|
Virus- L Newsletter V.6 No.28 From Internet
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
================================================================================
VIRUS-L Digest Wednesday, 17 Feb 1993 Volume 6 : Issue 28
Today's Topics:
Re: Michelangelo origins (CVP)
Re: Pundits and bandits
Re: How to measure polymorphism
Re: general entertainment
F-Prot 2.07 & Append (PC)
Is this a virus? (PC)
Re: green catipillar (PC)
Re: Michaelangelo's payload (PC)
Re: MtE Infected... (PC)
Re: New virus in Germany :-( (PC)
Re: International computer virus day (was: Michelangelo Virus?) (PC)
Re: Notes about Sunday Virus (PC)
Virstop 2.07 & Lanworkplace = Windows Hangs... (PC)
Re: STONED update/additional info questions. (PC)
Re: Suggestion to the developers of resident scanners (PC)
FORM (again!) (PC)
Re: windows virus (PC) - is WALDO one?
Re: New Virus (PC)
Re: NAV questions (PC)
Re: New virus in Germany :-( (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk, [email protected]
----------------------------------------------------------------------
Date: 15 Feb 93 19:09:35 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Michelangelo origins (CVP)
[email protected] writes:
> information can be overwritten, resulting in a loss of data. One
> version of Stoned (which I do not have) is reported not to infect
> 3.5" diskettes: this is undoubtedly the template for Michelangelo
> since it doesn't infect 3.5" disks either.
I don't have such version of Stoned either, but the rest of your
sentence is not quite correct. Michelangelo infects 3.5" 1.44 Mb
floppies, but the infected ones have the Media Description Byte in the
boot sector destroyed, which makes them unreadable on some computers.
They are perfectly infective, though. The virus also tries to infect
3.5" 720 kb diskettes - there is nothing in the code to stop such
attempts. However, due to a bug, the virus tries to infect them as
high-capacity diskettes and to store the original boot sector at a
non-existing location. This produces an error and the virus just gives
up.
> Stoned has "spawned" a large number of "mutations" ranging from
> minor variations in the spelling of the "payload" message to the
> somewhat functionally different Empire, Monkey and No-Int
> variations. Interestingly, only Michelangelo appears to have been
> as "successful" in reproducing, although the recent rise in Monkey
> reports is somewhat alarming.
The major reason of the spread of No_INT and Michelangelo was that
they have been distributed with commercial software...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 20:14:44 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Pundits and bandits
[email protected] (Paul Ferguson) writes:
> Well, it may stop them from authoring viruses, but unfortunately
> virus "creationists" are like a pesky rodent infestation -- you
> eradicate six of them and there are six (times two) that step in
> to take their place.
Bah, I disagree... Convicting a few virus writers will have enough
preventing effect at least towards the other "wannabes" from the same
country... Wonder why nobody else has released yet another Internet
worm from the USA?... :-)
> PGP public encryption key available upon request.
Please, consider this a request. I am collecting public keys and am
making them available by anonymous ftp.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 18:52:53 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: How to measure polymorphism
[email protected] (Paul Houle) writes:
> If an antivirus program is not polymorphic, it potentially can be
> recognized and tampered with by a virus. The code can be altered so it alway
s
> reads "clean", or the files it keeps can be altered to delete signatures (fo
r
> scanners) or to change CRCs, message digests, whatever is used to protect
> programs. Therefore, for safety, an antivirus program should ideally be
> different in every installation. The filename should be different, the code
Yes, that's a very good idea. And it can be implemented quite easily,
no need to have the "polymorphic compiler" you are talking about. Just
have some polymorphic engine in the intallation program and use it to
encrypt and prepend a random decryptor to the executable before
installing it. Of course, you could even use MtE for that purpose, but
this is not a wise idea, because then everybody's scanner will detect
your program as infected with an MtE-based virus... :-)
This will practially elliminate a direct attack against the virus. Of
course, in theory, the virus writer could create a virus that contains
a detector for your polymorphic engine, but I wish 'em luck trying to
do that... :-) More likely they'll just stick to a stealth virus.
Of course, the implementation of the polymorphic anti-virus program
should be strong enough - e.g. an integrity checker that shokes when a
virus deletes its dabases of checksums is not good, even if it is a
polymorphic one... :-)
Oh, yes, and it is enough to make the executable different each time.
You don't need to bother with the names of the data files, if you
provide the possibility to the user to use just -any- names...
Possible problems - encrypting the executable and prepending a
decryptor is not trivial for some executables (e.g., Windows
applications), but it is not an unsolvable problem...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 21:20:16 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: general entertainment
[email protected] (Vesselin Bontchev) writes:
> The article is "Discover" does not make an exception - lots of
> technical and factual details are wrong. Maybe the funniest of them is
> the conjecture that "Diana P." in Dark Avenger's viruses has something
> to do with Lady Diana, Princess of Wells. However, the general
> analysis of the situation in Bulgaria that leaded to the creation of
> so many viruses there is rather exact.
> [Moderator's note: FYI, I think that's "Princess of Wales".]
Ooops, sorry... :-( My apologies to Lady Diana... But my ignorance on
the subject somehow demonstrates how popular she is in Bulgaria and
how probable is that the Dark Avenger has used her name in his
viruses... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 15 Feb 93 13:57:42 +0000
>From: [email protected] (Conrad Longmore)
Subject: F-Prot 2.07 & Append (PC)
F-Prot 2.07 seems to clash with the MSDOS APPEND command. The problem
occurs trying to load VIRSTOP after APPEND. VIRSTOP won't install,
complaining that the version of DOS is incompatible or a virus is active
in memory.
The solution is to load APPEND after VIRSTOP, or even better - stop using
APPEND altogether.
- --
// Conrad Longmore / Janet: [email protected] / //
// Bedford College / Internet: [email protected] / "It's all gone //
//------------------/ Phone: +44 234 345151 / horribly wrong" //
// c/o De Montfort / Fax: +44 234 342674 / //
------------------------------
Date: Mon, 15 Feb 93 09:15:35 -0600
>From: "MICHAEL @CPEAK 6807" <[email protected]>
Subject: Is this a virus? (PC)
A friend of mine is running a 386/40mhz machine with ms-dos 5.0 and an
ide drive partitioned into 4 smaller drives. recently (the last 3-4
weeks we have experienced crashes on 3 out of the 4 disks. what has
happened is if you were in an executable file, all of a sudden the FAT
gets scrambled for the drive you executed from, and the disk must be
reformatted to recover. I have tried to recover with norton disk
doctor ver 6.01 to no avail (too many cross-linked files to deal
with). Running scan v100 shows no viruses, running f-prot 2.07 in scan
mode shows nothing, in heuristic mode it shows xtg.exe to be
suspicious but no known virus. Since we have formated each of the
three partitions, everything works fine. but we are concerned as to
wether this could be a virus or meerly a hardware failure? We have
restored from tape to get both really old versions and recent versions
(from the 4th of feb. 1993 and from backup disks from november 1991)
and there doesn't appear to be any differences in the file sizes. Any
ideas? The system is only 6 months old. Oh yeah, no messages are
displayed, so we aren't sure what we are dealing with, except it has
happened with three different executables (telix, ACAD10, and
frontdoor 2.02).
thanks,
Michael
------------------------------
Date: 15 Feb 93 18:34:54 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: green catipillar (PC)
[email protected] (Harry Zuzan) writes:
> Does anyone know what the green catipillar virus does?
In short, it displays a green caterpillar, crawling on the screen.
> Will it do any harm?
Not intentionally. But it may crash your computer, interfere with
other software, infect your friends, etc.
> Can I get rid of the virus?
Of course. Just replace the infected file with a clean copy. Or use
some disinfection program (e.g., F-Prot).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 19:03:12 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Michaelangelo's payload (PC)
[email protected] (Marcio Migueletto de Andrade) writes:
> It is known that the Michaelangelo virus makes use of INT 1Ah (AH=4)
> to read the system date. It works on a 386, but fails on a XT (nothing
It will also work on a '286 and on some XTs with a CMOS-based clock.
> is returned). The virus still works but the payload is never
> achieved. Is it due to an old BIOS ?
Yes.
> Is there a *standard* way to
> read the system date at *boot time* on a XT ? If not, any virus that
No. A genuine XT just does not have a "system date" at boot time,
because it doesn't have a clock/calendar or CMOS RAM to store such
values. At boot time the system date on a XT is initialized to January
1, 1980.
> uses the same function cannot work properly in such machines.
Correct.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 19:41:35 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: MtE Infected... (PC)
[email protected] (martin dewaele) writes:
> I have Norton Anti-Virus 2.1 and it has detected what is called the
> MtE Infected virus. Yet the Repair function states that it is unable
> to repair the infected file.
As far as I know, NAV is not able to repair any MtE-based virus. It is
even not able to detect them reliably. If you -must- repair that file,
try the program TbClean from the TBAV package. It is a generic
disinfector (i.e., not virus-specific) and sometimes succeeds to
disinfect the MtE-based viruses, especially if they are in a COM file.
CPAV 1.3+ also can disinfect some of the MtE-based viruses. There is
also a German product that can do that, but I guess it is not
interesting to you. Nevertheless, it is much better to just delete the
infected file and replace it with a clean copy.
However, what bothers me is that you are talking about a single file
(if I've understood you correctly). In this case, it is likely to be a
false positive alarm (for more information about that, please read the
FAQ). Thus, you are advised to try a couple of other scanners that are
able to detect MtE-based viruses reliably. Two general-purpose
scanners (shareware) that can do that are SCAN 100 and F-Prot 2.07. An
MtE-only detector, called CatchMtE is freeware and is available from
most anti-virus sites, including ours. If no other scanners reports
the file as infected, it is almost certainly a false positive. In this
case you are advised to contact your local Symantec tech support.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 19:51:11 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: New virus in Germany :-( (PC)
[email protected] (Per Goetterup) writes:
> Some of those words are from material by the Belgian techno/industrial
> band named 'Front 242'. "Neurobasher" is a B-side song from the
> "Tragedy For You" remix-maxisingle, and the sentence "Moment of terror
> is the beginning of life" is from the inner cover of their album
> "Front By Front" (I think).
Hmm, this is yet another proof of the connection that exists between
the virus writers and the fans of this kind of music... :-) A
colleague of mine in Bulgaria has a paper on this subject;
unfortunately it is in Bulgarian... Maybe, if she is reading this, she
would like to post a translation... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 19:15:54 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: International computer virus day (was: Michelangelo Virus?) (PC)
[email protected] (Arlyn) writes:
> The question came up in our office today: Is the world expecting another
> round of the Michelangelo Virus to turn up on march 6 this year? Does
> anyone know if the date trigger on the virus checks for the year?
> [Moderator's note: Michelangelo does not check for the year; it
> triggers on 6 March of any year.]
Disclaimer: the opinions expressed below are entirely my own. The
VTC-Hamburg might or might not agree with them. In any case, we do not
want to be accused in starting another virus scare.
Answer: Yes, as Ken points it out, the Michelangelo virus does not
check for the year and activates on March 6 on ANY year.
Now, may I remind you that regardless of the world-wide virus scare
the last year, when you might have hoped that even the little old
ladies that can't program their microwave have been warned about the
virus, there were still a couple of thousands of trashed hard disks on
March 6 around the world.
This year, nobody's going to believe us when we tell them that
computer viruses exists and can damage your data. This year March 6 is
a Saturday, so it is unlikely that you'll even turn your office
computer (the one with the important date) on. Yet, Michelangelo is
not dead. It is still around and is still causing about 1% of the
reported infections. This year there will be some hard disks trashed
on March 6 too. Maybe hundreds of disks around the world, maybe even a
thousand or two. Almost nothing. But you wouldn't want that to be
YOUR hard disk, would you?
This year, like any other, on March 6, like on any other day,
hundreds of viruses are lurking around, causing the other 99%
infections. Viruses like Stoned and Jerusalem, like Form and Green
Caterpillar, that don't do anything remotely as spectacular and
thrilling as Michelangelo. Yet they -are- lurking around, they -are-
infecting the computers around and they -are- causing data destruction
- - often unintentionally, due to bugs.
So, how about declaring March 5 as International Anti-Virus Day?
There are several things you can do to participate:
1) Get a good, up-to-date scanner and run it at least once. Computer
viruses -do- exist. It is rather unlikely, but one of them might be on
your computer, or on that nifty game your kid just copied from a
friend. Scanners are a weak line of anti-virus defense, because they
cannot detect new viruses, but most good scanners can detect all
widespread viruses. There are some very good scanners, which are
essentially free. Get one and use it.
2) Back-up your data. Don't delay it until you finish that other "more
important job", or it might be too late. Devise a good backup strategy
and follow it strictly.
3) Get a good integrity checker and install it on your system. There
are several shareware ones, which are not 100% fool-proof, but are
good enough. Besides, all widespread viruses are foolish enough and
will be detected.
4) Tell all your friends who are using computers about these four
points and ask them to participate. Remember - every virus that is
detected and destroyed means one virus less to attack somebody's
systems in the future - maybe even yours.
5) Try to follow those guidelines during the whole year, not only a
single day. After you get used to them, you'll see that it's not that
difficult at all.
6) Educate your fellow users. If you are a system administrator, a
tech support person, or just have some friends who are also using
computers, educate them about computer viruses. You are already
reading Virus-L/comp.virus; that's good. Get the FAQ and read it. Get
some of the information sources referred there and read them. Share
your new knowledge with other computer users.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 20:04:03 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Notes about Sunday Virus (PC)
[email protected] (Mario Rodriguez (Virus Researcher)) writes:
> Sunday infects programs with extensions .COM, .EXE and .OVL as they are exe
> uted. The .COM files grow 1,636 bytes, and files .EXE and .OVL grow between 1,
That's not quite correct; the virus does not infect overlays. It
intercepts INT 21h/AX=4B00h and infects anything executed this way,
except COMMAND.COM. If the file being executed matches the
specification ????????.??M, then it will be infected as a COM file,
otherwise - as an EXE file. Overlays are NOT loaded this way.
> Sunday intercepts interrupts 21h (Dos services) and 8 (time of day), but th
> last one is only intercepted if the year is different 1989. In any other year
> the virus will activate on Sundays, and in that day 10 seconds after an infect
> d program is excecuted, th virus will 'teletype' the next message using interr
> pt 10h (video services):
No, version A of the virus does not do that. It contains a bug (waits
for the eight day of the week), due to which it never activates. What
you have is probably Jerusalem.Sunday.10_seconds.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 15 Feb 93 15:34:54 -0500
>From: "Rich Travsky 3668 (307) 766-3663/3668" <[email protected]>
Subject: Virstop 2.07 & Lanworkplace = Windows Hangs... (PC)
I have been using VIRSTOP from the recently released version 2.07
of F-Prot, and have noticed the following about a couple of the
new options (/COPY and /BOOT) under Lanworkplace.
My setup: a 386 Zenith pc; on a Novell 3.11 lan using ODI; using
Lanworkplace. Besides the Novell stuff, Lanworkplace uses another
piece of network software called TCPIP.EXE. Virstop is loaded after
all the network software.
When I start up Windows (3.1), it generally puts me right back at the
dos prompt. Or it might just hang the machine, forcing a re-boot. Once,
by chance that I wasn't able to repeat, I got a message saying something
like "not enough file handles for dos operation" (or words to that
effect). So, I tried increasing the number of file handles. Sure enough,
the more file handles I set, the farther into Windows I get. However,
Windows still fails, giving messages like "general protection fault",
sometimes on progman.exe, sometimes on krnl386.exe, and sometimes with
user.exe. At this point I was well over 200 file handles (also
counting the ones allocated in the Novell NET.CFG file).
Anyone have any thoughts, workarounds, etc.? Need more information?
I think the two options are great additions to F-prot and we have some
setups on our campus that could really use this. We haven't committed to
distributing and supporting Lanworkplace yet, but if we do, we won't be
able to recommend the use of these features.
At the moment I'm only posting this to comp.virus; I may also post it
to the Novell groups and the comp.protocols.tcp-ip.ibmpc group (so
apologies if you end up seeing this more than once).
Thanks all,
+---------+ Richard Travsky RTRAVSKY @ UWYO . EDU
| | Division of Information Technology
| U W | University of Wyoming (307) 766 - 3663 / 3668
| * | "Wyoming is the capital of Denver." - a tourist
+---------+ "One of those square states." - another tourist
------------------------------
Date: 15 Feb 93 20:28:30 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: STONED update/additional info questions. (PC)
[email protected] (Ulysses Castillo) writes:
> I want to thank the people who have responded with their ideas about
> what might be happening. I also wanted to explain more clearly
> the procedure we followed. Specifically:
Sigh... Some people won't read the FAQ, regardless how often you tell
them to do so. And some anti-virus producers won't fix their products,
regardless how often you are telling them what's broken and how to fix
it...
> 3) Inserted an infected floppy in B:.
> 4) Ran scan on b:. No virus found in memory, stoned virus found
> in boot sector of B:.
The scanning process has caused the infected boot sector of the floppy
to be read in the DOS buffers. Now the virus is there (i.e., in
memory), but, of course, is not active.
> 5) Ran scan on B: again. Virus found in memory and in boot sector
> of B:. (HOW???)
Virus found in memory (in the DOS buffers), because SCAN is stupid
enough to scan the whole memory, instead of only those places where
this virus could reside, if active. Why the virus is found on the
floppy I don't know, but this is again some kind of mistake.
> 6) Reboot (cold boot, not control-alt-delete).
This cleans the memory, including the DOS buffers, thus the virus
code is wiped out. It has never been active anyway.
> 7) Inserted infected disk in B:.
> 8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector
> of B:. Virus removed from B:.
The cleaning operation has read the infected boot sector in the DOS
buffers.
> 9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT
> found on B:.
Virus found in memory (in the DOS buffers), because SCAN is stupid
enough to look for it there.
> Again, from these observations we are being led to believe that stoned
> loaded itself into memory after a read operation on the infected disk.
Nope, it's actually DOS that loads the virus code (the infected boot
sector) in its buffers.
> Again, the documentation I've read on Stoned seem to indicate that
> this is impossible.
It is impossible for the virus to become ACTIVE, if you just read an
infected floppy. But of course it is possible to place its code in
memory - where do you think goes everything that you read from the
floppy?
> Alternately, it's been suggested that SCAN/CLEAN
> can give false alarms on occasion.
Yup. This is called ghost positive. It can be easily avoided by the
producer of the scanner with a little bit of intelligent programming.
I suggest that people REFUSE to use anti-virus software that is so
stupid. Maybe some user pressure put on the developers will force them
to fix the product.
> Ideas?
Read the FAQ.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 15 Feb 93 20:39:53 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Suggestion to the developers of resident scanners (PC)
[email protected] (oep) writes:
> Frisk made the /DISK option for VIRSTOP a long time ago :-)
Uhm, well, not so long time ago, I think... :-)
> : 1) Scan the file when it is executed ONLY if it resides on a floppy.
> Why not when executed from a network drive, where your friends has
> put all their viruses.......
Ah, yes, I forgot about that. Yes, the file should be scanned when
executed from a network drive too. BTW, one thing that Frisk really
*MUST* implement soon is an option to re-activate VirStop after the
network shell has been loaded...
> I guess there are many ways to implement a resident solution, and by
> giving the users all options, you get a flexible solution. But you also
> make the resident routine more complex, and larger.
Yes, flexibility is the key... But code added due to this kind of
complexity does not increase much the resident program size. In any
case, much less than the database of scan strings...
> Regarding 486, how long do you think the 286 will live ?
This is irrelevant. My colleague is using a slow '286 -now- and he is
removing the virus protection due to the system slowdown -now-.
(Actually, he removed it a few days ago.) Therefore, we need a fast
resident scanner -now-. I'll try to convince him to use VirStop and
we'll see whether the system slowdown will be bearable...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 15 Feb 93 16:23:41 -0500
>From: [email protected] (Paul Ferguson)
Subject: FORM (again!) (PC)
On 12 Feb 93 (14:53:29 GMT), <[email protected]> Julian Haddrill
wrote -
> I too have had the same problem, with the 'FORM' virus.
As you may have noticed, the FORM virus has enjoyed wide-spread
propagation around the world. One of our clients in New York has
had a re-occuring problem with it for six months or better.
(Makes one wonder how "Corinne" is faring -- better than Sylvia,
I would hope, considering that her address was not inclusive in
the code!)
> Scanning and finding the virus caused it to infect my PC, and I
> had to Clean the PC from a Write-Protected safe floppy with
> CLEAN on it.
Your problem sounds as if you're either finding "ghost" signatures
in memory (or in the master boot sector, which was not disinfected
properly) or you somehow have managed to re-introduce the virus into
your system in some fashion.
Don't put all of your eggs into one basket: Try another recommended
virus detection utility.
> You've just got to be careful out there!
Yes, we all do. :-)
Cheers from Washington, DC
Paul Ferguson | "Making duplicate copies and computer
Network Integration Consultant | printouts of things no one wanted
Alexandria, Virginia USA | even one of in the first place is
[email protected] (Internet) | giving America a new sense of
sytex.com!fergp (UUNet) | purpose." - Andy Rooney
1:109/229 (FidoNet) |
PGP public encryption key available upon request.
- ---
[email protected] (Paul Ferguson)
Access <=> Internet BBS, a public access internet site
Sytex Communications, Arlington VA, 1-703-358-9022
------------------------------
Date: 15 Feb 93 21:50:22 +0000
>From: [email protected] (Andrew Wang)
Subject: Re: windows virus (PC) - is WALDO one?
[email protected] (David M. Chess) writes:
>>From: [email protected]
>>
>>I am sorry to be a nuisance, but several users of Windows at Sheffield
>>appear to have been hit by a virus that isn't detected directly. Using
>>memory resident virus checkers only detect a write to a protected file
>>or disc, but not the name. Scanning the disc and memory also fails to
>>show up the 'virus'.
>Well, the possibilities seem to be:
> - A genuine Windows-targetted virus, although that seems unlikely
> since you say that the Windows files fail to run after
> being altered,
> - A Trojan Horse program that's just damaging the Windows files,
> - A DOS virus that your "memory resident virus checkers" don't
> have a specific signature for, but that they are able to
> notice now and then,
> - A system problem that's causing some component of the system
> to mistakenly alter other components,
> - A problem with your resident anti-viral, that's causing it
> to give false reports and then mess up the system.
We have been experiencing a problem with Windows that also may
be connected with a virus. Recently a couple machines have been
producing a "WALDO has caused a General Protection Fault" error,
and then crashing hard. The only reason I suspect a possible
virus is "WALDO". For those of you who haven't read Waldo books,
I have been told there are a set of books where you have to find
Waldo, and it can be very difficult to find him.
I haven't been able to find any documentation of a virus called Waldo,
but since our data is valuable to us, I am taking the possibility
seriously. Here's some info: We run Word for Windows, Corel Draw, and Excel
almost exclusively. I've just downloaded virscan90 but it turns up nothing.
We use SCSI disks.
If anyone can shed some light, I'd really appreciate it!!!
Andrew
------------------------------
Date: 15 Feb 93 22:06:00 +0000
>From: "Tan Bui" <[email protected]>
Subject: Re: New Virus (PC)
[email protected] (Amir Netiv) writes...
>Daphne Rosenhouse writes:
>Whell, it could be as you say (a variant of the WHALE), but it would
>be rather surprising, since the Whale is an old one and from a viral
>point of view... an unsuccessful one.
>
>I find it hard to believe that someone will use this as a base virus
>for modifications. [...]
Well, from my point of view, the Whale virus is one of the better viruses
written by the virus authors. It uses stealth techniques and has procedures
to keep away the unsuspecting and the less qualified 'debuggers'. It is
a virus from which you can learn a lot, and I am sure that some people
will take its source codes for modifications.
Take the Jerusalem virus for example. It is a rather old virus, and yet,
modifications have been made to it, and have been released.
Although the Whale virus has flaws, we can learn a lot from it.
------------------------------
Date: Mon, 15 Feb 93 22:29:58 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: NAV questions (PC)
[email protected] (oep) writes:
[comments about NAV and SCAN and VSUM deleted]
>As far as I know, there is a close link between the authors of SCAN and
>VSUM, and i wouldn't trust the test as a purely independent test.
>
>I did *not* say that I trust NAV either....
There is no close link between McAfee Associates and Ms. Hoffman, at
least, none different from that between her and any other anti-viral
vendor.
Regards,
Aryeh Goretsky
Technical Support
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | [email protected]
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR
------------------------------
Date: Mon, 15 Feb 93 18:16:21 -0500
>From: Fabio Esquivel <[email protected]>
Subject: Re: New virus in Germany :-( (PC)
G'day netters:
Per Goetterup ([email protected]) writes:
> [email protected] (Malte Eppert) writes:
>
>>- - contains the encrypted text "T.R.E.M.O.R was done by NEUROBASHER /
>> May-June'92, Germany" and "MOMENT OF TERROR IS THE BEGINNING OF
>> LIFE"
>>- - Length: exactly 4000 bytes
>
> Just for your information:
>
> Some of those words are from material by the Belgian techno/industrial
> band named 'Front 242'. "Neurobasher" is a B-side song from the
> "Tragedy For You" remix-maxisingle, and the sentence "Moment of terror
> is the beginning of life" is from the inner cover of their album
> "Front By Front" (I think).
I'm not stranged about this; just FYI:
- The DIR-II alias "Creeping Death" may come from the Heavy Metal band
"Metallica": third song, B-side, "Ride the Lightning" long play.
- Dark Avenger mentions "Eddie lives... Somewhere in Time", where Eddie
is the Iron Maiden's puppet and 'Somewhere in Time' is their 1986
long play.
- The variant of Dark Avenger "Die Young" (V2000-B virus) mentions
"Only the good die young", which is the last song, B-side, of the
"Seventh Son of a Seventh Son" long play of the same Speed Metal
band Iron Maiden. Even more, the string "Seventh son of a seventh
son" is found inside the "Seventh Son" virus...
- The "Evil Men" virus (variant of Dark Avenger) contains the text
"The Evil that men do" which is a song from the same long play
"Seventh son of a seventh son".
- The V800 virus has the encrypted text "Live after Death" which is
the name of the album that Iron Maiden released in 1985 (live in
from California and Hammersmith Odeon, London).
- The August 16th virus has the string "IRON MAIDEN" inside...
- The Enigma virus contains the string "This is the voice of Enigma...
the spirits of the hell are coming back!". The first sentence is
from the song "The voice of Enigma" (1st A-side) from the long play
"ENIGMA+ MCMXC a.D." of the group (yup!, you guessed it) Enigma.
In the back cover of this album you can read the string "LPVIR 1"
("Long Play Virus 1"?).
As you can see, there's a couple of music-fans writting viruses out there.
So beware of those neighbors who like the music/noise...
Regards,
Fabio
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Fabio Esquivel Chacon * Computerize God - It's the new religion *
* [email protected] * Program the Brain - Not the heartbeat *
* University of * * * * Virtual existence / Superhuman mind *
* Costa Rica * The ultimate creation / Destroyer of mankind *
* "My girlfriend, * Termination of our youth / For we do not compute *
* ____/| music and * *
* \'o O' computers * "Computer God" - Dehumanizer *
* =(_Q_)= drive me * Ronnie James Dio - Black Sabbath (1992) *
* U crazy..." * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 28]
*****************************************
|
|
