From lehigh.edu!virus-l  Mon Apr  1 03:29:10 1993 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Mon, 29 Mar 93 16:47:39 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
	id AA04370; Mon, 29 Mar 1993 16:41:31 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA45440
  (5.67a/IDA-1.5 for <mikael@vhc.se>); Mon, 29 Mar 1993 08:29:10 -0500
Date: Mon, 29 Mar 1993 08:29:10 -0500
Message-Id: <9303291234.AA18732@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #51

VIRUS-L Digest   Monday, 29 Mar 1993    Volume 6 : Issue 51

Today's Topics:

Telephones #s for BBS
Re: Beneficial/Non-destructive viruses
Re: Laws and Viruses
Re: Memoirs of an (untrustworthy) virus researcher (CVP)
Re: Amiga viruses (Amiga)
Anti virus for Novell Networks... (Novell)
Disgust at the lack of interest in Atari Viruses (Atari)
Re: EXE/COM switch (PC)
Finish of EXE/COM discussion (I hope) (PC)
How to remove Lao Dong virus? (was: cluster pc 5)
Infecting from floppy (PC)
Re: Swap virus(PC)
Re: Virus signature determination. (PC)
Re: EXE/COM switch (PC)
Re: Catch from DIR? (PC)
Re: Catch from DIR? (PC)
Re[2]: Removing virus on stack drive (PC)
Re:Virus that infects (PC)
Virsig (PC)
HELP: Harddisk deteriorating rapidly (PC)
Re: [Stoned] (PC)
Pc-Tools 8.0 (Pc)
Ignorance is still curable (PC)
Re: IBM PC Boot Seq (was Partition table viruses (PC))
Re: Catch from DIR? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    26 Mar 93 12:28:49 +0000
From:    hq!fhi0055@dsac.dla.mil (Marc Poole)
Subject: Telephones #s for BBS


  I'm looking for telephone numbers to call BBSs for anti-virus
  information.  I have site addresses that I can trade in return.
  However, ftp and telnet take a very long time to connect.  If anyone
  has a direct number to systems that allow modem dial-in it would be
  greatly appreciated.

  Marc Poole
  mpoole@hq.dla.mil



------------------------------

Date:    Fri, 26 Mar 93 14:14:43 +0000
From:    Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: Beneficial/Non-destructive viruses

 cburian@ux4.cso.uiuc.edu (Christopher J Burian) writes:
>	Requesting help on beneficial/non-destructive viruses used
>as tools.  I've read a very little bit about viruses generated for a 
>specific task that disappear into a network; carry out their intended
>function (send data back to user, etc); then "retire" themselves.

This is an idea that gets floated around from time to time, but I
know of no reliable real-world applications.  

I think there is evidence of viruses that may have been written to
attack/replace other viruses (one of the strains of nVIR on the 
Mac *might* fit this description).  But in practice these have
just become problems in their own right.

The main problems in writing a truly non-destructive virus
are:

  1) The wide variety of environments on various computers
     causing unexpected bugs and software interactions.

  2) The greater likelihood of doing damage when trying to
     operate "behind the back" of the human operator and/or
     the operating system and/or anti-virus software.

  3) The unwillingness of people to beta-test viruses ;)

It is my personal opinion that anything that can be done by
a "beneficial" virus can be done more reliably by other software
means.

(I am not using the most general definition of a "virus" here -- I
 don't consider DISKCOPY to be a virus, for example, and I concede
 that if an operating system provided support services for spawning
 processes in, say, a distributed computing system they might behave
 in a virus-like way while remaining reliable and controlled.)

- -- 
    Albert Lunde                      Albert-Lunde@nwu.edu

------------------------------

Date:    Fri, 26 Mar 93 10:24:23 -0500
From:    Fritz Schneider <71043.1117@compuserve.com>
Subject: Re: Laws and Viruses

In VIRUS-L Digest V6 #48, Vesselin Bontchev wrote:

> Hold on.  I think you may have something here.  Since when has
>> legal terminology been required to match up with common usage?
>> Perhaps "malicious software" is just what we need to define as
>> a legal term.  Especially since the definition of virus is so
>> mutable....
>
>Indeed, this is the better term to use. It can be associated easily to
>"intentional damage" and does not state that "virus" is something
>necessarily malicious, definition problems aside...

Unfortunately it will always be difficult to prove intent, so "intentional
damage" would make it difficult to apply such a law. We must also
recognize that much of the damage which viruses create is due to
incompetence rather than intentional malice. Many of today's viruses
damage a file by incorrect infection algorithms, or make a disk
unbootable by misplacing the original boot sector.

The key concept has to be unauthorized changes which cause harm
whether intentional or unintentional. The difficulty is in differentiating
malicious software that is poorly written from legitimate software that
is also poorly written. 

Regards,
Fritz.



------------------------------

Date:    26 Mar 93 15:05:42 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Memoirs of an (untrustworthy) virus researcher (CVP)


Thus spake roberts@decus.arc.ab.ca (Rob Slade):

>There was, of course, only one thing to say.
> 
>"Good luck."

Or, "Trust me. I'm a computer security expert..." :-)

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    25 Mar 93 10:27:00 -0500
From:    olson@dstl86.gsfc.nasa.gov (Paul Olson)
Subject: Re: Amiga viruses (Amiga)

u9263012@uow.edu.au (Walker Andrew John) writes...
> 
>Does anyone have a comprehensive list of amiga viruses and what they do?
> 
>Andrew Walker.

The most comprehensive list I've seen came with the doco of Virus_Checker
archive.  You may want to obtain it via ftp and take a look.

       __  Paul J. Olson - VAX Systems Manager & Resident Amiga Addict
  C=  ///  Voice -    301/286-4246, 301/210-7701
 __  ///   DECnet-    CHARON::PAUL
 \\\///    Internet - paul@charon.gsfc.nasa.gov                       
  \XX/     Disclaimer: Statements in my messages are wholely my own.   
  AMIGA    "Ignorance is a renewable resource." -- P.J. O'Rourke

------------------------------

Date:    Thu, 25 Mar 93 10:52:45 -0500
From:    "Nabil Miguel" <Nabil@sclients.scs.uottawa.ca>
Subject: Anti virus for Novell Networks... (Novell)

I would like to know what software I could use to protect my Novell Netware 
server against viruses.  I am running Netware for Macintosh on the server.
The software must be able to protect the server from PC and Mac viruses.

Is there anything as such?
Any feedback would be welcomed...

Please reply directly to me...  

Thank You!
_______________________________________________________________
Nabil J. Miguel      \  InterNet: Nabil@SCLIENTS.SCS.uottawa.ca
University Of Ottawa |\   Bitnet: Miguel@UOttawa 
35 University        | \
Ottawa, Ontario,     |  \ Telephone: (613) 564-5094
K1N 6N5              |   \      FAX: (613) 564-4965
_______________________________________________________________


------------------------------

Date:    Thu, 25 Mar 93 15:05:43 -0500
From:    Trantor The Last Stormtrooper <S12609@prime-a.plymouth.ac.uk>
Subject: Disgust at the lack of interest in Atari Viruses (Atari)

Being a virus researcher on the Atari ST, I feel that
I must write to complain about the lack of interest in
discussing Atari viruses. I can understand why you talk
about PC viruses more than ST ones. The reason is
simple, there are over 2000 PC viruses. The Mac doesn't
even have 10 viruses, whereas the ST has over 100 viruses
(of both the bootsector and link variety). So I think that
ST viruses should be discussed a little bit more!!!!

As for virus information concerning ST viruses, the Virus
Centre at the University of Hamburg is no good at all. The
reason for this is because the virus information is never
updated!!!!

Has anyone out there (especially Atari people!) got any
comments???



------------------------------

Date:    25 Mar 93 15:05:18 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: EXE/COM switch (PC)


Vesselin wrote:

>cases. The "more general" idea (changing the extensions to something
>completely different), however, -will- prevent the infection in those
>particular cases (non-smart viruses that infect on Exec).

not necessarily ... many of the viruses that hook the exec call and check
the file name work like this

   if the name end in .EXE
         do exe_infection() 
   else
         do com_infection()

(or the other way around), so any renamed virus would always be infected as
a .COM file.

anyhow, this discussion is a bit pointless, as renaming is of too little
help ... it would stop most non-resident viruses (but they are generally not
common), and some of the resident ones, cause some resident ones to infect
the files incorrectly, and have no effect at all on others.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 25 Mar 93 10:33:07 -0500
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Finish of EXE/COM discussion (I hope) (PC)

VB did a very good job recently of trying to close all the loose
threads opened in the EXE/COM debate. I appreciate his effort and
accuracy. It would be difficult to find fault with anything in
that last extensive post. (The primary things I would take issue
on was "who said what" but that is unprofitable.)

I will admit that I'm less enthusiastic now than before, but I
would classify it as a useful technique on the order of the
ReadOnly flag, EEE/CCC changes, renaming COMMAND.COM, etc. For
some people these tricks(?) will provide some protection, but
most of the people on this forum are in the "high risk" group
and it wouldn't do as much good here.

However, Vesselin, it puts a smile on my face that you too are
human, and make mistakes.


------------------------------

Date:    Thu, 25 Mar 93 09:03:54 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: How to remove Lao Dong virus? (was: cluster pc 5)

> To:           A.APPLEYARD
> From:         "CHRIS HOLBURN"  <C.HOLBURN@fs1.mt.umist.ac.uk>
> Date:         25 Mar 93 12:18:14 GMT
> Subject:      cluster pc 5
> 
> Anthony it looks as though cluster pc2 No. 5 has a virus on the hard
> drive.  Do you want to have a go at removing it?  Our standard virus
> prog. can detect but not remove it.  The virus is called Lao Dong.
> Good luck. CHRIS

How to remove Lao Dong? Any info re it? Any history of false positives of it?
Please email such info to me and/or to C.HOLBURN@FS1.MT.UMIST.AC.UK


------------------------------

Date:    Thu, 25 Mar 93 11:52:57 -0500
From:    Alessandro Lombardi <alexl@dec01.ing.como.polimi.it>
Subject: Infecting from floppy (PC)

On Virus-l #49, Terry Lundgren asks for a definitive answer: hope this
satisfies you.

Generally a virus CAN spread from an infected diskette to the HD of your
system; a clear example: FORM.
Remember this is a boot sector virus (BSV).

I do not know of a BSV which does not replicate and spread with DIR, or of
non-BSV viruses which spread with DIR: in my experience I always had to execute
an infected file to get infected myself. If someone can add info or give
more particulars (tell also the opposite, if it is true), reply to this
and send me a Cc, thanks.

- -alexl

***************************************************************************
**   Alessandro Lombardi,  via P.Verri 12, 21100 VARESE (VA)-ITALY       **
**   Tel.: 0332/265777;    e-mail: alexl@dec01.ing.como.polimi.it        **
***************************************************************************

------------------------------

Date:    Thu, 25 Mar 93 12:02:21 -0500
From:    Alessandro Lombardi <alexl@dec01.ing.como.polimi.it>
Subject: Re: Swap virus(PC)

you wrote about your adventures using McAfee Scan.....

I sincerely hope you have not yet used F-prot 2.07 on your system,
because I rate it highly. If you haven't, get it by FTP at oak.oakland.edu,
in the directory pub/msdos/virus, or write to frisk@complex.is (the author).
If you have used it, I do not have any other suggestion.
Good luck.
Let me know about your next steps and successes (hope...)

- -alexl

***************************************************************************
**   Alessandro Lombardi,  via P.Verri 12, 21100 VARESE (VA)-ITALY       **
**   Tel.: 0332/265777;    e-mail: alexl@dec01.ing.como.polimi.it        **
**                                                                       **
**    "Noi non compriamo uno qualunque per fare del qualunquismo"        **
**                     ( Giovanni  "gioppino"  Trapattoni )              **
**                                                                       **
**   RETE 8 NETWORK : ora anche a Como e provincia 101.40/101.45 FM      **
***************************************************************************

------------------------------

Date:    25 Mar 93 17:52:24 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus signature determination. (PC)


runefr@ifi.uio.no (Rune Fr|ysa) writes:

>I'm planning to expand an anti-viral utility to include file
>scanning, like Mc'Affe's scan program does.

good luck :-)

>Therefore I would
>be interested in more information of how I determine the signature
>of any virus, including mutating ones. 

Eh, mutating viruses by definition do not have signatures...or at least
not without wildcards.

What you would need to do:

   1) Get an awful lot of virus samples...2000 or so...properly maintaining
      such a collection requires a full-time researcher, so you had better
      hire one :-)  Obtaining those viruses might turn out to be a problem.

   2) For each polymorphic virus you disassemble it, and find a piece of
      the code which is found in all samples of the virus (you want to
      avoid false negatives), and is not found in any normal program (you
      don't want to cause false positives).   You then write a scan "engine",
      which searches for those strings.

      Exactly which bytes to select is the difficult part...but it just
      requires some experience.

   3) For the difficult, polymorphic ones, which can not be found with a
      search string, you write a detection procedure.

   4) You now have everything needed for a "brute force" scanner, which
      searches entire programs for the various search strings.  Perhaps
      not a practical approach, but it works....

>Is it also possible to get signature files from somewhere and 
>implement them in the package? 

Yes, several such files exist...and using them would mean a lot less work
required - however, the scanner would not be as good, as those files don't
include any information on how to detect the polymorphic viruses.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801
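Frisk's steps (a search string that appears in every sample of a virus and in no clean program, wildcards for the bytes a polymorphic variant changes, and a "brute force" scan of the whole file) are mechanical enough to show in code. The following Python is an added example for this digest, not F-PROT or any other product's code. The signature syntax (space-separated hex bytes, `??` for any single byte), the signature names and every sample byte string are constructed for the example and are not real virus signatures.

```python
"""
Wildcard search-string scanner.  Added example for this digest; it is not
F-PROT or any other product's code.  Signature syntax (space-separated hex
bytes, '??' = any single byte), the signature names and all sample bytes are
constructed for the example and are not real virus signatures.
"""
import re
from typing import Dict, List, Sequence, Tuple


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn 'E8 ?? ?? 5E' into a compiled bytes regex.

    Fixed bytes become \\xhh escapes; '??' becomes '.', which with DOTALL
    matches any one byte (including 0x0A).
    """
    pieces = []
    for tok in sig.split():
        if tok == "??":
            pieces.append(b".")
        else:
            value = int(tok, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"bad byte {tok!r} in signature")
            pieces.append(b"\\x%02x" % value)
    return re.compile(b"".join(pieces), re.DOTALL)


# Constructed signatures: one fixed string, and one with wildcards at the two
# positions a (hypothetical) polymorphic variant changes from sample to sample.
SIGNATURES: Dict[str, str] = {
    "Example.A":    "B8 00 4C CD 21 90 90",
    "Example.Poly": "E8 ?? ?? 5E 83 EE 03",
}


def scan_bytes(data: bytes,
               signatures: Dict[str, str] = SIGNATURES) -> List[Tuple[str, int]]:
    """Brute-force scan: try every signature against the whole buffer.

    Returns (name, offset) for each signature found.  This is the "brute
    force" scanner of step 4: correct, but every string is tried at every
    byte position, so it is slow on large files.
    """
    hits = []
    for name, sig in signatures.items():
        match = compile_signature(sig).search(data)
        if match:
            hits.append((name, match.start()))
    return hits


def validate_signature(sig: str, infected: Sequence[bytes],
                       clean: Sequence[bytes]) -> Dict[str, List[int]]:
    """Step 2's two tests for a candidate search string.

    'missed' lists infected samples the string does not hit (false
    negatives); 'false_positives' lists clean programs it does hit.  A usable
    signature returns two empty lists.
    """
    pattern = compile_signature(sig)
    return {
        "missed": [i for i, s in enumerate(infected) if not pattern.search(s)],
        "false_positives": [i for i, s in enumerate(clean) if pattern.search(s)],
    }


# Constructed samples (not real malware): an 'MZ' header followed by the fixed
# string, two 'polymorphic' samples that differ only in the wildcard positions,
# and a clean buffer that contains every byte value once.
SAMPLE_A = b"MZ" + bytes(10) + bytes.fromhex("B8004CCD219090") + bytes(5)
POLY_1 = bytes.fromhex("E812345E83EE03") + b"...payload..."
POLY_2 = bytes.fromhex("E8ABCD5E83EE03") + b"...payload..."
CLEAN = bytes(range(256))

if __name__ == "__main__":
    for label, buf in [("SAMPLE_A", SAMPLE_A), ("POLY_1", POLY_1),
                       ("POLY_2", POLY_2), ("CLEAN", CLEAN)]:
        print(f"{label:9}: {scan_bytes(buf)}")
    # The fixed string misses both Poly samples: those bytes need wildcards.
    print(validate_signature("B8 00 4C CD 21 90 90", [SAMPLE_A, POLY_1, POLY_2], [CLEAN]))
    print(validate_signature("E8 ?? ?? 5E 83 EE 03", [POLY_1, POLY_2], [CLEAN, SAMPLE_A]))
```

Run as-is it prints one hit per infected sample and none for the clean buffer; `validate_signature` shows why the fixed string for Example.A would be a bad choice for the Poly samples (two misses) while the wildcard string hits both without touching the clean data. Frisk's step 3, a detection procedure for viruses that cannot be found with any string, is exactly what this string matcher cannot do.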

------------------------------

Date:    25 Mar 93 18:02:38 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: EXE/COM switch (PC)


Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

>In this case, I once threw out an estimate that this would
>work against 50% of all viruses. To my regret, nobody attempted
>to produce a more accurate figure. 

That's simply because those who could do that, people who have a copy
of practically all known viruses, and could analyse them to see which ones
would get fooled have more important things to do....I have no desire to spend
a full day looking at every single virus in my collection to determine how it
would react to a .COM file with .EXE structure (or vice versa). The 50%
idea might be right..maybe too high, maybe too low, but my opinion is that
most people have no use for a 50% protection when a 99.9% protection is
available.

- -frisk


- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    25 Mar 93 19:19:26 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Catch from DIR? (PC)


cftdl@ux1.cts.eiu.edu (Terry Lundgren) writes:

>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

No way...well, almost no way :-)

   When you do a DIR, no code on the diskette is executed, so you cannot
   become infected.

   However, DOS reads the boot sector of the diskette, so if it is infected
   you may find virus code in your machine - however, it is "dead" - and
   will not be activated, so your machine is not infected.

There is, however, one way to run a program from a diskette by just doing a DIR,
but it is, well...a bit weird, and is not used by any malicious program that
I know of....so the answer is "in theory yes, in practice no",

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 25 Mar 93 18:47:08 -0500
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Catch from DIR? (PC)

Terry Lundgren writes:
>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

>The responses are running about 1/3 saying no way and 2/3 saying
>it is possible.  I would really like to get a definitive answer.
>If a virus can be passed in this way, would someone please
>describe how it might happen?  Or not.

In practice?  No.  In theory, yes, some really cleverly done ANSI
bomb, which again, in practice, practically can't be done!

You may be getting answers to the effect:

        YES, because if you do this and it's a boot sector infector,
        McAfee's SCAN will say that you are infected.  This is a
        ghost positive from SCAN and is a bug.

        YES, by the ANSI derivative above.

        NO, which in the case of file infectors, NO is always true.

(Hey, that's 2/3rds.  I'll stop.)  :-)

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research


------------------------------

Date:    Thu, 25 Mar 93 18:47:21 -0500
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: Re[2]: Removing virus on stack drive (PC)

pwong@igc.apc.org (Pete Wong) writes:

>> I recently discovered that a virus exist within my computer.  My PC
>> is stacked with a Stacker.  I used the Norton Anti-Virus to scan the
>> drives and it advised me to turn off the computer and boot it up
>> again with an un-affected boot disk.  Since my drives are stacked,
>> the NAV would not read drive C or D.

>> I also tried to boot it up with the Stacker files in the un-affected
>> DOS boot up disk.  Once I use the NAV to scan the drives, it would
>> say there is a virus detected in the memory and then it would not
>> scan any further.  This goes the same for scanning the floppy drives.

Which machine was used to put the stacker files on the "un-affected" DOS
boot up disk?  Assuming the machine is infected with Stoned, if that
activity occurred on the suspect machine, that boot up disk will now be
infected!!

>> The virus is called Stoned.

Because there are a number of boot infectors derived from Stoned, the
memory signature for Stoned actually picks up a number of strains.
(You can think of this as "following the CARO naming convention.")
NAV differentiates the Stoned variants in boot sectors but not the
memory sig.

>Stoned infects only the first -physical- disk drive (80h). In theory,
>it is possible to find it on another physical drive - if you have
>installed an already infected hard disk as a second one. It -never-
>infects logical disk volumes, like the ones created by Stacker.
>Therefore, you can safely reboot from a clean diskette and remove the
>virus from your hard disk, regardless that you are not able to access
>the stacked volume. NAV must be able to do that. If it isn't - call
>your local Symantec tech support.

>Another possibility is that the whole story is just a ghost false
>positive - NAV is detecting some scan string in memory, not
>necessarily the virus. Make sure you have disabled any other
>anti-virus programs (like VSAFE from CPAV) when you are performing the
>virus check. What happens if you boot from a clean floppy? You can't
>access the stacked volume, of course, but does NAV still find the
>virus in memory? If it doesn't, then it is certainly a false positive.

Chances of a ghost positive are pretty slim on this one.  Be careful with
the conditions that Vesselin gave to say "it is certainly a false
positive."  Vesselin is correct if all the "if" conditions are met.  But
I question if your "un-affected" diskette is still "un-affected."

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research


------------------------------

Date:    Fri, 26 Mar 93 00:35:51 +0000
From:    wolfgang.stiller@rose.com (wolfgang stiller)
Subject: Re:Virus that infects (PC)


Date Entered: 03-25-93 19:32
 rkolter@csuohio.edu (Ryan Kolter) asks:

R(>A friend of mine recently (a few months ago) told me about what
R(>appeared to be a computer virus his machine had caught that (in some
R(>manner) appeared to infect the files of his hard disk just after they
R(>were scanned.  His claim was that it dodged the scan by taking itself
R(>out of memory during the memory check (McAffee) and then reloaded into
R(>memory and removed itself from the infected file during the scan of
R(>that file.  After that, it would infect every .exe that was scanned.
R(>Thus the process of scanning actually infected the whole drive.

R(>I don't know if there is a virus out there that does this.  Is there?
R(>If so, is there a way to protect against it?  He said that Mcaffee didn't
R(>pick it up. (I don't know what version he used).

The virus doesn't really have to go through all that work.  The more
likely explanation is that your friend simply had a virus that the
scanner didn't recognize (one more reason to always boot from a clean
write-protected floppy before scanning and NOT to depend entirely on
scanning <g>).  Anytime you run a scanner with an unrecognized resident
virus that infects on file open, this will happen.  The scanner will
look at each file but not notice the virus because it is not aware of
that particular virus.  While this is going on the virus will merrily
infect each file checked and pronounced clean by the scanner.

Please suggest to your friend that he/she boot from write-protected
floppy before scanning.  While this won't help the scanner detect the
virus it will at least keep the entire system from getting infected
by the act of scanning.

Regards, Wolfgang

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.
- ---
   SLMR 2.1a  
   RoseMail 2.10 :

------------------------------

Date:    26 Mar 93 08:03:06 +0000
From:    demetre@phaethon.intranet.gr (Demetre Koumanakos)
Subject: Virsig (PC)

Hi all,

It has been a couple of months now that I haven't been able to
find a new Virsig file for TBAV.
Does anyone know what the story is ?

Demetre


------------------------------

Date:    Fri, 26 Mar 93 08:05:18 +0000
From:    u920666@daimi.aau.dk (Lasse Reichstein Nielsen)
Subject: HELP: Harddisk deteriorating rapidly (PC)

Problem:

My elder brother was trying a new game out on my fathers PC.
The screen froze and the harddisk kept spinning, so he pressed RESET.

Nothing has been normal since...

He tried deleting the game, when an error message popped up (some
file-allocation error or cluster not found).

He started Norton DiskDoctor, and found:
4 files had fat-chains destroyed 
1 something else wrong
2 crosslinked 

and fats weren't identical.

NO PROBLEMO, I thought, and checked the backups. We had the most important
files, so I let NDD do its job.

FINE.

5 mins. later there were more problems...

more files with illegal fat-chains...

Norton DiskEdit!

I found the chains had been severed by a LARGE (50000+) number in 
the middle of an otherwise sound fat-chain. I fixed the chains
manually, but now I was getting curious. 
I ran NDD, synchronizing the fats - all errors fixed.
I ran NDD, Fats out of sync, files with bad chains, even crosslinked files.
I DIDN'T EVEN RESTART NDD! It happened while running.

OK! Boot from write-protected floppy, running McAfee SCAN v102.

No virus found!

NDD found some problems, DE fixed them, NDD found no new errors.. FINE

Reboot from c:.... CRASH, wouldn't boot, hanged in AUTOEXEC.BAT

Boot from a:, change Config & Autoexec to empty files...

Crashed when booting from C:!

I tried 'sys c:', 'fdisk /mbr', and looking at the bootblock and 
partitiontable, they looked fine.

Every time I tried to boot from C: something new (and increasingly
more disastrous) went wrong... when I gave up,
command.com was defective, and system gave "Memory Configuration 
Too Small" (or something similar) error before the config.sys
(tried putting device=c:\dos\himem.sys in it - no effect, but
now himem was defective)

Norton Calibrate said there was a bad cluster at the end of the 
harddisk, but both fats said all clusters were OK.

Everything worked fine (except the files that had already been
messed up) when I boot from A: (write-protected).

The system is a Commodore PC40-III, 286-12, 40Mb Hd
640K main, 386K extended, Dos 5.0, himem.sys
The battery is dead, so the date was probably 23/3'93 (or 22/3'93)
just around midnight (22nd to 23rd).

If ANYBODY knows ANYTHING, please email. I can't fight
something I can't see!!!

			SPOT / u920666@daimi.aau.dk


- ----------------------------------------------------------------------
'I just want to know one thing.....where they are...!' - Vasquez

------------------------------

Date:    Fri, 26 Mar 93 06:29:31 -0500
From:    Otto Stolz <RZOTTO@NYX.UNI-KONSTANZ.DE>
Subject: Re: [Stoned] (PC)

> > Has anyone heard of the [Stoned] virus and if so, then what does it
> > do? [...]

This question has been discussed so much in this list that I am somewhat
surprised about the inaccuracies in Andrew's response.

On Mon, 08 Mar 93 16:55:41 +0000 Andrew M Smith <theodore@unity.ncsu.edu>
said:
> Stoned is a rather benign virus except for when it infects irregular
> hardware.

Whilst the epithet "benign" for a virus is generally debatable, Stoned
exhibits some extra nasty traits (probably not intended by its programmer,
but still nasty):

- - Even on regular hardware, Stoned does not care where it puts the
  original master boot record, hence data may be overwritten. In
  particular, if the HD has been partitioned with FDISK of DOS version 2,
  Stoned will overwrite part of the FAT of partition C.

- - When a HD is doubly infected with several Stoned variants (a notorious
  example being Stoned.Standard and Stoned.Michelangelo, cf. FAQ list),
  then the system becomes unbootable.

> Stoned hides in the boot sector of floppies, and the partition table of
> hard drives.

All of us should cease to call the Master Boot Record "Partition Table".
The partition table is exactly that part of the master boot record that
is *not* suited to hide a virus!

> McAfee's Clean can remove the virus from hard drives, and floppies.

There have been reports in this forum that McAfee's Clean did not
properly disinfect Stoned in all cases. Rather than elaborating this, I'd
like to remind you of the generic DOS procedure to remove MBR infectors
from a hard disk:
1. Boot from a clean DOS 5.0 disk.
2. Make sure that the partition table is intact, e.g. by issuing
        FDISK /STATUS
   or by accessing all partitions of the HD, as in
        DIR C:
        DIR D:
        ...
3. If the partition table is intact (it will be so with a Stoned
   infection), issue
        FDISK /MBR

Best regards,
                    Otto Stolz <RZOTTO@DKNKURZ1.Bitnet>
                               <RZOTTO@nyx.uni-konstanz.de>
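Otto's point that the partition table is the one part of the MBR a virus cannot hide in, and his procedure (first confirm the table is intact, then rewrite the MBR code), can be made concrete with a small checker. The Python below is an added example for this digest, not DOS FDISK or any product's code. It relies only on the standard MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, the signature 55 AA at 0x1FE); the disk size, the partition entry, the boot-code bytes and all sample sectors are constructed for the example. `replace_boot_code` reproduces only the effect the post attributes to FDISK /MBR (fresh code, table kept) and is not the DOS implementation.

```python
"""
MBR partition-table sanity check and boot-code rewrite.

Added example for this digest; not DOS FDISK or any product's code.  It
relies only on the standard MBR layout: 446 bytes of boot code, four 16-byte
partition entries at offset 0x1BE, and the signature 55 AA at 0x1FE.  All
disk parameters and sample sectors below are constructed.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE        # partition table starts here; boot code precedes it
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE    # last two bytes of the sector
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS first, type, CHS last, LBA first, length


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four partition entries; CHS fields skipped, LBA fields kept."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba_first, length = struct.unpack(
            ENTRY_FORMAT, mbr[start:start + ENTRY_SIZE])
        entries.append({"status": status, "type": ptype,
                        "lba_first": lba_first, "length": length})
    return entries


def check_partition_table(mbr: bytes, disk_sectors: int) -> List[str]:
    """Offline counterpart of step 2 (FDISK /STATUS): report table problems.

    An empty list means the table looks intact.  Only the table and the
    signature are inspected; the boot code is deliberately ignored, because
    that is where an MBR infector lives and its contents prove nothing here.
    """
    problems = []
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        problems.append("boot signature 55 AA missing")
    entries = parse_partition_table(mbr)
    used = [(i, e) for i, e in enumerate(entries) if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{e['status']:02X}")
    for i, e in used:
        if e["length"] == 0:
            problems.append(f"entry {i}: zero length")
        if e["lba_first"] == 0:
            problems.append(f"entry {i}: starts in sector 0 (overlaps the MBR)")
        elif e["lba_first"] + e["length"] > disk_sectors:
            problems.append(f"entry {i}: extends past end of disk")
    spans = sorted((e["lba_first"], e["lba_first"] + e["length"], i) for i, e in used)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"entries {a} and {b} overlap")
    return problems


def replace_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """Step 3: fresh boot code and signature, partition table kept unchanged.

    Mirrors only the effect the post attributes to FDISK /MBR; this is not
    the DOS implementation.  Use it only when check_partition_table() is empty.
    """
    if len(clean_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit in the 446 bytes before the table")
    code = clean_code.ljust(TABLE_OFFSET, b"\x00")
    return code + mbr[TABLE_OFFSET:SIGNATURE_OFFSET] + BOOT_SIGNATURE


def build_mbr(boot_code: bytes, entries: List[Dict[str, int]]) -> bytes:
    """Assemble a constructed test sector (not a real bootable MBR)."""
    table = b"".join(struct.pack(ENTRY_FORMAT, e["status"], bytes(3), e["type"],
                                 bytes(3), e["lba_first"], e["length"]) for e in entries)
    return (boot_code.ljust(TABLE_OFFSET, b"\x00")
            + table.ljust(4 * ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE)


# Constructed data: a 40 MB disk with one active FAT16 partition, and two
# arbitrary stand-in byte strings (neither is real loader or virus code).
DISK_SECTORS = 81_920
CLEAN_CODE = bytes.fromhex("FA33C08ED0BC007C")
FOREIGN_CODE = b"\xCC" * 23
TABLE = [{"status": 0x80, "type": 0x06, "lba_first": 63, "length": DISK_SECTORS - 63}]
CLEAN_MBR = build_mbr(CLEAN_CODE, TABLE)
FOREIGN_MBR = build_mbr(FOREIGN_CODE, TABLE)                          # table intact, code replaced
DAMAGED_MBR = CLEAN_MBR[:TABLE_OFFSET] + b"\xFF" * 64 + BOOT_SIGNATURE  # table trashed

if __name__ == "__main__":
    for label, sector in [("clean", CLEAN_MBR), ("foreign code", FOREIGN_MBR),
                          ("damaged", DAMAGED_MBR)]:
        print(f"{label:13}: {check_partition_table(sector, DISK_SECTORS) or 'table intact'}")
    print("rewrite restores clean sector:",
          replace_boot_code(FOREIGN_MBR, CLEAN_CODE) == CLEAN_MBR)
```

On the constructed sectors the checker reports the table intact for both the clean MBR and the one with foreign code, which is the situation Otto describes for a Stoned infection: the table survives, so rewriting the code is safe. The check says nothing about where the virus stored the original sector, so the data overwrite Otto describes in his first point has to be assessed separately.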


------------------------------

Date:    Fri, 26 Mar 93 07:17:40 -0500
From:    Alessandro Lombardi <alexl@dec01.ing.como.polimi.it>
Subject: Pc-Tools 8.0 (Pc)

Hello all.

I am an Italian guy in trouble with Pc-Tools 8.0. Every time I install it
on my Pc, the BIOS cries...
In fact, some days ago I did not understand it, but here are the steps:
After the BIOS had cried a few times, I decided to do something:
I formatted my HD (84 Mb) using the hard disk options in the setup of my
American Megatrends BIOS, in particular I used Auto-interleave (fixed on 4) and
then Hard disk format. I reinstalled all of my files (I had previously made a
full backup), and all that was left to do was installing these DAMNED Pc-Tools!!
When, at the end of installation, it asked me whether to build an emergency
diskette, answering yes, at the top left of the screen this message appeared
(in Italian): "ATTENTION: big error of the drive while writing on
unit D: retry?" (I use DR-DOS 6.0 with sstordrv). Of course I will not use
PC-Tools 8.0 any more, but I'd like to know if this is due to some defect only
in my diskettes, to something in my hardware, or if it is a general and widespread
problem. If someone has any suggestion, please write both to virus-l and
to me.
Thanks in advance.

- -alexl

***************************************************************************
**   Alessandro Lombardi,  via P.Verri 12, 21100 VARESE (VA)-ITALY       **
**   Tel.: 0332/265777;    e-mail: alexl@dec01.ing.como.polimi.it        **
**                                                                       **
**                " Things go well in order to go bad "                  **
**                                                                       **
***************************************************************************
 
------------------------------

Date:    Fri, 26 Mar 93 12:08:51 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Ignorance is still curable (PC)

Subject: Ignorance is curable (mostly PC)

>From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)

>Well dear Padgett, it seems like you didn't quite get my idea: There is no
>problem in checking that the original INT-13 ISR is located in the BIOS area (
>except if you are using some smart PC that does the shadowing of the BIOS to
>another area in RAM location and completely remaps the addresses), However
>that is not the issue here. When you know the location of the original INT-13
>ISR is when the system is already booted (or in the process) but *AFTER* the
>IO.SYS is loaded (unless your Anti Virus is also an operating system which you
>will excuse me for not believing it is so).

I can understand your skepticism; however all of my A-V checking IS done before
IO.SYS runs. For that matter I have a version of FixMBR that does not require
an operating system at all! With the BIOS (as I have said before) you have a
fully functional computer. In fact the only elements that run from DOS are the
validation programs (CHSMBR, CHKBOOT, CHKMEM) and the installation/repair
programs (FixFBR, FixMBR).

- --------------------------

>Padgett answers:
> > A virus can intercept an interrupt vector. It cannot intercept as FAR CALL.
> > All you need to know is where to make the far call to (the exercise is
> > left to the student).

>A. I agree that a virus does not intercept a FAR CALL, but only hooks an
>interrupt.
>B. To know where to make the far call to, you should be a Gypsy and own a
>crystal ball to consult with. Because whatever YOU consider predictable is
>not so in reality.

Again, if it is retrieved *before* IO.SYS, it must either point to ROM or
*something else* (e.g. a virus). As a result only seven bytes are necessary
to validate the INT 13 path:

CMP BYTE PTR [004Fh], 0C0h    ; high byte of the INT 13h segment (vector at 0000:004Ch); assumes DS=0
JB  <error handler>           ; segment below C000h: not in ROM, so the vector has been hooked

The same applies to Int 2F fn 13 however if a memory manager e.g.
QEMM "stealth" is in use then you may not be able to trust this test
alone, some intelligence must be applied. No inductive logic is needed though.

>The "original" procedure is located somewhere in the system depending on
>which program took it. You cannot assume that the INT-13 ISR is in a
>constant place, nor can you assume it is a part of the BIOS, because if you
>do, your program is likely to crash a lot of PCs, especially those that
>use special low-level programs like access control to disks and several
>network tools. So much for predictions.

Well, many people have been using FixMBR and SafeMBR for quite some time
with everything under the sun. It does flag many access control programs, but
they usually have their own MBR replacement. It does not conflict with any
BIOS routines, including boot protection & passwords, once installed.

>I'm sorry to be the one that lets you know that INT-25 & 26 are translated
>eventually into INT-13, just as INT-21 Fn 02 (write char) is translated into
>INT-10. So you see, what you wrote is incorrect. There is *NO* area on the
>formatted disk surface that is not accessible via INT-13.

Afraid you read me backwards - this was exactly my point: you cannot trust
Int 25 or 26 to give you physical sectors. Incidentally, there are any number
of surfaces you cannot reach with Int 13: Bernoullis and CD-ROMs are two
common ones. My point was that since a compressed disk's boot sector is
not the real partition's boot sector, any program that examines the compressed
boot record must be using Int 25 and not Int 13 directly.

						Warmly,
							Padgett
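An added example, not from Padgett's post or his FixMBR/SafeMBR programs: the INT 13h vector test discussed above, written in C and run over a constructed copy of the real-mode interrupt vector table. On the machine itself that table is the first 1 KiB of physical memory (segment 0000h) and the check is made before IO.SYS loads; here the table is a byte array so the logic can be exercised anywhere. Both tables are constructed: F000:EC59 is used as a conventional ROM BIOS address for the clean case, and 9F80:0000 stands for a hook sitting in conventional memory. The decision rule is the one in the post (segment below C000h means the vector no longer points into ROM); the BIOS-shadowing and QEMM "stealth" caveat is left to the caller, which is why the segment is returned alongside the verdict.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define IVT_BYTES 1024   /* 256 vectors x 4 bytes, segment 0000h */

/* Each vector is a far pointer: offset word, then segment word, little-endian. */
static void set_vector(uint8_t *ivt, int intno, uint16_t seg, uint16_t off) {
    uint8_t *v = ivt + intno * 4;
    v[0] = off & 0xFF; v[1] = off >> 8;
    v[2] = seg & 0xFF; v[3] = seg >> 8;
}

uint16_t vector_segment(const uint8_t *ivt, int intno) {
    return (uint16_t)(ivt[intno * 4 + 2] | (ivt[intno * 4 + 3] << 8));
}

/* The seven-byte test from the post: CMP BYTE PTR [intno*4+3], 0C0h / JB error.
 * For INT 13h that byte sits at 0000:004Fh. A segment of C000h or above means
 * the vector still lands in the adapter/BIOS ROM area. */
bool vector_in_rom(const uint8_t *ivt, int intno) {
    return ivt[intno * 4 + 3] >= 0xC0;
}

/* Before IO.SYS has run, nothing legitimate should be below C000h, so the post
 * treats a RAM segment as a hook (e.g. a boot-sector virus). A memory manager
 * such as QEMM "stealth" can move ROM entry points, so a RAM segment is a flag
 * for a human to look at, not proof on its own. */
const char *classify_int13(const uint8_t *ivt) {
    return vector_in_rom(ivt, 0x13) ? "ROM" : "RAM-hooked";
}

/* Constructed tables (assumption: these addresses are illustrative only). */
static uint8_t g_clean[IVT_BYTES], g_hooked[IVT_BYTES];

const uint8_t *clean_ivt(void) {
    memset(g_clean, 0, IVT_BYTES);
    set_vector(g_clean, 0x13, 0xF000, 0xEC59);   /* INT 13h inside the ROM BIOS */
    return g_clean;
}

const uint8_t *hooked_ivt(void) {
    memcpy(g_hooked, clean_ivt(), IVT_BYTES);
    set_vector(g_hooked, 0x13, 0x9F80, 0x0000);  /* INT 13h hooked just under 640 KiB */
    return g_hooked;
}

int main(void) {
    const uint8_t *t = clean_ivt();
    printf("clean : INT 13h segment %04X -> %s\n", vector_segment(t, 0x13), classify_int13(t));
    t = hooked_ivt();
    printf("hooked: INT 13h segment %04X -> %s\n", vector_segment(t, 0x13), classify_int13(t));
    return 0;
}
```

Build with any C99 compiler and run; `vector_in_rom` is the literal seven-byte test, `classify_int13` the verdict. The same function applied to other vectors (the post mentions Int 2F) needs the extra judgement the post calls for, since memory managers legitimately redirect some of those.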


------------------------------

Date:    26 Mar 93 14:57:41 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: IBM PC Boot Seq (was Partition table viruses (PC))


Thus spake bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

  [stuff about FDISK /MBR]

>That's correct, but particularly with ExeBug there is one more
>problem. First, the virus is stealth, so when it is active in memory,
>you cannot "see" that the MBR is infected. Second, when you try to
>boot from a floppy, due to the CMOS "fix", the machine boots from the
>hard disk and loads the virus. However, the virus checks whether a
>floppy is present in the A: drive, and if it is so, BOOT FROM THAT
>FLOPPY. So, if you don't watch -very- carefully, it LOOKS as if you
>have booted from a floppy. A quick inspection of the MBR enforces this
>impression, because the virus stealths the MBR...

There's actually another problem, too. Because the virus overwrites all
of the partition record [code *and* data], if you do boot clean and 
run FDISK /MBR, you've removed the virus, but left a mess behind instead
of the partition data. Without the viral stealth, there's nothing to
redirect DOS to the hidden copy of the partition table when drive letters
are being assigned. Oh dear -- no hard drive. Also, your hard drive won't
boot, because the partition data is in tatters. You'll get "Invalid
partition table" or the like during bootup.

So, "Clean Boot -- FDISK /MBR -- SYS C:" is *not* a generic clean-up
procedure for all boot/partition viruses.

If you've got a steady hand and a sector editor, Exebug's easy. Boot clean
and move 0.0.17 back over 0.0.1. If you *haven't*, then you need software
[eg: a-v software] which will automatically do the "ah yes, Exebug -- ah
yes, old partition record at 0.0.17 -- ah yes, let's stick things back where
they should be". FDISK /MBR alone *won't* work, though, with Exebug.

Hoho: there is a trick, if you don't have a sector editor [or are scared]
and you don't have a-v software. But you do need one of those utilities
which will make an "emergency" copy of your partition record. Simply 
*make* the emergency copy with the virus resident [ie: after booting from
hard disc] and *restore* the emergency copy after a clean boot. The viral
stealth will do the rest...

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
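An added example, not from Paul Ducklin's post: a small C model of the Exebug clean-up problem described above. The disk image, its geometry (2 heads, 17 sectors per track), the placeholder boot code and the single partition entry are constructed for the example; the MBR layout (446 code bytes, four 16-byte partition entries at offset 446, 55 AA at offset 510) and the CHS 0.0.1 and 0.0.17 sectors are as in the post. It compares the three clean-ups the post discusses: FDISK /MBR-style code replacement, moving 0.0.17 back over 0.0.1 with a sector editor, and the emergency copy made while the stealth virus is resident.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define SECTOR   512
#define HEADS    2      /* constructed geometry */
#define SPT      17     /* sectors per track, so CHS 0.0.17 exists */
#define NSECTORS 32
#define LBA(c, h, s) ((((c) * HEADS) + (h)) * SPT + ((s) - 1))   /* CHS -> sector index */
#define PT_OFF   446    /* partition table: four 16-byte entries */
#define SIG_OFF  510    /* 55 AA */

typedef struct { uint8_t sec[NSECTORS][SECTOR]; } disk_t;

static void put_signature(uint8_t *s) { s[SIG_OFF] = 0x55; s[SIG_OFF + 1] = 0xAA; }

/* Original MBR: NOP placeholder code plus one bootable type-06 entry (constructed). */
static void make_original_mbr(uint8_t *s) {
    static const uint8_t entry[16] = { 0x80, 0x01, 0x01, 0x00, 0x06, 0x01, 0x11, 0x4F,
                                       0x11, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00 };
    memset(s, 0x90, PT_OFF);
    memset(s + PT_OFF, 0, SECTOR - PT_OFF);
    memcpy(s + PT_OFF, entry, sizeof entry);
    put_signature(s);
}

/* Infection as described in the post: park 0.0.1 at 0.0.17, then overwrite
 * 0.0.1 in full (code *and* data). 0xEB stands in for the viral body; the
 * 55 AA signature is kept so the BIOS still boots the sector. */
static void infect(disk_t *d) {
    memcpy(d->sec[LBA(0,0,17)], d->sec[LBA(0,0,1)], SECTOR);
    memset(d->sec[LBA(0,0,1)], 0xEB, SECTOR);
    put_signature(d->sec[LBA(0,0,1)]);
}

/* Stealth model: while the virus is resident a read of 0.0.1 returns 0.0.17. */
static const uint8_t *read_sector(const disk_t *d, int lba, bool virus_resident) {
    if (virus_resident && lba == LBA(0,0,1)) lba = LBA(0,0,17);
    return d->sec[lba];
}

/* Sanity check of a partition record: signature present, every boot indicator
 * is 00 or 80, and at least one entry is in use. */
bool mbr_valid(const uint8_t *s) {
    if (s[SIG_OFF] != 0x55 || s[SIG_OFF + 1] != 0xAA) return false;
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = s + PT_OFF + 16 * i;
        if (e[0] != 0x00 && e[0] != 0x80) return false;
        if (e[4] != 0) used++;
    }
    return used > 0;
}

/* With the virus resident, a scan of the MBR sees the parked original and
 * reports the infected disk clean; after a clean boot it sees the mess. */
bool infected_looks_clean(bool virus_resident) {
    disk_t d;
    make_original_mbr(d.sec[LBA(0,0,1)]);
    infect(&d);
    return mbr_valid(read_sector(&d, LBA(0,0,1), virus_resident));
}

/* Each clean-up on a freshly infected image after a clean boot (no stealth).
 * Returns whether the partition record is usable afterwards. */
bool cleanup_leaves_valid_mbr(int method) {
    disk_t d;
    uint8_t copy[SECTOR];
    make_original_mbr(d.sec[LBA(0,0,1)]);
    infect(&d);
    switch (method) {
    case 0: /* FDISK /MBR: new code and signature, partition bytes left as found */
        memset(d.sec[LBA(0,0,1)], 0x90, PT_OFF);
        put_signature(d.sec[LBA(0,0,1)]);
        break;
    case 1: /* sector editor: move 0.0.17 back over 0.0.1 */
        memcpy(d.sec[LBA(0,0,1)], d.sec[LBA(0,0,17)], SECTOR);
        break;
    case 2: /* emergency copy taken with the virus resident, restored after a clean boot */
        memcpy(copy, read_sector(&d, LBA(0,0,1), true), SECTOR);
        memcpy(d.sec[LBA(0,0,1)], copy, SECTOR);
        break;
    default: return false;
    }
    return mbr_valid(d.sec[LBA(0,0,1)]);
}

int main(void) {
    const char *names[] = { "FDISK /MBR alone", "0.0.17 -> 0.0.1", "emergency copy" };
    printf("infected, virus resident: looks clean = %d\n", infected_looks_clean(true));
    printf("infected, clean boot:     looks clean = %d\n", infected_looks_clean(false));
    for (int m = 0; m < 3; m++)
        printf("%-18s valid MBR afterwards = %d\n", names[m], cleanup_leaves_valid_mbr(m));
    return 0;
}
```

The FDISK /MBR case fails for exactly the reason given in the post: the command rewrites only the 446 code bytes and the signature, so the viral data sitting where the partition table used to be stays put and nothing now redirects to the copy at 0.0.17. Method 2 works only because the copy is taken *before* the clean boot, while the stealth is still answering reads of 0.0.1 with the parked original.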

------------------------------

Date:    26 Mar 93 15:33:02 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Catch from DIR? (PC)


Thus spake cftdl@ux1.cts.eiu.edu (Terry Lundgren):
>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

>The responses are running about 1/3 saying no way and 2/3 saying
>it is possible.  I would really like to get a definitive answer. 
>If a virus can be passed in this way, would someone please
>describe how it might happen?  Or not.

Obviously, the answer is "No". 

But as soon as anyone goes public with their "No", some dork-breath will
discover that code in the root directory, together with <Ctrl-M><F>+
<ecce-ecce-ole-fertanggg-biscuit-barrel> at offset 0x0045 in FAT copy
2 will [a] cause code to be loaded into some DOS buffer or other and
then [b] cause DOS to trip the light fantastic, and drop control smack
into that very buffer of "garbage". Sort of like the Internet worm used
buffer overflow to win control over the instruction sequence, and thus
to get code executed without even logging in. Basically, when you put
yourself on a definitive limb in the computer world, someone comes along
and hacks it off :-)

Mind you, there's another way. I make a DOS 5.0 bootable disc. I give
it to you, and you DIR the disc. Then I say, "Arf, arf, gotcha". You say,
"Listen, tosh, what *are* you talking about". And I say "Hoho. Have a 
look in the root directory of your C: drive". You do, and, lo, there's
a copy of COMMAND.COM. Same size, same file as the one on my floppy. 
So, simply by doing a DIR, my virus has replicated COMMAND.COM from 
the infected floppy onto your hard drive. Hey -- there's more. I've 
planted two hidden files in your root directory too -- exact replicants
of the ones on my floppy, and all thanks to DIR. 

Guess what? This virus has good stealth -- your integrity checker notices
nothing. This virus is subtle -- your scanner doesn't pick it up either
[mind you, I've seen some scanners which might be able to detect it, and
a lot of other viruses besides, in memory -- even before you get it :-)].
OK, it's a DOS 5.0-specific virus. But most people round here are using 
5.0, so that's a fair bet. 

And this virus isn't so far-fetched. If you're in tech support, just
think of all the other "viruses" you've handled over the years. Viruses
in the printer cable and the coffee machine, for example :-)

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 51]
*****************************************


