Date: Fri, 11 Jan 91 10:59:42 EST
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject: VIRUS-L Digest V4 #9
To: Multiple recipients of list VIRUS-L <[email protected]>
VIRUS-L Digest Friday, 11 Jan 1991 Volume 4 : Issue 9
Today's Topics:
Re: SCAN program for IBM's (PC)
Mac system 7.0 compatible Anti-Virus programs (Mac)
Stoned and Joshi (PC)
Re:Auto-scanning Virus Vaccine? (PC)
Hard Disk Protection (PC)
Re: Virex Address (PC)
Re: possible macintosh virus (Mac)
Re: Stoned Virus (PC)
Re: Computers at Risk book - how to order - (General)
Joshi & Stoned II (PC)
Re:obscure procedure in Yankee Doodle (PC)
Re:SCAN program for IBM's (PC)
re: Joshi & Stoned 2 (PC)
re: obscure procedure in Yankee Doodle (PC)
Politically motivated viruses
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 10 Jan 91 12:56:00 -0600
From: Pete Klammer/303-556-3915 <[email protected]>
Subject: Re: SCAN program for IBM's (PC)
>> From: Mr Gordon S Byron <[email protected]>
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. Ideally, something like
>> SAM II on the Mac. I noticed a reference to a program called McAfee's
>> scan. Is that an auto-scan antivirus program?
>
>Only one problem with that idea: How can the machine tell when a disk
>is inserted? There isn't any type of sensor in IBM floppy drives like
>in the Mac.
>
>Doug Barlow
Isn't the write-protect sensor status available for polling? If you
constantly (once per clock tick) check the write-protect detector, you
could see the "shadow" of the diskette sleeve (write protected or not)
as the disk is inserted or removed. I.e., if the detector toggles in
any way, a diskette has been either inserted or removed.
- --poko "Eesti vabaks/free Estonia!" Pete Klammer (303)556-3915
FAX(303)556-4822
CU-Denver Computing Services, AHEC Box#169 / [email protected]
1200 Larimer St, NC2506, Denver CO 80204 / {uucp...}!boulder!pikes!pklammer
P.O. Box 173364, Denver CO 80217-3364 / [email protected]
------------------------------
Date: Thu, 10 Jan 91 15:01:46 -0500
From: [email protected]
Subject: Mac system 7.0 compatible Anti-Virus programs (Mac)
Hello folks. I have been working under system 7.0b1 for a while
now and It's pretty snazzy. In fact I now need the functionality of
7.0 and rarely switch back to 6.0.x. I am also a registered user of
Sam 2.0.2c, Rival 1.whatever and Disinfectant 2.4. (yes, I do the
virus protection here) My problem is that none of these versions of
these anti-viral programs (esp. the inits) is fully 7.0
compatible. Anyone out there know anything that is? Mister Cozza,
are you listening? Any replies are welcome. Send to [email protected]
Thanks,
Alex Zavatone
Zav B!-]
------------------------------
Date: Thu, 10 Jan 91 10:32:21 -0800
From: [email protected] (Rob Slade)
Subject: Stoned and Joshi (PC)
[email protected] (Jeffrey) writes:
> The guy that is "curing" the problem indicated that the
> two viruses in combination created some sort of unique problem
> and that Joshi may be a "Friday the 13th" type bomb.
Get a new expert.
The dual infection may indeed cause some "conflict" problems between the
viri, but the "hanging" of the computer is a common symptom of Joshi.
But only on January 5th.
According to Pat Hoffman's December '90 listing, Joshi cannot be removed
from a hard disk without a low level format, but you might try FPROT
version 1.13. FPROT's BOOTVIR.TXT does not state whether or not it will
remove Joshi, but it does a fine job with Stoned (1 or 2).
Joshi is a "Friday the 13th" type bomb *only* in the sense that it is
date activated. There is no report of deletion of files.
Finally, yes, Jeffrey, recovery is possible. Quite easily. *Boot from a
known clean system disk first!* Both Joshi and Stoned are boot sector
viri. In fact, if you are willing to boot from floppy, you can now use
your computer as is. As long as you don't boot from the hard disk, the
viri will never activate. But, assuming you don't want to go along with
such an awkward kludge, having booted clean you can now use any backup
utility to backup your files, and then do any disinfection procedures you
wish, with FPROT, SCAN, CLEAN or even a low level format.
OK, one caveat. With the two viri operating and moving sectors around,
your FAT *may* have suffered some damage. But I don't think it very
likely.
------------------------------
Date: Thu, 10 Jan 91 16:07:52 -0500
From: "Bonnie Scollon" <[email protected]>
Subject: Re:Auto-scanning Virus Vaccine? (PC)
I have been waiting for someone more knowledgeable than I to answer this
but since no one has stepped forward, here goes.........
Vi-Spy (from RG Software) has a resident program which can be used
to automatically scan diskettes. It works on most newer machines (since
around 1986) which support Drive Change Line (or something like that.)
If the machine has this technology, the disk is automatically scanned and if
a virus is found, the user has the option to clean the diskette. If the
user chooses not to clean, they are not able to use the diskette.
This, however, does not work if the diskette is called from within a
program (such as a data disk with a word processor.)
More info on this can be found in the documentation with the software.
Although this program is expensive by the single copy, the educational
site license is very affordable.
Bonnie Scollon
Oakland Community College (Michigan)
------------------------------
Date: 10 January, 1991
From: Padgett Peterson <padgett%[email protected]>
Subject: Hard Disk Protection (PC)
>> From: Mr Gordon S Byron <[email protected]>
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. Ideally, something like
>> SAM II on the Mac.
Could be done with something hooking the timer but why ? MACs execute
code on the floppy when inserted but an IBM or clone does not (unless
you try to boot from it). Under MS-DOS, a program must be requested
for execution before it is loaded and that is when good anti-viral
programs do their thing.
>From: Carlos Jimenez <[email protected]>
>Subject: Re:Prevent hard disk infection? (PC)
>>Is there any way to prevent a virus from infecting a hard disk when
>>you cold boot with an infected diskette in drive a: ? (I should have
>>written "when you unfortunately have left a diskette in drive a:" or
>>"when you leave your computer unattended and someone boots from a
>>diskette").
>>
>>Paul M. Monat Lab Manager Phone: 613-564-6895/6500
>When a boot sector virus infects a diskette (with or without operating system)
>it can make a boot sector that can infect any hard disk using
> - direct access to hard disk port
> (I don't know any virus that use this method actually),
They do not because many disks use different ports and access methods
so one single method will not work well. Most hardcards and
non-standard disks (EDSI, SCSI) use their own ROM extensions located
at a different address so a virus cannot tell just where to look
(incidentally, a similar reason is why DOS viruses do not fare well
under unix or OS/2).
> - BIOS Int 13h Function 03 (Write sector)
> (like Stoned)
Yup
> - DOS Int 26h (Write absolute sector).
> (like Bouncing Ball,
Boot sector infectors cannot use this since Int 26 is not there until
after DOS loads (and usually goes through Int 13 ultimately as do most
of the Int 21 functions that do disk access anyway).
>The third method of infection has a solution using software. If you
>clear the partition table of your hard disk, the DOS can't recognize
>the hard disk (like it hasn't low level format), and Int 26h calls
>will fail. For a successful boot from hard disk you must change the
>original bootstart routine by another, that writes the original
>partition table and then reads the boot sector of the active partition
>and execute it. You must include a program that clears again the
>partition table (I have a driver in CONFIG.SYS)
This is what I have been playing with except that the copying
of sectors is a crude way to do it - a custom partition sector either
not containing the partition table or with an encrypted table is much
more effective. You can also check for certain things like a hooked
Int 13 very easily since you are dealing with the bare BIOS at this
point - something impossible from either CONFIG.SYS or AUTOEXEC.BAT.
Another plus is that you can do many other things from here like
prevention of hard disk formatting, partition table corruption, and
passing of clean system parameters to the rest of the anti-virus
program invoked later.
and may have just found a nice 69 Grand Prix, whee,
Padgett
------------------------------
Date: Thu, 10 Jan 91 16:42:10
From: [email protected]
Subject: Re: Virex Address (PC)
>From: [email protected] (Richard W Travsky)
>
>The January 7th PC-WEEK has a full page ad for virex on the back cover.
>The address and phone numbers (definitely) are:
> Microcom Software Division
> 3700-B Lyckan Parkway
> Durham NC 27717
> 1-919-490-1277
> in Europe call 44 483 740763
>There was no 800 number listed, so that apparently has been discontinued.
>A version of their software for PCs is listed as "new".
The 1-800 number is for people who have already purchased Virex-PC,
although a quick phone call to 1-800-555-1212 would give that to people
who haven't purchased the product (yet <grin>).
The "New" notation is to show that VIREX-PC is new for the PC as versus
the well established Virex for the Mac. A new release of Virex for the
Mac was announced today at MacWorld. A new release of Virex-PC will be
forthcoming shortly -- just one more bug to kill....current release
is V1.1a. Each purchase includes one free upgrade.
Ross M. Greenberg,
Author, Virex-PC
These are not the views of Microsoft.
------------------------------
Date: 11 Jan 91 00:09:51 +0000
From: [email protected] (Sam Tan)
Subject: Re: possible macintosh virus (Mac)
[email protected] writes:
>Does anyone know of a Macintosh virus that will make all floppy disks
>appear to be locked to the computer? At first, we thought the problem
>was with the disk drive, but when it started surfacing on other
>computers, we've become a little suspicious. Any help would be
>appreciated.
>Matt Wu
>[email protected]
The only occurrence I know of this happening is when you try to recover disks
using MacTools. The programs set the software disklock field on the disk to
ON, thereby making the System think that the disk is locked. You will need to
copy the stuff off the disk, and reformat it, unless you know how to reset
the lock byte.
NB: Merely inserting the disk in your drive and selecting "Erase Disk" won't
work, the System will say the disk is locked. You will have to hold down the
"Cmd-Opt-Tab" keys while inserting the disk. This key combination only works
on the Finder, not all applications.
Enjoy.
Sam
[email protected]
------------------------------
Date: Fri, 11 Jan 91 13:54:00 +1100
From: [email protected]
Subject: Re: Stoned Virus (PC)
[email protected] (Herb Presley, Emergency Planning Officer) writes:
> Last week I wrote.............
>
> > I have had a problem with the "Stoned" virus on my 8088 based XT.
Etc...
Herb goes on to say how he cleaned his HDD the hard way, instead of
using CLEAN from McAfee.
I would have suggested CLEAN to Herb, only my mail bounced, and so
did mail routed through uunet.uu.net.
Can you supply a proper path Herb? Send me an email message, and I
will tell you what your path to/from me is. (I don't know until you
send mail to me.)
> Hope this helps anyone else who has been infected by the [Stoned]
> virus. (By the way, I don't know if you've noticed but the person who
> wrote the message "Your PC is Stoned! LEGALISE MARIJUANA!" doesn't
> even know how to spell legalize.......heh! heh! And I'll bet he
> thinks he's smart.)
Unfortunately, the guy *did* know how to spell "legalise". The virus
originated in New Zealand which uses British spelling of such words,
just like I do.
Danny
[email protected]
------------------------------
Date: Thu, 10 Jan 91 12:35:00 -0800
From: [email protected]
Subject: Re: Computers at Risk book - how to order - (General)
CMLHD%[email protected] (Colin Lay) writes:
> The National Research Council has published a much longer study entitled
> "Computers at Risk - Safe Computing in the Information Age". It is
> available from the National Academy Press in Washington. Telephone
> orders are accepted at 1-800-624-6242 for US customers or (202) 334-3313
> for those of us who can't access the 800 number. They will accept VISA,
> MasterCard or American Express.
I just received my copy, but haven't gotten to read it yet.
303 pages, it looks pretty good.
Chpt. Title
1 Overview & Recommendations
2 Concepts of Information Security
3 Technology to Achieve Secure Computer Systems
4 Programming Methodology
5 Criteria to Evaluate Computer and Network Security
6 Why the Security Market has not Worked Well
7 The Need to Establish an Information Security Foundation
8 Research topics and Funding
Mark <o===6
------------------------------
Date: 11 January, 1991
From: Padgett Peterson <padgett%[email protected]>
Subject: Joshi & Stoned II (PC)
In issue 7 Jeffery <[email protected]> writes that his PC is
infected by both JOSHI and the STONED II (Donald Duck). I haven't tried
such a dual infection but it certainly is feasible. Because JOSHI is
more selective, I would venture that it was the first infection,
followed by the STONED II, therefore the real partition table can
probably be found at absolute sector 9 on the hard disk (if not it
might be in sector 7, but I doubt it). Interestingly, Joshi puts its
code into sectors 2-6, skipping 7 where the Stoned usually infects.
To look at these sectors, use the following debug code:
    a
    mov ax,0201     ; ah=02 read sectors, al=01 read one sector
    mov bx,200      ; buffer at es:bx, i.e. ds:200 (es=ds=cs under debug)
    mov cx,9        ; ch=track 0, cl=sector to read, 1 is first
    mov dx,80       ; dh=head 0, dl=80 first fixed disk
    int 13          ; the notorious - see IBM ROM BIOS by Ray Duncan
    int 20          ; quit
                    ; bare <cr> gets you out of assemble mode
    g               ; to run
    d200 3ff        ; dumps sector (more than one screen); real table will have
                    ; messages like "Invalid Partition Table" in ASCII
    e107            ; to change sector number (the cl byte of mov cx,9)
after you find the partition table and it is in the 200-3ff area, just
e102 to change the 2 (read) to 3 (write) and e107 to 1 & run to put
the partition table back. NOTE: do not try the last part unless you
are SURE you know what you are doing as it can lose the table
completely, making the disk unreadable except by an expert. However,
for a multiple infection such as you seem to have I would prefer the
manual method to any automatic one (why CLEAN et al have disclaimers).
Incidentally, since this is dangerous, I didn't tell you to do it.
Padgett
Addendum: you MUST cold boot from a known clean floppy before attempting
disinfection or sector reads since many viruses intercept Int 13.
Padgett
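The "find the real partition table" step above can be made mechanical. The following is an added example, not Padgett's code or any tool named in the digest: it parses each candidate sector (as returned by an Int 13h read of head 0, track 0) as a DOS master boot record and reports the first one that is structurally sane. All sector contents are constructed for the demo; the sector 7 / sector 9 labels follow the post's description of where Stoned and Joshi park the original.

```python
"""Pick the displaced original partition sector out of raw Int 13h reads.

Added example, not code from Padgett's post or from any tool it names.
It automates the check his debug session makes by eye. All sector
contents below are constructed, not captured from an infected disk.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446             # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of every valid boot sector
# Text the stock DOS master boot code prints; a hint, reported separately.
MBR_MESSAGES = (b"Invalid partition table", b"Missing operating system")


def parse_partition_table(sector):
    """Return the non-empty partition entries of a master boot record,
    or None if the sector does not hold a sane DOS partition table."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return None
    entries, active = [], 0
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # flag, 3 CHS start bytes (skipped), type, 3 CHS end bytes, LBA, size
        flag, ptype, start_lba, size = struct.unpack("<B3xB3xII", raw)
        if flag not in (0x00, 0x80):   # anything else is not a DOS table
            return None
        active += flag == 0x80
        if ptype == 0:                 # unused slot
            continue
        if size == 0:                  # a real partition has sectors
            return None
        entries.append({"active": flag == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": size})
    if not entries or active > 1:      # at most one bootable partition
        return None
    return entries


def find_original_mbr(candidates):
    """candidates maps sector number (head 0, track 0) to the 512 bytes an
    Int 13h read returned. Returns (sector, entries, saw_message) for the
    first candidate that parses, or None when none of them does."""
    for sector_no, data in candidates.items():
        entries = parse_partition_table(data)
        if entries is not None:
            return sector_no, entries, any(m in data for m in MBR_MESSAGES)
    return None


def build_demo_mbr():
    """Constructed MBR: stub boot code plus one active FAT16 partition."""
    code = b"\x00" * 100 + b"Invalid partition table\x00"
    table = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 65000) + b"\x00" * 48
    return code.ljust(TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed reads in the order the post suggests: sector 1 is what the
# virus left in place, 7 is where Stoned usually parks the original, 9 Joshi.
DEMO_SECTORS = {
    1: b"\x90" * 510 + BOOT_SIGNATURE,   # signature present, no sane table
    7: bytes(range(256)) * 2,            # junk, no boot signature
    9: build_demo_mbr(),
}
```

Once the parsing candidate is found, the write-back step in the post is still a manual decision; this only narrows down which sector to look at.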
------------------------------
Date: Thu, 10 Jan 91 22:13:56 +0700
From: Carlos Jimenez <[email protected]>
Subject: Re:obscure procedure in Yankee Doodle (PC)
>Send by Martin Zejma <[email protected]>:
>
>hello virus-proofed community |
>Last week i found the ( or a ) oh-so-old-but-never-found Yankee ...
>...
>SO THE ONE AND ONLY QUESTION :
>Are there systems where this part of memory is accessible or would the
>virus just overwrite a resident other virus when the value in the
>BIOS-segment is below 280h due to a previous (already running)
>infection ?
The segment A000h of computer is used by graphics cards like EGA, MCGA
& VGA to implement graphics modes 0Dh to 13h and new modes of higher
resolution. This segment of memory isn't used in text modes. Thus,
when you use text modes (the normal situation if you don't work in
Windows) the virus can use the segment A000h. Probably you have a CGA
or Hercules Graphic Card and then you can't use this segment (There
isn't RAM for the virus in this segment). I hope this comment can
help you.
Carlos Jimenez R+D Manager Phone: +34 1 556 92 15
ANYWARE Information Security +34 1 556 92 16
General Peron, 32 Fax: +34 1 556 91 58
28020 Madrid (SPAIN) EUnet: [email protected]
------------------------------
Date: Thu, 10 Jan 91 22:40:34 +0700
From: Carlos Jimenez <[email protected]>
Subject: Re:SCAN program for IBM's (PC)
>> From: Mr Gordon S Byron <[email protected]>
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. Ideally, something like
>> SAM II on the Mac. I noticed a reference to a program called McAfee's
>> scan. Is that an auto-scan antivirus program?
>
>Only one problem with that idea: How can the machine tell when a disk
>is inserted? There isn't any type of sensor in IBM floppy drives like
>in the Mac.
>
>Doug Barlow
I can suggest this idea:
If you install a TSR that captures Int 13h Function 02h (BIOS Read
sector) and this TSR scans for virus signs in each read of the boot sector
of the floppy disk, you automatically detect boot viruses on the first
access to the removable media (DOS will read the boot sector of the
removable media, i.e. floppy disk, on the first access to the floppy
because it needs to know the format of the disk in order to access it).
You can add another interrupt routine that captures Int 21h Function
4Bh or 3Dh (EXEC or OPEN) and, before executing or opening a file, the
TSR scans it for known signs of viruses. This is the basis for TSR
vaccines like VSHIELD or F-PROT.
If you wish more details you can write me to [email protected]
Carlos Jimenez R+D Manager Phone: +34 1 556 92 15
ANYWARE Information Security +34 1 556 92 16
General Peron, 32 Fax: +34 1 556 91 58
28020 Madrid (SPAIN) EUnet: [email protected]
------------------------------
Date: 11 Jan 91 09:32:33 -0500
From: "David.M.Chess" <[email protected]>
Subject: re: Joshi & Stoned 2 (PC)
I'd guess that you just have the usual Stoned virus (at least one
version of one popular scanner was reporting "Stoned 2" on normal
Stoned infections); as far as I know, the Stoned-2 hasn't reached the
U.S. population yet.
Anyway, assuming you have the usual Stoned virus and the usual Joshi
virus, neither of them "intentionally" do any damage to files (that
is, there's no piece of code in either one to which one can point and
say "this was clearly intended to trash the disk / files"). On the
other hand, both are doing odd and unexpected things to your disk, and
there are definitely circumstances in which (for instance) the Stoned
by itself can overlay part of your FAT with a copy of the original
master boot record (producing, to say the least, unexpected results).
I wouldn't be at all surprised if on some machines a combined
Stoned+Joshi infection would damage something on the disk! I would
expect, though (assuming, again, that you have the "vanilla" viruses),
that only a few sectors have actually been trashed, and that virtually
all your data is still there *somewhere*...
DC
------------------------------
Date: 11 Jan 91 09:39:54 -0500
From: "David.M.Chess" <[email protected]>
Subject: re: obscure procedure in Yankee Doodle (PC)
Martin Zejma <[email protected]>:
> Are there systems where this part of memory is accessible or would the
> virus just overwrite a resident other virus when the value in the
> BIOS-segment is below 280h due to a previous (already running)
> infection ?
I haven't verified it myself, but a reasonably authoritative rumor
says that the checksum the virus does will detect a Bouncing Ball
(a.k.a. "Ping Pong") infection active in memory, and patch it so that
it (eventually?) stops infecting.
There are a few other cases of viruses that look for other viruses;
the Den Zuk / Ohio family look for and remove the Brain (before
installing themselves), the TPxxVIR look for and remove earlier
members of the family, and so on.
DC
------------------------------
Date: Fri, 11 Jan 91 15:10:18 +0000
From: [email protected] (Fridrik Skulason)
Subject: Politically motivated viruses
Somebody asked about politically motivated viruses - I just wanted to
mention the 'GrLkDos' or 'Groen Links' variant of Jerusalem, which
plays a tune associated with the Dutch 'Groen Links' (Green Left)
political party.
Of course we really don't know whether the virus was written by a
supporter of the party or somebody who wanted to give the party a bit
of bad publicity.
Both explanations are possible.
- -frisk
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 9]
****************************************