VIRUS-L Digest Wednesday, 26 Feb 1992 Volume 5 : Issue 43

VIRUS-L Digest Wednesday, 26 Feb 1992 Volume 5 : Issue 43

Today's Topics:

Re: Simple IBM PC virus (PC)
Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC)
Re: V-Care Antivirus Expert System (PC)
Re: Virus on CPAV (PC)
Re: VirX 2.0 (PC)
A quick Michelangelo question (PC)
Re: Which Package is Best? (PC)
Device Drivers, Enough with the AUX awreddy (PC)
Re: F-Prot 2.02D/DOS 2.11 (PC)
Joshi information, please (PC)
Review of ViruSafe (PC)
Revision to Product Test 41, VIRx, Version 2.0 (PC)
Revised Product Test 23, Virex-PC, Version 2.1 (PC)
Revision to Product Test 12, Virucide, Version 2.37 (PC)
Revised Product Test 17, F-PROT, Version 2.02D (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 24 Feb 92 18:43:48 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Simple IBM PC virus (PC)

[email protected] writes:

> I ran into this Virus which added 2K to .EXE files (but not .COM
> files for some reason). Every time you executed the .EXE, 2K would be
> added on. The virus was also resident in memory. Oh, in the 2K
> segment would be the string "MsDos" which I used to find infected
> files, but I'm not 100% sure I got rid of it entirely. Anyone heard
> of this virus or something similar and know whether it might still be
> lurking on my hard drive somewhere?

Something "very similar" is the Jerusalem virus and its more than 94
different variants... :-) However, you probably have the main one. It
is memory resident, infects files when you are executing them, append
1805 bytes to the COM files (yeah, they -do- get infected) and 1813
(plus up to 15 bytes for padding) to the EXE files. The latter are
infected each time you execute them, since the virus does not mark
them as already infected.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 24 Feb 92 18:50:10 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC)

[email protected] writes:

> The question I have concerns what appears to me to be conflicting
> information from the two sources above. One source states that the
> Stoned virus and the Michaelangelo virus both copy the original boot
> sector information to the same location. The second source states
> that the two viruses copy the original boot sector information to two
> different locations. Am I reading this wrong? Which one is correct?
> Could they both be right because they may be writing about two
> different versions of the Stoned virus? Thank you for any insight
> into my confusion. ---Randy

Michelangelo and Stoned put the original boot sector at one and the
same place on hard disks and on 360 Kb floppies. They put it on a
different place on high-capacity floppies.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 24 Feb 92 19:08:10 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: V-Care Antivirus Expert System (PC)

[email protected] (Chuck Eater) writes:

> Does anyone have any experience/comments concerning the subject
> antivirus software which is produced by NetZ Computing Ltd., Israel,
> and marketed in the US by Sela Consultants Corporation? The product
> claims to be a generic virus detector/disinfector. I have not been

While I have not seen the product, I bet that is cannot disinfect "all
future viruses", or even all the existing ones for that matter.
However, there -is- a generic disinfector, which can remove all
possible viruses, if it is applied before the infection takes place.
It is shiped with every DOS disk. It is called BACKUP. :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 24 Feb 92 19:14:51 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Virus on CPAV (PC)

[email protected] writes:

> I was told that F-Prot was finding Flip on two files of CPAV. F-Prot
> said it could not remove the virus, question who is right CPAV does
> not find Flip on itself, but, F-Prot does... Should one believe
> F-Prot over CPAV???

Ken, I got the impression that this is a FAQ too...

[Moderator's note: Added to the FAQ file, thanks!]

CPAV does not encrypt the scan strings is uses. Therefore, and program
that scans for scan strings and uses the same scan strings as CPAV,
will flag it as infected.

In general: Every virus scanning program -MUST- encrypt the scan
strings it uses. Furthermore, good anti-virus programs (like F-Prot)
do not rely on just finding a signature somewhere in the file, but
also require it to be at a specific place, otherwise they refuse to
try to remove the virus. The even better anti-virus programs (like Dr.
Solomon's Anti-Virus ToolKit) even perform a checksum on the
non-variable parts of the virus, and refuse to remove the virus, if it
is not identified exactly.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 24 Feb 92 19:19:48 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: VirX 2.0 (PC)

[email protected] (Jun Guo) writes:

> I downloaded virx20.zip. The $toc file didn't match the zip file.
> Size, time stamp, CRC are all ok, but the compressed size are
> different. Apparently the zip file was repacked using a different
> zipper than the one generated $toc. Can someone upload an original

Right, according to the text in the $TOC file, the original has been
created with PKZIP 1.01 (Ross, aren't you going to update your
archiver?). Probably someone re-packaged it with PKZIP 1.10, since
version 1.01 is buggy and sometimes causes CRC errors to appear in the
archives.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 24 Feb 92 14:22:08 -0400
>From: LARRY MATEO <HSVLM%[email protected]>
Subject: A quick Michelangelo question (PC)

>From information I've read about the Michelangelo virus, it seems that
the virus can be spread from an infected floppy diskette to a hard
drive only by attempting to boot from the floppy. A recent article in
a local newspaper sta ted that the virus can be spread from a floppy
diskette to a hard drive simply by doing a DOS dir of the floppy disk.
I think this is an incorrect statement.
Can someone substantiate it for me?

Thanks again for all the help.

------------------------------

Date: 24 Feb 92 19:27:23 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Which Package is Best? (PC)

[email protected] (Wolfgang Stiller) writes:

> Considering the rapid appearance and spread of new viruses scanning is
> becoming increasingly dangerous to depend upon. Yet, this is the core
> technology that the leading anti-virals depend upon for their
> effectiveness.

In fact, there is one reason that even a good checksumming program
needs a pretty up-to-date scanner. How else are you going to make sure
that the system you are installing the checksums on is virus-free?
(OK, I know that you know that; it was aimed mainly at the other
readers.)

> >If you decide to consider checksumming products, probably the
> >Untouchable is the currently most secure one. However, have in mind
> >that its other capabilities (scanning and disinfection) are quite
> >miserable... And, at last, if you want a shareware checksummer (which
> >is not as secure as the commercial one, however), take a look at the
> >Integrity Master.

> Thank you for mentioning my product but I am appalled that you
> consider Integrity Master(tm) less secure than Untouchable. If you

I got this impression the last time I dicussed this with you. I'll
send you a more specific question about the security in private mail.

> come to this conclusion based on anufacturer's claims or perhaps the
> tremendous price difference in our two products, I can understand

No. It was based on the fact that (sometimes in the past) I asked you
whether it is able to detect a particular kind of attack. As far as I
recall, you answered that you have not been aware of the possibility
of this attack. My apologies if it wasn't you :-) or if you have fixed
the problem.

> customers who use both this product and Integrity Master. They report
> that Integrity Master is more thorough and faster than Untouchable.

I never objected speed. I objected security.

> It apparently detects more known viruses with its scanner component

Yeah, I clearly mentioned that the Untouchable's scanner has a
miserable detection rate. Something around 50 %. And nowdays anything
that has a detection rate below 90 % is considered not worth to use.

> master more secure. If this involves sensitive information feel free
> to continue this via private mail. BTW, the latest version of

Will do.

> Integrity Master is 1.11. It should be at most distribution points
> shortly if it's not there already.

The latest thing I have seen is definitively older. 1.02b or something
like that. Hope the security problem has been already fixed. Otherwise
I agree that your integrity checker is one of the best available - as
Frisk's F-Prot is one of the best scanner/removers...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Mon, 24 Feb 92 14:42:44 -0500
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Device Drivers, Enough with the AUX awreddy (PC)

[Moderator's note: This is a re-posting of Padgett's earlier posting.]

>From: [email protected]
>Subject: auxfiles (PC)

Ok folks, this has gone far enough to be confusing so lets sort it out
once and for all. MS-DOS provides the capability for device drivers to
intercept character based transfers to themselves as if they were
files. One of the effects of this is the ability to "pipe" the output
from various sources. For example "dir >dir.lst" will redirect the
output from a directory listing to a file called "dir.lst". In the
same way "dir >prn" will redirect the output to the printer. Most can
also be used bi-directionally as the classic "copy con autoexec.bat"
demonstrates.

In DOS there are many such character devices that can look to DOS like
files: CON, PRN, AUX, CLOCK$, LPT1, LPT2, NUL, COM1 et al (installed
as part of IO.SYS). Memory managers often are installed in the same
way e.g. SMARTAAR & EMMXXXX0. Additionally, at least one anti-viral
product (Enigma-Logic's Virus-Safe - also one of the few that can be
installed from CONFIG.SYS) uses this to return validation that it is
installed ("type swvsvers" will return the logo if installed, fail if
not).

The "DIR" command supplied with DOS is smart enough to be able to
separate a real file from a device driver but many other programs are
not - note that the intercept only occurs if the explicit name is used
- - CON or CLOCK$ will work, C* will not. This happens because the
device driver is doing the interception, not DOS, and it only reacts
to an explicit name, not wild cards.

Consequently, those programs that follow DOS rules or use the DOS
"dir" mechanism (DDIR - Double Dir is one) will not pick up device
drivers. Those that do not (e.g. SDIR - Sorted Dir) will display the
driver. Evidently, Norton's FF is one of this, as will probably be
any program which does not look for attribute bits.

Since these programs simply use DOS rules to change directory and then
look for the file, AUX, CON, or NUL for that matter will be found in
every directory and will probably report the current time and date.

Hopefully, this will answer the question.

Warmly,

Padgett

------------------------------

Date: 24 Feb 92 20:08:56 +0000
>From: [email protected] (Sigurd Andersen)
Subject: Re: F-Prot 2.02D/DOS 2.11 (PC)

[email protected] (Lynne Meeks) writes:
: We're having some trouble getting F-Prot (2.02D) to run successfully
: with AT&T DOS 2.11 ...
:
: What happens is we run F-Prot and get the message:
: '*.TX0 not found'
: then we get the DOS prompt
:
: The English.TX0 file IS there; the same F-prot disk works fine on
: the same machine with 3.2 or 3.3 DOS.
: ...
: Anyone else with old DOS experiencing this? ...

I had similar problems last week trying to run F-Prot 2.02D on an
old Zenith MS-DOS computer. I think it, too, was running DOS 2.11.

I first tried unsuccessfully to boot from a diskette with DOS 5.0
on it. I formatted a diskette (/S) using the DOS on the hard disk,
went to another machine, tested for infection and found none (two
other PCs in that office had been infected with Stoned), then
transferred F-Prot to the just-formatted diskette. It booted OK,
but when I attempted to run F-Prot, I got the same message as above,
"*.TX0 not found".

I have not had a chance yet to try an intermediate version of DOS.

- --
Sigurd Andersen Internet: [email protected] CNS User Services
Bitnet: ACS20833@UDELVM 115 Newark Hall
Phone: (302) 831-1992 Univ. of Delaware
fax: (302) 831-4205 Newark, DE 19716

------------------------------

Date: Mon, 24 Feb 92 15:09:57 -0600
>From: [email protected]
Subject: Joshi information, please (PC)

Greetings!

I've just been infected by my first virus, it turns out to be Joshi.
It seems to only infect 3.5" diskettes, I used F-prot 2.02 and the
newest version of Scanv86 to detect it. F-prot described Joshi as the
SBC virus, anyone know what that is? My question to everyone is what
does Joshi do? I would even appreciate an FTP site which contains
virus documention. My second question is how do I remove this virus?
F-prot said it could not remove the virus, but I did rename the file.
I cannot use my cleanv85 because the floppy turned out to be an
infected. Help please!

roberto alvarez
university of north dakota

------------------------------

Date: Sat, 25 Jan 92 00:31:05 -0800
>From: [email protected] (Rob Slade)
Subject: Review of ViruSafe (PC)

[Moderator's note: I'm finally trying to get through a big backlog of
product reviews. This review and the others in this digest are
available by anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in the
pub/virus-l/docs/reviews/pc directory. Please refer to the archive
for up to date reviews.]

PCVIRSAF.RVW 920124
Comparison Review

Company and product:

EliaShim Microcomputers
520 W. Hwy. 436, #1180-30
Altamonte Springs, Florida
USA
407-682-1587
fax: 407-869-1409
VirusSafe 4.01LAN

Summary:

TSR and manual scanner, change detection, operation restriction,
utilities

Cost

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
Installation 2
Ease of use 3
Help systems 1
Compatibility 1
Company
Stability 2
Support ?
Documentation 2
Hardware required 2
Performance 2
Availability ?
Local Support ?

General Description:

Menu or command line driven resident and non-resident scanner and change
detection software. Operation restricting features remain untested.

Comparison of features and specifications

User Friendliness

Installation

The program is shipped on one write protected 5 1/4" disk. The program
can be run off the disk, or installed on the hard disk through an
installation program.

Ease of use

The menu interface is generally straightforward and simple. There are
some exceptions; in particular the list of viri that can be dealt with.
The screen format, and cursor movement keys, of the list and the
resulting information do not match. However, it is helpful to have this
feature onscreen.

Help systems

Limited.

Compatibility

Additional virus signatures can be added in an external text file. The
format for the signatures is given in the READ.ME text on disk, and is
not difficult to figure out. However, the format is not compatible with
the fairly widely used IBM VIRSCAN format. Also, a maximum of 64
signatures can be added in this way.

Program testing on machines fitting the hardware requirements
occasionally failed.

Company Stability

Unknown.

Company Support

Unknown. The package, as received from the manufacturer, was somewhat
mislabelled as to the contents and version of the program.

Documentation

The documentation is quite brief. The first page basically states that
the program can be run without reading the documentation, and the
remainder, while clear, is quite terse and seems to be designed for the
more advanced user. Much of the documentation is a description of how
the menuing system and command line switches work. No specifics are
given as to how functions (such as "revealing the presence of" unknown
viral programs in memory) are accomplished.

A very helpful feature is a "latest information" button on the menu
interface which presents the disk READ.ME file. Thus the latest program
info, helpful hints and the hardcopy errata can be browsed onscreen.

Hardware Requirements

At least two disk drives, one of which must be a floppy, 512K memory and
DOS 3.0 or higher.

Performance

It is gratifying to note the importance that EliaShim gives to boot
sector viri. The package contains provisions to save and restore the
boot sector and partition records for the hard disk.

Testing of this program was very problematic. The program would not run
properly on the primary testing machine (a NEC Multispeed). The system
locked up, repeatedly on most attempts to invoke any of the programs in
the package, including the installation and menuing program.

Testing of the programs is not as complete as I would prefer. However,
it can be said that the claims made for this package exceed performance.
The package is able to detect known viral programs, and can deal with
most effectively. Performance with viral programs not known to the
authors/program indicates that these viri are able to bypass
protections.

Local Support

Not provided.

Support Requirements

Users at any level should be able to run the program without assistance.

General Notes

The package has a multilayered approach to virus detection and
prevention. It should be suitable for most users in situations of
normal risk. While the package would effectively deal with the bulk of
infections one would normally encounter, some of its claims would appear
to be overrated. Nevertheless, its use would significantly reduce risk
of infection.

copyright Robert M. Slade, 1992 PCVIRSAF.RVW 920124
==============
Vancouver [email protected] | "A ship in a harbour
Institute for [email protected] | is safe, but that is
Research into CyberStore Dpac 85301030 | not what ships are
User [email protected] | built for."
Security Canada V7K 2G6 | John Parks

------------------------------

Date: Tue, 18 Feb 92 11:41:30 -0700
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to Product Test 41, VIRx, Version 2.0 (PC)

*******************************************************************************
PT-41
July 1991
Revised February 1992
*******************************************************************************

1. Product Description: VIRx is a copyrighted program written by Ross M.
Greenberg to detect computer viruses and malicious programs. VIRx is the
detection portion (VPCScan) of the commercial protection program Virex-PC
(reference PT-23, revised February 1992). This product test addresses version
2.0, 7 February 1992.

2. Product Acquisition: The program is freely distributed by Microcom
Systems, Inc., with special instructions for business and corporate users.
These users have only a 30 day license for product evaluation, after which they
must contact Microcom for site license authorization. THIS MAJOR LICENSING
CHANGE OCCURRED AT VERSON 1.9. Microcom has made VIRx available on many
bulletin boards and software repositories, to include the MS-DOS repository on
simtel20 [192.88.110.20]. The current path on simtel20 is pd1:<msdos.trojan-
pro>virx20.zip.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or [email protected].

[Moderator's note: Available in its entirety via anonymous FTP on
cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.]

------------------------------

Date: Wed, 19 Feb 92 08:25:53 -0700
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revised Product Test 23, Virex-PC, Version 2.1 (PC)

*******************************************************************************
PT-23
March 1991
Revised February 1992
*******************************************************************************

1. Product Description: Virex-PC is a software package to detect, disinfect
and prevent computer viruses and malicious programs for the MS-DOS environment.
This product test addresses version 2.1.

2. Product Acquisition: Virex-PC is available from Microcom Software
Division, P.O. Box 51489, Durham, NC 27717. The telephone number is 919-490-
1277. The price is $99.00. Site licenses are available. There are several
third party vendors who sell single copies at a significantly reduced cost.
Registered users receive discounts on product upgrades.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or [email protected].

[Moderator's note: Available in its entirety via anonymous FTP on
cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.]

------------------------------

Date: Tue, 18 Feb 92 12:29:19 -0700
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to Product Test 12, Virucide, Version 2.37 (PC)

*******************************************************************************
PT-12
June 1990
Revised February 1992
*******************************************************************************

1. Product Description: VIRUCIDE is a commercial anti-virus program to detect
and to repair known computer viruses for the MS-DOS computer environment. The
report addresses version 2.37, released 29 January 1992.

2. Product Acquisition: The product is available from Parsons Technology, Inc.
The address is Parsons Technology, Inc., One Parsons Drive, Hiawatha, IA 52233.
The company has a toll free number for orders, 1-800-223-6925. The cost of a
single copy, as of 28 October 1991, was $49.00. Each of five program upgrades
has been $15.00 which includes shipping and handling.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or [email protected].

[Moderator's note: Available in its entirety via anonymous FTP on
cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.]

------------------------------

Date: Thu, 20 Feb 92 10:26:56 -0700
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revised Product Test 17, F-PROT, Version 2.02D (PC)

*******************************************************************************
PT-17
August 1990
Revised February 1992
*******************************************************************************

1. Product Description: F-PROT is a program designed to provide malicious
program detection, disinfection, and protection. This product test addresses
version 2.02D, 7 February 1992.

2. Product Acquisition: F-PROT is a shareware program distributed by
Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted
F-PROT on a number of Internet sites. The program is on the USAISC-White Sands
host simtel20. With version 1.14 the program became free if a user utilizes it
on a single personally-owned computer. There is a registration fee for
commercial and government users. Site licenses are available as well as
discounts for multiple copy registrations. The path on simtel20 [192.88.110.
20] for anonymous ftp downloading is: pd1:<msdos.trojan-pro>.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or [email protected].

[Moderator's note: Available in its entirety via anonymous FTP on
cert.sei.cmu.edu (192.88.209.5) in pub/virus-l/docs/reviews/pc.]

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 43]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253