home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Night Owl 9
/
Night Owl CD-ROM (NOPV9) (Night Owl Publisher) (1993).ISO
/
051a
/
vl6_056.zip
/
VL6-056.TXT
Wrap
Internet Message Format
|
1993-04-06
|
26KB
From lehigh.edu!virus-l Mon Apr 5 05:05:53 1993 remote from vhc
Received: by vhc.se (1.65/waf)
via UUCP; Mon, 05 Apr 93 18:01:13 GMT
for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
id AA01636; Mon, 5 Apr 1993 15:38:50 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA34585
(5.67a/IDA-1.5 for <mikael@vhc.se>); Mon, 5 Apr 1993 09:05:53 -0400
Date: Mon, 5 Apr 1993 09:05:53 -0400
Message-Id: <9304051213.AA19903@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #56
VIRUS-L Digest Monday, 5 Apr 1993 Volume 6 : Issue 56
Today's Topics:
Michelangelo (PC)
CLEAN Recovery? (PC)
Port Writes (PC)
Lao Duong (PC)
Optimum Strategy for Virus Checking (PC)
Re: Booting password (PC)
Superstor and McAfee (PC)
Bug in FixUtil4 (PC)
Zenith boot selection (PC)
Re: What is the Genb or Form Virus??? (PC)
Re: Problems with DOS 6.0 Microsoft Anti-Virus (PC)
VI-SPY VS Central Point AntiVirus (PC)
Re: Scanners and exe/com file compressors? (PC)
Re:Scanners and exe/com files (PC)
Virus signature determination. (PC)
Catch from DIR? (PC)
Scan 99 % PKlite 1.15 (PC)
Untouchable (PC)
Untouchable (PC)
Which CRC/scanner to use. (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.
Ken van Wyk, krvw@first.org
----------------------------------------------------------------------
Date: Mon, 29 Mar 93 08:51:07 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Michelangelo (PC)
Hello Paul & Frisk!
> Well, not every Michelangelo story has a sad ending. I did a
> data recovery a week or two ago for a guy who'd been hit -- he had a
> 200MB drive, and as M takes only a 9MB "bite" out of the drive, what
> was left turned out to be pretty useful.
9MB? You musta been very quick in powering the PC down :-). Ah, joking. Okay,
it may be possible to recover _something_ in some instances, if Mich didn't
touch one copy of the FAT or your files weren't too fragmented. You need a big
bucket of luck to recover "all you want" :-)
> Yeah, they chose the wrong switch; then "Oops, sorry", and
> switched back on again. "Funny, this machine won't boot".
Funny :-) :-(
cu!
eppi
- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)
------------------------------
Date: Mon, 29 Mar 93 08:58:08 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: CLEAN Recovery? (PC)
Hi Chris!
> My question is, is there any way of rebuilding a "CLEANed"
> partition table???
Yes - get a virus-free DOS 5 boot disk containing FDISK and a sector editor,
boot from it and issue "FDISK /MBR". If this does not help at all, it means
your partition table entries have gone, too. In that case take the sector
editor, look for the DOS bootsectors on your hard disk (if you ever saw an
intact DOS boot record, you know how it looks like) and insert the right
parameters into the new-built MBR's partition entries. A little difficult, but
works.
> what does IMHO stand for...
In my humble opinion, IMHO stands for... ehem :-)
cu!
eppi
- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)
------------------------------
Date: Mon, 29 Mar 93 09:43:16 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)
Hello everyone.
A couple of days ago, I first succeeded in compiling and running a routine to
access disk using port writes only, therefore avoiding any interrupt
whatsoever.
Needless to say, this piece of code is not going anywhere.
However, this raised a question.
Is there any EXISTING control program to inhibit such access? If a virus were
to use port writes, no anti-virus shield would be able to stop it.
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
- --- FMail 0.92
* Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)
------------------------------
Date: Fri, 02 Apr 93 01:56:19 -0500
From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Lao Duong (PC)
A.APPLEYARD@fs1.mt.umist.ac.uk writes
> (1) What is the exact proper spelling of 'Loa Duong'? I have met
>3 spellings so far.
Who knows? We use Laodoung, which was the name of the sample file
we received.
> (2) We had Loa Duong in a PC III (running DOS 3.10) in Manchester
>University (England), and I suspect that either it or the only
>antiviral that we use (VET) or both between them deleted some
>files. Who issues VET? Who will have information about it?
We do, and the Manchester Computer Centre has the information about
it.
>Please someone send me fullest information about what Loa Duong
>does. The version of VET that we had, found it but could not remove
>it.
According to Alan Solomons VENCYCL it "Plays music, or beeps." It
does not appear to have any warhead, so it is unlikely that eithe
it, or VET, caused the files to be lost.
>In the end we resorted to the ultimate weapon: wiping and re-
>initializing the hard disk.
This is almost never necessary, and will usually cause far more
trouble than waiting till you can get proper advice.
If VET had been installed on the PC it would have been able to put
back the saved copy of the DOS boot sector, but as this virus
infects the DOS boot sector it can readily be removed with the
command "SYS C:"
Roger Riordan Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
------------------------------
Date: Fri, 02 Apr 93 01:56:26 -0500
From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Optimum Strategy for Virus Checking (PC)
markb@grv.grace.cri.nz (Malcolm Shore) writes
>I have been considering the integrity requirements of PC systems and
>applications, and thinking about the problem of full system scanning
>and user resistance because of the time involved.
>
>This leads me to ask members of the list more experienced than I
>in these matters the following question:
>
>Can risk analysis techniques be applied to the problem of viruses,
>ie do we have the base data needed to assess the risk of attack by
>various viruses and apply only the required countermeasures?. Do we
>have the methodology?
>
>For instance, if such an analysis reveals that only (say) the STONED
>and MICHAELANGELO viruses pose a threat in excess of acceptable risk
>then boot sector protection will provide an acceptable countermeasure
>without the overheads of full system scanning. Do I speak heresy?
In their enthusiasm to protect themselves from every possible risk
systems administrators often specify security measures which render
users PCs almost inaccessible. The inevitable result is that the
users find some way of disabling the security measures, and so they
end up having no protection whatsoever.
When we were designing our program VET we started from the
assumption that if it added more than about 20 seconds to the normal
startup time it would be disabled, so we set out to provide an
adequate degree of security without exceeding this limit. The
measures we adopted are:
1. We made VET as fast as possible.
2. During Installation we take copies of both boot sectors, so
that any change can be detected.
3. We record the top of memory, so the user will be warned if
a virus goes resident here.
4. We check memory for known viruses, and then fill unused memory
with a diagnostic code, so that if a new virus should hide in
memory without protecting itself the PC will lock up, after
warning that unused memory has been executed.
5. We calculate signatures for our program files, after adding
the information relating to the users PC, and for COMMAND.COM
(or equivalent). The signatures are embedded in the program
files, and these are then encrypted, and new signatures
are calculated and recorded.
5. By default VET will check the first 50 executable files it
finds. Most program viruses will spread rapidly, so this will
detect nearly all infections the next time the PC is booted.
Using the default options VET takes about 16 seconds to check an XT,
and 4 to check a modern 486, but it will identify nearly all viruses
that are remotely common, recover files and hard disks infected with
most common viruses, and warn of most infections with new viruses.
The author of the locally written Gingerbread virus went to
inordinate lengths to hide it, but if it infected a PC with VET
installed the user would be warned in the normal boot that the top
of memory had been changed. After a clean boot VET would also warn
that the MBR and the VET file were corrupted.
Roger Riordan Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
------------------------------
Date: Fri, 02 Apr 93 11:05:39 -0500
From: Fabio <FESQUIVE@ucrvm2.bitnet>
Subject: Re: Booting password (PC)
Can't you go into the setup program? I had the same problem with
a DTK 486DX 50Mhz computer: I could not execute the setup utilities,
because it allways asked me for the setup password.
What I did follows: I wrote my own setup program (CMOSEDIT.EXE) which
allows me to modify any register in the CMOS. Particularly, I changed
the hard disk type number to other number and then booted up again.
The DTK BIOS POST routine tried to recognize the new hard disk type
parameters, checking them against the real HD installed. Of course,
the comparison failed and the POST suggested to get into the setup
Voila... No setup password were asked. Try it, you can use any CMOS
modifier utility; there are several on InterNet (Mark Aitchison has
written CMOS.EXE version 2.99 which is very good. FTP for it in
cantva.canterbury.acs.nz under the PC directory, file CMOS299.ZIP,
login as anonymous).
Good luck
,,,
(O o)
* * * * * * * * * * * * * * * *oOO* (_) *OOo* * * * * * * * * * * * * *
* * U *
* Fabio Esquivel Chacon * Computerize God - It's the new religion *
* fesquive@ucrvm2.bitnet * Program the Brain - Not the heartbeat *
* University of * * * * Virtual existence / Superhuman mind *
* Costa Rica * The ultimate creation / Destroyer of mankind *
* "My girlfriend, * Termination of our youth / For we do not compute *
* ____/| music and * *
* \'o O' computers * "Computer God" - Dehumanizer *
* =(_._)= drive me * Ronnie James Dio - Black Sabbath (1992) *
* U crazy..." * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
------------------------------
Date: 02 Apr 93 17:26:27 +0000
From: psgrbbc@prism.gatech.edu (Brian Cooper)
Subject: Superstor and McAfee (PC)
I'm posting this question for a friend. He has had some problems using
McAfee and Superstor. He scanned the files on his Superstor disk, and
McAfee reported no viruses. However, he could not access the Superstor disk;
he could only access the regular disk with the Superstor temporary files.
Luckily, when he rebooted, all was fine-- he could access his Superstor
disk and all files were in tact.
Are there any problems with using Superstor and McAfee? What may have
caused his inability to access the Superstor disk?
Thanks,
Brian Cooper
psgrbbc@prism.gatech.edu
------------------------------
Date: Fri, 02 Apr 93 12:53:27 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Bug in FixUtil4 (PC)
I have discovered a bug in FixMBR.EXE v2.7 and 2.7b included in the
FixUtil4.zip file that may trigger an "Sector Mismatch..." error on
some partition tables. This bug does not exist in the 1.x versions
in FixUtil3. I will put together a fix that will be posted as FixUtl4c.zip
and contain FixMBR v 2.8.
Again, this will only occur on certain oddly partitioned PCs in which
the active MS-DOS partition is not the first entry in the table.
Chagrined,
Padgett
------------------------------
Date: Fri, 02 Apr 93 13:19:41 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Zenith boot selection (PC)
>From: cftdl@ux1.cts.eiu.edu (Terry Lundgren)
>Subject: Zenith Hard Disk Boot (PC)
>Our computer lab seems to be under constant virus attack,
>especially from boot sector viruses. We have Zenith 386's and
>they allow through the setup procedure accessible by Ctrl/Alt/Ins
>to make the system boot from the hard disk. I tried it and it
>made no difference then what was in the A drive (empty,
>>unformatted, formatted no system, etc.). The startup obviously
>did check the drives, but I don't think the boot sector is being
>used.
The problem is that the Zenith looks at the hard disk entry first.
If the type is NONE (as when a hard card or any disk requiring its own
controller) is in use, it will ALWAYS boot from A: reguardless of the
boot select setting. If this is the case, first check to see if you
can turn the controller BIOS off and use the Zenith BIOS instead (seen
frequently when upgrades from 159s to 248s and 386s occured & the
old disk and controller were kept.
>Will changing the setup to boot from the hard disk stop boot
>sector infections? (Of course it could be changed, but it might
>significantly slow down the spread if it works.)
IMHO this is true. A MBR or BSI could still occur with a dropper or if
an insider "helped" but most of the currently "common" viruses of
this type will be stopped.
Warmly,
Padgett
------------------------------
Date: 02 Apr 93 20:03:24 +0000
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: What is the Genb or Form Virus??? (PC)
crk5@vm2.cis.pitt.edu writes:
>Yesterday one of our machines contracted the Genb virus at boot up. When I
>cleaned it off it said that is was the Form virus. I suppose one is a
>variant of the other. I have not been able to find any information on
>either of these viruses and what they do, or how dangerous they are.
GENB is McAfee's designation for a generic boot sector infector. So it is
not a specific virus. If it later said Form, then you have Form.
Jimmy Kuo cjkuo@symantec.com
Norton AntiVirus Research
------------------------------
Date: Fri, 02 Apr 93 21:18:48 +0000
From: 007 <sbonds@jarthur.Claremont.EDU>
Subject: Re: Problems with DOS 6.0 Microsoft Anti-Virus (PC)
acrosby@uafhp..uark.edu (Albert Crosby) writes:
[Observations of MSAV's feebleness omitted]
>Personally, I think Frisk and McAfee can rest assured. I, for one, CANNOT
>take this offering from Microsoft seriously, and will reccomend other
>anti-virus solutions to my network users and clients.
Well, what did you expect? The startup line shows that the copyright is
held by Central Point Software, and just about everyone who has read this
list for long knows what the conventional wisdom regarding CPAV is... <grin>
Just to see if the CW was right, I tested MSAV on my rather small collection
of 350 viruses. F-prot 2.07 caught 345 of these, SCAN 102 caught 343, and
MSAV caught 308. Quite a difference! Microsoft oughta be ashamed...
-- 007
- --
000 000 7777 | sbonds@jarthur.claremont.edu
0 0 0 0 7 |-----------------------------------------------------------
0 0 0 0 7 | Childhood is short... [Calvin & Hobbes]
000 000 7 | ...but immaturity is forever.
------------------------------
Date: 02 Apr 93 21:59:15 +0000
From: minchin@rumba.seas.upenn.edu (Min-Chin Hsiao)
Subject: VI-SPY VS Central Point AntiVirus (PC)
Hi netters,
This is not an comparison between the two scanners. I ran into some
problems while running Vi-Spy version 10 while scanning my hard disk.
Vi-Spy consistently pick the Central Point Antivirus files like
vsafe.com or Vsafe.sys saying that Flip virus is found. I think I have used a
Virus scanner from Taiwan Eten group which report the same thing.
Just wondering if anyone has this problem? Is it just coincidence that
Flip's signature was found in CPAV files?
Min-Chin Hsiao
minchin@eniac.seas.upenn.edu
------------------------------
Date: Fri, 02 Apr 93 21:52:34 +0000
From: phil@wearbay.demon.co.uk (Philip Coull)
Subject: Re: Scanners and exe/com file compressors? (PC)
frisk@complex.is (Fridrik Skulason) writes:
>It cannot be expanded by PKLITE, that is...expanding it with a special
>program is not a problem at all.
I think what you're saying here is that pklite can't expand it, but its pretty
easy to write one that does!(?) If that is the case there seems to be little
point in using PKLITE Pro!
As an aside, and without giving away any "trade secrets". Can you use the
compressed programs built-in ability to uncompress itself, or do you have
to write a de-compressor totally from scratch??
- ---------------------------------------------------------------
Philip Coull G3XVY phil@wearbay.demon.co.uk CI$ 76046,332
------------------------------
Date: 02 Apr 93 22:38:00 +0000
From: shakib.otaqui@almac.co.uk (Shakib Otaqui)
Subject: Re:Scanners and exe/com files (PC)
PA> To answer your question, yes scanners (at least McAfee) do unpack/decompr
ess
> programs. I have tested it with PKLite (shareware), I PKLited an infected
> program and Scan v100 found it with no problem,I do not know about the
> professional version of PKLite, but, there is a BUT, If the
> PKLite header were to be trashed...then Scan would not know to decompress
> the program. It would then miss completely te virus. You would have then
what
> I call a Stealth Bomber delivery system, when the virus would begin to sp
read,
> it would then become scannable but you would not be able to find the sour
ce.
You're so right. Some idiot recently posted on the Fido-Net
Batchpower echo the debug script for what was described as a tiny
disk cache program. At least two users have reported that the
program trashed their drives, even though it had been scanned.
Investigation showed that the file was compressed with PKLite
1.15, and that a hex editor was used to replace the PKLite
signature with null characters. This apparently defeated SCAN,
which treated it as an ordinary file. After uncompressing the
file with PKLite, one user said SCAN apparently identified it as a
virus, though I suspect it's more likely to be a trojan.
I've saved both the debug script and the related messages in case
anyone is interested (offer only open to bona fide virus
reserachers whose names I recognise).
* PQ 2.15 189 * Lose that ugly FAT: download a trojan today!
------------------------------
Date: Wed, 31 Mar 93 09:14:01 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Virus signature determination. (PC)
Hi Frisk!
> 2) For each polymorphic virus you disassemble it, and find a
> piece of
> the code which is found in all samples of the virus (you
> want to
[...]
> 3) For the difficult, polymorphic ones, which can not be
> found with a
> search string, you write a detection procedure.
I always use the term 'polymorphic' in a different way to 'encrypting'. What
you describe under 2) is an encrypting virus, what you mention under 3) is a
polymorphic one.
Isn't the term 'polymorphic' specifically reserved for viruses who
have their encoder changed along with every copy by exchanging instructions
etc. in a way that there can be no signature extracted?
cu!
eppi
- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)
------------------------------
Date: Wed, 31 Mar 93 09:19:02 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Catch from DIR? (PC)
Hi Frisk!
> There is, however, one way to run a program from a diskette by
> just doing a DIR,
Ugh... if this isn't too special, can you or someone else post how this could
be possible? I just know about an ANSI bomb which will execute a file from
disk if you hit the 'hot key' next time. Do you mean this?
cu!
eppi
- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)
------------------------------
Date: Fri, 02 Apr 93 22:31:36 -0500
From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin)
Subject: Scan 99 % PKlite 1.15 (PC)
From: 1070056@SAPHIR.ULAVAL.CA (PATRICK A. MORIN)
programs. I have tested it with PKLite (shareware), I PKLited an infected
program and Scan v100 found it with no problem,I do not know about the
professional version of PKLite, but, there is a BUT, If the
PKLite header were to be trashed...then Scan would not know to decompress
- --------------------------------------------------------------------------
I did a similar test with Scan99, and PKlite 1.15.
Scan 99 detected both copies of the virus. After I trashed the PKlite
header with Nolite from a back issue of 40 HEX.
After trashing the PKlite header, Scan 99 wasn't able to detect the
compressed virus.
Bill
- ---
* WinQwk 2.0 a#383 * 903 activates any day in March
------------------------------
Date: Fri, 02 Apr 93 22:31:39 -0500
From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin)
Subject: Untouchable (PC)
Date: Wed, 31 Mar 93 10:49:06 +0000
From: chermesh@chen.bgu.ac.il (Ran Chermesh)
Subject: Is "Untouchable" (V-analist-3) effective? (PC)
Our department considers buying an anti virus package. High in the list
is an Israeli product, sold in Israel under the name V-analyst-3 and in
the US as Untouchable. The feature of most interest to us is the way this
package claims to deal with future viruses. Since this feature can't be
tested experimentally,
- --------------------------------------------------------------------------
I have tested Untouchable against viruses that the scanner couldn't
detect.
Untouchable can detect these new viruses by integrity checking. and was
able to restore most of the infected files.
Untouchable does this by integrity checking.
Bill
- ---
* WinQwk 2.0 a#383 * 1554 activates Oct 1 - Dec 31
------------------------------
Date: Fri, 02 Apr 93 22:31:52 -0500
From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin)
Subject: Untouchable (PC)
Date: Tue, 30 Mar 93 23:46:33 +0000
From: scotth@cs.umr.edu (Scott Hayes)
Subject: virus checking in the CMOS? (PC)
Also, (this may be related), how do UNTOUCHABLE and other non-scanner
anti-virus programs work?
- --------------------------------------------------------------------------
I have tested Untouchable, and recommend it.
With it's use of scanning, resident virus detector, and integrity
checking, it can detect the presence of new or unknown viruses.
Bill
- ---
* WinQwk 2.0 a#383 * SATURDAY THE 14TH activates Saturday 14th
------------------------------
Date: Sat, 03 Apr 93 16:34:52 +0000
From: btf57346@uxa.cso.uiuc.edu (Byron Faber)
Subject: Which CRC/scanner to use. (PC)
I currently use f-prot/virstop/ and Integrity master on my machine.
(a 386/40 pc). I was curios if anyone could give me their opinions
as to which scanner would be the best to use. I have been in a
high risk group for computer viruses and have found that Integrity
master's crc checks and f-prot's heuristic scans have done pretty well.
If anyone has opinions on my setup, or could suggest any other
alternatives please mail me.
Byron Faber
- --
Free Software Exchange: Support it!!!! (pgp2.1, questionable code, etc).
Using PGP2.1 on request. Ask for a file list or information on the exchange.
Internet: btf57346@uxa.cso.uiuc.edu & btf57346@sumter.cso.uiuc.edu
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 56]
*****************************************