Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5) id AA02051; Thu, 11 Feb 1993 23:38:24 +0100 Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA38430 (5.67a/IDA-1.5 for ); Thu, 11 Feb 1993 17:04:43 -0500 Date: Thu, 11 Feb 1993 17:04:43 -0500 Message-Id: <9302111908.AA09795@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #24 Status: RO VIRUS-L Digest Thursday, 11 Feb 1993 Volume 6 : Issue 24 Today's Topics: TIME Magazine on "Cyperpunk": How Not to Define a "Worm" What is safe to discuss? Re: How to measure polymorphism Re: Internet Worm - the "Perp" (CVP) Re: general entertainment Re: What is a virus ? Re: Norton buggy??? (or I have a PROBLEM!) (PC) Help! Help, with FORM virus (PC) Re: New virus in Germany (PC) More Viruses in Memory (PC) Michelangelo Virus? (PC) Re: Virstop 2.07 in Icelandic (PC) Re: Twelve Tricks (PC) Re: Suggestion to the developers of resident scanners (PC) green catipillar (PC) Re: New virus in Germany :-( (PC) Michaelangelo's payload (PC) Re: Suggestion to the developers of resident scanners (PC) Re: dame virus (pc) Help, which scanner? (PC) Should scanners detect only common viruses? (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 10 Feb 93 15:56:29 -0500 From: xrjdm@calvin.gsfc.nasa.gov (Joseph D. McMahon) Subject: TIME Magazine on "Cyperpunk": How Not to Define a "Worm" In last week's TIME magazine (with the "Cyberpunk" lead article), RTM's worm is is described as "not a virus, but a worm, since the damage was unintentional". This is the most singular lack of grasp of the subject I have seen in a long time. --- Joe M. ------------------------------ Date: Wed, 10 Feb 93 15:57:14 -0500 From: Donald G Peters Subject: What is safe to discuss? I have been reading (most of) the posts on this bulletin board for many months. One question that was recently raised was what kind of information can be placed here. (The thing that inspired me to write this was a comment responding to someone that posted a binary version of a PKZIP authenticated file which had been tampered.) We must have two kinds of people: those who think there should be no restrictions (eg, posting virus code is okay) and those who believe in some restrictions (to varying degrees) but NOBODY who posts here believes that nothing about viruses should be posted here or THEY wouldn't be posting here. If an evil person (ie, virus writer and/or propagator) were to be reading these messages, what would he (or she) want to read? I would think that just about everything here would be useful to some extent. For example, the constant discussion of polymorphic viruses would be a great way to learn exactly how to write viruses that cannot (easily) be detected. Many virus writers may not even THINK about polymorphism until they read about it somewhere, like here. Over the months I have learned a fair bit about viruses, and if I were evil I could apply that new knowledge to writing viruses instead of defending against them. The point to my little soapbox is that secrecy is not the only or the best way to defend against a threat. In some ways public discussion can actually help, which is probably the reasoning behind the existence of this forum. The more people know about viruses, the more that people will be able to defend against them. And in some cases the FAQ is simply not deep enough. As an evaluator of computer security products (not focussed on anti-viral products) I find the FAQ to be good but I could gain more from something more technical. I ask myself, "Where do I go from here?" I expect that an opposing viewpoint will focus on the question, "How do we prevent the bad guys from getting educated?" I don't have a good answer to that, since bad guys have a right to attend schools like us good guys do. Personally, I believe strongly in censorship of some things, but I'm not yet convinced that censorship of virus-related information does much good. Okay, if I'm wrong, sock it to me. :-) ------------------------------ Date: Thu, 11 Feb 93 00:30:01 +0000 From: houle@nmt.edu (Paul Houle) Subject: Re: How to measure polymorphism I was thinking a little bit about polymorphism in both virus programs and antivirus programs and got a few ideas about how one could go about implementing it. If an antivirus program is not polymorphic, it potentially can be recognized and tampered with by a virus. The code can be altered so it always reads "clean", or the files it keeps can be altered to delete signatures (for scanners) or to change CRCs, message digests, whatever is used to protect programs. Therefore, for safety, an antivirus program should ideally be different in every installation. The filename should be different, the code should be different with ideally no scannable strings, and any files that it keeps should be in encrypted and/or variable format. Encryption strings especially must be stored in varying and hard to locate places. (Of course in real life, we would hope that viruses never get smart enough to be able to use nontrivial attacks on antivirus software... Sure, the present generation of stealth viruses is pretty lame, but when we get stuff like Windows, Windows NT, and executables that keep growing and growing, there will be much more slack space for more complicated viruses.) Anyway, it seems like the ideal way to make a program polymorphic is to have a "polymorphic compiler". One could, say, do all the parsing at home and distribute (either in a virus or in an antivirus program) the code tree and a code generator that always generates different code. Maybe it stores at least two ways to do every simple operation... To make it worse, it can randomize the order of subroutines and procedures, and use all sorts of transformations to really complicate the thing (Especially if the "polymorphic language" is functional -- that would really be a blast of course, a functional language for systems programming). One of course could put the "source code" and the compiler on a floppy and have it install the actual antivirus stuff in whatever incarnation on the disk, using junk off the disk, the clock, the CMOS ram and all that to start a RNG. Viruses would have both the polymorphic executable and the source code in encrypted form, maybe encoded with a one-time pad based on a randomly selected segment in the program. This kind of system would be really nasty to deal with, and worse yet, might actually make non-lame stealth viruses practical. Let's face it -- the reason why stealth viruses are so easy to defeat is that they pretty much need to have sections in memory that are scannable. The polymorphic compiler could conceivibly make the part of a virus that plays hob with the operating system unscannable, which would be a pretty bad situation. ------------------------------ Date: Thu, 11 Feb 93 13:38:03 +0000 From: rm113@cus.cam.ac.uk (R. Moss-Eccardt) Subject: Re: Internet Worm - the "Perp" (CVP) buhr@umanitoba.ca (Kevin Andrew Buhr) writes: >rslade@sfu.ca writes: >| Robert Tappan Morris was a student at Cornell University when he >| wrote the Worm. He was a student of data security. The Worm is >| often referred to as a part of his research, although it was neither > ^^^^^^^^^^^^^^^^^^^^^^^ >| an assigned project, nor had it been discussed with his advisor. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >A "university" that requires such permission can hardly call itself a >university. Any institution that treats students with that level of >contempt is better termed an "academic cattle drive". > >Kevin At the University of Cambridge (an early university), we permit a certain amount of 'recreational use'. However significant use of resources or international networks requires approval from a tutor/director of studies. If an undergrad causes any trouble (filling the job queue, sending abusive mail etc.) then to regain access to any university-provided computer requires approval from the tutor. This has been roughly the policy since we built EDSAC (the first stored-program ------------------------------ Date: 11 Feb 93 13:50:36 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: general entertainment kelty_h@aci_1.aci.ns.ca (KELTY HAMILTON) writes: > Just mentioning a good virus article in the February "Discover" > magazine. Thought you virus fanatics would be interested in its coverage > of virus origins. This so-called article is in fact one chapter of the book "Approaching Zero" by Bryan Clough and Paul Mungo. They are calling it "forthcoming book" which sounds rather surprising to me - it was published in the UK about one year ago and I have read it since a long time... The book is not just about viruses, it is about computer crime in general. It's a very entertaining reading and I recommend it. Unfortunately, it is also full of technical and factual mistakes. In fact, every story described there, for which I know how it actually happened, there is something misrepresented in the book. In several cases I know that the declination of the truth is deliberate, because it was me who has told the authors some of the facts and they are represented differently in the book... The article is "Discover" does not make an exception - lots of technical and factual details are wrong. Maybe the funniest of them is the conjecture that "Diana P." in Dark Avenger's viruses has something to do with Lady Diana, Princess of Wells. However, the general analysis of the situation in Bulgaria that leaded to the creation of so many viruses there is rather exact. [Moderator's note: FYI, I think that's "Princess of Wales".] Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 Feb 93 14:21:44 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: What is a virus ? WALKER@aedc-vax.af.mil (William Walker C60223 x4570) writes: > posted anything else. There is a limit to how much a virus can change > its functionality, since the "parent" must contain within itself the > changes it is going to make in the "child," and if the "child" or some > later generation is going to eventually produce a copy of the original > "parent," it must contain all the functionality of the "parent" as > well. Not necessarily. First, the child does not have to retain the full functionatily of the parent. Consider a virus that carries a dozen of video tricks as a payload and each 1,000 replications drops one of the tricks (meaning that the next replicants do not contain the code for that trick). For another example, see below. Second, you are assuming that the virus is self-contained. I would argue that it is theoretically possible to make it able to fetch code fragments from the environment (e.g., the programs it infects) and use them to upgrade itself in an unpredictable way. Sure, most of the upgraded replicants won't work (i.e. will be sterile), but some of them might be able to evolve further. After all, this is exactly how the evolution works. Also, the percentage of the sterile progeny might depend on some properties of the environment; e.g. in the Tierra simulator almost any opcode is a valid instruction that can be executed without crashing the program... So, a virus can both reduce and increase its functionality. > Take, for example, a bipartite (two-part) virus which infects > files and boot sectors. The file infector must contain not only the > functions which infect the boot sector but those which will eventually > infect files again. Likewise, the boot infector must contain not only > the file infector but what will again be the boot infector. OK, let's look at some real example like that. The Kampana virus. Most people consider it multi-partite. I fact, this is a file infector, which infects both files and boot sectors, but the part installed in the boot sector can infect only other boot sectors. In some sense, this is a file infector, which drops a boot sector virus. The replicants of the boot sector virus are not able to infect files, while the replicants of the file virus -are- able to infect boot sectors... Therefore, what you claim above is not necessarily true - any of the parts of a multi-partitie virus could have a reduced functionality. > In this example, neither the boot infector nor the file infector alone > produce "functional duplicates" of themselves. Exactly, but I fail to see how this fits in your arguments... Maybe there is a typo something or I am missing something? > Together, though, the > boot infector and the file infector are considered one virus, designed > to go through two infection steps, and together as one virus they > produce a "functional duplicate" of the pair. With this example, I'll Well, some people argue that the Kampana virus is in fact two viruses... > agree that my wording "functional duplicate" is poor, but I am at a > loss to come up with a better term. I don't think that "possibly > evolved copy" is suitable, because "evolved" implies an involuntary > change. OK, let's try to find some other term, but not "duplicate"... > Any functional changes made in the copy will be those which > have been intentionally coded for the original to make. Yes, but they may not be predictable by examining the original... > > 4) What is "intercept program execution"? The non-resident viruses do > > not intercept anything; they get executed only when the user runs the > > infected program. > Oh, yes, they DO intercept program execution! A non-resident virus > may not intercept DOS interrupts or whatever, but it intercepts the > call to the original program; otherwise, it would never get executed. > If a virus doesn't intercept program execution in some way -- ANY > way -- it would never be run, never spread, and thus not be a virus. Oh, I see, you mean that it somehow attaches itself to the process of program execution... I misunderstood you because of the word "intercept" - too much DOS-oriented thinking... :-) Yes, I agree with the meaning you explain above. > A computer virus is a sequence (or sequences) of symbols which, > when executed or interpreted under certain conditions or in > certain environments, will make a functional duplicate of this > sequence (or sequences) and will place this duplicate where it > will intercept program execution at a later time under certain > conditions. This is called "replication" and the duplicate > retains at least the capability to recursively replicate further. Seems better. The only problem I have with it is the term "duplicate". > A virus may also have additional functions, but these functions > are necessary for something to be called a virus. I don't think that this should be included in the definition and it is not true, BTW... Or do you mean that they are -not- necessary? In this case, why including them in the definition? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Wed, 10 Feb 93 15:24:13 +0000 From: v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) Subject: Re: Norton buggy??? (or I have a PROBLEM!) (PC) amead@s.psych.uiuc.edu (Alan Mead) writes: >I think I found a bug in the Norton virus scaner NAV.EXE >(dated 5-28-92). I don't know what version or anything. i think it's just a matter of getting yourself a new (updated) copy of NAV or get rid of it and it's rather fauly scanning methods, take TBAV503.ZIP or SCAN100 you will be cheaper and safer ! (how would you react to a program saying every 5 mintis that your system is infected?) /\/\ \ / I \/ huristic scanning ! Ivar. ------------------------------ Date: Wed, 10 Feb 93 11:44:05 -0500 From: Bill Hayes Subject: Help! Help, with FORM virus (PC) Recently, a professor here armed his students with a custom program written for him by a student programmer. He had a secretary make about twenty copies of the program for his students. Unfortunately, the secretary's machine was infected with FORM, a boot sector virus. Now my student computer labs have been infected with it. Our state legislature is slashing the university by 15 million dollars, and up to 1000 staff positions may be lost. The bottom line is that I can't get approval to buy between $3500 - $4400 dollars worth of software to protect my labs. Since the labs were being used by people who respected copyrights, and generally weren't running programs from their own diskettes, I had only seen one viral infestation (on Macs) in my six years at the university. The student labs DOS machines up to this time had not been infected. The low probabilty of infection kept my boss from approving a comprehensive preventative solution. I knew that eventually we would be bitten. During better times, I purchased a few copies of CPAV and NAV to cover my office and to put one copy in each lab for the exclusive use of my student lab consultants. I sure as heck am not going to violate the copyright of this software. Although I would much rather buy enough licenses to cover my machines, I am now trying to find public domain (and I mean FREE) software. McAffee and Associates quoted me a whopping $17,000 dollars to site license their products. I might be able to wring out $5.00 to $10.00 per machine to license a product. Is their anything out there, or am I doomed to spend my life chained to a chair cleaning off FORM from student diskettes? Bill Hayes ianr012@unlvm.unl.edu ------------------------------ Date: Wed, 10 Feb 93 11:44:09 -0500 From: Y. Radai Subject: Re: New virus in Germany (PC) Malte Eppert describes a new virus: "UMB-1 (Tremor)": > There's a new virus around in Northern Germany which was isolated on the > Fachhochschule Braunschweig/Wolfenbuettel on Feb. 4, 1993. It was analyzed by > Robert Hoerner and has the following characteristics: . [list omitted] ... There's one important characteristic of the Tremor virus which wasn't listed: The virus specifically targets VSAFE, i.e. it contains code which turns off all of its eight monitoring options. Btw, the Tremor virus was discovered in Southern Germany in January. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Wed, 10 Feb 93 14:04:52 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: More Viruses in Memory (PC) >From: CASTILLO@nauvax.ucc.nau.edu >Subject: STONED, Scanv99/Clean 99 Questions/Concerns (PC) >Over the past several days our school has been dealing with the >Stoned virus. Maybe so maybe not - you *probably* have an MBR virus but might not be STONED. >2) When McAfee's Scan v99 is used, it finds the Stoned virus, >and the Clean can clean it. HOWEVER, when scanning AGAIN for the >virus, we find it in memory. This is after having booted from a >write-protected virus free floppy disk. Further tests apparently >show that Stoned can load into memory by a simple read on an >infected disk. The documentation I've read via FTP land say that that >is impossible. First off, an active STONED (and most other infections) have two components: a code segment that has replaced the MBR executable area stored on the fixed disk, and an interrupt 13 intercept that has been loaded into memory on boot. CLEAN removes the viral code from the fixed disk but does nothing about the infection in memory, you must reboot from a clean disk to cure this. Secondly, just because a scanner finds a virus in memory does not necessarily meant that it is *active*. One thing that can happen is that when you do a DIR of a floppy, the boot record is read into a buffer in low memory (fer sure DOS 5.0 - am running tests on other versions). The scanners that I have seen do not check to determine if the infection is *active* (being executed) or is just present as data (could be done but non-trivial & they don't - yet), rather, if a signature is found, a warning is triggered. Thirdly, it is possible to have a double infection but this is unlikely. >Questions: Why doesn't Untouchable work right? Probably (a guess, do not have U-T) has to do with a "first-match" selection, NO-INT and STONED share certain strings. Then again maybe you have "something else". >CAN the Stoned virus >load into memory by a simple read from an infected floppy?? The binary code could be loaded this way but would not be active (but would trip scanners). >Is there >a strain of stoned that can do this? (become active from a DIR) Not that I am aware of. Warmly, Padgett ------------------------------ Date: Wed, 10 Feb 93 19:30:35 +0000 From: Arlyn Subject: Michelangelo Virus? (PC) The question came up in our office today: Is the world expecting another round of the Michelangelo Virus to turn up on march 6 this year? Does anyone know if the date trigger on the virus checks for the year? [Moderator's note: Michelangelo does not check for the year; it triggers on 6 March of any year.] Thanks in advance for your thoughts. Arlyn Hubbell Academic Computing Lewiston, Me. 04240 ------------------------------ Date: Wed, 10 Feb 93 22:00:42 +0000 From: oep@colargol.edb.tih.no (oep) Subject: Re: Virstop 2.07 in Icelandic (PC) John Hendriks (jdh@medicine.newcastle.edu.au) wrote: : reports. When loading virstop though and testing with f-test the : diagnostics are incomprehensible. Is there an English version of : virstop? If you choose Install.Install from the menu of F-PROT, you make a version of VIRSTOP.EXE with messages in your current Language. If your version of F-PROT has menus in English, VIRSTOP will have messages in English. The language is also selected from the Install menu. You don't have to reinstall F-PROT from a diskette to run Install. F-PROT won't copy any files unless needed. Another feature with Install is that you can enter your own message, in any language you want, to be displayed when VIRSTOP detects a virus. - - oep ------------------------------ Date: Wed, 10 Feb 93 22:09:21 +0000 From: oep@colargol.edb.tih.no (oep) Subject: Re: Twelve Tricks (PC) REEDA@ibm3090.bham.ac.uk wrote: : Norton anti-virus detected Twelve-Tricks virus on one of our PCs but : f-prot 2.06a reported the PC as clean. Is this virus one that the : current f-prot misses or have we found a NAV false +ve? : A.Reed@bham.ac.uk Current version of F-PROT is 2.07. - - oep PS: I would not be very surprised if NAV gave a false alarm. Have you tried heuristic scan on this PC ? ------------------------------ Date: Wed, 10 Feb 93 22:29:12 +0000 From: oep@colargol.edb.tih.no (oep) Subject: Re: Suggestion to the developers of resident scanners (PC) Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote: : I understand that Frisk also intends to make a version of VirStop that : keeps the virus signatures on the disk and loads them when necessary. Frisk made the /DISK option for VIRSTOP a long time ago :-) : This means VirStop will become almost unusable on the system I am : talking about too... What do you want, not everybody has a '486... :-) I've run VIRSTOP with the /DISK option on several "slow" systems, but I don't think that VIRSTOP make them unusable...., and as I said: it's optional. : One solution is to have an option that forces the resident scanner to : keep the virus signatures in memory. This is fast, but could take a : lot of memory as the number of viruses increases... : 1) Scan the file when it is executed ONLY if it resides on a floppy. Why not when executed from a network drive, where your friends has put all their viruses....... I guess there are many ways to implement a resident solution, and by giving the users all options, you get a flexible solution. But you also make the resident routine more complex, and larger. Antivirus-soulutions is not the only solutions where you have to trade security for speed. Regarding 486, how long do you think the 286 will live ? - - oep ------------------------------ Date: 11 Feb 93 03:50:40 +0000 From: hzuzan@sgi1.mathstat.uoguelph.ca (Harry Zuzan) Subject: green catipillar (PC) Does anyone know what the green catipillar virus does? I have it in a copy of KERMIT I had been using on an old IBM PC which doesn't have a hard drive. Will it do any harm? Can I get rid of the virus? H. ZUZAN ------------------------------ Date: Thu, 11 Feb 93 08:54:31 +0000 From: ballerup@diku.dk (Per Goetterup) Subject: Re: New virus in Germany :-( (PC) Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) writes: [...] >- - contains the encrypted text "T.R.E.M.O.R was done by NEUROBASHER / > May-June'92, Germany" and "MOMENT OF TERROR IS THE BEGINNING OF > LIFE" >- - Length: exactly 4000 bytes Just for your information: Some of those words are from material by the Belgian techno/industrial band named 'Front 242'. "Neurobasher" is a B-side song from the "Tragedy For You" remix-maxisingle, and the sentence "Moment of terror is the beginning of life" is from the inner cover of their album "Front By Front" (I think). >The virus is provisorically referenced as "UMB-1 (Tremor)", until a name has >been officially constituted. > * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050) The EpiCentre - and a virus named 'Tremor"...? ;-) - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Per Goetterup, Student, DIKU InterNet: ballerup@ask.diku.dk | | pgoetter@nyx.cs.du.edu | | FidoNet: 2:231/91.10 -or- Per.Goetterup@p10.f91.n231.z2.fidonet.org | | | | DIKU is the department of Computer Science at the University of Copenhagen. | |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | The most merciful thing in the world I think, is the inability of the human | | mind to corrolate all its contents... - H.P. Lovecraft, 1926 - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "...Suburban gladiators in shoplifters battledress, turning Brussels into a mo- nument of excremental architecture..." ('The Colloseum Crash', A Split-Second) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: Thu, 11 Feb 93 07:23:39 -0500 From: mar@dcc.ufmg.br (Marcio Migueletto de Andrade) Subject: Michaelangelo's payload (PC) Hello all, It is known that the Michaelangelo virus makes use of INT 1Ah (AH=4) to read the system date. It works on a 386, but fails on a XT (nothing is returned). The virus still works but the payload is never achieved. Is it due to an old BIOS ? Is there a *standard* way to read the system date at *boot time* on a XT ? If not, any virus that uses the same function cannot work properly in such machines. (Below the equator line the XT still lives...) Thanks, Marcio Migueletto de Andrade Brazil. ------------------------------ Date: Thu, 11 Feb 93 14:46:57 +0000 From: v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) Subject: Re: Suggestion to the developers of resident scanners (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >My colleague in front of me is working on an old 12 MHz AT, with no >ex{te|pa}nded memory and a slow hard disk. He's using Dr. Solomon's >resident scanner GUARD. In order to keep memory requirements low, > [...] Sounds like tbscanx ! on garbo.uwasa.fi there is a file in /pc/virus witch is called tbav50?.zip this file contains a scanning pakage. you also have to download the signatures (vsig????.zip) but this program is fully configurable (only shareware) Ivar. ------------------------------ Date: Thu, 11 Feb 93 14:55:33 +0000 From: v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) Subject: Re: dame virus (pc) worley@a.cs.okstate.edu (WORLEY LAWRENCE JA) writes: >A friend of mine has a 486 that recently crashed. After booting on a >clean disk, I ran ScanV100 on it, and found that it had the Stoned >virus. I cleaned it off, and ran scan again, only to find that it now >had Michaelangelo virus. I ran clean again, this time with [Mich], >and it reported that the virus had been cleaned off. However, after >cleaning, ScanV100 still reported it was in the partition table, and >the drive will still not boot. Both floppies in the computer are >write protected and are virus-free. I have now run Clean c: [Mich] >approx. 30 times, each time, it says it cleaned the drive, and then >after rebooting, Scan still reports the virus is there. Any ideas? the tbav package has also a partition and bootsector imunizer .. it might be an idea ! My plesure Ivar. ------------------------------ Date: Thu, 11 Feb 93 17:46:06 +0000 From: ls8139@cis.ohio-state.edu Subject: Help, which scanner? (PC) Hi, I am relatively unknowledgable about virii. My question is which scanner(s) should I use regularly ie: new programs, boot up. I am currently using Norton Anti Virus at boot up, and during windows opperation with Norton Desktop for Windows 2.0. I have installed the latest Virus Definitions. Thanks for any help. Larry ------------------------------ Date: 11 Feb 93 18:17:09 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Should scanners detect only common viruses? (PC) Well, several people asked me by private e-mail to explain why I do not think that scanners should be tested only against the viruses known to be in the wild. Instead of replying to each of them privately, I decided to post here. There are several reasons: 1) A known-virus scanner is able to do only one thing - detect known viruses. Nothing more. Because of that, it is a relatively weak defense against viruses. Well, since it is able to do only that, then it must do it -well- and detect -all- known viruses, or as many of them as possible. 'Coz a known-virus scanner that does not detect even the known viruses is an even weaker defense... :-) 2) Since the appearance of the virus exchange BBSes, there is no more such thing as a "research-only" virus. Anybody with a PC and a modem can call such a BBS and download heaps of "research" viruses and use them to infect the computer of somebody he does not like... And if this somebody depends on a known-virus scanner for virus protection, and if this scanner detects only the 100 or so viruses that are believed to be "in the wild", then the result could be rather disastrous... Of course, the malicious person could write a completely new virus from scratch and use it with the same disastrous effect, even if the scanner on the attacked computer is able to detect all known viruses. But, first, this proves nothing more than the scanners ARE a weak defense against viruses and, second, it is still easier to get a virus written by somebody else than to write your own. 3) "Viruses in the wild" is a rather fuzzy term. There are several reliable sources of information about which viruses are in the wild - for instance IBM, Virus Bulletin, Computer Crime Unit at Scotland Yard, and some others. However, if you compare their data, you'll see that they agree mainly on one thing - that only a small percentage of the known viruses are in the wild. They don't agree on which viruses exactly are in the wild. This is partly due to the fact that viruses show some geographic prevalence. For instance, 95% of the infections in Bulgaria are caused by the Dir_II virus. In most other countries this virus has a status "sometimes found in the wild, but not very common". According to IBM, Jerusalem is one of the most widespread viruses in the USA. During my 3-year career of virus fighter in Bulgaria, the number of Jerusalem infections that I witnessed there can be counted on the fingers of one hand. In the same time, I have observed at least one infection of Kamikaze and Anti-Pascal.605 in the wild there - viruses that are so stupid that some anti-virus researchers refuse to believe that they are able to survive at all... So, when I am referring to "the known viruses", I have something objective to stand on - a virus collection for each example of which it can be objectively verified that it is indeed a virus and that it is different from the other samples. I have no similar objective criteria to decide what is a "virus found in the wild". I tend to agree with those who claim that it is more important to detect those viruses that are in the wild, than those that aren't. It would be a good idea, when testing scanners, to assign some weights to each virus, reflecting how widespread it is. A scanner that misses 200 (of 2000) viruses that nobody has ever seen in the wild is definitively better than a scanner that detects all those 1,999 viruses, but misses Stoned. However, while less important, the detection of non-spread viruses is not -unimportant-. And since I have no objective criteria to decide which viruses are widespread and which are not, I prefer to test the scanners against all viruses that I have. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 24] *****************************************