Return-Path:
Received: from hooch.CC.Lehigh.EDU by abacus.HGS.SE (SunOS 4.1/SMI-4.1-01)
        with sendmail 4.1/SMI-4.1-01 id AA12900; Mon, 6 Jul 92 20:48:35 +0200
Errors-To: krvw@cert.org
Received: from localhost by hooch.CC.Lehigh.EDU (AIX 3.1/UCB 5.61/4.03)
        id AA03399; Mon, 6 Jul 92 13:56:24 -0400
Date: Mon, 6 Jul 92 13:56:24 -0400
Message-Id: <9207061756.AA24443@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #127
Status: RO

VIRUS-L Digest   Monday,  6 Jul 1992    Volume 5 : Issue 127

Today's Topics:

LISTSERV cutover is complete
Identify this virus... (PC)
re: Memory decreasing 1K (PC)
FYI and Thanx for the information (PC)
Re: MtE analysis & report (PC)
Re: Protecting windows from Viruses (PC)
'A diskette labelled "Laser Incorporated 92" ' (PC)
F-PROT/BBSes (PC)
Re: Anti-virus recommendations for LANs? (PC)
Re: 696/Scr2/Enemy (was Re: Scream II virus help?) (PC)
Re: 696/Scr2/Enemy (was Re: Scream II virus help?) (PC)
Re: Imprecise scanners (PC)
Re: Zipped Viruses (PC)
IBM PS/2 Reference Partitions (PC)
Disinfectant 2.9 (Mac)
Re: Adleman's "Abstract Theory of Computer Viruses"
Re: virus-l stuff of late
Scan 93 (PC)
The "Lehigh" virus (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus
issues; comp.virus is a non-digested Usenet counterpart. Discussions are
not limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc. (The complete set
of posting guidelines is available by FTP on cert.sei.cmu.edu or upon
request.) Please sign submissions with your real name. Send contributions
to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation,
and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 06 Jul 92 13:48:33 -0400
From:    Kenneth R. van Wyk
Subject: LISTSERV cutover is complete

Just a reminder that the new LISTSERV is now in place. Most aspects of the
cutover appear to have gone without a hitch (knock on silicon :-). So,
please start sending submissions to and LISTSERV requests to . Please
treat the old ibm1.cc.lehigh.edu (= lehiibm1.bitnet) address as history;
although it will continue to forward submissions to me, this functionality
should not be relied upon.

Thanks for your cooperation, and welcome to the new LISTSERV. Oh, and
please let me know if you have any non-resolvable problems with the
LISTSERV.

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.ORG (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)

------------------------------

Date:    Thu, 02 Jul 92 20:41:55 -0400
From:    Shawn Rutledge
Subject: Identify this virus... (PC)

Has anyone heard of a virus that prints a message in German saying - I
have deactivated you - on bootup and then locks the computer. I don't need
any tips on disinfection, I just want an ID.

=============================================================
Shawn Rutledge
INTERNET: srutledg@pgavin1.vetmed.wsu.edu
BITNET:   RUTLEDGS@WSUVM1.CSC.WSU.EDU
Phone:    (509)335-1286 (After 5:00pm Tu-Sa or all day Su-Mo)
Work:     335-0101  335-3303
Address:  85 E. McEachern - Pullman, WA 99163
          >>>>> Information is Power <<<<<
=============================================================

------------------------------

Date:    Thu, 02 Jul 92 15:40:09 -0800
From:    Jimmy Kuo
Subject: re: Memory decreasing 1K (PC)

Ege University Obs. writes:

>We have an IBM PS/2 Model 30 in our Department. IBM DOS 5.0 was
>installed on it. Recently I tried to install DR DOS 6.0 but memory
>decreased 1K. I realized that Dr DOS diskettes carried a virus to the
>computer and I decided to reinstall IBM DOS 5.0. We have the original
>IBM DOS 5.0 diskettes so I was sure that the problem will be solved.
>When I install it the problem remained unchanged. I formatted the disk
>(20 MB) and tried to reinstall DOS 5.0 but I failed. I scanned the disk
>with SCAN91 and it could not find any virus.

>Does anyone have any comment ? Is this a kind of virus ?

Did you mean, when you installed DR DOS 6.0, memory went from 639K to
638K, or that after you installed DR DOS 6.0, you noticed memory was at
639K?

A Model 30, without any funny hardware or software, will show itself as
having 639K available memory. For the IBM PS/2 Model 30, and all PS/2s for
that matter, IBM reserves at least one K (right now, it's always 1K but
there's no guarantee it will stay that way) from top of memory for BIOS
use. This is called the Extended BIOS Data Area. Maximum available memory
as shown by CHKDSK on any and all PS/2s will always show 639K (or less).

Jimmy Kuo                                   Norton AntiVirus Research
cjkuo@ccmail.norton.com
[Formerly: member of IBM PS/2 Model 30 development team]

------------------------------

Date:    Fri, 03 Jul 92 10:17:27 +0700
From:    Vincent Tracey
Subject: FYI and Thanx for the information (PC)

Hello Netters,

Just a followup on my earlier *alleged* problems with VSHIELD and getting
a correct directory listing from the A: drive.

First - I admit I ain't too schmart - ?:^9 - on some of this stuff.

Second - The problem only occurred on military spec - ?
- versions of Zenith 286s with model codings of ZWX-0248-62. The CMOS was
somehow altered to show hardware not installed in the machine. A battery
change and reset of the CMOS solved the DIR A: problem. And a scan of the
system did not reveal any known infections.

Next question I am sure was answered in this digest prior to me
subscribing. I have had to disinfect - ?:^( - 22 IBM compatible computers
this week due to [STONED] and of all things [MICH]. Nonetheless, just how
do I download an infected machine in order to send it to someone competent
(see first above) enough to use the information. We are still receiving
diskettes from the GULF and their associated problems.

Please reply to the e-mail addresses below so we don't bore the rest of
the VL Digest readers. Thanx again for the help/suggestions already
received off line.

Vincent Tracey               E-mail: traceyv@heidelberg-emh2.army.mil
Security Investigator                aeusg-hd-po-s@heidelberg-emh2.army.mil
411th BSB Security Office    Phone:  049-6221-57-8054/6456
APO AE 09102                 DDN     370-8054/6456

It's okay to call someone stupid; just don't PROVE it! - Dragon's Eye

------------------------------

Date:    03 Jul 92 08:35:53 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: MtE analysis & report (PC)

TYETISER@ssw02.ab.umd.edu (Tarkan Yetiser) writes:

>>> We can only speculate that F-PROT
>>>lacks Method-3 detection algorithm and uses a heuristic in such cases.

>>Well, you may speculate, of course, but you are wrong :-) I have what
>>you call a "Method-3", but I guess it is simply not perfect - I would

> Wrong in what sense?

Wrong in the sense that F-PROT lacks a Method-3 detection algorithm. As I
said, I have an algorithm for detecting what you call Method-3 encryption,
but it seems my algorithm has a flaw in it.

As I said before, I haven't bothered to disassemble the MtE. I just
generated a *lot* of samples, and made sure I detected them all.
The problem with Method-3 encryption is that it is relatively rare, so
although I have over 99% detection ratio of MtE in general, I may miss a
significant fraction of the (rare) Method-3 encrypted files, which I hope
I will be able to fix as soon as I have succeeded in creating a single
sample that I don't detect.

- -frisk

------------------------------

Date:    03 Jul 92 12:42:22 +0000
From:    "Brian W. Gamble"
Subject: Re: Protecting windows from Viruses (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

The following has been heavily edited to show the thread I'm chasing....

>Sigh... Ah, virus protection and Windows...
>
>1) Before scanning for viruses, it is always advised to boot from a
>write-protected system diskette. Now, how do you boot Windows from a
>diskette?
>
>2) If you don't boot from a diskette (bad idea!), you must at least
>scan the whole computer memory for resident, or at least for fast
>infecting viruses.
>
>So why provide a Windows-based scanner? Well, this is essentially a
>marketing trick - people are using Windows; people are scared of
>viruses; therefore let's sell them a Windows-based scanner.
>
>(Note: I am not entirely honest - there -is- sometimes a need for such
>scanners. For instance, if you want to scan the new software that you
>receive, without leaving Windows.)

Taking the last point first, I do suspect you (Vesselin) dispense more of
the truth than most. But that's my opinion from lurking and listening a
while. Since I can't get EMail to work from here to there, I'll take this
opportunity to say thank you. I appreciate your postings.

I confess to having a Windows scanner in my possession - but I've never
found the need to unpack and install it. Instead I've just run the DOS
version from Windows on the odd occasion where I need to scan a diskette.

Question is, given the way Windows uses memory, have I left myself wide
open by doing this? I don't much like Windows and use it only when I'm
forced to.
Perchance my "bad" attitude has slowed my learning cycle. Would those who
know more than I do care to comment?

On a related topic; Given that scanners are not the whole answer, just
what combination of programs and techniques is "state of the art" this
month? Please keep the responses to the user level for this one. Pretend
that I've just gotten a PC and know very little more than how to load DOS.

- --
Brian W. Gamble, Brian.W.Gamble@Waterloo.NCR.COM
NCR Canada Ltd. Information Products Group E&M Waterloo
Charter Member -- The ShoeString Racing Team

------------------------------

Date:    03 Jul 92 15:44:00 +0200
From:    Jørgen Olsen
Subject: 'A diskette labelled "Laser Incorporated 92" ' (PC)

A diskette with the above label and the text: 'You cannot beat it with a
Magnum 44' was mailed in Odense, Denmark on May 7 (using an envelope
belonging to a local company that I have promised not to mention) to an
address in Germany (Neuss).

The envelope contained a 5 1/4" HD diskette (no brand name but good
quality) with 2 notches on it and a piece of paper with the following:

(Page 1) (Picture of a ghost)
Put it on the wall - it will remind you of the GHOST that comes.

(Page 2)
LDS - against the law.

Due to an error of address the envelope was returned to the company on
July 3. The diskette was partly crushed and the boot sector and FAT
unreadable. The sectors (around 50%) that could be read using NORTON were
empty.

The name on the label seems to trigger something in my mind - but I cannot
find the info in the limited backlog of received mail I still have on
line.

Any information would be helpful - especially from people who have
received - or heard of - such a mailing.
Thanx in advance

Jorgen Olsen
University of Odense
masjol@dou.dk

------------------------------

Date:    Fri, 03 Jul 92 15:42:47 +0700
From:    frisk@complex.is (Fridrik Skulason)
Subject: F-PROT/BBSes (PC)

I constantly receive questions from people all over the world that don't
have FTP access, but want to obtain my F-PROT anti-virus package from a
BBS instead. As I don't upload it to any BBS at all, I frequently have a
problem answering the question of which BBS to use.

So, what I need is basically a list of BBSes where the SysOps have
obtained the package from Internet or another reliable source, and where
the most up-to-date version is available *very* soon after it is released
here. If you run such a board, and would like to see it included, I would
very much like to hear from you.

- -frisk (author of F-PROT)

------------------------------

Date:    04 Jul 92 16:05:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Anti-virus recommendations for LANs? (PC)

STRASHEA@ZENO.MSC.Colorado.EDU writes:

> We do have a site license agreement with McAfee for their NETSCAN,
> but something that would monitor the network on a consistent basis
> is preferred.

Intel sells a product, called LAN Protect, which does exactly that -
monitors the network traffic on a constant basis. I wouldn't recommend it,
since it slows down the connection quite a lot and is nothing more than
just yet another scanner (and not that good, on the top of all), but it
might be exactly what you want.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    04 Jul 92 15:58:33 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 696/Scr2/Enemy (was Re: Scream II virus help?) (PC)

mjbrown@magnus.acs.ohio-state.edu (Mike J. Brown) writes:

> So what I figure happened is:
> 1. I got an infected program or a trojan from somewhere
> 2. Eventually the infection spread to half of my .EXE and .COM files
> 3. I ran an infected scanner, thereby infecting the rest of my .EXE
>    and .COM files.

Repeat after me: BEFORE DOING ANY VIRUS HUNTING, ALWAYS COLD-BOOT FROM A
NON-INFECTED WRITE-PROTECTED SYSTEM DISKETTE, in order to make sure that
there is no virus in memory.

> 4. I disinfected everything with Clean. The files Clean reported as
>    not safely-disinfectable were deleted.

Repeat after me: disinfecting viruses is unreliable. Always replace the
infected files with clean copies from your backups.

> 5. I rescanned the disk with Clean and Scan separately, reporting no
>    viruses. I scanned with F-Prot and got no viruses but a bunch of
>    "invalid" .EXE files.
> 6. A quick glance over my lists tells me that ALL of the .EXE files
>    that were successfully disinfected (supposedly) by Clean are now
>    "invalid," although their file lengths are okay.
> 7. None of my .COM files work either, so Clean apparently made them
>    invalid in the disinfection process as well.

Conclusion: CLEAN destroys the files infected with this virus that it
tries to disinfect. It does the same with several other viruses as well.
Don't rely on it for disinfection.

> 10. The worst part is, I bought my computer used, so the hard drives
>     came packed full of things I can't easily replace!

Repeat after me: ALWAYS MAKE BACKUPS.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    04 Jul 92 15:38:15 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 696/Scr2/Enemy (was Re: Scream II virus help?) (PC)

mjbrown@magnus.acs.ohio-state.edu (Mike J. Brown) writes:

> An anonymous tip from another victim of this virus told me that it was
> actually neither Scr-2 nor Enemy, but was actually a variant of 696. He

Huh, it's actually one and the same thing. The standard CARO name for this
virus is Screaming_Fist.Stranger. McAfee calls it Scr-2 (short for
Screaming Fist II), F-Prot calls it Enemy (although "Stranger" is a more
appropriate name), and it is indeed 696 bytes long.

> said (this was relayed through a couple of people, actually) that 696 could
> be removed with McAfee Clean. So... I got Clean and tried it out, like
> this:

Hmm, disinfecting viruses is a not very reliable thing in general - it's
always better to restore the files from clean backups. Besides, CLEAN is
very often unreliable, because it does not perform exact virus
identification. I would advise you against using it...

> B:\> clean c:\dos\command.com [696]
> It reported that it "Found Scr-2 Virus [696]" and successfully removed it.
> A check of the file size showed it was back to normal, so I figured "success!"
> and proceeded to work on cleaning up everything on C: drive.

Hmm, have you checked whether all "cleaned" files still work?

> 2. F-PROT assumes that the virus it detects is what is really there. So

It is; just the current version of F-Prot cannot disinfect this virus yet.

> F-PROT was useless to me.
> There were no discrepancies between what
> files it said were infected and what files McAfee Scan and Clean said
> were infected... just what the infection was. This is a complaint I hope
> the F-PROT people will take into consideration... :)

:-) The "F-Prot people" are just Fridrik Skulason. I hope that he'll
include disinfection for this virus soon, since the virus is definitively
in the wild. The discrepancy is only in the naming and probably F-Prot
will match the CARO standard. I don't expect that to happen to SCAN...

> 3. F-PROT said I had Enemy, Scan & Clean both said I had Scr-2. Well,
> which is it? And if it's 696, or something else... agggh. I heard there

It's all of them, since all those names refer to one and the same virus.

> 3. Every time I ran Clean it scanned memory for "critical viruses." Fine.
> But it stopped at 640K. Why didn't it scan my other 512K? This is a
> complaint I hope the McAfee people... :)

I think that there is a /CHKHI option that forces it to do so... Ah, no,
this option is present only in SCAN.

> 4. Clean successfully removed whatever the virus is from all but about 35
> out of 225 files by the above process. Unfortunately, it took forever to

Before saying "successfully", have you checked whether they really work?

> My config.sys lists several device drivers, all of which were previously
> infected. Some of them didn't work after disinfection. First it told me

Ah, you see, that's what I meant. CLEAN is often unreliable. Disinfecting
viruses is unreliable in general. Always restore the infected files from
clean backups.

> 6. It occurred to me that there are probably infected Hidden files...
> Why aren't these files scanned by any of the programs?

Hmm, aren't they? Are you sure that neither SCAN nor F-Prot checked the
hidden files?
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    04 Jul 92 16:15:57 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Imprecise scanners (PC)

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes:

> I agree that virus detectors tend not to do a good job of identifying
> the viruses, (especially SCAN - but you could say their names are
> right and everyone else's are wrong:-).

No, you cannot say that!!! I wouldn't complain much if they used the name
"Apple" for Number_of_the_Beast.A and "Orange" for Darth_Vader.2.B. But
they are calling those two completely different viruses with ONE AND THE
SAME NAME! I do not complain about their naming scheme - it is not
perfect, of course, but after all, it is a matter of taste. What I am
complaining about is their virus identification - they have none! They are
not able to distinguish between two different (COMPLETELY different)
viruses!

> reasonably typical of the degree of match between these products)... I
> don't know what the latest version of SCAN calls them.

Version 91 of Scan is MUCH worse in identification than any previous
version.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    04 Jul 92 16:53:24 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Zipped Viruses (PC)

exuptr@exu.ericsson.se (Patrick Taylor) writes:

> >Not if the afore mentioned virus is a new one which the scanner does not
> >yet detect. In that case, you're in big trouble. Note that this is not
> >merely a problem with McAfee's scanner, but with any; also note that the
> >memory check is an excellent idea, it just isn't perfect.

> Of course, you can always run your virus scanner from a
> write-protected floppy ! ;-)

Not if you have an unknown fast infector active in memory. Otherwise it
will be unable to infect the scanner, indeed, but will infect all files
being scanned. That's why, ALWAYS COLD-BOOT FROM NON-INFECTED,
WRITE-PROTECTED FLOPPY BEFORE DOING ANY VIRUS HUNTING!

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    05 Jul 92 19:03:29 -0400
From:    ESSMAN <74656.557@CompuServe.COM>
Subject: IBM PS/2 Reference Partitions (PC)

The following are the results of infection attempts on IBM reference
partitions:

420 viruses were used to infect an IBM PS/2 56-SLC with a SCSI drive
running PC-DOS 5.0. None of these viruses crossed into the reference
partition.

Next the reference diskette was manually infected with several file
infectors. The reference partition was then restored. Manual restoration
failed if COMMAND.COM was infected.

The only way that the infections passed into the DOS (data) partition was
when files such as KP.EXE (keyboard password) were downloaded from the
reference partition to the DOS partition.
In conclusion, the reference partition can get infected by a "dirty"
reference diskette and the DOS partition can get infected under certain
special circumstances. While it is possible to spread an infection by this
route, we really had to strain to do it.

Eric Essman

------------------------------

Date:    Sat, 04 Jul 92 18:44:31 -0600
From:    j-norstad@nwu.edu (John Norstad)
Subject: Disinfectant 2.9 (Mac)

Disinfectant 2.9
July 4, 1992

Disinfectant 2.9 is a new release of our free Macintosh anti-viral
utility. Version 2.9 detects the new T4 virus.

The T4 virus was discovered in several locations around the world in June,
1992. The virus was included in versions 2.0 and 2.1 of the game GoMoku.
Copies of this game were posted to the USENET newsgroup comp.binaries.mac
and to a number of popular bulletin boards and anonymous FTP archive
sites.

The game was distributed under a false name. The name used in the posting,
and embedded in the game's about box, is that of a completely uninvolved
person. Please do not use this person's name in reference to the virus.
The actual virus author is unknown, and probably used this person's name
as a form of harassment.

The virus spreads to other applications and to the Finder. It also
attempts to alter the System file.

When the virus infects an application, it damages it in such a way that
the application cannot be repaired. When you use Disinfectant to attempt
to repair an infected application, Disinfectant removes the virus from the
file, but leaves the file damaged. You should not attempt to use such a
file. Disinfectant issues the following error message:

### This file was damaged by the virus, and it cannot
### be repaired properly. You should delete the file
### and replace it with a known good copy.

The change to the System file results in alterations to the startup code
under both Systems 6 and 7. Under System 6 and System 7.0, the change
results in INIT files and system extensions not loading.
Under System 7.0.1, the change may render the system unbootable or cause
crashes in unpredictable circumstances. Disinfectant cannot repair this
damage to the System file. If the virus damages your System file, you will
have to reinstall it.

If your system suddenly stops loading INITs and system extensions for no
good reason, it is a good indication that you may have been attacked by
the T4 virus.

The virus masquerades as Disinfectant in an attempt to bypass
general-purpose suspicious activity monitors like Gatekeeper. If you see
an alert from such an anti-viral tool telling you that "Disinfectant" is
trying to make some change to a file, and if Disinfectant is not running,
it is a good indication that T4 is attacking your system.

Once installed and active, the virus does not appear to perform any other
overt damage. At least one version of the virus may display the following
message:

Application is infected with the T4 virus.

There are two known strains of the T4 virus: T4-A (contained in GoMoku
2.0) and T4-B (contained in GoMoku 2.1). The two strains are very similar.
The only significant difference is the trigger date. The trigger date for
T4-A is August 15, 1992, while the trigger date for T4-B is June 26, 1992.
Neither virus does anything before its trigger date. After the trigger
date, the virus begins to spread to other files and attempts to alter the
System file.

We know of an earlier third strain of the T4 virus which appears to have
been used for testing. Disinfectant identifies this strain as "T4-beta".

For those people who may have missed the news about the MBDF virus, we
added the following paragraph to the description of MBDF in the
Disinfectant online manual:

Three undergraduate students at Cornell University have been charged under
New York state law with multiple felony counts of first-degree computer
tampering in connection with the release of the MBDF virus. They are
awaiting trial.
We hope that this news will help convince potential virus writers that
computer viruses are not trivial or harmless, and that society takes the
problem very seriously indeed. Writing and releasing a virus is a serious
offence which can and should be punished under the law.

Disinfectant 2.9 is available now via anonymous FTP from site
ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on
sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, America
Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom, AppleLink, and
other popular sources of free and shareware software.

Macintosh users who do not have access to electronic sources of free and
shareware software may obtain a copy of Disinfectant by sending a
self-addressed stamped envelope and an 800K floppy disk to the author at
the address given below. People outside the US may send an international
postal reply coupon instead of US stamps (available from any post office).
Please use sturdy envelopes, preferably cardboard disk mailers.

People in Western Europe may obtain a copy of the latest version of
Disinfectant by sending a self-addressed disk mailer and an 800K floppy
disk to macclub benelux. Stamps are not required. The address is:

macclub benelux
Disinfectant Update
Wirtzfeld Valley 140
B-4761 Bullingen
Belgium

Mactivity-macclub benelux is also offering a new international update
service for Disinfectant. This service is available to people anywhere in
the world, not just Western Europe. For a fee they will send you new
versions of Disinfectant as new viruses appear. Write to them at the above
address for more information.
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208 USA

Internet: j-norstad@nwu.edu

John Norstad
Academic Computing and Network Services
Northwestern University
j-norstad@nwu.edu

------------------------------

Date:    03 Jul 92 22:56:46 +0000
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Adleman's "Abstract Theory of Computer Viruses"

mjbtn!raider!theporch.raidernet.com!guy@uunet.UU.NET (Jonathan Guy) writes:

   I'm trying to locate a copy of "An Abstract Theory of Computer
   Viruses," by L. Adleman. I know it can be found in the CRYPTO '88
   Proceedings, but as I neither have nor particularly want a copy of
   those proceedings I must look elsewhere.

The paper is reprinted in the book "Rogue Programs: Viruses, Worms and
Trojan Horses," edited by Lance J. Hoffman, Van Nostrand Reinhold, 1990.
This is a book of collected readings describing in detail how viruses
work, where they come from, what they do, etc. It also has material on
worms, trojan horse programs, and other malicious software programs.

- --
Gene Spafford
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet:  spaf@cs.purdue.edu   phone:  (317) 494-7825

------------------------------

Date:    04 Jul 92 16:39:59 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus-l stuff of late

ccmail.norton.com!cjkuo@norton.norton.com (Jimmy Kuo) writes:

> >Hmm, yes, I agree with this, but if a scanner achieves such a detection
> >rate, it will be practically impossible to distinguish between it and
> >a 100 % detector during the tests...

> People seem to forget, 99.99999999% IS 100%. It is not, however,

Sorry, but 99.99999999% is NOT 100%. It is APPROXIMATELY 100%.
> But getting away from semantics, a couple ideas that could be implemented:
> 1) a standard location on a network drive could provide information to the
> integrity checker of updates conducted or available through the network.
> This would only be for a network environment. If a sysadmin propagates an
> update through his network, the integrity checkers should be made to check
> this directory and verify the new copy of software before calling attention
> to it to the user. 2) You should be able to tell an integrity checker which
> of your own directories are work areas and which directories contain your
> utilities which should never change. You know this. And your integrity
> checker can be made to know this. But viruses wouldn't know this.

This is a nice idea and certainly has to be researched... However,
consider this: such a tool will be something standard. What prevents the
virus from using it to register the infected files as properly updated?

> >> some low-level and undocumented DOS calls. It doesn't bother me even
> >> a little bit that Norton utilities cannot corrupt my file system!

> >Yeah, but if it is already corrupted, it cannot be used to fix it
> >either... :-)

> Too quick to write a smiley perhaps? If the system is already corrupted,
> you'd be booted from DOS, not being able to get to OS/2. And from DOS, of

I don't see why. It is perfectly possible to corrupt the OS/2 filesystem
in such a way that the operating system will boot without problems.

> course you can use The Norton Utilities. Fixing it depends of course on how
> badly it was corrupted. But "it cannot be used" is obviously an incorrect
> statement. But if it was so obvious, why am I pointing it out? :-)

I meant that it cannot be used under OS/2 for this purpose.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 02 Jul 92 17:41:47 -0400
From:    Jon Freivald
Subject: Scan 93 (PC)

I have posted the following files to my mail-server:

scan93.zip     132041   6-26-92   9:17
clean93.zip    143908   6-26-92   9:17
netscn93.zip   119807   6-26-92   9:17
vshld93.zip    107738   6-26-92   9:17
wscan93.zip    183255   6-24-92  13:41

These were downloaded by me direct from McAfee's BBS.

To obtain them, send e-mail to mail-server@jaflrn.uucp containing a
line(s) patterned on the following:

get dos/virus/scan93.zip uuencode

You can also say "help" to get instructions or "get index" to get a
listing of all available files.

If there are any problems, please let me know!

Jon

=============================================================================
Jon Freivald ( jaflrn!jaf@uunet.UU.NET )
Nothing is impossible for the man who doesn't have to do it.
=============================================================================

------------------------------

Date:    Fri, 03 Jul 92 16:51:06 -0700
From:    rslade@sfu.ca (Robert Slade)
Subject: The "Lehigh" virus (CVP)

HISVIR2.CVP   920625

                          The "Lehigh" virus

The autumn of 1987 really seemed to get the ball rolling with regard to
virus research. The first message to awaken interest was sent by one
"LUKEN" of Lehigh University. For all the damage that the Lehigh virus
caused, we should at least be grateful that it brought us our Peerless
Leader (aka krvw).

Not all students are mini-hackers: not all students are even semi computer
literate. Student consultants at universities and colleges are presented
with a steady stream of disks from which files have "mysteriously"
disappeared. In November of 1987, however, it appeared that certain of the
failed disks were due to something other than user carelessness.

The Lehigh virus overwrote the stack space at the end of the COMMAND.COM
file.
(Early reports stated there was no increase in file size: later research
showed an increase of 555 bytes in the size of infected files.) When an
infected COMMAND.COM was run (usually upon booting from an "infected
disk"), the virus stayed resident in memory. When any access was made to
another disk, via the TYPE, COPY, DIR or other normal DOS commands, any
(and only) uninfected COMMAND.COM files would be infected. A counter was
kept of infections: after four infections the virus would overwrite the
boot and FAT areas of disks with contents from the BIOS.

The primary defence of the virus was that, at the time, no one would have
been looking for it. The date of infected COMMAND.COM files was altered by
the virus, and, when attempting an infection on a write protected disk,
the virus would not trap the "WRITE PROTECT ERROR" message (a dead
giveaway if all you were doing was a DIR).

The virus was limited in its "target population" to those disks which had
a COMMAND.COM file, and, more particularly, those which contained a full
operating system. Admittedly, in those heady bygone days, more users kept
copies of the operating system on their disks. However, the virus was also
self-limiting in that it would destroy itself once activated, and would
activate after only four "reproductions".

To the best of our knowledge, the Lehigh virus never did spread off the
campus in that initial attack. (It is, however, found in a number of
private virus collections, and may be "released" into the wild from time
to time. As noted, it has little chance of spreading today.)

copyright Robert M. Slade, 1992   HISVIR2.CVP   920625

=============
Vancouver      ROBERTS@decus.ca         | "Remember, by the
Institute for  Robert_Slade@sfu.ca      |  rules of the game, I
Research into  rslade@cue.bc.ca         |  *must* lie.  *Now* do
User           CyberStore Dpac 85301030 |  you believe me?"
Security       Canada V7K 2G6           |         Margaret Atwood

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 127]
******************************************
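Added example, not part of the digest and not code from any of its contributors: a minimal file-integrity baseline and check that illustrates two points raised above. The first is Kuo's suggestion in the "virus-l stuff of late" thread that an integrity checker be told which directories are work areas (expected to change) and which hold utilities that should never change; the second is the Lehigh column's observation that an infected COMMAND.COM grows by 555 bytes and has its date altered, which is exactly the kind of change a baseline comparison catches. Assumptions of my own: SHA-256 as the fingerprint (1992-era checkers used checksums or CRCs), an in-memory baseline instead of a file on disk, and constructed sample files in a temporary directory standing in for a DOS disk. In line with Bontchev's objection, there is no "updates directory" through which a changed file could register itself as legitimate; the baseline changes only when the user rebuilds it.

```python
"""File-integrity baseline/check, constructed to illustrate the integrity
checker ideas in this digest.  Assumptions (mine, not the digest's):
SHA-256 fingerprints, an in-memory baseline, constructed sample files."""
import hashlib
import tempfile
from pathlib import Path

# Size increase of an infected COMMAND.COM, as given in the Lehigh column.
LEHIGH_GROWTH = 555


def fingerprint(path: Path) -> dict:
    """Size plus SHA-256 of a file's contents.  The modification date is
    deliberately not part of the fingerprint: Lehigh altered it, and a
    virus can just as easily restore it, so it is weak evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(root: Path, work_dirs=()) -> dict:
    """Record every file under root except those inside the named work
    areas, which the user expects to change (Kuo's utilities-vs-work
    split).  Rebuilding the baseline is the only way to accept a change."""
    baseline = {}
    skip = [root / d for d in work_dirs]
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if any(s in path.parents for s in skip):
            continue
        baseline[path.relative_to(root).as_posix()] = fingerprint(path)
    return baseline


def check_baseline(root: Path, baseline: dict) -> list:
    """Compare the tree against the baseline.  Returns one finding per
    file that is missing or whose contents differ; the size delta is
    reported because a fixed growth is a strong hint of a file infector."""
    findings = []
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            findings.append({"file": rel, "status": "missing", "delta": None,
                             "lehigh_size_match": False})
            continue
        current = fingerprint(path)
        if current["sha256"] == expected["sha256"]:
            continue
        delta = current["size"] - expected["size"]
        findings.append({"file": rel, "status": "changed", "delta": delta,
                         "lehigh_size_match": delta == LEHIGH_GROWTH})
    return findings


def demo() -> list:
    """Constructed scenario: COMMAND.COM gains 555 bytes (as Lehigh does),
    a utility goes missing, and a document in the work area is edited,
    which must NOT be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "WORK").mkdir()
        cmd = root / "DOS" / "COMMAND.COM"
        cmd.write_bytes(b"\xe9\x00\x00" + b"constructed stub" + b"\0" * 2000)
        util = root / "DOS" / "FORMAT.COM"
        util.write_bytes(b"constructed utility")
        doc = root / "WORK" / "LETTER.TXT"
        doc.write_text("draft one")

        baseline = build_baseline(root, work_dirs=("WORK",))

        # Simulated infection: contents change and the file grows by 555.
        with open(cmd, "ab") as f:
            f.write(b"\x90" * LEHIGH_GROWTH)
        util.unlink()                 # utility removed
        doc.write_text("draft two")   # legitimate edit in the work area
        return check_baseline(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the block prints two findings: COMMAND.COM changed with a +555 byte delta flagged as matching the Lehigh increase, and FORMAT.COM missing. The edited LETTER.TXT produces nothing, because the work area was excluded when the baseline was built rather than when the check ran.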