VIRUS-L Digest   Wednesday, 6 Jul 1994    Volume 7 : Issue 51

Today's Topics:

Re: ARJ-, ZIP-viruses ?
Re: Virus in GIF
Re: Good virus ?
Re: The truth about good viruses
Re: The truth about good viruses
Re: Bad and good viruses...
Re: ARJ-, ZIP-viruses ?
Re: Good vs bad, HELP
Disarming ANSI bombs
Re: Good Virus?, here's a potential ironic example.
Virus Simulators
RE:RE:Stop the madness! :-)
Re: Virus in GIF
Re: Good viruses/Bad viruses
Re: Good Virus?, here's a potential ironic example.
Re: Good viruses/Bad viruses
Re| VIRSTOP 2.12 Freezes PC (PC)
Re: good vs. bad
Re: _HELP ! (PC)
Re: Scan V115 (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Re: MtE Virus info wanted (PC)
Re: Killed the Monkey Virus (PC)
Re: Killed the Monkey Virus (PC)
Re: Junkie virus (PC)
Re: Killed the Monkey Virus (PC)
New AV software (PC)
Virus Infection (PC)
Re: Monkey Virus Attack (PC)
First Posting - First Virus heeeellllp (PC)
Re: Server-Downing Viri (PC)
Re| Server-Downing Viri (PC)
Re| FLIP and CANSU (V-SIGN) viruses (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 28 Jun 94 06:28:54 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ARJ-, ZIP-viruses ?

HANK PIKE (pike@UTKVX.UTCC.UTK.EDU) writes:

> F-prot can scan all files so I assume it scans in compressed files too. Anyone
> know for sure? Frisk?

F-Prot can scan inside executables compressed by several executable compressors - PKLite, Diet, ICE (and probably a few others, I am not sure). It cannot, however, scan inside archives (ZIP, ARJ, LZH, etc.).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 28 Jun 94 06:41:39 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus in GIF

AN24237K (an24237k@aol.com) writes:

> This is probably a simple question, but is it possible to embed a
> virus into a GIF file?

Your question is not precise enough, I am afraid. So, I'll try to address all possible aspects of it.

If you mean "Is it possible to put an IBM PC virus in a GIF file in such a way that it will be executed when the file is viewed?", then the answer is "No". GIF files do not contain any fields that are executed when viewing them, therefore it is not possible to execute a virus.

If you mean "Is it possible to hide a copy of an infected file in a GIF file?", then the answer is "Yes". In fact, you can hide *anything* in a GIF file, by slightly modifying the least significant bits of the image. This is called steganography and is usually used to conceal encrypted messages in innocent-looking GIF pictures. There are several programs which will allow you to do that.
Of course, the message (or the virus) will have to be extracted by the recipient before it can be interpreted in any useful way. Therefore, you can use GIFs as a carrier to exchange viruses, but you cannot trick somebody into getting infected if he doesn't know about the virus.

If you mean "Is it possible to design a virus that would spread in a GIF environment?", then the answer is again "Yes, probably". After all, GIF viewers just interpret the GIF87 format in a particular way. It is possible to design a GIF viewer that would interpret the format in a completely different way. Then it would be possible to create GIF images which will contain instructions to this particular GIF viewer. Some of the instructions could be "find a GIF file in the current directory that does not contain these instructions and modify it so as to include a copy of them" - then you will have a GIF virus that would spread only in the environment of the special GIF viewers...

But I digress. Almost certainly your question was meant as a practical one (the first case), so the answer is "NO".

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 28 Jun 94 06:52:22 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good virus ?

The Radio Gnome (V2002A@VM.TEMPLE.EDU) writes:

> Another thought on the operation of a 'good' virus. Wouldn't such
> a program use the same sort of mechanisms to spread as bad viruses? If
> so, then all the existing anti-virus TSRs would stop it in its tracks.
> If it found a way around F-PROT for example, then some cybervandal would
> inevitably reverse engineer it and attach a harmful payload, thus making
> the 'good' virus an unwitting 'partner' in creating the next generation

The concern is valid, but the example is wrong. F-Prot is just a scanner and any new virus will bypass a scanner. A better example to illustrate your concern would be a monitoring program like FluShot+.

> Re: compression... not all EXEs (fewer and fewer with Windows and
> more advanced OSs) are compressible, even though they might 'look' so.
> Even PKlite stumbles on some. Take the following scenario:
> "Hello, I am the Space Saver(c), should I compress your programs?
> (125 programs to compress, 9.2Mb of disk would be saved) (y/n) Y

Actually, there already exists a virus that acts in approximately this way - the Cruncher virus. It appends itself to the victim files, then uses Diet's compression algorithm to compress the whole aggregate (the file with the virus attached to it). The latest version asks for permission each time, and this can be turned off (to mean "Yes, do it") by setting an environment variable. Unfortunately, there isn't a way to say "No, don't do it, and stop asking me" or "Remove yourself from all infected files", or "Update yourself with an improved version" and so on.

> The real issue here is control. When the user or administrator has
> control away from them, the problems start.

Exactly! That's why any virus that claims to be beneficial *MUST* provide the user with effective ways to control it. Much more care must be taken than with "normal" software, because "normal" software does not spread by itself.

> BTW, how is a program like WSUPDATE (Novell Netware) classified?

What does it do? Automatic software distribution, like rdist(1) does in the Unix world? Then it can provide very convenient means for a virus to spread.
> I just posted a note on the Novell list about using it to control DOOM
> and other nuisance net games.

Sorry about the off-topic message, but I happen to disagree with you here. DOOM is a very fine game and the latest version (1.2) does not cause network overload like version 1.1 and below used to. Of course, if you mean that the "nuisance" is that the LAN users are playing DOOM instead of doing their work, this is a different story. Or do you mean the Doom virus family? :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 28 Jun 94 07:01:17 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

Scott Ste Beardsley (39534@brahms.udel.edu) writes:

> I am yet to be convinced that any software can be known to be
> benevolent. Anything you can do to ensure the validity of software can
> be used on virii. Crypto signatures, checksums, trusted suppliers etc...

Correct, but more care should be taken when working with viruses (even with "beneficial" ones), because regular software does not spread by itself. Therefore, even if you wouldn't mind using a "regular" program without reliable authentication, you should be *very* careful not to do this with a self-spreading program.

> Gee don't they already do that to regular software? It's
> called Trojan Horses.

Regular software does not spread by itself. Trojan horses do not spread by themselves. Viruses do. This is an important difference that makes them more dangerous and prone to causing unintentional damage.
> installation program must already be running to ask if you wish to
> install that new graphics program you bought, how do you know it hasn't
> done something already?

If it turns out that it has done something already, I can always contact the producer, complain, and possibly even sue for damages, if I can show that he has not taken "due care" or has even had malicious intent. This is not true for any of the real viruses that claim to be beneficial. It is true for the few beneficial programs that use replicating mechanisms and are viruses according to Dr. Cohen's definition, but then they are not real viruses.

> you are skilled enough to understand. You CAN use crypto signatures,
> and other things to verify its integrity, but the same thing could
> be done to virii.

Yes, and it should be done for those "beneficial viruses" Dr. Cohen is talking about. I have not had the chance to read the book he keeps mentioning, but I am pretty sure that he has thought about cryptographic authentication methods.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 28 Jun 94 07:08:35 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

C R Pennell (hiscrp@leonis.nus.sg) writes:

> At the risk of starting this all over again, would someone PLEASE tell me
> what are the supposed benefits of a "good" virus?
> What are they supposed to do?

I already posted an example - hope that it will appear soon. I see that Norman Hirsh has posted pretty much the same example. As far as I know, this is the only convincing example of self-replicating software doing a useful job and being needed to do it in an effective way. Maybe Dr. Cohen knows more examples. So far none of those I've seen in his papers ("the compression virus", "the resource collector", etc.) has been convincing enough to me. Some of them are beneficial, but the same task can be completed just as effectively by a non-viral program, so I don't see the point of introducing a self-replicating one with all the security headaches that this creates.

> Why are they supposed to be better than allowing me to go out and buy/
> download something that I specifically asked for?

Because they save you the time to manually ask for it many times. If you are using a particular shareware package, wouldn't it be nice to have the latest version automatically uploaded and installed on your machine each time the producer makes it available? Of course, all kinds of authentication problems will have to be solved, but they are solvable in principle.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 28 Jun 94 07:33:46 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Bradley (bradleym@netcom.com) writes:

[about the so-called KOH virus]

> It's a virus that does what I said. It includes an uninstall option for
> the hard drive.

How about the floppies?

> If you want to know more, I have the full KOH document
> in my little personal FTP site: ftp.netcom.com:/pub/bradleym
> Just read the KOH.readme to find the KOH directory, and DON'T take the
> actual program out of the U.S. because it's export controlled.

I took a look at that site. (No, I didn't export anything that is export-controlled - besides, I already have a sample of this virus.) Oh my!
First, the person who has written the preamble for KOH.README certainly needs a spelling checker - two errors in a three-line message is definitely too much.

Second, you are distributing viruses from your account. I am not talking only about KOH, but about such things as 40Hex and NuKE's InfoJournal - underground magazines that are known to contain virus code. Are the Netcom authorities aware that they can be made liable for civil damages in several countries if an infection by one of those viruses occurs and the source is traced to them? The US Department of the Treasury recently got a rather negative representation in the press because of the virus exchange BBS they were running. Would Netcom like it if I contacted a few journalists and tipped them that a major US internet provider is running a virus distribution board?

Third, is Netcom aware that another of its users (to whose directory there is a link from yours) is freely making available to the world strong cryptographic software and is potentially breaking the ITAR export regulations? I couldn't care less about it, because I find the US ITAR regulations silly anyway when applied to software that is publicly available everywhere in the world, but may I remind you that the penalty for breaking this silly law is still 41 to 51 months of jail time? Does Netcom know that they could be liable for not taking due care of what their users are doing?

> I only have to name one Good Virus (tm) to prove you wrong,

True, but you also have to prove to us that it is Good (tm) and that it is a Virus (tm). :-)

> and I have.

No, you have not. Stealth_Boot.D (the standard CARO virus name for the virus you are discussing) has an infection mechanism similar to Stoned and causes damage in similar environments. Also, in a previous message of mine I listed a few other cases in which this particular virus is harmful. So, no, it is not a Good Virus, and you still have to prove your claims.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Tue, 28 Jun 94 08:44:21 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: ARJ-, ZIP-viruses ?

pike@UTKVX.UTCC.UTK.EDU (HANK PIKE) writes:

>Norton Antivirus 3.0 (NAV) has an option to scan within compressed files.
>F-prot can scan all files so I assume it scans in compressed files too. Anyone
>know for sure? Frisk?

no...f-prot scans inside compressed executables (DIET/PKLITE/LZEXE), but not inside archives. We are considering adding scanning of .ZIP and .ARJ files, however...

- -frisk

------------------------------

Date:    Tue, 28 Jun 94 09:19:42 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Re: Good vs bad, HELP

A couple of things. I hope the posters (from 7.45) will forgive me but there was no purpose to be gained from carrying the names forward since these are representative samples:

>Subject: Good Virus?, here's a potential ironic example.

>Scenario: In a multiple server environment with NetShield running on each
>server, NetShield can be configured with "Cross Server Updating Enabled".
>With cross server updating enabled, if the VIR.DAT file on the one server is
>updated (by copying a new VIR.DAT file over the older file), VIR.DAT will
>then proceed to copy itself to all the other servers and automatically
>update the virus database on each server.

This is a wonderful idea and was first posted here over two years ago (but I did not receive Fred's grand - of course I never really entered the contest either). Unfortunately, it is not a virus since IMHO a program (NetShield) is just updating its own data files and no executables are being transferred.
Further, no additional code is being added to a pre-existing program. Now the original concept did (ask Aryeh where the idea for CHKSHLD came from) since it did involve copying entire executables, but this way is better.

>Subject: HELP!!!!! (PC)

>I'm pretty sure I have a virus on my computer but I have no idea what
>it is or how to get rid of it. I've been trying a few virus scanners,
>etc. and have no luck.

This is the best argument against self-propagating parasitic code (what most people call viruses) that I know of. It takes up an incredible amount of my and many other people's time (and I have negative free time). Users know that viruses are mean, nasty, & destructive and live in fear as a result. In the medical profession it is known as "intern's syndrome" and is the result of F.U.D. - fear, uncertainty, & doubt - mostly fear.

Viruses do not bother me, IMNSHO the current crop is boorrrriiinnnggg and rates right up there with rust - prolific & difficult and time-consuming to repair. Of course each time someone comes up with a new one, I do not have the luxury of deciding that until it has been pulled apart and revealed all of the mistakes, because of what I know *could* be written.

Further, marketoids and some elements of the media thrive on FUD to sell poor products (apparently it beats working for a living but then I don't live in California), so the public sees two page colour ads for TOAST and I get more calls from people afraid of the S-Bug/Terminator, each of whom needs reassurance.

Finally, one poster brought up the subject of security on the Internet. It is to laugh. (and I recommend perusal of RFC 1281 "Guidelines for the Secure Operation of the Internet" for further edification). In simplest terms *there is no security on the Internet*. It is 100% dead solid perfect centered on the A of Availability (for those familiar with the CIA triangle).
The last line in the referenced RFC sums it up: "If security considerations had not been so widely ignored in the Internet, this memo would not have been possible."

Real warm now (97/97 yesterday),
Padgett

------------------------------

Date:    Tue, 28 Jun 94 09:32:22 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Disarming ANSI bombs

>From: mramey@u.washington.edu (Mike Ramey)

>Can anyone tell me where to get a shareware -safe- ANSI driver?
>Some of the programs used in our computer lab require ANSI.SYS.
>PKSFANSI is -not- included in the shareware version of PKZIP.

Well, it is trivial to defang the MSDOS 5 & 6 ANSI.SYS keyboard redirection: all you have to do is DEBUG ANSI.SYS and edit the "p" (hex 70) found at or near offset 61h (debug will probably load it at 161) to "something else". I prefer a character otherwise unused by ANSI so that if I want to use keyboard redirection, it is still available, just different.

Winter has arrived (utility bills go up & do not go outside unless I must).
Padgett

------------------------------

Date:    Tue, 28 Jun 94 09:54:08 -0400
From:    pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Re: Good Virus?, here's a potential ironic example.

nhirsch@panix.com (Norman Hirsch) writes:

|> I've seen a few messages about the potential good virus. Here's a potential
|> example that I throw out for analysis/opinion. Ironically it's the VIR.DAT
|> file of NetShield.
|>
|> Background: NetShield is McAfee's anti-virus NLM for Novell servers. The
|> encrypted database of viruses that the NetShield NLM uses when it scans for
|> viruses is the VIR.DAT file. When new virus strings are found, they are
|> added and a new, updated VIR.DAT file is created and distributed. (The
|> latest VIR.DAT file is zipped up in McAfee's filename: VIRDT115.ZIP.)
|>
|> Scenario: In a multiple server environment with NetShield running on each
|> server, NetShield can be configured with "Cross Server Updating Enabled".
|> With cross server updating enabled, if the VIR.DAT file on the one server is
|> updated (by copying a new VIR.DAT file over the older file), VIR.DAT will
|> then proceed to copy itself to all the other servers and automatically
|> update the virus database on each server. One can certainly argue that
|> VIR.DAT is a "good virus" because it reproduces itself across the network to

You won't say the file VIR.DAT is a virus. It's not this file itself that reproduces onto other servers, but a program whose job it is to update the installed versions on other servers. So this has nothing to do with a virus (e.g. the file VIR.DAT couldn't escape and multiply). If, for example, you save a message with your text editor, that program will automatically make a copy of your message and store it for backup reasons. I see no difference in NetShield's behaviour.

Ruediger Pein

------------------------------

Date:    Tue, 28 Jun 94 16:00:22 -0400
From:    Burton.Weatherford@Syntex.Com
Subject: Virus Simulators

Mr. Skulason stated that virus simulators were *not* intended to set off avs scanners. If this is the case, what can a company use to evaluate various avs products so as to decide for themselves which scanner scans faster, is more accurate, uses less memory, etc., and not have to rely on marketing hype? Thanks for any info. We are trying to choose an avs product and are looking for a product that can test avs scanners.

Good Scanners Prevent Bad Days,
Burt :-{>

------------------------------

Date:    Tue, 28 Jun 94 18:55:52 -0400
From:    DTHEO1@UMBC2.UMBC.EDU
Subject: RE:RE:Stop the madness! :-)

I have been a quiet subscriber to Virus-L for a few months now. Over this period of time it seems that the HOT topic is the question of good and bad viruses.
I remain neutral on this issue because I believe that there are valid points to be made for both sides of this issue. This topic is obviously one that will never be resolved. It is comparable to the philosophical question as to the existence of God. (i.e. There will never be a definitive solution.) I have just stood by and watched as people on both sides of the issue keep at it.

I recently read Fred Cohen's response to Brian Seborg. That response refers to Cohen's book a total of SEVEN times. I don't mind reading the squabbles that are going back and forth, but what I do mind is the use of this list as a marketing tool. I can understand referring to the book once or twice, but seven times is ridiculous. I believe that it was an insult to my intelligence and to the intelligence of many other people who follow this list. I thought that we as netters frown upon advertising on the net. I would suggest that Fred Cohen find other avenues to advertise his book. We are all fully aware that Fred Cohen has a new book, and if by chance we were not, he made sure that we now know.

From what I have seen, this seems to be an isolated incident. I know that there are some of you out there that have antivirus products out on the market. Other than a few references to the products, I have not seen any of the authors making overt advertisements. For example, Fridrik Skulason posts quite often, yet I have not seen him refer to F-Protect anywhere near as often as Cohen mentioned his book. Furthermore, I believe that Skulason's product speaks for itself.

I don't really mean to "slam" Fred Cohen. I have read many of his works and I believe that he has made a great contribution in the areas of computer security and viruses. But I believe that the above mentioned incident was totally uncalled for.

This good/bad controversy has really gotten ugly. There are now questions being posed from how good someone's English is, to how intelligent someone is.
I believe that our resources would be better spent on sharing our knowledge and experiences in order to help each other gain a better understanding. I think that our time would have more meaning if we also helped others who might not be as knowledgeable about viruses as some of us are.

L8r,
Dino

------------------------------

Date:    Tue, 28 Jun 94 20:10:03 -0400
From:    tracker@netcom.com (Craig)
Subject: Re: Virus in GIF

AN24237K (an24237k@aol.com) wrote:

: This is probably a simple question, but is it possible to embed a
: virus into a GIF file?

Yes, and the same goes for things like .mod music files.

------------------------------

Date:    Tue, 28 Jun 94 21:06:09 -0400
From:    evb@hermes.bouw.tno.nl (Erwin van Beinum(guest))
Subject: Re: Good viruses/Bad viruses

[skipped some things out]

: Regards,
: Vesselin

My dear sir Vesselin, why bother to communicate with somebody like that? In my opinion you're a very brave man to do so, but it is so meaningless. Don't bother with people who try to attack others because they think they are being attacked. This happens all over the world. To me it seems very stupid to do, but the person who attacked you on some non-interesting points tries to prove himself. It is (in my opinion) not our mission to waste time on those things.

I hope this message is clear enough for all people who consider that viruses like real 'dangerous' computer viruses or HIV viruses can be good. Of course they can. HIV viruses are good against too many people in this world and computer viruses keep the low-level employee from staying all day behind his or her computer, because the malfunctioning computer has to be repaired. But viruses have, in Internet terms, a bad contribution to our level of happiness. So that's why they are bad...

Erwin.

PS this is my own and nothing more than my own opinion.

------------------------------

Date:    Tue, 28 Jun 94 21:54:27 -0400
From:    gdj@netcom.com (Gary Jones)
Subject: Re: Good Virus?, here's a potential ironic example.
nhirsch@panix.com (Norman Hirsch) wrote:

[...]
>The bottom line of my analysis of these examples is that it shows the
>ridiculousness of trying to talk about good viruses. IMHO, there is no good
>virus because for all practical purposes, a virus is a bad thing by
>definition. Using the definition that "something nice that replicates is a
>good 'virus'" is an oxymoron (sp?) as far as I'm concerned.

Two points:

First, since you provided no analysis of the example, it is difficult to evaluate the veracity of your 'bottom line'.

Second, if the definition of a virus arbitrarily includes the notion of 'bad', then nothing has been achieved. The question is whether the definition *necessarily* includes 'bad'. Could there be a thing that exhibits all the characteristics of a virus except its 'bad' aspects? If so, then forcing 'bad' into the definition of a virus simply forces the creation of a new concept for a virus-except-it-is-not-bad. Nothing has been achieved.

So, what is your definition of a virus that *necessarily* contains 'bad'?

------------------------------

Date:    Tue, 28 Jun 94 21:55:56 -0400
From:    gdj@netcom.com (Gary Jones)
Subject: Re: Good viruses/Bad viruses

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

[...]
>entitled to your opinions - ain't freedom of speech wonderful?
[...]
>all those hare "ill founded fears"... I wish that there were a way to
>gather all the loudmouths like you and to force them to do our job -
>maybe then you will finally learn how "profitable" our profession is,
>and how "ill founded" those fears are... Wishful thinking...
>Loudmouths never do real work, by definition.
[...]
>So, what is exactly my interest in this? Perhaps you think that I am a
>masochist (sp?), enjoying working 14 hours per day on a half-time job,
>ruining my health, and replying to stupid questions?
Respect for an authority on a subject would be enhanced by eliminating cute colloquialisms, pointless personal attacks, and spurious pleas for sympathy. The issue here is simple: is 'bad' *necessary* in an objective definition for a computer virus?

------------------------------

Date:    Tue, 28 Jun 94 03:11:27 +0400
From:    Kazatski Oleg Nikolaevitch
Subject: Re| VIRSTOP 2.12 Freezes PC (PC)

frisk@complex.is (Fridrik Skulason) wrote:

> right. The exact reason....uh, well...Virstop uses some "dirty tricks", and
> 386max does too....and those tricks are mutually incompatible.

What are these "dirty tricks"?

> the /Notrace also fixes a few other incompatibility problems - it makes
> Virstop work on old Cyrix 486SLCs (which are not 100% Intel compatible)
                                                 ^^^^
Why?

Sorry for being off-topic.

- --
OK

------------------------------

Date:    Wed, 29 Jun 94 10:23:06 -0400
From:    "A.Jilka"
Subject: Re: good vs. bad

Hi all,

after reading this strain for ??? 3 months, I come to the conclusion that some people around here have lost their view of the things they talk about, like a geologist complaining about this rock before his nose. If he'd step back he could see that this rock is just a pebble he can step over easily.

Who said that a virus MUST be bad to be a virus?
Why does a virus have to modify a program to get active? (companion)
Why must a virus replicate 1000 times on a HD to be a virus? Isn't it sufficient to replicate once for each medium? (BSV)

Therefore some of the bad things which make every virus a bad virus certainly don't hold.

The reason why some people would or would not choose to use a "benevolent" virus is just the same as some people prefer to use LOTUS 123 and some use even WINWORD for their simple calculations.

For the question of buggy code: if I don't need to hide the existence of a virus, I may use official interfaces and can play far more on the safe side.

For the question of the OS version: it is the duty of EVERY program to check its environment.
I would not try to run a program written for DOS 1.0 in a DOS box on my OS/2 system, and IF I did, I would not wonder why it crashed. An "official" virus would have to check the same things.

If I have a certain problem, I use a program that fits my needs, regardless of what people call it. And if Windows claims to fit my needs and does not, I call it crap, regardless of its reputation or widespreadness.

The world is not black and white, there is lots of colorful gray in between.

Just my view of the world,
Alfred

- --
[ASCII-art map of Austria: Linz, Vienna, Salzburg, Innsbruck, Graz; HOME]
Geological Survey, Austria
jilka@gbaws4.zamg.ac.at
Phone: +43/222/712-56-74/85
Fax:   +43/222/712-56-74/56
! Enjoy life, you'll be dead long enough !

------------------------------

Date:    Tue, 28 Jun 94 00:54:14 +0400
From:    Kazatski Oleg Nikolaevitch
Subject: Re: _HELP ! (PC)

Hi !

c007@Lehigh.EDU (ERIC A. MEEKER) wrote:

> I'm pretty sure I have a virus on my computer but I have no idea what
> it is or how to get rid of it. I've been trying a few virus scanners,
> etc. and have no luck. The only thing I noticed is that the virus is
> adding (usually) 959 bytes to most executable files.

This is (maybe) the virus "Drug-959/987". It infects EXE and COM files, resident. The length of COM files is increased by 959 bytes, EXE by 987 bytes. Antivirus program - AIDSTEST, Lozinsky (Russia).

- --
OK

------------------------------

Date:    Tue, 28 Jun 94 05:54:54 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scan V115 (PC)

Edward D. Auyang (auyanged@jhunix.hcf.jhu.edu) writes:

> I have McAfee's Scan v115...upon entering the command, the hard drive is
> accessed for a second or so before the memory check...anyone know what
> it's doing?

Probably checking its own integrity.
In order to do this, it has to open its file, read it, and compute a checksum on it. This will help it determine whether the program has been corrupted or infected by a non-stealth virus.

> Also, has anyone had VShield to successfully intercept a virus?

Yes, it sometimes intercepts some viruses successfully. :-)

> Please mail me rather than post.

Why do you think that nobody else will be interested in the reply to your question?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 06:21:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:

> Speak plainly (as I installed this virus bait).
> Is it worthless? (i.e. just takes up disk space)

Not completely - it will detect *some* classes of viruses.

> harmful? (i.e. gives a sense of False security)

Yes, if you rely only on it to protect you from viruses.

> helpful? (i.e. works as advertised)

I'm not sure how it is advertised exactly. It does help to some extent but is rather trivial to bypass and many viruses exist that will bypass it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 06:25:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE Virus info wanted (PC)

HANK PIKE (pike@UTKVX.UTCC.UTK.EDU) writes:

> If you want a great antivirus program, try F-prot, it is available free
> to private users and it is by far the best AV program I have found. Stay away
> from McAfee, it is no good from what I have seen. It could not clean up the
> MONKEY virus and F-prot got it right away.

I completely agree with all of the above. However, the original question was about MtE and, unfortunately, I have to notice that F-Prot fails to detect all replicants of some MtE-based viruses. Of course, the same is true for McAfee's SCAN, except that it misses replicants much more often.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 06:36:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Killed the Monkey Virus (PC)

TC Molloy (dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com) writes:

> I put the disk in my PC and typed 'dir'. Immediately, the bells and
> whistles from my Anti-viral package went off. The "Monkey" virus was
> attempting to write to the boot sector of my hard disk and my anti-virus
> software package had frozen my machine waiting for me to respond with
> Proceed or Stop.

That's strange... If you just do a 'dir' on a Monkey-infected floppy, the virus will NOT try to write to the disk. In fact, it will not even be activated in any way. And not just Monkey - any virus.
Now, if you already had Monkey running in the memory of your computer, and then tried to access a *clean* diskette, THEN the virus would have tried to infect the diskette (i.e., write to its boot sector), but a software anti-virus package probably won't detect this, for several reasons. Of course, if you were running a resident *scanner*, then accessing an infected floppy would have caused the scanner to detect the PRESENCE of the virus on it - not an attempt to write to the boot sector.

> My anti-virus package stops whenever anything attempts to
> write to the boot sector without permission.

I'm pretty confident that it can be easily bypassed by a tunnelling virus.

> The "Monkey" virus is an encrypted virus that can only be identified when
> it is in RAM.

Rubbish. It can perfectly well be detected and identified on the disk as well. Of course, for this purpose you'll have to read the disk's boot sector (MBR, if it is a hard disk) - and DOS reads the sectors into memory, so if this is what you meant...

> The "Monkey" virus re-writes the boot sector on the disk
> (floppy or hard).

On hard disks it rewrites the MBR.

> There are no viral signatures on the disk to identify
> and destroy.

Of course there are. Most of the virus body in the floppy boot sector or the hard disk MBR is unencrypted and a scan string from it can be picked easily. It is the *original* MBR that is encrypted, but even then the encryption is trivial (XOR with 2Ah).

> floppy disks. When I attempted to boot his machine from a clean floppy,
> the hard disk drive was not visible or identifiable (Drive not found).

Not visible to DOS. You can still use the BIOS calls (INT 13h) to access the hard disk and remove the virus.

> At the customer's home office, the notebooks go into a docking stations
> that is connected to a LAN. They use the LAN to pass files using Lotus
> Notes. I asked the customer to have the office machines tested and, sure
> enough, they too were all infected with the "Monkey" virus.
> A conversation
> with the LAN administrator indicated that the problem had only appeared
> within the last week.

In any case, the LAN is irrelevant for the virus spread in your case. Monkey, like any other boot sector and master boot sector infector, is unable to spread across networks. They spread only with floppy disk exchange.

> All the customer machines had an anti-viral package from Central Point or
> other vendors but they were NOT up-to-date on the latest virus definitions.
> A old copy of McAfee was run on an infected machine and it reported no
> infections.

That's a pretty sad and a pretty widespread case. Many people are still running anti-virus programs that are bad, obsolete, or both.

> The encrypted "Monkey" virus file stores itself in the boot sector only,

This is on the diskettes. On the hard disk, it stores itself in the master boot record.

> therefore, to eradicate the virus, the boot sector of the disk must be
> erased or the disk partition deleted.

Nope, all you have to do is to fetch the original MBR, decrypt it, and put it in its place at the first physical sector of the hard disk. Beware, if you have more than one hard disk, this virus will infect the other one too - although it won't be able to activate from there, unless you install it as a bootable disk.

> When the
> "Monkey" virus infects a disk, it copies the original boot sector as a file
> to somewhere else on the disk.

No, it doesn't copy it as a file. It stores it in the last sector of the root directory on a floppy, or in physical sector 0/0/3 on the hard disk.

> The boot sector can be rebuilt using
> Symantec's Norton Disk Doctor (NDD C: /REBUILT) which will delete the boot
> sector, find the original file and restore the machine.
> Also, the floppy

The virus is stealth, so as an alternative solution you could boot from the infected hard disk, store the MBR in a file (for instance, with Norton's Disk Editor), then boot from a clean floppy, and replace the MBR with the contents of this file. Of course, at each moment you must know what you are doing, otherwise you should better consult an expert.

At last, having in mind all the technical errors in the above message of yours, may I kindly suggest that you check your facts first (and carefully!) before posting information that could mislead some less experienced people who might happen to read it? Thanks.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 07:12:33 -0400
From: Henrik Stroem
Subject: Re: Killed the Monkey Virus (PC)

TC Molloy writes June 27th;

> I put the disk in my PC and typed 'dir'. Immediately, the bells and
> whistles from my Anti-viral package went off. The "Monkey" virus was
> attempting to write to the boot sector of my hard disk and my anti-virus
> software package had frozen my machine waiting for me to respond with
> Proceed or Stop. My anti-virus package stops whenever anything attempts to
> write to the boot sector without permission. Of course, I said STOP..

This is totally bogus. The virus doesn't execute just because you are doing a DIR. This is not the way DOS works. Read the FAQ for this group. Thus the virus did NOT try to write to the boot sector of your harddisk when you performed a dir on the infected diskette. You have to boot off from the infected diskette for this to happen.

> The "Monkey" virus is an encrypted virus that can only be identified when
> it is in RAM.
The Monkey virus is NOT encrypted, and can of course be identified both in RAM and on disk. Read the FAQ to learn about stealth, etc.

> There are no viral signatures on the disk to identify and destroy.

Again a misconception. There are signatures to extract from the Monkey viruses, but you don't "kill" or "destroy" the signature, but rather you would like to overwrite the infected sector with non-infected boot code (as in "non-replicating").

> The user of an infected machine experiences problems reading
> floppy disks. When I attempted to boot his machine from a clean floppy,
> the hard disk drive was not visible or identifiable (Drive not found).

This is because the partition table is overwritten with virus code and data, and in order to "see" the harddisk the virus must be active in memory.

> "Monkey" virus infects a disk, it copies the original boot sector as a file
> to somewhere else on the disk. The boot sector can be rebuilt using

Nope. It stores the original MBR in encrypted form at cyl 0, head 0, sec 3. This is outside the area of the filesystem (at least for FAT under current DOS versions).

> Symantec's Norton Disk Doctor (NDD C: /REBUILT) which will delete the boot
> sector, find the original file and restore the machine. Also, the floppy
> disk boot sectors were rebuilt using NDD to prevent re-infection.
> Retesting the machine with my anti-viral software confirmed that "Monkey"
> was no longer present.

You should check out the file killmnk3.zip available by ftp from oak.oakland.edu (141.210.10.117) in directory /pub/msdos/virus

It contains a program that disinfects the Monkey variants in a convenient and safe way. It also contains more detailed information about the Monkey virus.
Sincerely,

Henrik Stroem
Stroem System Soft

------------------------------

Date: Tue, 28 Jun 94 08:58:51 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Junkie virus (PC)

rbhessing@amoco.com (Bart Hessing) writes:

>I recently read something about a new, advanced virus called "Junkie",
>but don't have any details about it. Can anyone enlighten? Thanks.

the virus is new, but not very advanced, or remarkable in any way..it is 1027 bytes long, and encrypted with a simple "xor with constant" ... it was easy to add detection/disinfection of it, but I didn't bother to analyse it in detail.

- -frisk

------------------------------

Date: Tue, 28 Jun 94 09:06:07 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Killed the Monkey Virus (PC)

dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy) writes:

>I would like to share an experience with the "Monkey" computer virus on
>June 3, 1994.

unfortunately some of it is somewhat incorrect.

>The "Monkey" virus is an encrypted virus that can only be identified when
>it is in RAM.

no ... it is very easy to detect, provided that the machine is booted from a clean diskette - not an infected hard disk.

> The "Monkey" virus re-writes the boot sector on the disk
>(floppy or hard).

to be exact - the Master (Partition) boot sector on the hard disk...it does not touch DOS boot sectors on the hard disk

>There are no viral signatures on the disk to identify
>and destroy.

Huh ? when you boot from a clean diskette, the virus can easily be found with a single search string.

>The user of an infected machine experiences problems reading
>floppy disks. When I attempted to boot his machine from a clean floppy,
>the hard disk drive was not visible or identifiable (Drive not found).

This is because the virus overwrites the data part of the MBR, not just the code part....this is also why FDISK /MBR does not work.
The KILLMONK program removes it easily, as well as many anti-virus programs...it is a bit difficult to remove by hand.

here is our standard Tech note on this subject:

- ----------------

Frisk Software International - Technical note #7

Monkey virus removal

The problem with removing the monkey virus is that it changes the data part of the partition sector. This means that if you attempt to remove it after booting from the hard disk, the virus is active and able to hide by using stealth techniques. If you boot from a diskette, the partition data is invalid, and all the drives on the hard disk seem to be gone.

What you need to do is:

1) Boot from a clean diskette
2) Run F-PROT /HARD /DISINF (not F-PROT C:)
3) Disinfect
4) Reboot the machine - the hard disk should re-appear, and the machine should be clean.

- -frisk

------------------------------

Date: Tue, 28 Jun 94 14:39:18 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: New AV software (PC)

> I read that Windows files
> are basically uninfectable.

Not true.

> if we posit
> a new AV product with essentially a 100% hit rate,

Not possible. You can only attain this in a test using the same set of viruses as the set that your AV recognises. Neither you nor any tester will ever have a set of all existing viruses. Some testers will always have viruses your AV does not recognise.

> very fast integrity
> checker, heuristics, etc., etc., in short a betterfasternotcheapersmarter
> product, does anyone care? Does the world want/need a new AV product?

No, existing products are falling out of the marketplace now.

> And by the way, what does it take
> in an AV company to be a top three player?

Starting 3 or 4 years ago would have helped. The main requirement is a top virus researcher. There aren't many, and most companies only have one or two.
If you start from scratch, you will have to catch up with nearly 5000 existing viruses just to get level, then an ever increasing number of new viruses, currently running around a thousand a year. And then you have to convince corporate users that your lack of track record does not make your product less desirable than the ones that can point to a solid record of updates going back 4 years or more.

- --
MOM AND POP           AS PLAIN
ARE FEELING GAY       AS DAY
BABY SAID             Burma Shave

------------------------------

Date: Tue, 28 Jun 94 19:10:38 +0000
From: kbukala@undergrad.math.uwaterloo.ca (Kamil Bukala)
Subject: Virus Infection (PC)

I think I have been hit by, well, an unknown virus (to me anyway).. It started at work when the system there got a seriously screwed up windows/system directory (many cross-linked files and allocation errors, which check disk couldn't fix but norton 7 did).. But 2 weeks after that another system did the same thing, so after scanning with McAfee and F-prot (not finding anything resembling a virus) we decided that the virus was gone..

I was using my computer (about 3 weeks after the system at work was fixed) and well the IDE I/O card overheated (could smell it), so I got a caching controller from a friend at work and installed that but it messed up my hard drive. Thinking it was the controller that messed up my hard drive I took it back to work and installed it there on a regular controller. After booting a couple of times (got the divide overflow message twice) the screen went blank and I got the following message:

"Disks travel in packs."

Anybody know what virus this is and how to get rid of it??

Email reply preferred at: kbukala@cayley.uwaterloo.ca

------------------------------

Date: Tue, 28 Jun 94 11:41:34 -0800
From: a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com
Subject: Re: Monkey Virus Attack (PC)

dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy) writes:

>I had a little excitement yesterday.
> An accounts customer was directed to
>me concerning a problem. He couldn't read a DOS floppy diskette on his
>Compaq notebook. He wanted to know if I could help him to recover his
>critical data.

>I put the disk in my AST notebook and typed 'dir'. Immediately, the bells
>and whistle from my Anti-viral package went off. The "Monkey" virus was
>attempting to write to the boot sector of my hard disk and my anti-virus
>software package had frozen my machine waiting for me to respond with
>Proceed or Stop. My anti-virus package stops whenever anything attempts to
>write to the boot sector without permission. Of course, I said STOP.....

I find it hard to believe that typing 'dir' can actually activate a virus, unless your (AST) computer was already infected. Of course, Monkey could have been on the floppy, and your anti-viral software could automatically scan new floppy boot sectors, but that's not what you said.

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date: Tue, 28 Jun 94 23:04:18 -0400
From: ehill@world.std.com (ed hill)
Subject: First Posting - First Virus heeeellllp (PC)

hello

last week i started getting "invalid command.com" messages when returning to dos from 3ds or Windows. within hours of the first messages i started seeing scrambled characters upon running "dir" or using file mgr. this was of course happening to the most oft accessed directories. i'm coming to the end of a large project and the damage is considerable. recent backups are, i think, also infected.

i've run the most recent f-prot, mcafee, and thunderbyte. no help. nothing identified. although thunderbyte acknowledges that the command.com is infected it doesn't find the source.

i do computer art, animation and vr so while i'm somewhat comp. literate this is clearly out of my league.
please email me at ehill@world.std.com if you have any suggestions. or post here if it seems pertinent.

thanks in advance

ed hill

------------------------------

Date: Wed, 29 Jun 94 10:21:32 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: Server-Downing Viri (PC)

> U56513@uicvm.uic.edu " Christopher Aedo" writes:
>> Also, which anti virus package is the best one out there these
>> days?

I recommend McAfee's NETShield, an NLM that has been Novell Tested and Approved for 3.11, 3.12, SFT-III, NetWare for OS/2 and 4.01. It also has the best detection rates according to the latest versions of VSUM. Couple that with McAfee's NEW generation workstation anti-virus products (including Windows) which will have production versions soon, and you will have a great combination of detection, prevention and support.

Best regards,

Norman Hirsch                          Phone: 212-304-9660
NH&A, authorized McAfee agent          Fax: 212-304-9759
577 Isham St. # 2-B                    BBS: 212-304-9759,,,,,,,3
New York, NY 10034                     CompuServe: 72115,661
USA                                    Internet: nhirsch@panix.com

------------------------------

Date: Tue, 28 Jun 94 03:07:05 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re| Server-Downing Viri (PC)

frisk@complex.is (Fridrik Skulason) wrote:

> There are a few viruses that are Netware-specific, attempt to use loopholes
> in some particular versions of Netware, but they are not among those you listed.

What are these viruses and versions of Netware?

- --
OK

------------------------------

Date: Tue, 28 Jun 94 04:04:14 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re| FLIP and CANSU (V-SIGN) viruses (PC)

buster@klaine.pp.fi (Kari Laine) writes:

> itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:
> >From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
> >Subject: FLIP and CANSU (V-SIGN) viruses (PC)
> >Date: Tue, 21 Jun 1994 10:23:12 EDT
> >After having a recent _nightmare_ with my PC (work deadlines
> >and a virus attack) I found *TWO* of the critters on my machine.
> >These were the FLIP virus and CANSU (or V-SIGN).
> >I thought it was a general hardware failure of the
> >hard drive, not a virus.
>
> 1. Virus caused damage to your partition sector.
>
> 2. Norton finished the work :-(
>
> Now you need an expert who could have a look on your hard disk.
> But because of 2. it might be gone.
>

Flip-2343, -2365 infects COM, EXE and the Partition Table of the first hard disk and cuts 6 sectors from the Partition. If you have an EGA adapter, this virus makes a video effect - it turns over letters on the screen. There is also Flip-2153.

- --
OK

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 51]
*****************************************
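The Monkey removal procedure that Bontchev, Stroem and Skulason describe in the threads above (original MBR stashed XOR-encrypted with 2Ah at physical sector 0/0/3, partition table in sector 0 overwritten so DOS no longer sees the drive) lends itself to a small recovery tool. The following is an added example written for this digest; it is not code from KILLMONK, F-PROT, Norton or any other product mentioned. It assumes a raw disk image held in memory, 512-byte sectors, and the conventional CHS-to-LBA mapping in which CHS 0/0/3 is LBA 2 (CHS sector numbers start at 1). The disk image it works on is constructed inside the block: a placeholder sector stands in for the virus body, and no real virus code is involved.

```python
"""Recover an MBR stashed by a Monkey-style master boot sector infector.

Added example for the VIRUS-L digest thread; not code from the digest
or from any product it names. Assumes the layout the thread describes:
the original MBR is stored XOR-encrypted with 0x2A at CHS 0/0/3 (LBA 2)
and the infected sector 0 carries an unusable partition table. Operates
on a raw disk image in memory; the sample image below is constructed.
"""
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446
MONKEY_XOR_KEY = 0x2A        # key quoted in the thread ("XOR with 2Ah")
ORIGINAL_MBR_LBA = 2         # CHS 0/0/3 on a conventional disk


def read_sector(image: bytes, lba: int) -> bytes:
    start = lba * SECTOR
    return image[start:start + SECTOR]


def partition_table_plausible(sector: bytes) -> bool:
    """Cheap sanity check that a 512-byte sector looks like a usable MBR.

    Requires the 0x55AA signature, boot flags of 0x00 or 0x80, at least
    one used partition entry with a non-zero size, and at most one active
    entry. This is what decides whether a recovered copy is safe to write.
    """
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    active, used = 0, 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        boot_flag, ptype = entry[0], entry[4]
        _lba_start, lba_size = struct.unpack_from("<II", entry, 8)
        if boot_flag not in (0x00, 0x80):
            return False
        if ptype == 0:
            continue
        if lba_size == 0:
            return False
        used += 1
        active += boot_flag == 0x80
    return used >= 1 and active <= 1


def recover_original_mbr(image: bytes):
    """Decrypt the stashed copy at LBA 2; return it, or None if it does not validate."""
    stashed = read_sector(image, ORIGINAL_MBR_LBA)
    candidate = bytes(b ^ MONKEY_XOR_KEY for b in stashed)
    return candidate if partition_table_plausible(candidate) else None


def disinfect_image(image: bytes) -> bytes:
    """Return a copy of the image with the recovered MBR written back to LBA 0."""
    original = recover_original_mbr(image)
    if original is None:
        raise ValueError("no valid MBR recovered from LBA 2; refusing to write")
    return original + image[SECTOR:]


def build_sample_image() -> tuple:
    """Constructed test data: (clean image, infected image), four sectors each."""
    code = b"\xeb\xfe" + b"\x00" * (PARTITION_TABLE_OFFSET - 2)  # jmp $ + padding
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0x3F, 0x7F])  # active FAT16
    entry += struct.pack("<II", 63, 2097088)                         # LBA start, size
    original_mbr = code + entry + b"\x00" * 48 + b"\x55\xaa"
    assert len(original_mbr) == SECTOR
    filler = b"\x00" * SECTOR
    clean = original_mbr + filler + filler + filler
    # Placeholder bytes stand in for the virus body (not real code). The
    # partition table area is garbage, which is what makes the disk
    # "vanish" when booted from a clean floppy.
    bogus_mbr = b"\x90" * 510 + b"\x55\xaa"
    encrypted = bytes(b ^ MONKEY_XOR_KEY for b in original_mbr)
    infected = bogus_mbr + filler + encrypted + filler
    return clean, infected


if __name__ == "__main__":
    clean, infected = build_sample_image()
    print("infected MBR plausible:", partition_table_plausible(infected[:SECTOR]))
    fixed = disinfect_image(infected)
    print("recovered MBR matches original:", fixed[:SECTOR] == clean[:SECTOR])
```

The validation step is the point: as both Bontchev and the Frisk tech note stress, you only write to the first physical sector when you know what you are putting there, and a copy that decrypts to something without a sane partition table is a signal to stop and consult someone rather than to keep guessing. On a real machine the read and write would go through direct sector access (INT 13h in the DOS of the day) after booting from a clean diskette, because with the virus resident the stealth code would hand back a forged sector 0.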
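Bontchev's reply about SCAN checking its own integrity (open the file, checksum it, compare) and his assessment of the vbait bait file describe the same mechanism: a baseline of file fingerprints compared against a later scan. Here is an added example of that mechanism, not code from SCAN, VShield, vbait or any product in the digest; a bait file is just one more entry in the baseline, and the known length changes quoted in the digest (Drug-959/987, Junkie) are used only as a hint in the report. The files it checks are constructed in a temporary directory.

```python
"""Baseline integrity check of the kind the SCAN and vbait replies describe.

Added example for the VIRUS-L digest thread; not code from any product
it names. Records (size, SHA-256) per watched file, then reports files
whose contents changed and by how many bytes. Sample files are constructed.
"""
import hashlib
import os
import tempfile

# Length changes quoted in this digest; a hint for the report, never proof.
KNOWN_GROWTH = {
    959: "matches Drug-959/987 (COM)",
    987: "matches Drug-959/987 (EXE)",
    1027: "matches Junkie",
}


def fingerprint(path):
    """Return (size, sha256 hex digest) for a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Compare files against a baseline.

    Returns {path: (size_delta, note)} for each file that is missing or
    whose digest differs; size_delta is None when the file is missing.
    A file whose size is unchanged but whose digest differs is still
    reported, which is why size alone is not enough.
    """
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = (None, "missing")
            continue
        new_size, new_digest = fingerprint(path)
        if new_digest == digest:
            continue
        delta = new_size - size
        findings[path] = (delta, KNOWN_GROWTH.get(delta, "content changed"))
    return findings


def demo():
    """Constructed scenario: the bait COM grows by 959 bytes, a second file is untouched."""
    with tempfile.TemporaryDirectory() as d:
        bait = os.path.join(d, "BAIT.COM")
        other = os.path.join(d, "OTHER.EXE")
        with open(bait, "wb") as f:
            f.write(b"BAIT FILE - placeholder bytes")
        with open(other, "wb") as f:
            f.write(b"MZ" + b"\x00" * 510)
        baseline = build_baseline([bait, other])
        # Simulate the length change reported in the _HELP thread by
        # appending zero bytes; nothing here is an actual infection.
        with open(bait, "ab") as f:
            f.write(b"\x00" * 959)
        findings = check_baseline(baseline)
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, (delta, note) in demo().items():
        print(f"{name}: size delta {delta}, {note}")
```

Two caveats follow directly from the thread. The check only sees what the operating system returns, so against a resident stealth virus it must run after booting from a clean diskette, exactly as Bontchev limits SCAN's self-check to "a non-stealth virus". And, as he says of vbait, a bait file catches only the classes of virus that happen to touch it; it is a cheap extra signal, not protection on its own.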