From lehigh.edu!virus-l Tue Apr 27 06:58:27 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Wed, 28 Apr 93 00:01:45 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA06163; Tue, 27 Apr 1993 18:30:57 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA37628 (5.67a/IDA-1.5 for ); Tue, 27 Apr 1993 10:58:27 -0400
Date: Tue, 27 Apr 1993 10:58:27 -0400
Message-Id: <9304271407.AA10826@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #71

VIRUS-L Digest   Tuesday, 27 Apr 1993    Volume 6 : Issue 71

Today's Topics:

contest
Re: Scanners getting bigger and slower
Re: Sending Viruses over Internet/Fidonet
Re: Source of Virus Information
Re: Survey Results
Re: Viral "code"
Congratulations to Dr Solomon
Re: Forwarded message from Scotland Yard
Re: Should viral tricks be publicized?
re: Virus vectors of infection
Seeking virus info
Re: NAV Updates (was Central Point Anti-Virus Updates) (PC)
Re: Proffesional Group Virusized ! (PC)
Re: Single state machines and warm reboots (PC)
Re: V-Sign? (PC)
Re: On the merits of VSUM (PC)
Re: Professional Group Virusized! (PC)
Re: Viruses which cost $$$ (PC)
Re: Viruses which cost $$$ (PC)
Re: Can a virus infect NOVELL? (PC)
Re: Viruses which cost $$$ (PC)
TBAVX600.ZIP - TBAV anti-virus software (optimized *.EXE's)
Disinfectant 3.2 Announcement (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.)
Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Thu, 22 Apr 93 13:35:02 -0400
From: CELUSTP@cslab.felk.cvut.cs
Subject: contest

Hi everybody,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>There are a couple of hundreds of viruses that infect only a SINGLE
>executable on the attacked computer.

May you give an exact ratio: viruses infecting only a single executable / total number of known viruses, e.g. 200/2500?

>>>2) This file is an anti-virus program.
>> Very suspicious activity.
>Elaborate, please. Do you consider it suspicious for somebody to use
>an anti-virus program? Or do you consider it suspicious if the owner
>of a LAN insists that all users are using the latest version of a
>particular anti-virus program?

I apologize for being indistinct. I had in mind that a virus infecting an anti-virus program is a very suspicious activity.

>>>7) The virus (actually a worm - it does not "attach" itself to
>>>programs and spreads via networks) does not do anything else.
>> If virus is something "attaching" itself to programs, then some of existing
>> viruses (boot viruses or companions) are not viruses too.
>We've already been through all this a few times in the past. Please,
>read the appropriate back issues. It all depends on how you define
>"attach".

I've read them. I wish to see a clear definition of "attach". I add here a suggestion for competitors: when your definition contains the term "attaching to something (whatever)", please define exactly what you mean by it.

>define it. So, if you want to understand what Dr. Cohen means when
>speaking about beneficial viruses, don't jump on him - instead try to
>understand his definition of a virus and assume that he is using it
>when speaking about beneficial viruses.

I wish to understand the meaning of "beneficial viruses". Please, could you send your suggestion to category 4, Ethical definition? I apologize to Dr. Cohen if anything I wrote looked like "jumping on him" (without nasty thoughts, please).

>> CONTEST FOR THE BEST COMPUTER VIRUS DEFINITION
>> 1. Technical definition (in plain language - preferably English)
>> 1. This definition should be short as much as possible, cleared of attributes
>> as "good", "bad", "beneficial" or similar, not mentioning state of user's
>> mind, etc., it should be clearly stated for which environment (e.g. operating
>> system) is applicable and definition should be undoubted.
>It should also emphasize the main capability of the virus that makes
>it different from other programs - merely its ability to spread. Its
>optional side effects (damage, etc.) should left out of the
>definition.

I wouldn't agree that doing damage is an "optional side effect". So, I leave it to competitors to decide whether or not they will include this property in their definitions.

>> 2. Technical definition (mathematical)
>> 2. The meaning of every symbol in mathematical formula(s) should be clearly
>> explained.
>I have one here. It is actually Dr. Cohen's definition, with all
>symbols explained and without the abbreviation shortcuts he usually
>uses. It's hand-written and is one A4 sheet of formulae.
>Unfortunately, I don't know TeX enough to translate it into
>electronical form.

Please send it by fax or send the copy by snail mail to the address below.

>> 3. Legislative definition
>> 3. This definition should contain statement which part of virus code could
>> be considered as punishable (supposing virus writing is criminal act).
>Supposing that virus writing is a criminal act would be wrong, because
>it isn't, according to the legislation of most countries. Instead, the
>definition should concentrate on causing (directly or indirectly)
>unauthorized modifications of information stored in computers. It
>doesn't need to deal with the term "virus" at all - the more general,
>the better. It could very well include trojan horses, logic bombs,
>spoofs, hacking, etc. It is all the same from the legal point of view
>- - causing directly on indirectly unauthorized modifications to
>computer information, and -this- is what should be a crime.

Causing directly or indirectly unauthorized modifications to computer information is IMHO too large a frame. Existing laws defined that way are not sufficient for effective action against virus writers. I agree that the definition may be extended to trojan horses and logic bombs, but not to spoofs and hacking. Those are different things. The point is to find a definition which could possibly be used as a basis for an adequate law (which doesn't exist now). So, I suggest that competitors stress which part of the -written- code (virus, trojan horse, logic bomb, etc.) could be considered as punishable.

>> Everybody who doesn't want to compete and feel enough
>> competent to judge quality of definitions is welcome.
>I do feel competent to judge the quality of the first two definitions
>- - the technical ones.

O.K. I consider you a member of the jury for these two categories, and all respective contributions will be sent to you. However, until all members of the jury (juries) for all categories are known, competitors are asked to send contributions only to my address celustka@sun.felk.cvut.cs or the address below.

I've been asked to add the form "haiku" for category 6, Poethical definition. I didn't limit forms; I only said the limerick is the preferable form, but all others are welcome too (thanks to Mr. Zmudzinsky for the interesting haiku).
Cheers,

Suzana
"Only the best is enough good for us!"

- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka
Department of Computers
Faculty of Electrical Engineering
Karlovo namesti 13
12135 Prague 2
Czech Republic

e-mail addresses: celustka@sun.felk.cvut.cs
                  celustkova@cs.felk.cvut.cs
phone : (+42 2) 293485
fax   : (+42 2) 290159

------------------------------

Date: Thu, 22 Apr 93 17:52:46 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

> I agree on the fact that if a virus encrypts the host program, it might not be
> possible to recover it (unless you keep a backup of some sort, and this is
> also the most generic method of all).

There is also another method that will often work - even if the virus has encrypted the entire original file. In general, the method consists of interpreting the virus until it transfers control to the original program - at which time it should have decrypted it, of course. The program TbClean from the package TBAV uses this method. Note that I am not saying that the method is fool-proof - it is just yet another useful tool against viruses.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 17:56:22 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Sending Viruses over Internet/Fidonet

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> Third, PC's and guns and potatoes are all readily available in this country, so
> instructions on how to do bad things with each of these items should fall into
> the same category. The question is, which takes precedence, the first
> amendment or human decency? Indeed, would you choose between the first
> amendment or national security???

I'd hate to start a political flame war, but nevertheless, here it goes.

Please, note that "this country" is not the only one in the Universe. There are others, which may and often do have different laws. According to those laws, something that might be obviously allowed in your country may be seriously illegal in those other countries. A very good example is the possession of guns - it is a right of every US citizen, granted by the US Constitution, but is illegal in most other countries. (Please, no flames here whether this is "good" or "bad".)

Unfortunately, viruses and electronic publications like 40-Hex do not recognize national boundaries. While this electronic newsletter might be perfectly legal in the USA (or not - I just don't know), it also might be illegal in many other countries. For instance, I think that according to the British law, it contains incitements to commit crime and is thus illegal. (I might be wrong, I am by no means an expert in legal matters.)

The point is that just because something is allowed in your country, you shouldn't assume that it is also allowed everywhere else and that it is OK to do it everywhere else. In fact, if you are a responsible person, you must actually check whether it is permitted in all places where you intend to promote it. Never forget - the net is international.
As to the Anarchist Cookbook you mentioned in your message - I've read parts of it and have to tell you that many of the materials described there are not freely allowed in Bulgaria, for instance. Not that they are forbidden - it is just almost impossible for the average private citizen to find them.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 18:16:58 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Source of Virus Information

GSCOBIE@ml0.ucs.edinburgh.ac.uk (Garry J Scobie Ext 3360) writes:

[two excellent sources of information about viruses from Dr. Solomon]

Indeed, those two books are very good. BTW, the second one is partially mentioned in the FAQ - which is yet another opportunity to emphasize why people should read the FAQ... :-)

I like significantly less the electronic implementation of Dr. Solomon's virus encyclopaedia - it contains too little and too general information about the viruses it describes.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 18:20:34 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Survey Results

mdallin@lamar.ColoState.EDU (MDallin) writes:

> On PC's, F-Prot was the most used scanner... 22 people used it. 8 people
> used McAfee products (Scan, etc).
Strange, according to the download statistics that I have access to (those of garbo.uwasa.fi and of our ftp site), SCAN is downloaded approximately three times more than F-Prot. I can see the following explanations for this:

1) 32 is not a representative number to draw conclusions like yours. The ftp sites I mentioned deal with hundreds of downloads per month of only those two programs.

2) You have mainly asked the participants of this forum. I often post here about the superiority of F-Prot, so the folks here are likely to be informed. It might not be so with the rest of the world... :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 18:25:52 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viral "code"

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> People seem to think (as I have in the past) that somehow viral "code" is the
> thing we must not publish. Do these people think that a documented
> description of the virus function is also wrong? In fact, an accurate
> description of a program is "functionally equivalent" to the program itself.
> Indeed, an assembler source code program is just a "description" of the
> program it represents. And a high level language (or English itself) can take
> indirection one level further, without loss of, or change in, functionality.

All the above proves only that it is difficult to define how much information about viruses is dangerous and how much isn't. Indeed, it is extremely difficult to make such a decision - and everybody must make it for him/herself. There is no formal rule that can help.
Everyone has to take the responsibility to decide how much of his/her knowledge about such ambiguous matters will be more useful than harmful to the general public.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 19:32:06 -0400
From: as194@cleveland.freenet.edu (Doren Rosenthal)
Subject: Congratulations to Dr Solomon

To: Dr. Alan Solomon and his associates at S & S International Ltd
Subject: The Queen's Award to Industry for Technology

Dr. Solomon,

Please accept my congratulations on receiving the Queen's Award to Industry for Technology in recognition of your many accomplishments and achievements.

Sincerely,
Doren Rosenthal

------------------------------

Date: Fri, 23 Apr 93 02:59:09 -0400
From: dtb@otto.bf.rmit.oz.au (David Bath)
Subject: Re: Forwarded message from Scotland Yard

aryeh@mcafee.com (McAfee Associates) writes:

>Hello All,
>I was recently contacted by DC Noel Bonczoszek of the Computer Crimes Unit
>at New Scotland Yard in London. As some of you may be aware, Noel is one
>of the folks responsible for arresting the members of ARCV, a UK-based
>group of virus-writers. He would like to speak with anyone who suffered

Computer Crimes *Unit* ??? What, they aren't putting it in the miscellaneous bucket along with lost dogs and bent fenders? Congratulations to the Brits !!!!

- --
David T. Bath           | Email:dtb@otto.bf.rmit.oz.au (131.170.40.10)
Senior Tech Consultant  | Phone: +61 3 347-7511 TZ=AEST-10AEDST-11
Global Technology Group | 179 Grattan St, Carlton, Vic, 3153, AUSTRALIA
"The robber of your free will does not exist" - Epictetus

------------------------------

Date: Fri, 23 Apr 93 08:27:21 -0400
From: Y. Radai
Subject: Re: Should viral tricks be publicized?

I wrote:
>> Btw, it should be noted that on Fidonet there appeared an article
>> describing tricks which can be used by virus writers to prevent
>> tracing and disassembly of their code. The reason I mention this
>> particular article is that it appeared under the name of someone who has
>> been contributing to this forum recently, Inbar Raz. ....
>> .... It's hard for me to
>> imagine that anyone who wrote such an article could have had any
>> intention other than to help the *virus writers*, not the AV people.

Inbar Raz replies:
> Ahem. This is SURELY not what I had in mind when I compiled that article.
> That article is a result of the crackings I did in the past. I collected all
> the fairly useful tricks I've come across, and published them. I only crack to
> learn, and teach others.

But useful to *whom*? *Which* others are you trying to teach: the virus writers or the AV people? The very fact that you completely ignore this little distinction says a lot about you. Some people expose tricks used by *virus writers* and explain to the *AV people* how to deal with them. Your article does the opposite: It describes tricks, along with sample code, to prevent or bypass techniques used by the *AV people*, something which would be most useful to the *virus writers*, as is evidenced by the fact that one of them chose to forward it to 40 Hex. That's not what you had in mind? You'll have a hard time convincing me.

> I consider myself on both sides.    <<<<--------------------- !!

Sort of like being both a cop and a crook at the same time, eh? That should make you highly trusted by cops and crooks alike!! You say you work as a programmer in Data Security?!? I, for one, certainly wouldn't want to risk using any program you had written.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Fri, 23 Apr 93 10:48:30 -0400
From: "David M. Chess"
Subject: re: Virus vectors of infection

> From: bediger@nugget.rmnug.org (Bruce Ediger)
>My question is, "how do viruses spread?", and the followup question is,
>"are there any pointers to quantification of such spread?" It would seem
>that the only information on this is contained in the post-mortem reports
>on the 1988 Internet worm and the various DECnet worms.

A very good, and very important, question. Certainly spread via all of (A) through (E) happen. You can add to the list any other method you can think of whereby program code that's on one machine at one time can be executed on another machine at another time. As you point out, it'd be good to figure out the relative importance of each method for virus spread, so as to know where to concentrate limited resources.

In our experience, and it's unfortunately mostly anecdotal rather than systematic, local virus spread happens mostly via diskette exchange (SneakerNet). LAN-mediated spread happens less often, but can have a much larger and more sudden effect. Wider spread (between, rather than among, groups of people who work together) is harder to observe and track. That is, it's easy to guess that in a given incident machine B got infected when a diskette from machine A was accidentally used to boot it, when A and B are in the same room. But how the virus got to Company X in the first place is generally very hard to determine. Sometimes an employee finds out that his home machine is infected, and that the same virus is rampant at his daughter's university. Sometimes a machine has been serviced by someone who discovers that he has an ongoing infection. Or whatever. But most of the time we just don't find out; the infection is cleaned up, but the original source remains mysterious.

There are various interesting questions that can be asked and studied by applying epidemiological methods to computer-virus spread.
Jeff Kephart here has been doing some very interesting work on what various spread-models imply for virus growth and anti-virus measures. But we still don't have a good feel for what a reasonable model of the real world should look like; which of the theoretical models the real world most resembles. That's hard data to gather, especially when informal networks like SneakerNet play such a large role. When a virus/worm spreads mostly or only via a particular hardware network (as the Internet worm spread via Internet), the easy and hard things are somewhat different...

- - -- -
David M. Chess                  \ Come home to your wife and family,
High Integrity Computing Lab    \ Come home to the fireside bright.
IBM Watson Research             \

------------------------------

Date: Fri, 23 Apr 93 07:04:00 -0600
From: "How many days till THURSDAY? :)"
Subject: Seeking virus info

I am doing a report on computer viruses for a class here at Mankato and I was wondering if anybody could tell me where I can find some good info on the viruses themselves. I have found what seem to be a few outdated books and most of the other information I have found has been on prevention. I am just looking for a few good sources if any of you are aware of them.

Thanks,
Laura Galligher
LLG@VAX1.MANKATO.MSUS.EDU

------------------------------

Date: Thu, 22 Apr 93 17:35:10 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV Updates (was Central Point Anti-Virus Updates) (PC)

cjkuo@symantec.com (Jimmy Kuo) writes:

> NAV update files are available *free* on Compuserve, on Symantec's BBS
> at 408-973-9598 or 408-973-9834. They may be purchased on a one-time
> basis by people who do not have access to those things or any networks.
> And they can be subscribed to for regular delivery for a fee. (I'll just
> say, call 1-800-343-4714 x756 for further information on the services
> that cost money.)

Mr. Slade mentioned ftp servers.
Will Symantec permit the distribution of the updates via ftp servers?

> Back to the *free* ways to get updates: They are available free through
> me by individual request. They are available through the Virus Help Centre
> (Sweden), ask mikael@vhc.se, even if *he* is a McAfee Agent. They can be
> available through anyone who wishes to redistribute.

I wish to distribute them via anonymous ftp. May I do so? I think that in this way we'll be providing a valuable service to your users. At least to those of them who do have Internet access but don't call BBSes.

> Basically, NAV definition file updates are and can be freely distributed in
> its present form (note lack of copyrights).

Even via anonymous ftp?

> We don't support ftp access yet. We may. But that's under someone else's
> jurisdiction and has nothing to do with wanting to charge for the updates
> since I already send out updates to anyone who asks. [Updates are only
> available for 2.1.]

If you don't support ftp access, would you allow others to do it for you? We also have a BBS at the VTC-Hamburg, but I am not maintaining it, so I cannot decide what is there and what not. But I do maintain our ftp site, so I can put there the latest NAV definition updates, if Symantec allows us to do so.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 17:49:59 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Proffesional Group Virusized ! (PC)

Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner) writes:

> VB> Uh, wait a minute... Mich uses INT 1Ah to get the current date, so it
> VB> usually does not trigger on XTs... Or did yours have some kind of CMOS
> VB> clock?

> On XTs it is (has been) common practice to insert the commands "date" and "
> time" into the autoexec.bat. INT 1Ah will give the system-date as set by the
> user. No CMOS is needed (but highly preferred :-))

Yeah, but we are talking about Michelangelo. It asks about the system date at boot time, when no operating system is loaded, and when the user has not had the opportunity to enter the system date - yet. That's why I expressed my doubt that Mich will activate on such a system - it activates its payload only at boot time.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 18:08:07 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Single state machines and warm reboots (PC)

GSCOBIE@ml0.ucs.edinburgh.ac.uk (Garry J Scobie Ext 3360) writes:

[about the possibility of a virus to survive warm reboot]

> Was this taken off-line and resolved? David, Vesselin?

I thought that we made it clear publicly... OK, never mind, here it goes.

No, it is not possible for a virus to survive warm reboot unnoticeably on all kinds of IBM PC compatible machines. It is, however, possible for it to survive warm reboot on SOME classes of such machines. For instance:

1) 100% compatible XT machines - using one method.

2) True IBM machines or any other machines, the BIOS of which does not display any messages during the warm reboot. This can be achieved by a different method. There are already at least two viruses using it - Joshi and Alabama.

3) '386 or above based machines, using a third method.
It is also possible for a virus to fake a reboot from a floppy - like EXE_Bug does - thus making it look as if it has survived the reboot (even a "cold" one).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 18:30:54 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: V-Sign? (PC)

bc1w+@andrew.cmu.edu (Barbara Carlson) writes:

> A computer in a public cluster here turned up with what f-prot called
> "V-Sign". It said it infected the boot sectors of each of the drives
> (c,d,e,f) and listed garbage as the name for one of them. Has anyone
> heard of this virus?

Read the FAQ, questions C4 and A7. This particular virus is described in the Computer Virus Catalog, published by our VTC. Question A7 tells you how to obtain it (the CVC, that is, not the virus).

> They had to do a
> hardware reformat of the disk - *three times* -

As usual, this is never necessary.

> could this thing have
> stuck around and diverted a format?

No, but if you don't perform the format competently enough, you destroy everything but the virus.

> Anything out there that could get
> rid of it??

Boot from a write-protected uninfected system diskette, containing DOS 5.0, and enter FDISK/MBR. This will remove the virus from the hard disk. BTW, F-Prot should be able to disinfect it - wasn't it? You could also try CLEAN - it can remove the virus and calls it Cansu.

Side question - could somebody with MS-DOS 6.0 verify whether the FDISK/MBR trick still works and post the results? Thanks.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 18:59:16 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: On the merits of VSUM (PC)

mikael@vhc.se (Mikael Larsson) writes:

> No, that is not correct, but since most of the common-users get infected
> by viruses like form, cascade etc.. and wants to read about THOSE
> viruses, then I think VSUM is good.

Ah, you think so? OK, let's see...

> Virus Name: Cascade
> Aliases: BlackJack, Fall, Falling Letters, 1701, 1704, 1701 Mutation,
>          1704 Format, 1704-B, Cascade-1621, Cascade-1706
                                       ^^^^          ^^^^
Note the sizes.

> Symptoms: TSR; falling letters; .COM file growth; random reboots

Huh? Random reboots? Cascade?!

> Origin: Germany

Austria.

> Eff Length: 1,701 or 1,704 bytes

Contradiction - the 1621 and 1706 variants have other infective lengths. Not to mention that there's also a variant with infective length of 1661 bytes.

> Type Code: PRsC - Parasitic Resident Encrypting .COM Infector

What does ".COM Infector" mean exactly? Cascade can infect a file with .EXE extension, if it is of COM-type. For instance - if the Vacsina virus has converted it into such a file. Thus, if you look for Cascade only in the files with a .COM extension, you might miss some infected files. That's not just theory - I've seen it happen in exactly the same combination - Vacsina+Cascade and a scanner that thought it would be very smart to look for Cascade only in the *.COM files...
> Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, AVTK, NAV, Novi,
>                   UTScan, Sweep, CPAV, VBuster, Gobbler2, AllSafe, Iris,
>                   ViruSafe, Trend, VNet, Panda, VET, Detect+, IBMAV,
>                   DrVirus, Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
> Removal Instructions: CleanUp, F-Prot, VirexPC, or delete infected files

Huh, the set of removal tools is pretty slim, compared with the number of programs that are listed to be able to detect the virus... In fact, most of them can also disinfect it.

> General Comments:
>
> While the original virus had a length of 1,701 bytes and would
> infect both true IBM PCs and clones, a variation exists of this
> virus which is 3 bytes longer than the original virus and does not
> infect true IBM PCs. Both viruses are functionally identical in all
> other respects.

Wrong, both the 1701- and the 1704-byte variants infect true IBM PCs too. It's a bug in the virus - the author -intended- not to infect such computers, then tried to fix the bug, but unsuccessfully.

> analysis of them. The activation mechanisms are based on a
> sophisticated randomization algorithm incorporating machine checks,
> monitor types, presence or absence of a clock card, and the time or
> season of the year.

Pretty clear, isn't it? Now, has the average user understood when the virus activates?

> The viruses will activate on any machine with a CGA or VGA monitor
> in the months of September, October, November, or December in the
> years 1980 and 1988.

Wrong. The condition is different and significantly more sophisticated; see our Computer Virus Catalog.

> Known variant(s) of Cascade are:
> 1701-B: Same as 1701, except that it can activate in the Fall of
> any year.

So can the original, provided that some other conditions are met (no internal clock and the user enters the date manually).

> 1704-D: Same as the 1704, except that the IBM selection has been
> disabled so that it can infect true IBM PCs.

So can the original.
> Cascade-1621: Based on the original Cascade virus, this variant
> adds 1,621 bytes to the .COM programs it infects. Its
> memory resident TSR is 1,936 bytes, and hooks interrupt 21.
> Attempts to execute .BAT files on infected systems may
> result in the scrolling of the message "Insufficient
> disk space", and the .BAT file not executing.

Nonsense.

> Cascade-1706: Based on the original Cascade virus, this variant
> adds 1,706 bytes to the .COM programs it infects. It is
> a memory resident virus which employs a 2,064 byte TSR
> hooking interrupts 1C and 21. The virus will be located
> at the end of infected files.

One could think that the original variant does not hook these
interrupts...

> Cascade-B: Similar to the Cascade virus, except that the
> cascading display has been replaced with a system reboot
> which will occur at random time intervals after the
> virus activates.

Huh?

> Cunning: Based on the Cascade virus, a major change to the virus is
> that it now plays music.

Music? Cascade? Hmm... has anybody heard about this one? Have to check
our samples...

Anyway, the different variants of Cascade are listed in such a way that
it is not possible to identify them - we have even more variants here
(about two dozen), but there's no way one can figure out which are
exactly the ones listed in VSUM...

> Virus Name: FORM-Virus
> Detection Method: ViruScan, F-Prot, NAV, Novi, Sweep, CPAV, AVTK, UTScan,
> VirexPC, Gobbler2, VBuster, AllSafe, ViruSafe, IBM Scan,
> Trend, Iris, VNet, Panda, VET, Detect+, IBMAV, DrVirus,
> Vi-Spy
> Removal Instructions: CleanUp, MDisk, NAV, or DOS SYS command

Same problem with the too short list of disinfection tools.

> General Comments:
>
> When a system is first booted with a diskette infected with the
> FORM-Virus, the virus will infect system memory as well as seek out
> and infect the system's hard disk.
> The floppy boot may or may not
> be successful, on the author's test system, a boot from floppy
> diskette infected with FORM-Virus never succeeded, instead the system
> would hang. It should be noted that the virus was received by the
> author of this document as a binary file, and it may have been
> damaged in some way.

Now, the above simply means "I don't know"; it is just expressed in a
very sophisticated way. When you don't know something about a virus,
you just get a debugger and see what the virus does. You understand it,
you draw conclusions and make conjectures, then test them on a
sacrificial system. Then you write a careful report. This is how an
anti-virus researcher operates. You don't tell the world "look, guys, I
couldn't replicate the sample that was sent to me, and I have no idea
what it does" and especially you don't call this "information about the
virus"!

> "The FORM-Virus sends greetings to everyone who's reading
> this text.FORM doesn't destroy data! Don't panic! Fuckings
> go to Corinne."
>
> These messages, however, may not appear in all cases. For example,

For instance, when the virus is not there... :-)

> I did not find these messages anywhere on a hard disk infected with
> Form Boot.

Which means that she has not looked carefully enough or has failed to
infect the hard disk.

> This virus can be removed with the same technique as used with many
> boot sector infectors. First, power off the system and then boot
> from a known clean write-protected boot diskette. The DOS SYS
> command can then be used to recreate the boot sector. Alternately,
> MDisk from McAfee Associates may be used to recreate the boot sector.

Or use some -real- anti-virus software. Even McAfee's CLEAN is more
suitable than MDisk...

> Known variant(s) of the FORM-Virus are:
> Form II: Based on FORM-18, this variant was submitted in May
> 1992 from an unknown origin.
> It is functionally equivalent
> to FORM-18, though altered to avoid detection by most anti-
> viral utilities.
> Origin: Unknown May, 1992.

Huh? Now, did you understand that? How is it altered? How do you figure
out that you are infected by this one and not by the original? How does
the original infect you, if you are told that it couldn't be replicated?

> FORM-18: Similar to the FORM-Virus, FORM-18 activates on the 18th
> day of the month, at which time clicking will be heard from
> the system speaker on systems which have a system clock and
> CMOS. Systems without a system clock will most likely not
> have the clicking occur.

Ah, the story about the activation date is a very funny one; even our
CVC entry contains an error about that. The virus does the following to
get and check the date:

        MOV     AH,4            ;get realtime clock date
        INT     1Ah
        CMP     DL,18h          ;day of the month

However, this function returns the information in the DX register in
BCD format! That is, '18h' in this case means the 18th of every month,
not 18h = 24. The appropriate byte string for INT 1Ah; CMP DL,?? is
CD1A80FA?? and can be found at offset 0B0h of the infected boot sector.
The byte marked with '??' is therefore at offset 0B4h. We have 4
different variants of Form here, and in three of them this byte contains
18h. In one of them the contents is 05h, which means that this variant
activates on the 5th of every month. All the other ones activate on the
18th of every month - NONE activates on the 24th, as is mentioned in
several sources, including ours...

> FORM-Canada: Similar to the FORM-18 variant, this variant is
> a minor alteration. On diskettes, it locates the
> remainder of the viral code and original boot sector in
> the first two available, unused sectors on the diskette,
> marking them as bad sectors.
> Origin: Canada August, 1992.

This is exactly what the original virus does. (BTW, did you notice that
you are not told how the "original" virus replicates and where it
stores the boot sector?)
FORM-Canada is just the original, working virus. Actually, I'm afraid
that many of the virus variants listed in VSUM exist only in Mrs.
Hoffman's imagination.

Too many mistakes/incorrectnesses/incompletenesses for two "good"
entries for two so common and well-known viruses, don't you think?
Strange that you have been unable to notice them yourself - some of
them are blatantly obvious.

> Sure, there are incorrect info in VSUM, but the users get the general
> idea of what the virus does/does not.

The wrong idea, that is...

> The COMMON user aren't interested
> in all the technical stuff about that virus that they got infected by,
> they wanna see if it does any harm or not, how it spreads.

Unfortunately, this is often wrong too.

> Hope you get my point,

Hope you got mine - wrong information is worse than no information.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Thu, 22 Apr 93 16:04:45 -0400
From: WILLIAM.D.BAUSERMAN@gte.sprint.com
Subject: Re: Professional Group Virusized! (PC)

Hi Robert,

RH> On XTs it is (has been) common practice to insert the commands "date" and
RH> "time" into the autoexec.bat. INT 1Ah will give the system-date as set
RH> by the user. No CMOS is needed (But highly preferred :-))

The reason Vesselin stated that Mich would not trigger on CMOS-less XTs
is because the system date has not been set when Mich makes the check.
Mich infects the MBR - ie, it is "run" before the autoexec is.

Also, the DOS "date" and "time" commands set the DOS "date" and "time".
The "DOS" date and time are not always equal to the "System" date and
time. In fact, some "times" you need a setup disk to change the "system"
date and time.
Bill Bauserman
william.d.bauserman@gte.sprint.com

------------------------------

Date: Thu, 22 Apr 93 20:28:21 -0400
From: kam.bansal@symantec.com (Kam Bansal)
Subject: Re: Viruses which cost $$$ (PC)

I knew of a program for the PET (remember the PET?!!) that was a space
invaders type game, and when it started, it resynced the monitor to a
higher scan rate, and over time (I forget how many minutes...) when the
user played the game, it fried the monitor!

And yes, there are video cards that can be resynced via software (and
they state in the manuals that you can kill the monitor that cannot
handle the new speed) that could be victims.

Also, think about a virus that changes your CMOS to different clock
settings, strange things would happen with your machine!

-Kam (^8*

------------------------------

Date: Fri, 23 Apr 93 06:26:50 -0400
From: Jeroen.Donkers@mi.rulimburg.nl
Subject: Re: Viruses which cost $$$ (PC)

Vesselin Vladimirov Bontchev answered to:

>> Monitors sounds likely. Disks, possibly. With CPU's
>> that run hot and can be configured perhaps through software, then
>> maybe them too!

> Nope. None of the above.

I remember having destroyed an EGA Color monitor by installing MS-DOS
version 4.0 on a Sperry HT (an XT from 1986). (I was able to repeat it
with another machine of the same type, but managed to switch it off
quickly enough...) Probably some switch inside this monitor was driven
crazy by very rapid video mode changes caused by a BIOS incompatibility
problem. So software can be really hardware destructive (IMHO).

- --------
Jeroen Donkers, University of Limburg, Netherlands
EMAIL jeroen.donkers@mi.rulimburg.nl

------------------------------

Date: Fri, 23 Apr 93 10:42:51 -0400
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Can a virus infect NOVELL? (PC)

kam.bansal@symantec.com (Kam Bansal) writes:

>> I have a question, can a virus infect NOVELL system? [ ... ]

It's possible for file infectors to propagate through NetWare servers,
and then infect workstations. A boot sector infector cannot infect a
server from a workstation. The risk from file infectors is why I scan
seven NetWare servers *every* morning, first thing, with F-Prot.

> "set executable files read only = on"
>
>Yes, I know the set command is wrong, but what it does is makes *every*
>executable file read only and will not allow *any* file to be written to, so
>the only way to upgrade a file is to first delete it and then copy a new one!

Yes, this will protect the files real well. Including protecting them
from being backed up. There are other problems as well, which is why
execute-only is a bad idea in most situations.

>The real question is what if the following happens...
>
>A virus waits till a user has write rights to SYS:SYSTEM, and then attaches
>itself to a NLM! stream.nlm or clib would be a good start! They are the
>libraries for netware, then once the virus is active, on the server now, not
>the workstation, it can do ANYTHING! From a NLM, you can delete, trash
>anything even if it has read only rights!

However, the virus must first infect a conventional .COM or .EXE file in
order to get onto the server in the first place. The size of such a
virus would seem to be quite large, making it very noticeable when it
infects the .COM or .EXE. Of course, it'd need to have the Novell
Developers' Kit libraries linked in (otherwise it'd be difficult for it
to infect a NLM), as well as the payload. Pretty soon, this gets so
complex and unwieldy it's not likely to work.

>I believe that the new trend of viruses will be for netware (this is my
>opinion!) as NLM infectors!

I don't. Propagation would be a problem, size, bugs, etc. With the
changes in NetWare from time-to-time, they'd be very version-specific,
and would just have to do too much to work. I worry about file
infectors, keep the servers themselves secure so BSIs aren't a problem,
and leave it at that.
- --
Gary Heston     SCI Systems, Inc.       gary@sci34hub.sci.com     site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....

------------------------------

Date: Fri, 23 Apr 93 13:25:13 -0400
From: A06012XT@helios.edvz.univie.ac.at
Subject: Re: Viruses which cost $$$ (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:
>
>> I think I recall seeing the following warning in one of my books:
>> "Improper use of this register may cause physical damage to your monitor."
>
>That information is a bit out-of-date. It was real, it was a hardware
>bug (in the controller for monochrome monitors, not in the monitors
>themselves), but those (buggy) controllers are not produced any more
>since a long time.

>> Am I correct, is there physical damage that can be done through
>> software?

>Not to the contemporary hardware.

Don't think your way. For further info I would like to direct you to
the comp.os.linux group. I don't read it (I do not have as much time :),
but I receive the mailing list for linux. And there (from time to time)
there are "help wanted???" reports of blowing the monitor by playing
around with Xconfig. (This file contains also some register values.)

For VGA-monitors I do not know for sure because I overrun my monitor
from time to time, but I killed some time ago my EGA-monitor (and it was
not monochrome). So damaging monitors sounds possible to me. (You know,
the sounds my monitor gives when I am taking it beyond its possibilities
do not sound nice. I can think, having a worse monitor (I mean in
quality,...) the same actions could kill the monitor.
Andreas Kostyrka (A06012XT@HELIOS.UNIVIE.AC.AT)

------------------------------

Date: Fri, 23 Apr 93 00:32:52 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAVX600.ZIP - TBAV anti-virus software (optimized *.EXE's)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:  TBAVX600.ZIP    TBAV anti-virus software (optimized *.EXE's)

This file has replaced TBAVX504.ZIP.

Greetings, Piet de Bondt
E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl

------------------------------

Date: Thu, 22 Apr 93 19:55:08 -0500
From: j-norstad@nwu.edu (John Norstad)
Subject: Disinfectant 3.2 Announcement (Mac)

Disinfectant 3.2
April 21, 1993

Disinfectant 3.2 is a new release of our free Macintosh anti-viral
utility. Version 3.2 detects the new INIT-M virus.

The INIT-M virus was discovered at Dartmouth College in April, 1993.
INIT-M is a malicious virus. It is designed to trigger on any Friday the
13th. The virus severely damages a large number of folders and files.
File names are changed to random 8 character strings. Folder names are
changed to random 1-8 character strings. File creators and types are
changed to random 4 character strings. This changes the icons associated
with the files and destroys the relationship between programs and their
documents. File creation and modification dates are changed to Jan. 1,
1904. In some cases, one file or folder on a disk may be renamed "Virus
MindCrime". In some very rare circumstances, the virus may also delete a
file or files.

Note that the next three Friday the 13ths are in August 1993, May 1994,
and January 1995.

The virus can also sometimes cause problems with the proper display of
windows.

The virus only spreads and attacks under System 7.0 or later. It does
not spread or attack under System 6. The Disinfectant protection INIT,
however, will detect an infected application under any system.
The virus infects all kinds of files, including extensions,
applications, preference files, and document files.

The virus creates a file named "FSV Prefs" in the Preferences folder. If
you use Disinfectant to repair an infected system, it will delete this
file.

The damage caused by the INIT-M virus is very similar to that caused by
the INIT 1984 virus. Despite this similarity, the two viruses are very
different in other respects, and should not be confused.

Version 3.2 also contains two other changes:

There was an error in version 3.1 in the changes made to the damaged
file detection code. This error affected only a very few people with
very rare kinds of damaged files. Version 3.2 fixes the problem. Thanks
to Stephen Lardieri of Princeton University for helping to find and fix
this error.

Disinfectant's preferred memory partition has been increased from 700K
to 1000K. This fixes a problem scanning some specific applications with
very large CODE resources, including PSpice and Intellidraw. Thanks to
the many users who reported this problem.

Disinfectant 3.2 is available now via anonymous FTP from site
ftp.acns.nwu.edu [129.105.113.52], file
pub/disinfectant/disinfectant32.sea.hqx. It will also be available soon
from most of the other popular sources of free and shareware software.

John Norstad
Academic Computing and Network Services
Northwestern University
j-norstad@nwu.edu

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 71]
*****************************************
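Editor's added example (not part of the digest, and not code from any of its contributors): the point Vesselin Bontchev makes above about the Form boot sector virus is that INT 1Ah function 04h returns the RTC date in packed BCD, so the immediate in CMP DL,18h is the 18th of the month, not 18h = 24, and that the byte string CD 1A 80 FA ?? sits at offset 0B0h of an infected boot sector with the day byte at 0B4h. The script below turns that into a check a practitioner can run over a 512-byte boot sector image: locate the INT 1Ah; CMP DL,imm8 sequence, decode the immediate as BCD, and contrast it with the mistaken binary reading. The three sectors it scans are constructed test data built by the script itself, not real Form samples, and the search is not pinned to 0B0h (that generalises beyond the post, so that a variant with shifted code is still found).

```python
"""Decode the day-of-month trigger of a Form-style boot sector.

INT 1Ah / AH=04h returns the RTC date with the day of month in DL as packed
BCD; the virus compares DL against an immediate, so that immediate is a BCD
day (0x18 -> the 18th), not a binary 24. Offsets and the byte pattern come
from the VIRUS-L discussion; the sample sectors are constructed here.
"""
from typing import Optional

SECTOR_SIZE = 512
# INT 1Ah (CD 1A) followed by CMP DL,imm8 (80 FA ib); imm8 is the day byte.
TRIGGER_PATTERN = b"\xcd\x1a\x80\xfa"
EXPECTED_OFFSET = 0xB0  # where the post places the pattern in Form (day byte at 0xB4)


def bcd_to_int(b: int) -> int:
    """Decode one packed-BCD byte (0x18 -> 18). Rejects nibbles above 9."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"0x{b:02x} is not valid packed BCD")
    return hi * 10 + lo


def find_trigger_day(sector: bytes) -> Optional[int]:
    """Return the BCD-decoded day a Form-style sector triggers on, or None.

    Scans the whole sector for INT 1Ah; CMP DL,imm8 rather than trusting
    offset 0B0h, and only accepts an immediate that decodes to a plausible
    day (1..31) so a chance CD 1A 80 FA elsewhere does not cause a false hit.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte boot sector")
    start = 0
    while True:
        idx = sector.find(TRIGGER_PATTERN, start)
        if idx < 0 or idx + len(TRIGGER_PATTERN) >= SECTOR_SIZE:
            return None
        imm = sector[idx + len(TRIGGER_PATTERN)]
        try:
            day = bcd_to_int(imm)
        except ValueError:
            day = 0
        if 1 <= day <= 31:
            return day
        start = idx + 1


def naive_day(sector: bytes) -> Optional[int]:
    """The mistaken reading the post warns about: treat imm8 as binary (0x18 -> 24)."""
    idx = sector.find(TRIGGER_PATTERN)
    return None if idx < 0 else sector[idx + len(TRIGGER_PATTERN)]


def make_sector(day_byte: Optional[int]) -> bytes:
    """Build a constructed 512-byte sector with the date check at 0B0h (or none at all)."""
    body = bytearray(SECTOR_SIZE)
    body[0:3] = b"\xeb\x3c\x90"      # typical JMP SHORT + NOP at the start of a boot sector
    body[510:512] = b"\x55\xaa"      # boot signature
    if day_byte is not None:
        body[EXPECTED_OFFSET:EXPECTED_OFFSET + 5] = TRIGGER_PATTERN + bytes([day_byte])
    return bytes(body)


# Constructed samples: the common 18h variant, the 05h variant, and a clean sector.
FORM_18 = make_sector(0x18)
FORM_05 = make_sector(0x05)
CLEAN = make_sector(None)

if __name__ == "__main__":
    for name, sec in (("Form (18h)", FORM_18), ("Form (05h)", FORM_05), ("clean", CLEAN)):
        print(f"{name}: BCD day = {find_trigger_day(sec)}, naive binary reading = {naive_day(sec)}")
```

To use it on a real image, read the first 512 bytes of the diskette (or the partition boot sector of the hard disk) into `bytes` and pass them to `find_trigger_day`; a result of 18 reproduces the post's finding for three of its four samples, 5 the fourth, and `naive_day` shows where the "24th" in other sources came from.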