VIRUS-L Digest   Thursday, 16 May 1991    Volume 4 : Issue 84

Today's Topics:

Re: PC-security/password
re: The Shape of the World (PC)
PKWare ZIP -AV cracked (PC)
Partition Table Viruses (PC)
Virus destroys data at Oxford Univ (England)
VIRUSSUM format
New Boot Infector (PC)
RM_NOINT Virus Remover (PC)
New INNOC (Version 5) (PC)
Revised Product Test - - VIREX-PC, version 1.20 (PC)
Review of Eliminator (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Sat, 11 May 91 09:17:00 -0400
From:    "Ignorance HATES Knowledge..........!!" <[email protected]>
Subject: Re: PC-security/password

Resent-From: "A. Andrew Brennan" <[email protected]>

    Thought you might be interested in seeing this - don't know if
  you are on this list ...

    A. Andrew Brennan

{you don't know me from Adam - but he didn't have a belly button ... }

- ----------------------------Original message----------------------------

I agree that Disk Manager PC is a fantastic product. It uses a boot
block protection scheme which doesn't let the user bypass it when they
boot with a floppy disk. It also has some interesting side effects
that may be worth noting --- since this program doesn't allow
modifications to the boot-block of a hard disk -- it tends to inhibit
the reproduction of boot-block type viruses. This program is NOT
marketed by mentioning this -- it simply seems to be an artifact of
the program. I attempted to infect a DMPC protected disk with a LIVE
boot block virus (of the stealth variety) and it just didn't work.

Hope that helps a bit!

Bob Martin -- Eastern KY U -- Academic Computing
Bitnet: acsmartin@eku

------------------------------

Date:    Wed, 15 May 91 17:12:49 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: re: The Shape of the World (PC)

>From:    [email protected]

>Remember that we can't even get the user community (the folks who
>spend their hard earned money to buy my products!) to make backups to
>protect themselves.

Partly our fault: we have never taught good hygiene to people. I
generally back up my data files as they are created. Since my program
disk is fixed, it is backed up as part of my weekly defrag. True, most
people who have not had losses do not understand backing up - one
reason why we are looking at things like Bernoulli Transportables as
part of our weekly maintenance and CD-ROMS for standardised software,
and have an annual computer security briefing that emphasizes such
things as backups & how to recognize unusual behaviour.

>Maximal Protection! That's what the market seems to clamour for.

Because part of the education we have failed to provide is what the
risks really are. My opinion is that a good regimen (screening &
briefings) plus an integrity routine that will detect anomalies is
what the general population needs. Detecting intrusion immediately
reduces risks to the point that even quarterly updates (as a scanner
would require) cannot be justified. A limited number of scanners for
the techs and administrators are justifiable both from a maintenance
and a training standpoint.

For large corporations, the cost of a site license can be lost in the
noise compared to the cost of trying to administer several thousand
updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3
man-years not to mention the distribution nightmare). Much easier to
take a one-time installation hit plus automatic installation at the
warehouse as part of the distribution process.

>And the marketing dudes I work with closely at Microcom tell me what
>we can lose a site license because of and where our strong points are:

So be the first to offer BIOS level checking & authenticated paths as
part of the boot process.

>So, when one of our competitors says "Yes, but do you want to risk
>even the slightest chance of getting infected with this virus if it
>escapes into the wild.", my marketing can respond "Ha! We already
>protect you against that nasty virus!".

How about "There are only x ways a virus can get into a system, if it
is a virus we have seen, we will identify it. If it is something else,
we will detect the change and warn the user immediately. Nothing can
identify an unknown virus, but its activity can be detected." Of
course the biggest problem is elimination of false positives but a
dollop of AI should permit the program to learn who is permitted to do
odd things.

In my experience, most corporate environments are stable enough to
make the learning period short. In the last year we installed such a
package on many thousands of PCs with nearly every known program and
every OS from DOS 2.x to beta versions of DOS 5 and the major problems
(development machines, Zeniths writing to boot sectors, word processor
quirks) were annoying but relatively easy to solve. Today, when a user
gets a warning screen, it is usually a virus or other "anomaly" that
we needed to know about anyway.

As far as what the user wants, quantum economics applies. There are
certain things that are automatic disqualifiers: noticeably degraded
performance, insufficient free memory to run programs, excessive false
alarms, failure to detect well known viruses. Only once these step
functions are satisfied will relative merits/demerits such as cost
(no. 1), ease of installation, documentation, & support come into play
on a linear decision basis.

Today, the sheer diversity of anti-viral products demonstrates that,
as in pointing devices and user interfaces, the One True Answer has
yet to be found.

                                       Warmly,
                                               Padgett

everything herein my own opinion & may or may not have any relation to
reality

------------------------------

Date:    Wed, 15 May 91 17:13:00 -0600
From:    Keith Petersen <[email protected]>
Subject: PKWare ZIP -AV cracked (PC)

I have received word from a reliable source that there is now a PKWare
ZIP authentication verification (-AV) cracker going around called
MAKEAV.  It will generate registration numbers so that people can
create their own serialized ZIPs.

MAKEAV was apparently used to make the bogus SCANV78.ZIP which was
warned about in a recent posting by McAfee Associates.

PKWare has been notified.

Keith
- - - -
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC and CP/M archives  -  [192.88.110.20]
Internet: [email protected]    or    [email protected]
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz             BITNET: w8sdz@OAKLAND

------------------------------

Date:    Wed, 15 May 91 21:39:50 -0230
From:    "Anthony H. Galway" <[email protected]>
Subject: Partition Table Viruses (PC)

       Our PC labs have recently become victims of several
partition table viruses, namely Bloody!, Azusa and Stoned.  I find
that McAfee's CLEAN works well on the STONED allowing it to clean the
partition table almost all the time (rarely, though it happens, it
seems to be too far gone and I end up doing a format), but the BLOODY!
virus seems to be a bit more advanced; more often than not the CLEAN
program claims that it can not safely remove the virus from the
partition table ... and so ....format C:!

       Now am I the absolute soul of naivete by taking this action,
or am I doing the only thing possible? Is there any better anti-viral
around that can handle partition table problems? If not is there any
way to better protect ourselves?

       FYI: We use the latest version of Scan, Vshield, and Clean taken
            from Simtel (we have the site licence), plus we are not
            averse to getting a better package commercially if it will
            satisfactorily protect us.

P.S.    Where can I get a comprehensive list of the effects and symptoms
       of known viruses?

I appreciate any help.

- --
Anthony H Galway            |\_/|    I tried to think up something either
[email protected]    (` ')    profound or witty to put here ......
[email protected]      |"|                 I couldn't.

------------------------------

Date:    Thu, 16 May 91 09:09:52 +0100
From:    Anthony Appleyard <[email protected]>
Subject: Virus destroys data at Oxford Univ (England)

(from Daily Telegraph (UK national newspaper), Wed 15 May 1991)
[University computer virus wipes out studies]
The work of dozens of students and researchers at Oxford University has
been destroyed by a computer virus. The virus was brought into the
university on a contaminated floppy disk and unwittingly passed on from
terminal to terminal. As a result, thousands of hours' work were lost,
including several entire theses. The virus had been designed in Spain as a
protest against telephone charges. Once fed into a computer's memory, it
lay unnoticed, growing each time the machine was switched on. On the 400th
occasion, it came to life, garbling everything stored in the computer and
filling the screen with a message in Spanish saying "Lower tariffs, more
service". Thames Valley police Fraud Squad are to link up with Spanish
police to try to trace the culprits, although Det Sgt Gerald Causer said it
was unlikely that any charges could be brought. "Students and researchers
move from computer to computer within the university and unwittingly spread
the virus. This is a particularly nasty one and the university is the first
place in Britain where it has been discovered." he said.
{A.Appleyard} (email: [email protected]), Thu, 16 May 91 09:00:08 BST

------------------------------

Date:    Thu, 16 May 91 16:09:14 +0000
From:    [email protected] (Volkmar Kuhnle)
Subject: VIRUSSUM format

For about half a year, I regularly acquired the new VIRUSSUM.DOC by
Patricia Hoffman. Compliments to Mrs. Hoffman for her excellent and
detailed work!

But over the months a lot of new viruses (and strains of existing ones)
have been uncovered, so that VIRUSSUM.DOC grew in size. Since the
current version is more than 500 K in length, it is getting
harder and harder to find information about a special virus in
a file of this size, since I have to use a normal editor.

I came to the conclusion that an ASCII file is not appropriate for the
distribution of so much data. Therefore I would suggest to supply
future versions as DBF files (dbase format). Database programs which
are able to read DBF files are very common in the PC world. And it
would be much easier to find information about a virus quick in
a DBF file than in an ASCII file.

Any suggestions? Please e-mail them to this list, because I want to
start a discussion about the distribution of virus information.

Volkmar Kuhnle
[email protected]

------------------------------

Date:    Thu, 16 May 91 02:55:07 -0400
From:    [email protected]
Subject: New Boot Infector (PC)

Here is a new boot infector. I have a removal utility called NO_NOINT
that removes it. It will be available on most FTP sites soon. I
have also updated my INNOC utility to INNOC5 to handle this new virus.
..<MM>.

Noint Virus
-----------
(The Furtive Stoned Virus)


The Noint Virus was reported by Todd Fisher of Cleveland, OH, in May
of 1991. This is a furtive Boot Sector infector capable of infecting
Hard disks as well as diskettes. It was reported that Noint can
infect Novell networks. The action of Noint is reminiscent of that
of the Stoned virus. (Stoned is the most prevalent Boot-sector virus
in the US). Since Noint has, in addition, the ability to hide itself
-which the Stoned does not-  it's possible that Noint may become even
more widespread than the Stoned in time.

The virus spreads ONLY by booting (or attempted booting) from an
infected disk(ette).  If an infected diskette is left in a clean
machine, and the machine turned off without removing the disk, the
next time the computer is turned on, the virus will become RAM-
resident as soon as the machine reads and executes the Boot sector
of the diskette in Drive A:, even though a "Non-System Disk or Disk
Error" is issued.  By the time the operator removes the infected
diskette and presses any key to continue booting, the virus has
already infected the hard disk. It remains active in RAM, waiting
for the next diskette to be inserted.  From then on, every time
the computer is booted from the hard disk, the virus will become
TSR and continue infecting new diskettes. A simple dir read of a
diskette is sufficient to infect it. Noint does not infect files.

Like the Stoned, the virus moves a diskette's original Boot Sector
to Track 1, Sector 3 and writes itself in the Boot Sector's
place. In the case of hard disks, it's the Partition Table that
gets displaced to Track 0, Sector 7; the virus then writes itself
into its place.

If an infected system is booted from a clean, non-infected system
diskette, however, the virus will not be active. Files may then be
copied and disks accessed without fear of infection. This is the
approach to use when cleaning up an infected system.

The virus checks diskettes to see whether they are already infected
by itself. If so, it doesn't try to infect them again. This feature
has been used to develop an immunization program that effectively
fools the virus into thinking that the immunized diskette is already
infected, thus preventing infection. The program is included. It will
immunize fresh diskettes and clean up infected ones, as long as the
process is carried out on a clean system.

A separate utility is provided to clean up infected hard disks. This
utility has been tested on DOS systems only. Read the accompanying
DOC files. Additional work to allow cleaning up the virus in Novell
systems without lengthy reformatting and reinstallation needs to be
done.

No manipulation tasks (damaging or otherwise) have been detected.
However, since the virus stashes away the original Boot Sector of
infected diskettes to the end of the Directory table, some diskette
directory entries may be corrupted or overwritten. This may give the
effect of displaying "unusual" filenames when a dir of the diskette
is listed.

There are two major differences between the action of the Stoned and
that of Noint: Noint doesn't use any BIOS calls (INT calls) as such.
(thus: "No-Int"). Instead, it calls Int 13 by its direct address to do
all reading/writing to disk.  Therefore, while the Noint virus will
probably work on most IBM-compatible machines, it may not be able to
run on all hardware.

The second difference between Noint and the Stoned is that Noint is a
furtive ("stealth") infector, while the Stoned is not. It hides its
code on disk as long as it's present in memory.  Again, this is
accomplished by means of a direct JMP to Int 13 code, causing a
redirection. If the Boot Sector/Partition Table are examined while
the Noint virus is in memory, the virus will not allow its code to be
visualized, will redirect the Read and display instead the original
Boot Sector which it has stashed away. This furtiveness works on some
machines but not on all.

A suitable search string for the Noint virus is:
           -------------

  FF 2E 0C 01 00 53 51 52 56 57 06 BE 02 00 B8 01 02 B9
  01 00 BB 00 02 0E 07 32 F6 9C 2E FF 1E 0C 01 73 0F 33

The above string contains an instance of bypassing a DOS Int call, as
well as part of the read-redirection routine, so it should be typical
of this virus and not cause false alarms. This string should be found
in all Boot Sectors/Partition Tables of disks infected by it.  If
desired, either the upper or lower half only of the above string may
be used with fair reliability to detect the virus.  The string may
be used with Norton Utilities, or with any of the virus scanners that
accept replaceable, user-provided search strings, such as IBM's VIRSCAN.
The characters may need to be reformatted or re-spaced to comply with
the format requirements of each scanner.

- ------------------------------------------------------------------
This file and the attached utilities are provided
as a public service by:

CompuService Norwalk
P.O. Box 385
Norwalk, CT 06852
(203) 847-8992

May, 1991
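
The description above gives a search string (usable whole or as either half) and the sector locations where the displaced original Boot Sector/Partition Table is stashed. The following Python script is an added example, not code from this post or from the CompuService Norwalk / Mike McCune utilities: it normalizes the published search string into whatever spacing a scanner wants, scans a sector for the full string or either half, converts a CHS address into a byte offset in a raw disk image, and checks whether the sector at the stash location still looks like a DOS boot sector. The disk image is constructed in the file, the 360K geometry (2 heads, 9 sectors per track) is assumed, the reading of "Track 1, Sector 3" as cylinder 1, head 0, sector 3 is an assumption, and the signature offset 0x40 inside the constructed sector is arbitrary.

```python
"""Boot-sector triage for the Noint/Stoned family (added example).

Uses the search string and stash locations from the Noint description.
Disk image, geometry and CHS interpretation below are constructed/assumed.
"""
import re

# Search string exactly as published, in two halves; the text notes that
# either half alone can be used with fair reliability.
NOINT_UPPER = "FF 2E 0C 01 00 53 51 52 56 57 06 BE 02 00 B8 01 02 B9"
NOINT_LOWER = "01 00 BB 00 02 0E 07 32 F6 9C 2E FF 1E 0C 01 73 0F 33"

SECTOR_SIZE = 512


def parse_hex_string(text):
    """Accept the string in any spacing/punctuation a scanner might use
    ("FF 2E", "FF2E", "FF,2E", "ff 2e") and return raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in search string")
    return bytes.fromhex(digits)


def format_hex_string(data, sep=" "):
    """Re-space a signature for a scanner with its own format rules."""
    return sep.join(f"{b:02X}" for b in data)


def match_signature(sector):
    """Return ('full'|'upper'|'lower'|None, offset) for one sector."""
    upper, lower = parse_hex_string(NOINT_UPPER), parse_hex_string(NOINT_LOWER)
    for label, pattern in (("full", upper + lower), ("upper", upper), ("lower", lower)):
        off = sector.find(pattern)
        if off != -1:
            return label, off
    return None, -1


def chs_to_offset(cylinder, head, sector, heads, sectors_per_track):
    """Byte offset of a CHS address in a raw image (sector numbers are 1-based)."""
    lba = (cylinder * heads + head) * sectors_per_track + (sector - 1)
    return lba * SECTOR_SIZE


def looks_like_boot_sector(sector):
    """Plausibility test for a stashed original boot sector: DOS boot
    sectors start with a short or near JMP (EB / E9) and end with 55 AA."""
    return sector[:1] in (b"\xEB", b"\xE9") and sector[510:512] == b"\x55\xAA"


def triage_image(image, heads, sectors_per_track, stash_chs):
    """Scan sector 0 for the signature and check whether the sector at
    stash_chs (cylinder, head, sector) holds a plausible original boot sector."""
    label, off = match_signature(image[:SECTOR_SIZE])
    stash_off = chs_to_offset(*stash_chs, heads, sectors_per_track)
    stashed = image[stash_off:stash_off + SECTOR_SIZE]
    return {
        "signature": label,
        "signature_offset": off,
        "stash_offset": stash_off,
        "stash_is_boot_sector": looks_like_boot_sector(stashed),
    }


def build_sample_image():
    """Constructed 360K-style diskette image (2 heads, 9 sectors/track, first
    40 sectors only): sector 0 carries the full search string at an arbitrary
    offset, and the original boot sector sits at the assumed stash location."""
    heads, spt = 2, 9
    image = bytearray(40 * SECTOR_SIZE)
    original = bytearray(SECTOR_SIZE)          # fake original boot sector
    original[:3] = b"\xEB\x3C\x90"             # JMP over the BPB
    original[3:11] = b"SAMPLE  "               # OEM name (constructed)
    original[510:512] = b"\x55\xAA"            # boot signature
    stash_chs = (1, 0, 3)  # "Track 1, Sector 3" read as cylinder 1, head 0 (assumption)
    stash_off = chs_to_offset(*stash_chs, heads, spt)
    image[stash_off:stash_off + SECTOR_SIZE] = original
    sig = parse_hex_string(NOINT_UPPER + NOINT_LOWER)
    image[0x40:0x40 + len(sig)] = sig          # infected sector 0 (constructed)
    image[510:512] = b"\x55\xAA"
    return bytes(image), heads, spt, stash_chs


if __name__ == "__main__":
    img, heads, spt, stash = build_sample_image()
    print(triage_image(img, heads, spt, stash))
    print(format_hex_string(parse_hex_string(NOINT_UPPER), sep=""))
```

Run it against a real raw image by replacing `build_sample_image()` with the file contents and the drive's actual geometry; for a hard disk the text gives the stash as Track 0, Sector 7, i.e. `chs_to_offset(0, 0, 7, heads, spt)` under the same reading. Because the virus redirects reads of the Boot Sector while it is resident, any such check is only meaningful after a cold boot from a clean, write-protected diskette, as the post itself advises.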

------------------------------

Date:    Thu, 16 May 91 03:20:57 -0400
From:    [email protected]
Subject: RM_NOINT Virus Remover (PC)

[Ed. This program has been sent to the VIRUS-L/comp.virus archives.]

RMNOINT - removes the Noint Virus from Hard drives.
- ------

- -------------------------------------------------------------------
This program may be freely used by anyone. If you find the program
useful, a donation of $5.00 in US funds is requested. My mailing
address is:

Mike McCune
1100 S. Marietta Pky., Box 9007
Marietta, Ga. USA 30060
- --------------------------------------------------------------------

This program will remove a newly discovered partition infector. First,
cold boot (turn the machine off, then on) from a clean, write
protected diskette. Then type

       rmvirus <ENTER>

You should see one of these messages:


RMVIRUS messages
- ----------------

Virus Removed   - The virus was found and removed from the partition
                 table of the hard disk.

Virus not found - The hard disk is not infected or the virus is in
                 memory.

Virus can not   - Either the partition record is corrupted or you have
be removed        a new variation of the virus.

Read Error      - The program aborted because there was an error
                 reading the hard disk. It could also be caused by the
                 Virus being in memory.

Write Error     - The program aborted because there was an error
                 writing to the hard disk.

- -------------------        Disclaimer       -------------------------

When dealing with viruses, there is always a danger of losing programs
or data.  Thus, I offer no warranty on these programs.  They may be
freely distributed as long as they are not altered in any way.  I may
be reached on the FidoNet Virus Echo, on the Ilink Virus and RIME Data
Protection Conferences, and on VIRUS-L.  I can also be reached
as MMCCUNE@SCTNVE (BitNet) or [email protected] (InterNet.)

Mike McCune.

------------------------------

Date:    Thu, 16 May 91 03:22:34 -0400
From:    [email protected]
Subject: New INNOC (Version 5) (PC)

INNOC5 Boot-Virus Immunizer
- --------------------------
(c) Mike McCune 1991 - All rights reserved.

- ---------------------------------------------------------------------
If you find this program useful, please send $5.00 in US funds to:

 Mike McCune
 1100 S. Marietta Pky., Box 9007
 Marietta, Ga. USA 30060
- ---------------------------------------------------------------------

Boot-Sector infectors are among the most prevalent of computer viruses
in the US.  Commercial programs that detect and clean out these viruses
do not confer any immunity, and the same diskettes can be reinfected
at a later date by the same virus.

INNOC5 is a general-purpose Boot virus immunizer for diskettes. It will
not only destroy Boot Sector infectors, but will `inoculate' against some
of the more common Boot viruses.  To use it, copy the program to the hard
drive of a clean system, insert the desired diskette in Drive A: and type:

                       innoc <ENTER>

INNOC5 will immediately destroy any Boot infectors present on the diskette
and will simultaneously immunize it against the following viruses:

       Ashar
       Azusa
       Brain
       Disk Killer
       Joshi
       NoInt  (A new one discovered in early May 1991)
       Ping-Pong
       Stoned  (Including the Swedish variant)

Diskettes immunized by INNOC5 will not be infected by any of the viruses
against which INNOC5 confers immunity. Such diskettes will be immune to
infection from the viruses that cause most of Boot infections in the US.

The immunization is achieved by writing special code sequences into the
Boot Sector.  A side-effect of immunization is that immunized diskettes
can no longer be used as Booting disks.  Since most disks are never used
in that manner, this is not a major problem.  If you should need to make
a diskette bootable again, simply use DOS's SYS.COM (SYS A:.).  This,
however, will destroy the immunization conferred by INNOC5.

INNOC5 issues the following messages:
- -----------------------------------

Read Error   | An error occurred while reading from the diskette. Simply
              run the program again. Usually a hardware/media problem.

Write Error  | An error occurred writing to the diskette. Same as above.
              Try again.

Diskette A:  | Any Boot Sector viruses have been disabled, and the diskette
Innoculated  | is now immunized against infection.


                       DISCLAIMER
                       ----------
In order to avoid getting sued, I offer no warranty on this or any
other program. I do appreciate suggestions, though. I can be reached
on the ILink and FidoNet virus conferences. I can also be reached
on the RelayNet DataProtect and Virus-L conferences. My BitNet address
is MMCCUNE@SCTNVE and my InterNet address is [email protected].
EDU...<MM>.

------------------------------

Date:    Wed, 15 May 91 12:42:33 -0700
From:    [email protected] (Rob Slade)
Subject: Revised Product Test - - VIREX-PC, version 1.20 (PC)

[email protected] (Chris McDonald ASQNC-TWS-R-SO) writes:

> part, even though they were under no obligation to do so.  In May 1991 I
> received Version 1.20 directly from Microcom.  This was a surprise since I
> expected to have to pay for any upgrade and because I had not subscribed to
> their annual update service.  A telephone conversation with a Microcom
> representative confirmed that the vendor had chosen to send out the upgrade to
> registered users free of charge.  I have no idea how long this will continue.

Coincidentally, today an update disk from Microcom fell through the
mail slot for me too.  The date on the postmark is May 8, 1991.

=============
Vancouver          [email protected]   | "If you do buy a
Institute for      [email protected] |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security

------------------------------

Date:    Tue, 14 May 91 16:26:37 -0700
From:    [email protected] (Rob Slade)
Subject: Review of Eliminator (PC)

                              Comparison Review

Company and product:

International Computer Virus Institute
1257 Siskiyou Boulevard, Suite 179
Ashland, OR   97520
USA
503-488-3237
503-482-3284
BBS 503-488-2251
British Computer Virus Research Centre
12 Guildford Street, Brighton, East Sussex, BN1 3LS, England
Tel: 0273-26105
Joe Hirst
Eliminator/Virus Monitor/Virus Clean, version V1.17, Oct. 1990, Rel B,
also Virus Simulation Suite


Summary:

Resident and manual virus scanning and disinfection, also demonstration
virus simulators.

Cost: range from $190 (single copy with updates) to volume $8.50/CPU
(US)

Rating (1-4, 1 = poor, 4 = very good)
     "Friendliness"
           Installation      2
           Ease of use       3
           Help systems      1
     Compatibility           2
     Company
           Stability
           Support
     Documentation           3
     Hardware required       4
     Performance             3
     Availability
     Local Support

General Description:

Virus Monitor is a resident scanning program which checks disks as
accessed, and programs when invoked.  Virus Clean is a manual scanner
and disinfector.  The programs are suitable for intermediate users in
the average computing environment.

The suite of virus characteristic simulator programs is interesting,
and may be useful in boosting attention in virus awareness training.

                 Comparison of features and specifications



User Friendliness

Installation

The programs are shipped protected, but on a writable disk.  There is no
installation program, as installation consists merely of copying the
files to the system they are to be run on.  Virus Monitor (VM.COM) is a
resident checker, and the user is instructed to add it as the first line
in the AUTOEXEC.BAT file, but no direction is given as to how this is to
be done.

The package comes with a printed manual.  There is also a file on disk
(MANUAL.TXT) which is the same information in softcopy.  The disk label
directs the user to type "ICVI" to get information.  Doing this presents
a menu which offers to list onscreen or print out the manual (as well as
the documentation for the virus simulators.)

The documentation is brief, but fairly clear aside from the lack of
installation instructions.  There is no discussion of dealing with
pre-existing infections.

Ease of use

The resident scanner, VM.COM, has no options and, the documentation
suggests, should be started at boot time.  When invoked, it will examine
memory for viral infections, and then go into the background.  (If any
infection is found, the program will disable it.)  As disks are
accessed, VM will examine the boot sector, and will alert the user to
known virus code.  No other action is taken or suggested, the user is
merely prompted to "Press any key to continue."  If an infected program
is called, the program will alert the user and refuse to run the file.

The Virus Clean program (VC.COM) accepts command line switches to check
only boot sectors, check only files, check files with specific
extensions, check all files, list files checked, pause when the screen
has filled, output to a file, delete infected files or remove
infections.  The removal option has five sub-options, boot sector only,
COM ONLY, .EXE only, all and none.  The default settings are stated to
be to check boot sectors, .COM and .EXE files, not to list checked files
and to remove only boot sector and .COM infections.  (This is suggested
by the documentation because of the possible overwriting of overlay
portions of .EXE files.)  However, in testing the program did not
attempt any removal of infections.

When removal is attempted on a write protected disk, the program will
generate an error message.

The virus simulator programs that come with the disk are amusing, and
can be useful in demonstrating to users the type of activities that
viral programs *may* demonstrate.  I have found that they stimulate
great interest in seminars, but must be used with caution so as not to
suggest that all viral programs demonstrate these, or similar,
characteristics.  (Joe Hirst is to be congratulated on the TSR expertise
that allows Cascade, Ping-Pong/Italian, Oropax and Yankee Doodle to play
simultaneously.  Note that attempts to run Cascade on 386 systems have
not been successful.)

Help systems

None provided.

Compatibility

Given the old release date (as supplied), the program finds a
significant number of common viral programs.  Of interest is the fact
that the program checks for variation in known viral strains, and alerts
the user to keep a copy for forwarding to the distributor for study.

Company Stability

Unknown.

Company Support

Unknown.

Documentation

The documentation is brief, in terms of program operation, but clear.
Over two thirds of the documentation is given to a description of the
operation of the viral programs that the program will detect.  This
section has about the same level of detail as that supplied with FPROT,
but with fewer viral programs listed.

Hardware Requirements

No special hardware required.

Performance

Although the program does not match the number of viral programs
detected by some others, the speed of operation ranks with the fastest
scanners tested.

Local Support

Unknown.

Support Requirements

Although the program is not very complicated, the lack of automated
installation, the lack of detail in the installation section of the
documentation, and the command line switches used by VC.COM suggest that
novice users will need some assistance.

copyright Robert M. Slade, 1991   PCELMNTR.RVW  910514


=============
Vancouver          [email protected]   | "If you do buy a
Institute for      [email protected] |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 84]
*****************************************
