VIRUS-L Digest    Sunday, 21 Jul 1996    Volume 9 : Issue 120

Today's Topics:

Re: About need of 'clean' booting before scanning process
Re: Fighting Macro Virus in Campus Labs
Re: (fwd) SAMC Virus Alert Report
UNIX Viruses (UNIX)
.DLLs moved to diff't dirs--virus?? (WIN)
Can a virus infect .TTF and .WAV files?? (WIN)
looking for pattern
Re: Zvi's tests of Findviru.exe (PC)
Re: Zvi's tests of Findviru.exe (PC)
Re: Which AV strategy? (PC)
Re: Which AV strategy? (PC)
Re: Which AV strategy? (PC)
Re: Which AV strategy? (PC)
Re: Virus detection by dodgy time/date (PC)
Re: Zvi's tests of Findviru.exe (PC)
Re: Does F-PROT score over SOLOMON or vice-versa (PC)
Re: McAfee VirusScan and WebScan? (PC)
Help! I've been trojaned! (PC)
Generic 408* (PC)
DEF CON IV Convention >Final Announcement< Vegas July 26-28th [long]

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.
Nick FitzGerald

----------------------------------------------------------------------

Date: Sat, 20 Jul 1996 13:57:26 +0200
From: Gerard Mannig
Subject: Re: About need of 'clean' booting before scanning process
X-Digest: Volume 9 : Issue 120

>>X-Digest: Volume 9 : Issue 117

[../..]

>> No, Henri is correct, in general. First, he gave generic help, not
>>AVP-specific. Second, AVP can't necessarily deal with a virus it doesn't
>>know without spreading it, if the new nasty is a fast infector. Third,
>>one doesn't know, _a priori_, whether the AV program to be used recognizes
>>the virus that might be infecting the machine at hand.

Of course, AVP can't deal with an *unknown* virus but, given the detection rate that well-regarded outside testers (VB, among others) give it, the risk of facing this situation is quite low.

Anyway, if this occurs, a clean boot is MANDATORY **but** does not 100% ensure a virus-free memory. As an example, booting clean on a V.6000-infected machine will leave you with infected RAM by the time you have the DOS prompt 8-/

In short: letting AVP deal with it in all contexts is not a sure thing (obviously), and the same goes for booting clean...

>>But this is an important proviso; *no* virus can spread from a clean boot
>>with an uninfected scanner; even AVP may spread a virus it doesn't know if
>>that virus is active in memory.

No, you misunderstood me. As explained above, the V.6000 virus is *active* after a clean boot even if you run no executable file from the infected HD.

When faced with an *unknown* virus, AVP will track what's going on with interrupts like 13h and 21h. If something wrong appears, the user is shown 'tracing at [segment][offset]'. After this, of course, no scan is to be performed; running AVPUTIL will allow him to dig deeper, assuming he wants to handle things by himself.
Isolating a TSR virus hiding in TOM is done within 1 minute and allows anyone to save a piece of RAM as a binary file. A virus hiding in the interrupt vector table requires, of course, more knowledge.

>> Bottom line: Being able to disinfect viruses correctly while they are
>>active in memory is a Good Thing, and AVP is to be commended for this.
>>But the best, safest procedure remains the clean floppy boot. Hence Henri

I agree. I simply point out that doing this is no longer 'water-proof' since V.6000 came out. Moreover, some viruses (Stoned.Empire.Monkey) prevent the user from booting from a floppy, as the HD becomes unreachable in those cases. So, dealing with an infected RAM is sometimes necessary.

>>> Anyone willing to check this now can since AVP22E-A.ZIP is available on
>>> most ( if not all ) SimTel mirror sites
>>
>> Glad to see that AVP is available in a full, eval version again.

Yep. It has been a long-awaited launch ....

Regards,

- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344
Fax : +33 (16) 3560-5011
Distributor of AVP & SYSGuard, France and Spanish-speaking countries
http://www.avp.ch/E/avp-main.htm
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Sat, 20 Jul 1996 16:52:44 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Fighting Macro Virus in Campus Labs
X-Digest: Volume 9 : Issue 120

In article <0001.01I7B84IV0E4XZM9T6@csc.canterbury.ac.nz>
helpdesk@cc.wwu.edu "Helpdesk" writes:

> but we also found that the only virus protection software
> that would detect the Macro virus when using Word was McAfee,

Then you haven't tried very many others.
- - PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Sat, 20 Jul 1996 15:38:54 -0400 (EDT)
From: Jess Daniels
Subject: Re: (fwd) SAMC Virus Alert Report
X-Digest: Volume 9 : Issue 120

As Moms Mabley would have put it, "Older than dirt and weaker than water".

------------------------------

Date: Sat, 20 Jul 1996 12:12:37 -0400 (EDT)
From: Pete Radatti
Subject: UNIX Viruses (UNIX)
X-Digest: Volume 9 : Issue 120

Gee, I thought we hashed out the UNIX virus topic a while ago. Anyone who says that there are no UNIX viruses in the wild is wrong. Anyone who says that script viruses can only infect the user executing them is wrong. There are both UNIX-specific script and binary viruses.

Since I am getting tired of this argument I will start posting a LIST of UNIX attack programs on my web site starting next month. I will not limit it to just viruses but will include trojans, worms and critters. Anyone wishing to contribute to the list should email me.

In addition, I have put most of my white papers on UNIX viruses and other forms of UNIX attack on my web site. My newest paper is called "Why VFind" and discusses the VFind UNIX anti-virus product, its design and why it works the way it does. It's a little long at 12 printed pages but easy reading. Anyone who wishes to discuss the contents of any of my papers is invited to email me provided they are polite. I no longer bother to return email to rude people and I get enough to mention it.

My web URL is http://www.cyber.com
My email address is radatti@cyber.com

Doctor Fred Cohen who started the work on UNIX attacks many years ago has a web site at URL http://all.net

Pete Radatti

------------------------------

Date: Sat, 20 Jul 1996 09:11:05 -0500
From: Tim Courtney
Subject: .DLLs moved to diff't dirs--virus?? (WIN)
X-Digest: Volume 9 : Issue 120

Something is happening to my computer that no one I've talked to has ever heard of. I'm not sure if it's a virus.
The symptoms are: Virtually all .DLL files get moved to directories created by the computer called "DIR0001", "DIR0002"..., etc. This, of course, renders all my applications useless, including Windows 95. I can re-install all the applications, but this is obviously a huge pain, and I have to admit I don't have installation disks for all the programs I use (tsk, tsk, I know).

This "attack" has happened twice. Once when I did a "shut down" and once when I closed out of a dialer to my online provider. When it happens I get a message about the system registry not being right or something (I don't remember exactly, I should have written it down).

ANYWAY, I did an FDISK on my entire hard drive after the first incident, but it happened again. I also took the PC in to the local firm that built it, and they couldn't reproduce the problem, nor could they tell me where it came from. I have also run Norton Anti-Virus and McAfee, to no avail. When the second incident happened, I had Norton jacked up to detect virtually any anti-virus behavior. I'm not sure, but I also think I may have rendered all my DLLs as read-only, to prevent a move command.

Sorry for the long message, but I figured you could use all relevant info. Please help me Obi-Wan Kenobi, you're my only hope.

------------------------------

Date: Sat, 20 Jul 1996 17:54:46 -0600 (CST)
From: Desert.Storm@bbs.net1fx.com
Subject: Can a virus infect .TTF and .WAV files?? (WIN)
X-Digest: Volume 9 : Issue 120

I have a few .TTF files in my WINDOWS\SYSTEM directory that have had the dates changed to the year 2032, there are about 5 of them... Integrity Master and MSAV picked them up. I also have a few .WAV files that have been set to 2092. Integrity Master picked up those.

------------------------------

Date: Sun, 21 Jul 1996 00:56:24 +0000 (GMT)
From: bernhard pfennigschmidt
Subject: looking for pattern
X-Digest: Volume 9 : Issue 120

Does someone out there have an interest in helping me? Does there exist any known virus, worm, etc.
which fills free space on the hard drive with one letter? I have observed various hard drives and found "l" or "P".

Bernhard Pfennigschmidt
Cancun, Mexico

------------------------------

Date: Sat, 20 Jul 1996 16:27 +0000
From: Graham Cluley
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 120
In-Reply-To: <01I7B84IV0E4XZM9T6@csc.canterbury.ac.nz>

Oeyvind Pedersen writes:

> But I agree with you, A-V vendors should keep their commercial ads
> somewhere else, and I feel that they more or less do now. (Maybe
> except for Graham constantly announcing his "independent" reviews
> on dr.sollys WWW)

Which of the reviews at http://www.drsolomon.com/avtk/reviews aren't independent then? None of them are by Dr Solomon's. Most of them can also be found elsewhere on the web, and we include links to other anti-virus vendors' websites.

I give people the URL when they want some independent comparative reviews; there's nothing to stop other anti-virus vendors making available good reviews of their products from Virus Bulletin, University of Tampere, etc.. I wonder why so few choose to do it?

I hope people find my messages in the way they are intended - fair and balanced (albeit occasionally referring to the product I know best: Dr Solomon's)

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sat, 20 Jul 1996 12:49:34 -0400 (EDT)
From: Dave Palmer
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 120

In the VIRUS-L Digest V9 #117, DONNY@iris.co.il wrote:

>I think virus-l is a place where users come to find out information
>about viruses and anti-viruses.
>I do not think most of the users are
>interested in watching anti-virus vendors at each other's throat (I
>don't even think that anti-virus vendors SHOULD be at each other's
>throat :-) ). Why not set up a rule or two to prevent such
>"discussions" from being on virus-l and leave it for discussions about
>viruses and about anti-viruses that solve those viruses?
>
>I work for an anti-virus company and yet I do not find the need
>to continually convince users with an ACTIVE virus problem to
>immediately drop everything else and buy OUR product. If the user has a
>virus it is more important to remove the virus as correctly as possible
>with WHATEVER means possible. I DO think our product is the best and
>I'll do all I can to convince users to buy it but I don't think that
>this marketing effort should be focused mainly on virus-l or on
>users crying for help (similar to a doctor saying "first sign these
>forms that you will become my patient and then I'll administer CPR.
>What do you mean by 'gasp gasp arrggghhh'?").
>
>Why not keep virus-l a bit smaller with information about viruses and
>without lots of fist-fighting?
>
>:personal-opinion off.
>
>:suggestion on.
>
>How about:
> (a) Any appends that say that a particular product is dreadful
>     should not be allowed. Even pointing out that the product
>     destroys data and is worse than >place-favorite-word-here<
>     should not be allowed.
> (b) Praising your product should be kept to a minimum (something
>     like "you can use Kill-All to remove the virus" or "Kill-Them
>     is the best I've seen"). No long explanations how to install,
>     run, select options, wipe, delete log file, etc.
>     That type of explanation should be in the documentation for
>     the product.
>     Exception: If a user says "I have Kill-All, how do I scan for
>     multi-poly viruses", you can definitely explain how to "click
>     on the multi-poly button and press OK".
>
>:suggestion off.

I disagree!
While both the marketing hype and the "fist fighting" have at times gotten out of hand, I find the comments about the various programs and their shortcomings, AS LONG AS THEY ARE BASED ON FACTS AND ARE GERMANE TO THE PROGRAM'S INTENDED USE, to be quite useful. As one who has been regarded as an anti-virus "expert" on this campus, I am often asked what is a good anti-virus program or package. I have no facilities (or time, or real expertise!) for conducting tests or keeping up with all the versions of the various packages available, and I have found VIRUS-L to be quite useful in my efforts to help people whose systems were infected. I would hate to recommend a program or service that I find out later either did not completely resolve the problem or (worse yet) created additional problems.

I do agree with Donny that there have been too many "marketing" efforts at times, and "fist-fighting" at other times (most readers will know who the culprits are), but I find the comments about the various program products and services, both positive and negative, to be useful AS LONG AS THE COMMENTS ARE BASED ON FACTS AND THE SUBMITTER IS WILLING TO POST THE FACTS IN SUPPORT OF THE COMMENTS FOR REVIEW BY OTHERS.

...Dave Palmer, Academic Computing       palmer@ctrvax.vanderbilt.edu
   & Information Services
   Vanderbilt University

------------------------------

Date: Sat, 20 Jul 1996 15:28:56 -0400 (EDT)
From: Kenneth Albanowski
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 120

On Fri, 19 Jul 1996, Totally Lost wrote:

> > How do you cut off the boot-sector entry point?
>
> As you are undoubtedly aware, that is not an OS issue at all, but a bios
> issue.

Good grief -- it's not a BIOS issue, it's a _fundamental_ issue. The computer boots up an OS stored on some medium. If you replace that medium, you can boot anything you like, including a miniature OS that has viral characteristics.
Yes, the PC BIOS makes this a very good route for a virus, but it is hardly the original cause of the problem.

> In the same way, there is no way to secure an 8088, 80188, 80286 or
> derivative system - regardless of the OS you run on it. If there is
> a weak foundation in any security domain, the levels above are
> compromised. If the base hardware is flawed, the OS and above don't stand
> a chance. If the OS is flawed, then any policies implemented above it are
> flawed too.

Please define how a computer can boot without this "weak foundation". Please explain how the 80x86 line is unique in this fashion. Please explain why the von Neumann universal constructor is not susceptible to "boot-sector viruses" since it is not derived from an 8088.

> > How do you distinguish an authorized program accessing a file from an
> > un-authorized program? (Without extreme file typing information, which the
> > MSDOS/WIN API certainly could not support.)
>
> The point is that you can't. Which is why A-V software attempting to
> do this is flawed by design as well.

Most things in life cannot be done perfectly. That doesn't stop people from trying. Behavior monitors/blockers make the best of a bad situation.

> The solution is to use a file access paradigm which has implicit state
> external to the applications ... file permission controls.

Absolutely.

> For multiuser server OS's this is a fundamental part of the system
> design implemented, in part by the filesystem, and mapped to other
> resources. Since the MSDOS API lacks ownership provisions, it must be
> implemented external to the API as administrative state.

True.

> Merge(DOS on UNIX), Netware and NT do this transparently already and it
> works well.

As does DOSEMU under Linux and any other such emulators. It's automatic, as the emulator itself is running under the higher level of security.
> By enhancing the DOS filesystem to include permission controls, and two
> states - normal and administrative, then files could be marked
> execute-only and read-only to limit malware access to important file
> objects in the normal state.

But how do you control this? Remember that the DOS execute call is merely a bit of code that loads some data in from disk, massages it, and then jumps to it. Unless DOS itself isn't present, unless tasks are separated out in a way no-one has yet succeeded in doing, then a "read but not execute" flag is a farce.

> > Viruses don't have to subvert the OS.
>
> True ... but in a bottom to top secure design, they do have to subvert
> something. If the OS can not be subverted, as with UNIX, then attacks
> have to be directed above or below the OS security layer.

Yes, like _people_, or like the stupid things that people do, like leave nominally secure software misconfigured.

> Most firewalls run on a stripped down UNIX type system, with minimal
> utilities and applications ... because the base hardware and OS is secure,
> then they try very hard to make sure the remaining utilities are too,
> minimizing risks should a hacker find a way to get to a CLI/shell on the
> firewall.

Ahem: If the OS is secure, and the hardware is secure, please explain why the utilities need to be secure too?

> As a UNIX Systems Programmer and administrator for over 20 years the few
> problems in the security API that have surfaced over the years were due to
> inexperienced systems programmers (AKA bugs) ... and promptly fixed,

And can all this security do any good if someone leaves a suid root binary lying around, or has a sendmail with holes?

> > How do you stop macro viruses with a sound OS design?
>
> You don't. As I have posted elsewhere, and including in this forum,
> the security domain extends into and includes any network accessible
> application.
> I strongly believe that Microsoft made a grave mistake
> in their implementation of macros in their Office Suite. Most of the
> functionality they implemented could have been implemented in much more
> secure ways ... by controlling the sandbox for document macros, and
> restricting certain macro features to macros that must live external
> to the document as linked objects.

Right, so get rid of batch files too -- they have the same problems with mixing executables & data. (Not that I disagree that Microsoft made mistakes with Office. At the very least, making a macro autoexecute should require user intervention. Also note that Microsoft seems to not like the "sandbox" approach for some reason.)

> > How does this stop a macro virus?
>
> [...] With a strong protection domain, the malware may cause problems
> only with the user's documents and data ... a much smaller set of data to
> restore.

I see. So the macro viruses can't format the disk as a payload. Otherwise, I don't see any difference from current arrangements.

> With a sounder macro design, along the lines of JAVA sandboxes, macro
> viruses would not exist in the wild as they do today. In fact, they would
> not have the means to replicate, or cause damage at all.

Then they aren't very good macros, now are they? Isn't that the direct equivalent of a programming language that does "not have the means to replicate, or cause damage at all."?

> > Definitely. Unfortunately, everyone is using this incredibly old hack
> > called "MS-DOS". If you figure out some way of doing something about that,
> > I'm sure we'd all like to hear about it.
>
> Windows 95 was a big step forward, unfortunately they missed a few
> points. They clearly missed the value of a security domain restriction in
> the filesystem.

Um, you know anything about how Windows "95" (actually 4.0) was put together? A step forward, yes, but not that big. And it wasn't at all a good opportunity to put in security.
> From what I knew of MS-DOS back in the 2.something days, you could
> probably implement the security changes in about 150 pages of C code,
> and only break a few things, mostly malware and A-V products. Fixing
> the problems in Win95 is probably about the same level of effort.

What malware and A-V products? There weren't any back then. Sure, if DOS had been seriously cleaned up, we wouldn't be having this conversation. Instead DOS hasn't changed since the 3.3 days. Tell me something I don't know, and something that's useful in _this_ universe.

> It would probably take a couple weekends for a small team to take the
> FreeBSD or Linux OS, along with the DOS emulator code, to strip it down
> to an 85% hack for a virus resistant DOS compatible implementation.

"DOS emulator code"... You know how that code works? _It runs MS-DOS on a virtual 8086_. I'm afraid using a DOS emulator doesn't simplify anything. Why not talk to IBM -- they've got the source to PC-DOS.

> Not that big a job ... making it run Win3.11 would take a little longer.
> Making it an 85% replacement for Win95 could probably be done in under two
> man years - again not that big an effort for a semester OS class as a team
> project. For an individual ... the risk of harassment from MS would be
> high if released - until it got widely used and supported.

Um, yeah...

> Sadly most of the people who would be interested in this type of project
> are having much more fun with FreeBSD or Linux.

Um, yeah... I'd suggest you look up "DOS-NT" (I _think_ it's called, apologies if I'm wrong) and WINE.

> I never made that claim ... but in comparison to MS-DOS their ability to
> replicate and cause damage, would as I claimed:
>
> "would simply disappear to minuscule proportions."

Apparently true -- either that, or no one has had the inclination.

> The focus would then be on cleaning up applications like MS Office.
> While
> applications were hosted on an unsecure platform, they had no need or
> incentive to implement an unfounded security domain ... if the domain
> exists in the host hardware and OS, then it's much less effort to
> implement, and much more important to maintain in the application.

As far as I can tell, it's exactly the same effort under a secure OS. Only the possible range of damage is limited.

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sat, 20 Jul 1996 14:58:51 -0400 (EDT)
From: Kenneth Albanowski
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 120

On Fri, 19 Jul 1996, Totally Lost wrote:

> In unix environments, background tasks spin off all the time, but are
> unable to exist past the user's logout

That simply isn't true.

> - and they clearly are not part
> of or able to get a handle on any administrative context.

And that's not relevant. Any such background process could still infect any file owned or accessible by the original user.

> More importantly they are highly visible from a simple ps(1) listing.

True, but disguise is possible to a limited extent.

> The only other access points are cron and at ... both of which are also
> visible, and turned off in many installations because of past flaws - as
> are certain .forward features.

As are any number of other features that happen to have been installed. I hate to tell you this, but UNIX is a sieve. Every program like cron, or at, or sendmail, allows for a completely separate set of security flaws.

> In a stable production PC, the administrative context should only be
> entered a few times a year ... it's doubtful a lurker could hide that long
> without detection somewhere, and not end up the object of a scanner
> search.

If the slow infector is present in the first place, either through a trojan or through infection, it could simply be restarted every now and then, just as viruses are under DOS.
No virus would have to survive several months.

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sat, 20 Jul 1996 16:25:05 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 120

In article <0013.01I7B84IV0E4XZM9T6@csc.canterbury.ac.nz>
idletime@netcom.com "Totally Lost" writes:

> Kenneth Albanowski wrote:
>
> > On Sun, 14 Jul 1996, Totally Lost wrote:
> > > It doesn't take much work in an OS to close up 99.99% of the entry
> > > points that give rise to real worries of destruction that a malware
> > > virus/trojan could cause.
> >
> > How do you cut off the boot-sector entry point?
>
> As you are undoubtedly aware, that is not an OS issue at all, but a bios
> issue.

So secure operating systems are not even the answer to the most prevalent viruses? Nowhere near 99.99% in that case.

> One of the lingering security holes present in PC's.

Which is not fixed by adding in a wonderful new secure OS? Not much cop then.

- - PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Sat, 20 Jul 1996 16:17:53 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 120

In article <0014.01I7B84IV0E4XZM9T6@csc.canterbury.ac.nz>
idletime@netcom.com "Totally Lost" writes:

> Iolo Davidson writes:
>
> > In article <0011.01I7427PGTW6WHZC3A@csc.canterbury.ac.nz>
> > idletime@netcom.com "Totally Lost" writes:
> >
> > > In article <0024.01I715RHU6Y2WHZC3A@csc.canterbury.ac.nz>,
> > > George Wenzel wrote:
> > > > Viruses do not exist because of security holes - they exist because
> > > >somebody wrote a program that would replicate itself. This is possible on
> > > >pretty much all high-level OS's.
> > >
> > > Just plain false.
> > > If any code segment can not take over hardware control
> > > of the system (denial of service attacks excluded), then the foundation
> > > for basic security controls is in place. As a secondary control, if the
> > > filesystem normally disallows write access to selected binaries, in
> > > particular those which have administrative priv's and the primary
> > > applications, then the means of replication for a virus is largely
> > > blocked.
> >
> > Too rosy a view. Even in DOS, there are viruses called "slow
> > infectors" that wait for the right conditions to spread without
> > alerting access control packages or AV. Someone has to be able
> > to write system files and executables; you just wait for that guy
> > to come along before doing your infecting.
>
> You assume that a security OS would allow an arbitrary program to leave
> TSRs lying around which are able to grasp an administrative context and
> security domain ... with license to kill.

Why do you assume that viruses are necessarily TSRs? There are many DOS viruses that are not memory resident.

> In unix environments, background tasks spin off all the time, but are
> unable to exist past the user's logout

So? While the user is logged on the virus can infect. If the user is root, the virus can infect everything that root has permissions for. Other users then get infected from the software installed by root.

As someone has pointed out in here, UNIX is not even proof against a well known PC boot sector virus. I was helping man a help desk one March sixth when a Unix user called in with a non-booting computer. Thought he was immune from viruses because he used Unix on his PC instead of DOS, but Michelangelo doesn't care.
- - PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Sat, 20 Jul 1996 16:49:21 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Virus detection by dodgy time/date (PC)
X-Digest: Volume 9 : Issue 120

In article <0028.01I7ASA9LU12XZM9T6@csc.canterbury.ac.nz>
netz@actcom.co.il "Zvi Netiv" writes:

> In its latest version, the generic dodgy date/time detection method
> was added to InVircible's detection methods. Also, the GetDate
> utility was added to the standard IV software package. GetDate is
> a dedicated utility that implements dodgy date-time detection.
>
> As a result, we started getting calls from users that found possibly
> infected files, flagged by the dodgy date method. Some were genuinely
> infected (Satan Bug, Natas, Predator 2, Tequila and Tremor).

Were these infections not detected by the methods InVircible used previously?

- - PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Sat, 20 Jul 1996 16:31:17 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 120

In article <0016.01I7B84IV0E4XZM9T6@csc.canterbury.ac.nz>
gwenzel@gpu.srv.ualberta.ca "George Wenzel" writes:

> Hear, hear! Alt.cmop.virus is the place for unfounded attacks. :-)

Indeed. Unfortunately, however, many are posted by mistake to alt.comp.virus.

- - PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Sat, 20 Jul 1996 16:32:58 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Does F-PROT score over SOLOMON or vice-versa (PC)
X-Digest: Volume 9 : Issue 120

In article <0023.01I7ASA9LU12XZM9T6@csc.canterbury.ac.nz>
Don.Edwards@ci.seattle.wa.us writes:

> Therefore (subject to confirming the above) I'm advising management to
> buy Dr. Solomon for all our servers (two Netware, three NT) and F-Prot
> for all our (roughly 250) workstations.
By mixing the two you will miss out on the facilities (present in Dr. Solomon's to my knowledge, and possibly also in F-Prot) for the server to communicate with the TSR/VxD module on the workstations. This can be configured to give very flexible reporting across the network and to ensure that the workstation AV measures are in place, or even to run scheduled scans on the workstations' local disks from the Netware scheduler.

- - PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Sat, 20 Jul 1996 22:49:48 +0000 (GMT)
From: Jonathan Perkins
Subject: Re: McAfee VirusScan and WebScan? (PC)
X-Digest: Volume 9 : Issue 120

Thanks to those who took the time to respond to my questions. I appreciate your advice, and will follow up on your recommendations to check out further reviews, etc. I have already browsed some of the industry sites, and appreciate the wealth of information that these companies presented on their respective products.

I should also correct my original post to say that the magazine review which I read was in PC WORLD, not PC MAGAZINE. It should also be noted, in all fairness, that they ranked both McAfee's VirusScan and Dr. Solomon's Anti-Virus Toolkit as "excellent", but gave their nod to VirusScan for what they felt was a slightly more user-friendly interface. I can't remember how F-PROT fared, but it comes highly recommended by some others whom I've spoken to.

Thanks again for the help!

- - - ---------
Jon Perkins--Ottawa, Canada
jperkins@ccs.carleton.ca
"fortiter in re, suaviter in modo"

------------------------------

Date: Sat, 20 Jul 1996 19:42:26 -0400
From: edward Mahlin
Subject: Help! I've been trojaned! (PC)
X-Digest: Volume 9 : Issue 120

I got hit by a trojan called "sexquiz.zip". The program seems to have copied a "blank" FAT onto both copies of the FAT on my C drive. I was running it from my D drive.
I believe that all of the data on my C drive is intact, so I am doing everything I can to keep the disk untouched. I need a tool that can search the drive and reassemble the FAT for me. Is there such a tool? And how much does it cost?

I'm under the burdens of a timeline, so I've got to fish or cut bait, as it were. (I.e. reinstall software and restart the project from scratch, or get a recovery tool.)

Thanks for any and all help...

Wildstar

------------------------------

Date: Sat, 20 Jul 1996 19:58:24 -0500
From: "You want the truth?... YOU CAN'T HANDEL THE TRUTH"
Subject: Generic 408* (PC)
X-Digest: Volume 9 : Issue 120

I have a question on a virus that I have little information on. I have just encountered a virus that Pc-Cillin has labeled as Generic-408*. Does anyone have any information on this? I know that it is a memory virus and that it will infect a disk in the boot sector. I have heard that this may start destroying files such as drivers, altering swap files, and slowing the computer down so much that it becomes impossible to do most tasks. I have Win 3.11 and all of these things have happened on it recently.

My Boss recently downloaded McAfee from AOL and lent the disk to me, and the disks (which were previously brand new) were infected as soon as they were booted up. (PcCillin detected it.) Does McAfee not recognize this?? I had 'Cillin clean it and my computer seems to be running fine now. Is there anything else that I need to do?

My Boss's computer will not allow him to format disks from Windows. Do you think that this virus could be causing this as well????

Thanks in advance for your help.
Steve Mockler
00samockler@bsu.edu

------------------------------

Date: Sat, 20 Jul 1996 18:20:01 +0100
From: The Dark Tangent
Subject: DEF CON IV Convention >Final Announcement< Vegas July 26-28th [long]
X-Digest: Volume 9 : Issue 120

FINAL FINAL FINAL FINAL FINAL FINAL FINAL FINAL FINAL FINAL

DEF CON IV Convention Update #1.21 (07.18.96)
July 26-28th @ the Monte Carlo Resort in Las Vegas

DEF CON IV will be held for the fourth time in Las Vegas. Heck, they are building the hotels faster than we can use them up. If you don't know much about Def Con, please check out the web site [www.defcon.org] and you will get an idea.

MEDIA SPOTLIGHT:----------------------------------------------------------

See what the all knowing media has to say about DEF CON:

Despised by Tsutomu "Shimmi" Shimomura -
".. Defcon, a bizarre gathering of anklebiters, telecom industry security people, and undoubtedly a few cops.." - Takedown p. 136

"By day, speakers discussed privacy on the net and computer viruses and the hacking scene in Europe. By night, they gathered in hotel rooms and at casino bars to swap tales of hacking prowess, to dump on the new and clueless.." - The Cyberthief and the Samurai p. 145

IN SHORT:-----------------------------------------------------------------

WHAT: Speakers and partying in Vegas for all hackers
WHEN: July 26 - 28th
WHERE: Las Vegas, Nevada @ the Monte Carlo Hotel
COSTS: $30 in advance, $40 at the door
MORE INFO: http://www.defcon.org or email info@defcon.org

IN LONG:------------------------------------------------------------------

(The following is mostly pirated from last year's announcement.. I'll update it when I feel creative)

Hey, it's time for DEF CON again. This is an initial announcement and invitation to DEF CON IV, a convention for the "underground" elements of the computer culture.
We try to target the (Fill in your favorite word here): Hackers, Phreaks, Hammies, Virii Coders, Programmers, Crackers, Cyberpunk Wannabees, Civil Liberties Groups, CypherPunks, Futurists, Artists, Criminally Insane, Hearing Impaired. It seems that books about the culture are becoming more popular, so of course reporters are also welcome. You won't be hurt. I promise.

So you heard about DEF CON III, and want to hit part IV? You heard about the parties, the info discussed, the bizarre atmosphere of Las Vegas and want to check it out in person? You want to do weird shit _away_ from the hotel where you can't get me in trouble? Then you're just the person to attend!

Sure it's great to meet and party with fellow hackers, but besides that we try to provide information and speakers in a forum that can't be found at other conferences. While there is an initial concern that this is just another excuse for the evil hackers to party and wreak havoc, it's just not the case. People come to DEF CON for information and for making contacts. We strive to distinguish this convention from others in that respect. Plus this year we have official DEF CON GOONS(c) who will pummel you until you pass out should you cause problems for other con.friendly people! Big Brother loves you!

Top Ten reasons to attend Defcon 4 by Pappy 023ndorph

10. There are new hotels and PBX operators who've never heard of us.
9. You swore one year you'd see a speaker. This could be the year.
8. Even pit bosses and bondsmen can forget a face after a year.
7. That guy that told you to fuck off in IRC will be there.
6. You miss the 107 degree evenings.
5. Hookers take credit cards.
4. You go where the no-day eurowarez go.
3. We've got to find the 20+ MIA's from last year.
2. Everyone else is going, follow the herd. Moo.
1. The unbridled smut.
SPEAKERS:-----------------------------------------------------------------

Speakers in the past have included Gail Thackeray, Phil Zimmermann, Bruce Schneier, Susan Thunder, Jim Settle, and many others. Who will we have this year? Well, as usual the actual list is always changing, but below is the current state of the speakers. There will be speaking all day Saturday and Sunday starting at about 10 a.m. and going to 6 p.m. Approx. 20 people will speak (The most ever!), plus smaller tech sessions.

-

[> John Littman - Author of "The Fugitive Game" - Tales from the whole Kevin Mitnick saga.

[> Winn Schwartau - Information Warfare - Winn is the Author of "Information Warfare" and "Terminal Compromise" as well as writing for many security journals and trade publications. Winn will recount the year's interesting InfoWar occurrences and talk about their implications.

[> Eric Hughes - Founder of Cypherpunks List - Digital Banking and Currency issues.

[> Dune - Lock picking demonstration and Q&A - There will be various tools and locks demonstrated. This will be a smaller talk at table X at x:xx on Sunday.

[> Carolyn Meinel - "Jobs are for Lusers" - The oppressive potential of employers and the diversified marketplace results in self employment.

[> Koresh - A technical talk about ip spoofing, sequencing and fragmentation attacks as well as firewall penetration techniques.

[> Stephen Cobb - Head of special projects at the NCSA. - 101 Things to do with an Ex-Hacker - Could we or should we develop a process for "sanitizing" people who want to make the transition from illegal hacking to legitimate employment.

[> Bootleg - "The problems with counterfeiting" - Sure to be a favorite with our federal "MIB" guests. Learn the technologies of reproducing money, and how the new $100 bills have already been forged.

[> John Q. Newman - Sponsored by Index Publishing - "Paper tripping" and document manipulation. How do "they" know who you are?
[> Mudge - Vulnerabilities in OTP's - SecurID and S/key. Dictionary, Spoofing, Hi-Jacking and Race Condition attacks.

[> Richard Thieme - Prodigious writer for .Net, Wired, etc. Speaks on the symbiotic relationship between networked computers and humans - a dialectic constituting a rising spiral of mutual transformation.

-

[> Richard K. - Specialist in Kidnap & Ransom negotiations, electronic surveillance counter measures and international trade - Will talk about what's real and what isn't, plus a Q&A session that should be very interesting. Sorry! Current law prohibits show and tell of the more controversial technology.

[> Netta "grayarea" Gilboa - Sex, Lies and Computer Crimes: The Truth Behind The Indictment Of "Computer Genius" Christopher Schanot.

[> Jim Carter - Van Eck Tempest demonstration - Jim will attempt to "Van Eck" a remote computer monitor, and explain the theory and application.

[> Dave Banisar - Senior Policy Analyst at EPIC - "Tales from inside the Beltway: truly scary stories on privacy, censorship and watching Congress and the President work."

[> Andrew Black - FBI Computer Crime Division - Someone from the FBI will talk on the newly created computer crime divisions in San Francisco, Washington D.C. and New York.

[> Attitude Adjuster - Windows 95 viruses and the Internet: How public API's and crafty code make for wild potential viruses.

[> Yobie Benjamin - Source Coder Supreme! - Will talk about Java security issues, design considerations and areas for further "exploration" with grinch, who regularly publishes technical articles in the magazine Java World.

[> Ira Winkler - NCSA - Ira Winkler has performed penetrations that rival the best of the hacker community. He is in the very enviable position of being paid to hack into some of the largest companies in the world.
While he holds the unpopular opinion that hackers should be prosecuted for their actions, he believes that hackers can "outgrow their ignorance and be valuable members of the information security community."

[> Mike Peros AKA White Knight - Private Investigator - He has some great war stories to share with everyone about some illegal Japanese Intelligence bugs that I found at a DOD contracting facility which was working a US Air Force contract involving the F 18 fighter jet. US Government Illegally Wire Tapping Innocent American Citizens and how I caught them. Data Tapping Through the Switch. Compromising the sub frame rooms, cross connect boxes, and the many uses of liquid solder. The use of a cell phone as an eavesdropping device.

[> Hack the Lies Project - "Hack The Lies" was created to give a voice to the once-silent hacker community. Over the years, popular misconceptions have arisen about the hacking community and its motives, which are now taken as fact by the general populace. "Hack The Lies" is here to dispel this misinformation and to educate the public on who we are, what we do, why we do it, and more. Come join us for discussion during Defcon IV and make your views known.

[> The Institution -

[> Emmanuel Goldstein - Editor and publisher of 2600 Magazine - Panel discussion with Scott Skinner - "Why the E.F.F. Sucks"

[> David I. Brussin - Information Systems and Security Consultant - David will discuss security issues involved in the changes in global networking and commerce. He will address the concerns that corporations and individuals will face doing business electronically over the next five years.

[> Dan Veeneman - Decode Systems - Something along the lines of "Satellite Vulnerabilities: Present and Future", talking about controlling satellites, jamming and spoofing, GPS systems, future LEO systems, etc. ...
[Moderator's note: Due to the full length of this message (32KB) and the size limit I impose on the list/group (for the mailing list subscribers' sake) I have trimmed the rest of the announcement. Check the web site mentioned or contact the poster for further details.]

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 120]
******************************************