VIRUS-L Digest   Thursday, 23 May 1991    Volume 4 : Issue 88

Today's Topics:

PKZ120.EXE trojan? (PC)
Unidentified virus? (PC)
Stoned (Was: Re: Dead vs Live) (PC)
Re: Detecting Spanish Telecom ?? (PC)
Re: Into the 1990s
SPANISH VIRUS
Software Upgradable BIOS (PC)
Re: Bug in VirusScan (PC)
Virex-PC question for you
re: The Shape of the World (PC)
Re: Tequila virus (PC)
Product Test, Flu_Shot+ (PC)
New mailing list for Macintosh security discussion (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 22 May 91 08:50:00 +0100
From:    <[email protected]>
Subject: PKZ120.EXE trojan? (PC)

L.S.,

Rumors are going around here that versions of PKZ120.EXE (the
self-extracting archive containing PKZIP & PKUNZIP version 1.20 with
their accompanying other files) exist that contain a trojan or some
virus. I have no more information.  Can anybody give comments? Some
time ago I downloaded a copy from TRICKLE (European shadow of SIMTEL20
more or less) and never observed any strange behavior, nor did
virus-scanning reveal any problems.

[Ed. As with the case of *all* unfounded rumors, I would like to urge
everyone to NOT jump to any conclusions unless/until we have an
accurate statement from someone of authority on this matter.]

Sincerely,

Pim Clotscher
Erasmus University Rotterdam
Computer Support Group

------------------------------

Date:    22 May 91 09:47:16 -1200
From:    [email protected]
Subject: Unidentified virus? (PC)

Hi All:

I am afraid I have got a virus.  But SCAN77 does not identify it..
What happened to me is that the system suddenly reboots when I am
working.

I noticed this when I was drawing a plan in AUTOCAD.  When I displayed
the object with hidden lines removed, it started rebooting..  Later I
noticed that there were 3 hidden files created in the ACAD directory.
Those files are some parts of the MTE directory..  The file names were
different and hidden, and not the complete file but a small part of a
file, about 6k.

This rebooting continued even when I was in Norton commander..

I turned the system off and on again..  There was no problem at the
beginning..  But after 30 minutes (or so) it started rebooting as if
the reset button was pressed..  And the same files were again created (I
had positively erased those files before).  So I thought that something
was wrong with the MTE and I erased the whole MTE directory..  (No BBS
calls yesterday.)  I also changed the AUTOCAD directory by erasing it and
installing it again from fresh, DIFFERENT AUTOCAD software.

Now I do not have that rebooting problem up to now.  But the three
hidden files are still created in the ACAD directory with some contents
from the MTE software.  Note that I do not have MTE on my hard disk NOW.
How are those files created?  Did anybody have such an experience
before?  I doubt that this is a VIRUS.  But SCAN77 says NO.

Can anyone give me a suggestion what to do...

Thanks in Advance....
Nasir
([email protected])

------------------------------

Date:    22 May 91 08:20:54 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Stoned (Was: Re: Dead vs Live) (PC)

[email protected] (James Nash) writes:
>How many times have you seen a student
>put their disk in the PC then switch it on? I do it by mistake myself
>sometimes. Whether the author was a great visionary(!) or got lucky
>doesn't matter, he was the first(?) to use the technique.

Not quite the first.  According to the chronological list by Y. Radai,
the first boot sector virus (Brain) was discovered in January '86, and
Yale/Alameda in March '87 - both those viruses spread by the same
method.  Stoned and Ping-Pong were discovered later, in early '88.

-frisk

------------------------------

Date:    22 May 91 08:46:38 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Detecting Spanish Telecom ?? (PC)

[email protected] (Aidan Saunders) writes:
>Having checked the documentation of the F-PROT (1.14) & McAfee SCAN (v77)
>packages, I don't find any reference to these.  So:

F-PROT 1.14 is a bit outdated - the current version (1.15A) will
detect the virus without problems, as will 1.16 which will be released
around June 1st.  In the meantime, you can detect the virus on boot
sectors, by adding the following line to SIGN.TXT 1.14

Telecom     1DuoWjeMGmqkUXUlq+wl5ajj5XOOM54Z06tFd8NGJAbqkOJjl9Rwj8DFTmdKy4W4BX

Detecting infected programs is a slightly larger problem - as the virus
does not seem to be able to infect files.  Don't misunderstand me, it
is clearly intended to - but testing, as well as a study at Oxford
where the virus has been spreading recently, has only revealed spreading
by boot sector infections.

The following string can be used to detect the original .COM file I
have, but it is not 100% certain to detect all instances of the virus
- I have heard of a different variant, but not yet received a sample.

Telecom     xyJnWmtj2mDuGkjAVFHRl0AeAK9nxtmS74gBbEAG8K9NJdMLZplgBhZEkK

If you want hex patterns for some other program, the following
patterns are the Virus Bulletin patterns:

Telecom Boot:      8A 0E EC 00 BE 70 00 03 F1 8A 4C 02 8A 74 03 C3
Telecom Program1:  8B 1D B2 00 83 FB 00 74 18 BF 55 00 B2
Telecom Program2:  83 ED 09 BE 20 01 03 F5 FC B6

Regarding disinfection - F-DISINF 1.15A can remove the infection from
boot sectors - This was thoroughly tested as I managed somehow to
infect one of my own computers by accident with the virus.

I have not yet added code to "clean" infected files, as I have not
been able to generate them - if anyone has been able to get Spanish
Telecom to infect files, I would very much like to hear about it.

-frisk

Fridrik Skulason                 Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)               E-Mail: [email protected]    Fax: 354-1-28801
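A minimal signature scanner for the Virus Bulletin hex patterns quoted in the post above, as an added example that is not part of the original post, of F-PROT or of Virus Bulletin; the sample sector it scans is constructed here and carries only the detection string itself, not any virus code.

```python
"""Fixed-string scanner for the Spanish Telecom hex patterns quoted in
the post above.  Added example; not F-PROT or Virus Bulletin code."""

# The three patterns exactly as given in the post, keyed by their names.
TELECOM_PATTERNS = {
    "Telecom Boot":     "8A 0E EC 00 BE 70 00 03 F1 8A 4C 02 8A 74 03 C3",
    "Telecom Program1": "8B 1D B2 00 83 FB 00 74 18 BF 55 00 B2",
    "Telecom Program2": "83 ED 09 BE 20 01 03 F5 FC B6",
}


def parse_pattern(hex_text: str) -> bytes:
    """Turn a space-separated hex string into its raw byte sequence."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def scan_bytes(data: bytes, patterns=TELECOM_PATTERNS) -> list:
    """Return (pattern name, offset) for every occurrence found in data.
    Each pattern is searched exhaustively so overlapping hits are kept."""
    hits = []
    for name, hex_text in patterns.items():
        needle = parse_pattern(hex_text)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return hits


def scan_boot_sector(path: str) -> list:
    """Read the first 512 bytes of a raw sector image and scan them."""
    with open(path, "rb") as f:
        sector = f.read(512)
    return scan_bytes(sector)


def constructed_sample_sector() -> bytes:
    """A constructed 512-byte 'boot sector': zeros, the boot pattern placed
    at offset 0x40, and the usual 55 AA signature in the last two bytes.
    It contains only the detection string, no virus code."""
    sector = bytearray(512)
    sector[0x40:0x40 + 16] = parse_pattern(TELECOM_PATTERNS["Telecom Boot"])
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for name, off in scan_bytes(constructed_sample_sector()):
        print(f"{name} found at offset 0x{off:03X}")
```

As the post itself notes, the program patterns come from one sample, so a different variant need not match them; the boot pattern is the one the post describes as reliable for boot sectors.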

------------------------------

Date:    Wed, 22 May 91 13:12:00 +0300
From:    Y. Radai <[email protected]>
Subject: Re: Into the 1990s

 Among Ross Greenberg's points in his reply last week to Padgett
Peterson was the following:

>You mentioned a few products and their methods, so its obvious that
>this integrity checking *IS* being done (FLU_SHOT+ has had integrity
>checking on program run for about three years, I guess).  Now, is this
>integrity checking being done *properly*?  Interesting question and
>one that only the marketplace can answer by what they select for their
>purchase (or freeware usage).

 Sorry, but I just can't pass over that without comment.
 Whether integrity checking or any other software function is being
done properly is not a question which can be settled by asking the
marketplace.  If it were, we could completely dispense with all the
quality comparisons that are continually being made in the literature
and simply quote sales figures.  Because of many other factors such as
marketing skill, luck, etc., the correlation coefficient between
product quality and volume of sales, in computer software as in other
products, may be closer to 0 than to 1, even if we consider only
products in the same price range.  (Some cynics claim that this
coefficient is negative.  I'm not sure that they're far off.)
 (No offense meant, Ross, but I'm sure it won't come as a surprise to
you if I mention that in my opinion, a good example of poor product
quality despite presumably good sales figures is the
integrity-checking feature of FLU_SHOT+.  But since I've discussed FSP
enough in the past, I won't repeat my arguments unless someone asks.)

>Resident integrity checking, and access control, is a worthy goal of
>any of the anti-virus products. However, remember that it can and
>*will* be circumvented the first time somebody boots off a floppy.

 That does not have to be true; details in a couple of weeks.

                                    Y. Radai
                                    Hebrew Univ. of Jerusalem, Israel
                                    [email protected]
                                    [email protected]

------------------------------

Date:    22 May 91 11:13:20 +0000
From:    "Alan J Jones" <[email protected]>
Subject: SPANISH VIRUS

A.J.Jones
University of Manchester

Has anyone got some information on this virus.  It has been reported
at Oxford University and it is bound to get here sometime.

------------------------------

Date:    Wed, 22 May 91 13:55:21 -0400
From:    Padgett Peterson <padgett%[email protected]>
Subject: Software Upgradable BIOS (PC)

>From:    "William Walker C60223 x4570" <[email protected]>

>I feel that the prominent anti-virus researchers (and some of us
>others) ought to collectively rise up and protest the software-
>upgradable BIOS before it gets any acceptance.

As one who a few careers ago made a living designing digital control systems
("flew" some digitally controlled gas-turbine engines with 8080s at
Tullahoma in the seventies - Hi Bill), there does not have to be a problem
if the hardware designers do their job.  An EEPROM requires a special signal
on one lead to tell it to write.  If that lead is under hardware control and
accessible only with the case open and a special plug in place that disables
everything except a "load & verify BIOS" program, risk can be minimal.

The point is not to "protest" the concept, it sounds like a good idea, but
demand adequate safeguards (dare I say "standards") for its use.


------------------------------

Date:    Wed, 22 May 91 13:55:21 -0400
From:    Padgett Peterson <padgett%[email protected]>
Subject: Re: Bug in VirusScan (PC)

>From:    [email protected] (Aryeh Goretsky)

>  Since the Jerusalem (and sundry variants) infects overlays
>in addition to .COM and .EXE files, it's always a good idea to run
>SCAN (and CLEAN) with the /A option, or use the /E option and list the
>extensions you would like to add.

Have done some more checking & v74B-earlier operate correctly, 75, 77 (& I
assume 76) are the ones that need the /A switch, something shared with
CLEAN and NETSCAN. BTW, I tried using /E OVL and it still did not pick it
up, only the /A (or, I would assume, an /EXT) seem reliable. What I tell
people is when an infection is confirmed (the parent .EXEs are picked up just
fine) or no other explanation is reached, always use the /A switch & take a
coffee break.
                                       Warmly,
                                               Padgett

------------------------------

Date:    Wed, 22 May 91 16:55:57
From:    [email protected]
Subject: Virex-PC question for you

VIRX, Version 1.4, is available for download from my BBS
(212-889-6438), as well as CIS and BIX -- those are places I
personally uploaded some copies, so they are 100% safe.  Additionally,
I uploaded a copy directly to Keith's board and it should be available
on SIMTEL-20 by now.

Ross M. Greenberg
Author, Virex-PC.

------------------------------

Date:    Wed, 22 May 91 16:44:52
From:    [email protected]
Subject: re: The Shape of the World (PC)

>From:    rebill02%[email protected] (Russell E. Billings)

>I'm curious, did you tell the ones [at the Trenton Computer Fest]
>who had been hit by those three to
>drop their hands, or did you ask that those who had *ONLY* been hit by
>those three to drop their hands?  A subtle difference, but an
>important one, nonetheless.

I had asked them to keep their hands up until all the viruses they had
been hit with were accounted for.  I believe that only one person in
the audience had been hit with more than one virus.

Ross

------------------------------

Date:    Wed, 22 May 91 16:53:37
From:    [email protected]
Subject: Re: Tequila virus (PC)

>From:    [email protected] (Morgan Schweers)
>
>    *Chuckle* It's a variant of the Flip virus, actually.  A bit of
>pseudo-encryption code was added, and a bit of infection code was
>removed, but otherwise it's mostly flip-like.

Interesting phrase, "pseudo-encryption".  What, exactly, does it mean?

>   Mr. McAfee gave me a scan string quickly after I handed it to
>him, and it'll be in the upcoming release of Scan as well.  (Clean,
>of course, will remove it.)  It's *VERY* rarely 'impossible' to find
>a scan string for something.

Sorry: I don't count "wild card" strings as a search pattern.  There's
too much chance for false positives.  But, true, if you don't mind the
occasional false positive, I guess you could state that a search
string was available for Tequila.

>    Dave Chess mentioned to me that the Tequila displays a low resolution
>Mandelbrot set upon activation.  I haven't confirmed it, but I plan to.
>(Anybody want GIF copies when I do?  *chuckle*)

Sorry, I'll wait for the sequel: Tequila Part II: The Resolution
Improves!  <grin>

Ross

------------------------------

Date:    Tue, 21 May 91 14:54:49 -0600
From:    Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Product Test, Flu_Shot+ (PC)

[Ed. The following is the first part of Chris McDonald's product
review of Flu_Shot+.  The complete text to this review, along with the
rest of Chris's (and Rob Slade's) reviews, is available for anonymous
FTP on cert.sei.cmu.edu (IP # 128.237.253.5) in the
pub/virus-l/docs/reviews directory.]

*******************************************************************************
                                                                         PT-27
                                                                      May 1991
*******************************************************************************


1.  Product Description:  Flu_Shot+ is a shareware program to assist a user in
detecting "suspicious" activity which may be indicative of a malicious program.

2.  Product Acquisition:  Flu_Shot+ is available from Software Concepts Design,
594 Third Avenue, New York City, NY 10016.  The cost for version 1.81 is $15.00
plus $4.00 handling charges.  Site licenses are available.  The program is
available on the Internet to include the host simtel20 in the path:
pd1:<msdos.trojan-pro>fsp_181.zip.  The author of the program is Ross Greenberg,
who is also associated with the commercial program Virex-PC (see PT-23, Revised
May 1991).

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN:  258-4176, DDN:
[email protected] or [email protected].

4.  Product Test:

   a.  I acquired version 1.5 in January 1989 from the simtel20 repository.
Then the registration fee was $10.00 plus $4.00 handling.  I registered my
copy at that time and have continued to download revisions to the program
through version 1.81 to look for any significant changes.  At version 1.7 Mr.
Greenberg indicated that future upgrades to Flu_Shot+ might end because he had
entered into an agreement with a commercial firm to market the program's
protection features with additional viral scanning and disinfection
capabilities.  The commercial firm is now Microcom Software Division which
markets Virex-PC.  While Mr. Greenberg actually sold Microcom Flu_Shot++, not
Flu_Shot+, I was somewhat surprised when version 1.81 reached the repository in
December 1990.  This version came bundled with a demonstration copy of the
viral scanning capability of Virex-PC.  Subsequent electronic communications
with Mr. Greenberg suggest that Microcom may view continued releases of
Flu_Shot+ as a commonsense marketing strategy to migrate users to their
commercial product.

..

------------------------------

Date:    Tue, 21 May 91 23:30:00 -0400
From:    [email protected]
Subject: New mailing list for Macintosh security discussion (Mac)

 I have established a mailing list for people interested in Macintosh
security. This can be used to:

       * Discuss existing security problems in various Macintosh applications.
       * Discuss security applications, hardware, and solutions.
       * Discuss potential problems and their solutions.
       * Announcements of new Macintosh viruses and virus control software.
         (Discussion of viruses in depth should be carried out on
         virus specific mailing lists.)
       * Just about anything else related to Macintosh security and
         access control.

 With the arrival of System 7.0 and its wealth of information sharing
facilities, Macintosh security has entered a new era. Originally you
only had to worry about someone getting into your Macintosh via the
keyboard, or stealing it outright. Now it's much easier to browse
through information on someone else's Macintosh over the network.

 If you're interested in joining the list, please send a message to:

       [email protected]

 Contributions to the list should go to:

       [email protected]

 At present, the list is unmoderated and will immediately distribute
any incoming messages to the list. If conditions change, the list will
change to a moderated list, a digest, or some other form. Also, we can
look into making it a newsgroup at some point but I'd like to start it
in this form and see what develops.

 Please redistribute this message, particularly to whoever maintains
the list-of-lists since I can't figure out how to get onto that list,
or even where it is.


-David C. Kovar
       Consultant                              ARPA: [email protected]
       Eclectic Associates                     AppleLink: ECLECTIC
       Ma Bell: 617-643-3373                   MacNET: DKovar

        "It is easier to get forgiveness than permission."

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 88]
*****************************************
