VIRUS-L Digest Wednesday, 3 Apr 1991 Volume 4 : Issue 52
Today's Topics:
New Mac Hypercard Virus (Mac)
Questions re. UNIX viruses (UNIX)
VSHIELD vs F-DRIVER (PC)
Re: Re:Mutation of Stoned/Implications for self check (PC)
Re: Whale virus, can anybody find it? (PC)
FDISK; partitions starting at 0,0,2; Stoned virus; (PC)
F-PROT 1.13 vs. 1.14 Bug? (PC)
Help on key press (PC)
How to kill Stoned in partition table (PC)
Re: Need information about VIRUS BUSTER
Re: Taking out A: & USSR BBS
SILITEK virus (PC)
Reviews placed on MIBSRV
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: 01 Apr 91 17:48:00 +0000
From: [email protected] (SoftPlus, Paul Cozza,PRT)
Subject: New Mac Hypercard Virus (Mac)
For SAM 3.0 Users:
A new Macintosh HyperCard virus has been found and has been named the
HC Virus. The virus infects only HyperCard stacks, and is mostly
annoying. With SAM 3.0 you can download the latest Virus Definitions
file from the Symantec bulletin board which includes both detection
and repair of stacks infected with this virus. You can also enter a
virus definition via SAM Virus Clinic 3.0 if you only require
detection capabilities for this virus. The proper virus definition for
SAM 3.0 is included here.
*************************************
SAM 3.0 Virus Definition For HC Virus
Open the Data Definitions dialog in SAM 3.0 Virus Clinic by choosing
"Add Definition (Data)" from the Definitions menu. Then enter the
following information:
Virus Name: HC Virus
File Type: STAK
Search String pop-up menu: ASCII
Search String text field: if char 1 to 2 of LookAtDate <11
The string in the Search String text field above is an ASCII string.
Blank areas between words are spaces. The string IS case sensitive.
As a guard against incorrect entry, SAM 3.0 has a "Check field" in the
Definitions dialog boxes. If all of the above information is entered
correctly, then your check field should be A0BD.
Note that SAM 2.0 had the capability to detect and repair HyperCard
viruses (such as Dukakis), but did NOT have a data definitions entry
dialog. This is new to SAM 3.0.
Paul Cozza
SAM Author
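An added example, not SAM's code and not Paul Cozza's: the same data definition applied as a byte-exact signature scan in Python. SAM selects files by the Macintosh file type STAK, which lives in Finder metadata rather than in the file body, so here each file's four-character type code is supplied alongside its contents (an assumption of this example); the stack scripts are constructed for the demonstration and stand in for real HyperCard stack contents.

```python
# Added example (not SAM's own code): apply the HC Virus data definition
# above as a plain, case-sensitive signature scan.  SAM keys on the
# Macintosh file type STAK; that metadata is not in the file body, so the
# caller supplies each file's type code (an assumption of this example).
HC_SIGNATURE = b"if char 1 to 2 of LookAtDate <11"   # Search String from the definition
HC_FILE_TYPE = "STAK"                                  # File Type from the definition


def find_signature(data, signature=HC_SIGNATURE):
    """Return every byte offset at which the signature occurs.

    bytes.find is an exact match, so the comparison is case sensitive,
    as the definition requires."""
    hits = []
    pos = data.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = data.find(signature, pos + 1)
    return hits


def scan_files(files, file_type=HC_FILE_TYPE, signature=HC_SIGNATURE):
    """files maps a name to (type_code, contents).

    Only files whose type matches are examined, mirroring SAM's File Type
    field.  Returns {name: [offsets]} for the files that carry the signature."""
    report = {}
    for name, (type_code, contents) in files.items():
        if type_code != file_type:
            continue
        hits = find_signature(contents, signature)
        if hits:
            report[name] = hits
    return report


# Constructed sample "stacks": HyperTalk-style script text standing in for
# stack contents.  Neither is a real HyperCard stack.
INFECTED_STACK = (
    b"on openStack\n"
    b"  put the date into LookAtDate\n"
    b"  if char 1 to 2 of LookAtDate <11 then beep\n"
    b"end openStack\n"
)
CLEAN_STACK = (
    b"on openStack\n"
    b"  if char 1 to 2 of lookatdate <11 then beep\n"   # differs only in case: no match
    b"end openStack\n"
)
SAMPLE_FILES = {
    "Address Book": (HC_FILE_TYPE, INFECTED_STACK),
    "Home": (HC_FILE_TYPE, CLEAN_STACK),
    "notes.txt": ("TEXT", INFECTED_STACK),   # same bytes, wrong file type: skipped
}

if __name__ == "__main__":
    for name, offsets in scan_files(SAMPLE_FILES).items():
        print(f"{name}: HC Virus signature at byte offset(s) {offsets}")
```

Run stand-alone it reports only "Address Book"; the clean stack differs from the signature in case alone and is not flagged, and the TEXT file is never examined because its type does not match, which is exactly how the File Type field narrows SAM's search.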
------------------------------
Date: Mon, 01 Apr 91 20:18:49 +0000
From: [email protected] (Dave Gilmour)
Subject: Questions re. UNIX viruses (UNIX)
Our company is currently under contract to provide some software to a
customer that is worried that, because our system is connected to the
USENET, it could potentially become infected with a virus and
subsequently transmit that virus to their machine via the delivered
software.
Given this, I basically have three questions:
1) Are viruses a problem on UNIX machines that are connected to the
net? We do not accept binary UNIX sources on our machine, so I
presume that trojans are more likely to be a problem than viruses.
2) If viruses are out there ready to infect my UNIX machine, is there
any software that I can run to detect/remove them from my machine?
3) What steps should I take in order to "reduce the risk" |-)
Any help in the matter will be greatly appreciated. As always, if
there is sufficient interest I will summarize to the net.
Thanks.
System Info : ISC2.2 System V R3.2, Everex Step 386/33
__________________________________________________________________________
David A. Gilmour |
[email protected]
Excalibur Systems Limited | uunet!mitel!cunews!micor!esleng!dag
Kanata, Ontario, Canada |
------------------------------
Date: Mon, 01 Apr 91 17:11:46 -0500
From: Jeff <[email protected]>
Subject: VSHIELD vs F-DRIVER (PC)
I am looking for comments on Vshield vs F-Driver running on a
Novell network. Thanks in advance.
Jeff
LAN Administrator
Georgia State University
usgjej@gsuvm1
[email protected]
------------------------------
Date: Tue, 02 Apr 91 10:50:00 +1200
From: "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: Re:Mutation of Stoned/Implications for self check (PC)
[email protected] (David.M.Chess) writes:
> ... Someone that I trust to be reasonably knowledgeable
> in such things told me awhile back something like (I didn't write it
> down) this: some hard disk controllers keep some information about the
> structure of the hard disk on the hard disk itself, in the MBR.
An area, up to 17 bytes, before the partition table, is used by some
older XT controllers to store disk type parameters, instead of using
CMOS or jumpers.*
This isn't a problem for sensible checkers, since the area cannot gain
control (even if it does contain nasty stuff), so long as the rest of
the sector is still okay. The IMMUNISE program works around that area,
for example.
Mark Aitchison, Physics, University of Canterbury, New Zealand.
* Info courtesy of Peter Johnson, still half asleep when I phoned.
------------------------------
Date: 02 Apr 91 10:59:23 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Whale virus, can anybody find it? (PC)
[email protected] (J.C. Kohler) writes:
>I have a computer which is infected by the Whale virus, but none of
>the virus-scanners I use can find it. I found the virus on the
>computer about a week ago, using McAffee's scan. I removed the
>infected files, but it keeps coming up.
One possible explanation might be that most existing scanners only
detect the "standard" 30 forms of the Whale, but recently some new
forms have appeared. There are rumors they are created by a
"configuration" program which swaps out entire modules, if it finds
Whale present in memory, but this has not been confirmed.
-frisk
------------------------------
Date: Tue, 02 Apr 91 08:39:12 -0700
From: [email protected] (John-David Childs)
Subject: FDISK; partitions starting at 0,0,2; Stoned virus; (PC)
>> Nick Fitzgerald <[email protected]> wrote
>> Some OEM versions of DOS (some of them still
>> labelled MS DOS) with version numbers 3.0 and above have versions of
>> FDISK that still begin the first partition at 0,0,2 - from memory, I
>> think Falcon DOS 3.1 is one such. This may give a tiny bit more
>> usable disk space, but causes grief after a Stoned strike.
>Padgett Peterson <padgett%[email protected]> replied:
>[stuff deleted] One point though: A disk could be partitioned with FDISK 1.00
>even though a later version of DOS is loaded. I would like to hear from the
>readers if they have come across any later partitioning software that does
>not use "hidden sectors" as described.
One of our computer labs on campus uses Computerland DOS 3.1
(the FDISK version number is listed as "BC88/BC286 FDISK ver 3.0")
which begins the first partition at 0,0,2. A few months back, the lab
got hit with the Stoned virus and we discovered that F-PROT 1.13 would
not disinfect the stoned virus properly so we ended up having to
reinstall the machines from scratch every time the PCs got infected
(until I wrote a small C program to get rid of it...thanks to the
VIRUS-L readers). F-PROT 1.14 DOES properly disinfect the Stoned
virus from machines whose partitions begin at 0,0,2. When used in
conjunction with F-DRIVER.SYS at startup, I've had no trouble with
removing the virus. If F-DRIVER.SYS or some other detection utility
was not loaded at startup (F-DRIVER.SYS halts the PC if a virus is
detected), then Nick's and Padgett's comments about corrupted FATs
etc. would be apropos.
John-David Childs
Consultant, University of Montana CIS
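An added example that is not code from IMMUNISE, F-PROT, or any poster in this digest: a small Python MBR inspector covering both points raised in the thread. Its fingerprint leaves out the 17 bytes immediately before the partition table that Mark Aitchison describes earlier in this digest as controller-written, so a controller updating its disk parameters does not trip the self-check, while any change to the boot code, the partition table or the signature does; and it decodes the partition table to flag a first partition that begins on cylinder 0, head 0, such as the 0,0,2 layout discussed above, where no hidden sectors separate the partition from the MBR. The 512-byte layout constants are standard MBR facts; the sample sectors are constructed here and are not images of a real disk.

```python
# Added example (not IMMUNISE, F-PROT or any poster's code): an MBR
# self-check that skips the controller parameter area, plus a partition
# table check for a first partition starting on cylinder 0, head 0.
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE = 0x1BE                      # four 16-byte entries at bytes 446..509
ENTRY_SIZE = 16
PARAM_AREA = 17                         # "up to 17 bytes" before the table (Aitchison)
PARAM_START = PART_TABLE - PARAM_AREA   # bytes 429..445 are excluded from the fingerprint


def encode_chs(cyl, head, sec):
    """Pack cylinder/head/sector into the 3-byte form used by MBR entries."""
    return bytes([head & 0xFF, (sec & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


def decode_chs(raw):
    """Inverse of encode_chs; returns (cylinder, head, sector)."""
    head = raw[0]
    sec = raw[1] & 0x3F
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return cyl, head, sec


def build_mbr(start_chs, lba_start, sector_count, ptype=0x06):
    """Constructed sample sector: filler code, zeroed parameter area, one
    active partition entry and the 0x55AA signature.  Not a real disk image."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PARAM_START - 5)
    params = b"\x00" * PARAM_AREA
    entry = (b"\x80" + encode_chs(*start_chs) + bytes([ptype])
             + encode_chs(0x3FF, 15, 17) + struct.pack("<II", lba_start, sector_count))
    table = entry + b"\x00" * (ENTRY_SIZE * 3)
    return code + params + table + b"\x55\xAA"


def mbr_fingerprint(sector):
    """SHA-256 over the sector minus the controller parameter area.

    That area cannot gain control, so leaving it out loses nothing; the boot
    code, the partition table and the signature are all covered."""
    if len(sector) != SECTOR_SIZE or bytes(sector[510:]) != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    covered = bytes(sector[:PARAM_START]) + bytes(sector[PART_TABLE:])
    return hashlib.sha256(covered).hexdigest()


def mbr_unchanged(sector, baseline):
    """Self-check: compare against a fingerprint recorded when the disk was known clean."""
    return mbr_fingerprint(sector) == baseline


def parse_partitions(sector):
    """Decode the non-empty partition table entries into dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE + i * ENTRY_SIZE
        entry = bytes(sector[off:off + ENTRY_SIZE])
        if entry[4] == 0:                     # partition type 0 marks an unused slot
            continue
        lba_start, count = struct.unpack_from("<II", entry, 8)
        parts.append({
            "active": entry[0] == 0x80,
            "type": entry[4],
            "start_chs": decode_chs(entry[1:4]),
            "end_chs": decode_chs(entry[5:8]),
            "lba_start": lba_start,
            "sectors": count,
        })
    return parts


def first_partition_in_track_zero(sector):
    """True when the first partition starts on cylinder 0, head 0 (e.g. CHS
    0,0,2): no hidden sectors separate it from the MBR, so the rest of
    track 0 is file-system data rather than reserved space."""
    parts = parse_partitions(sector)
    if not parts:
        return False
    cyl, head, _ = parts[0]["start_chs"]
    return cyl == 0 and head == 0


# Constructed samples: the 0,0,2 layout from the thread vs the usual one.
LEGACY_MBR = build_mbr((0, 0, 2), lba_start=1, sector_count=40000)
STANDARD_MBR = build_mbr((0, 1, 1), lba_start=17, sector_count=40000)

if __name__ == "__main__":
    for label, mbr in (("0,0,2 layout", LEGACY_MBR), ("0,1,1 layout", STANDARD_MBR)):
        p = parse_partitions(mbr)[0]
        print(label, "start CHS", p["start_chs"], "LBA", p["lba_start"],
              "no hidden sectors:", first_partition_in_track_zero(mbr))
    baseline = mbr_fingerprint(STANDARD_MBR)
    drifted = bytearray(STANDARD_MBR)
    drifted[PARAM_START] = 0x11          # controller rewrote a parameter byte
    print("parameter-area change tolerated:", mbr_unchanged(bytes(drifted), baseline))
```

The baseline fingerprint should be taken from a disk known to be clean and stored somewhere the MBR code cannot reach (a write-protected floppy, in 1991 terms); a check that keeps its reference value in the sector it is checking verifies nothing.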
------------------------------
Date: Tue, 02 Apr 91 09:45:29 -0700
From: [email protected] (Richard W Travsky)
Subject: F-PROT 1.13 vs. 1.14 Bug? (PC)
I have an older version of the Jerusalem virus (2 years or so) I use
for testing. F-Prot version 1.13 detects and removes it, version
1.14a detects it but doesn't remove it, saying it's an unknown
variant.
Does anyone have any other information or similar reports on version
differences? I've sent this on to Mr. Skulason, but I don't think my
mail is getting through.
Richard Travsky
Division of Information Technology Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming (307) 766 - 3663 / 3668
------------------------------
Date: Tue, 02 Apr 91 18:01:17 +0000
From: [email protected] (PC-Operator)
Subject: Help on key press (PC)
We are having trouble with the key press virus and would like some
information about it.
We clean our machines regularly with SCAN which seems to work, but it
always shows up again. Is this a common problem with this virus (it
could of course be due to people bringing infected disks but sometimes
it shows up only an hour after we have cleaned the machine)?
If anybody has the signature we would appreciate it if he/she could mail
it. (We would like to scan a partition on our UNIX system without
using MS-DOS.)
Please send the above information to:
[email protected]
Thanks Martin
------------------------------
Date: Tue, 02 Apr 91 23:25:15 +0000
From: [email protected] (Ken West - Entomology)
Subject: How to kill Stoned in partition table (PC)
How does one kill the Stoned virus when it resides in the partition
table of a hard drive? Does McAfee's clean kill it? I've had no
trouble killing it in boot sectors with f-disinf but it won't get it in
the PT. Thanks in advance!
=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=
Kenneth J. West Ever notice how war is particularly ugly
[email protected] when you try to explain it to children?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------------------------------
Date: Tue, 02 Apr 91 23:42:13 +0000
From: [email protected] (Andrew Turner)
Subject: Re: Need information about VIRUS BUSTER
[email protected] (Robert Grapes) writes:
>I am trying to obtain as much information as possible about a product
>called VIRUS BUSTER. The only information I have about it is that it
>appears to be an Australian product. Any help would be greatly
>appreciated.
Virus Buster is marketed by:
Leprechaun Software Pty Ltd
PO Box 134
Lutwyche Queensland 4003
Australia
A contact for them is Lindsay Hough +61 7 2524037
At the University of Canberra we have just purchased a site license
after reviewing a number of antivirus products. As with all of them
it has its pros and cons. I was surprised to find an Australian
product able to keep track of the latest virii, these guys seem to
have the right sources. The product approaches the Virus problem from
very sound principles and while signatures are used it is recognised
that with the exponential growth in virii this approach has limits.
Virus Buster also uses ISO standard check-summing at very low levels
to defeat virii which attempt to catch and defeat check-summers.
For the State-side listeners, Virus Buster markets out of
Leprechaun International
2284 Pine Warbler Way (pretty name eh!)
Marietta Georgia 30062 USA
404 971 8900
fax 404 971 8988
I would be happy to accept queries via e-mail.
PLEASE NOTE THAT THIS POSTING IS NOT AIMED AT PROMOTING THIS PRODUCT OVER
ANY OTHER. SO LET'S NOT HAVE A NEWS WAR!!!
I believe that
--
Andrew Turner :-) | E-mail : [email protected]
Comp. Services Centre | +61 6 2522414 / +61 6 2522401
University of Canberra |________________ fax +61 6 2522400
P.O. Box 1 BELCONNEN ACT 2616 AUSTRALIA |
------------------------------
Date: Tue, 02 Apr 91 11:01:00 -0800
From: "[email protected]"@MDCBBS.COM
Subject: Re: Taking out A: & USSR BBS
[email protected] (Morgan Schweers) writes:
> Greetings,
> I recently recommended to a network site that they lock their 'A'
> drives with a network boot diskette in them. Their 'B' drives should
> remain unlocked for data transfer. There are many companies that make
> disk drive door-locks, and this is a much 'nicer' solution than
> removing the drive entirely. In fact, one could lock the drive doors
> WITHOUT a disk in them, thus forcing a boot from the HD, and still
> allowing access to the B drive by anyone (and access to the 'A' drive
> by the computer-manager).
I know a lot of sites (and will probably use this in my own setup
soon) in which one small PC is the lone interface to the outside
world. It is a one way gate. There is no way to communicate from the
PC to the internal systems, only from the internal systems to the PC.
The PC connection to the world is two way. This is a hardwire job,
and thus effectively prevents a virus attack from getting any further
than the PC (which is kinked with all kinds of detection and
elimination code).
------------------------------
Date: Wed, 03 Apr 91 09:28:36 -0500
From: Dj Merrill <DEEJ%[email protected]>
Subject: SILITEK virus (PC)
Shows a bunch of hearts, smiley faces, etc. on the screen - says
something to the effect 'Copyright 1989 by SILITEK' Anyone ever hear
of this?? SCAN75 apparently doesn't find it... Know of something to
clean it?
-Dj Merrill
[email protected]
------------------------------
Date: Mon, 01 Apr 91 14:57:03 -0600
From: James Ford <[email protected]>
Subject: Reviews placed on MIBSRV
Several antivirus package reviews by Rob Slade and Chris McDonald have
been placed on MIBSRV (130.160.20.80). These reviews are located in
the directory pub/ibm-antivirus/0REVIEWS. These reviews were taken
from cert.sei.cmu.edu's pub/virus-l/docs/reviews directory.
Note: The directory name *is* case sensitive. You must specify 0REVIEWS
in caps (that's "zero"REVIEWS, not "oh"REVIEWS).
The file vsum9103.txt has been placed online. This is the text version
of vsum9103.zip.
Hopefully I have all the permissions set right on the files this time! :-)
----------
Help fight truth decay.
----------
James Ford - [email protected], [email protected]
The University of Alabama (in Tuscaloosa, Alabama)
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 52]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253