VIRUS-L Digest   Tuesday, 11 Jun 1996    Volume 9 : Issue 93

Today's Topics:

Black Widow questions (ADMIN)
Re: Black Widow ...
Re: Word Macro Virus on a large LAN
Dr Solomon's Virus Stats May 1996
Re: Word Macro Virus on a large LAN
Re: Virus detection in boot manager (OS/2)
Re: Macro Viruses - Clear and Present Danger. [long] (MAC,WIN)
Re: No Clean Boot from diskette under Win95 (WIN95)
Re: McAfee Bug in Win95 ? (WIN95)
StealthC and StealthB (PC)
Refocus! (was: Re: InVircible and Word macro rogueware (PC))
Re: Disaster recovery of compressed volume (PC)
Re: Bye (PC)
Re: Dull-Boy questions (PC)
Re: New Virus ? Help please. (PC)
Re: F-Macro (PC)
Re: Were_wolf.1500 (PC)
Re: Were_wolf.1500 (PC)
Re: Help disinfecting HLLO.RUW (PC)
Internet Security Course, July 29-August 2, at Stanford [long]

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.
Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 11 Jun 1996 00:34:21 +1200 (NZT)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Black Widow questions (ADMIN)
X-Digest: Volume 9 : Issue 93

I have had several submissions asking about Java viruses and/or "Black Widows". I am including a message in this digest originally written by Klaus Brunnstein as part of an Email discussion he had with Mikko Hypponen. I have Klaus's permission for this reposting (and Mikko's via Klaus).

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Fri, 24 May 1996 19:14:32 +0200
From: Klaus Brunnstein
Subject: Re: Black Widow ...
X-Digest: Volume 9 : Issue 93

Nick and colleagues,

FYI I append a message plus my reply on some remarks concerning "Black Widow" mysteries. I hope that my answer helps clarify the issue. I don't think that such stuff is adequate for CERTs to worry; there has been only one instance when one CERT (CIAC) cared for hoaxes. Regrettably, such urban legends have a long life and are hard to kill.

Regards
Klaus (May 24,1996)

==================
Delivery-date: Thursday, May 16, 1996 at 12:38:36 GMT+0100
.....
Subject: Re: Black Widow and Java

Friends,

concerning the Black Widows as mentioned (below), neither of those addresses really viral problems. On the first site (hpp), they argue that JAVA is THE BLACK WIDOW which makes it dangerous for business to work reliably. Apart from the name, this argument is WELL-FOUNDED through several scientific papers (e.g. U-Princeton).
Moreover, on the German CERT alert list, I receive warnings about JAVA implementation errors every week, with the final suggestion: "switch off Java when you install a new Netscape version".

Btw: apart from questions whether a language can be "secure" itself, there is growing evidence that Java may hardly be implemented in a secure and safe way on present D- or C1/C2 operating systems (such as Solaris, which recently was certified as F-C2/E2 under ITSEC) with contemporary software technology.

Concerning the (3rd) reference to POMOCOs Black Widow: this is evidently an "intelligent agent" of the "broker" type. Such network-based software (with some sort of worm characteristic) is intended to install client/server relationships over Internet. At this time, not much work is available on "malicious intelligent agents" (I have been investigating this for some time and may have a paper at a security conference later this year). There are some elements of self-reproduction in "intelligent agents" but surely different from viral mechanisms! Nevertheless, such events support my estimation that viruses become less important threats (as they may be contained with local countermeasures) whereas malicious agents will become the real threats in the near future. Be aware!

Regards
Klaus (May 16,1996)

- ------------Referenced email --------------------------------------------

There seem to be confused rumours going around on Java, viruses and 'Black Widow'. What I know so far:

1. Home Page Press made an article on rogue Java applets on the 5th of May. This article refers to rogue applets as 'Black Widow Applets'. It doesn't talk about Java-based viruses. See http://www.hpp.com/1obtarchives.html.

2. There's a warning going around, credited to 'VA Austin Automation Center', which talks about Java problems and a virus called 'Black Widow Java'. This warning is confused and full of errors.

3. To confuse things more, there is a Java-based ORB product called Black Widow.
See http://www.pomoco.com/bwdprs.html.

Here's the VA Austin Automation Center warning I received from a customer:

- ---

The VA Austin Automation Center (AAC) has received a message from the Department of Defense regarding a computer virus on the World Wide Web. If you have anyone at your station using Netscape version 2.0 or 2.1, you should have them disable Java ASAP to avoid the possibility of picking up a Java virus. Message from DOD follows:

URGENT! URGENT! URGENT! URGENT! URGENT! URGENT!

WHAT IS THE PROBLEM--
A hostile Java applet is stalking the World Wide Web. It is a Black Widow Java called JAVA. Princeton University Researchers have found hostile java applets on the World Wide Web. They reside on web sites set up with a malicious intent, and are downloaded and executed automatically when an innocent user visits that site.

WHAT IT COULD DO--
These Java applets are programs that can destroy data and interfere with your network. They may even upload sensitive material to a third party.

WHO DOES THIS APPLY TO--
This applies to all users using Netscape Navigator 2.0 or Netscape Navigator 2.01

HOW TO PROTECT YOURSELVES--
The (DOD) Computer Emergency Response Team (CERT) staff recommends disabling Java in Netscape Navigator 2.0 or Netscape Navigator 2.01 until patches are available.

WHEN SHOULD THIS BE DONE--
AS SOON AS POSSIBLE!!!!

INSTRUCTIONS ON DISABLING JAVA IN NETSCAPE
1. Open Netscape Navigator.
2. Pull down the Help menu.
3. Click on About Netscape.
4. Check to see if you have version 2.0 or 2.01. If so, continue with the next step. If not, then you can not be affected by the Hostile Java.
5. Pull down the Options menu.
6. Click on Security Preferences.
7. Under General, place an "X" in the Disable Java and the Disable Java Script box in the Java window.

This is a short term solution. Netscape Navigator 2.02 is supposed to contain the fix as a permanent solution.
AAC Help Desk

------------------------------

Date: Sun, 09 Jun 1996 17:01:50 +0000 (GMT)
From: Totally Lost
Subject: Re: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 93

In article <0001.01I5PTBPAF4SUBBEEO@csc.canterbury.ac.nz>, Graham Cluley wrote:
>In-Reply-To: <01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>
>"B.MacDonald" writes:
>> c. we are using the Microsoft patch which also boasts inoculation
>> against any re-infection. By our experience this is just NOT TRUE. We
>> have had numerous re-infections against PCs supposedly *fixed* by this
>> patch.
>
>
>I've heard reports from many users who have bad experiences of the
>Microsoft "fix". My recommendation would be to leave the anti-virus
>stuff to the anti-virus specialists rather than Microsoft.
>
[stuff deleted]
>Graham Cluley                        CompuServe: GO DRSOLOMON
>Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
>Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
>Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700

The whole reason that we have this problem for the A-V guys to make a killing off of the general public is because we don't DEMAND that Microsoft solve the problems by fundamental security based designs in the first place. We hold Netscape and Sun to this security standard ... why not Microsoft too?

Why even allow your company to purchase products that have huge gaping security problems - is it just because they have Microsoft as the vendor?

Make security the number one purchase criteria ... without exception - for operating systems, for applications software, for network components. You will have very little Microsoft product to worry about if you do.
John Bass
Security Consultant

------------------------------

Date: Mon, 10 Jun 1996 11:09 +0000
From: Graham Cluley
Subject: Dr Solomon's Virus Stats May 1996
X-Digest: Volume 9 : Issue 93

Here are some statistics from the United Kingdom technical support department of S&S International (developers of Dr Solomon's Anti-Virus Toolkit).

These stats are for general interest and should not be treated as gospel regarding which viruses are causing the largest problem (for example, many corporate users dealing with, say, Concept will be so used to cleaning it up that they do not need to call us up for hand-holding and advice).

Virus                Count
Concept                 19
Form                    15
Parity.B                15
AntiCMOS                12
AntiEXE                 12
Empire.Monkey           12
Exebug                   8
Kampana                  8
Junkie                   7
Sampo                    6
Angelina                 5
NYB                      5
Jumper                   4
Quandary                 4
Ripper                   4
Natas                    3
Feint                    2
Manzon                   2
Shehas                   2
Stat                     2
Stealth Boot             2
Swiss                    2
Beijing                  1
CrazyBoot                1
Fairz                    1
GranGrave.1150           1
Green Caterpillar        1
Jackal                   1
Jimi                     1
Mabuhay                  1
Multisub Trojan          1
OneHalf                  1
PKZip Trojan             1
RPS                      1
Spirit                   1
Telefonica               1
Tequila                  1
Unashamed                1
Urkel                    1
V-Sign                   1

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sun, 09 Jun 1996 22:17:42 +0100
From: "B.MacDonald"
Subject: Re: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 93

In message , Graham Cluley writes
>You don't say which macro virus you are encountering. I am presuming
>that it's Concept as that is the most widespread - by far - of any of the
>macro viruses.

We believe the infector to be of the Prank/Concept genre. When Norton does alarm (the rare occasion), it is non-specific.
In a few cases we have actually been able to identify Concept keywords in the macro tables. However, we are not at all certain that we aren't dealing with 2 viruses, thus clouding the issue somewhat.

>> c. we are using the Microsoft patch which also boasts inoculation
>> against any re-infection. By our experience this is just NOT TRUE. We
>> have had numerous re-infections against PCs supposedly *fixed* by this
>> patch.
>
>I've heard reports from many users who have bad experiences of the
>Microsoft "fix". My recommendation would be to leave the anti-virus
>stuff to the anti-virus specialists rather than Microsoft.

We have come to the same conclusion.

>Dr Solomon's have a 32-bit VxD for on-access virus protection under
>Windows 3.x and Windows 95. It is available in a different form for
>Novell NetWare servers. We are also just about to release the same
>protection for Windows NT workstation and servers. This means that a
>macro virus gets intercepted (and named by name) whenever an infected
>document is accessed. Not just when someone tries to load the infected
>document into MS Word, but when it gets copied from disk, or someone
>tries to email it etc. This means the virus infection gets "strangled to
>death" and has no chance of spreading any further or reinfecting.

Promising. As we are just down the road from Aylesbury (NATO HQ in Northwood Mddx), we will probably talk to you further.

>> e. we are also considering modifying the software (ie, Macro & template
>> files and directory = read only). However, this is a last resort as we
>> would lose some important functionality.
>
>Quite. It would also not work with a macro virus which changed the
>attributes of these files. A specific anti-virus solution would be best.

Do you mean that the virus could modify the file properties, removing its read-only status? Agreed, a strong AV solution would be best.
>I'd recommend Dr Solomon's WinGuard - apart from the macro viruses it
>will also protect you against the regular viruses, including the complex
>polymorphics. It's easy for your users as well - they're unaware that
>they're running it unless a virus is intercepted.

In fact, I am a loyal Dr S user at home and have just about convinced the folks at work to switch after Norton's meagre performance.

Thank you for taking the time to respond and provide advice... I've noted that the Dr S folks here in the UK maintain a very positive customer relationship - another plus as far as I'm concerned.

- -
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Sun, 09 Jun 1996 07:53:51 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Virus detection in boot manager (OS/2)
X-Digest: Volume 9 : Issue 93

Yew Teik Meng (eng40526@leonis.nus.sg) wrote:
> I'm sorry if this has been posted before, but i want to know whether
> normal dos virus scanners like sweep will be able to detect a boot sector
> virus residing in the boot manager (from os/2 )?....

My guess is that they will not; I believe Boot Manager resides in its own non-DOS partition. Of course, that means that most viruses won't be able to infect it, or will probably do major damage (immediately noticeable) if they do.

> if so is the virus removal as simple as just writing fdisk/mbr ?....

No. Don't even think of FDISK/MBR. Forget that you ever heard of that command. For one thing, it might make matters a lot worse (see the alt.comp.virus FAQ, Part 4 Section 14); for another, if I'm correct that Boot Manager actually resides in another partition, FDISK wouldn't touch the Boot Manager code or any virus that had attacked it.

> or maybe using some other virus removal programs are required, if so
> could anyone recommend anything...?

That's the ticket.
*IF* a virus manages to infect the Boot Manager partition, I suspect one would need an OS/2 antivirus program to remove it. If the virus is merely a Master Boot Record infector, any DOS-based scanner that knows the virus in question should suffice.

> thanx in advance for any help given....and please e-mail me any answers..

It's considered poor 'Netiquette to ask for private email unless you offer to summarize the responses you receive to the group. After all, if you ask others for help, it's reasonable to expect that you'll expend a little effort too, either by following your own thread here or by compiling the responses you receive. So I'm sending this as private email as well, but keep this in mind next time, ok?

-BPB

------------------------------

Date: Mon, 10 Jun 1996 13:09:18 +1000
From: Grahame Grieve
Subject: Re: Macro Viruses - Clear and Present Danger. [long] (MAC,WIN)
X-Digest: Volume 9 : Issue 93

At 12:28 AM 05/06/96 +1200, John Bass wrote:
>First the biggest and worst nightmare of all. A macro virus which aggressively
>replicates by extracting a list from the recipients address books and
>archived email folders and sending an infected attachment to everyone on the
>list. To improve the likelihood the new recipient will open and read it,
>while reducing the chances of immediate detection, the subject and content
>are taken from incoming mail and the mail archive and hidden in the
>attachments as an updated version of the documents. The incoming message
>that started the attack is deleted to cover up tracks, a TSR is left in
>the system to erase all accessible local and network files in a few minutes.
>A memory parity error, or something random and similar, is left on the screen
>as the system crashes to hide the real cause.
>If initially seeded at the
>close of the european work day, and in the morning in the US, using every
>available public list - there is a high probability that a large number of
>people will read the mail as it arrives, activating the attachment virus
>and infecting most if not all users at their site in the process when that
>mail is read a few minutes later.

This is an interesting thought. But it is my impression that viruses tend to be small and stealthy, and the amount of code required to release a stable and efficient virus of this form would be inhibiting. Is this true?

OTOH, what a marvellous route for a bomb targeted to a specific (corporate) network.

>On a lighter side, the attack can be used to do almost anything interesting
>an attacker wishes to systems behind a corporate firewall. From retrieving
>files to manipulating data or applications on that site. This might include
>In the short term, the use of all attachments must be outlawed inside corp
>america and in government circles until Microsoft and other application
>vendors are forced to redesign their macro features with security in mind,
>with at least the same restrictions as the JAVA design.

Yeah, well, we had a big outbreak of concept. An infected file was mailed to every user. But "outlaw" attachments? Better to connect the Word Viewer to msmail whatever?

>Scanners are not likely to be useful on current products. Firewalls should
>filter attachments out of incoming email.

*delete all files* *100% security* (thanks, Iolo?)

Scanners are still useful, except for specific one time bombs.

Grahame

------------------------------

Date: Sun, 09 Jun 1996 17:53:53 -0700
From: aspaeth@bogle.com
Subject: Re: No Clean Boot from diskette under Win95 (WIN95)
X-Digest: Volume 9 : Issue 93

"Bob Witham Jr." wrote:
>I have encountered an interesting problem with WIN95, and I was
>wondering if others had encountered it.
[snip]
>I then attempted to clean boot using a system floppy created on
>a WIN95 machine.
>When I ran McAfee SCAN, I got a message
>indicating that memory was infected with the virus, and I should
>boot from a clean floppy. And yes, the diskettes are clean.
[snip]
>If I booted from a DOS 6.22 diskette, the virus was not active
>in memory.
>
>At any rate, it appears that it is impossible to "clean boot"
>using a WIN95 formatted system disk. Can anyone else verify
>this or has anyone else encountered this?

AFAIK, you have it exactly right.

First, I have observed that a Win95 PC accesses the hard drive while booting using a Win95 "startup" diskette. It sure looks like it's reading the hard drive during a boot from floppy.

Second, Command Software's tech support told me last week exactly what you have discovered. In fact, the rep cautioned me to always have a known-clean DOS boot diskette around for doing clean boots of Win95 PCs. The rep explained that a Win95 startup diskette looks to the hard drive for some info and that the only way to get a truly clean boot is to use a DOS boot diskette (which is a good reason to keep around a DOS AV utility instead of having only a native Win95 one.)

I wonder exactly what Win95 is getting from the hard drive and whether a boot sector virus on C: would be executed when a PC is booted using a Win95 startup disk. (Also, I wonder how NT behaves on this issue.)

Regards,

Alan Spaeth
Systems Development Coordinator
Bogle & Gates P.L.L.C. (A Professional Limited Liability Company)
Portland, Oregon USA

My opinions are just that.

------------------------------

Date: Mon, 10 Jun 1996 06:31:30 -0400
From: "Bob Witham Jr."
Subject: Re: McAfee Bug in Win95 ? (WIN95)
X-Digest: Volume 9 : Issue 93

Joseph Martellotta wrote:
> I downloaded McAfee Windows95 virusscan 2.03
> Every time I exit win95 it accesses the "a" drive;
> no matter what options I change such as scan on exit etc.
> I telephoned McAfee about this twice, with no results.
> I initially installed it on a lap top, when I noticed this;
> I uninstalled it and the problem went away, I installed it on
> 2 other computers using win95 and the same problem occurs...
> Any help or suggestions will be appreciated.

The access is coming from the VSHIELD module. You will see a little shield icon on your active task bar (mine is next to the speaker icon). Double click it, then select the properties button. On the detection tab, you will see an option to scan disks on access or shutdown. Unselect the shutdown option (the default is selected) and you should be all set.

Bob Witham Jr.

------------------------------

Date: Sun, 09 Jun 1996 14:06:26 +0000 (GMT)
From: Sean Heber
Subject: StealthC and StealthB (PC)
X-Digest: Volume 9 : Issue 93

A while back I got both of these viri, but I was just wondering if anyone knows what these viri do. All winter this virus was going around between my friends, me, and my high school. Almost everyone I knew had it, and now it is gone. Is it harmful or is it just a pointless virus? Just wondering!

l8r
Sean

- - - --> <---
Sean Heber            Ham Callsign: KB0LCJ --- E-Mail: kb0lcj@mwci.net
WWW Page: http://www.mwci.net/users/sheber
- --> <---

------------------------------

Date: Mon, 10 Jun 1996 00:08:18 +0000 (GMT)
From: John Elsbury
Subject: Refocus! (was: Re: InVircible and Word macro rogueware (PC))
X-Digest: Volume 9 : Issue 93

Iolo Davidson wrote:

I have been watching the rhetoric, puffery, and wriggling with great interest. But, hang on a minute...

REFOCUS

There are two schools of virus protection:
(a) proactively scanning executables (and, lately, documents) for subversive embedded software; and
(b) retroactively scanning objects for changes possibly resulting from the *activity* of subversive software.

Surely Invircible operates mostly in the (b) category.
Shouldn't Invircible be true to its model and look specifically for changes to templates (and other similar stored program settings) *known* to reflect the activity of macro viruses, while leaving the scanning to type (a) products?

John Elsbury

------------------------------

Date: Sun, 09 Jun 1996 22:16:45 -0400 (EDT)
From: Kenneth Albanowski
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 93

On Thu, 6 Jun 1996, Zvi Netiv wrote:

> From statistics based on actual incidents the chances of losing the
> hard disk in a year are 1 in 600 if using an AV TSR or VxD, compared to
> 1 in 5000 if not, from other reasons. [...] The risk of misfiring
> roughly doubles per year.

That's absurd. If those statistics were valid, that means in five years time using an AV TSR will bring down your computer every two weeks, on average.

And if those statistics are valid, what is the collection method? Wouldn't places using AV TSRs be more likely to have already had drives damaged -- by viruses?

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Mon, 10 Jun 1996 05:50:11 +0000 (GMT)
From: Juha Paulavuo
Subject: Re: Bye (PC)
X-Digest: Volume 9 : Issue 93

On 8 Jun 1996 08:37:25 -0000, Bent Schack Iversen wrote:

>Our computer has been infected by the memory-virus Bye. How can we remove
>it???

You could contact DataFellows by e-mail: F-PROT@DataFellows.com or take a look at their www-page at http://www.DataFellows.com; they have a quite comprehensive databank about viruses.

- -
Juha Paulavuo
Teacher in computer technology
Homepage: http://www.sci.fi/~kassu1/
Maintainer of : http://www.eurohit.sci.fi

------------------------------

Date: Mon, 10 Jun 1996 05:50:09 +0000 (GMT)
From: Juha Paulavuo
Subject: Re: Dull-Boy questions (PC)
X-Digest: Volume 9 : Issue 93

On 8 Jun 1996 08:37:28 -0000, Jose Luis Cilleruelo wrote:

>Recently when scanning my PC I got the presence of Dull-Boy virus.
>Does anybody know its behaviour ? ... and how to remove it?

You could contact DataFellows by e-mail: F-PROT@DataFellows.com or take a look at their www-page at http://www.DataFellows.com; they have a quite compreHENsive databank about viruses.

- -
Juha Paulavuo
Teacher in computer technology
Homepage: http://www.sci.fi/~kassu1/
Maintainer of : http://www.eurohit.sci.fi

------------------------------

Date: Mon, 10 Jun 1996 07:58:55 +0000 (GMT)
From: Erk Wendenburg
Subject: Re: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 93

First of all thank you all for trying to help me! (It's me, Erk, who had the virus; I mailed to the newsgroup from the PC of my colleague.) This is also the reason why I get all your mails a little bit late. It is now Monday morning, and my system is running again! I'm not quite sure if it was really a virus, but I can't explain why these things happened otherwise.

OK, a short reply on what went wrong, and what I did, or tried to do:

First of all I got a massive Win crash, but I thought of one of these normal crashes that Win has sometimes, only a little bit more destructive. I tried to boot my system again, but it hangs in the AUTOEXEC.BAT, where I called CHOICE. OK, I thought something went wrong with my batch file, and I got in an endless loop. So I bypassed this part of the AUTOEXEC.BAT and tried to run Windows, because I wanted to finish my work. At the start Win tells me that the 386spart.par is defective, and it wants to delete it. The Windows crash, I thought. So I deleted the file, and tried to install a new one. At the restart Win tells me it wasn't able to rebuild/build the file because of a write protection. At this time I thought of a hardware error on my disk, because I had some time ago a group of bad clusters on this partition. It is only my temporary partition, so I saved a few files I just got, and wanted to format the partition.
But the format command doesn't work. Every time I called it, it went straight back to the prompt. I tried the help function, and the computer breaks down. After the next reboot I tried it with an older antivirus diskette, but after booting from disk, I got no hard disk anymore. OK, so I booted from hard disk, and let the AV run from disk. No good idea, I know. The AV prog didn't find anything. But afterwards I recognized that EDIT.COM and HELP.COM, which normally have about 429 bytes, had a length of 7+++ (sorry, I don't remember exactly). So I checked out every COM file, and yes, every one was longer by exactly the same amount of bytes. It also seems to me that the code was every time the same. The attributes of the infected files were erased, so I found it easy to check out the disk. I found that also the COMMAND.COM files had changed their attributes, but weren't longer than before. So I decided to fdisk and format my entire hard disk and back up the system again. I wanted to do this anyway in the next days.

Everything worked fine until I played back the data which I saved after the first crash from my temporary disk. There were one or two programs I wanted to test. I can't remember having started one of these programs, but last Thursday the virus was there again. The same things happened again. But now I also recognized that the "virus" tried to hide itself. I fixed the problem with the disk lost after diskette booting by correcting the hard disk's boot sector. So I could boot from diskette and let the AV progs search for the virus. They couldn't find anything. So while I downloaded the newest AV progs I watched what happened with the virus. After booting from diskette I could call every uninfected COM file without infecting it. After booting twice from hard disk, the boot sector was infected again, and the COM files I called got infected. But I found that the Norton Commander showed infected files with nearly the same length the non-infected files have.
It distinguishes between plus or minus one or two bytes. Also the DIR command shows this effect. Only XTREE shows the infected length in the dir list. In the NC you could find the infected files by viewing them; there NC showed the total length. Okay, this is all I have found. After I got the newer AVs I tried them, and they didn't find anything. At this point I wrote to your newsgroup from a colleague's PC and decided to take a long weekend!

As I returned on Monday I first tried something I developed during the weekend. I deleted every file that could have been infected, deleted the system files from the boot sector, erased the boot sector and tried to restore it. (Actually I've done a little bit more.) But the restore failed completely, so I lost all my partitions. In a rage I decided to kill everything on the hard disk and fdisked and formatted it twice. I then restored my system from new disks. During the installation some errors occurred. First HIMEM found non-safe memory, nearly every time at the same point. But sometimes there was also no error!?!? So I looked at the chips and found they were 70ns chips, though I have a 100 Pentium which normally needs 60ns chips. So I changed the chips with another PC, and it works fine. I only got the error message once afterwards. But now the network in our area nearly broke down. A lot of lost packets and bad sections occurred. So after a member of our central computer center checked our routers, he found there must be a computer with a defective network card. Yes, it was mine. But now after another week of installing work, new chips and a new net card my system runs well again.

Sorry for all who wanted an infected file for examination; until now there is none left, and I hope it stays so. And again thank you to all who tried to help me!! I probably should have told you my correct e-mail address, so you could reach me directly.
Sorry again, but I was a little bit upset :-)

Greetings
erk

------------------------------

Date: Mon, 10 Jun 1996 09:46:26 +0000
From: Fridrik Skulason
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 93

In article <0010.01I5LMCGWKKYUBAT4D@csc.canterbury.ac.nz>, "Mikko H. Hypponen" wrote:
>not be sent personally to Fridrik Skulason; use the support address
>f-prot@complex.is instead (and you'll probably get an answer sooner).

It is best to use support@complex.is if you want a reasonably speedy reply.

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 10 Jun 1996 09:53:18 +0000
From: Fridrik Skulason
Subject: Re: Were_wolf.1500 (PC)
X-Digest: Volume 9 : Issue 93

In <0005.01I5LMCGWKKYUBAT4D@csc.canterbury.ac.nz> Zvi Netiv writes:
>The latter versions of Dr. Solomon (7.59 and 7.60) remove WereWolf
>(checked!). I suppose F-Prot will remove it too in their next version, if
>you have the patience to wait.

F-PROT 2.23a removes it without problems. I notice that you did not recommend Invircible for removing it... interesting... Might that be because your product is utterly useless for removing an infection of this virus (unless of course it was installed prior to the infection)?

>The name of the virus is Wulf.1500,

Maybe that's what you call it, but the CARO name is WereWolf.1500.B (or Werewolf.1500.B). Yes, there are two different variants... didn't you know?

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 10 Jun 1996 09:54:59 +0000
From: Fridrik Skulason
Subject: Re: Were_wolf.1500 (PC)
X-Digest: Volume 9 : Issue 93

In <0033.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz> "Chengi J. Kuo" writes:
>The CAROname for the virus is Werewolf.1500.
There apparently are two >minor variants (for the really picky) but as the removal information for >both are the same, that may not be relevant. Removal information the same ? Uh...Jimmy, you are wrong there...the .A and .B variants are *not* disinfected the same way. -frisk - - Fridrik Skulason Frisk Software International phone: +354-5-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274 ------------------------------ Date: Mon, 10 Jun 1996 09:57:19 +0000 From: Fridrik Skulason Subject: Re: Help disinfecting HLLO.RUW (PC) X-Digest: Volume 9 : Issue 93 In <0034.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz> "Scott J. Dygert" writes: >After doing a scan, PC-CILLIN detected a virus "HLLO.RUW in my >C:\PBTOOLS\BACKUP\AUTO-DET.EXE file. > >PC-CILLIN gives a message when I attempt to clean it indicating that it >cannot clean that file. This is almost 100% certainly a false alarm. Some anti-virus programs more likely than other to generate false alarms on HLL viruses. Also, an HLLO virus (Higl-level-language-overwriting) has very low chances of surviving in the wild. -frisk - - Fridrik Skulason Frisk Software International phone: +354-5-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274 ------------------------------ Date: Mon, 10 Jun 1996 09:01:47 +0000 (GMT) From: Arthur Keller Subject: Internet Security Course, July 29-August 2, at Stanford [long] X-Digest: Volume 9 : Issue 93 The Western Institute of Computer Science announces a week-long course on INTERNET SECURITY taught at Stanford University July 29 -- August 2, 1996 by Arthur M. Keller (Stanford University) David H. Crocker (Brandenburg Consulting) Tina M. Darmohray (Information Warehouse!) Whitfield Diffie (Sun Microsystems) Mark Eichin (Cygnus Support) Alan Fedeli (IBM) Gail Grant (Open Market) Lance Hoffman (George Washington University) Peter G. 
Neumann (SRI International) Allan Schiffman (Terisa Systems) A Practical Week-long Course for Consultants, Educators, Government and Industry Scientists and Engineers This course is taught by leading researchers and practitioners in the area of internet security: Arthur M. Keller, Dave Crocker, Tina M. Darmohray, Whitfield Diffie, Mark Eichin, Alan Fedeli, Gail Grant, Lance Hoffman, Peter Neumann, and Allan M. Schiffman. Participants will receive a grounding in internet security, familiarity with current concepts and issues, and exposure to the most important research and development trends in the area. Connecting to the Internet brings both unparalleled information resources and unparalleled security dangers. Protecting computer systems and networks from attacks is a critical and ongoing process. Equally important is protecting corporate intellectual property assets from inappropriate access. This course will examine a variety of network security topics, including protecting against intrusion, detecting and tracking intruders, and repairing damage after intrusion. The course will being with a survey of risk analysis and setting up emergency responses to network incidents. We then follow with a detailed description of cryptography, including cryptographic policy and a panel. The course will then cover specific security technologies. These include network firewalls (which provide perimeter security), Kerberos and adding security to existing network applications, secure messaging, secure payments, and World Wide Web security (including SSL). This course will also analyze security issues for electronic commerce. We will also show a videotape presentation on SATAN by Dan Farmer, one of its developers, and a videotape presentation by John Markoff and Tsutomu Shimomura on Takedown. TEXT: Building_in_Big_Brother, Lance Hoffman, and a complete set of course notes. PREREQUISITES: This course assumes a general knowledge of computers and using the Internet. 
WHO SHOULD ATTEND: Computer programmers, system managers, computer operations staff and managers, information technologists and managers, and teachers who want to gain insight into the capabilities, implementation and current trends in this emerging technology. COURSE SCHEDULE: INTERNET SECURITY Course dates: July 29 -- August 2, 1996 Schedule AM1: 9:00 -- 10:30 AM2: 11:00 -- 12:30 PM1: 1:30 -- 3:00 PM2: 3:30 -- 5:00 Mon AM Security Overview . Risk Analysis: Lance Hoffman . Setting up Emergency Responses to Network Incidents: Alan Fedeli Mon PM Cryptography . Cryptography 1: Whitfield Diffie . Cryptography 2: Whitfield Diffie Tue AM Cryptography . Cryptography 3: Whitfield Diffie . Cryptography 4: Whitfield Diffie Tue PM Cryptography . Cryptographic policy: Lance Hoffman . Cryptography panel: Lance Hoffman (moderator), Peter Neumann, Whitfield Diffie Wed AM Firewalls . Firewall overview and design: Tina Darmohray . Packet filtering, proxies, firewall toolkits: Tina Darmohray Wed PM SATAN: Dan Farmer by videotape Takedown: John Markoff and Tsutomu Shimomura by videotape Thu AM Kerberos: Mark Eichin Adding security to existing network applications: Mark Eichin Thu PM Security for Messaging: Dave Crocker Secure payments: Gail Grant Fri AM WWW security: Allan Schiffman SSL: Allan Schiffman Fri PM panel: Arthur Keller (moderator), Dave Crocker, Whitfield Diffie, Peter Neumann, Allan Schiffman ABOUT THE INSTRUCTORS DR. ARTHUR M. KELLER is a Senior Research Scientist at Stanford University. He is Project Manager of Stanford University's participation in CommerceNet, which is doing the first large-scale market trial of electronic commerce on the Internet. He leads the effort on smart catalogs and virtual catalogs. He was Manager of the Penguin project, to provide sharing of persistent object data among multiple applications. He is also working on managing inconsistency in federated, autonomous database systems. 
His publications include work on database security, databases on parallel computers, incomplete information in databases, database system implementation, hypertext databases, and computerized typesetting. DAVID H. CROCKER is a principal with Brandenburg Consulting, providing business and technical planning for distributed information products and services. He has participated in the development of internetworking capabilities since 1972, first as part of the Arpanet research community and more recently in the commercial sector. Mr. Crocker has made extensive contributions to the development of electronic mail and other Internet services. He has worked at a number of Silicon Valley companies, producing a wide range of TCP/IP, OSI, and network management products. He serves as Chairman of the non-profit Silicon Valley - Public Access Link, a community network information service. Mr. Crocker continues technical involvement in Internet standards activities for transport services, electronic mail and electronic commerce. TINA M. DARMOHRAY is a senior consultant for Information Works!, which specializes in Internet connections, firewall configurations, security audits, and Internet workshops. Previously Tina led the UNIX system administration team at Lawrence Livermore National Laboratory, where her team had responsibility for over 1000 machines. Tina is a founding board member of SAGE (USENIX System Administrators Guild) and has over a decade of experience as a UNIX system and network administrator and instructor. She received her BS/MS from the University of California at Berkeley. DR. WHITFIELD DIFFIE, who holds the position of Distinguished Engineer at Sun Microsystems, is best known for his 1975 discovery of the concept of public key cryptography, for which he was awarded a Doctorate in Technical Sciences (Honoris Causa) by the Swiss Federal Institute of Technology in 1992. 
For a dozen years prior to assuming his present position in 1991, Diffie was Manager of Secure Systems Research for Northern Telecom, functioning as the center of expertise in advanced security technologies throughout the corporation. Among his achievements in this position was the design of the key management architecture for NT's recently released PDSO security system for X.25 packet networks. Diffie received a Bachelor of Science degree in mathematics from the Massachusetts Institute of Technology in 1965. He is the recipient of the IEEE Information Theory Society Best Paper Award for 1979 and the IEEE Donald E. Fink award for 1981. MARK EICHIN is the primary development engineer for Cygnus Network Security, Mark Eichin has been involved in the development of the Kerberos network security system since his days as an undergraduate at MIT. He continues to work closely with MIT on the development of Kerberos. He was also involved in the design and implementation of the Zephyr Notification Service, which has been billed as one of the most complex uses of Kerberos ever seen in an application. ALAN FEDELI manages IBM network security functions including: IBM's AntiVirus products and services, phone fraud, and external network connectivity policy and security countermeasures. He also manages IBM's central Computer Emergency Response Team (CERT), which handles harmful code and network intrusions worldwide, for IBM and customers. He formed IBM's Internet Emergency Response Service (ERS) as a fee-based commercial offering. He has been a manager of technology in IBM for the past 20 years. He has managed systems programming, network software development, and in the past 7 years he has created information security businesses within IBM. He is a graduate of City College of New York, and recently earned his MBA in Organizational Behavior at Pace University. 
GAIL GRANT is the vice president for Business Development for Open Market, Inc., responsible for evaluation of potential technology partners and long-term technical requirements. She also is the chairman of the Network Services Working Group in CommerceNet, which is working to facilitate the development, standardization and deployment of protocols, applications and enabling technologies which provide authentication, privacy/encryption and certification services over the Internet in a secure and interoperable manner. Prior to joining OMI in 1994, Ms. Grant pioneered the Internet Alpha Program for Digital Equipment Corporation. This innovative, industry-first program generated millions in revenues and was featured in numerous publications, including Fortune Magazine, The New York Times and USA Today. Previous positions include development and development management positions at Bolt Beranek and Newman in Cambridge MA and in Cardiac Research at Mass. General Hospital in Boston MA. Ms. Grant presents regularly at conferences on the Internet, World-Wide Web and Electronic Commerce as well as recently authoring a chapter on Internet business transaction systems for Mary Cronin's upcoming book in Internet strategies to be published by Harvard Business School Press. DR. LANCE J. HOFFMAN is Professor of Electrical Engineering and Computer Science at The George Washington University in Washington, D. C. and Director of the School of Engineering's Institute on Computer and Telecommunications Systems Policy. He is known for his pioneering research on computer security and risk analysis, and for his interdisciplinary work in computer policy issues. Dr. Hoffman is the author or editor of five books and numerous articles on computer security and privacy; his new work on cryptographic policy, Building in Big Brother, is the first book devoted to the topic. He also is the editor of the well-received readings book Rogue Programs: Viruses, Worms and Trojan Horses. Dr. 
Hoffman has lectured around the world on computer security and privacy and on the vulnerability of society to computer systems. Dr. Hoffman was previously a National Lecturer for the Association for Computing Machinery and a Distinguished Visitor for the Institute of Electrical and Electronics Engineers. He served as general chairman of the Second Conference on Computers, Freedom, and Privacy, held in March 1992 in Washington. He is past chair of the IEEE Committee on Communications and Information Policy's Subcommittee on Information Security and Applications. Dr. Hoffman is a member of the National Advisory Board of the newsletter Privacy and American Business and a Fellow of the Association for Computing Machinery. DR. PETER G. NEUMANN is a principal scientist in the Computer Science Laboratory at SRI, where he has been since 1971, and his work is concerned with computer systems having requirements for security, reliability, human safety, and high assurance (including formal methods). He was founder and Editor of the SIGSOFT Software Engineering Notes (1976-1993), and is Chairman of the ACM Committee on Computers and Public Policy (since 1985), a Contributing Editor for CACM (since 1990), and creator (in 1985) and moderator of the ACM Forum on Risks to the Public in the Use of Computers and Related Technology. His RISKS-derived book on the benefits and pitfalls of computer-communication technology, Computer-Related Risks, is published by ACM Press and Addison Wesley. ALLAN M. SCHIFFMAN was named chief technical officer of Terisa Systems in April 1995. He was formerly chief technical officer of EIT, one of the founders of Terisa. He is principal architect of CommerceNet, a Bay Area consortium supporting electronic commerce over the Internet. His current obsession is Internet transaction security and has been working for the last year on Secure HTTP. 
Schiffman was previously vice president of technical strategy for ParcPlace Systems where he led the development of their well-known Objectworks\Smalltalk product family. Prior to this, he was senior MTS at Schlumberger Research and assistant director of the Fairchild Laboratory for Artificial Intelligence Research. He holds an M.S. in Computer Science from Stanford University. COURSE INFORMATION Dates: Monday-Friday, July 29-August 2, 1996 Times: Registration Sunday afternoon, July 28 Morning sessions 9:00am-12:30pm with a 30 minute break Afternoon sessions 1:30-5:00pm with a 30 minute break Lunch break 12:30-1:30pm daily Location: on the campus of Stanford University in Stanford, CA. Course Fee: $1,450 (includes instruction, complete set of course notes, break refreshments, and Tuesday night reception.) $1,575 for registration after July 15 Group Discount: A $100 discount is given to each individual when three or more register from the same organization for one of the courses. Accommodations: Housing information will be mailed at the request of the participant after enrollment. Parking permits are available at the Sunday afternoon course registration and are not included in your registration fee. Out-of-town participants will probably NOT need a car during the week. Transportation: from San Francisco International Airport: Shuttle service (Airport Connection) to the Stanford Campus approx. $17.00 each way; from San Jose International Airport: approx. $17.00 GENERAL INFORMATION Registration: Mail the registration form to the Western Institute of Computer Science, P.O. Box 1238, Magalia, CA 95954; FAX the registration form with your VISA/Mastercard number or company purchase order number to (916) 873-6697; or EMAIL your registration with company purchase order number or VISA or Mastercard number to barnhill@hudson.stanford.edu; TELEPHONE (916) 873-0575 with your company purchase order number or VISA or Mastercard numbers. 
CANCELLATIONS: are accepted up to 14 working days prior to the start of the course. A $100 processing fee will be assessed. After that date, no refunds will be given, but you may send a substitute in your place. If WICS is forced to cancel a course for any reason, liability is limited to the return of the paid registration fee. FOR INFORMATION: Call Western Institute of Computer Science at (916) 873-0575; email to barnhill@hudson.stanford.edu. _____________________________________________________________________________ Registration Form INTERNET SECURITY July 24-28, 1995 Registration on or before July 15 [ ] INTERNET SECURITY $1,450 Registration after July 15 [ ] INTERNET SECURITY $1,575 Name____________________________________ Title___________________________________ Company_________________________________ Address_________________________________ ________________________________________ City/State______________________________ Zip___________________ Country_________________ Work Phone (________)___________________ Home Phone (________)___________________ Electronic Mail address __________________________ on network _____________________ Total amount enclosed: $___________ Method of payment [ ] Check enclosed (payable to WICS) [ ] Visa/Mastercard #________________________________ card exp. date__________ cardholder signature___________________________________________________ [ ] Bill my company. Purchase Order #__________________________ Write billing address below. Return registration form with payment to: Western Institute of Computer Science P.O. Box 1238 Magalia, CA 95954-1238 ------------------------------ End of VIRUS-L Digest [Volume 9 Issue 93] *****************************************