From lehigh.edu!virus-l Tue May 25 04:05:20 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Tue, 25 May 93 16:29:28 1 for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA08472; Tue, 25 May 1993 14:12:05 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA18835 (5.67a/IDA-1.5 for ); Tue, 25 May 1993 08:05:20 -0400
Date: Tue, 25 May 1993 08:05:20 -0400
Message-Id: <9305251043.AA07340@agarne.ims.disa.mil>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: virus-l@agarne.ims.disa.mil
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #83

VIRUS-L Digest   Tuesday, 25 May 1993    Volume 6 : Issue 83

Today's Topics:

Should viral tricks be publicized?
Anti-viral file on gopher
Copyrighting viruses
Unix viruses (UNIX)
TREMOR Chronology (PC)
Re: TREMOR-infected virus-scanner? (PC)
Port Writes (PC)
"DIR" infection, or "Can internal commands infect" (PC)
Cansu or V-Sign virus (PC)
Can virus infect a hard drive that one cannot access? (PC)
NAV Updates (was Central Point Anti-Virus Updates) (PC)
DOS v6.0 and Virus Functionality (PC)
Port Writes (PC)
F-Prot 2.07 (PC)
Port Writes (PC)
Can virus infect a hard drive that one cannot access? (PC)
??Hidden file: 386spart.par?? What is this? (PC)
A New Virus ? (PC)
"Dirty Tricks" (PC)
CPAV updates? (PC)
Re: McAfee's Scan and Compressors (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Fri, 21 May 93 14:49:00 +0200
From: Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: Should viral tricks be publicized?

> As I read this, his primary interest is in avoiding disassembly of
> viruses by AV people; copy protection comes only in second place. But
> even if we ignore the implied ranking, the very fact that he is aware
> that the tricks he has published can be used to defeat AV techniques
> (even if only among other things) says a lot, as far as I'm concerned.
> Let me put it this way: Would *you* think of posting an article of
> the type which he wrote (which includes code) in a public forum? More
> important, would you be proud of being "ON BOTH SIDES", as Inbar
> describes himself?? When you say that you're defending Inbar, is that
> really the type of person or position you want to defend?

Dear Mr. Radai,

Inbar is working under my supervision at Chief Data Recovery Ltd. (which you probably know), and the things you write about him actually damage the name of the company he works for. I can guarantee that if Inbar were involved in anything related to computer viruses, he wouldn't be working at Chief D.R. Inbar is a very talented programmer who writes assembler better than you speak Hebrew, and that is the only reason he is working with us. His anti-debugging tricks are very widely used in Chief's commercial programs, and his knowledge of computer viruses only helps us in giving a better service to our clients.

Inbar is by no means a virus writer, nor are his intentions to improve the knowledge of other virus writers in anti-debugging tricks. I think you should apologize to both Inbar Raz and Chief Data Recovery Ltd. for these words you wrote. See you at the same table at the next virus convention.

Regards,
Nemrod Kedem, Development Dpt.
Chief Data Recovery Ltd.

Nemrod.Kedem@f138.n403.z2.fidonet.org (Nemrod Kedem)
FidoNet: 2:403/138   VirNet: 9:972/0   CI$ ID: 100274,73
(972)3-966-7562 (14.4K)   (972)3-967-0348 (Voice)
Pvt: P.O.Box 8394, Rishon Le-Zion, Zip 75253, Israel.

- --- FastEcho/386 B0426/Real! (Beta)
 * Origin: Make Safe Hex! (9:9721/101)

------------------------------

Date: Mon, 24 May 93 10:32:11 -0400
From: John Perry
Subject: Anti-viral file on gopher

- -----BEGIN PGP SIGNED MESSAGE-----

The anonymous FTP archives available on phil.utmb.edu are now available by gopher. If you are running a gopher client, you can connect to the gopher on phil.utmb.edu and download the latest anti-viral files automatically. Just pick the menu selection "FTPable files on phil" and away you go!

If you have any questions, please send email to perry@phil.utmb.edu.

- - --
John A. Perry - perry@phil.utmb.edu
PGP Key available on request by sending e-mail to any of the following:
pgp-public-keys@jpunix.com
pgp-public-keys@phil.utmb.edu

- -----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBLADcTehUav9uyLDpAQHAVgP/Zeo49REhB4suNxpH4YA+r9IDWM9WIUUv
x2+4BD+CrE1Sa064Q5fo/1vb+Khi87i4/BXA0Jyh3H936bto/7Cew565+bnkCay0
viKUBaw73FaBUTPZKAKn4HV2zwLWDx+wZyip8WePji7FJKHm+5qkchiN6Ppimx8N
NAAEf4YlYTQ=
=Z8Sn
- -----END PGP SIGNATURE-----

------------------------------

Date: Mon, 24 May 93 11:27:25 -0400
From: Donald G Peters
Subject: Copyrighting viruses

I have been informed that some viruses are "copyrighted" by the author. No doubt the author did not register the copyright at the Library of Congress with the first 25 pages of source code. (If they did, it would be publicly available!
I wonder if they would want to?) But I think that is not necessary for a valid copyright, although I think it helps in court.

I would propose here that to keep anti-virus products legal and above board, all copyrights on malicious software should be considered invalid. I would appreciate comments for or against this idea. Any ACLU-type here? If one court could issue a ruling, or if one city could pass a law to this effect, it would probably hold a lot of precedence value in this country.

Remember, despite the "free speech amendment", that does NOT prevent this country from passing anti-slander or anti-libel laws. It seems to me that anti-malicious-software laws fall into the same category. Correct?

------------------------------

Date: Mon, 24 May 93 21:33:33 -0400
From: radatti@cyber.com (Pete Radatti)
Subject: Unix viruses (UNIX)

>>From: "David M. Chess"

> That depends on what you consider "wild". My company tracks Unix
> attacks and provides generic information on such. Last year there
> were at least 2 attacks of which I was directly aware. So far this
> year, there was one attack of which I received second-hand information
> from a reliable source.

>>Really?! That's very interesting. Can you give any more detail (to
>>the list or directly to me) about the nature of these "attacks"? What
>>sorts of viruses were involved? Were these just traditional direct
>>attacks that happened to use a custom virus of some sort as a tool, or
>>were they cases in which a virus spread to systems beyond the one
>>targeted by the writer? (And, of course, are you sure there were
>>really viruses involved, rather than just misuse of words by someone
>>reporting a normal Unix security incident?)

Ok, however CyberSoft will never supply information that might lead to disclosing who the infected party was. This policy is necessary to ensure that people keep telling us when they get hit. So few do so.

During the first quarter of 1992 three Unix attacks were reported to me:

1. A virus attack using a script virus. The person appeared not to believe that the virus would work and found out the hard way.

2. A trojan named choosegirl.game which was distributed on the Internet as an executable binary.

3. A worm/virus-like attack that was deliberately placed in the source code of a custom contract program by a staff member who lost their position.

During the second quarter of 1992 I was personally aware of 1 Unix attack:

4. An employee who lost their job installed a timebomb in the operating system.

During the first 5 months of 1993 I received reports of 3 Unix attacks:

5. Two separate sites that execute Unix on an i80386 based PC reported that an MS-DOS virus attacked their system. This is possible since these systems can execute MS-DOS programs. Samples were not provided, therefore I only count these as one-half reports.

6. A professional security officer reported to me a virus attack against their Unix datacenter. This only counts as a maybe since details and samples were not provided; however, the reporter was a professional full-time security officer of a major organization.

7. Two reports of Typhoid Mary Syndrome attacks. (Typhoid Mary Syndrome describes systems that are unaffected carriers of computer viruses. Unix systems act as carriers for MS-DOS and Apple Mac because NFS makes it easy for Unix servers to also act as file servers for these systems.)

Not all of these attacks were from the genus computer virus; however, they were all of the family of undirected attack software. I define undirected to infer software that was created and let loose into the wild to "fend" for itself without control by its authors. This therefore does not include software used as tools by crackers in a real-time attack to secure access or privilege.

I understand that my use of the word virus may have caused some confusion. In the course of normal business I have found that the average person does not understand the difference between Worms, Viruses, Trojans, etc...
I have become used to using the word virus, which most people think they know the meaning of, to describe attack software. It is, from my viewpoint, much better to impart knowledge that is correct except for the name than to impart no knowledge at all. When writing in this forum I will now use the correct names. Hard to learn habits are hard to break. :-)

In closing, I wish to add that these attacks are not yet widespread and that there is no need to panic. Products like VFind solve several problems, not just Unix viruses. VFind scans for Unix, MSDOS, Apple Mac, Amiga and user-programmed patterns. Networks that are heterogeneous and require high reliability or data migration tracking are better customers for scanners like VFind. Additionally, some people find the extra protection provided by searching for all forms of Unix attack software, not just viruses, to be of great value.

To ensure that my comments are not used out of context and that they are reproduced in their whole: Copyright 1993 by Peter V. Radatti. My comments may be used by individuals and educational institutions as long as they are reproduced whole, complete with this notice.

Pete Radatti
radatti@cyber.com

------------------------------

Date: Mon, 24 May 93 21:48:55 +0600
From: Fischer@rz.uni-karlsruhe.de
Subject: TREMOR Chronology (PC)

Chronology of the Channel Videodat incident

On May 6th the Micro-BIT Virus Center was contacted by an anti-virus consultant who couldn't cope with a new virus a user had sent him. The facts he described clearly indicated that TREMOR was the cause of the problems. The user who had initially sent in the virus claimed he had downloaded the first infected file through Channel Videodat. (There were several calls before that stated this as a source too, but weren't able to provide any clues for their suspicion.) This is a system that broadcasts software in 3 of the invisible lines of a TV picture. The TV program on the same channel is called PRO-7 and is broadcast via satellite, terrestrially and via cable. It can be received in most of Europe. The company providing the software distribution (Channel Videodat Medien GmbH in Cologne, Germany) claims to have some 60 000 registered users in Europe. They are not connected to PRO-7, they just use the same channel for broadcasting.

On May 7th a disk arrived and the TREMOR infection was verified. Channel Videodat Medien GmbH was contacted, but denied that they had sent out infected software. But they told about how they checked their systems, since they had a written complaint from one of their users, which was accompanied by some samples. It became evident that their search method was insufficient and that they might well be infected. A special TREMOR detector was sent to them, but no reply was sent back, so the MVC monitored their program.

Friday 14th 2pm a TREMOR infected file was received! It was a PKUNZIP.EXE accompanying McAfee's V104 ZIP files. The ZIPs were ok, but the unpacker the company had bundled was infected. This was also discovered by the source and 2 hours later they broadcast a replacement PKUNZIP.EXE and overwrote the infected file on those machines that were still online.

Since Tuesday 18th they have broadcast several anti-virus programs and alert messages 3 times per day to all online systems.

Several of the "victims" claim that there were infected files distributed at earlier times through this source; some even claim as early as the beginning of March. Fact is that TREMOR is in the wild and was quoted every other day on the Micro-BIT Virus Center's help phone for the last two months.
Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de

------------------------------

Date: Fri, 21 May 93 19:36:50 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: TREMOR-infected virus-scanner? (PC)

Karsten Steffens (steffens@VTP147.UNI-MUENSTER.DE) writes:

> bad news is circulating in Germany: a private television station
> usually spreads shareware among the people by sending it in a datachannel
> overlaid to their normal TV-program, using a special decoder hardware
> people can separate the data from the movies and download. They call it
> CHANNEL VIDEODAT. Now, newspapers claim that during the transmission last
> friday also the latest version of "a famous american virus scanner", which
> itself was infected by the TREMOR virus had been transmitted, and lots of
> computers had been infected. As no newspaper calls the "famous scanner" by
> its name, my question is:
> Which scanner is infected by TREMOR?
> Which scanner can disinfect TREMOR?

Here are some corrections and additional information.

First, the "famous American virus scanner" mentioned is McAfee's SCAN, version 104.

Second, the scanner itself was not infected. However, it was sent together with an infected copy of PKUNZIP.

Third, version 104 of SCAN does NOT detect the virus at all. F-Prot 2.08a detects it, but not reliably - that is, some infected files could be missed. Dr. Solomon's Anti-Virus ToolKit seems to detect it reliably, but I have not done detailed tests. It is very difficult to run good tests. While the virus has a big mutating potential (something of the range of TPE), it mutates slowly, which means that even if you generate thousands of samples, you'll generate only a small number of different mutations.

Fortunately, the virus does not spread well between computers - if you copy an infected file to a floppy with the virus active in memory, the copy on the diskette will be uninfected. The only ways to spread the virus between different machines are:

1) If you boot from a clean floppy (i.e., no virus in memory) and copy one of the infected files on a diskette, and execute it later on another machine. Unlikely.

2) If you execute a file on a diskette - then this file will become infected, if the diskette is not write-protected, of course.

3) If you download an infected file from a BBS (or from the TV).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 14 May 93 10:00:05 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)

trimm@netcom.com (Trimm Industries) writes:

> You could simply use the interrupt controller to mask the IRQ of the
> disk drive. But yes, the disk can be operated in purely a polling

I don't think it will work. Didn't try it, though.

> There are two 8 bit regs you load up with the cylinder, one for the
> head, one for the sector, and one for the count. Then by writing
> an opcode into the control register, the operation begins. I've
> posted at length on this issue on Fido Virus_Info, should I cross-
> post it here?

I don't think so. This is a sensitive issue, and the less people know about it, the more secure we are.

Inbar Raz
Chief Data Recovery

- - --
Inbar Raz    5 Henegev, Yavne 70600, ISRAEL.    Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL.
Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210    nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date: Tue, 18 May 93 13:57:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: "DIR" infection, or "Can internal commands infect" (PC)

bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) suggested the following:

> would you agree with the following addition to the FAQ:

> Q: Is it possible to infect a virus-free computer by
> just executing the DIR command on an infected diskette?

> A: The only way to infect a computer with a virus is
> to execute (transfer control to) the virus code. The DIR command
> reads various parts of the disk(ette)s, but does not execute
> anything. Therefore, it is not possible to catch a virus by simply
> doing a DIR on an infected diskette. There are a few caveats, however.

Yep...

> First, some systems have a special device driver loaded. This driver
> is called ANSI.SYS and its purpose is to provide ANSI terminal like
> compatibility. Unfortunately, one of its features is that it allows
> the keys of the keyboard to be reprogrammed by sending special codes
> ("escape sequences") to the screen. These codes can be contained in a
> text file - simply displaying the contents of this file will cause one
> or more keys to be reprogrammed.

> It is possible to create a diskette, the directory of which contains
> files with "names" that consist of such escape sequences. Executing
> DIR on such a diskette will cause the contents of its directory to be
> displayed, and therefore one or more keys to be reprogrammed. The
> result could be that the next time you press one of those keys, you
> could get unexpected results - files deleted, some program from the
> diskette executed, etc. Since this could result in execution of an
> external code, it means that it is (theoretically) possible to catch a
> virus this way.

> The solution is to disable the ANSI.SYS driver completely, or at
> least its keyboard programming capability. There are several free
> programs that allow you to do this (PKSFANSI is one of them). As an
> alternative, you could use a different ANSI driver instead of the one
> that comes with DOS - and select one that does not have the keyboard
> reprogrammability feature or that at least has means to disable it.

Splendid...

> Second, while the DIR command alone will not execute any external
> code, for many users it is equivalent to "display the contents of a
> particular directory". Unfortunately, some sites might have installed
> more elaborate front-ends of DOS - shell programs which provide an
> easy and convenient way to use the services of the operating system.
> In particular, the function "display the contents of a directory" of
> such systems might be implemented in a complex way and might not be a
> simple DIR. It may load new copies of the command interpreter, execute
> external programs, etc. All these actions involve the execution of
> external code, which in some cases may cause a virus to be executed.

Great...

> Finally, the DIR command causes various parts of the examined disk(s)
> to be read in memory, and in particular - the boot sector.

Just add here: On the *first* time a floppy is accessed the BIOS attempts to read the boot sector, sometimes several times if the read has failed (resetting the floppy drive between attempts). Later the boot sector is read once (or not at all) on each floppy access. The aim of this is to read the BPB (BIOS Parameter Block), holding the information on how to read this floppy.

> If this boot sector contains a virus, the virus code will be read in
> memory - but will remain inactive, since control is never passed to it.
> However, if the user now executes a scanner which plainly scans the
> whole memory for some virus scan strings, it may detect the virus
> code. If the scanner is not intelligent enough to figure out that this
> particular boot sector virus just cannot reside at that place of
> memory and be active, then it will incorrectly report that there is an
> active virus in the computer's memory. This is often called a "ghost
> positive alert" or simply a "ghost positive", see question C8. It DOES
> NOT mean that the computer is really infected.

I cannot think of a better way to write it 8-)

Warm regards

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 18 May 93 15:08:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Cansu or V-Sign virus (PC)

gj9@prism.gatech.edu (georgia deakin) asks:

> I checked the computer with F-Prot 2.08a and got a message
> that the boot sector was infected with the V-Sign virus.
> McAfee detected the Cansu virus.
...
> find out anything I can about either or both of these
> viruses. Did I have both or just one? What do they do and where did
> they come from?

The V-Sign and the Cansu viruses are one; these are different names used for the same virus. Its general operation is described in VSUM; however, the virus is a BOOT infector on floppies and an MBR infector on hard disks. Unlike other BOOT or MBR infectors, this virus does not keep a backup of the original sector. Therefore in some cases an infected disk will not boot, and it will not be possible to access it with normal means.

The way to catch it is to try to BOOT from an infected floppy (EVEN IF IT'S ONLY A DATA FLOPPY THAT IS NOT CAPABLE OF BOOTING). The attempt to boot is enough to infect (blindly) the disk, and the next boot (normal, from the disk) loads the virus into memory.

The way to clean it is simple, but it will work only if the disk allocation table (offset 446 and on of the MBR) is not damaged. That is FDISK /MBR.

regards

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 18 May 93 14:56:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Can virus infect a hard drive that one cannot access? (PC)

Yi Hong asks:

> If I had a hard drive in my computer, but I
> reconfigured the ROM set up and put that there is no hard drive,
> and i boot from a floppy, so that i won't be able to access the
> C: drive.
> Can a virus affect the C: drive if there is no partition to link
> to it? I don't think so, but I am just trying to make sure..

Usually it is not possible to access the drive via INT 13h (in most PCs), and this is sufficient against viruses (declare "HARD DISK TYPE: None" in the setup menu). However, it was brought to my knowledge (although I've never experienced it myself) that in some computers this is not enough to avoid disk access (the BIOS treats the setup information differently). So generally I would say the answer to your question is NO.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Sat, 01 May 93 14:35:00 +0200
From: Chris_Franzen@f3020.n491.z9.virnet.bad.se (Chris Franzen)
Subject: NAV Updates (was Central Point Anti-Virus Updates) (PC)

> Mr. Slade mentioned ftp servers. Will Symantec permit the distribution
> of the updates via ftp servers?

There were updates of Norton Antivirus distributed via VirNet. I think Symantec is one of the first non-shareware av contenders who understand how nice file echo distribution is, and how clumsy diskette mailing is.

> If you don't support ftp access, would you allow to others to do it
> for you?
> We also have a BBS at the VTC-Hamburg, but I am not
> maintaining it, so I cannot decide what is there and what not. But I
> do maintain our ftp site, so I can put there the latest NAV definition
> updates, if Symantec allows us to do so.

If you were a VirNet node, you would be allowed to let others do file-requests or free BBS downloads for all files that pop up in VirNet. In fact, you *have* *to* do this. Anonymous FTP is kinda file-request, like in Fido-style networks, ey? So I don't see any problems doing it the FTP way as well?

> Regards,
> Vesselin

Chris, The Blast I

- --- GEcho 1.00/beta+
 * Origin: The Blast I BBS, D-2942 Jever, ++49-4461-73696 (9:491/3020)

------------------------------

Date: Wed, 19 May 93 09:18:01 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: DOS v6.0 and Virus Functionality (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

I Write:

>> few experiments myself, I can safely tell you that it's the DOS=HIGH
>> that disabled a lot of viruses.

> What actually causes troubles in DOS 5.0 loaded high is the "dirty"
> way it installs its INT 21h handler (first sets an IV handler, then
> moves itself high, then "fixes" only the segment part of the IV), and
> the fact that many offsets in the handler are different from the
> previous versions...

Yes. Going through DOS will show you what it does:

1. Call a routine that CMPs 0:0 and FFFF:10h. If the A20 address line is DOWN, the segment wrap-around will cause both addresses to point to the beginning of physical memory - the Vector Table.

2. If the comparison didn't make out, issue a call to the XMS Handler, and enable the A20 line.

3. Jump to whatever address in the HMA.

>> 2. Based on articles in PCMagazine and PCToday, I gather that DOS 6.0 is
>> merely 'DOS 5.0 + ToolCase'. Not many enhancements, and most of the new

> Well, don't forget that one of the "tools" is a disk compression
> device driver a la Stacker. This already causes a lot of mess when a
> virus is present - either the virus doesn't work properly, or damages
> the compressed volume, or other messy things... :-)

If you are implying that people moved to DOS 6 just because of DoubleSpace, then I can guarantee you that the same people used Stacker before. However, I fear that because Microsoft has approved of this by including it in ___DOS___, people will actually believe this program is worth anything, namely risking data. I'm not going to fall for this...

>> Again, you almost say it yourself. DOS 6 is probably DOS 5, with minor
>> improvements and a toolcase. Nothing to be worried about.

> Again - could please somebody who has MS-DOS 6.0 verify whether the
> FDISK/MBR trick still works? Please?

I have DOS 6 (naturally... It is involved with my work. Chief Data Recovery's programs have to be up-to-date with the latest changes, therefore supporting as many end-users as possible, and those who use DOS 6.0 w/ or w/o DoubleSpace are included.) However, would you like me to /MBR a 1. normal disk, 2. infected disk, 3. DoubleSpaced disk?

[Text added later (17:41, original message 9:18)]

I tried infecting my 100Mb HardDisk with Stoned, and from DOS 6.0 I ran FDisk /MBR. Stoned was successfully removed, and my harddisk is no longer infected.

Inbar Raz
Chief Data Recovery

- - --
Inbar Raz    5 Henegev, Yavne 70600, ISRAEL.    Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL.    Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210    nyvirus@weizmann.weizmann.ac.il
- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date: Wed, 19 May 93 09:25:02 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>> I mean, if someone already
>> takes the trouble to learn and implement Port-Write disk access, what is it
>> for him to add a Vector Change before and after?

> I thought that this would crash the computer. DOS seems to intercept
                                                ^^^^^^^^^^^^^^^^^^^^^^

Exactly. DOS. But _I_ am NOT DOS. I am 'interacting' with the disk directly, and I don't need any IRQs from it when I can LOOP until it's not busy.

> It is possible. The question is whether the computer will continue to
> work without problems.

I don't know. Again - DOS won't work with it. But I said - you only need to disable it when YOU do your dirty stuff. Turn it on later, and no one will ever know you've been around...

> by a small TSR handler that just does IRET and see what happens.

This disables the harddisk. Old trick against [stupid?] viruses.

>> please remind you that the BIOS itself also uses port writes? And you CAN'T
>> link into the BIOS and tell it to tell you when it's OUTting a port...

> I know that... :-) I meant that the BIOS performs its port writes on
> user requests, not when it damn pleases. By "user requests" I mean INT
> 13h requests. So, the idea is to hook -both- INT 13h and the "device
> ready" interrupts and to check if the INT 13h requests match the
> "device ready" reports.

As far as I've checked, through single-stepping my AMI 386DX33 BIOS, INT 13 calls INT 15/90 sometime, and that's all. All other interaction with the harddisk is through pure port writes, and reading the Status Register.

>> True, virus writers really don't care MUCH about portability. Nevertheless,
>> the only portability problems would occur on change of interface.
For >> example, >> if the author had an IDE drive, then his virus wouldn't work on SCSI's and >> ESDI's, but then again, most of the AT class computers use IDE... > There are still a lot of MFMs around there... But you are right - a > program that controls IDEs and SCSIs through the ports might be > portable enough. When I read the 'you are right' part, I was sure you were going to say that I was right about saying that virus writers don't care about portability. If your program would like, for whatever ligitimate or illegitimate reason, use port writes instead of conventional INT 13 calls, it would be wise enough to distinguish an MFM from an IDE from a SCSI. At the time being, what I remember at the moment (I might know more, but on sourcefiles), I know how to distinguish an IDE DEFINITELY, how to determine a SCSI is installed, and then, by eliminating, determine that it's an MFM if it wasn't either. Inbar Raz Chief Data Recovery - - -- Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660 Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070 Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il - --- FMail 0.94 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210) ------------------------------ Date: Wed, 19 May 93 09:34:03 +0200 From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) Subject: F-Prot 2.07 (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote: >> I don't understand why you don't allow the extraction. SCAN does. The >> original >> SCAN comes PkLited. If you PkLite -X SCAN/CLEAN, they still run normally. >> Why can't you? > Well, SCAN says that it has been "damaged" - why do you think that ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ That's the whole point! It DOESN'T. SCAN is compressed with PkLite NONPROFESSIONAL. It allows its extraction, and it runs JUST AS WELL, compressed or not. If you try to re-compress it, however, it WILL say it has been tampered with. 
> Maybe a compromise would be an option to force F-Prot to run even if
> it has been modified...

I believe that such programs should ask me whether it was I who tampered with them. Only if I say yes will they agree to run. How does that sound? That's much like resident virus detectors that ask you before any harddisk write attempt...

Inbar Raz
Chief Data Recovery

------------------------------

Date: Wed, 19 May 93 09:48:05 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)

padgett@tccslr.dnet.mmc.com (A. PADGETT PETERSON) wrote:

>> From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>> There are still a lot of MFMs around there... But you are right - a
>> program that controls IDEs and SCSIs through the ports might be
>> portable enough.

> Vesselin as usual is correct, but you have to wonder what is the point of a
> port write when a FAR CALL to the proper location will do the same thing
> and is independent of drive type.

The moment someone uses QEMM386 in stealth mode, there goes your FAR call.

> The problem a virus has is not being able to write to the disk but in
> being able to spread. This requires that the virus be executed whether
> as part of a program or as an intercept. If it is going to use port calls
> for stealthy reasons, then it must capture the interrupt so that it knows
> when to use its "stealth". This capture is detectable if a program knows
> what to look for.

Who told you I have to capture INT 13? FYI, it's enough to stay resident on INT 15, Service 90 (I think) - Device Busy.
The BIOS always calls that before calling the disk, and you can use that ISR merely as a trigger to call your own code.

> Therefore, IMHO it is possible to use direct port calls to bypass both
> DOS and the BIOS to reach the disk provided you know what calls to use
> for a particular disk but it really does not buy anything that a FAR CALL
> to the BIOS cannot do. To intercept the verification for this might make
  ^^^^^^^^^^^^^^^^^^^^^

Sorry to disappoint you. I thought you would know better. If you only had the slightest idea what I can do with port writes to the disk, you'd flip out of your skin. Unfortunately (or Fortunately, Mr. Radai would say), I am not at liberty to expose those techniques, for numerous reasons.

> some sense but any a-v program that can check this can also check the
> validity of the intercept & detect if it has already been captured -
> Turing again.

Remember what Vesselin wrote about the new Russian virus? It was undetectable. And it uses a one-degree-less technique from port-writes.

Inbar Raz
Chief Data Recovery

------------------------------

Date: Wed, 19 May 93 09:51:06 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Can virus infect a hard drive that one cannot access? (PC)

> If I had a hard drive in my computer, but I reconfigured
> the ROM set up and put that there is no hard drive, and I boot
> from a floppy, so that I won't be able to access the C: drive.
> Can a virus affect the C: drive if there is no partition to link
> to it? I don't think so, but I am just trying to make sure..

Of course.
Using my suggested port-write technique, you can freely access any harddisk connected to your controller, regardless of what your computer thinks about it. I did it myself. Once, I lost my CMOS info, in a computer not mine, that was not backed up. My harddisk was Type 47, and I had no idea what the setup was. SO, I removed the HardDisk from the CMOS setup, loaded DOS from a diskette, and wrote a small diagnostic program to tell me the drive's parameters, by accessing it through port writes. In less than 5 minutes, the disk was back on.

Inbar Raz
Chief Data Recovery

------------------------------

Date: Wed, 19 May 93 06:39:00 +0200
From: Micha_Kersloot@f8.n317.z9.virnet.bad.se (Micha Kersloot)
Subject: ??Hidden file: 386spart.par?? What is this? (PC)

Hello Inbar,

Monday May 10 1993, Inbar Raz writes to Forked Tongue Redlich:

>> why a hidden file in the root directory.
>> Any help would be appreciated.

IR> This is the swap file of Windows. You may erase it every time you exit
IR> windows.

Not when you've installed a permanent swap-file in Windows. Then it is better to leave it on your HDD because else it could be difficult for Windows to find another place to put a swapfile.

Greetings,
Micha
Sysop KovoKs

- --- FastEcho 1.25
 * Origin: KovoKs / 074-504834 / 24uur / V32b / V42b (9:317/8)

------------------------------

Date: Mon, 24 May 93 11:58:45 +0500
From: Dr.Varol Keskin
Subject: A New Virus ? (PC)

I've sent a message about a suspected virus on Friday. I've worked on this virus at the weekend and found that:

It infects only .COM files and the file size increases by 604 bytes. When you execute an infected file the system hangs.
The virus does not decrease the amount of RAM; instead, it uses Upper Memory. When you ask for the memory situation using the MEM command with the /C parameter, it shows no upper memory. The virus puts the hexadecimal codes E9 and 6D in front of the file and then skips a character and puts 88 and 31 hex coded (I think these are the GOTO statements of this virus). At the end of a COM file there is the virus body and it includes the following hex codes:

88 31 74 58 B8 02 42 8B ....... and so on.

I've searched my C disk using this code and I've found that no files have the characteristic 88 31 hex code. Only infected files have. SCAN 104 from McAfee couldn't find this virus, so I don't know whether it is new or known. There are two virus names in the VIRLIST of McAfee which increase the file sizes by 604 bytes. But this virus is not one of them.

Is there anybody who knows anything about this virus? If so, is there any program to remove it?

Thanks in advance,
V. Keskin

=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+
Dr. Varol Keskin
Ege University Observatory
Bornova, Izmir - TURKEY
e-mail : efeast01 at trearn.bitnet
=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+

------------------------------

Date: Mon, 24 May 93 11:51:46 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Dirty Tricks" (PC)

>Subject: Re: DOS 6.0 and Virus Functionality (PC)
>From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)

I wrote:

> In defense of Microsoft (oh my), this mechanism is not really "dirty"
> since the operative code is present in low memory at this point. After
> the copy to high memory, all that is necessary to change is the
> segment.

Vesselin responded:

>Well, this is exactly what I call "dirty"...
>:-) After all, we have
>been always taught that the correct way to set an interrupt handler is
>to use the appropriate DOS function call or (oh, my) to turn off the
>interrupts, change the segment AND the offset of the vector in the
>IVT, and turn the interrupts on again...

Well, my formal schooling began before there was such a thing as "structured programming" though I think ANSI 77 Fortran is easier to read than the Fortran II (2) learned originally. IMHO, this comes under the heading of "If you have to ask...".

The key element is an understanding of how interrupts work, e.g. on the completion of an instruction. The interrupt branch is part of the microcode and *cannot* interrupt an instruction, rather it interrupts an instruction sequence. Now if it had been necessary to change more than a single RAM word, the process would have qualified as "dirty" since there would be an unguarded point between the instructions in which an interrupt would have unpredictable effects.

In this case, since only a single word is changed (the segment address) and since *both* addresses are valid during the process, there is no point at which execution of an interrupt would do anything except what it is supposed to. (Could think of a multi-tasking scenario in which this would not be valid but DOS is single-tasking at this point.)

Thus, since the operation takes place wholly during the execution of a single instruction, there is no need for using CLI/STI since it cannot be interrupted.

Warmly,
Padgett

ps I also like "equivalence" instructions.

------------------------------

Date: Mon, 24 May 93 19:55:38 +0000
From: ee1ckb@sunlab1.bath.ac.uk (Alan Boon)
Subject: CPAV updates? (PC)

Hi All,

I am currently using CP Anti-Virus v1.4 and before anyone says anything bad about it, I like it and think it's one of the best around! Does anybody know where I can download virus signature files from so I can update my CPAV detection capabilities? It will be lovely if anyone can.

Thankx in advance.
Please e-mail or post to me with the responses.

Cheers!
Alan

.___________________________________________________________________________.
|                       | "Hope is the denial of reality. It is the carrot  |
| Alan C. K. Boon       | dangled before the draft horse to keep him        |
| ee1ckb@uk.ac.bath.ss1 | plodding along in a vain attempt to reach it."    |
|                       |                                      - Raistlin   |
|_______________________|____________________(Dragonlance Chronicles Vol.1)_|

------------------------------

Date: Tue, 25 May 93 00:04:52 -0400
From: al026@YFN.YSU.EDU (Joe Norton)
Subject: Re: McAfee's Scan and Compressors (PC)

>SCAN currently checks inside PKLITE and LZEXE compressed files
>for viruses. We do plan on adding other "run-time compression"
>routines, such as DIET, but it is a fairly low priority for us.

Are you going to have SCAN do some type of integrity testing? Versions 1.02 and 1.04 you can un-pklite with any normal unregistered PKlite, then infect with something like Coffeeshop 3. Scan doesn't care. It seems like some type of serious self test is in order if it is to be distributed in its new and improved? form. On the FIDO virus echoes there are reports of many trojanized copies of SCAN being distributed because of its lack of self testing. No fancy signature file.

I'm just Joe

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 83]
*****************************************
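A detection check built from the indicators Dr. Keskin gives in his post above (the E9 entry jump, the 88 31 bytes at offsets 3-4, the 604-byte growth, and the body bytes 88 31 74 58 B8 02 42 8B), added here as an illustration; it is not code from the digest or from any of its contributors. The sample images are constructed, and the assumption that the virus keeps the host's original five bytes inside its body is mine, not something the post reports.

```python
import struct
from typing import Dict, Optional

# Indicators reported by Dr. Keskin for the suspected .COM infector.
VIRUS_LEN = 604                               # growth of an infected file
ENTRY_MARK = bytes.fromhex("8831")            # bytes he saw at offsets 3-4
BODY_SIG = bytes.fromhex("88317458B802428B")  # 88 31 74 58 B8 02 42 8B


def jmp_target(com: bytes) -> Optional[int]:
    """File offset reached by a leading JMP rel16 (E9 lo hi), or None.
    A .COM image loads at CS:0100h, so offset 0 is IP 0100h and the 3-byte
    JMP at the entry point continues at IP 0103h + rel16."""
    if len(com) < 3 or com[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", com, 1)[0]
    offset = ((0x103 + rel) & 0xFFFF) - 0x100
    return offset if 0 <= offset < len(com) else None


def scan_com(com: bytes) -> Dict[str, bool]:
    """Report each indicator separately plus a combined verdict. Requiring
    the body signature, the marker AND a JMP landing inside the appended
    604-byte tail keeps a stray 88 31 in a clean file from firing."""
    tgt = jmp_target(com)
    tail_start = max(len(com) - VIRUS_LEN, 0)
    r = {
        "entry_jmp": tgt is not None,
        "marker": com[3:5] == ENTRY_MARK,
        "body_sig": BODY_SIG in com[tail_start:],
        "jmp_into_tail": tgt is not None and tgt >= tail_start,
    }
    r["infected"] = r["marker"] and r["body_sig"] and r["jmp_into_tail"]
    return r


def make_sample(infected: bool) -> bytes:
    """Constructed test image, not a real sample: a 400-byte host that only
    exits, optionally with E9 lo hi 88 31 patched over its first five bytes
    and a 604-byte body appended. Keeping the host's original five bytes in
    the body is an assumption about the virus, not something Keskin reports."""
    host = bytes.fromhex("B44CCD21") + b"\x90" * 396   # mov ah,4Ch / int 21h
    if not infected:
        return host
    rel = len(host) - 3                                # JMP from 0103h to body
    patched = b"\xE9" + struct.pack("<H", rel) + ENTRY_MARK + host[5:]
    body = BODY_SIG + host[:5]
    return patched + body + b"\x00" * (VIRUS_LEN - len(body))
```

A file with only the 88 31 marker but no body signature in its tail is reported indicator by indicator and not flagged, which is the distinction Keskin's drive-wide search for 88 31 relied on.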