Return-Path: Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA15587; Thu, 14 May 92 04:16:27 +0200 Message-Id: <9205140216.AA15587@abacus> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 2739; Wed, 13 May 92 22:07:29 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 0326; Wed, 13 May 92 22:07:14 EDT Date: Wed, 13 May 1992 21:57:32 EDT Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List Comments: Warning -- original Sender: tag was krvw@CERT.ORG From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #104 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: RO VIRUS-L Digest Wednesday, 13 May 1992 Volume 5 : Issue 104 Today's Topics: Re: troi (PC) Re: New Virus: Jose Demise (PC) Re: Question about Michaelangelo (PC) Re: Starship (PC) Re: New Virus: Jose Demise (PC) Re: safe computing questions (PC) Re: Viruses via MS Windows OLE? (PC) Re: Warning on Netware console via CPAV (PC) Re: Anti-virus code in ROM (PC) VSHIELD says *.EXE infected with [K] (PC) Re: Question about Michaelangelo (PC) Virus In Printer? Re: (Primative ?) Question To get information on preventing viruses Hardware antivirus Re: Why a good virus is a bad idea? Re: Why a good virus is a bad idea? New files on Eugene (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 11 May 92 08:11:32 +0000 From: Fridrik Skulason Subject: Re: troi (PC) In Message 1 May 92 00:27:30 GMT, pl159345@academ01.mty.itesm.mx (PEREZ SALAZAR ANA writes: > Any Antivirus that can remove Troi virus? At least my F-PROT 2.03A can.... - -frisk ------------------------------ Date: 11 May 92 08:13:37 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New Virus: Jose Demise (PC) SINGH_HA@BENTLEY.BITNET writes: > execution of the files to infect them. Thus, if the virus is resident > in memory, and you run a scanning software that is unable to detect it > in memory, each and every file that is opened during the scan gets > infected. F-Prot did this, and so did Integrity Master (Ver 1.11a), > though IM was able to detect the change in files while checking the > files (in the same scan). BTW, an idea for the developpers of integrity checkers. The following heuristic might be useful. If the integrity checker detects that the first, say, 20 files have been modified (the number should be adjustable by the user), it should stop and ask the user whether all these files have been really replaced with updated versions and that there might be a resident virus lurking in memory, so continuing might infect the other files. Of course, the user must be able to force continuation of the checking process. > The String : > 5A 5B 07 1F C3 1E 52 2E > is found in infected files and can be used to detect them. Everyone: please don't use this scan string. It translates to: POP DX POP BX POP ES POP DS RET PUSH DS PUSH DX CS: which is a perfectly legitimate code and could be found in normal programs too (and thus cause false positives)... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 May 92 08:25:16 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Question about Michaelangelo (PC) john@csrnxt1.ae.utexas.edu (John R. Schutz) writes: > A friend of mine's machine recently stopped booting from the HD, so we > ran scan, and it reported that he was infected by Stoned. We cleaned > that, ran scan again, and it reported that he was bitten by Mich. We > tried cleaning that, and even though clean reported that it was > successful, upon rescan it was still there. Even Norton Anti-virus > Michaelangelo didn't clean it correctly. Any explanations and > solutions? Yup... After a Stoned+Michelangelo infection the machine becomes non-bootable because the MBR is lost. Therefore, it cannot be disinfected, since there is no saved MBR which can be put back to its place. The only solution (if you don't have a copy of the MBR) is to boot from the DOS 5.0 system diskette and to run FDISK /MBR. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 May 92 08:35:07 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Starship (PC) 8326442@AWIWUW11.BITNET (Martin Zejma) writes: > The conditions for replication ( infection of the harddisk ) are : > 1) DOS Version >= 2.x > 2) Video-RAM available at b000:b000 == bb00:0000 (- approx. bba6:0000 ) > 3) all zeros from 0000:04b0-04e0 (space for additional AT parameters) > If my video card descriptions are correct, Hercules (B000-BFFF) fits, > CGA (B800-BC00), EGA and VGA (A000-BFFF) too. > Only the pure monochrom card fails (MDA, B000-B100), but I think > we can call it extinct. Other weird things like monochrome VGA, DOS 5.0 loaded high, active DOS partitions larger then 32 Mb, and applications running in graphic mode are also not advised if you want to see the virus replicate... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 11 May 92 08:29:28 +0000 From: Fridrik Skulason Subject: Re: New Virus: Jose Demise (PC) In Message 4 May 92 20:27:00 GMT, SINGH_HA@BENTLEY.BITNET writes: >irrespective of the virus being in memory or not. The Heuristics >also gives the message "stealth virus active in memory", during this >test, WHILE scanning some of the files (F-Prot had a heuristic memory >scan, what happenned to that?). It caused too many false alarms - I had to drop it... - -frisk ------------------------------ Date: 11 May 92 08:30:26 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: safe computing questions (PC) jim@cavebear.berkeley.edu (Jim Bradley) writes: > My apologies if these are FAQs: Nevertheless, you are advised to read the FAQs before posting... :-) > o Can I contract a virus on my PC by performing a "dir" of an infected > floppy disk? No. > o Can data and document files be vectors of PC viruses? No. But define "data" and "document". Are PostScript files "documents"? They could carry a virus. Are Lotus 1-2-3 macro files "data"? They could carry a virus... Remember - any data that is interprettable at some point can be used as a virus vector. Fortunately, currently no virus exploats these things. Also, a virus that infects only, say, PostScript files, is not likely to spread very widely. > o Is there any risk in copying data and document files from an infected > DOS floppy disk to a clean PC's hard disk? (Assuming, of course, > that one does *not* boot from the the infected diskette.) No, assuming that there's no active virus in the memory of the PC with the clean disk. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 May 92 08:49:17 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Viruses via MS Windows OLE? (PC) msb-ce@cup.portal.com (Fritz Schneider) writes: > VB> Isn't it possible to indicate a fake executable that must be run, > VB> which will contain the virus code? Something similar can be done with > VB> the .PIF files in a quite trivial way... > Embedded objects must be registered in WIN.INI in a section which starts out: > [embedding] > SoundRec=Sound,Sound,SoundRec.exe,picture > Package=Package,Package,packager.exe,picture > PBrush=Paintbrush Picture,Paintbrush Picture,pbrush.exe,picture > Each entry gives the name of the existing program which handles a particular > type of embedded object. A new file could not cause any program which was not > in this list to be executed. Well, to me the above means that a virus is indeed able to fix the pointer so that a virus code is executed instead... At most, it will have to be able to interpret/fix the WIN.INI file. Pretty trivial... >The joker in this pack is the "Package" object type. This can contain a command >line, or even an entire module (.EXE or .COM) to be executed. The good news is >that it might not get executed until you activate it by double clicking in the >defined area (which may be an undistinguished screen area). For safety's sake >one might consider dropping this from WIN.INI because it presents the same sort >of danger as we find in ANSI.SYS with its keyboard remapping. Yes, but one keeps wondering why Microsoft is introducing new security holes instead of bothering to close the previous ones... Is it so difficult to provide at least an option to turn the keyboard mapping of ANSI.SYS off? Why should the user have to edit it or to use third party programs? Why the installation process of Windows does not allow the possibility to have the "imbedding" option turned off?! > We have discussed the theoretical possibility of a Macro Language virus being > embedded in a spreadsheet (or a style sheet), but that did not require OLE. > However the availability of the Package object allows a spreadsheet to contain > an executable module, and allows the macro language to activate it. It doesn't have to be that sophisticated. It's enough for the macro language to allow DOS commands to be executed and to have some kind of "startup" macro - a macro that is executed each time the appropriate spreadsheet is opened... For more information ask Prof. Harold Highland or read the appropriate article in Computers & Security - such a research virus, using the Lotus 1-2-3 maco language has been constructed. It can be done. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 May 92 08:57:44 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Warning on Netware console via CPAV (PC) MC0170@mclink.it (Stefano Toria) writes: > We have an Ethernet LAN of some fifty DOS clients tied up to a Novell > Netware file server. Few days ago the server showed up a message > saying > User found a Form virus in drive A: > but I was unable to find references to this message anywhere. > By repeated experiments I managed to work out that the message appears > to have been issued by CPAV using some message logging feature of Novell > that I was unaware of. > The documentation that comes with CPAV says nothing about this. > Can anyone provide further information? Has anyone stepped into this > same feature? Yes, the feature really exists in Novell (although I think that only in the latest versions; 3.11?) and CPAV really uses it (although I have no idea why it has not been documented). At least one more product I am aware of uses the same feature - the networked version of V-Analyst (the Untouchable for the USA). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 11 May 92 07:21:57 -0500 From: Sten M. Drescher Subject: Re: Anti-virus code in ROM (PC) > Date: 07 May 92 10:02:01 +0000 > From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) > > Another good idea is to be possible to indicate the order in wich the > boot attempts are to be performed - first from A: and then from C:, or > first from C: and then from A:. Currently I have seen this implemented > only in some laptops. Would be nice if this becomes more widely > available. The Zenith Z-248 had this feature - you could either boot only from floppy, only from HD, or first from floppy then from HD (normal PC behavior). I don't know if they kept this feature in their 386 machines, but I liked not having to worry about accidentally leaving a floppy in the drive. ------------------------------ Date: Mon, 11 May 92 15:44:57 +0000 From: mark@walt.CS.MsState.Edu (Mark Rauschkolb) Subject: VSHIELD says *.EXE infected with [K] (PC) I was recently called to examine a system that was not letting it's owner run WordPerfect because VSHIELD was saying that it was infected with the [K] virus. A few other programs that I tried to run gave the same error. Running SCAN found nothing (I tried /a, /chkhi, *.exe) When I rebooted, the programs ran, and still SCAN found nothing. Any Clues? Mark Rauschkolb mark@cs.msstate.edu ------------------------------ Date: Mon, 11 May 92 20:28:00 +0100 From: Anthony Naggs Subject: Re: Question about Michaelangelo (PC) Last Friday I said: > The solution is hard, unless you are using MS-DOS 5 in which case FDISK /MBR > should fix things for you. Otherwise you will have some problems, what > you have to do is keep the partition information stored at the end of the > virus & match it with a suitable MBR partition table boot sector. As > this seems to be a very common problem I shall write a small program to > assist & post it and details of how to use it over the weekend. Looking back through the virus-l digests, I think your best solution may be to get Padgett Peterson's FixMBR program, giving me a chance to do a reasonable amount of testing on my prog before release. Also if you use his SafeMBR this will give a warning if Stoned reappears. The explanation of the problem stands, and I noticed that there have been several similar questions/answers recently, how about putting it in the FAQ Ken? Also last Friday I posted a note about: Virus hides in printer (again) I get the smeghead of last week award, for lack of attention while typing in my email, the last line of the extract from New Scientist should be: > the computer again. I had a lie down and an aspirin on Sunday, and I'm just fine now, :-) Regards, Anthony Naggs + "Curiouser and curiouser!" cried Alice (she + was so much surprised, that for a moment she Email: amn@vms.brighton.ac.uk + quite forgot to speak good English). or xa329@city.ac.uk + - Alice's Adventures in Wonderland ------------------------------ Date: Fri, 08 May 92 16:42:56 +0100 From: LBA002@PRIME-A.TEES-POLY.AC.UK Subject: Virus In Printer? How much credence can I place on this recent piece from the "New Scientist?" Just as you thought it was safe to rely on virus-handling programs to guard your computers, Feedback [name of column] has bad tidings. Some of the newest viruses can play a nasty trick: they store themselves on your printer. This is possible because when a computer prints out a document, it often sends data to the printer which specifies which font to use. The printer stores this data in its own memory. If the virus attaches itself to the font data, it can hide in the printer while a program cleans the computer of all known viruses. It then runs back down the printer lead into the computer again. I checked the date of the issue and it wasn't April 1st :-) Rgds, Iain Noble Teesside Polytechnic Library UK - ----------------------------------------------------------------------------- Iain Noble | LBA002@tees.ac.uk | Post: Main Site Library, JANET: LBA002@uk.ac.tees | Teesside Polytechnic, EARN/BITNET: LBA002%tees.ac.uk@UKACRL | Middlesbrough INTERNET: LBA002%tees.ac.uk@cunyvm.cuny.edu | Cleveland, TS1 3BA, UK UUCP: LBA002%tees.ac.uk@ukcnet.uucp | Phone: +44 642 342121 - ----------------------------------------------------------------------------- ------------------------------ Date: Mon, 11 May 92 08:20:50 +0000 From: Fridrik Skulason Subject: Re: (Primative ?) Question >Is there any known cases of 'hackers' or those involved in computer >crimes who have dissected one or more anti-viral programs (from the >most basic to the most complex) to find out how they could make a >virus 'fool', 'trick', 'avoid', etc. that particular checker? Well, not actually dissected...but there are several cases that come close. Typically this involves decrypting the virus signatures, and then modifying the viruses so that the existing signatures become invalid. The Peach virus is another example - it disables the Central Point program in an incredibly simple way. A few viruses check whether certain anti-virus TSRs are installed, and avoid activating if that is the case. - -frisk ------------------------------ Date: Mon, 11 May 92 19:44:53 +0700 From: talwar@cdotd.ernet.in Subject: To get information on preventing viruses Dear Sir, Being in the field of Digital Telecommunications I wanted to know more about the means for preventing Virus menance. We use a wide network of computers for our purpose. It is in this respect that I wanted to know about preventing virus menance. I would be grateful to you if you can provide us requisite information. Regards. Manish Talwar. 09MAY92 ------------------------------ Date: Mon, 11 May 92 14:36:54 -0400 From: Paul Massue-Monat Subject: Hardware antivirus My mailer gave me an "undelivered address" to this person. I didn't keep the other addresses s/he posted. I decided to mail my answer to the group. To: rgolsham@uh.edu A teacher at the University of Ottawa owns a company that sells a card that hooks directly to the Bios in the computer. When the computer boots, it executes a program that asks for a password. It then runs config.sys and autoexec.bat Partitions on the hard disk can be write-protected. Contact Dr. John Nash directly at jxnhg@acadvm1.uottawa.ca (Pls post to the list: interested in reading the answers you'll receive) Paul Faculty of Administration Phone: 613-564-6895/6500 Massue-Monat University of Ottawa Fax: 613-564-6518 Lab Mgr. Canada K1N 6N5 Internet: monat@acadvm1.uottawa.ca ------------------------------ Date: 11 May 92 16:36:28 -0500 From: werner@cs.utexas.edu (Werner Uhrig) Subject: Re: Why a good virus is a bad idea? bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >werner@rascal.ics.utexas.edu (Werner Uhrig) writes: >>> If somebody can think about other arguments why a "good" virus is a >>> bad idea, please e-mail them to me. Had your article laid out your own argumentation, I might have perceived it as "inviting" and "inspiring" to send you arguments. >> why waste the time if there are no arguments given why this >> should be considered a "good idea"? (There are none? well, >> we are done then already...) >You have e-mailed me an exact copy of this message and we are already >discussing your points. Please, respect my wish not to raise a >discussion about this on Virus-L or to start public ideological wars >and send me your oppinions privately. This kind request holds for >everybody else too. CLEARLY (I think) I saw fit to criticize the basic approach of making a public "request for arguments" without laying out your own line of argumentation; and by posting this criticism publicly, I was testing my perception that your request would be perceived as somewhat "presumptious and arrogant" and to discourage that its style would become copied by others. Kindly refrain from trying to muzzle me with accusations of starting ideological wars. Is it a bad idea to send an email courtesy copy of what I post? because it feels like an old hat, maybe, by the time it sees public distribution (due to having had 3 rounds of email by then)? I don't think so. But given that 3 rounds of email later, you appear nowhere more willing to post a "more response inviting" article, I think I'll just not email a courtesy copy of this article, and just ignore your "ideas" on the "good virus/worm" topic for good measure... - -- werner@cs.utexas.edu | ..!uunet!cs.utexas.edu!werner | werner@UTXVM.bitnet ------------------------------ Date: 11 May 92 16:43:58 -0500 From: werner@cs.utexas.edu (Werner Uhrig) Subject: Re: Why a good virus is a bad idea? buglady@silver.lcs.mit.edu (Aliza R. Panitz) writes: >werner@rascal.ics.utexas.edu (Werner Uhrig) writes: |> |> have you ever heard of a human immunization that spreads |> "virus-like"? I haven't, but even if it was possible, who |> would/should take the responsibility to consider the whole |> world as their private laboratory...?!? > >One of the leading current theories on the origin of HIV, the AIDS >virus, is that it was a contaminant in polio vaccines. > >Check out sci.med.aids for info. Followups are not relevant here. of course, I am refering to the INTENDED, PLANNED EFFECT of immunization; what you seem to describe here is just about the ultimate undesired (side-) effect and danger of work in this field... (btw, I hold no opinion and have no knowledge of the theory; I don't think it is relevant for the discussion in comp.virus either... just another analogy which may lead to more misunderstanding rather than clarity) - -- werner@cs.utexas.edu | ..!uunet!cs.utexas.edu!werner | werner@UTXVM.bitnet ------------------------------ Date: Tue, 12 May 92 09:04:28 -0500 From: John Perry Subject: New files on Eugene (PC) I have just added the following files to the anti-viral archive on eugene.gal.utexas.edu (129.109.9.21). If you have any questions or problems please send email to perry@eugene.gal.utexas.edu. ASIG9205.ZIP HTSCAN17.ZIP TBRESC19.ZIP TBSCNX31.ZIP VSIG9204.ZIP On a side note, I have been transferred to a different department and I will now be administering eugene on a full-time basis. I am currently waiting to hear about whether the anti-viral archive on beach.gal.utexas.edu will be continued. I will keep everyone updated on the status of beach. I wish to thank everyone for making the archives on eugene a booming success! - -- John Perry - perry@eugene.gal.utexas.edu ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 104] ******************************************