VIRUS-L Digest   Tuesday, 25 Oct 1994    Volume 7 : Issue 88

Today's Topics:

Mail Security
Re: Netcom distributing viruses
Does anyone know about a virus named the HAL 2000?
Lil' Red Virus (PC)
Re: Has this been done?
Re: How to become an AntiVirus insider?
Need technical info on viruses!
MS-DOS - Quarterdeck QEMM 7.5 (PC)
Malta Amoeba (PC)
Re: HELP with form virus / FAQ (PC)
Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)
Re: Partition Table (PC)
FORM virus Info wanted (PC)
memory scanning (PC)
Re: ANTI-EXE What does it Do. (PC)
Help IRISH virus on CD (PC)
vshield (PC)
Stars required (PC)
Norton AV vs. TBAV and others (PC)
How to detect infection of my application (PC)
Re: Stealth Virus (PC)
Re: Netcom distributing viruses
Re: Anti-CMOS Virus Infection - HELP! (PC)
Form virus (PC)
Forms Virus (PC)
Re: Help Please: Monkey? (PC)
Re: which antivirus to trust (PC)
The InVircible Anti-Virus Expert System v6.01 (PC)
Re: GenB Virii (PC)
Lazarus Virus and FAQ request... (PC)
Re: Thunderbyte anti-virus - how good? (PC)
Re: Monkey Virus is on our backs... (PC)
Re: How do boot sector viruses spread from X to X? (PC)
Re: Can a master boot record be repaired? (PC)
Re: Unstoppable virus? (PC)
Form Virus (PC)
Just another virus (PC)
Re: Unstoppable virus? (PC)
Please, can someone help me get rid of 'junkie' (PC)
Re: Help Win 32 Bit File Virus? (PC)
Lenart??! (PC)
Re: KOH - The useful virus? (PC)
Re: VCL?? (PC)
Re: Something I found (PC) (funny file TATA.WRI)
Removing safely Genb (PC)
Help! How to get rid of BFD virus? (PC)
Re: Exebug apparently surviving boot (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc.
(The complete set of posting guidelines is available by FTP on
CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign
submissions with your real name; anonymous postings will not be
accepted. Information on accessing anti-virus, documentation, and
back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 17 Oct 94 12:30:10 -0400
From: aisg@gate.net (Advanced Information Systems Group)
Subject: Mail Security

Security Experts,

Now that firewall packages are commercially available, I'm finding
more and more companies who wish to connect up to the big "I". Using
wrappers or a packet filter/scanner you can control who comes in or
goes out to the internet. Are there any products out there that can
analyze data coming in from the internet to ensure there are no
viruses? Take SMTP mail for example: is there a secure sendmail or
staging software that checks for viruses before forwarding it on to
the recipient? Are mail-based viruses still a threat to a company
connecting up to the internet? Any advice you have would be much
appreciated.

John Klann
AISG
1-800-780-2598
klann@advinfo.com

------------------------------

Date: Mon, 17 Oct 94 15:13:47 -0400
From: kevin@elvis.wicat.com (Kevin Vigor)
Subject: Re: Netcom distributing viruses

Nick FitzGerald (n.fitzgerald@cantva.canterbury.ac.nz) wrote:

[ much other stuff, most of which I agree with ]

: A service provider, say for argument's sake Netcom, is perfectly
: entitled to make -and enforce- a condition on any subscriber to its
: services that they will not distribute viruses via Netcom's system.
: Vesselin (and I and others) believe that Netcom is negligent and
: exercising poor judgement by -not- exercising a policy like this.
: Whether Netcom does not exercise such a policy in their/its misguided
: belief that the US Constitution's "freedom of speech" provisions
: prohibits them from so doing is something I can only speculate on, not
: having directly confronted them/it on this matter.

I believe there is another point of law to consider here. As soon as
Netcom (or any other such provider) institutes such a policy, they give
up common carrier status. This means that they have an implied
responsibility for all information in their system, as they have chosen
to control at least some of that information. Thus, if somebody ftp's a
pirated program and leaves it in a publicly accessible directory, Netcom
is open for legal action.

I am by no means a lawyer, and am happy to be corrected on this by
anyone more knowledgeable. However, if my interpretation is correct, the
choice for Netcom is pretty simple: either hire a bunch of people to
police the system, annoy the users and open themselves to lawsuits
(witness Prodigy for a fine example of this option); or leave the system
completely open, in which case they avoid liability for the actions of
their subscribers (who are, of course, still liable for their own
actions).

--
Kevin

------------------------------

Date: Tue, 18 Oct 94 00:28:56 -0400
From: tdtennis@nyx10.cs.du.edu (Tim Tennison)
Subject: Does anyone know about a virus named the HAL 2000?

Has anyone out there in comp.virus ever heard of a virus named either
the HAL 2000 or the HAL 9000? It has infected not only PC's and Macs at
work but it also loads itself in the printer buffer and whenever a print
job is started, the printer starts printing out dialog from the movie
2001: A Space Odyssey, such as, "Hal, I'm afraid :( David". The virus
will lie dormant for a few days then come back and wreak havoc, keeping
everyone and anyone from printing a file.
After some of these strange dialog printouts, the virus then prints,
"your computer is infected with the Hal 2000 virus." The virus doesn't
seem to be malicious in any way, just annoying. Comments anyone???

[Moderator's note: Sure sounds like an urban legend (or a movie dialog)
to me...]

------------------------------

Date: Wed, 19 Oct 94 00:36:23 -0400
From: wwoodf1@umbc.edu (Mr. Bill)
Subject: Lil' Red Virus (PC)

I work for Academic Computing Services at UMBC, and I happened to
stumble upon "Lil Red". It is so new that our current database has no
info on it; however, F-Prot 2.14 was able to detect and remove most of
the infected files. Any info would be appreciated.

*-----------------------*--------------------------------------------*
| William C. Woodford   | University of Maryland, Baltimore County   |
| wwoodf1@gl.umbc.edu   | Academic Computing Services (ACS)          |
| Computer Science      | LAN Administration                         |
|                       | ACIV 325, B-Wing, x2682                    |
*-----------------------*--------------------------------------------*
| Disclaimer: The opinions expressed here are my own, and do not     |
| reflect the opinions of my employer, ACS.                          |
*--------------------------------------------------------------------*

------------------------------

Date: Wed, 19 Oct 94 15:27:20 -0400
From: "Jimmy Kuo"
Subject: Re: Has this been done?

Binesh Bannerjee writes:

>Has this kind of a virus ever been written? I was thinking, that if a
>virus writer wanted to, he could write a virus that say did something
>like this :
> Code A
> Code B
> Code C is the original code for the virus.
>Now when you insert the code into the executable to be infected,
>you wrap these around each line or block of code.
> goto L1     <<< Block A
>L2: code A
> goto L3
>L1:
> goto L4     <<< Block B
>L3: code B
> goto L5
>L4:
> goto L7     <<< Block C
>L5: code C
> ret
>L7:
>Now, I can shuffle this code wherever (within limits, I can't place
>these instructions in data, or in the middle of an instruction,)
>but, I can analyze the code, and place the code shuffled wherever
>I feel like it, or, I can make the virus itself shuffle itself,
>and it would just keep changing. Plus, say it could have a location
>that kept track of where in the code it starts, so it can remember to
>strip out the headers (the gotos surrounding the actual viral code.)
>Otherwise, you'd keep increasing the size of the virus... This
>shouldn't be hard to do, if you restrict yourself to not using any
>jmps in the actual viral code, and only use jmps for the wrappers...

>Other than making checksums for each executable, how would such
>a virus be detected?

The one easy answer is emulation. But there are many ways including
encrypted search. The "game" today is in cryptography. This stuff is
old now.

>Has it been done?

Yes.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Wed, 19 Oct 94 16:07:22 -0400
From: "Jimmy Kuo"
Subject: Re: How to become an AntiVirus insider?

Frisk wrote:
>dnikuya@netcom.com (dave nikuya) writes:
>>It is not at all clear to me how an outsider becomes an insider in the
>>AV community. Must one work for a Fortune 500 company, or at a major
>>university?

>no, not at all.....one starts by demonstrating that (a) one has the
>required skills and (b) is trustworthy.

I need to provide myself as an example. In my current capacity, I am
involved in many aspects of NAV development, especially virus
detections. Until I joined Symantec in 1992 to work in this capacity, I
had never touched nor looked at a virus and never been infected by one.
My credentials for the job were, I co-authored (wrote an appendix
segment) a paper on viruses in 1986.
My section described viral entry points in the PC and DOS operating
system. And my resume listed "IBM ESD, PS/2 development."

When I look to hire, I look for people who have PC and programming
skills. I then train them in the field of viruses. And I specifically do
not hire those who have expressed curiosity in this subject.

>>merit. However, it seems that many of the insiders are setting up
>>criteria that will guarantee that outsiders remain so indefinitely.

>Not indefinitely, but people have to be serious about what they do to be
>accepted by the "insiders", including myself.

My case proves that you don't need to have ever looked at a virus to get
into this field. Furthermore, I came into the field as an expert, not as
a trainee.

But before I go, let me give you the most technical reason why I prefer
programmers to those who know viruses. In developing virus detection
techniques, you have to know what distinguishes viruses from regular
programs. You need to have a thorough knowledge of what regular programs
look like so your virus detection doesn't create false ids. You want to
know that when a compiler tests for 0, it uses OR reg,reg and not AND
reg,reg. You have to know what are useful programming techniques and
thus what is "virus garbage code". An education of what viruses do and
what characterizes a virus takes a week or two of training after being
hired. This other stuff I look for takes 5 years of programming
experience to acquire.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Wed, 19 Oct 94 21:02:07 -0400
From: Jordan Rosenwald
Subject: Need technical info on viruses!

Hi! I'm a college student who is desperately in need of help. I request
that each one of you who read this post think of the toughest viruses
you've had and send me any and all information you have on them. Also if
you have any files on the technical aspect of viruses in general please
send them to me.
I have a rather large project I must do, and have found local sources of
information to be lacking. Any and all information that all of you can
provide will be greatly appreciated. Thank you.

Jordan

------------------------------

Date: Mon, 17 Oct 94 11:54:45 -0400
From: padgett@goat.orl.mmc.com (Padgett 0sirius)
Subject: MS-DOS - Quarterdeck QEMM 7.5 (PC)

The new QEMM has a few advances, notably the DPMS (DOS Protected Mode
Services) introduced with Novell DOS 7.0 that allows aware memory
resident programs (such as Stacker 4.x) to use extended memory above the
1 Mb boundary for buffers/etc.

A potential security problem is the QuickBoot addition default. Many
people have increased the security/virus resistance on their PCs by
setting the CMOS so that warm reboots are from the C: drive.
Unfortunately, the QEMM QuickBoot feature loaded by default with QEMM
7.5 boots from the A: drive if a disk is present, bypassing the CMOS
selection.

Fortunately, there is a fix: if the option BF:N (BootFloppy=No) is added
to the QEMM386 command line, the C: drive is used. Unfortunately the
option is somewhat obscure unless you know what you are looking for (or
just like to read tech manuals 8*) and is not given at installation.

Caveat y'all.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.7 Public Key Available

------------------------------

Date: Mon, 17 Oct 94 17:30:47 -0400
From: Muaddib@deathstar.cris.com (Muad'dib)
Subject: Malta Amoeba (PC)

Does anyone know what the Malta Amoeba virus does??? Or how to get rid
of it? (More specifically will NAV be enough to take care of it...)

. Despite the high cost of living, it remains popular.
___ Blue Wave/QWK v2.12

------------------------------

Date: Mon, 17 Oct 94 18:00:51 -0400
From: barbay@dmso.dmso.dtic.dla.mil (Christopher Barbay)
Subject: Re: HELP with form virus / FAQ (PC)

Iolo Davidson (iolo@mist.demon.co.uk) wrote:
: walts@gate.net "Walter Scrivens" writes:
: > I recently had an infection of the form virus on some
: > workstations on my LAN. We cleaned it, and several weeks later
: > it reappeared (and has been cleaned again)

: You get infected by booting, or trying to boot, from an infected
: floppy. It will keep coming back until you find, and clean, all
: the infected floppies. Especially the one that so-and-so usually
: keeps at home and thinks doesn't count because it only has some
: word processor files on it. Check the "blank" ones too.

Your PC also gets infected when running an infected program. You don't
have to boot to be infected!

--
Chris

------------------------------

Date: Mon, 17 Oct 94 20:37:01 -0400
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)

"Andy Berger - ITS User Support Services 803-953-6988" writes:

> Tried FDISK/MBR to no avail. Tried F-Prot and CLEAN with no
> effect. F-Prot says to boot from a clean disk. When I do this,
> it "disengages" the hard drive so the system doesn't recognize
> it. Reboot from the hard drive and the drive "pops" back to life
> as if nothing happened.

Monkey takes the partition table that was in the MBR, encrypts it and
stores it away. The partition table area is then wiped clean. Thus,
when booted from the hard disk (and using Monkey's viral code), it
knows the whereabouts of the partition table and everything's fine. But
when booted from a clean boot, no partition table, not a valid hard
disk.

> Microsoft Antivirus doesn't even find the virus.

NAV 3.0 takes care of it fine. Boot clean. Run NAV 3.0. We access the
hard drive, even if DOS doesn't think there is one, specifically because
of Monkey.
> It hasn't done any damage(yet) so maybe there's really no virus????

If you ever need to boot clean and repair something that has gone awry
on your hard disk, that's when you'll realize that you have a serious
problem. But you already know that you can't boot clean. So, the damage
is that you can't boot clean and expect to use your computer.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Mon, 17 Oct 94 21:09:50 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Partition Table (PC)

HUNDEWALE NISARAHMED wrote:
)hi,
)can u tell me how do i remove virus from partition table?
)I've got Windows 3.1 running on that PC.
)
)Thanx
)
)g9417079@cc.uow.edu.au

Well, that depends on the virus. If you are running DOS 5.0 or later,
you can try this "generic" disinfection method.

  go to a known uninfected machine, and format a bootable floppy with
  fdisk on it

  write protect the floppy

  boot the infected machine from the floppy - do NOT use Ctrl-Alt-Del
  to reboot, power down the machine; some viruses can remain in memory
  after a Ctrl-Alt-Del reboot.

  check that you can access all your hard drives normally; do not run
  any programs, but do directory listings of your files on all discs
  and in a few subdirectories on each disc

  IF YOU HAVE ANY PROBLEMS ACCESSING ANY OF YOUR HARD DRIVES, THEN DO
  NOT PROCEED!

  with the floppy as your default drive type:

    fdisk c:/mbr

That will probably fix your problem.

Mike
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Tue, 18 Oct 94 00:58:35 -0400
From: Michael Paget
Subject: FORM virus Info wanted (PC)

An acquaintance of mine is currently tracking down an infection of the
FORM virus in the computer system of a large corporation. We have
successfully removed it several times, but re-infection continues on an
irregular basis. Currently, we are attempting to track its infection
pattern and narrow down the possible sources of FORM's origin.
More detailed information than that provided by McAfee's and other viral
scanners would be a big help. If anyone can provide us with that
information, either at the above E-Mail address, or in this newsgroup,
it would be deeply appreciated. (I'll put you in my will......:-> )

--------------------------------------------------------------------------
Beware The Jabberwock My Son                        paget@gaul.csd.uwo.ca
The Claws That Catch, The Jaws That Bite                   Sage Research
Beware The JubJub Bird And Shun
The Frumious Bandersnatch                                1-(519) 642-2793
--------------------------------------------------------------------------

------------------------------

Date: Tue, 18 Oct 94 02:13:25 -0400
From: "Frans Veldman"
Subject: memory scanning (PC)

Iolo Davidson writes:

> clotsche@coh.fgg.EUR.NL "Pim Clotscher @ COH" writes:
>
>> Where can I get objective information about the thunderbyte
>> anti-virus package? There was a review/test in Virus Bulletin of
>> july 1994, but I have no access to that information. Can anybody
>> tell the conclusion / strong points, weak points, etc.?
>
> I expect Richard Ford will be along to summarize the VB test.
>
> In a test in SECURE Computing (I'm technical editor) of *just*
> the ability to find viruses in memory, which is important for
> combating stealth viruses, Thunderbyte came off worst of the ten
> products tested, with a score of 2 out of a possible 24.

As a 'technical editor' you are acting rather unprofessionally. It is a
good custom to respect a developer's motivation about the design of his
product. You are criticizing my product without mentioning the reasons
behind the result of the test, as outlined by both our British
representative and myself. I'm wondering why Secure Computing asked our
comments on the test anyway, if they don't publish reasonable comments
at all. Since you decided to broadcast this 'half story' even further,
I feel I have to explain to the same public why our product performs so
badly in your test.
Years ago, scanners just scanned files for viruses, and not memory. The
goal of a scanner is to detect infected files. Memory as such can not be
infected. When the first stealth viruses cropped up, many developers
were faced with the problem that their product wasn't able to detect the
viruses anymore on disk when the virus was active in memory. So they HAD
TO detect the virus in memory, because their product miserably failed to
detect the virus in files. Your statement above that "finding viruses in
memory is important for combating viruses" is true for these products.
Detecting viruses in memory is clumsy patchwork to masquerade the
scanner's failure to detect the virus properly on disk, and not a goal
of its own.

There are however other ways to beat the stealth viruses. We decided
that detecting viruses in memory is clumsy and not an ultimate solution.
We decided to incorporate a file system in TbScan itself, so that it no
longer has to rely on the file system of DOS. Since almost all stealth
viruses interfere with the DOS file system, they are not visible when
you use DOS to read a file, but they are perfectly visible if you read
files on (BIOS) sector level, directly from disk. Low-level file access
is very difficult, but we managed to implement it anyway, in contrast to
some other 'leading' anti-virus products. The result is that we can
detect stealth viruses, even when they are active in memory, and we do
NOT have to scan for them in memory. There is no reason anymore.

In contradiction, we found that memory scanning creates more problems
than it solves. 9 out of 10 false alarm reports are due to memory
scanning. Many virus scanners detect signatures in memory after another
scanner has just been used. Many virus scanners detect viruses in memory
when an infected file has just been read or copied by another product.
Very confusing for most users.
As a result, we decided not to scan memory for all viruses, but only for
those viruses for which it is absolutely necessary, i.e. viruses which
can not be detected otherwise by TbScan once they are resident. Luckily,
thanks to our integrated file system, there are very few viruses we need
to detect by this clumsy memory scanning.

To our big surprise, Secure Computing didn't manage to explain to people
why it is necessary for a scanner to detect the Jerusalem virus in
memory. To our even greater surprise, Secure Computing didn't bother to
publish the reaction of the author of one of the tested products.
Testing products is fine, but one should at least honour the
developer's motivation about the design of his product and publish it,
even if you do not agree with it personally. But to say this product is
bad because it just has a different approach than other products is
very unprofessional.

I hope Secure Computing will improve significantly in the very near
future and become more independent and objective. I wish you all the
best.

> Products that scored well were Dr. Solomon's (24)

Surprise, surprise...

--
Thunderbye,
Frans Veldman

<*** PGP 2.3 public key available on request ***>
Frans Veldman            Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl     Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet      Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Mon, 17 Oct 94 14:41:25 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re: ANTI-EXE What does it Do. (PC)

kennedy@vt.edu (David C Kennedy) writes:

> Does anyone out there know what Anti-Exe corrupts. Norton 8 says it
> corrupts specific unknown exe files. I got the virus from the school
> computer and caught it before it got on my hard drive, but I was just
> wondering.

F-Prot
------
Name: AntiExe*
Alias: D3
Type: Boot MBR

AntiExe is a simple boot sector virus, infecting floppy boot records and
hard disk master boot records.
The virus is very small, it is not encrypted, and does not have any
stealth capability or activation routine. The virus will only infect
hard drives when an attempt to boot from an infected diskette is made.
Once the virus has infected the hard drive, all non-protected floppies
used in the machine will be infected.

The only special thing about the AntiExe virus is that it redirects the
BIOS disk interrupt 13h to unused interrupt D3h - this way the virus can
bypass some behaviour blocker programs.

[Analysis by Mikko Hyppönen / Data Fellows Ltd]

Aidstest
--------
This is a boot virus. It can hide MBR in 0/0/13 on hard drive, and in
the last sector of the Root Directory on floppies. This virus corrupted
unknown EXE-program (size 200256). Try the antivirus program "Aidstest"
(Russia, Lozynski).

Good luck !

--
OK

------------------------------

Date: Tue, 18 Oct 94 10:39:53 -0400
From: asx008@coventry.ac.uk (V. Tandy)
Subject: Help IRISH virus on CD (PC)

My local computer shop recently found and removed several occurrences of
a virus identified as IRISH while adding a second hard drive to my
system. As I replaced each application I checked again and the virus was
identified again. I subsequently found it on a CD data file. The CD was
not PD but I will not identify it in case I can be sued or something.

Does anyone know what IRISH does, is it real and a serious threat or has
the virus check software been fooled? It did appear to multiply but I
did not leave it around for long enough to check this time. No damage
seems to have been done ...(yet)!!

------------------------------

Date: Tue, 18 Oct 94 11:05:19 -0400
From: jst@ing.puc.cl (Jorge Salinas)
Subject: vshield (PC)

hi... first, i don't speak english very well... i have this problem....
i have installed vshield in my PC (486 dx2 66). when vshield runs it
scans all the drives in my pc, c: e: d: , ..., but the drive d: is the
cdrom, and vshield can't read the boot sector of the cdrom. how can i
tell vshield not to read the drive d:? with the command vshield /ignore
d:, nothing happens. please help me...

jorge

p.e: please, excuse my english...=)

--
Jorge Victor Salinas Torres
Pontificia Universidad Catolica de Chile
Departamento de Computacion e informatica.
Email: jst@plomo.ing.puc.cl
       jst@malloco.ing.puc.cl

------------------------------

Date: 18 Oct 94 17:34:58 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Stars required (PC)

Stars wanted...

I am looking for a UK company who would be prepared to talk in a
documentary about computer viruses. Could anyone wanting further
information please Email me.

Tnx.

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Tue, 18 Oct 94 13:30:11 -0400
From: dk768@cleveland.Freenet.Edu (John Guscott)
Subject: Norton AV vs. TBAV and others (PC)

How does Norton Anti-Virus stack up against other a-v software such as
TBAV, F-Prot, scan, Invircible, etc.? thanks for any info you can
provide!

John Guscott

--
John Patrick Guscott
dk768@cleveland.freenet.edu
jguscott@kentvm.kent.edu
ikon@pwrtools.wariat.org

------------------------------

Date: Tue, 18 Oct 94 14:51:38 -0400
From: 7657
Subject: How to detect infection of my application (PC)

I am writing an MS-DOS application that I expect to be copied among
several computers and will likely be passed among users.
I was wondering what kind of virus detection I could include within the
application. All I really want to do is print a warning message to the
user (and terminate the application) if it detects a viral infection.
Can anyone point me to existing code/documentation to do this?

I was thinking of simply doing a CRC of the executable file every time
the application is started, but since this will probably be run from
floppy, I'd like to avoid the extra startup time involved with reading
the entire executable. Are there any reliable checks I can run against
the executable image in memory, or are viruses able to hide as soon as
the application is loaded to memory?

Any suggestions or pointers to documentation (including books) or code
would be appreciated. Please e-mail responses to me, and I'll post a
summary of responses in a week or so.

Thanks,
Rodney
lweaver@promus.com
weaver@acm.org

------------------------------

Date: Tue, 18 Oct 94 19:07:27 -0400
From: lojacond@ccmail.us.dell.com (Debbie LoJacono)
Subject: Re: Stealth Virus (PC)

datadec@corsa.ucr.edu (Kevin Marcus) says:
>Filesize stealthing is when a virus infects a file, but when you type
>dir, one can not see a growth in filesize. Not all viruses need to be
>memory resident to perform this. (Dir-II, Darth Vader)
>
>Fileread/open stealthing is where a program is "disinfected on the fly" by
>the virus which must be active in memory. If a system is scanned with this
>type of virus in memory, it will not be detected in any files.

What category does the Stealth GENB virus fall into ?
JT

------------------------------

Date: Tue, 18 Oct 94 22:46:50 -0400
From: windigo@thepoint.com (Windigo The Feral)
Subject: Re: Netcom distributing viruses

RE: prosecution of persons distributing virii maliciously:

Just a note to the guy in California who has stated he will use the
Vandalism statute in CA--most states (including California) have
specialized computer-crime statutes in their penal codes now that deal
specifically with the malicious distribution of trojan horses and
virii. Even here in the boonies in Kentucky :), we have a computer-crime
law in the Kentucky Revised Statutes that makes the willful and
malicious distribution of virii and trojans a felony, punishable by
prison time and *very* large fines. (Vandalism, on the other hand, is
just a misdemeanor in most states.) I'm no lawyer, but I would advise
you to look in the law libraries if you're REALLY serious about
prosecution--odds are, you could get them with a *lot* more than
vandalism.

--
-Windigo The Feral (NYAR!) -- Home Sec., aka Dobe Warrior
Artemis--KtT, CCA--St., COB, COTABI--The 2000AD Mailinglist is now OPEN!
Send mail to mailserv@thepoint.com saying "sub thrillpower" (your
address) in body to subscribe...FTP archive at ftp.thepoint.com, dir
/pub/text/thrillpower/

------------------------------

Date: Wed, 19 Oct 94 08:40:59 -0400
From: pinkeru@uni-muenster.de (Ulrich Pinkernell)
Subject: Re: Anti-CMOS Virus Infection - HELP! (PC)

Simon Cheung (Simon_Cheung@kcbbs.gen.nz) wrote:
: Using the latest version of scan V.2.1.1., one of my computers was found
: to be infected with the "Anti CMOS" virus. Previously, version 117 of
: scan identified the problem as a generic MBR virus.
:
: As a remover was not as yet available with V.2.1.1. of scan, does anyone
: know of what solutions I have, as I'd like to regain the use of the
: computer.

I had the same problem.
Also the latest version of F-PROT found this virus but did not remove it
directly, but there was the option to overwrite the Master Boot Record
(MBR). I did this myself with FDISK /MBR and the virus has gone. :)

A third Anti-Virus-Program (SD-Scan, commercial) found this virus as a
new version: Stoned (AntiCMOS) -virus, but it also was not able to
remove it.

You should save your data before using fdisk /mbr. The possibly
infected floppy disks you can use later by copying your files from them
and formatting them. Possibly you have to install your DOS-system files
by SYS c: (from a clean DOS-Boot-disk !! :)

------------------------------

Date: Wed, 19 Oct 94 11:38:54 -0400
From: robla@ids.net
Subject: Form virus (PC)

Can anyone give me some info on the Form virus? A few machines got
infected at our Jr High school. What would it have done if it had gone
undetected? thanks for any info you can give me!

Rob LaBanca
Cranston, RI

------------------------------

Date: Wed, 19 Oct 94 14:12:07 -0400
From: "Sean D. Canady (USF)"
Subject: Forms Virus (PC)

I messed up and rebooted my computer with a disk in the floppy and it
gave me the Forms Virus...I got rid of it using Norton Anti Virus, but
now when I try to run Windows for Workgroups 3.11 it tells me that it
can't find the driver for 32bit access. And it says (i think this is
right) the interrupt it uses to call my hard drive is not the same. It
then tells me to check to make sure I don't have any viruses. I have
checked my entire hard drive and it doesn't come up with anything. Also
I am running Stacker 4.0, could this be part of the problem? Does Norton
AV check hidden files?

Thanks in advance...Sean

------------------------------

Date: Wed, 19 Oct 94 15:27:17 -0400
From: "Jimmy Kuo"
Subject: Re: Help Please: Monkey? (PC)

palam@delphi.com writes:
>I use Norton Antivirus to check my computer and see the "Monkey"
>virus message. What is that?

It's the Monkey virus! On your machine, the MBR has been encrypted and
moved.
If you boot clean, DOS will not recognize the HD as a valid drive.

>If anyone know how to get rid of it, please give me a hand.

Using NAV 3.0, boot clean, run NAV from floppy. Under Tools, What to
Scan, make sure Master Boot Records is enabled to be scanned. Then scan
something. Then follow the instructions to repair.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Wed, 19 Oct 94 16:07:25 -0400
From: "Jimmy Kuo"
Subject: Re: which antivirus to trust (PC)

Wu Hu writes:
>I used both F-Prot and McAfee virus scanning software got from their ftp
>sites. the problem was that when I use McAfee scan (version 117) my hard
>disk, no any virus was found, but for F-Prot scan (version 2.14), the
>message for Master Boot Sector was 'Possibly a new variant of AntiCMOS'.
>Which one is correct?

You probably have a new variant of AntiCMOS. There is one in the wild.
It is new. And if you read messages here, you'll notice others seeking
help against it. Most probably, your McAfee version just doesn't have a
definition for that yet. You already have F-PROT so it should be able to
take care of it.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Wed, 19 Oct 94 16:18:34 -0400
From: frankj@tv.tv.TEK.COM (Frank Jazowick)
Subject: The InVircible Anti-Virus Expert System v6.01 (PC)

Hi readers..

I just have heard about the 'new' anti-virus program called The
InVircible Anti-Virus Expert System v6.01... It just came out of Israel
and is being used by Australia and New Zealand. So has anyone heard of
this program and how good it is as compared to well-known shareware and
commercial anti-virus programs?????

Your info will be greatly appreciated..

Thanks,
Frank

------------------------------

Date: Wed, 19 Oct 94 16:22:51 -0400
From: "Jimmy Kuo"
Subject: Re: GenB Virii (PC)

Scott Lynch asks:
>Question : How would you 'extract' (for lack of a better word) a GenB virus
>from a floppy safely? (i.e.
to a ZIP file or something) Would using something >like Teledisk do it? (just thought of that.. ) Please respond via e-mail. Using DEBUG, do: debug - -n genb.boo Stick diskette into A: - -l 100 0 0 1 - -r cx :200 - -r bx :0 - -w - -q Then you will have a genb.boo file on your system that has the boot sector code in it. If you must use B:, "l 100 1 0 1" is the replacement command. And if you have different size diskettes, try naming them .b14, .b12, .b72, etc. to distinguish the diskette types. Teledisk will also work, but anyone can do this. Jimmy Kuo Norton AntiVirus Research ------------------------------ Date: Wed, 19 Oct 94 18:37:21 -0400 From: acpwvw!rogers_js@ms.uky.edu Subject: Lazarus Virus and FAQ request... (PC) Two questions: 1) What is a Lazarus virus? A good friend of mine from home runs a BBS and he claimed that "Lazarus" wrecked his system. Could anyone tell me if it truly exists (he has a tendency to jag around with me), and if it does, how much damage does it wreak? 2) How can I get a copy of the FAQ for this list? Will this request take care of it, or do I have to address the moderator personally? Sorry if this seems stupid, but I wanna know the basics before I ask any more dumb questions... =] [Moderator's note: Done.] ------------------------------ Date: Wed, 19 Oct 94 20:33:12 -0400 From: johnnyrock@delphi.com Subject: Re: Thunderbyte anti-virus - how good? (PC) I also agree TBAV beats everything else. I've tested Dr. Panda, MSAV, Norton, F-Prot, ViSpy, and Virx and TBAV blew everything away. It was written by recreational virus writers. ------------------------------ Date: Wed, 19 Oct 94 21:01:15 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Monkey Virus is on our backs... (PC) Bill Crosbie wrote: [Monkey infection noticed...] [cleaned...] [searched with diskedit...] )virus signature. The signature was still present on the hard )drive in a low sector (359) I believe. Is this dangerous? 
)Does anyone know if this virus hides itself away from normal )viral locations? ) )And finally, what can be done to totally remove the virus? I )would appreciate responses from anyone with experience with this )particular pest. Most likely you are ok. It is entirely likely that the sector you found is not in use at all. If you know how, look at the FAT and determine whether the sector is free. If it is free, then you are ok (unless you have -another- infection in your MBR or boot block). Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 19 Oct 94 21:03:52 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: How do boot sector viruses speard from X to X? (PC) Brian D Stark wrote: ) I've often been interested in how a virus from an infected boot )sector of a disk, transfers to a harddrive. A long lasting rumor is that [rest deleted] There are 3 ways for viruses to infect hard drive MBRs or boot blocks: booting from an infected floppy for viruses which also infect programs (.COM or .EXE) running an infected program some viruses are built into "dropper" programs which when run install the virus on the MBR or boot block Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 19 Oct 94 21:32:04 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Can a master boot record be repaired? (PC) cook cornelius john wrote: )Peter Kauffner wrote: )>PC has had in the last several months is JPG and GIF files downloaded off of )>Usenet. Is this a possible source of infection? )The only ways you can get infected with virii is through CODE. Gif and )Jpg files are data, read by displayers. Boot sectors, Exe, Com, Ovr, )Sys, and partition sectors are the things that virii can infect. ) )However, if I'm wrong, someone please correct me, because I'd love to )know what other sources are. 
) )=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ) Cornelius "Case" Cook c-cook@ux5.cso.uiuc.edu cocook@nyx.cs.du.edu ) I speak for nobody but myself and my pet frog. ) "The devils of truth steal the souls of the free." - ]\[ i ]/[ ) DASA ) I suppose an ANSI bomb could run debug and actually type in the whole virus creating a program in memory or on disc and then run it for you. But I doubt any actually do that. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 19 Oct 94 22:15:47 -0400 From: c-cook@ux5.cso.uiuc.edu (cook cornelius john) Subject: Re: Unstoppable virus? (PC) > From psychman@rci.ripco.com Wed Oct 19 14:44:07 1994 > >What if there was a virus that used MSDOS's int21 backdoor to execute all > >of it's file handling calls? In-memory virus protectors wouldn't be able > >to detect it or stop it. > > How? What does this back-door allow one to do? Using the Jump instruction in the PSP. It points to the lower half of the old CP/M FCB instruction sets. If you trace down, there's a standard distance between that and the actual DOS int 21 entry point. - -- CCSO "A "Are you flirtin' with me?" -Natural Born Killers DASA slow "That's one god-damn good milkshake!" -Pulp Fiction Student steady "Please move along. We are only shrubs." -Tick Case Cook systematic "This soup is too thick!!" -Demon Hunter Cat Machine decline" "...with... A HERRING!" - Holy Grail c-cook@ux5.cso.uiuc.edu NiN "The offical weaky pass." -Akira ------------------------------ Date: Thu, 20 Oct 94 02:10:46 -0400 From: cmm142@herald.usask.ca (Conrad Mowbray Merrifield) Subject: Please, can someone help me get rid of 'junkie' (PC) Can someone please tell me how to get rid of the virus 'junkie'. I used f-prot 2.14 and it said I how 197 com files that were all infected with the virus junkie. I have no idea were I got it!!!!!!!!!!!! 
Can someone please help me mail cmm142@herald.usask.ca thanx, Arnoldx ------------------------------ Date: Thu, 20 Oct 94 03:16:49 -0400 From: "Sean D. Canady (USF)" Subject: Re: Help Win 32 Bit File Virus? (PC) Lenart??! (PC) > >I encountered a similar problem, after by accident I had a diskette in my > >A-drive (without system)... the msg: > > > "The MS Windos 32-bit disk driver WDCTRL cannot be loaded. There is > >unrecognizable disk software installed on this computer. The address that > >MS-DOS uses to communicate with the hard disk has been changed. Some software, > >such as disk-caching software, changes this address. " > I getting this same message...It was the Forms virus that caused it.. I finally got rid of the virus, but I still get this message. I tried to disable 32bit access, but now windows(HP Dashboard exactly) is crashing. It says something about Optmod. ------------------------------ Date: Thu, 20 Oct 94 04:51:00 -0400 From: ANTHONY APPLEYARD Subject: Re: KOH - The useful virus? (PC) Ben Humphreys wrote on Sat 08 Oct 94 23:46:30 -0400 (Subject: KOH - The useful virus? (PC)):- > ... the same virus that encrypts your hard drive using the IDEA algorithm? Sure it can be classified as a virus because it spreads itself, but is serves a purpose! How come it is being discussed here? Does it cause some sort of damage? I downloaded it just in case I ever needed to use it, but now I am concerned about it. If someone could clear things up I would be very grateful. If it encrypts my hard disk, or does anything else to my PC, without my permission, it ain't useful!!! If I want an encrypter, I'll buy or write an encrypter of the ordinary non-viral type! ------------------------------ Date: Thu, 20 Oct 94 04:59:51 -0400 From: ANTHONY APPLEYARD Subject: Re: VCL?? (PC) theoj00@DMI.USherb.CA (JEAN-FRANCOIS THEORET) wrote:- > Does anyone know where can be found the VCL (Virus Creation Vibrary)? Should we really be alarmed about the emergence of such products? 
Zeppelin@ix.netcom.com (George Paulsen) replied (Subject: Re: VCL?? (PC)):- > The VCL's are on every major Virus sites such as ; Hell Pit/West Coast Institute of Virus Research/ Black Axis/Cybernetic Violence/ and any other NuKE/Phalcom Skism site. If, as seems from this, computer virus writing clubs have information exchanges at known email sites, then why can't these sites be traced and closed down? Can't the law act against them???? ------------------------------ Date: Thu, 20 Oct 94 05:08:42 -0400 From: ANTHONY APPLEYARD Subject: Re: Something I found (PC) (funny file TATA.WRI) p_molloy@smcvax.smcvt.edu (Philip Molloy) wrote in #84 (Subject: Something I found (PC)):- > I ... a file called tata.wri ... I dumped the file to the screen using the type command. What I saw were the words "I am infected with a virus" (all caps) for a few lines, and then the same message in reverse. underneath that was the message "...but I would rather have a urine sample instead" and then the garbage you see when you dump .exe files to the screen. After this windows would not work properly, I got the title screen and then it hung. Mcafee 117, and msav turned up nothing. any help is appreciated The binary `garbage' after the text in Windows Write .WRI files is not .EXE matter but the formatting matter (font changes, layout info, etc), which Write puts all at the end, instead of mixed with the text like Word Perfect etc do. Some of it may be embedded graphical matter (pictures etc). Perhaps the file contained an ANSI bomb, either deliberate, or some of the binary matter acted as an ANSI bomb accidentally. Do not use the TYPE command to examine unknown files. ------------------------------ Date: Thu, 20 Oct 94 05:20:40 -0400 From: petrini@di.unipi.it (Fabrizio Petrini) Subject: Removing safely Genb (PC) Hi everybody! I tried scan 2.1.1. unsuccessfully. In outline, this is the problem. Running windows I get an error message that flags the presence of a virus. 
At this point, if I run scan 9.28 v116 I get Scanning boot sector of disk C: Found the Italy [Genb] Virus in boot sector. Scanning boot sector of disk C: Found the Italy [Genb] Virus in boot sector. Found 2 files containing viruses Running clean c: [Genb] I have the following message Scanning boot sector of disk C: Found the Italy [Genb] Virus in boot sector. Searching for original boot sector Virus cannot be safely removed from boot sector But, odd enough, when I run scan 2.1.1 I get no warning or error messages. What can I do ? Thanks for your time and attention Fabrizio Petrini Dipartimento di Informatica Corso Italia 40 56100 Pisa Italy e-mail: petrini@di.unipi.it ------------------------------ Date: Thu, 20 Oct 94 05:22:18 -0400 From: ANTHONY APPLEYARD Subject: Help! How to get rid of BFD virus? (PC) hassan@isl.mei.co.jp () wrote in #85:- (Subject: Help! How to get rid of BFD virus? (PC)):- > ... infected with the BFD virus. ... the Anti-virus ... with IBM-PC DOS 6.0 (IBMAVD.EXE) as well as the one packaged with MS-DOS 6.2 (MSAV.EXE) both reported it. ... I can't disinfect the infected files using them. The most that MSAV does is to rename the files. ... After deleting the infected files I once again ran MSAV and again it says the new files that I re-installed were infected. Does anyone know of a way to get rid of this VIRUS? Is your MSAV itself infected? Use another antiviral (SCAN or VET or F-Prot) also. ------------------------------ Date: Thu, 20 Oct 94 05:32:29 -0400 From: ANTHONY APPLEYARD Subject: Re: Exebug apparently surviving boot (PC) mshmis@world.std.com (MSH MIS) wrote in #85 (Subject: Exebug (PC)):- > I have recently found Exebug on a number of computers and it seems difficult to eliminate. Yesterday I booted from a clean write protected boot diskette which contains Mcafee's latest anti-virus software. The message on the screen said that traces of exebug were found in memory. How could this be? 
"I booted" hereinabove: warm boot (ctrl-alt-del, or RESET button) or cold boot (switch the PC off and on)? Some viruses can survive warm boot in memory, I suspect, as warm boot is not a complete re-zeroing and reinitializing of everything. And some viruses can trap ctrl-alt-del and fake a warm boot. In finding and removing viruses, always COLD boot. ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 88] *****************************************
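Appended here as an editor's worked example, not text or code from any poster in this digest: a small Python tool for three hands-on points raised above, Jimmy Kuo's DEBUG recipe for dumping a diskette's boot sector to a file (genb.boo), Mike McCarty's advice to look at the FAT to see whether the sector where a Monkey signature turned up is actually free, and Anthony Appleyard's warning not to TYPE an unknown file to the screen. It parses a 512-byte sector, checks the 0x55AA signature, fingerprints the sector with SHA-256 so it can be compared against a known-clean copy, maps a logical sector number to its FAT12 entry, and renders bytes with every control character (ESC included, the byte ANSI.SYS acts on) neutralised. The FAT12 floppy image is constructed inline and is not a real diskette; all function names are my own assumptions. A hard disk volume would need the partition's starting sector subtracted from the sector number first, since the MBR and the gap after it lie outside the volume and have no FAT entry.

```python
# Boot-sector triage for a DEBUG-style sector dump (constructed sample data).
import hashlib
import struct

SECTOR = 512
BPB_FORMAT = "<HBHBHHBHHH"   # DOS 3.x BIOS Parameter Block, starts at offset 11
BPB_NAMES = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "num_fats", "root_entries", "total_sectors", "media",
             "sectors_per_fat", "sectors_per_track", "heads")


def get_fat12(fat, cluster):
    """Read a 12-bit FAT entry (entries are packed 1.5 bytes apiece)."""
    off = cluster + cluster // 2
    val = struct.unpack_from("<H", fat, off)[0]
    return (val >> 4) if cluster & 1 else (val & 0x0FFF)


def set_fat12(fat, cluster, value):
    """Write a 12-bit FAT entry without disturbing its neighbour."""
    off = cluster + cluster // 2
    val = struct.unpack_from("<H", fat, off)[0]
    if cluster & 1:
        val = (val & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        val = (val & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", fat, off, val)


def build_sample_floppy():
    """Constructed 1.44 MB FAT12 boot sector plus first FAT (clean, hypothetical)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                 # JMP SHORT + NOP, usual DOS prologue
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, bs, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    bs[510:512] = b"\x55\xAA"
    fat = bytearray(9 * SECTOR)
    fat[0:3] = b"\xF0\xFF\xFF"                # entries 0 and 1: media byte, end marker
    set_fat12(fat, 2, 0xFFF)                  # cluster 2 allocated (one-cluster file)
    return bytes(bs) + bytes(fat)


def parse_boot_sector(bs):
    """Validate and decode a boot sector; returns BPB fields plus a SHA-256 fingerprint."""
    if len(bs) < SECTOR:
        raise ValueError("need a full 512-byte sector (DEBUG: r cx, :200)")
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    info = dict(zip(BPB_NAMES, struct.unpack_from(BPB_FORMAT, bs, 11)))
    info["oem"] = bs[3:11].decode("ascii", "replace")
    # Compare this against the hash of a known-clean sector from the same DOS version.
    info["sha256"] = hashlib.sha256(bs[:SECTOR]).hexdigest()
    return info


def classify_sector(image, sector):
    """Say what logical sector `sector` of a FAT12 volume holds, per its own BPB."""
    bpb = parse_boot_sector(image)
    bps = bpb["bytes_per_sector"]
    fat_start = bpb["reserved_sectors"]
    root_start = fat_start + bpb["num_fats"] * bpb["sectors_per_fat"]
    data_start = root_start + (bpb["root_entries"] * 32 + bps - 1) // bps
    if sector < fat_start:
        return "boot/reserved"
    if sector < root_start:
        return "fat"
    if sector < data_start:
        return "root_dir"
    if sector >= bpb["total_sectors"]:
        return "out_of_volume"
    cluster = 2 + (sector - data_start) // bpb["sectors_per_cluster"]
    fat = image[fat_start * bps:(fat_start + bpb["sectors_per_fat"]) * bps]
    entry = get_fat12(fat, cluster)
    if entry == 0:
        return "free"        # belongs to no file: stale bytes, harmless until overwritten
    if entry == 0xFF7:
        return "bad"
    return "in_use"          # belongs to a file or directory: find and inspect that file


def safe_dump(data, width=16):
    """Hex/ASCII rendering in which no control byte (ESC included) reaches the terminal."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {text}")
    return lines


def count_ansi_introducers(data):
    """Count ESC '[' pairs, the prefix shared by ANSI.SYS display and key-reassignment codes."""
    return data.count(b"\x1b[")


if __name__ == "__main__":
    img = build_sample_floppy()
    print(parse_boot_sector(img))
    for s in (0, 5, 20, 33, 34, 359):
        print(s, classify_sector(img, s))
    print("\n".join(safe_dump(img[:48])))
```

On the sample volume sector 359 maps to cluster 328, whose FAT entry is zero, so a signature found there is leftover data rather than part of any file, which is exactly the case Mike describes. Run the same functions over a real genb.boo and the first FAT read from the diskette, and use safe_dump instead of TYPE for anything like TATA.WRI.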