|
Virus- L Newsletter V.6 No.34 From Internet
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
================================================================================
VIRUS-L Digest Thursday, 25 Feb 1993 Volume 6 : Issue 34
Today's Topics:
WARNING: Problem with CLEAN-UP V100 and Michelangelo (PC)
WARNING: McAfee CLEAN & Michelangelo [Mich] (PC)
Re: Scanners getting bigger and slower
More on Education
Re: Censorship
A quick request for opinions
Known viruses in a UNIX evvironment (UNIX)
Re: Michelangelo or STONED? (PC)
Re: standardization (PC)
Re: New Virus (PC)
Re: Michelangelo or STONED? (PC)
PC Magazine on Anti-Virus Software (PC)
Re: PC Magazine reviews virus scanners (PC)
Request for virus tools (PC)
Maybe a virus (PC)
FPROT, Thunderbyte, & DataCrime II (PC)
Re: F-prot/FSP/bootsum problem. Help! (PC)
Problems w/ LAN Prrotect (PC)
Anybody knows SHIRLEY or VIVALDI ? (PC)
Shriley and Vivaldi Part II (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk, [email protected]
----------------------------------------------------------------------
Date: Wed, 24 Feb 93 11:18:57 -0800
From: aryeh@mcafee.com (McAfee Associates)
Subject: WARNING: Problem with CLEAN-UP V100 and Michelangelo (PC)
[Moderator's note: This message was posted to VALERT-L last night.]
McAfee Associates has been made aware of a possible problem with
removing the Michelangelo virus with Version 9.12V100 of CLEAN-UP:
When is CLEAN C: [MICH] is run to remove the Michelangelo virus on
some computer systems, the original master boot record of the hard
disk is restored to the wrong location, resulting in a non-accessable
hard drive until repaired.
This problem does not occur consistently and we are investigating it
now. In the meantime, anyone wishing to remove the Michelangelo virus
from a hard disk should use the [GENP] I.D. code with CLEAN-UP instead.
For example:
CLEAN C: [GENP]
This will remove the Michelangelo virus by replacing the infected
portion of the master boot record with a clean piece of code from
inside the CLEAN.EXE file.
Details will follow as I find out more.
Regards,
Aryeh Goretsky
Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA | USR HST Courier DS | or GO MCAFEE
------------------------------
Date: Sat, 20 Feb 93 22:32:29 -0500
From: [email protected] (A. Padgett Peterson)
Subject: WARNING: McAfee CLEAN & Michelangelo [Mich] (PC)
[Moderator's note: This message was posted to VALERT-L last night.]
Dangerous Bug in CLEAN.EXE v100 (& possibly earlier)
For some time now I have been receiving reports of a problem between
McAfee's CLEAN utility & the Michelangelo virus (yes, it is that time
again). In this case the cure may be worse than the problem.
First, about a week ago I suggested to Aryeh that someone should look
into the reports, he said that they would look into it & meanwhile to
use CLEAN [GENP] instead of CLEAN [MICH].
The calls I have been getting indicated that after CLEANing, the disk
would become unaccessable. The last report was lucid enough to
indicate that the Dos Boot Record was being replaced by a Master Boot
Record (not a good). Tonight I finally backed up the trusty Columbia
VP-1600 for some testing using the [Mich] and SCAN/CLEAN version 100
(current).
Note: the VP is a 4.77 Mhz "luggable" equipped with a WD controller and
an ST-225 20 Mb fixed disk with MS-DOS 5.0 loaded.
Following a deliberate infection but with a clean boot SCAN had no
problem finding the [Mich] (boy howdy, you could go watch Ren & Stimpy
while waiting on a 4.77 Mhz PC to run SCAN C: /M with v100).
Running CLEAN C: produced the following:
- ---------------------------------------------------
(header skipped)
Cleaning [Mich]
Scanning Volume: TESTDISK
Scanning partition table of disk C:
Found the Michaelangelo [Mich] Virus in partition table.
Scanning partition table of disk C:
Found the Michaelangelo [Mich] Virus in partition table.
Virus cannot be safely removed from partition table.
Found 1 file containing viruses.
1 virus was removed.
(remainder deleted)
- ------------------------------------------------------------
On reboot, not only was the disk unbootable, but access from floppy
resulted in "Invalid media type reading drive C:"
Examination of the disk revealed the [Mich] still in sector 1 and the
original MBR code/partition table now residing in the Dos Boot Record.
Running CLEAN a second time had no effect again on the MBR (where the
Mich was still residing) but a replacement of the DBR with DBR code
id'ed as IBM PC-DOS version 3.3 and an empty Boot Parameter Block.
Again access attempt generated an "Invalid..." (well, the BPB was
empty).
Replacement of the MBR & DBR with the originals restored the disk to
operation with no loss of files, however without these replacement is
possible though difficult (move 0,0,7 to sector 1, pop fresh batteries
in TI Programmer and generate a new BPB for the proper OS Boot Record
code, iterate mistakes until it works). I would not recommend this for
recreational use.
Meanwhile, until McAfee can come up with a fix, I would strongly
recommend reaching for FDISK /MBR (DOS 5.0 undocumented feature)
rather than CLEAN if the Michaelangelo is present.
Warmly,
Padgett
------------------------------
Date: 23 Feb 93 09:54:58 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Scanners getting bigger and slower
[email protected] writes:
>I wonder how Frisk, McAfee, and the rest survive the work load.
I wonder too.... :-)
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801
------------------------------
Date: Tue, 23 Feb 93 08:53:10 -0500
From: Chip Seymour <[email protected].COM>
Subject: More on Education
Thanks for the reply from:
> [email protected]
> Mark Aitchison, University of Canterbury, New Zealand.
> Subject: Re: Virus education
I guess I was speaking in the more generic sense about needing an education.
I've found that, for almost every new technology, there are one or
more new risks. Someone invents PC's, many people invent viruses.
Someone invents a PBX, someone else figures out how to manipulate it
illicitly. Who would have figured that there are ways to exploit
weaknesses in SNMP?
As close to the leading crevasse of technology as we are, I'm finding
there are always those with little regard for personal integrity who
have tread the area before and found a number of means toward personal
profit and/or malicious mischief.
Many times I find they've known how to perpetrate crimes using
technology I've not yet heard of. I am not at all comfortable with not
knowing what they know about my computing resources. That's the
education I'm after.
------------------------------
Date: Tue, 23 Feb 93 15:00:22 +0000
From: [email protected] (Chris Antkow)
Subject: Re: Censorship
As far as I know, In Canada at least, it IS NOT illegal to post viruses
on BBS'. It IS illegal however to spread virus (could be counted as
conspiracy). The BBS does not actually spread the viruses but it's
charged to the individual who downloads it and spread's the virus
maliciously.
If I am wrong, please rebute this as I am curious myself and am allways
getting conflicting messages.
Thanx... Chris
antkow@eclipse.sheridanc.on.ca
------------------------------
Date: Tue, 23 Feb 93 20:15:43 -0500
From: [email protected] (Fred Cohen)
Subject: A quick request for opinions
I am writing a book about artificial life, and have some examples of
programs that automate distribution of software in LANs, implement
distributed databases, etc. They are all written in the Unix shell,
and involve a few lines of code that automatically copy the programs
between machines to automate the distribution process. It has come to
my attention that there may be substantial objection to this idea and
I am asking people in this forum for their opinion.
Each program includes explicit safeties to prevent copying to
machines where operation is not authorized by the root, and they are
designed not to spread outside of particular directories. The code is
very obvious (only a few lines of shell script after all), and the
book includes explicit warnings not to remove safeties or use on any
machine where you don't have permission.
Questions:
1 - why not provide this in the book?
2 - what risks do you see in it?
3 - are you an admin or a user?
4 - do you think there is value in including these examples?
5 - do you think the advantages of examples outweigh any risks?
6 - do you think that the versions that optimize their own behavior by
`evolving' improved forms should not be included - if not why not?
Please Email me your responses ASAP, as the book goes to press in a few
weeks. Also, if you DO NOT want your comments included in the book
(no names will be used) tell me. Otherwise, I will feel free to include
any comments I find particularly enlightening.
FC
------------------------------
Date: Wed, 24 Feb 93 17:12:12 -0500
From: [email protected]
Subject: Known viruses in a UNIX evvironment (UNIX)
I'm looking for information on any known UNIX viruses, as well as any
anti-viral software than runs on UNIX. I've never heard of either,
but some people who should know keep telling me they "think" they've
heard of such things, so I asking for help from the Virus community.
------------------------------
Date: 22 Feb 93 19:03:27 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Michelangelo or STONED? (PC)
[email protected] (LEPRICAN~~~) writes:
> time. We tried McAfee v100, which would recognise the virus, but
> would not remove it from hard drives. It appears to be [Mich] when
> it is on a drive, but when it loads itself into memory, McAfee says
> it's [STONED].
This is a known bug in SCAN. It reports the Michelangelo virus in
memory are Stoned, while on the disk the virus is reported correctly.
> It seems to be easily removed from floppies, but the virus infects
> the partition table of hard drives, where McAfee cannot remove it.
This could be either due to a new variant of the virus, or due to a
bug in CLEAN.
> Reformatting it from a write-protected floppy didn't remove it, either.
Sure, because the virus is in the MBR and FORMAT only rewrites the
FAT, the root directory, and the DOS boot sector.
> Does anyone have any suggestions on how to combat this virus?
Sometimes CLEAN is able to remove new variants of MBR infectors, if
you tell it to remove the [genp] virus. Another solution is to boot
from a write-protected DOS 5.0 (the version is important) system
diskette and to run the command FDISK/MBR.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 23 Feb 93 09:53:18 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: standardization (PC)
[email protected] (007) writes:
>(Hey frisk, how about "f-prot /CARO" as a command line switch?? ;-)
Well, the reason I cannot provide that (yet) is that I don't to exact
identification...I do what I call "almost exact identification". That
is, I don't genaerate a map for each virus and calculate a checksum
for the constant areas, but instead I just check a number of bytes
located at various locations, to make sure I have the size correct,
and know how to disinfect the file.
The problem is that if somebody makes a *very small* change to the
virus, like changing a single byte, I may fail to detect it as a new
variant, although I will be able to remove it, just like the original
variant. When I have implemented exact checksum-based identification
of file viruses (something which I have started to implement), I will
be able to stick 100% to the CARO names.
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: [email protected] fax: +354-1-28801
------------------------------
Date: Tue, 23 Feb 93 14:48:36 +0000
From: [email protected] (Chris Antkow)
Subject: Re: New Virus (PC)
Actually, The Whale source code is posted on a few Canadian VX
boards, however, it is in German, making any modifications by a
"wannabe" virus writer a bit difficult. This is just an FYI, stating
that it IS available to those who know where to look.
Chris
antkow@eclipse.sheridanc.on.ca
------------------------------
Date: Tue, 23 Feb 93 17:39:51 +0000
From: [email protected] (LEPRICAN~~~)
Subject: Re: Michelangelo or STONED? (PC)
Thanks, all of you who have given me suggestions...
The latest release of Central Point Anti Virus seems to
work the best, but a few others worked as well.
Until the next strain...
Leprican~~~
------------------------------
Date: Wed, 24 Feb 93 02:05:24 +0000
From: Joe.[email protected]
Subject: PC Magazine on Anti-Virus Software (PC)
Hello:
Do people in this group support Pc Mag's Editor's Choice Awards to
Central Point Anti-Virus and Norton's Anti-Virus? I thought the best
protection was McAfee's SCAN backed up by F-PROT or vice-versa.
In the review, F-PROT received a honorable mention because it
correctly removed all of the virus's it found. The review did not
test McAfee's SCAN.
Joe George
- ----------------------------------------------------------------------------
Joe George |
University of Notre Dame | A cute quote goes here
joseph.m.george.[email protected] |
- ----------------------------------------------------------------------------
------------------------------
Date: Wed, 24 Feb 93 03:21:10 +0000
From: Christopher Yoong-Meng Wong <[email protected]>
Subject: Re: PC Magazine reviews virus scanners (PC)
[email protected] (Christopher Yoong-Meng Wong) writes:
>influence in the industry. A summary:
>
>1. Editors' choices are CPAV and NAV.
>
>2. The great grandaddy of virus scanners, Mc Afee's Viruscan family,
> was not reviewed. Nor was F-prot (though the commercial version was
> reviewed), except as an aside: "... for those comfortable with
> command line operation ... original F-prot".
> ^^^^^^^^^^^^
>3. Scanning tests involved 11 -- count them -- 11 viruses.
>
>4. Review emphasized completeness of package: disinfection,
> comprehensiveness of service etc, not detection ability.
I am embarassed. Some of you might jump on me for this, so I should
clarify this before others do. I should have been more thorough with
my reading before posting the above. The PC Magazine article does
indeed review the Mc Afee products, under the name of "Pro-Scan", a
commercial product. Also, F-prot's engine was present in 3 of the
products reviewed. So, I have no complaints about the presence of
those 2 products.
My main concern was their emphasis on features (interface etc) rather
than actual performance. Their testing was also quite inadequate.
Finally, when I said "summary", I meant "summary of what this group
(and myself) might object to".
Hope this clarifies things.
Chris
------------------------------
Date: Wed, 24 Feb 93 08:49:31 -0500
From: G J Scobie <gscobie@castle.edinburgh.ac.uk>
Subject: Request for virus tools (PC)
Hi there,
Over the years I have collected a wide range of tools to use when
dealing with PC viruses. However, I'm interested in what other readers
of this board use for disassembling code, inspecting memory, protection,
eradication etc etc. I'm particularly interested in shareware/public
domain software but all replies welcome. If you could mail me direct
and indicate if the product is avaliable via ftp I'll summarise for the
list. The main anti-virus products are often quoted here so no need to
mention these, but I'm sure there are little known utilities we would
all love to hear about.
As always thanks in advance to any replies.
Cheers
Garry Scobie Edinburgh University Computing Service Scotland
e-mail: [email protected]
------------------------------
Date: Wed, 24 Feb 93 12:16:30 -0500
From: [email protected] (Holtz John F)
Subject: Maybe a virus (PC)
I have been having problems with my hard drive recently. About a
month ago my drive was a stacked drive(Stacker 2.0). I never had a
problem with the files on the stacked part only the files on the
unstacked part. When I try to use my .exe files an error message
"Unable to read drive. abort retry etc.". I try to use norton(6.0)
for a disk problem which none was found. I also tried norton NAV(2.0)
and still no problems were found.
Currently I'm unable to boot from my harddrive. (try sys, but no help)
All my *.exe files are not usable.
When I try to use dos .exe files (like mem.exe) error
message "can't execute mem.exe"
I have tried formating the drive, and it worked one time, after the
second time I booted the newly formated drive the same errors resulted.
Does this sound like Hardware or virus problems???
John Holtz ([email protected])
system
386/25
5.0 dos
102 meg drive (ids)
(currently not using stacker)
------------------------------
Date: Wed, 24 Feb 93 18:36:34 +0000
From: [email protected] (Michael Harlos)
Subject: FPROT, Thunderbyte, & DataCrime II (PC)
I've just run FPROT 2.07 for the first time, in a "real DOS" (not OS/2
DOS) session, with several Thunderbyte TSR's loaded. One of the
Thunderbyte TSR checks for suspiciuos activity.
FPROT warned me that "DataCrime II virus search activity was found in memory".
This warning did not occur if I ran FPROT from a clean floppy boot, or if
I remmed out the lines in the autoexec.bat & config.sys files that loaded
the Thunderbyte TSR's. It also doesn't occur in OS/2 DOS, in which I don't
load the Tbyte programs.
I think that FPROT is giving me a false alarm on the Thunderbyte TSR
(TBCHECK).
No problems were noted with Scan100, OScan100 (McAfee OS/2), or
Thunderbyte TBSCAN. All checked the memory as OK.
Any comments or advice would be appreciated.
Thanks,
Mike Harlos [email protected]
------------------------------
Date: Wed, 24 Feb 93 20:33:23 -0500
From: Anthony Naggs <[email protected]>
Subject: Re: F-prot/FSP/bootsum problem. Help! (PC)
Wolfgang Stiller, <72571.3352@compuserve.com>, writes
> [email protected] (jornj) writes:
>
> > I've experienced the same problem, using Integrity Master and Stacker
> > 2.0. When I check the 'bootsector' of my stacked volume IM always
> > claims it has changed...
>
> > Is this normal for Stacker? Or do I have a 'problem'?
> > (I've scanned with scan v99, fprot 2.06 and IM doesn't report any
> > other problems).
>
> Yes, it's a "normal" Stacker function. Stacker creates a pseudo boot
> sector on the simulated (compressed) Stacker volume. For some reason
> Stacker insists on constantly changing this sector. ...
Stacker, (and all similar disk compression products, such as SuperStor),
- -must- change the drive size informtion in the boot sector after all
writes to the drive. When the software is set up it is given a fixed
amount of the physical disk to use, and making an assumption about
expected compression will typically tell DOS that the compressed drive
has twice the capacity of the reserved area.
As data is placed in the compressed drive the disk size must be updated,
to reflect the actual compression of the portion used and the anticipated
compression of the remainder. (Compression depends significantly on
file content). The frequent updates of the disk size are important to
the user, to indicate compress effectiveness, and for DOS to accurately
recognise when the compressed volume is full.
> ... Since you can
> not boot from this sector, there's little reason to check its integrity.
Yes, but there is little reason to trouble users with such details,
they expect the s/w to 'know' what it should check.
> A future version of IM will recognize Stacker boot sectors and not
> bother to check them.
Soon, I hope, :-)
Hope this helps,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton) [email protected] or [email protected]
------------------------------
Date: Wed, 24 Feb 93 17:12:09 -0500
From: [email protected] (Paul Ferguson)
Subject: Problems w/ LAN Prrotect (PC)
A question for the pundits:
Within the past two months, one of our clients has implemented INTEL
Corp's LAN Protect across their LAN topology. LAN Protect was selected
because of several factors, namely managability and low overhead for
the server and the memory and disk requirements on the individual
workstation (only a whopping 3k TSR, actually). The managability issue
was critical -- this is no small LAN with 70+ Novell 3.11 servers and
approximately 2500 users (and growing). We did evaluate several other
NLM based antivirus products, but LAN protect fit nicely into the
scenario,
based on the client's needs and technical constraints.
Additional note: All servers are IBM PS/2 Model 80's or Model 95's and
the LAN topology is Token Ring currently running at 4 Mb per sec.
The initial verion was v1.50 and has since been upgraded (maintenance
release) to v1.54, which we received a couple of days ago and have now
installed on an isolated server to ensure that the previous problems that
we experienced have been corrected. (The documemntation accompanying
the maintenance disk mentioned several problems that were corrected,
but did not specifically address the one that bothers me most.)
Our initial problem was that on servers that were heavily used and
operated with a high degree of throughput, the server would occasionally
crash. This is not a "minor" bug. The low volume servers plodded along
happily. Our first suspicions were that the FRYE Utilities Management
NLM (FRYESERV.NLM) and the LAN Protect NLM (LPROTECT.NLM) were somehow
conflicting, but after unloading all non-Novell NLMs (and subsystem
drivers), the problem would reoccur.
We have loaded the v1.54 onto a test server for a short period in order
to test it (or at least simulate a real-time environment) before a mass
upgrade.
Has anyone else experienced this problem? We have worked with INTEL
extensively on this (and other minor) problems and their last action
was to FedEx this maintenance release.
Replys welcome from anyone who has experience this or other problems
with this product.
Cheers.
Paul Ferguson |
Network Integration Consultant | "All of life's answers are
Alexandria, Virginia USA | on TV."
[email protected] (Internet) | -- Homer Simpson
sytex.com!fergp (UUNet) |
1:109/229 (FidoNet) |
PGP public encryption key available upon request.
------------------------------
Date: Wed, 24 Feb 93 01:22:03 +0100
From: [email protected] (Heinz Wagner)
Subject: Anybody knows SHIRLEY or VIVALDI ? (PC)
Hello folks,
I think this is the right place for questions on virusses.
So please, if anyone of the readers do know something about the
SHIRLEY and/or VIVALDI virus, please drop me a line.
Thi0s virus infects only .EXE files under DOS and produces a batch
file with a ps+eudovariable name like 189acdfg.bat with the length of
18 ... 28 bytes in m0ost cases. + The .bat files contain only one
line like @dosshell *qDP -- Heinz
Wagner [email protected] 2300 Kiel
------------------------------
Date: Wed, 24 Feb 93 01:27:32 +0100
From: [email protected] (Heinz Wagner)
Subject: Shriley and Vivaldi Part II (PC)
Sorry my computer plays tricks on me...
Last Posting continued:
This batch files contian only one line like
@dosshell %df98s/
AND I find some of these files yesterday on a computer of a friend of mine ,
but all virusscanners failed.
So if there are other experiences made out there, please drop me a line,
because I do not read this board regulary. Thanks a lot.
Heinz Wagner [email protected]
2300 Kiel
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 34]
*****************************************
|
|
