home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
World_Of_Computer_Software-02-387-Vol-3of3.iso
/
v
/
vl6-025.zip
/
VL6-025.TXT
< prev
Wrap
Internet Message Format
|
1993-02-16
|
37KB
Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA17113; Fri, 12 Feb 1993 16:26:01 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA25992
(5.67a/IDA-1.5 for <mikael@abacus.hgs.se>); Fri, 12 Feb 1993 09:43:15 -0500
Date: Fri, 12 Feb 1993 09:43:15 -0500
Message-Id: <9302121354.AA11086@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #25
Status: RO
VIRUS-L Digest Friday, 12 Feb 1993 Volume 6 : Issue 25
Today's Topics:
The moderator is moving to a new address
Viruses in Warfare
Pundits and bandits
Re: Virus education
Re: New virus in Germany :-( (PC)
Re: New Virus (PC)
STONED update/additional info questions. (PC)
Notes about Sunday Virus (PC)
DOS undocumented switches... (PC)
F-prot/FSP/bootsum problem. Help! (PC)
Re: dame virus (PC)
Virus scan on a compressed drive (PC)
New way of opening files??? (PC)
Unknow Virus (PC)
Re: New virus in Germany :-( (PC)
MtE Infected... (PC)
latest CPS virus definition file sought (PC)
Warning: Michelangelo will return (PC)
UMB-1 (Tremor) (PC)
Re: Cascade & SCANV99 (PC)
Michelangelo origins (CVP)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 11 Feb 93 14:21:52 -0500
From: Kenneth R. van Wyk <krvw@cert.org>
Subject: The moderator is moving to a new address
VIRUS-L/comp.virus readers:
I'm going to be moving to a new location and a new job. Starting 1
March 1993, I'll be working for the Defense Information Systems Agency
(DISA) in Washington, DC (actually, Arlington, Virginia...). I fully
intend to keep VIRUS-L/comp.virus running at full steam, but please
bear with me during the transition period. While all of my old e-mail
addresses should continue to direct mail to me, I'll be getting a new
e-mail address at the new location. I've set up an interim account,
however, and will be moderating VIRUS-L from it for at least a few
weeks.
The new address is: krvw@first.org.
Once I have a permanent $HOME account at DISA, I may move the
moderation duties over to that, but for the meantime the above address
will be used for my VIRUS-L work.
I want to begin testing the new mechanism starting next week (15-19
February). None of you _should_ notice any change in service, but if
you do, please report it to me at krvw@first.org.
NOTE that the submission procedure will not change; you should still
post any submissions to VIRUS-L@LEHIGH.EDU, or post to the comp.virus
newsgroup. All submissions will be forwarded to the new moderator
address, as if by magic. :-)
Thanks to the National Institute of Standards and Technology (NIST),
who is graciously allowing me to use one of their systems, first.org,
for this purpose.
Cheers,
Ken
My soon-to-change .signature follows:
Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.ORG (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)
------------------------------
Date: Thu, 11 Feb 93 19:17:10 +0000
From: "George Guillory" <wk04942@worldlink.com>
Subject: Viruses in Warfare
In the past in this newsgroup there has been much discussion of the use
of viruses in the military. I have always believed that I saw
legitimate research in this area in the past. Well researching another
issue I came across the reference.
In the Procedings of the Fourth Annual Computer Virus and Security
Conference there is an article on pages 830-845 titled "Computer Viruses
in Electronic Warfare" by Dr. Myron L. Pratt and Stephen R. Pratt of
Booz, Allen and Hamilton.
Abstract included in the paper.
"Events of the last few years have demonstrated dramatically that
computer viruses are not only feasible but can quickly cause
catastrophic disruption of computer systems and networks.
Current trends in the development of military electronic systems have
significantly increased the vulnerability of these systems to computer
virus attack. This has created a new form of electronic warfare
consisting of the electronic insertion of computer viruse microcode into
a victim electronic system through direct or indirect mechanisms.
This paper discusses the application of computer virus techniques to
electronic warfare from a both an offensive and defensive perspective."
------------------------------
Date: Thu, 11 Feb 93 22:07:21 -0500
From: fergp@sytex.com (Paul Ferguson)
Subject: Pundits and bandits
On 7 Feb 93 (20:29:44 GMT), <bontchev@fbihh.informatik.uni-hamburg.de>
Vesselin Bontchev wrote -
VB> According to the latest information, six members of the ARCV
VB> group have been arrested. Perhaps this will stop them from
VB> writing viruses any more...
Well, it may stop them from authoring viruses, but unfortunately
virus "creationists" are like a pesky rodent infestation -- you
eradicate six of them and there are six (times two) that step in
to take their place.
I'm anxious to hear their punishment (if any). Hopefully the
participants of this list will keep us informed of any
interesting develpoments in this particular case.
Cheers from Washington, DC.
_____________________________________________________________________
Paul Ferguson | "The goal of all inanimate objects
Network Integration Consultant | is to resist man and ultimately
Alexandria, Virginia USA | defeat him."
fergp@sytex.com (Internet) | -- Russell Baker
sytex.com!fergp (UUNet) |
1:109/229 (FidoNet) |
PGP public encryption key available upon request.
- ---
fergp@sytex.com (Paul Ferguson)
Sytex Systems Communications, Arlington VA, 1-703-358-9022
------------------------------
Date: Fri, 12 Feb 93 08:24:02 -0500
From: Chip Seymour <CHIP@BDSO.Prime.COM>
Subject: Re: Virus education
> Re: Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
> Subject: What is safe to discuss?
> "How do we prevent the bad guys from getting educated?" I don't have
> a good answer to that, since bad guys have a right to attend schools
> like us good guys do. Personally, I believe strongly in censorship
> of some things, but I'm not yet convinced that censorship of
> virus-related information does much good.
I couldn't agree with Mr. Peters more, but I find that I am the one in
need of the education. It seems the Black Hats have a more advanced
knowledge of how to perpetrate computer crimes than we White Hats have
to properly protect electronic assets. WE'RE playing catch-up with
THEM.
BTW, all the talk over the definition of a virus is ok, but how do I
apply that to the protection of my work here? The viruses themselves
don't care - they just do what they're told.
Chip Seymour
Net Admin
Computervision Corp
Bedford MA
------------------------------
Date: 12 Feb 93 13:28:35 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New virus in Germany :-( (PC)
Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) writes:
> There's a new virus around in Northern Germany which was isolated on the
> Fachhochschule Braunschweig/Wolfenbuettel on Feb. 4, 1993. It was analyzed by
> Robert Hoerner and has the following characteristics:
> - - infects COM and EXE
> - - loves infecting COMMAND.COM on drive A:
More exactly, loves infecting the command interpreter - regardless
where it is. For instance, C:\DOS\4DOS\4DOS.EXE works just as well as
A:\COMMAND.COM.
> - - TSR in UMBs (!), stealth
> - - uses interrupt trace techniques
> - - slightly polymorphic, WHALE and FISH-like
Tested the following scanners: FindVirus 6.10 (Drivers of December 5,
1992); F-Prot 2.07; SCAN 100. Only F-Prot 2.07 detects the virus and
NOT reliably - some infected files are missed. I was told that S&S
International has created an external additional driver for their
scanner, that detects this virus; users of Dr. Solomon's Anti-Virus
ToolKit should contact them for more information.
> - - uses seconds-stamp for marking infections
> - - contains the encrypted text "T.R.E.M.O.R was done by NEUROBASHER /
> May-June'92, Germany" and "MOMENT OF TERROR IS THE BEGINNING OF
> LIFE"
> - - Length: exactly 4000 bytes
Some additional information:
1) The virus uses the following "Are you there?" call: INT
21h/AX=F1E9h, returns AX=CADEh. A program that intercepts that could
be used as poor man's defense.
2) The virus particularly targets the program VSAFE that comes with
Central Point Anti-Virus and MS-DOS 6.0 and disables it. I'm not
certain why it does that - the virus is tunnelling enough to bypass
monitoring software... Maybe the virus author just wanted to
demonstrate that he knows how to disable this particular program.
3) The virus is definitively in the wild in Germany. There is some
information that a large software distributor has shipped it with some
software, but we don't have confirmation yet.
> The virus is provisorically referenced as "UMB-1 (Tremor)", until a name has
> been officially constituted.
CARO name for this virus is Tremor.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 13:41:53 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Virus (PC)
Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:
> For someone who's not very smart, the Whale virus would sound like a
> good work- grounds, because it is fairly known that most of the virus
> code is dedicated to anti-debugging (which consequently made it very
> slowing), and that would aledgedly make it harded to detect.
First, for someone who's not very smart, the Whale virus will be too
difficult to understand, so they are more likely to go hacking yet
another Jerusalem variant. Second, Whale is -trivial- to detect - just
34 simple (i.e. non-wildcard) scan strings...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 11 Feb 93 12:23:59 -0700
From: CASTILLO@nauvax.ucc.nau.edu (Ulysses Castillo)
Subject: STONED update/additional info questions. (PC)
I want to thank the people who have responded with their ideas about
what might be happening. I also wanted to explain more clearly
the procedure we followed. Specifically:
1) Cold booted from a write-protected virus free disk.
2) Used SCAN v99 on C:, no virus was found in memory or on C:.
3) Inserted an infected floppy in B:.
4) Ran scan on b:. No virus found in memory, stoned virus found
in boot sector of B:.
5) Ran scan on B: again. Virus found in memory and in boot sector
of B:. (HOW???)
6) Reboot (cold boot, not control-alt-delete).
7) Inserted infected disk in B:.
8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector
of B:. Virus removed from B:.
9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT
found on B:.
Again, from these observations we are being led to believe that stoned
loaded itself into memory after a read operation on the infected disk.
Again, the documentation I've read on Stoned seem to indicate that
this is impossible. Alternately, it's been suggested that SCAN/CLEAN
can give false alarms on occasion. And to answer other questions
that have come up, disk caching was NOT on during this time, all
reboots were cold boots, and scan/clean.exe were located on C:.
Ideas?
Ulysses.
_____
Ulysses Castillo (aka Belgarion) Trr, lbh zhfg or n irel phevbhf crefba!
Castillo@nauvax.ucc.nau.edu
"And be assured, I am with you always, to the end of Time.", Matt. 28:20
------------------------------
Date: Thu, 11 Feb 93 17:09:07 -0500
From: "Mario Rodriguez (Virus Researcher)" <EM436861@ITESMVF1.RZS.ITESM.MX>
Subject: Notes about Sunday Virus (PC)
The virus Sunday is rather old, but is still on the wild. It hit on some Mexica
n Universities, but is not too diseminated. The version we have here is the
the original one (version A).
This virus is a simple non-encripting virus. It stays resident using interru
pt 21h service 31h (TSR). Because of this you can find the program from wich th
e virus get into memory in the list presented by the command 'MEM.EXE /P'. The
size showed in that list is 750h.
Sunday infects programs with extensions .COM, .EXE and .OVL as they are exec
uted. The .COM files grow 1,636 bytes, and files .EXE and .OVL grow between 1,6
36 and 1,647 bytes. They programs are NOT reinfected, the virus checks for the
signature 'C8 F7 E1 EE E7' at the end of the file. In programs .COM the origina
l program would be right before this signature.
The virus doesn't infect the COMMAND.COM or any program with this name. In d
isplacement 84h can be found the string "COMMAND.COM", which is the one that pr
events the infection of that program.
Sunday intercepts interrupts 21h (Dos services) and 8 (time of day), but the
last one is only intercepted if the year is different 1989. In any other year
the virus will activate on Sundays, and in that day 10 seconds after an infecte
d program is excecuted, th virus will 'teletype' the next message using interru
pt 10h (video services):
"Today is SunDay! Why do you work so hard?"
"All work and no play make you a dull boy!"
"Come on ! Let's go out and have some fun!"
The text above will keep apearing every 10 seconds. If you try to write a co
mmand and the text 'brakes' it appart it will still work. By that time ANY prog
ram tried to be run will be erased producing the error "Cannot execute 'filenam
e'". Before deleting, the virus will erase any attribute of the file, so a READ
ONLY attribute will be of no help.
In any day, executing programs in a write-protected diskette will look norma
l, becuase the virus intercepts for a moment interrupt 24h (error handler). To
get rid of the virus it would be enough to press CTRL-ALT-DEL and the virus wil
l be out of memory. Almost any vacsine can detect it and satetly remove it.
Recently, in Mexico has appeared a rumor about a new version of the Sunday v
irus that presents a diferent text and a strange sound instead of deleting file
s, but I have seen none of those. So,perhaps it's just an invention.
Any coments would be apreciated.
Mario Rodriguez (Virus Researcher)
Instituto Tecnologico de Estudios Superiores
de Monterrey. Campus Estado de Mexico.
em436861 at itesmvf1.cem.itesm.mx
em436861 at rsserv.cem.itesm.mx
------------------------------
Date: Thu, 11 Feb 93 17:30:18 -0500
From: Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
Subject: DOS undocumented switches... (PC)
Hi everybody.
I recently found a copy of the Compaq MS-DOS 5 Reference Guide as
published by Compaq Computer Corporation. Some of you have posted
on this forum that undocumented switches for several DOS commands
have been found in the MS-DOS 5 released by Microsoft (April 9,
1991 version).
Reviewing this book I found that the Compaq DOS 5 version documents
some of them.
Documented switches:
"FDISK /mbr"
Indicates that the master boot record is to be updated.
"FDISK /status"
Displays a list of all hard drives and partitions.
"VER /r"
Specifies that the revision number is to be displayed
along with a message, indicating whether DOS is loaded in
high or low memory.
Not documented switches:
"COMMAND /f" (included in the SHELL= command in CONFIG.SYS)
Makes an automatic (F)ail on "Abort, Retry, Fail?"
messages.
"FORMAT <d:> /backup"
I don't know its function, but when I ran it I got this
message: "Parameters not compatible with fixed disk".
I'm using an IDE 40Mb hard disk that uses sector
translation.
"FORMAT <d:> /select"
Unknown function, but it seems to do much besides
creating the files MIRROR.FIL and MIRORSAV.FIL for use
with UNDELETE and UNFORMAT commands.
"FORMAT <d:> /autotest"
Saves UnFormat information (by creating MIRROR.FIL and
MIRORSAV.FIL again) and verifies drive <d:>'s surface
without deleting information. This command fills the
boot record (NOT the master boot record) of hard drives
with null bytes... :-( So, if you try to boot from the
hard drive formatted in this way, you'll get the message
"Missing operating system" (thanx Norton's DiskTool.EXE,
I could restore it from my Rescue Diskette ;-).
Moreover, the MODE command has A LOT of new switches.
Regards,
Fabio.
PS: BTW, What the h... does "IMHO" mean?
[Moderator's note: The H in IMHO stands for "humble".]
PS2: Yesterday I was playing with McAfee's SCAN V100 just a bit...
When I issued the command "C>SCAN" with no parameters, I got
the usual help lines for the SCAN.EXE; however, when I issued
the command "C>SCAN /?" I got the help lines for NETSCAN.EXE.
Sometimes you can find some funny "bugs"...
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Fabio Esquivel Chacon * Computerize God - It's the new religion *
* fesquive@ucrvm2.bitnet * Program the Brain - Not the heartbeat *
* University of * * * * Virtual existence / Superhuman mind *
* Costa Rica * The ultimate creation / Destroyer of mankind *
* "Women, * Termination of our youth / For we do not compute *
* ____/| Music and * *
* \'o O' Computers * "Computer God" - Dehumanizer *
* =(_Q_)= drive me * Ronnie James Dio - Black Sabbath (1992) *
* U crazy..." * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
------------------------------
Date: Thu, 11 Feb 93 17:54:06 -0500
From: 92brown@gw.wmich.edu (THE EYES OF GO ARE WATCHING YOU)
Subject: F-prot/FSP/bootsum problem. Help! (PC)
I have a question regarding a problem I am having running Flushot and
F-prot 2.06 concurrently. (I have not yet updated to F-prot 2.07 or
FSP+). I have FSP configured so that it checks my bootsum when I boot
up. The value of the bootsum is not supposed to change, and never
does until I scan my drive with F-prot. After I finish scanning my
drive I get an alert from FSP saying my bootsum records do not match,
and then it shows the newly assigned value. I am confused about why
F-prot changes my bootsum when it scans my drive and if there is
anything I can do about it.
Should I simply disable FSP before I scan with F-prot, bear with the
problem and pretend it doesn't exist or break down and upgrade my
software?
By the way, my system is a IBM AT (100% compatible) running Stacker on
a 32m hard drive, and DOS 5.0.
Help if you can,
thanks.
- --
//////////////////////////////////////////////////////////
/ Sean Brown | /
/ Department of Anthropology | "The EYES in GO /
/ Western Michigan University | are Watching You" /
/ 92BROWN@GW.WMICH.EDU | /
//////////////////////////////////////////////////////////
------------------------------
Date: 11 Feb 93 16:20:00 -0800
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: dame virus (PC)
worley@a.cs.okstate.edu (WORLEY LAWRENCE JA) writes:
>A friend of mine has a 486 that recently crashed. After booting on a
>clean disk, I ran ScanV100 on it, and found that it had the Stoned
>virus. I cleaned it off, and ran scan again, only to find that it now
>had Michaelangelo virus. I ran clean again, this time with [Mich],
>and it reported that the virus had been cleaned off. However, after
>cleaning, ScanV100 still reported it was in the partition table, and
>the drive will still not boot. Both floppies in the computer are
>write protected and are virus-free. I have now run Clean c: [Mich]
>approx. 30 times, each time, it says it cleaned the drive, and then
>after rebooting, Scan still reports the virus is there. Any ideas?
This is a known problem, as Stoned and Michaelangelo both modify the boot
sector in similar ways. You'll need to recreate or relocate the boot
sector. Norton Utilities will probably help you locate the boot sector (it
may be absolute sector 3 or 7). If you have DOS 5, FDISK /MBR will
probably work. Otherwise, Padgett's fine program (whose name I've
forgotten) may help you.
- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; please mail anything important
------------------------------
Date: Mon, 08 Feb 93 14:13:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Virus scan on a compressed drive (PC)
> From: wongja@ecf.toronto.edu (WONG JIMMY PAK-YEN)
> I'm considering getting some sort of disk compression utility for my
> PC (such as Stacker). Are virus scan programs still able to detect a
> virus on a compressed hard drive? Presently, when I download some ZIP
Those programs user-transparent, and decompress on the fly. Since
most, if not all the scanners use standard DOS function calls to
access files, there is no reason for them not to work on compressed
media or any other device that has a transparent interface.
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
- ---
* Origin: MadMax BBS - Co-SysOp's Point. (9:9721/210)
------------------------------
Date: Tue, 09 Feb 93 14:48:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: New way of opening files??? (PC)
Hi
You quote:
> Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod
> Kedem) writes:
Nemrod is quating me:
>> > Why go so far? Did you here of writing to the disk via a port - instead
>> > of using standard interrupt method to write?
>> > I don't know of any A-V product that can monitor writing to ports,
>> > (unless it was a debugger that monitors every command that an
>> > application performs, and believe me: you don't want to use that!).
and adds:
>> More then that: A product like the one you described will only work on 386,
>> or higher, in protected mode....
> Well, there are several ways to spot writing to the
> disk port directly.
> Obviously, software-only methods would be limited in
> speed, which means
Isn't that what I said?...
> it is a good idea to have a dedicated machine for
> testing programs for
> viruses (and compatibility) as they come into an
> organisation.
Great idea.
> The methods are:
Here you list a list of debuggers, hardware tools and so to help you monitor
direct disk access. Obviously you are correct, but the main isue here was to
help anyone (not only an organization with capabilities) to think of a
solution to this problem. What you suggest is a bit too expensive for a user
to get, and he doesn't have the time nor the means to create a virus combat
Tank, (nor should he).
> Overall, I prefer viruses that do something out of the
> ordinary, like trying to
> write to disk ports, since they become easy to
> distinguish from valid software.
Me too, but life is different, don't you think?
> The big problem with viruses on PC's, at least, at the
> moment is that there is
> a large fuzzy area filled with programs (like Norton's
> DS and self-modifying
> executables) that bypass DOS in the same way that
> viruses do - you have to
> individually look at what they are doing and decide
> whether that is okay.
I wish it were the only problem.
> There are a few "clever" tricks like direct disk access that
> I genuinely hope virus
> writers will adopt - in place of yet-another-stoned-
> hack and so on, and I think
> that naming schemes which give too much glory to
> authors of slightly-changed
> viruses should be changed to reflect that fact it is
> just another hack of
> somebody else's idea. Even if string-scanners weren't
> being overtaken by virus
> technology, the sheer nuisance factor of hundreds of
> slightly new viruses is
> worth discouraging.
Personally I prefer that they will just stop writing viruses, or better yet
write usual ones that are easy to solve with generic methods like FDISK /MBR
or SYS or...
and let the PC users work without fear. Are you among those that will
secrifice the user's benefit for an academic interest?
> (Hopefully this will generate some interesting discussion!)
If that's what you were aming at... you got it.
Regards
* Amir Netiv. V-CARE Anti Virus, Head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Tue, 09 Feb 93 14:11:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Unknow Virus (PC)
PROPE4@ifens01.insa-lyon.fr (Arnaud Thomas) writes:
> I've got a problem with my computer . Sometimes ASCII
> files change . There
> is letters which become other . When I use SCAN , i
> find no viruses .
You probably have a hardware problem or a configuration problem of your
software. However some viruses tend to do just what you write. For example the
HAIFA virus will add some text to every *.DOC file that it meets, or the DBASE
virus will change dbase data files in a way only he knows and there are others.
I think it would be best to try to reconfigure your software or try to take
some files to another machine: if the other machine will try to show strange
symptoms, then you probably have a virus problem in your hands, otherwise its
probably what I explained above.
If you do not manage to solve it by yourself call
(1) 64 66 15 97 (Paris) mabe they can help you.
Good Luck...
Regards
* Amir Netiv. V-CARE Anti Virus, Head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: 11 Feb 93 22:06:27 -0500
From: eggo@STUDENT.umass.edu (Round Waffle)
Subject: Re: New virus in Germany :-( (PC)
ballerup@diku.dk (Per Goetterup) writes:
>Some of those words are from material by the Belgian techno/industrial
>band named 'Front 242'. "Neurobasher" is a B-side song from the
>"Tragedy For You" remix-maxisingle, and the sentence "Moment of terror
>is the beginning of life" is from the inner cover of their album
>"Front By Front" (I think).
This is mere semantics, but the Front 242 single I have lists
"Neurodancer" rather than "Neurobasher". Thus, the word "Neurobasher"
may not have come from Front 242, but rather some other musical (or
non-musical) source. I just wanted to clear this up in case someone
was perhaps trying to do a little viral pathology.
- --
+- eggo@titan.ucc.umass.edu Eat Some Paste -+
+- Yorn desh born, der ritt de gitt der gue, -+
+- Orn desh, dee born desh, de umn bork! bork! bork! -+
------------------------------
Date: Fri, 12 Feb 93 06:52:20 +0000
From: mdewaele@TrentU.CA (martin dewaele)
Subject: MtE Infected... (PC)
I have Norton Anti-Virus 2.1 and it has detected what is called the
MtE Infected virus. Yet the Repair function states that it is unable
to repair the infected file.
Does anyone happen to know what the virus is or the problem which is
creating this warning in Norton Anti-Virus.
I usually don't subscribe to this conference, but am now, so if it has
previously been discussed I apologize.
Martin Dewaele
------------------------------
Date: Fri, 12 Feb 93 03:52:12 -0500
From: simionat@unive.it
Subject: latest CPS virus definition file sought (PC)
I have CPS Antivirus software (original package) and I would like to
now if the latest virus definition files are available on the
Internet. I know they are posted by CPS to dialup BBS, but it's
somewhat trickier - and too expensive - if you're calling from Italy.
If someone has them, would be so kind to send them to me?
Please reply DIRECTLY, I'm not on this list. If someone asks for it, I
can later summarize the responses to the list.
___________________________________________________________________
Marco Simionato tel : 39 - (0)41 5225570
Dorsoduro 2408/B fax : 39 - (0)41 5225570
30123 Venezia, ITALY email: simionat@unive.it
___________________________________________________________________
------------------------------
Date: Fri, 12 Feb 93 10:23:10
From: <GHGAOAT@cc1.kuleuven.ac.be>
Subject: Warning: Michelangelo will return (PC)
We, a group of young informatics concerned with viruses, tried it out with
some infected floppy's we still had and Michelangelo is starting indeed on
March 6.
We also made another test and scanned several floppy's from not-professionel
users and on some of them, we've found Michelangelo.
So to be sure, scan your disk before March 6.
- ---> SJAMAYEE
______________________________________________________________________
GHGAOAT@CC1.KULEUVEN.AC.BE *******************************************
______________________________________________________________________
********************
* SJAMAYEE *
* P.O. BOX 1 *
* B-3370 BOUTERSEM *
* BELGIUM *
********************
_______________________________________________________________________
------------------------------
Date: Fri, 12 Feb 93 10:28:42
From: <GHGAOAT@cc1.kuleuven.ac.be>
Subject: UMB-1 (Tremor) (PC)
This virus was already discovered earlier somewhere in Belgium. Who, I don't
know, but someone passed me the information just before Newyear. And that info
was just the same as the one that Malte Eppert writes.
P.S. Ballerup.diku is talking about the origin of the words and as a Belgian,
I can affirm what he said.
- ---> SJAMAYEE
______________________________________________________________________
GHGAOAT@CC1.KULEUVEN.AC.BE *******************************************
______________________________________________________________________
********************
* SJAMAYEE *
* P.O. BOX 1 *
* B-3370 BOUTERSEM *
* BELGIUM *
********************
_______________________________________________________________________
------------------------------
Date: Fri, 12 Feb 93 14:53:29 +0000
From: julianh@sni.co.uk (Julian Haddrill)
Subject: Re: Cascade & SCANV99 (PC)
I too have had the same problem, with the 'FORM' virus.
Scanning and finding the virus caused it to infect my PC, and I had to
Clean the PC from a Write-Protected safe floppy with CLEAN on it.
You've just got to be careful out there!
Regards
Julian
------------------------------
Date: Thu, 11 Feb 93 14:57:15 -0800
From: rslade@sfu.ca
Subject: Michelangelo origins (CVP)
I've been a bit behind in keeping ahead of my columns. This past
week's research reminds me: it's that time of year again. Part 1 of
5.
HISVIRV.CVP 930210
Michelangelo Origins
Although disputed by some, Michelangelo is generally known by
researchers to have been built on, or "mutated" from, the Stoned
virus. The identity of the replication code, down to the inclusion
of the same bugs, puts this beyond any reasonable doubt. Any
"successful" virus inspires (if such a term can be used for the
unimaginative copying that tends to go on) "knock-offs":
Michelangelo is unusual only in the extent of the "renovations" to
the payload.
The Stoned virus was originally written by a high school student in
New Zealand. All evidence suggests that he wrote it only for study,
and that he took precautions against its spread. Insufficient
precautions, as it turns out: it is reported that his brother stole
a copy and decided that it would be "fun" to infect the machines of
friends.
Reporting on the "original" state of a virus with as many variants
as Stoned is difficult. For example, the "original" Stoned is said
to have been restricted to infecting floppy disks. The current most
common version of Stoned, however, does infect all disks. It is an
example of a second "class" of boot sector infecting viri, in that
it places itself in the master boot record, or partition boot
record, of a hard disk instead of the boot sector itself. In common
with most BSIs, Stoned "repositions" the original sector in a new
location on the disk. On hard disks and "double density" floppies
this generally works out: on high (quad) density floppies system
information can be overwritten, resulting in a loss of data. One
version of Stoned (which I do not have) is reported not to infect
3.5" diskettes: this is undoubtedly the template for Michelangelo
since it doesn't infect 3.5" disks either.
Stoned is an extremely simple virus. Its length is less than 512
bytes, and it requires no more space than the original boot sector.
It is extremely infective, and also, in viral terms, extremely
successful. Stoned is definitely the most "common" (in terms of
number of infections) virus at present. If all variant members of
the Stoned family are included, all my research, and all published
studies that I have seen, indicate that this family accounts for
more infections than all other viral programs combined.
Stoned has "spawned" a large number of "mutations" ranging from
minor variations in the spelling of the "payload" message to the
somewhat functionally different Empire, Monkey and No-Int
variations. Interestingly, only Michelangelo appears to have been
as "successful" in reproducing, although the recent rise in Monkey
reports is somewhat alarming.
copyright Robert M. Slade, 1992 HISVIRV.CVP 930210
=============
Vancouver ROBERTS@decus.ca | "The client interface
Institute for Robert_Slade@sfu.ca | is the boundary of
Research into rslade@cue.bc.ca | trustworthiness."
User p1@CyberStore.ca | - Tony Buckland, UBC
Security Canada V7K 2G6 |
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 25]
*****************************************
