VIRUS-L Digest   Wednesday, 13 Mar 1991    Volume 4 : Issue 43

Today's Topics:

Re: VIRUSCAN v1.51 available (PC)
Norton's Diskmon and viruses (PC)
PROTEC System & Stoned Virus (PC)
Correction/apology re Michael Harding in Virus-L vol3 index
new virus program from ibm available (PC)
FLIP Virus (PC)
Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
Dyslexia/Subliminal and PckSPL.com (PC)
Help on (key press) virus
Re: Standardized virus signatures
Re: Stoned Again (PC)
Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
Re: Life, Turing Machines, viruses.
Re: Research viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 11 Mar 91 14:34:47 -0500
From:    Arthur Gutowski <[email protected]>
Subject: Re: VIRUSCAN v1.51 available (PC)

>From:    "David K. Mickle" <[email protected]>
>Subject: VIRUSCAN Version 1.51 is Available (PC)
>
>They obtained it at my request from their IBM rep who downloaded it from an
>IBM internal service.  The version number 1.51 is correct.

Not to quibble (much :-), but you mean VirScan.  Viruscan is McAfee's product.
I know, I know with all the AV products on the market these days, it's getting
harder to keep them straight.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 l\/\/\/\/l     Arthur J. Gutowski, System Programmer
 l        l     MVS & Antiviral Group / WSU Computing Center
 l        l     Bitnet:    AGUTOWS@WAYNEST1
 l  (e) (e)     Internet:  [email protected]  *or*
(c        _)               [email protected]
 \   ,_____\    PH:  (313) 577-0718  +-------------------------------+
  l     /                            | I will not Xerox my butt...   |
  /_____|                            +-------------------------------+

------------------------------

Date:    Mon, 11 Mar 91 21:59:46 +0000
From:    [email protected] (Ken West - Entomology)
Subject: Norton's Diskmon and viruses (PC)

Has anyone had any experience using the Norton Utilities version 5.0
disk monitor program to protect disks from virus infection?
Apparently, it will protect the boot sector, partition table, etc....
from being written to without your permission.

=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
Kenneth J. West                      Ever notice how war is particularly ugly
[email protected]         when you try to explain it to children?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date:    Mon, 11 Mar 91 15:20:10 -0700
From:    [email protected] (Richard W Travsky)
Subject: PROTEC System & Stoned Virus (PC)

In one of our public labs, we have a Zenith 159 with hard disk
attached to a laser printer.  We have SOPHCO's PROTEC system installed
on said Zenith and we offer 3 flavors of Word Perfect (and charge a
quarter per page for printing).

We had been experiencing problems accessing files and printing (users
have their documents on their floppy; we don't want them playing too
much with the hard disk, hence the PROTEC system).  Upon examination
we found the Stoned virus on the hard disk.  I didn't do the scanning,
but the person who did said Stoned didn't show up in memory (the scan
was done by exiting out of PROTEC by using the supervisor's password).
Said person also cleaned things up.  (The virus got on the machine by
some student trying to break in to the machine by booting off a floppy
that happened to be infected.)

I find this interesting.  Short of re-infecting the machine to
investigate further, I'm curious as to why Stoned didn't show in
memory when a boot from floppy hadn't been done.  I'm also curious
about the mechanism of transferral under PROTEC.  Does anyone have any
insight to offer?  Thanks.

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668

------------------------------

Date:    Tue, 12 Mar 91 09:22:36 +0000
From:    Anthony Appleyard <[email protected]>
Subject: Correction/apology re Michael Harding in Virus-L vol3 index

[CORRIGENDUM AND APOLOGY] (Matthew D.Harding is not a virus spreader)

(1) In Virus-L vol3 #167, <[email protected] (Dean Davidson)>
(Subject: Beware of some virus researchers) said what may be summarized as
"Don Sheffer (who asked me for a copy of the "1022" alias Fellowship virus)
is not a genuine virus researcher, and the 'University of Waterloo Virus
Response Team' (that Don Sheffer allegedly belongs to) does not exist.".

(2) In Virus-L vol3 #171, <[email protected] (Terry Ingoldsby)>
(Subject: Re: Beware of some virus researchers) said what may be summarized
as "the username <Matthew D. Harding (rose.waterloo.edu!mdharding> emailed
to me wanting a copy of the Yankee Doodle virus, but in the light of
message (1) hereinabove that request seems suspicious to me.".

and I accordingly by routine put these two entries in Virus-L vol 3 index:-
---------------------------------------------------------------------------
[Beware of some virus researchers] "Don Sheffer" &
 "University of Waterloo Virus Response Team" are bogus                167
[Re: Beware of some virus researchers] "Matthew D.Harding" is bogus     171
---------------------------------------------------------------------------
On 11 March 1991 <[email protected] (Charles Benaiah)>
(Subject: Incorrect info. in virus-l indexes) emailed to me to say that "a
student named Don Shaeffer at the Univ of Waterloo indeed gained
unauthorized access to several accounts there, and used them for some
purpose or another; but Matthew Harding (a student at the University of
Waterloo) knew nothing about this and has no connection with viruses.".

It seems that the suspicious request was from <someone else unauthorizedly
logging in under Matthew Harding's username>, and that
<<Matthew Harding is innocent of any suspicion concerning viruses>>.
Therefore this entry in Virus-L vol 3 index:-
[Re: Beware of some virus researchers] "Matthew D.Harding" is bogus     171
should read:-
[Re: Beware of some virus researchers] suspicious request for virus by
 someone logged in unauthorizedly under a reputable user's username    171
I apologize for any imputation thereby caused.

------------------------------

Date:    Tue, 12 Mar 91 13:39:27 +0000
From:    [email protected] (Rainer Foeppl)
Subject: new virus program from ibm available (PC)

we were notified this morning that flash214 in ibmlink (or dial-ibm
in europe) has been updated with the newest version of the ibm
virus-check utilities.

i do NOT distribute them. please contact your pc-dealer or ibm or
download them yourself.

we are just in progress of testing them against known viruses. if anybody
has some results, we would like to discuss them.

regards
rainer

--
Rainer Foeppl
email: [email protected]

------------------------------

Date:    Tue, 12 Mar 91 10:36:16 -0100
From:    Genaldo <[email protected]>
Subject: FLIP Virus (PC)

Hi,
   Does someone out there know how to eliminate the Flip Virus? I
got my hard disk infected and after using CLEAN.EXE the virus came
back in a new copy of COMMAND.COM.
                            Genaldo

 ______________________________________________________________
  GENALDO LEITE NUNES           |       HOME ADDRESS
DEPARTAMENTO DE MATEMATICA-UFSC  |  RUA LAURO LINHARES, 360/U-102
88049-FLORIANOPOLIS-SC-BRASIL    |  88040-FLORIANOPOLIS-SC
FAX: (482)344069                 |                        BRASIL
PHONE: (482)-319232              |  PHONE: (482)-340115
 _______________________________|______________________________

------------------------------

Date:    Wed, 13 Mar 91 14:19:00 +0100
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)

[email protected] (James Nash) writes:
> Fridrik's F-PROT calls it Plastique
> McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
> Solomon's FINDVIRUS calls it Anticad 2
>
> Now, I know that all these virii are related in some way or another
> but I am confused as to whether they are all the same or not. VIRUSSUM
> does not help much as it calls Taiwan 3 and Plastique separate virii.

This, plus other recent comments about difficulties in naming variants of
viruses, suggests a better approach to naming viruses is needed. I posted
a note recently about naming/identifying boot sector viruses - anyone who
missed that can get a copy of BOOTID.ZOO and/or CHECKOUT.ZOO by anonymous
ftp to 132.181.30.3  - these are still experimental, but worth looking at.

[Ed. The hostname of 132.181.30.3 is cantva.canterbury.ac.nz]

What I am suggesting now is a naming system for all types of virus (such
as trojans), which depends on the contents of the virus, not where it was
discovered or a piece of text one version displays. This isn't as easy as
naming boot sector viruses, but should be possible. (Read: I haven't made
a nice demo program this time; let's discuss it before anyone goes to the
effort of programming something). If you've already looked at BOOTID.PAS,
you may have noticed a range of hashcodes left unassigned (in byte 2), so
I do intend to extend the hashcode into other areas.

My guess is that a naming scheme would...

1. Use only letters and digits,
2. Not try to be pronounceable, but be short (up to 12 characters) and maybe
  have a "popular name" tacked on the end for convenience. The reason is that
  good, descriptive "real" words become easily exhausted, and may be just
  as difficult to pronounce in some countries as computer-generated names!
3. Certain bytes would flag what the virus attacks (.EXE, .COM, .SYS, .BAT
  files, and so on), whether it overwrites or appends to the original file,
  what interrupts it uses, and other distinguishing features of its effects.
4. The rest of the code would be a sophisticated checksum of the virus code,
  hopefully weighting important code in some way to give similar viruses
  similar codes.

The aims, as with BOOTID, are to positively identify viruses, avoiding
confusion as mentioned above. The method, I suspect, would be to isolate
the virus from what it has infected (e.g. compare an infected .EXE file
with the uninfected original, or (better still) use some automated
disassembly software which works out what instructions are executed before
the original program is executed). As I said, it probably won't be easy.
But what do you think? Is it worthwhile? Essential?

Mark Aitchison, Physics, University of Canterbury, New Zealand.
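As an added illustration of the scheme sketched above (my own code, not Mark's BOOTID.PAS or anything from the post), here is a Python encoder for such a name: three base-36 characters carry the flag bytes of point 3 under a bit layout I have assumed, and eight more carry a region-wise checksum of the isolated virus body, a crude stand-in for the weighted checksum of point 4 that at least gives variants differing in one region mostly the same code. The whole name stays within letters, digits and 12 characters, with the popular name tacked on after a dash.

```python
import hashlib

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # letters and digits only

# Assumed bit layout for the flag characters (my choice, not BOOTID's).
TARGET_BITS = {"EXE": 1, "COM": 2, "SYS": 4, "BAT": 8, "BOOT": 16}
INTERRUPT_BITS = {0x08: 1, 0x09: 2, 0x13: 4, 0x1C: 8, 0x21: 16}
HASH_CHARS = 8   # 3 flag chars + 8 checksum chars = 11, inside the 12 limit


def encode36(value, width):
    """Fixed-width base-36 encoding of a non-negative integer."""
    chars = []
    for _ in range(width):
        chars.append(ALPHABET[value % 36])
        value //= 36
    return "".join(reversed(chars))


def decode36(text):
    """Inverse of encode36."""
    value = 0
    for c in text:
        value = value * 36 + ALPHABET.index(c)
    return value


def feature_flags(targets, overwrites, interrupts):
    """11 bits: 5 for what is attacked, 1 for overwrite/append, 5 for
    interrupts hooked (interrupts outside the table are dropped)."""
    t = sum(TARGET_BITS[x] for x in targets)
    i = sum(INTERRUPT_BITS.get(n, 0) for n in interrupts)
    return (t << 6) | ((1 if overwrites else 0) << 5) | i


def body_code(body):
    """Region-wise checksum: one character per slice of the isolated body,
    so a variant that differs in one region keeps most of the code."""
    step = max(1, -(-len(body) // HASH_CHARS))   # ceiling division
    out = []
    for k in range(HASH_CHARS):
        chunk = body[k * step:(k + 1) * step]
        out.append(ALPHABET[hashlib.sha256(chunk).digest()[0] % 36])
    return "".join(out)


def virus_name(body, targets, overwrites, interrupts, popular=None):
    """Flag characters + body code, with an optional popular name appended."""
    name = encode36(feature_flags(targets, overwrites, interrupts), 3)
    name += body_code(body)
    return name + ("-" + popular if popular else "")


def decode_name(name):
    """Recover the feature flags from the first three characters."""
    flags = decode36(name[:3])
    return {
        "targets": sorted(k for k, b in TARGET_BITS.items() if (flags >> 6) & b),
        "overwrites": bool((flags >> 5) & 1),
        "interrupts": sorted(n for n, b in INTERRUPT_BITS.items() if flags & b),
    }
```

Feed it a constructed byte string in place of a real isolated body (for instance `bytes(range(256)) * 4`) to see that patching a few bytes in one region changes at most one of the eight checksum characters while the flag characters stay fixed.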

------------------------------

Date:    13 Mar 91 05:47:23 +0000
From:    "Daniel H Marx" <[email protected]>
Subject: Dyslexia/Subliminal and PckSPL.com (PC)

I just ran FPROT114's F-FCHK on my hard drive and received the following
message: C:\PCKWIK\PCKSPL.COM Possibly infected: Dyslexia/Subliminal
        Number of files checked: 1
        Infected files: 1
        Infections removed: 0

       I never received any prompt while the program was running.
Can anyone tell me what's going on?  Am I really infected?  What
should I do next?  I know PCKSPL is my print spooler.  It comes from
PC-Kwik Power Pak v 1.57 by Multisoft.  Any help gratefully
appreciated.

------------------------------

Date:    13 Mar 91 10:49:53 -0700
From:    [email protected]
Subject: Help on (key press) virus

How do we remove this type of virus? Does this type of virus damage the
scan? Also, what aliases and further information are there about this virus?

thanks in advance

Terry jawberha
king abdul aziz university
jeddah -saudia
cca3607@sakaau03

------------------------------

Date:    13 Mar 91 08:41:53 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Standardized virus signatures

Should virus identification strings be published in hex form ?

My personal opinion is that they should be kept secret or published in
an encrypted form.

The reason is quite simple - anybody who obtains a copy of the virus
can easily patch the section containing the published signature
string, in order to make it non-detectable by any scanner using that
string.

Another danger of publishing the strings is that several scanners
might use the same strings - so no extra security would be gained by
using multiple scanners - if a new variant of an old virus appears,
they would all fail or all succeed in finding it.

-frisk

------------------------------

Date:    13 Mar 91 08:57:12 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Stoned Again (PC)

[email protected] (Kamran Farahi) writes:

>My question is , how is it
>possible that the F-DRIVER did not protect the hard disk?. Although ,
>the warning message was given by the DRIVER on both occasions.

No drivers, TSR programs etc., can prevent you from being infected by a
boot sector virus like the 'Stoned', for a simple reason: the virus
is executed and gets a chance to infect the hard disk before it can be
intercepted by any other program.  You need some special hardware to
prevent this.  The best any normal program can do is to detect the
infection, display a warning message and halt the computer, just
like F-DRIVER did.

>We lost everything because of the low-level format, do we have to go
>through this each time we get infected or is there a way to recover
>the data?

You never need to low-level format a disk infected by 'Stoned', to get
rid of the virus.  If the virus manages to infect the hard disk
successfully, you should be able to remove it by booting from a
'clean' system disk and running a disinfector program.

If that fails, use NU (or a similar program) to zero out the partition
table, and then use NDD to generate a new one.

-frisk
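Frisk's advice amounts to checking the first sector from a clean boot rather than from a possibly infected running system. As an added example (my code, not F-DRIVER's or anything from the posts), this Python parser compares a 512-byte image of the master boot record against a baseline hash of the bootstrap code taken from the clean machine; it assumes you already have that sector image and baseline, and the sample sectors it builds are constructed stubs, not real boot code.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"        # trailing boot-sector signature at offset 510
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries start here


def parse_mbr(sector):
    """Split a 512-byte master boot record into a hash of the bootstrap code,
    the four partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for k in range(4):
        e = sector[PART_TABLE_OFF + 16 * k:PART_TABLE_OFF + 16 * (k + 1)]
        start, count = struct.unpack("<II", e[8:16])
        entries.append({"bootable": e[0] == 0x80, "type": e[4],
                        "start": start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:] == BOOT_SIG,
    }


def check_mbr(sector, baseline_code_sha256):
    """Findings for a sector image against the clean machine's code hash;
    an empty list means nothing changed in the bootstrap area."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from clean baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


def build_mbr(code):
    """Construct a test MBR image (not a real disk): code padded to 446 bytes,
    one bootable DOS partition starting at LBA 63, three empty entries."""
    code = code.ljust(PART_TABLE_OFF, b"\x00")
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 20000)
    return code + entry + b"\x00" * 48 + BOOT_SIG


# Constructed samples: a stub bootstrap, and a modified one with the same table.
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xEB\xFE")
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]
TAMPERED = build_mbr(b"\xEA\x00\x00\x00\x00\x90\x90")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED, BASELINE))
```

A partition table that has been zeroed out, as in frisk's last resort, shows up as "no partition marked bootable", which is the cue to regenerate it.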

------------------------------

Date:    13 Mar 91 09:23:29 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)

[email protected] (James Nash) writes:
>Fridrik's F-PROT calls it Plastique
>McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
>Solomon's FINDVIRUS calls it Anticad 2

Don't forget the anti-virus programs which call it 'Invader' ..... :-)

Anyhow - it is like this.

       This is a group of several viruses from Taiwan, created by
       disassembling the Jerusalem virus, modifying it and releasing
       it again.

       There are at least 6 viruses in the family:

       one 2576 bytes long
       one 2900 bytes long - the one you have.
       one 3012 bytes long
       three 4096 bytes long

       In addition, the (non-working) HM2 virus may be related, and a
       variant around 3000 bytes long has also been reported.

Some of the variants contain the text "Plastique", either in plain
text or encrypted - they also produce "explosion" sounds occasionally.

All the viruses are targeted against the AutoCAD program - When a
program named ACAD.EXE is run or sometimes when Ctrl-Alt-Del is
pressed, the viruses will activate, overwriting data on floppy disks
and hard disks, as well as garbling the contents of the CMOS.  This
behaviour produced the 'AntiCAD' name.

The three 4096 byte variants also contain code for infecting the boot
sector.

The "Taiwan" name should IMHO not be used, as there is already a
family of 4 viruses which have been called Taiwan-1, Taiwan-2,
Taiwan-3 and Taiwan-4, but they are not related to the family
discussed above.

-frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: [email protected]    Fax: 354-1-28801  |

------------------------------

Date:    12 Mar 91 20:08:46 +0000
From:    [email protected] (Johnathan Vail)
Subject: Re: Life, Turing Machines, viruses.

[email protected] (The Sanj-Machine aka Ice) writes:

  If automata are capable of reproducing themselves, by following the
  laws of a Turing machine, for a particular hardware architecture and
  instruction set, how do you determine the minimum number of bytes that
  this can be achieved in?

Since there are so many variables involved I don't think that you can
get an answer for this by theory.  It is entirely empirical.  For
example, for an OS virus to "reproduce" all it needs to do is call the
OS routine that writes the boot sectors (this is how at least one
Apple ][ virus worked).  A couple of bytes is all it takes.  For other
designs the constraints involve the file system operations and how
much the OS does and hides for you.

  On a related note, I was talking with a friend about how CDs have
  error correcting codes through redundancy. Does anyone know if viruses
  yet exist which are capable of being fault tolerant so that if they
  try to mutate, and the mutation inhibits its ability for continued
  self reproduction, it will return to its former state and try again?

You could do this but why bother?  It would serve no real purpose for
a virus writer and be easily defeatable by the modifier.

"Gravity pulls the trousers down
        Morality pulls the trousers up" -- Bedful of Metaphysicians
_____
|     | Johnathan Vail | [email protected]
|Tegra| (508) 663-7435 | [email protected](WorldNet)
-----  [email protected] {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date:    13 Mar 91 13:05:58 +0000
From:    [email protected] (Chuck Hoffman)
Subject: Re: Research viruses

[email protected] (Rick Keir, MACC) writes:
> I can count the number
> of legitimate researchers I know of on one hand, and have fingers left
> over.

I'll bet I know which finger(s)!

I agree that "research" has become synonymous with "experimenting."
Someone who is trying something out, unsupervised, with no intention
of publishing, and with no go/nogo decision by peers with respect to
ethics, may be "experimenting," but hardly is doing "research" in the
sense that professional researchers use it.

I guess I might note the same about the use of the term
"ethics."  Same thing.  Someone trying to understand the ethics of a
situation, but unsupervised, with no intention of publishing or a
go/nogo decision by peers, may be "deciding" about something, but
hardly is going through the process of ethics review in the sense that
professionals do.

- Chuck Hoffman, GTE Laboratories, Inc.  |  I'm not sure why we're here,
[email protected]                       |  but I am sure that while we're
Telephone (U.S.A.) 617-466-2131          |  here, we're supposed to help
GTE VoiceNet: 679-2131                   |  each other.
GTE Telemail: C.HOFFMAN                  |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 43]
*****************************************