VIRUS-L Digest   Wednesday, 21 Aug 1991    Volume 4 : Issue 144

Today's Topics:

Re: Hard disk locking ? (PC)
Re: New Anti-Virus Consortium Announced
Re: Problem cleaning "LIBERTY" virus? (PC)
Re: Mutation engine available (PC)
Re: Smithsonian Virus (PC)
Re: Hard disk locking ? (PC)
help identifying virus on PC (PC)
Re: NEW VIRUS? (PC)
Re: Problem cleaning "LIBERTY" virus? (PC)
Re: More about the mutation engine (PC)
Re: Hard disk locking ? (PC)
Re: HELP - possible virus (IBM 5150?)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 19 Aug 91 14:15:00 +1200
>From:    "Nick FitzGerald" <[email protected]>
Subject: Re: Hard disk locking ? (PC)

In VIRUS-L Digest V4 #142 Fridrik Skulason <[email protected]> wrote:

One person here at the University of Iceland had the misfortune of
having his hard disk trashed by the Spanish Telecom virus recently.
It was possible to trace the source of the infection, but now he wants
some method to prevent anyone from working on his machine while he is
away - for example by asking for a password on boot-up.

This is easily solvable with additional hardware - some machines
include this feature in the BIOS, but it is also possible to get an
add-in card for this purpose.

Software-only solutions are less secure of course, but they are
sufficient in his case.  It is possible to create a small program
which asks for a password when you boot from the hard disk, and cannot
be bypassed simply by booting from a diskette.

>My questions:
>
>     #1 I guess that such a program already exists - but I have not yet
>        been able to find it.  Does anyone know of something like this ?

There's one called PC-Lock which is shareware (sort of).  A "demo"
version is available from many FTP sites but it only allows one
character "passwords".  The replacement MBR that this program writes
makes the HD "invisible" if the PC is booted from floppy.  From a brief
play with the "demo" version it seemed to work much as claimed.  I think
it also gives you the option of write-protecting on a partition-by-
partition basis.

Padgett's DiskSecure has the option of password protecting your HD, but
I don't think there has been a "public" release of this yet.  (Certain
extremely abberant HD controllers, like one I own, cause grief to the
operation of DiskSecure and some similar programs.)

>     #2 If the answer to #1 is "no", I'll probably write this, and might
>        make it available if anybody is interested.  The question is - are
>        programs like this a good idea ?  I can imagine some potential
>        problems, for example if the hard disk is "protected" in this way,
>        without the owner's permission, and if a utility to remove the
>        protection is included, it really makes the program rather useless.

The way PC-Lock and DiskSecure work is they allow you to create a
"maintenance" disk, so you can boot from a floppy for various legitimate
reasons (e.g. booting without your disk cache to de-frag).  They also
provide "de-install" programs.  Obviously, neither maintenance disks nor
de-installers should be left near the PC, although the former still
require the user to supply a password.

On the issue of being able to remove the protection, FDISK will do the
trick if the PC's are booted from floppy, as the system still reports
the hardware is present, it's just that DOS doesn't see it.  A
determined hacker will still be able to break in by using something as
sophisticated as Norton's Utility and a bit of low level snooping around
the disk and then repartitioning to his/her best guess at the original
partitioning scheme (FDISK again).

- - -------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: [email protected]        Phone: (64)(3) 642-337

------------------------------

Date:    Sun, 18 Aug 91 18:00:19 +0700
>From:    [email protected] (Morton Swimmer)
Subject: Re: New Anti-Virus Consortium Announced

[email protected] (Rich Travsky (307) 766-3663/3668) writes:

> The August 5th Network World has an article on a new consortium: The

These people obviously haven't heard of EICAR and CARO yet. It looks
like there will be much work being done doubled. What a waste of time.

Cheers, Morton
.............................................................................
morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
internet: [email protected] or [email protected].
.............to leave only footprints, and take only memories................

------------------------------

Date:    Mon, 19 Aug 91 16:40:00
>From:    "Johnwee Lee" <[email protected]>
Subject: Re: Problem cleaning "LIBERTY" virus? (PC)

[email protected] (Johnwee Lee) writes:
> [email protected] (Ken De Cruyenaere 204-474-8340) writes:
>> The LIBERTY virus made another appearance on our campus recently.
>> CLEAN V80 was unable to clean it though.  I beleive the message
>> was something like "Unable to clean this file, delete ? y/n "
>> (Over a dozen infected files and none of them could be cleaned.)
>>
>> We next tried Central Point's ANTIVIRUS and it cleaned it up
>> quickly. Central Point identified it as the MYSTIC virus,
>> which caused a little confusion as MYSTIC isn't listed as
>> and alias of LIBERTY...
>>     I have checked back issues of this digest for any other
>> similar problems with CLEAN (version80) and LIBERTY and didn't
>> find any.  Has anyone else bumped into this?
>>   Ken
>
>   Recently, I was also given a disk from a friend that was infected
> with the LIBERTY virus. I am also having the same problem trying to
> remove it....  If anyone has any idea of cleaning or removing it
> without replacing the infected files please kindly let me know.
>
>   I appreciate any help that is available.
>
>    Johnwee Lee

    First of all... I would like to express my sincere *THANKS* to
all those people who mailed me their advice and experience on the
above.

    Just then when I was pondering on how to removed the "LIBERTY"
virus, a friend of mine suggested to me on using the SCAN (Version 77)
from McAfee on our LAN Network to try and removed it. I try using SCAN
77 and it detected it.  When I used CLEAN 77, it reported to have
removed it.

    Later on, I tried using SCAN 80 to make sure that the disk was
"clean" and SCAN 80 reported that "No virus was found" !!! Thus I
think that the "LIBERTY" virus that I have was a variant of the
original LIBERTY virus which SCAN 80 fails to removed it safely. As
such, I would recommand to others to try it out with SCAN 77 and CLEAN
77 if CLEAN 80 fails....

    Now that the virus is "removed" successfully, I regret that I
didn't make a copy of it for those interested in diagnosting it.

Thanks you once again...

Johnwee Lee
*=============================================================================*
|  Johnwee LEE  Y.K.                                |  Second Year NOVICE     |
|  Internet: [email protected]                |  Information Processing |
|  P.O.BOX 589, WILLETTON, WESTERN AUSTRALIA  6155. |  CURTIN UNIVERSITY of   |
|  TEL: 619-310-1440       FAX: 619-310-4986        |     TECHNOLOGY          |
*=============================================================================*

------------------------------

Date:    19 Aug 91 09:06:43 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Mutation engine available (PC)

[email protected] (Fridrik Skulason) writes:

>The person who calls himself Dark Avenger - the author of the "Eddie"
>virus (and others), has just released a "mutation engine" - a skeleton
>for constructing encrypted self-modifying viruses.  This program has
>been posted in source code form on several virus BBSes, and although
>it is not as sohisticated as expected, I would not be surprised if
>several viruses build around it would apper in the next few months.

Is this the MUTATE.ASM file, which comments you asked me to translate?
If so, this file is quite old (it has been available since long time)
and all viruses that can be created with it will belong to the PHOENIX
family. All of them could be detected with a wildcard scan string.  If
this is indeed the same file (please, confirm it), I can post here
scan strings that are compatible with SCAN and HTScan/TbScan(X).

Regards,
Vesselin

------------------------------

Date:    19 Aug 91 09:11:41 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Smithsonian Virus (PC)

[email protected] (Peter Kibbee) writes:

>       Has anyone ever herd of the stoned virus referred to as the
>Smithsonian Virus? Jack Anderson's column of August 12, 1991,
>headlined *Computer Hackers Still Playing Havoc*, contains the
>following reference:

>       This particular virus even has aliases that include "Hawaii,"
>"Marijuana," "New Zealand," "Smithsonian" or "Hamo."

C'mon, if we wait for the media to give us exact information... :-)

Regards,
Vesselin

------------------------------

Date:    19 Aug 91 09:14:44 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Hard disk locking ? (PC)

[email protected] (Fridrik Skulason) writes:

>It was possible to trace the source of the infection, but now he wants
>some method to prevent anyone from working on his machine while he is
>away - for example by asking for a password on boot-up.

>This is easily solvable with additional hardware - some machines
>include this feature in the BIOS, but it is also possible to get an
>add-in card for this purpose.

Yes, as far as I know, the ThunderByte card offers password protection
among other anti-virus stuff.

>Software-only solutions are less secure of course, but they are
>sufficient in his case.  It is possible to create a small program
>which asks for a password when you boot from the hard disk, and cannot
>be bypassed simply by booting from a diskette.

It depends on what do you mean exactly by "cannot". A really skilled
penetrator won't be stopped by a software solution, no matter how
sophisticated. True, you may even encypt the whole disk with a
cryptographically strong algorithm (and of course not store the
password on the disk <g>). This will prevent him only from -reading-
the disk, not from writing on it.

>My questions:

>     #1 I guess that such a program already exists - but I have not yet
>        been able to find it.  Does anyone know of something like this ?

I have heard of a program, called PC-LOCK. It is shareware. I -can-
bypass it, therefore for me it's just garbage.

There is another thing, but it is commercial and is manifactured by a
Bulgarian firm. When you install it (as a device driver), you won't be
even able to boot from a diskette - the machine just hangs. Yeah, this
is achieved entirely in software... Nevertheless, it can be bypassed too.

>     #2 If the answer to #1 is "no", I'll probably write this, and might
>        make it available if anybody is interested.  The question is - are
>        programs like this a good idea ?  I can imagine some potential
>        problems, for example if the hard disk is "protected" in this way,
>        without the owner's permission, and if a utility to remove the
>        protection is included, it really makes the program rather useless.

My oppinion is that such programs are not a very good idea. As I already
said, all of them can be bypassed, if enough effort is applied. Also,
they sometins are in conflict with programs like Disk Manager, that
use the unused space of the first disk track...

Regards,
Vesselin

------------------------------

Date:    Mon, 19 Aug 91 10:32:00 +0100
>From:    [email protected]
Subject: help identifying virus on PC (PC)

Hello,
     We have recently discovered a virus on some of our PC's here and
would appreciate it if anybody out there can recognise it and describe
it for us.  It manifests itself rather blatantly by displaying a
colour graphic on the screen of what looks like the pictorial
representation of the Mandelbrot set of Fractal geometry fame. (if
that rings a bell with anyone). There is also some text on the top
left hand corner "Execute: mov ax feb0, interrupt 21 any key to
continue!". The hex address there may not be 100% accurate. Anyway, we
would appreciate any help. Thanks.
                                    Paul Rothwell.

------------------------------

Date:    19 Aug 91 09:35:59 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: NEW VIRUS? (PC)

[email protected] writes:

>1.- SCAN detects the virus in memory, then it sends and alert, saying that some
>thing strange is happening in the computer's memory, and migth want to turn it
>off.

Does SCAN identify the virus? (Does it print a name?)

>2.- A bozo message appears on the screen saying: "I'm killing the &%$,@... poli
>ce program ..."

After you have started SCAN? And do you use VSHIELD?

>5.- You discover that all your files, including those on the sub-directories, h
>as been converted to a 144 byte file that contains the message "Fakkir has %$,&
>@ this Go-Go file... Ha, Ha, Ha"

Is there something more that this message in the files? For such a primitive
virus 144 bytes seem sufficient... Are all these 144-byte files equal?

>I was searching for signatures, boot sectors, or any other clue for try to figu
>re-out how the virus works, but the attack was very faster, and lethal.

Was the boot sector destroyed too? If not, does it seem infected? Are there
any clusters, marked as bad on the disk?

Regards,
Vesselin

------------------------------

Date:    19 Aug 91 09:28:05 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Problem cleaning "LIBERTY" virus? (PC)

[email protected] (Johnwee Lee) writes:

>  Recently, I was also given a disk from a friend that was infected
>with the LIBERTY virus. I am also having the same problem trying to
>remove it....  If anyone has any idea of cleaning or removing it
>without replacing the infected files please kindly let me know.

CLEAN is not able to disinfect most of the viruses that SCAN detects.
It just destroys the infected files. It is written in the documentation,
please read it. There is also a list of the viruses that CLEAN -is- able
to disinfect successfully. They are not very much - in fact only the most
often encountered viruses can be removed. McAfee's oppinion is that it is
safer to replace the infected files from non-infected backups or from the
original diskettes. I agree with him - very often it is impossible to
restore an infected file -exactly- in its previous state.

BTW, note that there are at least two variants of the Liberty virus.
You can also try F-Prot and Dr. Solomon's Anti-Virus Toolkit as
disinfection programs - they are quite good.

Regards,
Vesselin

------------------------------

Date:    19 Aug 91 09:43:28 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: More about the mutation engine (PC)

[email protected] (Fridrik Skulason) writes:

>Normally I would ask Vesselin Bontchev for a translation, as the text
>is probably in Bulgarian, but I have not been able to reach him.  So,
>if there is anybody reading this who...

Well, this is probably a misunderstanding, but didn't my mail reach you?
I translated them on the same day I received your message. If you still
don't have them, do you want the translation posted here?

>       ... can display the Cyrillic character set on his/her PC.
>and
>       ... understands Bulgarian

Oh, the first thing is easy... :-) I have a small TSR program, that is
both a screen (EGA/VGA only) and a keyboard driver for Cyrillics... If
a lot of anti-virus researchers need it, I can send it to Ken.

About the second thing, well I guess that our language is not easier then
the Icelandic one... :-)

Regards,
Vesselin

------------------------------

Date:    Mon, 19 Aug 91 11:59:56 +0000
>From:    [email protected] (Stephen R. van den Berg)
Subject: Re: Hard disk locking ? (PC)

Frisk wrote:
>One person here at the University of Iceland had the misfortune of
>having his hard disk trashed by the Spanish Telecom virus recently.
>It was possible to trace the source of the infection, but now he wants
>some method to prevent anyone from working on his machine while he is
>away - for example by asking for a password on boot-up.

>     #1 I guess that such a program already exists - but I have not yet
>        been able to find it.  Does anyone know of something like this ?

It does exist, it's called PC-Lock, can't remember who distributes it
right now.  I never used it, a friend of mine used it in his office.
I think it is ShareWare.  If you need more info, drop me a note, I'll try
to find it and will tell you where to buy/ftp it.

>     #2 If the answer to #1 is "no", I'll probably write this, and might
>        make it available if anybody is interested.  The question is - are
>        programs like this a good idea ?  I can imagine some potential
>        problems, for example if the hard disk is "protected" in this way,
>        without the owner's permission, and if a utility to remove the
>        protection is included, it really makes the program rather useless.

PC-Lock replaces your harddisk partition table, i.e. without typing
in your password, you can not access any harddrives by using DOS; not
even when booting by floppy.  As far as I can remember they do not supply
a lockbreaker program (no doubt someone wrote something like that), however
any direct disk editor like NDD or DE can probably be used to remove the
lock.  But in order to do this, some expertise is still needed.
- --
Sincerely,                                [email protected]
          Stephen R. van den Berg (AKA BuGless).    [email protected]

"Good moaning!"

------------------------------

Date:    Mon, 19 Aug 91 12:55:45 +0000
>From:    [email protected] (Helmut Dier)
Subject: Re: HELP - possible virus (IBM 5150?)

You should clean yor disk, because the Jerusalem sort is a really
dumb one. It infects files on and on so it's no wonder they need a
longer time to load. you should be able to use CLEAN from McAfee
(I hope I spelled it correctly) to clean most files.
We had a lot of infections here at the university all over the last
year and we could "heal" most of the files using CLEAN.
Try to get it at some BBS (probably TRICKLE is the easiest to use).

Helmut (E-Mail: [email protected])

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 144]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.