VIRUS-L Digest Friday, 22 Nov 1991 Volume 4 : Issue 225
Today's Topics:
Re: System 7 vs. viruses (Mac)
ANSI Bombs
Re: Protection...
Re: DIR-2 found in USA (PC)
Does PC virus affect hardwares? (PC)
Re: Generic scanning - a small test (PC)
Mark Washburn
Strange occurences using DBase IV & AZUSA Comm Port (PC)
Request for help on getting ".CVP" documents.
Gosia virus search string (PC)
Booting from floppy, Multifinder & Disinfectant (Mac)
Frog's Alley / new upload (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 21 Nov 91 15:10:57 -0500
From: [email protected] (Joseph D. McMahon)
Subject: Re: System 7 vs. viruses (Mac)
[email protected] (David Smith) writes:
> Well I do not know about Multifinder under sys 7 but under 6.8 running
> AUX in which multifinder is always running the desktop and the system
> have been infected and Disinfectant cannot remove it, it must be
> reinitialized.
Which virus are you speaking of? If it's a desktop infector, you
certainly don't need to reinitialize (I assume you mean format) the
disk! Rebuilding the Desktop file is good enough. Write to me
privately if you need to know how to do this.
--- Joe M.
------------------------------
Date: Thu, 21 Nov 91 15:12:28 -0500
From: padgett%[email protected] (A. Padgett Peterson)
Subject: ANSI Bombs
>From: [email protected]
>I went to a re-write of ANSI that doesn't allow redefs, and as such was a lot
>smaller. Saved me a few K in space, and disabled any ANSI bombs in the process.
>Good trade off, I think.
Again, a single byte change in most ANSI drivers (offset 61h for the
DOS 5.0 version I have) will change the redirection character from the
standard lower case "p" to *something else* and defuses the whole
problem. But it is unlikely that many people will.
>"How stupid you are depends on exactly where you're standing at any given
>Moment."
ref. Smokey & the Bandit, 1977 - the South & Pontiacs, my favourite mix.
Padgett
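The key-redefinition sequences Padgett is talking about can be picked out of a text or ANSI-art file with a few lines of parsing, and the same parser shows why changing the driver's recognised final character defuses them. This is an added example, not code from the digest and not any ANSI.SYS replacement; the sample bytes are constructed, and the alternative final byte `q` used at the end is a hypothetical choice, not the byte Padgett patched in.

```python
"""Find ANSI.SYS keyboard-redefinition sequences ("ANSI bombs") in raw bytes.

ANSI.SYS redefines a key with   ESC [ <key> ; <replacement...> p
where <key> is a decimal key code (extended keys are written 0;<scancode>)
and the replacement is a mix of decimal codes and "quoted strings".
A trailing 13 (carriage return) makes the injected text execute as soon as
the victim presses the key, which is what turns a redefinition into a bomb.
"""

ESC = 0x1B


def find_csi_sequences(data: bytes):
    """Yield (parameter_bytes, final_byte) for each ESC[ ... <final> sequence.

    The final byte is the first byte in 0x40..0x7E outside a quoted string
    (ANSI.SYS lets letters appear inside "..." parameters, so quotes must be
    tracked or the string itself would be taken as the final byte)."""
    i, n = 0, len(data)
    while i < n - 1:
        if data[i] != ESC or data[i + 1] != 0x5B:      # not ESC [
            i += 1
            continue
        j, quote = i + 2, None
        while j < n:
            c = data[j]
            if quote is not None:
                if c == quote:
                    quote = None
            elif c in (0x22, 0x27):                    # " or '
                quote = c
            elif 0x40 <= c <= 0x7E:
                yield data[i + 2:j], c
                break
            j += 1
        i = j + 1


def split_params(params: bytes):
    """Split ';'-separated parameters into ints (key/char codes) and strs."""
    out, i, n = [], 0, len(params)
    while i < n:
        c = params[i]
        if c in (0x22, 0x27):
            j = params.find(bytes([c]), i + 1)
            j = n if j < 0 else j
            out.append(params[i + 1:j].decode("latin-1"))
            i = j + 1
        elif 0x30 <= c <= 0x39:
            j = i
            while j < n and 0x30 <= params[j] <= 0x39:
                j += 1
            out.append(int(params[i:j]))
            i = j
        else:                                          # ';' or junk
            i += 1
    return out


def find_key_redefinitions(data: bytes, final: int = 0x70):
    """Return [(key, replacement)] for every redefinition the driver would act on.

    `final` is the command byte the driver recognises for key redefinition;
    standard ANSI.SYS uses 'p' (0x70). Passing a different byte models a
    driver patched as Padgett describes: bombs written against 'p' no longer
    match anything."""
    found = []
    for params, fb in find_csi_sequences(data):
        if fb != final:
            continue
        parts = split_params(params)
        if len(parts) >= 2 and parts[0] == 0 and isinstance(parts[1], int):
            key, repl = ("ext", parts[1]), parts[2:]   # extended key 0;<scancode>
        elif parts and isinstance(parts[0], int):
            key, repl = parts[0], parts[1:]
        else:
            continue
        if repl:
            found.append((key, repl))
    return found


def fires_on_enter(repl) -> bool:
    """True when the replacement ends in a carriage return, i.e. the injected
    text runs without the victim pressing Enter."""
    return bool(repl) and repl[-1] == 13


# Constructed sample: harmless colour codes followed by two redefinitions.
SAMPLE = (b"Welcome!\r\n"
          b"\x1b[1;31mRed text\x1b[0m\r\n"
          b'\x1b[65;"echo y|del *.*";13p'      # 'A' -> command + Enter
          b'\x1b[0;59;"dir";13p')              # F1  -> dir + Enter

if __name__ == "__main__":
    for key, repl in find_key_redefinitions(SAMPLE):
        print(key, repl, "auto-fires" if fires_on_enter(repl) else "")
    print("with patched final byte:", find_key_redefinitions(SAMPLE, final=0x71))
```

Run against a downloaded text before TYPEing it; anything reported with a trailing 13 deserves a look. Note that the check only covers the standard `p` command: a driver patched to a different final byte would need the same byte passed in `final`.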
------------------------------
Date: 21 Nov 91 19:49:23 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Protection...
[email protected] (Fred Waller) writes:
> Scanning is not foolproof either; the person could have scanned and
> still gotten infected. Or, if the scanner was not too well designed
> (as some are not), then the act of scanning itself might have spread
> the virus further to other parts of the system.
While I agree that scanning does not offer any serious protection, I
would like to point out that the way the scanner is implemented
doesn't really matter. What -does- matter is how the user uses it. If
s/he always boots from a non-infected write-protected system diskette
and always starts a non-infected copy of the scanner from a
write-protected disk, the simple act of scanning CANNOT spread the
infection. Regardless how poorly the scanner is implemented. (Unless
the scanner purposely releases a virus, of course... <grin>)
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Thu, 21 Nov 91 14:02:45 -0800
From: [email protected] (Karyn Pichnarczyk)
Subject: Re: DIR-2 found in USA (PC)
[email protected] (Vesselin Bontchev) writes:
Also Dr. Solomon's Anti-virus Toolkit, version 5.13 and above, is able
to detect the virus. Not to eradicate it, however. The only three
methods for removing this virus which are currently available, are
CLEAN 84, my program DIR2CLR, and using the REN method, described by
Andrzej Kadlof (similar to your backup method, but much easier and
faster).
Also DDI's Virhunt (from the Data Physician package) version 3.0B
detects and eradicates DIR-2.
Karyn Pichnarczyk
CIAC Group
Lawrence Livermore Nat. Labs
510-422-1779
------------------------------
Date: Fri, 22 Nov 91 10:39:49 +0000
From: [email protected] (Hans Roulund)
Subject: Does PC virus affect hardwares? (PC)
This is the first time I write to this newsgroup. My friend and I had
several unpleasant experiences with hardware failures. We speculate
that there was probably a virus on our PCs. Now I try to describe what
had happened to us. My friend had an 80286 PC clone with a SCSI hard disk
and a 5.25" floppy drive. A month ago his PC kept remembering the disk
information of A:, so every time he changed a diskette, the PC continued
to show the contents of the previous diskette when he used the DOS command DIR.
Furthermore, the correctly connected laser printer didn't print
anything. When he tried with a virus-free system diskette, everything
worked fine. But there was no way to install the system on the hard disk
correctly. The PC kept losing the hard disk configuration info. Then my friend
bought another PC, an 80386, but the same problem began to appear again:
losing hard disk configuration info and refusing to take a new
diskette, plus the printer doesn't work. (It beeps when the Print Screen key is
pressed.) Can you tell me what kind of virus it could be and what the
cure is?
Now to my headache. I use a PC 80386sx with an AT-bus hard disk controller (my
friend's second PC also has an AT-bus hard disk). It worked fine until I
installed a fax modem. One day the fax modem started to siren very
loudly and unbearably, and my machine seemed to have lost all info
stored in CMOS. After I specified all the parameters CMOS asked for, I found
my hard disk was totally out of order! Both the boot sector and the FAT and root
directory seem to have moved 18 sectors forward. There are a lot
of blank sectors scattered on the hard disk (marked with 6F, or letter
l). I know they should not be there since my hard disk was virtually
full. After I checked the fax modem on another machine, it seemed to
be damaged. I thought all was due to my having no earth-grounded AC line.
But it doesn't seem to be the right explanation. Now I try to recover
invaluable files sector by sector on an 89 MB hard disk. Can you experts
help? Thank you.
G.f.x.
------------------------------
Date: Fri, 22 Nov 91 08:53:35 +0000
From: Fridrik Skulason <[email protected]>
Subject: Re: Generic scanning - a small test (PC)
In Message 18 Nov 91 17:06:41 GMT, [email protected] (Otto Stolz) writes:
>How can it be that in these two cases a Quick scan detected something,
>a Secure scan missed? Before that test, I was under the impression
>that a Secure scan will never find less viruses or variants than a
>Quick scan.
Well, as the name implies, Secure scan is generally more secure than
Quick Scan - that is....
They are about as good at detecting known viruses - if you only want
to consider them, then Quick scan is sufficient. (Of course, if you
want to disinfect, then you have to use Full/Secure scan.)
Secure Scan has a higher chance of detecting new, modified variants of
old viruses - simply because it uses two search strings for each virus,
while Quick Scan only uses one. However - The one string used by
Quick scan is generally not the same as either of the two strings used
by Secure scan.
So, if a virus is modified in a way which changes both of the strings
used by Secure Scan, but not the string used by Quick Scan, then Quick
Scan will detect the new variant, but Secure Scan will not. This is
not very likely, but nevertheless it happened in the case you refer to.
Of course, when searching for totally new viruses, Quick and Secure
will probably not detect anything, but it is very likely that "Analyse"
will find something....
>Does this result mean that we will have to run both scans to be on the
>safe side?
Well, using both is safer - but normally Quick Scan should be all that is
needed.
-frisk
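A toy reconstruction of the situation Frisk describes, added here as an example (this is not F-PROT's code; the virus body, the host, the string offsets and lengths, and the rule that Secure reports a hit when either of its two strings matches are all assumptions made for the illustration). One virus body yields a Quick string from one region and two Secure strings from two other regions; two modified variants then show which scan survives which edit.

```python
"""One-string vs. two-string scanning on a constructed virus body.

The 'virus', its host and every offset below are made up for the demo; the
point is only the relationship between where a variant's author changed
bytes and which search string survives the change.
"""

# 64-byte constructed virus body (0x10..0x4F: no byte repeats, so an 8-byte
# slice cannot match anywhere but at its own offset).
VIRUS = bytes(range(0x10, 0x50))

# Minimal host: mov ah,4Ch ; int 21h (exit to DOS) plus padding.
HOST = b"\xB4\x4C\xCD\x21" + b"\x00" * 28

QUICK_SIG = VIRUS[8:16]                        # the single Quick-scan string
SECURE_SIGS = (VIRUS[24:32], VIRUS[48:56])     # the two Secure-scan strings


def infect(host: bytes, body: bytes) -> bytes:
    """Appending infector: host code followed by the virus body."""
    return host + body


def quick_scan(sample: bytes) -> bool:
    return QUICK_SIG in sample


def secure_scan(sample: bytes) -> bool:
    # Assumed rule: a hit if either Secure string is present.
    return any(sig in sample for sig in SECURE_SIGS)


def classify(sample: bytes) -> dict:
    return {"quick": quick_scan(sample), "secure": secure_scan(sample)}


def patch(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite len(new) bytes at offset (models the variant author's edit)."""
    return data[:offset] + new + data[offset + len(new):]


# Variant A: the edits land inside both Secure strings, Quick string untouched.
VARIANT_A = patch(patch(VIRUS, 28, b"\x90\x90"), 50, b"\x90\x90")
# Variant B: the usual case, the edit lands on the Quick string only.
VARIANT_B = patch(VIRUS, 10, b"\x90\x90")


def survivors(variant: bytes) -> dict:
    """Which scan still detects an infected file carrying this variant."""
    return classify(infect(HOST, variant))


if __name__ == "__main__":
    print("original :", survivors(VIRUS))
    print("variant A:", survivors(VARIANT_A))   # {'quick': True, 'secure': False}
    print("variant B:", survivors(VARIANT_B))   # {'quick': False, 'secure': True}
```

Variant A is the "not very likely" case from the reply: two independent strings give more chances to survive a modification, but a modification that happens to hit both of them while missing the third, unrelated string leaves the one-string scan as the only detector.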
------------------------------
Date: Fri, 22 Nov 91 08:53:39 -0500
From: [email protected]
Subject: Mark Washburn
Y. Radai, in his reply to Frisk's comment about Mark Washburn, writes:
>Anyway, I do not agree that a program should be ignored simply because
>it was written by a known virus author.
While agreeing that this is strictly a matter of personal opinion and
not of fact, I must disagree with Radai's view on a couple of grounds.
The first is practical. If I knew that a certain program was written
by a virus author, I would not use it for the simple fact that I could
never be reasonably sure that the author had not planted some kind of
virus, logic bomb, trap door, or some other nefarious piece of code in
the program. He has done it in the past and there is probably not
much reason to believe he wouldn't do it again. Thus, I would never
use Virus Secure by Ralf Burger (I have seen it and it is a terrible
program anyway), or any program written by Robert Morris or someone
like him, no matter how good the program may be. There are too many
other good programs out there written by responsible programmers. I
would probably even stay away from any product from a company that
knowingly employed a virus author.
The second ground for my disagreement is ethical. When a person
writes a virus (destructive or not) and releases it, he has violated
the ethical principles that most computer professionals adhere to. To
then embrace his next non-viral programming effort is to implicitly
readmit him into the professional society with no regard for his past
deeds. Also, I would not like any of my money going into the pockets
of a virus author, even though he may claim he is "reformed". I think
the view expressed by Radai implicitly encourages virus authors and
so should be rejected.
------------------------------
Date: Thu, 21 Nov 91 20:26:36 -0500
From: [email protected]
Subject: Strange occurences using DBase IV & AZUSA Comm Port (PC)
We are running DBASE IV 1.1 in a Student Lab setting using the A: disk
as the data drive and running the program off of a Novell server. While
DBase is buggy (Not my choice; merely my support!), the events in our
lab exceed even Ashton-Tate's known and unknown problems.
The lab boot/data disks contain Read Only files for IPX, NET3,
AUTOEXEC.BAT and CONFIG.SYS. Of course the system files are Hidden/Read
Only.
One Lab contains 640K PC Clones booting from 5.25 Floppies; the other,
PS2-30s booting from 3.5 inch Floppies.
In the clone lab, disks running Dbase are being trashed at the FAT
level. Seriously trashed. We had no problem running Lotus and Word
Perfect earlier in the quarter. Now, it is "Nightmare on Court Street!"
Some of the problems are figuring out what is not in the manual.
Others are memory not being released by Dbase or Dbase trashing Dbase.
But how are read-only files getting fried and the FAT messed up?
Note: The same event has started in the 3.5 inch PS2 lab. SCAN80 is
being run at Login. Have had few viruses on my 3.5 inch computers.
Anyway, HHHEEELLLLPPPPP! would be appreciated.
Something in return:
Sound symptom of Stoned in a Partition Table -- Drive grinds badly.
Break out the Scan, then use Nortons.
AZUSA virus will play with the COMM Port, effectively disabling it on a
PC/XT. Discovered while trying to install a new KERMIT on a faculty
member's PC/XT -- "Port 1 run through BIOS1" message. Thought it was DOS
3.2 until it always worked when I booted from Floppy A:. Took me awhile
to catch on.
Sent request to admin side for subscription. Will reiterate here.
Also need info on how to get Patricia Hoffman's VSUM.
------------------------------------------------------------------
David B. Underwood
College of Business
Ohio University
Athens, Ohio 45701
------------------------------
Date: 14 Nov 91 11:03:00 -0600
From: "APACHE::COOPER" <cooper%[email protected]>
Subject: Request for help on getting ".CVP" documents.
Dear Gentlemen of Virus-L.
When I was subscribed to the list, someone (sorry I forgot
your name) was posting instructional files with the extension of
".CVP". Is there somewhere that I can do a database search for that
string? Or do I have to download all the archives via FTP then
search? Or maybe the kind gentleman can send me all those files?
aTdHvAaNnKcSe
(THANKS 'in' advance)
/----------------------\
| Jim Cooper, TSgt |
| Programmer/Analyst |
| Armstrong Laboratory |
| Brooks AFB, TX 78235 |
\----------------------/
BTW, send replies to cooper%[email protected] as I am
no longer subscribed to the list.
P.S. Hopefully, our *wonderful* maintainers of the mail server will
have it back on line (incoming) by the time I start receiving replies
from you.
------------------------------
Date: Fri, 22 Nov 91 16:42:48 +0700
From: [email protected]
Subject: Gosia virus search string (PC)
Kenneth R. van Wyk <[email protected]> writes:
>I received the following FAX this morning from the Virus Bulletin:
>The hexadecimal search pattern for the Gosia virus published on page 5
>of Virus Bulletin, November 1991 should NOT be used as it produces
>numerous false positives. A suitable alternative pattern will be
>published in December.
I do not have the November issue of Virus Bulletin, but Gosia is a Polish
virus and you may find some info about it interesting.
The following is extracted from the Virus Information Card published in
PCvirus 2(3)91:
Gosia was isolated in Poland in April 1991. It is a rather primitive
virus with logic very similar to W13.
The effective length of the virus is 466 bytes. It infects only COM files.
Infected files are marked by putting 44 in the second field in the file
time stamp.
Gosia is not resident and does not use any stealth technique. In one run it
infects only one file in the current directory. COM files are recognized by
the extension of the name. It infects files with a length in the range 100 ...
63,000 bytes.
On write-protected diskettes the virus generates: Write protect error ...
The virus signature is:
5681C64401b90300BF0001FCF3A45E8BD6
(I do hope it is not the same as in VB).
The name of the virus (a Polish girl's nickname) is taken from the string
inside the virus: "I love Gosia", where instead of the word "love" there is a heart
character (code 3).
The virus does not contain any destructive code.
And that is all.
Regards from Warsaw
Andrzej Kadlof <
[email protected]>
Department of Mathematics, University of Warsaw
Editor-in-chief of PCvirus Bulletin
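The card above gives enough to write a small checker for the properties it lists: the size range the virus attacks, the time-stamp marker it uses to avoid re-infecting a file, and the search string. This is an added example, not Kadlof's DIR2CLR or anything from PCvirus; it assumes that "44 in the second field in file time stamp" means the seconds field of the DOS directory time word (stored in two-second units, so 44 is representable), the "infected" sample file is constructed, and the disassembly of the search string in the comment is my reading of those bytes.

```python
"""Check a COM file against the Gosia Virus Information Card quoted above."""

# Search string from the card. Read as 8086 code the bytes are:
#   56           push si
#   81 C6 44 01  add  si,0144h
#   B9 03 00     mov  cx,3
#   BF 00 01     mov  di,0100h
#   FC           cld
#   F3 A4        rep  movsb    ; copy three bytes to CS:0100h
#   5E           pop  si
#   8B D6        mov  dx,si
# i.e. the usual COM-infector step of restoring the host's first three bytes.
GOSIA_SIG = bytes.fromhex("5681C64401b90300BF0001FCF3A45E8BD6")
VIRUS_LEN = 466
MIN_LEN, MAX_LEN = 100, 63_000         # target size range from the card
MARK_SECONDS = 44                      # assumed: the marker lives in the seconds field


def dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a DOS directory time word: hhhhh mmmmmm sssss, seconds stored /2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def dos_time_seconds(word: int) -> int:
    return (word & 0x1F) * 2


def is_marked(word: int) -> bool:
    return dos_time_seconds(word) == MARK_SECONDS


def would_be_attacked(name: str, size: int, time_word: int) -> bool:
    """Would one run of the (non-resident) virus pick this directory entry?
    Per the card: .COM by extension, size in range, not already marked."""
    return (name.upper().endswith(".COM")
            and MIN_LEN <= size <= MAX_LEN
            and not is_marked(time_word))


def looks_infected(data: bytes, time_word: int) -> bool:
    """Search string present and the time-stamp marker set."""
    return GOSIA_SIG in data and is_marked(time_word)


def build_sample(host_len: int = 300) -> bytes:
    """Constructed 'infected' COM image: a host of host_len bytes whose entry
    jumps to an appended 466-byte body that contains the search string."""
    host = b"\xE9" + (host_len - 3).to_bytes(2, "little") + b"\x90" * (host_len - 3)
    body = b"\xBE\x00\x01" + GOSIA_SIG              # mov si,0100h then the pattern
    body += b"\x00" * (VIRUS_LEN - len(body))
    return host + body


if __name__ == "__main__":
    sample = build_sample()
    print("infected sample, marked stamp :", looks_infected(sample, dos_time(12, 30, 44)))
    print("infected sample, normal stamp :", looks_infected(sample, dos_time(12, 30, 42)))
    print("clean HELLO.COM is a target   :", would_be_attacked("HELLO.COM", 300, dos_time(9, 0, 0)))
```

The marker check is worth keeping separate from the string search: a directory listing alone (names, sizes, time stamps) already narrows the candidates before any file is read, and files whose seconds field reads 44 without the search string are a hint that some other program sets the same marker.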
------------------------------
Date: Thu, 21 Nov 91 19:24:00 -0500
From: <[email protected]>
Subject: Booting from floppy, Multifinder & Disinfectant (Mac)
[email protected] (Albert Lunde) recently wrote:
> 3 - It is *not* safe to assume that because Disinfectant cannot
> repair a file that the file cannot be infected in the first place.
> A virus could infect from an INIT running before the Finder was
> launched, from booting from a floppy or various other ways.
> Disinfectant "plays by the rules" more than viruses - the
> scanning and repair runs as a regular application. Viruses
> are executed by several means, each with its own limitations.
Sorry, this is me being a bit naive. We don't really have a problem
with people starting up from bootable floppies, so we rarely see this
problem. Most kids here don't even know they can do that, and for
those of us who know we can, we don't really see a point. (Most of us
who know how to are employees of the computer center.) Of course, we
haven't had a major virus breakout on campus lately, either.
[email protected] (David Smith) recently wrote:
>Well I do not know about Multifinder under sys 7 but under 6.8 running
>AUX in which multifinder is always running the desktop and the system
>have been infected and Disinfectant cannot remove it, it must be
>reinitialized.
Disinfectant can't remove viruses while Multifinder is running. In
order to be able to disinfect your system, you have to turn off
Multifinder (which I believe can still be done in system 6.8...but I'm
not sure, I haven't seen it...we're still using 6.0.7). If you can't
turn it off, use a system 6.0.x disk to boot, and then run
Disinfectant, and it should kill the virus.
My opinions are my own...my employers would shoot me if I claimed my
opinions as theirs! :-)
*******************************************************************************
*** Melissa A. Jehnings * "We sometimes catch a window ***
*** Student Manager * A glimpse of what's beyond ***
*** Academic Computing Center * Was it just imagination ***
*** Wheaton College * Stringing us along? ***
*** Norton, MA * More things than are dreamed about ***
*** BITNET: LISSA@WHEATNMA * Unseen and unexplained ***
*** WUG@WHEATNMA * We suspend our disbelief ***
*** Apple Ambassador for the * And we are entertained." ***
*** Computer Users' Group of Wheaton* ---Rush, "Mystic Rhythms" ***
*******************************************************************************
------------------------------
Date: Thu, 21 Nov 91 14:44:26 -0600
From: James Ford <[email protected]>
Subject: Frog's Alley / new upload (PC)
For those people keeping track, Frog's Alley has been found in
Tuscaloosa, Alabama. This comes on the heels of
Plastique/Anticad..... :-(
VIRLAB14.ZIP has been uploaded to risc.ua.edu for anonymous FTP.
Below is a short description of the file by the uploader (part of
README.TXT).
----------
Common sense is the least common of all senses.
----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected],
[email protected]
---------------------- begin short description --------------------------
VIRLAB
A Computer Virus Simulation Environment
VIRLAB is a program for the simulation of the spreading of DOS-
computer viruses and their prevention. VIRLAB will thereby allow
free, riskless experimenting, rather than following any fixed
teaching strategy. With a basic knowledge about computer viruses
the effects of viral infections during various stages can be
studied without dealing with real viruses. This provides students
in computer security classes etc. with a hands-on experience without
getting in touch with actual viral code.
The program simulates an IBM-compatible personal computer under
MS-DOS, version 3.2 which contains both a floppy disk drive and a hard
disk drive. In the simulation environment you can select one virus out
of a database with more than 300 currently known computer viruses
(including Dir-2) and infect a disk with it. As the work with this
disk continues, the virus will become active and start spreading. As a
general rule, this would happen unnoticed by the user during the
execution of DOS-commands or user programs. VIRLAB will make these
viral activities visible in various ways:
- infected disks will be shown in red
- each action of the virus will be announced if the trace mode is switched on
- you can display information about the exact content of a disk or the
main memory in an info-window. Thus, you can find out where
the virus has already installed itself
Furthermore, VIRLAB will give help depending on the situation as to how
you can remove the virus from the system.
!!! What VIRLAB is NOT:
!!! - VIRLAB is NOT a virus construction kit
!!! - VIRLAB does NOT scan your files for viruses or prevent viral attacks
!!! - VIRLAB does NOT modify your files
!!! - VIRLAB does NOT use any viral code or viral scan strings.
!!! If your scan program reports infections while scanning
!!! VIRLAB files, this probably means that these files are infected
!!! by a real computer virus.
------------------------------------------------------------------------------
For experimentation with VIRLAB, you will need an IBM-compatible
PC with operating systems MS-DOS or PC-DOS, an EGA or VGA graphic
card, a mouse and a color screen.
------------------------------------------------------------------------------
VIRLAB was developed at the Institut fuer Informatik of the Technical
University of Munich (Germany) in the course of general student education.
This software is in the public domain. Program and files can be freely
distributed and used in this configuration. You will find the actual version
on gsradig1.informatik.tu-muenchen.de in the directory pub/VIRLAB.
(NOTA BENE: Copyright for the file VIRLIST.TXT is by McAfee Associates;
we hereby gratefully acknowledge the permission to use this file for VIRLAB).
Distribution of VIRLAB must be free of charge (except for a reasonable fee
for floppy discs etc.)
Karlhorst Klotz
Institut fuer Informatik
TU Muenchen
Orleansstr. 34
8000 Muenchen 40
GERMANY
Tel. +89/48095-115
Fax. +89/48095-203
e-mail: [email protected]
Any comments and suggestions are appreciated.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 225]
******************************************