From lehigh.edu!virus-l Mon Apr 5 05:05:53 1993 remote from vhc Received: by vhc.se (1.65/waf) via UUCP; Mon, 05 Apr 93 18:01:13 GMT for mikael Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA01636; Mon, 5 Apr 1993 15:38:50 +0200 Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA34585 (5.67a/IDA-1.5 for ); Mon, 5 Apr 1993 09:05:53 -0400 Date: Mon, 5 Apr 1993 09:05:53 -0400 Message-Id: <9304051213.AA19903@first.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@first.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #56 VIRUS-L Digest Monday, 5 Apr 1993 Volume 6 : Issue 56 Today's Topics: Michelangelo (PC) CLEAN Recovery? (PC) Port Writes (PC) Lao Duong (PC) Optimum Strategy for Virus Checking (PC) Re: Booting password (PC) Superstor and McAfee (PC) Bug in FixUtil4 (PC) Zenith boot selection (PC) Re: What is the Genb or Form Virus??? (PC) Re: Problems with DOS 6.0 Microsoft Anti-Virus (PC) VI-SPY VS Central Point AntiVirus (PC) Re: Scanners and exe/com file compressors? (PC) Re:Scanners and exe/com files (PC) Virus signature determination. (PC) Catch from DIR? (PC) Scan 99 % PKlite 1.15 (PC) Untouchable (PC) Untouchable (PC) Which CRC/scanner to use. (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: Mon, 29 Mar 93 08:51:07 +0100 From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: Michelangelo (PC) Hello Paul & Frisk! > Well, not every Michelangelo story has a sad ending. I did a > data recovery a week or two ago for a guy who'd been hit -- he had a > 200MB drive, and as M takes only a 9MB "bite" out of the drive, what > was left turned out to be pretty useful. 9MB? You musta been very quick in powering the PC down :-). Ah, joking. Okay, it may be possible to recover _something_ in some instances, if Mich didn't touch one copy of the FAT or your files weren't too fragmented. You need a big bucket of luck to recover "all you want" :-) > Yeah, they chose the wrong switch; then "Oops, sorry", and > switched back on again. "Funny, this machine won't boot". Funny :-) :-( cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Mon, 29 Mar 93 08:58:08 +0100 From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: CLEAN Recovery? (PC) Hi Chris! > My question is, is there any way of rebuilding a "CLEANed" > partition table??? Yes - get a virus-free DOS 5 boot disk containing FDISK and a sector editor, boot from it and issue "FDISK /MBR". If this does not help at all, it means your partition table entries have gone, too. In that case take the sector editor, look for the DOS bootsectors on your hard disk (if you ever saw an intact DOS boot record, you know how it looks like) and insert the right parameters into the new-built MBR's partition entries. A little difficult, but works. > what does IMHO stand for... In my humble opinion, IMHO stands for... ehem :-) cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Mon, 29 Mar 93 09:43:16 +0100 From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) Subject: Port Writes (PC) Hello everyone. A couple of days ago, I first succeeded in compiling and running a routine to access disk using port writes only, therefore avoiding any interrupt whatsoever. Needless to say, this piece of code is not going anywhere. However, this raised a question. Is there any EXISTING control program to inhibit such access? If a virus were to use port writes, no anti-virus shield would be able to stop it. Inbar Raz - - -- Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660 Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il - --- FMail 0.92 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210) ------------------------------ Date: Fri, 02 Apr 93 01:56:19 -0500 From: "Roger Riordan" Subject: Lao Duong (PC) A.APPLEYARD@fs1.mt.umist.ac.uk writes > (1) What is the exact proper spelling of 'Loa Duong'? I have met >3 spellings so far. Who knows? We use Laodoung, which was the name of the sample file we received. > (2) We had Loa Duong in a PC III (running DOS 3.10) in Manchester >University (England), and I suspect that either it or the only >antiviral that we use (VET) or both between them deleted some >files. Who issues VET? Who will have information about it? We do, and the Manchester Computer Centre has the information about it. >Please someone send me fullest information about what Loa Duong >does. The version of VET that we had, found it but could not remove >it. According to Alan Solomons VENCYCL it "Plays music, or beeps." It does not appear to have any warhead, so it is unlikely that eithe it, or VET, caused the files to be lost. >In the end we resorted to the ultimate weapon: wiping and re- >initializing the hard disk. This is almost never necessary, and will usually cause far more trouble than waiting till you can get proper advice. If VET had been installed on the PC it would have been able to put back the saved copy of the DOS boot sector, but as this virus infects the DOS boot sector it can readily be removed with the command "SYS C:" Roger Riordan Author of the VET Anti-Viral Software. riordan.cybec@tmxmelb.mhs.oz.au CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: Fri, 02 Apr 93 01:56:26 -0500 From: "Roger Riordan" Subject: Optimum Strategy for Virus Checking (PC) markb@grv.grace.cri.nz (Malcolm Shore) writes >I have been considering the integrity requirements of PC systems and >applications, and thinking about the problem of full system scanning >and user resistance because of the time involved. > >This leads me to ask members of the list more experienced than I >in these matters the following question: > >Can risk analysis techniques be applied to the problem of viruses, >ie do we have the base data needed to assess the risk of attack by >various viruses and apply only the required countermeasures?. Do we >have the methodology? > >For instance, if such an analysis reveals that only (say) the STONED >and MICHAELANGELO viruses pose a threat in excess of acceptable risk >then boot sector protection will provide an acceptable countermeasure >without the overheads of full system scanning. Do I speak heresy? In their enthusiasm to protect themselves from every possible risk systems administrators often specify security measures which render users PCs almost inaccessible. The inevitable result is that the users find some way of disabling the security measures, and so they end up having no protection whatsoever. When we were designing our program VET we started from the assumption that if it added more than about 20 seconds to the normal startup time it would be disabled, so we set out to provide an adequate degree of security without exceeding this limit. The measures we adopted are: 1. We made VET as fast as possible. 2. During Installation we take copies of both boot sectors, so that any change can be detected. 3. We record the top of memory, so the user will be warned if a virus goes resident here. 4. We check memory for known viruses, and then fill unused memory with a diagnostic code, so that if a new virus should hide in memory without protecting itself the PC will lock up, after warning that unused memory has been executed. 5. We calculate signatures for our program files, after adding the information relating to the users PC, and for COMMAND.COM (or equivalent). The signatures are embedded in the program files, and these are then encrypted, and new signatures are calculated and recorded. 5. By default VET will check the first 50 executable files it finds. Most program viruses will spread rapidly, so this will detect nearly all infections the next time the PC is booted. Using the default options VET takes about 16 seconds to check an XT, and 4 to check a modern 486, but it will identify nearly all viruses that are remotely common, recover files and hard disks infected with most common viruses, and warn of most infections with new viruses. The author of the locally written Gingerbread virus went to inordinate lengths to hide it, but if it infected a PC with VET installed the user would be warned in the normal boot that the top of memory had been changed. After a clean boot VET would also warn that the MBR and the VET file were corrupted. Roger Riordan Author of the VET Anti-Viral Software. riordan.cybec@tmxmelb.mhs.oz.au CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: Fri, 02 Apr 93 11:05:39 -0500 From: Fabio Subject: Re: Booting password (PC) Can't you go into the setup program? I had the same problem with a DTK 486DX 50Mhz computer: I could not execute the setup utilities, because it allways asked me for the setup password. What I did follows: I wrote my own setup program (CMOSEDIT.EXE) which allows me to modify any register in the CMOS. Particularly, I changed the hard disk type number to other number and then booted up again. The DTK BIOS POST routine tried to recognize the new hard disk type parameters, checking them against the real HD installed. Of course, the comparison failed and the POST suggested to get into the setup Voila... No setup password were asked. Try it, you can use any CMOS modifier utility; there are several on InterNet (Mark Aitchison has written CMOS.EXE version 2.99 which is very good. FTP for it in cantva.canterbury.acs.nz under the PC directory, file CMOS299.ZIP, login as anonymous). Good luck ,,, (O o) * * * * * * * * * * * * * * * *oOO* (_) *OOo* * * * * * * * * * * * * * * * U * * Fabio Esquivel Chacon * Computerize God - It's the new religion * * fesquive@ucrvm2.bitnet * Program the Brain - Not the heartbeat * * University of * * * * Virtual existence / Superhuman mind * * Costa Rica * The ultimate creation / Destroyer of mankind * * "My girlfriend, * Termination of our youth / For we do not compute * * ____/| music and * * * \'o O' computers * "Computer God" - Dehumanizer * * =(_._)= drive me * Ronnie James Dio - Black Sabbath (1992) * * U crazy..." * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ------------------------------ Date: 02 Apr 93 17:26:27 +0000 From: psgrbbc@prism.gatech.edu (Brian Cooper) Subject: Superstor and McAfee (PC) I'm posting this question for a friend. He has had some problems using McAfee and Superstor. He scanned the files on his Superstor disk, and McAfee reported no viruses. However, he could not access the Superstor disk; he could only access the regular disk with the Superstor temporary files. Luckily, when he rebooted, all was fine-- he could access his Superstor disk and all files were in tact. Are there any problems with using Superstor and McAfee? What may have caused his inability to access the Superstor disk? Thanks, Brian Cooper psgrbbc@prism.gatech.edu ------------------------------ Date: Fri, 02 Apr 93 12:53:27 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Bug in FixUtil4 (PC) I have discovered a bug in FixMBR.EXE v2.7 and 2.7b included in the FixUtil4.zip file that may trigger an "Sector Mismatch..." error on some partition tables. This bug does not exist in the 1.x versions in FixUtil3. I will put together a fix that will be posted as FixUtl4c.zip and contain FixMBR v 2.8. Again, this will only occur on certain oddly partitioned PCs in which the active MS-DOS partition is not the first entry in the table. Chagrined, Padgett ------------------------------ Date: Fri, 02 Apr 93 13:19:41 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Zenith boot selection (PC) >From: cftdl@ux1.cts.eiu.edu (Terry Lundgren) >Subject: Zenith Hard Disk Boot (PC) >Our computer lab seems to be under constant virus attack, >especially from boot sector viruses. We have Zenith 386's and >they allow through the setup procedure accessible by Ctrl/Alt/Ins >to make the system boot from the hard disk. I tried it and it >made no difference then what was in the A drive (empty, >>unformatted, formatted no system, etc.). The startup obviously >did check the drives, but I don't think the boot sector is being >used. The problem is that the Zenith looks at the hard disk entry first. If the type is NONE (as when a hard card or any disk requiring its own controller) is in use, it will ALWAYS boot from A: reguardless of the boot select setting. If this is the case, first check to see if you can turn the controller BIOS off and use the Zenith BIOS instead (seen frequently when upgrades from 159s to 248s and 386s occured & the old disk and controller were kept. >Will changing the setup to boot from the hard disk stop boot >sector infections? (Of course it could be changed, but it might >significantly slow down the spread if it works.) IMHO this is true. A MBR or BSI could still occur with a dropper or if an insider "helped" but most of the currently "common" viruses of this type will be stopped. Warmly, Padgett ------------------------------ Date: 02 Apr 93 20:03:24 +0000 From: cjkuo@symantec.com (Jimmy Kuo) Subject: Re: What is the Genb or Form Virus??? (PC) crk5@vm2.cis.pitt.edu writes: >Yesterday one of our machines contracted the Genb virus at boot up. When I >cleaned it off it said that is was the Form virus. I suppose one is a >variant of the other. I have not been able to find any information on >either of these viruses and what they do, or how dangerous they are. GENB is McAfee's designation for a generic boot sector infector. So it is not a specific virus. If it later said Form, then you have Form. Jimmy Kuo cjkuo@symantec.com Norton AntiVirus Research ------------------------------ Date: Fri, 02 Apr 93 21:18:48 +0000 From: 007 Subject: Re: Problems with DOS 6.0 Microsoft Anti-Virus (PC) acrosby@uafhp..uark.edu (Albert Crosby) writes: [Observations of MSAV's feebleness omitted] >Personally, I think Frisk and McAfee can rest assured. I, for one, CANNOT >take this offering from Microsoft seriously, and will reccomend other >anti-virus solutions to my network users and clients. Well, what did you expect? The startup line shows that the copyright is held by Central Point Software, and just about everyone who has read this list for long knows what the conventional wisdom regarding CPAV is... Just to see if the CW was right, I tested MSAV on my rather small collection of 350 viruses. F-prot 2.07 caught 345 of these, SCAN 102 caught 343, and MSAV caught 308. Quite a difference! Microsoft oughta be ashamed... -- 007 - -- 000 000 7777 | sbonds@jarthur.claremont.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Childhood is short... [Calvin & Hobbes] 000 000 7 | ...but immaturity is forever. ------------------------------ Date: 02 Apr 93 21:59:15 +0000 From: minchin@rumba.seas.upenn.edu (Min-Chin Hsiao) Subject: VI-SPY VS Central Point AntiVirus (PC) Hi netters, This is not an comparison between the two scanners. I ran into some problems while running Vi-Spy version 10 while scanning my hard disk. Vi-Spy consistently pick the Central Point Antivirus files like vsafe.com or Vsafe.sys saying that Flip virus is found. I think I have used a Virus scanner from Taiwan Eten group which report the same thing. Just wondering if anyone has this problem? Is it just coincidence that Flip's signature was found in CPAV files? Min-Chin Hsiao minchin@eniac.seas.upenn.edu ------------------------------ Date: Fri, 02 Apr 93 21:52:34 +0000 From: phil@wearbay.demon.co.uk (Philip Coull) Subject: Re: Scanners and exe/com file compressors? (PC) frisk@complex.is (Fridrik Skulason) writes: >It cannot be expanded by PKLITE, that is...expanding it with a special >program is not a problem at all. I think what you're saying here is that pklite can't expand it, but its pretty easy to write one that does!(?) If that is the case there seems to be little point in using PKLITE Pro! As an aside, and without giving away any "trade secrets". Can you use the compressed programs built-in ability to uncompress itself, or do you have to write a de-compressor totally from scratch?? - --------------------------------------------------------------- Philip Coull G3XVY phil@wearbay.demon.co.uk CI$ 76046,332 ------------------------------ Date: 02 Apr 93 22:38:00 +0000 From: shakib.otaqui@almac.co.uk (Shakib Otaqui) Subject: Re:Scanners and exe/com files (PC) PA> To answer your question, yes scanners (at least McAfee) do unpack/decompr ess > programs. I have tested it with PKLite (shareware), I PKLited an infected > program and Scan v100 found it with no problem,I do not know about the > professional version of PKLite, but, there is a BUT, If the > PKLite header were to be trashed...then Scan would not know to decompress > the program. It would then miss completely te virus. You would have then what > I call a Stealth Bomber delivery system, when the virus would begin to sp read, > it would then become scannable but you would not be able to find the sour ce. You're so right. Some idiot recently posted on the Fido-Net Batchpower echo the debug script for what was described as a tiny disk cache program. At least two users have reported that the program trashed their drives, even though it had been scanned. Investigation showed that the file was compressed with PKLite 1.15, and that a hex editor was used to replace the PKLite signature with null characters. This apparently defeated SCAN, which treated it as an ordinary file. After uncompressing the file with PKLite, one user said SCAN apparently identified it as a virus, though I suspect it's more likely to be a trojan. I've saved both the debug script and the related messages in case anyone is interested (offer only open to bona fide virus reserachers whose names I recognise). * PQ 2.15 189 * Lose that ugly FAT: download a trojan today! ------------------------------ Date: Wed, 31 Mar 93 09:14:01 +0100 From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: Virus signature determination. (PC) Hi Frisk! > 2) For each polymorphic virus you disassemble it, and find a > piece of > the code which is found in all samples of the virus (you > want to [...] > 3) For the difficult, polymorphic ones, which can not be > found with a > search string, you write a detection procedure. I always use the term 'polymorphic' in a different way to 'encrypting'. What you describe under 2) is an encrypting virus, what you mention under 3) is a polymorphic one. Isn't the term 'polymorphic' specifically reserved for viruses who have their encoder changed along with every copy by exchanging instructions etc. in a way that there can be no signature extracted? cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Wed, 31 Mar 93 09:19:02 +0100 From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: Catch from DIR? (PC) Hi Frisk! > There is, however, one way to run a program from a diskette by > just doing a DIR, Ugh... if this isn't too special, can you or someone else post how this could be possible? I just know about an ANSI bomb which will execute a file from disk if you hit the 'hot key' next time. Do you mean this? cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Fri, 02 Apr 93 22:31:36 -0500 From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin) Subject: Scan 99 % PKlite 1.15 (PC) From: 1070056@SAPHIR.ULAVAL.CA (PATRICK A. MORIN) programs. I have tested it with PKLite (shareware), I PKLited an infected program and Scan v100 found it with no problem,I do not know about the professional version of PKLite, but, there is a BUT, If the PKLite header were to be trashed...then Scan would not know to decompress - -------------------------------------------------------------------------- I did a similar test with Scan99, and PKlite 1.15. Scan 99 detected both copies of the virus. After I trashed the PKlite header with Nolite from a back issue of 40 HEX. After trashing the PKlite header, Scan 99 wasn't able to detect the compressed virus. Bill - --- * WinQwk 2.0 a#383 * 903 activates any day in March ------------------------------ Date: Fri, 02 Apr 93 22:31:39 -0500 From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin) Subject: Untouchable (PC) Date: Wed, 31 Mar 93 10:49:06 +0000 From: chermesh@chen.bgu.ac.il (Ran Chermesh) Subject: Is "Untouchable" (V-analist-3) effective? (PC) Our department considers buying an anti virus package. High in the list is an Israeli product, sold in Israel under the name V-analyst-3 and in the US as Untouchable. The feature of most interest to us is the way this package claims to deal with future viruses. Since this feature can't be tested experimentally, - -------------------------------------------------------------------------- I have tested Untouchable against viruses that the scanner couldn't detect. Untouchable can detect these new viruses by integrity checking. and was able to restore most of the infected files. Untouchable does this by integrity checking. Bill - --- * WinQwk 2.0 a#383 * 1554 activates Oct 1 - Dec 31 ------------------------------ Date: Fri, 02 Apr 93 22:31:52 -0500 From: bill.lambdin@frenchc.eskimo.com (Bill Lambdin) Subject: Untouchable (PC) Date: Tue, 30 Mar 93 23:46:33 +0000 From: scotth@cs.umr.edu (Scott Hayes) Subject: virus checking in the CMOS? (PC) Also, (this may be related), how do UNTOUCHABLE and other non-scanner anti-virus programs work? - -------------------------------------------------------------------------- I have tested Untouchable, and recommend it. With it's use of scanning, resident virus detector, and integrity checking, it can detect the presence of new or unknown viruses. Bill - --- * WinQwk 2.0 a#383 * SATURDAY THE 14TH activates Saturday 14th ------------------------------ Date: Sat, 03 Apr 93 16:34:52 +0000 From: btf57346@uxa.cso.uiuc.edu (Byron Faber) Subject: Which CRC/scanner to use. (PC) I currently use f-prot/virstop/ and Integrity master on my machine. (a 386/40 pc). I was curios if anyone could give me their opinions as to which scanner would be the best to use. I have been in a high risk group for computer viruses and have found that Integrity master's crc checks and f-prot's heuristic scans have done pretty well. If anyone has opinions on my setup, or could suggest any other alternatives please mail me. Byron Faber - -- Free Software Exchange: Support it!!!! (pgp2.1, questionable code, etc). Using PGP2.1 on request. Ask for a file list or information on the exchange. Internet: btf57346@uxa.cso.uiuc.edu & btf57346@sumter.cso.uiuc.edu ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 56] *****************************************