VIRUS-L Digest Monday, 17 Jun 1991 Volume 4 : Issue 103
Today's Topics:
Re: Hong Kong on MircoTough dist. disks (PC)
re: Is there a 1024 virus? (PC)
DOS 5 Fdisk (PC)
Re: Hypercard Antiviral Script? (Mac)
Request for info on BBS viruses, worms, etc
Possible PC Virus (PC)
Re: Virus scaners (PC)
Re: Help With Frodo & Yankee Doodle (PC)
Infected networks (PC)
Re: Questions about "Disinfectant" (Mac).
Getting register contents, etc. "on the fly." (PC)
Problems removing Azusa (PC)
Re: Is there a 1024 virus? (PC)
Fprot v1.16 (PC)
Why I didn't find the virus.exe (PC)
Re: Hoffman Summary & FPROT (PC)
New address and hostname for MIBSRV (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 13 Jun 91 11:43:07 -0500
From: [email protected] (Frank Doss)
Subject: Re: Hong Kong on MircoTough dist. disks (PC)
[email protected] (Derek William Ebdon) writes:
>One thing that Mr. Doss forgot to mention is that although Central
> . . .
>it cannot remove the virus from a hard drive. The only way to
>disinfect a hard drive is to redo the low level format because the
For those of you with IDE hard drives, contact Seagate. They are
selling Disk Manager (version 4.1 or later is needed) for $6.00. This
version of Disk Manager will format the boot sector, partition table,
and the data sections of the disk, but not the error table. You might
want to ask Seagate and your vendors for details.
I am not endorsing Disk Manager, but merely reporting what Mr. Ebdon has
reported as what worked for him.
Thanks, Derek, for the reminder. I hope your machine is working much
better now. ;-)
Frank E. Doss
Eastern Illinois University
------------------------------
Date: Thu, 13 Jun 91 12:52:56 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: re: Is there a 1024 virus? (PC)
>From: Arthur Buslik <[email protected]>
>
>As Rob Slade suggests, one possibility is a virus. However, a much
>more likely possibility is that the computers have extended bios
>extended data areas.
This is certainly a viable alternative. However, if running DOS 4.0
or later, CHKDSK will "normally" detect this and return "655360"
anyway.
A few years ago, when we received our first Compaq 386-20e, we
discovered the same thing: 1k missing from the TOM, & DEBUG revealed it
to be essentially zero-filled (obviously not executable). After much
prodding, Compaq told us that it was a buffer area for the mouse
driver and that there is a jumper on the motherboard that can be moved
to restore the missing 1k.
Whenever a new machine comes in, it is a good idea to take some
baseline data for later reference.
For me, any time Int 12 is lowered, I check the memory area in
question. If executable code is found, unless known, a look is taken
at other system integrity areas for a reason. If nulled or obviously
data, the manufacturer is called for an explanation (often a
frustrating & time consuming experience).
Padgett
Somewhere West of Orlando
------------------------------
Date: 13 Jun 91 14:26:07 -0400
From: [email protected]
Subject: DOS 5 Fdisk (PC)
Readers might want to play with an undocumented /MBR switch in DOS 5
FDISK. It appears to force FDISK to overwrite the code in a PC/PS2
master boot record, without touching the partition table, and in
limited testing on a half dozen machines it succeeded in cleaning up
machines infected with the Stoned, the Stoned 2, and the Joshi
viruses. This was with the DOS 5 shipped by IBM, not Microsoft's DOS
5; can somebody please test MS-DOS 5?
The Joshi can't be removed this way unless it isn't active in memory.
(e.g. cold boot from a write protected, uninfected bootable DOS 5 disk
with a copy of FDISK on it.)
The command line syntax tested was
FDISK /MBR
Bill Arnold
[email protected]
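What the post above describes FDISK /MBR doing (new code in the first 446 bytes of sector 0, partition table and 0x55AA signature left alone) can be modelled on a sector image. The following is an added example, not code from the original post and not FDISK's own code: the "standard" and "foreign" boot-code bytes are constructed placeholders rather than any real loader, and the single partition entry is made up.

```python
import struct

SECTOR_SIZE = 512
CODE_LEN = 446            # bytes 0..445: boot-strap code (the part FDISK /MBR replaces)
TABLE_OFF = 446           # four 16-byte partition entries follow the code
SIG_OFF = 510             # 0x55 0xAA boot signature closes the sector
BOOT_SIG = b"\x55\xaa"


def parse_partitions(mbr: bytes):
    """Return the four partition entries as (bootable, type, lba_start, sector_count)."""
    if len(mbr) != SECTOR_SIZE or mbr[SIG_OFF:] != BOOT_SIG:
        raise ValueError("not a 512-byte sector with a boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        bootable = mbr[off] == 0x80
        ptype = mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        entries.append((bootable, ptype, lba_start, count))
    return entries


def rewrite_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """Replace only the code area; partition table and signature pass through unchanged."""
    if len(new_code) > CODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    parse_partitions(mbr)  # refuse to touch anything that does not look like an MBR
    return new_code.ljust(CODE_LEN, b"\x00") + mbr[TABLE_OFF:]


def table_preserved(before: bytes, after: bytes) -> bool:
    """The check a cautious operator wants after the rewrite: bytes 446..511 identical."""
    return before[TABLE_OFF:] == after[TABLE_OFF:]


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sector: one bootable FAT16 (type 0x06) partition at LBA 63, 20480 sectors."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 0, 0, 0]) + struct.pack("<II", 63, 20480)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code.ljust(CODE_LEN, b"\x00") + table + BOOT_SIG


# Placeholders standing in for loader code (constructed; not IBM or Microsoft bytes).
STANDARD_CODE = b"\xeb\xfe" + b"\x90" * 30                 # jmp $ ; nops
FOREIGN_CODE = b"\xea\x00\x7c\x00\x00" + bytes(range(40))  # "something else" in the code area


def demo():
    """Return (partition table unchanged?, code area now the standard code?) for the sample disk."""
    suspect = build_sample_mbr(FOREIGN_CODE)
    repaired = rewrite_boot_code(suspect, STANDARD_CODE)
    return (table_preserved(suspect, repaired),
            repaired[:CODE_LEN] == STANDARD_CODE.ljust(CODE_LEN, b"\x00"))


if __name__ == "__main__":
    print(demo())
```

The post's caveat about Joshi applies to any such rewrite: a boot-sector virus still active in memory can hand the program a different sector image than what is on disk, so the sector must be read and rewritten after a cold boot from a write-protected, clean diskette. A rewrite of the code area also does nothing for a virus that altered the partition table itself, which is why `table_preserved` is worth checking against a saved copy.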
------------------------------
Date: Thu, 13 Jun 91 18:38:36 +0000
From: [email protected]
Subject: Re: Hypercard Antiviral Script? (Mac)
Mike writes...
------------------------------------------------------------------
The main problem is that there is no way to catch the parameters of
the SET function in HC 2.1.
-----------------------------------------------------------------
I write...
According to the release notes, you can catch the parameters of a Set in HC 2.1
But that doesn't matter since a Send to HyperCard is untrappable.
Mike later writes...
-----------------------------------------------------------------
The problem with this is that a field of all stacks that have been
checked needs to be kept, and every time that a stack is opened, the
field must be examined to see if this particular stack has been
checked.
------------------------------------------------------------------
I write...
Unfortunately, if the virus stack traps for the OpenStack message it becomes
harder to know when a new stack has been opened. You could have the user induce
the checking procedure, but then it would be too late and your Home Stack
script could be wiped out, or other worse things could happen by then.
Mike again....
--------------------------------------------------------------------
As I said before, if anyone else feels like beating me
to the punch with a solution of their own, feel free - but don't you
DARE charge $$ for it.
--------------------------------------------------------------------
Me again...
The only solution seems to be to check your Home Stack periodically, or lock it,
and always make backups of important stacks.
Apple MUST prevent using a Set command within a Send to HyperCard or no stack
will be safe!!
Sounds scary doesn't it?
>Mikey.
>Mac Admin
>WSOM CSG
>CWRU
>
[email protected]
and me...
--Eric
------------------------------
Date: Thu, 13 Jun 91 15:33:00 -0500
From: [email protected]
Subject: Request for info on BBS viruses, worms, etc
We are putting together a list of viruses, worms, or trojan horses
specifically aimed at BBS software or capable of being implanted
in a system through BBS procedures (e.g., new user information,
uploading zip files). We *ARE NOT* looking for viruses that are
spread *on* BBSs by sharing of software, but rather for programs
specifically designed to attack a system *using* BBS software, such as
the recent bug in Telegard that allowed a user to access the system
using zip files.
We are trying to update a story for CuD. Responses can be sent to:
[email protected] or
[email protected]
Jim Thomas / Sociology-Criminal Justice / Northern Illinois University
------------------------------
Date: Thu, 13 Jun 91 13:36:04 -0700
From: "robert c. morales" <[email protected]>
Subject: Possible PC Virus (PC)
I have a Packard Bell with an 80386X-16 Mhz CPU. It runs on MS-DOS
4.01 and a Dosshell 4.0. Every time I do work on the computer (word
processing, networking, games, etc.) DOS seems to create (on its own)
a file, named numerically or alpha-numerically but in a random
fashion, of about 15K in size (with a range of from 7K to 17K). When
you try to view the file (which incidentally sits among the DOS
files), you can make out that it is bits and pieces of what is on the
hard drive. Initially, it has not affected any other program on the
hard drive. However, two days ago, the DOS files appeared to have
replicated themselves with such names as EDLIN._OM and AUTOEXEC._AT,
all of which were 77 bytes in size with the same dates and times. This
necessitated reformatting the hard drive. Also, the Dosshell was
removed from the AUTOEXEC.BAT. Right now, the problem seems to have
been corrected, whatever it was. Is anybody familiar with this
problem? Most other resource people I have consulted about this have
indicated that they have only heard about this on Packard Bell
computers. Any tips?
Robert Morales
7340p@navpgs
[email protected]
------------------------------
Date: Wed, 12 Jun 91 23:57:53 -0700
From: [email protected]
Subject: Re: Virus scaners (PC)
In a recent VIRUS-L posting Dennis Hollingworth <[email protected]> said:
> I tested McAfee's SCAN77 using Rosenthal Engineering's new
> release of Virus Simulator (I've seen posted as VIRSIM11.COM
> on EXEC-PC, Compuserve and others). It seems that SCAN77
> misses three boot sector viruses that SCAN76 found on
> the same disk. Both versions of SCAN found nine viruses
> in the .COM, four in the .EXE and seven in the test memory
> virus.
Since no real virus was present all of these "hits" could be regarded
as false alarms, theoretically. We must be careful to distinguish what
is being tested here. Just because a particular anti-viral product
does not declare a particular test string to be a virus, we cannot say
that the scanner has failed. A good case can be made for saying that
the simulator failed.
The only "test target" that can be used is the entirety of a virus,
and at that point you no longer have a "simulator", you have the real
thing.
Fritz Schneider
------------------------------
Date: Fri, 14 Jun 91 16:05:27 +0000
From: dave@nucleus (Dave Coder)
Subject: Re: Help With Frodo & Yankee Doodle (PC)
[email protected] (Alan Jones) writes:
> FRODO & YANKEE DOODLE
>
> Has anyone got any information on these two viruses.
> They have just arrived on the campus ( 2000+ computers ),
Norton Antivirus 1.0.0 gets both Yankee Doodle (various forms) and
Frodo (4096). You can install it as a RAM-resident program to check
incoming files. It works.
Dave
[email protected]
------------------------------
Date: Fri, 14 Jun 91 13:12:04 -0700
From: [email protected] (Rob Slade)
Subject: Infected networks (PC)
padgett%[email protected] (A. Padgett Peterson) writes:
> In this case I had such a self-check program (1400 bytes) that just
> checks its own length & checksum. If it passes, the program exits, if
> it fails, the client machine displays a warning message and is locked
> up. In this manner, the server application files are protected from
> infection (are never called by an infected client). Each client gets a
> new copy of the "goat" file so clean clients are not affected, and
> infected clients are identified.
I have been reviewing a product from Bangkok called Victor Charlie
that takes a similar approach. An intriguing concept.
I hope to be able to release the review shortly.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
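The "goat" program Padgett describes above, one that checks its own length and checksum before the client is allowed anywhere near the server applications, reduces to a few lines. The block below is an added example, not Padgett's program and not Victor Charlie: the file layout (an 8-byte header carrying the expected length and a CRC-32 of the rest) and the sample images are constructed for illustration.

```python
import struct
import zlib

# Header built into the goat file: (expected total length, CRC-32 of everything after it).
HEADER = struct.Struct("<II")


def build_goat(body: bytes) -> bytes:
    """Produce the file image: header with the expected length/CRC, then the program body."""
    total_len = HEADER.size + len(body)
    return HEADER.pack(total_len, zlib.crc32(body) & 0xFFFFFFFF) + body


def self_check(image: bytes) -> str:
    """What the goat program does at start-up: compare its own length and checksum
    with the values built into it.  Returns 'OK' or a reason string."""
    if len(image) < HEADER.size:
        return "CORRUPT: too short to carry a header"
    expected_len, expected_crc = HEADER.unpack_from(image)
    if len(image) != expected_len:
        # File infectors that append or prepend code change the length; this is the cheap test.
        return f"LENGTH CHANGED: expected {expected_len}, found {len(image)}"
    if zlib.crc32(image[HEADER.size:]) & 0xFFFFFFFF != expected_crc:
        # Same-size modification of the body: only the checksum catches it.
        return "CONTENT CHANGED: checksum mismatch"
    return "OK"


def login_gate(image: bytes):
    """The login-script policy from the post: clean clients proceed, the rest are locked."""
    verdict = self_check(image)
    if verdict == "OK":
        return (True, "proceed to server applications")
    return (False, f"client locked: {verdict}")


# Constructed sample images; no real program code is involved.
CLEAN = build_goat(b"GOAT PROGRAM BODY " * 64)
APPENDED = CLEAN + b"\x00" * 1813              # constructed: extra bytes after the body
PATCHED = CLEAN[:-4] + b"\xff\xff\xff\xff"     # constructed: same length, last bytes altered


if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("appended", APPENDED), ("patched", PATCHED)):
        print(name, login_gate(image))
```

Two points for anyone adopting the scheme: each client needs its own fresh copy of the goat file, exactly as Padgett says, or an infected client would be checked against a copy that was already modified; and a plain CRC detects unintended modification but not a change made by something that knows to recompute it, so a gate that must resist deliberate tampering should verify a keyed MAC or a signature over the body instead.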
------------------------------
Date: Sat, 15 Jun 91 01:09:56 +0000
From: [email protected] (Albert Lunde)
Subject: Re: Questions about "Disinfectant" (Mac).
[email protected] writes:
> 1. I believe since version 2.0, Disinfectant had the ability to install
> a protection INIT. The thing is only 5k... What does it DO?...
> Does it just give a warning if something is being infected?
> What does it look for?
It is small because it is written in assembly, with no configuration
options. It tries to prevent virus infection from being successful,
and issues an informative message via the Notification Manager. The
means used to block infection vary according to the virus. Like
Disinfectant it is effective against a list of known viruses, and
tries to be specific enough to avoid false alarms.
It does not scan files on every inserted disk for say, nVIR.
> 2. I remember hearing that using Disinfectant AND the old virus
> protection
> CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow
> rendered the
> Disinfectant INIT useless or something to that effect).
> Is it also a good idea to remove the INITs "KillVirus" (Icon is a
> needle with the word nVIR next to it). and "Kill WDEF - virus INIT"
> (Icon is just a standard document icon)? I know these are pretty old
> too. (at least I don't have "Ferret" and "Kill Scores" and those
> other
> related relics)
We are currently advocating that general users at Northwestern use
only the Disinfectant INIT and not Vaccine or Gatekeeper Aid, and that
they get periodic updates.
The risk from unknown viruses seems balanced by the reduced grief to
general users. The rate of virus spread is slow enough that this is
workable.
Vaccine presents unclear messages, bombs on application startup under
many real infections and is bypassed by other newer viruses and has a
few minor bugs unrelated to viruses.
Gatekeeper Aid has occasionally removed the CODE resources from my
running applications. Like the other Gatekeeper tools, I think it is
useful for advanced users, but too paranoid and subject to false
alarms for average Mac users. There is a tradeoff between detecting
suspicious activity and being quiet and specific. (See discussion in
the Disinfectant online help.)
I would not recommend "KillVirus" - it seems to be one of many early
nVIR tools, that are not as generally effective as the Disinfectant
INIT. I know nothing about "Kill WDEF - virus INIT", but it is not
needed if you use the Disinfectant INIT.
> 2a. Almost forgot... What about "SAM (TM) Intercept" INIT... I know it's
> newer but do "SAM" and "Disinfectant" interfere with each other?
I think that these can co-exist, but I don't remember which takes priority.
> My current version of Disinfectant is 2.4... Is this the most current
> one? I've had it for about 6 months now.
Yes 2.4 is current - see John's prior post about it and system 7.
Albert Lunde - Northwestern University This post represents neither NU
[email protected] or John Norstad
------------------------------
Date: Fri, 14 Jun 91 15:09:32 -0500
From: Paul Coen <[email protected]>
Subject: Getting register contents, etc. "on the fly." (PC)
If you want to find out what's in memory at a particular location, and
you're lucky enough to be using a Zenith computer (at least, on every
Zenith I've seen except the Eazy-PC -- it had a non-Zenith BIOS), you
can press ctrl-alt-return (enter, whatever), at pretty much any time,
and be thrown into what Zenith calls a "monitor program" -- the same
one you get when you press ctrl-alt-ins. Only in this state, it shows
you the memory contents at the current location. You can change,
examine, etc. from this point. If you type "g" and press return,
you'll go back to executing the program where you left off, assuming
you didn't mess with anything important. It's essentially a built-in
debugger.
Apologies to anyone who doesn't have a Zenith, but look on the bright
side, this feature can cause incompatibility problems on rare
occasions.
------------------------------
Date: 15 Jun 91 09:05:24 +0000
From: [email protected] (Fridrik Skulason)
Subject: Problems removing Azusa (PC)
padgett%[email protected] (A. Padgett Peterson) writes:
>From: [email protected] (Derek William Ebdon)
>One thing that Mr. Doss forgot to mention is that although Central
>Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy,
>it cannot remove the virus from a hard drive. The only way to
>disinfect a hard drive is to redo the low level format because the
>virus infects the boot sector and the dos partition. A high level
>format will not remove the virus, nor will simply removing the dos
>partition with the fdisk program.
Well, this is of course not correct - a format is never necessary to
get rid of a virus - boot sector or otherwise. However, Azusa is
rather problematic, as it does not store the original PBR anywhere -
it simply replaces it. (It is easy to remove Azusa from diskettes)
Suggested solutions:
1) Use NU to zero out the PBR, then use NDD to rebuild it.
2) Use a disinfection program which can replace the PBR with a
"standard" PBR - such programs exist.
-frisk
------------------------------
Date: 15 Jun 91 09:12:01 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Is there a 1024 virus? (PC)
Arthur Buslik writes:
>As Rob Slade suggests, one possibility is a virus. However, a much
>more likely possibility is that the computers have extended bios
>extended data areas.
:
>Moreover, INT 15H, AH=C1H will return the segment address
>of the base of the extended bios area.
Well, not always - I have a HP/Vectra, where the BIOS reserves a 4K
area just below the 640K mark. However, INT 15H, AH=C1H is not
implemented in the BIOS (I know - I traced through it), and INT 15H,
AH=C0H will return the information that no Extended BIOS area is used.
-frisk
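Padgett's earlier post in this issue (check the memory area whenever Int 12 is lowered; nulled or data means ask the manufacturer, code means look at the other integrity areas) and Frisk's point just above (INT 15H AH=C1H may not be implemented, and AH=C0H may deny an EBDA the BIOS nevertheless reserves) describe one triage procedure between them. The block below is an added example of that procedure, not code from either post: the INT 12h and INT 15h results are passed in as constructed values rather than obtained from a real BIOS, and the opcode test used to call a block "code-like" is a crude assumption, not a disassembler.

```python
CONVENTIONAL_KB = 640   # what CHKDSK reports as 655360 bytes on a full machine


def reconcile(int12_kb: int, ebda_segment=None, ebda_size_kb: int = 0):
    """Compare INT 12h's answer with what INT 15h says about an extended BIOS data area.

    int12_kb     : conventional memory in KB, as INT 12h returns it in AX
    ebda_segment : segment from INT 15h AH=C1h, or None if the call is not implemented
    ebda_size_kb : size of the EBDA (its first byte holds the size in KB), 0 if none
    Returns (status, gap_kb).
    """
    gap_kb = CONVENTIONAL_KB - int12_kb
    if gap_kb <= 0:
        return ("full", 0)
    if ebda_segment is None:
        return ("unexplained", gap_kb)
    # A genuine EBDA starts exactly at the top of memory INT 12h reports,
    # and its size should account for the whole gap.
    if ebda_segment * 16 == int12_kb * 1024 and ebda_size_kb == gap_kb:
        return ("ebda", gap_kb)
    return ("ebda_mismatch", gap_kb)


def classify_region(data: bytes) -> str:
    """Padgett's triage of the missing block: nulled, data-like or code-like.
    The first-byte test (jmp, cli, push, mov seg) is an assumption good enough to
    decide whether a human should look, nothing more."""
    if not any(data):
        return "nulled"
    if data[0] in (0xEB, 0xE9, 0xEA, 0xFA, 0x1E, 0x50, 0x8C, 0x9C):
        return "code-like"
    return "data"


def triage(int12_kb: int, ebda_segment, ebda_size_kb: int, region: bytes) -> str:
    """Baseline/triage decision for one machine; region is the dump of the gap."""
    status, gap = reconcile(int12_kb, ebda_segment, ebda_size_kb)
    if status == "full":
        return "nothing missing"
    if status == "ebda":
        return f"{gap}K is the extended BIOS data area; record it in the baseline"
    kind = classify_region(region)
    if kind == "code-like":
        return f"{gap}K holds code: compare with the machine's baseline and check other integrity areas"
    return f"{gap}K is {kind}: ask the manufacturer (add to the baseline once explained)"


if __name__ == "__main__":
    # Constructed cases: Compaq-style 1K zero-filled gap with no INT 15h support,
    # a PS/2-style EBDA that explains the gap, and Frisk's Vectra (4K, AH=C1h absent).
    print(triage(639, None, 0, bytes(1024)))
    print(triage(639, 0x9FC0, 1, bytes(1024)))
    print(triage(636, None, 0, bytes(4096)))
```

The "ebda_mismatch" status is the interesting one for integrity work: INT 15h claims an EBDA, but it does not sit where INT 12h says the top of memory is, or does not cover the whole gap, so part of the missing block is still unexplained and the region dump should be examined just as in the "unexplained" case.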
------------------------------
Date: Sat, 15 Jun 91 09:46:41 -0400
From: Jeff <[email protected]>
Subject: Fprot v1.16 (PC)
Is Fprot v1.16 available yet? If so, where can I ftp it? Thanks.
------------------------------
Date: Sun, 16 Jun 91 01:19:14 -0400
From: Daniel Pan <[email protected]>
Subject: Why I didn't find the virus.exe (PC)
A friend of mine got viruses. I used Scan v77 to check it; it found the
partition table was infected by Stoned and the file
C:\DOS\KILL\VIRUS.EXE was infected by Jerusalem. I also used Virx 1.14
to check the C drive, the only hard drive she has, and found Stoned-B.
But I could not find that the file VIRUS.EXE exists. The KILL subdir only
has four files and none of them is VIRUS.EXE. Does anyone know what
happened? Could it be a hidden file, or did Scan give a false alarm?
But Clean did very well when it cleaned those viruses. I
cleaned the hard disk before thinking about this question!
------------------------------
Date: Sat, 15 Jun 91 23:34:48 -0700
From: [email protected] (ofa123)
Subject: Re: Hoffman Summary & FPROT (PC)
I think it's just too bad that Hoffman's summary keeps ignoring the
latest versions of F-PROT. The SCANV shown is always the latest issue.
Frisk, are you looking for distribution sites in the US? I may have a
couple of systems that would be interested in becoming official
distribution sites for F-PROT. Please let me know.
--- Opus-CBCS 1.14
* Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0)
--
Ray Mann
Internet: [email protected]
Compuserve: >internet:[email protected]
------------------------------
Date: Sun, 16 Jun 91 10:56:44 -0500
From: James Ford <[email protected]>
Subject: New address and hostname for MIBSRV (PC)
The mibsrv antiviral site (MIBSRV.MIB.ENG.UA.EDU) is moving to the new
location RISC.UA.EDU (130.160.4.7). The directory structure will
remain the same. At this time, all ibm-antivirus files have been moved
over. The solutions directory (pub/games/solutions) will be moved
Monday.
MIBSRV (130.160.20.80) will stay up until June 26. After that time,
it will be gone / kaput / lost_in_time / lost_in_space.
Please make any necessary changes in your script / information files
regarding this. If you have any problems, please let me know.
/\/\/\/\/\/\/\/\/\/\/\/\ /\/\/\/\/\/\/\/\/\/
----------
Life is one long process of getting tired.
----------
James Ford - [email protected], [email protected]
The University of Alabama (in Tuscaloosa, Alabama)
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 103]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253