VIRUS-L Digest   Friday, 11 Feb 1994   Volume 7 : Issue 11

Today's Topics:

Re: "Good Viruses?" and other stuff
virus signature database?
re: Telescript Agents
Re: good vs bad viruses
Virus testing
Re: What is a virus ? (Archimedes)
Monkey Virus - Dead hard disk (PC)
VSHIELD (PC)
McAfee Scan 111 false positive (PC)
Discussion of FIST 2 virus (PC)
FS5 possible virus warning (PC)
FS5 (Microsoft) possible virus? (PC)
Re: SKISM 14 (PC)
Re: Best PD antivirus? (PC)
Re: Fprot or McAfee (PC)
Re: independent testers (PC)
Form Virus Response (PC)
Re: Virus in MBR, which cannot be found? (PC)
Re: Virus in MBR, which cannot be found? (PC)
Re: McAfee versus F-prot (PC)
Re: noint info please (PC)
Re: Virus in MBR, which cannot be found? (PC)
Re: Form virus (PC)
Re: Virus in MBR, which cannot be found? (PC)
re: Help in removing Monkey virus from hard disk (PC)
Alternate infection method? (V-Sign) (PC)
Amisetup & Chipaway virus? (PC)
WildList for February 1994
AVP update is available on anonymous ftp site (PC)
Cancellation of VSI94
Virus Bulletin Call For Papers
Network Security Seminar - Los Angeles

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

------------------------------

Date: Mon, 31 Jan 94 13:18:08 -0500
From: lev@nssdca.gsfc.nasa.gov (Brian S. Lev)
Subject: Re: "Good Viruses?" and other stuff

Brian Seborg writes...

> First, let me answer a few questions quickly: PC Cyborg is a hacker who has broken the copy protection of many programs. Seeing this message on any game you have run does not necessarily imply a virus, but it does likely imply that you are bootlegging software and depriving someone of the income it takes to keep them in business writing game software. If you use it, pay for it. Also, invest in a scanner!

I assume you mean _virus_scanner_, not graphics.. :-) :-)

[ text deleted ]

> Viruses in the wild are inherently bad.

Hear, hear! As things now stand, this statement is *very* difficult to refute. However...

> I challenge anyone to put forth (even conceptually) a virus that would be considered "good" in that it would be beneficial for it to be released in the wild.

Purely as a mental exercise, howzabout a virus-like piece of software that mimicked part of the functionality of the old "Spinwrite" program? It would glom onto as many disks as it could, check to see if they were bootable, and then do a verbatim rewrite of the boot sectors so that they'd never "age out" due to electromagnetic degradation? Of course, as things now stand (please note that modifying statement!), I would defend myself vigorously against even this "benign" virus because it gives people with a malevolent bent an easy "in" to my system...

Just a thought, I now return you to the network in progress...

- -- Brian

------------------------------

Date: Mon, 31 Jan 94 17:29:04 -0500
From: steve mazdeh
Subject: virus signature database?

Hello everyone. I was wondering if there is a sort of reference list anywhere on the internet that has the names and signatures of all the known viruses. I would be very interested in getting a hold of it.
Sincerely,
Steve Mazdeh

------------------------------

Date: Tue, 01 Feb 94 11:40:38 -0500
From: "David M. Chess"
Subject: re: Telescript Agents

> From: rdaily@cbnewsg.cb.att.com (ronald.r.dailey)
> I don't see these agents as viruses, but rather self modifying worms. I doubt if they even modify their own code.

Certainly your typical agent would not be a virus, or even a self-replicating worm; it would just be an object that goes from one place to another on a network. But the interesting question is whether or not someone could write a virus or worm for such objects. Could there be a piece of code, for instance, that said "every day at noon, make two copies of myself, send them to random destinations, and then delete this copy" (a worm), or "look at the agent closest to me, and insert my code into it if it isn't already there" (a virus)? I don't know much about the security in the current TeleScript design, so I can't say anything specific about it. In general, though, active-agent systems have to be designed carefully, using principles that are just beginning to be understood, if they are to be both powerful and resistant to replicant attacks.

- --
David M. Chess
High Integrity Computing Lab
IBM Watson Research

"At 11, more dramatic testimony from Marla Maples Trump in the trial of the man accused of stealing her shoes." -- Actual TV phonemes

------------------------------

Date: Tue, 01 Feb 94 14:37:09 -0500
From: Ellen Carrico
Subject: Re: good vs bad viruses

All of the messages that have been exchanged on the theory of whether viruses are inherently "bad" or may be "good" simply don't have any relevance in the real world. Out here, where I work, if a scanned computer shows a virus that computer is no longer available for staff or public use until it has been cleaned (usually by me). With more than 150 PC's being used in public areas we *cannot* and *will not* allow unauthorized software on our machines.
I don't care how benign someone meant it to be, it can still consume memory or disk space, both of which are at a premium already. Therefore, any virus incident that occurs costs at the least REAL money for my time (or the other staff member who cleans the computer) and downtime for users (members of the public sign up at least a day in advance for some of our computers and then must travel downtown to use them). This is in addition to the funds that are expended to purchase anti-virus software, train staff, develop and maintain policies, perform routine scans, and repair destroyed files and disks. I can think of many more productive ways to spend my time and the library's funds.

Ellen Carrico
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microcomputer Coordinator    "It's one thing to burn your bridges. It's
Automated Services            another to burn them while you're standing on
Seattle Public Library        them." -- John Lewis
(206)386-4168
ecarrico@spl.lib.wa.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Fri, 04 Feb 94 00:52:04 -0500
From: cshema@uta.fi (Marko Helenius)
Subject: Virus testing

I am the responsible researcher of the Virus Test Laboratory of Finland. I would appreciate comments on how to arrange virus test sets. One problem is gathering new viruses. I thought that one source might be anti-virus producers which are willing to co-operate. Is this the right thing to do, and how should I do it in an objective way?

- --
Marko Helenius
University of Tampere, Finland
E-Mail: cshema@uta.fi
Fax: +358 31 2156070
Phone: +358 31 655960

------------------------------

Date: Wed, 02 Feb 94 04:39:15 -0500
From: aglover@acorn.co.uk (Alan Glover)
Subject: Re: What is a virus ? (Archimedes)

esveb@csv.warwick.ac.uk (Jon Ribbens) writes:

> The program is indeed a virus, the above excuse is ridiculous.
> Apart from anything else, it did do damage....

Furthermore, it has also been used as the basis for two further viruses. One triggers on a different day, and the other has a different payload. These wouldn't exist without his help.....

Alan

------------------------------

Date: Sat, 29 Jan 94 23:51:37 -0500
From: Mahmoud.Mirzamani@lambada.oit.unc.edu (Mahmoud Mirazamani)
Subject: Monkey Virus - Dead hard disk (PC)

I work at a university with about 100 PC's (386sx, DOS 3.3), most of which are infected with the Monkey virus. My first question is whether there is a systematic quick way to clean all of the infected PC's by running a batch file and then installing the virus protection program? I would also like to know if there is a program other than the shareware KILLMONK that would be helpful? We are in the process of purchasing McAfee's virus protection package; however, I believe it can only detect the Monkey virus.

Finally, as I was testing KILLMONK to remove the Monkey virus on one of the PC's last Thursday, I followed its suggestion by typing fdisk /mb(?). Since then, the hard disk is not bootable. I have removed and restored the partitions several times, and the same problem occurs. Is there a solution to this problem?

I really appreciate any help in this, since I have very little knowledge of removing this virus.

- --
The opinions expressed are not necessarily those of the University of North Carolina at Chapel Hill, the Campus Office for Information Technology, or the Experimental Bulletin Board Service.
internet: laUNChpad.unc.edu or 152.2.22.80

------------------------------

Date: Sun, 30 Jan 94 14:27:06 -0500
From: matherne@bobcat.ent.ohiou.edu (MaRcUs MaThErNe)
Subject: VSHIELD (PC)

I have just updated my McAfee scan to what I think is the latest version (111)...
when I use the VSHIELD that works in my autoexec.bat file I get the following message:

  Can not find file c:\windows\win.ini
  VSHIELD Windows Messager is not installed

I'm using the /windows flag as I have done for older versions of VSHIELD. My Windows directory is on my drive D:. My question is: How do I correctly get VSHIELD to find Windows on drive D, and what exactly does Windows Messager do?

Thanks for reading,
Marcus
ECE OU

------------------------------

Date: Sun, 30 Jan 94 20:19:27 -0500
From: rjryba@major.cs.mtu.edu (Russell J. Ryba)
Subject: McAfee Scan 111 false positive (PC)

I just upgraded to MS-DOS 6.2 and now scan says I have the Filler and Israeli Boot Sector Viruses. After some experimenting I narrowed the culprit down to the new version of MSAV. All my disks were clean, the installation disk too. I tried MSAV with different options loaded, but it seems to pick Filler more than Israeli. I have reinstalled DOS 6.0 and there are no problems. Anyone else have this happen? I used "scan c:" and "scan /m c:".

- Russ Ryba

------------------------------

Date: Mon, 31 Jan 94 10:22:55 -0500
From: hj5@prism.gatech.edu (JOHNSON P.E., HARRIS T)
Subject: Discussion of FIST 2 virus (PC)

One of our field office DOS machines became infected with the FIST 2 virus (I think). Central Point Anti-Virus indicated this is the infection. The symptoms included corrupted files and directories, invalid drive specification, etc. No other virus detection incl. DOS 6.2 found the virus, which made me suspicious, but on the corrupted machine command.com for DOS_6.2 grew from 54K bytes to 55K bytes. Also, by sequentially inspecting EVERY disk that came into that office for the past 3 months we did find a WP_5.2 document with some very suspicious code appended to the end of the document. Without trying to disassemble the code, I think this was the source.

Does anyone know anything about this virus? What does it do? Where does it reside? Can it be cleaned from a machine without reformatting?
Has other scan software begun to find it? Is reformatting sufficient to clean it? Now the big question: can it be detected and cleaned from a rather large FOXPRO database? 11 months of management information is in what may be an infected file. While we have backups, if we can't find it we don't know which backups are infected.

Thanks for any input you may have.

- --
Harris Johnson, PE - Economic Development Institute, Georgia Tech
Atlanta Georgia, 30332
voice: 404-836-6665
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!hj5
Internet: hj5@prism.gatech.edu

------------------------------

Date: Tue, 01 Feb 94 03:45:12 -0500
From: Roberto@suds01.cern.ch (Roberto Divia)
Subject: FS5 possible virus warning (PC)

While updating my parents' system (I do a check once a year) I have detected the "Cascade" virus in memory plus in the main "COM" files: COMMAND.COM, EDIT.COM, DOSKEY.COM and many others. The Cascade virus, according to the list included in the McAfee (111) packet, is a "COM" and "MEMORY" virus, but NOT an "EXE" virus. In other words, it should not infect EXE files.

After removing the virus, I scanned all my parents' floppies. And I found the virus on the 2nd floppy of the FS5 distribution kit. Purchased in a big shop, it was an original, write-protected copy from Microsoft. The presence of the virus has been detected in an "EXE" file! The diagnosis has been confirmed by McAfee (111) and the DOS (6.2) virus package from Microsoft.

As I have not followed the whole story (I came in only at the last chapter), I am not sure of what happened to that floppy. The dates are correct, so I don't think that the file has been tampered with by someone outside Microsoft. And the "Cascade" virus should not have infected an "EXE" file. So, my conclusion was: this virus was on the floppy since the beginning. But I am not an expert in viruses...

I reported all this to Microsoft and their polite reply was: "We check at the source all our floppies.
The virus must have contaminated your floppy after it left the factory."

Well, it's not a big deal. The virus was easy to remove and it took "only" three hours to scan all floppies and files to be sure all was fine. FS5 was running OK, just freezing from time to time (but this could have been a problem with the memory, so I cannot relate it to the presence of the virus).

I still have the infected originals. I suppose I can remove the virus, or stick 'em to the wall. I have all the details (floppies' serial #, purchase details etc...). If you are interested, drop me a line.

And, please, run your preferred anti-virus scanner on the 2nd floppy of the FS5 distribution kit.

- --
| Roberto Divia` | Love at first sight is one of the greatest    |
| ============= | labor-saving devices the world has ever seen  |
| CERN : European Laboratory for Particle Physics, 1211 Geneva 23 |
| Switzerland (CH)                                                |

------------------------------

Date: Tue, 01 Feb 94 07:52:56 -0500
From: Roberto@suds01.cern.ch (Roberto Divia)
Subject: FS5 (Microsoft) possible virus? (PC)

While updating my parents' system (I do a check once a year) I have detected the "Cascade" virus in memory plus in the main "COM" files: COMMAND.COM, EDIT.COM, DOSKEY.COM and many others. The Cascade virus, according to the list included in the McAfee (111) packet, is a "COM" and "MEMORY" virus, but NOT an "EXE" virus. In other words, it should not infect EXE files.

After removing the virus, I scanned all my parents' floppies. And I found the virus on the 2nd floppy of the FS5 distribution kit. Purchased in a big shop, it was an original, write-protected copy from Microsoft. The presence of the virus has been detected in an "EXE" file! The diagnosis has been confirmed by McAfee (111) and the DOS (6.2) virus package from Microsoft.

As I have not followed the whole story (I came in only at the last chapter), I am not sure of what happened to that floppy.
The dates are correct, so I don't think that the file has been tampered with by someone outside Microsoft. And the "Cascade" virus should not have infected an "EXE" file. So, my conclusion was: this virus was on the floppy since the beginning. But I am not an expert in viruses...

I reported all this to Microsoft and their polite reply was: "We check at the source all our floppies. The virus must have contaminated your floppy after it left the factory."

Well, it's not a big deal. The virus was easy to remove and it took "only" three hours to scan all floppies and files to be sure all was fine. FS5 was running OK, just freezing from time to time (but this could have been a problem with the memory, so I cannot relate it to the presence of the virus).

I still have the infected originals. I suppose I can remove the virus, or stick 'em to the wall. I have all the details (floppies' serial #, purchase details etc...). If you are interested, drop me a line.

And, please, run your preferred anti-virus scanner on the 2nd floppy of the FS5 distribution kit.

- --
| Roberto Divia` | Love at first sight is one of the greatest    |
| ============= | labor-saving devices the world has ever seen  |
| CERN : European Laboratory for Particle Physics, 1211 Geneva 23 |
| Switzerland (CH)                                                |

------------------------------

Date: Tue, 01 Feb 94 14:08:03 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: SKISM 14 (PC)

rpearson@relay.drev.dnd.ca (Pearson Russel) writes:

> We have encountered a virus detection of SKISM 14 by Central Point Anti-Virus V2 beta 1.

This is a non-standard name, and quite frankly it does not help much in finding out what virus this is. If you run F-PROT and/or DSAVTK, you would get something much closer to a standard name, and then maybe somebody could answer the question.

- -frisk

------------------------------

Date: Wed, 02 Feb 94 03:50:43 -0500
From: vogler@rzddec2.informatik.uni-hamburg.de (Jens Vogler)
Subject: Re: Best PD antivirus? (PC)

Fredrik Appelberg (fred-app@dsv.su.se) wrote:

> As a newcomer to this group, I'd like to ask: What is the best PD/ShareWare antivirus program, and where do I get it?
> Thanx,
> --Fredrik

Hello Fredrik,

I am no expert in PC viruses/antiviruses, but I think you can/should try F-Prot. You can find it e.g. at:

  ftp.uni-hamburg.de

in the directory:

  /pub/virus/progs

and it is named:

  fp-210c.zip

If you don't like it, try the McAfee progs in the directory:

  /pub/virus/McAfee

Or ask your local archie server for the nearest antivirus ftp site.

Okay? Any further question?

Yours (etc.)
ABert

- --
/* ************************************************************* */
/* Wir waren zusammen, den Rest habe ich vergessen.              */
/* We were together, I have forgotten the rest.                  */
/* Eravamo insieme, tutto il resto del tempo l'ho scordato.      */
/* Nous etions ensemble, le reste je l'ai oublie.                */
/* Estabamos juntos, el otro lo he olvidado.                     */
/* (Walt Whitman)                                                */
/*                                                               */
/*   \\\|||///                                                   */
/*    o   o      Yours ...                                       */
/*      |        Jens Vogler                                     */
/*     \_/       vogler@informatik.uni-hamburg.de                */
/*   Amiga Gruppe - Virus Test Center - Uni Hamburg              */
/* ************************************************************* */

------------------------------

Date: Wed, 02 Feb 94 00:23:42 -0500
From: carterm@spartan.ac.BrockU.CA (Mark Carter)
Subject: Re: Fprot or McAfee (PC)

F-Prot is much better in my experience.

: it really matter which one we use in a university. Fprot is much
: cheaper with their site licenses. Are they very close in quality?

Well, F-Prot's scanning engine seems more accurate, and F-Prot is also about five times faster than McAfee's Scan.

Mark

------------------------------

Date: Tue, 01 Feb 94 13:59:33 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: independent testers (PC)

100015.422@compuserve.com (Pat Bitton) writes:

> our product (Dr Solomon's).
> Testers must have a strong virus library and be able to test products for all types of infection, including polymorphics, on standalone PCs and across networks, and on DOS, Windows, OS/2 platforms.

Well, I would very much like to see something like this as well. However, I doubt anybody, anywhere can do this properly ....Well, maybe if Vesselin was a bit more business-oriented :-)

One problem is financial - maintaining the collection and doing the testing is time-consuming.....one researcher and a couple of assistants might be able to do the job - add the cost of hardware and you end up with at least 50.000 pounds per year....minimum. The question is who would pay. The vendors? The government? EC [yeah, why not... :-)]?

Another problem has to do with independence. It is nearly impossible for anybody to claim that they are independent...just consider the VSUM fiasco. Where do the viruses in the library come from? If they only come from a few vendors, there is a certain bias, and I have VERY serious doubts that obtaining viruses from "everybody" would work.

- -frisk

------------------------------

Date: Tue, 01 Feb 94 18:26:04 -0500
From: ALLENTAYLOR@delphi.com
Subject: Form Virus Response (PC)

Frank W. Felzman wrote:

Date: Mon, 24 Jan 94 16:16:05 -0500
From: FWF%GISA.UUCP@GERMANY.EU.NET
Subject: Re: Removing Form Virus (PC)

> ALLENTAYLOR@delphi.com wrote (VIRUS-L Digest Volume 7: Issue 5)
> 3. You can use the appropriate virus cleaner [TBAV-TBUtility], [and with DOS 5 or higher; FDISK /MBR command] or [DOS Sys Command] or, [McAfee MDisk] to restore the boot sector.

No, no, no !!!! FDISK/MBR restores only the MBR and n o t the boot sector. Therefore you must use the DOS Sys command for removing the FORM-Virus.

Regards
Frank W. Felzmann

=====================

allentaylor@delphi.com responds:

Frank,

You are absolutely correct!
However, you must have seen that I had quoted Virus.faq 4 times and was speaking in only "general" terms concerning the use of FDISK/MBR, MDISK and the DOS SYS command. I was directing the "infected" to the FAQ for more detailed instructions on removing the virus. However, my redundant use of the word "or" made my advice "technically" incorrect. I stand corrected and humbled in the light of your wisdom, "my good German friend, many thanks"!

See you later... and Best Regards,

________________________________________________________________________
| Allen G. Taylor,               | allentaylor@delphi.com              |
| Computer Virus Research Center | * CVRC BBS *                        |
| Indianapolis, Indiana, USA     | Specializing in Anti-Virus Software |
|======================================================================|

------------------------------

Date: Wed, 02 Feb 94 01:16:58 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Virus in MBR, which cannot be found? (PC)

Jukka E Jarvinen wrote:

> I bought a new hard disk drive, Seagate 340 MB IDE. I got it in an opened package and there was DOS installed. I deleted the partitions and made new ones. When quitting FDISK in the middle of the screen blinked:
>
>   BootSector Write !!!
>   Possible VIRUS: Continue (Y/N)?"
>
> I answered Y.
> I made the same operations once more and I got the same text.
> Also FDISK /MBR gives the same.
>
> McAfee's SCAN 109 and F-PROT 2.10 cannot find any virus.
> What's the problem and how can I fix it?

Newer BIOS's on motherboards these days have a feature that can be enabled which monitors writes to the hard drive (often called something like "boot sector virus protection"). You have the option turned on. This can usually be configured from the CMOS setup options; if you don't want to see it, then just turn it off. It will also occur when you format floppies, as the boot sector of the floppy is rewritten on a format. Sys'ing a disk will also cause that to come up.
- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date: Tue, 01 Feb 94 13:42:34 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus in MBR, which cannot be found? (PC)

jej@cc.jyu.fi (Jukka E Jarvinen) writes:

> McAfee's SCAN 109 and F-PROT 2.10 cannot find any virus.
> What's the problem and how can I fix it?

Well, assuming you didn't have some anti-virus hardware/software installed, and forgot about it, the answer is that there is no problem, and there is nothing you need to fix.

Basically, the BIOS in your machine is set to intercept all attempts to write to the MBR. This will prevent viruses like Stoned, Michelangelo etc. from infecting the machine, so it makes perfect sense to have it enabled. However:

1) Sometimes you really have to write to the MBR - in particular when running FDISK. The BIOS will intercept this, and issue a warning. There is nothing wrong with this.

2) A virus might disable the virus check, by modifying the CMOS before infecting the MBR, which makes this somewhat useless against future viruses.

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is           fax:   +354-1-617274

------------------------------

Date: Wed, 02 Feb 94 01:27:39 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: McAfee versus F-prot (PC)

Joel Johnson wrote:

> I would like to know if there are significant differences between McAfee and F-Prot antiviral software. Currently looking into site license and want to know is F-Prot considered as thorough as McAfee and will it catch as many viruses. Any input on this would be appreciated. Thank you.
F-Prot is faster, is capable of cleaning more viruses, provides much more accurate virus identification, has much more accurate descriptions of viruses (though they are often pretty brief -- they're not wrong), and has had a much better history (fewer false positives, fewer hacks (any?), fewer bugs...)

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date: Wed, 02 Feb 94 01:19:07 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: noint info please (PC)

Charles E Bell wrote:

> What can everyone tell me about the noint virus, and can it be destroyed?

The NoInt virus is based on the Stoned virus. It is a pretty simple MBR infector; it can be removed from the hard drive by booting from a known clean, write-protected system disk and executing "fdisk /mbr" from DOS 5.0 or higher. On floppies, it could be removed with the SYS command, but this will also take up about 100K of space on the disk. Most antivirus products are capable of cleaning this virus, such as Norton AntiVirus 3.0.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date: Tue, 01 Feb 94 21:39:08 +0000
From: hannu@acheron.demon.co.uk ("Hannu T. Ylioja")
Subject: Re: Virus in MBR, which cannot be found? (PC)

jej@cc.jyu.fi "Jukka E Jarvinen" writes:

> I bought a new hard disk drive, Seagate 340 MB IDE. I got it in an opened package and there was DOS installed. I deleted the partitions and made new ones. When quitting FDISK in the middle of the screen blinked:
>
>   BootSector Write !!!
>   Possible VIRUS: Continue (Y/N)?"
>
> I answered Y.
> I made the same operations once more and I got the same text.
> Also FDISK /MBR gives the same.
>
> McAfee's SCAN 109 and F-PROT 2.10 cannot find any virus.
> What's the problem and how can I fix it?

One reason could be that you have an AMI BIOS with the virus checker enabled. Go to advanced configuration and turn it off. Actually it is not a very good virus checker; it only spots writes to the master boot record, i.e. the first sector of the disk.

- --
Hannu Ylioja / ylioja_hannu_icl@smail.relay.icl.fi / hannu@acheron.demon.co.uk / 70023,1101 (compu$erve)

------------------------------

Date: Wed, 02 Feb 94 22:19:00 -0500
From: SOSUMI@delphi.com
Subject: Re: Form virus (PC)

We have had a RAMPANT infection of Form at work. The most evident symptom we have experienced is an error when loading the Windows 32-bit disk driver upon Windows startup. Good luck getting rid of this sucker...it's a BUGGER!

Cody

------------------------------

Date: Thu, 03 Feb 94 06:52:08 -0500
From: hermanni@elma.fi (Mikko Hypponen)
Subject: Re: Virus in MBR, which cannot be found? (PC)

Jukka E Jarvinen (jej@cc.jyu.fi) wrote:

> When quitting FDISK in the middle of the screen blinked:
>
>   BootSector Write !!!
>   Possible VIRUS: Continue (Y/N)?"

I just wrote about this for the upcoming F-PROT 2.11 Update Bulletin; here's a fragment from it:

F-PROT Support Informs: Common Questions and Answers
- ---------------------------------------------------

When I was installing DOS 6.2 on my computer, I received the warning "Boot sector write, possible virus. Continue Y/N?". What caused the warning? Is my computer infected?

All the newer AMI BIOSes give this warning when something tries to make changes to the hard disk's boot sector. The warning is justified, too, since it is able to prevent most boot sector viruses from infecting the computer. However, the DOS installation program must make some legitimate changes in the boot sector.
You can either ignore the warning when you are installing the program, or turn it off for the duration. The warning can be switched off via the computer's Setup. Remember to turn it back on when you have completed the installation.

Hope this helps,

MH

- --
Mikko Hypponen // mikko.hypponen@df.elma.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@df.elma.fi
PGP 2.3a public key available, ask by e-mail

------------------------------

Date: Fri, 04 Feb 94 09:56:17 -0500
From: cvardema@bashful.helios.nd.edu (charles vardeman)
Subject: re: Help in removing Monkey virus from hard disk (PC)

There is a small community college here in South Bend that has a computer lab that was infected w/ the Monkey virus. Unfortunately, they used the FDISK/MBR option and now cannot restart their systems. Is there anything that can be done to restore the MBR of their hard drives? I'm thinking of something like Norton Disk Doctor or some utility of that nature. Short of that, would it be possible to go in w/ a disk editor and reset the information..

Thanks

- -chuck

- ------------------------------------------------
cvardema@bach.helios.nd.edu
"say what you will"
- ------------------------------------------------

------------------------------

Date: Fri, 04 Feb 94 17:14:10 +0000
From: kenney@laser.nb.rockwell.com (Kevin Kenney)
Subject: Alternate infection method? (V-Sign) (PC)

Ran into a virus F-Prot 2.10(c?) calls V-Sign, and other programs call Cansu. Since it is a boot-sector infector and was on a non-bootable disk, it had partially corrupted a(n executable) file on that disk. By trying to run that program, I at least moved the virus into memory, and possibly activated it there. (VIRHUNT reported the virus active in memory.) I don't know my DOS file structure well enough to know if starting an EXE (possibly) executes code in the 1st block of a file, and thus could run a 'non-file infecting' virus residing there.
This might be an alternate way to be infected with any (or some) boot virii. Also, no disinfector I tried (F-Prot, Virhunt, Norton 2.1) repaired the file to a properly executable state. (It may not have been executable before infection - the disk's source is unknown.)

Several questions:

Can anyone confirm/refute this alternate infection method?

Is disinfecting a boot infector from a file more prone to failure than other disinfections? (Yes, I know backups are best: in this case, not knowing the source of the disk, running the infected file was desirable to try to find the disk's owner. (I'm a programmer: this looked like a utility from someone at work.))

Can someone send me a rundown of V-Sign, so I can panic to the proper degree? (Is there an informational server I could e-mail to for automatic info?)

How might I tell (due to the disinfection failures) if this might be a new strain, and if so how (for a boot virus) and where should I send it? (i.e. what ftp sites might have BootId or Checkout (from the FAQ).)

As always, thanks in advance...

=========================
KILL THE PARANOIDS                    A Public Service Message, making paranoids happier,
All standard disclaimers: apply!      by letting them know that they are right.  :o -> :>
kenney@nb.rockwell.com

------------------------------

Date: Fri, 04 Feb 94 13:14:28 -0500
From: jwayne@news.delphi.com (JWAYNE@DELPHI.COM)
Subject: Amisetup & Chipaway virus? (PC)

Just installed a new motherboard, and Amisetup has options for a Chipaway virus handler. Does anybody use this and is it effective? The motherboard also came with a Trendmicro Chip Away Viruses diskette. Is this worth using, and does it have anything to do with the AMI BIOS setup? Thanks.
jon

------------------------------

Date: Wed, 02 Feb 94 03:08:40 -0500
From: Joe Wells <0004886415@mcimail.com>
Subject: WildList for February 1994

============================================================================
                 PC Viruses in the Wild - February 1, 1994
============================================================================

This is a cooperative listing of viruses reported as being in the wild by 16 virus information professionals. The basis for these reports is virus incidents where a sample was received and positively identified by the participant. Rumors and unverified reports have been excluded.

The list should not be considered a list of "currently common" viruses, however. No provision is made for commonness. A currency basis for the list has been set. Reports date from September of 1992 to the present. This data indicates only "which" viruses have been found in the wild.

============================================================================

The section below gives the names of participants, along with their organization, antivirus product (if any), and geographic location.

Key Participant            Organization       Product        Location
============================================================================
As  Alan Solomon           S&S Int'l          Toolkit        UK
Dc  Dave Chess             IBM                IBM AntiVirus  USA
Ek  Eugene Kaspersky       KAMI               AVP            Russia
Fb  Fernando Bonsembiante  Virus Report       None           Argentina
Fs  Fridrik Skulason       Frisk Int'l        F-Prot         Iceland
Gj  Glenn Jordan           Datawatch          VirexPC        USA
Jw  Joe Wells              Symantec           NAV            USA
Pd  Paul Ducklin           CSIR Virus Lab     None           So Africa
Pp  Padgett Peterson       Hobbyist           DiskSecure     USA
Rf  Richard Ford           Virus Bulletin     None           UK
Rh  Richard Head           Jade Corp          None           Japan
Rr  Roger Riordan          CYBEC              VET            Australia
Sg  Shimon Gruper          EliaShim           ViruSafe       Israel
Vb  Vesselin Bontchev      U of Hamburg       None           Germany
Ws  Wolfgang Stiller       Stiller Research   Integ Master   USA
Yr  Yuval Rakavi           BRM                Untouchable    Israel
============================================================================

The first chart is based on two or more participants reporting a virus. Therefore, these viruses are probably more geographically scattered.

CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
AntiEXE..................| . . . . x . x . . . . . . x . x | D3
Athens...................| . . . . x . x . . . . . . . . . | Trajector
Barrotes.A...............| x . . . . . x x . . . . . . . . | Barrotos
Brasil...................| . . . . . . x . x . . . . . . . |
Butterfly................| . . . . . . x . . . . . . x . x |
Cascade.1701.A...........| x x . x x . . . . x x . x x . . | 1701
Cascade.1704.A...........| x x x . x . x . . . . . x . . x | 1704
Changsha.................| . . . . . . x . . . x x . . . . | Centry
Chinese Fish.............| x x . . x x x x . . . x . . . x | Fish Boot
CPM......................| . . . . . . x . x . . . . . . . | Chile,Meirda
Dark_Avenger.1800.A......| x x . x x x x . . x x x . . x x | Eddie
Dark_Avenger.2100.SI.A...| x . . . . . x . . . . . . . . . | V2100
Datalock.920.............| x x . . . . x . . . . . x . . x | V920
Dir-II.A.................| x x x x x . x x . x x x x x x x | Creeping Death
Disk_Killer.A............| x . x . . . x . x x . . x . . . | Ogre
Even_Beeper..............| x x . . . . . . . . . . . . . . |
EXE_Bug.A................| x . . . . . x x . x . . x . x . | CMOS 1
EXE_Bug.C................| . . . . . . . x . . . . x . x . |
Fichv.2_1................| x . . . x . . . . . . . x . . x | 905
Filler...................| . . . . . x x . . . . . . . . . |
Flip.2153.A..............| x x . x x . x . . x x . x . . . | Omicron
Flip.2343................| x . . . x . . . . . . . . . . . | Omicron
Form.....................| x x . x x x x . x x x . x x x x | Form 18
Freddy_2.................| . . . . x . x . . . . . . . . . |
Frodo.Frodo.A............| x x . x x . x . . . x x x . . x | 4096,100 Year
Ginger...................| . . . . . . x . . . . x . . . . | Gingerbread
Green Caterpillar........| x x . . x x x . . x x x x . x x | Find,1591,1575
Helloween.1376...........| x . . . . . x . . x x x . . x x | 1376
Jerusalem.1244...........| x x . . . . . . . . . . . . . . | 1244
Jerusalem.1808.Standard..| x x . x x x x x x x x . x . x x | 1808,Israeli
Jerusalem.Anticad.4096.B.| x . . . x . . . . . . . x . . . | Invader
Jerusalem.Fu_Manchu......| x . . . . . x . . . . . x . . . | 2080,2086
Jerusalem.Mummy.2_1......| x . . . x . . x . . x . x . . . | PC Mummy
Jerusalem.Sunday.A.......| . . . . . . . x . . x . . . . x | Sunday
Jerusalem.Zerotime.Austr.| x x . . . . . . . . . x x . x x | Slow
Joshi.A..................| x x . . x x x . x x x x x . x . |
Kampana.3700:Boot........| x x . x x x x . . x x . . . x . | Telecom,Drug
Keypress.1232.A..........| x x . . . . . x . x x x x . x x | Turku,Twins
Liberty..................| . x . . x . x . . x x . . . x x | Mystic,Magic
Maltese Amoeba...........| x x . . x . x . x x . . x . x x | Irish
Music_Bug................| . . . . x x . . x . . . . . x . |
Necros...................| x . . . . . x . . . . . . . . . | Gnose,Irish3
NJH-LBC..................| x . . . . . . . . . . . . . . x | Korea Boot
No_Frills.Dudley.........| x . . . . . . . . . . x . . . . | Oi Dudley
No_Frills.No_Frills......| . . . . . . x . . . . x . . . . |
Nomenklatura.............| x x . . . . . . . . . . . . . . | Nomen
November_17th.855.A......| x x . . x . x . . . . . . . . . | V855
NPox.963.A...............| . . . . x . x . . . . . . . . x | Evil Genius
Ontario.1024.............| . x . . . . . . . . . x x . . . | SBC,1024
Parity_Boot.B............| x . . . . . x x . x x . . x . . |
Ping_Pong.B..............| x x . x . . . . . x . . x . x . | Italian
Predator.2448............| . . . . x . x . . . . . . . . . | 2448
Print_Screen.............| x x . . . . x . . . . . . . . x | PrnScn
Quit.A...................| x x . . . . . . . . . . . . . . | 555,Dutch
Quox.....................| . x . . x . x . . . . . . . . . | Stealth 2
Ripper...................| x x . . x . x . . . . . . . . . | Jack Ripper
Screaming_Fist.696.......| x x . . . x x . . . . . . . x . | Screamer,696
Stealth.B................| . x . . . . x . x . . . . . . . | STB
Stoned.16................| x x . . . . x . . . . . . . . x | Brunswick
Stoned.Azusa.............| x x . . x . x x x . x x x . x . | Hong Kong
Stoned.Empire.Monkey.....| . . . . x x x . x . . x . x x . | Monkey
Stoned.Flame.............| . . . . . . x . . . . x . x . . | Stoned(3C)
Stoned.June_4th..........| x . . . . x x . . . x x . x x x | Bloody!,Beijing
Stoned.Lzr...............| . . . . x . x . . . . . . . . x | Stoned.Whit
Stoned.Manitoba..........| . . . . x . x . . . . . . . . . | Stonehenge
Stoned.Michelangelo......| x x x x x x x x x x x x x x x . | March 6
Stoned.NoINT.............| x x . . x x x x . x . x . . x . | Stoned 3
Stoned.NOP...............| . . . . . . x . . . . . . . x . | NOP
Stoned.Standard.B........| x . x x x x x x x x x x x x x . | New Zealand
Stoned.Swedish_Disaster..| x . . . . x . . . . . . . . . . |
Stoned.W-Boot............| . . . . . . x . . . . x . . . x | W-Boot
Stardot.789..............| . x . . . . x . . . . . . . . . | 805
SVC.3103.................| x . x . . . x . . . x . x . . . | SVC 5.0
Swiss_Phoenix............| . . . . . . x . . . . . . . . x |
Tequila..................| x x . . x . x x . x x . x x x x |
Tremor...................| . . . . x . . . . x . . . x x . |
V-Sign...................| x x . . x x x . . x x x x . x . | Cansu,Sigalit
Vacsina.TP-05............| x x . . x x x . . x x . . . x . | RCE-1206
Vacsina.TP-16............| x x . . x . . . . . . . . . . . | RCE-1339
Vienna.648.Reboot........| x x x . . . . . . . . . . . . . | DOS-62
WXYC.....................| . x . . . . x . . . . . . . . . |
Yankee Doodle.TP-39......| x . . . x . . . . . . . . . . . | RCE-2772
Yankee Doodle.TP-44.A....| x . x . x . x . . x x . . x . x | RCE-2885
Yankee Doodle.XPEH.4928..| . . . . x . . . . . . . . . . x | Micropox
Yeke.1076................| . x . . . . x . . . . . . . . . |
============================================================================

The second chart is based on a single participant noting more than one infection site and may signify limited regional virus outbreaks.

CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
10_Past_3.748............| . . . . . . . x . . . . . . . . |
Boot-437.................| . . . . . . . . . . . . . . . x |
BootEXE..................| . . . . . . . . . x . . . . . . | BFD-451
Brain....................| . . . . . . . . x . . . . . . . | Pakistani
Cascade.1701.G...........| . . . . . . . . . . . . . x . . | 1701
Coffeeshop:MtE_090.......| . . . . . . . x . . . . . . . . |
Darth_Vader.3.A..........| . . . . . . . . . . . . . . x . |
Datalock.828.............| . . . . . . . . . . . . . . . x |
Den_Zuko.A...............| x . . . . . . . . . . . . . . . | Den Zuk
DosHunter................| . x . . . . . . . . . . . . . . |
Emmie.3097...............| . . . . . . . . . . . . . . . x |
EXE_Engine...............| . . . . . . . . . . . . . x . . |
Grower...................| . . . . . . x . . . . . . . . . | V270x,268+
Hafenstrasse.............| . . . . . . . . . . . . . x . . | Hafen
Hi.......................| . . . . . . . . . . . . . . . x | Hi.460
Involuntary.A............| . . . . . . x . . . . . . . . . | Invol
Japanese_Xmas............| . . . . . . . . . . x . . . . . | Xmas in Japan
Jerusalem.1808.CT........| . x . . . . . . . . . . . . . . | Capt Trips
Jerusalem.1808.Null......| . x . . . . . . . . . . . . . . |
Jerusalem.Carfield.......| x . . . . . . . . . . . . . . . |
Jerusalem.Moctezuma......| . x . . . . . . . . . . . . . . |
Jerusalem.Mummy.1_2......| . . . . . . . x . . . . . . . . |
Jerusalem.Sunday.II......| . x . . . . . . . . . . . . . . | Sunday 2
Joshi.B..................| . x . . . . . . . . . . . . . . |
Jumper...................| . . . . . . . . . . . . . . . x |
Kampana.Galicia:Boot.....| . . . . . . x . . . . . . . . . | Telecom,Drug
Keypress.1744............| . . . . . . . . . . . . . . . x |
Little Brother.307.......| . . . . x . . . . . . . . . . . |
Lyceum.1788..............| . . x . . . . . . . . . . . . . |
MacGyver.................| . . . . . . x . . . . . . . . . | Shoo
MISiS....................| . . . . . . . . . . . . . . . x | Zharinov,NIKA
Murphy.Smack.1841........| . . . . . . x . . . . . . . . . | Smack
Necropolis...............| . . . . . . . . . . . . . . . x | 1963
November_17th.800........| . . . . . . x . . . . . . . . . | Jan1, 800
Number_of_the_Beast......| . . . x . . . . . . . . . . . . | 512,666
Parity_Boot.A............| . . . . . . . . . . . . . . x . |
Sat_Bug..................| . . . . . . x . . . . . . . . . | Satan Bug
Screaming_Fist.NuWay.....| . . . . . . x . . . . . . . . . | Sticky
Sleepwalker..............| . . . . . . . . . . . x . . . . |
Stinkfoot................| . . . . . . . x . . . . . . . . |
Stoned.Bunny.A...........| . . . . . . . x . . . . . . x . |
Stoned.Dinamo............| . . . . . . . . . . . . . . . x |
Stoned.Michelangelo.K....| . . . . . . . . . . . . . . . x |
Stoned.Empire.In_Love....| . . . . . . x . . . . . . . . . |
SVC.2936.................| . . . . . . x . . . . . . . . . |
Stoned.Empire.Int_10.....| . . . . . . . . x . . . . . . . |
Swiss_Boot...............| . . . . x . . . . . . . . . . . | Swiss Army
Syslock.Syslock.A........| x . . . . . . . . . . . . . . . |
Vmem.....................| . . . . . . . . . . . . . . . x |
Voronezh.1600............| . . x . . . . . . . . . . . . . | RCE-1600
Yale.....................| . x . . . . . . . . . . . . . . | Alameda
============================================================================

Release Notes:

Vol.202, February 1994

This volume adds two new sources: Fernando Bonsembiante of Argentina, who produces the publication Virus Report, and Richard Head, of Yasuko Amano Jade Corp, who translates the virus reports of the IPA in Japan. Both these sources provide information that is regional in nature.

This report includes the MISiS (Zharinov,NIKA) which was omitted from Vol.201. It was reported in Israel by Anthony Naggs of the UK and BRM.

Vol.201, January 1994

The Ripper virus was reported by four participants last month. Formerly reported to be in Bulgaria and Finland, the virus is now verified in the UK (several reports), Ireland, Finland, and the Netherlands.

New information from BRM adds some viruses to the second list that are verified in Israel. Note especially Necropolis, which, with Dir II and Frodo, represents over 75 percent of the reports received by BRM.

============================================================================

The collation of this material is done by Joe Wells, Virus Specialist at Symantec, Peter Norton Group, who is solely responsible for its contents. The material presented is implicitly copyrighted under various laws, but may be freely quoted or cited.
However, its source and cooperative nature should be duly referenced. Other antivirus product developers are invited to participate in the list. If you wish to do so, please contact me.

============================================================================
The WILDList by Joe Wells -- jwells@symantec.com -- 70750,3457 -- Vol2.02a
============================================================================

------------------------------

Date: Tue, 01 Feb 94 11:25:10 +0300
From: eugene
Subject: AVP update is available on anonymous ftp site (PC)

Hello!

The January update of Antiviral Toolkit Pro (AVP) is available on the anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_upd.zip

This package contains a beta version of the heuristic scanner as well as a new antiviral database.

You can use an ftp-by-email server. Here are three of them, for European, American, and Australian users:

ftpmail@doc.ic.ac.uk
ftpmail@Pa.dec.com
ftpmail@cs.uow.edu.au

You should send a message consisting of the word 'help' to one of those addresses and you will get instructions on how to proceed.

Good luck,
Eugene

- ---
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su +7 (095)278-9949

------------------------------

Date: Tue, 01 Feb 94 11:56:18 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Cancellation of VSI94

Unfortunately it has become necessary to cancel the anti-virus conference scheduled for 28-29 March in Philadelphia (aka VSI 94); there was just insufficient interest.

A. Padgett Peterson, P.E.
Program Chairman

[Moderator's note: Sorry to hear that the conference was cancelled. If anyone out there is maintaining a calendar of virus-related conferences, seminars, etc., I'm sure that a lot of people would appreciate seeing it here. >From snowed-in DC, KRvW.]
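The WildList charts above have a fixed row layout (a dot-padded CARO name, a 16-column x/. grid in the order of the key header, and a trailing alias field). As an added example that is not part of Joe Wells's posting, here is a small parser for that layout which recovers, per virus, which participants verified a sample, whether the entry belongs in the first chart (two or more reporters) or the second (a single reporter), and how many listed viruses each participant reported; the sample rows are copied from the list, and the header/separator lines are included so the parser is exercised on the real layout.

```python
"""Parse the WildList chart layout: one row per virus, a 16-column x/. grid
(one column per participant key, in the order of the chart header) and a
trailing comma-separated alias field."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Participant keys exactly as printed in the chart header, in column order.
KEY_HEADER = "AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr"
KEYS = [KEY_HEADER[i:i + 2] for i in range(0, len(KEY_HEADER), 2)]

# Constructed sample input: a few rows copied from the February 1994 list,
# plus the header and separator lines that a parser must skip.
SAMPLE_CHART = """\
CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
AntiEXE..................| . . . . x . x . . . . . . x . x | D3
Stoned.Empire.Monkey.....| . . . . x x x . x . . x . x x . | Monkey
V-Sign...................| x x . . x x x . . x x x x . x . | Cansu,Sigalit
Even_Beeper..............| x x . . . . . . . . . . . . . . |
Necropolis...............| . . . . . . . . . . . . . . . x | 1963
============================================================================
"""

# Name padded with dots, then the grid between two pipes, then the aliases.
ROW_RE = re.compile(r"^(?P<name>[^|]+?)\.*\|(?P<flags>[ .x]+)\|(?P<alias>.*)$")


@dataclass
class WildEntry:
    name: str
    reporters: list                       # participant keys that verified a sample
    aliases: list = field(default_factory=list)

    @property
    def chart(self) -> int:
        # Chart 1: two or more participants; chart 2: a single participant.
        return 1 if len(self.reporters) >= 2 else 2


def parse_row(line: str):
    """Return a WildEntry for a chart row, or None for header/separator lines."""
    m = ROW_RE.match(line.rstrip())
    if m is None:
        return None
    flags = m.group("flags").split()
    if len(flags) != len(KEYS):
        raise ValueError(f"expected {len(KEYS)} columns, got {len(flags)}: {line!r}")
    reporters = [key for key, flag in zip(KEYS, flags) if flag == "x"]
    aliases = [a.strip() for a in m.group("alias").split(",") if a.strip()]
    return WildEntry(m.group("name").strip(), reporters, aliases)


def parse_chart(text: str) -> dict:
    """Map CARO name -> WildEntry for every row in the chart text."""
    entries = {}
    for line in text.splitlines():
        entry = parse_row(line)
        if entry is not None:
            entries[entry.name] = entry
    return entries


def report_counts(entries: dict) -> Counter:
    """How many listed viruses each participant verified."""
    return Counter(key for e in entries.values() for key in e.reporters)


if __name__ == "__main__":
    parsed = parse_chart(SAMPLE_CHART)
    for e in parsed.values():
        print(f"{e.name:25} chart {e.chart}  {' '.join(e.reporters):22} {', '.join(e.aliases)}")
    print("reports per participant:", dict(report_counts(parsed)))
```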
------------------------------

Date: 03 Feb 94 15:17:14 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Virus Bulletin Call For Papers

It was with some horror that I realised I had forgotten to post the following. If you wish to submit a paper but cannot Email an abstract in time, Email me.

Regards, DF.

Virus Bulletin Conference 1994
8/9 September, Jersey, UK

Call for Papers

The International Virus Bulletin Conference is the largest and most prestigious annual event to address the computer virus threat in Europe. The 1994 conference will be held on 8/9 September at the Hôtel de France, Jersey, and will attract delegates and speakers from around the world. They will comprise corporate computer security staff, PC support specialists, hardware and software developers, government, military, public sector and corporate IT managers, and researchers.

Abstracts of between 200 and 500 words outlining proposed papers are now invited from anyone engaged in combating the computer virus threat. Papers will be selected for their originality and for their appeal to a diverse audience. VB will cover speakers' travel and accommodation expenses.

Papers covering the following topics are particularly welcome:

* Windows viruses
* Virus-proof DOS
* Virus awareness and successful user education programmes
* Disaster recovery and preparing for a large-scale attack
* Civil and criminal aspects of computer crime
* Developments in anti-virus software
* Heuristic scanning
* New PC operating systems (OS/2, Windows NT, UNIX) and their susceptibility to viruses
* Changing computer architecture to combat viruses
* The psychology of virus writers

The conference will be held in two streams, the first of which will address management issues; the second, technical developments.
Abstracts should be completed by 18th February 1994 and sent to:

The Editor
Virus Bulletin
Abingdon Science Park
Abingdon OX14 3YS
England

Fax +44 (0)235 559935
e-mail VIRUSBTN @ UK.AC.OX.VAX (or @vax.ox.ac.uk, depending on Email flavour).

------------------------------

Date: Wed, 02 Feb 94 13:35:32 -0500
From: Michael Berger
Subject: Network Security Seminar - Los Angeles

This is an announcement of a series of network security seminars to be given in LA, Orange County, and San Diego in March, 1994. For further information or a full brochure, call Computer Security Corporation at (714)840-4656 or FAX (714)840-7450.

Dr SOLOMON'S NETWORK SECURITY SEMINAR
Management and Implementation

You'll learn about:

* VIRUSES: How to minimize the threat
* BACKING UP: Choosing a reliable system
* ACCESS CONTROL: Secure communications and computing systems
* DATA RECOVERY: Retrieving inaccessible data
* HACKING: An insight into the mind of the hacker
* IMPLEMENTATION: Policies and procedures for network integrity and protection

You'll take away products worth over $350 - FREE:

* CheckIt LAN (5 node version)               SRP $249.00
* The Virus Video Corporate Training Pack    SRP $69.95
* RingFence diskette security software       SRP $29.95
* RamExam from Qualitas                      SRP $29.95
* Latest issue of Secure Computing

Dates:

Los Angeles County   Monday, March 21, 1994
Orange County        Wednesday, March 23, 1994
San Diego County     Thursday, March 24, 1994

Seminar Developer
- -----------------

Dr. Alan Solomon is Chairman of S&S International Ltd. He was educated at Cambridge, where he read mathematics for his first degree, and earned a Ph.D. in Econometrics at Cranfield. He has also worked in industry and in the financial sector, giving him a wide-ranging insight into the problems faced by computerized businesses. Dr. Solomon is a frequent speaker at PC conferences and writes for a number of magazines and newspapers.
He is co-founder and technical director of EICAR, the European Institute for Computer Anti-Virus Research, and is also Chairman of the IBM PC User Group in the UK.

Seminar Leader
- --------------

The Network Security Seminar is led by Mr. Peter Morley. Prior to joining S&S International in 1990, Mr. Morley spent 23 years at IBM and has been involved with the PC since its inception; he is also a past Chairman of the PC Independent User Group in the UK. Currently Senior Data Recovery Consultant at S&S, Mr. Morley handles the most complex data recovery tasks personally, and runs frequent workshops worldwide.

Mike Berger
Computer Security Corporation

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 11]
*****************************************