VIRUS-L Digest Friday, 14 Feb 1992 Volume 5 : Issue 30
Today's Topics:
Maltese Amoeba report (PC)
STONED on MSDOS 4.01 Distribution disks (PC)
Fprot (PC)
System Troubles... (PC)
Info wanted on the Form virus (PC)
Re: AUX files (PC)
"Variant" virus (PC)
Re: Yankee Doodle (PC)
Dark Avenger on vendor disks (PC)
Viruses and Backups (PC)
Mirrors virus info? (PC)
Cinderella virus/ does VSHIELD work? (PC)
Biological analogy
Re: Polymorphic viruses
List of all viruses available?
virx20.zip on risc (PC)
VIRX20.ZIP (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 10 Feb 92 11:40:10 -0500
>From: Wolfgang Stiller <
[email protected]>
Subject: Maltese Amoeba report (PC)
Stiller Research Virus Report - Copyright 1992 - The Maltese
Amoeba
Aliases: Irish (McAfee), Grain of Sand, Amoeba (mistakenly)
A destructive memory resident infector of .COM and .EXE files.
It will activate on Nov 1st and March 15th.
The Maltese Amoeba is another variable encrypting virus. This
means that the bulk of the virus code is encrypted and the
decryption routine uses variations of several patterns of
instructions similar to the technique used in the V2Px series of
viruses. The decryption instructions are interspersed with
variable numbers of irrelevant instructions and can appear in a
varying order. While various (different) series of instructions
are used for the decryption, the decryption is always accomplished
by a simple exclusive or. The Maltese Amoeba infects only .COM
and .EXE files using a different decryption pattern for .COM and
than for .EXE files.
It uses no stealth techniques and can be detected by doing a
simple DIR and noting the file size changes. Its only
sophistication lies in its ability to make generation of virus
scan strings difficult. This virus spread quite readily on all
PCs tested (7). It will infect files on either a DOS open or a
load and execute (files read or executed programs will be
infected). After the first infected file is executed, the Maltese
Amoeba goes resident in memory in the highest available 2K
(usually at 9F00:0000 if 655,360 bytes are free). It seems to
play by the DOS rules and changes the MCBs (memory control blocks)
so that DOS does not overlay the virus code, but it does not issue
the DOS TSR request (no doubt in order to bypass monitoring
programs). This reduction in memory can be seen by doing a CHKDSK
or a MEM command.
This virus checks for its own presence in memory by issuing a
DOS set date call with an invalid value and also checks for
presence (in memory) of Ross Greenberg's anti-virus programs
(FluShot+ and Virex-PC) as well as the PSQR virus. If these
programs are present the virus will not infect any programs. It
reportedly also detects and deactivates the Murphy virus but I
have not confirmed this. The virus will replace the (Int 24)
critical error handler so you will not see the familiar "Abort,
Retry, Fail" if the virus tries to infect a write protected
floppy.
On Nov 1st or March 15th (March is going to be a rough month!),
it will overwrite low numbered tracks on the hard disk and any
diskettes, produce a flashing display and hang the PC. The disk
will probably be unreadable at this point. I have not actually
allowed this virus to destructively activate on my test systems;
my results are based upon code inspection and reports published in
the (UK) Virus Bulletin. The code written into the partition
sector (AKA Master boot record) contains encrypted poetry which
displays the first four lines of Blake's Auguries of Innocence
from the Pickering Manuscripts:
"To see a world in a grain of sand
And a heaven in a wild flower,
Hold infinity in the palm of your hand
And eternity in a hour."
The Virus 16/3/91
The next time the PC is booted the above text is displayed -- the
PC then hangs.
The remainder of the partition sector will contain unencrypted
ASCII text. This text names the virus "AMOEBA" and proclaims that
the University of Malta "destroyed 5X2 years of human life". This
implies that the virus was written by two students who did not do
very well at this university. (Note, there is another virus more
commonly known as AMOEBA so this name should NOT be used for this
virus)
=========== End of Virus report =========
Since this virus will soon activate (March 15th), I suggest that
you check your software to make sure it can detect this virus. I
understand that it is prevalent mostly in the UK and Europe.
A little editorial comment here. This virus was not detected
prior to its activation in the UK on November 1st 1991. It had
managed to spread quite widely! According to the December 1991
Virus Bulletin: "Prior to November 2nd, 1991, no commercial or
shareware scanner (of which VB has copies) detected the Maltese
Amoeba virus. Tests showed that not ONE of the major commercial
scanners in use (the latest releases of Scan, Norton Anti-virus,
Vi-Spy, VISCAN, Findvirus, Sweep, Central Point Anti-virus et al.)
detected this virus."
This indicates the danger of depending upon scanner technology or
active monitor technology for virus protection.
Regards,
Wolfgang (Author of Integrity Master)
Stiller Research
2625 Ridgeway St.
Tallahassee, FL 32310
USA
------------------------------
Date: Tue, 11 Feb 92 18:16:14 -0600
>From:
[email protected] (Jerome Grimmer)
Subject: STONED on MSDOS 4.01 Distribution disks (PC)
[I received the following from another listserv list I am on. I feel that it
warrants posting here in this forum, so here it is. --Jerome Grimmer]
===========BEGIN FORWARDED MESSAGE==================
>From: "Stephanie A. Hall"
<mamut.wlu.ca!UBVM.cc.buffalo.edu!shal%SEQ1.LOC.GOV>
Subject: VIRUS ALERT
X-To: anthro-l%
[email protected]
To: Multiple recipients of list ANTHRO-L <ANTHRO-L@UBVM>
Status: RO
Folks:
In our office we recently got a practical lesson in virus
prevention when one of our PCs crashed with virus-like symptoms.
No virus was found, and the PC was backed up, so we are just
wiser and not sadder for the experience. The information we
learned from the experts involved in virus detection and clean-up
is worth passing on -- especially since there is a particularly
nasty virus going around right now. Following are the details as
best as I know them:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
VIRUS ALERT 1/31/92
A computer virus called "stoned" has been damaging systems in the
Washington DC area, and may have spread to other areas.
A known source for the "stoned" virus in the Washington area is
on commercially duplicated copies of MS DOS 4.01 packaged and
sold with new Win brand computers. The virus was apparently put
on many diskettes when Win Laboratories in Manassas, VA had DOS
4.01 duplicated by another company. Many federal and private
offices purchased Win computers with DOS 4.01 in 1991.
This virus is extremely widespread. Not only was it transmitted
through duplicates of MS DOS 4.01, it is also extremely
contagious. Also, since it is believed that the virus was put on
diskettes at a commercial duplication lab (without their
knowledge, of course), it is possible that copies of other
commercial software may carry the virus.
If you have a Win computer with DOS 4.01 installed, the copy
installed by the computer dealer should be OK. But do not use the
DOS diskettes that came with the computer. These diskettes are
clearly marked "Win Laboratories, Ltd." One way to protect
yourself in this case is to upgrade to DOS 5.0 and toss your old
copies of 4.01.
If you use a MS DOS 4.01 or other source diskette with the
"stoned" virus you will get a message "Your PC is now stoned,"
hence the name. The virus attacks the boot files and destroys
the file allocation table of both the hard drive and any floppy
disks it corrupts. Eventually it makes floppys unreadable and
causes hard drives to crash.
The "stoned" virus can be readily transmitted by diskette. In
this case the warning message does not appear. It is not
necessary to copy files from a diskette onto a hard drive, or
even read them in order to spread the virus. Just reading the
directory of a floppy disk can transmit the virus from hard drive
to floppy or vice versa. Write-protect stickers will prevent
transmission of the virus by floppy disk.
Downloading corrupted files by modem will also transmit this and
other viruses. Some fileservers include anti-virus programs to
protect users, but it is best to rely on protecting yourself.
Current versions of both Norton's Anti-Virus and Central Point
Anti-Virus have been used successfully to detect and destroy the
"stoned" virus. They have also been used to recover data from
corrupted diskettes and hard drives, when the problem was caught
in time. (This information should not be construed as an
endorsement of these products.)
Computer technicians advise the use of general anti-virus
precautions to protect your computer and your data. Use an
anti-virus program and upgrade frequently. Scan all foreign
diskettes, even commercially purchased programs. If files are
packed, unpack them to a floppy disk and scan them before copying
them to your hard drive. When you download data from a network,
download it to a floppy disk, unpack to another floppy if
necessary, and scan the data before copying it to your hard
drive. Scanning it again after you have loaded it to your hard
drive is also a good idea. Scan your hard drive before backing it
up and back up frequently. If you do detect a virus on a disk,
notify the company or individual who gave it to you so they can
stop transmitting it themselves. If your computer system becomes
infected, do not transmit any files over the network or give
anyone a diskette until you are sure you have gotten rid of the
virus.
Finally, in case any users reading this have an opportunity to
influence young minds with a cautionary tale: this virus has
brought down the computer system of at least one area hospital,
thus endangering lives as well as data. Apparently the creators
of such viruses think of them as practical jokes. No one here is
laughing.
DISTRUBUTE FREELY
Stephanie Hall
seq1.loc.gov
------------------------------
Date: Wed, 12 Feb 92 01:29:46 +0000
>From:
[email protected] (Edmund Yat Ming Wong)
Subject: Fprot (PC)
[email protected] (James Ford) writes:
>The file fprot202b on risc.ua.edu has been replaced by fprot202d.zip.
>
>- -----------------------------------------------------------------------
>The major change in 2.02D is improved ability to search for viruses in
>compressed executables - the program can now search in LZEXE and PKLITE
>(version 1.03 and 1.13)-packed files.
>
>This method is not foolproof, but a considerable improvement, compared
>to earlier versions.
>
>I strongly recommend that anyone using 2.02A, 2.02B and 2.02C switch
>to this version - it corrects a few (very minor) bugs in those
>versions - those who are using 2.02 and have not bothered to get the
>minor updates can just as well ignore this one too - 2.03 will be
>released in early March.
I've TRIED to use FPROT v2.0 and it doesn't seem to work on my XT
computer. All it does is give a blank blue screen and that's all.
I've followed it's install.doc file, but it still gives me the
blue screen. I know this might be a bit old considering that v2.02d
is out, but like I was wondering if FPROT works on XT's.
Has anyone else have that kind of problem?
- --
[email protected] :\/: | "If you were me, and I were you,
=00= | would you be here and I be there?"
/\ | = = = = =
-- CrazyCat | "Hahahahaha" - Joker
------------------------------
Date: Tue, 11 Feb 92 21:01:00 -0500
>From:
[email protected]
Subject: System Troubles... (PC)
I'm wondering if anyone can help me with a problem. I am one of the
few students/people on campus knowledgeable of computer viri - most
students and faculty come to me for help. Admittedly, I am in the
weaning stages of becoming a viral-guru and have never ran across this
type of problem. Included is a letter sent to me from a faculty
member here at our college.
I'm not sure exactly what machine he's working on, but I know he had a
Dark Avenger infection last semester and reformatted his HD to remove
it. I haven't had a chance to check out his system yet (I use
McAffe's Scan/Clean V85) but I'm guessing it may be a virus - not to
cry wolf :)
Please send to my address as to not clutter up the list. Any help
will be appreciated. Thanks.
>Have you ever heard of a virus that:
>I was unzipping a file dl'd from a bbs and only a few files uncompressed
>and the process stopped. I grabbed for the power switch but... When I
>tried to reboot, the hd wasn't able. I brought the system up on a floppy
>and couldn't get to the hd at all--the config was still in cmos and accurate.
>After sys c: and copying command.com to the hd (this I could do), it booted.
>Half the root was erased but easily recovered with Unerase. But the
>boot files, command.com, autoexec.bat and config.sys were missing, vanished.
>It was no mere glitch that went after just those files.
>I've never heard of a virus that emerges will being uncompressed. It
>shouldn't be possible since the file wasn't executing. I've checked my
>unzipper and it's fine and I've used it since.
>Any ideas would be appreciated.
mcc
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| Michael C. Calanan -- SUNY College at Buffalo, N.Y. |
| Computer Information Systems |
| Consultant/User Support |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| BITnet ID : CALANA95@SNYBUFVA |
| DECnet ID : SBUFVA::CALANA95 |
| INTERnet ID :
[email protected] |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
------------------------------
Date: Wed, 12 Feb 92 07:58:49 +0000
>From:
[email protected] (Kjell Sivertsen)
Subject: Info wanted on the Form virus (PC)
I Have recently found the Form virus on a diskette. Can anyone
give me some information about this virus?
Thank you in beforehand.
==================================================================
|| Kjell Sivertsen || Telefax: +47-4-875199 ||
|| Rogaland Research || Phone: +47-4-875000 ||
|| P.O.Box 2503 Ullandhaug || Direct line: +47-4-875362 ||
|| N-4004 Stavanger , Norway || E-mail:
[email protected] ||
==================================================================
------------------------------
Date: 12 Feb 92 11:07:53 +0100
>From: "Otto.Stolz" <
[email protected]>
Subject: Re: AUX files (PC)
Hi gang,
on 07 Feb 92 21:41:05 +0000, Vesselin Bontchev
<
[email protected]> said:
> [...] I think to recall that I observed the same situation, when
> booting from an old DOS version (I was using 3.30 then), and running
> Norton Utilties' (version 4.5) program FileFind:
> FF C:AUX*.*
>
> I got a report that the file AUX is "found" in each directory of drive
> C:. The same was true for any other device driver - CON, PRN, LPT,
> COM... [...]
>
> If somebody has DOS 3.3 and FF from version 4.5 of NU, could you please
> check and confirm or deny this? [...]
I've just checked with IBM Personal Computer DOS Version 3.30 and
FF-File Find, Advanced Edition 4.50:
The above command produces the response
no files found.
Maybe an older DOS would do the trick?
Doubtfully,
Otto Stolz <
[email protected]>
<
[email protected]>
------------------------------
Date: Wed, 12 Feb 92 09:51:20 +0000
>From: Anthony Appleyard <
[email protected]>
Subject: "Variant" virus (PC)
On Thu, 06 Feb 92 12:19:57 -0500
[email protected] (Subject: Variant Virus
(PC)) wrote: "We have been infected with the variant virus here on the Tarleton
State University campus. Can anyone educate me on this virus? We are detecting
more and more virus infections since obtaining Untouchable Software. Others have
included Stoned, Michelangelo, Brain and now Variant. We are constantly having
to guard against these infections in our labs. Thanks in advance. Danny Johnson,
Computer Systems Manager, TSU, Stephenville, Texas.".
Does this virus exist? or does it only infect computers fitted with a key
labelled "ANY" :-) ? More likely he found "a variant of some virus".
{A.Appleyard} (email:
[email protected]), Wed, 12 Feb 92 09:45:24 GMT
------------------------------
Date: Wed, 12 Feb 92 08:54:59 -0500
>From: JEDI <
[email protected]>
Subject: Re: Yankee Doodle (PC)
To whom it may concern:
To my knowledge, Yankee Doodle just infects .COM and .EXE files. From
what I've seen, it likes BASICA.COM to start off with. It also likes
to inhabit the Windows directory also.
Yankee Doodle isn't a malicious virus like 'Possessed' is... To put it
in my supervisor's words, it's a fun virus. When it's done it's work,
it plays the tune of 'Yankee Doodle'. It's readily cleaned up with
CPAV or Mcaffee (SP?) software.
- -- JEDI
------------------------------
Date: Wed, 12 Feb 92 08:57:52 -0500
>From: KM2G000 <
[email protected]>
Subject: Dark Avenger on vendor disks (PC)
I assume this is old news, but I figured I would report it anyway.
At least some of the Sony Laser Library Distribution Install disks are
infected with "Dark Avenger." I opened a box, straight from a
distributer and found it infected.
Chris
------------------------------
Date: 12 Feb 92 17:34:35 +0000
>From:
[email protected] (Steve Guccione)
Subject: Viruses and Backups (PC)
I'm not sure if this has been discussed here or not, but I have been
wondering about the danger of backups being damaged by viruses.
A friend recently backed up his PC hard disk using a popular backup
utility. This utility uses a non-MS-DOS format.
After performing the backup, the hard disk was reformatted, and an
attempt was made to restore the files. But the data on the backup
disks had been damaged and could not be restored. The company who
made the backup program was called, and they were not able to repair
the disks.
It was later discovered that all of the machines in this particular
lab were infected with Stone-related viruses.
Could Stone have overwritten what it thought was "safe" space on an
MS-DOS diskette, only to damage backup data?
This seems like a significant problem. At least it was for my friend,
who lost the entire contents of his hard drive.
- -- Steve
- --
[email protected]
- -- 2/12/92
------------------------------
Date: 12 Feb 92 18:35:27 +0000
>From:
[email protected] (Baylor)
Subject: Mirrors virus info? (PC)
Tis teh season it seems. Our lab and sone others seem to be
breeding groundas these days. Does anyone know of the Mirrors virus?
Our slightly older versions of mcaffrey scan (sorry about spelling)
don't seem to know it, but i think the newest version might. Anyone
know what it infects or what it does? Any decenmt ways to check for it
(i was told by one person who came in that it leaves a huge file
called mirrors on the drive, but can't say i verified it)?
- --
- -----------------------------------------------------------------------
Baylor Wetzel
[email protected] "There is no such thing
Biafra for president 1992 as an innocent Kennedy"
"All opinions are soley those of the unix guys playing with my account"
- -----------------------------------------------------------------------
------------------------------
Date: 12 Feb 92 18:51:17 +0000
>From:
[email protected] (Baylor)
Subject: Cinderella virus/ does VSHIELD work? (PC)
I have recently had a very bad run in with Cinderella, losing
about 200 files. I think i found my problem after a while, but i'm
still a bit paranoid.
When my compiler started acting up (keys wouldn't work), i, on
a n off chance, scanned my system. It seemed a good number of files
were infected (about 20, at which point i simply quit the scanner and
rebooted).I booted from a write protected floppy with vshield and scan
(the one that was new two months ago or so) and scanned again. Command
com was gone of course, as were every other .com file i had. I checked
the other partition, same there.
After deleting all .com files (mcaffery said it couldn't fix
any of them and just wiped them out), i rebooted again off disk then
copied command.com to the harddrive.
Here's the problem. Everytime i scanned it, it came out bad.
After scanning 12 times or so (scanned the one on teh disk i was copying
from. it was good), i tried copying cc to the hardrive then doing
a dir (and viewing it with norton). The file was 47k. I then thought
great, it works, and scanned it, and post-scan it was 48k and infected.
I think i finally figured out it was hooked in memory (i warm booted-
will cinderella survive this?) and when i touched anything with scan,
scan infected the file (scan itself passed the scan check with three other
scanners; not infected and writeprotected). So effectievly, scanning
my whole hard drive infected my whole harddrive. What's
up?
Actually, i was just wondering, if cindy was following in
scans tracks, why wasn't vshield picking it up? At work we always say
vshiled is worthless (it's failed to protect against stoned,
michelangelo and liberty), but i used it anyway at home (blind faith,
or, could more hurt?). It should have picked up any attempt to infect
a file. right? Does it just not work (tried three version releases of
vshield)? Or was my file getting infected another way (i turned off
the machine for an hour and no more infections during scan)? What am i
missing here?
- --
- -----------------------------------------------------------------------
Baylor Wetzel
[email protected] "There is no such thing
Biafra for president 1992 as an innocent Kennedy"
"All opinions are soley those of the unix guys playing with my account"
- -----------------------------------------------------------------------
------------------------------
Date: Tue, 11 Feb 92 23:51:55 -0500
>From:
[email protected] (John Councill)
Subject: Biological analogy
Greetings. A student here at Bard is interested in doing a senior
project about the similarities between computer viruses and the
biological kind, most notibly bacteriophage. I know that this topic
has at times been discussed here (or perhaps even beaten to death), so
I was wondering if anyone reading this knows of anything scholarly or
otherwise that has been written on the subject.
Thanks! Please post replies to the address below.
John Councill
Technical Assistant / Henderson Computer Resources Ctr / Bard College
Annandale NY / etc...
[email protected]
------------------------------
Date: 10 Feb 92 22:16:04 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Polymorphic viruses
Otto.Stolz.RZOTTO@DKNKURZ1 writes:
> If (when?) viruses will be able to operate on various hosts, we should
> coin a new term for them, perhaps something resembling the terms "cross-
> compiler" and "cross-assembler".
Maybe "multi-host" viruses? I expect them to appear pretty soon;
especially a PC/Atari ST boot sector virus seems quite trivial to
me...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Wed, 12 Feb 92 09:22:31
>From:
[email protected]
Subject: List of all viruses available?
Apologies if this has been asked before, is there a listing of the
known viruses, their names, major symptoms and possible cures? It
would help when trying to follow discussions on the list as I'm new
around here.
Many thanks
Joe Claxton
------------------------------
Date: Wed, 12 Feb 92 08:13:56 -0600
>From: James Ford <
[email protected]>
Subject: virx20.zip on risc (PC)
The file virx20.zip has been placed on risc.ua.edu for anonymous FTP in
the directory pub/ibm-antivirus. Thanks to C. Glenn Jordan for the file.
James Ford - Consultant II, Seebeck Computer Center
[email protected],
[email protected]
The University of Alabama in Tuscaloosa
- ----------------------- message follows -------------------------------
>From: C. Glenn Jordan
Subject: VIRx 2.0 is released !
Microcom and Ross Greenberg have released an update to the ongoing
VIRx series of anti-virus scanners. This version, 2.0 will detect
20 new viruses, and also disinfect (up through March 6) the MICHELANGELO
virus. Still free, mostly.
virx20.zip VIRX v2.0: Easy to use mostly free virus checker
- ------------------------- end message ---------------------------------
------------------------------
Date: Tue, 11 Feb 92 20:27:00 -0500
>From:
[email protected]
Subject: VIRX20.ZIP (PC)
Hi. Just received and made available VIRX20.ZIP. The file was sent to me
directly from C. Glenn Jordan of Microcom. As usual the file is in our
[.msdos.antivirus] directory. Following is the message from Glenn:
- ----- begin forwarded message --
Date: Tue, 11 Feb 92 14:44:01 -0500
>From: "C. Glenn Jordan -- Microcom" <
[email protected]>
Subject: VIRx 2.0 is released !
Microcom and Ross Greenberg have released an update to the ongoing
VIRx series of anti-virus scanners. This version, 2.0 will detect 20
new viruses, and also disinfect (up through March 6) the MICHELANGELO
virus. Still free, mostly.
VIRX20.ZIP VIRX v2.0: Easy to use mostly free virus checker
- ----- end forwarded message --
Thanks, Glenn!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 30]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
