From first.org!krvw Wed Mar 24 11:58:59 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Thu, 25 Mar 93 00:01:24 GMT for mikael
Received: from first.org (CSRC.NCSL.NIST.GOV) by mail.swip.net (5.65c8-/1.2) id AA11753; Wed, 24 Mar 1993 22:59:08 +0100
Received: from CSRC.NCSL.NIST.GOV by first.org (4.1/NIST) id AA26469; Wed, 24 Mar 93 16:59:02 EST
Organization: FIRST, The Forum of Incident Response & Security Teams
Posted-Date: Wed, 24 Mar 93 16:58:59 -0500
Message-Id: <9303242159.AA26469@first.org>
To: mikael@vhc.se (mikael larsson)
Subject: Re: Virus-L Issue 44
In-Reply-To: Your message of "Tue, 23 Mar 93 11:25:48."
Date: Wed, 24 Mar 93 16:58:59 -0500
From: "Kenneth R. van Wyk"

VIRUS-L Digest   Friday, 19 Mar 1993    Volume 6 : Issue 44

Today's Topics:

Re: Viruses in other populations
Re: Product reviews in magazines
Re: Product reviews in magazines
Re: Laws and Viruses
Ignorance is curable (mostly PC)
Votes on Virus Scanners. (PC)
Re: Michelangelo (PC)
Which Virus is this? (PC)
New (?) virus ? (2294) (PC)
Viruses in South Africa (PC)
Minnow-V virus correction (PC)
Removing virus on stack drive (PC)
Date triggered virus (PC)
Re: wordperfect virus? (PC)
IBM PC Boot Seq (was Partition table viruses (PC))
Central Point and Stacker (PC)
Re: F-PROT (PC)
Re: Executable signatures (PC)
FIXUTIL4.ZIP from A. Padgett Peterson (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    09 Mar 93 16:42:10 +0000
From:    rind@enterprise.bih (David Rind)
Subject: Re: Viruses in other populations

I'm not certain this group actually cares, but rather than have the world of computer virus researchers scared of chicken pox...

WHMurray@DOCKMASTER.NCSC.MIL writes:

>If you introduce Herpes Simplex ("Chicken Pox") into a sterile population

Chicken pox is caused by varicella-zoster virus, which is in the family of herpesviruses but is not Herpes Simplex virus. Herpes Simplex viruses are the causes of cold sores and genital herpes.

>of 10K people, about 10 percent will die, most of the remainder will
>become immune, and Herpes will die out.

About 10% of adults who get chicken pox will develop a serious complication such as pneumonia. The mortality in adults is not 10%.

>"childhood" disease. It is not that children are inherently more
>vulnerable to the virus than adults, but that all of the adults are
>either immune or dead.

Childhood chicken pox has virtually no mortality. Also, about 10% of adults in the U.S. are not immune to chicken pox.

--
David Rind
rind@enterprise.bih.harvard.edu

------------------------------

Date:    Wed, 10 Mar 93 00:40:33 +0000
From:    debrown@hubcap.clemson.edu (David E. Brown)
Subject: Re: Product reviews in magazines

fc@noether.duq.edu (Fred Cohen) writes:

>When will you guys figure out that the PC magazine reviews of
>antivirus products favored those who spend a lot of money advertising?
>These magazines don't want to offend their advertisers, they exist to
>help the advertisers sell more product. Just look at the things they
>advocate, and how can you believe anything else?
Oh sure, this has been evident for a long time. They just hype whatever suits them at the time. They have it in for certain companies and are in the pocket of others. In this month's issue, Dvorak advocates doing away with the present BIOS and coming up with a whole new architecture. I agree that the present AT style bus has many limitations, but really, how many people are unsatisfied with the speed of their 486/33? I do a lot of numerical programming (processor intensive) and it's rare that anything really takes that long. OK, I know it's his job to get people like me to say things like the above. So he succeeded.

BTW, have you noticed at the end of every one of his Inside Track columns he advertises some sort of software that he really likes? Even though it's an "inside track" column, he's advertising software. I guess he's just flexing his muscle. I don't mean to single him out too much; some of the stuff he writes is pretty interesting. It's just a little difficult to swallow that we all need some sort of new machine every month when apparently everything was working pretty well. Basically the magazine is a whole lot of solutions in search of problems. In spite of all this, they can be happy to know I'll resubscribe and that will keep the important thing intact - the money. Grudgingly, I'll admit they're probably the best of the lot.

Dave

------------------------------

Date:    Wed, 10 Mar 93 07:55:14 -0500
From:    Y. Radai
Subject: Re: Product reviews in magazines

Fred Cohen writes:

> When will you guys figure out that the PC magazine reviews of
> antivirus products favored those who spend a lot of money advertising?
> These magazines don't want to offend their advertisers, they exist to
> help the advertisers sell more product. Just look at the things they
> advocate, and how can you believe anything else?

That may sound plausible and it may be very convenient to believe, but you'll have to produce some evidence to support your claim.
(Evidence to the contrary: In its previous review, PC Magazine gave one of its Editors' Choices to Alan Solomon's Anti-Virus Toolkit, and in its first review it chose Ross Greenberg's FluShot+, despite the fact that neither Alan nor Ross advertised in PC Magazine.)

I think the main problem is that PC Mag's editors and reviewers are simply amateurs when it comes to viruses. One way in which this manifests itself is in the fact that one of their main criteria for Editors' Choice was that the software have a nice graphic interface. More important, the reviewers don't have the slightest concept of security holes. They properly emphasized that known-virus scanning isn't enough. But they gave lots of points to products just because they include some kind of integrity checking and generic monitoring protection. It doesn't seem to have occurred to them that there may be tremendous differences in the quality of such software, that it may be very simple for a virus to circumvent this protection in some of the products, and that it's necessary to compare the products on this basis as well.

One other point. Fred, I can't help suspecting that a major cause of your writing as you did above was that the Integrity Toolkit which you developed wasn't included in the review. That's very unfortunate, because from what I saw of it at last year's Lefkonference, it certainly *looks* good. However, I think this is partly your own fault. Correct me if I'm wrong, but as far as I know, you never advertised it on any widespread level, gave out evaluation copies to anyone, or made a shareware version available. How then were the editors supposed to even *know* of its existence?

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    11 Mar 93 01:31:48 +0000
From:    ulogic!hartman@netcom.com (Richard M. Hartman)
Subject: Re: Laws and Viruses

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

>        From a legal standpoint it might be enough to define a virus
>as "a sequence of instructions that intentionally performs an unwanted
>and undocumented modification within a computing system for which it is
>intended."

As in Microsoft's undocumented software interrupts in the various DOS versions? How about the "hidden" Windows functions?

>        Possibly "malicious software" would be a better term but IMHO
>the word "computer virus" has passed beyond any hope of control.

Hold on. I think you may have something here. Since when has legal terminology been required to match up with common usage? Perhaps "malicious software" is just what we need to define as a legal term. Especially since the definition of virus is so mutable....

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lazy day, Sunday afternoon.                    |
Like to get your feet up, watch TV.            |  -Richard Hartman
Sunday roast is something good to eat,         |   hartman@uLogic.COM
must be lamb to day 'cause beef was last week! |

------------------------------

Date:    Tue, 09 Mar 93 10:58:08 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Ignorance is curable (mostly PC)

>From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
>Subject: Scanners and Compressed Disk Boot Sectors (PC)

"A higher path..."

>> my previous posting
>> With the rise of companion and stealth viruses, to be
>> sure in checking the low levels you must first authenticate the path to
>> disk

>How exactly do you do that? If a virus has been loaded and is chained to INT
>13h, so that when you look for Sector-X Cyl-Y Head-Z it will replace it with
>another location and you will never know !

Read Andrew Schulman's "Undocumented DOS". Int 2F Fn 13 will return the path to Int 13 DOS found when loading. If it does not point to the ROM BIOS or a controller card ROM, you have a problem (how you WILL know).
If your program runs at the BIOS level like mine do, the table vector *must* point to the ROM BIOS or a disk controller if the machine is clean. At BIOS time, high RAM does not exist and every Intel processor is in REAL (8086) mode. Things are very predictable.

>Any way that you might point out as the total solution to the problem, I can
>show a hole that viruses (naturally) may (or already do) use.

A virus can intercept an interrupt vector. It cannot intercept a FAR CALL. All you need to know is where to make the far call to (the exercise is left to the student). *No* virus can infect ROM memory unless built in at the factory.

> > As a consequence, the fact that the A-V is checking the STACed drive boot
> > sector means more than just an error is being flagged each time, it would
> > make me concerned that the real boot sector may be skipped.

>Not necessarily so, but quite likely. Would you care to bet your PC on it ?

Perhaps I was being too gentle. EVERY A-V I have seen that flags the compressed drive has been missing the real DBR. Further, with the possible exception of the DOS 6.0 compression (haven't gotten that far in studying it yet, it blew up on the test XT), every one of the compression schemes I've looked at has layered its driver on top of DOS and intercepts INT 25 & 26, not 13. If you use 13, you will never see the compressed disk boot sector. Is that clear enough ?

>As for myself, I do not recommend using
>these double-diskers, since the problem that you mentioned (and viral problems
>in whole) is only a small portion of possible problems to happen. And
>believe me - you don't want to be the owner of a disk when it crashes.

Legitimate opinion. Mine is that compressed drives make so much sense that they will become a standard. The key is in the recovery programs and they are maturing nicely.

>It reminds me of the EXPANDED memory cards that people used to buy once, and
>got stuck with it immediately since EXTENDED memory has emerged. Get a bigger
>(faster) and reliable disk.

I have not yet reached the point of being able to treat PCs as disposable items, nor would I want to. Extended memory is a valuable attribute for 386 and higher machines. I still have 2 XT class and 1 AT class machines that see regular and valuable use. My next *major* purchase will be a parallel port ethernet adaptor for my laptop. I suspect that like myself, most readers are not independently funded.

Warmly (but in NY tomorrow),
Padgett

------------------------------

Date:    09 Mar 93 19:34:01 +0000
From:    steve@wet.sbi.com (Steve Jarrett)
Subject: Votes on Virus Scanners. (PC)

I know this is probably a widely asked question, but following the complaints about the PC Mag's review of virus scanners and the complaints concerning its accuracy, what is best? Also, do "shields" work without blocking the use of device drivers etc.? Any comments via email if possible. I will summarise back.

Cheers,
Steve.

Steve Jarrett         Phone : +44-71-721-2422
Technical Services    Fax   : +44-71-416-0029
Salomon Brothers      Email : steve@wet.sbi.com

------------------------------

Date:    09 Mar 93 22:27:07 +0000
From:    twcaps@tennyson.lbl.gov (Terry Chan)
Subject: Re: Michelangelo (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
+
+BTW, I am very curious how many Michelangelo hits have happened this
+year...

Just for a data point, I ostensibly have some PC support responsibilities for a program here (encompassing about 75 PCs). We had no infections of Michelangelo (though this may have been mitigated in part because March 6 fell on a Saturday this year). However, one of our senior scientists who frequently shuffles files between home and work did turn on his PC on Saturday and found that he couldn't boot his PC and it was infected by the Michelangelo virus. Somewhat ironically, in the aftermath of last year's hullabaloo, on a whim, I scanned his hard disk and found Michelangelo in June 1992.
I warned him of it, but I guess it's not enough sometimes. Fortunately, he was backed up.

Terry Chan
--
Energy and Environment Division  | Internet: TWChan@lbl.gov
Lawrence Berkeley Laboratory     | Berkeley, California USA 94720
                                 | Yeah, right.

------------------------------

Date:    09 Mar 93 22:35:42 +0000
From:    kxj6@po.CWRU.Edu (Kijin Jung)
Subject: Which Virus is this? (PC)

A friend of mine apparently got hit by a virus (poor guy! - just another statistic...) several days ago, before March 6 I believe. The details are a bit sketchy, since he hastily reformatted his hard drive after the incident. Actually, he had thought that his hard drive had gone bad, so initially, he actually went out and bought a new hard drive!

He claims that all his executable files (.EXE) were renamed to .COM. Also, the virus apparently rewrote some of his CMOS settings, since the computer would not recognize his hard drive. Correction: sometimes it would not recognize his hard drive, but at other times, he could boot up the drive (maybe the boot sector was affected?)

I would like to know what virus this might possibly be, not only because of curiosity, but because he and I often use the computers at school (where he might have caught the virus), and I would like to protect myself from this particular virus.

Thanks,
--
Kijin Jung                         To affect the quality of the day,
kxj6@po.cwru.edu                   that is the highest of the arts.
Case Western Reserve University
(216) 754-1101                                             -Thoreau

------------------------------

Date:    Wed, 10 Mar 93 10:30:21 +0000
From:    v922340@hildebrand.si.hhs.nl (Ivar Snaaijer)
Subject: New (?) virus ? (2294) (PC)

Hi virus netters,

A customer came across last Thursday, complaining about Windows (who ain't? only people who bought a 486DX/66 with 2Mb cache, local bus IDE + 8Mb and a local bus video don't complain :-) ). The Windows we installed on his system didn't work and bailed out with an error complaining about almost everything. It was likely a virus, because when I execute a program that isn't likely to execute normally (tree.com) the hard disk is quite busy, but the second time it isn't (I mean not searching the tree !).

TBSCAN (v5.04) showed behind a lot of files a U and a K, which mean an undocumented DOS call and an odd stack. Executing a file that didn't have the UK flags resulted in the fact that it did get the flags. I have beta tested TBSCAN v5.10, which claims it is the 2294 virus (v5.04 doesn't recognize it) ... it struck me like an abnormality, because TBSCAN had recognized all the viruses I have on stock. I've tried F-PROT, which says that the file is strange but doesn't report a virus either; SCAN v99 doesn't see anything, and I'm gonna try v102 this afternoon.

Is there anybody who can tell me more about this virus? (except that it is 2294 bytes long)

Ivar.

-----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
--
-----------------------------------------------------------------------------
E-mail : v922340@si.hhs.nl            ... i can't help it, i'm born this way ...
-----------------------------------------------------------------------------

------------------------------

Date:    Wed, 10 Mar 93 14:31:30 -0500
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: Viruses in South Africa (PC)

[In a thread on CMOS corruptors, Paul Ducklin wrote...]
>This virus family was pretty widespread in South Africa at one time --
>which is where my knowledge of the CMOS RAM map comes from :-)

Paul,

We've been getting reports of many virus outbreaks in South Africa lately. Could you provide some factors that you believe are contributing to this? Are there any particular hotbed locations within S. Africa or is it simply the whole of S. Africa? I would really appreciate being able to get some insight into your problems there.

Thanks.

Jimmy Kuo                                   cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Wed, 10 Mar 93 14:37:34 -0500
From:    fergp@sytex.com (Paul Ferguson)
Subject: Minnow-V virus correction (PC)

On 6 Mar 93 (05:45:49 GMT), bill.lambdin@frenchc.eskimo.com (Bill Lambdin) wrote -

BL> I was aware of Zero Hunt only infecting files with areas of 00
BL> hex. Usually data or buffer areas. This is how that Zero Hunt
BL> can infect files, but not show an increase in the filesize.

Bill, this area is called "stack space". The original sample of the Minnow-V (the original name of the virus; I think one of the McAfee programmers named it Zero Hunt) that I isolated (check your sources) would only infect .COM files that contained 416 contiguous bytes of 00h stack space. It does not use the DOS copy buffers for a transfer area the way the Darth Vader viruses do (you must be confusing the two viruses), but rather, Minnow-V is an infect_on_execute (host), TSR virus. According to Patti Hoffman's reference, there is a 411 byte variant, although I have never seen it.

Hope this clears things up for you.

Cheers.

Paul Ferguson                   |
Network Integration Consultant  | "All of life's answers are
Alexandria, Virginia USA        |  on TV."
fergp@sytex.com (Internet)      |      -- Homer Simpson
sytex.com!fergp (UUNet)         |
1:109/229 (FidoNet)             |
PGP public encryption key available upon request.
------------------------------

Date:    Wed, 10 Mar 93 16:26:45 -0800
From:    Pete Wong
Subject: Removing virus on stack drive (PC)

To whomever can help me with this catastrophic dilemma,

I recently discovered that a virus exists within my computer. My PC is stacked with a Stacker. I used the Norton Anti-Virus to scan the drives and it advised me to turn off the computer and boot it up again with an un-affected boot disk. Since my drives are stacked, the NAV would not read drive C or D. I also tried to boot it up with the Stacker files in the un-affected DOS boot up disk. Once I use the NAV to scan the drives, it would say there is a virus detected in the memory and then it would not scan any further. This goes the same for scanning the floppy drives. The virus is called Stoned. What should I do?

If anyone has come across this or has a solution to this problem, I would appreciate it if you could contact me. Even if anyone would like to look into this issue or inquire about the problem, please feel free to email me or respond to this posting. I am desperate for HELP!!

Pete ( pwong@igc.apc.org ) or ( easu322@orion.oac.uci.edu )

------------------------------

Date:    11 Mar 93 04:44:03 +0000
From:    marx@vms.huji.ac.il (Michael M. Marx / Jerusalem, Israel)
Subject: Date triggered virus (PC)

Hi there --

I will be very thankful if someone will send me a list of viruses (virii...) triggered by dates, such as Michelangelo and April 1st etc etc.

Thanks for your urgent response,
Michael...

----------------------------------------------------------------------------
Michael M. Marx, Jerusalem, Israel.  marx@hujivms.bitnet, marx@vms.huji.ac.il
Telex: G 9312132257.  Disclaimer: "I speak not to disprove what Brutus spoke"
----------------------------------------------------------------------------

------------------------------

Date:    Thu, 11 Mar 93 04:50:09 +0000
From:    jdc@selway.umt.edu (John-David Childs)
Subject: Re: wordperfect virus? (PC)

In article <0009.9303041259.AA21084@first.org> GMS@PSUVM.PSU.EDU (Gerry Santoro - CAC/PSU 814-863-7896) writes:

>A number of our lab machines are exhibiting very strange WordPerfect
>behavior. For example, very small user documents are growing to
>extremely large size, until they fill up available disk space. Scans
>with F-PROT do not identify any known virus.
>
>Can anyone clue me into what is happening? In all cases the version
>of WP5.1 is being run from a read-only volume of a Banyan network
>server.
>
>Any info would be greatly appreciated!
>
>gerry santoro (gms@psuvm.psu.edu)                 |
>academic computing/speech communication         -(*)-
>penn state university                       ..... | .....

Old, semi-well documented WordPerfect bug! Each time you edit/save a file, especially if you change printer definitions (e.g. you load up a file and WP says "Reformatting Document for Default Printer"), WP adds the printer definition information to the "header" (top) of the file. The solution is to retrieve the existing document into a blank (current) document.

I tried to search the WPCORP-L archives for more specific information, but was unable to come up with any hits. You should repost your question to that group and they'll be able to give more specifics.

John-David Childs
Consultant, University of Montana CIS
jdc@selway.umt.edu

------------------------------

Date:    11 Mar 93 12:34:47 +0000
From:    virusbtn@vax.oxford.ac.uk
Subject: IBM PC Boot Seq (was Partition table viruses (PC))

Sarel Lugtenburg writes:

>We had just an outbreak of a virus that infects the partition table.
>It triggers on any date in March. Reformatting the hard disk and
>running fdisk, changing everything, has no effect. You have to low
>level format the harddisc (IDE). I was always under the impression
>that a high level format from a clean , booted floppy would be enough
>but this is apparently not so.
>
>Can someone tell me what happens during the whole boot process from
>poweron. Where does this virus get into the chain of the bootup
>sequence ?

First question: what virus was it, and how did you detect it (hopefully not by its trigger :( .....)? It's not the EXEBUG virus by any chance, is it?

BTW, just running FDISK isn't enough - you need to run FDISK /MBR (from DOS v5) to re-write the Master Boot Sector - but more on this below...

In answer to your second question (briefly):

When a machine is first switched on, the power supply activates and voltages begin to build to their normal operating levels within the machine. A hardware timer will eventually trip and kick the main processor into action, whereupon it will start executing a program stored at a fixed address in ROM. This program enables the processor to carry out sensible hardware tests and, in ATs, collects information from the CMOS of the machine about its hardware configuration. All of this sequence is referred to as the Power On Self Test, or POST.

The actions at this point vary depending on the BIOS installed in the computer. The original PC design intended that the machine would check if a floppy disk was present in the A: drive, and if one was, would boot from it. If no floppy disk was found, the machine is booted from the hard disk. However, some BIOSes provide a way to disable the floppy disk boot sequence so that it is impossible to pick up a pure boot sector virus by accident. In this case the PC will boot from the C: drive by default.

The early versions of MS-DOS used a similar method of booting either from floppy disk or hard disk. However, as disk drives got bigger, different routines were developed for hard disk boots. In order to cope with multiple partitions etc., a sector (called the Master Boot Record or Master Boot Sector), located at track 0, head 0, sector 1, is loaded and executed. This code examines the data held in the partition table and locates the position of the active partition on the disk.
The code then loads this second boot sector (called the DOS Boot Sector or Partition Boot Sector) which in turn loads the appropriate system files.

So, for a hard disk boot sequence:

BIOS:  Switch on, and load POST routines.
       Load and execute MBR from track 0, head 0, sector 1.
MBR:   Examine the Partition Table and find the entry marked as active.
       Load the associated DOS Boot Sector and execute it.
DBS:   Load the system files and pass control to them.

Therefore, if you boot from a clean floppy, and FDISK /MBR and SYS your hard drive, any boot sector virus is gone, right? WRONG :(

All BIOSes are created equal - but some are more equal than others. If the CMOS information tells *certain* BIOSes that there are no floppy disk drives present on the system then the machine is booted from the hard drive. Therefore every time you FDISK or SYS the hard drive, the virus re-infects, because you are attempting to disinfect with the virus active in memory. This doesn't work on all PCs, but is a problem on some. However, there are free utilities available which can disable the virus in memory, and then disinfect the hard drive. It's messy, but unfortunately that's the way it is.

Low level formatting works too, as this routine is usually executed from ROM. However, low level formatting is a last resort - you don't need to do that to recover.

There was a four page article in the December Virus Bulletin on exactly what happens when a PC boots up (pp 5-8) - if you want more info, let me know.

Yours aye,

Richard Ford                        E-mail VIRUSBTN@uk.ac.ox.vax
Editor, Virus Bulletin              Tel: +44 235 555139
                                    Fax: +44 235 559935

------------------------------

Date:    Thu, 11 Mar 93 08:51:36 -0500
From:    DONNY@iris.netcom.com
Subject: Central Point and Stacker (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes

> Remember that stacker (or any other disk doubler) uses the DOS
> environment to do what ever it is doing,
> and so does Anti Virus TSRs (especially those that use many interrupt
> monitoring).
A conflict might be fatal (generally speaking).

Most TSR writers disagree with you, especially since DOS is built for TSRs. If you're right you should be warning anybody using any sort of TSR with Stacker (including keyboard handlers, EMM386, Windows, etc).

Donny Gilor (Dr. Virus)                     donny@iris.ilnet.net
-----------------------------------------------
Development manager, Iris Software (Israel)
Iris produces software for Text-Retrieval, Anti-Virus, and Copy-Protection.
Telephone: (972)-3-5715319    Fax: (972)-3-318731

------------------------------

Date:    Thu, 11 Mar 93 09:26:26 -0700
From:    martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: F-PROT (PC)

MARIE@sclients.scs.uottawa.ca (Marie-Andre Giroux) writes:

>Hi! I need some information about VIRSTOP from F-Prot. That program
>is supposed to let you know if a virus is trying to do some
>damage on your disk. It was reported to me that VIRSTOP 2.07 did not
>detect the presence of the Monkey virus. If anyone has
>experienced such a problem let me know about it or of any solution to
>it.

I tested virstop from f-prot 2.07 against the two Monkey strains. You are correct: it doesn't notice them on an infected system. It does notice if a system is infected with "Stoned". I think the reason is probably that Monkey uses a level of stealth that may be keeping virstop from seeing the infected MBR. And in memory it is installed not at "Top of Memory", but at offset 200h from TOM. So a device that checks what is at TOM won't find the virus there.

I tested the f-prot 2.07 scanner as well. Scanning diskettes, it correctly identifies Monkey variant 1, but still calls Monkey variant 2 a "new variant of stoned". F-prot cannot find either variant on a hard disk, if you boot from a clean floppy, because Monkey encrypts and moves the partition table data, so f-prot can't find the hard disk partitions at all. (It should still be able to check the MBR, though.)
I am not sure the f-prot I tested was the very latest, though: I think Frisk has released some bug-fixed versions.

As to a solution, the easiest is probably to get killmonk.zip from your favorite ftp site. (For example, it is at oak.oakland.edu, in /pub/msdos/virus.)

Tim.

-------------------------------------------------------------
Tim Martin                    *
Spatial Information Systems   *  These opinions are my own:
University of Alberta         *  My employer has none!
martin@cs.ualberta.ca         *
-------------------------------------------------------------

------------------------------

Date:    11 Mar 93 17:14:01 -0500
From:    ac999512@umbc.edu (ac999512)
Subject: Re: Executable signatures (PC)

>To check for an executable file a virus will read in the appropriate bytes
>and check to see if it is "MZ".
>
>Why do some viruses check for "ZM"? What kind of file does this denote?

I believe both signify an EXE file. Someone correct me if I'm wrong, but it is my understanding that both "MZ" and "ZM" mean that it is an EXE..

+-------------------------------------------------------+
| Ed T. Toton III, Virus Researcher   ac999512@umbc.edu |
|   BREAKFST.COM halted!  Cereal port overflow!         |
+-------------------------------------------------------+

------------------------------

Date:    Tue, 09 Mar 93 13:56:13 -0500
From:    HAYES@urvax.urich.edu
Subject: FIXUTIL4.ZIP from A. Padgett Peterson (PC)

Hi fellows.

Just received and made available for anonymous FTP the new suite of virus defence programs from A. Padgett Peterson. Following is an excerpt of the "what's new" file:

----- begin excerpt --

FixUtilities copyright (C) 1989-1993 by Padgett - all rights reserved.

FixUtil4 is the March 1993 revision of the FixUtils.

WHAT'S NEW

The major change is that the FixUtils are now all FREEWARE.

Major Changes

FixMBR now generates automatically a copy of the original MBR with a user designated name of up to 7 characters. This .DAT file should be stored in a safe place off-line. When changed to a .COM file and executed, the original MBR will be restored.

On machines having BIOS selection of the boot disk, users may now select booting only from the C: drive for additional protection from viruses. If the CTRL key is held down during the boot, SafeMBR, following integrity checking of the hard disk MBR, will transfer the boot process to drive A: to allow booting from floppy for maintenance purposes.

----- end excerpt --

Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.

Thanks Padgett!

Best, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 44]
*****************************************
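Richard Ford's BIOS / MBR / DBS walk-through in this digest can be exercised offline on a saved copy of sector 0 (for instance the .DAT file FixMBR writes). The Python below is an added example, not code from the digest or from any of the posters: it validates the 55AA signature, decodes the four partition table entries, and locates the single active entry whose first sector is the DOS Boot Sector, which is the check a responder would run on a suspect MBR before deciding whether FDISK /MBR is needed. The sample MBR bytes and the 16-head, 63-sector geometry used for the CHS-to-LBA cross-check are constructed for the example.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
ACTIVE_FLAG = 0x80             # status byte value marking the bootable partition


def decode_chs(raw):
    """Unpack the 3-byte packed CHS field into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                      # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]  # high 2 bits of byte 1 + byte 2
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used here only to build the constructed sample."""
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def chs_to_lba(chs, heads, sectors_per_track):
    """Convert a CHS address to a logical block address for a given geometry."""
    cylinder, head, sector = chs
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def parse_entry(raw):
    """Decode one 16-byte partition table entry."""
    lba_start, sector_count = struct.unpack_from("<II", raw, 8)
    return {
        "status": raw[0],
        "active": raw[0] == ACTIVE_FLAG,
        "chs_start": decode_chs(raw[1:4]),
        "type": raw[4],
        "chs_end": decode_chs(raw[5:8]),
        "lba_start": lba_start,
        "sector_count": sector_count,
    }


def parse_mbr(sector):
    """Validate the MBR signature and return the four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    table_end = PART_TABLE_OFFSET + 4 * ENTRY_SIZE
    return [parse_entry(sector[off:off + ENTRY_SIZE])
            for off in range(PART_TABLE_OFFSET, table_end, ENTRY_SIZE)]


def find_active_partition(sector):
    """Do what the MBR code does: locate the one entry flagged active.

    The DOS Boot Sector is the first sector of that partition. A table
    with no active entry, or with more than one, is not bootable.
    """
    active = [e for e in parse_mbr(sector) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    entry = active[0]
    if entry["type"] == 0:
        raise ValueError("active entry has an empty partition type")
    return entry


def build_sample_mbr():
    """Constructed sample: one FAT16 partition starting at C/H/S 0/1/1 (LBA 63)."""
    code_area = bytes(PART_TABLE_OFFSET)      # boot code region, zero-filled here
    entry = (
        bytes([ACTIVE_FLAG])
        + encode_chs(0, 1, 1)
        + bytes([0x06])                       # partition type 06h: FAT16 (BIGDOS)
        + encode_chs(40, 15, 63)
        + struct.pack("<II", 63, 41265)       # LBA start, sector count (constructed)
    )
    empty = bytes(ENTRY_SIZE)
    return code_area + entry + empty * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    dbs = find_active_partition(build_sample_mbr())
    print("active type 0x%02X, DOS Boot Sector at CHS %s, LBA %d"
          % (dbs["type"], dbs["chs_start"], dbs["lba_start"]))
```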