VIRUS-L Digest   Wednesday, 16 Nov 1994    Volume 7 : Issue 94

Today's Topics:

Re: Internet Staging
Publishing authentication & validation data
Re: Netcom distributing Viruses
Virus Laws
Newsletters Or Magazines
Viruses via usenet! alt.comp.virus
Re: Recommendations (?) on OS/2 Scanner/Disinfector (OS/2)
Hardware trojan horse (Mac)
Softwindows on PowerMac (PC) (Mac)
Virus (?) on PC - new user needing help (PC)
Virus identification? (PC)
InVircible, a new approach to AV (fwd) (PC)
Re: KAOS4 (PC)
ZIFF Verlag (PC)
Re: Forms Virus (PC)
Vacsina v 5 ?!? Info wanted!!! (PC)
Die_Hard virus, need information (PC)
Re: Exebug apparently surviving boot (PC)
Differences between McAfee products? (PC)
VLamiX.1? (PC)
Signalit PT virus maybe ? (PC)
Possible Variant of Jumper.B (PC)
Re: Virus named Jack Ripper (PC)
Re: DOOM II (PC)
THANKS!! Re help with FORM (PC)
Re: CMOS virus/ answer to questions (PC)
Re: stoned - Monkey (PC)
Unknown Virus?? (PC)
Removing boot sector virus (CANSU/V-Sign) (PC)
Natas Virus ? (PC)
NATAS (PC)
Is Possible eliminate the 1099 (PC)
HELP! How do I fix the B1 virus? (PC)
birdlike chars in windows (PC)
F-Prot Information question (PC)
Mouse ports (PC)
Looking for NLM scanners (PC)
Dr. Solomon Drivers (PC)
What can a virus do ? I need HELP! Please (PC)
NCSA hasn't heard of Viking virus (PC)
FLU-SHOT (PC)
Best form of Virus Protection? (PC)
INFO WANTED: Junkie.Boot virus... (PC)
PC drops out of Windows. Virus? (PC)
Memory scanning (PC)
invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 07 Nov 94 12:44:39 -0500
From: padgett@goat.orl.mmc.com (Padgett 0sirius)
Subject: Re: Internet Staging

aisg@gate.net (Advanced Information Systems Group) writes:

> Is there any software available to scan for viruses as they come
> into an Internet gateway machine?

Many people are concerned about this but the bottom line is that it is an enormously complex operation. Right now the only way this can happen is via file transfer (FTP/Gopher/Mosaic) which can transfer either binaries or ASCII or E-Mail (typ SMTP) which is generally only reliable for ASCII.

The bottom line is that only rarely will a file be transferred as a pure executable - more likely it will be archived. Secondly, the file (unless it is short) is not going to come through in one piece, rather it will be a series of packets that may or may not be interspersed with packets for other destinations or processes on the same platform.

So

1) You are going to have to recognize any time a file comes in (and I just received a rather large .UUE by Telnetting to a remote site, reading my mail there, and opening a "capture" file for the .UUE as it displayed).

2) When you recognize a file coming in, you will have to create a buffer to hold the file until you have the whole thing.

3) You will have to determine what the file is. If UUENCODED, it will have to be decoded.
If ZIPped, it will have to be unzipped and it can be any combination including those for other platforms e.g. TAR for UNIX boxes (and I have received PC files that were TARred or GZIPped) or STUFFIT for Macs or DIET or ARJ or a complete STACed volume image, or TD0 or SENDDISK or ... Just picture a MAC disk with STUFFIT files that was captured on a PC by MACINDOS, GZIPped, UUENCODED and sent.

4) Once the programs are extracted, you will need to figure out what platform the files are intended for (see above).

5) Now you can invoke a scanner for the appropriate platform.

Now 1 & 2 are not too bad and once you get that far, 4 & 5 are straightforward but 3 is a real bear. It *could* be done (and some people may claim to have done so but watch out for the smoke & mirrors).

Of course, if you want to limit your search to the likely suspects (assume only uuencode & zip are used, executables will be named .COM or .EXE, and only consider files for the PC) something can be done. Not much IMHO but something.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.7 Public Key Available

------------------------------

Date: Tue, 08 Nov 94 04:37:49 -0500
From: Zvi Netiv
Subject: Publishing authentication & validation data

Cross-posted from Fidonet.

-=> Quoting Bill Lambdin to Jeff Cook <=-

BL> Here is why I feel that your decision against CHK-SAFE is wrong.
[ ... ]
BL> The A-V developers shouldn't be distributing files in archives to
BL> verify authenticity.
[ ... ]
BL> Who should be distributing messages to verify authenticity of A-V
BL> software?
BL> A: Someone that A-V developers know and send new versions of A-V
BL> software to.
BL> B. Someone that has access to lots of A-V conferences.
[ ... ]
BL> 1. 8+ A-V developers or agents for the developer upload A-V software
BL> to the Metaverse Anti-Virus BBS.
[ ... ]
BL> 2. I post CHK-SAFE values to 10+ networks for users.
[ ... ]
BL> No one is making this information available to the public. So I am.
Jeff,

It seems that Bill, and quite many posters on this echo, misunderstand the legal aspects of publishing authentication data. Let me say that publishing UNAUTHORIZED authentication data is not only wrong, but is also unlawful, according to national and international laws and treaties on copyright.

Authentication data is the legal equivalent of a signature. According to copyright treaties, this right is reserved to the author himself. Publishing unauthorized authenticity data is not only a violation of copyright, but also interferes with authors' freedom and sovereignty on their work. Unauthorized authentication data imposes restrictions on the author, such as the right to freely modify his work. Such published data will imply that perfect and legal material, modified by the author, may be labeled as forged - since it does not fit the "authentication data".

As I understand, Bill Lambdin did not obtain authors' permission to publish his CHK-SAFE data for their programs. It would be unlawful to let him continue the publishing of these values.

For the record: I didn't grant anybody the right to publish whatever _separate_ authentication data for InVircible. All authentication data for IV should be kept attached to the archived package itself.

Best regards,

Zvi Netiv, InVircible

------------------------------

Date: Tue, 08 Nov 94 19:51:22 -0500
From: bradleym@netcom.com (Bradley)
Subject: Re: Netcom distributing Viruses

The Radio Gnome (V2002A@VM.TEMPLE.EDU) wrote:

> >From: olpopeye@ix.netcom.com (Walter Murdock)
> >And guns aren't dangerous. Unless you do something stupid
> >with them.

> Neither are idle viruses. What guarantee can Netcom give us that
> any downloadable viruses will *remain* idle and unmutated?

Netcom takes no responsibility for what is in the /pub area of its FTP site. It's all user run. But I'm sure if they did run it they would take as much responsibility as most FTP sites... NONE.
For all you know that nifty new file you got off of your favorite FTP site is a trojan. And just that happened recently. Did anyone sue the archive?

> OK, I'll try a new tack... how would you feel if Netcom made
> all the long distance touch tone diagnostic, technician and 'coin drop'
> codes available?

> The phone providers have enough trouble with phreakers as is, why
> make it more difficult for them by spreading knowledge that may be
> interesting, but potentially dangerous?

Well, actually I also have some phreak and hack stuff as well. So the chances are fairly good that I have some of that stuff. And if I don't have it, I'd be more than willing to carry it. :)

Netcom has 30,000 users. There are bound to be people that have ideas and interests that others don't like. But Netcom has made it policy to not let people's opinions affect their users. There's even a user with Nazi material that is allowed to stay. I'm sure in an Islamic country he would be dead by now, and in Germany he'd be in jail. But his network access is in America where it's not illegal.

Bradley

- --
bradleym@netcom.com
finger for PGP public key
Hayward, CA

------------------------------

Date: Thu, 10 Nov 94 01:42:24 -0500
From: ncoe7@aol.com (NCOE7)
Subject: Virus Laws

I am looking for sources of information concerning computer virus laws in the United States.

Scott

------------------------------

Date: Thu, 10 Nov 94 06:55:58 -0500
From: Finson Srl
Subject: Newsletters Or Magazines

We are looking for magazines or newsletters worldwide specialised in Virus and Antivirus arguments. Could anybody help us with addresses of publishers?

Thanks a lot!

Massimo Soncini

------------------------------

Date: Fri, 11 Nov 94 00:36:34 -0500
From: jrice@pluto.pomona.claremont.edu
Subject: Viruses via usenet! alt.comp.virus

What is the situation with the group alt.comp.virus? Today I have seen the code of no less than 4 viruses posted in the group, with no signs that this will stop.
How can this be permitted, being, as it is, illegal in quite a few countries? Let's be honest, these people are not researchers....so great, we've got a virus-exchange center in Usenet.

Jeffrey Rice
Virus Protection
Office of Information Technologies
Pomona College

[Moderator's note: alt.comp.virus, an unmoderated USENET group, is in no way affiliated with comp.virus or VIRUS-L. I suggest you ask the folks on alt.comp.virus.]

------------------------------

Date: Tue, 08 Nov 94 20:02:45 -0500
From: Bruce Owens
Subject: Re: Recommendations (?) on OS/2 Scanner/Disinfector (OS/2)

David W. Loveless writes:

>Based on your personal experience can you recommend any particular OS/2 virus
>scanner and/or disinfector?

I've used IBM AntiVirus/2 for OS/2, and it seems to be satisfactory. I think that it will detect but cannot disinfect the Monkey virus, but it does detect and kill a great many others. There's an IBM AntiVirus center, but I don't know the number off the top of my head. You can find it by calling 800-426-3333, I believe.

------------------------------

Date: Wed, 09 Nov 94 16:05:45 -0500
From: fixer@faxcsl.dcrt.nih.gov (Chris Driving in the Rain Tate)
Subject: Hardware trojan horse (Mac)

I don't see this mentioned in the FAQ, and I don't see any articles about it on the newsgroup, so I think I'll bring up the experience I had this past weekend.

Recently I purchased a Macintosh, piecemeal (CPU, monitor, keyboard, CD-ROM drive all separately). I then noticed one day that without any intervention on my part, the phrase "welcome datacomp" appeared in the body of a file I was editing. I did the usual - reboot without any system extensions, etc. - and the problem remained. After a (longish) wait, the words "welcome datacomp" would appear, as though they had been typed on the keyboard. I actually watched this happen.
I consulted with John Norstad, the author of the Macintosh "Disinfectant" antiviral program, and he informed me that yes, he and his team had indeed heard of this problem before. It's a practical joke incorporated into the ROMs of some third-party keyboards. !!

I noticed this purely by chance; I couldn't figure out why I had gotten a confirmation dialog when closing a file that I *knew* I had saved a while earlier. But I can easily imagine the problem going unnoticed, and the spurious text being incorporated into a "final draft" of some important document, with unfortunate consequences, etc. Unlikely, but certainly possible.

My big question at this point is why nobody seems to have documented the problem? My keyboard (since replaced with another brand) was made by a company called "Sicon" - at least, that was the name on the invoice from the store where I purchased it. I couldn't find a manufacturer's name on any part of the actual keyboard, its packing materials, or the enclosed documentation!

Clearly, this brings up a raft of other questions - are all Sicon keyboards affected? Is it one particular batch of ROMs that are "bad," or all of the ones used by Sicon? Did Sicon develop the keyboard's on-board code, or did they license it? If it's licensed, might other brands have the same Trojan Horse embedded within? And so forth...

And what *other* sorts of intelligent peripherals, on what platforms, might be subject to this sort of abuse? Disk controllers? Other Apple Desktop Bus devices, of any description? *Any* add-in card, for any number of platforms? It's bad enough having to worry about software viruses, but how does one approach the problem of having to detect malicious (or even simply "deliberately unreliable") hardware?

- --------------------------------------------------------------------
Christopher Tate            | "I never thought of surgery as 'editing
fixer@faxcsl.dcrt.nih.gov   |  a person' before...."
eWorld: cTate               |       -- Mark Linton (mhl@icf.hrb.com)

------------------------------

Date: Thu, 10 Nov 94 15:30:53 -0500
From: Bert.Martin@UAlberta.CA (Bert Martin)
Subject: Softwindows on PowerMac (PC) (Mac)

Is anyone running SoftWindows 6.22 on a PowerMac 7.12? Do you have it set up with F-PROT 2.14? I have the above configuration and would like to know how you have it set up. I get the feeling I need some fine-tune tweaking cause it just reports (falsely) the MONKEY virus. When I restart the system F-PROT doesn't do anything.

Need any further info? Please ask.

Thanks.

Bert.

=================================
Bert Martin             # BOOT HUMOR:          #
Microsystems            #                      #
University of Alberta   # keyboard error       #
(403)-492-5356          # Press F1 to RESUME   #
=================================

------------------------------

Date: Mon, 07 Nov 94 02:39:42 -0500
From: ehorlait@ee.uts.edu.au (Eric Horlait)
Subject: Virus (?) on PC - new user needing help (PC)

I am a user of PC with Linux. I got a problem that seems to be related with viruses. Here is the description:

When booting (cold start) with a Linux Hard Disk:

Loading Linux....
Uncompressing Linux ....
crc error
- -- system halted

When booting from a Linux Floppy disk, same result.

When booting from an Ms-dos floppy disk:

Starting MS-DOS
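Padgett Peterson's "Internet Staging" message near the top of this issue says step 3 (working out what a captured file is and peeling off every layer of encoding and archiving) is the hard part, and step 4 (sorting the extracted files by target platform) is easy once that is done. The Python below is an added illustration of those two steps, not code from that message or from any VIRUS-L poster; the function names, the depth limit and the constructed sample (a fake .EXE zipped, tarred, gzipped and uuencoded) are all assumptions of this example, and the tar branch needs Python 3.9+ because `tarfile.is_tarfile` only accepts file objects from that version.

```python
import binascii, gzip, io, tarfile, zipfile

MAX_DEPTH = 8  # stop peeling past this many layers and report the leaf as unresolved

def uudecode(text: bytes) -> bytes:  # the 'begin ... end' block of a captured .UUE
    out, inside = bytearray(), False
    for line in text.splitlines():
        if not inside:
            inside = line.startswith(b"begin ")
            continue
        if line.strip() not in (b"end", b"`", b""):
            out += binascii.a2b_uu(line)
    return bytes(out)

def classify(data: bytes) -> str:  # step 4: which platform's scanner gets the leaf
    return "pc-executable" if data[:2] == b"MZ" else "unknown"

def unwrap(data: bytes, chain=(), depth=0):
    """Step 3: peel nested encodings/archives, yielding (container chain, leaf bytes)."""
    if depth > MAX_DEPTH:
        yield chain + ("too-deep",), data
    elif data.lstrip().startswith(b"begin "):
        yield from unwrap(uudecode(data), chain + ("uuencode",), depth + 1)
    elif data[:2] == b"\x1f\x8b":
        yield from unwrap(gzip.decompress(data), chain + ("gzip",), depth + 1)
    elif data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield from unwrap(zf.read(name), chain + ("zip:" + name,), depth + 1)
    elif tarfile.is_tarfile(io.BytesIO(data)):  # file-object form needs Python 3.9+
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for m in filter(tarfile.TarInfo.isfile, tf.getmembers()):
                yield from unwrap(tf.extractfile(m).read(), chain + ("tar:" + m.name,), depth + 1)
    else:
        yield chain, data

def scan_gateway_capture(data: bytes):  # steps 3-5: each leaf, its route in, its scanner
    return [(chain, classify(leaf)) for chain, leaf in unwrap(data)]

def build_sample() -> bytes:  # constructed input: fake .EXE zipped, tarred, gzipped, uuencoded
    exe = b"MZ" + b"\x90" * 50 + b" constructed stand-in, not a real program"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf: zf.writestr("TOOL.EXE", exe)
    info = tarfile.TarInfo("tools.zip"); info.size = len(zbuf.getvalue())
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf: tf.addfile(info, io.BytesIO(zbuf.getvalue()))
    gz = gzip.compress(tbuf.getvalue())
    body = [binascii.b2a_uu(gz[i:i + 45]) for i in range(0, len(gz), 45)]
    return b"".join([b"begin 644 tools.tar.gz\n"] + body + [b"`\nend\n"])
```

Calling `scan_gateway_capture(build_sample())` yields one leaf whose chain reads uuencode, gzip, tar:tools.zip, zip:TOOL.EXE and which is routed to the PC scanner; a capture that exceeds MAX_DEPTH is reported with a "too-deep" marker rather than unpacked further.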