Date: Tue, 20 Apr 1993 07:49:56 -0400
Message-Id: <9304201050.AA11351@first.org>
Sender: virus-l@lehigh.edu
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #66

VIRUS-L Digest   Tuesday, 20 Apr 1993   Volume 6 : Issue 66

Today's Topics:

Re: Sending viruses over Internet/Fidonet
Re: Sending viruses over Internet/Fidonet
Re: Sending viruses over Internet/Fidonet
Re: VSUM (PC)
FORM-18 Virus and 1.44Mb diskettes (PC)
Integrity Checking (PC)
Re: Status of victor charlie (PC)
Re: Central Point Anti-Virus Updates (PC)
"DIR" infection, or "Can internal commands infect" (PC)
Re: gerbil.doc virus (PC)
Re: VSUM (PC)
Re: Censorship/40-Hex (PC)
Can a virus infect NOVELL? (PC)
Port Writes (PC)
What's this??? (PC)
Catch from DIR? (PC)
DOS 6.0 and Scan (McAfee) Interaction (PC)
Re: viruses and compression (PC)
WINHELP.EXE virus?? (PC)
Possible mcafee scan trojan (PC)
What's this??? (PC)
Catch from DIR? (PC)
Unknown little virus? (PC)
Re: What is a fragmentation virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Sat, 17 Apr 93 15:51:25 -0400
From: tck@fold.ucsd.edu (Kevin Marcus)
Subject: Re: Sending viruses over Internet/Fidonet

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

>Of course, I have not yet seen 40-Hex. If it also contains material
>on how to commit crimes (eg, I have seen an email mag which tells
>people how to commit murders) then I may change my mind. Somehow
>I don't think writing a virus is as bad as committing a murder.
>Right now I would equate virus magazines with gun magazines. In
>theory, no harm done.

Do you get guns with your gun magazines? No.
Do you get viruses with your virus magazines? Yes.

--
-=+> Kevin Marcus, Virus Researcher. Author: TSCAN, RE-xxx, MICHEX, STONEXT
datadec@ucrengr.ucr.edu (619)/457-1836, 3-2400 baud, 24 hours.
Comp. Sci. Major, University of California, Riverside.

------------------------------

Date: Sun, 18 Apr 93 14:55:08 -0400
From: CELUSTP@cslab.felk.cvut.cs
Subject: Re: Sending viruses over Internet/Fidonet

Hi everybody,

Donald G Peters wrote:

>I liked David Hanson's argument with VB that people should have
>access to 40-Hex. May I suggest that the good guys at least limit
>distribution of 40-hex to poor quality photocopies (to prevent
>scanning) and keep a master copy of the good-guy mailing list. Okay,
>that idea causes extra work, but it would help to prevent the
>spread of the rag to anonymous bad guys, at least electronically.

It is only extra work. Besides, who can tell who is a "bad" or "good"
guy (or girl)?
People who could possibly use information found in 40-Hex for a
"malicious purpose" (which is still not clearly defined) will find
their way to read it anyway. Others (especially if concerned with
anti-virus research and/or development) should be informed in time.

>Personally, I would think it is fair to email it to anyone with
>a government Internet address (is this reasonable?) or to anyone
>that one thinks is probably a good guy. Life's a risk.

Don't forget sending it to girls (not only guys are interested in
viruses :-)). Life is a risk. Sharing information is a necessity.

>Of course, I have not yet seen 40-Hex. If it also contains material
>on how to commit crimes (eg, I have seen an email mag which tells
>people how to commit murders) then I may change my mind. Somehow
>I don't think writing a virus is as bad as committing a murder.
>Right now I would equate virus magazines with gun magazines. In
>theory, no harm done.

Writing a virus is not a crime by itself, just as writing any code is
not. If you write a virus which has an extremely destructive function,
spreads very fast and uses some sophisticated method for avoiding
detection, and then keep its code in the drawer of your desk, no harm
is done. But the question here is: why did you write such a virus at
all if you don't have the intention to spread it? Well, if you really
don't want to spread it, what if somebody else finds that code and
spreads or uses it deliberately? Let's suppose further you get sick
and have to go to hospital. Somebody puts your (or any other) virus in
computer(s) containing vital data about patients and you (and possibly
other people) die from a drug overdose or from receiving the wrong
drugs or a radiation overdose or something similar. Or you have to go
somewhere by airplane. But because of a virus active in the
computer(s) for flight control, your plane crashes with you and the
other passengers. Would we call those (just hypothetical, I hope)
situations accidents or murders (or terrorist acts)?
Considering every possible consequence of virus activities, the best
advice is: don't write viruses. Who will listen? Virus writers
certainly not. Not going too deeply into the philosophical aspects of
the irrationality of human behaviour (i.e. why people write viruses at
all), the general conclusion is: writing viruses is not a crime yet.
At least I am not aware of any law explicitly stating that it is.
[The few laws I've heard of state that launching a virus is an illegal
activity concerning altering (adding, deleting, destroying) data or
endangering a data-processing unit or unauthorized modification of
information.] Accordingly, writing about viruses and giving complete
code (e.g. in 40-Hex) is not a crime either, so such information could
be shared freely. But, considering the possible consequences of virus
writing and/or writing about viruses, as well as the facts that
viruses could be distributed unknowingly and that altering data
doesn't have to refer only to virus activities, the questions are:

1. Is there any law in any country which explicitly says that the act
   of virus writing could be considered a criminal activity?
2. If yes, does it clearly state which part of the virus code puts its
   author outside the law, i.e. is it the "do damage" part, the
   infection part or something else?
3. If not, is it possible to give such a definition of a computer
   virus which could be the basis for an adequate legislative measure,
   and who is competent enough to give such a definition?
4. Considering virus writing can be treated as a crime, could the
   publishing of virus code be prohibited and writing about viruses
   censored in some way?

As I am not a lawyer (only an interested person) I can't answer these
questions. Hopefully, lawyer(s) reading this list (is there any?) will
answer. If writing viruses could be defined as a criminal act,
magazines like 40-Hex could be prohibited too (or at least the
publishing of full virus code) and discussions like this one will be
unnecessary.

Cheers,

Suzana

---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka          e-mail addresses:
         Department of Computers             celustka@sun.felk.cvut.cs
         Faculty of Electrical Engineering   celustkova@cs.felk.cvut.cs
         Karlovo namesti 13                  phone : (+42 2) 293485
         12135 Prague 2, Czech Republic      fax   : (+42 2) 290159

------------------------------

Date: Sun, 18 Apr 93 16:59:52 -0400
From: ac999512@umbc.edu (ac999512)
Subject: Re: Sending viruses over Internet/Fidonet

>Of course, I have not yet seen 40-Hex. If it also contains material
>on how to commit crimes (eg, I have seen an email mag which tells
>people how to commit murders) then I may change my mind. Somehow
>I don't think writing a virus is as bad as committing a murder.
>Right now I would equate virus magazines with gun magazines. In
>theory, no harm done.

No, 40 hex is not a generic computer-crime magazine. It focuses
strictly on viruses. Most of the articles are either viral source
code, disassemblies, hex dumps, or tips/tricks/instructions on viral
creation. I think relating it to a gun magazine is a fairly good
analogy, except that gun mags usually don't have gun kits included
that require minimal assembly to become fully functional.

+-------------------------------------------------------+
| Ed T. Toton III, Virus Researcher   ac999512@umbc.edu |
| Press any key.. Except THAT one!                      |
+-------------------------------------------------------+

------------------------------

Date: Fri, 16 Apr 93 18:58:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSUM (PC)

mikael@vhc.se (Mikael Larsson) writes:

> Well, Okay, I maybe expressed myself a bit dizzy, but I still think it
> is quite good for the average user - Okay, not for us who knows a lot
> about viruses, but for the "common-people" I think VSUM can be used with
> great satisfaction - even though it contains inaccurate information in
> some cases.

That's the main problem. It looks very nice, it is very big (so people
think that it is complete), and because of that many people are
compelled to use it and believe it. Unfortunately, it is very
misleading - sometimes it gets even such basic things wrong as the
infective length of the virus.

> What do you recommend as a better alternative, instead of VSUM then?

There's none. I mean, there's no available collection of information
about viruses which is good enough. The FAQ lists some, VBASEABC is
another one. The FAQ also lists VSUM, BTW. Each of these sources is
either inaccurate, or incomplete.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 16 Apr 93 15:37:25 -0400
From: fergp@sytex.com (Paul Ferguson)
Subject: FORM-18 Virus and 1.44Mb diskettes (PC)

I've been tinkering with a FORM variant that has continually plagued
one of our large commercial clients in New York City for months.
Although we had been fairly successful in cleaning it up, an infected
machine occasionally surfaces. An earlier sample of an infected HD
3 1/2" diskette that I managed to acquire was non-functional.
Somehow, the virus did not relocate the DBR and transplant its own
"jump" code. Recently, however, this particular variant surfaced again
yesterday. I made sure that I got a functional copy this time.

This variant activates on the 18th of the month, as described in the
dialog below from last fall.

From: G J Scobie -

> We have had the FORM virus in a big way around the University
> this year. ... The version we have here triggers on the 18th of
> the month. Students have reported corrupt files on their floppies
> though this only seems to happen if the disk was nearly full
> before the infection took place.

Date: Tue, 27 Oct 92 14:16:17 -0500, "William Walker C60223 x4570" wrote -

> The sample of Form that I have is the variant that triggers on
> the 18th of the month. When it infects a 360 KB floppy (I haven't
> tried it with other densities), it allocates Cluster 34 (Sectors 76
> and 77) to itself and marks it as a bad block. It may be possible
> that, if Cluster 34 is in use, the file which used it would then be
> damaged. However, if the virus tries searching for an available
> cluster and the diskette was full or nearly full, it could be
> possible that the virus would go ahead and grab a used cluster. I
> haven't tested it enough to see how it infects under these
> circumstances, but perhaps this is enough to be of use to you.

Our client site is purely true "blue", from PS/2's right on down to
running a token ring network (we finally sold them on the idea of
ditching IBM source routing and installing intelligent hubs, though),
so I can only report the results on a HD 3 1/2" diskette. (My 486/33
notebook has only a 1.44 Mb drive, as well.)

On a 1.44 Mb diskette, FORM relocates its "jump" code to Cyl 7,
Side 0, Sector 16. It relocates the original DBR in the next sector,
sector 17, and marks both sectors bad. The text contained in sector 16
is the same "The FORM Virus sends greetings..." message as with the
original FORM.

Correct me if I'm wrong, but isn't this area used by DOS to store the
second copy of the FAT? If my understanding is correct, then the disk
allocation for a 1.44 Mb diskette is:

Sectors    Used for         Used by
-------    --------         --------
0          Boot Record      DOS
1-9        1st FAT          DOS
10-18      2nd FAT          DOS
19-32      Root Directory   DOS
33-2,879   Data             Whatever

Also, I realize that VSUM is chock full of technical errors, but I
wonder what possessed Patti Hoffman to refer to this variant as
"FORM-Canadian?" Is there reason to suspect that this is where this
variant hailed from? The only thing that I found that coincides with
the 18th of the month is that April 18th, 1982 marks the date that the
Canada Constitution Act replaced the British North America Act.

Cheers.

Paul Ferguson                  | "Sincerity is fine, but it's no
Network Integration Consultant | excuse for stupidity."
Centreville, Virginia USA      | -- Anonymous
fergp@sytex.com (Internet)     |
sytex.com!fergp (UUNet)        |
1:109/229 (FidoNet)            |
PGP 2.2 public encryption key available upon request.

------------------------------

Date: Fri, 16 Apr 93 14:45:58 -0600
From: ST29701@vm.cc.latech.edu
Subject: Integrity Checking (PC)

I am looking for a program like Integrity Master that will store all
the data in one file. I dislike Integrity Master because it stores all
the info in each subdirectory. At the same time I would like something
as safe or safer than Integrity Master. Are there any plans to add
this feature to Integrity Master?

------------------------------

Date: Fri, 16 Apr 93 17:39:18 -0400
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Status of victor charlie (PC)

Although VC 3.0 was available as shareware once version 4.0 came out,
neither 4.0 nor 5.0 were initially released as shareware. To the best
of my knowledge, neither has been released or distributed by the
company as shareware to date. However, it has been very difficult to
get in touch with the principals in Thailand of late.
A distributor in Canada has been trying to get some info from them for
more than six months, without success. In the absence of other
evidence, I suggest that VC 5.0 is *not* shareware.

===================
Vancouver       ROBERTS@decus.ca     | "Power users think
Institute for   Robert_Slade@sfu.ca  | 'Your PC is now
Research into   rslade@cue.bc.ca     | Stoned' is part of
User            p1@CyberStore.ca     | the DOS copyright
Security        Canada V7K 2G6       | line." R. Murnane

------------------------------

Date: Fri, 16 Apr 93 17:48:33 -0400
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Central Point Anti-Virus Updates (PC)

A whole bunch of people have asked:

>I'm just wondering if there is an ftp site that supports updated virus lists
>for the Central Point Anti-Virus program. Thanks a lot.

Is it time we put this in the FAQ?

CPAV is a commercial product. CP also wants to make some return on the
bucks they put into keeping the program updated. Therefore: No, you
are not likely to see any updates for the CPAV signature files (or
NAV, or MSAV) on ftp servers. Or public bulletin boards. If you do,
they have not been posted with the consent of Central Point.

Both CP and Symantec/Norton provide update services in various ways.
Some require a license and some don't. None, however, involve free ftp
access.

------------------------------

Date: Tue, 13 Apr 93 22:24:03 +0100
From: Chris_Franzen@f3020.n491.z9.virnet.bad.se (Chris Franzen)
Subject: "DIR" infection, or "Can internal commands infect" (PC)

Hello Amir!

Thursday April 08 1993 12:18, Amir Netiv wrote to Vesselin Bontchev:

AN> available to programs). It is in the TSR part's responsibility to check
AN> the TRANSIENT and refresh it if it was overwritten (this is when you see
AN> DOS's message: "Insert diskette with COMMAND.COM and strike a key...").

The transient part is never overwritten if you execute an internal
command.

AN> The TRANSIENT's job is to support *INTERNAL COMMANDS*, Batch
AN> files and external commands.
AN> (for more information please read Microsoft's "The MS-DOS Encyclopedia"
AN> page 76-79).

No. I never saw this happen. You will be unable to force a re-read of
the transient part by executing an internal DOS command from the DOS
prompt... because the DOS prompt (the internal command processor) is
part of the transient part :-)

AN> In conclusion: If you use a floppy drive system (assuming you've booted
AN> from it) and you type "DIR" it is possible (but not likely) that the TSR
AN> part of COMMAND.COM will try to load the TRANSIENT part from the infected
AN> floppy. However: to infect the TRANSIENT part alone in such a way that the

No! I would like you to demonstrate this. You will be unable to do
that, eh?

AN> TSR will load exactly what you want is an un-easy task (however possible),
AN> but the *INFECTED* COMMAND.COM should be present at boot time since the
AN> TSR knows the file it is using to refresh the TRANSIENT by means of a
AN> CHECKSUM generated at first loading. Thus: simply switching COMMAND.COM to
AN> an infected one (after the system is already booted) will not suffice.

He! Here you say "it's unlikely because the reloaded COMMAND.COM must
be the one used when first booted". It's like saying "I can read with
my eyes closed, but I will never give you a chance to verify this
because I don't have eyes."

>> infected, you must execute some viral code. Therefore, the question is
>> equivalent to whether you can execute some code by executing the DIR
>> command on a floppy.

AN> I think I explained above how you *might* execute some code by "DIR".

No. Demonstrate this! Demonstrate this! You will not be able to force
a COMMAND.COM reload if you execute DIR from a plain vanilla DOS
prompt.

AN> Warmly

Hot for reply
Chris, The Blast I

--- GEcho 1.00/beta+
 * Origin: Now let's switch over to ZIP2, ok? (FidoNet 9:491/3020)

------------------------------

Date: Fri, 16 Apr 93 22:39:07 -0400
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: gerbil.doc virus (PC)

>: >anyone come across this one? The gerbil.doc virus?
>
>report. You are correct. Something about the program writing gerbil
>to file names if my memory is correct, but which word processor was it again?

It was PFS First Choice, the first WP I ever used..

One that had me going for a while was a DOS shell called IDCSHELL. It
had the ability to make ARC files. It had bugs though, and when it
crashed while making an ARC file it left a 0 byte file called
NOAHS.ARC on the drive. I didn't notice it till I had 12 or so of them
scattered around. I was sure I had some strange new virus...8-;

--

------------------------------

Date: Fri, 16 Apr 93 23:04:33 -0400
From: 007
Subject: Re: VSUM (PC)

mikael@vhc.se (Mikael Larsson) writes:
>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>
>> It for sure cannot contain "info about all known viruses", because
>> new viruses appear averagely three per day and it is updated monthly.
>> But this is not the only problem - I have found almost all articles in
>> VSUM to be very inaccurate, incomplete, verbose, and just plain
>> wrong... So, no, I don't agree that it can be considered to be quite
>> good...
>
>Well, Okay, I maybe expressed myself a bit dizzy, but I still think it
>is quite good for the average user - Okay, not for us who knows a lot
>about viruses, but for the "common-people" I think VSUM can be used with
>great satisfaction - even though it contains inaccurate information in
>some cases.

WHAT?! This really rubs me the wrong way... Isn't there enough
misinformation out there already? Of course VSUM will be fine for the
"common-people"-- they don't know any better! I find it very upsetting
that you would be willing to knowingly spread information that is just
plain WRONG. You are preying on the ignorance of these common people.
It is one thing to be wrong, admit you were wrong, and correct any
mistakes possible, and entirely another to be wrong, know you are
wrong, and just not care that many people will have just enough
information to get into trouble. Ignorance, at least, inspires
caution.

>What do you recommend as a better alternative, instead of VSUM then?

So far the best source of CORRECT information has been from Frisk's
F-prot. I have yet to find a case where his information has been
incorrect. Unfortunately, there isn't a whole lot of info included.

The program CVBASE, which is just a hypertext version of MSDOSVIR,
looks ok. The information is good, but it suffers from a lack of
standardization amongst the names, and too few viruses are cataloged.

VBASE, which I have only seen the demo of, seems to show lots of
potential. My only real peeve is that everything is indexed together:
viruses, statistics, program info, etc. Better to separate these under
different headings. I do like how the scan codes and also the name(s)
of those who actually disassembled the virus have been included. This
way if my analysis shows anything different, I at least know who to
talk to.

I would also like a bit more technical information. Frisk isn't afraid
to get down and dirty and explain exactly why some viruses do what
they do. Sure, not every user will even understand this information,
but it is invaluable to the rest of us. Maybe there could be a
command-line switch or configuration option, similar to that found in
Integrity Master, where you can tell the program how much you know
about DOS? Something like Layman-User-Expert-Vesselin. Even a
two-level configuration would be better than always being stuck at
"layman".

The sort of info I'd like is on the order of: if resident, how? What
interrupts are hooked? Does it ask DOS to allocate memory, or does it
go around DOS? If it's buggy, why? Of course one or two researchers
aren't going to be able to answer ALL these questions for EVERY virus.
This is why I keep hounding over putting the names of the analysts on
the information. With so many people dissecting viruses, if we all
pooled our knowledge we could get an info sheet of enormous
proportions!

Oh, well. Enough dreaming. ;->

-- 007

--
000 000 7777 | sbonds@jarthur.claremont.edu
0 0 0 0 7    |-----------------------------------------------------------
0 0 0 0 7    | Childhood is short...       [Calvin & Hobbes]
000 000 7    | ...but immaturity is forever.

------------------------------

Date: Sat, 17 Apr 93 00:17:28 -0400
From: sara@gator.rn.com (Sara Gordon)
Subject: Re: Censorship/40-Hex (PC)

afrc-mis@augsburg-emh1.army.mil (David Hanson) writes:

>I've yet to read a decent virus book. Can you recommend a solid,
>relevant virus book?

what kind of virus book? why people write them? how to write them? how
to stop them? there are all kinds of virus books....

>And how does a "good guy" get 40-Hex? Wouldn't receipt of 40-Hex from
>*any* source be participation in the -distribution- of this magazine?

not really. i get a lot of underground magazines because the authors
send them to me.

>that), but by creating demand. Even if you get it from another "good guy",
>passing the magazine from one place or person to another is distribution.
>This is something that is ok for YOU to participate in, but not ME (if I am
>to be a "good guy")???
>Tell me, where do YOU get 40-Hex from?

i don't know if vesselin will tell you or not. i know one person who
has sent him 40 hex is -me-. and, it was sent to me by some of the
'contributors' to it; same as with some of the other publications. i
don't think it makes me a 'distributor' of viruses. i don't have it on
my bbs. i don't pass it around to the general public. the key issue
here is responsibility.

>Why should it be ok for you to receive it, but not me?

i think it depends on who you are, whether or not a 'good guy' will
pass x, y, or z onto you..and, it's not even so much that as i think
no one is saying you -can't- have it.
just that it is not within their value construct to personally give it
to you.

>you do as a virus researcher, just want to point out that "good"/"bad"
>is not black/white, more like shades of gray. Case in point - your
>participation in 40-Hex distribution. If you're going to fight the "bad"
>guys, you've got to get your hands dirty.

actually good and bad are black and white. why do you think they are
not? shades of grey are the things in between people try to do to
convince themselves they are one or the other when they are not....
it's not getting your hands dirty to read and process information.
true, some 'anti-virus researchers' do tread the grey areas..but there
are those who just flatly refuse to participate in them. of course,
what the heck do i know. i talked for months to the dark avenger, i
must be as corrupt as they come...

--
# "push, pop, mov, jmp..wanna dance???..."
# fax/voice: 219-277-8599   p.o. 11417 south bend, in 46624
# data 219-273-2431         SGordon@Dockmaster.ncsc.mil
# fidomail 1:227/190        vfr@netcom.com

------------------------------

Date: Sat, 17 Apr 93 05:20:08 +0000
From: sywu@csie.nctu.edu.tw (Xianyow)
Subject: Can a virus infect NOVELL? (PC)

I have a question: can a virus infect a NOVELL system? Since there are
many read-only files in NOVELL, how can it write into those files? If
it can't, how can it live when the power is turned off? But I really
heard some viruses can infect NOVELL. Can anyone answer me?

Thanks in advance!

Victor

------------------------------

Date: Thu, 15 Apr 93 11:42:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Port Writes (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes back
to Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz):

IR:
>> A couple of days ago, I first succeeded in compiling and running a routine
>> to access disk using port writes only, therefore avoiding any interrupt
>> whatsoever.
> [stuff deleted]
>> Is there any EXISTING control program to inhibit such access?

VB:
> Yes. Most modern hard disk controllers issue a hardware interrupt to
> indicate "device ready" when they are done with the request. You could
> count the access requests that have passed "naturally" through INT 13h
> and check whether the number matches the number of
> "device ready" interrupts from the hard disk controller.
> If there are more "device ready" interrupts than INT 13h requests,
> this means that something has accessed the disk in a non-natural way,

What do you mean, "non-natural way"? Who said that the "natural way"
to write to a disk is only via INT-13, and how do you think INT-13
accesses the disk? Why can't it be by port write? Does the DMA not use
ports to perform some disk transfers?

I'd say that generally your suggested method is good due to the lack
of other methods (except hardware products that monitor the
system-bus) but I don't think it is suitable for implementation in a
software product because you'll have more False Alarms than you can
handle (at probably the worst times).

VB:
> so you raise an alert. At first look it might seem that this way you can
> only report the disk write after the fact. Fortunately, for each Write
> request the controller actually performs -two- actions - Seek and
> then Write. It issues "device ready" after each of them, so you'll be
> able to raise the alert after the Seek and before the Write.

Again, if you interfere at the wrong time, you might end up with a
crashed disk. But theoretically it is true.

IR:
>> If a virus were to use port writes, no anti-virus shield would be
>> able to stop it.

VB:
> This will also make the virus rather non-portable. Unfortunately, it
> will still work on many computers and the virus writers don't seem to
> care about portability anyway... (I've seen a virus that is able to
> infect correctly only 17-byte files...)
> BTW, note that many hardware anti-virus products -will-

*MIGHT* instead of "-will-" ;-)

> be able to
> stop this kind of disk access, if they can be installed between the
> computer and the disk controller or between the disk controller and
> the bus...

Usually the Hardware Anti-Virus products are installed ON the
system-bus (in one of the slots); if one does as you suggest (between
disk and bus) I'd expect "some" 8-) problems (to say the least).

Warmly

* Amir Netiv. V-CARE Anti Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 13 Apr 93 18:51:36 +0100
From: Ferdinando_Caputo@f115.n395.z9.virnet.bad.se (Ferdinando Caputo)
Subject: What's this??? (PC)

Hello All!

Just look what happened on my system when I pressed u (it was a
mistake, but now it's scaring me)...

-----
C:\>u
Environ DATE {r ej satt till n}got datum!^G

C:\>
-----

Is there someone who knows this stuff or, at least, who can translate
it???

'till next one...

Dino

P.S. Sorry for the out-of-policy ASCII, but I had to report it as it
is...

--- GoldED 2.41
 * Origin: Viruses??? No, Thank You!!!! :-))) (9:395/115)

------------------------------

Date: Thu, 15 Apr 93 12:05:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Catch from DIR? (PC)

louis_rs@bruny.cc.utas.edu.au (Louis *grin* siuoL) writes to Malte Eppert:

Malte:
> There is, however, one way to run a program from a diskette by
> just doing a DIR,

Louis:
> A method that I KNOW WILL WORK is, to trap DOS's findfirst and findnext
> services, and infect any files that are returned via those services.
> It is as easy as trapping DOS's Exec services, which is what a large number
> of virii do.

That is true... but in order for it to happen you'd need the virus to
load *BEFORE* the DIR command (to trap the Find First proc)...
So you will not be infected from DIR in such a way unless you are already infected, and if you are then you cannot be infected (since you already are)... :-) regards * Amir Netiv. V-CARE Anti Virus, head team * - --- * Origin: <<< NSE Software >>> Israel (9:9721/120) ------------------------------ Date: Sat, 17 Apr 93 14:18:54 -0400 From: s926191@yallara.cs.rmit.OZ.AU (Donald Gingrich) Subject: DOS 6.0 and Scan (McAfee) Interaction (PC) This report is second hand. I did not personally see the effects reported. I am on a dial up help list for viruses among other things. A user group member rang with the following report. 1. he booted the machine with the MS DOS 6.0 VSAFE in the autoexec (config?) (I haven't seen DOS 6.0 yet) 2. he ran McAfee scan with the /chkhi option twice (don't ask why) 3. on the second pass it reported the "filler" virus 4. he has scanned the hard disk with the /chkhi /a options after a cold boot on a known clean floppy -- nothing found seems like a false positive to me. I have had a similar problem in the past (false positives). As a network administrator I regard false positives as very nearly as dangerous as false negatives. A false positive - if it continues for any length of time will create a situation where the user responds to a virus report by simply continuing on without reading. not a good thing IMO. I believe that these false positives are a combination of both the OS and the BIOS. I recognise that as the number of search strings continues to increase the chances of them turning up in legitimate code will increase. It is also obvious that with the large number of apps and machines out here it is impossible for the anti-virus people to be *sure* that their code will produce no false positives. And it isn't going to get any better!!! 
Don Gingrich
s926191@yallara.rmit.cs.OZ.AU

------------------------------

Date: Sat, 17 Apr 93 15:18:34 -0400
From: tck@fold.ucsd.edu (Kevin Marcus)
Subject: Re: viruses and compression (PC)

sosc1043@wc05.writer.yorku.ca (Colin Beckmann) writes:

>Greetings
>  I was wondering if anybody could tell me if it is possible for a
>scanner to detect a virus in a compressed file or on a stacked hard drive
>or if the virus can be detected on a file that has been backed up using
>DOS or Norton backup. Somehow I doubt it but I am asking to be sure.
>If it can be detected could you tell me the name of the software that can
>do it

Since Stacker decompresses files on the fly, it is possible to scan binary
files that are on a Stacked partition. However, compressed files are a
little bit more difficult, as is being discussed in another thread. The
file must first be uncompressed, then scanned.

>

- --
-=+> Kevin Marcus, Virus Researcher. Author: TSCAN, RE-xxx, MICHEX, STONEXT
     datadec@ucrengr.ucr.edu (619)/457-1836, 3-2400 baud, 24 hours.
     Comp. Sci. Major, University of California, Riverside.

------------------------------

Date: Sat, 17 Apr 93 21:13:48 -0400
From: samuell@cis.uab.edu ('s)
Subject: WINHELP.EXE virus?? (PC)

Is anyone familiar with a virus that infects the WINHELP.EXE file? I have
recently noticed some unusual system behavior and ran Norton AntiVirus for
WINDOWS. It indicated a possible unknown virus in the WINHELP.EXE file in
both the MWINDOWS and WINOS2 directories. Neither file changed since I
installed my OS/2 system in January as far as I know.

Any information about this possible virus and suggestions on remedies
would be greatly appreciated.
Bobb Samuell
samuell@cis.uab.edu

------------------------------

Date: Sun, 18 Apr 93 21:22:40 +0000
From: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: Possible mcafee scan trojan (PC)

I just got this message in my local area about a trojan which claims to be
v1.03 of mcafee's virus scan; if anybody has info on this please send
e-mail to me at Eugen_Woiwod@mindlink.bc.ca

WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!

SOMEONE HAS UPLOADED A FILE CALLED SCANV103.ZIP TO SOFTWARE ALLEY THAT IS A
TROJAN VIRUS. THIS PERSON IS TRYING TO CAUSE HARM. BE CAREFUL, THIS PERSON
MIGHT TRY THE SAME HERE. HE/SHE HAS ALSO UPLOADED ANOTHER PROGRAM CLAIMING
THAT IT CAN EDIT THE CMOS. IT TOO IS A TROJAN VIRUS. WHEN THE SYSOP POSTS
THE UPLOADER'S NAME I WILL POST YOU A MESSAGE. BE VERY CAREFUL.

SCANV103.ZIP IS EXACTLY LIKE SCAN.EXE, RUNS THE SAME, BUT AS IT SCANS IT
WIPES THE FILE ALONG WITH THE PARTITION TABLE. IT ERASED MY MACHINE IN LESS
THAN 2 SECONDS. A VIRUS SCANNER WILL NOT PICK IT UP. I KNOW YOU GET YOUR
SCAN PROGRAM FROM A RELIABLE SOURCE, BUT THIS PERSON HAS WRITTEN OTHER
PROGRAMS AND IS BELIEVED TO TARGET THE BBS SYSTEM. PLEASE BE CAREFUL AND
PLEASE POST THIS TO EVERYONE

------------------------------

Date: Sat, 17 Apr 93 11:09:00 +0100
From: Mikael_Larsson@vhc.bbs.bad.se (Mikael Larsson)
Subject: What's this??? (PC)

Ferdinando Caputo said:

> Environ DATE {r ej satt till n}got datum!^G
> -----
> Is there someone who knows this stuff or, at least, who can
> translate it???

That text is in SWEDISH and it says: "Environment DATE is not set to a date"

MiL

- ---
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre       Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018                Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07 Sandviken      BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                  BBS #2: +46-26 275715   Authorized McAfee Agent!
- --- GEcho 1.00+
 * Origin: -=* Virus Help Centre *=- (9:9/0)

------------------------------

Date: Thu, 15 Apr 93 13:34:04 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Catch from DIR? (PC)

Hi Louis!

> There is, however, one way to run a program from a diskette by
> just doing a DIR,

>>Ugh... if this isn't too special, can you or someone else post how this
>>could be possible? I just know about an ANSI bomb which will execute a file
>>from disk if you hit the 'hot key' next time. Do you mean this?

> That may be one way. A method that I KNOW WILL WORK is, to trap
> DOSs findfirst and findnext services, and infect any files that are
> returned via those services. Is as easy as trapping DOSs Exec
> services, which is what a large number of virii do.

This means the virus must have been active before the DIR A:. This is not
what the question was about :-). I wanted to know how Frisk will have a
non-infected PC infected by a DIR A:. IMHO this is impossible, excluding
the thread of ANSI bombs.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: Thu, 15 Apr 93 13:45:05 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Unknown little virus? (PC)

Hi Vesselin!

> There's no way to fit a memory-resident virus into 32 bytes...

What about a resident 'high DOS' or XMS swap routine, could it be that
short?

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: Fri, 16 Apr 93 19:25:08 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What is a fragmentation virus (PC)

ST29701@vm.cc.latech.edu writes:

> I have heard people talking about a new type of virus and a way for it to
> hide. They called it a fragmentation virus (this is not the name
> of a particular virus but a type of virus).
>
> Could someone give a detailed explanation of this??
They probably mean a virus which uses the DOS file fragmentation attack,
in order to avoid integrity checkers. The attack has been made obsolete by
DOS 5.0 and above, but nevertheless should be taken into account by the
developers of integrity checkers. No such virus exists yet.

For a description of this attack and many others, and also for hints how
to thwart them, you could read my paper (plug), available via anonymous
ftp as

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/attacks.zip

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 66]
*****************************************
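The following is an added example, not part of the digest and not code from any of the products named in it. It illustrates Kevin Marcus's answer in the "viruses and compression" thread: a scan string cannot be matched against a compressed file as stored, so a scanner has to expand the archive (or rely on something like Stacker expanding the data on the fly) and scan what comes out. The scanner, the marker string used as a stand-in for a real scan string, and the sample archive with its file names and contents are all constructed here; no real signature or malicious file is involved. The caps on expanded size and nesting depth and the handling of encrypted members are the practitioner's usual guards against decompression bombs and against silently skipping members a scanner could not open.

```python
"""Toy signature scanner that expands ZIP archives before matching.

Added example for the VIRUS-L thread on scanning compressed files; the
signature and all sample data below are constructed and harmless.
"""
import io
import zipfile

# Constructed marker standing in for a scanner's search string (not a real signature).
SIGNATURES = {
    "Demo.Marker": b"CONSTRUCTED-MARKER-NOT-A-REAL-VIRUS",
}

MAX_MEMBER_SIZE = 1 << 20   # never expand more than 1 MiB of a single member (bomb guard)
MAX_NESTING = 4             # never descend into archives nested deeper than this


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of all signatures whose bytes occur verbatim in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_object(label: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Scan data as stored; if it is a ZIP archive, expand and scan every member too.

    Returns (path, finding) pairs. Nested archives are expanded recursively up to
    MAX_NESTING levels; members that are oversized or cannot be opened are
    reported as skipped rather than silently passed, so the report never
    implies a member was scanned when it was not.
    """
    hits = [(label, name) for name in scan_bytes(data)]
    if depth >= MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_label = f"{label}/{info.filename}"
            try:
                # Cap the bytes actually expanded; the size in the header is attacker-controlled.
                with zf.open(info) as fh:
                    member = fh.read(MAX_MEMBER_SIZE + 1)
            except (RuntimeError, zipfile.BadZipFile):
                # e.g. an encrypted member: the scanner cannot see inside it.
                hits.append((member_label, "SKIPPED: could not expand member"))
                continue
            if len(member) > MAX_MEMBER_SIZE:
                hits.append((member_label, "SKIPPED: member too large to expand"))
                continue
            hits.extend(scan_object(member_label, member, depth + 1))
    return hits


def _zip_of(members: dict[str, bytes]) -> bytes:
    """Build an in-memory, deflate-compressed ZIP from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed input: a clean text file, a fake 'program' carrying the marker,
    and a nested archive whose member also carries the marker."""
    marker = SIGNATURES["Demo.Marker"]
    fake_exe = b"MZ" + b"\x90" * 64 + marker + b"\x00" * 64
    inner = _zip_of({"TOOL.COM": b"\xe9\x00\x00" + b"\x90" * 32 + marker + b"\xcd\x20"})
    return _zip_of({
        "README.TXT": b"Nothing to see here, just a plain text file.\r\n" * 8,
        "PROG.EXE": fake_exe,
        "INNER.ZIP": inner,
    })


def demo() -> tuple[list[str], list[tuple[str, str]]]:
    """Scan the sample archive both ways: (hits on the stored bytes, hits after expansion)."""
    archive = build_sample_archive()
    return scan_bytes(archive), scan_object("sample.zip", archive)


if __name__ == "__main__":
    raw, expanded = demo()
    print("scan of the compressed bytes only:", raw or "nothing found")
    for path, finding in expanded:
        print(f"after expansion: {path}: {finding}")
```

Run stand-alone, the first line reports nothing found, because the marker's bytes do not occur verbatim in the deflated data; the expanded scan then reports PROG.EXE and, two levels down, INNER.ZIP/TOOL.COM. The same logic applies to any container format a scanner meets (backup sets, self-extracting archives): either the scanner knows how to expand it, or it has to say so and not report the container as clean.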