VIRUS-L Digest Monday, 8 Jul 1991 Volume 4 : Issue 117
Today's Topics:
Recurring 4096 Infection (PC)
VSHLD80B.ZIP - Resident virus infection prevention program (PC)
VIRX16.ZIP - VIRX v1.6: Easy to use free virus checker (PC)
VirusX (PC)
Demo Disk from Mainstay (Mac)
DOS 5.0 & FPROT116 (PC)
Virus Scanner (PC)
Re: McAfee on VSUM accuracy and Microcom (PC)
sideshow on doom2:reply (PC)
TNT AntiVirus from CARMEL / WARNING !!! (PC)
Re: Recalciterant infection with Frodo
IBM Anti-Virus Product 2.1.2 (PC)
Introduction to introductory columns (general)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 03 Jul 91 09:14:00 -0500
>From: "William Walker C60223 x4570" <
[email protected]>
Subject: Recurring 4096 Infection (PC)
>From: Aviel Roy-Shapira <
[email protected]>
> Help please! I have a recalciterant infection by Frodo or 4096. I am
> not sure about the source of the infection, but somehow it got into my
> system. Clean (V. 77) cleaned the disk alright, but the infection
> keeps poping up. It has become even wierder. Both Clean, Virus Scan,
> and F-Fchk (115) report that all the files on my hard disk are free
> from the virus. But, if I boot from the hard disk, and I run
> F-SYSCHK, it says the virus is lurking in memory. I don't get this
> warning if I boot from a floppy.
> My config.sys file contains Device=DMDrvr.bin, Device=f-driver.sys,
> files=40 and buffers=20. I don't run any programs or TSR from my
> autoexec, which simply states the path and sets a couple of
> environment variable. DMDrvr.bin appears to be clean, as its length
> is 8000 bytes or so and it didnot change.
> I thought that Frodo was only a COM and EXE file infector, yet it
> somehow entered my system and refuses to leave. Any ideas?
4096 also infects COMMAND.COM and (I think) .SYS and .BIN files, but
SCAN should still find it there. I have a few ideas to try. Since I
don't know your level of expertise, forgive me if I say something you
already know or have already tried.
4096 is a "stealth" virus because it covers its tracks if it is active
in memory. For this reason, you must first boot from a known clean
floppy (usually your original DOS diskette) before running SCAN or
whatever. A potential problem that I see in your case is DMDRVR.BIN,
which (if I'm not mistaken) is Disk Manager, implying that you have a
large hard disk partitioned into several logical drives. Booting from
a pure DOS floppy will not allow access to partitions other than C:.
One thing you can do is create a bootable floppy (after booting from a
known clean floppy, of course), copy DMDRVR.BIN from your original
Disk Manager diskette (SCAN it first), make a CONFIG.SYS file on the
floppy which contains only DEVICE=DMDRVR.BIN, and add a write-protect
tab. Booting from this diskette should give you access to all
partitions on your hard disk as well as provide a clean environment in
which to run SCAN.
Since you apparently do not know what is still infected, try the
following. After booting from a known clean floppy, do
SYS C:
COPY COMMAND.COM C:
to put a clean system back on your hard disk. Before rebooting,
rename CONFIG.SYS and AUTOEXEC.BAT to something else (I know you said
that you have no programs in AUTOEXEC, but I'm making this more
generic). Reboot, then SCAN the system. If the virus is NOT in
memory, restore CONFIG.SYS, but take out the DEVICE=F-DRIVER.SYS line.
Copy the DMDRVR.BIN file from your original Disk Manager diskette to
drive C:. Reboot and SCAN. If the virus is still NOT in memory,
restore the line DEVICE=F-DRIVER.SYS, and copy F-DRIVER.SYS from a
known clean source if you have one. Reboot and SCAN. Restore
AUTOEXEC.BAT. Reboot and SCAN. Now start running programs and SCAN
after each program. I know this seems like a pain-in-the-butt, time-
consuming procedure, but if the anti-virus programs aren't finding the
remaining infected files, it's about the only way.
I hope this helps in some way and hasn't duplicated your efforts.
Bill Walker (
[email protected] ) |
OAO Corporation | "I think, therefore I am.
Arnold Engineering Development Center | Nah, I think not."
M.S. 120 | *POOF*
Arnold Air Force Base, TN 37389-9998 |
------------------------------
Date: Wed, 03 Jul 91 13:13:00 -0600
>From:
[email protected] (McAfee Associates)
Subject: VSHLD80B.ZIP - Resident virus infection prevention program (PC)
I have uploaded to SIMTEL20:
pd1:<msdos.trojan-pro>
VSHLD80B.ZIP Resident virus infection prevention program
Version 80-B of VSHIELD has been released. This version
replaces Version 80, which mis-identified some files encrypted
with ICE as being infected with the Crypt-1 virus.
The validation results for VSHIELD Version 80-B should be:
FILE NAME: VSHIELD.EXE VSHIELD1.EXE
SIZE: 33,723 11,281
DATE: 07-01-1991 02-14-1991
FILE AUTHENTICATION
Check Method 1: 9B2B 6B40
Check Method 2: 097C 103E
Regards
Aryeh Goretsky
McAfee Associates Technical Support
- - -
McAfee Associates | Voice (408) 988-3832 |
[email protected]
4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 |
[email protected]
ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)
------------------------------
Date: Wed, 03 Jul 91 13:25:00 -0600
>From:
[email protected] (Ross Greenberg)
Subject: VIRX16.ZIP - VIRX v1.6: Easy to use free virus checker (PC)
I have uploaded to SIMTEL20:
pd1:<msdos.trojan-pro>
VIRX16.ZIP VIRX v1.6: Easy to use free virus checker
VIRx is a freely distributable scanning program -- there is *no*
charge associated with it, although copyrights *are* maintained by
both Microcom and me.
In addition to SIMTEL20, it is available on CIS and on my BBS at
212-889-6438.
===
What's New In VIRx Version 1.6
1. VIRx Version 1.6 now detects six newly discovered viruses,
bringing the total count to just over 500.
2. VIRx now indicates whether an infected compressed program
was infected before or after the compression (PKLITE and LZEXE).
This was trivial to implement, but a useful addition.
3. Another few cycles were shaved off our decompression routines:
experience pays. For those wondering, all decompression routines
are completely internal and done in memory --- and always have been.
Ross
- - -
Ross M. Greenberg <
[email protected]>
Author, Virex-PC, VIRx and FLU_SHOT+
------------------------------
Date: 03 Jul 91 17:03:58 +0000
>From: Tom Carter <
[email protected]>
Subject: VirusX (PC)
I have asked this question before but have received nil replies.
PLEASE, can someone out there tell me what the latest version of
VirusX really is??
Thanx.....
------------------------------
Date: Wed, 03 Jul 91 20:58:05 +0000
>From:
[email protected] (Rob Schaeffer)
Subject: Demo Disk from Mainstay (Mac)
The demo disk from Mainstay has nVIR attached to the archive. It
seems to not be able to spread, but it is there.
Disinfectant nicely removes the virus.
I would be curious to know why the virus doesn't spread.
Rob
- --
[email protected]
"Putting magnets on the T.V. distorts the picture and
makes it more real."
------------------------------
Date: Wed, 03 Jul 91 16:44:46 -0700
>From: Steve Clancy <
[email protected]>
Subject: DOS 5.0 & FPROT116 (PC)
A user recently posted this on our BBS. Has anyone else experienced this?
"I was wondering if any one has experienced a problem with FPROT116.
Since I installed it with msdos ver 5.00 it hangs my system with the
message Virus Alert!! Int 13 has been changed. I have tested and no
virus is found. If I disable f-driver in my config.sys file everything
is ok. All other programs associated with this program works fine. Any
thoughts or suggestions?"
I am not familiar enough with FPROT116 or DOS 5.0 to make an
intelligent comment. Any help will be appreciated.
- -- Steve Clancy
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
% Steve Clancy, Biomedical Library % WELLSPRING RBBS %
% University of California, Irvine % 714-856-7996 300-2400 24hrs %
% P.O. Box 19556 % 714-856-5087 300-9600 24hrs %
% Irvine, CA 92713 U.S.A. %
[email protected] %
% %
[email protected] %
%.....................................................................%
% "As long as I'm alive, I figure I'm making a profit." %
% -- John Leas, 1973 %
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------------------------------
Date: Thu, 04 Jul 91 09:23:14 +0700
>From: Vincent Chan <
[email protected]>
Subject: Virus Scanner (PC)
Hi,
I have read with interest some of the reviews and entries here in
this Virus List and I must say that this is by far the most
informative and well discussed topic on computer virus. I have also
followed some of the discussions on various virus scanner on the
market today, be it commercially available or shareware, these
discussions have helped me to choose the right product that will cater
to my need.
Two of the virus scanners that I found most helpful for the
detection and removal of virus are Fprot from frisk and McAfee Scan.
Both of these product have helped me to detect and remove some of the
prevalent virus over here. The most common virus is Joshi virus, that
has caused me much headache and heartache at times. Both of these
product have managed to detect and remove the virus.
Recently I was introduced to Ross Greenberg VIRX. This program
looks interesting and it is able to scan the harddisk for virus at
considerable speed. But I have not really explored the potential of
this program. But recently I tried to scan a diskette which has been
infected with Joshi virus and it couldnt detect it! Fprot and McAfee
Scan have no problem with it. The VIRX version is 1.5. I dunno
whether the author realised this or not. Anyway I read from the
latest issue of Virus-l that Ross has come out with the latest version
of VIRX 1.6 and hopefully will be able to fix the problem that I
mentioned above, if not in this version then future version of Virx.
------------------------------
Date: Sat, 29 Jun 91 00:43:49 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: McAfee on VSUM accuracy and Microcom (PC)
[email protected] writes:
[stuff deleted]
>
>This is good news. I was under the impression that Microcom attempted
>to license a copy from you and was told that they may not use it
>without a license and that a license would not be issued to Microcom
>under any circumstances.
>
>I am glad that the information given to me is false and that Microcom
>is expressly being given permission to utilize this product from the
>vendor. I would presume there is a charge for such usage: what would
>that charge be for *only* one computer to use your product? I'll be
>sure to report that amount to the Microcom people I deal with.
>
>Ross
Hello Ross,
I've given Mr. McAfee a copy of your message, but he hasn't typed up a
reply yet. In the meantime, perhaps you could leave me your mailing
address and/or fax number so that I could give that to John for a
(faster) reply.
Thanks,
Aryeh Goretsky
McAfee Associates Technical Support
- - --
McAfee Associates | Voice (408) 988-3832 |
[email protected]
4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 |
[email protected]
ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)
------------------------------
Date: Thu, 04 Jul 91 02:27:30
>From:
[email protected]
Subject: sideshow on doom2:reply (PC)
>From: "zmudzinski, thomas" <
[email protected]>
>
>Actually, what Mr. Greenburg wrote was:
^
Actually, what Mr. Greenberg wrote was:
^
minor nit... :-)
>> The bad guys can certainly break
>> whatever coding scheme I use, thereby using the string list just as if
>> it were not encoded at all.
> Mr. Greenburg's statement describes his assessment of his
>abilities to develop/implement a cryptographic system. If he says
>that he cannot do something he believes to be difficult, so be it --
>he knows where his strengths lie.
Whoa! I'm sure that simply sticking in DES encryption is probably
within even my meager abilities -- provided that the instruction
manual doesn't use words that are too big... But does even using DES
(provided I can find the on/off switch on my computer by myself)
really buy us anything?
It's just the idea that it's not that tough to break such a scheme:
recall that I spend a good deal of my life actively disasming
encrypted viruses. Anything that is gonna be disasmed at run time is
trivial to disasm by anyone with their mind set on it. Remember that,
regardless of the scheme used to make such a marvelous cryptographic
system, the key *must* be included in the body of the program in order
for it to work convieniently.
To have different keys that are external to a program that are
different from machine to machine would be a tech support nightmare.
Have you ever tried to figure out what shipping >50K copies of code
*really* means? I merely have to code this stuff: Microcom has to do
tech support. I have the easy part of the job: disasming new viruses
and creating fast search algorithms is nothing compared to dealing
with Martha from BrokenHipBone, Arkansas who wants to know why she has
to stick the ignition keys to her tractor into the floppy drive door
when the machine asks her to "insert her key, then press any key."
She will, of course, end up asking wherere the "any" key is.
> And on the other hand, does anyone _really_ believe that the "bad
>guys" _don't_ run the latest crop of anti-viral software to check that
>their "products" won't be caught immediately?
Hey, I'm sure that most of the anti-virus people probably have bad
guys as beta testers without even knowing it!
Ross
------------------------------
Date: 04 Jul 91 09:02:14 +0700
>From:
[email protected]
Subject: TNT AntiVirus from CARMEL / WARNING !!! (PC)
This is a warning to everybody, who intends buying
the product Turbo Anti-Virus
from CARMEL
distributed by EPG Softwareservice, Germany
In January 91 I bought this product (Version 7.02). The program
itself has a nice user-interface and was at the time I bought it quite
up-to-date. By buying the product they promise you a quarterly
update.
HAAAAAAAAAAAAAAAAAAAAAAAAAA ... well, they promise ?!?!?
I got version 7.02. It's now half a year later and I've never seen an
update. I know from other people who bought the stuff later, that
they got meanwhile up to 7.06. During a phone call with EPG they told
me about V7.1.
Totally I sent them a FAX for customer support (something they also
promised); you expect right ... I never got an answer ... and I
called them up three times.
I think you will agree with me that nothing needs to be more
up-to-date than Virus-protection packages.
So with my experiences I can only recommend:
DO NOT BUY TNT ANTI-VIRUS
at least not from EPG Softwareservice, Germany.
You can find enough other good software, where you get updates so you
can catch up with the virus-spreaders.
bye ............................................................. Didi
------------------------------
Date: Thu, 04 Jul 91 08:10:46 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: Recalciterant infection with Frodo <4096> (PC)
[email protected] (Aviel Roy-Shapira) writes:
>Help please! I have a recalciterant infection by Frodo or 4096. I am
>not sure about the source of the infection, but somehow it got into my
>system. Clean (V. 77) cleaned the disk alright, but the infection
>keeps poping up. It has become even wierder. Both Clean, Virus Scan,
>and F-Fchk (115) report that all the files on my hard disk are free
>from the virus. But, if I boot from the hard disk, and I run
>F-SYSCHK, it says the virus is lurking in memory. I don't get this
>warning if I boot from a floppy.
[rest of message deleted...]
Hello Mr. Roy-Shapira,
One POSSIBLE reason the virus might be occuring is because there is a
segment of viral code stuck at the end of one of the files loaded when
your hard disk boots. When a file is saved on disk, space is
allocated for it in clusters. If a file does not fill up the last
cluster allocated for it, DOS will fill the left-over space with
garbage from memory to pad out the file so it fills up the cluster to
the end. If the virus were in memory it could have been written into
the "empty" space at the end of a cluster to pad the remaining space
in the cluster. If this occurred, whenever the file was loaded into
memory, the virus signature would appear because it was read in as
well.
The virus itself would not be infectious. First off, it's most likely
that only a relatively small segment of code was stored at the end of
the cluster, and secondly, such viral code exists beyond the End Of
File marker; it's not recognized as being part of the program and will
not be executed. So what you're left with is an annoying false alarm.
The best way to deal with this is to overwrite the space at the end of
cluster chains on the disk. A practical way to do this is to
defragment the fixed disk with a disk optimizing program. This will
usually overwrite any possible "virus garbage."
Another solution may be a program called COVERUP1.ZIP in the SIMTEL20
archives. It says that it erases the "tails" of clusters, and
overwrite the offending section of viral code. I have not had a
chance to try this myself, so use at your own risk.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
McAfee Associates | Voice (408) 988-3832 |
[email protected]
4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 |
[email protected]
ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)
------------------------------
Date: 03 Jul 91 15:22:19 -0400
>From: "David.M.Chess" <
[email protected]>
Subject: IBM Anti-Virus Product 2.1.2 (PC)
A new level of the IBM Anti-Virus Product now exists. It should be
available now or shortly from IBM Marketing Reps, Branch Offices, the
Electronic Software Delivery section of IBMLINK, and on Promenade (the
PS/1 support BBSy-thing). I'll attach the contents of the WHATIS.NEW
file. As I said a bit ago, I'm not an Official Anything, so don't
send me your money! *8) As before, the U.S. terms are $35 for an
original license, $10 for an upgrade (for terms outside the U.S.,
contact your country IBM).
DC
The IBM Anti-Virus Product, Version 2.1.2
Copyright (C) IBM Corporation 1989, 1990, 1991
The following are the highlights of the changes and enhancements made
to The IBM Anti-Virus Product since the release of Version 2.00.01:
- Added signatures for approximately 42 viruses (refer to VIRSCAN.DOC,
section 5.1, for more details)
- VIRSCAN now looks for the local message file "local.msg", in the same
directory as "virscan.exe", and if it is found, virscan displays it
upon exit (in addition to the standard messages) when one or more
virus signatures are found. A maximum of 10 message lines are displayed.
This facility allows sites to tell users about local procedures that
should be followed when viruses are encountered.
- Added support for arbitrary-length "don't-cares". "%N" sequences (in
place of a pair of bytes in a signature) mean that 0 to N arbitrary
bytes can be in the corresponding position. 'N' is a single hex digit
from '0' to 'F'.
- Spaces are now allowed between pairs of hex digits in VIRSCAN signatures.
This can simplify the use of signatures from other sources.
- VIRSCAN now respects the "boot" keyword that can be used in the third
line of virscan signatures. If a "boot" virus is found in a file, the
user won't by default be warned unless the third signature line also
contains the strings "EXE" or "COM" (or both). If the -G command line
option is specified, then the user will be warned of boot virus
signatures wherever they are found.
- VIRSCAN now won't complain if it can't read the boot sector of a network
drive, unless the '-v' option is used or the boot sector scan was
explicitly specified with the '-b' option.
- Added the "*" option:
"*" scans all local fixed drives.
"*n" scans all network drives.
"*f" scans all local fixed drives.
"*fn" scans all local and network drives.
For instance, try
virscan *
to scan all local fixed disks.
- Improved the speed of the memory scan.
- Documented the -NB option.
------------------------------
Date: Mon, 01 Jul 91 20:58:28 -0700
>From:
[email protected] (Rob Slade)
Subject: Introduction to introductory columns (general)
INTRO1.CVP 910701
Introduction to Computer Viral Programs Column
This file/posting/column, and the ones which will follow, are a weekly
column devoted to explaining computer viral type programs. The
material can be roughly divided into the following topic areas:
Introduction (this file), History, Functions, Protection and
Implications. The file names will reflect this division, beginning
with DEF, HIS, FUN, PRT or IMP, continuing with a further three letter
subcategory, as appropriate, a sequence number, and all ending with
CVP.
The format is intended to be as easy as possible for all mail systems
and terminals to handle. Each "column" will be approximately one
typewritten page in length.
The material is intended to be "non system specific", and to be
applicable to all type of computer and operating systems. Examples
will be given from many different computers and operating systems at
different times. Readers will note, however, that much of the
material relates to the MS-DOS "world": IBM compatible microcomputers.
This is deliberately chosen. The "PC" platform demonstrates the
concepts that are common to all computer systems in the clearest
manner.
I retain copyright of this material. Anyone is free to post any of
this material on any publicly accessible electronic bulletin board or
electronic mail system which does not charge for connect time or data
transfer, provided that the files/postings are posted intact,
including my copyright notice, the filename and date at the beginning
and end and my contact addresses. Anyone wishing to post this
material on a commercial system, or to print it in a book or
periodical, please contact me, and I'm sure we can work something out.
I am sure that the material will be archived at various servers, but
the one place that I can garantee the complete set will be available
is on the SUZY information system. This is a commercial system, but
is accessible through a local call to a Datapac or Tymnet node for
most people in Canada and the United States. If your local computer
store does not carry the access kit for SUZY, contact Stratford
Software at (604) 439-1311.
Vancouver Usenet:
[email protected]
Institute for Internet:
[email protected]
Research into SUZY: INtegrity or 1123
User Snailnet: Canada V7K 2G6
Security Fidonet: 1:153/915
copyright Robert M. Slade, 1991 INTRO1.CVP 910701
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 117]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
