VIRUS-L Digest   Tuesday, 10 May 1994    Volume 7 : Issue 31

Today's Topics:

Scanning ZIP files.
Virus in USA-Internet
Re: Number of viruses on non-PC machines
The virus Hyperbole
Book Review
Re: NT viruses? (NT)
a look at os2scan v 111 (OS/2)
Tequila & 2803 (PC)
new virus? (PC)
Parity boot virus! Any help? (PC)
RE VIRUSES on 3.5 disks (PC)
XPEH-2 (PC)
regularly updated virus protection (PC)
RE: VIRUS-L Digest V7 !27 - Mushroom (PC)
New MS-DOS Virus? (THE HAVOC VIRUS) (PC)
Re: No PC viruses on 3.5" disks? (PC)
HDZap trojan (PC)
Re: WinWord 6.0a (PC)
Re: MS-DOS 6.x Anti-Virus (PC)
Please let me know N.O.B (PC)
McAfee-Clean-Blues (PC)
Re: MSAV signature files via *any* download (Q) (PC)
virus file on several ftp sites (PC)
Re: WinWord 6.0a - Virus ??? (PC)
Suspicious boot sector (PC)
HI!!!!! Monkey and Monkey2 Viruses!!! (PC)
Info on Tequila Virus (PC)
The LZR virus (PC)
Win 3.11 + F-Prot 2.11 for Win = False Alarm?! (PC)
New(?) Stoned Variant (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 16 Apr 94 19:10:10 -0400
From: e_duda@oz.plymouth.edu (Eric T. Duda)
Subject: Scanning ZIP files.

Does anyone know whether, when you scan a ZIP file, the virus scanner
will pick up a virus if there was one in the EXE program that was in
the ZIP file? Can someone send me some info on this or post it.
Thanks.

E-mail address = e_duda@oz.plymouth.edu

------------------------------

Date: Sun, 17 Apr 94 02:05:33 -0400
From: vweiss@sun3.oulu.fi (Viktor Weisshaupl)
Subject: Virus in USA-Internet

Yesterday in the Finnish TV news there was a short story about problems
with viruses on the US Internet which get access to parts of systems
where they actually should not have access. Does anybody know anything
more detailed?

Regards, Viktor

Viktor Weisshaupl | Viktor.Weisshaupl@oulu.fi
Oulu University,  | vweiss@cc.oulu.fi
Oulu, Finland     |

------------------------------

Date: Tue, 19 Apr 94 13:06:44 -0400
From: vogler@rzddec2.informatik.uni-hamburg.de (Jens Vogler)
Subject: Re: Number of viruses on non-PC machines

mikko.hypponen@df.elma.fi wrote:

[...]

>Apple Macintosh: 18 (around 50 with all variants?)

Exactly: 47 are known at the moment (including all variants)

>Commodore Amiga: more than 100

almost 500 (still growing :-( )

>Acorn Archimedes: 84 (according to a recent article in VB)

? unknown to me, I think about 40 (well, that's what I heard) ?

>Atari ST series: 20

20 viruses are known to me, too.

>HP-48: 5

?? viruses on a HP-48 ??

>UNIX: 3

Exactly: 2 viruses and 1 worm.

>Commodore 64: 2

Well, I just heard of one.

>Any others?

Yes:
- MVS   2 chain letters
- VMS   1 worm
- OS/2  2 viruses

Yours (etc.)
ABert

--
/* We were together, I have forgotten the rest.  (Walt Whitman) */
/* Yours ...                                                    */
/* Jens Vogler                                                  */
/* vogler@informatik.uni-hamburg.de                             */
/* Amiga Gruppe - Virus Test Center - Uni Hamburg               */

------------------------------

Date: Wed, 20 Apr 94 22:58:13 -0400
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: The virus Hyperbole

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>> It is common knowledge that virus infection and 'damage' figures
>> are way out of proportion to scare users and sell more AV software.

>Is it? Care to provide some hard evidence?

Here is some info directed to you and others who have posted about the
statement about the truthfulness of the "virus scare".

Take the following SYMANTEC advertisement that appeared in various
magazines such as INFOWORLD:

"Computer viruses. Perhaps the most misunderstood computer security
issue in America today. Throughout the mid-80's and early 90's, the
computer and business press were filled with horror stories about
viruses and the dreaded possibility that one day a "killer virus" would
bring America's critical computer networks crashing down. The fear rose
and escalated until it peaked with the announcement that the
Michelangelo virus would race across America's networks overwriting
hundreds of thousands of hard drives. Then, nothing happened.
Michelangelo turned up on the national news but just about nowhere
else. People began to dismiss viruses as hype. The media and MIS turned
to other issues. But while the "killer virus" may be a myth, the virus
danger is not.
Despite their dark, Doomsday mythology, virus attacks are most likely
to be small-scale, discrete infections that on the surface merely
disrupt operations."

For anyone who doubts the exactness of the words quoted above, refer to
INFOWORLD Volume #16 issue #13, pages 38-39.

It is also worthwhile to note that the 2-page advertisement contains
full-color drawings of the Predator virus (bearing the likeness of the
"Predator" movie alien) and the Satan-Bug virus. If these nationally
published drawings are not a glorification of the deeds of virus writer
Priest / Little-Loc, I don't know what is.

To anyone who has the audacity or the mental inability to see that
viruses are big business, I can provide more information on hype
advertising and campaigns of fear.

>With all my respect to Dr. Stang, some of our students who have
>attended his speech on computer viruses at the Hannover Computer Fair
>have reported it to be total nonsense, so I would take anything technical
>he says on this subject with a pinch of salt. Especially when it is
>reported by third parties known to be virus writers. :-)

To anyone who doubts that the David Stang quote was true I will provide
photocopies of the article and the cover of the magazine in which it
appeared, on request. This is a more honest proof of the integrity of
the information I am providing than the nonsensical and biased
criticisms I am quoting.

>> You say 'There is no such thing as a good virus in the wild'
>> Prove it!

>Don't they teach you basic logic in your country? Haven't you ever
>heard that it is always difficult (and often impossible) to prove a
>negative? *You* claim that there is such a thing as a good virus,
>*you* prove it. It should be much easier.

KOH is a good virus. I know the so-called "researchers" try to ignore
it on purpose. KOH is a good virus; it is a beneficial virus.
Proofs to the contrary are yet to be seen, even if "negatives are
harder to prove" :)

ktark@src4src.linet.org

------------------------------

Date: Mon, 18 Apr 94 12:51:02 -0400
From: jaf@jaflrn.morse.net (Jon Freivald)
Subject: Book Review

A Short Course on Computer Viruses, 2nd Ed (a book review)
by Jon Freivald
------------------------------------------

Dr. Frederick B. Cohen offers a one-day course for those companies and
individuals who recognize the need to understand viruses before
effective measures can be taken against them. He has just released the
second edition of his book, which is based on the contents of this
course, titled "A Short Course on Computer Viruses, Second Edition"
(John Wiley & Sons, Inc.; ISBN 0-471-00769-2 [book/disk], 0-471-00768-4
[book], and 0-471-00770-6 [disk]).

Dr. Cohen targets this book at anyone who uses computers on a
day-to-day basis, especially those who are responsible for their proper
operation. While there is some math that I had to wrestle with to
follow Dr. Cohen's thoughts (due to my lack of any mathematics
background beyond high school algebra), most of the book is very easy
to read, non-technical English, with clear and easy-to-follow examples.
Dr. Cohen has a subtle, wry sense of humor that makes the book much
more enjoyable reading than a typical technical or scientific text.

The topics covered range from the basics, such as "what is a virus",
through both technical and non-technical defenses, strategy and
tactics, and even the specific results of tests done on network
security settings. Methods of determining the actual cost of technical
defenses are also presented. He also contrasts such items as secrecy
versus integrity and contamination versus exposure. Numerous scenarios
are explored and explained, showing both strengths and weaknesses.
Some of the mathematics and mathematical "English" (user U-sub-1 runs
program P-sub-1 that is infected with virus V-sub-1 at time T-sub-1)
will give many readers trouble, and indeed, the book opens with an
11-line mathematical definition of a virus. The sections on exposure
and cost analysis are also heavily mathematical. This does not,
however, detract from the value of the rest of the book, which is
extremely readable. Many of the clear, real-world examples are ideal
for use as answers when my users ask "Why?" The section on inadvertent
compromise between peer networks was definitely an eye opener!

While I thought myself much more knowledgeable about viruses than the
"average" system administrator (yet by no means an expert), I found
this book extremely helpful and fascinating reading. It presented the
issues in practical ways that I had not considered and has broadened my
understanding of what we are up against (and it scares me...).

"A Short Course on Computer Viruses" should be MUST reading for
everyone from information security managers, auditors, and network
administrators all the way to end users and home computer users. I am
making it required reading in my shop!

Dr. Cohen's book is 250 pages, including appendices, a "Good Joke", and
an excellent annotated bibliography. The optional disk is a subset of
Dr. Cohen's Integrity Toolkit and a number of cost analysis tools (a
coupon is included in the book to order it separately). I have already
found the disk quite helpful in dealing with our "bean counters."

A Short Course on Computer Viruses is available from fine bookstores
everywhere, or directly from:

John Wiley & Sons, Inc.
605 Third Avenue
New York, NY 10158
1-800-CALL-WILEY

The price is $34.95 for the book, $44.95 for the book/disk set (they
pay postage and handling on check and credit card orders). Quantity
discounts are available.

--
Jon Freivald ( jaf@jaflrn.Morse.Net )
PGP V2 - 22A829/40 DA 9E 8E C0 A1 59 B2 46 3B 73 81 2B 7B 83 1F
Nothing is impossible for the man who doesn't have to do it.

------------------------------

Date: Sat, 16 Apr 94 08:53:50 -0400
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: NT viruses? (NT)

Craig Williamson writes:

>Have there been any NT viruses yet?

No.

> As we consider moving to NT or
> Chicago as our OS, I wonder about DOS viruses causing problems and how
> we can find and fix them in that environment. Since DOS is not going
> to be in Chicago or Daytona (the next release of NT) how much of a
> problem could it be?

As long as you are running on an 80x86- or Pentium-based PC you will
always be vulnerable to boot viruses, as they execute before the OS is
loaded. They will not spread well on a Windows NT system, but they
might do great damage. Like overwriting your 500MB NTFS partition on a
particular date, or other unfortunate actions. Windows NT will not do
much to prevent this, and will not detect such viruses.

To get rid of a boot infector on a Windows NT system is not the easiest
task in the world. Doing it from within NT itself is even harder, as NT
does not permit reading and writing of sectors. Today you have the
choice of booting your machine from a floppy with another operating
system on it, or performing the virus detection/removal before NT
enters protected mode. I've considered writing some anti-viral for this
system, but there are simply not enough people using it (yet?).

There are other problems involved with disinfection as well. E.g., when
using Flexboot to choose between Windows NT and another OS.

As for file viruses, I don't know.

Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 18 Apr 94 04:37:25 -0400
From:
Subject: a look at os2scan v 111 (OS/2)

Hi all,

some weeks ago I took a close look at OS2SCAN and OS2CLEAN V111.
Finally I managed to mail it :) Some problems appear with the
DOS versions too.
My OS is now V2.1 with
  MMPM/2 V1.10  CSD UN00000
  GRE   V2.10   CSD XRG2010
  OS    V2.10   CSD XRG2010

Hardware is a 486DX/33 with 16MB RAM, 1 3.5" floppy, 2 physical HDs and
1 Mitsumi FX001D CD-ROM drive. The HDs are all HPFS-formatted. HD #1
has a Boot Manager partition, 1 partition for the OS (C:) and a 5MB
servicing partition (D:). HD #2 is 1 partition (E:).

scanv111:

The DOS version (running on a real DOS machine) hangs when scanning
networked drives. Running through a NetWare 4.01 server volume
produces, after a while of scanning, about 3 lines of garbage on the
screen and hangs the PC. /M does not show any activity. If there is
one, the user can't see it. I suspect there is none, as it brings up
the help pages. This was tested on another DOS 5.0 PC with network
access.

os2val.exe:

There seems to be a problem with the dates. Whatever date the docs
reflect, os2val prints the file's actual date. I used Info-ZIP's UNZIP
V5.0. Finally a listing of the archive showed the true dates and that
os2val.exe is from 1993, not 1992 as written in os2val.doc.

oscn111.doc:

WHAT'S NEW (V106 RELEASE) - error in version number (line 113).

Scanning with /AD scans my CD-ROM drive too. Nice. But it tells me that
it can't find a boot sector. I would have been surprised if there was
one, as not even UNIX systems can boot from a CD. This should be
corrected, as it will confuse users and (though I don't know) the
program certainly can find out which type of media it is scanning. I
wonder what would happen if clean tries to do its job on a CD :) I
know, it tells the user that it can't write to this drive and skips it.

os2scan.exe:

Does /AD scan the BMP too? At least I found no evidence while the scan
was run.

Another problem came up when I ran OS2SCAN /AD /DATE.
Drive C: was scanned pretty fast (1165 files in 63 directories) and
then, during scanning of drive D:, it slowed down terribly while it
scanned GammaTech's utilities, and when it came to D:\OS2\KBD01.SYS it
scanned for 1 minute (+-) and gave up with the message:

  Sorry, an impossible internal error occurred, the error code is
  14277.64851

:( GammaTech's analyze utility found 2 errors (1 sector not found and 1
CRC error). However, this is no reason for a scanner to give up and
stop execution. If there was a real large volume with one error at the
beginning, the user would not be able to scan the remaining, say, 90%.

The switch /DATE has remained a miracle for several versions. Though
the docs say that os2scan e: /date should create a 0-byte file named
scanval.val, I never found such a thing anywhere on drive E:. Not even
dir e:\*val /S found any file matching this simple pattern.

The problem with the *.ini seems to persist. Still the command-line
switches don't override the saved options, but the program runs all
options from within the *.ini and then performs all tasks requested on
the command line. Therefore, if you saved the switch /AD and run the
program with options "d: /AF" on the command line, drive d: will be
scanned twice and during the second scan the validation data will be
created. This could have been done already while /AD was run.

On the other hand a good thing: running scan afterwards with options
"/CF drive_d.valid_code" was intelligent enough to use the validation
data during the complete scan only for drive d:, although this was not
made clear by the user. :)

Running Scan with option /AG on drive D: resulted in a surprising
output: sorry I can not open ... (many system files). Drive D: is
bootable for servicing purposes. However, they were not in use at this
time and therefore they should have been perfectly accessible. A more
thorough check brought up that these files are READONLY.
It would have been fine if the program had looked for such a relatively
simple possibility, which is no protection from viruses, and notified
the user about this circumstance. Maybe the program could offer to
modify the files and restore the flags afterward. Just like a virus :).
So it is once again up to the user to fiddle with his (OS) data.

After I had modified REXX.DLL at relative sector 21 (REXXAPI was
changed to REYYAPI) option /CG detected the change. However, after
undoing the change the file was still reported as changed. This is
probably due to the change of the file's date. This makes it obvious
that it is always a problem to use self-modifying programs and any kind
of integrity-checking software, if it does not check the file's
checksum and the file's datestamp separately. Running a kind of "touch"
command on files with checksums will produce unnecessary false
positives.

Trying to CLEAN the (restored) file with the /GENERIC option resulted
in the offer to overwrite and delete the file. This is definitely not
what I wanted.

Option /CV found the same modification after I had removed the
validation code with /RG and reapplied /AV. However, it obviously does
not check for changed file dates, whereas /CG is triggered on every
file where only the datestamp has been modified. The user should be
notified that only the datestamp has been altered.

ocln111.exe:

I used a random virus name from virlist.txt. [1392]. clean told me that
it does not know anything about this virus. Aren't the names in
brackets in virlist.txt those that scan and clean refer to? I found
this to be true for some other names too (1049, 1436, 1210, 1559,
1475x, 1677). Is there a problem with virlist.txt or with clean? The
most promising explanation is that the names were changed but not
updated in virlist.txt, and therefore it seems to be a "marketing list"
showing more viruses for the unsuspecting user.
The test for the DOS Clean with the bytes to make clean.exe clean off a
JERU-A infection shows the same damaging results with OS2CLEAN V111. A
file (OS2VAL.EXE) was copied to CRAP.EXE, which was modified by
appending Vesselin's bytes after the last non-zero byte. The file still
had a length of 37168 bytes. After OS2CLEAN had reported that the
infection had been removed, the new file size was 64(!) bytes.... This
is really clean ;) I must check whether this works for version 113,
too.

Conclusion:

The McAfee anti-virus suite may be one of the oldest on the market, but
it has one of the oldest and most outdated user interfaces, too. The
program still gives very few details about what it found, thus causing
too many troubles for the average user, who is left in the dark about
what is causing the alarm. If we take the time it took to bring it to
Windows, we may expect a genuine OS/2 user interface sometime around
2000.

What I'm still missing is something like GammaTech's Sentry, which
controls the boot sectors of all drives and locks the most important
system files and user-defined files against write access.

Greetings from rainy AUSTRIA,
Alfred

--
Geological Survey, Austria
jilka@gbaws4.zamg.ac.at
Phone: +43/222/712-56-74/85
Fax:   +43/222/712-56-74/56
! Enjoy life, you'll be dead long enough !

------------------------------

Date: Sat, 16 Apr 94 16:24:11 -0400
From: SCUT024@TWNMOE10.edu.tw
Subject: Tequila & 2803 (PC)

We have recently picked up two viruses identified by McAfee SCAN as
Tequila and 2803. Neither could be removed with CLEAN. Can anyone
supply any information on these viruses and any programs which can
remove them? Is F-Prot available anywhere by ftp? Many thanks.
David Steelman
scut024@twnmoe10.edu.tw

------------------------------

Date: Sun, 17 Apr 94 02:58:47 -0400
From: cmerrifi@nyx.cs.du.edu (Conrad Merrifield)
Subject: new virus? (PC)

I was wondering if there was a new virus or something? I download quite
a bit and I have never got a virus, but just lately my B drive (3.5")
is not working. It is saying that all files on it are bad. I have tried
quite a few programs to see if they could pick it up and I have run
F-Prot and nothing. Some just say error. If it is not an error then
what the hell is it? It is not like I move my comp.; it just sits in
one spot and gathers dust. Could you please e-mail me as I don't
normally read this news group.

cmerrifi@nyx.cs.du.edu

------------------------------

Date: Sun, 17 Apr 94 08:30:05 -0400
From: na145@fim.uni-erlangen.de (Joerg Platzer)
Subject: Parity boot virus! Any help? (PC)

Hi there!

Not having found any help in the FAQ here about my viral problem, I
thought I might find help by posting this here:

A friend's PC has given him trouble for a while; a virus could not be
detected. Now we have completely formatted the hard disk and installed
the new Novell/DR-DOS 7.0. Boot problems still occurred and we searched
for viruses again. Central Point 8.0 does not detect anything.
Novell/DR-DOS 7.0 detects a 'parity boot virus (B)', but neither states
where it is nor destroys it.

Does anybody have experience with this particular virus? Where could it
be, as it is still there after formatting the hard disk? Is there any
virus scanner that can detect *and* destroy it?

Any help appreciated, either here or via e-mail.
Thanks in advance,
Joerg

--
Joerg Platzer
na145@fim.uni-erlangen.de (preferred)
100115,3050@compuserve.com
* It's a long way to go when you don't know where you're going *

------------------------------

Date: Sun, 17 Apr 94 19:13:12 -0400
From: Dan Nguyen
Subject: RE VIRUSES on 3.5 disks (PC)

I think they can be transmitted through any kind of disk that has files
that are infected, which will then infect other computers that the
files come in contact with.

---
dann1@chop.isca.uiowa

------------------------------

Date: Sun, 17 Apr 94 19:34:43 -0400
From: hiscrp@leonis.nus.sg (C R Pennell)
Subject: XPEH-2 (PC)

My next-door neighbour got herself infected with this little darling
over the weekend. Her son noticed it and came round. He'd been running
the Windows-supplied anti-virus which did not show it up. When I ran
V-Scan (McAfee) it showed up the first time and then did not show the
second time. Does it hide?

My neighbour was out so I said to turn off until she came back and we
found out what it was - I didn't want to start cleaning until I knew
what files she might lose. Her son forgot to turn off. The effects were
interesting. XPEH, in a few hours [!] spread happily, jumping from
directory to directory. It was, however, selective. It picked up EXE
and COM files but only some in each directory. It looked as though it
was set up to jump into as many directories as possible and THEN spread
downwards through them. Does this make sense?

Her son probably picked it up off a game program swapped with a friend.
She is now talking about wiping all his game programs, which seems a
bit drastic - but he had been warned not to swap without scanning. My
son, who is a close friend of his, now understands why I insist on
scanning everything through the main menu system in the university!

The University file credits XPEH with "Eastern Europe"; any more
details on this? Anyway we have it in Singapore. Yuck.
Richard Pennell
History NUS
hiscrp@leonis.nus.sg

------------------------------

Date: Mon, 18 Apr 94 08:41:57 -0400
From: pdowman@uoguelph.ca (Paul Dowman)
Subject: regularly updated virus protection (PC)

Could anybody recommend which PC virus program is updated most
regularly and is most reliable? I'd like a scan program as well as
something which could be running all the time to detect virus activity
before anything gets infected.

Thanks.

------------------------------

Date: Mon, 18 Apr 94 11:11:25 -0400
From: "Derek Cotton"
Subject: RE: VIRUS-L Digest V7 !27 - Mushroom (PC)

Thom Odell ( guest06@mtholyoke.edu ) wrote:-

> I am wondering if an audio program called mush.com and its associated
> file mushroom.ovl is some sort of virus?

If it is the same as I have, no.

MUSHROOM COM     20480  24-06-88   2:03a
MUSHROOM OVL    267888  24-06-88   1:47a

> I acquired a Grid 286 laptop recently with these files in c:\util along
> side Norton Commander files.
>
> when executed, it "sings" an unintelligible song using PC speaker, which
> on this laptop is a piezo transducer so I cannot understand what it
> "says". Naturally I am unwilling to put it on my desktop to find out...

It is an excellent example of what sounds can be produced from the
small loudspeaker fitted in most PCs. It is a 30-second sound "clip"
from an advert that certainly appeared on British TV for "Magic
Mushroom" air-fresheners; it has obviously been created using some
sound sampling technique, and the result on some PCs is quite
astounding. I don't know where this originated, but I suspect it's
British. I acquired a copy some years ago, and have had it on my PC
ever since.

Regards - Derek

-------------------------------------------------------------
Derek Cotton            Facility Code UNKMCH
Control Data Ltd.
Errwood Park House      Phone : +44-61-443-1429
Crossley Road
Manchester M19 2SH      Internet : D.Cotton@cdl.cdc.com
UK
-------------------------------------------------------------

------------------------------

Date: Mon, 18 Apr 94 17:02:28 -0400
From: ghansen@silver.sdsmt.edu (Gary Hansen)
Subject: New MS-DOS Virus? (THE HAVOC VIRUS) (PC)

Has anybody heard of an MS-DOS virus that has a signature (in ASCII) of
"THE HAVOC VIRUS"? We have an infection on our campus. It appears to
wreak havoc (no pun intended) with the file allocation tables. It
refuses to let you save a file (MS Word files in particular) until
after you have deleted over half of the file. Leaves its signature all
over the place. None of the usual products seem to detect it.

Any thoughts or suggestions for addressing this problem would be
appreciated.

Gary

---------------------------------------------------------------------------
Gary Hansen                          ghansen@silver.sdsmt.edu
Computing & Networking Services      SD School of Mines & Technology
---------------------------------------------------------------------------

------------------------------

Date: Mon, 18 Apr 94 17:23:54 -0400
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: No PC viruses on 3.5" disks? (PC)

Mike Bogdan (Mbogdan@msu.edu) asks all:

> Hi,
> I was wondering if someone could explain here how PC viruses work.

It's a little complex to explain to you in 2 or 3 lines, but in short a
virus is a program with TSR capabilities (sometimes) that tries to
REPLICATE ITSELF in other files: executable files, like .EXE or .COM.
Other kinds of virus could attack boot sectors, partitions, FAT, etc.

> Can PC viruses be transmitted via network?

Do you refer to the Internet or a LAN?

> Can they be carried on a 3.5" disk?

Yes!, or 5.25". If you have .EXE or .COM files on the disk they could
be affected by a virus. Or, a boot virus could infect it.

> Thanks for the help.

Don't mention it!
Ruben Arias

------------------------------------------------------------------------------
Ruben Mario Arias
E-mail: ruben@ralp.satlink.net
Buenos Aires, ARGENTINA.
------------------------------------------------------------------------------

------------------------------

Date: Tue, 19 Apr 94 02:22:42 -0400
From: "Roger Riordan"
Subject: HDZap trojan (PC)

When PC users in Australia returned from the Easter break and turned on
their PCs, a substantial number received a nasty shock when the PCs
refused to start. When their support staff investigated they found that
the CMOS setup had been corrupted, and the start of the hard disk
appeared to have been overwritten with garbage.

Several customers contacted us, and when we investigated we eventually
discovered that the Melbourne firm IPEX had been shipping PCs in which
the DOS boot sector on the hard disk contained a time bomb, set to
trigger five months after the PC was formatted, and the DOS program
FORMAT.COM contained a trojan, which wrote the time bomb to every disk
formatted using it.

In the trojan version of FORMAT.COM a time bomb has been inserted into
the boot image which is written to each disk during formatting, and the
start of the program has been replaced with a jump to a very short
program which reads the date from the system clock, and adds five
months to it to get the trigger date. The trojan plugs this into the
boot image, and then lets FORMAT run normally. The trojan has been
written over part of the Microsoft copyright notice, and the time bomb
replaces the normal disk error messages in the boot sector.

In corrupted DOS boot sectors the normal initial jump to the boot
program has been replaced with a jump to a primitive, but very
effective, time bomb. Each time the PC is booted from an infected disk
(either floppy or hard disk) this reads the date from the CMOS clock.
If this is five months or more from the date on which the disk was
formatted, the low byte of the timer tick counter is read. Depending on
the value returned there is a one in four probability that the first
128 sectors of the hard disk will be overwritten, and the hard disk
type in the CMOS set to zero. There is another one in four probability
that just the CMOS will be zeroed. If any of these conditions are not
met the program will jump to the normal boot procedure.

It has been established that something like 15,000 potentially
corrupted PCs had been supplied to schools, government departments, and
firms throughout Australia. The time bomb is believed to have been
triggered on something like one hundred PCs. Many copies of the
affected FORMAT.COM have been distributed, and in some schools these
have been loaded onto the utilities directory on the file server so
that nearly all disks formatted in those schools will contain the time
bomb. Thus there will be a large number of potentially dangerous floppy
disks circulating among users, and as these could destroy the data on
any PC in which they are used they will continue to pose a threat to
Australian PC users for some time to come.

The IPEX management believes that the trojan was introduced on a master
disk delivered from Singapore. There is as yet no independent evidence
to corroborate this, but if it is in fact true it seems unlikely that
the problem will be confined to Australia. It would therefore be
prudent to keep an eye out for this trojan.

We have not found any pre-existing AV software which will detect the
trojan, but it can be easily detected with debug or any hex editor. A
good copy of Format.com will have a Microsoft copyright notice
containing the words "Licensed Material ..", and a boot sector image
including the messages "Non system disk or disk error ...". In the
trojan both these have been overwritten.
A good DOS boot sector will contain the same messages at the end, and again they are missing from the trojan version. The DOS boot sector can be viewed with DEBUG, using the sequence

    C:> debug
    -l0 2 0 1
    -d180
    .... dump of the end of the boot sector will follow ...
    -q

To view a floppy boot sector use "l0 0 0 1" for drive A or "l0 1 0 1" for drive B. (This sequence means Load at address 0, from drive 2 (ie C), starting with sector 0, one sector; then Display 128 bytes, starting at address 180h.)

The SYS command will remove the time bomb from corrupted (floppy or hard) disk DOS boot sectors.

Please let us know if you find any copies of this trojan outside Australia.

VET 7.63 identifies the trojan as Hdzap Trojan. VET will detect both floppy and hard disk boot sectors containing the time bomb. It will remove the trojan from floppies, but cannot remove it from hard disks. VET 7.63 will also detect and delete infected copies of FORMAT.COM. VET_RES 7.63 will detect floppy disks containing the time bomb, and will either replace the corrupted boot sector or block access to the disk.

Roger Riordan
Managing Director.

HDZAP (IPEX) Trojan. Comparison of good & corrupt Format.com
(The listings are DEBUG dumps.)

A. Directory Listing

i. Good DOS 5 Format.com
    FORMAT   COM   32911  09-04-91  5:00a

ii. Bad Format.com
    FORMAT   COM   33024  10-03-93  6:00a

B. Microsoft Copyright Notice

i. Good DOS 5 Format.com
    2323:07E0  FF FF FF 00 00 00 00 00-00 00 0D 0A 00 00 00 00   ................
    2323:07F0  00 0A 00 14 00 B2 24 41-00 B0 4D 53 20 44 4F 53   ......$A..MS DOS
    2323:0800  20 56 65 72 73 69 6F 6E-20 35 2E 30 30 20 28 43    Version 5.00 (C
    2323:0810  29 43 6F 70 79 72 69 67-68 74 20 31 39 38 31 2D   )Copyright 1981-
    2323:0820  31 39 39 31 20 4D 69 63-72 6F 73 6F 66 74 20 43   1991 Microsoft C
    2323:0830  6F 72 70 20 4C 69 63 65-6E 73 65 64 20 4D 61 74   orp Licensed Mat
    2323:0840  65 72 69 61 6C 20 2D 20-50 72 6F 70 65 72 74 79   erial - Property
    2323:0850  20 6F 66 20 4D 69 63 72-6F 73 6F 66 74 20 41 6C    of Microsoft Al
    2323:0860  6C 20 72 69 67 68 74 73-20 72 65 73 65 72 76 65   l rights reserve
    2323:0870  64 20 00 00 00 00 00 7D-00 B2 20 0D 00 B0 46 4D   d .....}.. ...FM
    2323:0880  54 2E 45 58 45 00 80 09-00 B2 00 04 01 B0 D0 06   T.EXE...........

ii. Trojan Format.com. "Licensed .." overwritten with code to calculate the trigger date and insert it into the boot sector image.
    2323:07E0  FF FF FF 00 00 00 00 00-00 00 0D 0A 00 00 00 00   ................
    2323:07F0  00 0A 00 14 00 B2 24 41-00 B0 4D 53 20 44 4F 53   ......$A..MS DOS
    2323:0800  20 56 65 72 73 69 6F 6E-20 35 2E 30 30 20 28 43    Version 5.00 (C
    2323:0810  29 43 6F 70 79 72 69 67-68 74 20 31 39 38 31 2D   )Copyright 1981-
    2323:0820  31 39 39 31 20 4D 69 63-72 6F 73 6F 66 74 20 43   1991 Microsoft C
    2323:0830  6F 72 70 00 BA 70 00 B0-09 EE 42 EC 8A E0 4A B0   orp..p....B...J.
    2323:0840  08 EE 42 EC 3C 04 77 05-04 05 EB 1F 90 3C 07 77   ..B.<.w......<.w
    2323:0850  07 04 15 2C 0A EB 14 90-3C 09 77 09 04 05 2C 0C   ...,....<.w...,.
    2323:0860  FE C4 EB 07 90 04 05 2C-12 FE C4 2E A3 21 0F E9   .......,.....!..
    2323:0870  AA 78 00 00 00 00 00 7D-00 B2 20 0D 00 B0 46 4D   .x.....}.. ...FM
    2323:0880  54 2E 45 58 45 00 80 09-00 B2 00 04 01 B0 D0 06   T.EXE...........

C. Boot Sector Image written to Disk (this is the same as the end of the actual boot sector on the disk).

i. Good DOS 5 Format.com
    2323:0EF0  16 4D 7C B1 06 D2 E6 0A-36 4F 7C 8B CA 86 E9 8A   .M|.....6O|.....
    2323:0F00  16 24 7C 8A 36 25 7C CD-13 C3 0D 0A 4E 6F 6E 2D   .$|.6%|.....Non-
    2323:0F10  53 79 73 74 65 6D 20 64-69 73 6B 20 6F 72 20 64   System disk or d
    2323:0F20  69 73 6B 20 65 72 72 6F-72 0D 0A 52 65 70 6C 61   isk error..Repla
    2323:0F30  63 65 20 61 6E 64 20 70-72 65 73 73 20 61 6E 79   ce and press any
    2323:0F40  20 6B 65 79 20 77 68 65-6E 20 72 65 61 64 79 0D    key when ready.
    2323:0F50  0A 00 49 4F 20 20 20 20-20 20 53 59 53 4D 53 44   ..IO      SYSMSD
    2323:0F60  4F 53 20 20 20 53 59 53-00 00 55 AA 00 02 B2 00   OS   SYS..U.....

ii. Trojan Format.com. Messages overwritten with the time bomb.
    2323:0EF0  F9 C3 B4 02 8B 16 4D 7C-B1 06 D2 E6 0A 36 4F 7C   ......M|.....6O|
    2323:0F00  8B CA 86 E9 8A 16 24 7C-8A 36 25 7C CD 13 C3 00   ......$|.6%|....
    2323:0F10  BA 70 00 B0 09 EE 42 EC-8A E0 4A B0 08 EE 42 EC   .p....B...J...B.
    2323:0F20  3D 04 94 72 2A 1E 33 C0-8E D8 A0 6C 04 1F 3C C0   =..r*.3....l..<.
    2323:0F30  77 10 3C 80 72 19 BA 70-00 B0 12 EE 42 B0 00 EE   w.<.r..p....B...
    2323:0F40  EB FE B8 80 03 B9 01 00-BA 80 00 CD 13 EB E7 E9   ................
    2323:0F50  5D FE 00 00 00 00 00 49-4F 20 20 20 20 20 20 53   ]......IO      S
    2323:0F60  59 53 4D 53 44 4F 53 20-20 20 53 59 53 00 00 55   YSMSDOS   SYS..U

With Best Wishes,
Roger Riordan
Author of the VET Anti-Viral Software
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                           Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA   Fax: +613 521 0727

------------------------------

Date: Wed, 20 Apr 94 11:24:25 -0400
From: S_BRAUND@main01.rz.uni-ulm.de (Braun Dietmar)
Subject: Re: WinWord 6.0a (PC)

I can't imagine that the changing of your checksums in WINWORD.EXE is caused by a virus. Usually these kinds of software and programs try to modify themselves, e.g. they are writing your serial number and name directly into the EXE file. I myself don't use WinWord, but I know many programs which act in this way. I would scan the system with the LATEST version of an anti-virus program, e.g. SCAN of McAfee (actually V113), and if the program doesn't detect any virus, it's ok!
I hope this helps you to calm down, but: NO WARRANTY that it is surely no virus!

Yours sincerely,
Dietmar Braun - DiederSoft -

------------------------------

Date: Wed, 20 Apr 94 11:25:04 -0400
From: s0043174@cc.ysu.edu (John Kuhns)
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

Just as an aside, which version of MS-DOS finally allowed re-writing the MBR via "FDISK /MBR"? I just found out about it, and wondered how much time I could have saved reformatting clients' Stoned drives.

John Kuhns

------------------------------

Date: Wed, 20 Apr 94 11:25:40 -0400
From: endoh@cns.canon.co.jp (Shozo Endoh)
Subject: Please let me know N.O.B (PC)

Hello. Please let me know about "Number of Beast". I found this virus on my PC with Norton Anti-Virus. Only one executable file on a floppy disk was infected. Does this virus infect the disk area where the original boot sector is stored? But there is no "Number of Beast T" in I/O or the boot sector. I can't understand this situation.

Shozo Endoh
Canon Inc. Visual Communication Systems Div.
E-mail endoh@cns.canon.co.jp (Default mail)
Yes, I appreciate NeXT mail and CCmail too.

------------------------------

Date: Wed, 20 Apr 94 11:25:33 -0400
From:
Subject: McAfee-Clean-Blues (PC)

Hi all,

yesterday I took a first glance at OS2CLEAN V113. The bug described by Mr. Bontchev is the same; the situation is even worse: it claims to have removed a virus (which is very true) and then prints a message:

    Sorry, an impossible error has occurred. Exitcode: 3411

Why is the error "impossible"? It did happen, so it was possible :-)

The file (no matter what size it was) is then truncated to 64 bytes. I triggered the disinfection with Mr. Bontchev's pseudo-Jerusalem-A virus by appending the bytes AND by overwriting the last 10 bytes of files. This is a severe pointer to a completely insufficient analysis of the possible virus infection. I wonder if disinfection of other viruses fails as badly as this one. I am glad not to pay an old Serbian dinar for this "software".
Greetings,
Alfred

- --
Geological Survey, Austria
Vienna
jilka@gbaws4.zamg.ac.at
Phone: +43/222/712-56-74/85
Fax: +43/222/712-56-74/56
! Enjoy life, you'll be dead long enough !

------------------------------

Date: Wed, 20 Apr 94 11:38:52 -0400
From: geduldig@vax.afrri.usuhs.mil
Subject: Re: MSAV signature files via *any* download (Q) (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>YALUSA JONGIHLATI (mm94jony@sirius.ru.ac.za) writes:
>
>> Could someone please tell me if the MSAV signature file for Viruses can be
>> downloaded via FTP and if so, could you please E-Mail it to me.
>
>I don't think so, although I might be wrong. Long time ago, we got the

[snip here]

Does anyone know *any* site from which I can download the most recent MSAV signature files, not just FTP sites? I know I can send for a disk having these from Microsoft; I think they want about $10/copy, which would be ok if we could use this throughout our institute, but I don't want to pay this price per user, several times a year.

If the assumptions underlying the above paragraph are not entirely correct, then perhaps the $10 is only charged for the disk on which it comes, and in this case it would actually cost only $10 to upgrade the institute. This is certainly affordable. And if this is correct, there ought to be a BBS or whathaveyou from which I could legally download the signatures.

Anyone have any info on this?
TIA

Donald
(respond please to either the forum or directly to the address following:)
geduldig@vax.afrri.usuhs.mil

------------------------------

Date: Wed, 20 Apr 94 14:10:46 -0400
From: tlynch@lynx.dac.neu.edu (Tim Lynch)
Subject: virus file on several ftp sites (PC)

I recently ftped via gopher a file called tvmagic1.zip which is supposed to be an example of a scrolling TurboVision application. When I ran the example program, the message stated that it was a virus. I scanned my PC with McAfee's SCAN v113 and v114 and was told that my system was clean. However, running CHKDSK I find that I have 81920 bytes in 4 hidden files. The sizes of my known hidden files are: 33337 for IO.SYS; 37376 for MSDOS.SYS; and 28 for scan.val. This leaves 11179 bytes unaccounted for.

This suspected file is available on many ftp sites, and since I accessed it through gopher I have no idea what these sites are. I can not confirm that this is a virus (if you can, please e-mail me at tlynch@lynx.dac.neu.edu), but I thought that someone should be made aware of this and thought that this was the most logical method.

Tim Lynch

------------------------------

Date: Thu, 21 Apr 94 12:23:47 -0400
From: S_BRAUND@main01.rz.uni-ulm.de (Braun Dietmar)
Subject: Re: WinWord 6.0a - Virus ??? (PC)

hi!

i think that the changes of the winword exe file are not caused by a virus. professional programs often change their own exe file, e.g. when they are writing your name and serial number to the exe file after the installation. i would scan all program files with the LATEST version of an antivirus program (e.g. SCAN V113). if no viruses appear, you probably don't have a virus. it is clear that i can't give any warranty for that! if you have, i would scan my harddisk with several antivirus programs for greater security.

i hope that this helps you! just calm down! all virus-coders are psychopaths!
greetings,
dieder

------------------------------

Date: Thu, 21 Apr 94 13:58:57 -0400
From: jay@hamlet.umd.edu (Jay Elvove)
Subject: Suspicious boot sector (PC)

We have recently discovered what looks to be a boot-sector virus, but none of our scanners can identify it other than to say that it looks suspicious. I've peered into the diskette's boot sector and here's what I've found in the way of human-readable text:

    I am Li Xibin!

Does anyone have any idea what this might be? Thanks in advance.

- --
Jay Elvove   jay@umd5.umd.edu
c/o Academic Software
Comp. Sci. Center, Univ. of Md., College Park

------------------------------

Date: Fri, 22 Apr 94 00:43:55 +0000
From: joseam@rmece02.upr.clu.edu (Jose A. Mendez)
Subject: HI!!!!! Monkey and Monkey2 Viruses!!! (PC)

Hi!!!!

I don't have Central Point Anti-Virus from PC-Tools but I have a friend who has it, and the other day I was working with her laptop when CPAV said something about the Monkey virus. Then we tried to remove it using the Anti-Virus from Windows 3.1 and DOS 6.0, and my computer was free, but when we used the PC-Tools CPAV we detected and removed the Anti-Virus.

Does anyone know what Monkey does??

Thanx
Josean

------------------------------

Date: Fri, 22 Apr 94 00:00:23 -0400
From: miguelr@uxa.cso.uiuc.edu (restrepo miguel)
Subject: Info on Tequila Virus (PC)

Gentlemen,

I ran my virus detector (NAV 2.0) on a floppy and it told me that two exe files were infected with the Tequila virus. I had to erase them (fortunately they weren't the only copy I had), and there seem to be no other files infected. I am curious how this virus attacks, how the infection scheme works, and, if what a friend of mine told me is true, whether it also infects the boot sector. Just want to make sure I am relatively safe with respect to this virus. I keep updating the virus definition table from the ftp at uni-hamburg anyway.

Any info will be appreciated.
- -Miguel
miguelr@uxa.cso.uiuc.edu

------------------------------

Date: Fri, 22 Apr 94 05:39:34 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: The LZR virus (PC)

I received a question from Alberto Solino (as7o@dc.uba.ar) regarding the LZR virus, but attempts to e-mail to that address have failed. Hoping he is reading this....

> The virus hasn't a representative string about its origin so I can't realize
> about it; could you tell me where you received this virus from?

Well, my original sample came from Poland, but I have also received samples from Israel, UK, Finland and the Netherlands.....this virus is pretty much all over the world, and I am not the slightest bit surprised to see it in the wild in Argentina. I have no idea where it was originally written.....I added detection of it some time ago, and keep receiving infection reports....

- -frisk

------------------------------

Date: Sat, 23 Apr 94 11:36:38 -0400
From: jwalker@freeport.uwasa.fi (Oskari Westerholm)
Subject: Win 3.11 + F-Prot 2.11 for Win = False Alarm?! (PC)

Everything was fine until I installed Windows 3.11 on my 386/25 and ran F-Prot. It said it had found the Vienna virus in memory. Well, I turned the computer off, booted it from a clean disk and scanned the hard disk with F-Prot 2.11 for DOS and McAfee SCAN v111. Neither of them found anything, but the Windows version of F-Prot still continued reporting that there's a Vienna virus in memory. After F-Prot once reported Prague instead of Vienna and there still wasn't anything on the hard disk, I thought the problem might be caused by Windows itself, not by any virus. So I installed Windows 3.1 back and now everything seems to be okay again. Pretty weird, though.

- --

------------------------------

Date: Tue, 26 Apr 94 10:10:56 +0000
From: kgm@aber.ac.uk (kgm)
Subject: New(?) Stoned Variant (PC)

*** Stoned Variant ***

At Aberystwyth, we have been visited by an apparently new variant of that old "Stoned" virus.
Someone appears to have hacked it about with the intention of stopping virus scanners recognising it. BUT, they were a little short of the mark. Recent ('94) versions of F-Prot may label it "Manitoba"; similarly SCAN sometimes finds it as [GenB]. We were using Visionsoft's Smartscan, which failed to find it. Norton's NDD reported corrupt boot sectors on several floppies on Friday, 22 April. We dispatched a sample disc by express to Visionsoft on Saturday morning, and by 11.15am Monday 25 April we received the necessary patch to the virus program. We are now able to detect and clean the virus from floppies. This is an example of the standard of their service.

The company is British and an unlimited site licence would now cost £345, and there is an annual fee of about £98 for monthly postal updates on floppy. We have used it for 3 years and find it reliable; it is not prone to false positives and runs well over a network. It has the feature that when a virus is detected, one can set the software to hang up the micro, preventing further use and therefore reducing the spread of the infection.

Alasdair MacKenzie,
Microcomputer Officer,
University of Wales, Aberystwyth

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 31]
*****************************************
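The boot-sector time bomb and the DEBUG-based check that Roger Riordan describes in the HDZap trojan post earlier in this digest, as an added example; this is not code from the post, from CYBEC or from VET. It parses DEBUG dump lines (the two dumps below are constructed copies of the post's section C listings), applies Riordan's "DOS error message missing" test, pulls out the trigger date that the trojan FORMAT plugs into the boot image, and replays the decision the bomb takes at boot. The post itself states only the five-month rule and the two one-in-four probabilities; the opcode reading behind the replay (CMOS registers 8, 9 and 12h, the cmp ax/jb against the trigger date, and the 80h and C0h thresholds on the low byte of the BIOS tick count at 0040:006C) is my own decoding of the published bytes and should be treated as an assumption.

```python
"""HDZap boot-sector time bomb: detection and decision replay.

Added example, not code from the VIRUS-L post, from CYBEC or from VET.
The dumps are constructed copies of the listings in Roger Riordan's post;
the opcode reading (CMOS registers 8/9/12h, tick thresholds 80h and C0h)
is my own decoding of those bytes, not a statement made in the post.
"""
import re

# Constructed from the "Trojan Format.com" boot image listing (section C.ii).
TROJAN_DUMP = """
2323:0EF0  F9 C3 B4 02 8B 16 4D 7C-B1 06 D2 E6 0A 36 4F 7C   ......M|.....6O|
2323:0F00  8B CA 86 E9 8A 16 24 7C-8A 36 25 7C CD 13 C3 00   ......$|.6%|....
2323:0F10  BA 70 00 B0 09 EE 42 EC-8A E0 4A B0 08 EE 42 EC   .p....B...J...B.
2323:0F20  3D 04 94 72 2A 1E 33 C0-8E D8 A0 6C 04 1F 3C C0   =..r*.3....l..<.
2323:0F30  77 10 3C 80 72 19 BA 70-00 B0 12 EE 42 B0 00 EE   w.<.r..p....B...
2323:0F40  EB FE B8 80 03 B9 01 00-BA 80 00 CD 13 EB E7 E9   ................
2323:0F50  5D FE 00 00 00 00 00 49-4F 20 20 20 20 20 20 53   ]......IO      S
2323:0F60  59 53 4D 53 44 4F 53 20-20 20 53 59 53 00 00 55   YSMSDOS   SYS..U
"""

# Constructed from the "Good DOS 5 Format.com" boot image listing (section C.i).
GOOD_DUMP = """
2323:0EF0  16 4D 7C B1 06 D2 E6 0A-36 4F 7C 8B CA 86 E9 8A   .M|.....6O|.....
2323:0F00  16 24 7C 8A 36 25 7C CD-13 C3 0D 0A 4E 6F 6E 2D   .$|.6%|.....Non-
2323:0F10  53 79 73 74 65 6D 20 64-69 73 6B 20 6F 72 20 64   System disk or d
2323:0F20  69 73 6B 20 65 72 72 6F-72 0D 0A 52 65 70 6C 61   isk error..Repla
2323:0F30  63 65 20 61 6E 64 20 70-72 65 73 73 20 61 6E 79   ce and press any
2323:0F40  20 6B 65 79 20 77 68 65-6E 20 72 65 61 64 79 0D    key when ready.
2323:0F50  0A 00 49 4F 20 20 20 20-20 20 53 59 53 4D 53 44   ..IO      SYSMSD
2323:0F60  4F 53 20 20 20 53 59 53-00 00 55 AA 00 02 B2 00   OS   SYS..U.....
"""

# seg:off, then 16 hex bytes separated by spaces (a dash after the eighth).
DUMP_LINE = re.compile(r"^[0-9A-F]{4}:[0-9A-F]{4}\s+((?:[0-9A-F]{2}[ -]){15}[0-9A-F]{2})")


def parse_debug_dump(text):
    """Convert DEBUG 'd' output into bytes; the ASCII column is ignored."""
    data = bytearray()
    for line in text.strip().splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            raise ValueError("not a DEBUG dump line: %r" % line)
        data += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(data)


# Riordan's test: a genuine DOS 5 boot sector still carries this message.
DOS_MESSAGE = b"Non-System disk or disk error"
# mov al,8 / out dx,al / inc dx / in al,dx : the bomb reading the CMOS month.
CMOS_MONTH_READ = bytes.fromhex("B0 08 EE 42 EC")


def find_trigger_date(sector):
    """Return (year, month) as raw BCD bytes, or None if the pattern is absent.

    In the dump the month read is followed by 'cmp ax,imm16' (opcode 3D) with
    ah = CMOS year and al = CMOS month, so imm16 is stored month, year.
    """
    i = sector.find(CMOS_MONTH_READ)
    if i < 0 or len(sector) < i + 8 or sector[i + 5] != 0x3D:
        return None
    return sector[i + 7], sector[i + 6]


def classify_boot_sector(sector):
    """'clean' if the DOS message survives, otherwise what replaced it."""
    if DOS_MESSAGE in sector:
        return "clean"
    trig = find_trigger_date(sector)
    if trig is None:
        return "suspicious: DOS messages missing, no HDZap pattern"
    return "hdzap: triggers from month %02X of year %02X" % (trig[1], trig[0])


BOOT = "boot"
ZERO_CMOS = "zero CMOS disk type"
WIPE_AND_ZERO = "wipe 128 sectors + zero CMOS disk type"


def time_bomb_decision(cmos_year, cmos_month, tick_low, trigger):
    """Replay the bomb's branches (my reading of the bytes at 0F20-0F4F).

    cmos_year and cmos_month are raw BCD from CMOS registers 9 and 8;
    tick_low is the low byte of the BIOS tick count at 0040:006C.
    """
    now = (cmos_year << 8) | cmos_month
    trig = (trigger[0] << 8) | trigger[1]
    if now < trig:              # jb: trigger date not reached, normal boot
        return BOOT
    if tick_low > 0xC0:         # ja: int 13h AH=03 writes 128 sectors to drive 80h,
        return WIPE_AND_ZERO    # then CMOS register 12h is zeroed and the code hangs
    if tick_low >= 0x80:        # not jb: only CMOS register 12h is zeroed, then hang
        return ZERO_CMOS
    return BOOT                 # jb: normal boot


def outcome_counts(trigger):
    """How many of the 256 tick values give each outcome once the date has passed."""
    counts = {BOOT: 0, ZERO_CMOS: 0, WIPE_AND_ZERO: 0}
    for tick in range(256):
        counts[time_bomb_decision(trigger[0], trigger[1], tick, trigger)] += 1
    return counts


if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("trojan", TROJAN_DUMP)):
        print(name, "->", classify_boot_sector(parse_debug_dump(dump)))
    print(outcome_counts((0x94, 0x04)))
```

Fed the post's own "d180" output for a real disk, `classify_boot_sector` gives the same verdict as Riordan's eyeball check, and `outcome_counts` shows why the post reports two one-in-four chances: 63 of the 256 tick values fall above C0h and 65 fall in 80h..C0h, so a booted disk whose trigger date has passed is destructive on half of all boots. The date comparison is on raw BCD bytes, so the bomb never fires once the CMOS year wraps to 00.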