home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
misc
/
v05i011.txt
< prev
next >
Wrap
Internet Message Format
|
1992-09-27
|
26KB
From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #11
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Wednesday, 22 Jan 1992 Volume 5 : Issue 11
Today's Topics:
Re: Looking for info on "Friday the 13th" virus (PC)
Keypress and Keypress II (PC)
Re: Making DIR of a contaminated floppy (PC)
Re: NCSA has tested Antivirus Programs (PC)
Novell viruses (PC)
Re: 1575/1591 Virus (PC)
WDEF (mac)
PC Virus Checker for Unix (PC) (UNIX)
Re: New Antivirus Organization Announced
Re: New to the forum - question
Re: New Antivirus Organization Announced
Sigs
Polymorphic viruses
new program from Padgett Peterson available (PC)
Iraqi Computer Virus story Defended !
Mail Problem (McAfee)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 17 Jan 92 06:13:36 +0000
From: forbes@cbnewsf.cb.att.com (scott.forbes)
Subject: Re: Looking for info on "Friday the 13th" virus (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Yes, but the original poster said that his disk was formatted on
>13-Dec-1991. This excludes the Jerusalems and the South Africans, and
>also Datacrime. If I remember correctly, Monxla, Leningrad, and Omega
>do not format the disk... Or am I wrong? Does any of it at least
>overwrite it? Maybe this has been misinterpretted as formatting... And
>I can't remember what Relzfu does when it activates... :-(
My apologies for ambiguity in the original post. I wrote, "The hard
drive received a low-level format," by which I meant that, as a method
of curing and removing the virus, all recoverable files were removed,
the hard drive was formatted, and the files were restored from master
disks.
As to damage caused by the virus, I'm afraid I can't be certain: An
eager but very misguided person got to the computer before I did, and
attempted to make repairs by copying several files *onto* the damaged
drive...
The only things I know for certain are that the disk was made
unbootable, and that later attempts to repair the drive (using Norton
Utilities) showed a damaged File Allocation Table.
Hope this helps. Any/all info would be appreciated.
- -- Scott Forbes
------------------------------
Date: Fri, 17 Jan 92 03:35:31 -0500
From: <CSRCC%CUNYVM.BITNET@mitvma.mit.edu>
Subject: Keypress and Keypress II (PC)
Hi everyone.
Does anyone have a product thet can clean an infected
program from Keypress, Keypress II and Tirku ???
/Colin St Rose
Internet: CSRCC@CUNYVM.CUNY.EDU
Bitnet: CSRCC@CUNYVM
Compuserve: 75730.2121@COMPUSERVE.COM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------
Date: 17 Jan 92 10:29:12 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Making DIR of a contaminated floppy (PC)
UBAESQ01@EBCESCA1.BITNET (Josep Fortiana Gregori) writes:
> 1. Boot from a clean write-protected floppy
> 2. SCAN C:\ /m /chkhi
> >> No viruses found
> 3. SCAN B:\
> >> Found Anti-Tel Virus A-Vir! in boot sector
> 4. DIR B:
> 5. SCAN C:\ /m /chkhi
> >> Found Anti-Tel Virus A-Vir!
> active in memory
> My conjecture is that the boot sector is read in one of the
> DOS buffers, so that the virus is present in memory as data,
> not code (so it is not active).
> Is that correct?
Yes, your conjecture is correct. It's not a virus, it's a ghost false
positive in memory. Possible fixes are:
1) Run CHKDSK (on a non-infected disk) each time after SCAN detects a
virus or you copy an infected file/diskette. CHKDSK will flush the DOS
buffers, and the stupid ghost will disappear.
2) After 2., always run SCAN with the /nomem switch. After all, you
have already checked your memory (including the upper memory, which is
completely useless, since no known virus is using it and SCAN can
detect only known viruses), so you -know- that the memory is not
infected.
3) Pester McAfee Associates to write a better memory detection
routine. It can be done (there are several scanners like HTScan,
TbScan, F-Prot, which already do it) in such a way, that these stupid
ghost false positives do not occur. I am doing this since quite a long
time, let's hope that if more users do it, SCAN's memory checking will
be finally improved.
Hope the above helps.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 17 Jan 92 10:41:15 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NCSA has tested Antivirus Programs (PC)
frisk@complex.is (Fridrik Skulason) writes:
> They wanted to program to be able to disinfect itself in memory,
> disable the virus, if it was active in memory, and continue as if
> nothing had happened...something which I consider too dangerous.
Even worse - I claim that the above is IMPOSSIBLE in all cases. There
are currently several products, which claim to add a
"self-disinfecting" envelope to other programs: I have only McAfee's
FShield, but have heard about at least three more - The Untouchable,
something from Central Point Software, and a product under
development, which I discuss with someone from Bogota, Colombia (if I
remember correctly, else - sorry)
Neither of the products is able to do the above against all possible
viruses, even if we limit the viruses to use only the currently known
techniques. In fact, I'm almost certain, that even some of the
currently existing viruses will be able to circumvent all of the
products mentioned...
It just cannot be done!
> Actually - quite a few of the "American" anti-virus program are actually
> American at all...quite a few of them are just repackaged programs from
> elsewhere...Israel for example.
Yeah, if you mean CPAV and the Untouchable... But, I have observed the
same thing as the original poster - the European anti-virus programs,
at least the scanners, seem to be supperior to the American ones, at
least those we have here at the VTC.
When compared with Dr. Solomon's Anti-Virus ToolKit and your product,
only McAfee's scan was able to compete, and only if I compared the
capabilities to detect whether an object (file or boot sector) is
infected or not. Even VirX (the free version) didn't score that
much... (More exactly, SCAN was somewhere between AVTK and F-Prot.)
However, I tested only the detection capability, since this is the
most important, IMHO, property. If one considers anything else -
speed, user interface, flexibility, exactness of the reports,
documentation, ability to remove viruses, ability to detect unknown
variants of the known viruses, then even SCAN is left far behind...
American anti-virus producers, where are you? The challenge is here to
take... Just don't ferget that the task is not easy and involves a
huge amount of research efforts...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 17 Jan 92 12:49:01 -0500
From: Doug Eckert <75140.1550@CompuServe.COM>
Subject: Novell viruses (PC)
Greetings, All;
I'm interested in obtaining a (believable) list that says which
viruses infect and/or spread through Novell local area networks,
and what effects they cause (error messages and the like). I've
followed information about the GP1 ("Get Password 1") about as
far as seems worthwhile (it doesn't work).
Below I'll share with you what some testing I was involved in
early last year showed. My feeling is there needs to be more
trustworthy information available on this subject. If NOVELL has
any such listing, last time I checked they weren't sharing.
We were testing Central Point Anti-Virus version 1.0, at the time
of the below. The results were shared with Central Point. And
while they are heartening for those of us who depend upon LANs
every day, the sample is obviously too small for any general
smugness about the imperviousness of Novell Trustee Rights.
VIRUS / LOCAL AREA NETWORK TESTING
SUMMARY
Only two of the five viruses tested, 1701 and Invader, proved
capable of cirumventing the file attributes set by the Novell
FLAG.EXE command. Repeated attempts with all 5 viruses to infect
files protected by Novell Trustee Rights (for example, IBM DOS
3.30 files in F:\PUBLIC\IBM_PC\V3.30 when logged in as a non-
supervisory user without trustee rights to those subdirectories)
were unsuccessful. Upon execution, Jerusalem-B consistently
either prevented or broke the connection to the LAN.
SETUP
A test local area network (LAN) using Novell NetWare 2.15, 3COM
ethernet adapters, coaxial cable, IBM DOS 3.30, 2 IBM PS/2 Model
50's, 2 AST '286's, and one IBM PS/2 Model 80 as a file server
was set up. Three types of network shells were used: ODI, NET3
version 3.01 rev. E, and NET3 version 2.15.
Attempts were made to infect test .COM and .EXE files stored
under F:\USERS\<username> and C:\TESTEXEC, using the following
viruses:
(1) Jerusalem-B (aka. "Friday the 13th")
(2) 1701 (aka. "1701/1704")
(3) 4096 (aka. "100 Years", "Frodo", "Stealth")
(4) Invader (aka. "Anticad-2", "Plastique")
(5) Whale (aka. "Motherfish")
All of these viruses except 1701 were obtained from an anti-
virus software vendor. Two versions of Whale were tested. 1701
was obtained from an infected site in Michigan.
Test network files NE.COM and FASTGIF.COM were flagged as read-
only using Novell's FLAG.EXE program. The file BROWSE.COM was
"wrapped" on both the network and the local (C:) drive, using
Central Point Anti-Virus's (CPAV) immunization coding, which
added 779 bytes to the file size (1737 new size minus the 958
original size).
RESULTS
While successful at infecting C:\TESTEXEC files, repeated efforts
to get Jerusalem-B, 4096 and Whale to infect network files - to
which the user had all rights - were unsuccessful.
Jerusalem-B continually interfered with the LAN connection.
Several attempts to login to the network after becoming infected
were unsuccessful. Attempts to become infected after logging in
to the network consistently resulted in network adapter card
error messages that required re-booting to escape. These results
were consistent across all three driver sets and both PC types.
Novell technical support indicated there have been reports that
certain network adapters, among them those by 3COM, are
incompatible with Jerusalem-B.
4096 evidenced no conflict with the network connection and
infected C:\TESTEXEC executables, but - strangely - NOT the same
files in F:\USERS\<username> when changed to that directory
immediately afterwards. The file BROWSE.COM, previously "wrapped"
(immunized) by CPAV, was protected from infection by 4096.
Whale also evidenced no conflict with the network connection.
Attempts to infect network files with the Whale virus were also
unsuccessful. Immediately subsequent calls of the same executable
files on drive C: infected those files with Whale.
Previous CPAV immunization did NOT protect the file BROWSE.COM
from infection by the Whale virus. The CPAV reconstruction
feature for this immunized file was also not triggered by future
calls of BROWSE.COM. Cleaning of BROWSE.COM by the menu-driven
CPAV program left 8 extra bytes which caused execution of
BROWSE.COM to hang the computer.
Regards,
Eck
------------------------------
Date: Sat, 18 Jan 92 13:04:19 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: 1575/1591 Virus (PC)
In Message 15 Jan 92 11:20:06 GMT,
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin writes:
>There are 6-7 variants of this virus, but they are essentially the
>same.
Eh, no...Alan Solomon discovered he was wrong - he included one variable
byte in his checksumming range. There seem to be at most two variants.
- -frisk
------------------------------
Date: Fri, 17 Jan 92 20:20:36 +0000
From: brown20@obelix.gaul.csd.uwo.ca (Dennis Brown)
Subject: WDEF (mac)
This is a request for information concering the virus WDEF. It seems that I
have contracted this virus and I am now trying to get rid of it.
Here's the facts:Mac Plus
External HD
About a week ago, while doing a routing copy of some files, I created a
folder that is empty and is unremoveable. Shortly after this, about 3/4 of
the icons on my desktop dissappeared. The missing files are still
accessable to some programs (eg: the system that disappeared, still boots
the drive when started up, and the cdev boomering can access files that it
knows the path to even if it is one of the files that dissapeared). I am
told that this virus is searched for by the newest version of SAM, but are ther
e
any other programs out there that will find WDEF?
Any help would be greatly appreciated.
Dennis Brown brown20@gaul.csd.uwo.ca
------------------------------
Date: Fri, 17 Jan 92 13:11:39 +0000
From: dylan@ibmpcug.co.uk (Matthew Farwell)
Subject: PC Virus Checker for Unix (PC) (UNIX)
I've been wondering for a while whether there are actually any PC
Virus checkers which work under Unix. I'm wondering this because we
have a fairly large download area, which contains a lot of DOS/OS/2
stuff, and it might be an idea to just run through the lot with a
checker once in a while. It's a bit of a pain taking them all to a
DOS machine & then bringing them all back again.
Anyone got any ideas?
Dylan.
- --
Opinions above are mine, unless discovered to be wrong.
------------------------------
Date: 17 Jan 92 10:58:53 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Antivirus Organization Announced
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> > Virus Busters Join Hands -- The Antivirus Methods Congress, a
> > newly formed organization to combat computer viruses, was announced
> > last week with the goal of bringing users, vendors and researchers
> > together to tackle virus attacks on networks in the private and
> > government sectors.
> > Dick Lefkon, associate professor at New York University and chair-
> > man of the new group, said the organization already has 50 members,
> > including representatives from Martin Marietta Corp., the
> > insurance industry, the state of Arizona's legal department,
> > Northern Telecom, Inc. and universities in Hamburg, Germany, and
> > Iceland.
> Well, to be honest, I have never heard about that. But, I can speak
> only about myself; I'll ask Prof. Brunnstein whether he knows
> something on the subject (he is the head of the Virus Test Center at
> the Hamburg University) and will inform you.
Well, I did. It seems that these are pretty hot news - since the last
Saturday. This organization has been indeed established, and we are
indeed members of it. It will be in the States something similar to
what EICAR is in Europe. More news should appear on the 5th
International Virus & Security conference on March 11-13, in New York.
BTW, Padgett Peterson should also know about that... Padgett?
A more detailed message with explanations was promised by Prof.
Brunnstein. In fact, I alread got the message, and Ken should have a
copy of it too. Ken, if my boss forgets to CC a copy to Virus-L, could
you please forward it here? Thanks.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 17 Jan 92 11:07:24 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New to the forum - question
geoffb@coos.dartmouth.edu (Geoff Bronner) writes:
> This is something that varies from site to site, I'm sure. Dartmouth
> is a site that is very prone to viruses, we have many inexperienced
> mac users on the campus who have the ability to share files all the
> time. Viruses get here very quickly on visitors disks or via ftp and
Well, it depends what you mean by "very prone"... :-)
> I would say that the avergage user here who is running Disinfectant
> INIT (most do) sees viri very rarely. A couple times a year maybe.
Well, isn't it more plausible to suppose that people, who do NOT run
any virus detection software, see the viruses much less, since they
are unable to detect them?... :-)
> Since I run a cluster and support dozens of macs and ibms directly I
> see them more often. Even so, things are better. 3 or 4 years ago I
> could expect to see an infected disk or hard disk every day. After
> several years of spreading inits like Disinfectant INIT and Gatekeeper
> Aid around I see an infected disk maybe once a week. Usually on the
Just out of interest, here at the VTC, we get averagely one to two
requests for help per week, from all over the Germany. I don't know,
maybe for some people this means that the computers in Germany are
"very prone" to viruses... To me it means that there are almost no
viruses here... When I was in Bulgaria, an average of 20 phone calls
per DAY, and only from Sofia, was something usual.... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 17 Jan 92 13:02:12 +0000
From: douglas@rhi.hi.is (Douglas Brotchie)
Subject: Re: New Antivirus Organization Announced
RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes:
>The following is from the Dec 30,1991/Jan 6,1992 issue of Network World.
> Virus Busters Join Hands -- The Antivirus Methods Congress, a
> newly formed organization to combat computer viruses, was announced
> last week [...]
> Dick Lefkon, associate professor at New York University and chair-
> man of the new group, said the organization already has 50 members,
> including representatives from Martin Marietta Corp., the
> insurance industry, the state of Arizona's legal department,
> Northern Telecom, Inc. and universities in Hamburg, Germany, and
> Iceland.
^^^^^^^
Not to my knowledge.
Douglas A. Brotchie
Director of Computing Services
University of Iceland
------------------------------
Date: Sat, 18 Jan 92 16:54:32 +0000
From: willimsa@unix1.tcd.ie (alastair gavi williams)
Subject: Sigs
So, what's a signature virus? Does it require the file to be
written to an acc before it will infect it?
Thanks
A G Williams
willimsa@unic1.tcd.ie
------------------------------
Date: Sat, 18 Jan 92 23:42:10 +0700
From: frisk@complex.is (Fridrik Skulason)
Subject: Polymorphic viruses
Terms such as "Viruses using variable encryption with a variable
decryption routine" are rather cumbersome, but no accurate single word
has been found for those viruses, of which V2P6, Whale, Maltese
Amoeba, Russian Mutant and PC-Flu 2 are examples.
Until now.
It is hereby proposed that the term "polymorphic" be used fore this
class of viruses, but this term originated in one of the marathon
5-hour telephone conversations I had with Alan Solomon on the subject
of virus naming.
- -frisk
------------------------------
Date: Sun, 19 Jan 92 16:44:00 -0500
From: HAYES@urvax.urich.edu
Subject: new program from Padgett Peterson available (PC)
Hello.
Just received and made available for FTP processing a new utility from
A. Padgett Peterson.
CHK.ZIP Integrity checker. Can be used to detect the Michel-
Angelo virus.
Best, Claude Bersano-Hayes. <hayes@urvax.urich.edu>
------------------------------
Date: Sun, 19 Jan 92 22:05:00 -0500
From: "David Bridge" <DAVID@SIMSC.BITNET>
Subject: Iraqi Computer Virus story Defended !
from "The Washington Post" Washington, DC USA
Tuesday, January 14, 1992. Page A7.
COMPUTER VIRUS REPORT IS SIMILAR TO SPOOF
Magazine Rechecking Story That U.S. Disabled Iraqi Network
Associated Press
A newsmagazine report that U.S. intelligence agents planted a
disabling "virus" in an Iraqi military computer network before the
Persian Gulf War is strikingly similar to an article published last
year as an April Fool's joke.
The main author of the U.S. News and Report article, Brain Duffy,
said yesterday [= Jan. 13], "I have no doubt" that U.S. intelligence
agents carried out such an operation, but he said the similarities
with the spoof article were "obviously troubling."
Duffy said the magazine was rechecking the sources who told it about
the operation to determine whether details from the spoof article
could have "leached into our report."
In an article in its Jan. 20 issue, U.S. News said it had learned
from unidentified U.S. officials that intelligence agents placed the
virus in a computer printer being smuggled to Baghdad through Amman,
Jordan.
It said the printer, described as French-made, spread the virus to
an Iraqi mainframe computer that the magazine said was critical to
Iraq's air defense system.
The magazine reported that the trick apparently worked, but it
provided no details.
The main elements of the U.S. News virus story are similar to an
article published in the April 1, 1991, edition of InfoWorld, a
computer industry publication based at San Mateo, Calif. The article
was not explicitly labeled as fiction but the last paragraph made
clear that it was written as an April Fool's joke.
Duffy said he had not heard of the InfoWorld spoof. In response to
an inquiry by the Associated Press, he said a U.S. News reporter in
Tokyo got the "initial tip" on the computer virus story, which the
reporter then confirmed through "a very senior official" in the U.S.
Air Force. Duffy said he personally confirmed the story through a
senior official in the Air Force and a senior intelligence official.
Some private computer experts said it seemed highly unlikely that a
virus could be transferred to a mainframe computer from a printer. "A
printer is a receiving device. Data does not transmit from the
printer to the computer," said Winn Schwartaw, executive director of
the International Partnership Against Computer Terrorism.
=====================================================================
from "The Washington Post" Washington, DC USA
Saturday, January 18, 1992. Page A4.
COMPUTER VIRUS STORY DEFENDED
Associated Press
U.S. News & World Report said Thursday [= Jan. 16] it is sticking by
its story that U.S. intelligence agents tried to disable an Iraqi air
defense network with a computer virus several weeks before the start
of the Persian Gulf War.
The magazine said it had confirmed that the attempt was made, as
reported in its Jan. 20 issue and later questioned, but had not been
able to determine whether it was successful. The original story,
published Monday [= Jan. 13], quoted two senior U.S. officials as
saying that the virus "seems to have worked as planned."
Questions arose about the story after it was learned that the
computer industry publication InfoWorld spelled out a strikingly
similar scenario in a column that ran as an April Fool's joke last
year.
------------------------------
Date: Fri, 17 Jan 92 02:12:28 +0000
From: mcafee@netcom.netcom.com (McAfee Associates)
Subject: Mail Problem (McAfee)
Hello all,
Sorry for wasting bandwidth over this, but:
I have accidentally lost part of my workspace for the week of Jan 6th
to Jan 13th. If anyone from Europe sent mail to mcafee@netcom.com and
Downloaded From P-80 International Information Systems 304-744-2253