The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / v05i115.txt < prev next >

Wrap

Internet Message Format | 2003-06-11 | 36.1 KB

From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.ORG> Errors-To: krvw@CERT.ORG To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #115 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Wednesday, 10 Jun 1992 Volume 5 : Issue 115 Today's Topics: help me .. is this a virus? (PC) F-PROT & DR-DOS 6.0 (PC) Help for a new(unknown) virus (PC) Virus or hard disk problems ? (PC) Troi Two information (PC) "Wonder-2" False Alarms in NAV 2.0 update 4 (PC) SCAN vs. CLIPPER 5.0 (PC) Re: Zipped Viruses (PC) Re: VD virus (PC) Detecting the MtE (PC) ISPNews & Virx (PC) Virus Discovery (PC) HyperCard anti-virus solution available (Mac) Notes on ANSI bombs (various) Re: Taxonomy of viruses An apparent case of deliberate punitive virus-spreading Re: what's this .signature stuff? uploads to risc.ua.edu (PC) New files on eugene (PC) (Mac) Colds and Flu season... (Humor!) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: <krvw@CERT.ORG>. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 02 Jun 92 16:06:25 -0500 From: CCGERRY@UMCVMB.BITNET Subject: help me .. is this a virus? (PC) >I boot up the machine and it appears to run fine through the boot up >until I type in a command and hit return. It doesnt matter what the >command is. Every time it does this: > >B: >A: >A:cd\ >A:win Hmmm, we had someone call in with this problem during the Michalengo event. Is your machine a new Gateway? His was. The new Gateways have highly programmable keyboards. Somehow he put his keyboard into "Record" mode and assigned all subsequent keystrokes to his Enter key. He accidentally recorded his installation of F-PROT. Even after power off, and booting from a DOS diskette, every time he pressed his Enter key, it played back the keystrokes he accidentally recorded. Since it kept on attempting to re-install F-PROT, he swore that F-PROT had a virus. :-) If you have a Gateway clone, check your manual and find out how to "de-program" your keys! - ---CCGERRY@UMCVMB.MISSOURI.EDU ------------------------------ Date: Wed, 03 Jun 92 07:12:33 -0500 From: "Dr. Martin Erdelen" <HRZ090@DE0HRZ1A.BITNET> Subject: F-PROT & DR-DOS 6.0 (PC) Good morning (Central European Summertime) everybody, here are two questions concerning F-PROT: 1) What does the message "invalid program" mean? 2) Several users reported problems when trying to run VIRSTOP (v. 2.01) under DR-DOS v. 6.0. Apparently, VIRSTOP.EXE can *not* be installed by - DEVICE= ... in CONFIG.SYS - HIDEVICE= ... in same - INSTALL ... in AUTOEXEC.BAT - HIINSTALL ... in same - HILOAD ... in same VIRSTOP *can* be installed by simple command in AUTOEXEC.BAT, but then is reported to use up over 52 KB of memory. Can't be true, can it? (I don't have DR-DOS here & don't know it much, so I can only pass this on.) I am wondering why I have never seen this mentioned on VIRUS-L - after all, DR-DOS isn't that rare. Am I missing something? Thanks in advance for any info. Humidly (to paraphrase one of our highly esteemed gurus ;-) ), MArtin (~ , , (___/__/__-_ Dr. Martin Erdelen EARN/BITNET: HRZ090@DE0HRZ1A.BITNET - -Computing Centre- Internet: erdelen at hrz.uni-essen.de University of Essen Tel.: +49 201 183-2998 Schuetzenbahn 70 FAX: +49 201 183-3960 D-4300 Essen 1 Binary: . .-. -.. . .-.. . -- (~~ Germany (()~~ +-----------------------+ Smoke: ()))) ((()))~~~ ())~~~ | Remarkably | ())))) ~~~ | remarkless | (())()~(())()) | room | (())()) +-----------------------+ ((()()()))) Acknowledge-To: <HRZ090@DE0HRZ1A> ------------------------------ Date: Wed, 03 Jun 92 07:13:38 +0000 From: adv5@saathi.ernet.in (Course account) Subject: Help for a new(unknown) virus (PC) Could any one help me detect/clean/remove the virus(name still unknown), whose characteristics are listed below : 1. File or Boot Sector virus 2. Attaches to EXE or COM programs 3. Increases filesize by 3K 4. Corrupts FAT of hardisks and floppies 5. Makes starting cluster of all EXE and COM programs in FAT the same 6. Can't be detected by SCAN 4.5B66, or Findvir(ver 4.2), CPAV(ver 1) or NAV 7. Mostly likely doesnot remain in memory 8. Activated by running infected files. 9. Probable name of the virus is 'Made in India' (Wild Guess). I don't have any other tools to detect this virus. Thanks in advance, for any help. Dinesh Vardhan Please reply on zvichare@saathi.ncst.ernet.in zsuhas@saathi.ncst.ernet.in ------------------------------ Date: Wed, 03 Jun 92 17:54:46 -0400 From: Alan.Gilbertson@f230.n3603.z1.FIDONET.ORG (Alan Gilbertson) Subject: Virus or hard disk problems ? (PC) Sunday May 31 1992, unx.sas.com!sasaer@mcnc.org (Andy Ravenna) writes: AR> First I ran "Qaplus" which came with my Gateway, and the DMA testing AR> on the Main Components menu seemed to freeze up. Does this mean the AR> DMA chip has gone bad ? AR> Secondly, I ran Norton Disk Doctor II and when Norton got to the last AR> 55% of my 80 meg hard drive, it started marking every sector as "BAD". AR> I did run a virus check on the system and nothing was found. AR> HELP ! Does this sound like a virus problem or a hardware problem ? This sounds exactly like a wrong CMOS setting (too few cylinders) for a hard disk, such as an IDE drive, using translations in the controller. This particular problem can produce some of the weirdest, off-the-wall, and in many cases apparently disrelated symptoms on a PC. The clue is that Norton suddenly began finding every sector bad past a certain point. Check your CMOS hard drive setting and compare it with what your drive requires. Hopefully, you can correct this and clear up the trouble. Alan - -- Internet: Alan.Gilbertson@f230.n3603.z1.FIDONET.ORG UUCP: ...!uunet!myrddin!tct!psycho!230!Alan.Gilbertson Note:psycho is a free gateway between Usenet & Fidonet. For info write to root@psycho.fidonet.org. ------------------------------ Date: 04 Jun 92 11:24:16 -0400 From: "Tarkan Yetiser" <TYETISER@ssw02.ab.umd.edu> Subject: Troi Two information (PC) Hello, We have received a sample of a virus named Troi Two from Australia. Mr. Brian Marriott isolated the virus and reported to Virus-L previously. Neither SCAN 91, nor F-PROT 2.03 recognizes the virus. If you add the following signature to F-PROT, make sure you are using SECURE scan, or it will miss it; just an observation. A quick analysis (using DIS86 by Mr. James R. Van Zandt, SIMTEL-20 archives, /msdos/disasm/dis86212.zip, highly recommended) revealed the following characteristics of the virus: ------------------------------------------------------------------------ Suggested Name: Troi Two Date/Location : May 1992, Australia by Mr. Brian Marriott Targets : EXE files by appending and modifying CS:IP in header RU-there call : mov AH, 0FCh int 21h cmp AH, 55h jz virus_is_active_in_mem *In English : The virus adds a service to DOS Int 21h to determine if it is already resident in memory. The virus interrupt handler responds by setting AH to 55 hex. Scan String : B8 64 02 FA A3 84 00 8C 1E 86 00 FB EB B9 9C 80 FC FC 75 04 B4 55 9D CF Operation : Troi Two is a 512-byte non-stealth EXE file infector. When an infected program is run, the virus checks the DOS date (2Ah/21h) to see if it is before May 1, 1992. If not, it will issue an RU-there call (see above) to determine if it is already installed in memory. Otherwise, it will copy itself to the upper half of the interrupt vector table (thus not taking up any "memory"). After that, it will hook Int 21h by storing the original handler address within itself (offsets 0291 & 0293), and changing the IVT entry to its own handler [0264]. Since the RU-there call is skipped if the date is before May 1, 1992, the second time the virus runs, the original Int 21h handler address is lost, freezing the system. Once the virus is resident in memory, it monitors Int 21h LOAD/EXEC (4B00) requests, and checks the extension of programs for EXE. If a victim is found, it will also check to see if the program is already infected by looking at the INVERTED-CHECKSUM field (offset 12h) of EXE header, and comparing it to 3254h. If not equal, then it assumes the program is not infected yet, and proceeds with infection. Infection is done using DOS handle-oriented file access. It also attempts to preserve the file attribute. Comments : The way it copies itself to the upper half of the IVT, and hooks Int 21h, as well as the RU-there call, and a bug "fix" (5700/21h <--> 0101/21h) suggests the virus writer has seen Troi-1, which is a COM infector. DOS 5.0 systems will experience immediate system lockup, and the virus will not be able to spread, though it infects PC/DOS 3.3 systems as long as the date is set to after May 1, 1992. The following text string can be found inside the virus: >>>-Troi Two--> Regards, Tarkan Yetiser VDS Advanced Research Group P.O. Box 9393 (410) 247-7117 Baltimore, MD 21228 e-mail: tyetiser@ssw02.ab.umd.edu ------------------------------ Date: Thu, 04 Jun 92 10:14:13 -0400 From: doc@magna.com (Matthew J. D'Errico) Subject: "Wonder-2" False Alarms in NAV 2.0 update 4 (PC) Hi, all... I thought I'd pass along the essence of a growing thread from compuserve in which some false alarms have been caused by Norton Anti-Virus' latest update (04) for version 2.0 which was released on June 1st... Several instances have been reported where this update reported infections of the "Wonder-2" strain of the "Wonder" virus in commercially distributed software... These infections include files from : Borland C++ 3.0 (TOUCH.COM) Mavis Beacon Teaches Typing 2.0 Stacker 2.0 VCD.COM (from VCD.ZIP - shareware ?) Intermission 3.0 (IMSETUP.COM) SHEZ v7.1 (3 different files : SHEZCFG.COM, SGREG.COM and DUMPMAC.COM) That's the list as of last night... In at least 3 of these cases, the authors or companies involved have verified the files as correct, and thus not infected... Naturally, this infomation has been passed along to SYMANTEC. - -- Matt +-------------------------------+---------------------------------------+ | Matthew J. D'Errico | DOMAIN: mderrico@magna.com | | Magna Software Corporation | uucp: uunet!magna!mderrico | | 275 Seventh Avenue | CompuServe: 70744,3405 | | 20th Floor +---------------------------------------+ | New York, NY 10001 | Voice : 212 / 727 - 6737 | | USA | Fax : 212 / 691 - 1968 | +-------------------------------+---------------------------------------+ ------------------------------ Date: Thu, 04 Jun 92 20:32:16 +0700 From: Cezar Cichocki <CEZAR@PLEARN.BITNET> Subject: SCAN vs. CLIPPER 5.0 (PC) Hi! Over installing CLIPPER 5.0 I ( of course ) ran SCAN with /AG option for immunization. Immunized CLIPPER said me : 'Rules not found in file CLIPPER.EXE', and didn't work corectly. When I reinstalling CLIPPER, all was right. I repeat it few times, and my conclusion is : adding generic code to CLIPPER.EXE make it unusable ( of course I can add rules manualy, but it is funny idea, is'n it ?) Cezar Cichocki System operator ------------------------------ Date: Thu, 04 Jun 92 11:26:06 +0000 From: mwb@wybbs.mi.org (Michael W. Burden) Subject: Re: Zipped Viruses (PC) magnus@thep.lu.se (Magnus Olsson) writes: >David_Conrad@MTS.cc.Wayne.edu writes: >[...] >>Here's what happens: Your virus scanner is infected with a stealth, >>fast infecting virus. It isn't currently active. You run the scanner, >>telling it to scan your entire hard drive. First the virus gets control: >>It goes resident, takes over, then runs the scanner. Now the scanner >>attempts to perform a self-check on its file. This detects nothing, >>because the virus disinfects the file as it reads it. Now your scanner >>goes through your entire hard drive, reading all programs. Not only >>does it have no chance of catching the virus in any program, but every >>program (even ones which weren't infected before) will get infected!!! >At least McAfee's scanner doesn't only check files on the disk and >make a self-check, but also scans memory for viruses before doing >anything else. Doesn't this cure the above problem, as the >memory-resident stealth virus would be detected in memory? Even better yet: Make sure you get a clean copy of your anti-virus tools BEFORE you get infected, put them on a floppy, write protect it, and NEVER run these programs from the hard disk. - -- +----------------------------------------------------+------------------------+ |"Paradise is exactly like where you are right now...| Mike Burden | | only MUCH better!" -Laurie Anderson |sharkey!wybbs.mi.org!mwb| +----------------------------------------------------+------------------------+ ------------------------------ Date: 05 Jun 92 14:54:15 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: VD virus (PC) michael.blackwell@f820.n680.z3.fido.zeta.org.au (Michael Blackwell) writes: > Has anyone heard of a virus called VD, scan string [FD] ? > Scan90 picked it up the other day. Scan89, virex (april ver), and Norten Anti > Virus report nothing. Neither does the docs for scan, or the april Vsum. Hmm, seems that SCAN 91 causes a false positive about this virus sometimes... We also got a report for it yesterday - in one file only and a file that the user has not touched for years... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 05 Jun 92 14:58:39 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Detecting the MtE (PC) Hello, everybody! I received a fax of something that looks like a bulletin issued by McAfee Associates. I discussed the problem with them and they said that it is not their; maybe some of their agents has published it. If this is the case, I would suggest them to pick their agents more carefully... Anyway, here is the bulletin: - ---------cut here---------- The Virus Test Center at the University of Hamburg just released the results of their test of McAfee Associates Viruscan V89B, and Dr. Solomon's FindVirus (version 4.15 including drivers from May 15th, 1992) against 9,468 different viruses spawned by the Dark Avenger Mutating Engine: FindVirus failed to detect 744 of the viruses; Viruscan detected all but 4 of the viruses. Although we continue to strive for perfection (100%), we are gratified that our detection tools offer our users 99.95% effectiveness against this threat at this time. ****************** End of Bulletin #0020 ************************ - ---------cut here---------- The above is a clear misrepresentation of my results with marketing purposes. 1) They "forgot" to mention the results of F-Prot (13 missed variants) which is the most serious competitor of SCAN - it is a much, much cheaper scanner, with slightly better detection rate in general, and with MUCH better disinfection capabilities. 2) They even got their arithmetic wrong - it would be 99.96%... :-) 3) I my message on Virus-L/comp.virus I clearly stated that ALL the three scanners tested FAILED the test. SCAN failed, F-Prot failed, FidnVirus failed. Period. When we speak about detecting known viruses in general, a detection rate of 90 % and higher is acceptable. When are speaking about detecting a particular virus, the arithmetic is boolean - you either detect it (in its ALL instances), or you don't. SCAN 89-B DOESN'T detect the MtE, F-Prot 2.03a DOESN'T detect the MtE, FindVirus 4.15 DOESN'T detect the MtE. Both me and Dr. Fred Cohen clearly explained in our messages why anything less than 100 % detection of a particular virus cannot be acceptable. Meanwhile the missed variants have been sent to McAfee Associates and Fridrik Skulason (the variants missed by the other programs are too many to permit their sending by e-mail). Let's hope that the newer versions of their programs will detect this virus. Meanwhile SCAN 91 still DOESN'T detect the MtE. Those of the readers of Virus-L/comp.virus who have access to bulletin board systems and FidoNet are invited to distribute this message widely, with the hope to reduce the damage caused by the bulletin quoted above. OK, that was the silly stuff, now back to business. We did the same MtE-detection tests with a few other programs. Here are the results. Virex 2.3 missed 664 variants out of 9469. Conclusion: Virex DOESN'T detect the MtE-based viruses. We received an update of FindVirus - this time the version is 4.19 with drivers of June 3, 1992. Results: it missed only 1 variant this time. Conclusion: FindVirus still DOESN'T detect the MtE-based viruses reliably, but at least Dr. Solomon is working to improve the product. A side note for those who are not familiar with this program. It is part of Dr. Solomon's Anti-Virus ToolKit, produced by S & S International. The latest version of the ToolKit is 5.56. The different programs in the ToolKit have different version numbers. Particularly, version 4.19 of FindVirus might not be shipped to the regular users yet. We accepted to test it because of the seriousness of the problem - we wanted to report the latest results in this area. We received UTScan version 23.00.12. UTScan is the scanner part of an integrity-oriented product, called V-Analyst III. The product is distributed in the USA under the name The Untouchable by Fifth Generation Systems. The user interface in this product is slightly different than the one in the European version, but otherwise the product is functionally equivalent. The version of the scanner that I received for review was clearly designed for the American version of the product. Results: UTScan detected ALL instances of the virus. Conclusion: UTScan DOES detect the MtE-based viruses ACCORDING TO OUR TESTS (that is, if it misses some, we were unable to prove this). Since this was the first scanner which detected all instances of the virus, I was so excited that I ran the scanner on our full virus collection. The results were very good, although nothing exciting - it missed about 160 different virus variants (out of about 1,300), which scores slightly worse than McAfee's SCAN 89-B. However, this is a - -huge- improvement relatively to the previous version I have seen (22), which had a less than 50 % detection rate. The virus identification capabilities of the product were very bad - it was able to recognize the exact variant only slightly better than SCAN - which means almost never. Therefore, my conclusion is that it is a good product to be used for initial scanning of your system, in order to determine whether it is infected (by anything) or not - prior to install the integrity checking part of the package. However, do not rely on it for exact virus identification. The last product received was an MtE-only detection program. It is produced by Digital Dispatch Inc. and is supposed to be included in the program VirHunt, version of June 8. The author of the program told me that he has done a full analysis of the MtE and his detection is algorithmical and based on his knowledge of what MtE is able to generate. I don't know what UTScan does; all the other programs seem to use some kind of heuristics. Results: the program detected ALL the 9,469 mutations of the virus. Conclusion: The program DOES detected the MtE-based viruses, according to our tests. OK, that was all for now, if more MtE-detectors appear, we'll test them too and I'll keep you informed. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 05 Jun 92 12:12:46 -0400 From: "Ross M. Greenberg" <72461.3212@CompuServe.COM> Subject: ISPNews & Virx (PC) >Date: 02 Jun 92 11:40:57 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: ISPNews and why 100% is the only good enough solution (PC) >BTW, recently it was announced that the new version of VirX (2.3) is >able to detect the MtE-based viruses. BEWARE! In my -very- preliminary >tests, it missed 7 out of 27 Fear mutations! Don't use this scanner >for detecting MtE-based viruses! It is unreliable!!! That's what last-minute-before-the-release fiddling will getcha, alas. We recently became aware of this, dangitall, and a new release that catches 10,000 out of 10,000 of our test viruses will be released very shortly. Ross - ------------------------------ >Date: 01 Jun 92 16:56:10 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: VIRx version 2.3 released (PC) >trent@rock.concert.net (C. Glenn Jordan -- Virex-PC Development Team) writes: >> 2. VIRx now detects all files encrypted with the "Mutating Engine" >> attributed to the Dark Avenger that are not already destroyed by the >> Engine's attempts to encrypt them (and most of those, as well). >This requires a bit of clarification. No files are "destroyed by the >Engine's attempts to encrypt them". However, the MtE sometimes (a bit >too often, IMHO) generates something that I call a "zero-key >decryptor". It does not encrypt the body of the virus and generates a >decryptor which essentially does nothing else than juggling a few >constants around some registers. No attempt to perform decryption is >present in these cases. >The files are not destroyed - they work perfectly and are able to >spread the virus. However, since the decryptor is almost non-existent, >it is very difficult to detect it... :-) I dunno, Vessilin: some of the above mentioned 10,000 viruses seem to trash the productivity of the target file pretty nicely: after the decryptor comes a whole bunch of NOP's, followed immediately by a return. The target program is never run, as an exit back to DOS seems to preclude that pretty well. Ross ------------------------------ Date: Fri, 05 Jun 92 14:14:03 -0400 From: vgunay@sun.wga.peachnet.edu (Vedat Gunay) Subject: Virus Discovery (PC) Unknown MS-DOS Based Virus found on the West Georgia College Campus The virus infects COM and EXE files. It is not detected by: McAfee Scan v8.3B86 F-Prot v2.03A Quick Scan or Secure Scan Virusafe 2.43 It is detected by: F-Prot v2.03A Heuristic Scan which reports "This program seems to contain a memory-resident virus, which infects other programs when they are executed." Infected files have larger file sizes. The problem was first detected when certain application no longer ran. Windows 3.0 dies with a memory protection error before the program finishes loading. Once the virus is in memory it attaches itself to any programs that are executed. Most programs however still run correctly after the virus has attached itself. The F-Prot scan of memory does not initially detect the virus if it is already resident, but during a heuristic scan the following message may appear: "Alert! An active "stealth" virus has been found in memory. You should reboot the computer from a "clean" system diskette. It has either lain dormant on our campus and just activated itself (which I do not believe is the case), or it spreads very fast! If users have write permission on fileservers in locations where EXE and COM files exist, the virus can spread through the network. At the moment we are deleting any files that are suspect and replacing them with clean copies. We still do not have a name, or any way to disinfect. Any information regarding what we might have, and how we can get rid of it would be greatly appreciated. - --------------------------------------------------------------------------- Scott W. Hughes shughes@sun.wga.peachnet.edu West Georgia College Computer Center (404) 836-6604 ------------------------------ Date: Thu, 04 Jun 92 19:13:47 +0000 From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: HyperCard anti-virus solution available (Mac) This has already been posted in comp.sys.mac.hypercard so here's the deal: I am making available in a limited beta release, a HyperCard anti-virus product that is available by EMAILing me a message. I have not been able to override the protection even by SENDing "SET THE SCRIPT..." to Hypercard Mikey. Mac Admin WSOM CSG - CWRU / TRW Inc. - Corporate HQ Yea, though I walk through the valley of the shadow of death I shall fear no evil, for I am the meanest son of a bitch in the valley. ------------------------------ Date: Tue, 02 Jun 92 15:35:13 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Notes on ANSI bombs (various) Since there has been quite a bit of discussion lately about ANSI bombs, I just thought that a few footnotes might be in order. First, if an ANSI driver is in use, you cannot trust any program that does unfiltered screen writes to display a file since lines may be overwritten. The DOS utilities TYPE and MORE are two of these. Filtering word processors such as EDLIN (I know, some people do not consider EDLIN a word processor) or viewers such as LIST will either suppress the ESCAPE character (hex 1B) or translate it to a displayable sequence (usu. either a carat-bracket "^[" or left arrow (PC extended character set translation of hex 1b)). One problem in determining if an ANSI driver is in use is that it may not be labeled as such. Though ANSI.SYS comes with DOS, third party drivers such as DANSI, FANSI, DVANSI, etc. also exist and may not be so obvious. Years ago I wrote an ANSI derivative that could accomodate over 1k of keyboard redirection (most ANSI drivers only have space for about 100 bytes) to apermit a menuing system that used all forty function keys (f1-f10, alt_f1-f10, etc.) to provide single keystroke application launching. For some reason I called it "Padgett.Sys". Keep in mind that it does not have to be a .SYS driver to work either. There is no reason an ANSI program could not load after DOS so long as it intercepts and processes all screen display commands (Int 10). As I have mentioned before, all that is necessary to protect from malicious keyboard redirection is to "fix" the ANSI driver to change the key mapping function terminator from "p" to"something else" since there are a number of good features found in ANSI (try "prompt=$e[37;44m$p$g" if you have a colour display and are tired of white on black). In DOS 5.0 ANSI.SYS this is located at DEBUG offset 161h. Just change the 70h ("p") to something unused by other ANSI commands. Since there are a number of these, and the virus/trojan/bomb must get it right the first time, it is a reasonable defense and any of the above attempting a remap will just display its command on the screen (if ANSI does not recognize the escape sequence, it will release it to the screen instead of trapping it). What you would see in this case is a bracket "[" folowed by a string of garbage, followed by a lower case "p". If returns (hex 0D) are part of the sequence, the string may partly overwrite itself. If in doubt, examine the file with DEBUG. A dump will not only reveal the full string but also the leading hex 1b (escape). Warmly, Padgett ------------------------------ Date: 03 Jun 92 09:46:35 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Taxonomy of viruses mkkuhner@phylo.genetics.washington.edu (Mary K. Kuhner) writes: >Disadvantages: Distance algorithms were designed under the assumption >that changes take place one at a time and at random (as in mutation of >DNA). Computer viruses more likely change in blocks. Two viruses may >be very distant bitwise because a payload message has been changed, or >the order of certain operations is different, even though they are >otherwise identical. I think this method is especially likely to fail >with polymorphic viruses. Well, not necessarily. If the polymorphic code is just a decryption block, you simply decrypt the virus, and apply the distance alorithm to the decrypted portion. Actually, this applies to all encrypted viruses, not just the polymorphic ones. >On the whole, I think distance may work well with very closely related >viruses, but will probably fall apart with more distantly related >viruses (and is hopeless with unrelated ones, of course). This has been my experience too - I have found it very useful in determining the relationship among Jerusalem variants, for example. >2. Parsimony methods. Viruses can be hand-scored for the presence or >absence of various features--file types infected, stealth, encoding, >polymorphism, file destruction, etc. Stealth, encoding and polymorphism are features that get often added to later versions of viruses, as viruses belonging to the same family generally grow in complexity as time passes. These features are not really useful for classification. Types of files infected, TSR or not, how the virus allocates memory and other such features are a lot less likely to change... - -frisk ------------------------------ Date: 04 Jun 92 14:41:56 +0000 From: A.APPLEYARD@fs1.metallurgy.umist.ac.uk Subject: An apparent case of deliberate punitive virus-spreading Part of article 'How they get your number', page 21, 'Daily Telegraph' (by Eric Bailey, additional reporting by Hugh Davies) (British newspaper, editorial address = 1 Canada Square, Canary Wharf, London E14 5DT, England) [long description of techniques, some using computers, of reprogramming in-car phones to run charging the calls to someone else's account, and other ways of defrauding the telephone system] [First sentence of last paragraph:-] But manufacturers are fighting back: tampering with the chips of some new models corrupts both the chip and the phone, and lodges a nasty <virus> in whatever computer has been used. ------------------------------ Date: Thu, 04 Jun 92 13:06:00 -0800 From: "a_rubin@dsg4.dse.beckman.com"@BIIVAX.DP.BECKMAN.COM Subject: Re: what's this .signature stuff? refrig@dixie.com (Todd Hedenstrom) writes: >I'm sorry if this is in a FAQ somewhere I haven't been able to find, >but this is starting to nag at me - >I keep seeing a line on messages here on the net that says something >like 'Hi, I'm a virus - copy me to your .signature file' or something >like that. What the heck is that? >I just saw the same line, only this time the message was in German. I've been using it lately. IMHO, it's a joke. It does meet the definition of a virus, except it spreads only with active intervention by people. >>>Ich bin ein Virus. Mach' mit und kopiere mich in Deine .signature. <<< - -- Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea 216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal) My opinions are my own, and do not represent those of my employer. Our news system is unstable; if you want to be sure I see a post, mail it. ------------------------------ Date: Thu, 04 Jun 92 08:19:09 -0500 From: James Ford <JFORD@UA1VM.BITNET> Subject: uploads to risc.ua.edu (PC) The following files hav been placed on risc.ua.edu for anonymous FTP in the directory /pub/ibm-antivirus: virx25.zip - Ross M. Greenberg's Virex vsig9205.zip - May 1992 VIRSCAN.DAT file for TBSCAN/HTSCAN asig9206.zip - "Forgotten" additions to VIRSCAN.DAT file scanv91.zip - McAfee's VirusScan v91 clean91.zip - McAfee's CleanUp v91 vshld91.zip - McAfee's VirusShield netscn91b.zip - McAfee's VirusScan v91 (for networks) - ---------- By the time you realize what love can do, the damage has already been done. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@seebeck.ua.edu Work (205)348-3968 fax (205)348-3993 ------------------------------ Date: Thu, 04 Jun 92 13:13:51 -0500 From: perry@eugene.gal.utexas.edu (John Perry) Subject: New files on eugene (PC) (Mac) Hello Everyone! The following files have been added to the anti-viral/security archives on eugene.gal.utexas.edu (129.109.9.21) If you have any problems, please send e-mail to perry@eugene.gal.utexas.edu. Disinfectant-2.8.hqx (MAC) Virx23.zip (PC) Asig9206.zip (PC) Vsig9205.zip (PC) Netscn91.zip (PC) Scanv91.zip (PC) Vshld91.zip (PC) Clean91.zip was not added due to the fact that Clean91b.zip will be available shortly. - -- John Perry - perry@eugene.gal.utexas.edu ------------------------------ Date: 05 Jun 92 08:30:03 +0000 From: douglasm@henson.cc.wwu.edu (Douglas McCorison) Subject: Colds and Flu season... (Humor!) [Moderator's note: This is forwarded from the rec.humor.funny newsgroup] Original from my wife and I... How do you tell which computer on the network has a virus? ....It's the one with a stuffed up node. - -- Selected by Brad Templeton. MAIL your joke (jokes ONLY) to funny@clarinet.com Attribute the joke's source if at all possible. A Daemon will auto-reply. Jokes ABOUT major current events should be sent to topical@clarinet.com (ie. jokes which won't be funny if not given immediate attention.) Anything that is not a joke submission goes to funny-request@clarinet.com ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 115] ****************************************** oo ottvariIf ioftettvariIf ioftettvariIf ioftettvariIf ioftettvariIf ioftettvariIf ioftettvariIf ioftett