VIRUS-L Digest Monday, 2 Mar 1992 Volume 5 : Issue 50

VIRUS-L Digest Monday, 2 Mar 1992 Volume 5 : Issue 50

Today's Topics:

New Virus? (PC)
Re: Possible virus? (PC)
More on SCAN87 (albeit belatedly) (PC)
Re: Surviving warm reboot (PC)
"2,400" PC infected with Michelangelo virus (PC)
Re: Will re-formatting a floppy remove ALL viruses (PC)
What does the Tequilla virus do? (PC)
Virus protection in OS? (PC)
Re: Will Write Protection Prevent Virus Infection? (PC)
Re: F-Prot 2.02D/DOS 2.11 (PC)
RE: F-PROT on DOS 2.xx (PC)
re: A quick Michelangelo question (PC)
Michelangelo Confused w/Joshi (PC)
joshirep.doc/ps on risc (PC)
about Michelangelo (PC)
Re: Preventing virus infection by disabling the hard disk (PC)
Alamo Virus? (PC)
Re: Disinfectant 2.6 (Mac)
Viruses in general
New files on risc.ua.edu (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 28 Feb 92 21:34:21 -0700
>From: [email protected]
Subject: New Virus? (PC)

I have recently encountered a virus wich seems to only infect .com
files and add 322 bytes to infected files. I have not (as of yet) had
a chance to s study this "new" virus. Infected .com files contain the
text "The Troi Virus". This virus escapres detection from both scan85
(I do not have the newest version) and F-prot202d. While running the
heuristics scan from f-prot I get the warning that "it is most likely
virus infected" on a purposefully infected file. I have "watched" this
virus attempt any new .com file being executed to be infected once it
is memory resident. I have sent a copy to one expert allready -- I
have no idea of the others locations to send virii to.

Stephen Zamarripa

Thanks to Integrity Master for early detection :)

------------------------------

Date: Sat, 29 Feb 92 06:29:22 +0000
>From: [email protected] (Robert Slade)
Subject: Re: Possible virus? (PC)

[email protected] (Vera Marvanova) writes:

>caused by a virus? In two computers (386-SX AND 386 - 33) after some
>time of operation suddently all look like CAPS LOCK would be touched.
>All letters changes to upper case. After "SHIFT" all is O.K., but

Actually, this is extremely common behaviour in MS-DOS machines in
general. I have often had machines that would suddenly behave as if
all the keys were "shift"ed, "ctrl"ed or "alt"ed. Some could be
recovered, and some couldn't (at least I never found a way to do it.)
None were virally infected.

==============
Vancouver | "Don't buy a
Institute for [email protected] | computer."
Research into [email protected] | Jeff Richards'
User CyberStore Dpac 85301030 | First Law of
Security Canada V7K 2G6 | Data Security

------------------------------

Date: Sat, 29 Feb 92 07:26:01 +0000
>From: [email protected] (Robert Slade)
Subject: More on SCAN87 (albeit belatedly) (PC)

A trojan horse that pretends to be the latest version of McAfee's SCAN
program has been seen locally. So far all versions have had -AV
codes, although none have been reported with the McAfee license number
(NWN405).

The "parent" file is titled "CLEANV87.ZIP", and contains most of the
files from the normal SCAN package, including file called SCAN.EXE.
(SCAN.EXE is normally distributed in an archive named SCANVxx.ZIP,
while the associated CLEANUP program is generally shipped in an
archive named CLEANxx.ZIP.) The SCAN.EXE file is slightly shorter,
65,765 bytes, than SCAN version 86B. The SCAN87.DOC file contains
validation codes which match those for the trojan.

The program initially runs similarly to the normal SCAN program,
identifying itself as SCAN8.5A87. It finds no viri in memory or on
disk, and then says it will write REPORT.SCN. At this point, if the
system does not have a hard disk, the program crashes with "Runtime
error 105 at 0000:2725". If the system does have a hard disk, the
program will display a message about the Illuminati and will then
erase, and "zero out", all files on the disk. Directory structure is
left intact.

There is one report that the REPORT.SCN file contains a message to the
sysop of the Gallows Howe BBS, referring to the BBS number in the West
Point Grey area of Vancouver, with reference to a voice number in
Richmond.

======================
Vancouver Institute for Research into User Security, Canada V7K 2G6
[email protected] [email protected] Fidonet 1:153/733
CyberStore p1 (Datapac [3020] 8350 1030) 604-526-3676
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Security

------------------------------

Date: Sat, 29 Feb 92 03:10:27 +0000
>From: [email protected] (Steve Russell)
Subject: Re: Surviving warm reboot (PC)

[email protected] (David.M.Chess) writes:
>>From: [email protected] (Vesselin Bontchev)
>>
>>In short, no virus is able to survive the Alt-Ctrl-Del IN GENERAL.
>
>An interesting argument (we can take it offline if you like; I'd claim
>that there are viruses that can do it in virtually any configuration),
>BUT not of interest to end users. As far as the user is concerned
>(and that includes even us expert-types when we're actually using
>machines!) if there are -some- viruses that can -sometimes- survive a
>three-key reboot, it's safest to assume that any virus might, and to
>always do a poweroff reboot if it's important to have the machine in a
>clean state. It's just too easy to make a mistake otherwise! So, to
>present an alternative to your statement:
>
> In short, since some viruses ARE able to survive the Ctrl-Alt-Del
> sometimes, it's best to always poweroff reboot when it's important
> to have a clean boot.

Running multiple configurations of memory management and
network/non-network set ups, I've had any number of occasions where
something was left hanging in memory which wasn't cleared up by a warm
boot - either c-a-d or one of the software types.

- -steve

------------------------------

Date: Sat, 29 Feb 92 10:46:00 -0500
>From: "David Bridge" <[email protected]>
Subject: "2,400" PC infected with Michelangelo virus (PC)

News item in The Washington Post, Sat. Feb. 29, 1992, Page B1.

"The Michelangelo computer virus has infected roughly 80 percent of
the 3,000 personal computers at the New Jersey Institute of
Technology. Computer specialists at the Newark Campus have launched
an emergency effort to test each machine and remove the virus before
it can activate and destroy stored data on March 6, the Italian
Renaissance artist's birthday."

If the above facts are accurate, I think this might be of the largest
(ca. 2,400) Michelangelo virus infections recorded so far.

David Bridge
Smithsonian Institution

------------------------------

Date: Sat, 29 Feb 92 18:37:02 +0000
>From: [email protected] (Chris Beauregard)
Subject: Re: Will re-formatting a floppy remove ALL viruses (PC)

[email protected] (zmudzinski, thomas) writes:
> I've noticed various folks talking about bulk magnetic erasers, and
>they're fine if you happen to have one handy. But I picked up a floppy
>zapper at a trade show that's the cheapest one around (free, that is):
>it's just a refrigerator magnet (one of those thick, flexible jobbies).
>One slow scrub up & down, then left & right, and presto! Those annoying
>little magnetic particles have been thoroughly confused. The key here

A little caution with this is in order however. Someone told
me about attemting to wipe a disk with a magnet. The final results
was a 3.5" disk whose metal cover could lift a pen. While it would
undoubtably erradicate any evil code on the disk, it would also do
wonders to the drive head of the system in question...

- -------------------------------------------+---------------------------------
Chris Beauregard | Live, free(),
[email protected] | and exit(0).
"If you can't beat 'em, take 'em with ya!" | - Me

------------------------------

Date: 01 Mar 92 00:10:17 +0000
>From: [email protected] (Timothy Fredrick)
Subject: What does the Tequilla virus do? (PC)

We found several PC's that were infected with the Tequilla virus [Teq]
using McAfree's scan 86b program. We were able to use clean to remove
the viruses from the infected hard disks, although it destroyed the
boot sector and we needed to restore it with Norton's Disk Doctor.

Does anyone have any experiences or comments about the Tequilla virus?
Does it have a trigger date? How does it spread? Are there any
machines or operating systems that are "immune"? How long has the
virus been around? Is it a particular problem in Belgium or has it
been more prevalent here? Any information would be appreciated.

I guess the publicity over the Michelangelo virus is helping us to
ferret out the other ones.

Thanks in advance.

Tim Fredrick ([email protected])
Ntl Center for Atmospheric Research, Boulder, CO 80307-3000

------------------------------

Date: Sat, 29 Feb 92 14:57:38 -0500
>From: "Mark W. Schumann" <[email protected]>
Subject: Virus protection in OS? (PC)

padgett%[email protected] (A. Padgett Peterson) writes:

> Incidently it takes a whole 10 (decimal, not hex) generic bytes at
> BIOS time to detect every MBR infector I have seen thusfar (including
> Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their
> cousins). "Stealth" just makes it easier. When are the O/S
> manfacturers going to wake up ?

Is it practical to include virus protection in an operating system?
- --
Mark W. Schumann/3111 Mapledale Avenue/Cleveland, Ohio 44109-2447 USA
Bang: ...!ncoast!nshore!wariat!whizbang!mark (WAY off the Internet..)
Domain: [email protected] CIS: 73750,3527
"Aren't you glad you didn't marry someone dumber than you?" --my wife

------------------------------

Date: Sun, 01 Mar 92 11:14:24 -0500
>From: David Lesher <[email protected]>
Subject: Re: Will Write Protection Prevent Virus Infection? (PC)

Yes, write protection will absolutely protect you.

Note, however, that this must be H A R D W A R E write protection such
as provided by floppy disk tabs. Few off_the_shelf winchester hard
disks offer this option, although it used to be standard on HDU's on
minis. The RK-05 and RL-02 come to mind.

It's no big deal to add a HW write protect switch to a MFM/RLL drive. I
have not looked at doing this to an IDE or a SCSI, though.

- --
A host is a host from coast to [email protected]
& no one will talk to a host that's close..........................
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

------------------------------

Date: Sun, 01 Mar 92 17:33:17 +0000
>From: Fridrik Skulason <[email protected]>
Subject: Re: F-Prot 2.02D/DOS 2.11 (PC)

In Message 19 Feb 92 21:02:27 GMT, [email protected] (Lynne Meeks) writes:

>We're having some trouble getting F-Prot (2.02D) to run successfully
>with AT&T DOS 2.11 (Yes, I know this is very old but fiscal
>constraints what they are not everyone has upgraded to a modern
>version of DOS)
>
>What happens is we run F-Prot and get the message:
>'*.TX0 not found'
>then we get the DOS prompt

Well, this is a bug, I admit. I have fixed it in 2.03 which is due
very soon.

- -frisk

------------------------------

Date: Sun, 01 Mar 92 13:57:45 -0500
>From: [email protected] (Michael Fry)
Subject: RE: F-PROT on DOS 2.xx (PC)

> We're having some trouble getting F-Prot (2.02D) to run successfully
> with AT&T DOS 2.11 ...

(Trouble with F-PROT finding ENGLISH.TX0)

I might have missed the response from Frisk on this. I suspect a
similar problem may arise when F-PROT is run from certain menu
packages.

When a program is executed, DOS 3 and up passes a message telling the
program it's name and path. It seems F-PROT uses this feature for
locating its own directory, at least on my machine running DOS 3.30.
The absence of this message under DOS 2.xx may be tripping up F-PROT.
Menu systems have been known to fail to pass this message, too, even
under DOS 3 or higher. In case of similar ("Can't find .TX0...")
trouble with F-PROT.EXE being run from a menu under DOS 3 or higher, a
workaround is to instead run COMMAND.COM with command line parameter
"/c path\F-PROT". A workaround for DOS 2.xx is possible, too.

Mike Fry Lebanon Valley College Annville, PA 17003
[email protected]

------------------------------

Date: Sat, 29 Feb 92 21:05:26 -0800
>From: [email protected]
Subject: re: A quick Michelangelo question (PC)

In VIRUS-L Digest V5 #46 Pagett Peterson (padgett%[email protected]) wrote:

> Incidently it takes a whole 10 (decimal, not hex) generic bytes at
> BIOS time to detect every MBR infector I have seen thusfar (including
> Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their
> cousins). "Stealth" just makes it easier. When are the O/S
> manfacturers going to wake up ?

Is there not a danger that, once there exists a "standard" way in
which such infectors are detected, a virus could reach into the boot
code and disable this checking at the time that it infects?

Fritz Schneider ([email protected])

------------------------------

Date: Sat, 29 Feb 92 21:21:02 -0800
>From: [email protected]
Subject: Michelangelo Confused w/Joshi (PC)

In VIRUS-L Digest V5 #46 Rob Lustig ([email protected]) wrote:

> I read some disturbing news in a SIG on a BBS that said if you type
> HAPPY BIRTHDAY MICHELANGELO at the DOS prompt, it would disable the
> virus. I posted a reply stating that it was FALSE and if they have a
> copy of the virus that responds to that then send it to me so I can
> forward it on.

Apparently they have confused Michelangelo with Joshi to some extent.
Maybe it was the word "Birthday" that managed to stick in their
memory?

When Joshi triggers (on January 5th) you must type "Happy Birthday
Joshi" in order to continue. Michelangelo does not ask for any input:
When it triggers, it just starts writing over the first 256 tracks on
the first four sides of the boot disk(ette). Bye-bye data!

Fritz Schneider ([email protected])

------------------------------

Date: Sun, 01 Mar 92 16:27:03 -0600
>From: James Ford <[email protected]>
Subject: joshirep.doc/ps on risc (PC)

The following files have been placed on risc.ua.edu (130.160.4.7) in
the directory /pub/virus-text/docs for anonymous ftp:

/pub/virus-text/docs/joshirep.doc (ascii format)
/pub/virus-text/docs/joshirep.ps (PostScript format)

- ----------
When you are over the hill, you pick up speed.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected], [email protected]
Work (205)348-3968 fax (205)348-3993

------------------------------

Date: Sun, 01 Mar 92 14:02:34 -0800
>From: [email protected]
Subject: about Michelangelo (PC)

I read some information about the virus named MICHELANGELO. But I have
some questions, maybe you can help me.

o The virus works in march 6th only or it is activated this day
and works every day after march 6th of 1992 ?

o I haven't got the Scan V.85, Can I remove the Mich virus with the
84 version ?

o My BIOS ask me what to do when somebody is trying to change the hard
disk partition table or the boot. Can Mich get into mi hard disk
without I note this ?

o Sorry for my english, and, PLEASE send me the answer before march 4th.
so it can reach me before march 6th.

Thank's
Alfrenovsky

- -------------------------------+----------------------------------------------
Alfredo Daniel Rezinovsky | E-Mail adress: [email protected]
Student of the Facultad de | Phone: (54-61)-29-1774
Ingenieria of the Universidad |
Nacional de Cuyo - Mza - Arg | |\/\/\/| ______________________
| | _ _| / \
Mailing Adress: | | (_)(_) / if A=B and B=C, A=C |
Alfredo Daniel Rezinovsky | C _) __| except if void or |
9 de julio 1067 Piso 5 Dpto. 9 | | ,___| <___ prohibited by law. |
(5500) - Mendoza - Argentina | |____/ \______________________/
| | \
- -------------------------------+----+-----+-----------------------------------

------------------------------

Date: Sun, 01 Mar 92 15:25:04 +0000
>From: [email protected] (Administrator)
Subject: Re: Preventing virus infection by disabling the hard disk (PC)

[email protected] (Vesselin Bontchev) writes:
> [email protected] (Jason Mathews - 514) writes:
>
> > It seems that DOS and most programs cannot access the hard disk from
> > this point. However, are there any viruses (actual or theoretical)
> > that can infect the hard disk after the CMOS disabled it?
>
> For sure none of the currently existing viruses will bypass this
> protection. The hard disk is not accessible even throuth BIOS calls.
> However, I will not take the responsability to state that it is really
> impossible to access the disk and that no future virus will be able to
> do that. Note that in this case my reaction ("who knows, might be
> possible") is caused mainly because I am not informated well enough
> (read: ignorant) on this (hardware) matter.

A simple hardware level device driver for the normal AT type
controller is only several screen fulls of C code. I would venture
that it would not be theoretically impossible to have such a thing in
a virus. But, I think it is impossible to deactivate the disk
activity light. So, in the above test method, I would keep a sharp
eye on the disk activity light, just in case.

------------------------------

Date: Sun, 01 Mar 92 18:07:14 -0500
>From: "Albert M. Berg" <[email protected]>
Subject: Alamo Virus? (PC)

Has anyone had experience with a virus or trojan that overwrites the
beginning of disk sectors with the string:

"remember the alamo!"

I have a client whose NetWare server got trashed, and we found this
string at the beginning of many sectors examined with Novell's DISKED
utility.

There doesn't seem to be a listing for this type of behavior anywhere
I looked.

Any help will be greatly appreciated.

Al

------------------------------

Date: Fri, 28 Feb 92 23:57:28 +0000
>From: [email protected] (William Kucharski)
Subject: Re: Disinfectant 2.6 (Mac)

[email protected] (Norman Paterson) said the following:
>I've been having trouble running Disinfectant 2.6 on an Apple Quadra.
>There are several other applications that might be involved, including
>TELNET 2.4 and CAP/AUFS. Symptoms include crashing during hard disc
>scan with "unimplemented trap" error and sporadic unmounting of file
>server volumes.
>
>Has anyone else come across this? The Quadra seems to have a number of
>peculiarities.

Don't blame the Quadra; Disinfectant 2.6 works just great for me.
Sounds like an INIT problem somewhere (standard answer.)

- --
| William Kucharski, Solbourne Computer, Inc. | Opinions expressed above
| Internet: [email protected] Ham: N0OKQ | are MINE alone, not those
| Snail Mail: 1900 Pike Road, Longmont, CO 80501 | of Solbourne Computer, Inc.
| President, "Just the Ten of Us" Fan Club | "It's Night 9 with D2 Dave!
"

------------------------------

Date: Sun, 01 Mar 92 12:34:42 -0500
>From: [email protected] (Jack Churchill)
Subject: Viruses in general

[email protected] (Vesselin Bontchev) writes:
> [email protected] (NSI Security Manager +1-202-434-4541) writes:
>
>> This question may have been asked/answered already, but does merely
>> setting the system date ahead on the 5th (to the 7th) cause the
>> trigger mechanism never to go off?
>
> No. The trigger mechanism will go off the next March 6 (after one
> year) too. "Never say never"... :-)
>
>> It would seem that if true, as an interim measure until all systems
>> could be scanned, that the systems just be set so that Friday, the 6th
>> of March never comes....
>
> Yeah... And on March 13 (Friday) the Jerusalem virus (a quite
> widespread one, maybe more than Michelangelo) will delete files. And
> on March 15 the Maltese Amoeba virus (quite widespread in the UK, but
> also in other places in the world) will destroy your hard disk... Are
> you going to change the date in these cases as well? Not to forget
> the few hundreds other viruses, which cause destruction every day,
> every hour... Some of them are -very- widespread (Dark Avenger). Are
> you going to turn your computer on at all?
>
> No, you must take proper anti-virus measures. Not because one silly
> virus happens to activate in a few days, but because computer viruses
> do exist and because the -are- widespread. You -must- take those
> measures -now- and not wait till the next panic, or rely on changing
> the system date.

If it's that important to have a good anti-virus tool (which it is)
then it should be mandatory on all PCs. It's now come to the stage we
spend too much time chasing viruses and ant-viruse cures. PCs are
supposed to be useful, productive and cost effective means of
computing. I feel it's come to the stage that MSDOS should have
anti-virus tools as standard with the provision for updates through
normal computer stores or electronic means. In other words, why
should we put up with so many different forms of anti-virus tools when
one should be enough and made a permanent feature of all PCs. That
way the spread of viruses would be much harder since every system
would stop the spread as close to the source as possible. Then we can
get back to using PCs for other more productive uses. Otherwise, we
will quickly come to the stage of having so many new viruses (one per
day or worse) that we spend most of our time doing
backups/restores/virus-checking/etc. If it's not that important to
make every system safe then the opposite argument becomes true, namely
we are all becoming paranoid about viruses (which I don't think is
true). You see, you can't have it both ways. Either we take it
seriously or not.

- --
Jack N. Churchill | [email protected]
CSIRO Division of Exploration Geoscience | [email protected]
PO Box 136 North Ryde NSW 2113 | Phone: +61 2 887 8884
Australia | Fax: +61 2 887 8909

------------------------------

Date: Fri, 28 Feb 92 23:47:59 -0600
>From: James Ford <[email protected]>
Subject: New files on risc.ua.edu (PC)

The following files have been placed on risc.ua.edu for anonymous FTP:

/pub/ibm-antivirus/stealth.zip (replaces crcset*.zip)
/pub/ibm-antivirus/navm.zip Nortin AV M(ichelangel)
/pub/ibm-antivirus/cpavse.zip Central Point AV "special edition"

- ------------------------------------
stealth.zip
This is an anti-virus protection utility that uses a 32-bit CRC to test
the integrity of the running program and any supporting files. It also
performs a basic system check for any viruses that may evade detection by
a file check. Supporting code is in C and Turbo Pascal and full
documentation is included. (DOS)
- -------------------------------------

Below is a file listing from risc.ua.edu (130.160.4.7) pub/ibm-antivirus files.
If you see an outdated file, please let me know which file so I can replace it.
Thanks.

risc.ua.edu (130.160.4.7) filelist current as of Feb. 28, 1992.
- ----------------------------------------------------------------------------
0files.9203 fshld15.zip tbresc15.zip vc300ega.zip vshld86b.zip
avs_e224.zip fsp_183.zip tbscan30.zip vc300lte.zip vstop54.zip
bbug.zip htscan12.zip trapdisk.zip vcheck11.zip vsumx201.zip
bootid.zip i-m102b.zip unvir902.zip vcopy82.zip vtac48.zip
ccc91.zip innoc5.zip uu-help.text vdetect.zip vtec30a.zip
checkout.zip m-disk.zip uudecode.bas virlab14.zip wcv201.zip
chk.zip navm.zip uudecode.doc virpres.zip wolfchk.zip
chkint.zip navupd01.zip uudecode.pas virsimul.zip wp-hdisk.zip
clean86b.zip netsc86b.zip uuencode.pas virstop.zip wscan86b.zip
cpavse.zip pcv4.zip uxencode.pas virusck.zip xxdecode.bas
dir2clr.zip pkz110eu.exe vacbrain.zip virusgrd.zip xxdecode.c
fixfbr11.zip scanv86b.zip vaccine.zip virx20.zip xxencode.c
fixmbr24.zip secur231.zip vaccinea.zip vkill10.zip xxencode.cms
fixutil2.zip sentry02.zip validat3.zip vs920109.zip
fprot202d.zip stealth.zip validate.crc vshell10.zip
- ----------
The pot at the end of the rainbow is not Acapulco Gold.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected], [email protected]
Work - (205) 348-3968 fax - (205) 348-3998

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 50]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253