From lehigh.edu!virus-l Mon Apr 1 03:29:10 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Mon, 29 Mar 93 16:47:39 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA04370; Mon, 29 Mar 1993 16:41:31 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA45440 (5.67a/IDA-1.5 for ); Mon, 29 Mar 1993 08:29:10 -0500
Date: Mon, 29 Mar 1993 08:29:10 -0500
Message-Id: <9303291234.AA18732@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #51

VIRUS-L Digest             Monday, 29 Mar 1993        Volume 6 : Issue 51

Today's Topics:

Telephones #s for BBS
Re: Beneficial/Non-destructive viruses
Re: Laws and Viruses
Re: Memoirs of an (untrustworthy) virus researcher (CVP)
Re: Amiga viruses (Amiga)
Anti virus for Novell Networks... (Novell)
Disgust at the lack of interest in Atari Viruses (Atari)
Re: EXE/COM switch (PC)
Finish of EXE/COM discussion (I hope) (PC)
How to remove Lao Dong virus? (was: cluster pc 5)
Infecting from floppy (PC)
Re: Swap virus(PC)
Re: Virus signature determination. (PC)
Re: EXE/COM switch (PC)
Re: Catch from DIR? (PC)
Re: Catch from DIR? (PC)
Re[2]: Removing virus on stack drive (PC)
Re:Virus that infects (PC)
Virsig (PC)
HELP: Harddisk deteriorating rapidly (PC)
Re: [Stoned] (PC)
Pc-Tools 8.0 (Pc)
Ignorance is still curable (PC)
Re: IBM PC Boot Seq (was Partition table viruses (PC))
Re: Catch from DIR? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.)
Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: 26 Mar 93 12:28:49 +0000
From: hq!fhi0055@dsac.dla.mil (Marc Poole)
Subject: Telephones #s for BBS

I'm looking for telephone numbers to call BBSs for anti-viri information. I have site addresses that I can trade in return. However, ftp and telnet take a very long time to connect. If anyone has a direct number to systems that allow modem dial-in, it would be greatly appreciated.

Marc Poole
mpoole@hq.dla.mil

------------------------------

Date: Fri, 26 Mar 93 14:14:43 +0000
From: Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: Beneficial/Non-destructive viruses

cburian@ux4.cso.uiuc.edu (Christopher J Burian) writes:

> Requesting help on beneficial/non-destructive viruses used
> as tools. I've read a very little bit about viruses generated for a
> specific task that disappear into a network; carry out their intended
> function (send data back to user, etc); then "retire" themselves.

This is an idea that gets floated around from time to time, but I know of no reliable real-world applications. I think there is evidence of viruses that may have been written to attack/replace other viruses (one of the strains of nVIR on the Mac *might* fit this description). But in practice these have just become problems in their own right.

The main problems in writing a truly non-destructive virus are:

1) The wide variety of environments on various computers causing unexpected bugs and software interactions.
2) The greater likelihood of doing damage when trying to operate "behind the back" of the human operator and/or the operating system and/or anti-virus software.

3) The unwillingness of people to beta-test viruses ;)

It is my personal opinion that anything that can be done by a "beneficial" virus can be done more reliably by other software means. (I am not using the most general definition of a "virus" here -- I don't consider DISKCOPY to be a virus, for example, and I concede that if an operating system provided support services for spawning processes in, say, a distributed computing system they might behave in a virus-like way while remaining reliable and controlled.)

- --
Albert Lunde
Albert-Lunde@nwu.edu

------------------------------

Date: Fri, 26 Mar 93 10:24:23 -0500
From: Fritz Schneider <71043.1117@compuserve.com>
Subject: Re: Laws and Viruses

In VIRUS-L Digest V6 #48, Vesselin Bontchev wrote:

>> Hold on. I think you may have something here. Since when has
>> legal terminology been required to match up with common usage?
>> Perhaps "malicious software" is just what we need to define as
>> a legal term. Especially since the definition of virus is so
>> mutable....
>
> Indeed, this is the better term to use. It can be associated easily to
> "intentional damage" and does not state that "virus" is something
> necessarily malicious, definition problems aside...

Unfortunately it will always be difficult to prove intent, so "intentional damage" would make it difficult to apply such a law. We must also recognize that much of the damage which viruses create is due to incompetence rather than intentional malice. Many of today's viruses damage a file by incorrect infection algorithms, or make a disk unbootable by misplacing the original boot sector. The key concept has to be unauthorized changes which cause harm, whether intentional or unintentional.
The difficulty is in differentiating malicious software that is poorly written from legitimate software that is also poorly written.

Regards, Fritz.

------------------------------

Date: 26 Mar 93 15:05:42 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Memoirs of an (untrustworthy) virus researcher (CVP)

Thus spake roberts@decus.arc.ab.ca (Rob Slade):

> There was, of course, only one thing to say.
>
> "Good luck."

Or, "Trust me. I'm a computer security expert..." :-)

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\  Paul Ducklin                        duck@nuustak.csir.co.za  /
/  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: 25 Mar 93 10:27:00 -0500
From: olson@dstl86.gsfc.nasa.gov (Paul Olson)
Subject: Re: Amiga viruses (Amiga)

u9263012@uow.edu.au (Walker Andrew John) writes...

> Does anyone have a comprehensive list of amiga viruses and what they do?
>
> Andrew Walker.

The most comprehensive list I've seen came with the doco of the Virus_Checker archive. You may want to obtain it via ftp and take a look.

   __     Paul J. Olson - VAX Systems Manager & Resident Amiga Addict
 C= ///   Voice - 301/286-4246, 301/210-7701
 __ ///   DECnet - CHARON::PAUL
 \\\///   Internet - paul@charon.gsfc.nasa.gov
  \XX/    Disclaimer: Statements in my messages are wholly my own.
 AMIGA    "Ignorance is a renewable resource." -- P.J. O'Rourke

------------------------------

Date: Thu, 25 Mar 93 10:52:45 -0500
From: "Nabil Miguel"
Subject: Anti virus for Novell Networks... (Novell)

I would like to know what software I could use to protect my Novell Netware server against viruses. I am running Netware for Macintosh on the server. The software must be able to protect the server from PC and Mac viruses. Is there anything as such? Any feedback would be welcomed... Please reply directly to me... Thank You!

_______________________________________________________________
Nabil J. Miguel            \    InterNet: Nabil@SCLIENTS.SCS.uottawa.ca
University Of Ottawa       |\   Bitnet:   Miguel@UOttawa
35 University              | \
Ottawa, Ontario,           |  \ Telephone: (613) 564-5094
K1N 6N5                    |   \ FAX:      (613) 564-4965
_______________________________________________________________

------------------------------

Date: Thu, 25 Mar 93 15:05:43 -0500
From: Trantor The Last Stormtrooper
Subject: Disgust at the lack of interest in Atari Viruses (Atari)

Being a virus researcher on the Atari ST, I feel that I must write to complain about the lack of interest in discussing Atari viruses. I can understand why you talk about PC viruses more than ST ones. The reason is simple: there are over 2000 PC viruses. The Mac doesn't even have 10 viruses, whereas the ST has over 100 viruses (of both the bootsector and link variety). So I think that ST viruses should be discussed a little bit more!!!!

As for virus information concerning ST viruses, the Virus Centre at the University of Hamburg is no good at all. The reason for this is because the virus information is never updated!!!!

Has anyone out there (especially Atari people!) got any comments???

------------------------------

Date: 25 Mar 93 15:05:18 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: EXE/COM switch (PC)

Vesselin wrote:

> cases. The "more general" idea (changing the extensions to something
> completely different), however, -will- prevent the infection in those
> particular cases (non-smart viruses that infect on Exec).

not necessarily ... many of the viruses that hook the exec call and check the file name work like this:

    if the name ends in .EXE
        do exe_infection()
    else
        do com_infection()

(or the other way around), so any renamed virus would always be infected as a .COM file.

anyhow, this discussion is a bit pointless, as renaming is of too little help ... it would stop most non-resident viruses (but they are generally not common), and some of the resident ones, cause some resident ones to infect the files incorrectly, and have no effect at all on others.

- -frisk

- --
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: Thu, 25 Mar 93 10:33:07 -0500
From: Donald G Peters
Subject: Finish of EXE/COM discussion (I hope) (PC)

VB did a very good job recently of trying to close all the loose threads opened in the EXE/COM debate. I appreciate his effort and accuracy. It would be difficult to find fault with anything in that last extensive post. (The primary things I would take issue on were "who said what", but that is unprofitable.)

I will admit that I'm less enthusiastic now than before, but I would classify it as a useful technique on the order of the ReadOnly flag, EEE/CCC changes, renaming COMMAND.COM, etc. For some people these tricks(?) will provide some protection, but most of the people on this forum are in the "high risk" group and it wouldn't do as much good here.

However, Vesselin, it puts a smile on my face that you too are human, and make mistakes.

------------------------------

Date: Thu, 25 Mar 93 09:03:54 -0500
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: How to remove Lao Dong virus? (was: cluster pc 5)

> To: A.APPLEYARD
> From: "CHRIS HOLBURN"
> Date: 25 Mar 93 12:18:14 GMT
> Subject: cluster pc 5
>
> Anthony it looks as though cluster pc2 No. 5 has a virus on the hard
> drive. Do you want to have a go at removing it? Our standard virus
> prog. can detect but not remove it. The virus is called Lao Dong.
> Good luck. CHRIS

How to remove Lao Dong? Any info re it? Any history of false positives of it?
Please email such info to me and/or to C.HOLBURN@FS1.MT.UMIST.AC.UK

------------------------------

Date: Thu, 25 Mar 93 11:52:57 -0500
From: Alessandro Lombardi
Subject: Infecting from floppy (PC)

On Virus-l #49, Terry Lundgren asks for a definitive answer: hope this satisfies you.

Generally a virus CAN spread from an infected diskette to the HD of your system; a clear example: FORM. Remember this is a boot vector virus (BSV). I do not know of a BSV which does not replicate and spread with DIR, or of non-BSV viruses which spread with dir: in my experience I always executed an infected file to get infected myself. If someone can add info or give more particulars (tell also the opposite, if it is true), reply to this and send me a Cc, thanks.

- -alexl

***************************************************************************
** Alessandro Lombardi, via P.Verri 12, 21100 VARESE (VA)-ITALY          **
** Tel.: 0332/265777; e-mail: alexl@dec01.ing.como.polimi.it             **
***************************************************************************

------------------------------

Date: Thu, 25 Mar 93 12:02:21 -0500
From: Alessandro Lombardi
Subject: Re: Swap virus(PC)

you wrote about your adventures using McAfee Scan..... I sincerely hope you have still not used F-prot 2.07 on your system, because I quote it good. If you haven't, get it by FTP at oak.oakland.edu, in the directory pub/msdos/virus, or write to frisk@complex.is (the author). If you used it, I do not have any other suggestion.

Good luck. Let me know about your following steps and successes (hope...)
- -alexl

***************************************************************************
** Alessandro Lombardi, via P.Verri 12, 21100 VARESE (VA)-ITALY          **
** Tel.: 0332/265777; e-mail: alexl@dec01.ing.como.polimi.it             **
**                                                                       **
** "We don't buy just anybody in order to practise just-anybody-ism"     **
**                     (Giovanni "gioppino" Trapattoni)                  **
**                                                                       **
** RETE 8 NETWORK: now also in Como and its province, 101.40/101.45 FM   **
***************************************************************************

------------------------------

Date: 25 Mar 93 17:52:24 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus signature determination. (PC)

runefr@ifi.uio.no (Rune Frøysa) writes:

> I'm planning to expand an anti-viral utility to include file
> scanning, like Mc'Affe's scan program does.

good luck :-)

> Therefore I would
> be interested in more information of how I determine the signature
> of any virus, including mutating ones.

Eh, mutating viruses do by definition not have signatures...or at least not without wildcards. What you would need to do:

1) Get an awful lot of virus samples...2000 or so...properly maintaining such a collection requires a full-time researcher, so you had better hire one :-) Obtaining those viruses might turn out to be a problem.

2) For each polymorphic virus you disassemble it, and find a piece of the code which is found in all samples of the virus (you want to avoid false negatives), and is not found in any normal program (you don't want to cause false positives). You then write a scan "engine", which searches for those strings. Exactly which bytes to select is the difficult part...but it just requires some experience.

3) For the difficult, polymorphic ones, which can not be found with a search string, you write a detection procedure.

4) You now have everything needed for a "brute force" scanner, which searches entire programs for the various search strings. Perhaps not a practical approach, but it works....
> Is it also possible to get signature files from somewhere and
> implement them in the package?

Yes, several such files exist...and using them would mean a lot less work required - however, the scanner would not be as good, as those files don't include any information on how to detect the polymorphic viruses.

- -frisk

- --
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: 25 Mar 93 18:02:38 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: EXE/COM switch (PC)

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> In this case, I once threw out an estimate that this would
> work against 50% of all viruses. To my regret, nobody attempted
> to produce a more accurate figure.

That's simply because those who could do that, people who have a copy of practically all known viruses and could analyse them to see which ones would get fooled, have more important things to do....I have no desire to spend a full day looking at every single virus in my collection to determine how it would react to a .COM file with .EXE structure (or vice versa).

The 50% idea might be right..maybe too high, maybe too low, but my opinion is that most people have no use for a 50% protection when a 99.9% protection is available.

- -frisk

- --
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: 25 Mar 93 19:19:26 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Catch from DIR? (PC)

cftdl@ux1.cts.eiu.edu (Terry Lundgren) writes:

> I have received some excellent replies to my posting on catching
> a virus. Basically the question is this: Assume my system is
> clean and I have an infected disk. I put the disk in the drive
> and do a DIR. Then I take the disk out. Can my system be
> infected now?
No way...well, almost no way :-)

When you do a DIR, no code on the diskette is executed, so you cannot become infected. However, DOS reads the boot sector of the diskette, so if it is infected you may find virus code in your machine - however, it is "dead" - and will not be activated, so your machine is not infected.

There is, however, one way to run a program from a diskette by just doing a DIR, but it is, well...a bit weird, and is not used by any malicious program that I know of....so the answer is "in theory yes, in practice no".

- -frisk

- --
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: Thu, 25 Mar 93 18:47:08 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Catch from DIR? (PC)

Terry Lundgren writes:

> I have received some excellent replies to my posting on catching
> a virus. Basically the question is this: Assume my system is
> clean and I have an infected disk. I put the disk in the drive
> and do a DIR. Then I take the disk out. Can my system be
> infected now?

> The responses are running about 1/3 saying no way and 2/3 saying
> it is possible. I would really like to get a definitive answer.
> If a virus can be passed in this way, would someone please
> describe how it might happen? Or not.

In practice? No. In theory, yes, some really cleverly done ANSI bomb, which again, in practice, practically can't be done!

You may be getting answers to the effect:

YES, because if you do this and it's a boot sector infector, McAfee's SCAN will say that you are infected. This is a ghost positive from SCAN and is a bug.

YES, by the ANSI derivative above.

NO, which in the case of file infectors, NO is always true.

(Hey, that's 2/3rds. I'll stop.)
:-)

Jimmy Kuo                                   cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Thu, 25 Mar 93 18:47:21 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re[2]: Removing virus on stack drive (PC)

pwong@igc.apc.org (Pete Wong) writes:

>> I recently discovered that a virus exists within my computer. My PC
>> is stacked with a Stacker. I used the Norton Anti-Virus to scan the
>> drives and it advised me to turn off the computer and boot it up
>> again with an un-affected boot disk. Since my drives are stacked,
>> the NAV would not read drive C or D.
>> I also tried to boot it up with the Stacker files in the un-affected
>> DOS boot up disk. Once I use the NAV to scan the drives, it would
>> say there is a virus detected in the memory and then it would not
>> scan any further. This goes the same for scanning the floppy drives.

Which machine was used to put the Stacker files on the "un-affected" DOS boot up disk? Assuming the machine is infected with Stoned, if that activity occurred on the suspect machine, that boot up disk will now be infected!!

>> The virus is called Stoned.

Because there are a number of boot infectors derived from Stoned, the memory signature for Stoned actually picks up a number of strains. (You can think of this as "following the CARO naming convention.") NAV differentiates the Stoned variants in boot sectors but not the memory sig.

> Stoned infects only the first -physical- disk drive (80h). In theory,
> it is possible to find it on another physical drive - if you have
> installed an already infected hard disk as a second one. It -never-
> infects logical disk volumes, like the ones created by Stacker.
> Therefore, you can safely reboot from a clean diskette and remove the
> virus from your hard disk, regardless that you are not able to access
> the stacked volume. NAV must be able to do that. If it isn't - call
> your local Symantec tech support.
> Another possibility is that the whole story is just a ghost false
> positive - NAV is detecting some scan string in memory, not
> necessarily the virus. Make sure you have disabled any other
> anti-virus programs (like VSAFE from CPAV) when you are performing the
> virus check. What happens if you boot from a clean floppy? You can't
> access the stacked volume, of course, but does NAV still find the
> virus in memory? If it doesn't, then it is certainly a false positive.

Chances of a ghost positive are pretty slim on this one. Be careful with the conditions that Vesselin gave to say "it is certainly a false positive." Vesselin is correct if all the "if" conditions are met. But I question if your "un-affected" diskette is still "un-affected."

Jimmy Kuo                                   cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Fri, 26 Mar 93 00:35:51 +0000
From: wolfgang.stiller@rose.com (wolfgang stiller)
Subject: Re:Virus that infects (PC)

Date Entered: 03-25-93 19:32

rkolter@csuohio.edu (Ryan Kolter) asks:

R(>A friend of mine recently (a few months ago) told me about what
R(>appeared to be a computer virus his machine had caught that (in some
R(>manner) appeared to infect the files of his hard disk just after they
R(>were scanned. His claim was that it dodged the scan by taking itself
R(>out of memory during the memory check (McAfee) and then reloaded into
R(>memory and removed itself from the infected file during the scan of
R(>that file. After that, it would infect every .exe that was scanned.
R(>Thus the process of scanning actually infected the whole drive.
R(>I don't know if there is a virus out there that does this. Is there?
R(>If so, is there a way to protect against it? He said that McAfee didn't
R(>pick it up. (I don't know what version he used).

The virus doesn't really have to go through all that work.
The more likely explanation is that your friend simply had a virus that the scanner didn't recognize (one more reason to always boot from a clean write-protected floppy before scanning and NOT to depend entirely on scanning). Anytime you run a scanner with an unrecognized resident virus that infects on file open, this will happen. The scanner will look at each file but not notice the virus because it is not aware of that particular virus. While this is going on the virus will merrily infect each file checked and pronounced clean by the scanner.

Please suggest to your friend that he/she boot from a write-protected floppy before scanning. While this won't help the scanner detect the virus, it will at least keep the entire system from getting infected by the act of scanning.

Regards,
Wolfgang
Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.
- --- SLMR 2.1a RoseMail 2.10 :

------------------------------

Date: 26 Mar 93 08:03:06 +0000
From: demetre@phaethon.intranet.gr (Demetre Koumanakos)
Subject: Virsig (PC)

Hi all,

It has been a couple of months now that I haven't been able to find a new Virsig file for TBAV. Does anyone know what the story is?

Demetre

------------------------------

Date: Fri, 26 Mar 93 08:05:18 +0000
From: u920666@daimi.aau.dk (Lasse Reichstein Nielsen)
Subject: HELP: Harddisk deteriorating rapidly (PC)

Problem:

My elder brother was trying a new game out on my father's PC. The screen froze and the harddisk kept spinning, so he pressed RESET. Nothing has been normal since...

He tried deleting the game, when an error message popped up (some file-allocation error or cluster not found). He started Norton DiskDoctor, and found:

   4 files had fat-chains destroyed
   1 something else wrong
   2 crosslinked
   and the FATs weren't identical.

NO PROBLEMO, I thought, and checked the backups. We had the most important files, so I let NDD do its job. FINE.

5 mins. later there were more problems... more files with illegal fat-chains... Norton DiskEdit!
I found the chains had been severed by a LARGE (50000+) number in the middle of an otherwise sound fat-chain. I fixed the chains manually, but now I was getting curious.

I ran NDD, synchronizing the FATs - all errors fixed.
I ran NDD, FATs out of sync, files with bad chains, even crosslinked files. I DIDN'T EVEN RESTART NDD! It happened while running.

OK! Boot from write-protected floppy, running McAfee SCAN v102. No virus found! NDD found some problems, DE fixed them, NDD found no new errors.. FINE

Reboot from c:.... CRASH, wouldn't boot, hung in AUTOEXEC.BAT
Boot from a:, change Config & Autoexec to empty files... Crashed when booting from C:!

I tried 'sys c:', 'fdisk /mbr', and looking at the bootblock and partition table, they looked fine. Every time I tried to boot from C: something new (and increasingly more disastrous) went wrong... when I gave up, command.com was defective, and the system gave a "Memory Configuration Too Small" (or something similar) error before the config.sys (tried putting device=c:\dos\himem.sys in it - no effect, but now himem was defective). Norton Calibrate said there was a bad cluster at the end of the harddisk, but both FATs said all clusters were OK.

Everything worked fine (except the files that had already been messed up) when I booted from A: (write-protected).

The system is a Commodore PC40-III, 286-12, 40Mb HD, 640K main, 386K extended, DOS 5.0, himem.sys. The battery is dead, so the date was probably 23/3'93 (or 22/3'93) just around midnight (22nd to 23rd).

If ANYBODY knows ANYTHING, please email. I can't fight something I can't see!!!

SPOT / u920666@daimi.aau.dk
- ----------------------------------------------------------------------
'I just want to know one thing.....where they are...!' - Vasquez

------------------------------

Date: Fri, 26 Mar 93 06:29:31 -0500
From: Otto Stolz
Subject: Re: [Stoned] (PC)

> > Has anyone heard of the [Stoned] virus and if so, then what does it
> > do? [...]
This question has been discussed so much in this list that I am somewhat surprised about the inaccuracies in Andrew's response.

On Mon, 08 Mar 93 16:55:41 +0000 Andrew M Smith said:

> Stoned is a rather benign virus except for when it infects irregular
> hardware.

Whilst the epithet "benign" for a virus is generally debatable, Stoned exhibits some extra nasties (probably not intended by its programmer, but still nasty):

- - Even on regular hardware, Stoned does not care where it puts the original master boot record, hence data may be overwritten. In particular, if the HD has been partitioned with FDISK of DOS version 2, Stoned will overwrite part of the FAT of partition C.

- - When a HD is doubly infected with several Stoned variants (a notorious example being Stoned.Standard and Stoned.Michelangelo, cf. FAQ list), then the system becomes unbootable.

> Stoned hides in the boot sector of floppies, and the partition table of
> hard drives.

All of us should cease to call the Master Boot Record "Partition Table". The partition table is exactly that part of the master boot record that is *not* suited to hide a virus!

> McAfee's Clean can remove the virus from hard drives, and floppies.

There have been reports in this forum that McAfee's Clean did not properly disinfect Stoned in all cases. Rather than elaborating this, I'd like to remind you of the generic DOS procedure to remove MBR infectors from a hard disk:

1. Boot from a clean DOS 5.0 disk.

2. Make sure that the partition table is intact, e.g. by issuing
       FDISK /STATUS
   or by accessing all partitions of the HD, as in
       DIR C:
       DIR D:
       ...

3. If the partition table is intact (it will be so with a Stoned infection), issue
       FDISK /MBR

Best regards,
Otto Stolz

------------------------------

Date: Fri, 26 Mar 93 07:17:40 -0500
From: Alessandro Lombardi
Subject: Pc-Tools 8.0 (Pc)

Hello all. I am an Italian guy in trouble with Pc-Tools 8.0. Every time I install it on my Pc, the BIOS cries...
In fact, some days ago I did not understand it, but here are the steps: After the BIOS had cried several times, I decided to do something: I formatted my HD (84 Mb) using the hard disk options in the setup of my American Megatrends, in particular I used Auto-interleave (fixed on 4) and then Hard disk format. I reinstalled all of my files (I had made a full backup beforehand), and all that was left to do was installing these DAMNED Pc-Tools!!

When, at the end of installation, it asked me whether to build an emergency diskette, answering yes, at the top left of the screen appeared this message (in Italian): "ATTENTION: big error of the drive while writing on unit D: retry?" (I use DR-DOS 6.0 with sstordrv).

Of course I will not use PCTOOLS 8.0 any more, but I'd like to know if this is due to some defects only in my diskettes, to something in my hardware, or if it is a general and widespread problem. If someone has any suggestion, please write both to virus-l and to me.

Thanks in advance.

- -alexl

***************************************************************************
** Alessandro Lombardi, via P.Verri 12, 21100 VARESE (VA)-ITALY          **
** Tel.: 0332/265777; e-mail: alexl@dec01.ing.como.polimi.it             **
**                                                                       **
**              " Things go well in order to go bad "                    **
**                                                                       **
***************************************************************************

------------------------------

Date: Fri, 26 Mar 93 12:08:51 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Ignorance is still curable (PC)

Subject: Ignorance is curable (mostly PC)

> From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)

> Well dear Padgett, it seems like you didn't quite get my idea: There is no
> problem in checking that the original INT-13 ISR is located on the BIOS area (
> except if you are using some smart PC that does the shadowing of the BIOS to
> another area in RAM location and completely remaps the addresses), However
> that is not the issue here.
> When you know the location of the original INT-13
> ISR is when the system is already booted (or in the process) but *AFTER* the
> IO.SYS is loaded (unless your Anti Virus is also an operating system which you
> will excuse me for not believing it is so).

I can understand your skepticism, however all of my A-V checking IS done before IO.SYS runs. For that matter I have a version of FixMBR that does not require an operating system at all! With the BIOS (as I have said before) you have a fully functional computer. In fact the only elements that run from DOS are the validation programs (CHSMBR, CHKBOOT, CHKMEM) and the installation/repair programs (FixFBR, FixMBR).

- --------------------------

> Padgett answers:
> > A virus can intercept an interrupt vector. It cannot intercept a FAR CALL.
> > All you need to know is where to make the far call to (the exercise is
> > left to the student).

> A. I agree that a virus does not intercept a FAR CALL, but only hooks an
> interrupt.

> B. To know where to make the far call to, you should be a Gypsy and own a
> crystal ball to consult with. Because whatever YOU consider predictable is
> not so in reality.

Again, if it is retrieved *before* IO.SYS, it must either point to ROM or *something else* (e.g. a virus). As a result only seven bytes are necessary to validate the INT 13 path:

    CMP [4F], C0   ; assumes DS=0
    JB

The same applies to Int 2F fn 13, however if a memory manager e.g. QEMM "stealth" is in use then you may not be able to trust this test alone; some intelligence must be applied. No inductive logic is needed though.

> The "original" procedure is located somewhere in the system depending
> which program took it. You cannot assume that the INT-13 ISR is in a
> constant place nor can you assume it is a part of the BIOS, because if you
> do, your program is likely to crash a lot of PCs especially those that
> use special low level programs like Access control to disks, and several
> Network tools.

So much for predictions.
Well, many people have been using FixMBR and SafeMBR for quite some time with everything under the sun. It does flag many access control programs but they usually have their own MBR replacement. It does not conflict with any BIOS routines including Boot protection & passwords once installed.

>I'm sorry to be the one that lets you know that int-25 & 26 are translated
>eventually into INT-13. Just as INT-21 Fn 02 (write char) is translated into
>INT-10. So you see, what you wrote is incorrect. There is *NO* area on the
>formatted disk surface that is not accessible via INT-13.

Afraid you read me backwards - this was exactly my point, you cannot trust Int 25 or 26 to give you physical sectors. Incidentally there are any number of surfaces you cannot reach with Int 13: Bernoullis and CD-ROMs are two common ones. My point was that since a compressed disk's boot sector is not the real partition's boot sector, any program that examines the compressed boot record must be using Int 25 and not Int 13 directly.

Warmly,
Padgett

------------------------------

Date: 26 Mar 93 14:57:41 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: IBM PC Boot Seq (was Partition table viruses (PC))

Thus spake bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

[stuff about FDISK /MBR]

>That's correct, but particularly with ExeBug there is one more
>problem. First, the virus is stealth, so when it is active in memory,
>you cannot "see" that the MBR is infected. Second, when you try to
>boot from a floppy, due to the CMOS "fix", the machine boots from the
>hard disk and loads the virus. However, the virus checks whether a
>floppy is present in the A: drive, and if it is so, BOOT FROM THAT
>FLOPPY. So, if you don't watch -very- carefully, it LOOKS as if you
>have booted from a floppy. A quick inspection of the MBR enforces this
>impression, because the virus stealths the MBR...

There's actually another problem, too.
Because the virus overwrites all of the partition record [code *and* data], if you do boot clean and run FDISK /MBR, you've removed the virus, but left a mess behind instead of the partition data. Without the viral stealth, there's nothing to redirect DOS to the hidden copy of the partition table when drive letters are being assigned. Oh dear -- no hard drive. Also, your hard drive won't boot, because the partition data is in tatters. You'll get "Invalid partition table" or the like during bootup.

So, "Clean Boot -- FDISK /MBR -- SYS C:" is *not* a generic clean-up procedure for all boot/partition viruses.

If you've got a steady hand and a sector editor, Exebug's easy. Boot clean and move 0.0.17 back over 0.0.1. If you *haven't*, then you need software [eg: a-v software] which will automatically do the "ah yes, Exebug -- ah yes, old partition record at 0.0.17 -- ah yes, let's stick things back where they should be". FDISK /MBR alone *won't* work, though, with Exebug.

Hoho: there is a trick, if you don't have a sector editor [or are scared] and you don't have a-v software. But you do need one of those utilities which will make an "emergency" copy of your partition record. Simply *make* the emergency copy with the virus resident [ie: after booting from hard disc] and *restore* the emergency copy after a clean boot. The viral stealth will do the rest...

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin                           duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa   \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: 26 Mar 93 15:33:02 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Catch from DIR? (PC)

Thus spake cftdl@ux1.cts.eiu.edu (Terry Lundgren):

>I have received some excellent replies to my posting on catching
>a virus. Basically the question is this: Assume my system is
>clean and I have an infected disk.
>I put the disk in the drive
>and do a DIR. Then I take the disk out. Can my system be
>infected now?

>The responses are running about 1/3 saying no way and 2/3 saying
>it is possible. I would really like to get a definitive answer.
>If a virus can be passed in this way, would someone please
>describe how it might happen? Or not.

Obviously, the answer is "No". But as soon as anyone goes public with their "No", some dork-breath will discover that code in the root directory, together with + at offset 0x0045 in FAT copy 2 will [a] cause code to be loaded into some DOS buffer or other and then [b] cause DOS to trip the light fantastic, and drop control smack into that very buffer of "garbage". Sort of like the Internet worm used buffer overflow to win control over the instruction sequence, and thus to get code executed without even logging in. Basically, when you put yourself on a definitive limb in the computer world, someone comes along and hacks it off :-)

Mind you, there's another way. I make a DOS 5.0 bootable disc. I give it to you, and you DIR the disc. Then I say, "Arf, arf, gotcha". You say, "Listen, tosh, what *are* you talking about". And I say "Hoho. Have a look in the root directory of your C: drive". You do, and, lo, there's a copy of COMMAND.COM. Same size, same file as the one on my floppy. So, simply by doing a DIR, my virus has replicated COMMAND.COM from the infected floppy onto your hard drive. Hey -- there's more. I've planted two hidden files in your root directory too -- exact replicants of the ones on my floppy, and all thanks to DIR. Guess what? This virus has good stealth -- your integrity checker notices nothing. This virus is subtle -- your scanner doesn't pick it up either [mind you, I've seen some scanners which might be able to detect it, and a lot of other viruses besides, in memory -- even before you get it :-)]. OK, it's a DOS 5.0-specific virus. But most people round here are using 5.0, so that's a fair bet.
And this virus isn't so far-fetched. If you're in tech support, just think of all the other "viruses" you've handled over the years. Viruses in the printer cable and the coffee machine, for example :-)

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin                           duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa   \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 51]
*****************************************
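Padgett Peterson's "seven-byte" INT 13 test in the "Ignorance is still curable" post above, worked through as an added example. This is editorial code, not part of the digest and not FixMBR or SafeMBR; it models the real-mode interrupt vector table in C and applies the same rule (the high byte of the INT 13h segment, at 0:004Fh, must be at least C0h, i.e. the vector must lie in the ROM region). The BIOS, virus and DOS vector values are constructed for the demonstration.

```c
/* Added example (editor's, not Padgett's code): his seven-byte test that the
 * INT 13h vector still points into ROM, modelled against an image of the
 * real-mode interrupt vector table (IVT). All vector values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IVT_BYTES 1024            /* 256 vectors x 4 bytes, at linear address 0 */

/* Each IVT entry is offset (word) then segment (word), little-endian. */
static void ivt_set(uint8_t *ivt, int intno, uint16_t seg, uint16_t off)
{
    size_t b = (size_t)intno * 4;
    ivt[b]     = (uint8_t)(off & 0xFF);
    ivt[b + 1] = (uint8_t)(off >> 8);
    ivt[b + 2] = (uint8_t)(seg & 0xFF);
    ivt[b + 3] = (uint8_t)(seg >> 8);
}

static uint16_t ivt_segment(const uint8_t *ivt, int intno)
{
    size_t b = (size_t)intno * 4;
    return (uint16_t)(ivt[b + 2] | (ivt[b + 3] << 8));
}

/* Padgett's test, literally. INT 13h's entry starts at 0:004Ch (13h * 4); its
 * segment word is at 0:004Eh, so the segment's high byte is 0:004Fh. Segments
 * C000h and up are the adapter-ROM / system-BIOS region above 768 KB; anything
 * lower is RAM, i.e. something loaded after the BIOS. As 8086 code with DS=0:
 *     CMP BYTE PTR [004Fh],0C0h   (5 bytes: 80 3E 4F 00 C0)
 *     JB  not_rom                 (2 bytes)                 = 7 bytes in all. */
int int13_points_to_rom(const uint8_t *ivt)
{
    return ivt[0x4F] >= 0xC0;
}

/* The same rule for any vector (Padgett says it applies to INT 2Fh too). */
int vector_points_to_rom(const uint8_t *ivt, int intno)
{
    return ivt_segment(ivt, intno) >= 0xC000;
}

/* Constructed BIOS state before IO.SYS has run: both vectors in the F000h ROM segment. */
void build_clean_ivt(uint8_t *ivt)
{
    memset(ivt, 0, IVT_BYTES);
    ivt_set(ivt, 0x13, 0xF000, 0xEC59);   /* constructed BIOS disk service entry */
    ivt_set(ivt, 0x2F, 0xF000, 0xEE80);   /* constructed multiplex handler */
}

/* A resident boot-sector virus typically reserves memory at the top of
 * conventional RAM and points INT 13h at itself; 9F00h is 636 KB. */
void hook_int13_like_a_virus(uint8_t *ivt)
{
    ivt_set(ivt, 0x13, 0x9F00, 0x0123);   /* constructed virus handler */
}

/* Verdicts: 1 = passes (vector in ROM), 0 = flagged. */
int check_clean(void)
{
    uint8_t ivt[IVT_BYTES];
    build_clean_ivt(ivt);
    return int13_points_to_rom(ivt) && vector_points_to_rom(ivt, 0x2F);
}

int check_hooked(void)
{
    uint8_t ivt[IVT_BYTES];
    build_clean_ivt(ivt);
    hook_int13_like_a_virus(ivt);
    return int13_points_to_rom(ivt);
}

/* The caveat from the post: once DOS, a driver or a memory manager such as
 * QEMM "stealth" legitimately hooks INT 13h, the same test fires, so it is
 * only trustworthy when run before IO.SYS or backed by further checks. */
int check_legit_hook(void)
{
    uint8_t ivt[IVT_BYTES];
    build_clean_ivt(ivt);
    ivt_set(ivt, 0x13, 0x0070, 0x0400);   /* constructed: a DOS-level handler */
    return int13_points_to_rom(ivt);
}
```

The point the last function makes is why Padgett insists his check runs before IO.SYS: after DOS loads, a vector below C000h is normal, and the test alone can no longer separate a virus from the operating system.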
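Paul Ducklin's ExeBug clean-up discussion above ("Re: IBM PC Boot Seq"), worked through as an added example. This is an editorial model, not code from the digest, from ExeBug or from any a-v product: track 0 is an array of 512-byte sectors addressed by CHS sector number, the clean partition table and the "virus" bytes are constructed, the backup location 0.0.17 is taken from the post, and the assumption that the infected record keeps a valid 55AA signature is the model's own. It shows why FDISK /MBR alone leaves the table in tatters, and why both the sector-editor move and the "emergency copy taken with the virus resident" trick work.

```c
/* Added example (editor's model, not Paul Ducklin's or any a-v product's code):
 * an ExeBug-style MBR infection, FDISK /MBR, and the two repairs from the post. */
#include <stdint.h>
#include <string.h>

#define SECTOR   512
#define NSECT    63        /* sectors 1..63 of cylinder 0, head 0 */
#define MBR      1         /* CHS 0.0.1 */
#define BACKUP   17        /* CHS 0.0.17: where the post says ExeBug keeps the original */
#define PT_OFF   446       /* partition table: four 16-byte entries */
#define SIG_OFF  510       /* 55h AAh boot signature */

typedef struct { uint8_t s[NSECT + 1][SECTOR]; } track0_t;   /* index by CHS sector number */

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Rules a usable DOS partition table must satisfy (a subset of what the DOS
 * boot code and FDISK check): signature, legal boot indicators, at most one
 * active entry, and a non-zero size on every entry that has a type. */
int mbr_valid(const uint8_t *sec)
{
    int bootable = 0, used = 0;
    if (sec[SIG_OFF] != 0x55 || sec[SIG_OFF + 1] != 0xAA) return 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PT_OFF + 16 * i;
        if (e[0] != 0x00 && e[0] != 0x80) return 0;
        if (e[0] == 0x80) bootable++;
        if (e[4] != 0) {
            uint32_t n = e[12] | e[13] << 8 | e[14] << 16 | (uint32_t)e[15] << 24;
            if (n == 0) return 0;
            used++;
        }
    }
    return used > 0 && bootable <= 1;
}

/* Constructed clean drive: placeholder boot code and one bootable FAT16 partition. */
void make_clean_disk(track0_t *d)
{
    uint8_t *m = d->s[MBR], *e = m + PT_OFF;
    memset(d, 0, sizeof *d);
    memset(m, 0x90, PT_OFF);
    e[0] = 0x80; e[4] = 0x06;
    put32(e + 8, 63);                                  /* data starts after track 0 */
    put32(e + 12, 84u * 1024 * 1024 / SECTOR - 63);    /* about 84 MB */
    m[SIG_OFF] = 0x55; m[SIG_OFF + 1] = 0xAA;
}

/* The infection as the post describes it: original record parked at 0.0.17,
 * 0.0.1 overwritten in full, code *and* partition data. That the virus keeps
 * a 55AA signature is an assumption of this model. */
void exebug_infect(track0_t *d)
{
    memcpy(d->s[BACKUP], d->s[MBR], SECTOR);
    memset(d->s[MBR], 0xCC, SIG_OFF);                  /* constructed virus body */
    d->s[MBR][SIG_OFF] = 0x55; d->s[MBR][SIG_OFF + 1] = 0xAA;
}

/* What a program reading 0.0.1 through INT 13h sees: the resident stealth
 * virus substitutes the hidden original; booted clean, the raw sector shows. */
void int13_read_mbr(const track0_t *d, int virus_resident, uint8_t *out)
{
    memcpy(out, d->s[virus_resident ? BACKUP : MBR], SECTOR);
}

/* FDISK /MBR rewrites the master boot code and the signature only; the 64
 * bytes of partition table at 446..509 are left exactly as found. */
void fdisk_mbr(track0_t *d)
{
    memset(d->s[MBR], 0x90, PT_OFF);
    d->s[MBR][SIG_OFF] = 0x55; d->s[MBR][SIG_OFF + 1] = 0xAA;
}

/* 1 if the MBR looks clean with the virus resident while the raw sector is garbage. */
int scenario_stealth_hides_infection(void)
{
    track0_t d; uint8_t seen[SECTOR], raw[SECTOR];
    make_clean_disk(&d); exebug_infect(&d);
    int13_read_mbr(&d, 1, seen);
    int13_read_mbr(&d, 0, raw);
    return mbr_valid(seen) && !mbr_valid(raw);
}

/* Clean boot, then FDISK /MBR: virus code gone, partition data still in tatters. */
int scenario_fdisk_mbr_only(void)
{
    track0_t d;
    make_clean_disk(&d); exebug_infect(&d);
    fdisk_mbr(&d);
    return mbr_valid(d.s[MBR]);
}

/* Clean boot plus sector editor: move 0.0.17 back over 0.0.1. */
int scenario_sector_editor(void)
{
    track0_t d;
    make_clean_disk(&d); exebug_infect(&d);
    memcpy(d.s[MBR], d.s[BACKUP], SECTOR);
    return mbr_valid(d.s[MBR]);
}

/* Paul's trick: take the "emergency copy" while the virus is resident (the
 * stealth hands over the real table), then write it back after a clean boot. */
int scenario_emergency_copy(void)
{
    track0_t d; uint8_t copy[SECTOR];
    make_clean_disk(&d); exebug_infect(&d);
    int13_read_mbr(&d, 1, copy);
    memcpy(d.s[MBR], copy, SECTOR);
    return mbr_valid(d.s[MBR]);
}
```

The first scenario is Vesselin's warning in miniature: a "quick inspection" of the MBR on an infected machine returns the hidden original, which is exactly why the emergency-copy trick works and why no check made through INT 13h with the virus resident can be trusted.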