VIRUS-L Digest Monday, 4 Mar 1991 Volume 4 : Issue 35
Today's Topics:
Boot Sectors and Viruses (e.g. STONED) (PC)
New Scan, High-memory, researchers (PC)
SCORES and Mac virus lethality (Mac)
Windows antivirals (PC)
Scan 75 new features (PC)
New files on MIBSRV (PC)
Re: Norton rebuttal (PC)
Re: Windows v3.0 / F-Prot (PC)
Virus BBS
Re: File reduction virus? (PC)
Can [Stoned] remain in hard-drive?
Low-level signature checking protection
re: unknown virus--help (pc)
The new version of the Stoned Virus (PC)
Reviews and Norton Antivirus (PC)
computer virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Tue, 26 Feb 91 12:42:01 -0500
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Boot Sectors and Viruses (e.g. STONED) (PC)
More and more we are seeing reports of institutions being hit
by the STONED and other BSI viruses. Unless there is a trojan
involved, the only way for a machine to become infected by one of
these is by booting from a floppy.
What amazes me is that boot records contain no integrity
checking whatsoever (this includes the DOS 5.00 beta we are testing)
particularly since the code would take only a few bytes.
Following with the DISKSECURE experiment, I wrote a Boot
Record program that just replaces the executable on a non-booting disk
with such a check procedure. If all goes well, it tells you. If the
disk has become infected, it also tells you, not what has infected the
disk, but that something has.
In the future, I expect large organizations to remove FORMAT
and SYS from most machines and either use a central formatting
facility or purchase preformatted disks. Putting a new boot record on
a disk takes 2-3 seconds.
Since the difficulty of putting such checks into disks approaches zero,
my feeling is that use of such disks should be one of the layers of
protection for the "safe" PC model.
Padgett
Would you trust ANY computer in Kuwait today ?
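A sealed-boot-record check of the kind Padgett describes, as an added example in Python (not his DISKSECURE or boot-record code): the sector carries a 16-bit check word in two assumed-spare bytes at offset 508, sealed so the word sum over the whole sector is zero, and verification reports only that the record changed, not what changed it. The sample sector and the altered copy are constructed here; the "code" areas are filler, not real boot code.

```python
import struct

SECTOR_SIZE = 512
SIG_OFFSET = 510       # boot signature bytes 0x55 0xAA live here
CHECK_OFFSET = 508     # assumed spare pair just before the signature holds the check word
BOOT_SIGNATURE = 0xAA55


def make_sample_sector() -> bytes:
    """Constructed stand-in for a DOS boot sector; the 'code' is filler, not real boot code."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"       # JMP SHORT + NOP, how DOS boot sectors begin
    sec[3:11] = b"SAMPLE  "          # 8-byte OEM name field
    sec[62:200] = b"\x90" * 138      # filler where the bootstrap code would sit
    struct.pack_into("<H", sec, SIG_OFFSET, BOOT_SIGNATURE)
    return bytes(sec)


def checksum16(data: bytes) -> int:
    """16-bit additive checksum over little-endian words: cheap enough for a few bytes of boot code."""
    total = 0
    for lo, hi in zip(data[0::2], data[1::2]):
        total = (total + lo + (hi << 8)) & 0xFFFF
    return total


def seal_sector(sector: bytes) -> bytes:
    """Store a check word so that checksum16() over the whole sector comes out to zero."""
    sec = bytearray(sector)
    sec[CHECK_OFFSET:CHECK_OFFSET + 2] = b"\x00\x00"
    struct.pack_into("<H", sec, CHECK_OFFSET, (-checksum16(sec)) & 0xFFFF)
    return bytes(sec)


def verify_sector(sector: bytes) -> tuple:
    """Return (ok, message). Like Padgett's check it says only THAT the record changed."""
    if len(sector) != SECTOR_SIZE:
        return False, "wrong sector length %d" % len(sector)
    (sig,) = struct.unpack_from("<H", sector, SIG_OFFSET)
    if sig != BOOT_SIGNATURE:
        return False, "boot signature missing or overwritten"
    if checksum16(sector) != 0:
        return False, "boot record changed since it was sealed: something has rewritten it"
    return True, "boot record intact"


def simulate_rewrite(sector: bytes) -> bytes:
    """Constructed change standing in for a boot sector infector: part of the code
    area is replaced while the 0x55AA signature is left in place."""
    sec = bytearray(sector)
    sec[62:70] = b"CHANGED!"
    return bytes(sec)


if __name__ == "__main__":
    clean = seal_sector(make_sample_sector())
    print(verify_sector(clean))
    print(verify_sector(simulate_rewrite(clean)))
```

A whole-sector replacement fails the check because the word goes with it, but anything that recomputes the word would pass; a baseline hash kept off the disk is the stronger form of the same idea.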
------------------------------
Date: 28 Feb 91 23:20:31 +0000
From: [email protected] (Morgan Schweers)
Subject: New Scan, High-memory, researchers (PC)
Introductory Note: The opinions stated here are mine, as a programmer
working in the field of anti-viral software. They
do not in any case represent the opinions of McAfee
Associates.
Greetings,
In regards to the bugs reported in SCAN V74 and 74B, they have been
repaired since, and the new version (V75) is available. The programmer
responsible has since been flayed. :-)
I received an interesting spate of mail from folks who purported to be
aware of some secret conspiracy to create a high-memory virus. Frankly,
I find it unfortunate that there are some people out there who know WHO
virus writers are, and are unwilling to expose them. It shows a certain
irresponsibility and a degree of acceptance of what is being done.
It bothers me, as a programmer, when a person sends me a virus
and STATES that it will never show up in the public domain. Further,
when *ONE* person is the link to a virus writer (or writers) it is
even more irksome to know that they are under no obligation to expose
the authors of this code.
It has been suggested to me by one nameless individual that they are,
'only interested in new and unusual techniques of viruses.' The major
problem is that this person has been the *SOLE DISTRIBUTOR* of a
virus which he claimed used an unusual technique. He is possibly
soon to be the sole distributor of another. This appears to be an
encouragement of these virus writers. It also appears to be an ego
boost for the individual in particular, since they seem to wish the
anti-viral workers to waste time on these viruses.
Frankly, research viruses in general are a Bad Thing, IMHO. What
need do we have for supposed researchers writing viruses and
distributing them all over? The virus authors are annoying enough on
their own without contributions from the AV community.
One of the major problems that I see is this: the anti-viral
community treats as commonplace and acceptable the writing of
'research viruses.' Perhaps it's merely the silence of the people
which leads me to believe this. Perhaps all the other AV people
believe that they are Bad Things also. Speak up. I'd like to hear
your opinions. Respond if you do or don't think that RV's should be
condoned. Tell me why. I'll concatenate it all and put it all up to the
moderator, if he's interested. (If he's not, I'm sure he'll tell me.
I'd like to know anyway.)
I'd like to hear opinions (and I'm sure I will, this *IS* Usenet
after all... ;-) ) on this issue.
On a more serious note, the Swedish virus has been eliminated and
subsumed into the Stoned Virus general description. (It is sufficiently
similar to not warrant a different name.)
Further, the following viruses are new to V75:
Cancer (.COM), V-299 (.COM), Phantom (.COM), V-555 (.COM/.EXE), Lazy (.COM)
and Yap. The bigger-than-512 byte partition table problem, and the false
alarms have been dealt with.
-- Morgan
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| I don't *KNOW* what my employer's opinions are, so I can't |
| possibly reflect them here. -- [email protected] |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
------------------------------
Date: Thu, 28 Feb 91 22:56:39 -0800
From: [email protected] (Rob Slade)
Subject: SCORES and Mac virus lethality (Mac)
[email protected] (Francis A. Uy) writes:
> Another important thing to note is that none of the Mac virii
> known as of Disinfectant 2.4 are specifically malignant: i.e.
> they only attempt to spread, rather than trying to destroy files.
Well, I suppose it depends a bit on your definition. No, no Mac viri
have *destroyed* files, but the Mac does have the distinction of being
home to the first virus *known* to be targeted at a commercial
program. The program containing the ERIC and VULT resources never did
get released, but the bomb was waiting, nonetheless ...
==============
Vancouver Institute for Research into User Security
[email protected] | [email protected] (SUZY) INtegrity
Canada V7K 2G6
"It says 'Hit any key to continue.' I can't find the 'Any' key on my keyboard."
------------------------------
Date: Thu, 28 Feb 91 23:04:09 -0800
From: [email protected] (Rob Slade)
Subject: Windows antivirals (PC)
[email protected] (Jeff Payne) writes:
> I was curious if there was a Windows 3.0 version (or even aware) of
> any anti virus software? I am currently evaluating F-Prot and
Of the commercial products I have received for review so far, none
indicate any plans for Windows versions, nor do any of the "leads"
that are published advertising material.
I wonder if Windows versions would be easy. The "received wisdom" for
Windows users is that you stop running any TSRs before running
Windows. Scanners, of course, don't need to be TSR, but then, do they
not run well enough as a "non-Windows" program?
==============
Vancouver Institute for Research into User Security
[email protected] | [email protected] (SUZY) INtegrity
Canada V7K 2G6
"It says 'Hit any key to continue.' I can't find the 'Any' key on my keyboard."
------------------------------
Date: Thu, 28 Feb 91 14:30:54 -0800
From: [email protected] (Aryeh Goretsky)
Subject: Scan 75 new features (PC)
WHAT'S NEW
Version 75 of VIRUSCAN adds seven new viruses and fixes a
problem that caused Version 74-B to false alarm on diskettes
formatted with Easy-Format. We apologize for any inconvenience we
may have caused due to this problem. The new viruses added were:
The Phantom virus is a memory-resident .COM file infector sent
to us from Budapest, Hungary by Dr. Szegedi Imre. It contains a
message stating that it was written by the PHANTOM of the
"Hungarian Virus Developing Laboratory." The Azusa virus is a
memory-resident floppy disk boot sector and hard disk partition
table infector reported from multiple sites in the U.S. The V-299
is a direct-action .COM file infector based on the Amstrad virus.
It is not memory-resident. The V-555 virus is a memory-resident
COM, .EXE, and overlay infector. The Lazy virus is a
memory-resident .COM file infector. When it is resident, it slows
down the processor and screen output significantly. For more
information about these viruses, please refer to the enclosed
VIRLIST.TXT file.
Version 75 of CLEAN-UP adds removal of the Azusa virus, a
floppy disk boot sector and hard disk partition table virus that
has been reported in multiple sites in the U.S.
Version 75 of VSHIELD and NETSCAN add prevention against and
network detection of the above-listed viruses, respectively.
------------------------------------------------------------
NB: I've received several pieces of mail regarding Version 74
incompatibilities with the NEC and Zenith OEM Versions of DOS 3.3.
The NEC version of DOS uses a nonstandard partitioning scheme to
"get around" the 32Mb hard disk size limit imposed by DOS.
VIRUSCAN Version 74 was unable to recognize this and as a result
would give a false alarm. Version 74 also misidentified the Zenith
OEM version of DOS as having the Swedish Disaster (yet another
Stoned variant) virus in the boot sector of formatted disks (hard
and floppy). This is due to the fact that the boot sector
contained the same code we were looking for in the Swedish Disaster
virus. We've also found this code in 10Mb Iomega Bernoulli disk
cartridges and disks formatted with DR-DOS 5.0. Version 74-B
corrected this problem.
We are sorry for any inconvenience or panic caused by our error.
Aryeh Goretsky
PS: I've also gotten several messages about my internet address. To
the best of my knowledge, the site I'm calling from, "ozonebbs.uucp"
is on the network maps and I can be reached as "[email protected]".
If this fails, please try "[email protected]" which should
reach me. In the event this one bounces also, Mr. Keith Peterson has
graciously set up the following mail address "[email protected]". A
special note of thanks to all who have persevered in their efforts to
reach me (thanks Keith!). -- Aryeh
[Ed. The ".uucp" is not supported by Internet Domain Name Service;
Internet users should use the @apple.com address.]
+----------------------------------------------------------------+
| Aryeh Goretsky, Tech Support vox (408) 988-3832 |
| McAfee Associates fax (408) 970-9727 |
| 4423 Cheeney Street bbs (408) 988-4004 |
| Santa Clara, California 95054-0253 // |
| Internet: [email protected] // |
| UUCP: apple!netcom!nusjecs!ozonebbs!aryehg \X/ |
| "Opinions expressed are my own and do not necessarily reflect |
| those of my employer."--universal disclaimer applied herein. |
| "How is a cat like a meatloaf?"--John R. De Palma, M.D. |
+----------------------------------------------------------------+
------------------------------
Date: Mon, 04 Mar 91 08:23:13 -0600
From: James Ford <[email protected]>
Subject: New files on MIBSRV (PC)
The following files have been placed on MIBSRV (130.160.20.80) in the
directory pub/ibm-antivirus:
scanv75.zip - McAfee's Scan v75
clean75.zip - McAfee's Clean v75
netscn75.zip - McAfee's NetScan v75
vshld75.zip - McAfee's VirusShield v75
validate.crc - McAfee's list of validation numbers
0files.9103 - Listing of files available on mibsrv.
----------
The more heavily a man should be taxed, the more power he has to avoid it.
----------
James Ford - [email protected], [email protected]
The University of Alabama (in Tuscaloosa, Alabama)
------------------------------
Date: 01 Mar 91 09:19:10 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Norton rebuttal (PC)
In a quote "YUSUF HASSAN General Manager Symantec UK" quoted the Virus
Bulletin, and as the Technical Editor I just wanted to clarify two minor
details.
>%"PC performance drops noticeably": in the December issue of the Virus
>Bulletin, Nav was rated better than the competition ...
Better than some of the competing products in some areas.
>%"Percentage of files in which viral activity was detected--80%":
>Virus Bulletin stated that Nav had a 99% capability. ...
99% only when scanning the standard test set of only 100 common viruses.
If the full set of 400+ variants was scanned, the performance is not nearly
as good. It must of course be noted that the same applies to all other
anti-virus products.
-frisk
Fridrik Skulason - University of Iceland | Reserved for future expansion
Technical Editor of the Virus Bulletin (UK) |
E-Mail: [email protected] - Fax: 354-1-28801 |
------------------------------
Date: 01 Mar 91 09:40:53 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Windows v3.0 / F-Prot (PC)
[email protected] (Jeff Payne) writes:
>I was curious if there was a Windows 3.0 version (or even aware) of
>any anti virus software?
I do not (yet) offer a Windows version of my programs, but I seem to recall
that Ross Greenberg is working on that (sorry, Ross if I'm not right).
There is not very serious pressure to develop a Windows-specific anti-virus
package - there are no Windows-specific viruses yet, and many current
anti-virus products do work quite well with Windows.
In the case of my own program, I do not recommend using F-LOCK/F-POPUP
with Windows - they are just character-based TSR, and may cause problems.
The F-DRIVER program works without problems, however, and should provide
sufficient protection from known viruses.
I am looking into the possibility of developing a Windows anti-virus
program, but I think that is 8-12 months away.
>Also, has anyone tested F-Net with 3Com or Microsoft LanManager
>networks? I've loaded it and it didn't crash, but without a virus to
>test it, I can't really tell...
You may have to run the F-NET program after you run the network programs,
to redirect some interrupts back to F-DRIVER, but as you said, it is
difficult to determine whether it is necessary without a virus.
In version 1.15 of F-PROT (almost finished now), I will include a small
TESTVIR.COM program, which can be run to determine if the package is
working correctly. F-DRIVER should stop the program, and report it to be
infected with the "Test" virus, but if F-DRIVER is not installed, or not
working, a warning message will be displayed.
>Which brings me to my last question, Is there a "harmless" virus that
>I could use to test my configurations (in an isolated environment) ?
I would recommend the Cascade virus - it is widely available, well known
and all anti-virus programs should be able to detect it. The "standard"
variant is also one of the most harmless viruses around.
-frisk
------------------------------
Date: Fri, 01 Mar 91 09:58:00 +0000
From: [email protected] (Fridrik Skulason)
Subject: Virus BBS
Virus BBS
One of the most serious developments recently is the creation of virus
Bulletin Board Systems, where viruses and disassemblies are freely
available.
The availability of source code creates a serious problem - it is much
easier to create a working virus from a disassembly, than from just a
sample, and I fear we may see an explosion in the number of virus variants
soon - the 400 variants we know today may multiply and become 1000 or so
before the year is over.
In this area the Bulgarians lead the way - virus writers there often make
their sources freely available - I have several assembly listings in my
collection, with comments in Bulgarian, and even the names and addresses of
the authors.
It should not surprise anyone that the best-known virus BBS is in Bulgaria,
and anyone uploading a new virus can download other viruses. The BBS is
accessible by anyone in the west, but luckily the telephone connections to
Bulgaria are quite bad.
However, I am more worried about the (reported) virus BBS in Germany and the
UK - I have no confirmation they exist, but naturally I would be very
interested in hearing from anyone who can confirm their existence.
Patricia's list
Now that the VSUM list is no longer available on SIMTEL20, I was
wondering how to obtain it - as the Technical editor of the Virus
Bulletin, I often have to select names for new viruses, and I like to
compare my list with hers, although the information on the viruses
published there is often incredibly inaccurate.
-frisk
Fridrik Skulason - University of Iceland | Reserved for future expansion
Technical Editor of the Virus Bulletin (UK) |
E-Mail: [email protected] - Fax: 354-1-28801 |
------------------------------
Date: 01 Mar 91 09:15:00 -0500
From: "zmudzinski, thomas" <[email protected]>
Subject: Re: File reduction virus? (PC)
In VIRUS-L Vol 4 #33, Dan Sline said:
> I know viruses sometimes increase file lengths, but can a
> virus decrease a file length? The reason why I was asking was on a
> bank of PCs in a lab, the ipx.com file was 26666, but on one machine
> in the bank, the size was 25500, and the file had the correct date.
> Another problem was that the machine was not reading the autoexec.bat
> file when the computer was booted up. I ran scan 72, but it did not
> detect anything.
I can only offer theoretical knowledge on this as I know of no
virus that actually does what I'm about to describe, but yes, it is
possible for a virus to compress an executable and preface it with
itself (including the necessary expansion code) such that the file
length decreases. However, it would be sloppy of the illegitimate
vermin who coded such not to pad the file out to its original size. I
suggest you compare the two files. One dead giveaway: compressed
files don't look anything like uncompressed ones.
Tom Zmudzinski | Internet: [email protected]
"Better to trade knowledge than something of value"
-- Sergio Aragones
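The comparison Tom suggests, as an added example in Python (not from his post): two constructed byte strings stand in for the trusted copy of a program and the suspect copy, the suspect being a zlib-compressed copy with a placeholder header prepended; the check reports the length change and a byte-entropy measure, which is what makes compressed content "not look anything like" the uncompressed original. The entropy jump threshold is an assumption chosen for this sample.

```python
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes; uncompressed program files carry readable strings."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b < 0x7F) / len(data)


def compare_files(reference: bytes, suspect: bytes, entropy_jump: float = 1.5) -> dict:
    """Compare a trusted copy of a program with a suspect copy of the same file.

    'looks_compressed' flags a suspect that is both shorter than the reference and
    markedly higher in entropy (threshold is an assumption for this example)."""
    ref_e, sus_e = shannon_entropy(reference), shannon_entropy(suspect)
    report = {
        "identical": reference == suspect,
        "length_delta": len(suspect) - len(reference),
        "reference_entropy": round(ref_e, 2),
        "suspect_entropy": round(sus_e, 2),
        "reference_printable": round(printable_ratio(reference), 2),
        "suspect_printable": round(printable_ratio(suspect), 2),
    }
    report["looks_compressed"] = len(suspect) < len(reference) and (sus_e - ref_e) >= entropy_jump
    return report


def make_reference_image() -> bytes:
    """Constructed stand-in for an uncompressed DOS program: readable strings, a
    code-like byte run and a zero-filled data area (no real executable code)."""
    strings = b"IPX network driver loaded.\x00Usage: IPX [/?]\x00" * 30
    filler = bytes(range(256)) * 4
    return strings + filler + b"\x00" * 2000


def make_suspect_image(reference: bytes) -> bytes:
    """Constructed suspect: a placeholder header prepended to the zlib-compressed reference."""
    return b"[stub]" + zlib.compress(reference)


if __name__ == "__main__":
    ref = make_reference_image()
    for key, value in compare_files(ref, make_suspect_image(ref)).items():
        print("%-20s %s" % (key, value))
```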
------------------------------
Date: 28 Feb 91 11:38:14 +0000
From: [email protected]
Subject: Can [Stoned] remain in hard-drive?
Hello everyone!
I've got a question for anybody who knows about the [Stoned] virus:
Every time I clean it off the hard-drive (a Seagate st-238-r), it will
appear to be clean for some time, but then will re-appear. Is it
possible for [Stoned] to remain in my partition table, or do I also
have it on another disk, and it gets put back on? I've checked most
of my disks, but to check all the disks I use would be almost
impossible. Any chance of it staying on the drive after being
cleaned? (I'm using McAfee's SCAN, and CLEAN)
Please reply through E-Mail, I don't read the net often.
[email protected]
[email protected]
Thanks!
------------------------------
Date: Fri, 01 Mar 91 11:38:00 -0500
From: [email protected]
Subject: Low-level signature checking protection
I agree with Bob Bosen that signature checking is the ONLY anti-viral
protection that will detect future viruses as well as known ones. My
"preferred implementation", however, is to put the checking in the BIOS
ROM so that any executable can be checked while it is being loaded.
With the checker in ROM, I don't think it is "too easy to fake the all
clear signal" as Bob says.
What is probably needed to get the manufacturers to go along is either
Federal legislation forcing every commercial software vendor to provide
a signature or else a Federal standard requiring it on all software
bought by the Federal government. Or maybe if MicroSoft, AMI, Phoenix
Technologies, IBM, and RSA Data Systems all got together and offered it
as an option for people who wanted it... Unfortunately, we have here an
example of what I like to call the "Railroad Problem" (literary
reference, Heinlein's "Door Into Summer"): If there are no tracks, who
wants to spend money to develop locomotives, but if there are no
locomotives, who wants to spend money to lay down tracks? And in the
present case, there may well be software vendors who don't like the idea
that someone can prove their negligence if an employee sneaks a virus
into their shipped products. That's why legislation may be necessary.
-John Sangster SPHINX Technologies, Inc. / (315) 446-8800 / (617) 235-8800
------------------------------
Date: Fri, 01 Mar 91 08:02:10 -0500
From: [email protected]
Subject: re: unknown virus--help (pc)
this note is in reply to Christie Kell's note concerning a virus
infecting the file WIN386.EXE on a pc. my guess would be that the
virus came from a floppy inserted into the pc at some time. your best
bet, rather than investing in an expensive virus killer, is simply to
remove the WIN386.EXE file and re-install it from the factory copy.
if this is not possible, however, i would recommend VIRUCIDE by
McAfee and Associates. i work in a microcomputer lab, and we have
found it to be very effective in keeping things cleaned up. this
should be available to any non-profit organization, but is not
licensed for business use. if you cannot get the address of McAfee
and Associates, i will be happy to mail it to you. good luck!
dave thurmond (dthurmon@utcvm)
------------------------------
Date: Fri, 01 Mar 91 10:31:54 -0800
From: [email protected] (Ken West - Entomology)
Subject: The new version of the Stoned Virus (PC)
I have also encountered a new version of the stoned virus. The
message in the boot sector is "This pc is stoned Legalise Marijuana".
F-disinf from the fprot package version 1.14a cannot cure it. It
reports "no boot sector found". f-inoc reports an "unusual DOS boot
sector". Does anyone have any more information about this beast?
Thanks in advance.
------------------------------
Date: Fri, 01 Mar 91 11:30:25 -0800
From: [email protected] (Rob Slade)
Subject: Reviews and Norton Antivirus (PC)
I have, after three months of continuous phone calls to various
Symantec offices, received NAV for review. It is now at the bottom of
the pile, but given the recent postings here, is there interest in
having it moved up ahead of other reviews?
(I think Ken would appreciate it if you replied directly to me ...)
==============
Vancouver Institute for Research into User Security
[email protected] | [email protected] (SUZY) INtegrity
Canada V7K 2G6
"It says 'Hit any key to continue.' I can't find the 'Any' key on my keyboard."
------------------------------
Date: Sat, 02 Mar 91 12:33:45 -0600
From: [email protected] (Rozita Abdul Samad)
Subject: computer virus (PC)
Hello...
I've been reading the RN and particularly interested in the computer
virus problems. And now I'm doing a final paper for my technical
writing class about computer virus. The topic is a proposal about how
to destroy one kind of virus in ibmpc and compatibles.
I know that there are many viruses like stone, ping-pong, lehigh but I
still haven't decided which I want to specify. I'd like to write about
the virus, how it affects, which part it affects, how to avoid, protect
the parts, make recovery of the parts and the most important thing is
how a technique can be used to get rid of the virus.
I do not have much knowledge about these viruses but I want to do
a paper on it. So if you have any suggestion or ideas, please do
contact me.
My e-mail address is :
[email protected]
Thanks a lot.
I'm looking forward to your reply.
Bye.
Cheers,
Rozita
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 35]
*****************************************