VIRUS-L Digest   Tuesday, 21 May 1991    Volume 4 : Issue 86

Today's Topics:

m-disk (PC)
Help With Frodo & Yankee Doodle (PC)
A busy month (PC)
re: The Shape of the World (PC)
Re: Tequila virus (PC)
re: VIRSCAN Question (PC)
re: Dead vs Live: Commercial Necessity??
Problem with Yankee Doodle virus (PC)
Bug in VirusScan (PC)
Re: VIRRUSSUM format
Re: Dead vs Live: Commercial Necessity??
Re: Which format for Partition Table Viruses (PC)
re: Dead vs Live: Commercial Necessity??
Detecting Spanish Telecom ?? (PC)
F-PROT and BBSes (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    20 May 91 03:39:26 +0000
From:    [email protected] (Mark Ryman)
Subject: m-disk (PC)

Could someone please send me some info about how we may become
registered to legally use m-disk in our labs here at Ohio University?
We have been having some problems with the 'Ohio' virus and I have
used a copy of m-disk to remove it from several users' disks.  My boss
would like for me to find out about getting registered and possibly
obtaining a site licence (if necessary) before we begin using it on a
regular basis in our labs.  Any info would be appreciated.  Also, what
other anti-viral software will remove this particular virus?  Thanx.
                -Mark

------------------------------

Date:    Mon, 20 May 91 10:12:30 +0000
From:    "Alan Jones" <[email protected]>
Subject: Help With Frodo & Yankee Doodle (PC)

Alan J Jones
Manchester Computing Centre
University of Manchester
Oxford Road
M13 9PL
England

          FRODO & YANKEE DOODLE

Has anyone got any information on these two viruses?
They have just arrived on the campus ( 2000+ computers ), and
I have managed to contain them so far, but I am worried as they are brand
new to this site; at the moment I am the only one dealing with
the virus problem, and it's great fun just keeping up with the ones that
I know about.

Viruses that have arrived in the last three years are

STONED, PING PONG, JERUSALEM (1813), DARK AVENGER, V2100, VIENNA,
ITALIAN, YALE, BRAIN ( LIMITED INFECTION ), LISBON, CASCADE.

The last virus to hit hard was V2100 which is running rampant but I
can deal with that one at the moment.

                    Thanks Alan

------------------------------

Date:    Mon, 20 May 91 14:44:22 +0000
From:    [email protected] (Fridrik Skulason)
Subject: A busy month (PC)

Well, this has been a busy month.....over 60 new viruses so far.

Here is a list of most of the PC viruses I have received this month, but
I am expecting over 40 additional new ones by mail any day now.

The names below are the names Virus Bulletin will use in the next issue,
where the viruses are listed - hopefully this list (which I plan to post
monthly) will help reduce the naming confusion a bit.

217-A
268-plus
1028
Backtime
Bljec family:
       Bljec-3
       Bljec-4
       Bljec-5
       Bljec-6
       Bljec-7
       Bljec-8
       Bljec-9
Boys
Darth Vader family:
       Darth Vader-1
       Darth Vader-2
       Darth Vader-3
       Darth Vader-4
Diamond (1024) family:
       Damage-A
       Damage-B
       Diamond-1173 (David)
       Greemlin
Eddie (Dark Avenger) family:
       Eddie-1801
       MIR
ETC
Evil Empire family:
       Empire A
       Empire B
Horse (Hacker, Black horse) family:
       Horse-1 (1154)
       Horse-2 (1158)
       Horse-2B (1160)
       Horse-3 (1610)
       Horse-4 (1776)
       Horse-5 (1576)
       Horse-6 (1594)
       Horse-7 (1152)
Jerusalem family:
       Carfield
       Discom
Keypress-1228
MG family:
       MG-1A
Murphy family:
       Guru (Bhaktivedanta)
       Murphy-3
       Murphy-4
       Smack-1835 (Patricia)
       Smack-1841 (Patricia-2)
Mutant family:
       Mutant-123
       Mutant-127
       Mutant-127A
Old Yankee family:
       Bandit
Pixel (Amstrad) family:
       Pixel-257
       Pixel-275
       Pixel-283
       Pixel-295
       Pixel-779
       Pixel-837
       Pixel-850
       Pixel-854
       Pixel-892
       Pixel-892
Raubkopi
Tequila
VCS 1.0
Vienna family:
       Arf (Violator subgroup)
       645
Warrior

- -frisk

- --
Fridrik Skulason                 Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)               E-Mail: [email protected]    Fax: 354-1-28801

------------------------------

Date:    21 May 91 00:26:00 +0000
From:    rebill02%[email protected] (Russell E. Billings)
Subject: re: The Shape of the World (PC)

[email protected] writes:
>Dave: A telling anecdote: at the Trenton Computer Fair last month,
>about 100 people crammed into a room to hear about some of the new
>viruses.  When asked who had been infected with a virus, about 80% of
>the people raised their hands.  I asked those infected with Jerusalem,
>Stoned and Ping-Pong to drop their hands.  One hand was left. Cascade.

I'm curious, did you tell the ones who had been hit by those three to
drop their hands, or did you ask that those who had *ONLY* been hit by
those three to drop their hands?  A subtle difference, but an
important one, nonetheless.

Russell
- --
 BITNET:   [email protected]   UUCP: ...psuvax1!ulkyvx.bitnet!rebill02

------------------------------

Date:    Mon, 20 May 91 18:19:00 -0700
From:    [email protected] (Morgan Schweers)
Subject: Re: Tequila virus (PC)

Some time ago [email protected] whispered:
>>From:    "David.M.Chess" <[email protected]>
>
>>Has this been around for awhile?  Just in the last week or so, I've
>>heard of it from a couple of different, widely separated, places in
>>Europe, and I hadn't heard of it before.  Does anyone have a good....
>
>By the look of things, it's a flip flop virus: an infected program
>infects the partition record, infected partition records infect
>programs.  Additionally, it looks a lot like a combo of 1260 and v101:
>it is impossible to get a scan string for it.
>
><Enter Patting Self On Back Mode>

Greetings,
   *Chuckle* It's a variant of the Flip virus, actually.  A bit of
pseudo-encryption code was added, and a bit of infection code was
removed, but otherwise it's mostly Flip-like.

   Mr. McAfee gave me a scan string quickly after I handed it to
him, and it'll be in the upcoming release of Scan as well.  (Clean,
of course, will remove it.)  It's *VERY* rarely 'impossible' to find
a scan string for something.

   It's been suggested that pirated copies of Golden Axe by Sega
have been spreading its infection on the other side of the pond.

   A side note regarding Flip: it patches COMMAND.COM (under DOS
3.3, at least) to fix the DIR command to hide the filesize increase.  It
modifies two bytes, to chain to itself.  This is important, as if these
bytes are not fixed the COMMAND.COM will crash after being cleaned.
   I haven't checked to see if the Tequila virus does this as well, but
I would guess that it does.

   Dave Chess mentioned to me that the Tequila displays a low resolution
Mandelbrot set upon activation.  I haven't confirmed it, but I plan to.
(Anybody want GIF copies when I do?  *chuckle*)

                                                     --  Morgan Schweers
- --
  "Any opinions are not the express opinions of McAfee Associates.  I
just pattern, in game of life." (Do not meddle in the affairs of cats, for
they are subtle and will piss on your computer.)      --  [email protected]

------------------------------

Date:    20 May 91 14:44:04 -0400
From:    "David.M.Chess" <[email protected]>
Subject: re: VIRSCAN Question (PC)

> From:    "Robert McClenon" <[email protected]>
>
>                   The scan resulted in an error message being displayed
>three times saying something to the effect of: An invalid opcode was
>encountered without an error handler being registered.  This message
>did not say where the error was found.

Heh!  That error message is coming from the FAPI interface code in
VIRSCAN.EXE.  (VIRSCAN is a "Family Application" that can run under
either OS/2 or DOS.)  The only time I've seen it before is when
something has damaged the VIRSCAN.EXE file (and damaged it enough that
it bombs before it gets to the self-check).  Could this VIRSCAN.EXE
have been damaged by something?  Some viruses, the 1813 (Jerusalem)
for example, have bugs that keep them from correctly infecting Family
Apps, and they sometimes break them instead.  I'd suggest that your
friend get a known-good copy of VIRSCAN.EXE, and run it from a
write-protected floppy.  That's the best advice I can think of at the
moment...

DC

------------------------------

Date:    20 May 91 14:51:06 -0400
From:    "David.M.Chess" <[email protected]>
Subject: re: Dead vs Live: Commercial Necessity??

"Jonathan E. Oberg" <[email protected]> asks whether or not new
viruses can still become widespread in the real world, given that
there are lots of detectors out there, and lots of channels by which
information about new viruses can travel.

I'm afraid the answer is probably "yes, definitely", although I'd love
to be wrong!  While the people who read VIRUS-L, and probably all
their friends, are well aware of viruses and how to defend against
them, I think the average machine out there, and possibly still the
average company, is not at all well protected.  The Joshi virus, for
instance, is now quite widespread, but it has not been around that
long; certainly it doesn't date from before we knew about stealthed
boot viruses!  The world still seems to contain a critical mass of
unprotected, sufficiently connected machines, dense enough for viruses
to thrive in.  If a virus gets lucky (gets shipped with 10,000+
pre-configured machines from some random source, say), it's still the
case that it has a very good chance of getting thoroughly embedded in
the populace...

*Boy*, would I like to be wrong this time!   *8)

DC

------------------------------

Date:    Tue, 21 May 91 00:52:38 +0000
From:    [email protected] (Samid Hoda)
Subject: Problem with Yankee Doodle virus (PC)

I have a serious problem with the Yankee Doodle virus.  I am currently
using McAfee v.75 to scan and clean the hard disk, but it does not
seem to be working very well.  I have already formatted the hard disk
once, in an attempt to get this virus off the machine. Any help at all
will be greatly appreciated as this is a school machine and is needed.
Thanks in advance.

Samid Hoda
decwrl!spock!lucifer

------------------------------

Date:    Mon, 20 May 91 22:51:29 -0400
From:    Padgett Peterson <padgett%[email protected]>
Subject: Bug in VirusScan (PC)

       It is possible that there is a bug in some of the 7x versions
(inc. 77) of the McAfee SCAN utility that may cause it to miss some
infected overlays.

A JERUSALEM infection was encountered in which the .EXE was properly
diagnosed but an infected .OVL was missed despite being checked as
part of the default. Use of the /A switch resulted in the infected .OVL
being detected. Since the .EXE will always be infected also, there is
no real danger.  However, if an infection occurs that may also infect
OVL files (see the VIRLIST.TXT file inside the SCANxx.ZIP file), a
rescan using the /A switch following a CLEAN activity is recommended.

      I do not know if this is particular to the Jerusalem-related
viruses or if others are affected also.

      We have reported this to McAfee Associates and a fix or
explanation should be forthcoming. Incidentally, the infection appears
to be the original sUMsDos version.
                                       Warmly,
                                               Padgett

------------------------------

Date:    Tue, 21 May 91 17:23:00 +1200
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: VIRRUSSUM format

[email protected] writes:
> It is far easier to view the document with a file viewer, say LIST.
> This works quickly and efficiently as the user simply has to do a
> search for a keyword and the information is presented immediately.
>
> Not everyone wants to use a database to access the information, as
> this will take more time and increase the complexity of retrieving
> information.

There is a (growing) need to find virus information when a simple
search is insufficient (no disrespect to Vernon's program) - there are
simply too many viruses to make this convenient unless you are
familiar enough with them to search the likely places first.

So I suggest a smallish index file (in DIF format, which most
people/programs can understand) *as well as* the big virus lists. The
index should be public domain and list several important attributes of
each virus, one per line. I could go into further detail if anyone
needs it.

Mark Aitchison.

------------------------------

Date:    21 May 91 07:42:12 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Dead vs Live: Commercial Necessity??

[email protected] (Jonathan E. Oberg) writes:
>QUESTION: Will new live viruses spread effectively without new
>techniques??

Yes - just consider viruses like Telecom (stealth/boot sector), Azusa
(stealth/boot sector) and Tequila (stealth/program) - all of which are
quite recent, use no radical innovations (although they are all quite
interesting from a technical point of view), and are spreading quite
rapidly. However, around 90% of all new viruses do not spread much, if
at all.

My opinion is that...

       ...The number of new virus variants is growing exponentially.
       ...The number of new virus families is also growing exponentially,
          but at a much slower rate.
       ...The number of "successful" new viruses has been constant
          for a while, or growing very slowly - I don't think that
          more than 5 "successful" viruses appear per month, even though
          the number of new variants is now 60-100 per
          month.
       ...The number of virus infections is more-or-less stable - no
          significant increase, despite all those new viruses.

>With the increase of scan/resident/other virus programs, and a
>significant decrease in the time between when a virus is detected and
>the information on that virus is published, the time a virus has
>available to spread is shortened, perhaps below the critical level
>necessary for success.

One problem - people will often use outdated anti-virus software. Here
in Iceland anti-virus software has been sold on 10-20% of all MS-DOS
machines, and probably pirated on an additional 30-40%.  As a result,
infection reports had practically stopped.  Last month, however, Azusa
arrived here and has been spreading considerably, often on sites which
obtained anti-virus programs two years ago, and have not bothered to
update them since.

>Is the stoned virus, for example, so prevalent because it is well
>designed and/or defeats virus detection, or because it preceded the
>large increase in sites with virus detection programs.

The second explanation - no doubt.  The same applies to Jerusalem, and
a few other "old" viruses.

>Without a continual influx of successful viruses, that is new
>techniques, the only marketable force behind upgrades and/or market
>share are dead viruses.

Well, there are always occasional "successful" viruses - but the
success often depends on how the viruses are distributed initially.
If the author just uploads the virus to McAfee's BBS or sends it
anonymously to me or some other anti-virus author, the virus will not
spread much - not unless it "escapes" from the virus-research
community.

If, as in the case of Tequila, the author systematically uploads an
infected, popular game to BBSes all over Europe, the virus may get a
significant initial distribution, before anti-virus programs have been
updated to detect it.

- -frisk

------------------------------

Date:    21 May 91 07:49:47 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Which format for Partition Table Viruses (PC)

[email protected] (Anthony H. Galway) writes:
>(be assured that I have also done a LOW level format in cases when the
>partition table was hopelessly infected).

Uh, what do you mean ?  There is NO virus which will "hopelessly"
infect the partition table - all PBR infections can be removed without
any formatting at all, although sometimes with some effort.

Disinfection may not always cure all problems - if the virus in
question is the variant of Stoned which stores the original PBR at
(0,0,2) a low level format may be necessary on some machines - PS/2 in
particular, I think.

In the case of Azusa, Bloody and a few other viruses, not all
disinfection packages are able to handle the problem, however.

- -frisk
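[Editor's note: frisk's remark that this Stoned variant keeps the original PBR at CHS (0,0,2) is the basis for the following added example; it is not code from the posting or from any product named in this digest.  It assumes 512-byte sectors, the standard DOS MBR layout (partition table at offset 0x1BE, 55AA signature at the end), and a disk image constructed inline.  The check reads the sector at (0,0,2), tests whether it is a plausible PBR, and only then copies it back over sector 0 - the sort of sanity test a disinfector must make before "repairing" anything.]

```python
import struct

SECTOR = 512                  # assumed sector size
BOOT_SIG = b"\x55\xAA"        # PBR/MBR signature at offset 510
PT_OFFSET = 0x1BE             # start of the four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"       # boot flag, (CHS start), type, (CHS end), LBA start, size


def chs_to_lba(cyl, head, sector, heads_per_cyl, sectors_per_track):
    """Convert a 1-based CHS address to a 0-based LBA sector number."""
    return (cyl * heads_per_cyl + head) * sectors_per_track + (sector - 1)


def parse_partition_table(sec):
    """Return the four partition entries as (boot, type, start, size) tuples."""
    return [struct.unpack_from(ENTRY_FMT, sec, PT_OFFSET + 16 * i) for i in range(4)]


def looks_like_pbr(sec, disk_sectors):
    """Plausibility test: signature present, at least one used entry, all in range."""
    if len(sec) != SECTOR or sec[510:512] != BOOT_SIG:
        return False
    used = [e for e in parse_partition_table(sec) if e[1] != 0]
    if not used:
        return False
    for boot, _ptype, start, size in used:
        if boot not in (0x00, 0x80):          # only "inactive" or "active" are legal
            return False
        if start == 0 or start + size > disk_sectors:
            return False
    return True


def find_saved_pbr(image, heads, spt):
    """LBA of the saved PBR at CHS (0,0,2) if it passes the checks, else None."""
    lba = chs_to_lba(0, 0, 2, heads, spt)
    sec = image[lba * SECTOR:(lba + 1) * SECTOR]
    return lba if looks_like_pbr(sec, len(image) // SECTOR) else None


def restore_pbr(image, heads, spt):
    """Return a copy of the image with the saved PBR written back to sector 0, or None."""
    lba = find_saved_pbr(image, heads, spt)
    if lba is None:
        return None
    out = bytearray(image)
    out[0:SECTOR] = image[lba * SECTOR:(lba + 1) * SECTOR]
    return bytes(out)


def build_sample_image():
    """Constructed 64-sector image: a stand-in loader in sector 0 (no partition
    table), the genuine PBR saved at LBA 1 = CHS (0,0,2).  Not real virus code."""
    disk_sectors = 64
    pbr = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, pbr, PT_OFFSET, 0x80, 0x06, 17, 47)   # 17 + 47 <= 64
    pbr[510:512] = BOOT_SIG
    stand_in = bytearray(SECTOR)
    stand_in[0:2] = b"\xEB\xFE"            # placeholder bytes, signature but no table
    stand_in[510:512] = BOOT_SIG
    image = bytearray(disk_sectors * SECTOR)
    image[0:SECTOR] = stand_in
    image[SECTOR:2 * SECTOR] = pbr
    return bytes(image)
```

With a 16-head, 63-sectors-per-track geometry the saved copy is at LBA 1; an all-zero image, or one whose sector 2 fails the range checks, yields None and nothing is written.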

------------------------------

Date:    Tue, 21 May 91 09:46:42 +0700
From:    James Nash <[email protected]>
Subject: re: Dead vs Live: Commercial Necessity??

Jonathan E. Oberg wrote:
> QUESTION: Will new live viruses spread effectively without new
> techniques??
>
[lots of good stuff deleted for space]

> With the increase of scan/resident/other virus programs, and a
> significant decrease in the time between when a virus is detected and
> the information on that virus is published, the time a virus has
> available to spread is shortened, perhaps below the critical level
> necessary for success.

I agree. Everyone fears a "great plague" type of virus but we won't
get one. When the Black Death swept across Europe, medical science was
still throwing leeches at problems. We are beyond the "leech" stage
and will effectively combat any hyper-virus.

Worth remembering when using the medical analogy for viruses that
humans have created these binary beasts (: not nature.

Everyone has now become a virus "expert". I have heard tales (from my
own department) of a one-byte hyper-code self-extracting virus. If I
ever find it, I'm going to analyse it and make a fortune in data
compression routines!

The point I want to make is that while people like ourselves stay
restrained, others like to panic and this panic causes a lot more
damage than most viruses. In that sense, a virus that gets a lot
of media attention but causes little actual damage could be called
successful because of mental damage. Also, people lose their jobs
over one case of Stoned; now that's REAL damage :-<

> Is the stoned virus, for example, so prevalent because it is well
> designed and/or defeats virus detection, or because it preceded the
> large increase in sites with virus detection programs. Does not, in

I would say that Stoned is so successful because it exploits a flaw in
the PC architecture which is also our main ally in the fight against
viruses - booting from floppy. How many times have you seen a student
put their disk in the PC then switch it on? I do it by mistake myself
sometimes. Whether the author was a great visionary(!) or got lucky
doesn't matter, he was the first(?) to use the technique.

I doubt that we will see too many original techniques because we (not
I!)  know about every aspect of the PC, unlike the human body.

> Without a continual influx of successful viruses, that is new
> techniques, the only marketable force behind upgrades and/or market
> share are dead viruses.

Cruel. Perhaps virus fighters ought to remember that their ultimate
goal, like doctors, is to make themselves redundant.
- --
James Nash, Computing Services, Coventry Polytechnic, England

------------------------------

Date:    Mon, 20 May 91 14:40:33 +0000
From:    [email protected] (Aidan Saunders)
Subject: Detecting Spanish Telecom ?? (PC)

Following the recent infections at Oxford University (see article from
A.Appleyard - 16/5/91) I've been trying to find scanners to detect
these viruses.  (I understand there are two forms of this: one boot
sector version, one file version.)

Having checked the documentation of the F-PROT (1.14) & McAfee SCAN (v77)
packages, I don't find any reference to these.  So:

       1)  How can Spanish Telecom be detected ?

       2)  Which virus detection/removal packages can deal
           with Spanish Telecom ?

       3)  What signature strings can be added to programs
           such as F-PROT & SCAN that allow user-defined signatures ?

Any help would be appreciated !

If you mail responses to me, I'll summarise.

Many thanks,

Aidan Saunders
- --
- ----------------------------------------------
ARPA :: [email protected]
UUCP :: ...!ukc!newcastle.ac.uk!a.c.g.saunders
- ----------------------------------------------

------------------------------

Date:    Tue, 21 May 91 13:09:05 +0000
From:    [email protected] (Fridrik Skulason)
Subject: F-PROT and BBSes (PC)

My anti-virus package (F-PROT) is by now quite well known in the
academic community, but I hear quite often that it is very difficult
to obtain for anyone without network access.  This is a problem for
many PC-owners, who would like to use it, but are unable to find it.
The package is available on several BBSes, but they often have only
old versions.

So, what I am planning to do is to send each new version by mail to
30-50 BBSes around the world - the question is just which ones.....

If you know of (or run) a BBS, where the SysOp is willing to upload
the package and announce each new version as it is received, I would
like to hear about it.

I will not consider any BBS on my list of 'Virus BBSes', however - the
12 or so BBSes which make viruses available for downloading are IMHO
the major reason for the recent explosion in the number of virus
variants.

- -frisk

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 86]
*****************************************
