VIRUS-L Digest Tuesday, 23 Apr 1991 Volume 4 : Issue 68
Today's Topics:
RE: Bug in F-Prot 1.15 (PC)
Re: Viraphobia (Re: AF/91 and April Foolism in general)
mac virus question from amateur radio packet (PC)
Re: HyperCard anti-virus script bad (Mac)
Re: AF/91 and April Foolism in general
12-Tricks Trojan (PC)
Boot Sector virus from
[email protected] (South Africa) (PC)
Zenith Dos Writes (PC)
PREVENTION of Drive A: boots - Suggestions Please (PC)
Re: AF/91 and April Foolism in general
re: Virex-PC and PKlite ? (PC)
Re: Viruses
HC virus (Mac)
Azusa Virus Found on factory diskettes
virus on os/2 machines - info needed (PC OS/2)
Updated FPROT115 on BEACH (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 22 Apr 91 10:27:15 -0400
>From: Arthur Gutowski <
[email protected]>
Subject: RE: Bug in F-Prot 1.15 (PC)
[email protected] says in V3 #67:
>now i run f-test only to get the following message:
>program infected with the f-test- virus.
>access denied.
This tells you that f-driver is functioning as it should be. The
USAGE.TXT doc file under F-DRIVER says that when f-test is run is
check whether f-driver is working, it will be stopped just as any
other virus would (NOTE: F-TEST itself is NOT A VIRUS!!). This
message is what you would see if you ran a program that was actually
infected with anything that F-prot knows about.
\Art
------------------------------
Date: 20 Apr 91 07:54:38 +0000
>From: "Eric C. Pan" <
[email protected]>
Subject: Re: Viraphobia (Re: AF/91 and April Foolism in general)
Allow me to comment further on this subject. You would be
mistaken to think that I did not have to deal with viruses..... I can
remember several incidents of major virus infection. One machine
actually had 99% of its applications infected ( and it's 200Mb )
But what we have implemented at our school seems to be
effective at stopping the spread of viri. I believe all of them have
Virex init installed. While that may not be able to stop everything
that comes along, you certainly would not have to scan your machine
daily ( personally, I consider that a terrible waste of manpower, use
programs to fight programs.... don't use people.!)
Eric
------------------------------
Date: Sat, 20 Apr 91 07:34:00 -0500
>From:
[email protected]
Subject: mac virus question from amateur radio packet (PC)
>------------------------------msg------------------------------------
>Date: 19 Apr 91 12:49:35 EDT (Fri)
>From: ka2bqe@ka2bqe.#nwvt.vt.usa.na (Brian Riley)
>Subject: Re: WDEF
>
> Darryl please send this back out to BITNET in response to the WDEF commentary
>--------
>
> That WDEF A is 'mostly benign' is questionable. I recently had a query
>made to the network about an infestation of nVIR B. Upon recommendation, I
>obtained Disinfectant 2.4 and went to work cleaning house in the corporate
>tower at the Village of Smuggler's Notch Resort where I do some part time
>computer work. Of some 14 machines I scanned and cleaned, every one was
>infected with a nVIR B that came to us attached to a copy of Stuffit 1.5.1.
>Moreover every single HD desktop was infected with WDEF A. 85% of the
>floppies were infected. Most machines were SE's or Plus's and a few
>Classics, no II's. All system were complaining of 'minor annoyances';
>premature program terminations, a number of the Plus's had Europa 20
>external HD's and all of them were 50-50 whether or not they would boot
>from HD. There were anumber of other complaints that are hard to
>categorize. ALL complaints stopped upon removal of WDEF A! I installed the
>Protection INIT and everything has run smooth for several days with 0
>complaints.
>
> I am sort of new to Macs (I have 8 years on PCs!) and its brand of virii,
>but this experience would have to make me think that, while not maliciously
>catastrophic, WDEF A is far from 'mostly benign!'
>
> Interesting sidelight on Disinfectant. You cannot sucessfully install the
>INIT on a system that was infected but was cleaned. You must re-boot first.
>I could not find mention of this in the docs, but it is quite verfiable - I
>had almost 20 chances to check it out!
>
> *--------------------------------------------*-----------------------------*
> | 73 de brian @ WULFDEN on Hawk's Mountain | Since when does winning a |
> |--------------------------------------------| war have anything at all to |
> | us snail: Box 188, Underhill Ctr, VT 05490 | do with its being right? |
> *--------------------------------------------*-----------------------------*
>----- End of message 5622 from KA2BQE @ KA2BQE.#NWVT.VT.USA.NA -----
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Darrell G. Leavitt
SUNY Empire State College (ESC) ESC VAX: DLEAVITT
403 Sibley Hall SUNYNET: SESCVA::DLEAVITT
Plattsburgh, New York, 12901 INTERNET:
[email protected]
PHONE : (518) 564-2837 AMATEUR
BitNet : LEAVITDG@SNYPLAVA PACKET: N2IXL @ KD2AJ.NY.USA.NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------
Date: 22 Apr 91 16:45:56 +0000
>From:
[email protected] (Fred Brehm)
Subject: Re: HyperCard anti-virus script bad (Mac)
[email protected] (Michael Kerner) writes:
>Try to send the set command directly to HC and change the script of a
>stack. I have yet to be able to do it.
>... try it and then send me your
>scripts because all I'm getting are error messages with no results.
>Don't send me your ideas, I want working, syntactically correct
>scripts. If they work for me I'll withdraw my previous comments.
>Until then, please prove me wrong.
Using HC 2.0v2, in an empty stack, put the "set catcher" into the
stack script, then make a button with:
on mouseUp
put script of this stack into s
put return & "--" && the date && the time after s
-- this set should be caught by the set catcher
set script of this stack to s
put return & "-- Sorry, Mikey." after s
-- this command won't be caught.
send "set script of this stack to s" to HyperCard
answer script of this stack -- just to see it
end mouseUp
Fred
- --
Frederic W. Brehm Siemens Corporate Research Princeton, NJ
[email protected] -or- ...!princeton!siemens!demon!fwb
------------------------------
Date: Mon, 22 Apr 91 13:07:35 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Re: AF/91 and April Foolism in general
>From:
[email protected] (Dan King)
>Viruses are a problem. A big one. Are they're going to get worse.
>Come on, don't pick on the users. Attack, instead, the virus authors.
The real problem is that MS-DOS, like the Mac OS, has NO integrity
checking and that viruses are remarkably easy to write. It would be
easy to legislate viruses out of existance except that it is difficult
to arrest a virus. Laws are only effective as a remedy after the fact,
most people are more concerned with not being infected in the firstc
place.
>From:
[email protected] (Rick Keir, MACC)
>You HAVE to be vigilant because there are many REAL viruses out there.
This is the only effective procedure. If it places too heavy a burden
on the users than it is up to technology to determine an acceptable
solution. As in many areas of social intercourse, nothing is no longer
acceptable.
>From one standpoint, we have been very lucky to have been stuck by so
many inept and essentially benign viruses over the last few years.
This has given up an effective learning period where ignorance was
both the norm and curable. Today, things are quite different. The
writers of viruses have been learning at the same time we have and
Windows/DOS 5 provide more opportunities for intrusion (actually many
of these "holes" have existed since DOS 3.0 in 1984, jut had not been
exploited).
To those who have been paying attention, it should be obvious that
protection layered on to of DOS is no longer sufficient, integrity
management must (and can easily) start at the BIOS level. The fact
that so many current viruses do so (Stoned, Joshi, MusicBug, Empire,
etc) should be evidence enough.
------------------------------
Date: Mon, 22 Apr 91 13:07:35 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: 12-Tricks Trojan (PC)
>From: "Dr. Martin Erdelen" <
[email protected]>
>At least, a user reports that a certain ANTIVIR (which one?) reports
>an infection.
Some versions of VIRUSCIDE (Parsons Technology) contain the "12
Tricks" signature string & will cause this indication from a number of
other anti-viral programs.
Warmly,
Padgett
------------------------------
Date: Mon, 22 Apr 91 15:18:26 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Boot Sector virus from
[email protected] (South Africa) (PC)
Just received a copy of the boot sector virus and it is a hacked
STONED that has just had the message changed (at least that is what FC
says) As in the STONED the message has two parts, one that is
displayed, and one that is not. The displayed message:
<bell>VIVA Saddam Hussain.!!<bell><cr><lf><lf>
The non-displayed message:
KILL IMPERIALISTS.!
Any good anti-virus or integrity program that finds the STONED should
also reveal this version.
Removal from a hard disk is the same, copy absolute sector 7 (the real
MBR) back to absolute sector 1. On floppies, it is best to copy off
any needed files and reformat the disk. (always boot from a known
clean write-protected floppy by cycling power before attempting any
removal.)
Warmly,
Padgett
------------------------------
Date: Mon, 22 Apr 91 18:03:13 -0500
>From:
[email protected] (Arthur I. Larky)
Subject: Zenith Dos Writes (PC)
Some versions (or maybe all versions) of Zenith MSDOS write the date
and time someplace in the system every time you write a file. If you
have a system without a real-time clock, you can prove this by not
setting date and time when you boot up. It will be set to the time of
the last file write. This does, of course, upset all kinds of
virus-hunting programs.
(I have, on occasion, taken advantage of this property of my Zenith
158).
Art Larky
Professor, CSEE Dept
Lehigh University
------------------------------
Date: Tue, 23 Apr 91 00:50:31 +0000
>From:
[email protected] (Andrew Turner)
Subject: PREVENTION of Drive A: boots - Suggestions Please (PC)
To minimise and manage virusses at our institution I wish to prevent
PC's being booted off Drive A: and only permit booting off the Hard
Disk. This of course immediately presents a management problem of
what to do if the Hard Disk goes bad and I need to boot off a floppy.
So ideally any solution needs to address this situation. Two
possibilities spring to mind:
a. Use of a ROM. This would sit in the appropriate address space and be
detected during the BIOS boot. The code would need to at least
prevent floppy boots and desirably check for a floppy with a particular
label and if detected permit the floppy boot. This would overcome the
problem of a clobbered hard disk.
b. Use of hardware modifications connected to a key switch mounted on
the case which would be used to enable/disable floppy boots. On our
machines the keyboard lock could be used for this purpose.
If you have a solution that does not address all the problems still
respond. ALL suggestions help welcome. For option a., actual code
and/or technical specs would be appreciated. For option b., specific
details please. We run both Wyse 286's and PROTECH 386sx's(towers) all
with hard disks. If I get a meaningful response I'll post a summary.
- --
Andrew Turner :-) | E-mail :
[email protected]
Comp. Services Centre | +61 6 2522414 / +61 6 2522401
University of Canberra |________________ fax +61 6 2522400
P.O. Box 1 BELCONNEN ACT 2616 AUSTRALIA |
------------------------------
Date: Tue, 23 Apr 91 01:40:19 +0000
>From:
[email protected] (Jyrki Kuoppala)
Subject: Re: AF/91 and April Foolism in general
dank@stealth (Dan King) writes:
>|> It seems to me that especially in the computer virus field the lack of
>|> knowledge about computer security in general is often exploited by
>|> various venturers. Sure, there's nothing inherently wrong with
>|> wasting your money spending it on various virus detection programs,
>|> populist books and such.
>
>Now I began to question Mr (? I may be mistaken, my apologies if you
>are actually Ms) Kuoppala.
Well, that's overgeneralizing things a lot, I admit. Just say Jyrki
as the net habit seems to be, no need to Mr. (that's the correct one)
me.
>|> Computer viruses in themselves are not a big problem. The big problem
>|> is persons with no knowledge of the risks involved and no proper
>|> training and/or usage policies using computer systems with nil (or
>|> worse, security-by-obscurity ones) operating system and application
>|> program access controls, with the programs often written by persons
>|> with equal lack of knowlegde. Add to that the lack of source code and
>|> then even if the users were competent enough they couldn't find or fix
>|> the holes and lacks of controls.
>
>Hold it. Wrong. Dead wrong. Computer viruses are a HUGE problem for
>anyone who is even remotely connected with the maintenance of a
>significant number of computers. Ask someone who's home system has
>just had its HD partition destroyed by a virus. Ask someone who is
>ready to go back to a typewriter because their new, spiffy Mac IIci
>crashes at application launches due to WDEF.
Yes, you are somewhat correct about the present situation - I was
unclear in what I was trying to say, although I would still say that
the problem would be a lot less serious if the users had habits of not
booting from every other floppy and using floppies borrowed from a
neighbour.
What I really should have pointed out is that computer viruses wouldn't
be a serious problem if the commonly-used operating systems had even
some decent protection mechanisms provided by the operating system.
By 'commonly-used OSs' I'm now referreing to MacOS (whatever that's
really called) and MS-DOS. Viruses are not a serious problem on Unix
or VMS or VM/something, because the OS provides at least some minimum
access control mechanisms.
>Proper "usage policies"? Pray tell,
>what are these? We could set up fascist-like user rooms where users
>can only submit batch jobs and never touch the computers, but we'd get
>less accomplished that way.
It helps not to boot from friends' floppies, only install programs to
your computer from reliable sources like known vendors and free
software distributors, distribute the installable programs in
write-protected disks, scan the programs you install with some virus
detector and some other simple precautions. If you do the above,
viruses won't get to your system very often, and it doesn't seem to
make life much more difficult.
>Including source code with every program would help eliminate viruses,
>but forgive me if I only pay attention to realistic options.
Well, dunno, I have source source code to every program I run on my
home system and every part of the system, even the ROM monitor and the
PCB. Oh, not every part exactly, I don't have the source code to the
chips (like the processor), there might be some trojans hidden there..
>Likewise
>running only programs not written by "persons with an equal lack of
>knowledge". Whatever that means.
It means something like running an OS whose designers had enough
common sense and expertise to put at least some most basic access
control mechanisms in the OS. Same goes for applications.
//Jyrki
------------------------------
Date: Mon, 22 Apr 91 23:26:37
>From:
[email protected]
Subject: re: Virex-PC and PKlite ? (PC)
> From:
[email protected] (Jun Guo)
>
> Will Virex-PC scan into PKlited files using 'extra compression method'?
> (which cannot be expanded using PKlite -x).
>
> And where can I get a demo version of Virex-PC?
Yup: Virex-PC (Version 1.2 and later) will scan inside of PKLITE
files, including the "extra compression method". You should be able
to get a copy of VIRX, the demo, at most BBS's -- call mine at
(212)-889-6438 if you like.
Ross M. Greenberg
------------------------------
Date: Tue, 23 Apr 91 12:32:00 +0100
>From: <
[email protected]>
Subject: Re: Viruses
There was a question of 'Cezar' about an assumed virus (COMMAND.COM
increased in size, message 'P-CK (1M), etc.). Jeroen W. Pluimers and
Jeroen Smulders ask some questions to get more information about the
problem.
My opinion: P-CK has nothing (?) to do with a virus, it is the
announcement of a parity-check error of the memory on the PC mainboard
( or memory card). The system will not boot (i.e. 'hangs') if parity
errors occur in the RAM- banks. You should boot your system from a
known-good floppy and run a good memory test program. If your system
appears sick, you will have to fix it before you can go for the
virus-bust (if present at all ...)
Good luck!
Pim Clotscher
Erasmus University Rotterdam
Computer Systems Support
------------------------------
Date: Tue, 23 Apr 91 09:13:42 +0100
>From: Norman Paterson <
[email protected]>
Subject: HC virus (Mac)
Have I missed out on an issue? There has been a great deal of
discussion of this virus, and whether it is really a trojan, and how
to combat it, but not a word on (a) where it can be caught, (b) what
it does, (c) how to tell if you have it, or similar hard details.
When I passed on the information to my colleagues, there was very
little to say. Is it a joke? Can we start laughing now?
Norman Paterson
------------------------------
Date: 23 Apr 91 10:51:13 +0000
>From:
[email protected] (Robert Martin)
Subject: Azusa Virus Found on factory diskettes
The Azusa virus has appeared at DTRC. While checking software for
viruses, I found the Azusa virus on several diskettes belonging to a
systems I was checking out. Upon further investigation, I made a
startling discovery. The Azusa virus was found on one of the VGA
utilities disks.
This disk was a 5 1/4 1.2mb HD floppy and was factory read only (no
notch). The virus was on disk one of a three disk set.
The disks were labeled TVGA - 8916. According to the manual, TVGA is
a trademark of "Trident Microsystems, Inc.
I notified our supplier of this finding and had them check their
remaining supply of TVGA software and they verified that ALL of their
disk one of three TVGA - 8916 utilities disks were infected with the
Azusa virus.
This supplier told me that at least 10,000 TVGA units per week are
being distributed worldwide by many suppliers.
I would suggest that if you have these drivers, they should not be
used until verified to be virus-free.
Good Luck ....... Bob
------------------------------
Date: Tue, 23 Apr 91 12:49:03 +0000
>From:
[email protected] (Rainer Foeppl)
Subject: virus on os/2 machines - info needed (PC OS/2)
hello
is anybody aware of any viruses that infect pc using os/2 and having os/2
running.
i am aware of the problems that could arrise if you install dual-boot feature
and if you boot then the machine using dos.
but if you only are an os/2 user - no dos - what problems do you have to expect
?
thanks for any feedback
rainer
[email protected]
- --
Rainer Foeppl
email:
[email protected]
------------------------------
Date: Tue, 23 Apr 91 11:29:00 -0500
>From: John Perry KG5RG <
[email protected]>
Subject: Updated FPROT115 on BEACH (PC)
The updated version of FPROT115.ZIP by Fridrik Skulason in now
available on BEACH.GAL.UTEXAS.EDU. The new version fixes the bug found
in the test module reported in the previous version.
John Perry KG5RG
University of Texas Medical Branch
Galveston, Texas 77550-2772
You can send mail to me at any of the following addresses:
DECnet : BEACH::PERRY
THEnet : BEACH::PERRY
Internet :
[email protected]
Internet :
[email protected]
BITNET : PERRY@UTMBEACH
SPAN : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet : 1:106/365.0
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 68]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
