VIRUS-L Digest Tuesday, 4 Jun 1991 Volume 4 : Issue 97
Today's Topics:
Fw: Trojan version of VIRUSCAN version 78 (PC)
Virus Stats
RE: MS-DOS on ROM (PC)
RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94
Requirements for Virus Checkers (PC)
Re: AIDS Information Trojan (PC)
Virus Unknown (PC)
Hong Kong on MircoTough dist. disks (PC)
RE:My mail of June 3 - NOVELL and Virus (PC)
Hong Kong/Azusa (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 13 May 91 14:50:16 -0700
From: Aryeh Goretsky <aryehg%
[email protected]>
Subject: Fw: Trojan version of VIRUSCAN version 78 (PC)
- --------------------------
HEADS UP!
- --------------------------
(original message follows)
TROJAN VERSION OF VIRUSCAN VERSION 78
We have received a trojan horse version of VIRUSCAN. The hacked SCAN
has apparently been uploaded to BBSes in Michigan, USA under the
filename SCANV78.ZIP. Running PKZIP -V on the file reveals:
.PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
.
. Length Method Size Ratio Date Time CRC-32 Attr Name
. ------ ------ ----- ----- ---- ---- ------ ---- ----
. 12816 Implode 5255 59% 04-08-91 14:28 08a87ed8 --w AGENTS.TXT
. 9406 Stored 9406 0% 02-03-91 17:04 42cf9931 --w REGISTER.DOC
. 23008 Implode 12550 46% 05-06-91 18:15 f9735dd5 --w SCAN.EXE
. 6495 Implode 1895 71% 10-31-89 16:16 0449b09d --w VALIDATE.COM
. 3626 Implode 1802 51% 11-29-90 01:59 ab76470f --w README.1ST
. 21257 Implode 5767 73% 05-06-91 19:35 a0728a17 --w VIRLIST.TXT
. 2844 Implode 1406 51% 02-14-91 14:25 aa330b57 --w VALIDATE.DOC
. 24515 Implode 9188 63% 05-06-91 19:34 172a967f --w SCAN78.DOC
. ------ ------ --- -------
. 103967 47269 55% 8
The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse. I have called the phone number and
asked the party at the other end to contact me.
Running PKUNZIP on the file reveals the following:
.PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
. Exploding: AGENTS.TXT -AV
. Extracting: REGISTER.DOC -AV
. Exploding: SCAN.EXE -AV
. Exploding: VALIDATE.COM -AV
. Exploding: README.1ST -AV
. Exploding: VIRLIST.TXT -AV
. Exploding: VALIDATE.DOC -AV
. Exploding: SCAN78.DOC -AV
.
. Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES
While the Authentic Files Verified Message appears, the Serial Number is
NOT correct. McAfee Associate's Serial Number is NWM405.
Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
files revealed that these are straight from VIRUSCAN Version 77--the
version number in the VIRLIST.TXT file was still V77.
The SCAN78.DOC file had been modified so that all occurrences of V77
were switched to V78. Additionally, the following text was added for
the validation data:
. The validation results for Version 77 should be:
.
. FILE NAME: SCAN.EXE
. SIZE: 23,008
. DATE: 05-06-1991
. FILE AUTHENTICATION
. Check Method 1: 2C21
. Check Method 2: 022E
.
For the What's New section, the following text was added:
. WHAT'S NEW
. Version 78 of SCAN removes a few small bugs and continues
. to optimize the procedures SCAN uses to find viruses, as in Version 77,
. as well as adding a few more to the list of known viruses. SCAN is now much
. more compressed than was previously thought possible, so please enjoy the
. shortened file size, it should still work just fine.
. Refer to the enclosed VIRLIST.TXT file for a schematic
. description of the new viruses. For a complete description, please
. refer to Patricia Hoffman's VSUM document.
.
Examination of the SCAN.EXE file has show that it contains the help
message that VIRUSCAN displays as well as the program information
message. However, the program does not contain any of the other
messages that VIRUSCAN has in it.
The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is
not a text file, but rather another .ZIP file containing a file named
TB1.COM:
. PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
. Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
. PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
. Searching ZIP: REGISTER.DOC
. Extracting: TB1.COM -AV
.
. Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES
.
When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified Message as the SCANV78.ZIP file did. Examination of the of the
TB1.COM file revealed that it contains the Whale virus.
This is all I currently know about the SCANV78.ZIP trojan. If you see
any copies of this file, please ask the system administrator or sysop to
remove it and ask them to contact the uploader to warn them that it
contains a virus.
Aryeh Goretsky
McAfee Associates Technical Support
- - - -
[email protected]
------------------------------
Date: Mon, 03 Jun 91 02:35:41 -0500
From: Fwtns Georgakopoulos <ACPS7031%
[email protected]>
Subject: Virus Stats
Hi Everyone...
I am wondering if anybody out there can help me...
I have to write this paper on virus and I have no statistics...
I couldn't possibly conduct a survey which could have been very
realistic...If anyone knows where I could find some stats on virus
or if someone even has anything (that would be great! :-)) I would
really appreciate the help...
Thanks in advance...
Frank
------------------------------
Date: Mon, 03 Jun 91 10:02:46 -0400
From: "David B. Horvath" <
[email protected]>
Subject: RE: MS-DOS on ROM (PC)
Radio Shack, in the newer versions of the TANDY-1000 series (SL, TL,
and newer) all have MS-DOS in ROM. The ROM emulates a write-protected
hard disk with NO free space. The boot device is selectable in the
system startup (stored in battery backed CMOS RAM) - as well as
certain default AUTOEXEC.BAT/CONFIG.SYS entries.
The pseudo-disk is implemented in socket ROM chips; the salesmen talk
about the ease of upgrade - "just replace the chip with a new one -
easier than upgrading from floppy..."
- David B. Horvath
+--------------------------------------------------------------------+
| David B. Horvath, CDP AT&T Net: 215-354-2468 |
| Systems Analyst - GE Internet:
[email protected] |
| Adjunct Instructor - CCC DecNet : SCOV19::horvath_db |
| M.S. Candidate - UPENN ICBM Net: 40 N 75 E |
| (
[email protected]) |
| Standard Disclaimer: All expressed opinions are my own and do not |
| represent any of my employers or affiliated organizations. |
| |
+--------------------------------------------------------------------+
------------------------------
Date: 03 Jun 91 09:45:00 +0200
From: J|rgen Olsen <
[email protected]>
Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94
RE: LAN's as vehicle for spreading virii!
- -----------------------------------------
We run an installation including 700 MAC/PC's (250+450), 8 Novell
Nets, 6 3+SHARE-nets, Appletalk etc.
The remarks below refers mainly to our experience with the Novell-nets
in the Dep. of Social Sciences - 5 - with 120+ workstations.
- -----------------------------
This is mainly a question of network management.
1. Certainly - in a university where students can load programs into
the netdrives - an infected program can be spread. BUT -
2. Serious problems only arise if someone with Supervisor rights are
infected when logging in to do a bit of system Admin.
3. So the combination - daily scanning of areas where users (students)
can leave their (games,pirate copies (sorry) etc) and removal of same
combined with carefull network management (scanning of RAM & local
disk) will do the trick.
4. We still have to see a Virus infecting the Netware - without a bit
of outside help - as described under 2.
- -----------------
Anybody with a comment to 4. ??
- --------------------------------
Do not bother to suggest that we install TSR's etc for checking. We
have tried - but a number of our applications are RAM-hungry - and
some does not even like some of those TSR - e.g. they start behaving
funny. But a bit of planning and prevention can do the trick - or have
done so til this moment.
J Olsen
Academic Information Systems
University of Odense
Denmark
------------------------------
Date: 02 Jun 91 23:41:01 -0400
From: Robert McClenon <
[email protected]>
Subject: Requirements for Virus Checkers (PC)
>From:
[email protected]
>>From: padgett%
[email protected] (A. Padgett Peterson)
>> 6) Must be easy to remove for troubleshooting
>Hey, *my* code never needs to be removed! <grin>
Excuse me, but I use Virex-PC, which is Ross's product. I do
occasionally need to remove it, not to troubleshoot IT, but because
something is incompatible with it. One commercial game requires 540K
of FREE memory, not counting MOUSE.SYS, which it uses, and can't fit
if Virex-PC is installed. A third-party fax board program has TSR
conflicts with Virex-PC. I don't know what it is doing, but it tries
to take over the same interrupts as Virex-PC and the results are
unpredictable. (Sometimes it refuses to run. Sometimes it crashes.)
The need to remove an anti-viral program is not entirely a function of
the anti-viral program's flaws. I have dealt with the problem by
defining a batch file which creates a dummy file which signifies that
on the next (warm) boot of my PC, Virex-PC is not to be loaded, and
then rebooting. Anyway, Padgett is right. A program must be easy to
remove in the event of trouble. The trouble may not be the fault of
the program. The game admits it is a hog. The fax program is written
very sloppily, but it is worth the price I paid for it. (It came free
with the fax modem board.)
Robert McClenon
Neither my employer nor anyone else paid me to say this.
------------------------------
Date: 03 Jun 91 20:42:30 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: AIDS Information Trojan (PC)
[email protected] (McAfee Associates) writes:
>Does anyone recall whatever happened to Joseph W Popp, the alleged
>mastermind behind the AIDS Introductory Information Trojan Diskette?
The trial date has been set for November 11th and will take place at
Southwark Crown Court, London.
- -frisk
Fridrik Skulason Technical Editor of the Virus Bulletin (UK)
(author of F-PROT) E-Mail:
[email protected] Fax: 354-1-28801
------------------------------
Date: Tue, 04 Jun 91 06:24:13 +0000
From:
[email protected] (Edward the Awaken)
Subject: Virus Unknown (PC)
Help! My PC is infected by this virus that my SCAN 3.5 can't even
detect. The virus has a little bug that moves across the screen line
by line shifting the text something like 10 spaces to the left. The
bug seems to work in the background, ie while an application is
running. The bug that moves across the screen looks like this
********=(
Can someone help me id this virus and maybe suggest a possible care I
will be greatful.
Thankyou in advance.
Edward K.
Address:
[email protected]
[email protected]
------------------------------
Date: Tue, 04 Jun 91 08:34:33 -0500
From:
[email protected] (Frank Doss)
Subject: Hong Kong on MircoTough dist. disks (PC)
One of our users here at Eastern Illinois has discovered the Hong Kong
virus on the distribution disks included with Micro Tough's TVGA
board. This board is a MS-Windows enhancer Trident chip graphics
board. The disk are labeled TVGA-8916 (disks one - three).
All three of the notchless disks had the virus. As the disks were the
notchless type, the virus came from either the factory or the
duplicating company. Micro Tough has been notified.
Norton Anti-Virus 1.00 did NOT find the virus, but Central Point
Anti-Virus 1.00 found and purged the virus.
To say the least, our user was most discerned with his factory-bought
virus. ;-)
This has been a warning . . .
Frank E. Doss
Academic Computing
Eastern Illinois University
------------------------------
Date: 04 Jun 91 16:15:00 +0200
From: J|rgen Olsen <
[email protected]>
Subject: RE:My mail of June 3 - NOVELL and Virus (PC)
In my mail - I wrote on Mon, 3 Jun 1991 9:45:45 UTC+0200
>Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94
>RE: LAN's as vehicle for spreading virii!
- -----------------------------------------
<deleted>
>4. We still have to see a Virus infecting the Netware - without a bit
> of outside help - as described under 2.
> -----------------
>Anybody with a comment to 4. ??
>--------------------------------
Later the same day the June issue of VIRUS BULLETIN hit my desk
(compliments to the editor for ensuring that By FIRST CLASS MAIL you
get it at the start of the month and not at a somewhat later date) -
and there it was! The answer to any network managers nightmare - GP1
- - a NOVELL specific virus (variant of Jerusalem)!
I have mailed the NOVELL board - asking for a comment! Any answer
will be forwarded to Ken for consideration/remailing through him.
J Olsen
Academic Information Systems
University of Odense
Denmark
------------------------------
Date: Tue, 04 Jun 91 11:29:39 -0400
From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Hong Kong/Azusa (PC)
>One of our users here at Eastern Illinois has discovered the Hong Kong
>virus on the distribution disks included with Micro Tough's TVGA
>board. This board is a MS-Windows enhancer Trident chip graphics
>board. The disk are labeled TVGA-8916 (disks one - three).
The "Hong Kong" is the name Central Point Software has chosen to use
for the AZUSA virus previously reported in Dayton on Trident TVGA
disks. It becomes memory resident on boot and has a counter that
typically after 32 boots will zero the interrupt addresses of COM1 and
LPT1 in the system data area casusing access to these peripherals to
fail.
CHKDSK will also report something less than 640k (655360 total bytes
memory) available to DOS.
More importantly, this is the THIRD time that Trident's distribution
disks have been reported in connection with infected boot sectors.
(Packard Bell SVGA - Dec,90; TVGA disks in May) & points out the need
for something more that just a warning. Other manufacturers have
accidently introduced viruses before but most have instituted policies
to avoid ever doing it again.
(IMHO) an investigation should be launched to determine just what is
going on, to determine why this has occured, and to try to ensure that
it is not repeated.
It has been mentioned before but (IMHO) what is needed is a national
computer integrity laboratory organized to become a clearing house for
viral information (to avoid AZUSA/Hong Kong & Jerusalem/1813 confusion
in the future), to provide a testing mechanism for the effective
*weighted* evaluation of anti-virus products, and to inspect/certify
manufacturers procedures for preventing future virus disseminations.
This would have to created as a disassociated not-for-profit
organization to have any meaning, we seen several commercial attempts
already, but is something that is needed. However, it would take
resources to establish so if any of the Virus-L members know of grants
available or manufacturers who would be willing to make equipment
available to set up such an organization, (my den closet is not big
enough) please let me know.
Hotly,
Padgett
Somewhere west of Orlando
These views are my own, most likely no one else would want them.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 97]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
