From virus-l@lehigh.edu Tue Nov 3 17:05:53 1992 Errors-To: krvw@cert.org Date: Tue, 3 Nov 1992 11:01:32 -0500 Message-Id: <9211031553.AA28851@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V5 #173 VIRUS-L Digest Tuesday, 3 Nov 1992 Volume 5 : Issue 173 Today's Topics: Stealth Bomber (PC) ExeBug - other names and removal? (PC) Re: Infection density (PC) Info on Commander Bomber and Starship? (PC) Re: HELP! (RE: IBM PASSWORD) (PC) Re: Checking high memory with VSCAN (PC) Re: MBR Viruses and FDISK /MBR (PC) Re: cascade virus info wanted. (PC) Re: Comment on the MtE wars (PC) Re: Newest and best scanner? (PC) Filler virus - Need Help! (PC) autoexec.bat deletion virus?? (PC) FDISK /MBR and Boot Sector Viruses (PC) Re: MtE ?? (PC) Re: SCAN 95b doesn't find MtE in EXE files (PC) Information on ExeBug requested (PC). Re: Landmark legal ruling on software copyright Independent Virus Experts CATCHM15.ZIP - Algorithmic MtE virus scanner and MtE report (PC) Files on risc.ua.edu (PC) Scores functions (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: 29 Oct 92 18:45:50 -0500 From: Kevin Dean <76336.3114@CompuServe.COM> Subject: Stealth Bomber (PC) In VIRUS-L 164, Bryan D. Nehl (kodiak@matt.ksu.ksu.edu) says: >I remember hearing of C code that you could add to your program that >wouldn't let it run if it detected that it had been changed. Any idea >where I can find this code? It would be great if the source is >available for both Unix and DOS. In VIRUS-L 161, Blow Me Down (u906271@bruny.cc.utas.edu.au) says: >I'm looking for a program that saves a checksum of files on the PC and >later checks for files changes automatically. With my usual modesty I hope that the code Mr. Nehl is referring to is Stealth Bomber. Stealth Bomber version 2.2 (formerly CRCSET) is available in the following locations (among others): risc.ua.edu (/pub/ibm-antivirus/stealth.zip) and ux1.cso.uiuc.edu. Stealth Bomber is a programmer's tool: it is an anti-virus protection utility that uses a 32-bit CRC to test the integrity of the running program and any supporting files. It also performs a basic system check for viruses that may evade detection by a file check. Please note that it will _NOT_ detect all such viruses (for every check, there is a way around it). Supporting code is in C and Turbo Pascal and full documentation is included. For the moment, it is not available under UNIX. It is also not possible to use the CRCSET.EXE generation program to patch UNIX files unless those programs are to be run on an Intel architecture (or any other chip that has low-byte to high-byte integer storage). Kevin Dean Author, Stealth Bomber ------------------------------ Date: 30 Oct 92 17:34:18 +0200 From: mybdav02@uctvax.uct.ac.za Subject: ExeBug - other names and removal? (PC) There is an outbreak of EXEBUG virus on campus. It is easily removed by copying the original partition table from H0,T0,S17 to S17. It is also easily detected by SCANv97 and Doc Solomon v5. Both identify it as ExeBug, and SCAN gives the clean code [Swb]. The problem arises here - VIRLIST.TXT does not list ExeBug OR [Swb]. Neither does Hoffmans VSUM 9206. What is the name used for this virus in VIRLIST.TXT and VSUM? Another question: the virus formats an extra sector on floppies and copies the original boot sector there - how does one read this sector? Does the virus have to be in memory? It can be cleaned by copying a clean boot sector from another floppy over it, but I would like to be able to copy the original boot sector. Any help and information about ExeBug would be welcome. Thanks in advance Dave ------------------------------ Date: Fri, 30 Oct 92 22:10:25 -0500 From: Jimmy Kuo Subject: Re: Infection density (PC) chess@watson.ibm.com (David M. Chess) writes: > I'd like to start a brief tangent on the question of how many files > are generally infected in a file-infector incident. Does anyone have > any interesting experience of insights to share? For file infectors, over the past 6 months, we've only heard of one or two cases where the number of infected files were in the couple of hundreds. Otherwise, it was always one's and two's. (Otherwise equals a few hundred cases that got through Tech Support to the "Lab." Chances are, if the numbers were huge, Tech Support would have involved us, and did.) Boot infections is a different animal. Here we hear about "hundreds" of machines (can't tell if the person telling us is exagerating to light a fire) quite frequently. And we had one case of a couple thousand machines infected by the same boot virus. This is probably as good a place as any to advance my own "infection rate" theory. I would propose that a virus will spread only until it meets an anti-virus system. Thus, it would be one exponential function chasing another, which would reduce to a linear effect. (There was a recent article by Jeff Kephart of IBM also noting a linear effect on virus spread. If I recall correctly, his explanation involved topology. I think my explanation is easier to comprehend. :-) "A virus spreads until it encounters an anti-virus system.") Jimmy Kuo cjkuo@ccmail.norton.com Norton AntiVirus Research ------------------------------ Date: Sat, 31 Oct 92 11:04:15 +0000 From: pehmo@parker.ositech.fi (Petteri Jarvinen) Subject: Info on Commander Bomber and Starship? (PC) Has anybody dissected and analyzed these new advanced viruses like Commander Bomber and Starship? Virus Bulletin, perhaps? Petteri - -------------- Pehmo@ositech.fi Petteri J{rvinen, tel. +358 (9)0 43542717, fax +358 (9)0 466464 Espoo, Finland ------------------------------ Date: 31 Oct 92 13:33:23 +0000 From: "Brian W. Gamble" Subject: Re: HELP! (RE: IBM PASSWORD) (PC) rudy.hehn%hombas@canrem.uucp (Rudy Hehn) writes: >The AMI and DTK BIOS, as well as some others, have this option, which >I always warn people not to use. That "I always warn people not to use" covers a lot of territory! In the business world, that password feature is very desirable. It keeps casual users out of systems and reduces the risk of virus infection because the PC so protected won't boot from ANYTHING until the password test is satisfied. Naturally, this "feature" is not helpful in a user lab situation :-( You do, however, point up a bigger problem - the sad lack of options when one wants a BIOS version to match a particular set of circumstances. I suspect that there is a market for this - picure walking into a better grade of computer store. A PC in the order area presents a menu driven system. You select your present (or just ordered) motherboard, then choose from a list of BIOS options like: password on boot selective boot from a or b separate keyboard lock code shadow RAM options etc Seclect what you need, then the system programs a set of chips (a matter of minutes from direct observation.) Given the amount of effort devoted to virus creation, the amount of work required to do this seems small. Do I oversimplify? The equipment required to program the chips is not that expensive, nor is it difficult to use. The biggest problem I see is the database required to match the BIOS type and chip type to the motherboard in question. Perhaps those with more direct knowledge would comment? - -- Brian W. Gamble, Brian.W.Gamble@Waterloo.NCR.COM NCR Canada Ltd. Information Products Group E&M Waterloo Charter Member -- The ShoeString Racing Team ------------------------------ Date: Sat, 31 Oct 92 08:43:16 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: Checking high memory with VSCAN (PC) From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Yes, there is no need (almost) to check the rest. Besides in >conventional memory (up to the 640 Kb limit), a virus could also >reside in the following places: - --- examples deleted ---- >Till now, there are no known viruses that use the last two methods. >Since the known-virus scanner can detect only known viruses, it is >obviously useless to check places in memory where no known virus can >reside. Sorry to niggle but must point out that the above refers to MS-DOS (and its close family) only. More specifically to an Intel based system (PC) in REAL mode. Once operating in PROTECTED mode or with virtual DOS boxes, all bets are off. I point this out only so that people running Windows do not do a memory-only SCAN from a DOS box and possibly miss an infection in another. If you are going to run from Windows, it is best to check the programs on disk as well. With the rise of network authentication, this may become important in the future. Just to quell another fear about swapped boxes, "stealth" won't work when swapped out either. Vesselin is correct that no known virus (though I'm not sure about that new Windows specific one - haven't seen it) exploits this though I am sure that it is just a matter of time. Warmly, Padgett ps Just this week have heard of some new hardware that really sounds promising, one that may be included as part of the architecture in new systems at little or no cost. Not free to give details at the moment but soon... ------------------------------ Date: Sat, 31 Oct 92 09:31:48 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: MBR Viruses and FDISK /MBR (PC) From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >> okay and it is safe to use FDISK /MBR. Of course, one has to boot >> from a floppy diskette with the same (or higher) version of DOS as the >> one on the hard disk, otherwise it may not be possible to access the >> hard disk at all. >Is this -really- necessary? As far as I understand, the command FDISK >/MBR (not that no hard disk is specified as an argument) uses INT 13h >to rewrite the MBR of the first hard disk. In order to do that, it is >not necessary that the logical drive is visible to DOS. Therefore, you >can use FDISK/MBR, regardless of the DOS version the hard disk is >formatted with - you will need only a DOS 5.0 system diskette... While my esteemed colleagues (election is three days off) are both essentially correct, I suspect that the whole thing is getting a bit confusing to some of the readers ergo I shall attempt to elucidate eschewing sesquipedalian phrasology. FDISK/ is a dumb program. What it does is not related to the OS version at all though an internal check keeps current versions from running under anything except its own version and the /MBR switch appears to be available only in the DOS 5.0 version hence to use it you must boot with DOS 5.0. (My FixMBR could care less - plug). As has been stated before the /MBR switch merely dumps a new code segment into the hard disk using a BIOS interrupt while maintaining the Partition Table. The code is rather simple, just sufficient to find the OS boot sector (DBR), load it, and get out of the way. The whole thing can be accomplished in a few bytes. (as an aside, the original IBM PC-DOS MBR also had the author's name implanted - wonder if IBM knew 8*) Vess is correct that the OS on the Disk is unimportant except in a few cases: for instance Mark William's COHERANT uses a "dual boot" selected by a switch in the MBR code. Run FDISK/MBR on one of these and the ability to boot with COHERANT will be lost. The caveat here is that anything other than the P-Table is going to get overwritten with "new" code. Unlike many Anti-Viral utilities, no attempt is made to restore the original MBR contents. Further, no attempt is made to validate the P-Table so if it is corrupt, FDISK/MBR is not going to help (on the other hand, I have seen some "smart" anti-virals happily restore what they thought *should* have been the correct information and lose the real P-table in the process. Caveat y'all). So, the bottom line is that while you must boot with DOS 5.0 to use the DOS 5.0 FDISK which contains the /MBR switch, the OS(s) on the disk are irrevalent. As Aryeh says, if after booting the DOS partitions are DIRable, FDISK/MBR will probably work. Just be aware that this does not test for *other* partitions as the (also DOS 5.0) UNFORMAT/PARTN/TEST/L command will. Warmly, Padgett ------------------------------ Date: 31 Oct 92 14:41:53 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: cascade virus info wanted. (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >This makes 22 known variants. In fact, the only two that are spread in >the wild are Cascade.1701.A and Cascade.1704.A. The 1704.Format variant was somewhat common in the wild, but because of its nature it probably managed to wipe itself out. Most of the other variants have also appeared in isolated cases, but are not nearly as common as the two Vesselin mentioned. - -frisk ------------------------------ Date: Sat, 31 Oct 92 12:16:54 -0500 From: Fritz Schneider <71043.1117@compuserve.com> Subject: Re: Comment on the MtE wars (PC) In VIRUS-L 5-171 hobbit@ftp.com (*Hobbit*) asks: > So the entire discussion is so far based on percentage hit rate, which > for me has significantly less meaning in terms of explaining WHY > product A sucks and product B is so much better. Is this just me, or > does it smell like so much handwaving to anyone else, too? As another contributor in the same digest pointed out, there is a great deal of acrimony in the exchanges in this field. The most charitable explanation is that we have a sizable number of very talented people who, because of the nature of the field, must have a paranoid view of every file that comes along. All of them are True Believers protecting the innocents of the world both from the virus authors and from the scum who would prey upon the victims. >From a technical standpoint, the detection ratio argument can be summarized as: 1) If you cannot detect every single file infected by the MtE, you are likely to leave one behind that can restart the whole cycle of infection. The product will give a false sense of security, and the user will keep thinking that some outside source is causing reinfection. 2) The most important factor in fighting viruses is to detect that you are infected. Even if we don't detect every infected file, we at least alert the user to the fact that he has a problem. In all likeleyhood all of the infected files will be detected, so a slightly less than 100% detection ratio, while it needs correcting, is not a major flaw. 3) Because virus scanners got MtE detection (however flawed) in their products very early, virus authors are not using the .91b version of the MtE and so the threat of getting infected by it has been countered. It is now a minor problem, and we can improve the algorithm at a leisurly pace. So, pick your favorite point of view, and cheer them on. ------------------------------ Date: Sat, 31 Oct 92 12:17:28 -0500 From: Fritz Schneider <71043.1117@compuserve.com> Subject: Re: Newest and best scanner? (PC) In VIRUS-L 5-171 dluckma3@mach1.wlu.ca (david luckman 9209 U) asks: > What is the latest and most extensive virus scanner for the IBM PC > (clone) and where can I get my hands on it? Is this akin to yelling "Fire!" in a crowded theater? Or asking "What's the best word processor?" on a crowded BBS? Ought there not be some limits to free speach? ------------------------------ Date: Sat, 31 Oct 92 21:59:19 +0000 From: teasdale@ere.umontreal.ca (Teasdale Gilles) Subject: Filler virus - Need Help! (PC) Hi, I just find out that Filler virus has invaded my computer system. The Scan Test (SCAN 8.9V97 - McAfee) sometime detect it and other time it can't. Is there any other thing I can do to get rid of this damned virus... Thanks! Gilles Teasdale Universite de Montreal e-mail: teasdale@mistral.ERE.UMontreal.ca ------------------------------ Date: Sat, 31 Oct 92 22:13:18 -0500 From: ed street Subject: autoexec.bat deletion virus?? (PC) hello; My mom recently purchased a IBM machine (PS/1) and is complaining about her virus checker deleting her autoexec.bat file,(she has the standard virus checking program that came with the computer) this only occurs when she gets an error message that says something similar to "can't read autoexec.bat and procedes to delete it. This sounds to me not like a virus problem, but a file problem. So my question is does anyone know anything about this problem and if i told her right? (the program also deletes a text file from where the search program is located on her hard drive, so I am at a loss on this. I know some programs delets file upon use (like workperfect and others) but never have I heard of this happening.) thank you Ed Street ------------------------------ Date: Thu, 29 Oct 92 12:38:00 +0000 From: Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) Subject: FDISK /MBR and Boot Sector Viruses (PC) >>Will FDISK /MBR work for them all or are there any interesting "gotchas" >>using this method? > Well, there is one potential problem. FDISK /MBR does not touch the > partition table itself (bytes 1be-1ff in the MBR). Of course, as most > boot sector viruses don't touch that table either, they can easily be > removed. The problems start when the virus > 1) Modifies only the partition table - for example to create a new > partition, and making it the loadable one. > or > 2) Overwrites the entire MBR and uses "stealth" methods to make the > original MBR visible to other programs. If you run FDISK/MBR with > the virus active, it may not have any effect, as the virus could > intercept the write operation. If you run it after booting from > a "clean" diskette, most of the virus body will be overwritten, > but the table information may not be valid. > Fortunately none of the common MBR infectors belongs to either of those > categories. The FDISK/MBF will NOT work right on drives that are partitioned by DiskManager program. If you have a DOS/DM drive and you boot from a clean floppy to use FDISK/MBR, your DM partition is lost. The DM partition, for that matter, is any NON-DOS partition. Nemrod Kedem, Authorized Agent of McAfee Associates. - --- * Origin: Make Safe Hex! (9:9721/101) ------------------------------ Date: Sat, 31 Oct 92 18:53:07 +0000 From: Philip_Bird@f107.n441.z9.virnet.bad.se (Philip Bird) Subject: Re: MtE ?? (PC) -=> Quoting A.J. to All <=- A.> Can anyone tell me What in the world MtE stand for and give more A.> info... -aj. Hi a.j., MtE stands for mutation Engine. What is does is hide the virus by mutating it using a random number generator. This makes the virus VERY hard to detect. MtE can be linked to any virus and is available as a Module (like a libary for C for example). It's a very nasty pieces of work and worth staying clear of UNLESS you know what ya doing! Cheers Phil B.V.D. (British Virri Detectives) .. Ahh! Come on George, just this one last little feature! - --- GEcho 1.00/beta+ * Origin: INDEX III - Nottm UK - +44-602-855607/61 - (9:441/107.0) ------------------------------ Date: Fri, 30 Oct 92 19:32:00 +0000 From: Stefano_Turci@f0.n462.z9.virnet.bad.se (Stefano Turci) Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC) Hello Vesselin, in your message dated 22-10-92 you wrote: VB> From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) I hope you'll be able to read this message, I never wrote in this area before. VB> - Questo (1994 COM files) VB> - CoffeeShop (2000 EXE files) VB> - CryptLab (2000 COM files) VB> - Dedicated (2000 COM files) VB> - Fear (2000 COM files) VB> - Pogue (2000 COM files) VB> - Groove (2000 COM and 2000 EXE files) I tested the following anti-virus programs (showed in alphabetical order 8-) on Dedicated and Pogue viruses: F-prot 2.05 Gobbler 2.99 beta 5 Scan 97 TbScan 4.3 (with AVR module, version 2.3) VirX 2.4 I made 1000 infected files for each virus, and then I randomly took off some of these viruses and made a tricky work on them. Do you know LZEXE ? It's a worldwide spread package like PkLite, that is it compresses executable files. In the complete package there is a program called COMTOEXE. LZEXE only works with .EXE files, so if you want to compress a .COM file with LZEXE you have to convert it from .COM to .EXE. The conversion is very simple, in fact COMTOEXE adds 32 bytes long header at the top of the file, and the CS:IP points to the first byte after the header. Well, I converted the files from COM to EXE, and made some scanning tests with the mentioned programs. The results were a bit strange, in fact: F-prot 2.05 Scan 97 VirX 2.4 missed *ALL* the converted files, while Gobbler 2.99 beta 5 TbScan 4.3 got each infected file. The viruses in the files missed by F-prot, Scan and VirX in the .EXE form were all found out by the same programs in the original .COM version. I have personally tried to infect a COM file starting from a .EXE converted file and the infection was made correctly, that is the converted files are still able to propagate the virus, so I think the authors of the "missing-in- action" programs should improve their a-v packages. 8-) VB> I'll perform similar tests with other programs that claim to detect VB> the MtE-based viruses and will post the results soon. Meanwhile, both VB> F-Prot 2.05 and FindVirus 6.01 (drivers from 24 September 1992) were VB> able to detect ALL of the infected samples. Of course, this does not Well, I'm trying to write my own Mte detector. I run it on a high number of files infected with two Mte-based viruses ( Dedicated and Pogue) and it is able to detect all of the infected files, but how could I say if it will work for *EVERY* mutation and for *EVERY* Mte-based virus ? I think it's impossible. _ Ciao. /\\ _\\ \/teve. - --- Mercurio 1.00 * Origin: Move fast in the tunnels of the underground. (9:391/108.0) ------------------------------ Date: 02 Nov 92 09:34:26 +0200 From: mybdav02@uctvax.uct.ac.za Subject: Information on ExeBug requested (PC). G'Day Folks Recently, I have had a run-in with the so-called ExeBug virus. I have some information on it from BIT magazine, and was interested to find out some more about it in VIRLIST.TXT v97 (from McAfee) and VSUM 9206 (Hoffman). However, neither sources listed this virus at all. Doc Solomon v5 did list this virus, it could also detect and apparently remove it too (from the partition table, while files had to be deleted). When I used SCANv97 it detected the virus as ExeBug [Swb], in a 1.2 boot sector. I used CLEAN 97 A: [Swb] /nomem to remove the virus, and CLEAN reported that it had removed the virus. However, on rebooting (before any other programs were run), the partition table of the HDD was infected! (Yes, the virus was removed beforehand, by copying Sector 17 to Sector 1. Also, [Swb] was not listed in VIRLIST.TXT. In the article by BIT magazine, it was stated that the virus formatted an extra sector for itself, and copied the original boot sector there. I couldn't find this extra sector with Norton 6.01's DISKEDIT, so copied clean boot sectors from other disks to the infected disks. My 1st question is: What is the actual name used by VIRLIST.TXT and VSUM for ExeBug? Secondly: How does one read this extra sector formatted on floppy disks? Thanks in advance Dave ------------------------------ Date: Fri, 30 Oct 92 15:02:39 -0500 From: Dennis Clouse Subject: Re: Landmark legal ruling on software copyright on Wed, 28 Oct 92 04:19:35 -0500 Douglas de Lacey, Cambridge (DEL2@phx.cam.ac.uk) wrote: > (btw does the San Francisco Examiner really not know the difference > between "its" and "it's"? :-) They do; I don't ;-) : it's "its"! (my typo: an apostrophe catastrophe). > I"m not a lawyer, but surely I'm not either (I get enough abuse being a programmer). Meanwhile, software publishers are *rushing* to remove the offending clause(s) from those envelopes in which commercial software is shipped. You know: the ones with the contract you accept by opening the envelope? Right. First thing next Tuesday. Is Bill Gates (or the Dark Avenger, for that matter) losing any sleep over this? - ------------------------- Dennis E. Clouse Office of the President University of California - ------------------------- ------------------------------ Date: Mon, 02 Nov 92 04:47:56 +0000 From: amesml@monu1.cc.monash.edu.au (Mark L. Ames) Subject: Independent Virus Experts A Melbourne based organisation is looking for vendor-independant virus experts to advise on strategies to control and deal with the virus threat. If you are such a person, or know of one, please email me amesml@monu1.cc.monash.edu.au. ------------------------------ Date: Fri, 30 Oct 92 17:55:58 -0500 From: tyetiser@umbc5.umbc.edu (Mr. Tarkan Yetiser) Subject: CATCHM15.ZIP - Algorithmic MtE virus scanner and MtE report (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil: pd1: CATCHM15.ZIP Algorithmic MtE virus scanner and MtE report CatchMtE is designed to recognize viral code based on the so-called Mutation Engine distributed by DarkAvenger from Bulgaria. CatchMtE uses sophisticated algorithms to determine if a program is infected by an MtE-based virus. We have tested it on MS/PC DOS 3.3+ as well as Netware 386 based disks. On network drives, some files may not be opened and will generate an error message. The program uses handle-oriented DOS file access for compatibility. Regards, Tarkan Yetiser VDS Advanced Research Group P.O. Box 9393 Baltimore, MD 21228, U.S.A. (410) 247-7117 tyetiser@umbc8.umbc.edu ------------------------------ Date: Sat, 31 Oct 92 22:06:12 -0500 From: James Ford Subject: Files on risc.ua.edu (PC) Several new files have been placed on risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus for anonymous FTP (the McAfee v97 files, vsig9210.zip, catch15.zip, etc). Below is the current listing of files that are available. If you see something that is not current, please drop me a note stating where I can get the current version. - ---------- Three may keep a secret, if two of them are dead. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@seebeck.ua.edu Work (205)348-3968 fax (205)348-3993 - ------------------- file 0files.9210 ------------------------------ 0files.9210 cvcindex.zip scanv97.zip validate.crc vkill10.zip aavirus.zip dir2clr.zip secur235.zip vc300ega.zip vshell10.zip asig9207.zip ds95.zip sentry02.zip vc300lte.zip vshld97.zip avs_e224.zip fixutil3.zip stealth.zip vcheck11.zip vsig9210.zip bbug.zip fp-205.zip tbresc19.zip vcopy82.zip vstop54.zip bootid.zip fshld15.zip tbscan43.zip vdetect.zip vsumx209.zip catch15.zip fsp_183.zip tbscnx31.zip vds210t.zip vtac48.zip catchmte.zip htscan18.zip trapdisk.zip virlab15.zip vtec30a.zip ccc91.zip i-m124.zip unvir902.zip virpres.zip wcv201.zip chk.zip i-msetup.bat uxencode.pas virsimul.zip wp-hdisk.zip chkint.zip innoc5.zip v-faq.zip virstop.zip wscan97.zip clean97.zip killmonk.zip vacbrain.zip virus-l.faq ztec61b.zip cvc792am.zip m-disk.zip vaccine.zip virusck.zip cvc792ma.zip netscn97.zip vaccinea.zip virusgrd.zip cvc792ms.zip pkz110eu.exe validat3.zip virx24.zip ------------------------------ Date: Sat, 31 Oct 92 18:19:42 -0800 From: rslade@sfu.ca Subject: Scores functions (CVP) HISVIRG.CVP 921016 Scores virus - functions The Scores virus has a complicated structure and operation. There are time delays, and the use of both the system and application files for reproduction. It starts simply enough. When an infected application is run on a new system, the system folder is infected. Two invisible folders are created, one named Desktop and the other Scores (hence the name). Thus the Scores infection gets to start early and go "resident". (INITs of 6, 10 and 17 are created. This led to later problems with other INITs numbered the same way that were mistakenly thought to be infected.) The Note Pad and Scrapbook files, if not already present, are created. The file types for these files are changed, as are the normal icons. The virus waits two days before it starts to infect applications. Thus the Scores might almost seem to be an early form of the multipartite virus, since it "toggles" between system and application files. However, it is only after the infection has entered the system folder that the other activities take place. Four days after the infection of the system folder, the second part of the virus starts up. At this point, it looks for applications which, when run, identify themselves as ERIC or VULT. If such an application is run, the application will be terminated after 25 minutes of operation. Seven days after the infection of the system folder the final part of the payload comes into play. Again operating on applications with the VULT resource, it will force errors and termination on a complicated series of timings and operations. The timing sequences and complicated arrangements for triggering of errors and program termination would seem to indicate that the author saw this program interfering with an application in a normal environment, and generating "normal" problems. An intermittent "bug" would be difficult to trace, and would be less likely to be effectively attended to as a virus. This would tend to support the idea that the author thought to cause trouble for ERIC and VULT as a released application. It does not, however, rule out the possibility of creating trouble for an in-house utility. copyright Robert M. Slade, 1992 HISVIRG.CVP 921016 ============== Vancouver ROBERTS@decus.ca | "virtual information" Institute for Robert_Slade@sfu.ca | - technical description of Research into rslade@cue.bc.ca | marketing info disguised User p1@CyberStore.ca | as technical description Security Canada V7K 2G6 | - Greg Rose ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 173] ******************************************