Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA09432; Tue, 9 Mar 1993 14:25:48 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA28466
(5.67a/IDA-1.5 for <[email protected]>); Tue, 9 Mar 1993 08:03:47 -0500
Date: Tue, 9 Mar 1993 08:03:47 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #42
Status: RO
VIRUS-L Digest Tuesday, 9 Mar 1993 Volume 6 : Issue 42
Today's Topics:
circumspect
Product reviews in magazines
Unix, viruses and you (UNIX)
Typo in VSHIELD 102 values, Questions about -AV (PC)
Re: Virus Development Programs (PC)
Re: Virus Development Programs (PC)
Re: wordperfect virus? (PC)
scanners. (PC)
EXE/COM switch (PC)
Scanners and Compressed Disk Boot Sectors (PC)
Re: scanners. (PC)
Re: standardization (PC)
Executable signatures (PC)
Malta Amoeba: What is it and what does it do? (PC)
Re: wordperfect virus? (PC)
256 copies of FAT in root directory may be a bug in DOS 5.0 (PC)
Re: DBase virus (PC)
Re: Effect of Form (PC)
Re: Michelangelo (PC)
Re: Mutating Engine concerns (PC)
Naming system (PC)
my idea (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk,
[email protected]
----------------------------------------------------------------------
Date: Sat, 06 Mar 93 00:43:43 -0500
From: [email protected] (Bill Lambdin)
Subject: circumspect
[email protected] (Donald G Peters) writes:
I think people who know the details of how viruses work have
plenty of reasons to be cautious -- anti-virus "experts"
with no commercial interests to protect, who have no "trade
secrets" seem equally circumspect. Anyone who maintains
- --
I am not one of the virus experts, but I try not to reveal too much
information.
I have no vested interest in any of the companies that write
anti-viral software.
My name was plastered in the underground newsletter 40HEX. All I did
to get this dishonor was post a few comments on virus conferences.
So I know for a fact that the bad guys are reading these virus
conferences and they do gain an advantage when we virus researchers
divulge a little too much information.
If someone says that xx xx xx xx xx xx xx xx xx xx is a signature for
the XYZ virus, the hackers will know exactly which bytes to change so
that scanners will miss the new variants that they create.
If I said "most viruses use DOS calls through INT xx, and usually use
the xx or xx registers," this is not revealing destructive code, but it
is helping the hackers that may not be able to program 2+2.
Bill Lambdin
- ---
* WinQwk 2.0 a#383 * 1554 activates Oct 1 - Dec 31
- ----
+----------------------------------------------------------------------+
+ The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online +
+ It takes only 11 seconds to get loaded on the French Connection! +
+----------------------------------------------------------------------+
------------------------------
Date: Mon, 08 Mar 93 10:03:09 -0500
From: [email protected] (Fred Cohen)
Subject: Product reviews in magazines
When will you guys figure out that the PC magazine reviews of
antivirus products favored those who spend a lot of money advertising?
These magazines don't want to offend their advertisers, they exist to
help the advertisers sell more product. Just look at the things they
advocate, and how can you believe anything else?
------------------------------
Date: Fri, 05 Mar 93 16:39:11 -0500
From: [email protected] (Paul Ferguson)
Subject: Unix, viruses and you (UNIX)
This text was extracted from RISKS DIGEST 14.37 -
8<--------- Cut Here ---------------------
Date: Wed, 3 Mar 93 14:16:47 EST
From: [email protected] (Pete Radatti)
Subject: Cohen/Radatti on Unix and Viruses
The widely circulated paper by J. David Thompson entitled "Why Unix is
Immune to Computer Viruses" has been attracting controversy. Due to
this controversy and the concern that this paper may be providing a
false sense of security to the Unix community, Doctor Fredrick B.
Cohen and Peter V. Radatti have published refuting papers. These
papers are too long to post here, however they are available upon
request. Make your request by fax, email or post and copies can be
returned by fax or post. Email copies are not available.
Address post to:
Peter V. Radatti, C/O CyberSoft, 210 West 12th Avenue
Conshohocken, PA. 19428 USA
FAX requests to: +1 (215) 825-6785
Email requests to: [email protected]
Thank You, Peter V. Radatti
8<--------- Cut Here ---------------------
Cheers.
Paul Ferguson |
Network Integration Consultant | "All of life's answers are
Alexandria, Virginia USA | on TV."
[email protected] (Internet) | -- Homer Simpson
sytex.com!fergp (UUNet) |
1:109/229 (FidoNet) |
PGP public encryption key available upon request.
------------------------------
Date: Mon, 08 Mar 93 18:25:19 -0800
From: [email protected] (McAfee Associates)
Subject: Typo in VSHIELD 102 values, Questions about -AV (PC)
It has come to my attention that there is a typo in the VALIDATE values
listed in my posting announcing VSHIELD Version 5.22V102. The correct
VALIDATE values for the program are as follows:
VSHIELD 5.22V102 (VSHIELD.EXE) S:45,724 D:02-27-93 M1: 06EB M2: 066C
My apologies for any confusion.
- - -------
On a semi-related note, I have received several messages asking why no
Authenticity Verification codes were displayed when the various McAfee
programs were downloaded from ftp sites and then unzipped. The reason
is that the programs were zipped with PKZIP Version 1.10, and the only
time they will display the -AV message is when they are unzipped with
PKUNZIP Version 1.10, specifically, the "U.S. only" version of PKUNZIP
which is not available at WSMR-SIMTEL20.ARMY.MIL, but may be available
at other ftp sites outside the U.S. If you are using PKUNZIP Version 2.04
to unzip the programs, you will not see the -AV message.
Regards,
Aryeh Goretsky
Technical Support
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: [email protected]
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA | USR HST Courier DS | or GO MCAFEE
------------------------------
Date: Sat, 06 Mar 93 20:43:50 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Virus Development Programs (PC)
[email protected] (Paul Kerchen) writes:
> features of the PS-MPC include the following:
> - Over 150 encryption techniques, randomly generated during
> each run of the PS-MPC
This is actually a mistake of the author of the program. The number of
really different decryptors is 96, I think... However, there are two
different versions of PS-MPC.
> - Compact, commented code, much tighter than VCL
Uh, "less buggy" is probably a better description. I mean, the viruses
created with PS-MPC often work...
> VCL comes encrypted in a
> zip file that requires a password to unzip it. The 'bad guys' want to
> keep this toy to themselves.
Actually, the ZIP archive is encrypted with a password and the
installation program asks for another password, before unarchiving the
file. However, it is relatively trivial to hack both passwords out of
the installation program...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Sat, 06 Mar 93 20:50:42 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Virus Development Programs (PC)
[email protected] (John H. Kahrs) writes:
> I doubt that these programs are a threat at all.
Well, there are some threats. First, since those programs are
available, the anti-virus researchers must work to provide protection
from the viruses created with them. Second, it is possible for someone
to just sit down and create hundreds of viruses with those kits, which
means that the scanners and their developers will have a hard
time... Fortunately, the authors of those virus authoring packages
have not been very good in implementing polymorphism, so it is
relatively easy to make a scanner that detects any virus generated by
those programs. Finally, the third danger is that the viruses are
generated in source - so that people could modify them easily, e.g. in
order to make them not detected by the currently existing scanners...
> The people
> that know anything about coding viruses will never use them and the
> hateful people that just want to make a virus for malicious reasons
> aren't connected to the community that makes the virus construction
> kits available.
Problem is, because those kits have been made available on many
underground virus exchange BBSes, many of those "hateful" people can
easily obtain a copy of them... :-(
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Sun, 07 Mar 93 02:22:17 +0000
From: [email protected] (Robert Slade)
Subject: Re: wordperfect virus? (PC)
[email protected] (Gerry Santoro - CAC/PSU 814-863-7896) writes:
>After scanning the past year's worth of VIRUS-L offerings I've seen
>this question asked before, but with no reply. Since it has now hit
>at my institution I will ask it again in the hopes that someone knows
>what is happening.
"This question"? Your Subject line seems to ask about a "Word
Perfect" virus. There was a postulation, around 1988 and 89, that a
virus had specifically targeted the Word Perfect program. This was
later found to be false: an artifact of the fact that the WP.EXE file
sometimes stopped working after it had been infected. This was thus
often the first indication of a virus infection which was not being
detected by other means.
>A number of our lab machines are exhibiting very strange WordPerfect
>behavior. For example, very small user documents are growing to
>extremely large size, until they fill up available disk space. Scans
>with F-PROT do not identify any known virus.
Document files are data, and, while they are sometimes attacked by a
virus, tend not to be the primary targets. (The existence of "macro"
viral programs has been theorized, and Word Perfect does have a macro
capability, but Word Perfect, unlike other macro capable programs,
does not store macros in the data/document files.)
In order to advise in this matter, we need more information. Have you
examined the large files? One possibility is that files are being
repeatedly "called" into the document, thus increasing the size.
>Can anyone clue me into what is happening? In all cases the version
>of WP5.1 is being run from a read-only volume of a Banyan network
>server.
This isn't particularly helpful, other than indicating that the
problem you have is not likely viral.
>Any info would be greatly appreciated!
We, also, would appreciate more specific information.
==============
Vancouver       [email protected]  | "virtual information"
Institute for   [email protected]  |  - technical description of
Research into   [email protected]  |    marketing info disguised
User            [email protected]  |    as technical description
Security        Canada V7K 2G6       |  - Greg Rose
------------------------------
Date: Wed, 03 Mar 93 09:18:05 +0100
From: [email protected] (Malte Eppert)
Subject: scanners. (PC)
Hi Inbar!
> Making CRC checks from a BOOTING FLOPPY will also catch ANY
> virus, provided it hasn't infected your floppy yet.
Sorry, it won't. It will catch any modification, that's true. But if you get
infected with a slow virus, the user just would regard the change as
legitimate. Then, Vesselin introduced the idea of a DOS file fragmentation
attack. You could not detect that with a file-oriented CRC checker, too.
> A friend of mine once wrote an 80byte routine to unload Carmel's
> TSafe. I believe that after a little research, I could unload
> almost anything.
Unloading is a problem if the TSR is not the last one in the TSR chain.
Disabling would be more "efficient", as the user could not recognize any
memory freed up.
How do you get your system straight if you remove a TSR out of the middle of
the chain - is there a method?
cu!
eppi
- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)
------------------------------
Date: Thu, 04 Mar 93 12:19:00 +0100
From: [email protected] (Amir Netiv)
Subject: EXE/COM switch (PC)
[email protected] (Fabio Esquivel) writes:
> Sometime ago I wrote a program that changes the
> executable filename's
> extensios (EXE & COM) to another user-given
> extensions.
.....
> to see if file infector viruses could infect those files
> too (those with the new extension).
> I had to modify COMMAND.COM as well internally in order to allow it
> Anyway, the experiment failed and the file infector viruses (DIR-II,
> Dark Avenger, Lisbon (Vienna), Sunday and others) did infect the files.
> I think there's no way of fooling file infector viruses, is there?
Yes, there are ways but not in the way of changing names. However the reason
that your experience has failed is that most viruses use DOS functions to find
their victims, for example chaining to Interrupt 21h and looking for service
4bh (execute file) is a common way of doing it. So you see: what you did has
no implication on that way of infecting since the virus will absorb its
information from the DOS function "exec" regardless of the file's name :-))
Keep on trying, you might get there in the end...
Regards
* Amir Netiv. V-CARE Anti Virus, head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Thu, 04 Mar 93 12:36:00 +0100
From: [email protected] (Amir Netiv)
Subject: Scanners and Compressed Disk Boot Sectors (PC)
[email protected] (A. Padgett Peterson) writes:
> Recently there has been some discussion concerning a
> problem with scanning compressed drives for viruses and constantly getting
> a flag that the "boot sector has changed".
> Actually, this is an indication of a much more serious
> problem that A-V producers should address immediately:
> The problem indicates that the A-V product *thinks* it
> is checking the real OS boot sector when in reality it is checking the
> swapped compressed drive "boot sector". To me this means that a) the
> real boot sector is *not* being checked, and b) the A-V is relying
> on DOS Interrupt 25 to read the sector rather than Interrupt 13
Who told you so? It is quite foolish to read a boot sector with INT 25; I
don't know of many programs that do so!
> (or a direct BIOS call - better). The important thing is that while
> DOS since the early 3's has provided a means to validate
> /bypass Interrupt 13, there is no way to validate Interrupt 25.
> With the rise of companion and stealth viruses, to be
> sure in checking the low levels you must first authenticate the path to
> disk
How exactly do you do that? If a virus has been loaded and is chained to INT
13h, so that when you look for Sector-X Cyl-Y Head-Z it will replace it with
another location and you will never know !
> (it can be done even from DOS), and then walk the boot procedure
> to make sure that there are no "extra added attractions". This does
> not take any longer to do than using DOS (in fact is probably a few
> cycles shorter) and eliminates a possible intrusion path.
Any way that you might point out as the total solution to the problem, I can
show a hole that viruses (naturally) may (or already do) use.
> As a consequence, the fact that the A-V is checking the STACed drive boot
> sector means more than just an error is being flagged each time, it would
> make me concerned that the real boot sector may be skipped.
Not necessarily so, but quite likely. As for myself, I do not recommend using
these double-diskers, since the problem that you mentioned (and viral problems
in whole) is only a small portion of possible problems to happen. And
believe me - you don't want to be the owner of a disk when it crashes.
It reminds me of the EXPANDED memory cards that people used to buy once, and
got stuck with immediately since EXTENDED memory has emerged. Get a bigger
(faster) and reliable disk.
Regards
* Amir Netiv. V-CARE Anti Virus, head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: 05 Mar 93 20:06:34 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: scanners. (PC)
[email protected] (Inbar Raz) writes:
>I was categorizing scanners. About defending against NEW viruses, there are a
>lot of ways. For example, a protective shield that is mounted on a file. True,
>it's effective only against the normal end-of-file-leaching viruses, but still,
>a lot of them DO work like that, including the new ones.
well, it might work...
...unless the virus is a "stealth" virus
...or the program does some self-testing
...or the program contains internal overlays
>Making CRC checks from a BOOTING FLOPPY will also catch ANY virus,
unless it is a floppy-only infector, or a companion virus, or an unknown
"slow" virus.
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801
------------------------------
Date: 05 Mar 93 21:30:47 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: standardization (PC)
[email protected] (Amir Netiv) writes:
>I would differentiate the interests of Virus researchers from this of
>the common user. You would very much like to have a scanner that
>supplies the NAME the full CHAIN of parental viruses and sub viruses
>etc... while the common user's only wish would be to know what disease
>he has, and get cured!
Maybe so - but telling somebody that he has a "Generic-X" virus, to take an
extreme example - where "Generic-X" can be one of many, totally different
viruses is of very little help to the user. I agree that it may not be
important to know exactly which minor subvariant of Jerusalem hits, if
the software can get rid of it, and tell you what the effects are, but
suppose that somebody took the "standard" version of Jerusalem, modified
it so it corrupted data files, and released it - I think most users would
like their scanners to be able to differentiate between this variant and the
standard one...
>Suppose you tell a user: "You have the
>Parkinson.AtzeliCholine.Flue disease" (not that such exists), what do
>you think his/her reaction will be?
In that case he has at least a better chance of getting the correct treatment,
than if you tell him: "you have a generic disease".
>the virus exist that you don't even know about? Does it cause any problem in
>cleaning these viruses from an infected site even if their name is simply "
>Jerusalem-B" ?
the actual name is not significant, with respect to cleaning
- what matters is the ability of the anti-virus
software to distinguish between variants that must be removed in different
ways or have different effects - something you cannot do if you call all
the Jerusalem variants just "Jerusalem-B"
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801
------------------------------
Date: 03 Mar 93 00:37:31 +0000
From: [email protected] ( )
Subject: Executable signatures (PC)
To check for an executable file a virus will read in the appropriate bytes
and check to see if it is "MZ".
Why do some viruses check for "ZM"? What kind of file does this denote?
- --
Vahid
[email protected]
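An added example, not code from the digest or from any of its posters, tying together two points in this issue: Amir Netiv's observation above that a file infector hooking the DOS exec call sees a program regardless of its extension, and the "MZ"/"ZM" question here. DOS's own loader makes the same decision from the first two bytes, accepting either byte order of the signature, and the MZ header states how large the load image is, so a defender can identify a file's real type and measure anything appended beyond the declared image. The sample images below are constructed for the demonstration, and helper names such as parse_mz_header and build_sample_exe are this example's own.

```python
"""Identify DOS executables by header rather than by extension (added
example; the sample images are constructed, not real programs)."""
import struct
from typing import Optional, Dict

# The DOS EXEC loader accepts either byte order of the Mark Zbikowski
# signature, so a file-type check must test for both.
MZ_SIGNATURES = (b"MZ", b"ZM")
PAGE_SIZE = 512      # MZ image sizes are counted in 512-byte pages
PARAGRAPH = 16       # header size is counted in 16-byte paragraphs


def parse_mz_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return the fixed part of the MZ header as a dict, or None if absent."""
    if len(data) < 28 or data[:2] not in MZ_SIGNATURES:
        return None
    (e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
     e_csum, e_ip, e_cs, e_lfarlc, e_ovno) = struct.unpack_from("<13H", data, 2)
    # Bytes DOS will read as the image: whole pages, minus the unused part
    # of the last page when e_cblp (bytes on last page) is non-zero.
    image_size = e_cp * PAGE_SIZE
    if e_cblp:
        image_size -= PAGE_SIZE - e_cblp
    return {
        "signature": data[:2].decode("ascii"),
        "header_bytes": e_cparhdr * PARAGRAPH,
        "image_size": image_size,
        "entry_cs_ip": (e_cs, e_ip),
        "initial_ss_sp": (e_ss, e_sp),
        "relocations": e_crlc,
        "reloc_table_offset": e_lfarlc,
        "overlay_number": e_ovno,
    }


def classify(data: bytes) -> str:
    """Classify as the loader does: an MZ/ZM header means EXE; anything
    else is loaded as a flat COM image, whatever the file is named."""
    return "EXE" if parse_mz_header(data) else "COM"


def trailing_bytes(data: bytes) -> int:
    """Bytes present beyond the image the MZ header declares. Overlays
    legitimately live there, but growth of this value between two checks
    of the same file is the kind of change an integrity check should flag."""
    hdr = parse_mz_header(data)
    if hdr is None:
        return 0
    return max(0, len(data) - int(hdr["image_size"]))


def build_sample_exe(signature: bytes, body: bytes) -> bytes:
    """Constructed sample: a minimal 32-byte MZ header plus an arbitrary
    body. It only exercises the parser and is not meant to execute."""
    header_len = 32
    total = header_len + len(body)
    e_cp = (total + PAGE_SIZE - 1) // PAGE_SIZE   # pages, rounded up
    e_cblp = total % PAGE_SIZE                     # bytes used on last page
    fields = struct.pack("<13H", e_cblp, e_cp, 0, header_len // PARAGRAPH,
                         0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    return (signature + fields).ljust(header_len, b"\0") + body


if __name__ == "__main__":
    exe = build_sample_exe(b"MZ", b"\x90" * 100)
    print(classify(exe), parse_mz_header(exe)["image_size"], trailing_bytes(exe))
    print(classify(build_sample_exe(b"ZM", b"\x90" * 100)))
    print(classify(b"\xb8\x00\x4c\xcd\x21"), trailing_bytes(exe + b"X" * 40))
```

Because the decision rests on the header and not on the name, the renaming experiment in Fabio Esquivel's post cannot change what either DOS or an infector that rides the exec call sees; the same parser, applied to a file before and after, is what does tell you whether its declared image and its actual length still agree.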
------------------------------
Date: Sun, 07 Mar 93 21:45:07 +0000
From: [email protected] (Scott Nafziger)
Subject: Malta Amoeba: What is it and what does it do? (PC)
I heard of a virus called the Malta Amoeba. I was wondering what does
it do. How does it affect floppies, hard drives, and/or networks. Also, is
there any way to detect if someone has this virus without virus scanning
software? Any information will be greatly appreciated.
- --
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
< Scott Nafziger >
< Sangamon State University >
< Internet: [email protected] >
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
------------------------------
Date: Mon, 08 Mar 93 08:50:06 +0000
From: [email protected] (John Kroeze)
Subject: Re: wordperfect virus? (PC)
[email protected] (Rawlin Blake) writes:
>[email protected] (Gerry Santoro - CAC/PSU 814-863-7896) writes:
>>After scanning the past years worth of VIRUS-L offerings I've seen
>>this question asked before, but with no reply. Since it has now hit
>>at my institution I will ask it again in the hopes that someone knows
>>what is happening.
>>
>>A number of our lab machines are exhibiting very strange WordPerfect
>>behavior. For example, very small user documents are growing to
>>extremely large size, until they fill up available disk space. Scans
>>with F-PROT do not identify any known virus.
>>
>>Can anyone clue me into what is happening? In all cases the version
>>of WP5.1 is being run from a read-only volume of a Banyan network
>>server.
>This one is easy, I see it all the time.
>The users are doing one of two things-- using shift-F10 and continually
>retrieving the file within itself, or are doing the same thing in F5 list
>files by ignoring the prompt "retrieve into current document?"
>This is another example of what I teach in my classes and seminars. 99% of
>all virus reports are: 1. user error 2. software problems 3. hardware
>problems.
It might not be that easy:
I had my thesis blown up from 200 Kb to 500 Kb during one day of work.
After some examination I found out that the overhead had to be invisible
codes WP saves with the document. I could create documents of abt. 300 kb
containing a single space! I got the impression this all was caused by some
ugly editing: moving subtrees a level up in the document hierarchy.
I suggest you ask WP-people about it.
John.
- -----------------------------------------------------------
John Kroeze Internet: [email protected]
University of Nijmegen, UUCP:uunet!cs.kun.nl!johnk
- -----------------------------------------------------------
------------------------------
Date: Mon, 08 Mar 93 09:38:59 -0500
From: [email protected]
Subject: 256 copies of FAT in root directory may be a bug in DOS 5.0 (PC)
I just received this email message:-
To: A.APPLEYARD, (etc)
From: "CHRIS HOLBURN" <[email protected]>
Date: 8 Mar 93 12:02:20 GMT
Subject: * MS-DOS BUG *
**** IMPORTANT FYI ******
People, There is a potentially dangerous bug in MS-DOS 5.0. The bug will
effectively wipe part of your hard disc, rendering it unusable to any program.
The bug only affects certain disk setups: Those with partitions with more than
65,278 file allocation units. This translates to disks with capacities between
127Mb and 129Mb, 254Mb and 258Mb, 508Mb and 516Mb, 1,018Mb and 1,030Mb, and
2,034 and 2,061Mb. The problem only occurs when you use the
UNDELETE /ALL
CHKDSK /F
The /F and /ALL switches activate the fix options, to alter errors in the
file allocation table, and recover lost units. When CHKDSK or UNDELETE are run
they write 256 copies of the FAT table all over the root directory, making
data recovery almost impossible. ** PLEASE use Norton Disk Doctor to solve FAT
tables. ** CHRIS HOLBURN
[Moderator's note: This was also covered in detail here in December 1992.]
------------------------------
Date: Mon, 08 Mar 93 15:37:44 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: DBase virus (PC)
[email protected] (Kennelmeister) writes:
> How widespread is the DBase virus?
Not at all...
> I've just run across it in an MS-DOS system I was checking.
> Apparently it may have been on their machines for up to a year...
Are you sure that it is not a false positive? How many files were
infected? Which scanner did you use? Which version of it?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 08 Mar 93 15:39:30 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Effect of Form (PC)
[email protected] (Pontus Berglund) writes:
> >> This brings me to my next qestion: I it possible to obtain a file
> >> somewhere giving a brief description of the action of various vira. I
> >
> > How about 300K of ZIP ? :-)
> Where do I get this file?
Eugene Kaspersky probably means the documentation of his anti-virus
product. If he is willing to make that file publicly available, I
could put it for anonymous ftp (he doesn't have ftp access).
The file contains a good technical description of many viruses, with a
slight bias towards the Russian viruses (which is understandable). The
only thing I didn't like was the abuse of the term "very dangerous
virus" - even for viruses that are not intentionally destructive, like
Form... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 08 Mar 93 15:44:15 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Michelangelo (PC)
[email protected] (Christer Nilsson) writes:
> A friend of mine couldn't boot his computer today (6:th of March).
> Could it be the Michelangelo Virus? An inspection of the first sectors of
> the disk showed that they were completely blank. Does Michelangelo behave
> in that way? The partition of the drive was wiped away. How does one recover
> the information on the disk?
Yes, this is exactly what Michelangelo does. It overwrites the first
255 tracks of the disk with what happens to be at segment 5000h -
usually zeroes. Take a look at some tracks after track 255 - if there
are no zeroes there but some information, it is yet another
confirmation that the Michelangelo virus has caused the destruction.
BTW, I am very curious how many Michelangelo hits have happened this
year...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 08 Mar 93 16:04:38 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Mutating Engine concerns (PC)
[email protected] (Charles Dobbins) writes:
> I am curious if any of the experts out there can help me out here. I am
> concerned about the possibility of getting hit with one of these with our
> current level of protection, we are installing NAV 2.1 after using Certus
> for some time with constant problems with virus infections. A big concern
> for us is memory at the workstation since we are running Lanman 2.1 there
> isn't room for some of the larger TSR's that seem to offer better protection
> against unknown virus technology. At this point we cannot consider a
> different antivirus product at the workstation due to the fact that money
> has already been spent on NAV so what I am concerned about is what sort of
First, no MtE-based virus is spread in the wild, so maybe you should
not be that much concerned about that particular problem. Second, I am
sorry to disappoint you, but NAV 2.1 is NOT able to detect the
MtE-based viruses reliably. For more information, look at the report
on testing 17 different scanners for detection of MtE-based viruses.
The report is available via anonymous ftp as
ftp.informatik.uni-hamburg.de:/pub/virus/texts/tests/mtetests.zip
Third, if you are concerned only about the inability of NAV to detect
the MtE-based viruses, there are several freeware programs that -do-
detect those viruses reliably. One of them can be obtained from our
ftp site:
ftp.informatik.uni-hamburg.de:/pub/virus/progs/catchm18.zip
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Sat, 06 Mar 93 00:45:16 -0500
From: [email protected] (Bill Lambdin)
Subject: Naming system (PC)
That's a very good idea, but it is damn difficult to implement...
- --
I never said that it would be easy. ;-)
First, somebody has to come up with a good naming scheme. But what is
a "good" naming scheme? For instance, for me, a good naming scheme is
a scheme that allows two people to understand each other that they are
- --
I would prefer the CARO naming system. I like the naming system, and
everything is up to date.
So, your idea is good. The only problem is to get an easy
implementation of it...
- --
Thanks Vesselin:
I just hope that some coherent naming system can be developed to prevent
the habit of having four different names for the same virus.
Bill Lambdin
- ---
* WinQwk 2.0 a#383 * DATACRIME IIB activates Oct 13 - Dec 31
- ----
+----------------------------------------------------------------------+
+ The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online +
+ It takes only 11 seconds to get loaded on the French Connection! +
+----------------------------------------------------------------------+
------------------------------
Date: Sat, 06 Mar 93 00:45:49 -0500
From: [email protected] (Bill Lambdin)
Subject: my idea (PC)
From: [email protected] (Vesselin Bontchev)
And DataLock does not infect a COM file smaller than 23,000 bytes. And
- --
Thanks for the update. I guess I will have to make a 23K bait file then.
;-)
I incorrectly assumed that 8Tunes required the largest bait file; my
apologies.
some viruses infect only some special files (Lehigh infects only
COMMAND.COM, ZeroHunter infects only files with large areas of zeroes
in them, some viruses do not infect files with some particular names,
etc.
- --
I was aware of Zero Hunt only infecting files with areas of 00 hex.
Usually data or buffer areas. This is how Zero Hunt can infect files,
but not show an increase in the filesize.
I was also aware that Lehigh only infected COMMAND.COM
Uh, what do you mean by "file size fluctuates"?
- --
In my tests, with ARJ 2.30. The new archive filesize would occasionally
be 2 - 10 bytes larger or smaller than the original archive that I was
comparing it against.
There was no virus present, and in the time I tested this idea with ARJ, I
wasn't able to find out what was causing the difference.
LHA, and PKzip archives remain constant day after day after day.
And what if the virus refuses to infect files with such names?
- --
My writing must be a lot worse than I thought it was. ;-(
I never meant to imply that my idea was the perfect solution to detect
viruses.
It is only an idea that will detect viruses that scanners may miss, or an
early warning system for people that use integrity checking software.
Most people believe that Virus detection = Scanners.
Integrity Checking if used properly will detect all changes, but some
people believe it is too painful to use. ;-)
In general, the idea is equivalent to checking the integrity of a
small subset of your executables.
- --
Exactly! As I said above some people feel that integrity checking software
is too painful to use. They can set up this .BAT file and painlessly check
for change to their vital files in only a few seconds.
It only takes 4.5 to 5 seconds (on my 33 MHZ 486) to check the six files
that I access constantly. These are more likely to get infected than any
of the other files on my system.
Bill Lambdin
- ---
* WinQwk 2.0 a#383 * Hacked version of BiModem. 1.26
- ----
+----------------------------------------------------------------------+
+ The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online +
+ It takes only 11 seconds to get loaded on the French Connection! +
+----------------------------------------------------------------------+
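An added example, not a program from the digest or from any of its posters, that does what Bill Lambdin's .BAT-file idea above describes and what Malte Eppert's reply about CRC checks from a booting floppy assumes: record the size, timestamp and checksum of a small set of vital files once, then re-check them in seconds and report anything that differs. It stores both a CRC-32 and a SHA-256 (the second is this example's addition; a CRC only catches accidental or unsophisticated changes). All paths and file contents are constructed inside demo() in a temporary directory; names such as fingerprint, make_baseline and check are this example's own.

```python
"""Baseline-and-compare integrity check for a chosen set of files
(added example; sample files are constructed in a temporary directory)."""
import hashlib
import json
import os
import tempfile
import zlib
from typing import Dict, Iterable


def fingerprint(path: str) -> Dict[str, object]:
    """Size, whole-second mtime, CRC-32 and SHA-256 of one file."""
    st = os.stat(path)
    crc = 0
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "crc32": f"{crc & 0xFFFFFFFF:08X}", "sha256": digest.hexdigest()}


def make_baseline(paths: Iterable[str], baseline_file: str) -> Dict[str, Dict[str, object]]:
    """Record fingerprints for every path; this is the trusted reference,
    so it belongs on write-protected media (the booting floppy of the post)."""
    baseline = {p: fingerprint(p) for p in paths}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f, indent=1)
    return baseline


def check(baseline_file: str) -> Dict[str, str]:
    """Compare every recorded file against its baseline entry.
    OK      - identical content and timestamp
    TOUCHED - identical content, timestamp moved (worth noting, not alarming)
    CHANGED - content differs (size and/or hash): the case a file infector causes
    MISSING - file no longer present"""
    with open(baseline_file) as f:
        baseline = json.load(f)
    report: Dict[str, str] = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
            continue
        new = fingerprint(path)
        if new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report[path] = "CHANGED"
        elif new["mtime"] != old["mtime"]:
            report[path] = "TOUCHED"
        else:
            report[path] = "OK"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: three 'vital' files are baselined, then one
    grows by a few appended bytes and one disappears before the re-check."""
    tmp = tempfile.mkdtemp()
    vital = {"COMMAND.COM": b"constructed sample 1",
             "WP.EXE": b"constructed sample 2",
             "SCAN.EXE": b"constructed sample 3"}
    paths = []
    for name, content in vital.items():
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    baseline_file = os.path.join(tmp, "baseline.json")
    make_baseline(paths, baseline_file)
    with open(paths[1], "ab") as f:      # simulate bytes appended to WP.EXE
        f.write(b"\x90" * 16)
    os.remove(paths[2])                  # simulate SCAN.EXE going missing
    return {os.path.basename(p): s for p, s in check(baseline_file).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

The limitation both posters point at is visible in the design: check() reports that a file changed, not why. When the user accepts a change by re-running make_baseline after an upgrade, a slow infector that waited for exactly that moment is baselined along with it, which is why the reference copy should be built from known-good media and why "CHANGED" on a file nobody updated deserves a scan rather than a shrug.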
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 42]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253