Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5) id AA10457; Thu, 25 Feb 1993 16:29:14 +0100 Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA16920 (5.67a/IDA-1.5 for ); Thu, 25 Feb 1993 09:51:46 -0500 Date: Thu, 25 Feb 1993 09:51:46 -0500 Message-Id: <9302251450.AA03674@first.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@first.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #34 Status: RO VIRUS-L Digest Thursday, 25 Feb 1993 Volume 6 : Issue 34 Today's Topics: WARNING: Problem with CLEAN-UP V100 and Michelangelo (PC) WARNING: McAfee CLEAN & Michelangelo [Mich] (PC) Re: Scanners getting bigger and slower More on Education Re: Censorship A quick request for opinions Known viruses in a UNIX evvironment (UNIX) Re: Michelangelo or STONED? (PC) Re: standardization (PC) Re: New Virus (PC) Re: Michelangelo or STONED? (PC) PC Magazine on Anti-Virus Software (PC) Re: PC Magazine reviews virus scanners (PC) Request for virus tools (PC) Maybe a virus (PC) FPROT, Thunderbyte, & DataCrime II (PC) Re: F-prot/FSP/bootsum problem. Help! (PC) Problems w/ LAN Prrotect (PC) Anybody knows SHIRLEY or VIVALDI ? (PC) Shriley and Vivaldi Part II (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: Wed, 24 Feb 93 11:18:57 -0800 From: aryeh@mcafee.com (McAfee Associates) Subject: WARNING: Problem with CLEAN-UP V100 and Michelangelo (PC) [Moderator's note: This message was posted to VALERT-L last night.] McAfee Associates has been made aware of a possible problem with removing the Michelangelo virus with Version 9.12V100 of CLEAN-UP: When is CLEAN C: [MICH] is run to remove the Michelangelo virus on some computer systems, the original master boot record of the hard disk is restored to the wrong location, resulting in a non-accessable hard drive until repaired. This problem does not occur consistently and we are investigating it now. In the meantime, anyone wishing to remove the Michelangelo virus from a hard disk should use the [GENP] I.D. code with CLEAN-UP instead. For example: CLEAN C: [GENP] This will remove the Michelangelo virus by replacing the infected portion of the master boot record with a clean piece of code from inside the CLEAN.EXE file. Details will follow as I find out more. Regards, Aryeh Goretsky Technical Support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE ------------------------------ Date: Sat, 20 Feb 93 22:32:29 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: WARNING: McAfee CLEAN & Michelangelo [Mich] (PC) [Moderator's note: This message was posted to VALERT-L last night.] Dangerous Bug in CLEAN.EXE v100 (& possibly earlier) For some time now I have been receiving reports of a problem between McAfee's CLEAN utility & the Michelangelo virus (yes, it is that time again). In this case the cure may be worse than the problem. First, about a week ago I suggested to Aryeh that someone should look into the reports, he said that they would look into it & meanwhile to use CLEAN [GENP] instead of CLEAN [MICH]. The calls I have been getting indicated that after CLEANing, the disk would become unaccessable. The last report was lucid enough to indicate that the Dos Boot Record was being replaced by a Master Boot Record (not a good). Tonight I finally backed up the trusty Columbia VP-1600 for some testing using the [Mich] and SCAN/CLEAN version 100 (current). Note: the VP is a 4.77 Mhz "luggable" equipped with a WD controller and an ST-225 20 Mb fixed disk with MS-DOS 5.0 loaded. Following a deliberate infection but with a clean boot SCAN had no problem finding the [Mich] (boy howdy, you could go watch Ren & Stimpy while waiting on a 4.77 Mhz PC to run SCAN C: /M with v100). Running CLEAN C: produced the following: - --------------------------------------------------- (header skipped) Cleaning [Mich] Scanning Volume: TESTDISK Scanning partition table of disk C: Found the Michaelangelo [Mich] Virus in partition table. Scanning partition table of disk C: Found the Michaelangelo [Mich] Virus in partition table. Virus cannot be safely removed from partition table. Found 1 file containing viruses. 1 virus was removed. (remainder deleted) - ------------------------------------------------------------ On reboot, not only was the disk unbootable, but access from floppy resulted in "Invalid media type reading drive C:" Examination of the disk revealed the [Mich] still in sector 1 and the original MBR code/partition table now residing in the Dos Boot Record. Running CLEAN a second time had no effect again on the MBR (where the Mich was still residing) but a replacement of the DBR with DBR code id'ed as IBM PC-DOS version 3.3 and an empty Boot Parameter Block. Again access attempt generated an "Invalid..." (well, the BPB was empty). Replacement of the MBR & DBR with the originals restored the disk to operation with no loss of files, however without these replacement is possible though difficult (move 0,0,7 to sector 1, pop fresh batteries in TI Programmer and generate a new BPB for the proper OS Boot Record code, iterate mistakes until it works). I would not recommend this for recreational use. Meanwhile, until McAfee can come up with a fix, I would strongly recommend reaching for FDISK /MBR (DOS 5.0 undocumented feature) rather than CLEAN if the Michaelangelo is present. Warmly, Padgett ------------------------------ Date: 23 Feb 93 09:54:58 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Scanners getting bigger and slower phys169@csc.canterbury.ac.nz writes: >I wonder how Frisk, McAfee, and the rest survive the work load. I wonder too.... :-) - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: Tue, 23 Feb 93 08:53:10 -0500 From: Chip Seymour Subject: More on Education Thanks for the reply from: > phys169@csc.canterbury.ac.nz > Mark Aitchison, University of Canterbury, New Zealand. > Subject: Re: Virus education I guess I was speaking in the more generic sense about needing an education. I've found that, for almost every new technology, there are one or more new risks. Someone invents PC's, many people invent viruses. Someone invents a PBX, someone else figures out how to manipulate it illicitly. Who would have figured that there are ways to exploit weaknesses in SNMP? As close to the leading crevasse of technology as we are, I'm finding there are always those with little regard for personal integrity who have tread the area before and found a number of means toward personal profit and/or malicious mischief. Many times I find they've known how to perpetrate crimes using technology I've not yet heard of. I am not at all comfortable with not knowing what they know about my computing resources. That's the education I'm after. ------------------------------ Date: Tue, 23 Feb 93 15:00:22 +0000 From: antkow@sis.uucp (Chris Antkow) Subject: Re: Censorship As far as I know, In Canada at least, it IS NOT illegal to post viruses on BBS'. It IS illegal however to spread virus (could be counted as conspiracy). The BBS does not actually spread the viruses but it's charged to the individual who downloads it and spread's the virus maliciously. If I am wrong, please rebute this as I am curious myself and am allways getting conflicting messages. Thanx... Chris antkow@eclipse.sheridanc.on.ca ------------------------------ Date: Tue, 23 Feb 93 20:15:43 -0500 From: fc@turing.duq.edu (Fred Cohen) Subject: A quick request for opinions I am writing a book about artificial life, and have some examples of programs that automate distribution of software in LANs, implement distributed databases, etc. They are all written in the Unix shell, and involve a few lines of code that automatically copy the programs between machines to automate the distribution process. It has come to my attention that there may be substantial objection to this idea and I am asking people in this forum for their opinion. Each program includes explicit safeties to prevent copying to machines where operation is not authorized by the root, and they are designed not to spread outside of particular directories. The code is very obvious (only a few lines of shell script after all), and the book includes explicit warnings not to remove safeties or use on any machine where you don't have permission. Questions: 1 - why not provide this in the book? 2 - what risks do you see in it? 3 - are you an admin or a user? 4 - do you think there is value in including these examples? 5 - do you think the advantages of examples outweigh any risks? 6 - do you think that the versions that optimize their own behavior by `evolving' improved forms should not be included - if not why not? Please Email me your responses ASAP, as the book goes to press in a few weeks. Also, if you DO NOT want your comments included in the book (no names will be used) tell me. Otherwise, I will feel free to include any comments I find particularly enlightening. FC ------------------------------ Date: Wed, 24 Feb 93 17:12:12 -0500 From: Fish@DOCKMASTER.NCSC.MIL Subject: Known viruses in a UNIX evvironment (UNIX) I'm looking for information on any known UNIX viruses, as well as any anti-viral software than runs on UNIX. I've never heard of either, but some people who should know keep telling me they "think" they've heard of such things, so I asking for help from the Virus community. ------------------------------ Date: 22 Feb 93 19:03:27 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Michelangelo or STONED? (PC) imeslsl@trex.oscs.montana.edu (LEPRICAN~~~) writes: > time. We tried McAfee v100, which would recognise the virus, but > would not remove it from hard drives. It appears to be [Mich] when > it is on a drive, but when it loads itself into memory, McAfee says > it's [STONED]. This is a known bug in SCAN. It reports the Michelangelo virus in memory are Stoned, while on the disk the virus is reported correctly. > It seems to be easily removed from floppies, but the virus infects > the partition table of hard drives, where McAfee cannot remove it. This could be either due to a new variant of the virus, or due to a bug in CLEAN. > Reformatting it from a write-protected floppy didn't remove it, either. Sure, because the virus is in the MBR and FORMAT only rewrites the FAT, the root directory, and the DOS boot sector. > Does anyone have any suggestions on how to combat this virus? Sometimes CLEAN is able to remove new variants of MBR infectors, if you tell it to remove the [genp] virus. Another solution is to boot from a write-protected DOS 5.0 (the version is important) system diskette and to run the command FDISK/MBR. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 23 Feb 93 09:53:18 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: standardization (PC) sbonds@jarthur.Claremont.EDU (007) writes: >(Hey frisk, how about "f-prot /CARO" as a command line switch?? ;-) Well, the reason I cannot provide that (yet) is that I don't to exact identification...I do what I call "almost exact identification". That is, I don't genaerate a map for each virus and calculate a checksum for the constant areas, but instead I just check a number of bytes located at various locations, to make sure I have the size correct, and know how to disinfect the file. The problem is that if somebody makes a *very small* change to the virus, like changing a single byte, I may fail to detect it as a new variant, although I will be able to remove it, just like the original variant. When I have implemented exact checksum-based identification of file viruses (something which I have started to implement), I will be able to stick 100% to the CARO names. - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: Tue, 23 Feb 93 14:48:36 +0000 From: antkow@sis.uucp (Chris Antkow) Subject: Re: New Virus (PC) Actually, The Whale source code is posted on a few Canadian VX boards, however, it is in German, making any modifications by a "wannabe" virus writer a bit difficult. This is just an FYI, stating that it IS available to those who know where to look. Chris antkow@eclipse.sheridanc.on.ca ------------------------------ Date: Tue, 23 Feb 93 17:39:51 +0000 From: imeslsl@trex.oscs.montana.edu (LEPRICAN~~~) Subject: Re: Michelangelo or STONED? (PC) Thanks, all of you who have given me suggestions... The latest release of Central Point Anti Virus seems to work the best, but a few others worked as well. Until the next strain... Leprican~~~ ------------------------------ Date: Wed, 24 Feb 93 02:05:24 +0000 From: Joe.George@nd.edu Subject: PC Magazine on Anti-Virus Software (PC) Hello: Do people in this group support Pc Mag's Editor's Choice Awards to Central Point Anti-Virus and Norton's Anti-Virus? I thought the best protection was McAfee's SCAN backed up by F-PROT or vice-versa. In the review, F-PROT received a honorable mention because it correctly removed all of the virus's it found. The review did not test McAfee's SCAN. Joe George - ---------------------------------------------------------------------------- Joe George | University of Notre Dame | A cute quote goes here joseph.m.george.4@nd.edu | - ---------------------------------------------------------------------------- ------------------------------ Date: Wed, 24 Feb 93 03:21:10 +0000 From: Christopher Yoong-Meng Wong Subject: Re: PC Magazine reviews virus scanners (PC) cwong@cs.cornell.EDU (Christopher Yoong-Meng Wong) writes: >influence in the industry. A summary: > >1. Editors' choices are CPAV and NAV. > >2. The great grandaddy of virus scanners, Mc Afee's Viruscan family, > was not reviewed. Nor was F-prot (though the commercial version was > reviewed), except as an aside: "... for those comfortable with > command line operation ... original F-prot". > ^^^^^^^^^^^^ >3. Scanning tests involved 11 -- count them -- 11 viruses. > >4. Review emphasized completeness of package: disinfection, > comprehensiveness of service etc, not detection ability. I am embarassed. Some of you might jump on me for this, so I should clarify this before others do. I should have been more thorough with my reading before posting the above. The PC Magazine article does indeed review the Mc Afee products, under the name of "Pro-Scan", a commercial product. Also, F-prot's engine was present in 3 of the products reviewed. So, I have no complaints about the presence of those 2 products. My main concern was their emphasis on features (interface etc) rather than actual performance. Their testing was also quite inadequate. Finally, when I said "summary", I meant "summary of what this group (and myself) might object to". Hope this clarifies things. Chris ------------------------------ Date: Wed, 24 Feb 93 08:49:31 -0500 From: G J Scobie Subject: Request for virus tools (PC) Hi there, Over the years I have collected a wide range of tools to use when dealing with PC viruses. However, I'm interested in what other readers of this board use for disassembling code, inspecting memory, protection, eradication etc etc. I'm particularly interested in shareware/public domain software but all replies welcome. If you could mail me direct and indicate if the product is avaliable via ftp I'll summarise for the list. The main anti-virus products are often quoted here so no need to mention these, but I'm sure there are little known utilities we would all love to hear about. As always thanks in advance to any replies. Cheers Garry Scobie Edinburgh University Computing Service Scotland e-mail: g.j.scobie@uk.ac.ed ------------------------------ Date: Wed, 24 Feb 93 12:16:30 -0500 From: occ@mailbox.syr.edu (Holtz John F) Subject: Maybe a virus (PC) I have been having problems with my hard drive recently. About a month ago my drive was a stacked drive(Stacker 2.0). I never had a problem with the files on the stacked part only the files on the unstacked part. When I try to use my .exe files an error message "Unable to read drive. abort retry etc.". I try to use norton(6.0) for a disk problem which none was found. I also tried norton NAV(2.0) and still no problems were found. Currently I'm unable to boot from my harddrive. (try sys, but no help) All my *.exe files are not usable. When I try to use dos .exe files (like mem.exe) error message "can't execute mem.exe" I have tried formating the drive, and it worked one time, after the second time I booted the newly formated drive the same errors resulted. Does this sound like Hardware or virus problems??? John Holtz (occ@rodan.acs.syr.edy) system 386/25 5.0 dos 102 meg drive (ids) (currently not using stacker) ------------------------------ Date: Wed, 24 Feb 93 18:36:34 +0000 From: mharlos@ccu.umanitoba.ca (Michael Harlos) Subject: FPROT, Thunderbyte, & DataCrime II (PC) I've just run FPROT 2.07 for the first time, in a "real DOS" (not OS/2 DOS) session, with several Thunderbyte TSR's loaded. One of the Thunderbyte TSR checks for suspiciuos activity. FPROT warned me that "DataCrime II virus search activity was found in memory". This warning did not occur if I ran FPROT from a clean floppy boot, or if I remmed out the lines in the autoexec.bat & config.sys files that loaded the Thunderbyte TSR's. It also doesn't occur in OS/2 DOS, in which I don't load the Tbyte programs. I think that FPROT is giving me a false alarm on the Thunderbyte TSR (TBCHECK). No problems were noted with Scan100, OScan100 (McAfee OS/2), or Thunderbyte TBSCAN. All checked the memory as OK. Any comments or advice would be appreciated. Thanks, Mike Harlos mharlos@ccu.umanitoba.ca ------------------------------ Date: Wed, 24 Feb 93 20:33:23 -0500 From: Anthony Naggs Subject: Re: F-prot/FSP/bootsum problem. Help! (PC) Wolfgang Stiller, <72571.3352@compuserve.com>, writes > jornj@colargol.edb.tih.no (jornj) writes: > > > I've experienced the same problem, using Integrity Master and Stacker > > 2.0. When I check the 'bootsector' of my stacked volume IM always > > claims it has changed... > > > Is this normal for Stacker? Or do I have a 'problem'? > > (I've scanned with scan v99, fprot 2.06 and IM doesn't report any > > other problems). > > Yes, it's a "normal" Stacker function. Stacker creates a pseudo boot > sector on the simulated (compressed) Stacker volume. For some reason > Stacker insists on constantly changing this sector. ... Stacker, (and all similar disk compression products, such as SuperStor), - -must- change the drive size informtion in the boot sector after all writes to the drive. When the software is set up it is given a fixed amount of the physical disk to use, and making an assumption about expected compression will typically tell DOS that the compressed drive has twice the capacity of the reserved area. As data is placed in the compressed drive the disk size must be updated, to reflect the actual compression of the portion used and the anticipated compression of the remainder. (Compression depends significantly on file content). The frequent updates of the disk size are important to the user, to indicate compress effectiveness, and for DOS to accurately recognise when the compressed volume is full. > ... Since you can > not boot from this sector, there's little reason to check its integrity. Yes, but there is little reason to trouble users with such details, they expect the s/w to 'know' what it should check. > A future version of IM will recognize Stacker boot sectors and not > bother to check them. Soon, I hope, :-) Hope this helps, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Wed, 24 Feb 93 17:12:09 -0500 From: fergp@sytex.com (Paul Ferguson) Subject: Problems w/ LAN Prrotect (PC) A question for the pundits: Within the past two months, one of our clients has implemented INTEL Corp's LAN Protect across their LAN topology. LAN Protect was selected because of several factors, namely managability and low overhead for the server and the memory and disk requirements on the individual workstation (only a whopping 3k TSR, actually). The managability issue was critical -- this is no small LAN with 70+ Novell 3.11 servers and approximately 2500 users (and growing). We did evaluate several other NLM based antivirus products, but LAN protect fit nicely into the scenario, based on the client's needs and technical constraints. Additional note: All servers are IBM PS/2 Model 80's or Model 95's and the LAN topology is Token Ring currently running at 4 Mb per sec. The initial verion was v1.50 and has since been upgraded (maintenance release) to v1.54, which we received a couple of days ago and have now installed on an isolated server to ensure that the previous problems that we experienced have been corrected. (The documemntation accompanying the maintenance disk mentioned several problems that were corrected, but did not specifically address the one that bothers me most.) Our initial problem was that on servers that were heavily used and operated with a high degree of throughput, the server would occasionally crash. This is not a "minor" bug. The low volume servers plodded along happily. Our first suspicions were that the FRYE Utilities Management NLM (FRYESERV.NLM) and the LAN Protect NLM (LPROTECT.NLM) were somehow conflicting, but after unloading all non-Novell NLMs (and subsystem drivers), the problem would reoccur. We have loaded the v1.54 onto a test server for a short period in order to test it (or at least simulate a real-time environment) before a mass upgrade. Has anyone else experienced this problem? We have worked with INTEL extensively on this (and other minor) problems and their last action was to FedEx this maintenance release. Replys welcome from anyone who has experience this or other problems with this product. Cheers. Paul Ferguson | Network Integration Consultant | "All of life's answers are Alexandria, Virginia USA | on TV." fergp@sytex.com (Internet) | -- Homer Simpson sytex.com!fergp (UUNet) | 1:109/229 (FidoNet) | PGP public encryption key available upon request. ------------------------------ Date: Wed, 24 Feb 93 01:22:03 +0100 From: heinz@tpki.toppoint.de (Heinz Wagner) Subject: Anybody knows SHIRLEY or VIVALDI ? (PC) Hello folks, I think this is the right place for questions on virusses. So please, if anyone of the readers do know something about the SHIRLEY and/or VIVALDI virus, please drop me a line. Thi0s virus infects only .EXE files under DOS and produces a batch file with a ps+eudovariable name like 189acdfg.bat with the length of 18 ... 28 bytes in m0ost cases. + The .bat files contain only one line like @dosshell *qDP -- Heinz Wagner heinz@tpki.toppoint.de 2300 Kiel ------------------------------ Date: Wed, 24 Feb 93 01:27:32 +0100 From: heinz@tpki.toppoint.de (Heinz Wagner) Subject: Shriley and Vivaldi Part II (PC) Sorry my computer plays tricks on me... Last Posting continued: This batch files contian only one line like @dosshell %df98s/ AND I find some of these files yesterday on a computer of a friend of mine , but all virusscanners failed. So if there are other experiences made out there, please drop me a line, because I do not read this board regulary. Thanks a lot. Heinz Wagner heinz@tpki.toppoint.de 2300 Kiel ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 34] *****************************************