To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #121

--------

VIRUS-L Digest   Tuesday, 14 Sep 1993   Volume 6 : Issue 121

Today's Topics:

Possible DOS/Windows virus... in the development stage? (!)
Mac's, Novelle & Viruses. (Mac)
Re: Mac's, Novelle & Viruses (Mac)
Viruses on Networks (PC)
Stone virus problem. (PC)
disabling BIOS floppy boot good boot sector protection? (PC)
Re: 1530 or SVC? Disinfection? (PC)
Problems with Scan107. (PC)
Re: virusses in .ARJ & .ZIP (PC)
VSHIELD V107 has problems (PC)
Stoned virus, need disinfector (PC)
Virex cannot fix active system (PC)
Re: Floppy disk virus (PC)
More on the strange strain... (PC)
Can TT font files be infected? (PC)
Re: CRUNCH21.COM (PC)
F-PROT & Blinker virus (PC)
DOS 6.0 and Michelangelo (PC)
Q: Chinese Fish (PC)
TBSCANX 6.05, DV & Qmodem (PC)
Needed: Info on Viruses on Novell Networks (Novell) (PC)
AntiExe (PC)
CIAC advisory - Satanbug virus (PC)
Polymorphism and variations (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 12 Sep 93 17:36:25 -0400
From: Rob_Slade@mindlink.bc.ca (Rob Slade)
Subject: Possible DOS/Windows virus... in the development stage? (!)

Certainly a strange letter, and I'm not in the least surprised at your concern. However, as far as I know, Cheyenne is legitimate. They make an antiviral called InocuLAN (which I have, but haven't gotten around to reviewing yet). The contact numbers I have for them are 800-243-9462 and 516-484-5110.

=============
Vancouver      ROBERTS@decus.ca      | "Remember, by the
Institute for  Robert_Slade@sfu.ca   | rules of the game, I
Research into  rslade@cue.bc.ca      | *must* lie. *Now* do
User           p1@CyberStore.ca      | you believe me?"
Security       Canada V7K 2G6        | Margaret Atwood

------------------------------

Date: Thu, 09 Sep 93 14:21:24 -0400
From: mukasa@panix.com (Kiggundu Mukasa)
Subject: Mac's, Novelle & Viruses. (Mac)

I help maintain an ethertalk and localtalk Mac network which is about to "go Novelle". I wanted to know: are there any viruses that will go from the Novelle system to the Mac? And which ones should I be on the look out for on this new mixed platform?? I also wanted to know if Disinfectant had been upgraded since 3.2.

Thanks a million in advance

Kiggundu

------------------------------

Date: Fri, 10 Sep 93 10:18:52 -0400
From: mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Mac's, Novelle & Viruses (Mac)

Kiggundu Mukasa asks...

> I help maintain an ethertalk and localtalk Mac network which is about
> to "go Novelle". I wanted to know are there any viruses that will go
> from the Novelle system to the mac?

There are no known viruses that affect both Macintosh and DOS workstations, so that's not something you need to worry about. What you DO need to watch out for is the fact that your Novell server(s) will look just like AppleShare servers to the Macintosh workstations.
As a result, Macintosh applications that reside on the servers can be infected unless you make certain that applications are stored in read-only directories. (This is always a good idea for file servers.) Applications on the servers that are ALREADY infected can, of course, also spread the infection to the workstations.

What's the gist of all this? Basically, you have to worry about the same issues with a Novell server being accessed by Macs as with an AppleShare server being accessed by Macs. Careful management will prevent most problems.

> I also wanted to know if Disinfectant had been upgraded since 3.2

Disinfectant 3.2 is the latest version. I believe Gatekeeper was the last Macintosh antiviral to be updated; it is now at version 1.2.8.

=========================================================================
Mark H. Anbinder             | Technical Support Coordinator
BAKA Computers Inc.          | mha@baka.ithaca.ny.us
200 Pleasant Grove Road      | (or) mha@tidbits.com
Ithaca, New York 14850 USA   | Phone 607-257-2070  Fax 257-2657
=========================================================================
"The difference between fiction and reality is that fiction has got to make sense." -- Tom Clancy
=========================================================================

------------------------------

Date: Thu, 09 Sep 93 11:56:39 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Viruses on Networks (PC)

From: Fabio Esquivel
Subject: 1530 or SVC? Disinfection? (PC)

>- - Scan 107 called it "June1530" with the ID J1530| (which
>    does not appear in the VirList.TXT file).

>What can I do? The network cannot be shut down: it must be working
>24 hours a day. We are losing time and money with those several
>workstations that refuse to login into the network. The most recent
>copies of the BEST worldwide antivirus softwares (FProt and ViruScan,
>of course) refuse to disinfect this virus...
We ran into this problem about two years ago (and, I think, discussed it here quite extensively) but maybe it is time to rehash. I am going to use SCAN as an example here because I know the necessary syntax, though any scanner that detects the virus in memory and returns an ERRORLEVEL can be used.

The technique is like this (note: valid only on true client-server networks. If you have a peer-peer system IMHO you have little hope):

1) Take down the server and restore infected programs from uninfected backups. (Last time I did it was between 2 and 4 am one night)

2) Make all files in the login script process execute only and put SCAN.EXE in the same directory (also execute only)

3) Add the line "SCAN NUL /M" to the login script and follow with a line like "IF ERRORLEVEL 1 GOTO VIRUS"

4) Under VIRUS add lines that will identify the client, send a message to both client and administrator, and then lock the client machine up. (eg ":self goto self" is effective)

This will identify infected clients and deny them the ability to infect your system. I have used it successfully on hundreds of Novell networks. The users are going to complain about the added time it takes to login. Tough. (If you do not have this level of control over the network, you have other problems).

The first time I ran into this situation ("Oh we can't take the server down, we'll lose xxx million dollars a day..."), I used a little file called Canary that just checksummed itself and returned a non-zero errorlevel on failure. Effective for Jerusalem and Sunday but useless against "stealth". Just copied a fresh one into a R/W directory for each user. Fast and effective at the time but not a global solution today.

"SCAN NUL /M" or any other effective scanner with this ability is better and will handle your problem, though a "1991" solution and not a "state of the art" one since it can detect an infection only *after* it has happened.
Real integrity management on every client, verified/updated from the server, is best since "unknown" viruses are detectable and it does not have to involve any lengthy scans - even just of memory. My stuff is designed to prevent the infection in the first place, as are products like McAfee's VShield/Chkshld, Frisk's resident driver, Dr. Panda's BEARTRAP, and several others, yet no one seems to use these. IMHO it is way past the time for effective layered control of viruses.

Warmly,

Padgett

------------------------------

Date: Thu, 09 Sep 93 12:57:43 -0400
From: wirth@NADC.NADC.NAVY.MIL (B. Wirth)
Subject: Stone virus problem. (PC)

I have encountered a standard stone virus on a hard drive. The drive is divided into two logical partitions. F-Prot v2.09 detected the virus. It was removed from the first partition, but F-Prot v2.09 can not remove it from the second partition. It states that the MBR can not be found on the second drive (Drive D:). I run SCAN 9.17 v106 and there is no sign of the virus detected on any drive. I did not find any signs of the virus active at boot time. Any suggestions as to how to clean the second partition? Whatever help can be suggested will be greatly appreciated.

Thanks in advance.

------------------------------

Date: Thu, 09 Sep 93 17:42:22 -0400
From: "James W. Kaiser"
Subject: disabling BIOS floppy boot good boot sector protection? (PC)

Hello in virusland. I'm a relative newcomer to this group (2-3 weeks), but have read the FAQ and have followed the group for a bit. On my new computer, the BIOS setup allows for booting from floppies to be disabled. Since I would normally only boot from a floppy if something were wrong with the hard disk and/or to check the hard disk for infection, this seems like a good way to protect against a floppy-transmitted boot sector infector. If booting from a floppy is necessary, the BIOS setup could easily be turned back on. Does this make sense, or am I just being naive?
A related question: I have a friend who got infected by a boot sector virus and claims the machine was _never_ booted with the infected floppy in the machine. I don't see how this is possible. I suspect it actually happened but he just doesn't remember it. Is it possible?

BTW, I am running SCAN 106, duly institutionally licensed, at work and will be using F-Prot 2.09d at home.

Thanks.

**************************************************************************
James W. Kaiser                  email: james.kaiser.1@nd.edu
Chief Engineer, Physics Dept.    phone: (219)631-6808  fax: (219)631-5952
108 Nieuwland Science Hall, University of Notre Dame, Notre Dame, IN 46556
**************************************************************************

------------------------------

Date: Thu, 09 Sep 93 18:49:19 -0400
From: vfreak@aol.com
Subject: Re: 1530 or SVC? Disinfection? (PC)

>Should I send it to Fridrik and Aryeh and wait for good news?
>Should I reinstall ALL the software in EVERY workstation from
>the non-infected original IBM disks (very time-consuming)?

SVC is a resident file infector. I would suggest for you to send copies to Frisk and Aryeh. If you can not wait for a removal routine for the virus, cold boot (turn off the computer, and reboot a few seconds later) from a known clean, write-protected bootable diskette, then scan the workstations with F-Prot or Scan 107 from known clean diskettes. Delete the infected files, and restore those files from backup or original diskettes. Re-boot the workstation, and move to the next.

Hope this helps.

Bill

------------------------------

Date: Fri, 10 Sep 93 03:35:37 -0400
From: meb@deakin.OZ.AU (Matt Bottrell)
Subject: Problems with Scan107. (PC)

Dear Netters,

Hopefully someone can shed some light onto the problem I've run into. I ftp'ed down a copy of scanv107.zip from mcafee.com. Unzipped the file and tried scanning my 150Mb hard-disk.
(The options I used are below)

Scan C: /m /a /chkhi

This should result in the C drive being scanned with memory scanned up to the 1088k area. Also all files should be scanned. This works fine until I get into my C:\DOS directory, where an error occurs. The program aborts and reports that it needs 390k more RAM. This is quite strange because before running the program it has 586k out of a possible 640k conventional memory free.

Has anyone else suffered anything similar to this....and if so how did they get it up and running? I have posted to support@mcafee.com but I am still waiting for an answer (could take a while I guess). I re-ran my scan106 without a hitch and it reported no viruses even with the new version of scan, however I would like to get the newer version running. Could this just be a bug-ridden version?

Please Email me at the address below as I do not read all the newsgroups this letter has been posted to. Any tips or help would be most appreciated.

FYI: Running MS-DOS 6.0, Stacker 3.1. Conventional memory free: 586k. Also running NDOS.COM (a COMMAND.COM replacement) which comes from Norton Utilities 7.01.

Regards,
Matt.

_____________________________________________________________________________
meb@deakin.edu.au           _--_|\    Matt Bottrell
MBottrell@cmutual.com.au   /      \   Computer Science                  Phone: +61 3 607 6398
                           \_.--.*/   Deakin University, Geelong Campus  FAX: +61 5 274 1951
                                 v    Waurn Ponds, Victoria 3217 AUSTRALIA

------------------------------

Date: Fri, 10 Sep 93 07:43:24 +0000
From: joedal@dfi.aau.dk (Lars Joedal)
Subject: Re: virusses in .ARJ & .ZIP (PC)

uttsbbs!timothy.lam@uunet.UU.NET (Timothy Lam) writes:

>[Even scanning all files does not catch viruses in ZIP, ARJ... files]
>What you can do for the next step is to D/L a file used to
>do the procedure like UNZIP->SCAN->ZIP
>and so you can fully check if your user uploaded any viruses....

Even better, unzip the files, scan them, and delete the unzipped files, keeping the original ZIP file. Why?
Because this way there is absolutely no chance to *add* a virus to the files. That might happen if the packed files were OK, but your machine was infected (with a brand-new virus that SCAN didn't find, or a stealth virus active in memory, or ...). Granted, it's not a probable scenario, but it is possible. Keeping the original archives unchanged is always a bit safer than repacking them. Besides, you save the time needed to repack.

+------------------------------------------------------------------------+
| Lars Jødal                | Q: What's the difference between a quantum |
| email: joedal@dfi.aau.dk  |    mechanic and an auto mechanic?          |
| Physics student at the    | A: A quantum mechanic can get his car into |
| University of Aarhus      |    the garage without opening the door.    |
| Denmark                   |                             -- David Kra   |
+------------------------------------------------------------------------+

------------------------------

Date: Fri, 10 Sep 93 07:03:56 -0400
From: greg.mcclure@mwcsinc.muug.mb.ca (Greg Mcclure)
Subject: VSHIELD V107 has problems (PC)

WL> Date: Fri, 03 Sep 93 09:52:16 -0400
WL> From: as789@cleveland.freenet.edu (Francisco J. Diaz)
WL> Subject: Vshield v107 (PC)

WL> I was just trying to get Vshield to loadhi under MSDOS 6.0/QEMM
WL> combo and while it worked fine before, now it refuses to loadhi.
WL> I guess there is some incompatibility between the 2 programs.
WL> There's a lot of upper memory available and I have tried many
WL> different combinations using Vshield's options and still have the
WL> problem. Can any1 help me out on this one? Thanks!

Yes, there is a problem with version 107 of Vshield and McAfee is looking into it. Also Scan v107 has a problem when doing a lot of scanning, ie. your entire hard disk.
Scan will indicate that it requires more memory, about 390K, even though you may have more than

(204) 943-6507, 08, 09 HST Dual Standard (16.8)
(204) 942-0BBS 2400/fax gateway
(204) 956-4997 HST

------------------------------

Date: Fri, 10 Sep 93 08:55:23 -0400
From: fergus@odyssey.ucc.ie (Fergus Somers)
Subject: Stoned virus, need disinfector (PC)

Does anyone know of a site where I can get my hands on a disinfector for the Stoned virus (on a floppy disk at least)? I have heard about one called ANTIMARI.COM which deactivates the virus in RAM and restores the boot sector to its correct place. I would appreciate any information as I need to get rid of this virus in a bit of a hurry.

Thanks,
Fergus
e-mail: fergus@odyssey.ucc.ie

------------------------------

Date: Fri, 10 Sep 93 19:29:52 -0400
From: REPSTEIN@biomed.med.yale.edu (Richard Epstein)
Subject: Virex cannot fix active system (PC)

Dear Virus Experts:

How does one use Virex to fix an infected system file that is the active system? It's not my system so I don't have many more details, except of course, it's a Mac.

Thanks in advance,
Richard W. Epstein
repstein@biomed.med.yale.edu

------------------------------

Date: Sat, 11 Sep 93 14:41:21 -0400
From: belinda@po.EECS.Berkeley.EDU (belinda)
Subject: Re: Floppy disk virus (PC)

Gary Heston wrote:

>s9018166@pewter.spectrum.cs.unsw.OZ.AU (Elisa Aquino) writes:
>>I don't know how to fix my computer because i think it is infected by
>>virus.
>
>>1. Drive A just can read first disk. Even u put second disk , directory
>>   will show the same as first disk.
>>2. After I read drive B , then drive A is reset to read first disk but
>>   it is the same after puting another disk.
>
>It sounds like your A drive has a bad disc-change sensor. Try pulling
>the drive out and cleaning any lint or dust from it (compressed air
>...
..and when all else fails, try adding this line to your CONFIG.SYS:

drivparm=/d:{drive number} /c /f:{drive type}

where {drive number} can be:

0 = drive A
1 = drive B
2 = drive C
and so forth

You'll especially need the '/c' to enable disk drive change-line support.

{drive type} can be:

0 = 160/180/320/360KB
1 = 1.2MB
5 = Hard Disk
6 = Tape
7 = 1.44MB
8 = Read/write optical disk
9 = 2.88MB

Issuing the CHKDSK A: command before DIR A: also forces DOS to read the drive properly.

------------------------------

Date: Sat, 11 Sep 93 15:41:30 -0400
From: Fabio Esquivel
Subject: More on the strange strain... (PC)

Hi gang.

I was testing the virus I found the other day. It infects COM and EXE files by attaching itself at the end of the files and changing the initial JMP instruction to point to itself. The virus hides the file size change when active in memory. Once it is resident, it hooks interrupts 8, 13h and 21h, and steals 2960 bytes from the top of RAM. On files, the virus appends 2936 bytes on COMs and EXEs, with its code.

VSumX307 does not give me a clue about which one this virus is. There is no virus in the Length Reference whose size is exactly 2936 bytes. Anyway, I'll send the copy to Frisk and Aryeh by private e-mail.

Thanks,

DATA SEGMENT PARA PUBLIC
name     DB 'Fabio Esquivel'              ; C:\> dir a:
bitnet   DB 'fesquive@ucrvm2.bitnet'      ; Virus found in drive A:
internet DB 'fesquive@ucrvm2.ucr.ac.cr'   ; Install, Kill, Panic?_
DATA ENDS

------------------------------

Date: Sun, 12 Sep 93 02:07:49 -0400
From: prm@rz.uni-jena.de (Ralf Muschall)
Subject: Can TT font files be infected? (PC)

The problem came to my mind by a recent question in this group, where somebody had a possibly infected file 'pcplus.fon'. Since True Type fonts begin with the 'Mark Zbikowski' magic number, a virus could think they are executables and attach itself to them. The question is now: Does this happen? If it happens, is it important (i.e. are fonts executed by MS Windows or only treated as data)?
If both are true, do scanners take care of that fact? The same problem is represented by many other files (particularly in MS Windows) too; I just remember that the screensavers are renamed executables.

Ralf

- --
- --
#include
PGP 2.1 key obtainable with finger prm@hpux.rz.uni-jena.de (or from public key servers)

------------------------------

Date: Sun, 12 Sep 93 13:29:31 -0400
From: blah@netcom.com (baby copperfield)
Subject: Re: CRUNCH21.COM (PC)

vfreak@aol.com writes:

>Steven Hoke uploaded CRUNCH21.COM to the Metaverse BBS last night and
>requested that I forward it to the A-V developers..

it was also 'slipped' into various networks (fidonet,etc.) as a uuencoded message. i would suggest anyone receiving a copy of this program in a message marked "TO: ALL" via Fidonet or any gated network just delete it.

>It will not go resident without an affirmative response.

it did not go resident with your test. are you sure that upon subsequent executions it may go resident without permission? i am asking because some users may read what you said here, and assume it to be the case, that it -WILL NOT GO RESIDENT-. in the event that it may indeed go resident on the fourth or fifth execution, or, in the event there are soon similar viruses (such as i just described), for my peace of mind, i'd like to know if someone has actually examined it to ascertain it -will not EVER-, not just in x number of executions. i have not examined it.

>I ran the bait files again, and they still ran properly. They were not
>overwritten, just compressed, so it's not easy to tell the size of this
>thing.

did you attempt this on various types of files? if i recall correctly, the original cruncher would render some programs unusable, particularly programs that used self checking functions, and some overlays.

>Since this requests permission, it shouldn't really be called a virus. I am
>open to suggestions on what this type of program should be called.
in my opinion, it does not matter if it requests permission or not. there are other viruses that 'request permission'; and asking permission is not, as far as i know, a prerequisite for determining the behaviour of a program 'virus'.

>This thing attaches to .COM and .EXE files, but ignores COMMAND.COM.

the original cruncher would ignore all files beginning with certain two letter pairs: CO, VS, HT, TB, RA and several others. this would explain ignoring command.com, if it has not been changed. does it (the new one) contain the same 'to be avoided' strings as the old one?

>I am sending the first and second generation of this to David Chess,
>Fridrik Skulason, and Wolfgang Stiller.

i might suggest you send a copy to fred cohen :) it was mentioned he was interested in the original, which i sent to him via post mail. (he said he preferred this to email, if he's watching, i never did hear if he got the virus :). the original contained greetings to him, and the author of the original mentioned he would like it passed along to fred, so i did. he may be interested in the followup; by the way, does the follow-up contain text to indicate it is a new version, or is it just updated by the inclusion of a 'permission' routine?

>Bill Lambdin

- --
SGordon@Dockmaster.ncsc.mil / vfr@netcom.com
bbs: 219-273-2431   fidonet 1:227/190 / virnet 9:10/0
p.o. box 11417 south bend, in 46624
you are only coming thru in waves..your lips move but i cant hear what you say

------------------------------

Date: Fri, 10 Sep 93 12:13:00 -0600
From: dave.loschiavo@cld9.sccsi.com (Dave Loschiavo)
Subject: F-PROT & Blinker virus (PC)

Does anyone out there have any experience with F-Prot and the "Blinker" virus? I recently had a comm utility quit while I was running it and I received the message "- Message Blinker: Fatal runtime error 1211". I don't know if that is an F-Prot warning, an error message from my comm program or a DOS warning.
The only reasons I have to suspect that it's a virus are that there is a virus named Blinker, and that I'm having general problems with my system. I ran F-Prot in Security and in Heuristic and both scans came up clean, as did MS DOS Vscan. Any help or advice would be most sincerely appreciated.

- ---
* RM 1.0 * Eval Day 14 * Hardware: The part you kick.
* R109U:* Usenet * Nitelog BBS * Monterey CA * 408-655-1096

------------------------------

Date: 12 Sep 93 21:22:26 -0500
From: jkb@matt.ksu.ksu.edu (Jeff Baker)
Subject: DOS 6.0 and Michelangelo (PC)

I know this has probably been discussed many times, but does Microsoft anti-virus say that Michelangelo is always present when McAfee and Norton don't? Is there a patch out there via ftp at mcafee.com or somewhere?

Thanks, I know it is repetitious.....

Jeff

------------------------------

Date: Mon, 13 Sep 93 02:38:15 -0400
From: kring@siebk.enet.dec.com (Matthias Kring)
Subject: Q: Chinese Fish (PC)

A friend of mine detected a virus that F-PROT 2.09 identified as "Chinese Fish". (It was on a floppy of a big German PD-Distribution company). But F-PROT's virus information does not tell anything about this virus. So, what is it? Is it a harmful virus, and what's the best way to disinfect?

Thanks,
Matthias

- ----------------------------------------------------------------
Matthias Kring   kring@sieus2.enet.dec.com   INTERNET
                 - or - SIEBK::KRING         EASYNET
===== A computer virus is not a program, it's an antigram =====

------------------------------

Date: Mon, 13 Sep 93 05:51:51 -0400
From: as789@cleveland.freenet.edu (Francisco J. Diaz)
Subject: TBSCANX 6.05, DV & Qmodem (PC)

Hi All!

I just started testing TBAV 6.05 in one of my systems and I'm having the following problem: I use 4DOS/MSDOS 6.0/QEMM 7.01 combo and when I run Desqview and try to open a Qmodem window TBSCANX gives this message:

"DV.COM tries to trace through the DOS int 21h code. Viruses do this to bypass anti-virus software! Reboot?
(Y/N)"

It then locks up no matter which options I use in my autoexec.bat. Can anyone tell me how to fix this problem? Presently I use the command TBSCANX A L in my autoexec and I just disable it before going into Desqview, but there must be some other way to fix it. Any suggestions? Thanks!

- --
| Francisco J. Diaz Rivera  | Freenet: as789@cleveland.freenet.edu |
| University of Puerto Rico | Internet: 841901723@cutb.upr.clu.edu |
| Hey Waitress! There's a pubic hair in my soup!                   |
| "Don't give up, don't ever give up" - Jim Valvano                |

------------------------------

Date: Fri, 10 Sep 93 11:31:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Needed: Info on Viruses on Novell Networks (Novell) (PC)

Hugh Whalen asks:

> My recollection was that the Novell software could not be infected

True!

> but that if an administrator allowed users to store and shared
> executeable files on the server that a virus could be propagated this way.

True!

> (Thus allowing individuals to upload and share executables was not
> wise.) The consensus was that barring this it was difficult for a virus to
> propagate across a network.

"Difficult" is not the right term in this case, as there is no definition to the amount of difficulty. Viruses CAN propagate via networks only if one user can see and use what another user did! Sharing executable files (that are not ReadOnly, and if the user does not have rights to change that status) is the perfect way to infect everyone.

> Is my recollection correct? Does anyone have anything
> to add to this.

One more thing: there is a way (used by the NetCrasher virus) to allocate memory on the server from a simple station; this will result in crashing the server, but the virus does not propagate this way.

If you look at the collection of VIRUS_L_DIGEST, somewhere you'll find a lot of letters on the subject. Give it a try...

warmly

* Amir Netiv.
V-CARE Anti-Virus, head team *

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 14 Sep 93 01:04:04 -0400
From: asutjian@utdallas.edu (Atma Sutjianto)
Subject: AntiExe (PC)

Hi,

I just wonder if there is an AntiExe virus removal program??

Thank you!

cheers
Atma

- --
__ \ \ _ _ ,---------------------------, \**\ ___\/ \...............| ++atma; | X*#####*+~~\_\ `---------------------------'

------------------------------

Date: Sat, 11 Sep 93 00:13:59 -0400
From: fergp@sytex.com (Paul Ferguson)
Subject: CIAC advisory - Satanbug virus (PC)

_______________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___
_____________________________________________________

Information Bulletin

Satan Bug Virus on MS-DOS computers

September 4, 1993 1000 PDT                                   Number D-22
__________________________________________________________________________

NAME:      Satan Bug virus
PLATFORM:  MS-DOS/PC-DOS Computers
TYPE:      Memory resident, polymorphic, encrypted
DAMAGE:    Infects .COM, .EXE, .SYS, and .OVL files. Damages infected files, makes LANs inaccessible by damaging the LAN drivers.
SYMPTOMS:  Files grow at each infection, file dates change, files on LAN file servers become inaccessible.
DETECTION: DataPhysician Plus 4.0D, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions.
__________________________________________________________________________

Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously thought to be contained, has been located at multiple sites in the "wild." The Satan Bug virus is an encrypted, polymorphic virus that infects all .COM, .EXE, .SYS, and .OVL files on MS-DOS/PC-DOS computers.

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and then infects COMMAND.COM.
Thereafter, whenever an executable file is opened or executed it is infected with the virus. Infected files grow in size from 2.9K to 5.4K bytes, and the creation date is increased by 100 years.

Potential Damage

It does not appear that this virus does any intentional damage, but infected files may be inoperative. In addition, the virus is not easily removed from infected files, requiring that they be replaced with uninfected copies from backup disks (See Appendix). The virus damages network drivers, making it impossible for a machine to connect to a network and use network services.

Detection

Anti-virus scanners dated before August 1993 that use virus signature scanning will not be able to recognize this virus. Anti-virus scanners that use file signature scanning should be able to detect that the files have been changed, but will not be able to name the virus. Most anti-virus scanner vendors are updating their programs at this time, so scanners dated after August 1993 should be able to detect the virus by name. As of the release of this bulletin, McAfee's SCANV 106 and Norton AntiVirus version 2.1 with the August 1993 virus definitions update are known to detect it. The DataPhysician Plus package (VirHunt, ResScan) version 4.0D is in final testing and will be available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on your disk will be infected. Virus scanners must open a file to scan it, and if this virus is in memory, the act of opening the file for scanning will infect it. Most scanners first check themselves to see if they are infected with a virus, and display a "Virus Found" or "File Damaged" message when they start up. If this happens, do not scan your disk with this scanner. Even if the scanner claims that it can remove the virus from itself, don't scan your disk with it. The memory resident portion of the virus will still infect your disk.
To scan a computer infected with a memory resident virus like the Satan Bug virus, you must boot the computer with a clean (uninfected), locked floppy that contains a clean version of the virus scanner software. Delete any infected files the scanner finds, and replace them with fresh copies. See the Appendix for more information.

For More Information or Assistance

If you require additional information or assistance, please contact CIAC at:

Phone:  (510) 422-8193 / FTS
FAX:    (510) 423-8002 / FTS
E-mail: ciac@llnl.gov.

CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx of NAVCERT for their help in preparing this bulletin.

- ---------------------------------------------------------------------------

Appendix - Scanners, Encrypted Viruses and Removing Memory Resident Viruses

The following appendix answers some frequently asked questions about virus scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files: scanning for virus signatures, and scanning for changes in executable files. A signature scanner must have a string of bytes or signature that it can detect in a file that uniquely identifies a virus. If a virus does not contain a known signature, then the scanner will not detect it. File scanners look at a file's attributes, creation date and time, length, checksum, file header, and other properties to determine if a file has changed. A file scanner can detect a new virus, but can not tell what virus it is. Actually, a file scanner can not tell if a file is infected by a virus, only that a file has changed in some way. However, any changes in executable files should be viewed with a lot of suspicion. Few executable files rewrite themselves after installation. None of the DOS utility programs (FORMAT, ASSIGN, etc.) should ever change during normal use, so view changes there as a probable virus infection.
Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove from an infected program. Most viruses of this type attach themselves to the end of a program, and then remove a small piece from the beginning of the program and insert code there that causes the virus code to be run first. When the virus code completes running, it executes the small piece of code it removed from the beginning of the program and then continues with the original program. That way, when you run an infected program, you will only notice a slight hesitation at the beginning when the virus code runs, and then the infected program runs like normal. Encrypted viruses store this piece of the normal program within the virus code and then encrypt the virus code. For an anti-virus program to be able to patch an infected program, it must be able to decrypt the encrypted virus to find the piece of missing code so that it can be put back where it belongs. The Satan Bug virus has up to nine levels of encryption, the level being different for each infection. Decrypting this much code is a very difficult process, so most anti-virus programs are not expected to be able to repair programs infected with the Satan Bug virus. On the other hand, some file signature scanning programs may save enough of the scanned files to be able to repair an infected program. The Data Physician Plus package does save a sufficient amount of information to be able to repair a program infected with the Satan Bug virus. However, you must have created the file signature file before your program was infected. Again, if at all possible, you should always replace infected files rather than repairing them to ensure that you have undamaged copies.
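As an added example, not code from the CIAC bulletin or from any product it names, the change detection and the saved-information repair the appendix describes, in Python: a baseline records each executable's length, checksum and first 64 bytes (the prefix length, the stand-in file and the tampering in demo() are assumptions constructed for the demo); check() reports changed files without naming any virus, and repair() restores the saved prefix and original length only when the result matches the recorded checksum, otherwise leaving the file for replacement from backup.

```python
import hashlib
import tempfile
from pathlib import Path

PREFIX_LEN = 64  # assumption: covers the entry bytes an appending infector patches

def fingerprint(path):
    """What the change detector records, plus the bytes needed for repair."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "prefix": data[:PREFIX_LEN].hex()}

def check(baseline):
    """(path, reason) for each file whose contents changed; no virus is named."""
    findings = []
    for path, ref in baseline.items():
        cur = fingerprint(path)
        if cur["sha256"] != ref["sha256"]:
            grown = cur["size"] - ref["size"]
            reason = f"changed, size delta {grown:+d} bytes"
            # growth in the bulletin's 2.9K-5.4K range with a rewritten start is
            # the shape of an appending infector: flagged, but still not a name
            if 2900 <= grown <= 5400 and cur["prefix"] != ref["prefix"]:
                reason += "; resembles an appending infector"
            findings.append((path, reason))
    return findings

def repair(path, ref):
    """Put the saved prefix back and cut to the original length; keep the result
    only if it matches the recorded checksum, else leave the file for replacement."""
    data = Path(path).read_bytes()
    restored = bytes.fromhex(ref["prefix"]) + data[PREFIX_LEN:ref["size"]]
    if hashlib.sha256(restored).hexdigest() != ref["sha256"]:
        return False
    Path(path).write_bytes(restored)
    return True

def demo():
    """Constructed scenario: baseline a stand-in program, alter it the way the
    bulletin describes (start patched, body appended), detect, then repair."""
    with tempfile.TemporaryDirectory() as d:
        exe = str(Path(d) / "TOOL.EXE")
        orig = b"MZ" + bytes(range(256)) * 8  # 2050-byte stand-in, not real code
        Path(exe).write_bytes(orig)
        base = {exe: fingerprint(exe)}
        # constructed tampering: entry bytes overwritten, inert 3000-byte body appended
        Path(exe).write_bytes(b"\xcc" * 16 + orig[16:] + b"\x90" * 3000)
        hit = check(base)
        fixed = repair(exe, base[exe])
        return hit, fixed, check(base)
```

Repair only succeeds when the patched piece fits inside the saved prefix; a larger patch fails the checksum check and the file is left alone, which is the case the bulletin answers with "replace from backup".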
Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program virus, you first need to get the virus out of memory, then you need to scan the disk with an uninfected copy of the virus scanner. To get the virus out of memory, boot your computer with a clean, locked boot disk. Then you can scan the hard disk using an anti-virus scanner, also located on a locked disk.

The following steps can be used to disinfect systems infected with memory resident program viruses such as the Satan Bug. They are also applicable to non-memory resident program viruses, but are not applicable to boot sector viruses and partition table viruses, which need additional steps.

1. You need a locked, uninfected emergency boot floppy disk that contains the virus scanner, FORMAT.EXE, SYS.COM, FDISK.COM, and any disk management software needed to access your hard disk such as DiskManager. You also need simple CONFIG.SYS and AUTOEXEC.BAT files that let you bring up your system in a limited way, and any backup/restore software you may use. You need to have made this disk before your system gets infected, or make it on some other uninfected machine.

2. Boot the infected computer with the locked, uninfected floppy.

3. Run the copy of the virus scanner on the uninfected floppy and scan the hard disks on the infected computer.

4. Once the scan has completed, delete any infected files the scanner found and scan the disk again. Repeat this step until no more infected or changed files are found. Alternately, you can let the scanner disinfect all the files if it can, but this is not always possible or preferable.

5. When the scanner indicates that the hard disk is clean, restore the system using the SYS command. This step replaces the invisible system files, COMMAND.COM, and the boot sector.

6. Restore any deleted executables from your locked master disks or backup sets.

7. Scan the disk again with your virus scanner.
   Note that at this point, the scanner may detect changes in some files because you have copied in new versions. If the scanner detects a virus, then delete the infected file. Later you will need to scan your source disk for that infected file, to see if it is infected as well.

8. Remove the emergency floppy and reboot the computer. Your computer should boot up correctly.

9. Insert the emergency floppy and run the scanner again just to be sure you have gotten every infected file.

10. Start scanning any floppy disks that may have been infected by your computer. Keep in mind that the virus could have been active for months before you discovered it.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

Paul Ferguson              | privacy \'pri-va-see\ n, pl, -cies;
Mindbank Consulting Group  | 1: the quality or state of being apart
Fairfax, Virginia USA      | from others 2: secrecy
fergp@sytex.com            |
ferguson@icp.net           | Privacy -- Use it or lose it.

------------------------------

Date: Sun, 12 Sep 93 03:34:37 -0400
From: "Rob Slade"
Subject: Polymorphism and variations (CVP)

DEFGENA.CVP   930819

Polymorphism and variations

The latest development is the polymorphic "engine". This is not a virus as such, but code which can be added to *any* virus in order to make it polymorphic. The most widely known of these is the "Mutating Engine", known as MtE, written by the virus writer who identifies himself as the Dark Avenger. There *is* no MtE (or DAME: Dark Avenger's Mutating Engine) virus; only other viri which have had the code attached. MtE is not the only such program around; many others have been developed, such as the more recent model known as TPE (Trident Polymorphic Engine). (vx groups tend to have as little imagination in naming as in programming.)

The polymorphic engines are sometimes confused with "virus kits". The polymorphic engine, if properly attached to the original virus, will "reform" the viral code on each new infection. A virus kit is a program to automate the actual writing of a virus. The user picks characteristics from a menu of choices, and the kit program sticks together pre-programmed pieces of code to make a virus for you. A polymorphic engine, then, is code added to a virus to make the same virus change its appearance each time it reproduces. A virus kit is a non-replicating, non-viral program which automates the process of generating viral programs, each with different characteristics.
Unless polymorphism is one of the options chosen, viral programs produced by a kit will retain their signatures from that point on.

Fortunately, polymorphism, in whatever form and at whatever level, has not been a significant threat. Polymorphs are still easily detected by change detection and activity monitoring software. Even scanners have not had great difficulty dealing with polymorphic programs. The early self-encrypting programs generally left readily identifiable signatures since the decryption code had to be left "en clair". Even those programs which performed significant encryption, or used different encryption routines, generally had few forms which could be readily identified. The latter polymorphs are marginally more difficult to identify, but algorithmic, as opposed to pure signature, scanning is having reasonable success. Indeed, in the case of the polymorphic engines, these codes have sometimes been a boon to the antiviral researcher. When you can identify the MtE code, you can also identify, at least as a virus, every new virus to which it is attached.

copyright Robert M. Slade, 1993   DEFGENA.CVP   930819

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If a train station
Institute for  Robert_Slade@sfu.ca      | is where a train
Research into  rslade@cue.bc.ca         | stops, what happens
User           p1@CyberStore.ca         | at a workstation?"
Security       Canada V7K 2G6           | Frederick Wheeler

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 121]
******************************************