Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
	id AA08036; Wed, 3 Feb 1993 17:50:32 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP
	id AA26376 (5.67a/IDA-1.5 for ); Wed, 3 Feb 1993 10:16:42 -0500
Date:         Wed, 3 Feb 1993 10:16:42 -0500
Message-Id:   <9302031310.AA24606@barnabas.cert.org>
Comment:      Virus Discussion List
Originator:   virus-l@lehigh.edu
Errors-To:    krvw@cert.org
Reply-To:
Sender:       virus-l@lehigh.edu
Version:      5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From:         "Kenneth R. van Wyk"
To:           Multiple recipients of list
Subject:      VIRUS-L Digest V6 #16
Status: RO

VIRUS-L Digest   Wednesday,  3 Feb 1993    Volume 6 : Issue 16

Today's Topics:

Re: On the definition of viruses
Re: On the definition of viruses
Patriotic Virus Writers?
Re: On the definition of viruses
Re: How to measure polymorphism
Re: Asymmetric Cryptographic Checksums
Way to go, AP (Not)!
Complexity of polymorphic viruses.
RE: LAT
Re: Infection question
Re: On the definition of viruses
Re: Sale of Viri
Re: os2-stuff (OS/2)
Re: os2-stuff (OS/2)
DOS CHKDSK bug: a first (?) victim (PC)
VIRSCAN.DAT: Error in line 2178 (PC)
re: windows virus (PC)
Re: windows virus (PC)
can anybody help my little lost computer? (PC)
Cansu virus plague! (PC)
How do MtE utilizing viruses detect themselves? (PC)
Cascade & SCANV99 (PC)
TBAV 5.03 and VSIG9301 upload (PC)
Internet Worm - the "Perp" (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 29 Jan 93 09:25:52 -0500
From:    fc@turing.duq.edu (Fred Cohen)
Subject: Re: On the definition of viruses

> "David M. Chess (863-6665)" writes:
>
> In Hoffman's "Rogue Programs", there's a paper by Len Adleman called
> "An Abstract Theory of Computer Viruses". It contains what seems to
> be a proof that it's possible to design a virus so that given one
> instance of an infected object, it's not decidable whether or not
> another object might be a descendant of it. However, I don't
> understand the proof; I'd love to hear from someone that does! The
> next proof in the paper softens the blow: it seems to be a proof that
> you can come close enough, by deciding whether or not another object
> is EITHER a descendant of the captured virus OR an element of the
> "germ set" for the virus, where the "germs" of a virus are the set
> (roughly) of droppers of the virus.

I've read Adleman's paper, but I also have problems understanding it. Is there a good mathematician in the house? I'm pretty much convinced that Adleman's definition is very different from mine, and one of the differences is that under my definition of viruses, both finding descendants and finding progenitors are undecidable.

eugene@kamis.msk.su (Eugene V. Kaspersky) writes:
>
> A friend of mine wrote a virus. It's an extremely primitive program that
> contains several MS-DOS commands which are united into one BAT-file named
> VIRUS.BAT.
>
> echo ---
> echo Hello! I'm the virus!
> echo Look at your watch. Waiting ...
> pause
> echo Is today Friday, 13th ?
> echo If 'yes' please type FORMAT C: and say YES for all the questions.
> echo If it's not enough please drop your monitor and
> echo [...skipped...]
> echo If 'no' please copy this program to all your friends because
> echo this is a very useful program!
> echo ---
>
> Several color effects were added to this BAT file also.
> Is this a virus? No? One week after the first execution of this program
> about 100 computers were 'infected' by this ... program? ... virus? Those
> are about half of all the computers of the company where this guy works
> now. The users like this program-joke and copy it. So this program
> replicates very well, its name is VIRUS.BAT and it's dangerous because it
> says "FORMAT C:" and a 'good user' can do this. Is this not a virus?
>

In your environment, it seems to be a virus.

> Another example: virus-packer.
> This imaginary program stays resident and on running any unpacked COM or
> EXE file asks: "Do you wish to PACK your program? " and then packs
> and appends itself to the packed file if 'Y' is pressed. On execution the
> 'infected' program types "I'm infected by VIRUS-PACK, do you wish to
> remove me? " and then unpacks the file and removes its body on 'Y' or
> stays memory resident on 'N'. Is this only a virus-like utility and not a
> virus?

Seems like a virus to me.

> > So what is a computer virus? In simple terms, it is a sequence
> > of instructions that, when interpreted in an appropriate environment,
> > "replicates" in that at least one replica also "replicates", etc., ad
> > infinitum.
>
> The last condition is incorrect because there are viruses which
> replicate a limited number of times. I forgot the name of the example
> but this virus contains a 'generation counter' and it does not replicate
> at generation N. So the condition must be: "it 'replicates' at least
> several (more than 1) times; in other cases this is a Trojan horse
> installer".

Ah!! The partitioning problem. The counter is really no different than a conditional.
If we redefine the virus as the part of the program that replicates, and the counter as part of the environment that the virus carries with it, we have a virus that makes itself extinct by destroying its environment. To exhaustively test against my definition requires that we try all possible partitionings of environment and virus. Just as Shannon's information theory is usually applied by choosing symbols of 1 byte each, most people choose to look only at the `whole' program as the virus. Just as we can try different symbol sets and get different information content under Shannon's theory, we can try different partitionings under my definition of viruses. In this sense (alluding to a previous question) I am talking about Popper's refutation for testing against the definition of viruses.

> > Want an example? A backup program replicates by making an
> > exact copy of itself (if it does a good job) on the backup media. In
>
> It's a bad example. MS-DOS, PC-DOS (I operate in IBM-PC terms only, sorry)
> are viruses also:
>
> - they replicate:
>     SYS A:
>     COPY *.* A:
>     ...
> - they load themselves silently and without user consent.
>
> MS-DOS is a virus! That is a shock for antiviral researchers and vendors!
> All the antiviral databases need to be updated.

That program seems to be a virus under DOS - but you might like to add a format command to prepare the disk first - that would likely make the virus work in more environments. That doesn't make DOS a virus however. It also isn't much of a surprise to most virus researchers.

> So I'll try to set several virus definitions.
> ..
> And who says that the virus is 'a sequence of instructions'? The real
> virus can consist of several parts of code, *sequences* of instructions,
> i.e. several different files, sectors, RAM areas. Well, let this virus
> be named a 'multipartite virus'.

The formal definition speaks of sequences of symbols in the `viral set' of symbol sequences. A multipartite virus is no problem. We have (as one element of the set) something like this:

    s1, s2, ..., sn, ANY OTHER SYMBOLS, sn+1, ..., sm, ANY OTHER SYMBOLS, ...

Note that the size of the set is enormous in this case because the sequences of ANY OTHER SYMBOLS really just identify a set of x^y different sequences where x is the size of the symbol set and y is the length of the sequence.

> So, MS-DOS is a useful program, but the MS-DOS floppy with a specific
> AUTOEXEC.BAT is a multipartite virus:
>
> AUTOEXEC.BAT:
>
>     sys a:
>     copy *.* a:\
>     sys b:
>     copy *.* b:\
>     ...
>     sys z:
>     copy *.* z:\
>

Right, assuming we have all formatted floppy disks.

> This MP-virus (multipartite virus) infects all the accessible logical disks
> very well.
>
> Well, let's examine all the sequences of instructions of all the computers.
> This multitude of files, sectors, RAMs is one great MP-virus (it's very
> dangerous and it can replicate). So,

Not so!! Some of these sequences may be parts of viruses, and others may not. See the discussion above about the partitioning problem.

> DEF_2: All the programs of all the computers are parts of the World
> MegaVirus.

Not true - As above

>
> DEF_3: It's impossible to set the virus definition.
>

Not true - As above.

> It's because the viruses are manufactured by men and the virus definitions
> are produced by men also. So if we state a new virus definition there is
> someone who can write the counter-example virus. As a result the true
> virus definition is DEF_2 only.

Not true - As above. In the formal definition, it is proven that the set of viruses and the set of non-viruses are both infinite for a Universal Computing Machine.

The real problem with writing a good definition is that you have to anticipate all of these sorts of arguments ahead of time (although that is done almost automatically by using a mathematical system which has known properties of consistency, etc.). That's why the formal definition may seem like it's not exactly what you mean in some cases.
For example: I would have liked to define viruses so that they involve using mechanisms of a host for some purpose, but when you try to do this formally, you end up being unable to differentiate the `host' from the rest of the environment. A side effect is that this anticipates the partitioning problem, the so-called companion viruses, multipartite viruses, evolutionary viruses, and all of the other things we have come upon.

FC
__________________________________________________________________________
8:30AM-2PM Eastern        Protection         2PM-8:30PM Eastern
US+412-422-4134            Experts           US+907-344-5164
FAX US+412-422-4135  -OR-  907-344-3069      24 hours - 7 days
__________________________________________________________________________

------------------------------

Date:    Fri, 29 Jan 93 10:06:40 -0500
From:    Y. Radai
Subject: Re: On the definition of viruses

Bob Babcock quotes the following lines from a posting of mine:

>>Note that this argument does not require the assumption that the
>>computer has an infinite amount of storage, as Fred's proof does.
>> If the definition is (a) or (b), then we can do even better: we can
>>show that in some cases the question cannot be decided even by running
>>the program any finite number of times. For example, suppose the
>>program asks the user to input four positive integers i, j, k, n
>>(where n must be > 2). If you choose definition (b), I shall take
>> to be "i^n + j^n = k^n".

He then replies:

> Minor quibble: the integers i,j,k,n can be arbitrarily large, so the storage
> necessary is unbounded.

I anticipated that someone would make such a comment. It's for precisely that reason that I placed the lines

>>Note that this argument does not require the assumption that the
>>computer has an infinite amount of storage, as Fred's proof does.

*before* the i,j,k,n example, where they refer only to the argument which *precedes* what you have quoted, i.e. to the argument for undecidability by the program's *appearance alone*, and not necessarily to the argument which you have quoted, which applies to undecidability by its run-time behavior as well.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    29 Jan 93 15:59:00 +0000
From:    Sam Wilson
Subject: Patriotic Virus Writers?

The following letter and editorial response appear in the February 1993 issue of the UK magazine 'Personal Computer World' under the heading "Spreading viruses":

   We are a bunch of programmers who, depressed with the lack of viruses that have originated in England, have sought to change matters. We presently write viruses for the PC, Archimedes and Atari ST. We have increased the few viruses written in England by about 25, though this number is increasing all the time as our programmers churn out more quality computer viruses. Although there are many viruses about we hope to dominate the UK 'market'. Won't it be nice, though, for England to have at least one export?

   Finally, we as an organisation like to stress that, contrary to public opinion, we are *not* boring people who wear anoraks, nor are we depraved people who were beaten as children and so grew up with a hatred of humanity. We are highly intelligent and good at programming and are just ordinary people. But we are gonna get you soon!

   ARCV (Association of Really Cruel Viruses)

[And the editor replies:]

   You say you're not depraved people? Perhaps you weren't beaten as children, but as far as we're concerned you should be beaten as adults.

I wish it were the April issue...
Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date:    Wed, 27 Jan 93 17:13:20 -0500
From:    peprbv@cfa0.harvard.edu (Bob Babcock)
Subject: Re: On the definition of viruses

>Note that this argument does not require the assumption that the
>computer has an infinite amount of storage, as Fred's proof does.
> If the definition is (a) or (b), then we can do even better: we can
>show that in some cases the question cannot be decided even by running
>the program any finite number of times. For example, suppose the
>program asks the user to input four positive integers i, j, k, n
>(where n must be > 2). If you choose definition (b), I shall take
> to be "i^n + j^n = k^n".

Minor quibble: the integers i,j,k,n can be arbitrarily large, so the storage necessary is unbounded.

------------------------------

Date:    29 Jan 93 19:47:58 +0000
From:    favor@ecst.csuchico.edu (Michael Favor)
Subject: Re: How to measure polymorphism

chess@watson.ibm.com (David M. Chess) writes:

>measure the randomness of a string of bits by finding the smallest
>program for some standard Turing Machine that produces those bits.

In his paper, did Greg Chaitin explain how to 'find' the 'smallest' program in an objective way? It seems easy enough to measure two programs and decide which one is smaller or simpler, but how can one generate these programs in the first place without using all of the subjective intuition of the programmer?

regards,
michael.
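An added example, not part of Michael Favor's or David Chess's posts: the smallest program that produces a given string (the Chaitin measure Chess alludes to) cannot be found by any algorithm, but the length of the string's compressed form is a computable upper bound on it, and that bound is what is used in practice. The Python below applies it to the polymorphism question. It draws many variants from two constructed toy "engines" and measures how many extra compressed bytes each new variant costs once the earlier ones are known; a generator whose output differs only in a key byte costs almost nothing per variant, while one that varies junk instructions and registers costs far more. The 16-bit x86 byte sequences, the junk-instruction alphabet, the engine names and the seed are all constructed for this demonstration and are not taken from any real virus or scanner.

```python
"""Added example: estimating how 'polymorphic' a generator is with a compressor.

The smallest program that emits a given string (its Kolmogorov/Chaitin
complexity) is not computable, but the length of a zlib-compressed copy is a
computable upper bound.  Feeding many variants from one generator to the
compressor and measuring the extra bytes each new variant costs gives an
objective, if crude, measure of the generator's variability.  Both
generators below are constructed toys, not real virus code.
"""
from __future__ import annotations

import random
import zlib


def k_hat(data: bytes) -> int:
    """Computable upper bound on the Kolmogorov complexity of `data`."""
    return len(zlib.compress(data, 9))


def marginal_cost(variants: list[bytes]) -> float:
    """Average compressed bytes each additional variant adds to the corpus.

    (K(v1..vn) - K(v1)) / (n - 1): near zero when every variant is a
    near-copy of the others, near the raw variant length when the
    generator's output is effectively random.
    """
    corpus = b"".join(variants)
    return (k_hat(corpus) - k_hat(variants[0])) / (len(variants) - 1)


# 16-bit x86 skeleton of a trivial XOR decryptor (constructed for the example):
#   mov cx,0x100 ; mov si,0x110 ; xor byte [si],key ; inc si ; loop ; ret
def weak_engine(rng: random.Random) -> bytes:
    """Weak 'polymorphism': the only thing that changes is the XOR key."""
    key = rng.randrange(256)
    return bytes([0xB9, 0x00, 0x01,   # mov cx, 0x100
                  0xBE, 0x10, 0x01,   # mov si, 0x110
                  0x80, 0x34, key,    # xor byte [si], key
                  0x46,               # inc si
                  0xE2, 0xFA,         # loop back 6 bytes, to the xor
                  0xC3])              # ret


# Single-byte instructions that leave CX, SI/DI and memory alone:
# nop clc stc cmc cld std lahf sahf
JUNK = bytes([0x90, 0xF8, 0xF9, 0xF5, 0xFC, 0xFD, 0x9F, 0x9E])


def strong_engine(rng: random.Random) -> bytes:
    """Stronger 'polymorphism': random junk before the loop, key and index register vary."""
    key = rng.randrange(256)
    use_di = rng.random() < 0.5
    mov_idx = 0xBF if use_di else 0xBE   # mov di/si, imm16
    modrm = 0x35 if use_di else 0x34     # xor byte [di]/[si], imm8
    inc_idx = 0x47 if use_di else 0x46   # inc di / inc si

    def junk() -> bytes:
        # 0..7 junk bytes; all slots sit before the xor, so the loop offset is unchanged
        return bytes(rng.choice(JUNK) for _ in range(rng.randrange(8)))

    return (junk() + bytes([0xB9, 0x00, 0x01])
            + junk() + bytes([mov_idx, 0x10, 0x01])
            + junk() + bytes([0x80, modrm, key, inc_idx, 0xE2, 0xFA, 0xC3]))


def compare_engines(n: int = 200, seed: int = 1) -> dict[str, float]:
    """Marginal compressed cost per variant for both toy engines (deterministic for a seed)."""
    weak = [weak_engine(random.Random(seed + i)) for i in range(n)]
    strong = [strong_engine(random.Random(seed + i)) for i in range(n)]
    return {"weak": marginal_cost(weak), "strong": marginal_cost(strong)}


if __name__ == "__main__":
    for name, cost in compare_engines().items():
        print(f"{name:6s} engine: {cost:5.2f} extra compressed bytes per variant")
```

The numbers are only upper bounds, and a general-purpose compressor is a poor model of what a detector can exploit, but the ordering is robust: an engine that a detector can pin down with a short algorithm compresses away, and one that cannot be compressed much below its raw size needs a correspondingly larger detector, which is the relationship Chess's suggestion was getting at.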
------------------------------

Date:    Fri, 29 Jan 93 20:20:45 +0000
From:    raph@panache.demon.co.uk (Raphael Mankin)
Subject: Re: Asymmetric Cryptographic Checksums

padgett@tccslr.dnet.mmc.com writes:

>> In reply to me, Vesselin Bontchev writes:
>
>>> Well, a CRC is usually computed like this:
>>>
>>>     crc = INITIAL_VALUE;
>>>     while ((c = getc (file)) != EOF)
>>>         crc = crc_table [(crc & 0x00FF) ^ c] ^ (crc >> 8);
>>>
>>> Usually INITIAL_VALUE is 0, but you could set it to anything you would
>>> like...
>
>>Well, I think that comes from using a particular (table-driven)
>>*implementation* of CRC, and is not an essential feature of CRC as it
>>is defined. Also, while I agree that in this implementation

All the polynomial-residue CRCs can be calculated like this (HDLC, CRC-16, V42). For an n-bit polynomial the value of crc_table[i] is just the remainder that you get from dividing (polynomial division) (i<

------------------------------

From:    alberg@hudlink.hoboken.nj.us (Al Berg)
Subject: Way to go, AP (Not)!

From the article (identified as an AP story):

   "The mysterious Dark Avenger lurks in Bulgaria brewing 'viruses' to infect and rot computer programs and data around the world. He is a scourge in the West but a kind of hero in his own country, computer experts say."

The article goes on to identify Russia and Bulgaria as prime sources of viruses and says that "One East Coast company lost $1 million because of the Avenger's electronic pranks."

David Stang was quoted as well: "My guess is that he has a regular job and works regular hours and looks like a normal guy but comes home at night to a computer, stays up real late and works on viruses."

It seems to me that this is exactly the kind of coverage that would encourage virus authors to practice their craft. It glorifies the electro-terrorism that they commit and gives users no real information on what viruses are and how to protect themselves from viruses.

A suggestion to the AV organizations (like Mr. Stang's) - Why not prepare a "Computer Virus Media Guide" that would explain the virus problem and steps that users can take to protect themselves? This guide could start as a simplified version of the Virus FAQ. Another thing that would help would be the issuing of press releases to major media outlets when scares like the Michelangelo virus occur.

I'd like to hear others' opinions on this...

Al

- --
=========================================================================
Al Berg, Net Rider                    The Hudson Link Cyberspace Gateway
alberg@hudlink.hoboken.nj.us          Public access email/news
Phone: 201/659-5387  201/659-3935
=========================================================================

------------------------------

Date:    Sat, 30 Jan 93 22:26:15 -0500
From:    barnold@watson.ibm.com
Subject: Complexity of polymorphic viruses.

Fridrik Skulason recently posted lines-of-code counts for some algorithmic virus detectors in F-PROT. I'm assuming his detectors are written in C.

Here are lines-of-code counts for a few algorithmic detectors (written in C) included in IBM AntiVirus. The lines-of-code counts for each detector include a 25-line structure initialization that is arguably data, so the real counts are arguably 249, 20 and 52 lines respectively. The V2P2 detector is a bulk scanner, and it could be made considerably smaller. The lines-of-code counts agree quite nicely with Fridrik's counts.

(File I/O handling is *not* included in these counts. The lines-of-code counter is a standard counter used in many IBM development projects. I'm not completely sure what rules this lines-of-code counter uses. Obviously, some lines are counted as both code and comment lines.)
MtE  ::= 330 physical lines, 105 lines of comments, and 274 source lines
V2P6 ::=  89 physical lines,  57 lines of comments, and  45 source lines
V2P2 ::= 145 physical lines,  38 lines of comments, and  77 source lines

Bill Arnold

------------------------------

Date:    Sun, 31 Jan 93 00:07:39 -0500
From:    fergp@sytex.com (Paul Ferguson)
Subject: RE: LAT

On 17 Jan 93 21:32:00 GMT, (Bill Lambdin) writes -

> Some have asked me about certain aspects of LAT, and I
> have decided to send one public message instead of
> multiple messages via Email.

> 1. I started LAT because of the hype in advertising.

[ some deleted ]

> 2. LAT is an acronym; it means "Lambdin's Accuracy Tests"

All of the reasons that you mentioned are well and good, Bill, but there are a few points that you seem to have overlooked. Simply running an antivirus "product" against a "zoo" of viruses is no way to evaluate an antivirus product. Unless you can test the product in a "real-world" environment (including whatever TSR monitor/filter, integrity manager, etc.), tossing detection numbers around misrepresents the antivirus products' effectiveness or lack of effectiveness, as the case may be.

As far as I can see, your "accuracy" test reflects no measure of:

 o Detecting a virus at runtime (file_open)
 o Detecting a virus resident in memory (fairly important as you
   certainly wouldn't want to perform any file_open functions with a
   fast infector resident)
 o Accurate detection/categorization of detection
 o Detecting unknown viruses or other file discrepancies
 o Speed of scanning

Nothing personal, but tossing a few hundred viruses at a few scanners and then posting the results as "accuracy" tests is about as irresponsible as chiding the vendors themselves about hype in advertising.

Paul Ferguson                 | "Making duplicate copies and computer
Network Integration Consultant|  printouts of things no one wanted
Alexandria, Virginia USA      |  even one of in the first place is
fergp@sytex.com               |  giving America a new sense of
FidoNet - 1:109/229           |  purpose." - Andy Rooney

- ---
fergp@sytex.com (Paul Ferguson)
Sytex Systems Communications, Arlington VA, 1-703-358-9022

------------------------------

Date:    Mon, 01 Feb 93 05:29:04 -0500
From:    David_Conrad@MTS.cc.Wayne.edu
Subject: Re: Infection question

In VIRUS-L v6i13 hutchinson@wrair-emh1.army.mil writes:

>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>> the currently existing types of viruses on the IBM PC. These viruses
>> (boot sector infectors, file system infectors, companion viruses) do
>> not match even Dr. Cohen's natural-language definition of the term
>> "virus", unless you define "program" and "attach" too broadly. And
>
>Then maybe "program" is the wrong word. Maybe it should be something
>like "function" or "process" instead. F'rinstance, a boot sector
>infector doesn't exactly attach itself to any program. But it *does*
>attach itself to the boot *Process*.

But in my (humble?) opinion, a boot sector infector does attach itself to a program, i.e. the bootstrap loader. This program just doesn't happen to be contained in a file. Messy details about the file system shouldn't get involved in the definition of a computer virus.

I'm not quite as certain what to say about companion viruses. I don't think calling the bootstrap loader a program is too broad a use of the word, but saying that a companion virus is "attached" to the program it has infected may be too broad a use of "attach." Still, without the "host" program the companion virus would never be executed by the user, would it? Imagine if it used a name consisting of a random string of {, }, $, and % with a .COM extension, rather than the name of another program on the system. Probably wouldn't ever be executed.
So the connection between the virus and the program which is its host is certainly important, if tenuous.

David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date:    Mon, 01 Feb 93 08:25:45 -0500
From:    keith.watson@stucen.gatech.edu
Subject: Re: On the definition of viruses

For brevity I will not repeat what Y. Radai stated in VIRUS-L Digest V6 #11. In the case of undecidability by the program to infect, the fact that it can makes it a virus by my 'practical definition', so I don't want it on my system.

As for my practical definition, I'll state it via a question. Why is it that none of the anti-viral packages call backup or xcopy viruses when a system is scanned (yes, assuming they are not infected)? It seems obvious that we have agreed with users that Stoned is indeed different from xcopy. The question to be answered is what is it about a program that the user perceives as a virus, where virus = bad and everything else is just a program, where program = benevolent. Can fuzzy logic be applied here? Define bad and benevolent. They too are undecidable, or in more metaphysical terms, all things are relative. However, in the real world of trashed files and dead hard drives we make real decisions. Stoned is a virus and xcopy isn't. In twenty five words or less explain how we make this decision and you will be a hero in AI programming.

Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332-0453
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: keith.watson@stucen.gatech.edu

------------------------------

Date:    01 Feb 93 13:57:49 +0000
From:    johan@blade.stack.urc.tue.nl (Johan Wevers)
Subject: Re: Sale of Viri

frisk@complex.is (Fridrik Skulason) writes:

>As I have said before - the lack of any action against virus writers
>is the primary reason why viruses are a problem today.

Really? Then tell me, how would you take any legal action against virus writers? How would you even find them?

- --
***************************************************************
* J.C.A. Wevers                 * LaTeX  * The only nature of  *
* johan@blade.stack.urc.tue.nl  * wizard * reality is physics. *
***************************************************************

------------------------------

Date:    Fri, 29 Jan 93 11:06:57 -0500
From:    "David M. Chess"
Subject: Re: os2-stuff (OS/2)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

> Does OS/2 access some DLLs in order to handle the running of
>a DOS program in a DOS window?

Yes.

> Are those accesses visible to the
>program running in the DOS window?

No. At least, not in any way I'm aware of, and I'd be surprised if there were any way. In any case, they won't be visible to a DOS program just watching INT 21 / 4B calls.

>So, it seems that there is indeed no need to scan the DLL files,
>right? Or am I missing something?

For existing viruses, I'd say there's no strong reason to scan DLL files by default (they should get scanned, along with every other file on the system, during cleanup, just in case). Anything that wants to watch out for new viruses should watch DLLs, though, because they do contain code.

- - -- -
David M. Chess                  | "This chicken has a *very*
High Integrity Computing Lab    |  small opening book!"
IBM Watson Research             |

------------------------------

Date:    Wed, 27 Jan 93 21:28:29 -0500
From:    Anthony Naggs
Subject: Re: os2-stuff (OS/2)

Vesselin Bontchev wrote:

> OK, but suppose that the user opens a DOS window. Suppose also that
> s/he runs an infected DOS program in this window and the virus becomes
> resident. ...

Okay.

> ... Does OS/2 access some DLLs in order to handle the running of
> a DOS program in a DOS window? Are those accesses visible to the
> program running in the DOS window? If they are not, then none of the
> currently existing viruses will infect a DLL file and there is no need
> to scan such files...
I don't think so, but OS/2 (2.x) DLLs run in the CPU's 'Protected Mode' and so will not be visible to the DOS box. If the virus is OS/2 aware then it can interact with OS/2 from the DOS box, but I don't know what the scope of that is.

> Another possibility is a virus like Frodo, which (erroneously)
> infects files with different extensions, because it thinks they are
> COM or EXE. But Frodo's criteria for executable extensions do not
> classify "DLL" as such and I don't know other viruses which do the
> same stupidity...

There are three big reasons not to worry at the moment:

1  OS/2 DLL files have a different internal layout from DOS programs,
   preventing DOS viruses from successfully infecting them.

2  OS/2 (2.x) programs (including DLLs) run in "Protected Mode" which
   means that code for the "Real" or "Virtual" modes used by DOS is
   unlikely to work.

3  Even if these could be overcome a DOS virus would fail as soon as it
   tried an Int 21h call.

> So, it seems that there is indeed no need to scan the DLL files,
> right? Or am I missing something?

In anticipation that OS/2 specific viruses may be written it is wise to include DLLs as files to be checked by your integrity software, but you knew that anyway, :-)

Regards, Anthony Naggs
Software/Electronics Engineer     P O Box 1080, Peacehaven
(and virus researcher)            East Sussex  BN10 8PZ
Phone: +44 273 589701             Great Britain
Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk  or  xa329@city.ac.uk

------------------------------

Date:    Fri, 29 Jan 93 07:27:21 -0500
From:    fwf@gisa.uucp (Frank W. Felzmann)
Subject: DOS CHKDSK bug: a first (?) victim (PC)

A small German company in the field of picture data processing is a first (?) victim of the DOS CHKDSK bug.

6th January 1993: Data processing with a huge picture file. The error message "Disk full" appeared at the attempt to save this file. The user deleted all files with the extension *.BAK. Then he used the DOS command CHKDSK to prove that the whole memory was usable. He got the message: "x files in 7 lost clusters". After looking in the manual he executed the command "CHKDSK /F" - and .... afterwards, using the DIR command, the user got a very curious display of the content of the root directory. It was a hard disk with a capacity of 1 gigabyte in 1 partition. He called a specialist and after some hours of work they found that the FAT still existed but no data were available in the root directory. Because of the urgency to finish the job the user decided to reformat his hard disk and restored his data with loss of the current work.

The restored configuration made some problems in addressing the whole memory, therefore he supposed a hardware error. The result of a two-day diagnosis at his vendor was negative. By chance his vendor read the description of the CHKDSK bug in a computer newspaper (PC Woche, 11th Jan.). The user informed GISA to confirm his suspicion.

I checked his information and this company must be a victim, because:

- it was a hard disk with a 256 sector FAT
- there was a chaining error
- it was the unfixed CHKDSK.EXE
- and there was a correction attempt with the /F parameter

The damage in this case is about 7,000 dollars.

If you get information about other victims and you can check the case, please inform me or VIRUS-L. I will collect all cases for a report.

Frank W. Felzmann

- ----------------------------------------------------------------
G  German
I  Information           <>  Voice +49-228-9582-248
S  Security              <>  FAX   +49-228-9582-400
A  Agency
- ----------------------------------------------------------------
"It's a Snark!" ... Then the ominous words, "It's a Boo---"
- ----------------------------------------------------------------

------------------------------

Date:    Fri, 29 Jan 93 14:10:13 +0000
From:    boone@athena.cs.uga.edu (Roggie Boone)
Subject: VIRSCAN.DAT: Error in line 2178 (PC)

I downloaded the latest VSIGxxxx.ZIP file from OAK.OAKLAND.EDU to use with the TBSCANX program.
This file unzips into a file called VIRSCAN.DAT. The previous one that I was using worked with no problem. This latest one has an error apparently. Here is the basic info of what I see:

-----------------------------------------------
VIRSCAN.DAT REVISION: 9212220
ERROR IN LINE 2178
-----------------------------------------------

I have looked at line 2178, but it appears to be a normal line. Is there a bug in this version of VIRSCAN.DAT?

Thanks,
Roggie Boone
boone@athena.cs.uga.edu

- --
Roggie Boone
Dept. of Ag and Applied Economics
University of Georgia

------------------------------

Date:    Fri, 29 Jan 93 11:12:13 -0500
From:    "David M. Chess"
Subject: re: windows virus (PC)

>From: S.M.Baines@sheffield.ac.uk
>
>I am sorry to be a nuisance, but several users of Windows at Sheffield
>appear to have been hit by a virus that isn't detected directly. Using
>memory resident virus checkers only detect a write to a protected file
>or disc, but not the name. Scanning the disc and memory also fails to
>show up the 'virus'.

Well, the possibilities seem to be:

- A genuine Windows-targeted virus, although that seems unlikely since
  you say that the Windows files fail to run after being altered,
- A Trojan Horse program that's just damaging the Windows files,
- A DOS virus that your "memory resident virus checkers" don't have a
  specific signature for, but that they are able to notice now and then,
- A system problem that's causing some component of the system to
  mistakenly alter other components,
- A problem with your resident anti-viral, that's causing it to give
  false reports and then mess up the system.

The best way I can think of to decide which it is would be to examine one of the files after your TSRs tell you that a write has occurred. Has it gotten larger? Have the first 512 bytes just been overwritten with zeros? Has it been replaced with a file containing the words "Destroyed by MegaFoo"? (Just a made-up example!)

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date:    Wed, 27 Jan 93 21:20:21 -0500
From:    Anthony Naggs
Subject: Re: windows virus (PC)

Stephen Baines reports:

> I am sorry to be a nuisance, but several users of Windows at Sheffield
> appear to have been hit by a virus that isn't detected directly. Using
> memory resident virus checkers only detect a write to a protected file
> or disc, but not the name. Scanning the disc and memory also fails to
> show up the 'virus'.

You probably have a virus that is too recent to be found by the scanner(s) you are using. I don't want to pick on you, so a quick aside:

> > > General Reminder To All Posters With Virus Problems:       < < <
> > > For best advice it helps other readers to know details     < < <
> > > of the results of all products (& versions) you tried!     < < <

> It appears only to infect the Windows files, and these fail to run.

Many DOS viruses travel without generally announcing themselves, but corrupt large DOS programs (eg WordPerfect) and those for Windows - drawing attention to themselves.

> ... this has occurred to 2 different users, not using the same computers,
> or ... In both cases the only solution was to reinstall windows and all
> other software ...

Often the most reliable way of clearing up.

> ... The common link between the two was use of HENSA to
> download software at terminals at the University of Sheffield. Has
> this 'virus', if it is a virus, been reported before or is it just a
> bug and an unhappy co-incidence?

Many viruses could give similar effects, but without knowing whether the scanner(s) you have used are recent it is hard to say how new it might be.

Downloading software from HENSA shouldn't be a problem, but all DOS programs are provided in a (IMO) horrible 'BOO' format. So the first suspect is the "DeBoo" software that restores the archive files to a usable state; a virus-infected copy of this is a likely point of infection of multiple students.
In the event of finding a new, or suspected new, virus you should send copies of the infected files to the author of your anti-virus software. It is also worth sending the same files to other anti-virus producers that you know of, particularly in your own country where other local users may lack protection. Hope this helps, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Sat, 30 Jan 93 00:03:47 +0000 From: gree7015@elan.rowan.edu (DAN GREENSPAN) Subject: can anybody help my little lost computer? (PC) I run an ibm type machine. Lately my machine began acting up and now I have three invisible files in my hard drive instead of two. No antivirus software that I have run finds anything (norton, clean). A directory utility that I use shows the invisible dos files but nothing else. The only way I can tell there is a third invisible file is by doing a chkdsk command! Other disks used on my computer soon get this problem too. I got rid of it once by doing a low-level format, but recently I used an old floppy and whatever this is must have transferred itself back to my system. It seems to interfere with the keyboard interpreter. Anybody got a suggestion? Gratefully, gree@elan.rown.edu ------------------------------ Date: Thu, 28 Jan 93 23:14:00 +0100 From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) Subject: Cansu virus plague! (PC) Hi Amir! > From hard-disks: If your disk is a DOS disk, (no disk-manager) > run CHKDSK /MBR and your troubles will be over. (Obviously boot > the PC from a clean DOS diskette first). Sorry, it was FDISK /MBR! cu! eppi - --- Via SCANTOSS V 1.37 * Origin: Another Virus Help Node - The EpiCentre! 
(9:491/6050) ------------------------------ Date: Wed, 27 Jan 93 11:20:00 +0100 From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) Subject: How do MtE utilizing viruses detect themselves? (PC) >> Can't an algorithmic scanner use the method used >> by MtE itself to detect it? > Unfortunately - not. The virus author does not care if his virus does > not infect some infectable files, while a producer of an anti-virus > program cannot permit himself to erroneously flag a perfectly valid > file as infected... The only thing that can be done is to use the I think that ThunderByte implicated an interesting line of thought in their scanner, in whatever concerns detecting polymorphic viruses. They work like that: MtE has certain characteristics, and certain opcodes that always appear there. Then again, it has things that NEVER appear there. So. When you scan a file, you assume it as INFECTED, and you are trying to find evidence to the fact that it's NOT infected. If you find a series of bytes that can't possible be an MtE product, there you have it. If you can't find that, and assuming you did enough tests, your file is infected. Inbar Raz - - -- Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660 Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il - --- * Origin: MadMax BBS - Co-SysOp's Point. (9:9721/210) ------------------------------ Date: Mon, 01 Feb 93 10:58:14 +0100 From: zimmerms@Informatik.TU-Muenchen.DE (Stephan Zimmermann) Subject: Cascade & SCANV99 (PC) Yesteday I scaned a disk with McAfees' ScanV99 and found the Cascade [170x] Virus. In a second run Scan found this virus 'active in memory' ?!? But I haven't used any of the files on the disk, and none of the files on the HD were corupted. Is this a false alarm due to my first scaning, or is it possible that this virus gets active after scanning it ? Thanks in advance ... Ciao Stephan. 
------------------------------ Date: Sun, 31 Jan 93 18:43:59 +0700 From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers) Subject: TBAV 5.03 and VSIG9301 upload (PC) Hi all, I just uploaded to oak.oakland.edu and garbo.uwasa.fi the following files: VSIG9301.ZIP VIRSCAN.DAT virus signatures Jan 1993 ASIG9301.ZIP Additional virus signatures Jan 1993 TBAV503.ZIP TBAV utils 5.03 (was tbscanXX.zip) TBAVU503.ZIP TBAV utils upgrade 5.02 to 5.03 These replace all the other VSIG and TBAV files - -- jeroen voice: +31-2522-20908 (19:00-23:00 UTC) snail: P.O. Box 266 jeroenp@rulfc1.LeidenUniv.nl 2170 AG Sassenheim jeroen_pluimers@f256.n281.z2.fidonet.org The Netherlands ------------------------------ Date: Fri, 29 Jan 93 14:47:03 -0800 From: rslade@sfu.ca Subject: Internet Worm - the "Perp" (CVP) HISVIRT.CVP 921215 The Internet Worm - the perpetrator Robert Tappan Morris. Son of Bob Morris. (Hence often referred to as Robert Tappan Morris Junior, in spite of the fact that Bob Morris' middle name is not Tappan.) Since the "birth" of the Worm of sufficient fame to be known simply by his initials: RTM. Robert Tappan Morris was a student at Cornell University when he wrote the Worm. He was a student of data security. The Worm is often referred to as a part of his research, although it was neither an assigned project, nor had it been discussed with his advisor. The release of the Worm, at the time that it was released, seems to have been accidental. Whatever the motivations for its creation, and whatever the intentions for its future use, both internal evidence of incomplete coding and the early generation of "alerts" from the author would seem to support the theory of accidental release. At the same time, RTM was not exactly immediately forthcoming in warning the net. The first recorded warning was one generated by a friend (and anonymously at that) about ten hours after the first release. 
In reading various documents studying the Worm, there is a division of opinion regarding the quality of the program itself. However, an "averaging" of the comments might yield the following: the Worm shows a lot of knowledge of security "holes, and competent, occasionally flawed, but no brilliant coding. The Worm might be considered to be a "proof of concept", except that it contains too many concepts at once. There is no evidence that Bob Morris Senior had any part in, or knowledge of, the Worm under construction. Nevertheless, it is unreasonable to expect that there was never any "shop talk" around the dinner table. RTM was convicted of violating the computer Fraud and Abuse Act on May 16, 1990. An appeal was denied in March of 1991. He was sentenced to three years probation, a $10,000 fine and 400 hours of community service. Opinion about what the sentence should be started even before the last copy of the Worm was shut down. It ranged from "hanging's too good for him" to "he's done us all a great favour". This range of opinion still exists today. Estimates of the damage done range from $100,000 to $97 million. In addition, it is very instructive to read the appeal court's decision. The arguments all hinge on very fine interpretations of the law, over matters of intentionality and the extension of authority to use machine covering the use of the network it is attached to. copyright Robert M. Slade, 1992 HISVIRT.CVP 921215 ============== Vancouver p1@arkham.wimsey.bc.ca | You realize, of Institute for Robert_Slade@sfu.ca | course, that these Research into rslade@cue.bc.ca | new facts do not User p1@CyberStore.ca | coincide with my Security Canada V7K 2G6 | preconceived ideas ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 16] *****************************************
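The file check David Chess suggests in the "windows virus" thread above (compare the altered file with a known-clean copy: did it grow, were the first 512 bytes overwritten with zeros, was it replaced outright?), written out as an added example that is not part of any post in this digest. The sample program images, the "Destroyed by MegaFoo" string (borrowed from Chess's made-up example) and the `Finding`/`triage` names are constructed for illustration.

```python
"""Triage a file that a resident monitor reported a write to.

Added example, not code from any VIRUS-L post: given a known-clean copy and
the altered file, answer the questions in David Chess's post (did it grow,
were the first 512 bytes zeroed, was it replaced?). Samples are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    size_delta: int          # bytes gained (+) or lost (-) versus the clean copy
    first_512_zeroed: bool   # header region overwritten with zeros
    clean_intact: bool       # clean image still present somewhere in the file
    appended: bool           # clean image survives as a prefix (file grew at the end)
    prepended: bool          # clean image survives as a suffix (file grew at the front)
    new_strings: list        # printable strings present only in the altered file


def printable_strings(data: bytes, min_len: int = 6) -> set:
    """Collect runs of printable ASCII, like the classic 'strings' tool."""
    found, run = set(), bytearray()
    for b in data + b"\0":  # trailing NUL sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.add(run.decode("ascii"))
        run = bytearray()
    return found


def triage(clean: bytes, altered: bytes) -> Finding:
    head = altered[:512]
    grew = len(altered) > len(clean)
    return Finding(
        size_delta=len(altered) - len(clean),
        first_512_zeroed=len(head) == 512 and not any(head),
        clean_intact=clean in altered,
        appended=grew and altered.startswith(clean),
        prepended=grew and altered.endswith(clean),
        new_strings=sorted(printable_strings(altered) - printable_strings(clean)),
    )


# Constructed samples: a fake clean program image and three kinds of damage.
CLEAN = b"MZ" + bytes(range(256)) * 4 + b"Copyright Example Corp\0"
APPENDED = CLEAN + b"\xeb\xfe" * 100 + b"Destroyed by MegaFoo\0"  # grew, prefix intact
ZEROED = b"\0" * 512 + CLEAN[512:]                                 # header wiped, same size
REPLACED = b"Destroyed by MegaFoo\r\n" * 20                        # whole file overwritten

if __name__ == "__main__":
    for name, sample in [("appended", APPENDED), ("zeroed", ZEROED), ("replaced", REPLACED)]:
        print(name, triage(CLEAN, sample))
```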