|
Virus- L Digest Vol 6 Issue #024
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA02051; Thu, 11 Feb 1993 23:38:24 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA38430
(5.67a/IDA-1.5 for <[email protected]>); Thu, 11 Feb 1993 17:04:43 -0500
Date: Thu, 11 Feb 1993 17:04:43 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright © 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #24
Status: RO
VIRUS-L Digest Thursday, 11 Feb 1993 Volume 6 : Issue 24
Today's Topics:
TIME Magazine on "Cyperpunk": How Not to Define a "Worm"
What is safe to discuss?
Re: How to measure polymorphism
Re: Internet Worm - the "Perp" (CVP)
Re: general entertainment
Re: What is a virus ?
Re: Norton buggy??? (or I have a PROBLEM!) (PC)
Help! Help, with FORM virus (PC)
Re: New virus in Germany (PC)
More Viruses in Memory (PC)
Michelangelo Virus? (PC)
Re: Virstop 2.07 in Icelandic (PC)
Re: Twelve Tricks (PC)
Re: Suggestion to the developers of resident scanners (PC)
green catipillar (PC)
Re: New virus in Germany :-( (PC)
Michaelangelo's payload (PC)
Re: Suggestion to the developers of resident scanners (PC)
Re: dame virus (pc)
Help, which scanner? (PC)
Should scanners detect only common viruses? (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to [email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 10 Feb 93 15:56:29 -0500
From: [email protected] (Joseph D. McMahon)
Subject: TIME Magazine on "Cyperpunk": How Not to Define a "Worm"
In last week's TIME magazine (with the "Cyberpunk" lead article), RTM's
worm is is described as "not a virus, but a worm, since the damage was
unintentional".
This is the most singular lack of grasp of the subject I have seen in
a long time.
--- Joe M.
------------------------------
Date: Wed, 10 Feb 93 15:57:14 -0500
From: Donald G Peters <[email protected]>
Subject: What is safe to discuss?
I have been reading (most of) the posts on this bulletin board <?> for
many months. One question that was recently raised was what kind of
information can be placed here. (The thing that inspired me to write this
was a comment responding to someone that posted a binary version of
a PKZIP authenticated file which had been tampered.)
We must have two kinds of people: those who think there should be no
restrictions (eg, posting virus code is okay) and those who believe
in some restrictions (to varying degrees) but NOBODY who posts here
believes that nothing about viruses should be posted here or THEY
wouldn't be posting here.
If an evil person (ie, virus writer and/or propagator) were to be
reading these messages, what would he (or she) want to read? I would
think that just about everything here would be useful to some extent.
For example, the constant discussion of polymorphic viruses would be
a great way to learn exactly how to write viruses that cannot (easily)
be detected. Many virus writers may not even THINK about polymorphism
until they read about it somewhere, like here.
Over the months I have learned a fair bit about viruses, and if I
were evil I could apply that new knowledge to writing viruses instead
of defending against them.
The point to my little soapbox is that secrecy is not the only or the
best way to defend against a threat. In some ways public discussion
can actually help, which is probably the reasoning behind the
existence of this forum. The more people know about viruses, the
more that people will be able to defend against them. And in some
cases the FAQ is simply not deep enough. As an evaluator of computer
security products (not focussed on anti-viral products) I find the
FAQ to be good but I could gain more from something more technical.
I ask myself, "Where do I go from here?"
I expect that an opposing viewpoint will focus on the question,
"How do we prevent the bad guys from getting educated?" I don't have
a good answer to that, since bad guys have a right to attend schools
like us good guys do. Personally, I believe strongly in censorship
of some things, but I'm not yet convinced that censorship of
virus-related information does much good.
Okay, if I'm wrong, sock it to me. :-)
------------------------------
Date: Thu, 11 Feb 93 00:30:01 +0000
From: [email protected] (Paul Houle)
Subject: Re: How to measure polymorphism
I was thinking a little bit about polymorphism in both virus programs
and antivirus programs and got a few ideas about how one could go about
implementing it.
If an antivirus program is not polymorphic, it potentially can be
recognized and tampered with by a virus. The code can be altered so it always
reads "clean", or the files it keeps can be altered to delete signatures (for
scanners) or to change CRCs, message digests, whatever is used to protect
programs. Therefore, for safety, an antivirus program should ideally be
different in every installation. The filename should be different, the code
should be different with ideally no scannable strings, and any files that
it keeps should be in encrypted and/or variable format. Encryption strings
especially must be stored in varying and hard to locate places. (Of course
in real life, we would hope that viruses never get smart enough to be
able to use nontrivial attacks on antivirus software... Sure, the present
generation of stealth viruses is pretty lame, but when we get stuff like
Windows, Windows NT, and executables that keep growing and growing, there
will be much more slack space for more complicated viruses.)
Anyway, it seems like the ideal way to make a program polymorphic
is to have a "polymorphic compiler". One could, say, do all the parsing
at home and distribute (either in a virus or in an antivirus program) the
code tree and a code generator that always generates different code. Maybe it
stores at least two ways to do every simple operation... To make it worse,
it can randomize the order of subroutines and procedures, and use all sorts
of transformations to really complicate the thing (Especially if the
"polymorphic language" is functional -- that would really be a blast of
course, a functional language for systems programming). One of course
could put the "source code" and the compiler on a floppy and have it install
the actual antivirus stuff in whatever incarnation on the disk, using junk
off the disk, the clock, the CMOS ram and all that to start a RNG. Viruses
would have both the polymorphic executable and the source code in encrypted
form, maybe encoded with a one-time pad based on a randomly selected
segment in the program. This kind of system would be really nasty to deal
with, and worse yet, might actually make non-lame stealth viruses practical.
Let's face it -- the reason why stealth viruses are so easy to
defeat is that they pretty much need to have sections in memory that
are scannable. The polymorphic compiler could conceivibly make the part of
a virus that plays hob with the operating system unscannable, which would
be a pretty bad situation.
------------------------------
Date: Thu, 11 Feb 93 13:38:03 +0000
From: [email protected] (R. Moss-Eccardt)
Subject: Re: Internet Worm - the "Perp" (CVP)
[email protected] (Kevin Andrew Buhr) writes:
>[email protected] writes:
>| Robert Tappan Morris was a student at Cornell University when he
>| wrote the Worm. He was a student of data security. The Worm is
>| often referred to as a part of his research, although it was neither
> ^^^^^^^^^^^^^^^^^^^^^^^
>| an assigned project, nor had it been discussed with his advisor.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>A "university" that requires such permission can hardly call itself a
>university. Any institution that treats students with that level of
>contempt is better termed an "academic cattle drive".
>
>Kevin <[email protected]>
At the University of Cambridge (an early university), we permit a
certain amount of 'recreational use'. However significant use of
resources or international networks requires approval from a
tutor/director of studies. If an undergrad causes any trouble
(filling the job queue, sending abusive mail etc.) then to regain
access to any university-provided computer requires approval from the
tutor.
This has been roughly the policy since we built EDSAC (the first
stored-program
------------------------------
Date: 11 Feb 93 13:50:36 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: general entertainment
kelty_h@aci_1.aci.ns.ca (KELTY HAMILTON) writes:
> Just mentioning a good virus article in the February "Discover"
> magazine. Thought you virus fanatics would be interested in its coverage
> of virus origins.
This so-called article is in fact one chapter of the book "Approaching
Zero" by Bryan Clough and Paul Mungo. They are calling it "forthcoming
book" which sounds rather surprising to me - it was published in the
UK about one year ago and I have read it since a long time...
The book is not just about viruses, it is about computer crime in
general. It's a very entertaining reading and I recommend it.
Unfortunately, it is also full of technical and factual mistakes. In
fact, every story described there, for which I know how it actually
happened, there is something misrepresented in the book. In several
cases I know that the declination of the truth is deliberate, because
it was me who has told the authors some of the facts and they are
represented differently in the book...
The article is "Discover" does not make an exception - lots of
technical and factual details are wrong. Maybe the funniest of them is
the conjecture that "Diana P." in Dark Avenger's viruses has something
to do with Lady Diana, Princess of Wells. However, the general
analysis of the situation in Bulgaria that leaded to the creation of
so many viruses there is rather exact.
[Moderator's note: FYI, I think that's "Princess of Wales".]
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 11 Feb 93 14:21:44 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: What is a virus ?
[email protected] (William Walker C60223 x4570) writes:
> posted anything else. There is a limit to how much a virus can change
> its functionality, since the "parent" must contain within itself the
> changes it is going to make in the "child," and if the "child" or some
> later generation is going to eventually produce a copy of the original
> "parent," it must contain all the functionality of the "parent" as
> well.
Not necessarily. First, the child does not have to retain the full
functionatily of the parent. Consider a virus that carries a dozen of
video tricks as a payload and each 1,000 replications drops one of the
tricks (meaning that the next replicants do not contain the code for
that trick). For another example, see below. Second, you are assuming
that the virus is self-contained. I would argue that it is
theoretically possible to make it able to fetch code fragments from
the environment (e.g., the programs it infects) and use them to
upgrade itself in an unpredictable way. Sure, most of the upgraded
replicants won't work (i.e. will be sterile), but some of them might
be able to evolve further. After all, this is exactly how the
evolution works. Also, the percentage of the sterile progeny might
depend on some properties of the environment; e.g. in the Tierra
simulator almost any opcode is a valid instruction that can be
executed without crashing the program...
So, a virus can both reduce and increase its functionality.
> Take, for example, a bipartite (two-part) virus which infects
> files and boot sectors. The file infector must contain not only the
> functions which infect the boot sector but those which will eventually
> infect files again. Likewise, the boot infector must contain not only
> the file infector but what will again be the boot infector.
OK, let's look at some real example like that. The Kampana virus. Most
people consider it multi-partite. I fact, this is a file infector,
which infects both files and boot sectors, but the part installed in
the boot sector can infect only other boot sectors. In some sense,
this is a file infector, which drops a boot sector virus. The
replicants of the boot sector virus are not able to infect files,
while the replicants of the file virus -are- able to infect boot
sectors... Therefore, what you claim above is not necessarily true -
any of the parts of a multi-partitie virus could have a reduced
functionality.
> In this example, neither the boot infector nor the file infector alone
> produce "functional duplicates" of themselves.
Exactly, but I fail to see how this fits in your arguments... Maybe
there is a typo something or I am missing something?
> Together, though, the
> boot infector and the file infector are considered one virus, designed
> to go through two infection steps, and together as one virus they
> produce a "functional duplicate" of the pair. With this example, I'll
Well, some people argue that the Kampana virus is in fact two
viruses...
> agree that my wording "functional duplicate" is poor, but I am at a
> loss to come up with a better term. I don't think that "possibly
> evolved copy" is suitable, because "evolved" implies an involuntary
> change.
OK, let's try to find some other term, but not "duplicate"...
> Any functional changes made in the copy will be those which
> have been intentionally coded for the original to make.
Yes, but they may not be predictable by examining the original...
> > 4) What is "intercept program execution"? The non-resident viruses do
> > not intercept anything; they get executed only when the user runs the
> > infected program.
> Oh, yes, they DO intercept program execution! A non-resident virus
> may not intercept DOS interrupts or whatever, but it intercepts the
> call to the original program; otherwise, it would never get executed.
> If a virus doesn't intercept program execution in some way -- ANY
> way -- it would never be run, never spread, and thus not be a virus.
Oh, I see, you mean that it somehow attaches itself to the process of
program execution... I misunderstood you because of the word
"intercept" - too much DOS-oriented thinking... :-) Yes, I agree with
the meaning you explain above.
> A computer virus is a sequence (or sequences) of symbols which,
> when executed or interpreted under certain conditions or in
> certain environments, will make a functional duplicate of this
> sequence (or sequences) and will place this duplicate where it
> will intercept program execution at a later time under certain
> conditions. This is called "replication" and the duplicate
> retains at least the capability to recursively replicate further.
Seems better. The only problem I have with it is the term "duplicate".
> A virus may also have additional functions, but these functions
> are necessary for something to be called a virus.
I don't think that this should be included in the definition and it is
not true, BTW... Or do you mean that they are -not- necessary? In this
case, why including them in the definition?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Wed, 10 Feb 93 15:24:13 +0000
From: [email protected] (Ivar Snaaijer)
Subject: Re: Norton buggy??? (or I have a PROBLEM!) (PC)
[email protected] (Alan Mead) writes:
>I think I found a bug in the Norton virus scaner NAV.EXE
>(dated 5-28-92). I don't know what version or anything.
i think it's just a matter of getting yourself a new (updated) copy of
NAV or get rid of it and it's rather fauly scanning methods, take
TBAV503.ZIP or SCAN100 you will be cheaper and safer ! (how would you
react to a program saying every 5 mintis that your system is
infected?)
/\/\
\ /
I \/ huristic scanning !
Ivar.
------------------------------
Date: Wed, 10 Feb 93 11:44:05 -0500
From: Bill Hayes <[email protected]>
Subject: Help! Help, with FORM virus (PC)
Recently, a professor here armed his students with a custom program
written for him by a student programmer. He had a secretary make
about twenty copies of the program for his students. Unfortunately,
the secretary's machine was infected with FORM, a boot sector virus.
Now my student computer labs have been infected with it.
Our state legislature is slashing the university by 15 million
dollars, and up to 1000 staff positions may be lost. The bottom line
is that I can't get approval to buy between $3500 - $4400 dollars
worth of software to protect my labs. Since the labs were being used
by people who respected copyrights, and generally weren't running
programs from their own diskettes, I had only seen one viral
infestation (on Macs) in my six years at the university. The student
labs DOS machines up to this time had not been infected.
The low probabilty of infection kept my boss from approving a
comprehensive preventative solution. I knew that eventually we would
be bitten. During better times, I purchased a few copies of CPAV and
NAV to cover my office and to put one copy in each lab for the
exclusive use of my student lab consultants. I sure as heck am not
going to violate the copyright of this software.
Although I would much rather buy enough licenses to cover my machines,
I am now trying to find public domain (and I mean FREE) software.
McAffee and Associates quoted me a whopping $17,000 dollars to site
license their products. I might be able to wring out $5.00 to $10.00
per machine to license a product. Is their anything out there, or am
I doomed to spend my life chained to a chair cleaning off FORM from
student diskettes?
Bill Hayes
[email protected]
------------------------------
Date: Wed, 10 Feb 93 11:44:09 -0500
From: Y. Radai <[email protected]>
Subject: Re: New virus in Germany (PC)
Malte Eppert describes a new virus: "UMB-1 (Tremor)":
> There's a new virus around in Northern Germany which was isolated on the
> Fachhochschule Braunschweig/Wolfenbuettel on Feb. 4, 1993. It was analyzed by
> Robert Hoerner and has the following characteristics:
. [list omitted] ...
There's one important characteristic of the Tremor virus which wasn't
listed: The virus specifically targets VSAFE, i.e. it contains code
which turns off all of its eight monitoring options.
Btw, the Tremor virus was discovered in Southern Germany in January.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: Wed, 10 Feb 93 14:04:52 -0500
From: [email protected] (A. Padgett Peterson)
Subject: More Viruses in Memory (PC)
>From: [email protected]
>Subject: STONED, Scanv99/Clean 99 Questions/Concerns (PC)
>Over the past several days our school has been dealing with the
>Stoned virus.
Maybe so maybe not - you *probably* have an MBR virus but might not be
STONED.
>2) When McAfee's Scan v99 is used, it finds the Stoned virus,
>and the Clean can clean it. HOWEVER, when scanning AGAIN for the
>virus, we find it in memory. This is after having booted from a
>write-protected virus free floppy disk. Further tests apparently
>show that Stoned can load into memory by a simple read on an
>infected disk. The documentation I've read via FTP land say that that
>is impossible.
First off, an active STONED (and most other infections) have two components:
a code segment that has replaced the MBR executable area stored on the
fixed disk, and an interrupt 13 intercept that has been loaded into memory
on boot. CLEAN removes the viral code from the fixed disk but does nothing
about the infection in memory, you must reboot from a clean disk to cure this.
Secondly, just because a scanner finds a virus in memory does not necessarily
meant that it is *active*. One thing that can happen is that when you do a
DIR of a floppy, the boot record is read into a buffer in low memory (fer
sure DOS 5.0 - am running tests on other versions). The scanners that I have
seen do not check to determine if the infection is *active* (being executed)
or is just present as data (could be done but non-trivial & they don't - yet),
rather, if a signature is found, a warning is triggered.
Thirdly, it is possible to have a double infection but this is unlikely.
>Questions: Why doesn't Untouchable work right?
Probably (a guess, do not have U-T) has to do with a "first-match" selection,
NO-INT and STONED share certain strings. Then again maybe you have "something
else".
>CAN the Stoned virus
>load into memory by a simple read from an infected floppy??
The binary code could be loaded this way but would not be active (but would
trip scanners).
>Is there
>a strain of stoned that can do this? (become active from a DIR)
Not that I am aware of.
Warmly,
Padgett
------------------------------
Date: Wed, 10 Feb 93 19:30:35 +0000
From: Arlyn <[email protected]>
Subject: Michelangelo Virus? (PC)
The question came up in our office today: Is the world expecting another
round of the Michelangelo Virus to turn up on march 6 this year? Does
anyone know if the date trigger on the virus checks for the year?
[Moderator's note: Michelangelo does not check for the year; it
triggers on 6 March of any year.]
Thanks in advance for your thoughts.
Arlyn Hubbell
Academic Computing
Lewiston, Me. 04240
------------------------------
Date: Wed, 10 Feb 93 22:00:42 +0000
From: [email protected] (oep)
Subject: Re: Virstop 2.07 in Icelandic (PC)
John Hendriks (jdh@medicine.newcastle.edu.au) wrote:
: reports. When loading virstop though and testing with f-test the
: diagnostics are incomprehensible. Is there an English version of
: virstop?
If you choose Install.Install from the menu of F-PROT, you make a version
of VIRSTOP.EXE with messages in your current Language. If your version
of F-PROT has menus in English, VIRSTOP will have messages in English.
The language is also selected from the Install menu.
You don't have to reinstall F-PROT from a diskette to run Install. F-PROT
won't copy any files unless needed.
Another feature with Install is that you can enter your own message, in any
language you want, to be displayed when VIRSTOP detects a virus.
- - oep
------------------------------
Date: Wed, 10 Feb 93 22:09:21 +0000
From: [email protected] (oep)
Subject: Re: Twelve Tricks (PC)
[email protected] wrote:
: Norton anti-virus detected Twelve-Tricks virus on one of our PCs but
: f-prot 2.06a reported the PC as clean. Is this virus one that the
: current f-prot misses or have we found a NAV false +ve?
: [email protected]
Current version of F-PROT is 2.07.
- - oep
PS: I would not be very surprised if NAV gave a false alarm. Have you tried
heuristic scan on this PC ?
------------------------------
Date: Wed, 10 Feb 93 22:29:12 +0000
From: [email protected] (oep)
Subject: Re: Suggestion to the developers of resident scanners (PC)
Vesselin Bontchev ([email protected]) wrote:
: I understand that Frisk also intends to make a version of VirStop that
: keeps the virus signatures on the disk and loads them when necessary.
Frisk made the /DISK option for VIRSTOP a long time ago :-)
: This means VirStop will become almost unusable on the system I am
: talking about too... What do you want, not everybody has a '486... :-)
I've run VIRSTOP with the /DISK option on several "slow" systems, but
I don't think that VIRSTOP make them unusable...., and as I said:
it's optional.
: One solution is to have an option that forces the resident scanner to
: keep the virus signatures in memory. This is fast, but could take a
: lot of memory as the number of viruses increases...
: 1) Scan the file when it is executed ONLY if it resides on a floppy.
Why not when executed from a network drive, where your friends has
put all their viruses.......
I guess there are many ways to implement a resident solution, and by
giving the users all options, you get a flexible solution. But you also
make the resident routine more complex, and larger.
Antivirus-soulutions is not the only solutions where you have to trade
security for speed.
Regarding 486, how long do you think the 286 will live ?
- - oep
------------------------------
Date: 11 Feb 93 03:50:40 +0000
From: [email protected] (Harry Zuzan)
Subject: green catipillar (PC)
Does anyone know what the green catipillar virus does?
I have it in a copy of KERMIT I had been using on an old
IBM PC which doesn't have a hard drive.
Will it do any harm? Can I get rid of the virus?
H. ZUZAN
------------------------------
Date: Thu, 11 Feb 93 08:54:31 +0000
From: [email protected] (Per Goetterup)
Subject: Re: New virus in Germany :-( (PC)
[email protected] (Malte Eppert) writes:
[...]
>- - contains the encrypted text "T.R.E.M.O.R was done by NEUROBASHER /
> May-June'92, Germany" and "MOMENT OF TERROR IS THE BEGINNING OF
> LIFE"
>- - Length: exactly 4000 bytes
Just for your information:
Some of those words are from material by the Belgian techno/industrial
band named 'Front 242'. "Neurobasher" is a B-side song from the
"Tragedy For You" remix-maxisingle, and the sentence "Moment of terror
is the beginning of life" is from the inner cover of their album
"Front By Front" (I think).
>The virus is provisorically referenced as "UMB-1 (Tremor)", until a name has
>been officially constituted.
> * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)
The EpiCentre - and a virus named 'Tremor"...? ;-)
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Per Goetterup, Student, DIKU InterNet: [email protected] |
| [email protected] |
| FidoNet: 2:231/91.10 -or- [email protected] |
| |
| DIKU is the department of Computer Science at the University of Copenhagen. |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| The most merciful thing in the world I think, is the inability of the human |
| mind to corrolate all its contents... - H.P. Lovecraft, 1926 - |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"...Suburban gladiators in shoplifters battledress, turning Brussels into a mo-
nument of excremental architecture..." ('The Colloseum Crash', A Split-Second)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------
Date: Thu, 11 Feb 93 07:23:39 -0500
From: [email protected] (Marcio Migueletto de Andrade)
Subject: Michaelangelo's payload (PC)
Hello all,
It is known that the Michaelangelo virus makes use of INT 1Ah (AH=4)
to read the system date. It works on a 386, but fails on a XT (nothing
is returned). The virus still works but the payload is never
achieved. Is it due to an old BIOS ? Is there a *standard* way to
read the system date at *boot time* on a XT ? If not, any virus that
uses the same function cannot work properly in such machines.
(Below the equator line the XT still lives...)
Thanks,
Marcio Migueletto de Andrade
Brazil.
------------------------------
Date: Thu, 11 Feb 93 14:46:57 +0000
From: [email protected] (Ivar Snaaijer)
Subject: Re: Suggestion to the developers of resident scanners (PC)
[email protected] (Vesselin Bontchev) writes:
>My colleague in front of me is working on an old 12 MHz AT, with no
>ex{te|pa}nded memory and a slow hard disk. He's using Dr. Solomon's
>resident scanner GUARD. In order to keep memory requirements low,
> [...]
Sounds like tbscanx !
on garbo.uwasa.fi there is a file in /pc/virus witch is called
tbav50?.zip this file contains a scanning pakage. you also have to
download the signatures (vsig????.zip)
but this program is fully configurable (only shareware)
Ivar.
------------------------------
Date: Thu, 11 Feb 93 14:55:33 +0000
From: [email protected] (Ivar Snaaijer)
Subject: Re: dame virus (pc)
[email protected].edu (WORLEY LAWRENCE JA) writes:
>A friend of mine has a 486 that recently crashed. After booting on a
>clean disk, I ran ScanV100 on it, and found that it had the Stoned
>virus. I cleaned it off, and ran scan again, only to find that it now
>had Michaelangelo virus. I ran clean again, this time with [Mich],
>and it reported that the virus had been cleaned off. However, after
>cleaning, ScanV100 still reported it was in the partition table, and
>the drive will still not boot. Both floppies in the computer are
>write protected and are virus-free. I have now run Clean c: [Mich]
>approx. 30 times, each time, it says it cleaned the drive, and then
>after rebooting, Scan still reports the virus is there. Any ideas?
the tbav package has also a partition and bootsector imunizer ..
it might be an idea !
My plesure
Ivar.
------------------------------
Date: Thu, 11 Feb 93 17:46:06 +0000
From: [email protected].edu
Subject: Help, which scanner? (PC)
Hi, I am relatively unknowledgable about virii.
My question is which scanner(s) should I use regularly
ie: new programs, boot up.
I am currently using Norton Anti Virus at boot up, and during windows
opperation with Norton Desktop for Windows 2.0. I have installed the
latest Virus Definitions.
Thanks for any help.
Larry
------------------------------
Date: 11 Feb 93 18:17:09 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Should scanners detect only common viruses? (PC)
Well, several people asked me by private e-mail to explain why I do
not think that scanners should be tested only against the viruses
known to be in the wild. Instead of replying to each of them
privately, I decided to post here.
There are several reasons:
1) A known-virus scanner is able to do only one thing - detect known
viruses. Nothing more. Because of that, it is a relatively weak
defense against viruses. Well, since it is able to do only that, then
it must do it -well- and detect -all- known viruses, or as many of
them as possible. 'Coz a known-virus scanner that does not detect even
the known viruses is an even weaker defense... :-)
2) Since the appearance of the virus exchange BBSes, there is no more
such thing as a "research-only" virus. Anybody with a PC and a modem
can call such a BBS and download heaps of "research" viruses and use
them to infect the computer of somebody he does not like... And if
this somebody depends on a known-virus scanner for virus protection,
and if this scanner detects only the 100 or so viruses that are
believed to be "in the wild", then the result could be rather
disastrous... Of course, the malicious person could write a completely
new virus from scratch and use it with the same disastrous effect,
even if the scanner on the attacked computer is able to detect all
known viruses. But, first, this proves nothing more than the scanners
ARE a weak defense against viruses and, second, it is still easier to
get a virus written by somebody else than to write your own.
3) "Viruses in the wild" is a rather fuzzy term. There are several
reliable sources of information about which viruses are in the wild -
for instance IBM, Virus Bulletin, Computer Crime Unit at Scotland
Yard, and some others. However, if you compare their data, you'll see
that they agree mainly on one thing - that only a small percentage of
the known viruses are in the wild. They don't agree on which viruses
exactly are in the wild. This is partly due to the fact that viruses
show some geographic prevalence. For instance, 95% of the infections
in Bulgaria are caused by the Dir_II virus. In most other countries
this virus has a status "sometimes found in the wild, but not very
common". According to IBM, Jerusalem is one of the most widespread
viruses in the USA. During my 3-year career of virus fighter in
Bulgaria, the number of Jerusalem infections that I witnessed there
can be counted on the fingers of one hand. In the same time, I have
observed at least one infection of Kamikaze and Anti-Pascal.605 in the
wild there - viruses that are so stupid that some anti-virus
researchers refuse to believe that they are able to survive at all...
So, when I am referring to "the known viruses", I have something
objective to stand on - a virus collection for each example of which
it can be objectively verified that it is indeed a virus and that it
is different from the other samples. I have no similar objective
criteria to decide what is a "virus found in the wild".
I tend to agree with those who claim that it is more important to
detect those viruses that are in the wild, than those that aren't. It
would be a good idea, when testing scanners, to assign some weights to
each virus, reflecting how widespread it is. A scanner that misses 200
(of 2000) viruses that nobody has ever seen in the wild is
definitively better than a scanner that detects all those 1,999
viruses, but misses Stoned.
However, while less important, the detection of non-spread viruses is
not -unimportant-. And since I have no objective criteria to decide
which viruses are widespread and which are not, I prefer to test the
scanners against all viruses that I have.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 24]
*****************************************
|
|
