From lehigh.edu!virus-l  Tue Apr 27 06:58:27 1993 remote from vhc
Received: by vhc.se (1.65/waf)
       via UUCP; Wed, 28 Apr 93 00:01:45 GMT
       for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
       id AA06163; Tue, 27 Apr 1993 18:30:57 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA37628
 (5.67a/IDA-1.5 for <[email protected]>); Tue, 27 Apr 1993 10:58:27 -0400
Date: Tue, 27 Apr 1993 10:58:27 -0400
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #71

VIRUS-L Digest   Tuesday, 27 Apr 1993    Volume 6 : Issue 71

Today's Topics:

contest
Re: Scanners getting bigger and slower
Re: Sending Viruses over Internet/Fidonet
Re: Source of Virus Information
Re: Survey Results
Re: Viral "code"
Congratulations to Dr Solomon
Re: Forwarded message from Scotland Yard
Re: Should viral tricks be publicized?
re: Virus vectors of infection
Seeking virus info
Re: NAV Updates (was Central Point Anti-Virus Updates) (PC)
Re: Professional Group Virusized! (PC)
Re: Single state machines and warm reboots (PC)
Re: V-Sign? (PC)
Re: On the merits of VSUM (PC)
Re: Professional Group Virusized! (PC)
Re: Viruses which cost $$$ (PC)
Re: Viruses which cost $$$ (PC)
Re: Can a virus infect NOVELL? (PC)
Re: Viruses which cost $$$ (PC)
TBAVX600.ZIP - TBAV anti-virus software (optimized *.EXE's)
Disinfectant 3.2 Announcement (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to [email protected].  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk, [email protected]

----------------------------------------------------------------------

Date:    Thu, 22 Apr 93 13:35:02 -0400
From:    [email protected]
Subject: contest

Hi everybody,

[email protected] (Vesselin Bontchev) wrote:

>There are a couple of hundreds of viruses that infect only a SINGLE
>executable on the attacked computer.

Could you give the exact ratio of viruses infecting only a single
executable to the total number of known viruses, e.g. 200/2500?

>>>2) This file is an anti-virus program.

>> Very suspicious activity.

>Elaborate, please. Do you consider it suspicious for somebody to use
>an anti-virus program? Or do you consider it suspicious if the owner
>of a LAN insists that all users are using the latest version of a
>particular anti-virus program?

I apologize for being indistinct. I had in mind that a virus infecting
an anti-virus program is very suspicious activity.

>>>7) The virus (actually a worm - it does not "attach" itself to
>>>programs and spreads via networks) does not do anything else.

>> If virus is something "attaching" itself to programs, then some of existing
>> viruses (boot viruses or companions) are not viruses too.

>We've already been through all this a few times in the past. Please,
>read the appropriate back issues. It all depends on how you define
>"attach".

I've read them. I wish to see a clear definition of "attach". I add here
a suggestion for competitors: when your definition contains the term
"attaching to something (whatever)", please define exactly what you mean
by it.

>define it. So, if you want to understand what Dr. Cohen means when
>speaking about beneficial viruses, don't jump on him - instead try to
>understand his definition of a virus and assume that he is using it
>when speaking about beneficial viruses.

I wish to understand the meaning of "beneficial viruses". Please, could
you send your suggestion to category 4, Ethical definition? I apologize to
Dr. Cohen if anything I wrote looked like "jumping on him" (without nasty
thoughts, please).

>>      CONTEST FOR THE BEST COMPUTER VIRUS DEFINITION

>> 1. Technical definition (in plain language - preferably English)
>> 1. This definition should be short as much as possible,cleared of attributes
>> as "good", "bad", "beneficial" or similar, not mentioning state of user's
>> mind,etc., it should be clearly stated for which environment (e.g. operating
>> system) is applicable and definition should be undoubted.

>It should also emphasize the main capability of the virus that makes
>it different from other programs - merely its ability to spread. Its
>optional side effects (damage, etc.) should left out of the
>definition.

I wouldn't agree that doing damage is an "optional side effect". So, I
leave it to the competitors to decide whether or not to include this
property in their definitions.

>> 2. Technical definition (mathematical)
>> 2. The meaning of every symbol in mathematical formula(s) should be clearly
>> explained.

>I have one here. It is actually Dr. Cohen's definition, with all
>symbols explained and without the abbreviation shortcuts he usually
>uses. It's hand-written and is one A4 sheet of formulae.
>Unfortunately, I don't know TeX enough to translate it into
>electronical form.

Please send it by fax or send a copy by snail mail to the address below.

>> 3. Legislative definition
>> 3. This definition should contain statement which part of virus code could
>> be considered as punishable (supposing virus writing is criminal act).

>Supposing that virus writing is a criminal act would be wrong, because
>it isn't, according to the legislation of most countries. Instead, the
>definition should concentrate on causing (directly or indirectly)
>unauthorized modifications of information stored in computers. It
>doesn't need to deal with the term "virus" at all - the more general,
>the better. It could very well include trojan horses, logic bombs,
>spoofs, hacking, etc. It is all the same from the legal point of view
>- causing directly on indirectly unauthorized modifications to
>computer information, and -this- is what should be a crime.

Causing directly or indirectly unauthorized modifications to computer
information is IMHO too large a frame. Existing laws defined that way are
not sufficient for effective action against virus writers. I agree that
the definition may be extended to trojan horses and logic bombs, but not
to spoofs and hacking. Those are different things. The point is to find a
definition which could possibly be used as the basis for an adequate law
(which doesn't exist now). So, I suggest that competitors stress which
part of the -written- code (virus, trojan horse, logic bomb, etc.) could
be considered punishable.

>> Everybody who doesn't want to compete and feel enough
>> competent to judge quality of definitions is welcome.

>I do feel competent to judge the quality of the first two definitions
>- the technical ones.

O.K. I consider you a member of the jury for these two categories, and all
respective contributions will be sent to you. However, until all members
of the jury (juries) for all categories are known, competitors are asked
to send contributions only to my address [email protected] or the
address below.

I've been asked to add the form "haiku" for category 6, Poethical definition.
I didn't limit the forms; I only said a limerick is the preferable form, but
all others are welcome too (thanks to Mr. Zmudzinsky for an interesting haiku).


Cheers,                     __________________________
                          |                          |
Suzana                    /| Only the best is enough  |\     |\__/|
            /~~~~~~\    / |     good for us!         | \   /      \
         ~\(  * *   )/~   |__________________________|  ~\(  0 0   )/~
           ( \___/  )                                     ( /---\  )
            \______/                                       \______/
           @/       \@                                    @/      \@


- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka          e-mail addresses:
        Department of Computers             [email protected]
        Faculty of Electrical Engineering   [email protected]
        Karlovo namesti 13
        12135 Prague 2                      phone : (+42 2) 293485
        Czech Republic                      fax : (+42 2) 290159


------------------------------

Date:    Thu, 22 Apr 93 17:52:46 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

[email protected] (Amir Netiv) writes:

> I agree on the fact that if a virus encrypts the host program, it might not be
> possible to recover it (unless you keep a backup of some sort, and this is
> also the most generic method of all).

There is also another method that will often work - even if the virus
has encrypted the entire original file. In general, the method
consists of interpreting the virus until it transfers control to the
original program - at which time it should have decrypted it, of
course. The program TbClean from the package TBAV uses this method.
Note that I am not saying that the method is fool-proof - it is just
yet another useful tool against viruses.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 17:56:22 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Sending Viruses over Internet/Fidonet

[email protected] (Donald G Peters) writes:

> Third, PC's and guns and potatoes are all readily available in this country, so
> instructions on how to do bad things with each of these items should fall into
> the same category.  The question is, which takes precedence, the first
> amendment or human decency?  Indeed, would you choose between the first
> amendment or national security???

I'd hate to start a political flame war, but nevertheless, here it
goes.

Please, note that "this country" is not the only one in the Universe.
There are others, which may and often do have different laws.
According to those laws, something that might be obviously allowed in
your country, may be seriously illegal in those other countries. A
very good example is the possession of guns - it is a right of every
US citizen, granted by the US Constitution, but is illegal in most
other countries. (Please, no flames here whether this is "good" or
"bad".)

Unfortunately, viruses and electronic publications like 40-Hex do not
recognize national boundaries. While this electronic newsletter might
be perfectly legal in the USA (or not - I just don't know), it also
might be illegal in many other countries. For instance, I think that
according to the British law, it contains incitements to commit crime
and is thus illegal. (I might be wrong, I am by no means expert in
legal matters.)

The point is that just because something is allowed in your country,
you shouldn't assume that it is also allowed everywhere else and that
it is OK to do it everywhere else. In fact, if you are a responsible
person, you must actually check whether it is permitted in all places
where you intend to promote it. Never forget - the net is
international.

As to the Anarchist Cookbook you mentioned in your message - I've read
parts of it and have to tell you that many of the materials described
there are not freely allowed in Bulgaria, for instance. Not that they
are forbidden - it is just almost impossible for the average private
citizen to find them.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 18:16:58 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Source of Virus Information

[email protected] (Garry J Scobie Ext 3360) writes:

[two excellent sources of information about viruses from Dr. Solomon]

Indeed, those two books are very good. BTW, the second one is
partially mentioned in the FAQ - which is yet another opportunity to
emphasize why people should read the FAQ... :-)

I like significantly less the electronic implementation of Dr.
Solomon's virus encyclopaedia - it contains too little and too general
information about the viruses it describes.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 18:20:34 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Survey Results

[email protected] (MDallin) writes:

> On PC's, F-Prot was the most used scanner... 22 people used it.  8 people
> used McAfee products (Scan, etc).

Strange, according to the download statistics that I have access to
(those of garbo.uwasa.fi and of our ftp site), SCAN is downloaded
approximately three times more than F-Prot. I can see the following
explanations for this:

1) 32 is not a representative number to draw conclusions like yours.
The ftp sites I mentioned deal with hundreds of downloads per month of
only those two programs.

2) You have mainly asked the participants of this forum. I often post
here about superiority of F-Prot, so the folks here are likely to be
informed. It might not be so with the rest of the world... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 18:25:52 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Viral "code"

[email protected] (Donald G Peters) writes:

> People seem to think (as I have in the past) that somehow viral "code" is the
> thing we must not publish.  Do these people think that a documented
> description of the virus function is also wrong?  In fact, an accurate
> description of a program is "functionally equivalent" to the program itself.
> Indeed, an assembler source code program is just a "description" of the
> program it represents.  And a high level language (or English itself) can take
> indirection one level further, without loss of, or change in, functionality.

All the above proves only that it is difficult to define how much
information about viruses is dangerous and how much isn't. Indeed, it
is extremely difficult to make such a decision - and everybody must
make it for him/herself. There is no formal rule that can help.
Everyone has to take the responsibility to decide how much of his/her
knowledge about such ambiguous matters will be more useful than harmful
to the general public.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 19:32:06 -0400
From:    [email protected] (Doren Rosenthal)
Subject: Congratulations to Dr Solomon

To: Dr. Alan Solomon and his associates at S & S International Ltd

Subject: The Queen's Award to Industry for Technology

Dr. Solomon,


Please  accept my congratulations on receiving the Queen's  Award
to   Industry  for  Technology  in  recognition  of   your   many
accomplishments and achievements.


Sincerely,



Doren Rosenthal


------------------------------

Date:    Fri, 23 Apr 93 02:59:09 -0400
From:    [email protected] (David Bath)
Subject: Re: Forwarded message from Scotland Yard

[email protected] (McAfee Associates) writes:

>Hello All,

>I was recently contacted by DC Noel Bonczoszek of the Computer Crimes Unit
>at New Scotland Yard in London.  As some of you may be aware, Noel is one
>of the folks responsible for arresting the members of ARCV, a UK-based
>group of virus-writers.  He would like to speak with anyone who suffered

Computer Crimes *Unit* ???  What, they aren't putting it in the miscellaneous
bucket along with lost dogs and bent fenders?  Congratulations to the
Brits !!!!
--
David T. Bath             | Email:[email protected] (131.170.40.10)
Senior Tech Consultant    | Phone: +61 3 347-7511 TZ=AEST-10AEDST-11
Global Technology Group   | 179 Grattan St, Carlton, Vic, 3153, AUSTRALIA
"The robber of your free will does not exist" - Epictetus


------------------------------

Date:    Fri, 23 Apr 93 08:27:21 -0400
From:    Y. Radai <[email protected]>
Subject: Re: Should viral tricks be publicized?

 I wrote:
>>   Btw, it should be noted that on Fidonet there appeared an article
>> describing tricks which can be used by virus writers to prevent tra-
>> cing and disassembly of their code.  The reason I mention this parti-
>> cular article is that it appeared under the name of someone who has
>> been contributing to this forum recently, Inbar Raz.  ....
>>                                           ....  It's hard for me to
>> imagine that anyone who wrote such an article could have had any
>> intention other than to help the *virus writers*, not the AV people.

 Inbar Raz replies:
> Ahem. This is SURELY not what I had in mind when I compiled that article.
> That article is a result of the crackings I did in the past. I collected all
> the fairly useful tricks I've came across, and published them. I only crack to
> learn, and teach others.

But useful to *whom*?  *Which* others are you trying to teach: the virus
writers or the AV people?  The very fact that you completely ignore
this little distinction says a lot about you.

 Some people expose tricks used by *virus writers* and explain to the
*AV people* how to deal with them.  Your article does the opposite: It
describes tricks, along with sample code, to prevent or bypass tech-
niques used by the *AV people*, something which would be most useful
to the *virus writers*, as is evidenced by the fact that one of them
chose to forward it to 40 Hex.  That's not what you had in mind?
You'll have a hard time convincing me.

> I consider myself on both sides.       <<<<--------------------- !!

Sort of like being both a cop and a crook at the same time, eh?  That
should make you highly trusted by cops and crooks alike!!

 You say you work as a programmer in Data Security?!?  I, for one,
certainly wouldn't want to risk using any program you had written.

                                    Y. Radai
                                    Hebrew Univ. of Jerusalem, Israel
                                    [email protected]
                                    [email protected]


------------------------------

Date:    Fri, 23 Apr 93 10:48:30 -0400
From:    "David M. Chess" <[email protected]>
Subject: re: Virus vectors of infection

> From:    [email protected] (Bruce Ediger)

>My question is, "how do viruses spread?", and the followup question is,
>"are there any pointers to quantification of such spread?"  It would seem
>that the only information on this is contained in the post-mortem reports
>on the 1988 Internet worm and the various DECnet worms.

A very good, and very important, question.  Certainly spread via
all of (A) through (E) happen.  You can add to the list any other
method you can think of whereby program code that's on one machine
at one time can be executed on another machine at another time.
As you point out, it'd be good to figure out the relative
importance of each method for virus spread, so as to know where
to concentrate limited resources.

In our experience, and it's unfortunately mostly anecdotal
rather than systematic, local virus spread happens mostly
via diskette exchange (SneakerNet).  LAN-mediated spread
happens less often, but can have a much larger and more
sudden effect.  Wider spread (between, rather than among,
groups of people who work together) is harder to observe
and track.  That is, it's easy to guess that in a given
incident machine B got infected when a diskette from machine
A was accidentally used to boot it, when A and B are in
the same room.  But how the virus got to Company X in
the first place is generally very hard to determine.
Sometimes an employee finds out that his home machine
is infected, and that the same virus is rampant at
his daughter's university.  Sometimes a machine has been
serviced by someone who discovers that he has an
ongoing infection.  Or whatever.  But most of the time
we just don't find out; the infection is cleaned up, but
the original source remains mysterious.

There are various interesting questions that can be
asked and studied by applying epidemiological methods
to computer-virus spread.  Jeff Kephart here has been
doing some very interesting work on what various
spread-models imply for virus growth and anti-virus
measures.  But we still don't have a good feel for
what a reasonable model of the real world should look
like; which of the theoretical models the real world
most resembles.  That's hard data to gather, especially
when informal networks like SneakerNet play such a
large role.  When a virus/worm spreads mostly or only
via a particular hardware network (as the Internet
worm spread via Internet), the easy and hard things
are somewhat different...

- -- -
David M. Chess                  \   Come home to your wife and family,
High Integrity Computing Lab     \      Come home to the fireside bright.
IBM Watson Research               \
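David Chess mentions spread models without giving one. As an added example, written for this digest rather than taken from his post or from Jeff Kephart's work, the following is a minimal susceptible-infected-susceptible (SIS) model of virus spread in which a cleaned machine becomes susceptible again (the same diskette can re-infect it). It shows the kind of conclusion such models support: whether the virus grows or dies out depends on the ratio of the per-step infection rate to the cleanup rate, so raising the cleanup rate past that threshold is the anti-virus measure that matters. The function names, rates and population sizes are all assumptions constructed for this illustration.

```python
"""Epidemiological spread model for computer viruses.

Added illustration, not code from David Chess's post and not Jeff
Kephart's model: a minimal susceptible-infected-susceptible (SIS)
model. All names, rates and machine counts below are constructed
for the example.
"""
import random


def mean_field_sis(initial_fraction, beta, gamma, steps):
    """Deterministic (mean-field) SIS model.

    i     : fraction of machines currently infected
    beta  : new infections per infected machine per step while almost
            everyone is still susceptible (contacts x infection probability)
    gamma : fraction of infected machines cleaned per step (AV response)
    Returns the trajectory of i over `steps` steps.
    """
    i = initial_fraction
    history = [i]
    for _ in range(steps):
        i = i + beta * i * (1.0 - i) - gamma * i
        history.append(i)
    return history


def equilibrium_fraction(beta, gamma):
    """Long-run infected fraction predicted by the mean-field SIS model.

    The epidemic threshold is beta == gamma: below it the virus dies out,
    above it a stable fraction 1 - gamma/beta of machines stays infected.
    """
    return 0.0 if beta <= gamma else 1.0 - gamma / beta


def simulate_sis(n_machines, initial_infected, contacts_per_step,
                 p_infect, p_clean, steps, seed=0):
    """Stochastic SIS simulation of a SneakerNet-style, randomly mixing population.

    Each step every infected machine exchanges software with
    `contacts_per_step` uniformly random machines; a susceptible partner
    is infected with probability p_infect. Each infected machine is then
    cleaned with probability p_clean and becomes susceptible again.
    Returns the number of infected machines after each step.
    """
    rng = random.Random(seed)
    infected = set(range(initial_infected))
    history = [len(infected)]
    for _ in range(steps):
        newly_infected = set()
        for _machine in infected:
            for _contact in range(contacts_per_step):
                partner = rng.randrange(n_machines)
                if partner not in infected and rng.random() < p_infect:
                    newly_infected.add(partner)
        # Cleanup is applied after the exchange round, so a machine that was
        # infected this step is not cleaned until the next one.
        cleaned = {m for m in infected if rng.random() < p_clean}
        infected = (infected | newly_infected) - cleaned
        history.append(len(infected))
    return history


if __name__ == "__main__":
    # Same infection pressure, two cleanup rates: only the ratio decides.
    for gamma in (0.1, 0.6):
        traj = mean_field_sis(0.01, 0.5, gamma, 200)
        print(f"beta=0.5 gamma={gamma}: final fraction {traj[-1]:.3f}, "
              f"predicted {equilibrium_fraction(0.5, gamma):.3f}")
    print("stochastic, 500 machines, 60 steps:",
          simulate_sis(500, 10, 2, 0.25, 0.1, 60)[-1], "infected")
```

The deterministic version makes the threshold explicit; the stochastic version shows that with a handful of initial infections and random diskette exchange the outcome is the same in expectation but noisy, which is one reason the real-world data Chess describes are hard to fit to a single model.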


------------------------------

Date:    Fri, 23 Apr 93 07:04:00 -0600
From:    "How many days till THURSDAY? :)" <[email protected]>
Subject: Seeking virus info

I am doing a report on computer viruses for a class here at Mankato and I
was wondering if anybody could tell me where I can find some good info
on the viruses themselves.  I have found what seem to be a few outdated
books and most of the other information I have found has been on prevention.
I am just looking for a few good sources if any of you are aware of them.

Thanks,

Laura Galligher
[email protected]


------------------------------

Date:    Thu, 22 Apr 93 17:35:10 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: NAV Updates (was Central Point Anti-Virus Updates) (PC)

[email protected] (Jimmy Kuo) writes:

> NAV update files are available *free* on Compuserve, on Symantec's BBS
> at 408-973-9598 or 408-973-9834.  They may be purchased on a one-time
> basis by people who do not have access to those things or any networks.
> And they can be subscribed to for regular delivery for a fee.  (I'll just
> say, call 1-800-343-4714 x756 for further information on the services
> that cost money.)

Mr. Slade mentioned ftp servers. Will Symantec permit the distribution
of the updates via ftp servers?

> Back to the *free* ways to get updates:  They are available free through
> me by individual request.  They are available through the Virus Help Centre
> (Sweden), ask [email protected], even if *he* is a McAfee Agent.  They can be
> available through anyone who wishes to redistribute.

I wish to distribute them via anonymous ftp. May I do so? I think
that in this way we'll be providing a valuable service to your users.
At least to those of them who do have Internet access but don't call
BBSes.

> Basically, NAV definition file updates are and can be freely distributed in
> its present form (note lack of copyrights).

Even via anonymous ftp?

> We don't support ftp access yet.  We may.  But that's under someone else's
> jurisdiction and has nothing to do with wanting to charge for the updates
> since I already send out updates to anyone who asks.  [Updates are only
> available for 2.1.]

If you don't support ftp access, would you allow others to do it for
you? We also have a BBS at the VTC-Hamburg, but I am not maintaining
it, so I cannot decide what is there and what is not. But I do maintain
our ftp site, so I can put the latest NAV definition updates there, if
Symantec allows us to do so.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 17:49:59 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Professional Group Virusized! (PC)

[email protected] (Robert Hoerner) writes:

>  VB> Uh, wait a minute... Mich uses INT 1Ah to get the current date, so it
>  VB> usually does not trigger on XTs... Or did yours have some kind of CMOS
>  VB> clock?

> On XTs it is (has been) common practice to insert the commands "date" and "
> time" into the autoexec.bat. INT 1Ah will give the system-date as set by the
> user. No CMOS is needed (but highly preferred :-))

Yeah, but we are talking about Michelangelo. It asks about the system
date at boot time, when no operating system is loaded, and when the
user has not had the opportunity to enter the system date - yet.
That's why I expressed my doubt that Mich will activate on such a
system - it activates its payload only at boot time.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 18:08:07 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Single state machines and warm reboots (PC)

[email protected] (Garry J Scobie Ext 3360) writes:

[about the possibility of a virus to survive warm reboot]

> Was this taken off-line and resolved? David, Vesselin?

I thought that we made it clear publicly... OK, never mind, here it
goes.

No, it is not possible for a virus to survive warm reboot unnoticeably
on all kinds of IBM PC compatible machines. It is, however, possible
for it to survive warm reboot on SOME classes of such machines. For
instance:

1) 100% compatible XT machines - using one method.

2) True IBM machines or any other machines, the BIOS of which does not
display any messages during the warm reboot. This can be achieved by a
different method. There are already at least two viruses using it -
Joshi and Alabama.

3) '386 or above based machines, using a third method.

It is also possible for a virus to fake a reboot from a floppy - like
EXE_Bug does - thus making it look as if it has survived the reboot
(even a "cold" one).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 18:30:54 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: V-Sign? (PC)

[email protected] (Barbara Carlson) writes:

> A computer in a public cluster here turned up with what f-prot called
> "V-Sign". It said it infected the boot sectors of each of the drives
> (c,d,e,f) and listed garbage as the name for one of them. Has anyone
> heard of this virus?

Read the FAQ, questions C4 and A7. This particular virus is described
in the Computer Virus Catalog, published by our VTC. Question A7 tells
you how to obtain it (the CVC, that is, not the virus <grin>).

> They had to do a
> hardware reformat of the disk - *three times* -

As usual, this is never necessary.

> could this thing have
> stuck around and diverted a format?

No, but if you don't perform the format competently enough, you
destroy everything but the virus.

> Anything out there that could get
> rid of it??

Boot from a write-protected uninfected system diskette, containing DOS
5.0, and enter FDISK/MBR. This will remove the virus from the hard
disk.

BTW, F-Prot should be able to disinfect it - shouldn't it? You could also
try CLEAN - it can remove the virus and calls it Cansu.

Side question - could somebody with MS-DOS 6.0 verify whether the
FDISK/MBR trick still works and post the results? Thanks.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 22 Apr 93 18:59:16 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: On the merits of VSUM (PC)

[email protected] (Mikael Larsson) writes:

> No, that is not correct, but since most of the common-users get infected
> by viruses like form, cascade etc.. and wants to read about THOSE
> viruses, then I think VSUM is good.

Ah, you think so? OK, let's see...

> Virus Name:  Cascade
> Aliases:     BlackJack, Fall, Falling Letters, 1701, 1704, 1701 Mutation,
>              1704 Format, 1704-B, Cascade-1621, Cascade-1706
                                           ^^^^          ^^^^
Note the sizes.

> Symptoms:    TSR; falling letters; .COM file growth; random reboots

Huh? Random reboots? Cascade?!

> Origin:      Germany

Austria.

> Eff Length:  1,701 or 1,704 bytes

Contradiction - the 1621 and 1706 variants have other infective
lengths. Not to mention that there's also a variant with infective
length of 1661 bytes.

> Type Code:   PRsC - Parasitic Resident Encrypting .COM Infector

What does ".COM Infector" mean exactly? Cascade can infect a file with
EXE extension, if it is of COM-type. For instance - if the Vacsina
virus has converted it into such file. Thus, if you look for Cascade
only in the files with a .COM extension, you might miss some infected
files. That's not just theory - I've seen it happen in exactly the
same combination - Vacsina+Cascade and a scanner that thought it would
be very smart to look for Cascade only in the *.COM files...

> Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, AVTK, NAV, Novi,
>                    UTScan, Sweep, CPAV, VBuster, Gobbler2, AllSafe, Iris,
>                    ViruSafe, Trend, VNet, Panda, VET, Detect+, IBMAV,
>                    DrVirus, Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
> Removal Instructions:  CleanUp, F-Prot, VirexPC, or delete infected files

Huh, the set of removal tools is pretty slim, compared with the number
of programs that are listed as able to detect the virus... In fact,
most of them can also disinfect it.

> General Comments:
>
>       While the original virus had a length of 1,701 bytes and would
>       infect both true IBM PCs and clones, a variation exists of this
>       virus which is 3 bytes longer than the original virus and does not
>       infect true IBM PCs.  Both viruses are functionally identical in all
>       other respects.

Wrong, both the 1701- and the 1704-byte variants infect true IBM PCs
too. It's a bug in the virus - the author -intended- not to infect
such computers, then tried to fix the bug, but unsuccessfully.

>       analysis of them.  The activation mechanisms are based on a
>       sophisticated randomization algorithm incorporating machine checks,
>       monitor types, presence or absence of a clock card, and the time or
>       season of the year.

Pretty clear, isn't it? Now, has the average user understood when the
virus activates?

>       The viruses will activate on any machine with a CGA or VGA monitor
>       in the months of September, October, November, or December in the
>       years 1980 and 1988.

Wrong. The condition is different and significantly more
sophisticated; see our Computer Virus Catalog.

>       Known variant(s) of Cascade are:
>       1701-B: Same as 1701, except that it can activate in the Fall of
>               any year.

So can the original, provided that some other conditions are met (no
internal clock and the user enters the date manually).

>       1704-D: Same as the 1704, except that the IBM selection has been
>               disabled so that it can infect true IBM PCs.

So can the original.

>       Cascade-1621: Based on the original Cascade virus, this variant
>               adds 1,621 bytes to the .COM programs it infects.  Its
>               memory resident TSR is 1,936 bytes, and hooks interrupt 21.
>               Attempts to execute .BAT files on infected systems may
>               result in the scrolling of the message "Insufficient
>               disk space", and the .BAT file not executing.

Nonsense.

>       Cascade-1706: Based on the original Cascade virus, this variant
>               adds 1,706 bytes to the .COM programs it infects.  It is
>               a memory resident virus which employs a 2,064 byte TSR
>               hooking interrupts 1C and 21.  The virus will be located
>               at the end of infected files.

One could think that the original variant does not hook these
interrupts...

>       Cascade-B: Similar to the Cascade virus, except that the
>               cascading display has been replaced with a system reboot
>               which will occur at random time intervals after the
>               virus activates.

Huh?

>       Cunning: Based on the Cascade virus, a major change to the virus is
>               that it now plays music.

Music? Cascade? Hmm... has anybody heard about this one? Have to check
our samples...

Anyway, the different variants of Cascade are listed in such a way,
that it is not possible to identify them - we have even more variants
here (about two dozen), but there's no way one can figure which are
exactly the ones listed in VSUM...

> Virus Name:  FORM-Virus
> Detection Method:  ViruScan, F-Prot, NAV, Novi, Sweep, CPAV, AVTK, UTScan,
>                    VirexPC, Gobbler2, VBuster, AllSafe, ViruSafe, IBM Scan,
>                    Trend, Iris, VNet, Panda, VET, Detect+, IBMAV, DrVirus,
>                    Vi-Spy
> Removal Instructions:  CleanUp, MDisk, NAV, or DOS SYS command

Same problem with the too short list of disinfection tools.

> General Comments:
>
>       When a system is first booted with a diskette infected with the
>       FORM-Virus, the virus will infect system memory as well as seek out
>       and infect the system's hard disk.  The floppy boot may or may not
>       be successful, on the author's test system, a boot from floppy
>       diskette infected with FORM-Virus never succeeded, instead the system
>       would hang.  It should be noted that the virus was received by the
>       author of this document as a binary file, and it may have been
>       damaged in some way.

Now, the above simply means "I don't know"; it is just expressed in a
very sophisticated way. When you don't know something about a virus,
you just get a debugger and see what the virus does. You understand
it, you draw conclusions and make conjectures, then test them on a
sacrificial system. Then you write a careful report. This is how an
anti-virus researcher operates. You don't tell the world "look, guys,
I couldn't replicate the sample that was sent to me, and I have no
idea what it does" and especially you don't call this "information
about the virus"!

>            "The FORM-Virus sends greetings to everyone who's reading
>             this text.FORM doesn't destroy data! Don't panic! Fuckings
>             go to Corinne."
>
>       These messages, however, may not appear in all cases.  For example,

For instance, when the virus is not there... :-)

>       I did not find these messages anywhere on a hard disk infected with
>       Form Boot.

Which means that she has not looked carefully enough or has failed to
infect the hard disk.

>       This virus can be removed with the same technique as used with many
>       boot sector infectors.  First, power off the system and then boot
>       from a known clean write-protected boot diskette.  The DOS SYS
>       command can then be used to recreate the boot sector.  Alternately,
>       MDisk from McAfee Associates may be used to recreate the boot sector.

Or use some -real- anti-virus software. Even McAfee's CLEAN is more
suitable than MDisk...

>       Known variant(s) of the FORM-Virus are:
>       Form II: Based on FORM-18, this variant was submitted in May
>                1992 from an unknown origin.  It is functionally equivalent
>                to FORM-18, though altered to avoid detection by most anti-
>                viral utilities.
>                Origin:  Unknown  May, 1992.

Huh? Now, did you understand that? How is it altered? How do you
figure out that you are infected by this one and not by the original?
How does the original infect you, if you are told that it couldn't be
replicated?

>       FORM-18: Similar to the FORM-Virus, FORM-18 activates on the 18th
>                day of the month, at which time clicking will be heard from
>                the system speaker on systems which have a system clock and
>                CMOS.  Systems without a system clock will most likely not
>                have the clicking occur.

Ah, the story about the activation date is a very funny one; even our
CVC entry contains an error about that. The virus does the following
to get and check the date:

       MOV     AH,4            ;get realtime clock date
       INT     1Ah
       CMP     DL,18h          ;day of the month

However, this function returns the information in DX register in BCD
format! That is, '18h' in this case means 18th of every month, not
18h = 24. The appropriate byte string for INT 1Ah; CMP DL,?? is
CD1A80FA?? and can be found at offset 0B0h of the infected boot
sector. The byte marked with '??' is therefore at offset 0B4h. We have
4 different variants of Form here, and in three of them this byte
contains 18h. In one of them the contents is 05h, which means that
this variant activates on the 5th of every month. All the other ones
activate on 18th of every month - NONE activates on 24th, as is
mentioned in several sources, including ours...

>       FORM-Canada: Similar to the FORM-18 variant, this variant is
>                a minor alteration.  On diskettes, it locates the
>                remainder of the viral code and original boot sector in
>                the first two available, unused sectors on the diskette,
>                marking them as bad sectors.
>                Origin:  Canada  August, 1992.

This is exactly what the original virus does.  (BTW, did you notice
that you are not told how the "original" virus replicates and where
does it store the boot sector?) FORM-Canada is just the original,
working virus.  Actually, I'm afraid that many of the virus variants
listed in VSUM exist only in Mrs. Hoffman's imagination.

Too many mistakes/incorrectnesses/incompletenesses for two "good"
entries for two so common and well-known viruses, don't you think?
Strange that you have been unable to notice them yourself - some of
them are blatantly obvious.

> Sure, there are incorrect info in VSUM, but the users get the general
> idea of what the virus does/does not.

The wrong idea, that is...

> The COMMON user aren't interested
> in all the technical stuff about that virus that they got infected by,
> they wanna see if it does any harm or not, how it spreads.

Unfortunately, this is often wrong too.

> Hope you get my point,

Hope you got mine - wrong information is worse than no information.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany
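Two of Vesselin's points above lend themselves to a small check a scanner author or incident responder can run. The first is the Cascade remark: whether a file is COM-type or EXE-type is a property of its content (an MZ header), not of its extension. The second is the Form date check: the byte string CD 1A 80 FA ?? at offset 0B0h of the infected boot sector, where the day byte must be read as packed BCD because INT 1Ah function 04h returns the date that way. The following is added example code, not code from the original post or from any product named in VSUM; the offset and byte pattern are the ones the post gives, the MZ/ZM signature check is standard DOS loader behaviour, and the sample boot sectors are constructed here for illustration only.

```python
"""Two checks from the discussion above (added example, not from the post).

1. Decide whether a DOS executable is COM-type or EXE-type by content.
   A true MZ executable starts with the signature 'MZ' (DOS also accepts
   'ZM'); any other image is loaded as a flat COM program regardless of
   the extension it happens to carry.
2. Locate the Form boot-sector virus's date check (INT 1Ah ; CMP DL,imm8,
   i.e. the bytes CD 1A 80 FA ??) and decode the day byte as packed BCD.

The sample sectors built below are constructed test data, not captures."""

from __future__ import annotations

MZ_SIGNATURES = (b"MZ", b"ZM")


def is_com_type(image: bytes) -> bool:
    """True when DOS would load this image as a flat COM program.

    The file name is deliberately ignored: a file called FOO.EXE whose first
    two bytes are not an MZ signature is still a COM-type image, which is
    why a scanner that only looks inside *.COM can miss Cascade."""
    return image[:2] not in MZ_SIGNATURES


FORM_DATE_CHECK = bytes.fromhex("CD1A80FA")   # INT 1Ah ; CMP DL,imm8
FORM_DATE_CHECK_OFFSET = 0xB0                 # offset named in the post
BOOT_SIGNATURE = b"\x55\xAA"                  # last two bytes of a boot sector


def bcd_to_int(value: int) -> int:
    """Decode one packed-BCD byte (0x18 -> 18). Rejects non-BCD nibbles."""
    hi, lo = value >> 4, value & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"byte {value:#04x} is not valid packed BCD")
    return hi * 10 + lo


def form_activation_day(sector: bytes) -> int | None:
    """Return the day of the month on which a Form-infected boot sector
    triggers, or None if the sector does not carry the expected date check.

    The pattern is tried first at the documented offset 0B0h; if it is not
    there, the whole sector is searched so a shifted variant is still found.
    """
    if len(sector) != 512 or sector[510:512] != BOOT_SIGNATURE:
        return None
    at = FORM_DATE_CHECK_OFFSET
    if sector[at:at + 4] != FORM_DATE_CHECK:
        at = sector.find(FORM_DATE_CHECK)
        if at < 0 or at + 4 >= len(sector):
            return None
    day_byte = sector[at + 4]          # the '??' byte, at 0B4h in the post
    return bcd_to_int(day_byte)        # 0x18 is the 18th, not 24


def build_sample_sector(day_byte: int,
                        offset: int = FORM_DATE_CHECK_OFFSET) -> bytes:
    """Construct a 512-byte sector with only the date check planted at
    `offset`. Constructed test data; it contains no other virus code."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"      # JMP SHORT + NOP, as many boot sectors start
    sector[offset:offset + 4] = FORM_DATE_CHECK
    sector[offset + 4] = day_byte
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # Extension versus content: a COM-type image under an .EXE name.
    print("FOO.EXE is COM-type:", is_com_type(b"\xE9\x00\x00hello"))
    print("BAR.COM is COM-type:", is_com_type(b"MZ\x90\x00\x03\x00"))
    # The day byte read as BCD versus read naively as binary.
    for raw in (0x18, 0x05):
        print(f"day byte {raw:#04x}: BCD -> {bcd_to_int(raw)}, "
              f"as plain binary -> {raw}")
    print("activation day:", form_activation_day(build_sample_sector(0x18)))
```

Running the module prints the two file-type verdicts and shows the discrepancy the post is about: the byte 18h decodes to the 18th as BCD but would read as 24 if taken as a plain binary value. Feeding a real 512-byte sector dump to `form_activation_day()` gives the day for that particular sample, or `None` when the pattern is absent.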

------------------------------

Date:    Thu, 22 Apr 93 16:04:45 -0400
From:    [email protected]
Subject: Re: Professional Group Virusized! (PC)

Hi Robert,

RH> On XTs it is (has been) common practice to insert the commands "date" and
RH> "time" into the autoexec.bat.  INT 1Ah will give the system-date as set
RH> by the user.  No CMOS is needed (But highly preferred :-))

The reason Vesselin stated that Mich would not trigger on CMOS-less XTs is
because the system date has not been set when Mich makes the check.  Mich
infects the MBR - ie, it is "run" before the autoexec is.

Also, the DOS "date" and "time" commands set the DOS "date" and "time".
The "DOS" date and time are not always equal to the "System" date and time.
In fact, some "times" you need a setup disk to change the "system" date and
time.

Bill Bauserman         [email protected]



------------------------------

Date:    Thu, 22 Apr 93 20:28:21 -0400
From:    [email protected] (Kam Bansal)
Subject: Re: Viruses which cost $$$ (PC)

I knew of a program for the PET (remember the PET?!!) that was a space
invaders type game, and when it started, it resynced the monitor to a higher
scan rate, and over time (I forget how many minutes...) when the user played
the game, it fried the monitor! And yes, there are video cards that can be
resynced via software (and they state in the manuals that you can kill the
monitor that cannot handle the new speed) that could be victims. Also, think
about a virus that changes your CMOS to different clock settings, strange
things would happen with your machine!


                               -Kam  (^8*


------------------------------

Date:    Fri, 23 Apr 93 06:26:50 -0400
From:    [email protected]
Subject: Re: Viruses which cost $$$ (PC)

Vesselin Vladimirow Bontchev answered to:

>> Monitors sounds likely. Disks, possibly. With CPU's
>> that run hot and can be configured perhaps through software, then
>> maybe them too!

> Nope. None of the above.

I remember to have destroyed an EGA Color monitor by installing MS-DOS
version 4.0 on a Sperry HT (an XT from 1986). (I was able to repeat it
with another machine of the same type, but managed to switch it off
quick enough...)

Probably some switch inside this monitor was driven crazy by very
rapid video mode changes caused by a BIOS incompatibility problem.

So software can be really hardware destructive (IMHO).
- --------

Jeroen Donkers, University of Limburg, Netherlands
EMAIL [email protected]



------------------------------

Date:    Fri, 23 Apr 93 10:42:51 -0400
From:    [email protected] (Gary Heston)
Subject: Re: Can a virus infect NOVELL? (PC)

[email protected] (Kam Bansal) writes:
>>   I have a question, can a virus infect NOVELL system?  [ ... ]

It's possible for file infectors to propagate through NetWare servers,
and then infect workstations. A boot sector infector cannot infect a
server from a workstation.

The risk from file infectors is why I scan seven NetWare servers *every*
morning, first thing, with F-Prot.

>       "set executable files read only = on"
>
>Yes, I know the set command is wrong, but what it does is makes *every*
>executable file read only and will not allow *any* file to be written to, so
>the only way to upgrade a file is to first delete it and then copy a new one!

Yes, this will protect the files real well. Including protecting them from
being backed up. There are other problems as well, which is why execute-only
is a bad idea in most situations.

>The real question is what if the following happens...
>
>A virus waits till a user has write rights to SYS:SYSTEM, and then attaches
>itself to a NLM! stream.nlm or clib would be a good start! They are the
>libraries for netware, then once the virus is active, on the server now, not
>the workstation, it can do ANYTHING! From a NLM, you can delete, trash
>anything even if it has read only rights!

However, the virus must first infect a conventional .COM or .EXE file in
order to get onto the server in the first place. The size of such a virus
would seem to be quite large, making it very noticeable when it infects
the .COM or .EXE. Of course, it'd need to have the Novell Developers' Kit
libraries linked in (otherwise it'd be difficult for it to infect a NLM),
as well as the payload. Pretty soon, this gets so complex and unwieldy it's
not likely to work.

>I believe that the new trend of viruses will be for netware (this is my
>opinion!) as NLM infectors!

I don't. Propagation would be a problem, size, bugs, etc. With the
changes in NetWare from time-to-time, they'd be very version-specific,
and would just have to do too much to work. I worry about file infectors,
keep the servers themselves secure so BSIs aren't a problem, and leave
it at that.


- --
Gary Heston    SCI Systems, Inc.  [email protected]   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....


------------------------------

Date:    Fri, 23 Apr 93 13:25:13 -0400
From:    [email protected]
Subject: Re: Viruses which cost $$$ (PC)

[email protected] (Vesselin Bontchev) writes:

>[email protected] (Donald G Peters) writes:
>
>> I think I recall seeing the following warning in one of my books:
>> "Improper use of this register may cause physical damage to your monitor."
>
>That information is a bit out-of-date. It was real, it was a hardware
>bug (in the controller for monochrome monitors, not in the monitors
>themselves), but those (buggy) controllers are not produced any more
>since a long time.
>> Am I correct, is there physical damage that can be done through
>> software?
>Not to the contemporary hardware.

Don't think your way. For further info I would like to direct you
to the comp.os.linux group. I don't read it (I do not have as much time :),
but I receive the mailing list for linux. And there (from time to time) there
are "help wanted???" reports of blowing the monitor by playing around with
Xconfig. (This file contains also some register values.) For VGA-monitors I
do not know for sure because I overrun my monitor from time to time, but I
killed some time ago my EGA-monitor (and it was not monochrome). So damaging
monitors sounds possible to me. (You know, the sounds my monitor gives when I am
taking it beyond its possibilities do not sound nice.) I can think, having
a worse monitor (I mean in quality,...) the same actions could kill the
monitor.

Andreas Kostyrka ([email protected])


------------------------------

Date:    Fri, 23 Apr 93 00:32:52 -0400
From:    [email protected] (Piet de Bondt)
Subject: TBAVX600.ZIP - TBAV anti-virus software (optimized *.EXE's)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
TBAVX600.ZIP    TBAV anti-virus software (optimized *.EXE's)

This file has replaced TBAVX504.ZIP.

Greetings,

Piet de Bondt                   E-mail: [email protected]
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl


------------------------------

Date:    Thu, 22 Apr 93 19:55:08 -0500
From:    [email protected] (John Norstad)
Subject: Disinfectant 3.2 Announcement (Mac)

Disinfectant 3.2

April 21, 1993

Disinfectant 3.2 is a new release of our free Macintosh anti-viral
utility.

Version 3.2 detects the new INIT-M virus.

The INIT-M virus was discovered at Dartmouth College in April, 1993.

INIT-M is a malicious virus. It is designed to trigger on any Friday the
13th. The virus severely damages a large number of folders and files.
File names are changed to random 8 character strings. Folder names
are changed to random 1-8 character strings. File creators and types
are changed to random 4 character strings. This changes the icons
associated with the files and destroys the relationship between
programs and their documents. File creation and modification dates
are changed to Jan. 1, 1904. In some cases, one file or folder on a disk
may be renamed "Virus MindCrime". In some very rare circumstances,
the virus may also delete a file or files.

Note that the next three Friday the 13ths are in August 1993,
May 1994, and January 1995.

The virus can also sometimes cause problems with the proper
display of windows.

The virus only spreads and attacks under System 7.0 or later. It does
not spread or attack under System 6. The Disinfectant protection INIT,
however, will detect an infected application under any system.

The virus infects all kinds of files, including extensions, applications,
preference files, and document files.

The virus creates a file named "FSV Prefs" in the Preferences folder.
If you use Disinfectant to repair an infected system, it will delete
this file.

The damage caused by the INIT-M virus is very similar to that caused
by the INIT 1984 virus. Despite this similarity, the two viruses are
very different in other respects, and should not be confused.

Version 3.2 also contains two other changes:

There was an error in version 3.1 in the changes made to the damaged
file detection code. This error affected only a very few people with very
rare kinds of damaged files. Version 3.2 fixes the problem. Thanks to
Stephen Lardieri of Princeton University for helping to find and fix this
error.

Disinfectant's preferred memory partition has been increased from
700K to 1000K. This fixes a problem scanning some specific applications
with very large CODE resources, including PSpice and Intellidraw. Thanks
to the many users who reported this problem.

Disinfectant 3.2 is available now via anonymous FTP from site
ftp.acns.nwu.edu [129.105.113.52], file
pub/disinfectant/disinfectant32.sea.hqx. It will also be available
soon from most of the other popular sources of free and shareware
software.

John Norstad
Academic Computing and Network Services
Northwestern University
[email protected]


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 71]
*****************************************
