Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
	id AA04418; Wed, 17 Feb 1993 18:27:52 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA12481
	(5.67a/IDA-1.5 for ); Wed, 17 Feb 1993 11:55:45 -0500
Date: Wed, 17 Feb 1993 11:55:45 -0500
Message-Id: <9302171544.AA00461@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #27

VIRUS-L Digest   Wednesday, 17 Feb 1993    Volume 6 : Issue 27

Today's Topics:

TIME Magazine on "Cyberpunk": How Not to Define a "Worm"
Efficacy of Scanners
Definitions of Viruses etc.
Scanners getting bigger and slower
os2-stuff (OS/2)
Dame virus (PC)
scanners. (PC)
standardization (PC)
Re: ANSI Bombs (PC)
How to measure Polymorphism (PC)
Hardware faults and viruses (PC)
Re: New Virus (PC)
Re: Zerotime/Slow virus (PC)
Re: Suggestion to the developers of resident scanners (PC)
RE: Tremor (PC)
Re: F-prot/FSP/bootsum problem. Help! (PC)
two new viruses (PC)
Re: STONED update/additional info questions. (PC)
Re: F-prot/FSP/bootsum problem. Help! (PC)
Re: Help! Help, with FORM virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).
Administrative mail (comments, suggestions, and so forth) should be sent
to me at: .

Ken van Wyk, krvw@first.org

--------------------------------------------------------------------------------

Date:    Sun, 14 Feb 93 09:06:19 -0500
From:    cmcurtin@bluemoon.use.com (Matthew Curtin)
Subject: TIME Magazine on "Cyberpunk": How Not to Define a "Worm"

xrjdm@calvin.gsfc.nasa.gov (Joseph D. McMahon) writes:

> In last week's TIME magazine (with the "Cyberpunk" lead article), RTM's
> worm is described as "not a virus, but a worm, since the damage was
> unintentional".
>
> This is the most singular lack of grasp of the subject I have seen in
> a long time.

There were quite a few people posting on alt.folklore.computers about how
many silly errors like that there were. I'd be interested in seeing people
post their gripes about the article, so that I could summarize everything
and write a letter to TIME's editor...

 ____________________________________________________________________________
| C. Matthew Curtin              ! "But I am the enlightened one, they are   |
| P.O. Box 27081                 ! but mere sheep, following each other in   |
| Columbus, OH 43227-0081        ! the name of compatibility." -B. Heineman  |
| 614/365-3272                   ! Apple II Forever!                         |
|_cmcurtin@bluemoon.use.com______!____________GNO_your_AppleIIGS!____________|

------------------------------

Date:    Mon, 15 Feb 93 00:41:22 -0500
From:    "Roger Riordan"
Subject: Efficacy of Scanners

>> I know this is probably a dumb question but I was wondering about the
>> realistic aspects of scanners like do they really protect .....

ac999512@umbc.edu (ac999512) (Ed Toton) writes

> Well, scanners are fantastic for determining how wide-spread a virus
> is on your system, and great for determining just what you've been
> infected with, but you must already be infected for them to aid you in
> any way. They also cannot handle new and unknown viruses. For this
> reason they don't make an effective front-line defense.

Hogwash!
Granted scanners cannot detect the "new" virus till it has infected
someone, but the one thing they will do for you (if you will only let them)
is detect 99.9% of the viruses you will actually meet before they ever get
a chance to do anything to your system. Not using a scanner because it
can't detect ALL viruses is like saying "I won't bother to lock my front
door; any burglar worth his salt can get in anyway!"

Michael Weiner (x0421daa@vm.univie.ac.at, *temporary*) writes

> The big advantage of a checksummer is that it protects you against many
> more things than just computer viruses. Disadvantage: Checksumming takes
> longer than scanning (at least now; if there are more polymorphic viruses
> around, checksumming will be faster at one point)...

AND they can't detect a virus till it has changed something; and then it
might be too late!

Roger Riordan                      Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                     Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA    Fax: +613 521 0727

------------------------------

Date:    Mon, 15 Feb 93 00:41:35 -0500
From:    "Roger Riordan"
Subject: Definitions of Viruses etc.

Years ago I started to study philosophy. But I quickly discovered that they
spent inordinate amounts of time arguing about whether or not you could
prove anything. It was obvious that I could not prove that I was really
living, and not just dreaming, and this left me with three alternatives:

1. I could go to bed and stay there, till the dream ended.

2. I could spend my life agonising about whether or not I really existed,
   or

3. I could forget the whole stupid argument and get on with making the
   most of what, if it was a dream, was a remarkably long running and
   consistent one.

I am disappointed to find that far too much of our time has recently been
wasted on Virus-L on similarly arid arguments about what is a virus.
We used to think that the rules of trigonometry were fundamental laws,
imposed from above, but mathematicians have lately come to realise that
they are just rules that we have chosen for our own convenience. Similarly
there is no God given classification of artificial life forms (or real
ones either, for that matter), and every rule will leave us with
uncomfortably arbitrary decisions at the boundaries.

I think most of us would be reasonably happy with the following
definitions:

1. A Trojan Horse is a program which purports to do something useful, but
   is in reality destructive.

2. A Worm is a self contained program which can spread by itself from
   computer to computer in a network.

3. A virus is a program which cannot exist independently, but which can
   attach itself to (or infect) other programs, in such a way that when
   the original program is run the virus is activated, and enabled to
   infect other programs.

Clearly viruses can be subdivided according to the type of files infected,
the way in which this is done, and so on, but I believe these are good
working definitions. But, as I said, there will always be difficult cases
at the edges of any rule.

It is often easy to prove that a file is infected with a virus. If you run
a program, and another program grows in length, or each program you run
afterwards becomes longer, and you can show that the extra code occurs in
the first program, then it clearly incorporates a virus. But if someone
brings you a copy of some large application program, and says "XXX Scanner
says this has YYY virus", or "I downloaded this, and since then Windows
has been crashing regularly" you will probably fairly quickly be able to
say "I am reasonably confident this program does not contain a virus",
but it is almost impossible to say categorically "No it does not have a
virus".

When it comes to Trojan horses the situation is even worse.
For most programs of any complexity it would be virtually impossible to
prove that a program did not contain a trojan horse, even if you had a
well commented copy of the original source code.

This is also where our definitions start to get rubbery. It is well known
that most applications have bugs in them which will cause them to destroy
data in some circumstances. Does this mean they are Trojan horses? And
think about a Basic interpreter. You can undoubtedly persuade it to
overwrite the hard disk, or erase all the files. So is it a Trojan horse?
I am fairly sure that if you got cunning enough you could persuade it to
attach itself to another program, and for this copy to transfer itself to
other programs each time it was run. So is Basic also a virus? If so maybe
it is one of Fred's beneficial viruses; after all it could give you access
to Basic at a keystroke, without any tedious messing with AUTOEXEC.BAT, or
having to pay someone exorbitant amounts of money. And if you were lucky
enough to become infected with the Basic virus, and made use of it, would
you be infringing the author's copyright?

However one thing which is quite clear is that Xcopy, Format, etc, are not
viruses. They may fit Fred's original definition, but they certainly do
not fit the currently accepted definitions. Fred may not like this, any
more than the first person to use the term "personal computer" may have
liked what IBM did to his idea, but it is mischievous for him to waste our
time with his endless arguments.

Fred, I suspect, is well aware of this, but it suits his purposes to be
able to talk about his "beneficial viruses" (which no-one else would class
as viruses) because of the publicity it generates. Unfortunately it also
provides the schoolboy wannabe virus writers with the perfect
justification for their endeavors; "If Dr. Fred Cohen says that you can
have good viruses why shouldn't we try to write one."

Roger Riordan                      Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                     Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA    Fax: +613 521 0727

------------------------------

Date:    Sat, 13 Feb 93 23:01:00 +0100
From:    Gal_Hammer@f111.n9721.z9.virnet.bad.se (Gal Hammer)
Subject: Scanners getting bigger and slower

Hi All,

I was thinking (doesn't happen a lot, but...): if every virus has its own
sig., and every week a few or some viruses appear, won't all the
anti-virus programs start to get bigger and slower?!

Gal Hammer.

--- FastEcho 1.21a
 * Origin: Time Vortex * +972-7-762-291 * VirNet Site (VirNet 9:9721/111)

------------------------------

Date:    Sat, 13 Feb 93 01:52:02 +0100
From:    Malte.Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: os2-stuff (OS/2)

Hello Vesselin!

> So, I am asking again - can some of the known viruses infect a DLL
> file (even by mistake, even incorrectly)? I think that none of them
> will do that, but maybe I am wrong...

Two years ago I had a strange case of Cascade infection on a 386. An
APP-File of Ventura Publisher had been mistakenly hit by 1704-B and was
damaged - but not infected, since the virus in the file was no longer
capable of replicating - Ventura always crashed at startup. Nevertheless
SCAN (dunno which version it was those days :-) ) flagged it as infected
when using the /A switch; and there were other, regularly Cascade-infected
COM files on the drive which were simple to clean. The APP-File had to be
reinstalled. I don't know the conditions under which that happened, but I
think similar things should also be possible with DLLs and other viruses.

cu!
eppi

--- GEcho 1.00
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    08 Feb 93 19:19:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Dame virus (PC)

Quoting from Ching S Siow to All About Dame virus (PC) on 02-08-93

CS> I would like to find out more about this "DAME Virus". My network has
CS> 3 files infected with this virus and would appreciate some help in
CS> cleaning it out. I have tried netscan and inoculan, both of which
CS> failed to discover the virus.

DAME is not a virus. It is a routine that virus authors use to encrypt the
virus. DAME is an acronym for Dark Avenger's Mutation Engine. Most of the
time this routine goes by MtE.

MtE adds about 3.5K overhead to the virus.

From my tests, F-Prot and McAfee's Scan are very good in detecting the
presence of the MtE.

Hope this helps.

Bill

---
 * WinQwk 2.0 a#383 * Hacked Scan 74, 78, 79, 81, 83, 87, 88, 92, 96

------------------------------

Date:    08 Feb 93 19:04:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: scanners. (PC)

Quoting from Ed Street to All About scanners. on 02-06-93

ES> I know this is probably a dumb question but I was wondering about the
ES> realistic aspects of scanners like do they really protect as much as
ES> some of the people that I have talked to seem to think? In my opinion
ES> they are just merely an aid to problem solving and should not be used
ES> as a general "cure-all"

Scanners are good for one thing: detecting known viruses (preferably
before running an infected file).

For a better defence, keep a scanner updated, and use a generic virus
detector to detect viruses that get around the scanner.

Scanner: I recommend the following.

  F-Prot
  VIRx
  Scan.

These rank highest in my tests.

Generic virus detection software:

  Victor Charlie
  PC-Rx
  Untouchable
  Integrity Master
  PC-cillin.

Each of these has strengths and weaknesses, so read some literature, and
buy the one that seems to fill your needs.

Bill

---
 * WinQwk 2.0 a#383 * Hacked versions of TDraw. 4.3, 5.0, 6.0. & 8.0

------------------------------

Date:    09 Feb 93 19:11:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: standardization (PC)

I may be stepping out of bounds here. But here goes anyway.
I feel that the authors of scanners need to get together, and agree on a
naming system.

A friend of mine recently had a bout with 1575, and he had two scanners:
McAfee's Scan, and F-Prot.

Anthony ran each scanner, and he was told that he had two viruses: 1575,
and Green Caterpillar.

Anthony was beside himself. He thought he had two viruses, and F-Prot
detected one, and Scan detected another one.

He called me to help. I drove over and quickly found the problem, and
explained that he only had one virus, and different scanners use a
different naming system.

If someone has Frodo, and is using three different scanners, s/he could
get three different names:

  Frodo
  4096
  IDF
  Century
  etc.

These authors need to get together and nail down a coherent naming system
to prevent this problem. If they can't work out a naming system for every
known virus, start with the 60 or so common viruses that are known to be
in the wild, and go from there.

Climbing down from soapbox now.

Bill

---
 * WinQwk 2.0 a#383 * Excalibur BBS (408) 224-0813

------------------------------

From:    bce@sactoh0.sac.ca.us (Byron C. Ellis)
Subject: Re: ANSI Bombs (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

> To all of you who are afraid of ANSI bombs, two ways of avoiding them:
>
> 1. Replace your ANSI driver. Use something like NANSI, that has a /S
>    command line switch to DISABLE the keyboard redefinition.
>
> 2. If you are a BBS, and using the MTS package, people can infect you by
>    simply inserting an ANSI bomb into an ARJ COMMENT, and when the MTS
>    opens the ARJ to its temp dir, the bomb will activate.
>    If you are using ARJ, do this:
>       SET ARJ_SW=-JA-
>    If you already have an ARJ_SW, add -JA- to it.

Or just add a /k to your ANSI.SYS parameters... That disables the macro
function...

--
Flying (v) : The art or knack of throwing       : Byron C. Ellis
              yourself at the ground and missing  : Internet: bce@sactoh0.SAC.CA.US
              -The more than complete Hitchhiker's Guide
               to the Galaxy trilogy              :

------------------------------

Date:    Mon, 15 Feb 93 00:40:07 -0500
From:    "Roger Riordan"
Subject: How to measure Polymorphism (PC)

chess@watson.ibm.com (David M. Chess) writes:

> measure the randomness of a string of bits by finding the smallest
> program for some standard Turing Machine that produces those bits.

In theory this sounds a good idea, but in practice the length of a program
tells us far more about the skill of the programmer than about the
complexity of the task. It has been shown, BTW, that any program can be
reduced to zero length (1.). Still I suppose that if you compare programs
written by the same person you will get a better idea of the relative
complexity, but even this will be biased, as the programmer should be
able to do a much better job the second time round.

barnold@watson.ibm.com (Bill Arnold) writes

> Fridrik Skulason recently posted lines-of-code counts for some
> algorithmic virus detectors in F-PROT. I'm assuming his
> detectors are written in C. Here are lines-of-code counts for a
> few algorithmic detectors (written in C) included in IBM
> AntiVirus.
> ....
>    MtE  ::= 330 physical, 105 comments, and 274 source lines
>    V2P6 ::=  89 physical,  57 comments, and  45 source lines
>    V2P2 ::= 145 physical,  38 comments, and  77 source lines

I didn't notice Frisk's posting, but gather it quoted similar figures
(actually rather smaller; MtE 174). I looked up our listings, & got the
following figures. We don't bother to differentiate between V2P2 & V2P6.
As neither is in the wild, and we don't attempt to disinfect them, there
is no need to separate them.
   V2P2/V2P6     82 total lines    123 bytes
   MtE          241   "     "      392   "
   Slovakia     162   "     "      345   "

In each case this is the full subroutine containing all necessary data
(apart from a small standard block specifying the type of file, etc, in a
table with entries for all viruses, which is used for initial selection).
Each subroutine is passed a pointer to the file, which has already been
loaded into a buffer.

Our program is written in assembler, and the figures seem to bear out my
belief that HLLs confer much less advantage than is generally claimed.

1. Proved by applying the generally accepted rule "You can always find at
   least one redundant instruction in any program if you look hard enough"
   recursively.

Roger Riordan                      Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                     Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA    Fax: +613 521 0727

------------------------------

Date:    Mon, 15 Feb 93 00:40:19 -0500
From:    "Roger Riordan"
Subject: Hardware faults and viruses (PC)

victor@ccwf.cc.utexas.edu (V Menayang) writes

> I wonder if a virus can erase the information stored in
> CMOS? If it can, what virus/viri known to work this way?
> The reason I am asking these questions is that the computer
> repair person we took our Grid system machine to claimed
> that our problem (floppy drive wouldn't refresh) is caused
> by a virus. I don't know much about virus but the claim
> sounds suspicious because he said that the virus is [stoned].

The only virus I know which interferes with the CMOS is AntiCad. It wipes
the setup info, but only after it has written rubbish all through your
hard disk, so it certainly didn't cause this problem.

Unfortunately viruses are a godsend to the incompetent servicemen and
purveyors of rubbish. We even had one case where a resistor on the disk
controller card had burnt out (and emitted visible smoke), yet the PC shop
would not repair it under warranty "because the damage had been caused by
a virus"!
Roger Riordan                      Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                     Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA    Fax: +613 521 0727

------------------------------

Date:    15 Feb 93 08:19:58 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: New Virus (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> First, for someone who's not very smart, the Whale virus will be too
> difficult to understand, so they are more likely to go hacking yet
> another Jerusalem variant. Second, Whale is -trivial- to detect - just
> 34 simple (i.e. non-wildcard) scan strings...

And third...the source code to Whale is not available on the Vx BBSes,
and disassembling whale and creating a new version that way is a LOT of
work.

-frisk

--
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date:    15 Feb 93 08:34:39 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Zerotime/Slow virus (PC)

bgroen@metz.une.edu.au (Bernie Groen) writes:

> Need help, have a virus. Norton antivirus 2.1 calls it SLOW, Fprot 2.07
> calls it a variant of Zerotime; neither one will remove it.

Well, those names are aliases...Zerotime/Slow is actually a variant of
Jerusalem, with an encryption layer added. There are two known variants -
Jerusalem.Zerotime.Scotts_Valley and Jerusalem.Zerotime.Australian...but
it seems you have encountered the third one. F-PROT refuses to remove it,
because it does not match any of the known variants, and removal might
therefore fail...adding removal should be easy, once I receive a sample of
the virus from somewhere.
-frisk

--
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date:    15 Feb 93 08:44:44 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Suggestion to the developers of resident scanners (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> I understand that Frisk also intends to make a version of VirStop that
> keeps the virus signatures on the disk and loads them when necessary.

Not a special version - this is just an option...enabled by the /DISK
command line switch...it means a longer delay, yes...but significantly
less memory usage...2K instead of 13K or so.

-frisk

--
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date:    Mon, 15 Feb 93 03:43:01 -0500
From:    fergp@sytex.com (Paul Ferguson)
Subject: RE: Tremor (PC)

On 12 Feb 93 (13:28:35 +0000) Vesselin Bontchev wrote -

> Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) writes:
>
>> There's a new virus around in Northern Germany which was isolated
>> on the Fachhochschule Braunschweig/Wolfenbuettel on Feb. 4, 1993.
>> It was analyzed by Robert Hoerner and has the following
>> characteristics:
>> - infects COM and EXE
>> - loves infecting COMMAND.COM on drive A:
>
> More exactly, loves infecting the command interpreter - regardless
> where it is. For instance, C:\DOS\4DOS\4DOS.EXE works just as well as
> A:\COMMAND.COM.

So I've noticed. I "spoke" with Robert Hoerner about it earlier.

>> - TSR in UMBs (!), stealth
>> - uses interrupt trace techniques
>> - slightly polymorphic, WHALE and FISH-like
>> Tested the following scanners: FindVirus 6.10 (Drivers of December 5,
>> 1992); F-Prot 2.07; SCAN 100. Only F-Prot 2.07 detects the virus and
>> NOT reliably - some infected files are missed. I was told that S&S
>> International has created an external additional driver for their
>> scanner, that detects this virus; users of Dr. Solomon's Anti-Virus
>> ToolKit should contact them for more information.

I had noticed that F-Prot v2.07 did detect it (to what extent, I have not
had an opportunity to effectively measure), but since there were no
references to it within the F-Prot documentation ("New viruses --
detection added..") or from within the program itself ("Not yet
analysed"), I suspect that detection of TREMOR was a last minute
addition.

I have FindVirus 6.07 (drivers dated 19/11/1992), which of course do not
detect this virus. Would you happen to know if there is an avenue
(electronic, of course) to obtain driver updates, other than waiting for
regular postal delivery for registered users? If not, I'll pester him at
the Ides conference next month. :-)

> Some additional information:
>
> 1) The virus uses the following "Are you there?" call: INT
> 21h/AX=F1E9h, returns AX=CADEh. A program that intercepts that could
> be used as poor man's defense.
>
> 2) The virus particularly targets the program VSAFE that comes with
> Central Point Anti-Virus and MS-DOS 6.0 and disables it. I'm not
> certain why it does that - the virus is tunnelling enough to bypass
> monitoring software... Maybe the virus author just wanted to
> demonstrate that he knows how to disable this particular program.

[remainder deleted]

What _exactly_ is its infection criteria? Although I've had barely enough
time to read my E-mail in the past two weeks, I have noticed that it is
_very_ selective about its targets.

A side note: Tarkan's VDS Pro v1.0 handles it nicely with its generic
approach. :-)

Cheers from Washington, DC

Paul Ferguson                    |  "Sincerity is fine, but it's no
Network Integration Consultant   |   excuse for stupidity."
Alexandria, Virginia USA         |              -- Anonymous
fergp@sytex.com (Internet)       |
sytex.com!fergp (UUNet)          |
1:109/229 (FidoNet)              |
PGP public encryption key available upon request.

---
fergp@sytex.com (Paul Ferguson)
Access <=> Internet BBS, a public access internet site
Sytex Communications, Arlington VA, 1-703-358-9022

------------------------------

Date:    15 Feb 93 08:51:36 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: F-prot/FSP/bootsum problem. Help! (PC)

92brown@gw.wmich.edu (THE EYES OF GO ARE WATCHING YOU) writes:

> I have a question regarding a problem I am having running Flushot and
> F-prot 2.06 concurrently. (I have not yet updated to F-prot 2.07 or
> FSP+). I have FSP configured so that it checks my bootsum when I boot
> up. The value of the bootsum is not supposed to change, and never
> does until I scan my drive with F-prot.

F-PROT does NOT write to the boot sector at all (well, unless you have a
boot sector virus and disinfect it). If the BSV is modified, it must be
done by some other program...actually, there are certain versions of DOS
(Zenith 3.3, for example) that modify the Boot sector regularly, but DOS
5.0 does not change it as far as I know. I would suggest you make a
"before" and "after" hex dump of the boot sector and compare them...

-frisk

--
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date:    14 Feb 93 00:20:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: two new viruses (PC)

I have discovered two new viruses today. One companion infector, and one
file infector.

Companion infector.

This companion infector is not resident, uses the MtE, and is not
infectious in the second and third generation. The infections I have
captured vary from 6686 bytes to 6737 bytes.

File infector.

This file infector is approximately 2800 bytes.
When users run an infected file, this virus will try to infect every .COM,
and .EXE in the current directory. It was made by the MPC. Very difficult
to get the infected files to run.

I will be sending these to some CARO members that I know, so these can be
added to the CARO catalog.

Both of these viruses are in the wild.

Bill

---
 * WinQwk 2.0 a#383 * DATACRIME-B activates Oct 13-Dec 31

------------------------------

Date:    Mon, 15 Feb 93 06:01:45 -0500
From:    Otto Stolz
Subject: Re: STONED update/additional info questions. (PC)

Hi fellow virus-buster,

this seems to be a common problem so I decided to comment on the explicit
virus-eradicating procedure Ulysses reported. Definitely, the authors of
virus scanners should enhance their documentation, and the users should
bother to read it!

On 11 Feb 93 12:23:59 -0700 Ulysses Castillo said:

> 1) Cold booted from a write-protected virus free disk.
> 2) Used SCAN v99 on C:, no virus was found in memory or on C:.
> 3) Inserted an infected floppy in B:.
> 4) Ran scan on b:. No virus found in memory, stoned virus found
>    in boot sector of B:.

Now, any disk operation (such as DIR or, indeed, SCAN) involving B: will
read the infected boot sector into memory.

> 5) Ran scan on B: again. Virus found in memory and in boot sector
>    of B:. (HOW???)

You've ordered it yourself, as explained above. But relax: the virus is
not active, your computer is not infected; the virus code simply is
sitting somewhere in memory where it never will be executed, and where it
will be overwritten sooner or later. The only way to infect your computer
would be to (inadvertently) boot it from the infected disk (or any
equivalent thereof such as using DEBUG to explicitly execute the copy of
the bootsector sitting in memory).

> 6) Reboot (cold boot, not control-alt-delete).
> 7) Inserted infected disk in B:.
> 8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector
>    of B:. Virus removed from B:.
At this point, you should either re-boot your computer, or insert a clean
disk into B: and DIR it. This will overwrite the buffer, so SCAN will not
be fooled into raising a false alarm.

> 9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT
>    found on B:.

Now, your B: is clean, and so is your computer (only SCAN does not believe
so). Do not forget to scan all computers that have been in contact with
the infected disk, and then in turn all disks that have been in contact
with any computer you may find infected, and then in turn all computers
...

> Again, from these observations we are being led to believe that stoned
> loaded itself into memory after a read operation on the infected disk.

No. Rather it was loaded by DOS, and "in memory" does not imply "active"
(whilst "active" indeed does imply "in memory").

On Fri, 12 Feb 93 14:53:29 +0000 Julian Haddrill said:

> I too have had the same problem, with the 'FORM' virus.
> Scanning and finding the virus caused it to infect my PC,

Julian, are you still convinced after having read the remarks above?

Best wishes,
Otto Stolz

------------------------------

Date:    Mon, 15 Feb 93 12:11:45 +0000
From:    jornj@colargol.edb.tih.no (jornj)
Subject: Re: F-prot/FSP/bootsum problem. Help! (PC)

THE EYES OF GO ARE WATCHING YOU (92brown@gw.wmich.edu) wrote:

[cut, cut]

: FSP+). I have FSP configured so that it checks my bootsum when I boot
: up. The value of the bootsum is not supposed to change, and never
: does until I scan my drive with F-prot. After I finish scanning my
: drive I get an alert from FSP saying my bootsum records do not match,
: and then it shows the newly assigned value. I am confused about why
: F-prot changes my bootsum when it scans my drive and if there is
: anything I can do about it.

[cut]

: By the way, my system is a IBM AT (100% compatible) running Stacker on
: a 32m hard drive, and DOS 5.0.

I've experienced the same problem, using Integrity Master and Stacker
2.0.
When I check the 'bootsector' of my stacked volume IM always claims it has
changed... Is this normal for Stacker? Or do I have a 'problem'? (I've
scanned with scan v99, fprot 2.06 and IM doesn't report any other
problems).

//Jorn

--
Jorn F Jensen, Student at Trondheim College of Engineering, CS
jornj@edb.tih.no

------------------------------

Date:    Mon, 15 Feb 93 08:39:35 -0500
From:    Otto Stolz
Subject: Re: Help! Help, with FORM virus (PC)

On Wed, 10 Feb 93 11:44:05 -0500 Bill Hayes said:

> [...] machine was infected with FORM, a boot sector virus.
> Now my student computer labs have been infected with it.

To recover from the incident, you need a quick and reliable virus scanner
(cf. infra). Use it in the following way:

1. To clean the HDs, repeat, for each computer in the lab and in the
   institute you got the virus from, the following steps:

   1.1 Power off for at least 90 seconds, insert clean DOS (same version
       as on the HD) disk into drive A, switch on. Make sure the computer
       boots from the floppy disk (otherwise change the BIOS setup, then
       repeat step 1.1).

   1.2 Insert clean disk with your favourite scanner, and scan HD for boot
       sector viruses. Take notes, which computers are reported as
       infected.

   1.3 If computer is infected with FORM (or any other Boot Record Virus)
       then insert again the clean DOS disk, and enter
          SYS C:
       Note: this does not cure Master Boot Record Viruses such as Brain,
       Stoned, or Michelangelo.

   1.4 To re-boot from the HD, take out the disk from drive A, then press
       Ctrl-Alt-Del, or power off and on again. Make sure the computer
       boots from the hard disk (otherwise change the BIOS setup, then
       repeat step 1.4).

   1.5 To be on the safe side, check HD again with a good virus scanner.

2. For each computer found infected in step 1.2, collect *all* floppy
   disks that were in contact with it. Really, all of them! Search
   shelves, drawers, pockets, bags! Do not even overlook disks used as
   book-markers or saucers! Cross-examine users and operators!
   Invoke your favourite virus scanner on a clean computer, and check the
   floppy disks you collected. Take notes, which disks are infected.

3. Get a supply of empty floppy disks, and format them on a clean
   computer. Then, for *every* disk found infected in step 2, repeat:

   3.1 If it is a system disk, make sure that the system you are using is
       the same version as that on the floppy, then enter:
          SYS A:
       If it is a non-system disk, then copy all *files* from it to an
       empty and (cleanly) formatted disk, using XCOPY, or an equivalent
       utility. Do *not* use DISKCOPY (or equivalent), as the latter will
       include the boot sector with the copy. Make sure the copy is
       complete, then re-format the infected disk, and use it for any
       purpose.

   3.2 To be on the safe side, check the floppy again with a good virus
       scanner.

   3.3 Notify the users and operators of all computers that may have been
       in contact with the infected disk, and ask them to repeat steps 1
       to 3, for their computer -- up to, and including, step 3.3!

This is the generic method for boot sector infectors. Instead of steps
1.3 and 3.1 you may wish to exert the Disinfect option of a virus
scanner. This will work, if the scanner does identify the virus beyond
any doubt; but if the scanner tries to disinfect a virus that is not
properly identified (perhaps a new variant of an old virus), it may do
more harm than good.

In case of a student lab, you may not find all relevant disks in step 2,
or all relevant computers in step 3.3. In this case, install a monitoring
virus scanner on all computers; this sort of scanner will alert the
students to infected disks as they bring them to the lab, and it will not
allow these disks to be used with your machines. However, no software can
stop your students from booting deliberately from infected disks (which
will necessitate your repeating the whole procedure outlined above).

> [...] I might be able to wring out $5.00 to $10.00 per machine to
> license a product. Is there anything out there?
The shareware version of F-PROT from Frisk Software can be licenced for
US$ 1.00 per computer per year (minimum $20.00 per site per year); mass
discounts and educational discounts may apply. This does not include
delivery, nor individual support. Rather, you are supposed to fetch the
software (including documentation) from a suitable file server, and
handle virus incidents on your own.

F-PROT is updated roughly every other month. In reviews, its virus
scanner usually ranks among the top three, world-wide. It also comprises
a monitoring virus scanner named VIRSTOP, a heuristic scanner (which can
alert you to hitherto unknown viruses, but is not as accurate as the
known-virus scanner), and a database of known-virus descriptions (though
rather terse ones).

I think, F-PROT is the best value you can get for the least money. I
hasten to add that I am not commercially connected to Frisk Software --
I'm just a satisfied user.

Best wishes,
Otto Stolz

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 27]
*****************************************
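Added example, appended after the digest and not part of it or of VET, F-PROT, FSP, Integrity Master or any other product named in it. It models, in Python, the two detection styles argued over in this issue (Roger Riordan's known-virus scanner against Michael Weiner's checksummer) on the boot-sector case that Otto Stolz and Fridrik Skulason discuss: a FORM/Stoned-style infector, and an FSP "bootsum" that changes for a reason other than a virus. A constructed FAT12 boot sector is "infected" by overwriting its bootstrap code while the BPB and the trailing 0x55AA are kept intact, which is how such a virus keeps the disk mountable. The scan string catches only the variant it was written for; the checksum catches any change, including a non-viral rewrite of the sector by DOS itself, so the code also reports which region of the sector changed, which is what Frisk's before-and-after hex dump is for. Every byte string here (the sector layout, the "virus" bodies, the scan string) is invented for the example; none is the signature of FORM, Stoned or any real virus.

```python
"""Boot-sector checksummer versus scan-string scanner (added example).

All data below is constructed for illustration; the scan string is NOT
the signature of FORM, Stoned or any real boot-sector infector.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
BOOT_CODE_OFFSET = 62          # first byte after the extended BPB
BPB_FORMAT = "<HBHBHHBHHHII"   # classic DOS BPB at offset 11, 25 bytes

# Hypothetical scan string for the constructed infector used in demo().
KNOWN_SIGNATURES = {
    "Example.BSI.A": bytes.fromhex("fa33c08ed0bc007cfb1e5007"),
}


def build_clean_sector() -> bytes:
    """A plausible, constructed FAT12 boot sector for a 1.44 MB floppy."""
    header = b"\xEB\x3C\x90" + b"MSDOS5.0"          # JMP SHORT, NOP, OEM name
    bpb = struct.pack(BPB_FORMAT,
                      512,    # bytes per sector
                      1,      # sectors per cluster
                      1,      # reserved sectors
                      2,      # FAT copies
                      224,    # root directory entries
                      2880,   # total sectors
                      0xF0,   # media descriptor
                      9,      # sectors per FAT
                      18,     # sectors per track
                      2,      # heads
                      0,      # hidden sectors
                      0)      # total sectors (large)
    ext = struct.pack("<BBBI", 0x00, 0x00, 0x29, 0x1234ABCD)  # drive, rsvd, ext sig, serial
    ext += b"NO NAME    " + b"FAT12   "
    code_len = SECTOR_SIZE - BOOT_CODE_OFFSET - 2
    code = (b"\x33\xC0\x8E\xD8" * 120)[:code_len]   # xor ax,ax / mov ds,ax filler
    return header + bpb + ext + code + BOOT_SIGNATURE


def infect(sector: bytes, body: bytes) -> bytes:
    """Model a boot-sector infector: replace the bootstrap code but keep the
    BPB and the 0x55AA signature so DOS still mounts the disk normally."""
    code_len = SECTOR_SIZE - BOOT_CODE_OFFSET - 2
    body = body.ljust(code_len, b"\x90")[:code_len]
    return sector[:BOOT_CODE_OFFSET] + body + BOOT_SIGNATURE


def parse_bpb(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block. An infected sector parses just as
    cleanly as a healthy one, so parsing alone is not a detection."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be %d bytes" % SECTOR_SIZE)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_count", "root_entries", "total_sectors", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads",
             "hidden_sectors", "total_sectors_large")
    info = dict(zip(names, struct.unpack_from(BPB_FORMAT, sector, 11)))
    info["oem_name"] = sector[3:11].decode("ascii", "replace")
    info["has_signature"] = sector[-2:] == BOOT_SIGNATURE
    return info


def bootsum(sector: bytes) -> str:
    """The checksummer's record of the sector (the FSP 'bootsum' idea).
    SHA-256 here; a 1993 tool used a much simpler sum, same principle."""
    return hashlib.sha256(sector).hexdigest()


def scan(sector: bytes) -> list:
    """The scanner: report every known scan string present in the sector."""
    return [name for name, sig in KNOWN_SIGNATURES.items() if sig in sector]


def changed_regions(baseline: bytes, sector: bytes) -> set:
    """Which parts of the sector differ, so a checksum alarm can be judged
    before a virus is blamed (Frisk's before/after hex dump, automated)."""
    regions = set()
    for offset, (old, new) in enumerate(zip(baseline, sector)):
        if old == new:
            continue
        if offset < 3:
            regions.add("jump")
        elif offset < 11:
            regions.add("oem_name")
        elif offset < BOOT_CODE_OFFSET:
            regions.add("bpb")
        elif offset < SECTOR_SIZE - 2:
            regions.add("boot_code")
        else:
            regions.add("signature")
    return regions


def evaluate(baseline: bytes, sector: bytes) -> dict:
    return {
        "checksum_changed": bootsum(sector) != bootsum(baseline),
        "scan_hits": scan(sector),
        "changed_regions": changed_regions(baseline, sector),
        "mounts": parse_bpb(sector)["has_signature"],
    }


def demo() -> dict:
    clean = build_clean_sector()
    known = infect(clean, KNOWN_SIGNATURES["Example.BSI.A"] + b"\xEA\x00\x7C\x00\x00")
    # Same "virus" with one byte altered: the scan string no longer matches.
    variant = infect(clean, bytes.fromhex("fa33c08ed0bc007cfb1e50") + b"\x90\x90")
    # Non-viral change: SYS or a different DOS rewrote the OEM name only.
    reinstalled = b"\xEB\x3C\x90" + b"IBM  3.3" + clean[11:]
    return {
        "clean": evaluate(clean, clean),
        "known_virus": evaluate(clean, known),
        "unknown_variant": evaluate(clean, variant),
        "reinstalled_dos": evaluate(clean, reinstalled),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-16s %s" % (case, result))
```

The three non-clean cases land exactly where the thread's arguments do: the scanner names the known sample and is silent on the one-byte variant, the checksum flags both but also the harmless OEM-name rewrite, and the changed-region report is what separates the last two before anyone reaches for SYS C:.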