VIRUS-L Digest   Monday,  3 Jan 1994    Volume 7 : Issue 1

Today's Topics:

Re: Are virii taking over the world..?
Re: Liabilities
Re: Virus/gun analogy doesn't work
Re: Liabilities
Integrity of files at ftp sites
Re: Viruses not destructive?? (Was: Virus/gun analogy doesn't work)
Re: Freeware distribution of anti-virus software
Re: F-PROT 2.10c is out (PC)
Re: Windows viruses? (PC)
Re: Windows viruses? (PC)
Re: MSAV Strings Being Picked Up By SCAN (PC)
Re: Nice Day Virus (PC)
NetShield 109 misses Tremor (PC)
Re: 'Anti-viral' Viruses (PC).
Re: Nice Day Virus (PC)
Anti-virus part. & mbr (PC)
Power Pump virus (PC)
3K virus (PC)
Prevent programs (PC)
Beb* virus (PC)
Nice Day Virus (PC)
Re: Windows viruses? (PC)
Re: New type of virus, EXE-header infector (PC)
Possible Network Infection (PC)
What is FScan? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 16 Dec 93 16:42:43 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Are virii taking over the world..?

Daniel J. Karnes (djk@netcom.com) writes:

> a customer base of 13000 installations. Now, with a company in the same
> line of business, and a customer base of 2000 installations, I am seeing
> an average of TWO INFECTIONS A DAY! Stoned, Stealth, HBD Joshi, Musicbug,
> some Jerusalem, and an occasional disk-killer.

All of the above, except Jerusalem, are boot or master boot sector
infectors. You are strongly advised to suggest to your customer one of
the following (whichever is more appropriate to them):

1) Modify the CMOS settings, so that the BIOS tries to boot from the
hard disk first - on many of the contemporary machines this is
possible.

2) Install Padgett's DiskSecure II.

3) Use Henrik Stroem's HS.

The last two products are available from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/ds231c.zip
ftp.informatik.uni-hamburg.de:/pub/virus/progs/hs35.zip

> Have incidences of infection generally increased? Or do I just happen to
> work for a company in VERY infected straits?!?

The frequency of the cases of virus infections has indeed increased
lately, as well as the number of known viruses and the number of known
viruses in the wild. It's pretty predictable.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 16 Dec 93 16:53:19 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Liabilities

Mike Hanewinckel (mikehan@kaiwan.com) writes:

> Well, I think most of us have seen or own a copy of a certain collection,
> known as "the Goat Collection" which claims to have originally belonged to
> a certain well-known member CARO.

1) This doesn't contradict our claim that each CARO member has his own
collection and there is no such thing as "The CARO Virus Collection".
It simply doesn't exist.

2) Our "goat files" are certainly no secret, so anybody could get them,
infect them with viruses and distribute them.

3) It's pretty easy to create infected goat files that claim to belong
to one of us. I can easily create scores of them, and they can say that
they belong to me, to CARO, to you, to President Clinton, and so on.

Want more? :-)

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 17:00:13 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus/gun analogy doesn't work

Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) writes:

> Of course not.
> The point here is not distribution, the point here is the making
> and creating of viruses.
> Distribution of viruses is another story.

OK. As several people mentioned here, it is OK to write a virus, if you
don't give it to anybody. However, if it appears somewhere where it is
not wanted, then you are partly responsible for it. Do you agree with
this?

> As i said it has yet to be proven that viruses are inherently
> destructive!

OK, let's put it in another way. All viruses are harmful (i.e. can
cause damage) in some environments. Some of the existing viruses are
written with the intent to be harmful, while others cause harm
non-intentionally. Do you agree with this or should I elaborate?

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 17:07:11 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Liabilities

Sean Kirkpatrick (seank@nermal.santarosa.edu) writes:

> viruses are not inherently destructive. It is only the application of malicio
> code within the virus that causes it to be destructive. That history shows tha

Not true. Simple replication causes modification and *this* can be
destructive (although I like the more general term "harmful"), even if
the virus doesn't have intentionally malicious code in it. In fact, we
call such viruses "not intentionally destructive" - that is, they *may*
destroy something, but not intentionally.

> most viruses to date does not prove the point that all viruses are malicious.

*All* currently existing viruses *can* be harmful in some environments.
More exactly, for every possible virus, there exists a combination of
software and hardware, on which it causes damage. As far as I recall,
this rule was first formulated (although not necessarily in this exact
wording) by Prof. Harold Highland.

> That a virus spreads by modifying some other program is not debatable. That
> the resulting changes to the infected program are good or bad can be discussed
> only in the context of the behaviour of that newly infected program, and in th

Exactly! It depends on the environment! A virus which does "del *.*" at
12:00 may be even beneficial in an environment when it is desired that
all files in the current directory are deleted at that time.

> way that the infection was carried out. If the infection causes deliberate or
> accidental destruction or otherwise interferes with the system, then I think
> one could safely say that the infection is destructive. On the other hand,

Yes. Unfortunately, all known (and possible, IMHO) viruses interfere
with the system. Of course, the same can be said for any other program.

> if the infection causes some benefit to system operation, such as compressing
> or decompressing executables to free up disk space, then I doubt that anyone
> could claim that the behaviour was destructive provided, however, that it was
> not done in a way that obscured what was happening from the user.

Again, it depends on the environment. If I have mostly self-checking
programs on my computer, I certainly wouldn't want some nastie to
compress them for me, because then they will not run. Also, I might
need the applications to start as fast as possible, so slowing the
startup down for decompression might be harmful for me.

> Of course, there could be bugs in a beneficial virus which could cause
> malicious results; i.e., loss of functionality. Does this mean
> that the virus is destructive?

Yes, it does. In that particular environment.

> I'm not sure; all software has bugs. Are

Yes, all programs are harmful in some environments. However, I don't
authorise them to run in environments in which they can be harmful.
This is another key word - authorisation. If the virus comes on my
system *only* if I have authorised (installed) it myself, then I am not
considering it as harmful - after all, if I have decided to install it,
I probably have pretty good reasons for that.

> problems caused by buggy software destructive? Perhaps not for my word
> processor, perhaps so for a Boeing 757 Flight Control System.

Yet another proof that it depends on the environment. The problem with
the currently existing viruses is that their spread cannot be
controlled, they are too buggy, and they don't wait to be installed on
a system by the owner of the system AND with his/her permission. In
fact, the authorization must be active - that is, I have to actively
install or invite the virus. Just asking me for permission to infect is
not good enough, because it interrupts me (without my authorisation)
and in some cases this can be harmful.

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 19:32:33 -0500
From: tomc@intel.com (Tom Coleman)
Subject: Integrity of files at ftp sites

I recently asked the group comp.sys.sgi.graphic for solutions to a
programming problem I was having. Several people pointed me to a public
domain library available via anonymous ftp which gave me the tools I
was looking for. The library is called FORMS v2.2, by Mark Overmars. It
is available at ftp.cs.ruu.nl.

I ftp'ed this library, and looked it over. It seemed to be exactly what
I was looking for. My manager, however, was concerned about using
public domain tools and libraries from "unknown" sources. He was
concerned about viruses and security risks.

There is so much excellent public domain software available on the
internet. How do I go about using what's available, while ensuring my
manager that security is not being threatened? How can I verify the
integrity of the software at ftp.cs.ruu.nl, specifically; and other
p.d. software in general?

I have no reason to doubt the integrity of the author of the library,
but my faith isn't enough to convince my manager.

Please excuse me if this is already covered in a FAQ.

- - Tom Coleman

------------------------------

Date: Fri, 17 Dec 93 15:52:51 +0000
From: cotton@vms.ucc.okstate.edu (Greg Cotton)
Subject: Re: Viruses not destructive?? (Was: Virus/gun analogy doesn't work)

src4src!ktark@imageek.york.cuny.edu (Karl Tarhk) writes:

>As i said it has yet to be proven that viruses are inherently
>destructive!

Pardon me if I sound ignorant (for I haven't been following the
thread), but this point seems a bit hard to swallow. Please clarify
how, when there are so many viruses out there that reformat the hard
drive, or one of my favorites (not because it destroys data, but
because it was cunning) is the one that randomly erases a sector for
every 16 files it infects. How can these be said to not be
destructive??

L8r.
Greg

------------------------------

Date: Fri, 17 Dec 93 18:30:56 -0500
From: kyber
Subject: Re: Freeware distribution of anti-virus software

seank@nermal.santarosa.edu (Sean Kirkpatrick) writes:

>Fridrik Skulason (frisk@complex.is) wrote:
>: halew@jupiter.sun.csd.unb.ca (R. Wallace Hale) writes:
>: >It seems to be working quite well for Frisk et al...
>: Well....I'm not complaining. $1 per machine (and free for private use)
>: may not seem likely to generate much income, but well...there are just so
>: many computers out there ... :-)
>: However - I must admit that when this started I never expected to celebrate
>: the registration of the millionth copy :-)

>By the way Frisk, I want to thank you for the way in which you are
>addressing this problem. Unlike others in the business, your policy
>of distribution is, I think, one of the finest examples of users
>helping users that I have ever seen. Your efforts are commendable,
>and I wish there was an award that you could receive for your
>contributions.

>Last year about this time, I did some research for a Bank that I was
>consulting for, and discovered that the FPROT engine was used in about
>6 or 7 of the top 10 commercial virus scanners. Based on my own
>testing for the Bank, FPROT compared favorably in terms of
>performance. But your product stood heads above *any* other package
>in terms of your licensing policies. I sincerely hope that my
>recommendation that they license your product was taken.

>Cheers!
> Sean

Let me second that! Due to this forum's urging I have switched to
f-prot and I'm delighted! Good work! And a hearty THANK YOU!

Ken Saichek
- --
|==========================================================================|
|                      "A man said to the universe: "Sir, I exist!"        |
| kyber@mixcom.com     "However," replied the universe,                    |
|                      "That fact has not created in me                    |
|                       A sense of obligation."        -- Stephen Crane    |
|==========================================================================|

------------------------------

Date: Thu, 16 Dec 93 16:35:43 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-PROT 2.10c is out (PC)

Jorgen Olsen (masjol@dou.ou.dk) writes:

> Version 210c - gives the following 'non-error message' if you run it
> in a DOS-window under windows:
> Error opening C:\WINDOWS\SYSTEM\USER.EXE
> Error opening C:\WINDOWS\SYSTEM\USER.EXE
> ..
> ..
> etc (in my case a total of 12)
> It only means that the files are reserved (e.g. running) and thus not
> scanned!

I can confirm this. Frisk, it seems to be a bug. The files *can* be
opened for reading (e.g., with F3 of Norton Commander run in a DOS
window), so they are not locked and I see no reason why the scanner
should not be able to read them.

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 16:37:30 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Windows viruses? (PC)

Fridrik Skulason (frisk@complex.is) writes:

> We added detection of Winvir several versions ago...not sure about Twitch,

At least F-Prot 2.10c does not detect the only sample of this virus
that I have.

> I have to check what that is....

On the other side, I have been unable to replicate it - and you too, if
I remember correctly. Ask the person who analysed it for Virus Bulletin
- he should have a working sample.

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 16:37:36 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Windows viruses? (PC)

kevin marcus (datadec@ucrengr.ucr.edu) writes:

> Winvir is more like a Windows aware virus. It does not actually infect
> Windows executable files.

> Twitch is supposed to be able to infect Windows .EXE's, but I've yet to
> see it replicate. The sample I have seen was definitely a Windows file,
> though.

Ugh, no, you got it slightly backwards. It is Twitch that doesn't touch
the Windows executables - it simply renames them. It is a Windows
application itself, though. But I have been unable to make it replicate
too. WinVir is aware of the NewEXE format and infects Windows
executables perfectly. It is non-resident and when you start the
application it disinfects it (but infects another one in the current
directory).

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 16:46:11 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MSAV Strings Being Picked Up By SCAN (PC)

Vin Anielo (aniello@remus.rutgers.edu) writes:

> and later? It's some kind of WeIrD modification of an older boot sector
> virus known as "1226". I could only isolate it in MWAV.EXE and

Just for the record, by "1226" SCAN probably means the virus
Phoenix.1226, which is a file, not a boot sector infector. Although, I
had the impression that SCAN reported all Phoenix.* viruses as "P1
[P1r]".

> I told him that it was probably just an old version of Scan picking up
> the unencrypted virus signatures of MSAV. Is my conclusion correct?

Yes, it is.

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 16:51:32 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Nice Day Virus (PC)

Ng Bee Yong (byng@solomon.technet.sg) writes:

> Has anyone come across Nice Day virus?

Please, folks, read the FAQ for information how to ask such questions!
What machine? (I'll assume that it's an IBM PC and it was you, not the
moderator, who put "(PC)" in your Subject: line.) Which scanner
reported it? Which version? What other anti-virus software were you
running? Without all this information, it is pretty hopeless to figure
out how to help you.

There is a virus, called VFSI, which displays a message, saying

HELLO!!! HAPPY DAY and SUCCESS

Maybe a scanner is reporting it under the name "Nice Day"?

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 17:10:49 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: NetShield 109 misses Tremor (PC)

Hello, everybody!

Version 1.56 (V109) of McAfee Associates' NETShield (an NLM) for Novell
NetWare 4.x does not detect the Tremor virus. Of 7,395 infected files,
it detected only 8 and reported them as "DAME [DAME]" - a name that it
usually gives to MtE-based viruses. As opposed to that, SCAN 109 seems
to detect the virus reliably. Don't know about VShield 109.

McAfee Associates have been informed about the problem.

Regards,
Vesselin

------------------------------

Date: Thu, 16 Dec 93 19:01:27 -0500
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: 'Anti-viral' Viruses (PC).

The only "good" virus that I can think of would be one that only
infects DOS's RECOVER.EXE program. It would trojanize it so that it
self destructs upon execution like Lovechild does.....

------------------------------

Date: Thu, 16 Dec 93 19:08:31 -0500
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Nice Day Virus (PC)

According to Vsum Semtex, Sumulati, Staf, VCL Beva 32, and Vienna-943
all either display or contain "Nice Day"..... Do you have any more
information on it? You would probably be best off to just run F-prot to
see exactly what it is, if it is a virus.

------------------------------

Date: Thu, 16 Dec 93 20:41:47 -0500
From: mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Anti-virus part. & mbr (PC)

Has anybody else noticed this 'bug' in ThunderByte's anti-viral boot
sector/partition feature? If you are using IBM DOS version 6 and QEMM
version 7.0 or higher with the DOS-UP feature enabled, ThunderByte's
partition software will be triggered when it 'checks system ram'. I
find this unfortunate since it prevents me from being able to actually
use the feature without having to type in 'y' to continue each time.

And I have a question about TBAV's anti-vir.dat files. What is to
prevent someone from packing the anti-vir.dat file along with an
infected file? If they have force-validated it then it won't trigger
ThunderByte's virus scan no matter how suspicious it looks. Wouldn't it
be smarter to have a user defined filename for the anti-vir.dat file?
(or is this feature already included and I missed it?)

Mike Hanewinckel

------------------------------

Date: Thu, 16 Dec 93 23:38:33 -0500
From: Greg.Norris@lambada.oit.unc.edu (Greg Norris)
Subject: Power Pump virus (PC)

Can anyone give me any information on the Power Pump virus? It recently
turned up on my father's machine.

Thanx.
- --
The opinions expressed are not necessarily those of the University of
North Carolina at Chapel Hill, the Campus Office for Information
Technology, or the Experimental Bulletin Board Service.
internet: laUNChpad.unc.edu or 152.2.22.80

------------------------------

Date: Fri, 17 Dec 93 01:33:22 -0500
From: yadav@cse.iitb.ernet.in (Yadav Navneet )
Subject: 3K virus (PC)

hi,

our LAN has recently got infected with a new(???) virus. it has the
following characteristics.

1. Affects only com files.
2. Attaches a 3K segment to the file.
3. Infected program on running hangs.
4. The virus stores names of files it had infected somewhere on the
hard disk. If one deletes an infected file, powers down the machine and
tries to copy the file again from some other source, the file copied
again gets a 3K segment attached to it. Xcopy with the /v option hangs
if used for copying the program.
5. dir with an argument, say dir c*, does not show any files beginning
with 'c', but plain dir shows the files. on rerunning command.com this
problem disappears.
6. On one PC after infecting the command.com it subsequently infected
all com files.

I tried scan, tntvirus, vshield and cpav to detect the virus but i
couldn't detect it.

Has anyone heard of this virus and what is the cure ?

thanks and cheers,
yadav

email: yadav@cse.iitb.ernet.in
       yadavn@cc.iitb.ernet.in

------------------------------

Date: Thu, 09 Dec 93 15:48:00 +0200
From: Dries_Bessels@f205.n314.z9.virnet.bad.se (Dries Bessels)
Subject: Prevent programs (PC)

HI Mark,

> Also, I saw mention of a "Virus Bulletin". Can someone please tell
> me how to get copies of this? Thanks.

You can reach them in England on +44-235-555139.

Brgds Dries

------------------------------

Date: Thu, 09 Dec 93 15:48:00 +0200
From: Dries_Bessels@f205.n314.z9.virnet.bad.se (Dries Bessels)
Subject: Beb* virus (PC)

Hi John,

> This virus infected his DOS directory, inserting 2 files to DOS. the
> files he found were " BEB_____ " (8 letters, no extensions) The final
> 5 letters changed each time the directory was accessed using the more
> command. ( A simple DIR command always failed to show the files at
> all. But when more was used, e.g. DIR | more, the files showed up as
> noted) The files did not seem to do anything to the system, but one
> has to wonder what would have happened when or if the two filenames
> finally matched.

you have found what is (in our company) known as the MORE virus. The
files you are referring to are 0 bytes? They are some temporary files
as created by the MORE command. Better check out all the system because
I think all machines in the world are infected by this :-)

Brgds Dries

------------------------------

Date: Fri, 17 Dec 93 08:40:32 -0500
From: "David M. Chess"
Subject: Nice Day Virus (PC)

>From: byng@solomon.technet.sg (Ng Bee Yong)
>
>Has anyone come across Nice Day virus?
>Any info is appreciated. Thks.

jcchan@solomon.technet.sg (Chan Joo Chong) asked this same question
back in October; you might want to contact that person to see if your
problems are related. Back then, I answered as follows:

We've seen a virus that we call YMP-NiceDay; it may be the same thing
that you have. It's a diskette and hard disk master boot infector, and
on the first of the month it will display "HAVE A NICE DAY (c) YMP"
during boot. To clean up an infected hard disk:

- Power off and boot from a clean DOS diskette.
- Make sure the hard disk partitions are visible (Important! Don't
  skip this step!).
- Use "FDISK /MBR" to replace the code in the master boot record.
  (This requires the FDISK command from DOS 5 or better.)

We've seen this virus only in Indonesia so far, but that's not *too*
far from you. Of course, the virus that you have may be completely
unrelated to the one I describe here!

- - -- -
/ We have a little garden,          David M. Chess
/ A garden of our own,              High Integrity Computing Lab
/ And every day we water there      IBM Watson Research
/ The seeds that we have sown.

------------------------------

Date: Fri, 17 Dec 93 08:45:45 -0500
From: "David M. Chess"
Subject: Re: Windows viruses? (PC)

Bradley wrote:

>What is the name of that one? The names that I was given are:
> Winvir and Twitch.

I'll have to disagree with Kevin Marcus, or perhaps I just
misunderstood his posting: Winvir does infect Windows executables, but
it does it without using any Windows functions (it just uses DOS calls
to plunk itself into a Windows program in such a way that it gets
executed when you click on it). Twitch, on the other hand, uses lots of
Windows functions, but doesn't actually infect files; it's more a
companion-type virus (after some amount of time, it begins replacing
other windows programs with a copy of itself, and saving the originals
under another name, or something like that). Neither virus has, to my
knowledge, been seen "in the wild", and neither uses an infection
strategy that I would expect to be very successful...

- - -- -
David M. Chess                  | "This chicken has a *very*
High Integrity Computing Lab    |  small opening book!"
IBM Watson Research             |

------------------------------

Date: Fri, 17 Dec 93 18:17:12 -0500
From: MIG@lt.phys.msu.su
Subject: Re: New type of virus, EXE-header infector (PC)

Today I have faced one new and unique virus, which was found in Moscow
State University (Russia). After short investigation I understood that
the virus is new: F-PROT Professional 2.10, SCAN-108 and AIDSTEST 746
cannot identify it.

The technology of the virus seems to be uncommon. It infects EXE
headers. Only headers! The virus does not change EXE file code in any
way and it does not use any DOS functions (only one and only once - to
set itself resident, Int 27h). Infected files are not changed in size.
The virus contains only one string (at viral code end) - '(C)VVM'. I
called the virus "VVM". The virus appeared to be extremely short - 205
bytes, but it is a resident, stealth virus, infecting each accessed EXE
file!

I think that VVM should be regarded as a new type of virus
(additionally to: file, boot, cluster, companion) because:

- the virus does not use any DOS services to infect files, it
  intercepts low-level disk writes (like DIR-II)
- VVM "infects" any disk sector starting with "MZ", because it regards
  it as an EXE header!
- the infection strategy is specific to the MS-DOS EXE file structure;
  this strategy cannot be used to infect real COM files (without EXE
  header)
- VVM uses the DOS quirk that EXE/COM files are processed similarly
  (a feature already used by companion viruses)

In order to find the virus you have to reboot from a clean floppy,
because the virus is stealth. Any integrity checker will find VVM,
because each EXE header will be seen as modified in only one (!) byte
(the third byte of the EXE header is not restored by the virus stealth
routine). With very high probability any EXE starting with the
following three bytes - E9, 30, 01 - is infected with the VVM virus. To
disinfect (quickly) you only need to restore the first two bytes to the
original EXE header signature 'MZ'. Unique signature to find the virus
more reliably: "B4,13,BA,75,02,8B,DA,CD".

The VVM virus conflicts with SMARTDRV (and, probably, other
disk-caching utilities) - infected programs hang with the diagnostics
"Memory allocation error/Cannot load COMMAND". Some users reported that
many lost clusters were found on some infected computers.

Best regards, Igor.

         ))---((
        ((O) (O))
         -/ V \-
       // '' `` \\
      ( | ''' ``` | )
       \| ''' ``` |/
        \ \ .. .. /
 ~~~~~~(((^)))~~~~~~~~~   Igor G. Muttik, Ph.D.
                          Moscow, Russia
                          MIG@lt.phys.msu.su
/~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Fri, 17 Dec 93 20:29:02 -0500
From: topham@access.mbnet.mb.ca (Mark Topham)
Subject: Possible Network Infection (PC)

Posting this on behalf of classmates who do not have Internet access.

Several people have reported the same problem with files on floppy
disks. The students are working with dBase IV v2.0 on a Novell Network.
The problem is simple enough: characters go missing from filenames; of
course this means that dBase gets rather confused and cannot access the
files. ie: CATALOG.CAT becomes CATALOG.AT or something similar. (I
would have checked the files out myself but they renamed them when they
saw the problem.)

simple answers wanted: is there a known virus which does this? If so,
what program will detect this particular virus? (I trust the school's
virus protection methods about as far as I can throw the PC's... which
isn't far because of the security cables...) The school has had MANY
problems with viruses in the past, in several cases the files were
infected on the network itself. (generally the computers are rebooted
between classes)

If instead this is a bug in dBase, or dos or Novell I would also like
to know of any possible solutions.

- -- -
- ---------------------------------------------------------
Mark Topham                    Email: topham@access.mbnet.mb.ca

------------------------------

Date: Fri, 17 Dec 93 21:01:04 -0500
From: df@christa.unh.edu (Daniel Ford)
Subject: What is FScan? (PC)

An earlier discussion of zipped files suggested that F-Prot doesn't
scan them before they're opened. A follow-up suggested that the poster
use FScan. (I think I have this right?)

Okay, I'm willing, but what is it? A program (I can't find it in the
oak virus directory)? A switch for F-Prot (I can't find it in the
manual)?

Thanks - Dan Ford

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 1]
****************************************
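Igor Muttik's post on the "VVM" EXE-header infector gives a defender everything needed for a checker: infected files start with the bytes E9 30 01 where the 'MZ' signature belongs, the code carries the byte string B4 13 BA 75 02 8B DA CD, the quick cleanup is to put 'MZ' back over the first two bytes, and an integrity checker sees the header modified (the third byte is not hidden by the stealth routine). The Python below is an added example written for this digest edition, not code from the posting or from any scanner named in it; the sample images it scans are constructed in memory to have those properties and are not real files, and the function and type names are this example's own. As the post says, the bytes must come from a clean boot, because on an infected system a normal DOS read would show 'MZ' again.

```python
"""Added example: detect and repair the EXE-header infector described in the
VIRUS-L post above. Facts used (first three bytes E9 30 01, code signature
B4 13 BA 75 02 8B DA CD, cleanup = restore 'MZ') come from that post; the
sample images are constructed here and are not real infected files."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

VVM_ENTRY = bytes([0xE9, 0x30, 0x01])                      # replaces 'MZ' + one byte
VVM_SIGNATURE = bytes([0xB4, 0x13, 0xBA, 0x75, 0x02, 0x8B, 0xDA, 0xCD])
MZ = b"MZ"
DOS_HEADER_LEN = 28   # formal MS-DOS EXE header: e_magic .. e_ovno
SAMPLE_LEN = 64       # size of the constructed sample images


@dataclass
class ScanResult:
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.reasons)


def parse_dos_header(image: bytes):
    """Return (e_magic, e_cblp, e_cp) from a DOS EXE header, or None if too short."""
    if len(image) < DOS_HEADER_LEN:
        return None
    return struct.unpack_from("<2sHH", image, 0)


def scan_exe_image(name: str, image: bytes) -> ScanResult:
    """Apply the two indicators from the post to raw bytes read from a clean boot."""
    result = ScanResult(name)
    if image[:3] == VVM_ENTRY:
        result.reasons.append("entry bytes E9 30 01 where 'MZ' is expected")
    if VVM_SIGNATURE in image:
        result.reasons.append("VVM code signature B4 13 BA 75 02 8B DA CD present")
    return result


def scan_images(images: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a name->bytes map and report only the images that were flagged."""
    flagged = {}
    for name, image in images.items():
        res = scan_exe_image(name, image)
        if res.infected:
            flagged[name] = res.reasons
    return flagged


def restore_mz_header(image: bytes) -> bytes:
    """Quick cleanup as the post describes: put 'MZ' back over the first two
    bytes. Only applied when the image actually carries the VVM entry bytes."""
    if image[:3] != VVM_ENTRY:
        return image
    return MZ + image[2:]


def header_diff(baseline: bytes, current: bytes) -> list[int]:
    """Offsets inside the formal DOS header that differ from a stored baseline;
    this is what an integrity checker compares."""
    n = min(len(baseline), len(current), DOS_HEADER_LEN)
    return [i for i in range(n) if baseline[i] != current[i]]


def build_clean_sample() -> bytes:
    """Constructed 64-byte image with a plausible DOS EXE header (not a real file)."""
    hdr = struct.pack("<2s13H", MZ, 0x90, 0x03, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    return hdr + bytes(SAMPLE_LEN - len(hdr))


def build_infected_sample() -> bytes:
    """Constructed image with the indicators from the post: the first three
    bytes replaced by E9 30 01 and the signature placed in header slack space.
    This mimics only those two properties; it is not viral code."""
    img = bytearray(build_clean_sample())
    img[0:3] = VVM_ENTRY
    img[0x20:0x28] = VVM_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    clean, infected = build_clean_sample(), build_infected_sample()
    print(scan_images({"CLEAN.EXE": clean, "SUSPECT.EXE": infected}))
    print("header diff before cleanup:", header_diff(clean, infected))
    print("header diff after cleanup: ", header_diff(clean, restore_mz_header(infected)))
```

The last line of the usage shows why the post says an integrity checker still notices one byte after the quick cleanup: restoring 'MZ' leaves the third header byte at 01, so a baseline comparison of the 28-byte header reports exactly offset 2.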
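Two of the questions in this issue come down to the same design point: Tom Coleman asks how to convince a manager that a library fetched by anonymous ftp is what its author published, and Mike Hanewinckel asks what stops someone from shipping a validation record alongside an infected file so that the scanner trusts it. The Python below is an added illustration, not code from either poster and not a description of how TBAV's anti-vir.dat or any other product on this page works. It binds each validation record to a per-installation secret with a keyed MAC, so a record that did not originate on this installation is rejected and the file is scanned anyway; the contrast function shows that an unkeyed record (just a stored digest) is accepted no matter who wrote it. The keyed-MAC approach is this example's own choice, and all files and keys are constructed in memory.

```python
"""Added example: a file-validation store whose records only validate on the
installation that created them. Design choice of this example (a per-install
secret with HMAC); the digest says nothing about how any real product does it."""
from __future__ import annotations

import hashlib
import hmac
import os


def file_digest(data: bytes) -> str:
    """Digest of the file contents; this alone is what an unkeyed store keeps."""
    return hashlib.sha256(data).hexdigest()


def _tag(key: bytes, name: str, digest: str) -> str:
    # Bind name and digest together under the installation secret.
    return hmac.new(key, f"{name}\0{digest}".encode(), hashlib.sha256).hexdigest()


def make_record(key: bytes, name: str, data: bytes) -> dict:
    """Create the validation record this installation stores for a file."""
    digest = file_digest(data)
    return {"name": name, "sha256": digest, "tag": _tag(key, name, digest)}


def validate_keyed(key: bytes, record: dict, data: bytes) -> str:
    """Return 'ok', 'modified', or 'untrusted-record'.

    A record produced under a different key (e.g. one packed together with a
    file by whoever distributed it) fails the tag check before its digest is
    ever consulted, so it cannot pre-approve the file."""
    expected = _tag(key, record["name"], record["sha256"])
    if not hmac.compare_digest(expected, record["tag"]):
        return "untrusted-record"
    if file_digest(data) != record["sha256"]:
        return "modified"
    return "ok"


def validate_unkeyed(record: dict, data: bytes) -> str:
    """Contrast case: the weak design the question worries about. Anyone can
    write a record that matches the file they ship with it."""
    return "ok" if file_digest(data) == record["sha256"] else "modified"


def must_scan(key: bytes, record: dict | None, data: bytes) -> bool:
    """Policy: skip the scanner only for files this installation validated
    itself and which have not changed since."""
    if record is None:
        return True
    return validate_keyed(key, record, data) != "ok"


def new_installation_key() -> bytes:
    """Fresh secret for an installation; kept out of the shared file tree."""
    return os.urandom(32)


if __name__ == "__main__":
    site_key = new_installation_key()
    program = b"constructed program image"
    ours = make_record(site_key, "TOOL.EXE", program)
    # Constructed scenario: a distributor ships TOOL.EXE with a record they
    # generated themselves under their own key.
    theirs = make_record(os.urandom(32), "TOOL.EXE", program)
    print("own record  :", validate_keyed(site_key, ours, program))
    print("shipped rec :", validate_keyed(site_key, theirs, program))
    print("unkeyed     :", validate_unkeyed(theirs, program))
    print("scan needed :", must_scan(site_key, theirs, program))
```

For the ftp-download case the same idea applies one level up: a digest is only evidence when it comes from a channel the attacker who could alter the archive does not also control, which is why a checksum sitting in the same directory as the archive answers a manager's question no better than a record packed with the file.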