To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #102
--------
VIRUS-L Digest   Friday, 16 Jul 1993    Volume 6 : Issue 102

Today's Topics:

Integrity Checking for Anti-Viral Purposes [and MSAV paper]
Virus Calendar
Info needed about gulf war virus - help!
Unix Scanners (UNIX)
Re: FORM virus (PC)
FORM Virus (PC)
Re: Arj-virus? (PC)
how to kill virus in boot sector ? (PC)
FORM Virus (PC)
Please help! (Removing Generic Boot Virus) (PC)
July 1993 LAT
Disinfection (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@AGARNE.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 09 Jul 93 12:15:46 -0400
From:
Subject: Integrity Checking for Anti-Viral Purposes [and MSAV paper]

Two years ago I presented a paper (at the first Virus Bulletin
Conference) on checksumming techniques for anti-viral purposes, which
Vesselin has mentioned in this forum several times. I intended to make
it available to anyone who's interested ... but only after I got
through revising it. Well, it's now ready (33 pages long).

To a large extent it's a tutorial ("everything you always wanted to
know about integrity checking but were afraid to ask"), but it also
defends a certain controversial position (CRC is as secure as a
cryptographic algorithm for anti-viral purposes if certain conditions
are satisfied). The article is also a bit unusual in that some sections
are on a very practical level while others are theoretical.

Mainly because of the mathematical symbols in some of the sections, the
article is not available as an ordinary text file. In fact, it's
available only in PostScript form or as a uuencoded DVI file. Let me
know which you prefer and I'll e-mail it to you. (If you have
absolutely no way of printing such files, I could send a very
abbreviated version (containing about 1/4 of the content) as an
ordinary text file, but you'll be missing a lot.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

[Moderator's note: Yisrael also sent me a revised copy of his review on
the Microsoft Anti-Virus package. That paper is available with the rest
of the product reviews on cert.org:/pub/virus-l/docs/reviews/pc/radai.msav.
The IP number for cert.org is 192.88.209.5. Thanks for your work,
Yisrael!]

------------------------------

Date: Tue, 13 Jul 93 16:55:02 -0400
From: axtlp@acad2.alaska.edu
Subject: Virus Calendar

I'm looking either to find/purchase a calendar of virus attack dates
(i.e. when to watch out for them more so than normal) or to create one.
So if anyone knows of either an existing calendar or the dates a virus
will attack to go on a calendar, would you please email me. Thank you
in advance.

Tam Pikey
axtlp@acad2.alaska.edu
axtlp@alaska (for bitnet)
axhelp@acad2.alaska.edu

------------------------------

Date: Mon, 12 Jul 93 19:50:01 -0400
From: henrya@UCS.ORST.EDU
Subject: Info needed about gulf war virus - help!

I'm doing a presentation on computer viruses this Thursday (07/15/93)
and would like to include some information about a supposed computer
virus inserted into the Iraqi computer systems by the coalition forces,
or the U.S. This virus (I've heard) blanked out Iraqi computer screens
(like a screen blanker), making it impossible to see information
printed thereon. If ANYBODY has any info about this at all (whether the
virus was real, how effective, or even if this rumor is true!) please
e-mail me at: HENRYA@UCS.ORST.EDU!!

Any help is much appreciated!! Thanks to all respondents in advance!!

- --
- ------------------------------------------------------------------------------
Had this been an actual emergency.... =)
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 15 Jul 93 05:45:39 -0400
From: Martin@salig.demon.co.uk (Martin Overton)
Subject: Unix Scanners (UNIX)

A couple of questions regarding UNIX.

1. Are there any UNIX viruses in the wild? I have heard rumours of
'research viruses' written for UNIX; if this is true and the situation
develops in a similar fashion to the DOS virus arena, then sooner or
later some of these 'research viruses' will be found in the wild.

2. Are there any virus scanners available for UNIX?

Thanks in advance.

- --+
Martin Overton            |Compuserve: 100063,1161
PC Technical Specialist   |Internet  : Martin@Salig.Demon.Co.Uk
Tel: +44 (403) 231937     |"Beam me up,Sooty!"

------------------------------

Date: Fri, 09 Jul 93 11:17:27 -0400
From: "David M. Chess"
Subject: Re: FORM virus (PC)

> From: Brian Seborg
> I replace the
> erased programs from originals or clean back-ups and I'm done. I
> don't care if the virus is MtE, TPE, Phoenix or King Kong's
> Illegitimate Love Child, it's dead, gone, kaput! No doubt, and no
> cleaning software.

Two points here that I'd like to illuminate:

- You don't need cleaning software, you can just restore from
originals.

I personally agree with this, and it's definitely what *I* would do if
I got infected. But large organizations would much prefer an automatic
and reliable cleanup program over having Z different end users per
month trying to figure out what needs to be replaced, and from where,
on their systems. I can understand that, I think! *8) The key is that
the cleanup has to be reliable: it should either do the job right, or
warn you that it couldn't and you need expert assistance. (Also, things
aren't always as easy as you make out; using FDISK /MBR on a
Monkey-infected system creates something that would take even a guru a
bit of work to fix.)

- You don't need to know which virus you had.

Yes, you do! Once you've replaced the changed files with originals,
wouldn't you also like to be sure that (for instance) the virus hasn't,
while it was there, riffled through all your text files and inserted
little "the boss is a jerk" notices here and there? I certainly
would...

- - -- -
David M. Chess                  \ Nothing moves;
High Integrity Computing Lab    \ where would it go?
IBM Watson Research             \

------------------------------

Date: Fri, 02 Jul 93 15:38:01 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: FORM Virus (PC)

* In a message originally to All, Yves Riedrich said:

> From: riedrich@socrates.umd.edu (Yves Riedrich)
> While using the McAfee virus scanner, I discovered the "form"
> virus
> in my boot sector.
> I tried to clean this virus off the hard drive...and got
> the message "Virus can not be safely removed from boot
> sector"

The Form Virus is a nasty virus indeed...

> If this has happened to you before or if you have any ideas
> how to remove this from my hard drive...please send me e-mail

McAfee has a special program for boot viruses! If you look in the
Virlist.txt you can find by some viruses M-Disk. I think you need that
program to remove the form virus safely. I'm not sure, but I think
there's a documentation by M-Disk that will tell you more...

> Thanks in advance

With pleasure, and good luck Yves Riedrich

Greetings, Rinse Balk

P.S. Let me know how you're doing... bye bye

- --- FMail 0.92
* Origin: All Or Nothing BBS -= Za & Zo 10:00-18:00 =- +31-5126-2412 (9:316/7)

------------------------------

Date: Sat, 10 Jul 93 08:49:48 -0400
From: "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Arj-virus? (PC)

>Hi! I use Arj version 2.41 (The best). Well, I have a memory-resident
>program, that says if files are being changed. Every time I access .exe
>files that belong to arj the program warns me that the file has
>changed. Has this happened to you? Will you test the problem?

I'm using ARJ 2.41 with no difficulty.

I use three anti-viral systems.

F-Prot
Integrity Master
my routine that detects file infectors

All three routines report that my system is all clean.

If you have a virus, you got the virus somewhere else, or you have a
copy of ARJ 2.41 that has been tampered with.

Bill

------------------------------

Date: Sat, 10 Jul 93 11:14:38 -0400
From: Dong LI
Subject: how to kill virus in boot sector ? (PC)

Dear netters,

I have an IBM compatible PC with DOS 6 and Windows 3.1. My
scanning-only anti-virus software recently found a virus named
Michelangelo in the boot sector on my hard drive D. I tried to use
other antivirus software to kill it but failed, because they cannot
even find the virus in the boot sector! Could someone tell me where to
get software to kill the above virus in the boot sector?

Thank you in advance.

Dong LI

*************************************************************************
With malice toward none, with charity for all..........  Abraham Lincoln
- -------------------------------------------------------------------------
Dong Li                        Telephone: (312) 996-0509(Lab)
                                          (312) 413-1308(Off)
                               Fax:       (312) 413-2435
Internet: u53077@uicvm.uic.edu            Bitnet: u53077@uicvm.bitnet
Dept. Biological Sciences, Univ. Illinois at Chicago, Chicago, IL 60607
*************************************************************************

------------------------------

Date: Fri, 09 Jul 93 07:42:00 +0200
From: Christian_Koelliker@f403.n412.z9.virnet.bad.se (Christian Koelliker)
Subject: FORM Virus (PC)

> McAfee has a special program for boot viruses! If you look in the
> Virlist.txt you can find by some viruses M-Disk. I think you need
> that program to remove the form virus safely. I'm not sure, but I
> think there's a documentation by M-Disk that will tell you more...

There is a much easier way to remove a FORM virus from your HD, and it
can be done (surprise) by naked DOS. All you need is a clean
boot-floppy with the sys-command on it. Boot up your computer from this
floppy and run the sys command and you will see that the FORM has
disappeared from HD.

Cheers
Christian

- ---
* Origin: HighWater Datamanager Langenthal (Switzerland) (9:412/403)

------------------------------

Date: Fri, 16 Jul 93 02:41:26 -0400
From: sbuffler@cs.uct.ac.za (Simon Buffler)
Subject: Please help! (Removing Generic Boot Virus) (PC)

Hi there

A friend's computer was recently infected by the Generic Boot Virus. I
gave him a copy of Clean106 which is supposed to remove [Genb]. When
booting from a clean system disk and running Clean (from floppy) on his
hard drive, he receives a "No viruses detected" message. However, [Genb]
IS still sitting on his hard drive, as when he reboots, the virus is
loaded into memory ...and Clean picks up a "critical virus" when
scanning RAM.

Any ideas or suggestions?

Thanks
Simon

------------------------------

Date: Thu, 15 Jul 93 15:48:07 -0400
From: "William H. Lambdin" <73044.2573@compuserve.com>
Subject: July 1993 LAT

Here is the July LAT. I hope that it is of use to someone. There are
now three tests instead of one.

Bill

- --------------------------------------------------------------------------

LAT 9307

+-------------------------+----------+----------+------------+-----+
| SCANNER                 | COMMON   | POLY-    | ZOO        |FLAGS|
|                         |          | MORPHIC  |            |     |
|                         | 32       | 56       | 1335  1303 |     |
+-------------------------+----------+----------+------------+-----+
| F-Prot 2.08a            | 31 96.9% | 55 98.2% | 1332 99.8% | S   |
| Virus Alert 2.08a       | 31 96.9% | 55 98.2% | 1332 99.8% | C   |
| Integrity Master-151b   | 30 93.8% | 54 96.4% | 1310 98.1% | GS  |
|                         |          |          |            |     |
| TBAV 603                | 32 100%  | 55 98.2% | 1307 97.9% | GS  |
| Scan 106                | 31 96.9% | 52 92.9% | 1275 95.5% | S   |
| Dr Sol A-V toolkit 6.18 | 30 93.8% | 29 51.8% | 1243 93.1% | C   |
|                         |          |          |            |     |
| VIRx 2.9                | 30 93.8% | 34 60.1% | 1231 92.2% | S   |
| UT Scan 25.1 June 1993  | 25 78.1% | 33 58.9% | 1075 82.5% | CDG |
| CPAV SW 04/93 signature | 26 81.3% | 26 46.4% | 1079 80.1% | C   |
|                         |          |          |            |     |
| NAV 2.1 June 1993       | 25 78.1% | 24 42.9% | 1026 76.9% | C   |
| HT Scan 1.20 VSIG 9305  | 28 87.5% | 34 60.1% | 1016 76.1% | S   |
| MSAV w/DOS 6.0          | 24 75.0% | 17 30.4% |  975 74.8% | D   |
+-------------------------+----------+----------+------------+-----+

C- Commercial software

D- This product does not scan for boot sector viruses inside droppers.
This is why scanners that detect droppers were tested against 1335
viruses. Scanners that fail to detect droppers were tested against 1303
viruses. I tried to be fair.

G- Generic Virus detector. The other utilities with this product may
detect viruses that this scanner misses, so don't judge this product
too harshly because the scanner isn't as effective as you would like.

S- Share Ware or Free Ware product.

F-Prot 2.09 should be released soon. This is why I tested the old 2.08a
release. Virus Alert appears to use the F-Prot 2.08a engine from Frisk
Software International.

I will be adding more specimens to the Common virus test in August. I
ran out of time.

========================================================================

I have tested the following generic products, and recommend them.

                                                FLAGS
                                               +------+
F-Prot Professional (Command Software Systems) | IV   |
Integrity Master (Stiller Research)            |*ISV  |
PC-cillin (Trend Micro Devices)                | ASV  |
PC-Rx (Trend Micro Devices)                    | ASV  |
TBAV (Thunderbyte)                             |*ISV  |
Untouchable (Fifth Generation Systems)         | ISV  |
Victor Charlie (Bangkok Security Associates)   |*BEISV|
                                               +------+

*-Share ware product
A-Activity Monitor
B-Uses Bait files that try to get infected by unknown viruses
E-extract the signatures for unknown viruses
I-uses integrity checking
S-Stores System areas. Boot sector, and Partition table
V-comes with a Virus scanner.

I placed the generic virus detectors in alphabetical order. I do not
recommend one product over another. All of them work differently and
may not fit the way you use a computer, so request information on
several before you decide.

========================================================================

I would like to thank most of these companies for providing me with
evaluation copies of their software to test.

If your company produces anti-viral software, and would like for me to
test it in LAT, contact me at either of the addresses below.

========================================================================

These tests were performed on a 33 MHz 486

Bill Lambdin
102 Jones Lane
P.O. Box 577
East Bernstadt, Ky. 40729

Internet address> 73044.2573@compuserve.com
Compuserve ID> 73044,2573

------------------------------

Date: Fri, 09 Jul 93 15:01:18 -0400
From: "Rob Slade"
Subject: Disinfection (CVP)

PRTAVSG.CVP   930625

                              Disinfection

A strong, albeit non-technical, reason why scanners are so popular is
the specific identification of the particular virus responsible for an
infection. Rather than telling you merely that something is amiss, a
scanner gives you a name. More than that, scanner authors, given the
necessity to know the specifics of a virus in order to identify it, had
an advantage in finding out how a virus infected a file, and therefore
how it could be removed.

Scanning software was, therefore, the first to offer "disinfection" of
viral infections, either as a feature or in an adjunct program. This
would seem to be, and likely is, another reason to prefer "scanning"
antiviral software.

However, beware. Disinfection is by no means the optimum way to deal
with viral infections. The best solution is to delete (and, preferably,
overwrite) the affected file or area, and restore programs from
original sources. "Boot sector infectors" affect a whole disk, and
therefore present greater problems, but in most cases material can be
recovered from infected disks, and the disks themselves "cleansed" in
various ways. There comes a point at which the trade-off between
security and convenience tips the scales in favour of disinfection, but
be aware of the dangers.

In many cases, disinfection is simply not possible. An overwriting
virus, for example, will not keep any track of the material it destroys
when it dumps itself into a file. Many viri contain bugs which prevent
the recovery of the original file. Also, sadly, disinfection software
has been known to contain bugs which left the situation worse after the
attempted "cleanup" than after the infection.

Generally speaking, disinfecting software will contain a "description"
of the specific viral operation of a given viral program, so that the
infection process can be reversed. However, virus removal is no longer
the exclusive province of scanning software. Two types of "generic"
disinfection now exist. Some change detection programs now store
sufficient information about the file to make an attempt to restore it
if the damage is not too severe or complicated. Also, "heuristic"
scanning is being used to "trace and remove" viral infections. So far
testing has revealed serious drawbacks to both of these applications,
but the technology is still in its infancy, and shows promise for the
future.

copyright Robert M. Slade, 1993   PRTAVSG.CVP   930625

=============
Vancouver      ROBERTS@decus.ca         | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |   - originally spoken by Papal
Research into  rslade@cue.bc.ca         |     Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca         |     of Citeaux, at the siege of
Security       Canada V7K 2G6           |     Beziers, 1209 AD
=============

for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
For those without ftp, see Jim Wright's posting, or use Cyberstore.
Also FREQ from 1:153/733 The Cage 604-261-2347.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 102]
******************************************
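Added illustration, not part of the digest or of any product named in it: a small Python model of the "generic" disinfection Slade's column describes (a change detector that stores enough about each file to attempt a restore) combined with the reliability rule Chess argues for (do the job right, or say it could not be done). The baseline keeps a CRC32, the length and a copy of the first 64 bytes of each file; the 64-byte header size, the sample files and the damage patterns are all constructed here for the demonstration.

```python
import zlib

HEAD_BYTES = 64  # bytes of each file's start kept in the baseline (assumed size)

def take_baseline(files):
    """Record per file what the change detector keeps: CRC32, length and a
    copy of the header. `files` maps a name to the file's bytes."""
    return {name: {"crc": zlib.crc32(data), "size": len(data),
                   "head": data[:HEAD_BYTES]} for name, data in files.items()}

def check_and_restore(name, current, baseline):
    """Return (status, content); status is 'clean', 'restored' or 'unrecoverable'.
    A restore is tried only for the simplest damage pattern (header patched in
    place, bytes appended): splice the stored header back and cut the file to
    its original length. The result is kept only if it reproduces the recorded
    CRC and size; otherwise nothing is guessed and the caller must reinstall."""
    rec = baseline[name]
    if len(current) == rec["size"] and zlib.crc32(current) == rec["crc"]:
        return "clean", current
    if len(current) >= rec["size"]:
        candidate = rec["head"] + current[HEAD_BYTES:rec["size"]]
        if zlib.crc32(candidate) == rec["crc"]:
            return "restored", candidate
    return "unrecoverable", current

# Constructed sample "programs": arbitrary bytes, not real executables.
SAMPLES = {"EDIT.EXE": bytes(range(256)) * 4,
           "CALC.EXE": b"MZ" + bytes(i % 7 for i in range(500))}
BASELINE = take_baseline(SAMPLES)

def damaged_header_and_tail(data):
    """Constructed test damage: first 3 bytes replaced, 100 bytes appended."""
    return b"\x01\x02\x03" + data[3:] + b"\xff" * 100

def damaged_in_place(data):
    """Constructed test damage: the first 200 bytes destroyed in place."""
    return b"\x00" * 200 + data[200:]

def run_checks():
    """Exercise every outcome on the constructed samples; returns case -> status."""
    edit, calc = SAMPLES["EDIT.EXE"], SAMPLES["CALC.EXE"]
    return {
        "untouched": check_and_restore("EDIT.EXE", edit, BASELINE)[0],
        "spliced": check_and_restore("EDIT.EXE", damaged_header_and_tail(edit), BASELINE)[0],
        "destroyed": check_and_restore("CALC.EXE", damaged_in_place(calc), BASELINE)[0],
        "truncated": check_and_restore("CALC.EXE", calc[:100], BASELINE)[0],
    }

if __name__ == "__main__":
    for case, status in run_checks().items():
        print(f"{case}: {status}")
```

Only the header-plus-tail case comes back as restored, and only because the spliced result reproduces the recorded CRC and size; in-place destruction and truncation are reported as unrecoverable rather than patched by guesswork.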