VIRUS-L Digest   Tuesday, 17 Dec 1991    Volume 4 : Issue 236

Today's Topics:

Re: "Bloomington" Virus (PC)
Re: Booting from clean floppy (PC)
Password program (PC)
IDE dead sector viruses (was: potentially cute idea (PC))
Re: Booting from a clean floppy (PC)
DIR-2 vs CLEANv84 (PC)
Virus source in BBS's (PC)
Re: password program (PC)
Identifying a BSI virus (was Re: Generic boot sector virus (PC))
Untouchable From Fifth Generation Systems (PC)
Source code on Fidonet (PC)
Re: Low-cost Macintosh anti-virus software (Mac)
Mac virus?: system crash (HELP!) (Mac)
Hardware damage

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 12 Dec 91 16:39:31 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Re: "Bloomington" Virus (PC)

>From:    [email protected] (David K. Lannigan)

>Having just purchased Norton Anti-Virus, we discovered a strain of the
>"Bloomington" virus on a floppy we have.  The strange thing is that we
>can't find it on any hard drives we have, just a floppy that we copied
>some files onto.

"Bloomington" is another name for the "NOINT", a "stealthy" MBR and
boot sector infector. Not a very nice virus, if you ask for the
partition table you are likely to get garbage. If DOS gets garbage,
bye,bye disk.

CHKDSK will report 2k less "total bytes memory" (640k usually reports
655360 - 653 or less is a danger sign).

                                               Padgett
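
Padgett's CHKDSK check, turned into a small parser as an added example (it is not from the post and not Padgett's code): it reads the "total bytes memory" line from CHKDSK output and reports how far below 640K (655360 bytes) the figure is. The two sample reports are constructed; the 1K threshold and the function names are this example's own choices.

```python
"""Flag CHKDSK reports whose "total bytes memory" figure falls short of the
expected 640K. Added example; sample CHKDSK output below is constructed."""
import re

EXPECTED_CONVENTIONAL = 640 * 1024  # 655360 bytes on a 640K machine

# Constructed sample output: one clean machine, one showing the 2K shortfall
# (655360 - 2048 = 653312) that a resident MBR infector like NOINT produces.
CLEAN_REPORT = """\
Volume DOS_C       created 01-01-1991 12:00p
  33419264 bytes total disk space
    655360 total bytes memory
    592112 bytes free
"""
SUSPECT_REPORT = """\
Volume DOS_C       created 01-01-1991 12:00p
  33419264 bytes total disk space
    653312 total bytes memory
    590064 bytes free
"""

# Accepts both "655360" (DOS 5 style) and "655,360" (later DOS versions).
_MEM_RE = re.compile(r"^\s*([\d,]+)\s+total bytes memory\s*$", re.MULTILINE)


def total_bytes_memory(report: str):
    """Return the reported conventional memory in bytes, or None if the
    report has no 'total bytes memory' line."""
    m = _MEM_RE.search(report)
    if not m:
        return None
    return int(m.group(1).replace(",", ""))


def memory_deficit(report: str, expected: int = EXPECTED_CONVENTIONAL):
    """Bytes of conventional memory missing relative to the expected total
    (None when the report carries no memory line)."""
    reported = total_bytes_memory(report)
    if reported is None:
        return None
    return expected - reported


def assess(report: str, expected: int = EXPECTED_CONVENTIONAL,
           threshold: int = 1024) -> str:
    """'ok', 'suspicious' (at least `threshold` bytes missing, i.e. the
    653,xxx-or-less danger sign), or 'unknown' when nothing was parsed."""
    deficit = memory_deficit(report, expected)
    if deficit is None:
        return "unknown"
    return "suspicious" if deficit >= threshold else "ok"


if __name__ == "__main__":
    for name, rep in (("clean", CLEAN_REPORT), ("suspect", SUSPECT_REPORT)):
        print(f"{name}: {total_bytes_memory(rep)} bytes, "
              f"deficit {memory_deficit(rep)} -> {assess(rep)}")
```

A shortfall of conventional memory is a general sign of a resident boot-sector infector, not proof of one: some BIOSes reserve 1K at the top of conventional memory for their own data area, so treat the figure as a prompt to inspect the MBR after a clean-floppy boot rather than as a verdict.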

------------------------------

Date:    Thu, 12 Dec 91 16:38:16 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Re: Booting from clean floppy (PC)

Victor Smith writes:

>Hello
>Let me disagree with You. I think if "virus scanner" can really
>disinfect virus in memory it does not matter from where You booted
>computer, for example it is very easy to stop activity of 4096 just
>replace 3rd call to jmp in virus and it will stop activity, and "virus
>scanner" can try to scan any file. Of course if "virus scanner" can
>not cure virus in memory it is very dangerous to scan files...

Further on:

>Hello Aryeh,
>Only one thing You forgot, for example my computer has very interesting key -
>"Reset" :-).
>I mean that usually people reboot computer by pressing this key or switching
>power on, of course I agree that it is very useful feature, but sometimes it
>does not work.

On the dirt tracks of North Carolina where I learned "offensive
driving" there was a saying for this kind of attitude: "More guts than
brains".
                                                       Padgett

------------------------------

Date:    12 Dec 91 16:50:00 -0600
From:    "351SMWDOV" <[email protected]>
Subject: Password program (PC)

This letter is in response to S. D. Law's article on the same subject:
In the June 91 Computer Shopper is an article on virus-detection
programs on page 352.  In it is a review of a program called Virus
Prevention Plus by PC Guardian.  Included in the program is a security
feature that makes the computer unusable unless a password is
entered.  The computer will even bypass a bootable floppy if present
and require the password to be entered.  The article stated that an
emergency access route was built in, but provided no details.  The
author of the article is Steven J. Vaughan-Mills, and can be reached
on MCI Mail as sjvn.

Mike Taylor
351smwdov

------------------------------

Date:    Fri, 13 Dec 91 12:48:16 +0000
From:    [email protected] (Helge Oldach)
Subject: IDE dead sector viruses (was: potentially cute idea (PC))

[email protected] (*Hobbit*) writes:
               ^^^^^^^^
..whatever your real name is...

| Do enough partition table viruses hide stuff in the "dead" sectors
| around the rest of cyl/head 0/0 to make the following hack worthwhile:
| Low-level format your HD such that the first sector of 0/0 is good and
| the rest are flagged bad.
| [...]
| Of course, it probably wouldn't work on IDE drives, but then again...

This is actually a very bad idea for IDE hard disk drives. Since these
drives have an on-drive controller specialized for controlling that
particular drive, it usually also has the ability to fumble with odd
drive geometry. For example, manufacturers may place more sectors in the
outer region of the surface than in the inner region while the drive
geometry seen externally (i.e. for software) appears straightforward
with a fixed number of sectors per track. As a result:

One should never, repeat: NEVER, low-level format an IDE drive!

Incidentally, a friend of mine has just got a virus on one of the "dead"
sectors and no virus scanner available to delete this virus. :-(
Does anybody in Netland know a virus scanner that handles these odd
viruses and repairs IDE drives?
--
[email protected]   [email protected]

------------------------------

Date:    Fri, 13 Dec 91 14:55:00 +0000
From:    Nick Hilliard <[email protected]>
Subject: Re: Booting from a clean floppy (PC)

In Virus-l, 12-DEC-91, Victor Smith writes:

>  > The first ability is the reason it is recommended to boot from a "clean"
>  > floppy before you run a virus scanner.
>
>Hello
>Let me disagree with You. I think if "virus scanner" can really
>disinfect virus in memory it does not matter from where You booted
>computer, for example it is very easy to stop activity of 4096 just
>replace 3rd call to jmp in virus and it will stop activity, and "virus

Writing virus scanners which have to cope with the problem of
already-resident viri is an unnecessary complication. It could be
done, of course, but it just means more work for the programmers,
*and* it would not be fail-safe. Remember just how many viri there
actually _are_ out there [no comments about names and classification,
please ;-)]. Writing the code to disable each one of them, restore all
the interrupts they hook, reclaim memory, etc. is superfluous when all
you have to do is stick in a clean floppy, and press the reset
button....

>scanner" can try to scan any file. Of course if "virus scanner" can
>not cure virus in memory it is very dangerous to scan files...

If you boot off a clean floppy, you avoid all these problems.

>BTW what should users who have no floppy drives do? :-)

All PCs with hard drives have floppy drives, and if they don't, they should.

**************************************************************************
* Nick Hilliard                    * If you pick up a starving dog and   *
* e-mail: [email protected] * make him prosperous, he will not    *
* s-mail: Too slow, don't bother.  * bite you. This is the principal     *
*                                  * difference between a dog and a man  *
* Standard disclaimers apply....   *                 -- Mark Twain       *
**************************************************************************

------------------------------

Date:    Thu, 12 Dec 91 18:41:55 +0700
From:    Cezar Cichocki <[email protected]>
Subject: DIR-2 vs CLEANv84 (PC)

Hi!

My computer caught a DIR-2 virus, and I tried to clean it with McAfee's
CLEAN v84. And what did I see?
1) SCAN and CLEAN ignore the last sectors on the disk, so the virus lives
  there undisturbed.
2) CLEAN cannot clean DIR-2; it can only DESTROY (erase) all
  infected files.
So, when I scan an empty disk with the DIR-2 virus, SCAN tells me
that all is right. When I have the virus in the system, CLEAN erases all
my .exe and .com files and DOES NOT CLEAN MY DISK.
It is a rather abnormal situation, isn't it?
The virus was cleaned with DIR2CURE.COM by Marek Sell.
Cezar Cichocki
Dep. of Psychology
Warsaw University
  Poland

------------------------------

Date:    Fri, 13 Dec 91 16:08:58 +0700
From:    [email protected]
Subject: Virus source in BBS's (PC)

Vesselin Bontchev in Virus-l 4/231 writes about DIR-2:

>Unfortunately, just minutes ago I got a report that somebody has
>posted the SOURCE (!) of the virus (not a disassembly, the original
>source) on a public FidoNet conference, which is distributed around
>the world...

The same person (alias: Ahmed Dogan) at the same time posted source
code of the following viruses:

DIR-2, The Diamond Virus, Darth Vader, MG 3 and Anti-Pascal version AP-400.

The source of the last one is a really good disassembly prepared by
Vesselin Bontchev in July 1990. It contains a copyright note and the remark:

"This listing is only to be made available to virus researchers
or software writers on a need-to-know basis."

I do not claim that Vesselin has made his disassembly available to
persons like "Ahmed Dogan" or Todor Todorov. It is just an example
that the distribution of virus source among even the most "trusted
researchers" is never safe. Maybe some day I will see in some public
forum my own disassembly.

The problem is more general: how to organize safe and effective
cooperation between different anti-virus centers? How to decide which
anti-virus center is a real, responsible anti-virus laboratory,
especially in countries whose authorities do not care about the
problem, where victims of Anti-Telephonica or Disk Killer are talking
about practical jokes instead of crimes? Poland is not a bad example of
such a country.

Andrzej Kadlof <[email protected]>
Department of Mathematics, University of Warsaw, Poland
Editor-in-chief of PCvirus Bulletin

------------------------------

Date:    Sun, 15 Dec 91 18:14:58 +0000
From:    [email protected] (Daniel Linder)
Subject: Re: password program (PC)

In comp.virus, someone writes:
>We have recently found on our public pc's some sort of password
>program that I think has somehow been put into the cmos.  It seems to
>be a "commercial type product" that has been put on for fun.  Does
>anyone know of this and obviously more importantly, how do I get into
>the pc to get it off.  Booting from floppy does not work as cmos is
>run before this.

 If you have an IBM PS/2 line, then some user might have set the
hardware password.  If this is the case, all you need to do is open
the case, and look for a small jumper (I believe in the back).  Just
move this to the "reset password" position, and the machine should
boot up like normal.  I think that if you leave this jumper in this
position, the machine will automatically reset the password each time
it is powered up, so no password will be able to be set.

 If this is a clone motherboard, I believe you can reset the CMOS
back to the factory defaults by holding down the [INSERT] key while
turning the system on.  (I think it's the insert key, may be the
[DELETE] key...)

 Hope this helps!!

 Dan
 [email protected]

--
| Dan Linder - Comp. Eng. - Junior      | Ensign Ro: "Who are you?"
| [email protected]                   | Guinan: "I told you; I am Guinan,
| University of Nebraska - Lincoln      |  I tend bar, and I listen."
| Disclaimer: My university does not listen to me, why would I speak for them?

------------------------------

Date:    Mon, 16 Dec 91 12:35:00 +1300
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Identifying a BSI virus (was Re: Generic boot sector virus (PC))

[email protected] (Eric Carlson) writes:
> I also ran into a floppy that SCANv84 said had a GENERIC BOOT SECTOR VIRUS
> I also tried CPAV 1.0, NAV, and F-Prot 2.01. The only thing that said
> anything (other than SCAN) was the ANALYZE function in F-PROT 2.01 and
> it agreed with scan.
>
> I didn't do anything to the disk after that, but I saved a copy of
> the BOOT sector to a file using NORTON 6.01 DISKEDIT. I have that file if
> anyone wants it. Just tell me how to transfer it (if that is possible).
>
> What should I have done to the disk? It was some sort of spreadsheet
> file disk used in some courses.

Good question. I have two programs, BOOTID and CHECKOUT, both free
(BOOTID source is also free), designed specifically for such cases,
i.e. someone has a suspicious boot sector and wants identification of
it without the risk of broadcasting the entire boot sector in any way
that could result in "the wrong people" reconstituting a live virus.

Both programs are available via anonymous ftp from:
cantva.canterbury.ac.nz [IP address: 132.181.30.3] in the pc
directory, or newton.phys.canterbury.ac.nz [132.181.40.1] in the
pub/local directory.  The BOOTID program generates a relatively short
"ID number" for the boot sector, which people with a collection of
viruses, plus the program, can use to identify the virus, or to at
least get an idea of what general type of boot sector it is (in the
case of new viruses or valid-but-strange boot sectors). I'm still
interested in comments on the program, by the way, and almost have
enough to make it worth writing a new version. (At that stage I'd be
happy to see the program on many ftp sites).

CHECKOUT can do everything that BOOTID can, plus has the ability to
give quite a bit of information about the boot sector, including a
description (giving reasons why it thinks the boot sector is good or
bad). But, like any heuristic, be careful not to assign too much
significance to its conclusions. The part that does a reverse-assemble
and tries to work out register contents at the time of interrupt calls
is downright buggy - I include it in CHECKOUT at the moment only
because it is of some help as it stands, so long as people understand
enough to ignore some of what this part of the program says! Checkout
also can look up a database of "known" hashcodes, and give the
conventional name for a virus, or at least the closest virus in the
database... but (again) that bit in the version that's publicly
released needs improving.

In case you missed my earlier postings on the subject, the "boot id's"
created are of a form where the first part tries to assign a unique
number to the basic contents of the diskette's boot sector, ignoring
changes in size & serial number but otherwise sensitive to the
slightest version/generation change; the last part of the code tries
to identify what the boot sector is doing - indicating family
relationships, etc. It is possible to get an idea of what the boot
sector is up to simply by looking carefully at the code (or applying
CHECKOUT to the code produced by BOOTID on somebody else's machine).

It is possible to create a boot sector which isn't a virus but still
gets reported by CHECKOUT as "probably a virus", although it would
definitely be strange and contrived. Some valid, non-bootable,
diskettes do get a "seems strange" warning, especially those that
deliberately try to look like infected diskettes to avoid viruses
infecting them.  It is possible, but difficult, to make a virus that
CHECKOUT thinks is normal.  It is also possible, but very, very
difficult, to make such a virus get the same identification code as
some known, genuine DOS diskette. And even if someone does waste their
time doing that, such viruses can still be caught by true virus
detectors (in fact, something required to get around one test would
make the virus even easier to spot by at least one type of virus
detector, so I don't mind making the source of BOOTID free to everyone
- but I don't want to say any more on why any virus specially written
to fool the program would be easy to spot by some methods!)

The aim of H(ash)codes is to assign names to boot sectors (viruses and
good ones) for which no other knowledge is required. Many present
names are based on somebody's idea of a good name, e.g. where it was
discovered, or a word from a message that one version produces. With
my program, you get a name for a BSI virus given only the diskette and
the program, and people on the other side of the world can arrive at
the same name for the same virus. The only problem is that some
mutating viruses can get lots of different names, which is a nuisance,
but then the "family" part of the identification is helpful. That's
one of the areas I'd like comments on - whether to increase the
"family" part of the code.

If anyone wants to chat about the technique, or the extension of the
code to non-BSI viruses (which is possible, but a lot of work), feel
free to e-mail me.  Certainly I am happy for others to include the
naming scheme in their software, so long as they ask first (in case
there's a better version to include).

Mark Aitchison, Physics, University of Canterbury, New Zealand.
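
The hashing idea Mark describes above, as an added example that is not part of the post and is not the BOOTID program itself: a SHA-256 over the 512-byte sector with the size-related BPB fields and the volume serial masked out, so that the same bootstrap code on a 720K and a 1.44M diskette yields the same ID while a one-byte change to the code yields a different one, plus a few coarse flags standing in for the "family" part. The field offsets follow the standard DOS BPB/EBPB layout; which fields to mask, which flags to compute, the function names and the sample sectors are this example's own assumptions. Only the ID needs to leave the machine, not the sector.

```python
"""Content ID for a DOS floppy boot sector that ignores size and serial
fields. Added example in the spirit of BOOTID; masking choices and the
'type' flags are this example's own, not BOOTID's algorithm."""
import hashlib
import struct

SECTOR_SIZE = 512

# BPB/EBPB byte ranges that legitimately differ between diskettes of
# different size or serial number; zeroed before hashing.
MASKED_FIELDS = [
    (0x13, 0x15),  # total sectors (16-bit)
    (0x15, 0x16),  # media descriptor byte
    (0x16, 0x18),  # sectors per FAT
    (0x18, 0x1A),  # sectors per track
    (0x1A, 0x1C),  # number of heads
    (0x20, 0x24),  # total sectors (32-bit)
    (0x27, 0x2B),  # volume serial number
    (0x2B, 0x36),  # volume label
]


def content_id(sector: bytes) -> str:
    """Hash of the sector with the masked fields zeroed; sensitive to any
    other byte, so each virus version/generation gets its own value."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    buf = bytearray(sector)
    for start, end in MASKED_FIELDS:
        buf[start:end] = b"\x00" * (end - start)
    return hashlib.sha256(bytes(buf)).hexdigest()[:16]


def type_flags(sector: bytes) -> str:
    """Coarse description of what the sector looks like (stand-in for the
    'family' part): S=55AA signature, J=starts with a jump, B=sane BPB,
    D=calls BIOS disk services (INT 13h), O=calls DOS INT 21h, which real
    bootstrap code has no business doing."""
    code = sector[0x3E:0x1FE]
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    spc = sector[0x0D]
    sane_bpb = bytes_per_sector in (512, 1024, 2048, 4096) and spc and (spc & (spc - 1)) == 0
    return "".join([
        "S" if sector[0x1FE:0x200] == b"\x55\xAA" else "-",
        "J" if sector[0] in (0xEB, 0xE9) else "-",
        "B" if sane_bpb else "-",
        "D" if b"\xCD\x13" in code else "-",
        "O" if b"\xCD\x21" in code else "-",
    ])


def boot_id(sector: bytes) -> str:
    return f"{content_id(sector)}-{type_flags(sector)}"


# Constructed, harmless bootstrap prologue: CLI; XOR AX,AX; MOV SS,AX;
# MOV SP,7C00h; STI; MOV AX,0201h; INT 13h; JMP $
BOOTSTRAP_CODE = bytes.fromhex("FA33C08ED0BC007CFBB80102CD13EBFE")


def make_sector(total_sectors: int, serial: int, code: bytes = BOOTSTRAP_CODE) -> bytes:
    """Constructed FAT12 floppy boot sector with the given size and serial."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                 # JMP SHORT 0x3E; NOP
    sec[3:11] = b"EXAMPLE "                     # OEM name
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors, media, sectors/FAT, sectors/track, heads, hidden, large total
    struct.pack_into("<HBHBHHBHHHII", sec, 0x0B,
                     512, 1, 1, 2, 224, total_sectors, 0xF0, 9, 18, 2, 0, 0)
    sec[0x24] = 0x00                            # BIOS drive number
    sec[0x26] = 0x29                            # extended boot signature
    struct.pack_into("<I", sec, 0x27, serial)   # volume serial number
    sec[0x2B:0x36] = b"NO NAME    "
    sec[0x36:0x3E] = b"FAT12   "
    sec[0x3E:0x3E + len(code)] = code
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    big = make_sector(2880, 0x12345678)            # 1.44M diskette
    small = make_sector(1440, 0x9ABCDEF0)          # 720K diskette, same code
    variant = make_sector(2880, 0x12345678, BOOTSTRAP_CODE[:-2] + b"\xCD\x18")
    for name, s in (("1.44M", big), ("720K", small), ("variant", variant)):
        print(f"{name:8s} {boot_id(s)}")
```

Two diskettes carrying the same bootstrap code report the same ID regardless of capacity or serial, while the variant whose final two code bytes differ gets a new one; the flags part stays "SJBD-" for all three, which is the kind of coarse family information that survives small mutations.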

------------------------------

Date:    Sun, 15 Dec 91 13:10:14 -0800
From:    [email protected] (Rob Slade)
Subject: Untouchable From Fifth Generation Systems (PC)

[email protected] writes:

> I recently received an ad for an antivirus program called Untouchable
> from Fifth Generation Systems which I have not heard of or seen

My understanding is that this is a repackaging of V-Analyst, by B.R.M. of
Israel.  Fifth Generation has promised me a copy for review, so I should
have something to post here .. say, before 1994?  :-)

(My apologies to those companies which have sent product and still not
seen reviews.  An in-laws 50th anniversary plays hob with your work
schedule ...)

=============
Vancouver        [email protected]   | "Metabolically
Institute for    [email protected] |  challenged"
Research into    CyberStore               |
User              (Datapac 3020 8530 1030)| politically correct
Security         Canada V7K 2G6           | term for "dead"

------------------------------

Date:    Sun, 15 Dec 91 13:29:16 -0800
From:    [email protected] (Rob Slade)
Subject: Source code on Fidonet (PC)

Vesselin has noted the publishing, on the unmoderated "VIRUS" echo on
Fidonet (not to be confused with the moderated "VIRUS_INFO" and
"*WARNINGS*" echoes), of source code for five previously known viri.

Although this is a blow, thanks to Tim Martin I have been able to test
all five against SCAN 85, VIRx 1.8 (by the way, Ross, where/when is
1.9?), FPROT 2.01 and TBSCAN 2.8 with the VS911009 signatures.  All
programs will identify the viral code produced, with the exception of
TBSCAN, which does not identify the DIR-II/Creeping Death code.

=============
Vancouver        [email protected]   | "Metabolically
Institute for    [email protected] |  challenged"
Research into    CyberStore               |
User              (Datapac 3020 8530 1030)| politically correct
Security         Canada V7K 2G6           | term for "dead"

------------------------------

Date:    Fri, 13 Dec 91 17:57:03 +0000
From:    [email protected] (Frank Doss)
Subject: Re: Low-cost Macintosh anti-virus software (Mac)

I would like to thank every one who answered my request for Mac anti-virus
software.

Here is my summary of responses:

Disinfectant seems to be the most popular package, followed by
GateKeeper.  Of the commercial packages, only SAM (Symantec's
Anti-virus for Macs) was mentioned.

Thanks, again.

Frank E. Doss                                   Academic Computing
[email protected]                                   Eastern Illinois University

------------------------------

Date:    Sat, 14 Dec 91 15:18:00 -0500
From:    [email protected]
Subject: Mac virus?: system crash (HELP!) (Mac)

Does anyone have any information about a Mac virus that causes
programs to frequently "unexpectedly quit due to error type 1"

It happens under both system 7 & system 6, on various machines.

If this is a virus, is there a utility to get rid of it? (I have
already run Disinfectant 2.5.1)

Christopher Manly
[email protected]
[email protected]

------------------------------

Date:    Sun, 15 Dec 91 13:35:56 -0800
From:    [email protected] (Rob Slade)
Subject: Hardware damage

DEFMTH2.CVP   911215

                       Hardware damage

The myth of viral programs damaging hardware seems to be one of
the more enduring.  *No viral program yet found has been
designed to damage hardware, and THERE HAS NEVER BEEN ANY
CONFIRMED CASE OF A VIRAL PROGRAM DIRECTLY CAUSING PHYSICAL
DAMAGE TO COMPUTER HARDWARE.*  Is that plain enough?

It *is* possible for certain pieces of hardware to be damaged by
software or programming.  To the best knowledge of the
international virus research community, no such programming
(with the exception of low level formatting, see below) has ever
been found on an existing virus "in the wild."

Monitors - certain older types of monitors (notably early IBM
mono graphics adapters) could be made to "freeze" the sweep of
the electron beam, and thus "burn in" a section of the screen
phosphors.  No one has ever burned a hole in a monitor, nor have
they ever caused one to overheat and "blow up" with software.

Power supplies - cannot be addressed by software.  No one has
ever "melted down" a power supply with software.

Printers - as with any physical device can be damaged by getting
them to do any one thing for too long.  This, of course, depends
upon the machine running unattended for a long time.

Drives - some drives can be damaged by "pushing" the heads
beyond normal limits.  On others, this is a good way to find
more disk space.  Certain drives can be damaged by having the
heads "seek" back and forth at a resonant frequency.  (Usually
older drives, for mainframes, are more susceptible to this.
There is also a story, likely apocryphal, that one computer
company set up a "portable" computer, including banks of disk
drives, in a semi-trailer for demos.  The first time the truck
took a turn with all the drives running, it flipped over due to
the enormous stored angular momentum of the spinning platters.)

IDE controllers and drives do not allow for the normal calls to
low level format the drive.  If such a call is made, the results
are uncertain.  The drive will not be formatted, but it will not
be left in a usable state.  IDE drive manufacturers have not, in
the past, shipped programs for low level formatting, and so a
call for a low level format on an IDE drive has been, to the
normal user, no different than hardware damage.  As this has
become known in the user community, more IDE manufacturers have
been shipping the formatting programs.

Hardware damage by software is possible, but extremely rare.

copyright Robert M. Slade, 1991   DEFMTH2.CVP   911215


=============
Vancouver        [email protected]   | "Metabolically
Institute for    [email protected] |  challenged"
Research into    CyberStore               |
User              (Datapac 3020 8530 1030)| politically correct
Security         Canada V7K 2G6           | term for "dead"

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 236]
******************************************
