VIRUS-L Digest   Tuesday, 22 Jan 1991    Volume 4 : Issue 13

Today's Topics:

Stoned on a Hardcard (PC)
Re: Need help w/ CMOS problem in PS/2 Model 70 (PC)
Query - Disinfectant vs. Virex (Mac)
Re: Need OTS Virus package (UNIX)
Re: Disinfectant vs. Virex (Mac)
International Virus Infections (PC)
Stoned variants (PC)
Apathy and viral spread (general)
F-PROT 1.14 (PC)
Processor-specific viruses and other subjects (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 18 Jan 91 14:15:12 -0700
From:    [email protected] (Richard W Travsky)
Subject: Stoned on a Hardcard (PC)

We're currently having a few skirmishes here with the Stoned virus.
In one instance we had Stoned show up on a hardcard (and removed
same).  Hadn't thought of hardcards being infectable before, but I
suppose it's no different from the flat round kind of hard disk.  Are
there any differences in viral behavior/detection/removal when a
hardcard is involved (as opposed to a hard disk)?

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668
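
Whatever the physical package, what DOS boots from is the same 512-byte master boot record, and that sector is what a boot-sector virus overwrites. The following is an added example (Python 3, written for this page; it is not code from the original digest or from any anti-virus product named in it) that parses an MBR and compares it against a baseline taken while the disk was known to be clean. Both sample sectors are constructed, the "infected" one carries a marker string instead of any real virus code, and the example assumes a hardcard presents a standard MBR through the BIOS exactly like any other fixed disk.

```python
"""Parse a 512-byte DOS master boot record (MBR) and compare it against a
saved baseline.  A boot-sector virus such as Stoned replaces the bootstrap
code in this sector while leaving the partition table in place so that DOS
still boots, so the check below hashes the code region and compares the
partition table separately.  Both sample sectors are constructed for this
example; neither is a capture of a real disk or of any virus."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE       # four 16-byte partition entries live here
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a bootable sector


def build_sample_mbr(code: bytes) -> bytes:
    """Assemble a plausible MBR around the given bootstrap code (constructed)."""
    if len(code) > PART_TABLE_OFFSET:
        raise ValueError("bootstrap code does not fit before the partition table")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    # One active primary DOS partition (type 0x06):
    # status, CHS start, type, CHS end, LBA start, LBA sector count.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\x0F\x3F\x27", 63, 40 * 16 * 63)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into the pieces an integrity check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, lba_size = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:      # type 0 means an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "start": lba_start,
                               "sectors": lba_size})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return findings against a baseline taken from a known-clean sector.

    An empty list means the sector is unchanged.  The baseline is whatever
    parse_mbr() returned while the disk was clean; keep it somewhere the
    virus cannot reach (a write-protected diskette, in 1991 terms)."""
    current = parse_mbr(sector)
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("bootstrap code changed since baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings


# Constructed bootstrap code: CLI / XOR AX,AX / MOV SS,AX, padded with NOPs.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40
# Constructed stand-in for an infected sector's code; the marker string is
# there so nobody mistakes this for a real sample.
INFECTED_CODE = b"\xEB\x20" + b"CONSTRUCTED-SAMPLE-NOT-A-VIRUS" + b"\x90" * 10


def demo() -> dict:
    """Baseline a clean sector, then check three variations of it."""
    clean = build_sample_mbr(CLEAN_CODE)
    baseline = parse_mbr(clean)
    no_signature = clean[:510] + b"\x00\x00"
    return {
        "clean": check_mbr(clean, baseline),
        "code_replaced": check_mbr(build_sample_mbr(INFECTED_CODE), baseline),
        "signature_lost": check_mbr(no_signature, baseline),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:15s} {findings or 'OK'}")
```

The code region and the partition table are checked separately on purpose: a virus that keeps the table intact still trips the code hash, while a damaged table with unchanged code points at something other than infection.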

------------------------------

Date:    18 Jan 91 22:09:13 +0000
From:    [email protected] (Brian D. Howard)
Subject: Re: Need help w/ CMOS problem in PS/2 Model 70 (PC)

[email protected] (David Wright) writes:

>My apologies if this group is not appropriate, but I would like to
>solicit advice on a problem that may be a malicious attack:

>I am looking at a friend's PS/2 Model 70 that he reports has had
>problems including problems reading diskettes that appear to be fine
>in another machine (a laptop that I am keeping carefully isolated).

Hold it right there.  The PS/2 has a 'feature' in that it will ignore
how a diskette is formatted and will ignore the diskette hardware.  If
you format a 1.44M 3-1/2" (I assume you mean 3-1/2") to be 720K (i.e.
use it in your laptop that only has 720K floppy?) and attempt to read
it in the PS/2 it will think it is formatted HD (1.44M) and give up.
Tape up the little square hole on the upper left hand side (no, not
that one under the slide) and try it again.

--
"Hire the young while they still know everything."

------------------------------

Date:    18 Jan 91 22:32:07 +0000
From:    [email protected] (RD Francis)
Subject: Query - Disinfectant vs. Virex (Mac)

Virex 1.3 is rather old, and probably won't catch any virus except
those older than WDEF, at least (discovered in late 1989).  Virex is
updateable from the company, for a fee; I believe that 2.0 was
released in 1989, though my memory may be playing tricks on me there.
As far as I know, from the standpoint of reliability, both products
are completely reliable.  The only differences visible to the user are
minor cosmetic differences in implementing the interface, the
commercial vs. PD issue, and the cost.  By commercial vs. PD, I mean
to mention that some people would prefer to use a commercial product
that they have to pay to get upgrades for because that product's
creators are more motivated to keep the program up-to-date, and less
likely to drop support.  Personally, I recommend Disinfectant; John
Norstad's done a great job, his updates are usually the first I hear
of the existence of a new Mac virus, and his support for the product
has been wonderful.

------------------------------

Date:    18 Jan 91 22:38:14 +0000
From:    [email protected] (Greg Limes)
Subject: Re: Need OTS Virus package (UNIX)

[email protected] (jim basara) writes:
|> I would like to request recommendations for off-the-shelf packages
|> which will prevent/isolate/monitor/etc. viruses on a Sun workstation
|> under unix.

Occasionally, I see people asking about such things on this list and
elsewhere, and I am underwhelmed by the amount of information that
therefore appears on the net.

Has anyone ever actually SEEN a "virus" on a UNIX box? And, don't tell
me about worms, that's a different matter ... I am specifically looking
for information about programs that propagate by modifying other
programs.

My background as an operating systems programmer at Sun leads me to
believe that such virii would be more difficult and less rewarding for
Joe Virus-Writer to create, and easier to protect against using
mechanisms available in the system, but it might be nice if I could
have some backing information that I could give when people ask me
about such things ...

-- Greg Limes
#include <disclaimer>
#include <cute-quote>
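
The system mechanisms Greg Limes alludes to are easy to turn into a check: a program that propagates by modifying other programs has to change their contents, and on UNIX it can only do that where the file permissions allow it. The following is an added example (Python 3, written for this page; it is not code from Sun or from any product mentioned in the digest) that baselines the executables under a directory tree and later reports which ones changed, appeared, or are writable by more than their owner. The tree it inspects is constructed in a temporary directory by the demo function, and the "infection" is a harmless prepended comment.

```python
"""Integrity baseline for executables on a UNIX host.

A file-infecting virus has to write to other programs, so recording a
hash, mode and owner for every executable under a directory tree and
comparing again later catches the propagation step itself, and also
flags the permission mistakes (group- or world-writable executables)
that would let an unprivileged process do the writing.  The demo at
the end builds its own tree in a temporary directory; nothing here is
a sample of real malware."""
import hashlib
import stat
import tempfile
from pathlib import Path


def is_executable(path: Path) -> bool:
    """Regular file with any execute bit set (symlinks are not followed)."""
    st = path.lstat()
    return stat.S_ISREG(st.st_mode) and bool(
        st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def build_baseline(root: Path) -> dict:
    """Map each executable's path (relative to root) to hash, mode and owner."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not is_executable(path):
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return baseline


def weak_permissions(entry: dict) -> bool:
    """Group- or world-writable: any process on the box could patch it."""
    return bool(entry["mode"] & (stat.S_IWGRP | stat.S_IWOTH))


def compare(baseline: dict, current: dict) -> dict:
    """Classify every executable seen in either snapshot."""
    findings = {"modified": [], "added": [], "removed": [], "writable": []}
    for name, entry in sorted(current.items()):
        old = baseline.get(name)
        if old is None:
            findings["added"].append(name)
        elif old != entry:          # content, mode or owner changed
            findings["modified"].append(name)
        if weak_permissions(entry):
            findings["writable"].append(name)
    findings["removed"] = sorted(set(baseline) - set(current))
    return findings


def demo() -> dict:
    """Constructed scenario: baseline two scripts, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("ls", "cat"):
            script = root / "bin" / name
            script.write_text(f"#!/bin/sh\necho {name}\n")
            script.chmod(0o755)
        (root / "bin" / "README").write_text("not executable, so not tracked\n")
        baseline = build_baseline(root)

        # Stand-in for a file infector: prepend code to one executable.
        victim = root / "bin" / "cat"
        victim.write_text("#!/bin/sh\n# constructed marker, not a virus\n"
                          + victim.read_text())
        # Stand-in for an admin mistake: another executable made world-writable.
        (root / "bin" / "ls").chmod(0o777)
        # A new executable appearing is worth a look too.
        dropped = root / "bin" / "extra"
        dropped.write_text("#!/bin/sh\nexit 0\n")
        dropped.chmod(0o700)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

The baseline has to live where the thing you are checking for cannot write to it, otherwise a virus that infects a file and then rewrites its baseline entry passes the check; that is the same reason the mode and owner are recorded alongside the hash rather than trusted at check time.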

------------------------------

Date:    19 Jan 91 05:31:38 +0000
From:    [email protected] (Robert Trebor Woodhead)
Subject: Re: Disinfectant vs. Virex (Mac)

First of all, you should ALWAYS GET THE CURRENT VERSION of any
Antiviral utility.  Using old versions is a ticket to disaster as it
lends a false sense of security.

Given the easy availability (Disinfectant is everywhere; and
you can order an upgrade of your current VIREX by calling
1-800-877-CURE) there is no excuse not to be current.

The current versions of VIREX and Disinfectant find and remove
all currently known Mac Viruses.  Both have powerful INITs.

Starting with V3.0, the VIREX INIT became significantly more
powerful.  The INIT now has repair capabilities (in fact, the
only reason to use the Application is if weird things start
to happen and you want the App's better reporting.)

All the antivirals do a fine job of the basic function of virus
detection and repair; where they are differentiated is in
bells&whistles, nice user interfaces, and support.  When you go with a
commercial product like, oh to pick one at random, VIREX (available at
finer computer stores, as well as a lot of disreputable ones...) you
are paying for handholding; there's going to be someone on the other
end of the phone line for you to call when the going gets weird.

Disclaimer : I wrote the Virex Application.

--
+--------------------------------------------------------------------------+
| Robert J. Woodhead, Biar Games / AnimEigo, Incs.   [email protected] |
| "The Force. It surrounds us; It enfolds us; It gets us dates on Saturday |
| Nights." -- Obi Wan Kenobi, Famous Jedi Knight and Party Animal.         |

------------------------------

Date:    20 Jan 91 19:23:37 +0100
From:    [email protected]
Subject: International Virus Infections (PC)

One of my BBS users (David Clarke) reported an interesting virus attack
on board the cruise liner Royal Viking, in Wellington on Sat 19 January.

He was called to the ship to diagnose some problems they had been having
with the hardware.

The JOSHI virus was discovered on two PS/2 55's running MS-DOS 4.01.
The KEYPRESS virus was found lurking on a Toshiba portable running
MS-DOS 3.3 on a 20MB HD.

David writes, "Joshi infected three of my diskettes while I was hunting
for the problem, I've learned my lesson, keep all diskettes write
protected!"

As mentioned, the callout was to diagnose hardware problems. What made
it harder to pin down as viruses was that neither of these viruses had
been seen in New Zealand before (as far as I know).

It is interesting to note he had downloaded SCAN and CLEAN from The Cave,
as the computer press and newspapers over here are continually lambasting
bulletin boards as a primary source of infection. It's a good thing some
people know better...
--
--------------------------------------------------------------------------
Charlie "The Bear" Lear | [email protected] | Kawasaki Z750GT  DoD#0221
The Cave MegaBBS  +64 4 643429  V32 | PO Box 2009, Wellington, New Zealand
--------------------------------------------------------------------------

------------------------------

Date:    Sun, 20 Jan 91 17:52:17 -0800
From:    [email protected] (Rob Slade)
Subject: Stoned variants (PC)

[email protected] (Tim Trimble) writes:

> the stone virus not being in the states yet can be considered false.

The original posting referred to the fact that the *Stoned-II* virus
had not been seen in the United States.  There have, in fact, been two
*major* variants of Stoned, with *minor* variations of each.  The
Hoffman list describes a total of six variants altogether, and as
those familiar with virus research will attest, this is probably very
conservative.

------------------------------

Date:    Sun, 20 Jan 91 18:07:13 -0800
From:    [email protected] (Rob Slade)
Subject: Apathy and viral spread (general)

Recently, Stratford Software has started a new online information
service called SUZY.  (The service is active in Canada, and is in
beta testing for users in the United States.)  I manage the data
security/anti-viral topic area (referred to as an "Information
Network", or "IN") called INtegrity.  Any SUZY user can look at
the information in the INs, but, as they "leave" the area, they
are asked if they want to "join".  This simply puts them on a
mailing list that can be used to send announcements to the
"members" of an IN.  If they want to "join", they hit ENTER, if
not, they hit <ESC>.

Well, as of today, the number of SUZY users who have joined
INtegrity stands at 170.  Some others may have dropped in and
looked around, but deliberately left themselves off the list when
they left the IN.

The number of accounts on SUZY currently stands at about 6000.
However, research I have done indicates that less than 15%
actually use the system more than once a month.  Interestingly,
this figure has remained unchanged since SUZY was released.  That
means that less than 900 accounts are "active".

What does this mean to you, and to data security?  It means that
less than 3% of all, and 20% of *active* SUZY users care enough
about data security to join the anti-virus IN.  This is the
*real* reason that computer viri are so widespread today: people
do not realize the danger.

Those of you who have studied viral characteristics, and
virus protection and functions, will realize how easy
it is to protect yourselves against most viri.  But if the
majority of users think they are safe, and do not take *any*
precautions, then viri have a fertile breeding ground to grow and
spread in.  As my wife says, it shows not only how few people
understand technology, but how few even understand the concepts
of public health.

------------------------------

Date:    Mon, 21 Jan 91 09:47:48 +0000
From:    [email protected] (Fridrik Skulason)
Subject: F-PROT 1.14 (PC)

              Changes to F-PROT

Version 1.14 added the following features:


       Detection, but not removal of

               Anthrax
               Crazy Eddie
               V2P6

       The reason V2P6 is not removed is because of the complexity of
       the various encryption methods - If you ever get infected by the
       virus, I suggest you contact its author:

                       Mark Washburn
                       4656 Polk Street NE
                        Columbia Heights, MN 55421
                       USA

       Detection and removal of the following viruses:

               217
               417
               440
               492
               516
               600
               696
               699 (erroneously called "711" elsewhere)
               707
               948
               1049
               1067
               1075
               1226
               1600
               2144
               2480
               Agiplan
               Alabama-B
               Amstrad-852
               AntiPascal
               AntiPascal 2
               Attention
               Bebe
               Best Wishes
               Black Monday
               Burger-537
               Carioca
               Christmas in Japan
               Cookie
               Datalock
               Destructor
               DIR
               Doteater
               Evil
               Father Christmas (Choinka)
               Groen Links
               Guppy
               Hymn
               Internal
               Invader
               Jerusalem-G
               Joker
               Joker-01
               Kemerovo
               Leprosy-B
               Liberty II
               Lozinsky
               MG
               MG-3
               MGTU
               MLTI
               Monxla/Time
               Musicbug
               Nina
               Nomenklatura
               Parity
               Phoenix
               Piter
               Plastique (4 new variants)
               Polimer
               Proud
               Saddam
               Scott's Valley
               Stone `90 (T@V) - a variant of Vienna
               Superhack (Scottish Murphy)
               SVC
               Sverdlov
               Tiny-family (11 different variants)
               Turbo-448
               Turbo Kukac
               Turku (Twins)
               V2P2
               VFSI (Happy)
               Vienna (several new variants)
               Violator
               Virdem-792
               Voronezh
               Westwood
               Wisconsin
               Zero Hunt (Minnow)

       F-FCHK now does a much better job of identifying minor variants of
       viruses, in particular those cases where the differences are
       insignificant and do not matter with regard to disinfection. As
       an example, it will now identify the minor Jerusalem-variants
       (Payday, Mendoza, A-204, Puerto, Sunday, Anarkia, Westwood, B, C, G
       GrLkDos etc.) correctly, instead of just labeling them "Jerusalem".

       The /LIST switch added to F-FCHK, to produce a report with a list
       of files scanned, and results.

       The /MULTI switch added to F-FCHK and F-DISINF to scan multiple
       diskettes.

       The switches may be combined with other switches - for example
       you can use

               F-DISINF A: /MULTI /AUTO

       if you have a large pile of infected diskettes or

               F-FCHK C: /AUTO /LIST > report.lis

       to scan and disinfect drive C: and produce a report.

       The following bugs/problems have been fixed:

               The identification string for "Zero Bug" has been changed
               as it produced a false positive in LB.COM from Lahey and
               several other programs.

               F-FCHK now reports the correct number of files disinfected,
               when files are infected with multiple viruses.

               Occasional (but very rare) crashes of F-XLOCK and F-FCHK
               if F-LOCK was not installed.

               Problems when removing "Stoned" from a hard disk formatted
               under some DOS versions earlier than 3.0

               Occasional incorrect removal of Alabama.

The following problem-fixes and changes are expected in version 1.15

       Detection of Whale is not fully reliable, as I do not yet have
       samples of all the different mutations of the virus.  This is not
       a serious problem, as the virus is not known to exist "in the wild",
       but I am working on this.

       F-DRIVER.SYS seems to be disabled on some machines running PC-NFS.
       This was only discovered yesterday, and I am searching for a way to
       solve this.

       Automatic scanning of boot sectors will be added in 1.15.

------------------------------

Date:    Mon, 21 Jan 91 10:11:46 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Processor-specific viruses and other subjects (PC)

                       Processor-specific viruses

When the first viruses appeared, some of them were discovered to work
only on 8088/8086 but not on '286 or '386 computers.  The best example
of this are two early boot-sector viruses:

       Ping-Pong (Italian, Bouncing Ball) - the standard version uses
       the MOV CS,AX instruction which only exists on 8088 and 8086.

       Alameda (Yale) - The first version used the POP CS instruction,
       for the same purpose - which also generates an "invalid instruction"
       interrupt on later processors.

The reason for this was assumed to be that the authors of the viruses
only had access to an 8088/8086 computer.

Now we have a different, but equally interesting situation.  One of
the recent viruses from Eastern Europe fails to execute on the 8088
and 8086 processors, but works perfectly on a '386.  The reason is its
use of the PUSH IMMEDIATE instruction (hex opcode 68), which did not
exist on the 8088/86.  The author of this otherwise non-remarkable 492
byte virus can therefore safely be assumed to have access to a more
powerful computer than the virus writers two years ago... :-)

                       Translations wanted....

From the Bebe virus comes this text - what does it mean - and what
language is this ?

        VIRUS!      Skagi "bebe"    Fig Tebe !

The MLTI virus contains this text - clearly a reference to the "Eddie"
virus, but what does "RED DIAVOLYATA" mean ?  (I want to emphasize
that "Dark Avenger" is the name of the author of the "Eddie" virus -
not the name of the virus itself.)

       Eddie die somewhere in time!
       This programm was written in the city of Prostokwashino
       (C) 1990   RED DIAVOLYATA
       Hello! MLTI!

From the POLIMER comes this text - is this Polish ? And what does it
mean ?

       A le'jobb kazetta a POLIMER kazetta !   Vegye ezt !
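
The opcode reasoning in the first part of this post can be made mechanical. The block below is an added example (Python 3, written for this page; it is not code from F-PROT or from the original post) that linearly decodes a small subset of 16-bit x86 and reports the range of processors a code fragment can run on: MOV CS,r/m16 (opcode 8E with the ModRM reg field set to CS) and POP CS (opcode 0F) pin a fragment to the 8086/8088, while PUSH imm16/imm8 (opcodes 68/6A) raise its floor to the 80186, the first generation to have them, which the 80286 and 80386 inherited. The sample fragments are constructed to model the three cases in the text, not taken from any virus, and the decoder refuses opcodes outside its table instead of guessing, because a linear sweep that guesses will happily classify data bytes as instructions.

```python
"""Classify a fragment of 16-bit x86 code by the processors it can run on.

The three cases from the digest: MOV CS,AX and POP CS, which the 8086/8088
accept but later processors reject, and PUSH imm (opcode 68/6A), which the
8086/8088 lacks.  A linear sweep over a small opcode table records, for each
instruction, the earliest and latest processor generation that executes it
and reduces those to a range for the whole fragment.  Only the opcodes
listed below are decoded; anything else raises.  All samples are constructed."""

GEN = ("8086", "80186", "80286", "80386")   # generation index 0..3

# opcode -> (mnemonic, has_modrm, immediate_bytes, min_gen, max_gen)
OPCODES = {
    0x0F: ("POP CS", False, 0, 0, 0),   # from the 80286 on, 0F is the escape prefix
    0x06: ("PUSH ES", False, 0, 0, 3), 0x07: ("POP ES", False, 0, 0, 3),
    0x0E: ("PUSH CS", False, 0, 0, 3),
    0x16: ("PUSH SS", False, 0, 0, 3), 0x17: ("POP SS", False, 0, 0, 3),
    0x1E: ("PUSH DS", False, 0, 0, 3), 0x1F: ("POP DS", False, 0, 0, 3),
    0x33: ("XOR r16,r/m16", True, 0, 0, 3),
    0x60: ("PUSHA", False, 0, 1, 3), 0x61: ("POPA", False, 0, 1, 3),
    0x68: ("PUSH imm16", False, 2, 1, 3),
    0x6A: ("PUSH imm8", False, 1, 1, 3),
    0x8B: ("MOV r16,r/m16", True, 0, 0, 3),
    0x8C: ("MOV r/m16,Sreg", True, 0, 0, 3),
    0x8E: ("MOV Sreg,r/m16", True, 0, 0, 3),   # Sreg=CS is refined in decode()
    0x90: ("NOP", False, 0, 0, 3),
    0xA4: ("MOVSB", False, 0, 0, 3), 0xA5: ("MOVSW", False, 0, 0, 3),
    0xC3: ("RET", False, 0, 0, 3), 0xCB: ("RETF", False, 0, 0, 3),
    0xCD: ("INT imm8", False, 1, 0, 3),
    0xE8: ("CALL rel16", False, 2, 0, 3), 0xE9: ("JMP rel16", False, 2, 0, 3),
    0xEA: ("JMP far", False, 4, 0, 3), 0xEB: ("JMP short", False, 1, 0, 3),
    0xF3: ("REP", False, 0, 0, 3),
    0xFA: ("CLI", False, 0, 0, 3), 0xFB: ("STI", False, 0, 0, 3),
}
for r in range(8):
    OPCODES[0x50 + r] = ("PUSH r16", False, 0, 0, 3)
    OPCODES[0x58 + r] = ("POP r16", False, 0, 0, 3)
    OPCODES[0xB8 + r] = ("MOV r16,imm16", False, 2, 0, 3)


def modrm_length(modrm: int) -> int:
    """Bytes taken by a 16-bit ModRM byte plus its displacement."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 0:
        return 3 if rm == 6 else 1      # mod=00 rm=110 is a direct 16-bit address
    if mod == 1:
        return 2                         # 8-bit displacement follows
    if mod == 2:
        return 3                         # 16-bit displacement follows
    return 1                             # register operand, no displacement


def decode(code: bytes) -> list:
    """Linear sweep; returns (offset, mnemonic, min_gen, max_gen) per instruction."""
    insns, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} at {pos:04X} is not in the table")
        mnem, has_modrm, imm, lo, hi = OPCODES[op]
        length = 1
        if has_modrm:
            if pos + 1 >= len(code):
                raise ValueError(f"truncated instruction at {pos:04X}")
            modrm = code[pos + 1]
            length += modrm_length(modrm)
            if op == 0x8E and (modrm >> 3) & 7 == 1:   # reg field 001 selects CS
                mnem, hi = "MOV CS,r/m16", 0            # accepted by the 8086/8088 only
        length += imm
        if pos + length > len(code):
            raise ValueError(f"truncated instruction at {pos:04X}")
        insns.append((pos, mnem, lo, hi))
        pos += length
    return insns


def processor_range(code: bytes) -> dict:
    """Reduce the per-instruction ranges to what the whole fragment needs."""
    insns = decode(code)
    lo = max((i[2] for i in insns), default=0)
    hi = min((i[3] for i in insns), default=3)
    return {
        "min": GEN[lo], "max": GEN[hi],
        "runs_on_8086": lo == 0,
        "runs_on_386": hi == 3,
        "contradictory": lo > hi,        # needs a newer CPU and an older one at once
        "limiting": [f"{off:04X} {m}" for off, m, l, h in insns if l > 0 or h < 3],
    }


# Constructed fragments modelled on the three cases in the text.
PINGPONG_STYLE = bytes([0xB8, 0x00, 0x7C, 0x8E, 0xC8, 0x90])     # MOV AX,7C00h / MOV CS,AX / NOP
ALAMEDA_STYLE = bytes([0xB8, 0xC0, 0x07, 0x50, 0x0F, 0x90])      # MOV AX,07C0h / PUSH AX / POP CS / NOP
NEWER_STYLE = bytes([0x68, 0x00, 0x7C, 0x1F, 0xCD, 0x21, 0xC3])  # PUSH 7C00h / POP DS / INT 21h / RET

if __name__ == "__main__":
    for name, frag in (("Ping-Pong style", PINGPONG_STYLE),
                       ("Alameda style", ALAMEDA_STYLE),
                       ("492-byte style", NEWER_STYLE)):
        print(name, processor_range(frag))
```

A real virus body mixes code with strings, jump tables and encrypted data, so on anything larger than a fragment this sweep stops at the first byte it does not know; that is the right failure for a classifier, since the alternative is to report a processor range for bytes that were never meant to execute.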

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 13]
*****************************************



Downloaded From P-80 International Information Systems 304-744-2253