VIRUS-L Digest Thursday, 21 Mar 1991 Volume 4 : Issue 46
Today's Topics:
Re: Stoned Again (PC)
Re: PKLITE scanning (PC)
Stoned- new version? (PC)
Integrity Checking, programs & system
lab policy
programmatic autoexec tampering? (PC)
Italian 'viruskit' is ordinary 'hack'
Question ? (PC)
Plastique 5.21 IBM Virus Report (PC)
Alternatives to Floppy booting
Re: PKLITE and hidden virus (PC)
Plastique Virus (PC)
CD ROM as virus protection
PKLITE and hidden virus (PC)
DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Tue, 19 Mar 91 12:56:00 +0100
>From: <
[email protected]>
Subject: Re: Stoned Again (PC)
In a message of <13 Mar 91 08:57:12> Fridrik Skulason wrote:
> You never need to low-level format a disk infected by 'Stoned',
> to get rid of the virus. If the virus manages to infect the hard
> disk successfully, you should be able to remove it by booting from
> a 'clean' system disk and running a disinfector program.
I thought so too, but lately got into trouble with some Olivetti M24
pc's ... a [Stoned] infection immediately resulted in some subdirs
full of illegal file entries, lost clusters, and crosslinks.
The same thing happened again within a day after low-level formatting
the system, when another user didn't think it necessary to check his
disk or even removing it while rebooting. So I'm pretty sure it's the
Stoned infection that's causing the FAT and/or DIR problems, it may be
because of a non-standard FDISK that comes with Olivetti's MS-DOS 3.2.
Anyhow, it helps to have a backup :-)
Jan van 't Ent, Apparatuurbeheer (microcomputer support & maint dept)
ERASMUS
[email protected] UNIVERSITEIT telefoon +31 10 4081337
[email protected] usenet ROTTERDAM telefax +31 10 4081372
------------------------------
Date: Tue, 19 Mar 91 10:04:00 -0600
>From:
[email protected]
Subject: Re: PKLITE scanning (PC)
In reply to the PKLITE question. I do not know of any program that
scans an executable that has been compressed using PKLITE. As a
matter of fact I have just been infected by the 1260 virus that was
hidden in a file that was compressed using PKLITE. Scan75 does not
detect the virus until the file has been uncompressed.
jtucker@rckhrst1
------------------------------
Date: Tue, 19 Mar 91 12:09:00 -0400
>From: "Kamran Farahi" <
[email protected]>
Subject: Stoned- new version? (PC)
Hi;
This is my second posting to this group; I'd like to thank everybody
for responding so promptly to my first message. Now let me ask you
another question. We have encountered a new version of STONED on our
pc's. We ran SCAN V75 but did not recognize there is a virus.
However, when we ran F-DISINF V114 this message was displayed: "This
boot sector is infected with a new version of the stoned virus" but
did not remove it!! Does anybody know the cure to this problem?? Are
Mr. McAfee and Mr. Skulason aware of this virus ??.
Thanks again.
------------------------------
Date: 19 March, 1991
>From: Padgett Peterson <padgett%
[email protected]>
Subject: Integrity Checking, programs & system
Note: 44 was the first posting received since 39. Apologies if something
was missed in the middle.
>From: ***CURTIS*** <
[email protected]>
>Subject: Unknown virus help! (PC)
>Yesterday, I ran my virus checker from hard disk. It came up with the
>warning "Virus checker Infected. Do not use" So I ran the
>write-protected version I had on floppy, No virus's found.
Many times virus removal programs will pad the end of a program to an
even boundary following disinfection since the original program size
has been lost. This is usually noticed on .EXE files. If this happens
to a quality anti-virus program, the internal validation routine will
detect the change and flag the user such as Mr. Curtis noticed. I suspect
that he will find that the file on his hard disk is now a few bytes longer
than the original and if DEBUG (yes you can, rename) is used to remove the
"extra" bytes, the program will execute normally.
- -----------------------------------------------------------------------
>From:
[email protected] (Chuck Hoffman)
>Subject: Preformatted disks, flopticals, etc.
>Why can't the disks be formatted? Is the problem related to software or
>hardware, or both?
I was told this by people at both Brier and Insite. At the time I did not
ask why but suspect that a consumer drive may not be able to properly detect
"weak" sectors or that tracking correction information may be hard-coded at
the factory. In the case of fixed disks, I have heard it both ways & suspect
that it may depend on the drive/manufacturer (rumor has it that Packard-Bell
is shipping a "special" version of Ontrack's DISK MANAGER {ver 4.01 ?} to
customers reporting the MusicBug).
The point I was trying to make was that a physically sound disk
NEVER has to be "low-level formatted" just because a virus attacked it,
but is often used as a substitute for proper training.
- ----------------------------------------------------------------------------
>From: "Mark Aitchison, U of Canty; Physics" <
[email protected]>
Subject: Re: PC MS-DOS vs BIOS protection (PC)
HOORAH ! An intelligent discussion (not that I agree with all of the concepts
but at least Mr. Aitchison has done his homework).
>If DOS became the sort of standard that CPM or (better)
>Unix is, where all manner of incompatible hardware run the same o/s,
>then viruses would have a tough time spreading.
Unix is a very good platform but the O/S diversity requires that most
imported files (from Ultrix to Sun say) must be recompiled from the
source code to run properly. Few of the 80+ million DOS users have
this kind of expertise available. The stability and ease of use that has
made the IBM-PC so popular is also favorable for malicious software.
(I live in Florida because I like the climate. Insects also like the climate.
I do not support changing the climate to eliminate the bugs but do have
very fine mesh window screens.)
>So a good anti-virus approach is going to consider the whole system:
>hardware, BIOS, DOS, applications and end-user education. That, I
>think, is a good idea, but you soon end up with something that looks
>nothing like the present PC (or Mac or whatever).
Not necessarily, at least not from the user or software level. I do
not think that users would have a problem with a screen that popped up
during installation or modification, and informed the user that something
was going to happen and did he/she/it mind so long as it was not constant.
For some time I have been using such a package and when installing a new
program from 'leventy floppies received (and scanned) from a trusted vendor,
just turn off the directory the installation is to be into from checking
for the duration.
Similarly, following a modification to WordStar, the next invocation pops a
screen before loading informing me that it has changed and do I want the
signature updated ? A single keystroke returns everything to normalcy & I
would be more disturbed if the screen did not appear.
Admittedly, this is not a "normal" DOS function, but can be added
without affecting performance or functionality. {am running everything
including Prodigy from Windows on the 386KS (kitchen sink) with 120k of
TSRs loaded high (QEMM/DOS 5.00) and 636k "free" (trade and service marks
mentioned). Testing done by wife, son, and assorted cats}.
Point is that it can be layered on to DOS effectively and transparently,
without "expert" help, but needs more than just a simple program, (some
assembly reuired).
Would love to continue this discussion at your place, I hear New Zealand
is beautiful.
- --------------------------------------------------------------------
Not sure if this is from Stan Pickthall or Robert Slade - app
> SCAN does have an "internal" self check, but if a
>"stealth" virus is active in memory, it will defeat any kind of
>integrity check.
NO ! It will not defeat "any kind of integrity check" though "stealth"
will defeat SCAN's if the /nomem switch is in use (wish we had italics) While
the "stealth" seen so far will defeat a program integrity check, it will NOT
defeat a system integrity check (the six bytes). The fact that few anti-virus
programs bother to check system integrity first does not mean that it can't
be done or even that it is difficult. Even CHKDSK will reveal most "sucessful"
anomalies when resident and "stealth" MUST be resident to work.
Padgett
------------------------------
Date: Tue, 19 Mar 91 16:14:57 +0200
>From: Baruch Even <
[email protected]>
Subject: lab policy
Hello,
My father needs to take care of the computers at his work place.
The computers are aranged in a Lab (12 computers) and other computers
in offices.
The main need is to protect the lab as this can be the main place for
viruses to spread from. My father need some guidelines on how to
protect the lab from viruses... If you have some knowledge experience
or any idea that might work (including suggestions for anti-viruses
programs) please send them to me. If there will be interest I'll
summarize to the list...
Thanks in advance,
Baruch Even.
P.S. I know the discussion was some time ago but neither me nor my
father had interest in the topic... (digests to look for are welcomed
too).
+-------------------------------------------------------+
| Baruch Even |
| |
| BitNet -
[email protected] |
| InterNet -
[email protected] |
| S-Mail - Ehad Ha'am 19/2, Rehovot 76260, Israel |
| |
| If Murphy's law can go wrong - it will! |
+-------------------------------------------------------+
------------------------------
Date: Tue, 19 Mar 91 18:49:42 -0500
>From:
[email protected] (Richard Reiner)
Subject: programmatic autoexec tampering? (PC)
A mighty strange thing happened on one our departmental PCs today. I
had just finished using the machine, in the process noting that the
new screen saver I had installed a few days ago was working well. I
moved to another machine in the room, and someone else sat down to
work at the PC in question. Within minutes, she was complaining about
a misbehaving screen saver that would not go away. But it was *not*
the same screen saver I had seen working -- it was an old one we had
removed from autoexec.bat a week before. All this woman had done was
to reboot the machine and then start a comms program -- nothing she
had done should have altered autoexec.bat in any way, but when I
inspected autoexec.bat, its contents were those of a week ago!
I had booted the machine a short time earlier, and the current
autoexec had run, as evidenced by the presence of the new screen
saver. So something replaced autoexec.bat with an old copy of it in
the interim between my booting the machine and her booting the
machine.
I am at a loss to explain this. Is there a known virus or trojan
which tampers with autoexec.bat like this?
//Richard
------------------------------
Date: Wed, 20 Mar 91 20:10:00 +0700
>From: "Jeroen W. Pluimers" <FTHSMULD%
[email protected]>
Subject: Italian 'viruskit' is ordinary 'hack'
Hello all,
I received the following trough bitnet. It is a very bad example of
an ordinary hack.
_
# (_) Jeroen W. Pluimers (Alias: Charly Chaplin)
\___ | _
|~| \ snail: P.O. Box 266
|_| \_ 2170 AG Sassenheim
/ \ # The Netherlands
/ \ | phone: +31-2522-11809 18:00-21:00 UTC
\ / | fidonet: 2:281/521 (The White House)
__\ /__ | fidonet: 2:281/515.3 (Proxyon)
bitnet internet
- ---------------------------------------------------------
[email protected] [email protected]
[email protected] [email protected]
>By: Righard Zwienenberg
>Re: Itialian Virus Board
>At: Sun 17 Mar 91 19:51
>----------------------------------------------------------------------
>I just found out one of the most brutal and ordinary 'hacks' I
>have ever seen. I am talking about a 'Viruskit', which was sent
>to me, abusing Frisk (Parts of F-PROT), McAfee (VIRLIST.TXT), Patricia
>Hoffman (VSUM) and Jan Terpstra
>(VIRSCAN.DAT).
>
>The package, being a shareware package, is 'created' by Mauro Bollini
>of the Italian Virus Board. While unarchiving the file VKIT600.ZIP,
>the following message was be displayed inside a graphic box:
>
>VIRUSKIT ADVANCED RELEASE 6.00
>Il primo vero anti-virus Made in Italy
>Created by Mauro Bollini 1991
>* Shareware Version *
>
>The first thing I noticed was a 4588 byte .SYS-file named SYSCHECK.SYS.
>It tookmy attention because it had the same length as F-PROT's
>F-DRIVER.SYS (1.14a).
>After a short inspection it turned out to be F-DRIVER.SYS, with
>the text translated into Italian and the FRISK001-identifier removed.
>
>This made me susspicious and I checked out some other files. The
>result:
>
>VIR1.LST => SIGN.TXT of F-Prot, but the virusnames are also coded
>VIR2.LST => Slightly modified VIRSCAN.DAT
>VIRDOC.TXT => Virus Summary Headers and Reference Chart
>VIRUS => Modified VIRLIST.TXT
>
>I have not had the time to look at all the other files, but on
>run-time, most most of them look very familiar to the F-Prot package...
>Some of the files were missing because those will be send to one
>if one registers...
>
>The registration-fee for this package is 60.000 lire (about $45)...
>Although all documentation is in Italian and I do not read Italian,
>there isn't a single document stating the source of all the above
>and I doubt if the owners of the original documents/files will
>receive a single penny from it...
>
>The Italian Virus Board recently popped up in the Virus Echo persuading
>people to call it. The one sending me this package logged his session
>(including a chat with the sysop). It is nice to know that this
>system is an 'official member of the european virusnet'. There
>was a list displayed with all
>'members' and our good 'friend' Todor Toderov was on that same
>list as some other known participants of this conference!!!
>
>It is even more sceptical now, because Mr. Bollini loged on into
>INFOdesk claiming to be a researcher and wanted to exchange viruses
>to include new ones in his anti-virus-package...
>
>All data has been or will be forwarded to McAfee, Patti Hoffman,
>Frisk and Jan Terpstra so that they can take appropiate action
>on this.
>
>I do not have to state that downloading this package is a waste
>of money and unethical, do I?
>
>[RiZwi]
------------------------------
Date: Wed, 20 Mar 91 14:30:08 -0500
>From: Padgett Peterson <padgett%
[email protected]>
Subject: Question ? (PC)
Does anyone know of a way to set the return code (ERRORLEVEL) in DOS
without using Int 21 Fn 31 or 4C - I need to be able to do this from a
TSR. If a method is only available with some versions, please let me
know but any thoughts on the subject would be helpful.
Thank you,
Padgett
------------------------------
Date: Wed, 20 Mar 91 15:42:00 -0400
>From: Dan Wheeler <
[email protected]>
Subject: Plastique 5.21 IBM Virus Report (PC)
Several IBM PS/2 computers have been infected at Le Moyne (Syracuse,
NY) with what has been reported by IBM's VIRSCAN as the Plastique 5.21
virus (source unknown).
We're virus novices - besides removing the machines from use and
scanning other machines and disks, what should I do now before using
the infected machines?
[Ed. Follow-ups on VIRUS-L/comp.virus or private email, please.]
- --------------------------------------------------------------------------
Dan Wheeler, Academic Support Specialist
Information Systems, Le Moyne College, Syracuse, NY 13214-1399
Office (315) 445-4582/4565 Home (315) 655-8193
[email protected]
- --------------------------------------------------------------------------
------------------------------
Date: Wed, 20 Mar 91 06:59:55 +0000
>From:
[email protected] (Bob Mason)
Subject: Alternatives to Floppy booting
Bob Eager outlines a revision of a method given in the first reference
for getting boot sectors onto a floppy diskette.
[email protected] (Benchiao Jai) states that the NYU Ultra Lab is
running MINIX as a process under DOS.
Our MINIX-OS class is presently using floppies to boot the system
(v1.2) on AT-clones. We would like to eliminate all booting from
floppies by recabling the drives. This is needed to prevent the spread
of the stoned virus on the C: partition (Minix is on the D:
partition).
I see at least two solution strategies: either start up MINIX as a
process under DOS (as NYU Ultra does), or have MINIX booting directly
off the D: partition. The second method requires us to put MINIX boot
sectors on the D: partition and provide some "user transparent"
switch-active-partition software that is accessible from either
partition. Perhaps a .logoff file on the MINIX side could access the
switch program directly, since we run DOS most of the time.
If anyone has experience using these methods, or any others, to
eliminate booting from floppy, please post a message to this
newsgroup. We need your help. You can also send mail directly to me
(
[email protected]) or to Ken Majithia (
[email protected]).
Thanks very much.
- ---------------------------------------------------------------------------
Bob Mason - Computer Engineering student at SJSU.
(
[email protected])
- ---------------------------------------------------------------------------
------------------------------
Date: Wed, 20 Mar 91 18:30:32 +0000
>From:
[email protected] (Morgan Schweers)
Subject: Re: PKLITE and hidden virus (PC)
[email protected] (Jim Pinson) writes:
>I know some of the virus scanners will look within executable files
>that have been compressed with LZEXE. I believe they scan both before
>and after expansion.
Specifically we decompress partially in memory and check for the
virus in the decompressed code as well as doing a standard check on
the outside of the file.
>Lately I have been using PKLITE to compress executables, and wonder if
>any Virus scanners are capable of looking within the compressed files.
>
>Does anyone have any info on the subject?
>
>Thanks.
>
>Jim Pinson University of Georgia
Greetings,
I've spent a long amount of time attempting to provide PKLITE
protection, but the method used for compression makes it difficult.
I've attempted to talk to Phil Katz about the problem, but I've met a
stonewall.
I don't have enough knowledge of compression techniques to be able
to decompress the code at any reasonable rate of speed.
For right now, the only thing I can suggest is to PKLITE -X the
files, scan them, and re-PKLITE them. This is, IMHO, a serious
security problem.
I will point out that the author of LZEXE was quite willing to
work with us when the problem was pointed out. I'm sure Mr. Katz
would also be, if he considered it a problem.
As a general policy, do you think that it would be better to warn
users that a file is PKLITE'ed and unscanable or to simply ignore it?
Another problem is that PKWare is planning on coming out with a
'professional' version of the program which includes an encryption
portion that can not be -X'ed.
-- Morgan Schweers
+-------
All opinions stated herein are the author's only. So there. Neh!
I *AM*
[email protected] and
[email protected]. One or the other *WILL*
reach me. Enjoy!
------------------------------
Date: Thu, 21 Mar 91 01:27:00 -0400
>From: <
[email protected]>
Subject: Plastique Virus (PC)
HAS ANYONE COME ACROSS A VIRUS CALLED PLASTIQUE. IT HAS
JUST COME UP N THE IBM PC LAB HERE AT LE MOYNE COLLEGE. WE
IDENTIFIED IT VIA IBM'S 12/90 VIRUS SCAN PROGRAM. SO FAR, INDICATIONS
HAVE BEEN THAT AN INFECTED PC WILL START PLAYING A SONG AFTER IT HAS
BEEN ON FOR HALF AN HOUR. NONE OF THESE PC'S ARE HOOKED INTO AN LAN.
THE VIRUS HAS COPIED ITSELF INTO THE EXE FILES. OFTEN, THE INFECTED
MACHINES WON'T BOOT. THEY ACT AS IF THERE IS A NON-SYSTEM DISK IN
THE DRIVE UPON BOOTING. ONE OF THE HARD DRIVES HAS GONE COMPLETELY
DOWN, AND THAT COMPUTER CAN'T EVEN BE BOOTED WITH DOS FROM A FLOPPY.
IF YOU HAVE ANY INFO/QUESTIONS/ETC., PLEASE GET IN TOUCH WITH ME
THANK YOU.
JAY AMORIELL
LE MOYNE MICROLAB STUDENT MGR
AMORIEWJ@LEMOYNE
315/445-4106/6465/6320
------------------------------
Date: Thu, 21 Mar 91 16:46:41 +0000
>From:
[email protected] (Jody Hagins)
Subject: CD ROM as virus protection
I do not know the current state-of-the-art, but it seems to me that by
acquiring software via CD-ROM will eliminate virus occurances. At
least, there is someone to hold responsible, namely, the distributer.
Is it practical to expect this to come about? Would distributers take
the responsibility of guaranteeing their distributions of being
virus-free?
In this way, even if the disk changed hands, there is not much chance
of it being infected with a virus. If you start with a clean system,
and use clean disks for all trabsfers to the computer, this would
eliminate alot of problems.
This is just a thought. Any feedback?
Jody Hagins
[email protected]
Data General Corp.
62 Alexander Dr.
RTP, N.C. 27709
(919) 248-6035
Nothing I ever say reflects the opinions of DGC.
------------------------------
Date: 21 Mar 91 11:36:56 -0500
>From: "PKWARE Inc." <
[email protected]>
Subject: PKLITE and hidden virus (PC)
McAffee's scan program will support PKLITE'd files in the future.
Doug
- --
Douglas Hay
PKWARE Inc.
[email protected]
------------------------------
Date: Sun, 17 Mar 91 12:24:00 -0500
>From:
[email protected]
Subject: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"
[Ed. The complete text of this paper is available by anonymous FTP on
cert.sei.cmu.edu in the pub/virus-l/docs directory under the filename
of virus.strategy.whm]
William H. Murray
Deloitte & Touche
Wilton, Connecticut
A New Strategy for Computer Viruses
PREFACE
This presentation was prepared for and delivered to the
"DPMA 4th Annual Virus and Security Conference" on March 14,
1991.
ABSTRACT
This presentation argues that it is time for a new strategy
for dealing with computer viruses. It reviews the present
strategy and suggests that it was adopted before we knew
whether or not viruses would be successful. It points out
that this strategy is essentially "clinical." That is, it
treats the symptoms of the virus without directly dealing
with its growth and spread.
It presents evidence that at least two computer viruses,
Jerusalem B and Stoned, are epidemic, that more copies are
being created than are being killed. It argues that simply
the growth of the viruses, without regard to their symptoms,
is a problem.
It argues that it is now time for an epidemiological
approach to viruses. A keystone of such an approach will be
the massive and pervasive use of vaccine programs. These
programs are characterized by being resident, automatic,
getting control early, and acting to resist the very
execution of the virus program.
The presentation notes that there is significant resistance
to such a strategy and, specifically, to the use of such
programs. It addresses many of the arguments used to
justify this resistance. It concludes that we will
ultimately be forced to such a strategy, but that, given the
growth of the viruses and the resistance to stragtegy, we
will not likely act on a timely basis.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 46]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
