From lehigh.edu!virus-l Wed Apr 21 04:15:47 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Wed, 21 Apr 93 16:48:10 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA15014; Wed, 21 Apr 1993 15:52:34 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA36021 (5.67a/IDA-1.5 for ); Wed, 21 Apr 1993 08:15:47 -0400
Date: Wed, 21 Apr 1993 08:15:47 -0400
Message-Id: <9304211109.AA17599@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #67

VIRUS-L Digest   Wednesday, 21 Apr 1993    Volume 6 : Issue 67

Today's Topics:

    Contest (was Beneficial/Non-Destructive)
    Re: Virus Signatures
    Re: Beneficial/Non-Destructive
    Re: New program chair for IDES-of-March Virus Conference
    Re: Sending viruses over Internet
    Re: Should viral tricks be publicized?
    Re: Virus Signatures
    Fido-Net trojan (PC)
    Boot Survival (Technical) (PC)
    Re: Central Point and Stacker (PC)
    Re: Censoship/40-Hex (PC)
    Help needed with the Bootexe virus (PC)
    Viruses which cost $$$ (PC)
    Re: Removing PingPong virus from boot sectors (PC)
    Re: Unknown little virus? (PC)
    Re: VSAFE WONDER false alarm? (PC)
    Got rid of Stoned -- but where did it come from? (PC)
    Re: viruses and compression (PC)
    keyboard virus? (PC)
    Re: 5lo virus? (PC)
    Re: VSAFE WONDER false alarm? (PC)
    Re: Disk Death (PC)
    Re: Can a virus infect NOVELL? (PC)
    Corporate climate (CVP)
    SCNDAY10.ZIP - Scan HD for viruses once a day on Mon/Wed/Fri (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 19 Apr 93 13:38:46 -0400
From:    CELUSTP@cslab.felk.cvut.cs
Subject: Contest (was Beneficial/Non-Destructive)

Hi all,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>Don't be so sure... Suppose that the beneficial virus does the
>following:

>1) Modifies only one executable file on your system.

Very unusual virus behaviour.

>2) This file is an anti-virus program.

Very suspicious activity.

>3) The modification consists of replacing the program with a newer copy.

How do you know it is the better or correct one?

>4) The virus infects your computer when you log to the LAN server.

First it was said it infects only one executable file. Now it is the whole computer. Hmm...

>5) The virus has been installed on the LAN server by the LAN
>administrator.

It means it was deliberately entered into the system.

>6) The LAN owner has a policy that no workstations are allowed to log
>in unless they are running the latest version of this particular
>anti-virus software.

Blackmail.

>7) The virus (actually a worm - it does not "attach" itself to
>programs and spreads via networks) does not do anything else.

If a virus is something "attaching" itself to programs, then some existing viruses (boot viruses or companions) are not viruses either.
>8) The whole thing is marketed by the producer of the anti-virus
>software not as a virus, but as "a centralized method for automatic
>update of the software on the workstations".

Why this whole story about a beneficial virus then?

>The main problem is that when talking about beneficial viruses, most
>people think about what is well-known to be a virus (something nasty
>that spread without your permission and often destroys something) and
>then try to fit it into the frame "beneficial". Of course it doesn't
>fit. Instead, it should be the other way around - think of what is
>beneficial (good user interface, you have full control of it, performs
>useful functions) and then try to add virus-like capabilities to it
>(i.e. self replication) without losing any of the beneficial
>capabilities. Additionally, for the peace of mind of the general
>public, don't call it "virus", but something more sophisticated et
>voila!

Exactement (= exactly, for non-French speaking people). Don't call a "virus" something you are not sure is a virus. How can you be sure something is a virus? Well, some things are repeated over and over, and it seems to me the problem is the virus definition again. I was following everything written about this subject on this list and recently reread all issues of Virus-L Digest from No. 1 to the last one (for this year). I will not summarize here what I concluded. Instead of that I announce:

          CONTEST FOR THE BEST COMPUTER VIRUS DEFINITION

In the following categories:

1. Technical definition (in plain language - preferably English)
2. Technical definition (mathematical)
3. Legislative definition
4. Ethical definition
5. Philosophical definition
6. Poetical definition
7. Funny definition
8. Other definitions

Propositions:

1. This definition should be as short as possible, free of attributes such as "good", "bad", "beneficial" or similar, not mentioning the state of the user's mind, etc.; it should be clearly stated for which environment (e.g. operating system) it is applicable, and the definition should be beyond doubt.
2. The meaning of every symbol in the mathematical formula(s) should be clearly explained.
3. This definition should contain a statement of which part of the virus code could be considered punishable (supposing virus writing is a criminal act).
4. This definition may include terms such as "good", "bad", "beneficial", "malicious", etc. The point is to stress what could be good and what is bad in writing viruses.
5. This definition may have a completely free form. However, religious statements of the type "First there was a virus..." should be avoided if possible.
6. Limerick is the preferred form, but epic poems, if good, may also compete.
7. The preferable form is a short joke. For fair play I suggest not using any personal names of real persons.
8. Any other definition not belonging to the previous categories.

Contributions may be sent by e-mail to celustka@sun.felk.cvut.cs with subject "contest - number of category" (e.g. contest - 1) or by snail mail to the address below. Everybody willing to participate may send his/her own definition or suggest somebody else's, with exact citation of the source where the definition could be found (preferably sending a copy of the definition). One person can compete in more than one category with more than one definition (however the limit is five definitions/category).

Jury:

At the moment only me. Everybody who doesn't want to compete and feels competent enough to judge the quality of definitions is welcome. Just send me a short e-mail with your address and category of interest.

Prizes:

Given my limited financial ability, these prizes YOU WILL NOT GET:

1. Red Porsche (nor any other car of any colour, nor even a bicycle)
2. Two weeks on the Bahamas
3. 1 000 000 $

Prizes which I can assure at the moment are:

1. Diploma for the best virus definition in the respective category
2. Nice postcard from Prague

Any sponsor willing to increase the prize fund is welcome.

Deadline: 30 June, but this term could be changed depending on interest.
Any suggestions about propositions and/or better contest organization will be appreciated.

Enjoy the contest and let the best win!

Cheers,

Suzana

"Only the best is good enough for us!"

- ---------------------------------------------------------------------------
Address:                                  e-mail addresses:
Suzana Stojakovic-Celustka
Department of Computers                   celustka@sun.felk.cvut.cs
Faculty of Electrical Engineering         celustkova@cs.felk.cvut.cs
Karlovo namesti 13
12135 Prague 2                            phone : (+42 2) 293485
Czech Republic                            fax   : (+42 2) 290159

------------------------------

Date:    19 Apr 93 23:39:50 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Signatures

ST29701@vm.cc.latech.edu writes:

>I was wondering why there is not anyone that periodically post NEW virus
>Signatures. This would be very helpful to people in between releases of
>different virus scanners.

Very helpful? Well, keep in mind that most of the "new" viruses that appear are not a threat "in the wild"...and by the time a virus becomes a threat most scanners will probably be detecting it.

Also, consider that an ever-increasing percentage of new viruses uses polymorphic encryption - so signature lists will not help...you need a program update.

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Tue, 20 Apr 93 10:23:07 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Beneficial/Non-Destructive

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> My question is: why do you need a virus (or worm) to do this ? All

In order to achieve automatic update when a workstation logs in.
If you are using the usual go-to-every-PC-and-install-the-program technique, this might be rather expensive for an organization with a few thousand PCs...

> you need is a regular program that runs as part of the login script,
> detects the version via strobe/date/size/checksum and performs a copy/
> execute if an update is needed.

You don't understand - this -is- the virus. The anti-virus package plus the relevant part of the system login script. When you install the virus (as a supervisor), it modifies the system login script, by including in it a (possibly modified) part of itself. At workstation login, this part is executed and spreads another part of the virus (the anti-virus package) to the workstation that logs in. The whole process matches exactly Dr. Cohen's definition for a virus and is clearly beneficial.

> McAfee's CHKSHLD in a .BAT will do this
> function plus verify that the TSR is functioning properly and is neither
> virus nor worm (neither the .BAT nor CHKSHLD needs to be copied to the
> client).

That's exactly why McAfee's package is not a virus - it doesn't have the capability to automatically update itself on the workstations. Although you could easily add virus-like capabilities to it by some clever login script programming and a few external utilities (e.g., to check the current version of the package on the workstation).

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:30:33 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New program chair for IDES-of-March Virus Conference

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> jsb@well.sf.ca.us (Judy S. Brand) writes:

> > The person does not seem to have read my letter last week
> > to "Ides of March" attendees.

> Uh, what letter? I have not received any such letter - at least not
> yet.

Correction - got the letter yesterday. No wonder that it has taken such a long time - the address was a horrible mess of my office and private addresses and my name was misspelled. As it was misspelled on my ID at the conference, and at the previous conference, and on the "certificate" I got from the previous conference. IMNSHO, this mess is an excellent example of the lack of organization that surrounds this event. The organizers seem to be unable even to get their mailing lists straight... And my name and office address can be found at the end of any message I post to Virus-L/comp.virus - a newsgroup that both you and Dick Lefkon have demonstrated to have access to.

Prof. Brunnstein has still not received his letter, BTW.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:36:36 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Sending viruses over Internet

atman@rahul.net (Visceral Clamping Mechanism) writes:

> This is not strictly true. Fidonet also has an email routing method called
> "host routing" in which email is transferred through one (or more?) "host"
> systems.

I see... I didn't know that - when I was using FidoNet in Bulgaria, the SysOps used to tell me that I cannot send NetMail to anybody outside Europe and Israel, because they are unable to dial his/her telephone directly. (For those of you who don't know it, it is impossible to automatically dial a number outside these areas from Bulgaria.
It can be done only via very special lines.)

> gateway. Email in Fidonet is not always point-to-point, and encryption of
> sensitive data, such as new viruses, with a good encryption program is always
> a good idea.

Wasn't the transfer of encrypted data forbidden by the rules of FidoNet?

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:40:57 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Should viral tricks be publicized?

khan0095@nova.gmi.edu (Mohammad Razi Khan) writes:

> Virus writers will write viruses, Anti-Virus writers will write
> anti-virus programs, I think it should be publicized, only
> to inform the (uninformed) public about how easy it actually
> is, you wouldn't believe the amount of people who "trust".

To inform you about what exactly? That it is very easy to write a virus? Doesn't the number of existing viruses (about 2,300) convince you enough? Or don't you trust me that there are so many?

> There are also another extreme group of people, paranoid about
> security, who cringe at even hearing the word virus, and all the
> hype about michelangelo did bring many of them out. If these
> viruses were made to be public domain then

As I tried to explain to somebody else, there are other things to be concerned about. First, while not giving viruses to anybody certainly cannot stop the viruses from spreading, giving them to anybody who wishes -does- help them spread. Why should we help them? Second, by giving them to anybody who wishes, you are damaging your reputation. Maybe we really need a new FAQ entry?

> a.) trusting people will see what they really are up against
> b.) paranoid people will see how trivial most viruses are.

How exactly do you expect people to "see" this? According to your own words, your friend has had two viruses on his computer and has not "seen" anything. Remember, the vast majority of the computer users are just not competent enough to handle a virus properly. Making viruses freely available to them will only make the problem worse.

> heck, who can't make a batch program that goes
> echo Y|del *.*

Heck, a Russian hacker has written a memory resident (!) slow BAT file infector - entirely in the BAT language... Using NO external programs that are required to be present (DEBUG, EDLIN). Fortunately, there's a bug in the virus and it doesn't work well, but the basic idea is there...

> Also, people, in general, will know how to effectively combat a virus
> by them selves.

Could you please explain HOW exactly a person who is not competent enough to handle a virus will handle it better if you give him/her free access to virus code? And WHY s/he won't be able to get better informed by reading this forum?

> Well, anyway, I think they should be public domain.]

I think - not. They spread well enough by themselves or are spread by the VX BBSes. No need to help them additionally.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:54:50 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Signatures

ST29701@vm.cc.latech.edu writes:

> I was wondering why there is not anyone that periodically post NEW virus
> Signatures.

But they do! Virus Bulletin regularly posts new virus signatures - actually, every month.
Jan Terpstra maintains a publicly available list of virus signatures and updates it from time to time. S&S International ships by fax urgent updates for their scanner to their users, when this is necessary.

> This would be very helpful to people in between releases of
> different virus scanners.

There are some problems with that. First, some scanners don't rely simply on signatures. They are using the offset from the file entry point where the signatures could be found, commands to disinfect the virus, algorithms for polymorphic viruses, etc. Second, there is the problem you note below, namely that

> this might be helpful to the writer of that virus

Third, some producers of anti-virus software consider their collection of virus signatures to be a trade secret and guard it not only from the virus writers but also from their competitors.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    18 Apr 93 20:22:00 +0000
From:    shakib.otaqui@almac.co.uk (Shakib Otaqui)
Subject: Fido-Net trojan (PC)

VB> shakib.otaqui@almac.co.uk (Shakib Otaqui) writes:

VB> > Further reports on Fido-Net say that once uncompressed, SCAN
  > > identifies the Taiwan virus in the file. F-Prot 2.07 says it has
  > > ACAD.

VB> This is one and the same virus. The question is - which one exactly?
  > Here are the possibilities:

There have been a lot of conflicting reports about this on Fido-Net. The consensus now is that it is a trojan rather than a virus. Apparently, the writer used the disk-trashing code from Anti-Cad/Taiwan, but not the infection code. The program begins to do its dirty work immediately on execution, so I suppose there's not much point in infecting files it's about to trash.
 * PQ 2.15 189 * The worst trojan is someone's ignorance.

------------------------------

Date:    Mon, 19 Apr 93 06:11:46 -0400
From:    groot@idca.tds.philips.nl (Henk de Groot)
Subject: Boot Survival (Technical) (PC)

A week ago I patched my BIOS (EPROM) to support a new disk. To patch the ROM I had to collect the checksum. A small C program was written to calculate the checksum of the current BIOS. I was convinced that adding up all the bytes in the current BIOS (from F000:0000 till F000:FFFF) should give an answer of 0. To my surprise it didn't!

What I found may be of interest to this group.

I was running MS-WINDOWS and decided to reboot the PC with a clean floppy. I ran the C program again and the BIOS checksum was 0 this time! So running MS-WINDOWS seemed to 'change' the contents of the BIOS. I realized that I was looking at (protected) RAM instead. A diff revealed what had been changed: the jump to the POST/BOOT code at FFFF:0000 was not jumping into the BIOS anymore but to some address in conventional memory. This is probably the way WINDOWS 3.1 catches CTRL-ALT-DEL or even a brute call to FFFF:0000. It could also be Smartdrive, to have the ability to flush the cached writes this way (just guessing here). Whatever program did it I don't know; I expect it to be a feature of MS-WINDOWS, not a virus (I didn't bother to find out).

In the group there has been a statement that a virus cannot survive a call to FFFF:0000 to do a cold boot. This is NOT correct. The 386 processor with virtual memory capabilities is able to 'change' the BIOS by copying the BIOS to RAM and swapping the pages. A virus could even hide in unused parts of the BIOS, or other unused areas within 0K-1024K, as soon as it finds out how to exploit the 386 capabilities.

Anyway I think the only real cold boot is the reset button or even switching the system off and on again. The statement that there is no virus that survives boots through FFFF:0000 may be valid today but may not be valid tomorrow.
Kind Regards,

Henk.
- -- 
Henk de Groot                 | Dep.: IISS-SE (System Management)
Loc: V2/A05                   | Mail: groot@idca.tds.philips.nl
Tel: +31 55 432104            | Digital Equipment Corporation

------------------------------

Date:    Mon, 19 Apr 93 06:13:53 -0400
From:    DONNY@iris.netcom.com
Subject: Re: Central Point and Stacker (PC)

Amir Netiv (Mon, 22 Mar 93 13:23:00) writes

> Since you are new here, let me first welcome you.

Well, not exactly, I did talk here before but thanks for the welcome :-)

> Just to remind you V-CARE is equipped with a TSR for quite some time
> already,

I keep getting confused between VCARE and VGUARD (for obvious reasons).

> and as a TSR writer myself, I think I may express my opinion about them.

Even if you weren't you may.

> Second thing: your *"DOS is built for TSRs"* flag ship is not correct (
> historically speaking). "DOS supports TSRs" is a much better term.

Keybxx has been part of DOS ever since 1.0 (I think) and I guess that is as close as you can get to "built for". Even CP/M was quite TSR supporting.

> However the main problem is that DOS is an operating system that suffers
> from the lack of standardization,

It depends on what level of standards you wish to reach.

> Third: You do not have to warn anybody using other TSRs like keyboard
> handlers since they do not tamper with the set of interrupts used to access
> the disk.

But they do access the keyboard and they may/do cause trouble. What I am pointing out is that anyone who wants to use DOS (do they?) also has to consider the various features and the fact that some TSRs may have bugs (same goes for the whole computer world). Whether an A/V TSR can be more or less "painful" depends on the utility and what you combine it with. This is the "facts of life" with DOS, Microsoft, etc. Your aim of removing TSRs (if possible) that tamper with the disk is like removing electricity because it is more dangerous than water.
> As for QEMM386 I'm surprised that a man with such an experience as you

What experience? :-)

> claim to have does not know that EMM386 has many conflicts,

So? There are bugs in everything. I do agree that MS should put more effort into improving EMM386 but EMM386 is not a "bad" product in its concept (which is what I am trying to say).

> Last but not least: If it didn't happen to you yet I truly hope it never will,
> but Double disk for example conflicts with several optimization programs and
> some utilities,
> the result is fatal, I've experienced it myself several times.

So fix the bugs, fix the various utilities, make standards, etc. Don't condemn the system.

Donny Gilor (Dr. Virus)  donny@iris.ilnet.net
- -----------------------------------------------
Development manager, Iris Software (Israel)
Iris produces software for Text-Retrieval, Anti-Virus, and Copy-Protection.
Telephone: (972)-3-5715319  Fax: (972)-3-318731

------------------------------

Date:    15 Apr 93 16:34:44 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Censoship/40-Hex (PC)

Thus spake bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

>As a scientist, I am trying to provide verifiability of my claims any
>time I am able to do it. Unless I have to worry about more important
>things. You don't demand that NASA takes you in the Shuttle, in order
>to verify the claims that the Earth is round with your own eyes, do
>you?

[No definite relevance to comp.virus, but noteworthy anyway...]

As someone pointed out in another newsgroup [sci.crypt?] a while back, you *don't* need to get a shuttle ride to demonstrate that the earth is round; it can be done in the comfort of your own home [you need a window...] using Foucault's pendulum [to satisfy yourself that the earth rotates] and observation of lunar eclipses [shadow of earth is always circular, although it's at a different position in its rotation each time].
Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin                            duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa    \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Mon, 19 Apr 93 12:41:45 -0400
From:    RHY@CU.NIH.GOV
Subject: Help needed with the Bootexe virus (PC)

If you have any information on the Bootexe virus: What exactly is it? How to remove it without destroying any data? Will appreciate any info.

Thanks!

------------------------------

Date:    Mon, 19 Apr 93 13:15:57 -0400
From:    Donald G Peters
Subject: Viruses which cost $$$ (PC)

I think I recall seeing the following warning in one of my books: "Improper use of this register may cause physical damage to your monitor."

Am I correct, is there physical damage that can be done through software? Monitors sound likely. Disks, possibly. With CPUs that run hot and can be configured perhaps through software, then maybe them too!

If this is a threat should we discuss it here? I think so. Of course, I don't want the details spelled out here. Just enough generic information that we can be sure the info is correct.

I know of a simple way that a virus could cost a user lots of money, [in fact the virus author could MAKE money from the victim!!!] [if that doesn't whet the appetite I don't know what will!!!] without causing physical damage, but I am unsure if I should mention that here. Even though the method is absurdly simple. Any comments?

[Moderator's note: Be careful - this topic comes up every once in a while here, and the discussions are always full of conjecture. I will reject all postings in this thread that are of the "a friend of mine said that his third cousin, twice removed, once had a monitor blow up..." variety.]
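Editor's added example, not from this digest or any of its posters, illustrating the checksum-and-diff technique in Henk de Groot's "Boot Survival (Technical)" post earlier in this issue. It builds a constructed 64 KiB stand-in for the F000:0000-F000:FFFF ROM image whose bytes sum to 0 modulo 256, then applies the kind of change Henk observed in the shadowed copy (the far jump at F000:FFF0, the byte FFFF:0000 aliases, redirected into conventional memory) and shows that the 8-bit checksum no longer comes out to zero and that a byte-wise diff pinpoints exactly which bytes moved. The filler content, both jump targets and the choice of the last byte as the checksum fix-up slot are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE          0x10000u          /* F000:0000 .. F000:FFFF, 64 KiB      */
#define RESET_VECTOR_OFF  0xFFF0u           /* FFFF:0000 is the same byte as F000:FFF0 */
#define FIXUP_OFF         (ROM_SIZE - 1u)   /* assumed slot for the checksum fix-up byte */

/* 8-bit additive checksum: a valid ROM image sums to 0 (mod 256). */
static uint8_t rom_checksum(const uint8_t *img, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + img[i]);
    return sum;
}

/* Value to store at img[slot] so that the whole image sums to zero again. */
static uint8_t rom_fixup_byte(const uint8_t *img, size_t len, size_t slot)
{
    uint8_t sum_without_slot = (uint8_t)(rom_checksum(img, len) - img[slot]);
    return (uint8_t)(0u - sum_without_slot);
}

/* Byte-wise diff: returns how many bytes differ; *first = offset of the first one. */
static size_t rom_diff(const uint8_t *a, const uint8_t *b, size_t len, size_t *first)
{
    size_t n = 0;
    *first = len;                          /* sentinel meaning "no difference" */
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            if (n == 0) *first = i;
            n++;
        }
    }
    return n;
}

/* Constructed stand-in for a ROM BIOS: pseudo-random filler, a far jump at the
 * reset vector, and a fix-up byte that makes the image sum to zero. */
static void build_rom_image(uint8_t *img)
{
    uint32_t x = 0x12345678u;              /* LCG seed; the filler content is arbitrary */
    for (size_t i = 0; i < ROM_SIZE; i++) {
        x = x * 1664525u + 1013904223u;
        img[i] = (uint8_t)(x >> 24);
    }
    /* JMP FAR F000:E05B, a jump into the BIOS's own POST code (assumed target) */
    static const uint8_t jmp_into_bios[5] = { 0xEA, 0x5B, 0xE0, 0x00, 0xF0 };
    memcpy(img + RESET_VECTOR_OFF, jmp_into_bios, sizeof jmp_into_bios);
    img[FIXUP_OFF] = rom_fixup_byte(img, ROM_SIZE, FIXUP_OFF);
}

/* Simulates what the post saw in the shadowed copy: the reset-vector jump now
 * points into conventional memory (JMP FAR 0070:0100, an assumed address). */
static void redirect_reset_vector(uint8_t *img)
{
    static const uint8_t jmp_into_ram[5] = { 0xEA, 0x00, 0x01, 0x70, 0x00 };
    memcpy(img + RESET_VECTOR_OFF, jmp_into_ram, sizeof jmp_into_ram);
}

struct rom_check {
    uint8_t clean_sum;    /* checksum of the pristine image                 */
    uint8_t shadow_sum;   /* checksum after the reset vector was redirected */
    size_t  ndiff;        /* number of bytes that changed                   */
    size_t  first_diff;   /* offset of the first changed byte               */
};

/* Runs the whole check: pristine image vs. its redirected shadow copy. */
static struct rom_check run_rom_check(void)
{
    static uint8_t rom[ROM_SIZE], shadow[ROM_SIZE];
    struct rom_check r;
    build_rom_image(rom);
    memcpy(shadow, rom, ROM_SIZE);
    redirect_reset_vector(shadow);
    r.clean_sum  = rom_checksum(rom, ROM_SIZE);
    r.shadow_sum = rom_checksum(shadow, ROM_SIZE);
    r.ndiff      = rom_diff(rom, shadow, ROM_SIZE, &r.first_diff);
    return r;
}

/* Accessors for the individual results. */
static unsigned rom_check_clean_sum(void)  { return run_rom_check().clean_sum; }
static unsigned rom_check_shadow_sum(void) { return run_rom_check().shadow_sum; }
static size_t   rom_check_ndiff(void)      { return run_rom_check().ndiff; }
static size_t   rom_check_first_diff(void) { return run_rom_check().first_diff; }

int main(void)
{
    struct rom_check r = run_rom_check();
    printf("clean image checksum:    0x%02X\n", r.clean_sum);
    printf("shadowed image checksum: 0x%02X\n", r.shadow_sum);
    printf("%zu byte(s) differ, first at F000:%04zX\n", r.ndiff, r.first_diff);
    return 0;
}
```

The point of the diff step is the one Henk made: a non-zero checksum only says that *something* differs from the ROM, while comparing against a copy taken after a clean floppy boot shows *where*, and here it lands precisely on the four operand bytes of the reset-vector jump. On a real machine the comparison baseline has to come from an image read outside the suspect environment, exactly as the post did by rebooting from a clean diskette.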
------------------------------

Date:    Mon, 19 Apr 93 19:06:00 -0400
From:    kam.bansal@symantec.com (Kam Bansal)
Subject: Re: Removing PingPong virus from boot sectors (PC)

> One of the IBM's that I manage has pingpong virus in the boot blocks of
>the hard drive. I have Norton's AntiVirus, but it will not remove it. What
>do I have to do to remove the pingpong virus, or is it really nothing to
>worry about?

Dave,

What version of NAV do you have? And, when you do a scan, what does it say? Does it say that you have a virus on your boot record? And if it does do that, does it give you an option of repairing it?

-Kam (^8*

------------------------------

Date:    19 Apr 93 23:36:07 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Unknown little virus? (PC)

ac999512@umbc.edu (ac999512) writes:

> 24 bytes? That's it? Really? The smallest I've managed to obtain/create
>is 27 bytes.

Hmmm...I don't have any 27 byte one :-) ... actually I have never seen a 24 byte virus (the shortest I have is 25 bytes), but I figured out how to shorten a 26-byte one by 2 bytes.

Or, maybe 24 bytes are impossible, and I'm just writing this to keep the virus authors reading this occupied for a while.... :-)

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    19 Apr 93 23:46:41 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: VSAFE WONDER false alarm? (PC)

Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer) writes:

>I've had a number of incidents lately on our 255 PC Novell LAN where
>VSAFE reports an executable is infected with the WONDER virus.

I think this has been reported as a false alarm - Wonder is written in some high-level language - C++, I think, and some scanners gave false positives on programs created with the same compiler.
Anyhow, as a rule of thumb, if a scanner reports only one or two files on a machine, and if they have been in use for a while - you are likely just to have a false alarm.

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Mon, 19 Apr 93 20:49:18 -0400
From:    bruno@mcrcim.mcgill.edu
Subject: Got rid of Stoned -- but where did it come from? (PC)

I administer a bunch of Intel-based UNIX systems, and found that one of them just stopped booting. I could mount the disks on another machine, and everything seemed mostly OK, except for the boot sector. Upon inspection, the boot sector had been infected by the Stoned virus. It looked pretty primitive (to the untrained eye), since it contained a non-encrypted string. I installed a new boot sector and secondary boot, and all is well.

But now I'm wondering how this thing got there in the first place. My question is:

===> What is the specific mechanism that Stoned uses to propagate itself?

Must one boot with an infected floppy, or does it live next to an executable, or...

Thanks,
Bruno
- -- 
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Bruno Hall | VE2HUM | bruno@mcrcim.mcgill.edu
McGill Research Centre for Intelligent Machines - Controls Group
New systems generate new problems -- Join the Flat Earth Society.

------------------------------

Date:    Mon, 19 Apr 93 23:42:52 -0400
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: viruses and compression (PC)

Hello Colin Beckman,

You wrote:

> I was wondering if anybody could tell me if it is possible for a
>scanner to detect a virus in a compressed file or on a stacked hard drive

Some anti-viral programs check inside compressed files (either run-time compression such as PKLITE or LZEXE, or archived files, such as those created by ARC and PKZIP).
To find out which ones do, you'll need to contact the developer (or distributor) of the program in question. Most anti-viral programs will check a volume compressed with Stacker, SuperStor, DoubleSpace, and the like as long as the correct device driver is loaded to access the disk.

>or if the virus can be detected on a file that has been backed up using
>DOS or Norton backup. Some how I doubt it but I am asking to be sure.
>If it can be detected could you tell me the name of the software that can
>do it

I'm not aware of any anti-viral program that checks inside floppy (or tape, for that matter) backups made by any of the various hard disk backup programs out there. Since most backup programs perform some sort of compression (which would probably be proprietary) on the backups, it is unlikely that any anti-viral program would be able to check them.

Regards,

Aryeh Goretsky
Technical Support
- -- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.      | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14     | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California      | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA               | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Tue, 20 Apr 93 06:14:10 -0400
From:    Jeroen.Donkers@mi.rulimburg.nl
Subject: keyboard virus? (PC)

At our university we have some strange problems with keyboards, starting a month ago. All kinds of PCs using different DOS versions and network operating systems have 'stuck' ALT, SHIFT or CTRL keys. Even brand-new computers show this problem. Some computers produce a beep before getting stuck. There is no hardware problem (e.g. dirt). Sometimes the problems are solved using keyboard-fix utilities or new keyboard drivers but results are unpredictable. We have used McAfee scanners but found nothing. Is this some kind of virus?
I couldn't find a virus description with similar symptoms...

Jeroen Donkers, University of Limburg, The Netherlands

------------------------------

Date: Tue, 20 Apr 93 10:14:35 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 5lo virus? (PC)

Marcin_Dobrucki@f200.n3581.z9.virnet.bad.se (Marcin Dobrucki) writes:

> While using F-PROT 2.07 I got a message that some 60 files on my
> drive are infected with 5lo (?) virus. However after checking
> the virus list I could not locate such virus nor find any
> information anywhere else.

Hmm... 5lo is an obscure Polish virus... Are you calling from Poland (I'm
not familiar with the VirNet addressing scheme)? It -might- be a false
positive, because Frisk (and I) had problems replicating the virus, but 60
files... No, it sounds like a real infection... Anyway, this is a resident
EXE-only infector that infects files when you execute programs. The programs
being infected are not necessarily those being executed - on each Exec the
virus does a FindFirst/FindNext, like a non-resident virus... Look at the
end of the files reported as infected - can you spot a text string like
'92.05.24.5lo.2.23'? If it is there, then your computer is really infected.

> Is this some kind of a code name for the PROTO-T virus which
> I suspected was the one I had?

No, that's a real virus. And the two Proto-T variants we know are reported
by F-Prot as Proto-T (Proto-T) and Proto-T (Civil War).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Tue, 20 Apr 93 11:00:49 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSAFE WONDER false alarm?
(PC)

Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer) writes:

> I've had a number of incidents lately on our 255 PC Novell LAN where
> VSAFE reports an executable is infected with the WONDER virus.
> F-PROT 2.07, CPAV's SCAN function (1.4), and McAfee's SCANV102 and NETSCAN102
> don't find anything, so I'm assuming it is a false alarm. No suspicious

It's almost certainly a false positive. Wonder is a silly overwriting virus,
written in a high-level language (C). It barely works, let alone spreads...
However, because it is written in a high-level language, it is very
difficult to select a scan string for it without causing false positives.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Tue, 20 Apr 93 11:02:57 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disk Death (PC)

apreiser@skidmore.EDU (arthur preiser) writes:

> Anyway, I let a friend run some numbers through lotus 1-2-3 on my
> computer. Right in the middle of calculating something, my virus
> detector went off.

What kind, brand and version of virus detector and what did it say? Please,
read the FAQ for information about what to supply when asking questions
like yours.

> I scanned the hard drive and found the disk to be
> infected.

With what?

> The problem was, my virus cleaning program was infected. I

That's why you must always boot from an uninfected write-protected system
diskette and run your anti-virus software from a write-protected diskette.

> tried to recover my information with the original copies of the virus
> program, but the virus was resident and infected my "A:\" drive as
> well.

Because you have not write-protected your original copies.
This is a VERY severe mistake.

> I had to reformat the hard drive on my computer. I wanted to

This is almost never necessary.

> know what kind of virus could attack all these files in so short a
> time?

Any resident virus that infects files when they are executed. There are
probably more than a thousand viruses that match this description... What
did your scanner report?

> What could I have done differently to save my disks? I don't

Write protect your diskettes. Delete your executable (and infected) files
and restore them from clean originals. After booting from a clean diskette,
of course.

> know what virus it was or how it infected my system without infecting

What do you mean that you don't know! What did the scanner say?

> my friends. We ran a viral scan on his computer and it came up
> negative.

So probably his system is not infected. Or it is a stealth virus that your
scanner does not detect in memory and you have not booted from a clean
floppy before checking his system.

> Is it just me or does anyone else think my friend sabotaged
> (sp?) my system?

It's just you, IMHO... :-)

> How can I prevent this kind of total disaster from
> reoccurring?

First read the FAQ, then devise some kind of safe computing practice.

> Please excuse me for rambling on. I'm still getting over the
> shock of losing everything. I was naive and, you guessed it, I
> didn't have backups of my work. I guess a hard lesson learned is a
> lesson worth remembering.

Particularly, the points to remember are:

1) Always keep backups.
2) Write protect your original diskettes.
3) Always boot from a clean diskette before doing any virus hunting.
4) Don't panic when a virus is detected. Nothing worse can happen, unless
   you do it yourself.

> An important question I wanted answered is: what do I do when
> all my viral killing defences are breached?

1) Don't panic.
2) Boot from a clean diskette.
3) Replace all executable programs (including the boot sectors) that you
   suspect to be infected.
> Is there another line of
> defence I could establish?

It is not clear from your description what kind of defense you are using
exactly. In general, you should use a combination of scanners, resident
scanners, integrity checkers, disinfectors, and backup.

> Should I kill my EX-friend now?

This is the most stupid thing you could do - he is probably not guilty at
all about your problem...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Tue, 20 Apr 93 08:16:55 -0400
From: Garry J Scobie Ext 3360
Subject: Re: Can a virus infect NOVELL? (PC)

> Date: Sat, 17 Apr 93 05:20:08 +0000
> From: sywu@csie.nctu.edu.tw (Xianyow )
> Subject: Can a virus infect NOVELL? (PC)
>
> I have a question, can a virus infect NOVELL system? Since there are
> many read-only files in NOVELL, how can it write into that file? If it can't
> , how can it live when the power turned off?
> But I really heard some viruses can infect NOVELL. Can anyone answer me?
> Thanks in advance!
> Victor
>
> ------------------------------

Please, Please, Please before this thread gets out of hand, the 1992 virus
digests are full of the pros and cons concerning Novell/Viruses/Access
Rights. It would be best to consult these.

In Sept 1992, vol 5 issue 151 I asked: if a virus can infect my applications
volume where everyone has only read and filescan permission set as a trustee
assignment then I would appreciate being told about it as soon as possible.

The thread appeared to end there as no-one could say either way. I suspect
the answer is still no. However, play it safe and always assume that a virus
has the same permissions as the logged on user.
Supervisors be extremely careful when updating public access software. Just
think how much hassle an infected LOGIN.EXE program could cause you!

Cheers

Garry Scobie
Lan Support Officer
Edinburgh University Computing Services
e-mail g.j.scobie@ed.ac.uk

------------------------------

Date: 19 Apr 93 13:44:00 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067"
Subject: Corporate climate (CVP)

PRTAVS4.CVP   930418

                         Corporate Climate

Part of the assessment of the user is the user environment. This aspect
covers not only the "corporate culture" (e.g. home user, user in a large
corporation with internal support staff, etc.) but also the operating
system environment. For example, the MS-DOS environment has a very large
number of viral strains, with more being produced every day. The Macintosh
environment has relatively few viral programs. Therefore, "generic"
identification of "new and unknown" viral programs is more important to
MS-DOS users than to Macintosh. (Interestingly, while Macintosh antivirals
are quite mature, and protected Macintosh systems have a negligible
infection rate, the infection rate on unprotected Macs is astronomical.
This, too, should be taken into account.)

Related to the interaction of the user and the program is the potential
negative impact of the security program. Antiviral programs consume time
and disk space, and may also interfere with the normal operation of the
computer system. As Jeff Richards' first law of data security has it, you
can guarantee security if you don't buy a computer. It's just not a very
useful alternative. Computer systems can be secured more and more by
restricting the operations more and more, but restriction of "dangerous"
operations also restricts useful ones. There comes a point at which the
trade-off for greater security becomes more than users want to pay. An
antiviral program, therefore, must be matched to the environment in which
it is to be used.
In a "low risk, low change" situation, such as a word processing office,
change detection software provides very effective protection, without too
much interference with operations. In a "high change" milieu, such as a
software development team, change detection software is less useful against
viral programs, although it has other helpful features. In a "high risk,
multi risk" environment such as a college computer lab, operation
restricting software may prevent not only viral infection, but may help to
"idiot-proof" the computers as well.

We come, though, full circle back to the corporate climate. It is important
also to match the type of program to the type of support provided within
the company. Sadly, in many cases, this may prevail against the use of a
superior product. However, note that even the best product is of little use
if improperly installed or supported. If routine maintenance is not
performed on computers, then a scanner will be of little use, since it needs
to be updated from time to time. (Of course, if a company is not doing
regular maintenance and support, they are in danger of more than viral
programs ...)

copyright Robert M. Slade, 1993   PRTAVS4.CVP   930418

=============
Vancouver      ROBERTS@decus.ca         | "Remember, by the
Institute for  Robert_Slade@sfu.ca      |  rules of the game, I
Research into  rslade@cue.bc.ca         | *must* lie.  *Now* do
User           p1@CyberStore.ca         |  you believe me?"
Security       Canada V7K 2G6           |        Margaret Atwood

------------------------------

Date: Tue, 20 Apr 93 03:12:09 -0400
From: russo@fec.unicamp.br (Renato Aparecido Russo)
Subject: SCNDAY10.ZIP - Scan HD for viruses once a day on Mon/Wed/Fri (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1: SCNDAY10.ZIP   Scan HD for viruses once a day on Mon/Wed/Fri

ScanDay is a Scan optimizer. If it is Monday, Wednesday or Friday, ScanDay
will run the virus detection software, ONLY the first time you turn the
computer on.
The parameters for Monday and Wednesday are /a /nomem /bell and the ones for
Friday are /a /m /chkhi /bell.

When it runs the first time a file called ALREADY.CTL is generated so that
ScanDay can recognize it is not necessary to run SCAN.EXE again. So, don't
delete this file in case you don't know what it is. If you do, next time you
turn your computer on you'll have to wait some time because SCAN.EXE will be
run again.

Luiz Otávio
russo@fec.unicamp.br

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 67]
*****************************************
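The Mon/Wed/Fri first-boot rule that the ScanDay announcement describes, as an added example (my code, not the ScanDay program): the decision logic, the per-day SCAN.EXE switch sets from the announcement, and the ALREADY.CTL marker. The announcement does not say how ScanDay tells a new day from the old marker; here the marker stores the date it was written, and the caller supplies the function that actually launches the scanner (both assumptions).

```python
"""Added example, not the ScanDay program itself. Reimplements the rule from
the announcement: on Monday, Wednesday and Friday run the scanner only at the
first boot of that day, using a marker file to remember that it already ran.
Assumption: the marker holds the ISO date on which the scan happened."""
import datetime
import os
from typing import Callable, List, Optional

MARKER = "ALREADY.CTL"
# SCAN.EXE switch sets per weekday, exactly as given in the announcement.
SCAN_ARGS = {
    0: ["/a", "/nomem", "/bell"],        # Monday
    2: ["/a", "/nomem", "/bell"],        # Wednesday
    4: ["/a", "/m", "/chkhi", "/bell"],  # Friday
}

def scan_args_for(day_iso: str) -> Optional[List[str]]:
    """Switches for the weekday of an ISO date, or None when no scan is due."""
    return SCAN_ARGS.get(datetime.date.fromisoformat(day_iso).weekday())

def marker_date(marker_path: str) -> Optional[str]:
    """ISO date stored in the marker, or None if it is missing or unreadable."""
    try:
        with open(marker_path) as f:
            return datetime.date.fromisoformat(f.read().strip()).isoformat()
    except (OSError, ValueError):
        return None

def should_scan(day_iso: str, marker_path: str = MARKER) -> bool:
    """True on a scan day whose scan has not been recorded yet."""
    return scan_args_for(day_iso) is not None and marker_date(marker_path) != day_iso

def run_if_due(day_iso: str, run: Callable[[List[str]], None],
               marker_path: str = MARKER) -> bool:
    """Call `run(args)` when a scan is due, then write the marker.
    Returns whether the scanner was invoked. A real deployment would pass a
    callable that launches SCAN.EXE with those switches."""
    if not should_scan(day_iso, marker_path):
        return False
    run(scan_args_for(day_iso))
    with open(marker_path, "w") as f:
        f.write(day_iso)
    return True

def clear_marker(marker_path: str = MARKER) -> None:
    """Deleting the marker forces a rescan at the next boot, as the notice warns."""
    if os.path.exists(marker_path):
        os.remove(marker_path)
```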
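The confirmation check Vesselin Bontchev gives in the 5lo thread above (look at the end of each reported file for the text string '92.05.24.5lo.2.23'), as an added example that is not code from the digest: it applies the check to the files a scanner reported and separates confirmed hits from probable false positives, in the spirit of Frisk's rule of thumb on one-or-two-file alarms. How far from the end the string sits is not stated, so the tail window and the constructed sample images are assumptions.

```python
"""Added example, not from the digest. Confirms a 5lo scanner report by
looking for the trailer string the digest quotes near the end of an EXE."""
import os

SIGNATURE = b"92.05.24.5lo.2.23"   # text string quoted in the digest
TAIL_BYTES = 4096                  # assumption: search the last 4 KiB only

def has_5lo_trailer(data: bytes) -> bool:
    """True if the signature string appears within the tail of an image."""
    return SIGNATURE in data[-TAIL_BYTES:]

def check_file(path: str) -> bool:
    """Read only the tail of a file on disk and apply the same check."""
    with open(path, "rb") as f:
        f.seek(max(0, os.path.getsize(path) - TAIL_BYTES))
        return has_5lo_trailer(f.read())

def triage(reported: dict) -> dict:
    """Split scanner-reported files (name -> image bytes) into two lists.

    Files carrying the trailer are confirmed; flagged files without it are
    the false-alarm case Frisk describes and deserve a second opinion rather
    than a reformat."""
    confirmed = sorted(n for n, d in reported.items() if has_5lo_trailer(d))
    suspect = sorted(n for n in reported if n not in confirmed)
    return {"confirmed": confirmed, "likely_false_positive": suspect}

def sample_exe(infected: bool) -> bytes:
    """Constructed test data: an 'MZ' header plus filler, optionally with the
    trailer string appended. Not an executable, only bytes for the check."""
    body = b"MZ" + b"\x00" * 600
    return (body + SIGNATURE + b"\x00" * 16) if infected else body

# Constructed stand-in for a scanner's report of 'infected' files.
SAMPLE_REPORT = {
    "GAME.EXE": sample_exe(True),
    "EDIT.EXE": sample_exe(True),
    "TOOL.EXE": sample_exe(False),
}

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_REPORT).items():
        print(verdict, names)
```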