From: SDS::"virus-l@Lehigh.EDU" 11-SEP-1992 01:53:22.30
To: 3338$SPAN::HENDEE
CC:
Subj: VIRUS-L Digest V5 #150

Received: from CS2.CC.Lehigh.EDU by Sdsc.Edu (sds.sdsc.edu STMG) via INTERNET;
          Thu, 10 Sep 92 21:57:05 GMT
Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA21571
          (5.65c/IDA-1.4.4 for ); Thu, 10 Sep 1992 17:32:37 -0400
Date: Thu, 10 Sep 1992 17:32:37 -0400
Message-Id: <9209102038.AA25851@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #150

VIRUS-L Digest   Thursday, 10 Sep 1992    Volume 5 : Issue 150

Today's Topics:

tbscanx41 and scan95 ! (PC)
"New" 1530 virus ? (PC)
Auto-detecting Virus (PC)
Re: Bug in F-PROT? (PC)
Re: Stoned/Azusa haunting (PC)
re: Windows virus? exists? (PC)
Re: Lydia virus (PC)
Re: Bug in F-PROT? (PC)
Scanners and polymorphic viruses (PC)
Problems with F-PROT (V2.05) (PC)
A new virus????? HELP! (PC)
scads of viri... (PC)
Re: Netware and viruses - some new results (PC)
New virus that scanv95b cannot pick it up!!!(HELP) (PC)
Re: Windows virus? exists? (PC)
F-PROT 2.05 on Netware . . . (PC)
Re: On daily scanning (general)
Re: Fingerprinting self-modifying files
Registration and Hotel Information - 15th National Computer
Farewell to network, for now

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 08 Sep 92 16:38:23 -0400
From:
Subject: tbscanx41 and scan95 ! (PC)

Hello... I was working on my computer... and had tbscanx41 resident
when I tried scan95 (new!) for the first time... and it found the
Israeli Boot virus... in the boot sector! I thought it was real, but I
wanted to see if it was true... I deactivated tbscanx41 and ran scan95
... guess what?? NO VIRUS FOUND!! I ran tbscanx41 again... then scan
c:... and again it found the virus.

CONCLUSION: scan95 and tbscanx41 DON'T work well together!

Is it a bug...? (must be)

thanks..

<<>>  ---:<:---
Marcelo A. Maraboli R.                     "The Diode"
Student of Electronic Engineering          The Beginning of the
Universidad Tecnica Federico Santa Maria   Electronic Age
I5MMARAB@UTFSM.BITNET

------------------------------

Date: Tue, 08 Sep 92 17:42:36 -0400
From: Ken De Cruyenaere 204-474-8340
Subject: "New" 1530 virus ? (PC)

A new virus has turned up on our campus. McAfee v95 identifies it as
"1530" but will not clean it. CPAV (1.2) does not detect it. F-PROT
(V2.05) does not detect it (even in HEURISTICS) (!) When infected,
VIRSTOP does note that it has been changed and tells one to boot from a
clean diskette, but VIRSTOP doesn't stop the boot at that point (?!).

It appears to infect .EXEs and .COMs. It seems to go for COMMAND.COM
first. Infected files increase in size (by approx. 1960) but the date
doesn't change.

The following search string seems to be unique to the virus:

    06 56 57 50 53 51 52 8C DE

(but hasn't been tested very thoroughly at this point)

- Ken -
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA   Voice:(204)474-8340   FAX:(204)275-5420

------------------------------

Date: Sun, 06 Sep 92 11:04:38 -0000
From: Alexander_Ofek@p8.f101.n9721.z9.virnet.bad.se (Alexander Ofek)
Subject: Auto-detecting Virus (PC)

In a message to All <02 Sep 92 17:52> Denis Beauregard wrote:

DB> I would like to write a program that will check if it is per se
DB> holder of a virus. The method I have in view :
DB> Compile the program.
DB> Compute the checksum of the program.
DB> Put the checksum in the program.
DB> When starting the program : Stop the
DB> program if the checksum has been altered.

Your approach will fail to detect a stealth virus like 1963 or dir2. To
be on the safe side you will have to read the directory using absolute
read (int 13h) and follow the FAT chains yourself. Of course it might
be useful to check whether the interrupt vector of int 13h still points
to the BIOS area.

DB> Would it be safer to use a 32 bit checksum (I understand a 16 bit
DB> checksum would mean if something is wrong, odds are 1 to 65536 not
DB> to find it). A 32 bit machine will just count faster a 32 bit sum.
DB> So I would use 32 bit for speed reasons instead of security (while
DB> changing the checksum will be harder if 32 bit, and still more if
DB> instead of adding 32 bits, I mask some bits and add them twice).

Use any CRC check with an UNUSUAL (i.e. rarely used) polynomial.

regards
Alexander Ofek

------------------------------

Date: Wed, 09 Sep 92 13:17:37 +0300
From: Tapio Keih{nen
Subject: Re: Bug in F-PROT? (PC)

>fprot 2.05 thinks a couple of menu.com files are infected with CREW.
>However, that happens only w/Quickscan, not w/ Secure or Heuristics and
>2.04 finds no problem. Unfortunately, Virstop also detects CREW and halts.

I'm quite sure that this is just a false alarm. Crew is not known
outside Finland (although I suspect it has been made in Germany). It is
a very slow infector (it infects only .COMs bigger than ~10 kb if the
month is January-May), so it doesn't have too many chances to spread
widely.

You can check whether the files have a Crew infection or not by looking
at the end of them, to see if you can find a big ASCII graphic logo
with texts like 'Notice this: TS ain't smart at all!' etc.

But, in case Crew has reached the USA, it might be a new version of it.
If this turns out to be a real Crew infection instead of a false alarm,
I'd like to hear more about it...

--
-- Tapio Keihanen    \ rare DIO records wanted /   Holy Father - Holy Ghost
   tapio@nic.funet.fi \                       /    Who's the one who hurts you most?

------------------------------

Date: 09 Sep 92 10:45:19 +0000
From: rmartin@oasys.dt.navy.mil (Robert Martin)
Subject: Re: Stoned/Azusa haunting (PC)

In comp.virus, Felix.Lafontaine@f23.n367.z1.FIDONET.ORG (Felix Lafontaine) writes:

>DT> scan a: - 1 virus found [azusa]
>DT> clean a: [azusa] - 1 virus removed [azusa]
                                        ^^^^^
[stuff deleted]

If the 'azusa' virus is haunting you, you should check all floppies
before using them. We discovered the virus here about 1 1/2 years ago.
We also discovered the source. The virus was located on factory
write-protected software. This software was Trident's TVGA 8800 or 8900
driver disk (I don't remember which right now). If you are using an
older Trident driver disk, I would definitely check it out.

Regards,
Bob

------------------------------

Date: Wed, 09 Sep 92 08:52:30 -0400
From: "David M. Chess"
Subject: re: Windows virus? exists? (PC)

>From: alan@saturn.cs.swin.OZ.AU (Alan Christiansen)
>
>I was just wondering. Are there any viruses that are windows
>specific....
There are one or two viruses that recognize Windows executables and do
special things to them (erase them, overlay them with Trojan code of
one kind or another, etc). I know of no virus that can correctly infect
a Windows (or OS/2) executable in such a way that the virus will be run
when the program is run under Windows (OS/2); the structure of these
new-format EXE files is considerably more complex than old-format DOS
EXEs, and viruses generally either don't infect them at all, break them
while trying to infect them, or (rarely) infect the "DOS fork" (the
little program that runs and says "I don't run in this environment"
when you try to run one under flat DOS). Not that it would be
impossible to write a virus that did it, of course; we just haven't
seen one yet. The virus-writers will have to develop some new
technology... *8)

DC

------------------------------

Date: Wed, 09 Sep 92 10:23:56 -0400
From: "Vaughan.Bell"
Subject: Re: Lydia virus (PC)

I have disassembled and analysed a 643 byte Vienna variant I have named
Lydia. This is NOT detected by any current virus scanners correctly but
is detected as a Vienna variant (or is usually detected in some way).
It is pretty harmless and poses very little threat. DON'T PANIC.

Anyway here is my brief report..

A description of the Lydia Virus
A 643 byte variant of the Vienna virus

by Vaughan Bell
162 Dunstone View
Plymouth
Devon
PL9 8QL
UNITED KINGDOM

Internet:- vaughan@uk.ac.plym.sc

Overview

The Lydia virus was given to me as a 643 byte variant of the Vienna
virus. The Vienna virus is one of the first viruses that emerged and
has many variants, possibly due to the publication of the source code
in a book and a magazine. After a little investigation I noticed that
the virus scanners I had did not detect the virus correctly, at all, or
only as a 'Possible variant of the Vienna' virus. So it was
disassembled and analysed and this brief report was written.

Name:              Lydia
Effective length:  643 bytes
Infection Method:  Parasitic non-resident .COM infector
McAfee Code:       PNCK
Discovered:        Early 1992
Symptoms:          .COM file growth
Scan string:       A68B4475241F3C1F74EF817C79CEFA77

General Details

The virus is a 'direct action' virus in that it does not reside in
memory and infects one other .COM file in the current directory when
an already infected program is executed. If there are no other .COM
files in the directory or they are already infected the virus will
infect .COM files in the current path. The Lydia virus does not use a
specific value (usually 62 with Vienna variants) in the seconds field
of the file's timestamp to detect infection.

This Vienna variant also does not have a payload; it does not delete
the host file or reboot the computer. It seems to have been written
with no intentional damage in mind but some .COM programs crash when
executed. The virus also does not check the size of the file it is
infecting, so if the addition of the virus causes the size of the .COM
program to be greater than 64k an 'Out of memory' will occur,
rendering the program un-executable.

There are several text strings which appear in infected programs; these
are as shown below:

"Lydia 1.0 (C) 1992 by L'amore"
"ViRuS Lab USA"
"*.SYS"
"*.COM"
"PATH="
"????????COM"

The 'PATH=' string will immediately be followed by the name of the host
program (in upper case characters); also the name of the host program
(also in upper case characters) will appear elsewhere. The name of the
virus comes from the first text string. The '*.SYS' is not used by the
virus and .SYS files are not infected. However, there seems to be some
'junk' in the code that would indicate that the virus was released
unfinished or that this is a prototype or test version of a virus that
hasn't been released.

The code seems to have been written by someone who does not have a
complete grasp of assembly language or at least of the architecture of
the 80x86 series of microprocessors, as some of the code is inefficient
and could be optimized considerably to make the executable code
shorter. I would imagine the virus is written by a 'beginner'.

The virus poses no major threat as it can easily be detected and it
does no intentional damage. The virus is not polymorphic or
self-encrypting and does not use any stealth techniques. The most
effective way to remove the virus is to replace infected files with
clean copies.

------------------------------

Date: 09 Sep 92 19:12:00 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bug in F-PROT? (PC)

glauber@ele.puc-rio.br (Glauber Maciel Santos) writes:

> Despite this, I consider F-PROT to be the best antivirus
> program ever written. The rate at which its updates appear is

I share your opinion that F-Prot is an excellent anti-virus program,
but would slightly correct you, by saying that "F-Prot is one of the
best -scanners- available".

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev                   Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
** PGP public key available on demand. **      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 09 Sep 92 19:31:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Scanners and polymorphic viruses (PC)

Hello, everybody!

With the advent of the sophisticated polymorphic viruses like Dark
Avenger's Mutating Engine, it is becoming more and more obvious that
the scanners have a really hard time detecting all infections. I have
already posted several articles about how well (or, more exactly, how
badly) the different scanners detect the MtE-based viruses.
Several people have asked me why I am testing only MtE detection
capabilities, since none of the currently existing MtE-based viruses is
intelligent enough to spread widely and to be a significant danger. I
am doing this because the MtE is one of the most sophisticated tools
for building polymorphic viruses and presents a lot of trouble to the
producers of scanning software. Therefore, the inability to detect the
MtE-based viruses shows very well how limited the scanners are - the
MtE has been available for almost a year, yet only about a dozen
scanners achieve at least some success in detecting it. Of them about
half are unable to detect it reliably.

However, the MtE-based viruses are not the only polymorphic viruses
which present problems to the scanners... I have tested several
scanners on a lot of examples of some of the most polymorphic viruses.
There is a clear need to use a lot of examples, since some scanners are
able to detect only one or two instances of some polymorphic viruses -
the examples that the producer of the scanner has...

I used the following viruses during the tests:

Standard CARO name:     Number of different mutants generated:
-------------------     --------------------------------------
Andryushka.A            46
Emmie                   16
Haifa.Haifa             105
Haifa.Motzkin           101
Involuntary.A           8
Involuntary.B           89
Maltese_Amoeba          39
MtE_0_90.Dedicated      96
MtE_0_90.Pogue          98
MtE_0_90.Questo         101
MVF                     96
Necros                  115
PC-Flu_2                35
Silly_Willy             93
Simulate                29
Slovakia.2_02           81
Slovakia.3_00           57
StarShip                148
Tequila                 68
Todor                   101
V2Px.V2P1               35
V2Px.V2P2               8
V2Px.V2P6               27
V2Px.V2P6Z              61
WordSwap.1391           3
WordSwap.1495           10
Whale                   164 (covering mutants #00 to #33)

The following scanners were used during the tests:

Scanner:        Version:   Producer:
--------        --------   ---------
FindVirus       4.34       S & S International
F-Prot          2.05       FRISK Software
VIRUSCAN        95         McAfee Associates
HTScan          1.8        Harry Thijssen
VirX            2.4        Microcom
AntiVir IV      4.04       H+BEDV
Anti-Virus+     4.20.01    IRIS
CPAV            1.0        Central Point Software

Some comments.

You all know the first three products; I used the latest versions
available.

HTScan is a user-programmable scanner. It depends on a text file
containing wildcard scan strings. Since most polymorphic viruses cannot
be detected this way (they need an algorithmic approach), I tested
another feature of the scanner - the so-called AVR modules. They are
small programs loadable at runtime, which are executed by the scanner
and are supposed to perform algorithmic detection of those polymorphic
viruses which cannot be detected with simple or even with wildcard scan
strings. In this particular version, there are AVR modules for
Maltese_Amoeba, MtE-based viruses, and the V2Px.* series.

VirX I couldn't test. It does something incredibly stupid - it tries to
keep the whole report file in memory. Of course, it soon runs out of
memory, so no record is kept about which viruses are detected and which
are not. I did only a partial test - on the MtE-based viruses only.

We have only a very ancient version of CPAV, so the test results for it
are not up-to-date. That version tried to detect only V2Px.* and
Whale. Unsuccessfully, on top of that...

Here are the results of the tests. Note that when I say that a scanner
reliably detects a virus, this holds only for these tests. It does not
mean that it will be able to detect all possible instances of the
virus; it just means that I have been unable to find an instance that
it does not detect. However, when I say that a scanner does not detect
a virus reliably, this means that it misses at least one example and I
have proven this.

FindVirus detected all infected files. However, this result is not
very fair towards the other scanners, since Dr. Solomon had access to
the infected samples before submitting that version of the scanner.
This was not so with the other anti-virus producers.

F-Prot failed to detect at all Necros, Silly_Willy and Todor. It failed
to detect reliably Andryushka.A, Whale (mutant #32), and V2Px.V2P6Z
(only one example missed). It detected reliably all other viruses.

VIRUSCAN does not detect at all Andryushka.A and StarShip. The latter
is rather strange, since I submitted examples of this virus to McAfee
Associates months ago. The scanner does not detect reliably
MtE_0_90.Questo, MVF, Slovakia.2_02, Slovakia.3_00, V2Px.V2P6Z (only
one example missed) and Whale (mutant #33 missed). It also sometimes
misidentifies MtE_0_90.Pogue as 7thSon (when the virus is not
encrypted), but SCAN is proverbial for its lack of exact
identification. It succeeded in detecting the other viruses reliably.

VirX, tested on the MtE-based viruses only, still does not recognize
those viruses reliably. It missed 12 of the total 292 examples.

AntiVir IV (a German anti-virus product) does not detect at all
Andryushka.A, Emmie, Haifa.Haifa, Haifa.Motzkin, Involuntary.A,
Involuntary.B, MVF, Necros, PC-Flu_2, StarShip and Todor. It failed to
identify correctly V2Px.V2P2 (one missed example) and Whale (several
mutants). The other viruses were detected reliably - even the MtE-based
ones, with the exception that the non-encrypted files infected with an
MtE-based virus were reported to contain two viruses.

HTScan's AVR module for Maltese_Amoeba (IRISH.AVR) doesn't detect the
virus reliably. Surprisingly, the collection of wildcard scan strings
for the same virus, which is present in the text database, -does-
detect this virus reliably. So, my advice to the users of HTScan is to
delete the file IRISH.AVR and to rely on the database of signatures.
The module for Haifa.Haifa detected reliably all instances of the
virus, but didn't detect even one instance of the related virus
Haifa.Motzkin. The module which is supposed to detect MtE-based viruses
(its version is 2.3) failed to detect the non-encrypted examples
infected with MtE_0_90.Pogue and MtE_0_90.Questo. The module for the
V2Px viruses (called "Washburn") detects reliably V2Px.V2P1, but missed
one instance of V2Px.V2P2, three instances of V2Px.V2P6 and lots of
instances of V2Px.V2P6Z. The Whale virus was detected reliably by the
collection of scan strings in the database.

Anti-Virus+ does not detect at all Andryushka.A, Emmie, MVF, Necros,
Silly_Willy, Slovakia.2_02, Slovakia.3_00, StarShip, Tequila, Todor,
WordSwap.1391 and WordSwap.1485. It did not detect reliably
Involuntary.A (in SYS files), MtE_0_90.Dedicated, MtE_0_90.Questo,
V2Px.V2P6, V2Px.V2P6Z and Whale (several mutants). The other viruses
were detected reliably.

The above tests clearly show that most of the current scanners are
still unable to cope with the existing polymorphic viruses. Even with
such well-known viruses as V2P6 and MtE. At least one scanner was
unable to detect even Tequila! This virus is quite widespread and can
be detected with a few wildcard scan strings (3-4, I believe). And in
the near future we'll see more and more polymorphic viruses...

If some producer of scanning software thinks that his product is able
to show better results but I have failed to test it, s/he is welcome
to contact me and provide me a copy of their product (or tell me where
to get it, if it is available through anonymous ftp). I am ready to
test it and to publish the results, provided that:

1) The scanner is able to run without user intervention. I don't want
   to be prompted to "press any key" each time a virus is found.

2) The scanner is able to produce a report file.

3) The scanner is able to output in the report file the names of all
   files being scanned, not only those that it considers to be
   infected.

4) The scanner requires a reasonable amount of memory. For instance,
   Norton Anti-Virus 2.1 refused to run in about 400 Kb free memory.

A description of how to instruct the scanner to conform to the above
requirements (i.e., secret options, etc.) is welcome.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev                   Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
** PGP public key available on demand. **      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 09 Sep 92 17:17:51 -0400
From: Ken De Cruyenaere 204-474-8340
Subject: Problems with F-PROT (V2.05) (PC)

As a satisfied user of F-PROT I have to comment on a couple of problems
I have with the latest version.

1) It no longer has the "SCANNING MEMORY FOR VIRUSES" box come up at
   start-up time, though that is apparently what it is doing. The
   result is a span of several seconds where the menu appears ready
   for action but does not respond.

2) VIRSTOP no longer hangs up the boot when it notices that it has been
   changed. It still produces the warning message, with the
   recommendation to boot from a clean floppy, then allows the boot to
   continue.

3) This might not be new to 2.05. When you define some signature
   strings a file called USER.DEF is created. When you INSTALL F-PROT,
   USER.DEF is NOT one of the files copied over.

Just my two cents, am I being too picky?

Ken D.
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA   Voice:(204)474-8340   FAX:(204)275-5420

------------------------------

Date: Wed, 09 Sep 92 21:44:26 +0000
From: scholl@gaul.csd.uwo.ca (Cam Scholl)
Subject: A new virus????? HELP! (PC)

HELP!!!! I seem to have encountered a new virus; I don't know what it
is or where it came from. I have run SCAN 95B on my hard disk, but it
came up with nothing. Anyways, here's what is happening. Every once in
a while, my system will try to access a file, only to find out that
somehow, it has been damaged!
This has happened to Windows 3.1 program manager groups, Lotus 123 data
files, etc. I ran Norton's disk doctor, thinking I might have something
wrong with my HD. Well, that deleted all my lost clusters, and fixed
all my cross-linked files. Shortly thereafter, I ran into the same
problem...

After much investigation, I have found that the virus seems to only
attack files with their archive bit set, meaning they've been changed
since the last backup (a few days ago I put all 120 megs on tape).
Other than that, I really don't know much, except that I keep losing
things.

Please help, and thanx,
Cam Scholl.
Internet: scholl@gaul.csd.uwo.ca

------------------------------

Date: Wed, 09 Sep 92 21:58:25 +0000
From: cass8806@elan.glassboro.edu (KYLE CASSIDY)
Subject: scads of viri... (PC)

I'd been having hard drive problems for a while, a few bad sectors a
week would pop up, so I was on my way to getting a new drive anyway ..
I run v-shield at startup and I ftp quite a bit, well last night
v-shield said it found A-VIR in memory, I powered down, booted from a
clean floppy and ran scan, which claimed to find a whopping 25
different viri. There appeared to be significant hard drive damage to a
small portion of the drive. What I'm wondering is, could this be a
false positive? I don't see how I could have picked up such a high
degree of virus infestation that went unnoticed by v-shield.... I
haven't tried rebooting the machine since then, I figured I'd try and
get a general consensus on what to do from the powers that be first.

thanks.
kc

------------------------------

Date: Wed, 09 Sep 92 19:17:49 -0400
From: Anthony Naggs
Subject: Re: Netware and viruses - some new results (PC)

Felix Lafontaine, , comments:
> JJ> From: JFORD@seebeck.ua.edu
> JJ> Newsgroups: comp.virus
> JJ> >At QUT, we have set up an experimental network to test viruses
> JJ> >networked environments, and the first results have just come
> JJ> >Test 1: Exhaustive test of netware protection setting on
> JJ> files and
> JJ> >directories against common viruses.
> That sounds well, but most of the common viruses have an
> eradicated status, so what about new viruses, like MTE-based
> viruses.

Felix, are you a French speaking citizen? I don't wish to be rude about
your English, so I shall just recommend that you compare 'common' and
'eradicated' in your dictionary.

On MTE: MTE is not a base but rather a wrapper. It is used to make
detection with scanning software more difficult. It does not provide
any 'magic' new functions for viruses.

Regards,
Anthony Naggs                      Software/Electronics Engineer
P O Box 1080, Peacehaven           (and virus researcher)
East Sussex BN10 8PZ               Phone: +44 273 589701
Great Britain                      Email: (c/o Univ of Brighton)
                                   amn@vms.brighton.ac.uk or xa329@city.ac.uk

------------------------------

Date: Wed, 09 Sep 92 19:19:55 -0400
From: Anthony Naggs
Subject: New virus that scanv95b cannot pick it up!!!(HELP) (PC)

Henry Chan, , says:
> I just found out that my computer is attacked by a new virus (maybe).
> The signature of that virus is that it always attacks the "format.com"
> file. When I viewed the file, the file contained the
> "-stack!--stack!--stack!--" string. And this string has about 10 or
> more "-stack!-" in it.

In MS-DOS 4.0 it is normal to have this in Format.Com; I don't have a
copy of 5 to hand, but suspect that does as well.

> In my friends' cases, it attacked the borlandc directory (Borland C++
> 3.0). The directory /borlandc/opernach (spelling?) has lots of junk,
> also with the word "-stack!-" and cannot be deleted.
> Also the virus rewrites the file "config.sys" with a long string of
> repeated "-stack!-".

Apart from the text in Config.Sys, why do you think there is a virus
involved? The corruption of Config.Sys may be due to DOS mangling
things, or perhaps a 'friend' playing a prank?

If you still think you have a virus then you can try using F-PROT,
available from most FTP sites and BBSs that have SCAN. Alternately you
could send an 'infected' file to some virus researchers for detailed
analysis.

Hope this helps,
Anthony Naggs                      Software/Electronics Engineer
P O Box 1080, Peacehaven           (and virus researcher)
East Sussex BN10 8PZ               Phone: +44 273 589701
Great Britain                      Email: (c/o Univ of Brighton)
                                   amn@vms.brighton.ac.uk or xa329@city.ac.uk

------------------------------

Date: Wed, 09 Sep 92 19:20:50 -0400
From: Anthony Naggs
Subject: Re: Windows virus? exists? (PC)

Alan Christiansen, , asks:
> I was just wondering. Are there any viruses that are windows
> specific.
>
> ie they infect windows programs only? infect windows OS. have
> symptoms only when windows runs etc.

There are rumours of Windows & OS/2 aware viruses, but none have
reached researchers - yet. In the incidents reported to me, the
affected individuals/companies have always cleared it up themselves,
and 'lost' the copies that they had put aside.

Anthony Naggs                      Software/Electronics Engineer
P O Box 1080, Peacehaven           (and virus researcher)
East Sussex BN10 8PZ               Phone: +44 273 589701
Great Britain                      Email: (c/o Univ of Brighton)
                                   amn@vms.brighton.ac.uk or xa329@city.ac.uk

------------------------------

Date: Wed, 09 Sep 92 19:50:58 -0400
From: Grant Getz
Subject: F-PROT 2.05 on Netware . . . (PC)

gary@sci34hub.sci.com (Gary Heston) writes:
>Greetings, all....
>
> I've run into a *very* strange interaction problem. When using
>F-Prot 2.05 to scan a group of servers, it works its way through five
>servers running NetWare 3.11 without any problem. When it gets to the
>last server, which is the one it's being run from and which has
>NetWare 2.15c installed, it scans merrily along until it hits the
>\public\ms_dos\v500 directory, then locks up *solidly*. I can't even
>toggle the numlock LED, or do a warm boot. It's red switch time.
>
> However, it'll scan a DOS 5 system without any problems at all. I
>tried changing the command line to remove the /all file selection
>switch, with the result that it locks up on a *different* file.
>Actions are identical if run interactively (I've got a user set up on
>each server to attach the other five and kick off F-Prot automatically
>upon login; I run this each morning), scanning all files or
>executables. It's consistent about which files it crashes on; scanning
>all files it doesn't like DOSSHELL.HLP, and locks *every* time. If
>checking executables only, it dies on another file.
>
> Has anyone else seen this? I've been running 2.04a for weeks without
>a glitch, and have dropped back to it until I can figure out what's
>going on. It still runs fine.
>
> My copy of FP-205 was retrieved from uunet, FWIW.

I ran into the same problem scanning my Banyan networks with F-PROT
2.05. I have not tested this theory out completely but I believe the
memory area for the scan report is filling up. On the next write to
this memory some protected or program area is being overwritten and the
program hangs. Version 2.04 must have had a bigger memory area for the
scan report. I have not checked this out, but you could try running
F-PROT in command mode; try the /SILENT switch with the /REPORT=file
switch to get away from screen output.

Good Luck !!

- R. Grant Getz                           INTERNET - KGGXG@ASUVM.INRE.ASU.EDU
Support Systems Analyst                              (192.67.165.36)
Arizona State University                  BITNET   - KGGXG@ASUACAD
Computing & Network Consulting Services - ODP   PHONE - (602) 965-5663
Tempe, AZ 85287-0101                      FAX   - (602) 965-8698

------------------------------

Date: Tue, 08 Sep 92 20:13:06 +0000
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: On daily scanning (general)

rslade@sfu.ca writes:
>Scanning has been denigrated not only for its inability to deal with "new"
>viral programs, but also due to time consumption. David Stang, in his
>seminars, stresses that a five minute scan every day adds up to a full
>20 hours, half a working week, over the course of a year.

I'll be glad to invest 20 hours/year in prevention as opposed to 20
hours of my time + the cost of 60 co-workers idled (or a manufacturing
line producing $500K/shift shut down) cleaning up after a hit.

>However, in doing some work on a fairly average machine this week (386/25,
>80 meg HD with 75 meg of files, 350 executable out of 2400 files), I noted
>that Thunderbyte Scan took only 22 seconds to scan the entire thing. (I
>didn't time any of the others, but none of them took five minutes.)

I scan a total of about 2GB (about 12K files, I think) every workday
morning, using a 386/25; the files are distributed between five NetWare
servers w/SCSI drives running 3.11 and one running 2.15 w/ESDI drives,
all connected via thin Ethernet. This scan takes about 28 minutes using
F-Prot 2.04a. I think it's the best half hour of the day, when it comes
up and says, "Infected: 0". Besides, I've got two other workstations in
my cubicle that I can use while the scan is running.

--
Gary Heston   SCI Systems, Inc.   gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
The most dangerous person in the world is Jessica Fletcher. Everywhere
she goes, people die.
------------------------------

Date: 09 Sep 92 19:15:43 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fingerprinting self-modifying files

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes:

> changes that are allowed. Quite often, the start of the file (be it
> .EXE or .COM) doesn't get changed by self-modifying programs, but does
> by viruses.

More exactly, you should determine the file entry point (i.e., the place
where the initial JMP points to in COM files and the entry point in the
EXE files) and checksum a few bytes (30-40) from that point. This is by
no means secure (it can be trivially bypassed), but at least will work
against the currently existing viruses (supposing that the virus is not
stealth or is not active in memory).

Just remembering the file entry point is not sufficient - you have to
checksum at least a few bytes from that point. The reason is that there
are several viruses, which modify not the entry point, but the place
where this entry point points to. Such viruses are LeapFrog (for COM
files), Voronezh.1600 (for EXE files), and others.

> I don't know, but probably! The version munging option in MSDOS 5
> supposedly used some self-modification. The number of programs that
> modify themselves (or other programs!) is relatively small (but still
> annoying), so can be handled as exceptions.

Unfortunately, some of these programs are very widely used... Examples
include SideKick, Borland's integrated environments, McAfee's SCAN,
SETVER in DOS 5.0...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available on demand. **   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 09 Sep 92 11:19:29 -0400
From: Jack Holleran
Subject: Registration and Hotel Information - 15th National Computer

The following information includes registration and hotel information for
the upcoming 15th National Computer Security Conference. Appropriate phone
numbers are included.

=-+-=

                        CONFERENCE REGISTRATION FORM
                 15th National Computer Security Conference
                            October 13-16, 1992
                         Baltimore Convention Center
                            1 East Pratt Street
                            Baltimore, Maryland

NAME: ___________________________________________________________
COMPANY: ________________________________________________________
ADDRESS: ________________________________________________________
CITY: ___________________ STATE: ___________ ZIP: ______________
COUNTRY: ______________________ TELEPHONE NO: ___________________

HOW WOULD YOU LIKE YOUR NAME TO APPEAR ON YOUR BADGE?
_________________________________

Registration Fee: $280.00 before October 1, 1992;
                  $315.00 on or after October 1, 1992

Payment Enclosed in the Amount of: __________

Form of Payment:
___ Check. Make checks payable to NIST/15th National Computer Security
    Conference. All checks must be drawn on U.S. banks only.
___ Purchase Order Attached. P.O. No.: __________
___ Federal Government Training Form
___ MasterCard  ___ Visa
    Account No.: _______________ Exp. Date _______
    Authorized Signature: _______________________

PLEASE NOTE: No other credit cards will be accepted.

Please return conference registration form and payment to:
    c/o 15th National Computer Security Conference
    Office of the Comptroller
    National Institute of Standards and Technology
    Room A807, Administration Building
    Gaithersburg, MD 20899

Credit card registration may be faxed to Tammie Grice at (301) 926-1630.

Is this the first time you have attended the National Computer Security
Conference?
______________

Conference Participants List:
__ I do want my name on the Conference Participants List which is
   distributed to conference attendees.
__ I do not want my name on the Conference Participants List.

=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=

                          HOTEL RESERVATION FORM
                 15th National Computer Security Conference
                            October 13-16, 1992
                         Baltimore Convention Center
                            Baltimore, Maryland

Hyatt Regency Baltimore                    (410) 528-1234
300 Light Street
Baltimore, MD 21202

Holiday Inn Baltimore Inner Harbor         (410) 685-3500
301 West Lombard Street
Baltimore, MD 21201

Radisson Plaza Baltimore Hotel             (410) 539-8400
20 West Baltimore Street
Baltimore, MD 21201

Tremont Plaza                              (410) 727-2222
222 St. Paul Place
Baltimore, MD 21202
(An all suites hotel)

Baltimore Marriott Inner Harbor            (410) 962-0202
110 South Eutaw Street
Baltimore, MD 21201

Tremont Hotels                             (410) 576-1200
8 East Pleasant Street
Baltimore, MD 21202
(An all suites hotel)

NAME:
COMPANY:
ADDRESS:
CITY: ____________________ STATE: ________ ZIP: ____
COUNTRY: ___________ TELEPHONE NO: __________
(include country access code if appropriate)

Please Reserve: Single Room(s) ______ Double Room(s) _______
Arrival Date: _________ Departure Date: _________
Person Sharing Room: ___________________________

RATE (Refer to Conference Brochure): ____ Corporate; _____ Government
Method of Guarantee: _____ Deposit Enclosed; _____ Credit Card
Check One: __ American Express  __ Visa  __ MasterCard  __ Diners Club  __ Carte Blanche
Credit Card #: _________________ Exp. Date: ______
Signature of Cardholder: ________________________

------------------------------

Date: Tue, 08 Sep 92 15:15:59 -0400
From: "Scott (nmi) Mattes"
Subject: Farewell to network, for now

Today I will be losing my Internet access, for an unknown length of time.
This is due to the downsizing of our IBM mainframe and consolidation of
certain applications to another IBM data center. So, for the time being
at least, I bid farewell to the net.
I wish to thank all those who have helped to enlighten me on various
things (work, religion, eating, etc) while I have had access. If anyone
needs to contact me, my 'home' and voice addresses will still work.
Needless to say (I will anyway) the ANONYMOUS FTP account (144.11.100.1)
is going away also.

- --------------------------------------+----------------------------------------
Scott (nmi) Mattes                     | No success can compensate for failure
Work: COTRSSM@SEA04VM.NAVSEA.Navy.Mil  | in the home. David O. McKay, Prophet
Home: 73027.3270@CompuServe.COM        | and President of the Church of Jesus
Voice: (703) 769-2917                  | Christ of Latter-day Saints, 1951-70

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 150]
******************************************
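As an added example of the entry-point fingerprinting Vesselin Bontchev describes in his "Fingerprinting self-modifying files" reply above (this is editorial code, not from the digest or any of its authors): it locates the entry point of a .COM file by following the initial JMP, or of an MZ .EXE from the header's CS:IP, checksums the bytes found there, and shows why remembering only the entry offset misses the LeapFrog-style case he mentions. The sample files and the two modifications applied to them are constructed byte strings, not real programs or viruses.

```python
import hashlib
import struct

def entry_offset(data: bytes) -> int:
    """File offset of the first instruction to execute: header size + CS:IP
    for an MZ .EXE, the target of a leading E9/EB JMP for a .COM, else 0."""
    if data[:2] in (b"MZ", b"ZM"):
        (e_cparhdr,) = struct.unpack_from("<H", data, 0x08)   # header paragraphs
        e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)
        return e_cparhdr * 16 + e_cs * 16 + e_ip
    if data[:1] == b"\xE9":                  # JMP rel16: target = next IP + rel16
        (rel,) = struct.unpack_from("<h", data, 1)
        return (3 + rel) & 0xFFFF            # .COM loads at 0x100: offset == IP - 0x100
    if data[:1] == b"\xEB":                  # JMP rel8
        (rel,) = struct.unpack_from("<b", data, 1)
        return (2 + rel) & 0xFFFF
    return 0

def fingerprint(data: bytes, nbytes: int = 40) -> dict:
    """Entry offset plus a checksum of the first `nbytes` bytes found there.
    Any checksum does (a CRC was typical then). As the post says, this is a
    change detector only: a resident stealth virus, or one written with this
    scheme in mind, defeats it."""
    ep = entry_offset(data)
    return {"entry": ep, "sum": hashlib.sha256(data[ep:ep + nbytes]).hexdigest()}

def describe_change(before: dict, after: dict) -> str:
    """Separate the two cases the post distinguishes."""
    if before == after:
        return "unchanged"
    if before["entry"] != after["entry"]:
        return "entry point moved"
    return "entry point intact, code at entry changed"   # the LeapFrog/Voronezh.1600 case

# Constructed sample .COM: JMP to offset 0x20, padding, then a tiny program body.
ORIGINAL_COM = b"\xE9\x1D\x00" + b"\x00" * 0x1D + b"\xB4\x4C\xCD\x21" + b"\x90" * 60
# Constructed change: the JMP is untouched but the bytes it points to are replaced,
# which a scheme that only remembers the entry offset would never notice.
TARGET_PATCHED_COM = ORIGINAL_COM[:0x20] + b"\x90" * 4 + ORIGINAL_COM[0x24:]
# Constructed change: the initial JMP now points somewhere else in the file.
JMP_PATCHED_COM = b"\xE9\x40\x00" + ORIGINAL_COM[3:]

if __name__ == "__main__":
    base = fingerprint(ORIGINAL_COM)
    for name, sample in (("unmodified", ORIGINAL_COM), ("target patched", TARGET_PATCHED_COM),
                         ("jmp patched", JMP_PATCHED_COM)):
        print(f"{name}: {describe_change(base, fingerprint(sample))}")
```

The programs Bontchev lists as legitimately self-modifying (SideKick, SETVER and the like) would still need to be whitelisted by hand, since this check cannot tell an intended patch from an unwanted one.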