VIRUS-L Digest Tuesday, 17 Dec 1991 Volume 4 : Issue 237
Today's Topics:
Re: Untouchable from Fifth Generation Systems (PC)
Re: Not a virus / Generic Boot virus (PC)
Re: Booting from clean floppy (PC)
Address of the Laboratory of Computer Virology
Re: A good low-cost Macintosh anti-virus... (Mac)
Re: Washburn and Ethics
re: Virex antivirus software (PC)
Where to load virstop on a network (PC)
DOS 5.0 FDISK, UNFORMAT and the wily MBR (PC)
Re: A good low-cost Macintosh anti-virus... (Mac)
Copyrace Trojan (PC)
(virus) Did someone announce? (UNIX)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 16 Dec 91 16:24:00 +0200
>From: Y. Radai <
[email protected]>
Subject: Re: Untouchable from Fifth Generation Systems (PC)
Audrey Grosch writes:
>I recently received an ad for an antivirus program called Untouchable
>from Fifth Generation Systems which I have not heard of or seen
>before. Does anyone have any positive or negative experiences with
>this program. We use FPROT and SCAN here for the most part but I am
>open to using other programs if they are decent for the $$. The price
>of this one is $149 in the ad.
Untouchable consists of three modules. The main one, UT, is an
extension of a program, V-Analyst, which I have been using for several
years. V-Analyst is a generic detection program (modification detec-
tor), which, in my opinion, is the best of its kind, partly because in
addition to checking for modifications, it takes into account several
ways in which a virus can propagate without modifying existing files.
(It's the only program I've heard of which was ready for companion
viruses two years before they appeared, and it's ready for other such
methods too.) UT is essentially V-Analyst augmented to include
*generic disinfection*. That is, UT stores enough information to be
able to restore a file infected by any virus, even an unknown one.
(Of course, that doesn't hold for overwriting viruses, and it's possi-
ble that there are a few non-overwriting viruses on which it won't
work.)
Untouchable comes with two additional modules, UTSCAN and UTRES.
UTSCAN is a known-virus scanner and disinfectant, like McAfee's SCAN +
CLEAN, but it scans twice as fast. It doesn't recognize as many vi-
ruses (although on the test I just performed it found two that SCAN
didn't). UTSCAN is activated automatically by UT to check the disk
for existing infections before the UT database is created and when new
programs are added, but it can also be activated independently.
UTRES is a resident program. Mainly it's a known-virus checker ac-
tivated when a program is about to be executed or when a diskette is
accessed (something like V-Shield, but smaller and faster). However,
it has some generic features as well, such as checking for missing
memory when it is initially loaded.
Untouchable also comes in a network version.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: 16 Dec 91 16:28:00 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Not a virus / Generic Boot virus (PC)
[email protected] (Eric Carlson) writes:
> I also ran into a floppy that SCANv84 said had a GENERIC BOOT SECTOR VIRUS
> I also tried CPAV 1.0, NAV, and F-Prot 2.01. The only thing that said
> anything (other than SCAN) was the ANALYZE function in F-PROT 2.01 and
> it agreed with scan.
Well, then there's a good chance that it's a new boot sector virus...
> I didn't do anything to the disk after that, but I saved a copy of
> the BOOT sector to a file using NORTON 6.01 DISKEDIT. I have that file if
Hmm, this might have been unsufficient... Some boot sector viruses
consist of several parts (usually two). The code in the boot sector
contains just the loader; the rest of the virus (and the original boot
sector) are stored somewhere else on the disk - in the last sector of
the root directory, on an additionally formatted track, in a cluster,
marked (or not) as bad,... When you suspect a boot sector virus, it's
usually better to preserve the whole disk.
> anyone wants it. Just tell me how to transfer it (if that is possible).
Just do as with any binary file - zip & uuencode it. However, NEVER
send unencrypted viruses over the net. Better call an anti-virus
serearcher, who is near you, agree with him (on the phone; voice) on a
password, and then send the encrypted file. The password must NEVER
pass on the net either.
> What should I have done to the disk? It was some sort of spreadsheet
> file disk used in some courses.
I would suggest to use TeleDisk (or something similar) to convert the
disk to a file. TeleDisk has built-in compression, if you transfer the
disk to a file using something less sophisticated (like copying all
the sectors of the disk to a file with Nurton Utilities), you could
zip the resulting file, in order to save space...
In general, when you suspect a boot sector virus, which infects
diskettes, it's a good idea to process like that:
1) Find a diskless (floppy-only) machine. Remove any LAN connections
if any. If you cannot find a diskless machine, you can physically
disconnect the hard disk(s) of a normal computer. (My oppinion is that
it is also safe to use the BIOS setup program, is any, and to indicate
"no hard disk" instead; I'm sure somebody will correct me if I'm
wrong.) Of course, the disconnecting must be done only when the
machine is powered off.
2) Prepare a blank, formatted diskette, with no DOS on it and no files
either. Don't just delete the files from an old diskette; FORMAT it.
3) Insert the diskette on which the suspected boot sector virus
resides and try to boot from it. If the infected diskette contains an
operating system and boots successfully, go to 5), else continue with
the next instruction.
4) Insert the blank formatted diskette and perform a DIR on it. Then
try to write on it (e.g. REM>A:TEST). Go to 6).
5) If the infected diskette does not contain DOS, then you'll see the
message "Insert a system disk and press any key" (the exact wording
may be a bit different). Insert the formatted diskette and press any
key. You'll see the message again.
6) Done. TeleDisk the formatted diskette and save the resulting file.
And, of course, cold-boot the computer. (If you have disconnected the
disk, turn the computer off and re-connect it, or run the BIOS setup
program and indicate the correct disk type.)
The above shceme is not 100 % foolproof (e.g., it won't capture a
virus, which infects only when the boot sector is being written), but
it will work with all of the currently known boot sector viruses.
Hope the above helps.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 16 Dec 91 16:20:18 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Booting from clean floppy (PC)
[email protected] (Mikael Larsson) writes:
> Let me disagree with You. I think if "virus scanner" can realy
> desinfect virus in memory it does not matter from where You booted
> computer, for example it is very easy to stop activity of 4096 just
> replace 3rd call to jmp in virus and it will stop activity, and "virus
Well, he's more or less right, but how do you know whether the scanner
is really able to deactivate the virus? Very often, when the author of
the scanner says that his scanner detects a virus in memory, it means
just that - it detects the virus, does not deactivate it... Would you
prefer to learn this the hard way?
> scanner" can try to scan any file. Of course if "virus scanner" can
> not cure virus in memory it is very dangerous to scan files...
That's the point - it's too dangerous, and you usually have no way to
be sure that the anti-virus program is able to deactivate the virus in
memory...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 16 Dec 91 16:57:24 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Address of the Laboratory of Computer Virology
Hello, everybody!
Several people asked me how to contact the Laboratory of Computer
Virology at the Bulgarian Academy of Sciences, Sofia. After the third
request, I decided to post the coordinates here.
Snail-mail:
Laboratory of Computer Virology
Bulgarian Academy of Sciences
ul. Acad. G. Bontchev, bl. 8, rm. 104
1113, Sofia, Bulgaria
Phone: +359-2-719212
BBS: +359-2-737484 (Virus Busters)
FidoNet: 2:359/110
EUnet:
[email protected]
where user is one of the following:
postmaster - the general account
eugene - the boss
assen - the communications guy
shu \
ivan ) - the programmers
michail /
katrin - public relations
For those who might be confused by the name - this is not a lab for
creating viruses, it is a lab for disassembling/fighting them... :-)
Regards,
Vesselin
P.S. And the "Bontchev" in the address is a street's name and has
nothing to do with me... :-)
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Mon, 16 Dec 91 18:33:41 -0500
>From: metal <CWBLUMRE%
[email protected]>
Subject: Re: A good low-cost Macintosh anti-virus... (Mac)
A friend says that SAM Intercept works well. It's a system extension
(INIT) that checks the hard drive on start up. I t also checks all
floppies when inserted and warns of any found viruses. It asks if you
want to allow a file to be changed and if a resource is made it asks
if you want to allow it to continue. He doesn't know how much it
costs, but it's made by Symtech(sp?) Check in MacWorld for info on
it.
------------------------------
Date: Tue, 17 Dec 91 08:25:38 +0000
>From: Fridrik Skulason <
[email protected]>
Subject: Re: Washburn and Ethics
In Message 10 Dec 91 20:17:02 GMT,
[email protected] writes:
>tolerated. It stands to reason that anyone who knows enough about
>computers to create a virus, does other 'above board' programming.
Eh..I must disagree. Most viruses are probably not written by
programming geniuses, or even by professional programmers - many known
virus authors are just teenagers, doing this "for fun"...
- -frisk
------------------------------
Date: 17 Dec 91 13:14:18 -0500
>From: "Otto.Stolz" <
[email protected]>
Subject: re: Virex antivirus software (PC)
On: Wed, 04 Dec 91 15:39:00 -0500 A. Paul Reynolds <REYNOLAP@SNYBUFVA> said:
> We are beginning to get hit heavily with Stoned, Dark Advenger and
> Alameda.
I've sent you descriptions of the viruses you have reported. Note that
Dark Avenger is a "fast virus", i.e. it spreads while you are reading
program files (e.g. scanning them for infections). You have to
- - either boot from a clean system disk before scanning
- - or use a professional Anti-virus package that scans for known fast
and stealth viruses in memory, before attempting to scan disks and
files.
> I would like to know your impression of VIREX antivirus software.
> Is it good? Is there something better?
I am most satisfied with F-PROT 2.01 from Fridrik Skulasson. This is
one of the best Anti-Virus packages, and certainly the cheapest one.
Additionally, I use F-OSCHK.EXE, part of F-PROT 1.16, to alert of
unknown bootsector viruses (and other system viruses).
Good luck,
Otto Stolz <
[email protected]>
<
[email protected]>
------------------------------
Date: Tue, 17 Dec 91 07:38:00 -0600
>From: Steven Klepzig <
[email protected]>
Subject: Where to load virstop on a network (PC)
Frisk, et al
I received the following message on another list concerning Novell
networks. I haven't experienced the problem described here, I'm
hoping that someone else has some insights. If replies are made to me
I will forward them on to the author of the message or replies can be
made directly to him. I will also forward any replies I see on
VIRUS-L to him. Thanks for your attention.
Steven Klepzig (
[email protected])
****** START OF FORWARDED MESSAGE ******
Date: Tue, 17 Dec 91 00:18:20 AST
>From: "Brian Cassidy" <BPC%
[email protected]>
To: <
[email protected]>
Subject: Re: where to load virstop
[... the discussion has been concerning loading virstop in a remote boot
image file on a Novell network ...]
My boot image is on floppy diskette and I am using DOS 5 (with emm386)
and therefore netx instead of xmsnetx and this may be an important
difference. Anyway, when I put virstop after netx as you suggest,
then during login (while login is executing) the local floppy is
accessed several times as if it were in the DOS path. This does not
happen when virstop is loaded before ipx. When the remote boot image
is built (and the floppy diskette removed), you still get the floppy
drive access (several times), but this access times out (after a few
seconds) and login eventually completes. After login, this problem
disappears. I was wondering if the same happens to you and if you knew
why?
[...]
==============================================
Brian Cassidy, Systems Support Group
University of New Brunswick Computing Services
PO Box 4400, Fredericton, NB, CANADA, E3B 5A3
E-Mail:
[email protected] Telephone:(506)453-4573
****** END OF FORWARDED MESSAGE ******
------------------------------
Date: Tue, 17 Dec 91 10:00:40 -0500
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: DOS 5.0 FDISK, UNFORMAT and the wily MBR (PC)
It seems that I am becoming something of an MBR and BSI specialist -
it di not start out that way, it just kind of happened (or maybe I'm
just lazy - BIOS code is easier to read than DOS).
Today, most published reports show that infections are nearly evenly
divided between file and MBR/BS infections with the great prepoderance
of the "low level" half attacking the MBR.
Interestingly, all but a very few are detectable by the SafeMBR
technique and preventable (unless a cold boot occurs) by NoFBoot
(Freeware technology demonstrators) - but what do you do after an
attack has been mounted ? My FixMBR program was written with this in
mind but if you have MS-DOS 5.0, you already have the necessary tools
to repair the most common infections. Interestingly enough this is
built into three programs, two well documented, and one not-so-well.
In any event some characteristics are common to most MBR & BSI
infections: almost all preserve the proper disk information in the
Partition-table and the Boot Parameter Block (a few confuse things but
in this case, you will probably not be able to boot from a floppy -
viruses that have spread avoid this since this is sumething that
people tend to notice and viruses want to avoid notice.
The three programs are FDISK, UNFORMAT, & SYS - since the use of SYS
for recovering from BR infections is well known I am not going to go
into it other than to say it is even effective with the Music Bug but
you will have to change a single byte afterwards.
The new FDISK is not so well known but is just as effective for the
MBR if the cunningly named /MBR switch is used however you will not
find mention of this by typing FDISK /? or HELP FDISK. Nor could I
find it in the hologram-equipped manual that came with the software
from EggHead but it does seem to work in replacing the MBR code
section while maintaining the Partition-Table.
For Partition-Table problems, the new UNFORMAT program (bundled in
with DOS 5.0 but actually from Central Point Software) can be
effective particularly if you have stored the MIRROR.PTN file offdisk.
However, even if not, it will do its best to recover based on the
BIOS/CMOS information (make sure this is correct first because if
incorrect, it can really confuse a disk). Here the switches are well
documented - to see the current values UNFORMAT /TEST /L /PARTN will
display the current values - the TEST switch prevents UNFORMAT from
changing anything.
Properly used, these included utilities can provide effective generic
recovery tools for (IMHO) half of all current infections without
having to use DEBUG.
Padgett
<padgett%
[email protected]>
"Usual disclaimers apply"
------------------------------
Date: Tue, 17 Dec 91 11:43:17 +0000
>From:
[email protected] (Brian Excarnate)
Subject: Re: A good low-cost Macintosh anti-virus... (Mac)
[email protected] (Frank Doss) writes:
>Can anyone tell me what a GOOD low-cost Macintosh anti-virus package
>would be?
It's not a question of a GOOD low-cost Macintosh anti-virus package,
it's where to get GREAT FREE Macintosh anti-virus packageS. There are
two that I recommend.
Disinfectant (at this time 2.5.1) disinfects known viruses, and can
make an init to protect against the same. Well written, and very
helpful help. A good place to learn about viruses on the Mac.
Available at many fine ftp sites. It originates from ftp.acns.nwu.edu
(129.105.113.52). It doesn't take care of new Mac viruses, though it
has always been updated very quickly. Do all Mac users use this?
They should.
Gatekeeper (at this time 1.2.1) guards the door by watching for virus-
like activity. It has a preset list of programs/etc. that need special
permissions. It is in several parts (read: modular) and reading the
manual will give you a better idea of what is going on. It also has on
line help that is very informative. It is available from many fine ftp
sites. It originates from ix1.cc.utexas.edu (128.83.1.21). It is a
little more complicated to use, but is still easy. It will guard against
even new viruses, but disinfecting isn't it's purpose. Also highly
recommended.
I use both habitually. In a lab (not mine) where hammerheads would
sometimes disable virus protection and allow the Macs to get infected,
putting both back on made it a race to see which would stop the
virus(es) first. The two programs complement each other nicely, and
in a lab situation, I can't imagine not using both.
To be fair, there are some other products out there, SAM (currently
3.n) is the only one I ever hear of regularly. But it's commercial
and I'd trust Disinfectant and Gatekeeper first. Why pay money for
less when the best is free?
> Please respond by E-mail. If anyone wishes, I'll sumarize.
Since this is all but FAQ (Mr. Moderator?), I'll post it as a summary,
and send you a Cc: of it.
Brian
- --
signature: No such file or directory
------------------------------
Date: Tue, 17 Dec 91 00:32:20 +0700
>From:
[email protected] (Morton Swimmer)
Subject: Copyrace Trojan (PC)
Copyrace - Trojan
=================
A trojan, or perhaps I should say a joke program, was sent
out to various firms in and around Hamburg. The sender was
given as Gesellschaft f\"ur Datentechnik, a firm that actually
exists, but at an address and telephone number that is in-
correct, but also exists. (In fact, its a family that has
absolutely nothing to do with the case.)
The program promises to be the copy program that will "make you
forget your old tools" (translation from German). It askes
you to test its "Schnelligkeit - Handhabung - Datensicherheit",
ie its speed, handling and security.
If you like the program, you should send DM 38.00 to a
bank account (plausible looking) in Hamburg.
The program is started with a batch, cp.bat. The rest is
self-descriptive.
What happens is this: cp.bat calls copyrace.com which displays
a message, waits for you to hit a key. The program then claims
to have found only one disk drive and say it will use the hard
disk. It then says it will format the drive c: and asks if this
is ok. Whatever you press, it will then pretend to format the
disk by counting up the heads and cylinders while reseting the
disk (so that the drive light flickers). At some point it will
break off with a "Fatal BIOS-Error: 1701: HEAD CRASH", claim
that air has gotten in the disk and that there is danger of
explosion. A whistling noise acompanies this. Garbage follows,
which can be interrupted by pressing return.
The last message before we're back in DOS is to the effect
that we've had rotten luck.
The disk was directly addressed to my contact in the firm. We
tried to identify the mailing list the address could possibly
come from, but as of yet, no luck. As no damage is done, I dont
expect legal action from any of the other recipients. I informed
the computer fraud department of the Landeskriminalamt (the local
police), but they wont act independently. There are some indicators
as to where the the trojan was written, but they are not certain.
As the trojan is harmless, at least in its function, it will
not cause too much stir. At the moment I cant tell how many people
received a copy, but it cant be too many judging by the way it was
sent. I hate to think of how some of the recipients reacted to
the program, though.
Cheers, Morton
PS: If anyone else has seen this trojan, please let me know.
.............................................................................
morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
internet:
[email protected] or
[email protected].
.............to leave only footprints, and take only memories................
------------------------------
Date: Tue, 17 Dec 91 19:20:55 +0000
>From:
[email protected] (Ace Stewart)
Subject: (virus) Did someone announce? (UNIX)
Before heading to a conference two weeks ago, a colleague of mine
thought he saw an announcemnt about a UNIX virus that showed up at
U.Cal Berkeley. I understand that this was the only place it showd up.
I am trying to find that information, since I mentioned it at the
conference.
The source was unclear, and I am annoyed at myself for mentioning
it having not seen the original information. Did anyone see this?
Ok folks -- no panick-ing :)
John Stewart
Senior UNIX/VMS Consultant
Academic Computing Services
Syracuse University
(315) 443-3995
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 237]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
