VIRUS-L Digest Tuesday, 7 Sep 1993 Volume 6 : Issue 119
Today's Topics:
Multi-Platform/OS Virus Scanner?
comments on the last virus-l
Re: Dark Avenger Update?
Re: Dark Avenger Update?
Dark Avenger Update?
WARNING -- SPLIT in BREAKARJ.LZH (PC)
Floppy disk virus (PC)
TBAV604.ZIP/TBAVX604.ZIP - Thunderbyte Anti-Virus utilities v6.04 (PC)
Re: Write protect ... (HELP!) (PC)
Exebug1 problems......... aaaggghhhh!! (PC)
Re: Butterfly (Crusades) (PC)
Lambdin's Accuracy Tests (PC)
Re: Butterfly (Crusades) (PC)
Anti-virus package testing (PC)
Re: Any good anti-viral shareware out there (PC)
Vshield v107 (PC)
Re: virusses in .ARJ & .ZIP (PC)
NukePox disinfector? (PC)
Detecting droppers (was: Form virus) (PC)
You never forget the first time (PC)
YB-1 (PC)
DiskSecure II (PC)
announcing DISKSECURE II (PC)
Polymorphism and self-encryption (CVP)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at:
[email protected].
All submissions should be sent to:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 01 Sep 93 08:49:19 -0400
From: Curtis Sawyer <[email protected]>
Subject: Multi-Platform/OS Virus Scanner?
Has anyone dealt with a product called "VFind" by CyberSoft, Inc.?
According to their literature, VFind "Scans for UNIX, MS-DOS, Macintosh,
and Amiga viruses on your NFS network, servers, clients, or stand-alone
systems, in one pass." VFind uses something called a CVDL generic pattern
matching language. I am in the process of trying to get an evaluation
copy; however, I just wondered what other people's experience has been with
this product.
You can feel free to post (obviously) or E-Mail me at:
[email protected] (preferred) .OR.
[email protected]
Thank you in advance for your time and consideration...
---Curt
------------------------------
Date: Thu, 02 Sep 93 07:49:11 -0400
From: <[email protected]>
Subject: comments on the last virus-l
Novell can easily be infected - read the paper presented on this at last
year's (1992) Virus Bulletin conference - also see the improved article in
Computers and Security.
Every Ethernet card does not have a built-in address - or at least some
didn't used to. Also, current routers strip the address of the sending
chip in favor of their own addresses, so you lose this information over any
nonlocal network.
The problem with the turn switch and all the other schemes for flash ROMs
is that like a hard disk with a write lock switch, when you eventually write
enable it for a few seconds to make a legitimate change, the attack can use
that window of vulnerability to win. That's why we need to have a procedure
involving booting from a special disk, starting from power down, in order
to be even a little bit safe:
1: Turn keyswitch to ROM CHANGE position
2: Place permanently write protected disk in disk drive
3: wait till screen tells you to remove disk
4: remove disk and turn keyswitch back to RUN position
The ROM should be set to look for a disk in A after clearing memory. As soon
as the door is closed, it should read from A, verify the write protect status
of A by attempting (and failing) to write to it, use an RSA based (or similar)
cryptographic checksum to verify the legitimacy of the data in A, load its
Flash ROM, put the proper message on the screen, and halt the processor.
This scheme would allow even a bad ROM update to be backed out of because the
loading routine is in ROM not EROM, should prevent unauthorized updates, and
enforces the procedures required to prevent malicious EROM changes.
The reason this scheme is NOT used (even though the hardware designers of most
flash ROMs designed their ROMs to work this way) is that it costs money to add
a switch and the few hundred lines of code required to implement protection,
and we all know that people want protection for free and believe it is safe
even when it isn't. Call a bug a feature, and you have happy customers.
FC
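The keyswitch-plus-write-protected-floppy update procedure described in the post, modelled in Python as an added illustration (not code from the post or from any real BIOS). The toy RSA key (n = 3233), the `Floppy` and `Machine` classes and their method names are assumptions made for the model; the point is the order of the checks and that the loader refuses to touch flash unless every one of them passes.

```python
"""Model of the keyswitch + write-protected floppy ROM update procedure.

Added illustration, not code from the digest. The RSA key is a tiny textbook
key so the arithmetic stays readable; real firmware needs a full-size key and
a proper padded signature scheme.
"""
import hashlib

# Constructed toy RSA key pair (p = 61, q = 53); an assumption for this model.
RSA_N = 3233   # p * q
RSA_E = 17     # public exponent, burned into the boot ROM
RSA_D = 2753   # private exponent, held only by the ROM vendor


class WriteProtected(Exception):
    """Raised by the drive when a write hits a protected disk."""


class Floppy:
    """Disk in drive A: update image, its signature and the write-protect tab."""

    def __init__(self, image: bytes, signature: int, write_protected: bool):
        self.image = image
        self.signature = signature
        self.write_protected = write_protected
        self.scratch = b""  # sector the ROM's probe write would land in

    def write(self, data: bytes) -> None:
        if self.write_protected:
            raise WriteProtected("disk is write protected")
        self.scratch = data  # an unprotected disk silently accepts the write


def image_digest(image: bytes) -> int:
    """SHA-256 of the image, reduced to the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % RSA_N


def vendor_sign(image: bytes) -> int:
    """Vendor side: sign the digest with the private exponent."""
    return pow(image_digest(image), RSA_D, RSA_N)


def rom_verify(image: bytes, signature: int) -> bool:
    """Boot ROM side: only the public exponent is needed to check a signature."""
    return pow(signature, RSA_E, RSA_N) == image_digest(image)


class Machine:
    """The PC: keyswitch, flash ROM contents, and the loader that lives in ROM."""

    def __init__(self):
        self.keyswitch = "RUN"
        self.flash = b"factory-firmware"
        self.halted = False
        self.message = ""

    def rom_update(self, disk: Floppy) -> bool:
        """Loader in (non-flash) ROM. Returns True only if flash was rewritten."""
        # Step 1: the operator must have turned the key to ROM CHANGE.
        if self.keyswitch != "ROM CHANGE":
            self.message = "keyswitch not in ROM CHANGE position"
            return False
        # Step 2: prove the disk is write protected by trying to write to it;
        # the write is expected to fail.
        try:
            disk.write(b"probe")
        except WriteProtected:
            pass
        else:
            self.message = "disk in A: accepted a write; refusing update"
            return False
        # Step 3: the cryptographic checksum of the image must verify.
        if not rom_verify(disk.image, disk.signature):
            self.message = "signature check failed; flash untouched"
            return False
        # Step 4: load flash, tell the operator to remove the disk, and halt.
        self.flash = disk.image
        self.message = "update loaded; remove disk and turn key to RUN"
        self.halted = True
        return True


def run_update(keyswitch: str, disk: Floppy) -> tuple:
    """Convenience wrapper: returns (accepted, flash contents, message)."""
    pc = Machine()
    pc.keyswitch = keyswitch
    ok = pc.rom_update(disk)
    return ok, pc.flash, pc.message
```

Because the loader itself sits in ROM rather than in the flash it rewrites, a bad image that passes the checks can still be backed out by repeating the same procedure with a good one.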
------------------------------
Date: Thu, 02 Sep 93 12:58:33 -0400
From: [email protected] (Rushka)
Subject: Re: Dark Avenger Update?
[email protected] (jenny.m.abar) writes:
>Just wondering if anyone has heard anything about Dark Avenger
>lately, any new viruses, mutation engines, has he been caught,
>etc.
1. No new viruses released. However some people (who
have certain ulterior motives) would like to represent
that he has released new ones.
If he does, there are experts who can confirm he actually has written
xyz beyond most reasonable doubt, as well as verify any communications
with him, subject to the same stringent measures used to assure my communication
with him was valid prior to my interview with him.
2. No new mutation engines. There is a vs1.00, with some text about
Data Destroyers. I personally have not looked at it nor received
any comment from him other than that he has not 'updated' the MTE.
There were, however, several versions of it released a -long- time ago, as I
told some of the a-v community. It is possible this is one of them. I don't
know, because I've not discussed it in any great depth with him. I have seen
"source codes" and object modules of the original MTE..only they were actually
just sourcer outputs, garbage, useless modules, etc.
3. Has he been caught for what? Writing viruses, etc., was not a crime when he
did it. Vesselin has stated no one in Bulgaria cares to catch him, and I've not
heard from anyone who is looking to track down an ex-virus writer, especially
when there are so many whose names and addresses are well known.
--
[email protected] / [email protected] bbs: 219-273-2431
fidonet 1:227/190 / virnet 9:10/0 p.o. box 11417 south bend, in 46624
you are only coming thru in waves..your lips move but i cant hear what you say
------------------------------
Date: Thu, 02 Sep 93 17:37:41 -0400
From: "William H. Lambdin" <[email protected]>
Subject: Re: Dark Avenger Update?
>Just wondering if anyone has heard anything about Dark Avenger
>lately, any new viruses, mutation engines, has he been caught,
The latest thing that I have seen written by Dark Avenger was the Uruguay
virus, but that was several months ago.
Bill
------------------------------
Date: Thu, 02 Sep 93 21:54:53 -0400
From: [email protected] (Chris Unger)
Subject: Dark Avenger Update?
Most of you probably already know this, but in case you
haven't heard: I read a book the other day. Approaching Zero by Paul
Mungo and Bryan Clough. They say The Dark Avenger has (or will be)
created a virus that is encrypted and creates its own strains, over a
billion of them! So it would be kind of hard to track that one down!
--
(*************************************************************************)
(** Chris Unger Kutztown University **)
(** [email protected] Computer Services **)
(** [email protected] (215)-683-4152 **)
(** **)
(** Last night as I lay in bed looking at the stars, I asked myself **)
(** "Where the hell is the ceiling?!" **)
(*************************************************************************)
------------------------------
Date: Fri, 03 Sep 93 10:16:00 +0200
From: [email protected] (Martin Roesler)
Subject: WARNING -- SPLIT in BREAKARJ.LZH (PC)
Hello all!
In Germany a file named BREAKARJ.LZH is floating around. This file contains the
SPLIT virus.
Split is a simple COM infector (250 bytes) and can be detected with the following
signature:
9CFC 8DB6 DF01 BF00 01B9 0200
bye Martin
===============================================================
Martin Roesler, Kolpingstr.7, 84416 Taufkirchen/Vils, 08084/3270
email: [email protected]
--- GoldED 2.41+--IMAIL 1.31/beta
* Origin: Virus Help Munich - call 49-89-92793593 (9:491/1070)
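A small scanner that applies the signature quoted above to .COM images, added here as an illustration (not the poster's tool). The sample buffers are constructed test data rather than infected programs, and the `??` wildcard support goes beyond the post's fixed 12-byte string so the same scanner can take the wildcarded strings other scanners of the period accepted.

```python
"""Hex-signature scanner for .COM files, using the SPLIT string quoted above.

Added illustration, not the poster's tool. Sample buffers are constructed test
data, not infected programs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Signature exactly as posted in the digest: 12 bytes in six groups of two.
SPLIT_SIGNATURE = "9CFC 8DB6 DF01 BF00 01B9 0200"

# Constructed sample files for the demonstration (assumptions, not real programs):
# a clean two-instruction program (mov ah,4Ch / int 21h) ...
CLEAN_COM = bytes([0xB4, 0x4C, 0xCD, 0x21])
# ... and a buffer that merely embeds the 12 signature bytes after a jump and
# some padding, so the scanner has something to find.
SUSPECT_COM = (b"\xE9\x10\x00" + b"\x90" * 16
               + bytes.fromhex(SPLIT_SIGNATURE.replace(" ", "")) + b"\x00" * 8)


def parse_signature(text: str) -> List[Optional[int]]:
    """Turn '9CFC 8DB6 ...' into byte values; a '??' pair is a wildcard (None)."""
    hexstr = re.sub(r"\s+", "", text)
    if len(hexstr) % 2:
        raise ValueError("signature has an odd number of hex digits")
    pattern: List[Optional[int]] = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        pattern.append(None if pair == "??" else int(pair, 16))
    return pattern


def find_signature(data: bytes, pattern: List[Optional[int]]) -> int:
    """Offset of the first match in data, or -1. Wildcards match any byte."""
    n = len(pattern)
    if n == 0 or n > len(data):
        return -1
    first = pattern[0]
    for off in range(len(data) - n + 1):
        if first is not None and data[off] != first:
            continue  # cheap first-byte check before the full comparison
        if all(p is None or data[off + k] == p for k, p in enumerate(pattern)):
            return off
    return -1


def scan_com(data: bytes, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Check one .COM image against named signatures.

    Hits are reported as (name, load address): .COM files are loaded at
    CS:0100h, so file offset + 0x100 is where the matched bytes sit in memory.
    """
    hits = []
    for name, sig in signatures.items():
        off = find_signature(data, parse_signature(sig))
        if off >= 0:
            hits.append((name, 0x100 + off))
    return hits


def scan_file(path: str, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Read a .COM file from disk and scan it."""
    with open(path, "rb") as fh:
        return scan_com(fh.read(), signatures)


if __name__ == "__main__":
    sigs = {"SPLIT": SPLIT_SIGNATURE}
    for label, buf in (("clean", CLEAN_COM), ("suspect", SUSPECT_COM)):
        print(label, scan_com(buf, sigs) or "no match")
```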
------------------------------
Date: Wed, 01 Sep 93 00:11:53 -0400
From: [email protected] (Elisa Aquino)
Subject: Floppy disk virus (PC)
I don't know how to fix my computer because I think it is infected by a
virus.
1. Drive A can only read the first disk. Even if you put in a second disk, the
directory will show the same as the first disk.
2. After I read drive B, drive A is reset to read the first disk, but it is
the same after putting in another disk.
I even reformatted the hard disk, still the same. Then I low-level formatted
the hard disk, also the same.
Any help!
Email: [email protected]
------------------------------
Date: Wed, 01 Sep 93 03:26:36 -0400
From: [email protected] (Piet de Bondt)
Subject: TBAV604.ZIP/TBAVX604.ZIP - Thunderbyte Anti-Virus utilities v6.04 (PC)
I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:
pd1:<msdos.virus>
TBAV604.ZIP TBAV anti-virus software (complete pkg v6.04)
TBAVX604.ZIP TBAV anti-virus - processor optimized versions
Replaces:
tbav603.zip
tbavx603.zip
Greetings,
Piet de Bondt E-mail: [email protected]
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl
------------------------------
Date: Wed, 01 Sep 93 05:40:12 -0400
From: Martin_blas Perez Pinilla <[email protected]>
Subject: Re: Write protect ... (HELP!) (PC)
[email protected] writes:
> My computer (IBM386+110Mb harddisk[C+D part.]+MS-DOS 5.0+Stacker 2.0
> version) displays at each disk operation on C that:
>
> "Write protect error writing drive C
> Abort, Retry, Fail?"
I think that Stacker is the culprit. This problem was discussed last
year in V5#167 of VIRUS-L. What follows is a verbatim copy of a message
from [email protected]:
Subject: Stacker problems (PC)
The last few months I've observed a lot of discussion on
the automatic write protection of stacker drives as a result
of allocation errors.
I had this unfortunate experience this weekend; as a result,
I dialed into the Stacker BBS which was listed in the manual.
They have several nice utilities and text files that you can d/l
for troubles and updates.
Below I have included the text file I d/l on how to get out of
the write-protected problem.
Bruce
------------------------------------------------------------------------
STACKER NOTE Stac Electronics Technical Note
SUBJECT: Write Protected Stacker Drives.
Tec035 - 6/10/92
------------------------------------------------------------------------
When file corruption such as a damaged temp file is detected, Stacker
will write protect the drive as a means of safeguarding data. This
forces the user to run Stacker's SCHECK /F, to repair logical data
structures before anything else can be written to the drive. Stacker
will also write protect a mounted drive if it has not been "padded" to
its full size. The fix for this condition involves the SCREATE
program and is discussed in greater detail in section III.
I. Fixing Errors with SCHECK /F:
SCHECK is similar to the DOS CHKDSK program in that it checks for and
repairs allocation unit errors. Unlike CHKDSK's work at the DOS
cluster level, SCHECK will diagnose and repair at the sector level.
Stacker's ability to store on a sector by sector basis makes this a
necessity. Because SCHECK only repairs sector allocation errors, it
will recommend using CHKDSK to fix any DOS cluster allocation errors
that it has detected. Sometimes SCHECK will offer to delete damaged
files. It is able to do this even though the drive is write
protected. If it offers to do this, make a backup copy of the file
and let SCHECK delete it. After SCHECK has made its repairs, the
write protection may then be removed by rebooting or by unmounting
then re-mounting the drive.
II. Forcing SCHECK to remove the write protection:
DOS errors can be repaired by CHKDSK or another disk repair utility
such as Norton Disk Doctor or PCTOOLS Diskfix. Because SCHECK will
not repair all DOS errors, it may be necessary to force SCHECK to
remove the write protection before one of these utilities may be used.
This should ONLY be done AFTER SCHECK /F has repaired any Stacker
errors. Remove the write protection by typing: SCHECK /=w d: where d:
is the write protected drive. NOTE: DO NOT use this option if the
Stacker drive has been mounted as (SIZE MISMATCH) (Write Protected).
See section III.
Scheck /=w will return the following message. Follow its advice.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The read only status of drive D has been cleared so that you may
delete those files which contain errors. However, the damage to drive
D has not yet been repaired!"
DO NOT ATTEMPT TO WRITE OR CHANGE ANY DATA ON DRIVE D UNTIL
YOU HAVE COMPLETED ALL OF THE FOLLOWING STEPS:
1) DELETE THE FILES CONTAINING THE ERRORS
2) REBOOT YOUR COMPUTER
3) RUN SCHECK /F D:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Restart the system after step 3 to reset the status of the Stacker
drive.
III. Repairing a (Size Mismatched), (Write Protected) Drive.
Stacking a drive is a three step process. First, construction of the
Stacker drive companion file (STACVOL.DSK) begins as compressed files
are copied into it. After all the files have been added, Norton
Speedisk is run to defragment this file and optimize the host drive.
The last step is to "pad" the file (add the free space). If the
process halts for some reason, such as Speedisk discovering a bad
sector or someone tripping over the power cord, the Stacvol file will
be undersized. Upon reboot, as the drive is mounted, the message
(Size Mismatched) (Write Protected) will be displayed. In order to
continue where Speedisk left off and pad the file, it is necessary to
use the Screate program as follows:
Note: insert the Stacker program diskette and issue these commands from
the floppy drive prompt.
1. Unmount the Stacker drive by typing: Stacker -c:
c: is the letter of the drive you wish to unmount.
2. Run SCREATE d: /P
where d: is the letter of the host drive containing the
Stacvol file.
3. After receiving the message "volume created successfully" ,
reboot to mount the drive.
-----------------------------------------------------------------------------
1992 STAC ELECTRONICS
It is possible that some details are different for your version. See the
documentation and good luck.
A personal opinion: Don't use any disk compressor (It is _my_ opinion.
Stacker/SuperStor/etc. fans, please, I don't want to initiate a flame war).
Regards,
-mb
M.B. Perez Pinilla | [email protected] | Write 10^6 times:
Departamento de Matematicas | "I'll never waste bandwidth"
Universidad del Pais Vasco | SPAIN
------------------------------
Date: Wed, 01 Sep 93 10:36:57 -0400
From: [email protected]
Subject: Exebug1 problems......... aaaggghhhh!! (PC)
Hi..
I have a 286 IBM that is infected with the Exebug1 virus.
It seems to be active in the memory and McAffee (sp) scan/clean
tells me to switch off the machine and boot from a floppy and
run scan and clean from there. The problem is however, when I
do this the hard drive is no longer accessible (which makes it
rather difficult to clean :-)
I have tried re-formatting, m-disk, norton disk doctor,
sacrificing a virgin under a full moon and a whole host
of other black magic type things but nothing works.
Could someone (with a non black magic answer) please help...
it is driving me mad.
thanks in advance.
.alan
------------------------------
Date: Thu, 02 Sep 93 08:39:48 -0400
From: [email protected] (Fridrik Skulason)
Subject: Re: Butterfly (Crusades) (PC)
[email protected] (William H. Lambdin) writes:
>1. This variant contains the text string "Hurray the Crusades!"
>2. This variant will infect .EXE files as well as .COM files.
>F-Prot 2.09 detects this virus as Butterfly in .COM files, but misses it in
>EXE files.
Uh...the virus does *not* infect .EXE files as far as I can see. There is
a simple check for *.COM inside it. There is a third variant of this virus
that infects .EXE files, but infected programs *never* work.
> Add this signature to F-Prot or others scanners that allow the
As the current version of F-PROT identifies (and disinfects) the virus,
any concerned F-PROT users can just obtain the 2.09d version.
-frisk
------------------------------
Date: Thu, 02 Sep 93 09:23:34 -0400
From: <[email protected]>
Subject: Lambdin's Accuracy Tests (PC)
Bill Lambdin writes:
> Here is the August 1993 LAT.
> LAT 9308 August 14, 1993
> +--------------------------+----------+---------+-----------+-----+
> | SCANNER | COMMON | POLY- | ZOO |FLAGS|
> | | | MORPHIC | | |
> | | | | | |
> | |36 |56 |1502 1454| |
> +--------------------------+----------+---------+-----------+-----+
> | F-Prot 2.09 |36 100% |56 100% |1480 98.5%| S |
> | TBAV 604 |36 100% |55 98.2%|1462 97.3%| GS |
> | Scan 106 |35 97.2%|52 92.9%|1376 91.6%| S |
> | | | | | |
> | Integrity Master 2.01 |36 100% |54 96.4%|1351 90.0%| GS |
> | Dr Sol A-V toolkit 6.18 |34 94.4%|29 51.8%|1346 89.6%| C |
> | VIRx 2.9 |34 94.4%|34 60.1%|1300 86.6%| S |
> | | | | | |
> | UT Scan 25.1 June 93 SIGS|29 80.1%|33 58.9%|1074 73.9%| CDG |
> | NAV 2.1 Aug 93 SIGS |29 80.1%|24 42.9%|1014 67.5%| C |
> | MSAV w/DOS 6.0 |28 77.7%|17 30.4%| 913 62.8%| D |
> +--------------------------+----------+---------+-----------+-----+
I've noticed your "accuracy" tests for a long time and hoped that they
would eventually improve without my having to comment on them, but I
can't pass over this in silence any more. The question is how such a
comparison can be fair when you don't use the latest version of each
scanner. For example, despite the date "June 93", the fact is that
UT Scan 25.1 was released in *OCTOBER 1992*, while the most recent
version is Ver. 30. (Even Patricia Hoffman updated UTScan to Ver.
28.02 in her VSUM comparison a month ago.)
It's true you write:
> If your company produces anti-viral software, and would like for me
> to test it in LAT, contact me at either of the addresses below.
But is it fair to penalize a product in the eyes of the readers simply
because no one at that company has read your invitation? Or if for
some other reason no one has sent you a free copy of the latest version
of the scanner or scan strings? Does that really justify giving
the readers misleading results?
Also, don't you think it'd be a good idea to explain the meaning of
certain notations in your table without our having to guess? For
example, is "ZOO" supposed to suggest a kind of "zoo" populated by
viruses? (Or could it mean that the infected files are contained within
a ZOO-type archive which the scanner is supposed to be able to unpack?)
And you might explain precisely what "SIGS" means.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: Thu, 02 Sep 93 10:44:42 -0400
From: [email protected]
Subject: Re: Butterfly (Crusades) (PC)
In V6#117, "William H. Lambdin" <[email protected]> writes:
I wish to thank Brian O'Sullivan for uploading SPORT21C.ZIP to The
Metaverse BBS this morning.
Here are the contents of the archive.
Searching ZIP: SPORT21C.ZIP
Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
4853 Stored 4853 0% 07-11-93 14:01 70ff5aa6 --w- DOCUMENT.CO_
1037 Implode 933 11% 07-11-93 14:01 e7a47861 --w- INSTALL.COM
11407 Stored 11407 0% 07-11-93 14:01 0a9cd832 --w- SPORT21C.EXE
3153 Stored 3153 0% 07-11-93 14:01 ec985abb --w- SPORTS.CO_
------ ------ --- -------
20450 20346 1% 4
INSTALL.COM is infected with a new variant of Butterfly.
-=-=-=
(Sorry for the re-formatting... can't be helped.
However; note the compression ratios. 11%? The rest all zeros? Obviously, we're
dealing with compressed files, inside the zip. On my BBS, the FREE FILE FARM
(716-352-1629, 716-352-6544) I have a standing policy against such packages.
I'm willing to bet that the packages that INSTALL is supposed to work with are
also infected, once de-compressed. This may explain why F-PROT missed
BUTTERFLY in these EXE files.....
/E
------------------------------
Date: Thu, 02 Sep 93 16:30:46 -0400
From: [email protected] (OS R & D)
Subject: Anti-virus package testing (PC)
Today I finished some heavy anti-virus package testing. For those
interested, Thunderbyte found 1873 of the 2011 viruses in my
test suite. This scan took a total of 1 minute and 7 seconds.
On the other hand, McAfee SCAN found 1550 of them, and took 1 hour and 14
minutes to do it.
There were a few other packages tested, but I thought that this
comparison was most interesting.
karsten johansson
BTW: this was only one out of several tests done between 6 "top"
packages.
---
[email protected] (OS R & D)
PC Scavenger -- Computer Virus Research, Toronto CANADA (416)463-8384
Free services: send EMAIL to [email protected] or [email protected]
------------------------------
Date: Fri, 03 Sep 93 03:04:39 +0000
From: [email protected] (Michael Lara)
Subject: Re: Any good anti-viral shareware out there (PC)
Myself, I'm partial to the F-Prot shareware program. It's free for
individual users and reasonably priced for businesses/institutions.
For one thing, you can use it in either menu-driven or command-line
mode.
I think the latest version available is F-PROT 2.09d...
Mike :)
------------------------------
Date: Fri, 03 Sep 93 09:52:16 -0400
From: [email protected] (Francisco J. Diaz)
Subject: Vshield v107 (PC)
I was just trying to get Vshield to loadhi under MSDOS 6.0/QEMM 7.01
combo and while it worked fine before, now it refuses to loadhi.
I guess there is some incompatibility between the 2 programs.
There's a lot of upper memory available and I have tried many
different combinations using Vshield's options and still have the
problem. Can anyone help me out on this one? Thanks!
--
| Francisco J. Diaz Rivera | Freenet: [email protected] |
| University of Puerto Rico | Internet: [email protected] |
| Hey Waitress! There's a pubic hair in my soup! |
| "Don't give up, don't ever give up" - Jim Valvano |
------------------------------
Date: Fri, 03 Sep 93 12:47:13 -0400
From: [email protected] (Gary Heston)
Subject: Re: virusses in .ARJ & .ZIP (PC)
[email protected] (Kees Leune) writes:
>Can anyone help me out? I am the sysop of a BBS running WWIV software
>under MS-DOS 5.0 and we have lots of .ARJ and .ZIP software in our transfer
>areas. Last night I was running a virus checker over the software and
>since most of those programs have their default values set to only
>checking executables, these archives were not checked.
So, read the documentation for the software you're running and learn how
to make it scan all files.
I not only scan all files, I redirect the results to a report file, and
then grep out the summary lines. This is sort of necessary on a NetWare
server (seven of them, actually, about to be 10), since there are problems
reading some NetWare files that aren't openable by a regular application.
--
Gary Heston SCI Systems, Inc.
[email protected] site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
# It's a bad year for NASCAR. #7 Allan Kulwicki, #28 Davey Allison, RIP #
# Where was Dale Earnhardt at 3:00PM CDT on July 12? #
------------------------------
Date: Fri, 03 Sep 93 18:34:00 +0000
From: [email protected] (FRANK JUDE WOJCIK)
Subject: NukePox disinfector? (PC)
Does anyone have/know of a disinfector for NPox (NukePox) 2.2? F-Prot
2.09d identifies the infected file as a new variant of NPox, and CLEAN
corrupts the file when it tries to disinfect it. Any help/info would
be appreciated...
Frank
[email protected]
------------------------------
Date: Fri, 03 Sep 93 16:49:14 -0400
From: "Jimmy Kuo" <[email protected]>
Subject: Detecting droppers (was: Form virus) (PC)
William H. Lambdin writes:
>the scanner authors should add the ability to detect droppers. Even though
>they themselves aren't viruses, they should be detected. Some have replied
>to me with " Why? the scanner will detect the virus after it is laid on the
>boot sector." The idea is to detect the dropper before infection takes
>place. It is always best to prevent a user from running a dropper than to
>have the user remove the virus later.
Bill, this logic is slightly flawed.
The correct part of the statement is:
>It is always best to prevent a user from running a dropper than to
>have the user remove the virus later.
But this does not necessarily support your conclusion that scanners need
to detect droppers. That is only one possible way of arriving at the
desired result. Other ways involve mechanisms outside the realm of the
scanner (like blocking the write).
It is simply not feasible for a scanner to detect all forms of packaging
a virus (dropper). Also, it is not feasible to ask that the scanner do
everything you ever need in the battle against viruses. If scanners could
do everything, there wouldn't be any need for other antivirus components
like TSRs and integrity checking.
The idea is that each concept has a task to perform and you should not
rely on just one.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Sat, 04 Sep 93 23:16:30 -0400
From: [email protected] (Gregory Millman)
Subject: You never forget the first time (PC)
I think I've just had my first brush with a virus and I need some
advice. I'm a novice at telecommunications. Last night I went
cruising and had a ball. I stopped in at a couple local bbs. I
downloaded a couple files. I downloaded pkunzip.exe, and pkz204.zip,
and showgif.exe, and tush.gif from a local bulletin board. I also
downloaded a popular internet tutorial, meritcrz.exe, and
meritcrz.zip, and even hyteln65.zip. Maybe I got a little carried
away. Today, when I tried to unzip hyteln65.zip, I got a message
saying there was an error in the zip file. Same message when I tried
to unzip meritcrz.zip. When I tried to run meritcrz.exe using
windows, a message popped up in windows advising me to load my
anti-virus software first. I loaded it. It's the MSDOS 6.0
anti-virus software. It didn't spot anything. But the meritcrz.exe
program wouldn't run. Well, I'd downloaded some text files too, and I
started to read one of those using my wordperfect program. Suddenly,
unbidden, my printer started printing hexadecimal numbers (at least
that's what i think they are). It printed half a page before I shut
it off. Then the wordperfect screen went black at the top, like the
dos prompt, and gibberish figures filled it. Then the computer hung.
I couldn't get it to do anything. I had to shut it off. Even
Ctrl-Alt-Del wouldn't move it. I just cut the power. I ran the MSDOS
antivirus program again when I booted the system back up. It didn't
actually detect a virus, but it flagged a file that had grown by
200-300 bytes. The file's name was PCPLUS.FON. I use Procomm Plus
for telecommunication. I deleted the file from within the anti-virus
program -- that is, the file was in the procomm plus directory but
I deleted it without leaving anti-virus. Then I plugged my original
procomm plus diskettes into my a: drive. I checked the directory.
None of them list anything called a PCPLUS.FON file.
OK, those are the facts as I remember them. I hurriedly
deleted every file I had downloaded yesterday, every one of them
(except the text files which I understand are no threat).
Can anyone tell me what happened? Is this a virus? If so,
why didn't my MSDOS anti-virus program pick it up? IS my system at
risk? I'm a writer and I depend on this Compaq 486 machine for my
work. No machine, no work.
I just discovered this newsgroup this evening, and I notice
all this talk about Chinese Fish and Goddam Butterflies. It's like
listening to somebody with delirium tremens. But maybe somebody out
there can tell me what I need to do. Heck, I only cruised the bbs one
time. And now ... what a headache.
Any information or advice will be appreciated. Thanks.
Best Regards,
Greg
[email protected]
PS: I'm always glad to receive e-mail responses. This situation may
be too basic for extended public discussion before an audience of
savants. Thanks again.
------------------------------
Date: Sun, 05 Sep 93 14:37:28 -0400
From: [email protected]
Subject: YB-1 (PC)
I received a 426 byte direct infector of .COM files.
This virus infected every .COM bait file on my test computer from 2 bytes
- 29696 bytes.
The virus appends to the end of .COM file, and contains the
following text.
! YB-1 & Handsome Dick Manitoba / K hntark
*.COM
????????COM?
The virus is also infectious in the second generation.
This virus isn't reportedly in the wild, so there shouldn't be
any reason to distribute a signature for it.
I am temporarily naming this specimen "YB-1" from the text enclosed
above.
F-Prot 2.09 is unable to detect this virus with either the Secure scan mode
or the heuristics scan mode.
I will be sending a copy of this virus to the following people.
David M. Chess of IBM Anti-virus
Fridrik Skulason Author of F-Prot
Wolfgang Stiller Author of Integrity Master
Bill Lambdin
------------------------------
Date: Sun, 05 Sep 93 18:14:34 -0400
From: [email protected] (A. Padgett Peterson)
Subject: DiskSecure II (PC)
Announcing DiskSecure II (for real) (C) 1993 by Padgett
Today (Sunday 5 September, 1993) I have uploaded to URVAX.URICH.EDU the
complete DiskSecure II v2.31, the first public release.
This is the first major upgrade to the DiskSecure programs since DiskSecure
was first released in 1990 (and is still effective for many users), since
this was the first time I have been able to put something together that I
consider to be a real upgrade, with some features that I did not think
possible a few years ago.
First some philosophy is necessary: For years I have believed that the only
*real* protection for a PC is in hardware. This is still true. Today
however, modern BIOSes have added the one critical feature that I saw first
in a Zenith 248 (286), the ability for the user to select the boot disk.
IMHO, this is *all* that hardware must do, everything else can be handled in
software. (For those machines that do not, my FreeWare SumFBoot and NoFBoot
programs - now use only 256 bytes as TSR - can protect against accidental
"three finger salutes").
True, for really sensitive installations requiring DOD-class security, a
strong full disk encryption with off-line key storage is the only real
answer and such products are available including those with smart cards,
PINs, and self-destruct features. Most are very good but expensive and one
must ask if a PC is the right platform for such work in the first place.
DiskSecure is not designed for a rigorous defense against a physical attack
by a real expert. Instead its first and foremost aim is to provide Integrity
and Availability in a personal and corporate environment in a time of
"rightsizing". Password boot protection has been included for those who feel
they need it but Confidentiality was not a prime concern. Physical security
is the best answer to this.
Two years ago we felt that only experts could deal with viruses and the
standard approach on exception detection was to shut the PC down and call in
a specially-trained technician. Today, few can afford specially trained
technicians at every site.
To answer this, DiskSecure II is specially trained to deal with most MBR and
BSI infectors such as STONED, MICHELANGELO, JOSHI, MUSICBUG, AND FORM
automatically; all the user must do is grant permission for repair. Of
course if booting from the DiskSecure protected partition is selectable, the
PC will not become infected in the first place.
True, some machines do not have boot selection and some low level viruses
are unable to deal with the DiskSecure partition (e.g. AZUSA) leaving
corruption in their wake. Sh*t happens. In this case just booting from a
known clean floppy and running DiskSec2.exe *whether or not the C: drive is
accessible* will accomplish recovery. Unlike commercial scanners with
recovery, DiskSecure assumes nothing and does not rely on knowing *what* has
caused the corruption. Further, in each case, redundant mechanisms are
available - one size does not fit all.
In the past, such BIOS level protection was expensive. Nothing used less
memory than the original DISKSECURE at 1k but even this came from the top of
memory (typically just before the 640k boundary) making impossible the use
of DOS extenders such as QEMM (I like Quarterdeck products - plug) VIDRAM.
Further, this location was vulnerable to attack - the Monkey viruses were
written specifically to exploit this - DiskSecure II can move itself into
low memory where it uses only 304 bytes. Exactly where is not determinable
prior to DOS load and DS II has some "extra added attractions" to make
subversion a bit more difficult.
Another void DS II fills is protection of Novell servers from the boot
level. Past products including the original Disksecure could be loaded onto
a server but Netware would not be bootable. As a consequence many servers
today are vulnerable to infection. DISKSECURE II is compatible with Netware
3.11 and I would expect it to be compatible with other versions (only have
3.11 running at home). Possibly even UNIX & OS/2 but not tested. It will
block "dual boot" when it resides in the MBR or OSBR. OSs using a special
"boot floppy" should work just fine 8*).
To see all of the other features, just download the programs and try them
but PLEASE read the documentation.
Caveat: DiskSecure is not protection against all malicious software, only
those that affect the MBR and DBR on boot. The figures I have seen this year
indicate that these have become by far the most common problem, file
infectors seem to have nearly disappeared. Further DS II is designed to be
compatible with OS-specific protection such as F-PROT, Dr. Panda, Dr.
Solomon, MSAV, CPAV, NAV, and McAfee products though it is suggested that low
level checking be turned off since IMHO DiskSecure & DS2CHK are better at
this.
Final note, this is a hobby and not a business or corporation (just ask the
IRS) and must be done in my spare time. Custom versions are possible
(logos, incorporation in other software) but my house still needs painting
and the weather is cooling off so I can start working outside again.
Warmly (and exhausted 8*)
Padgett
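The recovery approach described above rests on integrity rather than on recognising a particular virus: the protected boot sector is compared with a known-good record, so any change is flagged whether or not its cause is known. The following is an added example (not DiskSecure's own code) that applies the same idea to a constructed 512-byte master boot record. It records separate fingerprints of the boot code and of the partition table, validates the layout a BIOS would rely on (the 55AA boot signature and sane partition entries), and reports what changed. The sample sector and the two "damage" helpers are constructed for the demonstration only.

```python
"""Integrity check of a 512-byte master boot record that does not depend on
knowing which program (if any) altered it.  Added example; the MBR bytes and
the two 'damage' simulations below are constructed, not real samples."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"         # last two bytes of a bootable sector
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample: filler 'boot code', one active FAT16 partition, 55AA."""
    code = b"\x90" * PART_TABLE_OFF
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x07", 63, 0x1000)
    table = entry + bytes(PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIG


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four partition table entries."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def baseline(mbr: bytes) -> Dict[str, str]:
    """Record hashes of boot code and partition table separately, so a report
    can say which part changed."""
    return {
        "code": hashlib.sha256(mbr[:PART_TABLE_OFF]).hexdigest(),
        "table": hashlib.sha256(mbr[PART_TABLE_OFF:PART_TABLE_OFF + 64]).hexdigest(),
    }


def check_mbr(mbr: bytes, base: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the
    baseline and is structurally sound."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[-2:] != BOOT_SIG:
        findings.append("missing 55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p["status"] == 0x80 for p in parts) > 1:
        findings.append("more than one active partition")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte {p['status']:#04x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition")
    current = baseline(mbr)
    if current["code"] != base["code"]:
        findings.append("boot code changed")
    if current["table"] != base["table"]:
        findings.append("partition table changed")
    return findings


def simulate_boot_code_overwrite(mbr: bytes) -> bytes:
    """Constructed stand-in for an MBR infector: the start of the boot code is
    replaced while table and signature are left intact."""
    patched = bytearray(mbr)
    patched[0:64] = bytes(range(64))
    return bytes(patched)


def simulate_table_corruption(mbr: bytes) -> bytes:
    """Constructed stand-in for a virus that damages the partition table."""
    patched = bytearray(mbr)
    patched[PART_TABLE_OFF] = 0x7F     # status byte that is neither 0x00 nor 0x80
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    base = baseline(clean)
    print("clean:", check_mbr(clean, base))
    print("overwritten code:", check_mbr(simulate_boot_code_overwrite(clean), base))
    print("damaged table:", check_mbr(simulate_table_corruption(clean), base))
```

The baseline would normally be stored off the disk it describes (a clean floppy, in the setting of the post), since a record kept on the protected disk can be altered along with the sector it is meant to guard.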
------------------------------
Date: Sun, 05 Sep 93 20:35:17 -0400
>From: [email protected]
Subject: announcing DISKSECURE II (PC)
Hello folks.
Announcing the availability starting Monday 09/06/1993 of the new version of A.
Padgett Peterson's "DISKSECURE", now DISKSECURE II.
As usual, it will be in our [anonymous.msdos.antivirus] directory (see below)
as DS231.ZIP. A companion file, DS231.DOC (an ASCII file), sent also by
Padgett, gives some additional information about the program -- but please DO
read the .DOC files also included in the distribution archive.
===========
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]
FTP to urvax.urich.edu with username anonymous and your email address
as password. You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
===========
Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Fri, 03 Sep 93 17:26:44 -0400
>From: "Rob Slade" <[email protected]>
Subject: Polymorphism and self-encryption (CVP)
DEFGEN9.CVP 930819
Polymorphism and self encryption
Scanning software is, for all of its limitations, still the most
widely used of antiviral software. The idea is to find a "signature
string" for the virus: a piece of code that appears in the virus
and in no other program, thus giving a unique identification. There
is an art to the choice of a signature string, as with anything
else. You want a piece of code more than you want text, which is
easy to change. You want a piece of code integral to the operation
of the virus. You want a string which may identify new "mutations"
of this virus, as well as the current infection. However, once you
have a suitable signature, you can identify the virus.
Unless the virus changes.
This is the idea behind polymorphism. There are a number of ways to
change the "shape" of a virus. One way is to get a simple "random"
number, such as the value of the "seconds" field of the system time
when the infection occurs, and to perform a simple encryption on the
value of each byte in the viral code. Only a short chunk is left at
the beginning to decrypt the rest of the virus when the time comes
to activate it. Encryption could be used in other ways: encrypting
a regular but arbitrary number of bytes, or encrypting the code as a
whole rather than on a bytewise basis.
A second means is the fact that, in programming, there are always at
least half a dozen means to the same end, and that many programming
functions are commutative; it doesn't matter in what order certain
operations are performed. This means that very small chunks of
code, pieces too small to be of use as signatures, can be rearranged
in different orders each time the virus infects a new file. This,
as you can imagine, requires a more "intelligent" program than a
simple encryption routine.
A distinction tends to be made between the early, and limited,
"self-encrypting" viral programs, and the later, more
sophisticated, polymorphs. Earlier self-encrypting viri had limited
numbers of "variants": even the enormous Whale virus had less than
forty distinct forms. (Some of the earliest were the V2Px family
written by Mark Washburn. He stated that he wrote them to prove
that scanners were unworkable, and wrote his own activity monitoring
program. He is one of the very few people to have written, and
released, a virus, and to have written antiviral software. His
release of "live" code in the wild tends to deny him the status of
an antivirus researcher. Lest some say this is arbitrary bias,
please note that his thesis was rather ineffectual: all his variants
are fairly easily detectable.) More recent polymorphs are more
prolific: Tremor is calculated to have almost six billion forms.
copyright Robert M. Slade, 1993 DEFGEN9.CVP 930819
==============
Vancouver      [email protected]   | "Do you get guns with your
Institute for  [email protected]   | gun magazines? No.
Research into  [email protected]   | Do you get viruses with your
User           [email protected]   | virus magazines? Yes."
Security       Canada V7K 2G6      | - Kevin Marcus
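The column's first mechanism (a key taken from the seconds field, each byte of the body encrypted with it, a short decryptor left in clear) can be seen from the scanner's side with a toy model. This is an added example, not part of the column: every byte in it is constructed stand-in data, the "decryptor stub" is just a marker string rather than machine code, and the `xray_scan` function is the detector-side technique of trying each possible key and scanning the decrypted result. It shows three things the paragraph states but does not quantify: a signature taken from the body never matches the encrypted forms, a signature taken from the invariant decryptor matches all of them, and a seconds-derived key gives only sixty distinct forms, which is why such early self-encrypting samples were, as the column says, fairly easily detectable.

```python
"""Signature scanning against a self-encrypting sample, toy model.
Added example: DECRYPTOR_STUB and BODY are constructed placeholder bytes,
not code from any real virus."""
from typing import Dict, Optional

# Constructed stand-in for the short decryption loop left in clear at the
# start of the sample (in a real sample this would be machine code).
DECRYPTOR_STUB = b"STUB:xor-loop:"
# Constructed stand-in for the body that the stub decrypts before running it.
BODY = b"constructed body bytes with a distinctive ROUTINE-42 inside"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def make_variant(seconds: int) -> bytes:
    """The form the sample takes when 'infection' happens at a given seconds
    value (0..59): stub, one key byte the stub needs, encrypted body."""
    key = (seconds % 60) + 1          # +1 so key 0 (no change at all) never occurs
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(BODY, key)


def scan(sample: bytes, signature: bytes) -> bool:
    """Plain signature scanner: does the byte string appear anywhere?"""
    return signature in sample


def xray_scan(sample: bytes, signature: bytes) -> Optional[int]:
    """Detector-side counter to simple self-encryption: recognise the stub,
    then try every one-byte key on the remainder and scan the result.
    Returns the key that reveals the signature, or None."""
    if not sample.startswith(DECRYPTOR_STUB):
        return None
    payload = sample[len(DECRYPTOR_STUB) + 1:]   # skip stub and stored key byte
    for key in range(1, 256):
        if signature in xor_bytes(payload, key):
            return key
    return None


def detection_summary(body_signature: bytes) -> Dict[str, int]:
    """Run the three detection strategies over all sixty possible forms."""
    variants = [make_variant(s) for s in range(60)]
    return {
        "body_sig_hits": sum(scan(v, body_signature) for v in variants),
        "stub_sig_hits": sum(scan(v, DECRYPTOR_STUB) for v in variants),
        "xray_hits": sum(xray_scan(v, body_signature) is not None for v in variants),
        "distinct_forms": len(set(variants)),
    }


if __name__ == "__main__":
    print(detection_summary(b"ROUTINE-42"))
```

Which of the two signatures a scanner should prefer follows from the numbers: the decryptor is the piece "integral to the operation" that survives every infection, while the body signature only becomes usable again once the scanner undoes the encryption. The model also makes the column's second point concrete: a true polymorph rewrites the decryptor itself on each infection, which removes the invariant string this model relies on.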
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 119]
******************************************