VIRUS-L Digest Wednesday, 10 Jul 1991 Volume 4 : Issue 121
Today's Topics:
Re: DOS 5.0 & FPROT116 (PC)
Stoned virus (PC)
Re: Self scanning executables (PC)
F-Prot on BBS. (PC)
Doodle Virus (pc)
T.S.R's ( Which is the best )
Keypress Virus (PC)
Re: Problem with GUARD (PC)
Re: Apology; Malicious Programs Definitions Revisited
Self testing; New viruses; Beta testing; Translations (PC)
re: Research
Virus Bulletin Conference
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 09 Jul 91 19:26:38 +0000
From: [email protected] (Shaun Case)
Subject: Re: DOS 5.0 & FPROT116 (PC)
[email protected] (Steve Clancy) writes:
>A user recently posted this on our BBS. Has anyone else experienced this?
>
>"I was wondering if any one has experienced a problem with FPROT116.
>Since I installed it with msdos ver 5.00 it hangs my system with the
>message Virus Alert!! Int 13 has been changed. I have tested and no
>virus is found. If I disable f-driver in my config.sys file everything
>is ok. All other programs associated with this program work fine. Any
>thoughts or suggestions?"
I recently installed DOS 5.0 on a 25 mhz 486. When I attempted to
install FPROT116 on the system, I got the exact same result you
describe above.
Shaun.
- --
[email protected]
- -- 100,000, perhaps 200,000 or more Iraqis died in a "Turkey Shoot"
inappropriately called a "war." -- Michael Albert
The above work is in the public domain, unless it is a piece of email.
------------------------------
Date: Tue, 09 Jul 91 20:45:42 +0000
From: [email protected] (Strahd Von Zarovich)
Subject: Stoned virus (PC)
Hello all you Virus Gurus.
The ever friendly Stoned Virus just hit our office and luckily (???)
there was only one casualty. It seemed to wipe out the partition
table and both copies of the FAT. I used Norton to get back the
partition table, but it seems to be choking a little getting the FATs
back.
Any ideas? I really hate to let it wipe out files that it doesn't think
are repairable.
Oh yeah, did I forget to mention that this was my Boss's Computer?
Thanks for ANY help. A post or e-mail are fine either way.
- --
Do you crave power? Hate the living? Then don't be afraid of the Mists!
Come to Ravenloft! Your New Island Home!
Jeff Kenward:
[email protected]
------------------------------
Date: Tue, 09 Jul 91 19:04:10 -0400
From: Jeff Boyd <[email protected]>
Subject: Re: Self scanning executables (PC)
A friend of mine solved the self-scanning problem, and his solution
(with TC and TP code) is in the public domain. A *true* CRC is
calculated.
Such a routine must solve a set of equations which predict what the
CRC will be after that same CRC is stored within the program itself.
Since the CRC is stored somewhere within, it is theoretically possible
for the self-check to be cracked. However, the current estimate of
time required for this is 3-4 hours on a 33-386 ... too long for such
action to escape your notice.
If there is interest in this item, let me know. I'll contact the
author and ask if he can make it available for FTP somewhere.
jeff
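The "set of equations" the post refers to can be shown concretely. What follows is an added example, not the public-domain TC/TP routine Jeff mentions (which is not reproduced here): it seals an image so that the CRC-32 of the whole file, stored field included, comes out to an assumed constant MAGIC, so the self-check is a single comparison. It also shows the weakness Jeff acknowledges: whoever can solve the equations once can solve them again after changing the file. The image bytes, the slot position and the value of MAGIC are constructed for the demonstration.

```python
"""Self-checking image with an embedded CRC-32 (added example, not the
routine discussed in the post).

The four bytes in the checksum slot are chosen so that crc32(whole image)
== MAGIC.  CRC-32 is linear over GF(2), so the slot can be solved for
directly: run the register backwards over the bytes after the slot, then
resolve the four unknown steps from the table indices they must have used.
"""
import zlib

POLY = 0xEDB88320      # reflected CRC-32 polynomial, the one zlib uses
MAGIC = 0x600DCAFE     # assumed constant the self-check compares against


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte; that is what makes one CRC step
# invertible when the register after the step is known.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def _step_back(reg: int, byte: int) -> int:
    """Undo one CRC step: given the register after `byte`, return it before."""
    idx = TOP_TO_INDEX[reg >> 24]
    return (((reg ^ TABLE[idx]) << 8) | (idx ^ byte)) & 0xFFFFFFFF


def crc_fixup(image: bytes, slot: int, target: int) -> bytes:
    """Return `image` with the 4 bytes at `slot` chosen so crc32(image) == target."""
    prefix, suffix = image[:slot], image[slot + 4:]
    reg_a = crc32(prefix) ^ 0xFFFFFFFF       # internal register after the prefix
    reg_b = target ^ 0xFFFFFFFF              # register after the whole image ...
    for b in reversed(suffix):               # ... walked back to just after the slot
        reg_b = _step_back(reg_b, b)
    # Recover the four table indices used between reg_a and reg_b.  Only the
    # top byte of the register matters at each backward step, so the unknown
    # low bytes do not get in the way.
    idxs, r = [], reg_b
    for _ in range(4):
        idx = TOP_TO_INDEX[r >> 24]
        idxs.append(idx)
        r = ((r ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    idxs.reverse()
    # Replay forward from a zero register to get bytes y with
    # forward(0, y) == reg_b.  Because the transition is linear,
    # forward(reg_a, x) == forward(0, y) when x == y XOR reg_a (little-endian).
    s, fix = 0, bytearray()
    for i, idx in enumerate(idxs):
        y = (s ^ idx) & 0xFF
        fix.append(y ^ ((reg_a >> (8 * i)) & 0xFF))
        s = TABLE[idx] ^ (s >> 8)
    assert s == reg_b
    return prefix + bytes(fix) + suffix


def seal(image: bytes, slot: int) -> bytes:
    """Fill the checksum slot so the sealed image passes self_check()."""
    return crc_fixup(image, slot, MAGIC)


def self_check(image: bytes) -> bool:
    """The check a program would run over its own file on disk."""
    return crc32(image) == MAGIC


if __name__ == "__main__":
    # Constructed stand-in for a program: 16-byte header, 4-byte slot, code.
    image = b"HDR" + bytes(13) + b"\0\0\0\0" + b"mov ah,4Ch; int 21h"
    sealed = seal(image, 16)
    print("sealed image passes:   ", self_check(sealed))
    infected = sealed + b"VIRUS"          # appended code, as a file infector would
    print("infected image passes: ", self_check(infected))
    print("re-solved image passes:", self_check(seal(infected, 16)))
```

Any single-bit or single-byte change anywhere in the image is always caught, and an appended block almost certainly is; but the scheme is integrity-only. It cannot tell the author's own update from a virus's, and the last line of the demo is the point Jeff concedes: the same solver re-seals the modified file. As Frisk notes elsewhere in this digest, a check that runs from inside the program also sees only what a stealth virus lets it see.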
------------------------------
Date: Tue, 09 Jul 91 19:53:08 -0400
From: [email protected]
Subject: F-Prot on BBS. (PC)
Does anyone on this list know of a public BBS that usually has the
most recent F-PROT? I will be closing my university Internet account
in a few weeks and would like to be able to access new versions as
they are released. Does Frisk offer a mail update service to
registered users?
Thanks for any responses. You can E-mail me direct if you wish.
Mark Stoffan
University of Southern Maine
IP85272@PORTLAND (BITNET)
[email protected] (Internet)
------------------------------
Date: Sat, 10 Jul 91 08:44:24
From: "MUSTAFA T. ALGHAZAL" <[email protected]>
Subject: Doodle Virus (pc)
Hello,
one of our PCs here is infected by the Doodle virus. We removed it with the
McAfee CLEAN software, but it came back.
Can anybody send me some info about it, and a way to remove it?
Thanks a lot ....
Mustafa
____________________________________________________________________
| MUSTAFA T. AL-GHAZAL || [email protected] |
| ACADEMIC COMPUTING SERVICES || VOICE: (966) 3-580-0219 |
| KING FAISAL UNIVERSITY || COMPUTER CENTER |
| HOFUF-SAUDI ARABIA || P.O.BOX 380 |
|________________________________||________________________________|
------------------------------
Date: Wed, 10 Jul 91 08:10:48 +0000
From: "Alan Jones" <[email protected]>
Subject: T.S.R's ( Which is the best )
Alan J Jones
Manchester Computing Centre
University of Manchester
Oxford Road
M13 9PL
England
tele 061-275-6038
fax 061-275-6040
Does anyone have any feelings on what T.S.R. virus checker for the PC
gives the best protection whilst not using a vast amount of memory?
I work at the University of Manchester and on site there are about
4000+ computers and all will need some form of protection from the
students (sorry, I meant viruses). At this moment the little cherubs
are off on holiday (peace, quiet, joy and bliss).
My task is to place some form of protection on the computers before
the hordes get back and start to infect (sorry again, I meant to say
use) the computers and in doing so make my life a living hell.
The products that I have looked at so far are :-
Dr Solomons Virus Guard
Norton Anti-Virus Virus Intercept
McAfee Associates Vshield
Vet Vet-Res
Bye for now
Alan ( MCC )
------------------------------
Date: Wed, 10 Jul 91 12:23:00 +0000
From: [email protected]
Subject: Keypress Virus (PC)
HELLO EVERYBODY .....
I AM A NEW MEMBER IN YOUR GROUP.
I want to discuss a new virus in my LAN (I'm the LAN administrator),
which is KEYPRESS. My LAN type is 10NET; the server is a TANDY 4000, IBM compatible.
This virus's symptoms are:
1. Damaging the SCAN.EXE & the CLEAN.EXE files
2. Hanging some of the commands of LAN loading, especially those managing
the connection with a modem on an RS232 serial port.
3. Hanging the commands of management of the RAM extensions; I use the
386MAX commands.
4. Finally, when scanning and cleaning from a write-protected floppy,
it makes horrible sounds trying to cut the protection shields.
Even when I succeed in removing them, they just come back again, showing
at the top right corner of the screen the word SAMSOFT.
I have tried scan & clean with McAfee scan ver. 6.9V75.
I WOULD LIKE TO KNOW OF ANY NEW ANTI VIRUS PACKAGE AND ANY SUGGESTION FOR
PROTECTING THE LANS FROM VIRUSES.
MONIRA B.W. MOHAMED
PROGRAMMER, SYSTEMS ENGINEER
A.O.I. HEAD OFFICE
------------------------------
Date: Wed, 10 Jul 91 15:01:00 +0300
From: Y. Radai <[email protected]>
Subject: Re: Problem with GUARD (PC)
Tim Martin writes:
> I received GUARD from Y. Radai today. I think I found a
>significant problem with it. On rebooting from the hard drive, after
>an infection by "stoned", Guard removes stoned from the PBR but not
>from memory. .... If
>instead a floppy disk is formatted, chances are it will be infected
>with the stoned virus. ....
As is stated in the GUARD.DOC file, "GUARD ... does not prevent infection
of RAM or of diskettes." It is designed to protect only the hard
disk. For protection of diskettes and memory you have write-protect
tabs, generic monitoring programs, known-virus scanners, etc.
Several people seem to be under the impression that GUARD is supposed
to be a panacea for virus problems, and are disappointed when
they find that it is not. GUARD is intended to block a *specific
security hole*: that which occurs because ordinary anti-viral programs,
such as those mentioned above, don't get a chance to activate
when booting is performed from a diskette. GUARD is not designed as a
*substitute* for other programs, but as a *supplement* to them.
Please judge it in that light.
>In my opinion, "Guard" doesn't give us anything that is not already in
>Padgett's DiskSecure package.
Who ever said it does? Actually, I haven't yet had the opportunity
to try DiskSecure (though I'm willing to bet that GUARD contains quite
a few features that DiskSecure doesn't). I guess the most authoritative
answer on such a comparison will come from Padgett.
>When it is infected by a stealth virus (at least by the Empire family
>of viruses) guard does not permit the computer to be rebooted from the
>hard drive, and automatically remove the virus from the hard disk.
This is a serious claim, and will have to be investigated. (That,
after all, is what testing is for.) Thanks, Tim.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
P.S. I take this opportunity to apologize to the person who received
six copies of the GUARD.UUE file. (I sent only one, honest!) And if
anyone who requested it has not received it within (say) 5 days of his
request, please write to me again.
------------------------------
Date: Wed, 10 Jul 91 18:37:00 +0300
From: Y. Radai <[email protected]>
Subject: Re: Apology; Malicious Programs Definitions Revisited
William Walker writes:
> Finally, postings from several people
>caused me to correct my spelling of the plural of "virus." The
>correct spelling is "viri," according to the rules of spelling in the
>Lincoln Library of Essential Information (my dictionary doesn't have a
>plural listed for "virus").
NO, NO, NO. (That's getting to be a popular retort. Two people used
the very same expression when correcting a statement by Mike Ramey!)
Take into account the following facts:
1. Webster's Third New International Dictionary gives the plural
form of the word explicitly; it's "viruses", not "viri" (and certainly
not "virii"!!).
2. Since our use of the word "virus" is by analogy with the microbiological
use, try looking at a book in that area. Again, you'll
find that the only plural used is "viruses".
3. As for the book you mention, take a closer look. You might
find (as I found in another grammar book) that not all words ending
in "-us", even if they are of Latin origin, form their English plural
by replacing the "us" by "i" (as in Latin itself); many simply suffix
"es". If you don't believe me, try using "boni", "circi", "chori",
"campi", or "cauci" in a sentence.
Summary: "Viri" is fine if you're speaking Latin, but in English
it's "viruses".
------------------------------
Date: Wed, 10 Jul 91 15:06:33 +0000
From: [email protected] (Fridrik Skulason)
Subject: Self testing; New viruses; Beta testing; Translations (PC)
Several subjects...
Self-testing:
I wrote about a self-testing program yesterday - saying it was useless against
stealth-viruses and overwriting viruses, but as others have pointed out it is
even worse than that - a routine which only checks the program in memory is of
no use whatsoever. There exist programs for adding self-test to most
programs, but they cannot detect infection by Frodo and a few other
sophisticated stealth viruses. It is possible for a self-test program to
detect those viruses, but I know of no such program available now - they are
all on the drawing board.
New companion virus:
Until now the only known companion viruses were AIDS II and TPWORM. Now
the third one has been discovered, and it is by far the most sophisticated
one. It is a 351 byte COM virus, called Twin-351. Unlike the other two
companion viruses it stays resident in memory, intercepting the
Findfirst/FindNext calls. As the files containing the virus are also marked
as "hidden", the virus is able to hide quite efficiently, unless a program
reads the directory directly. Has anyone heard of this virus outside Norway ?
Mule:
One of the more interesting variants of Jerusalem is the 'Slow' virus. It was
first reported in Australia, but sources there say it may have arrived from
Thailand. A related variant was discovered later in California, and named
Scott's Valley, after the place of discovery. What makes these variants
interesting is the addition of encryption - apart from it they are
more-or-less standard variants of Jerusalem. Recently a new encrypted variant
of Jerusalem was discovered in Australia. My personal opinion is that the
viruses have a common author, but this new one uses a different encryption
algorithm, and is not detected by the same pattern as the other two variants.
To detect it, the following pattern can be used:
Mule 2E8A 262F 0E3E 3027 43E2 FA59 585B 1FC3
(or, for users of F-FCHK)
Mule 3+5m6kpjdmgjUlsuQbMSM-gEm7ZR7Wlgs+AFojmN5jwum94OmLjLjoAt5a5aMofWgN
The virus is 4112/4117 bytes long, and contains the text "My name is Mule"
Beta-testing?
I am sending out copies of version 2.0 of my program to anyone willing to do a
bit of testing - let me know if you are interested.
Cracker Jack:
There is a crackpot in Milan, Italy who is producing an incredible number of
viruses. Most of the viruses are variants of Murphy, or some other viruses,
which are available in source code form.
He gives them names like "Exterminator", "Demon" and so on - expecting us to
distribute the viruses in the research community, and make him "famous".
One of the viruses was not named according to his wishes - he called one of
them "Patricia", but in accordance with the rule that viruses should not be
named after virus researchers, (therefore the "Solomon" virus should be
known as Jerusalem-1600/1605), it was named "Smack", because of the following
text it contains:
Special message to Patricia Hoffman: I love you!!!!!!!! SmackSmack!!
Can you give me your telephone number??? Ciao bellissima!
He did not like this name change, as is evident from a text message in one of
the viruses in the next batch we got from him:
Patricia does not function correctly, because I haven't run it before send.
Now I'm debugging it
ehehehehehahahahahahah
Smack Virus....what a horrible name!!!!!!!!!!!!!!!!!!!
Compliments to the Dark Avenger for the nice viruses
excuse me if I create some variants of your beautiful viruses
Viruses are a nice thing!!
His viruses are available on one of the Italian virus BBSes, and probably
elsewhere as well, but they are (as far as I know) not known in the wild.
My question - he is probably going to continue creating viruses, but should
we play the game the way he wants - what I would like to propose is a name
change - just group all his viruses together and give them a name like
"Stupid Jack" or "Crackpot", followed by a number. We would then have
Crackpot-272 (not "Demon")
Crackpot-1951 (not "Goblin")
and so on for his 20 (or whatever) viruses. Opinions ?
Translations:
I am having my anti-virus package translated into several different languages,
including Norwegian, Finnish, French, German, Italian and Spanish - in
addition to English and Icelandic. Portuguese and Turkish versions have
also been discussed. If anybody is interested in the production of a version
for any other language, please contact me.
- -frisk
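As an added example (not Frisk's code and not part of F-PROT), the sweep below runs over a constructed in-memory directory image and flags the two things described in the post above: a .COM file that shadows a .EXE of the same stem (COMMAND.COM tries NAME.COM before NAME.EXE, which is what a companion virus relies on), noting whether the entry carries the DOS hidden attribute, and any file containing the published Mule search pattern. The entries, attribute values and file contents are constructed placeholders. A real sweep of a Twin-351 machine would have to read the directory after a clean boot, since the resident virus filters the FindFirst/FindNext results that a normal listing goes through.

```python
"""Offline sweep of a DOS directory listing for companion-virus candidates
and a hex search pattern (added example; constructed data, no virus code)."""
from dataclasses import dataclass

# FAT directory-entry attribute bits: 0x01 read-only, 0x02 hidden,
# 0x04 system, 0x20 archive.
ATTR_HIDDEN = 0x02
ATTR_ARCHIVE = 0x20


@dataclass
class Entry:
    """One directory entry as read straight from the volume (constructed here)."""
    name: str
    attrs: int
    data: bytes


def parse_pattern(text: str) -> bytes:
    """Turn a search string as printed in the digest ('2E8A 262F ...') into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


# Mule search pattern exactly as given in the post.
MULE_PATTERN = parse_pattern("2E8A 262F 0E3E 3027 43E2 FA59 585B 1FC3")


def find_pattern(data: bytes, pattern: bytes) -> int:
    """Offset of the first occurrence of pattern in data, or -1 if absent."""
    return data.find(pattern)


def companion_candidates(entries):
    """.COM entries that shadow a .EXE with the same stem.

    COMMAND.COM resolves NAME.COM before NAME.EXE, so a planted NAME.COM
    runs first and can chain to the real program afterwards.  Returns
    (name, is_hidden, size) per candidate; hidden and very small is the
    profile the post gives for Twin-351.
    """
    names = {e.name.upper() for e in entries}
    out = []
    for e in entries:
        stem, _, ext = e.name.upper().rpartition(".")
        if ext == "COM" and stem + ".EXE" in names:
            out.append((e.name, bool(e.attrs & ATTR_HIDDEN), len(e.data)))
    return out


def sweep(entries, pattern=MULE_PATTERN):
    """Run both checks over a listing and return a report dict."""
    hits = []
    for e in entries:
        off = find_pattern(e.data, pattern)
        if off >= 0:
            hits.append((e.name, off))
    return {"companions": companion_candidates(entries), "pattern_hits": hits}


# Constructed sample volume: the file contents are placeholders, not programs.
SAMPLE_VOLUME = [
    Entry("EDIT.EXE", ATTR_ARCHIVE, b"MZ" + bytes(64)),
    Entry("EDIT.COM", ATTR_ARCHIVE | ATTR_HIDDEN, bytes(351)),   # hidden 351-byte twin
    Entry("CALC.COM", ATTR_ARCHIVE, b"\xB4\x4C\xCD\x21"),        # ordinary .COM, no .EXE twin
    Entry("GAME.EXE", ATTR_ARCHIVE, b"MZ" + bytes(32) + MULE_PATTERN + bytes(16)),
]


if __name__ == "__main__":
    for key, rows in sweep(SAMPLE_VOLUME).items():
        print(key, rows)
```

The pattern check is the cheapest part; the companion check is what a scanner that trusts the operating system's own directory calls can miss, which is why the post's "unless a program reads the directory directly" matters.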
------------------------------
Date: Wed, 10 Jul 91 11:18:00 -0400
From: "Dr. Harold Joseph Highland, FICS" <[email protected]>
Subject: re: Research
Hope this reaches you in response to your request on Virus-L. Will
forward to Ken van Wyk as well for inclusion in Virus-L.
[1] The mathematical in COMPUTERS & SECURITY was by Dr. Winfried Gleissner
and appeared in Vol. 8, No. 1, pp 35-41 [February 1989].
[2] Dr. Klaus Brunnstein of U of Hamburg [Germany] presented an excellent
paper on spread of virus [counts, new ones, mutations, etc.] at Fourth
Annual Computer Virus and Security Conference in NYCity in March 1991.
You should read this.
[3] Dr. Frederick Cohen also has some estimates of virus spread.
[4] What school are you at? What is your address?
[5] If your school library does not have C&S, I might be able to direct
you to one near you that has. Too bad you're not near NY.
HJH
-----------------------------------------------------------------------
| |
| Dr. Harold Joseph Highland, FICS |
| Managing Director, COMPULIT Microcomputer Security Laboratory |
| Distinguished Professor Emeritus of State University of New York |
| Chairman, IFIP/WG11.8 on Information Security Education & Training |
| Editor-in-Chief Emeritus of Computers & Security |
| 562 Croydon Road Elmont, New York 11003-2814 USA |
| |
| Voice: +1 516 488 6868 Telex: +1 650 406 5012 [MCIUW] |
| Electronic mail: [email protected] |
| X.400: C=US/A=MCI/S=Highland/D=ID=4065012 MCI Mail: 406 5012 |
| |
-----------------------------------------------------------------------
------------------------------
Date: Wed, 10 Jul 91 17:41:00 +0300
From: Y. Radai <[email protected]>
Subject: Virus Bulletin Conference
This is a forward from Edward Wilding, editor of the Virus Bulletin:
--------------------------------------------------------------------
The Virus Bulletin Conference takes place on September 12-13th 1991 at
the Hotel de France on the Channel Island of Jersey in the UK.
Speakers include Vesselin Bontchev, Ross Greenberg, Yisrael Radai, Jim
Bates, Jan Hruska, Steve White (IBM), Fridrik Skulason, John Norstad,
Ken van Wyk, David Ferbrache and Gene Spafford, plus presentations
from Digital, New Scotland Yard's Computer Crime Unit, and corporate
computer security specialists responsible for implementing real world
anti-virus measures worldwide.
Subjects include an introduction to MS-DOS viruses, the Bulgarian
'virus-factory', anti-virus tools and techniques, integrity checking
methods, disassembly and forensics, IBM's strategy, future programming
trends, Macintosh viruses, CERT, Unix, Digital's strategy, blackmail,
extortion and espionage through logic bombs, trojans and covert
channels and corrupt working practice.
Registration information is available from Miss Petra Duffield in the
UK. Tel. +44 235 531889, Fax. 0235 559935.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 121]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253