VIRUS-L Digest, Volume 6 Issue Number 27


From CUNYVM.CUNY.EDU!lehigh.edu!virus-l Thu Feb 18 05:10:52 1993
Date: Wed, 17 Feb 1993 11:29:17 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright © 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #27
Status: RO

VIRUS-L Digest Wednesday, 17 Feb 1993 Volume 6 : Issue 27

Today's Topics:

TIME Magazine on "Cyperpunk": How Not to Define a "Worm"
Efficacy of Scanners
Definitions of Viruses etc.
Scanners getting bigger and slower
os2-stuff (OS/2)
Dame virus (PC)
scanners. (PC)
standardization (PC)
Re: ANSI Bombs (PC)
How to measure Polymorphism (PC)
Hardware faults and viruses (PC)
Re: New Virus (PC)
Re: Zerotime/Slow virus (PC)
Re: Suggestion to the developers of resident scanners (PC)
RE: Tremor (PC)
Re: F-prot/FSP/bootsum problem. Help! (PC)
two new viruses (PC)
Re: STONED update/additional info questions. (PC)
Re: F-prot/FSP/bootsum problem. Help! (PC)
Re: Help! Help, with FORM virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

Ken van Wyk, [email protected]

--------------------------------------------------------------------------------

Date: Sun, 14 Feb 93 09:06:19 -0500
From: [email protected].com (Matthew Curtin)
Subject: TIME Magazine on "Cyperpunk": How Not to Define a "Worm"

[email protected] (Joseph D. McMahon) writes:

> In last week's TIME magazine (with the "Cyberpunk" lead article), RTM's
> worm is is described as "not a virus, but a worm, since the damage was
> unintentional".
>
> This is the most singular lack of grasp of the subject I have seen in
> a long time.

There were quite a few people posting on alt.folklore.computers about how
many silly errors like that there were. I'd be interested in seeing people
post their gripes about the article, so that I could summarize everything
and write a letter to TIME's editor...

--
C. Matthew Curtin, P.O. Box 27081, Columbus, OH 43227-0081, 614/365-3272
[email protected].com -- GNO your AppleIIGS! Apple II Forever!
"But I am the enlightened one, they are but mere sheep, following each
other in the name of compatibility." -B. Heineman

------------------------------

Date: Mon, 15 Feb 93 00:41:22 -0500
From: "Roger Riordan" <[email protected]>
Subject: Efficacy of Scanners

>>I know this is probably a dumb question but I was wondering about the
>>realistic aspects of scanners like do they really protect .....

[email protected] (ac999512) (Ed Toton) writes

> Well, scanners are fantastic for determining how wide-spread a virus
>is on your system, and great for determining just what you've been infected
>with, but you must already be infected for them to aid you in any way.
>They also cannot handle new and unknown viruses. For this reason they
>don't make an effective front-line defense.

Hogwash! Granted scanners cannot detect the "new" virus till it has
infected someone, but the one thing they will do for you (if you
will only let them) is detect 99.9% of the viruses you will actually
meet before they ever get a chance to do anything to your system.

Not using a scanner because it can't detect ALL viruses is like
saying "I won't bother to lock my front door; any burglar worth his
salt can get in anyway!"

Michael Weiner ([email protected].ac.at, *temporary*) writes

>The big advantage of a checksummer is that it protects you against many
>more things than just computer viruses. Disadvantage: Checksumming takes
>longer than scanning (at least now; if there are more polymorphic viruses
>around, checksumming will be faster at one point)...

AND they can't detect a virus till it has changed something; and
then it might be too late!

Roger Riordan Author of the VET Anti-Viral Software.
[email protected]

CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727

------------------------------

Date: Mon, 15 Feb 93 00:41:35 -0500
From: "Roger Riordan" <[email protected]>
Subject: Definitions of Viruses etc.

Years ago I started to study philosophy. But I quickly discovered
that they spent inordinate amounts of time arguing about whether or
not you could prove anything. It was obvious that I could not prove
that I was really living, and not just dreaming, and this left
me with three alternatives:

1. I could go to bed and stay there, till the dream ended.

2. I could spend my life agonising about whether or not I
really existed, or

3. I could forget the whole stupid argument and get on with making
the most of what, if it was a dream, was a remarkably long
running and consistent one.

I am disappointed to find that far too much of our time has recently
been wasted on Virus-L on similarly arid arguments about what is a
virus. We used to think that the rules of trigonometry were
fundamental laws, imposed from above, but mathematicians have lately
come to realise that they are just rules that we have chosen for our own
convenience. Similarly there is no God given classification of
artificial life forms (or real ones either, for that matter), and
every rule will leave us with uncomfortably arbitrary decisions at
the boundaries.

I think most of us would be reasonably happy with the following
definitions:

1. A Trojan Horse is a program which purports to do something
useful, but is in reality destructive.

2. A Worm is a self contained program which can spread by
itself from computer to computer in a network.

3. A virus is a program which cannot exist independently, but which
can attach itself to (or infect) other programs, in such a way
that when the original program is run the virus is activated,
and enabled to infect other programs.

Clearly viruses can be subdivided according to the type of files
infected, the way in which this is done, and so on, but I believe
these are good working definitions. But, as I said, there will
always be difficult cases at the edges of any rule.

It is often easy to prove that a file is infected with a virus. If
you run a program, and another program grows in length, or each
program you run afterwards becomes longer, and you can show that the
extra code occurs in the first program then it clearly incorporates a
virus.

But if someone brings you a copy of some large application program,
and says "XXX Scanner says this has YYY virus", or "I downloaded
this, and since then Windows has been crashing regularly" you
will probably fairly quickly be able to say "I am reasonably
confident this program does not contain a virus", but it is almost
impossible to say categorically "No it does not have a virus".

When it comes to Trojan horses the situation is even worse. For
most programs of any complexity it would be virtually impossible to
prove that a program did not contain a trojan horse, even if you had
a well commented copy of the original source code.

This is also where our definitions start to get rubbery. It is well
known that most applications have bugs in them which will cause them
to destroy data in some circumstances. Does this mean they are
Trojan horses?

And think about a Basic interpreter. You can undoubtedly persuade
it to overwrite the hard disk, or erase all the files. So is it a
Trojan horse? I am fairly sure that if you got cunning enough you
could persuade it to attach itself to another program, and for this
copy to transfer itself to other programs each time it was run.

So is Basic also a virus? If so maybe it is one of Fred's beneficial
viruses; after all it could give you access to Basic at a keystroke,
without any tedious messing with AUTOEXEC.BAT, or having to pay
someone exorbitant amounts of money. And if you were lucky enough
to become infected with the Basic virus, and made use of it, would
you be infringing the author's copyright?

However one thing which is quite clear is that Xcopy, Format, etc,
are not viruses. They may fit Fred's original definition, but they
certainly do not fit the currently accepted definitions. Fred may
not like this, any more than the first person to use the term
"personal computer" may have liked what IBM did to his idea, but it
is mischievous for him to waste our time with his endless arguments.

Fred, I suspect, is well aware of this, but it suits his purposes to
be able to talk about his "beneficial viruses" (which no-one else
would class as viruses) because of the publicity it generates.

Unfortunately it also provides the schoolboy wannabe virus writers
with the perfect justification for their endeavors; "If Dr. Fred
Cohen says that you can have good viruses why shouldn't we try to
write one."


Roger Riordan Author of the VET Anti-Viral Software.
[email protected]

CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727


------------------------------

Date: Sat, 13 Feb 93 23:01:00 +0100
From: [email protected] (Gal Hammer)
Subject: Scanners getting bigger and slower

Hi All,

I was thinking (doesn't happen a lot, but...): if every virus has its own
signature, and every week a few more viruses appear, won't all the
anti-virus programs start to get bigger and slower?!

Gal Hammer.

--- FastEcho 1.21a
* Origin: Time Vortex * +972-7-762-291 * VirNet Site (VirNet 9:9721/111)

------------------------------

Date: Sat, 13 Feb 93 01:52:02 +0100
From: Malte.[email protected] (Malte Eppert)
Subject: os2-stuff (OS/2)

Hello Vesselin!

> So, I am asking again - can some of the known viruses infect a DLL
> file (even by mistake, even incorrectly)? I think that none of them
> will do that, but maybe I am wrong...

Two years ago I had a strange case of Cascade infection on a 386. An
APP-File of Ventura Publisher had been mistakenly hit by 1704-B and
was damaged - but not infected, since the virus in the file was no
longer capable of replicating - Ventura always crashed at startup.
Nevertheless SCAN (dunno which version it was those days :-) ) flagged
it as infected when using the /A switch; and there were other,
regularly Cascade-infected COM files on the drive which were simple to
clean. The APP-File had to be reinstalled.

I don't know the conditions under which that happened, but I think similar
things should also be possible with DLLs and other viruses.

cu!
eppi

--- GEcho 1.00
* Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date: 08 Feb 93 19:19:00 +0000
From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: Dame virus (PC)

Quoting from Ching S Siow to All About Dame virus (PC) on 02-08-93

CS> I would like to find out more about this "DAME Virus". My network has
CS> 3 files infected with this virus and would appreciate some help in
CS> cleaning it out. I have tried netscan and inoculan, both of which
CS> failed to discover the virus.

DAME is not a virus. It is a routine that virus authors use to encrypt the
virus. DAME is an acronym for Dark Avenger's Mutation Engine. Most of the
time this routine goes by MtE.

MtE adds about 3.5K overhead to the virus.

From my tests, F-Prot and McAfee's Scan are very good in detecting the
presence of the MtE.

Hope this helps.

Bill

---
* WinQwk 2.0 a#383 * Hacked Scan 74, 78, 79, 81, 83, 87, 88, 92, 96

------------------------------

Date: 08 Feb 93 19:04:00 +0000
From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: scanners. (PC)

Quoting from Ed Street to All About scanners. on 02-06-93

ES> I know this is probably a dumb question but I was wondering about the
ES> realistic aspects of scanners like do they really protect as much as
ES> some of the people that I have talked to seem to think? In my opinion
ES> they are just merely an aid to problem solving and should not be used
ES> as a general "cure-all"

Scanners are good for one thing: detecting known viruses (preferably
before running an infected file).

For a better defence, keep a scanner updated, and use a generic virus
detector to detect viruses that get around the scanner.

Scanner:

I recommend the following.

F-Prot
VIRx
Scan.

These rank highest in my tests.

Generic virus detection software:

Victor Charlie
PC-Rx
Untouchable
Integrity Master
PC-cillin.

Each of these has strengths and weaknesses, so read some literature, and
buy the one that seems to fill your needs.

Bill

---
* WinQwk 2.0 a#383 * Hacked versions of TDraw. 4.3, 5.0, 6.0. & 8.0

------------------------------

Date: 09 Feb 93 19:11:00 +0000
From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: standardization (PC)

I may be stepping out of bounds here. But here goes anyway.

I feel that the authors of scanners need to get together, and agree on a
naming system.

A friend of mine recently had a bout with 1575, and he had two scanners.
McAfee's Scan, and F-Prot.

Anthony ran each scanner, and he was told that he had two viruses. 1575,
and Green Caterpillar.

Anthony was beside himself. He thought he had two viruses, and F-Prot
detected one, and Scan detected another one. He called me to help.

I drove over and quickly found the problem, and explained that he only had
one virus, and different scanners use different naming systems.

If someone has Frodo, and is using three different scanners, s/he could
get three different names.

Frodo
4096
IDF
Century
etc.

These authors need to get together and nail down a coherent naming system
to prevent this problem. If they can't work out a naming system for every
known virus, start with the 60 or so common viruses that are known to be
in the wild, and go from there.

Climbing down from soapbox now.

Bill

---
* WinQwk 2.0 a#383 * Excalibur BBS (408) 224-0813

------------------------------

From: [email protected] (Byron C. Ellis)
Subject: Re: ANSI Bombs (PC)

[email protected] (Inbar Raz) writes:

>To all of you who are afraid of ANSI bombs, two ways of avoiding them:

>1. Replace your ANSI driver. Use something like NANSI, that has a /S
> command line switch to DISABLE the keyboard redefinition.

>2. If you are a BBS, and using the MTS package, people can infect you by
> simply inserting an ANSI bomb to an ARJ COMMENT, and when the MTS
> opens the ARJ to its temp dir, the bomb will activate.

> If you are using ARJ, do this:

> SET ARJ_SW=-JA-

> If you already have an ARJ_SW, add -JA- to it.

Or just add a /k to your ANSI.SYS parameters... That disables the macro
function...
--
Flying (v): The art or knack of throwing yourself at the ground and missing.
-The more than complete Hitchhiker's Guide to the Galaxy trilogy
Byron C. Ellis, Internet: [email protected]

------------------------------

Date: Mon, 15 Feb 93 00:40:07 -0500
From: "Roger Riordan" <[email protected]>
Subject: How to measure Polymorphism (PC)

[email protected] (David M. Chess) writes:

>measure the randomness of a string of bits by finding the smallest
>program for some standard Turing Machine that produces those bits.

In theory this sounds a good idea, but in practice the length of a
program tells us far more about the skill of the programmer than
about the complexity of the task. It has been shown, BTW, that any
program can be reduced to zero length (1.).

Still I suppose that if you compare programs written by the same
person you will get a better idea of the relative complexity, but
even this will be biased, as the programmer should be able to do a
much better job the second time round.

[email protected] (Bill Arnold) writes

>Fridrik Skulason recently posted lines-of-code counts for some
>algorithmic virus detectors in F-PROT. I'm assuming his
>detectors are written in C. Here are lines-of-code counts for a
>few algorithmic detectors (written in C) included in IBM
>AntiVirus. ....

> MtE ::= 330 physical, 105 comments, and 274 source lines
> V2P6 ::= 89 physical, 57 comments, and 45 source lines
> V2P2 ::= 145 physical, 38 comments, and 77 source lines

I didn't notice Frisk's posting, but gather it quoted similar
figures (actually rather smaller; MtE 174). I looked up our
listings, & got the following figures. We don't bother to
differentiate between V2P2 & V2P6. As neither is in the wild, and
we don't attempt to disinfect them, there is no need to separate
them.

V2P2/V2P6     82 total lines    123 bytes
MtE          241 total lines    392 bytes
Slovakia     162 total lines    345 bytes

In each case this is the full subroutine containing all necessary
data (apart from a small standard block specifying the type of file,
etc, in a table with entries for all viruses, which is used for
initial selection). Each subroutine is passed a pointer to the
file, which has already been loaded into a buffer.

Our program is written in assembler, and the figures seem to bear
out my belief that HLLs confer much less advantage than is generally
claimed.

Roger Riordan Author of the VET Anti-Viral Software.
[email protected]

1. Proved by applying the generally accepted rule "You can always
find at least one redundant instruction in any program if you look
hard enough" recursively.

CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727

------------------------------

Date: Mon, 15 Feb 93 00:40:19 -0500
From: "Roger Riordan" <[email protected]>
Subject: Hardware faults and viruses (PC)

[email protected] (V Menayang) writes

> I wonder if a virus can erase the information stored in
> CMOS? If it can, what virus/viri known to work this way?
> The reason I am asking these questions is that the computer
> repair person we took our Grid system machine to claimed
> that our problem (floppy drive wouldn't refresh) is caused
> by a virus. I don't know much about virus but the claim
> sounds suspicious because he said that the virus is [stoned].

The only virus I know which interferes with the CMOS is AntiCad. It
wipes the setup info, but only after it has written rubbish all
through your hard disk, so it certainly didn't cause this problem.

Unfortunately viruses are a godsend to the incompetent servicemen
and purveyors of rubbish. We even had one case where a resistor on
the disk controller card had burnt out (and emitted visible smoke),
yet the PC shop would not repair it under warranty "because the
damage had been caused by a virus"!

Roger Riordan Author of the VET Anti-Viral Software.
[email protected]

CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727

------------------------------

Date: 15 Feb 93 08:19:58 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: New Virus (PC)

[email protected] (Vesselin Bontchev) writes:
>First, for someone who's not very smart, the Whale virus will be too
>difficult to understand, so they are more likely to go hacking yet
>another Jerusalem variant. Second, Whale is -trivial- to detect - just
>34 simple (i.e. non-wildcard) scan strings...

And third...the source code to Whale is not available on the Vx BBSes,
and disassembling whale and creating a new version that way is a LOT
of work.

- -frisk

--
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801

------------------------------

Date: 15 Feb 93 08:34:39 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Zerotime/Slow virus (PC)

[email protected].edu.au (Bernie Groen) writes:

>Need help,have a virus Norton antivirus 2.1 calls it SLOW, Fprot 2.07
>calls it a variant of Zerotime neither one will remove it.

Well, those names are aliases...Zerotime/Slow is actually a variant of
Jerusalem, with an encryption layer added. There are two known variants -
Jerusalem.Zerotime.Scotts_Valley and Jerusalem.Zerotime.Australian...but it
seems you have encountered the third one.

F-PROT refuses to remove it, because it does not match any of the known
variants, and removal might therefore fail...adding removal should be easy,
once I receive a sample of the virus from somewhere.

- -frisk

--
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801

------------------------------

Date: 15 Feb 93 08:44:44 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Suggestion to the developers of resident scanners (PC)

[email protected] (Vesselin Bontchev) writes:

>I understand that Frisk also intends to make a version of VirStop that
>keeps the virus signatures on the disk and loads them when necessary.

Not a special version - this is just an option...enabled by the /DISK command
line switch...it means a longer delay, yes...but significantly less memory
usage...2K instead of 13K or so.

- -frisk

--
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801

------------------------------

Date: Mon, 15 Feb 93 03:43:01 -0500
From: [email protected] (Paul Ferguson)
Subject: RE: Tremor (PC)

On 12 Feb 93 (13:28:35 +0000) <[email protected]>
Vesselin Bontchev wrote -

> [email protected] (Malte Eppert) writes:

>> There's a new virus around in Northern Germany which was isolated
>> on the Fachhochschule Braunschweig/Wolfenbuettel on Feb. 4, 1993.
>> It was analyzed by Robert Hoerner and has the following
>> characteristics:

>> - infects COM and EXE
>> - loves infecting COMMAND.COM on drive A:

> More exactly, loves infecting the command interpreter - regardless
> where it is. For instance, C:\DOS\4DOS\4DOS.EXE works just as well as
> A:\COMMAND.COM.

So I've noticed. I "spoke" with Robert Hoerner about it earlier.

>> - TSR in UMBs (!), stealth
>> - uses interrupt trace techniques
>> - slightly polymorphic, WHALE and FISH-like

>> Tested the following scanners: FindVirus 6.10 (Drivers of December 5,
>> 1992); F-Prot 2.07; SCAN 100. Only F-Prot 2.07 detects the virus and
>> NOT reliably - some infected files are missed. I was told that S&S
>> International has created an external additional driver for their
>> scanner, that detects this virus; users of Dr. Solomon's Anti-Virus
>> ToolKit should contact them for more information.

I had noticed that F-Prot v2.07 did detect it (to what extent, I have
not had an opportunity to effectively measure), but since there were
no references to it within the F-Prot documentation ("New viruses --
detection added..") or from within the program itself ("Not yet
analysed"), I suspect that detection of TREMOR was a last minute
addition.

I have FindVirus 6.07 (drivers dated 19/11/1992), which of course do
not detect this virus. Would you happen to know if there is an avenue
(electronic, of course) to obtain driver updates, other than waiting
for regular postal delivery for registered users? If not, I'll pester
him at the Ides conference next month. :-)

> Some additional information:

> 1) The virus uses the following "Are you there?" call: INT
> 21h/AX=F1E9h, returns AX=CADEh. A program that intercepts that could
> be used as poor man's defense.

> 2) The virus particularly targets the program VSAFE that comes with
> Central Point Anti-Virus and MS-DOS 6.0 and disables it. I'm not
> certain why it does that - the virus is tunnelling enough to bypass
> monitoring software... Maybe the virus author just wanted to
> demonstrate that he knows how to disable this particular program.

[remainder deleted]

What _exactly_ are its infection criteria? Although I've had barely
enough time to read my E-mail in the past two weeks, I have noticed
that it is _very_ selective about its targets.

A side note: Tarkan's VDS Pro v1.0 handles it nicely with its
generic approach. :-)

Cheers from Washington, DC

Paul Ferguson | "Sincerity is fine, but it's no
Network Integration Consultant | excuse for stupidity."
Alexandria, Virginia USA | -- Anonymous
[email protected] (Internet) |
sytex.com!fergp (UUNet) |
1:109/229 (FidoNet) |
PGP public encryption key available upon request.

---
[email protected] (Paul Ferguson)
Access <=> Internet BBS, a public access internet site
Sytex Communications, Arlington VA, 1-703-358-9022

------------------------------

Date: 15 Feb 93 08:51:36 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: F-prot/FSP/bootsum problem. Help! (PC)

[email protected] (THE EYES OF GO ARE WATCHING YOU) writes:

>I have a question regarding a problem I am having running Flushot and
>F-prot 2.06 concurrently. (I have not yet updated to F-prot 2.07 or
>FSP+). I have FSP configured so that it checks my bootsum when I boot
>up. The value of the bootsum is not supposed to change, and never
>does until I scan my drive with F-prot.

F-PROT does NOT write to the boot sector at all (well, unless you have
a boot sector virus and disinfect it). If the BSV is modified, it
must be done by some other program...actually, there are certain
versions of DOS (Zenith 3.3, for example) that modify the Boot sector
regularly, but DOS 5.0 does not change it as far as I know. I would
suggest you made a "before" and "after" hex dump of the boot sector
and compared them...

- -frisk

--
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801
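
The "before" and "after" hex dump comparison Frisk recommends, as an added example that is not F-PROT, Flushot or FSP code. The sample sector is constructed in the block, the checksum is a CRC-32 stand-in (FSP's actual bootsum algorithm is not given here), and the region names follow the standard DOS boot-sector layout so the diff says whether a change landed in a volume field or in the boot code itself.

```python
"""Hex dump and byte-level diff of two boot sectors, with the changed region named."""

import binascii

SECTOR = 512

# DOS boot-sector layout used to name where a change landed (standard offsets).
REGIONS = [
    (0x000, 0x00B, "jump/OEM name"),
    (0x00B, 0x024, "BPB"),
    (0x024, 0x027, "drive number/ext. boot signature"),
    (0x027, 0x02B, "volume serial"),
    (0x02B, 0x036, "volume label"),
    (0x036, 0x03E, "filesystem type"),
    (0x03E, 0x1FE, "boot code"),
    (0x1FE, 0x200, "55AA signature"),
]

# Regions where a silent change is more than housekeeping and should be examined.
CODE_REGIONS = {"jump/OEM name", "boot code", "55AA signature"}


def bootsum(sector: bytes) -> int:
    """Stand-in checksum (CRC-32) over the whole sector; any byte change alters it."""
    return binascii.crc32(bytes(sector)) & 0xFFFFFFFF


def hexdump(sector: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump: the 'before' and 'after' records to keep."""
    lines = []
    for off in range(0, len(sector), width):
        chunk = sector[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


def region_of(offset: int) -> str:
    for start, end, name in REGIONS:
        if start <= offset < end:
            return name
    return "outside sector"


def diff_sectors(before: bytes, after: bytes):
    """Runs of changed bytes as (offset, region, old_bytes, new_bytes)."""
    runs = []
    i = 0
    while i < SECTOR:
        if before[i] == after[i]:
            i += 1
            continue
        j = i
        while j < SECTOR and before[j] != after[j]:
            j += 1
        runs.append((i, region_of(i), bytes(before[i:j]), bytes(after[i:j])))
        i = j
    return runs


def suspicious(runs) -> bool:
    """True if any change touched code or the signature rather than volume fields."""
    return any(region in CODE_REGIONS for _, region, _, _ in runs)


def make_sector() -> bytearray:
    """Constructed DOS-style sector: jump, OEM name, extended BPB fields, filler code, signature."""
    s = bytearray(SECTOR)
    s[0x00:0x03] = b"\xEB\x3C\x90"
    s[0x03:0x0B] = b"MSDOS5.0"
    s[0x26] = 0x29                                   # extended boot signature
    s[0x27:0x2B] = b"\x12\x34\x56\x78"               # volume serial
    s[0x2B:0x36] = b"NO NAME    "
    s[0x36:0x3E] = b"FAT12   "
    s[0x3E:0x1FE] = b"\xFA\x33\xC0".ljust(0x1FE - 0x3E, b"\x90")  # filler 'code'
    s[0x1FE:0x200] = b"\x55\xAA"
    return s


if __name__ == "__main__":
    before = make_sector()
    after = bytearray(before)
    after[0x27:0x2B] = b"\xAA\xBB\xCC\xDD"           # constructed: only the serial changed
    print(f"bootsum {bootsum(before):08X} -> {bootsum(after):08X}")
    for off, region, old, new in diff_sectors(before, after):
        print(f"{off:04X} {region}: {old.hex()} -> {new.hex()}")
    print("suspicious:", suspicious(diff_sectors(before, after)))
```

On a real machine the two inputs would be sector 0 read with a low-level disk tool before and after the scan (or, for Jorn's Stacker case, the stacked volume's boot record). A change confined to the volume fields is the kind of rewrite Frisk attributes to certain DOS versions; a change in the code bytes or the 55AA signature is what the scanner comparison is meant to catch.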

------------------------------

Date: 14 Feb 93 00:20:00 +0000
From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: two new viruses (PC)

I have discovered two new viruses today. One companion infector, and one
file infector.

Companion infector.

This companion infector is not resident, uses the MtE, and not infectious
in the second and third generation

the infections I have captured vary from 6686 bytes, - to 6737 bytes.

File infector.

This file infector is approximately 2800 bytes.

When users run an infected file, this virus will try to infect every .COM,
and .EXE in the current directory.

It was made by the MPC. It is very difficult to get the infected files
to run.

I will be sending these to some CARO members that I know, so these can
be added to the CARO catalog.

Both of these viruses are in the wild.

Bill

---
* WinQwk 2.0 a#383 * DATACRIME-B activates Oct 13-Dec 31

------------------------------

Date: Mon, 15 Feb 93 06:01:45 -0500
From: Otto Stolz <[email protected]>
Subject: Re: STONED update/additional info questions. (PC)

Hi fellow virus-buster,

this seems to be a common problem so I decided to comment on the explicit
virus-eradicating procedure Ulysses reported. Definitely, the authors
of virus scanners should enhance their documentation, and the users
should bother to read it!

On 11 Feb 93 12:23:59 -0700 Ulysses Castillo
<[email protected]> said:
> 1) Cold booted from a write-protected virus free disk.
> 2) Used SCAN v99 on C:, no virus was found in memory or on C:.
> 3) Inserted an infected floppy in B:.
> 4) Ran scan on b:. No virus found in memory, stoned virus found
> in boot sector of B:.
Now, any disk operation (such as DIR or, indeed, SCAN) involving B: will
read the infected boot sector into memory.

> 5) Ran scan on B: again. Virus found in memory and in boot sector
> of B:. (HOW???)
You've ordered it yourself, as explained above.

But relax: the virus is not active, your computer is not infected; the
virus code simply is sitting somewhere in memory where it never will be
executed, and where it will be overwritten sooner or later. The only way
to infect your computer would be to (inadvertently) boot it from the
infected disk (or any equivalent thereof such as using DEBUG to
explicitly execute the copy of the bootsector sitting in memory).

> 6) Reboot (cold boot, not control-alt-delete).
> 7) Inserted infected disk in B:.
> 8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector
> of B:. Virus removed from B:.
At this point, you should either re-boot your computer, or insert a clean
disk into B: and DIR it. This will overwrite the buffer, so SCAN will
not be fooled into raising a false alarm.

> 9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT
> found on B:.
Now, your B: is clean, and so is your computer (only SCAN does not
believe so).

Do not forget to scan all computers that have been in contact with the
infected disk, and then in turn all disks that have been in contact with
any computer you may find infected, and then in turn all computers ...

> Again, from these observations we are being led to believe that stoned
> loaded itself into memory after a read operation on the infected disk.
No. Rather it was loaded by DOS, and "in memory" does not imply "active"
(whilst "active" indeed does imply "in memory").

On Fri, 12 Feb 93 14:53:29 +0000 Julian Haddrill <[email protected]>
said:
> I too have had the same problem, with the 'FORM' virus.
> Scanning and finding the virus caused it to infect my PC,
Julian, are you still convinced after having read the remarks above?

Best wishes,
Otto Stolz <[email protected]>
<[email protected]>
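
The distinction Otto draws between "in memory" and "active", replayed over Ulysses's steps as an added toy model (not DOS, SCAN or CLEAN code, and not from this digest). Memory is a bytearray, the virus is a constructed marker string standing in for a real signature, and the BIOS disk-service vector (INT 13h) is one integer; the addresses are assumptions chosen to look DOS-like, not a real memory map. A naive memory scan looks for the marker anywhere in RAM; the "active" check asks whether a hooked vector actually hands control to code carrying it.

```python
"""Why a memory scan reports a boot-sector virus after DIR or SCAN of an
infected floppy although nothing ever executed it: the sector sits in a
DOS buffer. Constructed toy model."""

SECTOR = 512
MEM_SIZE = 0x10000             # 64 KiB toy address space
DOS_BUFFER = 0x0600            # where a sector read by DIR/SCAN is cached (assumed)
BOOT_LOAD = 0x7C00             # where the BIOS loads a boot sector before jumping to it
RESIDENT_TOP = 0x9E00          # top of memory, where a boot virus would stash itself (assumed)
ROM_INT13 = 0xF000             # where a clean INT 13h vector points (assumed)

VIRUS_SIG = b"TOY-BOOT-VIRUS"  # constructed marker, not any real virus's string


def make_boot_sector(infected: bool) -> bytes:
    body = b"BOOTSTRAP" + (VIRUS_SIG if infected else b"")
    return body.ljust(SECTOR, b"\x00")


class ToyPC:
    def __init__(self):
        self.mem = bytearray(MEM_SIZE)
        self.int13 = ROM_INT13

    def cold_boot(self, sector: bytes):
        """Power-cycle: RAM cleared, vector restored, then the boot sector runs.
        An infected sector copies itself to the top of memory and hooks INT 13h."""
        self.mem = bytearray(MEM_SIZE)
        self.int13 = ROM_INT13
        self.mem[BOOT_LOAD:BOOT_LOAD + SECTOR] = sector
        if VIRUS_SIG in sector:
            self.mem[RESIDENT_TOP:RESIDENT_TOP + SECTOR] = sector
            self.int13 = RESIDENT_TOP

    def access_floppy(self, sector: bytes):
        """DIR, SCAN, CLEAN: DOS reads the boot sector into its buffer; nothing executes it."""
        self.mem[DOS_BUFFER:DOS_BUFFER + SECTOR] = sector


def signature_in_memory(pc: ToyPC) -> bool:
    """What a naive memory scan reports: the string is somewhere in RAM."""
    return VIRUS_SIG in pc.mem


def virus_active(pc: ToyPC) -> bool:
    """What matters: does a hooked vector hand control to code carrying the signature?"""
    if pc.int13 == ROM_INT13:
        return False
    return VIRUS_SIG in pc.mem[pc.int13:pc.int13 + SECTOR]


def replay_report():
    """Ulysses's sequence plus Otto's remedy, as (step, in_memory, active) tuples."""
    clean, infected = make_boot_sector(False), make_boot_sector(True)
    pc = ToyPC()
    out = []
    pc.cold_boot(clean)                        # step 1: cold boot from a clean disk
    out.append(("1 cold boot from clean disk", signature_in_memory(pc), virus_active(pc)))
    pc.access_floppy(infected)                 # step 4: SCAN B: reads the infected sector
    out.append(("4 SCAN B:", signature_in_memory(pc), virus_active(pc)))
    pc.cold_boot(clean)                        # step 6: reboot clears the buffer
    out.append(("6 cold boot again", signature_in_memory(pc), virus_active(pc)))
    pc.access_floppy(infected)                 # step 8: CLEAN reads the sector before fixing it
    out.append(("8 CLEAN B:", signature_in_memory(pc), virus_active(pc)))
    pc.access_floppy(clean)                    # Otto's remedy: DIR a clean disk
    out.append(("remedy: DIR a clean disk", signature_in_memory(pc), virus_active(pc)))
    pc.cold_boot(infected)                     # the only way the virus really goes active
    out.append(("boot from infected disk", signature_in_memory(pc), virus_active(pc)))
    return out


if __name__ == "__main__":
    for step, in_mem, active in replay_report():
        print(f"{step:<30} in memory: {in_mem!s:<5} active: {active}")
```

The model reproduces Ulysses's observations: the marker shows up in RAM after every read of the infected floppy, yet the vector still points to the ROM routine until the machine is actually booted from that disk. A scanner that reports only the string match cannot tell the two apart, which is why Otto's advice is to overwrite the buffer (DIR a clean disk) or reboot before re-scanning.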

------------------------------

Date: Mon, 15 Feb 93 12:11:45 +0000
From: [email protected] (jornj)
Subject: Re: F-prot/FSP/bootsum problem. Help! (PC)

THE EYES OF GO ARE WATCHING YOU ([email protected]) wrote:

[cut, cut]

: FSP+). I have FSP configured so that it checks my bootsum when I boot
: up. The value of the bootsum is not supposed to change, and never
: does until I scan my drive with F-prot. After I finish scanning my
: drive I get an alert from FSP saying my bootsum records do not match,
: and then it shows the newly assigned value. I am confused about why
: F-prot changes my bootsum when it scans my drive and if there is
: anything I can do about it.

[cut]

: By the way, my system is a IBM AT (100% compatible) running Stacker on
: a 32m hard drive, and DOS 5.0.

I've experienced the same problem, using Integrity Master and Stacker
2.0. When I check the 'bootsector' of my stacked volume IM always
claims it has changed...

Is this normal for Stacker? Or do I have a 'problem'?
(I've scanned with scan v99, fprot 2.06 and IM doesn't report any
other problems).

//Jorn
--
Jorn F Jensen, Student at Trondheim College of Engineering, CS
[email protected]

------------------------------

Date: Mon, 15 Feb 93 08:39:35 -0500
From: Otto Stolz <[email protected]>
Subject: Re: Help! Help, with FORM virus (PC)

On Wed, 10 Feb 93 11:44:05 -0500 Bill Hayes <[email protected]> said:
> [...] machine was infected with FORM, a boot sector virus.
> Now my student computer labs have been infected with it.

To recover from the incident, you need a quick and reliable virus
scanner (cf. infra). Use it in the following way:

1. To clean the HDs, repeat, for each computer in the lab and in the
institute you got the virus from, the following steps:

1.1 Power off for at least 90 seconds, insert clean DOS (same version
as on the HD) disk into drive A, switch on. Make sure the
computer boots from the floppy disk (otherwise change the BIOS
setup, then repeat step 1.1).

1.2 Insert clean disk with your favourite scanner, and scan HD for
boot sector viruses. Take notes, which computers are reported as
infected.

1.3 If computer is infected with FORM (or any other Boot Record Virus)
then insert again the clean DOS disk, and enter
SYS C:
Note: this does not cure Master Boot Record Viruses such as
Brain, Stoned, or Michelangelo.

1.4 To re-boot from the HD, take out the disk from drive A, then
press Ctrl-Alt-Del, or power off and on again. Make sure the
computer boots from the hard disk (otherwise change the BIOS
setup, then repeat step 1.4).

1.5 To be on the safe side, check HD again with a good virus scanner.

2. For each computer found infected in step 1.2, collect *all* floppy
disks that were in contact with it. Really, all of them! Search
shelves, drawers, pockets, bags! Do not even overlook disks used as
book-markers or saucers! Cross-examine users and operators!

Invoke your favourite virus scanner on a clean computer, and check
the floppy disks you collected. Take notes, which disks are
infected.

3. Get a supply of empty floppy disks, and format them on a clean
computer. Then, for *every* disk found infected in step 2, repeat:

3.1 If it is a system disk, make sure that the system you are using
is the same version as that on the floppy, then enter:
SYS A:

If it is a non-system disk, then copy all *files* from it to an
empty and (cleanly) formatted disk, using XCOPY, or an equivalent
utility. Do *not* use DISKCOPY (or equivalent), as the latter will
include the boot sector with the copy. Make sure the copy is
complete, then re-format the infected disk, and use it for any
purpose.

3.2 To be on the safe side, check the floppy again with a good virus
scanner.

3.3 Notify the users and operators of all computers that may have been
in contact with the infected disk, and ask them to repeat steps
1 to 3, for their computer -- up to, and including, step 3.3!

This is the generic method for boot sector infectors. Instead of steps
1.3 and 3.1 you may wish to exert the Disinfect option of a virus
scanner. This will work, if the scanner does identify the virus beyond
any doubt; but if the scanner tries to disinfect a virus that is not
properly identified (perhaps a new variant of an old virus), it may do
more harm than good.

In case of a student lab, you may not find all relevant disks in step 2,
or all relevant computers in step 3.3. In this case, install a monitoring
virus scanner on all computers; this sort of scanner will alert the
students of infected disks as they bring them to the lab, and it will
not allow these disks to be used with your machines. However, no software
can stop your students from booting deliberately from infected disks
(which will necessitate repeating the whole procedure outlined
above).

> [...] I might be able to wring out $5.00 to $10.00 per machine to
> license a product. Is there anything out there?

The shareware version of F-PROT from Frisk Software can be licenced for
US$ 1.00 per computer per year (minimum $20.00 per site per year), mass
discounts and educational discounts may apply. This does not include
delivery, nor individual support. Rather, you are supposed to fetch
the software (including documentation) from a suitable file server, and
handle virus incidents on your own.

F-PROT is updated roughly every other month. In reviews, its virus
scanner usually ranks among the top three, world-wide. It also comprises
a monitoring virus scanner named VIRSTOP, a heuristic scanner (which can
alert you to hitherto unknown viruses, but is not as accurate as the
known-virus scanner), and a database of known-virus descriptions (though
rather terse ones).

I think F-PROT is the best value you can get for the least money. I
hasten to add that I am not commercially connected to Frisk Software --
I'm just a satisfied user.

Best wishes,
Otto Stolz <[email protected]>
<[email protected]>
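The "bootsum" check that Jorn's and the earlier poster's integrity tools perform, and the boot-sector rewrite that step 1.3 (SYS) causes, come down to comparing the 512-byte boot sector against a stored baseline. The following is an added example, not code from the digest or from FSP, Integrity Master, F-PROT or Stacker; the sample sectors are constructed inline, and the field offsets are those of a standard DOS boot sector with a BIOS Parameter Block (BPB).

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_START = 62  # end of the DOS 4+ extended BPB; boot code follows


def parse_boot_sector(sector: bytes) -> dict:
    """Extract the fields a defender compares, plus a hash ("bootsum")."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    bytes_per_sector, sectors_per_cluster, reserved = struct.unpack_from("<HBH", sector, 11)
    return {
        "jump": sector[0:3].hex(),
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved,
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "bootsum": hashlib.sha256(sector).hexdigest(),
    }


def diff_boot_sectors(baseline: bytes, current: bytes) -> dict:
    """Report whether the sector changed and which parts differ."""
    a, b = parse_boot_sector(baseline), parse_boot_sector(current)
    if a["bootsum"] == b["bootsum"]:
        return {"changed": False, "fields": [], "code_changed": False}
    fields = [k for k in a if k != "bootsum" and a[k] != b[k]]
    # Bytes after the BPB are boot code. New code with an unchanged BPB is
    # what SYS, a disk-compression driver, or a boot-sector infector all
    # produce, so a changed bootsum alone cannot say which one it was; the
    # structured diff tells you at least *what* moved before you reach for
    # the scanner or the clean DOS disk.
    code_changed = baseline[CODE_START:510] != current[CODE_START:510]
    return {"changed": True, "fields": fields, "code_changed": code_changed}


def make_sector(jump: bytes, oem: bytes, code_fill: int) -> bytes:
    """Constructed sample: a minimal DOS-style boot sector, not a real disk image."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = jump
    s[3:11] = oem.ljust(8)
    struct.pack_into("<HBH", s, 11, 512, 2, 1)  # bytes/sector, sectors/cluster, reserved
    s[CODE_START:510] = bytes([code_fill]) * (510 - CODE_START)  # stand-in for boot code
    s[510:512] = b"\x55\xaa"
    return bytes(s)


BASELINE = make_sector(b"\xeb\x3c\x90", b"MSDOS5.0", 0x90)
REWRITTEN = make_sector(b"\xeb\x3c\x90", b"MSDOS5.0", 0x91)  # same BPB, new code
```

Running `diff_boot_sectors(BASELINE, REWRITTEN)` reports a change confined to the code region, which is the pattern a legitimate SYS (and, equally, an infector) leaves behind; a differing BPB would instead point at a reformat or a different volume.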

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 27]
*****************************************