Date: Tue, 9 Mar 1993 08:03:47 -0500
Message-Id: <9303091254.AA19243@first.org>
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #42

VIRUS-L Digest             Tuesday, 9 Mar 1993        Volume 6 : Issue 42

Today's Topics:

    circumspect
    Product reviews in magazines
    Unix, viruses and you (UNIX)
    Typo in VSHIELD 102 values, Questions about -AV (PC)
    Re: Virus Development Programs (PC)
    Re: Virus Development Programs (PC)
    Re: wordperfect virus? (PC)
    scanners. (PC)
    EXE/COM switch (PC)
    Scanners and Compressed Disk Boot Sectors (PC)
    Re: scanners. (PC)
    Re: standardization (PC)
    Executable signatures (PC)
    Malta Amoeba: What is it and what does it do? (PC)
    Re: wordperfect virus? (PC)
    256 copies of FAT in root directory may be a bug in DOS 5.0 (PC)
    Re: DBase virus (PC)
    Re: Effect of Form (PC)
    Re: Michelangelo (PC)
    Re: Mutating Engine concerns (PC)
    Naming system (PC)
    my idea (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus
issues; comp.virus is a non-digested Usenet counterpart. Discussions are
not limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc. (The complete set
of posting guidelines is available by FTP on cert.org or upon request.)
Please sign submissions with your real name. Send contributions to
VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and
back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Sat, 06 Mar 93 00:43:43 -0500
From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin)
Subject: circumspect

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> I think people who know the details of how viruses work have plenty of
> reasons to be cautious -- anti-virus "experts" with no commercial
> interests to protect, who have no "trade secrets" seem equally
> circumspect. Anyone who maintains

I am not one of the virus experts, but I try not to reveal too much
information. I have no vested interest in any of the companies that write
anti-viral software.

My name was plastered in the underground newsletter 40HEX. All I did to get
this dishonor was by posting a few comments on virus conferences. So I know
for a fact that the bad guys are reading these virus conferences and they
do gain an advantage when we virus researchers divulge a little too much
information.

If someone says that xx xx xx xx xx xx xx xx xx xx is a signature for the
XYZ virus, the hackers will know exactly which bytes to change so that
scanners will miss the new variants that they create.

If I said "most viruses use DOS calls through INT xx, and usually use the
xx or xx registers", this is not revealing destructive code, but it is
helping the hackers that may not be able to program 2+2.

Bill Lambdin

---
 * WinQwk 2.0 a#383 * 1554 activates Oct 1 - Dec 31
----
+----------------------------------------------------------------------+
+  The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online   +
+  It takes only 11 seconds to get loaded on the French Connection!    +
+----------------------------------------------------------------------+

------------------------------

Date: Mon, 08 Mar 93 10:03:09 -0500
From: fc@noether.duq.edu (Fred Cohen)
Subject: Product reviews in magazines

When will you guys figure out that the PC magazine reviews of antivirus
products favored those who spend a lot of money advertising? These
magazines don't want to offend their advertisers, they exist to help the
advertisers sell more product. Just look at the things they advocate, and
how can you believe anything else?

------------------------------

Date: Fri, 05 Mar 93 16:39:11 -0500
From: fergp@sytex.com (Paul Ferguson)
Subject: Unix, viruses and you (UNIX)

This text was extracted from RISKS DIGEST 14.37 -

8<--------- Cut Here ---------------------

Date: Wed, 3 Mar 93 14:16:47 EST
From: radatti@cyber.com (Pete Radatti)
Subject: Cohen/Radatti on Unix and Viruses

The widely circulated paper by J. David Thompson entitled "Why Unix is
Immune to Computer Viruses" has been attracting controversy. Due to this
controversy and the concern that this paper may be providing a false sense
of security to the Unix community, Doctor Fredrick B. Cohen and Peter V.
Radatti have published refuting papers. These papers are too long to post
here, however they are available upon request. Make your request by fax,
email or post and copies can be returned by fax or post. Email copies are
not available.

Address post to:   Peter V. Radatti, C/O CyberSoft, 210 West 12th Avenue
                   Conshohocken, PA. 19428 USA
FAX requests to:   +1 (215) 825-6785
Email requests to: radatti@cyber.com

Thank You,
Peter V. Radatti

8<--------- Cut Here ---------------------

Cheers.

Paul Ferguson                   |
Network Integration Consultant  |  "All of life's answers are
Alexandria, Virginia USA        |   on TV."
fergp@sytex.com (Internet)      |          -- Homer Simpson
sytex.com!fergp (UUNet)         |
1:109/229 (FidoNet)             |
PGP public encryption key available upon request.
------------------------------

Date: Mon, 08 Mar 93 18:25:19 -0800
From: aryeh@mcafee.com (McAfee Associates)
Subject: Typo in VSHIELD 102 values, Questions about -AV (PC)

It has come to my attention that there is a typo in the VALIDATE values
listed in my posting announcing VSHIELD Version 5.22V102. The correct
VALIDATE values for the program are as follows:

VSHIELD 5.22V102 (VSHIELD.EXE)   S:45,724   D:02-27-93   M1: 06EB   M2: 066C

My apologies for any confusion.

-------

On a semi-related note, I have received several messages asking why no
Authenticity Verification codes were displayed when the various McAfee
programs were downloaded from ftp sites and then unzipped. The reason is
that the programs were zipped with PKZIP Version 1.10, and the only time
they will display the -AV message is when they are unzipped with PKUNZIP
Version 1.10, specifically, the "U.S. only" version of PKUNZIP which is not
available at WSMR-SIMTEL20.ARMY.MIL, but may be available at other ftp
sites outside the U.S. If you are using PKUNZIP Version 2.04 to unzip the
programs, you will not see the -AV message.

Regards,

Aryeh Goretsky
Technical Support

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14  | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA            | USR HST Courier DS   | or GO MCAFEE

------------------------------

Date: Sat, 06 Mar 93 20:43:50 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Development Programs (PC)

kerchen@k2.cs.ucdavis.edu (Paul Kerchen) writes:

> features of the PS-MPC include the following:
> - Over 150 encryption techniques, randomly generated during
>   each run of the PS-MPC

This is actually a mistake of the author of the program. The number of
really different decryptors is 96, I think... However, there are two
different versions of PS-MPC.

> - Compact, commented code, much tighter than VCL

Uh, "less buggy" is probably a better description. I mean, the viruses
created with PS-MPC often work...

> VCL comes encrypted in a zip file that requires a password to unzip it.
> The 'bad guys' want to keep this toy to themselves.

Actually, the ZIP archive is encrypted with a password and the installation
program asks for another password, before unarchiving the file. However, it
is relatively trivial to hack both passwords out of the installation
program...

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Sat, 06 Mar 93 20:50:42 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Development Programs (PC)

cskahrs@sunvis1.vislab.olemiss.edu (John H. Kahrs) writes:

> I doubt that these programs are a threat at all.

Well, there are some threats. First, since those programs are available,
the anti-virus researchers must work to provide protection from the viruses
created with them. Second, it is possible for someone to just sit down and
create hundreds of viruses with those kits, which means that the scanners
and their developer will have some hard time... Fortunately, the authors of
those virus authoring packages have not been very good in implementing
polymorphism, so it is relatively easy to make a scanner that detects any
virus generated by those programs. At last, the third danger is that the
viruses are generated in source - so that people could modify them easily,
e.g. in order to make them not detected by the currently existing
scanners...

> The people that know anything about coding viruses will never use them
> and the hateful people that just want to make a virus for malicious
> reasons aren't connected to the community that makes the virus
> construction kits available.

Problem is, because those kits have been made available on many underground
virus exchange BBSes, many of those "hateful" people can easily obtain a
copy of them... :-(

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Sun, 07 Mar 93 02:22:17 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Re: wordperfect virus? (PC)

GMS@PSUVM.PSU.EDU (Gerry Santoro - CAC/PSU 814-863-7896) writes:

> After scanning the past years worth of VIRUS-L offerings I've seen
> this question asked before, but with no reply. Since it has now hit
> at my institution I will ask it again in the hopes that someone knows
> what is happening.

"This question"? Your Subject line seems to ask about a "Word Perfect"
virus. There was a postulation, around 1988 and 89, that a virus had
specifically targeted the Word Perfect program. This was later found to be
false: an artifact of the fact that the WP.EXE file sometimes stopped
working after it had been infected. This was thus often the first
indication of a virus infection which was not being detected by other
means.

> A number of our lab machines are exhibiting very strange WordPerfect
> behavior. For example, very small user documents are growing to
> extremely large size, until they fill up available disk space. Scans
> with F-PROT do not identify any known virus.

Document files are data, and, while they are sometimes attacked by a virus,
tend not to be the primary targets.
(The existence of "macro" viral programs has been theorized, and Word
Perfect does have a macro capability, but Word Perfect, unlike other macro
capable programs, does not store macros in the data/document files.)

In order to advise in this matter, we need more information. Have you
examined the large files? One possibility is that files are being
repeatedly "called" into the document, thus increasing the size.

> Can anyone clue me into what is happening? In all cases the version
> of WP5.1 is being run from a read-only volume of a Banyan network
> server.

This isn't particularly helpful, other than indicating that the problem you
have is not likely viral.

> Any info would be greatly appreciated!

We, also, would appreciate more specific information.

==============
Vancouver      ROBERTS@decus.ca     | "virtual information"
Institute for  Robert_Slade@sfu.ca  |  - technical description of
Research into  rslade@cue.bc.ca     |    marketing info disguised
User           p1@CyberStore.ca     |    as technical description
Security       Canada V7K 2G6       |          - Greg Rose

------------------------------

Date: Wed, 03 Mar 93 09:18:05 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: scanners. (PC)

Hi Inbar!

> Making CRC checks from a BOOTING FLOPPY will also catch ANY
> virus, provided it hasn't infected your floppy yet.

Sorry, it won't. It will catch any modification, that's true. But if you
get infected with a slow virus, the user just would regard the change as
legitimate. Then, Vesselin introduced the idea of a DOS file fragmentation
attack. You could not detect that with a file-oriented CRC checker, either.

> A friend of mine once wrote an 80byte routine to unload Carmel's
> TSafe. I believe that after a little research, I could unload
> almost anything.

Unloading is a problem if the TSR is not the last one in the TSR chain.
Disabling would be more "efficient", as the user could not recognize any
memory freed up. How do you get your system straight if you remove a TSR
out of the middle of the chain - is there a method?

cu!
eppi

---
 * GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: Thu, 04 Mar 93 12:19:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: EXE/COM switch (PC)

FESQUIVE@ucrvm2.bitnet (Fabio Esquivel) writes:

> Sometime ago I wrote a program that changes the executable filename's
> extensions (EXE & COM) to another user-given extensions.
> ......
> to see if file infector viruses could infect those files too (those with
> the new extension).
> I had to modify COMMAND.COM as well internally in order to allow it
> Anyway, the experiment failed and the file infector viruses (DIR-II,
> Dark Avenger, Lisbon (Vienna), Sunday and others) did infect the files.
> I think there's no way of fooling file infector viruses, is there?

Yes, there are ways but not in the way of changing names. However the
reason that your experience has failed is that most viruses use DOS
functions to find their victims, for example chaining to Interrupt 21h and
looking for service 4bh (execute file) is a common way of doing it. So you
see: what you did has no implication on that way of infecting since the
virus will absorb its information from the DOS function "exec" regardless
of the file's name :-))

Keep on trying, you might get there in the end...

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

---
 * FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Thu, 04 Mar 93 12:36:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners and Compressed Disk Boot Sectors (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> Recently there has been some discussion concerning a problem with
> scanning compressed drives for viruses and constantly getting a flag
> that the "boot sector has changed".
> Actually, this is an indication of a much more serious problem that A-V
> producers should address immediately: The problem indicates that the A-V
> product *thinks* it is checking the real OS boot sector when in reality
> it is checking the swapped compressed drive "boot sector". To me this
> means that a) the real boot sector is *not* being checked, and b) the
> A-V is relying on DOS Interrupt 25 to read the sector rather than
> Interrupt 13

Who told you so? It is quite foolish to read a boot sector with INT 25, I
don't know of many programs that do so !

> (or a direct BIOS call - better). The important thing is that while DOS
> since the early 3's has provided a means to validate /bypass Interrupt
> 13, there is no way to validate Interrupt 25. With the rise of companion
> and stealth viruses, to be sure in checking the low levels you must
> first authenticate the path to disk

How exactly do you do that? If a virus has been loaded and is chained to
INT 13h, so that when you look for Sector-X Cyl-Y Head-Z it will replace it
with another location and you will never know !

> (it can be done even from DOS), and then walk the boot procedure to make
> sure that there are no "extra added attractions". This does not take any
> longer to do than using DOS (in fact is probably a few cycles shorter)
> and eliminates a possible intrusion path.

Any way that you might point out as the total solution to the problem, I
can show a hole that viruses (naturally) may (or already do) use.

> As a consequence, the fact that the A-V is checking the STACed drive
> boot sector means more than just an error is being flagged each time, it
> would make me concerned that the real boot sector may be skipped.

Not necessarily so, but quite likely. As for myself, I do not recommend
using these double-diskers, since the problem that you mentioned (and viral
problems in whole) is only a small portion of possible problems to happen.
And believe me - you don't want to be the owner of a disk when it crashes.
It reminds me of the EXPANDED memory cards that people used to buy once,
and got stuck with it immediately since EXTENDED memory has emerged. Get a
bigger (faster) and reliable disk.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

---
 * FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: 05 Mar 93 20:06:34 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: scanners. (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

> I was categorizing scanners. About defending against NEW viruses, there
> are a lot of ways. For example, a protective shield that is mounted on a
> file. True, it's effective only against the normal end-of-file-leaching
> viruses, but still, a lot of them DO work like that, including the new
> ones.

well, it might work...

 ...unless the virus is a "stealth" virus
 ...or the program does some self-testing
 ...or the program contains internal overlays

> Making CRC checks from a BOOTING FLOPPY will also catch ANY virus,

unless it is a floppy-only infector, or a companion virus, or an unknown
"slow" virus.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date: 05 Mar 93 21:30:47 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: standardization (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

> I would differentiate the interests of Virus researchers from this of
> the common user. You would very much like to have a scanner that
> supplies the NAME the full CHAIN of parental viruses and sub viruses
> etc... while the common user's only wish would be to know what disease
> he has, and get cured!
Maybe so - but telling somebody that he has a "Generic-X" virus, to take an
extreme example - where "Generic-X" can be one of many, totally different
viruses is of very little help to the user.

I agree that it may not be important to know exactly which minor subvariant
of Jerusalem hits, if the software can get rid of it, and tell you what the
effects are, but suppose that somebody took the "standard" version of
Jerusalem, modified it so it corrupted data files, and released it - I
think most users would like their scanners to be able to differentiate
between this variant and the standard one...

> Suppose you tell a user: "You have the Parkinson.AtzeliCholine.Flue
> disease" (not that such exists), what do you think his/her reaction will
> be?

In that case he has at least a better chance of getting the correct
treatment, than if you tell him: "you have a generic disease".

> the virus exist that you don't even know about? Does it cause any
> problem in cleaning these viruses from an infected site even if their
> name is simply "Jerusalem-B" ?

the actual name is not significant, with respect to cleaning - what matters
is the ability of the anti-virus software to distinguish between variants
that must be removed in different ways or have different effects -
something you cannot do if you call all the Jerusalem variants just
"Jerusalem-B"

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date: 03 Mar 93 00:37:31 +0000
From: motazev@hobo.ece.orst.edu ( )
Subject: Executable signatures (PC)

To check for an executable file a virus will read in the appropriate bytes
and check to see if it is "MZ". Why do some viruses check for "ZM"? What
kind of file does this denote?

-- 
Vahid
motazev@hobo.ece.orst.edu

------------------------------

Date: Sun, 07 Mar 93 21:45:07 +0000
From: nafziger@eagle.sangamon.edu (Scott Nafziger)
Subject: Malta Amoeba: What is it and what does it do? (PC)

I heard of a virus called the Malta Amoeba. I was wondering what it does.
How does it affect floppies, hard drives, and/or networks. Also, is there
any way to detect if someone has this virus without virus scanning
software? Any information will be greatly appreciated.

-- 
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
<         Scott Nafziger           >
<    Sangamon State University     >
< Internet: nafziger@sangamon.edu  >
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

------------------------------

Date: Mon, 08 Mar 93 08:50:06 +0000
From: johnk@cs.kun.nl (John Kroeze)
Subject: Re: wordperfect virus? (PC)

blake@nevada.edu (Rawlin Blake) writes:

>GMS@PSUVM.PSU.EDU (Gerry Santoro - CAC/PSU 814-863-7896) writes:
>>After scanning the past years worth of VIRUS-L offerings I've seen
>>this question asked before, but with no reply. Since it has now hit
>>at my institution I will ask it again in the hopes that someone knows
>>what is happening.
>>
>>A number of our lab machines are exhibiting very strange WordPerfect
>>behavior. For example, very small user documents are growing to
>>extremely large size, until they fill up available disk space. Scans
>>with F-PROT do not identify any known virus.
>>
>>Can anyone clue me into what is happening? In all cases the version
>>of WP5.1 is being run from a read-only volume of a Banyan network
>>server.

>This one is easy, I see it all the time.
>The users are doing one of two things-- using shift-F10 and continually
>retrieving the file within itself, or are doing the same thing in F5 list
>files by ignoring the prompt "retrieve into current document?"
>This is another example of what I teach in my classes and seminars. 99% of
>all virus reports are: 1. user error 2. software problems 3. hardware
>problems.

It might not be that easy: I had my thesis blown up from 200 Kb to 500 Kb
during one day of work. After some examination I found out that the
overhead had to be invisible codes WP saves with the document. I could
create documents of abt. 300 kb containing a single space! I got the
impression this all was caused by some ugly editing: moving subtrees a
level up in the document hierarchy. I suggest you ask WP-people about it.

John.

-----------------------------------------------------------
John Kroeze                    Internet: johnk@cs.kun.nl
University of Nijmegen,        UUCP:uunet!cs.kun.nl!johnk
-----------------------------------------------------------

------------------------------

Date: Mon, 08 Mar 93 09:38:59 -0500
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: 256 copies of FAT in root directory may be a bug in DOS 5.0 (PC)

I just received this email message:-

To: A.APPLEYARD, (etc)
From: "CHRIS HOLBURN"
Date: 8 Mar 93 12:02:20 GMT
Subject: * MS-DOS BUG *

**** IMPORTANT FYI ******

People,

There is a potentially dangerous bug in MS-DOS 5.0. The bug will
effectively wipe part of your hard disc, rendering it unusable to any
program.

The bug only affects certain disk setups: Those with partitions with more
than 65,278 file allocation units. This translates to disks with capacities
between 127Mb and 129Mb, 254Mb and 258Mb, 508Mb and 516Mb, 1,018Mb and
1,030Mb, and 2,034 and 2,061Mb.

The problem only occurs when you use the

    UNDELETE /ALL
    CHKDSK /F

The /F and /ALL switches activate the fix options, to alter errors in the
file allocation table, and recover lost units. When CHKDSK or UNDELETE are
run they write 256 copies of the FAT table all over the root directory,
making data recovery almost impossible.

** PLEASE use Norton Disk Doctor to solve FAT tables. **

CHRIS HOLBURN

[Moderator's note: This was also covered in detail here in December 1992.]
------------------------------

Date: Mon, 08 Mar 93 15:37:44 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DBase virus (PC)

dogbowl@dogbox.acme.gen.nz (Kennelmeister) writes:

> How widespread is the DBase virus?

Not at all...

> I've just run across it in an MS-DOS system I was checking.
> Apparently it may have been on their machines for up to a year...

Are you sure that it is not a false positive? How many files were infected?
Which scanner did you use? Which version of it?

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Mon, 08 Mar 93 15:39:30 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Effect of Form (PC)

adb91pbe@hfb-aes.hfb.se (Pontus Berglund) writes:

> >> This brings me to my next question: Is it possible to obtain a file
> >> somewhere giving a brief description of the action of various vira. I
> >
> > How about 300K of ZIP ? :-)
> Where do I get this file?

Eugene Kaspersky probably means the documentation of his anti-virus
product. If he is willing to make that file publicly available, I could put
it for anonymous ftp (he doesn't have ftp access). The file contains a good
technical description of many viruses, with a slight bias towards the
Russian viruses (which is understandable). The only thing I didn't like was
the abuse of the term "very dangerous virus" - even for viruses that are
not intentionally destructive, like Form... :-)

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Mon, 08 Mar 93 15:44:15 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Michelangelo (PC)

d91-cni@nada.kth.se (Christer Nilsson) writes:

> A friend of mine couldn't boot his computer today (6:th of March).
> Could it be the Michelangelo Virus? An inspection of the first sectors of
> the disk showed that they were completely blank. Does Michelangelo behave
> in that way? The partition of the drive was wiped away. How does one
> recover the information on the disk?

Yes, this is exactly what Michelangelo does. It overwrites the first 255
tracks of the disk with what happens to be at segment 5000h - usually
zeroes. Take a look at some tracks after track 255 - if there are no zeroes
there but some information, it is yet another confirmation that the
Michelangelo virus has caused the destruction.

BTW, I am very curious how many Michelangelo hits have happened this
year...

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Mon, 08 Mar 93 16:04:38 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mutating Engine concerns (PC)

exucad@exu.ericsson.se (Charles Dobbins) writes:

> I am curious if any of the experts out there can help me out here. I am
> concerned about the possibility of getting hit with one of these with our
> current level of protection, we are installing NAV 2.1 after using Certus
> for some time with constant problems with virus infections.
> A big concern for us is memory at the workstation since we are running
> Lanman 2.1 there isn't room for some of the larger TSR's that seem to
> offer better protection against unknown virus technology. At this point
> we cannot consider a different antivirus product at the workstation due
> to the fact that money has already been spent on NAV so what I am
> concerned about is what sort of

First, no MtE-based virus is spread in the wild, so maybe you should not be
that much concerned about that particular problem.

Second, I am sorry to disappoint you, but NAV 2.1 is NOT able to detect the
MtE-based viruses reliably. For more information, look at the report on
testing 17 different scanners for detection of MtE-based viruses. The
report is available via anonymous ftp as

ftp.informatik.uni-hamburg.de:/pub/virus/texts/tests/mtetests.zip

Third, if you are concerned only about the inability of NAV to detect the
MtE-based viruses, there are several freeware programs that -do- detect
those viruses reliably. One of them can be obtained from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/catchm18.zip

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Sat, 06 Mar 93 00:45:16 -0500
From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin)
Subject: Naming system (PC)

> That's a very good idea, but it is damn difficult to implement...

I never said that it would be easy. ;-)

> First, somebody has to come up with a good naming scheme. But what is a
> "good" naming scheme? For instance, for me, a good naming scheme is a
> scheme that allows two people to understand each other that they are

I would prefer the CARO naming system. I like the naming system, and
everything is up to date.

> So, your idea is good. The only problem is to get an easy implementation
> of it...

Thanks Vesselin: I just hope that some coherent naming system can be
developed to prevent the habit of having four different names for the same
virus.

Bill Lambdin

---
 * WinQwk 2.0 a#383 * DATACRIME IIB activates Oct 13 - Dec 31
----
+----------------------------------------------------------------------+
+  The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online   +
+  It takes only 11 seconds to get loaded on the French Connection!    +
+----------------------------------------------------------------------+

------------------------------

Date: Sat, 06 Mar 93 00:45:49 -0500
From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin)
Subject: my idea (PC)

From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

> And DataLock does not infect a COM file smaller than 23,000 bytes. And

Thanks for the update. I guess I will have to make a 23K bait file then.
;-) I incorrectly assumed that 8Tunes required the largest bait file, my
apologies.

> some viruses infect only some special files (Lehigh infects only
> COMMAND.COM, ZeroHunter infects only files with large areas of zeroes in
> them, some viruses do not infect files with some particular names, etc.

I was aware of Zero Hunt only infecting files with areas of 00 hex. Usually
data or buffer areas. This is how that Zero Hunt can infect files, but not
show an increase in the filesize. I was also aware that Lehigh only
infected COMMAND.COM

> Uh, what do you mean by "file size fluctuates"?

In my tests, with ARJ 2.30. The new archive filesize would occasionally be
2 - 10 bytes larger or smaller than the original archive that I was
comparing it against. There was no virus present, and in the time I tested
this idea with ARJ, I wasn't able to find out what was causing the
difference. LHA, and PKzip archives remain constant day after day after
day.

> And what if the virus refuses to infect files with such names?

My writing must be a lot worse than I thought it was. ;-( I never meant to
imply that my idea was the perfect solution to detect viruses. It is only
an idea that will detect viruses that scanners may miss, or an early
warning system for people that use integrity checking software. Most
people believe that Virus detection = Scanners. Integrity Checking if used
properly will detect all changes, but some people believe it is too painful
to use. ;-)

> In general, the idea is equivalent to checking the integrity of a small
> subset of your executables.

Exactly! As I said above some people feel that integrity checking software
is too painful to use. They can set up this .BAT file and painlessly check
for change to their vital files in only a few seconds. It only takes 4.5 to
5 seconds on my 33 MHz 486 to check the six files that I access
constantly. These are most likely to get infected than any of the other
files on my system.

Bill Lambdin

---
 * WinQwk 2.0 a#383 * Hacked version of BiModem. 1.26
----
+----------------------------------------------------------------------+
+  The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online   +
+  It takes only 11 seconds to get loaded on the French Connection!    +
+----------------------------------------------------------------------+

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 42]
*****************************************
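Editor's added example, illustrating Bill Lambdin's "my idea" post (a quick integrity check of a handful of vital executables against a stored baseline) together with Fridrik Skulason's and Malte Eppert's caveats in the "scanners" thread (a CRC check of existing files misses a companion virus, and a change the user accepts as legitimate is invisible to it). This is not code from any poster; the watched file names and the temporary directory are constructed sample data.

```python
"""Baseline-and-compare integrity check for a small set of vital executables,
with a second pass that looks for companion files (a .COM placed next to a
watched .EXE, which DOS would run first). Added example; sample data is
constructed, not taken from the digest."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> dict:
    """Size plus SHA-256 of one file (the CRC in the original .BAT idea)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def make_baseline(watched: list[Path]) -> dict:
    """Record each watched file; store this somewhere the checked files cannot reach
    (write-protected floppy, in 1993 terms)."""
    return {str(p): file_digest(p) for p in watched}


def companion_candidates(watched: list[Path]) -> list[str]:
    """For every watched .EXE, any .COM with the same basename in the same directory.
    DOS searches .COM before .EXE, so a companion virus drops exactly this file
    and never touches the .EXE, which is why a per-file CRC alone misses it."""
    found = []
    for p in watched:
        if p.suffix.lower() != ".exe":
            continue
        for sibling in p.parent.iterdir():
            if (sibling.stem.lower() == p.stem.lower()
                    and sibling.suffix.lower() == ".com"):
                found.append(str(sibling))
    return found


def check(baseline: dict, known_companions: set[str]) -> dict:
    """Compare the watched set against the baseline and report anything changed,
    missing, or newly sitting beside a watched .EXE. A slow virus that only
    touches files the user is already modifying still slips through: the user
    would accept that change as legitimate, as Eppert notes."""
    report = {"modified": [], "missing": [], "new_companions": []}
    for name, recorded in baseline.items():
        p = Path(name)
        if not p.exists():
            report["missing"].append(name)
            continue
        now = file_digest(p)
        if now != recorded:
            report["modified"].append({"file": name, "was": recorded, "now": now})
    watched = [Path(n) for n in baseline]
    for c in companion_candidates(watched):
        if c not in known_companions:
            report["new_companions"].append(c)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three stand-in executables, then grow one
    of them by 300 bytes and drop a WP.COM next to WP.EXE, and re-check."""
    root = Path(tempfile.mkdtemp(prefix="vital-"))
    names = ["COMMAND.COM", "WP.EXE", "ARJ.EXE"]
    for n in names:
        # constructed stand-in content, not a real executable
        (root / n).write_bytes(b"MZ" + bytes(range(64)))
    watched = [root / n for n in names]
    baseline = make_baseline(watched)
    known = set(companion_candidates(watched))  # empty at baseline time
    with (root / "ARJ.EXE").open("ab") as f:
        f.write(b"\x90" * 300)                  # simulated appended growth
    (root / "WP.COM").write_bytes(b"\xc3")       # simulated companion file
    return check(baseline, known)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```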