- From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
- Errors-To: krvw@CERT.SEI.CMU.EDU
- To: VIRUS-L@IBM1.CC.LEHIGH.EDU
- Path: cert.sei.cmu.edu!krvw
- Subject: VIRUS-L Digest V5 #13
- Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
- --------
- VIRUS-L Digest Thursday, 23 Jan 1992 Volume 5 : Issue 13
-
- Today's Topics:
-
- Re: QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC)
- Reply to Smulders-virus found? (PC)
- FixMBR and very large disks - potential problem (PC)
- re: SBC? (PC)
- Michelangelo & (some) Zeniths (PC)
- Re: Novell Viruses (PC)
- Unknown Virus? (PC)
- Flip virus (PC)
- Virus found: Flip (PC)
- Re: NCSA has tested Antivirus Programs (PC)
- Re: Trojan definition? Special case
- Need some simple statistics
- Antivirus Methods Congress
- Re: Report: 8th Chaos Computer Congress
- Re: Gulf War Virus & "Softwar"
- FLASH Virus
- Re: New Antivirus Organization Announced
- program update from Padgett Peterson (PC)
- F-PROT 2.02 now available (PC)
-
- VIRUS-L is a moderated, digested mail forum for discussing computer
- virus issues; comp.virus is a non-digested Usenet counterpart.
- Discussions are not limited to any one hardware/software platform -
- diversity is welcomed. Contributions should be relevant, concise,
- polite, etc. (The complete set of posting guidelines is available by
- FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
- with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
- (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
- Information on accessing anti-virus, documentation, and back-issue
- archives is distributed periodically on the list. Administrative mail
- (comments, suggestions, and so forth) should be sent to me at:
- krvw@CERT.SEI.CMU.EDU.
-
- Ken van Wyk
-
- ----------------------------------------------------------------------
-
- Date: Wed, 22 Jan 92 05:29:34 +0000
- From: mcafee@netcom.netcom.com (McAfee Associates)
- Subject: Re: QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC)
-
- Hello Jim Hendee,
-
- You should be able to load VSHIELD V85 high with QEMM V5.1 by running
- VSHIELD with the /LH option. You shouldn't use the LOADHI program.
-
- Regards,
-
- Aryeh Goretsky
- McAfee Associates Technical Support
- - --
- - - - -
- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business)
- 4423 Cheeney Street | FAX (408) 970-9727 | "Welcome to the alligator
- Santa Clara, California | BBS (408) 988-4004 | farm..."
- 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
- ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 11:34:50 +0100
- From: overdijk@ECN.NL
- Subject: Reply to Smulders-virus found? (PC)
-
- Dear Bert Plat,
-
- On "Thu, 16 Jan 92 14:21:47" you wrote in digest 5-010 :
-
- > "Tangram finds virus:
- >
- > Tangram in Utrecht (NL) warns about the recently found 'Smulders'-virus.
- > This virus renames all directories up to two levels deep to
- > Criminal.XXX.
-
- Yes, that is the same new Dutch virus (Ultimate Weapon) reported by me
- in VIRUS-L digest 5-004 :
-
- >> I've got a friend with a possible virus on his disks...
- >> SCANV85 doesn't detect this beast. He has a HISCREEN 386sx
- >> machine. I haven't seen the problem myself, but after discussion
- >> I understood the following:
- >>
- >> Symptoms:
- >> - It appears that the 'virus' is activated after january 1-st, 1992
- >>
- >> - After boot, a message is displayed:
- >>
- >> +-------------------------------------------+
- >> ! The Ultimate Weapon has arrived, !
- >> ! please contact the nearest police station !
- >> ! to tell about the illegal copying of you !
- >> +-------------------------------------------+
- >>
- >> (Yes, I had a 'printscreen' of the message)
- >> (No, I don't know if he has an illegal copy of a program ;-))
- >>
- >> - System hangs.
- >>
- >> - After boot from floppy in A: he found ALL his files and directories
- >> in the root and next directory-level renamed to CRIMINAL.001,
- >> CRIMINAL.002, CRIMINAL.003 ..... etc.
-
- I've had contact with my friend, he could reproduce the problem...
- The virus was found in COMMAND.COM of a MS-DOS 5.0 system.
- COMMAND.COM has grown with 2601 bytes. A 'grep' on COMMAND.COM didn't
- find the string 'Ultimate', probably the message is encrypted. This
- virus is of the 'stealth' type (original size of COMMAND.COM is shown
- when a 'DIR' is done on the infected system).
-
- After I recovered from a (flu-)virus myself, I heard that our
- local representative of McAfee Associates (CPU Communications) was
- already notified about this virus (by someone else...). They told
- that the next version of SCAN will be able to recognize the new virus.
- They even supplied the virus signature (MF00EVKUR). However I don't
- know how to feed SCAN with this signature, SCAN expects a hexadecimal
- string... maybe some of the readers can help me with that.
-
- Greetings,
- Harrie Overdijk Internet : overdijk@ecn.nl
- ECN - Petten BITNET : not any more
- The Netherlands Noisenet : ++31-2246-4597
- Europe Fidonet : 2:500/43.1902 (At home!)
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 08:51:13 -0500
- From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
- Subject: FixMBR and very large disks - potential problem (PC)
-
- I have identified the *possibility* for an adverse reaction
- between FixMBR and disks having sector sizes larger than 512 bytes. I
- have never seen one but believe that there are some in use, primarily
- with very large older disks (over 300 Mb). FixMBR v2.4 corrects this
- potential problem.
-
- Theoretical Symptoms: Following FixMBR22 use, system will not boot from hard
- disk but will from floppy. Use of MBR80 restores system
- (see documentation). Alternate recovery would be to
- use DOS 5.0 FDISK/MBR or FixMBR24.
-
- Again, I have never seen this happen nor have I ever received
- a report of such but *think* it *might* be possible & cannot test.
- Those most common disks used in PCs (MFM, RLL, IDE, SCSI) have
- standard 512 byte sectors and are not affected. In any event, FixMBR
- v2.4 *should* handle everything.
-
- Warmly,
- Padgett
-
- ------------------------------
-
- Date: 22 Jan 92 11:06:42 -0500
- From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
- Subject: re: SBC? (PC)
-
- >From: kenm@maccs.dcss.mcmaster.ca (...Jose)
- >
- > Does anyone know anything about a virus that McAfee SCAN
- >reports as SBC?
-
- SBC is a resident infector of files that are executed, and COM, EXE,
- and OVL files that are opened. The first time an infected program is
- run, it will try to infect the command interpreter (COMSPEC=, or
- COMMAND.COM). It infects both COM and EXE format files. It is
- "length-stealthed", in that if the virus is in memory the DIR command
- will show the old, uninfected lengths. It sets the seconds field of
- infected files to 0x1F (==62), as usual. It doesn't seem to have any
- payload. Since it infects files that are opened, scanning your system
- with the virus in memory, using a scanner that doesn't know about the
- virus, will tend to infect every file in your system... DC
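Added example, not from David Chess's post or any McAfee tool: a small Python checker that decodes the DOS FAT directory-entry time word and flags entries carrying the 62-second (0x1F) marker described above. The directory entries are constructed inline; on a real machine the raw directory sectors would have to be read after a clean floppy boot, since with the virus resident the lengths shown (and possibly the timestamps) are stealthed.

```python
import struct
from dataclasses import dataclass

# Layout of a 32-byte DOS FAT directory entry (DOS 3.x and later):
# 8.3 name, attribute byte, 10 reserved bytes, time, date, first cluster, size.
ENTRY_SIZE = 32
ENTRY_FMT = "<11sB10sHHHI"

# SBC (per the description above) sets the 5-bit seconds field to 0x1F,
# which decodes to 62 seconds. A legitimate timestamp never exceeds 58,
# so 62 serves the virus as an "already infected" mark and serves us as a hint.
MARKER_SECONDS = 62


@dataclass
class DirEntry:
    name: str
    attr: int
    hours: int
    minutes: int
    seconds: int
    size: int


def decode_dos_time(time_word: int) -> tuple:
    """Split a packed DOS time word into (hours, minutes, seconds)."""
    hours = (time_word >> 11) & 0x1F
    minutes = (time_word >> 5) & 0x3F
    seconds = (time_word & 0x1F) * 2      # stored with 2-second resolution
    return hours, minutes, seconds


def encode_dos_time(hours: int, minutes: int, seconds_field: int) -> int:
    """Pack a DOS time word; seconds_field is the raw 5-bit value (0..31)."""
    return (hours << 11) | (minutes << 5) | (seconds_field & 0x1F)


def parse_entry(raw: bytes) -> DirEntry:
    name, attr, _reserved, time_word, _date, _cluster, size = struct.unpack(ENTRY_FMT, raw)
    base = name[:8].decode("ascii").rstrip()
    ext = name[8:].decode("ascii").rstrip()
    hours, minutes, seconds = decode_dos_time(time_word)
    return DirEntry(f"{base}.{ext}" if ext else base, attr, hours, minutes, seconds, size)


def parse_directory(blob: bytes) -> list:
    """Walk raw directory sectors: stop at the first never-used slot, skip deleted ones."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:          # end of directory
            break
        if raw[0] == 0xE5:          # deleted entry
            continue
        entries.append(parse_entry(raw))
    return entries


def suspicious_entries(entries: list) -> list:
    """Entries carrying the 62-second marker; a hint worth scanning, not proof of infection."""
    return [e for e in entries if e.seconds == MARKER_SECONDS]


# ---- constructed sample directory (made up for this example, not real data) ----
def make_entry(base: str, ext: str, time_word: int, size: int) -> bytes:
    raw_name = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    date_word = (12 << 9) | (1 << 5) | 1          # 1992-01-01 in DOS date format
    return struct.pack(ENTRY_FMT, raw_name, 0x20, b"\x00" * 10, time_word, date_word, 2, size)


SAMPLE_DIR = (
    make_entry("COMMAND", "COM", encode_dos_time(12, 0, 0), 47845)     # 12:00:00, clean
    + make_entry("EDIT", "EXE", encode_dos_time(17, 45, 29), 413)      # 17:45:58, clean
    + make_entry("VICTIM", "EXE", encode_dos_time(9, 30, 0x1F), 8192)  # 09:30:62, marked
    + b"\x00" * ENTRY_SIZE                                             # end-of-directory slot
)

if __name__ == "__main__":
    # Run this over directory sectors read after a clean floppy boot; with the
    # virus resident, the DOS calls it hooks return stealthed values.
    for entry in suspicious_entries(parse_directory(SAMPLE_DIR)):
        print(f"{entry.name}: seconds field = {entry.seconds}, size = {entry.size}")
```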
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 11:09:10 -0500
- From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
- Subject: Michelangelo & (some) Zeniths (PC)
-
- >From: Michael_Kessler.Hum@mailgate.sfsu.edu
-
- >I had a Zenith 386 SX machine infected. When booting up with the
- >infected diskette, I get a "Disk read error" message. When I reboot
- >off the hard disk, I get a "Unable to read boot code from partition"
- >message, and the computer is disabled unless I boot off the floppy.
-
- Not surprising since some versions of Zenith's operating system expect
- the MBR code to follow the specifications. Most other OSes do not
- expect help and will boot anyway.
-
- >If I run a CHKDSK, I still get 655360 bytes total memory.
-
- Well, you booted off an uninfected floppy so the virus is not resident.
- The CHKDSK test detects Mich when memory resident.
-
- >xxx recognizes the existence of the virus but will not remove it.
-
- Well either copy sector 7 back to sector 1 or try FixMBR24 (will let
- you do the same thing).
- Warmly,
- Padgett
-
- padgett%tccslr.dnet@mmc.com
-
- "Usual Disclaimers Apply"
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 11:23:57 -0700
- From: kev@inel.gov (Kevin Hemsley)
- Subject: Re: Novell Viruses (PC)
-
- Doug Eckert <75140.1550@CompuServe.COM> writes:
-
- >I'm interested in obtaining a (believable) list that says which
- >viruses infect and/or spread through Novell local area networks,
- >and what effects they cause (error messages and the like).
-
- The basic rule is only file infecting viruses can propagate on a
- network. This includes the file infecting characteristics of
- multi-partite viruses. Because of NetWare's redirection of BIOS and
- DOS interrupts, normal BSI viruses cannot infect a NetWare file server
- from a workstation. Linking viruses also cannot propagate using
- NetWare as there is no DOS directory entry to modify.
-
- >Only two of the five viruses tested, 1701 and Invader, proved
- >capable of circumventing the file attributes set by the Novell
- ^^^^^^^^^^^^^^^
- There is a clear distinction between NetWare RIGHTS and ATTRIBUTES.
- ATTRIBUTES are an emulation and an extension of regular DOS file
- attributes. All DOS attributes (or NetWare ATTRIBUTES which exactly
- emulate DOS attributes) can be changed by viruses. Viruses can
- therefore bypass certain NetWare attributes. There are only two
- NetWare ATTRIBUTES which prohibit viral infection, they are EXECUTE
- ONLY and surprisingly, SYSTEM. The SYSTEM NetWare ATTRIBUTE does not
- perfectly emulate the DOS system attribute, and does not permit viral
- infection. The 1701 virus used in your test CANNOT infect a file
- protected by the NetWare SYSTEM ATTRIBUTE but it will zip right past a
- DOS system attribute.
-
- RIGHTS are NetWare's own security implementation and provide
- substantial protection against viruses. Viruses cannot directly alter
- assigned effective RIGHTS. However, assigned RIGHTS can be overridden
- through the use of the SUPERVISORY RIGHT. The SUPERVISORY right
- supersedes any restrictions placed on subdirectories or files with an
- inherited rights mask.
-
- >While successful at infecting C:\TESTEXEC files, repeated efforts
- >to get Jerusalem-B, 4096 and Whale to infect network files - to
- >which the user had all rights - were unsuccessful.
-
- There are some viruses, such as 4096, which do very well on
- stand-alone systems, but can't properly infect files stored on a
- NetWare shared volume. In fact, attempting to copy a 4096 infected
- file from an infected workstation to a NetWare volume will disinfect
- the file. This is because of the stealth activities of 4096 and
- NetWare's redirection of interrupts. The 4096 uses single-stepping to
- determine the original interrupt 21h and place its code. Since
- NetWare redirects this type of call, 4096 is unable to infect files
- stored on the server.
-
- I hope this helps.
-
- - --
- - -------------------------------------------------------------------------------
- Kevin Hemsley |
- Information & Technical Security | If you think that you have someone
- Idaho National Engineering Laboratory | eating out of your hand, it's a
- (208) 526-9322 | good idea to count your fingers!
- kev@inel.gov |
- - -------------------------------------------------------------------------------
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 18:33:05 +0000
- From: cksvih01@ulkyvx03.louisville.edu
- Subject: Unknown Virus? (PC)
-
- My brother was installing an expanded memory manager he had
- legitimately purchased and found what he thought was a virus. Upon
- rebooting the system, the following message flashed across the screen:
-
- Look out! Buy direct from Bob and Steve!
-
- He took the disk in and scanned it using McAfee's SCAN, but nothing
- turned up. Is this a virus, or maybe just an extra tossed in by the
- software designers?
-
- ------------------------------
-
- Date: Thu, 23 Jan 92 02:38:29 +0000
- From: jeremy@quest.har.sunysb.edu (Jeremy Wohl)
- Subject: Flip virus (PC)
-
- Hello,
-
- Anybody heard of the Flip virus and how to get rid of it? A friend
- from Spain is convinced his machine is infected with this virus.
-
- thanks.
-
- - -jeremy
- jeremy@quest.har.sunysb.edu
-
- ------------------------------
-
- Date: 23 Jan 92 14:05:52 +0700
- From: Pim Clotscher <CLOTSCHER@hb.fgg.eur.nl>
- Subject: Virus found: Flip (PC)
-
- L.S.,
- Today, 23 January 1992 we found one (1) PC infected with the flip-
- virus [Flip]. It was reported by McAfee's VSHIELD v77 being resident
- at that PC after boot-up.
-
- First booted from a clean MS-DOS 3.30 system disk.
- Scan with McAfee's SCANv85 resulted in three infected 'files'.
- 1. a general partitiontable infection [GenP]
- 2. VSHIELD.EXE, externally infected LZEXE compressed file [Flip]
- 3. COMMAND.COM [Flip]
-
- We were able to remove the infections in two passes, the first one
- for the [GenP], the second for both [Flip]. Thank you, McAfee!
-
- The Infected PC is one out of 16 in a public student facility, all
- being a workstation in a Novell Netware 3.11 network. The route of
- infection is unknown, but we think the infection took place through
- running infected .EXE file(s) from a user's floppy disk. No other
- PC's were infected so far, but as long as the infected floppy
- circulates, there is a potential for re-infection (alas...).
-
- The Erasmus University Rotterdam is a legal user of McAfee's
- SCAN/CLEAN/VSHIELD through a negotiated licence mediated by the Dutch
- SURFnet organization in Utrecht, the Netherlands.
-
- Sincerely,
-
- ------------------------------
-
- Date: Thu, 23 Jan 92 16:54:00 +0200
- From: Y. Radai <RADAI@HUJIVMS.BITNET>
- Subject: Re: NCSA has tested Antivirus Programs (PC)
-
- Vesselin Bontchev writes:
-
- >There are currently several products, which claim to add a
- >"self-disinfecting" envelope to other programs: I have only McAfee's
- >FShield, but have heard about at least three more - The Untouchable,
- >something from Central Point Software, and a product under
- >development, which I discuss with someone from Bogota, Colombia (if I
- >remember correctly, else - sorry)
-
- Sorry, that's not accurate. F-Shield (now called File Protector and
- no longer associated with McAfee) does indeed add a self-disinfecting
- envelope to other programs, but Untouchable certainly does not. It
- keeps all the disinfectant info in a central database. (It does check-
- sum itself before checking other files and warns you if it has been
- modified, but it does not *disinfect* itself on the fly as described
- in your quote from Frisk.)
-
- Y. Radai
- Hebrew Univ. of Jerusalem, Israel
- RADAI@HUJIVMS.BITNET
- RADAI@VMS.HUJI.AC.IL
-
- ------------------------------
-
- Date: 21 Jan 92 22:18:27 +0000
- From: vail@tegra.com (Johnathan Vail)
- Subject: Re: Trojan definition? Special case
-
- hagbard@ark.abg.sub.org (Ralf Stephan) writes:
-
- I heard there was a collection for a FAQ list. Maybe this question
- belongs to it: What is the exact definition for "trojan"?
-
- The definition I have in my glossary is:
- ________________
- trojan (horse) - This is some (usually nasty) code that is added to,
- or in place of, a harmless program. This could include many viruses
- but is usually reserved to describe code that does not replicate
- itself.
- ________________
-
- [Moderator's note: Thanks for the FAQ submission. I'm continuing to
- put submissions in as they arrive. As soon as we have a critical mass
- of Q's and A's, I'll post a "beta" FAQ for everyone to review and
- comment on. BTW, I've gotten a number of suggestions on how/when I
- should distribute the FAQ - thanks to all. Comments and suggestions
- are welcomed.]
-
- I would like to present you a special case where I would say,
- this is one, and I'm very interested in your opinion.
-
- Some week ago, someone uploaded a program in a BBS where
- anonymous uploading is possible. The program description given
- had some attributes that were sufficient to make the program a
- widely downloaded one. Keywords were: "sex","porno" et cetera...
- Admittedly, the author did all he could not to say what the program
- really was for.
-
- What the program did: It asked the user to free 20MB of hard
- disk space (if not already free), created a file with that length
- fully filled with "6"es and stuffed it on the screen. This should
- apparently be a joke since in German the words for "sex" and for
- the number 6 are spoken the same way. So the program actually
- intended no damage, but some users with small hard disks had
- problems with Murphy's law when freeing the space (they deleted
- files, you know).
-
- The story still is not ended because the program writer later
- claimed it to be a "scientific experiment"...
-
- So, is this a trojan or not? Where is the border between "damaging"
- and "not damaging"? Is it sufficient for a program to be a trojan
- if it does not what it says or intends?
-
- I would say not. It didn't masquerade as another program or hide
- itself as part of another program.
-
- Damaging or not is not part of the definition. I would label it a
- stupid immature prank, shun the author and forget about it.
-
- And BTW, anyone who would download an untested program and follow
- "suspect" instructions like that based on keywords like "sex" and
- "porno" is just asking for trouble. Some might suggest that these
- people got what they deserved.
-
- jv
-
- "The time of day is no secret, but Apple still doesn't
- deserve the time of day." - RMS
- _____
- | | Johnathan Vail vail@tegra.com (508) 663-7435
- |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet)
- ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)
-
- ------------------------------
-
- Date: 22 Jan 92 06:22:16 +0000
- From: spaf@cs.purdue.edu (Gene Spafford)
- Subject: Need some simple statistics
-
- I am trying to do some simple calculations regarding the appearance of
- new viruses for the PC. In particular, I need some information on:
- * how many new viruses appeared on the scene in 1990?
- * how many new viruses appeared in the first half of 1991?
- * how many new viruses appeared in the second half of 1991?
-
- If you believe you have a reliable source for any of these figures,
- please MAIL me your figures along with your source. Please specify if
- your numbers are for distinct viruses, or for variants too. I will
- summarize the answers I get back to this list.
-
- Thanks in advance.
-
- - --spaf
- - --
- Gene Spafford
- NSF/Purdue/U of Florida Software Engineering Research Center,
- Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398
- Internet: spaf@cs.purdue.edu phone: (317) 494-7825
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 10:35:20 -0500
- From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
- Subject: Antivirus Methods Congress
-
- It is real & I have been asked to be a part of it (was waiting
- to make sure that it was going to be not-for-profit). IMHO this type
- of organization is something that we have been needing in this country
- just like we need a national virus/anti-virus testing facility. Since
- NIST has decided not to take an active role in the PC community (at
- least that was how I interpreted Dennis's talk at the NCSA luncheon),
- there is a definite vacuum.
-
- Since the criteria for proper testing has gone beyond what I
- have available in my Den Closet (though now equipped with a network),
- and the magazines are apparently unable to provide such testing. We
- NEED a proper non-profit public testing and communicating
- organization.
-
- With March 6th fast approaching, I suspect that Dick is acting
- in the best Kanban possible. It is not going to be perfect, it is
- going to make misteaks, it is not going to make everybody happy 8*(,
- but it is necessary and I intend to support it.
-
- Now keep in mind that Dick is a NewYorker so one must make
- allowances but he and Judy have done an excellent job in conducting
- the International Virus and Security Conference (March 12 & 13 this
- year - plug) which will be concurrent with the first meeting of the
- AMC. "Well, let's just see..." (_The Legend & the Mission_ (C) 1989
- Pontiac Motor Div GMC).
-
- Warmly now but in San Antonio (IMHO the nicest city in
- America that's hard to get to) tomorrow,
-
- Padgett
- padgett%tccslr.dnet@mmc.com
-
- (usual disclaimers apply)
-
- ------------------------------
-
- Date: 17 Jan 92 11:24:00 +0000
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Report: 8th Chaos Computer Congress
-
- Eric_Florack.Wbst311@xerox.com writes:
-
- > The following message was copied from RISKS-L. Of particular interest to
- > VIRUS-L reader will be where the writer inserts 'comment #1'. That such
-
- Yep... The review is from my boss, Prof. Klaus Brunnstein, who is the
- head of the Virus Test Center at the University of Hamburg. I'll add
- just a few corrections.
-
- > Remark #1: recent events (e.g. "Gulf hacks") and material presented on
- > Chaos Congress '91 indicate that Netherland emerges as a new European center of
- > malicious attacks on systems and networks. Among other potentially harmful
-
- Yeah, we all have a bit of luck that Bulgaria does not have -wide-
- access to computer communications... :-)
-
- > information, HACKTIC #14/15 publishes code of computer viruses (a BAT-virus
- > which does not work properly; "world's shortest virus" of 110 bytes, a
- > primitive non-resident virus significantly longer than the shortest resident
- > Bulgarian virus: 94 Bytes). While many errors in the analysis show that the
-
- Correction. The published "shortest virus" is in fact the shortest
- (they believe) non-overwriting non-resident COM-file infector for
- MS-DOS. It is 109 bytes, not 110. It was published in both source and
- hex dump. The hex dump has obviously been entered by hand from an
- assembly listing of the source, and by an inexperienced person, on the
- top of that, that's why it is extremely buggy and will not work. The
- source works perfectly, however, if assembled.
-
- The shortest virus in the same class (Prof. Brunnstein is wrong here -
- it is non-resident) is indeed Bulgarian and is indeed 94 bytes only.
- However, it contains an undocumented instruction (POP CS), which works
- only on 8086/8088 processors (not above).
-
- > authors lack deeper insight into malware technologies (which may change), their
- > criminal energy in publishing such code evidently is related to the fact that
- > Netherland has no adequate computer crime legislation. In contrast, the advent
-
- Indeed, the lack of legislation leads to creation of computer viruses,
- as my Bulgarian experience tells me... :-)
-
- > not all topics have been reported. All German texts are available from the
- > author (in self-extracting file: ccc91.exe, about 90 kByte), or from CCC
- > (e-mail: SYSOP@CHAOS-HH.ZER, fax: +49-40-4917689).
-
- Just a moment!!! We already got a HUGE amount of requests, so we are
- unable to send the proceedings by e-mail. Those of you who have ftp
- access can get them from ftp.informatik.uni-hamburg.de [134.100.9.29],
- directory /pub/virus/texts, file ccc91.zip. Just don't forget that the
- texts are in German. If anybody volunteers to translate them into
- English, we'll appreciate that. Please, upload anything virus-related
- to the directory /pub/virus/incoming, *not* to the directory
- /incoming.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
- Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 10:04:40 -0700
- From: jrbd@craycos.com (James Davies)
- Subject: Re: Gulf War Virus & "Softwar"
-
- RTRAVSKY@corral.uwyo.edu (Rich Travsky) writes:
- >Regarding the Gulf War virus: Anyone remember the book "Softwar", by
- >Thierry Breton and Denis Beneich? Came out in 1984. Been a while since
- >I read it, goes something like this: The U.S. allows the Soviets to
- >buy a super-computer. The chips were, uh, slightly modified. Or
- >something like that. You can guess the rest. Fair reading as I recall.
-
- I didn't read this book, but I remember seeing reviews and looking at
- it in a bookstore. The inane, implausible plot was that the US
- allowed the USSR to smuggle a Cray-something into their country, and
- that as soon as a particular weather condition came up in the weather
- program (that all Crays run all the time, of course, even ones
- doing codebreaking in the Soviet Union), it started taking over all of
- the other computers in the country. Interoperability at its finest.
- What I found especially laughable in the promotions for the book was
- that one of the authors was described as some sort of incredible
- computer genius, thus enhancing the plausibility of the book's
- scenario. I suspect that the guy had a C64 that he used to play video
- games, given the deep technical understanding that the book appeared
- to show...
-
- >Too bad the Gulf War version seems to an April Fool's story. (We
- >coulda had a sequel to the book!)
-
- Heaven forbid.
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 11:54:32 -0700
- From: kev@inel.gov (Kevin Hemsley)
- Subject: FLASH Virus
-
- p1@arkham.wimsey.bc.ca (Rob Slade) writes:
-
- >"Upgradeable" means the *user* can update (*change*) his BIOS from a
- >program distributed on a floppy or other media. The danger of flash
- >EAPROMs is a real area of concern and should not be taken lightly.
-
- >True, they have not hit the marketplace yet but figure:
-
- Correction, Flash EPROM BIOS are on the market and have been for
- several months now. An EISA board designed by Anigma and marketed by
- Swan Technologies is for sale at your local mail order catalogue.
-
- >This is the danger to be considered but fortunately it has been. The
- >following things can/are being done:
-
- >* hardware enable of reprogramming (switch/jumper plug, etc)
-
- According to Swan's technical support the BIOS are upgraded by
- "software-only, no hardware."
-
- >Most importantly is that different vendors are implementing their own
- >hardware and the lack of a "standard" should prevent any flash virus
- >from having a large enough culture to thrive in.
-
- I agree that because of proprietary differences, and the fact that
- most machines today do not have Flash EPROM BIOS, BIOS modifying
- viruses will not become a significant issue. Although I have no doubt
- that someone will probably try, "just for the fun of it." :(
-
- - -------------------------------------------------------------------------------
- Kevin Hemsley |
- Information & Technical Security | If you think that you have someone
- Idaho National Engineering Laboratory | eating out of your hand, it's a
- (208) 526-9322 | good idea to count your fingers!
- kev@inel.gov |
- - -------------------------------------------------------------------------------
-
- ------------------------------
-
- Date: 22 Jan 92 23:36:24 +0000
- From: spaf@cs.purdue.edu (Gene Spafford)
- Subject: Re: New Antivirus Organization Announced
-
- Here is a description of the Antivirus Methods Congress, direct from
- Dick Lefkon himself (along with a paragraph about who Dick is):
-
- Dick Lefkon (dklefkon@well.sf.ca.us) is 1991-1992 President of
- Antivirus Methods Congress. His term of office ends spring 1992. He
- is program chair of the FIFTH INTERNATIONAL COMPUTER VIRUS & SECURITY
- CONFERENCE to be held March 11-13 at the Loews Summit and Marriott in
- New York. Dick was asked to do the setup work for AMC in 1991 since
- he had helped to start five of the eight SIGs at Data Processing
- Management Association. Of four clearance levels (researcher, vendor,
- user practitioner, lay user), Dick ranks himself as a user
- practitioner.
-
- AMC was established to unite all constituencies in the struggle to
- slow and eventually overcome the onslaught of malevolent code.
- Specific committees for University Users, Corporate Users, Government
- Users, Vendors, Telecom Users, and Non-DOS users have directly elected
- chairs and make sure their constituencies receive proper liaison and
- are not inadvertently ignored by the joint effort. AMC does not
- endorse any product or course.
-
- Action Committees of AMC include Identification/Classification, Legal,
- Credentials (includes clearance for virus swapping), Nonproliferation
- (protections in swapping), Research Methods and possible others. AMC
- acts as a "frontend" for existing centers and efforts, a single
- well-known referral point that the uninitiated user can contact with a
- need and be sent directly to one or more existing parties. AMC
- "harmonizes" with other ongoing efforts and does not attempt to
- supplant any. No dues until spring vote, then $5 or $10 US
- thereafter. Quarterly or monthly thin newsletter (no scholarly
- journal), with most productive committee work done via existing e-mail
- and donated forum space.
-
- Membership by sending name, address, e-mail and phone and saying
- you hereby declare yourself a member. Name your classification
- if it's clear to you.
- - --
- Gene Spafford
- NSF/Purdue/U of Florida Software Engineering Research Center,
- Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398
- Internet: spaf@cs.purdue.edu phone: (317) 494-7825
-
- ------------------------------
-
- Date: Wed, 22 Jan 92 07:37:00 -0500
- From: HAYES@urvax.urich.edu
- Subject: program update from Padgett Peterson (PC)
-
- Hello.
-
- Just received and made available for FTP transfer FIXMBR24.ZIP. This
- is an update of A. Padgett Peterson's FixMBR. This update corrects a
- potential problem with ESDI hard disks.
-
- Best, Claude.
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
- University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
- Richmond, VA 23173
-
- ------------------------------
-
- Date: Thu, 23 Jan 92 15:53:21 +0700
- From: frisk@complex.is (Fridrik Skulason)
- Subject: F-PROT 2.02 now available (PC)
-
- Version 2.02 of F-prot is now available on SIMTEL20, and should be
- available on beach.gal.utexas.edu in a day or two....
-
- - -frisk
-
- - ------------------------------------------------------------------------------
- Version 2.02 - corrections:
-
- "Secure Scan" used to report a "possible new variant of Yaunch" when
- scanning certain files, including some OS/2 executables - fixed.
-
- On certain old types of 360K floppy disk drives the scanner would not
- always detect a disk change - it would scan the boot sector correctly,
- but not the files contained on the diskette - fixed.
-
- "Analyse Program" would occasionally crash with a "Divide error"
- message - fixed.
-
- Version 2.01 had some problems when scanning Bernoulli boxes, and
- when run from the OS/2 DOS box - fixed.
-
- Version 2.02 - improvements:
-
- "Secure Scan" is now several times as fast as previously, and it is now
- the default method. "Full Scan" no longer exists.
-
- "Secure Scan" can now usually determine if data has been appended to a
- file after infection.
-
- "Secure Scan" can now also usually determine if a file has been
- infected by two different viruses, and should be able to remove them
- in the correct order.
-
- Memory scan is now much faster than previously, but can no longer be
- aborted by pressing ESC.
-
- As the first .SYS-infecting files have now been found "in the wild"
- outside Bulgaria, the set of default file extensions has been expanded
- to include "SYS" as well.
-
- It is now possible to scan for any combination of boot/file viruses,
- Trojans and user-defined patterns at the same time - previously a
- separate scan was required to search for user-defined patterns.
-
- The scanning report now includes a date/time stamp, as well as a
- description of the parameters used.
-
- The following command-line switches have been added.
-
- /ANALYSE Uses heuristic analysis instead of signature-based
- virus scanning.
- /HARD Scan all DOS partitions on the hard disk.
- /MULTI Scan multiple diskettes.
- /NET Scan all network "drives".
- /REPORT=file Saves the output to "file".
- /SILENT Generates no screen output.
-
- "Analysis" no longer exists as a separate function in the main menu,
- but only as the third search method, in addition to Secure Scan and
- Quick Scan.
-
- The VIRSTOP.BIN file no longer exists.
-
- F-PROT.EXE now returns an exit code, which can be checked with an
- ERRORLEVEL command. See COMMAND.DOC for further information.
-
- Version 2.02 - new viruses:
-
- The following 75 new viruses (or new variants of old viruses) can be
- detected and removed with version 2.02
-
- _2330 (temporary name)
- Albania (429, 506, 575 and 606)
- AntiPascal 2 (440-B and 480-B)
- Anto
- Black Monday-Borderline
- Boojum
- Bulgarian Tiny-Ghost
- Burger-Pirate
- Burghofer
- Cascade-1701-S
- Checksum (1.00 and 1.01)
- Crazy imp
- CSL (V4 and V5)
- Dada
- Dark Avenger-null
- Day/10
- DM (310 and 400-1.01)
- Feist
- Hitchcok
- Hungarian-473
- Hydra (0, 1, 2, 3, 4, 5, 6, 7 and 8)
- ILL
- JD (158, 276, 356, 392, 448 and 460)
- Jerusalem (Einstein, Miky and T13)
- Lao Doung
- MH-757
- Mosquito-Topo
- MSTU-554
- Murphy-Amilia
- MPS-OPC-EXE-4.01
- NV71 (only 1827 bytes long, not 1840 as reported elsewhere)
- Orion (262 and 365)
- Pixel-Rosen
- QMU-1513
- Shadowbyte-635
- Sistor (2225 and 2380)
- Smallv-115
- South African-623
- Stoned-NoInt
- Surrender
- Sylvia-C
- Tokyo
- Trivial-44
- Tumen-1.2
- V-472
- V-905-765 (The family name may be changed soon)
- VCS-Manta
- VCS-VDV-853
- Vienna-625
- Voronezh-Chemist
- Words (1391 and 1485)
-
- The following 33 new viruses can now be detecte
-