VIRUS-L Digest   Thursday, 17 Oct 1991    Volume 4 : Issue 194

Today's Topics:

Invalid Media Type (Virus attack?) (PC)
Thunderbyte (PC)
Re: SF Worms/Viruses (Re: HW not a solution)
re: scanner for all files (PC)
Unfair advantage
Re: Virus on Mac (Mac)
Any Apple //e viruses?
virus help (PC)
New versions of SVC out in the wild! (PC)
Re: Version 84 of McAfee anti-virus programs now available (PC)
Re:Alteration-Searcher for all files (PC)
PC hardware vs software
Re: Anti-virus patent - David.M.Chess
Re: STONED Virus - information please! (PC)
Re: Help urgently needed for stoned virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 16 Oct 91 13:24:22 -0700
From:    [email protected]
Subject: Invalid Media Type (Virus attack?) (PC)

In the last 3 weeks, my hard drive has crashed 4 times.  This is what
happens:

I boot up, and it locks up.  Then I boot from floppy, and get to the
dos prompt.  When I try to get a directory of C: I get the message
'Invalid media type' ...

Luckily, I use MS-DOS 5.0, and use the MIRROR command in my
autoexec.bat so I FORMAT drive C: and then UNFORMAT drive C:, and then
most (but not all) of my data is recovered.  I brought the cpu to the
manufacturer and he tested the hard drive, and said there were no
defects.  Could this be a virus?  I run McAfee's virus checker daily,
not to mention whenever I unzip a file I get from a BBS.  I never
found a virus!  Could it be a new (or undetectable) virus?  Has this
happened to anyone else before?  It's really a pain in the butt to
have to go through this format/unformat (and lose data) process over
once a week!  Any suggestions?

Thanks.

------- Taz

Email Address: [email protected]

------------------------------

Date:    Wed, 16 Oct 91 23:19:43 +0100
From:    Mikael Larsson <[email protected]>
Subject: Thunderbyte (PC)

[email protected] (Harry Stox) wrote:

> Although personally I don't have any experiences with the Thunderbyte
> hardware, my guess is that it is unusable with modern IDE or SCSI
> drives, since the hardware is placed between your MFM/RLL controller
> and your harddisk.

Sorry, but You're wrong!  Thunderbyte works really great with
IDE/SCSI/ESDI drives.  You just plug the card into a free slot and
forget the cable; the card gets the signals from the bus instead of
via a cable between the controller and the hard disk.

> The idea behind Thunderbyte resembles that of FluShot, with the
> exception that instead of in software, the locking of the hard disk is
> now done in hardware.

Well, locking is not the only thing You use it for.  Thunderbyte is an
excellent piece of hardware that checks if files are changed, if
modifications of files/boot sectors are done, if time-stamps are being
changed to an odd value (like 62 in the seconds), if COM/EXE/SYS/OVL
files are renamed to a NON-executable extension, if the read-only
attribute is being changed, etc. etc.

Since the card does NOT look for specific viruses, it's possible to
detect new, unknown viruses with it.  For example, I got an example of a
virus which the sender couldn't identify.  I ran the file, and
whoops!  Thunderbyte said that the file was trying to modify the
partition table...  Later on, this virus was named TEQUILA.  (This was
before SCAN etc. could detect it...)

Thunderbyte also includes a password protection that is pretty good;
You can't bypass the password without removing the card from the slot.

Rgds,

MiL

(Mikael Larsson)
==============================================================================
 Virus Help Centre                      BBS Line #1:  +46 26 275710
 P.O. Box 7018
 S-811 07 Sandviken                     FidoNet    :  2:205/204
 Sweden                                 VirNet     :  9:461/101, 9:9/0

 Phone       : +46-26 100518            Home of VirNet
 Fax         : +46-26 275720            McAfee Associates Agent Sweden
 Mobile Phone: +46-10 955551            VSUM Agent Sweden
                                        Thunderbyte Support Sweden
                                        Member of PCVRF
===============================================================================
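The "62 in the seconds" check above works because of how DOS stores a file's last-write time: the 16-bit FAT time word holds seconds divided by two in its low five bits, so the field can encode 0 to 62 seconds even though a real clock never writes more than 58.  The following Python is an added example, not part of the post and not Thunderbyte's own code; it decodes 32-byte FAT directory entries (constructed here, not read from a disk) and reports time fields that normal file activity could not have produced.  Only the timestamp heuristic is shown; the other checks the post lists (renames, attribute changes) need a stored baseline, which this block does not keep.

```python
import struct

# On-disk layout of a 32-byte FAT directory entry (offsets are the FAT format's):
#   0..10   8.3 name, space padded        11      attribute byte (0x01 = read-only)
#   22..23  last-write time, LE 16-bit     24..25  last-write date, LE 16-bit
#   28..31  file size, LE 32-bit
ATTR_READ_ONLY = 0x01
ATTR_ARCHIVE = 0x20


def decode_fat_time(word):
    """Split a FAT time word into (hours, minutes, seconds).
    Bits 0-4 hold seconds/2 (0..31 -> 0..62 s), bits 5-10 minutes, bits 11-15 hours."""
    seconds = (word & 0x1F) * 2
    minutes = (word >> 5) & 0x3F
    hours = (word >> 11) & 0x1F
    return hours, minutes, seconds


def encode_fat_time(hours, minutes, seconds):
    """Inverse of decode_fat_time; used here only to build constructed sample entries."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def timestamp_anomalies(word):
    """Return reasons this time word could not come from normal DOS file activity."""
    hours, minutes, seconds = decode_fat_time(word)
    problems = []
    if seconds >= 60:  # field values 30 and 31 decode to 60 and 62 seconds
        problems.append(f"seconds={seconds} (field value {word & 0x1F} is out of range)")
    if minutes > 59:
        problems.append(f"minutes={minutes}")
    if hours > 23:
        problems.append(f"hours={hours}")
    return problems


def parse_entry(raw):
    """Decode one 32-byte directory entry into a dict."""
    name = raw[0:8].decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    time_word, date_word = struct.unpack_from("<HH", raw, 22)
    size = struct.unpack_from("<I", raw, 28)[0]
    return {"name": f"{name}.{ext}" if ext else name, "attr": raw[11],
            "time": time_word, "date": date_word, "size": size}


def make_entry(name, ext, attr, time_word, date_word, size):
    """Build a constructed directory entry for the demo (not real disk data)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<HH", raw, 22, time_word, date_word)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def scan_directory(raw_dir):
    """Walk a raw directory region and return (file name, problem) pairs."""
    findings = []
    for off in range(0, len(raw_dir), 32):
        entry = parse_entry(raw_dir[off:off + 32])
        for problem in timestamp_anomalies(entry["time"]):
            findings.append((entry["name"], problem))
    return findings


# Constructed sample directory: one ordinary entry and one carrying the
# 62-second marker.  The date word 0x1221 is an arbitrary valid date.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", ATTR_ARCHIVE, encode_fat_time(12, 0, 0), 0x1221, 47845),
    make_entry("GAME", "EXE", ATTR_ARCHIVE, encode_fat_time(9, 30, 62), 0x1221, 20480),
])

if __name__ == "__main__":
    for name, problem in scan_directory(SAMPLE_DIR):
        print(f"{name}: {problem}")
```

A resident monitor such as the card described above sees the write as it happens; a scanner like this one only sees the result, so it catches a marker that was left behind but says nothing about how it got there.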

------------------------------

Date:    Wed, 16 Oct 91 21:00:32 +0000
From:    [email protected] (Gary Heston)
Subject: Re: SF Worms/Viruses (Re: HW not a solution)

[email protected] (Rick Smith) writes:
|[email protected] (Jay Skeer) writes:
|
|>P.P.S.  I got the idea of a computer virus from an old S.F. book.  In
|>the book they actually describe a worm (and called it that) ...
|>....                          This was in 1983 or 4.
|>Does anyone know the name of that book, or of an earlier reference to
|>computer viruses?

|There's Gerrold's "When Harlie was One" which dates at least to the
|early 70s. There's "Adolescence of P1" (a Morris-like worm) which I
|read in the mid-late 70s, but I don't remember the author.

For those interested, here's the info I have:

The Adolescence of P-1, Thomas J. Ryan, (C) 1977, Ace SF Books,
ISBN 0-441-00360-5

The Shockwave Rider, John Brunner, (C) 1975, Ballantine Books,
ISBN 345-24853-8

--
Gary Heston   System Mismanager and technoflunky   uunet!sci34hub!gary or
My opinions, not theirs.    SCI Systems, Inc.       [email protected]
Become a pheresis donor. Loan your blood to the Red Cross for a couple
of hours. They, and cancer patients, will appreciate it.

------------------------------

Date:    16 Oct 91 19:23:48 -0400
From:    Wolfgang Stiller <[email protected]>
Subject: re: scanner for all files (PC)

Bob Babcock <[email protected]> writes:

>Recently I corrupted some files on my hard disk, not by a virus
>infection but by changing my QEMM setup and crashing while downloading
>in the background.  The end result was a few corrupted files with
>unchanged time stamps, and maybe a few more such files that I haven't
>found yet.  What I would like for future use is a checksumming program
>which would look at all files on my hard disk and tell me which ones
>have changed without the time stamp changing.  Will any of the
>anti-virus programs do this?  The closest I've found is one which only
>looks at executable files.

I've written PC Magazine's PCdata data integrity toolkit. It will do
exactly what you want.  It's free and you can download it from
CompuServe Ziffnet UTILFORUM (GO ZNT:UTILFORUM).  It will detect any
virus if you boot from a clean copy of DOS first and allow you to
detect damage and reload your system sectors as well as your files. It
will NOT identify viruses by name, it merely identifies changes and
provides directions for determining if it's a virus.  If you don't
have access to CompuServe send me a formatted disk in a self-addressed
stamped mailer and I'll send you the toolkit and full documentation.
Mail to Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310
U.S.A.

 Regards,
 Wolfgang

------------------------------

Date:    Wed, 16 Oct 91 21:21:13 -0700
From:    [email protected] (Fred Waller)
Subject: Unfair advantage

Writes  [email protected] (Yary Richard Phillip Hluchan)
on the subject of Fred's Virus-resistant machine:

> In other words, you built one computer and ran viruses
> designed for a completely different computer.

Yes, yes! Someone noticed! :-) It _is_ unfair, and the viruses will
complain.  Actually, though, the difference is not "complete", only
_slight_.  It's slight enough that the OS does not see it, and the
apps do not see it, but current viruses don't like it!  Isn't that
amazing?

>  If Fred Waller's Virus-Resistant machine became widely
>  available, all viruses that infect .COM, .EXE, etc files
>  would become obsolete, granted.

That was part of the objective and the confirmation is appreciated.
But don't forget Boot viruses and the new kind of Cluster viruses
(DIR II).  Those will become unhappy also. All that talent wasted!

>  But about six months after we all upgraded to the protected-
>  disk scheme we'd start seeing the spreadsheet / .BAT / terminal
> viruses...

I'll gladly take my chances then, and so should everyone else. But
a minor correction: .BATs are executable and would be restricted to
the program disk.  And so can terminal emulators that I am familiar
with.  Not that I am particularly worried about .BAT viruses - one
could READ them with a text viewer!  That would be delightful, maybe
even instructive.  Wish all viruses were so nice.

As far as "interpreted" viruses, well, Axel Gutman's posting of 12
Oct 91  16:42:00 GMT addresses the issue better than anything I
could have written. Yes, there is some concern. But yes, it would
be much more difficult to write interpreted viruses as effective
as the current ones. Maybe impossible.

Another small correction: Fred Waller's Virus-Resistant machine
doesn't need to be made widely-available.. it's widely available
already.  In fact, it is the machine you have now, plus some
interesting modifications.  Nature is bountiful...      :-)

> A "new" virus would write to a shell / macro / etc. data file,
> and would execute from within some third-party software other
> than the operating system.

It should be interesting to see just how it manages to become a
"stealth" virus or how competently it would take over and manipulate
Int 13. (In fact, I've been thinking about letting Matsumoto's
DIET loose on that data drive.. just to complicate things a
little... :-)

Fred Waller

------------------------------

Date:    Thu, 17 Oct 91 06:00:19 +0000
From:    [email protected] (Paul N. Zaremba (AA9BK))
Subject: Re: Virus on Mac (Mac)

[email protected] (Olivier BAUDON) writes:

>We have found a new virus.  The message given is 'Don't Panic', given by
>virus-check 1.2.  We don't remember having installed this init.
>(We use SAM Intercept.)  The virus is on an internal hard disk and
>it's now impossible to boot the Mac from a protected/unprotected
>floppy or external hard disk.

This virus is the nVIR virus, of which there are several strains.  Use
a recent copy of Disinfectant or Virex to remove it.  It (like most Mac
viruses) is wimpy.......

--
*******************************************************************************
Paul N. Zaremba - Amateur Callsign AA9BK (After A 9th Beer, Killed!)
** [email protected]    [email protected]         **
[email protected] **
Affiliated with the best in the midwest, WKIG FM 107! I'm a shiny, happy guy
*******************************************************************************
------------------------------

Date:    Wed, 16 Oct 91 21:23:53 -0400
From:    [email protected] (John Palaima)
Subject: Any Apple //e viruses?

Well, are there any APPLE //e viruses?
__________                                                    __________
|John      | John Palaima                                     |John      |
|     _    | ProLine  :johnp@pro-angmar                       |     _    |
|    (_).  | Internet :[email protected]         |    (_).  |
|          | UUCP:    :uunet!alphalpha!pro-angmar!johnp       |          |
|.... O....| Argus:   :johnp                                  |.... O....|

------------------------------

Date:    Wed, 16 Oct 91 19:43:21 -0400
From:    [email protected] (Zaki Alam)
Subject: virus help (PC)

Hi there:

I seem to be having a little problem with a possible virus.  I have run
SCAN v49, and it came up with no results.  I have noticed that the
program primarily goes after any executable file, and it seems to
corrupt the file when it is being executed.  I have downloaded the
following programs from the local BCS BBS:

       SCAN    v49
       CLEANUP 7.9v84
       FLUSHOT+ v 1.7

System Info:

       Computer:       NEC PowerMate 386/20
                       Seagate HD 40MB (internal) - two.

       DOS Version:    3.30

       Printout of Autoexec.bat:

               @echo off
               prompt $p$g
               PATH = c:\dos;c:\;c:\batch
               turbo +
               set acadcfg=c:\acad10\cfg
               chkdsk /f
               cls
               if exist c:\tmp\*.* del c:\tmp\*.*
               if exist c:\*.chk del c:\*.chk
               if exist c:\*.bak del c:\*.bak
               cls

       Printout of config.sys:

               buffers=15
               device=d:\captor\ibmgpr.sys     /transient /group:output
               device=d:\captor\ibmega.sys     /transient /group:output
               device=d:\captor\ibmpro.sys     /transient /group:output
               device=d:\captor\hpplot.sys     /transient /group:output
               device=d:\captor\gsscgi.sys     /transient /group:output
               files=20

I ran SCAN with the disk lock on.  When I tried to run the program I could
hear that the disk was being accessed to write on it.  FLUSHOT verified this
assumption of mine.  With FLUSHOT I got the following message:

+=========================================================================+
|=====>Direct Disk write attempt by program other than DOS! <====         |
| Interrupt 40=> Drive: x Head: y Track: zzzzz Sector: zzzzz              |
| By program: a:/scanv/scan.exe                                           |
| Press "Y" to allow, "G" to go till exit, any other key to fail.         |
+=========================================================================+

I would appreciate any help on the same. If you have any questions please
do not hesitate to "call" on me.

Regards,

Zaki
________
|.------.| Zaki Alam, 146 Jewett Street, Newton, MA 02158
||  oo  || Internet:  [email protected]
|| '--' || Bitnet:    zalam%[email protected]
|'------'| UUCP:      [email protected]
|    === | Proline:   zalam@pro-angmar
|________| Telephone: (617) 527-7668 Res.  (617) 328-9215 Off.

------------------------------

Date:    Thu, 17 Oct 91 10:54:05 -0500
From:    [email protected]
Subject: New versions of SVC out in the wild! (PC)

Hi,

 I just received a new variant of SVC; it is labeled SVC 6.0!  I also talked
 to Dr. Alan Solomon and he has an SVC 5.0.  Both are out in the wild!
 These viruses are quite complicated and use advanced stealth techniques!
 Even more complicated and better than 4096.
 SVC 5.0 is some 3.5k.
 SVC 6.0 is 4644 bytes.
 These are the second most complicated viruses next to Whale.
 I am in the process of analysis....  More will follow.
 Chris


Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550  FAX
email: [email protected]

------------------------------

Date:    17 Oct 91 11:01:21 +0000
From:    [email protected] (Werner Icking)
Subject: Re: Version 84 of McAfee anti-virus programs now available (PC)

[email protected] (McAfee Associates) writes:

>I have uploaded to SIMTEL20 and Garbo:

And why do these files have different sizes on OAK.Oakland.edu (=SIMTEL) and
on Garbo?

>pd1:<msdos.trojan-pro>
>SCANV84.ZIP     Scans standalone and networked PC's for viruses
>CLEAN84.ZIP     Virus removal program for PC's, LAN's
>VSHLD84.ZIP     Infection-prevention TSR for PC's
>NETSCN84.ZIP    Scans network file servers for viruses

and in addition LIST *84* told me that there is WSCAN84B.ZIP.  It's a
Windows 3 version of SCAN, which causes problems when I install it on
my machines, because SCAN is badly named.  What does SCAN mean?  I have
a scanner on one of my machines, therefore I always renamed SCAN.EXE to
VIRUSCAN.EXE.  This does not work with the Windows version.  And I do
not understand why, because there is a SCAN.PIF in the
Windows directory which I modified so that it points to the renamed
VIRUSCAN.
--
Werner Icking          [email protected]          (+49 2241) 14-2443
Gesellschaft fuer Mathematik und Datenverarbeitung mbH (GMD)
Schloss Birlinghoven, P.O.Box 1240, D-5205 Sankt Augustin 1, FRGermany
                                 "Der Dativ ist dem Genitiv sein Tod."

------------------------------

Date:    Thu, 17 Oct 91 12:27:00
From:    "Axel Gutmann" <[email protected]>
Subject: Re:Alteration-Searcher for all files (PC)

>From:    Bob Babcock <[email protected]>

>(...)  What I would like for future use is a checksumming program
>which would look at all files on my hard disk and tell me which ones
>have changed without the time stamp changing.  Will any of the
>anti-virus programs do this?  The closest I've found is one which only
>looks at executable files.

There are two ShareWare checksumming programs named FICHECK/MFICHECK
that take the extensions of files to check as a command line argument
(wildcards o.k.). The version (4.0) I know of is a bit outdated (see
below) and I don't know if the company still exists.  Here are
Copyright notice and address of the company:

               (C)Copyright 1988, Gilmore Systems
                         Gilmore Systems
                          P.O. Box 3831
                  Beverly Hills, CA 90212-0831
                             U.S.A.
           Voice: (213) 275-8006   Data: (213) 276-5263

I can't tell You where to get them on the net because I got them on a
disk from a ShareWare-vendor two years ago.
If You can't reach Gilmore Systems or get the program from somewhere
else, I can try to send it to You UUencoded.

Bye                                                  Axel

************************************************************************
*Axel Gutmann, uh2m@DKAUNI2, Internet: [email protected]*
************************************************************************
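Bob Babcock's request, quoted both in Wolfgang Stiller's reply and in the one above, is for a tool that reports files whose contents changed while the time stamp did not.  The Python below is an added example, not PCdata, FICHECK or any other program named in this digest.  It records a baseline of size, modification time and SHA-256 for every file under a directory, compares a later snapshot against it, and separates "silent" changes (new digest, same size and time stamp) from ordinary edits.  The demo builds its own temporary directory and deliberately restores the old time stamp after overwriting one file, which reproduces the symptom Babcock describes without any crash.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each relative path under root to (size, mtime_ns, sha256).
    Paths use '/' regardless of platform so baselines compare cleanly."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (st.st_size, st.st_mtime_ns, file_digest(full))
    return result


def compare(baseline, current):
    """Classify differences between two snapshots.
    'silent' is the interesting bucket: contents changed, size and mtime did not."""
    report = {"silent": [], "modified": [], "added": [], "removed": []}
    for rel, (size, mtime, digest) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
            continue
        b_size, b_mtime, b_digest = baseline[rel]
        if digest != b_digest:
            if size == b_size and mtime == b_mtime:
                report["silent"].append(rel)
            else:
                report["modified"].append(rel)
    for rel in baseline:
        if rel not in current:
            report["removed"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Constructed scenario: baseline, then four kinds of change, then compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path

        cmd = write("DOS/COMMAND.COM", b"original command interpreter bytes")
        sheet = write("DATA/BUDGET.WK1", b"spreadsheet contents v1")
        write("DATA/NOTES.TXT", b"notes")
        baseline = snapshot(root)

        # Same-size in-place overwrite with the old time stamp put back:
        # exactly the damage pattern a time-stamp-only check misses.
        st = os.stat(cmd)
        with open(cmd, "r+b") as f:
            f.seek(0)
            f.write(b"XXXXXXXX")
        os.utime(cmd, ns=(st.st_atime_ns, st.st_mtime_ns))

        with open(sheet, "ab") as f:          # an ordinary edit: size and mtime move
            f.write(b" plus more rows")
        os.remove(os.path.join(root, "DATA", "NOTES.TXT"))
        write("DATA/NEW.TXT", b"new")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:9s} {names}")
```

As Stiller says of his own toolkit, a baseline is only as trustworthy as the system that produced it: take it after booting from a known-clean DOS disk, and store it somewhere the machine under test cannot quietly rewrite.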

------------------------------

Date:    Thu, 17 Oct 91 10:20:29 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: PC hardware vs software

I think we have about beaten this to death theoretically. My opinion
is that software is *enough* even though hardware is *more*. If I buy
a new PC, BIOS boot drive selection will be a requirement but I am not
going to retrofit my older ones.

>From:    Chris Stops <[email protected]>
>Subject: Virus Proof Machine ?

>Any comments  anyone?

Some good thoughts, but I believe that there are easier ways (Unix, for
instance) if you need that level of protection.  Personally, IMHO, disk
boot selection in hardware (e.g. Zenith, Compaq, Tandon BIOSes) plus a
good set of software permissions/controls would drop viral spread
below the critical point for MS-DOS machines.  If viruses stop
spreading, there would be little incentive for writing them.  Safe Hex
does not require abstinence, merely prudence.

In 1981, the TI 99/4 was a superior 16-bit system, but the lack of
flexibility doomed it in the marketplace, and this was before we had an
80,000,000 PC installed base.  Considering how well they were made, it
would not surprise me to see a significant number of 8088 and 80286
machines lasting into the next century.  Inertia is inevitable.  I also
have not yet seen many millionaire anti-virus vendors (if they are,
they hide it well).

>From:    "David.M.Chess" <[email protected]>
>Subject: re: More hardware!

>My suspicion (and, again, I'd love to be proven wrong in actual
>practice) is that software hasn't done more than it has primarily
>because it isn't widely-enough installed, *not* primarily because it's
>software rather than hardware...

Great minds think alike <grin>. Anyone care to guess what the effect
on STONED, JOSHI, etc. would be if everyone used my FREEWARE NoFBoot
program ?

                                       Padgett

PS: this Ultravision is neat - it has a 34 row mode that lets debug display
  an entire sector on one screen and is easier to read than the 43 row
  mode.  Good work is appreciated.

------------------------------

Date:    Thu, 17 Oct 91 16:07:00 +0000
From:    Sanford Sherizen <[email protected]>
Subject: Re: Anti-virus patent - David.M.Chess

David.M.Chess said

>I've just run across an interesting U.S. patent.  It's number
>4,975,950, granted to Stephen A. Lentz, entitled "System and Method of
>Protecting Integrity of Computer Data and Software".

If anyone is interested in contacting Steve Lentz, he can be reached
in Phoenix at (602) 274-8001.  He is the inventor of this very
interesting product and is working with Hal Becker (602) 841-0962, who
has been in information security for many years, as well as
heavyweight investors.  The product has gotten some good inside
reviews from companies and government agencies and is being looked at
quite seriously by several U.S. and international vendors.

For the record, I have helped Hal and Steve with strategic information
but have not had any financial stake or arrangement with them or their
company.

Ken De Cruyenaere said:

>That is the day after RTM launched the infamous internet worm.
>Coincidence ?

It was a coincidence since Steve had been working on this for quite a
while and the filing date had to do with the lawyers and their
timetable rather than RTM.

Sandy

******************
Sanford Sherizen
Data Security Systems, Inc.
5 Keane Terrace
Natick, MA 01760 USA
RESPOND VIA-------------------> MCI MAIL:   SSHERIZEN  (396-5782)
          -------------------> FAX:        (508) 879-0698
          -------------------> PHONE:      (508) 655-9888
******************

------------------------------

Date:    Thu, 17 Oct 91 19:19:00 +0000
From:    [email protected] (Peter H. Lemieux)
Subject: Re: STONED Virus - information please! (PC)

I don't have answers about SCAN, but I can tell you about the Stoned
virus.  It has been a persistent problem on our departmental computers
for about a year.  It propagates via the boot sector of a floppy disk.
If an infected floppy is inserted in the A: drive and the machine
booted, the virus will be transferred to the partition table of the
hard drive EVEN IF THE FLOPPY IS NOT A SYSTEM DISK!  An infected
floppy data disk will transmit the virus despite the fact that you get
a "nonsystem disk or disk error" message back from the BIOS.  I have
basically thrown out infected floppies whenever I find them rather
than using CLEAN for safety's sake, so I don't know about your
problems with the McAfee program.

Peter H. Lemieux
Dept of Political Science
MIT, Cambridge, MA 02139
[email protected]

------------------------------

Date:    Thu, 17 Oct 91 19:23:49 +0000
From:    [email protected] (Peter H. Lemieux)
Subject: Re: Help urgently needed for stoned virus (PC)

Okay, if you know what you're doing you can try this.  You need a copy
of Norton Utilities.  Use the explore disk function to examine
ABSOLUTE sector 1.  You should see the number 55 in the last byte of
the sector if your disk is Stoned.  The virus has copied the partition
information to absolute sector 7.  Using Norton copy ABSOLUTE sector 7
to ABSOLUTE sector 1.  That should solve the problem.

If you've never played around with a low level utility like Norton,
you'd best download a copy of McAfee's Viruscan package.  It's
available by FTP, though I'm not sure where.

Peter H. Lemieux
Dept of Political Science
MIT, Cambridge, MA 02139
[email protected]
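The recovery above rests on two facts the post states: Norton numbers the disk's first sector as absolute sector 1, and Stoned keeps a copy of the original partition sector at absolute sector 7.  The Python below is an added example, not Norton's or McAfee's code, and it works on a disk image file rather than a live drive.  It goes a little beyond the post's "copy 7 over 1" by checking first that sector 7 actually looks like a master boot record (the 55 AA signature at the end of the sector, at least one non-empty partition entry, sane bootable flags) and that its partition table matches the one in sector 1, so that a disk which was never Stoned is not overwritten with garbage.  The image is constructed in the block; the boot-code regions hold labelled placeholder text, not real boot code.

```python
SECTOR = 512       # bytes per sector
PT_OFFSET = 446    # partition table: four 16-byte entries
SIG_OFFSET = 510   # boot signature 55 AA occupies the last two bytes


def read_sector(image, n):
    """Absolute sector n, counted from 1 the way Norton's disk editor does."""
    return image[(n - 1) * SECTOR: n * SECTOR]


def has_boot_signature(sector):
    return sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def partition_entries(sector):
    """Decode the four partition-table entries into dicts."""
    entries = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        entries.append({"boot": e[0], "type": e[4],
                        "lba_start": int.from_bytes(e[8:12], "little"),
                        "sectors": int.from_bytes(e[12:16], "little")})
    return entries


def looks_like_mbr(sector):
    """Cheap plausibility test: signature present, a real partition, valid boot flags."""
    if len(sector) != SECTOR or not has_boot_signature(sector):
        return False
    ents = partition_entries(sector)
    return any(e["type"] != 0 for e in ents) and all(e["boot"] in (0x00, 0x80) for e in ents)


def diagnose(image):
    """Compare absolute sectors 1 and 7 the way the post describes."""
    s1, s7 = read_sector(image, 1), read_sector(image, 7)
    return {
        "sector1_signature": has_boot_signature(s1),
        "sector7_is_mbr": looks_like_mbr(s7),
        "partition_tables_match": s1[PT_OFFSET:SIG_OFFSET] == s7[PT_OFFSET:SIG_OFFSET],
        "boot_code_differs": s1[:PT_OFFSET] != s7[:PT_OFFSET],
    }


def can_restore(image):
    d = diagnose(image)
    return d["sector7_is_mbr"] and d["partition_tables_match"]


def restore_from_sector7(image):
    """Return a new image with sector 7 copied over sector 1, or refuse."""
    if not can_restore(image):
        raise ValueError("sector 7 does not hold a usable saved MBR; refusing to overwrite")
    return read_sector(image, 7) + image[SECTOR:]


def make_sample_image():
    """Constructed 8-sector image: sector 1 carries foreign boot code plus the
    partition table, sector 7 holds the saved original.  Placeholder text only."""
    table = bytearray(64)
    table[0] = 0x80                                   # entry 1: bootable
    table[4] = 0x06                                   # entry 1: type 06h (FAT16)
    table[8:12] = (63).to_bytes(4, "little")          # LBA start
    table[12:16] = (81900).to_bytes(4, "little")      # sector count, roughly 40 MB
    signature = b"\x55\xAA"
    original_code = b"PLACEHOLDER-ORIGINAL-DOS-BOOT-CODE".ljust(PT_OFFSET, b"\x00")
    foreign_code = b"PLACEHOLDER-FOREIGN-BOOT-CODE".ljust(PT_OFFSET, b"\x00")
    sector1 = foreign_code + bytes(table) + signature
    sector7 = original_code + bytes(table) + signature
    empty = bytes(SECTOR)
    return sector1 + empty * 5 + sector7 + empty


def make_clean_image():
    """Same layout with an empty sector 7: a disk that was never Stoned (constructed)."""
    img = make_sample_image()
    return img[:SECTOR] + bytes(len(img) - SECTOR)


if __name__ == "__main__":
    img = make_sample_image()
    print(diagnose(img))
    fixed = restore_from_sector7(img)
    print("sector 1 now starts with:", read_sector(fixed, 1)[:34])
```

Before doing this on a real machine, dump sector 1 somewhere safe first (one `dd`-style read of the first 512 bytes is enough) so the step can be undone, and remember that the sector-7 location is what the post reports for Stoned; other boot-sector viruses park the original elsewhere, which is exactly why the plausibility check refuses to copy blindly.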

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 194]
******************************************
