VIRUS-L Digest Monday, 20 May 1991 Volume 4 : Issue 85
Today's Topics:
Re: Trojan version of VIRUSCAN version 78 (PC)
Re: SCAN hangs when checking Windows' SOL.EXE (PC)
re: Partition Table Viruses (PC)
re: VIRUSSUM format (PC)
re: DISKSECURE update (PC)
Tequila virus (PC)
Re: VIRUSSUM format (PC)
re: The Shape of the World (PC)
VIRSCAN Question (PC)
Partition Table Viruses (PC)
MS-DOS in ROM? (PC)
Dead vs Live: Commercial Necessity??
Which format for Partition Table Viruses (PC)
Q: Yankee Doodle ?? (PC)
Re: VIRRUSSUM format
Disinfectant and System 7 (Mac)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 16 May 91 16:50:01 -0700
From:
[email protected] (Rob Slade)
Subject: Re: Trojan version of VIRUSCAN version 78 (PC)
[email protected] (Mark Aitchison, U of Canty; Physics) writes:
> > NOT correct. McAfee Associate's Serial Number is NWM405.
>
> This worries me. Could somebody explain what good the PKUNZIP
> authentication system should be, as it obviously isn't providing
> enough warning here. (Who would know, and think of looking at, the
> serial number? Probably few people).
Exactly the point ~made in one recent posting that examined the various
mathods McAfee Associates uses to try to maintain the integrity of the
programs.
The "authentic verification" only attaches a code which (more or less)
confirms that the archive was packed up by an identifiable person. I am
sure that McAfee Associates is even now burning up the phone lines to
Phil Katz demanding what twit registered a copy of PKZIP under the name
of their company with that serial number.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Fri, 17 May 91 09:17:00 -0400
From: "Monty Hinten" <
[email protected]>
Subject: Re: SCAN hangs when checking Windows' SOL.EXE (PC)
I suspect the problem lies in a "normal" DOS bad sector. I have
encountered similar problems with SCAN, though usually on floppy
disks. I find that running Norton's Disk Doctor will repair the disk,
moving a part of the file if necessary, and then SCAN will process the
file normally. A quick way to determine if the problem is related to
a bad sector is to COPY it to another directory, then SCAN it. If the
copy fails, then you know what the problem is. I wouldn't reccomend
using CHKDSK /F to repair your disk; if you don't have NDD (or
something equivelant, like PC TOOLS), try DELeting the file, then copy
it back to the Windows directory from the distribution diskette. You
may have to use the EXPAND utility that comes with Windows - I don't
remember.
Monty Hinten
Information Security Officer
US EPA, Region I, Boston BITNET:
[email protected]
------------------------------
Date: Fri, 17 May 91 12:09:43 -0400
From: Padgett Peterson <padgett%
[email protected]>
Subject: re: Partition Table Viruses (PC)
>From: "Anthony H. Galway" <
[email protected]>
>... and so ....format C:!
> Now am I the absolute soul of niavete by taking this action,
>or am I doing the only thing possibly?
Having dealt with a number of viruses, I have never "HAD" to format a disk,
all are removable by someone who understands the architecture. Except in one
case which I suspect you have encountered & relates to hardware rather than
a virus (no hidden sectors), all that is needed is a protected bootable
floppy containing DEBUG, a hardware list (optional but handy), and CHKDSK.
The problem with CLEAN and other generic disinfection routines is that they
being automatic routines, cannot anticipate or handle every conceivable
mix of hardware and O/S. A good tech who understands assembly language, MBRs,
& viruses can. Given the first two qualifications, the rest can be taught
in a day.
------------------------------
Date: Fri, 17 May 91 12:09:43 -0400
From: Padgett Peterson <padgett%
[email protected]>
Subject: re: VIRUSSUM format (PC)
>From:
[email protected] (Volkmar Kuhnle)
>But over the months al lot of new viruses (and strains of existing ones)
>have been uncovered, so that VIRUSSUM.DOC grew in size. Since the
>current version is about more than 500 K in length, is is getting
>harder and harder to find informations about a special virus in
>a file of this size, since I have to use a normal editor.
The 9104 version is in excess of 600k now something I have commumicated
with Patricia about since last year. For the short term, Vern Bureg's (sp?)
excellent shareware LIST facility can handle it easily plus provide search
facilities to find certain occurances. For editing, my WordStar has no
problem (very good for translating DEBUG to source code too - plug) with
large files.
At one point last year I tried some simple reformatting & whitespace
elimination that reduced VSUM from 500k to around 300k without changing
the format. I also suggested page breaks at each virus to fit into a loose-
leaf folder and allow monthly updates so that the whole thing only had to be
downloaded once. My suspician is that the original version was done on an
IBM mainframe (used to be sorted in EBCDIC order)
However since it is copyrighted material, such forms cannot be distributed
without permission.
The problem with a .DBF format is that not everyone can read it. For that
reason my preference is for flat ASCII files, these can even be put onto
a mainframe if desired. There are a number of flat-file databases available
& is the reason I reformatted VSUM for Patti last May to have consistant
column boundaries & charactoristic formats. There is no question that VSUM
could be made much smaller without losing any functionality, the .ZIP ratio
gives a good indication of that.
------------------------------
Date: Fri, 17 May 91 12:09:43 -0400
From: Padgett Peterson <padgett%
[email protected]>
Subject: re: DISKSECURE update (PC)
My DISKSECURE v.93 system for IBM PCs is now on the CVIA bulletin board
(408)988-4004 with updates and simple installation. This will probably be
the last beta version as there is only one more fix I need to put in to
handle some very early XT disk controllers that write to the MBR periodically.
I make no guarenttees for anything other than I use it myself but enen
though there is a "quickstart" for use from a floppy, PLEASE read the .DOCs.
Warmly,
Padgett
------------------------------
Date: Fri, 17 May 91 14:17:05
From:
[email protected]
Subject: Tequila virus (PC)
>From: "David.M.Chess" <
[email protected]>
>Has this been around for awhile? Just in the last week or so, I've
>heard of it from a couple of different, widely separated, places in
>Europe, and I hadn't heard of it before. Does anyone have a good....
By the look of things, it's a flip flop virus: an infected program
infects the partition record, infected partition records infect
programs. Additionally, it looks a lot like a combo of 1260 and v101:
it is impossible to get a scan string for it.
<Enter Patting Self On Back Mode>
Naturally, VIRX14 catches it.
Ross
------------------------------
Date: Fri, 17 May 91 18:54:32 +0000
From:
[email protected] (Ellen Brewer)
Subject: Re: VIRUSSUM format (PC)
[email protected] (Volkmar Kuhnle) writes:
>But over the months al lot of new viruses (and strains of existing ones)
>have been uncovered, so that VIRUSSUM.DOC grew in size. Since the
>current version is about more than 500 K in length, is is getting
>harder and harder to find informations about a special virus in
>a file of this size, since I have to use a normal editor.
>
>I came to the conclusion that an ASCII file is not appropriate for the
>distribution of so much data. Therefore I would suggest to supply
>future versions as DBF files (dbase format). Database programs which
>are able to read DBF files are very common in the PC world. And it
>would be much easier to find information about a virus quick in
>an DBF file than in an ASCII file.
Distribution in ASCII file format is far preferable to any other
format. While many people use dbase, it is far from universal. I
hesitate to think of the contortions I would have to go through to get
information from a DBF file. Nor do I think that an alternative
nonuniversal format is an acceptable solution.
What you need is a text file browser, since you don't need to edit,
just scan for strings and read. This would provide you with a general
purpose tool for looking at any text file, not just a way to look at
VIRUSSUM.DOC.
The software I use is LIST by Vernon D. Buerg. It's free for personal
use, with a suggested donation of $15 if you find it of value. It
doesn't insist on reading the whole file into memory at once. There's
probably a much more recent version than the one I have from 1987, but
even that one is very nice, and allows marking blocks of lines and
writing them to another file. I'm sure there are other programs to
fill this function too--this just happens to be what I use.
- --
Ellen Brewer (
[email protected])
"Non ignara mali, miseris succurrere disco."
------------------------------
Date: Fri, 17 May 91 14:51:04
From:
[email protected]
Subject: re: The Shape of the World (PC)
>From: padgett%
[email protected] (A. Padgett Peterson)
>.... part of the education we have failed to provide is what the
>risks really are. My opinion is that a good regimen (screening &
>briefings) plus an integrity routine that will detect anomalies is
>what the general population needs.
With all due respect, everybody has always been taught that if an
ounce of prevention is worth a pound of cure, then two ounces of
prevention must be even better.
If my code merely did integrity checks, instead of doing integrity
checks *and* known signature scanning, I'd lose out to somebody who
offers both. That's because *their* marketing people have a single
mission in life (as do *my* marketing people): to sell as much code as
possible. I've probably hobbled the marketing guys at Microcom (who
are quite good, btw, and I recommend the group I deal with to anyone
with other types of code) by requiring them to be completely honest in
their claims.
That honesty is costing marketshare, I bet.
>For large corporations, the cost of a site license can be lost in the
>noise compared to the cost of trying to administer several thousand
>updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3
>manyears not to mention the distribution nightmare). Much easier to
>take a one-time installation hit plus automatic installation at the
>warehouse as part of the distribution process.
I agree...to a point. I would think that updating 5000 PC's for a new
scanner that differs from the previous one in a bunch of new viral
strings for a bunch of "research only" viruses is a waste of time. In
the case of my last update, though, some problem areas were worked on,
the code was made faster and more reliable, networking is better, etc.
Yet, in this climate, if I had merely released code with those
enhancements (the ones that I really care about) and not upped the
virus count from about 350 to about 420, people would not have
downlaoded the code: they seem to have seen the "two ounces" mentioned
above as more important then the enhancements. I can't simply say
"Yo! *NOBODY* gets the Whale Virus, so why do you care?"
>>And the marketing dudes I work with closely at Microcom tell me what
>>we can lose a site license because of and where our strong points are:
>So be the first to offer BIOS level checking & authenticated paths as
>part of the boot process.
We do that through the DOS level now, but you raise a good point.
I'll incorporate that into the next cut of the code, given time.
>Today, the sheer diversity of anti-viral products demonstrates that,
>as in pointing devices and user interfaces, the One True Answer has
>yet to be found.
Unle$$, of cour$e, you buy my code. <grin>
Ross
------------------------------
Date: 17 May 91 23:08:33 -0400
From: "Robert McClenon" <
[email protected]>
Subject: VIRSCAN Question (PC)
An associate of mine had a problem at work today. He was trying
to use IBM's VIRSCAN to scan a diskette for viruses. The diskette
supposedly contained three PowerPoint files with extensions of .PPT
and nothing else. The scan resulted an error message being displayed
three times saying something to the effect of: An invalid opcode was
encountered without an error handler being registered. This message
did not say where the error was found. Then his workstation "froze
hard", and he had to power it off to restart it. Was this error
message coming from VIRSCAN or from DOS? If it was coming from
VIRSCAN, what was VIRSCAN trying to do and what was it really doing?
His theory is that VIRSCAN was scanning the entire diskette rather
than all files and was being confused by fragments of deleted files,
and locked up because of an uncertain situation. I am wondering
whether the error was coming from DOS, and indicates that his copy of
VIRSCAN on his hard disk is bad and should be reinstalled. Has anyone
ever seen this message before? Where does it come from? What does it
mean?
Robert McClenon
Neither my employer nor anyone else paid me to say this.
My opinions may be someone else's, but then again they might
not.
------------------------------
Date: 17 May 91 23:38:31 -0400
From: Wolfgang Stiller <
[email protected]>
Subject: Partition Table Viruses (PC)
>From: "Anthony H. Galway" <
[email protected]>
>
> Our PC labs have been recently become victim of several
>partition table viruses, namely Bloody!, Azusa and Stoned. I find
>that McAfee's CLEAN works well on the STONED allowing it to clean the
>partition table almost all the time (rarely, though it happens, it
>seems to be to far gone and I end up doing a format), but the BLOODY!
>virus seems to be a bit more advanced more often than not the CLEAN
>program claims that it can not safely remove the virus from the
>partition table ... and so ....format C:!
>
> Now am I the absolute soul of niavete by taking this action,
>or am I doing the only thing possibly? Is there any better anti-viral
>around that can handle partition table problems? If not is there any
>way to better protect ourselves.
There are tools: CHKBOOT and LODBOOT which come with the PCdata
Integrity toolkit (Free) which will detect any boot or partition table
infections and reload if these sectors should be infected. (The
toolkit also detects any file corruption or virus infection) Reloading
the partition sector would have solved your problem without the need
for a "format C:" unfortunately, you've got to use CHKBOOT before your
partition table is infected. These programs are available on
CompuServe (GO ZNT:UTILFORUM) and download PCDCOM.ARC and PCDART.COM
for the toolkit and the (self-extracting) article. These files are
also on many BBS systems including the NCSA BBS 202-364-1304. Please
read my article in the Feb 13th 1990 PC Magazine to learn all about
this free software without downloading. If used according to
directions the toolkit provides a complete virus detection system that
will detect ALL viruses.
Wolfgang Stiller (Stiller Research)
Author of the PCdata Integrity Toolkit
------------------------------
Date: Fri, 17 May 91 06:43:55 -0400
From: "Krishna E. Bera" <
[email protected]>
Subject: MS-DOS in ROM? (PC)
Is there any effort underway to produce a ROM version of MS-DOS or
clone that is:
1. inexpensive
2. easy to upgrade (by changing a board, for example)
3. standardized in interface (i.e., DOS interrupt calls)
4. bootable (obviously), but DIP switch selectable from a disk
5. preferably not patented
?
If this has been dismissed in earlier discussion, my apologies and
please e-mail me a summary.
- --
Krishna E. Bera
Programmer/Analyst
[email protected]
MIL Systems Engineering Inc.
Ottawa, Canada
------------------------------
Date: Sat, 18 May 91 02:16:00 -0600
From: "Jonathan E. Oberg" <
[email protected]>
Subject: Dead vs Live: Commercial Necessity??
Without getting into a philosophic discussion about what constitutes
life, and whether viruses (biologic or electronic) are alive, let me
define a virus that has had limited detection in the public - what has
been refered to here as a research virus - as a "dead" virus and a
virus that continues to be detected in the public to a signficant
degree as a "live" virus.
QUESTION: Will new live viruses spread effectively without new
techniques??
The observation may be a bit naive, but in regard to the discussion of
research viruses vs viruses in the environment, have we not minimized
the risk of a new virus propogating by known means (for example, boot
sector stealth viruses) with any success?? Few sites do not have
*some* protection/ detection available. Further, the infrastructure
for distributing notices of new viruses symptoms, detection
methods/signitures, et cetera is now well defined and used (this forum
for example.)
Has anyone studied the rate of introduction of successful viruses?? My
guess would be a strict decline. Is this far off others' experiences?
On a strickly biological model, viruses must have some time X
necessary to propogate from one system to another. We are unconcerned
with propogation on one system, as this will be a factor in how long
the virus takes to move from system to system.
With the increase of scan/resident/other virus programs, and a
significant decrease in the time between when a virus is detected and
the information on that virus is published, the time a virus has
available to spread is shortened, perhaps below the critical level
necessary for success.
The WDEF virus on the mac, for example, was an example of a new viral
technique. It became widespread. Successors however, have faired
poorly: CDEF, MDEF, LDEF?? Once the technique is known,
detection/prevention effectively kills these viruses. Call this the
smallpox syndrome; once we know how to detect, remove, and innoculize
against these strains, we effectively erradicate them as successful
viruses.
Is the stoned virus, for example, so prevelent because it is well
designed and/or defeats virus detection, or because it proceded the
large increase in sites with virus detection programs. Does not, in
fact, a unique (defeats currect programs) and successful (infects
"large" number of sites) virus *drive* the acceptance of virus
detection/prevention programs.
The question is important in considering the commercial aspect of
virus protection. Without discarding the deeply appreciated efforts
of frisk, et al, virus protection has become big business. I cannot
imagine Symantic for example, advertising NAV as "Catches 100% of live
viruses." To be commercially competitive, they *have* to advertise
they catch *at least* as many viruses as their competitors, even
though 99% of these viruses are never seen outside "virus labs."
Without a continual influx of successful viruses, that is new
techniques, the only marketable force behind upgrades and/or market
share are dead viruses.
Jonathan Oberg
[email protected]
------------------------------
Date: Sat, 18 May 91 09:39:11 -0230
From: "Anthony H. Galway" <
[email protected]>
Subject: Which format for Partition Table Viruses (PC)
I have, for partition table viruses, always done a DOS format
to rid myself of the offender if McAfee's CLEAN didn't work (be
assured that I have also done a LOW level format in cases when the
partition table was hopelessly infected). This does not remove the
virus, but it does seem to do something to the partition table that
allows CLEAN to then remove it. Recently, (READ: since my previous
post 2 days ago), it has come to my attention that this is not the
accepted way of ridding myself of the virus, instead I should do the
LOW Level format.
Which way is correct? I know the LOW level format guarantee's
results, but this method also destroys any additional partitions. We
use DOS 3.3 and have two partitions, C: & D:. If I do a LOW level
format then I have to reinstall about 30MB of various programs, this
of course does not include any user programs/data, whereas if I use
the DOS format and reformat only drive C: I then have to reinstall
little more than half that.
So am I safe in doing the DOS format,
or should I only use a LOW level format?
Thanks for any help.
Anyone know where I can get a comprehensive list of viruses, their
symptoms and what they do?
- --
Anthony H Galway |\_/| I tried to think up something either
[email protected] (` ') profound or witty to put here ......
[email protected] |"| I couldn't.
------------------------------
Date: Fri, 17 May 91 23:58:37
From: Michael Stribick <
[email protected]>
Subject: Q: Yankee Doodle ?? (PC)
Hello !
What kind of virus is the YANKEE DOODLE ?? What happens to a infected
PC ??
Bye,
mike
------------------------------
Date: Mon, 20 May 91 08:56:00 +1000
From:
[email protected]
Subject: Re: VIRRUSSUM format
It is far easier to view the document with a file viewer, say LIST.
This works quickly and effieciently as the user simply has to do a
search for a keyword and the information is presented immediately.
Not everyone wants to use a database to access the information, as
this will take more time and increase the complexity of retrieving
information.
Wayne Boxall
Computer Virus Information Group
Queensland University of Technology
Australia
------------------------------
Date: Sun, 19 May 91 19:50:16 -0600
From:
[email protected] (John Norstad)
Subject: Disinfectant and System 7 (Mac)
Thanks to an error in Apple's Compatibility Checker, I've been deluged
with requests for information on Disinfectant 2.5.
If you have installed the Disinfectant INIT on your system, Apple's
Compatibility Checker incorrectly reports that it is incompatible with
System 7, and it recommends that you get version 2.5.
There is no Disinfectant 2.5, and there won't be one! Disinfectant 2.4
works fine with System 7, provided you leave the Disinfectant INIT in
the System Folder proper. Do not move the INIT to the new Extensions
Folder. If the Installer moves the INIT to the Extensions Folder for
you, move it back to the System Folder proper.
If you try to repair an infected file, Disinfectant 2.4 may tell you
that the file is busy and recommend that you "try again without
MultiFinder." You can't turn off MultiFinder in System 7. If this
happens to you, restart your Mac using the "Disk Tools" startup floppy
that comes with System 7. Then run Disinfectant again.
There is one small problem with Disinfectant 2.4's custom get file
dialog which lets you select a folder to be scanned. Don't try to
select any files or folders in the new Desktop level in this dialog.
Disinfectant may crash or scan the wrong object.
I am working on a new version 3.0 of Disinfectant which will take full
advantage of the new facilities available in System 7, including
Balloon help, full color icon families, anti-viral and other Apple
events, icon dropping in the Finder, a new solution to the busy files
problem, and other neat new stuff. Version 3.0 will also include a
very thorough discussion of all the issues regarding viruses,
Disinfectant, and System 7 in the online manual, and it will fix the
problem with the custom get file dialog. I hope to release this new
version sometime this summer.
Again, until my version 3.0 is released, you can and should use
version 2.4 with System 7.
John Norstad
Academic Computing and Network Services
Northwestern University
[email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 85]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
