VIRUS-L Digest   Thursday, 11 Jul 1996    Volume 9 : Issue 111

Today's Topics:

    InterScan VirusWall -- experience?
    Updated AVP Mkiller!
    Re: ONLINE AV program
    Neural networks in virus detection??
    WordMacro/Wazzu detected by TBAV 7.03!!
    Unix virus scanners (UNIX)
    Re: Missing Files (MAC)
    "Wazzu" on MS Word 6.0 (MAC,WIN)
    Re: mcafee Virus Scan 2.2 (WIN)
    Re: mcafee Virus Scan 2.2 (WIN)
    Re: mcafee Virus Scan 2.2 (WIN)
    The 800 Virus (PC)
    Re:HELP!!...I'm being FORM-ed to death! (PC)
    A complaint about VET (PC)
    HARE virus family dissected! (PC)
    Re: Complete Antivirus Guide, available on the net (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 09 Jul 1996 10:58:40 -0500
From: Doug White
Subject: InterScan VirusWall -- experience?
X-Digest: Volume 9 : Issue 111

Trend Micro recently released VirusWall. It was in beta five months prior to its release. I would like to get product reviews, particularly from beta customers.
------------------------------

Date: Tue, 09 Jul 1996 12:10:51 +0000
From: Keith Peer
Subject: Updated AVP Mkiller!
X-Digest: Volume 9 : Issue 111

AVP Word Macro Killer version 1.1
---------------------------------

AVP Word Macro Killer will detect and delete infected and suspicious macros in Microsoft Word for Windows v6.xx and v7.xx documents. It also converts infected documents from a Template back to the Document format. Contains a heuristic scanner to detect new unknown Macro viruses!

FREEWARE

Protect yourself today with AVP!
--------------------------------

Get a copy from the following sites:

    www.command-hq.com/command
    ftp.command-hq.com/pub/command/avp/mkillr11.zip
    www.metro.ch
    www.datarescue.com

Enjoy,
Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.              USA Distributor for
P.O. Box 856                      AntiViral Toolkit Pro
Brunswick, Ohio 44212
Internet: info@command-hq.com     Compuserve: 102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820   Fax: 330-220-4129   BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Tue, 09 Jul 1996 13:58:39 -0400
From: TPeek55001
Subject: Re: ONLINE AV program
X-Digest: Volume 9 : Issue 111

I have used McAfee as my primary AV and F-Prot as a backup protection. You cannot go wrong with either one of these programs. Another one you could try is ThunderByte.

------------------------------

Date: Wed, 10 Jul 1996 10:01:37 +0700
From: Fransiscus Xaverius
Subject: Neural networks in virus detection??
X-Digest: Volume 9 : Issue 111

My name is Fransiscus Xaverius. I am a last-year student at a computer and information systems school named STMIK Bina Nusantara in Indonesia. I have a question about neural network applications. Can a neural network be implemented to detect computer viruses? If it can, what kind of models might be used? And what about the method?
Would you give me some information about my question? I hope you don't mind explaining it. Thank you very much for your attention.

Fransiscus Xaverius
software@binus.ac.id

------------------------------

Date: Wed, 10 Jul 1996 03:56:41 -0400 (EDT)
From: "C.J. Mackay" <101444.1435@CompuServe.COM>
Subject: WordMacro/Wazzu detected by TBAV 7.03!!
X-Digest: Volume 9 : Issue 111

ThunderBYTE detects and cleans WordMacro virus Wazzu!

Wijchen, ESaSS BV - ThunderBYTE International Headquarters, July 10th 1996.

The latest discovery of a WordMacro virus called WordMacro/Wazzu has led to the new release of ThunderBYTE anti-virus utilities version 7.03. This new version, which will be released today, is able to detect this rather annoying macro virus as well as remove it from infected documents. Version 7.03 can be downloaded for a free evaluation period from the ThunderBYTE customer BBS: +31 59 138 2011, and via Internet on: http://www.thunderbyte.com.

The WordMacro/Wazzu Virus

WordMacro/Wazzu is a macro virus which operates under the Word for Windows versions 6.0 and 7.0 environment. The reason that WordMacro/Wazzu (hereafter called Wazzu) has become so successful and widespread is the distribution of this virus in source form on the Internet.

The Wazzu virus consists of one macro, which is called AUTOOPEN. Every time a document is opened, Wazzu will be activated. It will then infect, depending on the document name of the host, the template NORMAL.DOT or the document itself. NORMAL.DOT is the global template which is always loaded when Word for Windows is loaded.

After the infection, the payload routine is called. Wazzu will get a random number. There is a 20% chance that the random number matches Wazzu's requirements, and then it will move the current word to another destination in the document. Wazzu will repeat this movement loop three times. This means that there is only a 51.2% (80% * 80% * 80%) chance that no word will be moved.
Finally, Wazzu will get yet another random number. This time there is a 25% chance that the number meets the requirements, and Wazzu will then insert the phrase "wazzu " (note the trailing space) at a random position in the document. In general, there is only a 38.4% (51.2% * 75%) chance that your document has not been changed when your system is infected with Wazzu. As documents may be read, changed or edited several times a day, the chance that the document is not tampered with is almost 0%.

ThunderBYTE version 7.03

Detecting and removing Wazzu with version 7.03 of the ThunderBYTE Anti Virus Software Utilities is quite easy. Scanning incoming documents for WordMacro viruses will prove to be cost-effective and can save a lot of time and money afterwards. The new release 7.03 is an enhancement to the 7.02 version, which was the first ThunderBYTE release to contain a revolutionary macro-cleaning utility. The DOS version of TBAV 7.02 very recently received the NCSA certification, which means a full 100% detection of "in the wild" viruses. In version 7.03 the ThunderBYTE developers have also included around 100 signatures of other recently appeared viruses.

/////////////////////////////

Inquiries:
ESaSS BV - ThunderBYTE International Headquarters
telephone: +31 24 642 2282
fax: +31 24 645 0899

Additional press information: Caroline Mackay, Public Relations, Compuserve ID: 101444.1435@compuserve.com
Commercial information: Mr. Harald M. Zeeman, International Sales Manager, Compuserve ID: 100140.3046@compuserve.com

Visit our Website: http://www.thunderbyte.com

------------------------------

Date: Tue, 09 Jul 1996 14:10:03 +0000 (GMT)
From: Meetesh Mahendra Karia
Subject: Unix virus scanners (UNIX)
X-Digest: Volume 9 : Issue 111

I'm looking for information on unix virus scanners and where I can get them. I've searched the web and I have been unable to locate much information on anti-virus programs for unix-based systems.
If anyone has any information please respond and/or write me email.

Thanx,
Meetesh

------------------------------

Date: Tue, 09 Jul 1996 19:41:45 -0600
From: Stu Derby
Subject: Re: Missing Files (MAC)
X-Digest: Volume 9 : Issue 111

In article <0003.01I6RFV09PFQWHZC3A@csc.canterbury.ac.nz>, ehamm@cctr.umkc.edu wrote:

:I have picked up a virus on my Power Macintosh (Performa 6200CD)... I
:believe its source to be an Info-Mac mirror site (can't remember which
:site I got the file from). Details follow...
:
:I downloaded a BBedit HQX from one of the info-mac mirror sites using
:Anarchie.

[tale of woe deleted]

:My point in all this...
:
:Awareness for other people.. (this is my first trauma with a virus)
:
:See if anyone else has experienced the same thing..
:
:I welcome ANY responses at ehamm@cctr.umkc.edu or (of course) this
:newsgroup...
:
:Thanks
:
:[Moderator's note: Thanks for your concern. Can anyone actually confirm
:that the archive referred to contains a virus? Unfortunately ehamm's
:report does not show any evidence of a virus at all. Strange system and
:file corruptions happen all the time and are heavily disproportionately
:-NOT- caused by viruses.]

The info-mac archive scans for all known Mac viruses, and since the symptoms described are much more like a file system corruption, I think that's the problem. A product like MacTools Pro or Norton Utilities is very good at recovering files in such cases.

--
Stu Derby               | "When in trouble, when in doubt,
stu@miave.bcm.tmc.edu   |  run in circles, scream and shout."

------------------------------

Date: Tue, 09 Jul 1996 18:03:47 +0000 (GMT)
From: "land-conservancy@slonet.org"
Subject: "Wazzu" on MS Word 6.0 (MAC,WIN)
X-Digest: Volume 9 : Issue 111

I apparently have the newest MS Word 6.0 macro virus. It runs undesirable macros that rearrange text and insert the word "wazzu" somewhere in the text. I have tried Microsoft's macro virus scanner but it did not find the virus or clean files.
If anyone knows of a fix, where to find a fix, or is affected by this virus, let's get together and compare notes on what we find. Please email correspondence to me as well as posting.

Thanks,
Brian Stark

------------------------------

Date: Tue, 09 Jul 1996 01:15:40 -0400
From: McAfee
Subject: Re: mcafee Virus Scan 2.2 (WIN)
X-Digest: Volume 9 : Issue 111

<<... loaded on virus scan and ALL windows programs run extremely slow, i mean very slow. i am running a 486, 8meg memory. any ideas? i was under the impression that this is a very good virus detection and removal program, however, the time being consumed by this program is unbearable. >>

You are probably loading the DOS VShield TSR in memory before Windows. VShield scans any files identified as executable. This would include .DLL files, which are repeatedly read during Windows startup. Remove the /ANYACCESS switch from the VShield command line in your AUTOEXEC.BAT (or wherever you are loading VShield), and replace it with /ONLY A: B: (or just A: if you only have one floppy drive). This will tell VShield to only read executable files coming from your floppy disks, which are the most likely place to find infected files.

Also, the newest version of VirusScan for Windows (2.50) now uses a VxD, which takes up no conventional memory outside of Windows.

Mike Hitchcock
McAfee Online Services Supervisor
http://www.mcafee.com

------------------------------

Date: Tue, 09 Jul 1996 13:05:55 -0400
From: "Bob Witham Jr."
Subject: Re: mcafee Virus Scan 2.2 (WIN)
X-Digest: Volume 9 : Issue 111

Bob D Makowski wrote:
> help. loaded on virus scan and ALL windows programs run extremely
> slow, i mean very slow. i am running a 486, 8meg memory. any ideas?
> i was under the impression that this is a very good virus detection and
> removal program, however, the time being consumed by this program is
> unbearable. lmk

I am assuming that you are running VSHIELD. If so, you can start it up with the /ONLY A: switch.
This will ensure that only files on the A: drive are scanned, not all files on the C: drive. You may gain some speed there. Also, take a look at your conventional and high mem allocations. You can play around with the way memory loads and gain a bit of speed. I also found that on anything less than a 486/33, VSHIELD does make performance suffer. You can always disable it and just run SCAN on a daily basis. You will also want to ensure you run SCAN whenever you access a diskette. Finally, you may have a problem with the Windows work file space. You may not have enough space allocated. Also take a look at doing your file accesses in 32-bit mode.

We have been using McAfee for several years now, and these are all things that I have done to one or more machines to tune their performance. Good luck.

Bob Witham
Information Systems Security Analyst
Bureau of Information Services
State of Maine

------------------------------

Date: Wed, 10 Jul 1996 09:11:18 +0000 (GMT)
From: Old Salt
Subject: Re: mcafee Virus Scan 2.2 (WIN)
X-Digest: Volume 9 : Issue 111

George Wenzel had this to say about Re: mcafee Virus Scan 2.2 (WIN):

>>In article <0008.01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz>,
>>makowb@ix.netcom.com says...
>>
>>>help. loaded on virus scan and ALL windows programs run extremely
>>>slow, i mean very slow. i am running a 486, 8meg memory. any ideas?
>>>i was under the impression that this is a very good virus detection and
>>>removal program, however, the time being consumed by this program is
>>>unbearable. lmk
>>
>>You leave out one critical detail: What anti-virus program were you
>>using? This detail will make it a lot easier for people to help you, as
>>the tech support people for that particular product should be able to
>>help you.

Look at subject. ;)

------------------------------

Date: Mon, 08 Jul 1996 23:42:59 -0400
From: Phyllis David
Subject: The 800 Virus (PC)
X-Digest: Volume 9 : Issue 111

I was working to rid a machine of Concept, using F-Prot and I.
Master; then there appeared (from I. Master) a serious warning that the machine was infected with the '800 virus' and it was in control of the PC. OK, so I go to the net to find out what this is and how to fix it, and cannot find any virus called this. Help! Thanks.

pdavid@scsn.net

[Moderator's note: VGrep tells me McAfee Scan 2.2.12 labels (some of) the November_17th (or Nov17) family as just "800".]

------------------------------

Date: Tue, 09 Jul 1996 04:36:37 +0000 (GMT)
From: kore8@usa.pipeline.com
Subject: Re:HELP!!...I'm being FORM-ed to death! (PC)
X-Digest: Volume 9 : Issue 111

>>The computer had shown the following phrase before it halted:
>>
>>      MEMORY WAS INFECTED BY THE FORM VIRUS.
>>      THE VIRUS WAS EXTRACTED AND DESTROYED.

The Form virus does nothing except migrate from disk to disk. It does not mess up the memory. I had a problem with the Form. The encrypted message that it comes with says this is the Form virus, don't worry, it doesn't do anything.

--
D3lyr1uM?

------------------------------

Date: Tue, 09 Jul 1996 08:17:54 +0000 (GMT)
From: "A.Appleyard"
Subject: A complaint about VET (PC)
X-Digest: Volume 9 : Issue 111

I am in charge of 22 PCs that students use. We use VET. I find that since VET changed last, whenever VET finds a virus, or some other irregularity such as a bad file or being called on an empty floppy drive, such that it creates a C:\VET_LOG.1 report file, it puts in C:\VET_LOG.1, before each error report, the name of every file in the computer, one per line. This is a %$@#&^ and a pest, because I have to wade through it all when reading the C:\VET_LOG.1 to find what caused the error report. It did not do this before: it only reported any hidden and bad files that it found.

------------------------------

Date: Tue, 09 Jul 1996 12:37:02 +0000
From: Keith Peer
Subject: HARE virus family dissected!
(PC)
X-Digest: Volume 9 : Issue 111

Hare family

Please note: Registered users of AntiViral Toolkit Pro obtain the latest virus update to detect and disinfect these Hare viruses!

Hare.7610:
Hare.7750:
Hare.7786:

These are very dangerous memory-resident multipartite Stealth and Polymorphic viruses. They infect COM and EXE files as well as the MBR of the hard drive and the boot sectors of floppy disks. In files the viruses are encrypted three times. In infected sectors the viruses are polymorphic, as well as in the infected files.

Installing and Infecting

When an infected file is executed the virus decrypts itself, infects the MBR of the hard drive, traces and hooks INT 21h, and returns to the host program. Then the virus writes itself to the end of COM and EXE files that are executed, closed, or on DOS Terminate calls (AH=0,31h,4Ch). Under Win95 the virus also hooks INT 13h. While opening an infected EXE file the virus disinfects it.

When the virus infects a file, it checks the file name and does not infect the files:

    TB*.*  F-*.*  IV*.*  CH*.*  COMMAND*.*

The virus also does not infect the file if there is the letter 'V' in its name.

While loading from the infected boot sector of a floppy disk the virus just infects the MBR, returns control to the host sector, and does not stay memory resident.

While infecting the hard drive the virus traces INT 13h or uses direct calls to the HD ports, then writes itself to the MBR sector and writes the rest of its code to the last available track of the hard drive (the track that is outside the declared tracks - LandZone?). Because the virus stores and overwrites the original Disk Partition Table, the FDISK /MBR command may crash the hard drive.
While loading from the infected MBR the virus restores the Disk Partition Table to let DOS load the active boot sector and calculate the disk information (at this moment the virus's INT 13h stealth routine is not active), then it decreases the size of system memory for its TSR copy (the word at address 0000:0413), hooks INT 1Ch and returns control to the original MBR. By hooking INT 1Ch the virus waits for the DOS loading procedure, then restores the size of system memory and hooks INT 13h, 21h, 28h. On the first INT 28h call the virus again corrupts the Disk Partition Table. I see no reason for such a complex installation procedure except to fool anti-virus hardware and software, if it is installed.

By hooking INT 13h the virus intercepts access to floppy disks, and infects them. While infecting, the virus formats an extra track on the disk and writes its code there. It also calls a stealth routine while accessing infected disks.

Features

While executing an infected file the virus also searches for the "WIN=" string in the environment area, and deletes the \SYSTEM\IOSUBSYS\HSFLOP.PDR file in the Windows directory.

While installing memory resident the virus checks the system date and on the 22nd of August and September it erases hard drive sectors and, depending on its version, displays the message:

    "Hare.7610": "HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
    "Hare.7750": "HDEuthanasia-v2" by Demon Emperor: Hare Krsna, hare, hare...
    "Hare.7786": "HDEuthanasia-v3" by Demon Emperor: Hare Krsna, hare, hare...

While infecting the MBR the virus performs some strange manipulation with the keyboard: it hooks INT 16h, checks the keys that are entered, and sometimes substitutes them with 'Y' or 'N' keys. It looks as if the virus tries to fool BIOS anti-virus features, and answer "Yes, infect it!" to the standard request while writing to the MBR of the hard drive.

The virus uses a quite strange way to run its polymorphic routines.
While infecting a computer the virus generates a block of random data and saves it to the last sectors of the hard drive. Then the virus does not change this random data in any way (see note below). It restores that data (reads it from the sector) while loading from the infected MBR or while executing an infected file. While re-infecting the disk (if it has been disinfected) the virus detects this data in the last sector and does not renew it.

While infecting a file or a sector the virus uses that data as a random generator to select the opcodes and keys for its polymorphic routines - in all cases the polymorphic routine gets the same data, and produces the same code when the virus infects any object. As a result all polymorphic decryption loops contain the same code in all infected files that were infected on the same computer. All such files are encrypted by the same code and with the same keys. The length of the files grows by a random value while infecting (VirusLength plus the length of the polymorphic decryption loop), but that value is constant for all files on the same computer. The same holds for infected floppy disks: they all contain the same polymorphic code in their boot sectors.

As a result all files and sectors that were infected on the computer have a constant mask to detect them with anti-virus utilities. Is it directed against anti-virus researchers, or just to fool users and hide the infected file/floppy guest that caused the infection?

Note: the major versions of this virus, while loading from an infected disk, with probability 1/16 change the random data in the last disk sectors, and as a result infect the files and boot sectors with different polymorphic code.

Virus description (C) Eugene Kaspersky 1996
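The "constant mask" consequence described above can be made concrete in a few lines. The following Python is an added example, not part of Keith Peer's post, of AVP, or of the Hare code itself: it models a polymorphic engine whose only entropy source is a saved seed block (the opcode table, the body text, the seed block and the host files are all invented stand-ins), extracts the longest byte string common to several objects infected under that block, and shows that the common string collapses once the block is reseeded, as in the 1/16 case the note mentions.

```python
"""
Toy model of the seeding weakness in Hare's polymorphic engine as described
in the post above: the engine draws its "random" opcode and key choices
from a block of data saved to the last sectors of the disk, and that block
is not changed between infections, so every object infected on one machine
gets the same decryption loop and the same key.  A scanner can therefore
lift a constant byte pattern ("mask") from a handful of samples taken from
that machine.  Everything here is constructed for illustration: the opcode
table, the body, the seed block and the hosts are invented, not Hare's code.
"""
from __future__ import annotations

import random

# Constructed table of byte strings the toy engine picks between when it
# builds a decryption loop.  These stand in for the junk/permuted
# instructions a real polymorphic engine chooses from; not taken from Hare.
TOY_OPS = [b"\x90", b"\x87\xdb", b"\x8b\xc0", b"\x03\xc9\x2b\xc9",
           b"\xf8", b"\xfc", b"\x33\xd2", b"\x86\xe4"]
OPS_PER_LOOP = 12
# Constructed stand-in for the virus body that gets encrypted and appended.
BODY = b"TOY-BODY: identical plaintext appended to every infected object"


def build_decryptor(seed_block: bytes) -> tuple[bytes, int]:
    """Return (decryption loop bytes + key byte, XOR key) chosen from seed_block.

    The engine's only entropy is the saved block, so the same block always
    yields the same loop and key: the property the description points out.
    """
    rng = random.Random(seed_block)
    loop = b"".join(rng.choice(TOY_OPS) for _ in range(OPS_PER_LOOP))
    key = rng.randrange(1, 256)
    return loop + bytes([key]), key


def infection_stub(seed_block: bytes) -> bytes:
    """Decryption loop + key byte + body XOR-encrypted under that key."""
    loop_and_key, key = build_decryptor(seed_block)
    return loop_and_key + bytes(b ^ key for b in BODY)


def infect(host: bytes, seed_block: bytes) -> bytes:
    """Toy appender: the description says Hare writes itself to the end of
    COM and EXE files, so the stub goes after the host bytes."""
    return host + infection_stub(seed_block)


def common_signature(samples: list[bytes]) -> bytes:
    """Longest byte string present in every sample (brute force, fine for a
    few small samples).  This is the constant mask an analyst would lift."""
    shortest = min(samples, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return b""


def scan(data: bytes, signature: bytes) -> bool:
    """Plain signature scanner: true if the mask occurs anywhere in data."""
    return bool(signature) and signature in data


# Constructed hosts and a constructed machine-specific seed block.
HOSTS = [b"MZ\x90\x00host program A", b"MZ\x90\x00host program B",
         b"COM host C\xcd\x20"]
MACHINE_BLOCK = bytes.fromhex("37a1c4f09e0b5d628813fa4c7e25d9b0")


def samples_from_one_machine() -> list[bytes]:
    """All infections on one machine reuse the same saved block."""
    return [infect(h, MACHINE_BLOCK) for h in HOSTS]


def samples_after_reseed() -> list[bytes]:
    """The 1/16 reseed case: each infection under a different block gives a
    different loop and key, so no long constant mask survives."""
    return [infect(h, MACHINE_BLOCK + bytes([i])) for i, h in enumerate(HOSTS)]


if __name__ == "__main__":
    fixed = common_signature(samples_from_one_machine())
    varied = common_signature(samples_after_reseed())
    print(f"mask from one machine: {len(fixed)} bytes "
          f"(equals the whole stub: {fixed == infection_stub(MACHINE_BLOCK)})")
    print(f"mask after reseeding:  {len(varied)} bytes")
```

Running the module prints the mask lengths for the two cases. The analyst's step is common_signature, the same brute-force longest-common-substring a scanner author would apply to a few samples from one infected machine, and scan is the resulting mask check. What the toy makes concrete is that the mask is per machine, not per variant: samples from a second machine, or from this one after a reseed, carry a different loop and key and need their own extraction, which is exactly why the description calls the design strange rather than useless to the virus.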
------------------------------

Date: Wed, 10 Jul 1996 05:11:42 +0000 (GMT)
From: Aryeh Goretsky
Subject: Re: Complete Antivirus Guide, available on the net (PC)
X-Digest: Volume 9 : Issue 111

Hello Zvi (and fellow readers of comp.virus/VIRUS-L),

I have not actually downloaded a copy of your anti-virus white paper, so if the following has been addressed please ignore this [and if you just happen to be an anti-virus developer planning an online white paper, please consider this].

I would like to point out a possible problem for U.S. readers: In the U.S. the most common size of printer paper is US Letter size, 8.5"x11" (or about 216mm x 280mm). This is slightly shorter (and wider??) than A4 size, and anyone printing it will end up with additional pages with a few sentences on them after each page. I am not sure of an easy way for people to reformat the document to U.S. paper sizes. Printing on US Legal size paper (3" longer than US Letter, if I recall correctly) or reducing the size of printed pages to 60 - 75% of the original might help.

If you have not done so, you might want to consider writing a Word macro which repaginates the document and generates a new table of contents and index based on the current numbers. It would be nice if it prompted for this automatically when users opened the document.
Just a concern with some possible ideas for solutions :-)

Regards,

Aryeh Goretsky
______________________________________________________________________________
Mr Aryeh Goretsky            EMAIL goretsky@netcom.com
627 W Midland Ave            CompuServe 76702,1714
Woodland Park, CO            TEL +1 (719) 687-0480
USA 80863-1100               FAX +1 (719) 687-0716

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 111]
******************************************