From lehigh.edu!virus-l Wed Apr 14 03:57:10 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Wed, 14 Apr 93 18:01:17 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA14898; Wed, 14 Apr 1993 14:18:23 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA45655 (5.67a/IDA-1.5 for ); Wed, 14 Apr 1993 07:57:10 -0400
Date: Wed, 14 Apr 1993 07:57:10 -0400
Message-Id: <9304141045.AA05988@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: 
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" 
To: Multiple recipients of list 
Subject: VIRUS-L Digest V6 #61

VIRUS-L Digest   Wednesday, 14 Apr 1993    Volume 6 : Issue 61

Today's Topics:

Scanners getting bigger and slower
Integrity check & checksum
Re: Sending viruses over Internet
Ides of march Virus Conference
Re: Best Net Antivirus (Novell)
Is "Untouchable" (V-analist-3) effective? (PC)
Re: VSIG availability (PC)
Abe Lincoln Virus? (PC)
Strange COMMAND.COM virus.. Password? (PC)
ANSI viruses and things that go bump in the night (mostly PC)
viruses and compression (PC)
Windows 3.1 virus (PC)
Re: Superstor and McAfee (PC)
MSAV "Updates" ? (DOS 6.0) (PC)
Re: Vir-Sig (PC)
Re: New viruses warning (PC)
Re: Loa Duong (PC)
Identifying a virus: help needed (PC)
Brazil virus (PC)
Re: Unknown little virus? (PC)
Tequila problem... (PC)
Virus Data Base (PC)
Re: VI-SPY VS Central Point AntiVirus (PC)
Terminator 2 and Bert virus ?? (PC)
Help wanted with Dir-II virus (PC)
Censorship/40-Hex (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.)
Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Sun, 04 Apr 93 12:31:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners getting bigger and slower

In a reply to frisk@complex.is (Fridrik Skulason) Inbar Raz writes on the issue of rare viruses hitting a PC:

> However, the way I see it, when we're discussing
> protection of BIG companies, as opposed to the protection
> of private people, the chances of someone downloading a virus
> from a board in order to deliberately upload it, are much
> smaller, if existent at all. If a company is wise enough to
> enforce a prohibition of disk exchange, and capable of doing
> it, then the networks/modem connection are the only
> way to get infected, and assuming those links are
> reliable links with reliable sources, this reduces the
> chance even further.

I wish it was so. If it was, then they wouldn't need an Anti Virus in the first place, and the PCs/Networks etc. would work fine. But take notice that *people* use these PCs, and wherever people are involved anything could happen. Someone can get a floppy from home and run it on the network, or you can buy a *NEW* "clean" software package to be used at work only (but the company that sold it to you also has employees that jerk around with their PC at work), so eventually, a virus can find its way into your PC in many ways, and you cannot assume anything for a fact (unfortunately).
Just to remind you of the magazine in France that gave away thousands of copies of infected floppies (FRODO virus), or several *major* companies in Israel that *SOLD* infected software....

Frisk wrote to Inbar:

>> As I have said before - the number of viruses should not affect the speed
>> significantly - memory shortage is a problem, however - in 5 years a virus
>> scanner might require more than 640K of memory to run....but so what ?
>> I think it is reasonable to expect "everybody" to have more memory than
>> that in 5 years..

That is true, if the scanner is designed properly the number of viruses will have a small effect on the speed: Suppose your method of checking a file for virus presence is based on an algorithm which generates the pointer to the data concerning the virus in your scanner, so there is always but *ONE* process per tested file running and a second specific process for verification, whatever the number of viruses known at that time. As for memory requirements, programs are converted more and more into DPMI programs, so in Protected Mode the memory problem is smaller... Besides: most programs are becoming GENERIC programs, thus minimizing the need for a huge database for more and more viruses.

Warmly

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: 07 Apr 93 06:53:22 +0000
From: s907997@numbat.cs.rmit.OZ.AU (Paul Yue)
Subject: Integrity check & checksum

I am currently writing my master's thesis and am doing something about an integrity check for computer viruses. If anyone has any information about this subject I would appreciate it if they could e-mail it to me. Any information whatsoever would be of great help and thank you in anticipation for your submissions.
Paul Yue

------------------------------

Date: Wed, 07 Apr 93 14:48:00 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Sending viruses over Internet

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> When people send viruses to each other for research (or commercial)
> purposes, how is it done? Internet mail? US Post Office?

Both e-mail and regular mail. When regular mail is used, it is, of course, not limited to the US Post Office only - you know, the US Post Office is not that popular here in Germany... :-)

> My concern is that it would be easy for an untrustworthy Internet
> node to trap all mail to/from a certain Internet address in order
> to obtain virus code.

You are right.

> Of course, similar concerns exist for other networks like Fidonet
> and local area networks as well.

On FidoNet the situation is slightly different. If NetMail is used, then you are calling directly the telephone of the recipient, so the only way to intercept the virus code is by wiretapping. On the other side, some idiots like to broadcast viruses to the echo conferences - since it is not possible to moderate them, there is no way this can be prevented...

> And how does one determine if the person to whom you intended to
> transmit the data is really a "bona fide" researcher, or even a
> person at all?

Uh, that's a tough question... For instance, according to some people, I am an automatic e-mail daemon; according to others (see the April 1st issue), I am a virus... :-) Indeed, several people have met me personally, but it has probably been a spoof... :-))

[Moderator's note: I have met Vesselin and I can attest to the fact that he is most definitely, beyond any doubt whatsoever, a virus. ;-)]

> If some form of encryption is used (properly!), then that is a good
> thing, but I am not able to help you determine the value of a
> specific system.

Indeed, we are usually using encryption when sending viruses to other researchers.
In general, PKZIP with a password of at least 8 characters selected from the full ASCII set is secure enough against hackers. For additional security, one may use DES or PGP. PGP uses public key cryptography, which eliminates the key management problem, but there seem to be some legal obstacles (patents) against its usage in the USA.

I would like to use this opportunity to ask everybody to use some kind of encryption when sending us viruses. If you cannot use PGP, use PKZIP with a long password and send the password by a different channel, for instance by fax. My phone and fax numbers can be found in my .signature.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226        Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >       Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 08 Apr 93 03:25:34 -0400
From: "Roger Riordan" 
Subject: Ides of march Virus Conference

I have sent the following message to dklefkon@well.sf.ca.us (Richard W. Lefkon). I would advise everyone who has spoken at previous conferences, and who does not wish to be associated with advertising for any future conference, to consider giving similar instructions as to the use of their names/photos.

Dear Dick,

I have attended three of your conferences. The organisation at the first two was merely disastrous, but the chaos at this year's conference was totally inexcusable. I prepared a paper, which was submitted in good time, and I was assured that it had been accepted, and that I had been allocated a favorable time at which to present it. However when we arrived in New York I found that there was no program, and that no one knew what was supposed to be happening.
Furthermore there were no Proceedings, so that it was impossible even to decide who to talk to, let alone which talks we should try to attend (IF we could determine when, where - or if - they were being presented).

I was extremely disappointed to discover that, despite your promises, you had apparently not scheduled me to give the paper which you had assured me had been accepted by the committee. I regard this as a gross breach of faith on your part, and I suspect that you have deliberately taken advantage of me, so that you could use my name to publicise your conference.

At the time you kept promising us that the Proceedings would arrive "tomorrow", and then that they would be posted to us "immediately". I am exceedingly disgusted to discover that still no-one has received them. I would point out that you have a legal obligation to deliver the Proceedings, which were advertised as an integral part of the Conference. WHEN WILL WE GET THEM?

So it seems that we have gone to considerable trouble to prepare a paper which was not presented, or - apparently - even published. It cost us over $US6500 to send two delegates to this conference, and in the circumstances we can only regard this as having been largely wasted.

I believe that the disaster this year was of such epic proportions that no-one would attend any conference scheduled for this time and date, even if you had no part in the organisation. However as you still seem to think that you can do better next time I wish to advise you that you may not, IN ANY CIRCUMSTANCES, make any use of my name or photograph in any advertising relating to any future conference. If you should disregard this instruction I will instruct my legal advisers to take appropriate action.

Roger Riordan                      Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.
Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA
Fax: +613 521 0727

------------------------------

Date: Thu, 08 Apr 93 11:01:31 +0000
From: v922340@kemp.si.hhs.nl (Snaaijer)
Subject: Re: Best Net Antivirus (Novell)

swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer) writes:

|> keren@math.tau.ac.il (Keren Shmuel) writes:
|>
|> > Hello there
|>
|> > I am sorry if it is not the right place to ask this Q but i don't know
|> > where else i can post it:
|>
|> > The Q is : what is the best AntiVirus for a net (NOVELL) today ?
|>
|> Of course it is: Mine by ______________
|>                          ^ ^ ^ insert company name here :-)
|>
|> Oh, and by the way my company is: S&S International (Deutschland) GmbH

or you can try TBAV .. it also has full network support.

Ivar.
- --
E-mail : v922340@si.hhs.nl
... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 04 Apr 93 12:02:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Is "Untouchable" (V-analist-3) effective? (PC)

In a message to everyone From: chermesh@chen.bgu.ac.il (Ran Chermesh) asks:

> Our department considers buying an anti virus package. High in the list
> is an Israeli product, sold in Israel under the name V-analyst-3 and
> in the US as Untouchable. The feature of most interest to us is
> the way this package claims to deal with future viruses. Since this
> feature can't be tested experimentally, the best way is to learn from
> the experience of others.
> Thus, please post a reply, or send me a private note what's your
> experience with this feature of the package. Of most interest for us
> is your experience with cases where the package FAILED to
> deliver the goods, meaning to rebuild a useful binary file.

This mailing network is *NOT* a commercial network. It should not supply such straightforward information, however you may learn your answer from talks about the product in VIRUS_L.
What I do not understand is: since you are close to the dish, why can't you obtain the information from close-by sources, your country is a multi Anti-Viral nation?

regards

* Amir Netiv. V-CARE Anti-Virus head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 06 Apr 93 14:24:00 -0400
From: Mikael Larsson 
Subject: Re: VSIG availability (PC)

bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

> The latest revision of Vsig that I have seen was 9301. They have added a
> lot of signatures to the new January release.
>
> I don't have FTP access, but I downloaded VSIG9301.ZIP from French
> Connection BBS in Seattle, Wa. (206) 771-1730.

VSIG9303.ZIP is available at most of the VirNet connected BBSes, otherwise Sara Gordon at VFR Systems should have it I guess.

MiL

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre          Phone: +46-26 275740    Email: mikael@vhc.se
Box 7018                   Fax:   +46-26 275720    or   : mikael@abacus.hgs.se
S-811 07 Sandviken         BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                     BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date: Tue, 06 Apr 93 19:32:56 +0000
From: Erik Scot Hatcher 
Subject: Abe Lincoln Virus? (PC)

A week or so ago, one of the PCs in our office began acting strangely in Windows 3.1 - the effects were that any process that went out into DOS would die. We scanned the PC with Norton AntiVirus (latest version) which turned up nothing. Soon after that, the PC (from Windows) cleared the screen and drew a detailed picture of Abe Lincoln. Finally after much digging into the system, we noticed that the COMMAND.COM file in the C:\DOS directory was larger than the one in the root directory, and that the only place where the one in the DOS directory was being referenced was in some of the Windows .INI files, etc. We replaced the COMMAND.COM and now our system works fine. Has anyone experienced such an occurrence?
I would like to know more about this "virus".

Thanks,
Erik Hatcher (esh6h@virginia.edu)

------------------------------

Date: Tue, 06 Apr 93 18:00:56 +0000
From: killion@eis.calstate.edu (Dave Killion;Pac Bell)
Subject: Strange COMMAND.COM virus.. Password? (PC)

We have had two calls yesterday from someone in England and someone in Puerto Rico that on April 5th, when trying to run COMMAND.COM, it asks them for a password.... I'm not sure what it is, but it's only these two machines, and not ours in our shop. One user said he can run DOSSHELL, but when he exits to the command prompt, it asks for this password... We think it's a virus. Any suggestions? Please either repost a reply, or respond to my Email box: Killion@Eis.Calstate.EDU

Thanks,
Dave Killion
Tech Support
Altima Systems

------------------------------

Date: Tue, 06 Apr 93 15:50:08 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: ANSI viruses and things that go bump in the night (mostly PC)

a) If you have the stock ANSI.SYS loaded, I have demonstrated that it is possible to construct a mechanism that will cause an infection to occur on execution of a DIR command on a "prepared" floppy.

b) There is no real need for anyone to have ANSI.SYS loaded. IMHO while ANSI.SYS once had a real value for key redirection, this is no longer true. Today the main reason is to set the screen colors (a PROMPT string containing [37;44m will produce a blue background with white letters). You can do the same thing with a one byte change to COMMAND.COM (DOS 5.0 and 6.0 COMMAND.COM contain one byte pair "B7 07". The second byte defines the screen colors on a CLS (07 is low white on black). Using DEBUG you can change this byte (found at DEBUG offset 4A53 in DOS 6.0) to 17 for a blue background or 0F for bright white on black - - nice on older laptops - Note: you will need to reboot after the change & COMSPEC must point to the new COMMAND.COM.
If you *must* have key redirection via ANSI.SYS then the fix is another simple change using DEBUG - for 6.0 the byte at DEBUG offset 161 is a hex 70 (lower case "p"). Change this to a character unused by ANSI (no hints here, diversity is strength 8*) and your ANSI will not recognize a "stock" ANSI redirection command (e.g. [;p). Unless the malefactor can guess your new character, ANSI bombs will not work.

Warmly,
Padgett

------------------------------

Date: Tue, 06 Apr 93 20:43:20 -0400
From: sosc1043@wc05.writer.yorku.ca (Colin Beckmann)
Subject: viruses and compression (PC)

Greetings

I was wondering if anybody could tell me if it is possible for a scanner to detect a virus in a compressed file or on a stacked hard drive or if the virus can be detected on a file that has been backed up using DOS or Norton backup. Somehow I doubt it but I am asking to be sure. If it can be detected could you tell me the name of the software that can do it.

Thanks
Colin Beckmann

------------------------------

Date: Tue, 06 Apr 93 21:35:43 -0400
From: fites@qucis.queensu.ca (Philip Fites)
Subject: Windows 3.1 virus (PC)

I keep seeing people who report "general protection faults" and similar things and attribute them to virus action. I'm having similar problems with the same error messages; Microsoft insists this almost certainly is a wonky SIMM, not any sort of virus. They back it up with technical manual pages by fax.

Today, someone reported actually cleaning up a 36 byte virus. I have real trouble believing this; the smallest I know of is 44 bytes and isn't viable, much less a Windows specific infector. Do you know of anyone with real data on this? (Bontchev or Skulason, perhaps?)

All diagnostic tactics I have available indicate no virus. This includes checksums on some critical programs, scan 107, (oops, 102 I think), fprot 207, limited file examination (I can't read 36 bytes of hex somewhere in some Windows kernel of several hundred K!)
Yes, I booted from a known-clean diskette that doesn't load anything from the hard disk.

Once the school term ends and I can do without my rather crippled computer for a few days, I'll know for sure if there's a hardware problem. I'll let ya know -- but this won't necessarily rule out a Windows-specific virus in other systems.

Any pointers?

------------------------------

Date: Wed, 07 Apr 93 01:34:51 +0100
From: gb03@ns1.cc.lehigh.edu (GEORGE PHILIP BLUHM)
Subject: Re: Superstor and McAfee (PC)

> I'm posting this question for a friend. He has had some problems using
> McAfee and Superstor. He scanned the files on his Superstor disk, and
> McAfee reported no viruses. However, he could not access the Superstor disk;
> he could only access the regular disk with the Superstor temporary files.
> Luckily, when he rebooted, all was fine-- he could access his Superstor
> disk and all files were intact.
>
> Are there any problems with using Superstor and McAfee? What may have
> caused his inability to access the Superstor disk?

I have had similar problems with my system running drdos 6.0 with the windows upgrade. I have noticed it mostly when I exit windows. Rebooting seems to remedy the problem. I have used F-prot and McAfee and found no virus. I have also run AVS and the files remain clean.

George Bluhm
- --
Phylee THEE MacNasty

------------------------------

Date: Tue, 06 Apr 93 23:10:53 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MSAV "Updates" ? (DOS 6.0) (PC)

On a coupon in the back of the MS-DOS 6.0 Upgrade Manual where you are told to send in your money for all of the optional extras (like EDLIN & EXE2BIN) for MSAV updates it says "...the first will ship now..."

On page 277 of the same booklet you are advised to call a BBS (seems to be at Central Point) at (503)531-8100. Quoting from the book again "As viruses are discovered, their signatures are posted on a bulletin board system (BBS), which is available 24 hours a day, 7 days a week."
Called the number on Saturday. No answer. Called tonight (Tuesday) got answer (@14,400 8*). Went through login procedure. No signatures. Not even a *place* for signatures that I could find. No place to leave comments. (Did open with presumably voice telephone numbers). Since I did not want to read a text file on the Michelangelo, I signed off.

Wake me if the signatures appear.

Cynically,
Padgett

Opinions are my own & do not necessarily reflect those of any other entity.

ps Was able to download the "supplemental disk" file from the MS bulletin board (has EDLIN & EXE2BIN). 480 compressed k of it. DOS6SUPP.EXE. (206)936-6735 - page 256.

pps: some of the above may be trademarks or copyrights. They are owned by whoever owns them.

ppps: Has anyone seen a NETX.COM that runs with DOS 6.0 without patching & pipe warning ?

------------------------------

Date: Wed, 07 Apr 93 08:03:26 +0000
From: v922340@kemp.si.hhs.nl (Ivar Snaaijer)
Subject: Re: Vir-Sig (PC)

bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

|> >From Demetre Koumanakos to All About Vir-Sig (PC) on 03-26-93
|> .bill.lambdin@frenchc.eskimo.com
|>
|> DK| It has been now more than 2 months since I was able to find
|> DK| a new Vir-Sig file for TBAV from any of the known sources
|>
|> The latest revision of Vsig that I have seen was 9301. They have added a
|> lot of signatures to the new January release.
|>
|> I don't have FTP access, but I downloaded VSIG9301.ZIP from French
|> Connection BBS in Seattle, Wa. (206) 771-1730.

I've uploaded something to Timo Salmi, but he isn't around until 12th of April. I can send it to people who need it terribly, but i don't think there is that lot of change (in the signatures). The datafile i have doesn't recognize Terminator II; the beta version of TBSCAN does ... (see also other posting.)

Ivar.
- --
E-mail : v922340@si.hhs.nl
... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date: Mon, 05 Apr 93 19:01:50 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New viruses warning (PC)

EM436861@ITESMVF1.RZS.ITESM.MX (Mario Rodriguez Cardenas) writes:

> The Susan 1 virus is a resident overwriting virus. When an infected file is

[stuff deleted]

> You can check for this virus with the following signature:
> "C91FCD21B43ECD21C3505256571E068C"

Yes, we have that one here.

> The FoneSex virus is also an overwriting virus and seems to be nonresident, it

[stuff deleted]

> You can check for the signature "EB079000B43BCD21C3E89B00E89F00".

This one seems to be new; the signature didn't match any of my samples.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226        Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >       Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 07 Apr 93 11:06:59 -0400
From: "David M. Chess" 
Subject: Re: Loa Duong (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>The standard CARO name for this virus is Lao_Doung. I have no idea
>where the name comes from. I know that McAfee is using a different
>spelling.

I think I was the first Westerner to get a sample of this virus. It came from Thailand in May of 1991, and the person I got it from said that the tune it sometimes plays is a Thai tune called "Lao Doung Duen". Hence the name (and the spelling).

DC

------------------------------

Date: Wed, 07 Apr 93 16:10:13 +0000
From: preneel@esat.kuleuven.ac.be
Subject: Identifying a virus: help needed (PC)

Hello,

I have been contacted by a company whose computers are probably hit by a virus. The guy I spoke to is not a DOS expert, so I have only very little information.
The "virus" is NOT detected or identified by "recent" versions of: Norton AV (2.1), Dr. Solomon, EliaShim ViruSafe and Central Point AV.

Operating system: DrDOS 5 and MSDOS 5

Symptoms:

- - the virus creates several new files until the hard disk is full. The names of the new files are:
      AIAMBEAN AMCBAODC,ALDHABEF,ALCHOCK,APPLOAD.DFS    size 0
      ALCHCOCK.SWR,ALDHABEF.SWR,AMCBAODC.SWR            size 100000
- - many lost clusters
- - after starting up from a floppy, the CMOS is overwritten and DOS is not available

Any help or comments are welcome. Please reply by email to bart.preneel@esat.kuleuven.ac.be

------------------------------

Date: Wed, 07 Apr 93 15:50:24 +0000
From: SKLEPZI@SSB1.SAFF.UTAH.EDU (Steven Klepzig)
Subject: Brazil virus (PC)

Another university here in Utah is reporting an outbreak of a virus called Brazil or Brazilian. Is there such a beast? I haven't seen it here nor have I heard of it on our campus. The reports also say that F-PROT doesn't find it, but they do refer to something called antibras. Any help is appreciated.

Thanks.

Steven Klepzig (sklepzi@ssb1.saff.utah.edu)
University of Utah

------------------------------

Date: Wed, 07 Apr 93 13:31:09 +0000
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Unknown little virus? (PC)

motreba@mat.torun.edu.pl (Maciej Otreba) writes:

|Last time I had a virus in my PC. It came from Internet probably with one
|of the shareware games. The problem is that the virus was not detected by any
|program.

Interesting. If you didn't detect it with any virus scanner, how do you know it was a virus?

| I tried to find it by Scan 100, F-Prot 2.07 and Polish AV program
|MkSVir (available at FUNET with on-line translator). This virus caused
|General Protection Fault in Windows 3.1 in krnl386.exe when running Write,
|Paintbrush, MS Word 2.0 and System Editor. It was probably very small. I
|think it took 32 bytes of base memory (difference between memory with and
|without virus).
32 bytes isn't enough to write an interrupt service routine, much less anything resembling a virus.

| I threw it out by formatting HD and setting up system
|again.

This was probably unnecessary.

| My question is: has anyone heard/seen anything about this virus?

It doesn't sound like a virus; it sounds like one of your Windows files got corrupted. Most likely, all you had to do was reinstall Windows.

| Is
|there any signature?

It would take a captured copy to extract a signature from, and since you formatted your drive, you destroyed any possibility of finding out what happened. Don't assume that every problem that pops up on a computer is a virus. There are many other possible causes, which is what you should have looked for after not finding anything with the scanners.

| Which programs in Internet might be infected?

Probably a very small number. Certainly none with a 32-byte virus.

- --
Gary Heston                     SCI Systems, Inc.
gary@sci34hub.sci.com           site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....

------------------------------

Date: Wed, 07 Apr 93 20:19:00 +0000
From: "Look, and see the darkness..." <9008411@ul.ie>
Subject: Tequila problem... (PC)

Ummm, a friend of mine has had his HD infected by what appears to be Tequila. He's tried every single anti-virus program he can lay hands on, but it keeps re-appearing, for no apparent reason. It's not from a floppy or anything as he has had it re-appear BEFORE even using the floppy drive after disinfection. My only suggestion is that Stacker 2.0 (which he has installed on the infected drive) may be quirky.....can anyone suggest anything?

Thanx in advance....
John Cullen, University of Limerick (yup...YABStudent)
9008411@ul.ie

------------------------------

Date: Wed, 07 Apr 93 17:20:26 -0400
From: keith.watson@stucen.gatech.edu
Subject: Virus Data Base (PC)

I just found an ad for a hypertext virus database. V-Base from International Computer Security Associates. A free demo is available from their BBS at 202-364-0644. Is this a rehash of Vsum or is the long-awaited virus database finally here? Comments?

Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332-0453
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: keith.watson@stucen.gatech.edu

------------------------------

Date: Thu, 08 Apr 93 07:57:15 +0000
From: smt0@ns1.cc.lehigh.edu (STEFAN M. THIEME)
Subject: Re: VI-SPY VS Central Point AntiVirus (PC)

>Hi netters,
>
> This is not a comparison between the two scanners. I ran into some
>problems while running Vi-Spy version 10 while scanning my hard disk.
>
> Vi-Spy consistently picks the Central Point Antivirus files like
>vsafe.com or Vsafe.sys saying that Flip virus is found. I think I have used a
>Virus scanner from Taiwan Eten group which reports the same thing.
>
> Just wondering if anyone has this problem? Is it just coincidence that
>Flip's signature was found in CPAV files?

I had the exact same thing happen to me, except that it was F-Prot that noticed the Flip virus signature, and it was in Vwatch (.com or .sys? I can't remember). Since CPAV was about 18 months out of date (and just taking up hard disk space) I deleted the whole program. But yeah, I think it does have that sig. somewhere in it. I never had any problems with viruses (knock on wood) other than finding flip, and only in that one file.

bye.

- --
*The Avatar****************************************************SMT0@LEHIGH.EDU*
***************** These are my opinions. Mine mine mine mine!
*****************

------------------------------

Date: 08 Apr 93 08:38:51 +0000
From: houkes@eb.ele.tue.nl (Vincent Houkes)
Subject: Terminator 2 and Bert virus ?? (PC)

Hello there,

Can anyone help me with the following problem !!??

Yesterday morning I found my system infected with two viruses. Scan v100 found only one, and scan v102 detected a file with two. I found the origin of the viruses, namely a file called passrem.exe, which I downloaded from a BBS. The viruses were called the Terminator 2 virus (stealth), and the Bert virus. The latter was only found by vers. 102. Alas there is no description of those viruses in the virlist.txt, and vsum x303 doesn't answer completely either (only some info on the terminator, terminator 2001 (or something like that) and the terminator 3002 (or something like that)). Does anyone know these viruses? (scan gives [Term2] and [Bert])

Second of all, is there a way to check zip files for viruses before extracting them??

Thank you very much !!!!!!

Vincent Houkes

PS. f-prot 207 cannot locate the viruses, not even in a heuristic scan. !!

E-mail houkes@eb.ele.tue.nl

V.J. Houkes                                        \   /   /
Student University of Technology of Eindhoven       \ /---/
E-Mail : houkes@eb.ele.tue.nl                        \/   /
- ----------------------------------------------------------------------

------------------------------

Date: Thu, 08 Apr 93 08:47:11 +0000
From: kleyngel@dutiws.TWI.TUDelft.NL (Raymond Kleijngeld)
Subject: Help wanted with Dir-II virus (PC)

Hi everyone,

I recently discovered the Dir-II virus on my system (486/33 with a 212 Mb HD). I've a bootable floppy which contains no virus and includes a virus scanner, scan v102 from McAfee. I scanned the HD but scan didn't detect any virus. So I assumed that the HD was clean. I have read in the virlist.txt that the dir-II virus uses stealth techniques and self-encryption. Maybe this is the reason that the virus can't be detected. Actually I have the following problem.
Because the virlist.txt describes that the dir-II virus crosslink files and directories I used chkdsk and norton diskdoktor to correct the problem. There are crosslinked files and directories. Norton disktor (ndd) repairs the files. After using NDD I use chkdsk and the unallocated chained are nicely converted to files. I delete those files. But when I run NDD again I get the same errors and even some more. So I think that my system is still infected. Can anyone help me with this problem. Because I have optimized the programs to communicate with eachother I don`t like formating the disk again. So any comments about the dir-II virus are welcome. Thanks in advance Raymond - -- +--------------------------------------+------------------------------------+ | Raymond Kleijngeld | Delft University of Technology | +--------------------------------------+------------------------------------+ | kleyngel@dutiws.TWI.TUDelft.NL | ------------------------------ Date: Thu, 08 Apr 93 06:19:00 -0400 From: David Hanson Subject: Censoship/40-Hex (PC) Vesselin says: > Burger's and Ludwig's books are crap After wasting my time on a couple of bogus virus books ("dangerous", because they contained *actual viral source code*), I dusted off my assembly books, and am looking for some good disassemblers so I can get decent information on the two virii that I have encountered here in the "wild". It seems that in the current climate of viral censorship, the only way to get decent info is to a) Go to the "underground" (not always good information, but at least they aren't afraid to share it...) b) DIY (Which I'm currently in the process of doing. It costs me spare time, but I (slowly) gain knowldege and I know that the only person BS'ing me is me. I've yet to read a decent virus book. Can you recommend a solid, relevant virus book? Vesselin says: > Some articles in 40-Hex are interesting. 
I wouldn't recommend the > - -distribution- of this electronic magazine, because it contains > potentially harmful code (viruses in source or as DEBUG scripts), but > if some "good guy" already has it, I would recommend him/her to read > it. And how does a "good guy" get 40-Hex? Wouldn't receipt of 40-Hex from *any* source be participation in the -distribution- of this magazine? Not necessarily by dissemenating the info ("good guys" would NEVER do that), but by creating demand. Even if you get it from another "good guy", passing the magazine from one place or person to another is distribution. This is something that is ok for YOU to participate in, but not ME (if I am to be a "good guy")??? Tell me, where do YOU get 40-Hex from? Why should it be ok for you to receive it, but not me? I do not wish to detract from the extremely valuable and "good" work that you do as a virus researcher, just want to point out that "good"/"bad" is not black/white, more like shades of gray. Case in point - your participation in 40-Hex distribution. If you're going to fight the "bad" guys, you've got to get your hands dirty. BOTTOM LINE: I really get peeved when access to information such as 40-Hex is limited "for my own good". In the short term, censorship may seem like a good idea, but in the long term, it just limits information to the (good/bad/ugly) and leaves all of us neutral/gray people at the mercy of self-appointed "experts" (good/bad). I trust any expert as far as I can independantly verify what they say. ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 61] *****************************************
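Two threads in this digest, Thieme's note that another product's own data files tripped a Flip signature and Houkes's question about checking zip files before extracting them, come down to the same mechanism: a scanner looking for raw byte patterns. The Python below is an added example, not code from the digest or from any of the products named in it; its patterns, the "vendor signature file" and the archive are all constructed placeholders, not real virus signatures. It shows why a naive scan flags a file that merely stores a signature, a known-good hash allow-list as one mitigation, and scanning archive members in memory so nothing is written to disk.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

# Constructed placeholder byte patterns; these are NOT real virus signatures.
SIGNATURES = {
    "DEMO-FLIP": b"\xde\xad\xbe\xef\x42\x42\x42",
    "DEMO-BERT": b"BERT-WAS-HERE-DEMO",
}

def scan_bytes(data: bytes) -> List[str]:
    """Naive scan: report every signature whose raw bytes occur anywhere in data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def scan_with_allowlist(data: bytes, known_good: set) -> List[str]:
    """Same scan, but a file whose SHA-256 is on a known-good list is skipped.

    This is how a scanner avoids flagging another vendor's data files, which
    legitimately contain signature bytes (the CPAV/Flip case in the digest).
    """
    if hashlib.sha256(data).hexdigest() in known_good:
        return []
    return scan_bytes(data)

def scan_zip_members(archive: bytes) -> Dict[str, List[str]]:
    """Scan every member of a ZIP archive in memory, without extracting to disk."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits[info.filename] = scan_bytes(zf.read(info.filename))
    return hits

def build_demo_zip() -> bytes:
    """Constructed archive: one harmless member, one carrying a demo pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("sample.exe", b"MZ" + b"\x00" * 16 + SIGNATURES["DEMO-BERT"])
    return buf.getvalue()

# Constructed stand-in for another product's signature database: it stores the
# very bytes the scanner searches for, so a naive scan reports it as infected.
VENDOR_SIGDB = b"SIGDB\x00" + SIGNATURES["DEMO-FLIP"] + b"\x00"
KNOWN_GOOD = {hashlib.sha256(VENDOR_SIGDB).hexdigest()}
```

The allow-list only suppresses the hit while the vendor file is byte-for-byte unchanged; any update to that file needs a new hash, which is the price of not weakening the pattern match itself.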
