From lehigh.edu!virus-l  Mon Apr 19 09:03:58 1993 remote from vhc
Received: by vhc.se (1.65/waf)
       via UUCP; Mon, 19 Apr 93 22:52:05 GMT
       for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
       id AA05390; Mon, 19 Apr 1993 21:28:30 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA51448
 (5.67a/IDA-1.5 for <[email protected]>); Mon, 19 Apr 1993 13:03:58 -0400
Date: Mon, 19 Apr 1993 13:03:58 -0400
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #65

VIRUS-L Digest   Monday, 19 Apr 1993    Volume 6 : Issue 65

Today's Topics:

Re: Sending viruses over Internet
Re: Scanners getting bigger and slower
Re: Scanners getting bigger and slower
Re: New program chair for IDES-of-March Virus Conference
Re: New program chair for IDES-of-March Virus Conference
Should viral tricks be publicized? (was: Integrity checking)
Virus Signatures
IDES-of-March Virus Conference
Re: Beneficial/Non-Destructive
Re: Macintosh [and non-PC] Postings
Forwarded message from Scotland Yard
Re: Should viral tricks be publicized?
Re: Survey
Re: ANSI viruses and things that go bump in the night (mostly PC)
Re: Optimum Strategy for Virus Checking (PC)
Re: Viruses and Canada (PC)
Re: McAfee latest version (PC)
Disk Access via Port Writes (PC)
5lo virus? (PC)
Disk Death (PC)
Re: Unknown little virus? (PC)
VSAFE WONDER false alarm? (PC)
Re: Removing PingPong virus from boot sectors (PC)
Re: VSUM (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to [email protected].  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk, [email protected]

----------------------------------------------------------------------

Date:    Thu, 15 Apr 93 17:57:20 +0000
From:    [email protected] (Visceral Clamping Mechanism)
Subject: Re: Sending viruses over Internet

Quoth [email protected] (Vesselin Bontchev):
> [email protected] (Donald G Peters) writes:
>
> > My concern is that it would be easy for an untrustworthy Internet
> > node to trap all mail to/from a certain Internet address in order
> > to obtain virus code.
>
> You are right.
>
> > Of course, similar concerns exist for other networks like Fidonet
> > and local area networks as well.
>
> On FidoNet the situation is slightly different. If NetMail is used,
> then you are calling directly the telephone of the recipient, so the
> only way to intercept the virus code is by wiretapping.

This is not strictly true.  Fidonet also has an email routing method called
"host routing" in which email is transferred through one (or more?) "host"
systems.  There is a "host" for each "net" and one of the obligations of
a host is to pass host-routed mail, although most of them will complain if
you do so, since there is generally no good reason other than forcing
someone else to shoulder the long-distance phone bill for the message.

Additionally, email sent to other Fidonet-compatible networks or other
zones (Europe and North America are in different zones) may wait in a
gateway.  Email in Fidonet is not always point-to-point, and encryption of
sensitive data, such as new viruses, with a good encryption program is always
a good idea.

@Man
- --
[email protected]  ||  "Burn hollywood burn!"

"I hanker for a hunk of cheese."

------------------------------

Date:    Thu, 15 Apr 93 17:53:35 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

[email protected] (Inbar Raz) writes:

> But still, the more viruses there are, the more time you'll have to spend
> searching, or, to put it in other words, there are more things to search for.

> in every scanned file, that is, exclusive of various 'Turbo Scanning'
> techniques...)

No, this is exactly what Frisk is trying to tell you - it is possible
to make the scanning time constant (and very short), regardless (well,
almost) of how many signatures you are scanning for. At the expense of
memory usage, of course. The technique is known as "hashing" and is
explained in Knuth's "bible". Roger Riordan has invented another such
technique, called Polysearch; it is described in the proceedings of
the 5th International Computer Virus and Security Conference.

> This is true, but the least program of all to EVER announce - "Sorry, 386 and
> up" is an Anti-Virus program. This program is always guaranteed to have a
> market, no matter what new chip Intel is announcing or what old chips people
> laugh about - as long as it runs MS-DOS :-)

Honest, have you recently run CPAV or NAV or SCAN or F-Prot on an XT with
CGA, 256 Kb conventional RAM, no XMS or EMS RAM, and a 20 Mb MFM hard disk?
Did the scanner fit into that memory? Did you have the patience to
wait until it finishes the memory scan? Would you run it on that
machine every day? (Note: some of the scanners mentioned will probably
run under these conditions. Whether the user will be willing to use
them is another question.)

> Generic programs were more effective in the days when all the viruses were
> leaching - adding to file. Today, you have a lot of new techniques, that are

That's very true, but nevertheless there are hundreds of -silly-
viruses being written even nowadays, so a generic disinfector really
helps - just don't expect it to be able to handle everything.

> disinfector. Maybe a generic scanner, but what good is a scanner without a
> disinfector?

A generic disinfector is significantly easier to write than a generic
scanner. With a generic scanner you have to worry about the false
positives. To make a generic disinfector you just need to keep some
information about the uninfected files and try to restore it after
infection. The more information you keep, the better the chances that
you'll succeed to recover the file. In order to achieve 100%
effectiveness, it is sufficient to keep ALL the information about the
files.

Such a 100% effective generic disinfector exists. It is supplied with
every DOS version. It is called BACKUP (or something similar). Use it.
It can disinfect any virus, and not only viruses... :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany
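
As an added illustration of the hashing technique Vesselin refers to (this is
written for this edit, not code from the digest or from any poster): the
Python below indexes every signature by its first four bytes and scans the
data in a single pass, doing a full signature comparison only where the
four-byte key lands in a non-empty bucket. A naive one-pass-per-signature
scanner is included for contrast, and both count their comparisons, so the
naive cost can be seen growing with the database while the hashed cost stays
flat. The signature database, the Planted.A pattern and the sample "file" are
all constructed for the example.

```python
import random
from collections import defaultdict

KEY_LEN = 4    # leading bytes used as the hash key (bucket selector)
SIG_LEN = 16   # length of every constructed signature

def make_signatures(count, seed=1):
    """Hypothetical signature database: `count` random 16-byte patterns plus
    one pattern, Planted.A, that the sample file really contains."""
    rng = random.Random(seed)
    sigs = {f"Fake.{i}": bytes(rng.getrandbits(8) for _ in range(SIG_LEN))
            for i in range(count)}
    sigs["Planted.A"] = b"\xb8\x00\x4c\xcd\x21\x90\x90\x90PLANTEDA"
    return sigs

def make_sample(size=2048, seed=2):
    """Constructed 'file': random bytes with Planted.A embedded at offset 1000."""
    rng = random.Random(seed)
    body = bytearray(rng.getrandbits(8) for _ in range(size))
    planted = make_signatures(0)["Planted.A"]
    body[1000:1000 + len(planted)] = planted
    return bytes(body)

def build_index(sigs):
    """Bucket every signature by its first KEY_LEN bytes: the 'hashing' step."""
    index = defaultdict(list)
    for name, sig in sigs.items():
        index[sig[:KEY_LEN]].append((name, sig))
    return index

def scan_naive(data, sigs):
    """One pass over the data per signature: work grows with the database."""
    hits, compares = [], 0
    for name, sig in sigs.items():
        for i in range(len(data) - len(sig) + 1):
            compares += 1
            if data[i:i + len(sig)] == sig:
                hits.append((name, i))
    return sorted(hits), compares

def scan_hashed(data, index):
    """Single pass over the data: one dict lookup per position, and a full
    signature comparison only for the (rare) positions whose KEY_LEN bytes
    select a non-empty bucket. Cost is independent of the database size."""
    hits, compares = [], 0
    for i in range(len(data) - KEY_LEN + 1):
        bucket = index.get(data[i:i + KEY_LEN])
        if not bucket:
            continue
        for name, sig in bucket:
            compares += 1
            if data[i:i + len(sig)] == sig:
                hits.append((name, i))
    return sorted(hits), compares

def compare_scans(n_sigs):
    """Run both scanners over the same sample with n_sigs fake signatures."""
    sigs = make_signatures(n_sigs)
    data = make_sample()
    naive_hits, naive_cmp = scan_naive(data, sigs)
    hashed_hits, hashed_cmp = scan_hashed(data, build_index(sigs))
    assert naive_hits == hashed_hits   # same verdict, very different cost
    return {"hits": hashed_hits,
            "naive_compares": naive_cmp,
            "hashed_compares": hashed_cmp}

if __name__ == "__main__":
    for n in (10, 100, 500):
        r = compare_scans(n)
        print(f"{n:4d} signatures: naive={r['naive_compares']:8d} "
              f"hashed={r['hashed_compares']:4d} hits={r['hits']}")
```

A real scanner would key on the bytes at the entry point rather than at every
offset, use a longer key, and keep the table in a compact structure rather
than a Python dict, but the shape is the same: the per-position cost is a
lookup, and the size of the database only affects memory.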

------------------------------

Date:    Thu, 15 Apr 93 18:09:16 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

[email protected] (Amir Netiv) writes:

> Do you remember who published the first GENERIC method of
> how to clean the 1963 virus without an Anti-Virus program ?

A generic method for Necropolis? It's relatively difficult for generic
disinfectors... Not completely impossible, but... Oh, I see, you
probably mean the trick with archiving all executables, booting from a
clean system and restoring them? Works for almost any stealth fast
infector; I have described that years ago when I first saw Frodo...
And have actually used it to remove Number of the Beast, Necropolis,
Dir II (for the last one I used a simpler variation).

> As I said: Suppose you've discovered that when a specific virus
> infects a program the result is such that if you do a certain process on the
> file the result will always be the same... for example lets say that the
> Jerusalem virus always adds 1800 bytes to the file and the 170th word of the
> end of the file - 1800 equals 1800 (NOT THAT IT IS REALLY SO).
> So if you take ANY file and do: (FileSize-(FileSize-1800))-170 the result will
> always be 1800 (if the file is infected).

Bzzt... Won't work. Here comes CPAV/TNTVIRUS in its "immunize" mode,
adding "MsDos" to all files, or SCAN /AV, adding 10 bytes to all
files, or the file has been downloaded with Xmodem and is padded with
1Ah to the next multiple of 128. Now the 170h word from the end of the
file contains something entirely different and you miss the virus, which
works perfectly and infects the user's system. Or am I missing
something? Relying on the supposition that the virus will be at a
particular offset from the beginning or from the end of the file could
be very dangerous. You should either follow the file entry point, or
scan the whole file...

> You spent only 2 cycles to verify each virus on your list...

...and missed the virus on 2 of every 100 checked systems... :-)

> Ask Nemrod about the generic methods in McAfee's package...

Uh, -what- generic methods in McAfee's package? The generic boot
sector virus detection? It is relatively good, indeed. Or the generic
file virus detection - the Fam[1-3EJMNQ-S] viruses? That's horribly
bad. Or the generic boot sector virus disinfector? That's useful, but
trivial to bypass...

> Some infection methods are harder to disinfect than others, However there are
> Generic disinfection techniques for all viruses today (except the destructive

Yes, BACKUP. Works even against the destructive viruses... :-)

> viruses), generally: if a file works after infection that means that the
> information for its recovery exists and one should only look in the right
> place.

That sounds nice in theory, but there are a few practical problems to
implement it. You are probably referring to something like the method
used by TbClean - interpret the virus until it restores the original
file. Problem is, how do you know that the virus has transferred
control to the original file? What if the virus performs (randomly)
something destructive before transferring control to the original file?
What if the virus tries to detect that it has been
interpreted/traced/emulated and behaves differently in these cases?
What are you going to do - emulate the full hardware? Let the virus do
the damage?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany
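
An added example of the fixed-offset point (written for this edit, not code
from Vesselin or Amir): a toy appending .COM infector whose body always sits
VIRUS_LEN bytes from the end of a freshly infected file, a check that relies
on that distance, and a check that follows the entry-point JMP instead. The
three post-infection changes Vesselin lists (Xmodem 1Ah padding, a ten-byte
appended record, an appended "MsDos") are simulated. The marker bytes, the
toy body and the record contents are constructed and hypothetical; nothing
here is real virus code, and the details of what SCAN /AV or CPAV actually
append are not taken from those products.

```python
import struct

# Constructed toy "virus": an 8-byte marker, the host's saved first 3 bytes,
# then filler. Hypothetical, for illustration only.
MARKER = b"\xde\xad\xbe\xef\x13\x37\xc0\xde"
VIRUS_LEN = 40

def build_host(length=200):
    """Fake clean .COM host: MOV AX,4C00h / INT 21h, then NOP filler."""
    prog = b"\xb8\x00\x4c\xcd\x21"
    return prog + b"\x90" * (length - len(prog))

def infect(host):
    """Append the toy body and patch a JMP rel16 at offset 0, as an appending
    .COM infector does; the original 3 bytes are saved inside the body."""
    saved = host[:3]
    target_off = len(host)                 # body starts where the host ends
    disp = (target_off - 3) & 0xFFFF       # rel16 is relative to the byte after the JMP
    patched = b"\xe9" + struct.pack("<H", disp) + host[3:]
    body = MARKER + saved + b"\x00" * (VIRUS_LEN - len(MARKER) - 3)
    return patched + body

def detect_by_tail_offset(data):
    """Amir's scheme: assume the body is always VIRUS_LEN bytes before EOF."""
    start = len(data) - VIRUS_LEN
    return start >= 0 and data[start:start + len(MARKER)] == MARKER

def detect_by_entry_point(data):
    """Vesselin's advice: resolve a leading JMP (E9 rel16 or EB rel8) and look
    for the marker at its target; with no JMP, look at offset 0."""
    if len(data) < 3:
        return False
    if data[0] == 0xE9:
        target = 3 + struct.unpack_from("<h", data, 1)[0]
    elif data[0] == 0xEB:
        target = 2 + struct.unpack_from("<b", data, 1)[0]
    else:
        target = 0
    return 0 <= target and data[target:target + len(MARKER)] == MARKER

def xmodem_pad(data):
    """Xmodem rounds the file up to a multiple of 128 bytes with 1Ah."""
    return data + b"\x1a" * (-len(data) % 128)

def append_validation(data):
    """Stand-in for a tool appending a 10-byte record (contents made up)."""
    return data + b"VAL" + b"\x00" * 7

def immunize(data):
    """Stand-in for an 'immunize' step described as appending 'MsDos'."""
    return data + b"MsDos"

def run_cases():
    """Each case returns (tail-offset verdict, entry-point verdict)."""
    infected = infect(build_host())
    cases = {
        "infected only": infected,
        "infected + Xmodem padding": xmodem_pad(infected),
        "infected + validation record": append_validation(infected),
        "infected + immunize": immunize(infected),
    }
    return {name: (detect_by_tail_offset(d), detect_by_entry_point(d))
            for name, d in cases.items()}

if __name__ == "__main__":
    for name, (tail, entry) in run_cases().items():
        print(f"{name:32} tail-offset={tail!s:5} entry-point={entry}")
```

Only the first case is caught by the tail-offset test; every appended byte
shifts the body relative to EOF and the test goes blind, while the
entry-point test still lands on the body because the JMP displacement is
measured from the start of the file, which nobody padded.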

------------------------------

Date:    Thu, 15 Apr 93 18:48:29 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: New program chair for IDES-of-March Virus Conference

[email protected] (Judy S. Brand) writes:

> The person does not seem to have read my letter last week
> to "Ides of March" attendees.

Uh, what letter? I have not received any such letter - at least not
yet.

> It contained this announcement:

>     "Next year, for the first time, the specialists
>      on our greatly expanded Program Committee will
>      take complete charge of organizing the presen-
>      tations and sessions."

You mean "Next year it will be better"? :-)

> Each program objective or topic will have multiple session
> presiders and be chaired by a member of the Program Committee
> who is a specialist in that area.  For practical reasons, a
> topic occupying more than one track will have co-chairs,
> and in one case one pair of unrelated topics of two or three
> sessions may be chaired by the same individual who knows both.

I don't think that anybody complained about the lack of chairs in the
last conference. The major complaint was about the lack of
organization... Because of that the chairs didn't know what to chair,
where, when, and who was speaking in their sessions and what about.

(BTW, I thought that "chair" means only the object you use to sit on;
you seem to be using it as a synonym for "chairperson"?)

> overall Program Chair.  Professor Richard G. Lefkon, who
> has been Program Chair for a few years running, will devote
> most of his effort at the 1994 conference to making sure the
> registration and premises are well-run.

I'm afraid that this alone might repulse the prospective attendees for
the next conference...

> Dick deserves the
> thanks of us all for his excellent past contributions in
> assembling and overseeing the sessions.

Huh? Dick is probably a nice chap (well, those two who were thrown
out by the security guards, reportedly on his order, might disagree),
but one thing I have been unable to observe him doing during the last two
years is organizing conferences...

> affiliations elsewhere, papers are encouraged from all.  Since
> 1989 there have always been at least 2 dozen scheduled speakers
> about computer viruses, with multiple tracks since 1990, and
> in recent years there have been nearly 100 scheduled speakers.

Due to which in 1992 the speakers had about 10-20 minutes to speak.
I'm not sure about how much time they had this year, due to the fact
that nobody knew who is speaking, where, when, for how long, and about
what.

> The 1994 base price will still be $325 for 2-1/2 days, plus an
> optional $40 for half-day beginner courses in different fields.
> Attendees receive a bound proceedings, usually distributed
> before the meeting begins.

Speaking about proceedings, may I remind you that none of us has
obtained them from this year's conference - one month after the
conference!

> As by far the oldest, best known - and the largest - conference

...and probably the worst organized one...

> treating computer viruses extensively, "Ides of March" is an
> annual "must" for many specialists in the security field to meet,
> swap samples and anecdotes, and make new business contacts.  In the

Meeting many specialists and swapping anecdotes is nice, but many of us
go there to present a speech, listen to other speeches, and get the
proceedings. This year I learned when my speech is literally hours
before I had to present it, didn't know where to present it till the
end, and it was announced as something completely different. I
couldn't meet many of the attendees I wanted to meet, because I
couldn't find out where and when they are speaking, or even whether
they were present at all...

I won't discuss in detail such things about the last conference like
the lack of enough food or even place at the gala dinner, the horrible
hotel (sheesh, we have better ones even in Bulgaria), etc... Actually
it was my intention not to comment on it at all, because I feel indebted
to the organizer - he agreed to waive my conference fee and even paid
for three days of my stay in the hotel. But after your message, I just
couldn't resist...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    15 Apr 93 11:47:49 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: New program chair for IDES-of-March Virus Conference


[email protected] (Judy S. Brand) writes:

>overall Program Chair.  Professor Richard G. Lefkon, who
>has been Program Chair for a few years running, will devote
>most of his effort at the 1994 conference to making sure the
>registration and premises are well-run.  Dick deserves the
>thanks of us all for his excellent past contributions in
>assembling and overseeing the sessions.

You must be joking.

If his "contributions" this year, the last, and the one before that are
"excellent", I must have a very different understanding of what that word
means than you do.

>Attendees receive a bound proceedings, usually distributed
>before the meeting begins.

Oh, we do?  Strange, I had not noticed that :-) This year the proceedings
were not distributed at all, and I have not yet - a month later - received
my copy.

>Nearly all the speakers are first
>required to have their papers pass an expert quality review
>where both the judges and the authors remain anonymous.

Unfortunately the papers accepted may not be the same ones as those
which get actually presented.

>As by far the oldest, best known - and the largest - conference
>treating computer viruses extensively, "Ides of March" is an
>annual "must" for many specialists in the security field to meet,

I would change "is" to "was" above.  I went to the conference not because
of the papers presented, but simply to meet other "experts".  However,
the conference has become an embarrassment to several of us.  As I have said
before, I apologize to anyone who attended this year's conference...this is
not what an anti-virus/security conference is supposed to be like.  I will
not be supporting or attending this conference next year - this has already
been too much waste of time and money for too many people.  Instead I will
be doing my best to support two other conferences in USA in '94 - one in the
spring, which is organized by VSI, and the other (the VB conference) in the
fall.

I would also like to state, as others have done, that I do not want to have
my picture on any future brochures.

- -frisk
- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: [email protected]         fax:   +354-1-28801

------------------------------

Date:    Sun, 11 Apr 93 09:56:05 +0100
From:    [email protected] (Inbar Raz)
Subject: Should viral tricks be publicized? (was: Integrity checking)

> [email protected] (Y. Radai) writes:

>   Btw, it should be noted that on Fidonet there appeared an article
> describing tricks which can be used by virus writers to prevent tra-
> cing and disassembly of their code.  The reason I mention this parti-
> cular article is that it appeared under the name of someone who has
> been contributing to this forum recently, Inbar Raz.  The article is
> called "Anti Debugging Tricks", and one of the virus writers found it
> useful enough to forward it to 40 Hex (Number 9).

Ahem. This is SURELY not what I had in mind when I compiled that article.

That article is a result of the crackings I did in the past. I collected all
the fairly useful tricks I've come across, and published them. I only crack to
learn, and teach others. I have already advised at least one person how to
alter his protection scheme to make it tougher.

I consider myself on both sides. True, I do some cracking, occasionally. I am
not ashamed of it, because most of my Assembly knowledge, which people tend to
appreciate more than myself, has come from there. And, as you saw, I routed
this experience/knowledge to useful routes.

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 [email protected]

- --- FMail 0.94
* Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)

------------------------------

Date:    Thu, 15 Apr 93 23:08:22 -0600
From:    [email protected]
Subject: Virus Signatures

I was wondering why there is not anyone that periodically posts NEW virus
Signatures.  This would be very helpful to people in between releases of
different virus scanners.

I know this might be helpful to the writer of that virus but there has
to be a middle ground.

Alan Jones



------------------------------

Date:    Fri, 16 Apr 93 03:22:07 -0400
From:    "Roger Riordan" <[email protected]>
Subject: IDES-of-March Virus Conference

[email protected] (Judy S. Brand) writes

It appears that someone who had been on the 1993 New York
> "Ides of March" program committee mistakenly reported to
> Virus-L that there were no significant changes for 1994.
>
> The person does not seem to have read my letter last week
> to "Ides of March" attendees.  It contained this announcement:
>
>     "Next year, for the first time, the specialists
>      on our greatly expanded Program Committee will
>      take complete charge of organizing the presen-
>      tations and sessions."

Each delegate to the recent conference paid a registration fee
ranging from $325 to $425.  If we add a conservative $200 for
accommodation and travel, and $400 for two days pay, and we assume
that there were 500 paying delegates (in the absence of any
reliable information on the subject), and add the costs of the
exhibitors, and overseas delegates, the total cost of this
conference was almost certainly well in excess of $500,000.

If any individual had paid this amount for a service which failed
as dismally as did this conference, they would certainly take
legal action.  Unfortunately it would be difficult to establish
just how much loss the delegates had suffered, and difficult for
any individual to take action.  However the registration form
clearly stated "Registration includes Proceedings, ... ".  As
these are valued (by the organisers) at $100 per copy, the
organisers are in clear breach of contract to the tune of
something like $50,000.

I have been promised that I would receive the proceedings in a
couple of weeks, but as we were promised we would receive
them "Tomorrow", then "they will be posted first thing next
week", I place no credence in this.

Despite all this Ms Brand appears to think that the organisers
can make a few cosmetic changes and continue as before.  Is
there anyone, or any organisation, who/which is in a position
to ensure firstly that the organisers meet their legal obligations
with respect to the Proceedings, and secondly that they are not
permitted to attempt to repeat this fiasco?



Roger Riordan                 Author of the VET Anti-Viral Software.
[email protected]

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727


------------------------------

Date:    Fri, 16 Apr 93 11:13:51 -0400
From:    [email protected] (A. Padgett Peterson)
Subject: Re: Beneficial/Non-Destructive

>From:    [email protected] (Vesselin Bontchev)

>Don't be so sure... Suppose that the beneficial virus does the
>following:

>1) Modifies only one executable file on your system.
>2) This file is an anti-virus program.
>3) The modification consists of replacing the program with a newer
>copy.
>4) The virus infects your computer when you log to the LAN server.
>5) The virus has been installed on the LAN server by the LAN
>administrator.
>6) The LAN owner has a policy that no workstations are allowed to log
>in unless they are running the latest version of this particular
>anti-virus software.
>7) The virus (actually a worm - it does not "attach" itself to
>programs and spreads via networks) does not do anything else.
>8) The whole thing is marketed by the producer of the anti-virus
>software not as a virus, but as "a centralized method for automatic
>update of the software on the workstations".

My question is: why do you need a virus (or worm) to do this ? All
you need is a regular program that runs as part of the login script,
detects the version via strobe/date/size/checksum and performs a copy/
execute if an update is needed. McAfee's CHKSHLD in a .BAT will do this
function plus verify that the TSR is functioning properly and is neither
virus nor worm (neither the .BAT nor CHKSHLD needs to be copied to the
client).

                               Warmly,
                                       Padgett
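
An added example of the login-script check Padgett describes (written for
this edit; it is not his CHKSHLD batch file and does not model that tool):
compare the workstation's copy against the server master and copy only when
they differ. The constructed scenario also shows why the checksum, not size
and date, should be the deciding test: a copy altered in place with the same
length and timestamp passes the date/size comparison and fails the checksum.
File names, contents and directory layout are made up; a real deployment
would additionally verify the master's publisher signature, which this
sketch omits.

```python
import hashlib
import os
import shutil
import tempfile

def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents: the check that matching size and
    timestamp cannot fool."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def needs_update(local, master, method="checksum"):
    """True when the workstation copy must be replaced from the server.
    method="date-size" is the cheap test; "checksum" is the one to rely on."""
    if not os.path.exists(local):
        return True
    if method == "date-size":
        ls, ms = os.stat(local), os.stat(master)
        return (ls.st_size, int(ls.st_mtime)) != (ms.st_size, int(ms.st_mtime))
    return file_digest(local) != file_digest(master)

def sync_from_server(local, master):
    """The login-script step: copy only when needed; copy2 keeps the master's
    timestamp so a later date/size test also sees a match."""
    if not needs_update(local, master):
        return False
    os.makedirs(os.path.dirname(local), exist_ok=True)
    shutil.copy2(master, local)
    return True

def demo():
    """Constructed scenario in a temporary directory (names and contents are
    made up): a fresh workstation, a current one, and one whose copy was
    altered in place with the same length and timestamp."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        master = os.path.join(d, "server", "SCAN.EXE")
        local = os.path.join(d, "ws", "SCAN.EXE")
        os.makedirs(os.path.dirname(master))
        with open(master, "wb") as f:
            f.write(b"MZ" + b"\x00" * 30 + b"scanner v1.00")   # fake binary
        results["fresh"] = sync_from_server(local, master)       # copied
        results["current"] = sync_from_server(local, master)     # nothing to do
        with open(local, "r+b") as f:                            # tamper in place
            f.seek(2)
            f.write(b"\x41" * 30)
        st = os.stat(master)
        os.utime(local, (st.st_atime, st.st_mtime))              # restore timestamp
        results["tampered_date_size"] = needs_update(local, master, "date-size")
        results["tampered_checksum"] = needs_update(local, master)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} needs update: {v}")
```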


------------------------------

Date:    16 Apr 93 16:14:21 +0000
From:    [email protected]
Subject: Re: Macintosh [and non-PC] Postings

[email protected] (Charles A. Patrick) writes:
> Of late I have noticed that there has been a distinct dearth of postings
> about NON-PC's. In particular, I have seen no postings about Macintosh virii.
> Certainly I have no recollection of postings about the most recent one that
> precipitated version 3.1 of Disinfectant.
>


Well, there was a lengthy post on the latest virus for the Mac.  The
reason I think there aren't any postings for the Mac is because Mac users
have more respect for their environment, and fewer viruses are written.  If
there aren't any new viruses to talk about, and the old ones are taken
care of by the detection programs out there, then there is nothing to
discuss.  I think, though, if a Mac posting is made, the subject should be
easily identifiable as a Mac posting and it should stand out, because
there are so few of them.

- - Keith
__________________________________________________________________________
Keith Cooley
EE Macintosh Lab Administrator
Louisiana Tech University
Ruston, LA  71272
[email protected]

------------------------------

Date:    Fri, 16 Apr 93 09:17:21 -0700
From:    [email protected] (McAfee Associates)
Subject: Forwarded message from Scotland Yard

Hello All,

I was recently contacted by DC Noel Bonczoszek of the Computer Crimes Unit
at New Scotland Yard in London.  As some of you may be aware, Noel is one
of the folks responsible for arresting the members of ARCV, a UK-based
group of virus-writers.  He would like to speak with anyone who suffered
an infection from any of their viruses (listed below).  If you have been
infected by one of their viruses, or know of someone who has, then please
give him a call at +44 (71) 230-1177 during office hours (GMT), or send
him a fax at +44 (71) 230-1275.

A list of viruses written by ARCV:

159
199
224
240
330
334 (Made)
334-2
Alpha
Anna
ARCV '93 (ICE-9)
ARCV 1
ARCV 2
ARCV 3
ARCV 4
ARCV 5
ARCV 6
ARCV 7
ARCV 8
ARCV 9
ARCV 10
ARCV Sandwich
ARCV Xmas
Benoit
Chad
Coolboot
Dennis 1
ECU
Friends
Jo V1.01
Joanna Exersiser
Joanna V1.11
McWhale
More
Nichols
Reaper Man
Scroll
Scythe
Small ARVC
Small EXE
Solomon
Spawn 1
Toxic
Toxic 2
Toxic 3
Toxic C
Two Minutes to Midnight
X-1
X-2
Zaphod

Please bear in mind that I'm only forwarding this message for DC Bonczoszek.
If you have any questions, please contact him directly.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: [email protected]
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE

------------------------------

Date:    Fri, 16 Apr 93 18:04:32 +0000
From:    [email protected] (Mohammad Razi Khan)
Subject: Re: Should viral tricks be publicized?

Virus writers will write viruses, Anti-Virus writers will write
anti-virus programs, I think it should be publicised, only
to inform the (uninformed) public about how easy it actually
is, you wouldn't believe the amount of people who "trust".
I had one friend who was a new computer user, had 2 different
viruses on his system and didn't even know it!

There are also another extreme group of people, paranoid about
security, who cringe at even hearing the word virus, and all the
hype about michelangelo did bring many of them out.  If these
viruses were made to be public domain then

a.) trusting people will see what they really are up against
b.) paranoid people will see how trivial most viruses are.

heck, who can't make a batch program that goes

echo Y|del *.*


Also, people, in general, will know how to effectively combat a virus
by themselves.  I sometimes think AV people are reluctant to give out info
because they get paid for the programs, but that's not all people, only
a few.

Well, anyway, I think they should be public domain.

- --
Mohammad R. Khan                /    [email protected]
After July '93, please send mail to  [email protected]



------------------------------

Date:    Fri, 16 Apr 93 18:21:54 +0000
From:    [email protected] (ABCDefghIJKLm)
Subject: Re: Survey

[email protected] (Fridrik Skulason) writes:
>Well, as countries don't write viruses, but people do, this question can
>be assumed to mean either:
>
>2.  Do you believe that programmers in some countries write viruses designed
>    to infiltrate computers in other countries?
>
>or
>
>2.  Do you believe that it is an official policy in some countries to write
>    viruses designed to infiltrate computers in other countries?

When I say 'countries' it implies 'government'... ie, Do You believe
that some governments write viruses meant to infect computers in other
countries?

Which, even though I can see where you could get confused, would imply
the original meaning was your second question (Do you believe it is an
official policy...)

But, one thing to point out in phrasing it as such... the policy doesn't
have to be a public policy (just look at most of the USA's policies 8^) ).

Sorry for the confusion...


Mdd
- --

"Ah, Ah, Ah, Ah, AAAAAAAAAAAH!!!!"            [email protected]
-- Queen, Ogre Battle                        [email protected]



------------------------------

Date:    Thu, 15 Apr 93 17:27:17 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: ANSI viruses and things that go bump in the night (mostly PC)

[email protected] (Sten Drescher) writes:

> screen colors in my PROMPT string?  Answer: it doesn't.  A better
> answer, rather than to tell people to make binary patches to their OS,
> is to use one of the multitude of ANSI drivers that don't support, or
> allow you to disable, key redirection.  Just off the top of my head I
> can think of NANSI, NNANSI, ZANSI, ANSIPlus, and ANSI.COM (from PC Magazine).

Speaking about ANSI drivers, does anybody know one which:

1) Is public domain or freeware or shareware (I'm not interested in
commercial implementations);

2) Runs on anything, including CGA (I'm not interested in
implementations that require at least EGA);

3) Supports everything that the DOS ANSI.SYS does (I'm not interested
in restricted versions);

4) Can be loaded both as a device driver and as a TSR;

5) Allows the user to optionally disable keyboard programming with an
option from the command line (I'm not interested in implementations
that don't allow keyboard programming at all or that have to be
re-compiled in order to change their behavior);

6) Comes in source.

?

As far as I know (haven't seen the latest versions), none of the
drivers mentioned by you satisfies all of the above conditions... Does
anybody know a driver that does satisfy them?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany
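
An added example (written for this edit, not code from any poster) of what
the "keyboard programming" these drivers implement looks like in data, and
how to spot it. ANSI.SYS key reassignment is the sequence ESC [ key ;
replacement ; ... p, where the key is an ASCII code (or 0;scan for an
extended key such as F1) and the replacement parts are quoted strings or
further codes. The Python below finds those sequences in a text, decodes
what they would rebind, and strips only them while leaving colour, cursor
and clear-screen sequences intact, which is the "disable keyboard
programming" switch applied to the data rather than the driver. The sample
is a constructed BBS-style message; one of its two hypothetical "bombs" maps
Enter to the destructive batch line quoted earlier in this digest.

```python
import re

# ANSI.SYS control sequence: ESC [ params final-byte. Only key reassignment
# (final byte 'p') may carry quoted strings in its parameters.
_CSI = re.compile(r'\x1b\[((?:"[^"]*"|[0-9;])*)([A-Za-z])')

def parse_reassignment(params):
    """Decode the parameter part of an ESC[...p sequence into
    (key, replacement), or None if it is not well-formed."""
    toks = re.findall(r'"[^"]*"|[0-9]+', params)
    if not toks or toks[0].startswith('"'):
        return None
    if toks[0] == "0" and len(toks) > 1 and not toks[1].startswith('"'):
        key, rest = f"ext:{int(toks[1])}", toks[2:]   # 0;scan, e.g. F1 is 0;59
    else:
        key, rest = f"ascii:{int(toks[0])}", toks[1:]
    repl = "".join(t[1:-1] if t.startswith('"') else chr(int(t)) for t in rest)
    return key, repl

def find_key_reassignments(text):
    """Return (offset, key, replacement) for every reassignment sequence;
    colour, cursor and clear-screen sequences are ignored."""
    found = []
    for m in _CSI.finditer(text):
        if m.group(2) == "p":
            parsed = parse_reassignment(m.group(1))
            if parsed:
                found.append((m.start(),) + parsed)
    return found

def strip_key_reassignments(text):
    """Remove only the ESC[...p sequences and keep the harmless ones."""
    return _CSI.sub(lambda m: "" if m.group(2) == "p" else m.group(0), text)

# Constructed sample: ordinary colour codes plus two hypothetical bombs
# (Enter -> a destructive batch line with CR, F1 -> "dir" with CR).
SAMPLE = (
    "\x1b[1;33mWelcome to the board!\x1b[0m\r\n"
    "\x1b[13;\"echo Y|del *.*\";13p"
    "Have a nice day.\x1b[2J"
    "\x1b[0;59;\"dir\";13p"
)

if __name__ == "__main__":
    for off, key, repl in find_key_reassignments(SAMPLE):
        print(f"offset {off}: {key} -> {repl!r}")
    print(repr(strip_key_reassignments(SAMPLE)))
```

The regex deliberately accepts a quoted string anywhere in the parameters so
that a bomb is still caught when the string is given first; a driver that
only "disables" reassignment by ignoring ESC[...p is equivalent to running
strip_key_reassignments over everything it displays.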

------------------------------

Date:    Thu, 15 Apr 93 17:34:42 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Optimum Strategy for Virus Checking (PC)

[email protected] (Roger Riordan) writes:

> The strategy we use is to scan till we find a subdirectory,
> immediately dive into it, continue till we find another
> subdirectory, and so on.

I see, you are using a depth-first directory tree traversing.

> This is certainly not ideal, from the
> theoretical point of view, but it is something which will work
> on any PC, and has a good chance of catching a real virus,
> without making the scan time so long that the test is disabled.

Sure, but it can be improved, IMHO.

> If you are computer literate, and know which programs you use,
> you can devise a better strategy, or you can check the lot if you
> like, but an imperfect test which is performed is better than an
> ideal test which is disabled.

If the user is computer literate, s/he probably would have organized
his/her disk in such a way that the directories listed in the PATH
variable appear first in the directory tree, so your method will work
reasonably well. However, for the casual user whose directory tree is
more likely to be a complete mess, it is possible to devise an
improvement of your method. How about the following:

1) Check the command interpreter;

2) Check the first few files in the root directory;

3) Check the first few files in the current directory;

4) Check a few files (randomly selected) in each directory listed in
the PATH variable;

5) Check the first few files in the first subdirectory of the root
directory;

6) Check the first few files in the first deepest subdirectory (i.e.,
your current approach).

I think that 10 is a reasonable number for "a few". This procedure is
a bit more complex to implement than the one you are currently using,
but will run just as fast and will increase the chance to catch the
virus.

> There are viruses which do not visibly affect the memory map, but
> Necropolis, like Jerusalem, goes TSR, and changes the loading

Well, an important difference is that Jerusalem can be -easily-
spotted with memory inspection tools like MAPMEM, while Necropolis
cannot.

> Most of the recent viruses load at the top of memory where they
> are readily detected.

Yes, they are using the "Dark Avenger" method, or the method the boot
sector viruses are using. But sooner or later the virus writers will
switch to more sophisticated schemes... With the lack of memory
protection in DOS, there are plenty of holes for an unknown virus to
hide... Hiding a known virus is significantly more difficult, but
several tricks are possible too...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

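The six-step selection order above, as an added example that is not part of the digest: a Python model that computes which files such a quick scan would check, run against a constructed in-memory directory tree (dict order stands in for on-disk entry order; the tree, COMSPEC, current directory and PATH are assumed sample values).

```python
import random

FEW = 10  # the post's suggested value for "a few" files per location

# Constructed sample tree: directory -> files in entry order (not a real disk).
SAMPLE_TREE = {
    "C:\\": ["COMMAND.COM", "AUTOEXEC.BAT", "CONFIG.SYS", "WINA20.386"],
    "C:\\DOS": ["FORMAT.COM", "SYS.COM", "EDIT.COM", "QBASIC.EXE", "XCOPY.EXE"],
    "C:\\DOS\\OLD": ["CHKDSK.EXE"],
    "C:\\GAMES": ["DOOM.EXE"],
    "C:\\GAMES\\DATA": ["LEVEL1.WAD"],
    "C:\\UTIL": ["PKZIP.EXE", "PKUNZIP.EXE", "LIST.COM"],
}

def join(d, f):
    return d + f if d.endswith("\\") else d + "\\" + f

def files_in(tree, d):
    return list(tree.get(d, []))

def subdirs_of(tree, d):
    # Immediate child directories, in entry order.
    prefix = d if d.endswith("\\") else d + "\\"
    return [k for k in tree if k != d and k.startswith(prefix)
            and "\\" not in k[len(prefix):]]

def first_deepest(tree, d):
    # Riordan's depth-first rule: keep diving into the first subdirectory
    # found until a directory with no subdirectories is reached.
    while True:
        subs = subdirs_of(tree, d)
        if not subs:
            return d
        d = subs[0]

def quick_scan_order(tree, comspec, cwd, path_dirs, root="C:\\", seed=0):
    """Return the files to check, in Bontchev's priority order, no repeats."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    order, seen = [], set()
    def add(paths):
        for p in paths:
            if p.upper() not in seen:
                seen.add(p.upper())
                order.append(p)
    add([comspec])                                           # 1) interpreter
    add(join(root, f) for f in files_in(tree, root)[:FEW])   # 2) root dir
    add(join(cwd, f) for f in files_in(tree, cwd)[:FEW])     # 3) current dir
    for d in path_dirs:                                      # 4) PATH dirs
        fs = files_in(tree, d)
        add(join(d, f) for f in rng.sample(fs, min(FEW, len(fs))))
    subs = subdirs_of(tree, root)
    if subs:                                                 # 5) first subdir
        add(join(subs[0], f) for f in files_in(tree, subs[0])[:FEW])
    deep = first_deepest(tree, root)                         # 6) first deepest
    add(join(deep, f) for f in files_in(tree, deep)[:FEW])
    return order

if __name__ == "__main__":
    for p in quick_scan_order(SAMPLE_TREE, "C:\\COMMAND.COM", "C:\\GAMES",
                              ["C:\\DOS", "C:\\UTIL"]):
        print(p)
```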
------------------------------

Date:    Thu, 15 Apr 93 18:34:38 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Viruses and Canada (PC)

[email protected] (alan parker S) writes:

> software in general use is from Leprechaun, Virus Buster; now the latest hit
> is of a new variant of Stoned which is detected by Scanv102, and F-prot-207
> as new variants, but I haven't seen or read anything about a new variant..

What do you mean? There are several dozen Stoned variants; most of
them are not described anywhere, and new ones are popping up every
day...

> The trend seems to be turning msdos/io.sys files as non-hidden, and
> increasing io.sys for example to 40470 under dos 5.  The norm also seems to

No Stoned variant does this. You might also have a different virus - a
file infector this time.

> be DD floppies becoming 1.3+Gigabytes of storage space with the obviously
> dubious file names it creates.

This means that the root directory is scrambled. Indeed, Stoned can
cause this.

> I note also that stoned appears to have dos
> 3.x as part of its make up.

Huh? What do you mean?

>       I've read recently much about the wonders of Untouchable(tm); now
> I've had 3 different suites of programs from them, Untouchable 1.3, Search
> and Destroy, and Untouchable NLM, I'm not at all impressed.  The evaluation
> copies sucked.  As I've said the we normally suffer from stoned, although we
> have had a single hit from Form(ouch nasty beastie), and a little something
> from the Mte which proved to be very spreadable.  The Untouchable software
> (all of it) failed miserably with all but the oldest variants of
> Stoned(Manitoba being our most frequent), also the safe disk it had made
> didn't seem to allow corrupted files to be restored from the information
> saved about them, which Virus Buster was able to do.

Wait, wait, wait, there are too many wrong things in the above...
First, as far as I know, Search and Destroy is the scanner/disinfector
part of Untouchable only. The strongest part of the product is its
integrity checker - that is what you must install and use.

Next, what is this "little something from the Mte that proved to be
very spreadable"? I've never heard about any MtE-based virus being
found in the wild - is your university the first case?

Next, the integrity checker from Untouchable is able to repair almost
any possible boot sector infector and certainly Stoned and Form. Are
you sure you have installed and used it in the correct way?

Next, what's so nasty about Form? A silly boot sector infector that
makes your keyboard click on a particular date...

Next, what exactly does "the Untouchable software failed miserably" mean?
Which part of the software? Have you installed the integrity checker
on a virus-free system? If not - why not? Maybe you have used only the
scanner/disinfector?

Next, what corrupted files? Stoned and Form are boot sector viruses;
they don't infect files...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 15 Apr 93 23:11:36 +0000
From:    Joshua Aaron Klein <[email protected]>
Subject: Re: McAfee latest version (PC)

Mike Lastort ([email protected]) wrote:
>
> I was just wondering if there was an address where McAfee's programs are
> available through Internet. I used to subscribe to Compu$$erve but have
> given up that habit when I got this account. Any info on how to ftp
> McAfee's programs would be greatly appreciated.
>
> Mike

       I believe that ftp.mcafee.com will do it...

- --
       *************************************************
       Joshua Klein              INTERNET ADDRESSES
       Amherst College         [email protected]
       Amherst, MA             [email protected]
       *************************************************


------------------------------

Date:    Sun, 11 Apr 93 10:02:06 +0100
From:    [email protected] (Inbar Raz)
Subject: Disk Access via Port Writes (PC)

Jan-Pieter Cornet writes to Inbar Raz about Disk Access by Port Writes:

> I think the virus will not work under OS/2, as a real operating system like
> OS/2 shields the hardware from the user program. I'm not sure about other
> operating systems. This absolutely requires a 386+, tho'

Hmm. Now that you mention it, OS/2 DOES do that. What a relief. That's one
less platform to be affected by such malicious code.

> Also, will your virus work on 2.88M drives? SCSI drives? Wang/DEC/
> other incompatible computers? (sold as IBM clones of course, not VAXes
> etc ;)

This is NOT a VIRUS. Please. I never wrote one, nor will I.

That was experimental code. Since I only have AT-type (IDE) drives, I
only know AT THE MOMENT how to access IDE drives via ports. However, I have
the ANSI specifications of SCSI too (as well as SCSI-2), so given such a
hard disk, I believe I could write the equivalent code in less than two hours.

> On the other hand I think there are a lot of viruses not able to replicate
> on all systems... so on the majority of systems "your" virus will probably
> be effective regardless of any virus shields.

I don't think so.

When I thought about this technique, my fear was NOT for viruses to use it to
MULTIPLY, because you can scan for them anyway. My fear was that viruses will
implement such a technique to CAUSE MALICIOUS HARM. And believe me, there's a
lot of harm you can do with ports, that you can't do with INT 13h...

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 [email protected]

- --- FMail 0.94
* Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)

------------------------------

Date:    Mon, 12 Apr 93 23:44:02 +0100
From:    [email protected] (Marcin Dobrucki)
Subject: 5lo virus? (PC)

   While using F-PROT 2.07 I got a message that some 60 files on my
   drive are infected with 5lo (?) virus.  However after checking
   the virus list I could not locate such virus nor find any
   information anywhere else.

   Is this some kind of a code name for the PROTO-T virus which
   I suspected was the one I had?

                                   Marcin Dobrucki
   --

- --- GEcho 1.00+/RA 1.11+
* Origin: Empire BBS (9:3581/200)

------------------------------

Date:    Fri, 16 Apr 93 02:43:06 +0000
From:    [email protected] (arthur preiser)
Subject: Disk Death (PC)

       I recently bought a notebook computer.  In my enthusiasm, I
bought several new programs that would make full use of the 386
processor with the 387 Math co-processor and the 8 megs of ram.
Anyway, I let a friend run some numbers through lotus 1-2-3 on my
computer.  Right in the middle of calculating something, my virus
detector went off.  I scanned the hard drive and found the disk to be
infected.  The problem was, my virus cleaning program was infected.  I
tried to recover my information with the original copies of the virus
program, but the virus was resident and infected my "A:\" drive as
well.  I had to reformat the hard drive on my computer.  I wanted to
know what kind of virus could attack all these files in so short a
time?  What could I have done differently to save my disks?  I don't
know what virus it was or how it infected my system without infecting
my friends.  We ran a virus scan on his computer and it came up
negative.  Is it just me or does anyone else think my friend sabotaged
my system?  How can I prevent this kind of total disaster from
recurring?
       Please excuse me for rambling on.  I'm still getting over the
shock of losing everything.  I was naive and, you guessed it, I
didn't have backups of my work.  I guess a hard lesson learned is a
lesson worth remembering.
       An important question I wanted answered is: what do I do when
all my virus-killing defences are breached?  Is there another line of
defence I could establish?  Should I kill my EX-friend now?

Arthur.
E-Mail [email protected]


------------------------------

Date:    15 Apr 93 23:59:50 -0400
From:    [email protected] (ac999512)
Subject: Re: Unknown little virus? (PC)


>[email protected] (Gary Heston) writes:
>
>>32 bytes isn't enough to write an interrupt service routine, much less
>>anything resembling a virus.
>
>Eh, one can easily write a virus (well, a stupid overwriting one) in less than
>32 bytes - I think 24 bytes is the minimum .... but not a memory resident one.
>
>- -frisk


  24 bytes? That's it? Really? The smallest I've managed to obtain/create
is 27 bytes. I find it hard to believe another three could be stripped. Does
that use 386 instructions?

+-------------------------------------------------------+
| Ed T. Toton III,  Virus Researcher  [email protected] |
|            Press any key.. Except THAT one!           |
+-------------------------------------------------------+

------------------------------

Date:    Thu, 15 Apr 93 22:49:00 -0700
From:    [email protected] (Ullrich Fischer)
Subject: VSAFE WONDER false alarm? (PC)

I've had a number of incidents lately on our 255 PC Novell LAN where
VSAFE reports an executable is infected with the WONDER virus.

F-PROT 2.07, CPAV's SCAN function (1.4), and McAfee's SCANV102 and NETSCAN102
don't find anything, so I'm assuming it is a false alarm.   No suspicious
activity has been detected when the suspect executables are run in the
absence of VSAFE.   I'm using a home-grown CRC checking system which detects
any modifications to key executables and is run whenever any PC boots... this
hasn't detected any modifications to executables as would likely happen if
there really was a WONDER infection.

One of the suspect files is ECODE.EXE, part of a commercial hypertext
system which displays the Canadian Electrical Code.

Has anyone run into similar problems with VSAFE (version 1.4 from
Central Point)?

- --
[email protected]   Before people are governable, they have
                                to have something to lose. - Nils Christie

------------------------------

Date:    Fri, 16 Apr 93 18:27:11 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Removing PingPong virus from boot sectors (PC)

[email protected] (Dave Nebinger) writes:

>   One of the IBM's that I manage has pingpong virus in the boot blocks of

Is it an 8088-based machine?

> the hard drive.  I have Norton's AntiVirus, but it will not remove it.  What

That's strange... NAV should be able to disinfect Ping Pong... You
might have a new variant, but in any case you should contact your
local Symantec support.

> do I have to do to remove the pingpong virus, or is it really nothing to
> worry about?

Boot from a clean diskette and do a SYS C:. This will remove the virus
from the hard disk. It will also leave one cluster, marked as bad by
the virus, but this is not something to worry about. If you are a
perfectionist and know what you are doing, you might use Norton
Utilities to mark the cluster back as unused.

Note: the above advice assumes that even if you are not familiar with
viruses, you are at least familiar with DOS and your PC. If you don't
know what "boot from a clean diskette" means - ask me by private
e-mail. It also assumes that you are smart enough to boot from the
same DOS version as the one installed on your hard disk. And it
finally assumes that if SYS tells you "No room for system files" you
know how to fix the problem with Norton Disk Doctor and its "Make a
disk bootable" capability. If not - ask me by private e-mail.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Fri, 16 Apr 93 18:45:30 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: VSUM (PC)

[email protected] (A. Padgett Peterson) writes:

> I have recently seen the new version of VSUM (currently VSUMX303) and
> must say that the user interface is much improved, particularly the
> part that lets you search the database for a particular string, I
> do not need to use LIST to examine the H! any more (also there is
> no more H!, been replaced by an .XDB).

Well, VSUM has been converted to this new format for quite a while -
I think since version 9212. One thing that I do not understand is why
the new hypertext engine (produced by the same company) is no longer
able to view the old .H! files... Another puzzling thing is why
Patricia Hoffman has disabled the Cut&Paste function - this makes it even
less likely that people export information from there, correct it, and
send her back the corrections...

> Detractors say that it is flawed in the same way that Ralf Brown's
> interrupt list is flawed and it does have errors but I cannot think
> of anything today that is perfect - certainly if you have to ask, it
> is a good place to start.

"Flawed in the same way" is an insult to Ralf Brown's work. I am
using his list intensively and have found only a few minor mistakes
and omissions. At the same time, each time I consult a VSUM entry, I
find it either incomplete, or containing errors, or both. Not to
mention how unnecessarily verbose the articles there are...

> For those on the net, it is available via anonymous FTP from mcaffee.com
> or can be downloaded from many sources but be advised, even compressed
> it is over 800k - bare 2400 baud will take nearly an hour.

The copy on Simtel20 is compressed with the new PKZIP and is a bit
more than 600 Kb.

> Last year I heard about several other compilations "in the works" but
> have not seen any yet so at least for now it is still an essential work.

Two of them are available for anonymous ftp from our site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/vbaseabc.zip
ftp.informatik.uni-hamburg.de:/pub/virus/texts/catalog/cvb-293.zip

The first one is in the same format as VSUM, so you can use the same
hypertext engine (VSUM.EXE) to browse it. Neither of the two is
complete enough (actually, both are ridiculously incomplete), but either
of them is significantly more accurate than VSUM.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 65]
*****************************************
