From:      Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To:        [email protected]
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #5
Reply-To:  [email protected]
--------
VIRUS-L Digest   Monday, 13 Jan 1992    Volume 5 : Issue 5

Today's Topics:

Virus Update disk for Central Point Antivirus (PC)
Re: Question re Stoned (PC)
What Does Michael Angelo Do? (PC)
NCSA has tested Antivirus Programs (PC)
Antitelifonica (A-VIR) (PC)
Re: Question re Stoned (PC)
re: Joshi Virus and IDE Hard Drives (PC)
Worldwide Software products Vaccine and Vacnet (PC)
Error on WSCANV85B (PC)
Resource Forks (Mac)
Re: Macs Running Soft PC (Mac) (PC)
a trojan horse - literally!
Trojan definition? Special case
Military Viruses
new programs available (PC)
More myths

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 08 Jan 92 13:31:16 +0000
From:    [email protected] (Dale Fraser)
Subject: Virus Update disk for Central Point Antivirus (PC)

Does anyone know of an ftp site that carries the virus update file that
comes out quarterly from Central Point? I just got my first Virus Update
Bulletin and I can't afford to download this file through their BBS or
pay to get the Update Disk (another poor university student!!) and I
don't really want to type in all the hex codes.

Any help will be greatly appreciated!
Dale


|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
|   "Why sex is so popular    |  Dale Fraser  [email protected] |
|       Is easy to see:       | Memorial University of Newfoundland   |
|    It contains no sodium    |     CS Undergrad -  Class of '92      |
| And it's cholesterol free!" |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
|       Shelby Friedman       | THIS SPACE FOR RENT-REASONABLE RATES! |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
| *OPINIONS EXPRESSED ABOVE DO NOT BELONG TO ME OR THIS INSTITUTION!* |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|

------------------------------

Date:    08 Jan 92 09:15:00 -0600
From:    "William Walker C60223 x4570" <[email protected]>
Subject: Re: Question re Stoned (PC)

From:    [email protected] (Claude Bersano-Hayes):
> I myself came with no good reason why the system [detailed below] ...
> does not get infected.  Any guru out there with some explanation(s)?

> - ----- begin forwarded messages --

> ...  A: & B: drives are 360K and 1.2M (respectively); C: is
> 1.44M.  D: is the hard drive.  If ever a PC would be susceptible to
> "Stoned" it would be this one, considering the amount and nature of
> its use--or so it would seem!  Periodic checks for the virus on the
> hard drive have always been negative over four months of heavy use.
> (Like I say--I know "Stoned" is still around here.)  Is there
> something about the four-disk controller setup (or the drive name
> "D:") that creates an immunity to "Stoned"?  Or have we been
> incredibly lucky?

> ...  The hard drive is a 40 meg.  (brand or type
> unknown--I'm not that familiar with the types), and as I said, it was
> designated D: as per the requirements of the JDR ...
> Microdevices 4-floppy controller card I used.  I wrote a snazzy
> menu-driven batch program (with BATMAN and ANSWER enhancements)
> walking users through any of the 4 floppy formats and permitting
> copying of files ("All" or selected) between any two of the floppy
> drives.  The "selected" copying option would list the directory of the
> source floppy before copying (prime infection activity!)  No virus
> protection installed.  (I'd check it periodically by running Clean-Up
> on the D: drive.)

IMHO, you've just been lucky, but not incredibly lucky.  "Stoned" will
only infect a hard drive if you boot from an infected floppy; however,
since you operate the PC in question with a batch program, it is
unlikely that you ever have the need (or take the opportunity) to boot
from a floppy.

Your hard disk's having the drive letter D: has nothing to do with the
"Stoned" virus' ability to infect it.  Drive letters are assigned by DOS,
but "Stoned" operates at a much lower level than DOS -- through the
disk interrupt, INT 13H.  At this level, all disks are specified by
a sequential number, according to drive type.  Floppy drive numbers start
at 00H and hard drive numbers start at 80H (numbers are hexadecimal).
For a system with one floppy and one hard disk, Drive A: is 00H and drive
C: is 80H.  For your system, Drive A: is 00H, Drive B: is 01H, Drive C:
is 02H, and Drive D: is 80H.  As you can see, the number of the first
hard drive, regardless of letter, is always 80H to INT 13H, and therefore
to "Stoned," which infects drive 80H via INT 13H.

You may want to consider installing VSHIELD or a comparable TSR anti-
virus package, in spite of the speed (or lack thereof) of your machine.
Or if speed really is a major concern, Padgett's NoFBoot will at least
prevent you from warm-booting with a floppy in drive A: (the cause of
hard disk "Stoned" infections).

BTW, listing the directory of a floppy disk is NOT "prime infection
activity," at least not in the sense of getting a virus FROM the floppy
TO the hard disk.  Now, if the machine was ALREADY infected, listing the
directory of a floppy (or any other floppy access) WOULD be "prime
infection activity" in the sense of getting a virus FROM the hard disk
TO the floppy.  With ANY virus (not just "Stoned"), the viral code must
be EXECUTED to infect a clean system, not just viewed.

Hope this is of some help.

(P.S. - "You" above refers to the original author, not Claude)

Bill Walker ( [email protected] ) |
OAO Corporation                        | "Some days you just can't get
Arnold Engineering Development Center  |    rid of a bomb!"
M.S. 120                               |  -- Adam West, "Batman"
Arnold Air Force Base, TN  37389-9998  |

------------------------------

Date:    08 Jan 92 11:31:00 -0400
From:    "21478, SCHILLIG,JR., LAWRENCE K" <[email protected]>
Subject: What Does Michael Angelo Do? (PC)

In the Cleveland, Ohio area the virus Michael Angelo has popped up
but has not seemed to do any damage to the systems it has been
found on.  It was detected by a virus checking program.  Does anyone
know what this virus can do to an IBM system?

                    Larry  Schillig

------------------------------

Date:    08 Jan 92 17:26:35 +0100
From:    "Otto.Stolz" <[email protected]>
Subject: NCSA has tested Antivirus Programs (PC)

Dear virus buster,

below, I'll give my translation of an article that appeared in the
German periodical "Personal Computer", page 134, number 1 (January
1992). I hope this does not re-hash an old topic.

I know, I'm reporting from hearsay (or is it "from readwrite"? :-) Has
anybody read the article in Network World, or the original report from
the NCSA, and can (and is willing to) tell us more details?

Best wishes,
              Otto Stolz <[email protected]>
                         <[email protected]>

- -------- From "Personal Computer", p 134, no 1 (1992):

.. Scanner Test ...

The American National Computer Security Association (NCSA) has tested
11 anti-virus programs. The report was issued on 21 Oct 1991, and
it has been published, e.g., by the periodical "Network World". The scoring
table reads thus:
  Product                       | Producer              | Score
  ------------------------------+-----------------------+------
  F-Prot V. 2.0                 | F. Skulason           | 129
  Virus Buster V. 3.75          | Leprechaun            | 116
  Solomon's Toolkit V. 5.15     | S&S International     | 103
                                |                       |
  Virex-PC V. 2.00 b            | Microcom              | 103
  Scan V80                      | McAfee                | 102
  Antivirus                     | Central Point         |  99
                                |                       |
  Virusafe V. 4.50              | XTREE                 |  99
  Anti-Virus V. 1.5             | Symantec              |  98
  Pro-Scan V. 2.32              | McAfee                |  90
                                |                       |
  Virus Clean V. 2.10           | Comp. Cons.           |  66
  Antivirus Plus V. 3.7         | IRIS                  |  64
  ------------------------------+-----------------------+------

It goes without saying that all those scores are subject to the usual
proviso.

Irrespective of this proviso, note that this list includes two
European products (F-Prot from Iceland, and Dr. Solomon's Toolkit from
England) ranking among the best ones. Evidently, high-quality
European products in this domain will be recognized internationally.

The complete test report can be obtained from NCSA.

------------------------------

Date:    Wed, 08 Jan 92 17:16:31 +0000
From:    [email protected] (Arlyn Hubbell)
Subject: Antitelifonica (A-VIR) (PC)

We here at Bates College have just come across our first occurrence of
Antitelifonica.  According to McAfee's SCAN85 documentation it can
only be cleaned using a program called M-DISK.  Has anyone out there
had any experience with this particular virus?  If so, can you please
tell me what you know about it?

Thank you much in advance.

Arlyn J. Hubbell
Applications Programmer
Bates College

[email protected]

------------------------------

Date:    Wed, 08 Jan 92 09:36:44 -0700
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Question re Stoned (PC)

[email protected] writes:

>As a co-sysop of the virus discussion board I received the following
>message.  I thought it was interesting enough, and asked more details
>which will show in the second forwarded message (in fact, long
>excerpts of both messages).
>
>I myself came with no good reason why the system (details in msg #2)
>does not get infected.  Any guru out there with some explanation(s)?
>   (etc...)

For stoned to infect a hard disk, the computer must be booted from an
infected diskette.  It may be that in its current setup no student ever
reboots the computer from any diskette, because the computer has
only one function -- disk copying  -- and is always already on and
ready to go.

Many of the diskettes being copied may be infected, but because the
copy station isn't started from these infected diskettes, the virus
doesn't get onto the station.  Nor is it transferred between the
diskettes during the file copying process.

Stoned is a problem in multi-use computer labs, where students reboot
the computers from diskettes, either because they are using copy-protected
games that must be booted from the diskette, or because they don't know
any better -- don't know how else to get to the task they want to run.

I'm afraid I'm not a guru, and for all I know there may be something
about stoned's INT 13 hard disk reads and writes being set with DL=80h
rather than 81h, but I don't think so.  (Padgett?)  I would suspect the
above explanation in the case of a dedicated, one-use computer like
you describe.

The test is to intentionally boot the computer from an infected
floppy, then see if Stoned is on the hard drive.  This test is only to
be done if you know what you are doing, of course!

Tim.

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------

------------------------------

Date:    08 Jan 92 16:11:00 -0500
From:    "David.M.Chess" <[email protected]>
Subject: re: Joshi Virus and IDE Hard Drives (PC)

> From:    [email protected] (Greg Argendelli)

> How are people removing the Joshi virus from IDE hard drives?  Based
> on what I have read in Patricia's VSUM program, the only way to remove
> the virus is via a low-level format.

If VSUM says that, it's wrong.   All you have to do is fix the master
boot record; the undocumented /MBR option to DOS 5's FDISK command
can do that (with the caveats noted in the last VIRUS-L), or your
local guru can do it with DEBUG, or you can use any of various
commercially-available utilities that I'm sure are out there!   *8)

DC

------------------------------

Date:    Wed, 08 Jan 92 16:41:18 -0500
From:    Thomas DiBlasi <[email protected]>
Subject: Worldwide Software products Vaccine and Vacnet (PC)

Hi,

We had a salesman in today espousing the virtues of the above viral
detection and extraction (he called it that) products. Is anyone out
there familiar with them? I've yet to find an evaluation on them
anywhere including my back issues of Virus-L.  Any information would
be appreciated.

Thanks,
Tom

------------------------------

Date:    Thu, 09 Jan 92 10:20:34 +0000
From:    News System Uni-Oldenburg.DE <[email protected]>
Subject: Error on WSCANV85B (PC)

After scanning my harddisks with Scan for Windows the switches
"scanning all files", "scanning overlay extensions" were _both_ ON
and I couldn't turn them off.  Can anyone help me?
- --
**********************************************************
* T h o r s t e n   K o c h                              *
*                                                        *
* University of Oldenburg, Germany                       *
*                                                        *
* E-Mail: [email protected] *
**********************************************************

------------------------------

Date:    Wed, 08 Jan 92 17:33:50 +0000
From:    cmontoya%[email protected] (Red Dragon)
Subject: Resource Forks (Mac)

Problem: Our file server and three mac machines have had errors during
virus scanning using Disinfectant saying that a resource fork for
Mathematica is damaged or missing.

The Quark we use gives us this message also.

Can someone help please?  I think our anti-virus person is on leave.

/cm
cmontoya@carina

------------------------------

Date:    Wed, 08 Jan 92 10:56:40 +0000
From:    [email protected] (Ben Liberman)
Subject: Re: Macs Running Soft PC (Mac) (PC)

[email protected] (Brian S. Lev) writes:
>[email protected] (Frank Price) writes...
>>SoftPC does such a good job of emulating an MS-DOS machine that many
>>(most?  virtually all?) viruses WILL infect it. SoftPC uses a (big)
>>data file for the contents of the simulated PC's hard drive. I believe
>>Mac antiviral programs consider this to be a data file and do not
>>check it. Even if they did, they would not know how to recognize
>>MS-DOS viral code.
>
>Ummm... I'm not 100% positive, but I seem to remember the more recent
>versions of the Mac's "Big 4" (Disinfectant, Virex, SAM, SUM) all _do_
>look at data files if you tell 'em to scan your disk...

While Mac antivir. pgms.  may scan your SoftPC hard disk file, they
are not designed to identify PC virii.  You can install a PC antivir.
program on your SoftPC drive (or keep it on a locked floppy).  I have
McAfee's SCAN and CLEAN installed on mine and they work fine.  Just
treat your SoftPC virtual hard drive the way you would treat any other
PC drive.

SoftPC also allows you to designate a Mac folder as your E: drive.
There may be problems trying to scan this folder from SoftPC because
it is not a real drive and doesn't have all of the normal structures
(no boot blocks for example)

       ------------    ------    ----------------------
       Ben Liberman    USENET    [email protected]

------------------------------

Date:    Tue, 07 Jan 92 16:17:36 +0000
From:    Anthony Appleyard <[email protected]>
Subject: a trojan horse - literally!

(from UK newspaper "Daily Telegraph", Mon 6 Jan 1992)
[Trojan horse workers trick factory guards]
A trojan horse used by protesting wheat farmers during President Bush's
visit to Australia was used by locked-out workers to slip back into a
factory today.  The 13-foot horse, which was made up of metal drums, had
been used by farmers outside Canberra's Parliament House on Thursday when
the American President was in the capital.  It bore the sign: "Not a New
World Order, a New Wheat Order."  The farmers were protesting at United
States grain subsidies that Australians say undercut their crops in world
markets.
Yesterday the horse found a different use when it was driven on a trailer
through the gates of the Bryant Group heavy transport firm, which had been
repossessed by the Commonwealth Bank because of a mortgage dispute.  The
guards left on the factory gate by the bank thought the horse was being
returned to the plant after being used in the demonstration.  Then about
20 workers spilled out of the horse and into the factory.  The security
guards left after they found that they were outnumbered by the workers.
Police said that no charges would be laid.  Bank officials were not
available for comment.  "It's business as usual," said Mr. Joe Bryant,
managing director of the Bryant Group.  "If we have to pay the bank, we
have to generate income, and we do that by working" - AP
{A.Appleyard} (email: [email protected]), Tue, 07 Jan 92 16:04:36 GMT

------------------------------

Date:    Tue, 07 Jan 92 11:10:33 +0100
From:    Ralf Stephan <[email protected]>
Subject: Trojan definition? Special case

Hi,

I heard there was a collection for a FAQ list. Maybe this question
belongs to it: What is the exact definition for "trojan"?

I would like to present you a special case where I would say,
this is one, and I'm very interested in your opinion.

Some weeks ago, someone uploaded a program to a BBS where
anonymous uploading is possible. The program description given
had some attributes that were sufficient to make the program a
widely downloaded one. Keywords were: "sex", "porno" et cetera...
Admittedly, the author did everything not to say what the program
really was for.

What the program did: It asked the user to free 20MB of hard
disk space (if not already free), created a file of that length
filled entirely with 6s and dumped it on the screen. This was
apparently meant as a joke, since in German the words for "sex" and
for the number 6 are pronounced the same way. So the program actually
intended no damage, but some users with small hard disks had
problems with Murphy's law when freeing the space (they deleted
files, you know).

The story is still not over, because the program writer later
claimed it to be a "scientific experiment"...

So, is this a trojan or not? Where is the border between "damaging"
and "not damaging"? Is it sufficient for a program to be a trojan
if it does not do what it says or intends?

BTW: I know that the users are to blame for not maintaining some
security on their system, but that's not the point.

Thanks for answers   R Stephan

- [email protected]    "The only civilized way of being a scientist
                             is to engage in _the_process_ of doing science
                             primarily for one's own _private_pleasure_."
                                                             B B Mandelbrot

------------------------------

Date:    Thu, 09 Jan 92 08:44:00 -0500
From:    Nick Di Giovanni <[email protected]>
Subject: Military Viruses

The January 1992 edition of the EDP Audit, Control, and Security
(EDPACS) newsletter includes an overview of an article that appeared
in the October 1991 Massachusetts Institute of Technology Review.
The Review reported that Software and Electrical Engineering (SEE) was
one of two organizations preparing reports for the Army Center for
Signal Warfare on the deliberate use of computer viruses and worms to
incapacitate computer networks.  The center identified the desired
effects of such a use as including data disruption, denial of use, and
affecting the operation of processors and the management of data
storage.  SEE's contract was reportedly for $50,000; however, it stood
to make as much as $500,000, according to this account, if it received
a contract for the follow-up phase of the project, which involves
devising particular viruses, demonstrating them, and devising possible
defenses against their use.

Nick Di Giovanni
EDP Audit Manager
Rutgers University

------------------------------

Date:    Thu, 09 Jan 92 07:26:00 -0500
From:    [email protected]
Subject: new programs available (PC)

Hello.
Now available for FTP processing from our site:

FIXMBR21.ZIP    Update of A. Padgett Peterson's FixMBR program.  This new
               version is now shareware.  Please note that it is important
               to read the documentation before running it.

I-M102B.ZIP     Comprehensive protection program.

- -----
Site:           urvax.urich.edu  IP# 141.166.1.6
Directory:      .msdos.antivirus
User:           anonymous
Password:       your_e-mail_address
When logged on, the user will be in the anonymous directory.  Type:
       cd msdos.antivirus<ret>
to enter the "antivirus" (no quotes) subdirectory.
- -----

All files must be fetched using the "binary" format (we do not support Tenex),
with the exception of AAAAREAD.ME, an ASCII file.
Case is NOT significant.
Please download AAAAREAD.ME for short descriptions of the available programs.

Regards, Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   [email protected]     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    Mon, 06 Jan 92 12:40:46 -0800
From:    [email protected] (Rob Slade)
Subject: More myths

DEFMTH5.CVP   920105

                     More hardware myths

I am indebted to Padgett Peterson for reminding me of some
additional "hardware" viri which have occasionally been
reported.

1) "Lethal Floppy Eject" aka "Toaster" virus
I think this one belongs with the users who can't find "Any"
keys, photocopy floppies and can't see whether the screen is on
because the power is off.

2) "CMOS" virus
3) "BIOS" virus
4) "Battery" virus
These three are all variations on a similar theme.  These types
of viri are reported regularly.

First of all, BIOS is ROM BIOS.  The RO in ROM stands for "read
only".  The BIOS, therefore, cannot be infected by a virus.  At
least, not yet.  Intel has already developed flash EEPROMs which
it is pushing as "upgradeable" ROMs for the BIOS.  It *is*
possible to get "bad" ROMs, and it is even possible that a run
of BIOS ROMs would be programmed such that they constantly
"release" a virus.  It hasn't yet happened, though, and it is
extremely unlikely, as well as being easy to trace.

The CMOS is stored in RAM, and can be changed.  However, the
CMOS table is stored in a very small piece of memory.  It is
highly unlikely that a virus could fit into the "leftover"
space, even though the theoretical limit of the "minimal" family
is about 31 bytes.  More importantly, in normal operation the
contents of the CMOS are never "run", but are referred to as
data by the operating system.

We have had "joke" reports of electrical "metaviri" (eg. "they
cluster around the negative terminal, so if you cut off the
negative post you should be safe ...", "they transmit over the
"third prong", but occasionally leak over onto the others ...").
However, there are also a number of reports that changing the
battery in a computer damages the CMOS.  This is probably
because no matter how fast you change the battery, there is a
loss of power during that time, and therefore the data is lost.
Some computers do have a backup system that does give you about
10 minutes
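
Added example (mine, not Rob Slade's) of the point in the CMOS and
battery paragraphs: the CMOS area is a few dozen bytes of battery-backed
RAM that the BIOS reads as configuration data and guards with a simple
checksum, and that checksum failing is what a battery change actually
produces.  The layout assumed below (floppy and hard disk types at 10H
and 12H, base and extended memory at 15H-18H, a 16-bit additive checksum
over 10H-2DH stored high byte first at 2EH-2FH, 34H-3FH unassigned) is my
recollection of the original IBM AT definition; later BIOSes extend it.
The image and all function names are constructed for this example.

```python
"""The CMOS settings area as data: decode, checksum, and what a battery
swap does to it.  Added example; the layout is the original IBM AT one
as assumed here, and the image below is constructed, not dumped."""

CMOS_SIZE = 64
FLOPPY_TYPES = {0: "none", 1: "360K", 2: "1.2M", 3: "720K", 4: "1.44M"}
CHECKSUM_RANGE = range(0x10, 0x2E)   # bytes covered by the standard checksum
CHECKSUM_OFF = 0x2E                  # high byte at 2EH, low byte at 2FH
UNASSIGNED = range(0x34, 0x40)       # the only "leftover" space in the AT layout
MINIMAL_VIRUS_BYTES = 31             # size of the "minimal" family quoted in the post


def cmos_checksum(image):
    """16-bit additive checksum the AT BIOS keeps over offsets 10H-2DH."""
    return sum(image[i] for i in CHECKSUM_RANGE) & 0xFFFF


def checksum_ok(image):
    stored = (image[CHECKSUM_OFF] << 8) | image[CHECKSUM_OFF + 1]
    return stored == cmos_checksum(image)


def stamp_checksum(image):
    """Return a copy of the image with a correct checksum written in,
    as SETUP does after the user saves the configuration."""
    img = bytearray(image)
    c = cmos_checksum(img)
    img[CHECKSUM_OFF] = c >> 8
    img[CHECKSUM_OFF + 1] = c & 0xFF
    return bytes(img)


def decode_settings(image):
    """The fields the BIOS consults at power-on.  They are looked up as
    values; no code path ever jumps into this memory."""
    return {
        "floppy_a": FLOPPY_TYPES.get(image[0x10] >> 4, "unknown"),
        "floppy_b": FLOPPY_TYPES.get(image[0x10] & 0x0F, "unknown"),
        "hard_disk_c_type": image[0x12] >> 4,
        "hard_disk_d_type": image[0x12] & 0x0F,
        "base_memory_kb": image[0x15] | (image[0x16] << 8),
        "extended_memory_kb": image[0x17] | (image[0x18] << 8),
    }


def room_for_code(image):
    """Bytes in the unassigned region not already in use, and whether even
    the smallest family named in the post would fit there."""
    free = sum(1 for i in UNASSIGNED if image[i] == 0)
    return free, free >= MINIMAL_VIRUS_BYTES


def after_battery_change(image):
    """Simulate the power gap while the battery is swapped: the RAM comes
    back with undefined contents, modelled here as all FFH.  The stored
    checksum no longer matches, so the BIOS reports an error and falls back
    to defaults.  Note that an all-zero image would pass, since 0 + ... + 0
    stored as 0000H checks out; that is a weakness of additive checksums,
    not evidence of anything alive in the chip."""
    return b"\xFF" * len(image)


def build_sample_image():
    """Constructed image for a machine like the one in the Stoned thread:
    A: 360K, B: 1.2M, one hard disk of type 2, 640K base, 384K extended."""
    img = bytearray(CMOS_SIZE)
    img[0x10] = (1 << 4) | 2        # A: type 1 (360K), B: type 2 (1.2M)
    img[0x12] = 0x20                # C: type 2, no D:
    img[0x15], img[0x16] = 0x80, 0x02   # 640 KB base memory
    img[0x17], img[0x18] = 0x80, 0x01   # 384 KB extended memory
    return stamp_checksum(img)


if __name__ == "__main__":
    cmos = build_sample_image()
    print("valid:", checksum_ok(cmos), decode_settings(cmos))
    print("free bytes / fits minimal virus:", room_for_code(cmos))
    print("valid after battery swap:", checksum_ok(after_battery_change(cmos)))
```

The two numbers worth taking from a run are the twelve unassigned bytes
against the 31-byte minimum the post quotes, and the checksum failing after
the simulated swap; the second is the whole "battery virus" story, with the
BIOS doing exactly what it is supposed to do when its data is gone.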
Downloaded From P-80 International Information Systems 304-744-2253