Return-Path:
Received: from barnabas.cert.sei.cmu.edu by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA24742; Mon, 20 Apr 92 15:55:23 +0200
Received: from localhost.cert.sei.cmu.edu by barnabas.cert.sei.cmu.edu (4.1/2.3) id AA15422; Mon, 20 Apr 92 10:02:59 EDT
Message-Id: <9204201402.AA15422@barnabas.cert.sei.cmu.edu>
To: Mikael Larsson (MiL)
Subject: Re: Virus-L
In-Reply-To: Your message of "Wed, 15 Apr 92 19:34:42 +0200." <9204151734.AA14769@abacus.HGS.SE>
Date: Mon, 20 Apr 92 10:02:57 EDT
From: Kenneth R. van Wyk
Status: RO

VIRUS-L Digest   Tuesday, 7 Apr 1992    Volume 5 : Issue 83

Today's Topics:

Removing BS viruses with McAfee CLEAN (PC).
VET and INT13 (PC)
Norton quote (PC)
Re Protection from Boot Sector Viruses (PC)
Re: Stacker and viruses (PC)
Re: Warning about Mutation Engine (PC)
Re: Measuring Michelangelo (PC)
Re: Mardi Bros (PC)
Re: F-PROT warning: false positive? (PC)
Re: Fprot & 2to1 (PC)
Re: polymorph virus questions (PC)
Re: Increasing CBCS Security (PC)
Questions about AAVIRUS (PC)
re: OMICROM virus (PC)
Re: MDISK & FDISK - Are they the same? (PC)
Post March 6 Michelangelo Infections (PC)
some research subjects, info wanted
New Anti-viral Product Announcement
IBM Anti-virus Service (PC)
FP-203.ZIP - Virus detection/removal/prevention/information
FP-203A.ZIP - Virus detection/removal/prevention/information

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 02 Apr 92 02:12:45 +0000
From: pjs@mulga.cs.mu.oz.au (Peter Stuckey)
Subject: Removing BS viruses with McAfee CLEAN (PC).

POSTED for Roger Riordan
- --------------------------------------

rsr@garnet.berkeley.edu (Roger Rosenblum) asks

> Two questions: 1.) Is CLEAN unable to remove some variants of
> the Stoned virus? and 2.) was this disk originally infected with
> the Azusa virus?

When you ask McAfee CLEAN to remove a boot sector virus it simply puts back the hidden sector, but does not check if it is clean. When I was a lecturer it was not uncommon to find two BS viruses on the same disk. CLEAN will merely replace the first virus with the 2nd, so you must run SCAN 3 times & CLEAN twice to make sure such a disk is really clean. Occasionally we would find Stoned/Brain/Stoned. If you run CLEAN repeatedly on such a disk you will get the two viruses alternately for ever, but no warning that the disk is still infected.

IF you use CLEAN to remove a BS virus ALWAYS run SCAN again to make sure the disk is really clean.

So the original disk may well have been infected with both viruses. I have confirmed this is still true for CLEAN 8.3V86. I can supply test disks if anyone wants to verify this.

I assumed in the above that "disk" meant "floppy", but notice a reference to MBR on re-reading. I think the above still applies (I am none too enthusiastic about putting two BS viruses on any of our hard disks, and many combinations are fatal), but CLEAN has a 2nd serious bug in fixing MBRs. In Australia dealers often booted PCs from infected master disks before partitioning the hard disk.
CLEAN puts back the whole of the hidden MBR, including the now incorrect partition information. This has also been confirmed for CLEAN 8.3V86.

Roger Riordan                  PH: +61-3 521-0655
CYBEC Pty Ltd                  Fax: +61-3 521-0727
PO Box 82, Hampton Vic 3187, AUSTRALIA.

------------------------------

Date: Thu, 02 Apr 92 02:18:59 +0000
From: pjs@mulga.cs.mu.oz.au (Peter Stuckey)
Subject: VET and INT13 (PC)

Posted for Roger Riordan
- -------------------------------

ether@bencd.gedlab.allied.com (Russ Ether) writes

> For each PC, determine where is the ROM code which services
> int13 to load the MBR into memory during the boot process. Then
> use that code in your VET program instead of calling INT13 to read
> the MBR. i.e:

Thanks for the suggestion, but every time we try any trick like this we can guarantee a flood of support calls from users with obscure versions of BIOS, DOS, disk managers, hardware, etc, etc. eg You can retrieve the path & program name from the environment under DOS 3 or above, right? (Duncan, Advanced MSDOS, says so, while Hogan, The Programmer's PC SourceBook, asserts this applies to DOS 2 up.) Not on some Epsons running DOS 3.1 to my certain knowledge. With things like Stacker, etc, around we will be very wary of doing any more delving in the hardware. If a virus crashes on 30 (or even 50)% of PCs it will still propagate happily, but if our program crashes on one PC in 1000 we will get complaints about it.

Roger Riordan                  PH: +61-3 521-0655
CYBEC Pty Ltd                  Fax: +61-3 521-0727
PO Box 82, Hampton Vic 3187, AUSTRALIA.

------------------------------

Date: Thu, 02 Apr 92 02:14:39 +0000
From: pjs@mulga.cs.mu.oz.au (Peter Stuckey)
Subject: Norton quote (PC)

POSTED for Roger Riordan
- ----------------------------------------

rsr@garnet.berkeley.edu (Roger Rosenblum) asks

> Yikes! Is that quote really attributable to Peter Norton? If
> so, does anyone know where, when, or in what context he said it?
Peter Norton visited Australia in early 1990 (Jan or Feb if my memory is correct), and gave a public talk at Melbourne University. I asked him if his firm was planning to do anything about viruses. He launched into a tirade about urban myths, starting with the story about crocodiles in the NY sewers, and going on to a story going around in his youth about a girl with a beehive hairdo. A spider built its nest in it, then bit her & she died. From the vehemence and length of his answer I am sure he had given it many times before.

Roger Riordan                  PH: +61-3 521-0655
CYBEC Pty Ltd                  Fax: +61-3 521-0727
PO Box 82, Hampton Vic 3187, AUSTRALIA.

------------------------------

Date: Thu, 02 Apr 92 02:16:53 +0000
From: pjs@mulga.cs.mu.oz.au (Peter Stuckey)
Subject: Re Protection from Boot Sector Viruses (PC)

POSTED for Roger Riordan
- ---------------------------------

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> pjs@mulga.cs.mu.oz.au (Peter Stuckey) writes:

Peter Stuckey didn't write anything. He merely acted as postman for me. (We are trying to arrange access to the network in our own right but the relevant authorities seem to be hiding from us at the moment.)

I won't answer Vesselin's comments in detail, except to re-iterate my statement: "IF you replace any boot sector VET does not recognise on any new disk, or any disk that has been in anyone else's PC, you CANNOT get a pure boot sector virus."

I did not explain that our documentation says that if you get any valuable software from anyone else the first thing you should do is to check if the disks are write protected, and if not write protect them. Then check them, & if VET does not like the boot sector (or finds a virus) copy the files to a clean disk & check (& disinfect) that. This way you won't destroy anything valuable, & if a disk is infected you still have the evidence, & can't be accused of infecting it yourself.
A lot of viruses arrive on shrink wrapped disks, etc, but a lot more (especially the ubiquitous BS ones) are caught from "harmless" data disks, usually by people who "never boot from floppies".

Many of us are so busy thinking of obscure holes in each others' products that we overlook the fact that 99% of viral incidents involve a few well known & readily detectable & removable viruses. It is nice thinking of ways of preventing exotic attacks, but meanwhile our PCs are being overrun with Stoned, M, & similar trivia. I fully agree that no system is foolproof, and we never claim so in our advertisements, but keeping viruses out is very largely good housekeeping, and almost any scanner will detect the vast majority of actual virus attacks. Furthermore a scanner is the only form of defence that will detect viruses before they have any chance to do anything to your system. Assuredly someone has to be hit by a new virus before the scanners can find it, but refusing to use a scanner because it is not 100% secure is like refusing to use a condom because they sometimes have holes in them, or may burst.

Integrity checkers provide a valuable second line of defence, but they are not entirely reliable unless the user can be persuaded to boot from a clean DOS disk, and experience has shown that they do not work well in the hands of unskilled users. Relying entirely on an integrity checker is akin to relying on blood checks to protect yourself against AIDS. Granted they will usually detect viruses before they do any damage, but are you prepared to stake your life on it?

Roger Riordan                  PH: +61-3 521-0655
CYBEC Pty Ltd                  Fax: +61-3 521-0727
PO Box 82, Hampton Vic 3187, AUSTRALIA.
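[Editor's added example, not part of the digest or of any product it names.] Roger Riordan's first post above describes two CLEAN failure modes: the hidden copy of the boot sector is put back wholesale with no re-check, so a disk carrying two boot-sector viruses alternates between them forever, and on a hard disk partitioned after the infection the restored copy drags a stale partition table back into the MBR. The model below reproduces both on constructed data and shows the two checks a careful tool applies: re-scan after every restore, and take only the boot code from the hidden copy while keeping the live partition table. The virus names, signature bytes, the per-virus "hidden" slot where each virus parks the displaced sector, the clean-loader bytes and the partition entry are all hypothetical; nothing here is McAfee code or a real virus pattern.

```python
import struct

SECTOR = 512
CODE_LEN = 446              # MBR boot code: bytes 0..445
PT_OFF, PT_LEN = 446, 64    # four 16-byte partition entries: bytes 446..509
BOOT_SIG = b"\x55\xAA"      # bytes 510..511

# Constructed signature bytes for two hypothetical boot-sector viruses.
# They are not the patterns of Stoned, Brain, Azusa or any real virus.
SIGNATURES = {
    "VIRUS_A": b"\xEA\x05\x00\xC0\x07\x90",
    "VIRUS_B": b"\xB8\x00\x02\x8E\xD8\x90",
}


def scan_sector(sector):
    """Return the sorted names of every signature present in a sector (the 'SCAN' step)."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in sector)


def build_sector(code, partitions=b"\x00" * PT_LEN):
    """Assemble boot code, a 64-byte partition table and the 55AA marker into 512 bytes."""
    return code[:CODE_LEN].ljust(CODE_LEN, b"\x00") + partitions + BOOT_SIG


def partition_entry(bootable, ptype, start_lba, sectors):
    """One 16-byte MBR entry; CHS fields are left zero and only the LBA fields are filled."""
    return bytes([0x80 if bootable else 0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start_lba, sectors)


def parse_partitions(sector):
    """Decode the non-empty entries as (bootable, type, start_lba, sectors) tuples."""
    found = []
    for i in range(4):
        e = sector[PT_OFF + 16 * i: PT_OFF + 16 * (i + 1)]
        if e[4]:  # partition type 0 means an unused slot
            start, count = struct.unpack("<II", e[8:16])
            found.append((e[0] == 0x80, e[4], start, count))
    return found


def infect(disk, virus):
    """Model of a BS virus: park the displaced sector in the virus's own hiding place,
    then overwrite the live sector with its code while keeping the partition table."""
    disk["hidden"][virus] = disk["live"]
    table = disk["live"][PT_OFF:PT_OFF + PT_LEN]
    disk["live"] = build_sector(SIGNATURES[virus] + b"\xEB\xFE", table)


def naive_restore(disk, virus):
    """What the post describes CLEAN doing: put the hidden sector back wholesale."""
    disk["live"] = disk["hidden"][virus]


def careful_restore(disk, virus):
    """Take only the boot code from the hidden copy and keep the live partition table
    (the code/data split that FDISK /MBR is described as relying on later in this digest)."""
    hidden = disk["hidden"][virus]
    disk["live"] = build_sector(hidden[:CODE_LEN], disk["live"][PT_OFF:PT_OFF + PT_LEN])


def clean_until_clear(disk, restore, max_rounds=6):
    """Riordan's rule: after every CLEAN, SCAN again.  Returns the infections seen in
    each round; a last entry that is not empty means the disk never came clean."""
    history = []
    for _ in range(max_rounds):
        found = scan_sector(disk["live"])
        history.append(found)
        if not found or found[0] not in disk["hidden"]:
            break
        restore(disk, found[0])
    return history


CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"  # constructed stand-in for a clean loader


def alternating_scenario():
    """Stoned/Brain/Stoned style: the third infection overwrites the only clean copy."""
    disk = {"live": build_sector(CLEAN_CODE), "hidden": {}}
    for virus in ("VIRUS_A", "VIRUS_B", "VIRUS_A"):
        infect(disk, virus)
    return clean_until_clear(disk, naive_restore)


def stale_table_scenario(restore):
    """PC booted from an infected master disk, then partitioned: the hidden copy has no table."""
    disk = {"live": build_sector(CLEAN_CODE), "hidden": {}}
    infect(disk, "VIRUS_A")
    table = partition_entry(True, 0x06, 63, 65536) + b"\x00" * 48   # one bootable FAT16 entry
    disk["live"] = build_sector(disk["live"][:CODE_LEN], table)      # FDISK writes the table
    history = clean_until_clear(disk, restore)
    return history[-1], parse_partitions(disk["live"])


if __name__ == "__main__":
    print("alternating:", alternating_scenario())
    print("naive:      ", stale_table_scenario(naive_restore))
    print("careful:    ", stale_table_scenario(careful_restore))
```

In the alternating case the scan history never reaches an empty round, which is exactly the signal CLEAN does not give; only re-scanning exposes it. In the stale-table case the wholesale restore leaves a sector that scans clean but has an empty partition table, while the code-only restore keeps the live table intact. The same idea applies to any "restore from backup" disinfection: verify the backup is itself clean, and never let it overwrite the data portion of the sector.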
------------------------------

Date: Thu, 02 Apr 92 14:35:35 +0000
From: Fridrik Skulason
Subject: Re: Stacker and viruses (PC)

In Message 26 Mar 92 00:31:06 GMT, wales@CS.UCLA.EDU (Rich Wales) writes:

> I wrote the following a few days ago:
>
>     As I've said above, there is no reason to avoid Stacker
>     or other compressing disk drivers out of concern over
>     viral infection.

There is one reason - (but I'm not saying it's a good reason)

We have several "stealth" viruses that work on a file basis - that is, when an anti-virus program opens a file for scanning the virus may intercept the operation, and either disinfect the file (and infect it again when it is closed) or mess with the read operations, so that the file appears "clean".

One way to bypass these viruses is to access the file system on a lower level - that is, read the root directory directly with INT 13 or INT 26 calls, and "walk the FAT" - bypassing the DOS file system entirely.

Now, using INT 26 should not cause problems with Stacker, as it operates on a cluster by cluster basis - but INT 13 calls would just return garbage.

So, if anybody produced a virus scanner which scanned the disk with INT 13 calls - or simply JMPing directly into ROM, we could expect horrible compatibility problems with Stacker and similar programs.

- -frisk

------------------------------

Date: Thu, 02 Apr 92 14:25:40 +0000
From: Fridrik Skulason
Subject: Re: Warning about Mutation Engine (PC)

In Message 23 Mar 92 17:22:09 GMT, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> mcafee@netcom.com (McAfee Associates) writes:
>
>> Three new viruses have appeared in the past two months that
>> utilize the Bulgarian Dark Avenger Mutation Engine. The source
>> code for this mutation engine has appeared on numerous virus-
>> exchange bulletin boards and is now in the hands of virus writers.
>
> The source?! Are you sure?
> What we have here is a virus development
> kit, which contains the MtE as a compiled, ready to link OBJ file,
> together with a demo virus in source. As far as I know, the source of
> the MtE itself has not been made available.

Well, at least the documentation in version 0.91-beta states that the source is not available. However.... At least two people that I know of have been contacted by "Dark Avenger" and offered the source code for $5000 - to be paid to Todor Todorov, I think, who would then forward the money to DA. If the source is indeed available, I guess somebody must have bought it... :-(

Anyhow - my program now detects all three MtE viruses, and *should* (no promises, though) be able to detect new MtE viruses.

- -frisk

------------------------------

Date: Thu, 02 Apr 92 14:44:26 +0000
From: Fridrik Skulason
Subject: Re: Measuring Michelangelo (PC)

In Message 24 Mar 92 19:25:00 GMT, KDC@UOFMCC.BITNET (Ken De Cruyenaere 204-474-8340) writes:

> Do you really think so ? I would have thought that copies of
> Michelangelo, aside from captive copies, would be few and far between
> after March 6th. Either:
>
>   --- found and eradicated before March 6th (largely thanks to all
>       the media attention)
>   --- or self destructed when it activated on march 6th.
>       (If Michelangelo doesn't kill itself on March 6th, it certainly
>       draws attention to itself...)

Oh no... consider: people may simply have left their (infected) computer turned off all day March 6th.

or: somebody got infected, removed the virus but did not disinfect all floppies - the chances of becoming re-infected are fairly high.

However, in my opinion the real danger is elsewhere - some companies distributed Michelangelo-specific detection programs free of charge - many people may have received them, found that they did not have Michelangelo and believe their machines are "clean"....but in reality they may be infected with "Stoned" or any other (common) virus.
- -frisk

------------------------------

Date: Thu, 02 Apr 92 14:59:43 +0000
From: Fridrik Skulason
Subject: Re: Mardi Bros (PC)

In Message 24 Mar 92 23:25:17 GMT, treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes:

> F-prot is making a false identification. F-prot 2.02d calls my sample
> of ohio (denzuk variant) mardi bros just as BRENT@morekypr says. Mardi
> Bros is not an alternate name - it is a different virus.

Well, it is related - in version 2.03 I now identify the three members of the family as Denzuko (NOT Den Zuk), Ohio (alias Hacker) and (Mardi Bros).

The reason for the mis-identification was that the Mardi Bros signatures were also found in the Ohio virus (quite common for related viruses), but it was not identical to Mardi Bros, so it would not disinfect it. I have now fixed this.

- -frisk

------------------------------

Date: Thu, 02 Apr 92 15:22:11 +0000
From: Fridrik Skulason
Subject: Re: F-PROT warning: false positive? (PC)

In Message 25 Mar 92 04:04:00 GMT, PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of ...) writes:

> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>> 0004839378@mcimail.com (Joshua Proschan) writes:
>>> A related question: f-prot identifies nearly all the Norton Utilities
>>> programs

The reason for this is that the programs use OPTLINK, (a linker which adds PKLITE-like compression to executables as they are linked). My heuristics did not include a rule to specifically exclude OPTLINK (I have rules to exclude PKLITE, LZEXE, DIET, KVETCH, ICE, EXEPACK etc) so it detected "highly suspicious self-modifying code" - which, strictly speaking is true. This was fixed in 2.03.

>>> and several Microsoft Word programs as exhibiting virus-like
>>> behavior, when the heuristic scan is used. Is this also a false
>>> positive?

This (at least WORD.COM) is a documented false positive - see ANALYSE.DOC.
I am working on reducing the number of false positives, but I fully agree that heuristic analysis should only be used by experienced users....there are still some false positives....

> A better solution is AI scanners (perhaps not the best term, though).
> Instead of looking for fragments of known viruses (with all the
> problems that entails), or looking for "things viruses tend to do", it
> is possible for a program to look at a boot sector and categorically
> say if it is a genuine DOS boot sector or a virus.

This is theoretically impossible - just ask Fred Cohen :-) [Well, it is easy to see if it is a true DOS boot sector, but there will always be some "unknowns"...]

However, it is *nearly* possible in practice, although you will always get a few false positives, a few false negatives or both. I am working on my heuristic analysis - which (and I think nobody in the anti-virus community disagrees with me) is able to detect the majority of unknown viruses, but it is not perfect - I don't analyse boot sectors yet, and I detect only a low percentage of viruses written in high-level languages. However, as I said...the analysis is improving.

- -frisk

------------------------------

Date: Thu, 02 Apr 92 15:46:55 +0000
From: Fridrik Skulason
Subject: Re: Fprot & 2to1 (PC)

> padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:
>
>>> I do not know if this has been reported before, fixed etc. but I just
>>> ran F-Prot to check a diskette that had 2to1.com and safembr.com on
>>> it. Both programs were reported as "Possibly a dropper program for a
>>> new variant of Stoned." The date of 2to1 is 9/28/91, of safembr
>>> 10/12/91 and I am using F-Prot 2.02D.
>
>> This is the virtue of heuristic analysis and I would not really call
>> it a "false positive" since Frisk is picking up the fact that my
>> programs replace the Master Boot Record (MBR) - why the current
>
> Hmm, I'm sorry, but as far as I know, the above message is NOT caused
> by the heuristic analyser (Frisk?).
Vesselin is right - it is the actual scanner. What happens is - I have a set of signatures for Stoned. If I find at least two, I assume a boot sector is infected (and proceed to identify the variant), but if I find only one I suggest it may be a new variant. Now, as my program knows that "Stoned" is a BSV, and should not be found in a com file it displays the message

    XXXXX.XXX seems to be a Stoned-dropper

if it finds 2 (or more) Stoned-signatures in the file. If, however, the scanner only finds one signature, it will display the message

    XXXXX.XXX possibly a dropper program for a new variant of Stoned.

So, in this case the problem is caused by a bad (too short) signature string for Stoned. I changed the Stoned signatures in 2.03, so the problem may have gone away - but I cannot test it - I can't find 2to1 or safembr anywhere...

> known viruses as it currently is... My suggestion is that Frisk
> implements exact identification for the known viruses and moves the
> code to detect new closely related variants in the heuristic analyser.

As I keep telling you :-) there is a good reason why I don't do that - I like my "sufficiently exact" variant identification, because it allows me to disinfect a virus even if it has been modified by changing a single byte - if I used exact identification, I would determine it was a new variant and have to give up on disinfecting it...On the other hand, if the virus is modified more - source code modified & reassembled in particular, I will detect that as a new variant and refuse to disinfect, avoiding any damage to the files.

Some disagree with my strong emphasis on disinfection - but my experience is that it is necessary - most users don't keep proper backups... :-)

That's why I can disinfect a higher percentage of viruses correctly than any other anti-virus producer....at least according to Swoboda's recent test of disinfection of 24,000 infected files. [If the moderator thinks it is acceptable I can post his results here...]
- -frisk

------------------------------

Date: Thu, 02 Apr 92 16:03:56 +0000
From: Fridrik Skulason
Subject: Re: polymorph virus questions (PC)

In Message 26 Mar 92 14:41:09 GMT, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> First, it is "polymorphic", not "polymorph". Second, it doesn't need
> to be self-encrypting (although all of the current ones are).

Uh, how could you get polymorphism without self-encryption - moving blocks around, maybe, but that might also qualify as a primitive encryption... Or were you thinking of something else ?

> The polymorphic viruses are to the scanners what the stealth viruses
> are to the integrity checkers. They "attack" the particular kind of
> anti-virus software by making it more difficult to be maintained or
> used.

Of course, one program that is (usually) effective against polymorphic viruses (at least the self-encrypting ones) is heuristic analysis :-) [this is what...the 4th message today where I mention it...?...sorry]

- -frisk

------------------------------

Date: Thu, 02 Apr 92 15:57:47 +0000
From: Fridrik Skulason
Subject: Re: Increasing CBCS Security (PC)

In Message 26 Mar 92 13:20:24 GMT, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> I suggest that you combine SCAN with at least F-Prot (a very cheap
> alternative). If you want to spend more money, get Dr. Solomon's
> Anti-Virus ToolKit. And, of course, F-Prot - the two combine very
> nicely (AVTK identifies viruses exactly and detects more viruses,
> while F-Prot is better in detecting new variants of the known
> viruses).

Thanks for the free advertising :-) :-) :-)

Actually, I agree with Alan Solomon that we have the two best scanners - we just disagree which is number one and which is number two.

Anyhow, a few F-PROT related comments ....

Version 2.03 is now ready for distribution - a few people have copies of the "pre-release", but it is not the official 2.03.
I will probably be posting a message to VIRUS-L/comp.virus tomorrow, announcing 2.03 formally.

Saying that Alan's AVTK detects more viruses is slightly misleading - there are a few viruses that I don't detect - either very new ones that Alan has, but I don't or "garbage" viruses that don't work... For example, the AVTK detects the Starship virus, but as far as I know nobody in the West has been able to make it replicate, so I have simply not bothered to detect it. Also, if you consider my heuristic analysis (yes, yes, Vesselin, I know what you think about it)...I detect practically all of those "extra" new/garbage viruses that my scanner misses.

- -frisk

------------------------------

Date: Thu, 02 Apr 92 13:40:37 -0500
From: James_Williams%ESS%NIAID@nih3plus.BITNET
Subject: Questions about AAVIRUS (PC)

There is a really neat looking program called AAVIRUS on SIMTEL20 in the TROJAN-PRO directory. It creates a checksum and backup of your boot sector. Three general questions:

1. Have any of the virus experts on this list looked at AAVIRUS? What is your opinion of it?
2. How effective is a checksum of the boot record against stealth viruses or polymorphic viruses?
3. Are there better packages which do the same thing?

Thanks

- --------------------------------------------
| James Williams                             |
| Bitnet:    JWW%ESS%NIAID@NIH3PLUS.BITNET   |
| Internet:  JWW@ESS.NIAID.PC.NIAID.NIH.GOV  |
| CompuServe: 70304,2462                     |
- --------------------------------------------

------------------------------

Date: 02 Apr 92 15:57:20 -0500
From: "David.M.Chess"
Subject: re: OMICROM virus (PC)

From: Antonio Joao Nunes Cardoso

> A friend of mine asked me to ask this : How to remove the NEW OMICROM
> virus reported by CPAv ?
>
> He used CPAV to remove it and he couldn't remove that properly.

"OMICRON" is (perhaps among other things!) another name for the viruses that we call "FLIP". There are two that are reasonably common in the world: the 2153 and 2343 strains.
They infect both files and master boot records of hard disks. The most reliable removal is to erase and replace the infected files, and use some MBR-fixing utility (see previous traffic in this list about the /MBR option of FDISK) to fix the hard disk master boot records. Or you could get some other anti-virus package that can do it automagically, although that's not as reliable. (Or he could call CP and ask them if they have an update to CPAV that will do it.) The 2343 strain (the rarer of the two) also patches COMMAND.COM, so your friend might want to replace that, too, just in case (it doesn't make it viral, it just makes it lie about some file lengths and/or not work at all).

> Another thing is that someone told him that the OMICROM virus is a
> mutating virus which can be traced as FRODO or 4096.

Nope! Not unless someone is using "OMICRON" to refer to some other virus besides the FLIPs...

- --
David M. Chess                     mI' jIHbe' jay'!
High Integrity Computing Lab       loD tlhab jIH!
IBM Watson Research                -- qama''e'

------------------------------

Date: Fri, 03 Apr 92 00:27:34 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: MDISK & FDISK - Are they the same? (PC)

Hello David Swayze,

The FDISK program is MS-DOS's utility to partition a hard disk after low-level formatting or change the sizes of the partitions, etc. M-DISK is a set of utility programs for replacing the Master Boot Record (partition table) and DOS Boot Sector code when infected by a virus. M-DISK works for MS-DOS (and PC-DOS) 3.00 through 4.01. MS-DOS 5.00 has its own built-in "M-DISK" for removing partition table infectors. It's the undocumented /MBR switch, which will remove the existing code in the MBR and replace it with a clean copy from inside itself, while leaving the data (the actual partition table) intact.
Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
McAfee Associates          | Voice  (408) 988-3832 | mcafee@netcom.com (business)
1900 Wyatt Drive, Suite 8  | FAX    (408) 970-9727 | "Log... from Blammo"
Santa Clara, California    | BBS    (408) 988-4004 |
95054-1229 USA             | v32bis (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield   | HST    (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Thu, 02 Apr 92 21:17:00 -0600
From: RCTE4@Jetson.UH.EDU
Subject: Post March 6 Michelangelo Infections (PC)

YAMP (yet another Michelangelo posting).....

Re: the discussion of the probability of more Michelangelo infections, my lab got its first (at least, first known to me) post-March 6 Michelangelo infection today, April 2, 1992. A student put her floppy disk in the A: drive, and THEN obeyed our signs posted on each PC to "RESET BEFORE USING." Frisk's Virstop caught it and prevented the PC from completing the boot, so there was no harm done. We successfully removed it from the floppy and hard disk using F-prot 202d.

Now, this is the real reason for posting. Before cleaning the student's diskette, I used Diskcopy to copy the virus to another diskette, so I could look at it (I know, curiosity felled the feline.....). Took it home, booted my pc, put the infected diskette in the A: drive (my b: drive is wrong size for this disk), did a Dir, deleted the student's assignment files, then ran F-Prot on the A drive. I had previously confirmed the infection at school with F-prot. F-prot said "The Stoned virus search pattern has been found in memory..." My "understanding" was that Mich. would only do anything at boot time. I reset the PC from the hard disk using ctrl-alt-del, and re-ran F-prot. No infection on disk or in memory, so I assume whatever was in memory that triggered f-prot did not infect my hard disk.
Is this something as simple as Dir copying the boot sector and FAT into memory and F-prot finding it there, or is there a risk of infection from (this version of) Michelangelo even after booting? I also re-booted from my sanitized and hermetically sealed Dos boot disk and re-scanned the disk. It was still clean.

Thanks,
Scot Carpenter

------------------------------

Date: Thu, 02 Apr 92 15:06:00 +0700
From: MIN@rulcri.LeidenUniv.nl
Subject: some research subjects, info wanted

Hello,

As from this week I am doing research into the following issues:

- - how to determine from a virus program which soft- and hardware the author has used for developing the virus (well at least how to make a good guess)
- - whether or not it is possible to prove that a certain virus is the result of a certain previous version (with previous version I mean an _unfinished_ virus program)
- - if there is much room for improvement in the "heuristical" search method, and if it will eventually become the standard method for virus detection

I would very much appreciate a response concerning:

- - how far current research into these issues has developed
- - suggestions where to look for more information, apart from this list

Thanks in advance,

Patrick Min
Leiden university department of Computer Science
min@rulcri.leidenuniv.nl

------------------------------

Date: 30 Mar 92 19:25:49 -0400
From: TYETISER@ssw02.ab.umd.edu
Subject: New Anti-viral Product Announcement

New Anti-viral Package Featuring Real Intelligence, not Artificial
with exceptional capability to handle "stealth" viruses as well as others
that target PCs running MS/PC-DOS

Description:

VDS (Virus Detection System) 2.0 is an anti-viral software package designed to contain the spread of computer viruses by providing early detection and quick recovery.
What distinguishes VDS from other anti-viral products is that its operation is based on analyzing viral behavior rather than just looking for known byte sequences extracted from virus samples. Therefore, VDS does not require frequent upgrades. VDS uses a proprietary triple-pass verification technique to catch the most evasive "stealth" viruses even when they are active in memory. Coupled with its blazing operational speed (thanks to its optimized internal cache), VDS represents the strongest software solution currently available.

VDS generates a customized device driver during installation. The device driver barely adds three seconds to bootup time and catches all system infectors with ease. It can recover vital system areas such as the master boot record and the partition boot record automatically, and place a copy of the affected area in a file so that the user can examine it later. The user is given an opportunity to embed his own message inside the device driver. This message is displayed if a possible infection is detected. Businesses will find this feature very useful since it can be used to prompt users to report any incidents as instructed by the message. The device driver can also be configured to freeze the computer after displaying the customized message to ensure that it is not ignored.

A unique feature of VDS is its decoy launching mechanism. The decoys are used to lure any viruses active in memory and to capture them in a POV (Prisoner Of VDS) file for examination. The captured intruders can speed up the diagnosis process since you will know which virus you are dealing with or whether it is a new virus.

VDS documentation rivals many books on computer viruses not only by its readability but also by its technical content. It offers practical guidelines and a risk analysis test designed to evaluate the vulnerability of your computers to viral attacks.
The package includes a special utility program that helps users to recover from all system infectors that target vital areas of hard drives such as the master boot record. Another program in the package allows users to search DOS-compatible (including network) drives for known viruses. This program sports an easy-to-use menu-driven user interface as well as a spartan command-line mode for individuals who do not mind remembering half a dozen options. It also has a mechanism to add new virus patterns externally.

Availability:

VDS Advanced Research Group offers different versions of VDS: trial, personal, academic, charity, business and complimentary. Trial version is only $7 and can be ordered directly from the developers. It is also available on several BBSes and can be downloaded for free. Personal version sells for $25 (plus shipping) and can be used on as many computers as the user personally owns. If the user chooses to become a registered user after ordering the trial version, the $7 is credited towards the payment for the personal version. Site licenses for businesses can be negotiated. Business version allows all employees of a company to use VDS on their home computers at no extra charge. What's more, site licenses need NOT be renewed periodically!

System Requirements:

IBM PC/XT/AT/PS2 or compatible computer with 256K RAM, MS/PC-DOS 3.0 or higher, a hard drive and a floppy diskette drive.

How to Order:

Phone orders can be placed by calling (410) 247-7117 and providing your name, address and the diskette size (of A: drive) you need. You must pay by C.O.D. or request to make another arrangement if your company policy does not permit C.O.D. purchases.

To order VDS by mail or if you have any questions, you can write to:

Attn: Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228

------------------------------

Date: Fri, 03 Apr 92 10:30:44 +0100
From: ian@vnet.ibm.com (Ian Stirling)
Subject: IBM Anti-virus Service (PC)

I just picked up this announcement on our internal board and have been given permission by both IBM and the newsgroup moderator to post it here. If anyone has any questions there is an 800 number given at the bottom of the message or contact me and I will try and get some answers for you. I am not part of the program. This announcement is for US only. If it is announced in any other countries I will post again.

Cheers,
Ian Stirling

Internet: ian@vnet.ibm.com               CICS/ESA Systems Facilities
Bitnet:   ian at vnet                    IBM UK Labs Ltd, Hursley, England
IBMIPnet: ian@stirling.hursley.ibm.com

Disclaimer: This posting represents the poster's views, not those of IBM

************************ Posting Follows *************************

A new "IBM Anti-Virus" services offering for PC's and Personal Systems is available. It is currently available in the U.S. only, although it may be marketed to U.S. multinational firms. It is currently available by special bid and is planned for announcement as a regular services offering in the future.

Basically, the offering makes available to customers the software and techniques that IBM has been using internally to combat viruses for the past several years. The service consists of:

o Access to all of the anti-virus software used by IBM (VIRSCAN, VSTOP, Verifiers, Disinfectors, CHECKUP) plus any new software developed on any platform during the contract period.

o Access to the Anti-Virus Bulletin Board where the latest versions of the tools are available, virus alert information, access to IBM Virus Expert Assistance. The Bulletin Board is available via an 800 number and is available 24 hours/day. It is monitored during prime shift and the board has the capability to alert the virus personnel via a pager of a virus incident 24 hours/day.
o Personnel to provide advice and consulting in cleanup of a virus incident.

o Capability to reverse engineer any new viruses to add signatures to our tools. This service, performed in conjunction with the Watson Research Lab in Hawthorne, usually can respond within 48-72 hours.

The service is priced on the number of PC's/PS2's protected by the service. The service is just starting and has a great deal of interest from the customer accounts. It is marketed by the Branch Marketing Reps and revenue flows to the Trading Areas, while the service is performed by my group.

The biggest problem we have had is explaining the service to the branches. We are NOT marketing software such as Dr. Solomon and Norton, but are offering a service to our customers which includes the tools necessary to perform the service. The software remains the property of IBM and the customer has a license to use the code. Our advantage is our ability to respond quickly, assist the customer in cleanup of a virus incident, and the access to new tools (potentially on other platforms if a virus is discovered, i.e. AS/400).

U.S. customers who want to learn more about IBM Anti-Virus Services can call 800-742-2493.

------------------------------

Date: Sat, 04 Apr 92 16:16:00 -0700
From: frisk@complex.is (Fridrik Skulason)
Subject: FP-203.ZIP - Virus detection/removal/prevention/information

I just uploaded version 2.03 of my F-PROT anti-virus package to SIMTEL20.

[Moderator's note: See follow-up 2.03A posting below!]

pd1: FP-203.ZIP    Virus detection/removal/prevention/information

Version 2.03 - major changes:

    The program can now scan inside PKLITE (1.03, 1.1 and 1.13), LZEXE, EXEPACK and ICE-packed files.

    A list of all viruses that are found is now displayed while the program is running in interactive mode, instead of just being displayed afterwards.

Version 2.03 - corrections:

    If F-PROT 2.02 was run with just the /HELP option, it might leave the cursor turned off on certain types of display adapters - fixed.
    User-specified file extensions were saved correctly to the setup file, but not restored the next time the program was run - fixed.

    The rewrite of the virus scanner engine in version 2.02 resulted in some false positives, and the search patterns have now been changed as necessary. The following false positives were reported and corrected:

        "Possibly a new variant of Sylvia" in TUTOR.COM (Word Perfect 4.2)
        "Shirley" (Quick Scan), in DIET 1.10A overlay-mode compressed files.
        "SBC" in several small EXE files.
        "Yaunch" (Quick Scan) in several programs.
        "AIDS" in a few programs from Personal Bibliographic Software

    The program also no longer reports certain files from Central Point Software as Flip-infected - it seems the programmers there used the same signature string as F-PROT uses, but they did not encrypt it.

    The command BREAK=ON could sometimes cause F-PROT to crash - fixed.

    F-PROT might not return the correct return code (ERRORLEVEL), when it found a boot sector virus, unless the virus was active in memory.

    Quick Scan would leave the name of the last file scanned on the screen, even if it was not infected - fixed.

    2.02 produced an ugly error message if it attempted to scan a .SYS file under Netware, which was in use by another program - now it simply says "Error opening ......"

    When operating in command line mode on old IBM XT's with monochrome or CGA adapters, the program sometimes produced unexpected characters on the screen - fixed.

Version 2.03 - minor improvements:

    The /TROJAN command-line switch is now default, instead of /NOTROJAN.

    Primary names are now highlighted in the virus list.

    The following command-line switches have been added:

        /PACKED     (default) scan inside packed files.
        /NOPACKED   don't scan packed files.
        /NOSUB      don't scan subdirectories.

    The set of default extensions now includes OV? instead of OVR and OVL.

    Long lines (>80 chars) in the scan report now wrap properly.
    The heuristic analysis did not identify files that had been compressed with OPTLINK, but instead reported them as moving around in memory in a suspicious way.

    If the /REPORT command-line switch is used, and the report file already exists, the new report will be appended to the previous one.

    The F-TEST.COM program is now included again - see VIRSTOP.DOC for details.

Version 2.03 - new viruses:

The following 81 new viruses can now be detected and removed.

    _1355 (temporary name)
    Ada
    Alabama
    Ambulance-B
    AT (132, 144B and 149)
    Black Jec (3B, 5B, 7B and 9B)
    Cascade (1701-F and 1706)
    Criminal
    Danish Tiny-251
    Dutch Tiny-126
    Enola
    Fichv-2.0
    Frogs-1550-B
    Gliss
    Grune
    Harakiri [overwriting - cannot be disinfected]
    Hafenstrasse-1689
    Horse Boot
    Itti-(99 and 161) [overwriting - cannot be disinfected]
    Jabberwocky-615
    Japanese Christmas-Cookie
    Jerusalem (1244, 1735, 1767, 2187, Anticad-3088, Barcelona, Moctezuma, Nov 30., Skism11, Skism12 and Sub-Zero)
    Kalah
    KO-408
    Leprosy (C2 and Viper) [overwriting - cannot be disinfected]
    Lovechild B3
    Mannequin
    Manuel
    Mshark
    Murphy-5
    Nines Complement
    Null-178
    Padded
    Pixel-Pixie 1.0
    Portugese-1441
    Quiet
    Screamer
    Seventh son (284 and 350)
    Smiley
    Suriv 1-Argentina
    Tic
    Timid (305 and 306)
    Traceback-3029
    Trivial-38
    Troy
    Vienna (618, 621, 644B, 645B, Infinity, Mob 1a, Parasite, Parasite 2B, Viperize and W-13 534-B)
    Violetta
    Void Poem
    We're here
    Wonder
    Yafo

The following 39 new viruses can now be detected but not removed.

    _5792 [temporary name]
    Cannabis
    CAZ
    Compiler (1 and 2)
    Cooki (7360 and 7392)
    Danish Tiny-Stigmata
    Demolition
    DM-330
    Eliza
    EUPM
    Flip (2153-B, 2153-C, 2153-D)
    Forger
    Freew-692
    Halloween
    Helloween
    Horror
    Intruder
    Keydrop
    Kremikov
    LV 1.2
    Marauder
    MtE (Dedicated, Fear and Pogue)
    Murphy-Tormentor
    Nov. 17th
    Pathhunt
    Peach
    Phalcon-Ministry
    RNA2
    SBC
    TV
    Vienna-Dr. Q 1028
    Virus-9
    XPEH

The following 5 viruses that could be detected but not removed with earlier versions of F-PROT can now be disinfected.
    Cascade-1661
    Justice
    Pregnant
    Rage
    Stardot-600

The following 6 "viruses" are now detected/identified. They don't work at all, due to serious internal errors, but the reason I bother to detect them is because they are included in some "virus collections", which are used for comparative reviews, and some of my competitors detect them already.

    Bad Brains
    Int 80
    Scorpio
    Sylvia (Hong Kong and Kranz)
    Trivial-25

The following families have been combined:

    Denzuko, Ohio, Mardi Bros  -> Denzuko family
    Number One and AIDS        -> Number One family

frisk

- -
Fridrik Skulason    frisk@complex.is

------------------------------

Date: Sun, 05 Apr 92 13:33:06 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: FP-203A.ZIP - Virus detection/removal/prevention/information

I have uploaded to SIMTEL20:

pd1: FP-203A.ZIP    Virus detection/removal/prevention/information

The only change between 2.03 and 2.03A is a fix for a very minor bug - the heuristic analysis module in F-PROT.EXE thought (incorrectly) that VIRSTOP.EXE was using some suspicious techniques.

frisk

- -
Fridrik Skulason    frisk@complex.is

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 83]
*****************************************
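The Flip false positive in the F-PROT 2.03 notes above (another vendor stored the same search string unencrypted) points at a scanner-design rule: keep search strings out of the clear. The toy scanner below is an added example, not part of this digest or of F-PROT; its pattern bytes, XOR key and ERRORLEVEL values are constructed placeholders, not real virus signatures or F-PROT's actual codes.

```python
# Added example, not part of the VIRUS-L digest or of F-PROT.
# Shows why a scanner should not ship its search strings in the clear:
# the release note above records a false positive caused by another
# product storing F-PROT's Flip search string unencrypted.
# All pattern bytes below are constructed placeholders, not real signatures.

KEY = 0x5A  # single-byte XOR key; this only hides the patterns, it is not security

# Constructed placeholder search strings (NOT real virus signatures).
RAW_PATTERNS = {
    "Flip-like (placeholder)": bytes.fromhex("deadbeef0102030405"),
    "Sylvia-like (placeholder)": bytes.fromhex("cafebabe4142434445"),
}


def xor_encode(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with key. XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


# The scanner keeps only the encoded form, so its own data file never
# contains a raw pattern and cannot be flagged by itself or by a peer scanner.
SIGNATURE_DB = {name: xor_encode(p) for name, p in RAW_PATTERNS.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of all patterns whose decoded form occurs in data."""
    return [name for name, enc in SIGNATURE_DB.items() if xor_encode(enc) in data]


def errorlevel(hits: list) -> int:
    """Map scan hits to an exit status a batch file can test with ERRORLEVEL.
    Constructed values for this example only; they are not F-PROT's codes."""
    return 0 if not hits else 1


if __name__ == "__main__":
    clean = bytes(64)
    infected = b"MZ" + RAW_PATTERNS["Flip-like (placeholder)"] + bytes(16)
    # A peer product that stores the same strings in the clear gets flagged
    # (the Central Point case above); one that stores them encoded does not.
    plaintext_peer_db = b"".join(RAW_PATTERNS.values())
    encoded_peer_db = b"".join(SIGNATURE_DB.values())
    for label, blob in [("clean", clean), ("infected", infected),
                        ("plaintext peer db", plaintext_peer_db),
                        ("encoded peer db", encoded_peer_db)]:
        hits = scan_bytes(blob)
        print(f"{label:18s} hits={hits} errorlevel={errorlevel(hits)}")
```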