VIRUS-L Digest Friday, 15 Nov 1991 Volume 4 : Issue 220
Today's Topics:
1701 and DATALOCK in the same hit (PC)
Re: Format problem (PC)
Re: UNIX anti-virus program (UNIX)
Re: Subjects
Disinfectant (Mac)
Windows & viruses (PC)
Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)
Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)
followup on hardware-destructive virus found in Canada -- from Fido (PC)
AirCop virus in boot sector (PC)
virus scanner on UNIX? (PC) (UNIX)
IBM-PC Virus Protection Software (PC)
File checking - 1
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 13 Nov 91 08:18:53 -0800
From: [email protected]
Subject: 1701 and DATALOCK in the same hit (PC)
A report from our domain, in El Segundo, that I've obtained permission to echo
out:
"
- -=-=
The symptoms we experienced with the virus were:
The desired software would run correctly immediately after
installation, but never again. The failures included system lock-ups,
or simply dropping back into DOS with no messages. Some programs
would display the message "overlay not found" prior to dropping back
to DOS. The programs included Windows 3.0, and the Genoa CET package.
At least one program (an .EXE) grew by 920 bytes during its first
execution after re-installation. I viewed the .EXE file with the
debugger out of curiosity, and noticed a string "DataLock version 1.0",
but it meant nothing to me at the time. I assumed it was part of a
copy protection mechanism. However, after we ran SCAN we discovered
that there is a virus called DataLock, and we had it. In addition,
one of our machines had both the DataLock virus, and another called
1701.
After running CLEAN, everything is back to normal. What a frustrating
experience this has been. I never suspected a virus, and assumed I
had a problem in my machine/DOS configuration.
Finally, we haven't determined the source of these viruses. We
believe they were imported by authorized users running unauthorized
(read "games") software. We are running SCAN over all our
installation floppies.
"Eternal vigilance is the price of freedom"
--Ian
=-=-=-=
.... including viruses, seemingly.
ENF
------------------------------
Date: Wed, 13 Nov 91 18:49:07 +0100
From: [email protected]
Subject: Re: Format problem (PC)
This is not so difficult. Your main problem is that the configuration
of your BIOS is wrong. So you should use a setup program to change
these settings to the ones it should be. Instead of a floppy of 1.44Mb
you'll have a 1.2Mb in the BIOS.
Erik.
------------------------------
Date: Wed, 13 Nov 91 18:18:07 +0000
From: [email protected] (Brian D. Howard (CS))
Subject: Re: UNIX anti-virus program (UNIX)
[email protected] (Tommy Pedersen) writes:
>I wrote:
>>[email protected] (Brian Schieber) writes:
>>>I'm looking for sources for virus checking for UNIX boxes. What's available?
>>TCell is a commercial UNIX virus checking program that the company I
>>work for has developed. It uses cryptographic checksums to check for
>>unexpected changes in the file system. Contact me and I'll tell you
>>more about it.
>
>[email protected] (Peter da Silva) writes:
>>Are there any viruses on UNIX to actually *check* for?
>
>[email protected] (Brian D. Howard (CS)) writes:
>>No. But that never stopped nobody from selling.
>No, there are no viruses to check for on UNIX systems around today ...
Not to be snide (means I am so being) but it's fair to say then that
you are selling something that would detect something *If* in fact
that something actually existed when in fact it does not?
I have a program that will test and determine if your UNIX machine has
been possessed by the Devil himself. I will sell it to anyone that
wants it. The WEEKLY WORLD NEWS contains a report of an *actual*
daemonic possession at a bank in Chile so you can read about the
dangers thereof.
- --
Dallas,TX "Where we shoot Presidents and shoot people who shoot Presidents."
------------------------------
Date: Wed, 13 Nov 91 18:24:14 +0000
From: [email protected] (Brian D. Howard (CS))
Subject: Re: Subjects
[email protected] (Fred Waller) writes:
>Complains Dr. Chess:
> > I notice you always seem to change the Subject: line
> > when replying to a posting. Is that intentional?
> Mostly, yes - but not ill-intentioned. By the time I start
> composing a reply, some part of its theme is already clear in
> my mind, and I tend to use that as the subject.
> ...
> I'll try to do better, though. :-)
Many of us may use the subject line as the means of placing the text
in a database, hence if changed the relevant text goes more than one
place. Not difficult to handle, merely irritating.
- --
Dallas,TX "Where we shoot Presidents and shoot people who shoot Presidents."
------------------------------
Date: Wed, 13 Nov 91 12:43:00 -0600
From: [email protected]
Subject: Disinfectant (Mac)
In response to the people...
I did use Disinfectant v1. something. It took it out, but I had to
track down a new version of System 6. All I had was 6.0.2 and
HyperCard 1.6.5 wouldn't run under it, so I needed to find something
else so that it would work.
I have NEVER seen a virus for the Commodore (Many people remark "Who'd
waste the time?") 64/128. I am running system 6 without Multi-finder
because I know of the difficulties under many applications I have of
it running. I only have 2.5 Megs in this SE.
I thank everyone who suggested keeping the Disinfectant INIT. I did,
but it was erased. And unfortunately my roommate (and his non-ethical
ways) got it infected the next time he used it... I am just curious as
to how many Macintosh viruses are currently roaming around, and also,
I have just recently acquired a COMPAQ and I am interested in how many
and if there are any IBM Public Domain Anti-Virus utilities...
ParaPsykotically Yours,
Tony
[email protected]
------------------------------
Date: Wed, 13 Nov 91 16:35:00 -0400
From: [email protected]
Subject: Windows & viruses (PC)
Is there a virus scanner available which is written
specifically for Windows?
The reason I ask is because VIRUSCAN appears to skip right
over any Windows .EXEs (either that or it only checks the short DOS
headers).
Last, have there been any reports of viruses written only for
Windows?
- --
Steve Madsen ! Internet: [email protected] (preferred)
Miami University ! [email protected]
Oxford, Ohio !
And now for something completely different.
------------------------------
Date: Wed, 13 Nov 91 19:21:00 -0500
From: Russell Billings <REBILL02%ULKYVX.BITNET%
[email protected]
eley.EDU>
Subject: Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)
Looking at the characters that are getting replaced in your system,
and the replacement characters, it looks like you have a hardware
failure somewhere on your data bus. The characters that are being
changed are starting out as ASCII values 0x5B, 0x5C, and 0x5D and are
ending up as the values 0x7B, 0x7C, and 0x7D. If the 0x20 data bus
line went high when it should not have, you would get this kind of
change in your data.
Assuming that the ^? characters in your .h files were NUL characters
(ASCII 0x00), then if the 0x20 data line dropped low during the
transmission of blank spaces (ASCII 0x20), those characters would turn
into NULs.
Hope this helps!
Russell E. Billings
University of Louisville, Louisville, Ky
- --
BITNET:
[email protected] UUCP: ...psuvax1!ulkyvx.bitnet!rebill02
------------------------------
Date: Thu, 14 Nov 91 10:11:23 +0000
From: [email protected] (Janet Jackson)
Subject: Re: First SPARC Virus? (Character Replacement Within Files) (UNIX)
[email protected] (L Testerville) describes { being replaced by [, } by ] and \ by | in various
Unix files.
[, \ and ] are consecutive in ASCII, and { | and } are all 32 (decimal)
above the characters they're replacing. Sounds like misguided upper to
lower case conversion.
The only thing I can think of (other than a virus) that might randomly
do this to various files throughout the system is a bug in the backup/restore
software. Unfortunately the poster doesn't say what he or she is using.
Janet Jackson
([email protected])
Department of Computer Science
The University of Western Australia
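The two replies above give different explanations for the same byte pattern: a transient fault on the 0x20 data line, or a misguided case conversion. Both produce bytes that differ from the original by exactly bit 5, so the XOR mask alone cannot separate them; what can is which bytes were hit. A data-line fault changes whatever passes through in the bad moment (uppercase letters, newlines, NULs, spaces), while a case-mapping bug touches only the characters it was written for. The following check is an added example, not code from either poster; the "known good" file and the three corrupted copies are constructed for the demonstration.

```python
"""Tell a stuck data line from a bad case-mapping pass (added example).

Given a known-good copy and a suspect copy of the same file, report the
XOR masks of the changed bytes and which original bytes were affected,
then draw the conclusion the two replies above reason towards.
"""
from collections import Counter

BIT5 = 0x20  # the data line / case bit both replies point at


def byte_diffs(good, bad):
    """(offset, original, replacement) for every byte that differs."""
    if len(good) != len(bad):
        raise ValueError("lengths differ: not an in-place byte corruption")
    return [(i, g, b) for i, (g, b) in enumerate(zip(good, bad)) if g != b]


def classify(good, bad, bit=BIT5):
    diffs = byte_diffs(good, bad)
    masks = Counter(g ^ b for _, g, b in diffs)
    single_bit = bool(diffs) and set(masks) == {bit}
    affected = bytes(sorted({g for _, g, _ in diffs}))
    return {
        "changed": len(diffs),
        "masks": dict(masks),
        "single_bit": single_bit,
        # every replacement has the bit set: the line was forced high
        "went_high": single_bit and all(b & bit for _, _, b in diffs),
        # every replacement has the bit clear: the line was forced low
        "went_low": single_bit and not any(b & bit for _, _, b in diffs),
        # only [ \ ] were touched, as a bracket-specific remap would do
        "only_brackets": bool(diffs) and set(affected) <= set(b"[\\]"),
        "affected_originals": affected,
    }


def verdict(report):
    if report["changed"] == 0:
        return "identical"
    if not report["single_bit"]:
        return "mixed masks: not a single-bit fault, look elsewhere"
    if report["only_brackets"]:
        return "only [ \\ ] remapped: suspect a case-mapping pass (backup/restore, tr), not the bus"
    if report["went_high"]:
        return "bit 5 forced high on unrelated bytes: suspect a data line or memory"
    if report["went_low"]:
        return "bit 5 forced low (e.g. spaces became NULs): suspect a data line or memory"
    return "bit 5 flipped both ways: suspect a data line or memory"


# Constructed sample: a fragment of a C header, then three corruptions of it.
GOOD = b"#define TAB 4\nint tab[4] = {0, 1};\nchar *p = \"C:\\\\tmp\";\nif (x[i]) { y = z | w; }\n"
# (a) a remap that hits only [ \ ] -> { | }
BAD_TR = GOOD.translate(bytes.maketrans(b"[\\]", b"{|}"))
# (b) bit 5 forced high for the first 16 bytes: 'T','A','B' and '\n' change too
BAD_BUS = bytes(c | BIT5 if i < 16 else c for i, c in enumerate(GOOD))
# (c) bit 5 forced low in a window: spaces (0x20) become NUL (0x00)
BAD_LOW = bytes(0 if 16 <= i < 40 and c == 0x20 else c for i, c in enumerate(GOOD))

if __name__ == "__main__":
    for name, bad in (("remap", BAD_TR), ("line high", BAD_BUS), ("line low", BAD_LOW)):
        r = classify(GOOD, bad)
        print(f"{name:10s} changed={r['changed']} hit={r['affected_originals']!r}: {verdict(r)}")
```

Run it against a file from a backup or a pristine distribution medium and the copy on the affected system; if the affected originals include anything other than the three brackets, the backup/restore explanation is out and the hardware one stays in.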
------------------------------
Date: Thu, 14 Nov 91 08:05:00 -0500
From: [email protected]
Subject: followup on hardware-destructive virus found in Canada -- from Fido (PC)
Hi. Following is a follow-up about the hardware-destructive virus found in
Canada. This is a forwarded excerpt from the FIDO VIRUS echomail conference.
- --- begin forwarded message --
To: Antony Purvis Message #: 3426 1123 <Thread
From: Todd Burgess Submitted: 12 Nov 91 16:36:00
Subject: Destruction! Status: Public
Received: No Group: VIRUS (30)
> Anyone got any comments? Newsbytes isn't exactly the
> most reliable of
> agencies, it must be said. (No disrespect to them)
I live in Canada and Queens University isn't all that far from where I
live... If it was a variant of the 1575 I wouldn't be surprised
because the 1575 can be found all over Southern Ontario. I should
know because I get hit by the 1575. Now who wrote it is speculation.
I know we have a group called Rabid but they release their viruses
through the BBSes. It could be a rebel student who modified the code.
- -Todd-
- --- FD 1.99c
* Origin: Virus Awareness Group - Whitby Ont. (1:229/420.16)
- ----- end forwarded message --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: 14 Nov 91 16:30:38 +0000
From: Tom Killalea <[email protected]>
Subject: AirCop virus in boot sector (PC)
We have a number of hard-diskless (to avoid virus infection) PC labs
which students boot from floppies. Previous viruses such as stoned,
cascade, form, 170x etc. have caused considerable inconvenience, but
we're currently besieged by AirCop and I'm reaching for the valium.
It causes FPROT 2.01 to hang, while FPROT 1.15 (f-disinf) occasionally
says it's cured (only it never is) or else returns "error reading
boot sector".
CLEAN 7.9v84 says "Virus cannot be safely removed from boot sector".
DOS\SYS says "Not able to SYS to .3L File System"
(That's a superscripted L, and is the same for all floppies.)
Needless to say, any help would be appreciated. If you think this is
a new strain then I can archive or mail samples to the appropriate
bodies.
Thanks,
Tom.
- --
Tom Killalea | 011 353 1 702 2165 | Trinity College | [email protected]
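The SYS failure above is what you get when the BIOS Parameter Block in the first sector no longer describes the floppy: a boot-sector infector writes its own loader over sector 0, and if it does not preserve the BPB fields, DOS reads nonsense (a garbage OEM name, an impossible bytes-per-sector value) and refuses to work. Before deciding whether a sector is a new strain or just a damaged one, it is worth checking the fields that every FAT boot sector must satisfy. The checker below is an added example, not something from the poster or from F-PROT/CLEAN; both sample sectors are constructed, one as a plausible 1.44M DOS layout and the other with a loader body written straight over its BPB.

```python
"""Sanity-check a floppy boot sector's BIOS Parameter Block (added example).

parse_bpb() decodes bytes 11..35 of a 512-byte sector; check_boot_sector()
returns a list of human-readable problems, empty for a sane sector.
"""
import struct

BPB_FORMAT = "<HBHBHHBHHHII"  # bytes 11..35 of the sector, little-endian
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors16", "media",
              "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors32")


def parse_bpb(sector):
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))
    bpb["jump"] = sector[0:3]          # JMP to the loader code
    bpb["oem_name"] = sector[3:11]     # 8 printable characters, e.g. MSDOS5.0
    bpb["signature"] = sector[510:512]  # 55 AA
    return bpb


def check_boot_sector(sector):
    b = parse_bpb(sector)
    problems = []
    if b["jump"][0] not in (0xEB, 0xE9):
        problems.append("jump: first byte %#04x is not a short/near JMP" % b["jump"][0])
    if not all(0x20 <= c < 0x7F for c in b["oem_name"]):
        problems.append("oem_name: contains non-printable bytes %r" % b["oem_name"])
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector: %d is not a valid sector size" % b["bytes_per_sector"])
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append("sectors_per_cluster: %d is not a power of two in 1..128" % spc)
    if b["reserved_sectors"] == 0:
        problems.append("reserved_sectors: must be at least 1 (the boot sector itself)")
    if b["num_fats"] not in (1, 2):
        problems.append("num_fats: %d (expected 1 or 2)" % b["num_fats"])
    if b["bytes_per_sector"] and (b["root_entries"] * 32) % b["bytes_per_sector"]:
        problems.append("root_entries: %d does not fill whole sectors" % b["root_entries"])
    if b["total_sectors16"] == 0 and b["total_sectors32"] == 0:
        problems.append("total_sectors: both 16- and 32-bit counts are zero")
    if b["media"] not in (0xF0,) + tuple(range(0xF8, 0x100)):
        problems.append("media: %#04x is not a valid media descriptor" % b["media"])
    if b["signature"] != b"\x55\xAA":
        problems.append("signature: last two bytes are %r, not 55 AA" % b["signature"])
    return problems


def good_sector():
    """Constructed: a 1.44M floppy layout (512 B/sector, 2880 sectors, 2 FATs)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"
    s[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, s, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def infected_sector():
    """Constructed: loader bytes written over 3..35, as a virus that keeps no
    copy of the BPB would leave them (not a sample of any real virus)."""
    s = bytearray(good_sector())
    s[3:36] = bytes.fromhex("2EFA33C08ED0BC007CFBE800005E81EE0300B800008ED88EC0B90002BE007CBF00")
    return bytes(s)


if __name__ == "__main__":
    for name, sec in (("good", good_sector()), ("overwritten", infected_sector())):
        print(name, check_boot_sector(sec) or "OK")
```

To use it on a real diskette, read the first 512 bytes of the raw device (on a UNIX host, `dd if=/dev/fd0 bs=512 count=1`) and pass them to check_boot_sector(); a sector that fails several of these checks is not something SYS can repair in place, which is consistent with the CLEAN message quoted above.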
------------------------------
Date: Thu, 14 Nov 91 13:26:50 -0500
From: [email protected] (Jim Clarke)
Subject: virus scanner on UNIX? (PC) (UNIX)
The subject of this note is not "UNIX virus scanner" but "virus scanner
on UNIX"--and with a question mark.
In the November issue of the IEEE "Computer" magazine, page 87, a
review of IBM's Aix 3.1.5, a version of UNIX, mentions that the system
comes with "a 'virscan' command [that] can scan files and detect bit
patterns that match known (DOS-based) viruses." I take it that this is
IBM's standard DOS "VIRSCAN", and that it is not intended to detect
UNIX viruses, of which we've been hearing there aren't any.
Is this worth doing?--that is, do DOS users frequently have DOS
programs in scannable form on UNIX machines? As a Mac user, I often
have Mac programs stored as UNIX files, but in binhexed form and
consequently unscannable.
Or does IBM distribute "virscan" with Aix just because it's there?
(While you're looking at the magazine, check the bottom of the next
page, where a reviewer of an alternative version of DOS has an "oops!
dear, dear" reaction to finding the Stoned virus on his machine. It's
frightening that a user competent enough to be asked to write a review
would be so unaware his machine was infected.)
- --
Jim Clarke -- Dept. of Computer Science, Univ. of Toronto, Canada M5S 1A4
[email protected] or [email protected] // (416) 978-4058
------------------------------
Date: Thu, 14 Nov 91 20:36:52 +0000
From: [email protected] (bryan chaney)
Subject: IBM-PC Virus Protection Software (PC)
I am looking for virus protection software. McAFEE looks like the top
of the line. Does anyone know of anything comparable in service but
cheaper?
Bryan
------------------------------
Date: Wed, 13 Nov 91 21:59:29 -0800
From: [email protected] (Rob Slade)
Subject: File checking - 1
FUNGEN7.CVP 911113
File checking
Most file infecting viral programs can be checked for quite
simply, and without any special programs or equipment.
Provided, that is, that the computer user will pay the most
minimal attention to the system, and take the most basic
precautions.
The simplest form of antivirus detection "equipment" is a list
of all the programs to be run on the computer, with the size and
"last changed date" for each. (The list for "resource" based
systems such as the Macintosh will, of necessity, be somewhat
larger, and must include all "code" resources on the disk.)
With some few (albeit important) exceptions, programs should
never change their size or file date. Any changes that are
made, should be at the request of the user, and thus easy enough
to spot as exceptions.
While "stealth" technology of various types has been applied to
viral programs, the most common (and successful) viri, to the
date of this writing, have not used it. Most change the size of
the file, and generally do it in such a standardized fashion
that the "infective length" of the virus is often used as an
identification of the specific viral program. The file date is
changed less often, but is sometimes deliberately "used" by the
virus as an indicator to prevent reinfection. (One used the
value of "31" in the seconds field, which is presumably why the
later 1.xx versions of F-PROT all had dates ending in 31.
Another used the "impossible" value of 62.)
Even when stealth techniques are used, they generally require
that the virus itself be running for the measures to be
effective. We thus come to the second piece of antiviral
equipment; the often cited "known clean boot disk". This is a
bootable system (floppy) disk, created under "sterile"
conditions and known to be free of any viral program infection,
and write protected so as to be free from possible future
contamination. When the computer is "booted" from this disk,
the hard disk boot sector and system areas can be bypassed so as
to prevent "stealth" programs from passing "false data" about
the state of the system.
Viral protection can thus start with these simple, and
non-technical provisions. Starting with a known-clean system,
the list can be checked regularly for any discrepancies. The
"clean disk" can be used to "cold boot" the system before these
checks for added security. Checks should be performed before
and after any changes made to software, such as upgrades or new
programs.
Security does not, of course, end here. This is only a very
simple first line of defence.
copyright Robert M. Slade, 1991 FUNGEN7.CVP 911113
=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
[email protected] | [email protected] | CyberStore (Datapac 3020 8530 1030)
"Power users think 'Your PC is now Stoned' is part of the DOS copyright line." R. Murnane
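The list Slade describes (size and last-changed date of every program), extended with a cryptographic checksum of the kind the TCell post in this issue refers to, is a few dozen lines of script. The size-and-date list catches the common case (the 920-byte growth reported at the top of this issue); the hash catches a change that preserves both, which a virus that resets the file date can produce. This is an added example, not Slade's or anyone else's tool; the directory, file names and contents in demo() are constructed. It should be run from a known-clean boot, for the reason given above: a resident stealth virus can lie about sizes and contents to any program that asks while it is running.

```python
"""Baseline-and-compare check for program files (added example).

snapshot() records size, mtime and SHA-256 of every program file under a
directory; compare() reports what changed between two snapshots.
dos_time_is_impossible() checks a raw DOS 16-bit time word for the
out-of-range seconds values mentioned above.
"""
import hashlib
import os
import tempfile

PROGRAM_EXTS = (".exe", ".com", ".sys", ".ovl")


def sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {size, mtime, sha256} for program files under root."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PROGRAM_EXTS):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(path),
            }
    return entries


def compare(baseline, current):
    """Classify changes; content_only is the case a size/date list misses."""
    report = {"added": [], "removed": [], "size": [], "date": [], "content_only": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
            continue
        if new is None:
            report["removed"].append(rel)
            continue
        if old["size"] != new["size"]:
            report["size"].append((rel, new["size"] - old["size"]))
        if old["mtime"] != new["mtime"]:
            report["date"].append(rel)
        if (old["sha256"] != new["sha256"] and old["size"] == new["size"]
                and old["mtime"] == new["mtime"]):
            report["content_only"].append(rel)
    return report


def dos_time_is_impossible(dos_time_word):
    """DOS keeps seconds/2 in bits 0-4 of its 16-bit time word, so raw field
    values 30 and 31 decode to 60 and 62 seconds, which no clock produces."""
    return (dos_time_word & 0x1F) * 2 >= 60


def demo():
    """Constructed scenario: take a baseline, then alter two files two ways."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("setup.exe", b"MZ" + b"A" * 2000),
                           ("cet.exe", b"MZ" + b"B" * 3000),
                           ("readme.txt", b"not a program, not listed")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)
        # 1) grows by 920 bytes: the size list alone catches this
        with open(os.path.join(root, "setup.exe"), "ab") as f:
            f.write(b"V" * 920)
        # 2) same size, date put back afterwards: only the hash notices
        path = os.path.join(root, "cet.exe")
        st = os.stat(path)
        with open(path, "r+b") as f:
            f.seek(100)
            f.write(b"XXXX")
        os.utime(path, (st.st_atime, st.st_mtime))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
    print("seconds field 31 impossible:", dos_time_is_impossible(0x001F))
```

In practice the baseline is written to a file kept on the write-protected clean disk (or off the machine), and the comparison is run after a cold boot from that disk, before and after every software change, as the text above recommends.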
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 220]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253