VIRUS-L Digest Thursday, 2 May 1991 Volume 4 : Issue 73

VIRUS-L Digest Thursday, 2 May 1991 Volume 4 : Issue 73

Today's Topics:

STONED Info Needed (PC)
Re: What's so bad about self-extracting archives?
Virus help sought (PC)
New Viruses ? (PC)
FRODO (4096) found at NIH (PC)
New files on MIBSRV (PC)
Re: PREVENTION of Drive A: boots - Suggestions Please (PC)
Info on PRINT SCREEN P-2 VIRUS (PC)
F-prot v1.13 (PC)
Product Test - IBM Anti-Virus Product (PC)
Questionnaire

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 30 Apr 91 21:56:54 +0000
>From: [email protected] (Ronald E. Dalton)
Subject: STONED Info Needed (PC)

I would greatly appreciate any information readers may have on how
Stoned is spread, especially in a Novell environment. Since this is
probably a repeated request please mail replies. ([email protected]) Thanks
in advance.

------------------------------

Date: Wed, 01 May 91 10:20:00
>From: [email protected]
Subject: Re: What's so bad about self-extracting archives?

magnus%[email protected] (Magnus Olsson) writes:
> I'm sorry if this question seems a bit naive, but why are people so
> concerned about the risk of virus-infected self-extracting archive
> files?
>
> Can't you just first run the archive file through your favourite virus
> checker, and if it passes the test extract it, and then test the
> individual files that were inside it? Or have I missed something?

Well, yes, I suppose you could, but it involves an extra step which
is unnecessary. The other objection I have with self-extracting
archives is that you're stuck with extracting the whole lot, even if
you only want to find out what the !@#$%^&*() thing does. If it's not
a self-extracting archive, you can use a shell like SHEZ (or, even,
just extract the .doc files) and do it much faster and easier.
....Ron

===============================================================================
Internet: [email protected] | "You can lead a horse to
ACSnet: [email protected] | water, but if you can
Bitnet: Murray_RJ%[email protected] | get him to float on his
UUCP : uunet!munnari.oz!cc.curtin.edu.au!Murray_RJ | back you've really got
Amateur Packet Radio: VK6ZJM@VK6BBS.#WA.AUS.OC | something"
TCP/IP: 44.136.204.14, 44.136.204.19 | -- Murphy's Law I
===============================================================================

------------------------------

Date: Wed, 01 May 91 13:27:25 +0100
>From: T Dowling <[email protected]>
Subject: Virus help sought (PC)

I wonder whether anybody can help me please ?

I have managed to pick up a virus, on a PC, which adds between about
1580 and 1595 bytes to the end of .COM, .EXE, .OVL, and several other
files. Apart from this, there seems to be no other effect to the
system.

A friend ran a virus checker program on one of the files, which
identified the virus as 'A mutation of the Green Catapiller virus',
but was unable to remove the virus.

Does anybody have any information on this virus please, or know what
event will trigger it off ?

Thanks in anticipation,

Tim Dowling.
([email protected]).

------------------------------

Date: Wed, 01 May 91 10:34:48 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: New Viruses ? (PC)

Recently, I have received questions from two different people
concenting activities that sound suspicious yet do not match any of
the charactoristics that I am aware of. If anyone has further
information, elucidation would be appreciated.

Oddity #1: Several XT class machines exhibit the following: all Master
Boot Records (partition table) have 17 bytes written into
offset ACh-BDh (immediately before P-table). These bytes are
an executable fragment containing the following assembly code:

1E PUSH DS
07 POP ES
BB007C MOV BX,7C00
B90100 MOV CX,0001
BA8000 MOV DX,0080
000000

I am told that any attempt to replace the MBR results in an
unbootable machine and if the locations are zero'd using Norton,
the code immediately reappears.

Oddity #2: Single 386/SX20 found the an unusual MBR which appears to be
the second half of "something". The MBR will operate normally
if called with DX=0. If called with a non-zero DX and if a data area
from offset 03-15 is filled, amoung other activities, an interrupt
between 42h and 59h will be trapped (which one is found in the
data region, unfilled in the fragment I received). The code
has all of the normal error messages and appears otherwise normal
e.g. no attempt to modify 413 is made.

If any reader has seen anything like this, a reply would be appreciated.

Warmly (only 93 yesterday)
Padgett

------------------------------

Date: Wed, 01 May 91 12:10:49 -0400
>From: <[email protected]>
Subject: FRODO (4096) found at NIH (PC)

Just wanted to report that we were recently infected by virus FRODO
(4096) in PC and network server. This virus apparently was imported
from Israel. It appears that Norton Anti-virus works well in
destroying this virus.

We would appreciate any more information/comments about this virus
from readers.

Bob Ketterlinus NIH/LCE/SSED

------------------------------

Date: Wed, 01 May 91 15:26:43 -0500
>From: James Ford <[email protected]>
Subject: New files on MIBSRV (PC)

New files have been uploaded to MIBSRV for anonymous FTP in the directory
pub/ibm-antivirus. They are:

clean77.zip - McAfee's Clean version 77
scanv77.zip - McAfee's Scan v77
netscn77.zip - McAfee's NetScan v77
vshld77.zip - McAfee's VirusShield v77

vsum9104.zip - Hoffman's Virus Summary List, April 1991 edition (binary)
vsum9104.txt - Hoffman's Virus Summary List, April 1991 edition (text)
- ----------
All progress stems from change but all change is not necessarily progress.
- ----------
James Ford - [email protected], [email protected]
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date: 01 May 91 16:23:50 +0000
>From: [email protected] (j chapman flack)
Subject: Re: PREVENTION of Drive A: boots - Suggestions Please (PC)

[email protected] (Wm E Davidsen Jr) writes:
>I mailed this to the original poster, but here's my idea. I suggested
>it to a vendor, but they haven't used it, or at least not yet.
>
>Have in the CMOS a "boot path" which works like the PATH variable, and
>specifies which devices are to be tried, in what order. This allows
>disable of floppy boot, as well as boot from B: if A: fails or if you
>have one 5-1/4 and one 3-1/2, etc.
>
>Use a password to allow access to change the configuration. If the
>password takes too much room, save three bytes of CRC20 plus a value
>for length range 1-15 characters. Length zero could mean "no
>password."

AST Research implements all of this. They included every detail
needed to make a workable system: 1) you can set a boot path in the
CMOS, 2) the setup program is in firmware, so you can change the boot
path if you can't boot, 3) a password can be required to get into the
firmware setup.

Then they added a "feature": if the hard drive won't boot, it will
automatically override your boot path and boot the diskette. Grr.
Furthermore, if your hard drives are on a SCSI, it NEVER believes you
have a hard drive, so it ALWAYS overrides your boot path. GRR. This
is because it only checks the CMOS to see if you have a hard disk,
rather than following the drive parameter table vector to see if
there's a table. This is /* flame ON */ inexcusable, because there
are tons of disk subsystems, not just SCSI, that have their own
firmware and build their own parameter tables. This is common
knowledge.

*Sigh*. They were close... I think IBM got it all right in the PS/2
firmware. But you have to buy a PS/2 to get it....

- --
Chap Flack Their tanks will rust. Our songs will last.
[email protected] -Mikos Theodorakis

Nothing I say represents Appropriate Roles for Technology unless I say it does.

------------------------------

Date: 01 May 91 19:54:36 +0000
>From: [email protected] (Salim)
Subject: Info on PRINT SCREEN P-2 VIRUS (PC)

I am looking for information on the Print Screen P-2 virus. Seems
like there is no cure except to reformat the disk. If anyone knows of
a vaccine to cure this virus, I would be very thankful for the name of
the vaccine and where I could find it.

Any help or advice would be greatly appreciated.

Salim.

------------------------------

Date: 02 May 91 14:01:44
>From: [email protected] (Juha Hemminki)
Subject: F-prot v1.13 (PC)

I would like to know why the version of F-chk I have (1.13) wants to
write a temporary file called LZ__TEMP.TMP to DOS current directory.
That happens only when f-fchk scans INST_DSK.EXE from hyperdisk
speedkit. The tmp file is always deleted after scan. Size of the TMP
file si 22888 bytes and it seems to have code from the scanned file in
it.

I would like to know what causes this. None of the virus scanners I
have available has reported any virusinfection. Any suggestions or
information is appreciated

BUT PLEASE REPLY BY E-MAIL.
- --
H E M M O
Juha Hemminki
[email protected]
The last true gentleman alive

------------------------------

Date: Mon, 29 Apr 91 15:09:01 -0700
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Product Test - IBM Anti-Virus Product (PC)

*******************************************************************************
PT-34
April 1991
*******************************************************************************

1. Product Description: The IBM Anti-Virus Product is a program to detect
computer viruses in the PC-DOS (MS-DOS) and OS/2 environments.

[Ed. The remainder of this product review has been placed on
cert.sei.cmu.edu, for anonymous FTP, in
pub/virus-l/docs/reviews/mcdonald.ibm.anti-virus. Thanks Chris!]

------------------------------

Date: 09 Apr 91 16:10:40 +0100
>From: [email protected] (Paul A. Taylor)
Subject: Questionnaire

[Ed. I would simply like to emphasize that this questionnaire is
entirely optional.]

Here's a questionnaire concerned with computer security and its
related issues. Please complete it by replying with the question
number and the number of the option listed with it, that most closely
corresponds to your view.

I am in the second year of a PhD investigating the issue of computer
security in its social context. All responses will be treated with
total confidentiality and none of their content will be used verbatim
in the research without the prior consent of the respondent.

I EMPHASISE THAT THIS RESEARCH IS FOR PURELY ACADEMIC PURPOSES.
VERIFICATION OF MY ACADEMIC STATUS AND NATURE OF THE RESEARCH CAN BE
SUPPLIED UPON REQUEST, AS WILL THE FINDINGS WHEN EVENTUALLY COLLATED
AND ANALYSED.

Q1) What is your nationality?

Q2) What is your gender?
[1] Male
[2] Female

Q3) What is your age?
[3] 15-20
[4] 21-30
[5] 31-40
[6] Over 40

Q4) What is your job title?

Q5) Which of the following best describes your organisation?
[7] academic
[8] commercial manufacturing
[9] commercial R&D
[10] consultancy
[11] commercial services (e.g. banking)
[12] public serivices
[13] other (please state)

Q6) Which of the following are features of your computing environment?
[14] central multi-access mini/mainframe(s)
[15] single-worker workstations
[16] local area network(s)
[17] wide area network(s)

Q7) How would you describe the computing security arrangements and
practices within your organisation?
[18] too strict
[19] adequate
[20] lax

Q8) Do you have any formal qualifications in computing? e.g.
[21] B.Sc.
[22] M.Sc.
[23] Ph.D.
[24] other (please state)

Q9) What's the length of your professional experience?
[25] 1-5 years
[26] 6-10 years
[27] 11-15 years
[28] more than 15 years

Q10) Name any professional or computer-orientated interest group to
which you belong.

Q11) How long have you maintained a serious interest in computing?
[29] 1-5 years
[30] 6-10 years
[31] More than 10 years

Q12) Would you describe this interest as:
[32] mainly professional
[33] professional and recreational (please describe the latter)

Q13) Have you ever had experience of...
[34] a malicious hack
[35] a harmless browse
[36] a viral-type incident
[37] none of these

Q14) If so, how many times?
[38] 0-5
[39] 6-10
[40] more than 10

Q15) Was it...
[41] a virus
[42] a worm
[43] a trojan horse
[44] none of these, please specify.

Q16) How serious were the problems it caused?
[45] very
[46] not very
[47] not at all serious

Q17) Would you say that the computing industry's concern about viruses
has been...
[48] about right
[49] insufficient
[50] excessive
[51] hysterical

Q18) Would you describe non-destructive unauthorised access to data as
a crime?
[52] yes
[53] no
[54] don't know

Q19) Are you happy with current legislation concerning computer
security?
[55] yes, it's about right
[56] no, it's too draconian
[57] not strong enough
[58] don't know

Q20) Do you think the computing industry would gain from a more
professional structure?
[59] yes
[60] no
[61] don't know

Q21) In your view, who poses the greatest threat to systems/data
security?
[62] "insider" disaffected employees
[63] "external" cracker/browsers
[64] about the same risk

Q22) Do you think there are any potentially useful aspects to virus-
producing techniques? (e.g. serendipitous improvements in
programming methods)
[65] yes, please specify
[66] no
[67] don't know

Q23) Are there any beneficial (side) effects to system-breaking?
[68] yes, please specify
[69] no
[70] don't know

Q24) Do you have any knowledge or interest in "Cyberpunk" culture/
fiction?
[71] yes
[72] no

Q25) Do you think that browsing/cracking/virus incidents, will, in
the future...
[73] increase
[74] decrease
[75] stay the same

THANK YOU FOR YOUR TIME AND EFFORT, PLEASE CONTACT ME BY E-MAIL IF
YOU WOULD LIKE TO DISCUSS THESE ISSUES IN MORE DEPTH OR IF YOU ARE
INTERESTED IN THE RESULTS OF MY RESEARCH.

Paul A. Taylor,
Depts of Economics and Politics,
University of Edinburgh.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 73]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253