From lehigh.edu!virus-l Wed Aug 12 02:13:04 1992
Date: Tue, 11 Aug 1992 17:21:46 -0400
Message-Id: <9208112015.AA01568@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From:
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #138
Status: R

VIRUS-L Digest   Tuesday, 11 Aug 1992    Volume 5 : Issue 138

Today's Topics:

Re: McAfee GENP/GENY identification (PC)
Re: MS-DOS 6.0 with Anti-Virus ? (PC)
Laptop returned serviced and infected (PC)
4096 (frodo) false alarm? (PC)
Strange MBR (PC)
Is "Bloody" a virus? (PC)
Are the Azusa and Bloody! viruses related? (PC)
Scan93 Calls Michelangelo "Stoned" (PC)
Re: Scan93 Calls Michelangelo "Stoned" (PC)
Re: F-Prot and Stoned (No-Int) Virus (PC)
V84 and DOS 5.0 Shell (PC)
F-PROT reports IBMBIO.COM as 'suspicious' (PC)
Vi-Spy review from Virus Bulletin (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date: 07 Aug 92 19:38:17 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: McAfee GENP/GENY identification (PC)

james.roy@synapse.isis.org writes:

>if available, cleaning is not 100%, new polymorphic viruses are
>self-mutating and as they improve will become invisible to scanners and
>other heuristic techniques.

Scanning is not heuristic! Actually, my opinion is that the more difficult it is for a scanner to detect a virus, the easier it becomes for a heuristic analyser to detect it.

>Our firm distributes Victor Charlie which can deal with all known and
>unknown viruses.

Yeah, sure...99% maybe 99.9% even, but "all".....nah...

- -frisk

------------------------------

Date: 07 Aug 92 19:56:39 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: MS-DOS 6.0 with Anti-Virus ? (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

>I see in the new PC-Week that MS-DOS 6.0 is scheduled to contain anti-virus software from Central Point.

Well, if they do this, they could hardly have picked a better product for the rest of the anti-virus community to compete against, as outperforming CPAV is generally considered extremely easy... a few examples from the most recent comparative review from Swoboda:

                                               CPAV    the top program(s)
Pogue detection                                  0%         100%
Slovak detection                                 0%          72%
Dedicated detection                              0%         100%
Crashes during scan and disinfection
  of 24.000 infected files                        0          79
Correct disinfection                            37%          64%
Percentage of viruses detected (EXE)            69%          93%
                               (COM)            53%          98%
V2P6 detection                                crash         100%

I guess that nobody from Microsoft reads this group (if they do, I would very much like to hear from them).......

------------------------------

Date: Fri, 07 Aug 92 21:36:44 -0400
From: John Kida (jhk) (Vienna)
Subject: Laptop returned serviced and infected (PC)

A Grid laptop was returned from the Raleigh, NC service center infected with the "JOSHI" virus... ..
All persons who have had a laptop repaired in the Raleigh, NC service center should scan the hard drive and any media which has been introduced into it... Since this is a service center the odds of more than 1 infection are HIGH....

John Kida
SSDS, Eastern Region

------------------------------

Date: Sun, 09 Aug 92 07:52:36 +0000
From: nyh@gauss.technion.ac.il (Nadav Har'El)
Subject: 4096 (frodo) false alarm? (PC)

Hi. This question is for anti-virus writers, such as McAfee and Frisk, and for anybody with any experience with the 4096 (also known to f-prot as frodo) virus.

Yesterday I was checking out a new MS-Windows product I got, and I decided to check it with scan 93 before I ran it. So I exited Windows and ran the scanner. I almost got a heart attack when I saw the message '4096 Virus [4096] active in memory' or something of the sort. This was impossible, since I always scan new software before I run it, and the 4096 is an old virus.

So I rebooted from a write-protected DOS diskette which I had saved in advance (with no autoexec/config.sys, so no files from the hard disk are used). I then used scan from a write-protected diskette, and of course now there was no 4096 in memory. But it didn't find any virus at all on my hard disk, nor on my Windows boot diskette! This was very puzzling: I had run scan from the hard disk when the virus was active, so how come it wasn't infected?

So I deliberately booted again from the Windows diskette and exited it, and of course I got the virus alarm again. As I have a write-protected backup, I didn't care about messing up some files, as long as I got rid of this virus. So I deliberately ran some executable files from my hard disk. From past experience I have with the 4096 virus I know that when it is active, as soon as you run a program, it gets infected. But when I rebooted again from the clean floppy and scanned, there was no virus on my hard disk! Now I was almost certain that that had to be a false alarm.
I rebooted again from the Windows diskette, and of course it still got the virus alarm. I used arj to extract a 200K file, and what do you know: right after arj was finished there was no virus in memory according to scan!

The question is - are my conclusions correct? i.e. if it was really the nasty 4096 virus, wouldn't it infect all executables I ran, or at least some of them? Does the fact that it didn't infect anything mean that it is a false alarm?

By the way, when the virus was active in memory according to scan, chkdsk returned 640K of memory, and no disk errors. sd /i returned 639K of memory, but as far as I remember, that is the way they return since I got the computer.

Also, I used f-prot after using scan and it came to the same conclusions - frodo in memory, but when rebooting from a clean diskette, there was no frodo in memory but no files infected as well.

I hope someone has any clues for me, because I am not sure it is a false alarm, although it certainly looks like one (How on earth can random memory or parts from TSRs I load look like a 4096 virus???)

Thanks in advance,

- --
Nadav Har'El                          | ######  ########  #      | <-- Sorry if
Email: nyh@gauss.technion.ac.il       |      #     #      #      |     you can't
Department of Mathematics, Technion   |      #     #      #      |     read Hebrew.
Israel Institute of Technology        | ########   #   ######    |     Nadav. ;)

------------------------------

Date: Sun, 09 Aug 92 13:30:04 -0500
From: phil@cs.utexas.edu (Philip Smolen)
Subject: Strange MBR (PC)

I noticed a machine with a strange MBR at work recently. The first 16 bytes look like this:

EA 05 00 C0 07 E9 99 00 02 6F 79 00 F0 E4 00 80

The machine I found this on refused to boot. SCAN could not find anything unusual. Glancing at the code it looks like it was made for a boot sector or MBR. The first instruction, for example, is jmp 07C0:0005. (On bootup this translates to jump to the next instruction. After DOS has loaded normally, this translates to crash and burn.) Has anyone seen anything like this?
Does anyone know what could have caused this?

Some additional information: This machine is in a student computer lab. The disk had been having a number of other strange problems, like sector not found errors, even though SpinRite could not find a problem. The machine had been running some experimental software that did some int 13 disk I/O, but nothing that should have made anything like this.

------------------------------

Date: Sun, 09 Aug 92 20:34:22 +0000
From: Jonathan Lewin
Subject: Is "Bloody" a virus? (PC)

My PC has begun to display the words "Bloody" and "Jun 4, 1989" on boot-up. Is this a known virus? If it is, could someone PLEASE tell me, and advise me how to get rid of it? The PC it is on is vital to a small company, and I don't want it to start losing files.

Thanks,
Jonathan

------------------------------

Date: Mon, 10 Aug 92 20:23:00 +0000
From: Jonathan Lewin
Subject: Are the Azusa and Bloody! viruses related? (PC)

In depth: I suddenly got the Bloody! virus on my hard drive partition table, and when I got rid of it, the clean program notified me that I had the Azusa in memory. Since deleting it, I have not seen the Azusa again. But I saved copies of both, and couldn't find (or didn't see) any similarity. Are these related, or do I have two different infections that I should worry about?

Thanks,
Jonathan

------------------------------

Date: Sun, 09 Aug 92 11:32:51 -0400
From: Adrienne Voorhis
Subject: Scan93 Calls Michelangelo "Stoned" (PC)

There has been some discussion recently about how (unnamed versions of) McAfee's Scan program are announcing an infection by Stoned when other virus scanners are calling it Michelangelo. A copy of Michelangelo that I have saved from April 1992 is detected by Scan89 as Michelangelo, but is detected by Scan93 as Stoned. My guess is that other posters that have reported this phenomenon are not dealing with a new variant of Michelangelo.
It's just that the newest version of Scan got sloppy and detects all Michelangelo infections as Stoned. (I haven't heard that Michelangelo has any other strains detected.)

Not knowing the actual virus that has infected your machine can be a real problem. Previous posts, for example, have described the special problems that users face when disinfecting a computer that has been infected by both Stoned and Michelangelo. If the scanner does not even distinguish between the two, how is the user supposed to know why he or she is having no luck disinfecting the computer?

Adrienne and Bob Voorhis
Albert Einstein College of Medicine
Bronx, New York

    ///\\\\                        _________________________________
   /////\\                        / Adrienne and Bob can't          \
  ////\\\\\//////\\\\             | speak for me or my medical school |
  ||||  | mmm mmm |  ||||         \__________________________________/
  ||||  |  0   0  |  ||||        /
  ||||  |   |_|   |  ||||       /
  ||||  |  mmmmm  |  ||||
   \       ---       /

------------------------------

Date: Sun, 09 Aug 92 19:42:51 -0400
From: Adrienne Voorhis
Subject: Re: Scan93 Calls Michelangelo "Stoned" (PC)

Earlier today we sent a post saying:

> A copy of Michelangelo that I have saved from April 1992 is detected by
> Scan89 as Michelangelo, but is detected by Scan93 as Stoned. My guess is

This information was based on faulty memory. Scan 85 identified it as Michelangelo. Scan 89B and Scan 93 identified the same sample as Stoned. Needless to say, this doesn't affect the points we made in our last post.

Adrienne and Bob Voorhis
Albert Einstein College of Medicine
Bronx, New York

    ///\\\\                        _________________________________________
   /////\\                        / Adrienne and Bob can't speak for me      \
  ////\\\\\//////\\\\             | or my medical school, particularly if they |
  ||||  | mmm mmm |  ||||         | can't get their facts straight.            |
  ||||  |  0   0  |  ||||         \___________________________________________/
  ||||  |   |_|   |  ||||        /
  ||||  |  mmmmm  |  ||||
   \       ---       /

------------------------------

Date: Mon, 10 Aug 92 21:10:26 +0000
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: F-Prot and Stoned (No-Int) Virus (PC)

mike@csc.albany.edu (Michael Ciarfello) writes:

[ ... ]

>The No-Int Stoned virus is about the only virus that gives us trouble
>around here. Does anyone have any experience with cleaning up Stoned
>with F-Prot?

Can't say.

>We have a program to restore the boot-sector of the hard disk from a
>good copy of it, but it doesn't work to restore floppy disks.

Copy the files to another disc and reformat the floppy. Seems like Stoned has a tendency to copy the original boot record over the secondary FAT or something; better to wipe it completely than to risk finding something was corrupted that you didn't know about.

Gary

- --
Gary Heston   SCI Systems, Inc.   gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Heston's First Law: I qualify virtually everything I say.

------------------------------

Date: Tue, 11 Aug 92 00:28:19 +0000
From: lgough805@kean.ucs.mun.ca
Subject: V84 and DOS 5.0 Shell (PC)

Having only recently regained a network account, I have been away from posting for a while. Anyway, I thought I would ask a somewhat dated question, about VSHIELD and the DOS 5.0 shell. Over the winter, I was asked to investigate a problem, namely that with V84 of VSHIELD the micro would lock up when the user moved the mouse from one window to the next in the shell. I eventually passed him on to McAfee, but I would like to know for myself why it happened. Unfortunately I cannot pass on more detail than this about the user's setup. I'm pretty sure that later versions of VSHIELD have addressed this problem. If anyone can enlighten me, it would be appreciated.
Thanks
Bill Gough

------------------------------

Date: Sun, 09 Aug 92 01:32:15 -0700
From: System Manager
Subject: F-PROT reports IBMBIO.COM as 'suspicious' (PC)

I ran F-PROT with the 'heuristics' option on my IBM DOS system and it reports that IBMBIO.COM 'moves itself into different area of memory using methods usually only used by viruses'. F-PROT's 'secure scan' reports nothing, neither does VIRUSCAN. What is it - false alarm or an unknown virus?

------------------------------

Date: 07 Aug 92 12:39:51 -0400
From: Ray Glath <76304.1407@CompuServe.COM>
Subject: Vi-Spy review from Virus Bulletin (PC)

Reprinted with permission from Edward Wilding, Editor, Virus Bulletin.

VIRUS BULLETIN August 1992
PRODUCT PREVIEW 2
Dr. Keith Jackson

VI-SPY - PROFESSIONAL EDITION

It is now over two years since VB reviewed Vi-Spy (May, 1990 to be precise). If a week is a long time in politics, then two years is an eternity in the development of anti-virus software, so another look at Vi-Spy is now long overdue.

Vi-Spy version 9 includes a host of features including an automatic scheduler program (AUTOVS) which conducts a scan of the system at pre-determined intervals, memory map comparison, hidden file count and list, integrity self-checking and a facility to save boot sectors. A TSR with a range of options is also included. RG Software refer to the term `8-in-1': Windows, DOS, LAN, stand-alone PCs, Detection, Removal, Protection and Scheduling. The options are numerous: this review concentrates primarily on Vi-Spy's virus-specific detection features.

`VIRUS PRIMER'

Vi-Spy came with two A5 booklets, one of which is the `Guide to Operations' - a 45 page long user manual. The other booklet (67 pages) is entitled the Computer Virus Primer and Troubleshooting Guide, which contains an excellent description of what viruses are, how to combat them, and what to do if a virus is actually detected.
It also provides a very good explanation of how a PC bootstraps, and how a virus can interact with this process. I particularly like the way in which emphasis is placed on the fact that although many software packages (Vi-Spy included) offer a `cleanup' facility which removes viruses from infected files, this process can never be guaranteed to work and should be used with due caution. I even learned from the booklet that the FDISK supplied with version 5.0 of MS-DOS can be persuaded to repair the Master Boot Sector of a hard disk without affecting the partitioning [using the syntax `FDISK /MBR'. Ed.].

I think that this Virus Primer has been pitched at just the right level. It is difficult to explain viruses in terms understandable by non-technical PC users. Producing a `Kiddies' Guide to Viruses' is of no use to anyone. Conversely, there is a danger of explaining things in overly-complex terms. This booklet steers a course midway between these extremes and will prove very useful to anyone using anti-virus software for the first time.

STANDARD NAMING CONVENTION

Vi-Spy is provided on both 3.5 inch (720 Kb) and 5.25 inch (1.2 Mb) floppy disks. The manual mentions that 360 Kb floppy disks (5.25 inch) are available, but only on request. Free quarterly updates are provided for one year from the date of purchase. Support is also provided via a Bulletin Board (see Technical Details for the phone number).

The documentation states categorically that Vi-Spy uses the VB naming convention for all viruses. There have been various attempts to standardize virus naming conventions, none of which have been successful, so it is good to see a manufacturer trying to stick to a known naming convention rather than inventing a proprietary nomenclature.

INSTALLATION

Installation to a hard disk (in any desired subdirectory) is very straightforward, with the install program simply requesting information about where the software should be installed, whether Windows is to be used, etc.
A fast scan (memory, all boot sectors and some DOS files) is performed before installation commences. Some Vi-Spy files are supplied in compressed form (using LZH data compression), and they are automatically decompressed during installation. After installation is complete, Vi-Spy can either be activated as a parameter driven DOS program, or via a drop-down, mouse driven, menu interface. Either of these methods works under both DOS and Windows. On-line help is provided in the form of text files which can be browsed via the drop-down menu interface. I liked the fact that all error messages are documented in a text file, thereby ensuring that they are kept up to date. This is in marked contrast to many packages where error reports are not mentioned anywhere in the documentation.

I don't think that Vi-Spy needs a drop-down menu interface. It's easy enough to use without such fripperies. However, the developer has deferred to the inevitable market pressure to provide this feature and its presence does no harm.

The latest version of Vi-Spy `knows' about 750 unique viruses (an increase of 250 from the last major upgrade). This is in stark contrast to the version reviewed two years ago which described only 22 known viruses in the manual, and increased that number to 46 in the accompanying README file. How the world has moved on in two years! Interestingly, the manual warns `BEWARE THE VIRUS NUMBERS GAME' - an apposite comment; in accuracy tests Vi-Spy has continually beaten other scanners which claim to detect many more viruses!

The original version of Vi-Spy requested that it should not be installed on a hard disk, but that it should always be executed directly from a write-protected floppy disk, thereby preventing the possibility of the program itself becoming infected. This is sound advice, but the addition of the menu driven front end and all the online documentation reduce the likelihood that the program will be run this way.
However, the menu program does contain an option to make a `Maintenance' disk, a diskette version of Vi-Spy.

SCANNER ACCURACY

Vi-Spy was tested against the viruses listed in the Technical Details section. With just one exception it detected them all, no matter which scanning options were set. The exception was the Kamikaze virus, a point of academic interest only as this virus is unlikely ever to be seen in the wild. Vi-Spy has produced consistently good results in VB tests; in the most recent test (VB, June 92, pp. 13-16) Vi-Spy gained a perfect rating for its ability to detect viruses known to be in the wild and a selection of polymorphic (encrypting, self-modifying) specimens.

SCANNER SPEED

Vi-Spy's scanning speed was measured by searching the entire contents of a hard disk, 728 files spread across 22.7 Mbytes. Vi-Spy took 26 seconds to scan this disk. For comparison purposes, SWEEP (v.2.39) from Sophos, and Findvirus from Dr. Solomon's Anti-Virus Toolkit (v.5.59) scanned this disk in 19 seconds and 15 seconds respectively. When every part of every file was scanned, Vi-Spy's scanning time checked in at 7 minutes 44 seconds (this is the most secure option and its use is only recommended once a virus has been detected using the scanner's `turbo' mode). The same detection rate was measured no matter which of the scanning modes was used, so the `turbo' mode is still efficient at detecting viruses.

Vi-Spy's test timings were exactly the same when the program was run under Windows. This is unusual since Windows typically makes programs run more slowly by a factor of two. I'm not sure whether this is a reflection of efficient coding in Vi-Spy, or the consequences of using a very fast PC for this month's testing.

Vi-Spy was previously among the fastest scanners tested. The above figures show that it has lost some of that speed advantage. Having said this, Vi-Spy's scan speed is perfectly acceptable.
The scanner also provides a complete screenful of information about each virus detected, with details about each virus' infective length, the types of file or sector infected, transmission methods, associated symptoms, trigger routines and disinfection. This feature is simply excellent.

MEMORY-RESIDENT FEATURE

A memory-resident program (RVS) is provided with Vi-Spy. RVS occupies 19.25 Kb of RAM and can be loaded high, thus consuming no conventional memory. RVS searches files for viruses as they are accessed. Such an action imposes an inevitable overhead on system performance; in recent reviews of various anti-virus products the increase in program load/copy time has occasionally exceeded 250%! I thus measured the overhead imposed by RVS by recording the increase in the time taken to copy 90 files (2.3 Mbytes) from one subdirectory to another, being very careful to disable any disk cache, avoid using data compressed partitions, and ensuring that the copy was made to/from exactly the same parts of the hard disk.

With no memory-resident option active, this test took 23 seconds, which increased to 32 seconds when the memory-resident option was activated in its default mode. When a complete scan was used this time increased again to 36 seconds. These times represent increases of 28% and 56% respectively, a very creditable performance given the amount of checking that has gone on during the copying process.

The courteous nature of RVS revealed itself when I accidentally rebooted while it was still active and a floppy disk had been left in drive A:. Vi-Spy intervened, reminded me that I was about to boot from a floppy disk and requested confirmation that this was my intention.

CONCLUSION

Last time around, I concluded that `Vi-Spy is simple to understand (it detects viruses and destroys them by overwriting), easy to use, and very fleet of foot in searching for virus signatures on a disk'. Nothing has made me change that conclusion.
Vi-Spy has kept up with the recent explosion in the total number of viruses. It now contains a Computer Virus Primer and Troubleshooting Guide which I can unreservedly recommend to the uninitiated user. In short, Vi-Spy knows exactly what it intends to do and does it extremely well.

TECHNICAL DETAILS

Product: Vi-Spy (Professional Edition)

Developer and Vendor: RG Software Systems, Inc., 6900 E. Camelback Road, 630 Scottsdale, AZ 85251, USA, Telephone 602 423 8000, Fax: 602 423 8389, BBS: 602 970 6901.

Availability: Vi-Spy requires at least 150 Kb of memory. The core scanning program will operate using v.2.xx of MS-DOS, while other programs packaged with Vi-Spy require v.3.2 or above. Vi-Spy is compatible with Windows 3.0 and 3.1, and will operate on all major local networks.

Version Evaluated: v.9.0

Serial Number: None Visible

Price: $89.95 (single copy), $149.95 (single copy with quarterly updates).

Hardware Used: A 33 MHz `486 PC, with one 3.5 inch (1.44 Mb) floppy disk drive, one 5.25 inch (1.2 Mb) floppy disk drive, and a 120 Mb hard disk, running under MS-DOS v.5.0.

Virus Test Set: 113 unique viruses spread across 182 individual virus samples comprising two boot sector viruses (Brain and Italian) and 111 parasitic viruses. Where more than one variant of a virus is included, the number of examples of each virus is shown in brackets.
1049, 1260, 1600, 2144 (2), 405, 417, 492, 4K (2), 5120, 516, 600, 696, 707, 800, 8 TUNES, 905, 948, AIDS, AIDS II, Alabama, Ambulance, Amoeba (2), Amstrad (2), Anthrax (2), Anti-Pascal (5), Armagedon, Attention, Bebe, Blood, Burger (3), Cascade (2), Casper, Dark Avenger, Datacrime, Datacrime II (2), December 24th, Destructor, Diamond (2), Dir, Diskjeb, Dot Killer, Durban, Eddie 2, Fellowship, Fish 6 (2), Flash, Flip (2), Fu Manchu (2), Hymn (2), Icelandic (3), Internal, Itavir, Jerusalem (2), Jocker, Jo-Jo, July 13th, Kamikaze, Kemerovo, Kennedy, Keypress (2), Lehigh, Liberty (2), Lovechild, Lozinsky, MIXI (2), MLTI, Monxla, Murphy (2), Nina, Number of the Beast (5), Oropax, Parity, Perfume, Piter, Polish 217, Pretoria, Prudents, Rat, Shake, Slow, Subliminal, Sunday (2), Suomi, Suriv 1.01, Suriv 2.01, SVC (2), Sverdlov (2), Svir, Sylvia, Taiwan (2), Terror, Tiny (12), Traceback (2), TUQ, Turbo 488, Typo, Vacsina (8), Vcomm (2), VFSI, Victor, Vienna (8), Violator, Virus-101 (2), Virus-90, Voronezh (2), VP, V-1, W13 (2), Whale, Yankee (7), Zero Bug.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 138]
******************************************
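Added example for two of the threads above; it is not code from the digest, nor from Vi-Spy, SCAN, F-PROT or any other product named in it. It does two things a practitioner chasing the "Strange MBR" post or the review's remarks on saving boot sectors and FDISK /MBR would want: decode the jump chain at the start of a 512-byte boot sector (confirming that EA 05 00 C0 07 is a far jmp 07C0:0005 that lands on the byte right after itself only when the BIOS has loaded the sector at 0000:7C00), and diff a current MBR against a saved known-good copy, reporting separately whether the bootstrap code, the partition table, or the 55AA signature changed. The sector images are constructed here (the "good" one merely starts with the cli / xor ax,ax prologue and carries one made-up partition entry); the 446/64/2-byte layout is the standard MBR layout; the note that a code-only rewrite such as FDISK /MBR leaves the partition table alone is taken from the review, not verified here.

```python
"""Decode the entry-point jump(s) of a 512-byte PC boot sector / MBR and
diff an MBR against a saved known-good copy.  Added example for the
VIRUS-L thread above; it is not code from the digest, from Vi-Spy or
from any other product mentioned there.  All sample sectors are constructed."""
import struct

BIOS_LOAD_LINEAR = 0x7C00   # the BIOS loads the boot sector at 0000:7C00
CODE_LEN = 446              # bootstrap code region: bytes 0..445
PT_OFF = 446                # partition table: four 16-byte entries
SIG_OFF = 510               # 0x55 0xAA boot signature


def decode_jump(sector, off):
    """Decode a jump at sector[off].  Returns (mnemonic, target_offset, length),
    where target_offset is the offset inside the sector that execution lands on
    when the sector runs at linear 0x7C00, or None if no jump opcode is there."""
    op = sector[off]
    if op == 0xEA:                                  # JMP ptr16:16 (far, absolute)
        ip, cs = struct.unpack_from('<HH', sector, off + 1)
        # Absolute target: correct only if the BIOS loaded us at 0x7C00,
        # which is why the same bytes "crash and burn" if run after DOS is up.
        target = (cs << 4) + ip - BIOS_LOAD_LINEAR
        return ('jmp %04X:%04X' % (cs, ip), target, 5)
    if op == 0xE9:                                  # JMP rel16 (relative)
        rel, = struct.unpack_from('<h', sector, off + 1)
        return ('jmp near %+d' % rel, off + 3 + rel, 3)
    if op == 0xEB:                                  # JMP rel8 (relative)
        rel, = struct.unpack_from('<b', sector, off + 1)
        return ('jmp short %+d' % rel, off + 2 + rel, 2)
    return None


def follow_jumps(sector, max_hops=4):
    """Follow the chain of jumps from offset 0, as the CPU would at boot.
    Returns the (mnemonic, target_offset) pairs visited."""
    trail, off = [], 0
    for _ in range(max_hops):
        j = decode_jump(sector, off)
        if j is None:
            break
        mnem, target, _length = j
        trail.append((mnem, target))
        if not 0 <= target < len(sector):
            break                                   # left the sector; stop following
        off = target
    return trail


def partitions(sector):
    """Parse the partition table; returns the non-empty entries."""
    out = []
    for i in range(4):
        e = sector[PT_OFF + 16 * i:PT_OFF + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba, count = struct.unpack_from('<II', e, 8)
        if ptype != 0:
            out.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                        'lba_start': lba, 'sectors': count})
    return out


def compare_mbr(saved, current):
    """Report which regions of `current` differ from the saved known-good copy.
    ['code'] alone is the case a code-only rewrite (FDISK /MBR on MS-DOS 5,
    per the review) can repair; a changed partition table needs the saved copy."""
    if len(saved) != 512 or len(current) != 512:
        raise ValueError('MBR images must be exactly 512 bytes')
    changed = []
    if saved[:CODE_LEN] != current[:CODE_LEN]:
        changed.append('code')
    if saved[PT_OFF:SIG_OFF] != current[PT_OFF:SIG_OFF]:
        changed.append('partition_table')
    if current[SIG_OFF:] != b'\x55\xAA':
        changed.append('signature')
    return changed


def _sample(code_prefix):
    """Constructed 512-byte MBR: the given code prefix, one bootable FAT16
    (type 0x06) partition starting at LBA 63, valid signature.  Not a real disk."""
    s = bytearray(512)
    s[:len(code_prefix)] = code_prefix
    s[PT_OFF:PT_OFF + 16] = struct.pack('<B3sB3sII', 0x80, b'\x01\x01\x00',
                                        0x06, b'\xfe\x3f\x07', 63, 204800)
    s[SIG_OFF:] = b'\x55\xAA'
    return bytes(s)


# Constructed "known good" image: code begins cli / xor ax,ax, no leading jump.
GOOD_MBR = _sample(bytes.fromhex('FA33C08ED0BC007C8BF45007501FFBFC'))
# Same partition table, but the 16 code bytes quoted in the "Strange MBR" post.
STRANGE_MBR = _sample(bytes.fromhex('EA0500C007E99900026F7900F0E40080'))

if __name__ == '__main__':
    for name, img in (('good', GOOD_MBR), ('strange', STRANGE_MBR)):
        print(name, follow_jumps(img), compare_mbr(GOOD_MBR, img))
    print(partitions(STRANGE_MBR))
```

Running it, the strange image decodes to jmp 07C0:0005 (landing at sector offset 5, the byte after the 5-byte far jump) followed by a near jump to offset 161, and the diff against the saved copy reports only the code region changed, with the partition table and signature intact: the situation in which rewriting just the bootstrap code is enough. Keeping a saved copy of the MBR, as the review says Vi-Spy can do, is what makes this three-way verdict possible at all; without it you can only check the signature.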