VIRUS-L Digest Thursday, 21 Nov 1991 Volume 4 : Issue 223
Today's Topics:
Re: System 7 vs. viruses (Mac)
Do I have a virus or a hardware fault (PC)
Re: Hardware...
Re: Norton SI 6.01 and Cascade? (PC)
"Stealth" Viruses (4096 in particular) (PC)
Liberty virus (PC)
Re: Norton SI 6.01 and Cascade? (PC)
Re: Generic scanning - a small test (PC)
Re: Stoned on 3.5" disks / "1590" virus (PC)
Dir-II at Rutgers University (USA) (PC)
virus ? (PC)
Re: System 7 vs. viruses (Mac)
Strange symptoms include COMMAND.COM disappearing (PC)
Jerusalem Virus Questions (PC)
Mark Washburn (was: Hardware? How about software...?)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Sun, 17 Nov 91 06:03:50 +0000
>From:
[email protected] (Albert Lunde)
Subject: Re: System 7 vs. viruses (Mac)
[email protected] writes:
>>AB5891A@ACAD writes:
>>>constantly be shut off. On a Mac, (OR IBM for that matter) if you
>>>want to increase the ANTI-virus protection, just after EACH
>>>application shut the system off. The virus MAY still spread, but then
>>>again, it may not.
>>DON'T DO THIS ON A MAC! [...]
>>..and some Mac viruses will continue to spread anyway. In fact, most of
>>them will if you are using MultiFinder or System 7.
I agree - the disk caches need to be flushed properly. Since common Mac
viruses take control at or soon after an application is launched, and can
infect stuff run again at startup, powering down between applications is not
generally a useful strategy for day-to-day use.
>It should be noted that the "Desktop" viruses (WDEF and CDEF) do _not_
>infect System 7. This is explained in the online Disinfectant manual.
>
>"...System 7 is completely immune to the 'Desktop' viruses (WDEF and CDEF).
>These viruses never activate, spread or cause any damage under System 7....
>..Under MultiFinder, the Desktop files are always 'busy'..."
>
>This goes on to say that Disinfectant cannot affect changes in MultiFinder.
>Since it cannot chnage it to repair it, it is safe to assume that the file
??????????????
>cannot undergo changes to be infected with the virus in the first place.
>
>Hmmm...maybe Apple is finally getting smart. :-)
You seem to be assuming a connection between facts not causally related:
1 - Desktop file viruses do not spread easily under system 7, because
the Finder is more careful about how it opens the Desktop file.
(This may be related to the use of the Desktop database except on
floppies or to the Finder rewrite in C++, I don't know. This
*could* be Apple getting smart.)
2 - Disinfectant 2.5.1 cannot repair some files under 6.0.x
Multifinder/Finder or System 7 Finder, because the files are
"busy" i.e. already open.
(This is not an insurmountable problem, because AppleEvents
could be used to make the Finder quit, and re-launch. But this
feature is not in 2.5.1)
3 - It is *not* safe to assume that because Disinfectant cannot
repair a file that the file cannot be infected in the first place.
A virus could infect from an INIT running before the Finder was
launched, from booting from a floppy or various other ways.
Disinfectant "plays by the rules" more than viruses - the
scanning and repair runs as a regular application. Viruses
are executed by several means, each with its own limitations.
This is not based on a detailed study of viruses under system 7,
but on general considerations - and a healthy dose of paranoia.
- --
Albert Lunde
[email protected]
[email protected]
------------------------------
Date: Sun, 17 Nov 91 16:39:24 +1100
>From:
[email protected] (Peter Nixon)
Subject: Do I have a virus or a hardware fault (PC)
I'm having a problem with a CCS brand XT. This uses a clone motherboard,
that features a VLSI chip that I assume handles the timer / dmi
functions etc.
The problem is that the machine is going into 'error' mode every 9 - 10
minutes. Error mode either results in the machine locking up or if I am
at the dos prompt , a string of ^ (as in the character above the 6) get
printed at the prompt, and the machine is still accessible.
Initially I considered this may have been a hardware problem associated
with the VLSI chip. But I found that when I disconnected the hard disk
and booted of a FDD, the fault did not occur. But if I leave the HDD
connected but still boot of the FDD the fault occurs. I wondered if
there may have been a virus in the partition table. I have scanned with
two virus checkers both found nothing. (But they are both slightly old).
So I then did a low level format on the hard disk, and reloaded
dos(4.01). I did turn the machine off between LLF and reload.
I had also tried disconnecting the keyboard, but the string of ^^^ still
happened. The number of ^ printed is not always the same.
I have also tried removing the multifunction card (which has the real
time clock), but the fault still occurred.
So do you think it is hardware related, or do I have a particularly
persitent virus.
Oh yes, one other thing, the size of the command.com file in the root
directory was correct, but a copy of the command.com in the dos subdir
was different. The system used the \dos copy. But even when i replace
this still no good.
Thanks for any help...
Peter Nixon
School of Commerce James Cook University Australia
[email protected]
[email protected]
------------------------------
Date: Sun, 17 Nov 91 10:40:14 +0000
>From: Fridrik Skulason <
[email protected]>
Subject: Re: Hardware...
In Message 13 Nov 91 09:12:21 GMT,
[email protected] (Vesselin writes:
>This won't help, since you'll inevitably miss some - the general
>question whether a program is infected or not is undecidable...
Only on a Turing-machine - not on a real-world computer - It is
perfectly well possible in theory on any finite machine, although it
would not be practical.
- -frisk
------------------------------
Date: Sun, 17 Nov 91 15:35:00 +0200
>From: Y. Radai <
[email protected]>
Subject: Re: Norton SI 6.01 and Cascade? (PC)
Ken West writes:
>I just installed Norton Utilities version 6.01 with DOS 5.0 running on
>my 386-25. The SI (system information) utility has a function to list
>hardware interupt usage. When I make this selection, it reports
>[Cascade] grabbing interrupt 2 (IRQ 02). I scanned the machine with
>McAfee Scan v. 84, and F-prot version 2.01 and neither report
>infection. Can anyone tell me what is going on here? Has anyone else
>seen this with Norton 6.01?
>
>I realize that Cascade is harmless but I don't want it around.
The word "[Cascade]" in the SI report has nothing to do with the
Cascade virus. It refers to a method (on ATs and higher models) by
which additional levels of external hardware interrupts are obtained
by "cascading" 8259A Programmable Interrupt Controllers, i.e. by
connecting the INT line of the new ("slave") PIC to the IRQ2 line of
the existing ("master") PIC. Thus the above report is perfectly
normal and has nothing to do with a virus.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: 18 Nov 91 02:05:55 +0000
>From:
[email protected] (Shawn Adrian Mchorse)
Subject: "Stealth" Viruses (4096 in particular) (PC)
I've been doing some research into computer viruses for my
philosophy class, and I've been rather intrigued by some of the
so-called "stealth" viruses. In particular, I have a couple of
questions about the 4096 virus (aliases: Century Virus, FroDo, IDF
Virus, Stealth Virus, 100 Years Virus). It is supposed to be able to
find the original interrupt vector addresses for both the 13h and 21h
interrupts, thus bypassing all active detectors that trap these
interrupts. I have gone through several technical references, but
have been unable to find where in BIOS or DOS it located this
information. I assume it must be in one of the several tables of
information in memory that are initialized at boot-time, but I cannot
seem to locate it. I would prefer responses by e-mail, considering
the volume of posts to this group. Thanx.
Shawn McHorse
[email protected]
------------------------------
Date: Mon, 18 Nov 91 13:35:37 +0200
>From:
[email protected] (Dmitry O. Gryaznov)
Subject: Liberty virus (PC)
McAfee's VIRLIST.TXT says about the Liberty virus:
Infects Fixed Disk Partition Table-----------------------+
Infects Fixed Disk Boot Sector-------------------------+ |
Infects Floppy Diskette Boot ------------------------+ | |
Infects Overlay Files------------------------------+ | | |
Infects EXE Files--------------------------------+ | | | |
Infects COM files------------------------------+ | | | | |
Infects COMMAND.COM--------------------------+ | | | | | |
Virus Remains Resident---------------------+ | | | | | | |
Virus Uses Self-Encryption---------------+ | | | | | | | |
Virus Uses STEALTH Techniques----------+ | | | | | | | | |
| | | | | | | | | | Increase in
| | | | | | | | | | Infected
| | | | | | | | | | Program's
| | | | | | | | | | Size
| | | | | | | | | | |
| | | | | | | | | | |
Virus Disinfector V V V V V V V V V V V Damage
- -----------------------------------------------------------------------------
Liberty [Liberty] Clean-Up . . x x x x x . . . 2862 O,P
Patricia Hoffman's VSUM says:
Virus Name: Liberty
....
V Status: Common
....
Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector
....
General Comments:
....
Liberty is a self-encrpyting virus. It is not yet known if it is
destructive.
....
Fridrik Skulason's F-PROT 2.01 (Viruses/Information) says:
....
Type: Resident COM/EXE-files
....
The effects of Liberty are not fully known yet.
Four days ago I'd received a sample of the Liberty (Liberty-C according to
Patricia Hoffman) virus from my E-mail pen-pal from South Africa. I'd
disassembled and examined the virus.
The first and the main feature missed in the above descriptions is that the
Liberty virus infects not only COM/EXE files but a BOOT sector of floppies
as well. However, a floppy infection occurs rather rare and is possible
on PC XTs only. When an infecting of a file fails due to a lack of free disk
space - INT 21H/AH=40H returns with Carry flag clear but the number of bytes
actually written is less then required (AX<CX) - the virus intercepts INT 13H.
First time a floppy (either A: or B:) is accessed for read or write the
virus reads a Boot sector and if it is not infected attempts to infect it.
To infect a floppy the virus formats an additional (for 360Kb floppies) track
(28H - 40D) with unusual sectors numbers - first 8 sectors used to keep the
virus body have numbers 31H-38H and the last sector (to keep uninfected Boot)
- 3FH. This won't work on PC AT - some additional efforts are required for
these machines. Floppy infections are made one-at-a-time - regardless was it
successful or failed the virus restores the previous contents of INT 13H
vector and continues to infect files only until the next write error.
When booted from an infected floppy the virus decreases the amount of
memory available (loc. 0:413H) by 10Kb, reads the whole virus to new location
(from head 0, cyl. 28H, sectors 31H - 38H) and reads an original Boot sector
(from head 0, cyl. 28H, sector 3FH) to 0:7C00H. After 10th bootstrap from an
infected floppy the virus will disinfect itself restoring an uninfected
Boot sector with a byte 0FFH placed at offs. 2 (normally there resides 90H -
NOP). When an infecting routine of the virus encounters such a cured floppy
the virus begins to damage floppies instead of infecting them.
If a bootstrap counter is less then 10 the virus intercepts INT 13H, INT 08H
(Timer), INT 10H (Video Service), INT 14H (Serial port I/O), INT 17H (Printer)
and INT 1CH (Secondary Timer interrupt).
INT 13H is used to infect floppies. The handler installed at boot time is
different from the one used when loaded from an infected file. This handler
is permanent and infects floppies being accessed for Write or Verify (INT 13H,
AH=3 or AH=4).
Hardware timer interrupt (INT 08H) is used to intercept INT 21H after DOS
activating. From inside INT 21H handler the virus infects COM and EXE files
being executed (INT 21H/AX=4B00H).
INT 1CH is used to trigger the virus in certain periods of time. When
triggered, the virus changes all characters being sent/received via INT 14H,
printed via INT 17H and displayed via INT 10H (AH=09 or AH=0AH) to make a
string 'MAGIC!!' for 512 timer ticks (appr. 28 seconds). After 10th triggering
the virus swaps the upper line of a screen for blinking yellow-on-red sign
'M A G I C ! ! !' (won't work on monochromes) and then passes control to
ROM Basic (INT 18H). PCs without ROM Basic will either "hang" or reboot.
As I've said above an infection of a Boot sector with the Liberty virus
is rather rare and is possible only on PC XT. Nevertheless since the virus
is common (see VSUM) in the West (it is unknown in the USSR) and there are
still a lot of PC XTs in use Boot sector infections with the Liberty virus
are quiet possible. After 10th bootstrap from an infected floppy the virus
will cure it but such a cured floppy will become a trigger for the virus's
destructive function.
All scanners I've tested (SCAN84, F-PROT 2.01, VIRx 1.8, etc.) found the
Liberty virus in infected files. But *NONE* of them reported an infection
when tested against an infected floppy.
A couple of words more about self-encrypting (see VSUM). The Liberty virus
keeps self-encrypted only a small piece of its code used to infect COM files.
This causes no difficulties in detecting/disinfecting of Liberty. The virus
also keeps encrypted first 120 bytes of an infected COM file but this is NOT
SELF-encrypting.
- --
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
------------------------------
Date: 18 Nov 91 12:02:23 +0000
>From: Daryanani <
[email protected]>
Subject: Re: Norton SI 6.01 and Cascade? (PC)
[email protected] (Ken West - Entomology) writes:
>I just installed Norton Utilities version 6.01 with DOS 5.0 running on
>my 386-25. The SI (system information) utility has a function to list
>hardware interupt usage. When I make this selection, it reports
>[Cascade] grabbing interrupt 2 (IRQ 02). I scanned the machine with
>McAfee Scan v. 84, and F-prot version 2.01 and neither report
>infection. Can anyone tell me what is going on here? Has anyone else
>seen this with Norton 6.01?
That [Cascade] is not the Cascade virus, rather it is refers to the
hardware interrupt cascade. The interrupt controller chip (PIC) can
only support 8 IRQs, so starting with the PC/AT IBM put in 2 of these
chips and cascaded all interrupts from the second to IRQ 2 on the
first. That way you now have 15 IRQ lines and old PC/XT programs
still work, thinking there are only 8 IRQ lines.
Raju
- --
Raju M. Daryanani
[email protected]
------------------------------
Date: Mon, 18 Nov 91 12:06:41 -0500
>From: Otto Stolz <
[email protected]>
Subject: Re: Generic scanning - a small test (PC)
On Sat, 09 Nov 91 17:39:08 +0000 Frisk said:
> I just did a small test and I hope the results are of general interest.
..
> Sample name: TERROR-N.COM
> 2.01-Secure: not detected
> 2.01-Quick: Infection: Terror
> Scan 84: not detected
> Analyse: No virus-like code found
..
> Sample name: NUMLOCK.COM
> 2.01-Secure: not detected
> 2.01-Quick: Infection: PC-Flu
> Scan 84: not detected
> Analyse: This program modifies itself in a highly suspicious
> way. It is either infected, or a badly written program
> which overwrites code with data.
>
> So, what can be said about the results?
How can it be that in these two cases a Quick scan detected something,
a Secure scan missed? Before that test, I was under the impression
that a Secure scan will never find less viruses or variants than a
Quick scan.
Does this result mean that we will have to run both scans to be on the
safe side?
Bewildered,
Otto <
[email protected]> or <
[email protected]>
------------------------------
Date: Mon, 18 Nov 91 18:02:18 -0500
>From: Otto Stolz <
[email protected]>
Subject: Re: Stoned on 3.5" disks / "1590" virus (PC)
Sorry for replying so late.
On 10 Oct 91 09:56:35 -0500 Don Medal <
[email protected]> said:
> We are currently infected with an apparently new strain
> of the "Stoned" virus. We ran tests last year and determined that the
> Stoned virus we had at that time could not infect our 3.5" disks,
> suddenly we are overwhelmed by Stoned on our 3.5" machines also.
This is not necessarily a new strain.
The (ordinary) Stoned virus infects only diskettes in drive A. As the
infection always comes from the same drive A (by accidently booting
from an infected diskette), this virus will stick to one sort of
diskettes, under normal circumstances. However, it can equally spread
in an 5.25" or in an 3.5" environment. Hence, to the (ordinary) Stoned
virus, the MS-DOS world consists of two mutually exclusive populations
of PC, viz. those with 3.5" drives as A, and those with 5.25" drives
as A.
In rare cases, a copy of the virus may make it to the other sort of
diskettes, e.g. after re-configuring a PCwith an infected hard disk
(making A a drive of the other sort), or after mounting an infected hard
disk into another PC with different diskette drive A. This copy will
subsequently spread in the other part of the PC population.
Of course, a Stoned virus could be modified to infect B drives, as well;
this variant could easily propagate to the other sort of diskettes, as
many PCs are equipped with two different dikette drives. I do not know,
whether such a variant exists, however.
Best wishes
Otto
------------------------------
Date: 18 Nov 91 19:31:09 +0000
>From:
[email protected] (Michael Martin)
Subject: Dir-II at Rutgers University (USA) (PC)
On November 11, I stated that DIR-II had been found at Rutgers
University. At the same time, my incoming news feed was out, so I
have no idea what discussion may have occurred. However, by email,
Vesselin Bontchev of the University of Hamburg suggested that this
might be a misidentification.
I now have a second identification of DIR-II from Skulason's
F-PROT v2.01.
Discovery of the infection was accidental, the result of a
scan out of idle curiosity. The virus was removed by McAfee clean
7.9v84. The only snag was that McAfee CLEAN was unable to remove the
virus when executed from a boot disk. It was necessary to copy CLEAN
to the (infected) hard disk first. Beyond that, everything went
smoothly. The affected lab is back to normal, but is now protected
by McAfee VSHIELD.
F-PROT's TSR, VIRSTOP was also effective in detecting the
virus. The F-PROT version I have cannot remove this virus. Too bad
one of these programs was not installed before the virus arrived.
mike martin
[email protected]
------------------------------
Date: 18 Nov 91 22:56:02 +0000
>From:
[email protected] ( WIDJAJA)
Subject: virus ? (PC)
Hi, there !
I don't know if I put this article in the right place. I have problem
with my computer, IBM PC 286. I used MSDOS 3.2, then I
changed/installed with MSDOS 3.3. Now, the problem is that sometimes
my hard disk does not response when I boot the computer. I have to
reboot it again to make it works. Before I installed MSDOS 3.3, I did
not have any problems at all with the hard disk. I use Scan virus to
detect the computer and I do not find any virus. Is there any new
virus in my computer that the Scan can not detect it?. I use Scan v76.
Can someone help me?.
Thanks.
Wan
------------------------------
Date: 18 Nov 91 22:35:06 +0000
>From:
[email protected] (David Smith)
Subject: Re: System 7 vs. viruses (Mac)
[email protected] writes:
> It should be noted that the "Desktop" viruses (WDEF and CDEF) do _not_
> infect System 7. This is explained in the online Disinfectant manual.
>
> "...System 7 is completely immune to the 'Desktop' viruses (WDEF and CDEF).
> These viruses never activate, spread or cause any damage under System 7....
> ..Under MultiFinder, the Desktop files are always 'busy'..."
>
> This goes on to say that Disinfectant cannot affect changes in MultiFinder.
> Since it cannot chnage it to repair it, it is safe to assume that the file
> cannot undergo changes to be infected with the virus in the first place.
>
> Hmmm...maybe Apple is finally getting smart. :-)
Well I do not know about Multifinder under sys 7 but under 6.8 running
AUX in which multifinder is always running the desktop and the system
have been infected and Disenfectent cannot remove it, it must be
reinitilized.
??????????????????????????????David Smith?????????????????????????????????????
?? <
[email protected]> <
[email protected]> ??
?? I am surrounded by fools. There are people all around me. ??
?? God made us in his image. Therefor is God a fool? ??
?? "He's dead Jim!" ??
?? /Std. disclamer, My views are only my own.../ ??
??????????????????????????????????????????????????????????????????????????????
------------------------------
Date: Tue, 19 Nov 91 14:04:00 -0600
>From: Ken De Cruyenaere 204-474-8340 <
[email protected]>
Subject: Strange symptoms include COMMAND.COM disappearing (PC)
A colleague has two machines (pc compatibles - one is a COMPAQ 386)
down with strange symptoms.
COMMAND.COM
CONFIG.SYS
and AUTOEXEC.BAT have all disappeared !
Both machines were running OK but hung up when
the user tried to exit to DOS (from LOTUS in the case of the COMPAQ).
The latest anti-virals were run and turned up nothing.
I have scanned thru back issues of this digest but don't recall seeing
these symptoms before. Does anyone know of any virus, trojan -OR-
user error that would result in the above files disappearing?
Ken
- ---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet:
[email protected] Voice:(204)474-8340 FAX:(204)275-5420
------------------------------
Date: 19 Nov 91 15:27:54 -0400
>From: Larry Mateo <HSVLM%
[email protected]>
Subject: Jerusalem Virus Questions (PC)
I'm looking for information on how the Jerusalem virus and its various
strains are spread. Could someone point me to an authority or provide
me with the information?
Thank you.
------------------------------
Date: Wed, 20 Nov 91 19:13:00 +0200
>From: Y. Radai <
[email protected]>
Subject: Mark Washburn (was: Hardware? How about software...?)
Frisk writes:
>The usefulness of SECURE is subject to debate. My opinion is however
>that the simple fact that is written by Mark Washburn is a pretty good
>reason to ignore the program - as well as all other programs written by
>known virus authors.
I don't suppose this is something we can achieve agreement on since it
has little to do with facts. Anyway, I do not agree that a program
should be ignored simply because it was written by a known virus
author. I suspect that quite a few anti-viral people have written at
least one virus for test purposes. Should we ignore their software
too?
I suppose, however, that you meant people who have released viruses
publicly, not just for test purposes. True, Washburn released a virus
publicly, but many of us distinguish between writers of deliberately
destructive viruses and those of non-destructive ones. And Mark's vi-
ruses are not destructive. True, someone else used his virus to create
a destructive one, and mainly because of the possibility that this
would happen, Washburn's decision was a mistake. But perhaps he has
realized his mistake?
And even if he has not repented, I'm not sure the public should be
deprived of knowledge of a good product because of this. As you will
no doubt recall, several months ago (long before Fred Waller appeared
on the scene), I expressed the opinion in Virus-L that SECURE was the
best generic monitoring program I had seen, at least from the point of
view of minimizing false negatives (and perhaps false positives too,
though it leaves something to be desired from the user interface as-
pect). So why should the program be ignored? Just to get revenge on
Washburn?
Well, as I said, this has little to do with facts, so I suppose
neither of us will convince the other. Still, I thought it would be a
good idea to point out that other opinions are possible on this issue.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 223]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
