From lehigh.edu!virus-l Tue Mar 23 03:19:22 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Tue, 23 Mar 93 17:47:04 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA11834; Tue, 23 Mar 1993 15:08:43 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA15610 (5.67a/IDA-1.5 for ); Tue, 23 Mar 1993 08:19:22 -0500
Date: Tue, 23 Mar 1993 08:19:22 -0500
Message-Id: <9303231231.AA23788@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #46

VIRUS-L Digest   Tuesday, 23 Mar 1993    Volume 6 : Issue 46

Today's Topics:

Virus Code
Cross-platform viruses ?
Amiga viruses (Amiga)
Sun virus detector-available? (UNIX)
Michelangelo (PC)
Partition table viruses (PC)
Re: Michelangelo or STONE (PC)
Virus Development Program (PC)
Re: PC Magazine on Anti-Virus products (PC)
Re: Malta Amoeba: What is it? (PC)
lilsaver.zip (PC)
help - PC protection (PC)
Re: DBase virus (PC)
Variation of Michelangelo? (PC)
Re: wordperfect virus? (PC)
Re: F-PROT 2.07 and Windows not compatible? (PC)
Int 21h fn 4Bh (PC)
Boot Process & FixUtil4 FreeWare (PC)
Can I Get Infected If... (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on cert.org (192.88.209.5).

Administrative mail (comments, suggestions, and so forth) should be
sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Tue, 16 Mar 93 00:49:29 +0000
From: rob.borek@rose.com (rob borek)
Subject: Virus Code

Date Entered: 03-15-93 19:43

OK. About this whole virus code thing: I believe that it should only
be placed in VERY careful hands, such as virus researchers and
anti-viral companies. I'm very competent, and understand viruses, but
do not believe in distribution of viral code. It's just TOO hard to
control the flow of "legal" distribution of viral code.

Rob Borek
* Biology grows on you.

- ---
RoseReader 2.10 P003202 RoseMail 2.00 : PowerNET/Sarnia, ONT. (519) 336-5863

------------------------------

Date: 16 Mar 93 10:30:04 +0800
From: udptech@uniwa.uwa.edu.au (Denis Brown)
Subject: Cross-platform viruses ?

In the near future, my Department will have a mixture of IBMs and MACs
running on the same thin-ethernet backbone. Are there any known viruses
which can propagate across platforms such as these ? I assume that it
would be feasible to write a "programme" on either platform to
deliberately infect the other one, especially given that our network
"lingua franca" will be TCP/IP. Am I worrying about nothing ?? If not,
what "programmes" should I be aware of on either platform ?

System setup:

At present the IBMs are thin-ethernet connected and use LANtastic
peer-peer software. We're getting LANtastic-for-TCP and will connect to
our Uni. Campus LAN via a Cisco box (which will stop the raw LANtastic
traffic from getting into the Campus LAN). The Apples will connect to
the common thin ethernet cable via their own adaptors and likewise will
run TCP/IP. The IBMs will continue to run the (very successful) raw
LANtastic for their normal file/resource sharing.
Any advice appreciated.

Denis

------------------------------

Date: 17 Mar 93 14:47:41 +1000
From: u9263012@uow.edu.au (Walker Andrew John)
Subject: Amiga viruses (Amiga)

Does anyone have a comprehensive list of Amiga viruses and what they
do?

Andrew Walker.

------------------------------

Date: Wed, 17 Mar 93 18:13:27 +0000
From: dennisk@aplcenmp.apl.jhu.edu (Dennis M. Kavanagh)
Subject: Sun virus detector-available? (UNIX)

Does anyone know of products that purport to provide some virus
detection/correction for SUNs?

Thank you...

------------------------------

Date: Wed, 10 Mar 93 14:34:03 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Michelangelo (PC)

Hi Christer!

> A friend of mine couldn't boot his computer today (6:th of
> March). Could it be the Michelangelo Virus?

Yep :-(.

> in that way? The partition of the drive was wiped away. How does
> one recover the information on the disk?

I'm sorry, all one can say is: Forget it, it's impossible :-(((

cu!
eppi

- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: Wed, 10 Mar 93 14:32:02 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Partition table viruses (PC)

Hi Sarel!

> It trigger on any date in March. Reformatting the hard disk and
> running fdisk, changing everything, has no effect. You have to
> low level format the harddisc (IDE).

Try to rebuild the MBR by issuing "FDISK /MBR" after booting from a DOS
disk instead of LL-formatting the hard disk. If this doesn't work and
there's no tool to remove the virus, you have to restore a saved backup
of the MBR. That's why I recommend saving a backup of it while it's
still OK... :-)

BTW, you can, with some effort, rebuild a completely zeroed-out MBR by
examining where the partitions on the hard disk physically reside and
where the DOS boot sectors are.

cu!
eppi

- --- GEcho 1.00
* Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: 10 Mar 93 07:24:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: Michelangelo or STONE (PC)

Quoting from G.randolph Bickerton to All About Re: Michelangelo or
STONE on 03-08-93

GB> Isn't the correct procedure to repartition the hard disk then reforma

Clean 100 had a problem removing Mich. Clean 102 is supposed to have
fixed this problem.

It should never be necessary to low level format a hard drive to
eradicate a virus.

Bill

- ---
* WinQwk 2.0 a#383 * FINGERS activates after Nov 11th, 1990

------------------------------

Date: 10 Mar 93 06:39:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Virus Development Program (PC)

Quoting from Sgt Rock to All About Virus Development Program on
03-07-93

SR> development programs: The Phalcon/Skism Mass-Produced Code Generator,
SR> Virus Construction Set, and the Virus Construction Laboratory.
SR> These programs sound scary to me. Does anyone out there know anythin
SR> about them? Where do they originate and are they available for genera

Those development programs are available on almost all underground
BBSs.

Virus Construction Set is not a real threat. It just turns out variants
of the Manta virus, and any reputable scanner can detect them.

The MPC and VCL can generate different types of viruses, but most
reputable scanners (F-prot, Integrity Master, etc) can detect any
viruses made by these two virus generators.

Bill

- ---
* WinQwk 2.0 a#383 * I like to dissect computer viruses.
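The two preceding posts by Malte Eppert and Bill Lambdin make the same defensive point from two sides: keep a copy of the master boot record while it is known good, and repair (FDISK /MBR or restoring the saved copy) rather than low-level format. The script below is an added example, not from the digest or from any product it names. It parses a 512-byte MBR image, validates the 55AAh boot signature, decodes the four partition entries, and reports how a current sector differs from the saved copy (boot code only, partition table, or both). The three MBR images, the boot-code bytes and the partition layout are constructed for the example; on a real machine the sector would be read with a low-level disk tool and the backup kept on write-protected media.

```python
"""Compare a master boot record against a saved known-good copy.

Added example for the MBR backup advice in the digest; not code from
the digest or from any tool it mentions. All sector images below are
constructed for illustration.
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445: the boot loader code
TABLE_OFFSET = 446             # four 16-byte partition entries follow
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR
# entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Decode boot code, the partition table and the signature check."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, type_id, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_LEN)
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": type_id, "lba_start": lba_start,
                           "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def compare_mbr(saved: bytes, current: bytes) -> list:
    """List the ways `current` differs from the known-good `saved` copy."""
    findings = []
    good, now = parse_mbr(saved), parse_mbr(current)
    if not now["signature_ok"]:
        findings.append("boot signature 55AA missing: sector unreadable or wiped")
    if good["boot_code"] != now["boot_code"]:
        findings.append("boot code changed: what an MBR infector that keeps "
                        "the partition table looks like")
    for p_good, p_now in zip(good["partitions"], now["partitions"]):
        if p_good != p_now:
            findings.append(f"partition entry {p_good['index']} changed: "
                            f"{p_good} -> {p_now}")
    return findings


def refresh_boot_code(current: bytes, clean_code: bytes) -> bytes:
    """Model the FDISK /MBR style repair: rewrite only the boot code,
    keeping the partition table that is on the disk now."""
    code = clean_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + current[TABLE_OFFSET:510] + SIGNATURE


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (bootable, type, lba, count) tuples."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if bootable else 0,
                                 type_id, lba, count)
                     for bootable, type_id, lba, count in partitions)
    return body + table.ljust(4 * ENTRY_LEN, b"\x00") + SIGNATURE


# Constructed images: a clean MBR with one bootable FAT16 (type 06h)
# partition, the same table under replaced boot code, and a zeroed sector.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x06, 63, 65536)])
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90 constructed sample", [(True, 0x06, 63, 65536)])
WIPED_MBR = bytes(SECTOR)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("replaced code", INFECTED_MBR),
                         ("wiped", WIPED_MBR)):
        print(label, compare_mbr(CLEAN_MBR, image) or ["no change"])
```

An operator would run the comparison from a known-clean boot floppy, because an active MBR infector can present the original sector to reads made through it. The parse also shows why a zeroed MBR is recoverable with effort, as the post says: the partition start and length fields are all the table holds, and they can be reconstructed by locating the DOS boot sectors on disk.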
------------------------------

Date: 10 Mar 93 06:51:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: PC Magazine on Anti-Virus products (PC)

Quoting from Fridrik Skulason to All About Re: PC Magazine on Anti-V
on 03-07-93

FS> lest the 50-100 that are in the wild), the viruses they used are old,
FS> program that had not been updated for 18 months would have detected a
FS> one or two....and so on...

I couldn't agree more.

FS> Anyhow, I wrote them a 4-page letter about this...

Good for You!

I hope they will
a. improve their testing processes.
b. stop testing anti-viral software.

Bill

- ---
* WinQwk 2.0 a#383 * CASINO activates Jan 15th

------------------------------

Date: Sun, 14 Mar 93 18:24:13 -0500
From: Wolfgang Stiller <72571.3352@compuserve.com>
Subject: Re: Malta Amoeba: What is it? (PC)

nafziger@eagle.sangamon.edu (Scott Nafziger) writes:

> I heard of a virus called the Malta Amoeba. I was wondering
> what does it do. How does it affect floppies, hard drives, and/or net
> Also, is there any way to detect if someone has this virus without virus
> scanning software? Any information will be greatly appreciated.

Here are parts of a report I wrote about a year ago on this virus; I
think it answers most of your questions:

Stiller Research Virus Report - Copyright 1992 - The Maltese Amoeba

Aliases: Irish (McAfee), Grain of Sand, Amoeba (mistakenly)

A destructive memory resident infector of .COM and .EXE files. It will
activate on Nov 1st and March 15th.

The Maltese Amoeba is another variable encrypting (AKA polymorphic)
virus. This means that the bulk of the virus code is encrypted and the
decryption routine uses variations of several patterns of instructions
similar to the technique used in the V2Px series of viruses. The
decryption instructions are interspersed with variable numbers of
irrelevant instructions and can appear in a varying order.
While various (different) series of instructions are used for the
decryption, the decryption is always accomplished by a simple exclusive
or. The decrypted code is not further garbled with irrelevant
instructions.

The Maltese Amoeba infects only .COM and .EXE files, using a different
decryption pattern for .COM than for .EXE files. It uses no stealth
techniques and can be detected by doing a simple DIR and noting the
file size changes. Its only sophistication lies in its ability to make
generation of virus scan strings difficult.

This virus spreads quite readily on all PCs tested (7). It will infect
files on either a DOS open or a load and execute (files read or
executed programs will be infected). After the first infected file is
executed, the Maltese Amoeba goes resident in memory in the highest
available 2K (usually at 9F00:0000 if 655,360 bytes are free). It
seems to play by the DOS rules and changes the MCBs (memory control
blocks) so that DOS does not overlay the virus code, but it does not
issue the DOS TSR request (no doubt in order to bypass monitoring
programs). This reduction in memory can be seen by doing a CHKDSK or a
MEM command.

This virus checks for its own presence in memory by issuing a DOS set
date call with an invalid value and also checks for presence (in
memory) of Ross Greenberg's anti-virus programs (FluShot+ and Virex-PC)
as well as the PSQR virus. If these programs are present the virus will
not infect any programs. It reportedly also detects and deactivates the
Murphy virus but I have not confirmed this.

The virus will replace the (Int 24) critical error handler so you will
not see the familiar "Abort, Retry, Fail" if the virus tries to infect
a write protected floppy.

On Nov 1st or March 15th, it will overwrite low numbered tracks on the
hard disk and any diskettes, produce a flashing display and hang the
PC. The disk will probably be unreadable at this point.
I have not actually allowed this virus to destructively activate on my
test systems; my results are based upon code inspection and reports
published in the (UK) Virus Bulletin.

The code written into the partition sector (AKA Master boot record)
contains encrypted poetry which displays the first four lines of
Blake's Auguries of Innocence from the Pickering Manuscripts:

   "To see a world in a grain of sand
    And a heaven in a wild flower,
    Hold infinity in the palm of your hand
    And eternity in a hour."
                              The Virus 16/3/91

The next time the PC is booted the above text is displayed -- the PC
then hangs.

This virus was not detected prior to its activation in the UK on
November 1st 1991. It had managed to spread quite widely! According to
the December 1991 Virus Bulletin:

"Prior to November 2nd, 1991, no commercial or shareware scanner (of
which VB has copies) detected the Maltese Amoeba virus. Tests showed
that not ONE of the major commercial scanners in use (the latest
releases of Scan, Norton Anti-virus, Vi-Spy, VISCAN, Findvirus, Sweep,
Central Point Anti-virus et al.) detected this virus."

This indicates the danger of depending upon scanner technology or
active monitor technology for virus protection.

Regards, Wolfgang

Wolfgang Stiller, Stiller Research, 2625 Ridgeway St., Tallahassee, FL
32310 U.S.A.

------------------------------

Date: Sun, 14 Mar 93 19:26:08 -0500
From: HAYES@urvax.urich.edu
Subject: lilsaver.zip (PC)

To all: if you see that program (LILSAVER.ZIP -- a small screen saver)
it is a dropper for the [ANTHRAX] virus. As far as *I* know, this is
the first occurrence of this virus in central Virginia.

Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu      (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date: Tue, 16 Mar 93 11:45:42 +0000
From: prwiertz@rcl.wau.nl
Subject: help - PC protection (PC)

Wageningen, 16-3-93

When I read the articles in this group I want to protect my PC better
than I did before. Can someone send me the best anti-virus program
there is at this moment? (I hope it isn't self-infected, as happened to
me last time.) Thanks in advance.

M.N.G.M. Wiertz
Email: Prwiertz@rcl.wau.nl

------------------------------

Date: Sun, 14 Mar 93 14:19:07 +1300
From: dogbowl@dogbox.acme.gen.nz (Kennelmeister)
Subject: Re: DBase virus (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> dogbowl@dogbox.acme.gen.nz (Kennelmeister) writes:
>
> > How widespread is the DBase virus?
>
> Not at all...
>
> > I've just run across it in an MS-DOS system I was checking.
> > Apparently it may have been on their machines for up to a year...
>
> Are you sure that it is not a false positive? How many files were
> infected? Which scanner did you use? Which version of it?

I was asked to check it because their dbf files were being trashed
every so often. The scanner that picked it up was f-prot 2.06a. There
were only about a dozen infected files, but the system was only being
used for dbase work, so that's not too surprising. The real clincher
was discovering bugs.dat hidden in the root of C drive.

Unfortunately, I have no samples, as the owners' first reaction was to
reformat their hard drive, and I couldn't find any infected floppies.
They only backed up data, not executables, preferring to reinstall
from the original disks.

Virus source is unknown - machines which have been in contact with
this system all came up clean.
I guess it's just a case of an isolated machine harbouring an old
virus, coupled with complacency on the part of the owners that their
3 year old scanning program would keep them clean.

- --
Alan Brown. (SysAdmin)   dogbowl@dogbox.acme.gen.nz    Palmerston North
Dawghaus BBS -> +64 (6) 357-9245                       New Zealand
"A wet and windy place in the South Pacific"

------------------------------

Date: Tue, 16 Mar 93 20:59:27 +0000
From: garyb@pdx015.intel.com (Gary Brown)
Subject: Variation of Michelangelo? (PC)

March 6 I was surprised to boot my PC and be greeted by: "Drive not
ready error", etc.. Running fdisk I found that my partition was gone.
It looks like Michelangelo. A repartition and format and everything's
okay.

Here's my confusion: Last year I detected and cleaned Michelangelo
with version 84 (I'm pretty sure) of McAfee. This year I scanned with
the same version about mid-Feb and I was clean. The only software I
bought since then was TurboTax, and I scanned that disk and it was
clean. I have only bought software during the last year. I need to
download the latest version of McAfee and scan with it, but my
question is:

Does anyone know of a modified Michelangelo that is not detectable by
software that could detect it last year??

Gary Brown

------------------------------

Date: Wed, 17 Mar 93 07:02:49 +0000
From: bm29@cunixf.cc.columbia.edu (Bob Matsuoka)
Subject: Re: wordperfect virus? (PC)

[stuff omitted]

>>A number of our lab machines are exhibiting very strange WordPerfect
>>behavior. For example, very small user documents are growing to
>>extremely large size, until they fill up available disk space. Scans
>>with F-PROT do not identify any known virus.

Those files aren't kept on a Novell server, by any chance, are they?
There has been a thread the past couple of weeks concerning WP files
growing to huge sizes in one of the Novell groups. I don't run WP so I
haven't been paying attention but I suggest you post your question
there. Bit.listserv.novell I think...
- --------------------------------------------------------------------------
Bob Matsuoka, Network Manager            bm29@cunixf.colmbia.edu
New Lab for Teaching and Learning        ph. (212) 722-5160 x152
The Dalton School                        fax (212) 348-5885

------------------------------

Date: Thu, 18 Mar 93 01:23:13 +0000
From: oep@colargol.edb.tih.no (oep)
Subject: Re: F-PROT 2.07 and Windows not compatible? (PC)

Otto Stolz (RZOTTO@NYX.UNI-KONSTANZ.DE) wrote:
: Until Frisk will have looked into this matter, and will come up with a
: fix, I recommend *not* to use the new /COPY option on computers that
: have Windows installed on them.

With the current version of F-PROT, 2.07, it is not recommended that
you use the /COPY, /BOOT and /WARM options on systems with "novice"
users, yet. As stated in VIRSTOP.DOC, which is included in the
ZIP-file, these are new options and you can run into problems using
them with some applications (read MS-Windows).

F-PROT 2.08 will probably contain a version with these options working
with MS-Windows. Until then, try out the new options; if they don't
work on your system, don't use them.

- - oep

------------------------------

Date: Wed, 17 Mar 93 20:53:16 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Int 21h fn 4Bh (PC)

From: Donald G Peters

>APP discusses how 4B works and leaves the reader to draw his own
>conclusions. My question to APP is how do I resolve the difference
>between the description in Norton's book and Duncan's book regarding
>how to load a program WITHOUT executing it. One book says to use
>subfunction 1 and the other says subfunction 3. Neither book gives
>enough detail that I can gain a good understanding of it without
>experimenting first.

Actually, the best source for this information is Ralf Brown's
Interrupt List (current version is 33) found on many archives
(pub/msdos/info on oak.oakland.edu - be sure to get all four ZIP files
A, B, C, & Q).
Listed for Int 21h Function 4Bh are the following subfunctions (around
line 21,319):

   00  load and execute
   01  Load but do not execute (what DEBUG uses)
       (02 is not listed but think I have seen it somewhere)
   03  Load overlay (different organization than a .COM or .EXE)
   04  Load and execute in background (European MS-DOS 4.x only)

Good luck,
                Padgett

ps Incidentally, the idea of a .COM/.EXE scramble is not new, I first
saw it in a paper circulated in 1988.

------------------------------

Date: Wed, 17 Mar 93 20:54:08 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Boot Process & FixUtil4 FreeWare (PC)

sarel@ford.ford.ee.up.ac.za (Sarel Lugtenburg) writes:

> Can someone tell me what happens during the whole boot process from
> poweron. Where does this virus get into the chain of the bootup
> sequence ?

Vesselin gave a good generic description however it should be noted
that diverse BIOSes act differently. Some *always* look at drive A
first, others (nearly every BIOS I've looked at dated after mid-1991)
allow selection of the boot drive. Some (Tandon) even do some
validation while the latest Award and AMI BIOSes can flag attempts to
alter the MBR or DBR. However, to do anything, the options must be
turned on; the default is the traditional "boot from A first and don't
check anything".

In line with this I have released an update to the FixUtilities
(FixUtil4) with two major differences: the utilities are now
copyrighted FreeWare instead of ShareWare (though donations will not
be refused 8*), and SafeMBR now supports booting from floppy - since
this is not obvious I will explain the concept:

For several years I have been saying that the first line of defense is
not to boot from unknown floppies. At the same time I recognise that
occasionally it is necessary to do so for maintenance purposes.
SumFBoot was the first response: Ctrl-Alt-Del with a floppy in drive A
would be refused, however if you really wanted to boot from a floppy,
Ctrl-Alt-F would reboot *only* from floppy. But this could not handle
the case of a cold boot.

Today things are different, with nearly all PCs built since mid-1991
(and many Zeniths, Compaqs, NECs, and Tandons built earlier) having
boot selection. Yet this feature is rarely used since few people a)
knew about it or b) wanted to have to reset the CMOS to boot from a
floppy (I need to do so at least once a week when I defrag).

Accordingly SafeMBR v2.7 has the following switch: You can set the
BIOS to always boot from the C: drive and SafeMBR will always check
the low levels out first. However once checks are complete and if you
hold the Ctrl key down during the boot, the logo "Boot A" will appear
and the boot process will transfer to the disk in drive A.

Thus even cold boots are protected yet the user still has the ability
to boot from A if really necessary. This follows my personal
philosophy that the users are responsible individuals but do not need
to be computer experts. So long as only known clean floppies are used
to reboot, low level viruses such as we have seen today cannot infect
a machine (droppers excluded but then the logo will not appear on
boot).

Yes, I know this is not a perfect defense but it is effective against
nearly all "common" MBR infections and the price is certainly right
8*).

Again, this new version is FreeWare and requires no licensing other
than the limited license included in the documentation (though I would
like to hear who is using it).

Enjoy.

Warmly,
                Padgett

------------------------------

Date: Thu, 18 Mar 93 04:02:04 +0000
From: cftdl@ux1.cts.eiu.edu (Terry Lundgren)
Subject: Can I Get Infected If... (PC)

My system is clean. I use Central Point's virus watch/safe. With the
system running, I put in a student's (assume infected) disk. I do a
DIR on the student's disk. I take the disk out.
Now, is it possible that my system caught the virus? Any virus? I
received no warning messages of any kind. The system has not shown any
symptoms.

I would appreciate your comments and advice.

- --
T. Dennis (Terry) "Bud" Lundgren, BE/AIS, Lumpkin Hall 343, 581-2162

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 46]
*****************************************
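Appended after the digest as an added example, not code from the digest or from any product it names (Integrity Master and the scanners are mentioned only by name). Two posts above motivate it: Wolfgang Stiller's Maltese Amoeba report says the virus uses no stealth and shows up as file-size growth in a DIR listing, and Alan Brown's DBase post notes the owners backed up data but not executables and trusted a three-year-old scanner. A size-and-hash baseline of the executables catches both cases without a signature for the virus: an appended infector changes the size, and an overwriting one changes the hash at the same size. The directory tree, file contents and the two simulated modifications below are constructed for the example; the extension set and the baseline file name are the example's own choices.

```python
"""Baseline the executables on a disk and report what changed.

Added example for the "DIR and note the file size changes" advice in
the digest; not a tool from the digest. The sample tree is constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile

# Extension set is an assumption for the example (DOS executable types).
EXEC_EXTS = {".com", ".exe", ".sys", ".ovl"}


def snapshot(root: str) -> dict:
    """Map relative path -> {size, sha256} for every executable under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()}
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Report added, missing and changed executables, with how they changed."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "new executable"))
        elif new is None:
            findings.append((rel, "missing"))
        elif old["size"] != new["size"]:
            grown = new["size"] - old["size"]
            findings.append((rel, f"size changed {old['size']} -> {new['size']} "
                                  f"({grown:+d} bytes)"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "same size, contents changed"))
    return findings


def demo(appended_bytes: bytes = b"\x90" * 1024) -> list:
    """Build a constructed DOS-style tree, baseline it to a JSON file, then
    simulate one file that grew and one rewritten in place, and compare."""
    with tempfile.TemporaryDirectory() as root:
        files = {                       # constructed contents, not real binaries
            "COMMAND.COM": b"\xe9\x10\x00" + b"A" * 200,
            "DOS/FORMAT.EXE": b"MZ" + b"B" * 400,
            "DOS/CHKDSK.EXE": b"MZ" + b"C" * 300,
            "DATA/LETTER.TXT": b"not an executable, ignored by the baseline",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Persist the baseline the way an operator would, then reload it so
        # the check does not depend on anything held in memory.
        baseline_file = os.path.join(root, "baseline.json")
        with open(baseline_file, "w") as fh:
            json.dump(snapshot(root), fh)

        with open(os.path.join(root, "DOS/FORMAT.EXE"), "ab") as fh:
            fh.write(appended_bytes)      # growth, as an appending infector leaves
        with open(os.path.join(root, "COMMAND.COM"), "r+b") as fh:
            fh.seek(3)
            fh.write(b"Z" * 8)            # same size, bytes replaced in place

        with open(baseline_file) as fh:
            saved = json.load(fh)
        return compare(saved, snapshot(root))


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{rel}: {what}")
```

The baseline file belongs on write-protected media or another machine, since a file kept on the checked disk is as exposed as the executables it describes; and the comparison is only as good as the state it was taken in, so take it right after a clean install, which is the point the DBase post makes about reinstalling from original disks.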