From lehigh.edu!virus-l  Wed Apr 21 04:15:47 1993 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 21 Apr 93 16:48:10 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
	id AA15014; Wed, 21 Apr 1993 15:52:34 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA36021
  (5.67a/IDA-1.5 for <mikael@vhc.se>); Wed, 21 Apr 1993 08:15:47 -0400
Date: Wed, 21 Apr 1993 08:15:47 -0400
Message-Id: <9304211109.AA17599@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #67

VIRUS-L Digest   Wednesday, 21 Apr 1993    Volume 6 : Issue 67

Today's Topics:

Contest (was Beneficial/Non-Destructive)
Re: Virus Signatures
Re: Beneficial/Non-Destructive
Re: New program chair for IDES-of-March Virus Conference
Re: Sending viruses over Internet
Re: Should viral tricks be publicized?
Re: Virus Signatures
Fido-Net trojan (PC)
Boot Survival (Technical) (PC)
Re: Central Point and Stacker (PC)
Re: Censorship/40-Hex (PC)
Help needed with the Bootexe virus (PC)
Viruses which cost $$$ (PC)
Re: Removing PingPong virus from boot sectors (PC)
Re: Unknown little virus? (PC)
Re: VSAFE WONDER false alarm? (PC)
Got rid of Stoned -- but where did it come from? (PC)
Re: viruses and compression (PC)
keyboard virus? (PC)
Re: 5lo virus? (PC)
Re: VSAFE WONDER false alarm? (PC)
Re: Disk Death (PC)
Re: Can a virus infect NOVELL? (PC)
Corporate climate (CVP)
SCNDAY10.ZIP - Scan HD for viruses once a day on Mon/Wed/Fri (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 19 Apr 93 13:38:46 -0400
From:    CELUSTP@cslab.felk.cvut.cs
Subject: Contest (was Beneficial/Non-Destructive)

Hi all,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>Don't be so sure... Suppose that the beneficial virus does the
>following:

>1) Modifies only one executable file on your system.

Very unusual virus behaviour.

>2) This file is an anti-virus program.

Very suspicious activity.

>3) The modification consists of replacing the program with a newer copy.

How do you know it is the better or correct one?

>4) The virus infects your computer when you log to the LAN server.

First it was said it infects only one executable file. Now it is the whole
computer. Hmm...

>5) The virus has been installed on the LAN server by the LAN
>administrator.

It means deliberately entered into system.

>6) The LAN owner has a policy that no workstations are allowed to log
>in unless they are running the latest version of this particular
>anti-virus software.

Blackmail.

>7) The virus (actually a worm - it does not "attach" itself to
>programs and spreads via networks) does not do anything else.

If a virus is something "attaching" itself to programs, then some existing
viruses (boot viruses or companions) are not viruses either.

>8) The whole thing is marketed by the producer of the anti-virus
>software not as a virus, but as "a centralized method for automatic
>update of the software on the workstations".

Why this whole story about beneficial virus then?

>The main problem is that when talking about beneficial viruses, most
>people think about what is well-known to be a virus (something nasty
>that spread without your permission and often destroys something) and
>then try to fit it into the frame "beneficial". Of course it doesn't
>fit. Instead, it should be the other way around - think of what is
>beneficial (good user interface, you have full control of it, performs
>useful functions) and then try to add virus-like capabilities to it
>(i.e. self replication) without losing any of the beneficial
>capabilities. Additionally, for the peace of mind of the general
>public, don't call it "virus", but something more sophisticated et
>voila!


Exactement (= exactly, for non-French speaking people). Don't call a "virus"
something you are not sure is a virus. How can you be sure something is a
virus? Well, some things are repeated over and over and it seems to me the
problem is the virus definition again. I was following everything written about
this subject on this list and recently reread all issues of Virus-L Digest
from no. 1 to the last one (for this year). I will not summarize here what I
concluded. Instead of that I announce:

     CONTEST FOR THE BEST COMPUTER VIRUS DEFINITION      

In following categories:

1. Technical definition (in plain language - preferably English)
2. Technical definition (mathematical)
3. Legislative definition
4. Ethical definition
5. Philosophical definition
6. Poetical definition
7. Funny definition
8. Other definitions

Propositions:

1. This definition should be as short as possible, cleared of attributes
such as "good", "bad", "beneficial" or similar, not mentioning the state of the
user's mind, etc.; it should be clearly stated for which environment (e.g.
operating system) it is applicable, and the definition should leave no doubt.
2. The meaning of every symbol in the mathematical formula(s) should be clearly
explained.
3. This definition should contain a statement of which part of the virus code
could be considered punishable (supposing virus writing is a criminal act).
4. This definition may include terms such as "good", "bad", "beneficial",
"malicious", etc. The point is to stress what could be good and what is bad
in writing viruses.
5. This definition may have a completely free form. However, religious
statements of the type "First there was a virus..." should be avoided if possible.
6. Limerick is the preferred form, but epic poems, if good, may also compete.
7. The preferable form is a short joke. For fair play I suggest not using any
personal names of real persons.
8. Any other definition not belonging to the previous categories.

Contributions may be sent by e-mail to celustka@sun.felk.cvut.cs with the subject
"contest - number of category" (e.g. contest - 1) or by snail mail to the address
below. Everybody willing to participate may send his/her own definition or
suggest somebody else's, with an exact citation of the source where the definition
can be found (preferably sending a copy of the definition). One person can compete
in more than one category with more than one definition (however, the limit is
five definitions/category).

Jury:

At the moment only me. Everybody who doesn't want to compete and feels
competent enough to judge the quality of definitions is welcome. Just send me a
short e-mail with your address and category of interest.

Prizes:

Due to my limited financial ability, these are the prizes YOU WILL NOT GET:

1. Red Porsche (nor any other car of any colour, nor even a bicycle)
2. Two weeks on Bahamas
3. 1 000 000 $

Prizes which I can assure at the moment are:

1. Diploma for the best virus definition in respective category
2. Nice postcard from Prague

Any sponsor willing to increase the prizes fund is welcome.

Deadline:

30 June, but this term could be changed depending on interest.

Any suggestions about propositions and/or better contest organization will
be appreciated.

Enjoy the contest and let the best win!
                                                                           
Cheers,                     __________________________              
                           |                          |                    
Suzana                    /| Only the best is enough  |\     |\__/|        
             /~~~~~~\    / |     good for us!         | \   /      \       
          ~\(  * *   )/~   |__________________________|  ~\(  0 0   )/~    
            ( \___/  )                                     ( /---\  ) 
             \______/                                       \______/       
            @/       \@                                    @/      \@ 
- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka          e-mail addresses:
         Department of Computers             celustka@sun.felk.cvut.cs
         Faculty of Electrical Engineering   celustkova@cs.felk.cvut.cs
         Karlovo namesti 13
         12135 Prague 2                      phone : (+42 2) 293485   
         Czech Republic                      fax : (+42 2) 290159


------------------------------

Date:    19 Apr 93 23:39:50 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Signatures

ST29701@vm.cc.latech.edu writes:

>I was wondering why there is not anyone that periodically post NEW virus
>Signatures.  This would be very helpful to people in between releases of
>different virus scanners.

Very helpful? Well, keep in mind that most of the "new" viruses that
appear are not a threat "in the wild"...and by the time a virus becomes a
threat most scanners will probably be detecting it.

Also, consider that an ever-increasing percentage of new viruses uses
polymorphic encryption - so signature lists will not help...you need a
program update.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Tue, 20 Apr 93 10:23:07 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Beneficial/Non-Destructive

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> My question is: why do you need a virus (or worm) to do this ? All

In order to achieve automatic update when a workstation logs in. If
you are using the usual go-to-every-PC-and-install-the-program
technique, this might be rather expensive for an organization with a
few thousand PCs...

> you need is a regular program that runs as part of the login script,
> detects the version via strobe/date/size/checksum and performs a copy/
> execute if an update is needed.

You don't understand - this -is- the virus. The anti-virus package
plus the relevant part of the system login script. When you install
the virus (as a supervisor), it modifies the system login script, by
including in it a (possibly modified) part of itself. At workstation
login, this part is executed and spreads another part of the virus
(the anti-virus package) to the workstation that logs in. The whole
process matches exactly Dr. Cohen's definition of a virus and is
clearly beneficial.

> McAfee's CHKSHLD in a .BAT will do this 
> function plus verify that the TSR is functioning properly and is neither 
> virus nor worm (neither the .BAT nor CHKSHLD needs to be copied to the 
> client).

That's exactly why McAfee's package is not a virus - it doesn't have
the capability to automatically update itself on the workstations.
Although you could easily add virus-like capabilities to it by some
clever login script programming and a few external utilities (e.g., to
check the current version of the package on the workstation).

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:30:33 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New program chair for IDES-of-March Virus Conference

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> jsb@well.sf.ca.us (Judy S. Brand) writes:

> > The person does not seem to have read my letter last week
> > to "Ides of March" attendees. 

> Uh, what letter? I have not received any such letter - at least not
> yet.

Correction - got the letter yesterday. No wonder that it has taken
such a long time - the address was a horrible mess of my office and
private addresses and my name was misspelled. As it was misspelled on
my ID on the conference, and on the previous conference, and on the
"certificate" I got from the previous conference. IMNSHO, this mess is
an excellent example of the lack of organization that surrounds this
event. The organizers seem to be unable even to get their mailing
lists straight... And my name and office address can be found at the
end of any message I post to Virus-L/comp.virus - a newsgroup that
both you and Dick Lefkon have demonstrated to have access to.

Prof. Brunnstein has still not received his letter, BTW.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:36:36 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Sending viruses over Internet

atman@rahul.net (Visceral Clamping Mechanism) writes:

> This is not strictly true.  Fidonet also has an email routing method called
> "host routing" in which email is transferred through one (or more?) "host"
> systems. 

I see... I didn't know that - when I was using FidoNet in Bulgaria,
the SysOps used to tell me that I cannot send NetMail to anybody
outside Europe and Israel, because they are unable to dial his/her
telephone directly. (For those of you who don't know it, it is
impossible to automatically dial a number outside these areas from
Bulgaria. It can be done only via very special lines.)

> gateway.  Email in Fidonet is not always point-to-point, and encryption of 
> sensitive data, such as new viruses, with a good encryption program is always
> a good idea.

Wasn't the transfer of encrypted data forbidden by the rules of
FidoNet?

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:40:57 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Should viral tricks be publicized?

khan0095@nova.gmi.edu (Mohammad Razi Khan) writes:

> Virus writers will write viruses, Ant-Virus writers will write
> anti-virus programs, I think it should be publicized, only
> to inform the (uninformed) public about how easy it actually
> is, you wouldn't belive the amount of people who "trust".

To inform you about what exactly? That it is very easy to write a
virus? Doesn't the number of existing viruses (about 2,300) convince
you enough? Or don't you trust me that they are so many?

> There are also another extreme group of people, paranoid about
> security, who cringe at even hearing the word virus, and all the
> hype about michelangelo did bring many of them out.  If these
> viruses were made to be public domain then

As I tried to explain to somebody else, there are other things to be
concerned about. First, while not giving viruses to anybody certainly
cannot stop the viruses from spreading, giving them to anybody who
wishes -does- help them spread. Why should we help them? Second, by
giving them to anybody who wishes, you are damaging your reputation.
Maybe we really need a new FAQ entry?

> a.) trusting people will see what they really are up against
> b.) paranoid people will see how trivial most viruses are.

How exactly do you expect people to "see" this? According to your own
words, your friend has had two viruses on his computer and has not
"seen" anything. Remember, the vast majority of the computer users are
just not competent enough to handle a virus properly. Making viruses
freely available to them will only make the problem worse.

> heck, who can't make a batch program that goes

> echo Y|del *.*

Heck, a Russian hacker has written a memory resident (!) slow BAT file
infector - entirely in the BAT language... Using NO external programs
that are required to be present (DEBUG, EDLIN). Fortunately, there's a
bug in the virus and it doesn't work well, but the basic idea is
there...

> Also, people, in general, will know how to effectively combat a virus
> by them selves. 

Could you please explain HOW exactly a person who is not competent
enough to handle a virus will handle it better if you give him/her
free access to virus code? And WHY s/he won't be able to get better
informed by reading this forum?

> Well, anyway, I think they should be public domain.]

I think - not. They spread well enough by themselves or are spread by
the VX BBSes. No need to help them additionally.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 10:54:50 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Signatures

ST29701@vm.cc.latech.edu writes:

> I was wondering why there is not anyone that periodically post NEW virus
> Signatures. 

But they do! Virus Bulletin regularly posts new virus signatures -
actually, every month. Jan Terpstra maintains a publicly available
list of virus signatures and updates it from time to time. S&S
International ships by fax urgent updates for their scanner to their
users, when this is necessary.

> This would be very helpful to people in between releases of
> different virus scanners.

There are some problems with that. First, some scanners don't rely
simply on signatures. They are using the offset from the file entry
point where the signatures could be found, commands to disinfect the
virus, algorithms for polymorphic viruses, etc. Second, there is the
problem you note below, namely that

> this might be helpful to the writter of that virus

Third, some producers of anti-virus software consider their collection
of virus signatures to be a trade secret and guard it not only from
the virus writers but also from their competitors.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

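Bontchev's point that a scanner looks for a signature at a known offset from the file's entry point, rather than anywhere in the file, as an added example in C. This is not code from the post or from any scanner named in this digest: the three file images, the ASCII marker "SIGTEST" standing in for a signature and the offset of 4 are all constructed for the demonstration, and the one format assumption is a COM-style file (load address 0x100) whose entry is either offset 0 or the target of a leading near JMP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NO_ENTRY ((size_t)-1)

/* File offset of the first instruction really executed in a COM-style file
 * (load address 0x100): if the file starts with a near JMP (E9 rel16) the
 * entry is 3 + rel16, otherwise offset 0. Returns NO_ENTRY when the jump
 * would leave the file, so the caller never reads out of bounds. */
size_t com_entry_offset(const uint8_t *f, size_t len) {
    if (len >= 3 && f[0] == 0xE9) {
        uint16_t u = (uint16_t)(f[1] | (f[2] << 8));
        long rel = (u & 0x8000) ? (long)u - 0x10000L : (long)u;  /* sign-extend */
        long target = 3 + rel;
        if (target < 0 || (size_t)target >= len) return NO_ENTRY;
        return (size_t)target;
    }
    return len ? 0 : NO_ENTRY;
}

/* Exact byte comparison at one offset, with bounds checks. */
int sig_matches_at(const uint8_t *f, size_t len, size_t off,
                   const uint8_t *sig, size_t siglen) {
    if (off == NO_ENTRY || off > len || len - off < siglen) return 0;
    return memcmp(f + off, sig, siglen) == 0;
}

/* Scanner A: the signature is expected exactly `delta` bytes past the entry
 * point, the per-virus offset the post says scanners carry with the bytes. */
int scan_entry_relative(const uint8_t *f, size_t len,
                        const uint8_t *sig, size_t siglen, size_t delta) {
    size_t e = com_entry_offset(f, len);
    if (e == NO_ENTRY) return 0;
    return sig_matches_at(f, len, e + delta, sig, siglen);
}

/* Scanner B: a raw signature list with no offset, searched anywhere. */
int scan_anywhere(const uint8_t *f, size_t len,
                  const uint8_t *sig, size_t siglen) {
    if (siglen == 0 || len < siglen) return 0;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(f + i, sig, siglen) == 0) return 1;
    return 0;
}

/* Constructed "signature": an ASCII marker, not any real virus's bytes. */
static const uint8_t SIG[] = { 'S','I','G','T','E','S','T' };
#define SIG_DELTA 4   /* marker sits 4 bytes past the entry point */

/* Constructed sample 1: first instruction is JMP +0x10, skipping 16 bytes of
 * the original program and landing on an appended block at offset 0x13,
 * the layout an appending file infector leaves behind. */
static const uint8_t SAMPLE_JMP[] = {
    0xE9, 0x10, 0x00,
    'H','O','S','T','P','R','O','G','R','A','M','C','O','D','E','!',
    0x90, 0x90, 0x90, 0x90, 'S','I','G','T','E','S','T', 0xC3
};

/* Constructed sample 2: a normal program (MOV AX,4C00h / INT 21h at entry)
 * that merely contains the marker in its data, like run-time library code
 * that causes the false alarms discussed elsewhere in this digest. */
static const uint8_t SAMPLE_CLEAN[] = {
    0xB8, 0x00, 0x4C, 0xCD, 0x21,
    'd','a','t','a',':',' ', 'S','I','G','T','E','S','T', 0x00
};

/* Constructed sample 3: a JMP whose target lies past the end of the file. */
static const uint8_t SAMPLE_BAD_JMP[] = { 0xE9, 0xFF, 0x7F };

int main(void) {
    printf("sample 1: entry-relative %d, anywhere %d\n",
           scan_entry_relative(SAMPLE_JMP, sizeof SAMPLE_JMP, SIG, sizeof SIG, SIG_DELTA),
           scan_anywhere(SAMPLE_JMP, sizeof SAMPLE_JMP, SIG, sizeof SIG));
    printf("sample 2: entry-relative %d, anywhere %d\n",
           scan_entry_relative(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN, SIG, sizeof SIG, SIG_DELTA),
           scan_anywhere(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN, SIG, sizeof SIG));
    printf("sample 3: entry offset %s\n",
           com_entry_offset(SAMPLE_BAD_JMP, sizeof SAMPLE_BAD_JMP) == NO_ENTRY ? "invalid" : "ok");
    return 0;
}
```

Sample 1 is flagged by both scanners, sample 2 only by the anywhere search, which is the kind of false positive a bare signature list produces on unrelated programs; sample 3 shows why the entry-point calculation has to be bounds-checked before anything is read at it.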
------------------------------

Date:    18 Apr 93 20:22:00 +0000
From:    shakib.otaqui@almac.co.uk (Shakib Otaqui)
Subject: Fido-Net trojan (PC)

VB> shakib.otaqui@almac.co.uk (Shakib Otaqui) writes:

VB> > Further reports on Fido-Net say that once uncompressed, SCAN
VB> > identifies the Taiwan virus in the file.  F-Prot 2.07 says it has
VB> > ACAD.

VB> This is one and the same virus. The question is - which one exactly?
VB> Here are the possibilities:

There have been a lot of conflicting reports about this on
Fido-Net.  The consensus now is that it is a trojan rather than a
virus.  Apparently, the writer used the disk-trashing code from
Anti-Cad/Taiwan, but not the infection code.  The program begins
to do its dirty work immediately on execution, so I suppose
there's not much point in infecting files it's about to trash.

 * PQ 2.15 189 * The worst trojan is someone's ignorance.

------------------------------

Date:    Mon, 19 Apr 93 06:11:46 -0400
From:    groot@idca.tds.philips.nl (Henk de Groot)
Subject: Boot Survival (Technical) (PC)

A week ago I patched my BIOS (EPROM) to support a new disk. To patch the
ROM I had to collect the checksum. A small C program was written to
calculate the checksum of the current BIOS. I was convinced that adding up
all the bytes in the current BIOS (from F000:0000 till F000:FFFF) should
give an answer 0. To my surprise it didn't!

What I found may be of interest to this group. I was running MS-WINDOWS and
decided to reboot the PC with a clean floppy. I ran the C program again and
the BIOS checksum was 0 this time! So running MS-WINDOWS seemed to 'change'
the contents of the BIOS. I realized that I was looking at (protected) RAM
instead.

A diff revealed what had been changed: the jump to the POST/BOOT code at
FFFF:0000 was not jumping into the BIOS anymore but to some address in
conventional memory. This is probably the way WINDOWS 3.1 catches CTRL-ALT-DEL
or even a brute call to FFFF:0000. It could also be Smartdrive, to have the
ability to flush the cached writes this way (just guessing here). Whatever
program did it I don't know; I expect it to be a feature of MS-WINDOWS, not
a virus (I didn't bother to find out).

In the group there has been a statement that a virus cannot survive a call
to FFFF:0000 to do a cold boot. This is NOT correct. The 386 processor with
virtual memory capabilities is able to 'change' the BIOS by copying the BIOS
to RAM and swapping the pages. A virus could even hide in unused parts of
the BIOS, or other unused areas within 0K-1024K, as soon as it finds out how
to exploit the 386 capabilities.

Anyway I think the only real cold boot is the reset button or even switching
the system off and on again. The statement that there is no virus that survives
boots through FFFF:0000 may be valid today but may not be valid tomorrow.

Kind Regards,

Henk.
- --
  /   /            Henk de Groot      | Dep.: IISS-SE (System Management)
 /---/ __  __  /   Loc: V2/A05        | Mail: groot@idca.tds.philips.nl
/   / (-_ / / /(   Tel: +31 55 432104 | Digital Equipment Corporation

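Henk's check, as an added C example that is not code from his post: sum every byte of a 64 KiB image modulo 256 (a consistent ROM sums to 0), then diff the image against a second copy to locate exactly what changed, and decode the far JMP at the reset vector to see where it now points. It runs on a constructed 64 KiB buffer standing in for F000:0000-F000:FFFF, not on real BIOS memory; the POST entry F000:E05B, the 0000:7C00 redirect target and the filler bytes are made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE  0x10000u   /* F000:0000 .. F000:FFFF is 64 KiB */
#define RESET_OFF 0xFFF0u    /* FFFF:0000 aliases F000:FFF0 inside that window */

/* The checksum the post describes: add every byte modulo 256.
 * A consistent ROM image sums to 0. */
uint8_t rom_checksum(const uint8_t *img, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += img[i];
    return sum;
}

/* Store at fix_off the byte that makes the whole image sum to 0
 * (what a BIOS patcher must do after changing any byte). */
uint8_t rom_fix_byte(uint8_t *img, size_t len, size_t fix_off) {
    img[fix_off] = 0;
    img[fix_off] = (uint8_t)(0u - rom_checksum(img, len));
    return img[fix_off];
}

/* Byte-wise diff of two images. Records up to max differing offsets in out
 * and returns the total number of differing bytes. */
size_t rom_diff(const uint8_t *a, const uint8_t *b, size_t len,
                size_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            if (n < max) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Decode the far JMP (EA ofs_lo ofs_hi seg_lo seg_hi) at the reset vector.
 * Returns 1 and fills seg:ofs if a far JMP is there, else 0. */
int reset_vector_target(const uint8_t *img, uint16_t *seg, uint16_t *ofs) {
    if (img[RESET_OFF] != 0xEA) return 0;
    *ofs = (uint16_t)(img[RESET_OFF + 1] | (img[RESET_OFF + 2] << 8));
    *seg = (uint16_t)(img[RESET_OFF + 3] | (img[RESET_OFF + 4] << 8));
    return 1;
}

/* Constructed sample ROM: deterministic filler bytes, a far JMP to a made-up
 * POST entry F000:E05B at the reset vector, checksum fixed in the last byte.
 * No real BIOS content is reproduced. */
void build_sample_rom(uint8_t *img) {
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < ROM_SIZE; i++) {
        x = x * 1103515245u + 12345u;            /* simple LCG filler */
        img[i] = (uint8_t)(x >> 16);
    }
    const uint8_t jmp_post[5] = { 0xEA, 0x5B, 0xE0, 0x00, 0xF0 };
    memcpy(img + RESET_OFF, jmp_post, sizeof jmp_post);
    rom_fix_byte(img, ROM_SIZE, ROM_SIZE - 1);
}

/* Simulate what the post observed in the RAM copy: the reset JMP now points
 * into conventional memory (0000:7C00 is a placeholder target). */
void redirect_reset_vector(uint8_t *img) {
    const uint8_t jmp_ram[5] = { 0xEA, 0x00, 0x7C, 0x00, 0x00 };
    memcpy(img + RESET_OFF, jmp_ram, sizeof jmp_ram);
}

static uint8_t g_rom[ROM_SIZE];   /* the "real" ROM */
static uint8_t g_ram[ROM_SIZE];   /* what a program reads at F000:xxxx */

/* Whole scenario: returns the checksum of the tampered copy; *ndiff gets the
 * number of changed bytes and *first the offset of the first one. */
uint8_t demo_tamper(size_t *ndiff, size_t *first) {
    size_t where[8];
    build_sample_rom(g_rom);
    memcpy(g_ram, g_rom, ROM_SIZE);
    redirect_reset_vector(g_ram);
    *ndiff = rom_diff(g_rom, g_ram, ROM_SIZE, where, 8);
    *first = *ndiff ? where[0] : 0;
    return rom_checksum(g_ram, ROM_SIZE);
}

int main(void) {
    size_t n, first;
    uint16_t seg, ofs;
    uint8_t bad = demo_tamper(&n, &first);
    printf("ROM checksum: %02X, RAM copy checksum: %02X\n",
           rom_checksum(g_rom, ROM_SIZE), bad);
    printf("%zu byte(s) differ, first at F000:%04zX\n", n, first);
    if (reset_vector_target(g_ram, &seg, &ofs))
        printf("reset vector now jumps to %04X:%04X\n", seg, ofs);
    return 0;
}
```

On a real machine the two buffers would be the F000 segment read after booting from a known-clean floppy and the same segment read under Windows, as Henk did; a non-zero sum or a reset vector pointing below 1 MB says the program is looking at a RAM copy rather than the ROM, which is the condition his post warns a software reset cannot be trusted in.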
------------------------------

Date:    Mon, 19 Apr 93 06:13:53 -0400
From:    DONNY@iris.netcom.com
Subject: Re: Central Point and Stacker (PC)

Amir Netiv (Mon, 22 Mar 93 13:23:00) writes

> Since you are new here, let me first welcome you.

Well, not exactly, I did talk here before but thanks for the welcome :-)

> Just to remind you, V-CARE has been equipped with a TSR for quite some time
> already,

I keep getting confused between VCARE and VGUARD (for obvious reasons).

> and as a TSR writer myself, I think I may express my opinion about them.

Even if you weren't you may.

> Second thing: your *"DOS is built for TSRs"* flag ship is not correct (
> historically speaking). "DOS supports TSRs" is a much better term.

Keybxx has been part of DOS ever since 1.0 (I think) and I guess that is as
close as you can get to "built for". Even CP/M was quite TSR supporting.

> However the main problem is that DOS is an operating system that suffers
> from the lack of standardization,

It depends on what level of standards you wish to reach.

> Third: You do not have to warn anybody using other TSRs like keyboard
> handlers since they do not tamper with the set of interrupts used to access
> the disk.

But they do access the keyboard and they may/do cause trouble.

What I am pointing out is that anyone who wants to use DOS (do they?) also
has to consider the various features and the fact that some TSRs may have
bugs (same goes for the whole computer world). Whether an A/V TSR can be
more or less "painful" depends on the utility and what you combine it with.
This is the "facts of life" with DOS, Microsoft, etc.

Your aim of removing TSRs (if possible) that tamper with the disk is like
removing electricity because it is more dangerous than water.

> As for QEMM386 I'm surprised that a man with such experience as you

What experience? :-)

> claim to have does not know that EMM386 has many conflicts,

So? There are bugs in everything. I do agree that MS should put more effort
in improving EMM386 but EMM386 is not a "bad" product in its concept
(which is what I am trying to say).

> Last but not least: If it didn't happen to you yet I truly hope it never will,
> but Double disk for example conflicts with several optimization programs and
> some utilities,
> the result is fatal, I've experienced it myself several times.

So fix the bugs, Fix the various utilities, make standards, etc. Don't condemn
the system.

Donny Gilor (Dr. Virus)    donny@iris.ilnet.net
- -----------------------------------------------
Development manager, Iris Software (Israel)
Iris produces software for Text-Retrieval, Anti-Virus, and Copy-Protection.
Telephone: (972)-3-5715319     Fax: (972)-3-318731


------------------------------

Date:    15 Apr 93 16:34:44 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Censorship/40-Hex (PC)

Thus spake bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

>As a scientist, I am trying to provide verifiability of my claims any
>time I am able to do it. Unless I have to worry about more important
>things. You don't demand that NASA takes you in the Shuttle, in order
>to verify the claims that the Earth is round with your own eyes, do
>you?

[No definite relevance to comp.virus, but noteworthy anyway...]

As someone pointed out in another newsgroup [sci.crypt?] a while back,
you *don't* need to get a shuttle ride to demonstrate that the earth is
round; it can be done in the comfort of your own home [you need a
window...] using Foucault's pendulum [to satisfy yourself that the earth
rotates] and observation of lunar eclipses [shadow of earth is always
circular, although it's at a different position in its rotation each
time].

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Mon, 19 Apr 93 12:41:45 -0400
From:    RHY@CU.NIH.GOV
Subject: Help needed with the Bootexe virus (PC)

If you have any information on the Bootexe virus: what exactly is it?
How do I remove it without destroying any data?  I will appreciate any
info.

Thanks!

------------------------------

Date:    Mon, 19 Apr 93 13:15:57 -0400
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Viruses which cost $$$ (PC)

I think I recall seeing the following warning in one of my books:
"Improper use of this register may cause physical damage to your monitor."

Am I correct, is there physical damage that can be done through
software? Monitors sound likely. Disks, possibly. With CPUs
that run hot and can perhaps be configured through software, then
maybe them too!

If this is a threat should we discuss it here? I think so. Of
course, I don't want the details spelled out here. Just enough
generic information that we can be sure the info is correct.

I know of a simple way that a virus could cost a user lots of money,
[in fact the virus author could MAKE money from the victim!!!]
[if that doesn't whet the appetite I don't know what will!!!]
without causing physical damage, but I am unsure if I should
mention that here. Even though the method is absurdly simple.
Any comments?

[Moderator's note: Be careful - this topic comes up every once in a
while here, and the discussions are always full of conjecture.  I will
reject all postings in this thread that are of the "a friend of mine
said that his third cousin, twice removed, once had a monitor blow
up..." variety.]


------------------------------

Date:    Mon, 19 Apr 93 19:06:00 -0400
From:    kam.bansal@symantec.com (Kam Bansal)
Subject: Re: Removing PingPong virus from boot sectors (PC)

>  One of the IBM's that I manage has pingpong virus in the boot blocks of
>the hard drive.  I have Norton's AntiVirus, but it will not remove it.  What
>do I have to do to remove the pingpong virus, or is it really nothing to
>worry about?

Dave,

	What version of NAV do you have? And, when you do a scan, what does
it say? Does it say that you have a virus on your boot record? And if it does
do that, does it give you an option of repairing it?

			-Kam  (^8*

------------------------------

Date:    19 Apr 93 23:36:07 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Unknown little virus? (PC)

ac999512@umbc.edu (ac999512) writes:

>   24 bytes? That's it? Really? The smallest I've managed to obtain/create
>is 27 bytes. 

Hmmm...I don't have any 27 byte one :-) ... actually I have never seen a
24 byte virus (the shortest I have is 25 bytes), but I figured out how to
shorten a 26-byte one by 2 bytes.

Or, maybe 24 bytes are impossible, and I'm just writing this to keep the virus
authors reading this occupied for a while.... :-)

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    19 Apr 93 23:46:41 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: VSAFE WONDER false alarm? (PC)


Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer) writes:

>I've had a number of incidents lately on our 255 PC Novell LAN where
>VSAFE reports an executable is infected with the WONDER virus.

I think this has been reported as a false alarm - Wonder is written in some
high-level language - C++, I think, and some scanners gave false positives
on programs created with the same compiler.
Anyhow, as a rule of thumb, if a scanner reports only one or two files on a
machine, and if they have been in use for a while - you are likely just to
have a false alarm.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Mon, 19 Apr 93 20:49:18 -0400
From:    bruno@mcrcim.mcgill.edu
Subject: Got rid of Stoned -- but where did it come from? (PC)

I administer a bunch of Intel-based UNIX systems, and found that one
of them just stopped booting.  I could mount the disks on another
machine, and everything seemed mostly OK, except for the boot sector.
Upon inspection, the boot sector had been infected by the Stoned
virus.  It looked pretty primitive (to the untrained eye), since it
contained a non-encrypted string.

I installed a new boot sector and secondary boot, and all is well.  
But now I'm wondering how this thing got there in the first place.  
My question is:

===> What is the specific mechanism that Stoned uses to propagate
     itself?  Must one boot with an infected floppy, or does it live
     next to an executable, or...

Thanks,

Bruno
- -- 
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Bruno Hall  |  VE2HUM  |  bruno@mcrcim.mcgill.edu         
McGill Research Centre for Intelligent Machines - Controls Group
New systems generate new problems -- Join the Flat Earth Society.

------------------------------

Date:    Mon, 19 Apr 93 23:42:52 -0400
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: viruses and compression (PC)

Hello Colin Beckman,

You wrote:

>	I was wondering if anybody could tell me if it is possible for a  
>scanner to detect a virus in a compressed file or on a stacked hard drive  

Some anti-viral programs check inside compressed files (either run-time
compression such as PKLITE or LZEXE, or archived files, such as those 
created by ARC and PKZIP).  To find out which ones do, you'll need to 
contact the developer (or distributor) of the program in question.

Most anti-viral programs will check a volume compressed with Stacker,
SuperStor, DoubleSpace, and the like as long as the correct device driver
is loaded to access the disk.

>or if the virus can be detected on a file that has been backed up using  
>DOS  or Norton backup.  Some how I doubt it but I am asking to be sure.   
>If it can be detected could you tell me the name of the software that can  
>do it

I'm not aware of any anti-viral program that checks inside floppy (or
tape, for that matter) backups made by any of the various hard disk backup
programs out there.  Since most backup programs perform some sort of 
compression (which would probably by proprietary) on the backups, it is
unlikely that any anti-viral program would be able to check them.

Regards,

Aryeh Goretsky
Technical Support
- -- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR
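
The point made above about archived files, as an added example (this is
not McAfee's code, nor any product's): a byte signature that sits inside a
deflate-compressed ZIP member is not visible in the raw archive bytes, so a
scanner that only matches over the container misses it and has to unpack
each member first. The ZIP, the "infected" member and the signature string
are all constructed test data; `MAX_MEMBER_SIZE` is an assumed cap, not a
setting from any scanner.

```python
"""Added example: why a scanner has to look *inside* archives.

Builds a small ZIP in memory with one clean member and one member that
carries a constructed marker string, then shows that a plain signature
match over the archive bytes finds nothing while a per-member scan does.
"""
import io
import zipfile

# Constructed marker standing in for a scanner's byte signature.
SIGNATURE = b"SAMPLE-SIGNATURE-NOT-A-REAL-VIRUS"

# Assumed cap on the *declared* uncompressed size of a member.  A member
# that claims to expand to far more than this is reported as unscanned
# rather than decompressed, so a deliberately huge member cannot stall us.
MAX_MEMBER_SIZE = 50 * 1024 * 1024


def build_sample_archive() -> bytes:
    """Return a constructed ZIP holding one clean and one marked member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CLEAN.EXE", b"MZ" + b"\x00" * 64 + b"hello world " * 40)
        zf.writestr("SUSPECT.EXE", b"MZ" + b"\x00" * 64 + b"payload " * 40 + SIGNATURE)
    return buf.getvalue()


def scan_bytes(data: bytes) -> bool:
    """Plain signature match over a buffer: what a naive scanner does."""
    return SIGNATURE in data


def scan_archive(archive: bytes) -> dict:
    """Decompress each member and scan it.

    Returns {member_name: True/False}, or None for a member that was
    skipped because its declared size exceeds MAX_MEMBER_SIZE.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                results[info.filename] = None
                continue
            results[info.filename] = scan_bytes(zf.read(info))
    return results


if __name__ == "__main__":
    archive = build_sample_archive()
    print("signature visible in raw archive bytes:", scan_bytes(archive))   # False
    print("per-member scan:", scan_archive(archive))
```

The raw-bytes scan comes back negative because deflate re-encodes every
literal byte with a Huffman code, so the signature never appears verbatim
in the container; the same reasoning is why a backup set written in a
proprietary compressed format is out of reach for a signature scanner that
does not understand that format.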

------------------------------

Date:    Tue, 20 Apr 93 06:14:10 -0400
From:    Jeroen.Donkers@mi.rulimburg.nl
Subject: keyboard virus? (PC)

At our university we have some strange problems with keyboards,
starting a month ago. All kinds of PC's using different DOS-versions
and network operating systems, have 'stuck' ALT-, SHIFT- or CTRL
keys. Even brand-new computers show this problem. Some computers
produce a beep before getting stuck.  There is no hardware problem
(e.g. dirt). Sometimes the problems are solved using keyboard-fix
utilities or new keyboard drivers but results are unpredictable. We
have used McAfee scanners but found nothing.

Is this some kind of virus? I couldn't find a virus description with similar
symptoms...

Jeroen Donkers, University of Limburg, The Netherlands


------------------------------

Date:    Tue, 20 Apr 93 10:14:35 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 5lo virus? (PC)

Marcin_Dobrucki@f200.n3581.z9.virnet.bad.se (Marcin Dobrucki) writes:

>     While using F-PROT 2.07 I got a message that some 60 files on my
>     drive are infected with 5lo (?) virus.  However after checking
>     the virus list I could not locate such virus nor find any
>     information anywhere else.

Hmm... 5lo is an obscure Polish virus... Are you calling from Poland
(I'm not familiar with the VirNet addressing scheme)? It -might- be a
false positive, because Frisk (and I) had problems replicating the
virus, but 60 files... No, it sounds like a real infection...

Anyway, this is a resident EXE-only infector that infects files when
you execute programs. The programs being infected are not necessarily
those being executed - on each Exec the virus does a
FindFirst/FindNext, like a non-resident virus...

Look at the end of the files reported as infected - can you spot a
text string like '92.05.24.5lo.2.23'? If it is there, then your
computer is really infected.

>     Is this some kind of a code name for the PROTO-T virus which
>     I suspected was the one I had?

No, that's a real virus. And the two Proto-T variants we know are
reported by F-Prot as Proto-T (Proto-T) and Proto-T (Civil War).

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
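
The check suggested above (look at the end of each reported file for the
text string), as an added example that is not Vesselin's code: it walks the
files a scanner reported, skips anything that is not an MZ executable
(the message says the virus is EXE-only), and searches the tail of each
file for the marker. The marker bytes are the ones quoted in the message;
the `TAIL_BYTES` window and the sample files are constructed for the
demonstration and assume nothing else about the virus.

```python
"""Added example: confirming or refuting a scanner report by looking for
a plain-text marker at the end of the files it flagged.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"92.05.24.5lo.2.23"   # text string quoted in the message above
TAIL_BYTES = 4096               # assumption: how far from the end to search


def has_tail_marker(path, marker=MARKER, tail=TAIL_BYTES):
    """True if `marker` occurs in the last `tail` bytes of an MZ executable."""
    with open(path, "rb") as f:
        if f.read(2) != b"MZ":          # not an EXE: an EXE-only infector cannot be here
            return False
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - tail))
        return marker in f.read()


def triage(paths):
    """Split reported files into (confirmed, unconfirmed) by marker presence."""
    confirmed, unconfirmed = [], []
    for p in paths:
        (confirmed if has_tail_marker(p) else unconfirmed).append(Path(p).name)
    return sorted(confirmed), sorted(unconfirmed)


def make_samples(directory):
    """Constructed sample files: one with the marker appended, one without,
    and a text file that contains the marker but is not an executable."""
    d = Path(directory)
    (d / "INFECTED.EXE").write_bytes(b"MZ" + b"\x90" * 300 + MARKER)
    (d / "CLEAN.EXE").write_bytes(b"MZ" + b"\x90" * 300)
    (d / "NOTES.TXT").write_bytes(b"text mentioning " + MARKER)
    return [str(d / n) for n in ("INFECTED.EXE", "CLEAN.EXE", "NOTES.TXT")]


def demo():
    """Run the triage over the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(make_samples(tmp))


if __name__ == "__main__":
    confirmed, unconfirmed = demo()
    print("marker found (real infection):", confirmed)
    print("no marker (possible false positive):", unconfirmed)
```

A file in the "unconfirmed" list is only a candidate false positive: the
absence of this one marker does not prove a file clean, so the next step is
still to boot from a clean, write-protected diskette and rescan, as the
other replies in this digest recommend.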

------------------------------

Date:    Tue, 20 Apr 93 11:00:49 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSAFE WONDER false alarm? (PC)

Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer) writes:

> I've had a number of incidents lately on our 255 PC Novell LAN where
> VSAFE reports an executable is infected with the WONDER virus.

> F-PROT 2.07, CPAV's SCAN function (1.4), and McAfee's SCANV102 and NETSCAN102
> don't find anything, so I'm assuming it is a false alarm.   No suspicious

It's almost certainly a false positive. Wonder is a silly overwriting
virus, written in a high-level language (C). It barely works, let
alone spreads... However, because it is written in a high-level
language, it is very difficult to select a scan string for it without
causing false positives.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 11:02:57 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disk Death (PC)

apreiser@skidmore.EDU (arthur preiser) writes:

> Anyway, I let a friend run some numbers through lotus 1-2-3 on my
> computer.  Right in the middle of calculating something, my virus
> detector went off. 

What kind, brand and version of virus detector and what did it say?
Please, read the FAQ for information about what to supply when asking
questions like yours.

> I scanned the hard drive and found the disk to be
> infected. 

With what?

> The problem was, my virus cleaning program was infected.  I

That's why you must always boot from an uninfected write-protected
system diskette and run your anti-virus software from a
write-protected diskette.

> tried to recover my information with the original copies of the virus
> program, but the virus was resident and infected my "A:\" drive as
> well. 

Because you have not write-protected your original copies. This is a
VERY severe mistake.

> I had to reformat the hard drive on my computer.  I wanted to

This is almost never necessary.

> know what kind of virus could attack all these files in so short a
> time? 

Any resident virus that infects files when they are executed. There
are probably more than a thousand viruses that match this
description... What did your scanner report?

> What could I have done differently to save my disks?  I don't

Write protect your diskettes. Delete your executable (and infected)
files and restore them from clean originals. After booting from a
clean diskette, of course.

> know what virus it was or how it infected my system without infecting

What do you mean that you don't know! What did the scanner say?

> my friends.  We ran a viral scan on his computer and it came up
> negative. 

So probably his system is not infected. Or it is a stealth virus that
your scanner does not detect in memory and you have not booted from a
clean floppy before checking his system.

> Is it just me or does anyone else think my friend sabotaged
> (sp?) my system? 

It's just you, IMHO... :-)

> How can I prevent this kind of total disaster from
> recurring?

First read the FAQ, then devise some kind of safe computing practice.

> 	Please excuse me for rambling on.  I'm still getting over the
> shock of losing everything.  I was naive and, you guessed it, I
> didn't have backups of my work.  I guess a hard lesson learned is a
> lesson worth remembering.

Particularly, the points to remember are:

1) Always keep backups.

2) Write protect your original diskettes.

3) Always boot from a clean diskette before doing any virus hunting.

4) Don't panic when a virus is detected. Nothing worse can happen,
unless you do it yourself.

> 	An important question I wanted answered is: what do I do when
> all my viral killing defences are breached? 

1) Don't panic.

2) Boot from a clean diskette.

3) Replace all executable programs (including the boot sectors) that
you suspect to be infected.

> Is there another line of
> defence I could establish? 

It is not clear from your description what kind of defense you are
using exactly. In general, you should use a combination of scanners,
resident scanners, integrity checkers, disinfectors, and backup.

> Should I kill my EX-friend now?

This is the most stupid thing you could do - he is probably not guilty
at all about your problem...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 20 Apr 93 08:16:55 -0400
From:    Garry J Scobie Ext 3360 <GSCOBIE@ml0.ucs.edinburgh.ac.uk>
Subject: Re: Can a virus infect NOVELL? (PC)


> Date:    Sat, 17 Apr 93 05:20:08 +0000
> From:    sywu@csie.nctu.edu.tw (Xianyow )
> Subject: Can a virus infect NOVELL? (PC)
>
>    I have a question, can a virus infect NOVELL system?  Since there are
> many read-only files in NOVELL, how can it write into that file?  If it can't
> , how can it live when the power turned off?
>    But I really heard some viruses can infect NOVELL.  Can anyone answer me?
>    Thanks in advance!
>                                                Victor
>
> ------------------------------

Please, Please, Please before this thread gets out of hand, the 1992
virus digests are full of the pros and cons concerning
Novell/Viruses/Access Rights. It would be best to consult these. In
Sept 1992, vol 5 issue 151 I asked


     If a virus can infect my applications volume where
     everyone has only read and filescan permission set as a trustee
     assignment then I would appreciate being told about it as soon as
     possible.


The thread appeared to end there as no-one could say either way. I
suspect the answer is still no. However, play it safe and always
assume that a virus has the same permissions as the logged on user.
Supervisors be extremely careful when updating public access software.
Just think how much hassle an infected LOGIN.EXE program could cause
you!

Cheers

Garry Scobie Lan Support Officer Edinburgh University Computing
Services e-mail g.j.scobie@ed.ac.uk

------------------------------

Date:    19 Apr 93 13:44:00 -0600
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: Corporate climate (CVP)

PRTAVS4.CVP   930418
 
                         Corporate Climate
 
Part of the assessment of the user is the user environment.  This
aspect covers not only the "corporate culture" (e.g. home user, user
in a large corporation with internal support staff, etc.) but also
the operating system environment.  For example, the MS-DOS
environment has a very large number of viral strains, with more
being produced every day.  The Macintosh environment has relatively
few viral programs.  Therefore, "generic" identification of "new and
unknown" viral programs is more important to MS-DOS users than to
Macintosh.  (Interestingly, while Macintosh antivirals are quite
mature, and protected Macintosh systems have a negligible infection
rate, the infection rate on unprotected Macs is astronomical.  This,
too, should be taken into account.)
 
Related to the interaction of the user and the program is the
potential negative impact of the security program.  Antiviral
programs consume time and disk space, and may also interfere with
the normal operation of the computer system.  As Jeff Richards'
first law of data security has it, you can guarantee security if you
don't buy a computer.  It's just not a very useful alternative. 
Computer systems can be secured more and more by restricting the
operations more and more, but restriction of "dangerous" operations
also restricts useful ones.  There comes a point at which the trade-
off for greater security becomes more than users want to pay.
 
An antiviral program, therefore, must be matched to the environment
in which it is to be used.  In a "low risk, low change" situation,
such as a word processing office, change detection software provides
very effective protection, without too much interference with
operations.  In a "high change" milieu, such as a software
development team, change detection software is less useful against
viral programs, although it has other helpful features.  In a "high
risk, multi risk" environment such as a college computer lab,
operation restricting software may prevent not only viral infection,
but may help to "idiot-proof" the computers as well.
 
We come, though, full circle back to the corporate climate.  It is
important also to match the type of program to the type of support
provided within the company.  Sadly, in many cases, this may prevail
against the use of a superior product.  However, note that even the
best product is of little use if improperly installed or supported. 
If routine maintenance is not performed on computers, then a scanner
will be of little use, since it needs to be updated from time to
time.  (Of course, if a company is not doing regular maintenance and
support, they are in danger of more than viral programs ...)
 
copyright Robert M. Slade, 1993   PRTAVS4.CVP   930418
 
============= 
Vancouver      ROBERTS@decus.ca         | "Remember, by the
Institute for  Robert_Slade@sfu.ca      |  rules of the game, I
Research into  rslade@cue.bc.ca         |  *must* lie.  *Now* do
User           p1@CyberStore.ca         |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood
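
The change detection software the column contrasts across "low change" and
"high change" environments, and the integrity checker Vesselin lists among
the defenses in the Disk Death reply above, both do the same thing: record
a baseline of each executable and report anything that differs later. The
following is an added example of that baseline/verify cycle, not code from
Rob Slade, Vesselin, or any product. The files, the JSON store format and
the `EXEC_SUFFIXES` set are assumptions made for the demonstration.

```python
"""Added example: a minimal change-detection (integrity checker) cycle.

baseline() records size and SHA-256 for every executable under a root;
verify() reports files that changed, appeared, or disappeared since then.
demo() runs both over a constructed tree and shows why the technique is
quiet in a low-change office and noisy in a high-change one: a legitimate
rebuild or patch of a program is indistinguishable, to the checker, from
a modification made by a virus.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".sys"}   # assumption: what we treat as executable


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tracked_files(root: Path):
    """Executables under root, as paths relative to root."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            yield str(p.relative_to(root)), p


def baseline(root: Path, store: Path) -> dict:
    """Record size and digest of every executable; write them to `store`."""
    entries = {name: {"size": p.stat().st_size, "sha256": file_digest(p)}
               for name, p in tracked_files(root)}
    store.write_text(json.dumps(entries, indent=1))
    return entries


def verify(root: Path, store: Path) -> dict:
    """Compare the tree with the stored baseline."""
    old = json.loads(store.read_text())
    now = {name: file_digest(p) for name, p in tracked_files(root)}
    return {
        "changed": sorted(n for n in old if n in now and now[n] != old[n]["sha256"]),
        "added": sorted(n for n in now if n not in old),
        "missing": sorted(n for n in old if n not in now),
    }


def demo() -> tuple:
    """Baseline a constructed tree, verify it untouched, then after changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "apps"
        root.mkdir()
        store = Path(tmp) / "baseline.json"
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "CALC.COM").write_bytes(b"\xe9\x00\x00" + b"\x90" * 50)
        (root / "README.TXT").write_bytes(b"docs")          # not tracked
        baseline(root, store)
        quiet = verify(root, store)                          # low change: nothing to report
        # Bytes appended to an existing program and a new executable appearing:
        # exactly what a new build looks like, and exactly what an infector does.
        (root / "WP.EXE").write_bytes((root / "WP.EXE").read_bytes() + b"\xcc" * 16)
        (root / "NEW.EXE").write_bytes(b"MZ")
        noisy = verify(root, store)
        return quiet, noisy


if __name__ == "__main__":
    before, after = demo()
    print("untouched tree:", before)
    print("after changes: ", after)
```

Two operational points follow from the code rather than the column: the
baseline store must live somewhere the checked system cannot silently
rewrite (a write-protected diskette, in this digest's terms), and the
verify run only means anything if the checker itself was started from a
clean boot, since a resident stealth virus can otherwise hand it the
original file contents.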

------------------------------

Date:    Tue, 20 Apr 93 03:12:09 -0400
From:    russo@fec.unicamp.br (Renato Aparecido Russo)
Subject: SCNDAY10.ZIP - Scan HD for viruses once a day on Mon/Wed/Fri (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
SCNDAY10.ZIP    Scan HD for viruses once a day on Mon/Wed/Fri

ScanDay is a Scan optimizer.  If it is Monday, Wednesday or Friday,
ScanDay will run the virus detection software, ONLY the first time you
turn the computer on.  The parameters for Monday and Wednesday are /a
/nomem /bell and the ones for Friday are /a /m /chkhi /bell.  When it
runs the first time a file called ALREADY.CTL is generated so that
ScanDay can recognize it is not necessary to run SCAN.EXE again.  So,
don't delete this file in case you don't know what it is.  If you do,
next time you turn your computer on you'll have to wait some time
because SCAN.EXE will be run again.

Luiz Otávio
russo@fec.unicamp.br
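
The scheduling logic described in the announcement, as an added example
reimplemented in Python; this is not ScanDay's own code. Two assumptions
go beyond the text: the ALREADY.CTL marker records the date of the last
scan rather than merely existing, so the next scheduled day runs the
scanner again without anyone deleting the file, and the scanner is passed
in as a callable so the logic can be exercised without SCAN.EXE present.
The parameter lists are the ones the announcement gives.

```python
"""Added example: run the scanner only on Mon/Wed/Fri, and only at the
first boot of that day, using a date-stamped marker file.
"""
import datetime as dt
import tempfile
from pathlib import Path

# Parameters from the announcement, keyed by date.weekday() (Monday == 0).
SCAN_DAYS = {
    0: ["/a", "/nomem", "/bell"],          # Monday
    2: ["/a", "/nomem", "/bell"],          # Wednesday
    4: ["/a", "/m", "/chkhi", "/bell"],    # Friday: memory check as well
}
DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def plan_scan(today: dt.date, marker: Path):
    """Parameter list for SCAN.EXE if a scan is due today, else None."""
    params = SCAN_DAYS.get(today.weekday())
    if params is None:
        return None                                   # not a scan day
    if marker.exists() and marker.read_text().strip() == today.isoformat():
        return None                                   # already scanned at an earlier boot today
    return params


def run_if_due(today: dt.date, marker: Path, run_scanner) -> bool:
    """Run the scanner if due; stamp the marker only after it returned."""
    params = plan_scan(today, marker)
    if params is None:
        return False
    run_scanner(params)
    marker.write_text(today.isoformat())   # an aborted scan leaves no stamp
    return True


def demo():
    """Simulate two boots per day over one week with a fake scanner."""
    calls = []

    def fake_scanner(params):
        calls.append(list(params))

    boots = []
    with tempfile.TemporaryDirectory() as tmp:
        marker = Path(tmp) / "ALREADY.CTL"
        monday = dt.date(1993, 4, 19)        # a Monday in the week of this digest
        for i in range(7):
            day = monday + dt.timedelta(days=i)
            first = run_if_due(day, marker, fake_scanner)
            second = run_if_due(day, marker, fake_scanner)
            boots.append((DAY_NAMES[day.weekday()], first, second))
    return boots, calls


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Stamping the marker with the date is what makes the "don't delete this
file" advice unnecessary: the file persists, and a scan day simply compares
the stamp to today's date.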


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 67]
*****************************************


