From lehigh.edu!virus-l Tue Sep 29 00:24:19 1992
Date: Mon, 28 Sep 1992 16:11:44 -0400
Message-Id: <9209281937.AA12337@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V5 #156
Status: R
VIRUS-L Digest Monday, 28 Sep 1992 Volume 5 : Issue 156
Today's Topics:
TBav50 beta or just regular tbav50 (PC)
I need info on the FORM 1704 virus (Boulder) (PC)
Re: A few questions (Stardot/V801/Michaelangelo) (PC)
A virus infecting Windows executables found (Windows) (PC)
Re: A few questions (Stardot/V801/Michaelangelo) (PC)
TSR runtime scanner needed (PC)
Recent IBM Virus List? (PC)
Virus information for thesis
The Hacker Files
Thank you for help with Stoned (PC)
I-M124.ZIP - Integrity Master data integrity/anti-virus (PC)
Call for papers - Ides of March virus conference
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 23 Sep 92 21:18:10 +0000
From: ian@bvsd.co.edu (Ian Nelson)
Subject: TBav50 beta or just regular tbav50 (PC)
Is there an FTP site that has TBAV 5.0beta (or non beta if it's done
yet)? adv(tnx)ance,
Ian Nelson
- --
------------------------------
Date: Fri, 25 Sep 92 19:14:54 +0000
From: garth@nyx.cs.du.edu (Garth E. Courtois Jr.)
Subject: I need info on the FORM 1704 virus (Boulder) (PC)
Virucide detected the FORM 1704 virus on my /XT clone and Central Point
removed it.
I would like to find out more about this virus and the damage it causes,
if any. Could someone who has knowledge of this call in Boulder at
499-7044, please?
- -garth@nyx.cs.du.edu
Garth Courtois Jr.
- --
- --garth@nyx.cs.du.edu Garth E. Courtois Jr. (303)-499-7044
- --
------------------------------
Date: Fri, 25 Sep 92 16:22:53 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: A few questions (Stardot/V801/Michaelangelo) (PC)
There seem to be some common mythconceptions here that I'll try to clear up.
>From: "NBECC::KENNEY" <KENNEY%NBECC.decnet@consrt.rockwell.com>
(actually several postings on this but these questions were intelligently
phrased).
>- - how stealthy was Michaelangelo, and does it survive warm boots?
It is (not was) not "stealthy" at all and does not survive warm boots (but
don't rely on it). In fact it is rather stupid but that does not make it
any less dangerous.
>- - can you tell where the start and end of an infected file are supposed to
>be algorithmically, so that one routine could trim off all length-variants of
>one or more virii?
If the virus is "well written" and does not "intend" destruction this might
be true. Unfortunately this is not the case.
For instance, Michelangelo is known to foul up 720k floppies, not deliberately,
but because it *assumes* that all non-360k floppies are the same.
Problem is that many viruses do not attach themselves properly to files &
overwrite part of the file or lose the original pieces. Once this happens
the file cannot be reconstructed. Unlike the movies where every virus does
exactly what it is supposed to, in the real world virus code is incredibly
buggy. Possibly this is because those people who could write one without
bugs won't 8*) - but don't count on it. (do you hear an echo here ?)
Of course buggy code is not only the province of virus writers, I have been
amazed at how bad "professional" software has gotten lately including
a couple of releases that IMHO should never have made it out of Alpha testing -
I mean stuff that will not work on certain platforms. Recently one piece
of commercial software was distributed containing 286 reserved instructions
and advertised for "all PCs". Another version 1.0 from a major house allowed
you to change the colours on everything *except* the active window. Sheesh.
> Since Stoned + Michaelangelo = bye-bye FAT, this is getting
>very interesting. (I've sent the Stardot to Norton, so maybe on their
>next update...)
Not quite, I can always fix this combination without much trouble and no FAT
damage (well some overpopulated floppies maybe) but have heard a number of
reports that if you add Norton's Disk Doctor to the mixture, partitions
have been lost, particularly HUGE ones.
Warmly,
Padgett
------------------------------
Date: 27 Sep 92 21:23:12
From: Ari.Hypponen@hut.fi (Ari Hypp|nen)
Subject: A virus infecting Windows executables found (Windows) (PC)
A new virus capable of infecting Windows executables has been
found. The new virus uses direct action methods and does not
infect DOS EXE files. It seems that this new virus, called
Win_Vir.14, is the first virus to successfully spread under
the Windows operating environment using the native NE format.
Data Fellows Ltd of Helsinki, Finland obtained a sample from
Sweden. Here are some preliminary research notes about the
virus:
_____
Apparently the first virus to infect Windows executables
has been found. The virus activates when an infected file is
run and copies its code to other Windows EXE files. These
notes are from a preliminary analysis and may contain errors.
- - The sample was obtained 26.9.1992 from Goteborg, Sweden. The
original source is not known.
- - The sample contains a parasitic, direct-action virus, which infects
EXE files of the New Executable format, i.e. Windows executables.
- - DOS EXE files are not infected.
- - The code of the virus contains two strings:
'Virus_for_Windows v1.4' and 'MK92'
- - Final name for this virus has not yet been decided. The
suggested name is Win_Vir.14.
- - Win_Vir.14 is not detectable by any of the current virus-scanners
in their normal scanning modes.
The infection process is as follows:
1. Virus gains control when an infected program is run.
2. The virus searches for a suitable victim file (*.EXE)
from the current directory using DOS INT 21, AX=4E, 4F
services.
3. If no files are found, program is terminated with INT 21,
AX=4C00. The host program never gets executed.
4. The victim file is opened and the date and time are memorized.
5. MZ and NE (New Executable) signatures are checked. Relocation
table offset is checked to be below 40h.
6. Various items of the NE header are checked to match an
infection criteria.
7. Virus code is inserted into the middle of the victim.
8. The original code is moved to the end of the program.
9. The NE header's CS:IP address is changed to point to the start
of the virus.
10. The virus removes its code from the original host
restoring it to the exact state it was in before infection.
11. Virus terminates.
Notes:
- - While terminating itself the virus also terminates the host
program, so when the user starts an infected file it will
simply fail to do anything. This will usually look like a
missed double-click.
- - If the same file is started again, it will run normally, as
the virus has already removed itself from the file at that time.
- - Infected files grow by 854 (356h) bytes.
- - The virus conserves date attributes.
- - The virus is not crypted or protected in any way.
- - The code does not seem to contain any triggering routines.
- - If the executable includes attributes for allowing relocation of
segments, this attribute is removed from the infected segment.
- - The virus carries the name of the host program and also the name of
the program that infected it.
- - The virus might be able to infect OS/2 files also. This
has not been tested.
A temporary search string to find the infected files follows
(in F-PROT USER.DEF format):
-------- cut here and insert into USER.DEF ---------
E Win_Vir.14
813C4E457516817C0C0203750F807C3204750981
--------------------- cut here ---------------------
Remember to use the /USER switch if using F-PROT in command
line mode.
For more information, contact
Data Fellows Ltd
F-PROT Support
Mikko Hypponen
Wavulinintie 10
SF-00210 Helsinki
Finland
Internet: Mikko.Hypponen@compart.fi
Phone: +358-0-692 3622
Mobile: +358-49-648 180
Fax: +358-0-670 156
- --
Ari Hypp|nen, Ari.Hypponen@hut.fi
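A detection-side check for the Win_Vir.14 notes above, added here as an example and not code from Data Fellows or the poster: it parses the MZ and NE headers the notes describe, reports the NE entry point, and applies the published USER.DEF search string. The files it scans are skeletons constructed inside the script, not real executables.

```python
import struct

# The search string exactly as published in the USER.DEF entry above.  Read as
# 16-bit x86 it is a run of compare/jump instructions against the 'NE'
# signature and NE header fields (my reading; it matches steps 5-6 above).
WIN_VIR_14_SIG = bytes.fromhex("813C4E457516817C0C0203750F807C3204750981")


def ne_header_offset(data):
    """Offset of the NE header, or None when the buffer is not an MZ file
    whose e_lfanew field (DWORD at 0x3C) points at an 'NE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if lfanew + 0x40 > len(data) or data[lfanew:lfanew + 2] != b"NE":
        return None
    return lfanew


def scan_file(data):
    """Return {'ne': is NE file, 'entry': (cs, ip) or None, 'hit': signature
    offset or -1}.  The notes say infection rewrites the CS:IP entry, so it
    is reported alongside the signature hit for manual follow-up."""
    ne = ne_header_offset(data)
    entry = None
    if ne is not None:
        # ne_csip at NE+0x14: low word is IP, high word is the CS segment number.
        ip, cs = struct.unpack_from("<HH", data, ne + 0x14)
        entry = (cs, ip)
    return {"ne": ne is not None, "entry": entry, "hit": data.find(WIN_VIR_14_SIG)}


def build_sample(infected):
    """Constructed test file (not a real program): 0x80-byte MZ stub, 0x40-byte
    NE header, then padding with the search string planted when infected."""
    mz = bytearray(0x80)
    mz[:2] = b"MZ"
    struct.pack_into("<H", mz, 0x18, 0x40)            # e_lfarlc >= 0x40: new-style header
    struct.pack_into("<I", mz, 0x3C, 0x80)            # e_lfanew -> NE header
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<H", ne, 0x0C, 0x0302)          # NE flags word
    struct.pack_into("<HH", ne, 0x14, 0x0010, 0x0001) # entry IP=0x10, CS=segment 1
    ne[0x32] = 2                                      # target OS byte: Windows
    body = WIN_VIR_14_SIG if infected else b"\x90" * len(WIN_VIR_14_SIG)
    return bytes(mz + ne + b"\x90" * 32 + body + b"\x90" * 32)


if __name__ == "__main__":
    for flag in (True, False):
        print("infected" if flag else "clean   ", scan_file(build_sample(flag)))
```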
------------------------------
Date: Mon, 28 Sep 92 07:11:44 -0400
From: Otto Stolz <RZOTTO@NYX.UNI-KONSTANZ.DE>
Subject: Re: A few questions (Stardot/V801/Michaelangelo) (PC)
Hello,
this is another item in the Facts & Fibs chapter I want to set
straight, publicly. I've sent a Stoned and Michelangelo memo directly
to NBECC::KENNEY, and I hope somebody else will post info about the
other viruses mentioned.
On 23 Sep 92 18:00:00 -0800 NBECC::KENNEY said:
> [...] Michaelangelo, and does it survive warm boots?
As a MBR infector, Michelangelo will automatically be run early in the
boot sequence. Hence there is no need to deal with a warm boot in any
particular way: the virus will be installed anyway.
> can you tell where the start and end of an infected file are supposed
> to be algorithmically, so that one routine could trim off all length-
> variants one or more virii?
This question is misleading. Remember that it is *not* enough to strip
the virus code off a program; the more important step in disinfecting
is to replace that part of the program that gives control to the virus
with its original contents. Usually, this is contained in the virus
code, but in a form highly dependent on the particular virus; hence,
you must identify the virus reliably before attempting any
disinfection.
Many viruses do not keep enough information to re-construct the original
contents of the program file precisely (e.g. the exact length of the
uninfected program may be unknown); this will render self-checking
programs inoperable. Sometimes, a virus is not identified reliably by the
disinfectant program (e.g., in case of a hitherto unknown variant of the
virus); this may invalidate the info needed to re-construct the original
file. These, and similar, dangers render disinfecting a hazardous
endeavour. It is always safe (and sometimes the only option left) to
replace the infected programs with copies from the original,
write-protected distribution disks.
These remarks hold, mutatis mutandis, for all sorts of viruses: You can
remove file-viruses by re-installing the programs, companion viruses by
deleting the companion file (i.e. the part that gives control to the
virus), DOS boot sector viruses by FORMATing the infected disks, MBR
viruses by replacing the infected MBR, etc. (The latter can be
accomplished by the DOS-5.0 command "FDISK /MBR", if the partition table is
still in place, which you can check via booting from a floppy disk: if
you can still access all partitions of the HD, read and even modify the
files on those partitions, then the partition table is ok.)
> Since Stoned + Michaelangelo = bye-bye FAT, this is getting
> very interesting.
Stoned + Michaelangelo (on most systems, and on most days of the year)
does *not* affect the FAT. Rather, the MBR will be lost, hence the
system won't boot from its hard disk, and cannot be disinfected (i.e. by
recovering the original MBR). You can still boot the system from a floppy
disk (or any other external medium, e.g. via a network), and you can
always write an entirely new MBR to the HD to recover from the infection
without loss of data.
Kenney's misconception may stem from the fact that on particular systems
(e.g. DOS 2, on a 20MB HD), Stoned, or Michelangelo, will overwrite
part of the FAT (probably accidentally) with the original MBR.
Best wishes,
Otto Stolz <RZOTTO@DKNKURZ1.Bitnet>
<RZOTTO@nyx.uni-konstanz.de>
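The partition-table sanity check that the post above recommends before replacing an MBR, written out as an added example (not Otto's code): it parses a 512-byte MBR image offline and lists the defects a fresh MBR from FDISK /MBR would not repair, since that command rewrites only the boot code. The sector images are constructed in the script.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE   # four 16-byte partition entries live here, ahead of the 55AA signature
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start skipped), type, (CHS end skipped), LBA start, sectors


def parse_partition_table(sector):
    """Return (entries, problems).  A boot-sector infector such as Stoned or
    Michelangelo replaces the code in front of the table; if the table itself
    still passes these checks, replacing the MBR is the right recovery."""
    if len(sector) != SECTOR:
        return [], ["sector image is not 512 bytes"]
    problems = []
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "size": size})
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    used = [e for e in entries if e["type"] != 0]
    for e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append("invalid status byte 0x%02X" % e["status"])
        if e["lba"] == 0 or e["size"] == 0:
            problems.append("type 0x%02X entry has zero start or size" % e["type"])
    ranges = sorted((e["lba"], e["lba"] + e["size"]) for e in used)
    for (a0, a1), (b0, b1) in zip(ranges, ranges[1:]):
        if b0 < a1:
            problems.append("partitions overlap")
    return entries, problems


def build_mbr(entries, code=b"", signature=True):
    """Constructed test sector: optional boot code plus (status, type, lba, size)
    tuples; unused slots stay zero, as on a real disk."""
    if len(code) > PT_OFFSET:
        raise ValueError("boot code would overwrite the partition table")
    s = bytearray(SECTOR)
    s[:len(code)] = code
    for i, (status, ptype, lba, size) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, s, PT_OFFSET + 16 * i, status, ptype, lba, size)
    if signature:
        s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    # Constructed layout: bootable FAT16 primary, then an extended partition.
    healthy = build_mbr([(0x80, 0x06, 63, 41000), (0x00, 0x05, 41063, 20000)])
    print(parse_partition_table(healthy)[1])   # no problems expected
```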
------------------------------
Date: Mon, 28 Sep 92 14:46:42 +0000
From: monta_l@dist.dist.unige.it (Marco Gualdi)
Subject: TSR runtime scanner needed (PC)
Hi folks!
I need a TSR runtime scanner with the ability to scan for a single
user-defined virus signature. I'm able to compile and/or assemble a
similar program, so sources are fine too. I have a lot of problems
with the Stanco virus (a local production, I suppose). Bontchev, Frisk
and McAfee know it, but no scanner recognizes it yet.
Marco Gualdi (MaGu on irc) <monta_l@dist.dist.unige.it>
According to the latest official figures, 43% of all statistics are totally worthless.
To be sure of hitting the target, shoot first and, whatever you hit, call it the target.
------------------------------
Date: Mon, 28 Sep 92 17:21:28 +0000
From: mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: Recent IBM Virus List? (PC)
Where can I find a current list of known IBM viruses that is in the
public domain? I am looking for virus name, type, disinfectant
method, and short description if possible. I see a lot of lists, but
most of them are either (a) old or (b) copyrighted.
- --
John Mechalas [This space intentionally left blank]
mechalas@mentor.cc.purdue.edu
Purdue University Computing Center Help put a ban on censorship
General Consulting #include disclaimer.h
------------------------------
Date: Sep 25 92 15:23:28
From: hmaldona@mtecv2.mty.itesm.mx
Subject: Virus information for thesis
Hello, I am Hugo Maldonado from Monterrey. Could you send me info about
some viruses for my thesis!!! I need it so much, thanks very much...
Vampi on IRC
------------------------------
Date: Mon, 28 Sep 92 11:52:14 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: The Hacker Files
One of the advantages of our family structure is that the many
diverse interests sometimes cross. Accordingly, when I saw reference
to a new comic book series called "The Hacker Files" from DC, getting
a set was just a matter of passing the request along to the
appropriate member.
As a result, I was able to examine the first four issues of
what is billed to be a 12 copy series. They would appear to be
successful since after the first two issues, the price went up from
US1.95 to US2.20.
Since my mainstream comics reading has been confined to the
newspaper since the newsstand variety ceased to be "52 pages, 10
cents", the modern version came as something of a shock. Obviously
obtaining the "Comics Code Authority Seal of Approval" is no longer an
issue. The graphics are rather well done though.
In the letters section of the first issue, the writer explains
that the idea came to him in 1989. This would appear correct since the
storyline revolves around a combination of the plot from "WARGAMES"
and the Morris Worm on Internet (population 60,000). A reasonable
attempt is made to accuracy though a few technical flaws are evident
(difference between a Virus and a Worm is that Worms don't propagate,
erasing a file irretrievably destroys it).
Along the way, homage is paid to the current fascination with
TEMPEST which is nothing more than a military equivalent of the US FCC
part 15 which deals with radiation from computing equipment (see the
label on the back of any PC).
The most disturbing issue is the ethical one: the "hero" is a
brilliant social misfit (just ask his ex-wife) in his mid-thirties who
seemingly avoids all attempts at personal hygiene, builds trapdoors
into commercial operating systems software, and displays all of the
traits of the classical "disgruntled employee" who feels that he
"owns" all of the software developed while working for someone else.
Further, when the source of the problem is found to be a
virus, he unhesitatingly releases a "retro-virus" (a nice flow diagram
is shown in the background) on the Internet. Long-time readers of
Virus-L will immediately understand why this is not considered a good
thing to do. As the plot progresses, no hesitation is shown in making
structural changes to NORAD and Pentagon systems.
Also much is made of his use of lockpicks to break into filing
cabinets and restricted doors (that were apparently carried through
both Airport and Pentagon security).
In short, while entertaining in its fashion, hardly a good
role model for fourteen-year-olds.
There has been a sudden spate of such media experiences on
Television (SecretService, Star Trek-the Next Generation), Movies
(Lawnmower Man, Sneakers, the opening scenes of Company Business), and
novels (almost any of the techno-thrillers in recent years), but with
a steady degradation of ethical concerns.
Only the TV shows have been positive while the movies, like
"The Hacker Files", seem to revel in the "innocent people with good
purposes made criminals/persecuted/victims by bad
governments/agencies/corporations and thereby justifying
illegal/unethical behaviour", a trend that started in the early
seventies but which seems to be accelerating recently.
In other words "The Hacker Files" makes a graphic statement
about the worldview of the writer, a statement that is aimed at
impressionable minds and reminds me of the title of a novel by the
late Robert Anson Heinlein: "If This Goes On".
Padgett
ps would send a copy of this to DC Comics but no E-Mail address was given.
------------------------------
Date: Mon, 28 Sep 92 14:37:56 +0000
From: msp2@midway.uchicago.edu (Michael S. Post)
Subject: Thank you for help with Stoned (PC)
Thank you for all the help I have gotten with my virus problems.
Everything is now working and virus-free.
Although frustrating, I have now learned a lot about viruses, and so
maybe I'll recognize the signs a little sooner next time, and know a
little more about what to do....
Thanks again.
-- Michael Post
mpost@math.ucla.edu
------------------------------
Date: Sun, 27 Sep 92 02:44:00 -0400
From: "Kenneth R. van Wyk" <krvw@cert.org>
Subject: I-M124.ZIP - Integrity Master data integrity/anti-virus (PC)
I have uploaded to WSMR-SIMTEL20.Army.Mil a new version of Integrity
Master which I received on floppy disk directly from the author, Wolfgang
Stiller.
pd1:<msdos.trojan-pro>
I-M124.ZIP Integrity Master data integrity/anti-virus sys
Ken
- - -
Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.ORG (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)
------------------------------
Date: Sun, 27 Sep 92 12:16:50 -0700
From: Richard W. Lefkon <dklefkon@well.sf.ca.us>
Subject: Call for papers - Ides of March virus conference
SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition
sponsored by DPMA Fin.Ind.Chapter in cooperation with
ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInypc, IEEE Computer Society
C A L L F O R P A P E R S
Approximately 500 attendees will hear 90 speakers and 53 vendors over 3 days
Wednesday thru Friday - March 10-12, 1993 - New York Ramada Madison Square
YOUR AUDIENCE: Past attendees have represented industry, military
government, forensic and academic settings -
creators and users of related software and hardware.
They travel from U.S. and many international locations
and have titles such as MIS Director, Security Analyst,
Operations Manager, Investigator, Programming Leader
TOPICS OF INTEREST INCLUDE (but are not limited to):
- prevention, detection, and recovery from viruses,
crackers, and other unauthorized usage
- original research in these and related topics
- survey of products and techniques available
- particulars of LSN, UNIX, cryptography, military use
- Computer crime, law, data liability, related contexts
- US/international sharing of research & techniques
- case studies of mainframe, pc &/or network security, e.g.,
- 1992 hurricane, flood, fire disaster recovery
- recent court decisions
- security implementation and user awareness in industry
PAPER SUBMISSION:
Send a draft final paper for receipt by Wednesday, 10/28/92.
Address to Judy Brand, Conference Chair, box 6313 FDR Station,
New York, NY 10150, USA. Please include a small photo and
introductory bio not exceeding 50 words. Successful submitters
or co-authors are expected to present in person. Presenters
receive the Conference Proceedings and complimentary admission.
PAPER FORMAT: Send one original and three copies. When making the copies,
please cover over the author name(s) and other identifying data.
Each paper goes to three reviewers.
Type double spaced, with page# below bottom line (may be
handwritten): TITLE (caps); Name; Position, Affiliation;
Telephone, City/State/Zip, Electronic Address (optional).
NOTIFICATION: Written and (where practicable) telephoned confirmation will
be initiated by Monday, 1/13/93, to facilitate low cost travel.
Those needing earlier notification should attach a note.
You may be asked to perform specific revisions to be accepted.
Nobody can guarantee you a place without an acceptable paper.
AT THE CONFERENCE: There are five tracks. Time your presentation to last
40 minutes and have clear relation to your paper. A committee
member will preside over your assigned room and adhere to schedule.
Don't hesitate to submit a presentation you've given elsewhere
to a more specialized audience. Most attendees will find it
new - and necessary. On-site schedule is duplicated early on
first day. If you may have a work emergency you can reschedule
or substitute your co-author.
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 156]
******************************************