VIRUS-L Digest   Friday, 15 Jul 1994    Volume 7 : Issue 53

Today's Topics:

Re: GOOD vs. BAD HUH?
Re: books on virus' and their history?
Re: books on virus' and their history?
Re: ARJ-, ZIP-viruses ?
Re: virus terrorists (?)
Re: books on virus' and their history?
Good Viruses
Re: Types of viruses???
Re: The truth about good viruses
Fred should owe me a grand ?
Looking for reviews
Re: Stop the Madness! :-)
Re: The truth about good viruses
Re: Killing the Monkey Virus (PC)
Re: false alarm (boot sector changed) by M (PC)
Re: Little Fishies? (pc)
Re: Why so many Leprosy viruses? (PC)
Re: Best Anti-virus software (PC)
Re: HELP!!!!! (PC)
Network virus protect (PC)
Re: Help! (PC)
Stoned Virus help needed (PC)
Re: Dr Solomon's on the move! (PC)
Re: Matura (PC)
Best Anti-virus software (PC)
Re: SMEG Junkie (PC)
Re: Budo Virus (PC)
Re: Help! (PC)
Re: STACK virus (PC)
Re: Virus found, Please help! (PC)
Re: NATAS Virus? (PC)
Re: Stoned.Manitoba (PC)
Re: Need help on "stoned" virus (PC)
Re: Why so many Leprosy viruses? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 01 Jul 94 11:01:54 -0400
From: jroberts@ripco.com (Jack Roberts)
Subject: Re: GOOD vs. BAD HUH?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> First, as I already pointed out in another message of mine, just
> asking the user for permission to infect is not enough, because it
> causes an interruption that may be unwanted. No, a virus that claims
> to be "beneficial" *must* not infect a system, unless the owner of
> that system *actively* invites the virus. And there should be no place
> for mistakes, that is, cryptographically strong means should be used
> to authenticate the virus to the system and the system to the virus.

One does have to invite KOH to install itself. To get it to set itself
up on your hard drive, you have to first install it on a floppy disk
and then boot using that floppy. It then asks you if you want it to
install. It's pretty hard to do this by accident.

------------------------------

Date: Fri, 01 Jul 94 11:05:02 -0400
From: joedal@dfi.aau.dk (Lars Joedal)
Subject: Re: books on virus' and their history?

hankp@UTKVX.UTCC.UTK.EDU (REMOTE SUPERVISOR) writes:

>Hello all, I was wondering if anyone knew of a good book about viruses and
>their history.

There is

    Computers Under Attack - Intruders, Worms, and Viruses
    Edited by Peter J. Denning

Since the book is 5 years old it is from the good old days when there
were few viruses, and as such it is not especially strong on viruses.
But it does contain some material of historical interest.

My advice is: If you are only interested in viruses then find the book
in a library and read the chapters that are on viruses. If you are
interested in computer security as such, insider stories of the
Internet Worm, how to build invisible self-reproducing trojan horses
into compilers, etc. then go ahead and buy the book.
/Lars

+------------------------------------------------------------------------+
| Lars Jødal               | Q: What's the difference between a quantum  |
| email: joedal@dfi.aau.dk | mechanic and an auto mechanic?              |
| Physics student at the   | A: A quantum mechanic can get his car into  |
| University of Aarhus     | the garage without opening the door.        |
| Denmark                  |                              -- David Kra   |
+------------------------------------------------------------------------+

------------------------------

Date: Fri, 01 Jul 94 11:01:28 -0400
From: jroberts@ripco.com (Jack Roberts)
Subject: Re: ARJ-, ZIP-viruses ?
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> > Are there viruses which really infect .ARJ and .ZIP files ?
>
> I know of only one such virus - the Russian virus Archive_Worm, which
> infects ARJ archives. However, it is not the existence of such

How does that go about happening? Does it infect when you unarchive the
thing? Why does ARJ let it do this?

------------------------------

Date: Fri, 01 Jul 94 11:03:29 -0400
From: tracker@netcom.com (Craig)
Subject: Re: virus terrorists (?)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

: And yes, there *are* a lot of things there (Eastern Europe) that cause
: frustration - I can tell you from personal experience... :-) This has
: caused a lot of people in Bulgaria, Russia, and other countries to
: write viruses. Of course, while being a reason, it is certainly not an
: excuse, and you shouldn't get the impression that everybody there is
: doing this.

I still fail to see why frustrated people would do this. Why don't they
find some hobby like fishing, some kind of sport/athletic activity,
etc. instead of causing havoc and lost work for millions of people
worldwide. If frustrated people want to possibly exercise their
intellect why not take up chess and win several tournaments.

------------------------------

Date: Fri, 01 Jul 94 11:03:00 -0400
From: tracker@netcom.com (Craig)
Subject: Re: books on virus' and their history?

REMOTE SUPERVISOR (hankp@UTKVX.UTCC.UTK.EDU) wrote:

: Hello all, I was wondering if anyone knew of a good book about viruses and
: their history. I heard of one a while back but could not recall the name. My
: point is not to build a virus, but to learn more about them, first ones, what
: certain ones do, etc. any help is appreciated.
: Hank Pike

Dr. Alan Solomon of S&S International has one. Maybe someone here can
provide a title.

------------------------------

Date: Fri, 01 Jul 94 13:02:55 -0400
From: "AMERICAN EAGLE PUBLICATION INC."
      <0005847161@mcimail.com>
Subject: Good Viruses

After reading the ongoing discussions about good viruses in virus-l, it
would seem that some people will never agree on anything related to
this subject. I would like to ask a question to some of the people who
seem ready to attack any and everyone who suggests a good virus is
possible: What criteria would you propose to qualify a virus as "good"?

At one end of the spectrum, I see people who say a virus is good if one
can imagine a hypothetical use for it. At the other end of the
spectrum, it seems there are some who take the stand that no virus is
good. If you take the latter position then there isn't any point
discussing the matter because it's already been decided as a postulate,
an article of faith. Are you hard-liners trying to deal with viruses by
postulating that they are bad, or is there SOME criteria which even you
might use to agree that some virus is truly good?

Please be careful if you answer. I don't think it's reasonable to say
that such a virus should achieve a standard that is higher than what
comparable non-viral software should achieve. If you do that, then you
are really saying there is no such thing as good software. For example,
saying that a piece of viral software must never cause problems with
other software in order to be good is ignorant. There is no software
that NEVER causes problems with other software, at least not on PC's.
And the closer to a systems level one gets, the more it is true. On the
other hand, buggy software isn't commercially viable, and that could
equally be applied to viruses as well.

===============================================================================
Mark Ludwig, American Eagle Publications, Inc.
PO Box 41401, Tucson AZ 85717    (602) 888-4957    ameagle@mcimail.com
===============================================================================

------------------------------

Date: Fri, 01 Jul 94 15:18:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Types of viruses???

Mike Winkelman (mlwinkelman@dow.com) writes:

> I was wondering if there is a faq for this group and
> where it might be?

I'm surprised Ken has not answered this... The FAQ is posted here
monthly and the last posting of it was not so long ago. It can also be
found on several ftp sites, including ours:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/v-l-faq.zip

> Also, could someone explain in short sentences and laymans
> dialog the major methodologies by which viruses infect
> computers?

FAQ, section B.

> I'm particularly interested to find out if there are any viruses
> that infect things like word processing files or other nonexecutable
> files that get transported from work to home and vice versa.

FAQ, question E5.

> Just what are the problems with doing that??
>
> I do not intend to floppy transport any executables.

You are still not safe. FAQ, question E1.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 01 Jul 94 15:45:41 -0400
From: "D.J.E.Nunn"
Subject: Re: The truth about good viruses

computergy@aol.com (Computergy) writes:

>UCCDASD Administration writes:
>
>I have concerns about a 'good' virus. As anyone who uses computer
>software on a regular basis even the best program can have errors and
>glitches.
>A 'good' virus no matter how well written is bound to have
>some conflict with other software or equipment that causes it to do a
>bad thing.
>Since there are millions of combinations of computers and software
>there is always going to be a chance that the virus will do something
>wrong.
>

Would you use this argument to show that there are no good programs?

------------------------------

Date: Fri, 01 Jul 94 16:36:55 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Fred should owe me a grand ?

From: "Brian H. Seborg"
Subject: A virus definition...

>"We define a computer 'virus' as a self-replicating program that can 'infect'
>other programs by modifying them or their environment such that a call to an
>'infected' program implies a call to a possibly evolved copy of the 'virus'."

This is a very good definition though I would be tempted to say
"possibly evolved but functionally similar" to account for "real" virus
behavior.

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>Subject: Re: GOOD vs. BAD HUH?

>In fact, it is extremely easy to implement a primitive version of what
>I described above. A simple set of command lines inserted in the
>system login script and a couple of external programs will do the job...

>Now, consider the above for a moment. Is it a virus? Is it a
>beneficial virus?..

>"Of course yes!", will say Dr. Fred Cohen. "It conforms to my
>definition. It is able to replicate (parts of) itself under certain
>conditions. Therefore, it is a virus. It does some useful job.
>Therefore, it is a beneficial virus.".

This is where we differ (and why the addition above). In updating
software on many workstations from a server, the update is copied NOT
the update mechanism and this is a major difference. The best just copy
new data files.
Since I will claim origination of the technique (see Virus-L postings
in 1991 & 1992) in PCs, if you will refer to those postings it will be
noted that this was the reason it was not considered a virus for the
purposes of Fred's famous contest and no-one dissented.

To me, the difference between a worm and a virus is that the first is a
stand-alone process and the second is parasitic. The common point is
that both strive to become self-invoking as opposed to user-requested.
This IMHO is the dangerous part since a virus, worm, or any other
program CANNOT determine that it is safe to be invoked at any random
time given a single state machine such as a PC. (I suspect this is
provable under Turing but am not particularly interested in doing so
myself).

Further, and also under Turing, it is impossible for a process to
determine if a random program, even one meeting specific criteria, can
be infected without damaging either the program or the environment.

Given this postulate (it is impossible for a process to determine with
certainty that it may run or modify another program or process without
damage), how could there be a beneficial virus ? True, many programs
need special massaging but the user usually knows what is going on.
Windoze INSTALL programs may well be viruses (or at least trojans)
under this definition.

Well reasoned efforts to specify conditions under which the above can
be proven false are welcomed. Flames >nul.

Warmly,
Padgett

ps I have a word for the Junkie: booooorrrrriiinnnnggg.

pps IMHO Virus-L needs a 441 error (NNTP)

------------------------------

Date: Fri, 01 Jul 94 17:18:44 -0400
From: scsabir@tvgurus.hdtv.zenithe.com (Andrew Birner)
Subject: Looking for reviews

Greetings, all.

I am looking for recent reviews of anti-virus packages. I downloaded
several from the archives on cert.org; these were all at least one year
old, and of somewhat limited utility.
I would appreciate pointers to any reviews which might be available on
the net; I would also be interested in pointers to such reviews which
may have appeared in print recently. (In particular, I'm looking for
reviews of McAfee, CPAV, and the commercial version of F-PROT.)

Thank you in advance for any responses,

Andrew Birner
Zenith Electronics Corporation

------------------------------

Date: Fri, 01 Jul 94 17:18:58 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Stop the Madness! :-)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

> Suppose your company has thousands of PCs, all connected together to a
> huge LAN. You are the owner of the company, or at least the person
> charged for virus protection of the LAN. You want to make sure that
> each PC is running the latest version of your favorite anti-virus
> program.

> Well, problem is, the scanner part of any anti-virus program needs
> constant updating, and updating thousands of PCs every month is a
> pain. That's why, you do the following. You install the latest copy of
> the anti-virus program on the server (this requires only one copy to
> be constantly updated, instead of thousands of them), and put a small
> program in the login script.

> At login time, i.e., whenever a user tries to log in from his/her
> workstation, this program checks whether the workstation is running
> the latest version of the anti-virus package. If this is not the case,
> the program offers the user to automatically update his/her copy from
> the server and then to reboot the PC (so that any resident scanners
> are reinstalled from the updated versions). If the user does not
> accept the offer, then access to the LAN is refused.

> Well, according to Dr. Cohen's definition, the anti-virus package,
> together with the login script and the parts that do the checking and
> the copying of the updated versions, is a virus - because it copies
> (possibly modified parts of) itself.

Sorry for the long quote..
We use a similar system at work, where when a PC connects to the
mainframe, it is checked to make sure that it has the latest versions
of certain software. If not, you are offered an automatic update.

However, that is not the same as the examples of AV programs used.
These programs offer to update themselves, but the version that they
update is not capable of further updating other copies. So the 'virus'
has failed to reproduce a functionally identical version of itself,
ergo, it is not a 'virus', but an installer.

Or am I playing with words and semantics?

- --
- -----------------------------------------------------------------------------
Ian Douglas           InterNet: iandoug@cybernet.za
P.O. Box 484          Lead, Follow,           FidoNet: 5:7102/119
7532 Sanlamhof        or get out of           TopNet:  225:2048/1
South Africa          the way.
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 01 Jul 94 17:21:24 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: The truth about good viruses

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

> For instance, the company that produces the virus could publish some
> kind of public key for it; then the user could make available (to the
> virus) an invitation encrypted with this public key, and so on - the
> particular details of the protocol are left as an exercise to the
> cryptographically inclined reader.

{...}

> Why unknown? It says "Hi! I am the SuperDuper beneficial virus made by
> BeneViral Software Inc. and here is my MD5 hash, signed with my secret
> key". You compute the MD5 hash yourself, verify the one in the virus
> using the published public key, check that the two values match and
> then you know that this is indeed a BeneViral Software's product.

Is it expected to do this every time it infects a file or boot sector?
That could get rather annoying.. as well as life threatening (in your
hospital examples..)
Cheers,
Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas           InterNet: iandoug@cybernet.za
P.O. Box 484          Lead, Follow,           FidoNet: 5:7102/119
7532 Sanlamhof        or get out of           TopNet:  225:2048/1
South Africa          the way.
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 01 Jul 94 11:04:48 -0400
From: hzf30@mfg.amdahl.com (Curly)
Subject: Re: Killing the Monkey Virus (PC)

dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy) writes:

> I would like to share an experience with the "Monkey" computer virus on
> June 3, 1994.
>
> A customer was directed to me concerning a problem. He couldn't read a DOS
> floppy diskette on his notebook PC and wanted to know if I could help him
> to recover his critical data.
>
> I put the disk in my PC and typed 'dir'. Immediately, the bells and
> whistles from my Anti-viral package went off. The "Monkey" virus was
> attempting to write to the boot sector of my hard disk and my anti-virus
> software package had frozen my machine waiting for me to respond with
> Proceed or Stop. My anti-virus package stops whenever anything attempts to
> write to the boot sector without permission. Of course, I said STOP.....

I was under the impression that there are no viruses, currently known,
that can infect a system by merely using the "dir" command. If so, then
your anti-virus package merely stated it had found the "Monkey" virus
on the diskette. The virus, however, was not active in memory, and
therefore couldn't have been "attempting to write to the boot sector"
of your hard disk. Can someone with real knowledge confirm or deny?

- -Curly

>
> The "Monkey" virus is an encrypted virus that can only be identified when
> it is in RAM. The "Monkey" virus re-writes the boot sector on the disk
> (floppy or hard). There are no viral signatures on the disk to identify
> and destroy.
> The user of an infected machine experiences problems reading
> floppy disks. When I attempted to boot his machine from floppy, the hard
> drive was not visible or identifiable (Drive not found).
>
> - --
> TC Molloy
> Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com
>

------------------------------

Date: Fri, 01 Jul 94 11:04:03 -0400
From: hzf30@mfg.amdahl.com (Curly)
Subject: Re: false alarm (boot sector changed) by M (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Henrik Stroem (hstroem@ed.unit.no) writes:
>
> > Try my HS v3.58. Available by ftp from 141.210.10.117:/pub/msdos/virus
> > as the file hs-v358.zip. It is a bootsector integrity checker that
> > will detect all bootinfectors, and automatically remove them. It uses
> > no RAM, and executes in less than a second on most machines.

Is there an option to "remove them" upon confirmation from the user,
rather than doing it automatically?

> I do have your HS v3.58 and it is on our ftp site. The only problem is
> that it refuses to run on my machine - something I have reported to
> you several times in the past. As far as I recall, the problem occurred
> because the installation program was trying to trace an interrupt down
> to the BIOS - but my machine is running QEMM in stealth mode.

I have not been able to get this program to run on my system either. It
may have been because I have Padgett's DiskSecureII protecting the
system, but that is only speculation.

- -Curly

------------------------------

Date: Fri, 01 Jul 94 11:02:28 -0400
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Little Fishies? (pc)

Mon, 27/06/94 computergy@aol.com (Computergy) [Emerson] writes:

>About a year ago I had to do a search and destroy mission on a
>client's machine. I knew there was a virus lurking but only one
>program out of four I used would detect and clean it.
>
>I believe it infected the partition table on the hard drive.
>It would replicate onto every floppy disk placed in a drive. (took
>hours to track down all floppies that had been in the machine.)
>When active it would slow the machine to a crawl, then lock it up,
>and display the words 'Save the Little Fishies'.
>
>I have never read anything about a virus of this sort.
>For personal interest, does anyone have an idea?

"Stoned" is a very good example of a virus that hangs the PC and then
shows various messages depending on the version (many people take the
trouble to modify viruses). If you don't know (or haven't heard about)
Stoned, I tell you it's one of the most popular partition table
viruses. It locks the PC and displays "Your PC is Stoned". It's very
simple to change the message inside the virus and put another one in.

If any scanner or anti-viral program doesn't recognize it as "Stoned"
or a variant, I highly recommend you send copies to researchers in
order to include this new threat in some programs. Here we have some
names:

  Fridrik Skulason.
  Wolfgang Stiller.
  Vesselin Bontchev.

Regards

Ruben Arias

- ------------------------------------------------------------------------------
Ruben Mario Arias                 |>  /|  |   |>
E-mail: ruben@ralp.satlink.net    |\  /_| |_  |
Buenos Aires, ARGENTINA.
- ------------------------------------------------------------------------------

------------------------------

Date: Fri, 01 Jul 94 11:02:05 -0400
From: jroberts@ripco.com (Jack Roberts)
Subject: Re: Why so many Leprosy viruses? (PC)

Probably because it is easy to get the source and easy to change it a
little.

------------------------------

Date: Fri, 01 Jul 94 11:00:56 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Best Anti-virus software (PC)

ohe@allianse.no writes:

>From: ohe@allianse.no
>Subject: Best Anti-virus software (PC)
>Date: Thu, 30 Jun 1994 08:58:35 EDT

>We're trying to figure out the best Anti-virus software for both
>Netware servers (NLM's) and DOS/Windows workstations.
>We have been looking at Norton Antivirus v3.0, F-Prot,
>Norman Data Defences and Central Point.

>Does anybody have any kind of hints and tips, which one is the best
>and why ??

First I say I am biased [otherwise somebody would get the moderator to
say it]. I am working for the company selling Solomon's Anti-Virus
Toolkit.

There have been some good reviews in the magazines Virus Bulletin and
Secure Computing. I know the editors are reading this forum; maybe they
could post some digest of these tests here?

If you want to evaluate scanners which might be among the best, have a
look at the following:

- - Solomon's Anti-Virus Toolkit
- - Sophos Sweep
- - McAfee Scan

Be careful not to be misled by the DOS scanner. One of the products you
named is good as a DOS scanner. But the NLM version is very poor. For
instance it does not seem to find any polymorphic viruses. This same
kind of a problem goes with Windows versions and OS/2 versions. So if
you are making a multiplatform decision make sure you are evaluating
all the versions and not just buying all the versions of a product and
thinking that because the DOS version is good the others should be
also.

Best Regards
Kari Laine, buster@klaine.pp.fi
LAN Vision Oy, FINLAND

------------------------------

Date: Fri, 01 Jul 94 11:06:09 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: HELP!!!!! (PC)

c007@Lehigh.EDU (ERIC A. MEEKER) writes:

- ->I'm pretty sure I have a virus on my computer but I have no idea what
- ->it is or how to get rid of it. I've been trying a few virus scanners,
- ->etc. and have no luck. The only thing I noticed is that the virus is
- ->adding (usually) 959 bytes to most executable files. I have a program
- ->called vsafe that tells me what is being changed, but it does nothing
- ->to remove it. If ANYONE can help me, please write to the Internet
- ->address below. Thanx in advance!!!
- ->

Which virus scanners have you tried?
Try F-Prot (also heuristics) and TBAV; if there is a virus they should
show something. Try to infect a small file with your virus and send it
to some of the people that make these products.

I don't know which package vsafe is from, but if it is a part of CPAV
or MSAV then you could consider removing the extra code appended to
programs to immunize them.

Luck...

- ->Eric Meeker
- ->Internet address: c007@ns1.cc.lehigh.edu
- ->

Ivar Snaaijer

+---------------------+-----------------------------------------------------+
| uu   uu sssss sssss | Ivar Snaaijer.       E-mail : v922340@si.hhs.nl     |
| uu   uu ss    ss    +-----------------------------------------------------+
| uu   uu sssss sssss | "Violence is the last refuge of the incompetent"    |
| uu   uu    ss    ss |                                          -Asimov    |
|  uuuuu  sssss sssss |            -= This space is for $ale =-             |
+---------------------+-----------------------------------------------------+

------------------------------

Date: Fri, 01 Jul 94 13:10:59 -0400
From: jjb18@columbia.edu (Jeremy J. Blumenfeld)
Subject: Network virus protect (PC)

Hello,

We are going to be installing Novell 3.12 in a computer lab of about 80
computers in the upcoming weeks. We are concerned about viruses
spreading through the network. Anybody have info on programs to use? In
the past we have used F-Prot with a fairly good record on stand-alone
machines, but I am not sure what additional dangers there are now that
we will be on a LAN.

One product recommended was Intel's Landesk Virus Protect v2.1. Anyone
have info/experience with this?

posts or email jjb18@columbia.edu

jeremy blumenfeld

------------------------------

Date: Fri, 01 Jul 94 13:55:33 -0400
From: mo@pineapple.apmaths.uwo.ca (Matthew Osborne)
Subject: Re: Help! (PC)

Craig S. Maloney (craig%enterprise@uunet.UU.NET) wrote:

: I need help in getting rid of a virus. It is Newbug variety of the GENB
: [Generic Boot Sector] virus. It will not "Clean" from a hard disk. I have
: used McAfee Clean ver.
: 115 to remove Genb from floppy drives, but I have had
: no luck with hard disks. Anyone have any ideas?

Try booting up with a floppy disk that is clean, and typing FDISK /MBR.
It MUST have FDISK on it. What is MBR? It is an undocumented switch
included in FDISK. It will repair your Master Boot Sector.
MBR = Master Boot Record!

: Craig
: - --
: - ------------------------------------------=----------------------------------
: Craig Maloney                             | Engineering Computer Center
: Supervisor                                | Wayne State University
: PC/Mac Systems, College of Engineering    | 5050 Anthony Wayne Drive
: Internet: craig@enterprise.eng.wayne.edu  | Detroit, MI 48202
: Fax : 313-577-5969                        |
: - ------------------------------------------=----------------------------------

- --
+--------------------------------------------------------------------------+
| Matthew C Osborne, Osborne's Software Programmer, owner etc...           |
| Email at: mo@pineapple.apmaths.uwo.ca                                    |
|           matthew.osborne@aplus.dt-can.com                               |
+--------------------------------------------------------------------------+

------------------------------

Date: Fri, 01 Jul 94 15:24:59 -0400
From: jasobel@alpha1.csd.uwm.edu (Jill A Sobel)
Subject: Stoned Virus help needed (PC)

I am desperately seeking information and help regarding the STONE VIRUS
- EMPIRE MONKEY B. This virus seems to eat RAM, and although I have
used a virus detection software and have eradicated it off my computer,
the hard drive bytes are still lost (they are supposed to be @ 556,360
and are presently 551,300). Can anyone out there email me personally
with information they may have?

My main question is.... I bought Norton Anti-Virus to try again to
clear the hard drive of the lost bytes (I was using F-Prot before),
however, once I use the Norton Anti-Virus, do you think the bytes will
be returned to the computer, or are they permanently destroyed.

Help!!!
Please email me personally at jasobel@csd4.csd.uwm.edu

Thank you

------------------------------

Date: Fri, 01 Jul 94 15:25:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Dr Solomon's on the move! (PC)

R. Wallace Hale (halew@nbnet.nb.ca) writes:

> Going head-to-head with F-PROT 2.12, it's nearly impossible for me to
> pick a winner. However, since I value both products primarily for their
> scanner functions, and strongly advocate the use of at least two
> quality scanners, that presents no problem. :)

My own impressions of those two scanners completely agree with yours.

> I've regarded Toolkit as one of the best AV products available and wonder

The AVTK has one of the best *scanners* available. This does not
necessarily mean that it is one of the best products overall - an
anti-virus product has other components too.

> why there is so little mention of it here, other than in Vesselin's posts.

Even I am not mentioning it very often - mainly because it is a
commercial product. First, many of the users asking for good scanners
here have limited financial capabilities and prefer a
freeware/shareware product. Second, there is a scanner/remover which is
shareware/freeware and has a similar (if not better)
detection/disinfection rate as the AVTK - F-Prot. What the AVTK does
better than anything else is exact virus identification - but few users
are interested in this. Third, advertising commercial products on the
net is usually considered to be in bad taste.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Jul 94 15:29:28 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Matura (PC) Sugan Moodley (moodley@beastie.cs.und.ac.za) writes: > Help! I got the Matura92 virus.... > Actually the entire durban campus of Natal got it ( south africa ) Hm, a Polish virus... > Is there a doctor in the house? > Whats the prognosis....? If this is indeed one of the Matura viruses, F-Prot 2.12c should be able to reliably detect and disinfect it. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Jul 94 15:38:46 -0400 From: iolo@mist.demon.co.uk (Iolo Davidson) Subject: Best Anti-virus software (PC) > Were trying to figure out the best Anit-virus software for both > Netware server's (NLM's) and DOS/Windows workstation. Dr. Solomon's Anti-Virus Toolkit for Netware includes both NLM and DOS executables, with facilities for linking both together. There are also Windows and OS/2 versions. Dr. Solomon's is more capable than the others you mention, with a better detection rate. I believe Ontrack is the USA distributor. - -- MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID Burma Shave ------------------------------ Date: Fri, 01 Jul 94 15:51:02 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: SMEG Junkie (PC) Lloyd E Vancil (lev@slced1.Nswses.Navy.Mil) writes: > A report in dod news this am ,Quoted below, speaks of > Smeg and Junkie spreading. I cannot find reference to This media hype is getting out of hand... 
Those two viruses *are* in the wild, but the threat is clearly blown
out of proportion. :-(

> What are these?

Viruses, of course.

> Is the report below accurate?

Not quite.

> what can I use to find and kill them?
> McAfee?

Nope. McAfee's SCAN can neither detect nor disinfect any of them.
Recently they have published an external scan string that will allow
SCAN to detect Junkie, but not disinfect it. No, better get F-Prot
version 2.12c. It detects and disinfects reliably both viruses -
Junkie and the two SMEG viruses. There are a few problems, however.
First, in my tests F-Prot says "Possibly a new or modified version of
Junkie" when examining a Junkie-infected boot sector. (In a previous
message I stated that it cannot detect it; I was wrong.) I think this
means that it won't be able to remove it from the boot sector. Also, a
third SMEG virus appeared recently, using an improved polymorphic
engine. F-Prot can detect some replicants, but not all, and cannot
disinfect them.

> ANN ARBOR, Mich., June 14 -- A new breed of computer
> virus that outsmarts anti-virus software has cropped

Rubbish! Junkie is an incredibly lame COM and MBR infector. SMEG is
polymorphic, but nothing particularly difficult like TPE or MtE. About
the only interesting thing in it is that it can generate huge
decryptors (up to 2 Kb, I think).

> up nationwide and as far away as London's financial
> district since its discovery in Ann Arbor, experts
> said Tuesday.

Hm, your e-mail address seems to suggest that you are in the USA. If
this is the case, ignore the SMEG virus - there have been fewer than
two dozen reports about it and all of them are from the UK. The virus
is in the wild there, but nowhere else. As opposed to that, Junkie
seems to be spread very widely - we have reports from Germany,
Australia, Canada - but those reports are very scarce - usually only a
single case or something like that. In short - absolutely no reason to
panic.

> The virus known as "Junkie" and its relative "Smeg"

Rubbish. The two viruses are not related at all. Probably by "related"
the journalist who has written the article means that they are both
viruses and both for the IBM PC platform - this is about the only
common thing among them.

> are part of a technological breakthrough by the
> underground hackers who create viruses for the thrill

RUBBISH!!! See above about their "quality".

> of infecting computers and destroying data.

Junkie is not intentionally destructive.

> Junkie was discovered last month after an Ann Arbor man
> bought a new computer for his son.
> The virus shut down the computer and went undetected

RUBBISH!!!

> until local computer consultant Jim Shaeffer found it
> using a special program.

The silly thing is not even stealth. What kind of "special program"
has he used, DIR?

> Shaeffer reported the virus to Frank Horowitz,
> a specialist in anti-virus software in Brier, Wash.
> "This is the first time we've seen this," Horowitz told
> United Press International. "And there're going to be
> many others like this."

What does he mean, that this is the first time he sees a virus?
Probably true. That there will be many other viruses like that?
Certainly true. Or maybe he means that he sees Junkie for the first
time? Also correct - the virus is relatively new.

> After computer users were electronically told about the
> discovery, Horowitz said, the Smeg virus was found in
> computers used by London financial services firms.

I can't comment on who the victims of SMEG are, but how is this
related to the Junkie case?

> It's unclear how many computers have been infected by the
> new viruses,

About three dozen, probably.

> which Horowitz said are far more dangerous
> than the well-publicized "Michelangelo" virus, which was
> designed to shut down computers on Michelangelo's birthday
> several years ago.

RUBBISH!!! Junkie is not intentionally destructive. SMEG is about as
destructive as Michelangelo, only it does it more often, which means
that its chances to spread widely are lower. About the only common
thing between those cases and Michelangelo is that the media is trying
to make a lot of noise for nothing.

> By breaking Junkie's code, Horowitz said, he could tell
> the virus was created in 1994.

Yeah, after debugging the trivial decryption loop, you can see a text
message in the virus, which *claims* this date of creation. About
anybody who knows how to use DEBUG could discover this; I wouldn't call
it "breaking the code". I also wouldn't believe anything a virus author
claims in his virus. A pretty naive guy, this Mr. Horowitz...

> The code also contained
> the virus name, a standard procedure for hackers who want to
> know when their creation gets publicity.

Ain't it nice on their part...

> Junkie is unique because, unlike other viruses, it can attack
> a floppy disk, a computer's boot sector, or its executable files.

AAARRRRGGGHHH!!! 'scuse me... I feel better now. Multi-partite viruses,
able to infect both files and boot sectors, have been around for ages -
there is nothing unique in that. Junkie can infect only COM files,
DBSes and MBRs. There are more advanced viruses, which can infect
literally "anything in sight" - COM, EXE, SYS files, MBRs and DBSes. If
Mr. Horowitz or the journo who has written the article do not know
about this, their ignorance is not an excuse to spread hype and
misinformation. They should have consulted an expert.

> Other viruses only attack one of those three crucial areas
> of a computer.

Rubbish. See above.

> It's also dangerous because Horowitz said standard, scanner-
> type anti-virus software can't find Junkie.

Until updated to do so.

> The virus is
> "polymorphic," meaning its characteristics are always changing
> to avoid detection.

Rubbish. The virus is only variably encrypted. Mr. Horowitz should be
directed to the FAQ of this newsgroup.
> Horowitz compared the relationship between the new virus and anti-
> virus software to updated police radar devices that go unseen
> by civilian radar detectors.

So what do we have now? Viruses exceeding the speed limit?

> Also disturbing is that Junkie was found in a new computer.

Of course, finding it in an old computer would make it quite
different. NOT!

> Horowitz said the computer might have been infected at the
> computer factory.

Or anywhere else.

> The discovery indicates that viruses are entering a new phase
> of destruction, Horowitz said.

Like destroying the brain of the people who write incompetent articles
about them?

> "Viruses are continuing to be developed with a lot of
> expertise," Horowitz said.

...forgetting to mention the hundreds of new viruses developed every
day by people who wouldn't be able to program their way out of a paper
bag or even write a "Hello world" program, but have figured out how to
use one of the available virus generators. Oh well...

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 15:51:30 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Budo Virus (PC)

Dana Antkowiak (MICBB@CUNYVM.CUNY.EDU) writes:

> Has anyone else been infected with the Budo (B2) virus? If you have and
> have successfully cleaned it, please e-mail me back on which program you used
> to clean it off of your machine. Or if anyone has any ideas or suggestions
> that would be helpful, they will be appreciated. Thanks:=}

If you indeed have the Budo virus, no disinfection of the infected
files is possible, because this is an overwriting virus. Just remove
those files and replace them with clean originals or backups. However,
it is extremely difficult for an overwriting virus to spread, so I
suspect that you are a victim of a misidentification. Which scanner
did you use?

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 15:52:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! (PC)

Craig S. Maloney (craig%enterprise@uunet.UU.NET) writes:

> I need help in getting rid of a virus. It is Newbug variety of the GENB
> [Generic Boot Sector] virus. It will not "Clean" from a hard disk. I have
> used McAfee Clean ver. 115 to remove Genb from floppy drives, but I have had
> no luck with hard disks. Anyone have any ideas?

This is quite probably the AntiEXE.A virus - we have been observing an
increasing number of infections by it. Get F-Prot 2.12c - it will be
able to remove it.

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 15:56:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: STACK virus (PC)

Peter Jennings (peterj@netcom.com) writes:

> In a routine scan of my system using McAfee's SCAN 1.15B obtained
> yesterday from a SimTel site, the STACK virus was reported in 6 files
> recently installed with Xerox Ventura PicturePro.
>
> The files were DLLs and executable overlays (filters).
You are almost certainly a victim of a false positive. Contact McAfee
and complain about it - it's their fault.

> However, the documentation accompanying both SCAN and CLEAN makes no
> reference to the STACK virus.

The documentation accompanying SCAN and CLEAN is *miserable* in this
respect and shouldn't be relied upon. It lists viruses that SCAN never
reports, does not list viruses that SCAN reports, the characteristics
listed are often wrong, and it even lists viruses that do not exist.

> Does anyone have any knowledge of the STACK virus and how I might go about
> removing it, or if this product gives a false indication with SCAN.

It is a false positive from SCAN. To the best of my knowledge, no such
virus exists. There is a small program floating around, which is not a
virus, but demonstrates a method that could be used by a virus to hide
in COMMAND.COM's stack space - a very unreliable approach. This program
is called STACK and is usually found in the virus collections on the
virus exchange BBSes. Maybe somebody at McAfee has decided that it is a
virus and has picked a not-very-good scan string for it, causing a
false positive.

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 16:02:18 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus found, Please help! (PC)

CL-28951@cphkvx.cphk.hk (CL-28951@cphkvx.cphk.hk) writes:

> My friend's company has a Novell network computer system. He told me
> that when he DIR the Executable files (EXE files), the file size was
> increased. He used the McAfee SCN-201 to scan the hard disk, but
> it does not show virus was detected. Does anybody know what kind
> of virus is it? How can this virus be removed? Please advise!

First, if you are relying on McAfee's anti-virus products, I would
advise you to try SCAN 116 - the "new generation" 2.0x seems to perform
rather worse and, IMHO, is not quite ready for distribution.

Second, having in mind where you are from (Hong Kong?), it is quite
probable that you have some new, local virus. I would advise you to
send an infected file to a few anti-virus researchers, so that the
virus can be examined and their anti-virus products updated to become
able to handle it.

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 16:06:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NATAS Virus? (PC)

Geoframe User (garcia@bkfsu1.sedalia.sinet.slb.com) writes:

> I notice an "emergency copy" of the new Scan 2, specifically aimed at
> the "NATAS" virus. After downloading it from the McAfee ftp site,
> I'm still no wiser than before about this virus, but I assume if McAfee
> saw fit to release a special version, it must be fairly serious.

The virus is in the wild in South America (Argentina, I think), and
there are reports from the USA too. Nothing deadly serious - just yet
another virus found from time to time in the wild. A rather
polymorphic one.

> Anybody have any information?

Multi-partite, memory-resident, polymorphic virus. Stealth.
Tunnelling. Tries to "escape" from TbClean and format the hard disk,
but the trick does not work with the new versions any more. Written by
James Gentilly - the author of Satan Bug. Is there anything else you
want to know about it?
> Oh, for what it's worth, this special version seems to hang up on me
> while doing an "internal scan" of one of my Central Point Backup files.
> No error message, it just stops. Anyone else have any problems with it?

Try just waiting - like a few hours. It's possible that it does not
hang, but its emulator is fooled into emulating some loop that it
shouldn't. BTW, Luca Sambucci's tests, available from our ftp site,
have demonstrated that this version of SCAN is *not* able to detect
this virus reliably, so better throw it away and get something that
works.

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 16:08:13 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stoned.Manitoba (PC)

R. Janzen (janzen@atbms.ncs.dnd.ca) writes:

> locations (around the original infection). As I understand BSVs, the only
> way that it could be spread is by booting off of an infected disk (or having
> an infected data disk in the boot drive at boot-time).

Correct.

> To me this means one of two things: either Stoned.Manitoba is not a BSV, or
> not all floppy disks have been scanned.

The latter.

> I'm currently scanning *every* floppy disk anywhere near the area, and not
> trusting the users at all.

Consider also setting up the computers to boot from the hard disk
first (if their BIOS provides this option) and/or installing Padgett's
DiskSecure or some other program of this kind.

> Can anyone verify for me whether stoned.manitoba is only a BSV? And am I
> correct on how it could be spread?

It is and you are.

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 16:15:53 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need help on "stoned" virus (PC)

Phat H. Le (phle@undergrad.math.uwaterloo.ca) writes:

> Please forgive me if this is one of those FAQs. The problem is that my
> PC is infected with the so called "stoned" virus. This virus infects the boot
> sector and from the info I've got from MSAV indicates that this virus is
> harmless yet irritating.

First, there is no such thing as a harmless virus. Second, MSAV is
extremely bad at identifying viruses. Third, the symptoms you are
describing (the hard disk not accessible after booting from a floppy)
are not characteristic of the "normal" Stoned virus. This makes me
think that you have probably some variant - or maybe even a completely
different virus.

> Anyway, I tried F-PROT and it told me to reboot the PC
> with a virgin boot disk and rerun the antivirus software. I did just that but
> when I rebooted the PC with a cleaned boot diskette, I couldn't see the C drive.

Have you tried using the option /HARD for F-Prot?

> So the way I got rid of the virus was to reboot the PC from the harddrive and
> backed up all the files onto a server, then did a low level format to the C
> drive. This is what you might call a "brute force" method and it worked fine.
> However, my question is - is there another way to remove this stoned virus or
> is there any antiviral software out there that can get rid of it other than the
> "brute force" method?
An alternative method, if you know what you are doing, is to boot from
the infected disk, use a disk editor to save the MBR in a file, then
boot from a clean floppy and use a disk editor to copy the MBR from the
file you have saved it in to its original place. But this should be
done by a knowledgeable person.

Regards,
Vesselin

------------------------------

Date: Fri, 01 Jul 94 16:34:52 -0400
From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
Subject: Re: Why so many Leprosy viruses? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Take anything you read in Patricia Hoffman's VSUM with a large grain
>of salt. It's more like a truck of salt, actually. VSUM is the biggest
>piece of disinformation, incorrect, incomplete, and plain wrong
>things about computer viruses ever put together.

Vesselin, I agree with your appraisal of VSUM...may I add outdated? But
then concerning viruses, what we write now is sometimes outdated
tomorrow :)

My question to you and to other individuals is: Is there a source out
there that you would recommend as being better? Patricia's is easy to
use and that is a benefit, but that doesn't make it reliable.

What would be ideal would be to get information using something similar
to "finger" where you could say:

    "finger virusname@whoever.wants.this.huge.project"

and it would return the important information about the virus, i.e.
type of virus, detection, cleaning, etc. Yes, I do realize that this
would be a huge project and NO, I do not want to do it. :) What are
your ideas about this?

Michael D. Jones
michael_d_jones@ccm.hf.intel.com

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 53]
*****************************************
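The "save the MBR, then write it back after a clean boot" method in Vesselin's reply on the Stoned virus above is only as safe as the saved copy. This added Python example (not code from the digest or from any tool named in it; the sample sectors are constructed placeholders) parses a 512-byte MBR, sanity-checks its partition table and compares it with the disk's current table before a restore is attempted, which is the check a knowledgeable person would make before touching sector 0.

```python
# Sanity-check a saved MBR image before writing it back over an infected one.
# Added example, not code from the digest or from any product named in it.
# Assumes both images are raw 512-byte sectors as saved by a disk editor.
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table starts here; boot code precedes it
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
SIGNATURE = b"\x55\xaa"


def parse_mbr(image: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and a signature flag."""
    if len(image) != SECTOR:
        raise ValueError(f"MBR image must be {SECTOR} bytes, got {len(image)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, image, PT_OFFSET + i * 16)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": image[:PT_OFFSET], "partitions": partitions,
            "signature_ok": image[510:] == SIGNATURE}


def partition_table_problems(mbr: dict) -> list:
    """List what looks wrong with a parsed MBR; an empty list means it looks sane."""
    problems = []
    if not mbr["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"partition type 0x{p['type']:02x} has zero length")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(ranges, ranges[1:])):
        problems.append("overlapping partitions")
    return problems


def safe_to_restore(saved: bytes, current: bytes) -> bool:
    """True only if the saved copy is sane and its partition table matches the disk's."""
    # A mismatch means the file is not this disk's MBR or a table is damaged: do not write it back.
    s, c = parse_mbr(saved), parse_mbr(current)
    return not partition_table_problems(s) and s["partitions"] == c["partitions"]


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    img = bytearray(boot_code[:PT_OFFSET].ljust(PT_OFFSET, b"\x00"))
    for i in range(4):
        img += struct.pack(ENTRY_FMT, *(partitions[i] if i < len(partitions) else (0, 0, 0, 0)))
    return bytes(img) + SIGNATURE


# Constructed sample data (placeholder bytes, not real boot code): the copy saved
# while the virus was active, the current sector with overwritten boot code, and
# a damaged table with two active, overlapping partitions.
TABLE = [(0x80, 0x06, 63, 1_089_000), (0x00, 0x05, 1_089_063, 2_000_000)]
SAVED_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100, TABLE)
CURRENT_MBR = build_mbr(b"\xea\x05\x00\xc0\x07" + b"\x90" * 100, TABLE)
SCRAMBLED_MBR = build_mbr(b"\x90" * 16, [(0x80, 0x06, 63, 1_089_000), (0x80, 0x06, 1000, 500)])

if __name__ == "__main__":
    for name, img in (("saved", SAVED_MBR), ("scrambled", SCRAMBLED_MBR)):
        print(name, partition_table_problems(parse_mbr(img)) or "looks sane")
    print("safe to restore:", safe_to_restore(SAVED_MBR, CURRENT_MBR))
```

The comparison deliberately ignores the boot code, which is exactly the part the infector overwrites, and only refuses when the partition tables disagree or the saved table fails the sanity checks.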