VIRUS-L Digest   Thursday, 22 Sep 1994   Volume 7 : Issue 76

Today's Topics:

    Errata corrige
    Infection Lists
    Re: Netcom distributing viruses
    Netcom distributing viruses
    FAQ, posting/mailing, Goldbug
    Re: Re| Viruses = Commercial Opportunity?
    Re: 386/486 virus protection (UNIX)
    Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
    Re: Possible new virus variant (PC)
    Update...WPWIN6.0a and NATAS (PC)
    HELP!! w/ TSR Virus and Stacker (PC)
    Re: XA1 Virus (PC)
    Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
    Can a master boot record be repaired? (PC)
    Virus Source on CD (PC)
    ALERT! Unknown X3A found! (PC)
    Update on BUPT 9146 Beijing (PC)
    Unknown virus (PC)
    Re: Fixing the boot sector of a floppy? (PC)
    FORM (?) virus (PC)
    Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
    HELP with form virus / FAQ (PC)
    Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
    Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
    VET false positive, and help needed (PC)
    Re: 666 virus (PC)
    Re: changing genP/genB virus (PC)
    Re: Fixing the boot sector of a floppy? (PC)
    Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
    Re: Smeg viruses (PC)
    Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
    LRZ in the wild (NYC) (PC)
    Re: Floppy boot sector replacement (PC)
    Re: FORM_A (PC)
    Re: Trashed Floppies (PC)
    Re: XA1 Virus (PC)
    Re: Help need to get rid of Michelangelo (PC)
    Re: GenB Virus - Need Help! (PC)
    Help with trident virus!! (PC)
    Re: [HELP] I Don't know if I have a virus in my computer or not.... (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 25 Aug 94 18:35:37 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: Errata corrige

-----BEGIN PGP SIGNED MESSAGE-----

In the new version of the SMEG Test's results there were some minor typing errors. Nothing bad, of course. They did not affect the Global Results. Here are the corrections:

Queeg:SMEG.0.2

| Antivirus        | Rel.     | Unrel.   | Not      | %Total   |
| product          | Identif. | Identif. | Detected | Detected |
+------------------+----------+----------+----------+----------+
| Findviru 6.6     |   1000   |      0   |      0   | 100.00%  |
+------------------+----------+----------+----------+----------+
| VPCScan 2.94     |      0   |      0   |   1000   |   0.00%  |
+------------------+----------+----------+----------+----------+

Trivia:SMEG.0.3

| Antivirus        | Rel.     | Unrel.   | Not      | %Total   |
| product          | Identif. | Identif. | Detected | Detected |
+------------------+----------+----------+----------+----------+
| F-Prot 2.13a     |      0   |    891   |    109   |  89.10%  |
+------------------+----------+----------+----------+----------+

A corrected version of the test has already been sent to our distributors.

Best Regards,
Luca Sambucci

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLl0YX+ZQNzkHaA4JAQHXzgP/Qys59jW5sYj7Q9zZsfbMzLbpwUBPu2Qg
2q8sknRLnqdteyfM9QuQ5hnFE8ikeIAhkWkTZd5UmxIaZm60FUXSXCSg8u8dLmIT
1cSzjnwaNiXxxauU4uw1jm5gKGd0UWAx0KbXm6py44lFBRIFisb96AtRjmidCN2w
KFZexGJcJgc=
=ajww
-----END PGP SIGNATURE-----

------------------------------

Date: Fri, 26 Aug 94 01:22:05 -0400
From: ygoland@hollywood.cinenet.net (Yaron Y. Goland)
Subject: Infection Lists

I am looking for lists of virus infection frequencies. Basically any lists like IBM's top 10 or Joe Wells' list.

Thanks,
Yaron

-- 
ygoland@seas.ucla.edu        Senior, Computer Science & Engineering
73160.327@compuserve.com     School of Engineering and Applied Science
                             University of California, Los Angeles

------------------------------

Date: Fri, 26 Aug 94 01:53:51 -0400
From: ygoland@hollywood.cinenet.net (Yaron Y. Goland)
Subject: Re: Netcom distributing viruses

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Unfortunately, the 'net is not confined to the United States of
>America, and what Netcom does causes impact to several other
>countries, where actions like that are considered illegal.

I shudder to consider what happens if acts on the Internet must meet the lowest common denominator rule. I could not even be on the Internet as I am a Jew and several Islamic countries proscribe second class citizenship for Jews (it's all in the Koran). The fact that I am an Israeli on top of that only makes things so much the worse.

Because viruses are basically text, any licensing of their distribution is the equivalent of licensing freedom of speech. It is easy to license people's right to drive as a physical object is involved. But viruses are nebulous entities whose very definition has caused years of acrimonious debate. It seems simple to say 'anyone who releases a virus to an irresponsible person should be held legally liable' but its practical effect is horrifying. It means that every time one utters a phrase or a word one is put in very real jeopardy of being legally liable beyond the usual liabilities for uttering falsehoods. Your own article on integrity checkers gave me several ideas on virus design; if I actually designed and released a virus based on your comments, should you be put in jail?
Yaron

-- 
ygoland@seas.ucla.edu        Senior, Computer Science & Engineering
73160.327@compuserve.com     School of Engineering and Applied Science
                             University of California, Los Angeles

------------------------------

Date: Fri, 26 Aug 94 05:04:39 -0400
From: rreymond@VNET.IBM.COM
Subject: Netcom distributing viruses

Vesselin wrote:

>Unfortunately, the 'net is not confined to the United States of
>America, and what Netcom does causes impact to several other
>countries, where actions like that are considered illegal.

Hmmm... This is an interesting point. I think the solution rests in individual responsibility, and it cannot be elsewhere.

In fact, as an example, I know that distributing viruses (if I'm right, "with bad intent") is an illegal activity now, here in Italy. But, as far as I know, nothing forbids me to connect to some net and get whatever I want (or can find) there. That stated, it's my own responsibility what use I am going to make of what I downloaded.

I believe it cannot be otherwise because, if not, I cannot see other actions than closing the net, or at least filling it with gateways/controls/locks etc., 'cause the net is broad, and who can ensure there's nothing around that, somewhere in the world, would be considered illegal or unethical or so? Since a locked net will soon be useless/unused, only one solution remains, IMHO.

.............................................Bye!
..................................................Roberto

-----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond           IBM PSP - Computer Emergency Response Team Italy
RREYMOND@VNET.IBM.COM     Circonvall. Idroscalo
RREYMOND at VNET          20090 Segrate (MI)
ITIBM99K@IBMMAIL.COM      MI SEG 526 Italy
.........Phone +39.2.596.25244   Fax +39.2.596.29587..............
***********************************************************************
* "Another one bites the dust!", Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Fri, 26 Aug 94 06:31:07 -0400
From: perry@garfield.hacktic.nl (Perry Rovers)
Subject: FAQ, posting/mailing, Goldbug

[Look, no VIRSIM subject ;-) ]

[moderator's note: THANK YOU!]

From: VIRUS-L Digest Thursday, 25 Aug 1994 Volume 7 : Issue 74

>Date: Mon, 22 Aug 94 09:11:18 -0400

Note: >  == bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Note: >> == Mike McCarty (jmccarty@spd.dsccc.com)

>=> A4) What are the guidelines for VIRUS-L?
>=>
>=> The list of posting guidelines is available by anonymous FTP on
>=> cert.org. See the file pub/virus-l/virus-l.README for the most recent

corsa.ucr.edu? Probably still on ftp.cert.org, but the header of this Digest says corsa.ucr.edu.

[Moderator's note: The primary archive is corsa.ucr.edu.]

>=> copy. In general, however, the moderator requires that discussions
>=> are polite and non-commercial. (Objective postings of product
>=> availability, product reviews, etc., are fine, but commercial
>=> advertisements are not.) Also, requests for viruses (binary or
>=> disassembly) are not allowed. Technical discussions are strongly
>=> encouraged, however, within reason.
>
>Elementary politeness requires that you read the FAQ of a newsgroup
>before posting there.

This discussion seems to be an extra reason to make sure every first reader or poster to comp.virus/Virus-L gets the FAQ mailed to him/her first (either upon subscription or when first posting to the group).

The 'within reason' bit seems to apply to the following:

>> Get a grip, Vesselin.
>
>I am *very* tempted to reply with "Get a life, Mike" to this, but I
>won't...

This part seems to be an incentive to start an e-mail discussion or a mike-vs-vess list instead of continuing here :)

--------------------------

>Date: Mon, 22 Aug 94 09:12:09 -0400
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>Subject: Re: A new virus? (PC)
>
>Eric Hilton Jones (ehjones@whale.st.usm.edu) writes:
>
>> 1. Is undetectable using McAfee (2.10, 1.17, 1.13), MSAV 6.22,
>> F-prot(late july).

[rest of description deleted]

>Indeed, sounds like a virus. I suggest that you send one of those new
>files that are created in the place of the originals to some
>anti-virus researchers, and especially to the producers of the
>products that have failed to detect the virus.

I'd be very interested in seeing a scanner that can find this virus (probably out by the time this reaches the list anyway). Is this the same thing as the Goldbug virus that some person from Datafellows mentioned?

-- 
Perry Rovers - Maintainer Anonymous FTP FAQ and Sitelist
Home: Perry.Rovers@garfield.hacktic.nl
Attention: will change to Perry.Rovers@garfield.xs4all.nl starting 1-Sep-94
Work: Perry.Rovers@kub.nl

------------------------------

Date: Fri, 26 Aug 94 16:11:54 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re| Viruses = Commercial Opportunity?

Kevin Marcus (datadec@corsa.ucr.edu) writes:

> >that. Also, could you please list the infection methods that the
> >generic repair is able to repair - then I'll list you several more
> >that it isn't able to repair...

> I am referring to an extremely high percentage of detection with it, probably
> between 95 and 100% if the scan was done from a clean disk with the virus
> not in memory.

Please explain where you got those figures from. How many viruses did you examine? Which ones? How many of them used *different* infection methods?

> Repair is not quite as high with *INOCULATION*. I would put it probably
> around 80%.
Again, I am afraid that this figure (80%) is "sucked from your fingers", as we say in Bulgaria. Please provide the methods you have used to obtain it.

> The infection methods which NAV's innoc will take care of include the
> generic appender for both .COM and .EXE's, any boot or MBR infector,
> as well as prependers.

Generic repair of boot sectors, if you have a copy of their uninfected state and always boot clean before attempting the repair, is indeed always possible. So, let's concentrate on the files. So far you have listed *two* techniques - prependers and appenders. I can easily list half a dozen other infection techniques. Do you mean that NAV's "inoculation" (i.e., integrity checking and generic repair) is unable to handle them?

> This is 80 or more % of known viruses.

Where are you getting those figures from?! There are more than 4,600 known viruses - have you *really* analysed and tested 3,680 of them? Besides, this is irrelevant; see below.

> While it
> is true that it won't take care of, say, an improved overwriter, or an
> overwriter, or maybe ten or fifteen other methods,

Yep, I believe that 10 to 15 other infection techniques is the correct number. So, NAV won't be able to handle them, right?

> these methods
> are not used by very many viruses.

Yet.

> So while you might be able to mention
> many methods that it can't perform *repair* on, (even though you'd advocate
> that it is better for restoration from backups and you shouldn't use
> repair at all, right?), there are currently few viruses doing it, so it is
> not as big a concern.

You are wrong. Actually, this is a very serious delusion, which I have often seen made by the companies who sell generic but not very secure forms of anti-virus protection, so I'll try to explain here what the problem is.

You see, the question "how many known viruses does this product detect/repair/etc." is relevant only to *scanners* - because they are virus-specific. It is not a relevant question to ask about *generic* anti-virus protections like monitoring, integrity checking, heuristic analysis, etc. - because those defenses are not designed against particular viruses; they are designed against viruses in general. The correct question to ask in this case is "how many kinds of attacks against this kind of anti-virus software does this anti-virus program withstand?". In the case of an integrity checker those are the attacks against integrity checkers, described in my paper. In the case of generic repair, this is the kinds of different infection methods. In the case of monitoring, this is the different methods for tunnelling.

Let me stress it again - it is not important how many existing *viruses* a generic protection protects against. What is important is how many different *types* of attack it protects against. The reason is that, unlike scanners, the generic anti-virus protection products are not supposed to be updated every now and then when a new virus pops up. Therefore, they are supposed to deal even with the viruses that do not exist yet - the viruses of the future. Actually, this is almost always mentioned in the ads for such programs - "detects known and unknown viruses", "detects present and future viruses", and so on. If one such product gets widely used and somebody finds *one* type of attack that can bypass it, then *hundreds* of viruses will be written that will exploit this attack.

A typical example is CPAV/MSAV. Since MSAV was included with MS-DOS 6.0, and since there are some very simple ways to bypass its generic protection mechanisms (the integrity checker and the monitor), dozens of viruses were written that exploited those simple attacks.

So, to the point. Don't tell me how many *viruses* NAV's integrity checker protects against. This is irrelevant. Tell me how many *types* of viruses it protects against. You shouldn't measure a generic protection by the means of measuring a virus-specific one.

> And, so you know, I'm getting my figures from viruses that I have seen.

How many and which ones?

> Why don't you tell me how accurate they are.

Because I do not know. I have not analysed all those 4,600 viruses in my collection and I do not want to "suck numbers from my fingers". Besides, as I explained to you above, it would be pointless.

> Have you done any tests there
> at The Virus Test Center on NAV's inoculation techniques to see how many
> viruses it can detect and remove accurately?

No. We are not ready yet to test integrity checkers. However, I have enough experience with integrity checkers and from what I have seen NAV's integrity checker do, I can claim that it is not secure. You are free to believe me or not - and I do not have numbers to back up my claim. However, if you list exactly the methods used by NAV for virus detection and repair, I'll be able to list several methods of attack that it will not be able to deal with - all of them picked from existing viruses.

> I don't know why you are not happy with the term Inoculation.

Because it is misleading. This term is usually used in the anti-virus industry to name the kind of virus protection achieved by appending a small piece of code or data to the objects that are being protected. Since NAV does not do this (thank God, because it is a Bad Idea), I find that the term is misleading. As you might have noticed from my posts in this forum, I am not happy with misleading things, especially in an area where there is a lot of confusion already.

> If you'd
> prefer, I'll use "Virus Sensor Technology", like it says on the box.

That would be equally misleading. The correct way would be to call it "integrity checker", which it actually is.

> Besides,
> using Vesselogic, you end up seeing that you can't give a name to a concept,
> for example, the absurdity that Calculus is just a misnamed math class
> occurs, which isn't wholly true.

"Calculus" is an established term to call an area of mathematics. It would be misleading to call it something else. Likewise, integrity checking is an established term in virus protection and it is misleading to call it "inoculation", "virus sensor", or whatever other sexy name the marketing department of Symantec comes up with.

> Let's, for the sake of the matter, say that NAV's Inoculation is not secure.
> Would you please tell me how many viruses you have seen take advantage of
> this with *NAV* and no other product?

First, as I explained above, I cannot answer the question "how many *viruses*", because I don't know, and strongly suspect that you don't know either. Second, as I explained above, this question does not make sense in this particular case.

> What would you suggest should be done to make it more secure?

As a beginning, one should be able to checksum the whole files. Also, the checksum algorithm should be somehow seeded so as to produce different checksums for the different installations - even if one and the same file is checksummed. It should also be modified to withstand the attacks mentioned in my paper about the attacks against integrity checkers. There are *many* other things that have to be improved. I suspect that this cannot be done without serious re-designing of the integrity checker. Of course, I cannot provide a short answer here - if Symantec are interested, they should contact me, make an interesting offer, provide full details about the current mechanisms used by the integrity checker and then I could tell them what exactly is wrong in it and how it can be improved. However, I can tell from experience that Symantec is unlikely to listen to my suggestions.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:40:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 386/486 virus protection (UNIX)

GARY K BARNES (gkb@aber.ac.uk) writes:

> Shouldn't that be _any_ low-level formatted floppy, regardless of
> file-system, that has _ever_ been used in _any_ DOS machine? I'm

It depends on what you mean by "low-level formatted". As a rule, if you are able to read the floppy with INT 13h calls, then it is infectable and can be infective, regardless of whether it is DOS-formatted or not.

> pretty sure that some boot-sector viruses aren't gonna be too fussed that
> your floppy has, say, a minix filesystem on it...

Minix - probably, yes. However, I am pretty sure that diskettes formatted for Apple ][+ will not be infectable on an IBM PC.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Thu, 25 Aug 94 10:25:35 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

----------------------------------------------------------------

Dr. David B Hull (dhull@nunic.nu.edu) writes:

> In particular, Rosenthal Engineering's Virus Simulator does a
> reasonable job and I have used it repeatedly in teaching anti-virus
> and computer security tactics.

Vesselin Bontchev (VB) writes:

>It is a very misleading product and the fact that it has succeeded to
>mislead you shows how harmful it can be.

Not at all. Dr. Hull is using my Virus Simulator for exactly the intended purpose it is designed to perform.

(Dr. Hull)
> It allows students to actually detect a "virus" and get the feel
> of the various scanners on the market.

I saw Virus Simulator being used by several anti-virus product suppliers to demonstrate their software on the convention floor of the last COMDEX show I attended. It was quite dramatic, and very effective.

(VB)
> What you need, is to design a good, well-organized,
> hands-on course with real viruses, in a strictly controlled
> environment. We are providing such experience to our students and
> several anti-virus companies (S&S International and Sophos, for
> instance) offer such training courses.

(Dr. Hull)
>For $25 for a single user license; it is a lot nicer than the
>FORM virus I used to use for training - and lets you sleep at
>night too.

Virus Simulator has been in general use now for some time without difficulty. Registered users receive their copy directly from Rosenthal Engineering, in a mailer with a special seal bearing the words "Tamper Resistant". Users of my product enjoy a comfort level that a captured wild virus cannot provide. These simulations are run safely on real world systems in homes, schools and offices that are also used for other more general purposes as well. The samples have proven to be not only safe and controlled, but very effective for demonstrations. They will not contaminate any programs beyond the samples I provide especially for that purpose.

(VB)
> As I mentioned above, Rosenthal's so-called
> "virus simulator" generates mostly non-viruses. With one exception.
> The registered version of the simulator comes with two live, MtE-based
> real viruses. You have to exercise on them the same kind of care that
> you do with other real viruses - to prevent your students from
> accidentally releasing them, or from knowingly stealing them,
> modifying them, and using them for some malicious purpose.

These precautions seem excessive, as the samples will not infect any files but those generated internally.
The virus first checks its own integrity, that of its special dummy host file, and clearly displays its intention and origin. Accidentally releasing these viruses has not been a problem.

(VB)
> Well, since you have to do this anyway with any real virus, why should
> you pay for Rosenthal's simulator?

When a user elects to register my shareware Virus Simulator, they receive a copy of the current version and, as a registration incentive bonus, all the supplements are included at no additional charge. These are not a collection of someone else's viruses of questionable origin. You get them directly from a known author who has designed them for a legitimate purpose and can vouch that they are safe, harmless and controlled.

(VB)
>You mean, to use it as some kind of "self-test" or "installation
>check" of the scanner? It's not a bad idea to have such a possibility,
>but it must be implemented by the producer of the scanner, because
>they know best how their product works. For instance, the manual of Dr.
>Solomon's AVTK specifies a text string that you can put in a file.
>When this file is scanned, the scanner displays a message that this
>file contains the test string designed to check whether the detector
>is working. F-Prot has such a utility to check whether the memory
>resident scanner is active. SCAN has something like that, called
>ChkShield, if I remember correctly.

Yes. The value of bait or simulations to confirm that an anti-virus product is being employed correctly is quite well demonstrated. Many anti-virus products now also support Virus Simulator by identifying the samples as "Virus Simulations from Rosenthal Engineering" or words to that effect. This after all is exactly what they are, and Virus Simulator has established itself quite well as an important anti-virus tool and the de facto independent product for this purpose. Any anti-virus product producer who wishes to include detection of my simulations in their product is welcome to contact me and can count on my cooperation.

Doren Rosenthal, member ASP & ASAD
as194@cleveland.freenet.edu
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
-------------------------------------------------------------

------------------------------

Date: Thu, 25 Aug 94 12:43:17 -0400
From: Mikko Hypponen
Subject: Re: Possible new virus variant (PC)

Brian D Stark (stark@iastate.edu) wrote:

> I've recently come across what appears to be a new virus variant.

All your symptoms (first hard drive missing when booting from a floppy; new, extensionless companion files created; error messages and CMOS failures happening when executing anti-virus products; strange allocations in video memory etc) match the Goldbug virus. See my other message about this virus in VIRUS-L digest #72.

> It's difficult to say which file originally carried the virus, so it's
> difficult to clean up the system.

Well, at least this virus was distributed in a pirated copy of a DOOM beta version during June/July 1994.

-- 
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Check out our WWW site at http://www.datafellows.fi/

------------------------------

Date: Thu, 25 Aug 94 13:17:47 -0400
From: byoon@eniac.seas.upenn.edu (Baryn Yoon)
Subject: Update...WPWIN6.0a and NATAS (PC)

After calling around, WordPerfect didn't seem to be too interested in what we had to say. It is possible that Vi-Spy is detecting it incorrectly. Other people have confirmed that Vi-Spy detects NATAS on WPWIN6.0a files on Install Disk 5. Can anyone verify whether Vi-Spy is "flaky" or if WP is at fault? Thanks.

- baryn yoon

------------------------------

Date: Thu, 25 Aug 94 13:18:09 -0400
From: bbecke1@umbc.edu (Bryan M. Becker)
Subject: HELP!! w/ TSR Virus and Stacker (PC)

Can someone please help me? I have Stacker on my hard drive. I also have the Liberty Virus there too. The Liberty Virus is a TSR virus that affects .com and .exe files when they are executed. If I boot from a disk without the Stacker driver, I can only see some of my hard drive. So I need the driver to see all of the hard drive. When I boot from the disk Stacker must swap drives. Now the virus is loaded into memory and I haven't done anything. I run scanners from my floppy and it tells me that a virus is loaded into memory. I have no idea what to do. I've tried everything I can think of!! Can anyone please help?

Thanks so much,
Bryan

***********************************************************************
Bryan M. Becker                          E-Mail : bbecke1@gl.umbc.edu
University of Maryland - Baltimore County -> Retrievers
***********************************************************************

------------------------------

Date: Thu, 25 Aug 94 14:17:48 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: XA1 Virus (PC)

dmill05@aol.com (DMILL05) writes:

>I recently found an XA1 virus on a laptop at work. It was attached to a
>windows swap file 386spart.par. Does anyone have any information on what
>this virus does and what damage it causes?

Considering that this file should only infect normal COM files, I would say that finding it only in this particular file probably indicates a false positive.

The virus, by the way, is 1539 bytes long, overwrites the beginning of COM files and places the overwritten code at the end.

-frisk

------------------------------

Date: Thu, 25 Aug 94 14:58:04 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:

>I'm sorry, but I do not make the source code or MtE engine
>available without my built-in safeguards.

Unfortunately, your safeguards are worthless. Any decent assembly-language programmer can easily remove them, and create a fully working virus, without your restrictions.

-frisk

------------------------------

Date: Thu, 25 Aug 94 16:03:52 -0400
From: kauf0026@gold.tc.umn.edu (Peter Kauffner)
Subject: Can a master boot record be repaired? (PC)

Hi!

I have a virus infection which F-Prot detects as "Stoned.NoInt.A". McAfee detects it as "NO INT". Norton said it was a Chinese something or other. I'm now using McAfee's SCN-210E to disinfect my floppies, and that seems to be working OK. But earlier I was using CLEAN117, which made two of my floppies unreadable. (I assume it destroyed the master boot record.) This is my first experience with an infection, so I foolishly didn't back the disks up before disinfecting. My question: is there any way in which this type of problem can be repaired?

I haven't noticed any virus symptoms yet, even though the virus must have been in my machine for at least a month or two before I discovered it. Does anyone know what the symptoms of this particular virus are? My operating system is DR DOS 6.0.

Finally, I was wondering where I might have picked this virus up. The only exposure to unscanned files that my PC has had in the last several months is JPG and GIF files downloaded off of Usenet. Is this a possible source of infection?

Peter Kauffner
Minneapolis, Minnesota
kauffner@mermaid.micro.umn.edu

"Why me!" said Nancy Kerrigan lamely.
"We didn't inhale," said Bill and Hillary jointly.

------------------------------

Date: Thu, 25 Aug 94 17:03:51 -0400
From: roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag)
Subject: Virus Source on CD (PC)

* In a message to All on 08-19-94, Mike McCarty said:

MM> @SUBJECT:Re: Virus Source code on CD ROM? (PC)
MM> I have no problem with people growing, investigating, and selling
MM> viruses which cause human diseases. Do you?
MM> I do have problems with people growing and spreading viruses with the
MM> intent of causing disease. This is and should be a crime.
MM> I have no problem with people growing and investigating, e.g. HTLV III
MM> virus. I have a real problem with members of ACTUP intentionally
MM> attempting to spread this virus.
MM> Very different things.

But from what I've seen, you support that data viruses should be distributed freely. Do you support distributing viruses which cause human diseases to the general public?

RogEr
-=-=-=[ roger.ertesvaag@thcave.bbs.no ]=-=-=-

---
 > SPEED 2.0b #1486 > Engineers never die - they just lose their tolerance.
----
+-----------------------------------------------------------------------+
+ Thunderball Cave BBS +47 2256 7018 / 2256 8809 (USR V.FC / V.FAST)    +
+ -- thcave.bbs.no -- Oslo Norway --                                    +
+-----------------------------------------------------------------------+

------------------------------

Date: Thu, 25 Aug 94 18:07:50 -0400
From: schoew@urvax.urich.edu
Subject: ALERT! Unknown X3A found! (PC)

I manage 6 computer labs at a university. I've found a virus that the very, very latest versions of F-PROT and McAfee can recognize but cannot clean. It's called X3A. It's in memory and is found when scanning the master boot record. If anyone knows anything about it, e-mail me directly with any info, preferably a cure. 10% of my machines have it and classes start Wednesday...

Infectedly Yours,
John

------------------------------

Date: Fri, 26 Aug 94 03:03:19 -0400
From: eng30424@solar.cc.nus.sg (TAN SIEW WU)
Subject: Update on BUPT 9146 Beijing (PC)

So far we (my friends and I) haven't found out where the virus came from, but we managed to get rid of it from our system. We used debug to check the memory and the partition table of the hard disk and we found out that the virus actually resides on the partition table, and when we boot from the hard disk, two kilobytes of conventional memory will be missing (shown by the DOS mem command). Booting from a clean floppy disk will give all 640k of conventional memory available.
The number 637k of conventional memory reported by mem.exe (3k missing) was because 1k was used to store BIOS information. After we used MemMaker, we managed to get back 640k. Somehow DOS fdisk does not write to the whole partition table, and the virus resides in the area that fdisk does not overwrite. When we found out what happened, my friend used debug to write some assembly code to fill the partition table with zeros. After that we retried with fdisk and formatting the hard disk, and the virus was gone. Also we could get Windows for Workgroups 32-bit disk access. Later we found out that there is an option for fdisk, i.e. fdisk /mbr, but we didn't try it and don't know whether doing that will get rid of the virus or not.

As for anti-virus programs, we tried scan 117, McAfee's new generation scan 210e and f-prot version 2.13a. None of these detects the virus. (Maybe they do not check the partition table????)

|----------------------------------------------------------|
| Tan Siew Wu                                              |
| Department of Electrical & Electronics Engineering.      |
| National University of Singapore.                        |
| Email address :- eng30424@nus.sg                         |
| Term address :- Raffles Hall, Kent Ridge Crescent,       |
|                 Singapore 0511.                          |
|----------------------------------------------------------|

------------------------------

Date: Fri, 26 Aug 94 04:47:56 -0400
From: walter3@netcom.com (Walter Emil Teague III)
Subject: Unknown virus (PC)

Help! A friend used the kid's computer to download some stuff from the net, and I think that he brought a virus with it. When we now boot up, the computer asks where the command interpreter is. Usually, we typed it in, and then we could go on. I also ran DOS 6.2 MSAV and noticed that many of the .com files in DOS had been altered. I replaced the DOS, I replaced the io.sys, msdos.sys, and the command.com, but that didn't help. I tried changing the attributes, but that didn't help. I seemed to be rid of it after I removed my autoexec.bat file.
I transferred the contents to another file, deleted the autoexec.bat file, and renamed the other file autoexec.bat. Then, I tried to defrag my drive using ORG 25, which I have used for years, and up popped my problem again. I remember the friend saying that he started to get problems after defragging the drive. MSAV doesn't detect anything, but something is there. I want to use McAfee 9.30 V117, but I don't seem to have the virus scan part, only the clean part, which requires that I know what I'm trying to clean. Does anybody have any ideas? I'm looking at wiping the drive, otherwise.

BTW, one program, QMODEM, started to not work, so I deleted it and put in another copy. Obviously, this was a link in the chain.

Thanks.
Walt.

------------------------------

Date: Fri, 26 Aug 94 09:29:48 -0400
From: duplain@btcs.bt.co.uk (Andy Duplain)
Subject: Re: Fixing the boot sector of a floppy? (PC)

Vesselin Bontchev wrote:

> >> char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
>
> Hmm... short, but not very portable. Assumes a computer with ASCII
> charset. :-) How about the slightly longer
>
> #define y(x)char*s=#x;x
> y(main(){printf("#define y(x)char*s=#x;x\ny(%s)\n",s);})

Nice code frags; but the second is even less portable as it assumes an ANSI compiler.

--
Andy Duplain, Syntegra, Brighton, UK. duplain@rtf.bt.co.uk
#define DISCLAIMER "My views and opinions are my own, and not my company's"

------------------------------

Date: Fri, 26 Aug 94 09:29:40 -0400
From: petrini@di.unipi.it (Fabrizio Petrini)
Subject: FORM (?) virus (PC)

Hi everybody! I hope some gurus out there could help me. I am in big trouble. My 486 has been contaminated by a virus called "FORM" (at least I suspect this is its name). I can boot using a floppy disk, and the hard disk is not recognized any more. Running SCAN v2.0.2 I didn't get any positive results. Fdisk tells me that there are 4 partitions, 3 of them non-DOS, while there should be just one partition.
What can I do to find my lost data? Are there other virus scanners (if possible, public domain) that I can use? Is there a VIRUS-FAQ that I can read, somewhere?

Thanks for your time and consideration

Fabrizio Petrini
Dipartimento di Informatica
Universita' di Pisa
e-mail: petrini@di.unipi.it

------------------------------

Date: Fri, 26 Aug 94 07:12:33 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

-----------------------------------------------------------

Mike McCarty writes:

> Furthermore, I believe that the charter (if it indeed forbids offering
> virus material, I haven't seen the charter) should be changed.

Iolo Davidson responds:

> You will be outvoted. By Doren Rosenthal, for one. Why would anyone
> buy his simulated viruses if they could get the real thing for free?

Two points. First, who and what I vote for is for me to say, not you. Second, most of my registered users are government, military, institutional and corporate users who already have captured viruses and prefer to use my safe Virus Simulator.

Doren Rosenthal
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406

-------------------------------------------------------------

------------------------------

Date: Fri, 26 Aug 94 10:54:56 -0400
From: walts@gate.net (Walter Scrivens)
Subject: HELP with form virus / FAQ (PC)

I recently had an infection of the Form virus on some workstations on my LAN. We cleaned it, and several weeks later it reappeared (and has been cleaned again). Can someone point me to a source of information re: propagation of this virus, and possibly the location of a FAQ on the subject?

Thanks,
Walt Scrivens

------------------------------

Date: Fri, 26 Aug 94 07:16:25 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Quoting from the Virus Simulator documentation:

> products, on their own systems, without using live ammo.
> The simulator's ability to actually test products exhaustively is limited. That's why
> Rosenthal Engineering maintains a very comprehensive collection of real
> sample viruses for testing at our facility.

Frisk writes:

> Yeah, sure...hundreds of viruses, I'm sure...

Well Frisk, although the cataloged, organized and verified portion of my collection is nowhere near the extent of your collection, it is substantial and quite adequate for my needs. Further, my collection is totally independent and not subject to the controls of CARO or any anti-virus product supplier. For a description of my collection as it appeared 9/93 please refer to the documentation in my Master Disk program (MASTER20.ZIP) on the current ASP CD-ROM and elsewhere.

Mike McCarty writes:

[stuff deleted]
> This is a very
> pejorative and unworthy personal attack, completely without foundation.
> What -evidence- do you have that Rosenthal uses such BBS's?

Vesselin Bontchev responds:

> First, I didn't claim that he "uses such BBS's", did I? Second, yes,
> incidentally I happen to know that he *is* involved in virus exchange
> and has been even quoted as "maintaining" the virus collection of
> another collector from Slovakia.

Now, gentlemen, by "collector" I must assume you are referring to the very highly respected researcher from Slovak Technical University Dr. Peter Hubinsky and his capable assistants at the Slovak Anti-Virus Research Center who reviewed my collection last year. I personally verified his credentials by letter from Dr. Milan Zalman, the department head for the department of automation, faculty of electrical engineering. Dr. Alan Solomon also wrote highly of Dr. Hubinsky by letter to me.

My independent, verifiable and audited virus collection is maintained for legitimate purposes. Once again, I find your insinuations uncalled for and insulting. But mostly just disappointing.
Doren Rosenthal

--------------------------------------------------

------------------------------

Date: Fri, 26 Aug 94 07:18:26 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

-----------------------------------------------------------

Iolo Davidson writes:

> Oh, I see! Triggers *detectors* not scanners. I wonder what kind of
> *detector* would trigger when it found a virus "signature" in a file. I
> guess it would be the kind of detector that searches through a file
> looking for "signatures". Sort of like a primitive scanner does.

There are a number of virus detectors of which scanners are only one type. Some programs like Ross Greenberg's Flu-Shot work by monitoring the activity on your system. Virus Simulator produces some very suspicious activity that sets off these types of programs. For example, the memory simulation puts a very suspicious program in memory. The boot sector simulation actually overwrites the boot sector on the test diskette. The supplement "B" boots through from the floppy and lets your system load off the hard drive, leaving a very suspicious program in memory. The simulated virus attempts to hide its location by not reporting the memory it occupies. The supplement "C" has hidden files that rename themselves and take on a companion file name. Programs like InVircible have no difficulty in reporting this very suspicious activity even without known scan signatures.

Other types of anti-virus products record the size and checksum of files, then later verify their integrity. Virus Simulator modifies files and the floppy disk boot sector. It is quite capable of setting off most detectors that report this (and other) suspicious activity by design.

> Not that viruses have signatures, of course. The use of this word
> betrays a vast lack of comprehension about how viruses are found in
> files, by *detectors*, scanners, or whatever.
> What an anti-virus
> scanner looks for to find a virus depends on the choice of the person
> who wrote the scanner. There is no one set search pattern used by
> every AV scanner. Anyone who thinks you can take "the signatures (only)
> from real viruses" is fundamentally confused about the entire issue, and
> cannot be relied upon to say anything sensible on the subject.

Well clearly Virus Simulator does much more than just provide known signatures. Additionally, I think I've demonstrated at least some modest understanding of what it takes to set off anti-virus products.

> In fact useless for the purpose for which it is sold. This is actually
> a breach of Trading Standards regulations in Britain.

Well now, this is just not reality and it keeps coming up all the time. Virus Simulator is quite popular in the UK as it is elsewhere. I've contacted Scotland Yard several times and nobody has ever complained. In fact, government, military and institutional users and corporations are my best source of satisfied users.

> Furthermore, promoting this stuff as a test standard maligns
> Anti-Virus software which correctly identifies the non-virus
> simulation files as not infected.

This is certainly unfortunate and I'm willing to cooperate with any anti-virus product producer that wishes to participate. Simply identify the simulations as what they are: "Test Simulated Viruses From Rosenthal Engineering." Surely this is exactly what they are, and who could fault anyone for detecting them as that.

>> Many anti-virus product producers appreciate the ability to
>> work with Virus Simulator and have made efforts to be compatible.

> Sounds like some vendors are afraid that if they don't detect
> viruses where there aren't any, the dummies who use your
> simulator will think their AV is no good. I would rather educate
> the dummies than cooperate with the deception.

I'm sure the "dummies" you guys educate will appreciate your enlightening them.
Frankly, I don't believe everyone who disagrees with you (or me for that matter) is a dummy.

Doren Rosenthal
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406

-----------------------------------------------------------------

------------------------------

Date: Fri, 26 Aug 94 11:58:25 -0400
From: "A.APPLEYARD"
Subject: VET false positive, and help needed (PC)

(1) VET_RES, installed on one of our PC's that has DOS 5, thinks that (any floppy formatted under DOS 6) has an infected boot sector. That is a nuisance.

(2) Please, someone send me, or tell me where or how to get, help on what the various optional parameters of VET.EXE are and what they do. The files that come with VET say absolutely zero about it.

------------------------------

Date: Fri, 26 Aug 94 11:34:13 +0000
From: c9419008@alinga.newcastle.edu.au (Brainy Smurf)
Subject: Re: 666 virus (PC)

Philip Kremer (pkremer@epas.utoronto.ca) wrote:
: I'm sure that I have a virus, since two of my jpegs were ruined, and
: since, while I was using WordPerfect, I got "666" on my screen. But
: McAfee's virus-scan software won't detect it. Can anyone suggest
: other virus-scan and virus-clean software?
: Thanks,

Why not try Thunder Byte?

--
Edmund

------------------------------

Date: Fri, 26 Aug 94 15:38:19 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: changing genP/genB virus (PC)

Jay_Leiser (jayl@dorsai.dorsai.org) writes:

> McAfee cleaned it up and the client had to re-format their hard drive.

Uhm, sorry, but I do not understand - if McAfee's program has cleaned the virus - why did you have to re-format the hard disk? Or was the removal unsuccessful - e.g., did it corrupt the hard disk?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 15:43:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fixing the boot sector of a floppy? (PC)

Iolo Davidson (iolo@mist.demon.co.uk) writes:

> > We agree again. It should not be hard to write a utility which would
> > read the boot sector off any cleanly formatted disc, fix up the BPB part
> > of it and write it to the disc to be "disinfected". Maybe I'll do it.

> Been done. Dr. Solomon's has had a utility to clean floppy boots for
> years.

Uhm, sorry Iolo, but Dr. Solomon's utility does not do *that*. Instead, it overwrites the boot sector of the floppy with a non-bootable sector with the correct BPB, thus making the floppy non-bootable. True, in most cases this doesn't matter; however, if such a capability existed in the system software (SYS is the right program to do it), then even this minor inconvenience wouldn't exist.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:00:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> Although my Virus Simulator is clearly an anti-virus product
> designed to assist people to better defend themselves against
> viruses,

You are wrong. Your "virus simulator" is clearly NOT an anti-virus product and it does NOT assist people to better defend themselves against viruses.
The only thing your product is capable of doing is to show how false positives could trick a scanner into reporting a virus, without one actually being there. I admit that this does provide some educational experience, but it is by no means sufficient to call your product an "anti-virus product", which it is not.

> The second point is that copyright protection is not extended to
> programs that make copies of themselves or modify the copyrighted
> works of another without informed permission and consent.

I am sure that the producers of operating systems and file managers would be interested to hear this, since all those programs are able to copy themselves. Also, could you please quote the law or the regulation that states or implies that computer viruses cannot be copyrighted work? If I remember correctly, any significantly original piece of intellectual work is automatically protected by copyright at the moment it has been created.

> Viruses
> that modify someone else's copyright do not enjoy copyright
> protection.

Again, please state the legal grounds behind this claim. It might be possible that by infecting a product, computer viruses make the copyright protection on that particular product invalid (because the original product does not exist any more), but even this is debatable and I would hate to have to defend it.

> By their actions, they by nature enter the public
> domain.

You seem to have a deep misunderstanding of what copyright and public domain are. Just because something is widely distributed does not mean that it is public domain. Otherwise DOS should be public domain - it is certainly more widespread than any particular virus.

> Virus signatures are a derivative work of something in public
> domain and do not enjoy copyright protection either.

This is debatable too. In particular, the scan strings that you are using in your "simulator" are taken from other people's scanners.
The scan strings in those scanners, while not enjoying individual copyright for each string, are certainly a sufficiently original collection and should enjoy copyright as a whole. Don't the publishers of the telephone directories hold a copyright on their works?

> My Virus Simulator MtE supplement does not modify anyone's
> copyrighted work but mine and although the mutation engine is
> embedded within the compiled program, the MtE supplement is my
> own original work.

However, since this supplement is a real virus, by your own words it shouldn't enjoy copyright protection. You are contradicting yourself.

> polymorphic ability to (attempt) avoid detection. The main body
> of the virus is the portion I have written to be safe and
> controlled.

Well, you have failed. It is neither safe nor controlled.

> Tampering is
> discouraged, and anyone who obtains a copy for a purpose beyond
> my legitimate intention is going to be disappointed.

Ha-ha. Takes about 30 seconds and a 3-byte change to remove those so-called "safeguards". I am afraid that the people who have obtained a copy of your product with illegitimate intentions in mind will not be disappointed, unfortunately.

> Although the complete development kit is not available from me,
> Vess has posted the email address of Dr. Mark Ludwig at American
> Eagle Publications in Tucson, Arizona on this forum. His Computer
> Virus Developments Quarterly (vol 1, no 3) spring of '93 did a
> very in depth coverage of the subject, complete with a supporting
> diskette. Far more informative than wasting time attempting to
> extract the mutation engine from my Virus Simulator MtE
> supplement... and you needn't pay me a dime!

Yes, your unethical actions put you in the same category of unethical people as Mark Ludwig. Both of you are selling viruses to your customers and are thus helping to make the virus problem even more serious.
Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:13:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Smeg viruses (PC)

Rex Sheasby (rshea@netcom.com) writes:

> > Most (all) of those reports are either urban legends or concern
> > outdated/defective hardware.

> A close friend works in HD design for a major drive company. We recently
> had a discussion about the possibility of malicious code using the
> proprietary HD commands (commands not in the IDE spec) to overwrite areas
> of the disk essential to its operation. A jumper to disable this possibility
> was considered, and rejected as not being cost effective. So at least some
> new hardware can be disabled by software to the point that a return to the
> factory repair center is necessary to restore its operation. In fact, the
> center may choose to replace the HDA as the most economical solution. Most
> users would call a disk that had to be returned to the factory repair center
> 'damaged', I suspect.

First, the fact that the users do not know how to deal with the software damage does not mean that the hardware has been damaged. We've had one report where somebody had their disk infected with the Tequila virus. Their favorite anti-virus program (TNTVIRUS) was unable to remove the virus and their computer hardware dealer had succeeded in convincing them that they had to buy another hard disk.

Second, the modern IDE drives are usually "idiot-proof" in the sense that they simply do not allow the user to write to those areas of the disk where it could damage the hard disk.
Therefore, I stand by my original claim - all those rumors are either urban legends, or based on defective and/or obsolete hardware.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:18:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> Article 2321 RE:Virus simulators

If it is "RE:Virus simulators", why the heck did you post it in a different thread?

> Certainly. The current shareware version of my Virus Simulator
> anti-virus product is available from most FTP sites as

This is the FOURTH time you are advertising your viruses here. May I ask the moderator whether the guidelines of this newsgroup have changed lately?

> Additionally, you might also try the ICARO ftp sites as well. But
> I'm not sure they're aware of its existence.

Our site is one of the ICARO ftp sites, I am aware of its existence, it is not available here, and will NEVER be. Unlike you, we do not distribute viruses.

> If you still have trouble finding it, please don't hesitate to
> contact me directly.

If you felt like misleading yet another user with your product, couldn't you have contacted him by e-mail?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:29:28 -0400
From: cannon@panix.com (Kevin Martin)
Subject: LRZ in the wild (NYC) (PC)

I just encountered my first virus in the wild. A co-worker had a PC crash and lose its partition information while trying to upgrade a spreadsheet for one of his users; the user mentioned that it had been "running slower lately." The co-worker rebuilt the drive information, but checked his install diskettes afterward with McAfee Scan v113 on a hunch. It reported that all of them had GENB. At that point he came to me, and I ran F-PROT 2.13 and TBAV 6.23. F-PROT reported LRZ on two of the six; TBAV reported nothing (!) I disinfected them with F-PROT, and double-checked them with Scan v115, which pronounced them clean.

Looks like it's going to be an interesting week over in that area. I provided him with the information file "VIRUSES.DOC" from the F-PROT package, in the hopes that he'll be able to translate it into an action plan for the less computer-literate in the user area.

--
cannon@panix.com --- Brass Cannon Consulting

------------------------------

Date: Fri, 26 Aug 94 16:36:42 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Floppy boot sector replacement (PC)

A. Padgett Peterson, P.E. Information Security (padgett@tccslr.dnet.mmc.com) writes:

> >We agree again. It should not be hard to write a utility which would
> >read the boot sector off any cleanly formatted disc, fix up the BPB part
> >of it and write it to the disc to be "disinfected". Maybe I'll do it.
> >But not now, I'm working 14 hours per day as it is. Anyone else want to
> >pick up the gauntlet? It would be a good thing!

> I did that three years ago. It is FreeWare and it is called FixFBR
> (Fix Floppy Boot Record) & is one of the FixUtils. It also performs heuristic

No, Padgett, it doesn't do *that*.
After FixFBR treats a floppy, that floppy becomes non-bootable. This is exactly why I want such a capability built into SYS - because SYS already contains a proper image of a bootable boot sector for that particular operating system and it is natural for it to do this job. We just need an option that tells it not to put the operating system itself on the floppy.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:48:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM_A (PC)

Bob Smith (bosmith@umich.edu) writes:

> I have a DOS 486 machine that is reporting FORM_A virus from McAfee's
> scan 2.0.1e program.

I do not have a copy of this version of SCAN any more, but SCAN version 2.10 reports as "FORM_A" the two different (but similar) variants - Form.A and Form.B. Interestingly, it reports Form.C as "FORM.A".

> I have searched mcafee.com, oak archives and
> cert.org for methods or programs to remove this virus but have not
> found anything.

Are you sure that you have looked carefully? First of all, Form.A is the most widespread virus in the world, so almost all virus removers should be able to handle it properly. Can't SCAN 2.10 remove it? That wouldn't surprise me - SCAN 2.x is an unfinished product which is rather bad from the anti-virus point of view. However, at least the old CLEAN (117) should be able to remove this virus. Also, have you checked F-Prot 2.13a - also available from the oak archive? I know that it is able to remove all the variants of Form. There are many other products which should be able to remove this virus, because it is very well known.
Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:49:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Trashed Floppies (PC)

Robert Morton (73362.1207@CompuServe.COM) writes:

> Vesselin,
> In a note to Kirk Lipscomb you trash CPAV for not removing
> the FORM virus properly. Now I am not saying that CPAV is great,
> but I have had two other virus programs trash floppies when they
> try to remove viruses, and by that standard we should trash them
> all.

Correct. Every virus remover that is unable to handle properly such a widespread virus as Form deserves to be trashed. Which are the other two programs?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 16:55:52 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: XA1 Virus (PC)

DMILL05 (dmill05@aol.com) writes:

> I recently found an XA1 virus on a laptop at work. It was attached to a
> windows swap file 386spart.par. Does anyone have any information on what
> this virus does and what damage it causes?

It is a 1539-byte non-resident slightly polymorphic COM-only infector of German origin. It infects COM files in the current directory and the directories listed in the PATH variable. Files shorter than 1539 bytes are padded to that size with garbage prior to infection.
After December 24 the virus displays a Christmas tree. On April first it displays the string "April, April" and overwrites the first physical hard disk and the two floppy disk drives. Since the virus is non-resident and infects only COM files, it is not widespread.

In your particular case I am absolutely certain that you are *not* infected by this virus. You are a victim of a false positive. Which scanner did you use? I suggest that you report the problem to the producer of the scanner - they might already have an update that fixes the problem.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 17:14:00 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help need to get rid of Michelangelo (PC)

Tzu-Soon Jim Horng (p4f192@ugrad.cs.ubc.ca) writes:

> msav.exe (virus scanner that came with dos 6.x), I found the
> harddrive is infected by the "Michelangelo" virus.

Doesn't it call this virus "Michael Angelo"?

> I have some experiences dealing with virus, but I can't seem
> to remove it by msav.exe or by SYS.COM from a floppy boot up. It seems

The fact that MSAV is unable to remove such a well-known virus is a shame. On the other hand, its virus identification capabilities are so poor that I wouldn't be surprised if it mistakes it for another, different virus. Also, it is pretty normal that you cannot remove the virus with SYS - this program overwrites the DOS boot sector and this particular virus is in the Master Boot Record - an area which is not accessed by SYS.

> I do not wish to reformat the whole harddrive, since she does not
> have a backup of all the programs.
Formatting the hard disk is never necessary to get rid of a virus.

> Questions:
> 1.How can I remove Michelangelo virus on her system?

Execute the command FDISK/MBR and reboot your machine. This should get rid of this particular virus from the hard disk.

> 2.Is there a program (shareware or freeware if possible) that can
> remove the virus without reformatting the harddisk?

Most of the popular anti-virus products are able to handle this virus correctly. A particularly good one is F-Prot, but you could use a variety of others - AVP, CLEAN, etc.

> 3.How safe are the files on the disk (are the files infected as well?)

They are safe and are not infected.

> Is it too late for me to back up the files now?

No, you can do a backup. However, take care to make sure that there is no virus in memory when you are doing the backup - otherwise you are running the risk of having all your backup floppies damaged. This depends on the particular backup program used. In the worst case (i.e., if you cannot ensure that the virus is not in memory), you could do the backup via floppy drive B: - this virus does not infect the floppies in drive B:.

> If you have dealt with the Michelangelo virus or if you have ideas about how
> to get rid of it, please send an email to me.

I am sending you a copy of this message.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 17:24:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GenB Virus - Need Help! (PC)

Steve Daley (spdaley@undergrad.math.uwaterloo.ca) writes:

> Having a problem with several computers, reporting GenB, Generic Boot Virus.

Sigh... Here we go again.
Please, take care to review just a few messages that have been posted here
before. In short, there is no such thing as "the GenB virus". This is a way
for McAfee's SCAN to tell you "this boot sector is very suspicious and I am
pretty sure that it is infected, but I really have no idea which particular
virus it might be infected with".

> The following programs give the following reports:
> McAfee 2.01       GenB at 960k
> Thunderbyte       Unknown Boot sector virus
> MSAV              Nothing
> CPAV              Nothing

The first two programs are saying essentially one and the same thing - a
quite probably infected boot sector; infected by a virus they are unable to
recognize. The last two programs have such a bad detection rate that it is
not worth even talking about them.

> No attempts to remove the virus work. I have done the following (as
> well as about 500 other things):
> 1. Make 6.2 boot disk on clean machine with only Himem.sys and Emm386 loading
> - boot infected machines and check with Scanner - Same Result as above

Of course. If your hard disk is infected, scanning it after a clean reboot
will naturally indicate that it is still infected.

> 2. Sys the hard drive from a clean floppy
> 3. Re-format hard drive, re-install DOS from BRAND NEW package

Those two steps wouldn't help if the virus is in the MBR. However, in this
case SCAN would have reported the virus as "GenP", not as "GenB". Are you
completely certain that it is reported as "GenB"?

> 4. Low level drive, then do step 3.

You mean, even low-level formatting the drive did not help? In this case,
your machine might just have a weird boot sector that happens to trigger the
heuristics of SCAN and TbScan. Although, having in mind what SCAN uses as a
heuristic in this case, this seems rather unlikely. A much more probable
conjecture is that the "clean machine" you used to prepare the bootable
floppy on was not that clean at all...

I would suggest that you send a copy of the boot sectors of an infected hard
disk to an anti-virus researcher.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 17:25:42 -0400
From: frank@ee.uwm.edu (Always I wanna be with u!!)
Subject: Help with trident virus!! (PC)

I am posting this for my friend, so pls reply to the account below. Thank
you.

>From mhwoo@ucdavis.edu Thu Aug 25 23:02:18 1994

Hey guys,

My computer has been infected by the [TridenT] virus. After I deleted all
the infected files, I used scan116 to scan my harddisk and no virus was
found, but later, I found it again after 1 or 2 days. I haven't added any
new files to the computer after I deleted the infected files. So I know it
is hidden somewhere inside my harddisk. Can somebody help me to remove it?

Thank you very much for your help!

------------------------------

Date: Fri, 26 Aug 94 17:27:11 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: [HELP] I Don't know if I have a virus in my computer or not.... (PC)

Kwong Wong (kwwong@lynx.dac.neu.edu) writes:

> My IBM PS/2 Model 70 is acting very strange for the past two weeks. I
> suspect that there is a virus in my system.

> Here are the problems that are happening so far...

[description deleted]

> I was wondering if anyone here can tell me if I have a virus in my PS/2

Most probably - you don't. Your description sounds very much like a hardware
problem. Maybe something is wrong with the interrupt controller, but I am
not sufficiently competent in hardware matters to give you good advice.
Consult your local technical support. All I can tell you is that the problem
does not sound as if it is caused by a virus.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 76]
*****************************************
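Added example, not part of the digest and not code from any of the posters: a toy disk model that makes concrete two points from the Michelangelo and GenB replies above, namely that SYS rewrites the DOS boot sector inside the partition and so leaves a Master Boot Record infection in place, while FDISK /MBR replaces only the 446-byte code area of sector 0 and keeps the partition table (and the data) intact. The layout (one FAT16 partition starting at LBA 63), the "clean stub", the foreign code marker and the sanity checks are all my own constructed assumptions; the checks are a simplified stand-in for a heuristic scanner, not McAfee's actual GenB logic.

```python
"""Added example (not from the digest): a toy disk model showing why FDISK /MBR
cleans code in the Master Boot Record while SYS does not, plus simplified sanity
checks of the kind a heuristic boot-sector scanner applies. All bytes are
constructed; nothing here is real virus code."""
import struct

SECTOR, CODE_LEN, PTABLE_OFF, SIG_OFF, PART_START = 512, 446, 446, 510, 63
# Constructed stand-ins: a known-clean boot stub, and arbitrary foreign code
# that merely represents "not the clean stub".
CLEAN_CODE = b"\xfa\x33\xc0" + b"\x90" * (CODE_LEN - 3)
FOREIGN_CODE = b"\xeb\xfe" + b"\xcc" * (CODE_LEN - 2)

def make_partition_table():
    """One active primary FAT16 entry (type 0x06) plus three empty entries."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xbf\x7f", PART_START, 204800)
    return entry + b"\x00" * 48

def fresh_disk(mbr_code=FOREIGN_CODE):
    """Disk model {LBA: 512-byte sector}; sector 0 carries the given code."""
    dos_boot = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (SECTOR - 13) + b"\x55\xaa"
    return {0: mbr_code + make_partition_table() + b"\x55\xaa",
            PART_START: dos_boot}

def mbr_warnings(sector):
    """Simplified checks (mine, not McAfee's) flagging a suspicious sector 0."""
    w = []
    if len(sector) != SECTOR or sector[SIG_OFF:] != b"\x55\xaa":
        w.append("bad length or missing 0x55AA boot signature")
    entries = [sector[PTABLE_OFF + 16 * i:PTABLE_OFF + 16 * (i + 1)]
               for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):
        w.append("invalid boot-indicator byte in partition table")
    if sum(e[0] == 0x80 for e in entries) != 1:
        w.append("expected exactly one active partition")
    if sector[:CODE_LEN] != CLEAN_CODE:
        w.append("boot code is not the known-clean stub")
    return w

def sys_partition(disk):
    """Model of SYS: rewrites the DOS boot sector inside the partition only,
    so foreign code in sector 0 survives."""
    disk[PART_START] = fresh_disk()[PART_START]

def fdisk_mbr(disk):
    """Model of FDISK /MBR: replaces only the 446-byte code area of sector 0;
    the partition table (and hence the data) is kept intact."""
    disk[0] = CLEAN_CODE + disk[0][PTABLE_OFF:SIG_OFF] + b"\x55\xaa"
```

Running `mbr_warnings` on sector 0 before and after `sys_partition` shows the same warning, and only `fdisk_mbr` clears it while leaving bytes 446-509 unchanged.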