VIRUS-L Digest Thursday, 25 Jul 1991 Volume 4 : Issue 130
Today's Topics:
Re: Inaccuracies in Press on Viruses
Re: DOS virus attack (PC)
Ralf Burger (again)
re: virus for sale
F-PROT & DOS 5.0 (PC)
Re: F-PROT configuration question (PC)
Re: Anti-Virus software recommendation sought
Re: CARMEL TntVirus, A Trojan suspect. (PC)
Need prg to write-prot HD partition. (PC)
Re: New Devil's Dance? (PC)
Index of Known Malware: 998 viruses/trojans
Revised Product Test- - Virex (Mac)
Revision to the Revised Product Test on SAM (Mac)
Revision to PT-9, Disinfectant 2.5.1 (Mac)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 23 Jul 91 22:49:04 -0400
From: "Robert McClenon" <[email protected]>
Subject: Re: Inaccuracies in Press on Viruses
>From: Helena M Vonville <[email protected]>
>
>Robert McClennon wrote on the Washington Post article which discussed
>the possibility of a virus in the telephone software. He was
>disturbed (and rightly so) that the press does not use the jargon
>correctly when describing such problems.
[The correct spelling is either McClenon in the last four generations
or MacLennan. -- R. McC.]
>
>Fortunately (or maybe not so fortunately since we are dealing with a
>certain amount of potential incompetence) the problem was not virus,
>trojan, or worm related. It was just bad programming. The story was
>updated on NPR late last week, I believe.
>Helena VonVille
>Ohio State University
>------------------------------
>
>Date: Mon, 22 Jul 91 15:00:17 +0000
>From: [email protected] (Jan B. Andersen)
>Subject: Re: Inaccuracies in Press on Viruses
>
>[email protected] (Robert McClenon) writes:
[Thank you. That spelling is correct. -- R. Mc.C]
>
>>[from] The Washington Post, [...]
>>>Phone system experts have suggested that a virus might explain
>>>why the failures have been occurring within days of each other
>>>and at the same time of day.
>
>>It was possible as of the date of this article (but unlikely) that
>>the phone system failures were caused by a time bomb, but if so, it
>>was planted as a Trojan
>
>Not if we're talking of the same incident. The company that develops
>the software in the switches has admitted the bug was introduced as
>part of an upgrade. But, because it was such a minor upgrade, the
>software had not been tested as rigorously as it should have been. See
>comp.risk (or was it comp.dcom.telecom) for more details.
>
>------------------------------
1. My real concern was not incorrect use of "jargon" terminology so
much as incorrect characterization of the degree of public threat.
Viruses and worms, which do spread, do not spread to isolated systems
like telephone switches. To suggest that they do is a disservice to
the public, who are likely to panic unnecessarily.
2. We know now that the problem was not a time bomb. I suggested
that I did not think that the problem was a time bomb. The conclusion
that the problem was a simple bug (which I had always suspected and
had indeed posted to comp.risk) was published later than the date of
my quoted note.
3. I was admonished off-line by a journalism student for making
unreasonable demands of journalists with a minimal number of
column-inches. I do not demand that journalists define precise
technical terminology unless it is essential to technical
understanding. The distinction between viruses and worms is not as
important in this context as the distinction between replicators and
non-replicators. Bell Atlantic may have been vulnerable to Trojan
horses, time bombs, or logic bombs. Bugs got them. The press
suggested that there was a real risk from viruses, commonly understood
to mean replicators including viruses and worms. I don't ask full
explanations from the press. I do ask the absence of harmful error.
The _Washington_Post_ article contained harmful error.
------------------------------
Date: Wed, 24 Jul 91 15:20:00 +1200
From: "Nick FitzGerald" <[email protected]>
Subject: Re: DOS virus attack (PC)
Ed Wright wrote:
>A virus has appeared in Detroit for DOS. The virus changes files to
>hidden type and adds charters to file names.
>
>The standard DOS scan program are not effective for this virus.
>
>First infection was found on July 20, original infection occurred
>within the previous 3 days.
Thanks - what great information! I feel a lot better knowing this. 8-)
Is this _all_ that is known? Why are you so sure it's a "virus"? Are
you sure that you're not seeing the "aftermath" of someone having run
Norton Anti-virus on your machine?
Sorry - but with the "wealth of detail" you supplied, skeptics are
likely to wonder such things.
---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: [email protected] Phone: (64)(3) 642-337
------------------------------
Date: Wed, 24 Jul 91 07:50:19 +0000
From: [email protected] (Fridrik Skulason)
Subject: Ralf Burger (again)
The new and updated How-to-write-a-virus book by Ralf Burger has just
been published - called "Computer Viruses and Data Security".
According to the publishers, the book contains the source code to
several viruses, so we can probably expect a new flood of variants
based on the published examples.
I'm not sure what the best response would be - a call for a boycott of
all books by Abacus might be a bit too drastic...but I sure don't
approve of their actions...
-frisk
------------------------------
Date: Tue, 23 Jul 91 22:24:49 -0700
From: [email protected] (Rob Slade)
Subject: re: virus for sale
On a related note, by coincidence I happened to receive this message
tonight:
== E-Mail > Fetch > Echlin, Robert =======================================
Subject: virus files
Hi,
I am a consultant. I intend to provide training and installation
of Central Point Anti-Virus.
I would like to demonstrate detection and cleaning of a virus.
Could you send me a file with a virus in it that I could copy and
use in such a demonstration?
If the first couple of bytes of the file are changed to zeroes,
it could not be run and the virus could not be "transmitted".
Yours sincerely,
Robert Echlin
== E-Mail > Out-Box > Echlin, Robert =====================================
Subject: virus files
1) Why do you intend to specialize in CPAV?
2) I do exchange viral code with other researchers, but I need
some more background on who you are. Most of those I exchange
with are people whose work and writings I know, and whom I have
corresponded with for at least six months.
3) Your request does not indicate a sophisticated knowledge of
the field. If this is incorrect, please feel free to expand upon
it, but you must realize that I receive a number of requests of
this nature from those to whom I should *not* send such files.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Wed, 24 Jul 91 08:27:48 -0400
From: Lou Anschuetz <[email protected]>
Subject: F-PROT & DOS 5.0 (PC)
Installed DOS5.0 on my machine last night (which works well imho),
but ran into a problem with F-PROT. If I attempted to leave the
F-PROT driver.sys in my config.sys file the machine would freeze
and complain that INT13 was modified (undoubtedly true). Has
anyone found a work-around for this?
Thanks in advance!
Lou Anschuetz
[email protected]
------------------------------
Date: Wed, 24 Jul 91 22:11:02 +0000
From: [email protected] (Eric N. Lipscomb)
Subject: Re: F-PROT configuration question (PC)
> We are currently in the process of obtaining F-PROT for our 100 PCs
>in the Business Computer Lab at The University of Alabama. We are
>also using the Novell 3.1 NetWare. Our workstation's C drives are
>write-protected, so our users can only infect the memory, their own
>floppies, and the D drive which is used as a temporary drive. We do
>however have a couple of workstations for the uses of the consultants
>in which the hard drives are not write-protected. My question - Do we
>need to use the F-DRIVER.SYS? The only people who can infect the
>network are those who have access to places on the server other than
>their own personal directory. These are only the consultants, and we
>are aware about scanning anything before we download or use a floppy.
>Any comments would be appreciated.
We have a similar situation here at UNT. In my main lab, I have 15
PCs that are networked, but only have 2 floppies. It is true that my
users can "only infect the memory" on these stations, but I *still*
don't want even that to happen. So, we've installed F-DRIVER.SYS and
F-NET to prevent the users from running any program that might be
infected. This is also a good way for me to keep tabs on the software
on the network. If a student is suddenly unable to run a program
from the network because F-DRIVER has prevented it, I need to take a
more careful look into the rights setup on my network to see who
infected the programs and how.
Protection is not a bad thing. Using F-DRIVER is so simple and
painless, it makes almost no sense *not* to use it. If nothing else,
it can act as a good advanced warning system for your network.
}lips
Eric N. Lipscomb, Lab/Network Manager Academic Computing Services
Email: [email protected]   "Golf is something you do to make
       [email protected]   the rest of your life look good."
------------------------------
Date: Wed, 24 Jul 91 22:17:05 +0000
From: [email protected] (Andrew Turner)
Subject: Re: Anti-Virus software recommendation sought
[email protected] (David Ivens) writes:
>We are considering purchasing a site licence for Virus Buster from
>Leprechaun Software.
>It looks a very good package.
As with all the anti-viral packages it has its pros and cons - while
not wishing to say it's any better or worse than others (it pays to sit
on the fence) I have found it a very good product. We use it widely
across campus for staff and in student laboratories. Additionally
the Leprechaun folks are very responsive to user input and a number of
Buster's features have come from user requests. Buy a copy and give it
a whirl.
--
Andrew Turner
[email protected]
Die, v: To stop sinning suddenly.
-- Elbert Hubbard
------------------------------
Date: 25 Jul 91 07:30:00 +0200
From: [email protected]
Subject: Re: CARMEL TntVirus, A Trojan suspect. (PC)
[email protected] ( Mr S. Rahim ) writes:
> I got hold of Carmel Antivirus package through a bulletin board. After
> having installed it on the harddisk two weeks ago, I began to have
> problems. This included EXE and COM files which were working before
> Carmel came on the PC. Some files hang up while others refuse to run.
>
> When TntVirus is activated, I performed a scan of the memory with
> McAfee Scan V80, and it reported that P1 Related virus was active in
> memory. Another file relating to the package when run, SCAN revealed
> that Brain was active in memory.
>
> The possibilities which arose with the identification by Scan were
> that either Carmel software was using signatures to be resident in
> memory which were the same as those viruses. I tried to infect a COM
> and EXE file but there was no increase in file size nor the date of
> modification. However during this process a directory listing of the root
> directory revealed that an AUTOEXEC.$$$ file had been created in the
> past few minutes. I deleted that file but it appeared back again.
>
> I am leaving this question open for discussion. Is this a work of a
> trojan?
I know a lot of people using TNT AntiVirus (me included) since about
half a year and there was so far no sign for such a Trojan.
Two questions arise from your problem:
1. What version do you use? The current is I think about 7.1.
2. Are you sure you got a clean copy? TNT AV is a commercial product, which
you normally have to pay for. How reliable is the bulletin board you got
it from, when it "distributes" commercial software??????????
bye .................................................................... Didi
******************************************************************************
* Universitas Basiliensis InfoCenter *
******************************************************************************
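Mr Rahim's report of a memory scan flagging viruses while another anti-virus product is resident matches the hypothesis in his own post: a resident product that keeps its signature strings in memory in the clear will trip any other scanner that searches memory for the same bytes. The C model below is an added illustration, not code from this digest, from Carmel, or from McAfee. It uses a constructed byte pattern (not any real signature), a hypothetical "TOY-AV" resident image and an XOR mask of my choosing, and shows why a plaintext table produces the false alarm, why a masked table does not, and that the masked scanner still finds the pattern when it is genuinely present.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CONSTRUCTED toy signature for this example only; it is not the byte
 * pattern of any real virus, it merely stands in for one. */
static const uint8_t TOY_SIG[] = { 0xE9, 0x12, 0x34, 0xCD, 0x21, 0xB4, 0x4C };
#define TOY_SIG_LEN (sizeof TOY_SIG)

/* Mask under which the careful product stores its copy of the signature. */
#define SIG_MASK 0x5A

static const char RESIDENT_HEADER[] = "TOY-AV RESIDENT v1 ";   /* 19 bytes, hypothetical */

/* Naive memory scanner: offset of the first exact occurrence of sig in
 * buf, or -1 if none. This is what a "scan memory" pass amounts to. */
long scan_for_signature(const uint8_t *buf, size_t len,
                        const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || len < siglen) return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return (long)i;
    return -1;
}

/* Scanner whose own table is XOR-masked; each byte is unmasked only inside
 * the comparison, so the raw pattern never exists contiguously in its memory. */
long scan_with_masked_table(const uint8_t *buf, size_t len,
                            const uint8_t *masked, size_t siglen)
{
    if (siglen == 0 || len < siglen) return -1;
    for (size_t i = 0; i + siglen <= len; i++) {
        size_t k = 0;
        while (k < siglen && buf[i + k] == (uint8_t)(masked[k] ^ SIG_MASK)) k++;
        if (k == siglen) return (long)i;
    }
    return -1;
}

/* Simulated memory image of a resident AV TSR holding its table in the clear. */
size_t build_resident_image_plain(uint8_t *out, size_t cap)
{
    size_t n = strlen(RESIDENT_HEADER);
    if (cap < n + TOY_SIG_LEN) return 0;
    memcpy(out, RESIDENT_HEADER, n);
    memcpy(out + n, TOY_SIG, TOY_SIG_LEN);
    return n + TOY_SIG_LEN;
}

/* Same TSR with the table stored masked. */
size_t build_resident_image_masked(uint8_t *out, size_t cap)
{
    size_t n = strlen(RESIDENT_HEADER);
    if (cap < n + TOY_SIG_LEN) return 0;
    memcpy(out, RESIDENT_HEADER, n);
    for (size_t k = 0; k < TOY_SIG_LEN; k++)
        out[n + k] = TOY_SIG[k] ^ SIG_MASK;
    return n + TOY_SIG_LEN;
}

/* Scenario 1: a second product scans memory, hits the plaintext table and
 * reports the "virus" as active although nothing malicious is loaded. */
long demo_plain_table_false_positive(void)
{
    uint8_t img[64];
    size_t n = build_resident_image_plain(img, sizeof img);
    return scan_for_signature(img, n, TOY_SIG, TOY_SIG_LEN);   /* 19: offset inside the TSR */
}

/* Scenario 2: the same scan over the masked image finds nothing. */
long demo_masked_table_clean(void)
{
    uint8_t img[64];
    size_t n = build_resident_image_masked(img, sizeof img);
    return scan_for_signature(img, n, TOY_SIG, TOY_SIG_LEN);   /* -1 */
}

/* Scenario 3: the masked-table scanner still detects the pattern in a
 * constructed suspect buffer that really contains it (placed at offset 5). */
long demo_masked_scanner_detects(void)
{
    uint8_t suspect[32] = { 'M', 'Z', 0x90, 0x00, 0x03 };
    uint8_t masked[TOY_SIG_LEN];
    for (size_t k = 0; k < TOY_SIG_LEN; k++) masked[k] = TOY_SIG[k] ^ SIG_MASK;
    memcpy(suspect + 5, TOY_SIG, TOY_SIG_LEN);
    return scan_with_masked_table(suspect, sizeof suspect, masked, TOY_SIG_LEN);   /* 5 */
}
```

When troubleshooting a report like the one above, first check whether the reported hit lies inside the memory segment owned by the resident anti-virus product itself; a hit there, with no infected files and no change in file sizes or dates, points at the product's own table rather than at an active virus.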
------------------------------
Date: 25 Jul 91 06:23:57 +0000
From: [email protected] (Mark Medici)
Subject: Need prg to write-prot HD partition. (PC)
Pardon the wide distribution, but I am in sort of a bad situation, and
need a specific piece of software to help me out.
I am in desperate need of a reasonably priced utility that can
completely and securely write protect a directory branch or logical
partition on a PC hard disk while allowing unimpeded read access to
the protected branch/partition AND full read/write access to the
remaining branch(es) or partition(s).
The problem is simple: I've got 22 computers to put in four public
student computer sites. These computers will not have reliable access
to a file server, so software will have to be loaded on the local
fixed disk of each system. I can't afford the staff or my own time to
constantly clean viruses, reload software, and reconfigure
applications on these computers. So I'd like to set up part of each
computer's 40MB disk as a write protected partition.
The ideal utility would:
1. Allow full read/write access to the 10MB boot C: partition of
a 40MB fixed drive for swap space and temporary user storage.
2. Permit read-only access to the 30MB D: partition of the 40MB
fixed drive for protected storage of supported programs.
3. Not be defeated by a user booting from his/her own diskette
(D: would either still be read-only or be inaccessible.)
4. Be completely transparent to the user (no extra prompts or
pauses during system start-up or reboot).
5. Be compatible with MS-DOS 5.0, MS-Windows 3.0, and applications
designed for a MS-DOS/Windows environment.
6. Provide a separate utility that, when used with a valid password,
provides write access to the normally protected D: partition.
7. Utility in #6 should allow the definition of more than one
password and should keep a log of accesses for each system,
so that different levels of maintenance staff could have
access.
8. Be reasonably priced. I have a limited budget, and can't
afford to pay $200 per machine for this.
Of course I need to get the program, if it's available, as soon as
possible so I can learn it, install it on the 22 machines, and get the
machines put out at the sites by Sept 1st.
If you know of any utility, be it public domain, shareware or standard
commercial, that might fill many of these needs, please let me know.
If you have written similar software and feel you could quickly and
successfully write a program to accomplish the above, I would be happy
to talk to you.
Please E-Mail your replies to me at [email protected], or
call me at 908-932-2412. I will summarize here if there is sufficient
interest.
___________________________________________________________________________
Mark A. Medici, Systems Programmer III
Rutgers Univ. Computing Services, USD
<[email protected]>
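As an added example, not code from this digest or from any product mentioned in it, here is a C model of the access policy behind items 1, 2, 6 and 7 of the list above: a filter that decides each sector read or write against the 10MB C: / 30MB D: layout, an unlock routine with hypothetical maintenance accounts "staff-a" and "staff-b" (constructed passwords, stored in the clear only to keep the example short), and a per-machine access log. A real DOS implementation would hook INT 13h and run wp_check on every request; this model only evaluates the decisions so the policy can be exercised and tested.

```c
#include <stdio.h>
#include <string.h>

/* Layout from the request, in 512-byte sectors: C: is the first 10 MB
 * (read/write), D: the following 30 MB (read-only unless unlocked). */
#define SECTOR_BYTES 512UL
#define MB (1024UL * 1024UL)
#define C_START   0UL
#define C_SECTORS (10UL * MB / SECTOR_BYTES)   /* 20480 */
#define D_START   (C_START + C_SECTORS)
#define D_SECTORS (30UL * MB / SECTOR_BYTES)   /* 61440 */
#define DISK_END  (D_START + D_SECTORS)
#define MAX_LOG 32

enum disk_op { OP_READ, OP_WRITE };
enum verdict { DENY = 0, ALLOW = 1 };

struct wp_filter {
    int unlocked;                 /* 1 while a maintenance session is open */
    char unlocked_by[16];
    int log_count;
    char log[MAX_LOG][80];        /* item 7: access log for this machine */
};

/* Hypothetical accounts, constructed for the example (item 7 wants more
 * than one password). A real tool would keep hashes, not plaintext. */
static const struct { const char *name; const char *password; } MAINT_ACCOUNTS[] = {
    { "staff-a", "example-password-A" },
    { "staff-b", "example-password-B" },
};

void wp_init(struct wp_filter *f) { memset(f, 0, sizeof *f); }

static void wp_log(struct wp_filter *f, const char *who, const char *what)
{
    if (f->log_count < MAX_LOG)
        snprintf(f->log[f->log_count++], sizeof f->log[0], "%s: %s", who, what);
}

/* Fixed-time comparison: the result does not depend on where a guess diverges. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* Item 6: the unlock utility. Opens write access to D: on a valid pair;
 * every attempt, granted or refused, is logged. Returns 1 on success. */
int wp_unlock(struct wp_filter *f, const char *name, const char *password)
{
    for (size_t i = 0; i < sizeof MAINT_ACCOUNTS / sizeof MAINT_ACCOUNTS[0]; i++) {
        if (strcmp(MAINT_ACCOUNTS[i].name, name) == 0 &&
            same_secret(MAINT_ACCOUNTS[i].password, password)) {
            f->unlocked = 1;
            snprintf(f->unlocked_by, sizeof f->unlocked_by, "%s", name);
            wp_log(f, name, "unlock granted");
            return 1;
        }
    }
    wp_log(f, name, "unlock refused");
    return 0;
}

void wp_lock(struct wp_filter *f)
{
    wp_log(f, f->unlocked ? f->unlocked_by : "-", "relocked");
    f->unlocked = 0;
    f->unlocked_by[0] = '\0';
}

/* Policy for one request covering sectors [lba, lba + count): reads always
 * pass (items 1 and 2); writes pass on C:, and on D: only while unlocked;
 * anything reaching past the end of the disk is refused. */
enum verdict wp_check(const struct wp_filter *f, enum disk_op op,
                      unsigned long lba, unsigned long count)
{
    if (count == 0 || lba >= DISK_END || count > DISK_END - lba) return DENY;
    if (op == OP_READ) return ALLOW;
    int touches_d = lba + count > D_START;   /* any overlap with the protected range */
    return (touches_d && !f->unlocked) ? DENY : ALLOW;
}

/* Walk-through; returns the number of logged events (3) if every verdict
 * came out as the policy requires, -1 otherwise. */
int demo_write_protect_scenario(void)
{
    struct wp_filter f;
    wp_init(&f);
    if (wp_check(&f, OP_READ,  D_START + 5, 1)   != ALLOW) return -1;  /* reads pass */
    if (wp_check(&f, OP_WRITE, 100, 8)           != ALLOW) return -1;  /* C: writable */
    if (wp_check(&f, OP_WRITE, D_START + 100, 1) != DENY)  return -1;  /* D: locked */
    if (wp_check(&f, OP_WRITE, C_SECTORS - 1, 2) != DENY)  return -1;  /* straddles C:/D: */
    if (wp_check(&f, OP_WRITE, DISK_END - 1, 2)  != DENY)  return -1;  /* past disk end */
    if (wp_unlock(&f, "staff-a", "wrong-guess") != 0) return -1;
    if (wp_unlock(&f, "staff-a", "example-password-A") != 1) return -1;
    if (wp_check(&f, OP_WRITE, D_START + 100, 1) != ALLOW) return -1;  /* D: open */
    wp_lock(&f);
    if (wp_check(&f, OP_WRITE, D_START + 100, 1) != DENY)  return -1;
    return f.log_count;   /* refused, granted, relocked */
}
```

On item 3: a driver loaded from the hard disk's own config.sys is bypassed the moment the machine boots from a floppy, so that requirement cannot be met by a resident filter alone; it needs BIOS or hardware support (disabling floppy boot, or a controller that enforces the protection itself).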
------------------------------
Date: Thu, 25 Jul 91 00:26:36 +0300
From: Tapio Keihänen <[email protected]>
Subject: Re: New Devil's Dance? (PC)
>Does anyone have any hard evidence about the message displayed upon an
>attempted soft reboot when devil's dance is resident? I've been
>experimenting here with a version that has a different message (and
>seemingly different actions) than those I've read about elsewhere.
At least the variant of Devil's Dance I have displays this message:
"Have you ever danced with the devil under the weak light of the moon?"
"Pray for your disk!"
"The_Joker..."
"ha ha ha ha ha ha ha"
(maybe some more / less 'ha's - I'm not 100% sure)
All this is on grey background made of those ascii graphic characters
(ascii code 178).
Tapio Keihänen | [email protected] | DIO COMES - ARE YOU READY TO ROCK?
Disclaimer: This posting has nothing to do with nic.funet.fi archive server.
------------------------------
Date: 24 Jul 91 12:39:00 +0100
From: Klaus Brunnstein <[email protected]>
Subject: Index of Known Malware: 998 viruses/trojans
After weeks of work and excellent assistance of David Chess, Yisrael Radai,
Alan Solomon, Padgett Peterson and some others, I just published the "Index
of Known Malicious Software: MsDos systems". It covers most of the viruses
and trojans reported in this arena (similar indices for Amiga and Macintosh
to follow later this year). When summing up, I was deeply depressed: the
index counts:
120 virus families ("strains") with 59 more sub-families
with 744 viruses, variants and clones
plus 7 trojans,
and 228 single (non-strain) viruses
plus 19 trojans
*** totalling 998 pieces of malware ***
Though some people (including Alan Solomon) foresaw 1,000 viruses later this
year, the rise in figures has been underestimated. As this development is
likely to continue, antivirus experts should cooperate even more strongly than
contemporarily discussed.
At the same time, the July edition of VTCs Computer Virus Catalog describes
+ 8 AMIGA viruses totalling 54 viruses
+10 Macintosh viruses totalling 20 (out of 28 existing)
+14 PC viruses/trojans totalling 84
The disparity between "virus known" and "viruses classified" (with the aim to
maintain a good quality over quantity of classification) demands other tools
and methods for analysis, classification and production of countermeasures. We
are working harder to a more actual version of Virus Catalog; I am glad that
Mr.Jahn joined VTC (for doctoral work on secure databanks), and that Vesselin
Bonchev will join us next week for a (not yet specified) dissertation. On the
Moreover, I appreciate any cooperation with serious antivirus experts.
VTC documents (Index of Known Malicious Software: IMSDOS.791; Index of Virus
Catalog: Index.791; all entries classified up to now) are now available from
FTP:
Our FTP server: ftp.rz.informatik.uni-hamburg.de
Login anonymous
ID as you wish (preferably your name)
dir: directory of available information
cd pub/virus: VTCs documents
Hoping that this works, I will be absent (with Auto-Reply on) on a sailing trip
(with my schooner "Arethusa" which is a small replica of BLUENOSE but with
staysails) until August 18. 1991. Klaus Brunnstein, Hamburg
------------------------------
Date: Thu, 18 Jul 91 15:06:43 -0600
From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revised Product Test- - Virex (Mac)
******************************************************************************
PT-10
March 1990
Revised July 1991
******************************************************************************
1. Product Description: VIREX is a commercial program which includes virus
detection, virus treatment, and virus prevention. The program also identifies
"major" Macintosh trojan horses. The current version is 3.5 as of July 1991.
2. Product Acquisition: The product is available from Microcom, P.O. Box
51489, Durham, NC 27717. There are also several mail order software firms
which market VIREX, generally at substantial savings for a single copy. Site
licensing arrangements are available from the vendor.
3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or [email protected].
4. Product Test:
a. I obtained a copy of VIREX from MacWarehouse in July 1989. The
purchase price at that time was about 30% below the manufacturer's suggested
retail quote. The registration form received with the software gave one two
options to obtain any future upgrades to the product. The first option was a
$75.00 Annual Update Service. For this fee Microcom (then known as HJC
Software) would provide automatic updates for a year. The second option was to
purchase single updates for $15.00 upon notification of any VIREX new release.
I chose the second option given that VIREX at version 2.0 identified and
repaired all known Macintosh viruses as of that time. I wanted to build some
historical knowledge as to the frequency with which updates might occur before
committing myself to the automatic annual fee. I have subsequently purchased
upgrades at the 2.1, 2.5, 3.0, 3.2 and now 3.5 version.
[Ed. The remainder of this review, and numerous other anti-virus
product reviews, is available by anonymous FTP on cert.sei.cmu.edu (IP
number= 192.88.209.5) in the pub/virus-l/docs/reviews directory.]
------------------------------
Date: Fri, 19 Jul 91 15:50:34 -0600
From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to the Revised Product Test on SAM (Mac)
******************************************************************************
PT-20
November 1990
Revised July 1991
******************************************************************************
1. Product Description: Symantec AntiVirus for Macintosh (MAC) is a commercial
software program for the prevention, detection, and elimination of viruses for
the Macintosh.
2. Product Acquisition: SAM is available from Symantec Corporation, 10201
Torre Avenue, Cupertino, CA 95014-2132 for $99.95. However, there are several
mail order services which offer a single copy of the product at a reduced cost.
Symantec's telephone number is 408-253-9600.
3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or [email protected]; and Robert
Thum, Systems Administrator, Information Systems Command, White Sands Missile
Range, NM 88002-5506, DSN: 258-7739, DDN: [email protected].
4. Product Test:
a. I obtained a copy of SAM, Version 2.0, in October 1990 from
MacWarehouse in Lakewood, NJ for $67.00 dollars. I have previously purchased
software from this source with satisfactory results. I upgraded to version 3.0
for $25.00 in March 1991 directly from Symantec.
[Ed. Again, the remainder of this review can be downloaded by
anonymous FTP from cert.sei.cmu.edu]
------------------------------
Date: Tue, 16 Jul 91 11:58:05 -0600
From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to PT-9, Disinfectant 2.5.1 (Mac)
******************************************************************************
PT-9
January 1990
Revised July 1991
******************************************************************************
1. Product Description: DISINFECTANT is a public domain program to detect and
to repair virus activity for Macintosh systems. The author is Dr. John
Norstad, Academic Computing and Network Services, Northwestern University, 2129
Sheridan Road, Evanston, IL 60208. Dr. Norstad's BITNET address is jln@nuacc;
the INTERNET address is [email protected].
2. Product Acquisition: DISINFECTANT is available on several university and
public bulletin boards. It resides in the MS-DOS repository on the Information
Systems Command host simtel20 [192.88.110.20] at White Sands Missile Range:
pd3:<macintosh.virus>.
3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or [email protected].
4. Product Test:
a. I obtained a copy of DISINFECTANT, Version 1.5, in January 1990 from
the Macintosh repository on the USAISC-White Sands host simtel20. The
repository has been registered with HQ ISC, and has been approved for operation
by the Commander, USAISC-White Sands, under the policy of AR 380-19. I have
continued to receive updates with the most recent version 2.5.1, 7 July 1991.
[Ed. Again, the remainder of this review can be downloaded by
anonymous FTP from cert.sei.cmu.edu]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 130]
******************************************