To: VIRUS-L@LEHIGH.EDU Subject: VIRUS-L Digest V6 #113 -------- VIRUS-L Digest Wednesday, 18 Aug 1993 Volume 6 : Issue 113 Today's Topics: Origin of name "Virus" Cohen papers by mail, please Encrypting viruses -- not a good idea VMS Malicious Logic (VAX/VMS) E-Rillutanza virus? (PC) F-PROT_209 Problem (PC) Re: Tremor (PC) Virus? (PC) central point- anti-virus for DO (PC) Got a trojan :( (PC) two new viruses (PC) Re: Dudley Virus (PC) Re: WARNING: Stoned/Dir-2 infection in Israel (PC) Barrotes (PC) unknown (?) virus (PC) Friday 13th virus? (PC) New (?) "Moose" virus (PC) Re: Suspicious .COM files (PC) Re: Information on the 'Trident' virus (PC) NSH152A.ZIP - NETSHLD 1.52AV106 antivirus NLM for Novell3.11 (PC) August 1993 LAT (PC) "Link" virus (CVP) Call for Papers IFIP SEC'94 Caribbean VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 09 Aug 93 13:32:50 -0800 From: a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com Subject: Origin of name "Virus" What is the origin of the term "Virus". 
I didn't find this in the FAQ, (although I lost the FAQ recently due to operator error, and I haven't gotten the last repost.) - -- Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea 216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal) My opinions are my own, and do not represent those of my employer. ------------------------------ Date: Wed, 11 Aug 93 20:43:26 -0400 From: fernando@ubik.satlink.net (Fernando Bonsembiante) Subject: Cohen papers by mail, please I would like to get some books or papers by Fred Cohen, I only know the name of a few books, 'A short course on Computer Viruses', for instance, and a lot of papers. I would like to know if I can get some of Cohen's works by mail, if anyone knows of a bookstore that could send me those books via air mail or surface delivery to Argentina, it would be of a great help. Saludos, Fernando (fernando@ubik.satlink.net) { Fernando Bonsembiante } { Guemes 160 dto 2 Tel: (54-1) 654-0459 } { Ramos Mejia (1704) Fidonet: 4:901/303 } { Republica Argentina Internet: fernando@ubik.satlink.net } ------------------------------ Date: Sun, 15 Aug 93 17:46:03 -0400 From: fergp@sytex.com (Paul Ferguson) Subject: Encrypting viruses -- not a good idea This is a response to a message thread which is currently being held in the .cypherpunks listserv list. I thought some readers of virus-l may appreciate the content - - -----BEGIN PGP SIGNED MESSAGE----- On 14 Aug 1993 19:51:27 -0500 (CDT), Michael A. Ellison wrote - > My bottome line is this: the virus may be cool, but why a virus? > Viruses may work for attacking things, wiping stuff out, hacking > stuff, whatever (although they always tend to hit more than the > intended target, funny thing about that), but when the only user > of a machine WANTS to do something with their machine, why a > virus? I mean, honestly...... 
although I must admit, it solves > the problem of distribution of software in the most interesting > way - I want to see what happens if a commercial company writes > one of these and COPYRIGHTS it...... Phooey. At least you _did_ ask the right question, "Why a virus?" Fred Cohen is a bit "out there" when it comes to his ideologies about what is or what is not a virus and further, what is a "good virus," if there really _is_ such a critter. My personal opinion is that there cannot be such an animal, because by its purest definition, a virus is any program that _replicates_ -- if it doesn't replicate, then be assured that it is not a virus. Ideally, a virus replicates without the user's knowledge. In doing this, it violates the integrity of the system and furthermore, it does it surreptitiously. Personally, I like to be intamately aware of every byte on each of my systems (I am) and know _exactly_ what every executable which resides on my system does (again, I do). For users who cannot know this, then a virus is a breech of their privacy, in a matter of speaking. Finally, distributed computing need not be accomplished by something as brain-damaged as a virus. Anything a virus could beneficially do, a legitimate, non-replicating program can do better. In fact, there have been viruses designed and coded which were supposed to perform beneficial activities (see historical notes about the Denzuko, Ohio, etc. viruses). Also, every virus harbors the potential for damage. No programmer (read: virus author) can possibly know each and every environment where the code will be introduced. An example which I frequently use to illustrate this point is the Stoned virus; it is mostly an innocuous virus, however with several spoofing disk partitioning schemes (such as Disk Mangler), it can devastating. And with the advent of the Microsoft Doublspace shit, alot of other potholes in the road are introduced into the possible scenarios. 
A final note: There is a virus called "Cruncher" which compresses executables in much the same way as PKLite or LZEXE. Is this a "good" virus? This ia an exercise left to the reader... Cheers from Washington, DC - -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBLG57NZRLcZSdHMBNAQEHygQAhER6mpzGIctOx6sHpndNsv9EdoO++DBq x32h5Q4b5ylGDJWEcbC3RMqpkbDrzzYJOaBtRiqW+XTfpTagAKI0CbBWknxJcF3T W8hdDxu0kN2K0TVPbinkUUM+bvXLAdhYdv9GqixoWJx+Y/mkW2XtQLKbxRSFt/Uv ZC/YC+YVb18= =Mq8P - -----END PGP SIGNATURE----- Paul Ferguson | "Government, even in its best state, Network Integrator | is but a necessary evil; in its worst Centreville, Virginia USA | state, an intolerable one." fergp@sytex.com | - Thomas Paine, Common Sense Type bits/keyID Date User ID pub 1024/1CC04D 1993/03/15 Paul Ferguson Key fingerprint = EE D2 93 7D 04 6D C6 05 AC 36 AD 9D 8E 4F 41 58 ------------------------------ Date: Fri, 13 Aug 93 12:26:21 -0400 From: rcox@cscns.com (Richard Cox) Subject: VMS Malicious Logic (VAX/VMS) I'm looking for examples of malicious logic (ML) (virus, logic bomb, Trojan Horse, etc.) in the VMS environment. Preferably actual cases, type of viruses, hours expended to correct the problem, damage done, types of information stored and tools to identify, isolate and remove the ML. - ---------------------------------------------------------------------- - ---------------------------------------------------------------------- Gill Gillespie | Computer Security Engineer CTA INCORPORATED | ggillesp@cos.cta.com 7150 Campus Drive #100 | Phone 719-590-5172 Fax 590-5198 Colorado Springs, CO 80920 USA | Comments are solely of the author - ---------------------------------------------------------------------- - ---------------------------------------------------------------------- ------------------------------ Date: Wed, 11 Aug 93 04:44:02 -0400 From: sci00019@leonis.nus.sg (CHENG MUN WAI) Subject: E-Rillutanza virus? 
(PC) I recently scan my hard disk using F-prot 2.09 and it reported that several COM files were 'suspicious' of being infected with a variant of E-Rillutanza virus. I promptly emailed to Mcafee asking if they had heard of it but apparently they hadn't. I also scan the harddisk with scan106 for Mcafee but it didn't show any sign of the above mention virus. I believe that my disk was indeed infected because the size of the program were altered compared to the original. I managed to remove it from my disk by deleting and reinstalling (I hope). What I want to know is that have anyone had a similar report using F-Prot which scan106 missed. At the moment the 'virus' had done no damage except incresing the file size. The only problem is when I tried to upgrade Qemm7.00 to version 7.01 using the patch. When it came across loadhi.com it reported that the program is invalid (or something like that) and stopped updating. Loadhi.com was among one of the program reported as suspicious by F-Prot. Regards, Mun Wai. Death to all virus!!!! ------------------------------ Date: 10 Aug 93 13:08:04 -0600 From: brickman@mhd.moorhead.msus.edu Subject: F-PROT_209 Problem (PC) I seem to be having a problem with f-prot 209. I am a programming assitant at MSU computer services. On two different occations and on two different computers, We have been infected with stoned (no-int) (on the hard drive). Both computers are ibm ps/2 model 30 with a 30 meg hard. F-Prot 209 is unable to fix the disk. The progrma sends an error message, something like -- unable to find original MBR, I don't remeber the exact wording. I then used F-Prot 208a and it fixed the disk no prob. ------------------------------ Date: Thu, 05 Aug 93 08:52:00 +0200 From: Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner) Subject: Re: Tremor (PC) Hello Thomas, TR> Question: TR> Does the Virus "Tremor" mask the interrupt 21h,function 3dh No. It intercepts this function and desinfects a file on the harddisk (!) 
if itis opened via int21h/ax=3d02 (r/w-mode) or ah=6c (any mode). TR> or how else can T. when a File is opened, which is infected by him TR> desinfect the file and then open it for the programm that originally TR> opened it like TR> scanners...... ERRIK This is not the way tremor works. greetings, Robert - --- * Origin: Virus Help Service Karlsruhe (9:492/2170) ------------------------------ Date: Sat, 07 Aug 93 18:19:09 +0200 From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) Subject: Virus? (PC) Hi Mike! > message, I get the following "Kein System oder Laufwerkfehler > Wechseln und Taste drucken". > suggestions or even a translation of the text would be helpful. It's German and means "Non system disk or disk error... Replace and strike a key when ready" ;-)) > of them find anything. So, I guess that I'm asking all of you > what I can do? Yep - reformat those disks with an english/american version of DOS :-) Somebody had them formatted with a german DOS version. cu! eppi - --- GEcho 1.00 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050) ------------------------------ Date: Wed, 11 Aug 93 09:50:22 -0400 From: pierre-b@aci1.aci.ns.ca (PIERRE BENOIT) Subject: central point- anti-virus for DO (PC) Can anyone give me any information on the centralpoint anti-virus for DOS. Any type of information, no matter how small, would be great. Also, could you tell me who to contact for more info. Thanks in advance. P.S. My email address is robert-t@aci1.aci.ns.ca if you would like to mail me the info. ------------------------------ Date: Wed, 11 Aug 93 09:50:17 -0400 From: do321@cleveland.freenet.edu (Brian R. Landel) Subject: Got a trojan :( (PC) Beware for a program called USEREDIT.ZIP described as "Full Screen User editor for SLBBS" If you need the non-virused user editor by Patrick Lewis call my board, his support board at 216-543-2321. ANyway, I was testing some recent uploads to my BBS and ran into a Trojan, McAfee's scan failed to pick up. 
I ran MicroSoft's VSAFE turning every option on and ran it again and it said it tried to write to the floppy disk's boot sector. Think this trojan is going to create a virus or do any harm? Thanks, Brian ------------------------------ Date: Wed, 11 Aug 93 14:03:31 -0400 From: "William H. Lambdin" <73044.2573@compuserve.com> Subject: two new viruses (PC) I recently received these two files. I don't believe either virus is in the wild. None of the scanners I tested can detect these two viruses. - ------------------------------------------------------------ GOT319.COM This is a direct infector of .EXE files. It is not stealth, and the infected files grow by 578 bytes. No text is visible in the virus. This virus appends to the end of files. This virus infected infected every .EXE bait file I use on my test machine. I tested The second generation of this virus, and it is infectious as well. - ------------------------------------------------------------ CPL35.COM This is a direct infector. I could only get this virus to infect .EXE files. It is not stealth. and the infected files grow by 478 bytes. The second generation of the virus is infectious as well. The virus appends to the end of host files. - ------------------------------------------------------------ I forwarded both files to Fridrik Skulason, and Wolfgang Stiller. Bill Lambdin ------------------------------ Date: Wed, 11 Aug 93 19:09:53 -0400 From: "Roger Riordan" Subject: Re: Dudley Virus (PC) > Does anybody know of the "Dudley" virus (Dudley [odud]). > > Is there a scanner that will disinfect it and where can I get it from. Dudley is an Australian virus; the one that caused a great upheaval at Telecom recently (Allegedly written by someone at Optus!). Our program VET will detect it, and disinfect infected files. VET is writtten and widely used in Australia, and is increasingly being used overseas. 
It is fast, easy to use, and safely recovers files and disks infected with most of the viruses which are actually in the field. VET is a mid price product; cheaper than Dr. Solomons Toolkit, but more expensive than F-Prot, which are the two most nearly comparable products. They will usually detect a few more viruses than VET, but VET is faster, and does a better job of recovering PCs infected with boot sector viruses. McAfee Scan is decidely slower, far more difficult to use, generates more false alarms, and has a number of serious bugs, which can cause loss of data on hard disks, especially when trying to remove MBR infectors, such as No-Int, Stoned and Michelangelo. Our normal license includes updates for one year, posted quarterly, and covers PCs belonging to staff/students, provided all PCs on the site are covered. With Best Wishes, Roger Riordan Author of the VET Anti-Viral Software. riordan.cybec@tmxmelb.mhs.oz.au CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: Thu, 12 Aug 93 08:47:53 -0400 From: hjstein@sunrise.huji.ac.il (Harvey J. Stein) Subject: Re: WARNING: Stoned/Dir-2 infection in Israel (PC) Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes: hjstein@sunrise.huji.ac.il (Harvey J. Stein) writes back to amn@ubik.demon.co.uk (Anthony Naggs): > I informed the supermarket chain, and they informed > the distributer and the manufacturer. As i wrote to you a week ago: Check your own PC before blaming others! since I personally checked sample floppies from EACH supermarket store + The masters used for duplication + the duplication factory itself and more. Gues what: non of them was infected !!!!!!!!!!!!!! 1. I did not blame anyone for the viruses on the disk. I said that the disk I got had these viruses and that I notified the supermarket chain. The fact that both sample floppies and the masters are clean indicate that disks must have been contaminated after distribution. 
Perhaps people were playing with the disks in the stockroom? Perhaps disks were being brought back after being used (and getting infected)? Perhaps my machine was infected? However, 2. I did check my PC. It is clean (according to mcafee scan version 106). 3. An article in an Israeli newspaper said that some of the disks were infected with DIR2 and with STONED, and that "dozens of people were affected by the viruses". Since *I* haven't been distributing this disk, and since *I* was not in contact with this paper, OTHER PEOPLE also have seen the SAME VIRUSES on the game disks. Thus, either "dozens of people" have the same viruses on their machines and didn't notice them until they checked out this game disk, or the game disk is infected. Take your pick. - -- Harvey Stein Department of Mathematics Hebrew University hjstein@math.huji.ac.il ------------------------------ Date: Thu, 12 Aug 93 15:34:39 -0400 From: tly@SEI.CMU.EDU (Tonya L Yount) Subject: Barrotes (PC) Recently we detected this virus on our PCs. We would like to find information about it (i.e. is it destructive) but are unable to find the name anywhere. Are there other names it might go by? It was undetectable by MS DOS 6 anti-virus but detected by McAfee. It doesn't seem to do much more than attach itself to executable files. Because it changed the executables, we had trouble running Norton Commander and Turbo Pascal. Both of these programs would run, however, after much prompting. Any help, suggestions, or comments are welcome. The PCs are now clean but we would still like to know. Thank you, Tonya Tonya L. Yount "Oh, I have slipped the surly bonds of earth tly@sei.cmu.edu and danced the skies on laughter silvered wings" - ------the thoughts expressed here in no way reflect any policy of SEI------ ------------------------------ Date: Thu, 12 Aug 93 15:44:46 -0400 From: jhb@gmd.de (Joerg H. Blankenburg) Subject: unknown (?) virus (PC) I have a virus here that can not be detected by VSCAN105. 
When you call an infected program on a clean system, the virus first infects the program to which the COMSPEC variable points, normally COMMAND.COM, increasing it by exactly 4000 bytes, which it also does with most programs (EXE or COM) called afterwards. After a call of such a program, the virus stays resident (using little less than 4000 bytes) and infects more and more other programs. Yet it doesn't like windows applications and some others. When you scan a file on an infected system, the virus re- builds its exact contents. (This is how you get rid of it, simply zipping infected files on an infected system and un- zipping them on a clean one.) When the virus is resident, the DIR command doesn't show the 4000 additional bytes. But the Norton disk editor does. Is this is a known virus or is it new? If so, I'd suggest to call it the proton virus! Joerg H. Blankenburg - -- ************************************************************************** * Gesellschaft fuer Mathematik und Datenverarbeitung (GMD) * * (German National Research Centre for Computer Science) * * Arbeitsgruppe Informationsrecht (I3.IR) * * Institute for Information Technology in Jurisdiction * * Rathausallee 10, D-53757 St. Augustin, Germany, Tel.: +49 2241 143318 * * FAX: +49 2241 14 3017, e-mail: jhb@gmdzi.gmd.de * * Home: H.v.-Kleist-Str. 8, D-53113 Bonn, Germany, Tel.:+49 228 361556 * ************************************************************************** ------------------------------ Date: Sat, 14 Aug 93 14:30:55 -0400 From: belinda@cory.EECS.Berkeley.EDU ( ) Subject: Friday 13th virus? (PC) Thoughout yesterday, Friday 13th August, I was transferring files among floppy, local and network (Netware 3.11) drives, and thought I saw that some old files took on the August 13 date. I said to myself 'Nah, maybe it's that 14th cup of coffee...' 
But when I noticed the same thing during a technical support call with a customer - that her PKUNZIP.EXE (v 2.04c - the 12/28/92 version with a bug) had a date of 8/13/93 - I became more suspicious. The in-house network supervisor went ahead and scanned network drives without detecting anything. He told me that the known Friday 13th PC virus is only supposed to corrupt data and affect file execution, not anything as serious as going around changing file dates. Has anyone had this experience? Postscript: our network server did happen to go down at 4:30pm. - ------------------------------------------------------------------------- Belinda Leung | belinda@cory.eecs.berkeley.edu Software Support Technican | belinda@viper.cs.berkeley.edu Continuing Education of the Bar, Calif. | belinda@tsunami.berkeley.edu - --------------------------------------------------------------------- ------------------------------ Date: Sat, 14 Aug 93 22:23:28 -0400 From: "Lars Renman" Subject: New (?) "Moose" virus (PC) I have recently taken charge of a PC lab for the students at the Chemistry Department of Chalmers University of Technology, Gothenburg, Sweden. The lab has 24 PCs (Acer 33/468DX, local hard disks, 3 1/2" diskettes, DOS 5.0) and Novell 3.11 server. The local net has world access via internet. More than 600 students use the lab. The following is what I have found over the last three days (in roughly chronological order). Please bear with me for the length of this text - nothing in what I have seen is reproducible. * some PCs refused to boot * some PCs had enormous disk access during boot (warm & cold) * .EXE files with increased file size - on inspection of these files I found FAR JP codes to the end of the file and added code containing readable text strings "Moose31", "Moose32" or both, in the last case because code had been added twice to the files. The string "*.EXE" was also readable. Infected files sometimes work, sometimes not. 
Depending on type of code added (see more below) increases in file sizes vary - for a single file, I have seen at least five different versions with sizes from 464 bytes to +1700 bytes on different PCs * tests with Central Point CPAV (old version), MS-DOS 6.0 MSAV, McAfee SCAN (ver. 9.17 v106), Dr Solomon's Toolkit (virus list from 10/5/92) and Frisk Skulason's F-PROT (ver 2.09) all failed to detect anything. CPAV and F-PROT detected infections of themselves and CPAV detected increased file sizes. * .COM files with increased file size contain added code with readable text strings "Moose30" and "*.COM" * COMMAND.COM infected on a few PCs. * .EXE files infected on file server and all PCs * a message "Divide overflow" during boot on some PCs * diskette drives refusing to work - some working again after cold boots * eternal boot sessions with continuos disk access on some PCs - these will almost always boot from a diskette. * fake message (screen blanked first) "insert boot diskette and press " on machine that would not cold-boot from diskette. Inserting a write-protected boot diskette did not work. * attempted write operations on write-protected boot diskettes (after executing programs on hard disk); sometimes without error message, sometimes with normal DOS error message. * MS-DOS.SYS infected with "Moose30" on at least one PC (but not on some of the more troublesome one's) * parts of the CPAV.EXE code (The self-integrity check part) appended to some infected .EXE files * examination of the partion records with Solomon's PEEKA resulted in the following: the first display looked ok moving to the next record caused the display to be distorted (display heading with cyl/head/sector info gone) and an extra 64 bytes (copies of the first 64 bytes of the partion record) to be displayed at offset 0. This means that 40h + 200h bytes were displayed. Refreshing the display by pressing the space bar restored the display to normal. 
by keeping the + key down (switches between alpha and hex display) I was able to see a message "Disk read error 12 - Unknown error response." flash on the screen. It was immediatly overwritten. whatever is displayed seems normal, except for the extra 64 bytes * finally, this morning a 2 am, DISPLAY.SYS and EGA.SYS converted to COM files on one PC (this PC has also shown the "Divide overflow" and the fake "insert boot diskette .." message). These files have their original names left but start with a NEAR JP to the end where code has been after the Microsoft copyright notice. This code starts with a NEAR JP further ahead in the code and is followed by the readable text string "This, and much more, from Moose crashing corp." I don't know what all this adds up to. I have little experience of viruses, but I have tried to read what's available over the last few days. I haven't experimented much with diskettes, but it looks like everything at once - BSV, PSV, stealth, etc. I should add that there are a number of hacked and cracked games on the PCs - the previous system manager hasn't done anything about it. He also hasn't had the server backup system working since March (funny ?). Has anybody seen the "Moose" before ? Any hints ? I am now trying to collect some of the strange files. These will be forwarded to the virus expert community. Are there some special things that I should do? I will have to start low-level formatting the PC hard disks and recharge the server soon. Hordes of students are approaching .... For anyone familiar with Swedish - my name is not a hoax (For non-Swedish speakers: Renman means reindeer-man in Swedish). Lars Renman Lars Renman AMK, CTH/GU, G|teborg, Sweden tel. +46 31 772 2782 fax. +46 31 772 2785 ------------------------------ Date: Sat, 14 Aug 93 12:52:48 -0000 From: malcolm@muir.demon.co.uk ("Malcolm S. 
Muir") Subject: Re: Suspicious .COM files (PC) A.M.Zanker@newcastle.ac.uk writes: > I recently downloaded a file, SPORTS.ZIP from the CIX online system > in the UK. It's a program for determining the addresses of your serial > ports, I think. > > I scanned it with the new Central Point Anti-Virus version 2.0, which > contains a "virus analyzer" which looks for suspicious virus-like activity > in executable files. It reported a possible file virus in both the files > in the ZIP archive, DOCUMENT.COM and SPORTS.COM. I looked at both files > using a binary editor and discovered that they both have the string > > Hurray the crusades > > near the end of the file. Does this ring any bells with anyone? I've also > scanned with SCAN 106 and F-PROT 1.08 but neither detected anything. Both the .com files in this .zip are infected with a new strain of the butterfly virus. Everyone who downloaded the file (only a small number) in the 6 or so hours it was on line before the virus was detected (It passed the initial scrutiny for the same reason as you failed to detect the virus) has been notified by CIX and told how to remove the infection. It is a trivial non-destructive virus that does not go memory resident and only infects .com files. BTW I am a moderator of the conference that held the file at CIX. - -- ============================================================================= Malcolm S. Muir EMAIL: malcolm@muir.demon.co.uk Sunderland CIX: mmuir BIX: mmuir England CSERVE: 100012,31 ======================= PGP 2.0 Public Key Available ======================== ------------------------------ Date: Mon, 16 Aug 93 02:48:50 -0400 From: "Michal Weis or INFI" Subject: Re: Information on the 'Trident' virus (PC) > Trident? Which of scanners reported this name? I have not Trident virus(es) Trident polymorphics engine is reported as TPE. Scan also report this encryptor, but there is a 'little' problem - alots false alarms ;-) It's not easy to detect it and u must know how.... 
> in my collection, but several viruses contain internal string "Trident": Ooh, there is a little prbolem: "TridenT" is a name of virus research group. The member of this group, MK (such a 'east' name like Mas??? Kadif? - - I dont remember it exactly) done a polymorphic engine that is a MtE like (only a like, because this engine is not as good as Darkie's MtE, it use such a prototypes to create encryptor (thats why scan report so many false alarms, cause they use a debuger as for a MtE encryptor and they must use a large instruction set :-) So .... there are severals viruses by TridenT ... > BTW, did you have *real* attack? Maybe it's false alarm? Several scanners I > tested generate false alarms on testing the files for TPE-based viruses. lots of them generate false alarms... Regards, Mike - - This is not a trick, this is -- _ -------------------------------------- , _ _ | ) , /| / )/ ) |/ /| / | / / / /---' | ' \_/ / (_/|\ \_/ - -------------------------------- |_) ---- Origin: weis@cc.elf.stuba.cs --- ------------------------------ Date: Wed, 11 Aug 93 04:57:01 -0400 From: aryeh@mcafee.com (McAfee Associates) Subject: NSH152A.ZIP - NETSHLD 1.52AV106 antivirus NLM for Novell3.11 (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu: pd1: NSH152A.ZIP NETSHLD 1.52AV106 antivirus NLM for Novell3.11 NETSHIELD Version 1.52a fixes a problem in reading the configuration file from the 1.50 and 1.51 releases of NETSHIELD. No changes other than loading the new version should be necessary. NETSHIELD Version 1.52 automatically ignores changes made to the Novell NetWare bindery files NET$OBJ.SYS, NET$PROP.SYS, and NET$VAL.SYS when performing CRC checking for unknown viruses. This prevents NETSHIELD from reporting that these frequently-changing data files have been infected by a virus. 
VALIDATION DATA The validation results for Version 1.52a (V106) should be: NETSHIELD V1.52A(V106) (NETSHLD.NLM)S:127,728 D:08-05-93 M1: 0FB0 M2: 10FF NETSHIELD V1.52A(V106) (VIR.DAT) S:46,287 D:06-24-93 M1: 5209 M2: 1ED0 Regards, Aryeh Goretsky McAfee Associates Technical Support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95051- USA | USR HST Courier DS | America Online: McAfee ------------------------------ Date: Sat, 14 Aug 93 19:22:31 -0400 From: "William H. Lambdin" <73044.2573@compuserve.com> Subject: August 1993 LAT (PC) LAT 9308 August 14, 1993 +--------------------------+----------+---------+-----------+-----+ | SCANNER | COMMON | POLY- | ZOO |FLAGS| | | | MORPHIC | | | | | | | | | | |36 |56 |1502 1454| | +--------------------------+----------+---------+-----------+-----+ | F-Prot 2.09 |36 100% |56 100% |1480 98.5%| S | | TBAV 604 |36 100% |55 98.2%|1462 97.3%| GS | | Scan 106 |35 97.2%|52 92.9%|1376 91.6%| S | | | | | | | | Integrity Master 2.01 |36 100% |54 96.4%|1351 90.0%| GS | | Dr Sol A-V toolkit 6.18 |34 94.4%|29 51.8%|1346 89.6%| C | | VIRx 2.9 |34 94.4%|34 60.1%|1300 86.6%| S | | | | | | | | UT Scan 25.1 June 93 SIGS|29 80.1%|33 58.9%|1074 73.9%| CDG | | NAV 2.1 Aug 93 SIGS |29 80.1%|24 42.9%|1014 67.5%| C | | MSAV w/DOS 6.0 |28 77.7%|17 30.4%| 913 62.8%| D | +--------------------------+----------+---------+-----------+-----+ C- Commercial software D- This product does not scan for boot sector viruses inside droppers. This is why scanners that detect droppers were tested against 1335 viruses. Scanners that fail to detect droppers were tested against 1303 viruses. I tried to be fair. G- Generic Virus detector. 
The other utilities with this product may detect viruses that this scanner misses, so don't judge this product too harshly because the scanner isn't as effective as you would like. S- Share Ware or Free Ware procuct. A new version of Integrity Master should be released soon. I will test it next month. I Removed HTSCAN, and the Share Ware release of CPAV because the signatures were getting old. ======================================================================== I have tested the following generic products, and recommend them. FLAGS +------+ F-Prot Professional (Command Software Systems) | IV | Integrity Master (Stiller Research) |*ISV | PC-cillin (Trend Micro Devices) | ASV | PC-Rx (Trend Micro Devices) | ASV | TBAV (Thunderbyte) |*ISV | Untouchable (Fifth Generation Systems) | ISV | Victor Charlie (Bangkok Security Associates) |*BEISV| +------+ *-Share ware product A-Activity Monitor B-Uses Bait files that try to get infected by unknown viruses E-extract the signatures for unknown viruses I-uses integrity checking S-Stores System areas. Boot sector, and Partition table V-comes with a Virus scanner. I placed the generic virus detectors in alphabetical order. I do not recommend one product over another. All of them work differently and may not fit the way you use a computer, so request information on several before you decide. ======================================================================== I would like to thank most of these companies for providing me with evaluation copies of their software to test. If your company produces anti-viral software, and would like for me to test it in LAT, contact me at either of the addresses below. ======================================================================== These tests were performed on a 33 MHZ 486 Bill Lambdin 102 Jones Lane P.O. Box 577 East Bernstadt, Ky. 
40729

Internet address> 73044.2573@compuserve.com
Compuserve ID> 73044,2573

------------------------------

Date:    Fri, 13 Aug 93 16:02:19 -0400
From:    "Rob Slade"
Subject: "Link" virus (CVP)

DEFGEN6.CVP   930729

                              "Link" virus

This term will be familiar only to those using Atari and Amiga systems, but for others, this is simply the standard "file infecting" virus. For most people, this is what is thought of as a virus. (For most, that is, who have *any* accurate idea of what a virus is. For all too many people, a "virus" is simply any computer problem.)

File infecting viral programs "link", or attach, in many different ways. The largest number will place the bulk of the viral code at the end of the program file, with a "jump" command at the beginning of the file which "points" to the main body of the virus. Some viral code attaches to the beginning of the file: simpler in concept but actually more difficult in execution. These two techniques are known as "appending" and "prepending" respectively, but the terms are used less than they used to be.

Some viral programs do not attach to the beginning or end of the file, but rather write their code into the target program itself. Most often this is done by simply overwriting whatever is there already. Most of the time the virus will also attach a jump command at the beginning of the program which points to the virus, but, on occasion, the virus will rely on chance to stumble on the code and run it. Of course, if a virus has overwritten existing code the original "target" program is damaged, and there is little or no possibility of recovery, other than by deleting the infected file and restoring from a clean backup copy. However, some overwriting viri are known to look for strings of null characters. If such can be identified, the viral code can be removed and replaced with nulls again. (The Lehigh virus, for example, attaches "behind" the COMMAND.COM file in a sense, but overwrites slack space at the end of the file so as not to change the file size.)

Some viri do not physically "touch" the target file at all. There are two ways to "infect" in this manner. One method is quite simple, and takes advantage of "precedence" in the system. In MS-DOS, for example, when a command is given, the system checks first for internal commands, then COM, EXE and BAT files in that order. EXE files can be "infected" by writing a COM file in the same directory with the same filename.

The second method is more difficult. "FAT" or "system" viral programs, such as DIR-II, will not change the target program, but will change the FAT (file allocation table) entry for the program so as to point to the virus. Therefore, the original file will not be changed, but when the target program is called, the virus will be run first instead.

copyright Robert M. Slade, 1993   DEFGEN6.CVP   930729

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      |  key to continue.'
Research into  rslade@cue.bc.ca         |  I can't find the
User           p1@CyberStore.ca         |  'Any' key on my
Security       Canada V7K 2G6           |  keyboard."
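Three of the linking styles in the column above leave traces a checker can look for: an appending infector leaves an entry-point JMP that lands in code glued onto the end of a .COM file, a "precedence" companion leaves a same-named COM beside an untouched EXE, and a slack-space overwriter such as the Lehigh case changes the bytes but not the size, so only a stored content hash (the approach of the integrity checkers listed in the LAT post) catches it. The Python below is an added example for this digest, not code from Rob Slade's column or from any product named here. The function names, the tiny .COM images, the marker string standing in for a virus body and the DOS path names are all constructed for illustration; nothing in it is executable virus code.

```python
"""Checks for the three "link" styles in the column above. Added example, not
code from the original VIRUS-L post; all byte strings and DOS path names are
constructed, and the "body" is an inert marker, not virus code."""
import hashlib
import ntpath
import struct
from collections import defaultdict

COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at CS:0100h; entry is 0100h


def entry_jump_target(image: bytes):
    """File offset that a JMP at the .COM entry point lands on, or None if the
    first instruction is not a JMP. E9 rel16 (near) and EB rel8 (short) are
    relative to the next instruction; the memory address is mapped back to a
    file offset."""
    if len(image) >= 3 and image[0] == 0xE9:
        rel, next_ip = struct.unpack_from("<h", image, 1)[0], COM_LOAD_OFFSET + 3
    elif len(image) >= 2 and image[0] == 0xEB:
        rel, next_ip = struct.unpack_from("<b", image, 1)[0], COM_LOAD_OFFSET + 2
    else:
        return None
    return next_ip + rel - COM_LOAD_OFFSET


def looks_appended(image: bytes, tail_fraction: float = 0.25) -> bool:
    """Appending infectors patch a JMP at offset 0 into code glued onto the end
    of the file. Flag an entry JMP landing in the last `tail_fraction` of the
    file. Clean programs may open with a short JMP over data, so this is a
    heuristic, not a verdict."""
    target = entry_jump_target(image)
    if target is None or not 0 <= target < len(image):
        return False
    return target >= len(image) * (1.0 - tail_fraction)


def companion_pairs(paths):
    """Companion ("precedence") infection: the EXE is untouched but a same-named
    COM sits beside it, and DOS runs the COM first. Return (com, exe) pairs."""
    by_stem = defaultdict(dict)
    for p in paths:
        directory, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name)
        by_stem[(directory.lower(), stem.lower())][ext.lower()] = p
    return [(e[".com"], e[".exe"]) for e in by_stem.values()
            if ".com" in e and ".exe" in e]


def fingerprint(image: bytes) -> str:
    """Size plus SHA-256. A slack-space overwriter (the Lehigh case) keeps the
    size, so only a stored content hash catches it."""
    return "%d:%s" % (len(image), hashlib.sha256(image).hexdigest())


# --- constructed samples ---------------------------------------------------
# Minimal clean .COM: mov ah,4Ch / int 21h (exit to DOS), then 200 NOPs.
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x90" * 200                    # 204 bytes

# Appending-style infection: first three bytes replaced by a JMP to the end of
# the original image; the "body" keeps those three bytes so it could restore
# them before handing control back to the host.
_rel16 = len(CLEAN_COM) - 3                        # target ip minus next ip
FAKE_BODY = CLEAN_COM[:3] + b"VIRUS_BODY_STANDIN" + b"\x90" * 20   # 41 bytes
INFECTED_COM = b"\xE9" + struct.pack("<h", _rel16) + CLEAN_COM[3:] + FAKE_BODY

# Clean program that legitimately opens with a short JMP over two data bytes.
JMP_OVER_DATA_COM = b"\xEB\x02\x00\x00\xB4\x4C\xCD\x21"

# Lehigh-style: same size as CLEAN_COM, marker written into the NOP slack.
SLACK_OVERWRITTEN_COM = CLEAN_COM[:-18] + b"VIRUS_BODY_STANDIN"

# Directory listing with one EXE/COM companion pair (constructed names).
SAMPLE_DIR = [r"C:\DOS\EDIT.EXE", r"C:\DOS\EDIT.COM",
              r"C:\DOS\FORMAT.COM", r"C:\GAMES\EDIT.EXE"]


def report():
    """Run the three checks over the samples and return the findings."""
    return {
        "appended": {"clean": looks_appended(CLEAN_COM),
                     "jmp_over_data": looks_appended(JMP_OVER_DATA_COM),
                     "infected": looks_appended(INFECTED_COM)},
        "companions": companion_pairs(SAMPLE_DIR),
        "slack_size_changed": len(SLACK_OVERWRITTEN_COM) != len(CLEAN_COM),
        "slack_hash_changed": fingerprint(SLACK_OVERWRITTEN_COM) != fingerprint(CLEAN_COM),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, "->", value)
```

The entry-jump check is only a heuristic: the tail fraction is a guess at how much of a typical infected file the appended body occupies, and a legitimate program that opens with a jump past an initialised data area (the JMP_OVER_DATA_COM sample) is deliberately not flagged. The companion check needs nothing but a directory listing, which is why precedence infections are the cheapest to hunt for. The fingerprint only helps if it was recorded while the file was known clean, which is the whole premise of the integrity checkers in the LAT table; it says nothing about a file seen for the first time.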
------------------------------

Date:    Wed, 11 Aug 93 19:47:56 -0400
From:    fortrie@cipher.nl
Subject: Call for Papers IFIP SEC'94 Caribbean

=================================================================
   Call for Papers IFIP SEC'94 - updated information August 1993
=================================================================

***************************************************************
                 C A L L   F O R   P A P E R S
***************************************************************

Technical Committee 11 - Security and Protection in Information Processing Systems - of the UNESCO affiliated INTERNATIONAL FEDERATION FOR INFORMATION PROCESSING - IFIP, announces:

Its TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE, IFIP SEC'94, TO BE HELD IN THE NETHERLANDS ANTILLES (CARIBBEAN), FROM MAY 23 THROUGH MAY 27, 1994.

Organized by Technical Committee 11 of IFIP, in close cooperation with the Special Interest Group on Information Security of the Dutch Computer Society and hosted by the Caribbean Computer Society, the TENTH International Information Security Conference IFIP SEC'94 will be devoted to advances in data, computer and communications security management, planning and control. The conference will encompass developments in both theory and practice, envisioning a broad perspective of the future of information security. The event will be led by its main theme "Dynamic Views on Information Security in Progress".

Papers are invited and may be practical, conceptual, theoretical, tutorial or descriptive in nature, addressing any issue, aspect or topic of information security. Submitted papers will be refereed, and those presented at the conference will be included in the formal conference proceedings. Submissions must not have been previously published and must be the original work of the author(s). Both the conference and the five tutorial expert workshops are open for refereed presentations.

The purpose of IFIP SEC'94 is to provide the most comprehensive international forum and platform, sharing experiences and interchanging ideas, research results, development activities and applications amongst academics, practitioners, manufacturers and other professionals, directly or indirectly involved with information security. The conference is intended for computer security researchers, security managers, advisors, consultants, accountants, lawyers, EDP auditors, IT, administration and system managers from government, industry and academia, as well as individuals interested and/or involved in information security and protection.

IFIP SEC'94 will consist of a FIVE DAY - FIVE PARALLEL STREAM - enhanced conference, including a cluster of SIX FULL DAY expert tutorial workshops. In total over 120 presentations will be held. During the event the second Kristian Beckman award will be presented.

The conference will address virtually all aspects of computer and communications security, ranging from viruses to cryptology, legislation to military trusted systems, safety critical systems to network security, etc.

The six expert tutorial workshops, each a full day, will cover the following issues:

Tutorial A: Medical Information Security
Tutorial B: Information Security in Developing Nations
Tutorial C: Modern Cryptology
Tutorial D: IT Security Evaluation Criteria
Tutorial E: Information Security in the Banking and Financial Industry
Tutorial F: Security of Open/Distributed Systems

Each of the tutorials will be chaired by a most senior and internationally respected expert.

The formal proceedings will be published by Elsevier North Holland Publishers, including all presentations, accepted papers, keynote talks, and invited speeches.

The Venue for IFIP SEC'94 is the ITC World Trade Center Convention Facility at Piscadera Bay, Willemstad, Curacao, Netherlands Antilles.

A unique social program, including formal banquet, giant 'all you can eat' beach BBQ, island Carnival night, and much more will take care of leisure and relaxation time. A vast partners program is available, ranging from island hopping, boating, snorkeling and diving to trips to Bonaire, St. Maarten, and Caracas. A special explorers trip up the Venezuela jungle and the Orinoco River is also available. For families a full service kindergarten can take care of youngsters.

The conference will be held in the English language. Spanish translation for Latin American delegates will be available.

Special arrangements with a wide range of hotels and apartment complexes in all rate categories have been made to accommodate the delegates and accompanying guests. (*)

The host organizer has made special exclusive arrangements with KLM Royal Dutch Airlines and ALM Antillean Airlines for worldwide promotional fares in both business and tourist class. (**)

(*)(**) Our own IFIP TC11 inhouse TRAVEL DESK will serve from any city on the globe.

All authors of papers submitted for the referee process will enjoy special benefits. Authors of papers accepted by the International Referee Committee will enjoy extra benefits.

If sufficient proof (written) is provided, students of colleges, universities and science institutes within the academic community may opt for student enrollment. These include special airfares, apartment accommodations, discounted participation, all in a one packet prepaid price. (Authors' benefits will not be affected)

**************************
 INSTRUCTIONS FOR AUTHORS
**************************

Five copies of the EXTENDED ABSTRACT, consisting of no more than 25 double spaced typewritten pages, including diagrams and illustrations, of approximately 5000 words, must be received by the Program Committee no later than November 15th, 1993.

We regret that electronically transmitted papers, papers on diskettes, papers transmitted by fax and handwritten papers are not accepted.

Each paper must have a title page, which includes the title of the paper, full names of all author(s) and their title(s), complete address(es), including affiliation(s), employer(s), telephone/fax number(s) and email address(es). To facilitate the blind refereeing process the author(s)' particulars should only appear on the separate title page.

The language of the conference papers is English. The first page of the manuscript should include the title, a keyword list and a 50 word introduction. The last page of the manuscript should include the reference work (if any).

Authors are invited to express their interest in participating in the contest, providing the Program Committee with the subject or issue that the authors intend to address (e.g. crypto, viruses, legal, privacy, design, access control, etc.). This should be done preferably by email to < TC11@CIPHER.NL >, or alternatively by sending a fax message to +31 43 619449 (Program Committee IFIP SEC'94).

The extended abstracts must be received by the Program Committee on or before November 15th, 1993. Notification of acceptance will be mailed to contestants on or before December 31, 1993. This notification will hold particular detailed instructions for the presentation and the preparation of camera ready manuscripts of the full paper. Camera ready manuscripts must be ready and received by the Program Committee on or before February 28, 1994.

If you want to submit a paper, or you want particular information on the event, including participation, please write to:

IFIP SEC'94 Secretariat
Post Office Box 1555
6201 BN MAASTRICHT
THE NETHERLANDS - EUROPE

or fax to: IFIP SEC'94 Secretariat: +31 43 619449 (Netherlands)

or email to: < TC11@CIPHER.NL >

***************************************************************
Special request to all electronic mail readers: Please forward this Call for Papers to all networks and listservices that you have access to, or otherwise know of.
****************************************************************

Sincerely

IFIP TC 11 Secretariat

Call for Papers - updated information August 1993
=================================================================

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 113]
******************************************