To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #126
--------
VIRUS-L Digest   Tuesday, 5 Oct 1993   Volume 6 : Issue 126

Today's Topics:

Re: 'Dark Avenger'
Still searching for Mr. Goodwin
Re: of interest
Viruses on CD-ROMs?
"Stone virus problem" (PC)
tsr's and messages (PC)
[PC] FORM virus infection. (PC)
Re: Bait files (PC)
Re: Boot-437 (PC)
Re: The form virus vs. F-prot 2.09d (PC)
Re: Cruncher virus versions? (PC)
Re: Info wanted on Keystroke virus (PC)
VShield 108 still buggy (PC)
Need help with on killing monkey virus? (PC)
Michaelangelo and 3 1/2 inch drive (PC)
MtE Virus (PC)
VIRUS ? (PC)
TREMOR virus (PC)
unzipping antivirus programs (PC)
NAV 3.0 and LOTUS.COM (ver 2.2) (PC)
Word of Warning (PC)
Infection of "New Stoned variant" (PC)
Re: Floppy disk virus (PC)
Phoenix 3 virus (PC)
Tunnelling (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 24 Sep 93 00:55:34 -0400
From: Andrew Y Ng
Subject: Re: 'Dark Avenger'

Excerpts from netnews.comp.virus: 18-Sep-93 'Dark Avenger' Anthony Naggs@ubik.demon (655)

> Following my recent comments about the Dark Avenger here, I have
> received some obviously bogus email from
> "DarkAvenger@sofia.somewhere.bg".
> The 'virus underground' supposedly regard him as a 'hero', yet this
> behaviour seems to be a calculated insult.

A hero? That sounds like quite an ego. I unassembled the Dark Avenger virus some time ago, and admittedly, it is incredibly well-written, and employs more methods to infect files than most other viruses, which is why it has been one of the more successful and prolific viruses. In fact, I can't help but admire this guy's programming ability. (BTW, for those of you new to viruses who are wanting to look at a good virus, I think DAV is a good place to start!)

But a hero? I think a more appropriate term to describe someone who releases viruses into PD is "creep."

- Andrew Ng

------------------------------

Date: Fri, 24 Sep 93 05:43:18 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Still searching for Mr. Goodwin

I am looking for a person by the name of Jim Goodwin, who was active in the virus area back in '89, as I am working on an article about the early days of the anti-virus industry, and I would really like to chat with him.

Jim Goodwin dropped from view around mid-year '89, I think, after publishing some very interesting documents. There is a rumour that he never existed at all (but was just an alias of another well-known person), so even if anybody could just confirm his existence, that would help.
- -frisk

------------------------------

Date: Fri, 24 Sep 93 19:58:53 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: of interest

(SED2WJF@cardiff.ac.uk) writes:

> So as a "lay antivi prog user" (also, I have not had to use these
> against a virus) I offer an evaluation of some packages I know as
> follows:

Warning, wannabe evaluators! Please, have in mind the following:

1) If you intend to evaluate an anti-virus package and publish the results, begin with publishing the details of your evaluation procedure. Just saying "Product XYZ is OK" expresses only your subjective view and doesn't help anybody. When people see how you are evaluating the products they will be able to (a) decide whether the points interesting to them are investigated carefully enough and (b) spot mistakes in your evaluation procedure.

2) If you don't have a good knowledge about and experience with computer viruses, it is better if you leave the evaluation to somebody who is a specialist in the field. A professional evaluation of an anti-virus product is a very tricky thing, and even professional computer security experts happen to goof sometimes when it comes to computer viruses. For a general discussion of the subject, see Sara Gordon's paper "Evaluating the Evaluators" in Virus News International.

> Vis (total control) - excellent information and explanation
> scanning is very good

Is it? I have not had any experience with this product, but according to the review in Virus Bulletin, it is quite slow and has serious problems in detecting polymorphic (e.g., MtE-based) viruses.

> F-prot - information not so good, lacks an educational aspect
> scanning is excellent
> tsr is very good - some concern about it being able to load as device driver

Another good side of F-Prot is its high disinfection rate. One of the bad sides is that the resident scanner (VirStop) has problems with DR-DOS 6.0.

> Dr. Solomons - information ok
> scanning ok - wary of limitations

What limitations? This scanner has one of the highest detection rates I have ever seen. The integrity checker is extremely bad, however.

> Dos6 central point - information ok
> scanning ok - again wary

"Wary"? The detection rate is -miserable- and the program is sloooowwww...

> group of people - measure knowledge of computers, viruses, etc.
> present them with 4-8 anti progs
> ask them to evaluate
> afterwards test for ease of use, gain in awareness, their evaluation
> of package etc.

Anybody can evaluate that, even the users themselves. The tricky part is to evaluate how well the product protects from viruses...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 27 Sep 93 07:00:00 -0400
From: ian@unipalm.co.uk (Ian Phillipps)
Subject: Viruses on CD-ROMs?

I have the responsibility for anti-virus policy here, and am faced with a new challenge: CD-ROMs. There are at least three types of ROMs that have emerged:

Collections of free/shareware.
Promotional disks
"Shrink-wrap" products

The first is easy: treat each extraction from the disk as if it were from an FTP server or BBS - i.e. check it on extraction/download.

Promotional disks are more of a problem - they include some free stuff, some demo programs, some things that install themselves on your hard disk, etc. etc. A mess, in other words.

Shrink-wrap is more of a problem. We currently do scan shrink-wrap software coming in on floppies. We have our own shrink-wrap machine here, so can't be too careful :-)

Have there been any reports of viruses on CD? Has anyone else been through this and come to some sort of conclusion?
I'm mostly thinking of MS-DOS here, but I guess the Macintosh people may have more experience, since CDs have been in that field longer.

Ian

------------------------------

Date: Tue, 21 Sep 93 19:26:56 -0400
From: ksaj@pcscav.com (OS R & D)
Subject: "Stone virus problem" (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:
>
> Sorry but this does not track. The STONED is a master boot sector infector
> and there is only one MBR on a disk regardless of how many logical drives
> it may contain. Remove it from that one sector, reboot, and the disk is clean
>
> (I am assuming from the above that there is only one physical disk in the PC)
>
> Each logical partition does contain an Operating System Boot Record (also
> a single sector) but the STONED virus does not infect these. I suspect that
> either something is confused or you have an entirely different virus (F-Prot
> is one of the best in avoiding mis-identification though).

The Stoned virus most certainly DOES infect the boot sectors of logical drives. As soon as you access the drive (in this case, probably drive D:), it will be infected.

WARNING: Do not use FDISK/MBR for this. In some situations it will simply delete the partition.

Most virus cleaners will clean the virus out of there. If yours does not, use Thunderbyte. It works.

karsten johansson
- ---
ksaj@pcscav.com (OS R & D)
PC Scavenger -- Computer Virus Research, Toronto CANADA (416)463-8384
Free services: send EMAIL to info@pcscav.com or virus.list@pcscav.com

------------------------------

Date: Fri, 24 Sep 93 04:32:48 -0400
From: Bill Fear
Subject: tsr's and messages (PC)

I have had the following false positives and error messages - I hope that's what they are - which may be of interest to someone.

I have the following set up:
PC486 sx25
Dos6
Windows3.1

Packages:
VIS
F-PROT209
CENTRAL POINT (with dos6)

1) VIS tsr loaded in autoexec.bat - VISMON
Go to dos prompt in windows
Start to scan floppy
message - Sister 1000 viruses located in memory.
I boot from floppy. Scan hdisk is ok, floppy is ok, check sums are ok. Scan with CPAV is ok.

2) F-PROT tsr loaded as device driver, VIS tsr loaded as above, CPAV tsr loaded in autoexec.bat with option /2+.
From windows dos prompt run F-PROT to scan floppy
message - Stoned...memory...if sure...disable memory scan
same message from dos prompt out of windows.
boot from floppy scan etc. ok
scan with Dr. Solomons ok.
Warm boot same message
Take out CPAV tsr and ok - no more message from F-PROT

3) Have facility in windows from P. Breen (pbreen@world.std.com - he has copy of log) called Barclk, a bar clock showing time, space on disk etc. CPAV bombs one scan out of every two scans when it gets to barclk. One message included from Dr. Watson log. Once completely crashed - had to cold boot; subsequent scans with other progs ok. Tsr's F-PROT and VISMON resident but assume they are not the problem.

- ----------------
Dr. Watson 0.80 Failure Report - Wed Sep 15 17:23:23 1993
BARCLOCK had a 'Unknown' fault at KERNEL 1:81dc
$tag$BARCLOCK$Unknown$KERNEL 1:81dc$pop es$Wed Sep 15 17:23:23 1993
CPU Registers (regs)
ax=2490 bx=f4fd cx=1437 dx=854a si=1fcf di=145f
ip=81dc sp=24ac bp=4fec O- D- I+ S- Z+ A- P+ C-
cs = 0117 20460:a93f Code Ex/R
ss = 1437 7d660:273f Data R/W
ds = 145f 2bc60:01ff Data R/W
es = 00bf 80532000:1da3f Data R/W
CPU 32 bit Registers (32bit)
eax = 00002490 ebx = 0000f4fd ecx = 00001437 edx = 0000854a
esi = 00001fcf edi = 0000145f ebp = 00004fec esp = 8001249c
fs = 0000 0:0000 Null Ptr
gs = 0000 0:0000 Null Ptr
eflag = 00000202
System Info (info)
Windows version 3.10 Retail build
Windows Build 3.1
Username bill
Organization
System Free Space 10384896
Stack base 3526, top 9520, lowest 8214, size 5994
System resources: USER: 80% free, seg 078f GDI: 73% free, seg 05e7
LargestFree 8368128, MaxPagesAvail 2043, MaxPagesLockable 575
TotalLinear 2940, TotalUnlockedPages 582, FreePages 346
TotalPages 846, FreeLinearSpace 2541, SwapFilePages 2021
Page Size 4096
4 tasks executing.
WinFlags -
80486
Enhanced mode
Protect mode
Stack Dump (stack)
Stack Frame 0 is KERNEL 1:81dc ss:bp 1437:4fec
0117:81d0 26 8e 06 021a mov es, es:[021a]
0117:81d5 26 ff 0e 001e dec word ptr es:[001e]
0117:81da 5a pop dx
0117:81db 5b pop bx
(KERNEL:1:81dc)
0117:81dc 07 pop es
0117:81dd 59 pop cx
0117:81de 58 pop ax
0117:81df 5f pop di
System Tasks (tasks)
Task DRWATSON, Handle 14b7, Flags 0001, Info 26864 03-10-92 3:10 FileName C:\WINDOWS\DRWATSON.EXE
Task PROGMAN, Handle 061f, Flags 0001, Info 115312 03-10-92 3:10 FileName C:\WINDOWS\PROGMAN.EXE
Task MWAV, Handle 1fcf, Flags 0001, Info 142640 03-10-93 6:00 FileName C:\DOS\MWAV.EXE
Task BARCLOCK, Handle 145f, Flags 0001, Info 33136 08-26-93 22:07 FileName C:\PROGRAMS\BARCLCK2\BARCLOCK.EXE
1> scanning hard disk with windows central
2> point antivi
- ----------------------------------------------

bill Fear
sed2wjf@uk.ac.cf
If you want to be heard, speak softly.

------------------------------

Date: Fri, 24 Sep 93 06:36:49 -0400
From: "Andy Packham."
Subject: [PC] FORM virus infection. (PC)

I'm new to this list so please excuse if this is a rather dumb question. We have just been hit by FORM on several computers but it seems to behave in a 'different manner' to which we would expect. According to the documentation we have, it should make keys click on the 24th, but it doesn't; it does however stop one computer from booting, and cause random crashes on others. Two computers which have read infected disks do not seem to be infected at all. The SCAN/CLEAN combo seems to work however. So my query is - what is the effect of this virus, could any files be damaged?

Andy.

- -------------------------------------------------------------------------------
Dr Andy Packham. (Andy.Packham@UMIST.AC.UK)
- -------------------------------------------------------------------------------
Tel +44 (0) 61 200 4899   Fax +44 (0) 61 200 4911
Department of Instrumentation and Analytical Science.
University of Manchester Institute of Science and Technology.
PO BOX 88. Manchester, M60 1QD. United Kingdom

------------------------------

Date: Fri, 24 Sep 93 19:22:04 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bait files (PC)

uqitu01 (uqitu01@ucl.ac.uk) writes:

> I observe increasing reference to the use of "bait files" as a means
> to detect virus activity. What more specifically are bait files?

"Bait files" (or "goat files" or "victim files") are small (well, usually) do-nothing programs, the only raison d'etre of which is to be infected by viruses. An example of such a file is

        code    segment
                assume  cs:code
                org     100h
        start:  jmp     quit
                db      (1000-8) dup (90h)
        quit:   mov     ax,4C00h
                int     21h
        code    ends
                end     start

When assembled, the above source will produce a 1000-byte file, containing mostly NOPs (90h), which exits as soon as it is executed.

Bait files have two main applications. First, it is much easier to disassemble a virus attached to a short bait file with known contents, than if it is attached to, say, a copy of the Borland C++ compiler... :-) Also, the virus samples occupy less space in a virus collection, if they are attached to short host files. That's why most anti-virus researchers, when they get a new virus, try to replicate it and to attach it to a bait file.

The second application has something to do with integrity checking programs. These programs compute the checksums of the different executable objects in the computer system and compare those checksums with a known database of checksums of those objects when they are uninfected. Since infecting them will change their contents, the checksums of the infected objects will not be the same any more and will lead to the detection of the virus, even if this is a new, unknown virus, missed by the scanners.

Unfortunately, there is a kind of attack against the above scheme. It is called "slow viruses".
Those viruses install themselves in the computer memory and infect only those files that are being modified (or created). Since such files will have different contents and checksum, and since the user knows that fact, s/he will probably not pay attention to the message that the file has been modified and the infection will remain unnoticed.

The only solution is to create/modify a few files with -known- contents, to compute their checksum, and to verify whether it is what it should be. For this purpose, some integrity checking programs create, copy, modify and execute a few bait (do-nothing) files with known contents (e.g., 1000 NOPs), in the hope that the virus (if one is present) will infect them. Then a checksum of those files is computed and it is compared with a known one (the program knows what the checksum of a file containing only 1000 NOPs will be). (Note: the number 1000 in the above discussion is just an example; usually a whole set of different file lengths is used.)

> What
> characteristics do bait files have that make them more succulent and
> desirable to ALL viruses (including unknown viruses) than juicy, fat,
> frequently-used application programs or operating system executables?

Nothing. The viruses don't infect them more eagerly than the "normal" files; most of them infect them in the same way as any other files. Actually, some viruses try to avoid infecting bait files, by setting a set of conditions to which the infectable files must conform. (E.g., if the file seems to consist of one and the same byte repeated over and over, or if the file begins with a JMP to the end, and so on.)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Sep 93 19:28:25 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Boot-437 (PC)

Rodrigo Lopez (rodrigo.lopez@biotek.uio.no) writes:

> A friend of mine got his machine infected with a DOS virus
> called boot-437. I have not been able to find any references
> to this one on any of my list. Has anyone heard of it ?

Yes. It's a rather unremarkable MBR infector of Polish origin. Infects the boot sector of diskettes and the MBR of hard disks. The original boot sector is moved to cylinder 0, side 0, sector 6 on hard disks and to the last sector of the root directory on floppies. It is not intentionally destructive and in fact has no payload at all. Can be removed with FDISK/MBR (from DOS 5.0 or higher) from the hard disk.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Sep 93 19:32:15 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The form virus vs. F-prot 2.09d (PC)

Douglas Bell (doug@viper.ELP.CWRU.Edu) writes:

> After repeated attempts with fprot and liberal use of fdisk /MBR,
> the virus seems to be gone.

FDISK/MBR -cannot- remove Form, because this virus infects the DOS boot sector and not the MBR.

> Anyone else ever have problems with the form virus and f-prot?

In our tests, F-Prot has been able to disinfect Form quite reliably. It could be that you have some new variant, or it is a false positive. Do you happen to use some other anti-virus products, like VSAFE/CPAV/MSAV?
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Sep 93 19:45:27 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Cruncher virus versions? (PC)

OS R & D (ksaj@pcscav.com) writes:

> I have 2 versions of the Cruncher virus.

We have three of them here: 1.0, 2.0 and 2.1.

> The one version asks permission
> all the time,

This is version 2.1. The version number can be seen in plaintext in the infected files (along with other text and greetings to Dr. Cohen and the author of Diet), if you decompress them with Diet or UNP.

> and will not infect a file without asking first. The other

Will, if you set the environment variable CRUNCH to AUTO.

> compresses all of them all the time. The majority of the files that I
> have infected with the cruncher were, in fact, compressed rather well.

Exactly as well as Diet would have compressed them - the algorithm is stolen directly from there. (Well, actually the compression will be slightly worse, because the virus infects the file first.)

> The problem was that the majority of the well-compressed files would not
> execute.

An excellent example, demonstrating why a "good virus" is usually a bad idea. Modifying the user's files is generally a bad idea, unless you know perfectly well what you are doing. And making a self-replicating buggy program is much worse than just releasing a buggy program.

> Note that the virus is inherently scannable, because it is a modified
> version of the Coffeeshop virus. The main virus code is nearly
> identical.

The author too... :-) I mean, both viruses are written by the same author.
> And by the way: I looked up the word VIRUS in 7 different medical
> dictionaries. They _all_ say the plural is VIRUSES. Never did I see the
> words VIRII (Which, when broken down, has more to do with fertility than
> with VIRUS), VIRA, or VIRI (Which VIRI does have a meaning in latin, but
> it is totally unrelated).

That's in the FAQ (question F3). The Latin word "virus" (=poison) does not have a plural form (like "air" in English). "Viruses" is an English form. The people who use the form "virii" usually apply the rule that says that Latin words ending in "-us" end in "-ii" in plural (e.g., "radius" -> "radii"). As the FAQ says, "Please use 'viruses,' and if people use other forms, please don't use VIRUS-L/comp.virus to correct them." :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Sep 93 20:01:12 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Info wanted on Keystroke virus (PC)

Jeff Bryer (bryer@ccu.umanitoba.ca) writes:

> I would like any information that anyone can give me on
> the virus Keystroke. It supposedly went through the computers
> at my father's office (including the LAN). McAfee cleaned it up
> but they are now concerned about where it came from.

Don't you mean "Keypress", by any chance? It is described in our Computer Virus Catalog; read the FAQ for more information about how to get it.

> Please email if at all possible as I don't regularly read this group.

If you are interested in computer viruses, you should.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Sep 93 16:54:01 -0400
From: CMEELBOO@vmtecqro.qro.itesm.mx (Elite of the Network)
Subject: VShield 108 still buggy (PC)

Hello:

Two days ago, I downloaded vshield 108 from mcafee.com but this version still has the /lh bug. I'm using qemm 7.01 and vshield says there is not enough high ram to load (it says it needs 198 KB!!!). I know I can loadhi vshield by using DOS=UMB, but the QEMM manual says don't use that option! I want to use vshield without using DOS=UMB, just like vshield 106 did it. Is there any other suggestion to loadhi vshield with QEMM 7.01?

Thanks in advance

------------------------------

Date: Fri, 24 Sep 93 14:12:50 -0400
From: MCHLG@cunyvm.cuny.edu
Subject: Need help with on killing monkey virus? (PC)

Hi guys,

It's been a while since I posted anything here. I've been busy with some major renovations on my house. Anyhow, I need some help.

My College: F.H. LaGuardia Comm. College
has been recently seeing a rash outbreak of infection of the Monkey Virus. I have gotten a sample {purposely infecting a floppy} to start analyzing, but I don't have what I feel is enough relevant information on this bugger. Can anyone supply me with more information on Monkey?

Thanks, in advance.

p.s. I already have the file KILLMONK.ZIP, but to me, it doesn't look like it gives enough information on the virus itself. Is there any more detailed file or summary on the Monkey virus? Please get back to me ASAP by EMAIL.

- -------
 ____________________________________________________________________________
| Christopher Mateja (PRES. / OWNER)   |Bitnet:                              |
| Bits-N-Bytes Computer Services       |Internet:                            |
| 333 15th street, Suite #2            |Panix.Internet: ( COMING SOON )      |
| Brooklyn, NY 11215-5005 ( USA )      |Compu$erve/Delphi (coming maybe soon)|
|======================================+-------------------------------------|
| MY TOYS ?? WHERE ARE MY TOYS !??! I CAN'T DO THIS JOB WITHOUT MY TOYS !!! |
|____________________________________________________________________________|

------------------------------

Date: Sat, 25 Sep 93 15:51:13 +0000
From: remmons@iat.holonet.net (Robert Emmons)
Subject: Michaelangelo and 3 1/2 inch drive (PC)

I was having some weird problems with a 3 1/2 inch floppy which were apparently caused by the Michaelangelo virus!?

Briefly, the computer was originally set up with the 5 1/4 inch drive as A: and the 3 1/2 as B:, and I wanted to reverse them. Whenever I configured the 3 1/2 to be A:, all data on any non-write protected disk was corrupted as soon as the disk was accessed, even by just entering "DIR A:". On the first and every subsequent access, I would get "Abort, Retry, Fail?". This happened whether or not the 5 1/4 inch was configured as B:. I had no problems with the 5 1/4 inch, whether it was configured as A: or B:. I had no problems with the 3 1/2 inch configured as B:. I gave up on switching the drives, and lived with the 3 1/2 as B: and the 5 1/4 as A:.

One slow day, I ran a virus scanner on the system, and it said it had the Michaelangelo virus in the disk partition table (boot sector). I ran a cleaning program and got rid of the virus. Just for the heck of it, I switched the drives again, configuring the 3 1/2 as A: and the 5 1/4 as B:. Believe it or not, I've been running for weeks with no problems. I have to conclude that the virus was the problem.

- --
Robert Emmons            Never hesitate to sacrifice clarity
CalcShop Inc.            and maintainability to save precious
remmons@holonet.net      picoseconds during program execution.
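An added example, not part of any post in this digest: the bait-file integrity check that Vesselin Bontchev describes in "Re: Bait files" above, written out in Python. It assembles the same 1000-byte do-nothing program as his MASM fragment (near JMP, NOPs, DOS exit), verifies files read back from disk against their known content rather than against a stored baseline (so a "slow virus" that only touches new files still has no cover), and names the kind of change it finds; the BAITnnnn.COM file names and the use of SHA-256 as the checksum are my own choices, not anything the post specifies.

```python
import hashlib
import os
import tempfile

# mov ax,4C00h / int 21h: the DOS "terminate" call that ends the bait program
EXIT_CODE = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21])
NOP = 0x90


def build_bait(length=1000):
    """Assemble the bait COM image of the post without an assembler:
    a near JMP (E9 rel16) over `length - 8` NOPs straight to the exit call."""
    filler = length - 3 - len(EXIT_CODE)
    if filler < 0 or filler > 0x7FFF:
        raise ValueError("length out of range for a COM bait file")
    # rel16 is counted from the byte after the JMP, so it equals the filler size.
    return bytes([0xE9, filler & 0xFF, filler >> 8]) + bytes([NOP]) * filler + EXIT_CODE


def expected_digest(length=1000):
    """What the checker 'knows': the checksum of an untouched bait file of this
    length, derived from the known content, never from a baseline on disk."""
    return hashlib.sha256(build_bait(length)).hexdigest()


def classify(data, length=1000):
    """Compare bytes read back from disk with the known content and name the change."""
    if hashlib.sha256(data).hexdigest() == expected_digest(length):
        return "clean"
    reference = build_bait(length)
    if len(data) > length and data[3:length] == reference[3:]:
        # NOP body and exit call intact, bytes added after them, entry JMP
        # rewritten: the pattern an appending COM infector leaves behind.
        return "modified: appended, entry JMP rewritten"
    if len(data) > length and data.endswith(reference):
        return "modified: prepended"
    if len(data) < length:
        return "modified: truncated"
    return "modified: in-place change"


def plant_and_check(directory=None, lengths=(1000, 1500, 2000)):
    """Create one bait file per length (a set of lengths, as the post advises),
    read each back and verify it. Returns {file name: verdict}."""
    directory = directory or tempfile.mkdtemp(prefix="bait-")
    verdicts = {}
    for n in lengths:
        path = os.path.join(directory, "BAIT%d.COM" % n)   # constructed names
        with open(path, "wb") as f:
            f.write(build_bait(n))
        # A real checker would also copy, modify and execute the file here to
        # give a resident infector its chance; this example only reads it back.
        with open(path, "rb") as f:
            data = f.read()
        verdicts[os.path.basename(path)] = classify(data, n)
    return verdicts


if __name__ == "__main__":
    for name, verdict in plant_and_check().items():
        print(name, verdict)
```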
------------------------------

Date: Sat, 25 Sep 93 15:03:21 -0400
From: "Jeff Rice - Pomona College, Claremont, CA."
Subject: MtE Virus (PC)

Twice in the last month, I have received a warning from Norton Anti-Virus's 2.1 Intercept, that my image file for Pctools was infected with MtE. Both times I stopped the file execution, and went to scan. However, Norton's Virus Clinic has never been able to find the virus anywhere on my drive. I intentionally did not reboot, so the virus should have been there. I scanned the original Pctools disks, and they are clean, and I also scanned with my original Norton disk, in case the program was infected. Both turned up nothing. Am I getting a false positive? And why can the Intercept find it, but the clinic turn up nothing? Don't they use the same virus information?

I've always used Norton Antivirus, and now use v2.1. However, I see no mention of it here. Is this program still sufficient protection, or should I try and find a different program? I've always liked Norton, but if it doesn't do the job, I can't afford to keep using it.

Thanks,
Jeff Rice
jrice@pomona.claremont.edu

------------------------------

Date: Mon, 27 Sep 93 08:11:46 -0400
From: buex93d@urc.tue.nl (Richard Braeken)
Subject: VIRUS ? (PC)

Hello there,

I have a problem. Lately when I work with Word Perfect (don't start to laugh) I notice that some characters in a file have been changed since the last time I used that same file. For example: the 'n' is changed into a 'j' and the 'o' is changed into the 'k'. Also some programs, like Civilization and Roger Rabbit, hang while I am playing them. When I compared the files of Civ. on my harddisk and the original files I noticed that the only difference appeared in the file civ.exe. The difference was that the one file contained 5B and the other 5F. Although I used almost "every" scanprogram (scanv108, TBAV, FPROT), no program can detect a virus. Do I have a virus? If so, what sort of virus and what can I do against it?
Are there any other scanners that might recognize "my virus"? Or do I have a problem with my hardware?

Richard.

------------------------------

Date: Tue, 28 Sep 93 09:53:31 -0400
From: thiele@GOEDEL.UNI-MUENSTER.DE (Maren Thiele)
Subject: TREMOR virus (PC)

Is there anybody who knows about the TREMOR virus? What exactly does it do? Is it able to stay in the High Mem part of your system? Are there programs that are able to remove it? So far I have only found programs that are able to detect it. I hope there are other possibilities than reinstalling the system.

Thanks for any tips and information.

Maren

------------------------------

Date: Tue, 28 Sep 93 09:53:25 -0400
From: smhawkin@midway.uchicago.edu (stephanie mia hawkins)
Subject: unzipping antivirus programs (PC)

this may be the wrong place to post this, but please, please don't flame me... my university doesn't do ibms. the only anti-virus software that's available here (VIRx) is old and doesn't seem to catch the virus i seem to have (does a virus that inserts obscenities into the end of a text file sound familiar?).

ok. a computer friend tells me it may be the monkey virus, so i ftp over to oak.oakland.edu and pick up killmonk.zip, plus the two unzipping programs oak recommends to unzip files, unz50p1.exe and pkz204g.exe. when i attempt to execute these files in dos, i get the following error messages:

unz50p1 tells me there's a HeaderC error
pkz204g tells me there's been an attempt made to execute an invalid instruction, and that i should probably reboot my system.

cluelessly, i download these files again, but get the same messages. (well, at least it's consistent... ). i'm just learning about dos and such, so these messages mean nothing to me. can anyone please, please help?

stephanie
(a clueless lit. major who's used to macintoshes)

- --
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Never try to outstubborn a cat.
-- Lazarus Long
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date: Tue, 28 Sep 93 09:53:38 -0400
From: "Jimmy Kuo"
Subject: NAV 3.0 and LOTUS.COM (ver 2.2) (PC)

We have been informed that NAV 3.0 is detecting a false id in LOTUS.COM ver 2.2 as Vengence.B. This will be corrected readily. In the meantime, if you have this problem, you may place LOTUS.COM in the exclusion list for known virus checking. You will still be protected by leaving the inoculation verification intact.

Jimmy Kuo
cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Tue, 28 Sep 93 10:14:42 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Word of Warning (PC)

Recently I purchased the upgrade to Symantec's Norton Utilities v7.0 for use with my personal PCs and discovered a number of oddities that make it seem as if it is not supposed to be a technician's tool any more.

The first is just an annoyance: few of the programs will run without the NLIB100.RTL (run time library), a 200k file (I thought the use of RTLs went out with BASIC interpreters).

The second is a real bother: most of the NU7 programs will not run on an 8088 or 8086 CPU. All you get after lots of disk gnashing is a message to that effect. This makes it essentially unusable to a technician, particularly since software upgrading generally includes an implied agreement not to use earlier versions. Thus keeping 5.0 or 6.0 (which work on 8088s) when upgrading for $49.00 to 7.0 may be illegal.

Forget It.

Plagued by Idiots,
Padgett

"On the whole, I'd rather be in Philadelphia" - Mahatma K. Jeeves (VSI94)

------------------------------

Date: Tue, 28 Sep 93 12:26:18 -0400
From: "Paul D. Shan"
Subject: Infection of "New Stoned variant" (PC)

I have found several cases these past two weeks of a virus infection in one of our departments of a "New variant of Stoned" as reported by Fprot 2.09d.
The first encounter was with three infected diskettes. They were completely unreadable (i.e., the directory was there, but copying the files resulted in a list of one-byte files). F-prot detected a virus present but could not remove it. Running Norton Disk Doctor, version 7.0 and 6.0, I could not repair the FAT, boot record, nor directory structure. I suggested that the user who brought this to our help desk reformat those diskettes.

The second case occurred soon after that. Since we have been virus-free for quite a while, we were a bit lax on our procedures, so one of our hard drives ended up being infected. This proved to be a good thing. Again, F-prot detected this as a "new variant of Stoned" and could not remove it. When I booted from a clean floppy after powering off and on the machine, I could no longer read drive C: (but a reboot from drive C: worked fine). That told me right there that it most likely IS a virus, and not some anomalous program. I then rebooted from a clean floppy, and ran Norton Disk Doctor, version 6.0. It detected that the partition table was corrupted, and offered to repair it. I told it to go ahead, and it repaired it with no problems. After that, the drive scanned clean with F-prot.

The reason this was a good thing is that we got another call from the same department that brought us the diskettes. Two hard drives in their lab were infected (more were not infected because they use VIRSTOP in their lab!) and they had no idea how to fix it... using FDISK did not remove the virus. So I went with my kit, rebooted from a clean floppy, and tried Norton Disk Doctor version 6.0 again. Again, it cleaned off the two drives painlessly.

Since I've looked through all literature I have on viruses, and have followed every procedure I know of to detect and remove this virus, and still cannot identify it, can I get some feedback on what this could have been?
If I can get an answer about this, I will be reasonably sure that a near-future version of F-prot will remove this.

Notes:

1. FORMAT /MBR did not work because the machines I tried this on did not support the /MBR option.

2. Since FDISK did not remove the virus, I assumed that their version of DOS was infected as well. But I am not sure of this as the people in that department's lab are very competent and know the correct procedures for removing viruses.

3. Since Norton Disk Doctor removed it easily from a hard drive, I assume that the copy of the partition table was in an unused area of the directory table.

4. I do not have a "live" copy of this virus. Since removing the virus had a higher priority, I worked on that problem first. In retrospect I now wish I had been able to get a copy.

5. I assume the floppies were unrecoverable because the boot sector was copied to a used area of the FAT, which confused NDD too much.

Thanks for your ear, and I hope to hear from someone soon.

Paul D. Shan                              PDS2@PSUVM.psu.edu
Consulting and Application Support        (814) 863-4356
Center for Academic Computing
12 Willard Building
University Park, PA 16802

------------------------------

Date: Wed, 29 Sep 93 09:20:38 -0400
From: adamj@highett.mel.dbce.csiro.au (Adam Jenkins)
Subject: Re: Floppy disk virus (PC)

Another possibility is that the jumper on the floppy drive is not set properly.

Rgds.. Adam

- --
Adam Jenkins                              adamj@mel.dbce.csiro.au

------------------------------

Date: Wed, 29 Sep 93 11:56:51 +0000
From: adrie@gouldnl.encore.nl (Adrie van Hoogstraten)
Subject: Phoenix 3 virus (PC)

Can someone tell me what the virus 'Phoenix 3' does and where I can find a virus killer for it?

Thanks

Adrie van Hoogstraten
email: adrie@encore.nl

------------------------------

Date: Fri, 24 Sep 93 16:54:06 -0400
From: "Rob Slade"
Subject: Tunnelling (CVP)

DEFGENC.CVP   930908

                              Tunnelling

Somewhat related to stealth technology is the concept of "tunnelling".
Again, this is a technology, not a virus per se, and one that is used in both viral and antiviral programs.

To examine the concept of tunnelling, let me go back a bit in computer history. Before there were viri, there were trojans. Anti-trojan software was generally of the activity monitoring and operation restricting variety, similar to a number of antiviral programs today.

Activity monitors do not really monitor activity. They place traps and interrupts at certain points in the operating system. Certain system calls are either potentially dangerous themselves (such as the function that formats a disk) or are precursors to dangerous activities. Therefore, when a program calls one of these functions, the activity monitor is triggered. Again, this relies upon the fact that operating system functions *must* be made available in a known location so that valid programs can use them.

Activity monitors, as we have said, place traps at the location of potentially dangerous system calls. These traps are generally pieces of code which run the activity monitor program, rather than the original operating system code. The activity monitor can then alert the user, and the user can choose to stop the action, or to allow the action, in which case the original operating system code is run.

This means that the activity monitor has performed a very virus-like action. It has made a change to the original state of the system. Since the state of the system is generally well known, a virus can be written to examine these system entry points. The virus can "tunnel" or trace back along the programming associated with the system call. If an activity monitoring program is found (and this generally means anything other than the original operating system code) the trap can be reset to point to the original system call. The activity monitoring program is now bypassed, and will *not* trigger--at least not for that particular function.
This same type of activity can be used against viral programs. Viri often trap certain system calls in order to trigger infection activities and so forth. Antiviral software can tunnel along the various interrupts, looking for changes. Viral programs can thus be disarmed.

Tunnelling may seem like a lot of work to go to in order for a virus to defend itself. Indeed it is. One particularly well known, and widely marketed, antiviral has a resident component. Only seven bytes of code are required to disable it. Not to tunnel around it, but to disable it completely. (Viral programs are also becoming more aggressive. One has been found which takes action to disable or cripple no less than fourteen antiviral systems ... )

copyright Robert M. Slade, 1993   DEFGENC.CVP   930908

=============
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           p1@CyberStore.ca         | first.
Security       Canada V7K 2G6           |

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 126]
******************************************
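An added illustration of the tunnelling column above (example code, not part of the digest or of Rob Slade's column): a simulated DOS interrupt vector table in which an activity monitor and a later resident program have each trapped INT 21h, and the defender-side walk an antiviral would do, following each trap's saved vector back until it reaches original operating-system code or a dead end, and reporting what it found rather than changing anything. The address ranges, handler names and table contents are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint16_t seg, off; } FarPtr;   /* far pointer as held in the DOS IVT */
static uint32_t linear(FarPtr p) { return ((uint32_t)p.seg << 4) + p.off; }

/* A resident handler: its entry address and, if it trapped the vector, the
 * previous vector it saved so it can chain on to the original code. */
typedef struct { const char *name; FarPtr entry; bool chains; FarPtr saved; } Handler;

/* Constructed address map: OS code is assumed to occupy 0x0070:0000-0x11FF:000F. */
#define OS_LO 0x00700u
#define OS_HI 0x12000u
static bool in_os_code(FarPtr p) { return linear(p) >= OS_LO && linear(p) < OS_HI; }

enum Verdict { VEC_CLEAN, VEC_HOOKED_CHAINED, VEC_HOOKED_DIVERTED, VEC_UNKNOWN };

/* Tunnel along the vector: resolve each hop to a known resident handler and follow
 * its saved vector until original OS code, or a dead end, is reached. `hops`
 * receives the number of traps sitting in front of the OS entry point. */
enum Verdict tunnel_vector(FarPtr vec, const Handler *tab, int n, int *hops)
{
    *hops = 0;
    while (!in_os_code(vec)) {
        const Handler *h = NULL;
        for (int i = 0; i < n; i++)
            if (linear(tab[i].entry) == linear(vec)) h = &tab[i];
        if (h == NULL || *hops >= n) return VEC_UNKNOWN;  /* unknown code, or a loop */
        (*hops)++;
        if (!h->chains) return VEC_HOOKED_DIVERTED;       /* trap never reaches the OS */
        vec = h->saved;
    }
    return *hops ? VEC_HOOKED_CHAINED : VEC_CLEAN;
}

/* Constructed scenario: OS INT 21h code at 0x0116:10E0, an activity monitor that
 * trapped it, and a later resident program that trapped the monitor in turn. */
static const Handler TABLE[] = {
    { "activity monitor", { 0x2000, 0x0000 }, true,  { 0x0116, 0x10E0 } },
    { "later TSR",        { 0x3000, 0x0100 }, true,  { 0x2000, 0x0000 } },
    { "dead-end trap",    { 0x4000, 0x0000 }, false, { 0x0000, 0x0000 } },
};
#define N_HANDLERS ((int)(sizeof TABLE / sizeof TABLE[0]))

/* What a scan of the current IVT[0x21] entry would report. */
enum Verdict verdict_for(FarPtr ivt21) { int h; return tunnel_vector(ivt21, TABLE, N_HANDLERS, &h); }
int hops_in_front_of_os(FarPtr ivt21) { int h; tunnel_vector(ivt21, TABLE, N_HANDLERS, &h); return h; }

int main(void) {
    FarPtr ivt21 = { 0x3000, 0x0100 };   /* constructed: what the IVT holds right now */
    printf("INT 21h: verdict %d, %d trap(s) ahead of the OS\n", verdict_for(ivt21), hops_in_front_of_os(ivt21));
    return 0;
}
```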