VIRUS-L Digest   Friday, 29 Apr 1994   Volume 7 : Issue 30

Today's Topics:

New viruses: SMEG.Pathogen, SMEG.Queeg (PC)
Re: How big a threat are Books?
Re: Number of viruses on non-PC machines
Re: Harmless Viruses
Re: The truth about good viruses
Re: Intelligent detection
Re: AVP 2000
Re: Fractal Virus Detection
Re: Intelligent detection
Re: NT viruses? (NT)
Re: Clean 111 & Mich. (PC)
Re: Thoughts on FORM infections...(PC)
Re: CANSU Virus (PC)
Re: Is speed really important? (PC)
Re: Avoiding floppy boot (was: FORM problems) (PC)
Re: packed file is currupt ?? is it a VIRUS? (PC)
Re: MUSH.COM? (PC)
Re: No PC viruses on 3.5" disks? (PC)
Re: Monkey Curiosity (PC)
Re: Generic MBD virus in partition table (PC)
Re: Help getting rid of the boot437[genb] virus (PC)
Re: Stealth (PC)
Re: Anti-virus? (PC)
Re: help! on michelangelo virus (PC)
Re: VDS questions answered (PC)
Re: VDS, compatibility etc. (PC)
Re: Virus on MS DOS 6.2? (PC)
Re: Joshi.a (PC)
Re: Form.A (PC)
Re: Monkey/Telecom Virus (PC)
Re: No PC viruses on 3.5" disks? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 27 Apr 94 11:08:09 -0400
From: gcluley@nose.sands.co.uk
Subject: New viruses: SMEG.Pathogen, SMEG.Queeg (PC)

S&S International, developers of Dr. Solomon's Anti-Virus Toolkit, have discovered two dangerous new viruses running wild on British computers.

The two new viruses, Pathogen and Queeg, have both been written using what the virus author, The Black Baron, calls the Simulated Metamorphic Encryption Generator (SMEG). The viruses are highly polymorphic, using an intensely variable and large encryption loop. This means that each infection of the virus looks completely different to those seen before, making the job of writing a reliable detector extremely difficult.

Pathogen and Queeg are memory-resident, polymorphic infectors of COM and EXE files. If Pathogen triggers its payload (between the hours of 17:00 and 18:00 on a Monday evening) BIOS level writes are made to the first 256 cylinders on heads 1-4 of the hard disk, and the following message is displayed:

   Your hard-disk is being corrupted, courtesy of PATHOGEN!
   Programmed in the U.K. (Yes, NOT Bulgaria!) [C] The Black Baron 1993-4.
   Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator!
   'Smoke me a kipper, I`ll be back for breakfast.....'
   Unfortunately some of your data won`t!!!!!

The line and other messages contained within the viruses suggest the author is British and a fan of the cult science-fiction television comedy series, Red Dwarf.
Dr Solomon's Anti-Virus Toolkit has the ability to find both viruses using the following "Extra driver":

[extra driver data for SMEG.Pathogen and Smeg.Queeg omitted]

If you find any instances of the viruses using the above extra drivers you should then use the following drivers in their place.
These following drivers are not intended for use, unless a Pathogen or Queeg infection has already been detected:

[extra driver data for SMEG.Pathogen and Smeg.Queeg omitted]

At the time of writing S&S International know of no anti-virus product (including Dr Solomon's Anti-Virus Toolkit) which detects these viruses. However, with the addition of the above extra drivers Dr Solomon's Toolkit has this capability.

How to use Extra drivers:
==================

Extra drivers are ASCII files consisting of a series of decimal numbers with a virus name. They should be entered exactly as shown above. If saved as a file called EXTRA.DRV in the same directory as FindVirus, FindVirus will automatically use the above definitions and detect the viruses.

The above extra drivers are also available for download to registered users of S&S International's BBS in the UK: +44 (0)442 877883 and +44 (0)442 877884. They are also available for download in the a_v_toolkit conference area of CIX (Compulink Information eXchange).

Please address any queries about SMEG.Pathogen and SMEG.Queeg to our Technical Support department.
Users of Dr Solomon's Anti-Virus Toolkit can receive technical support on +44 (0)442 877877, and via email: sands@cix.compulink.co.uk

Regards
Graham

- ---
Graham Cluley                    gcluley@sands.co.uk
Product Specialist               S&S International, Berkley Court
S&S International                Mill Street, Berkhamsted, Herts
Tel: +44 (0)442 877877           UK HP4 2HB

------------------------------

Date: Fri, 15 Apr 94 10:37:19 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How big a threat are Books?

Russell J. Ryba (rjryba@major.cs.mtu.edu) writes:

> I just saw an ad for the "Little Black Book of Computer Viruses".
> It is supposed to teach you how to create your own computer viruses.
> Are books like this a threat?

Yes, they are.

> Or is it a good idea to let people know
> how they work, so they can protect themselves better?

Yes, it is a good idea to teach the people how viruses work and how to protect from them. It is NOT a good idea, however, to teach people how to write their own viruses, without telling them anything about how to protect from them. The book mentioned above does the latter, not the former.

> I think I read
> somewhere that TIMID was listed in this book.

It is, indeed. As a result, a whole bunch of variants have been created by the brainless idiots who don't have the skills even to write their own virus, let alone a normal program. There have been at least two reports of Timid variants from the wild. This is the same old story that happens every time when a virus is published in a book. It happened with Ralf Burger's book in West Europe, it happened with Mark Ludwig's book in the USA, it happened with Khizhnyak's book in Russia.

> Either in an article, or
> Virus info list somewhere.

The whole virus source is published there.

> So, what do you think?

I think that the authors of those books are irresponsible members of the society. They abuse the right of free speech that this society has granted them, without taking the responsibility in exchange.
Their only concern is to make money, exploiting a controversial subject. As a result, they are wasting a lot of resources and ruin their reputation.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 12:06:09 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Number of viruses on non-PC machines

mikko.hypponen@df.elma.fi (mikko.hypponen@df.elma.fi) writes:

> Even though I'm working with only the PC viruses, I get often asked
> about the virus situation on other computers. As I do not have very
> recent information about the current situation, could anyone fill me
> in?

About 4,300. A quick report from my collection says 4,330 (344 boot and 3,986 file infectors), but this is not very exact, because (a) the multi-partite viruses are counted twice (once as file and once as boot sector viruses), (b) the two Whale variants are counted as 34 (by the number of different decryptors; I have to fix this one of these days), and (c) there are a couple of dozens of new viruses in my "not sorted yet" part of the collection. So, "about 4,300" is a safe bet.

> Apple Macintosh: 18 (around 50 with all variants?)

42, I think.

> Commodore Amiga: more than 100

About 300. Only about 100 of them are classified in our Computer Virus Catalog.

> Acorn Archimedes: 84 (according to a recent article in VB)

56 (using the same source of information - the April issue).

> Atari ST series: 20

At least 20 - that many are described in our CVC. There are probably more, but I don't know how much more. We don't support this platform any more.

> HP-48: 5

Haven't seen any, but have heard of at least 3.

> UNIX: 3

At least 5. Three I have here, one used in Dr.
Cohen's experiments, and one compiled virus (not a sh script) described in Tom Duff's paper. Also, a few versions of the infectious sh script described in the other paper in the same volume.

> Commodore 64: 2

Have only one here.

> Any others?

Two Japanese viruses for Sharp-68000 and one Japanese virus for NEC. All the three are boot sector infectors and don't work on IBM PC compatible machines.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 13:51:13 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Harmless Viruses

WOLF@vaxb.acs.unt.edu (WOLF@vaxb.acs.unt.edu) writes:

> However, with other examples such as the KOH and
> Cruncher 2.1 (notice the version number, very important) I doubt
> you could find such flaws.

Sigh... Here we go again. Maybe it is time to repost the list of reasons why viruses are considered bad. I posted it some time ago, so maybe you should do some research into the Virus-L/comp.virus archives first. It has even been published by the April issue of the EDPACS Newsletter, pp. 11-12, so you could do some library research instead.

And no, neither KOH, nor Cruncher 2.1 are "good" viruses. They violate rules 3, 4, 5, 6, 7, 8, 9, 11, and 12. This is violating 9 rules out of 12. Pretty bad for a virus that is supposed to be good.

> There are some situations that each will
> cause incompatibilities, such as any software, BUT because they do ask
> for user permission for their actions, I can not see them as being
> harmful.

You can't see? Look again. It's obvious. Here is an example. Suppose a system that controls a real-time application, for instance a life-support system.
At a particular moment, the sensors report that the patient urgently needs an insulin injection. This has never happened before, so the system starts the program that is responsible for controlling the insulin injecting device. It is life-critical that this program works. Unfortunately, one of your "beneficial" viruses has infected the system. No, it doesn't infect without permission. It has intercepted the execution of the application and has stopped the system, displaying the prompt "May I infect this program?". Unfortunately, there is nobody around to enter "yes" or "no". Result: the life-critical program never starts. Consequence: the patient dies. A bit harmful for a "beneficial" virus, don't you think so?

Ah, but you will say, it is possible to tell Cruncher 2.1 to infect without asking questions, just by setting an environment variable. Fine! Let's assume that this has been done. However! The author of the life-critical application is a responsible person and is worried about the integrity of the program. After all, if it gets accidentally corrupted, this may result in human lives being lost. So, he has made the program checksum itself and refuse to run if it finds that its integrity has been compromised. Here comes your "beneficial" virus and infects the program, without asking questions. Ooops, the program's self-integrity check fails and it refuses to run. Result: the patient dies. Not a very beneficial achievement, don't you think so?

Then, what does the user gain from Cruncher? More free disk space? Problem is, this is at the cost of the increased load time. Maybe in some cases this is much worse than having a few more kilobytes occupied on your hard disk - who are you to tell? Besides, the strategy used is not optimal - only the executed applications are compressed. Much better is to compress those applications that are *not* executed often - because then the time delay is not that important.
Even better is to compress the data instead - a database or a spreadsheet compresses much better than an executable. The best is to use a dedicated utility like PKLite, or Stacker, and let the user decide what to compress and what not. How is the Cruncher's approach better?

Then, how about environments you know nothing about? Suppose that Alice just loves Cruncher and has let it infect all her programs. One nice day, she accidentally gives one of them to Bob, who has never heard of Cruncher and who does not want any viruses on his machine. Unfortunately, Bob uses a completely different program, say an archiver Alice has never heard about, which requires that he has "SET CRUNCH=AUTO" in his AUTOEXEC.BAT file. Result: the virus severely infects Bob's system, without being authorised by Bob. Some of Bob's favorite applications fail when they are infected. Result: Bob spends a lot of time locating the problem and calling different tech support hotlines. All this because some wimp Bob has never heard about has decided that he knows how to write the ultimate utility that is useful for everybody and everybody must run it on their computers. Beneficial virus? NOT!

More examples? How about the time and efforts wasted by the producers of the scanners, in order to be able to detect the virus and be able to help Bob in the above situation? Do you know how difficult it is to detect Cruncher without causing false positives? What if somebody takes the virus and modifies it to do something malicious? Admittedly, this can be done with any program, but we are talking about a self-spreading malicious program here!

I can give you similar examples about KOH. What does it do that a stand-alone program won't? I mean, what *useful* thing? Disk encryption? You want privacy of your data? Fine, get the program SFS (available from garbo.uwasa.fi:/pc/crypt/sfs100.zip). You are in the States, you can also get SecureDrive.
Forgot the ftp site, but if you are interested, just ask in sci.crypt or alt.security, or alt.security.pgp. It uses the same encryption algorithm as KOH! It is just as secure. It is not a virus. It is free. It even comes in source, so you can examine it yourself and check for backdoors and/or implementation errors. If any are found, you can even fix them yourself! Can you say that about KOH? In fact, can you guarantee us that this KOH plot is not mounted by the NSA/CIA/KGB/insert your favorite TLA here and does not store the passwords in a secret place on your disk? Or doesn't call the NSA headquarters using your modem and does not transfer there the contents of your hard disk while you are looking elsewhere? :-) Beneficial viruses... ha!

> In point of fact, each of them can be beneficial. KOH

They can. Michelangelo can be beneficial too - it's a very nice tool for wiping secret data from your hard disk. However, I would prefer to use one of the dedicated disk wiping utilities instead, thank you very much.

> encrypts your hard drive and floppies (should you request it to)
> with a user specified password.

Having seen Mark Ludwig's programming capabilities, I am ready to bet that it has several implementation errors that weaken the security. See the documentation of SFS for a short discussion of the caveats when implementing a disk encryption utility, or ask in sci.crypt.

> As each of these
> asks for user permission, and are free of harmful code at least to the
> point that CHKDSK.EXE is, I see them as being harmless or even good.

No, they are not. And neither would be CHKDSK, if it were able to replicate.

> I am not defending the writers that write destructive code, merely pointing
> out that some virus writers (such as some members of TridenT and Mark
> Ludwig in the examples above) are writing good, useful, user friendly
> programs and deserve a second look regarding the "virus writer" mentality.
I can give you several examples of harmful code written by the members of TridenT. I can also give you samples of Mark Ludwig's viruses causing harm in the real world.

> To discuss
> harmless viruses, stick to the ones that self-respecting researchers will
> term that way

No self-respecting researcher will call a real computer virus "harmless".

> (or at least stick to the ones that have no "intentionally
> damaging" code).

Ah, that's something completely different! Yes, some viruses are not intentionally destructive. This doesn't mean that they are harmless, however! They do cause damage, just like the others. Sometimes it is due to bugs, sometimes due to incompatibilities, most of the time - because they are wasting people's time and resources.

> My two examples from above ARE in this category. If it

Which category? Not intentionally destructive viruses? Yes, I agree. Harmless viruses? No, they are not.

> is up to the user to make the decisions on whether a virus spreads or not,
> and nothing is being hidden from the user, then it is not inherently
> bad.

In general, the above is true, but it doesn't hold for the examples you listed. See the counter-examples I gave you above.

> Just the fact that a program modifies code, or
> even replicates itself while doing so, is not wrong.

Yes, it is. Modifying code can prevent other programs from working. Ever tried to modify F-Prot or almost any other good anti-virus program? But this is not essential - it is possible to implement a virus without directly modifying the existing programs. The "bad" things are when this happens unnecessarily and without authorisation, or causes interruption, or has any other unwanted effects.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 14:07:57 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

fc@Jupiter.SAIC.Com (fc@Jupiter.SAIC.Com) writes:

> There ain't no such thing as a good virus
> (because) they all cause damage under some
> circumstances
> The same is true for any program - what does
> being a virus have to do with it? - Nothing

The difference, as I am trying to explain to everybody, is that what *we* call *real* viruses spread without authorization. None of the "normal" programs do that. Also, what we call real viruses tends to contain many more bugs per byte of code than the normal applications. Sounds like a serious enough difference to me.

> I've never met a virus I liked
> Bigotry was never a good excuse before, why use it
> as one now.

Show me at least one person who wants to run a *real* virus on their machine. Then I'll show you at least 100 others who wouldn't. From your logic it follows that at least 99% of the people are bigots.

> Anyone who claims to like viruses is trying
> to justify their past.

...or doesn't know what he is talking about.

> Did you
> know that many of us virus writers did good
> things with our viruses?

How many of you? With how many viruses? What and how many good things?

> You too can
> feel good about yourself if you will only apply
> these talents to the benefit of others

But I, and many others do - we help the others to keep the real viruses away from their machines. They seem to want it. We are not forcing anybody to remove the viruses from their machine. As opposed to that, many virus writers are going to big efforts to force people who they even don't know to install their viruses on their machines.

> All viruses are bad because they go where they
> are not authorized to go, overwriting data, or
> at least using otherwise available space and time.
> The definition of virus does not imply spreading
> without authority or overwriting other data.

Gotcha! We are just talking about different things. I admit that what fits into *your* definition of "computer virus" (and, as you have admitted yourself, even DISKCOPY fits into it), *can* be useful, and even often is. In fact, many anti-virus packages in existence today are using virus-like (actually, worm-like) techniques to automatically update themselves on all workstations connected to a LAN. That's not a problem.

The problem, Dr. Cohen, is that we, the anti-virus researchers, are talking about something completely different. We are talking about *real* computer viruses, not about histories of the states of Turing Machines. We are talking about those nasty little programs, written usually by irresponsible adolescent kids, that try to sneak into our computers against our will and often to destroy our data. *That* is always bad, no matter what you are trying to tell me.

> If
> using otherwise unused space or time is inherently
> bad, then all programs are inherently bad, not just
> viruses, because all programs use time and space that
> would not otherwise be used.

No, I disagree here. That's not enough. Who are you to decide what is unused on my machine and who gave you the right to use it? It's *my* machine. It's my right to decide whether to run your program on it or not. If your program attempts to run without my authorisation, then I consider this bad, even if it uses only resources left unused at that particular time.

> I await your further attempts at demonstrating that all viruses are bad.

That's not a problem; the problem is to agree what we are talking about. As I said, I am ready to admit that what *you* call a virus can be a useful program. I'll keep insisting that all viruses, according to the general public's understanding of this term, are bad.

Another problem, Dr.
Cohen, is that you often tend to be too terse and not to explain in detail what you mean exactly - and do not express it in a language understandable by the general public. This often makes people not understand you, or misunderstand you. Is it surprising then that people tend to flame you? :-)

There is also a third problem. A bunch of criminal-minded idiots are not taking even the slightest effort to understand you, and are intentionally misinterpreting your words, in order to find an excuse for their anti-social behaviour - virus writing. This is also bad... :-(

> Please just continue to rave into Virus-L, and I will respond with a
> similar dismissal of new ravings in another few months.

You are quite welcome.

> P.S. Whoever has been taking the heat for supporting the concept of
> good viruses - I commend you.

Do you mean Kohntark? Maybe you should first (a) make clear that you understand what he means, (b) look at his viruses, and (c) ask him whether he is running his own viruses on his machine.

On the same subject, Dr. Cohen, I would like to ask you: how many of the viruses in my virus collection (there are about 4,300 of them) will *you* be willing to run on *your* machine?

> Sorry I haven't been more supportive, but
> I have been busy finishing a book on good viruses.

Looking forward to seeing your work. I don't doubt that it will be really interesting and valuable, unlike that junky virus writing guide published by Mark Ludwig.

> Please send me some
> E-mail so we can gang up on these miscreants who can't tell the
> difference between morality and mathematics. - FC

The real problems arise when some people (a) cannot see the difference between mathematics and real life and (b) don't see the need for morality and ethics.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request.
> Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 15:54:19 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Intelligent detection

John W. Byrd (jbyrd@well.sf.ca.us) writes:

> The proof went something like this. Say you write the perfect virus
> detection program, VPERFECT, which scanned any file and told you whether
> it was infected or not. It returns true if the file is infected and
> false otherwise.
>
> Given VPERFECT, then, it would be possible to construct a virus called
> METAVIRUS that worked as follows:
>
>     If VPERFECT( METAVIRUS )
>         then do nothing
>         otherwise infect other programs
>
> In essence, this virus only activates if the VPERFECT scanner says it's
> not a virus, and it does nothing if VPERFECT says it's a virus! You
> conclude that VPERFECT necessarily doesn't work for every possible virus.

This has been discussed here before. This "proof" can be found in one of Dr. Fred Cohen's papers. It is a variation of the proof that it is impossible to create an algorithm that will always be able to decide in finite time whether a given program terminates in finite time or not.

Unfortunately, the proof is wrong. First, it is possible that in some cases the program VPERFECT() never terminates. Second, suppose that each time when the program returns a negative result, it also attaches a virus to a file. Then the contradiction disappears: in the program you listed above, if METAVIRUS is a virus and VPERFECT decides that it is not, the result will be that a file will be infected - that is, it is indeed a virus. If VPERFECT decides that it is a virus, then it will correctly report it as such - no contradiction.

This is better explained in a paper of an Austrian researcher.
Take a look at the first issue of the electronic journal "Alive", available from our ftp site as

ftp.informatik.uni-hamburg.de:/pub/virus/texts/alive/alive10.zip

Does this mean that it *is* possible to construct an algorithm which will be able, in finite time, to correctly decide whether a given program is a virus or not, without any false positives or false negatives? Unfortunately - no. Just the proof is not as simple as above. It can be found in another of Dr. Cohen's papers and in his Ph. D. thesis.

> This logic can fail only because a computer only has a finite number of
> states, and theoretically it is possible (though computationally ridiculous)
> to list exhaustively all states in which a finite-state machine is infected.

This is correct.

> In sum, yeah, just keep using McAfee, and beware of any so-called universal
> virus scanners.

Oh, it's very easy to write a universal virus scanner, I mean a scanner that will detect all possible viruses. Here is a batch file which takes as an argument the name of a program and prints a message, reporting whether there is a virus in it:

=====cut here=====
@echo off
echo off
if "%1" == "" goto usage
echo The file %1 contains a virus.
goto quit
:usage
echo Usage: %0 file_to_be_checked_for_viruses
:quit
=====cut here=====

The only problem is that the false positive rate is a bit too high. :-)

But wait! If this is what worries you, here is a modification that fixes this problem completely! No false positives whatsoever; guaranteed.

=====cut here=====
@echo off
echo off
if "%1" == "" goto usage
echo The file %1 does not contain viruses.
goto quit
:usage
echo Usage: %0 file_to_be_checked_for_viruses
:quit
=====cut here=====

Unfortunately, when I tested the above program on my virus collection of 4,300 viruses, the detection rate was not very good. :-) Back to the drawing board...

OK, here is the brand new, much improved version.
It requires an external program which displays a prompt and accepts user input from a set of characters and returns ErrorLevel 1 if the user input is among those characters and ErrorLevel 0 otherwise. Programs like that are freely available from many sources, and it is very easy to write one. Here is our new, universal virus detector. No false positives! No false negatives! Windows 3.1 versions planned, watch this space.

=====cut here=====
@echo off
echo off
if "%1" == "" goto usage
ask "Does the file %1 contain any viruses?" yY
if errorlevel 1 goto found
echo The file %1 does not contain viruses.
goto quit
:found
echo The file %1 contains a virus.
goto quit
:usage
echo Usage: %0 file_to_be_checked_for_viruses
:quit
=====cut here=====

Acknowledgments: I heard the above excellent joke (in a slightly modified form) in one of Dr. Alan Solomon's excellent speeches, so all credits go to him.

Seriously, stop for a moment and think - how many "universal virus detectors" that are sold nowadays are a disguised version of the third program? They rely on the user to decide whether the observed phenomenon is indeed a virus or not. Can you say "monitoring program"? Can you say "integrity checker"? I knew you could. They all claim to detect "known and unknown viruses", and most of them leave it to the user to decide whether the "something" they have detected is indeed a virus...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 16:04:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AVP 2000

Jeffrey Rice - Pomona College, California. (jrice@pomona.claremont.edu) writes:

> I just downloaded AVP 2000 from Uni-Rostock.
> I was surprised to see

You mean, AVP 2.00, right?

> that this program will attempt to remove a virus from memory. How effective is
> this, and how safe?

Quite. The program identifies the important part of the virus which is responsible for the replication and patches it in memory in such a way that the virus becomes inactive. I don't know whether the destructive payloads are also patched - they should be.

> In a very short look at the program, I was rather
> impressed by the options.

Have you looked at the help system? Once you get used to the bad English, it's equally impressive - with detailed descriptions of what the viruses do, demos of the video and sound effects of hundreds of them and so on.

> What kind of hit rate does it get? I thought I
> heard +/-80% awhile back, but I'm not sure.

Much better. On file viruses, version 2.00 has a detection rate of something like 98%, if the heuristics are enabled. Because of some peculiarities of the user interface and of my testing environment, I am currently unable to provide test data about this program when tested on boot sector viruses. Of the file viruses, it detected 3882 out of 3981. Only 15 viruses were not detected reliably (they are NOT included in the number 3882). Very few scanners are so good. In fact, I can think only of two: F-Prot and VScan (a scanner which is currently under development).

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 16:29:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fractal Virus Detection

Tom Zmudzinski (zmudzint@cc.ims.disa.mil) writes:

> Is there something "virus-ish" in an infected file that is
> detectable regardless of the particular virus involved?

No. The viruses can be very different from each other, even the replicants of one and the same virus can be very different from each other, and some viruses are very similar to legitimate programs. Can't be done. The most that can be done is to create a set of heuristics that will tell you whether a file looks as if it is infected. Those heuristics will miss some viruses and might report some virus-free files as infected.

[train recognition example deleted]

Something like that can be done. For instance, it is probably possible to detect all viruses which are produced by the PS-MPC virus generator. It is possible to detect almost all boot sector viruses. Now, when the algorithm you mentioned becomes able to decide whether something is a transport vehicle or not, for all possible transport vehicles, including those that are not known yet, I'll reconsider.

Regards,
Vesselin

------------------------------

Date: Sat, 16 Apr 94 08:33:36 -0400
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: Intelligent detection

jbyrd@well.sf.ca.us (John W. Byrd) writes:

>There was an interesting application of Godel's theorem to virus detection
>on the net a couple years ago.
>It was basically a high-level proof that a

[SNIP]

>Given VPERFECT, then, it would be possible to construct a virus called
>METAVIRUS that worked as follows:
>
>If VPERFECT( METAVIRUS )
> then do nothing
> otherwise infect other programs
>
>In essence, this virus only activates if the VPERFECT scanner says it's
>not a virus, and it does nothing if VPERFECT says it's a virus! You
>conclude that VPERFECT necessarily doesn't work for every possible virus.

In theory this is ok, but in real life it might be a very difficult task for METAVIRUS to detect the presence of VPERFECT. What if VPERFECT uses a very strong polymorphic engine as part of its installation program? But, as I always say, you cannot protect your program against targeting.

Another point here is that it would almost always be easier to write METAVIRUS than to attempt to write VPERFECT. But if VPERFECT gets complex enough, it will in real life avoid any METAVIRUS. At least today we see the best code within some of the anti-virus programs, while it seems like the virus-writers in general are less knowledgeable programmers. It is also common that av-researchers have more resources than virus-writers. This makes it possible to write something close to VPERFECT. But it would not be profitable, so the companies with the resources to do it will not try.

My own program (HS v3.58) is kind of a VPERFECT for bootviruses. It detects and removes all of them, but a METAVIRUS would be possible to create. The point is to raise the level of knowledge required to write a METAVIRUS for a given VPERFECT. I think it should be pretty hard to write a METAVIRUS for HS v3.58. And if somebody did write it, I would just release a new version, raising the required knowledge-level once again.

Enough said :-)

Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 15 Apr 94 12:17:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NT viruses? (NT)

Craig Williamson (craig.williamson@ColumbiaSC.NCR.COM) writes:

> Have there been any NT viruses yet?

If you mean NT-specific viruses - no, I am not aware of any. However, many MS-DOS viruses will work in a DOS box under WinNT. Also, many boot and master boot sector viruses will infect a WinNT system, although they most probably will be disconnected once the OS loads.

> As we consider moving to NT or
> Chicago as our OS, I wonder about DOS viruses causing problems and how
> we can find and fix them in that environment.

I am by no means a WinNT expert, but I suspect that the DOS viruses will cause the same kind of problems under WinNT as they are causing under OS/2.

> Since DOS is not going
> to be in Chicago or Daytona (the next release of NT) how much of a
> problem could it be?

Will it be able to run DOS programs? If yes, then it will be able to run DOS viruses - they are nothing more than DOS programs.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 11:21:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clean 111 & Mich. (PC)

Scott Howard (c9219517@sage.newcastle.edu.au) writes:

> The only way that a virus detector could be assured of never incorrectly
> detecting a strain of a virus would be to have a complete copy of the
> virus that it could compare with that found on disk/in memory.

For all practical purposes it is sufficient to use a checksum of the non-modifiable parts of the virus. Make that a cryptographically strong checksum, if you are paranoid about security.

> For some
> viruses you could use a checksum, but not for all.

Care to tell us for which ones a checksum cannot be used and why?
> The resulting scanner
> would then of course be rather too large to be of any use.

Big - yes. Unusable - no. There are already several products (FindVirus, IBM Antivirus, F-Prot, AVP) which use this method to detect (and often - identify exactly) viruses in files and/or boot sectors. Some of them (IBM Antivirus, AVP) already use this method for memory detection too, although not for all viruses. AVP uses it almost always, IBM Antivirus - only for very few viruses. However, AVP does not identify the whole virus (only some important parts), while IBM Antivirus does. As somebody has said once, if it happens, it must be possible. :-)

> : disinfector the next time. One that can identify "your" virus exactly
> : - like F-Prot, for instance - and which will not attempt to remove the
> : virus if it is not perfectly sure what to do. Or use some backup
> Are you saying that F-Prot will never get it wrong?? I think not...

Did I say that anywhere? Quote it, please. No, I just said that F-Prot uses exact identification. Not always - on about 1/3 of the viruses it can detect. Quite unlike SCAN/CLEAN which *never* use exact identification. If F-Prot messes up, this means that either (a) it doesn't use exact identification for that particular case or (b) the implementation of the disinfection algorithm for that particular virus is buggy. In the case of CLEAN the same can happen for the same reasons, but (a) happens much more often, because the program does not perform exact (or even nearly exact) identification at all.

> As I stated in an earlier post, MIRROR/PARTN is the best option, and anyone

I tend to disagree that MIRROR/PARTN is the "best" option for restoring the MBR after a virus attack - I tend to prefer virus-aware utilities, which know many of the tricks that a virus could pull to prevent them from working properly. However, I agree that MIRROR/PARTN is good enough, and certainly better than nothing.

> : assuming that the "one way" is CLEAN's way.
> : Somebody else posted that
> : it is impossible to identify the viruses in memory and to deactivate
> : them - he is wrong too; this is perfectly possible, only not easy,
> : that's why almost nobody bothers to do it.
> If you're going to paraphrase me, at least get what I said right. I said :
> >Considering that there are often dozens of mutations of each virus, it
> >would be almost impossible to write a program that could actually
> >deactivate all of them from memory, and even if it could, it would still
> >have no way of safely de-activating new strains.

Sorry about paraphrasing you inexactly; I lost your message, otherwise I would have quoted it.

> No, it would not be impossible, but it would be very hard, and also very
> risky.

Very hard - yes. That's what distinguishes the better products from the worse ones. The better products can do very hard things. The bad products can't. The better a product is, the more hard things it is able to do.

Risky - why? If you have *identified* the virus *exactly*, what is the risk of disabling it?

> There is no sensible reason that I can think of that would require
> such treatment.

Most users don't boot from a clean diskette and/or are likely to have their bootable diskettes already infected. If a scanner is able to work properly even in such an environment, isn't it a good enough reason for you?

> : Third, it is a surprise to me that McAfee claim "10 years experience"
> : in the field, especially having in mind that "the field" is about 8
> : years old. :-) I remember very well when McAfee seriously entered the
> : anti-virus business - it was around the DataCrime scare, although, of
> : course, he might have written virus detectors some months ago.
> I believe that McAfee was involved in computer security well before
> viruses were even heard of. Not exactly the same thing, but close enough.

Not really.
John McAfee's previous occupation was in a company that offered to register in a database people who have been tested and it has been discovered that they do NOT have AIDS, and to help them meet each other. From his own words, his first involvement with computer viruses has been with Brain, but he really entered the business during the DataCrime scare. (For those of you who haven't been around at that time, the DataCrime scare was much like the Michelangelo one, only much more groundless - the virus is a non-resident one and is unlikely to spread anywhere.) Well, Brain was in October 1987. That makes 6.5 years at most.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 11:25:18 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thoughts on FORM infections...(PC)

JDG111@PSUVM.PSU.EDU (JDG111@PSUVM.PSU.EDU) writes:

> one other question - I don't think Form has a payload, am I correct? If

No, you are not - it does have one.

> it does, what's it do and when?

On the 18th of each month, it makes the keys on the keyboard "click" when you press them. This cannot be observed if the infected computer's BIOS does not support INT 1Ah (i.e., most XTs) or if the foreign keyboard driver KEYB is used (i.e., most European computers).

> And while I'm here - where can I find the newest F-Prot and VSUM on FTP?

oak.oakland.edu:/pub/msdos/virus/fp-211.zip
mcafee.com:/pub/vsum/vsumx403.zip

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 11:29:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CANSU Virus (PC)

Jerry Brown (jerry.brown@cld9.com) writes:

> Anyone know anything about the CANSU virus,

This virus is listed in our Computer Virus Catalog under the name V-Sign. See the FAQ for information on how to get the CVC.

> as in if it can be removed without
> having to re-partition the hard drive?

Every virus can.

> Any suggestions?

Get a better scanner/disinfector. My recommendation: F-Prot.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 11:46:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is speed really important? (PC)

Jimmy Chung - from TAIWAN (u801403@Winkie.Oz.nthu.edu.tw) writes:

> In fact, DSME 1.0 is only a test program. Because a magazine writer
> posted the message of polymorph engine( MtE, TPE) in our country,
> so Dark Slayer wrote DSME 1.0 to meet the ability of polymorph.
> He indeed had NEVER other polymorph engine before.

Hmm... how do you know? :-) Do you happen to know him?

> Because the ability is not very powerful yet, so many Scan's AV will
> show "found [TridenT]" for the answer.

Not really. It happens not because DSME is "not very powerful yet", but because SCAN is so clumsy and the decryptors generated by TPE are so generic. SCAN tries to recognize the TPE-based viruses only from their decryptors (and spectacularly fails, I mean, it is not able to detect reliably *any* of the TPE-based viruses), and the TPE can generate some of the decryptors that DSME can.
Actually, the TPE can also generate some of the decryptors that Tremor can, so SCAN mistakenly reports about half of the Tremor replicants as "TridenT" - the name it uses for the TPE-based viruses.

> I think TBAV and FP lost the DSME's viruses because DSME does NOT
> look like other polymorph device all over the world, so the
> signature of DSME is not the same as other engines.

Not really. The DSME-based viruses (I know of only one actually - Teacher:DSME) look pretty much like any other polymorphic virus - they are polymorphic. Second, "signatures" (or, to use the more correct term, "scan strings") are not used to detect polymorphic viruses. (Well, there are a few exceptions.) The only reason why few scanners can detect the DSME-based viruses is because those viruses are not well known and because the authors of the scanners have hundreds of other viruses to worry about.

> Dear Frisk :
> If you want to get DSME 1.0, I am glad to mail you that
> because I like your product.

Frisk does have a copy of DSME 1.0. What he really needs is free time. :-)

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 12:03:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Avoiding floppy boot (was: FORM problems) (PC)

David M. Chess (chess@watson.ibm.com) writes:

> As a sidenote, it's not just AMI BIOSes that allow this; various
> IBM PS/2s, for instance, also have a configurable boot order...

Ah, yes, indeed. One thing I don't like about PS/2s, however, is that they require a configuration diskette in order to change the CMOS. AMI's way is so much more convenient - just press at boot time. Besides, a diskette can carry a virus...
Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 12:05:55 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: packed file is currupt ?? is it a VIRUS? (PC)

Harry W.Hertz (hertzh@lanf.kaiserslau-emh1.army.mil) writes:

> I keep getting the msg. "PACKED FILE IS CURRUPTED" on several .COM and .EXE
> files! No VIRUS found on the Systems. LOADFIX is only a temp.
> solution to this... Is there any other way to fix this? Is it a VIRUS?

No, it is not a virus, it is a bug, sort of. You have too much conventional memory on your machine - something like 600 Kb or more. This means that the programs you run are loaded very low - in the first 64 Kb segment of the address space. Several compressed programs cannot run properly there.

> What should I do to get this solved permanently?

Either of the following:

1) Load more TSRs and device drivers in the low memory.

2) Unpack your EXEPACKed programs - there is a nice utility that does this, called UNP. The latest version can be obtained from garbo.uwasa.fi:/pc/execomp/unp330.zip.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 12:08:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MUSH.COM? (PC)

Thom Odell (guest06@mtholyoke.edu) writes:

> I am wondering if an audio program called mush.com and its associated
> file mushroom.ovl is some sort of virus?

No. It is a joke program, and a rather old one at that. Does nothing destructive - just plays a digitized melody.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 12:15:48 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: No PC viruses on 3.5" disks? (PC)

Mike Bogdan (Mbogdan@msu.edu) writes:

> I was wondering if someone could explain here how PC viruses work. Can

The FAQ is a good start. Then, there are many books and papers on the question. Do some library research.

> PC viruses be transmitted via network?

Yes.

> Can they be carried on a 3.5"
> disk?

Yes.

> I was told that PC viruses can only be transferred via 5.25" disks
> and I shouldn't worry about it too much.

Whoever has told you this suffers from ACDS (Acute Clue Deficit Syndrome). :-)

> Thanks for the help.

You are welcome.

> Or point me towards a FAQ please.

cert.org:/pub/virus-l/FAQ.virus-l

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 14:05:53 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey Curiosity (PC)

Dale Morlock (harrier1@delphi.com) writes:

> I just encountered Monkey on a client's PC.
> I can't find much on
> Monkey except that it's a stealth virus. What am I dealing with? Any
> cautions? Thanks!

Stealth MBR infector. Infects both physical hard disks, if two are present. Occupies 1 Kb of memory. Stores the original boot sector at the end of the root directory on floppies. Encrypts the original boot sector. Damages 2.88 Mb diskettes (trashes the FAT). Contains the encrypted string "Monkey", which is never displayed. Is able to detect and bypass an earlier version of Padgett's program DiskSecure. The virus is not polymorphic. It contains no destructive payload. Has been probably written by a student at the University of Alberta, Canada.

CAUTION: Do NOT use FDISK/MBR to remove this virus. It will make your hard disk inaccessible. Instead, use an anti-virus program, or a saved copy of the original (uninfected) MBR.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 14:15:30 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Generic MBD virus in partition table (PC)

Christine JOUVE (jouve@manitou.ensmp.fr) writes:

> Can somebody help me in the removal of the Generic MBR virus ?

This *must* go to the FAQ. Repeat after me: THERE IS NO SUCH THING AS THE GENERIC MBR VIRUS. It is a message reported by McAfee's SCAN and means: "I have found something highly suspicious in the MBR of your hard disk, and I am pretty sure that it is a virus, but I really have no idea which virus that is.". SCAN 113 reports 68 completely different viruses from my collection like that.
> I have discovered it using scan which has informed me by the message:
> "Scanning partition table of disk C:
> Found the Generic MBD [Genp] virus in partition table."

Quite probably your computer is infected. No idea with what, however.

> Everything became right (scan has detected no virus) until reusing scan,
> a few days later, I have discovered again that my PC is infected by
> Generic MBR virus.

Probably a re-infection. You must also clean your diskettes. Note that there the virus will be reported differently: as "Generic Boot [GenB]".

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 14:21:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help getting rid of the boot437[genb] virus (PC)

Patrick D'Cruze (pdcruze@iinet.com.au) writes:

> A friend of mine has somehow infected the boot sector of his hard drive with
> the:
> boot437[genb]
> virus. He has tried using scanv113 and clean113 to rid himself of it.
> They unfortunately don't work (at least scan113 is able to detect it,
> scan112 doesn't).
> He has also tried to reformat the boot sector to rid himself of the problem
> (using: fdisk /mbr) however this too has failed.

Indeed, this is a DBS infector, not an MBR one, so FDISK/MBR won't work.

> Does anyone know how he may rid himself of this virus? What shareware
> or commercial virus checkers can clean it up (or other disk management
> tools)?

Try the program AVP 2.00 from our ftp site. Don't know whether it is able to remove the virus - disinfection is something very difficult to test, especially for boot sector viruses. As a last resort, use SYS to overwrite the virus.
Don't forget to boot from an uninfected write-protected system diskette first.

> Another related problem is that scan113 is not able to detect which
> file was originally infected with the virus and hence even after

This virus does not infect files. It infects boot sectors. And no, there is no way to trace the origins of the infection - but your friend has to check all his diskettes, even the blank and the data-only ones.

> removing the virus there is the possibility that it could once again
> infect his harddrive. What virus checkers would you recommend to
> detect this virus and detect the files that have been infected by it
> (ie, the original carriers of the virus)?

Both SCAN 113 and F-Prot 2.11 detect this virus reliably. Neither of them is able to disinfect it, though.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 14:28:53 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stealth (PC)

RANKI(Jorge Flores) (jaflores@dcc.uchile.cl) writes:

> Hello, how can I remove the virus "stealth", I found it in
> my computer and I can't remove it with the scan 112.

Uhm, what does SCAN report *exactly*? You see, it calls different viruses like that. For instance:

1) If it reports "Stealth Boot B [GenB]", this is EXE_Bug.Hooker.

2) If it reports "Stealth [Stb]", this is Quox.

3) If it reports "Stealth Boot [Genb]", this is either Stealth_Boot.A or Stealth_Boot.C.

I suspect that you have the second case, because Quox is known to be in the wild. Not sure which scanners can remove it... F-Prot cannot. Maybe IBM Antivirus can. As a last resort, you can always use FDISK/MBR - it should work for this virus.
But first use a better scanner, in order to make sure that it is indeed this virus.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 14:32:52 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Anti-virus? (PC)

VAROJON MORAN (vzmoran@csupomona.edu) writes:

> Can some one tell me what is the easiest and most reliable antivirus
> program that stays in memory and prevents memory resident viruses... I

Dunno how you measure "easiness". Regarding reliability... I am very happy with Guard - the resident scanner in Dr. Solomon's Anti-Virus ToolKit. I am using it myself. However, the product is commercial and you are probably looking for freeware/shareware. If this is the case, try VirStop (from F-Prot) and McAfee's VShield. However, I do not have test data for them and cannot tell you how good they are. Just give them a try and decide yourself.

> thought Ms-dos antivirus would do it but it didn't help me when the
> monkey virus came to my computer...

MSAV is a *very* bad program; don't use it.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 14:44:00 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: help! on michelangelo virus (PC)

Ming-zhou Liu (mjliu@csie.nctu.edu.tw) writes:

> today at my friend's place, I turned on his computer and a strange message
> appears:
> DRIVE FAILURE (or something to that effect, I forgot)
> Put boot disk into drive A
> and press any key...

Yes, this is what happens *after* you reboot a PC the hard disk of which has been destroyed by Michelangelo.

> my question is: the error message above looks like what the michelangelo
> does to the computer?

Yes.

> to disable harddisk completely??

Not completely. The hard disk is still there and works (mechanically). The problem is, it doesn't contain any DOS or boot sectors any more. That's why the BIOS is unable to recognize it and to boot the computer from it, and offers booting from a floppy as an alternative.

> any recovery of data possible??

Very unlikely, and very costly. In short - forget it. Use your backups.

Regards,
Vesselin

------------------------------

Date: Fri, 15 Apr 94 15:04:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VDS questions answered (PC)

Mr. Tarkan Yetiser (tyetiser@umbc.edu) writes:

> >As an example, consider the Omud virus. It sometimes overwrites a
> >random part of the file, without pointing the entry point to itself.
> >The file size doesn't change, the entry point doesn't change. An
> >integrity checker which tries to be too smart will not notice anything
> >- yet if the virus part in the file receives control during the normal
> >execution of the infected program, it will be able to run and infect
> >properly. There are other examples, which are relatively easier to
> Doesn't Omud increase the file size?

It depends.
Usually - yes, it does. However, sometimes (the cases I am referring to in the paragraph quoted above) it simply overwrites some random 512 bytes of the file with its body, without changing the file's length.

> Receives control?

It depends. Usually, it receives control normally, like any other virus (e.g., Vienna). However, in the cases I am talking about, it just hopes that the normal execution flow of the program will pass to the place where the virus is.

> How? Randomly? Hmm,

Yes. It may get control, yet it may not.

> not a virus likely to go too far :-)

It also spreads by usual means. It is, or has been, in the wild in Russia. Granted, the "normal" infections are easily detectable with an integrity checker. The tricky part is to detect *all* infected files. Which leads me to the following idea. If an integrity checker run in "smart" mode detects a change that seems to be caused by a virus, it should automatically switch to "check the whole file" mode.

> It needs to arrange to get control to
> spread well enough. Some very buggy viruses such as this one damage their
> victims. The result is a program that does not function properly and a virus
> that does not spread.

Here is where this virus differs from the others. First of all, if it really happens to receive control, it will manage to properly install in memory and begin to infect. Second, the program infected in this way does not behave unpredictably, like when damaged by the buggy viruses you mentioned. Instead, the program exits to the DOS prompt. No crash, the system continues to work, but the virus is already resident and ready to infect. This particular virus does not display any messages either, but it is trivial to use the same idea and display something like "Insufficient memory", that will fool the user even better.

> >handle - like the Emmie and LeapFrog viruses, which do not modify the
> >file entry point, but the place where this entry point points to.
> An integrity checker should detect this sort of change even in quick mode.
> If not, it is probably just checking the file size, which is NOT enough.

I mean that an integrity checker that checks only (a) the file entry
point, (b) the file date & time and (c) the file attributes will NOT
detect the above viruses, because they do not modify any of those. An
integrity checker that, in addition to the above, also checks the file
size, *will* detect the above viruses. However, as I said, it is trivial
to combine the above ideas (not modifying the file date, time,
attributes, and entry point) with the idea seen in Darth Vader, Lehigh,
and several others, i.e. - not to modify the file size either. The only
way to detect a virus like that with an integrity checker would be to
(a) checksum the whole file or (b) trace the first few instructions and
remember the execution flow, not just the few bytes around the file
entry point. And the second method is much less reliable.

> >True, they also modify the file size, but it is trivial to combine
> >this strategy with something like Darth Vader or any other cavity
> >virus does.

> Strategy? This is a bug in the virus, nothing crafted by design :-)

I am afraid that you do not understand. I am referring to the infection
method that does not modify the file size, and speculated what would
happen if it is combined with the other methods that do not modify the
file's date, time, attributes, and entry point either.

> The bigger
> concern is stealth mechanisms in viruses that work correctly. They can hide

They are just one of the concerns. They can be detected after booting
from a clean diskette. The method I was talking about above cannot -
unless you are checksumming every part of the file.

> On a side note, a "cavity" virus? I think I know what you mean...

I bet you do. Lehigh, Darth Vader, and several others which install
themselves in unused parts of the file without modifying the file's
size.

> But is this
> a new CARO term?

Yes.
We should put it in the FAQ one of these days.

> It's quite fitting. Hmm, I like it; I guess I'll use it too.

I like it too. I'm not the author, BTW.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 15:15:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VDS, compatibility etc. (PC)

Mr. Tarkan Yetiser (tyetiser@umbc.edu) writes:

> >is reasonably good. Its main drawback is its inability to run on some
> >unusual environments, like compressed disks, encrypted partitions,
> >(maybe SCSI drives? dunno, don't have one to test), and so on.

> That is no longer the case, Vesselin. Version 3.0 addressed the compatibility
> issues sufficiently well.

OK, I stand corrected; I should have used more precise language. Here it
is: VDS 3.0j refused to even install on a '386SX notebook computer,
under DR-DOS 6.0 with password disk protection enabled and a hard disk
compressed by SuperStor. Since I remembered that the package used to
have such problems in the past because of incompatibility with
device-driven volumes, I didn't bother to test it any further.

> In 1991, compressed drives were not as common as
> today. After MS-DOS introduced DubiousSpace, that changed quite a bit. In

Yup. If you remember, I told you about two years ago that the
incompatibility with compressed volumes is going to cause you troubles.
I was right. :-) Now, I am telling you to fix the scanner, if you want
to be successful. Do it; you'll see that I am right again.

> VDS 3.0 can even handle Netware volumes
> without getting confused by the dynamic drive mappings.

Well, getting the truename of a networked drive is relatively easy.
Can you handle properly SUBSTed and JOINed drives and a combination of
them? Even DOS itself tends to get confused sometimes if you try to JOIN
a SUBSTed drive...

> For example, how would
> you use a Windows-only anti-virus in the case of an emergency?

Have you seen any? I mean, any Windows-only anti-virus package? All of
them that I have seen also have a DOS version.

> I hope you will be equally generous and put the VDS30 shareware edition on
> your FTP site as well :-) It's on Simtel-20 mirrors.

Has been done a long time ago - at the moment when the announcement came
from the Simtel20 mirror. Available as
ftp.informatik.uni-hamburg.de:/pub/virus/progs/vds30j.zip

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 15:21:33 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus on MS DOS 6.2? (PC)

Paul W. Shew (paul%mahler@uunet.uu.net) writes:

> I posted a report to comp.os.msdos.misc earlier regarding MS DOS 6.2 failed
> to read a diskette infected by Michelangelo virus.

Michelangelo indeed makes the 1.44 Mb diskettes unreadable when it
infects them. It does not infect 720 Kb diskettes. The 5.25" diskettes
should be readable (I think). All this is not dependent on the
particular DOS version.

> I did not encounter other virus after that. I wonder if the version of DOS
> will read a diskette infect with other viruses. Can anyone share his/her
> experience of virus infection from diskette on DOS 6.2 please?

Depends on the virus. Some viruses can make some diskette formats
unreadable after infection. Others do not have this effect.
> If indeed MS DOS 6.2 can never a diskette with boot record damaged/altered
> by any virus, then is it immune to viruses (of course I'm referring to boot
> sector resident viruses)?

No, this is a wrong and dangerous assumption. First of all, not all
viruses have this effect. Second, not all diskette formats are affected
this way. Third, and most important, while unreadable, those infected
diskettes are still infective! That is, if you forget them in the first
physical floppy disk drive of your computer at boot time, the virus on
them will infect the hard disk of the computer.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 16:09:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshi.a (PC)

Mike Mandili (MIKE@felix.lib.csulb.edu) writes:

> Few of our computers got infected with Joshi I tried exe
> (March 14 release) I tried f-prot (newest) they did not get rid of
> the virus.

That's bizarre; F-Prot should be able to disinfect both Joshi.A and
Joshi.B.

> I delete the partition and

Deleting the partition does not help, because it does not modify the
code part of the MBR, where the virus resides.

> low level format on one of
> the computer and I still have the virus.

Low level formatting is *never* necessary and sometimes dangerous.
Besides, if not done properly, it will get rid of everything but the
virus. As has, obviously, happened in your case.

> Every time I check for virus
> clean will tell me that there is Joshi virus on your partition table
> clean is unable to get rid of the virus!!!!

Clean? I thought that you are using F-Prot? Could it be a different
virus that CLEAN misidentifies?
What does F-Prot say exactly?

> Does anyone have any suggestions or has anyone run into the same
> problem? please help. Thank you for all your help.

A note of caution. Joshi is a stealth virus, so don't forget to *cold*
boot from an uninfected write-protected system diskette. I emphasized
the word "cold", because on many combinations of computers and users
Joshi is able to survive a warm reboot. That's why, don't simply press
Alt-Ctrl-Del, but either turn your computer off and then on again, or
use the Reset button, if your machine has one.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 16:13:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Form.A (PC)

Jeffrey Rice - Pomona College, California. (jrice@pomona.claremont.edu) writes:

> I'm looking for information about this virus.

Look in our Computer Virus Catalog. Look in the FAQ for information
about how to get it.

> I know it's a boot
> infector, but am unsure of its length. Some sources (McAfee) say 512bytes,
> some (Vsum) seem to say 3072. How long is it?

Forget about McAfee, forget about Vsum. The virus consists of two parts.
The first part replaces the boot sector and is 512 bytes long. The
second part consists of the original boot sector (512 bytes) and one
additional sector with virus code (and some messages, he-he) - this is
another 512 bytes. On floppy disks, this second part occupies one
cluster marked as bad. On hard disks, it simply overwrites the last two
sectors. BTW, where in VSUM did you find the information that the virus
is 3072 bytes long?

> And what parts of the MBR does
> it infect?

None. It's a DBS infector.
> Does it affect the FAT or any other parts?

Yes. FAT: it marks one cluster as bad on floppies. Other parts: it
overwrites the last sectors of the active partition on the hard disk,
possibly destroying something that is already there (i.e., a file).

> I am referring to floppy
> disks, not hard disks, if that makes a difference.

Yes, it does make a difference; see above.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 16:23:31 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey/Telecom Virus (PC)

Brandon Paul Lai (bl2n+@andrew.cmu.edu) writes:

> I have a Monkey/Telecom virus on my PC computer.

Do you have Monkey or Telecom or both? Those are two different viruses.

> I can't seem to get
> rid of it. I've tried formatting the entire hard drive.

With FORMAT.COM, right? It doesn't work, both viruses infect the MBR,
which FORMAT.COM doesn't touch.

> I've also used
> Fprot, CPAV, NAV and various other software.

That's strange, F-Prot should be able to handle both Monkey and Telecom
properly... Ooops, no I am wrong - F-Prot cannot disinfect Telecom.

> The virus does not go away!! I think it may have destroyed the
> MASTER BOOT RECORD.

Quite possible. An improper attempt to remove Monkey can screw up your
MBR, if you do not know exactly what you are doing. For instance, if
you have tried FDISK/MBR, that could have done it (the screw up, I mean,
could be caused by this).

> Also, I have to boot the drive with a floppy, and the drive only
> works if the bootable floppy has the virus. If the bootable floppy does
> not have the virus, the hard drive does not get recognized.

Yep, typical for Monkey.
> My next idea would be a low level format. I don't know how to do
> this, or if it would work.

Don't. It will work, but is not necessary and can be dangerous for some
disk drives. If you don't care about the contents of your hard disk, do
the following: Boot from DOS 5.0 or above (uninfected write-protected
system diskette and all that) and run FDISK/MBR. Then start FDISK again,
without any options, and recreate the partition(s). Then format the DOS
partition(s) with FORMAT. That will do it.

If you want to preserve the information on your hard disk, I suggest
that you contact a data recovery expert. Probably only the MBR of your
hard disk is damaged and the original is stored by the virus in
encrypted form somewhere else, so it can be retrieved, but you should
better get some experienced person to do it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 15 Apr 94 17:39:43 -0400
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: No PC viruses on 3.5" disks? (PC)

Mike Bogdan (Mbogdan@msu.edu) wrote:
: Hi,
: I was wondering if someone could explain here how PC viruses work. Can
: PC viruses be transmitted via network? Can they be carried on a 3.5"
: disk? I was told that PC viruses can only be transferred via 5.25" disks
: and I shouldn't worry about it too much.
: Thanks for the help. Or point me towards a FAQ please.

Viruses can be transferred by a network, as well as both forms of disk.
For disks, they can be both file infectors, and merely have a copy of an
infected file, or the boot sector could become infected. A lot of
viruses tweak and crash on 3.5" media, but there are others that work.
On a network, you could quite easily execute an infected file, or copy
an infected file and spread the virus.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 30]
*****************************************
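The integrity-checker point Vesselin Bontchev makes in the "VDS questions answered" exchange above (a "smart" quick check of size, date/time, attributes and the bytes at the entry point cannot see an in-place overwrite that changes none of them, only a whole-file checksum can; and a checker that does notice a virus-like change should switch itself to whole-file mode for the rest of the run), worked as an added Python example. This is not code from VIRUS-L, from VDS or from any other product named in the digest; the two sample "programs", their contents, the 16-byte entry-point window and the in-place overwrite helper are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Quick mode looks only at cheap attributes plus a short window at the
# start of the file, standing in for "the few bytes around the entry
# point". The window size is an assumption made for this example.
ENTRY_WINDOW = 16


@dataclass(frozen=True)
class QuickRecord:
    size: int
    mtime_ns: int
    mode: int       # permission/attribute bits from stat()
    entry: bytes    # first ENTRY_WINDOW bytes of the file


@dataclass(frozen=True)
class Record:
    quick: QuickRecord
    digest: str     # SHA-256 over the whole file


def quick_record(path):
    st = os.stat(path)
    with open(path, "rb") as f:
        return QuickRecord(st.st_size, st.st_mtime_ns, st.st_mode,
                           f.read(ENTRY_WINDOW))


def full_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Build the integrity database from files believed to be clean."""
    return {p: Record(quick_record(p), full_digest(p)) for p in paths}


def check(db, mode="smart"):
    """Compare the files in db against their stored records.

    'full' checksums every file. 'smart' compares quick records first and,
    as soon as one file looks modified, switches the whole run to full
    mode: once a virus-like change has been seen, the cheap attributes can
    no longer be trusted for the remaining files.
    Returns (mode actually used, {path: "ok" | "changed"}).
    """
    if mode not in ("smart", "full"):
        raise ValueError(mode)
    escalate = mode == "full"
    verdicts = {}
    if not escalate:
        for path, rec in db.items():
            changed = quick_record(path) != rec.quick
            verdicts[path] = "changed" if changed else "ok"
            escalate = escalate or changed
    if escalate:
        for path, rec in db.items():
            verdicts[path] = "ok" if full_digest(path) == rec.digest else "changed"
        return "full", verdicts
    return "smart", verdicts


def overwrite_in_place(path, offset, data):
    """Constructed test helper: change bytes in the middle of a file while
    keeping its size, leading bytes, attributes and timestamps intact, i.e.
    exactly the kind of change the thread says quick mode cannot see."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Run three scenarios on two constructed files. Returns the results
    keyed by scenario name, with verdicts keyed by file name."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "A.COM"), os.path.join(d, "B.COM")
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(b"\xe9\x00\x01" + bytes(range(256)) * 8)  # constructed bytes
    db = snapshot([a, b])

    def named(result):
        mode, v = result
        return mode, {os.path.basename(k): val for k, val in v.items()}

    # 1. only an in-place change deep inside B: every quick attribute still matches
    overwrite_in_place(b, 700, b"\x90" * 64)
    quick_miss = named(check(db, "smart"))
    full_catch = named(check(db, "full"))
    # 2. an ordinary size-changing modification of A as well: smart mode
    #    notices A, escalates to whole-file mode and now catches B too
    with open(a, "ab") as f:
        f.write(b"\x00" * 100)
    escalated = named(check(db, "smart"))
    return {"smart_only_cavity": quick_miss,
            "full_only_cavity": full_catch,
            "smart_escalated": escalated}


if __name__ == "__main__":
    for name, (mode, verdicts) in demo().items():
        print(f"{name}: mode={mode} {verdicts}")
```

The first scenario is the gap described in the thread: B is reported "ok" in smart mode and "changed" only in full mode. The second scenario shows the proposed fix: one obviously changed file flips the whole run into whole-file mode, so the quiet change in B is reported as well. The price is the one the thread implies, namely that full mode reads every byte of every file, which is why it is worth running only when something already looks wrong or when the scan is started from a clean boot diskette.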