VIRUS-L Digest   Thursday, 22 Apr 1993    Volume 6 : Issue 69

Today's Topics:

Re: Sending Viruses over Internet/Fidonet
sharing virus related info
Viral "code"
Re: Contest (was Beneficial/Non-Destructive)
Re: Virus Signatures
Scanners getting bigger and slower
Sending viruses over Internet
Re: Can a virus infect NOVELL? (PC)
Re: Can a virus infect NOVELL? (PC)
Re: Censorship/40-Hex (PC)
Re: Got rid of Stoned -- but where did it come from? (PC)
Re: Help needed with the Bootexe virus (PC)
Re: Unknown little virus? (PC)
Re: Viruses which cost $$$ (PC)
Windows 3.1 virus (PC)
Re: Help wanted with Dir-II virus (PC)
Invol virus (PC)
TSR programs are too big (PC)
NAV Updates (was Central Point Anti-Virus Updates) (PC)
Re: Viruses that cost $$$ (PC)
Re: V-Sign? (PC)
Re: Censorship/40-Hex (PC)
TBAV600.ZIP - TBAV anti-virus software (complete pkg v6.00) (PC)
FP-208.ZIP - F-PROT v2.08: Virus detection/removal software (PC)
Survey Results

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.)  Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Wed, 21 Apr 93 10:23:21 -0400
From:    Donald G Peters
Subject: Re: Sending Viruses over Internet/Fidonet

> I think relating it to a gun magazine is a fairly good analogy, except
> that gun mags usually don't have gun kits included that require minimal
> assembly to become fully functional.

I see the point that you and others have made here, but your point that
gun magazines don't come with guns is not the final word.

First, some of the "bad books" (presumably legal under the 1st
amendment) show you how to do crimes from readily available materials.
I have heard of the Anarchist's Cookbook. And the email mag that I
referred to before tells you how to kill someone with a potato! Now,
they didn't have to INCLUDE the potato for that material to exceed
standards of human decency. Using your argument, spreading the
information on how to kill someone with a potato is acceptable as long
as they don't include the potato! (I.e., it isn't "fully functional".)

Second, by your definition even 40-Hex doesn't include "fully
functional" viruses because it doesn't include the computer. (No groans
please, as this could be a real point made to defend the 40-Hex people
in court if it should ever come to that.)

Third, PCs and guns and potatoes are all readily available in this
country, so instructions on how to do bad things with each of these
items should fall into the same category.

The question is, which takes precedence, the first amendment or human
decency? Indeed, would you choose between the first amendment or
national security???

------------------------------

Date:    Wed, 21 Apr 93 10:28:25 -0400
From:    rreymond@vnet.IBM.COM
Subject: sharing virus related info

Hi all there.

I want to point out that I agree 100% with the previous post by Suzana,
about Hex40 and info sharing.

My point is: there are "bad Girls/Guys" and there are "good Girls/Guys";
in my opinion, it is not so important to argue about whether black is
white or so, but to look at the characteristics of those two groups of
people. I intentionally don't care about those "grey level" people that
we can find one time on our side, another time on the opposite.
Everybody has the freedom of choice, in free countries. Let's state we
count them as "bad G/G", to make it all a bit easier.

Now, let's suppose a new trick was discovered, enabling the construction
of some hellfire virus, able to nuke any PC. Most probably, the
underground tam-tam (Hex40, BBS, Books, Clubs etc.) will share that info
and/or samples in quite a little time. So, I think we can suppose a lot
of "bad G/G" working on that; I also think only few of them will be
strong programmers, but almost all will know something about ASM and so
on. In such a scenario, I suppose it isn't too difficult that, with a
lot of brains at work, at least one 'good' (I mean strongly functional)
idea spreads out, and this will immediately be shared in the "bad G/G"
group. And so the first Hellfire Virus spreads...

On the other hand, if this virus or related code is discovered by one of
us, the "good G/G", it seems to me (by reading this Digest) it's quite
probable that the related info (code, structure, etc.) will be carefully
kept by the one that first jumps into it, and at maximum shared with
those few s/he knows well. So, while the Bad Army has (can expect to
have) a lot of people at work, the Good Army can face that with only
four or five persons. Don't misunderstand me, I'm sure we have the best
researchers/developers, but I think that there's a lot of people on the
good side that can also work on it, and perhaps bring some good hints.
And that also have the right to know.

I'm really not so scared about the "bad G/G" that can be tuned in,
intercepting the info the "good G/G" are sharing between them; if they
don't have it yet, they will in a while; about info sharing, their
organisation seems to me better than ours. I only agree not to share
executable samples, viruses 'ready to use'. Those can be a danger, I
admit. If someone gets such a file, the virus has a great chance to
spread. But code... a virus writer has no need of sources from us, and
other people... Do you know how much time it requires to copy row after
row some seven-page virus source code? Yeah, someone will make the
effort (life is a GREAT risk), but I don't think they're the major part
of those who will receive it. And, anyway, sharing a Hex40 issue means
only to show the Goods what the Bads already have (no hint for them).

Bye, Roberto

Roberto Reymond
IBM C.E.R.T. Italy
RREYMOND@IBM.VNET.COM
-------------------------------------------------------------------------------
All above is my PERSONAL opinion, and NOT that of my employer.

------------------------------

Date:    Wed, 21 Apr 93 11:06:52 -0400
From:    Donald G Peters
Subject: Viral "code"

People seem to think (as I have in the past) that somehow viral "code"
is the thing we must not publish. Do these people think that a
documented description of the virus function is also wrong?

In fact, an accurate description of a program is "functionally
equivalent" to the program itself. Indeed, an assembler source code
program is just a "description" of the program it represents. And a
high level language (or English itself) can take indirection one level
further, without loss of, or change in, functionality.

Certainly even an "innocent" forum such as VIRUS-L goes into extensive
detail (in English) of the functionality of viruses. Sure, you need to
be a good programmer to convert English to Assembler, but this is
something that they teach you in school.

As I analyze myself here and now, I think the inner reason I started
reading VIRUS-L was to learn more about the things viruses actually do,
partly to enhance my knowledge of DOS, and partly to learn things that I
wasn't "supposed" to know. Is it any surprise that the books that
attract me are often titled "Tricks, Tips and Traps?"

This forum certainly does not provide you with code for writing viruses.
That's great. But what does it provide? Lots and lots of information
about the things viruses do; the way they work; their functions. Call it
an "idea well" or call it an "informal specification forum", it still
contains many English language functional descriptions that bad
guys(/gals) could use.

In fact, if the moderator doesn't get mad at me (Ken, there may be a
degree of truth to the following but it's not the whole story of course)
I would propose that the FAQ which is available from this forum could be
called "An English Primer for Would-Be Virus Writers". (Again, Ken, I
see a lot of value to the FAQ, which is why I have contributed to it.
For people who can't read between the lines of my post, my theme remains
the same: the benefits of knowledge outweigh the risks. Of course there
are exceptions such as nuclear bomb technology but I don't see
virus-related technical information as fitting that category.)

Just in case it isn't obvious, my opinions are my own (the facts are
public domain. :-)

[Moderator's note: I have to admit that I never considered the FAQ to be
a primer to writing viruses. Your point is well taken, however; it is
essential to know something about viruses in order to administer
effective countermeasures. The intent of the FAQ was - and is - to
provide some of that basic knowledge to would-be virus _removers_. If
that causes it to also provide some knowledge to the virus writers, then
so be it. I think, however, that most (all?) virus writers wouldn't find
much new (to them) information in the FAQ.]
------------------------------

Date:    Wed, 21 Apr 93 16:21:28 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Contest (was Beneficial/Non-Destructive)

CELUSTP@cslab.felk.cvut.cs writes:

> >1) Modifies only one executable file on your system.
> Very unusual virus behaviour.

Is it? Maybe my mistake was in specifying the word "file", but I thought
you know enough about viruses to understand what I mean... There are a
couple of hundreds of viruses that infect only a SINGLE executable on
the attacked computer.

> >2) This file is an anti-virus program.
> Very suspicious activity.

Elaborate, please. Do you consider it suspicious for somebody to use an
anti-virus program? Or do you consider it suspicious if the owner of a
LAN insists that all users are using the latest version of a particular
anti-virus program?

> >3) The modification consists of replacing the program with a newer copy.
> How do you know it is the better or correct one?

That's so obvious that I left it as an exercise to the reader. Remember,
it was the system administrator who put it there. It is his/her right to
decide whom to permit to log in to the server. The policy might be "have
the latest version of VShield installed" or "Don't run MS Windows". It
doesn't mean that VShield is "better" or that Windows is "worse" - just
such is the policy.

A little bit more tricky is the question how the program on the server
ensures that the program being replaced on the workstation is really an
older version of itself, but this is a technical quibble and can be
solved easily.

> >4) The virus infects your computer when you log to the LAN server.
> First was said it infects only one executable file. Now is whole computer.
> Hmm...

What's so strange about it? Stoned infects only one thing - the MBR.
Yet, when it happens, we are saying that the computer is infected with
Stoned.

> >5) The virus has been installed on the LAN server by the LAN
> >administrator.
> It means deliberately entered into system.

Of course, that's the point. Deliberately, intentionally, willfully,
etc. By a person who owns the system - by the supervisor on the server
and by the user on the workstation. The supervisor does the initial
installation and the user permits the update.

> >6) The LAN owner has a policy that no workstations are allowed to log
> >in unless they are running the latest version of this particular
> >anti-virus software.
> Blackmail.

Please, read the definition of "blackmail". I don't have it handy, but
it says something about "with threats making unwarranted promises". Here
the situation is different - the user has the choice to accept the
update or not to log in. And if s/he accepts the update, s/he is granted
access - no unwarranted promises.

> >7) The virus (actually a worm - it does not "attach" itself to
> >programs and spreads via networks) does not do anything else.
> If virus is something "attaching" itself to programs, then some of existing
> viruses (boot viruses or companions) are not viruses too.

We've already been through all this a few times in the past. Please,
read the appropriate back issues. It all depends on how you define
"attach".

> >8) The whole thing is marketed by the producer of the anti-virus
> >software not as a virus, but as "a centralized method for automatic
> >update of the software on the workstations".
> Why this whole story about beneficial virus then?

See below.

> Exactement (=exactly for non-French speaking people). Don't call a "virus"
> something you are not sure is a virus.

You are missing the point. I am trying to explain to everybody
(including you) what Dr. Cohen means when he is speaking about
"beneficial viruses". Those are programs that are beneficial and that
match his definition for a virus. They might not match -your- definition
for a virus, or the definition that most people use for the term
"virus", or whatever. It doesn't matter, because it is not you or "most
people" who are speaking about "beneficial viruses", it is Dr. Cohen.
So, it is more than natural that he will use his definition of the term
- especially having in mind that he was the first one to define it. So,
if you want to understand what Dr. Cohen means when speaking about
beneficial viruses, don't jump on him - instead try to understand his
definition of a virus and assume that he is using it when speaking about
beneficial viruses.

> How can you be sure something is a
> virus?

Simple - you call "virus" everything that matches your definition for
this term.

> CONTEST FOR THE BEST COMPUTER VIRUS DEFINITION

> 1. Technical definition (in plain language - preferably English)
> 1. This definition should be short as much as possible, cleared of attributes
> as "good", "bad", "beneficial" or similar, not mentioning state of user's
> mind, etc., it should be clearly stated for which environment (e.g. operating
> system) is applicable and definition should be undoubted.

It should also emphasize the main capability of the virus that makes it
different from other programs - merely its ability to spread. Its
optional side effects (damage, etc.) should be left out of the
definition.

> 2. Technical definition (mathematical)
> 2. The meaning of every symbol in mathematical formula(s) should be clearly
> explained.

I have one here. It is actually Dr. Cohen's definition, with all symbols
explained and without the abbreviation shortcuts he usually uses. It's
hand-written and is one A4 sheet of formulae. Unfortunately, I don't
know TeX enough to translate it into electronic form.

> 3. Legislative definition
> 3. This definition should contain statement which part of virus code could
> be considered as punishable (supposing virus writing is criminal act).

Supposing that virus writing is a criminal act would be wrong, because
it isn't, according to the legislation of most countries. Instead, the
definition should concentrate on causing (directly or indirectly)
unauthorized modifications of information stored in computers. It
doesn't need to deal with the term "virus" at all - the more general,
the better. It could very well include trojan horses, logic bombs,
spoofs, hacking, etc. It is all the same from the legal point of view -
causing directly or indirectly unauthorized modifications to computer
information, and -this- is what should be a crime.

> Everybody who doesn't want to compete and feel enough
> competent to judge quality of definitions is welcome.

I do feel competent to judge the quality of the first two definitions -
the technical ones.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 13:12:02 -0400
From:    "Info Security 3-9797"
Subject: Re: Virus Signatures

In volume 6 issue 65, Alan Jones wrote:

> I was wondering why there is not anyone that periodically post NEW
> virus Signatures. This would be very helpful to people in between
> releases of different virus scanners.
> I know this might be helpful to the writer of that virus but
> there has to be a middle ground.

It seems to me that there is a big risk here. If I post a false
signature, but one that will register a hit on some popular piece of
software, and this signature accidentally gets incorporated into one or
more anti-viral software packages, then some people are going to get
false-positives. What a waste of time for everyone. But, given the
opportunity, I have no doubt that people will try this ploy. Even if
the phoney signature is only used by individuals, those individuals may
be tricked for a while to think they have a virus when they don't.
Bill Bauriedel

------------------------------

Date:    Sun, 18 Apr 93 12:44:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners getting bigger and slower

Hi Inbar:

On the example given on how to search quickly for a virus:

IR> This is an interesting idea. What I do today, is this:
IR> Each virus has its information, namely a search
IR> string, and a location. The location would usually be
IR> an offset from the first CALL/JMP opcode. This is what
IR> I had in mind, therefore, when I wrote the message.

Hope my idea helps, try to develop it, you might benefit from it.

IR> Second, even today, there is not much memory needed. I
IR> don't think it will be short before programs have to
IR> use extended/expanded memory for virus database or
IR> code overlays, due to memory problems. Maybe for SPEED
IR> reasons - memory is faster than disk.

If it's there, why not use it? If it isn't, it's the same old story...

IR> Yes, BUT, you must agree that the key point in
IR> disinfecting, rises when the virus encrypts, either
IR> itself, the original overwritten bytes of the victim
IR> (often replaced with a JMP/CALL instruction) or the
IR> entire file. When we're talking polymorphic viruses,
IR> that's a lot of trouble. Even Haifa presented a
IR> problem which did not exist then, of true polymorphism
IR> in algorithm and encryption key (the key thing did
IR> exist at the time. I think 512 used it too).

I agree on the fact that if a virus encrypts the host program, it might
not be possible to recover it (unless you keep a backup of some sort,
and this is also the most generic method of all). But if the virus
"damaged" the file so that only a key part of it is encrypted (like
HAIFA really does) that poses a problem in *specific* cleaning but none
for a generic one (suppose the signature you keep on the file contains
just the information missing).

AN>> Please recall the method of renaming files to clean the DIR-II virus,
AN>> (as well as many other methods), wouldn't you call a program that uses
AN>> it a "GENERIC DISINFECTOR" ?

IR> No, because I see that as using special techniques for
IR> special cases. Then again, whenever one method works
IR> for more than one virus, you may call it generic.

By definition a method that may do its task without knowing the identity
of the attacker should be called "generic". FDISK /MBR is the generic
method to clean most MBR viruses, SYS.COM is a generic BOOT-SECTOR
cleaner (even if MicroSoft did not intend it to be) etc...

Yours,

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 19 Apr 93 12:51:07 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Sending viruses over Internet

Hi Vesselin!

> On FidoNet the situation is slightly different. If NetMail is
> used, then you are calling directly the telephone of the recipient, so

This is not completely true. NetMail is also routed, you need to specify
Direct- or Crash-Mail for that purpose. Don't send virus code via FIDO
and Compatibles just by simple netmail!

cu!
eppi

---
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Wed, 21 Apr 93 10:00:44 -0400
From:    Donald G Peters
Subject: Re: Can a virus infect NOVELL? (PC)

In PC WEEK, Nov 9, 1992, there was a major review of "Network Operable
Anti-Virus Software." I see this as a valid way of interpreting your
question but realize that you may have had something else in mind. In
any case, you may find this useful.

------------------------------

Date:    Wed, 21 Apr 93 16:04:53 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can a virus infect NOVELL? (PC)

GSCOBIE@ml0.ucs.edinburgh.ac.uk (Garry J Scobie Ext 3360) writes:

> Novell/Viruses/Access Rights. It would be best to consult these. In
> Sept 1992, vol 5 issue 151 I asked

> If a virus can infect my applications volume where
> everyone has only read and filescan permission set as a trustee
> assignment then I would appreciate being told about it as soon as
> possible.

> The thread appeared to end there as no-one could say either way. I
> suspect the answer is still no.

The answer is still "it depends".

First, it depends on what version of NetWare you are using. It seems to
me that you are implying 3.11 and I don't have much experience with it.
If you are using anything below, and if you have not applied the
security patch from Novell, then it is possible for a virus to use the
mechanism of the KNOCK.EXE program to obtain supervisor privileges and
do with your files whatever it wishes. Note however that this trick
doesn't work under 3.11 and no such virus has been written yet anyway -
it is just a possibility.

Second, what does "everyone" mean? A user with supervisor privileges is
obviously able to do anything with those files. In practice, this means
that if a virus succeeds in infecting such a user, the virus will be
able to do anything with the protected files. So, it is important not
only what the protection settings of the protected files are, but also
whether a virus can infect a user with supervisor privileges. That is,
can such a user execute something from a place where a regular user has
write privileges? (That is - is there a transitive information flow from
users with low security privileges to users with high security
privileges?)

Third, it is possible to use a variant of the PATH companion attack to
make the protected files "look" as infected, but such "infection"
doesn't spread between users and is not of serious concern anyway.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 16:15:43 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Censorship/40-Hex (PC)

duck@nuustak.csir.co.za (Paul Ducklin) writes:

> >things. You don't demand that NASA takes you in the Shuttle, in order
> >to verify the claims that the Earth is round with your own eyes, do
> >you?

> As someone pointed out in another newsgroup [sci.crypt?] a while back,
> you *don't* need to get a shuttle ride to demonstrate the the earth is
> round; it can be done in the comfort of your own home [you need a

My analogy in this case is still a proper one - demanding from the
anti-virus researchers that they make the viruses in their collections
publicly available, just because some Joe Random wants to verify that
computer viruses exist and are able to do all kinds of things is just
like demanding NASA to take you in the Shuttle, in order to verify that
the Earth is round - in both cases there are much cheaper, easier, more
practical, etc. ways to do it. And a demand like that is something that
the concerned people (AV researchers or NASA) will just not care about,
regardless of how much the other party is yelping.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 16:53:59 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Got rid of Stoned -- but where did it come from? (PC)

bruno@mcrcim.mcgill.edu writes:

> I administer a bunch of Intel-based UNIX systems, and found that one
> of them just stopped booting.
> I could mount the disks on another
> machine, and everything seemed mostly OK, except for the boot sector.
> Upon inspection, the boot sector had been infected by the Stoned
> virus.

[stuff deleted]

> ===> What is the specific mechanism that Stoned uses to propagate its
> self? Must one boot with an infected floppy, or does it live
> next to an executable, or...

See the FAQ about how to get the answer for your first question.
Regarding your second question - it lives on the boot sector of a floppy
and the MBR of the hard disk; not in the executable files. It can infect
an IBM PC compatible machine (regardless of the operating system it
runs) if you TRY to boot from an infected floppy. Note that the attempt
to boot does not need to be successful - i.e., it can be a blank,
formatted diskette, with no executable files or operating system on it.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 17:00:29 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help needed with the Bootexe virus (PC)

RHY@CU.NIH.GOV writes:

> If you have any information on the Bootexe virus.

Our Computer Virus Catalog contains a technical description of this
virus. Read the FAQ for information about how to get the CVC.

> What exactly is it?

Memory resident EXE and boot sector infector of Russian origin.

> How to remove it without destroying
> any data? Will appreciate any info.

Boot from a clean diskette and do a SYS C: to remove it from the hard
disk's boot sector. Removing it from the files is trickier - it
overwrites the EXE header and you need an anti-virus program to repair
the infected files. For instance, F-Prot 2.07 is able to disinfect this
virus correctly.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 17:09:28 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Unknown little virus? (PC)

frisk@complex.is (Fridrik Skulason) writes:

> Hmmm...I don't have any 27 byte one :-)

Heh... There are at least two 27-byte viruses and you are detecting
them as Trivial (27-A) and Trivial (27-B)... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 21 Apr 93 17:11:17 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses which cost $$$ (PC)

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> I think I recall seeing the following warning in one of my books:
> "Improper use of this register may cause physical damage to your monitor."

That information is a bit out-of-date. It was real, it was a hardware
bug (in the controller for monochrome monitors, not in the monitors
themselves), but those (buggy) controllers have not been produced any
more for a long time.

> Am I correct, is there physical damage that can be done through
> software?

Not to the contemporary hardware.

> Monitors sounds likely. Disks, possibly. With CPU's
> that run hot and can be configured perhaps through software, then
> maybe them too!

Nope. None of the above.

> I know of a simple way that a virus could cost a user lots of money,
> [in fact the virus author could MAKE money from the victim!!!]
> {if that doesn't whet the appetite I don't know what will!!!]
> without causing physical damage, but I am unsure if I should
> mention that here. Even though the method is absurdly simple.
> Any comments?

You are right, a simple virus could cost a user or a company lots of
money. Even if the virus does NOTHING but spreads. Actually, even a
false positive (a non-virus) could cost a LOT of money...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 19 Apr 93 12:45:06 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Windows 3.1 virus (PC)

Hi Philip!

> I keep seeing people who report "general protection faults" and
> similar things and attribute them to virus action. I'm having

This could be, but need not be. General protection faults occur from
time to time, sometimes without an obvious reason. Sometimes you can fix
this by correctly configuring Windows (e.g. if you try to print in a
BANYAN VINES network, you'll get this one. You must insert NETSPOOL=YES
at the entry [spooler] in WIN.INI, then it works).

> Today, someone reported actually cleaning up a 36 byte virus.
> I have real trouble believing this; the smallest I know of is 44 bytes
> and isn't viable, much less a Windows-specific infector.

There are smaller ones (the smallest 30 bytes if I remember correctly),
but these are all overwriting COM-infectors and non-Windows specific.

cu!
eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Sun, 18 Apr 93 12:14:00 +0100 From: Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner) Subject: Re: Help wanted with Dir-II virus (PC) Hello Raymond, RK> I recently discoverd the Dir-II virus on my system (486/33 with a RK> 212 Mb Hd). I've a bootable flop which contains no virus and RK> includes a virusscanner, scan v102 from Mcafee. I scanned the HD but RK> scan didn't detect any virus. So I assumed that the HD was clean. RK> I have read in the virlist.txt that the dir-II virus uses stealth RK> techniques and selfencryption . Maybe this is the reason that the RK> virus can't be detected. no : a virus is only "stealth" if it is running. If you have booted from a clean disk, the virus did not run and therefore was "naked", not stealth. RK> describes that the dir-II virus crosslink files and directories I used RK> I used chkdsk and norton diskdoktor to correct the problem. There are RK> RK> crosslinked files and directories. Norton disktor (ndd) repairs the files. .. he killed them... To remove a DIR-infection the only secure way is to copy all executables to files with non-executable extensions with THE VIRUS ACTIVE IN MEMORY ! This way the virus itself will "desinfect" the files, it will act as a "low-level- cleaner" :-)) "COPY *.COM *.MOC" "DEL *.COM" "COPY *.EXE *.XEX" "DEL *.EXE" in every (sub and root) directory, on every exe and com-file (uses ATTRIB from DISK to remove any hidden and sys attributes, but write on a piece of paper, which files have been hidden /system/read-only to re-set these attributes at the end of the session), some programs may require these. then reboot from a clean disk and (from now on we don't need the virus anymore) type "SYS C:" "UNFORMAT /PARTN" - note : only valid, if you have run MIRROR /PARTN before the infection occured. *recommended* ! Very useful. 
"REN *.MOC *.COM"
"REN *.XEX *.EXE"

in every directory. Reboot again from C:, your computer is clean.

Using CHKDSK /F on a DIR-infected disk without the virus in memory will DESTROY all infected files if you allow CHKDSK to "repair" anything.

Greetings from Karlsruhe,
frgdr Robert

- ---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)

------------------------------

Date: Wed, 21 Apr 93 03:00:18 -0400
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Invol virus (PC)

Does anyone have a bit more info on the Invol virus than is in Vsum? I had a client with it today. As soon as he ran our go.exe installation program it popped up with its little message. I was just wondering what causes it to activate, mostly. Vsum mentions the message as being visible in infected SYS files, and encrypted in EXE files, but doesn't mention the display of the message. The client was in California, and I'm in Michigan, so I don't have access to his PC, or a sample of his infection.

- --

------------------------------

Date: Wed, 21 Apr 93 05:38:43 -0400
From: "Werner Ente 21-APR-1993 11:36:51.58"
Subject: TSR programs are too big (PC)

Moin,

there are several mails about too big scanners, but that's not my problem. I have a problem with the size of the TSR program which I use for security. I need at least (!) 480KB of base memory for one DOS program and get it with some difficulties without my actual security program VSHIELD. The HMA and the UMBs are filled with DOS, several drivers (network, SCSI) and the EMS page. The PC is a 486 with 16MB memory.

Is there a security TSR program which can be loaded (partly) into extended or expanded memory? If not, is any developer planning to create such an option in his program(s)? The "/lh" switch in VSHIELD allows only loading into the UMB and that doesn't work. So the program will not be loaded.
Werner *----------------------------------------------------------------* | Werner Ente wente@ifw.uni-kiel.dbp.de | | Kiel Institute of World Economics +49 -431 /8814-277 | | D2300 Kiel 1, Germany | *----------------------------------------------------------------* ------------------------------ Date: Wed, 21 Apr 93 14:54:34 -0400 From: cjkuo@symantec.com (Jimmy Kuo) Subject: NAV Updates (was Central Point Anti-Virus Updates) (PC) Robert Slade writes: >A whole bunch of people have asked: >>I'm just wondering if there is an ftp site that supports updated virus lists >>for the Central Point Anti-Virus program. Thanks a lot. >Is it time we put this in the FAQ? If it is, certainly, I hope you don't write the entry! And in the future, please do NOT make statements representing the NAV product. >CPAV is a commercial product. CP also wants to make some return on >the bucks they put into keeping the program updated. Therefore: >No, you are not likely to see any updates for the CPAV signature files >(or NAV, or MSAV) on ftp servers. Or public bulletin boards. If you >do, they have not been posted with the consent of Central Point. NAV update files are available *free* on Compuserve, on Symantec's BBS at 408-973-9598 or 408-973-9834. They may be purchased on a one-time basis by people who do not have access to those things or any networks. And they can be subscribed to for regular delivery for a fee. (I'll just say, call 1-800-343-4714 x756 for further information on the services that cost money.) Back to the *free* ways to get updates: They are available free through me by individual request. They are available through the Virus Help Centre (Sweden), ask mikael@vhc.se, even if *he* is a McAfee Agent. They can be available through anyone who wishes to redistribute. Basically, NAV definition file updates are and can be freely distributed in its present form (note lack of copyrights). >Both CP and Symantec/Norton provide update services in various ways. 
>Some require a license and some don't. None, however, involve free >ftp access. We don't support ftp access yet. We may. But that's under someone else's jurisdiction and has nothing to do with wanting to charge for the updates since I already send out updates to anyone who asks. [Updates are only available for 2.1.] Jimmy Kuo cjkuo@symantec.com Norton AntiVirus Research ------------------------------ Date: Wed, 21 Apr 93 14:54:36 -0400 From: cjkuo@symantec.com (Jimmy Kuo) Subject: Re: Viruses that cost $$$ (PC) Donald G Peters writes: >I think I recall seeing the following warning in one of my books: >"Improper use of this register may cause physical damage to your monitor." Yes, it was possible to destroy an original IBM Monochrome monitor through software activity. But not too many of them around any more. (All been destroyed? :-) ) But that was only the IBM Monochrome monitor and some "really good" clones. As soon as this was discovered, manufacturers realized the circumstances and made new ones that would not have that problem. (Sorry, I'm not a hardware guy.) >Am I correct, is there physical damage that can be done through >software? Monitors sounds likely. Disks, possibly. With CPU's >that run hot and can be configured perhaps through software, then >maybe them too! The concept of destroying hardware with software is a possibility. There are many concepts that can be applied. But that's not the only way to assess "Viruses which cost $$$". Even though mainframes have circuit breakers when they get too hot, if you can turn off the fan that would result in a subsequent activation of the circuit breaker, you've caused the machine to go down. Downtime costs $$$. So, simply crashing the machine costs $$$. So, whereas the possibility to destroy hardware through software might be real, there's really no need. You cause enough loss just by getting a virus onto the system. Jimmy >If this is a threat should we discuss it here? I think so. 
Of >course, I don't want the details spelled out here. Just enough >generic information that we can be sure the info is correct. >I know of a simple way that a virus could cost a user lots of money, >[in fact the virus author could MAKE money from the victim!!!] >{if that doesn't whet the appetite I don't know what will!!!] >without causing physical damage, but I am unsure if I should >mention that here. Even though the method is absurdly simple. >Any comments? ------------------------------ Date: Wed, 21 Apr 93 23:10:54 +0000 From: mechalas@expert.cc.purdue.edu (John Mechalas) Subject: Re: V-Sign? (PC) bc1w+@andrew.cmu.edu (Barbara Carlson) writes: >A computer in a public cluster here turned up with what f-prot called >"V-Sign". It said it infected the boot sectors of each of the drives >(c,d,e,f) and listed garbage as the name for one of them. Has anyone >heard of this virus? There is no mention of it in the listing that comes >with f-prot. The version of f-prot was current -- 2/93. They had to do a >hardware reformat of the disk - *three times* - could this thing have Reformatting is almost never necessary. >stuck around and diverted a format? Anything out there that could get >rid of it?? We had V-Sign in our labs on campus a while ago. FDISK /MBR took care of it. - -- John Mechalas \ If you think my opinions are Purdue's, then mechalas@expert.cc.purdue.edu \ you vastly overestimate my importance. Purdue University Computing Center \ Stamp out and abolish redundancy. General Consulting \ If you can read this you are too close. ------------------------------ Date: Wed, 21 Apr 93 21:18:22 -0000 From: phil@wearbay.demon.co.uk (Philip Coull) Subject: Re: Censoship/40-Hex (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >...... One thing is certain - I didn't get them from virus >exchange BBSes, because I don't call -any- BBSes. 
^ ^^^^^ ^^^^ ^^^^^ ^^^^^ I'm puzzled - you seem to know a lot about virus exchange bbs's - how do you get your info, if you don't call them?? - --------------------------------------------------------------- Phil Coull g3xvy phil@wearbay.demon.co.uk CI$ 76046,332 ------------------------------ Date: Wed, 21 Apr 93 03:07:54 -0400 From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt) Subject: TBAV600.ZIP - TBAV anti-virus software (complete pkg v6.00) (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu: pd1: TBAV600.ZIP TBAV anti-virus software (complete pkg v6.00) Thunderbyte Anti-Virus (TBAV) is a toolkit designed to protect against, and recover from computer viruses. It is claimed to be the most complete anti-virus system available. Included are TbScan, TbScanX, TbSetup, TbClean, TbDisk, TbFile, TbMem, TbCheck, and TbUtil. This file has replaced TBAV504.ZIP. Greetings, Piet de Bondt E-mail: bondt@dutiws.twi.tudelft.nl - - - FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl ------------------------------ Date: Thu, 22 Apr 93 05:37:59 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: FP-208.ZIP - F-PROT v2.08: Virus detection/removal software (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu: pd1: FP-208.ZIP F-PROT v2.08: Virus detection/removal software Version 2.08 - major changes: The identification and disinfection information has now been moved to the file SIGN.DEF, which reduced the memory requirements considerably, by 50K or so. Version 2.08 - the following problems were found and corrected. A few minor false positives were corrected: "Possibly a new variant of ARCV" in a version of SPINRITE.COM "TPE" in a few non-executable files. The disinfection of the following viruses was corrected, but previously F-PROT was not able to clean all infected files correctly: Tula-419, Prudents, Tiny.198, Macedonia, Gotcha.C, Vbasic.B, Vbasic.C The VIRSTOP program could not be run after the APPEND program was loaded. 
Fixed now.

Some problems with /WARM and /COPY have been fixed.

Version 2.08 - new viruses:

The following 14 new viruses can now be detected but not removed, only deleted. This is because they overwrite infected files, or damage them irreversibly.

        Burger.560.Liquid
        Itti.Toxic
        Leprosy (FVHS.1644 and Surfer)
        Milan.BillMe
        Trivial (Wolverine, 30-D, 64 and 81)
        VCL (408, 423, 481, 666 and Dome)

The following 115 new viruses can now be detected and removed. (Many of them were detected by 2.07 (or earlier versions) as new variants of known viruses).

        _388
        _558
        Arcv.Lurve
        Armagedon.1074
        Beer (2794, 2850 and 3164)
        Baobab.731
        Black Jec.307
        Comvirus
        Creeper.476
        Danish Tiny (177 and 180)
        Dark Avenger.1800.Quest
        Diamond (444, 465, 594, 602, 606, 607, 608, 620, 621, 624, 626, 891, 1013 and Sathanyk-1399)
        Dreamer
        Dutch Tiny.124.B
        Frajer
        Fumble.D
        Gotcha.F
        Hamster
        Intruder (1326, 1440, 1967, 1988 and 2136)
        Jerusalem.Glory
        July 13th.1199
        Kiwi
        Liquid
        Marauder.860.B
        Phalcon.Elvis
        Pixel (Cheef and 762)
        Polish Tiny.176
        Print Monster
        Problem.854
        Protect.2535
        PS-MPC (Alien, Bamestra.1, Bamestra.2, Bamestra.3, Bamestra.4, Bamestra.5, Bamestra.6, Bamestra.7, Bamestra.8, Bamestra.9, Bamestra.10, Cinco, Demoexe, Gold, Jo.916, Jo.942, Tim.301, Tim.401, Tim.515, Warez)
        Russian Tiny (C.146, C.150, C.157, D.129, D.130, D.132)
        Semtex (619 and 1000.C)
        Shaman
        SillyCR.178
        Simple 1992
        Sinep
        Star One (222, Cybertech.A, Cybertech.B)
        StinkFoot.2-E
        SVC (1228 and 5.0-C)
        Timid (290, 297, 320, 371, 382, 513 and 526)
        Uruk-hai (300, 361 and 394)
        Vienna (518, 561, 600, 618.B, 648.E, 700, 851, MD.354, MD.498, MD.499, MD.557, New Years, Vio-lite and Violator.Baby)
        Youth.Hannibal

The following 6 new viruses can now be detected but not yet removed.

        VCL (933, Chuang and Diarrhea)
        X-1.570
        Yankee.XPEH.4752
        Zherkov.1940

The following 3 viruses which were detected by earlier versions can now be removed.
        Cascade (1703-Jojo and Formiche)
        Ear.Ear

In addition over 100 new viruses are detected, but not identified accurately, and have not been analysed. They will be listed later.

frisk
- - -
Fridrik Skulason   frisk@complex.is

------------------------------

Date: Tue, 20 Apr 93 15:45:55 -0400
From: mdallin@lamar.ColoState.EDU (MDallin)
Subject: Survey Results

Ok, here are the results of my recent virus survey. Thanks to all who replied. Enjoy!

The Results:

First, a note... keep in mind that not everyone answered all the questions, and in several cases, I had to throw out vague or confusing answers (only once or twice, however). Also, keep in mind that I know very little about Mac and Atari viruses/scanners, so forgive me if I mistype any names...

32 people responded, 2 of which used Atari STs, and 6 of which used Macs. Note that some people used more than one type of computer (i.e., they responded with what they use for their Mac and their PC).

On PCs, F-Prot was the most used scanner... 22 people used it. 8 people used McAfee products (Scan, etc). On Macs, Disinfectant was used by 5 people, SAM by 1 person. On Atari, Virendetektor was used by 1 person.

Of those polled, 8 have never been infected by a virus, 14 had been infected once, 2 had been infected twice, 1 person had been infected three times, 1 person infected four times, 2 people infected 5 times, and two people infected 7 times (and several that responded were unsure, i.e. 'A dozen or so times').

Of DOS viruses, 7 of the infections were from Stoned, 6 were by Jerusalem, 3 were by Form, and 2 were by Not-int, Cascade, Yankee Doodle, Michelangelo, and Brain. About a dozen other viruses infected only one person, too many to list here. Of Mac viruses, 3 infections were by nVIR A, and 1 infection by nVIR B, WDEF and MDEF.

Here is how the virus danger was rated by those polled:

    Rating   # People Who Chose It
      1               1
      2               2
      3               5
      4               5
      5               5
      6               5
      7               6
      8               3
      9               0
     10               0

17 people said the media over-hypes viruses, while 9 said they do not. 5 people replied, "Yes, and No."

29 people said that no countries write viruses to "punish" computer hackers, while 1 said yes and 1 said for the most part, no.

10 people said that some countries write viruses meant to infiltrate computers in other countries, while 22 said they do not.

14 people predicted useful applications of viruses in the future, 17 said they saw no useful applications. 1 said they saw useful applications, but not until the distant future. 1 said worms had useful applications, while viruses did not.

2 people said the law enforcement community was properly trained to deal with viruses, while 27 said that they were not. 1 person replied, "Yes, and No."

5 people said it is possible for a virus to cause hardware damage, while 13 said no. 12 people said it is possible on old/buggy hardware, but not at all on new hardware.

28 people said that viral code should be available to those who would use it responsibly, while 2 said it should not.

14 people said it is or will be possible for a virus to work on machines with different operating systems, while 8 said it is not. 10 others said it is possible, but not probable.

Mdd

- --
"Ah, Ah, Ah, Ah, AAAAAAAAAAAH!!!!"        mdallin@lamar.colostate.edu
                 -- Queen, Ogre Battle    dallin@beethoven.colostate.edu

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 69]
*****************************************
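Editor's added example (not part of the digest, and not code from any poster or from any product mentioned above). Robert Hoerner's reply on the Dir-II virus earlier in this issue (Re: Help wanted with Dir-II virus) rests on two properties of a directory-entry infector: it is only "stealth" while it is resident, and once you boot clean CHKDSK sees every COM and EXE cross-linked on the cluster that holds the virus body, so CHKDSK /F or NDD "repairs" them into nothing. The Python model below illustrates both points and the recovery he describes (COPY to *.MOC/*.XEX with the virus active, DEL, reboot clean, REN back). Everything in it is constructed: the volume, cluster size, file bodies and the "DIRII!" body are made up, the real start cluster is kept in a plain `reserved` field rather than in encoded directory-entry bytes, stealth is a flag rather than a hooked device driver, and the SYS C: and UNFORMAT /PARTN steps are not modelled. Those are simplifications of the model, not statements about how the real virus is built.

```python
"""Toy model of a DIR-II-style directory-entry infection on a FAT volume.
Added example, not code from any post in this digest; everything is constructed.
Simplifications (assumptions of the model, not claims about the real virus): the
real start cluster sits in a plain 'reserved' field instead of encoded directory
bytes, stealth is a flag instead of a hooked device driver, and the
SYS / UNFORMAT /PARTN steps are not modelled."""
from dataclasses import dataclass, field

EXEC_EXTS = {"COM", "EXE"}
SWAP_EXT = {"COM": "MOC", "EXE": "XEX"}  # non-executable names used in the post


@dataclass
class Entry:
    name: str          # e.g. "HELLO.COM"
    start: int         # start cluster recorded in the directory entry
    reserved: int = 0  # where the virus hides the file's real start cluster


@dataclass
class Volume:
    fat: dict = field(default_factory=dict)      # cluster -> next cluster (0 = end)
    data: dict = field(default_factory=dict)     # cluster -> bytes in that cluster
    entries: list = field(default_factory=list)  # the directory
    resident: bool = False                       # virus active in memory?
    virus_cluster: int = 0                       # start of the virus body chain

    def alloc_chain(self, payload, cluster_size=4):
        """Write payload into fresh clusters and return the first one."""
        chunks = [payload[i:i + cluster_size] for i in range(0, len(payload), cluster_size)] or [b""]
        first = max(list(self.fat) + [1]) + 1    # clusters 0 and 1 are reserved on FAT
        for i, chunk in enumerate(chunks):
            self.data[first + i] = chunk
            self.fat[first + i] = first + i + 1 if i + 1 < len(chunks) else 0
        return first

    def read_chain(self, cluster):
        out = b""
        while cluster:
            out += self.data[cluster]
            cluster = self.fat[cluster]
        return out

    def create(self, name, payload):
        self.entries.append(Entry(name, self.alloc_chain(payload)))

    def lookup(self, name):
        return next(e for e in self.entries if e.name == name)

    def visible_start(self, e):
        """Start cluster as DOS sees it: the real one while the virus is resident
        (stealth), the virus body once you boot clean ("naked")."""
        return e.reserved if self.resident and e.reserved else e.start

    def read(self, name):
        return self.read_chain(self.visible_start(self.lookup(name)))

    def infect_all(self, body=b"DIRII!"):
        """Point every executable at one virus body, hiding the real start cluster."""
        self.virus_cluster = self.alloc_chain(body)
        for e in self.entries:
            if e.name.rsplit(".", 1)[-1] in EXEC_EXTS and not e.reserved:
                e.reserved, e.start = e.start, self.virus_cluster
        self.resident = True

    def crosslinks(self):
        """CHKDSK-style check: entries sharing a start cluster are cross-linked."""
        by_start = {}
        for e in self.entries:
            by_start.setdefault(self.visible_start(e), []).append(e.name)
        return {c: names for c, names in by_start.items() if len(names) > 1}

    def chkdsk_fix(self):
        """CHKDSK /F 'repair' (simplified): the first entry keeps the shared chain, the
        rest are truncated and lose the hidden cluster, so their bodies are orphaned."""
        for names in self.crosslinks().values():
            for n in names[1:]:
                e = self.lookup(n)
                e.start, e.reserved = 0, 0

    def copy(self, src, dst):
        """COPY reads through DOS: with the virus resident it gets the real body, and
        a non-executable target name is not re-infected."""
        self.entries.append(Entry(dst, self.alloc_chain(self.read(src))))


def dirii_cleanup(vol):
    """The post's procedure: COPY *.COM *.MOC / DEL *.COM (and EXE -> XEX) with the
    virus ACTIVE, reboot clean, then REN back.  Returns the names cleaned."""
    if not vol.resident:
        raise RuntimeError("the copies must be made with the virus in memory")
    infected = [e.name for e in vol.entries if e.reserved]
    for n in infected:
        base, ext = n.rsplit(".", 1)
        vol.copy(n, f"{base}.{SWAP_EXT[ext]}")          # COPY *.COM *.MOC
        vol.entries.remove(vol.lookup(n))                # DEL *.COM
    vol.resident = False  # reboot from a clean floppy; renaming earlier would re-infect
    for n in infected:
        base, ext = n.rsplit(".", 1)
        vol.lookup(f"{base}.{SWAP_EXT[ext]}").name = n   # REN *.MOC *.COM
    return infected


def demo_volume():
    """Constructed sample: two executables and a data file, then infected."""
    vol = Volume()
    for name, body in [("HELLO.COM", b"hello-com-body"), ("TOOL.EXE", b"tool-exe-body"),
                       ("NOTES.TXT", b"not executable")]:
        vol.create(name, body)
    vol.infect_all()
    return vol
```

demo_volume() builds the infected sample with the virus resident: read() and crosslinks() then show nothing wrong, which is the stealth Raymond's clean-boot scan never saw. Set resident to False to get the "naked" view, where every executable reads as the virus body and crosslinks() reports them all on one cluster; chkdsk_fix() at that point shows why NDD "killed" the files. dirii_cleanup() walks the recovery path from the post. The old chains it leaves behind are lost clusters, which a later CHKDSK /F would turn into FILEnnnn.CHK files; that is harmless once no directory entry points at the virus any more.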