From lehigh.edu!virus-l Tue Sep 29 00:24:19 1992
Date: Mon, 28 Sep 1992 16:11:44 -0400
Message-Id: <9209281937.AA12337@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #156
Status: R

VIRUS-L Digest   Monday, 28 Sep 1992    Volume 5 : Issue 156

Today's Topics:

TBav50 beta or just regular tbav50 (PC)
I need info on the FORM 1704 virus (Boulder) (PC)
Re: A few questions (Stardot/V801/Michaelangelo) (PC)
A virus infecting Windows executables found (Windows) (PC)
Re: A few questions (Stardot/V801/Michaelangelo) (PC)
TSR runtime scanner needed (PC)
Recent IBM Virus List? (PC)
Virus information for thesis
The Hacker Files
Thank you for help with Stoned (PC)
I-M124.ZIP - Integrity Master data integrity/anti-virus (PC)
Call for papers - Ides of March virus conference

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information
on accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 23 Sep 92 21:18:10 +0000
From:    ian@bvsd.co.edu (Ian Nelson)
Subject: TBav50 beta or just regular tbav50 (PC)

Is there an FTP site that has TBAV 5.0beta (or non beta if it's done
yet)?

adv(tnx)ance,
Ian Nelson
- --
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.0

mQBYAiqtYqEAAAECWKssWKoVxXAu9S0A/rKepT1GT+PJjv+lHh1LyIYwI9gzfnoq
ydwdKIJ81qIDgkMAliSIOWZiGSYbXszmmspRDenRARe15NOEM36pGQAFE7ABh7Qc
SWFuIE5lbHNvbiA8aWFuQGJ2c2QuY28uZWR1PrABAw==
=bpll
- -----END PGP PUBLIC KEY BLOCK-----

------------------------------

Date:    Fri, 25 Sep 92 19:14:54 +0000
From:    garth@nyx.cs.du.edu (Garth E. Courtois Jr.)
Subject: I need info on the FORM 1704 virus (Boulder) (PC)

Virucide detected the FORM 1704 virus on my /XT clone and Central
Point removed it. I would like to find out more about this virus and
the damage it causes, if any. Could someone who has knowledge of this
call in Boulder at 499-7044, please?

- -garth@nyx.cs.du.edu Garth Courtois Jr.
- --
- --garth@nyx.cs.du.edu Garth E. Courtois Jr. (303)-499-7044
- --

------------------------------

Date:    Fri, 25 Sep 92 16:22:53 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: A few questions (Stardot/V801/Michaelangelo) (PC)

There seem to be some common mythconceptions here that I'll try to
clear up.

>From: "NBECC::KENNEY"

(actually several postings on this but these questions were
intelligently phrased).

>- - how stealthy was Michaelangelo, and does it survive warm boots?

It is (not was) not "stealthy" at all and does not survive warm boots
(but don't rely on it). In fact it is rather stupid but that does not
make it any less dangerous.

>- - can you tell where the start and end of an infected file are supposed to
>be algorithmically, so that one routine could trim off all length-variants of
>one or more virii?

If the virus is "well written" and does not "intend" destruction this
might be true.
Unfortunately this is not the case. For instance, Michelangelo is
known to foul up 720k floppies, not deliberately, but because it
*assumes* that all non-360k floppies are the same.

Problem is that many viruses do not attach themselves properly to
files & overwrite part of the file or lose the original pieces. Once
this happens the file cannot be reconstructed. Unlike the movies where
every virus does exactly what it is supposed to, in the real world
virus code is incredibly buggy. Possibly this is because those people
who could write one without bugs won't 8*) - but don't count on it.
(do you hear an echo here ?)

Of course buggy code is not only the province of virus writers, I have
been amazed at how bad "professional" software has gotten lately
including a couple of releases that IMHO should never have made it out
of Alpha testing - I mean stuff that will not work on certain
platforms. Recently one piece of commercial software was distributed
containing 286 reserved instructions and advertised for "all PCs".
Another version 1.0 from a major house allowed you to change the
colours on everything *except* the active window. Sheesh.

> Since Stoned + Michaelangelo = bye-bye FAT, this is getting
>very interesting. (I've sent the Stardot to Norton, so maybe on their
>next update...)

Not quite, I can always fix this combination without much trouble and
no FAT damage (well some overpopulated floppies maybe) but have heard
a number of reports that if you add Norton's Disk Doctor to the
mixture, partitions have been lost, particularly HUGE ones.

Warmly,
Padgett

------------------------------

Date:    27 Sep 92 21:23:12
From:    Ari.Hypponen@hut.fi (Ari Hyppönen)
Subject: A virus infecting Windows executables found (Windows) (PC)

A new virus capable of infecting Windows executables has been found.
The new virus uses direct action methods and does not infect DOS EXE
files.
It seems that this new virus, called Win_Vir.14, is the first virus to
successfully spread under the Windows operating environment using the
native NE format. Data Fellows Ltd of Helsinki, Finland obtained a
sample from Sweden. Here are some preliminary research notes about the
virus:

_____

Apparently the first virus to infect Windows executables has been
found. The virus activates when an infected file is run and copies its
code to other Windows EXE files. These notes are from a preliminary
analysis and may contain errors.

- - The sample was obtained 26.9.1992 from Goteborg, Sweden. The
    original source is not known.
- - The sample contains a parasitic, direct-action virus, which infects
    EXE files of the New Executable format, i.e. Windows executables.
- - DOS EXE files are not infected.
- - The code of the virus contains two strings: 'Virus_for_Windows v1.4'
    and 'MK92'
- - Final name for this virus has not yet been decided. The suggested
    name is Win_Vir.14.
- - Win_Vir.14 is not detectable by any of the current virus-scanners in
    their normal scanning modes.

The infection process is as follows:

1. Virus gains control when an infected program is run.
2. The virus searches for a suitable victim file (*.EXE) from the
   current directory using DOS INT 21, AX=4E, 4F services.
3. If no files are found, program is terminated with INT 21, AX=4C00.
   The host program never gets executed.
4. The victim file is opened and the date and time are memorized.
5. MZ and NE (New Executable) signatures are checked. Relocation table
   offset is checked to be below 40h.
6. Various items of the NE header are checked to match the infection
   criteria.
7. Virus code is inserted into the middle of the victim.
8. The original code is moved to the end of the program.
9. The NE header's CS:IP address is changed to point to the start of
   the virus.
10. The virus removes its code from the original host restoring it to
    the exact state it was in before infection.
11. Virus terminates.
Notes:

- - While terminating itself the virus also terminates the host
    program, so when the user starts an infected file it will simply
    fail to do anything. This will usually look like a missed
    double-click.
- - If the same file is started again, it will run normally, as the
    virus has already removed itself from the file at that time.
- - Infected files grow by 854 (356h) bytes.
- - The virus conserves date attributes.
- - The virus is not crypted or protected in any way.
- - The code does not seem to contain any triggering routines.
- - If the executable includes attributes for allowing relocation of
    segments, this attribute is removed from the infected segment.
- - The virus carries the name of the host program and also the name
    of the program that infected it.
- - The virus might be able to infect OS/2 files also. This has not
    been tested.

A temporary search string to find the infected files follows (in
F-PROT USER.DEF format):

-------- cut here and insert into USER.DEF ---------
E Win_Vir.14 813C4E457516817C0C0203750F807C3204750981
--------------------- cut here ---------------------

Remember to use the /USER switch if using F-PROT in command line mode.

For more information, contact

Data Fellows Ltd
F-PROT Support
Mikko Hypponen
Wavulinintie 10
SF-00210 Helsinki
Finland

Internet: Mikko.Hypponen@compart.fi
Phone:    +358-0-692 3622
Mobile:   +358-49-648 180
Fax:      +358-0-670 156

- --
Ari Hyppönen, Ari.Hypponen@hut.fi

------------------------------

Date:    Mon, 28 Sep 92 07:11:44 -0400
From:    Otto Stolz
Subject: Re: A few questions (Stardot/V801/Michaelangelo) (PC)

Hello,

this is another item in the Facts & Fibs chapter I want to set
straight, publicly. I've sent a Stoned and Michelangelo memo directly
to NBECC::KENNEY, and I hope somebody else will post info about the
other viruses mentioned.

On 23 Sep 92 18:00:00 -0800 NBECC::KENNEY said:
> [...] Michaelangelo, and does it survive warm boots?
As a MBR infector, Michelangelo will automatically be run early in the
boot sequence. Hence there is no need to deal with a warm boot in any
particular way: the virus will be installed anyway.

> can you tell where the start and end of an infected file are supposed
> to be algorithmically, so that one routine could trim off all length-
> variants one or more virii?

This question is misleading. Remember that it is *not* enough to strip
the virus code off a program; the more important step in disinfecting
is to replace that part of the program that gives control to the virus
with its original contents. Usually, this is contained in the virus
code, but in a form highly dependent on the particular virus; hence,
you must identify the virus reliably before attempting any
disinfection.

Many viruses do not keep enough information to re-construct the
original contents of the program file precisely (e.g. the exact length
of the uninfected program may be unknown); this will render
self-checking programs inoperable. Sometimes, a virus is not identified
reliably by the disinfectant program (e.g., in case of a hitherto
unknown variant of the virus); this may invalidate the info needed to
re-construct the original file. These, and similar, dangers render
disinfecting a hazardous endeavour. It is always safe (and sometimes
the only option left) to replace the infected programs with copies
from the original, write-protected distribution disks.

These remarks hold, mutatis mutandis, for all sorts of viruses: You
can remove file-viruses by re-installing the programs, companion
viruses by deleting the companion file (i.e. the part that gives
control to the virus), DOS boot sector viruses by FORMATing the
infected disks, MBR viruses by replacing the infected MBR, etc.
(The latter can be accomplished by the DOS-5.0 command "FDISK /MBR",
if the partition table is still in place, which you can check via
booting from a floppy disk: if you can still access all partitions of
the HD, read and even modify the files on those partitions, then the
partition table is ok.)

> Since Stoned + Michaelangelo = bye-bye FAT, this is getting
> very interesting.

Stoned + Michaelangelo (on most systems, and on most days of the year)
does *not* affect the FAT. Rather, the MBR will be lost, hence the
system won't boot from its hard disk, and cannot be disinfected (i.e.
by recovering the original MBR). You can still boot the system from a
floppy disk (or any other external medium, e.g. via a network), and
you can always write an entirely new MBR to the HD to recover from the
infection without loss of data.

Kenney's misconception may stem from the fact that on particular
systems (e.g. DOS 2, on a 20MB HD), Stoned, or Michelangelo, will
overwrite part of the FAT (probably accidentally) with the original
MBR.

Best wishes,
Otto Stolz

------------------------------

Date:    Mon, 28 Sep 92 14:46:42 +0000
From:    monta_l@dist.dist.unige.it (Marco Gualdi)
Subject: TSR runtime scanner needed (PC)

Hi folks!

I need a TSR runtime scanner with the ability to scan for a single
user-defined virus signature. I'm able to compile and/or assemble a
similar program, so the sources are agreed.

I have a lot of problems with the Stanco virus (a local production, I
suppose). Bontchev, Frisk and McAfee know it, but no scanner
recognizes it, yet.

_______________________________ | According to the latest official figures,
__/~\_______/~\____/~~~~~~~\___ | 43% of all statistics are totally worthless.
__/~~\_____/~~\___/~\_____/~\__ | _____________________________________________
__/~~~\___/~~~\___/~\_____/~\__ | Marco Gualdi                     MaGu on irc
__/~\/~\_/~\/~\___/~\__________ | (monta_l@dist.dist.unige.it)
__/~\_/~~~\_/~\___/~\__/~~~~\__ | _____________________________________________
__/~\__/~\__/~\___/~\_____/~\__ | To be sure of hitting the target, shoot first
__/~\_______/~\___/~\_____/~\__ | and, whatever you hit, call it the target.
__/~\_______/~\____/~~~~~~~\___ | _____________________________________________

------------------------------

Date:    Mon, 28 Sep 92 17:21:28 +0000
From:    mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: Recent IBM Virus List? (PC)

Where can I find a current list of known IBM viruses that is in the
public domain? I am looking for virus name, type, disinfectant method,
and short description if possible. I see a lot of lists, but most of
them are either (a) old or (b) copyrighted.

- --
John Mechalas                          [This space intentionally left blank]
mechalas@mentor.cc.purdue.edu
Purdue University Computing Center     Help put a ban on censorship
General Consulting                     #include disclaimer.h

------------------------------

Date:    Sep 25 92 15:23:28
From:    hmaldona@mtecv2.mty.itesm.mx
Subject: Virus information for thesis

Hello I am Hugo Maldonado from Monterrey, could you send me info about
some virus for my thesis!!! I need it so much thanks very much...

Vampi on IRC

------------------------------

Date:    Mon, 28 Sep 92 11:52:14 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: The Hacker Files

One of the advantages of our family structure is that the many diverse
interests sometimes cross. Accordingly, when I saw reference to a new
comic book series called "The Hacker Files" from DC, getting a set was
just a matter of passing the request along to the appropriate member.
As a result, I was able to examine the first four issues of what is
billed to be a 12 copy series.
They would appear to be successful since after the first two issues,
the price went up from US1.95 to US2.20.

Since my mainstream comics reading has been confined to the newspaper
since the newsstand variety ceased to be "52 pages, 10 cents", the
modern version came as something of a shock. Obviously obtaining the
"Comics Code Authority Seal of Approval" is no longer an issue. The
graphics are rather well done though.

In the letters section of the first issue, the writer explains that
the idea came to him in 1989. This would appear correct since the
storyline revolves around a combination of the plot from "WARGAMES"
and the Morris Worm on Internet (population 60,000). A reasonable
attempt at accuracy is made though a few technical flaws are evident
(difference between a Virus and a Worm is that Worms don't propagate,
erasing a file irretrievably destroys it). Along the way, homage is
paid to the current fascination with TEMPEST which is nothing more
than a military equivalent of the US FCC part 15 which deals with
radiation from computing equipment (see the label on the back of any
PC).

The most disturbing issue is the ethical one: the "hero" is a
brilliant social misfit (just ask his ex-wife) in his mid-thirties who
seemingly avoids all attempts at personal hygiene, builds trapdoors
into commercial operating systems software, and displays all of the
traits of the classical "disgruntled employee" who feels that he
"owns" all of the software developed while working for someone else.
Further, when the source of the problem is found to be a virus, he
unhesitatingly releases a "retro-virus" (a nice flow diagram is shown
in the background) on the Internet. Long-time readers of Virus-L will
immediately understand why this is not considered a good thing to do.
As the plot progresses, no hesitation is shown in making structural
changes to NORAD and Pentagon systems.
Also much is made of his use of lockpicks to break into filing
cabinets and restricted doors (that were apparently carried through
both Airport and Pentagon security). In short, while entertaining in
its fashion, hardly a good role model for fourteen-year-olds.

There has been a sudden spate of such media experiences on Television
(Secret Service, Star Trek-the Next Generation), Movies (Lawnmower
Man, Sneakers, the opening scenes of Company Business), and novels
(almost any of the techno-thrillers in recent years), but with a
steady degradation of ethical concerns. Only the TV shows have been
positive while the movies, like "The Hacker Files", seem to revel in
the "innocent people with good purposes made
criminals/persecuted/victims by bad governments/agencies/corporations
and thereby justifying illegal/unethical behaviour", a trend that
started in the early seventies but which seems to be accelerating
recently.

In other words "The Hacker Files" makes a graphic statement about the
worldview of the writer, a statement that is aimed at impressionable
minds and reminds me of the title of a novel by the late Robert Anson
Heinlein: "If This Goes On".

Padgett

ps would send a copy of this to DC Comics but no E-Mail address was
given.

------------------------------

Date:    Mon, 28 Sep 92 14:37:56 +0000
From:    msp2@midway.uchicago.edu (Michael S. Post)
Subject: Thank you for help with Stoned (PC)

Thank you for all the help I have gotten with my virus problems.
Everything is now working and virus-free. Although frustrating, I have
now learned a lot about viruses, and so maybe I'll recognize the signs
a little sooner next time, and know a little more about what to
do....

Thanks again.

--
Michael Post
mpost@math.ucla.edu

------------------------------

Date:    Sun, 27 Sep 92 02:44:00 -0400
From:    "Kenneth R. van Wyk"
Subject: I-M124.ZIP - Integrity Master data integrity/anti-virus (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil a new version of Integrity
Master which I received on floppy disk directly from the author,
Wolfgang Stiller.

pd1:
I-M124.ZIP  Integrity Master data integrity/anti-virus sys

Ken

- - -
Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.ORG (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)

------------------------------

Date:    Sun, 27 Sep 92 12:16:50 -0700
From:    Richard W. Lefkon
Subject: Call for papers - Ides of March virus conference

        SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE
                             and Exposition

    sponsored by DPMA Fin.Ind.Chapter in cooperation with ACM-SIGSAC,
    BCS, CMA, COS, EDPAAph, ISSAny, NUInypc, IEEE Computer Society

                     C A L L   F O R   P A P E R S

   Approximately 500 attendees will hear 90 speakers and 53 vendors
   over 3 days Wednesday thru Friday - March 10-12, 1993 - New York
   Ramada Madison Square

YOUR AUDIENCE: Past attendees have represented industry, military,
government, forensic and academic settings - creators and users of
related software and hardware. They travel from U.S.
and many international locations and have titles such as MIS Director,
Security Analyst, Operations Manager, Investigator, Programming Leader

TOPICS OF INTEREST INCLUDE (but are not limited to):
   - prevention, detection, and recovery from viruses, crackers, and
     other unauthorized usage
   - original research in these and related topics
   - survey of products and techniques available
   - particulars of LSN, UNIX, cryptography, military use
   - Computer crime, law, data liability, related contexts
   - US/international sharing of research & techniques
   - case studies of mainframe, pc &/or network security, e.g.,
       - 1992 hurricane, flood, fire disaster recovery
       - recent court decisions
       - security implementation and user awareness in industry

PAPER SUBMISSION: Send a draft final paper for receipt by Wednesday,
10/28/92. Address to Judy Brand, Conference Chair, box 6313 FDR
Station, New York, NY 10150, USA. Please include a small photo and
introductory bio not exceeding 50 words. Successful submitters or
co-authors are expected to present in person. Presenters receive the
Conference Proceedings and complimentary admission.

PAPER FORMAT: Send one original and three copies. When making the
copies, please cover over the author name(s) and other identifying
data. Each paper goes to three reviewers. Type double spaced, with
page# below bottom line (may be handwritten): TITLE (caps); Name;
Position, Affiliation; Telephone, City/State/Zip, Electronic Address
(optional).

NOTIFICATION: Written and (where practicable) telephoned confirmation
will be initiated by Monday, 1/13/93, to facilitate low cost travel.
Those needing earlier notification should attach a note. You may be
asked to perform specific revisions to be accepted. Nobody can
guarantee you a place without an acceptable paper.

AT THE CONFERENCE: There are five tracks. Time your presentation to
last 40 minutes and have clear relation to your paper. A committee
member will preside over your assigned room and adhere to schedule.
Don't hesitate to submit a presentation you've given elsewhere to a
more specialized audience. Most attendees will find it new - and
necessary. On-site schedule is duplicated early on first day. If you
may have a work emergency you can reschedule or substitute your
co-author.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 156]
******************************************
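The Win_Vir.14 analysis earlier in this digest describes the file checks the virus performs (MZ and NE signatures, a relocation-table-offset check) and gives a temporary F-PROT USER.DEF search string for finding infected files. The following Python scanner is an added example, not part of the digest, of F-PROT, or of Data Fellows' code: it parses a line in the USER.DEF layout shown in the post into a byte pattern, decides whether a file image is a Windows New Executable (MZ header, new-header offset at 3Ch pointing at an NE signature), and reports whether and where the pattern occurs. Assumptions for this example: the leading "E" field is read as a file-type marker; the e_lfarlc field at 18h is reported but not used as a gate; the sample images are constructed, not real programs; all function names are this example's own.

```python
"""Added example (not part of the VIRUS-L digest, F-PROT, or Data Fellows' code):
scan Windows New Executable (NE) files for a hex search string given in the
USER.DEF-style line quoted in the Win_Vir.14 post.  Header layout used:
'MZ' at 0, e_lfarlc (relocation table offset, 16-bit) at 18h, e_lfanew
(offset of the new header, 32-bit) at 3Ch, 'NE' at e_lfanew.  Sample images
built below are constructed for this example and are not real programs.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# The search string exactly as posted for Win_Vir.14.
WIN_VIR_14_USERDEF = "E Win_Vir.14 813C4E457516817C0C0203750F807C3204750981"


@dataclass
class Signature:
    kind: str       # leading field ("E" in the post; read here as an EXE-type marker, an assumption)
    name: str
    pattern: bytes


def parse_userdef_line(line: str) -> Signature:
    """Parse one 'type name hexstring' line in the layout shown in the post."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    kind, name, hexstr = fields
    if len(hexstr) % 2:
        raise ValueError("hex string must contain whole bytes")
    return Signature(kind, name, bytes.fromhex(hexstr))


def ne_header_offset(image: bytes) -> Optional[int]:
    """Offset of the 'NE' header, or None if the image is not a New Executable."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 2 > len(image) or image[e_lfanew:e_lfanew + 2] != b"NE":
        return None
    return e_lfanew


def scan_image(image: bytes, sig: Signature) -> dict:
    """Classify the image and search the whole image for the signature bytes."""
    ne_off = ne_header_offset(image)
    hit = image.find(sig.pattern)
    e_lfarlc = struct.unpack_from("<H", image, 0x18)[0] if len(image) >= 0x1A else None
    return {
        "signature": sig.name,
        "is_ne": ne_off is not None,
        "ne_header_offset": ne_off,
        "e_lfarlc": e_lfarlc,   # reported only; the post says the virus inspects this field
        "match": hit != -1,
        "match_offset": hit if hit != -1 else None,
    }


def scan_file(path: str, sig: Signature) -> dict:
    """Scan a file on disk with scan_image."""
    with open(path, "rb") as fh:
        return scan_image(fh.read(), sig)


def build_ne_image(body: bytes, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal MZ/NE-shaped image for testing (constructed, not a real program)."""
    mz = bytearray(e_lfanew)
    mz[0:2] = b"MZ"
    struct.pack_into("<H", mz, 0x18, 0x40)       # e_lfarlc = 40h, the usual value for new-format EXEs
    struct.pack_into("<I", mz, 0x3C, e_lfanew)   # e_lfanew -> NE header
    ne = bytearray(0x40)
    ne[0:2] = b"NE"
    return bytes(mz) + bytes(ne) + body


def demo() -> dict:
    """Run the posted signature over three constructed images and return the reports."""
    sig = parse_userdef_line(WIN_VIR_14_USERDEF)
    clean = build_ne_image(b"\x90" * 64)
    # Constructed 'infected' image: the posted pattern embedded in the code area.
    suspect = build_ne_image(b"\x90" * 16 + sig.pattern + b"\x90" * 16)
    # Plain DOS EXE shape: e_lfanew is 0, which points back at 'MZ', not 'NE'.
    dos_only = b"MZ" + b"\x00" * 0x3E + b"\xCD\x20"
    return {"clean": scan_image(clean, sig),
            "suspect": scan_image(suspect, sig),
            "dos_only": scan_image(dos_only, sig)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:9s} is_ne={report['is_ne']!s:5s} match={report['match']} "
              f"offset={report['match_offset']}")
```

A scan-string hit is only a screening result: the post itself calls the string temporary, and a match in a non-NE file (is_ne False) is more likely a false positive than an infection, which is why the report separates the file-type check from the pattern search.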