VIRUS-L Digest   Wednesday, 28 Nov 1990    Volume 3 : Issue 189

Today's Topics:

Harddisk virus (Amiga)
Sunday V. in Turbo C 2.00: is false alarm possible? (PC)
new boot sector virus (PC)
anti-virus programs
Washing machine (PC)
UK Computer Crime Unit
Lateral Thinking
Re: Dark Avenger frequency (David Chess)
RE: Trojan Warning (PC)
Disinfectant 2.4 will be out soon (Mac)
Any news on the SCANV trojan? (PC)
Papers/Documentation...
Need info on 4096 (PC)
Re: Dark Avenger frequency? (PC)
V & S

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 26 Nov 90 20:13:00 +0100
From:    Björn Sandell
Subject: Harddisk virus (Amiga)

Dear Sirs,

My harddisk (A590) has behaved strangely lately. It started when some
files (e.g. runback) ceased to be object files. When I examined them,
they contained mostly FF (HEX). I guess one could say that they were
empty, but they were still of original size. I deleted the files, and
replaced them with backed-up stuff, and thought not much more of it.

After a while I found more files with these symptoms. Since I didn't
worry too much the first time this happened, I couldn't tell if it was
the same files as the first time or new ones. At this time I noticed
that 'info' claimed that 49% of DH0 was used, but I knew that it
should be more than 80% full. A recursive listing confirmed this.

When I booted up the machine the next time, a system request popped
up. It said something like "Key 23046 already defined". The harddisk
wouldn't verify, I found several read errors, and eventually I gave up
and reformatted it.

Could this be the result of a virus or trojan, or am I to blame? Is
there any Amiga virus that infects the harddisk? If so, what symptoms
does it cause, and how do I get rid of it?

Yours sincerely
Bjorn Sandell

------------------------------

Date:    Mon, 26 Nov 90 17:28:00 -0500
From:    "Jan C. Zawadzki"
Subject: Sunday V. in Turbo C 2.00: is false alarm possible? (PC)

Greetings...

Can Turbo C 2.0 execs trigger a Sunday virus alarm? I re-installed TC
from backups of the original disks, and Sunday virus was reported (we
scan *everything* that goes into our machines) on the following:

     TC.EXE
     INSTALL.EXE
     GREP.COM [.exe? - I forget]
     UNPACK.COM

Curiously enough, the same was reported when I checked the *original*
disk set. We have no history of an infection. None of the information
on any of the machines is missing/damaged. Are we incredibly lucky, or
does Turbo C trigger the warning? Would someone with an ORIGINAL copy
of the disk set check?

I used SCAN v67 to verify the infection, and the same files are
reported as infected.

We would greatly appreciate any help; at this point we are really not
sure what to do...

Jan

ps. Borland is not aware of any such problems...

- ---
INet: yahn@midget.towson.edu
BNet: S72UZAW@TOWSONVX

------------------------------

Date:    Mon, 26 Nov 90 23:16:00 -0500
From:    Michael Head
Subject: new boot sector virus (PC)

We have found an unknown boot sector virus on "COMBASE" and
"SVGA-UTILITY" software shipped in PACKARD-BELL PACKMATE-III and 386sx
computers. The diskettes are in sealed envelopes. The seal bears
characters which appear to be Chinese. The disks were not intended to
be booted and will produce the standard error message "NON-SYSTEM DISK
etc." if accidentally booted; however, the harddisk, if present, will
have been infected.

The symptoms are varied. Some infected systems play a few notes with
every DOS command issued. On others there are no notes but there is a
lot of I/O of write protected disks (one has the feeling it is trying
to burn its way onto the disk). Still others (my quarantined Taiwanese
AT) will not boot at all after being infected.

Now for the bad news. SCANV67c does not report anything. F-PROT113
also doesn't find a known virus but reports the boot sector is an
unusual DOS boot sector and there may be an unknown virus. (Thanks
Fridrik, it sure is lonely trying to convince yourself you're the first
one to ever see a brand new virus).

Michael Head
______________________________________________________________________
e:mail - ccmh@mvs.mcgill.ca        | McGill Computing Center
bitnet - ccmh@mcgillvs.bitnet      | 805 Sherbrooke St. West
voice  - (514) 398-3707            | Montreal, Quebec
                                   | Canada H3A 2K6

------------------------------

Date:    Sat, 27 Nov 90 07:22:26
From:    "Hussain A. Bazar'Ah"
Subject: anti-virus programs

Hi everybody,

Steve Huff was asking about the best anti-virus & scan programs
available today. The best of these programs are: scanv67c.zip,
cleanp67.zip, m-disk.zip or md.zip, & fprot113.zip.

scanv67c & cleanp67 are the most popular programs worldwide; both of
them can detect and disinfect nearly 223 viruses. 67 is the current
release #.

m-disk or md is a disinfector only (can't detect viruses); it works
well with viruses that attack boot sectors or file allocation tables.

fprot113 is a great & big anti-virus package; in addition to detecting
and disinfecting you have many functions & utilities to protect,
unprotect, change attributes, & more.

Also you can find many other programs in the simtel-20 archive:
through bitnet servers rpiecs or ndsuvm1, as well as a number of ftp
sites. To find out what every program can do, request the file
00-index.txt from listserv@rpiecs.

I hope this is clear, and useful. I will be glad to share information
with everyone.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\ Hussain A. Bazar'ah                                           \
\ King Abdulaziz University, Computer Center                    \
\ P.O. Box 3494                                                 \
\ Jeddah 21471, Saudi Arabia.                                   \
\ fax (02) 631-0438, tel (02) 640-0000                          \
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

------------------------------

Date:    Tue, 27 Nov 90 08:08:00 -0400
From:    Marc TARDIF
Subject: Washing machine (PC)

Hi Netlanders,

Last weekend we had the worst time with viruses in our labs. We got
Stoned, Jerusalem'ed, Ping Pong'ed. I found a funny thing on one of
the machines. This is a TSR file that responds when the return key is
pressed. It says that your disk needs a cleaning and asks for a
confirmation. When you agree to a cleaning the floppy disk drive
starts. Then "washing cycle" is written at the bottom of the screen
and a washing machine sound comes from the speaker. After that there's
a spin cycle, a rinse cycle and another spin cycle with all
appropriate sounds. At the end of the process it says that your disk
is clean.

I checked all disks and no damage occurred. But it's a kind of funny
joke. I reset the PC and forgot to take a copy. If I see it again I'll
take a copy and make it available to the net.

I want to apologize for my less than poor English.

=========================================================================
| MARC TARDIF                          | Net: S004@HECMTL01.BITNET  |
| Ecole des HAUTES ETUDES COMMERCIALES |============================|
| MONTREAL, QUEBEC                     | Watch for VIRUS:           |
| CANADA H3T 1V6                       |   make backups often       |
| Phone: (514) 340-6066                |   trust nobody             |
=========================================================================

------------------------------

Date:    Tue, 27 Nov 90 15:53:29 +0100
From:    David J Ferbrache
Subject: UK Computer Crime Unit

Since the passing of the Computer Misuse Act of 1990, the insertion of
viral material into computer systems has become an offence which may
result in up to 5 years imprisonment. The insertion of viruses is
dealt with under the offence of unauthorised modification of computer
data, and was a problem specifically addressed in the English Law
Commission report 186 (para 3.65 (2)).

The UK police have established a central "Computer crime unit" who are
interested in monitoring all infections by computer viruses within the
UK. This unit is currently four strong and consists of a Detective
Inspector, Detective Sergeant and two Detective Constables and is
located at New Scotland Yard, London.

They are keen for any person, organisation or company infected by a
virus to report the infection. This will allow the construction of a
picture of the damage caused by the virus infection, and provide
useful background material for a prosecution if the author is ever
located.

In this regard they have asked anyone in the UK experiencing a
computer virus infection to contact:

   Noel Bonczonzek
   Computer crime unit
   071-725-2409

- ------------------------------------------------------------------------------
Dave Ferbrache                            Internet
Dept of computer science                  Janet
Heriot-Watt University                    UUCP     ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone +44 31-225-6465 ext 538
Edinburgh, United Kingdom                 Facsimile +44 31-220-4277
EH1 2HJ                                   Cellular  +44 831-223120
- ------------------------------------------------------------------------------

------------------------------

Date:    Mon, 26 Nov 90 18:08:04 +0100
From:    "Otto.Stolz"
Subject: Lateral Thinking

Hello fellows,

two recent, seemingly unrelated, contributions to VIRUS-L deserve a
common response. My point in both cases is: When a virus is active, it
does not need to crack any anti-virus method, as it can circumvent it.
This holds for contemporary architectures of personal computers (note
the small "p": I'm referring to all brands) and many types of hosts.

Imagine a firm door, locked with seven secure locks: If you forget to
put an equally strong wall on both sides of it, nobody will bother
with the locks nor the door! (And if the wall is in place, don't
forget the floor and the ceiling; don't forget the people and
equipment that will have to go in and out; and so on...)

An amusing variation of this motif can be found in the chapter
introductions of Douglas Hofstadter's "Gödel, Escher, Bach: an Eternal
Golden Braid", where the Tortoise keeps producing records that cannot
be played on Achilles' more and more sophisticated hi-fi record
players.

On Thu, 15 Nov 90 17:35:00 -0400 Herbert Lin said:
> In a recent msg, someone said that a "stealth" virus could evade
> checksum and CRC checks. ...
> Wouldn't the author of the virus have to know the checksum/CRC
> technique being used in detail?

He/she (Aside: Ever thought of female virus authors? In my
imagination, virus authors are inevitably of the male sex and of age
< 25 years, but I may be wrong...) can circumvent any algorithm (even
a bitwise compare to a backup copy) by simply interfering with all
disk-read operations and presenting any programs reading an infected
file with a (faked!) image of the unaltered file. This is exactly what
"Stealth Viruses" do.

> I should be able to detect viruses ALL THE TIME (of course, if and
> only if I have a confirmed clean system to begin with).

That's exactly the point: To check for viruses, you have to start your
system without activating any virus. E.g. you can boot from a
confirmed clean system disk and avoid running any infected program.

> what am I missing?

Nothing.

On Tue, 20 Nov 90 14:11:00 +0100, Peter van der Landen said:
> I have experimented quite a bit with Jerusalem-B but I have never seen
> it survive a warm boot.

Neither did I. Possibly the original contribution has confused it with
some other virus that indeed can survive a warm boot.

> Could anyone explain to me how it is possible for any virus to survive
> a warm boot by any method other than infecting something on the boot
> disk.

As you have noted yourself, a virus can intercept the Ctrl-Alt-Del
keystroke (we call it the "Monkey's Snatch"). Then it can do anything
the programmer can imagine. E.g. it could fake a warm boot by reading
something from the A-disk (this would fool many users, perhaps even
experienced ones). Or it could perhaps use part of the Int-19 code,
keeping control during the whole process (or making sure that it will
re-gain control, afterwards). The latter scheme has been discussed in
VIRUS-L before, and I think we arrived at the conclusion that a virus
must be rather large and sophisticated to do this with any DOS variant;
however, a virus need not deal with any and all systems to prosper.

> ... doing a reboot with int 19h, this would be difficult.

I think no virus would be able to survive a genuine, complete re-boot
in memory AND re-gain control. (Take this as an educated guess, as I'm
no expert with system internals.)

Hence the motif reappears: Circumvent what cannot be cracked.

Best wishes
Otto

------------------------------

Date:    Tue, 27 Nov 90 18:58:00 +0000
From:    Sanford Sherizen <0003965782@mcimail.com>
Subject: Re: Dark Avenger frequency (David Chess)

>One person, he says, tells him that he's seeing several Dark Avenger reports
>per week. Does this agree with anyone else's observations? We get rather few
>reports of the Dark Avenger (or the VACSINA, or any other TPxxVIRs, or really
>any other "Bulgarian" viruses); are there places (many places?) in the world
>where these viruses are very common?

USSR installations have been hit many times by various "Bulgarian"
viruses. Bulgaria was a significant supplier of hardware and software
for the Soviets, although I suspect it is much less so now. Reports
have also been given about these viruses spreading through Eastern
Bloc nations. A brief discussion on this is found in my COMPUTERWORLD
article, "Lack in the USSR" (Aug. 20, 1990, InDepth, 73-74).

Sandy

------------------------------

Date:    27 Nov 90 17:01:00 -0400
From:    "DRCV06::OPER1"
Subject: RE: Trojan Warning (PC)

keithm@ashtate.A-T.COM (Keith Mund) writes:

>>Speaking personally as a software author, buy software from the
>>manufacturer or a legitimate dealer. The same fears you have are felt
>>by them manyfold, and great care is taken to ensure safe software.
>>Although you threw out names of companies freely, none of them has
>>distributed software with any problems. Why fear a problem that does
>>not exist. Viruses are spread by individuals copying software, not by
>>legitimate manufacturers.

One way of ensuring that the SCAN or F-PROT programs are legitimate is
for the authors to ZIP their program with the -AV (Authenticate
Verification) switch on. That way if the programs were modified
PKUNZIP would tell you. It would also be a way for users to know that
the ZIP file came straight from the author and hasn't been modified in
any way.

Glenn.

------------------------------

Date:    Tue, 27 Nov 90 22:31:02 +0000
From:    mailrus!gatech!ornl.gov!wnn@uunet.UU.NET (Wolfgang N. Naegeli)
Subject: Disinfectant 2.4 will be out soon (Mac)

I asked John Norstad whether Disinfectant 2.3 was effective against
ZUC B (a.k.a ZUC 2) or whether there would be a new version. He
responded that version 2.4 should be out in a few days. I'll append
some extra information he sent to me later.

I am posting this here because I am sure many of you have wondered
about that too. I hope this will save you and him time by making
similar inquiries unnecessary.

**************************************************************
Wolfgang N. Naegeli
President, MacClique--East Tennessee Macintosh Users Group
Internet: wnn@ornl.gov          Bitnet: wnn@ornlstc
Phone: 615-574-6143             Fax: 615-574-6141 (MacFax)
QuickMail (QM-QM): Wolfgang Naegeli @ 615-574-4510
Snail: Oak Ridge National Laboratory, Oak Ridge, TN 37831-6206
**************************************************************

>Thanks for the news.
>Please forgive my impatience. It goes to tell you how much we appreciate
>your work.
>I guess we have become spoiled by your almost instantaneous releases of
>the last several versions in response to new viruses.

Yes, whenever I make vacation plans, I always worry that a new virus
will show up just before I leave or while I'm gone. This time it
happened - I got the new ZUC B virus late last Tuesday, and I left for
my vacation on Wednesday morning. Fortunately, the original ZUC A
virus was never widespread, and we have no reason to believe that ZUC
B is widespread or terribly damaging or dangerous. So I figured that
Disinfectant 2.4 could wait for a week or so while I was gone.

John Norstad
Academic Computing and Network Services
Northwestern University
jln@casbah.acns.nwu.edu

------------------------------

Date:    Tue, 27 Nov 90 13:38:00 -0600
From:    "J.K. Meddahi"
Subject: Any news on the SCANV trojan? (PC)

I read a couple of postings last week that mentioned Trojans in the
zip files SCANV68 and SCANV70. I was expecting more reactions to these
two messages, but nothing got posted. Does that mean that this was an
unfounded rumor? If not, I'd like to know if these infected files
originated from McAfee or if somebody fiddled with the files somewhere
in the distribution chain.

Thanks for any information you could share on this.

Karim
Bitnet:   elee4cz@judy
Internet: elee4cz@jane.uh.edu

------------------------------

Date:    Wed, 28 Nov 90 03:36:34 +0000
From:    jstewart@rodan.acs.syr.edu (Ace Stewart)
Subject: Papers/Documentation...

A Request for Help
- ------------------

There are plenty of places where one can find virus combatting
material, and plenty of places with virus programs. What I am looking
for are Virus published papers, Virus documentation (and I've looked
through sumex :), and technical reports that have been released. Are
these beasties out there somewhere? I'd like to centralize such things
in an archive site I have been setting up, but am looking for a
starting point.

Help?

Many thanx...cheers!

Ace

- --
| Ace Stewart (Jonathan III)                              |A  /\   |
| Affiliation: Eastman Kodak Company. Rochester New York  |  _/  \_ |
| Internet/ARPA: jstewart@rodan.acs.syr.edu               |  \_  _/ |
| Bitnet: jstewart@sunrise.bitnet                         |    \/  A|

------------------------------

Date:    Tue, 27 Nov 90 22:46:53 -0500
From:    William Howell
Subject: Need info on 4096 (PC)

Is there a repository of information somewhere that would tell me
about the '4096' virus, and how to disinfect a system with such a
virus?

Thanks.

------------------------------

Date:    28 Nov 90 13:55:01
From:    kiravuo@hila.hut.fi (Timo Kiravuo)
Subject: Re: Dark Avenger frequency? (PC)

Here at Helsinki University of Technology we have had Dark Avenger
twice, first time last fall, when it supposedly came with a Bulgarian
researcher, last time two weeks ago, source not known. Since the Dark
Avenger spreads very eagerly, I would not be surprised if it were
common. Other common viruses in Finland are at least PingPong and
Yankee Doodle.

- --
Timo Kiravuo, kiravuo@hut.fi
Helsinki University of Technology, Computer Center, Finland

------------------------------

Date:    Mon, 26 Nov 90 08:18:12 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: V & S

- ---------------------------------------------------
>From: s37775d@taltta.hut.fi (Pandy (A. Holmberg))
>Subject: Re: List of known viruses urgently required.

>From: JAN-LIEN@vera.stacken.kth.se
>Subject: Virus info databases

I strongly recommend Patricia Hoffman's Virus Summary List (PC) and
the Disinfectant by John Norstad (MAC) documentation (both available
from any number of electronic sources) as REQUIRED reading.

Having access to a VAX, the SEARCH command allows selective extraction
and resorting of just about anything. On the PC, Q&A (by Symantec I
think) is a good flat-file database or a custom flat file analysis
routine is trivial (well, an evening) to write in BASIC.

- ----------------------------------------------------------------------
>From: cjohnson@acsu.buffalo.edu (charles johnson)
>Subject: Yale/Alameda (PC)

>From: "Daud.R..Matthews"
>Subject: Removal of EDV? (PC)

These are both boot sector infectors. The Yale/Alameda originally just
infected 360k floppies and the EDV could also infect the Partition
Table though heaven only knows what variants have been cooked up.

From floppies, just replace the boot sector using DEBUG (L100 0 0 1
with a good floppy in A and W100 0 0 1 with an infected floppy in A);
however, any sector overwritten or marked bad by the virus will remain
that way (the bad sectors can be recovered, overwritten data cannot).

According to my data, the Yale stores the original boot sector at head
0 track 39 sector 8. The EDV stores it at head 1 track 39 sector 8.
Both go resident at the TOM & reduce total system memory (CHKDSK or
the three bytes again).

As to EDV surviving CLEAN, I have seen cases of Ghosting (viral code
still attached to a file or in memory but disconnected from the
execution path) & would suggest following CLEAN by:

1) COLD (power off) boot from a clean floppy. POST should wipe memory.
2) use DEBUG to read the HD partition table & boot record
3) if ok, boot from the HD, check for the TOM movement & run SCAN
   again.

If the /m finds it in memory BELOW the 640k segment & CHKDSK returns
655360 bytes (640k) total memory, one of the files in CONFIG.SYS or
AUTOEXEC.BAT used to be infected & is ghosting - try copying these
files to a floppy and back to the HD in a different place. The smaller
floppy cluster size should strip the remnant off.

NOTE: this is not a one-size-fits-all procedure: TOM is only ONE of
the "three bytes" but will work for Yale/Alameda or EDV original
recipes.

p.s. I would rather have a few "false positives" than ANY "false
negatives"

- ------------------------------------------------------------------------------
keithm@ashtate.A-T.COM (Keith Mund) writes:

>Speaking personally as a software author, buy software from the
>manufacturer or a legitimate dealer. The same fears you have are felt
>by them manyfold...

When the software houses start distributing their wares on notchless
floppies like IBM, Norton, Intel, and Iomega (plus a few others) do,
I'll believe it. Not perfect but a BIG step in the right direction.

                                        Padgett,

had my Judge out yesterday & had nearly forgotten what a RA400/4spd
was like. Now if I can just get the electrics fixed...

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 189]
******************************************
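Padgett's recovery note above gives the stash locations of the original boot sector for Yale/Alameda (head 0, track 39, sector 8) and EDV (head 1, track 39, sector 8) and the DEBUG L/W sequence for putting a good boot sector back. The following is an added example, not code from the digest or from any of its contributors: it works the CHS-to-byte-offset arithmetic for a 360K floppy image and copies the stashed original back over sector 0 of an image file, refusing to write unless the stashed sector carries a JMP opcode and the 0x55AA signature. The 360K geometry (40 tracks, 2 heads, 9 sectors, 512 bytes) and the sample image are assumptions constructed here.

```python
"""Restore a stashed original boot sector in a 360K floppy image.

Added example, not code from VIRUS-L. Geometry is assumed to be the
standard 360K format (40 tracks x 2 heads x 9 sectors x 512 bytes);
the stash locations are the ones Padgett's note gives for the two
viruses. The sample image below is constructed, not a real disk.
"""
import struct

SECTOR = 512
HEADS, SPT, TRACKS = 2, 9, 40                 # assumed 360K geometry
IMAGE_SIZE = TRACKS * HEADS * SPT * SECTOR    # 368640 bytes

# (head, track, sector) where each virus is reported to keep the original
STASH = {
    "Yale/Alameda": (0, 39, 8),
    "EDV":          (1, 39, 8),
}


def chs_offset(head, track, sector, heads=HEADS, spt=SPT):
    """Byte offset of a CHS address; sectors are 1-based as in DEBUG's L/W."""
    if not (0 <= head < heads and 1 <= sector <= spt and 0 <= track < TRACKS):
        raise ValueError("CHS address outside floppy geometry")
    lba = (track * heads + head) * spt + (sector - 1)
    return lba * SECTOR


def looks_like_dos_boot_sector(sec):
    """Sanity check before trusting a stashed sector: x86 JMP/JMP SHORT at
    offset 0 and the 0x55AA boot signature in the last two bytes."""
    return (len(sec) == SECTOR and sec[0] in (0xEB, 0xE9)
            and sec[-2:] == b"\x55\xAA")


def restore_boot_sector(image, virus):
    """Return a copy of the image with sector 0 replaced by the stashed
    original (what 'L100 0 0 1' on the stash then 'W100 0 0 1' achieves).
    Raises ValueError if the stash does not hold a plausible boot sector."""
    head, track, sector = STASH[virus]
    off = chs_offset(head, track, sector)
    original = image[off:off + SECTOR]
    if not looks_like_dos_boot_sector(original):
        raise ValueError(f"stash for {virus} does not hold a boot sector")
    return original + image[SECTOR:]


def make_test_image(virus):
    """Constructed sample: sector 0 holds filler bytes and the real boot
    sector sits at the virus's stash location. Returns (image, boot)."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                # JMP SHORT + NOP
    boot[3:11] = b"EXAMPLE "                   # OEM name (constructed)
    boot[11:13] = struct.pack("<H", SECTOR)    # BPB bytes-per-sector field
    boot[510:512] = b"\x55\xAA"
    image = bytearray(IMAGE_SIZE)
    image[0:SECTOR] = b"X" * SECTOR            # filler standing in for sector 0
    off = chs_offset(*STASH[virus])
    image[off:off + SECTOR] = boot
    return bytes(image), bytes(boot)


if __name__ == "__main__":
    for name in STASH:
        img, boot = make_test_image(name)
        fixed = restore_boot_sector(img, name)
        print(name, "stash at byte", chs_offset(*STASH[name]),
              "restored:", fixed[:SECTOR] == boot)
```

Against a real floppy image the check is the same: read the stash, confirm it looks like a DOS boot sector, then write it to sector 0; sectors the virus overwrote elsewhere are not recovered by this step, as Padgett notes.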