The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / v05i013.txt < prev next >

Wrap

Internet Message Format | 2003-06-11 | 34.1 KB

From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU> Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #13 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Thursday, 23 Jan 1992 Volume 5 : Issue 13 Today's Topics: Re: QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC) Reply to Smulders-virus found? (PC) FixMBR and very large disks - potential problem (PC) re: SBC? (PC) Michelangelo & (some) Zeniths (PC) Re: Novell Viruses (PC) Unknown Virus? (PC) Flip virus (PC) Virus found: Flip (PC) Re: NCSA has tested Antivirus Programs (PC) Re: Trojan definition? Special case Need some simple statistics Antivirus Methods Congress Re: Report: 8th Chaos Computer Congress Re: Gulf War Virus & "Softwar" FLASH Virus Re: New Antivirus Organization Announced program update from Padgett Peterson (PC) F-PROT 2.02 now available (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 22 Jan 92 05:29:34 +0000 From: mcafee@netcom.netcom.com (McAfee Associates) Subject: Re: QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC) Hello Jim Hendee, You should be able to load VSHIELD V85 high with QEMM V5.1 by running VSHIELD with the /LH option. You shouldn't use the LOADHI program. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | "Welcome to the alligator Santa Clara, California | BBS (408) 988-4004 | farm..." 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Wed, 22 Jan 92 11:34:50 +0100 From: overdijk@ECN.NL Subject: Reply to Smulders-virus found? (PC) Dear Bert Plat, On "Thu, 16 Jan 92 14:21:47" you wrote in digest 5-010 : > "Tangram finds virus: > > Tangram in Utrecht (NL) warns about the recently found 'Smulders'-virus. > This virus renames all directories up tto two levels deep to > Criminal.XXX. Yes, that is the same new Dutch virus (Ultimate Weapon) reported by me in VIRUS-L digest 5-004 : >> I've got a friend with a possible virus on his disks... >> SCANV85 doesn't detect this beast. He has a HISCREEN 386sx >> machine. I haven't seen the problem myself, but after discussion >> I understood the following: >> >> Symptoms: >> - It appears that the 'virus' is activated after january 1-st, 1992 >> >> - After boot, a message is displayed: >> >> +-------------------------------------------+ >> ! The Ultimate Weapon has arrived, ! >> ! please contact the nearest police station ! >> ! to tell about the illegal copying of you ! >> +-------------------------------------------+ >> >> (Yes, I had a 'printscreen' of the message) >> (No, I don't know if he has an illegal copy of a program ;-)) >> >> - System hangs. >> >> - After boot from floppy in A: he found ALL his files and directory's >> in the root and next directory-level renamed to CRIMINAL.001, >> CRIMINAL.002, CRIMINAL.003 ..... etc. I've had contact with my friend, he could reproduce the problem... The virus was found in COMMAND.COM of a MS-DOS 5.0 system. COMMAND.COM has grown with 2601 bytes. A 'grep' on COMMAND.COM didn't find the string 'Ultimate', probably the message is encripted. This virus is of the 'stealth' type (original size of COMMAND.COM is shown when a 'DIR' is done on the infected system). After I recovered from a (flu-)virus myself, I heard that our local representative of McAfee Associates (CPU Communications) was already notified about this virus (by someone else...). They told that the next version of SCAN will be able to recognize the new virus. They even supplied the virus signature (MF00EVKUR). However I don't know how to feed SCAN with this signature, SCAN expects a hexadecimal string... maybe some of the readers can help me with that. Greetings, Harrie Overdijk Internet : overdijk@ecn.nl ECN - Petten BITNET : not any more The Netherlands Noisenet : ++31-2246-4597 Europe Fidonet : 2:500/43.1902 (At home!) ------------------------------ Date: Wed, 22 Jan 92 08:51:13 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: FixMBR and very large disks - potential problem (PC) I have identified the *possibility* for an adverse reaction between FixMBR and disks having sector sizes larger than 512 bytes. I have never seen one but believe that there are some in use, primarily with very large older disks (over 300 Mb). FixMBR v2.4 corrects this potential problem. Theoretical Symptoms: Following FixMBR22 use, system will not boot from hard disk but will from floppy. Use of MBR80 restores system (see documentation). Alternate recovery would be to use DOS 5.0 FDISK/MBR or FixMBR24. Again, I have never seen this happen nor have I ever received a report of such but *think* it *might* be possible & cannot test. Those most common disks used in PCs (MFM, RLL, IDE, SCSI) have standard 512 byte sectors and are not affected. In any event, FixMBR v2.4 *should* handle everything. Warmly, Padgett ------------------------------ Date: 22 Jan 92 11:06:42 -0500 From: "David.M.Chess" <CHESS@YKTVMV.BITNET> Subject: re: SBC? (PC) >From: kenm@maccs.dcss.mcmaster.ca (...Jose) > > Does anyone know anything about a virus that McAfee SCAN >reports as SBC? SBC is a resident infector of files that are executed, and COM, EXE, and OVL files that are opened. The first time an infected program is run, it will try to infect the command interpreter (COMSPEC=, or COMMAND.COM). It infects both COM and EXE format files. It is "length-stealthed", in that if the virus is in memory the DIR command will show the old, uninfected lengths. It sets the seconds field of infected files to 0x1F (==62), as usual. It doesn't seem to have any payload. Since it infects files that are opened, scanning your system with the virus in memory, using a scanner that doesn't know about the virus, will tend to infect every file in your system... DC ------------------------------ Date: Wed, 22 Jan 92 11:09:10 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Michelangelo & (some) Zeniths (PC) >From: Michael_Kessler.Hum@mailgate.sfsu.edu >I had a Zenith 386 SX machine infected. When booting up with the >infected diskette, I get a "Disk read error" message. When I reboot >off the hard disk, I get a "Unable to read boot code from partition" >message, and the computer is disabled unless I boot off the floppy. Not surprising since some versions of Zenith's operating system expect the MBR code to follow the specifications. Most other OSes do not expect help and will boot anyway. >If I run a CHKDSK, I still get 655360 bytes total memory. Well, you booted off an uninfected floppy so the virus is not resident. The CHKDSK test detects Mich when memory resident. >xxx recognizes the existence of the virus but will not remove it. Well either copy sector 7 back to sector 1 or try FixMBR24 (will let you do the same thing). Warmly, Padgett padgett%tccslr.dnet@mmc.com "Usual Disclaimers Apply" ------------------------------ Date: Wed, 22 Jan 92 11:23:57 -0700 From: kev@inel.gov (Kevin Hemsley) Subject: Re: Novell Viruses (PC) Doug Eckert <75140.1550@CompuServe.COM> writes: >I'm interested in obtaining a (believable) list that says which >viruses infect and/or spread through Novell local area networks, >and what effects they cause (error messages and the like). The basic rule is only file infecting viruses can propagate on a network. This includes the file infecting characteristics of multi-partite viruses. Because of NetWare's redirection of BIOS and DOS interrupts, normal BSI viruses cannot infect a NetWare file server from a workstation. Linking viruses also cannot propagate using NetWare as there is no DOS directory entry to modify. >Only two of the five viruses tested, 1701 and Invader, proved >capable of circumventing the file attributes set by the Novell ^^^^^^^^^^^^^^^ There is a clear distinction between NetWare RIGHTS and ATTRIBUTES. ATTRIBUTES are an emulation and an extension of regular DOS file attributes. All DOS attributes (or NetWare ATTRIBUTES which exactly emulate DOS attributes) can be changed by viruses. Viruses can therefor bypass certain Netware attributes. There are only two NetWare ATTRIBUTES which prohibit viral infection, they are EXECUTE ONLY and surprisingly, SYSTEM. The SYSTEM NetWare ATTRIBUTE does not perfectly emulate the DOS system attribute, and does not permit viral infection. The 1701 virus used in your test CANNOT infect a file protected by the NetWare SYSTEM ATTRIBUTE but it will zip right past a DOS system attribute. RIGHTS are NetWare's own security implementation and provide substantial protection against viruses. Viruses cannot directly alter assigned effective RIGHTS. However, assigned RIGHTS can be overridden through the use of the SUPERVISORY RIGHT. The SUPERVISORY right supersedes any restrictions placed on subdirectories or files with an inherited rights mask. >While successful at infecting C:\TESTEXEC files, repeated efforts >to get Jerusalem-B, 4096 and Whale to infect network files - to >which the user had all rights - were unsuccessful. There are some viruses, such as 4096, which do very well on stand-alone systems, but can't properly infect files stored on a NetWare shared volume. In fact, attempting to copy a 4096 infected file from an infected workstation to a NetWare volume will disinfect the file. This is because of the stealth actives of 4096 and NetWare's redirection of interrupts. The 4096 uses single-stepping to determine the original interrupt 21h and place its code. Since NetWare redirects this type of call, 4096 is unable to infect files stored on the server. I hope this helps. - -- - ------------------------------------------------------------------------------- Kevin Hemsley | Information & Technical Security | If you think that you have someone Idaho National Engineering Laboratory | eating out of your hand, it's a (208) 526-9322 | good idea to count your fingers! kev@inel.gov | - ------------------------------------------------------------------------------- ------------------------------ Date: Wed, 22 Jan 92 18:33:05 +0000 From: cksvih01@ulkyvx03.louisville.edu Subject: Unknown Virus? (PC) My brother was installing an expanded memory manager he had legitamately purchased and found what he thought was a virus. Upon rebooting the system, the following message flashed across the screen: Look out! Buy direct from Bob and Steve! He took the disk in and scanned it using McAffee's SCAN, but nothing turned up. Is this a virus, or maybe just an extra tossed in by the software designers? ------------------------------ Date: Thu, 23 Jan 92 02:38:29 +0000 From: jeremy@quest.har.sunysb.edu (Jeremy Wohl) Subject: Flip virus (PC) Hello, Anybody heard of the Flip virus and how to get rid of it? A friend from Spain is convinced his machine is infected with this virus. thanks. - -jeremy jeremy@quest.har.sunysb.edu ------------------------------ Date: 23 Jan 92 14:05:52 +0700 From: Pim Clotscher <CLOTSCHER@hb.fgg.eur.nl> Subject: Virus found: Flip (PC) L.S., Today, 23 january 1992 we found one (1) PC infected with the flip- virus [Flip]. It was reported by McAfee's VSHIELD v77 being resident at that PC after boot-up. First booted from a clean MS-DOS 3.30 system disk. Scan with McAfee's SCANv85 resulted in three infected 'files'. 1. a general partitiontable infection [GenP] 2. VSHIELD.EXE, externally infected LZEXE compressed file [Flip] 3. COMMAND.COM [Flip] We were able to remove the infections in two passes, the first one for the [GenP], the second for both [Flip]. Thank you, McAfee! The Infected PC is one out of 16 in a public student facility, all being a workstation in a Novell Netware 3.11 network. The route of infection is unknown, but we think the infection took place through running infected .EXE file(s) from a user's floppy disk. No other PC's were infected so far, but as long as the infected floppy circulates, there is a potential for re-infection (alas...). The Erasmus University Rotterdam is a legal user of McAfee's SCAN/CLEAN/VSHIELD through a negociated licence mediated by the dutch SURFnet organization in Utrecht, the Netherlands. Sincerely, ------------------------------ Date: Thu, 23 Jan 92 16:54:00 +0200 From: Y. Radai <RADAI@HUJIVMS.BITNET> Subject: Re: NCSA has tested Antivirus Programs (PC) Vesselin Bontchev writes: >There are currently several products, which claim to add a >"self-disinfecting" envelope to other programs: I have only McAfee's >FShield, but have heard about at least three more - The Untouchable, >something from Central Point Software, and a product under >development, which I discuss with someone from Bogota, Colombia (if I >remember correctly, else - sorry) Sorry, that's not accurate. F-Shield (now called File Protector and no longer associated with McAfee) does indeed add a self-disinfecting envelope to other programs, but Untouchable certainly does not. It keeps all the disinfectant info in a central database. (It does check- sum itself before checking other files and warns you if it has been modified, but it does not *disinfect* itself on the fly as described in your quote from Frisk.) Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: 21 Jan 92 22:18:27 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: Trojan definition? Special case hagbard@ark.abg.sub.org (Ralf Stephan) writes: I heard there was a collection for a FAQ list. Maybe this question belongs to it: What is the exact definition for "trojan"? The definition I have in my glossary is: ________________ trojan (horse) - This is some (usually nasty) code that is added to, or in place of, a harmless program. This could include many viruses but is usually reserved to describe code that does not replicate itself. ________________ [Moderator's note: Thanks for the FAQ submission. I'm continuing to put submissions in as they arrive. As soon as we have a critical mass of Q's and A's, I'll post a "beta" FAQ for everyone to review and comment on. BTW, I've gotten a number of suggestions on how/when I should distribute the FAQ - thanks to all. Comments and suggestions are welcomed.] I would like to present you a special case where I would say, this is one, and I'm very interested in your opinion. Some week ago, someone uploaded a program in a BBS where anonymous uploading is possible. The program description given had some attributes that were sufficient to make the program a widely downloaded one. Keywords were: "sex","porno" et cetera... To admit, the author did all not to say what the program really was for. What the program did: It asked the user to free 20MB of hard disk space (if not already free), created a file with that length fully filled with "6"es and stuffed it on the screen. This should apparently be a joke since in German the words for "sex" and for the number 6 are spoken the same way. So the program actually intended no damage, but some users with small hard disks had problems with Murphy's law when freeing the space (they deleted files, you know). The story still is not ended because the program writer later claimed it to be a "scientific experiment"... So, is this a trojan or not? Where is the border between "damaging" and "not damaging"? Is it sufficient for a program to be a trojan if it does not what it says or intends? I would say not. It didn't masquerade as another program or hide itself as part of another program. Damaging or not is not part of the definition. I would label it a stupid immature prank, shun the author and forget about it. And BTW, anyone who would download an untested program and follow "suspect" instructions like that based on keywords like "sex" and "porno" is just asking for trouble. Some might suggest that these people got what they deserved. jv "The time of day is no secret, but Apple still doesn't deserve the time of day." - RMS _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: 22 Jan 92 06:22:16 +0000 From: spaf@cs.purdue.edu (Gene Spafford) Subject: Need some simple statistics I am trying to do some simple calculations regarding the appearance of new viruses for the PC. In particular, I need some information on: * how many new viruses appeared on the scene in 1990? * how many new viruses appeared in the first half of 1991? * how many new viruses appeared in the second half of 1991? If you believe you have a reliable source for any of these figures, please MAIL me your figures along with your source. Please specify if your numbers are for distinct viruses, or for variants too. I will summarize the answers I get back to this list. Thanks in advance. - --spaf - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: Wed, 22 Jan 92 10:35:20 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Antivirus Methods Congress It is real & I have been asked to be a part of it (was waiting to make sure that it was going to be not-for-profit). IMHO this type of organization is something that we have been needing in this country just like we need a national virus/anti-virus testing facility. Since NIST has decided not to take an active role in the PC community (at least that was how I interpreted Dennis's talk at the NCSA luncheon), there is a definate vaccuum. Since the criteria for proper testing has gone beyond what I have available in my Den Closet (though now equipped with a network), and the magazines are apparently unable to provide such testing. We NEED a proper non-profit public testing and communicating organization. With March 6th fast approaching, I suspect that Dick is acting in the best Kanban possible. It is not going to be perfect, it is going to make misteaks, it is not going to make everybody happy 8*(, but it is necessary and I intend to support it. Now keep in mind that Dick is a NewYorker so one must make allowances but he and Judy have done an excellent job in conducting the International Virus and Security Conference (March 12 & 13 this year - plug) which will be concurrent with the first meeting of the AMC. "Well, lets just see..." (_The Legend & the Mission_ (C) 1989 Pontiac Motor Div GMC). Warmly now but in San Antonio (IMHO the nicest city in America that's hard to get to) tomorrow, Padgett padgett%tccslr.dnet@mmc.com (usual disclaimers apply) ------------------------------ Date: 17 Jan 92 11:24:00 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Report: 8th Chaos Computer Congress Eric_Florack.Wbst311@xerox.com writes: > The following message was copied from RISKS-L. Of particular interest to > VIRUS-L reader will be where the writer inserts 'comment #1'. That such Yep... The review is from my boss, Prof. Klaus Brunnstein, who is the head of the Virus Test Center at the University of Hamburg. I'll add just a few corrections. > Remark #1: recent events (e.g. "Gulf hacks") and material presen ted on >Chaos Congress '91 indicate that Netherland emerges as a new European center o f > malicious attacks on systems and networks. Among other potentially harmful Yeah, we all have a bit of luck that Bulgaria does not have -wide- access to computer communications... :-) > information, HACKTIC #14/15 publishes code of computer viruses (a BAT-virus > which does not work properly; "world's shortest virus" of 110 bytes, a > primitive non-resident virus significantly longer than the shortest resident > Bulgarian virus: 94 Bytes). While many errors in the analysis show that the Correction. The published "shortest virus" is in fact the shortest (they believe) non-overwriting non-resident COM-file infector for MS-DOS. It is 109 bytes, not 110. It was published in both source and hex dump. The hex dump has obviously been entered by hand from an assembly listing of the source, and by an unexperienced person, on the top of that, that's why it is extremely buggy and will not work. The source works perfectly, however, if assembled. The shortest virus in the same class (Prof. Brunnstein is wrong here - it is non-resident) is indeed Bulgarian and is indeed 94 bytes only. However, it contains an undocumented instruction (POP CS), which works only on 8086/8088 processors (not above). >authors lack deeper insigth into malware technologies (which may change), thei r >criminal energy in publishing such code evidently is related to the fact that >Netherland has no adequate computer crime legislation. In contrast, the adven t Indeed, the lack of legislation leads to creation of computer viruses, as my Bulgarian experience tells me... :-) > not all topics have been reported. All German texts are available from the > author (in self-extracting file: ccc91.exe, about 90 kByte), or from CCC > (e-mail: SYSOP@CHAOS-HH.ZER, fax: +49-40-4917689). Just a moment!!! We already got HUGE amount of requests, so we are unable to send the proceedings by e-mail. Those of you who have ftp access can get them from ftp.informatik.uni-hamburg.de [134.100.9.29], directory /pub/virus/texts, file ccc91.zip. Just don't forget that the texts are in German. If anybody volunteers to translate them in English, we'll appreciate that. Please, upload anything virus-related to the directory /pub/virus/incoming, *not* to the directory /incoming. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 22 Jan 92 10:04:40 -0700 From: jrbd@craycos.com (James Davies) Subject: Re: Gulf War Virus & "Softwar" RTRAVSKY@corral.uwyo.edu (Rich Travsky) writes: >Regarding the Gulf War virus: Anyone remember the book "Softwar", by >Thierry Breton and Denis Beneich? Came out in 1984. Been a while since >I read it, goes something like this: The U.S. allows the Soviets to >buy a super-computer. The chips were, uh, slightly modified. Or >something like that. You can guess the rest. Fair reading as I recall. I didn't read this book, but I remember seeing reviews and looking at it in a bookstore. The inane, implausible plot was that the US allowed the USSR to smuggle a Cray-something into their country, and that as soon as a particular weather condition came up in the weather program (that all Crays run all the the time, of course, even ones doing codebreaking in the Soviet Union), it started taking over all of the other computers in the country. Interoperability at its finest. What I found especially laughable in the promotions for the book was that one of the authors was described as some sort of incredible computer genius, thus enhancing the plausibility of the book's scenario. I suspect that the guy had a C64 that he used to play video games, given the deep technical understanding that the book appeared to show... >Too bad the Gulf War version seems to an April Fool's story. (We >coulda had a sequel to the book!) Heaven forbid. ------------------------------ Date: Wed, 22 Jan 92 11:54:32 -0700 From: kev@inel.gov (Kevin Hemsley) Subject: FLASH Virus p1@arkham.wimsey.bc.ca (Rob Slade) writes: >"Upgradeable" means the *user* can update (*change*) his BIOS from a >program distributed on a floppy or other media. The danger of flash >EAPROMs is a real area of concern and should not be taken lightly. >True, they have not hit the marketplace yet but figure: Correction, Flash EPROM BIOS are on the market and have been for several months now. An EISA board designed by Anigma and marketed by Swan Technologies is for sale at your local mail order catalogue. >This is the danger to be considered but fortunately it has been. The >following things can/are being done: >* hardware enable of reprogramming (switch/jumper plug, etc) According to Swans technical support the BIOS are upgraded by "software-only, no hardware." >Most importantly is that different vendors are implementing their own >hardware and the lack of a "standard" should prevent any flash virus >from having a large enough culture to thrive in. I agree that because of proprietary differences, and the fact that most machines today do not have Flash EPROM BIOS, BIOS modifying viruses will not become a significant issue. Although I have no doubt that someone will probably try, "just for the fun of it." :( - ------------------------------------------------------------------------------- Kevin Hemsley | Information & Technical Security | If you think that you have someone Idaho National Engineering Laboratory | eating out of your hand, it's a (208) 526-9322 | good idea to count your fingers! kev@inel.gov | - ------------------------------------------------------------------------------- ------------------------------ Date: 22 Jan 92 23:36:24 +0000 From: spaf@cs.purdue.edu (Gene Spafford) Subject: Re: New Antivirus Organization Announced Here is a description of the Antivirus Methods Congress, direct from Dick Lefkon himself (along with a paragraph about who Dick is): Dick Lefkon (dklefkon@well.sf.ca.us) is 1991-1992 President of Antivirus Methods Congress. His term of office ends spring 1992. He is program chair of the FIFTH INTERNATIONAL COMPUTER VIRUS & SECURITY CONFERENCE to be held March 11-13 at the Loews Summit and Marriott in New York. Dick was asked to do the setup work for AMC in 1991 since he had helped to start five of the eight SIGs at Data Processing Management Association. Of four clearance levels (researcher, vendor, user practitioner, lay user), Dick ranks himself as a user practitioner. AMC was established to unite all constituencies in the struggle to slow and eventually overcome the onslaught of malevolent code. Specific committees for University Users, Corporate Users, Government Users, Vendors, Telecom Users, and Non-DOS users have directly elected chairs and make sure their constituencies receive proper liaison and are not inadvertently ignored by the joint effort. AMC does not endorse any product or course. Action Committees of AMC include Identification/Classification, Legal, Credentials (includes clearance for virus swapping), Nonproliferation (protections in swapping), Research Methods and possible others. AMC acts as a "frontend" for existing centers and efforts, a single well-known referral point that the uninitiated user can contact with a need and be sent directly to one or more existing parties. AMC "harmonizes" with other ongoing efforts and does not attempt to supplant any. No dues until spring vote, then $5 or $10 US thereafter. Quarterly or monthly thin newsletter (no scholarly journal), with most productive committee work done via existing e-mail and donated forum space. Membership by sending name, address, e-mail and phone and saying you hereby declare yourself a member. Name your classification if it's clear to you. - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: Wed, 22 Jan 92 07:37:00 -0500 From: HAYES@urvax.urich.edu Subject: program update from Padgett Peterson (PC) Hello. Just received and made available for FTP transfer FIXMBR24.ZIP. This is an update of A. Padgett Peterson FixMBR. This update corrects a potential problem with ESDI hard disks. Best, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Thu, 23 Jan 92 15:53:21 +0700 From: frisk@complex.is (Fridrik Skulason) Subject: F-PROT 2.02 now available (PC) Version 2.02 of F-prot is now available on SIMTEL20, and should be available on beach.gal.utexas.edu in a day or two.... - -frisk - ------------------------------------------------------------------------------ Version 2.02 - corrections: "Secure Scan" used to report a "possible new variant of Yaunch" when scanning certain files, including some OS/2 executables - fixed. On certain old types of 360K floppy disk drives the scanner would not always detect a disk change - it would scan the boot sector correctly, but not the files contained on the diskette - fixed. "Analyse Program" would occasionally crash with a "Divide error" message - fixed. Version 2.01 had some problems when scanning Bernoulli boxes, and when run from the OS/2 DOS box - fixed. Version 2.02 - improvements: "Secure Scan" is now several times as fast as previously, and it is now the default method. "Full Scan" no longer exists. "Secure Scan" can now usually determine if data has been appended to a file after infection. "Secure Scan" can now also usually determine if a file has been infected by two different viruses, and should be able to remove them in the correct order. Memory scan is now much faster than previously, but can no longer be aborted by pressing ESC. As the first .SYS-infecting files have now been found "in the wild" outside Bulgaria, the set of default file extensions has been expanded to include "SYS" as well. It is now possible to scan for any combination of boot/file viruses, Trojans and user-defined patterns at the same time - previously a separate scan was required to search for user-defined patterns. The scanning report now includes a date/time stamp, as well as a description of the parameters used. The following command-line switches have been added. /ANALYSE Uses heuristic analysis instead of signature-based virus scanning. /HARD Scan all DOS partitions on the hard disk. /MULTI Scan multiple diskettes. /NET Scan all network "drives". /REPORT=file Saves the output to "file". /SILENT Generates no screen output. "Analysis" no longer exists as a separate function in the main menu, but only as the third search method, in addition to Secure Scan and Quick Scan. The VIRSTOP.BIN file no longer exists. F-PROT.EXE now returns an exit code, which can be checked with an ERRORLEVEL command. See COMMAND.DOC for further information. Version 2.02 - new viruses: The following 75 new viruses (or new variants of old viruses) can be detected and removed with version 2.02 _2330 (temporary name) Albania (429, 506, 575 and 606) AntiPascal 2 (440-B and 480-B) Anto Black Monday-Borderline Boojum Bulgarian Tiny-Ghost Burger-Pirate Burghofer Cascade-1701-S Checksum (1.00 and 1.01) Crazy imp CSL (V4 and V5) Dada Dark Avenger-null Day/10 DM (310 and 400-1.01) Feist Hitchcok Hungarian-473 Hydra (0, 1, 2, 3, 4, 5, 6, 7 and 8) ILL JD (158, 276, 356, 392, 448 and 460) Jerusalem (Einstein, Miky and T13) Lao Doung MH-757 Mosquito-Topo MSTU-554 Murphy-Amilia MPS-OPC-EXE-4.01 NV71 (only 1827 bytes long, not 1840 as reported elsewhere) Orion (262 and 365) Pixel-Rosen QMU-1513 Shadowbyte-635 Sistor (2225 and 2380) Smallv-115 South African-623 Stoned-NoInt Surrender Sylvia-C Tokyo Trivial-44 Tumen-1.2 V-472 V-905-765 (The family name may be changed soon) VCS-Manta VCS-VDV-853 Vienna-625 Voronezh-Chemist Words (1391 and 1485) The following 33 new viruses can now be detecte