VIRUS-L Digest   Tuesday, 16 Aug 1994    Volume 7 : Issue 68

Today's Topics:

Re: Naming of Viruses
Re: Questions for anti-virus community
Re: Virus Life?
Re: Mutating viruses?
Re: Virus Scanners, Detectors, etc.
Re: virus in jpgs
Netcom distributing viruses
Comments and Observations.........
Re: Virus Life?
Re: Mutating viruses?
Virus Definition Revisited...
TranScan
Re: Finger daemon virus information service
Unix Virus Attacks and Scanner (UNIX)
Invisible Man... (PC)
Re; boot diskette (PC)
Re; [News] "Horse" virus? (PC)(Anywhere else?)
Re; [News] virus 1028 Bytes need help (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
virus construction labratory (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Whisper Presenterar Tai-Pan (PC)
whisper virus (PC)
Dr. Solomon Virus Signature Update (PC)
SMEG Virus Test (PC)
Lenart? or CPAV blof. (PC)
Help Win 32 Bit File Virus? (PC)
Re: ANSI bombs (PC)
McAfee Virus Scan (PC)
Re: Server downing virii - Netware corruption? (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Stoned 4 mystery (PC)
YK2885 What does this virus do ? (PC)
Re: How to remove FORM from a PC bootsector? (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Help on Budo Virus (PC)
Re: Mummy Virus (PC)
Re: Best Anti-virus software (PC)
Re: Strange DOS 5.x-6.x behaviour (floppies) (PC)
Re: Network virus protect (PC)
Help Re: Rosenthal virus simulator (PC)
Re: Rosenthal Virus Simulator (PC)
New ICARO sites
Increased Enrollment at Lehigh (administrative Q&A)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)
Please sign submissions with your real name; anonymous postings will
not be accepted. Information on accessing anti-virus, documentation,
and back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on CORSA.UCR.EDU. Administrative mail
(e.g., comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 10 Aug 94 11:14:41 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Naming of Viruses

michael_d_jones@ccm.hf.intel.com (Michael D. Jones) writes:

>This may be a trick question, or a useless one depending on your
>point of view, but what determines the correct "official" name
>for a virus.

It is a good question. The closest thing to an official name is the
CARO name, and that is decided with a consensus among myself, Vesselin
Bontchev and Alan Solomon. Some scanners stick pretty closely to the
CARO names (not surprisingly, that includes my F-PROT as well as Dr.
Solomon's Anti-Virus Toolkit), and other scanners that used different
names in the past have been moving closer to it (NAV and SCAN in
particular). The most widely-used product that does not use CARO naming
at all is the CPAV/MSAV product, but hopefully that problem will
disappear soon, as Central Point has been absorbed by Symantec.

>question I'll ask later. so is there some type of criteria by
>which a virus is named and if so,

There is, but the problem is that the same virus may have multiple
acceptable names - and different researchers just pick different
ones....then a few months later, one of them is accepted as the
"official" one. Sometimes names change later, for example if it is
determined that two viruses are related and belong to the same family.
>the best and easiest to use that I have found so far, truth is,
>it doesn't meet the above requirements very well. I know it sounds
>like I'm just complaining and not giving any solutions, but I
>don't have any solutions, just suggestions.

There will be something out later this year that should meet your
requirements.

>been asking the same questions since 1992. It's not really that
>bad is it Vesselin and Frisk. :)

It is that bad. Oh, the FAQ should be updated a bit - there are a few
new books that have been published, and such, but basically nothing
much has happened.

- -frisk

------------------------------

Date:    Wed, 10 Aug 94 11:44:52 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Questions for anti-virus community

cvhender@csn.org (Chris Henderson) writes:

> Is there a finite number of viruses as yet to guessed at for each
>of the systems: os/2 windows unix dos etc...?

the number of viruses that exist is finite, yes :-) .... after all, an
infinite number would require an infinite number of disks to store them
on, with the probable result of converting our planet into a Black
hole...unless you believe the universe is infinite, and there is an
infinite number of DOS machines all over the universe, running an
infinite number of DOS programs, infected with an infinite number of
different viruses. :-)

Seriously, though, the current estimates are something like this:

  DOS:                    around 4500-5000
  Mac, Amiga, Atari-ST:   less than 100 each
  OS/2, Windows, Unix:    less than 10

> Where seem to be the most viruses being made, {geographical}
> and field.. {BBS Lan r&d}

most viruses seem made by teenagers that barely know how to program,
scattered all over the world...I don't notice any special "hot spots"
right now ... the development in Bulgaria, Netherlands and other
"problem sites" seems to have cooled down.

>Does a dos based BBS have any concerns if using "THDPRO9.01 w/ tbav,
>scan117, f-prot213a.
yes...if the virus author has those programs too, and makes sure his
virus is not detected with them, before uploading...not too difficult
for any decent programmer.

- -frisk

------------------------------

Date:    Wed, 10 Aug 94 11:50:24 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Life?

shornik@shadow.net (Steve Hornik) writes:

>I just read an article in The Miami Herald which reports Steven Hawking
>saying that "I think computer viruses should count as life".

Well, he is entitled to his opinion...but in this case I would tend to
disagree rather strongly with him...check out comp.ai.alive for related
discussion.

- -frisk

------------------------------

Date:    Wed, 10 Aug 94 12:04:50 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Mutating viruses?

c0900238@techst02.technion.ac.il (Dimerman Dan ) writes:

>I mean, if not now perhaps in the future, can a piece of self-replicating
>code be changed in a way that in some cases it's still runnable?

easily .... for example a text string may change, or an instruction may
change into another equivalent instruction. For example the XOR reg,reg
instructions have two forms, which differ by one bit ("33 xx" versus
"31 xx"). Any mutation which transformed a virus using one of those into
a virus using the other one would result in a functionally equivalent,
but different virus.

- -frisk

------------------------------

Date:    Wed, 10 Aug 94 12:18:22 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Scanners, Detectors, etc.

toloo@eleceng.ee.queensu.ca (Mansour Toloo Shams) writes:

>Hello:
> What are the "best" Virus Scanners. In particular,
> where can I get the latest version of the F-PROT?

to see where to obtain it, just 'finger f-prot@complex.is'

we use that to say what the latest version is, and where to get it.
- -frisk

------------------------------

Date:    Fri, 12 Aug 94 22:04:21 -0400
From:    anaconda@gagme.wwa.com (bob kwiatkowski)
Subject: Re: virus in jpgs

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

> Scott Fletcher (fletcher@bud.peinet.pe.ca) writes:
>
> > I just finished talking to someone who said that viruses can be hidden
> > and released from jpgs. It is the first time I have ever heard of this.
>
> You mean JPEGs, right? The files containing compressed graphic
> information. The short answer is that no, no such virus exists and no
> such virus can be written.
>
> The long answer... Well, it is possible to hide a message in a
> graphical image, by distributing it over the least significant bits
> that code each pixel. This message could contain anything, including a
> virus. Of course, it is not possible to activate the virus (i.e., make
> it infect) by just viewing the image; you'll have to extract the virus
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> to an executable file first and then run this file.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Does anyone know of any cases where this has actually happened? Where a
virus was dormant in a JPEG or any non-executable for that matter ??

Bob Kwiatkowski
anaconda@gagme.wwa.com
toomuchjava@delphi.com

------------------------------

Date:    Sat, 13 Aug 94 07:50:34 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Netcom distributing viruses

padgett@141.240.2.145 (Padgett 0sirius) writes:

>Sorry, for quite some time several people have been attempting to make
>netcom.com aware that particularly in view of recent court decisions,
>they might be held liable for malicious programs and source code that are
>publicly available from their systems. Mail was sent repeatedly to the NIC
>identified administrator and the only response I know was received was an
>Electronic form letter.
Netcom's policy on making viruses available via FTP is:

>Viruses and information relating to viruses are not, at this time,
>controlled code. We allow users to make available via anonymous FTP any
>and all data as long as it is legal, which viruses, viral source code, and
>newsletters published by virus groups are. It is not placed there by
>Netcom, and its distribution is not necessarily endorsed by Netcom.

So, the next time you get hit by a virus, remember to send Netcom a
"thank-you" note for assisting in distributing them.

Another question that was raised with Netcom had to do with making
export-restricted software available via FTP. Their policy on that
matter:

>Making software using encryption available for download does not violate
>international cryptography laws, only the act of someone receiving them
>in another country is.

Ah, well...this is USA.

- -frisk

------------------------------

Date:    Mon, 15 Aug 94 08:36:31 -0400
From:    "Steven W. May"
Subject: Comments and Observations.........

I have been following this news-group for almost two years now. I have
never felt the need to post until now. There have been two or three
threads of thought which have gotten out of hand over the last year or
two. I was extremely tired of "What is a virus?", and now find myself
very sick of "Good and Bad Virus". BTW, I agree that there is no such
thing as a good virus (general world view of real virus meant here).

Overall though, this group has continued to hold my interest and I look
forward to each issue.

I would like to see this group contain more in the line of what viruses
are in the wild, where, what these viruses do etc. I think it would be
beneficial to the computer world at large for this group to
cooperatively develop a complete and useful database of information
concerning the virus problem and known viruses. I have heard that one
was started and available for FTP somewhere but I did not get the whole
story on it.
I understand that VSUM is not worth the time it takes to do the DL.

I feel that demographically this group's readers would be people who
are searching for help and information. The contributors are people who
know what they are talking about and are daily involved in the fight
against real viruses and the battle against false information. I think
that the virus specialists would be better serving the world and the
readers of this group if the above were the focus of this group rather
than these esoteric strains of thought.

*********************************************************************
The above is my own thoughts and ideas. Since I work for the government
that is the only way it can possibly be..............

Steven May
cerfas.swm107%smtpgate@cra_mail.nwscc.sea06.navy.mil
or swm107@crane-ns.nwscc.sea06.navy.mil
phone (812) 854-3446
***********************************************************************

------------------------------

Date:    Mon, 15 Aug 94 10:19:05 -0400
From:    s4mwh@csc.liv.ac.uk (M.W. Holcroft)
Subject: Re: Virus Life?

shornik@shadow.net (Steve Hornik) writes:

> I just read an article in The Miami Herald which reports Steven Hawking
> saying that "I think computer viruses should count as life". He goes on
> to say that "A living being usually has two elements, First, an internal
> set of instructions that tell it how to sustain and reproduce itself.
> Second, a mechanism to carry out the instructions".
>
> These comments were made at the Macworld Expo in boston, was
> anyone there? Does anyone know of where this issue is being discussed
> on the net?
>
> Steven Hornik
> - --
> Steven Hornik
> horniks@servax.fiu.edu
>

Why aren't lemmings artificial life??? why aren't the cells in life
artificial life??? What is Hawking talking about???

------------------------------

Date:    Mon, 15 Aug 94 10:43:34 -0400
From:    s4mwh@csc.liv.ac.uk (M.W. Holcroft)
Subject: Re: Mutating viruses?
c0900238@techst02.technion.ac.il (Dimerman Dan ) writes:

> In some antiviruses I noted that under the comment about certain virus,
> goes something about a "mutation" of some original virus.

This type of mutation sounds a little strange... they would have to be
variants of some virus, rather than mutants, because if a virus mutates
properly, it should be unrecognisable from its 'parent' or source. Of
course, you might check for percentage similarity....

> Besides of the human touch to some part of the virus code, can it be that
> taking in account the exponential rate of propagation and some kind of "noise"
> in the process of propagation, be analogous to the biological viruses
> propagation and mutation processes? Set aside the complexity of the latter
> against the former...
> I mean, if not now perhaps in the future, can a piece of self-replicating
> code be changed in a way that in some cases it's still runnable?
>
> Thanks for your time...
>
> Dan.
>

It doesn't make a great deal of sense to talk about computer viruses in
the same way as biological viruses. They are of course subject to the
'laws of evolution' (fitness) but that is all... they do not mutate at
random, they mutate in an entirely determined way (and the means of
mutation is included in the code!); and most of all they do not evolve.
They do not gain new features or new abilities, they just present to
the virus detector a different face, so that the virus detector has to
come up with an entirely new way of locating them (it is no longer
possible to have a search pattern associated with a virus). The 'fit'
viruses therefore avoid detection for longest.

There is no need to create a mutant replica of a piece of code and just
HOPE that it will work... it is possible to alter a piece of executable
in an entirely determinable way (beforehand, that is) which will then
be so dissimilar to the original that it can never be traced by any
pattern matching algorithms.
You might take an existing executable from the "system as it is" (from
an old Kant volume (Critique of formal systems)), and insert your code
into it so that the vast majority of the new file is "the file as it
was". You would do this by inserting one instruction and a branch
(unconditional, or conditional on some condition that you have just set
- so the branch always occurs) or a jump (the more opcodes a processor
has for this the better - DBRA BRA BREQ BRNEQ & so on, because it means
you can select from these rather than use the same few over and over)
to the next instruction of viral code.... in between viral code you
have the existing code, and jumps over, around, under (hoho) the viral
code so the new executable becomes the virus..... and it will still
work as the executable it once was, just infecting other executables
(maybe itself....??) every n occasions... to some piece of code that
runs over a network.... (yum?)

You might just tell your virus mutate function to introduce NOPs all
over the place, and ADD 0, and MUL 1 and so on into the new viral code,
introduce random opcodes and operands, but branch over them, so that
the viral code is entirely different from the original.

        From                            To
        -----------------------         -------------------------
        MOVE.B #255, d0                 NOP
      a MOVE.L (a0)+, -(a7)           a MOVE.L (a0)+, -(a7)
        DBRA d0, a                      ADD.Q #0, a7
        JSR d                           MUL a7, 1
        MOVE.L (a7)+, d0                NOP
        MOVE.W #5, -(a7)                DBRA d0, a
        MOVE.L d0, -(a7)                NOP
        SUB.W $FFFF, d0                 BRA b
        MOVE.L d0, -(a7)                MOVE.L 25356, d0
        MOVE.W #-1, -(a7)               MOVE.L 25, d4
        TRAP #14                        NOP
        MOVE d0,-(a7)                   JMP a7
                                      b JSR d
                                        ADD.Q 1,d
                                        MUL d,1
                                        MOVE.L (a7)+, d0
        etc etc.

You might rearrange the viral code

        From                    To
        ------------------      ------------------
      a opcode operand          JMP a
        opcode operand        c opcode operand
      b opcode operand          opcode operand
        opcode operand          JMP d
      c opcode operand        a opcode operand
        opcode operand          opcode operand
      d RTS                     JMP b
                              d RTS
                              b opcode operand
                                opcode operand
                                JMP c

Less than effective???? Rapid growth in size???
maybe mimicking behaviour of some data file???

you might make it more sophisticated, so that it can grow and shrink,
the problem being that the mutate function works off itself, so there
would have to be some way of tracing the flow of a program and
rewriting it in a single sequential block. How does the mutate function
recognise loops???

You might specify some instructions as being equivalent to others... so

        MOVE.W a,b  =  MOVE.W a,c
                       MOVE.W c,b

        MOVE.L a,b  =  MUL b,0
                       ADD a,b

        ADD.W a,b   =  MOVE.W a,c
                       SHR c,#8
                       ADD.W c,a
                       ADD.W c,a      (maybe not quite?)

etc etc

And, of course, you might combine them.

Otherwise known as code obfuscation.

> I mean, if not now perhaps in the future, can a piece of self-replicating
> code be changed in a way that in some cases it's still runnable?

As I said, it's not necessary to mutate randomly.... however, any code
is executable..... try executing a bitmap image from a screen.... it
will more likely than not try a divide by zero, or jmp out of range or
some other such, so that it will not run for very long... at least in a
multitasking operating system, the executing process will be removed.
But nice behaviour is hardly expected of a virus? These 'viruses'
wouldn't reproduce very well though. They would be sterile offspring
(to talk in the biological sense, that I said shouldn't be used....)

You are thinking of something entirely different, being genetic
algorithms (which DO take their terms from biology - programmes are
written on an environment (like a RISC in some ways) where the opcodes
all take the same form. Algorithms are mutated, and their behaviour
compared to the desired behaviour. It might be nothing like, in which
case it is unfit; it might be the same, in which case it is fit; it
might be 'the same, but better' (more efficient, more generalised, more
stable, whatever), in which case it is superior. Evolution is biased in
favour of 'fit' and 'superior'. The choice of fitness is arbitrary.
Not like real evolution at all, where an 'inferior' organism might
survive at 'bubble over' until a dramatic change in the environment
makes it more suited than any of its (previously superior) competitors;
and where perfectly fit organisms can become extinct (unfit?) by chance
(dinosaurs, etc).

It can be seen from this that it (is / will be) impossible to trace a
virus by its byte appearance on some 'storage device' (possibly RAM),
but only by its behaviour. You would have to monitor certain parts of a
system (writing executable files for example), and log them carefully,
then notify the administrator (user on a PC). Normally executables
SHOULDN'T alter very often at all, created by COPY perhaps, or by a
compiler. Processes (writing / writing to) executables should be
logged. It would be easy for the admin to see whether a process should
be allowed to write an executable. You might have an OS call that
registers processes able to write executables, and bar all others from
doing so... but what about executables introduced from (say) an
install disk???? Or across a WAN, via a modem???? What about viruses
that log themselves?? What about some system (can't think of one :) )
that constantly writes executables (propagation, garbage
collection???) maybe a person presented with such a list would be
completely overwhelmed by it. What about a merge-mutate virus (as
described above) infecting a compiler? What happens if your OS's write
to device function is infected (unlikely, but possible) so as to insert
'obfuscated' code into the file it is writing to under certain
circumstances????

This applies fairly easily on a standalone system that makes a clear
distinction between "executables" and "data", but what about object
oriented systems, where data comes with methods to alter it??? The
'object broker', 'object server', whatever has to be trusted to
maintain virus free objects... How do you disinfect a compound object,
in which a low level object has been infected?
What about distributed OSs, where the virus might be lurking somewhere
where you have no way of verifying correct behaviour??? What about DLLs
(dynamic link libraries) where an executable is thrown together (no
more "here's one I made earlier" :( ) at load time????? What about
distributed DLLs??? From across something as simple as an ethernet
network?

On another track: why encrypt a virus???? To execute, it must decrypt.
It must therefore either use some OS decryption routine, or include
unencrypted decryption code, which will be the pattern to search for
(might use some autodecrypt function shared with compacted programmes -
I DO NOT use auto decrypting executables for this reason. It IS a pain
decrypting to run, but you KNOW about it). Encrypted code cannot mutate
(the chance of altering a block of meaningless data, and expecting it
to mean something at some later stage AFTER the random alterations is
tiny) so it too can be used as the pattern to search for in a virus
detector. Encryption is useless; although it does mean that you cannot
find calls to certain routines (XBIOS calls, or whatever) so locating
it in the first instance is made more difficult, but once someone has
done that, a virus detector can be updated and the virus is no longer
any more difficult to find than any other.

------------------------------

Date:    Mon, 15 Aug 94 17:55:57 -0400
From:    "Brian H. Seborg"
Subject: Virus Definition Revisited...

Padgett Peterson made a suggestion to modify the virus definition that
I put out for comment 4 or 5 issues ago. I like Padgett's suggestion to
add the constraint that the virus be "functionally similar" to its
parent; however, I know of several examples of viruses for which this
is not currently the case. I'll cite one example later. Also, I think
that in the future we may see viruses where this is not necessarily the
case.
For example, if we ever have polymorphic viruses that actually are
capable of generating functional code variants (as opposed to just
viruses with variable decryptors), then we could have a case where the
child viruses of the original parent may be functionally dissimilar,
and in fact may not even work (I believe that Vesselin has also stated
this in the past).

One example of a standard virus that has the property of generating
copies that are not functionally the same is Datalock 1043. Datalock is
an unremarkable virus that infects .com files correctly, but has a bug
that causes it to screw up when it infects .exe files such that any exe
file infected with it just hangs, and is not capable of spreading the
virus further (it does not change the program entry point properly for
.exe files). In this case, the child is not functionally similar to the
parent, yet we would all agree that Datalock 1043 is a virus (although
a buggy one!) However, Padgett's point is well taken since it is most
often the case that the child virus is functionally similar to its
parent. Therefore, I have modified the definition to include his
comment as follows:

"We define a computer 'virus' as a self-replicating program that can
'infect' other programs by modifying them or their environment such
that a call to an 'infected' program implies a call to a possibly
evolved, and in most cases, functionally similar copy of the 'virus'."
--Seborg's modification to Cohen's definition with help from Peterson :-)

From reading one of Fred's books (I thought reading his doctoral
dissertation and a few articles would have been enough, silly me! :-))
I can see that his definition of computer viruses is not the same as
that generally accepted by most researchers in the field (no surprise
to Vesselin Bontchev who must have actually read Fred's book as well
:-)). For example, I was surprised to see that Dr. Cohen considers the
Internet Worm to be a virus while most purists would consider it a
Worm.
He also considers the IBM e-mail Christmas card incident as another
case of a virus. Again, most people in the field would not consider
this to be a virus although I would say that there may be much
disagreement about what it should be called. However, be that as it
may, if we are going to look at the term computer virus in terms of its
biological equivalent, then it seems that my modified definition is
more in line with this objective since to define it otherwise would be
to do the biological equivalent of grouping viruses (see Webster's
Dictionary if you think it should be viri :-)), bacteria, and parasites
into the same group (while it is true that some bacteria are parasites
and some parasites are bacteria, we would never say that all parasites
are bacteria, nor that all bacteria are parasites). I will not debate
the merits or lack thereof of this approach for Fred, as it has
obviously provided a good working definition for his purposes; however,
I will have to disagree with making so general a definition if we are
to consider parallels between computer creations and their biological
counterparts, especially as we progress into the realm of artificial
life research (yes, I know it's similar to artificial intelligence
research in which we try to create "artificial" intelligence before we
can even define "intelligence," but that never stopped us before!:-)).

I'm looking forward to others' viewpoints on this.

Brian :-)
bseborg@fdic.gov

------------------------------

Date:    Tue, 16 Aug 94 03:24:36 -0400
From:    jwood@az15eh09.iac.honeywell.com (Jim Wood)
Subject: TranScan

Has anyone heard of or used the TranScan virus detecting software? If
so, can you give me some information. Specifically:

  Company
  Address
  Phone Number
  Price

Thanks a lot.
Jim Wood
jwood@az15eh09.iac.honeywell.com

------------------------------

Date:    Sun, 14 Aug 94 09:59:10 -0400
From:    Henrik Stroem
Subject: Re: Finger daemon virus information service

Vesselin writes:

> Michael Jones (Michael_D_Jones@ccm.hf.intel.com) writes:
>> What would be ideal, would be to
>> get information using something similar to "finger" where you could say:
>> "finger virusname@whoever.wants.this.huge.project"
>> and it would return the important information about the virus, i.e. type of
>> virus, detection, cleaning, etc.

> That wouldn't be a wise thing to do for two reasons. First, it would
> require an account to be created for each virus name. I doubt that a
> sysadmin would be willing to dedicate 4,600 accounts for such a
> purpose... :-) Second, there is the naming problem. How to design the
> software so smart as to figure out that when the user is asking for
> "Frodo", "4K", "Centry", "100 Years", etc. they actually mean the same
> thing?

I think you are wrong ;-)

It is trivial for any programmer with some knowledge of C and UNIX and
daemons, to write a fingerd that displays the contents of a file when
the name of that file is fingered.

E.g., finger stoned@virinfo.uni-hamburg.de would make the finger daemon
check for a file named stoned in e.g., a directory /virinfo and display
something like:

"There are currently more than 100 variants of Stoned. Try fingering
one of the following for more detailed info on the different variants:

  Stoned.Standard
  Stoned.Empire
  Stoned.No_INT
  etc."

And then when fingering Stoned.Empire@virinfo.uni-hamburg.de one would
get a list of all Empire variants, etc.

The problem you mention with people fingering aliases like DAME for
MtE, etc., is (easily) solved with softlinks to the correct CARO name
for that virus.

> A much more practical way to implement it is to use a mail server. And
> indeed, several years ago, the Heriot-Watt university in the UK used
> to run such a server. Unfortunately, it is not active any more.
Well an even more practical approach is a gopher server, much like IBM
already have. The problem is not to implement such an information
service, but to provide all the information, which does not even exist
today.

The big advantage of using something as simple as a fingerd is that a
finger program is supplied as a part of almost any system with TCP/IP
support, on most platforms. Whereas a gopher client or a mosaic client
is not. E-Mail is hard to set up and is typically not within reach for
many non-UNIX users. In addition the finger program is incredibly easy
to use, and runs with minimal hardware and software requirements.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date:    Sat, 13 Aug 94 15:27:42 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Unix Virus Attacks and Scanner (UNIX)

Sorry about this late posting. I have been away.

In virus-l volume 7, issue 64 there were questions about viruses in
Unix and Unix virus scanners. This is in reply.

First, within the last 30 days I have had first hand reports of 3 Unix
systems that have been attacked with viruses. The first system was a
486 system running Unix. The system was undergoing the typical Insane
Unix problems that one would expect with hardware problems. The
filesystem was going crazy, processes died and the system crashed every
night at about the same time. It also thrashed. I was able to help the
System Administrator resolve the problem. It turned out that their
system was connected to a University and to a factory. (Not a good
practice) Their Unix system was infected with a file infector. I have
not completely finished my study of how the virus was able to target
the executable, however using 2 different virus scanners an msdos virus
was found infecting a Unix executable. The executable was created on
the Unix system by compiling. The virus did not have the same effect on
the Unix system as it would have on an Msdos system.
The SA also reported that a week after their "hardware" problems the
system that they were networked to also had similar problems. The
system crashed at about the same time every night because the infected
program was run using cron. Efforts to fully understand what happened
here are still ongoing. Only the fact that it was a confirmed msdos
virus infecting a "unix only" binary is confirmed.

Secondly, a customer called and mentioned that their virus scanner on a
Sun Sparc system detected an msdos virus in their softpc subsystem. I
told them to erase the infected file and reinstall it from the
manufacturer diskette. The virus was one of those that didn't do much.
Erasing is the best disinfection routine ever devised and it appears to
have worked well.

Finally, I guess being quiet is not a very big help to my pocketbook.
My company manufactures an anti-virus product for Unix called VFind. It
simultaneously scans for Unix, Msdos, Macintosh and Amiga viruses. It
also now includes an MD5 integrity checker. The integrity checker is
way too slow since our tests show that a "small" unix system can have
50,000 files. We are now writing our own hashed ISAM drivers to speed
things up. If anyone knows of any PD ISAM drivers please let me know.

Pete Radatti

PS: I will be at Unix Expo manning the CyberSoft booth this year. I
would love to meet any virus-l folks that come by.

------------------------------

Date:    Sun, 14 Aug 94 10:46:00 +0000
From:    leonardo@kuc01.kuniv.edu.kw
Subject: Invisible Man... (PC)

Dear All,

We are having a problem with the "Invisible Man" Virus. Does anybody
know of a way out? We have been trying with it for a long time, but to
no avail. Does anyone have experience with this sort of thing? If so,
please send me a mail at leonardo@kuc01.kuniv.edu.kw .

Best Regards,
Leo.

------------------------------

Date:    Sun, 14 Aug 94 15:05:35 +0400
From:    Oleg Nickolaevitch Kazatski
Subject: Re; boot diskette (PC)

Hi !
herb@dorsai.dorsai.org (herb_rabinowitz) writes:

> if using the new scn program by mcafee..what files must be put on a
> diskette to clean the system if a virus is found

Before cleaning the hard disk, copy the SCAN and CLEAN programs onto a system floppy disk.

Good luck !

- --
OK

------------------------------

Date: Sun, 14 Aug 94 14:59:10 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re; [News] "Horse" virus? (PC)(Anywhere else?)

Hi !

Blaine.Delancey@lambada.oit.unc.edu (BlaineDeLancey) writes:

> >Has anybody got information on the "Horse" virus? A friend of mine
> >reported detecting it, I think with PC Tools Antivirus(?),

There are several "Horse" viruses.

- ------------------------------- SCAN.DOC --------------------------------
Column key:
  1  Virus Uses STEALTH Techniques
  2  Virus Uses Self-Encryption
  3  Virus Installs Self in Memory
  4  Infects COMMAND.COM
  5  Infects COM files
  6  Infects EXE Files
  7  Infects Overlay Files
  8  Infects Floppy Diskette Boot
  9  Infects Fixed Disk Boot Sector
  A  Infects Fixed Disk Partition Table
  Size = Increase in Infected Program's Size

Virus             Disinfector   1 2 3 4 5 6 7 8 9 A   Size   Damage
- ---------------------------------------------------------------------------
Horse (7) [Hrs]   Clean-Up      . . x x x x x . . .   1154   O P
Horse Boot [DRP]  Clean-Up      . . x x x . . x x .   N/A    B
- ----------------------------- end -------------------------------------

- --
OK

------------------------------

Date: Sun, 14 Aug 94 14:57:01 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re; [News] virus 1028 Bytes need help (PC)

Hi !
moehlman@gelb.informatik.uni-bonn.de (Peter Moehlmann) writes:

> >I have this virus which is 1028 Bytes long and appends at command.com
> >and other com/exe-files at my c:-partition.

There are several viruses which have this size. For example:

- ----------------------------- SCAN.DOC -----------------------------------
Column key:
  1  Virus Uses STEALTH Techniques
  2  Virus Uses Self-Encryption
  3  Virus Installs Self in Memory
  4  Infects COMMAND.COM
  5  Infects COM files
  6  Infects EXE Files
  7  Infects Overlay Files
  8  Infects Floppy Diskette Boot
  9  Infects Fixed Disk Boot Sector
  A  Infects Fixed Disk Partition Table
  Size = Increase in Infected Program's Size

Virus             Disinfector   1 2 3 4 5 6 7 8 9 A   Size   Damage
- ---------------------------------------------------------------------------
Mosquito [Mosq]   Clean-Up      . x x . . x x . . .   1028   O D P
QP3 [1530]        Clean-Up      . . x x x x x . . .   1028   L O P
V1028 [QP2]       Clean-Up      . . x x x x x . . .   1028   O P L
- ---------------------------- end ----------------------------------------

- --
OK

------------------------------

Date: Sun, 14 Aug 94 14:26:35 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Mike McCarty (jmccarty@spd.dsccc.com) wrote:

> What's wrong with selling viruses? So long as the person buying knows
> what he is getting (no fraud) I see no problem.

Does the seller not have a responsibility to society not to put dangerous information in the hands of people too young/immature/irresponsible to handle it wisely?
> Until everyone knows how to write a virus, there will be those attracted
> to the mystique of it. I say publish source for viruses everywhere and
> make sure everyone can easily get a copy.

And then what? What good will it do you or me to have the source code for 4000 viruses? Firstly, where will I get the time to read it? Secondly, the % of computer users that can read asm is minute. So it will be totally useless to them. Thirdly, assuming I manage to wade through it all, how will it benefit me? Am I supposed to examine every new program for that code? And lastly, we will have an explosion of viruses spreading all around - when those young/immature/irresponsible people can not resist the temptation to 'see if Bob detects it', etc. I have seen it happen. I have seen kids hack old viruses and upload them to BBS's. (Just this week there were two uploaded.) I fail to see how widely distributed virus code can be a 'good thing' (tm).

> What we need is good antiviral products. We do not need thought police.

And how will spreading virus code help?

> We believe in liberty. We believe in freedom of thought. We believe that
> individuals have intelligence. We believe that people should be free to
> learn and use everything there is to know in the universe. We believe
> individuals should be responsible for their _own_ behavior (and no one
> elses!).

And how do we trace virus writers/spreaders? I agree they should be held responsible, but HOW will we hold them responsible if we can't trace them?

> DISTRIBUTE INFORMATION FREELY AND POSITIVELY. HOLD PEOPLE ACCOUNTABLE
> FOR THEIR OWN ACTIONS.

Does that include selling American military secrets to [insert current USA enemy #1]?

> I HATE being attacked by viruses. Let's stop them! But please QUIT
> TRYING TO SUPPRESS INFORMATION! LET'S SUPPRESS THE PEOPLE WHO
> DELIBERATELY CREATE AND RELEASE VIRUSES WITH MALICIOUS INTENT!

Easy to say.. but how? Spreading virus code will only help the underground.
> Only knowledge and experience can make a person safe from viruses. When
> we all know how they work then:
> there will be much less incentive to write them
> we will be able to protect ourselves from the ones being written

Non sequitur.

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas                  InterNet: iandoug@cybernet.za
P.O. Box 484                 FidoNet:  5:7102/119
7532 Sanlamhof               TopNet:   225:2048/1
South Africa                 PGP key available.
"Lead, Follow, or get out of the way." (Ted Turner, CNN)
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 14 Aug 94 14:58:05 -0400
From: rockfor101@aol.com (ROCKFOR101)
Subject: virus construction labratory (PC)

Has anyone heard of a piece of software called "Virus Construction Laboratory"? If so, where might I find it?

------------------------------

Date: Sun, 14 Aug 94 15:20:24 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

-------------------------------------------
August 14, 1994

Alfred Jilka writes:
Date: Wed Aug 10 07:44:27 1994

> I feel, that at least part of the problem, that now and then some-
> body tries to create virus simulators comes from the fact, that you
> usually will never see what the virus-alert-screen looks like
> and if it actually works, especially under windows.

Yes Alfred, that is an interesting point and many users appreciate being able to more fully test drive their anti-virus software for themselves. The advantages of "Try before you buy" are well known to both commercial and shareware users. If you want to see how your anti-virus product looks when it detects a virus, Virus Simulator will certainly allow you to do just that, and quite effectively.

> A kind of alleviation could be, to make an "/ALERT" switch, to
> trigger this screen without the need of a virus, or a cheat-program.
Many anti-virus products include a dummy test file for just that purpose, and some make a special effort to cooperate and detect simulations supplied by my product. Virus Simulator provides several safe but far more dramatic bait alternatives. At least some of the simulations should set off the anti-virus program you are demonstrating. For example, you can watch how the boot sector simulations get executed when a floppy disk remains in the drive when your system is turned on. The Virus Simulator Supplement "B" even allows the system to load normally off your hard drive after it takes over in memory. It beeps continuously (even in Windows) while it displays "Rosenthal Engineering Test Virus in Memory" and gives you approx. four minutes to exercise your anti-virus measures before the message dominates the screen and on most systems locks the keyboard. Windows users will notice their mouse seems intoxicated, and if you exit Windows to employ a DOS anti-virus program, you receive an additional four minutes before your system locks. That should certainly reveal the virus-alert-screen you wish to examine, don't you agree?

Doren Rosenthal, member ASP & ASAD
as194@cleveland.freenet.edu
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
---------------------------------------------

------------------------------

Date: Sun, 14 Aug 94 15:22:23 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

-------------------------------------------
August 14, 1994

(Vesselin Bontchev) writes:
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Date: Wed Aug 10 08:14:14 1994

>> Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:
>> Thank you for your very positive comment about my Virus Simulator
>> on Virus-L.

>His "very positive comment" indicates only that you have succeeded to
>fool him to believe that your Virus Simulator is useful, which it
>isn't, as I have explained several times already.
Yes, although you have explained your views on my Virus Simulator even before you saw it, there are many who have examined it for themselves and formed their own opinions. Some people will disagree with you, as I do.

>> Your useful application of my Virus Simulator for
>> training and demonstrations is exactly its intended purpose and I
>> appreciate your sharing that publicly.

> I strongly suspect that the intent to fool the people that your
> program is of any use and therefore to buy it has been exactly your
> intended purpose.

I offer Virus Simulator as shareware with the ultimate "Try before you buy" guarantee. If a user finds my Virus Simulator useful, they're encouraged to register it.

>> The current shareware version of Virus Simulator is VIRSIM2C.ZIP
>> and is available from most BBS's, ftp sites and ASP vendors.
>> Registered users now receive three additional supplements
>> described in the documentation.

There is certainly no deception intended as they can obtain Virus Simulator from most sources without charge, read the documentation and form their own opinion as to how useful it is for themselves.

> ... such as viruses. I will *really* appreciate if you stop promoting
> your viruses here. It contradicts the charter of this forum. Go brag
> about them on your favorite virus exchange BBS.

Your attempts to suppress opinions that are contrary to your own continue to disappoint me. People should be able to hear all sides of an issue and make up their own minds without one of the participants being invited to take his ideas elsewhere. Vess, although your postings dominate this forum, there are other readers who might appreciate being able to share ideas and freely examine other points of view legitimately different from yours.

Doren Rosenthal, Member ASP & ASAD
as194@cleveland.freenet.edu
Rosenthal Engineering
P.O.
Box 1650
San Luis Obispo, CA USA 93406
------------------------------------------------------

------------------------------

Date: Sun, 14 Aug 94 15:42:54 -0400
From: tarshom@iia.org (The Killer)
Subject: Whisper Presenterar Tai-Pan (PC)

Does anyone have any knowledge of the Whisper Presenterar Tai-Pan virus? I had a difficult time discovering this virus due to the fact that it could not be detected with Norton, MSAV, or PCTools 8.0 AV. It adds about 500 bytes to infected files (only EXEs under 64K) with the message "Whisper Presenterar Tai-Pan" printed within. I was able to delete my infected files by scanning for them with TBAV, but I am still curious about what damage the virus may have done if I had left it on my system. Does it activate on a certain date? Has anyone even heard of this virus?

Thank you

------------------------------

Date: Sun, 14 Aug 94 21:49:38 -0400
From: joe.milenky@ase.com (Joe Milenky)
Subject: whisper virus (PC)

Anyone know which virus program can detect and clean the Whisper virus, which adds 439 bytes to each file executed in the directory of the executed program and eats up your hard drive space?

Thanx

------------------------------

Date: Mon, 15 Aug 94 00:08:35 -0400
From: hkueee2!h9114644@uunet.uu.net (CHAN TAK YIN)
Subject: Dr. Solomon Virus Signature Update (PC)

Can anyone tell me where I can ftp the signature update of Dr. Solomon's Toolkit?
TyChan

- --
Chan Tak Yin, Class of 1994
Department of Electrical & Electronic Engineering, The University of Hong Kong
Internet: h9114644@hkuxa.hku.hk
          h9114644@hkueee.hku.hk

------------------------------

Date: Sun, 07 Aug 94 11:31:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: SMEG Virus Test (PC)

frisk@complex.is (Fridrik Skulason) writes in regard to 93647758S@sgcl1.unisg.ch (Luca Sambucci):

LS>> VIRUS TEST Nr. 002
LS>> -= SMEG Viruses =-

FS> Sometimes an infection by those viruses ... Queeg in
FS> particular....seems to create a corrupted file ...
FS> when it is run, it does not decrypt correctly, and will
FS> most probably crash the machine.

It's time you people stopped making these unreal tests, and then everybody will not have to apologize so much for not knowing one particular virus or another that has no implications whatsoever on the real market.

FS> By my definition those samples are not viruses,

That makes my point even stronger!

FS> and I strongly suspect that the reason all the programs missed some
FS> Queeg "samples" is that they were files of this type.

And so is any "new" virus that you might create for an "independent" test to say which is the best AV by saying which detects more useless viruses. However, if you create a new virus and want to test AVs, use integrity checking, heuristics, generic detection and cleaning etc., because that, in my opinion, will be the reality in the near future.

Warmly
* Amir Netiv.
V-CARE Anti-Virus, head team *

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Sun, 07 Aug 94 11:45:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Lenart? or CPAV blof. (PC)

vkelson@bronze.ucs.indiana.edu (victor allan kelson) writes:

> I have recently found the Lenart virus on several machines which I
> commonly use.

Bad luck ;-)

> It was found and removed by Central Point PC Tools for Windows ..

Oh really? (read next quote)...

> We have found that post-cleaning, floppies are unreadable. It
> apparently attaches to the boot sector.

CPAV (of all versions, Windows or not) is known to do that: it alarms on perfectly clean and good boot sectors as infected by all kinds of things, and remarkably enough even "cleans" them (ThTh virus (?)). In most cases the trick works (a useless byte or some are modified in the BS) and the virus is presumably "cleaned"; in other cases like your own... it fails! You know the rest... The funny thing is that most users believe that they really had a virus that "no other Anti Virus found", so this must be a great program. I'm afraid... Hmmm... no, actually I'm happy to tell you that you probably had nothing there, but now you do!

Warm regards
* Amir Netiv.
V-CARE Anti-Virus, head team *

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Sun, 07 Aug 94 11:57:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Help Win 32 Bit File Virus? (PC)

Hi there,

> Help We have been getting an error message when
> starting Windows 3.1 about not being able to start 32 Bit File Access.
> This machine has been running for 8 months without this message.
> It has now jumped to another machine through a bootable diskette.

Some boot sector viruses are known to cause this problem. You may want to try any (good enough) AV program to check your hard disk for viruses. Remember to boot from a clean DOS floppy first.
If you want another assurance for the existence of a boot sector (or MBR) virus on your machine, run CHKDSK and look at the summary: if total memory is less than 655360, it might indicate a virus of this kind.

Last (but not least): Running FDISK /MBR (of DOS 5 or higher) might help solve this situation (beware of this if your disk is not standard DOS).

Hope that helps

Warmly
* Amir Netiv.
V-CARE Anti-Virus, head team *

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: 15 Aug 94 11:32:54 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: ANSI bombs (PC)

as316@freenet.carleton.ca (Michael McGuire) writes:

> I was wondering if anyone knew of a virus scanner/cleaner that
> can clean something called an "ANSI bomb"? I was told that they
> can't be found by most scanners, and I think there's one going
> around my area...
>
> Thanks..
>

Hmmm.. because of their nature, that is almost impossible to do. However, unless you actually need to load ANSI.SYS, remove it from your CONFIG.SYS file, and they can no longer function. Alternatively, there are replacement versions of ANSI.SYS around which do not allow typed text files to remap your keyboard etc. Maybe this would also be of use?

Regards,

Richard Ford
Editor, Virus Bulletin.

------------------------------

Date: Mon, 15 Aug 94 07:41:32 -0400
From: weekh@merlion.singnet.com.sg (Wee Keng Hor)
Subject: McAfee Virus Scan (PC)

Recently McAfee has released 2 kinds of virus scan. Besides the normal scanvXXX.zip, cleanXXX.zip etc., it also has another kind of virus scanning s/w. Can someone tell me what the differences between them are, or are they the same?

------------------------------

Date: Mon, 15 Aug 94 13:49:04 -0400
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Server downing virii - Netware corruption? (PC)

Fabio Esquivel C. wrote:

>In a previous message, Fran Guidry mentioned to have experienced file
>corruption on a Novell Netware with NetShield loaded at the server.
>
>I would like Fran to give more details on how did that happen.

I'm sorry that I'm unable to provide any further details. Perhaps I should not have posted this warning, but the PC support group in my headquarters issued a warning of such file corruption and recommended that the NLM not be used. I have not experienced such file corruption myself, but I have also not used the NetShield NLM on my server.

Fran

------------------------------

Date: Mon, 15 Aug 94 15:09:40 -0400
From: stanr@mdhost.cse.TEK.COM (Stanley E Ridenour)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

jmccarty@spd.dsccc.com (Mike McCarty) writes:

|> What's wrong with selling viruses? So long as the person buying knows
|> what he is getting (no fraud) I see no problem.

What is wrong with selling nuclear weapons to Iran, Iraq, or the IRA? Just as long as they are good, reliable nukes there shouldn't be any objections.

|> Any kid who knows DEBUG can also get a copy of Michelangelo or any
|> other virus just by looking around a little. If it were difficult to get
|> copies of viruses, then nobody would need protection or scanners,
|> because it would be difficult to get infected. Get the drift?

Isn't that the way things ought to be?

|> Until everyone knows how to write a virus, there will be those attracted
|> to the mystique of it. I say publish source for viruses everywhere and
|> make sure everyone can easily get a copy.

The logic of this escapes me. Until every nation knows how to build and maintain nuclear weapons, and can acquire them cheaply, somebody's curiosity is going to get us into difficulty? Maybe we should teach courses in hacking in the schools. Let's publish widely the various security holes in the mainframe operating systems so that people who are *intrigued* by these things won't have to work to get the information. I just can't express how much safer these measures would make me feel :).
|> You sound like some people who, from time to time, decry
|> alt.locksmithing because "someone might find out how to pick a lock".

If everyone is taught locksmithing, of what value is any lock in defending your possessions or your life?

|> So what? You can't suppress knowledge.

No, but you can make it difficult to acquire, and especially for novices and casual users.

|> Anyone who really wants to get a copy of a virus can get one.
|> I got one when I didn't even want it. Cost me
|> many hours of disinfecting.

If we proceed the way you want, you'll get to do a lot more of this.

|> What we need is good antiviral products. We do not need thought police.

That's a defensive posture, like saying that what we all need to do is learn karate and carry guns and everything will be OK. How do I know that some genius isn't going to break through my anti-viral defenses tomorrow? Why should the expense of maintaining AV defenses be mine? This is a hidden tax on all of society.

|> We believe in liberty. We believe in freedom of thought. We believe that
|> individuals have intelligence. We believe that people should be free to
|> learn and use everything there is to know in the universe. We believe
|> individuals should be responsible for their _own_ behavior (and no one
|> elses!).

I believe in liberty, as well, but NOT in the liberty to vandalize the property or data of my fellow human beings. I believe in freedom of thought, also; however, all thoughts are not created equal. It's when those thoughts are put into action that certain lines must be drawn. Learning everything there is to know is OK as long as your motives are not detrimental to your fellow man. Individuals ARE responsible for their own behavior, but a society's job is to protect its members from the rapacious behaviors of the sociopaths within that society.

|> I don't think I like your ideas very much, sir.
|> You remind me of the
|> bureaucratic nonsense over here attempting to suppress pure mathematical
|> research because someone might, just might, use it to create a cypher
|> which the NSA couldn't break.

I don't think that *research* is being suppressed so much as selling the results of that research to the likes of Saddam Hussein.

|> DISTRIBUTE INFORMATION FREELY AND POSITIVELY. HOLD PEOPLE ACCOUNTABLE
|> FOR THEIR OWN ACTIONS.

Distribution of information about how to defend against viruses is not a problem. However, we don't have to hand a mugger the gun with which he will blow our head off!

|> I HATE being attacked by viruses. Let's stop them! But please QUIT
|> TRYING TO SUPPRESS INFORMATION! LET'S SUPPRESS THE PEOPLE WHO
|> DELIBERATELY CREATE AND RELEASE VIRUSES WITH MALICIOUS INTENT!

How are you going to do this without abridging some or all of those *freedoms* you have been talking about? You can control the creation and spread of viruses in only so many ways:

1. Deny people the hardware to make them.
2. Deny people the software to make them.
3. Deny people the access to means to spread them.
4. Deny people the knowledge to write them.

Now which of your freedoms are you willing to lose? Once you leave the door open, you are playing a defensive game of catch-up with the virus writers, with them being one step ahead most of the time. This means that there will always be a group of people losing data, time, and money to viral attacks. The wider you spread the knowledge of writing viruses, the odds against bumping into a sociopath with the desire to acquire the skill-set of Frisk or Vesselin go WAY DOWN. Remember, these people are not stupid; all they need is a little training and they might be able to write something really nasty.

|> What you say sounds like Nazi Germany and Communist Russia to me. There
|> are a few intelligentsia who know how to run the lives of everyone
|> else. They are allowed to collect viruses and thwart them for the rest
|> of us.
|> Oh, by the way, the ones who support this idea always seem to be
|> a part of the intelligentsia, not one of the plebes. BAH!

Sounds like a case of sour grapes to me.

|> Only knowledge and experience can make a person safe from viruses. When
|> we all know how they work then:
|>
|> there will be much less incentive to write them
|> we will be able to protect ourselves from the ones being written

Only the people who write AV software or do AV research have a NEED to know viral code. Whether you or anyone else outside of that community knows a thing about viral code does not make me any safer from viral attack. In fact, it can only get WORSE. The sheer amount of viral code that has been written merely proves this.

- --
Stan Ridenour   | stanr@tekgp4.CSE.TEK.COM
Tektronix, Inc. | Beaverton, OR 97077

------------------------------

Date: Mon, 15 Aug 94 20:47:24 -0400
From: riordan@tmxmelb.mhs.oz.au (Jakub Kaminski)
Subject: Re: Stoned 4 mystery (PC)

Hi,

Almost a year ago we also had a flood of Stoned 4 spreading around Australia. We had been getting quite a lot of nervous phone calls from our customers disappointed that VET couldn't detect it. It turned out that the only product that could find (but not clean :-)) that bug was MSAV!!! Eventually we got a copy of a suspect Master Boot Record and the situation was clarified; no one detected Stoned because there wasn't any. It looked like the hard disk had previously been infected with Stoned but had been cleaned by putting a standard boot procedure in its proper place. Unfortunately, the program (system? person?) who did it didn't overwrite the rest of the virus body (in the usually empty space between a boot procedure and a partition table).
The dead body of the Stoned virus in the MBR was enough to trigger a false alarm by MSAV (don't ask why, but we were not very surprised ;-)). We discovered that the usual trick with FDISK /MBR fixes the Stoned 4 problem (at least on MS-DOS 6.0, which we tested, because we suspect that it can depend on the PC and/or on the release version of DOS). There is only one unresolved mystery: what tool had been used to clean the originally infected disks that didn't overwrite the whole virus?

Regards, Jakub.

riordan.cybec@tmxmelb.mhs.oz.au (Jakub Kaminski)
CYBEC Pty Ltd.                   Tel: +613 521 0655
PO Box 205, Hampton Vic 3188     Fax: +613 521 0727
AUSTRALIA

------------------------------

From: Frank.van.Tol@ctp.nl (Frank van Tol)
Subject: YK2885 What does this virus do ? (PC)

After running SCAN v117 last night I found 25 files infected with YK2885. I couldn't find this virus in the virlist.txt and wonder what it is/does. I traced it back to mouse driver disks I got from my PC vendor, but I want to double check this before I accuse people.

Frank

------------------------------

Date: Wed, 10 Aug 94 11:01:20 -0400
From: gcluley@sands.co.uk
Subject: Re: How to remove FORM from a PC bootsector? (PC)

kabreuer@cip.informatik.uni-erlangen.de (Klaus Breuer) writes:

>Darn! After being extremely careful all this time, I've finally
>caught a virus - ThunderByte v6.20 detects it as Form Virus.
>
>Now this is sitting on my 1.2GB drive - how do I get rid of it
>without a damn reformat? FDISK/MBR does nothing, and the
>Immunize/Clean Bootsector of TB doesn't work either.

1. Cold boot from a clean write-protected DOS diskette.
2. Type: SYS C: at the DOS prompt.

The clean DOS diskette should be the same version of DOS that is on the hard disk. To find out which version is running, type: VER at the DOS prompt.

FDISK /MBR won't work as Form infects the boot sector of the hard disk, not the partition sector (or Master Boot Record - MBR).

Reformatting your hard disk is never necessary.
Regards,
Graham Cluley

- ---
Graham Cluley [gcluley@sands.co.uk]     S&S International PLC
Product Specialist                      Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit         Aylesbury, Bucks HP19 3XU
Tel: +44 (0)296 318700                  United Kingdom

------------------------------

Date: Wed, 10 Aug 94 11:27:55 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

jmccarty@spd.dsccc.com (Mike McCarty) writes:

>What's wrong with selling viruses? So long as the person buying knows
>what he is getting (no fraud) I see no problem.

Well, there is one problem with selling viruses - paying for them encourages development or distribution of more viruses... which leads you to the question whether there is anything wrong with developing and distributing viruses. Opinions on that seem to differ, as Virus-L/comp.virus readers have noticed :-)

>Any kid who knows DEBUG can also get a copy of Michelangelo or any
>other virus just by looking around a little. If it were difficult to get
>copies of viruses, then nobody would need protection or scanners,
>because it would be difficult to get infected.

And do you have a problem with that situation ?

>Until everyone knows how to write a virus, there will be those attracted
>to the mystique of it. I say publish source for viruses everywhere and
>make sure everyone can easily get a copy.

If *everyone* can, *everyone* will ... even mentally unstable people that would spend their time deliberately infecting computers. Is that what you want ?

>What we need is good antiviral products.

Unfortunately, one can argue that the increased number of viruses in circulation will lead to worse anti-virus products... I will be presenting a paper on that subject at a conference later this year.

>We believe in liberty. We believe in freedom of thought. We believe that
>individuals have intelligence. We believe that people should be free to
>learn and use everything there is to know in the universe.
>We believe
>individuals should be responsible for their _own_ behavior (and no one
>elses!).

From the point of view of many non-Americans, it looks like you people in the US seem to concentrate too much on the "rights", and not enough on the "responsibility".... While most virus development in the UK is promptly shut down by the police, no similar action has ever been taken in the US. Why ?

- -frisk

------------------------------

Date: Wed, 10 Aug 94 11:33:33 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Help on Budo Virus (PC)

ibaminformat@ax.apc.org writes:

>Hello,
> I'm looking for in how we finish with the Budo Virus.
> It infected our local network.

Budo ? This is the third report I hear of a big Budo infection, but this is a silly, overwriting virus that should not be able to spread well. Anyhow...

1) Which scanner did you use ? This might be a false alarm... get a "second opinion".

2) As this is an overwriting virus, you have to replace infected files... I hope you have a good, recent backup of your executable files.

- -frisk

------------------------------

Date: Wed, 10 Aug 94 11:36:21 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Mummy Virus (PC)

JUNAIDN@ctrvax.Vanderbilt.Edu writes:

>I have just encountered the Mummy Virus on my IBM PC.

There is no such thing as "the Mummy virus". Mummy is a group in the Jerusalem family, which contains three variants, 1364, 1399 and 1489 bytes long... or at least F-PROT recognizes and disinfects those three Mummy variants.

- -frisk

------------------------------

Date: Fri, 12 Aug 94 20:18:26 -0400
From: Bob Janacek <74431.1646@CompuServe.COM>
Subject: Re: Best Anti-virus software (PC)

Besides F-Prot Professional, you should also look at VirusNet from Safetynet, Inc. It is based on the F-Prot scanner, but adds new DOS and Windows interfaces. The LAN version has software distribution and VERY powerful distributed scheduling.

Bob Janacek     | 1-201-467-1024 | 55 Bleeker Street
Safetynet, Inc.
| 1-800-851-0188 | Millburn, NJ 07041 ------------------------------ Date: Fri, 12 Aug 94 20:18:29 -0400 From: "R. Wallace Hale" Subject: Re: Strange DOS 5.x-6.x behaviour (floppies) (PC) On Thu, 04 Aug 94 12:40:44 -0400 padgett@tccslr.dnet.mmc.com wrote: >Have not found exactly what is happening but it is apparent that some changes >to the code section of a floppy disk boot sector will cause the above >DOS versions to return a "General Failure" on attempts to access the disk. You may recall I was griping some time ago about having to write a utility to clean Stoned.16 from a stack of HD 3.5s. MS-DOS 5.0 was the OS, and DOS couldn't read the infected diskettes and some of the "standard" AV tools couldn't disinfect them. Encountered a similar situation with a Michelangelo infection on another site. You then reminded me about FIXUTIL6 but have had no occasion to use it since that time. Mind you, I'm not complaining. :) >The important element is that the code may be functional and the BPB >information correct, just DOS has a problem. One indicator is that >while DOS will refuse to read the disk, the BIOS has no problem with >it. Seems to be the case in my limited experience. >Such disks may respond well to boot sector repair programs (such as my >FixFBR v1.x or v2.1 - v2.0 has a problem). Yes, even the repair utility I wrote worked. R. Wallace Hale "You can observe a lot just by halew@nbnet.nb.ca watching." BBS (506) 325-9002 - Lawrence Berra ------------------------------ Date: Fri, 12 Aug 94 20:44:49 -0400 From: Bob Janacek <74431.1646@CompuServe.COM> Subject: Re: Network virus protect (PC) If you are happy with the F-Prot scanner, but need more network features, try VirusNet LAN. It's based on F-Prot, but adds the following LAN features: * Software distribution to install/update anti-virus files as well as room for up to 99 other applications, each with up to 1000 files associated with them. 
* Event scheduling - Scans can occur during workstation bootup (daily HD
  scans), network login (memory scan, logout workstation & send network
  message if active virus is found) or from a Windows icon in the background
  (scan server at regular intervals during low use times). Also can define up
  to 100 events such as tape backups, modem transfers, etc.

* Network groups - Up to 100 groups can be defined, each with unique schedules
  and software distribution

* Automatic installation and configuration of VIRSTOP on workstations,
  including command line switches and alert message.

All this is done from a network console using DOS or Windows interfaces. One
program is added to the login script which automates all of the above.

Bob Janacek      | 1-800-851-0188 | 55 Bleeker Street
Safetynet, Inc.  | 1-201-467-1024 | Millburn, NJ 07041

------------------------------

Date: Sat, 13 Aug 94 04:42:46 -0400
From: msmar@olive.mscc.huji.ac.il (marina kaganovic)
Subject: Help < Bad Sectors 1.2 C(Virus) on Novell Netware > !!!!! (PC)

Hello !!!

I have in my Novell Netware one very pretty virus, called Bad Sectors 1.2. I
have tried to kill (clean) him with Unvirus, Vanalyst-3, clean, vshield -
nothing helps. All antiviruses have told me that the virus is removed, but in
a few days I see him again and again. I really do not want to re-install my
Novell. If anybody knows how to fight with this Bad Sectors 1.2 please send me
e-mail:

georg@rubiin.physic.ut.ee
fred@cs.huji.ac.il

Thank U.

------------------------------

Date: Sat, 13 Aug 94 08:26:27 -0400
From: ay736@Freenet.HSC.Colorado.EDU (Vassil Ivanov)
Subject: Re: Rosenthal virus simulator (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

>Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

[stuff deleted]

>> The Virus Simulator MtE supplement virus therefore
>> has both the permission of the user, and the consent of the
>> copyright holder (me) of the host files it modifies.
>
>The Virus Simulator MtE supplement virus therefore provides a
>convenient means to any malicious person to get his very own highly
>polymorphic virus, without having to spend the time to write one. As
>such, your product is *harmful* and you are a shame of the Association
>of Shareware Professionals that you claim to be a member of.

Yeah, and besides that, MtE is copyrighted material, as is clearly indicated
in its docs. It's not shareware, freeware, copyware, vxware,
use-me-to-make-money-ware, or any of that sort. And I don't think that Doren
Rosenthal got any kind of permission from the author(s) to use MtE for profit,
or for anything at all. An ASP member selling stolen software. What a shame
indeed. Can't you people make anything ORIGINAL?

------------------------------

Date: Sat, 13 Aug 94 08:34:04 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Rosenthal Virus Simulator (PC)

datadec@corsa.ucr.edu "Kevin Marcus" writes:

Re: Rosenthal's virus simulation stuff [much clipped]

> How would you suggest he change it
> so that we could all get along?

If it is a virus, then he should not distribute it. If it is not a virus, he
should not pretend that it is suitable for testing anti-virus software. This
is the issue. It is intractable.

> How about, instead of telling him that he is wrong and bad, and he
> shouldn't be doing something, suggest something that would let him
> continue to produce his program, without offending you.

Offending Vess isn't the issue. "Simulated viruses" are a sham, useless for
the purpose they are supposed to serve. Real viruses are viruses. Neither
should be distributed. There is no way to make this "product" acceptable. The
concept is fundamentally flawed.

> Obviously, a
> simulation is exactly that, and could not possibly be a "real test" for
> an Anti-Virus product since the only test that counts is a *real* virus.

Exactly. So the "simulated viruses" are a sham.
Would you buy a word processor that *pretended* to write text to files?

> For example, have you ever seen a test done with "Fake viruses were
> used in this testing" in fine print? Of course not.

Actually yes, there was such a review in a highly respected UK magazine. The
word "fake" was not used, but the test objects were described as
"deactivated" viruses or something of the sort. Crap test of course, half the
scanners found nothing at all.

- --
THE HERO                  SHE FELT HIS CHIN-
WAS BRAVE AND STRONG      THEN WED THE VILLAIN
AND WILLIN'               Burma Shave

------------------------------

Date: Mon, 15 Aug 94 11:54:05 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: New ICARO sites

I am pleased to inform you that now ICARO has two new official distribution
sites, an ftp-site in Sweden, and another ftp-site in Taiwan (our first
distribution site outside Europe!).

SWEDEN:
- ftp.sunet.se:pub/pc/Antivirus/icaro

TAIWAN:
- ftp.cis.nctu.edu.tw:pub/Msdos/antivirus/ICARO

A complete list of all ICARO's official distribution sites is available at our
sites (file SITES.ZIP) or on request via e-mail directly from me.

Every Sysop or ftp-administrator who wishes to become an official I.C.A.R.O.
distribution site can contact me via electronic mail.

Internet: luca.sambucci@ntgate.unisg.ch
FidoNet: Luca Sambucci 2:335/348.6

Best Regards,
Luca Sambucci

Luca Sambucci
Postfach 2006
9001 - St. Gallen
Switzerland
Internet: luca.sambucci@ntgate.unisg.ch
Fido Net: Luca Sambucci 2:335/348.6
Caesar Net: Luca Sambucci 175:391/1.7
* PGP public key available on the public key servers *
"You see but your shadow when you turn your back to the sun" Kahlil Gibran

------------------------------

Date: Sat, 13 Aug 94 08:39:52 -0400
From: Iolo Davidson
Subject: Increased Enrollment at Lehigh (administrative Q&A)

The "Organisation:" line on all comp.virus posts is set to Lehigh University.
On my newsreader this is reported at the top of messages as: "From Iolo
Davidson at Lehigh University". This may give a false impression to new users
of the group.

[Moderator's note: This is due to the fact that all of the messages are first
posted to the VIRUS-L mailing list (which is distributed by
listserv@lehigh.edu); from there, the digests are exploded into individual
postings and then posted to comp.virus. Thus, all of the postings appear (to
the news system) to originate at Lehigh. Yes, there are ways around this, but
they would involve sending all of the relevant newsgroup headers (not just
Organization:) to the mailing list, which I would prefer to not do. I'm open
to hearing better suggestions, though.]
- --
THE HERO                  SHE FELT HIS CHIN-
WAS BRAVE AND STRONG      THEN WED THE VILLAIN
AND WILLIN'               Burma Shave

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 68]
*****************************************
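Editor's worked example for the "Strange DOS 5.x-6.x behaviour (floppies)" thread above, where Padgett Peterson (quoted by R. Wallace Hale) describes diskettes whose BPB is intact and readable via the BIOS but whose altered boot code makes DOS return "General Failure", and notes that boot-sector repair programs fix them. This code is added here and is not from any poster or product in the digest: it parses the BPB of a 512-byte FAT boot sector, checks it for plausibility, and tells a damaged BPB apart from a sector whose code region merely differs from a known-good one. The sample sector is constructed, and the repair strategy (restore jump and code from the reference, keep the disk's own BPB) is my assumption about what such a repair does, not FixFBR's or FIXUTIL6's actual method.

```python
import struct
SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"   # DOS 3.31-style BPB at offset 11, 25 bytes
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "num_fats",
              "root_entries", "total_sectors", "media_descriptor", "sectors_per_fat",
              "sectors_per_track", "heads", "hidden_sectors", "total_sectors_large")
CODE_START, CODE_END = 0x3E, 0x1FE  # boot code after the BPB, up to the 55AA signature

def build_sample_sector(code_fill=0x90):
    # Constructed 1.44 MB FAT12 sector: standard geometry values, filler bytes as "code".
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"       # JMP SHORT + NOP
    sec[3:11] = b"SAMPLE  "          # OEM name (8 bytes)
    sec[11:36] = struct.pack(BPB_FMT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    sec[CODE_START:CODE_END] = bytes([code_fill]) * (CODE_END - CODE_START)
    sec[CODE_END:SECTOR] = b"\x55\xAA"
    return bytes(sec)

def parse_bpb(sector):
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 11)))

def bpb_problems(sector):
    # Plausibility checks; an empty list means the filesystem parameters are sane
    # even if the code region has been tampered with.
    b = parse_bpb(sector)
    problems = []
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors_per_cluster not a power of two")
    if 0 in (b["reserved_sectors"], b["num_fats"], b["root_entries"]):
        problems.append("zero reserved/FAT/root-entry count")
    if b["total_sectors"] == 0 and b["total_sectors_large"] == 0:
        problems.append("no sector count")
    if sector[CODE_END:SECTOR] != b"\x55\xAA":
        problems.append("missing 55AA signature")
    return problems

def assess(sector, reference):
    # "code-modified" is the case described in the thread: BPB fine, code differs.
    if bpb_problems(sector):
        return "bpb-damaged"
    if sector[:3] != reference[:3] or sector[CODE_START:CODE_END] != reference[CODE_START:CODE_END]:
        return "code-modified"
    return "ok"

def repair_code(sector, reference):
    # Assumed repair: take jump and code from the known-good sector, keep the disk's own BPB.
    fixed = bytearray(sector)
    fixed[:3], fixed[CODE_START:CODE_END] = reference[:3], reference[CODE_START:CODE_END]
    return bytes(fixed)
```

On a real diskette the 512 bytes would come from a raw read of head 0, track 0, sector 1, and the reference from a known-clean diskette formatted by the same DOS version.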