VIRUS-L Digest   Wednesday, 26 Feb 1992    Volume 5 : Issue 44

Today's Topics:

Norton AntiVirus Michelangelo Edition (PC)
Another Michelangelo question... (PC)
Help Needed to Recover from the Stoned Virus (PC)
Information on FORM and Azusa sought (PC)
On reformatting floppies to remove infections (PC)
Re: Cinderella virus/ does VSHIELD work? (PC)
IBM PC Virus or Set Up Problem? (PC)
re: Surviving warm reboot (PC)
Michelangelo and 3.5" diskettes (PC)
DOS 5 FDISK /MBR (PC)
Re: F-prot and non-executable files (PC)
Re: Will re-formatting a floppy remove ALL vires (PC)
Re: WP.EXE appended to, up front (PC)
Bootable floppies and FixFBR (PC)
MBDF Suspects Arrested (Mac)
Alleged MBDF virus-creators arrested at Cornell (Mac)
book recommendation????

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 24 Feb 92 16:24:44 -0500
From:    James Williams <[email protected]>
Subject: Norton AntiVirus Michelangelo Edition (PC)

While I think that the Norton AntiVirus Michelangelo Edition is smart
business by Symantec, I thought the program was shoddy at best.  Why
does this program scan all exe and com files when Michelangelo is a
boot sector infector?

--------------------------------------------
| James Williams                           |
| Bitnet: JWW%ESS%[email protected]    |
| Internet: [email protected] |
| CompuServ: 70304,2462                    |
--------------------------------------------

------------------------------

Date:    24 Feb 92 18:25:30 -0400
From:    LARRY MATEO <HSVLM%[email protected]>
Subject: Another Michelangelo question... (PC)

Actually, this is a question about viruses that infect the boot sector
of a hard drive. If I boot a Novell network (version 2.x, 3.x) from an
infected disk, can the boot sector on the server become infected? If
so, what happens when the server is brought up? Does the virus get
loaded into memory where it CANNOT infect floppies, or what?

Thanks again.

------------------------------

Date:    25 Feb 92 00:52:44 +0000
From:    [email protected] (Jim M Paugh)
Subject: Help Needed to Recover from the Stoned Virus (PC)

I am attempting to help a friend, whose PC286 w/DOS 4.01 was struck by
the Stoned virus.  The system has a 40m IDE HD, which was the boot
disk.  After the virus struck, the HD was totally inaccessible.
Attempts to access the HD (after booting from a floppy) result in an
"invalid drive specification" message.  At this point, I have given up
recovery, and am attempting to reformat and reinstall the hard drive.

When I use the DOS 4.01 installation disks (from Leading Technology,
the manufacturer of the PC) I get an error message about half way
through, stating "an unrecoverable error has occurred, enter F3 to
exit", then the installation procedure aborts.  I'm not exactly sure
what the installation is doing when it reports this error, but I
believe it occurs when it attempts to format the HD.

I then attempted to partition and format the HD myself.  The
partitioning was successful (using fdisk), but then when I attempted to
format the HD, with the following:
A> format c: /s
I get the message:
"invalid drive specification"

I then ran the ROM diagnostics and was able to format the HD from
there, as well as successfully run some read/write verify tests.  But
I still get the same results mentioned above, when trying to install
DOS 4.01 or format the HD.

I heard something about problems with IDE drives, requiring a low
level format to recover from viral damage, something that has to be
done by the manufacturer of the drive, or at least something that is
difficult to do.  Does anyone know anything about this, or have some
information on low level formats for IDE drives??  Perhaps there is
just an oversight on my part as far as installing DOS on a HD, but
when I originally installed this HD new, I just used the 4.01
installation disks, and they did everything for me, no problems.

As for the Stoned virus, we are pretty sure it was contracted from the
computers in the computer lab at Golden West Junior College.  A
diskette was used in the computers in the lab, and
then brought home to the PC in question.  My friend is taking a class
on DOS to learn about her new computer and how to use it, and is
learning the HARD WAY :( When the virus struck, it left the following
message on the monitor:
         "you are stoned"

Any help will be greatly appreciated, as the PC is now dead in the
water, and my friend's paranoia of computers is now ten fold :-(

------------------------------

Date:    Tue, 25 Feb 92 12:44:56 +0100
From:    enda purcell <[email protected]>
Subject: Information on FORM and Azusa sought (PC)

Could somebody out there tell me what the following viruses do?
             1) FORM
             2) AZUSA
Is Azusa the bastard son of the combination of FORM and STONED?

Our computer system has recently been attacked by the above three.
Help greatly appreciated!!!!

                        Enda Purcell..

------------------------------

Date:    Tue, 25 Feb 92 12:02:21 -0500
From:    James_Williams%ESS%[email protected]
Subject: On reformatting floppies to remove infections (PC)

I have seen a couple of postings recently recommending using an
electromagnet to erase infected floppies.  Wouldn't running Norton's
WIPEDISK from a clean PC work just as well?

--------------------------------------------
| James Williams                           |
| Bitnet: JWW%ESS%[email protected]    |
| Internet: [email protected] |
| CompuServ: 70304,2462                    |
--------------------------------------------

------------------------------

Date:    Tue, 25 Feb 92 17:38:05 +0000
From:    [email protected] (Jason Mathews - 514)
Subject: Re: Cinderella virus/ does VSHIELD work? (PC)

[email protected] (Tapio Keihänen) writes:

>>      I have recently had a very bad run in with Cinderella, losing
>>about 200 files. I think i found my problem after a while, but i'm
>>still a bit paranoid.
>
>Interesting... This virus was found here in Finland on September 1st
>1991 and this is the very first time I've heard it has spread
>outside Finland. On the other hand, this virus is becoming more and
>more common here in Finland - during past few weeks I've received
>reports only of it and Michelangelo.
>
>F-Prot from Fridrik Skulason removes Cinderella just OK. BTW, did you
>see a file named CINDEREL.LA anywhere? Cinderella should create such a
>file after a certain number of keys have been pressed.

       I've examined the Cinderella virus, but I couldn't make it
do this.  What are the contents of this file, if any?  Is there
a more clearly defined triggering description to do this?

>If you have Cinderella resident in memory, it'll infect files when you
>execute or open them. Cinderella has a kind of bug in it which causes
>it to infect files with 'wrong' extensions. The author of the virus
>has probably tried to make it infect .COM files only, but it will
>infect also files with .DOC and .CO extensions as well as some other
>extensions too. Of course, virus can't spread via those non-executable
>files.

       I've tried this and it will infect any file opened with the *.CO?
file pattern; e.g. TEST.COM, TEST.CO, TEST.CO_, etc.
However, I could not infect any .DOC or any other such files.  Can anyone
confirm or deny this?  Can Cinderella infect files other than with a CO?
extension?

       There seems to be a problem with SCAN V85 and SCAN V86B because it
cannot detect Cinderella in memory, even with the "/M /CHKHI" options.
If you run SCAN while Cinderella is resident then every file that is
scanned will become infected.  McAfee's SCAN program, however, does detect
it in every infected file, but it should find it in memory.  Norton
Anti-Virus detects Cindy at memory location 0024:000D. CLEAN cannot
safely remove the virus from the infected files, but it offers to delete
them.  F-PROT V2.01D is able to detect and disinfect all infected files
successfully.

Jason

------------------------------

Date:    Tue, 25 Feb 92 15:15:51 -0500
From:    [email protected] (Marc D Sayre)
Subject: IBM PC Virus or Set Up Problem? (PC)

Does anyone know of a virus that would cause the following type of
problems?

The machine is a Zeos 386 SX portable with a 40 MB hard drive and
single floppy drive, 3.5 inch, 1.44 MB.

If the system is booted from the hard drive any application or DOS
command that tries to access the floppy disk returns sector read
errors. After further investigation I found that the applications and
DOS think the drive is a 5.25 inch, 360K drive.

If the system is booted off of a DOS disk in the floppy drive
the applications have no problem reading or writing to the drive.
Further investigation now shows that the application thinks the
drive is a 3.5" 1.44 MB.

I have gone into the CMOS set up and the configuration settings
are for one 3.5inch 1.44MB drive. It seems that something is resident
on the hard drive or in the boot memory which is corrupting the CMOS
configuration. I have seen this problem on several other PC's I
frequently use so I believe it is some sort of virus. It is not
the disks, I have tried an assortment of disks and they all are either
readable on the machine or not.

I have run the latest version of SCAN V8.5? virus checker and found
nothing. Does this sound like a known virus? Does anyone have some
other virus checkers/cleaners I can run to verify this is or
is not a virus?

HELP ANYONE???

       Marc Sayre
       AT&T Network Systems
       att!ihlpb!mds1

------------------------------

Date:    25 Feb 92 15:30:28 -0500
From:    "David.M.Chess" <[email protected]>
Subject: re: Surviving warm reboot (PC)

>From:    [email protected] (Vesselin Bontchev)
>
>Sorry to disagree, Dave, but this is a pet peeve of mine, so I
>couldn't resist. :-)
>
>In short, no virus is able to survive the Alt-Ctrl-Del IN GENERAL.

An interesting argument (we can take it offline if you like; I'd claim
that there are viruses that can do it in virtually any configuration),
BUT not of interest to end users.  As far as the user is concerned
(and that includes even us expert-types when we're actually using
machines!) if there are -some- viruses that can -sometimes- survive a
three-key reboot, it's safest to assume that any virus might, and to
always do a poweroff reboot if it's important to have the machine in a
clean state.  It's just too easy to make a mistake otherwise!  So, to
present an alternative to your statement:

 In short, since some viruses ARE able to survive the Ctrl-Alt-Del
 sometimes, it's best to always poweroff reboot when it's important
 to have a clean boot.

DC

------------------------------

Date:    25 Feb 92 15:34:58 -0500
From:    "David.M.Chess" <[email protected]>
Subject: Michelangelo and 3.5" diskettes (PC)

There have been a few posts talking about the Michelangelo and 3.5"
diskettes.  We just did some tests, and here are the findings:

 - Because of some assumptions it makes about media types,
   it will generally not even try to infect a 720K 3.5"
   diskette (because it will try to save the original
   boot record to a sector 15, which will fail, and it
   will give up on infecting altogether).  (It's possible
   to produce a 3.5" 720K diskette that the virus *will*
   infect, but they are unlikely to exist in the real world,
   as the BPB has to lie about the disk format.)

 - It will successfully infect a 1.4M 3.5" diskette, in the
   sense that it will put itself into the boot record, and
   stash away the original boot record, BUT such diskettes
   often cannot be read by DOS (because the virus doesn't
   preserve the BPB area).   Trying to read such a diskette
   will often produce critical "Abort, Retry, Ignore" style
   messages (depending on your exact configuration, DOS
   version, and what drivers are running the drive in
   question).   Trying to boot from such a diskette WILL
   cause the hard drive to become infected, but the boot
   will often fail (presumably because DOS can't read
   COMMAND.COM off the diskette).

So in general I wouldn't expect to see 720K 3.5" diskettes getting
infected, and I wouldn't expect an infected 1.4M 3.5" to go unnoticed
long in many environments.  (On the other hand, they CAN infect hard
disks, and there may be DOS versions that have no trouble reading
them, so people with 3.5" A: drives should -not- assume they don't
have to worry!).

DC

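The media-type assumptions described in this post, as an added example that is not part of the original message or of any IBM test code: the Python script below (written for this digest) parses the BIOS Parameter Block of a 512-byte 3.5" boot sector, matches it against the standard DOS 720K and 1.44M geometries, and flags a sector whose BPB area has been overwritten, which is the "DOS can't read it" condition described above. The sample sectors are constructed here; the BPB field offsets and the 720K/1.44M parameter values are the documented DOS ones. The small track-0 check illustrates why an attempt to write sector 15 cannot succeed on a 9-sector-per-track 720K diskette but can on an 18-sector 1.44M one.

```python
"""Sanity-check a 3.5" floppy boot sector's BPB against known DOS geometries.

Added example; the sample sectors are constructed, not read from real media.
"""
import struct

# Standard DOS BIOS Parameter Block values for the two formats in the post:
# media descriptor, total sectors, sectors per track, heads.
KNOWN_GEOMETRIES = {
    "720K":  {"media": 0xF9, "total_sectors": 1440, "spt": 9,  "heads": 2},
    "1.44M": {"media": 0xF0, "total_sectors": 2880, "spt": 18, "heads": 2},
}

BPB_OFFSET = 11             # BPB starts right after the 3-byte jump
BPB_FORMAT = "<HBHBHHBHHH"  # bytes/sector .. heads, little-endian (17 bytes)


def parse_bpb(sector):
    """Return the BPB fields of a 512-byte boot sector as a dict."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    fields = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_count", "root_entries", "total_sectors", "media",
             "sectors_per_fat", "spt", "heads")
    return dict(zip(names, fields))


def check_boot_sector(sector):
    """Classify the sector's media type and list anything inconsistent."""
    bpb = parse_bpb(sector)
    problems = []
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    if bpb["bytes_per_sector"] != 512:
        problems.append("bytes per sector is %d, not 512" % bpb["bytes_per_sector"])
    if bpb["fat_count"] not in (1, 2):
        problems.append("FAT count %d is implausible" % bpb["fat_count"])
    matched = None
    for name, geo in KNOWN_GEOMETRIES.items():
        if (bpb["media"] == geo["media"] and bpb["total_sectors"] == geo["total_sectors"]
                and bpb["spt"] == geo["spt"] and bpb["heads"] == geo["heads"]):
            matched = name
    if matched is None:
        problems.append("BPB geometry matches no known 3.5\" format")
    return {"format": matched, "problems": problems, "bpb": bpb}


def track0_has_sector(sectors_per_track, sector_number):
    """True if a 1-based sector number exists on a track of this geometry."""
    return 1 <= sector_number <= sectors_per_track


def make_boot_sector(name):
    """Build a constructed, minimal boot sector for one of the known formats."""
    geo = KNOWN_GEOMETRIES[name]
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"      # short jump over the BPB, as DOS does
    sector[3:11] = b"EXAMPLE "         # OEM name (constructed)
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512, 2, 1, 2, 112 if name == "720K" else 224,
                     geo["total_sectors"], geo["media"],
                     3 if name == "720K" else 9, geo["spt"], geo["heads"])
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


CLEAN_144 = make_boot_sector("1.44M")
CLEAN_720 = make_boot_sector("720K")

# Constructed "BPB not preserved" case: the first 64 bytes are replaced by
# filler standing in for boot code that overwrote the parameter block.
DAMAGED_144 = bytes([0x90] * 64) + CLEAN_144[64:]

if __name__ == "__main__":
    for label, sec in (("clean 1.44M", CLEAN_144), ("clean 720K", CLEAN_720),
                       ("damaged 1.44M", DAMAGED_144)):
        result = check_boot_sector(sec)
        print(label, "->", result["format"], result["problems"])
    print("sector 15 exists on a 720K track:", track0_has_sector(9, 15))
    print("sector 15 exists on a 1.44M track:", track0_has_sector(18, 15))
```

In practice the sector to check is read with a raw sector read or a disk editor from a machine booted clean; the constructed "damaged" sector only stands in for the case where boot code overwrote the parameter block.
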
------------------------------

Date:    25 Feb 92 15:54:11 -0500
From:    [email protected]
Subject: DOS 5 FDISK /MBR (PC)

I've seen comments that FDISK /MBR can clean up any master boot record
infector. For the record, this is not strictly true.

- The Joshi virus (and other viruses, I'm sure :)) infects a second
physical hard drive if it is present.  FDISK /MBR will only clean up the
first physical hard drive.  Some of the other undocumented FDISK options
take a drive number as a (undocumented) parameter, but FDISK /MBR
ignores this drive number parameter.  Since the system does not load and
run the master boot record of the second hard drive, an incomplete
cleanup using FDISK /MBR won't generally cause problems, but it could be
a problem if the second hard drive becomes the first hard drive for some
reason, for example if the drive cables were swapped, or the second hard
drive moved to another machine, etc.

- FDISK /MBR will replace the code in the master boot record with the
code in a DOS 5 master boot record.  This new master boot record will
work on most systems, but (as A. Padgett Peterson has noted
periodically) security or anti-virus software that replaces the master
boot record may be adversely affected if the master boot record is
replaced with generic master boot record code.  This problem may be why
FDISK /MBR isn't documented.  Padgett's suggestion to use DOS 5 to check
for the presence of security software is a very good idea.  Here's a
reasonable procedure.  Please remember that it uses an *unsupported*,
*undocumented* option, and don't use this procedure if you are using
security software (or any other software (except for a virus :))
that replaces the master boot record.  The procedure calls for PC-DOS 5,
but MS-DOS 5 should work as well.

o Power off the infected machine.
o Put the uninfected, write-protected PC-DOS 5 install diskette
 (diskette 1) into the A: drive.
o Power on the machine.
o When the machine has finished booting, press F3.
o Press Y to get a DOS command prompt.
o If the PC-DOS 5 install diskettes are 5.25 inch diskettes (i.e. they
 are not 3.5 inch diskettes), then
 a. Remove the PC-DOS 5 install diskette (diskette 1)
 b. Insert the PC-DOS 5 diskette 2.
o Type
    DIR C:
 If the directory of the C: drive is *not* displayed, then
 *DO NOT* continue to the next step! Use another disinfection
 procedure.
o Type
    FDISK /MBR
o Remove the diskette in the A: drive, and reboot the machine.
o Carefully scan the disk for viruses again.

Bill Arnold

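The two limitations listed above (only the first physical drive is touched, and the code area is replaced wholesale while the partition table is kept) suggest an audit that is run before and after any cleanup. As an added example that is not part of the original post, the Python below compares the master boot record of every physical drive image against a hash of the boot code recorded when the machine was known clean, checks the 0x55AA signature and the partition table's boot flags, and shows a code-area-only rewrite that leaves the partition table intact. The drive images and the stand-in "known good" code are constructed here; on a real machine the 512-byte records would be read from sector 0 of each physical drive after a clean boot.

```python
"""Audit the master boot record of every physical drive, not just the first.

Added example: reference code and drive images are constructed here.
"""
import hashlib
import struct

MBR_CODE = slice(0, 446)       # boot code area, the part FDISK /MBR rewrites
MBR_TABLE = slice(446, 510)    # four 16-byte partition entries, left alone
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sectors


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (CHS fields are not decoded)."""
    entries = []
    for i in range(4):
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, 446 + 16 * i)
        entries.append({"boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def audit_mbr(mbr, reference_code_sha256):
    """Compare one drive's MBR against a known-good code hash and sanity rules."""
    if len(mbr) != 512:
        return ["MBR is not 512 bytes"]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr[MBR_CODE]).hexdigest() != reference_code_sha256:
        findings.append("boot code differs from the recorded known-good copy")
    flags = [e["boot"] for e in parse_partition_table(mbr)]
    if any(f not in (0x00, 0x80) for f in flags):
        findings.append("partition entry has an invalid boot flag")
    if flags.count(0x80) > 1:
        findings.append("more than one partition marked active")
    return findings


def audit_all_drives(drive_images, reference_code_sha256):
    """Run audit_mbr over every physical drive, keyed by drive number."""
    return {n: audit_mbr(img, reference_code_sha256)
            for n, img in enumerate(drive_images)}


def rewrite_code_area(mbr, reference_code):
    """Replace only the code area, keeping partition table and signature
    (the effect the post attributes to FDISK /MBR on the first drive)."""
    return bytes(reference_code[:446]) + mbr[446:]


def make_mbr(code):
    """Construct a 512-byte MBR with one primary partition (constructed data)."""
    mbr = bytearray(512)
    mbr[MBR_CODE] = code.ljust(446, b"\x00")[:446]
    # One constructed FAT16 (type 0x06) active primary partition starting at LBA 63.
    struct.pack_into(ENTRY_FORMAT, mbr, 446, 0x80, b"\x01\x01\x00", 0x06,
                     b"\xFE\x3F\x27", 63, 81837)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed stand-in for the known-good boot code (not real x86 code) and its hash,
# which a site would record while the machine is known to be clean.
GOOD_CODE = b"GOOD-MBR-CODE-STANDIN".ljust(446, b"\x00")
GOOD_CODE_SHA256 = hashlib.sha256(GOOD_CODE).hexdigest()

DRIVE0 = make_mbr(GOOD_CODE)                                   # first drive, clean
DRIVE1 = make_mbr(b"ALTERED-CODE-STANDIN".ljust(446, b"\x00"))  # second drive, code area changed

if __name__ == "__main__":
    for drive, findings in audit_all_drives([DRIVE0, DRIVE1], GOOD_CODE_SHA256).items():
        print("physical drive %d:" % drive, findings or "ok")
    restored = rewrite_code_area(DRIVE1, GOOD_CODE)
    print("after code-area rewrite:", audit_mbr(restored, GOOD_CODE_SHA256) or "ok")
    print("partition table unchanged:",
          parse_partition_table(DRIVE1) == parse_partition_table(restored))
```

The audit deliberately keys its report by physical drive number so that a second drive with a differing code area is visible even though, as the post notes, its master boot record is never executed while it stays the second drive; a site that runs security software with its own MBR code would record that code's hash as the reference rather than the DOS one.
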
------------------------------

Date:    Tue, 25 Feb 92 22:22:28 +0000
From:    [email protected] (Tom VanVleck)
Subject: Re: F-prot and non-executable files (PC)

I disagree.  Viruses can live and propagate in text or non-executable
files.  (I hasten to add that no interesting examples exist.. yet.)

Every file is used as instructions to some program to do something.
.COM and .EXE files instruct COMMAND.COM to create a core image and
transfer control into them. "text" files instruct TYPE etc to produce
characters on the screen. Every file is interpreted by some interpreter.

If the interpreter can be instructed to write files, you can write a
virus in its language; the HyperCard virus on the Mac is an example.

A second, more interesting case arises if the interpreter has any
escape that allows data to be passed to some other interpreter.  This
includes the case of bugs or errors in the interpreter.  The sendmail
bug exploited by the Internet Worm is of this class. So are the
various function key reprogramming trojans.

Mac and PC applications that read structured data files can be tricked
into executing a trojan horse by an ill-formed input file.  Given
garbage input, word processors, picture displayers, and spreadsheets
sometimes crash by executing an illegal instruction.  I have seen MS
Word, Excel, MacPaint, MacDraw, and Digital Darkroom crash on bad
input files on the Mac; I am sure that PC examples abound.  A bad guy
could create an input file to MS Word (for example) that caused it to
overwrite an executable instruction and execute trojan code.

Can datafile trojan horses be prevented?  Not easily.
The immediate cause of the problem is that applications use values
from the data file as lengths, indexes, or relative pointers without
checking them for reasonableness.  (All application manufacturers
should change all their code to check for bad references and not make
them.) Errors and bad references caused by undefended programming
allow trojan horses to gain a toehold because the memory containing
executable programs is writeable and has the same kind of addresses as
data memory.  (Operating systems should protect the memory blocks
containing executable code, including the operating system, from
modification.)

Can datafile trojan horses be detected?  Maybe.
Trojan code can be found in any data, not just resource forks (Mac)
or .COM and .EXE files (PC).  (Virus scanners will have to scan all
data, not just executables.) A given bit string may be noxious or not
depending on what application program interprets it.  The number of
data formats, interpreters for data formats, and bugs and variations
in the interpreters is too large for a virus scanner to know and keep
up with.  (False positives will be unpreventable.)

Tom Van Vleck           <[email protected]>

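The defect the post identifies, values taken from a data file and used as lengths, indexes or relative pointers without a reasonableness check, can be shown beside its fix in a few lines. As an added example that is not code from the post, the Python below defines a constructed record format ("RECS" magic, a count, a table of offset/length entries, then data), reads it once naively and once with every file-supplied value checked before use, and feeds both readers three constructed malformed files: an oversized length, an offset that points back into the header, and a record count larger than the file can hold. In Python the naive reader only returns wrong data or raises a struct error; in a native application the same unchecked values become the out-of-bounds reads and writes the post describes.

```python
"""Length and offset validation in a data-file reader.

Added example: the "RECS" format and all sample files are constructed here.
"""
import struct

MAGIC = b"RECS"
HEADER = struct.Struct("<4sH")   # magic, record count
ENTRY = struct.Struct("<II")     # offset into file, length in bytes


class MalformedFile(ValueError):
    """Raised by the strict reader for any input it cannot trust."""


def parse_records_unchecked(blob):
    """Naive reader: uses every offset and length exactly as the file supplies it."""
    _magic, count = HEADER.unpack_from(blob, 0)
    records = []
    for i in range(count):
        off, length = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        records.append(blob[off:off + length])   # silently wrong on bad input
    return records


def parse_records(blob):
    """Strict reader: every file-supplied value is bounds-checked before use."""
    if len(blob) < HEADER.size:
        raise MalformedFile("truncated header")
    magic, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise MalformedFile("bad magic")
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(blob):
        raise MalformedFile("record table runs past end of file")
    records = []
    for i in range(count):
        off, length = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        end = off + length   # Python ints do not wrap; a C reader must also guard overflow here
        if off < table_end or end > len(blob):
            raise MalformedFile("record %d lies outside the data area" % i)
        records.append(blob[off:end])
    return records


def rejects(blob):
    """True if the strict reader refuses the input."""
    try:
        parse_records(blob)
    except MalformedFile:
        return True
    return False


def build_file(payloads):
    """Construct a well-formed file from a list of byte strings."""
    pos = HEADER.size + len(payloads) * ENTRY.size
    entries = []
    for p in payloads:
        entries.append(ENTRY.pack(pos, len(p)))
        pos += len(p)
    return HEADER.pack(MAGIC, len(payloads)) + b"".join(entries) + b"".join(payloads)


def with_first_entry(blob, off, length):
    """Copy of a file with its first table entry replaced (for constructing bad input)."""
    return blob[:HEADER.size] + ENTRY.pack(off, length) + blob[HEADER.size + ENTRY.size:]


GOOD_FILE = build_file([b"hello", b"world"])             # 32 bytes, data starts at byte 22
OVERSIZED = with_first_entry(GOOD_FILE, 22, 0xFFFFFFF0)  # length far beyond the file
BACKWARD = with_first_entry(GOOD_FILE, 0, 10)            # offset points back into the header
BAD_COUNT = GOOD_FILE[:4] + struct.pack("<H", 1000) + GOOD_FILE[HEADER.size:]  # 1000 entries claimed

if __name__ == "__main__":
    print("strict, good file:", parse_records(GOOD_FILE))
    for name, blob in (("oversized", OVERSIZED), ("backward", BACKWARD), ("bad count", BAD_COUNT)):
        print(name, "-> strict reader rejects:", rejects(blob))
    print("naive, oversized:", parse_records_unchecked(OVERSIZED))
    print("naive, backward:", parse_records_unchecked(BACKWARD))
```

The strict reader's rule is the one the post asks application writers to adopt: a record may only lie inside the region that follows the table, and the table itself must fit inside the file, so no file-supplied value is ever used as an address before it has been compared against the actual size of what was read.
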
------------------------------

Date:    Tue, 25 Feb 92 21:38:32 +0000
From:    [email protected] (Steve Russell)
Subject: Re: Will re-formatting a floppy remove ALL vires (PC)

"[email protected]"@Arizona.edu writes:
>Does anybody know if a bulk tape eraser would be practical for erasing
>floppies? If so, it would be the ideal solution for quandaries like
>this one.

Use the video tape eraser from Radio Shack (about $30.00). It will
wipe floppies, mag tape, audio cassette, and video cassette in about
30 seconds.

It won't put much of a dent in metal-oxide 8mm tape, however.

-steve

------------------------------

Date:    Tue, 25 Feb 92 21:41:16 +0000
From:    [email protected] (Steve Russell)
Subject: Re: WP.EXE appended to, up front (PC)

[email protected] (Michael Fry) writes:
>On Zenith XT hard drive:
>
>We found several files on a directory with WordPerfect 5.0 with size
>increases ranging from 380 to 3000+ bytes.
>
>When the contents of WP.EXE were inspected, the bodies of several text
>files (.BAT files from a different directory) were at the top of the
>file, with names and a few bytes of data between them.  The names
>were, like, "WP.BAT" in 6 characters, so not directory entries.
>Format looked a little like WP .SET file entries, but no open space
>(0's) between bodies of text.  The file started with the text of a
>.BAT file, not its name. These were tightly packed (not caused by FAT
>shuffling).  Not sure if original WP.EXE is still in there, but
>suspect this strange data appended to the front of WP.EXE. File size
>increased by 2101 bytes.
> ...

CHKDSK didn't report any problems???

-steve

------------------------------

Date:    Tue, 25 Feb 92 17:48:01 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Bootable floppies and FixFBR (PC)

>From:    [email protected] (Vesselin Bontchev)

>padgett%[email protected] (A. Padgett Peterson) writes:

>>This is the reason I do not bother in the FixFBR program to try to retrieve
>>the original boot sector.

>Please, note also that this will make an infected system diskette
>non-bootable, while disinfecting it with a virus-specific program
>might (in most, but not all) cases preserve bootability...

Vess is correct, however if you want the disk to be bootable, SYS A:
will also remove the virus from a floppy. Since an adequate solution
existed for that case, I did not take the time to make my generic boot
record bootable, rather it displays a warning about booting from
floppies. It is designed for non-bootable disks.

                                       Warmly,
                                               Padgett

ps don't forget, this is my hobby, not what I get paid for.

------------------------------

Date:    Tue, 25 Feb 92 10:10:14 -0500
From:    [email protected] (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)

The Cornell Daily Sun reported in this morning's issue that two
Cornell University sophomores, David Blumenthal and Mark Pilgrim, were
arrested Monday evening and arraigned in Ithaca City Court on one
count each of second degree computer tampering, in connection with the
release of the MBDF virus that infected Macs worldwide over the last
several days.  The two are being held in Tompkins County Jail.
Further charges are pending.

[Moderator's Note: See press release, below]

--
Mark H. Anbinder                      607-257-2070 - FAX 607-257-2657
BAKA Computers, Inc.                  QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road               [email protected]
Ithaca, NY 14850

------------------------------

Date:    Wed, 26 Feb 92 08:42:17 -0500
From:    Tom Coradeschi <[email protected]>
Subject: Alleged MBDF virus-creators arrested at Cornell (Mac)

Forwarded from Info-Mac.

               tom coradeschi    <+>    [email protected]

----- Forwarded message # 1:

Date: Tue, 25 Feb 1992 11:47:32 PST
From: [email protected] (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"

by Jeff Carmona

[The Cornell Daily Sun, 25 February 1992]

 Two Cornell students were arrested yesterday for allegedly creating and
launching a computer virus that crippled computers around the world,
according to M. Stuart Lynn, the University's vice president for information
technologies.
 David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of
Public Safety officers and arraigned in Ithaca City Court on one count of
second-degree computer tampering, a misdemeanor, Lynn said.
 Both students were remanded to the Tompkins County Jail and remained in
custody early this morning. They are being held on $2,000 cash or $10,000
bail bond, officials said.
 Cornell received national attention in Nov. 1988 when Robert T. Morris
Jr., a former graduate student, was accused of unleashing a computer virus
into thousands of government and university computers.
 Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined
$10,000, given a three-year probation and ordered to do 400 hours of
community service by a federal judge in Syracuse, according to Linda
Grace-Kobas, director of the Cornell News Service.
 Lynn would not compare the severity of the current case with Morris',
saying that "each case is different."
 Lynn said the virus, called "MBDFA" was put into three Macintosh games --
Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle.
 On Feb. 14, the games were launched from Cornell to a public archive at
Stanford University in Palo Alto, Calif, Lynn said. From there, the virus
spread to computers in Osaka, Japan and elsewhere around the world when
users connected to computer networks via modems, he added. It is not known
how many computers the virus has affected worldwide, he explained.
 When computer users downloaded the infected games, the virus caused "a
modification of system software," Lynn said. "This resulted in unusual
behavior and system crashes," he added.
 Lynn said he was not aware of anyone at Cornell who reported finding the
virus on their computers.
 The virus was traced to Cornell last Friday, authorities were quickly
notified and an investigation began, Lynn said.
 "We absolutely deplore this kind of behavior," Lynn said. "We will pursue
this matter to the fullest."
 Armed with search warrants, Public Safety investigators removed more than
a dozen crates full of evidence from the students' residences in Baker and
Founders halls on West Campus.
 Public Safety officials refused to disclose the contents of the crates or
issue any comment about the incident when contacted repeatedly by phone last
night.
 "We believe this was dealt with very quickly and professionally," Lynn
said.
 The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today
and additional charges are pending, according to Grace-Kobas.
 Because spreading a computer virus violates federal laws, "conceivably,
the FBI could be involved," she added. Officials with the FBI could not be
reached to confirm or deny this.
 Blumenthal and Pilgrim, both 19-year-olds, were current student employees
at Cornell Information Technologies (CIT), Lynn said. He would not say
whether the students launched the virus from their residence hall rooms or
from a CIT office.
 Henrik N. Dullea '61, vice president for University relations, said he
thinks "the act will immediately be associated with the University," not
only with the individual students charged.
 Because a major virus originated from a Cornell student in the past, this
latest incident may again "bring a negative reaction to the entire
institution," Dullea said.
 "These are very selfish acts," Lynn said, referring to the intentional
distribution of computer viruses, because innocent people are harmed.
 Lynn said he was unaware of the students' motive for initiating the virus.
 Lynn said CIT put out a notice yesterday to inform computer users about
the "very virulent" virus. A virus-protection program, such as the new
version of Disinfectant, can usually cure computers, but it may be necessary
to "rebuild the hard drive" in some cases, he added.
 A former roommate of Blumenthal said he was not surprised by news of the
arrest. Computers were "more than a hobby" for Blumenthal, said Glen Fuller
'95, his roommate from last semester. "He was in front of the computer all
day," Fuller said.
 Blumenthal, who had a modem, would "play around with viruses because they
were a challenge to him," Fuller said. He said that, to his knowledge,
Blumenthal had never released a virus before.

----- End of forwarded messages

------------------------------

Date:    Mon, 24 Feb 92 23:21:54 -0500
From:    [email protected] (Joseph Costanzo)
Subject: book recommendation????

Hello all,

Put it like this: I know NOTHING about viruses, but would like to
learn simply what they're all about.  I don't want anything too
technical, and nor do I want something that's written for
pre-schoolers.  Any suggestions on some simple reading so I can
understand what is going on in this newsgroup?

Thanks in advance.

Joseph Costanzo
Lehigh University
[email protected]

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 44]
*****************************************