VIRUS-L Digest Thursday, 20 Feb 1992 Volume 5 : Issue 37 Today's Topics: Re: F-PROT says IMV.COM is a virus (PC) exact damage of Michelangelo on 3-06 (PC) VSHIELD v86 bug? (PC) Preventing virus infection by disabling the hard disk (PC) Joshi report available. (PC) AUX, Mirror, etc (PC) auxfiles (PC) FORMS virus (PC) Boot Sector Virus Infections (In General) (PC) Re: Possible virus (PC) Re: CIAC Bulletin (PC) RE:Intel enters the game (PC) RE: Latest Test of Anti-Virus Packages by NCSA (PC) On disinfecting floppy disks (PC) Michelangelo (PC) DOS virus scanner for UNIX system. (PC) (UNIX) Executive Guide To Computer Viruses" From NCSA? VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 19 Feb 92 10:19:46 +0000 From: Fridrik Skulason Subject: Re: F-PROT says IMV.COM is a virus (PC) In Message 9 Feb 92 15:58:24 GMT, 74676.2537@CompuServe.COM (Arthur Buslik) writes: >which has been infected by the DIR II virus. F-PROT ver 2.02 gives the >following message when this file is scanned using the heuristic scanning >option: > >"This program contains several features which are normally only found in >virus programs. It is almost certainly virus infected." Well, that is the problem with heuristic analysis - it generates occasional false alarms. This particular message simply means that at least three "virus-like" features are found within the program. The reason I don't tell exactly what features is simple - I don't want to make it too simple for virus authors to hide their viruses from my program, by telling them exactly what I detected. In this case the most significant feature is that it opens the file when it is to be executed, as you expected, but it finds some other minor features as well....I guess I have to make some minor changes to my database of rules but please keep in mind that this program is attempting a theoretically impossible task - differentianting between viruses and non-viruses, so a few false positives and false negatives are unavoidable. - -frisk ------------------------------ Date: 19 Feb 92 10:47:07 +0000 From: mmeijer@accucx.cc.ruu.nl (Maarten Meijer) Subject: exact damage of Michelangelo on 3-06 (PC) Could someone tell us what the exact damage would be on the ominous 6 March when the Michelangelo virus awakes? The rumours vary on this subject. Does it only affects e.g. the partition table, does it destroy the FAT (in/excluding its copy), or does it really perform a low level format of the hard disk. We haven't discovered the Michelangelo virus at our university yet, so we can't try it ourselve. Thank you all in advance. Maarten Meijer at Computing Centre of University of Utrecht, the Netherlands. (mmeijer@cc.ruu.nl) ------------------------------ Date: Wed, 19 Feb 92 09:53:00 -0500 From: Chris Tohline 546-5988 Subject: VSHIELD v86 bug? (PC) Here is a problem a friend of mine ran into yesterday when attempting to compile (this worked before he installed the new VSHIELD...): | VSHIELD 4.8B86 Copyright 1989-92 McAfee Associates. (408) 988-3832 | Sorry, I don't understand "/tlink.exe". He was using the following: Turbo C++ v 1.00 Turbo Link v 3.0 MS-DOS v 3.3 This problem didn't occur with VSHIELD 84 (whatever version that was)... Thanks for your time... ------------------------------ Date: Wed, 19 Feb 92 15:43:24 +0000 From: mathews@kong.gsfc.nasa.gov (Jason Mathews - 514) Subject: Preventing virus infection by disabling the hard disk (PC) Before testing new software on my 286/386 machines, I disable the hard disk by changing the CMOS hard disk type to 0 and reboot from a write-protected floppy disk. I proceed to evaluate the new software on floppy disk and monitor for any suspicious activity. It seems that DOS and most programs cannot access the hard disk from this point. However, are there any viruses (actual or theoretical) that can infect the hard disk after the CMOS disabled it? It this method sufficiently safe or is it necessary to disable the hard disk by physically disconnecting the cables? Jason ------------------------------ Date: Wed, 19 Feb 92 15:19:36 +0000 From: "Vaughan.Bell" Subject: Joshi report available. (PC) Some of you may remember that I posted an article in VIRUS-L about a new variantof the Joshi virus I found, well I've written a report on it so if any body wants a copy (in ASCII) then mail me and I'll mail you a full copy. Thanks... *************************************************************************** * Vaughan Bell - Polytechnic South West - vaughan@uk.ac.psw.cd * *************************************************************************** ------------------------------ Date: 19 Feb 92 11:57:50 -0500 From: Leonard Erickson <70524.2603@CompuServe.COM> Subject: AUX, Mirror, etc (PC) Ok, I grabbed our old copy of Norton Utilities 4.5 and checked two machines. One was DOS 3.31, the other 5.00. On both FF didn't find anything for "FF C:AUX*.*". But it did find a 112 byte AUX file (with the current date/time!) in every directory for "FF C:AUX". My gues is that Kathy tried to create a file called AUX, and was (correctly) told that it already existed. Then she did an FF AUX. The results we know... As for the person looking for a "Mirror" virus, Central Point's MIRROR program creates a huge hidden file named MIRORSAV.FIL. This is to enable recovery after an inadvertent format of the drive. I believe that this may also be used by DOS 5.0 ------------------------------ Date: Wed, 19 Feb 92 16:56:10 +0200 From: KARGRA@GBA930.ZAMG.AC.AT Subject: auxfiles (PC) Just to add another one. I tried to find these miraculos files. I managed it by using Windows 3.0 File- manager. All I did was: Alt File, Find, and then I used "AUX:" as filename. The window showing the found files got filled with 1 file in each (sub)director y By the way: I use MS-DOS 5.0 and the german version of windows. The problem why some of you did not find the AUX-files might be, that they forgot about the colon. - -alfred ******************************************************************************** Alfred JILKA * Never upload from hell, Geologic Survey * Download your viri to hell... Austra * ******************************************************************************** ------------------------------ Date: Wed, 19 Feb 92 10:02:15 +0000 From: aconway@vax1.tcd.ie Subject: FORMS virus (PC) I heard a scare item on an Irish radio station this morning about a virus called "Forms", which, according to the annoucer will trash PC system files on the 23rd of the month. Does anyone know anything about this virus, particularly how to detect/remove it? It's a matter of urgency if it's true about the 23rd of the month. On a more general note (and I apologise if it is too general, I couldn't find a FAQ file in this group), can anyone advise me on procedures for regularly scanning a PC for viruses? This is something I have not done up to now and I think I should start. I noticed a program VIRX mentioned in this newsgroup - is it good? Should it be used in conjunction with other programs and if so which ones, and where can I get them? Any help with the above questions would be greatly appreciated. Alan. [Moderator's note: A FAQ file is currently being prepared. I have been collating FAQ submissions into the file for a few weeks now. I hope to be able to send a "beta" version out shortly. In the meantime, submissions (in Q&A form) are being graciously accepted.] ------------------------------ Date: Wed, 19 Feb 92 14:10:43 -0500 From: austin@tecnet1.jcte.jcs.mil Subject: Boot Sector Virus Infections (In General) (PC) karyn@cheetah.llnl.gov (Karyn Pichnarczyk) writes: >Fri, 07 Feb 92 15:44:12 -0800 > >Infection Mechanism > >This virus is very similar to the Stoned family of viruses (see CIAC >Bulletin A-28 for a description of the Stoned virus). When a >Michelangelo-infected diskette is placed in the A: drive and the >machine is booted, the virus is loaded into memory from the infected >floppy disk. It then quickly infects the machine by moving the hard >disk's original boot sector to another location on the disk, and >installs itself as the boot sector. From then on, any access to >another disk spreads the virus to that disk. The disk which infects >the hard disk does NOT have to be a bootable system diskette to spread >the infection. Also, all boot infector viruses, such as this one, do >NOT affect user files, therefore, a backup prior to eradication will >enable full recovery of all user data and programs. Michael E. Goldstein writes: >Fri, 07 Feb 92 07:54:32 -0500 > >I'm a little confused. Does a boot-sector virus, like STONED, infect >a floppy which is not bootable (command.com and system files)? If it >does, can an unsuccessful boot (beacuse of the lack of system files) >with the infected floppy, in a PC with a hard drive, infect the hard >drive? David.M.Chess writes: >11 Feb 92 14:40:59 -0500 >Any diskette that has been properly formatted contains a working boot >sector. If the diskette is not "bootable", all that boot sector does >is print a message like "Non-system disk or disk error; replace and >strike any key when ready". But it's still a boot sector, and still >vulnerable to infection. If you accidentally turn your machine on >with a "non-bootable" diskette in the drive, and see that message, it >means that any boot virus that may have been on that diskette *has* >run, and has had the chance to infect your hard drive, or whatever. So >when thinking about viruses, the word "bootable" (or "non-bootable") >is really misleading. Almost all diskettes are bootable enough to >carry a boot virus. I have some curiosity questions about the way "boot sector" viruses infect the "hard drive" and "the system (memory)", (or is it "the system (memory)" and then the "hard drive"?), only because I have been reading the Digest for awhile and do not recall this being addressed. I understand how the floppy does not need to be "bootable" because the virus can exist on the floppy in the area where the computer "looks" first when attempting to "boot" from any floppy in drive "A". First example: We, (you, me, anybody), have a "powered-off", non-infected, MS DOS based, PC computer system with one 5.25" floppy drive and one hard drive. Let's say I have an infected (Michaelangelo virus) 5.25", 360K, "bootable" floppy. Let's put it into our "A" Drive and close the door. Now, turn on the power to the computer and let it "boot" up. We now have a DOS Prompt. 1. Is the virus in memory? I believe yes. 2. Has the virus infected the hard drive? In most systems, yes. Second example: We have the same "powered-off", non-infected, MS DOS based, PC computer system with one 5.25" floppy drive and one hard drive. Let's say I have an infected (Michaelangelo virus) 5.25", 360K, "NON-bootable" floppy. Let's put it into our "A" Drive and close the door. Now, turn on the power to the computer and let it attempt to "boot" up. Instead of a DOS Prompt, we now have "Non-system disk or disk error; replace and strike any key when ready" or something like that--you get the idea. NOW, instead of replacing and rebooting, let's turn the power off. 1. Is the virus in memory? I believe no, since the power is off. 2. Has the virus infected the hard drive? (I do not know. Can someone answer for me?) The point I am getting at is this: Most people will FIX the "non-boot" problem by opening the floppy drive door and then use the three-key (CTRL-ALT-DEL) combination to "reboot" from the hard drive without turning the system power off, possibly leaving the virus in memory, but maybe the virus has not infected the hard drive yet, giving it the opportunity to now infect the hard drive, after the second, now successful, "boot" attempt. If we were to turn the system power off, killing the virus in memory, and then reboot from a "non-infected" floppy disk, would the hard drive already be infected? Please let me know if this makes sense and/or is understandable as written? Thank you for any input and for taking the time to think this out. ---Randy +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ + Randy Austin austin@tecnet1.jcte.jcs.mil + + + + * * SPACE FOR RENT * * + + (Not necessarily this Space) + +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ ------------------------------ Date: Wed, 19 Feb 92 13:14:04 -0500 From: JOHNSON@tarleton.edu Subject: Re: Possible virus (PC) REPLY TO PERSON WHO WRITES: >After a boot, the first floppy is read correctly. If I insert a >floppy with different files, a dir still lists the files from the old >floppy. This condition exists until I reboot. My hard drive seems to >behave normally in all respects. This sounds like a hardware problem instead of a "virus" problem. I had a similar problem some time back and found out that the floppy disk drive on an AT system the diskette changeline signal is used to determine whether the disk has been changed. The DC signal has a value of 1 unless a disk is present in the drive and a ste pulse has been received by the drive to move heads, in which case the signal is set to 0. When you move the door lever on a high-capacity drive, the DC signal is reset to 1. After the disk has been accessed and until the door is opened again, the signal is set to 0. The drive initially reads the contents of the disk into memory and unless the signal is changed (by inserting another disk into the drive), the directory will be read from memory. This speeds up the accessing of the disk contents by avoiding a read to the disk every time. This problem can be caused by an incorrectly configured drive, as well as by a drive where the door switch mechanism no longer operates correctly. A temporary solution to the problem is to remember to press the Ctrl-Break or Ctrl-C combination every time you change floppy disk in the drive. These commands cause DOS to flush the RAM buffers and reread the directory and file allocation table on the next disk access. Hope this helps. Danny Johnson, Computer Systems Mgr., Tarleton State University, Stephenville, Texas. ------------------------------ Date: Wed, 19 Feb 92 11:21:36 -0800 From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk) Subject: Re: CIAC Bulletin (PC) I wrote in my bulletin: > The infection mechanism of this virus may also cause read errors > to occur upon some high density (1.2 M) diskettes. I have seen a case where a 1.2M diskette was rendered unreadable by the virus on a specific older PC. I actually saw this happen. When I brought the unreadable diskette to a newer-model PC, the disk was read with no problem. I tried to read this diskette on a variety of PC's, and the older model PCs sometimes had trouble reading it, whereas the newer models didn't. The real strange thing was that >sometimes< the drive would read the disk, and >sometimes< it wouldn't. The disk was readable by that drive prior to infection, according to the user. The message received was a General Failure error. shrug? karyn ------------------------------ Date: Wed, 19 Feb 92 14:49:00 -0500 From: Subject: RE:Intel enters the game (PC) HOBBIT@FTP>COM writes (vl32): >I grilled them about their detection methods; they claimed to get all of >their samples and info from NCSA. [Does this mean that NCSA will send >virus samples to "just anybody", or it not, what are their criteria? To this point, NCSA has provided no viruses to Intel. The intel product was, however, reviewed by NCSA. The product was tested against the full NCSA library. As for virus access, the NCSA complies with the wishes of the Anti-Virus Product Developer's Consortium in order to help determine who will gain access. Basic requirements are to demonstrate a true "need" for viruses as well as agreeing to the code of ethics and non-proliferation. These, of course, are in addition to showing that a prospective group has (or is in development of) an anti-virus product. As was the case with Intel, NCSA does perform independent evaluations of anti-virus products (as well as other security products). By this means, developers improve their products and are better able to combat the global virus problem. ------------------------------ Date: Wed, 19 Feb 92 14:58:00 -0500 From: Subject: RE: Latest Test of Anti-Virus Packages by NCSA (PC) Rich Travsky writes: >The article doesn't mention which viruses were used, or how many. The tests were done, as was stated, on a Netware 3.11 network with a compaq systempro (2 486-33's) containing a hard disk with 4868 files in 148 directories. All of these files tested seem to contain a virus of one sort of another. Without question, there are duplicates, but we now recognize over 1,000 completely different samples. The setup with directories was designed to approximate that of a real "live" site. The full report is available from the NCSA office at 717-258-1816 or from the NCSA research center at 202-364-8252. It includes full explanations of the files used, how points were awarded, etc. Charles **************************************************************************** RUTSTEIN@HWS.BITNET (Charles Rutstein) "Why ask why?" **************************************************************************** ------------------------------ Date: Wed, 19 Feb 92 16:05:43 -0600 From: "Don J. Slogar" Subject: On disinfecting floppy disks (PC) >> I am know the proud and happy owner of an infected 3.5" 1.44Mb floppy. >> Should I immediately burn it in a large bonfire, or will re-formatting >> exorcise it adequately. > > Formatting should be enough - if you don't have a virus in memory. > Otherwise you'll destroy everything... except the virus. :-) > > Regards, > Vesselin The best way to do a "clean" format is to boot the machine from an un-infected R/O floppy and then format the disk. This way You are sure no virus is in memory. Don't forget that on DOS 5 you need the /u switch to do an unconditional format so that "all" existing info on disk is gone (not possible to do unformat, so therefore not possible for virus to reappear). -Don __ __ __ _____ _________ |\_\ |\_\ / \__\ |\_____\ |\_________\ Labop, Computing Services | | | | | | |\ / _ \ | | ___| | | _____ | University of Arkansas | | |___| | | |\| | | | | | |__\ | | |_____| | Bitnet: ds06101 at uafsysb | | |____\| | \| |_| | | | __| | | _____ | Internet: \|_________| \___/ \|_| \|_| \|_| ds06101@uafsysb.uark.edu ------------------------------ Date: Wed, 19 Feb 92 14:16:05 -0800 From: kwang@nike.calpoly.edu () Subject: Michelangelo (PC) >wayner@teknetix.com (Jim Wayner) says: >We have seen a number of systems w/ the Michelangelo virus and have a >couple of observations and questions. > >What is the potential for this to spread on a Novell network? It >doesn't seem to be a big risk, but I don't want to find out March 6th >I was wrong. Well, in terms of boot-sector infectors, I don't think that there is any possibility, but since I don't know enough about Novell, I won't rule out the possibility completely. I'll post to comp.sys.novell and let you guys know more about this. There is a possibility of infection if you use the remote-boot roms, however. This would involve the infection of the "original" disks from which you generated the boot image files. (Yes, I do believe that Novell creates an exact sector-for-sector image of the floppy) I am not sure if virus checkers would scan the boot-image file and detect a virus correctly. I'll have to look into this... In terms of file-infectors, it is impossible to infect a file unless you have write access to the file. This is because the server performs all write/read/accdess right checks, not the workstation. However, if the virus is written specifically for Novell, they might know about some holes in Novell. Also, you could set the files to Execute-only, in which case NOBODY has write access to the file. Of course, this will not work for all programs, such as those which use overlays (according to Novell documentation. I haven't had to deal with such a program yet). (Just fyi, I have been working with Novell for the past 5 years now) - Kevin Wang kwang@polyslo.csc.calpoly.edu, or kwang@hermes.calpoly.edu ------------------------------ Date: Wed, 19 Feb 92 14:25:56 +0000 From: Technician Subject: DOS virus scanner for UNIX system. (PC) (UNIX) I know this is a FAQ, but yet to see an answer in digest (I don't read it religiously though). We need a scanner that will check DOS files on a mixed DOS/UNIX filesystem. This can be batch job, cron'd at midnight or whatever, doesn't need to repair files, or protect PC's on line, just find viruses. Thats running on a SUN system, 4.1 & 4.1.1 OS. Thanks in advance. Jim.Cottrell@uk.ac.durham Computer Science School Engineering & Computer Science University of Durham South Rd, Durham, UK. +44 091 374 3653 ------------------------------ Date: Wed, 19 Feb 92 13:30:00 -0700 From: "Rich Travsky 3668 (307) 766-3663/3668" Subject: Executive Guide To Computer Viruses" From NCSA? In an article on the Michelangelo virus, the February 12th Network World mentions a "Executive Guide To Computer Viruses" (24.95 from the NCSA). Anyone seen this guide? Is it a worthwhile thing to pursue? (My feeling is it isn't, but ya never know.) Richard Travsky Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU University of Wyoming (307) 766 - 3663 / 3668 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 37] *****************************************