To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #142
--------
VIRUS-L Digest   Wednesday,  3 Nov 1993    Volume 6 : Issue 142

Today's Topics:

Re: Can you help me locate an important Masters thesis
Re: Swiss AntiViral legislation
Re: Draft Swiss AntiVirus regulation
Hollywood and Computer Viruses..!? Oh no.
Re: Novell Network Protection (Novell)
Re: Virus scanning for UNIX (UNIX)
Re: Parasitic? (PC)
Re: Satan Bug, et al; VIRUS-L Digest V6 #140 (PC)
Re: Monkey Problem (PC)
Re: INVADER: info wanted (PC)
Re: Protection needed for LAN servers and workstations (PC)
Re: --- Virus sigs for 'Dudley' virus - - (PC)
Re: MtE virus...what does it do? (PC)
*HELP*--Possible Virus? (PC)
Re: Why is CPAV bad? (PC)
Re: Why is CPAV bad? (PC)
Re: Yoshi Virus *&^%$ Help! (PC)
Re: Removing Boot Sector Virus from Floppies (PC)
Re: 1837 bytes 9E 10 16 ... (PC)
Re: Nov 17 Virus (PC)
Re: KEYPRESS 5 virus (PC)
Re: Removing Boot Sector Virus from Floppies (PC)
Re: S-Bug virus (PC)
Looking for Info.:ANNOINT VIRUS (PC)
GS.ZIP

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 29 Oct 93 12:11:20 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can you help me locate an important Masters thesis

Paul Yue (yue@se.citri.edu.au) writes:

> I am trying to obtain a copy of:
> "A new integrity based model for limited protection against
> computer viruses"
> by M. Cohen. Master Thesis, Pennsylvania State University, college
> Park, 1988.

It is available from ASP Press, PO Box 81270, Pittsburgh, PA 15217, USA.

[Moderator's note: I believe the above contact is for obtaining Dr. Fred Cohen's thesis, not M. Cohen; to my knowledge, Fred Cohen never wrote a master's thesis at Penn State University. If all else fails, you might try sending e-mail to postmaster@psu.edu to get pointed in the right direction at PSU.]

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >
Vogt-Koelln-Strasse 30, rm. 107 C, 22527 Hamburg, Germany
e-mail: bontchev@fbihh.informatik.uni-hamburg.de

------------------------------

Date: Fri, 29 Oct 93 12:18:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Swiss AntiViral legislation

Klaus Brunnstein (brunnstein@rz.informatik.uni-hamburg.d400.de) writes:

> PS: Mr. Frigerio will have another fight with lawyers who think that any
> legislation is dangerous as it may also hurt the "good viruses". I argued that
> "good viruses" exist only in Dr. Cohen's head, as those applications which he
> always mentions can be realized by non-replicative methods.

I'll take the risk to disagree with my boss... :-) While I am perfectly aware of the general public opinion that "good viruses" are a "bad idea", I also find some of Dr. Cohen's examples pretty convincing. I am not yet prepared to argue on the subject. I am not even decided myself whether "good viruses" can exist or not. However, I am quite certain that responsible research in this field should not be forbidden.

Anyway, about a year ago, I posted here a message, asking for arguments supporting the opinion that a good virus is a bad idea. I have collected about a dozen - all of them very good ones, but they still have not convinced me. Nevertheless, as I said, I am not prepared to argue on this subject yet, so please don't send me messages proving that you are right and I am wrong. (Just for the record, I would like to note that I am not convinced that Dr. Cohen is right, either.)

However, in an attempt to help Mr. Frigerio in his legal fights, I am posting here the arguments that I have collected. I hope that they will be helpful to him - virus exchange is something that I am strongly opposed to, and I would welcome any reasonable legislation against it.

> Moreover, any automatic reproduction has an unwished side-effect, as
> copyrights for any software does only apply to the original (=uninfected)
> program, so viruses "steal" all legal rights from both the originator and the
> user (who loses the guarantee, if any, of a working program :-)

Not quite. Compressing the program with something like PKLite does the same (modification), yet nobody says that PKLite is illegal. I agree that unauthorized reproduction is a bad thing, but who ever claimed that the good viruses have to reproduce without authorization? Anyway, as I said, I am not prepared to argue on this subject yet.

Regards,
Vesselin

A dozen reasons why a "good" virus is a bad idea

1) It is unethical to modify somebody's data without his/her knowledge. In several countries this is also illegal.

2) Modifying a program could mean that the owner of the program loses his/her rights for technical support, ownership, or copyright.
3) Once released, you have no control on how the virus will spread; it may reach a system about which you know nothing (or which could have even not existed at the time the virus is created) and on which it might cause non-intentional damage. Even if the bug is discovered, it would be extremely difficult to find all replicants of the virus and apply the appropriate fix to them.

4) A bad guy could get a copy of the virus and modify it to include something malicious. Actually, a bad guy could trojanize -any- program, but a "good" virus will provide the attacker with means to transport his malicious code to a virtually unlimited population of computer users.

5) The anti-virus programs will have to distinguish between "good" and "bad" viruses, which is essentially impossible. Also, the existence of useful programs which modify other programs at will will make the integrity checkers essentially useless, because they will be able only to detect the modification and not to determine that it has been caused by a "good" virus.

6) A virus will eat up disk space and time resources unnecessarily while it spreads.

7) A virus could contain bugs which might damage something or harm somebody. Any program could be buggy, but the virus is a self-spreading buggy program which is out of control.

8) A virus will disable the few programs on the market which check themselves for modifications and halt themselves if they have been changed, thus performing a denial-of-service attack.

9) Anything useful that could be done by a virus could also be done with a normal, non-replicating program.

10) A virus steals control of the machine from the user and ruins the trust that the user has in his/her machine - the belief that s/he can control it.

11) Declaring some viruses as "good" will just give an excuse to the crowd of virus writers to claim that they are actually doing "research".

12) For most people the term "computer virus" is already loaded with negative meaning. They will not accept a program called like that, even if it claims to do something useful.

------------------------------

Date: Fri, 29 Oct 93 12:28:45 -0400
From: context@dialix.oz.au (r frey)
Subject: Re: Draft Swiss AntiVirus regulation

DEL2@phx.cam.ac.uk writes:

>It's always good to see a country framing anti-virus legislation, but
>I was puzzled by the Swiss draft (VIRUS-L Digest V6 #133). It strikes
>me as linguistically ambiguous, surely not a good idea. The text runs:
>"Wer unbefugt elektronisch oder in vergleichbarer
>Weise gespeicherte oder uebermittelte Daten loescht,
>veraendert oder unbrauchbar macht, oder Mittel, die
[stuff deleted - electronically!]
>Now surely the phrase "elektronisch oder ...Weise" could qualify either
>"gespeicherte" (as [presumably] in the translation offered) or "loescht"
>(indicating that the law is against viri rather than against, say, the
>burning of floppies)? Is there something special in Swiss German which
>could distinguish between the two possibilities:
>(a) Anyone who without authorisation uses electronic or similar means to
>erase, alter or render useless saved or transmitted data; or manufactures..
>(b) Anyone who without authorisation erases, alters or renders useless
>data electronically (or by other means) saved or transmitted ...

There is indeed something special in/about Swiss German, but this ain't it ;-) In fact, it's just plain horrible officialese/legalese "High" German. To answer your question, I think (b) is what they're talking about, more or less. (I haven't read the original post, though.)
Which means, of course, that, yes, the burning of floppies is also covered, along with viri, plug-pulling, sledgehammers, etc. They're thorough back in the old country :-)

(I know this is not a linguistics group, but I didn't start this! You are correct in thinking that translation (a) is also 'possible', i.e., grammatically correct -- it just wouldn't be likely in this kind of text, or in any technical writing. To put it simply, the adverbial phrase would be positioned so that it is no longer ambiguous. I'm sure there's a better way of explaining this, but not at 0018 here in the Land of Oz!)

>And what is the significance of adding the "transmitted" ("uebermittelte")?
>Does it clarify or only obscure?

It extends the area covered to include not only data that is stored but also data that is in transit. I think it is a useful addition.

> Surely legislation above all should be crystal clear in its intent?

This is where it gets ideological and nasty .. let's leave it alone.

- --
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
roger frey                       phone +61 9 481 4056
context@dialix.oz.au             fax   +61 9 481 4249

------------------------------

Date: Fri, 29 Oct 93 14:38:07 -0400
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Hollywood and Computer Viruses..!? Oh no.

I recently read an article about the horror movies coming out for (or with in mind) Halloween. In it, there was mention of a film which is supposed to be about a family chased by a computer virus that can travel along any means of electricity - so through the stove, and the power outlets.. It's supposed to be a Fox production. I don't have the name (yet)! If I can get it, I'll post it up..

- --
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
Computer Science, University of California, Riverside.
------------------------------

Date: Fri, 29 Oct 93 11:45:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Novell Network Protection (Novell)

Brian Cooper (psgrbbc@prism.gatech.edu) writes:

> I apologize if this is a FAQ. I have a friend who is installing a
> network (first time). He has one file server and about 20 workstations.
> He wants to know the best way to protect his network from viruses.

As usual, there are no "best" solutions. In general, it is a good idea to restrict access to the shared files on the network as much as possible. Mark them in such a way that the users can only execute them. (How exactly this is achievable, and to what extent, depends on the kind of network you have.) Tell those users with supervisor privileges never to log in as privileged users if they suspect that the system is infected. Also, tell them never to execute other people's files while they are logged in as privileged users. In general, create alternative accounts for them with "normal" privileges, and tell them to use only those accounts, except in those cases when a task has to be performed that requires more privileges. Restrict access the best you can without hampering productivity. Make sure that the server's console is physically secure.

> He is interested in protecting the SERVER but also the individual
> workstations. He is running Novell v. 3.11. What's the best
> line of defence?

If you are asking about anti-virus products, many producers will be happy to sell you a LAN version of their scanner, which includes both an NLM for the server and a resident scanner for each of the workstations. There are also integrity checkers which support Novell LANs - for instance, Untouchable.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 14:04:30 -0400
From: barnes@sde.mdso.vf.ge.com (Barnes William)
Subject: Re: Virus scanning for UNIX (UNIX)

Gary,

> From: gmckee@cloudnine.com (Gary McKee)
> When is the last time you copied an executable from one UNIX machine
> onto another one? This is not a characteristic mode of usage for UNIX
> activity. Usually, programs are recompiled when being ported to
> another machine.
>
> [Moderator's nitpick: Happens all the time on the NFS LAN that I'm
> on...]

Every time we load a 3rd party package (i.e. Interleaf doesn't send us source, only binary) or the OS, and, as the Moderator indicated, to every NFS system, which reaches about 500 nodes for us. Also, while we try to stress to our user community that they need to go through us, some of them still pull binaries and programs off of other machines and their "friends". You might ask how would they get them to run, and I would reply, there are lots of Suns out there to get binaries from.

> How often do you transfer data between UNIX machines by carrying a
> floppy disk from machine to machine? Usually, UNIX machines are on
> some kind of network and data is transferred electronically.

Hourly. Our users have an interesting configuration. They have local floppy drives (OH WOW!). They tend to copy their own files off the system so that they feel more secure in their information. It also indicates that they can also load information onto the machine. And if you haven't heard, Sun is now making it possible to do this without root privileges.

> Consequently, there is, as of yet, no reliable indication of whether or
> not UNIX access control is helpful. As a competent UNIX sysop will
> protect executables from modification by users, it seems likely that a
> much higher level of skill will be required to effectively propagate
> viruses on UNIX.
While a sysop will take protective measures that he/she knows, remember that many products ask to be installed as root. If there is a virus in that package, then it was just installed as root and can run amuck throughout the entire "trusted" network, not just the local machine. If you think that this is far fetched then you probably don't remember some of the "shrink wrapped" software that has been shipped with viruses, accidentally, in them for PC's and MACs.

> In any event, if you have access to a UNIX machine, you probably are
> too busy doing something interesting to have time for virus writing.

Are you out of touch with the Unix world? Many of us have Unix boxes at home, we have a couple of sparcbooks that run around the country picking up whatever may land on them, and we have people that come in after hours to play games and just work on their own stuff. Not only is Unix now available to more people, but the people also have more time to work on Unix cracking if they are so inclined.

I am sorry that the tone of this is sarcastic, but I have been fighting with people for several years now not to ignore viruses on Unix machines. There may not be many floating around yet, but ignorance of the problem is no solution. It will just jump up and bite us if we are not ready. Unix machines and PC's are starting to look much like each other. If there is a problem with viruses on PC's, why do people think that there will not be a problem, some day, on Unix machines?

Bill Barnes
Sr Systems Analyst
Martin Marietta
barnes@mdso.vf.ge.com

------------------------------

Date: Fri, 29 Oct 93 11:06:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Parasitic? (PC)

vfreak@aol.com (vfreak@aol.com) writes:

> Parasites usually can't live for very long without their hosts, and since
> file infectors require host files in order for them to replicate, they are
> parasitic.

No, Kevin's reply was more correct - the term "parasitic" is usually used to label a virus which attaches itself to files somehow physically (not necessarily at the end) - that is, one that does not overwrite them, and not a companion or boot sector virus.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 11:10:17 -0400
From: Eric_N._Florack.cru-mc@xerox.com
Subject: Re: Satan Bug, et al; VIRUS-L Digest V6 #140 (PC)

In #140 Padgett writes:

- -=-=-=
>The encryption will also make the virus invisible to antivirus
>scanners dated before August. *Virus scanners must open a file to
>scan it, and if your virus is in memory, the act of opening it for
>scanning will infect it. And, if you run an infected antivirus
>scanner, nearly every executable file on the disk will be infected.:

The key here is "scanners". Integrity management software will spot it immediately (my FreeWare CHKMEM will spot it instantly in memory using a check added in 1990 - doesn't even require memory size input).
- -=-=-=

Ya know, I've always been hazy on this point, at least. Why should a scanner /have/ to open a file? Could an effective string search be done at the DISK level, such as what such utils as NDD do? Sector by sector, it would be; and it would require that the whole disk be done, as opposed to just one file. Sure, the program would have to keep track of what file such and such a sector is assigned to, but it should be able to do this by using the FAT as a data file, thereby avoiding the opening of ANY files, except the scanning EXE itself. Or am I sideways, here?

Thanks for all the info, and thanks to the folks who sent me reams of information, off the list.
/E

------------------------------

Date: Fri, 29 Oct 93 11:17:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey Problem (PC)

Scott Gregory (wg2b+@andrew.cmu.edu) writes:

> We have an epidemic of the Monkey virus here at our school. I just
> learned that F-Prot won't properly remove Monkey from a hard drive.

Indeed, that's a known bug in F-Prot. Also, it will misidentify the virus (as "new variant of Stoned") on anything other than a 360 Kb floppy.

> Can somebody suggest a program (preferably public domain so I can
> distribute it to the kiddies around here) that can successfully remove
> the Monkey virus from a hard drive?

Try KillMonk2 from Tim Martin, available from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/killmnk2.zip

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 11:27:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: INVADER: info wanted (PC)

A.W.van Steijn (felfs!awsl3@uunet.uu.net) writes:

> Who has had some experience with the "Invader" virus?

You probably mean one of the Jerusalem.AntiCAD.4096 viruses?

> I have the following questions:
> 1. Is the McAfee virus scanner able to find it?

Yes. It calls it "Invader [Invader]", except that it reports one of my replicants as "Sunday [Sunday]". (Huh?!)

> 2. Can the virus be "cleaned" from an infected disk?

Of course.

> 3. Is it a stealth virus?

No, as far as I recall. But it is multi-partite (infects both files and boot sectors) and highly destructive.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 11:31:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Protection needed for LAN servers and workstations (PC)

fishern3485@cobra.uni.edu (fishern3485@cobra.uni.edu) writes:

> Is it possible to poll the write-protect soft-switch? If it is possible
> to poll this location without turning the drive on, then you can have
> an interrupt-driven program watch to see if the write protect status
> changes. This would indicate a disk removal/insertion.

Hm. That's a neat idea. Yes, it is possible to poll the ports of the floppy disk controller and to check the write protection status. I don't know whether this will require the drive motor to be turned on. Try to implement it and keep us posted.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 11:34:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: --- Virus sigs for 'Dudley' virus - - (PC)

sdoddsir01@cc.curtin.edu.au (sdoddsir01@cc.curtin.edu.au) writes:

> I was wondering if any of you guys out there in computer world
> would have any virus signatures for the Dudley virus???

Nope. The virus is polymorphic. I have not analysed it, but it is quite possible that no single scan string for it (or even a reasonably small set of them) can be found.
> Because this virus was caught recently on the net there are no
> scanners for it avail. so I'll do the more monotonous task of
> searching signatures (usually works for me....)

Try VET from Cybec. It's an anti-virus company local to you, and since the virus has also been reported first in Australia, it is quite likely that their software can deal with it.

> I hope one of those sorts who likes gathering virus signatures for
> their own scanners might be reading this and can help..

I hope that this example can show you why gathering virus "signatures" ("scan strings" is the more appropriate term) is not a good idea - there are viruses for which no such scan strings can exist.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 11:50:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE virus...what does it do? (PC)

John Coughlin (jcoughli@vela.acs.oakland.edu) writes:

> I recently encountered a virus that Norton NAVSCAN identified as
> MtE. Unfortunately, Norton didn't provide a description of the virus;
> it basically told me to delete it and reinstall the file. Neither
> the versions of Central Point CPAV, McAfee, or PC Virus that I
> have even recognize this virus. Does anyone know what this MtE virus
> does, and if there's a way to remove it without re-installing the
> infected files?

First, there is no such thing as the MtE virus. MtE is a polymorphic engine - a library function that can be linked to a virus written to use it, which makes it polymorphic. This way, the author of the virus doesn't have to care to implement polymorphism himself, and the polymorphism provided by MtE is very good.

Currently there are a couple of dozen viruses which use the MtE. Some (most) scanners are unable to distinguish between them and call all of them just "MtE" (or "DAME", or whatever). In my tests, the latest versions of McAfee's SCAN were able to detect the MtE-based viruses reliably. CPAV also has reasonably good detection, although it is not 100% reliable. I don't know what PC Virus is, but if you mean PC Vaccine Professional, it is also able to detect the MtE reliably.

As opposed to that, NAV up to and including version 2.1 is known to have unreliable detection of the MtE-based viruses. The older versions of the virus definitions were also known to cause false positives. Therefore, I am inclined to believe that in your case you don't have a virus, but are a victim of a false positive.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 12:01:04 -0400
From: bc1f_067@uwpg02.uwinnipeg.ca
Subject: *HELP*--Possible Virus? (PC)

Hi. I've read the FAQ, and I didn't find anything describing my problem. I think that I may have a virus of sorts. I'm using a 496DX2 IBM compatible running MS-DOS 6 with a TVGA89-blah card. Occasionally, when I power up, nothing happens on the screen. The power light is on, the fan is going, but there are no Power On Self Tests (memory, drive check, etc...). This is remedied by hard-booting. I was told that this was most likely caused by a bad BIOS chip, but I can hear my hard disk work for approx. 2-3 seconds when I power up. It is only when this happens that the screen blanks. I've run the three virus checkers that I own, CP Antvir, Manitoba Hydro scan, and Msav.
Cp hangs, Manitoba Hydro doesn't find my boot record, and Msav detects nothing. Any help would be appreciated.

Many thanks in advance,
Chris.
email: bc1f_067@uwpg02.uwinnipeg.ca

------------------------------

Date: Fri, 29 Oct 93 12:18:36 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Why is CPAV bad? (PC)

Jonah Lin (lin@rs5.tcs.tulane.edu) writes:

> I've read several posts saying how bad CPAV is.
> Why is it so bad, is it because of low detection rate or a combination of
> things?

A combination of things. Miserable detection rate, sometimes crashes, very weak integrity checker, the resident part in most versions can be disabled or even removed from memory by a virus, some misleading and plain wrong things in the manual, etc., etc. The restricted variant called MSAV that comes with MS-DOS 6.0 is even worse. Yisrael Radai has an article explaining all the deficiencies in MSAV; it is available in PostScript format from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/msaveval.zip

> Which AV software is considered to be the best?

Which editor is the best? Which compiler is the best? None! It all depends on what exactly you need. Of course, some products perform some anti-virus functions better than others.

Regards,
Vesselin

------------------------------

Date: Fri, 29 Oct 93 12:28:48 -0400
From:
Subject: Re: Why is CPAV bad? (PC)

Jonah Lin asks:

> I've read several posts saying how bad CPAV is.
> Why is it so bad, is it because of low detection rate or a combination of
> things?

I'm sure by now you've already received some replies to your question, but anyway, here are 15 reasons why I think CPAV is an inferior product:

1. CPAV consistently scores at or near the bottom on comparisons of known-virus scanners with respect to their detection rate.

2. CPAV's scanning is relatively slow.

3. CPAV's resident program VSafe (or Vwatch) can be very easily disabled by a virus (even when the program is installed as a device driver).

4. VSafe does not detect creation of new executables (important for detecting companion viruses), modifications to files with a non-executable extension or renaming of files (thus enabling a virus to circumvent the fact that modifications to files with an executable extension are detected).

5. The integrity checking does not detect companion viruses.

6. If the checksum database is deleted by a virus, instead of sounding an alarm, CPAV simply creates the database anew, using the *infected* files as a basis for future comparison instead of the original ones.

7. CPAV checksums only the first 63 bytes of a file. A virus could be written which infects files without altering either these 63 bytes or the file size. Furthermore, a virus could overwrite the scan strings within CPAV.EXE or VSAFE.COM with garbage, without the user becoming aware of this.

8. CPAV's checksum algorithm is not key-dependent. Hence for any given file, all users will have the same checksum. This could easily be exploited to forge checksums.

9. CPAV 2.0 can detect viruses within certain types of compressed executables and archives, but it is very slow at this.

10. CPAV 2.0 contains heuristic scanning, but its detection rate is very low.

11. Some of the defaults (Anti-Stealth = Off and Check All Files = On) are very poorly chosen.

12. Despite claims to the contrary, it seems that scan patterns containing wildcards are still not encrypted, causing "ghost positives" when other scanners scan memory after CPAV or VSafe has been active, and possibly false positives in the CPAV.EXE and VSAFE.COM files themselves. No other widely used scanner (except MSAV, which is a sub-product of CPAV) fails to take some measure to prevent such false alarms.

13. CPAV hangs after scanning a certain number of MtE-infected programs.

14. Keeping a separate checksum database for each directory uses a lot of disk space and makes blocking of some of the above security holes very difficult.

15. Market-wise, CPAV has been rather successful. However, high sales figures do not imply high quality, especially in the AV field, where the ordinary user has no way of knowing how good a product really is. The developers of CPAV have consistently demonstrated that sales figures are much more important for them than quality of their product.

Note: It is possible that a few (relatively minor) faults among those mentioned above have been corrected since the last version of CPAV which I examined. However, I'm quite sure that this does not apply to any of the major faults.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Fri, 29 Oct 93 12:32:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Yoshi Virus *&^%$ Help! (PC)

Stephen H White (swhite@bach.udel.edu) writes:

> I work at a student computer lab at the University of Delaware. We
> came across a hard-drive that was infected with the Yoshi virus. We

Yoshi? Don't you mean Joshi, by chance? I'll assume that you do.

> tried everything we knew of to remove it:
> DOS FORMAT (4 Times)

Useless, because the virus infects the MBR and DOS FORMAT doesn't touch this.
> CHANGING the PARTITION MAP

Useless, because the virus infects the CODE in the MBR and just changing the PT doesn't touch it.

> NORTON WIPEDISK
> WRITING 0's to entire disk & Reformatting

Wiping only the DOS partition is useless, because the virus is not there!

> None of these methods have worked.

Of course.

> After reinstalling DOS on this
> machine with a LOCKED DISK, the virus has reappeared each time. Our

It has been just left on the hard disk. It has always been there; no need to "reappear".

> network is not infected.

Can't be. Joshi infects only boot sectors; it can't infect across the network. Just make sure you don't boot your server from an infected floppy.

> this happen. Does anyone know how to remove YOSHI?

Best solution is to use the appropriate anti-virus program that knows the virus and can remove it. Try F-Prot, or CLEAN, for instance. Otherwise, a poor man's removal tool for MBR infectors is to boot from MS-DOS 5.0 or above (the version is important), make sure you still "see" the files on your hard disk (unless you don't care whether they will be preserved), and run the command "FDISK /MBR". This will cure the virus from the hard disk, but it will remain on the infected floppies, and forgetting such a floppy in the drive while the computer is booting will cause a reinfection. Therefore, I'll still need an anti-virus program to disinfect all the infected floppies.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Oct 93 12:45:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Removing Boot Sector Virus from Floppies (PC)

Russell Aminzade (aminzade@moose.uvm.edu) writes:

> We had an epidemic of the ESSEX virus (supposedly started here in
> ESSEX, VT), known to FPROT as the QRry virus. I can see where the
> name comes from -- when I use a hex editor on the boot sector QRry is
> there...

> We cleaned it up fairly easily (after reading the FAQs here and asking
> around) with FDISK /MBR, and restoring with SYS. This was easy --
> we're all DOS 5 in the lab where the infection happened. I hate to
> think of the hassles if it gets around campus where we have a lot of
> different varieties of DOS!

Qrry is an MBR infector, so just doing FDISK /MBR will be sufficient to remove it from the hard disks. It doesn't matter what version of DOS you have on them; you just need version 5.0 or above, or FDISK will not support the /MBR switch. SYS -is- DOS version dependent, but you need it only to remove the virus from floppies, and it doesn't really matter what version of the boot sector you'll put on them.

> Here is the problem, and I'd appreciate any help from the nets. I
> don't see how to clean off floppy disks since the boot sector remains.

Just copy the files from them somewhere else (file-by-file, using COPY or XCOPY, -not- DISKCOPY), format the diskette and copy the files back. Or just SYS them, if there is enough space for a copy of DOS.

> Copying a file or just doing a DIR of the disk seems to put the virus
> code into RAM (F-PROT finds it, McAfee doesn't...), but not
> propagate it.

Yes. When DOS is executing the DIR command, it has to read the boot sector of the diskette, in order to figure out some parameters. "To read" the boot sector means that a copy of it is read in the DOS buffers, i.e. in memory. If this copy is infected, this means that a copy of the virus is read in memory. However, it never receives control and cannot infect. But it is there and that's why some scanners find it there after a DIR of an infected diskette. I maintain the opinion that this is a mistake and they shouldn't be looking for the virus at a place in memory where it definitely can't be.

> etc.). I'd like to have a better way to tell students how to clean up
> disks than "copy all files to the hard drive, reboot to remove Qrry
> from memory, format the disk, copy them back."

No need to reboot. If the scanner continues to moan that the virus is active (when you know that it isn't), tell it not to scan the memory - most scanners have such an option.

> I'm not entirely sure
> that this cleans it up, either.

It will.

> Damn these virus-writing sociopaths.

Fully agree with you.

> And by the way, is there any way this virus could be lurking in some
> part of our Novell server?

No, unless you attempt to boot the server from an infected floppy. Then you will infect the server's hard disk, but it will be still unable to propagate the virus to the workstations across the network.

> I don't think a Novell volume has anything
> like a boot sector

It sure does have one, just there is no way to access it across the network, because NetWare does not support sector access across the network.

> (there is a boot IMAGE for no-disk booting, and I
> suppose I need to restore that from a known clean copy just in
> case...).

Yes, that's a good idea.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Oct 93 12:45:52 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 1837 bytes 9E 10 16 ... (PC)

Lutz Marten (marten@ilt.fhg.de) writes:

> we found a virus (start pattern 9E 10 16 01 74 07 70 00 00 21 06 06
> 00, length 1837 bytes) with the validate function of McAfee 10.8 but
> can't get rid of him with this McAfee version. So can someone tell me
> which virus it is and how to blow it out of the infected system ?

I just scanned my whole virus collection for this scan string and no file contained it. It seems to be a new virus. I suggest you send a copy to the anti-virus researchers for analysis.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Oct 93 13:09:30 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Nov 17 Virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> This information is quite a bit out of date. There are not four known
> variants, but at least eight: 584, 690, 768, 800, two 855, 880 and 1007
> bytes long.
> Somebody seems to be developing the new variants faster than the information
> (or many anti-virus products) can be updated...

Indeed... :-) I will add that even the above information is already out of date. In my collection, there are at least 10 variants: 584, 690, 706, three 768, 800, two 855, and 880 bytes long. I was not aware of the 1007-byte variant, so this makes 11...
:-(

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Oct 93 13:13:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: KEYPRESS 5 virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> Sorry, but "KEYPRESS 5" is not enough to provide accurate identification.
> At the moment I know of the following variants:
>   1215                 1215/1455 bytes
>   1228                 1228/1468 bytes
>   9 variants of 1232   1232/1472 bytes
>   1236 (Chaos)         1236/1492 bytes
>   1266                 1266/1506 bytes
>   1495                 1495/1735 bytes
>   1744                 1744/1984 bytes
>   2728                 2728/2984 bytes
> A total of 16 variants...whatever CPAV identifies as "KEYPRESS 5" is
> probably one of them, but without information on the virus size I
> cannot tell which one it is.

CPAV 2.0 calls "KeyPress 5" only the last one - Keypress (2728) in your naming scheme.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Oct 93 13:16:51 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: S-Bug virus (PC)

A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:

> a) Identification when resident in memory - easy - faulty/obvious mechanism
> used.

I beg to disagree - detection that something is in memory is easy, identification that it is exactly this virus - isn't as easy as that, because the virus is encrypted.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Oct 93 15:32:32 -0400
From: thull@skidmore.edu
Subject: Looking for Info.:ANNOINT VIRUS (PC)

Several universities in our area have had a sudden attack of the virus known as ANNOINT. Anyone have experience with this virus? Any information would be helpful. THANKS!

\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\
Terri Hull
Skidmore College, Saratoga Springs, NY 12866
thull@skidmore.edu
\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\/\\\

------------------------------

Date: Fri, 29 Oct 93 15:21:55 -0400
From: HAYES@urvax.urich.edu
Subject: GS.ZIP

Hi fellows. Announcing a new AV package, GLOBAL SHIELD, just sent to me by the author, Gleb Esman. Following is the description sent by Gleb:

- ------------------------------------------------------------------------------
The Global Shield. Full-scale integrity checker with powerful recovery capabilities. IBMPC/DOS version. Dedicated against unknown and future viruses. Can detect unknown/possible boot viruses and recover boot/partition sector. Saves tiny "images" of selected files to be used later for integrity checking and recovery of files/disks. Can be used on Networks.
Gl.I.Yes.(gesman@io.org)
- ------------------------------------------------------------------------------

Please note that this is a BETA version, and address all mail directly to Gleb Esman at: gesman@io.org

==========
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.
==========

Good weekend to all,
Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 142]
******************************************
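Added example (not part of the digest and not the code of CPAV or of any product mentioned in it): a small Python model of the integrity-checking faults Y. Radai lists as points 5 through 8 in the "Why is CPAV bad?" thread above, beside a keyed design that avoids them. The directory contents, the "infections" (plain byte edits, no virus code), the passphrase and all file names are constructed for the example; the weak checker is a caricature of the listed faults (unkeyed CRC over the first 63 bytes, known files only, silent re-baselining), not a reimplementation of CPAV's actual algorithm.

```python
# Added example: toy integrity checker built two ways, to show what
# Radai's faults 5-8 cost. Directory = dict of name -> bytes; all constructed.
import hashlib
import hmac
import zlib

EXEC_EXTENSIONS = (".exe", ".com")


def is_executable(name):
    return name.lower().endswith(EXEC_EXTENSIONS)


def sample_fs():
    """Constructed directory contents."""
    return {"PROG.EXE": bytes(range(256)) * 4,          # 1024-byte stand-in
            "TOOL.EXE": b"MZ" + b"\x90" * 500,
            "README.TXT": b"not an executable\r\n"}


# --- weak design: unkeyed, first 63 bytes, known files only -------------
def weak_checksum(data):
    """Unkeyed CRC over the first 63 bytes only (faults 7 and 8)."""
    return zlib.crc32(data[:63]) & 0xFFFFFFFF


def weak_build_db(fs):
    return {n: weak_checksum(d) for n, d in fs.items() if is_executable(n)}


def weak_check(fs, db):
    """Return (alerts, db). A missing database is rebuilt silently from the
    current, maybe infected, files (fault 6); only names already in the
    database are compared, so a new companion .COM is never seen (fault 5)."""
    if db is None:
        return [], weak_build_db(fs)
    return [f"modified: {n}" for n, c in db.items()
            if n in fs and weak_checksum(fs[n]) != c], db


def weak_forge_entry(db, name, data):
    """Unkeyed: a virus can recompute the entry for the file it infected."""
    db[name] = weak_checksum(data)


# --- keyed design: HMAC over name + whole file, plus a MAC over the db ---
def keyed_checksum(key, name, data):
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.upper().encode() + b"\0")   # bind the name to the entry
    mac.update(data)
    return mac.hexdigest()


def _db_mac(key, entries):
    blob = "\n".join(f"{n}={c}" for n, c in sorted(entries.items()))
    return hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()


def keyed_build_db(fs, key):
    entries = {n: keyed_checksum(key, n, d) for n, d in fs.items()
               if is_executable(n)}
    return {"entries": entries, "mac": _db_mac(key, entries)}


def keyed_check(fs, db, key):
    """Alerts for a lost/tampered database, deleted or modified files, and
    executables that appeared since the baseline (companion viruses)."""
    if db is None:
        return ["database missing"]
    entries = db["entries"]
    if not hmac.compare_digest(db["mac"], _db_mac(key, entries)):
        return ["database tampered"]
    alerts = []
    for n, c in entries.items():
        if n not in fs:
            alerts.append(f"deleted: {n}")
        elif not hmac.compare_digest(keyed_checksum(key, n, fs[n]), c):
            alerts.append(f"modified: {n}")
    return alerts + [f"new executable: {n}" for n in fs
                     if is_executable(n) and n not in entries]


def keyed_forge_entry(db, name, data, guessed_key):
    """Without the user's key a virus can only re-MAC under a guess."""
    db["entries"][name] = keyed_checksum(guessed_key, name, data)
    db["mac"] = _db_mac(guessed_key, db["entries"])


# --- simulated infections: byte edits only ------------------------------
def infect_body(data, payload=b"<<payload>>"):
    """Overwrite bytes past offset 63: head and size unchanged (fault 7)."""
    return data[:64] + payload + data[64 + len(payload):]


def infect_head(data, payload=b"<<payload>>"):
    """Overwrite the first bytes: the one edit the weak checker notices."""
    return payload + data[len(payload):]


def run_scenarios(key=b"user's secret passphrase"):
    """Return {scenario: (weak alerts, keyed alerts)}."""
    fs = sample_fs()
    wdb, kdb = weak_build_db(fs), keyed_build_db(fs, key)
    body = {**fs, "PROG.EXE": infect_body(fs["PROG.EXE"])}
    comp = {**fs, "PROG.COM": b"\xeb\xfe" + b"\0" * 30}   # companion stub
    head = {**fs, "PROG.EXE": infect_head(fs["PROG.EXE"])}
    wdb_forged = dict(wdb)
    weak_forge_entry(wdb_forged, "PROG.EXE", head["PROG.EXE"])
    kdb_forged = keyed_build_db(fs, key)
    keyed_forge_entry(kdb_forged, "PROG.EXE", head["PROG.EXE"], b"guess")
    return {
        "clean": (weak_check(fs, wdb)[0], keyed_check(fs, kdb, key)),
        "body edit": (weak_check(body, wdb)[0], keyed_check(body, kdb, key)),
        "companion": (weak_check(comp, wdb)[0], keyed_check(comp, kdb, key)),
        "db deleted": (weak_check(body, None)[0], keyed_check(body, None, key)),
        "head edit": (weak_check(head, wdb)[0], keyed_check(head, kdb, key)),
        "forged db": (weak_check(head, wdb_forged)[0],
                      keyed_check(head, kdb_forged, key)),
    }
```

Calling run_scenarios() shows the weak checker staying silent on the body edit, the companion file, the deleted database and the forged entry, while the keyed checker reports each; the only change the weak design ever flags is the head edit, and a virus can erase even that by recomputing the unkeyed entry. The same key must of course be kept off the disk the checker protects, or the keyed design degrades to the unkeyed one.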
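Added example (not part of the digest): a Python model of a tiny disk that replays, step by step, why the remedies tried in the Joshi thread above (FORMAT, rewriting the partition table, zeroing "the entire disk" from within DOS) left the virus in place, and why Bontchev's poor man's removal tool, FDISK /MBR, removes it. The disk layout (64 sectors, one partition starting at sector 8, a stash sector outside the partition for the original MBR, partition entries with only the LBA fields filled and the CHS bytes zeroed) and the marker string standing in for the virus are all constructed assumptions; the point is which bytes each operation touches, not any real virus's code.

```python
# Added example: 64-sector disk model replaying the lab's attempts from the
# Joshi thread. The "virus" is a marker string in the MBR code area.
import struct

SECTOR, N_SECTORS = 512, 64
PT_OFFSET, PT_ENTRY, SIG_OFFSET = 446, 16, 510   # partition table and 55AA
PART_START, PART_SECTORS = 8, 56                 # the single DOS partition
STASH_SECTOR = 7                                 # outside the partition
CLEAN_MBR_CODE = b"CLEAN-MBR-LOADER"             # constructed stand-ins
VIRUS_MARKER = b"BOOT-VIRUS-MARKER"
DOS_BOOT = b"DOS-BOOT-SECTOR"
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, count


def sector(disk, n):
    return bytes(disk[n * SECTOR:(n + 1) * SECTOR])


def write_sector(disk, n, data):
    assert len(data) == SECTOR
    disk[n * SECTOR:(n + 1) * SECTOR] = data


def build_mbr(code, entries):
    """Code area, then (boot, type, lba_start, count) entries, then 55AA."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + i * PT_ENTRY,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


def read_partition_table(disk):
    mbr = sector(disk, 0)
    rows = [struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + i * PT_ENTRY)
            for i in range(4)]
    return [(b, t, s, c) for b, _, t, _, s, c in rows if t]


def partition_table_sane(disk):
    """Bontchev's precondition for FDISK /MBR: the table it keeps must be real."""
    if sector(disk, 0)[SIG_OFFSET:] != b"\x55\xAA":
        return False
    pt = read_partition_table(disk)
    return bool(pt) and all(0 < s and s + c <= N_SECTORS for _, _, s, c in pt)


def make_disk():
    disk = bytearray(N_SECTORS * SECTOR)
    write_sector(disk, 0, build_mbr(CLEAN_MBR_CODE,
                                    [(0x80, 0x06, PART_START, PART_SECTORS)]))
    write_sector(disk, PART_START, DOS_BOOT.ljust(SECTOR, b"\0"))
    return disk


def scan(disk, pattern=VIRUS_MARKER):
    """Sector numbers containing the scan string."""
    return [n for n in range(N_SECTORS) if pattern in sector(disk, n)]


def infect_mbr(disk):
    """MBR infector: stash the original sector, replace the code, keep the PT."""
    write_sector(disk, STASH_SECTOR, sector(disk, 0))
    write_sector(disk, 0, build_mbr(VIRUS_MARKER, read_partition_table(disk)))


def dos_format(disk):
    """FORMAT, or zeroing 'the whole disk' from DOS: only the partition is touched."""
    for n in range(PART_START, PART_START + PART_SECTORS):
        write_sector(disk, n, bytes(SECTOR))
    write_sector(disk, PART_START, DOS_BOOT.ljust(SECTOR, b"\0"))


def rewrite_partition_table(disk, entries):
    """Edit bytes 446..509 only; the code in front of them is kept."""
    mbr = bytearray(sector(disk, 0))
    mbr[PT_OFFSET:SIG_OFFSET] = build_mbr(b"", entries)[PT_OFFSET:SIG_OFFSET]
    write_sector(disk, 0, bytes(mbr))


def fdisk_mbr(disk):
    """FDISK /MBR: new code area, partition table and signature preserved."""
    if not partition_table_sane(disk):
        raise RuntimeError("partition table unusable; FDISK /MBR would lose data")
    write_sector(disk, 0, build_mbr(CLEAN_MBR_CODE, read_partition_table(disk)))


def walkthrough():
    """Scan result after each step the lab tried, then after FDISK /MBR."""
    disk = make_disk()
    infect_mbr(disk)
    steps = {"infected": scan(disk)}
    dos_format(disk)
    steps["after FORMAT"] = scan(disk)
    rewrite_partition_table(disk, read_partition_table(disk))
    steps["after PT rewrite"] = scan(disk)
    fdisk_mbr(disk)
    steps["after FDISK /MBR"] = scan(disk)
    steps["boot sector intact"] = sector(disk, PART_START).startswith(DOS_BOOT)
    steps["partition kept"] = (read_partition_table(disk)
                               == [(0x80, 0x06, PART_START, PART_SECTORS)])
    return steps
```

walkthrough() reports the marker in sector 0 after the infection, after FORMAT and after the partition-table rewrite, and gone only after fdisk_mbr(), with the DOS boot sector and the partition entry untouched. The partition_table_sane() check is the model's version of "make sure you still see the files on your hard disk" before running FDISK /MBR: it refuses when the table FDISK would keep points outside the disk, which is the situation in which rewriting the MBR would lose the data rather than cure the disk.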