From lehigh.edu!virus-l  Mon Apr  1 03:29:10 1993 remote from vhc
Received: by vhc.se (1.65/waf)
       via UUCP; Mon, 29 Mar 93 16:47:39 GMT
       for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
       id AA04370; Mon, 29 Mar 1993 16:41:31 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA45440
 (5.67a/IDA-1.5 for <[email protected]>); Mon, 29 Mar 1993 08:29:10 -0500
Date: Mon, 29 Mar 1993 08:29:10 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #51

VIRUS-L Digest   Monday, 29 Mar 1993    Volume 6 : Issue 51

Today's Topics:

Telephones #s for BBS
Re: Beneficial/Non-destructive viruses
Re: Laws and Viruses
Re: Memoirs of an (untrustworthy) virus researcher (CVP)
Re: Amiga viruses (Amiga)
Anti virus for Novell Networks... (Novell)
Disgust at the lack of interest in Atari Viruses (Atari)
Re: EXE/COM switch (PC)
Finish of EXE/COM discussion (I hope) (PC)
How to remove Lao Dong virus? (was: cluster pc 5)
Infecting from floppy (PC)
Re: Swap virus(PC)
Re: Virus signature determination. (PC)
Re: EXE/COM switch (PC)
Re: Catch from DIR? (PC)
Re: Catch from DIR? (PC)
Re[2]: Removing virus on stack drive (PC)
Re:Virus that infects (PC)
Virsig (PC)
HELP: Harddisk deteriorating rapidly (PC)
Re: [Stoned] (PC)
Pc-Tools 8.0 (Pc)
Ignorance is still curable (PC)
Re: IBM PC Boot Seq (was Partition table viruses (PC))
Re: Catch from DIR? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to [email protected].  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk, [email protected]

----------------------------------------------------------------------

Date:    26 Mar 93 12:28:49 +0000
From:    [email protected] (Marc Poole)
Subject: Telephones #s for BBS


 I'm looking for telephone numbers to call BBSs for anti-virus
 information.  I have site addresses that I can trade in return.
 However, ftp and telnet take a very long time to connect.  If anyone
 has a direct number to systems that allow modem dial-in it would be
 greatly appreciated.

 Marc Poole
 [email protected]



------------------------------

Date:    Fri, 26 Mar 93 14:14:43 +0000
From:    [email protected] (Albert Lunde)
Subject: Re: Beneficial/Non-destructive viruses

[email protected] (Christopher J Burian) writes:
>       Requesting help on beneficial/non-destructive viruses used
>as tools.  I've read a very little bit about viruses generated for a
>specific task that disappear into a network; carry out their intended
>function (send data back to user, etc); then "retire" themselves.

This is an idea that gets floated around from time to time, but I
know of no reliable real-world applications.

I think there is evidence of viruses that may have been written to
attack/replace other viruses (one of the strains of nVIR on the
Mac *might* fit this description).  But in practice these have
just become problems in their own right.

The main problems in writing a truly non-destructive virus
are:

 1) The wide variety of environments on various computers
    causing unexpected bugs and software interactions.

 2) The greater likelihood of doing damage when trying to
    operate "behind the back" of the human operator and/or
    the operating system and/or anti-virus software.

 3) The unwillingness of people to beta-test viruses ;)

It is my personal opinion that anything that can be done by
a "beneficial" virus can be done more reliably by other software
means.

(I am not using the most general definition of a "virus" here -- I
don't consider DISKCOPY to be a virus, for example, and I concede
that if an operating system provided support services for spawning
processes in, say, a distributed computing system they might behave
in a virus-like way while remaining reliable and controlled.)

- --
   Albert Lunde                      [email protected]

------------------------------

Date:    Fri, 26 Mar 93 10:24:23 -0500
From:    Fritz Schneider <[email protected]>
Subject: Re: Laws and Viruses

In VIRUS-L Digest V6 #48, Vesselin Bontchev wrote:

>> Hold on.  I think you may have something here.  Since when has
>> legal terminology been required to match up with common usage?
>> Perhaps "malicious software" is just what we need to define as
>> a legal term.  Especially since the definition of virus is so
>> mutable....
>
>Indeed, this is the better term to use. It can be associated easily to
>"intentional damage" and does not state that "virus" is something
>necessarily malicious, definition problems aside...

Unfortunately it will always be difficult to prove intent, so "intentional
damage" would make it difficult to apply such a law. We must also
recognize that much of the damage which viruses create is due to
incompetence rather than intentional malice. Many of today's viruses
damage a file by incorrect infection algorithms, or make a disk
unbootable by misplacing the original boot sector.

The key concept has to be unauthorized changes which cause harm
whether intentional or unintentional. The difficulty is in differentiating
malicious software that is poorly written from legitimate software that
is also poorly written.

Regards,
Fritz.



------------------------------

Date:    26 Mar 93 15:05:42 +0000
From:    [email protected] (Paul Ducklin)
Subject: Re: Memoirs of an (untrustworthy) virus researcher (CVP)


Thus spake [email protected] (Rob Slade):

>There was, of course, only one thing to say.
>
>"Good luck."

Or, "Trust me. I'm a computer security expert..." :-)

Paul

   /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   \  Paul Ducklin                         [email protected]  /
   /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
   \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    25 Mar 93 10:27:00 -0500
From:    [email protected] (Paul Olson)
Subject: Re: Amiga viruses (Amiga)

[email protected] (Walker Andrew John) writes...
>
>Does anyone have a comprehensive list of amiga viruses and what they do?
>
>Andrew Walker.

The most comprehensive list I've seen came with the doco of Virus_Checker
archive.  You may want to obtain it via ftp and take a look.

      __  Paul J. Olson - VAX Systems Manager & Resident Amiga Addict
 C=  ///  Voice -    301/286-4246, 301/210-7701
__  ///   DECnet-    CHARON::PAUL
\\\///    Internet - [email protected]
 \XX/     Disclaimer: Statements in my messages are wholely my own.
 AMIGA    "Ignorance is a renewable resource." -- P.J. O'Rourke

------------------------------

Date:    Thu, 25 Mar 93 10:52:45 -0500
From:    "Nabil Miguel" <[email protected]>
Subject: Anti virus for Novell Networks... (Novell)

I would like to know what software I could use to protect my Novell Netware
server against viruses.  I am running Netware for Macintosh on the server.
The software must be able to protect the server from PC and Mac viruses.

Is there anything as such?
Any feedback would be welcomed...

Please reply directly to me...

Thank You!
_______________________________________________________________
Nabil J. Miguel      \  InterNet: [email protected]
University Of Ottawa |\   Bitnet: Miguel@UOttawa
35 University        | \
Ottawa, Ontario,     |  \ Telephone: (613) 564-5094
K1N 6N5              |   \      FAX: (613) 564-4965
_______________________________________________________________


------------------------------

Date:    Thu, 25 Mar 93 15:05:43 -0500
From:    Trantor The Last Stormtrooper <[email protected]>
Subject: Disgust at the lack of interest in Atari Viruses (Atari)

Being a virus researcher on the Atari ST, I feel that
I must write to complain about the lack of interest in
discussing Atari viruses. I can understand why you talk
about PC viruses more than ST ones. The reason is
simple, there are over 2000 PC viruses. The Mac doesn't
even have 10 viruses, whereas the ST has over 100 viruses
(of both the bootsector and link variety). So I think that
ST viruses should be discussed a little bit more!!!!

As for virus information concerning ST viruses, the Virus
Centre at the University of Hamburg is no good at all. The
reason for this is because the virus information is never
updated!!!!

Has anyone out there (especially Atari people!) got any
comments???



------------------------------

Date:    25 Mar 93 15:05:18 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: EXE/COM switch (PC)


Vesselin wrote:

>cases. The "more general" idea (changing the extensions to something
>completely different), however, -will- prevent the infection in those
>particular cases (non-smart viruses that infect on Exec).

not necessarily ... many of the viruses that hook the exec call and check
the file name work like this

  if the name ends in .EXE
        do exe_infection()
  else
        do com_infection()

(or the other way around), so any renamed virus would always be infected as
a .COM file.

anyhow, this discussion is a bit pointless, as renaming is of too little
help ... it would stop most non-resident viruses (but they are generally not
common), and some of the resident ones, cause some resident ones to infect
the files incorrectly, and have no effect at all on others.

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: [email protected]         fax:   +354-1-28801

------------------------------

Date:    Thu, 25 Mar 93 10:33:07 -0500
From:    Donald G Peters <[email protected]>
Subject: Finish of EXE/COM discussion (I hope) (PC)

VB did a very good job recently of trying to close all the loose
threads opened in the EXE/COM debate. I appreciate his effort and
accuracy. It would be difficult to find fault with anything in
that last extensive post. (The primary things I would take issue
on was "who said what" but that is unprofitable.)

I will admit that I'm less enthusiastic now than before, but I
would classify it as a useful technique on the order of the
ReadOnly flag, EEE/CCC changes, renaming COMMAND.COM, etc. For
some people these tricks(?) will provide some protection, but
most of the people on this forum are in the "high risk" group
and it wouldn't do as much good here.

However, Vesselin, it puts a smile on my face that you, too, are
human, and make mistakes.


------------------------------

Date:    Thu, 25 Mar 93 09:03:54 -0500
From:    [email protected]
Subject: How to remove Lao Dong virus? (was: cluster pc 5)

> To:           A.APPLEYARD
> From:         "CHRIS HOLBURN"  <[email protected]>
> Date:         25 Mar 93 12:18:14 GMT
> Subject:      cluster pc 5
>
> Anthony it looks as though cluster pc2 No. 5 has a virus on the hard
> drive.  Do you want to have a go at removing it?  Our standard virus
> prog. can detect but not remove it.  The virus is called Lao Dong.
> Good luck. CHRIS

How to remove Lao Dong? Any info re it? Any history of false positives of it?
Please email such info to me and/or to [email protected]


------------------------------

Date:    Thu, 25 Mar 93 11:52:57 -0500
From:    Alessandro Lombardi <[email protected]>
Subject: Infecting from floppy (PC)

On Virus-l #49, Terry Lundgren asks for a definitive answer: hope this
satisfies you.

Generally a virus CAN spread from an infected diskette to the HD of your
system; a clear example: FORM.
Remember this is a boot sector virus (BSV).

I do not know of a BSV which replicates and spreads with DIR, or of
non-BSV viruses which spread with DIR: in my experience I always had to
execute an infected file to get infected myself. If someone can add info
or give more particulars (also tell the opposite, if it is true), reply
to this and send me a Cc, thanks.

- -alexl

***************************************************************************
**   Alessandro Lombardi,  via P.Verri 12, 21100 VARESE (VA)-ITALY       **
**   Tel.: 0332/265777;    e-mail: [email protected]        **
***************************************************************************

------------------------------

Date:    Thu, 25 Mar 93 12:02:21 -0500
From:    Alessandro Lombardi <[email protected]>
Subject: Re: Swap virus(PC)

you wrote about your adventures using McAfee Scan.....

I sincerely hope you have not yet used F-PROT 2.07 on your system,
because I rate it as good. If you haven't, get it by FTP at oak.oakland.edu,
in the directory pub/msdos/virus, or write to [email protected] (the author).
If you have used it, I do not have any other suggestion.
Good luck.
Let me know about your following steps and successes (hope...)

- -alexl

***************************************************************************
**   Alessandro Lombardi,  via P.Verri 12, 21100 VARESE (VA)-ITALY       **
**   Tel.: 0332/265777;    e-mail: [email protected]        **
**                                                                       **
**    "We don't buy just anybody in order to indulge in qualunquismo"    **
**                     ( Giovanni  "gioppino"  Trapattoni )              **
**                                                                       **
**   RETE 8 NETWORK : now also in Como and province, 101.40/101.45 FM    **
***************************************************************************

------------------------------

Date:    25 Mar 93 17:52:24 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Virus signature determination. (PC)


[email protected] (Rune Fr|ysa) writes:

>I'm planning to expand an anti-viral utility to include file
>scanning, like Mc'Affe's scan program does.

good luck :-)

>Therefore I would
>be interested in more information of how I determine the signature
>of any virus, including mutating ones.

Eh, mutating viruses by definition do not have signatures...or at least
not without wildcards.

What you would need to do:

  1) Get an awful lot of virus samples...2000 or so...properly maintaining
     such a collection requires a full-time researcher, so you had better
     hire one :-)  Obtaining those viruses might turn out to be a problem.

  2) For each polymorphic virus you disassemble it, and find a piece of
     the code which is found in all samples of the virus (you want to
     avoid false negatives), and is not found in any normal program (you
     don't want to cause false positives).   You then write a scan "engine",
     which searches for those strings.

     Exactly which bytes to select is the difficult part...but it just
     requires some experience.

  3) For the difficult, polymorphic ones, which can not be found with a
     search string, you write a detection procedure.

  4) You now have everything needed for a "brute force" scanner, which
     searches entire programs for the various search strings.  Perhaps
     not a practical approach, but it works....

>Is it also possible to get signature files from somewhere and
>implement them in the package?

Yes, several such files exist...and using them would mean a lot less work
required - however, the scanner would not be as good, as those files don't
include any information on how to detect the polymorphic viruses.

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: [email protected]         fax:   +354-1-28801
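
As an added illustration of steps 2 and 4 above (pick bytes that occur in every sample of a virus but in no normal program, then search whole files for them), here is a toy scanner in Python. It is not F-PROT's or Rune's code; the signatures, the two "virus" samples and the clean program are constructed byte strings, and the `??` one-byte wildcard syntax is this example's own convention. It also carries the false-positive check from step 2: a signature built from the ordinary DOS exit sequence hits the clean program and is reported as unusable.

```python
"""Toy search-string scanner with one-byte wildcards, the "brute force"
approach outlined above.  Added example, not F-PROT code; the signatures
and the sample files are constructed for illustration."""

from typing import Dict, List, Optional, Sequence

Pattern = Sequence[Optional[int]]   # a byte value, or None for a "??" wildcard


def parse_signature(text: str) -> List[Optional[int]]:
    """Turn "B4 3D ?? CD 21" into [0xB4, 0x3D, None, 0xCD, 0x21]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(data: bytes, pos: int, pat: Pattern) -> bool:
    """Does the pattern match at this offset?  None matches any byte."""
    if pos + len(pat) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pat))


def scan(data: bytes, sigs: Dict[str, str]) -> List[str]:
    """Try every signature at every offset; return the names that hit."""
    hits = []
    for name, text in sigs.items():
        pat = parse_signature(text)
        if any(match_at(data, pos, pat) for pos in range(len(data) - len(pat) + 1)):
            hits.append(name)
    return hits


def check_false_positives(sigs: Dict[str, str], clean_files: Sequence[bytes]) -> List[str]:
    """Step 2's second rule: a signature must not hit any normal program.
    Returns the signatures that do, i.e. those that must be reselected."""
    return [name for name in sigs
            if any(scan(f, {name: sigs[name]}) for f in clean_files)]


# Constructed samples.  The byte sequence the two variants share differs
# by one byte (90h vs 91h); the wildcard in the signature covers it.
STUB_A = bytes.fromhex("b4 3d cd 21 8b d8 b4 3f 90 cd 21")
STUB_A2 = bytes.fromhex("b4 3d cd 21 8b d8 b4 3f 91 cd 21")
SAMPLES = {
    "demo.a.com": bytes.fromhex("e9 10 00") + bytes(13) + STUB_A,
    "demo.a2.com": bytes.fromhex("e9 10 00") + bytes(13) + STUB_A2,
    # An ordinary program: print a string, then the standard DOS exit.
    "clean.com": bytes.fromhex("b4 09 ba 00 01 cd 21 b8 00 4c cd 21"),
}
SIGS = {
    "Demo.A": "b4 3d cd 21 8b d8 b4 3f ?? cd 21",
    # mov ax,4C00h / int 21h: every well-behaved program ends this way,
    # so this string is useless as a signature.
    "TooGeneric": "b8 00 4c cd 21",
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(fname, "->", scan(data, SIGS) or "clean")
    print("signatures hitting clean files:",
          check_false_positives(SIGS, [SAMPLES["clean.com"]]))
```

Running it reports `Demo.A` for both constructed variants and flags `TooGeneric` as a signature that fires on the clean program, which is exactly the kind of string a scanner author has to throw away.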

------------------------------

Date:    25 Mar 93 18:02:38 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: EXE/COM switch (PC)


[email protected] (Donald G Peters) writes:

>In this case, I once threw out an estimate that this would
>work against 50% of all viruses. To my regret, nobody attempted
>to produce a more accurate figure.

That's simply because those who could do that, people who have a copy
of practically all known viruses and could analyse them to see which ones
would get fooled, have more important things to do....I have no desire to spend
a full day looking at every single virus in my collection to determine how it
would react to a .COM file with .EXE structure (or vice versa). The 50%
idea might be right..maybe too high, maybe too low, but my opinion is that
most people have no use for a 50% protection when a 99.9% protection is
available.

- -frisk


- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: [email protected]         fax:   +354-1-28801

------------------------------

Date:    25 Mar 93 19:19:26 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Catch from DIR? (PC)


[email protected] (Terry Lundgren) writes:

>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

No way...well, almost no way :-)

  When you do a DIR, no code on the diskette is executed, so you cannot
  become infected.

  However, DOS reads the boot sector of the diskette, so if it is infected
  you may find virus code in your machine - however, it is "dead" - and
  will not be activated, so your machine is not infected.

There is, however, one way to run a program from a diskette by just doing a DIR,
but it is, well...a bit weird, and is not used by any malicious program that
I know of....so the answer is "in theory yes, in practice no".

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: [email protected]         fax:   +354-1-28801

------------------------------

Date:    Thu, 25 Mar 93 18:47:08 -0500
From:    [email protected] (Jimmy Kuo)
Subject: Re: Catch from DIR? (PC)

Terry Lundgren writes:
>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

>The responses are running about 1/3 saying no way and 2/3 saying
>it is possible.  I would really like to get a definitive answer.
>If a virus can be passed in this way, would someone please
>describe how it might happen?  Or not.

In practice?  No.  In theory, yes, some really cleverly done ANSI
bomb, which again, in practice, practically can't be done!

You may be getting answers to the effect:

       YES, because if you do this and it's a boot sector infector,
       McAfee's SCAN will say that you are infected.  This is a
       ghost positive from SCAN and is a bug.

       YES, by the ANSI derivative above.

       NO, which in the case of file infectors, NO is always true.

(Hey, that's 2/3rds.  I'll stop.)  :-)

Jimmy Kuo                                       [email protected]
Norton AntiVirus Research


------------------------------

Date:    Thu, 25 Mar 93 18:47:21 -0500
From:    [email protected] (Jimmy Kuo)
Subject: Re[2]: Removing virus on stack drive (PC)

[email protected] (Pete Wong) writes:

>> I recently discovered that a virus exist within my computer.  My PC
>> is stacked with a Stacker.  I used the Norton Anti-Virus to scan the
>> drives and it advised me to turn off the computer and boot it up
>> again with an un-affected boot disk.  Since my drives are stacked,
>> the NAV would not read drive C or D.

>> I also tried to boot it up with the Stacker files in the un-affected
>> DOS boot up disk.  Once I use the NAV to scan the drives, it would
>> say there is a virus detected in the memory and then it would not
>> scan any further.  This goes the same for scanning the floppy drives.

Which machine was used to put the stacker files on the "un-affected" DOS
boot up disk?  Assuming the machine is infected with Stoned, if that
activity occurred on the suspect machine, that boot up disk will now be
infected!!

>> The virus is called Stoned.

Because there are a number of boot infectors derived from Stoned, the
memory signature for Stoned actually picks up a number of strains.
(You can think of this as "following the CARO naming convention.")
NAV differentiates the Stoned variants in boot sectors but not the
memory sig.

>Stoned infects only the first -physical- disk drive (80h). In theory,
>it is possible to find it on another physical drive - if you have
>installed an already infected hard disk as a second one. It -never-
>infects logical disk volumes, like the ones created by Stacker.
>Therefore, you can safely reboot from a clean diskette and remove the
>virus from your hard disk, regardless that you are not able to access
>the stacked volume. NAV must be able to do that. If it isn't - call
>your local Symantec tech support.

>Another possibility is that the whole story is just a ghost false
>positive - NAV is detecting some scan string in memory, not
>necessarily the virus. Make sure you have disabled any other
>anti-virus programs (like VSAFE from CPAV) when you are performing the
>virus check. What happens if you boot from a clean floppy? You can't
>access the stacked volume, of course, but does NAV still find the
>virus in memory? If it doesn't, then it is certainly a false positive.

Chances of a ghost positive are pretty slim on this one.  Be careful with
the conditions that Vesselin gave to say "it is certainly a false
positive."  Vesselin is correct if all the "if" conditions are met.  But
I question if your "un-affected" diskette is still "un-affected."

Jimmy Kuo                                       [email protected]
Norton AntiVirus Research


------------------------------

Date:    Fri, 26 Mar 93 00:35:51 +0000
From:    [email protected] (wolfgang stiller)
Subject: Re:Virus that infects (PC)


Date Entered: 03-25-93 19:32
[email protected] (Ryan Kolter) asks:

>A friend of mine recently (a few months ago) told me about what
>appeared to be a computer virus his machine had caught that (in some
>manner) appeared to infect the files of his hard disk just after they
>were scanned.  His claim was that it dodged the scan by taking itself
>out of memory during the memory check (McAfee) and then reloaded into
>memory and removed itself from the infected file during the scan of
>that file.  After that, it would infect every .exe that was scanned.
>Thus the process of scanning actually infected the whole drive.

>I don't know if there is a virus out there that does this.  Is there?
>If so, is there a way to protect against it?  He said that McAfee didn't
>pick it up. (I don't know what version he used).

The virus doesn't really have to go through all that work.  The more
likely explanation is that your friend simply had a virus that the
scanner didn't recognize  (one more reason to always boot from a clean
write-protected floppy before scanning and NOT to depend entirely on
scanning <g>).  Anytime you run a scanner with an unrecognized resident
virus that infects on file open, this will happen.  The scanner will
look at each file but not notice the virus because it is not aware of
that particular virus.  While this is going on the virus will merrily
infect each file checked and pronounced clean by the scanner.

Please suggest to your friend that he/she boot from write-protected
floppy before scanning.  While this won't help the scanner detect the
virus it will at least keep the entire system from getting infected
by the act of scanning.

Regards, Wolfgang

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.
- ---
  SLMR 2.1a
  RoseMail 2.10 :
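
An added example of the alternative Wolfgang points to, not depending entirely on scanning: a baseline of file sizes and hashes taken while booted from a clean, write-protected floppy, compared against the disk afterwards, notices that executables have grown or changed whether or not the scanner knows the virus. This is not Stiller Research's code; the file names and contents are constructed, and the "after" set models exactly the outcome described above (one file grew during the scan, one appeared, one vanished).

```python
"""Integrity-check example: record (size, SHA-256) for every executable,
then report what changed.  Added example, not Stiller Research code; the
file contents below are constructed for illustration."""

import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]          # (size in bytes, SHA-256 hex digest)


def fingerprint(data: bytes) -> Fingerprint:
    return len(data), hashlib.sha256(data).hexdigest()


def baseline(files: Dict[str, bytes]) -> Dict[str, Fingerprint]:
    """Fingerprint every file.  Take the baseline while booted from a clean,
    write-protected floppy, otherwise a resident virus can taint it."""
    return {name: fingerprint(data) for name, data in files.items()}


def compare(base: Dict[str, Fingerprint], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report files that changed, appeared or vanished since the baseline.
    A file that grew is the classic sign of an appending file infector."""
    current = baseline(files)
    report: Dict[str, List[str]] = {"changed": [], "grew": [], "added": [], "missing": []}
    for name in sorted(set(base) | set(current)):
        if name not in current:
            report["missing"].append(name)
        elif name not in base:
            report["added"].append(name)
        elif base[name] != current[name]:
            report["changed"].append(name)
            if current[name][0] > base[name][0]:
                report["grew"].append(name)
    return report


def read_executables(root: str, suffixes=(".com", ".exe")) -> Dict[str, bytes]:
    """Helper for real use: load every executable under a directory tree."""
    return {str(p): p.read_bytes() for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in suffixes}


# Constructed "disk contents" before and after a scan run.
BEFORE = {
    "C:\\DOS\\EDIT.COM": b"\xb4\x09\xcd\x21\xc3",
    "C:\\GAMES\\GAME.EXE": b"MZ" + b"\x00" * 30,
    "C:\\TOOLS\\PKZIP.EXE": b"MZ" + b"\x01" * 30,
}
AFTER = {
    "C:\\DOS\\EDIT.COM": b"\xb4\x09\xcd\x21\xc3",               # untouched
    "C:\\GAMES\\GAME.EXE": b"MZ" + b"\x00" * 30 + b"\xcc" * 8,  # grew by 8 bytes
    "C:\\TOOLS\\NEW.EXE": b"MZ" + b"\x02" * 30,                 # appeared
}                                                               # PKZIP.EXE gone

if __name__ == "__main__":
    print(compare(baseline(BEFORE), AFTER))
```

The baseline itself must be stored somewhere the suspect system cannot rewrite it (a write-protected floppy fits), and `read_executables` is the piece you would point at a real drive; the comparison logic is the same either way.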

------------------------------

Date:    26 Mar 93 08:03:06 +0000
From:    [email protected] (Demetre Koumanakos)
Subject: Virsig (PC)

Hi all,

It has been a couple of months now that I haven't been able to
find a new Virsig file for TBAV.
Does anyone know what the story is ?

Demetre


------------------------------

Date:    Fri, 26 Mar 93 08:05:18 +0000
From:    [email protected] (Lasse Reichstein Nielsen)
Subject: HELP: Harddisk deteriorating rapidly (PC)

Problem:

My elder brother was trying a new game out on my father's PC.
The screen froze and the harddisk kept spinning, so he pressed RESET.

Nothing has been normal since...

He tried deleting the game, when an error message popped up (some
file-allocation error or cluster not found).

He started Norton DiskDoctor, and found:
4 files had fat-chains destroyed
1 something else wrong
2 crosslinked

and FATs weren't identical.

NO PROBLEMO, I thought, and checked the backups. We had the most important
files, so I let NDD do its job.

FINE.

5 mins. later there were more problems...

more files with illegal fat-chains...

Norton DiskEdit!

I found the chains had been severed by a LARGE (50000+) number in
the middle of an otherwise sound fat-chain. I fixed the chains
manually, but now I was getting curious.
I ran NDD, synchronizing the FATs - all errors fixed.
I ran NDD, FATs out of sync, files with bad chains, even crosslinked files.
I DIDN'T EVEN RESTART NDD! It happened while running.

OK! Boot from write-protected floppy, running McAfee SCAN v102.

No virus found!

NDD found some problems, DE fixed them, NDD found no new errors.. FINE

Reboot from C:.... CRASH, wouldn't boot, hung in AUTOEXEC.BAT

Boot from A:, change Config & Autoexec to empty files...

Crashed when booting from C:!

I tried 'sys c:', 'fdisk /mbr', and looking at the bootblock and
partition table, they looked fine.

Every time I tried to boot from C: something new (and increasingly
more disastrous) went wrong... when I gave up,
command.com was defective, and the system gave a "Memory Configuration
Too Small" (or something similar) error before the config.sys
(tried putting device=c:\dos\himem.sys in it - no effect, but
now himem was defective)

Norton Calibrate said there was a bad cluster at the end of the
harddisk, but both FATs said all clusters were OK.

Everything worked fine (except the files that had already been
messed up) when I booted from A: (write-protected).

The system is a Commodore PC40-III, 286-12, 40Mb HD
640K main, 386K extended, DOS 5.0, himem.sys
The battery is dead, so the date was probably 23/3'93 (or 22/3'93)
just around midnight (22nd to 23rd).

If ANYBODY knows ANYTHING, please email. I can't fight
something I can't see!!!

                       SPOT / [email protected]


- ----------------------------------------------------------------------
'I just want to know one thing.....where they are...!' - Vasquez

------------------------------

Date:    Fri, 26 Mar 93 06:29:31 -0500
From:    Otto Stolz <[email protected]>
Subject: Re: [Stoned] (PC)

> > Has anyone heard of the [Stoned] virus and if so, then what does it
> > do? [...]

This question has been discussed so much in this list that I am somewhat
surprised about the inaccuracies in Andrew's response.

On Mon, 08 Mar 93 16:55:41 +0000 Andrew M Smith <[email protected]>
said:
> Stoned is a rather benign virus except for when it infects irregular
> hardware.

Whilst the epithet "benign" for a virus is generally debatable, Stoned
exhibits some extra nasties (probably not intended by its programmer,
but still nasty):

- - Even on regular hardware, Stoned does not care where it puts the
 original master boot record, hence data may be overwritten. In
 particular, if the HD has been partitioned with FDISK of DOS version 2,
 Stoned will overwrite part of the FAT of partition C.

- - When a HD is doubly infected with several Stoned variants (a notorious
 example being Stoned.Standard and Stoned.Michelangelo, cf. FAQ list),
 then the system becomes unbootable.

> Stoned hides in the boot sector of floppies, and the partition table of
> hard drives.

All of us should cease to call the Master Boot Record "Partition Table".
The partition table is exactly that part of the master boot record that
is *not* suited to hide a virus!

> McAfee's Clean can remove the virus from hard drives, and floppies.

There have been reports in this forum that McAfee's Clean did not
properly disinfect Stoned in all cases. Rather than elaborating this, I'd
like to remind you of the generic DOS procedure to remove MBR infectors
from a hard disk:
1. Boot from a clean DOS 5.0 disk.
2. Make sure that the partition table is intact, e.g. by issuing
       FDISK /STATUS
  or by accessing all partitions of the HD, as in
       DIR C:
       DIR D:
       ...
3. If the partition table is intact (it will be so with a Stoned
  infection), issue
       FDISK /MBR

Best regards,
                   Otto Stolz <[email protected]>
                              <[email protected]>
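
An added example, not from Otto's post and not the code of FDISK or any other DOS tool, that makes the distinction above concrete: the partition table is sixty-four bytes of data at offset 1BEh of the MBR plus the 55AAh signature, and the code area in front of it can be replaced without touching the table, which is what the generic removal step relies on and why step 2 (checking the table first) matters. The same parser illustrates Frisk's point in the "Catch from DIR?" thread: a boot sector read as data is just 512 bytes to inspect, nothing in it runs. The sample MBR is constructed (one FAT16 partition of roughly 40 MB).

```python
"""Parse and sanity-check a 512-byte Master Boot Record.  Added example,
not part of the original post or of any DOS tool; the MBR below is
constructed, with a single active FAT16 partition."""

import struct
from typing import Dict, List, Tuple

SECTOR = 512
TABLE_OFFSET = 0x1BE        # four 16-byte entries live at 1BEh..1FDh
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"     # bytes 510-511


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one entry; CHS fields are left zero, which this example ignores."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Return the non-empty entries (type byte != 0) using the LBA fields."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "active": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def partition_table_intact(mbr: bytes) -> Tuple[bool, str]:
    """The structural checks behind step 2 (FDISK /STATUS or DIR on each drive)."""
    if len(mbr) != SECTOR:
        return False, "not a 512-byte sector"
    if mbr[510:512] != SIGNATURE:
        return False, "boot signature 55AAh missing"
    statuses = [mbr[TABLE_OFFSET + 16 * i] for i in range(4)]
    if any(s not in (0x00, 0x80) for s in statuses):
        return False, "invalid status byte in partition entry"
    entries = parse_partition_table(mbr)
    if sum(e["active"] for e in entries) > 1:
        return False, "more than one active partition"
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in entries)
    for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            return False, "overlapping partitions"
    return True, "ok"


def rewrite_code_area(mbr: bytes, code: bytes) -> bytes:
    """Replace only bytes 0..1BDh, keeping the table and signature.  This
    models what FDISK /MBR does to an MBR, which is why it is only safe
    once the table has been verified intact."""
    if len(code) > TABLE_OFFSET:
        raise ValueError("boot code must fit in 446 bytes")
    return code + bytes(TABLE_OFFSET - len(code)) + mbr[TABLE_OFFSET:]


# Constructed sample: empty code area, one active FAT16 (type 06h) partition
# starting at sector 63 and 81900 sectors (~40 MB) long.
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + build_entry(0x80, 0x06, 63, 81900)
              + bytes(16 * 3)
              + SIGNATURE)

if __name__ == "__main__":
    print(parse_partition_table(SAMPLE_MBR))
    print(partition_table_intact(SAMPLE_MBR))
    print(parse_partition_table(rewrite_code_area(SAMPLE_MBR, b"\xeb\xfe")))
```

Feeding the function a sector whose signature is gone, or whose entries overlap, returns a reason instead of `ok`; that is the situation in which the generic procedure must stop before step 3, because rewriting the code area cannot repair a table that is already wrong.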


------------------------------

Date:    Fri, 26 Mar 93 07:17:40 -0500
From:    Alessandro Lombardi <[email protected]>
Subject: Pc-Tools 8.0 (Pc)

Hello all.

I am an Italian guy in trouble with PC-Tools 8.0. Every time I install it
on my PC, the BIOS cries...
In fact, some days ago I did not understand it, but here are the steps:
After the BIOS had cried a few times, I decided to do something:
I formatted my HD (84 Mb) using the hard disk options in the setup of my
American Megatrends BIOS, in particular I used Auto-interleave (fixed on 4) and
then Hard disk format. I reinstalled all of my files (I had previously made a
full backup), and all that was left to do was installing these DAMNED PC-Tools!!
When, at the end of installation, it asked me whether to build an emergency
diskette, answering yes, at the top left of the screen appeared this
message (in Italian): "ATTENTION: big error of the drive while writing on
unit D: retry?" (I use DR-DOS 6.0 with sstordrv). Of course I will not use
PC-Tools 8.0 any more, but I'd like to know if this is due to some defects only
in my diskettes, to something in my hardware, or whether it is a general and
widespread problem. If someone has any suggestion, please write both to virus-l
and to me.
Thanks in advance.

- -alexl

***************************************************************************
**   Alessandro Lombardi,  via P.Verri 12, 21100 VARESE (VA)-ITALY       **
**   Tel.: 0332/265777;    e-mail: [email protected]        **
**                                                                       **
**                " Things go well in order to go bad "                  **
**                                                                       **
***************************************************************************

------------------------------

Date:    Fri, 26 Mar 93 12:08:51 -0500
From:    [email protected] (A. Padgett Peterson)
Subject: Ignorance is still curable (PC)

Subject: Ignorance is curable (mostly PC)

>From:    [email protected] (Amir Netiv)

>Well dear Padgett, it seems like you didn't quite get my idea: There is no
>problem in checking that the original INT-13 ISR is located in the BIOS area
>(except if you are using some smart PC that does the shadowing of the BIOS to
>another area in RAM location and completely remaps the addresses), However
>that is not the issue here. When you know the location of the original INT-13
>ISR is when the system is already booted (or in the process) but *AFTER* the
>IO.SYS is loaded (unless your Anti Virus is also an operating system which you
>will excuse me for not believing it is so).

I can understand your skepticism; however, all of my A-V checking IS done before
IO.SYS runs. For that matter I have a version of FixMBR that does not require
an operating system at all! With the BIOS (as I have said before) you have a
fully functional computer. In fact the only elements that run from DOS are the
validation programs (CHSMBR, CHKBOOT, CHKMEM) and the installation/repair
programs (FixFBR, FixMBR).

--------------------------

>Padgett answers:
> > A virus can intercept an interrupt vector. It cannot intercept as FAR CALL.
> > All you need to know is where to make the far call to (the exercise is
> > left to the student).

>A. I agree that a virus does not intercept a FAR CALL, but only hooks an
>interrupt.
>B. To know where to make the far call to, you should be a Gypsy and own a
>crystal ball to consult with. Because whatever YOU consider predictable is
>not so in reality.

Again, if it is retrieved *before* IO.SYS, it must either point to ROM or
*something else* (e.g. a virus). As a result only seven bytes are necessary
to validate the INT 13 path:

CMP BYTE PTR [004Fh], 0C0h   ; assumes DS=0; 4Fh is the high byte of the INT 13h vector's segment (vector at 0:4Ch)
JB  <error handler>          ; segment below C000h: the vector does not point into ROM

The same applies to Int 2F fn 13; however, if a memory manager (e.g.
QEMM "stealth") is in use then you may not be able to trust this test
alone, and some intelligence must be applied. No inductive logic is needed though.

>   The "original" procedure is located somewhere in the system depending
>which program took it. You cannot assume that the INT-13 ISR is in a
>constant place nor can you assume it is a part of the BIOS, because if you
>do, your program is likely to crash a lot of PCs, especially those that
>use special low level programs like Access control to disks, and several
>Network tools. So much for predictions.

Well, many people have been using FixMBR and SafeMBR for quite some time
with everything under the sun. It does flag many access control programs but
they usually have their own MBR replacement. It does not conflict with any
BIOS routines including Boot protection & passwords once installed.

>I'm sorry to be the one that lets you know that int-25 & 26 are translated
>eventually into INT-13. Just as INT-21 Fn 02 (write char) is translated into
>INT-10. So you see, what you wrote is incorrect. There is *NO* area on the
>formatted disk surface that is not accessible via INT-13.

Afraid you read me backwards - this was exactly my point: you cannot trust
Int 25 or 26 to give you physical sectors. Incidentally, there are any number
of surfaces you cannot reach with Int 13: Bernoullis and CD-ROMs are two
common ones. My point was that since a compressed disk's boot sector is
not the real partition's boot sector, any program that examines the compressed
boot record must be using Int 25 and not Int 13 directly.

                                               Warmly,
                                                       Padgett


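The seven-byte ROM check Padgett describes, carried out over a dump of the
interrupt vector table, as an added Python example (not Padgett's code and not
part of FixMBR/SafeMBR): it reads the INT 13h vector at 0000:004Ch and applies
the same test, high byte of the segment >= C0h. The IVT images are constructed
for the demonstration; the F000h and 9F00h addresses are illustrative
assumptions, and the post's caveat about BIOS shadowing and memory managers
such as QEMM applies to this check exactly as it does to the two instructions
above.

```python
"""Validate that the INT 13h vector points into ROM, over a raw dump of the
real-mode interrupt vector table (IVT).

Added example, not Padgett's code. The IVT images are constructed; the
segment threshold (C000h and above = adapter/system ROM) follows the post.
"""
import struct

IVT_SIZE = 1024             # 256 vectors x 4 bytes, each offset:segment, little-endian
ROM_SEGMENT_FLOOR = 0xC000  # adapter and system ROM live at C000h and above

def vector(ivt: bytes, intno: int):
    """Return (segment, offset) of interrupt `intno` from a raw IVT image."""
    if len(ivt) < IVT_SIZE:
        raise ValueError("IVT image too short")
    off, seg = struct.unpack_from("<HH", ivt, intno * 4)
    return seg, off

def vector_in_rom(ivt: bytes, intno: int) -> bool:
    """Equivalent of `CMP BYTE PTR [4Fh],0C0h / JB error` for INT 13h:
    the high byte of the segment word at 0:(intno*4+3) must be >= C0h.
    Caveat from the post: a BIOS shadowed into RAM or a memory manager
    such as QEMM "stealth" can make a legitimate vector fail this test."""
    seg, _ = vector(ivt, intno)
    return (seg >> 8) >= (ROM_SEGMENT_FLOOR >> 8)

def build_ivt(entries):
    """Construct a zeroed IVT with the given {intno: (segment, offset)} entries."""
    ivt = bytearray(IVT_SIZE)
    for intno, (seg, off) in entries.items():
        struct.pack_into("<HH", ivt, intno * 4, off, seg)
    return bytes(ivt)

# Constructed: a clean pre-IO.SYS table with INT 13h in system ROM (F000h).
CLEAN_IVT = build_ivt({0x13: (0xF000, 0xEC59)})
# Constructed: INT 13h redirected into conventional RAM just under 640K,
# the kind of address a resident boot-sector infector would leave behind.
HOOKED_IVT = build_ivt({0x13: (0x9F00, 0x0000)})

def check_boot_path(ivt: bytes) -> dict:
    """Report whether the INT 13h path still leads into ROM."""
    seg, off = vector(ivt, 0x13)
    return {"int13": f"{seg:04X}:{off:04X}", "in_rom": vector_in_rom(ivt, 0x13)}

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IVT), ("hooked", HOOKED_IVT)):
        print(name, check_boot_path(img))
```

Run before any operating system code has had a chance to hook the vector, a
"False" here means the BIOS disk path is already being intercepted by
something that is not ROM; run after DOS and its drivers are loaded it means
nothing on its own, which is the whole point of doing the check early.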
------------------------------

Date:    26 Mar 93 14:57:41 +0000
From:    [email protected] (Paul Ducklin)
Subject: Re: IBM PC Boot Seq (was Partition table viruses (PC))


Thus spake [email protected] (Vesselin Bontchev):

 [stuff about FDISK /MBR]

>That's correct, but particularly with ExeBug there is one more
>problem. First, the virus is stealth, so when it is active in memory,
>you cannot "see" that the MBR is infected. Second, when you try to
>boot from a floppy, due to the CMOS "fix", the machine boots from the
>hard disk and loads the virus. However, the virus checks whether a
>floppy is present in the A: drive, and if it is so, BOOT FROM THAT
>FLOPPY. So, if you don't watch -very- carefully, it LOOKS as if you
>have booted from a floppy. A quick inspection of the MBR enforces this
>impression, because the virus stealths the MBR...

There's actually another problem, too. Because the virus overwrites all
of the partition record [code *and* data], if you do boot clean and
run FDISK /MBR, you've removed the virus, but left a mess behind instead
of the partition data. Without the viral stealth, there's nothing to
redirect DOS to the hidden copy of the partition table when drive letters
are being assigned. Oh dear -- no hard drive. Also, your hard drive won't
boot, because the partition data is in tatters. You'll get "Invalid
partition table" or the like during bootup.

So, "Clean Boot -- FDISK /MBR -- SYS C:" is *not* a generic clean-up
procedure for all boot/partition viruses.

If you've got a steady hand and a sector editor, Exebug's easy. Boot clean
and move 0.0.17 back over 0.0.1. If you *haven't*, then you need software
[eg: a-v software] which will automatically do the "ah yes, Exebug -- ah
yes, old partition record at 0.0.17 -- ah yes, let's stick things back where
they should be". FDISK /MBR alone *won't* work, though, with Exebug.

Hoho: there is a trick, if you don't have a sector editor [or are scared]
and you don't have a-v software. But you do need one of those utilities
which will make an "emergency" copy of your partition record. Simply
*make* the emergency copy with the virus resident [ie: after booting from
hard disc] and *restore* the emergency copy after a clean boot. The viral
stealth will do the rest...

Paul

   /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   \  Paul Ducklin                         [email protected]  /
   /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
   \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

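What the post says about FDISK /MBR and Exebug, replayed on a constructed disk
image, as an added Python example (not Paul's code, not the virus, and not
FDISK): the original MBR is copied to 0.0.17 (assumed to be LBA 16 with
1-based sector numbering), sector 0.0.1 is then overwritten in full, a FDISK
/MBR stand-in rewrites only the 446 code bytes, and a sector-editor style
restore copies 0.0.17 back. The partition layout and the partition-table sanity
check are assumptions made for the demonstration; the in-memory stealth that
redirects reads of sector 1 to the hidden copy is not modelled.

```python
"""Why FDISK /MBR alone does not recover an MBR whose code *and* partition
table were overwritten, and why restoring the saved copy does.

Added example, not the virus, FDISK or any a-v product. Constructed disk
image; 512-byte sectors; the saved copy sits at CHS 0.0.17 = LBA 16.
"""
import struct

SECTOR = 512
PT_OFFSET = 446      # partition table: four 16-byte entries
SIG_OFFSET = 510     # boot signature 55h AAh
BACKUP_LBA = 16      # CHS cylinder 0, head 0, sector 17 (sectors count from 1)
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def parse_partitions(mbr: bytes):
    """Return (status, type, lba_start, sector_count) for each of the 4 entries."""
    out = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        out.append((status, ptype, start, size))
    return out

def table_looks_sane(mbr: bytes) -> bool:
    """Cheap integrity check of the kind a clean-up tool would run before trusting
    an MBR: signature present, status bytes 00h/80h only, used entries have a
    nonzero start and size, at most one entry marked bootable."""
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        return False
    bootable = 0
    for status, ptype, start, size in parse_partitions(mbr):
        if status not in (0x00, 0x80):
            return False
        bootable += status == 0x80
        if ptype != 0 and (start == 0 or size == 0):
            return False
    return bootable <= 1

def make_clean_mbr() -> bytes:
    """Constructed MBR: stand-in boot code plus one bootable 20 MB BIGDOS (06h)
    primary partition starting at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[:PT_OFFSET] = b"\xEB\xFE" + b"\x90" * (PT_OFFSET - 2)   # jmp $ ; nop... (placeholder code)
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET, 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xBF\x13", 63, 40960)
    mbr[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)

def make_disk(sectors: int = 32) -> bytearray:
    disk = bytearray(SECTOR * sectors)
    disk[0:SECTOR] = make_clean_mbr()
    return disk

def overwrite_like_exebug(disk: bytearray) -> None:
    """Model of the damage described in the post, nothing more: the whole original
    sector 0.0.1 is kept at 0.0.17 and sector 0.0.1 is replaced entirely (code
    and partition data) with filler that carries only a boot signature."""
    disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR] = disk[0:SECTOR]
    disk[0:SECTOR] = bytes([0x42]) * 510 + b"\x55\xaa"

def fdisk_mbr(disk: bytearray) -> None:
    """What FDISK /MBR is described to do: rewrite the 446 code bytes, leave the table."""
    disk[0:PT_OFFSET] = make_clean_mbr()[:PT_OFFSET]

def restore_from_0_0_17(disk: bytearray) -> None:
    """The sector-editor fix from the post: move 0.0.17 back over 0.0.1."""
    disk[0:SECTOR] = disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR]

def demo():
    """Returns (sane after overwrite, sane after FDISK /MBR, table restored exactly)."""
    disk = make_disk()
    original = parse_partitions(bytes(disk[0:SECTOR]))
    overwrite_like_exebug(disk)
    sane_after_overwrite = table_looks_sane(bytes(disk[0:SECTOR]))
    fdisk_mbr(disk)
    sane_after_fdisk = table_looks_sane(bytes(disk[0:SECTOR]))
    restore_from_0_0_17(disk)
    restored = parse_partitions(bytes(disk[0:SECTOR])) == original
    return sane_after_overwrite, sane_after_fdisk, restored

if __name__ == "__main__":
    print(demo())   # (False, False, True)
```

The middle value is the one that matters: after the FDISK /MBR stand-in the
code is clean but the table is still filler, which is the "Invalid partition
table" outcome Paul describes. Note that `table_looks_sane` only catches
garbage; a table that is structurally valid but points at the wrong sectors
passes it, so a saved copy (or a tool that knows where the virus keeps the
original) is still the reliable answer.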
------------------------------

Date:    26 Mar 93 15:33:02 +0000
From:    [email protected] (Paul Ducklin)
Subject: Re: Catch from DIR? (PC)


Thus spake [email protected] (Terry Lundgren):
>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

>The responses are running about 1/3 saying no way and 2/3 saying
>it is possible.  I would really like to get a definitive answer.
>If a virus can be passed in this way, would someone please
>describe how it might happen?  Or not.

Obviously, the answer is "No".

But as soon as anyone goes public with their "No", some dork-breath will
discover that code in the root directory, together with <Ctrl-M><F>+
<ecce-ecce-ole-fertanggg-biscuit-barrel> at offset 0x0045 in FAT copy
2 will [a] cause code to be loaded into some DOS buffer or other and
then [b] cause DOS to trip the light fantastic, and drop control smack
into that very buffer of "garbage". Sort of like the Internet worm used
buffer overflow to win control over the instruction sequence, and thus
to get code executed without even logging in. Basically, when you put
yourself on a definitive limb in the computer world, someone comes along
and hacks it off :-)

Mind you, there's another way. I make a DOS 5.0 bootable disc. I give
it to you, and you DIR the disc. Then I say, "Arf, arf, gotcha". You say,
"Listen, tosh, what *are* you talking about". And I say "Hoho. Have a
look in the root directory of your C: drive". You do, and, lo, there's
a copy of COMMAND.COM. Same size, same file as the one on my floppy.
So, simply by doing a DIR, my virus has replicated COMMAND.COM from
the infected floppy onto your hard drive. Hey -- there's more. I've
planted two hidden files in your root directory too -- exact replicants
of the ones on my floppy, and all thanks to DIR.

Guess what? This virus has good stealth -- your integrity checker notices
nothing. This virus is subtle -- your scanner doesn't pick it up either
[mind you, I've seen some scanners which might be able to detect it, and
a lot of other viruses besides, in memory -- even before you get it :-)].
OK, it's a DOS 5.0-specific virus. But most people round here are using
5.0, so that's a fair bet.

And this virus isn't so far-fetched. If you're in tech support, just
think of all the other "viruses" you've handled over the years. Viruses
in the printer cable and the coffee machine, for example :-)

Paul

   /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   \  Paul Ducklin                         [email protected]  /
   /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
   \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 51]
*****************************************



Downloaded From P-80 International Information Systems 304-744-2253