VIRUS-L Digest Monday, 2 Mar 1992 Volume 5 : Issue 51
Today's Topics:
hiding hard drives (PC)
Re: Question on Michelangelo Date-Trigger (PC)
Re: Weird Joshi (PC)
Re: Kamikaze virus? (PC)
Re: mutated FORM? (PC)
Re: TIME virus (PC)
Re: V2P6 VIRUS (PC)
Request for Info on Lisbon Virus (PC)
False Positives with Virus Scanners (PC)
Problem with McAfee CLEAN against the FORM virus (PC)
Re: Another Michelangelo question... (PC)
Michelangelo question (PC)
Michelangelo (PC)
Fprot 2.20d and Novell (PC)
Manufacturing of software (GENERAL)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 01 Mar 92 22:17:55 -0500
>From: Leonard Erickson <
[email protected]>
Subject: hiding hard drives (PC)
Martin McCormak writes:
>> Before testing new software on my 286/386 machines, I disable the hard
>> disk by changing the CMOS hard disk type to 0 and reboot from a
>
>First of all, I make this statement without ever having experimented
>with a present generation system containing the CMOS hardware
>configuration setup ability so my opinions are worth just what you
>paid for them, but I would say, with some confidence that it is
>possible for a sophisticated virus to bypass any CMOS settings. After
>all, it is possible for any running program to determine the type of
>system which is running it. If anything about this system can be set
>by software, it can be a potential mark for attack. Basically, if you
>set something from the keyboard or a disk file, somebody else can set
>it also with their program. Remember, we aren't talking about
>following all the rules or doing things according to the book. We are
>talking about field expedience and getting the job done any way one
>can. If this means doing something totally unorthodox, such as
>loading "incorrect" values into a BIOS routine, somebody will do it if
>it makes their sabotage program stealthier or more destructive.
A virus isn't going to *infect* a hard drive that way. On machines
with CMOS setup, *all* the info about the drive is determined by the
info in the setup. # of heads, cylinders, sectors per track, etc.
A virus *might* try testing access with all of the possible drive
types (over 40 on many machines) but picking the wrong one will result
in a BIOS level error, with attendant error message. It would be
*very* noticeable, especially since as soon as it tried to access the
drive, the drive access light would come on (it doesn't if you tell
the machine that there is no HD).
I really don't think any virus author is going to waste time and
effort on trying to find such a drive. It'd tie up the virus for
*minutes*, generate some noticeable physical effects (the drive
light), and could be a waste of time (if there really *wasn't* a hard
drive).
------
Sid <
[email protected]> asks about his mother's HD getting
trashed and being told "..it had a virus which replaced information in
sectors 2-35 with "E5"."
Well it could be a virus. On the other hand, guess what gets written to
sectors when you format a disk? There are *lots* of ways to caused a porly
behaved program to do that to the FAT... I'd test anyway, just to be on
the safe side.
------------------------------
Date: Sat, 29 Feb 92 11:16:15 -0500
>From:
[email protected] (Michael Keirnan)
Subject: Re: Question on Michelangelo Date-Trigger (PC)
[email protected] (Vesselin Bontchev) writes:
>> It would seem that if true, as an interim measure until all systems
>> could be scanned, that the systems just be set so that Friday, the 6th
>> of March never comes....
>Yeah... And on March 13 (Friday) the Jerusalem virus (a quite
..
>on March 15 the Maltese Amoeba virus (quite widespread in the UK, but
..
>Are you going to turn your computer on at all?
>
>No, you must take proper anti-virus measures. Not because one silly
>virus happens to activate in a few days, but because computer viruses
>do exist and because the -are- widespread. You -must- take those
>measures -now- and not wait till the next panic, or rely on changing
>the system date.
Yes indeed, and I would add that turning off your computer and waiting
for the threat to pass sounds a lot like giving in: "Okay, virus
writer, you win, I won't use my computer because of your virus." If
people start doing that, as Vesselin pointed out, computers would
become large paper weights. I'd rather get infected!! well...almost :)
The idea of setting the clock has probably been suggested largely
because it is easy to do, and doesn't take much time. This is
understandable, but the virus situation is such that to protect
yourself requires a time investment. But it is well worth it. The
plans that the people on this list suggest typically include a regular
backups, something that pays for itself even if you never get hit with
a virus. And the time investment is biggest to set up a prevention
scheme. Once procedures are in place and part of your (or your
company's) routine, the time spent is minimal.
===========================================================================
Michael Keirnan | Internet:
[email protected]
Sr. Software Engineer | Voice: 617-270-9234 x202
SQL Solutions, Inc. | #include <legal/disclaimer.h>
- ---------------------------------------------------------------------------
Seize the day by next week at the latest. -- Boynton
===========================================================================
------------------------------
Date: Mon, 02 Mar 92 00:51:46 -0500
>From:
[email protected]
Subject: Re: Weird Joshi (PC)
The problem you ran into with Joshi has a fairly simple explanation:
Joshi, as you know, infects boot sectors. The boot sector contains some
data about the disk as well as the bootstrap loader program (which you
probably also knew). This data includes such things as the media
descriptor (5 1/4", 3 1/2", etc.), the number of bytes per sector,
sectors per track, tracks per cluster, FAT's, root directory entries,
etc. DOS needs this information to access the disk.
Your floppy was infected, no doubt about it. But your hard disk
wasn't, and Joshi was not active in memory. Now, you do a DIR of the
infected diskette. To do this, DOS reads the root directory, BUT FIRST
IT READS THE BOOT SECTOR! It reads it into a buffer, and uses the data
contained therein. It does NOT execute the code, so Joshi never gets
control. Then, when you run F-PROT and it goes looking through memory
for viruses, Joshi is found in the DOS buffer into which it had been
read. Although Joshi is not active in memory, F-PROT either doesn't
realize this, or takes the conservative course, and reports it. And
well it should.
The reason you saw this behavior under MS-DOS 5.0 but not under HP
MS-DOS 3.30 or 3.20 is presumably that HP MS-DOS reuses the buffer into
which it read the boot sector for the root directory sectors, whereas
MS-DOS 5.0 keeps the boot sector around so that it doesn't have to read
it again if you access the same diskette. I think someone on this list
mentioned that you can press Ctrl-C or Ctrl-Break, which will force DOS
to flush its buffers and reload them on the next diskette access. Could
someone confirm this?
Anyway, all you're seeing is the ghost of Joshi in memory. Disinfect
(or reformat) the diskette and any others which may be infected and you
should have no more problems.
David R. Conrad
[email protected]
------------------------------
Date: 02 Mar 92 11:47:05 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Kamikaze virus? (PC)
[email protected] (Pug) writes:
> semester. When I run scan, it comes up with nothing. When I run
> f-prot, it comes up with TURBO.TPL possibly being infected with the
> Kamikaze virus. I understand that it's possible that the signature for
> a virus COULD randomly appear, but for some reason I doubt it. This
Not randomly. There is a perfectly good reason why the Turbo Pascal
library causes a false positive. Kamikaze is a pretty silly
overwriting virus, written in a high level language. In Turbo Pascal,
more exactly. While such viruses have virtually no chances to spread
(although I personally caught this one in the wild, but this was in
Bulgaria anyway <grin>), it is extrememly difficult to select a good
scan string for them. The reason is that most of their body consists
of library routines, and if you happen to pick something from there,
you'll get a false positive in any program, which is compiled by the
same compiler and contains the same library. Or in the library itself.
However, I think that Frisk corrected this problem. Maybe your version
of F-Prot is outdated; try 2.02d (available from Simtel20, garbo, and
many other places).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 02 Mar 92 11:53:45 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: mutated FORM? (PC)
[email protected] (James P. Gunderson) writes:
> At the University of Colorado Denver we have run across an interesting
> situation. On a routine scan of a users disk, we found FORM in memory
> with no detection on the disk it self. After making a disk copy of
> the disk (5 1/4 HD formatted at 360K) we again scanned. No image on
> the disk, but the machine was reinfected.
Just a (wild) guess. Do you run any other (resident) form of virus
protection? Like the one that comes with Central Point Anti-Virus? If
so, remove it and check whether the "virus" (actually a ghost false
positive) will disappear.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 02 Mar 92 12:11:36 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: TIME virus (PC)
[email protected] (Jose A. Peinador) writes:
> We are having a lot of requests to eliminate TIME virus from several
> machines (PCs).
"TIME" is a not very often used alias for the Monxla viruses. There
are two Monxla viruses (A and B), both are Vienna variants.
> A vendor and us started investigating about it in our organization and
> found some strange facts (we used an antivirus called anti-kot that he
> brought):
Hmm... Anti-kot is a Russian program, right? If the guy has been in
Russia (or anywhere in East Europe), chances are that he has brought
the virus as well... :-)
> - - first we found out that not only com files were infected but text files
> did also.
Are they -really- infected or just flagged as such? This is easy to
check, just load them with a text editor and see what's inside.
> - - not all of the com files that we ran in a computer that was supposelly
> infected, got infected.
Well, if you really have the virus, the above is not strange, since
the virus infects only files in the current directory and in the
directories, listed in the PATH variable.
> So, what would you think? Is it the anti-kot program or is it that this
> virus doesn't really exist? In any case, what damage can it cause?
I can't tell for sure, because I have not seen an infected program,
and I don't know the anti-kot program well. I advise you to try some
other scanners. For instance, F-Prot 2.02d calls these viruses Vienna
(Monxla-A) and Vienna (Monxla-B). SCAN 86-B calls both viruses Vienna
[VHP].
Anyway, if you are really infected, be sure to remove the infection
before March 13, since on 13th of any month this virus will damage the
files it tries to infect.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 02 Mar 92 12:23:06 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: V2P6 VIRUS (PC)
[email protected] (S. E. Grove) writes:
> One of my co-workers ran virex-pc 2.0 on his 486 and it declared that
> powermenu was infected by the virus v2p6. He doesn't beleive he has
> done anything to infect the pc, and he hasn't had it very long. The
> same program on his old pc is clean and that is where he got powermenu
> from.
It is certainly a false positive.
> Questions:
> 1) What does V2P6 do to a pc?
Basically, nothing else than spreading. However, this is a polymorphic
virus, the decryption routine and infective length of which vary a
lot, so it is extremely difficult to locate all the infected files.
Otherwise, this is a Vienna-related virus, non-resident, and infecting
only COM files in the current directory and in the directories, listed
in the PATH variable.
> 2) Is it possible that virex-pc 2.0 is in error?
It is almost certainly an error. Please report it to Microcomm (the
producers of Virex-PC) or to Ross Greenberg (the author of the
program).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Mon, 02 Mar 92 13:45:08 +0700
>From: "Mickie Person, SA" <
[email protected]>
Subject: Request for Info on Lisbon Virus (PC)
Can you please furnish any more information about the Lisbon virus
than is in the PC Tools ver 6 User's guide?
Mickie Person
------------------------------
Date: Thu, 20 Feb 92 21:06:39 +0000
>From:
[email protected] (Marilyn Francis)
Subject: False Positives with Virus Scanners (PC)
Thought I would pass on an interesting experience for those of
you who have to check out virus reports on other people's machines.
I recently got a call from a staff member who said when he
booted from his hard disk the scanners reported it infected with
the Pakistani Brain virus and said to immediately
turn off the machine until it was disinfected.
When he booted from a clean floppy as we had instructed people
to do, his scanners reported that he was clean.
I checked it out with F-Prot (which said he had the Brain) and
Scan (which said he had Invader) and VirX (which said he had
every virus! - I quit counting after 17).
Further investigation showed he is using the Central Point
Anti-Virus product and the above scanners were triggering on
the VWATCH.SYS and VSAFE.SYS files. When we removed these files
from the hard disk, all scanners reported the machine clean.
I'm not sure why these files triggered the message unless they
pick up the signatures that Central Point is using and think
it is the actual virus.
Hope it can save someone else some valuable investigative
time.
Marilyn Francis
[email protected]
Computing & Network Services programmer analyst
University of Alberta
****************************************************************
------------------------------
Date: 02 Mar 92 14:46:04 +0000
>From:
[email protected] (Maarten Meijer)
Subject: Problem with McAfee CLEAN against the FORM virus (PC)
We - at the Academic Computing Centre of Utrecht University (ACCU),
the Netherlands - have tried to remove the FORM virus from several
hard disks using McAfee's CLEAN version 8.3B86. All disks were larger
than 60 MB, formatted with DOS 5.0, some with one large partition,
others with multiple partitions (C:, D:, etc.). CLEAN always reports
removal of the [FORM] virus, but in the meanwhile it often destroys
the boot sector of partition C:, making the partition unreachable at
the next bootstrap. Although the FORM virus puts the original
bootsector at the end of the hard disk, CLEAN isn't able to find it.
(So does F-PROT 2.02D of Fridrik Skulason, but at least this program
correctly reports that it can't find the original bootsector, instead of
messing up the system).
It seems quite simple to locate the original bootsector at the very end of
the hard disk. Why then do both these programs not succeed?
- --
Maarten Meijer,
Academic Computing Centre University of Utrecht, The Netherlands.
Email:
[email protected]
------------------------------
Date: Mon, 02 Mar 92 16:45:46 +0000
>From:
[email protected] (Gary Heston)
Subject: Re: Another Michelangelo question... (PC)
[email protected] (Robert Slade) writes:
=HSVLM%
[email protected] (LARRY MATEO) writes:
=>Actually, this is a question about viruses that infect the boot sector
=>of a hard drive. If I boot a Novell network (version 2.x, 3.x) from an
=>infected disk, can the boot sector on the server become infected? If
=>so, what happens when the server is brought up? Does the virus get
=>loaded into memory where it CANNOT infect floppies, or what?
=Can we define "boot a Novell network"?
Booting the network would mean booting the server, as was implied by
the following question about "when the server is brought up". At least,
that's the way I read it.....
=If you boot a workstation from an infected disk, the workstation will
=become infected. The infection on the workstation will not "travel"
=to the server, at least not over the network.
In the case of a boot-sector infector, this is correct. In the case of
an executable infector, executables that the user has write
permissions to will most certainly get infected on the network drives.
If another user then executes one of those, their system becomes
infected. For this reason, anyone using supervisor logins or having
supervisor-equivalency can do *serious* damage to a network if they're
not careful. I scan my server daily, and every floppy I put into my
workstation, shrink-wrapped or not.
[ re: servers ]
=The possibility of infection of the network is the same as for a
=workstation.
Actually, if an infected NetWare server was able to boot, I don't
think the infection would spread. It's a totally different environment
in there; even though the BIOS calls are the same, memory is handled
in a totally different manner, and I just can't see how it would do
anything other than crash on attempting to boot. An executable
infector on a NW 3.11 server could infect everything in the DOS
partition, but couldn't get to the files in the NW volumes, or infect
workstations.
Note that I'm not going to go infect my server to test any of this,
either.... :-)
- --
Gary Heston uunet!sci34hub!gary or
[email protected] Authority? Me??
"I understand the chairman of the Senate Ethics comittee is going to examine
the check-bouncing scandal with a microscope. ...makes sense... If you're
going to look at ethics in Congress, a microscope is what you need." J. Leno
------------------------------
Date: Mon, 02 Mar 92 12:54:00 -0500
>From:
[email protected]
Subject: Michelangelo question (PC)
Does the Mich virus spread from executable files (such as the
Jerusalem B virus)? In other words, can the virus be spread through
distribution of executable files, or does it require a boot sector to
be present to spread it?
- -Garrett
------------------------------
Date: Mon, 02 Mar 92 10:13:00 -0800
>From:
[email protected]
Subject: Michelangelo (PC)
A faculty member happened to read a newspaper report about
Michelangelo which indicated the changes in memory available if
infected, and compared it to the information he had on a piece of
paper written down when he purchased his computer last summer. The
numbers matched, and in fact, his diskettes were infected. It appears
that the infection came with the computer, which was purchased from
HI-TECH USA, a clone outlet in the San Francisco Bay Area. I am
placing no blame, just circulating a warning for those who may be
unaware.
[email protected]
------------------------------
Date: Mon, 02 Mar 92 13:42:40 -0500
>From:
[email protected] (Jeffrey Johnson)
Subject: Fprot 2.20d and Novell (PC)
When I try to run Fprot 2.02d from a PS/2 model 50 running off a
Novell 3.11 network it comes up and says i have a boot-secotr virus. I
have run F-prot 2.02d and Scan86b on the machine and nothing shows up.
This happens on all of our 60 PS/2 running IBM Dos v3.30. VIRSTOP
gets loaded after the machine logs onto the network. The only TSR's
that are loaded on the machine are IPX and XMSNET3 network drivers.
Is anyone having any problems like this? I have scanned the machines
over and over again and no virus shows up. Any help appreciated!!!!!!!
___
___....-----'---`-----....___
=======================================
___`---..._______...---'___
(___) _|_|_|_ (___)
\\____.-'_.---._`-.____//
~~~~`.__`---'__.'~~~~
~~~~~
Jeff Johnson
LAN Administrator
Georgia State University
(404)651-2686
(404)651-2013 FAX
------------------------------
Date: Mon, 02 Mar 92 00:11:11 -0500
>From: Michael Purcell <
[email protected]>
Subject: Manufacturing of software (GENERAL)
I was looking in the Virus-L archives in Jan. 1990 (v3i12) and read
the discussions then concerning shrink-wrapped software. I've also
seen the recent reports of software distributors shipping their
product infected with the Michelangelo virus.
Can anyone respond to (a) How do software publishers tend to produce
the physical disks -- in house or by contract to another business, (b)
How is this software copied to the disks (xx thousands of copies), and
(c) How often and what type of quality checks are being performed?
I'm sure that there are as many variations as there are companies,
but I'm wondering what the normal practice is. Personally, I never
trust any software with regards to viruses irregardless of the source.
But it is frustrating to hear of these reports of Michelangelo being
distributed via commercial software. Maybe it is time for the lawyers
to test the laws concerning merchantability.
- -=Michael Purcell=-
[email protected]
[email protected]
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 51]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
