Date: Thu, 10 Jan 91 13:57:04 EST
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject: VIRUS-L Digest V4 #8
To: Multiple recipients of list VIRUS-L <[email protected]>
VIRUS-L Digest Thursday, 10 Jan 1991 Volume 4 : Issue 8
Today's Topics:
Administrivia - Document archive update
Re: nVIR-like resources... (Mac)
Re: UK Computer Crime Unit
Re: MacVirusIndex (Mac)
Re: Prevent hard disk infection? (PC)
Re: QEMM Virus? (PC)
Re: Addition to monthly postings?
Floppy disk detection (PC)
Re:Prevent hard disk infection? (PC)
Re: QEMM Virus? Followup from Quarterdeck (PC)
clean72.zip update (PC)
Virex Address (PC)
Various thoughts
Stoned in KC, Mo. (PC)
Re: Stoned Virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 10 Jan 91 11:54:55 -0500
From: Kenneth R. van Wyk <[email protected]>
Subject: Administrivia - Document archive update
I just put a README file in the VIRUS-L/comp.virus document archives
on cert.sei.cmu.edu (directory pub/virus-l/docs), and did some general
house-cleaning there. The README contains a list and one-line summary
of all the files on the archive.
Don't forget that the docs are provided as a free service; if you have
submissions or updates, please feel free to send them in! Just mail
them to [email protected].
Ken
------------------------------
Date: 09 Jan 91 22:55:51 +0000
From: [email protected] (Puneet Pasrich/;093091;eeugrad)
Subject: Re: nVIR-like resources... (Mac)
[email protected] (Kevin Hill) writes:
> I believe that a way to "vaccinate" a Mac against nVir is to create a
>resource with the nVir type and when nVir tries to infect it, it bumps
>into the nVir resource already there and fails.
> If I am wrong, please correct me everyone.. Thanks.
You are correct in stating that you can "vaccinate" against the nVir
by creating dummy resources and pasting them into each application.
However, this will not be met with a favorable response from your
favorite anti-viral program. I'd recommend not creating these dummy
resources, unless for whatever reason, you are not allowed to use a
program like Disinfectant or SAM.
- --
==============================================================================
== Puneet Pasrich ============ Internet: [email protected] ==============
== Karate Kid ================ Macs rule, and that's all there is to it ======
== In Capitalism, man exploits man. In Communism, it's the other way around. =
------------------------------
Date: 10 Jan 91 00:10:11 +0000
From: [email protected] (daniel lance herrick)
Subject: Re: UK Computer Crime Unit
[email protected] (James Nash) writes:
> [email protected] (Anthony Appleyard) writes:
>>>"The UK Computer Crime Unit hasn't got an email-address, nor do they
>>>read these UUCP-news. Pandy
>>> [email protected]"
>>
>>If they aren't in contact with the computing world, how can they operate
>>effectively? If they can't email, and have to rely on GPO mail and the
>>phone and personal visits, and can't get email circulars, they are going to
>>be way behind developments. Can't they afford a microcomputer and a modem?
>
> The reason why the UK CCU has such a small budget is because their
> superiors do not believe there is a problem. If more people in the UK
> actually reported viral infections as crimes then the police might be
> interested in solving those crimes. We are years behind America and
> other nations in this respect.
Is there a system manager geographically near them who reads this and
could invite them over to get acquainted? Show them some of the
existing cooperative anti-vandal effort? Give both you and them new
resources? Offer them access to the net through your system, either
by phone or by coming to your facility to use a local terminal?
dan herrick
[email protected]
------------------------------
Date: Thu, 10 Jan 91 02:14:44 +0000
From: [email protected] (Ace Stewart)
Subject: Re: MacVirusIndex (Mac)
[email protected] (Jim Wright) writes:
>Andreas "Pandy" Holmberg ([email protected]) has pointed out to me
>that there is a MacVirusIndex available from nic.funet.fi in the
>directory /pub/mac/doc. Does anyone know if this is available from an
>archive site in the U.S.?
Yup sure is! On icarus.cns.syr.edu (128.230.1.49) in /virus is a copy
of the file. Being one of the SysAdmins for that system, I am always
interested about these things, and if people have requests, let me
know...
Cheers! Ace
>(Please don't everyone grab this file from
>Finland. Wait until it shows up a bit closer to you.) I haven't seen
>this, so I don't know how it compares to the Virus Encyclopedia Stack.
I agree wholeheartedly.
- --
| Ace Stewart (Jonathan III) |A /\ |
| Affiliation: Eastman Kodak Company. Rochester New York | _/ \_ |
| Internet/ARPA: [email protected] | \_ _/ |
| Bitnet: [email protected] | /\ A|
------------------------------
Date: 10 Jan 91 09:17:07 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Prevent hard disk infection? (PC)
MONAT%[email protected] writes:
>Is there any way to prevent a virus from infecting a hard disk when
>you cold boot with an infected diskette in drive a: ?
Not without additional hardware I'm afraid. Any program run from
AUTOEXEC.BAT or CONFIG.SYS is run after the disk has booted, and
(possibly) infected the hard disk.
You can get software which will detect the infection as soon as it
happens, but to prevent it, you need additional hardware, which will
prevent writes to the hard disk, unless some conditions are met.
- --
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: [email protected] Fax: 354-1-28801 |
------------------------------
Date: 09 Jan 91 09:47:04 +0000
From: Mark Hughes <[email protected]>
Subject: Re: QEMM Virus? (PC)
[email protected] (Richard W Travsky) writes:
>This appeared in a recent Info-Ibmpc digest. Figured I'd pass it on.
> ...deleted...
>From: David Kirschbaum <[email protected]>
>Subject: Reported QEMM virus
>Received from the Fido Dr. Debug Echo, 1 Jan 91.
>David Kirschbaum
>Toad Hall
>FROM: Richard Crain Area # 23 ( Dr. Debug )
>TO: ALL
>SUBJECT: Virus
>I have found what appears to be a virus on the factory supplied disk
>from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
>install.exe programs. These 2 programs contain a HEX signature of
>EAF0FF00F0 which indicates the possible presence of the 648 virus.
I have checked my QEMM v5.0 master disks and find this signature also
occurs in the same named files, but which are obviously much older.
They are dated 9 March 90 on my disk. I have been using QEMM v5.0 for
a good few months (can't remember exactly when I bought it) and have
had no reason to suspect virus infection of my system. The age of QEMM
v5.0 without apparent virus report is interesting.
In addition, McAfee's scan program 5.1v67 fails to complain about QEMM
v5.0 or v5.1 despite manual inspection showing that the signature does
appear as reported above. A "Vienna/648" virus is described in the
McAfee documentation.
This is all fairly reassuring to me, but it is possible that this
is a dormant virus just waking up. It needs further investigation (by
Quarterdeck I guess), but caution rather than panic seems appropriate.
Hope this adds to the investigation.
[Ed. Please see followup below!]
Mark
- --
---------------- Eml: [email protected] or [email protected]
| Mark Hughes | Tel: +44 (0) 223 420024 Cambridge Consultants Ltd.
|(Compware & CCL)| Fax: +44 (0) 223 423373 The Science Park, Milton Road,
---------------- Tlx: 81481 (CCL G) Cambridge, CB4 2JB, UK.
------------------------------
Date: 09 Jan 91 21:29:44 +0000
From: [email protected] (Chuck Hoffman)
Subject: Re: Addition to monthly postings?
[email protected] (Jim Wright) writes:
> It has been suggested that I add a section to the monthly postings of
> archive sites that would explain what to do with ZIP, ZOO, ARC, HQX,,
> SIT, etc. files. Would you find this information useful?
I would find it useful, especially if you included in the "what to do"
information about upgrades to software like Stuffit, United, etc.
- -Chuck
- - Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
[email protected] | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131 | here, we're supposed to help
GTE VoiceNet: 679-2131 | each other.
GTE Telemail: C.HOFFMAN |
------------------------------
Date: Thu, 10 Jan 91 12:31:00 +0100
From: "Olivier M.J. Crepin-Leblond" <[email protected]>
Subject: Floppy disk detection (PC)
>From: Douglas Barlow <[email protected]>
>> From: Mr Gordon S Byron <[email protected]>
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. ideally, something like
>> SAM II on the Mac. I noticed a reference to a program called McAfee's
>> scan. Is that an auto-scan antivirus program?
>
>Only one problem with that idea: How can the machine tell when a disk
>is inserted? There isn't any type of sensor in IBM floppy drives like
>in the Mac.
>
>Doug Barlow
There are many types of 3 1/2 PC disk drives. Some drives
actually detect a disk as soon as it is inserted. This type is
recognizable when the shutter door of the disk is heard to slide as
soon as the disk is inserted. However, I think that the sensor is a
purely mechanical sensor (switch) which is connected to a solenoid of
some sort, which makes a small lever slide the shutter. The second
type of 3 1/2 disk drive slides the shutter open only when the disk is
accessed for the first time after being inserted in the drive.
What one would need, is some guidelines on the features a PC
disk drive should have. Because of the number of cheap clones around,
there is still a long way to go.
Olivier M.J. Crepin-Leblond, Internet: <[email protected]>
Communications & Signal Processing , Electrical Engineering Dept.,
Imperial College of Science, Technology and Medicine, London, UK.
>> If nothing else works: take disk. take knife, use knife on disk.
------------------------------
Date: Thu, 10 Jan 91 14:24:38 +0700
From: Carlos Jimenez <[email protected]>
Subject: Re:Prevent hard disk infection? (PC)
>Is there any way to prevent a virus from infecting a hard disk when
>you cold boot with an infected diskette in drive a: ? (I should have
>written "when you unfortunately have left a diskette in drive a:" or
>"when you leave your computer unattended and someone boots from a
>diskette").
>
>Paul M. Monat Lab Manager Phone: 613-564-6895/6500
> Faculty of Administration Fax: 613-564-6518
> Canada K1N 6N5 Bitnet: Monat @ Uottawa
When you power on the computer, the ROM BIOS checks the machine and then
looks for a diskette in drive A:. If it can read a boot sector, it
reads it in at 0000:7C00 and runs it.
(There are some BIOSes for ATs, '386s and '486s that allow you to
configure which drive to start from and store this information in
CMOS memory. I don't know if this is your case.)
When a boot sector virus infects a diskette (with or without an operating
system), it can make a boot sector that can infect any hard disk using:
- direct access to the hard disk port
(I don't know of any virus that actually uses this method),
- BIOS Int 13h Function 03 (Write sector)
(like Stoned),
- DOS Int 26h (Write absolute sector)
(like Bouncing Ball).
I don't know of any software solution for the first two methods of
infection, but I can suggest that you change the ROM or add some EPROM
that prevents booting from A:.
The third method of infection has a software solution. If you
clear the partition table of your hard disk, DOS can't recognize
the hard disk (as if it had no low-level format), and Int 26h calls
will fail. For a successful boot from the hard disk you must replace the
original bootstrap routine with another that writes the original
partition table back, then reads the boot sector of the active partition
and executes it. You must include a program that clears the
partition table again (I have a driver in CONFIG.SYS).
WARNING: - This method forces two writes to the partition sector (to create
and erase the partition table) on each warm or cold boot. It can
reduce the MTBF (Mean Time Between Failures) of this sector, and a write
error can be dangerous.
- If you don't have DOS in the active partition, the problem is
more complicated. (I can send you some ideas.)
Carlos Jimenez R+D Manager Phone: +34 1 556 92 15
ANYWARE Information Security +34 1 556 92 16
General Peron, 32 Fax: +34 1 556 91 58
28020 Madrid (SPAIN) EUnet: [email protected]
------------------------------
Date: 09 Jan 91 01:52:25 +0000
From: [email protected] (Robert Stanley)
Subject: Re: QEMM Virus? Followup from Quarterdeck (PC)
Dear Virus-L moderator,
With reference to the report of a possible virus in QEMM-386 v5.1, this
is not a virus. I have already passed the enclosed information through
to the comp.sys.ibm.pc.digest moderator where this report first surfaced
on the Internet/Usenet.
I have been in touch with Quarterdeck Office Systems because we make
extensive use of QEMM-386 in our development environment, and received
the following FAX from them.
======================= Start of FAX =============================
Dear Mr. Stanley,
Thanks for forwarding the FidoNet message. We will see if we can
crawl on FidoNet and set the record strait (sic).
For the record, the byte string "EA F0 FF 00 F0" can indeed be
found in the OPTIMIZE.EXE and INSTALL.EXE as well as QEMM386.SYS.
That code is JMP F000:FFF0. It is the way that we reboot the
system. It is an intentional part of our code, not the result of
a virus. While rebooting the system is something a virus might
do, having this code in your program certainly does not make you
a virus. If this is the signature some virus scan program is
using to detect the 648 virus, it would seem they need to devise
a more discriminating test.
Please be assured that our programs are produced under highly
controlled circumstances and that great care is taken throughout
our organization with respect to virus infection. We are
confident that none of the products we have ever shipped have
contained viruses. Of course, our disk, like any unprotected
diskette is subject to infection by a virus when it is installed
on a machine which already carries a virus. If you are concerned
about this, you should obtain and run one of the many good virus
detection programs, but again, the report you forwarded does not
indicate a virus.
Hopefully, all of this helps you breathe easier.
Stan Young
Technical Support
======================== End of FAX ==============================
We had no evidence of a virus on any of our systems, but I thought
I ought to inform them of this report. I have informed Quarterdeck
that I am forwarding their reply to you. I believe that you should
publish this information as soon as possible, to allay fears that
may have been started by the wide dissemination of the original
report. If you wish to cross-check my information before publishing
it (I, too, could be a malicious prankster), Quarterdeck's standard
phone line is (213) 392-9851, and their technical support line is
(213) 392-9701.
I have no connection with Quarterdeck other than as an extremely
satisfied user of QEMM-386.
Robert_S
- --
Robert Stanley UUCP: uunet!mitel!cunews!cognos!roberts | 3755 Riverside Drive
Cognos, Inc. INet: roberts%[email protected] | PO Box 9707, Ottawa
(Research) Alice: (613) 738-1338 x6115 (EST/EDT) | Ont K1G 3Z4, Canada
[I haven't really lost my mind, I'm sure I have a backup on tape somewhere.]
------------------------------
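Added example, not part of the digest and not Quarterdeck's code. The bytes EA F0 FF 00 F0 that the FidoNet report treated as a 648 virus signature decode as a 16-bit far JMP to F000:FFF0, the BIOS reset entry point, which is exactly what a program that reboots the machine contains. The C below assumes only the standard library; the "reboot stub" buffer is constructed for the example and stands in for no real program. It decodes the jump and runs a naive byte-string scan over that buffer, showing that a signature this short cannot tell a reboot routine from a virus. It makes no claim about how SCAN or any other product actually matches the Vienna/648 virus.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The byte string reported as a "648 virus" signature. */
static const uint8_t kReportedSig[5] = { 0xEA, 0xF0, 0xFF, 0x00, 0xF0 };

/* Decode a 16-bit x86 far JMP: opcode EAh, then a little-endian offset
 * and a little-endian segment.  Returns the target packed as
 * (segment << 16) | offset, or 0 if the bytes are not a far JMP. */
uint32_t far_jmp_target(const uint8_t *p, size_t len)
{
    if (len < 5 || p[0] != 0xEA)
        return 0;
    uint16_t off = (uint16_t)(p[1] | (p[2] << 8));
    uint16_t seg = (uint16_t)(p[3] | (p[4] << 8));
    return ((uint32_t)seg << 16) | off;
}

/* 1 if the bytes at p are JMP F000:FFF0, the BIOS reset entry point:
 * executing it restarts the machine, which is why an installer or
 * memory manager legitimately contains it. */
int is_bios_reset_jmp(const uint8_t *p, size_t len)
{
    return far_jmp_target(p, len) == 0xF000FFF0u;
}

/* Naive byte-string scan, the kind of match a short signature relies on.
 * Returns the offset of the first hit or -1. */
long find_signature(const uint8_t *buf, size_t len,
                    const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || len < siglen)
        return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0)
            return (long)i;
    return -1;
}

/* Constructed stand-in for an ordinary utility's "reboot" routine
 * (cli; jmp far F000:FFF0).  Not Quarterdeck's code: it only shows that
 * the reported bytes are what any reboot-by-far-jump looks like. */
static const uint8_t kConstructedRebootStub[] = {
    0xFA,                          /* cli */
    0xEA, 0xF0, 0xFF, 0x00, 0xF0   /* jmp far F000:FFF0 */
};

/* Scan with the five-byte signature and report whether the hit is nothing
 * more than a far jump to the reset vector.  Returns 1 for such a false
 * positive, 0 when the signature is absent.  (With this signature every hit
 * is a reset jump, because the bytes themselves encode the jump.) */
int short_sig_false_positive(const uint8_t *buf, size_t len)
{
    long at = find_signature(buf, len, kReportedSig, sizeof kReportedSig);
    if (at < 0)
        return 0;
    return is_bios_reset_jmp(buf + at, len - (size_t)at);
}

int main(void)
{
    size_t n = sizeof kConstructedRebootStub;
    long at = find_signature(kConstructedRebootStub, n,
                             kReportedSig, sizeof kReportedSig);
    printf("signature hit at offset %ld; reset-vector jump: %s\n", at,
           short_sig_false_positive(kConstructedRebootStub, n) ? "yes" : "no");
    return 0;
}
```

The practical lesson is the one in the FAX: a scanner's signature has to include bytes that are specific to the virus body, not an instruction sequence any well-behaved program may contain, and a hit on a string this short is grounds for a second, more discriminating check before a product is reported as infected.
------------------------------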
Date: Thu, 10 Jan 91 09:21:27 -0600
From: James Ford <[email protected]>
Subject: clean72.zip update (PC)
A bad copy of clean72.zip was put on mibsrv on January 9, 1990. When
receiving the file from Homebase, line noise apparently trashed the
file transfer. A clean copy of clean72.zip has been placed on mibsrv
at 9:00am CST on Jan. 10, 1990.
Thanks to [email protected] and [email protected] for telling
me of the problem.
- ----------
You cannot antagonize and influence at the same time.
- ----------
James Ford - [email protected], [email protected]
THE University of Alabama (in Tuscaloosa, Alabama USA)
------------------------------
Date: Thu, 10 Jan 91 09:12:55 -0700
From: [email protected] (Richard W Travsky)
Subject: Virex Address (PC)
The January 7th PC-WEEK has a full page ad for virex on the back cover.
The address and phone numbers (definitely) are:
Microcom Software Division
3700-B Lyckan Parkway
Durham NC 27717
1-919-490-1277
in Europe call 44 483 740763
There was no 800 number listed, so that apparently has been discontinued.
A version of their software for PCs is listed as "new".
------------------------------
Date: 10 January, 1991
From: Padgett Peterson <padgett%[email protected]>
Subject: Various thoughts
It being a new year, I have had some time over the holidays to
collect a few thoughts on PC (IBM-type) viral protection.
First off, the only effective solution to unknown boot sector
viruses (as well as known ones) would have to be in the form of an Int
13 intercept, and the only time that the system is both stable and
known that software can affect is on the partition table read
following POST, since neither DOS nor anything else has revectored the
interrupts yet. Since there is no way short of hardware to prevent
floppy booting, protection must take place here. This way, even if an
infection takes place, it can be detected immediately, something I do
not believe can be guaranteed at any later time (e.g. in CONFIG.SYS or
AUTOEXEC.BAT).
A second layer is some form of system protection that monitors
the operating system and prevents subversion. The easiest method would
be to incorporate this into the "special" partition table but must be
recognized as a separate task.
The next layer of protection would be authentication of files
presented to the operating system for execution such as any number of
systems do (Enigma-Logic's VIRUS-SAFE, McAfee's SCAN with the /AV, or
the Dr. Panda Utilities plus many others). Such authentication can
only be effective if the operating system can be trusted when it is
invoked.
Finally, some form of authentication or denial of unknown
programs presented to the system (floppies) must be provided, such as
with McAfee's VSHIELD, Fridrik's F-PROT, or CERTUS. The trouble is
that such scanning is only good on known infections and must be kept
up to date. For many the thought of updating 5000 machines with no
budget is horrifying.
Intelligent application of these four elements should reduce
risk of infection to near zero and detect the remainder as soon as
they happen.
Lately, I have been playing with some "smart" partition table
programs and, other than the difficulty of debugging (when you make a
mistake, on boot the PC just sits there smiling at you) and proper
handling of registers in a 50h byte niche, it is proving very
interesting. For instance "fixing" a PC so that if it is booted from a
floppy, the hard drive is just not there to DOS is trivial, and
STONED/JOSHI/BRAIN attacks are immediately detected.
Having fun in the Sun
Padgett
P.S. Some of the techniques found could correct viral mistakes, so I cannot
discuss these in an open forum or with unknown individuals; however, the
above should point to things to look for in a "good" anti-virus program
or mix of programs.
------------------------------
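Added example, not from either poster. Carlos Jimenez's message above describes clearing the partition table so that DOS cannot see the hard disk (and INT 26h writes have nowhere to go), then writing it back for the boot; Padgett Peterson's "smart" partition table checks the sector read after POST and detects STONED/JOSHI/BRAIN on the spot. The C below models both over a constructed 512-byte sector in an ordinary program, not as real boot code. The MBR layout it uses (boot code in the first 446 bytes, four 16-byte partition entries at 1BEh, 55h AAh at 1FEh) is the standard one; the guard state is a struct here, where a real implementation would have to fit it into the spare bytes of the sector and do its reads and writes through INT 13h; the sample partition entry, the placeholder boot bytes and the simulated overwrite are all constructed, and nothing in it is virus code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512
#define PART_TABLE_OFF 0x1BE   /* four 16-byte partition entries */
#define PART_TABLE_LEN 64
#define SIG_OFF        0x1FE   /* 55h AAh */

/* State a "smart" partition sector would keep in its spare bytes (a struct here). */
typedef struct {
    uint8_t saved_table[PART_TABLE_LEN];   /* the real partition table */
    uint8_t saved_code[PART_TABLE_OFF];    /* boot code as installed */
} mbr_guard;

int mbr_has_signature(const uint8_t *sector)
{
    return sector[SIG_OFF] == 0x55 && sector[SIG_OFF + 1] == 0xAA;
}

/* Partition entries DOS would see: those with a non-zero type byte. */
int mbr_partition_count(const uint8_t *sector)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += sector[PART_TABLE_OFF + 16 * i + 4] != 0;
    return n;
}

void guard_install(mbr_guard *g, const uint8_t *sector)
{
    memcpy(g->saved_code, sector, PART_TABLE_OFF);
    memcpy(g->saved_table, sector + PART_TABLE_OFF, PART_TABLE_LEN);
}

/* Carlos Jimenez's trick: table zeroed, DOS sees no hard disk, INT 26h has nowhere to write. */
void guard_hide_partitions(uint8_t *sector)
{
    memset(sector + PART_TABLE_OFF, 0, PART_TABLE_LEN);
}

/* Put the real table back before control passes to the active partition. */
void guard_restore_partitions(const mbr_guard *g, uint8_t *sector)
{
    memcpy(sector + PART_TABLE_OFF, g->saved_table, PART_TABLE_LEN);
}

/* Padgett Peterson's check on the sector read after POST: a Stoned-style infection
 * replaces the boot code via INT 13h, so any byte differing from the installed copy
 * (or a missing 55h AAh) means it changed.  Returns 1 on change. */
int guard_boot_code_changed(const mbr_guard *g, const uint8_t *sector)
{
    return !mbr_has_signature(sector) ||
           memcmp(g->saved_code, sector, PART_TABLE_OFF) != 0;
}

/* Constructed minimal MBR: placeholder bytes where boot code would be, one
 * active FAT16 partition starting at LBA 63.  No real boot or virus code. */
void make_sample_mbr(uint8_t *sector)
{
    memset(sector, 0, SECTOR_SIZE);
    for (int i = 0; i < PART_TABLE_OFF; i++)
        sector[i] = (uint8_t)(0xC0 + (i & 0x0F));
    uint8_t *e = sector + PART_TABLE_OFF;
    e[0] = 0x80; e[4] = 0x06; e[8] = 0x3F; e[13] = 0x02;  /* active, FAT16, LBA 63, 0x200 sectors */
    sector[SIG_OFF] = 0x55; sector[SIG_OFF + 1] = 0xAA;
}

/* Hide the table (as on a floppy boot), then restore it: DOS must see zero
 * partitions while hidden and the original table afterwards.  1 = ok. */
int hide_restore_round_trip(void)
{
    uint8_t sector[SECTOR_SIZE];
    mbr_guard g;
    make_sample_mbr(sector);
    guard_install(&g, sector);
    guard_hide_partitions(sector);
    int hidden_ok = mbr_partition_count(sector) == 0 && mbr_has_signature(sector);
    guard_restore_partitions(&g, sector);
    return hidden_ok && mbr_partition_count(sector) == 1 &&
           !guard_boot_code_changed(&g, sector);
}

/* Simulated infection: the first 64 bytes of boot code are overwritten with constructed
 * filler (not virus code); the table is left intact so the machine still boots.  1 = caught. */
int simulate_infection_and_detect(void)
{
    uint8_t sector[SECTOR_SIZE];
    mbr_guard g;
    make_sample_mbr(sector);
    guard_install(&g, sector);
    memset(sector, 0x90, 64);
    return guard_boot_code_changed(&g, sector);
}

int main(void)
{
    printf("hide/restore round trip: %s; boot code overwrite detected: %s\n",
           hide_restore_round_trip() ? "ok" : "FAILED",
           simulate_infection_and_detect() ? "yes" : "no");
    return 0;
}
```

Two points carry over from the messages unchanged. The comparison catches any change to the boot code, not only a known virus, which is why Padgett wants it done on the first partition table read after POST, before anything has revectored INT 13h. And hiding the table costs the two extra writes per boot that Carlos warns about; restoring the sector from a known-good copy is also the general form of the "fix your HD boot sector" step in the Stoned clean-up further down.
------------------------------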
Date: Thu, 10 Jan 91 12:47:57 -0500
From: Arthur Gutowski <[email protected]>
Subject: Stoned in KC, Mo. (PC)
Just got off the phone with a friend of mine in Kansas City, MO. He
has been infected with the Stoned virus (don't know which variant).
He apparently contracted the infection from a borrowed copy of
Ontrack's Disk Manager. The diskette was obtained from the Computer
Resale Center in Kansas City. He has not booted up with any other
diskettes in quite some time, so he strongly suspects the Disk Manager
diskette. Fortunately for him, he had already cleaned off the drive
and was preparing to low-level format the hard drive anyway. He will
start with a cold boot from a clean diskette before proceeding (don't
want to spread the beast any further).
He has contacted the vendor and alerted them to the problem. As
always, there are no guarantees, but it would seem that the Ontrack
diskette caused the infection.
Disclaimer: This was meant for information only. It was not intended to nail
anyone to the wall (except for the ******* that wrote the virus
to begin with!!)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"The problem with the future is that it keeps turning into the present."
-Hobbes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_ /| Arthur J. Gutowski, System Programmer
\'o.O' MVS & Antiviral Group / WSU University Computing Center
=(___)= Bitnet: AGUTOWS@WAYNEST1 Internet: [email protected]
U PH: (313) 577-0718 *or* [email protected]
Bill sez "Ackphtth"
------------------------------
Date: Thu, 10 Jan 91 06:44:04 +0000
From: [email protected] (Frank van der Hulst)
Subject: Re: Stoned Virus (PC)
[email protected] (Herb Presley, Emergency Planning Officer) writes:
>Further to my earlier posting, I got ahold of a copy of McAfee's SCAN
>program, and it confirmed that the [Stoned] Virus was still affecting
>my hard drive. So I have now managed to cure the problem, and for
>what it's worth to anyone, if interested, here's how:
Lots of stuff deleted here:
What you needed to do was to a) Boot from a clean copy-protected disk
(which you did), then b) Fix your HD boot sector. Having done that,
Stoned is dead. Finally, c) Go through your floppies with e.g. SCAN,
and treat them the same way... Stoned can only get off the floppy if
you boot off the floppy.
>Hope this helps anyone else who has been infected by the [Stoned]
>virus. (By the way, I don't know if you've noticed but the person who
>wrote the message "Your PC is Stoned! LEGALISE MARIJUANA!" doesn't
>even know how to spell legalize.......heh! heh! And I'll bet he
>thinks he's smart.)
Hate to say this, but he's smarter than you are!!! LegaliSe is the
Queen's English as spoken here in NZ (where Stoned originated, and is
now at epidemic levels) -- your version is a mere vulgar Americanism.
:-)
>And one other thing, a warning! I think I picked up the virus from a
>fairly reputable software company's disks that I purchased several
>months ago - a word processor, no less! It looks like some this major
>company may have a snake in the woodpile. I can't mention their name
>here, however I will be taking my case up with them so that they can
>call in the mongoose brigade.
Many software shops here open packages for demos, etc., then reseal
them. It is not uncommon to find a virus on a disk in a "sealed"
package.
- --
Take a walk on the wild side, and I don't mean the Milford Track.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 8]
****************************************
Downloaded From P-80 International Information Systems 304-744-2253