The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / v06i154.txt < prev next >

Wrap

Internet Message Format | 2003-06-11 | 56.6 KB

To: VIRUS-L@LEHIGH.EDU Subject: VIRUS-L Digest V6 #154 -------- VIRUS-L Digest Monday, 6 Dec 1993 Volume 6 : Issue 154 Today's Topics: Re: general information on computer viruses Virus at atomic power station Virus Bulletin's address (General) Virus infected floppy drive? (HELP!) (PC) Re: Stoned Dual-report with McAffee Scan (PC) McAfee vs Power Pump virus (PC) November 17th virus (PC) Re: Scanning below the DOS level (PC) Re: Why should a scanner HAVE to open a file? (PC) Re: STONED 3 as broken my floppy !!! (PC) Re: McAfee Vshield and Windows (bad combination) (PC) Re: which antivirus program (PC) Re: CPAV immunization in .COM/.EXE and copyrigths (PC) Re: Percentage of virus that infect boot sectors (PC) Re: Virstop & Boot sector infectors (PC) Ripper-virus (PC) Re: essex virus (PC) monkey virus (PC) Re: Restoring Floppy's Boot Sector (PC) Re: 'D3' virus (PC). Re: Thunderbyte's reply about danger of TbClean (PC) Re: Strange Behavoiur of F-PROT, possible boot sector virus? (PC) Re: WinSleuth? (PC) Re: Removing Boot Sector Virus from Floppies (PC) Re: Strange Behavoiur of F-PROT, possible boot sector virus? (PC) What does YOUTH virus do??? (PC) Re: Save all you can (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 01 Dec 93 07:03:34 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: general information on computer viruses U60780@UICVM.UIC.EDU (U60780@UICVM.UIC.EDU) writes: > We are computer illiterates at the University of Illinois at Chicago. > We are doing a final assignment in our English class. Graduation is > only three weeks away and we need help in order to get this assignment > done on time. We need some general information on computer viruses > and their effect on computers today. Please reply asap as we only Start by reading the FAQ, in particular, question A9. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 08:32:26 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Virus at atomic power station pdb@cdc.demon.co.uk (Peter Burnett) and A.APPLEYARD@fs1.mt.umist.ac.uk write: >> VIRUS: A computer virus sparked a safety scare at Sizewell B nuclear power >>station, the latest Computer Weekly says. A man was later sacked for >>introducing unauthorized software. >( I am a recent vistor as a contractor to the site ), >allthough I must say, when I went onto the site, I had PC disks with >me, but was never asked about them nor did I offer them up for >site inspection either. Reminds me of a rule I first read sometime around the time of Noah (believe it was "The Moon is a Harsh Mistress" by Heinlein): "Tell me three times". This is something that has been effective all through my career from designing digital flight controls for the F-16 to designing virus protection schemes. A single layer is *never* enough because nothing is perfect. If all they relied upon was a sign then they *all* deserve to be sacked, not just the poor SOB who got caught. What would the layers look like ? 1) The sign (policies and procedures properly promulgated) 2) Detection software at each input device (well, better everywhere) 3) Periodic and random audits to verify that (1) and (2) work (note: this can be fun for everyone if done properly). In a high risk environment, I would probably add a fourth layer where each platform is also checked by another non-vulnerable platform such as when logging into a server - but then I'm paranoid 8*) Warmly, Padgett ------------------------------ Date: Wed, 01 Dec 93 11:39:46 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Virus Bulletin's address (General) Mark J. Miller (mjm@tardis.svsu.edu) writes: > Also, I saw mention of a "Virus Bulletin". Can someone please tell > me how to get copies of this? Thanks. See the FAQ, question A7. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 30 Nov 93 14:28:58 -0500 From: jeffs@dvorak.amd.com (Jeff Sobotka) Subject: Virus infected floppy drive? (HELP!) (PC) Recently, I have had problems with my 3.5" floppy drive. It will NOT read HD disks, however, it WILL read DD disks. After replacing the cable, controller card, and the drive itself, nothing has changed! Not too long ago, I found and cleaned Stoned on my computer, but I do not detect any other viruses using SCAN. I've replaced all of the hardware, and it still behaves this way. Has anybody heard of a virus that causes this??? If so, how do I get it off? PLEASE HELP!!! - -Jeff- ------------------------------ Date: Tue, 30 Nov 93 21:12:15 -0500 From: rballard@fox.nstn.ns.ca (Rick Ballard) Subject: Re: Stoned Dual-report with McAffee Scan (PC) THE GAR (GLWARNER@samford.bitnet) writes: > Can anyone tell me why some machines would report being infected > with STONED twice on a single scan? I'm running Scan 108, and > when I scan some infected machines it reports that STONED has > been found in the partition table, then scans a minute more, > and reports the same thing again. I also experienced this. In some previous postings I asked about removing stoned from a machine that Scan108 said it could not remove safely. As far as I can remember, on every machine infected Scan108 reported the stoned virus twice. At the time I figured it was just normal behaviour. Unfortunately (perhaps fortunately), I have no specimens left. - -- __________________________________________________ _______________ | | | / _____________O | Rick Ballard | rballard@fox.nstn.ns.ca | / /|___________ | Halifax, Nova Scotia | 429-8850 | / /_/___________O | Canada | | /________________ |______________________|_________________________| |________________O ------------------------------ Date: Tue, 30 Nov 93 21:12:21 -0500 From: vfreak@aol.com Subject: McAfee vs Power Pump virus (PC) Hello All: I sent McAfee Association a copy of the POWER PUMP virus 16 months ago. McAfee's Scan still doesn't detect the POWER PUMP virus. POWER PUMP is a 1199 byte companion infector, and fairly brain dead. In the past 18 months, Power Pump has been distributed in the following files. In a hacked Qmodem 5.0 FX2.ZIP XYPHR2.ZIP XYPHR2.ZIP was accidentaly distributed on the SO MUCH SHAREWARE VOL II CD. As you know CDs will last for years. SO MUCH SHARE WARE VOL II was prepared by PowerUser Software PO Box 89 Erie, PA 16512 PowerUser Software scanned all files with McAfee's Scan because they believed it to be the best. Just because Scan doesn't detect POWER PUMP. the virus may be appearing occasionally for the next 10 years or so. After I was able to verify that XYPHR2.ZIP on the CD was really infected, I wrote a letter to PowerUser Software, and I am happy to say that PowerUser Software has stopped producing copies of SO MUCH SHARE WARE VOL II. Bill Lambdin ------------------------------ Date: Wed, 01 Dec 93 03:52:10 -0500 From: A.APPLEYARD@fs1.mt.umist.ac.uk Subject: November 17th virus (PC) spud@fnts07 (Rick Dixon FNTS09 3782 ) wrote to me on Tue 30 Nov 93 16:15:20 CST (Subject: November 17th virus):- Sir: I have a PC which seems to be infected with a virus. I have run MS-DOS 6.0 anti-virus on the hard disk but it found nothing. We first started seeing the problems on the 20th of November. Files are being reproduced. All reproduced files are either .EXE files or .COM files. All of these copied files are the same in the following manner: they are 77 bytes in size they are all dated on the same day the extension of the copied file is ._XE or ._OM Is this the November 17th virus and if so how do I get rid of it. Help I am at my whits end. Thanks for the time. Rick Dixon E-mail spud@fnts36.fnal.gov or AAA$Q@fnal.gov ------------------------------ Date: Wed, 01 Dec 93 05:49:20 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Scanning below the DOS level (PC) hstroem@ed.unit.no (hstroem@ed.unit.no) writes: > If you take the trouble to handle the low-levels of the FAT > filesystem, you must of course also take the trouble to handle sector > reading and writing in a similarly "secure" manner. This would be > accomplished by calling the ROM BIOS handler for INT 13h directly, or > by writing to the ports of the harddisk controller (good luck :-0). It That's true, but you have to worry also about the method used by the Strange virus and take care of that too. > will make things even more complicated, but it is nothing the average > antivirus programmer can't handle (right? :-)). The point is that it is too cumbersome, too non-portable (compressed volumes, networks, etc.), and so on - that's why most anti-virus producers have decided not to bother doing it. Some are doing it to some extent (e.g., TbScan). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 06:02:55 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Why should a scanner HAVE to open a file? (PC) Eric_N._Florack.cru-mc@xerox.com (Eric_N._Florack.cru-mc@xerox.com) writes: > Well, his point was that if I were to try and trace (in reverese) the ownershi > of each sector, it would result in a slower scan.... and he`s correct. Howeve > what he (and you, apparently) does not know is that my design (on paper) does > not intend to do that. The only time the scanner I`m designing would bother to > look up the ownership of the file is when it finds a string matching one in th > virus table. However, you will still have to do it too often if there is infection. Even worse, you'll have to do it too often even in those cases when there is no infection ANY MORE. That is - after a virus has been removed and its parts are still present on many sectors, which are just not contained in any files. The best that can be done with your idea is to implement it in the opposite way. Instead of scanning the sectors and trying to figure out to which file the ones containing the virus belong, figure out which sectors belong to the files that have to be scanned and scan only them. This will give you the additional advantage that you will have to scan fewer sectors. All remarks about incompatibility with device-driven volumes still apply; you'll just have to use the standard DOS functions in those cases. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 06:06:31 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: STONED 3 as broken my floppy !!! (PC) Jean Laganiere (jean@cam.org) writes: > One of my friend has detected STONED 3 on is PC a couple of day ago. > He says that he can not use is floppy drive since then. When he try > to read a disket, he always see the directory of the preceding one... > This seem very strange. Is that possible that the virus as broken > someting in is hardware ??? No, but it is possible that the virus interferes with the software controlling the drive (BIOS, DOS, cache, whatever). Remove the virus and the problem might disappear. On the other hand, the problem might be completely unrelated to the virus infection. For instance, I have the same problem on my machine. It took me a lot of time to figure out what is causing it. The culpit was the disk cacher - SUPERPCK that comes with DR-DOS. I *must* use it, because without it DR-DOS is annoyingly slow with the floppies. However, when it is turned on, the floppy drive does not notice the diskette change and also thinks that all 720 Kb diskettes are write-protected. The solution for me is to flush the cache each time after changing the diskette in the drive and to turn the cacher off when installing a product from multiple diskettes. See if your friend is running a disk cacher and turn it off - the problem might go away. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 06:10:02 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: McAfee Vshield and Windows (bad combination) (PC) Alexander Dittrich (Dittrich@urz.uni-bamberg.dbp.de) writes: > BTW, SCAN is slow, indeed, but an infection doesn4t only slow down > work, it STOPS IT. I think those few seconds of delay are REALLY > neglectible. Also, there4s another product by McAfee called SENTRY. > Don4t know how good it is, but it sure IS fast... It is also a completely different kind of anti-virus program too. SCAN is a scanner, while SENTRY is an integrity checker. And a rather insecure one, I would add. If you want to use an integrity checker and are limited to shareware products, I would recommend Integrity Master or VDS. If you can afford a commercial product and care about security, you should get Untouchable - if it is still available for sale, after Symantec aquired Fifth Generation Systems. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 06:30:43 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: which antivirus program (PC) Piet de Bondt (bondt@dutiws.twi.tudelft.nl) writes: > The scores: > software normal new polymorf > Thunderbyte TBAV 6.05 >99 >99 >99 > Sohos Vaccine 4.38 & Sweep 2.53 97.9 >83 88.4 > F-Prot Pro 2.09 >98 85.6 83 > McAfee Viruscan-VShield-Cleanup 106 94.1 60.5 92.1 > Dr. Solomons anti-virus toolkit 6.54 96.7 61.3 62.9 > PC Vaccine Professional 1.21 94.5 40.9 >74 > IBM Antivirus 1.03 92.9 61.5 47.7 > Norton Antivirus 2.1 71.5 20 40 > Microsoft Anti-virus 70 19.8 27 A couple of things are a surprise to me in the above results: 1) That TBAV (you mean the scanner TbScan, right?) performed so well compared to the others. You have obviously used it with heuristics turned on. In this case, it is not very fair to compare it with F-Prot, which has a separate "heuristic analysis" mode. Also, in my experience, TbScan sometimes has unreliable detection - that is, it doesn't detect all replicants of a virus, or reports some of them with the name of the virus and some as "unknown virus" (because the heuristics have triggered). Not very often, but often enough to be noticeable. Did you use several replicants of each virus in those tests? 2) That PCVP got such incredibly low score with the new viruses. It's really bizzare... Could there be some mistake? 3) That FindVirus (from the AVTK) got such a low score on new and polymorphic viruses. I would expect it to be in the 85-95%. BTW, can you list the polymorphic viruses used during the tests? And how was the percentage computer - as a percentage of the detected viruses or as a percentage of the detected replicants? > ***1) avoid Microsoft and Norton And especially CPAV. Remember, it even didn't succeed to complete the tests. I have the same experience here - CPAV 2.0 crashes on some replicants of the MtE-based viruses; it crashes on some replicants of Tremor; it crashes on some replicants of Andryushka... There seems to be a serious bug in it, so I would advise everybody to avoid it. Version 2.1 (the "special Vesselin Bontchev edition" that they sent me) at least doesn't crash. > ***3) Use (in combination of one of those anti-virus packages) an > integrity checker. One of the best (as far as I know) is > Integrity Master, but there should be others around too. > McAfee, Dr. Solomon and Sophos seem to have rather reliable > ones. I strongly disagree with the above; especially with the last sentence. Integrity Master is indeed the best shareware integrity checker I have seen, but on a general scale I would rate it only as "good enough". McAfee's integrity checker is insecure and vulnerable to several kinds of attack against integrity checkers, described in my paper on the subject. Don't know about Sophos - have never seen theirs. Dr. Solomon's integrity checker is just junk - forget it. The scanner is excellent (one of the best, IMO), but the integrity checker is completely useless. > resident programs. For me it was (although I knew it was rather > reliable) a kind of a surprise that TBAV came out 'best'. For me too. I expected to find it near the top of the list, but not at the top. > NOTE 2: mail me if you want to know more details on this test and I will > try to answer any questions. Is it possible to get a list of the viruses used in the test? Not the viruses themselves; just their names, in a way sufficient to identify them (their CARO names would be ideal). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 06:42:04 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: CPAV immunization in .COM/.EXE and copyrigths (PC) b manuel (bmanuel@melmak.engga.uwo.ca) writes: > I have read the manual and still can't find anything about > using this immunization in commercial software. > Can I do this or is there any restrictions I am unaware of? I am not sure that I understand your question. Are you asking whether there are any copyright problem if you "immunize" other programs? Well, you should refer to the license of those programs - if it does not allow you to modify the executable, then "immunizing" it will be against the terms of the license. Besides, there are many other problems with the immunization: 1) It doesn't detect new stealth viruses. 2) Files with internal overlay structure, containing debugging information, or Windows applications cannot be immunized. 3) If an immunized file gets infected, when you run it, you will still activate the virus, regardless of whether the immunization module will detect the presence of the virus or not. 4) If the virus is a fast infector, the disinfection function probably will not work. 5) Immunizing an already infected file can "hide" the presence of the virus from several scanners that would be otherwise able to detect it. In short, "immunizing" programs is a very bad idea. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 07:30:32 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Percentage of virus that infect boot sectors (PC) David Hanson (afrc-mis@augsburg-emh1.army.mil) writes: > of backups (naturally) came up. Of course, a good backup strategy should be > your first line of defense against virus problems. It is a very important line of defense, but I would call it the last line of the defense, not the first one. The first line should be not to allow a virus on your computer in the first place (scanners, monitors, access control devices). The second line should be to detect it early enough if it slips through the first line (integrity checkers). The third line should be to remove it (generic and specific disinfectors). At last, if nothing works, you should resort to the last line of defense - restoring from a backup. The third line (disinfection) is often not very reliable and often can be skipped. > I noted that use of a tape backup can be especially effective against boot > sector virus, as there is no boot sector on a tape to carry the infection > into your backups (as opposed to a file infector). Correct. > My question is, what percentage of known virus are boot sector infectors? About 7-8%. Sorry, can't supply more exact numbers; haven't counted the known viruses recently. The above number is based on a -very- rough guestimation of 3,300 known viruses, about 250 of which - BSIs. > What percentage of common (ie., "in the wild") virus are boot sector? About 40%. This is based on the WildList of November '93, published by Joe Wells (42 BSIs out of 109 viruses; multi-partite viruses counted as BSIs, which is probably not very correct, but which doesn't affect the percentage very much). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 07:31:12 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virstop & Boot sector infectors (PC) Fabio Esquivel (FESQUIVE@ucrvm2.bitnet) writes: > I allways supposed that Virstop.EXE from the F-Prot package was capable > of detecting diskettes infected with a boot sector virus, even a simple > one: Stoned. [deleted] > Is this a bug? Or a feature (just because boot sector viruses do not > get active when a DIR command is issued)? Boot sector viruses indeed do not get active when a DIR command is used, but the boot sector is read anyway, so VirStop should be able to detect them. Are you sure that you have used the /boot option when you have started VirStop? If you have, then it might be a bug. If you haven't - use it (and read the documentation for VirStop - it's described there). > To Vesselin: Regarding the question about Frisk's name on viruses... > Check the description of Billboard 1.0 virus on VsumX310. Ah, indeed. I was looking for "Fridrik", that's why I didn't find it. Well, we don't have a copy of the virus either. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 07:36:27 -0500 From: P.Lucas@mail.nerc-swindon.ac.uk Subject: Ripper-virus (PC) I am currently sorting out an infestation of the Ripper-virus on a number of PCs. Can anyone supply me with any info on the characteristics of this beastie? It trashes hard-disks after a number of boots. In particular, I am interested in where the 'number of boots' info is kept, so I can try and develop a feel for how the visus has propagated. All information gratefully received! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter J.M. Lucas NERC Computer Services Swindon England pjml@swmis.nsw.ac.uk pjml@uk.ac.nsw.swmis g6wbj@gb7sdn.gbr.eu 'Bring unto me the little children; and I will get a good price for them' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: Wed, 01 Dec 93 06:59:09 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: essex virus (PC) Mike Osier (mosier@moose.uvm.edu) writes: > Recently, there have been a number of infections of the Essex Virus here The standard CARO name of this virus is Qrry and that's how F-Prot calls it. FindVirus calls it "Query" and SCAN calls it "Essex [Ess]". > on campus...I've searched far and wide for more information on this virus > only to find nothing on the net...I've even gone so far as to check the Try ftp.informatik.uni-hamburg.de:/pub/virus/texts/carobase/carobase.zip > documentation of Scan and Central Point AV, as well as write McAfee's > support line on the net (which didn't know anything about it, although the That's not very nice from their part, having in mind that their program seems to be the only one that calls this virus like that... :-) > An individual within the department found a way to remove the virus from > HD's, but I'm unsure if this will remove it from floppies also...it was in > the following batch file: > FDISK /MBR > SYS C: Two problems with that: 1) The "SYS C:" part is useless and can be even harmful, if the disk contains a different version of the operating system than the one on the floppy from which the batch file is run. (You must boot from DOS version 5.0 or above, otherwise FDISK will not support the /MBR option.) 2) It doesn't work on floppies. > I know this works fine for the hard drive, but will it also work for > infected floppies (of which I have several dozen to disinfect)...only a > handful of the floppies are boot disks (therefore the "sys" command won't > help out there)... No, it won't. To fix the problem, create two batch files - one containing only "FDISK /MBR" and one containing "SYS B:" (or whatever your available floppy disk drive is). The problem with the non-bootable floppies - well, DOS 5.0 and above can make bootable almost any floppy that has enough free disk space. As an alternative, try using McAfee's CLEAN in this way: clean a: [genb] It might work (well, not tested, but should work). F-Prot can also remove this virus, I think. > I would also appreciate any other information about the virus (ie actual > location of infection and method of infection [besides boot rec virus, etc). Chech the place I mentioned. I could post the CARObase entry for this virus here, but then I will have to explain the meaning of each of the different fields and the archive I mentioned contains this description too, as well as some CARObase entries. > please e-mail me at mosier@moose.uvm.edu as I do not subscribe to this > list, as well as to save bandwidth... 1) I hate "I don't read this list, e-mail me" messages. If you are interested enough to ask a question, you should bother to subscribe to the group at least for some time and check for answers. 2) If you have problems with viruses, you *should* subscribe to this list. 3) There may be other people interested in the answer of the same question. I am CC'ing a copy of this article to you, though. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 09:46:19 -0500 From: KRIS WESTMAN <WESTMANK@central.edu> Subject: monkey virus (PC) Fellow Virus-busters, Recently, there has been an outbreak of the Monkey virus in our neighborhood. Although we have not been hit yet, I would like to make sure my defenses are in place. Am I correct in believing that since Monkey is a boot sector virus, it can only be tranferred from a diskette to a pc by booting from the diskette? TIA, -- klw -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | Kristy Westman | WESTMANK@central.edu | | Computer System Manager | | | Central College | Work: (515) 628-5289 | | 812 University Street | Fax: (515) 628-5316 | | Pella, IA 50219 | | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ------------------------------ Date: Wed, 01 Dec 93 10:00:31 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Restoring Floppy's Boot Sector (PC) Russell Aminzade (aminzade@moose.uvm.edu) writes: [DEBUG scripts for reading and writing boot sectors deleted] > Here's my question. Is there a soul out there who can tell me > how to make these debug scripts into EXE or COM files? You can't. DEBUG scripts don't "compile". You have to write your own program that does the same. > - -- writing each byte in pig latin like that). I suspect it would > just be one more line or two of DEBUG Nope, the scripts don't contain programs; they use the built-in routines of DEBUG. It is still possible to write a program to do what you want, although it would take a bit more than just a line or two of DEBUG. :-) Here is one I wrote for you. Save everything between the "cut here" lines in a file named RWFBOOT.SCR and execute the command debug < rwfboot.scr This will create the program RWFBOOT.COM. It can be used in the following way: rwfboot -r file reads the boot sector of the floppy disk in drive A: and stores it in a file. rwfboot -w file reads the first 512 bytes from the file and writes them as a boot sector on the diskette in drive A:. You can use '/' instead of '-' in front of the option. You *must* use either 'r' or 'w'. If you use the wrong syntax, or if an error occurs, the program will print the appropriate (but rather terse) error message, explaining which phase of the transfer process didn't work. One problem of this program is that it can work ONLY with drive A:. Modifying it to work with any logical drive, specified from the command line, is left as an exercise to the user. You'll have to switch from using INT 13h to using INT 25h/26h and take care of the different ways to call these interrupts in the different versions of DOS (pre 4.0 and post 4.0). Regards, Vesselin ====8<====Cut Here====>8==== e 100 A0 80 00 98 09 C0 75 08 BA 83 02 B4 09 E9 BD 00 e 110 8B C8 BA 79 00 BE 81 00 BF A4 02 FC E8 B4 00 3C e 120 2D 74 04 3C 2F 75 E1 AC 49 74 DD 0C 20 3C 72 74 e 130 0A 3C 77 74 02 EB D1 FE 06 A3 02 AC 49 74 C9 3C e 140 20 74 04 3C 09 75 F4 E8 89 00 74 BC AA F3 A4 B0 e 150 00 AA A0 A3 02 09 C0 74 33 B8 00 3D BA A4 02 CD e 160 21 73 05 BA 6F 02 EB 5C 93 B4 3F B9 00 02 BA 24 e 170 03 CD 21 73 05 BA 56 02 EB 4A 3D 00 02 75 F6 B8 e 180 01 03 E8 5B 00 74 33 BA 0F 02 EB 38 B8 01 02 E8 e 190 4E 00 74 05 BA 56 02 EB 2B B4 3C 31 C9 BA A4 02 e 1A0 CD 21 73 05 BA 2A 02 EB 1B 93 B4 40 B5 02 BA 24 e 1B0 03 CD 21 73 05 BA 3F 02 EB 0A B4 3E CD 21 B0 00 e 1C0 B4 4C CD 21 52 BA ED 01 B4 09 CD 21 5A CD 21 B0 e 1D0 01 EB ED AC 49 74 08 3C 20 74 F8 3C 09 74 F4 C3 e 1E0 B9 01 00 31 D2 BB 24 03 CD 13 08 E4 C3 45 72 72 e 1F0 6F 72 20 24 72 65 61 64 69 6E 67 20 74 68 65 20 e 200 62 6F 6F 74 20 73 65 63 74 6F 72 2E 0D 0A 24 77 e 210 72 69 74 69 6E 67 20 74 68 65 20 62 6F 6F 74 20 e 220 73 65 63 74 6F 72 2E 0D 0A 24 63 72 65 61 74 69 e 230 6E 67 20 74 68 65 20 66 69 6C 65 2E 0D 0A 24 77 e 240 72 69 74 69 6E 67 20 74 6F 20 74 68 65 20 66 69 e 250 6C 65 2E 0D 0A 24 72 65 61 64 69 6E 67 20 66 72 e 260 6F 6D 20 74 68 65 20 66 69 6C 65 2E 0D 0A 24 6F e 270 70 65 6E 69 6E 67 20 74 68 65 20 66 69 6C 65 2E e 280 0D 0A 24 55 73 61 67 65 3A 20 72 77 62 6F 6F 74 e 290 20 7B 2D 7C 2F 7D 7B 72 7C 77 7D 20 66 69 6C 65 e 2A0 0D 0A 24 00 n rwboot.com rcx 1a4 w q ====8<====Cut Here====>8==== - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 10:57:31 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: 'D3' virus (PC). P.Lucas@mail.nerc-swindon.ac.uk (P.Lucas@mail.nerc-swindon.ac.uk) writes: > Does anyone have any information on what S&S [Alan Solomon] > describe as the 'D3' virus? Yes, somebody does. :-) > Its a boot-sector infector that apparently has no payload > and is not stealthed. It hooks int13. It is a MBR infector, does have a payload, is stealth, and hooks interrupts 13h and 0D3h. > Any additional info on its behaviour , or what its > called by others, would be of interest. Standard CARO name of this virus is AntiEXE. F-Prot calls it AntiExe. SCAN calls it "NewBug [Genb]". Here is a CARObase entry for this virus. For a description of the CARObase format (although a slightly obsolete version) and explanation of the meanings of the different field and entries, see ftp.informatik.uni-hamburg.de:/pub/virus/texts/carobase/carobase.zip Regards, Vesselin NAME: AntiEXE ALIASES: D3 TARGETS: MBR, FBR RESIDENT: TOP MEMORY_SIZE: 1K STORAGE_SIZE: 1S WHERE: LAST_R (any floppy), AT 0/0/0dH (HARD) { The virus calculates the address of the last sector of a root directory, using data from BIOS parameter block on a diskette } STEALTH: INT 13/AH=02,CX=0001,DH=0 { Hides infected MBR/FBR } POLYMORPHIC: NONE ARMOURING: CODE { Remaps INT 13 to INT D3 and uses the latter } TUNNELLING: BIOS (OTHER - loaded before DOS) INFECTIVITY: 6 { As Stoned - MBR infector } OBVIOUSNESS: NONE COMMONNESS: 2 COMMONNESS_DATE: 1993-09-19 TRANSIENT_DAMAGE: When the virus is active in memory, some (one?) EXE program(s) are copied/loaded with a very first byte changed (i.e. 'MZ' sign is corrupted). Thus, such a program would be treated by DOS as a COM program, most likely hanging a PC when executed. T_DAMAGE_TRIGGER: First eight bytes of a sector being read are as follows: DB 'M', 'Z', 40H, 00H, 88H, 01H, 37H, 0FH I.e. the virus hunts for a certain EXE header. PERMANENT_DAMAGE: NONE P_DAMAGE_TRIGGER: NONE SIDE_EFFECTS: As in the case of Stoned, if a floppy being infected contains many files/subdirectories in its root directory, several (up to 16) last entries in the root directory get corrupted. INFECTION_TRIGGER: Floppies: INT 13/AH=02,CX=00001,DH=0 && DL<=1 { I.e. it attempts to infect a floppy in either A: or B: drive when the floppy's Boot record is being read } Hard disk: Boot from an infected floppy { As Stoned } MSG_DISPLAYED: NONE MSG_NOT_DISPLAYED: 'MZ' INTERRUPTS_HOOKED: 13/AH=02, 13/AH=F9, D3 SELFREC_IN_MEMORY: NONE { Doesn't need any - MBR/FBR infector } SELFREC_ON_DISK: PDisk[0/0/1][0-3] == Virus[0-3] { Compares first 4 bytes of MBR/FBR to the virus body } LIMITATIONS: NONE { MS-DOS/PC-DOS } COMMENTS: The virus hunts for a certain unknown EXE program. Besides INT 13/AH=02 (Read Sector(s)) BIOS function, the virus also intercepts INT 13/AH=F9, which is unknown to me. In the case of AH=F9 the virus simply returns to the caller. ANALYSIS_BY: Dmitry O. Gryaznov DOCUMETATION_BY: Dmitry O. Gryaznov ENTRY_DATE: 1993-09-21 LAST_MODIFIED: 1993-09-21 SEE_ALSO: END: - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 11:20:10 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Thunderbyte's reply about danger of TbClean (PC) Piet de Bondt (bondt@dutiws.twi.tudelft.nl) [actually, Frans Veldman] writes: > TbClean will normally use the Anti-Vir.Dat records, which do not pose any > risk at all. Heuristic cleaning will only be performed as a last resort, > if all other means to clean a file failed, mainly because the user > neglected to use TbSetup. If you apply our tools correctly, there is and > has never been any danger. It's not as easy as that. Consider the following scenario: The user gets some new files. One of them is infected with this virus. Since the files are new, obviously no Anti-Vir.Dat records can exist for them. The user runs TbScan. The scanner tells them that one of the files is probably infected with an unknown virus. The user runs TbClean. Failing to see any Anti-Vir.Dat records, TbClean begins to trace the virus. The virus gets control, escapes, and infects the user's system. You have to admit - there *was* a security hole in the old versions of TbClean. > ??? How do you mean 'Too high'? According to what standard? The default > heuristic mode of TbScan does not cause any false alarm. "Any" is probably a bit overstated. Any scanner which is of any practical use will give a potentially infinite number of either false positives, or false negatives, or both. Usually - both. For instance, TbScan does the following on my machine. It finds a virus "demo" program, which contains most of a virus (Murphy), with just the replication code disabled and reports it as a virus. So far - so good; there's nothing wrong in that - this program is quite natural to be flagged as a virus. However, this forces TbScan to switch its heuristics in "paranoid" mode and it then reports as "probably infected" a bunch of other files which it normally shouldn't. > Heuristic is already perfect. It detects about 90% of the new viruses. For many people this is far from perfectness. A normal user will find the detection rate too low - after all, what are those percentages helping me if the 10% undetected viruses infect my system? On the other hand, a big corporation, with thousands (if not millions) of users, using all kinds of software, may find the false positive level still too high. At last, don't forget that the potential number of possible viruses (the "new" or "unknown" ones) is practically infinite. And 10% of infinity is still quite a lot... :-) BTW, I am very curious how exactly have you calculated this percentage? Just running the scanner on a collection of existing viruses? First, that is pretty difficult to test - while it is possible to disable the heuristics in your scanner, I know of no way to disable the known virus detector, so I can't check what part of the known viruses can be detected by the heuristics. Second, as soon as the virus writers figure out *which* 10% of the viruses pass undetected, they will just begin to create their viruses like that and the rate will drop... I would say - the heuristic checker is *good*. Certainly not perfect; just a valuable additional line of defense, which has to be used properly. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 11:28:21 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Strange Behavoiur of F-PROT, possible boot sector virus? (PC) Eric Eastwood (eastwood@unbsj.ca) writes: > 2) 09:30 Have the virus located on one machine in lab and get reports > from F-PROT 2.09f saying that is the "TELECOM virus" is in > memory. Only if you boot the machine using the hard drive and > letting autoexec.bat be run. (loadhigh, mouse, doskey, msav > and mode only programs in autoexec.bat). If autoexec not run > virus not seen. Check the contents of AUTOEXEC.BAT. Does it start a program called VSAFE? Yes? Remove that line and your problem will go away. See a previous article of mine for advice what to do with VSAFE in particular and the whole MSAV/CPAV/TNTVIRUS/whatever package in general. > 4) 10:15 Discover that only F-PROT will find the virus, MSAV and SCAN > do not find the virus. SCAN detects this virus reliably. Yet another indication that you are getting a false positive. The latest version of F-Prot will warn you if you have VSafe loaded in memory and will refuse to scan the memory for viruses. > 5) 11:00 Get virus to infect a disk with f-prot on the disk. The disk > will consistently give a hit for the "TELECOM" virus. Cannot The disk? Or only in memory? > 6) 11:45 Try to get virus to infect another disk that we have made in > our offices as a duplicate of a master disk. The virus will > not attack the disk, even though it is still reported in > memory. It's pretty difficult for it to attack the disk, if it is not present. :-) > We also start to low level format each if the drives > in the lab (20 machines in all) As I am often saying, this is never necessary, often stupid, and sometimes harmful. > 7) 13:15 After trying for over hour an to get virus to act > consistently, virus seems to disappear from the infected > F-Prot disk even though it is write protected. Most probably, it has never been there in the first place. > 8) 13:45 Get the original disk that was used to do the scanning and > find that it has been modified by Central Point Anti-Virus to Sigh... CPAV. Yet another thing to throw away. > 10) 15:00 For the sake of our collective sanity, we stop trying to find > the virus to sit back and reflect on what has happened. Maybe you should have begun with that. :-) > Have we been chasing a non-virus conflict between MSAV and F-PROT? Yes. > Is there any other way to rid ourselves of this virus besides > reformatting all of the hard drives on campus? Yes. Just throw away MSAV/CPAV. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 11:35:48 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: WinSleuth? (PC) Fabio Esquivel (FESQUIVE@ucrvm2.bitnet) writes: > Does anybody have any experience with the Win Sleuth antivirus? > Where is it from? Is it good? Never heard about it. > Someone here says it identifies the Kamikaze and OM-97 viruses in the > same PC, though F-Prot just finds Kamikaze. Which version of F-Prot? An old version had a problem with a false positive for Kamikaze, I think. This virus is written in a high-level language, and it is very difficult to extract a reliable scan string for it that does not cause a false positive. You see, most of the virus is just standard libraries. If you pick your scan string from there, chances are that you will detect as "infected" any other program that uses the same library functions. The rest of the virus is compiler-generated code, which also looks pretty "normal". On the top of that, the virus is of the overwriting type and is extremely difficult to spread. What you get is almost certainly a false positive. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 11:43:27 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Removing Boot Sector Virus from Floppies (PC) kevin marcus (datadec@ucrengr.ucr.edu) writes: > >> Er... While true, keep in mind that this is treated as data, and not > >> code - it is not executed. > 2) I was just making it clear in that particular comment block - > because it wasn't. > The part up top there with the ">> >" in front of it. I see, sorry for the misunderstanding. The wording of your sentence, combined with the fact that you were posting a follow-up to an article of mine, made me believe that you mean me. Maybe a wording like "readers should keep in mind" would have helped. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 01 Dec 93 11:58:14 -0500 From: Otto Stolz <RZOTTO@NYX.UNI-KONSTANZ.DE> Subject: Re: Strange Behavoiur of F-PROT, possible boot sector virus? (PC) On Thu, 25 Nov 93 15:54:45 -0500 Eric Eastwood <eastwood@unbsj.ca> said: > 1) The lab is closed to all access until we can isolate the problem. Good move. However, do not let you drive to panic by the fact that people are waiting to use that lab. > 2) Have the virus located on one machine in lab and get reports > from F-PROT 2.09f saying that is the "TELECOM virus" is in > memory. Actually, there are at least 3 Telecom viruses; they used to be identified by older versions of F-Prot and Scan, thus: Caro Identifier | F-Prot 2.06b | Scan V99 ----------------+--------------------+------------------ Kampana.3445 | Telecom (3445) (?) | 4096 [4096] Kampana.3700 | Telecom (3700) | Telecom [Tele] Kampana.3784 | Telecom (3784) | Holo [Hl] When you are seeking advice via E-mail, please be as precise as possible. > Only if you boot the machine using the hard drive and > letting autoexec.bat be run. (loadhigh, mouse, doskey, msav > and mode only programs in autoexec.bat). Probably a ghost positive (F-Prot sees MSAV). > 3) Find virus on about half of the machines in the lab using > F-PROT after booting the machines with a full pass of the > autoexec.bat. Look for differences between machines, and procedures used. Do all machines actually invoke he same sequence of MSAV, other programs, and F-Prot from their Autoexec files? Are all program versions used identical? > 4) Discover that only F-PROT will find the virus, MSAV and SCAN > do not find the virus. These are more hints on a ghost positive. > 5) Get virus to infect a disk with f-prot on the disk. How? Please try to describe precisely your actions, and the responses when you seek help via E-mail. > The disk > will consistently give a hit for the "TELECOM" virus. Cannot > tell where the virus is because [...] F-Prot always tells you where it has located a virus. For file-viruses (such as Kampana alias Telecom) it will display, and record, the full file name, including path. No need to resort to auxiliary information or clean backups -- just read the Scanning Report. > 6) [...] We also start to low level format each if the drives > in the lab (20 machines in all) Unneccessary work for you. Unneccessary delay for the regular users. > 7) After trying for over an hour to get virus to act > consistently, virus seems to disappear from the infected > F-Prot disk even though it is write protected. To get a computer to act consistently, you will have to boot from a clean DOS disk, invoke no program, whatsoever, from the hard disk (not even a "| more"), and invoke just one (not several) Scanner from a clean disk. A "clean disk" is a floppy disk that has been formatted and written in a clean environment, that has been write-protected ever since, and that has never been used in a faulty drive. > 8) Get the original disk that was used to do the scanning and > find that it has been modified by Central Point Anti-Virus to > have external self checking code. A clean environment (cf. previous paragraph) is an environment that has been established as described in the previous paragraph, and that does not attempt to modify programs not meant to be modified. In other words, CPAV does render your environment dirty. > 10) For the sake of our collective sanity, we stop trying to find > the virus to sit back and reflect on what has happened. Definitely a good move. Would have been perfect if scheduled as second item, right after closing the lab to the public. > Have we been chasing a non-virus conflict between MSAV and F-PROT? Most probably. > Is there any other way to rid ourselves of this virus besides > reformatting all of the hard drives on campus? Reformatting all the hard disks will definitely NOT rid you of any virus! When you really have a virus, you can format (both lo & hi) all your hard disks, and re-install all the software from clean copies, and the next day, the virus will be back from one of the user's floppy disks! You will rather have to identify all copies of the virus on all accessable media (including network connections and user's disks) and make them inaccessable (remove from accessible media, cut network links if the virus will not be removed from the foreign node, lock away specimens on disks). In case of a public computer lab, this includes making *policies* and installing *procedures* to check all (really all!) (repeat: any and all and every and each) disks any user might choose to bring in -- before they are used on your computers, of course. To locate all copies of the virus, you should use a reliable scanner. One scanner is better then several, if it reliably locates the virus. How to remove the copies from media, depends on the type of the virus: - - file viruses are removed by re-installing the affected software from clean master disks, - - companion viruses are removed by erasing the parasitic COM file, - - DOS boot record viruses are removed by writing a new DOS boot record (use DOS Sys or Format commands, as appropriate, or utilities such as FixFBR by Padgett Peterson), - - Master boot record viruses (on hard disks only) are removed by writing a new MBR (use FDISK /MBR, after making sure that the C: partition is still accessable after a clean boot from floppy). Some viruses need special treatment, as they do not fall into one of the above categories, or as they effect additional modifications on the infected media which must be reverted (if possible). Bottom lines: - - don't panic; reflect; - - know what you are doing: do not believe what is told (or displayed) to you, believe only what you can prove; - - keep precise records of your actions and the computer's responses; - - it is virtually never neccessary to low-level format all disks; - - to deal effectively whith viruses you must know what you are doing; - - you will have to find, and eradicate, all copies of a virus to avoid recurrences. Good hunting, Otto Stolz <RZOTTO@nyx.uni-konstanz.de> <RZOTTO@DKNKURZ1.Bitnet> ------------------------------ Date: Wed, 01 Dec 93 11:36:01 -0500 From: carpenterv@vmsf.csd.mu.edu (V.S.Carpenter) Subject: What does YOUTH virus do??? (PC) We have a lab that is having a really bad problem with the YOUTH virus. SCAN/CLEAN and CPAV don't even find the virus, but F-PROT (the master) reports the infection as YOUTH.... Most of the files on the infected machines are stripped of their contents. The files lengths are either 0 bytes or 1024 bytes. My question is: Is the virus doing this to those files or it is a prankster???? Any comments, suggestions would be greatly appericiated. Thanks Vin - --- __ ___ __ ___ __ \ / | \ | V. S. Carpenter | It takes a big man to \ / | \ | Marquette University | cry. It takes an even / | | \ | carpenterv@vms.csd.mu.edu | bigger man to laugh at / | | | vinit@studsys.mscs.mu.edu | that man -Jack Handey ------------------------------ Date: Wed, 01 Dec 93 11:32:06 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Save all you can (CVP) Ellen Carrico (ecarrico@spl.lib.wa.us) writes: > > program cost you, anyway? $500? Even if you don't have the > > original disks toinstall it again, you can run down to the store > If you have a legal copy, you *should* have the disks, shouldn't you? You should, but they wouldn't necessarily be of any use to you. Many vendors still distribute their software on floppies that are not permanently write-protected. Chances are, that the victim of a virus infection has managed to infect them too. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 154] ******************************************