VIRUS-L Digest   Tuesday, 16 Aug 1994    Volume 7 : Issue 67

Today's Topics:

re: Immune System for PCs from IBM / Gopher server
Re: Bad and good viruses...
Re: The truth about good viruses
Re: Fred should owe me a grand ?
Technical question about viruses...
Re| Viruses = Commercial Opportunity?
Re: virus in jpgs
Re: Bad and good viruses...
Re: Looking for Virus Scan Strings
Re: Q/A about Norman Virus Control (PC)
Viruses & TSRs (PC)
Re: How to save a boot sector (PC)
changing genP/genB virus (PC)
Re: Network virus protect (PC)
Re: Network virus protect (PC)
Re: Help! - Does my PC have a virus? (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Need Help on "V-SIGN" virus (PC)
Re: Stealth.B Pain (PC)
Re: Virus Source code on CD ROM? (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Mosquito Viruses (PC)
Re: fp-213a.zip - Version 2.13a of the F-PROT anti-virus program (PC)
Re: AntiExe virus, Help!! (PC)
Smeg viruses (PC)
Re| FamM virus (PC)
Re: How to save a boot sector (PC)
Re: Form Virus Mutation! Netware problem? (PC)
Re| Killing the Monkey Virus (PC)
Fixing the boot sector of a floppy? (PC)
Re; SMEG.Queeg, SMEG.Pathogen virus writer caught (PC)
Re: Why so many Leprosy viruses? (PC)
Re| [News] Yankee Doodle Virus? (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Netware & Virstop (PC)
Re: Tamsui? (PC)
Re: Tequilla (PC)
Re: HK Vtech virus & Amoeba (PC)
Re: Virus Scanners, Detectors, etc. (PC)
Re: Virus Scanners, Detectors, etc. (PC)
Sincerest Apologies to Forum

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 09 Aug 94 15:30:05 -0400
From:    "David M. Chess"
Subject: re: Immune System for PCs from IBM / Gopher server

> From: Rich Travsky
> Jeffrey O. Kephart of the IBM Thomas J. Watson Research
> Center in Yorktown Heights, N.Y., reports designing an
> immune system for computers that "takes much of its
> inspiration from nature."
> Sounds interesting, but I have some doubts. My guess is it'll
> take a smp pentium machine and the tsrs will weigh in at several
> meg ;)

As I said on alt.security (I think it was), that'll only be true if we do it badly. We don't plan to do it badly! *8)

> From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
> At last, I recently noticed that IBM have a rather nice collection of
> virus descriptions on their gopher site - but I forgot the exact
> address; maybe Dave Chess can help.

gopher://index.almaden.ibm.com/1virus/virus.70

Glad you like it!

- - -- -
David M. Chess                 | Check, one, two. Check, one, two.
High Integrity Computing Lab   | Pffffft... Pfffffft....
IBM Watson Research            | Is this thing on?

------------------------------

Date:    Tue, 09 Aug 94 16:06:40 -0400
From:    Sam Wilson
Subject: Re: Bad and good viruses...

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

[[[ US export control laws apply to virus!? ]]]

: ... And
: since KOH is a disk encryption self-replicating program... BTW, the
: penalty for breaking the regulations mentioned above is 41 to 51
: months of jail time. Of course, this law is virtually unenforceable for
: the software made available on the 'net.

And in the case of a virus I can't help wondering just who they'd prosecute...

Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date:    Tue, 09 Aug 94 21:25:43 -0400
From:    David_Conrad@MTS.cc.Wayne.edu
Subject: Re: The truth about good viruses

Vesselin writes:

>Ian Douglas (iandoug@cybernet.za) writes:
>[I think Vesselin wrote this, but there was no attribution: -drc]
>>>It says "Hi! I am the SuperDuper beneficial virus made by BeneViral
>>>Software Inc. and here is my MD5 hash, signed with my secret key".
>
>> Is it expected to do this every time it infects a file or boot sector?
>
>No, of course not. ... [T]here should be ways to set the default ....
>
>But you again seem to be thinking about the PC case. ...
>I imagine the beneficial virus more like a worm.

As do I.

>The company that produces it posts its public
>key (signed by the company's key) to the Internet. Every site that
>wants to get infected by this virus sends an invitation message,
>.... [Description of public key authentication and approval deleted.]
>

This is a better method than what I had thought of. What occurred to me was having the virus send an email request to infect a system. The MD5 and public key authentication could still take place. This takes care of the problem with undesired code running on a system before the request is made in order to make the request, and it also solves the problem of interrupting critical systems, but it has one major flaw: Who wants dozens (perhaps many more) of requests per day from viruses showing up in their mailbox?

David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date:    Tue, 09 Aug 94 21:29:44 -0400
From:    David_Conrad@MTS.cc.Wayne.edu
Subject: Re: Fred should owe me a grand ?

Vesselin writes:

>Padgett writes:
>> In updating software on many workstations from a server, the update is
>> copied NOT the update mechanism and this is a major difference.
>
>This doesn't contradict Dr. Cohen's definition for a virus: a program
>that infects other programs by modifying them to include a possibly
>modified copy of itself. The definition does not say that the infected
>programs must be able to propagate the infection further. The
>"possible modification" could very well be one that excludes the
>replicating mechanism from the virus.
>

This is true, but it is very useful in practice to distinguish between viruses that only copy once and stop versus ones which can copy repeatedly. And, unlike some of the other ways that practice differs from Dr. Cohen's theory, it is probably at least interesting if not useful to distinguish between them in theory as well.

>> The best just copy new data files.
>
>As you know, there is no real difference between code and data.
>According to Dr. Cohen, a virus is inseparable from its environment.
>Every finite (does it have to be finite?)

In this universe, yes. Although I suppose that a theory about infinite strings of symbols might also have some applicability to finite ones. Nevertheless, finite strings of symbols are the only type possible around here. I might also note that if viruses are considered as a species of algorithm, then it is part of the technical definition of an algorithm that it be a finite sequence of steps.

>... sequence of symbols is a virus in some environment, and for
>every environment there is a sequence of symbols that is a virus
>for it (not sure about the latter).
>

I am not an expert on the theory, but I think that there would probably be some environments which are too simple to allow for viruses.
There should be, it seems to me, some minimum expressivity, or strength, if you will, of the environment before viruses would be possible. (I am drawing a parallel here with the requirement for a formal system to be subject to Gödel's Incompleteness Theorem. The theorem only applies to a system if it is of a minimum complexity. Specifically, it must be at least as powerful as Peano arithmetic.) What this adds up to is that while there are some environments which are so trivial that they cannot support viruses, there exists for any non-trivial environment a string of symbols that is a virus. But, please, don't ask me to prove this. :-)

Wishing he could come up with witty closings like Padgett,
Dave

David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date:    Tue, 09 Aug 94 21:42:47 -0400
From:    al163388@academ01.mty.itesm.mx (Mario Luna Arroyo)
Subject: Technical question about viruses...

Hi!

I need to know how viruses and antivirus programs are made, and how the antivirus works to detect and remove them. All this explained with technical details (it's homework for a computers class in my university).

Thanks in advance.

------------------------------

Date:    Tue, 09 Aug 94 06:40:05 +0400
From:    Kazatski Oleg Nikolaevitch
Subject: Re| Viruses = Commercial Opportunity?

Hi !

iolo@mist.demon.co.uk (Iolo Davidson)

> > 3) Do you really need to detect 4500 viruses to be a useful product?
> > There are many other products which don't detect nearly that many
> > which still sell *quite* well.

Are there antivirus programs that can find nearly 4500 viruses ?

> > 4) While you will get opposite answers from just about everyone here,
> > consider: Viruses in the wild are considerably more important to detect/
> > remove than viruses *not* in the wild. Those should be highest priority
> > (use Joe Wells' list, for example).
         ^^^^^^^^^^^^^^^

What is this ?
- --
OK

------------------------------

Date:    Wed, 10 Aug 94 08:58:38 -0400
From:    BRENNAN@hal.hahnemann.edu (A. Andrew Brennan)
Subject: Re: virus in jpgs

bontchev@fbihh.informatik.uni-hamburg.de writes:

> The long answer... Well, it is possible to hide a message in a
> graphical image, but distributing it over the least significant bits
> that code each pixel. This message could contain anything, including a
> virus. Of course, it is not possible to activate the virus (i.e., make
> it infect) by just viewing the image; you'll have to extract the virus
> to an executable file first and then run this file.
>

Not to carry this version of a digital-urban legend too much further, but don't JPEGs have a comment or note field? Wouldn't (if I read the note correctly, you're referring to steganography?) it be possible to embed an ANSI bomb in the comment field that *some* JPEG viewers might activate? Then again, we're back to "ANSI bomb != virus" so it's not exactly the same thing either.

... then again, if I'm all washed up - someone pull the drain. :^)

andrew. (brennan@hal.hahnemann.edu)

------------------------------

Date:    Wed, 10 Aug 94 09:21:16 -0400
From:    pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Re: Bad and good viruses...

bsemtner@autodesk.com writes:

|> From: hauh@ismennt.is (Haukur Hreinsson)
|>
|> roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag) writes:
|>
|> >* In a message to All on 06-28-94, Bradley said:
|>
|> >B> It's a virus that does what I said. It includes an uninstall option
|> for
|> >B> the hard drive. If you want to know more, I have the full KOH document
|> >B> in my little personal FTP site:

Well, thanks for advertising this address at least five times here in comp.virus! I collect viruses for testing AV software, so this has been very helpful. Perhaps spreading viruses helps force Microsoft to introduce a safer operating system than MS-DOS or Windows, but this can't be the reason why you published that address ?
Also my warm regards to Mr Vesselin Bontchev who published more than once the email address of good old Mark A. Ludwig, not forgetting to say you can order his books with viral source code and even a CD-ROM full of source code there.

Why's this newsgroup moderated ?

Ruediger Pein

PS: If this posting doesn't appear in comp.virus, I know why it is.

------------------------------

Date:    Wed, 10 Aug 94 11:01:35 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Looking for Virus Scan Strings

iolo@mist.demon.co.uk (Iolo Davidson) writes:

>Virus Bulletin regularly publishes such strings as are possible for new
>viruses. This is too primitive a method for finding many viruses
>though. And it's slow.

Agreed....in fact I have suggested that VB stop publishing the strings ... I feel they are more-or-less a waste of my time (I have to pick those #$%%^#$@ strings), but according to my editor, some readers want them, so they will continue to be published, at least for a while.

However - the number of viruses that cannot be (reliably) detected with a search string is growing...fast. Simple, sequential string search is an outdated mechanism for detecting viruses anyhow...

- -frisk

------------------------------

Date:    Tue, 09 Aug 94 10:39:40 -0400
From:    oep@colargol.edb.tih.no (Oeyvind Pedersen)
Subject: Re: Q/A about Norman Virus Control (PC)

Norman Data Defense Systems A/S (norman@norman.no) wrote:

[snipped some brag where Norman claims to have a 99% detection rate ]

Vesselin said:

: >Also, they used to claim to be TOAST - "The Only Anti-virus Software That
: >detects Satan Bug". Too bad that they can't substantiate their claims.

Bognaes replied:

: How would you like us to prove it? At the time we made the claim, none of the
: better known current scanners would detect Satan Bug. I can get you the exact
: date and the name of the other products that we tested if that helps.
Mmmm, why don't you include some proof that F-PROT *doesn't* detect "Chaos4" as you stated in your message of 9 August.... when I got a version from 27 July that does the trick :-)

Am I the only one that sees some parallel here?

- -oep

BTW, Bognaes just told the computer press that they were the only one to detect this virus, which is not the plain truth. I may have to make a phone call...

------------------------------

Date:    Tue, 09 Aug 94 12:02:08 -0400
From:    "Mark J. Miller"
Subject: Viruses & TSRs (PC)

Would someone please address themselves to the following questions.

1. What antivirus products are available for scanning in compressed partitions? (dos)

2. How easy is it for a virus to defeat an antivirus product loaded as a tsr? (dos)

3. Given the following scenario:
   - fprot's virstop is loaded as a device driver.
   - netware is loaded
   - virstop is "rehooked" using the /rehook option
   How easy is it for a virus to circumvent virstop's protection?

4. Is a product like fprot's virstop susceptible to the same weakness, when it's loaded as a device driver without netware being loaded?

Thanks,
Mark :-)

*****************************************************************************
Mark J. Miller                              * The man who fights for his
Instructional Computing Programmer/Analyst  * ideals is the man who is
Saginaw Valley State University             * alive!
Wickes 227, 517-790-5643                    *   -- Miguel de Cervantes,
mjm@tardis.svsu.edu                         *      author of Don Quixote

------------------------------

Date:    Tue, 09 Aug 94 12:00:06 -0400
From:    jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: How to save a boot sector (PC)

Iolo Davidson wrote:

)> How can you save a boot sector on to disk. (if you suspect a virus
)> and want to upload it to the anti-virus companies system for them
)> to inspect it?)
)
)Most disk sector editors have a facility to save a sector to a file.
)Some AV software does, too. Why don't you ask the support desk for the
)AV Software company to whom you intend to send the sample how they
)handle this?

What's wrong with DEBUG? It's supplied with all DOS systems for free.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Tue, 09 Aug 94 11:42:57 -0400
From:    jayl@dorsai.dorsai.org (Jay_Leiser)
Subject: changing genP/genB virus (PC)

I need some info. We got a virus that is detected as the stealth genb when booting from hard drive and when booting from floppy it is detected as a stealth genp. In addition this virus was detected as the newbug genp. Any information regarding these viruses would be greatly appreciated.

jayl@dorsai.dorsai.org

------------------------------

Date:    Tue, 09 Aug 94 13:33:08 -0400
From:    mikko.hypponen@wavu.elma.fi (Mikko Hypponen)
Subject: Re: Network virus protect (PC)

Robert Schifreen (hex@cix.compulink.co.uk) wrote:

> It's better to use a program like this on a LAN, rather than simply
> running stand-alone scanners on the workstations.

No, no. It's a common misunderstanding that an anti-virus NLM running on a Novell server could replace workstation-based virus protection.

The reason an NLM by itself does not provide sufficient protection is the existence of the boot sector viruses. There are no exact statistics available, but I would guess that boot sector viruses like the Stoned and Form variants cause over 75% of all virus infections. Viruses of this type will only spread from a machine to another via diskettes (ok, via hard drives as well, if you transfer the actual drive from a machine to another). Since these viruses do not infect files at all, and NLM scanners only check that the files on the server are clean, they do not detect boot sector viruses at all. Even though you had the best NLM there is guarding all the servers on your network, you could still have Stoned in every single one of your workstations.
Thus, if you have to choose between workstation-based protection and server-based protection, take the former. For example, we are selling both PC-based antivirus programs and NLMs. However, we do not sell NLMs by themselves unless the organization is protecting their workstations as well - either with our product or with a 'sufficiently good' competitor (no, MSAV does not qualify).

> Doing both, of course, is even better.

This is true. If, for some reason, an unprotected machine is able to log into the network, the NLM module should be able to protect the server files from getting infected. Note that even if there was no NLM installed, the other workstations would not get infected if they had an anti-virus TSR installed (and if the virus in question was known to that TSR).

There's another argument to defend the NLM solutions: the NLM is running on the server, and is completely separated from the PCs. Thus, the NLM can not be fooled by any kind of a stealth virus. This is true, but one has to remember that we are talking about scanners here. Scanners check the memory of the PC as soon as they are started. Stealth viruses are not able to stealth themselves in memory, so the PC-based scanner would find them before it would be fooled by them.

I'm not saying anti-virus NLMs are useless; they are not. I'm just saying that they are not a one-stop solution to the virus problem. Also, I'm referring only to the scanner-based NLMs. I am aware that there are anti-virus NLMs with a different approach in the market, but I have not studied them myself.
- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date:    Tue, 09 Aug 94 14:37:11 -0400
From:    scott@mcc.com (David Scott)
Subject: Re: Help! - Does my PC have a virus? (PC)

mark@tidos.tid.es (Mark Gemmell) wrote:

> My PC spontaneously reboots from Windows about once every 3 days. It
> always does it when I'm not typing or doing anything.
>
> I've run the Microsoft Virus checker but I don't know if that is
> a reliable checker.
>
> Any help seriously appreciated (good virus checkers or symptoms to look
> for etc.)

If anyone has an idea about what is causing this problem, I would be interested. I was once the Network Administrator for a PC-Lan network. The PS/2 Mod 80 server, running OS/2, would spontaneously cold-boot. We replaced the operating system, motherboard, and other components without success.
This was more than four years ago and I still wonder about it.

And no, MSAV is a lousy choice for finding viruses or removing them.

- --
Gardyloo!
David M. Scott
_________________________________________________________________________
Voice: 512/338-3444   EMail: Scott@MCC.COM   FAX: 512/338-3885

------------------------------

Date:    Tue, 09 Aug 94 19:13:31 -0400
From:    jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Jas (Matthew K) wrote:

[stuff deleted]

)CRCs (for the most part (at least non cryptographic ones)) are linear
)functions. so therefore faking them is *VERY* easy. One way to use CRCs for
)heuristic checking (CRCs are very fast which is why they are used) is to
)use more than one CRC hash value (is this the correct term for it?) or to
)use other methods as well as the CRCs (aka crypto CRCs or use a non
)standard CRC method (such as Fletcher's Sum) which is just as fast).

I have coded both CRCs and Fletcher's Checksum, and find that Fletcher's Checksum is slower than CRCs, and not as good.

[stuff deleted]

)to find out about CRCs crypto methods, you only need to read a few simple
)books on crypto and have a moderate understanding of polynomial and integer
)maths.

Ok, where?

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Tue, 09 Aug 94 19:48:36 -0400
From:    jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Need Help on "V-SIGN" virus (PC)

Oguz Erkul (CS 471) wrote:

)Hi,
)    I am facing a virus which is called "v-sign" as the title
)says. It is messing up the partition table, it is more like cansu
)with some powerful stuff it sometimes doesn't let you go in to OS.
)Anybody having any kind of experience with this kind of virus, please
)write to me about cleaning it (totally).
)
)Thanx in advance.....
)
)Oguz Erkul oerkul@mason1.gmu.edu
)- ---------- =====================
)

Many (most?) viruses cannot be _totally_ cleaned.
I had a Stoned.Azusa infection some time back. I removed the infection. But backup discs' data had been _damaged_ by the virus, and a few of the files were _unrecoverable_.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Tue, 09 Aug 94 20:14:35 -0400
From:    jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Stealth.B Pain (PC)

Fridrik Skulason wrote:

)jmccarty@spd.dsccc.com (Mike McCarty) writes:
)
)>This critical attitude is unworthy of the bandwidth it used in
)>transmission. I would rather see you offer helpful suggestions, esp. to
)>the people at Central Point, encouraging them to improve their product.
)
)Oh..boy...now you really managed to annoy Vesselin, I guess....you cannot
)imagine how unresponsive CP has been to his suggestions in the past.

Even so, I stand by what I said. And I do not care one whit whether Mr. Bontchev gets annoyed.

)>If Mark Ludwig actually published the source for a virus, and did not do
)>so with the intent that others use it for illicit purposes, but rather
)>to educate the public at large, then:
)
)Educate ...huh.... as far as I can see his only interest is simply to make
)money.

Even if he did it only to make money and not to encourage others to destroy persons' data, I still think that what he did was good.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Tue, 09 Aug 94 20:16:33 -0400
From:    jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Virus Source code on CD ROM? (PC)

Sean Gallagher wrote:

)I saw a post on another forum that stated a company, possibly American Eagle
)Publishing (?) was selling a CD ROM with the source code to approx 200 viruses.
)
)1)Is this true?
)2)Did I get the company's name right?
)3)Have any controls been placed on the sale of this source code?
)4)Is there any ballpark figure on how many copies have been sold, and to whom?
)
)Any info on this would be greatly appreciated.
)- ---------------------
)Sean Gallagher
)sgallagh@gcn.com
)sgallagh@vision-thing.com
)

I take it you do not live in the USA, understand the concept of liberty, or believe in it if you do live here and understand it. Controls placed on sale of source code? Give me a break!

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Tue, 09 Aug 94 21:23:45 -0400
From:    David_Conrad@MTS.cc.Wayne.edu
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Vesselin writes:

>I (David Conrad) wrote:
>
>> Perhaps the time has come for McAfee to give up on the CRC polynomials,
>> which of course can be forged, and to start using something better, like
>> MD5. They could publish source code for the validation program as well as
>> the executables.
>
>There is one problem which remains even if a cryptographically strong
>hash function like MD5 is used. The attacker could just modify the
>files, compute the MD5 hashes of the modified files, and replace the
>new MD5 values in the documentation. This way he will succeed in fooling
>the user who does not have an independent way to obtain the real hash
>values. In fact, this is exactly what the forgers have been doing even
>now, because most of them don't know how to forge CRCs.
>

I wasn't talking about putting the hashes in the documentation. I meant publishing them in comp.virus/VIRUS-L and other places. I specifically *would* *not* put them in the docs, since this is worse than useless, and I can't for the life of me imagine why McAfee does so. I know that some users don't have access to the net, but consider this: Let's say you publish a public key and include a detached pgp signature for every file in an antiviral.
All the attacker needs to do is modify the files, create his own private key/public key pair, sign the modified files with the private key, include the public key in the zip file along with a message saying, "Our old key wasn't secure enough or accidentally got stolen or whatever, please use this key from now on." This would probably catch at least 90% of the users. The other 10% all have access to the net.

>The only solution to this problem would be to use public key
>authentication.
>

I believe the RSA patent expires on 20 September 1997. Before that there will be too many legal problems for any company that wants to do business in the U.S. to go this route.

>> ... my own mdx.exe (which is in xsum10.zip and can be found
>> at oak.oakland.edu in /pub/msdos/fileutil) ....
>
>You mean that MDX.EXE is yours? It is amazingly fast; how did you
>achieve this? ....
>

Vesselin, please, you're making me blush. :-)

David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date:    Tue, 09 Aug 94 21:29:37 -0400
From:    Dennis.Clouse@ucop.edu (Dennis Clouse)
Subject: Re: Mosquito Viruses (PC)

First, I said:

>>We consider mosquitoes a threat...we eradicate them without
>>considering the guilt or innocence of *individual* mosquitoes...
>>ditto the alleged 'beneficial or 'nondestructive' computer
>>virus.

>Then bmonette@porpoise.oise.on.ca (Bernie Monette) said:
>You argue precociously. However, it has been a common practise
>to use genetically altered insects (stuff deleted)
> So why not try similar tactics with computer viruses?

Sterilized fruit flies diluting the reproductive pool don't qualify: Computer viruses don't breed. In order to succeed, your hunter-killer(s) must (like any organism) be very good at reproducing, and displacing competitors. How you gonna get rid of the hired guns when the job is done? Write hunter-killer killers?

As for "precocious" ... When I started programming:
- the I/O was a row of toggle switches and lamps.
- Storage was done by pencil.
- The hot new buzzwords were "bootstrap loader".

Then, I was precocious. Now I'm just cynical.

Dennis.Clouse@ucop.edu
University of California Office of the President

------------------------------

Date:    Tue, 09 Aug 94 23:19:30 -0400
From:    rhoenes@astro.ocis.temple.edu (Richard Hoenes)
Subject: Re: fp-213a.zip - Version 2.13a of the F-PROT anti-virus program (PC)

: We have not yet been able to trace the origin, but it *SEEMS* that the
: virus was distributed over Usenet, possibly in one of the alt. groups.
: Any information on how the virus spread would be appreciated.

I believe this could be the virus that was spread by someone posting a sexually oriented program in alt.binaries.pictures.erotica that was infected. I didn't download the program so I don't know if it was KAOS4, but it was reported as a strain of KAOS.

Richard

------------------------------

Date:    Tue, 09 Aug 94 06:22:02 +0400
From:    Kazatski Oleg Nikolaevitch
Subject: Re: AntiExe virus, Help!! (PC)

Hi !

choud_gs@jhunix.hcf.jhu.edu (G Sayeed Choudhury) writes:

> I have an ANTIEXE virus on my computer. I used F-PROT version 2.12c
> (shareware) which detected it but can not disinfect it. Any advice on
> how to proceed (course of action, appropriate software, etc.).

This is a boot virus. It can hide the MBR in 0/0/13 on a hard drive, and in the last sector of the Root Directory on floppies. This virus corrupted an unknown EXE program (size 200256). Try the antivirus program "Aidstest" (Russia, Lozynski).

Good luck !

- --
OK

------------------------------

Date:    Wed, 10 Aug 94 04:25:06 -0400
From:    cudat@csv.warwick.ac.uk (J M Hicks)
Subject: Smeg viruses (PC)

panther!jaguar!cmeli@relay.iunet.it (Clyde Meli) writes:

>The following is taken from a Maltese newspaper, The Times
>of Friday, July 22, 1994. The report is provided from
>Reuters.
>...The viruses, Queeg, named after a character in a television
>science fiction series, Pathogen and Germ, destroy data
>on a computer's hard disk and can disable the external disk
>drive, meaning victims have to take their computer apart to
>fix it...

Is it really true that the computer has to be taken apart? If so, how does the virus disable the disc drive? I'm always disturbed by reports that software can damage hardware.

- --
Jim Hicks, Computing Services, Warwick University, Coventry, England. CV4 7AL
Fax: +44 12O3 523267
cudat@csv.warwick.ac.uk

------------------------------

Date: Tue, 09 Aug 94 06:52:08 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re| FamM virus (PC)

Hi !

rubinmh@nextwork.rose-hulman.edu writes:

> Hey, does anyone out there know anything at all about the FamM
> virus or how to get rid of it? I found it using the clean-up and scan shareware
> programs put out by McAfee, but it seems to be a memory resident virus, and
> I think it has infected most of my hard drive, any help would be appreciated!

The Family [Fam] viruses are a number of viruses, usually very recent, using standard viral code. SCAN is able to detect them through generic detection, but CLEAN does not have the ability to remove those. As with the GENB and GENP viruses, please forward a copy of any viruses of this sort to McAfee Associates for analysis and identification.

Good luck !

- --
OK

------------------------------

Date: Tue, 09 Aug 94 07:12:09 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re: How to save a boot sector (PC)

Hi !

iandoug@cybernet.za (Ian Douglas) writes:

> Steve Tamanaha (stevet@fujitsu.com) wrote:
>
> > How can you save a boot sector on to disk. (if you suspect a virus
> > and want to upload it to the anti-virus companies system for them
> > to inspect it?)
>
> Various ways...
> 1. Use Teledisk to grab an image of the whole disk
> 2. Use Norton (or similar) to write the boot sector to a file

Run Norton Utilities 4.5 (very nice program !!!).

1. Press "E".
2. Press "C".
3. Press "A".
4. Select drive: A B C, for example press "C".
5. Enter the address of the sector you want to save. For example, if MBR press four times.
6. Press "W".
7. Press "F".
8. Select drive, for example press "A".
9. Enter filename.
10. Press (YES).
11. Press "Esc" two times.

Good luck !

- --
OK

------------------------------

Date: Tue, 09 Aug 94 06:02:49 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re: Form Virus Mutation! Netware problem? (PC)

Hi !

billt@pipeline.com (Bill Taub) writes:

> I work for a network/computer system integrator. One of our
> clients has had a problem with what CPAV, MSAV, and Intel's
> Landesk Vprotect/Lprotect 2.0 considers "Form" virus.
> IF ANYONE HAS HAD A RECENT EXPERIENCE WITH FORM VIRUS PLEASE
> CONTACT ME VIA
> E-MAIL. ANY SUGGESTIONS OR FOLLOW UPS WILL BE GREATLY
> APPRECIATED. I WILL POST ANY INFORMATION INTEL BRINGS ME.

- ------ Form ----

If using the BootManager, Form will infect the BootManager partition. Removal consists of booting OS/2, running FDISK, removing BootManager from the partition table, then creating it again (without exiting), then adding bootable entries.

When Form infects the hard disk, it overwrites the last two sectors of the active partition with the second part of its body. This could corrupt the file system, if the active partition is not a DOS FAT system - which is exactly the case when BootManager or HPFS are used. A HPFS system can become corrupted.

In both cases, it is better to use anti-virus software that knows about those problems with Form and handles them properly. One such program is IBM Antivirus.

- -----

Good luck !

- --
OK

------------------------------

Date: Tue, 09 Aug 94 05:56:05 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re| Killing the Monkey Virus (PC)

Hi !
beng@dorsai.dorsai.org (Ben Ng) writes:

> Curly (hzf30@mfg.amdahl.com) wrote:
>
> : I was under the impression that there are no viruses, currently known, that
> : can infect a system by merely using the "dir" command. If so, then your anti-
> : virus package merely stated it had found the "Monkey" virus on the diskette.
>
> : Can someone with real knowledge confirm or deny?
>
> Surely, though I cannot be sure my knowledge is real. I had cleaned out
> several PS/2 Model 60's + a couple of ibm compatibles that had the monkey
> virus. From what I've experienced, this is what the monkey virus does
> (And please correct me if I'm wrong)

- ----- "Monkey" --------

The Monkey virus (both variants: 1 and 2) is a boot sector virus that doesn't save the partition information inside the infected Master Boot Record. The original MBR is encrypted and hidden in: cylinder 0, head 0, sector 3. If you boot from the infected disk the virus knows how to find the proper Partition Table and therefore can access the hard disk. When you boot from a clean floppy the system cannot find the valid partition information and cannot access the disk.

In the case of any memory resident viruses (Monkey is one of them) every good anti-viral program will advise you to boot from a system floppy and then try to clean the system. Every good a-v program should be able to run from a diskette, detect the virus and clean it too. VET 7.62 (and later) can access the hard disk and clean Monkey after booting from a clean system floppy without any problems.

The current version of VET can find Monkey (1 & 2) in memory and then can disable it in memory in order to clean the infected hard disk. It means that now you can run VET even on the infected system to detect and clean Monkey without rebooting from the clean floppy (although it should happen only if you don't have any system diskette around). Don't format your hard disk (FORMAT won't help anyway), send us a message and try VET.

Good luck !
- --
OK

------------------------------

Date: Wed, 10 Aug 94 08:48:07 -0400
From: rtulloch@lynx.dac.neu.edu (renrick tulloch)
Subject: Fixing the boot sector of a floppy? (PC)

A lot of our floppies were infected by the Genb and Genp virus, which affects the boot sector. Is there a way to overwrite the boot sector of the floppy without deleting the contents of the disk? EX: I know you can fix the boot sector of the hard drive with the command fdisk /mbr but is there a command for diskettes that will do this?

- --
Rickster
tulloch@nsbe.org
rtulloch@lynx.dac.neu.edu
NSBE '95'  617-247-4998
"Knowledge may be the key"
"But wisdom unlocks the door"

------------------------------

Date: Wed, 10 Aug 94 01:12:33 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; SMEG.Queeg, SMEG.Pathogen virus writer caught (PC)

Hi !

panther!jaguar!cmeli@relay.iunet.it (Clyde Meli) writes:

> [News] SMEG.Queeg, SMEG.Pathogen virus writer caught (PC)

I'd like more information about this history. Thank you in advance.

- --
OK

------------------------------

Date: Wed, 10 Aug 94 09:21:07 -0400
From: mikko.hypponen@datafellows.fi (Mikko 'Hermanni' Hypponen)
Subject: Re: Why so many Leprosy viruses? (PC)

> How many overwriting viruses do you know that have spread
> successfully? :-)

Well, I know one; Budo.890. This overwriting virus managed to spread around in an educational establishment for six months before it was noticed. At that time (October 1992) the virus was new and unknown to scanners. When the virus was finally noticed, the total number of infected PCs was around forty. I know that this sounds incredible, but it really happened.
The reasons this overwriter managed to be so successful were probably the following:

- - Budo is a resident virus
- - it will not infect the programs that are executed or accessed; instead it will activate every three minutes and locate a suitable victim file from somewhere on the hard disk. Thus the programs that get destroyed might be rarely used
- - when an infected (and overwritten) program is executed, the user will receive a message. This is either 'Bad command or file name' or 'Run time error', depending on whether the virus was already resident or not. So the users did not suspect a virus infection but something else.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Wed, 10 Aug 94 01:00:05 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re| [News] Yankee Doodle Virus? (PC)

Hi !

> I'm looking for information on a virus known as the "Yankee Doodle" virus.
> Does it exist?

Yes. There are many viruses named "Yankee Doodle". For example RCE-2890, RCE-2885 etc.

> If so, can anyone lead me to a source for a scanner to detect
> it? Thanks in advance for any help.

Also there are many antivirus programs which can find this virus: SCAN, MSAV, SDScan and many others. If you want to receive more information, please write me.

Good luck !

- --
OK

------------------------------

Date: Wed, 10 Aug 94 09:38:47 -0400
From: mikko.hypponen@wavu.elma.fi (Mikko 'Hermanni' Hypponen)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

> The attacker could just modify the files, compute the MD5 hashes
> of the modified files, and replace the new MD5 values in the
> documentation.
> In fact, this is exactly what the forgers have been doing even
> now, because most of them don't know how to forge CRCs.
Or, just replace the VALIDATE.COM file in the archive with a bogus copy written in DOS batch language and compiled to a COM;

@echo off
echo VALIDATE 0.4 Copyright 1988-92
echo.
echo File name: %1
echo Size: 164,319
echo Date: 7-15-1994
echo File authentication:
echo Check Method 1 - 064C
echo Check Method 2 - 0AA2

> This way he will succeed to fool the user who does not have an
> independent way to obtain the real hash values.

This method would also fool the user who would have seen a public notice of the correct validation values. I've never understood why some packages come with the validation program included.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Wed, 10 Aug 94 09:50:17 -0400
From: mikko.hypponen@wavu.elma.fi (Mikko 'Hermanni' Hypponen)
Subject: Re: Netware & Virstop (PC)

Vesselin wrote:

> This resident scanner has been intentionally designed in a way that
> makes it difficult to be removed from memory - otherwise a virus could
> do that too.

Well, in this case, there is not much point for a virus to try to turn VIRSTOP off. VIRSTOP is a resident scanner; it only tries to find known viruses. If a virus is unknown to VIRSTOP, it wouldn't be detected anyway, so why should the virus turn VIRSTOP off? If a virus is known to VIRSTOP, VIRSTOP wouldn't let it be executed, thus the virus would be unable to turn VIRSTOP off. A method like this would be useful for an unknown dropper program of a known virus, but those are almost never seen in the wild.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Wed, 10 Aug 94 10:00:11 -0400
From: ykchung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: Re: Tamsui? (PC)

Kevin Kenney (kenney@netcom.com) wrote:

> Ran into the Virus F-prot 2.13 calls Tamsui and can repair,
> and Norton 3.0 (7/94 defs 30a09) calls Christmas-1649 (the correct size
> increase) and can't repair. I looked in F-Prots list, the msdosvir files
> and vsumx 4.01 without finding anything about this one. Details anyone?
> Thanks in advance, KpK

As I know..... Tamsui virus is from Taiwan, written by someone in Tamsui Oxford College. When it acts, it will sing a song. In our country, it is called Merry Xmas Virus. You may try to see 'Merry Xmas' virus in vsumx406. :p

Sincerely.

- --
Jimmy Chung ( Chung Yuan-Kai )      u801403@Winkie.Oz.nthu.edu.tw
National Tsing Hua University       bugger@ftp.cis.nctu.edu.tw
Hsin-Chu, Taiwan                    Bugger.bbs@bbs.nsysu.edu.tw

------------------------------

Date: Wed, 10 Aug 94 10:06:36 -0400
From: ykchung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: Re: Tequilla (PC)

Bob Madan (bmadan@pipeline.com) wrote:

> Is there any one out there who can tell me the best way to rid
> a PC of the Tequilla Virus. Formatting the disk is not helping
> and I understand from MCAfee that the boot sector is infected.
> I also understand that the virus can point to another sector on
> the disk when asked for the boot.

1) Boot from an EXACT clean MSDOS boot disk.
2) Try to use fp-213a.

Sincerely.

- --
Jimmy Chung ( Chung Yuan-Kai )      u801403@Winkie.Oz.nthu.edu.tw
National Tsing Hua University       bugger@ftp.cis.nctu.edu.tw
Hsin-Chu, Taiwan                    Bugger.bbs@bbs.nsysu.edu.tw

------------------------------

Date: Wed, 10 Aug 94 10:15:48 -0400
From: mikko.hypponen@wavu.elma.fi (Mikko 'Hermanni' Hypponen)
Subject: Re: HK Vtech virus & Amoeba (PC)

news@hpg30a.csc.cuhk.hk wrote:

> A new virus was being found at HK. This new virus is called HK
> Vtech virus.

Well, depending on the exact variant, this virus is not so new. We received our first sample of the Jerusalem.Vtech virus from our Hong Kong distributor (Yui Kee Company Ltd) during March 1994.
F-PROT has detected this virus since version 2.12 (April 1994). After that two additional variants of this virus have been found; both of them are detected by the latest version of F-PROT, version 2.13a.

> Since it is produced in HK so that overseas scanner cannot scan out
> this virus!

Even though a virus is made in Hong Kong, it doesn't mean that a scanner made and published in Scandinavia couldn't detect it...

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Wed, 10 Aug 94 10:31:32 -0400
From: ykchung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: Re: Virus Scanners, Detectors, etc. (PC)

Mansour Toloo Shams (toloo@eleceng.ee.queensu.ca) wrote:

> What are the "best" Virus Scanners. In particular,

In different countries, the BEST AVs are different. But, I will recommend you to use:

TBAV
F-Prot
AVP

> where can I get the latest version of the F-PROT?

complex.is

- --
Jimmy Chung ( Chung Yuan-Kai )      u801403@Winkie.Oz.nthu.edu.tw
National Tsing Hua University       bugger@ftp.cis.nctu.edu.tw
Hsin-Chu, Taiwan                    Bugger.bbs@bbs.nsysu.edu.tw

------------------------------

Date: Wed, 10 Aug 94 11:01:13 -0400
From: gcluley@sands.co.uk
Subject: Re: Virus Scanners, Detectors, etc. (PC)

toloo@eleceng.ee.queensu.ca (Mansour Toloo Shams) writes:

>What are the "best" Virus Scanners. In particular,
>where can I get the latest version of F-PROT?

Expect a barrage of mail from Anti-Virus vendors! 8-)

It rather depends on what your criteria for "best" is. Vesselin Bontchev and the University of Hamburg Virus Test Center just conducted a comparative test which came up with the following information:

Scanners with detection rate of 90% or above (in decreasing order of detection rate):

1. AVP - A Russian product by Eugene Kaspersky and Co.
2. FINDVIRUS - From Dr Solomon's Anti-Virus Toolkit.
3. F-PROT - From Fridrik Skulason
4. TBSCAN - From ThunderByte.
5. UTSCAN - From the Untouchable package.

Of course, detection rates aren't everything.. some people like pretty user interfaces too. 8-)

AFAIK the latest version of F-Prot is usually downloadable via anonymous ftp from oak.oakland.edu:/SimTel/msdos/virus/fp-???.zip

Regards,
Graham Cluley

- ---
Graham Cluley [gcluley@sands.co.uk]      S&S International PLC
Product Specialist                       Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit          Aylesbury, Bucks HP19 3XU
Tel: +44 (0)296 318700                   United Kingdom

------------------------------

Date: Tue, 09 Aug 94 19:01:17 -0400
From: olpopeye@ix.netcom.com (Walter Murdock)
Subject: Sincerest Apologies to Forum

Am deeply embarrassed at what the America OnLine gateway did to my last submission to Virus-L (it stuck into an ASCII-Saved .TXT file a bunch of extraneous formatting characters in place of quotation marks, etc.) and certainly detracted from the beauty and clarity of my prose ;-)). Sorry for the hoohoo (or booboo). Have gotten out of my lazy streak and gone to netcom.com for my primary Internet access 'stead of AOL. Hopefully, t'won't happen again.

Warm regards,
Walt Murdock

Walter E. Murdock                        olpopeye@ix.netcom.com
Murdock Associates, Palo Alto            olpopeye@aol.com
"U.S. Navy Retired & Proud Of It."       olpopeye@svpal.org

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 67]
*****************************************
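Two of the messages in this digest make the same point from different angles: David Conrad's scenario of an attacker shipping a replacement public key inside the zip file, and Mikko Hypponen's bogus VALIDATE.COM. An integrity value, verification key or verification tool carried inside the package it vouches for cannot detect tampering with that package, because whoever rebuilt the package also rebuilt the value. The following Python program is an added illustration of that rule; it is not code from the digest or from any of its contributors. It builds a constructed in-memory zip package whose README states the digest of the program inside, then compares a check that trusts the bundled README against a check that trusts only a digest obtained out of band before the download (the pinned value). SHA-256 stands in for the MD5 and CRC checks of the period; the file names, contents and digests are constructed samples.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample contents: a stand-in for the genuine program and a modified copy.
GENUINE_PROGRAM = b"MZ-constructed-genuine-program-image"
MODIFIED_PROGRAM = b"MZ-constructed-modified-program-image"

# The digest a user obtained out of band (a vendor announcement, a printed notice)
# and recorded before downloading anything. This is the only trusted value here.
PINNED_DIGEST = hashlib.sha256(GENUINE_PROGRAM).hexdigest()


def build_package(program: bytes) -> bytes:
    """Build an in-memory zip holding PROGRAM.EXE plus a README stating its digest.

    Anyone able to replace PROGRAM.EXE can run this same function, so the README
    is always consistent with whatever program is inside: that is the weakness.
    """
    digest = hashlib.sha256(program).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PROGRAM.EXE", program)
        zf.writestr("README.TXT", f"PROGRAM.EXE SHA-256: {digest}\n")
    return buf.getvalue()


def program_digest(archive: bytes) -> str:
    """Hash PROGRAM.EXE as actually found in the archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return hashlib.sha256(zf.read("PROGRAM.EXE")).hexdigest()


def bundled_digest(archive: bytes) -> str:
    """Read the digest the archive's own README claims for PROGRAM.EXE."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        readme = zf.read("README.TXT").decode("ascii")
    for line in readme.splitlines():
        if line.startswith("PROGRAM.EXE SHA-256: "):
            return line.split(": ", 1)[1].strip()
    raise ValueError("README.TXT carries no digest line")


def verify_with_bundled_readme(archive: bytes) -> bool:
    """The weak check: trust the digest shipped inside the same archive."""
    return hmac.compare_digest(program_digest(archive), bundled_digest(archive))


def verify_with_pinned_digest(archive: bytes, pinned: str) -> bool:
    """The sound check: compare against a digest obtained independently of the archive."""
    return hmac.compare_digest(program_digest(archive), pinned)


# A genuine package, and a rebuilt one in which the program was replaced and the
# README regenerated to match (constructed sample mirroring the forgery described above).
GENUINE_PACKAGE = build_package(GENUINE_PROGRAM)
REBUILT_PACKAGE = build_package(MODIFIED_PROGRAM)


def run_checks() -> dict:
    """Return the outcome of both checks on both packages, keyed by package/check."""
    return {
        "genuine/bundled": verify_with_bundled_readme(GENUINE_PACKAGE),
        "rebuilt/bundled": verify_with_bundled_readme(REBUILT_PACKAGE),
        "genuine/pinned": verify_with_pinned_digest(GENUINE_PACKAGE, PINNED_DIGEST),
        "rebuilt/pinned": verify_with_pinned_digest(REBUILT_PACKAGE, PINNED_DIGEST),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:16} {'PASS' if ok else 'FAIL'}")
```

The bundled-README check passes on the rebuilt package exactly as it passes on the genuine one, so it tells the user nothing; only the check against the pinned digest fails on the forgery. The same reasoning covers the key-replacement message: a signature proves something only when the verification key was fixed before the download, and a key that arrives inside the archive with a note saying "use this one from now on" is just another bundled value. It is also why Hypponen sees no value in shipping the validation program with the package: the verifier, like the digest, has to come from somewhere the attacker could not reach.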