VIRUS-L Digest   Monday, 28 Jan 1991    Volume 4 : Issue 15

Today's Topics:

Re: Text in MLTI virus (PC)
Re: Mac virii & System 7.0 (Mac)
Public domain virus information for archives?
Re: Norton Antivirus (PC)
Re: Norton Antivirus (PC)
Stoned in partition table (PC)
Virus Query (Mac)
Re: (No) Viruses in Irak's EXOCET?
Re: New virus 1586? (PC)
CARMEL Turbo Anti-Virus Set
Problem with F-Prot 1.14 (PC)
Processor-specific viruses and other subjects (PC)
Stoned, disk size and drive preference (PC)
This is getting insane...

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 24 Jan 91 13:09:49 -0600
From:    "McMahon,Brian D" <[email protected]>
Subject: Re: Text in MLTI virus (PC)

(I haven't posted here for a long while -- things have been very busy.)

[email protected] (Fridrik Skulason) wrote:

>The MLTI virus contains this text - clearly a reference to the "Eddie"
>virus, but what does "RED DIAVOLYATA" mean ?  (I want to emphasize
>that "Dark Avenger" is the name of the author of the "Eddie" virus -
>not the name of the virus itself.)
>
>       Eddie die somewhere in time!
>       This programm was written in the city of Prostokwashino
>       (C) 1990   RED DIAVOLYATA
>       Hello! MLTI!

Paul Coen <[email protected]> responded:

>Well, I can't help you with the RED DIAVOLYATA, aside from the rather
>obvious point that it seems to be the "name" of the author.

Let's hope not.  :-) DIAVOLYATA I think is related to English
"diabolical", referring to the Devil.  There are several interesting
things about this signature.

o  "Diavolyata" does not translate directly to "Devil" in any of the
  Russian, Polish, Czech, Bulgarian, and Serbo-Croatian dictionaries in
  our library.  The Russian would be "d'yavol."  Transliterating from
  Cyrillic to Latin script gets interesting, but "diavol" is a plausible
  rendition.  (I could go on, but it's outside of the list's topic.  Check
  the archives of RUSTEX-L on the UBVM LISTSERVer.)  One wild and
  unsupported guess:  DIAVOLYATA could be a contraction of "diavol" and
  "rebyata" (colloquially, "kids") for something like "devil-kids."  Just
  a WAG (Wild-Assed Guess), though.

o  The city of Prostokwashino does not appear in either the Bol'shaya
  Sovetskaya or the Brockhaus (generally good for Eastern Europe).
  "Prostokvasha" is Russian for "curdled milk."

o  MLTI is an abbreviation for "Moskov'skij Lesotekhnicheskij Institut,"
  the Moscow Forest Engineering Institute.

It's been several years since my last Russian class -- make of this what
you will, but at your own risk...


Brian McMahon  <[email protected]> | VAX Kludgemeister, Macintosh Medic,
Grinnell College Computer Services    | Human Help Key, support for sundry
Grinnell, Iowa 50112 USA              | stats packages, and rookie DECUS
Voice: +1 515 269 4901                | Symposia Editor.  Please allow two
Fax:   +1 515 269 4936                | to four weeks for miracles.

------------------------------

Date:    24 Jan 91 20:51:09 +0000
From:    [email protected] (Mark Phaedrus)
Subject: Re: Mac virii & System 7.0 (Mac)

[email protected] writes:

>     I hope this hasn't been discussed already, but I'm curious about
>the net world's thoughts about what will happen to all the viruses (Virii)
>we know and hate when system 7.0 comes out (in the first quarter of 1991?)

    Based on my limited Mac programming experience, I sincerely doubt
that there will be much change.  System 7 is not going to magically
change all the rules of Mac programming; it adds new features on top
of the existing ones.  If this weren't true, no System 6- programs
would work with System 7.  Therefore, I would speculate that the
existing crop of viruses will do just fine, since they mostly use the
same sorts of file system calls that applications do.  WDEF and the
other "stealth" viruses might run into trouble, if they use any
undocumented file system features to get around virus detection
programs.  Those viruses might stop propagating, or might crash the
machine.  But more conventional viruses (Scores, etc.) should work
under Sys 7.
--
Internet: [email protected]        (University of Washington, Seattle)
 The views expressed here are not those of this station or its management.
  "If you can keep your head while those about you are losing theirs,
     consider an exciting career as a guillotine operator!"

------------------------------

Date:    Fri, 25 Jan 91 08:45:47 -0500
From:    the element of laughter <[email protected]>
Subject: Public domain virus information for archives?

hello all. last month, as i was sitting here paging through one of the
digests, i read a post by someone requesting help for removal of some
virus from the pcs in the lab that he was a consultant for. that post
(and the numerous others that appear with that same theme: "please
help me remove <insert virus name here> from my pc/friend's pc/pc
lab") prompted me to write to Ken and ask him what he thought about
creating a set of "virus man pages" that would be stored in the
archives and made available to everyone so that requests for help
could be referred to there instead of endlessly repeating the
procedure to the list again and again. he mentioned to me the list
that is maintained by patricia hoffman which is not public domain and
how he would *love* to have something like that made available to the
network at large. i agreed.

however, i am not a virus expert, nor am i a computer guru. (merely a
well-learned user ;) ergo, i cannot compose this data myself. but, i
am more than willing to try and coordinate an effort to make this
service available to the net.

the way i envision this project is asking people to volunteer to write
about a specific virus the necessary information regarding its
characteristics, its effects, its means of propagation, its removal, etc.
this method will require that some kind of template be drafted so that
there is some semblance of order to the descriptions. it will also
require that there be some kind of panel or group of experts who "okay"
each file before it is added to the archives.

again, that is how i think would be the best way to tackle this project,
should any of you feel that this would be worthwhile (i know kenneth and
i feel that way). please feel free to comment on that suggestion or make
your own as i'd rather discuss this matter first before plunging
headlong into it.

there are a number of other concerns ken and i discussed, but until i
am sure that there is some support for this idea, i will hold off on
them. if there is interest, i'll probably just post the correspondence
that we had for everyone's perusal (you don't mind do you, ken?) and
we can go from there.
--
rob woiccak
[email protected]

------------------------------

Date:    Fri, 25 Jan 91 16:51:53 +0000
From:    [email protected]
Subject: Re: Norton Antivirus (PC)

Santo Nucifora (<[email protected]>) asked about Norton Antivirus.  I
haven't used it but it got a slashing review in PC Business World last
week, for making unfair claims about its abilities (it claims "Norton
Antivirus is the most complete and comprehensive virus protection
utility for the IBM PC and its compatibles", yet only 141 signatures
are loaded into memory, in a device driver misleadingly called a
Terminate Stay Resident program); for being out of date (despite
promised monthly upgrades, nothing had arrived yet); for being
comparatively expensive (compared eg with Frisk's F_Prot!!); for using
some rather poor techniques and (not least) for not being written by
Peter Norton.

Quotes from review:
..Using [our set of viruses]... we obtained the following results:
percentage of files in which viral activity was detected -- 80%.
Percentage of infections correctly identified -- 56%.
.. it detects Casper, V2P2, and 1260 using the same identity
..all Symantec's virus definitions come from the US [so double checks with
other programs will give different results because of differing
nomenclature]

Overall assessment:
Pro: nice user interface; both 5.25-inch and
3.5-inch write-disabled disks supplied as standard.
Con: misleading documentation; immature
product; not enough virus recognition patterns.

Hope this is useful.
Regards to all, Douglas de Lacey.

------------------------------

Date:    Fri, 25 Jan 91 14:07:21 -0800
From:    [email protected] (Rob Slade)
Subject: Re: Norton Antivirus (PC)

[email protected] writes:

> I was wondering if anybody has seen or used the Norton Antivirus?  Is
> it any good? What techniques are used to detect and remove viruses?
> What type of preventative measures are used?

I have spoken with the people from Symantec, and they have said they
will be shipping me a copy right away.  Mind you, they said that over
a week and a half ago, so you can draw your own conclusions about
their customer service for starters.  :-)

An interesting piece of trivia: apparently they were already working
on SAM-PC (Symantec Antivirus for MS-DOS) when they bought Norton, so
the package is really a combined project.

> North York, Ontario (Do I have to include Canada or is Ontario well known?)

You're willing to admit that Ontario is *within* Canada?  :-)

------------------------------

Date:    Fri, 25 Jan 91 14:00:01 -0800
From:    [email protected] (Rob Slade)
Subject: Stoned in partition table (PC)

[email protected] (Paul Brinkley) writes:

> the disk, and Stoned is still there.  Someone at the lab suggested

Did you boot from a clean system disk before you started all this effort?
Stoned is resident in memory, and will, of course, re-infect your disk as
soon as you have prepared it if you do not boot from a clean source
first.

I apologize if you *have* done this, but we are seeing repeated reports
of this kind.  FPROT deals very effectively with the Stoned variants that
I have seen, and low level formats, re-partitioning and so forth are
unnecessary extremes to go to.

------------------------------

Date:    Fri, 25 Jan 91 15:14:47 -0500
From:    motto!murray@lsuc (Murray S. Kucherawy)
Subject: Virus Query (Mac)

Has anyone heard of the MURPHY virus for the Mac?  Rumor has it that
it's out there, and it has already hit several sites in this area.

=============================== Murray S. Kucherawy ==========================
Motorola Canada, Ltd.     Communications Division, Toronto      [on work term]
University of Waterloo, Ontario, Canada               2B Math/Computer Science
Internet: [email protected] (work)       [email protected] (UW)
UUCP:     uunet!utai!lsuc!motto!murray   uunet!watmath!mskucherawy

------------------------------

Date:    25 Jan 91 06:01:18 +0000
From:    [email protected] (Rop Gonggrijp)
Subject: Re: (No) Viruses in Irak's EXOCET?

The argument that is missing in the discussion so far is the motive
for the French to include a virus other than the fact that they might
once be fighting their own weapon systems. How about this scenario:

France takes a more and more active part in the battle and sends ships
to attack the Kuwaiti shores.

Irak launches one single Exocet and kills 40 French sailors.

French public opinion demands that the arms exports stop immediately, thus
killing the French arms industry.

Far from any military interests, I think the industry itself would
protect itself from this worst case (best case... ;-) scenario even if
the generals did not ask for it. If they did not put a virus in they
are stupid...

--
Rop Gonggrijp ([email protected]) is also editor of  Hack-Tic (hack/phreak mag.)
quote: "We don't care about freedom of the mind, | Postbus 22953    (in DUTCH)
       freedom of signature will do just fine"  | 1100 DL  AMSTERDAM
Any opinions in this posting are wasted on you   | tel: +31 20 6001480

------------------------------

Date:    26 Jan 91 08:48:08 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: New virus 1586? (PC)

[email protected] writes:
>        3. Changes files size.
>                filename        noVir           Vir     Difference
>                command.com     37637           39223   1586
>                simcity.exe    191845          193431   1586
>                share.exe       10301           11879   1578

From this information it is clear the length of the virus is not 1586
bytes, nor 1578, but rather 1575 bytes.  The reason is as follows.  In
almost all cases, a variable length increase means the virus first
pads the program to make the length a multiple of 16 bytes, before
appending the virus.

Assuming this is the case, we get

            before padding   after padding   after infection   difference
command.com      37637            37648            39223           1575
simcity.exe     191845           191856           193431           1575
share.exe        10301            10304            11879           1575

A side effect is that disinfectors may not be able to restore infected
files 100% - they may contain 1-15 garbage bytes at the end, after the
virus has been removed. This will not affect the operation of the
program in any way, unless it does a check of its own integrity.

>If someone (reputable [ie. has written vir.pro. programs before]) would like
>to tackle this hobby of killing and detection of this virus I'll send you a
>copy.

Well - I would be happy to add detection/removal of this virus to my
F-PROT program - assuming it does not use any really complex
encryption, it should not take more than a couple of hours to have the
disinfector ready.

But be careful in who you send the virus to - there are not more than
10-12 people I would send it to.

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: [email protected]    Fax: 354-1-28801  |
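A worked version of the padding arithmetic above, as an added example rather than code from the post or from F-PROT: it recomputes the table from the quoted sizes and, going a step beyond the post, tries several candidate alignments to find the one under which every sample agrees on a single virus length (an analyst usually does not know the alignment in advance). The sample table is constructed from the three files quoted in the post.

```python
from typing import Iterable, List, Optional, Tuple

PARAGRAPH = 16  # 8086 "paragraph": many file infectors pad the host to this boundary

# Constructed sample, copied from the figures quoted in the post:
# (file name, clean length, infected length).
SAMPLES: List[Tuple[str, int, int]] = [
    ("command.com", 37637, 39223),
    ("simcity.exe", 191845, 193431),
    ("share.exe", 10301, 11879),
]


def padded_length(size: int, align: int = PARAGRAPH) -> int:
    """Round size up to the next multiple of align (unchanged if already aligned)."""
    return (size + align - 1) // align * align


def virus_length(clean: int, infected: int, align: int = PARAGRAPH) -> int:
    """Bytes appended once the host has been padded to the boundary."""
    return infected - padded_length(clean, align)


def residual_garbage(clean: int, align: int = PARAGRAPH) -> int:
    """Padding bytes (0..align-1) that a disinfector which only strips the
    virus body leaves at the end of the restored host."""
    return padded_length(clean, align) - clean


def naive_lengths(samples: Iterable[Tuple[str, int, int]]) -> List[int]:
    """Raw size deltas as they appear before accounting for padding."""
    return [infected - clean for _, clean, infected in samples]


def infer_virus_length(samples, align: int = PARAGRAPH) -> Optional[int]:
    """The one virus length consistent with every sample under the given
    alignment, or None when the samples disagree (the model does not fit)."""
    lengths = {virus_length(c, i, align) for _, c, i in samples}
    return lengths.pop() if len(lengths) == 1 else None


def find_alignment(samples, candidates=(1, 2, 4, 8, 16, 32, 64, 512)):
    """Smallest candidate alignment under which all samples agree on a single
    virus length, as (alignment, length); None if no candidate fits."""
    for align in candidates:
        length = infer_virus_length(samples, align)
        if length is not None:
            return align, length
    return None


def report(samples=SAMPLES) -> str:
    """Table in the same layout as the post, for eyeballing the reconstruction."""
    fit = find_alignment(samples)
    align = fit[0] if fit else PARAGRAPH
    rows = [f"{'file':<14}{'clean':>8}{'padded':>8}{'infected':>10}{'delta':>7}{'garbage':>9}"]
    for name, clean, infected in samples:
        rows.append(f"{name:<14}{clean:>8}{padded_length(clean, align):>8}"
                    f"{infected:>10}{virus_length(clean, infected, align):>7}"
                    f"{residual_garbage(clean, align):>9}")
    rows.append(f"alignment {align}: virus length "
                f"{fit[1] if fit else 'inconsistent'} (raw deltas {naive_lengths(samples)})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report())
```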

------------------------------

Date:    26 Jan 91 12:08:21 +0700
From:    [email protected]
Subject: CARMEL Turbo Anti-Virus Set

Please send me any information you have about the

Turbo Anti-Virus Set         from  Carmel Software Engineering

distributed by                     EPG International
                                  Hans-Stiessberger-Strasse 3
                                  D-8013  Haar by Muenchen

I recently got a copy of it and it seems to be a quite good product
(so far I can judge about ...)


bye ....................................................................
Didi

*****************************************************************************
*  Universitas Basiliensis                                       InfoCenter *
*****************************************************************************

------------------------------

Date:    Fri, 25 Jan 91 20:01:44 +0700
From:    "J.C. Kohler" <[email protected]>
Subject: Problem with F-Prot 1.14 (PC)

Hi there,

I installed the new version of F-PROT (1.14) today and I encountered a
small problem. When I tried to do a F-XLOCK *.* in my WordPerfect
directory, there were many files which it couldn't protect. Especially
the file WP.EXE, which is the most important one, and the one that is
the most frequently run was not lock-able.

I'm using a Dutch version of WP 5.1. Does anybody have an idea why
F-XLOCK can't lock them? It displays an error message, which contains
something about an illegal header.

Many Thanks in advance

Christian

====
[J.] Christian Kohler
Keele university, United Kingdom
JANET    : [email protected]
INTERNET : csw76%[email protected]
BITNET   : csw76%keele.ac.uk@ukacrl
UUCP     : ..!ukc!keele!csw76

------------------------------

Date:    Sat, 26 Jan 91 21:24:10 -0500
From:    "Richard Budd" <KLUB@MARISTB>
Subject: Processor-specific viruses and other subjects (PC)

[email protected] (Fridrik Skulason) writes in VIRUS-L V4 #13:

>From the POLIMER comes this text - is this Polish ? And what does it
>mean ?

>        A le'jobb kazetta a POLIMER kazetta !   Vegye ezt !

The last sentence looks like Magyar (Hungarian).  I've had some
exposure to that language from a recent bicycle tour of Hungary, but I
am not versed in it.  I will send a copy to our Budapest office for
possible translation.

Richard Budd                 | E-Mail: IBMers     - [email protected]
VM Systems Programmer        |         All Others - [email protected]
IBM - Sterling Forest, NY    | Phone:               (914)578-3764
------------------------------------------------------------------------
Question of the Week - How would the Persian Gulf Crisis have been handled if
                      Jimmy Carter had still been President?

------------------------------

Date:    Sun, 27 Jan 91 17:56:46 -0800
From:    Robert Slade <[email protected]>
Subject: Stoned, disk size and drive preference (PC)

The following exchange ported from the SUZY Information System:

== E-Mail > Fetch > Sinclair, Wayne ============================================

 Subject: Stoned signature

 I have had problems with the Stoned virus in the past, at least I
 hope it's past, but one thing puzzles me!

 I cleaned the whole of my system including all of my 3.5 and 5.25
 floppies (100's of them) and found many of my 5.25s to be
 infected but not one 3.5 disk out of a 100 or so. I did get
 reports back from F-Prot that there may be something
 unidentifiable on the boot sector and I attributed that to the
 strange formatting that PC Tools 6.0 puts on the disk.

 Are some versions of the Stoned virus not capable of infecting
 drive B: or was I just outright lucky?

 Since I did the complete system clean up a few months ago I have
 had no problems. I run F-Prot's sys file to keep guard all the
 time; it saved me in the past 4 or 5 times.

 Also what triggers the Stoned virus into action, a key
 combination, timers, certain number of boots? I can't figure it
 out. In all the times that the little pest gave me problems I had
 been previously working in PC Tools. I let Central Point know
 about this and their response was "Oh". Strange.

 Wayne Sinclair

== E-Mail > Fetch > Sinclair, Wayne > Reply ====================================

 Subject: Stoned and drives

 There are at *least* six versions of "Stoned" on the loose,
 probably a good many more.  So one cannot be too certain about
 "absolute" behaviour of the virus, but ...

 There are actually two possible explanations of the behaviour you
 see.  I have a report of a version of "Stoned" (reported to be
 the original, in fact) that will not infect 3.5" drives.  (This
 may have been "inspired" by the original BRAIN virus, which
 checked for the signature of a low density, 5.25" disk, and would
 not infect otherwise.)  I have, in my possession, a version which
 happily infects any size of floppy, but will not infect the B:
 drive.

 Activation is problematic as well.  One of the versions I have
 will happily infect any disk in the A: drive, whenever the A:
 drive is accessed.  Even for a DIR.  The other version is a
 sullen beast, and I haven't yet figured out its exact
 activation, but PCTOOLS seems to trigger it in my case as you
 report with yours.

 And yes, FPROT (at least up to version 1.13) did report PCTOOLS
 formatting as suspect.  I have sent frisk a copy of the PCTOOLS
 boot sector, but I don't know whether he has been able to
 incorporate it into 1.14.  Which is, by the way, available now in
 the INtegrity Library.

------------------------------

Date:    Mon, 28 Jan 91 10:23:04 +0000
From:    [email protected] (Fridrik Skulason)
Subject: This is getting insane...

A week ago I finished analysing the 70 or so new viruses I had
received in Hamburg and started distributing version 1.14 of my
program.  I was hoping for a few virus-free days, but guess what
happened....

In the past week I have received over 20 new viruses, and I know of 4
more "in the mail".

I spent the weekend analyzing the new viruses, and as expected, it
turned out that many of them were just variants of older viruses.

In some cases the viruses are more-or-less rewritten, possibly by the
same author, and possibly by someone with access to the source or a
disassembly.

A good example of this is a group of viruses from Taiwan, which are
either called Plastique or AntiCAD (although some people use Taiwan-3,
Taiwan-4 etc).  One of the members of the family is also known as
Invader.  All the viruses are targeted against AutoCAD.

I now have copies of at least 6 members of the family, one 2576 byte,
one 2900 byte, one 3012 and three 4096 byte variants.

The viruses are based on the Jerusalem virus, although the 4096 byte
variants are also able to infect the boot sector.

In many other cases, the difference between two variants is very small
- only a few bytes (or even just a single bit) and the total length of
the virus has not changed. How do such viruses get created ?

Dr. Alan Solomon had some thoughts on this subject, and I agree with him:

       1) accidental changes - bit errors in memory or when copying files.

       2) deliberate changes, produced to prevent detection by some
          scanning program.

       3) deliberate changes, produced to get a "reward" which some
          anti-virus companies offered for "new" viruses.

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: [email protected]    Fax: 354-1-28801  |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 15]
*****************************************