VIRUS-L Digest Friday, 7 Feb 1992 Volume 5 : Issue 25 Today's Topics: Michelangelo threat (PC) Remedy for Michelangelo (PC) Re: CHKDSK and Viruses (PC) yet another commercial Michelangelo (PC) Re: SafeMBR and SCAN8.3B86 (PC) two small comments (PC) Re: Polymorphic viruses Re: What virus creates SD.INI? (PC) Help! Michelangelo and Windows (PC) Micro Cops Virus????? (PC) Re: LZ virus found by McAffee NETSCAN and CLEANUP but not SCAN? (PC) Virus Descriptions FP-202D.ZIP is on BEACH (PC) CLEAN86B/NETSC86B anti-virals uploaded to SIMTEL20 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 06 Feb 92 13:26:21 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Michelangelo threat (PC) With the latest announcement of Michelangelo being distributed on BitCom disks packed with modems, it seems apparent that the spread of this virus is getting out of hand. Accordingly, between now and the 7th of March, 1992 I am suspending the requirement for submission of any shareware fees for my FIX utilities which will detect and may be used to remove the Michelangelo virus - consider this a "free trial" period just PLEASE read the .DOCs. The bundled FREEWARE, NoFBoot, SafeMBR, CHKMEM, CHKBOOT, and SafeFBR may, of course, be used without restriction so long as they are not modified in any way. The current versions may be retrieved via Anonymous FTP from urvax.urich.edu (141.166.1.4) as FixUtils2.zip and only these latest versions should be used. Permission is granted for this .ZIP to be posted at any site. Editorial: I am astounded that today, nearly six years after the discovery of the first BIOS-level infection, the OS manufacturers: MicroSoft and Digital Research have not yet included these simple rules in their products. IMHO simple addition of the SafeMBR and SafeFBR code to FDISK & FORMAT would rapidly stop the spread of those viruses currently accounting for over 50% of recorded infections. Warmly, Padgett padgett%tccslr.dnet@mmc.com Disclaimer: everything expressed herein is my own opinion and not necessarily that of my employer. ------------------------------ Date: Fri, 07 Feb 92 09:37:29 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Remedy for Michelangelo (PC) This virus has really surprised me. When I first say it, my thought was "yet another STONED" (and not as well written), but it seems to be spreading & spreading & spreading... If Rob Slade's estimate is right, for every report we see, there are at least three other infected computers that we don't. March 6th may just be interesting. Some time ago I did a number of experiments concerning boot sectors in general since we seemed to have good protection from DOS viruses but few people were working at the BIOS level before DOS ever starts. IMHO, since over 50% of the reported infections begin at the BIOS level, then that is where the checking should start. The first experiments (written in 1988) were a set of integrity checking programs, two of which were CHKMEM and CHKBOOT (now FREEWARE) that could be used to detect all "common" viruses - I presented a paper on this at last year's Virus & Security Conference in New York (March 12 & 13 this year call (800)835- 2246 x190 for info - plug). These operate from the DOS level. About two years ago, I began studying a BIOS level approach - at this point the Intel PC is a fully functioning computer with access to all peripherals, it is just not yet a DOS (or Unix or OS/2 or...) computer. The first result was the DISKSECURE program that was designed as a technology demonstrator & performed BIOS level integrity checking and protection of the MBR, hidden sectors, and DOS boot record. Many researchers seem to like it as an additional layer of protection. DISKSECURE's biggest limitation was that it could do nothing about a floppy boot (only hardware can prevent this) and I was and am convinced that a global solution had to be software based - not for technical reasons but for logistical and economic ones. The next effort was SafeMBR - a BIOS level Master Boot Record replacement that performed integrity checking on the system and which would halt a boot if "something" was wrong and used lessons learned in DISKSECURE to avoid conflicts with the incredible array of disk controllers, BIOSes, and DOS variants that exist. SafeMBR is FREEWARE. Late in 1991, I extended the SafeMBR concepts to a similar floppy disk replacement SafeFBR to provide a generic floppy disk boot record replacement with warning messages. Concurrently with SafeMBR, I addressed the "floppy boot" problem as far as possible with software, a TSR (512 bytes needed & can be loaded "high") was written to intercept the Ctrl-Alt-Del sequence and test for a floppy in drive A. If one is found, the reboot is denied. This taught me more about the inner workings of the BIOS and the Interrupt Controller. NoFBoot was the result and is also FREEWARE. The final parts FixMBR and FixFBR were extensions of this concept used to install SafeFBR and SafeMBR. FixMBR came from hours spent disinfecting machines infected by MBR viruses and was designed to automate the repair based on the fact that ALL leave an intact partition table SOMEWHERE. Given an intact partition table, all that is usually necessary is to replace the MBR program. Generally I use the SafeMBR code to do this. For some time, I was hesitant to release these techniques but then along came the Azusa virus... FixFBR works essentially the same way except that only four Boot Parameter Blocks are needed (does not work with 2.88 Mb floppies yet). Since it also incorporates the CHKBOOT techniques, it will also flag potentially infected disks. This last is the key to the concept. None of these programs (well maybe NoFBoot) will prevent a virus infection. What they will do is to detect viruses almost immediately. Flag the "anomaly" in a way the user cannot ignore, and provide a recovery mechanism. They do not "identify 1000 viruses" but will tell you that "something" has happened at the BIOS level without going resident. They are designed as one layer in a layered protection (I use four layers myself). Similarly, either CHKBOOT or FixFBR will detect the Michelangelo virus on floppy disks and report them as "suspect". FixFBR will then remove the problem. To me this is a vital element in fighting malicious software, knowing early on that "something" has happened and isolating the abnormality to as narrow range. I personally believe that if these techniques were used globally, those viruses responsible for over half of reported infections: Stoned, Azusa, Aircop, Brain, Joshi, & Michelangelo would quickly disappear. But today there appears to be a very real threat: Michelangelo that needs to be addressed. I have never seen so many reports of a virus in so short a time before and am particularly disturbed about the number of "shrink-wrapped" reports. Consequentially, while normally I "suggest" a nominal SHAREWARE fee ($1.00) for the two "FIX" utilities, from now until 7 March, 1992, payment requirements are suspended and they may be freely used, posted, & transmitted without limitation so long as they are not modified. Warmly, Padgett padgett%tccslr.dnet@mmc.com ps: I know that the current version of these programs is in FIXUTIL2.ZIP and may be found in directory msdos.antivirus at urvax.urich.edu (141.166.1.6 - thanks Claude) Note: this is my hobby, my employer has nothing to do with this. Programs in FIXUTIL2.ZIP Length CRC-32 Name ------ ------ ---- 1331 449b4371 CHKMEM.COM 2189 2753290a FIXFBR.EXE 368 72b99d29 SUMFBOOT.COM 1357 77936de4 CHKBOOT.EXE 2219 332bf466 FIXMBR.EXE 4885 3e04a29b FIXFBR1A.DOC 749 3f347828 CHKSMBR.EXE 368 cccf71a5 NOFBOOT.COM 2602 63f3d358 NOFBOOT.DOC 4461 a1408395 CHK.DOC 366 4c0e9c20 VALIDATE.24 26118 8138037e FIXMBR24.DOC ------ ------- 47013 12 files ------------------------------ Date: 06 Feb 92 20:53:21 +0000 From: suned1!slced1.Nswses.Navy.Mil!lev@elroy.Jpl.Nasa.Gov (Lloyd E Vancil) Subject: Re: CHKDSK and Viruses (PC) I believe you will find that this is due to a change in the size of IO.sys and the option to load dos high. Try mem /p>mem.txt and then read mem.txt. My Dos 5.0 book indicates 0000h to 002670h is used by System interupt, IO and MSDOS.sys. I think this is smaller than Dos 3.3. L. - -- |suned1!lev@elroy.JPL.Nasa.Gov|lev@suned1.nswses.navy.mil|sun!suntzu!suned1!lev| |S.T.A.R.S. The revolution has begun!| My Opinions are Mine mine mine hahahah!| ------------------------------ Date: Thu, 06 Feb 92 14:21:33 -0700 From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: yet another commercial Michelangelo (PC) The Michelangelo virus was found at the University of Alberta on a diskette from "Meridian Data, Inc.", who seem to be involved in CD-ROM extension software for MS-DOS systems. The diskette was shipped write-protected, and the infection was detected immediately. Meridian Data have been informed of the problem. Is that 5 confirmed commercial distributions of Michelangelo, now? This is beginning to smack of conspiracy. What are the statistical odds of one relatively dumb boot sector infector being this "successful"? Or do the various companies have something in common: same supplier of pre-formatted diskettes, maybe? Same diskette-copying service? Recipients of the same "Demo" disk that required a system reboot? Beta testers of some software that does a reboot for installation purposes? I find the "pure coincidence" interpretation a bit too unlikely, though I have no statistics to support my hunch. Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Thu, 06 Feb 92 22:27:05 +0000 From: mcafee@netcom.netcom.com (McAfee Associates) Subject: Re: SafeMBR and SCAN8.3B86 (PC) jwbutler@mentor.cc.purdue.edu (J.W.) writes: >Just thought I'd pass this along... When I ran McAfee's SCAN (8.3B86) >having SafeMBR installed on my MBR, SCAN reported a changed MBR, and >asked if I wanted to continue. When I ran SCAN again, this message >did not come up. Hello Joe, VIRUSCAN (SCAN.EXE) will check the partition table (alias MBR) for non-standard code, but it also has a feature to check the partition table against a checksum stored in a hidden file in the root of the drive named SCANVAL.VAL. If this file were not updated and SCAN was run to check validation codes, it ouwld then report that the partition table has been changed. To fix this, run SCAN with the /RV option to remove validation codes from your system, and then /AV todd new validation codes to it. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 1900 Wyatt Drive, Suite 8| FAX (408) 970-9727 | Santa Clara, California | BBS (408) 988-4004 | 95054-1229 USA | v32bis(408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Thu, 06 Feb 92 17:06:06 -0500 From: hobbit@vax.ftp.com (*Hobbit*) Subject: two small comments (PC) Virx 19, halfway through an admittedly old and flakey hard drive: Can't locate that sector. Disk must be bad. Press any key to exit. Not useful. A bad sector shouldn't be fatal. F-prot 2.02 believes that Central Point's "vsafe" and "vwatch" are Flip variants. This may have been stated already on virus-l and I think I dimly remember it, but perhaps it should find its way into the doc... _H* ------------------------------ Date: 06 Feb 92 17:43:58 -0500 From: Otto.Stolz.RZOTTO@DKNKURZ1 Subject: Re: Polymorphic viruses Hello fellow virus-hunter, on 23 Jan 92 23:50:10 +0000 vail@tegra.com (Johnathan Vail) said: > frisk@complex.is (Fridrik Skulason) writes: > > Terms such as "Viruses using variable encryption with a variable > > decryption routine" are rather cumbersome, [...] > > It is hereby proposed that the term "polymorphic" be used for this > > class of viruses, [...] > polymorphic virus - A virus using variable encryption with a > variable decryption routine to avoid detection by its > "signature". V2P6, Whale, Maltese, Amoeba, Russian Mutant > and PC-Flu 2 are examples of this kind of virus. I think, the definition both authors are proposing is too confined, or too narrow. Rather, the term should cover more than variable decryption routines. I'll state my proposed definition as a FAQ list entry, so Ken can put it into that list, if most people agree. Could a kind soul, who has a better command of English and/or better knowledge of viruses than I have, proof-read the following contribution, before it goes into the FAQ list? [Moderator's note: Thanks for the FAQ submission, Otto! The list grows...] Q: What is special about polymorphic viruses? Why are they called "polymorphic"? A: In order to eradicate a virus infection, all instances of this these routine s would be plainly visible in any instance of the virus (e.g. the Whale virus does it this way, if I am not mis- taken). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind. A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies, by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A, have the same net effect). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of viruses; rather, a sophisticated "scanning engine" has to be constructed after a thorough research into the particular virus. The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeveaour; adding more and more search strings to simple scanners will not adequately deal with these viruses. (End of propose FAQ entry) On Mon, 03 Feb 92 19:08:00 +0000, Anthony Naggs said: > POLYMORPHIC is a term that I have been using about viruses for about a > year, however I use it in a different way. Polymorphic means having > multiple forms, so I have used the word to describe viruses which > infect different types of host or change their mode of operation. > Specifically I have applied the word to viruses which infect BOOT > sectors and program files (COM or EXE), or system files (eg .SYS). Recently, I have learned of another good term for this kind of viruses: Alan Solomon calls them Multipartite Viruses. I think this is a rather compelling term, as "polymorhic" is for the phenomenon I've dwelt on, in my FAQ contribution above. > For "Viruses using variable encryption with a variable decryption > routine" I would suggest the word "variable". Polymorphic seems > inappropriate as the form is still the same: As to my understanding, the latter viruses vary their form and not their function; hence "polymorphic" seems just appropriate. > [...] It is only the superficial appearance that has changed, and even > that is relatively minor; loading the decryption key and executing the > processing loop are clearly visible [...] I agree that self-encrypting viruses (e.g. Cascade) should *not* be termed "polymorphic", if only the encryption key makes all the dif- ference. However, there are viruses which exploit varying encryption methods (requiring entirely different decryption routines) and/or varying instruction sequences. Hence, I plead to use the following terms: * polymorphic : for viruses that produce varying instances by the techniques described above (unrespective of them being self-encrypting or not), * multipartite: for viruses that exploit several distinct infection paths, and hence will be found attached to varying pieces of code (i.e. at least two of the following: program files, overlay files, program libraries, source programs, device drivers, boot records, etc.) If (when?) viruses will be able to operate on various hosts, we should coin a new term for them, perhaps something resembling the terms "cross- compiler" and "cross-assembler". > I don't intend to dictate nomenclature to anyone nor is this intended > as a flame. However I feel quite strongly that nomenclature should be > carefully considered, not least because if the sand changes under my > feet I shall have to change a lot of text sitting on my harddisk! I agree whole-heartedly! Hence, I thank Frisk for bringing up this topic so we can discuss it, and I hope that we all can agree on a common nomen- clature, even if some of us will have to rephrase existent text files or message strings. Best wishes, Otto Stolz ------------------------------ Date: Fri, 07 Feb 92 09:33:16 -0400 From: pjc@melb.bull.oz.au (Paul Carapetis) Subject: Re: What virus creates SD.INI? (PC) [Moderator's note: Not surprisingly, we've received numerous (!) replies to Larry's question. Since they've all pointed to Norton's Speed Disk, I am only including this reply in the digests. Thanks to all those who replied, however!] riddle@mathcs.emory.edu (Larry Riddle) writes: > Is there a PC virus that creates a hidden file called SD.INI in the > root directory? If so, which of the detection programs will find it? Larry, Let me take a wild guess and say that you have used Norton Utility's Speed Disk!? This program will create a file in the root directory of the disk being defragmented containing information about the disk and the name of this file is SD.INI. You can be assured that you do not have a virus in this case. Blueskies, Paul | Paul Carapetis, Software Advisor (Unix, DOS, C)| Phone: 61 3 4200944 | | Melbourne Development Centre | Fax: 61 3 4200445 | | Bull HN Information Systems Australia Pty Ltd |---------------------------| | Internet: pjc@melb.bull.oz.au | > Cogito Ergo Sum < | | #define STD_DISCLAIMER _my_opinion_only | "What, the curtains?" | PS: Why is it that any unexplained incident is almost always balmed on a virus? ------------------------------ Date: Fri, 07 Feb 92 00:40:12 +0000 From: dloper@clark.edu (Donna Loper) Subject: Help! Michelangelo and Windows (PC) I have a lab of twenty 386 PC machines. I need some advice. I have purchased a copy of Norton Anti-Virus with the definition of Michelangelo strain included. However, most applications I run in this lab are Windows based. An alarm sounds each time I access an executable file and from a DOS prompt It asks to proceed, innoculate. This screen is not visible from within Windows. The alarm sounds, and you are not sure if it is a virus warning, or if it simply wishes to innoculate a file. I can't tell if it's trying to innoculate the same files over and over. Is there a better way? Can anyone provide a suggestion to not only clean up the lab, but from the autoexec and config level - pre scan accessed files from within Windows - where you are shown what's going on? These alarms in the dark are driving me crazy. Running out of time.... Help soon - Please ;-( Donna Loper E-Mail: dloper@clark.edu ------------------------------ Date: Fri, 07 Feb 92 12:42:00 +1000 From: W.BOXALL@qut.edu.au Subject: Micro Cops Virus????? (PC) Has any one heard of the Micro Cops Virus. A message is displayed similar to the following : Illegal Software Detected -- Micro Cops Any information would be appreciated. Wayne Boxall Computer Systems Officer Computer Virus Information Group Queensland University of Technology AUSTRALIA ------------------------------ Date: Fri, 07 Feb 92 07:47:36 +0000 From: mcafee@netcom.netcom.com (McAfee Associates) Subject: Re: LZ virus found by McAffee NETSCAN and CLEANUP but not SCAN? (PC) chi9@midway.uchicago.edu (lucius chiaraviglio) writes: > We are testing the McAffee package in our lab and found what >NETSCAN and CLEANUP say is a virus named LZ but which SCAN does not >detect; no such virus is listed in VIRLIST.... >.... Does anyone know >whether this is a real virus, and if so, should I send a sample to >McAffee Associates, or is this one familiar and just didn't make it >into VIRLIST? Hello Lucius, The LZ Virus was added to Version 86 of SCAN after the VIRLIST.TXT was created so it isn't listed in the VIRLIST.TXT file. SCAN V86 gives a false alarm on the virus, so a new release named Version 86-B was made to fix this. Version 86-B of the programs is available from the wsmr-simtel20.army.mil, garbo.uwasa.fi, and beach.gal.utexas.edu anonymous ftp sites, as well as any site that mirrors them. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 1900 Wyatt Drive, Suite 8| FAX (408) 970-9727 | Santa Clara, California | BBS (408) 988-4004 | 95054-1229 USA | v32bis(408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Fri, 07 Feb 92 10:32:00 +0000 From: Colin Buckett Subject: Virus Descriptions Hello, Does anybody know how I can obtain a detailed description of all, or most, of the current viruses. I have a reference to a list that a Patricia M. Hoffman owns, but I have no idea of how to get to her. If anyone can help, I would be grateful, Thanks, Colin. ------------------------------ Date: Fri, 07 Feb 92 11:07:47 -0600 From: PERRY@beach.gal.utexas.edu (John Perry KG5RG) Subject: FP-202D.ZIP is on BEACH (PC) The latest version of Fridrik Skulason's anti-viral software is on beach.gal.utexas.edu (129.109.1.207). The name of the file is FP-202D.ZIP and is located in the directory DUB3:[ANONYMOUS.PUB.VIRUS.PC] If you have any questions or problems obtaining software by anonymous FTP from BEACH, please contact perry@beach.gal.utexas.edu. John Perry KG5RG | perry@beach.gal.utexas.edu - Internet University of Texas Medical Branch | PERRY@UTMBEACH - BITnet Galveston, Texas 77550-2772 ------------------------------ Date: Mon, 03 Feb 92 19:38:04 -0800 From: mcafee@netcom.com (McAfee Associates) Subject: CLEAN86B/NETSC86B anti-virals uploaded to SIMTEL20 I have uploaded to WSMR-SIMTEL20.ARMY.MIL: pd1: CLEAN86B.ZIP Virus disinfector. Version 86B NETSC86B.ZIP Scans LAN's for viruses. Version 86B WHAT'S NEW CLEAN-UP Version 86-B adds the option to disinfect files, boot sectors, and partition table, or boot sectors infected with non-specific (unknown) viruses based on the recovery information added to them by VIRUSCAN. Additionally, removers for the 1992, Haifa, Lehigh, Perfume, and Slayer viruses have been added. NETSCAN has been updated to detect all the new viruses added in VIRUSCAN. McAfee Associates has moved from Cheeney Street to Wyatt Drive (about two blocks away). Our new address is: McAfee Associates 1900 Wyatt Drive, Suite 8 Santa Clara, California 95054-1529 USA The telephone, FAX, and BBS numbers remain the same. VALIDATION DATA IS AS FOLLOWS: CLEAN-UP V86B (CLEAN.EXE) S:84,682 D:02-03-92 M1: 682D M2: 068A NETSCAN V86B (NETSCAN.EXE) S:63,284 D:02-03-92 M1: 7561 M2: 0ED9 VALIDATE V03 (VALIDATE.COM) AG Add S:6,537 D:10-31-89 M1: 00DE M2: 1E06 Aryeh Goretsky McAfee Associates Technical Support - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 1900 Wyatt Dr., Suite 8 | FAX (408) 970-9727 | "Welcome to the alligator Santa Clara, California | BBS (408) 988-4004 | farm..." 95054-1529 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 25] *****************************************