DP Tool Club 8 / CDASC08.ISO / VRAC / VL6_120.ZIP / VL6-120.TXT
Internet Message Format | 1993-09-10 | 36KB
From Fidoii.CC.Lehigh.EDU!lehigh.edu!virus-l Thu Sep 9 05:48:53 1993 remote from vhc
Received: by vhc.se (1.65/waf)
via UUCP; Thu, 09 Sep 93 15:52:44 1
for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
id AA27426; Thu, 9 Sep 1993 15:52:43 +0200
Received: from Fidoii.CC.Lehigh.EDU ([127.0.0.1]) by Fidoii.CC.Lehigh.EDU with SMTP id <4112-3>; Thu, 9 Sep 1993 09:48:55 EDT
Message-Id: <9309091349.AA09484@agarne.ims.disa.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@assist.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #120
X-Listprocessor-Version: 6.0a -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Thu, 9 Sep 1993 09:48:53 EDT
VIRUS-L Digest Thursday, 9 Sep 1993 Volume 6 : Issue 120
Today's Topics:
see you in Amsterdam :-)
Re: Dark Avenger Update?
Experiments with mutated viruses. (PC)
Re: Any good anti-viral shareware out there (PC)
Re: Lambdin's Accuracy Tests (PC)
Re: Write protect ... (HELP!) (PC)
Possible DOS/Windows virus... in the development stage? (!) (PC)
EXEBUG (PC)
Re: Floppy disk virus (PC)
1530 or SVC? Disinfection? (PC)
posting re retaliator viruses (PC)
CRUNCH21.COM (PC)
Re: NukePox disinfector? (PC)
"Moose" PC viruses (PC)
viruses in .ARJ & .ZIP (PC)
Re: Vshield v107 (PC)
TBAVU605.ZIP/TBAVX605.ZIP - TBAV anti-virus v6.05 (optimized/upgrade) (PC)
New files on risc (PC)
DS II (PC)
DiskSecure II updated (yes) (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 07 Sep 93 12:20:58 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: see you in Amsterdam :-)
Well, I am off for the Virus Bulletin conference in Amsterdam, followed by
my annual vacation, far away from any viruses.
My staff here in Iceland will know how to get in touch with me if absolutely
necessary, but don't expect any E-mail replies from me personally until I get
back on the 22nd.
-frisk
--
Fridrik Skulason Frisk Software International phone: +354-1-617273
Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274
------------------------------
Date: Tue, 07 Sep 93 20:49:15 -0400
From: blah@netcom.com (baby copperfield)
Subject: Re: Dark Avenger Update?
73044.2573@compuserve.com (William H. Lambdin) writes:
>The latest thing that I have seen written by Dark Avenger was the Uruguay
>virus, but that was several months ago
i dont know where this information came from, bill, but according to
everything i have read, uruguay came from Uruguay. dark avenger is/was
from bulgaria :). that virus has been around since december 1992, and
in my extended conversations with dav, it was -never- mentioned as one
of his viruses.
there are a lot of people who would like him to be writing and
distributing viruses. monster virus writers make much better press
than ones that quit or suspended 'operations' for whatever reason. i
study the subculture relating to virus writers, and if someone has
some documentable verifiable proof that this particular guy is at it
again, i would really appreciate seeing it. it would be an important
part of the work involved in developing case histories and a general
overview of the 'culture' that exists around viruses.
however, to date, all i have seen regarding this particular guy is a
few imitators, some insertions of his name in test strings, and a few
attempts to provoke him to some action or other made by persons who
are part of the virus subculture. i know this is not your intent;
maybe someone told you he wrote that virus. as far as i know, he's
never been in uruguay, and more importantly, did not write that virus.
at least, he has not stated he did, and he has been more than
cooperative about his past actions.
sara
--
SGordon@Dockmaster.ncsc.mil / vfr@netcom.com bbs: 219-273-2431
fidonet 1:227/190 / virnet 9:10/0 p.o. box 11417 south bend, in 46624
you are only coming thru in waves..your lips move but i cant hear what you say
------------------------------
Date: Tue, 07 Sep 93 12:20:25 -0400
From: "Sajid Rahim" <sajid@oris.ru.ac.za>
Subject: Experiments with mutated viruses. (PC)
To: virus-l@lehigh.edu
From: sajid
Date: 5 Sep 93 18:36:14
Subject: Experiments with mutated viruses.
Priority: normal
X-mailer: Pegasus Mail v2.3 (R5).
Hello all,
I have just finished carrying out experiments designed to test the
detection ability of three products namely :
i. Dr Solomons Toolkit
ii. McAfee Scan v106
iii. F-prot v2.08d
They were specifically chosen as available on the internet in the case of
McAfee whilst Dr Solomons has been aggressively marketed in South
Africa. I did not bother using the local product from CSIR which in
my view was a very limited product when compared to the three
mentioned above.
Samples used were restricted to multi-partite viruses which
included DAVs as well as stealth. The viruses were firstly
disassembled to the target assembler TASM v2.0. The disassembled
sources were then modified in the following manner :
Non-Encrypting Viruses
----------------------
Modification : The potential string combinations were slightly altered,
               i.e. resetting the virus's omega sign display. This was done
               without the slightest idea as to what the detection string
               might be, to prevent any biasing.
               Some code pieces were removed (a couple of bytes only).
Encrypting Viruses
------------------
Modification : The encrypting keys of the viruses were modified to
               different values than those utilised by the existing
               virus.
The samples were then assembled into binary code.
All the anti-virus products were then run to see how good their
detection systems were. Here surprises emerged.
Toolkit failed to recognise any of the mutated code. Scan was able
to work for non-encrypted codes whilst F-Prot was able to detect all.
At the conclusion, I was horrified to think of the potential disaster
waiting to emerge for those using Dr Solomons. Finally I wish to file
a disclaimer that all these experiments were carried out without any
bias toward any of the three products.
Hope that this info is of any use to users out there.
Sincerely
Sajid
--
------------------------------------------------------------
Sajid Rahim internet : sajid@oris.ru.ac.za
S.R.L fidonet : 5:7105/4.5
P.O. Box 5890,MMabatho,Bophuthatswana.
============================================================
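The following is an added illustration, not part of Sajid's post and not code from any of the three products he tested, of why the two mutations above defeat a scanner that only carries a fixed byte string: a display-text change breaks a signature taken from the text, and a changed encryption key scrambles every byte of the body. Everything in it is constructed: the inert sample body (seven genuine 8086 opcode bytes plus a display string, never executed), the "DEC" decryptor header, which stands in for a key-dependent decryptor and is not real code, and the scanning strategies, which are generic and not those of any named product.

```python
import re

# Constructed, inert stand-in for a non-encrypting virus body. The first
# seven bytes are genuine 8086 encodings (mov ah,9 ; mov dx,0100h ; int 21h)
# followed by a display string; nothing here is ever executed.
BODY = b"\xb4\x09\xba\x00\x01\xcd\x21" + b"Omega: \xea" + b"\xc3"

# Two candidate signatures pulled from BODY: one from the displayed text,
# one from the code bytes around the DOS call.
TEXT_SIG = b"Omega: \xea"
CODE_SIG = b"\xb4\x09\xba\x00\x01\xcd\x21"

# Constructed 'decryptor' header: magic, one key byte, body length (u16 LE).
# A model of a key-dependent decryptor, not real machine code.
STUB_RE = re.compile(rb"DEC(?P<key>.)(?P<len>..)", re.DOTALL)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted(body: bytes, key: int) -> bytes:
    """Model of an encrypting virus: stub + body XORed with a one-byte key."""
    return b"DEC" + bytes([key]) + len(body).to_bytes(2, "little") + xor_bytes(body, key)


def scan_string(sample: bytes, sig: bytes) -> bool:
    """Plain byte-string signature: matches only if the bytes appear verbatim."""
    return sig in sample


def scan_stub(sample: bytes) -> bool:
    """Wildcard signature on the key-independent part of the decryptor."""
    return STUB_RE.search(sample) is not None


def scan_decrypt(sample: bytes, sig: bytes) -> bool:
    """Generic decryption: find the stub, recover the key, decrypt the body
    and only then apply the body signature. Falls back to a plain match."""
    m = STUB_RE.search(sample)
    if m is None:
        return scan_string(sample, sig)
    key = m.group("key")[0]
    n = int.from_bytes(m.group("len"), "little")
    return sig in xor_bytes(sample[m.end():m.end() + n], key)


def scan_all(sample: bytes) -> dict:
    """Run every strategy against one sample."""
    return {
        "text_string": scan_string(sample, TEXT_SIG),
        "code_string": scan_string(sample, CODE_SIG),
        "stub_wildcard": scan_stub(sample),
        "decrypt_then_code": scan_decrypt(sample, CODE_SIG),
    }


# The mutations from the experiment, applied to the constructed sample.
ORIGINAL = BODY
TEXT_MUTATED = BODY.replace(b"Omega: \xea", b"Omega: \x00")  # display string altered
ENC_KEY_5A = make_encrypted(BODY, 0x5A)                        # 'existing' key
ENC_KEY_A3 = make_encrypted(BODY, 0xA3)                        # key changed

if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("text mutated", TEXT_MUTATED),
                         ("encrypted key 5A", ENC_KEY_5A), ("encrypted key A3", ENC_KEY_A3)]:
        print(f"{name:18s} {scan_all(sample)}")
```

With the text-derived signature the text-mutated sample goes undetected while the code-derived one still catches it; once the key changes neither plain signature survives, and only a wildcard signature on the key-independent stub bytes, or decrypting the body before matching, finds the sample under either key.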
------------------------------
Date: Tue, 07 Sep 93 12:22:42 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: Re: Any good anti-viral shareware out there (PC)
>dk010b@uhura.cc.rochester.edu wrote:
>: I'm looking for a good anti-viral program that is available as
>: shareware. If you know af a good one (and how I can easily get it) or
>: if you have one you wouldn't mind sharing I'd really appreciate it.
>
>Shareware, is not free-ware it means try before you buy. Try
>Mcafee.com ftp site the best for me.
>
>Michael
>Try ThunderByte Anti-Virus v6.04. Better everything then Mcafee. You can get
>the latest copy via modem at ThunderByte USA. Number is 1-302-732-6399.
>
>Ttul
Thunderbyte Anti Virus Software is downloaded at a *very* regular base by
me, directly from the author's Thunderbyte BBS in Holland !
It is then placed on ftp.twi.tudelft.nl in dir /pub/msdos/virus/tbscan
Then it is uploaded to oak.oakland.edu (& simtel20), garbo.uwasa.fi
and nic.funet.fi
We also mirror mcafee.com (McAfee software)
mail me (bondt@ftp.twi.tudelft.nl) for info, or to be added to the TBAV
list (keeps you informed on TBAV software)
------------------------------
Date: Tue, 07 Sep 93 19:21:45 -0400
From: vfreak@aol.com
Subject: Re: Lambdin's Accuracy Tests (PC)
>I've noticed your "accuracy" tests for a long time and hoped that they
>would eventually improve without my having to comment on them, but I
>can't pass over this in silence any more. The question is how such a
>comparison can be fair when you don't use the latest version of each
>scanner. For example, despite the date "June 93", the fact is that
I use the latest version that I can get of each scanner.
I have been awaiting a newer version of UTscan for months, but it hasn't
arrived, so downloading the signature update from Fifth Generation BBS is the
best that I can do at the present time. Since the June 1993 signatures are
three months old I will be removing UTscan from the September release.
>But is it fair to penalize a product in the eyes of the readers simply
>because no one at that company has read your invitation? Or if for
I am not penalizing any company.
I have contacts at Fifth Generation Systems, and at BRM in Israel the
developers of Untouchable, and several others.
It's not my fault that the new releases haven't arrived as promised, so I
updated the signatures to make UTScan as current as possible.
>example, is "ZOO" supposed to suggest a kind of "zoo" populated by vi-
>ruses? (Or could it mean that the infected files are contained within
>a ZOO-type archive which the scanner is supposed to be able to un-
>pack?) And you might explain precisely what "SIGS" means.
I post LAT into 16 virus related conferences, and for most of them the margin
is 75 columns wide, and to get it to fit inside the margins, I have to use
shorthand.
ZOO is short hand for my virus collections
SIGS is short Hand for SIGnatureS.
There haven't been many people that have asked me to explain the short hand.
Three people now in the last year.
Bill
------------------------------
Date: Wed, 08 Sep 93 01:21:16 -0400
From: latim912@crow.csrv.uidaho.edu (Jerry E. Latimer)
Subject: Re: Write protect ... (HELP!) (PC)
Martin_blas Perez Pinilla (mtppepim@lg.ehu.es) wrote:
: berces@ludens.elte.hu writes:
: > My computer (IBM386+110Mb harddisk[C+D part.]+MS-DOS 5.0+Stacker 2.0
: > version) displays at each disk operation on C that:
: >
: > "Write protect error writing drive C
: > Abort, Retry, Fail?"
: I think that Stacker is the guilty. This problem was discussed last
: year in V5#167 of VIRUS-L. This follows the verbatim copy of a message
: of OB77665@IBMH1.ORL.MMC.COM:
: Subject: Stacker problems (PC)
:
: The last few months I've observed a lot of discussion on
: the automatic write protection of stacker drives as a result
: of allocation errors.
: I had this unfortunate experience this weekend as a result
: I dialed into the stacker BBS which was listed in the manual.
: They have several nice utilities and text files that you can d/l
: for troubles and updates.
: Below I have included the text file I d/l on how to get out of
: the write-protected problem.
[complicated instructions deleted]
There is a much easier method. On the uncompressed drive, simply use
the MS-DOS attribute command to turn-off the read-only flag of the
Stacker volume file. Email me if you need more info, because this
topic has nothing to do with viruses.
// --------------------------------------------------------------------------
// Name: Jerry E. Latimer ( latim912@crow.csrv.uidaho.edu )
//
#include "cutequot.h"
//---------------------------------------------------------------------------
------------------------------
Date: Wed, 08 Sep 93 01:58:05 -0400
From: sjsmith@cs.UMD.EDU (Stephen Joseph Smith)
Subject: Possible DOS/Windows virus... in the development stage? (!) (PC)
Preface: I know next to nothing about viruses. This is not an actual
virus report. This is a report of a letter received at my place of
employment that made me suspicious. If anyone else has received a
letter like this, please post or email. If anyone has any idea what
to do about the letter, please post or email.
I'm a grad student in computer science at the University of Maryland
at College Park. On the side I work for Great Game Products in
Bethesda, Maryland doing C programming under DOS. Recently Tom
Throop, president and founder of GGP, received a strange unsolicited
letter from someone wanting information on names, dates and times, and
sizes of executable files included in all of GGP's software products.
Figuring that it is better to be safe than sorry, I told Tom not to
give out any information until he knew more about how it was going to
be used. The vagueness and unprofessionalism of the letter and the
abnormal request for information about executables have made me worry
about the possibility of someone out there trying to write a virus or
viruses and masking them as software products from unsuspecting small
software companies who just answered a survey.
If I'm just being too paranoid, I apologize. But if not, please let
me know what you think I should do.
Thanks. The letter from "Cheyenne Software" and Tom's reply are enclosed.
- Stephen
---------------------------------------------------------------------------
Dear Tom Throop:
I need information on all of your software products. I need all of
them to be for DOS and/or Windows. For this I would need to know what
version you have come out with (ex: 1.0, 2.0) and for the versions I
would need to know what the executable name is, the size of the file,
the date and time of the file. If possible can you give me as many
different maintenance versions as you can.
The reason for me requesting this information is because I am doing a
database project for Cheyenne Software which will be used to check for
illegal copies of your product. It also will be used for copy
protection. This will benefit you by when we find an illegal copy we
will make them either buy it or get rid of it.
Please send that to Stephanie LaMarca at Cheyenne Software. The fax
number is (516) 484-1853. Please fax me back as soon as possible. If
you need to contact me by phone my number is (516) 629-4424. Thank
you. And if you would like to contact me by mail it would be 3
Expressway Plaza, Roslyn Heights, NY 11577.
Sincerely,
Stephanie LaMarca
---------------------------------------------------------------------------
8/21/93
Stephanie -
We may be able to help you with your project, but I would like to know
a little more about the project:
1. What is your purpose, and what funds are you putting up or
receiving from contributors or a client?
2. If the funds are coming from a client, who is he, and what is his
objective?
3. You say that upon finding an illegal copy, "we will make them
either buy it or get rid of it". This is admirable, indeed, but by
whose authority will you act? What mechanism exists for enforcement?
4. Is there existing publicity on the project?
Sincerely,
Tom Throop
------------------------------
Date: Tue, 07 Sep 93 14:33:16 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: EXEBUG (PC)
>From: craa77@vaxa.strath.ac.uk
>Subject: Exebug1 problems......... aaaggghhhh!! (PC)
> It seems to be active in the memory and McAffee (sp) scan/clean
> tells me to switch off the machine and boot from a floppy and
> run scan and clean from there. The problem is however, when I
> do this the hard drive is no longer accessible (which makes it
> rather difficult to clean :-)
Well I guess you have not tried my FixMBR from FixUtil5. The point is
that just because DOS cannot find the hard disk, it does not mean it is not
there, only that the partition table in the MBR or the DBR has become
lost/corrupted. In this case FDISK/MBR will not work & FDISK/STATUS
will report odd things.
Somehow I have to wonder about the diagnosis though as I do not recall
EXEBUG fouling up the P-Table, just the CMOS floppy parameter.
The EXEBUG is rather strange in that it tries to prevent floppy booting
by telling the CMOS that drive A: is not there (by zeroing offset 10h -
see my CMOS.LST in the latest version of Ralf Brown's Interrupt List).
This is surmounted by re-selecting the floppy in the BIOS SETUP and
immediately booting from floppy.
Good luck,
Padgett
ps DiskSecure II is hardened against droppers & will flag any attempt (plug).
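An added example, not Padgett's FixMBR and not code from the post: a Python sanity check for the two things the reply points at, a partition table DOS can no longer find, and CMOS byte 10h with the drive A: type nibble zeroed. The MBR layout (four 16-byte entries at 1BEh, 55AAh signature at 1FEh) and the CMOS 10h nibble encoding are standard; the sample MBR images are constructed. Reading the sector or the CMOS byte is assumed to be done separately (a sector dump, a CMOS dump), since this operates on a byte buffer.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # four 16-byte partition entries live here
SIG_OFFSET = 0x1FE         # 55h AAh boot signature
FLOPPY_TYPES = {0: "none", 1: "360K 5.25in", 2: "1.2M 5.25in",
                3: "720K 3.5in", 4: "1.44M 3.5in", 5: "2.88M 3.5in"}


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes) -> list:
    """Return a list of problems with an MBR image; an empty list means it looks sane."""
    if len(mbr) < SECTOR:
        return ["image shorter than one 512-byte sector"]
    problems = []
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        problems.append("boot signature 55AA missing")
    used = [e for e in parse_partitions(mbr) if e["type"] != 0]
    if not used:
        problems.append("partition table empty (wiped or never written)")
    active = 0
    for e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {e['index']}: invalid status byte {e['status']:02X}")
        elif e["status"] == 0x80:
            active += 1
        if e["sectors"] == 0:
            problems.append(f"entry {e['index']}: zero-length partition")
    if used and active == 0:
        problems.append("no active (bootable) partition")
    if active > 1:
        problems.append("more than one active partition")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"]) for e in used)
    for (s1, e1, i1), (s2, _, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"entries {i1} and {i2} overlap")
    return problems


def floppy_types(cmos_10h: int) -> tuple:
    """CMOS byte 10h: high nibble = drive A: type, low nibble = drive B: type."""
    return (FLOPPY_TYPES.get(cmos_10h >> 4, "unknown"),
            FLOPPY_TYPES.get(cmos_10h & 0x0F, "unknown"))


def floppy_boot_possible(cmos_10h: int) -> bool:
    """A zeroed drive A: nibble is what the post describes EXEBUG doing."""
    return (cmos_10h >> 4) != 0


def build_mbr(entries, signed: bool = True) -> bytes:
    """Constructed MBR image for testing: zero boot code plus the given entries."""
    img = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        img[off], img[off + 4] = status, ptype
        struct.pack_into("<II", img, off + 8, lba, count)
    if signed:
        img[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(img)


GOOD_MBR = build_mbr([(0x80, 0x06, 63, 200000), (0x00, 0x05, 200063, 100000)])
BAD_MBR = build_mbr([(0x3F, 0x06, 63, 200000)], signed=False)   # corrupted table

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR) or "OK")
    print("bad: ", check_mbr(BAD_MBR))
    print("CMOS 10h=40h ->", floppy_types(0x40), "boot possible:", floppy_boot_possible(0x40))
    print("CMOS 10h=00h ->", floppy_types(0x00), "boot possible:", floppy_boot_possible(0x00))
```

A table that fails these checks explains why DOS reports no hard disk after a clean floppy boot; a 10h byte of 00h explains why the floppy boot never happens in the first place, which is the case the post says is cured by re-selecting the drive in BIOS SETUP.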
------------------------------
Date: Wed, 08 Sep 93 10:49:20 -0400
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Floppy disk virus (PC)
s9018166@pewter.spectrum.cs.unsw.OZ.AU (Elisa Aquino) writes:
>I don't know how to fix my computer because i think it is infected by
>virus.
Doesn't sound like it. You might benefit from a book on hardware
maintenance of personal computers. Assuming any strange problems
to be a virus is usually a mistake.
>1. Drive A just can read first disk. Even u put second disk , directory
> will show the same as first disk.
>2. After I read drive B , then drive A is reset to read first disk but
> it is the same after puting another disk.
It sounds like your A drive has a bad disc-change sensor. Try pulling
the drive out and cleaning any lint or dust from it (compressed air
works well), then reconnect and try it. Or, move your B drive to the
A drive position and try it. The sensor is usually a mechanical switch,
so look for something along where the back of the disc rests (when in
the drive) that is stuck or broken.
>I even reformat the hard disk, still the same. Then I low level format the
>hard disk, also the same.
Unless you know it's a virus, don't format your hard drive. It's almost
never necessary, anyway.
--
Gary Heston SCI Systems, Inc. gary@sci34hub.sci.com site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
# It's a bad year for NASCAR. #7 Allan Kulwicki, #28 Davey Allison, RIP #
# Where was Dale Ernhart at 3:00PM CDT on July 12? #
------------------------------
Date: Wed, 08 Sep 93 12:06:21 -0400
From: Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
Subject: 1530 or SVC? Disinfection? (PC)
*HELP* Here I am again with another virus:
Yesterday I found an EXE file infected with a virus reported like this:
- - CPAV for Windows 1.0 does not find anything (which is normal 8^);
- - F-Prot 2.09d called it a "New or modified variant of SVC";
- - Scan 104 called it "1530" with the ID 1530|;
- - Scan 107 called it "June1530" with the ID J1530| (which
does not appear in the VirList.TXT file).
Searching in VSumX307 I found a mention on the CB-1530, but I'm not
sure if it is the same virus, mainly because F-Prot thinks it may be a new
variant of SVC, -because of this, F-Prot does not make any attempt to disinfect
the strain-. Clean 107 says it is not possible to disinfect the file
safely and suggests to overwrite it.
I found this virus on a 3.5 floppy disk; this disk is an ORIGINAL diskette
from IBM containing the installation software for PCSupport. I checked
out other ORIGINAL diskettes with the same software and they are not
infected, so I suspect that this floppy was infected in a workstation
during the installation process (the file infected is INSTALL.EXE),
because the protection tab was closed, which allows write operations
to the floppy disk.
I fear that this virus is VERY propagated throughout the network:
we are experiencing problems since 2 weeks ago (workstation hangs,
unexpected machine boots, one or two lines of screen deleted when
trying to login into the token ring...).
What can I do? The network cannot be shut down: it must be working
24 hours a day. We are losing time and money with those several
workstations that refuse to login into the network. The most recent
copies of the BEST worldwide antivirus software (FProt and ViruScan,
of course) refuse to disinfect this virus...
Should I send it to Fridrik and Aryeh and wait for good news?
Should I reinstall ALL the software in EVERY workstation from
the non-infected original IBM disks (very time-consuming)?
Thanks for any help,
DATA SEGMENT PARA PUBLIC
name DB 'Fabio Esquivel' ; C:\> dir a:
bitnet DB 'fesquive@ucrvm2.bitnet' ; Virus found in drive A:
internet DB 'fesquive@ucrvm2.ucr.ac.cr' ; Install, Kill, Panic?_
DATA ENDS
------------------------------
Date: Wed, 08 Sep 93 12:13:15 -0400
From: fltline@aol.com
Subject: posting re retaliator viruses (PC)
"William H. Lambdin" <73044.2573@compuserve.com> writes:
Posted: Thu, 26 Aug 93 14:23:02 -0400
:Does anyone have experience with retaliator viruses?
:I have read several messages about them, and would appreciate some info.
:It the information is of a sensitive nature, please respond via E-Mail.
I had a discussion with a tech from McAfee, in the America OnLine
Virus area (McAfee message board) about this same subject. He stated
that he had no knowledge of any viruses that attack anti-viral
software. When I presented the following chart to him, he changed his
story somewhat:
Virus Name          Action
-----------------   ---------
Encroacher          Will search for and delete the following CPAV files:
                      CHKLIST.CPS files
                      CPAV.EXE - the CPAV main program
                      VSAFE.COM - the resident sentry program
Groove              (Same as above)
Peach               Searches for and destroys all CHKLIST.CPS files in
                    every directory before infection takes place
                    (thereby disabling CPAV)
Tremor              Will disable (aka turn off) the Microsoft memory
                    resident virus identifier (VSAFE)
LOKJAW-ZWEI         Will search for CPAV, F-Prot, McAfee's Scan, McAfee's
                    Clean and delete them
PC WEEVIL           A Mutation Engine variant which will, like Tremor,
                    disable Microsoft Anti-Virus
Hope this has been of some help to you.
Sam Pitawala
E-mail: Fltline@AOL.com
------------------------------
Date: Wed, 08 Sep 93 13:17:03 -0400
From: vfreak@aol.com
Subject: CRUNCH21.COM (PC)
Steven Hoke uploaded CRUNCH21.COM to the Metaverse BBS last night and
requested that I forward it to the A-V developers..
F-Prot 2.09 detects CRUNCH21 as possibly a Diet compressed Coffeeshop
dropper. F-Prot reports the same for the second generation too.
I ran the file on my test machine, and it requested permission before going
resident. I answered no on the first run just to check.
It will not go resident without an affirmative response.
After running the file for the second time on my test machine, I gave it
permission to go resident, then ran my bait files.
My 10K bait files were reduced to 4K, and at first I had thought that it
was an overwriting virus.
I ran the bait files again, and they still ran properly. They were not
overwritten, just compressed, so it's not easy to tell the size of this
thing.
Since this requests permission, it shouldn't really be called a virus. I am
open to suggestions on what this type of program should be called.
This thing attaches to .COM and .EXE files, but ignores COMMAND.COM.
I am sending the first and second generation of this to David Chess,
Fridrik Skulason, and Wolfgang Stiller.
Bill Lambdin
------------------------------
Date: Wed, 08 Sep 93 17:13:24 +0300
From: eugene@kamis.msk.su (Eugene V. Kaspersky)
Subject: Re: NukePox disinfector? (PC)
> Does anyone have/know of a disinfector for NPox (NukePox) 2.2? F-Prot
Previous versions of NukePox (2.0 and 2.1) cure the infected files on opening.
To remove the virus you should open the infected files by the DOS function
OPEN (with the TSR virus active, of course), and the virus will remove itself.
How to open these files? Try executing "copy . nul", or scan all files with an
antiviral.
But these viruses infect the files again on closing, so be careful! You
should open and close the infected file, and let the virus remove itself from
the file on opening and stop the infection on closing. To stop the infection
you (your own TSR program) should intercept INT 2Fh and check the
functions 1220h and 1216h; these functions are called by the virus on
infection. My a-v monitor does this.
The second way: the old version of NukePox saves the original 1Bh (27) bytes
of the file beginning at the file end. If the new version is of the same
standard, you should move the last 27 bytes of the infected file to its
beginning and cut the file at its 'entry point'. To automate that
task you can use my toolkit, which you can download from
ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_106b.zip
The last way: send the infected sample to a-v researchers and wait for updates.
Regards,
Eugene
--
-- Eugene Kaspersky, KAMI Group, Moscow, Russia
-- eugene@kamis.msk.su +7 (095)939-4066
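An added example, not Eugene's toolkit and not code from the post, modelling the second method he describes for a .COM-style host: the first 1Bh (27) bytes of the host are saved at the end of the file, the file now starts with a JMP to the appended virus body, and disinfection moves those 27 bytes back and truncates at the jump target. The infected layout, the inert "virus body" and the host program are constructed for the example; whether this layout holds for NukePox 2.2 is exactly the open question in the post, so the result is something to verify with a scanner afterwards.

```python
SAVED = 0x1B   # 27 bytes of the original file start, stored at the file end


def jump_target(data: bytes) -> int:
    """File offset the initial JMP rel16 (E9 xx xx) lands on; in a .COM this
    is where the appended virus body starts (the 'entry point' to cut at)."""
    if len(data) < 3 or data[0] != 0xE9:
        raise ValueError("file does not start with JMP rel16; not the expected layout")
    rel = int.from_bytes(data[1:3], "little", signed=True)
    return 3 + rel


def disinfect(data: bytes) -> bytes:
    """Move the saved 27 bytes back to the front and cut at the entry point."""
    body_start = jump_target(data)
    if not (SAVED <= body_start <= len(data) - SAVED):
        raise ValueError("jump target outside the file; refusing to truncate")
    return data[-SAVED:] + data[SAVED:body_start]


def infect(clean: bytes, virus: bytes) -> bytes:
    """Constructed model of the infection described: the virus body is
    appended after the host, the host's first 27 bytes are appended after
    that, and the start of the file is overwritten with a JMP to the body."""
    if len(clean) < SAVED:
        raise ValueError("host too small for this model")
    rel = len(clean) - 3
    head = b"\xE9" + rel.to_bytes(2, "little", signed=True)
    head = (head + b"\x90" * SAVED)[:SAVED]          # pad the 27-byte header with NOPs
    return head + clean[SAVED:] + virus + clean[:SAVED]


# Constructed inert host (mov ah,4Ch ; int 21h, then filler) and 'virus' body.
CLEAN = b"\xB4\x4C\xCD\x21" + bytes(range(200))
VIRUS = b"NUKEPOX-STAND-IN-BODY " * 8
INFECTED = infect(CLEAN, VIRUS)

if __name__ == "__main__":
    print("infected length", len(INFECTED), "body at", jump_target(INFECTED))
    print("restored == clean:", disinfect(INFECTED) == CLEAN)
```

Before trusting a restored file, scan it again and, where an uninfected original exists, compare byte for byte; an .EXE host carries its entry point in the header's CS:IP rather than in a JMP at offset 0, which this model does not handle.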
------------------------------
Date: Wed, 08 Sep 93 15:37:35 -0400
From: "Lars Renman" <LARS@amc.chalmers.se>
Subject: "Moose" PC viruses (PC)
I sent a message to VALERT-L regarding these viruses on August 15,
1993. I now know a little more about the bastards:
1) It is probably at least four (or more) very similar strains, all
carrying the readable text string "Moose" in the code appended
to infected files. Various version? numbers "30", "31", "32" -
some of them with a space before the number - also in readable
format follow the "Moose" text.
2) Different strains attack .EXE and .COM files. There are also
instances of .SYS files being converted to .COM file format, in
the latter case with the readable text string "This, and much
more, from the Moose crashing corp" in the code.
3) Some files have been infected by two strains ("Moose31" and
"Moose32").
4) All of the common virus scanning programs can successfully be
taught to look for the "Moose" signature.
5) Some files have also had parts of Central Points CPAV.EXE file
appended to them.
6) I have taken the trouble to disassemble all of the strains I have
found. They are rather clumsily written and they all seem to do
the same thing:
i) look for an uninfected file in the current directory. If
not found, go to the overlying directory and try again
(repeated until the root is reached).
ii) infect the uninfected file (if found)
iii) randomly change one byte in the program running by
calculating a random address using
IN AL,40h
three times, but only if a first reading gives a value
below 10 hex. The random value also comes from the last
reading.
iv) restore the initial directory
v) return to normal execution (which sometimes will fail if
the random destruction part worked)
To be frank, I don't understand what has happened in the cases when
CPAV.EXE code has been added to the programs.
7) There is probably no memory-residency, boot sector or partition
sector infection involved. My previously reported fears of stealth
properties are probably not true - Solomon's PEEKA program behaves
strangely also on non-infected PCs of the same make (Acer 486/33),
so it is most probably an incompatibility problem.
There have been no other sightings of the virus reported at this
university campus (Alerts have been sent to all system managers).
I have, however, managed to track down students from this department
who have had their PCs at home infected, so the things are on the
loose !
I have had a few requests for samples - so far I haven't had the time
to do anything about this. For those with an urgent interest: I have
sent samples on diskettes to frisk@complex.is and McAfee's Swedish
representative.
/Lars Renman
Lars Renman
AMK, CTH/GU, Gothenburg, Sweden
tel. +46 31 772 2782 fax. +46 31 772 2785
------------------------------
Date: Thu, 09 Sep 93 02:35:21 -0400
From: uttsbbs!timothy.lam@uunet.UU.NET (Timothy Lam)
Subject: viruses in .ARJ & .ZIP (PC)
Well, suppose you use McAfee VIRUSCAN..... Adding an option /a like...
SCAN /a C:
Will cause the scanner to scan all the files, including the ZIPS......
But the bad thing is that since the files inside the archive are
re-coded, the scan would not be able to find out if there is a virus
in there.... What you can do for the next step is to D/L a file used to
do the procedure like UNZIP->SCAN->ZIP
and so you can fully check if your user uploaded any viruses....
Hope that helps!
Timothy Lam - Internet : lam@nebbs.nersc.gov
----
+------------------------------------------------------------------------+
| The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)|
| Danville, California, USA. 1.5 GIG Files & FREE public Internet Access |
+------------------------------------------------------------------------+
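An added example, not from Lars Renman's post or Timothy Lam's, that joins their two points: a scanner can be given the readable "Moose" strings as signatures, and a scanner that reads an archive as opaque bytes cannot see compressed members, so an UNZIP->SCAN->ZIP step is needed. The Python below walks a directory, applies the "Moose" text signatures with the version digits wildcarded, and decompresses ZIP members (nested ZIPs included, to a bounded depth) with the standard library before scanning them. ARJ is not handled, since the standard library has no ARJ support; assume an external unpacker for that. The test tree it builds is constructed, and the "infected" files contain only the text strings.

```python
import io
import os
import re
import tempfile
import zipfile

MAX_DEPTH = 4                 # nested-archive limit
MAX_MEMBER = 50_000_000       # skip absurdly large members (archive bombs)

# Text signatures taken from the reports above; version digits wildcarded.
MOOSE_SIGS = [
    re.compile(rb"Moose ?\d\d"),
    re.compile(rb"This, and much more, from the Moose crashing corp"),
]


def match_sigs(data: bytes) -> list:
    """Distinct signature strings found in one buffer, in order of appearance."""
    hits = []
    for rx in MOOSE_SIGS:
        for m in rx.finditer(data):
            s = m.group(0).decode("latin-1")
            if s not in hits:
                hits.append(s)
    return hits


def scan_bytes(data: bytes, where: str, findings: list, depth: int = 0) -> None:
    """Scan one buffer; if it is a ZIP, recurse into each member decompressed."""
    for s in match_sigs(data):
        findings.append((where, s))
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = where + "!" + info.filename
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER:
                    findings.append((member, "member too large, not scanned"))
                    continue
                scan_bytes(zf.read(info), member, findings, depth + 1)
    except (zipfile.BadZipFile, RuntimeError) as exc:   # RuntimeError: encrypted member
        findings.append((where, f"archive not fully scanned: {exc}"))


def scan_path(root: str) -> list:
    """Walk a directory tree and return (location, signature) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            path = os.path.join(dirpath, n)
            with open(path, "rb") as f:
                scan_bytes(f.read(), os.path.relpath(path, root), findings)
    return findings


def build_demo(tmpdir: str) -> None:
    """Constructed test tree: a plain infected file, a doubly infected file,
    a ZIP holding an infected file, and a ZIP nested inside that ZIP."""
    def infected(*tags: bytes) -> bytes:
        return b"\xB4\x4C\xCD\x21" + b"".join(b"Moose" + t for t in tags)
    os.makedirs(os.path.join(tmpdir, "sub"), exist_ok=True)
    with open(os.path.join(tmpdir, "GAME.COM"), "wb") as f:
        f.write(infected(b"30"))
    with open(os.path.join(tmpdir, "sub", "TOOL.EXE"), "wb") as f:
        f.write(infected(b"31", b" 32"))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SYS2COM.COM", b"This, and much more, from the Moose crashing corp")
    with zipfile.ZipFile(os.path.join(tmpdir, "UPLOAD.ZIP"), "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.TXT", b"nothing to see")
        zf.writestr("CRACK.COM", infected(b"32"))
        zf.writestr("INNER.ZIP", inner.getvalue())


def run_demo() -> list:
    """Build the constructed tree in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as d:
        build_demo(d)
        return scan_path(d)


if __name__ == "__main__":
    for where, sig in run_demo():
        print(f"{where}: {sig}")
```

The depth and member-size limits are the practical caveat for an upload-checking BBS: an archive that nests itself or expands to gigabytes should be reported, not unpacked to exhaustion.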
------------------------------
Date: Thu, 09 Sep 93 04:02:23 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Vshield v107 (PC)
Hello Mr. Rivera,
You write:
>I was just trying to get Vshield to loadhi under MSDOS 6.0/QEMM 7.01
>combo and while it worked fine before, now it refuses to loadhi.
This was a minor bug (buglet?) introduced in Version 107* of VSHIELD
when some debugging code was accidentally left in the program. If
the "DOS =" statement in your CONFIG.SYS file did not mention loading
DOS into a UMB with either a "DOS=HIGH,UMB" or "DOS=UMB" switch, then
VSHIELD would not recognize that the Upper Memory Area was present and
as a result would not load high into an Upper Memory Block. Replacing
your "DOS =" statement with "DOS=HIGH,UMB" will allow it to successfully
load high.
This will be fixed in V108, which should be available within the next
two weeks.
>I guess there is some incompatibility between the 2 programs.
>There's a lot of upper memory available and I have tried many
>different combinations using Vshield's options and still have the
>problem. Can any1 help me out on this one? Thanks!
Please feel free to contact me if you have any further problems.
Regards,
Aryeh Goretsky
Technical Support
PS: For those wondering, V107 was released on August 25 but was not
placed on our Internet site because of a problem that VIRUSCAN
had with scanning PKLITE compressed files. A new release, V108,
is currently in beta-test which incorporates a fix for this
problem.
--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW
------------------------------
Date: Tue, 07 Sep 93 13:42:44 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAVU605.ZIP/TBAVX605.ZIP - TBAV anti-virus v6.05 (optimized/upgrade)
(PC)
I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:
pd1:<msdos.virus>
TBAVU605.ZIP Thunderbyte anti-virus pgm, upgrade 6.04->6.05
TBAVX605.ZIP TBAV anti-virus - processor optimized versions
Replaces:
tbavx604.zip
tbavu602.zip
Greetings,
Piet de Bondt E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, ftp@ftp.twi.tudelft.nl
------------------------------
Date: Tue, 07 Sep 93 13:58:40 -0400
From: James Ford <JFORD@UA1VM.UA.EDU>
Subject: New files on risc (PC)
The following files have been placed on risc.ua.edu (130.160.4.7) in the
directory /pub/ibm-antivirus for anonymous FTP:
_filename_ _size_ _date_ _v1_ _v2_
TBAV605.ZIP 241,192 9-1-1993 2096 0313
TBAVU605.ZIP 85,094 9-1-1993 BDA2 1EB3
TBAVX605.ZIP 83,831 9-1-1993 D2A1 13AA
TBAV605 replaces TBAV604 (it is mainly a small upgrade with some fixes,
and of course with updated virus signatures; see whatsnew.605).
TBAVU605 contains only the files modified in this release.
TBAVX605 replaces TBAVX604 (this only has processor optimized versions
of the program for registered users).
------------------------------
Date: Wed, 08 Sep 93 15:54:31 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: DS II (PC)
Turns out that my lack of sleep and the last minute accommodation
of real IBM-PC ATs (not XTs) with BIOS dated 01/04/84 caused a bug
to creep into one of the rarely used peripheral files. This is fixed in
DS231b.ZIP just uploaded to URVAX.URICH.EDU.
Warmly,
Padgett
------------------------------
Date: Wed, 08 Sep 93 19:45:51 -0400
From: HAYES@urvax.urich.edu
Subject: DiskSecure II updated (yes) (PC)
Hi gang.
Just received from A. Padgett Peterson an update for his DiskSecure II.
DS2BYP was not usable with an AT using DOS 3.31. Now this is corrected.
As usual:
----------
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]
FTP to urvax.urich.edu with username anonymous and your email address
as password. You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
----------
The file is, obviously, DS231B.ZIP.
Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 120]
******************************************