VIRUS-L Digest   Friday, 23 Sep 1994   Volume 7 : Issue 77

Today's Topics:

Re: delphi virus?
Hackers, etc
Re: Re| Viruses = Commercial Opportunity?
Re: Virus simulators
Re: virus in jpgs
Re: virus in jpgs
(Fwd) Re: delphi virus?
Report of a new antiviral called `Auto-Verve'
RFI: UNIX virii, UNIX virus scanners (UNIX)
WPWIN6.0a infected with NATAS? (PC)
Re: "Stoned" Virus Mistaken for Michelangelo? (PC)
Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Stealth_boot.C (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
How do I load VSHIELD on high memory? (PC)
Re: New Stoned Virus? (PC)
Update on BUPT 9146 Beijing (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: "Stoned" Virus Mistaken for Michelangelo? (PC)
Whisper (PC)
Windows Virii (PC)
How to Remove a swiss virus from the partition table? (PC)
F-PROT and UMB's (PC)
Bobo Virus (PC)
UNKNOWN!!!!:::X3A (PC)
Re; [News] Need Help on "V-SIGN" virus (PC)
Re; [News] Info on AntiEXE needed (PC)
Re; [News] KAOS? (PC)
Re; [News] REQ: Help (PMBS, Stealth_boot.C) (PC)
On exchanging viruses via BBSs (PC)
Help Me: I have a virus on my PC (PC)
Jack the Ripper (PC)
Re: Help Win 32 Bit File Virus? (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Video virus? (PC)
HELP! - Cleaned virus, now I can't access C drive (PC)
Untouchable & V-analyst 3 (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Server-downing virii - Netshield corruption on Novell server (PC)
Re: FORM_A (PC)
"Stoned" Virus Mistaken for Michelangelo? (PC)
Re: Immune System for PCs from IBM (PC)
VIRUS INFECTION - (PC)
Tripwire V1.2 Release (Finally!)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 26 Aug 94 17:30:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: delphi virus?

al bell (allbell@delphi.com) writes:

> Twice, when I have been reading files on Delphi, the print on the
> screen has suddenly turned gibberish, requiring me to sign
> back on. My communication software's Echo setting changes from
> off to on, so that I can see my password as I typed it in. I
> once just signed back on, but then I thought maybe this is some
> sort of viral trick to collect passwords.

Unlikely. Most probably, the gibberish has been caused by line noise. Something from this line noise has been interpreted by your communication program as a command to turn the local echoing on - or you have involuntarily turned it on yourself, while trying to clear the screen.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 20:52:57 -0400
From: dnoack@world.std.com (David R Noack)
Subject: Hackers, etc

Hi,

My name is David Noack and I'm working on a story for the Phoenix Gazette newspaper in Arizona about what first-time computer users should know about computer viruses, how they spread and what kind of precautions they should take. I'd also like to get some comments regarding why people hack and corrupt programs that can then do damage to another person's system. I realize that this may seem pretty elementary, but the article is aimed at new computer users who are just learning the ropes and advising them on some of the do's and don'ts. If anyone would care to share some of their insight and advice, I will certainly use some of it in the article.

If you decide to respond, please include a little info. about yourself, such as where you live (city will do) and state, how you earn a living, how long you've been involved in computers, etc.

BTW--I am also trying to make contact with the man who produces the Hack Report and another e-publication called the Bounty Hunter. If you know of their e-mail address, I would appreciate it.

Thanks,
David.

------------------------------

Date: Fri, 26 Aug 94 21:24:13 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Re| Viruses = Commercial Opportunity?

Fridrik Skulason wrote:
>
>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>
>>:-). Oh yeah? Could you please specify what do you mean exactly by
>>"just about any"? NAV's misnamed "innoculation" is actually an
>>integrity checker, and not very securely implemented, on the top of
>>that.
>
>Also...don't forget that although the generic disinfection provided by an
>integrity checker can be useful when dealing with a brand new virus, it is
>of no use whatsoever unless the integrity checker has been installed before
>the virus infects the machine.
Exactly; this is why whenever I am posting a comment about it, I say "installed correctly". CPU simulators, however, could offer generic detection, as well as removal, without any necessary fancy "installation." A look into the future?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
      Email: datadec@cs.ucr.edu  datadec@wintermute.ucr.edu

------------------------------

Date: Sat, 27 Aug 94 11:40:26 -0400
From: parvo@netcom.com (Breath me in...)
Subject: Re: Virus simulators

Fridrik Skulason wrote:
>
>sand@biko.llc.org (David Adams) writes:
>
>>Hi All!
>
>> I was wondering if any of you have an FTP site where we can get
>>some virus simulators.. Thanks!
>
>Hope you don't mind some questions...
>
> 1) What do you mean by "virus simulators" ? Something that simulates
> the activation effects of some viruses or something else ?
>
> 2) Why do you need this...what is the purpose ?

Perhaps this person wants to see what particular viruses do (i.e. their visual effects). Perhaps he/she is doing a demonstration or presentation on viruses. Regardless of the answer, in my opinion, it's none of your business. He/she simply wants to know where he/she can get one or if one is available. Why do you constantly question people's motives whenever they want to know something about this subject?? You, Frisk, are by far the most sceptical person I've ever seen in the "scene". You need to either ease up on people or get yourself a girlfriend...

Anyways, to help the individual out who asked the question in the first place... If you do an ARCHIE on the string "virsim" or "vir" you will find a lot of FTP sites which carry stuff like this. Try other words like "simulator" and stuff like that. Or if you know the actual name of the file...like "virsim2c.zip"...you will find about 5 or so sites that carry this program. Also, there are plenty of virus research BBS's that carry a bunch of stuff to help you out.

DJ
parvo@netcom.com

------------------------------

Date: Sun, 28 Aug 94 03:56:07 -0400
From: kauf0026@gold.tc.umn.edu (Peter Kauffner)
Subject: Re: virus in jpgs

I have a virus infection which F-Prot detects as "Stoned.NoInt.A". McAfee detects it as "NO INT". Norton said it was a Chinese something or other. The only exposure to unscanned files that my PC has had in the last several months is JPEG and GIF files downloaded off of Usenet. Is that a plausible source for this type of infection?

I haven't noticed any virus symptoms yet, even though the virus must have been in my machine for at least a month or two before I discovered it. Does anyone know what the symptoms of this particular virus are? My operating system is DR DOS 6.0.

Peter Kauffner
Minneapolis, Minnesota
kauffner@mermaid.micro.umn.edu

`Go tell the Spartans, you who pass by,
That here, obedient to their laws, we lie.'
--Epitaph for the Spartan force at Thermopylae

------------------------------

Date: Sun, 28 Aug 94 17:26:38 -0400
From: kauffner@seaotter.micro.umn.edu (Peter Kauffner)
Subject: Re: virus in jpgs

I have a virus infection which F-Prot detects as "Stoned.NoInt.A". McAfee detects it as "NO INT". Norton said it was a Chinese something or other. The only exposure to unscanned files that my PC has had in the last several months is JPEG and GIF files downloaded off of Usenet. Is that a plausible source for this type of infection?

I haven't noticed any virus symptoms yet, even though the virus must have been in my machine for at least a month or two before I discovered it. Does anyone know what the symptoms of this particular virus are? My operating system is DR DOS 6.0.

Peter Kauffner
Minneapolis, Minnesota
kauffner@mermaid.micro.umn.edu

"Champagne to our real friends and real pain to our sham friends."

------------------------------

Date: Tue, 30 Aug 94 22:39:05 -0400
From: fungible@pipeline.com (Tom Patterson)
Subject: (Fwd) Re: delphi virus?
In comp.virus you wrote:
>
>Twice, when I have been reading files on Delphi, the
>print on the screen has suddenly turned gibberish,
>requiring me to sign back on. My communication
>software's Echo setting changes from off to on, so
>that I can see my password as I typed it in. I once
>just signed back on, but then I thought maybe this is
>some sort of viral trick to collect passwords. I
>changed my password and now reboot before signing back
>on after the gibberish appears.
>Has anybody here seen a virus that behaves this way?

It's not a virus. Contact delphi staff and they'll tell you (although you obviously can't do it by email) that for some types of comm programs it will screw up because of their terminal emulation. I have ComIt for Windows and it did that to me; supposedly there are others as well. The delphi staff will probably be able to help you get around it (I hope, good luck).

Mr. Fungible

------------------------------

Date: Wed, 31 Aug 94 03:28:35 -0400
From: "A.APPLEYARD"
Subject: Report of a new antiviral called `Auto-Verve'

From Daily Telegraph (UK daily newspaper) (page 4) Wed 31 August 94

[Computers learn from man how to keep fit]
By Christine McGourty, Technology Correspondent

A technique for fighting computer viruses has been developed based on the human body's mechanisms for tackling foreign invaders. Researchers at IBM have developed an "immune system" for computers. The program analyses a new virus and destroys it. It can also send messages to other computers on the same network telling them how to kill the virus.

The program could help people to clear out viruses much more quickly. At present a software "vaccine" must be developed for each virus. The new approach would also mean computer users could tackle the problem themselves, rather than waiting for experts to update their anti-virus software.

Dr. Greg Sorkin, a researcher at IBM, said: "It's hard to keep up with the viruses. There are two or three new ones every day. Most are written by high school pupils and are very simple. They can be analysed by a computer program instead of a human."

The program, called Auto-Verve, is undergoing sale but could be on sale within a year.

"One of the advantages is that once you have analysed a virus you can transfer the information on how to destroy it to other computers in the same office and wipe it out before it becomes an epidemic." added Dr. Sorkin.

------------------------------

Date: Wed, 31 Aug 94 19:20:09 +0000
From: jtruitt@dw3f.ess.harris.com (Jim Truitt)
Subject: RFI: UNIX virii, UNIX virus scanners (UNIX)

Hi,

I hate to be the next in a long line of folks asking this same old question, but please bear with me.

I have recently been asked if I knew of any UNIX virus scanners. I didn't, so I started searching. I have located (and received literature on) a product called VFind by CyberSoft. Is anyone familiar with this product? I have found another reference to a product TCell. I have not been able to locate any info on this one. Is anyone familiar with this product? Are there others out there?

I have also found references that say, "Don't bother. There are no UNIX virii to scan for." Are there any UNIX virii? The gentleman that provided me the data on VFind says there are and that he recently posted a list of such to VIRUS-L. I tried to find this list, but have not located it yet. If anyone out there has a list (handy) of UNIX virii, would you please send me a copy. Or if you just happen to know about a UNIX virus, I would be interested in any info I can get.

Thanks for your patience.
Jim Truitt

------------------------------

Date: Thu, 25 Aug 94 09:33:52 -0400
From: byoon@eniac.seas.upenn.edu (Baryn Yoon)
Subject: WPWIN6.0a infected with NATAS? (PC)

I work at a computer lab and we have just found out that all of our computers are infected with NATAS. We have discovered that our Install Disk 5 of WordPerfect for Windows 6.0a has been the culprit.
We have purchased over 10 unopened, shrink-wrapped copies from a reliable software dealer and they are ALL infected. All of the disks were write-protected and did not appear to be tampered with. 12 of the files on the disk have the virus on them. The only thing that has detected NATAS is Vi-Spy 12.0 Rel.08.94 which is the August 94 release. McAfee's Scan 117 did not detect it and it was not on the viruslist. When calling McAfee, they told us to try using Scan_Nat3. That didn't detect it either. Has anyone else had this virus? Are your copies of WPWIN6.0a also infected? Thanks.

- - baryn yoon
byoon@eniac.seas.upenn.edu

------------------------------

Date: Fri, 26 Aug 94 17:32:51 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "Stoned" Virus Mistaken for Michelangelo? (PC)

EBA (eba@netcom.com) writes:

> My McAfee virus program, almost two years out of date, picked up a virus
> on my hard disk which it identified as the "Stoned" virus. When I ran a
> Norton anti-virus, it did not pick up "Stoned," but it did tell me it
> found "Michelangelo" lurking.

Relying on the results of an outdated scanner is dangerous. The Michelangelo virus *is* a variant of Stoned, which explains why the old scanner has reported it as such.

> I proceeded to clean the disk using Norton, and it returned a "clean" bill
> of health. Then I ran McAfee again, and it did not pick up any virus.

Therefore, the virus has been removed.

> Does anyone know if McAfee could have confused "Stoned" with
> Michelangelo?

Because the viruses are similar, and a scanner that is two years old could very well confuse the two.

> I'd also be interested in hearing what sort of damage Stoned might have
> done, and how quickly.

There are several dozens of different variants of Stoned, and they do different things, so I am unable to reply to this question, unless you run some kind of scanner that is able to identify the virus exactly. Neither NAV nor SCAN are such scanners. Try F-Prot, AVP, or Dr. Solomon's scanner, if you have it (it is commercial).

> Also, if Michelangelo has any effects other than
> on the one day of the year.

Yes, it does. When it infects a disk, it overwrites one sector of it. Depending on what kind of disk it is (hard, floppy), what size it is, and what it is formatted with, this can cause damage.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 26 Aug 94 19:54:16 -0400
From: Iolo Davidson
Subject: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

datadec@corsa.ucr.edu "Kevin Marcus" writes:

> Instead, people shouldn't balk and scream that it's too hard to
> find skilled people, but rather, it is easy to find people who
> have the appropriate background in computer architecture, and the
> laziness is what keeps the employers from training them on the
> specifics.

It isn't that easy. I know because I went through the process. It takes years of actual experience researching viruses to become really proficient. The top people have been in it from the beginning, and you can never catch up to them if you start now.

> Whenever someone gets a new job, they *always* get some kind of
> training on what they are doing,

Which makes them a beginner, with the basic skills and little experience. That makes them useful, but not a top researcher.

> I see the problem as most definitely laziness on the part of the
> people who have AV packages. They expect people to already know
> everything they need to know, which is absurd considering that
> the stuff people need to know is so tightly restricted and
> controlled.

I think you are projecting a bit.
The people I know in this position don't *expect* to be able to find experts off the street. The problem is that they can't, and they know that, and they know that they can't train real experts either, in any kind of reasonable time. But they do hire programmers and train them to pick apart viruses.

> How about one of your development programmers? Did you
> know the people for long before you hired them?

Well, this was directed at Frisk, but... At the AV company I worked for I was hired because I had written a TSR which I was marketing myself (badly), and they needed someone specifically to write a TSR. I had known the boss for a couple of years previously. I was taught the company procedure for disassembling viruses and adding them to the scanner repertoire, but I didn't do much of that because (a) I was busy programming, and (b) the boss was twenty times faster than me at it, because he had seen all the preceding viruses. I doubt I ever added as many as a hundred viruses to the scanner myself.

- --
SAID FARMER BROWN      WISH I COULD
WHO'S BALD             ROTATE THE CROP
ON TOP                      Burma Shave

------------------------------

Date: Fri, 26 Aug 94 23:00:18 -0400
From: elis@teleport.com (Eli Shapira)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Guys, I don't understand your objections...

I agree - the documentation on VIRSIM2C should be refined, but you all know that every AV vendor is asked to give viruses to customers evaluating their products. Since we do not want to give "real viruses" to customers we all make our own little harmless samples that will work with our AV product. I have seen hundreds of these samples from almost every AV vendor. Most of them will work only with the AV product from the vendor that created the sample.

VIRSIM2C should not be used to test detection rate or scanning quality of one Anti-Virus or another. I understand that Mr. Rosenthal is no longer trying to promote his utility for that purpose. It is however a very useful tool that can help a customer that understands absolutely nothing about viruses to see how the Anti-Virus he/she evaluates reacts to a "virus". It helps them do it without risking an infection by a real virus.

Finally there is someone that is willing to work with all the AV vendors, came up with a standard that all of us can work with and is not trying to make millions of dollars from his simple idea. He is even giving the full non-shareware product to any AV vendor - free of charge.

An Anti-Virus can easily distinguish between a real virus and a "simulated" one and can inform the user about it.

So... what's the problem ?

Eli Shapira

------------------------------

Date: Fri, 26 Aug 94 23:12:21 -0400
From: jayl@dorsai.dorsai.org (Jay_Leiser)
Subject: Stealth_boot.C (PC)

Need any info on a virus id'd by f-prot as stealth_boot.c. I cannot find any info but I've seen lots of people infected as far back as 7/25/94. The only symptom I've seen was DRIVE C Failure.

------------------------------

Date: Sat, 27 Aug 94 01:39:32 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

=========================================
August 27, 1994

Douglas de Lacey, Cambridge UK writes:

> Dear Mr Rosenthal,
> Perhaps you will say that as a contributor to this forum I am already
> something more than what your documentation calls "general end users,
> system administrators and educators"; but I assume you would still expect
> your product to be useful to me (and more importantly, to my customers). But
> when I finally release my perfect AV package, just *how* will it help us?

An excellent question. Here's how many anti-virus product developers are cooperating to incorporate my Virus Simulator into their products.

In the past, it was common for many anti-virus products to include simple dummy bait files so users could verify that they have installed their products and are using them correctly.
Virus Simulator offers this ability from an independent third party in a much more functional format. My simulations allow users to actually install a (dummy simulated) test virus in the boot sector, memory and files. Your customers (and potential customers) can test and evaluate the user interface and get a good feel for how your product reacts and "behaves" when a virus is detected.

Additionally Virus Simulator offers a great solution to the problem of giving real viruses to customers so they can test drive your anti-virus product for themselves. Users appreciate being able to functionally demonstrate your product and determine if yours is the one that will best serve their needs. Virus Simulator provides a safe alternative to using captured viruses.

Virus Simulator can be a very dramatic sales tool, and several companies used it for just that purpose on the convention floor of the last COMDEX I attended. It made an otherwise dry lecture into a much more entertaining, hands-on test drive. As any educator or salesman can tell you, far more effective.

> 1. They download the pd version, and try it out. It completely fails to
> activate my package, because it contains no viruses. At this point therefore
> they are likely to throw my package away, and use instead an *inferior*
> one (inferior in that it occasionally gives false positives. We all lose out.

Yes. That would be most unfortunate. My best suggestion is you simply intentionally identify the simulations as what they are. "Virus Test Simulations From Rosenthal Engineering" That way your product will be compatible with Virus Simulator and no one could fault you for being fooled or susceptible to false alarms. That should not be difficult. Remember these simulations are quite easy to detect. In fact they're designed to be detected. If I can offer any assistance or technical support, please don't hesitate to ask.

> 2. Or perhaps they are sufficiently persuaded by my sales hype that they buy
> the full version of the Simulator and get some real virus samples. Quite
> apart from the ethics, what have they discovered that my own software cannot
> adequately show: that it's properly installed, and that this is what happens
> if a virus pops up?

Well please understand that the samples my Virus Simulator generates are quite safe and controlled. I'm sure that when you examine the registered version for yourself, you will feel quite comfortable recommending it to your customers, secure in that knowledge. I have every confidence that once you examine the complete package for yourself, you will find no ethical difficulty at all.

> I'm not trying to be aggressive, but I just don't understand...

Please, no apology is necessary. Your questions are quite well taken and certainly understandable. The useful concept of my Virus Simulator is difficult for many people to understand. I hope I've satisfactorily answered your questions. Thank you for asking.

Regards,
Doren Rosenthal
as194@cleveland.freenet.edu
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
===========================================================

------------------------------

Date: Sat, 27 Aug 94 04:09:08 -0400
From: hong@csulb.edu (Jason Hong)
Subject: How do I load VSHIELD on high memory? (PC)

I am using VSHIELD version 117 with SCAN 117 on 386 and 486. There is a switch that keeps VSHIELD in high memory (/LH). However, it does not stay in high memory after running the memmaker command. If I take out the parameter (/LH), it stays in conventional memory. Then I can not launch some DOS applications under Windows. Is there any way that I can keep VSHIELD in high memory?

- --
Documentary Photographer, | hong@csulb.edu |
Auto-Mechanic, &          | ACS, CSULB     |
Software Engineer.

------------------------------

Date: Sat, 27 Aug 94 12:56:36 -0400
From: hewitson@hickory.egs.uct.ac.za (Bruce Hewitson)
Subject: Re: New Stoned Virus?
(PC)

> The above symptoms sound very much like the EXE_Bug.F virus.
> ...procedures for copying MBR over deleted....

I have a problem when I try this... my hard drive is DoubleSpaced (DOS 6.2) and when I boot off a clean floppy, I cannot access C:. Any ideas...?

- - bruce

------------------------------

Date: Sat, 27 Aug 94 13:51:44 -0400
From: eng30424@solar.cc.nus.sg (TAN SIEW WU)
Subject: Update on BUPT 9146 Beijing (PC)

So far we (my friends and I) haven't found out where the virus came from, but we managed to get rid of it from our system. We used debug to check the memory and the partition table of the hard disk and we found out that the virus actually resides in the partition table, and when we boot from the hard disk, two kilobytes of conventional memory will be missing (shown by the DOS mem command). Booting from a clean floppy disk will give all 640k of conventional memory available. The number 637k of conventional memory reported by mem.exe (3k missing) was because 1k was used to store BIOS information. After we used memmaker, we managed to get back 640k.

Somehow DOS fdisk does not write to the whole partition table and the virus resides in the area that fdisk does not overwrite. When we found out what happened, my friend used debug to write some assembly code to fill the partition table with zeros. After that we retried with fdisk and formatting the hard disk and the virus was gone. Also we could get Windows for Workgroups 32-bit disk access. Later we found out that there is an option for fdisk, i.e. fdisk /mbr. We have tried this and found the virus either removed or deactivated. The /mbr option does not actually delete and recreate the partition again, but it somehow fixes the problem.

As for anti-virus programs, we tried scan 117, McAfee new generation scan 210e and f-prot version 2.13a. All of these do not detect the virus. (Maybe they do not check the partition table????)

- --
|----------------------------------------------------------|
| Tan Siew Wu                                              |
| Department of Electrical & Electronics Engineering.      |
| National University of Singapore.                        |
| Email address :- eng30424@nus.sg                         |
| Term address :- Raffles Hall, Kent Ridge Crescent,       |
| Singapore 0511.                                          |
|----------------------------------------------------------|

------------------------------

Date: Sat, 27 Aug 94 19:26:16 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

================================================
Doren Rosenthal
August 27, 1994

When referring to myself and my Virus Simulator MtE supplement, Vesselin Bontchev writes:

> I maintain my claims and have facts to back them up. He lied when he
> said that he has "made MtE safer" - he has not changed it at all. His
> product *does* fool the people who are using it, and I have explained
> several times why.

Vess, I realize that English is not your native language, so perhaps someone at CARO or the university you represent can assist you to understand my comments and in choosing your words when presenting your arguments more appropriately to a scientific forum.

Obviously you are quite confused, please let me explain what I mean by "Safe and Controlled." The Virus Simulator MtE supplement contains an actual "Dark Avenger Mutation Engine". The engine itself is not a virus at all, but a routine that allows the virus writers to give their work polymorphic properties that make their viruses more difficult to detect. When the virus replicates, the embedded mutation engine encrypts (or scrambles) the code so it takes on a new appearance to (attempt to) escape detection.

The time to be concerned about viruses is before you get one. My Virus Simulator allows users to better prepare themselves using safe bait as an alternative to live captured viruses.
The Virus Simulator MtE supplement continues in that effort by allowing users to practice their skills on a real (although limited by my design) polymorphic virus using an actual Dark Avenger mutation engine. Although the Virus Simulator MtE supplement is a real virus, it has special limitations designed to make it suitable and safe for its intended purpose. Only the MtE engine itself is captured, the rest of the virus is my own original work.

If users obtain the registered version of my Virus Simulator directly from me without compromise (which is the only legal way to obtain it) they can be comfortable that it, like all the simulations in Virus Simulator, is safe and controlled. In addition to the thorough testing I personally conducted, it was also independently tested and reviewed by "Computer Virus Developments Quarterly" (vol 1 num 2) and the "National Software Testing Laboratories" (NSTL) (see Software Digest May '93 vol 10 no 5).

Virus Simulator has safely been in general use for over four years and the MtE supplement has been available since December '92. First to anti-virus researchers and product developers and then general end users. It remains without question, safe and controlled and entirely appropriate for the legitimate purpose I designed it to perform.

Doren Rosenthal
as194@cleveland.freenet.edu
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
========================================================

------------------------------

Date: Sun, 28 Aug 94 06:58:21 -0400
From: mrnoise@econs.umass.edu (Mr. Noise)
Subject: Re: "Stoned" Virus Mistaken for Michelangelo? (PC)

EBA wrote:
>My McAfee virus program, almost two years out of date, picked up a virus
>on my hard disk which it identified as the "Stoned" virus. When I ran a
>Norton anti-virus, it did not pick up "Stoned," but it did tell me it
>found "Michelangelo" lurking.
[...]

One is a variant of the other (I don't remember which way the relationship goes, off hand), so that's not surprising.

- --
Mr. Noise    Sea of Noise    +1-203-886-1441    UMASS-Amherst
8^>= "Shop as usual & avoid panic buying."
Remember: If codes are outlawed, only outlaws will have codes.

------------------------------

Date: Sun, 28 Aug 94 20:55:43 +0000
From: d92joaar@ida.liu.se (Joakim Aronius)
Subject: Whisper (PC)

I have just been told that I have this 'Whisper' virus on my HD. I haven't checked my HD yet but I expect it to be a mess. ScanV is supposed to find it, but is not able to remove it. So, what should I use to get rid of this thing? Preferably shareware/freeware.

/Joakim

------------------------------

Date: Sun, 28 Aug 94 22:40:50 -0400
From: Cynthia Sue Garrett
Subject: Windows Virii (PC)

Has anyone else ever seen a Windows-specific virus? I was just wondering, because as a Windows programmer (C++) I know just how much control over the system the programmer can have. I myself am against any malicious virus programming but have seen a Windows virus on a store computer once. It opened many instances of a program and then scrolled the focus through the instances so that you couldn't access the menu on one instance to exit it easily. Eventually it opens so many instances that anything you try to do is restricted for lack of memory.

------------------------------

Date: Mon, 29 Aug 94 03:02:38 -0400
From: castillo@casino.cchs.su.oz.au (Tony Castillo)
Subject: How to Remove a swiss virus from the partition table? (PC)

Good day,

No, I'm not having a good day... Just want to ask everyone how I can remove a swiss virus from the partition table without low-level formatting the hard disk... Is there any virus cleaner that is able to remove it from the partition table? Will appreciate any help or advice you can give to me...
regards,
tony

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
* TONY CASTILLO                      e-mail: castillo@coco.cchs.su.oz.AU    *
* EDP Unit, The University of Sydney, Cumberland College of Health Sciences *
* East Street, Lidcombe, NSW 2141, Australia                                *
* ---------------------------------------------------------------           *
* And without controversy great is the mystery of godliness: God  | ,-_|\   *
* was manifest in the flesh, justified in the Spirit, seen of     | /   \   *
* angels, preached unto the Gentiles, believed on in the world,   | \_,-._* *
* received up into glory. 1 Timothy 3:16 (Read Phi 2:8-9 also)    |      o  *
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

------------------------------

Date: Mon, 29 Aug 94 05:20:55 -0400
From: trebor@test3.stack.urc.tue.nl (tREBOr)
Subject: F-PROT and UMB's (PC)

I was wondering if F-PROT (v 2.12) scans UMB's (seg A000-FFFF, technically speaking) during the normal conv./HMA memory scan. If it does: are there any viruses that utilize this area? If it doesn't: why not?

Thanks,
robert

"Ambient is the mind" -- Carl Craig

------------------------------

Date: Mon, 29 Aug 94 09:35:32 -0400
From: fisherd@cfs.purdue.edu (David Fisher )
Subject: Bobo Virus (PC)

I have a virus which has been identified as "bobo". Apparently, it infects command.com. Does anyone have any additional information about this virus?

Thanks in advance.
David

------------------------------

Date: Mon, 29 Aug 94 13:58:35 -0400
From: schoew@urvax.urich.edu
Subject: UNKNOWN!!!!:::X3A (PC)

Help! I'm a lab manager at a university and 15% of my machines have a virus called X3A. If anyone has info, e-mail me ASAP!

Thanks!
John Schoew

------------------------------

Date: Tue, 30 Aug 94 00:33:47 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; [News] Need Help on "V-SIGN" virus (PC)

Hi !

oerkul@site.gmu.edu (Oguz Erkul (CS 471)) writes:
> I am facing a virus which is called "v-sign" as the title
> says.
> It is messing up the partition table, it is more like cansu
> with some powerful stuff it sometimes doesn't let you go in to OS.
> Anybody having any kind of experience with this kind of virus, please
> write to me about cleaning it (totally).

It's a memory resident, not dangerous virus which hooks INT 13h and hits the boot sectors of floppy disks and the MBR of hard drives. It inserts 40 bytes of installer code into the sector during infection. On every 64th infection this virus types a large letter 'V'.

--
OK

------------------------------

Date: Tue, 30 Aug 94 00:57:54 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; [News] Info on AntiEXE needed (PC)

Hi !

smusser@world.std.com (Scott Musser) writes:
> Can anyone provide me with information on the AntiEXE virus (symptoms,
> means of infection, history, etc.)? Anything at all would be greatly
> appreciated.

This is a boot virus. It can hide the MBR in 0/0/13 on the hard drive, and in the last sector of the root directory on floppies. This virus corrupted an unknown EXE program (size 200256). Try the antivirus program "Aidstest" (Russia, Lozynski).

Good luck !

--
OK

------------------------------

Date: Tue, 30 Aug 94 01:04:37 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; [News] KAOS? (PC)

Hi !

brett_miller@ccm.hf.intel.com (Brett Miller - N7OLQ) writes:
> I have been hearing about a new (?) virus called KAOS that has been
> transferred over the internet. Does any one have any info on it?

CE-697
------
Another name of this virus is "Kaos4". So far, verified reports or samples of this virus have been received from the US, Austria, Norway and Finland. It seems that the virus was distributed over Usenet, possibly in one of the alt. groups. The virus is not very remarkable - it is a 697 byte non-resident COM/EXE infector, which contains the string "KODE4 / Kohntark" (the "o" has 2 dots above it). This string is not encrypted and can be found with any text search utility.
The virus does not seem to have any specially interesting functions, and does not contain any destructive code, so the problem is not as serious as it might have been, but the virus might have non-intentional side effects, such as preventing a machine from booting if it infects IBMBIO.COM/IBMDOS.COM on a machine running IBM DOS.

--
OK

------------------------------

Date: Tue, 30 Aug 94 00:37:51 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; [News] REQ: Help (PMBS, Stealth_boot.C) (PC)

Hi !

fac0294@uoft01.utoledo.edu (Colin McGinnis) writes:
> "The PMBS virus search string has been found in memory."
> "The Master Boot Sector is infected with the C variant of the Stealth_boot
> virus."
> If anyone has any information on either of these viruses (what they are and/or
> how to get rid of them, please post something on the group or mail me.

PMBS
----
It's a dangerous memory resident boot virus. On loading from an infected disk it copies itself into extended memory, switches the PC into protected mode and runs a virtual V86 machine. DOS and applications will be executed under that virtual PC. It hooks all interrupts (from 0 till FFh) and checks for critical situations. On a critical situation on reading a floppy it infects it (the MBR of the hard drive is infected on loading from an infected floppy). On other critical situations it displays one of the messages and hangs the computer up:

Unimplemented Interrupt:
Offending instructions:
General Protection Fault:
Offending instructions:
Offending CS:IP:

This virus contains the internal string "PMBSVIRS" also. It's a stealth virus on accessing the infected hard drive. It checks the port input/output (by using protected mode 386 features) and corrects the data which is output on reading the infected MBR.

This virus contains several errors, including an error of principle. The programmer's bug is in the infection of the floppy. The virus saves on the floppy only part of itself, not all the code.
The virus consists of two parts of code - the code which is executed in real mode (on loading and on infection, then the virus jumps to V86 mode), and the code of protected mode. The virus doesn't save the code which is executed in protected mode. The second generation of the virus will hang up.

The problem of principle is using the infected i386 as an i86 only. The virus can't let the i386 switch into protected mode again. So, EMS386, QEMM386, MS-WINDOWS etc. will not work. Moreover, the DOS command MEM will hang up the infected PC. It's because this program checks extended memory also, and the virus stops it.

StealthBoot
-----------
It's a harmless memory resident stealth virus. It hits the hard drive MBR upon loading from an infected floppy and then hooks int 13h and infects floppy boot sectors. It doesn't manifest itself.

Good luck !

--
OK

------------------------------

Date: Tue, 30 Aug 94 03:14:53 -0400
From: Peter Hubinsky
Subject: On exchanging viruses via BBSs (PC)

Hi Vesselin,
(Sorry, but some time ago you proposed me such greeting, didn't you?)

>> This is a very
>> pejorative and unworthy personal attack, completely without foundation.
>> What -evidence- do you have that Rosenthal uses such BBS's?

>First, I didn't claim that he "uses such BBS's", did I? Second, yes,
>incidentally I happen to know that he *is* involved in virus exchange
>and has been even quoted as "maintaining" the virus collection of
>another collector from Slovakia.
Let me introduce myself to other Virus-L readers: my name is Peter Hubinsky and I am a teacher at the Slovak Technical University in Bratislava, Slovakia, and I am a member of the Slovak Antivirus Center in Bratislava, which is an organization doing absolutely similar things to what other AV centers do :-) Simply - we have, in my opinion, a successful AV-oriented BBS and FTP site, we are supporting the development of the only Slovak antivirus product - NOD-Stopvir, we are publishing in PC-related magazines etc., we have a virus problem hot-line etc.

I am not very happy to enter into this already a little bit off-topic discussion, but when you have mentioned my name indirectly, I have no other possibility. Well, it is true that approximately one year ago I sent Mr. Doren Rosenthal a major part of the Slovak Antivirus Center virus database because we had cooperated together for some time in sorting virus samples for research purposes. Mr. Rosenthal was for me the same AV specialist as you - Vesselin, as Frisk or Alan, as... He is (and at that time he was) a member of ASP and other shareware authors' organizations, his programs (not only Virus Simulator) you can find at the majority of known FTP sites and shareware CDs, he is publishing in U.S. computer magazines etc.

I wouldn't like to polemicize with your and his opinions on Mr. Rosenthal's Virus Simulators or virus simulators generally (I am not discussing the simulation of various virus visual or sound effects). My point of view is that when someone would like to create something for living virus simulation, then he has only 2 ways:

- to create something which is not a virus in all characteristics, but in some ways looks like it. Maybe the way of Mr. Rosenthal was not absolutely right and in some things I must agree with the objection that more sophisticated AVs cannot find anything among files generated by VIRSIM, because they have more detailed searching algorithms than only simple string searching.
But I must also agree with Mr. Rosenthal that for testing some AVs it is enough, and to tell the truth, when anybody is buying Rosenthal's VIRSIM, then it has its right to live (it is a law of the free market, isn't it?). BTW recently I found at one German FTP site something very similar to Mr. Rosenthal's Simulator - the name is Virus Simulator VS2 - copyrighted by Boff Consulting Freising - author F.H. Martin Otto - dated Sept. 1992. Therefore my question is why the discussion is not also about this product (and how many else?). In my opinion it is because of your personal antipathy to Mr. Rosenthal, isn't it?

- to create a living virus with embedded limitations as to number of replications, names of victim files, query before some action. Such characteristics are used in the MtE Simulator by Mr. Rosenthal, which is sold as a supplement to the above mentioned Virus Simulator. Well, in your opinion it is already a virus (BTW there are a lot of similar testing viruses in our collection, not only Mr. Rosenthal's MtE simulator products; why is the discussion not also about these "viruses"?). Maybe you are right (it is only a question of definition, what is a virus and what is a pseudovirus) when you are arguing that it is replicating, but in no case can I agree with you that it is dangerous - it cannot be dangerous either for the non-skilled user, because it has the above mentioned mechanisms which brake its unlimited replication, or for probable abuse (modification) by some hackers, because hackers have had for several years in their hands full MtE materials (src, obj...) and they do not want any "pseudovirus" analysis for their further "developments". Simply, Virus Simulator is on an imaginary scale below and MtE Simulator above the border where real viruses are beginning? How then to create anything below this border, but still having the main virus characteristics so as to simulate real viruses (BTW the main virus characteristic is replication...)?
BTW it looks like there is a need for a virus simulation product in the PC community - why didn't you create anything better by yourself?

As to virus exchange: I am not supporting free virus exchange in any way, but simply, Vesselin, you cannot forbid any AV-oriented subject (either private person or company or organization) outside of CARO (or outside of Europe?) to exchange anything with its partner. You can believe me that you cannot. You can make any interventions in this direction (for instance in such a way as above), but you cannot forbid anything. BTW what's new with our application for CARO membership sent to you over 1 year ago? :-)

Best wishes
Peter Hubinsky

SAC BBS and NOV1 FTP-server file administrator
Tel. +42 7 351 608
E-Mail: hubak@elf.stuba.sk   FIDO: 2:422/80
Slovak Antivirus Center Bratislava, Slovakia:
TLF +42 7 2048 228   FAX +42 7 2048 230
BBS +42 7 2048 232   ZyXEL 1496+ 19.200 Bd NonStop
Partial mirror of SAC BBS is maint'd at FTP-server nov1.kar.elf.stuba.sk
Motto: If you have any problems, jump out of the Window(s) !!!

------------------------------

Date: Tue, 30 Aug 94 07:34:09 -0400
From: hiep@cs.utexas.edu (Hiep Huu Nguyen)
Subject: Help Me: I have a virus on my PC (PC)

Hi. Please help me. I seem to have a virus on my IBM PC system. Please email answers to: hiep@cs.utexas.edu

These are the characteristics:
- Vertical bandings (white and black lines) on fonts in ASCII mode (i.e. DOS).
- Vertical bandings on icons in programs such as DPaint
- Vertical banding on Windows bars/icons and color loss (i.e. icons are totally black) in Windows.

These are just some of the symptoms I can see. I think it might be because I downloaded some demos/shareware things over the net... Any help or pointers on how to fix this would be greatly appreciated. Thanks for your time.
-hiep

------------------------------

Date: Tue, 30 Aug 94 09:26:44 -0400
From: phh@dmu.ac.uk (Paul Hodgkinson)
Subject: Jack the Ripper (PC)

Interested to hear from anybody with experience of the Jack the Ripper boot sector virus. It's not on our scanners. Seems to go for the disc controller and clock.

Paul

--
Paul Hodgkinson F.I.Sc.T., Dept of Pharmacy, De Montfort University UK

------------------------------

Date: Tue, 30 Aug 94 10:24:45 -0400
From: a0631vdc@c1.cc.univie.ac.at (Gerhard Kluenger)
Subject: Re: Help Win 32 Bit File Virus? (PC)

: Hi there,
: > Help We have been getting an error message when
: > starting Windows 3.1 about not being able to start 32 Bit File Access.
: > This machine has been running for 8 months without this message.
: > It has now jumped to another machine through a bootable diskette.

I encountered a similar problem, after by accident I had a diskette in my A: drive (without system). After reboot (DOS 6.2) all looked fine, but loading Windows for Workgroups 3.1 gave the message:

"The MS Windows 32-bit disk driver WDCTRL cannot be loaded. There is unrecognizable disk software installed on this computer. The address that MS-DOS uses to communicate with the hard disk has been changed. Some software, such as disk-caching software, changes this address."
[and some further hints that it might be a virus]

3 days later I noticed that my system clock was back exactly 1 day (1 day date delay, time was OK). Any idea if - and what kind of - virus this might be? What I wonder is that my IBM-AV (about 8 month old version) shield didn't say anything when I used this diskette the first time to transfer an AMI-PRO text file from a friend. (After this I forgot it in the drive and the next time powering on I got the troubles described before.)
--
-------------------------------------------------------
Gerhard Kluenger   Email: Gerhard.Kluenger@univie.ac.at

------------------------------

Date: Tue, 30 Aug 94 11:01:50 -0400
From: jlicquia@mhc.uiuc.edu (Jeff Licquia)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

frisk@complex.is (Fridrik Skulason) writes:
>as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:
>> Virus detecting programs that fail to find
>> these simulations may indeed
>indeed, yes...
>> discover their real counterparts and
>> variations, but should only be trusted after that ability is
>> demonstrated.
>In other words..."The virus simulator cannot really tell you anything, you
>have to check out some real test for that purpose". So what is the purpose
>of it, if it cannot be used to test anti-virus products and does not trigger
>them ?

From a "dumb user's" perspective, this seems to actually say something more insidious than that... It seems to say, "Any virus detector that claims to be reliable but cannot detect 'viruses' in this virus simulator should not be trusted." If I were a user of the simulator (not forewarned) and I tested, say, F-Prot with it and F-Prot didn't detect any viruses, this part of the documentation would warn me that F-Prot was probably not a reliable scanner. (I use F-Prot here because of its reputation as a high quality scanner.) I might then test some other, inferior product, find it detects viruses, and place my trust in it OVER F-Prot because of my trust in the truth of the documentation. This could potentially be disastrous, especially if I am a netadmin for a highly important network.

From what I understand of the debate, non-detection of viruses is actually a hallmark of *QUALITY* in a scanner. This statement from the documentation seems not only misleading - it is dangerous, as it encourages users to use inferior scanners and mistrust the quality products.
------------------------------

Date: Tue, 30 Aug 94 16:27:56 -0400
From: chris584@aol.com (Chris584)
Subject: Video virus? (PC)

We have lost several monitors in the past month, and have read that there are viruses which can alter frequencies or voltages sent to the monitor or video card. Please advise whether this is true, how to detect such a virus, whether standard virus detection packages can detect such a virus, etc.

Thanks.
C. Harper

------------------------------

Date: Tue, 30 Aug 94 18:17:04 -0400
From: Thomas Dosedel
Subject: HELP! - Cleaned virus, now I can't access C drive (PC)

Scenario: AT&T Safari laptop was diagnosed with the Forms virus; it would not boot off of the hard drive. Ran scan and confirmed virus in boot sector. Using a boot floppy I successfully removed the virus using "mwav". All seemed well, until I rebooted the system and it reported:

Missing operating system

I booted from a floppy and when I tried to access the C: drive it reported:

Invalid media type reading drive C

Any suggestions?

Thom Dosedel
See it BIG --- Keep it simple!

------------------------------

Date: Tue, 30 Aug 94 19:40:14 -0400
From: im.haq@uttsbbs.ness.com (Im Haq)
Subject: Untouchable & V-analyst 3 (PC)

I was wondering if you received the fax that I sent on August 10, '94. I have not heard back from anyone, and was curious to find out what is going on. As I stated in the fax, I have been a registered user of your Untouchable product for over TWO years, and would like to continue to receive updates, whenever they become available.

Regards,
IMTIAZ HAQ

. Bureaucracy: That place always in need of a laxative.

___ Blue Wave/QWK v2.12
----
+------------------------------------------------------------------------+
| The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)|
| Danville, California, USA.  1.5 GIG Files & FREE public Internet Access |
+------------------------------------------------------------------------+

------------------------------

Date: Tue, 30 Aug 94 19:45:18 -0400
From: Marcio Migueletto de Andrade
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

The so called "Virus Simulator" would cause much less noise if it was named something like this:

"False Positive Generator Plus Real MTE Based Controlled Virus"

Humm... think it is not that sexy :-))

Marcio M. Andrade
Department of Computer Science
Universidade Federal de Minas Gerais - Brazil
mar@dcc.ufmg.br

------------------------------

Date: Tue, 30 Aug 94 22:32:20 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: Server-downing virii - Netshield corruption on Novell server (PC)

Fabio,

I'm not sure what you are referring to in this posting; however, Netshield does not corrupt database files. My inclination would be that there may be an incompatibility between this database and Netshield. At any rate, if you're running Netware 3.11 or 3.12, I recommend upgrading to Netshield 1.61 [currently in beta], which makes use of an API available from Novell in CLIB revision 3.12f [you must use this or 3.12g]. This routine allows for file access through a Netware provided call, which may resolve any incompatibilities associated with multiple NLMs monitoring file opens and writes on the networked drive.

Regards,
Lucas
McAfee Tech Supt

Fabio Esquivel C. (fesquive@cariari.ucr.ac.cr) wrote:
: OK, Fran excuses himself 'cause he doesn't know all the details why the
: PC Support group in their headquarters issued the warning about not
: using McAfee's NetShld.NLM on a Novell Server.
: But... what does McAfee have to say about this? Has McAfee experienced
: such corruption on their own Novell servers when testing the product
: before they put it on their FTP node? Was it a bug on a single old
: version, already fixed on current versions? Or what?
: I think it's important to know if NetShld.NLM is potentially dangerous
: if loaded on a Novell server, which is a file (data, programs, etc.) server.
: If it does corrupt databases (I don't know why would it do so), then people
: already running this software is in danger...
: Please, John McAfee or Aryeh Goretsky, answer us
:
:                                   \___/
:                                   (O o)
: ----------------------------------oOo-U-oOo--------------------------------
: Fabio Esquivel - University of Costa Rica    | C:\GAMES>a:install
: fesquive@cariari.ucr.ac.cr (163.178.101.5)   | Blood_Drinker virus found!
: fesquive@bribri.ci.ucr.ac.cr (163.178.101.8) | Apply, Kill, Panic? _
:                         "Up the Irons!" - 8¬)
: ---------------------------------------------------------------------------
:                                   __|||__
:                                  (__/^\__)

------------------------------

Date: Wed, 31 Aug 94 00:46:03 -0400
From: dhartung@chinet.chinet.com (Daniel A. Hartung)
Subject: Re: FORM_A (PC)

Bob Smith wrote:
>I have a DOS 486 machine that is reporting FORM_A virus from McAfee's
>scan 2.0.1e program. I have searched mcafee.com, oak archives and
>cert.org for methods or programs to remove this virus but have not
>found anything.
>
>Can somebody offer some suggestions on how to dispose of this virus
>or point me to some useful info?

At my job I have *sigh* extensive experience with FORM variants, particularly FORM-18. I have not seen FORM_A but presumably it is similar in its implementation, which basically means it writes its code to the boot sector of any disk (IMPORTANT: whether it has the operating system or not!). Thus a simple method of removing the infection is to reformat the disk. If you have a hard disk, FDISK /MBR (master boot record) may be able to restore a previously stored clean copy of the boot record. Run your scan both before and after. UNFORMAT, however, is a risky utility to run -- since it creates a new copy of the current boot sector, which happens to be infected.
There are several utilities as well (check your utility package docs) that may be able to restore the boot record. You can take some comfort in the fact that FORM rarely actually destroys data -- in several dozen infections, we only know of one disk that was trashed.

--
Daniel A. Hartung           | I believe we can fly
Birch Grove Software        | on the wings that we create
dhartung@chinet.chinet.com  | -- Melissa Etheridge

------------------------------

Date: Wed, 31 Aug 94 12:57:25 -0400
From: robbins@pipeline.com (Albert Robbins)
Subject: "Stoned" Virus Mistaken for Michelangelo? (PC)

I had some experience with Stoned. It works slowly most of the time--it only advances when disk operations are performed. So if you're word processing as I was, it will only advance each time a document is saved. It infects the boot sectors of the hard disk. I also remember that CPAV couldn't get the thing out of the hard disk by itself. I had to call for support and they gave me a procedure that worked. It got into the system on startup, and even starting from a clean system disk and reformatting the hard drive didn't get rid of it. CPAV could clean floppies of it, however. It was strange, though--it would tell me it had cleaned the hard disk, but then if I ran the cleaning program again it would still find Stoned. In any event, it didn't cause any visible damage, and it was on the system for several weeks. It sounds, though, like you are doing a lot more disk operations than I was. What it will ultimately do is prevent you from getting to the contents of your hard disk, or so I hear.

------------------------------

Date: Wed, 31 Aug 94 14:26:46 -0400
From: "David M. Chess"
Subject: Re: Immune System for PCs from IBM (PC)

> From: tluten@news.delphi.com (TLUTEN@DELPHI.COM)
> However, it feels to me sort
> of like a "good" virus: unsolicited instructions spreading across a net,
> to be executed without user intervention. Incidentally, doesn't it also
> create an interesting piggybacking vector?
Yes to both; that's why it's an interesting challenge (as I said the first time the subject came up, if it was easy, someone would already have done it!). One of the hard parts of the system is avoiding situations where the immune system itself starts to cause problems for the "host" (the network, in this case). Avoiding, that is, the computer equivalent of an auto-immune disease. We already have this problem to some extent, where a false alarm from an anti-virus program can start a cascade of alerts and alarms and people running about and writing memos, even long after the original false alarm has been identified as such. The potential is even stronger in a more highly connected and automated system. (This is why we put so much effort into eliminating false alarms in IBM AntiVirus.)

People interested in Jeff's full paper on the subject from a recent Alife conference are pointed, as usual, at the menu gopher://index.almaden.ibm.com/1virus/menus/virpap.70

--
David M. Chess                | Check, one, two. Check, one, two.
High Integrity Computing Lab  | Pffffft... Pfffffft....
IBM Watson Research           | Is this thing on?

------------------------------

Date: Wed, 31 Aug 94 14:39:34 -0400
From: bpwarner@csupomona.edu (Brian Warner)
Subject: VIRUS INFECTION - (PC)

Hi,

{Note: My conection with this net is via a pc to a VAX to this newsgroup. I thin4 my VAX account is safe.}

I thin4 my pc might be infected with a virus. My virus checher dosn't detect anything, but I have some strange symptoms. Three of my 4eys are returning incorect va5ues, as you can see. 5 and 4 are two examp5es of said errors. This is my first expierience with a virus, if it is a virus. My question is, does anyone recognize these symptoms... and can someone refer me to a particu5ar virus program.... and is this program on the internet.... I have thought about bootinig my pc from drive a, but that dosn't wor4 - It continues booting on drive C:, ignoring the boot dis4 in drive A:.
I understand that my post is rather distorted with errors (4, 5, etc.) but I hope that someone can he5p me. and forgive the messy nature of this post...

SYMPTOMS:
-Incorrect responces are being given from my 4eyboard.
-I havn't noticed any change in memory.

---
Brian Warner
Student of Economics at Cal Poly Pomona, ca.
Email: bpwarner@csupomona.edu

------------------------------

Date: Tue, 30 Aug 94 10:14:32 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Tripwire V1.2 Release (Finally!)

Announcing the release of version 1.2 of Tripwire! This version supersedes all previous versions of Tripwire.

Version 1.2 includes several new features, small performance improvements, and several bug fixes. This version also includes a new signature routine, porting to new machines, support for symbolic links and HP CDF files, and more. (See the list below.)

Version 1.2 of Tripwire is probably the final release of Tripwire for some time to come. Gene Kim is no longer at Purdue, Spaf is on sabbatical for the 1994/95 academic year, and no COAST sponsor has shown particular interest in funding continued development.

Enclosed below is a brief description of what Tripwire is, a description of how to get a copy of the source code, and a list of new features added since the Version 1.1 release.

We greatly appreciate the time and effort expended by all the people who beta-tested various versions of Tripwire over the last few years. Without the contributions and reports of these people, we are certain that the package would not be as complete as it is currently. We have tried to acknowledge all our testers and contributors in the documentation and Changelog file in this distribution; our sincere apologies if we forgot anyone.

Also, our thanks to COAST sponsors and sponsors of COAST research projects who helped fund this project, directly or indirectly. This includes especially Bell Northern Research, Trident Data Systems, Sun Microsystems and the US Air Force.
(Be sure to read the COAST.info file!)

30 August 1994
Gene Kim
Gene Spafford

What is Tripwire?
-----------------
Tripwire is an integrity monitor for Unix systems. It uses several checksum/message-digest/secure-hash/signature routines to detect changes to files, as well as monitoring selected items of system-maintained information. The system also monitors for changes in permissions, links, and sizes of files and directories. It can be made to detect additions or deletions of files from watched directories.

The configuration of Tripwire is such that the system/security administrator can easily specify files and directories to be monitored or to be excluded from monitoring, and to specify files which are allowed limited changes without generating a warning. Tripwire can also be configured with customized signature routines for site-specific checks.

Tripwire, once installed on a clean system, can detect changes from intruder activity, unauthorized modification of files to introduce backdoor or logic-bomb code, and virus activity (if any were to exist) in the Unix environment.

Tripwire is provided as source code with documentation. The system, as delivered, performs no changes to system files and does not require root privilege to run (in the general case). The code has been extensively tested at many sites. Tripwire should work on almost any version of Unix, from Xenix on 80386-based machines to Cray and ETA-10 supercomputers. It now even works properly on DEC Alphas, and on Linux and BSDI systems! Tripwire may be used without charge, but it may not be sold or modified for sale.

Tripwire was written as a project under the auspices of the COAST Project at Purdue University. The primary author was Gene Kim, with the aid and under the direction of Gene Spafford (COAST Director).

Where to Get Tripwire
---------------------
Copies of the Tripwire distribution may be obtained from "ftp://coast.cs.purdue.edu/pub/COAST/Tripwire".
The distribution is available as a compressed tar file. When you untar the file, you will find another tar file, a Readme file, and a PGP external signature to give proof against tampering.

A mailserver exists for distribution and to provide a means of reporting bugs. To use the mail server, send e-mail to "tripwire-request@cs.purdue.edu" with a message body consisting solely of the word "help". The server will respond with instructions on how to get sources, patches (if any are issued), and how to report a bug (which we hope doesn't happen!).

Questions, comments, complaints, bugfixes, etc. may be directed to:
gkim@cs.arizona.edu (Gene Kim)
spaf@cs.purdue.edu (Gene Spafford)

The address "tripwire@cs.purdue.edu" is aliased to both of us. The mailserver, and the "tripwire-request" address have been discontinued.

What's New in Version 1.2
-------------------------
Version 1.2 adds several new features, as well as fixing reported bugs. Among the changes are:

- Signature checking for symbolic link contents has been added.
- Tripwire now correctly runs on Alpha AXPs, and other machines with "long" types that are not 32 bits wide.
- The Haval digital hash routine has been added as the eighth signature routine (faster than MD5, and purportedly more secure).
- The SHA signature routine has been changed to conform to the recent fix introduced in its FIPS definition by NIST/NSA to correct an unspecified weakness.
- The database format changes slightly to correct a boundary condition error. Because database entry numbers change, because the SHA signatures change, and because of Haval, old Tripwire databases must be reinitialized.
- Handling specified configuration and database files (and file descriptors) has been fixed to better accommodate pipes.
- Full support for flex added.
- Signature checking is now considerably faster through the use of the stdio library for file I/O.
- A Perl script has been added to update Tripwire databases where all inode numbers were changed by "fsirand" (NFS sites only); see FAQ.
- Another fix to make database updates more predictable.
- All reported bugs have been fixed in this revision.
- A new README section describes some documented attacks on systems running Tripwire.
- Many small changes have been made to the documentation to correct and update information.

NOTE: The script `twdb_check.pl' (written in Perl) has been added to the distribution. It checks database consistency after updates of the tw.config file. This functionality will be put into the Tripwire program in the next release. Run this script after Tripwire database updates to ensure that database entry numbers are consistent with the tw.config file. See the README file for details (section 3.5.2).

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 77]
*****************************************
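The Tripwire announcement above describes an integrity monitor that baselines file signatures and metadata, reports additions, deletions and changes, signs symbolic link contents, and lets the administrator exempt files that are allowed limited changes. The following is an added example of that scheme in Python; it is not Tripwire's own code (which is at the FTP address given in the announcement), and the directory tree, file names, tampering steps and the choice of SHA-256 as the signature routine are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Attributes compared per path. A per-path mask of attributes to ignore lets a
# file change in some respects (a growing log) without generating a warning.
ALL_ATTRS = ("type", "mode", "size", "mtime", "link", "digest")
DIR_CHURN = {"size", "mtime"}  # directory size/mtime move whenever entries come and go


def _file_digest(path):
    """SHA-256 of a regular file's contents (the hash choice is this example's)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_entry(path):
    """Record the attributes an integrity monitor compares for one path (lstat: links are not followed)."""
    st = os.lstat(path)
    entry = {"type": "other", "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
             "mtime": int(st.st_mtime), "link": "", "digest": ""}
    if stat.S_ISLNK(st.st_mode):
        # For a link only its target matters; the target string is also signed.
        target = os.readlink(path)
        entry.update(type="symlink", size=0, mtime=0, link=target,
                     digest=hashlib.sha256(target.encode()).hexdigest())
    elif stat.S_ISDIR(st.st_mode):
        entry["type"] = "dir"
    elif stat.S_ISREG(st.st_mode):
        entry.update(type="file", digest=_file_digest(path))
    return entry


def build_database(root):
    """Baseline database: relative path -> attribute record for everything under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = snapshot_entry(full)
    return db


def compare(baseline, current, masks=None):
    """Return (added, removed, changed); changed maps a path to the attributes that differ."""
    masks = masks or {}
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        skip = masks.get(path, set())
        diffs = [a for a in ALL_ATTRS
                 if a not in skip and baseline[path][a] != current[path][a]]
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def demo():
    """Baseline a constructed tree, tamper with it, and return what the check reports."""
    root = tempfile.mkdtemp()

    def p(*parts):
        return os.path.join(root, *parts)

    try:
        os.makedirs(p("bin"))
        os.makedirs(p("log"))
        with open(p("bin", "login"), "wb") as f:
            f.write(b"\x7fELF original binary (constructed)")
        os.symlink("login", p("bin", "sh"))
        with open(p("log", "messages"), "w") as f:
            f.write("boot ok\n")
        os.chmod(p("log", "messages"), 0o644)
        open(p("log", "old"), "w").close()
        baseline = build_database(root)

        # Tampering after the baseline. The binary keeps its size and its old
        # mtime, so only the content signature can reveal the change.
        st = os.stat(p("bin", "login"))
        with open(p("bin", "login"), "wb") as f:
            f.write(b"\x7fELF trojaned binary (constructed)")
        os.utime(p("bin", "login"), ns=(st.st_atime_ns, st.st_mtime_ns))
        os.remove(p("bin", "sh"))
        os.symlink("../log/messages", p("bin", "sh"))  # link retargeted
        open(p("bin", "extra"), "w").close()           # file added
        os.remove(p("log", "old"))                     # file deleted
        with open(p("log", "messages"), "a") as f:     # normal log growth
            f.write("user login\n")
        os.chmod(p("log", "messages"), 0o666)          # but a loosened mode is not normal

        masks = {"bin": DIR_CHURN, "log": DIR_CHURN,
                 "log/messages": {"size", "mtime", "digest"}}
        return compare(baseline, build_database(root), masks)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    for path, attrs in changed.items():
        print("changed:", path, "->", ", ".join(attrs))
```

The masked log file is reported only for its permission change, while the replaced binary is caught by its digest alone, which is the case a size-and-timestamp check would miss.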