VIRUS-L Digest   Friday, 21 Apr 1995   Volume 8 : Issue 38

Today's Topics:

Re: Unwarranted Litigiousness
Re: Flash ROM virus questions (PC?)
Re: Flash ROM virus questions (PC?)
Re: Anti-CMOS--HELP (PC)
Re: ANTIEXE Virus (PC)
Re: Virstop causing memory problems (?) (PC)
Re: Can this HardDisk be saved? (PC)
Re: Boot Sector Virus from Network? (PC)
SBLANK Boot Sector Virus (PC)
Re: die hard 2 virus - help! (PC)
Re: Teletype virus (PC)
removing Natas (PC)
Trying to figure out if I have a virus... (PC)
Re: Can this HardDisk be saved? (PC)
McAfee - MSD Conflict or Virus (PC)
2KB Virus Found--Need Help (PC)
Anti CMOS virus cleaner (PC)
Jack the Ripper (PC)
Warning NEW Virus (PC)
Win-32-bit access (PC)
Best AV Product (PC)
Re: Is Anti CMOS a virus? (PC)
AntiCMOS Virus Answers (PC)
Re: Strange Request (PC)
Need help with NATAS! (PC)
MS Antivirus for windows (PC)
Mail Spooler detected virus (PC)
HELP: Need info on 5 viruses... (PC)
Hard Drive Virus/Crash/No C:/Pissed (PC)
Re: Virus damage hype (PC)
Ripper Virus (PC)
RE: Beaches virus (PC)
RE: "_1099" virus (PC)
Re: Is this a virus? (PC)
AntiCMOS Cleaner ?? (PC)
Re: "_1099" virus (PC)
Re: How to remove Filler virus? (PC)
Re: French boot is Russian (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 11 Apr 95 21:41:14 -0400
From: emd@access2.digex.net (EMD Enterprises)
Subject: Re: Unwarranted Litigiousness

Mike_Muth_at_fra__post@eur_smtp.europe.dla.mil wrote:

: Mark Mottershead writes:
: > Vesselin Bontchev writes:
:
: >>The last sentence in the paragraph quoted above is provably false. I
: >>have looked at your product and it is not much different than any of
: >>the other hardware behaviour blockers on the market. In fact, it is
: >>rather worse than some of them. It fails to detect even some of the
:
: >I refer to the message posted by you in this forum. Firstly a full answer
: >will be posted on this forum shortly. Secondly, we are taking legal advice
: >as to your comments and actions taken in this light will be directed to
: >you at the University or to your next location when you leave later this
: >year. I feel very strongly about your comments and virtually all of them
: >are "FALSE".
:
: >For other readers of this thread please ensure you read our response that
: >will be sent shortly.
:
: I have never tried or even seen your product. Thus, I am unable to comment
: on the claims made for it or on Vesselin Bontchev's statements.
: You are free to refute his statements. Based on what I have seen in
: several years of reading this forum, I feel confident that our moderator
: will not stop you from doing so. Indeed, you have promised just such a
: response in your second paragraph.
: However, I find the first paragraph of your response (quoted above) to be
: reprehensible. As I understand it, this forum is for the free exchange of
: ideas and information between those who are concerned with defending
: against malicious software. Each of us is free to express and defend his
: opinion.
: IMHO your response can only work to curtail this free exchange.
: It seems to me that your statements are intended to intimidate those who
: would criticize your product. As I read your first paragraph, it appears
: to me that you are considering (or threatening) actions to effectively end
: Mr. Bontchev's career. Indeed the statements you have made have the
: potential to do just that in and of themselves.
: While Mr. Bontchev's statements would certainly have made me look carefully
: before buying your product, your over-reaction has had a much more drastic
: effect. I will not ever buy any products offered by or for your company,
: no matter how effective they may be. I will not even accept your products
: free of charge from any source. In any job I may have, now or in the
: future, if my employer considers buying any of your products, I will
: recommend against that action. And, I will always cite your actions here
: as my reason. IMHO there is no room in a free market system for companies
: which seek to improve or protect their market position through legal action
: (or threats of legal action).
: Mike Muth
: My opinions are mine alone and do not reflect my employer's opinions or
: policies.

I felt that we needed to respond to this posting as the comments directly concern our products. (MIS Europe is one of the key distributors of EMD Enterprises' product line.)

It is important to understand the reasons behind the original comments of Mr. Mark Mottershead, the director of MIS Europe. Some time back in this forum Vesselin Bontchev, a virus researcher at the University of Hamburg, made certain negative remarks about EMD Armor Plus, our flagship anti-virus/security product. He claimed that he had examined the product and found a number of problems with it.
However, we were able to establish that at the time when he wrote those comments, he had not even seen the product - Vesselin's comments were simply based on what he felt the problems MIGHT BE with EMD Armor Plus (Vesselin has not contradicted us on this point). I do not wish to elaborate further on this episode. For the full story interested readers can read the thread "Need help selecting virus softwares" in comp.virus, or see our rebuttal to Vesselin Bontchev's posting in vol 8 issue 29 of the Virus-L digest.

MIS Europe's strong response was a reaction to Vesselin Bontchev's posting. Their, as well as EMD Enterprises', annoyance at Vesselin was not so much for his comments, but more for his false claim that his comments about EMD Armor Plus were based on his examination of the product. Our mutual feeling was that while Vesselin Bontchev no doubt was entitled to his own opinion, we needed to respond strongly to prevent him from spreading further false propaganda about our product.

However, we will admit that perhaps MIS Europe's original posting was not very clear about the reason for our displeasure with Vesselin Bontchev. It may have given the impression that MIS Europe is considering legal action simply because Vesselin Bontchev made certain negative comments regarding our product, while in reality the thought of legal action came up only as a way of stopping Vesselin Bontchev from making public claims that he had examined the product.

Internet newsgroups are a wonderful place for free and frank exchange of ideas. Disagreements about technical viewpoints are perfectly normal, and we certainly have no intention of suppressing any critical opinion, even if it is hurtful to our commercial interests. In the case of Vesselin Bontchev and the University of Hamburg, all we are asking is that our product be given a fair trial before any sweeping judgment is passed.

Sujoy Deb, Ph.D.
Director
EMD Enterprises
** Developers of EMD Armor Plus, the generic solution to computer viruses **
606 Baltimore Ave, Suite 205, Towson, MD 21204, U.S.A.
Phone: (410) 583-1575 ext. 4624   Email: emd@access.digex.net
(800) 8989-EMD
24 hour fax-back: (410) 583-1575 ext 4, select document 1015 for EMD Armor Plus

------------------------------

Date: Thu, 13 Apr 95 10:27:27 -0400
From: "Ken Kriesel, Physical Sciences Lab, UW-Madison"
Subject: Re: Flash ROM virus questions (PC?)

Poon Jacob Tin Hang wrote:
>
> Recently many motherboards use flash ROM BIOS so that they can be
> upgraded via software. My questions are:
>
> Will a virus attack flash ROM BIOS the way it attacks disks? In other
> words, are they safe from viruses?

If a piece of software can be purchased to do beneficial modifications of flash bios (and it can; Phoenix bios upgrades are available this way for example) then software can also be written to do destructive modifications using the same hardware features. None have been identified yet, but then since it would load before even adapter-based firmware antivirus code, much less disk-based antivirus software, it may be mighty tough to detect and defend against.

To be stealthy, all bios functions would have to be preserved well enough during the flash virus operation that it would be transparent to the user. Then again, a virus could just erase your bios and write HAHA, GOTCHA to the screen, which would not require much sophistication at all, and render the machine useless immediately; you'd have to crack the case, set jumpers for bios reprogram, and beg or buy a copy of your missing bios.

I prefer ROM bios because if you do an upgrade and need a retreat, you just pop the old chips back in. At least some flash bios vendors withhold the information on how to reverse the upgrade, and put your old bios code out to a single floppy during the upgrade. Flash bios is definitely a double-edged sword.

>
> Are there any viruses available that attack flash ROMs?
>
> Are there any products that can detect and/or remove flash ROM viruses?
>

This will require integrity checks of the BIOS be securely recorded and compared, for detection of changes. This is a new feature, which some products lack currently.

Ken

> Thanks in advance.
>

------------------------------

Date: Thu, 13 Apr 95 14:31:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Flash ROM virus questions (PC?)

Poon Jacob Tin Hang (a148poon@cdf.toronto.edu) writes:

> Will a virus attack flash ROM BIOS the way it attacks disks?

No. It will have to find a different way.

> In other
> words, are they safe from viruses?

Depends on how the write to the Flash memory is implemented. If it requires the user to set some physical jumper, then no virus will be able to touch it. If it is implemented entirely in software, then a virus would write to it too.

> Are there any viruses available that attack flash ROMs?

Yes. I know of one such virus - it's a boot sector infector and attempts to attack the AMI Flash BIOSes. According to my tests - unsuccessfully.

> Are there any products that can detect and/or remove flash ROM viruses?

No. I have yet to see an infected Flash ROM. If such infectable ROMs become popular, then it will pose quite a problem to fix them. It will have to be done with the virus active in memory - because you won't be able to "boot clean" from a floppy. Not an impossible task, but I don't envy the person who will have to rely on it being properly done.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.       Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 17:59:12 -0400
From: tdi@tulsa.com (Kent Mitchell)
Subject: Re: Anti-CMOS--HELP (PC)

"yang (y.) cheng" says:
>Mark Wilhelm wrote:
>>I've detected this virus several times on laptops that I work with. My
>>question is, if not detected in time will it get to a point where it won't let
>>you boot from the hard nor the floppy drive? I've been running into this
>>situation a lot lately, and of course I can't tell if it's Anti-CMOS that's
>>doing it, since I can't access the hard drive or the "Setup" info. If it
>>gets this far, what can be done short of a service rep? Any help would be
>>greatly appreciated.

I had this problem with an Anti-cmos-A virus. I believe it is probably the same thing. The way I solved it was to:

1. Boot off a clean bootable floppy with the same version of DOS as on my system.
2. Change directory to c:\dos
3. Type fdisk /mbr. This rebuilds the master boot record and gets rid of the boot sector virus.

I haven't been able to get it off of floppies other than doing an unconditional format. I hope this helps.

Kent Mitchell

------------------------------

Date: Tue, 11 Apr 95 19:51:51 -0400
From: gtaylor@io.org (Gordon Taylor)
Subject: Re: ANTIEXE Virus (PC)

Martin Ravell wrote:
>Can anybody help me with information on getting rid of the
>ANTIEXE virus? McAfee Scan tells me it is there but does
>not have a way of removing it. Clean117 doesn't seem to
>want to know about it.

The only way I've ever found of getting rid of this virus is by deleting the infected files. The files, from what I understand, are unfixable because the virus REPLACES some of the existing code. Since the original code is destroyed, there is no way of knowing what it was, making it irreplaceable. If someone else finds a way to actually clean it, I'd love to hear of it.

'Til later
Gord

------------------------------

Date: Tue, 11 Apr 95 23:50:35 -0400
From: Raul Quintanilla
Subject: Re: Virstop causing memory problems (?) (PC)

johnm@corbis.com (John Mollman) wrote:
>
> machines have become extremely unstable since having Virstop installed
> on them.
> Most machines seem to run out of memory and freeze with what

If your workstations have Smartdrive installed, UNinstall it. It might help.

Best Regards - Raul

------------------------------

Date: Tue, 11 Apr 95 23:59:14 -0400
From: Raul Quintanilla
Subject: Re: Can this HardDisk be saved? (PC)

fbax@bosshog.arts.uwo.ca (Frank Bax) wrote:
>
>
> Several posts have mentioned fdisk /mbr - with the assumption that
> readers would know what's going on; my system has no doc on this
> option to fdisk. What exactly does it do?
>

If you have Monkey virus don't use fdisk /mbr because Monkey overwrites the MBR and you'll lose it for good (almost for good). Your best choice is to use F-Prot or if "an accident" happens, like the one you mention (quite a friend you have), then use the Killmonk program available on many BBSs all around the globe.

Best Regards - Raul

------------------------------

Date: Wed, 12 Apr 95 01:35:24 -0400
From: sbringer@netcom.com (Scott B. Ringer)
Subject: Re: Boot Sector Virus from Network? (PC)

Joseph D. Tatum (JDTatum@lanmail.rmc.com) wrote:
: Is it possible to get a boot sector virus from a file downloaded from a
: network
: or from a file that is included as an attachment to Email?
: Joe Tatum jdtatum@lanmail.rmc.com
: Reynolds Metals Company

Not possible if you are dealing with the virus in pure form, unless it is a multipartite (i.e. infects files and bootsectors/mbrs) such as Tequila or Natas. Now, a loader program or "dropper" could be written such that when run, a virus was either placed into memory or put on a disk, but that would be an additional outside attack.

Stormbringer, Phalcon/SKISM

------------------------------

Date: Wed, 12 Apr 95 02:21:08 -0400
From: lutey@nevada.edu (Darrell Lutey)
Subject: SBLANK Boot Sector Virus (PC)

Haven't seen this one before. Someone booted a machine with a floppy in it. Tried to reboot the machine and it got stuck loading EMM386.exe.
Ran F-Prot and it says the machine has the SBLANK boot sector virus and couldn't get rid of it on the hard drive; however, it can remove it from floppies. Tried booting off of a clean system diskette; however, I cannot read drive C: when I boot from a clean diskette. Have had experiences with the empire.monkey virus, and was able to get rid of that virus without many difficulties off the hard drive. Anyone seen this one yet? Any suggestions?

------------------------------

Date: Wed, 12 Apr 95 08:19:51 +0000
From: cherbu@cui.unige.ch (Michel Cherbuliez)
Subject: Re: die hard 2 virus - help! (PC)

knoxcj@elec.canterbury.ac.nz (c.j. knox) says:
>I have a computer here that is infected with the die hard 2 virus.
>Neither F-Prot 2.15 nor McAfee scan (dunno what version - not
>expired yet) have been able to remove it. How can I get rid of the
>virus apart from "format c: /u", since the backups are probably
>infected as well. In other words - HELP!

Try F-Prot 2.16, I guess this version is able to remove Die Hard 2.

hope this helps !

Mike

- -------------------------------------------------------------
Michel Cherbuliez                   email: cherbu@cui.unige.ch
University of Geneva                Switzerland
- -------------------------------------------------------------

------------------------------

Date: Wed, 12 Apr 95 04:37:15 -0400
From: Mikko Hypponen
Subject: Re: Teletype virus (PC)

Don Di Tomasso (dond@ix.netcom.com) wrote:
> Has anyone heard of Teletype virus. It only appeared on computer
> with PC Central Point for Windows virus protection software.

You probably have a false alarm. The following information is taken from the document "Frequently Answered Questions Document for Central Point AntiVirus and Microsoft Anti-Virus. FAQ Version 2.0", which is available from ftp.symantec.com:

3.b VSafe says the Teletype virus is present on a floppy disk.

The Teletype virus is a false positive virus alarm. The Teletype virus does not exist.
The floppy disk needs to be reformatted with a later version of DOS than is on it now. The only time this message will appear is when a floppy disk that was formatted with a very early version of DOS is accessed while VSafe is loaded. Simply copy the files on the floppy disk to a directory on the hard drive and type FORMAT A: or B: and press Enter. After the format is done copy the files back to the floppy disk.

- --
Mikko Hermanni Hyppönen // mikko.hypponen@datafellows.fi
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW; http://www.datafellows.fi

------------------------------

Date: Wed, 12 Apr 95 05:17:09 -0400
From: "A.Appleyard"
Subject: removing Natas (PC)

The VET that we have deletes Natas-infected files instead of cleaning them. That is a nuisance, because I then have to restore the files. The McAfee SCAN that we have, on finding a NATAS-infected file, shies at it and leaves it alone. That is a nuisance and a treacherous danger, as NATAS can corrupt directory trees. When will VET and SCAN (or any other antiviral) remove NATAS from files properly????

------------------------------

Date: Wed, 12 Apr 95 05:32:45 -0400
From: michael@karlsberg.usask.ca (Michael Craggs)
Subject: Trying to figure out if I have a virus... (PC)

I have recently encountered a very odd problem and suspect it may be a virus. I have downloaded the latest copies of F-Prot and McAfee and scanned, and nothing has turned up. However, whenever I exit Windows, my disk drive accesses for approximately 2 minutes. I tried removing smartdrv, the swap file, wiping clean win.ini and system.ini and also scanning and defragmenting the hard drive, but nothing seems to affect it.

I have the Seagate 3550A IDE drive (yes, I know of its problems with crashing, but have never heard of it causing these symptoms), a QD6580 VL IDE card on a standard OPTI chipset motherboard.

Hardware ideas? Software ideas? Virus suggestions?
Any assistance would be appreciated, as this is a complete mystery to me.

- --
- ----------------------------------------------------------------------------
| Michael Craggs                340 Ave. Q. South              Saskatoon, SK |
| Phone: (306) 382-5995         Fax: (306) 382-4995            CANADA        |
| Micwil Computer Consulting    A Cacophony of Music                         |
| E-mail address: michael@karlsberg.usask.ca                                 |
| * Certified Buyer and Seller of New and Used Computer Systems              |
|   and Parts. Give me a call and "Let's Make a Deal" *                      |
============================================================================

------------------------------

Date: Wed, 12 Apr 95 07:54:39 -0400
From: swidlake@rl.ac.uk (S Widlake)
Subject: Re: Can this HardDisk be saved? (PC)

In short, Yes, probably.

fbax@bosshog.arts.uwo.ca (Frank Bax) writes:
>A friend asked me to look at two computers which he said were infected
>with Monkey virus. The first machine he cleaned with F-PROT and
>needed help with installing VIRSTOP. He said that F-PROT reported the
>virus in several EXE files on the second system. I understand this is
>a boot sector virus, which means he shouldn't find it in an EXE, but
>anyway ... He said he tried to "LOOK" at the file before deleting it
>and accidentally RAN the program. Now the system does not boot from
>hard drive. When I boot from a clean floppy and enter c: the system
>responds with "invalid drive specification". When I run fdisk from this
>floppy, and ask to display info about hard disk, the first line
>indicates a non-DOS partition. The screen is somewhat garbled over
>the next few lines but SEEMS to indicate 3 other partitions.

Monkey is an MBR - BOOT sector infector and shouldn't be found in any .EXE files (so he must have meant something else). Anyway how the hard drive got into such a state doesn't really matter right now, you just want to know what's wrong and get it fixed...

It looks like the monkey virus which has taken the place of the MBR has somehow got corrupted.
Normally, the virus gets control of the system when booting from the hard drive and then passes control to an encrypted good copy of the MBR which has been moved to an "unusual" location. Since the virus has been corrupted, it can't do this and the PC won't boot. I wouldn't expect the PC to recognise the hard drive on booting from floppy because the disk's partition table isn't where it should be and can't be properly read.

What you need is a good copy of your partition table either from a "mirror /partn" backup or anti-virus "rescue" disk that you've already got (one from a non-identical hard disk will not do!) or you need to re-build the partition table from scratch. If any of these options are open to you then go for it, but be careful - how important is the data on the drive and why haven't you got copies? If you have got good, recent backups just FDisk, Format and Restore the whole lot - but you haven't, have you? - Don't take this personally, it's just that few people ever seem to have good, recent backups ;-(

If none of these options are available then you could try to get the good information out of the copy of the MBR that the virus has encrypted and moved... to do this you need to fix the virus that has become corrupted so that it can de-crypt the good MBR and give you back your partition table information.

Now this is going to get interesting - prepare a new/fresh PC ready for infection, yes that's right, infection. Put a monkey infected disk - you've probably got loads of them - into the boot drive and power up. When it's completed that, power down. Then reboot this system from a known clean write-protected system disk, of the same type of DOS that is on, or was used to create, the DOS partition volume on the hard drive. "Dir C:" Can you access the C: drive? NO! Excellent... successful infection.
Next take your favourite disk sector editor and take a copy of Cylinder 0, Head 0, Sector 0 - the "MBR", actually the virus, and then restore it to the very same sector on the first non-functional PC and then try to boot it from the hard drive... It might even work. Now, you've just got two PCs to disinfect, and that's easy ;-)

>Is it possible to recover from this? If so, how do I proceed?

Up a bit.

>Several posts have mentioned fdisk /mbr - with the assumption that
>readers would know what's going on; my system has no doc on this
>option to fdisk. What exactly does it do?

This is exactly the type of damage that FDisk /MBR can do to an infected PC, if the Partition Table has been moved then you can "wave bye, bye" to your data.

*** If you can NOT "DIR C:" correctly *** DON'T FDisk /MBR ***

S.

- --
sig II Still Under Construction ...

------------------------------

Date: Wed, 12 Apr 95 10:02:58 -0400
From: Steven Kemp
Subject: McAfee - MSD Conflict or Virus (PC)

We recently had a call from a user who had tried to run MSD on an NCR 3215e PC. On running MSD, McAfee's Vshield (v117 - previously loaded in autoexec on boot up) kicked in and reported that COMMAND.COM was infected with the 621 virus. On checking we found that one of the activation dates of the 621 virus was 4th April. Coincidentally this problem appeared on 4/4/95.

We scanned the disk using McAfee's scan 117 and 2.16, neither of which reported any infection. We also tried F-Prot 2.16d which again did not report any infection. We also scanned a number of most recently used floppies but failed to find any infection with the 3 scanners used. Also as Vshield was loaded in the autoexec.bat file and did not report any problem when booting up we suspect that there might be a conflict in this case. We have successfully run MSD with Vshield on many other occasions on other machines.

Has anyone got any ideas on this one?
TIA

Steve Kemp

------------------------------

Date: Wed, 12 Apr 95 10:38:20 -0400
From: danwelty@ix.netcom.com (Dan Welty)
Subject: 2KB Virus Found--Need Help (PC)

St. Louis office of Interep Radio Store is having problems disinfecting 2KB virus. Running Novell 3.11 on 486-based server, 12 DOS/Windows workstations. Can't get workstation hard-disks reformatted, think virus still infecting. Suggestions?

------------------------------

Date: Wed, 12 Apr 95 10:51:19 -0400
From: idkajai@singnet.com.sg (Zule)
Subject: Anti CMOS virus cleaner (PC)

hi there,

which antivirus software to use against this virus and where can i get it ? (by FTP)

- -thanx

------------------------------

Date: Wed, 12 Apr 95 11:25:10 -0400
From: "D.J.E Nunn"
Subject: Jack the Ripper (PC)

A friend's PC has become infected with the Jack the Ripper [Genb]. I understand it's a boot sector virus. F-Prot claims to be able to remove it, but can anyone confirm this? Can McAfee's clean also remove it?

Thanks,
Douglas Nunn

------------------------------

Date: Wed, 12 Apr 95 12:00:43 -0400
From: Martin Overton
Subject: Warning NEW Virus (PC)

I would like to post the following warning. A new virus has been discovered in the UK. It was passed to me for analysis by one of the infected sites.

Details known to date:
- ---------------------
The virus changes file sizes (.EXE only) by 1376 Bytes.
It is encrypted with a variable key.
It has anti-heuristic code (TBAV & F-Prot heuristics are unable to detect it)
It is memory resident.
It will NOT infect .EXE files larger than 300kb (Most AV software is larger!)
It may randomly overwrite sectors on the HD
It is believed that it was created using VirLab 1.01 (this has not yet been confirmed)
No stealth capabilities noted

Tests:
- -----
A sample infected file was scanned with the following products:

Dr Solomons AVTK Version 7.00
ThunderByte Version 6.32
McAfee SCAN Version 2.2.0
F-Prot Version 2.17

NONE of the scanners used could detect the virus.
Infections Known to date:
- ------------------------
Three systems in the UK

It is believed to have arrived from a BBS in Germany attached to a utility. (source: One of the infected sites) If the above is true it may be 'in the wild' in Germany also.

The message in Virus-L Digest #32 from Theo Savidas appears to indicate the same virus is 'in the wild' in Sweden (.SE?)

Detection:
- ---------
The virus has been disassembled and the following search pattern has been selected. This pattern appears to be solid as no false alarms have been seen.

I would like to suggest the following 'temporary' name until a CARO name has been agreed:

Name = VLab.1376

This virus is detected/trapped by the following products:

ChekMate 1.05c (Available from the SimTel mirrors as CM8105C.ZIP in the /msdos/virus directory) (ChekMate is FREE for personal use)

DiskNet (TM) from Reflex Magnetics, England (Author Dr. David Aubrey-Jones)

Both of these products use 'Generic' virus detection routines, and are designed to be used with existing virus scanners.

Search String:
- -------------
81 2E 15 00 07 14 81 2E 17 00 13 05 8A 26 0C 00

This search string was extracted by Dr. David Aubrey-Jones of Reflex Magnetics (+44 171 372 6666)

Samples:
- -------
A sample of this virus is being sent to Dr. Alan Solomon (S&S), Fridrik Skulason (FRISK), Vesselin Bontchev (VTC, University of Hamburg), Frans Veldman (ESaSS).

No requests for a sample will be answered.

Further details will be posted as they become available.

Regards,

Martin Overton.

- --
+==========================+==========================+===============+
| Martin Overton,          | Internet                 |"Beam me up ...|
| PC Technical Specialist  | martin@salig.demon.co.uk | er..Sooty???" |
|                          | OR                       |               |
| Tel: +44 (1403) 232937   | gbsalmgo@ibmmail.com     |               |
|--------------------------+--------------------------+---------------|
| .oO: PGP 2.6 PUBLIC Key Available Upon Request :Oo.
                                                                      |
+=====================================================================+

------------------------------

Date: Wed, 12 Apr 95 16:06:28 -0400
From: naoh@yvax.byu.edu
Subject: Win-32-bit access (PC)

There are many, many viruses that mess up windows' 32-bit disk access. So you really can't tell what virus you have just because it is messed up. I know that Zhariznov (sp?) also messes it up. So do a few others.

NaOH

------------------------------

Date: Wed, 12 Apr 95 17:14:54 -0400
From: naoh@yvax.byu.edu
Subject: Best AV Product (PC)

I've been doing some experimenting recently to try to determine which antivirus products are the best. And I've come up with the following conclusions. These opinions are mine and mine alone. I don't work for any AV companies, etc.

Thunderbyte V. 6.30. Works great. It caught most of them, even the polymorphic ones. (I was using maximum heuristic scans, and it usually catches the following symptoms: Encryption, code that is usually generated by polymorphic viruses, and codes that aren't usually used on a 386-486.) It did have several false alarms. (Some from my sound card files, and some from Civilization.) It will even attempt to clean viruses that it doesn't recognize. That's very useful for new viruses that don't have fixes out yet. Also, it creates chksums to determine if your files have changed, which is another real advantage. I forget how much it costs. (It's shareware.) Oh, and you can also set it to "immunize" your disks, so that when you boot up, it will do a CRC check of the bootsector, and tell you if it has changed. It will also do a check to see if INT 13 is like it should be. (If a virus changes that, then many AV products are useless.) There are also other modules that you can run that will protect disks from being written to, protect you from running files that are infected or that have no CHKSUMS, etc. Good product.

The next best is F-Prot V. 2.17.
It catches many viruses, although it won't even try to clean any that are not exactly known. (Any variants, etc.) It missed the polymorphic ones, though. (But it probably detects most of the known common ones.) I also like the program VIRSTOP. It will detect boot sector viruses, and other _known_ viruses when they are run, and will deny access to that file. The only problem is that it only detects known ones, and I don't think it will detect any polymorphic ones, because that would take too much code, and slow it down greatly. But for most common viruses, it does well. Plus, it's free for personal use! Definitely a program worth getting, especially since it's free!! Plus, it will detect many viruses that are running in memory, and I don't think that TBYTE will.

I have also tried Invircible 6.01B. I like the "Boot-spoofing" technology that it uses. It seems to catch many stealth viruses that way. It will also check the boot sector/partition table and how much RAM is available. (All things that viruses change.) I think it is good as an integrity checker. But I don't really like it as a scanner. And you have to register to use most of the functions, so I don't know how well they work.

I also tried McAfee SCAN 2.2.0. It's also a good program, but I don't like it as much as TBYTE or F-Prot. It will catch many viruses, but it also misses many. And I don't like the format that it uses. (Although there is a windows version that looked neat.) It displays too much text on the screen, and consequently it is easy to miss what it says, unless you use the |more command. It is also shareware.

In summary, if you want a good program for free, get F-Prot. If you're going to purchase one, then I would recommend Thunderbyte. TByte seems to work the best overall. But they really need to incorporate something to scan memory for viruses, and also a way to scan the drive once a day on boot up. (And not more than once a day. That's one good thing about Invircible.)
I would be happy to test out any other AV products, if anyone has one to recommend.

NaOH

------------------------------

Date: Wed, 12 Apr 95 17:25:44 -0400
From: Chris Christenson
Subject: Re: Is Anti CMOS a virus? (PC)

I have seen this virus in action. It will not damage any files "as far as I know!". However, it causes problems with systems because it changes CMOS settings. For example, I have run into machines that say there is no C: drive. Also, memory errors because the CMOS reports less memory than there actually is.

Chris Christenson

------------------------------

Date: Wed, 12 Apr 95 17:31:27 -0400
From: Chris Christenson
Subject: AntiCMOS Virus Answers (PC)

For all of you who have been hit by the Pain in the *** AntiCmos virus: there is a company called Digital Dispatch that puts out virus software that will remove this thing. Their number is 602-423-8000. The product is Virus Hunt. It is better than most I have seen because not only does it detect the viruses, but it also knows how to remove them.

Chris Christenson

------------------------------

Date: Wed, 12 Apr 95 17:58:38 -0400
From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty)
Subject: Re: Strange Request (PC)

Dylan J. Greene wrote:

)I've been asked if there are any anon ftp sites where a user could download/upload viruses. My first feelings were "I hope not!" but then I thought about the many virus protection developers. How do they get samples of the latest viruses?
)
)Stemming off the first question is this one: Is there such a thing as a virus that is not harmful (aka possibly helpful)? What if a TSR was implemented as a virus, such as antivirus software that could "spread" causing any program it came in contact with to possess the ability to know if it had a virus before executing (or modified in suspicious ways).
)
)Thanks for any insight.

This is a topic which has been debated ad infinitum here.
There seem to be 4 schools of thought:

    viruses can be good, and can do things nothing else can do
    viruses can be good, but whatever they do can be done better otherwise
    all real viruses are always bad
    all viruses are always bad

Along with the "who cares?" group.

Each time this thread has been opened (in my experience) it eventually degenerates into

    "viruses are TOO good"
    "viruses are NOT good"

spoken ever more loudly and angrily until they become

    "anyone who designs/writes viruses is a slimeball"
    "anyone who says virus writers are slimeballs are sons of slimeballs"

And after about another 500 messages of this, it peters out. That is, of course, until someone like you raises the question again.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 12 Apr 95 18:46:08 -0400
From: JYCW25B@prodigy.com (Dosdevil Mackenzie)
Subject: Need help with NATAS! (PC)

Recently at school I put several viruses on an old PS/2 IBM. The viruses I ran were PLAGUE, PHOENIX, NATAS, THOR. The yucky part is however that my teacher found out and is forcing me to take it off. I'm stumped. The real problem seems to be NATAS. I can't boot from the hard drive, and no utilities can seem to get rid of it. I've already tried formatting, wiping the drive, and have considered unplugging the battery. Also, today I came in to work on it and C drive was screwed. Somehow the virus had set the drive to have a "non-DOS partition". I tried using CHKDSK (I was desperate), but it said there was an error in the FAT. I know what that is, but how do I fix it? If I buy a new drive, will that take care of it? By the way, I've been using disks to boot up from and originally used them to install software. Even if they were WP, could the virus still be on them?

-Any help is great.

P.S.
If I try USING the C drive, I get a "Not ready reading drive C"

------------------------------

Date: Wed, 12 Apr 95 19:10:44 -0400
From: bv854@freenet.carleton.ca (Joe Amelia)
Subject: MS Antivirus for windows (PC)

How can I get an upgrade for MS AntiVirus for Windows, and what do I do with it?

------------------------------

Date: Wed, 12 Apr 95 20:35:38 -0400
From: byng@technet.sg (Ng Bee Yong)
Subject: Mail Spooler detected virus (PC)

I encountered the following message on my networked PC (connected to Novell NetWare 4):

    Mail Spooler has detected a virus problem in a .dll
    Restall from a clean copy of ...

I have run a number of anti-virus programs on the entire server and cannot detect anything. I believe it is a false alarm from Microsoft Mail. Has anyone encountered the above before?

Thanks.

------------------------------

Date: Wed, 12 Apr 95 22:41:28 -0400
From: mosh@eng.umd.edu (Mosh)
Subject: HELP: Need info on 5 viruses... (PC)

Hi there,

I don't normally frequent this newsgroup, but a situation arose, recently, that led me to post this message. So, to those that I offend, sorry. And to those that will help, thanks and please send responses to my email address below.

The high school that I teach at just "came down" with 5 viruses on its student network, and I was looking for some info on these viruses:

    Stealth B
    Backform-16 (?)
    NYB (?)
    HLLD-4032.B-8 (?)
    Ripper-15

As you can see I'm not sure about some of the names, but that's what I've got. We cleaned off the viruses using a combo of NAV and f-prot, but the real question is this. Can viruses damage hardware, as well as software? 'Cause we now seem to be having some problems with some hardware (RAM and hard drives).
Any help is greatly appreciated,

Mosh

[ASCII-art signature, captioned "THE DEFINITION OF MISCHIEF"]
mosh@eng.umd.edu

------------------------------

Date: Thu, 13 Apr 95 00:03:07 -0400
From: oracle@lava.net (informix)
Subject: Hard Drive Virus/Crash/No C:/Pissed (PC)

i seem to have been the lucky recipient of some neat piece of viral code that makes my computer think that c:\ is a 1.2 meg floppy and i now get invalid media type c: errors... the last thing i did before this happened was to try to install the desqview 2.7 i just bought... it went through all the way to optimize and after putting in the quickboot option that's when the system first gave me invalid command interpreter... it was pretty obvious to me that the quickboot option of the new qemm modifies the boot sector in some way but i doubt it would screw up my system this bad... i think it's a virus... c: thinks it's a floppy... if anyone has any clue or a way that i can fix this i would be stoked... i've tried all the programs i could get my hands on but nothing will recognize c:  i'd really hate to format this stuff as there are a few things i failed to backup... my last set of backups is a month old... somebody help me...

Ron!
informix

------------------------------

Date: Thu, 13 Apr 95 13:37:01 +0200
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus damage hype (PC)

Zvi Netiv (netz@actcom.co.il) writes:

> FV> Once a virus has been executed on your machine, the reliability of your data is compromised. Period.

> The above statement implies that data could be changed in result of a virus attack. If it was true, then computing could be in serious trouble. Fortunately for you, Frans Veldman's statement, above, does not reflect the reality at all.

WOW!!!
Silly me, after all my seven years of field experience with computer viruses I had the (obviously wrong) impression that some computer viruses can be HIGHLY DESTRUCTIVE to the user's data.

> Although a virus in your computer is not a pleasant encounter, the damage common viruses do (I am not talking collection items, like the ones discussed in this echo, but real, common and widespread ones - like Stoned, Jerusalem, Junkie, Natas, NYB, AntiExe, Monkey and just a handful more) doesn't affect data at all.

Mr. Netiv, have you actually disassembled and analysed the viruses you are talking about? Let's consider your own examples.

Jerusalem. There are dozens of variants - some destructive, some not - but let's consider the plain, original, common Jerusalem.1803.Standard.A. On Friday 13th it deletes every file that the user attempts to execute. I thought that everybody knew that. Obviously not Mr. Netiv. Or, maybe Mr. Netiv does not consider the deletion of your files as "damage"? Quite possible, because his very own software that he distributes under the disguise of "anti-virus programs" does exactly this!

AntiEXE. Looks for the execution of an EXE file with a particular header and prevents it from running. Oh, I guess, that's not damage either.

Natas. Overwrites your hard disk at boot time with a probability of 1/512. Isn't that "damage to your data", Mr. Netiv? Is there anybody besides me who thinks that it is?

But let's take a look at some other common viruses, shall we?

Michelangelo. Who has not heard of Michelangelo? Is there someone who doesn't know what this virus does on March 6? For those people, let me remind you: it overwrites the first up to 17 sectors of the first up to 4 heads of the first up to 256 tracks of the infected disk you have booted from. Isn't that "damage to your data"? Does Mr. Netiv volunteer to repair this "no damage" for the users who have been hit by this particular virus about a month ago?
According to the reports, there were thousands of them just in South Africa alone!

Ripper. A rather common virus - if someone does not believe me, they need just to browse the archives of Virus-L/comp.virus and count the number of messages in which the users are asking about it. Mr. Netiv, do you know what this virus does? This Bulgarian virus is a data diddler - it means that it slowly and unnoticeably corrupts your data - and when you notice that something is wrong, it is usually too late - because the corrupted data is already on your backups and because you have no way to determine what part of it is corrupted and what is not. Isn't this "damage to your data", Mr. Netiv? I think that it is - and I don't think that I am alone in thinking so.

> An intelligent user should be able to distinguish between propaganda and facts.

True. But this requires some specialized knowledge, which most users do not have - otherwise they would be immediately able to notice *your* propaganda.

> Veldman's statement above is propaganda and it has an obvious purpose: to scare, and to encourage you to `protect' yourself from such a gloomy possibility.

Veldman's statement is perfectly true. It is your outrageous statement which I think is meant as propaganda. Or maybe you are saying this because your anti-virus product does not provide the user with means to detect damage to their data, let alone to protect their data from damage?

> I am saying that neither Frans' claim is true, nor can his product protect you from such eventuality, even if it was

I am not going to comment on how well his product protects from such an eventuality, but his claim *is* true - and I listed some samples above; even used some of your own. Mr. Netiv, I really thought that you knew more about computer viruses.
> The real damage from computer viruses isn't in direct destruction of programs or data (that's deliberately promoted hype),

Indeed, most damages are not due to the destruction caused by the viruses (destruction which they do cause anyway).

> but mostly in the intangible areas of bad reputation to your business, bruised self-esteem and ego,

Rubbish.

> and some very real financial damages due to idle time until things are restored to normal.

Yes! Indeed, this is causing most of the costs. Not because viruses don't damage data (they do), but because the costs of removing them (costs in the sense of downtime and resources involved) are EVEN BIGGER than the costs of the data they might have destroyed.

> If there is damage to programs or to data, in result of a viral incident, you can blame it in the majority of cases on the lack of skills of whoever handled the problem, or on the use of inappropriate anti-viral software.

So, protect your computer with InVircible, then infect it with Michelangelo, change your system date to March 6 and boot from your infected hard disk. When it gets trashed, remember to blame the inappropriate anti-viral software instead of the virus.

> Here are some facts from recent field experience. In the last couple of months InVircible was installed in thousands of corporate and institutional sites (usually automatic installation, initiated from the file server).

I pity those people. Their data is at risk, since InVircible sometimes INTENTIONALLY DESTROYS DATA - as I am explaining in another message of mine.

> In almost every one of these sites there was one or more computers that had a previous infection, that no one was aware of. In none of these cases was there any loss of data, nor of programs, provided that nothing other than InVircible was used to handle the problem.

There might be, if they continue to use InVircible - or any other program from Mr. Netiv, for that matter (e.g., AVPL, XMONKEY, etc.).
> I suggest that you dismiss virus hype propaganda and protect your computer from virus risks without crippling your machine. It isn't that difficult at all.

I suggest that you dismiss Mr. Netiv's propaganda and marketing hype, remove his product from your machine, never try it again, and install something that *works* and doesn't trash your data. It isn't that difficult at all.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 13 Apr 95 08:57:33 -0400
From: SBURKEEN@sburkeen.navsea.navy.mil (Samuel Burkeen)
Subject: Ripper Virus (PC)

Both CPAV and F-PROT identify the Ripper virus on 3.5-inch diskettes, originally used on another PC having a SCSI drive controller. My approach to get rid of the virus was to make a system disk on my PC (IDE controller), containing a copy of F-PROT, and to use it to boot up on the infected PC having the SCSI controller. Unfortunately, when booting from the infected PC with my 3.5-inch disk, and loading F-PROT, F-PROT would hang during the memory scan.

A friend of mine observed that SCSI controllers always read from the boot sector of the hard drive during the boot up and initialization whether the BIOS setup is configured to load the operating system from the 3.5-inch drive or not. If this is the case, I had loaded the Ripper virus into memory, and perhaps it was interfering with F-PROT.

Does anyone know of a strategy to get rid of this virus in my case or can they elaborate on how the SCSI controller works with respect to the hard drive at boot up?
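[Editor's added example, not code from the digest nor from any product discussed in it (Thunderbyte, F-Prot, InVircible, CPAV).] Two posts above touch the same problem: Bontchev's reply on "virus damage hype" points out that a data diddler such as Ripper leaves its corruption on your backups long before you notice, with "no way to determine what part of it is corrupted and what is not", and the Ripper question just above comes from a user who found that virus on his diskettes. The only defence against that kind of silent damage is a record of what the files looked like while the system was known clean. The Python below is a minimal integrity baseline of that kind (the same idea as the checksum feature the Thunderbyte review mentions, written from scratch here): it records a digest and size per file, then reports which files changed, vanished or appeared, and it is run against both the live disk and a backup to show that the baseline, not the backup, is what identifies the damaged file. All file names and contents are constructed sample data.

```python
"""Integrity baseline for detecting silent data corruption (added example)."""
import hashlib
import json
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]


def sha256_hex(data: bytes) -> str:
    """Digest of a file's contents. A CRC would catch accidental damage;
    a cryptographic hash also resists a deliberately crafted collision."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record digest and size of every file while the system is known clean.
    Keep the result off-line (e.g. on a write-protected diskette) so whatever
    corrupts the data cannot rewrite the baseline as well."""
    return {name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in files.items()}


def verify(files: Dict[str, bytes], baseline: Baseline) -> Dict[str, List[str]]:
    """Compare a file set (the live disk, or a backup) against the baseline.

    Returns sorted name lists under 'changed' (contents differ from the
    baseline), 'missing' (recorded but absent), 'new' (not recorded) and 'ok'.
    """
    report: Dict[str, List[str]] = {"changed": [], "missing": [], "new": [], "ok": []}
    for name, entry in baseline.items():
        if name not in files:
            report["missing"].append(name)
        elif sha256_hex(files[name]) != entry["sha256"]:
            report["changed"].append(name)
        else:
            report["ok"].append(name)
    report["new"] = [name for name in files if name not in baseline]
    return {key: sorted(names) for key, names in report.items()}


def serialize_baseline(baseline: Baseline) -> str:
    """Text form of the baseline, for storage on removable media."""
    return json.dumps(baseline, sort_keys=True)


def load_baseline(text: str) -> Baseline:
    """Inverse of serialize_baseline."""
    return json.loads(text)


# Constructed sample data: the disk as it was when the baseline was taken ...
CLEAN: Dict[str, bytes] = {
    "BUDGET.WK1": b"YEAR 1995 Q1 12000 Q2 13500 Q3 11000 Q4 14250",
    "REPORT.TXT": b"Quarterly figures attached. See BUDGET.WK1.",
    "TOOL.EXE": b"MZ" + bytes(range(64)),
}
BASELINE: Baseline = build_baseline(CLEAN)

# ... and some time later: one digit of the spreadsheet has been silently
# altered (14250 -> 14350). The size is unchanged, so nothing looks different.
TODAY: Dict[str, bytes] = dict(CLEAN)
TODAY["BUDGET.WK1"] = b"YEAR 1995 Q1 12000 Q2 13500 Q3 11000 Q4 14350"

# A backup taken after the corruption carries the same altered file, which is
# why a backup alone cannot answer "which files are damaged?".
BACKUP: Dict[str, bytes] = dict(TODAY)


def demo() -> Dict[str, List[str]]:
    """Check the live disk and the backup against the (round-tripped) baseline;
    both flag BUDGET.WK1, so the baseline is what pinpoints the damage."""
    live = verify(TODAY, BASELINE)
    backup = verify(BACKUP, load_baseline(serialize_baseline(BASELINE)))
    return {"live_changed": live["changed"], "backup_changed": backup["changed"]}


if __name__ == "__main__":
    print(demo())
```

The practical discipline this encodes is the one Bontchev is arguing for: take the baseline when the machine is trusted, keep it where the machine cannot write to it, and verify a backup against the baseline before relying on it for restoration.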
------------------------------

Date: Thu, 13 Apr 95 09:39:54 -0400
From: gcluley@sands.co.uk
Subject: RE: Beaches virus (PC)

hrollfs@cs.vu.nl (Rollfs of Roelofs H) writes:

> A friend of mine has problems with a virus called Beaches. McAfee couldn't detect it and I haven't found any programs that can remove it.
>
> Does anyone know of a program that can?

BEACHES infects EXE files which increase by 1106 bytes. The virus has a memory-resident infection system. It has minimum stealth capability. The whole virus is encrypted, and it has a variable loader. The virus patches other programs.

There are 2 known variants: Beaches.1090 and Beaches.1376

Dr Solomon's Anti-Virus Toolkit can detect and repair this virus.

> please e-mail hrollfs@cs.vu.nl

I've also sent you this message by private email.

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit, S&S International PLC, UK
UK Tel: +44 (0)1296 318700       UK Support: support@sands.co.uk
USA Tel: +1 617 273 7400         USA Support: 72714.2252@compuserve.com
CIS Tech Support: GO DRSOLOMON

------------------------------

Date: Thu, 13 Apr 95 09:16:34 -0400
From: gcluley@sands.co.uk
Subject: RE: "_1099" virus (PC)

peterg@netaccess.on.ca (Milan P. Gola) writes:

> I have recently come across the _1099 virus. Does anyone know how to remove this virus without the suggested "delete the file"? I have an infected program which is a Chinese word processor and I can't get another copy.
>
> Any information would be appreciated.

The 1099 virus is also known as Mange-Tout. It was widely distributed in mouse driver software, and until was not really considered to be in the wild.

Mange-Tout is a tricky virus, infecting both COM and EXE files, and adding between 1099 and 1115 bytes to the end of the infected file. It goes memory resident in the Twixt region (above DOS memory but below the top of BIOS memory) by shrinking the last DOS MCB to make room for it.
It does not have any stealth mechanism so the file growth is easily visible.

When it goes memory resident it intercepts three interrupt vectors: 8 (System Timer), 9 (Keyboard Data Ready) and 21h (DOS Services). Ints 8 and 9 are used for the trigger routine and Int 21h is used for infection.

Most of the virus in memory is encrypted, only being decrypted when in use. The code is decrypted to a location in the DOS data segment starting at address 00540h and is executed from that point. This is true of the Int 21h interceptor, the initial residency code and the payload routine. All the time the code is decrypted, the keyboard is disabled by turning off the keyboard interrupt (IRQ 2) in the 8259A interrupt controller. After use, the code is overwritten with words of 0CBBAh so it is no longer visible. The decryption system makes it very difficult to analyse the virus using DEBUG as this buffer area is overwritten with every DOS call.

INFECTION

One file is infected whenever a DIR command is used. This is done by trapping DOS function 36h (Get Drive Allocation Information) which is used when calculating free disk space. You expect a delay at this point, when doing a DIR, so don't notice the time taken to infect. When the file is infected the seconds field of the file date/time is set to 36. It preferentially infects EXE files, but if all the EXE files in the directory are already infected it will move on to COM files. Note that infection occurs in the directory being looked at, not the current directory/drive!

THE PAYLOAD

Int 8 decrements an internal counter which, if it goes to zero, triggers the payload routine. Int 9 resets the counter to 0FFFFh every time a key is pressed. Basically, this means that if no key is pressed for 0FFFFh ticks (59 mins, 59.5 secs - let's call it an hour!) the payload routine is activated.

THE PAYLOAD IS RATHER UNFRIENDLY!

Using the system timer, it selects a random cylinder and head on the first hard drive (device 80h).
It then formats it, and sets the status of all the sectors on that track to bad. It does this using the BIOS services routine Int 13h function 5. Any track can be selected, including track 0 (the MBR), track 1 (the Boot sector and FAT) etc. Reformatting the disk does not recover these sectors. They must be explicitly reset to good by a call to the same function. Should it have formatted track 0 it may render the hard disk unusable if these sectors are not recovered. Any data on those sectors is, of course, lost.

Having formatted the track it then hangs the machine forcing a reboot.

NOTE: It is unclear what effect this payload would have on a SCSI drive.

Dr Solomon's Anti-Virus Toolkit has been able to detect and repair this virus since October 1994.

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit, S&S International PLC, UK
UK Tel: +44 (0)1296 318700       UK Support: support@sands.co.uk
USA Tel: +1 617 273 7400         USA Support: 72714.2252@compuserve.com
CIS Tech Support: GO DRSOLOMON

------------------------------

Date: Thu, 13 Apr 95 13:16:32 -0400
From: tsimondi@pinot.callamer.com (Tom Simondi)
Subject: Re: Is this a virus? (PC)

Jon A Fabris (bender@world.std.com) wrote:

: when I am in DOS and do a DIR, it will list the files correctly but at the bottom where it says the # of files, it will always add two to the correct number. Also, if I do a DIR with | MORE it will list two extra files with zero length such as "ANAADEFB" and "ANAADEFH"; the date on the files always seems to be the current date.
: Weird.
: Can anyone tell me if this is a virus or something else? There are no other symptoms that I notice.

The activity you describe is normal. The two "extra" files are the dot and double dot at the top of the directory listing, and the zero length files you find with MORE are the temporary pipe files DOS has created to handle the piped data.
They are erased by DOS after the MORE operation is complete.

- --
Tom Simondi  =-=-<< tsimondi@slonet.org >>-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
In olden times a thief caught paid you and gave you a (literal) hand; now you give the thief free room and board. This is progress.

------------------------------

Date: Thu, 13 Apr 95 14:27:24 -0400
From: cope@glue.umd.edu
Subject: AntiCMOS Cleaner ?? (PC)

Does anyone know of a safe AntiCMOS-B cleaner or can I just kiss my MBR goodbye??

------------------------------

Date: Thu, 13 Apr 95 14:35:53 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "_1099" virus (PC)

Milan P. Gola (peterg@netaccess.on.ca) writes:

> Does anyone know how to remove this virus without the suggested "delete the file"? I have an infected program which is a Chinese word processor and I can't get another copy.

F-Prot version 2.17 (and probably AVP too) will be able to disinfect this virus. It calls it "Mange_Tout.1099".

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 13 Apr 95 14:40:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How to remove Filler virus? (PC)

Kevin Marcus (datadec@cs.UCR.EDU) writes:

> Israel Kay <100112.2001@compuserve.com> wrote:
> >
> >There are 2 known variants, Filler.A and Filler.B.
> >
> >Dr. Solomon's AVTK and F-Prot identify and remove it.

> NAV 3.0 also detects and removes both these variants.

Folks, folks. Before going ballistic and listing all anti-virus products that can handle Filler, let me share my experience with you.
In *every* particular Filler-related case that I have witnessed, the problem was caused by the user running VSafe (from CPAV, MSAV, or TNTVIRUS) and then another anti-virus program (usually McAfee's SCAN). In every such case I suggested that they remove VSafe, and the problem went away.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 13 Apr 95 16:50:41 +0200
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: French boot is Russian (PC)

Zvi Netiv (netz@actcom.co.il) writes:

> What's wrong with being able to clean "only" the many existing boot and mbr viruses?

Nothing. Many existing freeware programs (e.g., DiskSecureII or HS) do exactly that. But I thought that your product had higher ambitions?

> Why scare the users with infection techniques that no existing virus exploits yet?

Because they represent a particular security hole in a generic anti-virus product that can be exploited generically by billions of viruses. Since you claim that your product is generic and not virus-specific, I thought that you should be worried about generic virus attacks, instead of the virus-specific ones.

> If InVircible can handle the existing 6300+ viruses (the figure is from one of your posts) - among them a few hundred are boot, mbr and multipartite - then I would think it's quite an achievement.

Oh, yes! If it could handle those 6300+ viruses it would be quite an achievement, indeed. An achievement like... ugh... that of a good SCANNER! Like, for instance, AVP, which detects about 99% of the about 6500 viruses known to me. There are only two problems.

First, InVircible CANNOT handle all those 6300+ viruses.
Therefore, it, with all its famous "generic techniques", "anti-piggybacking", "hyper-correlation" and other buzzwords, does not provide even as much protection as a good scanner!

Second, I thought that you were claiming that your product attempts to protect from more than just the few thousand known viruses - after all, even a known-virus scanner can do the latter and I had the impression that you were claiming that your product is something much better. If you confirm publicly that you did not intend to make any such claims, I'll apologize for the misunderstanding.

> The already existing viruses won't go away and it's nice to know there is a product that can take good care of them, before we start worrying about the future ones. :-)

But of course! There already *are* several products that can take good care of them. AVP. FindVirus. F-Prot. Too bad, InVircible is not one of them...

> Even if a new infection technology emerges as you say, then InVircible, using generic detection and recovery techniques, has the edge on your favorite scanners.

Doubt it. Some of the security holes in InVircible would require a complete redesign. That's much harder than just adding a few new scan strings to a scanner, IMHO.

> No matter what technology a virus uses, it will take from months to years to spread, while adding a new generic technique to InVircible is a matter of hours, and distributing it through the web can take a couple of weeks at the most.

Funny, I have seen exactly that same argument used to show that scanners *can* be used as adequate protection from viruses (something I disagree with). After all, say the scanner producers, regardless of how "terrible" a new virus is, regardless of how fast it spreads, we'll be able to distribute updates of our scanners to most users before the virus hits them.

> Your `new infection technique' is thwarted even before it could start spreading. :-)

The same goes in regard to scanners.
I wonder why people keep getting infected then...

> You will certainly agree that adding a generic technique to InVircible is much easier than adding a couple of hundred viruses every two months to the scanners and TSR. :-)

Actually, no, I wouldn't agree that easily with this. It is at least debatable. Mr. Netiv, not all scanners are like IVSCAN and not all anti-virus producers use primitive ways to update their products. Have you ever heard of automated virus analysis? Most of the producers of the good scanners have such tools which can automatically analyse a simple virus and create the proper detection record for the scanner's database - so that the researcher can concentrate on the really difficult ones. And, what is a difficult virus largely varies from producer to producer. Do you know that the polymorphic viruses are handled by Dr. Solomon's team much in the same way as a simple Vienna variant? Their scanner automatically strips down the encryption and simple techniques can be applied to the rest of the virus body. For them a "difficult" virus is one that prevents this automatic decryption. It seems that for IVScan a simple polymorphic virus is "difficult enough" because this known-virus scanner is notoriously bad at detecting them.

As opposed to that, the complete redesign of an anti-virus product - which has to be done when a new virus technique appears - often is much more difficult and expensive. For instance, in order to make IVB able to detect Omud infections, the format of the checksum database has to be changed (thus becoming incompatible with the old versions) and the integrity checker has to be slowed down significantly. Even if you succeed in doing that - and remember, you have to do it just because one single, silly virus uses a technique your current product cannot handle - it is still unknown whether the users of the product will be willing to continue to use it.

So, no, I do not agree that "certainly" with your claim. Not at all.
> InVircible is the proactive and anticipative anti-virus protection, while scanners and TSR are on the defensive, lagging behind the virus `production', with a continuously increasing gap.

Rubbish. It is exactly the opposite. InVircible detects a virus (in those cases when it does) *after* that virus has infected the user's computer. A TSR scanner will detect the virus *before* it has got the chance to execute at all. So, which technique is proactive and which one is "defensive and lagging behind"?

> The following example will illustrate how wrong you are. On December 4, 1994, a few hard disks in our military were zapped by a virus identified as Zappa. It's a plain boot-mbr infector that trashes the hard drive on Dec. 4, the day Frank Zappa died, and displays the message "Dedicated to Zappa ... ". All the zapped machines were protected with one of your favorite scanners, BRM's UNVIRUS. BRM's IMMUNE TSR was active on all those machines as well. The virus certainly got there before December 4, since they all booted from their hard drive when they got hit.

Mr. Netiv, I am aware of this example of yours, and you are aware of my reply - so why repeat ourselves? First of all, BRM's *scanner* has never been one of my favorite ones. They managed to improve it (so that it became rather good), but this was only after their product got effectively off the market. What is my favorite is their INTEGRITY CHECKER. And, as you have told me before, in this example of yours, that company DID NOT BUY THE INTEGRITY CHECKER, because they considered it to be too expensive. Well, that's their problem. Had they installed a good integrity checker, the above disaster wouldn't have happened. Had they used a good TSR scanner, the disaster might not have happened either, although this is much less certain.

> InVircible recognized Zappa both with passive scanning (yes, IVscan) and

IVScan? Yes? Honest? Really? Then why doesn't IVScan contain any such name???
Or do you think that I am unable to uncompress the program and find out which names it can report? There aren't many of them, you know? Should I list them all here?

> IV couldn't tell the name of the virus, but removed it alright from both the hard drive and from infected floppies.

I guess FDISK and SYS would have done the same? That's hardly an achievement...

> With InVircible a situation like the above could simply never develop.

With InVircible, much worse situations can develop. Users can get their data trashed. Users can get a false sense of security. Many bad things.

> You wrote many times that users want and ought to know what virus hit them. Fine! In Zappa's case the scanner was as helpful as the Coroner's advice, post mortem, but didn't help much in preventing disaster.

The proper way to use a scanner is to scan the *incoming* software *before* it is used. Since most people forget to do that, TSR scanners do it automatically for them.

> You are repeating this error over and over again. For some reason that I ignore you decided that InVircible is an integrity based system across the board. Well, it is NOT!

Isn't it? OK, let's see, shall we?

INSTALL.EXE - just installs the product. Agreed, not an integrity checker - but hardly an anti-virus program at all.

IVHELP.EXE - a hypertext help browser. Agreed, not an integrity checker - but hardly an anti-virus program at all.

IVLOGIN.EXE - it checks its header (integrity checking) and installs the software across a network. Not an anti-virus program, unless you count the header check, but this is integrity checking.

IVX.EXE - it checks its header (integrity checking) and performs automatic scan string extraction and search. So, it's a combination of an integrity checker, an analyser, and a scanner.

IVMENU.EXE - it checks its header (integrity checking), checksums itself (integrity checking), and launches a simple decoy (integrity checking).
Other than that, it is a shell to the other programs from the package. So, it is either performing integrity checking, or is not an anti-virus program at all. RESQDISK.EXE - it checks its header (integrity checking), checksums itself (integrity checking), launches a simple decoy (integrity checking), and performs disk editing functions. So, it is an integrity checker, combined with a disk editor. IVSCAN.EXE - it checks its header (integrity checking), launches a simple decoy (integrity checking), and checksums itself (integrity checking). Other than that, it is a known-virus scanner. So, it is an integrity checker, combined with a scanner. IVTEST.EXE - it check its header (integrity checking), launches a simple decoy (integrity checking), then launches advanced decoys. That's all. So, it is an integrity checker - checking its own integrity and the integrity of the decoys it launches. IVB.EXE - it checks its header (integrity checking), checksums itself (integrity checking), launches a simple decoy (integrity checking), then performs integrity check of the files on the disk. So, it's just an integrity checker. IVINIT.EXE - it checks its header (integrity checking), checks the command interpreter (integrity checking), checksums itself (integrity checking), checks the MBR (integrity checking), launches a simple decoy (integrity checking), launches advanced decoys (integrity checking), performs a second check on its header (integrity checking), checks the DOS boot sector of the active partition (integrity checking), checks the CMOS (integrity checking). So, it is just an integrity checker of the bootstrap process. Additionally, most of the above programs also scan the memory for Dir-2 and 1963, and some of the programs check whether the boot sector is being stealthed (although the latter could be argued to be a form of integrity checking too). BTW, why those two particular viruses, Dir-2 and 1963, the readers of this forum might ask. 
Simple, all of InVircible's "generic methods" are COMPLETELY UNABLE to cope with the level of stealth provided by those viruses. None of the programs from the package discovers that such a stealth virus is active in memory and all the programs that scan the files on the disk spread those viruses to all files. I just did this experiment with Dir_II.T - a variant of Dir_II that InVircible's known-virus memory scan does not detect. So, this effectively means that each time a new such virus appears, the author of InVircible will have to update ALL programs in the package to detect the virus in memory. Surprise, surprise, it's just like with a known-virus scanner. So, did I miss anything when listing what the programs from the package do? Or did you think that I would be fooled by the buzzwords and the marketing hype and won't be able to figure out that your programs are actually doing? What part of the words "integrity checking" don't you understand? > Boot and mbr infections are handled in > several ways, most of are generic. An interesting one is cooperative > SeeThru, this is the one that was used to remove Russian Flag, or Wow, how impressive. For the less knowledgeable of the readers, let me explain what the above buzzwords mean. IVINIT creates two files in the root directory of drive C:, named PART.NTZ and BOOT.NTZ. The first of them contains a plaintext (i.e., not even encrypted) copy of the MBR and the second - a copy of the DOS boot sector of the active partition. Those files are created if they do not already exist. In the case they already exist, the current contents of the MBR and the DBS is read and is compared with the contents of those two files. If there is a change, IVINIT sounds an alarm and proposes to replace those sectors with the contents of those two files (which are supposed to contain the original contents of those two sectors). 
If the user's disk is of the IDE (and probably of the EIDE) type, a direct disk access (via the ports) is used to read the boot sectors from the hard disk and the results are compared with those of accessing the same sectors in a "standard" way (i.e., via the BIOS). This is the famous "SeeThru". It is used only for the boot sectors - the files are accessed via the normal, plain DOS functions. Also, the "SeeThru" technique does not work on my SCSI disk or on our MFM hard disk - so plain BIOS INT 13h calls are used there. Needless to say, it is trivial for a virus to bypass this "protection". The simplest way is to delete those two files - they have fixed names and are created in a fixed place. A more elaborated approach is to replace the contents of those files with a copy of the infected boot or master boot sector - then IVINIT won't detect anything and even if you manage to remove the virus with ResQdisk or with a known-virus scanner, the next time you run IVINIT it will re-infect the disk from those files. > I hope that > you'll like "SeeThru" more than "piggybacking", but even if not, I am Too bad, I don't. Why not just use the established terms "tunnelling" or "accessing the IDE disks via the ports"? > What > cooperative SeeThru does is to use the virus' own stealth properties in > order to recover the original mbr or boot sector, and reinstate it in > spite of whatever technique the virus uses. :-) Translation: "cooperative SeeThru" (I thought that it was "integrity interrogation"? Oh, well) means that the program reads the boot sector via the BIOS functions, the virus stealths that, so we get the real boot sector. Then the program writes that sector back to the disk using direct disk access via the ports, so the virus is unable to intercept this. Then we reboot the machine and the virus is gone. Nasty question - what about the non-IDE disks? > There isn't a single > boot stealth virus that could thwart SeeThru. Unless it has infected a SCSI disk. 
Or on a MFM one. Then ResQdisk simply displays "SeeThru OFF". Tough luck. Reach for your scanner and pray that it can disinfect the virus. An alternative, and much more portable approach (used in, e.g., DiskSecureII or HS) is to install the product on a disk that is known to be clean. At installation time, the product remembers the original interrupt vectors. When you do the check (and, if necessary, the restore), the product uses calls to those vectors, instead of INT 13h instructions, to access the hard disk, thus preventing the virus from stealthing it. This works well with both products, but DiskSecureII is installed in the MBR and knows better how the memory should look like at boot time - and can fix many things, if necessary. HS is a program you run from DOS and can have compatibility problems with some memory managers. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ End of VIRUS-L Digest [Volume 8 Issue 38] *****************************************
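The following is an added illustration of the three boot-sector mechanisms Bontchev picks apart in his reply above: the IVINIT-style check against a plaintext MBR copy in a fixed file (and its bypass by overwriting that file), the "SeeThru" comparison of a port read against a BIOS read with the "cooperative" recovery that lets a stealth virus hand over the real sector, and the DiskSecureII/HS approach of calling interrupt vectors saved while the system was clean. It is not code from InVircible, DiskSecureII, HS or anyone in the thread; the class and function names are invented, INT 13h and the IDE ports are simulated with plain Python objects, and the MBR contents are constructed dummies.

```python
# Toy model of the boot-sector defences argued over above (added example, not
# code from InVircible, DiskSecureII or HS; names invented, hardware simulated).

CLEAN_MBR = b"\xeb\x3c" + b"clean bootstrap".ljust(508, b"\x00") + b"\x55\xaa"
VIRUS_MBR = b"\xeb\x3c" + b"stealth boot virus".ljust(508, b"\x00") + b"\x55\xaa"


class Disk:                                       # INT 13h vector or, on IDE, ports
    def __init__(self, kind):                     # "IDE", "SCSI" or "MFM"
        self.kind, self.sectors = kind, {0: CLEAN_MBR}
        self.int13 = self._rom_int13              # a resident virus repoints this

    def _rom_int13(self, ah, n, data=None):       # ROM BIOS: AH=2 read, AH=3 write
        if ah == 3:
            self.sectors[n] = data
        return self.sectors[n]

    def ports(self, ah, n, data=None):            # "SeeThru": straight to the drive
        if self.kind != "IDE":
            raise RuntimeError("SeeThru OFF")
        return self._rom_int13(ah, n, data)


class StealthBootVirus:                           # hooks INT 13h, hides sector 0
    def infect(self, disk):
        self.orig, self.chain = disk.sectors[0], disk.int13
        disk.sectors[0] = VIRUS_MBR
        disk.int13 = self.hook

    def hook(self, ah, n, data=None):
        if n != 0:
            return self.chain(ah, n, data)
        if ah == 3:                               # swallow writes to the MBR
            self.orig = data
        return self.orig                          # reads show the original


class BaselineChecker:      # IVINIT-style: plaintext MBR copy in a fixed file
    def __init__(self):
        self.baseline = None                      # stands in for C:\PART.NTZ

    def check(self, disk):                        # everything goes via INT 13h
        cur = disk.int13(2, 0)
        if self.baseline is None:
            self.baseline = cur
            return "baseline created"
        if cur == self.baseline:
            return "ok"
        disk.int13(3, 0, self.baseline)
        return "restored"


def seethru_check(disk):    # port view != INT 13h view means something stealths
    try:
        return "stealth" if disk.ports(2, 0) != disk.int13(2, 0) else "ok"
    except RuntimeError:
        return "SeeThru OFF"


def cooperative_recover(disk):   # virus hands over the real MBR, ports write it back
    disk.ports(3, 0, disk.int13(2, 0))            # the hook never sees this write
    disk.int13 = disk._rom_int13                  # reboot: nothing resident now
    return disk.sectors[0]


class VectorChecker:        # DiskSecureII/HS-style: installed while clean
    def __init__(self, disk):
        self.saved, self.baseline = disk.int13, disk.int13(2, 0)

    def check_and_fix(self):                      # calls the saved vector, not INT 13h
        if self.saved(2, 0) == self.baseline:
            return "ok"
        self.saved(3, 0, self.baseline)
        return "restored"


def scenarios():
    out = {}
    ide, chk = Disk("IDE"), BaselineChecker()
    chk.check(ide)                                            # records the baseline
    StealthBootVirus().infect(ide)
    out["baseline_vs_stealth"] = chk.check(ide)               # "ok": change hidden
    out["seethru_ide"] = seethru_check(ide)                   # "stealth"
    out["recovered"] = cooperative_recover(ide) == CLEAN_MBR  # True
    scsi = Disk("SCSI")
    vchk = VectorChecker(scsi)                                # installed while clean
    StealthBootVirus().infect(scsi)
    out["seethru_scsi"] = seethru_check(scsi)                 # "SeeThru OFF"
    out["vector_scsi"] = vchk.check_and_fix()                 # "restored"
    out["scsi_clean"] = scsi.sectors[0] == CLEAN_MBR          # True
    ide2, chk2 = Disk("IDE"), BaselineChecker()
    chk2.check(ide2)
    ide2.sectors[0] = chk2.baseline = VIRUS_MBR   # plain infector also rewrote PART.NTZ
    out["poisoned_check"] = chk2.check(ide2)                  # "ok"
    ide2.sectors[0] = CLEAN_MBR                               # a scanner disinfects...
    out["poisoned_restore"] = chk2.check(ide2)                # "restored": re-infected
    out["reinfected"] = ide2.sectors[0] == VIRUS_MBR          # True
    return out
```

Running `scenarios()` reproduces the three points of the argument: the baseline check that reads through INT 13h reports "ok" while a stealth virus owns the vector; comparing a port read with the BIOS read exposes the discrepancy on IDE but degrades to "SeeThru OFF" on SCSI or MFM, where only the saved-vector checker still sees and repairs the real sector; and a baseline file with a fixed name and no protection lets a plain infector turn the "restore" function into a re-infection step.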