VIRUS-L Digest Monday, 28 Oct 1991 Volume 4 : Issue 199
Today's Topics:
VSHIELD.... (PC)
"Heavens no, I think thieves are terribly *irresponsible*!"
Michelangelo Virus (PC)
RAD: flagged by ZeroVirus III (Amiga)
Re: SVC 5.0 (PC)
RE: Measures
Info on Tequila virus (PC)
Is this a Mac Virus? (Mac)
Sneaky Multi-Partites (PC)
Protection for Desqview users (PC)
Re: New virus - advanced symptoms (PC)
Re: Version 84 of McAfee anti-virus programs now available (PC)
Re: Several subjects (PC)
Re: Pakistani/Ashar (PC)
Typo in Validation Data for NETSCAN V84 (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 22 Oct 91 18:38:58 -0500
From: [email protected] (Robert Yung)
Subject: VSHIELD.... (PC)
To anyone...hopefully the maker.
Does VSHIELD v84 work with Super PcKwik v2.X when VSHIELD is
loaded high?
In previous versions of Vshield, I needed about 110K UMB to load
it high. Now that it has the /LH switch, can I make do with less UMB
available prior to loading?
In the latest PC-MAG, it says that a device driver is better
against certain viruses that can run circles around TSRs. Why not make
Vshield a device driver? It certainly would have more memory to load
into when it is the first loaded (that is after the memory driver).
Robert 'Bobby' Yung      | That is about as effective as trying
[email protected]        | to melt an iceberg with a warm stream
"THE MACHINE!"           | of piss. -Armmstrong
------------------------------
Date: Tue, 22 Oct 91 17:13:32 -0700
From: [email protected] (Rob Slade)
Subject: "Heavens no, I think thieves are terribly *irresponsible*!"
From the "do they really mean that?" media file:
From the "Trend Newsletter", published by Trend Microdevices, makers
of PC-cillin antivirus package, September, 1991:
On the Federal Micro Show in August
"The popularity of computer viruses was evident since three other
antivirus software developers were [there] ..."
Just love them little varmints, don't you? :-)
=============
Vancouver Institute for Research into User Security    Canada V7K 2G6
[email protected] | [email protected] | CyberStore (Datapac 3020 8530 1030)
"Power users think 'Your PC is now Stoned' is part of the DOS copyright
line." R. Murnane
------------------------------
Date: Wed, 23 Oct 91 04:01:53 +0000
From: [email protected] (Stephen P. Gilmer)
Subject: Michelangelo Virus (PC)
I'm a student at Kalamazoo College who's been asked to find out any
information about the Michelangelo virus on PC's. Any and all
information on this virus would be helpful. Also, as a new subscriber
to this group, what virus detection program(s) is considered the best
for the PC? As I am extremely busy (midterm exams!), would you please
e-mail me direct at
[email protected]. Thanks in advance.
Steve Gilmer
[email protected]
------------------------------
Date: Tue, 22 Oct 91 19:49:49 -0400
From: [email protected]
Subject: RAD: flagged by ZeroVirus III (Amiga)
I have been having a problem with ZeroVirus III when I have a RAD:
device mounted. It gives me two warnings about KickTagPtr being
$7f7ff58 and KickMemPtr containing $7f7ff38. If I tell it to ignore
the results while I'm running the program, everything's fine.
However, if I iconify the program, the alerts return constantly, and I
cannot make them go away.
This is a bulletin for the author(s) of ZeroVirusIII to recognize and
repair this problem.
My system is an Amiga 3000, model 25/100, with 6 megs of Ram, and an 880k
rad: device in fast memory.
Rachel K. McGregor :
[email protected] : {tredysvr,uunet}!cellar!rogue
------------------------------
Date: Wed, 23 Oct 91 12:01:32 +0300
From: [email protected] (Dmitry O. Gryaznov)
Subject: Re: SVC 5.0 (PC)
Andrzej Kadlof <KADLOF AT PLEARN.BITNET> writes on Soviet SVC virus:
>only files on hard disk) and Create File (3C only on hard drive). I do
>not know for what reason the virus does not infect files if the file name
>contains the characters 'MM' or 'MB' (maybe protection of the author's software).
First of all, not 'MB' but 'BM' - the hexadecimal 16-bit constant 4D42
represents the 'BM' string - the bytes must be swapped. This trick IS a
protection of some software - namely COMMAND.COM, IBMBIO.COM and IBMDOS.COM
(the 'MM' in COMMAND, the 'BM' in IBMBIO and IBMDOS).
The SVC 3.1 virus checks file names for the 'AI' and 'SC' substrings -
the Soviet anti-virus AIDSTEST by Lozinsky and McAfee's SCAN. It doesn't
check for 'MM' and 'BM' however.
The next virus, SVC 4.0, checks for 'AI', 'SC', 'MM' and 'BM', and
SVC 5.0 checks only for 'MM' and 'BM'.
--
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
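Added example (editor's code, not from Dmitry Gryaznov's post and not code
taken from the SVC virus): a re-implementation of the file-name filter the
post describes, to show why an 8086 word constant of 4D42h matches 'BM' in
memory and not 'MB'. The constants and the per-version lists come from the
post; that the virus does a word compare at every offset of the name is an
assumption about how such a check is coded.

```python
# Added example, not from the original post: a re-implementation of the
# file-name filter the post attributes to the SVC family, to show why an
# 8086 word constant of 4D42h matches 'BM' and not 'MB'. The constants and
# the per-version lists come from the post; how the virus actually codes
# the compare is an assumption (a word compare at every offset of the name).
import struct
from typing import Dict, Tuple

# Word constants as an 8086 programmer writes them in the source. The CPU
# stores the low byte first, so 4D42h lands in memory as 42h 4Dh = 'B','M'.
WORD_BM = 0x4D42   # 'B' = 42h (low byte), 'M' = 4Dh (high byte)
WORD_MM = 0x4D4D
WORD_AI = 0x4941   # 'A' = 41h (low), 'I' = 49h (high)
WORD_SC = 0x4353   # 'S' = 53h (low), 'C' = 43h (high)

# Which constants each SVC version checks, per the post.
SVC_FILTERS: Dict[str, Tuple[int, ...]] = {
    "3.1": (WORD_AI, WORD_SC),
    "4.0": (WORD_AI, WORD_SC, WORD_MM, WORD_BM),
    "5.0": (WORD_MM, WORD_BM),
}


def word_in_memory(word: int) -> bytes:
    """Lay a 16-bit constant out the way the 8086 stores it (little-endian)."""
    return struct.pack("<H", word)


def name_has_word(name: str, word: int) -> bool:
    """Emulate 'cmp word ptr [si], imm16' at every offset of the upper-cased name."""
    raw = name.upper().encode("latin-1", errors="replace")
    needle = word_in_memory(word)
    return any(raw[i:i + 2] == needle for i in range(len(raw) - 1))


def svc_skips(version: str, name: str) -> bool:
    """True if this SVC version would leave the file alone."""
    return any(name_has_word(name, w) for w in SVC_FILTERS[version])


def skipped_by(name: str) -> Tuple[str, ...]:
    """Which of the listed versions protect this name; handy for a quick table."""
    return tuple(v for v in SVC_FILTERS if svc_skips(v, name))
```

Running skipped_by("IBMDOS.COM") gives ("4.0", "5.0") and skipped_by("SCAN.EXE")
gives ("3.1", "4.0"): the same constant that protects the system files in 5.0
is what makes the 'MB' reading in the quoted message a byte-order slip.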
------------------------------
Date: Wed, 23 Oct 91 15:53:37 -0400
From: Arthur Gutowski <[email protected]>
Subject: RE: Measures
A long time ago in a galaxy not too far from home, Fred Waller said:
> We weren't discussing idiot-proof measures. But the
> virus problem is not user-created, although a recent article by Mark
> Aitchison makes an extremely good point that public education must
> play a very important part in any attempt to solve it.
True, it is not user-created, but it is user- (and vendor-)
proliferated. I say this because vendors have yet to put sufficient
integrity management (both soft- and firmware) into PCs. I also say
this because the bulk of the users out there have not implemented even
a minimum of protection on their machines. Even a modicum of protection
could greatly reduce the current threat.
> Rather, my view is based on (Waller's) Pecking-order Metaphysics:
> (...details deleted...)
> So the "pecking order" is: 1. software; 2. hardware; 3. operator,
> ascending. (Above that, you have to resort to mythical or government
> forces... both yield unpredictable results).
> From (Waller's) Pecking-order Metaphysics, one readily derives the
> Waller Principle:
> "If You Really Want to Stop a Software Virus, Stop
> it with Hardware".
> and the Waller Afterthought:
> "Anything Else is Probably a Waste of Time and Effort, and
> May Actually Be Counterproductive".
Not necessarily so. As has been said before, and as points have been made
since, hardware and software communicate with humans, who are likely to
obey a percentage of the time. You're right, with operators
like that, who needs a virus? These people are more likely to cause
crashes *without* the help of a virus. But, with proper education, even
software can be used to effectively reduce the virus threat to a
livable minimum.
Hardware isn't absolutely necessary to solve the problem, if the OS
has enough smarts (though it is a stronger determinant than software,
in most cases). VM, MVS, and even Apple Systems, have more smarts
built into them than MESS-DOS. This is a factor that causes infection
numbers to look like they do. Also has to do with population and the
types of people that work on these other systems. That's not to say
that we'll never see an MVS virus, because it is quite possible, but
it's a lot less likely to happen.
> > ...who's to say that there won't come a day when we can create
> > (or encounter) infectious "beings"?)..
> We encounter them all the time, in the air we breathe, the water we
> drink, the food we eat and the things we touch. Zillions of them
> live within and on our bodies - permanently. As for creating new
> ones, we've done that, too.
The tongue-in-cheek reference to the hardware "mites" that infected
the Enterprise in TNG was merely to point out that even hardware
may, way in the future, not be invulnerable either. But let us
not worry about that now, and go on with the assumption that it is.
Tongue removed from cheek, I continue...
> I feel Peterson's post was extremely interesting and appropriate.
> The ideas presented there (and in several other articles of his)
> were the sort of thing that should be explored seeking more definite
> solutions to this problem. They should be pursued further.
Yes, they should. Hardware and software can be used together to
produce a more effective solution than hardware alone. As has been
pointed out before, we do have ignorant operators.
> NOBODY is proposing to make it impossible to share data. Such a
> suggestion was NEVER advanced by me. And the ideas I did mention
> were NOT equivalent to `not sharing data'. Stopping viruses by
> hardware means DOES NOT equal `stop the flow of data'. It does,
> however, restrict and regulate the *uncontrolled* flow of
> executables, which is the main thing that enables virus spread.
> (It may also restrict a kind of programming that's becoming very
> popular, but will not eliminate it; only a modification is needed).
That was the mistaken impression I got. I apologize.
The Holy Grail in this case is complete eradication. That is
unattainable, as long as people share data. Giving up on that,
we are left with a "reasonable minimum" of infections. This is
attainable. It is attainable through a combination of software,
hardware, and training. If we can bring these three elements together,
then we can achieve this goal.
> Of course it's easier to infect MS DOS systems (Can many users
> write to a mainframe executable or system file?). But another (not
> minor) consideration is that there are some 60 million MS DOS PCs
> out there. That's a market. Both viruses and antiviruses must
> perceive that fact. It's likely to be a main motivator.
> In both cases.
Yes, it is much easier to infect MS DOS than a mainframe, both for the
reasons stated above and the following. Mainframe OSes tend to keep their
operations secret, much like Apple does. But, that's not to say that
a good techie (like several we have around here), couldn't infiltrate
the OS with a virus. But global access to the OS or to all user files
isn't necessary either. All that is required is *some* access.
Consider this: User A has execute access to user B's program libraries.
User A's libraries have a program which contains a resident virus.
User A has run this program in his own address space, and managed to
spread the infection to all of his programs (because he has access to
all of his own stuff). User B executes A's program in his address space
and infects all of his stuff (again by normal accesses). Along comes C
who has execute access to B...beginning to get the picture? And
nobody had write access to anything but their own stuff. Granted,
this is difficult to do, but a good assembler programmer may know
enough about the assembler, the system, the link editor, etc., to
do such a deed.
> And a comment on etiquette:
> (...Stuff deleted...)
> People who are tired of repetition should have grown EXTREMELY
> tired of the virus/antivirus repetition. Currently, that's the
> grandmother of all repetitions.
Yes, I have grown tired of the virus/antivirus repetition. And I don't
mean to discourage discussion of topics on this forum. It is at times
very informational; it is at times *very* repetitive. I am merely
attempting to confront what you have admitted to as being sometimes-
confrontational postings. We are all concerned professionals here.
Etiquette should be a given on this (or any) forum. The bursting
flames, have, I think, subsided for the most part some time ago.
When addressing an issue of import confrontationally, one should
expect to see people who hold (even slightly) different views to react
with a degree of confrontation as well.
I apologize for the length and delay in posting, but through the
mounds of recent articles, of which I am about to contribute even more
mounds, I managed to miss Fred's response the first time through.
Warm (Indian Summer here in Michigan) Regards,
Art
[email protected]
Agutows@Waynest1
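Added example (editor's code, not part of Art Gutowski's post): a toy model
of the execute-only infection chain described above. The users and the
access relation are constructed for illustration; the one rule modelled is
the one in the post, that nobody can write to anyone else's libraries, but a
user who runs a program from an infected library in his own address space
gets every program he owns infected, and so becomes a source for anyone who
has execute access to him.

```python
# Added example, not from the post: a toy model of propagation over
# execute-only access. EXEC_ACCESS is a constructed sample; the rule is
# that a user infects only his own libraries, by running someone else's
# infected program in his own address space.
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample: 'B': {'A'} means B has execute access to A's libraries.
EXEC_ACCESS: Dict[str, Set[str]] = {
    "A": set(),
    "B": {"A"},
    "C": {"B"},
    "D": {"A", "C"},
    "E": set(),        # E runs only his own code
    "F": {"E"},        # F runs E's code, but E never gets infected
}


def invert(exec_access: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """owner -> users who execute programs from that owner's libraries."""
    readers: Dict[str, Set[str]] = {owner: set() for owner in exec_access}
    for user, owners in exec_access.items():
        for owner in owners:
            readers.setdefault(owner, set()).add(user)
    return readers


def spread(exec_access: Dict[str, Set[str]],
           patient_zero: str) -> Tuple[List[str], Dict[str, str]]:
    """Breadth-first infection: returns (order infected, who infected whom).

    Every hop is an execute edge only; no user ever needs write access to
    anyone else's files for the infection to reach the whole closure.
    """
    readers = invert(exec_access)
    infected_via: Dict[str, str] = {}
    order: List[str] = [patient_zero]
    queue = deque([patient_zero])
    while queue:
        source = queue.popleft()
        for user in sorted(readers.get(source, ())):
            if user == patient_zero or user in infected_via:
                continue
            infected_via[user] = source   # user ran source's infected program
            order.append(user)
            queue.append(user)
    return order, infected_via


def immune(exec_access: Dict[str, Set[str]], patient_zero: str) -> Set[str]:
    """Users whose libraries stay clean no matter how long the virus runs."""
    order, _ = spread(exec_access, patient_zero)
    return set(exec_access) - set(order)
```

With A as the origin the order comes out A, B, D, C, with C infected via B;
E and F stay clean because neither ever executes anything from the infected
closure. Adding a single execute edge from E to any infected user is enough
to pull both of them in.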
------------------------------
Date: Wed, 23 Oct 91 16:59:00 +0000
From: Nick Hilliard <[email protected]>
Subject: Info on Tequila virus (PC)
Hi,
Does anyone out there have any info on the Tequila virus, about how it
works, what it does to the hard disk partition and files? Things like
that? If you do, you might drop me a line at the address above.
Thanks,
Nick Hilliard.
------------------------------
Date: Wed, 23 Oct 91 23:30:00 +0000
From: "Albert M. Berg" <[email protected]>
Subject: Is this a Mac Virus? (Mac)
Has anyone had experience with:
A Mac virus that displays a dialog box containing the phrase
"HO HO HO" followed by assorted punctuation on the screen and
then seems to roach track 0 and/or delete files? Symantec's
Anti Virus does not seem to recognize this critter.
Mac viruses that will damage and/or delete on NetWare file
servers that the infected Mac is attached to via Novell's Mac
NLM? The NetWare server looks like a normal Mac volume to the
Mac, so if the Mac virus deletes the files using relatively
high level calls, this seems possible.
Any help on this would be *much* appreciated. Please email to me
directly - I'll summarize responses for the digest.
Thanks!
----------------------------------------------------------------------------
Al Berg |
[email protected]
NETLAN Inc. - 29 W 38th Street - NYC, NY 10018 | Phone 212/768-2273
No one else deserves the blame for my ravings. | Fax 212/768-2301
----------------------------------------------------------------------------
------------------------------
Date: Wed, 23 Oct 91 23:55:00 +0000
From: Joe Wells <[email protected]>
Subject: Sneaky Multi-Partites (PC)
Note to people analyzing the SVC 6.0 virus.
The virus is a multipartite. It will write to the hard drive partition
table. It modifies the table and DOS 5 (I was using) won't recognize
it as a valid drive. The rest of the virus code is written in the
sectors just after the table. On drives that use this area damage will
occur.
To aid in disassembly, a convenient jump table is found in the virus as shown
below.
JMP TABLE FROM THE SVC 6.0
(More viruses should have such aids to disassembly)
5893:01FB E96A0A JMP 0C68 ===> terminate
5893:01FE E9070A JMP 0C08 ===> write handle
5893:0201 E97403 JMP 0578 ===> exec (al=1 or 3)
5893:0204 E90006 JMP 0807 ===> close handle
5893:0207 E9CF05 JMP 07D9 ===> create file
5893:020A E9C000 JMP 02CD ===> exec
5893:020D E97205 JMP 0782 ===> open handle (from above)
5893:0210 E9C704 JMP 06DA ===> 1st/next FCB
5893:0213 E90F05 JMP 0725 ===> 1st/next handle
5893:0216 E9BF07 JMP 09D8 ===> set file ptr eof
5893:0219 E9F207 JMP 0A0E ===> open handle (from below)
5893:021C E94508 JMP 0A64 ===> read handle
5893:021F E97F0A JMP 0CA1 ===> get/set file time/date
5893:0222 C3 RET
5893:0223 E80300 CALL 0229 ===> called from 02D3 (exec)
5893:0226 EB22 JMP 024A
This table occurs in the virus's INT 21 handler.
Another multipartite that some researchers may want to look at again
is the 3445 virus. Most references fail to note its habit of infecting
the partition. The virus also contains an encrypted message from the
GRUPO HOLOKAUSTO in Spain. The message is similar but not identical to
the Telecom (holo) 1.
Joe Wells
Virus Specialist (deprogrammer)
Co-developer of NOVI by Certus
Certus International
216-752-8181
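Added example (editor's code, not part of Joe Wells's post and not code taken
from the virus): a small decoder that resolves the targets in the SVC 6.0
jump table above from the raw opcode bytes. The offset and byte columns are
copied from the listing; the decoder itself is generic for the three 8086
relative-branch encodings the table contains (E9 near JMP, E8 near CALL, EB
short JMP), so it reproduces every target in the listing and also handles
backward jumps, which the listing does not show.

```python
# Added example, not from the post: resolve 8086 relative-branch targets
# for the jump table quoted in the post. Table contents copied from the
# listing; the decoder is my own generic code, not the virus's.
from typing import List, Optional, Set, Tuple

# (offset within the code segment, opcode bytes) copied from the listing.
JUMP_TABLE: List[Tuple[int, str]] = [
    (0x01FB, "E96A0A"), (0x01FE, "E9070A"), (0x0201, "E97403"),
    (0x0204, "E90006"), (0x0207, "E9CF05"), (0x020A, "E9C000"),
    (0x020D, "E97205"), (0x0210, "E9C704"), (0x0213, "E90F05"),
    (0x0216, "E9BF07"), (0x0219, "E9F207"), (0x021C, "E94508"),
    (0x021F, "E97F0A"), (0x0222, "C3"),     (0x0223, "E80300"),
    (0x0226, "EB22"),
]


def decode_branch(offset: int, raw: bytes) -> Tuple[str, Optional[int], int]:
    """Return (mnemonic, target offset or None, instruction length).

    A relative branch is taken from the address of the *next* instruction,
    so a displacement d at offset o targets (o + length + d) mod 64K. The
    displacement is little-endian and signed (16-bit for E9/E8, 8-bit for
    EB), which is what makes backward jumps come out right.
    """
    op = raw[0]
    if op in (0xE9, 0xE8):
        disp = int.from_bytes(raw[1:3], "little", signed=True)
        return ("JMP" if op == 0xE9 else "CALL"), (offset + 3 + disp) & 0xFFFF, 3
    if op == 0xEB:
        disp = int.from_bytes(raw[1:2], "little", signed=True)
        return "JMP SHORT", (offset + 2 + disp) & 0xFFFF, 2
    if op == 0xC3:
        return "RET", None, 1
    raise ValueError(f"unhandled opcode {op:02X} at {offset:04X}")


def resolve_table(table: List[Tuple[int, str]] = JUMP_TABLE
                  ) -> List[Tuple[int, str, Optional[int]]]:
    """Decode every entry, checking that the entries sit back to back in memory."""
    out: List[Tuple[int, str, Optional[int]]] = []
    expected = table[0][0]
    for offset, hexbytes in table:
        if offset != expected:
            raise ValueError(f"gap or overlap at {offset:04X}, expected {expected:04X}")
        mnem, target, length = decode_branch(offset, bytes.fromhex(hexbytes))
        out.append((offset, mnem, target))
        expected = offset + length
    return out


def handler_entry_points(table: List[Tuple[int, str]] = JUMP_TABLE) -> Set[int]:
    """Distinct code offsets the table dispatches to: the INT 21h sub-handlers."""
    return {target for _, _, target in resolve_table(table) if target is not None}


if __name__ == "__main__":
    for offset, mnem, target in resolve_table():
        tgt = "" if target is None else f"{target:04X}"
        print(f"{offset:04X}  {mnem:<9} {tgt}")
```

The back-to-back check in resolve_table is worth keeping when transcribing a
table like this by hand: a single dropped byte shifts every later offset and
every later target, and the listing gives no other way to notice it.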
------------------------------
Date: Wed, 23 Oct 91 21:29:15 -0400
From: Allan Heinicke <[email protected]>
Subject: Protection for Desqview users (PC)
Do the standard TSR virus-protection schemes (F-Prot, Vshield, Central
Point's anti-virus for example) work inside a DOS window if one is
operating under Desqview?
I ask this because I had F-Prot installed (at bootup) as a TSR. When
I ran the program F-test (from ver 1.16 of F-prot) before invoking
Desqview I got the `access denied' message as I should, but when I ran
Desqview, opened a Dos window, and ran F-test, the message that came
back was that the TSR was not installed or not working. This applied
to VIRSTOP from v2 as well.
I looked at the documentation for VSHIELD, F-prot and Central Point
but didn't see any mention of behaviour under DV. Nor have I seen any
comments on this point in comp.virus.
------------------------------
Date: Wed, 23 Oct 91 22:48:03 +0300
From: [email protected] (Dmitry O. Gryaznov)
Subject: Re: New virus - advanced symptoms (PC)
[email protected] (Vesselin Bontchev) writes:
> [email protected] (Shulman Ilya A.) writes:
>
>> No, I mean that it is very simple to identify whether the virus is present
>> when it is active :-)
>
>What symptoms did you have in mind exactly? This one is pretty
>stealthy...
Insert write protected diskette into drive A: and try to delete a
file from it - DOS won't report "Write protect" error.
>> Yep. Two times I found the virus on the hard disk in clusters 714 and
>> 2371 (I can't remember these numbers exactly), which are the last
>> clusters on the 5" 1.2Mb and 3.5" 730Kb diskettes respectively. I can't
>> explain why these were the last clusters and not the next-to-last, but it
>> was so. Also I know of other abnormal effects when the virus infects a disk
>> but doesn't write itself to the last cluster. Maybe it is an error
>> too, but anti-virus developers _HAVE TO_ know this.
>
>Maybe this refers to the COMPAQ DOS 3.31 situation that was described
>by Dimitri Gryaznov?
The situation described by me refers only to hard disk partitions
larger than 32Mb. I've also observed two strange situations with
floppies. In the first case, on a 5.25" 720Kb (formatted using software
similar to 800.COM) floppy all executable files were cross-linked to
the proper clusters (two-clusters chain, the last being marked as
0FFEH) but those did *NOT* contain the virus. In the second case a normal
360Kb floppy was infected properly but it wasn't possible to restore
affected files since their real start clusters (being decrypted) were
also cross-linked to the cluster appropriate for 720Kb floppy.
--
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
------------------------------
Date: Thu, 24 Oct 91 00:04:56 +0300
From: [email protected] (Dmitry O. Gryaznov)
Subject: Re: Version 84 of McAfee anti-virus programs now available (PC)
>For those of you without FTP:
>I have downloaded and uuencoded SCANV84.ZIP, CLEAN84.ZIP, VSHLD84.ZIP, and
>NETSCN84.ZIP. I would be happy to e-mail them to anybody who wants them.
>
> --Barry ([email protected])
>Occidental College Computer Center
You can also send an E-mail to
[email protected] with a subject
being 'garbo-request':
..
Subject: garbo-request
send pc/virus/scan84.zip
send pc/virus/clean84.zip
< etc. >
quit
--
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
------------------------------
Date: Thu, 24 Oct 91 00:11:58 +0300
From: [email protected] (Dmitry O. Gryaznov)
Subject: Re: Several subjects (PC)
[email protected] (Vesselin Bontchev) writes:
> [email protected] (Fridrik Skulason) writes:
>
>> ...
>
>> The release of version 2.01 has been delayed by a week, so I can add
>> 60 (or so) new viruses from Poland.
>
>There are a few interesting ones, aren't they? BTW, they are not only
>from Poland; most of the new ones are from the Soviet Union
>(Andrzej?). Which reminds me that the hackers out there are quickly
>catching up after the Bulgarian ones... :-(
My latest acquisition is something like 100 new viruses, most of them
Soviet... New Soviet threat, eh?
--
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
------------------------------
Date: Wed, 23 Oct 91 23:57:38 +0300
From: [email protected] (Dmitry O. Gryaznov)
Subject: Re: Pakistani/Ashar (PC)
Mario Guerra <[email protected]> writes:
>One machine in my university (a PS/30 with a Seagate 30 MB disk) was
>infected with the Pakistani Brain/Ashar virus (according to Viruscan 84).
>If I run Viruscan from a clean disk it does not detect the virus, but if
>I boot from the hard disk, the same program says it is in memory.
>
>I have tried everything: a Sys, running Norton 6.0 Disktool, using DE
>for writing a new boot sector from other machine with a similar hard disk,
>rewriting the partition table (once again, from a similar disk), etc.
It seems to be a false positive since Pakistani Brain/Ashar does not
infect hard disk at all - only floppies...
--
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
------------------------------
Date: Sat, 26 Oct 91 00:00:37 -0700
From: [email protected] (McAfee Associates)
Subject: Typo in Validation Data for NETSCAN V84 (PC)
Hello,
It has been reported to me (by several people!) that I made a mistake in
posting the filesize for Version 84 of NETSCAN.EXE. The correct size is
50,347 bytes, not 50,345. My apologies for any alarm.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
PS: I promise to wear my glasses when typing from now on! :-)
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 199]
******************************************