VIRUS-L Digest   Monday, 10 Jan 1994    Volume 7 : Issue 3

Today's Topics:

    Scanners vs Integrity Managers (generic)
    CuD Newsletter
    Michael Lafaro, the truth
    Military implications of computer viruses (Theory & Practicalities)
    Virus signatures
    Liabilities again
    "Good Viruses?"
    Ripper virus alert/warning (PC)
    Possible Windows-specific virus (PC)
    Re: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)
    Cure CPAV Immuninzation? (PC)
    RE: Possible virus (PC)
    My Memory is gone! (PC)
    Cure CPAV Immunization? (PC)
    Form virus on PC (PC)
    Help in removing Monkey virus from hard disk (PC)
    Re: Any reviews of InVircible/V-Care ? (PC)
    Need info on "RIPPER" virus. (PC)
    McAffee SCANV109 finds prob w/MODE.COM (PC)
    SCAN 109 FALSE POSITIVE (PC)
    MBR/FBR viruses (PC)
    Re: Any reviews of InVircible/V-Care ? (PC)
    Re: Freeware distribution of anti-viral software (PC)
    fixutil6.zip - BIOS detection & recovery from BSI viruses (PC)
    diskse24.zip - DiskSecure: Protects hard disk partition table (PC)
    New programs from A. Padgett Peterson
    New(?) Virus
    MAKE MONEY FAST (Humor)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 23 Dec 93 12:15:55 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Scanners vs Integrity Managers (generic)

From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>If you doubt the above, ask the producer how the package protects
>your system against Brain - one of the first IBM PC viruses. Just for
>information, Brain is a diskette-only boot sector infector. If the
>producer says "ah, but we are protecting only your hard disk", ask
>them how their product would protect your hard disk from a virus that
>infects like Brain, but also corrupts only the data files on your hard
>disk and only when they are being modified by DOS.

>BTW, one of the problems with the integrity-based systems is that they
>detect the infection only after-the-fact - which in some cases might
>be too late. Like if you get infected by Michelangelo on March 6. :-)

While Vesselin makes some very good points, this does not mean that *all* integrity management programs are so limited. Pardon me if I use my own software (DS II) to illustrate.

In the Brain example above, the virus infects from a floppy boot. A management system can protect in two ways: by preventing floppy boots in the first place (and providing a means to boot from floppy *after* the management software is in place if necessary), and by preventing the virus (and incidentally DOS) from gaining access to the hard disk should the first line of defense fail.

His second point is not necessarily true either. After DS II loads it prevents writes to the MBR, hidden sectors, and DBR, and prevents formatting (BIOS level) of any part of the disk. If desired this can be extended to any partition or a whole disk. This stops all low-level viruses and droppers that I know of before the fact. It is possible to detect and block the act of infection, not just "after the fact".
This leaves the possibility of a "directed attack" and, by the nature of a "single-state" machine, comes under the "Turing Halting Problem". True, solutions are possible (my "bypass" program illustrates one), but so far I have not seen a real implementation of this. The solution is a separate program that can be invoked periodically to validate operation of the program and to verify that "tunneling" has not occurred. (Of course this also brings up separate second-generation problems such as QEMM "stealth" and 32BitDiskAccess - not insurmountable, just different.)

Hippo Hoppidays.

Padgett

------------------------------

Date: Thu, 23 Dec 93 03:19:27 -0500
From: hqxoos1@ramstein.af.mil (HQ USAFE/XOOS-TEMPEST;480-7984)
Subject: CuD Newsletter

Hi,

I would like to find out if anybody has heard of the CuD Newsletter, which I "hear" is another 'publication' that discusses viruses and other topics. Can anyone tell me how to subscribe to it? And if they have heard of it, what are their opinions about its usefulness?

Thanks bunches.

Dennis Hernit

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dennis S. Hernit                      hqxoos1@ramstein.af.mil
United States Air Forces in Europe    DSN 480-7984
Ramstein Air Base, Germany            +49-6371-47-7984
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Thu, 23 Dec 93 14:59:02 -0500
From: ktark@src4src.linet.org
Subject: Michael Lafaro, the truth

THE GAR writes:

>The 19NOV93 issue of Network World reports that a Michael Lafaro
>has been arraigned under the New York state law against computer
>tampering. The charge was "intentionally infecting a customer's
>network with a business-threatening virus". Nassau County Police
>say that one of Lafaro's employees was ordered to install the
>"virus" in an account-tracking program of a furniture company in
>Westbury NY. This story was reported in NY Newsday.
As usual, the reporters didn't do their homework, but oh well, what can you expect if even people who write for WIRED still think that the military used the 'printer virus' in Desert Storm!! (WIRED #2) This is part of the circle of ignorance around computer viruses drawn by several people with economic stakes in the matter (they shall remain nameless). :)

This is the scoop: Mr. Lafaro is a computer consultant. He did some programming work for the furniture company in Westbury NY. He was not paid the entire amount for his work by the company. He decided to send his techie to install a time bomb that would have disabled the use of his program, displaying a message saying that his program would remain inaccessible until he was paid the remaining money for his services. Mr. Lafaro felt guilty and decided to warn the company about the time bomb. The company contacted the police. Chaos followed and countless idiotic reporters distorted the news.

This is a very interesting story as there are no clear-cut rights or wrongs. Mr. Lafaro was defending his code. He might not have had legal access to his client's computers, but he does have legal rights over his code. Interesting questions arise... I see lawyers everywhere... ;)

ktark@src4src.linet.org

------------------------------

Date: Sat, 25 Dec 93 17:06:48 -0500
From: Sajid.Rahim@p3.f6.n7105.z5.fidonet.org (Sajid Rahim)
Subject: Military implications of computer viruses (Theory & Practicalities)

Hello all,

I have come across so many articles which mention the use of "non-lethal" methods of combat, whereby the military authorities have decided to employ replicating code against enemy defence installations in order to render the opposition's integrated electronic defence network useless. Rumour was rife during Desert Storm that the allied units had used some type of this system to bring the Iraqi electronics system to its knees. Well, it is pretty clear that it was just a hoax.
However, considering that most countries in the world tend to import their defence equipment, especially electronics, the probability that backdoors in all these systems might be used to house such deliberate bugs brings this type of conflict closer to being a reality. To illustrate the last statement with an example from Desert Storm: the Iraqi air force's Mirage F1C fighters' air-to-air combat radar systems had certain deliberate flaws whose details were handed over to the allied forces in order to turn the tables around. One has to keep in mind that we are assuming that the basis of the electronic network is the integrated chip and not the vacuum tube technology, quite a lot of which is in use by the Russian forces.

Avid followers of Star Trek might recall that in the episode called "Borg" a similar method was considered in order to destroy a civilization comprising compu-organic beings. The trick was to insert an unsolvable problem which would increase in complexity once an analysis was begun by a Borg; more and more resources would be diverted to solving it, leading to the slow destruction of the civilization. One would wonder as to what the replicating mechanism would be. The Borg civilization does not consist of individuals but of masses of groups who are constantly involved in group thinking. The trick here was that the Borg would be returned to its hive and the collective thought process would distribute the puzzle-cum-virus, thus crumbling the civilization. A pretty clever notion.

A parallel could be drawn to the Internet worm, whose actions were in a way related to draining the resources of the infected machine by wasting time replicating the code. However, the Internet worm did demonstrate the ability to move across certain types of platforms. A similar method would be the basis upon which the military application would work.
It is a fact that most, if not all, military electronic equipment is capable of interfacing with each other based upon a standardised protocol. This could very well be exploited in great detail. Questions are definitely going to arise relating to how the virus would survive; whether there would be only one virus or several, each pertaining to a specific piece of equipment but all able to relate to one another; what the trigger mechanism would be; whether it might be called a trojan rather than a virus, waiting to be activated; etc.

It is clear that there is a new frontier opening up in any advanced armed force as part and parcel of the electronic warfare section. Gone are the days when jamming, ELINT and SIGINT formed the fundamental keys in electronic warfare. This means that this new type of warfare will play an equal if not greater role in the future, thus being a force multiplier.

PS: I would appreciate any comments on this matter. I am working on a paper outlining the future of this type of warfare, i.e. its merits, flaws and possible repercussions on society as a whole, given the fact that it is just a program and, as we all know, there is no perfect program.

Sincerely
Sajid

PS: I can also be reached on the Internet at the following address:
sajid@oris.ru.ac.za
Sajid.Rahim@p3.f6.n7105.z5.fidonet.org

There is a slight problem with the mail getting through to the fidonet via the Internet at the moment, thus please stick to the oris address.

- --
INTERNET: Sajid.Rahim@p3.f6.n7105.z5.fidonet.org
via: THE CATALYST BBS in Port Elizabeth, South Africa. (catpe.alt.za)
+27-41-34-2859, V32bis & HST.

------------------------------

Date: Sat, 25 Dec 93 18:05:54 -0500
From: ghosh@cs.pitt.edu (Sunondo Ghosh)
Subject: Virus signatures

I'd like to know if there are any sources (commercial or otherwise) of all known virus signatures.
Thanks,
Sunondo

------------------------------

Date: Mon, 27 Dec 93 16:55:03 -0500
From:
Subject: Liabilities again

Hi all,

I was recently preparing two lectures about computer viruses, one for students, the other for people in business/industry. Although one could say it is one and the same text, I would say it is not. First, the students wanted to know everything about, shall we say, the technical side of viruses and what the new trends in virus writing and a-v protection are; they were willing to exchange viruses with me after the course, etc. It might be that some of them will try to write a virus out of pure curiosity. The other lecture is something else, of course. The people from business/industry using PCs will probably prefer (I haven't given that lecture yet) to know the extent of the damage a virus can do and what the best way of protection is. They certainly will not be interested in how to write viruses, but rather in how to remove them and repair eventual damage.

It brings me to the recent discussion about liabilities. Many arguments and "arguments" were made pro and con good/bad usage of viruses and good/bad guys. I would say we should first see who is who in the whole story and what viruses we are actually talking about.

1. I assume that most of the discussions on this forum refer to the "population" of PC viruses created in the last 5 years (roughly). The operating system concerned is DOS (maybe the discussion can be extended to the Novell Netware environment). In what follows they will be called viruses.

2. Bad (or "bad") guys/girls. I don't have a precise sociological analysis of what kind of people (age, profession, degree of education, etc.) write viruses and establish Virus Exchange BBSs. From my (incomplete) knowledge, I would say that most of them are students of adolescent age (probably not very different from the students attending my speech).
As for their motives to write and exchange viruses, they may be: curiosity, temporary frustration with somebody or something (e.g. a professor in school), the usual tendency of young people of adolescent age to oppose everything and everybody, i.e. to behave as rebels (it is a normal stage when somebody is growing up, but as soon as we get out of this stage we forget it), etc. The exchange of viruses I see as a normal wish to exchange software among the members of the same group of software authors/users. Maybe it could be said that those people are slightly deviant, because they probably know that some viruses can cause damage in some environments, and some of them write viruses with the intention of doing damage, e.g. by destroying data. However, I don't dare to classify all of them as criminals. Not yet. The most I can say is that they are irresponsible or simply "kids with problems" (whatever their real age).

3. Victims - this is a wide group of people using PCs. I agree that in some environments just the appearance of a virus on some PC can cause significant damage. The most cited example is a virus writing a message on the screen of a PC in a hospital life-support environment. In some company the loss of important data may be catastrophic. On the other hand, some computer hobbyist may find the presence of a virus on his PC amusing and keep it as a "pet virus". Not every PC user is equally "endangered" by computer viruses, which is often neglected. When talking about damage one could state the environment and the degree of damage in that environment.

4. Good (or "good") guys/girls - people producing anti-virus products or dealing in some way with anti-virus stuff (research, evaluation of a-v products, hobby, etc.). Their reasons for doing such a job are probably, to the greatest extent, to make a profit from their products/evaluations/research. Then it could be an interesting field of research for getting an academic degree.
Some of the reasons to choose this particular field might be as in the first group of "bad" guys/girls, i.e. frustrations of different kinds. I would say there is no special reason to call this group of people "good". Those are simply people doing their job.

Well, after all we should look at what the virus/anti-virus picture is today. Maybe I will oversimplify, but roughly it is: "good" guys/girls are fighting against "bad" guys/girls to protect "victims" (or more exactly "poor innocent victims"). Is that really so? Or maybe the question is: who benefits from that picture? In the first place - a-v producers, because it is part of marketing, i.e. exaggerations in the representation of the "virus danger" sell the product better. Of course, other a-v people (including me) can also find this picture useful to justify (and charge for) their work. To some extent, the virus writers also get satisfaction in the period when they are dealing with virus writing, because they get a kind of "negative glory" (never mind, for an adolescent person looking for confirmation of his/her immature ego, glory is glory - some mystification, such as using false names, adds more flavour to it). All this noise is also useful to the future generation of real criminals who can learn a lot (not only about viruses, but also about still inadequate legislation), while staying in the background and keeping quiet.

Who is disadvantaged by this picture? Well, mostly the "victims", who can only be confused by heaps of information/disinformation about computer viruses and anti-virus products. They usually get an exaggerated and chaotic picture of how dangerous viruses can be and how bad the people writing them are, while any a-v product is represented as salvation.
What they don't get from articles in newspapers, courses, advertisements and possibly from this forum is real information about how to protect -their- systems in -their- working environment and what the real degree of danger is in -their- environment, not in some general space/time/society.

Of course, the minority of researchers who dare to think that viruses can be used for something useful (not defining now what is really useful) are disadvantaged by statements of the kind "all viruses are bad, because they exist".

[Yes, Karl, I agree with you on some points, only I don't know what the purpose of your arguing is. If you really want to point out that not -all- viruses will cause damage in -all- environments and if you wish to do some serious work, e.g. a study of epidemiology, I will be glad to help you in that and explain how to investigate such things in an isolated and controlled environment. But if you only want to justify writing viruses which you know are harmful in some environment and to provoke people here, then you are nothing more than just another frustrated kid making noise, and it would be better to stop wasting bandwidth here. You decide what you want to be.]

What are the final conclusions? To stop the unnecessary wasting of bandwidth with discussions of who are the "bad"/"good" guys/girls and whether viruses can be good or bad, I propose turning the discussion back to the question of virus definition. This time from the legal point of view. I announced some time ago the contest for the best virus definition in different categories. While the response in the technical categories was more than good, the response in the ethical and legal categories was almost zero. [I would like to thank everybody who participated, and the technical jury for their hard work, and to apologize to those who asked me what happened with the contest - I will present the results in the near future, I hope].
As I can see from the discussions here, the legislative/ethical problems with viruses are still topical. I don't dare to discuss ethical problems in detail, because I feel that ethics is fairly subjective for every individual, dependent on his/her education, culture, country, etc. Anyway, I am still interested in legal problems. The few laws I have seen are in my opinion still vague. What I see as a serious flaw in that subject is the non-existent cooperation between technical people and lawyers in defining "malicious software". I think that it should be stated precisely where (in which environment), when (at which time, e.g. specific working hours) and why some software (virus or not) is causing damage. Also, what degree of damage is punishable (losing important data in a bank is not the same as losing games or letters on some PC at home, although they can be caused by the same piece of software). Then, what can be used as evidence in court (on a damaged computer the traces can be lost) and so on. When having a clear definition, it is easier to conclude who is responsible for the damage, whether the person spreading/entering such a piece of software or the person who wrote it.

I hope some questions will be answered here.

Cheers,                   __________________________
                         | We wish happy New Year   |
Suzana                   | and life in peace to     |
                         | all "good" and "bad"     |
                         | guys and girls.          |
                         |__________________________|

- ---------------------------------------------------------------------------
Address:                                  e-mail addresses:
Suzana Stojakovic-Celustka                celustka@sun.felk.cvut.cz
Department of Computers                   celustkova@cs.felk.cvut.cz
Faculty of Electrical Engineering         celust@cslab.felk.cvut.cz
Karlovo namesti 13
12135 Prague 2                            phone : (+42 2) 293485
Czech Republic                            fax   : (+42 2) 290159

------------------------------

Date: Thu, 30 Dec 93 10:37:08 -0500
From: Brian Seborg
Subject: "Good Viruses?"
It's been quite a while since I last felt compelled to post to Virus-L, but I thought that recent discussions regarding the legality of viruses and liability were interesting enough that I'd like to jump back into the fray.

There has been much discussion on how common large-scale network infections are. I would say that they probably happen to a large corporation at least twice before they are effectively controlled. My own experience has included infections of 4 servers, 8 servers, 11 servers, and 4 servers. The viruses encountered were (in order) Jerusalem, Jerusalem, Pegg, and a mixture of Jerusalem (primary), 4096, Green Caterpillar, and Copyright respectively. In the last two infections (11 servers and 4 servers) I merely list the number of infected servers; however, it is noteworthy that in determining the extent of the infection and in recovering from the viruses, over 30 servers had to be checked in the first case and 40 in the second. During the scanning procedure an enormous number of users had to be shut out of applications to prevent them from potentially being infected and to prevent (in some cases) the re-infection of the network applications by users. Each of these events took over a day to recover from completely, since even after the network is cleaned, each individual workstation has to be checked for potential infection (this can be done in an automated fashion, but not if the virus is a "fast-infector" and is likely to be RAM resident, as is the case with Pegg). Once a virus is found on an individual workstation, one must take the time to personally visit the workstation to ensure that it is cleaned properly, and that diskettes are scanned to ensure against re-infection. All this takes time, costs money, and reduces the capability of employees using the network to get work done.
Additionally, in the cases I have cited, we would generally agree that the viruses mentioned are (for the most part) benign (Jerusalem and 4096 can cause problems, but only under certain conditions). So, if these viruses are benign, then (with the exception of Jerusalem) they are not destructive, right? Wrong! How many of us would be willing to say "Well, we are infected with the Pegg virus, it's benign, so we'll just accept it and not bother to disinfect the system."? No one! Therefore, we have to waste time to disinfect any virus that enters our environment. Worse, if we have a large inter-connected network and people detailed to still other sites, we have to spend a large amount of time just scanning to find perhaps one infected file. How long does it take to scan a gig drive? How about 40? How about 500 hard drives in 500 PCs? Get the picture? It's expensive! 500 users down for about a day and a half, system administrators pulling overtime and wasting entire days scanning drives and servers. We're talking about tens of thousands of dollars. We estimate that one infection we encountered, where over 500 users were affected, 11 servers (30 having to be checked), 120 PCs actually found infected, down-time 1.5 days, cost a low of $70,000 to a high of $140,000 in time spent, overtime, lost productivity, and recovery.

So, what is the moral? Network infections do happen, and I would suspect that many corporations have had them, although they obviously have a disincentive to talk about them. They will likely happen only about twice before adequate procedures are in place. If a new virus gets by a scanner, these infections will happen at least two more times before additional procedures are put in place. There is NO SUCH THING AS A NON-DESTRUCTIVE VIRUS, PERIOD!!!!! If even the most benign virus gets out of the lab, it's a problem. Who's liable? The distributor of the virus, can you find him/her?
Even if I do put a disclaimer, there is such a thing as strict liability, and even if it is not applicable to software like computer viruses, you can disclaim all liability, but this does not mean that you do not have any liability!

I hope this adds some real-world perspective to the discussion.

Brian Seborg
VDS Advanced Research Group

------------------------------

Date: Wed, 22 Dec 93 06:25:26 -0500
From: adam@lbs.lon.ac.uk (Adam S. Nealis)
Subject: Ripper virus alert/warning (PC)

Here at LBS over the last 2 weeks, we have been eradicating a relatively new virus called (Jack_The_)Ripper. The virus got through our defences. Apparently it is confined mostly to the UK at present. It is also known to the virus newsgroups.

As far as we know, it lives in the boot sector of floppies and hard disk partition tables, and infects four DOS files:

    FORMAT.COM
    SYS.COM
    MORE.COM
    UNFORMAT.COM

We think it tries to appear innocuous until the sixteenth reboot, when it will reformat your hard drive.

At the moment, we are only aware of these anti-virus packages which will detect and/or disinfect effectively:

    F-PROT
    Dr Solomon's Anti-V Toolkit

Our procedure at present for detection/prevention is something like:

1. Run F-Prot in full screen mode and clean the master boot sector.
2. Run Cleanpar from the Dr Solomon Toolkit to repair the partition.
3. Make sure autoexec.bat loads Guard and Findviru.
4. Use Dr Solomon's CLEANBOO to clean floppies.

NB CPAV does not detect Ripper at present.

adam@lbs.lon.ac.uk

------------------------------

Date: Thu, 23 Dec 93 15:46:23 -0500
From: gooley@netcom.com (Mark. Gooley)
Subject: Possible Windows-specific virus (PC)

I started up Windows 3.1 this morning to find that it could read no group configuration files except the one for Games -- it claimed that the others were corrupted. In a fit of pique I deleted the entire Windows directory (I had little in there apart from what came on the Windows floppies) and tried to re-install -- the installation failed.
I installed the anti-virus software from IBM's PC-DOS 6.1: running IBMAVD gave the message "Stack overflow!" and IBMAVSP hung after the initial banner. On reboot, CONFIG.SYS was full of errors, some being reported on impossibly large line numbers. Changing the STACKS line in CONFIG.SYS didn't cure the stack-overflow message. I had recently bought a new SCSI drive, so I booted the machine off the old one, installed the PC-DOS antivirals, and scanned both the old disk and the putatively infected one -- nothing showed up.

The only Windows code that I think could be the source of an infection is a version of Wintach that was posted, uuencoded, to one of the comp.ms-windows groups -- from an Italian site, if memory serves. I haven't run any other Windows freeware or shareware except the xnot emacs and some ET4000 drivers.

Mark.
gooley@netcom.com

------------------------------

Date: Thu, 23 Dec 93 01:36:14 -0500
From: carterm@spartan.ac.BrockU.CA (Mark Carter)
Subject: Re: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)

Allen Taylor (ALLENTAYLOR@delphi.com) wrote:
: why not use ThunderByte? I find its options are more than enough to
: accommodate highmem concerns.

I use Thunderbyte for scanning (the speed can't be beat), but for my TSR I use Virstop. It's much simpler just to put Virstop /warm /boot in my config.sys than to load tbdriver and 3 or 4 other utilities... Besides, on my 286 Virstop uses less memory than anything else.

I wouldn't mind finding out exactly how the signatures in Virstop are chosen, though... are they basically the Quickscan signatures? A mix of Quickscan and Heuristic signatures (or rules, in the latter case I suppose)?

Anyway, considering that I view my TSR as merely the first line of defense, used mostly to prevent accidents due to carelessness (forgetting to scan, for instance...), I consider Virstop the product that best meets my needs.
Mark

------------------------------

Date: Thu, 23 Dec 93 18:56:54 -0500
From: Thom Kerr
Subject: Cure CPAV Immuninzation? (PC)

Hi folks;

My fiancee purchased a second-hand PC clone that came with CPAV loaded. For curiosity's sake she used the IMMUNIZE option. Now the machine will not boot up off the hard drive. We don't have any CPAV documentation and the online help files are missing.

The machine is running MS-DOS 5.0; no Windows. I've checked datemarks on the DOS files: COMMAND.COM, IO.SYS, and MSDOS.SYS. They do not appear to have been updated. Also CONFIG.SYS and AUTOEXEC.BAT seem to have no unusual contents.

Any suggestions?

Thanks oodles ...

--------------------------------------------------------
| "Hey, hey, hey. Don't be cruel. Let's not be cruel.  |
| 'cause, .... no matter where you go, there you are." |
|                                        - B. Banzai - |
--------------------------------------------------------
kerrt@cgsvax.claremont.edu

------------------------------

Date: Sat, 25 Dec 93 09:13:42 -0500
From: Marilyn Scott {CMSD}
Subject: RE: Possible virus (PC)

Many thanks to everyone who took the time to answer my query both through Virus-L and via Email. The consensus was that either Windows SMARTDRV write caching was the culprit or the Ripper virus (which has just been found on campus - sigh!).

Seasons greetings and a happy new year to all,

Marilyn

- ---------------------------------------------------------------------------
Marilyn Scott, Computing Adviser
University of Stirling, Stirling FK9 4LA, SCOTLAND
Phone: (+44 786 46) 7269
- ---------------------------------------------------------------------------

------------------------------

Date: Sat, 25 Dec 93 10:24:08 -0500
From: ai806@FreeNet.Carleton.CA (Andrew Belo)
Subject: My Memory is gone! (PC)

I had a virus called something like pc-pcs or something like that; it was in my command.com and detect files along with some other non-important stuff.
I have cleaned them off but now I can't run programs that need more than about 1 meg of RAM.

HELP ME PLEASE. PLEASE RESPOND VIA E-MAIL.

------------------------------

Date: Sun, 26 Dec 93 20:31:00 -0500
From: Thom Kerr
Subject: Cure CPAV Immunization? (PC)

Hi folks;

My fiancee purchased a second-hand PC clone that came with CPAV loaded. For curiosity's sake she used the IMMUNIZE option. Now the machine will not boot up off the hard drive. We don't have any CPAV documentation and the online help files are missing.

The machine is running MS-DOS 5.0; no Windows. I've checked datemarks on the DOS files: COMMAND.COM, IO.SYS, and MSDOS.SYS. They do not appear to have been updated. Also CONFIG.SYS and AUTOEXEC.BAT seem to have no unusual contents.

Any suggestions?

Thanks oodles ...

--------------------------------------------------------
| "Hey, hey, hey. Don't be cruel. Let's not be cruel.  |
| 'cause, .... no matter where you go, there you are." |
|                                        - B. Banzai - |
--------------------------------------------------------
kerrt@cgsvax.claremont.edu

------------------------------

Date: Tue, 28 Dec 93 10:00:49 -0500
From: eraath@lmera.ericsson.se (Anders Trosell JL/OD)
Subject: Form virus on PC (PC)
Keywords:

We have big problems with a virus called FORM. I want information about this virus. How does it infect? Where does it come from? etc.

/Anders Trosell

------------------------------

Date: Wed, 29 Dec 93 01:48:23 -0500
From: warrenw@tekig6.pen.tek.com (Warren Woo)
Subject: Help in removing Monkey virus from hard disk (PC)

I used scan109 and F-prot 2.10c to detect the virus.
F-prot and killmonk.exe appear to have gotten rid of the virus from my floppies (clean109 does not work), but I am having difficulty in removing the virus from my hard disk. I booted a clean version of MS-DOS 6.2 from the floppy and attempted to run F-prot, but it won't recognize the existence of the C: drive. I have read in past postings about using FDISK /MBR to get rid of boot sector viruses, but will this work if I can't access the C: drive? What's the best way to permanently kill this virus? And is it possible to remove the virus without having to restore the whole hard drive?

Thanks in advance.

Warren
warrenw@tekig6.pen.tek.com

------------------------------

Date: Wed, 29 Dec 93 09:33:24 -0500
From: amirg1@ccsg.tau.ac.il (GOL AMIR)
Subject: Re: Any reviews of InVircible/V-Care ? (PC)

Chua Keng Ngee (isc00272@leonis.nus.sg) wrote:
: Well, I can only point out an oddity I discovered after install.exe has
: finished the installation.
: The size of files inoculated by CPAV were decreased by 5 bytes. Is this
: normal ? I use Stacker 3.0, Dos 5.0, and InVircible version 5.01.

It's a bug in InVircible. When CPAV/TNT "immunize" a file, they append a short CRC-checking code to it, and a 5-byte MSDOS signature, to fool some virus (a variant of Jerusalem, as far as I remember). When the scanning module of InVircible detects a file with the CPAV/TNT "immunization" code, it removes that MSDOS signature automatically, without asking for user confirmation, without any notification and without even updating its own signature database. Naturally, the next time you scan that directory, all "immunized" files will be 5 bytes shorter. Just regenerate the signatures for that directory, and you should have no more problems with it.

: and is 5.01 the latest version ?

The latest version is 5.04A.

BTW, sorry for that last post, it's been a while since I last used VI...

Amir Gol (I)

------------------------------

Date: Wed, 29 Dec 93 15:33:41 -0500
From: "Charles R.
Milam - UW-Oshkosh"
Subject: Need info on "RIPPER" virus. (PC)

Greetings All,

I'm a microcomputer technician with Academic Computing at the University of Wisconsin-Oshkosh. We recently encountered the "RIPPER" virus, both in student IBM PC labs and shared student/faculty machines. The only software that was able to detect and clean this virus was F-PROT 2.10C (December 1993). It should be noted that this virus infected both bootable and _non-bootable_ fixed and floppy disks. "Ripper" shows up in F-PROT's listing of new viruses, but there's no information available on it. Does anyone have any information/experience with this particular virus? What damage does it do (besides messing with Windows 3.1's 32-bit disk access)? Is it a time bomb? If so, when does it "detonate"?

Thanks,
Charles R. Milam
University of Wisconsin-Oshkosh Academic Computing
(414) 424-2309
milamc@vaxa.cis.uwosh.edu
milamc@oshkoshw.bitnet

------------------------------

Date: Thu, 30 Dec 93 15:53:18 -0500
From: Rich Chong
Subject: McAfee SCANV109 finds prob w/MODE.COM (PC)

I just got SCANV109.ZIP off of oak.oakland.edu and started a scan on a few of my systems. On a DOS 3.3 system, it finds 1008drop in MODE.COM. I don't have a reference copy of the old MODE.COM. Does anyone know if this could be real for me, or just a known false alarm? No other files were flagged as sick.

Thanks
rich

------------------------------

Date: Fri, 31 Dec 93 09:43:14 -0500
From: Martin@salig.demon.co.uk (Martin Overton)
Subject: SCAN 109 FALSE POSITIVE (PC)

We have stumbled across a 'false positive' when using the /A option with SCAN 109 on PCs with IBM DOS 3.3. This may also affect other 3.3 versions of MS-DOS and its derivatives. The 'false positive' is the MODE.COM file, and SCAN 109 reports that it contains the 1008-B Dropper [1008Drop] virus. If the /A (Scan ALL Files) switch is not used no 'false positive' is experienced.
This has been reported to McAfee in the States, but they say they have not had this 'bug' reported previously. They also mentioned that they had NOT tested 109 on a PC with IBM DOS 3.3. This caused a serious problem for our company, as up to 500 users will be told their PC is infected by a virus.

!!! BE WARNED !!!

I hope this will stop others having problems with 109.

- --
- --+
Martin Overton           |Compuserve: 100063,1161
PC Technical Specialist  |Internet  : Martin@Salig.Demon.Co.Uk
Tel: +44 (403) 231937    |"Beam me up,Sooty!"

------------------------------

Date: Sat, 01 Jan 94 00:30:26 -0500
From: uttsbbs!steven.hoke@pacbell.com (Steven Hoke)
Subject: MBR/FBR viruses (PC)

TO:ALL

A. PADGETT PETERSON was heard to say to ALL on 12-13-93:

AP>Once more I am seeing an incredible number of people talking about
AP>not being able to use FDISK/MBR for MBR viruses (usu because they
AP>still do not have DOS 5) and SYS not working for floppies. This is
AP>exactly why I wrote the FixMBR/FixFBR pair of FREEWARE programs (now
AP>in FixUtil6). True there are other commercial versions (with the
AP>logo of the purchaser and some other options) but the basic
AP>capability is there for the effort of a downloaded .ZIP.

Could you explain in non-technical terms what these utilities do? I know how to use FDISK, and FDISK /MBR, but I'm not exactly certain what the MBR contains. I *believe* it contains the boot sector and the partition table, but since I've never worked with these manually with an editor for any reason, I wouldn't know one if it was in front of me. I take it that FixMBR will save the MBR and can restore it from an archived copy. From the documentation, it looked like it was replacing the MBR (or the boot sector?) with its own record, and you saved a copy of the original off line. Is that correct?
One question then is: can you restore the original MBR, i.e., remove FixMBR to leave the system as if it had never been installed, or if you restore the MBR, are you restoring the MBR modified with the installation of FixMBR? If there was nothing wrong with the system, and you simply did FDISK/MBR, would the system be restored to its original state?

A similar question is: do you know what TBAV's TBUTIL does? It *sounds* like it's doing something similar, but I don't know if it's doing the same function. I know if you install TBUTIL, when you boot, you get a message giving the results of its internal checking of the modified boot sector, and after it checks OK, then you get the message "Starting MS-DOS". There is also the provision to remove the modified boot sector through either its own utility or with FDISK/MBR. Is this similar to what FixMBR is doing, in what it's modifying?

I'd rather know exactly what the different available utilities do before choosing one and using it, and certainly before I *have* to use it to restore a system. Since I've been hit by a virus before, and lost a logical partition to it in its removal several years ago (Stoned on a system using MS-DOS 3.3 and Disk Manager partitioning), I know how valuable recovery information is before the fact.

AP>Along the same lines DiskSecure II v2.4 should be out this weekend
AP>with a major change: It will now be free to individuals (though a
AP>postcard would be nice) and otherwise available only on a site
AP>licensing basis. See the .DOCs for details.

What does DiskSecure II do, and where could I find it? Even though I'd seen messages on FixMBR for some time, I never saw it on any BBS until about a week ago. I'd prefer a dial-in BBS rather than an FTP site if you know of one, as my internet access is through UUCP and I only have message access.

steven.hoke%uttsbbs@ness.com
- -=Steve=-
- --- CmpQwk 1.40b #408 . Milk of Amnesia: For when you need to forget.
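Steve asks what the MBR actually contains and what a save/restore utility is putting back. As an added illustration (not code from FixMBR, DiskSecure, TBUTIL or anything else announced in this digest), the Python below lays the sector out the way the BIOS reads it: 446 bytes of bootstrap code, a 64-byte table of four 16-byte partition entries, and the 0x55AA signature in the last two bytes. It records a baseline hash of the code and table regions separately, re-checks a later copy of the sector against that baseline, and shows why FDISK /MBR, which rewrites only the bootstrap code and keeps whatever partition table it finds, is enough for an infection that replaced the code alone but not for one that also scrambled the table, which is what a clean floppy boot that can no longer see C: (as in the Monkey question earlier in this issue) points to. The sample sector and both tampered copies are constructed for the demo; a real check would read the first sector of the physical disk, and any device path you use for that is your own assumption, not something the page gives.

```python
# Added illustration, not code from FixMBR, DiskSecure or any product on the page.
# Sample sector constructed by hand; a real one is a raw read of the disk's first sector.
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446        # bytes 0..445: bootstrap code, the part an MBR virus replaces
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow the code
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510      # the sector ends in 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"

@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int            # e.g. 0x06 = FAT16 under DOS 5
    lba_start: int
    sector_count: int

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries, validating length, status bytes and signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0:
            continue        # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts

def can_parse(mbr: bytes) -> bool:
    """True if parse_mbr accepts the sector; a scrambled table fails here."""
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False

def fingerprint(mbr: bytes) -> dict:
    """Hash code and table separately so a later check can say which one changed."""
    return {"boot_code": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "part_table": hashlib.sha256(mbr[PART_TABLE_OFFSET:SIGNATURE_OFFSET]).hexdigest()}

def check(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read sector with the stored baseline; [] means unchanged."""
    findings = []
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    now = fingerprint(mbr)
    if now["boot_code"] != baseline["boot_code"]:
        findings.append("boot code changed")
    if now["part_table"] != baseline["part_table"]:
        findings.append("partition table changed")
    return findings

def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """What FDISK /MBR does: fresh bootstrap code, partition table and signature left as found."""
    if len(clean_code) != BOOT_CODE_SIZE:
        raise ValueError("boot code must be 446 bytes")
    return clean_code + mbr[BOOT_CODE_SIZE:]

def build_sample_mbr() -> bytes:
    """Constructed sample: NOP-filled boot code and one bootable FAT16 partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x28", 63, 81920 - 63)
    return b"\x90" * BOOT_CODE_SIZE + entry + bytes(PART_ENTRY_SIZE * 3) + BOOT_SIGNATURE

def overwrite_boot_code(mbr: bytes) -> bytes:
    """Constructed tampering: replace only the code region and leave the table alone."""
    return b"\xcc" * BOOT_CODE_SIZE + mbr[BOOT_CODE_SIZE:]

def scramble_partition_table(mbr: bytes) -> bytes:
    """Constructed tampering: replace the code and XOR the table so the entries no longer parse."""
    table = bytes(b ^ 0x5A for b in mbr[PART_TABLE_OFFSET:SIGNATURE_OFFSET])
    return b"\xcc" * BOOT_CODE_SIZE + table + mbr[SIGNATURE_OFFSET:]

if __name__ == "__main__":
    original = build_sample_mbr()
    baseline = fingerprint(original)        # store this and a raw copy of the sector offline
    clean_code = original[:BOOT_CODE_SIZE]
    print(parse_mbr(original))
    infected = overwrite_boot_code(original)
    print("code overwritten:", check(infected, baseline))
    print("code-only repair:", check(rewrite_boot_code(infected, clean_code), baseline))
    hidden = scramble_partition_table(original)
    print("table scrambled:", check(hidden, baseline), "parseable:", can_parse(hidden))
    print("code-only repair on scrambled table:", check(rewrite_boot_code(hidden, clean_code), baseline))
```

The point of hashing the two regions separately is diagnostic: "boot code changed, table intact" is the case a code-only rewrite fixes, while "table changed" means only a saved copy of the whole sector will get the partitions back, which is why the archived copy Steve describes matters more than the replacement boot code itself.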
- ----
+------------------------------------------------------------------------+
| The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)|
| Danville, California, USA. 1.5 GIG Files & FREE public Internet Access |
+------------------------------------------------------------------------+

------------------------------

Date: Sun, 02 Jan 94 09:52:57 -0500
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: Any reviews of InVircible/V-Care ? (PC)

Bontchev writes:

> doesn't adopt it - then it is weaker than a combined system. If the
> product mentioned by you relies on integrity checking alone, I can bet
> you that (a) I can design a virus that will be able to infect a system
> infected by it and pass unnoticed (actually, I'll probably be able to
> invent 3-4 different ways to bypass the system, but I am making a safe
> bet ) and (b) it doesn't protect against at least some of the
> already existing viruses.

(a) goes for all anti-viral software, whether it is a scanner, IC, monitor or anything else. A software-only solution can always be bypassed if targeted. It does not help to combine all known anti-viral techniques, as long as it is applied in software alone, so I don't understand Bontchev's point here.

(b) is a safe assumption since integrity checking against file infectors can never be made 100% secure as long as you are using a real-mode operating system like DOS.

> If you doubt in the above, ask the producer how the package protects
> your system against Brain - one of the first IBM PC viruses. Just for
> information, Brain is a diskette-only boot sector infector. If the

It is quite possible to make a generic integrity checker that protects against Brain, without the use of scan-strings. My own program does this. The memory can be checked for integrity much like the hard disk is checked, by looking in the right places.
> BTW, one of the problems with the integrity-based system is that they
> detect the infection only after-the-fact - which in some cases might
> be too late. Like if you get infected by Michelangelo on March 6. :-)

Powering up your machine on March 6 with a Michelangelo-infected floppy, on a machine that permits floppy boots, cannot be avoided by any software-based antivirus technique. Not even a scanner able to catch ALL known and unknown viruses would be of ANY help at all in this scenario...

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Thu, 23 Dec 93 07:39:29 -0500
From:
Subject: Re: Freeware distribution of anti-viral software (PC)

Frisk writes:
> The products that currently use my [F-PROT] "engine" are:
>
> F-PROT shareware (Frisk Software)
> F-PROT Professional (Command Software, DataFellows and PerComp)
> Virus Alert (Look Software)
> VirusNet (SafetyNet)

Seems to me you've forgotten at least one: ASP Integrity Toolkit

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Sun, 02 Jan 94 11:48:17 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: fixutil6.zip - BIOS detection & recovery from BSI viruses (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

pub/msdos/virus/
fixutil6.zip    BIOS detection & recovery from BSI viruses

FixUtil6

FixUtil6 is a collection of utilities for prevention, detection, and repair of low-level virus damage and other corruption. Included are the NoFBoot utilities which prevent accidental floppy disk booting, the CHK utilities which validate various aspects of the system, and FixMBR/FixFBR which will repair viral damage to the MBR of a hard disk and the DOS Boot Record on floppies and replace the initial boot code with a more sophisticated program.
The FixUtilities are copyrighted FreeWare and there is no charge for their use by individuals - custom logos/features/switches are available on site licenses.

Uploaded by the author.

Padgett
- - -
A. Padgett Peterson
padgett@tccslr.dnet.mmc.com

------------------------------

Date: Sun, 02 Jan 94 11:48:11 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: diskse24.zip - DiskSecure: Protects hard disk partition table (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

pub/msdos/virus/
diskse24.zip    DiskSecure: Protects hard disk partition table

DiskSecure v2.4

DiskSecure II is a BIOS-level antivirus program for Intel platforms that combines integrity management with BIOS definitions. It uses multiple redundancy to detect/block/remove MBR and DBR infections. DS II is also the only known antivirus program that will also block MBR "droppers". Used in conjunction with a BIOS that selects booting from the hard disk only, it will provide complete protection against low-level infections. DiskSecure II is compatible with Novell Netware for use on Novell servers. Provision is also made for booting from a standard floppy disk following authentication. It also includes a simple access control (password) mechanism that cannot be bypassed by DOS 6 F5/F8.

DiskSecure II is copyrighted FreeWare (no charge for individual use) - custom logos/features/switches are available on a site/corporate license basis.

Uploaded by the author.

Padgett
- - -
A. Padgett Peterson
padgett@tccslr.dnet.mmc.com

------------------------------

Date: Sun, 02 Jan 94 17:53:50 -0500
From: HAYES@urvax.urich.edu
Subject: New programs from A. Padgett Peterson

Hi fellow netters, and happy new year to all.

Just received from A. Padgett Peterson the following programs:

DiskSecure v2.4

DiskSecure II is a BIOS-level antivirus program for Intel platforms that combines integrity management with BIOS definitions.
It uses multiple redundancy to detect/block/remove MBR and DBR infections. DS II is also the only known antivirus program that will also block MBR "droppers". Used in conjunction with a BIOS that selects booting from the hard disk only, it will provide complete protection against low-level infections. DiskSecure II is compatible with Novell Netware for use on Novell servers. Provision is also made for booting from a standard floppy disk following authentication. It also includes a simple access control (password) mechanism that cannot be bypassed by DOS 6 F5/F8.

DiskSecure II is copyrighted FreeWare (no charge for individual use) - custom logos/features/switches are available on a site/corporate license basis.

FixUtil6

FixUtil6 is a collection of utilities for prevention, detection, and repair of low-level virus damage and other corruption. Included are the NoFBoot utilities which prevent accidental floppy disk booting, the CHK utilities which validate various aspects of the system, and FixMBR/FixFBR which will repair viral damage to the MBR of a hard disk and the DOS Boot Record on floppies and replace the initial boot code with a more sophisticated program.

The FixUtilities are copyrighted FreeWare & there is no charge for their use by individuals - custom logos/features/switches are available on site licenses.

- ------------------------------------------------------------------------------

Thanks Padgett!!!

As usual:

Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.

Best,
Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu    (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date: Wed, 29 Dec 93 09:50:26 -0500
From: "The Radio Gnome"
Subject: New(?) Virus MAKE MONEY FAST (Humor)

Hi,

This virus has been seen increasingly often on the internet. I first saw it on NOVELLR. It has since been seen on misc.consumers, rec.audio, EMUSIC-L and alt.music.progressive. It infects both LISTSERVs and newsgroups.

Identification is easy: the virus contains the string 'David Rhodes'.

Symptoms proceed as follows: An initial post is seen with a subject of 'MAKE MONEY FAST'. The nucleus of the virus contains an inane scheme about chain-lettering the internet. There is an almost instant response from the list/newsgroup members as they attack the virus with antibodies (aka flames). These antibodies contain such genetic fragments as "pull this guy's net access", "illegal" and "postmaster". As the effects widen, the list soon gets clogged with posts from macrophages (aka netpolice) that are auto cc:ed to the unfortunate postmaster of the originating site. Further inFLAMEation can possibly take place as the list moderator gets dragged in. The final phase of the infection is an aggravated plea from the list moderator to ignore the virus. It will then go into remission.

The virus usually finds its way onto the internet via someone's unattended terminal or non-secure account. No utility is known to clean it and scanners seem powerless in its presence.

Variants include the 'Hooray! Frank Zappa is dead' virus (scan for the string 'Joe six-pack') which has infected alt.music.progressive, the "Divine Masters" virus which regularly infects rec.music.newage and the "Hondas SUCK" virus that still hasn't been fully cleaned off of rec.autos.
Any disclaimer issued by me is subject to change without notice.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 3]
****************************************