VIRUS-L Digest Friday, 18 Jan 1991 Volume 4 : Issue 12

VIRUS-L Digest Friday, 18 Jan 1991 Volume 4 : Issue 12

Today's Topics:

Re: Stone-2 (PC)
Comments on GAME2 (IBM VM/CMS)
Virus X?? (Mac)
Need OTS Virus package (UNIX)
Stoned (and other boot viruses) & non-bootable floppies(PC)
Re: Stoned (PC)
Plans regarding F-PROT (PC)
Eaters of Language: (WAS: (No) Viruses in Irak's EXOCET?)
Need help w/ CMOS problem in PS/2 Model 70 (PC)
SITELOCK
Query - Disinfectant vs. Virex (Mac)
Re: Stonned reoccurence of reformatted hard drive (PC)
Re: possible macintosh virus (Mac)
Possible Mac virus? Problems need an answer. (Mac)
AU Virus Alert (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

---------------------------------------------------------------------------

Date: Wed, 16 Jan 91 13:07:43 -0800
>From: Tim Trimble <[email protected]>
Subject: Re: Stone-2 (PC)

We have had the stone virus pop up here with one or two incidents but
was able to catch it with the McAfee software. So the suggestion of
the stone virus not being in the states yet can be considered false.

- --
=============================================================
Timothy Trimble (Ashton-Tate 213-538-7625)
[email protected] Unix
76306,1115 Compuserve

------------------------------

Date: Wed, 16 Jan 91 13:50:30 -0800
>From: "R N Hathhorn, VM Systems Support" <[email protected]>
Subject: Comments on GAME2 (IBM VM/CMS)

I have made a preliminary analysis on GAME2 MODULE and have stored my
comments on LISTSERV@PCCVM under the file GAME2 COMMENTS. Included in
this file are several notes from other contributors from other lists.
I will be adding to the COMMENTS file as more information is forwarded
and/or found. The copy of the virus that I was given is 'broken' and
my testing was therefore limited. A better (un-received) copy is
needed to continue. Please remember that I am not an 'expert',
'authority', or 'guru' in these matters, I am still learning.

All mailings to this list will automatically forwarded to VIRUS-L,
hopefully this will not cause too much duplication. Any assistance
and/or 'viral cracking' programs that you could give me would be
greatly appreciated.

R N Hathhorn, VM Systems Support | Portland Community College
Computer Services Department | P. O. Box 19000
Sylvania Campus: CCB27c | 12000 S. W. 49th Ave.
(503) 244-6111 ext. 4705 | Portland Oregon 97219

------------------------------

Date: 17 Jan 91 01:41:32 +0000
>From: [email protected] (John Mazzocchi)
Subject: Virus X?? (Mac)

In a recent issue of the Australian Macintosh magazine "MacNews", it
was announced that there was a new Mac virus called "Virus X".
Apparently, every time you restart your mac, it deletes a file, going
in backwards numerical order. Recommended procedure for finding out if
you have the virus is to create a file called, say, "z", then reboot
your mac. If the file's gone, you've got the virus.

I haven't seen any similar symptoms mentioned before, so could this be
a first for Australia?

- --
+ John Mazzocchi + "The mind is not a vessel to be filled, +
+ Melbourne, Victoria + but a fire to be lighted" - Plutarch +
+ Australia +
+ [email protected] +

------------------------------

Date: 16 Jan 91 21:46:37 +0000
>From: [email protected] (jim basara)
Subject: Need OTS Virus package (UNIX)

I would like to request recommendations for off-the-shelf packages
which will prevent/isolate/monitor/etc. viruses on a Sun workstation
under unix.

thank you
jim basara
uunet!ssdc!jbasara

------------------------------

Date: Thu, 17 Jan 91 09:10:28 +0000
>From: Anthony Appleyard <[email protected]>
Subject: Stoned (and other boot viruses) & non-bootable floppies(PC)

In reply to this message in Virus-L vol 4 #11:-
.....................................................................
"Date: Tue, 15 Jan 91 10:48:25 -0600
>From: ROsman%ASS%[email protected]
Subject: STONED and NON-bootable floppies (PC)
I learned something new about the STONED virus today. One of our users' PCs
was infected by the STONED virus by attempting to boot from a NON-bootable
diskette that was infected! All MS/DOS diskettes (bootable and
non-bootable) have a sector reserved for the boot code (the boot sector). I
was under the impression that the DOS boot code had to be present
(bootable) in order for the STONED virus to move itself to the hard disk.
This was an incorrect assumption."

I understand from several Virus-L recent messages that PC 'non-bootable'
floppies are actually bootable, and their boot sectors contain only a
little program that merely prints out "This disk is not bootable". Thus
Stoned etc can infect them same as any other PC floppy.

{A.Appleyard} (email: [email protected]), Thu, 17 Jan 91 09:03:52 GMT

------------------------------

Date: 17 Jan 91 10:09:35 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Re: Stoned (PC)

[email protected] (David Conrad) writes:
>Many recent postings have made the point that the Stoned virus
>overlays a sector in the FAT, thus causing damage to the file system.

The original "Stoned" virus came in two variants. Both infect the
Partition Boot Record - the first physical sector on the hard disk.
The original PBR is stored on head 0, track 0 and either on sector 2
or sector 7.

Those sectors are normally unused, but not always. In particular, if
the hard disk is small, and formatted under DOS 2.x (even though it
may now contain DOS 3.x), the first track will be in use.

In some cases the DOS boot sector is located in sector 2, and will be
overwritten, but the other variant of the virus may overwrite a part
of the FAT - located at sector 7, which could, indeed, be restored
from the other copy - provided you do the repair right after
infection.

On large hard disk, or disks formatted under DOS 3.x this is not a
problem.

- -frisk

Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future
expansion
E-Mail: [email protected] Fax: 354-1-28801 |

------------------------------

Date: Thu, 17 Jan 91 11:20:31 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Plans regarding F-PROT (PC)

I just wanted to inform readers of VIRUS-L/comp.virus of my plans for
F-PROT.

Version 1.14 will be distributed on Monday, Jan 21st. It is able to
detect and remove over 70 new viruses (most of them recent viruses
from Eastern Europe), which 1.13 could not handle.

I will send out copies to the people on my mailing list, in the form
of an xxencoded .ZIP file as I usually do. I will also send a copy to
the moderator of comp.binaries.ibm.pc - hoping the program will appear
there soon.

>From now on a new version of the program may be expected once per
month - I am leaving my job here at the University of Iceland and plan
to work full-time on the viruses.

At the same time I am cancelling some other plans, and announcing that
I will continue to support and update the program for the next 24
months - but continued support after that will depend on the success
of the product.

Version 2.0, with a totally rewritten user-interface will be ready for
beta-testing in the first week of February - are there any volunteers
who would like to assist in the testing ?

I have now decided to distribute it as previous versions, that is
"freeware" for individual use, but "shareware" for
companies/institutions, but I am not ruling out the possibility of an
expanded, commercial version, though.

- -frisk

- --
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future
expansion
E-Mail: [email protected] Fax: 354-1-28801 |

------------------------------

Date: 17 Jan 91 16:52:36 +0000
>From: [email protected] (Johnathan Vail)
Subject: Eaters of Language: (WAS: (No) Viruses in Irak's EXOCET?)

> reports about "viruses in Hussein's rockets". According to dpa,
> (unnamed) French computer scientists said:
>
> - manufacturers of war material usually implant, "for mere
> commercial reasons", viruses in exported war electronics to
> provoke, after some time, faults and "profitable repair
> work";

Without specific comments about the cyberpunk musings of Iraqi
weapons, is anyone else concerned about the usage of these terms?
Specifically the tendancy of mostly non technical people to classify
any intentional or unintentional bug and computer "nasty" as a virus?

I see the terms defined more or less thus:

Virus - A self replicating piece of code that is atached to another
program or OS and that depends on that program running in order for it
to be executed. This is what most of us reading here are familiar with.

Worm - A self replicating program that is complete in itself. Usually
replicating over a network. Morris's creation was the "Internet
Worm".

Trojan (Horse) - Code that included in a program that is intended to
do something other than what the original program is supposed to do.
Usually something bad.

Magic Cookie - Code or feature put into a program intentionally by the
programmer that is not part of the design. It is usually
something harmless. Many instances of this in commercial software
and the kind of thing that is alluded to in the post about military
weapons. Another example is the 'xyzzy' command in DG's AOS
operating system.

"Discussion invited, flames discarded" ... jv

"Frisbeetarianism is the belief that when you die, your soul goes up on
the roof and gets stuck." -- button
_____
| | Johnathan Vail | [email protected]
|Tegra| (508) 663-7435 | [email protected](WorldNet)
----- [email protected] {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date: Thu, 17 Jan 91 17:17:32 +0000
>From: [email protected] (David Wright)
Subject: Need help w/ CMOS problem in PS/2 Model 70 (PC)

My apologies if this group is not appropriate, but I would like to
solicit advice on a problem that may be a malicious attack:

I am looking at a friend's PS/2 Model 70 that he reports has had
problems including problems reading diskettes that appear to be fine
in another machine (a laptop that I am keeping carefully isolated).
Since the PS/2 has been exposed to physical, unmonitored access by
outsiders, I suspect that the machine may have been tampered with.
The SCAN program reports no viruses in the system, but the INFOPLUS
program (on the CMOS page) reports that the CMOS checksum is
incorrect; other anomalies on this page include a ridiculous system
date and no hard disk reported. However, the system does boot off of
the hard disk, and the DOS date command reports the correct date. My
friend reports some unusual behavior reading and writing the hard
disk, but I have been reluctant to test the system further.

I seem to remember hearing of the possibility of altering the CMOS
as a form of computer attack. Could someone enlighten me on this subject
briefly, or alternately, point me to a reference? I have general
technical background in PCs, but will need specific info on how to
approach this problem.

Any help would be greatly appreciated.

- -David Wright
[email protected]

------------------------------

Date: Thu, 17 Jan 91 16:06:53 -0500
>From: martha rapp <[email protected]>
Subject: SITELOCK

Has anyone heard of SiteLock by Brightwork Development Inc.? It
advertises itself as the following.. "Others can only fight
yesterday's virus but Brightwork can protect you from yesterday's,
today's and tomorrow's. " Any and all comments appreciated. Thanks

Martha Rapp, BITNET: IMER400@INDYCMS; INTERNET: [email protected]

------------------------------

Date: Thu, 17 Jan 91 16:34:17 -0500
>From: Lee Ratzan <[email protected]>
Subject: Query - Disinfectant vs. Virex (Mac)

There is some discussion here about the relative merits of
Disinfectant 2.4 versus Virex 1.3 . Apart from issues of personal
taste which supplies a greater range of protection? For example, is
Virex effective against WDEF? Are there viri (a/k/a viruses) which are
detected by one but not the other? (For the record D 2.4 is circa
Fall 1990, V 1.3 is circa 1989).

Any information would be most helpful!

Lee Ratzan
Univ of Medicine/Dentistry of NJ
Rm S-B11/ Dpt IST
675 Hoes Lane
Piscataway, NJ 08854

------------------------------

Date: Thu, 17 Jan 91 17:55:42 -0600
>From: [email protected]
Subject: Re: Stonned reoccurence of reformatted hard drive (PC)

>From: "David.M.Chess" <[email protected]>

>Hm, interesting. The Stoned infects the master boot record
>(synonymous with "partition table") on the first physical hard drive
>(BIOS drive id "80" hex). In your case, that's the master boot record
>on the 80Mb hard disk. The master boot record (and therefore the
>partition table) are stored at the very bottom of the disk, lower than
>any of the partitions (E F G and H).

Ooops. Yes I found all this out after I sent the message. I am,
unfortunately, BIOS illiterate. But the poliferation of viruses here
at Washington University in St. Louis is forcing me to learn more
every day. It was a "shoot from the hip" answer to very real effect
which I outlined.

>Did you test whether or not, after booting from a clean floppy and
>then switching to E: and back to A:, the virus was actually *active*
>(infecting new diskettes), as well as being in memory? My guess would

No we did not. Oops again.

[stuff deleted]

>active virus from a "ghost" of the virus that just happens to be
>sitting in a buffer somewhere, never running). The only way the usual
>Stoned virus can get control is if it's present on the boot record or
>the disk or diskette that the system is booted from.

Ummmm... I'm not sure I understand what a "ghost" virus implies, we
were never able to actually clean it off so I don't know how it could
have become a "ghost". Also there was at least enough of it to set of
McAfee's SCAN program.

Jon
Jon Spinner
Washington University
C09615SJ@WUVMD

------------------------------

Date: Fri, 18 Jan 91 06:40:25 +0000
>From: [email protected] (David A. Milton)
Subject: Re: possible macintosh virus (Mac)

>[email protected] (Brenda Barabash) writes:
>>We are also experiencing problems with floppy disks appearing to be
>>locked when they aren't. This is happening on both new disks and old
>>disks. It's definitely got to be a virus. If anyone knows which one
>>please let us know.

It definately does NOT have to be a virus! Are you using Virus
Blockade II? This nifty little utility automatically locks ALL disks,
even after they have been formatted. It is also possible it to
configure it to leave the hard disk unlocked.

David A. Milton, University of Manitoba.

------------------------------

Date: Thu, 17 Jan 91 22:08:01 -0800
>From: [email protected] (Adam Smith)
Subject: Possible Mac virus? Problems need an answer. (Mac)

The directory of my hard disk keeps changing the information regarding
how much space is allocated and how much is free. Symptoms include:
copying a file to Hd from floppy, Hd indicates file is 1,700 k when
original file is only 12k. My removable drive (45 meg) said 42,050 in
disk, 69,750 free! We've been having problems with disk space
disappearing as well. One drive looked full but when all files added
up it should have had 25 meg free. I ran various utilities including
Norton, Disinfectant 2.4., checked for invisible files (none). Can
anyone shed some light on this phenomenon? Apple tech support does't
admit a problem. These problems have occured on or llci, ll cx, and
Fx.

Also folders that won't delete. Only whenname is changed using resedit
or similar utility. Don't know if the problmsare related or not.
Runnig system 6.0.7 recommended by the great mother Apple.

Follow-ups to comp.virus or mail to "[email protected]"
please. And excuse the sig.

========================================================================
Adam Smith Genius - Graphic Artist - Bad Mood Guy
The Chameleon Papers Vancouver, BC CANADA
"I'd give my eyeteeth to have a Macintosh--unfortunately, due to
Apple's pricing policies, that's not enough"
========================================================================

------------------------------

Date: 17 Jan 91 18:55:36 +0000
>From: [email protected] (Ron Haukenfrers)
Subject: AU Virus Alert (PC)

The Joshi virus has been discovered on a PC at Athabasca University.
So far it appears to have been contained to the local machine. Anyone
who has had contact with the 386 in Lewis Varga's office, please check
your system. A copy of virus scan software is available for this
purpose.

One of the known symptoms is the floppy drives will no longer read disks
reporting that the disk has bad sectors.
- --
Ron Haukenfrers [email protected]
Academic Programmer/Analyst {alberta,cbmvax,mips}!atha!ron
Athabasca University (403)675-6332

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 12]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253