From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #8
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Wednesday, 15 Jan 1992 Volume 5 : Issue 8
Today's Topics:
Re: VIRUS at AT286 in SCAN85 (PC)
Re: Odd Problem with F-PROT 2.01 (PC)
Re: Does this behaviour sound like a virus (PC)
Re: Antitelifonica (A-VIR) (PC)
Re: Question re Stoned (PC)
Form virus infected Dos 5.0 diskettes (PC)
Re: Antitelifonica (A-VIR) (PC)
Re: NCSA has tested Antivirus Programs (PC)
Re: Gulf War "virus"
Re: Viruses against Iraq??????
LANs & Viruses
RE: NCSA Has Tested Anti-Virus Programs
Re: Military Viruses
Re: UNIX viruses, request for information (UNIX)
VIRX19.ZIP - VIRX v1.9: Easy to use free virus checker (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 15 Jan 92 06:16:32 +0000
From: mcafee@netcom.netcom.com (McAfee Associates)
Subject: Re: VIRUS at AT286 in SCAN85 (PC)
DVORACEK@CSEARN.BITNET (Jarda Dvoracek) writes:
>
> !!! AT 286 USERS !!!
> !!! WARNING !!! WARNING !!! WARNING !!!
> !!! SCANV85 INFECTED, CLEAR85 MAYBE TOO !!!
Hello Jarda,
>
>In Czechoslovakia, I got some new virus with the SCANV85.ZIP from some
>BBS. It makes all .COM, .EXE and .ASM files 10 bytes longer, the first
When SCAN is run with the /AV option, it will create a validation code
that is used to compare the file against so that it can be checked for
unknown virus. This process adds ten (10) bytes to the end of .COM
and .EXE files.
[some of message deleted]
>During 3 days it has infected all files but COMMAND.COM, some of them
>worked normally, several terminated just after calling them.
[rest of message deleted]
SCAN does not add ten bytes to COMMAND.COM or the system files.
Instead, it stores the validation data in a hidden file in the root
directory called SCANVAL.VAL.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - -
McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street | FAX (408) 970-9727 | "Welcome to the alligator
Santa Clara, California | BBS (408) 988-4004 | farm..."
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
------------------------------
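The confusion in the exchange above comes from a file-integrity technique: an appended validation record makes every validated executable grow by a fixed amount, which looks like an infection to anyone who is not expecting it. The following added example (mine, not McAfee code, and the record layout is a constructed one, not SCAN's real format) demonstrates the idea with a 10-byte trailer holding a marker, the original length and a CRC-32, and also shows the alternative the reply mentions for COMMAND.COM and the system files: keeping the same record outside the file instead of appending it.

```python
import struct
import zlib

# Constructed record layout, chosen to be 10 bytes like the growth SCAN /AV
# produces; it is NOT McAfee's actual validation-code format.
MAGIC = b"VC"               # 2-byte marker identifying the trailer
RECORD_FORMAT = "<2sII"     # marker, original length, CRC-32 of the original bytes
RECORD_SIZE = struct.calcsize(RECORD_FORMAT)   # 10

def make_record(data: bytes) -> bytes:
    """Build the validation record for an unmodified program image."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack(RECORD_FORMAT, MAGIC, len(data), crc)

def add_validation(data: bytes) -> bytes:
    """Append the record to the file (the .COM/.EXE case). Idempotent."""
    if check(data) != "unvalidated":
        return data
    return data + make_record(data)

def check(data: bytes, external_record: bytes = None) -> str:
    """Return 'ok', 'modified' or 'unvalidated'.

    With external_record given, the whole file is the body and the record comes
    from a separate store (the SCANVAL.VAL-style case); otherwise the record is
    expected as the last RECORD_SIZE bytes of the file.
    """
    if external_record is None:
        if len(data) < RECORD_SIZE or data[-RECORD_SIZE:-RECORD_SIZE + 2] != MAGIC:
            return "unvalidated"
        record, body = data[-RECORD_SIZE:], data[:-RECORD_SIZE]
    else:
        record, body = external_record, data
    magic, length, crc = struct.unpack(RECORD_FORMAT, record)
    if magic != MAGIC or length != len(body):
        return "modified"            # size changed: bytes appended or removed
    if (zlib.crc32(body) & 0xFFFFFFFF) != crc:
        return "modified"            # same size, different content
    return "ok"

def growth_after_validation(data: bytes) -> int:
    """How many bytes a file grows when validated in place (always RECORD_SIZE)."""
    return len(add_validation(data)) - len(data)

if __name__ == "__main__":
    image = b"constructed program image, standing in for a .COM file"
    validated = add_validation(image)
    print("grew by", growth_after_validation(image), "bytes")   # 10
    print("intact:", check(validated))                           # ok
    patched = validated[:4] + b"X" + validated[5:]               # one byte changed
    print("patched:", check(patched))                            # modified
    # System-file style: record kept outside the file, file itself untouched.
    record = make_record(image)
    print("external:", check(image, record), check(image + b"\x00", record))
```

Note the weakness a practitioner should keep in mind: a trailer that anything can strip or rewrite is only a change detector, not a tamper-proof seal, and a file that simply loses its trailer reports "unvalidated" here rather than "modified", so a real tool must also remember which files it has validated.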
Date: Wed, 15 Jan 92 10:48:19 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Odd Problem with F-PROT 2.01 (PC)
In Message 9 Jan 92 18:40:00 GMT,
WALKER@aedc-vax.af.mil (William Walker C60223 x457) writes:
>While testing F-PROT 2.01 against my suite of captive viri, I noticed a
>curious behavior. When F-PROT prompted to "Press ENTER to scan next
>diskette," I swapped diskettes, pressed ENTER, and F-PROT began scanning
>the diskette, but the files it reported scanning were those on the
>previous diskette.
This problem has been fixed in version 2.02. The problem only appears on
certain types of 360K drives - mostly old ones - which do not have a
disk change status line - 1.2M drives and 3.5" drives did not cause the
problem, which is why it never surfaced in testing.
Version 2.02 also corrects a few other problems:
"Secure Scan" used to report a "possible new variant of Yaunch" when
scanning certain files, including some OS/2 executables - fixed.
"Analyse Program" would occasionally crash with a "Divide error"
message - fixed.
Version 2.01 had some problems when scanning Bernoulli boxes, and
when run from the OS/2 DOS box - fixed.
The major changes in 2.02 are not bug fixes of course, but a
considerable speed improvement and some other nice features. It is
finished - I am just making some changes to the virus names, to bring
them in line with the recent "standard" naming scheme.
Expect to see an announcement that 2.02 is available in a couple of days or
so.
- -frisk (author of F-PROT)
------------------------------
Date: Mon, 13 Jan 92 16:54:00 +0000
From: Anthony Naggs <AMN@vms.brighton.ac.uk>
Subject: Re: Does this behaviour sound like a virus (PC)
In issue 1 Mark Saake reports:
>The other day I inserted a floppy into the A: drive on my pc and tried
>to do a dir. I got the message back stating "Sector not found" and it
>was unable to read the disk.
>...
>I tried booting off a floppy instead of the hard drive and was able
>to read other floppies fine, with and without write protect tabs.
>However, after some experimenting, I discovered that if I booted off
>the hard drive I could read floppies as long as they had the write
>protect tab on but the second I took the tab off the disks became
>trashed. Note that when booting off an original system floppy this
>behavior was not exhibited. Everything worked fine.
Yes Mark you definitely have a 'boot sector' virus, probably a variant
of New Zealand (also known as Stoned or Marijuana).
So what is happening?
Well, the first sector on each DOS diskette is the boot sector, this
carries a short 'boot strap' program and some information about the
disk format. To infect a diskette the virus copies the original boot
sector to somewhere safe (towards the end of the root directory for
the New Zealand virus), and places a copy of itself in the first
sector. The purpose of the bootstrap program is to examine the disk
and decide whether it is suitable to boot from, by ensuring the DOS
system files are present, and giving a warning message if they are
missing.
The effect you see is due to a major fault in the New Zealand virus,
and most of its subsequent variants: it does not understand that there are
different diskette sizes. It therefore doesn't include the disk
size information in the new boot sector. Without the disk size
information DOS does not correctly recognise some sizes of disk, eg it
assumes 1.2M diskettes are 360k and reads the root directory from the
wrong part of the disk.
The New Zealand virus spreads if you boot your PC from an infected
diskette, even if the diskette does not have the system files. This
is because the virus is loaded by the BIOS ROM, the virus looks for a
hard disk and infects that, and then it loads the original bootstrap
program.
To confirm this run CHKDSK, for 640k of standard memory it should
normally report "655360 bytes total memory", with New Zealand virus in
memory this will be reduced to 653312.
The solution: either acquire some anti-virus software locally, or send
me your postal address & you can have a program of mine which will
disinfect your hard disk & should be able to recover all your floppy
disks. To ensure that my program works with the virus version that
you have you can post a copy of an infected diskette to me:
P.O. Box 1080,
PEACEHAVEN
East Sussex BN10 8BT
GREAT BRITAIN
Good luck with your clean up,
Anthony Naggs
~~~~~~~~~~~~~
PS "Review: A Pathology of Computer Viruses"
Interested to see Gene Spafford's review especially as I am still
awaiting my review copy. Ho hum.
------------------------------
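Two checks from the reply above lend themselves to code: reading the disk-format information (the BIOS Parameter Block, BPB) out of a diskette's boot sector to see whether a sector still carries it, and turning CHKDSK's "bytes total memory" figure into the amount of conventional memory something resident has taken. The following is an added example of mine, not a program from the digest or from Anthony Naggs; the two boot sectors it examines are constructed in the script (the "overwritten" one uses NOP filler bytes as a stand-in for a boot sector whose BPB has been replaced by code, not any virus code), and the geometry table covers the standard PC floppy formats.

```python
import struct

# Standard PC diskette geometries keyed by (sectors per track, heads, total sectors).
KNOWN_FLOPPY_FORMATS = {
    (9, 2, 720): '360K 5.25"',
    (15, 2, 2400): '1.2M 5.25"',
    (9, 2, 1440): '720K 3.5"',
    (18, 2, 2880): '1.44M 3.5"',
}

BPB_OFFSET = 0x0B
BPB_FORMAT = "<HBHBHHBHHH"     # DOS 3.x BPB: little-endian, 17 bytes
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_copies", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")

def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields from a 512-byte boot sector."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))

def assess_boot_sector(sector: bytes) -> dict:
    """Identify the diskette format and list anything that suggests the sector
    no longer carries valid disk-format information."""
    bpb = parse_bpb(sector)
    warnings = []
    if sector[0] not in (0xEB, 0xE9):
        warnings.append("first byte is not a JMP to the bootstrap code")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        warnings.append("0x55AA boot signature missing")
    if bpb["bytes_per_sector"] != 512:
        warnings.append("bytes-per-sector is not 512: BPB absent or overwritten")
    geometry = (bpb["sectors_per_track"], bpb["heads"], bpb["total_sectors"])
    fmt = KNOWN_FLOPPY_FORMATS.get(geometry)
    if fmt is None:
        warnings.append("geometry %r matches no standard diskette format" % (geometry,))
    return {"format": fmt, "bpb": bpb, "warnings": warnings}

def build_clean_sector() -> bytes:
    """Constructed, minimal 1.2M boot sector: jump, OEM name, BPB, signature."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"            # short jump over the BPB, then NOP
    sector[3:11] = b"EXAMPLE "                # OEM name field
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2400, 0xF9, 7, 15, 2)
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)

def build_bpb_less_sector() -> bytes:
    """Constructed sector whose BPB region was overwritten by code: NOP filler
    here, standing in for the situation the message describes (no virus code)."""
    sector = bytearray(build_clean_sector())
    sector[BPB_OFFSET:BPB_OFFSET + 17] = b"\x90" * 17
    return bytes(sector)

def resident_shortfall(reported_total_bytes: int, installed_kb: int = 640) -> int:
    """Bytes of conventional memory missing from CHKDSK's 'total memory' line."""
    return installed_kb * 1024 - reported_total_bytes

if __name__ == "__main__":
    for label, sec in (("clean", build_clean_sector()),
                       ("overwritten", build_bpb_less_sector())):
        result = assess_boot_sector(sec)
        print(label, result["format"], result["warnings"])
    print("CHKDSK 653312 ->", resident_shortfall(653312), "bytes taken")   # 2048
```

The geometry check is what DOS cannot do for itself: with the BPB gone it falls back to a guess about the disk size, which is the mis-read root directory the poster saw. Two caveats: an unrecognised geometry only says the sector is not a standard DOS boot sector, not which program put it there, and the memory figure is a symptom of any resident code, so it confirms rather than identifies.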
Date: 14 Jan 92 09:51:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Antitelifonica (A-VIR) (PC)
ahubbell@orlith.bates.edu (Arlyn Hubbell) writes:
> Antitelifonica. According to McAffee's SCAN85 documentation it can
> only be cleaned using a program called M-DISK. Has anyone out there
^^^^
Well, "only" is a bit hard... :-) M-DISK is certainly not the only
anti-virus program in the world, which can help you get rid of this
virus. In fact, if you have a DOS 5.0 system disk, you don't need any
anti-virus program at all in order to remove the virus from the hard
disk. Just run FDISK with the /MBR option. It will rewrite the master
boot sector program without touching your partition table information.
The bad news is that the virus might have already destroyed some
information on some kinds of hard disks, but that same happens with
Stoned...
You can remove the virus from diskettes (if their root directory
information has not been destroyed) by copying all the files to
another diskette and reformatting the infected one.
In order to remove the infection from the files (this is a
multi-partite virus), you need some kind of virus scanner, which will
tell you which files are infected, so you can delete them and replace
them from clean backups.
Of course, all this must be done while the virus is not active in
memory (i.e., after booting from a write-protected non-infected system
diskette), since the virus is a stealth one.
If you really want to disinfect the infected files (instead of
removing them), which I strongly discourage, you might consider
getting a good disinfector. Dr. Solomon's Anti-Virus ToolKit is one,
but even McAfee's CLEAN 85 is able to disinfect this virus from the
files (and it is less expensive than the AVTK). Fridrik Skulason's
F-Prot 2.01 is also a good choice (read: it detects the virus
perfectly, but I haven't found time yet to test its disinfection
capabilities on this virus. You can contact Fridrik Skulason at
frisk@complex.is for more information.) and it is -very- cheap.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
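The point about FDISK /MBR in the reply above is that the master boot sector has two parts that can be treated separately: the boot program in the first 446 bytes and the 64-byte partition table in front of the 0x55AA signature, so the program can be replaced while the table is left alone. The following added example of mine (not FDISK, and not code from the digest) shows that split on a constructed MBR: it decodes the partition table, replaces only the code area with a placeholder program, and checks afterwards that the table is byte-for-byte unchanged. The partition entry and both code fillers are constructed values.

```python
import struct

MBR_SIZE = 512
CODE_AREA = 446               # master boot program lives in bytes 0..445
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE      # 0x55 0xAA
ENTRY_FORMAT = "<B3sB3sII"    # boot flag, CHS start, type, CHS end, LBA start, sectors

# Placeholder "clean" boot program: a two-byte jump-to-self, standing in for
# real bootstrap code. It is an assumption of this example, not DOS code.
CLEAN_BOOT_CODE = b"\xEB\xFE"

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries into dictionaries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        flag, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FORMAT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"bootable": flag == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """Replace the code area only; partition table and signature are kept.
    This is the separation FDISK /MBR relies on, not FDISK's own implementation."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if len(clean_code) > CODE_AREA:
        raise ValueError("boot program does not fit in the code area")
    new = bytearray(mbr)
    new[:CODE_AREA] = clean_code.ljust(CODE_AREA, b"\x00")
    new[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(new)

def partition_table_intact(before: bytes, after: bytes) -> bool:
    """True when the 64-byte partition table is identical in both sectors."""
    return before[PART_TABLE_OFFSET:SIGNATURE_OFFSET] == after[PART_TABLE_OFFSET:SIGNATURE_OFFSET]

def code_area_changed(before: bytes, after: bytes) -> bool:
    """The defender's comparison: has the boot program changed against a known copy?"""
    return before[:CODE_AREA] != after[:CODE_AREA]

def build_sample_mbr() -> bytes:
    """Constructed MBR: INT3 filler as the 'current' boot program, one bootable
    FAT16 partition starting at LBA 63 with 20000 sectors, CHS bytes arbitrary."""
    mbr = bytearray(b"\xCC" * CODE_AREA + b"\x00" * (MBR_SIZE - CODE_AREA))
    struct.pack_into(ENTRY_FORMAT, mbr, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x06, b"\xFE\xBF\x4F", 63, 20000)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    original = build_sample_mbr()
    rewritten = rewrite_boot_code(original, CLEAN_BOOT_CODE)
    print("partitions:", parse_partition_table(rewritten)[0])
    print("table intact:", partition_table_intact(original, rewritten))   # True
    print("code changed:", code_area_changed(original, rewritten))        # True
```

The comparison functions are the useful part for a defender: a saved copy of the 512-byte sector, taken from a known-clean system, lets a later check distinguish "boot program changed, partition table intact" from a genuinely repartitioned disk. The reply's caveats still hold: rewriting the code area does nothing for the data the virus may already have destroyed, and nothing for the diskette and file infections, which the message handles separately.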
Date: 14 Jan 92 10:56:00 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question re Stoned (PC)
martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes:
> For stoned to infect a hard disk, the computer must be booted from an
> infected diskette. It may be that in its current setup no student ever
The wording of the above sentence is not very exact, which often leads
to misunderstandings. (Tim, I know that you know what you're talking
about, you just didn't express it in the most exact way.)
The wording should be: "For Stoned to infect a hard disk, there must
be an ATTEMPT to boot from an infected diskette." Note that this does
not imply that the attempt is successful. According to my own
experience, most users get re-infected by Stoned not by actually
booting from an infected bootable diskette, but by forgetting an
infected data diskette (i.e., with no DOS or even any executable files
on it) in the A: drive when they are turning their computer on.
The trick is that when you see the "Press any key" message, the hard
disk is -already- infected.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Tue, 14 Jan 92 11:05:49 +0000
From: root@itnsg1.cineca.it (Valter Cavecchia)
Subject: Form virus infected Dos 5.0 diskettes (PC)
Some time ago we were infected by the Form (boot sector) virus.
Nothing serious happened, but among the computers infected few of them
were running Dos 5.0. We tried to remove the virus using M-DISK but
found that Dos 5.0 is not yet supported. Is there a new version of
M-DISK available? Is there any other way to clean up the diskettes
(without formatting :-)) ?
Thanks a lot for any help
Valter
---------------------------------------------------------------------------
| Valter V. Cavecchia | Bitnet: cavecchi@itncisca |
| Centro di Fisica del C.N.R. | Internet: valter@itnsg1.cineca.it |
------------------------------
Date: Tue, 14 Jan 92 13:43:12 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Antitelifonica (A-VIR) (PC)
>We here at Bates College have just come across our first occurrence of
>Antitelifonica.
This virus is also known under the following names:
Kampana (boot)
Telefonica
Spanish Telecom (boot)
Telecom (boot)
It is a very rapidly spreading boot sector virus, which can be quite harmful
as it may reformat the disk on the 400th boot.
This virus is sometimes "dropped" by a different virus - a program virus,
which exists in several versions. You probably have only the boot virus.
> According to McAffee's SCAN85 documentation it can
>only be cleaned using a program called M-DISK.
"only" is not correct - I think most other anti-virus programs, at least my
own - can disinfect it as well.
- -frisk
------------------------------
Date: Tue, 14 Jan 92 13:57:00 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: NCSA has tested Antivirus Programs (PC)
In Message 8 Jan 92 16:26:35 GMT, RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) writes:
> F-Prot V. 2.0 | F. Skulason | 129
Well, I'm not complaining...I was quite happy with the results, and getting
the top score has only helped me... :-)
Actually, the main reasons why I did not get a perfect score (140 points)
were:
Speed - Version 2.0 was quite slow compared to some of the other
scanners - a problem which has been fixed in 2.02.
Handling of "self-infections" - I did not agree with this part of the
review, but the question was what the scanner program should do if
it determined that it had been infected with a virus.
Obviously 0 points were awarded if the scanner did not detect the
infection, but my opinion was that the program should simply abort
and announce that it had been infected, telling the user to reboot from
a "clean" disk, and run an original copy of the program.
They wanted the program to be able to disinfect itself in memory,
disable the virus, if it was active in memory, and continue as if
nothing had happened...something which I consider too dangerous.
>england) ranking among the best ones. Most apparently, high-quality
>European products in this domain will be recognized internationally.
Actually - quite a few of the "American" anti-virus programs are not actually
American at all...quite a few of them are just repackaged programs from
elsewhere...Israel for example.
- -frisk
------------------------------
Date: 15 Jan 92 11:30:05 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Gulf War "virus"
fstuart@eng.auburn.edu (Frank Stuart) writes:
> CNN is reporting that a computer "virus" was used during the Gulf War.
> Reportedly, the virus was used to blank the screens of Iraq's air
> defense computers. The alleged virus was supposed to have been hidden
> in a printer chip that was smuggled in from Jordan. I (and many
> others, I'm sure) would be very interested if anyone has further
> information.
This is old news; I heard about that when I was in Bulgaria, maybe in
May. I'm afraid that it is based on an April 1st joke, published by a
computer magazine (was it Computerworld?)... It is, essentially,
nonsense, of course.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 15 Jan 92 14:44:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses against Iraq??????
stus5239@mary.cs.fredonia.edu (Kevin Stussman) writes:
> Virus on a chip?? How and when did it go off? What type virus?
> (it probably wasn't a real virus (not self replicating) but nasty
> screen killing code on a chip) So now hacking is now legal, but only
> during wartime against an enemy. (goes with killing)
Nonsense, complete nonsense. If it is in the printer, it cannot force
you to execute it. It cannot copy itself to the computer. It cannot
exist. Period.
The whole story is a rumor, just as the "modem virus", an excellent
article about which was posted by Rob Slade just in time.
And the rumor in this case is based on an April 1st joke, made by a
computer magazine.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Mon, 13 Jan 92 16:33:16 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: LANs & Viruses
It is my conviction that part of effective LAN protection from Viruses
and other malicious software must center around the ability of the
server to be able to authenticate clients prior to permitting access.
This requires the ability for the client to force the client to run
certain applications during the login process. While most
client-server networks provide for such login "scripts", I do not know
of any peer-peer networks that do. I would appreciate hearing from
users who know of any peer-peer networks that can force such action on
the requestor by the requestee (or alternately, any client-server
systems that cannot).
Please reply to me directly.
Warmly (73 today),
Padgett
padgett%tccslr.dnet@mmc.com
------------------------------
Date: Mon, 13 Jan 92 19:53:00 -0500
From: <RUTSTEIN@HWS.BITNET>
Subject: RE: NCSA Has Tested Anti-Virus Programs
The information you presented was correct, though outdated. Those
results were from the previous virus scanner evaluation report, and
were printed last year in Network World, as you said. Just this week,
the latest update to that scanner evaluation was released, and is
available from the NCSA at 717-258-1816. The results may surprise
you..... Hope this helps, happy virus-busting....
Charles
**************************************************************************
Rutstein@HWS.BITNET
(Charles Rutstein)
***************************************************************************
------------------------------
Date: 14 Jan 92 10:12:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Military Viruses
U953001@RUTADMIN.BITNET (Nick Di Giovanni) writes:
> The Review reported that Software and Electrical Engineering (SEE) was
> one of two organizations preparing reports for the Army Center for
> Signal Warfare on the deliberate use of computer viruses and worms to
Probably SPARTA, INC. is the other one.
> incapacitate computer networks. The center identified the desired
> effects of such a use as including data disruption, denial of use, and
> affecting the operation of processors and the management of data
Yeah, yeah, but this is mainly wishful thinking - they dream to have
viruses which are able to do this... Currently no such things are
available, of course.
> storage. SEE's contract was reportedly for $50,000; however, it stood
> to make as much as $500,000, according to this account, if it received
> a contract for the follow-up phase of the project, which involves
> devising particular viruses, demonstrating them, and devising possible
> defenses against their use.
This is not quite exact, and it involves not only SEE.
In fact, the DoD's SBIR (Small Business Innovation Research) program
consists of three phases. During the first one (Concept Feasibility),
contracts are awarded for a study of feasibility of the projects in
the Army's areas of interest. The awards are for $50,000 over a
six-month period. They say that the available funds will permit
support of approximately 20 % of the proposals received.
Firms that successfully complete Phase I study are eligible to submit
Phase II (Research and Development) proposals in that area of study.
The Phase II awards fund research, development, and prototype
production. The awards cover a period of two years, and average
$450,000. They expect that the funds will permit about 40 % of
those who have completed Phase I to progress to Phase II.
Success in Phase II is expected to lead to Phase III (Production and
Commercialization). The SBIR contractors normally obtain funding for
this phase of their product or service from the private sector. The
Government, through its agencies, also provides financial support for
contractors whose products will be used by the U.S. Government. By
law, no SBIR funds are extended for this phase.
Sigh... After all that, there will be again people, who will claim
that I'm a KGB agent... :-) Just FYI, I read all this in an article,
published in the proceedings of a Virus & Security conference. The
document bears, indeed, seals from the Department of Defense, the
Department of the Army, the Department of the Navy, the Department of
the Air Force, DARPA, the Defense Nuclear Agency, and the Strategic
Defense Initiative Organization, but it also has an inscription, which
says that "Nothing on this page is classified or proprietary
information/data"...
Hope that this clears any misunderstandings... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Tue, 14 Jan 92 10:31:50 -0500
From: m19940@mwvm.mitre.org (Emily H. Lonsford)
Subject: Re: UNIX viruses, request for information (UNIX)
You might want to read the article by Tom Duff called "Experience with
Viruses on UNIX systems" in the 1989 V2#2 issue of Computing Systems.
pp155-171.
**************************
* EMILY H. LONSFORD
* MITRE - HOUSTON H123 (713) 333-0922
* EHL@MITRE.ORG
**************************
------
Downloaded From P-80 International Information Systems 304-744-2253