To: VIRUS-L@LEHIGH.EDU Subject: VIRUS-L Digest V6 #112 -------- VIRUS-L Digest Monday, 16 Aug 1993 Volume 6 : Issue 112 Today's Topics: Re: Learning how to make virus programs: Info? Problems with FPROT ?? (PC) Re: Information on the 'Trident' Virus (PC) Re: Virus protection Software recommendation (PC) Re: Dudley [odud] virus ? (PC) Mark II virus - HELP! (PC) Trigger virus (PC) possible virus? (PC) Arj-virus? (PC) Name this virus (PC) ? HELP on DIR 2 Virus (PC) HELP!! more informations to russian virus (PC) Questions on McAfee Scan Verson 106 (PC) Sharing .def files between scanners (Novell) (PC) Perry and CPAV 2.0 (PC) VIRSTOP & boot sectors?? (PC) [mon] virus (PC) whats good? (PC) Anti-virus software usable on LAN's (PC) Can"t read 3,5" HD disk (still alive) (PC) Thanks (was: Hokay, boot sector viruses) (PC) Boot sector infectors (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Sun, 08 Aug 93 16:00:38 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Learning how to make virus programs: Info? >So, any information or guidance would be appreciated on how to make >this type of non-malicious virus. What you want is not a virus - all you need is something that is run in a login script, and checks the user's hard disk when he logs into the network. Sure, this *could* be done with a virus, but that would be an *EXTREMELY STUPID* thing to do, and would probably cost you your job. Problem #1: Preventing the virus from "escaping" - you don't want the virus spreading over the whole country, do you ? Problem #2: Self-checking programs & Integrity checkers would notice the virus, and raise an alarm - have you considered the support that would require. Problem #3: Unknown side-effects - what if there is a bug in the virus, and it corrupts something when a certain combination of other programs is in use ? Problem #4: Do you seriously think I (and other anti-virus producers) would ignore your virus just because it was supposed to be "non-malicious" ? I could co on, but the conclusion is obvious...trying to solve the problem with a virus-type program is pretty idiotic. - -frisk ------------------------------ Date: Fri, 06 Aug 93 16:58:59 -0400 From: "Andrew Brennan, LRC Manager" Subject: Problems with FPROT ?? (PC) Actually, VIRSTOP - not FPROT. I had a run-in with Michelangelo recently that was appearing on machines that were set up to check for viruses on reboot (/DISK /FREEZE /WARM /BOOT /COPY) and we ran a few tests to see what we could do about it. VIRSTOP does not (??) appear to do memory-testing for viruses already loaded? We set up FPROT to load and scan the machine (using cmd line parms) and it can be set to scan memory -or- to auto-disinfect the disk. FPROT's auto-disinfect is nice, but that's only available if you do *not* scan the memory and it leaves the active virus in memory. The memory scan is nice, but it appears to detect a virus and continue through without locking the machine (if in cmd-line mode). Curiously enough, the configuration we toyed with that _did_ work as expected (locking on reboot if the diskette was infected) was a combination of VIRSTOP *and* VSHIELD. It seems that VSHIELD's action to check the disk triggers VIRSTOP's /COPY (or one of the other parms) to detect a virus on the diskette - hanging the machine with a message to this effect. Anyone planning a package with the future detection abilities of the VIRSTOP /COPY and the bulldog attributes of VSHIELD's virus-in-memory detection? I would definitely be interested. andrew. (brennan@hal.hahnemann.edu) ------------------------------ Date: Fri, 06 Aug 93 17:18:19 -0400 From: neuro@santafe.edu (Terrance Johnson) Subject: Re: Information on the 'Trident' Virus (PC) Brenda Parsons (parson@coulomb.pcc.oz.au) wrote: : We've recently had an attack of the 'Trident' virus, and seemed to : have gotten rid of it, but no one was able to supply us with information : as to what it would do when activated. The Trident virus I believe is not actually a virus, it is the Trident Polymorphic Engine, akin to the Mutation Engine, which encrypts a virus differently every time a new file is infected. Since any number of virii may use the Engine, it is impossible to say what the virus would have done upon activation. - --- neuro@bbs.santafe.edu -- You know me as Neurophire or Neurophyre... I am the PHYRE that burns in your brain. ------------------------------ Date: Fri, 06 Aug 93 23:05:52 -0400 From: "William H. Lambdin" <73044.2573@compuserve.com> Subject: Re: Virus protection Software recommendation (PC) From: bjgreenb@rs6000.cmp.ilstu.edu (Brian Greenberg) >I am looking for the best Anti-Virus software for DOS or Windows >(perferably Windows). I used to use McAffee and Norton. Are there >any reccomendations of types and prices, also why might one out weigh >another. If you're going to rely on Scanners, I recommend the following. F-Prot Integrity Master Thunderbyte Scan VIRx All five scanners are Share Ware or Free Ware. If you want to go beyond scanning, look for Generic virus detection. I have tested all of these on my test machine with live viruses in memory, and all of these work as advertized. F-Prot Professional * Integrity Master PC-cillin PC-Rx * Thunderbyte Anti-Virus Untouchable * Victor Charlie * denotes Share Ware product. I test A-V software monthly, and will be releasing the LAT report in about a week. Hope it is of use to you. Bill ------------------------------ Date: Sun, 08 Aug 93 16:00:46 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Dudley [odud] virus ? (PC) oenglund@bilbo.abo.fi (Olof Englund) writes: >Nope, i don't think there is. I looked the virus up in VSUM (Oi Dudley) >aaand.....no detection method....YET! You must be reading an old VSUM - the latest VSUM states that DSAVTK, F-PROT Scan, Virus Buster and VirusNet can detect it - I guess VET and several other products that VSUM does not cover can detect it too.... > Just delete infected files (however >you'll find out wich are infected) Never trust anything VSUM says about removal of viruses - that is usually the most incorrect part of the description. - -frisk ------------------------------ Date: 08 Aug 93 17:45:24 -0400 From: mrobbins@umiami.ir.miami.edu Subject: Mark II virus - HELP! (PC) My HD is infected with the Mark II virus. I've tried CBAV and the latest scan, and it can't even be located, not to mention destroyed. If anyone knows of a cure for this thing, PLEASE mail me the details. Mark ------------------------------ Date: Sun, 08 Aug 93 23:47:14 -0400 From: "William H. Lambdin" <73044.2573@compuserve.com> Subject: Trigger virus (PC) Trigger Virus Trigger infects .COM and .EXE files from 2 bytes - 29696 bytes. My largest bait file is 29K 29696 bytes. Trigger has the following text in the first generation (Trigger by Dark Angel of Phalcon/Skism Utilising Dark Angel's Multiple Encryptor (DAME)). No text is readable in the second generation and beyond. Trigger is polymorphic, but not stealth. On my test machine, the files grew by 2493 bytes - 2653 bytes Trigger appends the virus to the end of the host files. Bill ------------------------------ Date: Thu, 05 Aug 93 10:55:00 +0200 From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) Subject: possible virus? (PC) pdavies@alchemy.chem.utoronto.ca (Paul Davies) writes: > This is what I have experienced. I have noticed that > there seems to be a bit too much disk activity, most notably when > Windows is loading. This might just be paranoia. This is the way windows works, what you see is the swapping it does with the disk. If you use SMARTDRV also you might even experiance writes and reads to the disk at IDLE time (when apperantly nothing is running on your system) these are the delyed disk access done by the CACHE. > my computer has crashed a few times when running Telix. > One time when running Telix my machine froze up and there where > (random?) flashing characters all over the screen. I thought that this > was the behaviour of a known virus. No virus, but a well known problem with communication programs. (As well as others) ;-) > I used the latest version of McAFee Scan (106) on my > machine and it did not find anything. I would be surprised if it warent so (judging from your description of the PC behaviour). > I am currently running DOS 5 and Windows 3.1. Enjoy them... * Amir Netiv. V-CARE Anti-Virus, head team * - --- * Origin: <<< NSE Software >>> Israel (9:9721/120) ------------------------------ Date: Mon, 02 Aug 93 15:03:00 +0200 From: Arie_Zilberstein@f0.n462.z9.virnet.bad.se (Arie Zilberstein) Subject: Arj-virus? (PC) StarDate 07-18-93 10:53: A transmission from Amir Netiv to All was decoded: >>Hi! I use Arj verision 2.41 (The best). Well, i have a memory-resident >>program, that says if files are being changed. Everytime i access .exe >>files that belong to arj the program warns me that the file has >>changed. Has this happened to you? Will you test the problem? AN> If you are using a program that has the "Protect executable files" AN> option in it, don't be surprised by these alarms, it usually simply a AN> false alarm made by it, I'd reccomend using another TSR instead, It's the new version of VWatch/VSafe V2.00 that creating all the mess. It gives me "File is infected" on ARJ.EXE, Q.EXE and lots of more programs. Bye AZ ... The more people I meet, the more I love my computer - --- FMail 0.95a4 beta+ * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (9:9721/202.0) ------------------------------ Date: Thu, 05 Aug 93 11:02:00 +0200 From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) Subject: Name this virus (PC) ? JERRY@hnrc.tufts.edu (Jerry Dallal) asks: > Is this the behavior of an IBM-PC virus that anyone is familiar with? > Files are being created on floppy disks. One invariably shows (DIR) a > size of over 21Mb (on a 1.4Mb disk) and has a name composed of > graphics characters. Another file will be named 'read me.com' or 'DOS > 5.0xxx'. Typical Root-Directory destruction. Cause: can be a virus (DIR-2 sometimes causes it, but then one should expect the have som indication on one's hard disk, run CHKDSK on your disk to see), another cause might be a fault in some program, or a hardware fault. If you nkow what you are doing you might regain access to the floppy by using the combination of CHKDSK, NDD and DISKEDIT. If you are not familiar with the reconstructing methods, don't start, as it might turn out to be very frustrating! > UTScan early '92 > Norton Anti-Virus fall '92 > Microsoft Aint-Virus (DOS 6.0) > show no infection. > UTScan can't scan the files with graphics characters > in the name (bad path). Norton says somehting like access denied to > these files. Sure.... 8-) * Amir Netiv. V-CARE Anti-Virus, head team * - --- * Origin: <<< NSE Software >>> Israel (9:9721/120) ------------------------------ Date: Thu, 05 Aug 93 10:48:00 +0200 From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) Subject: HELP on DIR 2 Virus (PC) 9239561@rkw-lan.cs.up.ac.za (KRUGER S) asks: > Can anybody help me with a DIR II virus. How about me? > I would like to know if there is a cure for it, and if so, Yes, most Anti Viruses of today... however there is a way to clean it without one by: 0. Make sure you have a CLEAN DOS DISKETTE available ! 1. Boot from the infected disk. 2. while the virus is running in memory do in EACH directory: REN *.COM *.CVC REN *.EXE *.EVC 3. Boot the PC from the floppy and do (again in EVERY directory): REN *.CVC *.COM REN *.EVC *.EXE 4. Boot again. The PC should be clean! 5. Run CHKDSK to verify: if you have a lot of "is crosslinked into cluter..." on your screen then the process failed. if you have only few... erase these files or let CHKDSK correct (actually destroy) the files and then delete them! Step 2 may be replaced with the commands ATTRIB +s *.COM ATTRIB +s *.EXE In such case a clean DOS floppy is not necessary. > where I can obtain it. Buy it... ;-) > I would appreciate any answer helping me with the virus. Hope that helped. > Must the hard drive be formatted NO NO NO NO NO NO NO....... almost never... > or is there a something else that I can do? As explained above. > Thanks !! Your welcome... * Amir Netiv. V-CARE Anti-Virus, head team * - --- * Origin: <<< NSE Software >>> Israel (9:9721/120) ------------------------------ Date: Mon, 09 Aug 93 11:19:20 -0400 From: Astrid Kuhr Subject: HELP!! more informations to russian virus (PC) Hello! There are some new infos I can give to our dubious russian virus: We are using DOS 5.00. The COMMAND.COM on the infected PC is 50244 Bytes, original it's 50031 Byte. The date is a little bit different to. (Sorry, I forgot to write it down, and now the PC is already locked for today) Scanning with F-PROT 209 gives following result: Scanning MBR of hard disk 1 Master Boot Sector: Possibly a new version of Shifter If possible, we want to avoid to formatt our harddisk. Because there are very many things installed at. If possible, we would like to find the virus, clear the .COM and .EXE files, and the formatt the hard disk to get free of the virus at the Boot Sector. Or is their another possibility to get free of the virus in the boot sector? Perhaps somebody can make more conclusions from this than me?? Any help is welcome!! Thanx and regards, Astrid Kuhr - -- a.kuhr@kfa-juelich.de ------------------------------ Date: Mon, 09 Aug 93 13:14:17 -0400 From: kathy@oasys.dt.navy.mil (Kathy Smith) Subject: Questions on McAfee Scan Verson 106 (PC) We have found the Version 106 of McAffee Scan and Clean on one of the ftp sites. Was there a announcement posted in this newsgroup that I missed? Also, does anyone have their email address. Kathy M. Smith Carderock Division, Naval Surface Warfare Center Customer Support Bethesda, Maryland, U.S.A. Code 3581 Bldg 17W, Room 219 kathy@oasys.dt.navy.mil 301-227-3000, AV/DSN 287-3000 ------------------------------ Date: Mon, 09 Aug 93 13:37:29 -0400 From: "The Radio Gnome" Subject: Sharing .def files between scanners (Novell) (PC) Hi, Is it possible for any of the popular PC scanners to use a MAC .def file to scan a Netware Volume with MAC namespace loaded? ...Also vice-versa. e.g., have F-Prot load additional definitions from SAM or Disinfectant and scan the MAC volumes... have SAM load an F-Prot .def file and scan PC files on the server. Is there or should there be a standard for virus definition files? Thoughts? Andy Wing "On the internet, nobody knows that you're a dog" ------------------------------ Date: Tue, 10 Aug 93 10:49:37 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Perry and CPAV 2.0 (PC) I have been receiving reports from concerned users, that the VALIDATE.COM program that is distributed by Patricia Hoffman as a part of the VSUM package might be infected with the Perry virus. It seems that version 2.0 of the Central Point Anti-Virus claims this is the case. This is not a typical false alarm, however - the VALIDATE.COM program *does* indeed contain the Perry code, but it is not infected at all, as Perry is NOT A VIRUS. Perry is (or rather was) a somewhat useless program, distributed by InterPath. It was used to "protect" programs, so that they would either ask for a password when run, or self-destruct on a specific date. In this particular case, the VALIDATE.COM program is set to self-destruct on June 6th, 2000. (Note that this is a different version of VALIDATE than the one currently distributed with McAfee's SCAN). Apart from this, the Perry code is quite harmless, and the general consensus among anti-virus manufacturers has been that there is no real need to detect Perry-ized files as such. Central Point, however calls Perry-ized files "infected with the Perry virus" (which is nonsense, as the code does not replicate, and therefore is not a virus, and even confirms this on the phone when called "Yes, Perry is a virus, but it does not spread very much - you should just delete the file" was the reply they gave, even though CPAV has been made aware of the problem some time ago. This posting is intended to set the matter straight - CPAV is calling a clean program virus-infected. - -frisk ------------------------------ Date: Tue, 10 Aug 93 11:11:55 -0400 From: BRENNAN@hal.hahnemann.edu (A. Andrew Brennan) Subject: VIRSTOP & boot sectors?? (PC) It's not entirely impossible that I'm messing up the configs somewhere ... this is related to machine(s) in an open environment where you can't expect users to respond appropriately ... VIRSTOP *shouldn't* peacefully co-exist with Michelangelo, should it? I get Stoned and/or Michelangelo-A loaded before VIRSTOP (that's the nature of those beasts, no?) and at best VIRSTOP whispers the data equivalent of "I'll get you next time, Red Baron!!" as it does not hang/freeze/crash the machine until the virus actually infects a diskette (oh - using the /FREEZE /COPY params with VIRSTOP). We've had pleasant results with VSHIELD _and_ VIRSTOP on the same machine - Vstop to nail future problems with /COPY and Vshield to halt the machine if anything is already present. I dunno how long I want to use that configuration - we're in the process of waiting for purchasing (the corporate equivalent of "the check is in the mail") to get our license for F-PROT. We recently dropped McAfee, so the "use both" approach can't be used too long. andrew. (brennan@hal.hahnemann.edu) ------------------------------ Date: Tue, 10 Aug 93 12:25:01 -0400 From: mingione@acf2.NYU.EDU (mingione) Subject: [mon] virus (PC) whats good? (PC) We have had a lot of trouble here at Academic Computing with the [MON] virus infecting the boot sectors o our PCs. Has anyone had problems with this particular virus? I know Clean106 and Scan106 work fairly wellto detect and erase it. What I don't understand is why other programs are not doing as well. We have purchased a license from frisk@complex.is for the f-prot program but as far as I can tell version 2.0.9 still does not have the capability to erase the virus from the partition table. Does anyone know of other good effective ways of ersing this virus. Repeated e-mailings to the author of f-prot (even sent him a disk with the [mon] virus on it ) have produced no feedback. So we may have to switch to something else after we evaluate several products. Thanx in advance. ------------------------------ Date: Tue, 10 Aug 93 20:06:21 -0400 From: marc_b@ingres.com (Marc Burckin) Subject: Anti-virus software usable on LAN's (PC) Hi, A friend who is w/o net access has asked me to pose this question. "What types of software and/or methods to people use to keep their LAN's free of viruses? Is there a way to run the virus software from the server and thereby check all of the connected PC's?" Thanks, Marc - ---- Marc Burckin | I wish I was on that N17 __o The ASK Group | traveling with just my -\<, (510) 748 3488 | thoughts and dreams. (_)/(_) marc_b@ingres.com | - ------------------------------------------------------------------------------- - - - -- marc_b@ingres.com Ingres International London, UK ------------------------------ Date: Wed, 11 Aug 93 04:08:46 -0400 From: Ralph Rinschen Subject: Can"t read 3,5" HD disk (still alive) (PC) Hello, my problem to read 3,5" HD disks is still alive. I changed following components : AT Controller The 3,5" drive All cables McAffee 106 can not find any viruses. So, why can i read sometimes the HD and sometimes not ?? IS this a virus or just a unknown hardware problem ?? Any hints ?? Thanks Ralph - -- ============================================================== Sender4s Name and Adress | - ------------------------- | There is no grazy lazy boring text Name : Rinschen, Ralph | in here .. Street : Cromptonstr. 10e | ---------------------------------- Location : 4790 Pb-Elsen | Telephon : not visible | email : rinschen.pad@sni.de ============================================================== - -- ============================================================== Sender4s Name and Adress | - ------------------------- | There is no grazy lazy boring text Name : Rinschen, Ralph | in here .. ------------------------------ Date: Mon, 09 Aug 93 03:59:25 -0400 From: corneliu@cs.curtin.edu.au (Nigel Cornelius) Subject: Thanks (was: Hokay, boot sector viruses) (PC) To all those who responded, (you know who you are), THANKS!! regards, Nigel - -- .................................................................... ......... . . ......... __ Nigel Cornelius . ........ _--_|\ ...... | . corneliu@marsh.cs.curtin.edu.au . ....... / OZ \ ..... | . . ....... x_.--._/ ..... | . "Home is where the heart is" . ...... /^\ . .v ...... | . "and the fridge, the beer, the tv, ..." . ....... |______________|............................................ ------------------------------ Date: Fri, 06 Aug 93 16:20:38 -0400 From: ROBERTS@decus.ca Subject: Boot sector infectors (CVP) DEFGEN5.CVP 930728 Boot sector infectors Having dealt with some non-viral terminology, let us cover some viral related terms that may be unfamiliar. Most people think of viral programs in terms of Fred Cohen's definition. That is, a virus is a program which always "attaches" to another program. This has given rise to a great many misconceptions about some of the most common viral programs, boot sector infectors. Boot sector infecting viral programs, often referred to as "BSI"s, *do*, in a sense, attach to another program. Most people are unaware of the fact that there is a "program" on every disk, even those which are "blank". Every formatted disk has a "boot sector", specified, not by a filename, but simply by its location as the first physical (or logical, in the case of hard drives) sector. When the computer is "booted", the ROM programming looks for a disk, then "runs" whatever happens to be in that sector as a program. In most cases, with non-bootable disks, the "program" that is there simply prints a message reminding the user that the disk is non-bootable. The important thing, however, is that regardless of how small the actual program may be, the computer "expects" there to be a program in the boot sector, and will run anything that happens to be there. Therefore, any viral program that places itself in that "boot sector" position on the disk will be the first thing to run, other than ROM programming, when the computer starts up. BSIs will copy themselves onto floppy disks, and transfer to a new computer when the "target" machine is (usually inadvertantly) booted with an infected floppy in the A: drive. The physical "first sector" on a hard drive is not the boot sector. On a hard drive the boot sector is the first "logical" sector. The number one position on a hard drive is the master boot record or MBR. (This name gets slightly confused by the fact that the MBR contains the partition table; the data specifying the type of hard disk and the partitioning information. "Master boot record", "partition table" and "partition boot record" are often used interchangeably, although they are not identical entities.) Some viral programs, such as the Stoned virus, always attack the physical first sector: the boot sector on floppy disks and the master boot record on hard disks. Thus viri that always attack the boot sector might be termed "pure" BSIs, whereas programs like stoned might be referred to as an "MBR type" of BSI. copyright Robert M. Slade, 1993 DEFGEN5.CVP 930728 ============= Vancouver ROBERTS@decus.ca | "Remember, by the Institute for Robert_Slade@sfu.ca | rules of the game, I Research into rslade@cue.bc.ca | *must* lie. *Now* do User p1@CyberStore.ca | you believe me?" Security Canada V7K 2G6 | Margaret Atwood ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 112] ******************************************