VIRUS-L Digest Tuesday, 16 Apr 1991 Volume 4 : Issue 62
Today's Topics:
Is virus infection by inserting floppy disk possible? (PC) (Mac)
Do any viruses affect Novell? (PC)
EMPIRE Virus (PC)
Self-extracting archive files (PC)
SCUD Virus (PC)
Re: Joshi Virus in part. table (PC)
Joshi Virus (IBM)
Re: Infoworld article
Re: Azusa (PC)
EMPIRE virus (contd)
Gatekeeper 2.0 (Mac)
scan76-c.zip / vshld76c.zip (PC)
Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)
Azusa Virus (PC)
Stoned removal from memory (PC)
Amiga Virus Listing (Amiga)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 11 Apr 91 19:11:52 -0700
From: [email protected] (Rob Slade)
Subject: Is virus infection by inserting floppy disk possible? (PC) (Mac)
[email protected] (Thomas DiBlasi) writes:
> Is it possible for a virus, trojan, worm, etc. to infect a hard disk
> or RAM simply by inserting an infected floppy into a drive without
> execution??
A short answer: on a Mac, yes. However, most of the Mac virus protection
programs do automatic detection on disk insertion.
On a PC: no. Or at least, not with standard machines. (I use an old NEC
laptop for my comm sessions, and it growls at every disk insertion so it
must be doing *something*. But most PC's don't.)
=============
Vancouver      [email protected]  | "Is it plugged in?"
Institute for  [email protected]  | "I can't see."
Research into  (SUZY) INtegrity   | "Why not?"
User           Canada V7K 2G6     | "The power's off
Security                          | here."
------------------------------
Date: Thu, 11 Apr 91 19:26:02 -0700
From: [email protected] (Rob Slade)
Subject: Do any viruses affect Novell? (PC)
[email protected] (WiseGuy) writes:
> What viruses (if any) affect Novell local area networks? Any DOS
> virus? Over a broadband/ethernet LAN?
I used to tell people that "why should a virus work on a network?
Nothing else does!" However, that doesn't appear to be the case.
Because of remapping of interrupts by network "shells", many viral
programs will not work properly on a network. However, a number do.
Network protection seems to be fairly effective against most, but not
necessarily all, of these, so networks do seem to provide a measure of
protection above that of "plain" MS-DOS.
The people at Novell do not like unsubstantiated claims of viral
programs that purportedly bypass network security, and you can't blame
them. Unfortunately, substantiation is not always easy to come by,
vis the company that called me about a program which reported itself
as the "ICK virus" and was trashing their system. In spite of the
fact that *they* were calling *me* as an expert in the field, they
would not allow me to examine their system. Odd ideas of security
there ...
=============
Vancouver      [email protected]  | "Is it plugged in?"
Institute for  [email protected]  | "I can't see."
Research into  (SUZY) INtegrity   | "Why not?"
User           Canada V7K 2G6     | "The power's off
Security                          | here."
------------------------------
Date: Fri, 12 Apr 91 14:21:16 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: EMPIRE Virus (PC)
In my previous alert on the EMPIRE virus, I had not yet seen the
second sector with the transposed text. Since then I have received
this also and thanks to WordStar (plug) here is the decrypted text.
Note that each sentence is a single line and relies on text-wrapping
by the terminal for legibility.
After study, I suspect that the virus was written first, possibly with
a different message, and had this message inserted later, possibly by
a different person. Is this a quote?
Warmly,
Padgett
Text of encrypted message follows:
I'm becoming a little confused as to where the "evil empire" is these
days.
If we paid attention, if we cared, we would realize just how unethical
this mpending war with Iraq is, and how impure the American motives
are for wanting to force it.
It is ironic that when Iran held American hostages, for a few lives
the Americans were willing to drag negotiation on for months; yet when
oil is held hostage, they are willing to sacrifice hundreds of
thousands of lives, and refuse to negotiate .......
------------------------------
Date: Fri, 12 Apr 91 11:12:54 -0700
From: [email protected] (Rob Slade)
Subject: Self-extracting archive files (PC)
We've had various discussions on the merits of "archived" and "self-
extracting" files for virus protection. The following is from a local
bulletin board:
Original message from: Rene Blais, to: All
-ffected by the presence of header and trailer information.
However, in the case of the newer "spawning" viral programs, this
procedure does nothing at all for detection, because "spawning" viri
never touch the original file, relying on MS-DOS's "execution order
preference" for .COM files, and creating a separate virus file. The
separate file may be hidden from detection in various ways, and still be
"infectious."
=============
Vancouver      [email protected]  | "Don't buy a
Institute for  [email protected]  | computer."
Research into  (SUZY) INtegrity   | Richards' First
User           Canada V7K 2G6     | Law of Data
Security                          | Security
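The "spawning" (companion) technique Rob describes above is the case where a file checksum of the program proves nothing, because the program is never modified: DOS runs NAME.COM before NAME.EXE in the same directory, so the only thing to look for is the pairing itself. The following is an added example, not code from the BBS post or from any product mentioned here; it walks a directory tree and reports every .COM that shadows an .EXE, with the .COM's size, since companion files were typically tiny. A hit is a lead, not a verdict: some legitimate packages do ship both forms. The directory layout it scans is constructed inside the script.

```python
"""Companion ("spawning") virus check: list .COM files that shadow an .EXE.

Under MS-DOS, typing NAME runs NAME.COM before NAME.EXE in the same
directory, so a companion virus can plant NAME.COM next to an untouched
NAME.EXE. Integrity checking of the .EXE sees nothing; the defensive
check is to look for the pairing. (Added example; the demo tree is constructed.)
"""
import os
import tempfile


def find_companions(root):
    """Return sorted (relative_dir, STEM, com_size) triples for every
    directory under root where STEM.COM and STEM.EXE coexist.

    Matching is case-insensitive, as DOS filenames are.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, dot, ext = name.rpartition(".")
            if not dot:                      # no extension at all
                continue
            by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
        for stem, names in by_stem.items():
            if "COM" in names and "EXE" in names:
                com_size = os.path.getsize(os.path.join(dirpath, names["COM"]))
                hits.append((os.path.relpath(dirpath, root), stem, com_size))
    return sorted(hits)


def demo():
    """Build a constructed sample tree and scan it.

    Contains one shadowed program in the root, one in a subdirectory with a
    lower-case .COM (DOS would still prefer it), and a lone .COM that
    shadows nothing.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "UTIL"))

        def put(rel, size):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"\x90" * size)     # filler bytes, not a real program

        put("WP.EXE", 40000)                 # clean program, never modified
        put("WP.COM", 600)                   # small .COM that would run first
        put("UTIL/FORMAT.COM", 7000)         # lone .COM, nothing to shadow
        put("UTIL/LIST.EXE", 20000)
        put("UTIL/list.com", 512)            # case differs; still a companion
        return find_companions(root)


if __name__ == "__main__":
    for reldir, stem, size in demo():
        print(f"{reldir}\\{stem}.COM shadows {stem}.EXE ({size} bytes)")
```

To check a real drive, call `find_companions("C:\\")` (or the mount point of the image) and review each reported pair by hand; the .COM's size and date relative to its .EXE are usually enough to tell a vendor-shipped pair from a planted one.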
------------------------------
Date: 12 Apr 91 20:01:34 +0000
From: [email protected] (Ray Dunn)
Subject: SCUD Virus (PC)
We are investigating a possible minor infection by a virus which
infects the master boot partition record of IBM compatibles and which
can be identified by the letters SCUD appearing in its body.
At present we know very little about it other than the fact that it
appears to corrupt the hard disk and may also (in another
incarnation?) corrupt the CMOS, specifically by changing the floppy
disk type configuration.
We are still at a very early stage of the investigation, i.e. we
haven't separated the facts from the misinformation yet, so I
apologize for the vagueness.
If anyone has any knowledge of such a virus, I'd appreciate it if they
got in touch with me ASAP.
Thanks, I'll post the eventual outcome.
--
Ray Dunn.                    | UUCP: [email protected]
Philips Electronics Ltd.     |       ..!{uunet|philapd|philabs}!philmtl!ray
600 Dr Frederik Philips Blvd | TEL : (514) 744-8987 (Phonemail)
St Laurent. Quebec. H4M 2S9  | FAX : (514) 744-9550  TLX: 05-824090
------------------------------
Date: 13 Apr 91 02:25:56 +0000
From: [email protected] (Paul McGuire)
Subject: Re: Joshi Virus in part. table (PC)
padgett%[email protected] (Padgett Peterson) writes:
>>From: [email protected] (Tony Locke)
>
>>We have a machine with Joshi on it and can't find something to kill
>>it. Anyone have any ideas (have tried SCAN 74B)
>
>As I recall, the Joshi stores the real MBR (partition table) code in
>cyl 0 head 0 sector 9 (should be able to tell by looking).
>To recover, just cold boot from a known clean write-protected floppy and
>use DEBUG to copy the real MBR back to sector 1. The rest of the virus code
>will still be on (hopefully) unused sectors on cyl 0 but will be cut off from
>execution & harmless.
I have an IBM-AT that won't boot from drive c:, but comes up fine from
a floppy, at which point the c: drive seems to be okay. FPROT114
f-fchk tells me my files are fine, f-syschk tell me my memory is fine,
however f-disinf tells me I have joshi but fails to cure it. I tell
f-disinf to cure it, it says I'm cured, but if I run it again it again
tells me I'm infected and the computer still won't boot from the hard
disk.
Is this an FPROT bug? Am I perhaps multiply infected? Can I trust
the identification of Joshi and perform the above sector 9 to sector 1
copy, or does FPROT's failure indicate more serious problems that the
copying won't fix or will make worse?
Thanks for any help,
Paul McGuire
------------------------------
Date: Sat, 13 Apr 91 13:51:00 -0400
From: "MICHAEL L. LERNER" <MLLERN01%[email protected]>
Subject: Joshi Virus (IBM)
My friend's hard drive has been infected by the Joshi Virus. It's
taking up about 4-6K at present, and it's messing with his 5 1/4
drive... He ran a program that is supposed to kill viruses, but it
didn't help. Does anyone know how to get rid of this particular
virus? Any help will be appreciated.
Mike
------------------------------
Date: 13 Apr 91 17:16:16 +0000
From: [email protected] (Michael Nolan)
Subject: Re: Infoworld article
padgett%[email protected] (A. Padgett Peterson) writes:
>ps I left a similar message on Mr. Cringely's voice mail system. It
> has not been returned.
Try [email protected]. You're much more likely to get a reply by e-mail.
------------------------------
Date: Sun, 14 Apr 91 01:18:43 -0700
From: [email protected] ()
Subject: Re: Azusa (PC)
padgett%[email protected] (Padgett Peterson) writes:
>
> It seems that quite a few folks are getting hit by the AZUSA
>virus. Removing it, while not very difficult, is complicated by the
>fact that the virus has completely overwritten the master boot record
>code so that the original cannot be simply retrieved from another
>location as with most such viruses (STONED, JOSHI, etc). Since the
>virus has also overwritten the ASCII warning messages, simple patching
>of the virus code to remove the infection is not a good solution.
>
..source code deleted...
I got a copy of the virus from my friend. I did find a copy of the
original boot sector on the disk (floppy); not sure about the
partition table though, since my hard drive is not infected. It was
located on the second to the last sector.
Does anyone know whether this virus infects all floppies or just some?
I am planning to write a program to write the original boot sector back,
since my version of CLEAN does not recognize it yet. Are there any virus
experts against this? Say so fast, my program is almost ready..
--Nelson
[email protected]
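Two posts in this issue describe the same recovery: Padgett's Joshi note (boot from a clean write-protected floppy, then use DEBUG to copy the saved MBR from cylinder 0, head 0, sector 9 back over sector 1) and Nelson's plan to write the original floppy boot sector back from the second-to-last sector. The script below is an added example, not Nelson's program nor Padgett's DEBUG session; it does the copy on a raw image taken with a disk-imaging tool instead of on the live drive, so the result can be diffed and the step rerun. The sector locations are assumptions taken from the two posts, not verified here; pass whatever sector you have confirmed by looking. Before writing anything it checks that the saved copy carries the 55 AA boot signature (and, for an MBR, sane partition-entry boot indicators) and that it actually differs from sector 1, which is exactly the kind of cross-check Paul asked for above when F-DISINF kept reporting a cure that did not stick. The demo images are constructed and contain no virus code.

```python
"""Restore a boot sector from the copy a boot-sector virus parked elsewhere.

Added example working on a raw image, not the live disk. Assumed layouts,
both taken from posts in this digest and not verified here:
  * Joshi: real MBR kept at cylinder 0, head 0, sector 9 (Padgett)
  * Azusa on a floppy: copy in the second-to-last sector (Nelson)
"""
SECTOR = 512


def sector_offset(sector):
    """Byte offset of a 1-based linear sector number. On track 0 (cyl 0,
    head 0) linear sector 9 is the same thing as CHS sector 9."""
    if sector < 1:
        raise ValueError("sectors are numbered from 1")
    return (sector - 1) * SECTOR


def read_sector(image, sector):
    off = sector_offset(sector)
    return image[off:off + SECTOR]


def plausible_boot_sector(sec, partition_table):
    """Sanity check before writing anything back: 55 AA boot signature, and
    for an MBR every partition entry's boot indicator must be 00 or 80."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    if partition_table:
        return all(sec[446 + 16 * i] in (0x00, 0x80) for i in range(4))
    return True


def restore_boot_sector(image, saved_sector, partition_table=True):
    """Return a new image with the saved copy written over sector 1.

    Refuses when the copy fails the sanity check (wrong sector given) or
    already equals sector 1 (disk is clean, or the copy is not where the
    caller thinks). The saved copy is left in place, as Padgett suggests:
    cut off from execution, it is harmless.
    """
    saved = read_sector(image, saved_sector)
    if not plausible_boot_sector(saved, partition_table):
        raise ValueError(f"sector {saved_sector} does not look like a boot sector")
    if saved == read_sector(image, 1):
        raise ValueError("sector 1 already matches the saved copy; nothing to do")
    return saved + image[SECTOR:]


def constructed_image(total_sectors, saved_sector, partition_table):
    """Constructed demo image: placeholder bytes in sector 1, a plausible
    original parked in saved_sector. No real virus code is involved."""
    real = bytearray(SECTOR)
    real[0:3] = b"\xeb\x3c\x90"          # typical boot code start: jmp short / nop
    if partition_table:
        real[446] = 0x80                 # first partition entry bootable
        real[446 + 4] = 0x06             # partition type: FAT16
    real[510:512] = b"\x55\xaa"
    bogus = bytearray(SECTOR)
    bogus[0:11] = b"PLACEHOLDER"         # stands in for the virus loader
    bogus[510:512] = b"\x55\xaa"
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = bogus
    off = sector_offset(saved_sector)
    image[off:off + SECTOR] = real
    return bytes(image)


def demo_joshi():
    """Hard-disk track 0 (63 sectors) laid out as the Joshi post describes."""
    return restore_boot_sector(constructed_image(63, 9, True), 9)


def demo_azusa_floppy():
    """360K floppy (720 sectors) with the copy in the second-to-last sector;
    a floppy boot sector has no partition table, so that check is skipped."""
    total = 720
    return restore_boot_sector(constructed_image(total, total - 1, False),
                               total - 1, partition_table=False)


if __name__ == "__main__":
    fixed = demo_joshi()
    print("restored MBR starts with", fixed[:3].hex(), "boot flag", hex(fixed[446]))
```

For a real case, read the image with `open(path, "rb").read()`, call `restore_boot_sector` with the sector you found, and write the returned bytes to a new file; compare the two images before writing anything back to a drive.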
------------------------------
Date: Mon, 15 Apr 91 08:36:15 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: EMPIRE virus (contd)
Since the last posting (Virus-L and Valert-L), yet another strain of
the EMPIRE virus has appeared. For the moment it would seem that the
University of Alberta (Canada) is the only victim. The second strain
has the same characteristics except that this one encrypts each
infection differently.
For the moment, the best detection is by the initial JMP, which is the
same in both strains and is the virus's signature to itself: "EA 9F 01
C0 07" (jmp 07C0:019F). This will pick up both.
Warmly,
Padgett
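Padgett's five bytes make a usable scan signature for a disk image, and they are also a small lesson in reading x86 far jumps: EA is the opcode, then the 16-bit offset (9F 01 = 019F) and the 16-bit segment (C0 07 = 07C0), each little-endian, which is why the bytes appear reversed relative to the "07C0:019F" notation. Segment 07C0 is the address at which the BIOS loads a boot sector (linear 7C00h), so the jump lands at offset 19Fh inside the 512-byte sector itself. The script below is an added example, not from Padgett or any scanner of the period; it checks every sector of a raw image for the prefix, reports the sector numbers, and decodes the jump. A five-byte prefix is a coarse test, so a hit is a reason to pull the sector and look, not a verdict. The floppy images it scans are constructed and contain only those signature bytes.

```python
"""Scan raw disk/floppy images for the EMPIRE boot-sector signature.

Added example. The signature bytes come from Padgett's post; everything
else (sector numbering, the constructed images) is an assumption of this
script, not a description of the virus.
"""
SECTOR = 512
EMPIRE_SIG = bytes.fromhex("EA9F01C007")   # from the post: jmp 07C0:019F


def decode_far_jmp(code):
    """Decode an absolute far JMP (opcode EA) to (segment, offset).

    Returns None if the bytes do not start with a far jump. The operand is
    little-endian offset first, then little-endian segment.
    """
    if len(code) < 5 or code[0] != 0xEA:
        return None
    offset = int.from_bytes(code[1:3], "little")
    segment = int.from_bytes(code[3:5], "little")
    return segment, offset


def has_empire_signature(sector):
    """True when the sector begins with the EMPIRE far jump."""
    return sector[:len(EMPIRE_SIG)] == EMPIRE_SIG


def scan_image(image):
    """Return the 1-based numbers of every sector that starts with the
    signature. Sector 1 is the boot sector; a hit elsewhere may be a copy
    the virus or a backup tool left behind and deserves a look as well."""
    hits = []
    for n, off in enumerate(range(0, len(image), SECTOR), start=1):
        if has_empire_signature(image[off:off + SECTOR]):
            hits.append(n)
    return hits


def scan_file(path):
    """Scan an image file on disk (e.g. one produced by a raw copy of a floppy)."""
    with open(path, "rb") as fh:
        return scan_image(fh.read())


def constructed_image(infected):
    """Constructed 720-sector (360K) floppy image.

    The clean variant starts with the usual DOS jmp short / nop; the
    'infected' variant only carries the five signature bytes, nothing more.
    """
    image = bytearray(720 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[510:512] = b"\x55\xaa"
    if infected:
        boot[0:5] = EMPIRE_SIG
    image[0:SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    seg, off = decode_far_jmp(EMPIRE_SIG)
    print(f"signature decodes to jmp {seg:04X}:{off:04X}")
    print("infected demo hits:", scan_image(constructed_image(True)))
    print("clean demo hits:", scan_image(constructed_image(False)))
```

Because the second strain encrypts each infection differently, only this unencrypted entry jump is stable; a scanner that keys on any later byte of the sector will miss the new strain, which is the point Padgett is making.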
------------------------------
Date: Mon, 15 Apr 91 12:47:40 +0000
From: [email protected]
Subject: Gatekeeper 2.0 (Mac)
In response to my comp.virus post I got this e-mail message from
[email protected] (Dave Platt) of New Technologies Group, Inc.,
Palo Alto CA:
> 2.0 will probably be some time in arriving... it turned out to be a
> bigger rewrite than Chris Johnson anticipated.
> Version 1.2 is currently in beta-test... it has a cleaner interface
> than 1.1.1 and fixes quite a lot of problems. It's quite nice.
> I'd guess that it'll be ready for release sometime around the
> end of the month... but that's just a guess.
Can anyone out there validate this? If so, what does the Version 1.2
interface look like and exactly what has been improved?
And this time post the answer on comp.virus.
------------------------------
Date: Mon, 15 Apr 91 09:52:32 -0500
From: James Ford <[email protected]>
Subject: scan76-c.zip / vshld76c.zip (PC)
The following files have been placed on mibsrv (130.160.20.80) in the
directory pub/ibm-antivirus:
scan76-c.zip
vshld76c.zip
These files replace scanv76.zip and vshld76.zip. The file clean76.zip has
been removed until a maintenance release is issued from Homebase. Clean75.zip
is still available for downloading.
----------
A road map always tells you everything except how to refold it.
----------
James Ford - [email protected], [email protected]
The University of Alabama (in Tuscaloosa, Alabama)
------------------------------
Date: 15 Apr 91 15:28:37 +0000
From: [email protected] (Chuck Hoffman)
Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)
[email protected] (Thomas DiBlasi) writes:
>
> Is it possible for a virus, trojan, worm, etc. to infect a hard disk
> or RAM simply by inserting an infected floppy into a drive without
> execution??
Yes, the WDEF virus on the Macintosh can do this. By the time the
icon for the floppy appears on the screen, ALL the disks shown on the
screen will have been infected, both hard disks and floppies. WDEF is
benign, and is easily deleted, and is detected by Virex before the
icon appears on the screen, but the answer to your question is yes.
WDEF is the only virus I have been hit with. A friend sent me a text
file with a description of (you guessed it) WDEF infections! I also
got a shrinkwrapped diskette from a software subscription service
which had WDEF on it, but by then I had Virex on the system so the
system did not pick up the WDEF.
- Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
[email protected] | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131 | here, we're supposed to help
GTE VoiceNet: 679-2131 | each other.
GTE Telemail: C.HOFFMAN |
------------------------------
Date: Mon, 15 Apr 91 13:08:17 -0600
From: J Picazzo <[email protected]>
Subject: Azusa Virus (PC)
Hi,
Last week, I was told I was struck by the Azusa virus... I was told to
use McAfee's SCANv75. What I found was not the Azusa virus, but one
called AirCop. Can this virus reside in a network? How does it work?
J Picazzo
ITESM Campus San Luis - MEXICO
------------------------------
Date: 16 Apr 91 05:12:37 +0000
From: Paul Evans <[email protected]>
Subject: Stoned removal from memory (PC)
I am writing a virus protection utility and am wondering if someone
could give me some insight into how to remove Stoned from memory (besides
rebooting).
thanks
[email protected]
------------------------------
Date: Tue, 16 Apr 91 16:10:00 +1000
From: [email protected]
Subject: Amiga Virus Listing (Amiga)
Does anybody have a list of AMIGA viruses and their actions? There is
an excellent list available for the IBM PC. Any info would be
appreciated.
Thanx
Wayne.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 62]
*****************************************