VIRUS-L Digest   Friday, 21 Feb 1992   Volume 5 : Issue 38

Today's Topics:

VIRUS ALERT: New Mac Virus (Mac)
Conflicting Software & Odd Behaviour (PC)
F-Prot 2.02D/DOS 2.11 (PC)
re: Latest Test Of PC Virus Packages By NCSA (PC)
FTP Site for Norton Anti-Virus (PC)
F-prot and non-executable files (PC)
Stoned, Michelangelo, Boot Sector ReLocation (PC)
Memory discrepancies in DOS (PC)
Information (PC)
Tracking of Michelangelo (PC)
Re: Will re-formatting a floppy remove ALL viruses (PC)
Simple IBM PC virus (PC)
Re: Ohio Virus? (PC)
PC COMPUTING article on Anti-virals (PC)
Re: Which Package is Best? (PC)
WDEF infection at a school (Mac)
Virus statistics sought

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 21 Feb 92 07:58:50 -0500
From: spaf@cs.purdue.edu
Subject: VIRUS ALERT: New Mac Virus (Mac)

New Macintosh Virus Discovered

Virus: MBDF A
Damage: minimal, but see below
Spread: may be significant
Systems affected: Apple Macintosh computers. The virus spreads on all types of system except MacPlus systems and (perhaps) SE systems; it may be present on MacPlus and SE systems and not spread, however.
A new virus, currently named "MBDF A", has been discovered on Apple Macintosh computer systems. The virus does not intentionally cause damage, but it does spread widely. Instances of the virus have been found at a number of sites worldwide.

The virus has been discovered in games at a number of archive sites. At those sites, the games "Obnoxious Tetris" and "Ten Tile Puzzle" are definitely infected. It is possible that other files may be infected at some archive sites. You should especially be cautious of any games named "tetris-rotating", or "Tetricycle".

The virus does not necessarily exhibit any symptoms on infected systems. Some abnormal behavior has been reported, involving Mac crashes and malfunctions in various programs, which may possibly be traced to the virus. Some specific symptoms include:

* Infected Claris applications will indicate that they have been altered and will refuse to run.
* The "BeHierarchic" shareware program ceases to work correctly.
* Some programs will crash if something in the menu bar is selected with the mouse.

The virus works under both System 6 and System 7.

If you have downloaded any files from an archive site recently, especially games, please do not use them or give copies of any of them to anyone else until you are certain they are not infected. Furthermore, we very strongly recommend that you DO NOT get any files from the archive sites until the moderators at those sites have had an opportunity to remove any infected files.

Currently, the virus is not found by (or evades) most anti-virus tools. Authors of all the major Macintosh anti-virus tools -- including commercial products such as SAM, Rival and Virex, and shareware and freeware programs such as Disinfectant, Gatekeeper, and Virus Detective -- have been informed of this new virus. All are planning to release updates to their software within the next few days. These releases will be through the normal distribution channels.
Some specific information on some of these products follows:

Tool: Disinfectant
Revision to be released: 2.6
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac
When available: (expected) late 2/21/92

Tool: Rival
Revision to be released: 1.1.10
Where to find it: AppleLink, America Online, Internet, Compuserve.
When available: 2/21/92
Other info: the only change with 1.1.9 is this vaccine (MBDF A)

Tool: Virex INIT and application
Revision to be released: 3.6 (for both products)
Where to find: Microcom, Inc (919) 490-1277
When available: User definable virus string available 2/21/92; 3.6 versions available 2/24/92
Comments: Virex 3.6 (app and INIT) will detect and repair the virus. All Virex subscribers will automatically be sent an update on diskette. All other registered users will receive a notice with information to update prior versions to be able to detect MBDF. This information is also available on Microcom's BBS, (919) 419-1602.

Tool: Virus Detective
Revision to be released: 5.0.1
Where to find: Usual bulletin boards will announce a new search string. Registered users will also get a mailing with the new search string.
When available: now (2/20/92)
Comments: search string is "Resource MBDF & ID=0 & WData A9ABA146*4446#4A9A0"

Special thanks to the people at Claris who included self-check code into their Macintosh software products. Their foresight resulted in an early detection of the virus, and has thus helped the entire Mac community. We strongly encourage other vendors to consider doing the same with their products.

------------------------------

Date: Wed, 19 Feb 92 17:22:51 -0500
From: "Mignon Erixon-Stanford, Academic Systems Head"
Subject: Conflicting Software & Odd Behaviour (PC)

We recently purchased McAfee's WSCAN & CLEAN86B, with which I'm happy.
One of our scientists had Central Point's VSAFE and BOOTSAFE programs (loading from his AUTOEXEC.BAT). Upon scanning with WSCAN, it reported finding Israeli Boot [Iboot] and Filler. We booted from a safe disk, ran CLEAN against Iboot and Filler, scanned again; no viruses were found. Then we booted from his autoexec.bat which loaded the Central Point programs; wscanned and it reported Iboot in memory. We changed the autoexec.bat so VSAFE & BOOTSAFE wouldn't load; wscanned; no viruses were found.

Am I right in concluding that Central Point's memory resident software is erroneously recognized as a virus by McAfee's WSCAN?

IRMSS907@SIVM
Research Systems Division
Smithsonian Institution, OIRM, A&I 2310, Washington, DC 20560

------------------------------

Date: Wed, 19 Feb 92 16:02:27 -0500
From: Lynne Meeks
Subject: F-Prot 2.02D/DOS 2.11 (PC)

We're having some trouble getting F-Prot (2.02D) to run successfully with AT&T DOS 2.11. (Yes, I know this is very old, but fiscal constraints being what they are, not everyone has upgraded to a modern version of DOS.)

What happens is we run F-Prot and get the message:

    '*.TX0 not found'

then we get the DOS prompt. The English.TX0 file IS there; the same F-Prot disk works fine on the same machine with 3.2 or 3.3 DOS.

BTW, yesterday, the same experiment with 2.02B yielded '*' and then the DOS prompt.

Anyone else with old DOS experiencing this? I KNOW the correct answer is to upgrade DOS, but any insights on how to cope with what we've got would be much appreciated! Thanks.

Lynne Meeks (LZM@UVMVM.UVM.EDU)
238 Waterman Building
University Computing Services
University of Vermont, Burlington, VT 05405

------------------------------

Date: 19 Feb 92 22:38:47 -0500
From: "Ross M. Greenberg" <72461.3212@CompuServe.COM>
Subject: re: Latest Test Of PC Virus Packages By NCSA (PC)

>...From: "David.M.Chess"
>...Subject: re: Latest Test Of PC Virus Packages By NCSA
>...Just to point out that this evaluation used a rather old version of
>...IBM's scanner; the current version is 2.1.9, and 2.1.2 is about eight
>...months old. Something to keep in mind when looking at the scores! *8)

Likewise, the version of Virex that was evaluated was about four months old.

Ross

------------------------------

From: "Ross M. Greenberg" <72461.3212@CompuServe.COM>
Subject: Book review

>...[Moderator's (tongue in cheek) note: Yes Virginia, there is a Ross Greenberg.]

Sorry I haven't been more active. I bought a farm in the Catskills last fall and spend a great deal of time trying to make it habitable -- viruses are *nothing* compared to spending three hours in 2" of ice-cold mud in an 18" crawl space, removing a hot air ducting system.

The name of the farm, btw, is "Virus Acres".

Ross

------------------------------

Date: Thu, 20 Feb 92 02:03:35 +0000
From: brian@norton.com (Brian Yoder)
Subject: FTP Site for Norton Anti-Virus (PC)

I am trying to find an FTP site willing to carry some of the Norton Antivirus goodies ASAP...can anyone give me some pointers on where I can send them?

Thanks!

-- Brian K. Yoder (brian@norton.com)   -  Q: What do you get when you cross  --
-- Peter Norton Computing Group        -     Apple & IBM?                    --
-- Symantec Corporation                -  A: IBM.                            --

------------------------------

Date: Thu, 20 Feb 92 13:02:50 +0000
From: Ivan Quill
Subject: F-prot and non-executable files (PC)

Hello,

We were using F-prot here and we noticed that it doesn't scan non-executable files. This raises the question: can a virus hide in a text file, and then transfer itself elsewhere? We have no reason to believe that this is happening, just curious.
Ivan Quill
University College Dublin
Ireland

------------------------------

Date: Thu, 20 Feb 92 10:43:02 -0500
From: austin@tecnet1.jcte.jcs.mil
Subject: Stoned, Michelangelo, Boot Sector ReLocation (PC)

karyn@cheetah.llnl.gov (Karyn Pichnarczyk) writes:

> Date: Fri, 07 Feb 92 15:44:12 -0800
> From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
> Subject: CIAC Bulletin C-15: Michelangelo Virus (PC)
>
> A problem can occur if a disk is infected by both the
> Michelangelo and the Stoned viruses AT THE SAME TIME.
> Both move the 'original' boot sector to the same location on
> the disk, so when the second infection occurs, the original
> clean boot sector is destroyed by being overwritten by the
> first virus.

martin zejma <8326442@AWIWUW11.BITNET> writes:

> Date: Mon, 10 Feb 92 12:34:29 +0000
> From: martin zejma <8326442@AWIWUW11.BITNET>
> Subject: unremoveable michelangelo virus (PC)
>
> In response to tong@ee.ubc.ca (Issue # 19) :
> during 3 subsequent infections of Michelangelo and Stoned the
> following is possible :
>
> Locations : (Side/Track/Sector)
>
>                 0/0/1              1/0/3                1/0/14
>             (bootsector)     (here Stoned          (here Michelangelo
>                               stores the            stores the original
>                               original              bootsector on
>                               bootsector)           HD-floppys)
>
> 1) Original Bootsct           nul                   nul
>
> 2) (1st Infection)
>    Michelangelo               nul                   Original Bootsct
>
> 3) (2nd one)
>    Stoned                     Michelangelo          Original Bootsct
>
> 4) (3rd one)
>    Michelangelo               Michelangelo          Stoned
>
> --> Voila, the original boot sector disappeared !!!
>
> Now the cleaning process :
>
> 1) (Michelangelo found, cleaned)
>    Stoned                     Michelangelo          nul
>
> 2) (Stoned found, cleaned)
>    Michelangelo               nul                   nul
>
> 3) (Michelangelo found, not removable, cause no original bootsector found)
>
> Now the floppy should also not be bootable any more.

The question I have concerns what appears to me to be conflicting information from the two sources above.
One source states that the Stoned virus and the Michelangelo virus both copy the original boot sector information to the same location. The second source states that the two viruses copy the original boot sector information to two different locations. Am I reading this wrong? Which one is correct? Could they both be right because they may be writing about two different versions of the Stoned virus?

Thank you for any insight into my confusion.

---Randy

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
+  Randy Austin                  austin@tecnet1.jcte.jcs.mil    +
+                                                                +
+             * * SPACE FOR RENT * *                             +
+          (Not necessarily this Space)                          +
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

------------------------------

Date: 20 Feb 92 10:39:09 -0500
From: Kevin Dean <76336.3114@CompuServe.COM>
Subject: Memory discrepancies in DOS (PC)

Some versions of DOS (MS-DOS 5.0, DR-DOS, etc.) can show a difference of up to 1k between the BIOS and DOS memories when loaded in high memory. For example, when MS-DOS 5.0 is loaded in the upper memory block (UMB), the memory control block chain ends at paragraph 9FFF, one paragraph short of 640k (A000). The UMB starts at 9FFF.

While it would be nice to be able to compare DOS memory with installed memory and say categorically that any discrepancy means there's a problem, DOS itself exhibits behaviour that would otherwise be considered suspicious.

Kevin Dean

The opinions represented herein are my own and not necessarily those of my employer. I'm self-employed.

------------------------------

Date: Thu, 20 Feb 92 10:28:16 +0500
From: Roger Tenorio
Subject: Information (PC)

I would appreciate it if you could send some general information regarding the TIME or TIMES virus.

Roger Tenorio

------------------------------

Date: 20 Feb 92 09:34:00 -0800
From: "LUSTIG, ROB L."
Subject: Tracking of Michelangelo (PC)

Greetings,

If someone is tracking the virus, I can confirm it entered a "sneaker-net" (people passing data files on floppy) and we are tracking it at Vandenberg AFB, California.

We used CLEAN to remove it, but I noticed that booting off of a "clean" floppy made the hard disk inaccessible. I had to clean it with the virus in memory. (After it was cleaned, booting off the floppy was fine.)

Also, I would like to stress that WRITE PROTECTION HAS TO BE DONE! This virus *ALMOST* made the full rounds because an analyst was installing a new mouse driver and the original disk was *NOT* write protected. She then went on to other machines and almost created an epidemic because she was updating drivers (this was her original load disk).

FURTHERMORE, they 'never saw a virus before' so they (get this!) tried to infect another system so they could change the system date. The hard disk wouldn't boot up and so it went back on the shelf with other computers *WHILE STILL INFECTED*.

Rob Lustig
VAFB, Ca.

------------------------------

Date: Thu, 20 Feb 92 13:43:00 -0700
From: "frank@evax2.engr.arizona.edu"@Arizona.edu
Subject: Re: Will re-formatting a floppy remove ALL viruses (PC)

>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>
>>washer@sequent.com (Jim Washer) writes:
>>
>> I am now the proud and happy owner of an infected 3.5" 1.44Mb floppy.
>> Should I immediately burn it in a large bonfire, or will re-formatting
>> exorcise it adequately.
>
>Formatting should be enough - if you don't have a virus in memory.
>Otherwise you'll destroy everything... except the virus. :-)

Does anybody know if a bulk tape eraser would be practical for erasing floppies? If so, it would be the ideal solution for quandaries like this one.
===============================================================================
   Frank Manning          University of Arizona          ANSI Std Disclaimer
===============================================================================

------------------------------

Date: Thu, 20 Feb 92 21:50:56 +0000
From: brymastr@pepsi.eng.umd.edu
Subject: Simple IBM PC virus (PC)

I ran into this virus which added 2K to .EXE files (but not .COM files for some reason). Every time you executed the .EXE, 2K would be added on. The virus was also resident in memory. Oh, in the 2K segment would be the string "MsDos" which I used to find infected files, but I'm not 100% sure I got rid of it entirely.

Anyone heard of this virus or something similar and know whether it might still be lurking on my hard drive somewhere?

------------------------------

Date: Thu, 20 Feb 92 22:15:45 +0000
From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves)
Subject: Re: Ohio Virus? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes:
>
>> Ohio virus is real there are 5 or 6 variations on it at least. It is a
>
>Let's not exaggerate. Ohio is just one of the Den Zuk variants and the
>whole Den Zuk family consists of 4 different viruses.

Maybe this depends on who you ask and how they define variant. I based my count on information from a major antivirus software author. My personal experience is limited to the original version I discovered in June 1988 here in Ohio. This author explained the number of variants to me when I told him his software (which listed Ohio as detected) did not detect my Ohio - which I thought of as the ONLY Ohio. He has updated his product.

------------------------------

Date: Thu, 20 Feb 92 16:42:00 -0600
From: Ken De Cruyenaere 204-474-8340
Subject: PC COMPUTING article on Anti-virals (PC)

The February 1992 issue of PC Computing has a story on their rating of 11 anti-viral products.
Maybe I am biased, but there is no mention of F-PROT, so my immediate reaction is THIS IS NOT COMPLETE. The article does not score the products (or give details on performance like Network World did). Oh well.

The 11 products they did look at and the opening remarks for each review follow (reproduced without permission):

- Central Point Anti-Virus
  Of all the utilities we looked at, CPAV proved one of the easiest to install, use, and configure.

- Dr. Solomon's Anti-Virus Toolkit
  Using Dr. Solomon's AVT is like breaking into a mad scientist's lab filled with strange contraptions shooting off sparks.

- McAfee Shareware series
  Viruscan and its siblings form a powerful and comprehensive if no-frills package of protection, detection, and eradication products.

- The Norton AntiVirus
  The cachet of the Norton name might make Norton AV your first choice in antivirus software, but our experience proved that the product lives up to the Norton name.

- Novi
  Antivirus software should not interfere with everyday computing, and Certus' Novi comes close to that standard.

- Pro-scan
  The first commercial package from McAfee Assoc. is clean-looking and exceptionally easy to use, and it offers a simple, menu-driven interface for all its operations.

- Virex PC
  Doesn't rely on infinite layers of menus and dialog boxes to get the job done. Virex PC is quick, unobtrusive, and effective - exactly what you want in an antivirus utility.

- ViruSafe
  Xtree's ViruSafe includes an almost infinite number of features and options for virus detection and prevention. If you can sort through the sometimes confusing number of possible configurations and utilities, you'll find a handy antivirus program underneath.

- Virus Buster
  Virus Buster is the Berlin Wall of antivirus software.

- VirusCure
  IMSI licensed the scanning feature at the heart of its VirusCure from McAfee Assoc. You may find you prefer (McAfee's) command-line treatment to this fickle and sluggish performer.
- Virus Secure for Windows
  Virus Secure for Windows is good for low-risk situations in which signature scanning and file-monitoring are all you need.

---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA   Voice: (204) 474-8340   FAX: (204) 275-5420

------------------------------

Date: 20 Feb 92 18:47:09 -0500
From: Wolfgang Stiller <72571.3352@CompuServe.COM>
Subject: Re: Which Package is Best? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>I have not seen NAV 2.0, but CPAV and NAV 1.5 are pretty useless as
>virus scanners. They are big dinosaurs with low virus detection rate.

It's unfortunate that so many people refuse to look beyond commercial software. If these products were marketed as shareware, they wouldn't have a chance against their more capable competition.

>Also, have in mind that just scanning for known viruses is a quite
>unreliable method for virus protection, since new viruses appear very
>quickly (I got about 110 only for January). You should consider adding
>an additional level of protection, like checksumming.

Considering the rapid appearance and spread of new viruses, scanning is becoming increasingly dangerous to depend upon. Yet this is the core technology that the leading anti-virals depend upon for their effectiveness.

>If you decide to consider checksumming products, probably the
>Untouchable is the currently most secure one. However, have in mind
>that its other capabilities (scanning and disinfection) are quite
>miserable... And, at last, if you want a shareware checksummer (which
>is not as secure as the commercial one, however), take a look at the
>Integrity Master.

Thank you for mentioning my product, but I am appalled that you consider Integrity Master(tm) less secure than Untouchable.
If you come to this conclusion based on manufacturer's claims or perhaps the tremendous price difference in our two products, I can understand this.

For the benefit of those who are not aware of my product, Integrity Master verifies the data integrity of your files and system sectors and also contains a very high speed virus scanner under the covers.

I do not personally have a copy of Untouchable, but I have customers who use both this product and Integrity Master. They report that Integrity Master is more thorough and faster than Untouchable. It apparently detects more known viruses with its scanner component and finds other discrepancies which Untouchable misses (I'll go into these via private mail if you wish).

If there's something else behind your statement, please let me know how I can make Integrity Master more secure. If this involves sensitive information, feel free to continue this via private mail.

BTW, the latest version of Integrity Master is 1.11. It should be at most distribution points shortly if it's not there already.

Wolfgang Stiller - Author of PCdata and Integrity Master(tm)
Stiller Research
2625 Ridgeway St.
Tallahassee, FL 32310

------------------------------

Date: Thu, 20 Feb 92 09:44:21 +0000
From: Norman Paterson
Subject: WDEF infection at a school (Mac)

Richard Pavell asks about keeping floppy Macs clean (issue 32). Disinfectant has an option to install an INIT which will do what you want. It is a very small piece of code - 5K on a disk - and detects all currently known Mac viruses. Since the population of Mac viruses is small and slow changing, this is fine. It doesn't remove the viruses, just warns you and prevents infected applications from running.

Latest version: Disinfectant 2.5.1.

Norman

------------------------------

Date: Wed, 19 Feb 92 21:21:22 -0500
From:
Subject: Virus statistics sought

I am doing independent study for graduate credit on virus detection and loss prevention.
I would appreciate any information available on detected and destroyed viruses as well as current threats.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 38]
*****************************************
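Editor's added example on the Stoned/Michelangelo boot-sector relocation exchange between Karyn Pichnarczyk, Martin Zejma and Randy Austin above; this is not code from any poster in the digest. The two quoted descriptions are both right, for different media: on a hard disk both viruses park the original master boot record at the same place (side 0, track 0, sector 7), which is the overwrite Karyn's bulletin warns about, while on high-density floppies Stoned uses 1/0/3 and Michelangelo 1/0/14, which is the three-infection sequence in Martin's table. The Python below models a disk as a dictionary of sectors, replays both sequences, and contrasts a naive disinfector that copies the parked sector back unconditionally (Martin's cleaning steps) with one that first checks that the parked sector is not itself a virus body. Sector contents are constructed labels, the park table is an assumption taken from the digest plus the hard-disk location stated here, and no real virus code is involved.

```python
"""Simulation of Stoned-family boot-sector relocation and the double-infection
trap discussed in VIRUS-L V5 #38 (added example, not code from any poster)."""
from dataclasses import dataclass, field

# Sector addresses are (side, track, sector); 0/0/1 is the boot sector.
BOOT = (0, 0, 1)

# Where each virus parks the original boot sector, by medium. The HD-floppy
# values are the ones in Martin's table; the shared hard-disk location is the
# case Karyn's bulletin describes. Both are assumptions for this model.
PARK = {
    "stoned":       {"hd_floppy": (1, 0, 3),  "hard_disk": (0, 0, 7)},
    "michelangelo": {"hd_floppy": (1, 0, 14), "hard_disk": (0, 0, 7)},
}


@dataclass
class Disk:
    medium: str                              # "hd_floppy" or "hard_disk"
    sectors: dict = field(default_factory=dict)

    def __post_init__(self):
        self.sectors[BOOT] = "original"      # constructed clean boot sector

    def read(self, addr):
        return self.sectors.get(addr)

    def write(self, addr, data):
        self.sectors[addr] = data


def infect(disk, virus):
    """Model the infection routine: park whatever is currently in the boot
    sector at the virus's fixed location, then drop the virus body in 0/0/1.
    The park write is unconditional, which is exactly what destroys a
    previously parked original when a second virus uses the same location."""
    if disk.read(BOOT) == virus:
        return False                         # already installed, nothing to do
    disk.write(PARK[virus][disk.medium], disk.read(BOOT))
    disk.write(BOOT, virus)
    return True


def clean_naive(disk):
    """Disinfector that trusts the parked sector: copy it back unconditionally.
    On a doubly infected disk this 'restores' the other virus's body."""
    virus = disk.read(BOOT)
    if virus not in PARK:
        return "clean"
    park = PARK[virus][disk.medium]
    parked = disk.read(park)
    if parked is None:
        return "unremovable: no original boot sector found"   # Martin's step 3
    disk.write(BOOT, parked)
    disk.write(park, None)
    return f"removed {virus}"


def clean_checked(disk):
    """Same, but refuse to write back a parked sector that is missing or is
    itself a known virus body; report that the original is gone so the
    operator writes a fresh boot sector instead of chasing its ghost."""
    virus = disk.read(BOOT)
    if virus not in PARK:
        return "clean"
    park = PARK[virus][disk.medium]
    parked = disk.read(park)
    if parked is None or parked in PARK:
        return f"original lost ({park} holds {parked}); rewrite boot sector"
    disk.write(BOOT, parked)
    disk.write(park, None)
    return f"removed {virus}"


def run(medium, infections, cleaner, rounds=4):
    """Apply the infections in order, then run the cleaner until it stops
    removing things; return the cleaner's log and the final disk."""
    disk = Disk(medium)
    for virus in infections:
        infect(disk, virus)
    log = []
    for _ in range(rounds):
        msg = cleaner(disk)
        log.append(msg)
        if not msg.startswith("removed"):
            break
    return log, disk


if __name__ == "__main__":
    cases = (("hd_floppy", ["michelangelo", "stoned", "michelangelo"]),
             ("hard_disk", ["michelangelo", "stoned"]))
    for medium, seq in cases:
        for cleaner in (clean_naive, clean_checked):
            log, disk = run(medium, seq, cleaner)
            print(f"{medium} {seq} {cleaner.__name__}: {log}; "
                  f"boot sector now {disk.read(BOOT)!r}")
```

The naive cleaner reproduces Martin's three cleaning steps exactly and ends with Michelangelo back in the boot sector and nothing to restore; on a hard disk it only takes two infections to reach the same dead end, since both viruses overwrite 0/0/7. The checked cleaner stops at the first step with a diagnosis instead, which is the behaviour to want from a disinfector: a parked sector that carries a virus signature, or no boot signature at all, is evidence the original is already gone, and the remedy is a fresh boot sector (SYS or a reformat from a clean boot), not another blind restore.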