VIRUS-L Digest   Wednesday,  4 Dec 1991    Volume 4 : Issue 229

Today's Topics:

Administrivia - Seeking volunteers
FORM-virus / documentation (PC)
Re: NIST Naming Proposal
Re: What's special about LAN's? (PC)
Re: Telefonica (PC)
Computer Sounds Like Telephone--Virus? (PC)
F-PROT 2.01 (PC)
Request for help on removing the DIR-II virus (PC)
Re: VIRUS: DIR-II (PC)
Re: Latest version of McAfee Scan?? (PC)
Re: Secure DOS... (was: What the user wants) (PC)
Re: A couple questions (Mac) (Commodore)
New Joshi Variant (PC)
Washburn et al
Re: Michelangelo Virus (PC)
directory update

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 04 Dec 91 09:47:35 -0500
From:    Kenneth R. van Wyk <[email protected]>
Subject: Administrivia - Seeking volunteers

Hi gang,

A few people have suggested to me that we put together an FAQ
(Frequently Asked Questions) list, to be distributed periodically as
well as made available on the archives.  It would also be useful for
sending to people who ask FAQs, in lieu of posting these messages to
the group itself.  This, of course, could help cut traffic on the list
somewhat - at the very least, it should reduce the number of FAQs that
get posted.

So, what I'm looking for is a couple volunteers to help put together
an FAQ list, complete with questions and answers.  I will collate the
Qs and As into one FAQ sheet.  I'd like to see the FAQ be small enough
to post periodically (say, once a month, along with the list of
archive sites).  Any takers?

I'm also (always) interested to hear feedback on how to improve the
group.  I think that an FAQ will do a lot to improve the quality of
the group, and hopefully reduce the quantity a bit, and I can't
imagine anyone objecting to either.  :-)  So, with the new year (and
VIRUS-L Volume 5) approaching, lets get those ideas in, so that we can
start the new year by improving the group.

Cheers,

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
[email protected]  (work)
[email protected]    (home)
(412) 268-7090  (CERT 24 hour hotline)

------------------------------

Date:    Thu, 28 Nov 91 10:24:31 +0000
From:    "Olivier M. Zaech-Liesegang" <[email protected]>
Subject: FORM-virus / documentation (PC)

Hi there,

I recently got a couple of texts on several diskettes. Some of them
were infected by the FORM-virus (VSHIELD, SCAN84, VIRX). Although I was
able to clean them with CLEAN84 I'd like to know what the form virus
can do, how it operates and so on. I took a hexdump of the boot
sector before and after cleaning and saw some differences.
Is there any documentation (short descriptions) available about
the most popular viruses?

Thanks for any help & greetings from the mountains (yes, it's Switzerland).

olivier m. zaech-liesegang

------------------------------

Date:    Thu, 28 Nov 91 16:37:59 +0000
From:    Fridrik Skulason <[email protected]>
Subject: Re: NIST Naming Proposal

In Message 23 Nov 91 07:09:02 GMT, [email protected] writes:

>collection any file with name like RCE-1834 then it is from Soviet Union
>archives.

The problem with this naming scheme is that it may have been usable
when there were only a few viruses, but now that we have broken the
"two new viruses per day" limit, it simply becomes useless - it is helpful
as a primitive description of the functionality of the virus, but unusable
as a real name.

Anyhow - some real progress was made regarding virus naming at the NCSA
conference (which I just returned from)....more about that later..

-frisk

------------------------------

Date:    Thu, 28 Nov 91 16:45:56 +0000
From:    Fridrik Skulason <[email protected]>
Subject: Re: What's special about LAN's? (PC)

In Message 25 Nov 91 04:55:00 GMT,
 [email protected] (TED SHAPIN) writes:

>What if anything is special about virus on a LAN?  Is it simply a
>matter of needing to scan all the network drives when looking for
>possible virus?

I can think of the following significant differences:

  * Boot sector viruses cannot spread over the LAN.

  * If the LAN software is installed properly, it can provide excellent
    virus protection - under Novell Netware one can for example make
    files "Execute-only" - which effectively protects them from all
    file viruses - (well, unless you log in as an infected SUPERVISOR,
    of course).

  * Some scanners and anti-virus products do not operate 100% on all
    LANs.

-frisk

------------------------------

Date:    Thu, 28 Nov 91 16:51:13 +0000
From:    Fridrik Skulason <[email protected]>
Subject: Re: Telefonica (PC)

>Does anyone have experience of this virus, and if so, can they tell me
>how to recover a totally corrupted hard disc.

If the virus has trashed the disk, you probably cannot recover anything -
just repartition, reformat and restore from the latest backup...(You do
keep backups, I hope).

>Also, is there any way of removing this virus safely from a floppy disc?

Try F-PROT 2.01 - I have successfully used it to handle a major outbreak
here in Iceland.

Actually, when people are talking about Spanish Telecom they may refer to
two separate things.  Spanish Telecom is really only a file virus, but it
contains another virus - "Campanja" or "Campana"...which is only a boot
sector virus - and it sounds as if you got hit by that one...

-frisk

------------------------------

Date:    Thu, 28 Nov 91 19:15:29 +0000
From:    [email protected] (Mark A. Holtz)
Subject: Computer Sounds Like Telephone--Virus? (PC)

I am not sure if this is a virus or not, so I'm asking.....

Occasionally, while running an MS-DOS program, my PC will stop for a
second and ring twice, like a telephone. This will occur either in
SHEZ, or when I am executing an MS-DOS 5 command. No other harm, at
least, not yet.

According to McAfee's SCANV84, using SCAN C: turns up no viruses.

This is occurring on both an Everex 386/20 Cache and a clone 386/33
cache. Both have AMI BIOSes and MS-DOS 5.

Maybe someone ought to make a weekly posting of external virus
identification strings for use with McAfee's scan to identify
viruses that pop up since the last scan....
--
A man, trapped in the past, facing   <:> UUCP: PacBell.COM! -> mholtz!sactoh0
mirror images that are not his own... <:>     ucbvax!csusac! /
QUANTUM LEAP! Wednesdays at 10 on NBC <:>
(9p Central/Mountain/Sacramento, CA)  <:> Internet: [email protected]

------------------------------

Date:    Fri, 29 Nov 91 10:20:58 +1100
From:    [email protected] (Paul Carapetis)
Subject: F-PROT 2.01 (PC)

I sent an enquiry to Frisk earlier this month but have not had a reply.  I
know that he is a very busy man so I am sending this post to this group as
I know that he and many very talented and knowledgeable people read it.
Please have patience with me for asking this question, but I think it may
be of interest to more people than just myself.

Background: I work in a software development group that is split into
several sub-groups each being responsible for different pieces or packages
of software.  One sub-group has the need to alter information in the boot
sector of their DOS machines and has written a utility to perform this
alteration.  I am nervous about them utilising such a utility; however, they
have the requirement that it be used.

Utilising F-PROT 1.16, each time they ran the utility, they were presented
with a window informing them of the intended "suspicious" activity of
writing to the boot sector and prompted them to specify whether the program
should be allowed to continue or not.  This window was the result of
running F-LOCK and F-POPUP.

Now we have loaded F-PROT 2.01 and the situation has changed such that the
above utility runs without interruption.

The question: Does F-PROT 2.01 support the detection of suspicious activity
             and, if not, will future versions?

I may have missed something in the documentation, but I don't believe I
have.

Any enlightenment would be greatly appreciated.

Regards,
Paul

| Paul Carapetis, Software Advisor (Unix, DOS, C)|   Phone: 61 3 4200944     |
| Melbourne Development Centre                   |   Fax:   61 3 4200445     |
| Bull HN Information Systems Australia Pty Ltd  |---------------------------|
| Internet: [email protected]                  |    > Cogito Ergo Sum <    |
| #define STD_DISCLAIMER _my_opinion_only        |   "What, the curtains?"   |

------------------------------

Date:    29 Nov 91 20:04:38 -0400
From:    <[email protected]>
Subject: Request for help on removing the DIR-II virus (PC)

The DIR-II virus has been detected on one of our PCs, used for
transferring files around our LAN.  As we have read in your List, in
order to remove this virus completely you must use the DIR2CLR or
DIR2CURE.COM programs.  Can you tell us where we can find any of these
programs, or any other that effectively removes the virus?

                                    Thanks in advance for any information

                                               Giannis Siahos
                                          Computer Engineering Dpt.
                                       University of Patras , Greece
                                    Please reply to  :   siahos@grpatvx1

------------------------------

Date:    30 Nov 91 08:14:17 +0000
From:    [email protected] (Ricky Suave Stella)
Subject: Re: VIRUS: DIR-II (PC)

> I heard & read about the viruses above, (DIGEST-4).
> We tried all kinds of anti-viral software (CLEAN 84, F-PROT, etc.). All of them
> informed me about "my" viruses; NO ONE of them CLEANS this virus.
> Your concept requested as QUICKLY as possible.

If you are talking about the DIR-II... About two weeks ago, in two
micro-labs at Rutgers University, the DIR-II virus infected almost
every PC.  They were discovered as version 84 of McAfee's virus scanner
was installed (Vshield, Scan, Clean and NetScan).

Clean version 84 got rid of the virus on every computer.  Vshield has
detected every infection thereafter (Some users still had floppies
infected).

BTW, the lab I manage was not infected.

Ricardo

------------------------------------------------------------------------------
Ricardo Stella                                  [email protected]
RUCS US - CCF                                   [email protected]
Owl's Roost Manager                             [email protected]
Hill 118 - (908)932-2491                        Rutgers University, NJ
                               ...suave...
------------------------------------------------------------------------------

------------------------------

Date:    Sat, 30 Nov 91 13:41:51 +0000
From:    [email protected] (Helmut Dier)
Subject: Re: Latest version of McAfee Scan?? (PC)

The latest versions are (all available from wsmr-simtel20.army.mil)
SCANV84.ZIP, CLEAN84.ZIP, NETSCN84.ZIP, VSHLD84.ZIP, VCOPY82.ZIP.

>... Is there a program that can check floppies for viruses immediately
> upon placing the floppy in the drive?

VSHIELD does a good job of checking the loaded EXEs and COMs for
viruses while loading them into memory. So if it isn't a boot floppy
you want to use, all files will be checked, because as long as your
machine is clean you can READ from it without coming into danger.

Helmut

------------------------------

Date:    Sun, 01 Dec 91 01:28:51 +0000
From:    [email protected] (Frotz)
Subject: Re: Secure DOS... (was: What the user wants) (PC)

[email protected] (Mark Aitchison, U of Canty; Physics) writes:
]As I see it, it is hard to get users to make the effort unless it is
]either built into the operating system or provides some other
]advantage that is worthwhile (like extra disk space), or preferably
]both. ...
]
]Possibly a new "secure DOS" is it. ...  Possibly a hardware add-on
]that gives security plus something else that is attractive.  Overall,
]the problem is selling the idea to users... not only the idea of any
]security at all, but the concept that it is not (can never be) 100%
]effective (as anyone determined enough, with a big enough
]sledgehammer, can always beat any security system) - yet is worth
]having.

There is a story running around our marketing department about a user
who wanted to return product after the following situation developed.

       He installed DRDOS 6.0 with security over DOS 4.01.

       He then had a problem (lost password), improperly removed
       DRDOS 6.0 without removing security and tried to reinstall
       DOS 4.01 on his hard disk.  Naturally, 4.01 did not recognize
       the partition type and failed to install on his C: drive.

His complaint was that our security shouldn't be so difficult to
break, as it was costing him time and money to get around the problem!

Here is an example of an end-user wanting the security to be
sub-standard!

This emphasizes the need to train end-users in the value (and cost) of
adding security (and/or virus protection).  If you want it, there are
some things that you will have to give up in return.  Either data
accessibility, time, or disk space.
--
Frotz
       "Just do it!"
               -- Nike

------------------------------

Date:    Mon, 02 Dec 91 10:12:31 +0000
From:    [email protected] (Alexis Rosen)
Subject: Re: A couple questions (Mac) (Commodore)

[email protected] (Mark Notarus) writes:

>[email protected] (Alexis Rosen) writes:
>>>I also own a Commodore 128. Strangely, over the 6 years I have had it
>>>I have never once had a single virus in it. Recently a few trojan
>>>horses appeared, but they were easy to spot.

>>>Another reason why my Commodore can't be infected is that it has its
>>>DOS in ROM not in a modifiable DISK which is then loaded into RAM.
>>>Both are loaded into RAM, but on the Commodore, it cannot be changed
>>>with software.

>  this isn't quite true.  The Commie 128 often has its ROM-based OS [etc.]

Damnation. Watch who you're quoting. I did NOT write that- I explained why
inferring Mac behavior from that statement was foolish.

---
Alexis Rosen
Owner/Sysadmin, PANIX Public Access Unix, NYC
[email protected]
{cmcl2,apple}!panix!alexis

------------------------------

Date:    Wed, 27 Nov 91 15:59:01 +0000
From:    "Vaughan.Bell" <[email protected]>
Subject: New Joshi Variant (PC)

A new variant of the Joshi virus has appeared on some machines at
Polytechnic South West Plymouth, which seems to be able to intercept
BIOS calls. When Joshi is in memory and the boot sector is examined
with Defiant System's Virus Hunter package (the 'Non-DOS' sector
editor which uses only BIOS calls) it appears as a normal DOS boot
sector. Also VISCAN (from The Virus Information Service) when using
BIOS calls only, crashes on some machines although it detects the
virus successfully on others. However this has not happened with
previous versions of the virus that have been encountered. Has anyone
else encountered this version of the virus? We have had several new
variants over the past few months and we suspect someone local may be
altering this virus.

If anyone could help with this matter I would be very grateful.

Contact: Vaughan Bell                or:- Vaughan Bell
        Room 112 Babbage Building        162 Dunstone View
        Polytechnic South West           Plymouth
        Drake Circus                     Devon
        Plymouth                         PL9 8QL
or  [email protected]

------------------------------

Date:    Mon, 02 Dec 91 10:27:24 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Washburn et al

       I have tried (obviously unsuccessfully) to stay out of this one
primarily because it is an ethical issue and therefore a personal one.
At one time in my life, time was spent in a warm place where the use of
deadly weapons was not only condoned but encouraged (of course the object
had similar intentions).

       Consequently, I do have a certain amount of sympathy for obviously
talented people who were unlucky enough to have been in the right place
at the wrong time. As I recall, all of Mr. Washburn's viruses were claimed
to be written to demonstrate the fallibility of virus scanners.
ISFAICA this seems to be true and the code was distributed only to
"researchers".

       Prior to October 1989, there was no real stigma associated with
writing a computer virus, and I recall seeing the Scientific American
"Mathematical Games" issue a number of years ago dealing with the subject as
something worth exploring. Of course the DataCrime panic changed that and
since then I have had enough viruses to study that there was no need to
write one. Personally, I find developing integrity management techniques
applicable to all of the myriad systems that abound to be more challenging.

       As far as PCs were concerned, my experience with viruses began
with a series of Brain & Merrit infections at a place I was working at in
1988. Like many others, I wrote a simple discovery/eradication  mechanism,
dismissed them as trivial, and went back to what the company was paying me for.

       My opinion is still that what makes a virus a virus is the least
interesting part. Though I have seen some useful techniques, they had
nothing to do with being a virus - propagation is only difficult if you
are selective about it.

       Consequently, I do not feel it proper for fallible humans to try
to judge another. In fact, while I cannot think of any beneficial use for
a virus, that does not necessarily mean that there will never be one. Certainly
evolving techniques for distributed network authentication begin to sound
suspiciously similar (of course we will find a different name for it -
AI maybe 8*).

       However, when I was a member of the United States Air Force, to be an
officer, there was a requirement that the candidate had to have a college
degree, not because there were not good people without them, but because the
needs of the service, when compared to the pool of applicants, allowed them
to be more selective.

                                                       Padgett

                  <padgett%[email protected]>

"What is a Dove, willing to be the best possible Hawk so that others will
not have to be ?" - anon

Disclaimer: my employer does not necessarily share my opinions, but I am
           working on that.

------------------------------

Date:    28 Nov 91 08:30:58 +0000
From:    @sunic.sunet.se:goran@infovax (Göran Boström)
Subject: Re: Michelangelo Virus (PC)

[email protected] (Scott Bringen) writes:
>I recently discovered that my 386 compatible was infected with the
>Michelangelo virus.

stuff deleted

Here is a sample from an earlier article on this subject:

================================================================
From: [email protected]
Subject: Michelangelo virus info (PC)
Date: 17 Sep 91 04:26:10 GMT

Name:                  Michelangelo virus
Aliases:               none so far!
Family:                Stoned virus
First occurrence:      summer 1991
Place:                 n/a
Type:                  boot sector / partition table virus
Length:                fits well into the code space of the partition table
Operating system:      not of interest, just uses BIOS interrupts
Version:               any
Computer:              PCs and up
Direct detection:      The original partition table or the original boot sector
                       can be found in sector 7 with hard disks, sector 3 with
                       12 bit FAT media, and sector 14 with 16 bit FAT media.
Type of infection:     Upon boot up from an infected floppy the virus will go
                       memory resident and infect the partition table. Any
                       INT13 is intercepted thereafter. Any floppy A: operation
                       will infect the disk in drive A: provided the motor
                       was off. (This cuts excessive infection testing)
Infection trigger:     Bootup from an infected disk will infect a computer.
                       Usage of the floppy A: drive (read, write, or format)
                       can cause an infection of that medium.
Infection targets:     Partition table with hard disks and boot sectors with
                       floppy disks.
Interrupts:            INT 13 and INT 1A
Payload:               Data destruction by overwriting the medium from which
                       the computer was booted. (with hard disks it will
                       overwrite sectors 1..17 on heads 0..3 of all tracks, with
                       floppies sectors 1..9 or 1..14 on both heads and all
                       tracks depending on FAT type)
Payload trigger:       Date equal to the 6th of March of any year, which is
                       Michelangelo's birthday.
Families:              The virus seems to be an enhanced Stoned virus.
Removal:               Boot up from a clean disk and move the original sector
                       to its proper location (sector 1 head 0 track 0).
                       On some systems FAT copy 1 might be damaged, so an
                       additional copying of FAT 2 onto FAT 1 might be
                       necessary.
Analysis:              Christoph Fischer
                       Micro-BIT Virus Center
                       University of Karlsruhe
                       Germany

================================================================
Hope this helps.
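An added example, not part of this digest or of Christoph Fischer's analysis, that turns the "Direct detection" and "Removal" entries above into a check over a hard-disk image: it looks for an intact original MBR in the stash sector and copies it back over sector 0. It assumes the report's "sector 7, head 0, track 0" is LBA 6 in 0-based numbering, uses its own heuristic (same partition table and boot signature in both sectors, different boot code) rather than a real signature, and runs on a constructed 64-sector image; it covers hard disks only and does not do the FAT 2 to FAT 1 repair.

```python
"""Detection and recovery helpers derived from the Michelangelo report above,
for hard-disk images only.  The LBA mapping and the heuristic are this
example's own assumptions, not the analyst's method."""
from typing import Tuple

SECTOR = 512
# "sector 7, head 0, track 0" in 1-based BIOS CHS numbering = LBA 6 (assumption)
SAVED_MBR_LBA = 6
PT_OFFSET, PT_LEN = 0x1BE, 64      # partition table occupies 0x1BE..0x1FD
SIG_OFFSET = 0x1FE                 # 0x55 0xAA boot signature


def sector(img: bytes, lba: int) -> bytes:
    return img[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def partition_table(sec: bytes) -> bytes:
    return sec[PT_OFFSET:PT_OFFSET + PT_LEN]


def looks_like_stoned_family(img: bytes) -> bool:
    """Heuristic, not a signature: a Stoned-family infection leaves the original
    MBR in the stash sector, so both sectors carry a boot signature and the same
    partition table while their boot code differs.  A clean disk normally has
    no bootable-looking sector at the stash location."""
    cur, saved = sector(img, 0), sector(img, SAVED_MBR_LBA)
    if not (has_boot_signature(cur) and has_boot_signature(saved)):
        return False
    if partition_table(cur) != partition_table(saved):
        return False
    return cur[:PT_OFFSET] != saved[:PT_OFFSET]


def restore_original_mbr(img: bytes) -> bytes:
    """The report's removal step: move the saved original sector back to
    sector 1 / head 0 / track 0 (LBA 0).  Works on a copy and refuses to write
    a sector that is not a plausible MBR."""
    saved = sector(img, SAVED_MBR_LBA)
    if not has_boot_signature(saved):
        raise ValueError("stash sector has no boot signature; nothing to restore")
    return saved + img[SECTOR:]


def is_payload_date(month: int, day: int) -> bool:
    """Payload trigger from the report: 6 March of any year."""
    return (month, day) == (3, 6)


def build_constructed_image(infected: bool) -> Tuple[bytes, bytes]:
    """Constructed 64-sector test image, not a real disk or virus: 0x90 bytes
    stand in for the original boot code, 0xEB bytes for the replacement."""
    table = bytes(range(PT_LEN))            # placeholder partition table

    def mbr(code_byte: int) -> bytes:
        return bytes([code_byte]) * PT_OFFSET + table + b"\x55\xAA"

    original = mbr(0x90)
    img = bytearray(SECTOR * 64)
    if infected:
        img[0:SECTOR] = mbr(0xEB)
        img[SECTOR * SAVED_MBR_LBA:SECTOR * (SAVED_MBR_LBA + 1)] = original
    else:
        img[0:SECTOR] = original
    return bytes(img), original


if __name__ == "__main__":
    disk, orig = build_constructed_image(infected=True)
    print("stoned-family pattern:", looks_like_stoned_family(disk))
    print("restored ok:", sector(restore_original_mbr(disk), 0) == orig)
```

On a real image, pass the raw first sectors of the drive read from a clean boot medium; the functions never write to the input.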

------------------------------

Date:    Thu, 28 Nov 91 08:13:00 -0500
From:    [email protected]
Subject: directory update

The following new files are now available for anonymous FTP on our site:

V-FAQ.ZIP       Frequently Asked Questions about PC viruses.  Version 2
                By:  Tapio Keihanen.

ANSIKILL.ZIP    Kill embedded escape sequences which can be included into
                "comment files" in self-extracting .ZIP archives.  Contrary
                to STRIPZIP, the comment file is *not* removed.  Use
                against "ansi bombs".  Shareware.

VIRLAB14.ZIP    Virus simulator from Germany.  This program is a great training
                and teaching tool.  Fetched from RISC.

IMAST101.ZIP    Integrity Master version 1.01a is an easy to use, anti-virus and
                data integrity program.  Uploaded by the author (<ASP> member)
                to a local BBS (sysop being also <ASP> member).  Shareware.


Site address:   urvax.urich.edu, IP# 141.166.1.6
Directory:      [anonymous.msdos.antivirus]  (you will be placed in the
               [anonymous] directory at logon.)
login:          anonymous
password:       <your_e-mail_address>


Regards, Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   [email protected]     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 229]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253