From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #14
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Friday, 24 Jan 1992    Volume 5 : Issue 14

Today's Topics:

Re: Michelangelo questions (PC)
Re: VIRUS at AT286 in SCAN85 (PC)
SCAN configuration question (PC)
Re: WARNING - Michelangelo Virus (PC)
vsum info... (PC)
VIRSTOP Requirements (PC)
Printer sending to PC (was: Iraqi Computer Virus...) (PC)
.SYS Infector? Really? Info Please! (PC)
Re: SBC? (PC)
Re: WDEF (mac)
Re: WDEF (mac)
HELP re HP700 vs. PC viruses (PC) (HP700)
Re: Polymorphic viruses
New files on BEACH (PC)
Fprot v2.02 on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    23 Jan 92 18:00:21 +0000
From:    paraska@oasys.dt.navy.mil (Peter Paraska)
Subject: Re: Michelangelo questions (PC)

In comp.virus, Michael_Kessler.Hum@mailgate.sfsu.edu writes:

> I had a Zenith 386 SX machine infected.  When booting up with the
> infected diskette, I get a "Disk read error" message.
> When I reboot off the hard disk, I get a "Unable to read boot code
> from partition" message, and the computer is disabled unless I boot
> off the floppy.  If I run a CHKDSK, I still get 655360 bytes total
> memory.  F-Prot 2.01 recognizes the existence of the virus, but does
> not remove it.  The installation of VIRSTOP does not seem to affect
> the installation of the virus or the subsequent screen messages.
> McAfee's CLEAN does remove it.
>
> Since the virus denies access to the hard disk as soon as it is
> installed, what is the meaning of the March 6th date?  Isn't the
> virus supposed to be dormant until that date?  Why does my experience
> not match Padgett's description of its activities?

My 386DX with DTK's multi-I/O (2s/1p/1g w/ 2 floppy & 2 IDE) card and
Western Digital's WD93044A 43Mb hard drive was recently infected with
the Michelangelo virus (detected by McAfee's SCANV85).  Several
bootable and non-bootable 5-1/4" (both 360K and 1.2M) floppies were
infected.  (My PC has a 1.2M A: drive and a 1.44M B: drive.)  No
3-1/2" floppies were found to be infected, although several
non-write-protected ones were used while the hard disk was infected.
My hard drive is partitioned into two logical drives, C: and D:.

Indications of the virus were SLOW floppy disk access with DRDOS 6.0
on both floppies and the 2,048 bytes missing just below the 640K
barrier, as reported by CHECKIT 3.0.  The slow floppy disk access was
partly due to DRDOS's practice of actually reading more data off the
floppy disk than MSDOS 5.0.

Note that my PC booted just fine numerous times from the hard disk
when it was infected.  Maybe your disk hardware was interacting
differently with the virus, causing it not to boot from it.  Just a
guess.

BTW, I used McAfee's CLEANV85 to "remove" the virus from my hard
drive.  Luckily, I overrode my usual laziness and backed up C: and D:
before doing so.  When I "CLEANED" the hard disk, the partition table
became corrupted and I was unable to access my 37Mbyte D: partition.
I've read here that CLEANV85 will clean the hard disk, so maybe my
hardware didn't allow the CLEAN program to work correctly (no
surprise, since IDEs are flaky anyway).

Pete

- -----------------------------------------------------------------------
paraska@oasys.dt.navy.mil    {}    voice: (US) (301)-227-1650 days

------------------------------

Date:    Wed, 22 Jan 92 11:19:25 +0000
From:    tkorho@cs.joensuu.fi (Tommi Korhonen)
Subject: Re: VIRUS at AT286 in SCAN85 (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>> In Czechoslovakia, I got some new virus with the SCANV85.ZIP from
>> some BBS.  It makes all .COM, .EXE and .ASM files 10 bytes longer,
>> the first 6 bytes are:
>>     F0 FD C5 AA FF F0
>> No antivirus program has detected it, except those watching files'
>> length.

> :-))) C'mon, calm down, it's not a virus!  Just you (or somebody
> else) are running SCAN with the /AV switch.  This means to add
> checksum information to the files and the F0FDC5AAFFF0 is just the
> identifier that SCAN uses to tell whether the file is already
> "certified" or not.  You can remove those by running SCAN again,
> this time with the /RV switch instead.

> Yeah, I think that SCAN is "clever enough" not to touch this file...

>> worked normally, several terminated just after calling them.

> Ha, this is not normal.  They should run (unless they perform some
> kind of self-check themselves, but I don't believe that this is your
> case).  Maybe they are damaged by something else.  Anyway, the
> problem that you are reporting is caused by SCAN, not by a virus.

> Hope the above helps.

Thanks for the advice BUT: my 286 did also JAM after I GOT THE
SCAN85.ZIP!!!!!  Well, I have to admit that the extended/expanded
memory of mine isn't working quite as it should, but now, after I got
the scan, it is jamming more often than ever.  And most of the time
from COMMAND.COM!  Say I make a cd command and after pressing enter
the gadget is stuck!  It happens every now and then.
I'd say once every hour and a half.  I have not yet (after 3 active
days) noticed any files missing.  And nothing is ever displayed, so if
it is a virus, it has not gone off yet.  No scan nor any other program
notices anything.  Not even memory mappings.  But still something
weird is going on.  Once (but only once) the screen was blinking white
and purple while the thing was jammed...  I had to reset the computer,
as always when it jams.

After the first notions I have frequently scanned the whole computer,
with the cv switch.  But the only scan I have is this particular SCAN
85!!  So here is some info about the discussion.  If you still think
it is not a virus, then good.  Is this just panic, or is it happening
(in the twilight zone)?  Programs, if they start, work normally so
far...

Thanks for listening!!  :))

- --
T.Korhonen                  " Yeah, I said that.  So what?
student of physics            Come and kick my ass! "
you can reach me by mailing: tkorho@cs.joensuu.fi

------------------------------

Date:    Wed, 22 Jan 92 12:52:09 +0100
From:    Enda the Slamm head
Subject: SCAN configuration question (PC)

Could anybody tell me how to configure SCAN so that every time the A:
and B: drives are accessed it will automatically execute SCAN first
and then do the interrupt service routine for the disk access?  In
other words, what interrupt vector is used for the disk service
routine?

Help greatly appreciated.

Enda Purcell.
ADDRESS :-> SCP23016@IRTCCARL.BITNET

------------------------------

Date:    Wed, 22 Jan 92 16:43:43 +0000
From:    tong@ee.ubc.ca (ONG TONY TUNG L)
Subject: Re: WARNING - Michelangelo Virus (PC)

We've been hit here at the University of B.C., if anybody is keeping
track.

- --
===============================================================================
= Wolfman            | "Windoze + MessDOS doesn't work."
=                    |                       --Terje Bergesen
= tong@ee.ubc.ca     | comp.windows.ms
===============================================================================

------------------------------

Date:    Wed, 22 Jan 92 15:29:17 -0500
From:    hobbit@vax.ftp.com (*Hobbit*)
Subject: vsum info... (PC)

Forgive me if this is a FAQ; I haven't seen any recent references.  Is
there a plaintext version of vsumx.h! that is readable by humans
without use of a program?

_H*

------------------------------

Date:    Wed, 22 Jan 92 15:41:00 -0600
From:    MARK@iscsvax.uni.edu
Subject: VIRSTOP Requirements (PC)

Some of our computers on campus do not have enough hard disk space to
install the entire F-PROT package; however, we would still like to run
VIRSTOP.  What files are necessary to run only VIRSTOP?  Is this
possible?

Thank you!

Marty Mark, University of Northern Iowa
mark@iscsvax.uni.edu

------------------------------

Date:    Thu, 23 Jan 92 09:07:04 +0000
From:    Anthony Appleyard
Subject: Printer sending to PC (was: Iraqi Computer Virus...) (PC)

On Sun, 19 Jan 92 22:05:00 -0500, "David Bridge" (Iraqi Computer Virus
story Defended !) wrote:-

  "from "The Washington Post" Washington, DC USA, Tuesday, January 14,
  1992.  Page A7.: COMPUTER VIRUS REPORT IS SIMILAR TO SPOOF ..... virus
  in a computer printer being smuggled to Baghdad through Amman,
  Jordan.... A printer is a receiving device.  Data does not transmit
  from the printer to the computer....".

A printer does send to the computer!, e.g. the "out of paper" signal
and the "hang on while I finish printing what you gave me before"
signal.  A printer does not usually send bulk data because it has no
means of receiving bulk data except from the computer; but if the
printer had its own microprocessor programmable by user or supplier or
virus/trojan, the printer could quite well keep emitting copies of its
virus.  Some computers are quite able to receive data from printers,
e.g.
I have a Cifer T4 terminal which can receive from its downstream
printer port in case that port is used not for a printer but e.g. for
an experiment.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Thu, 23 Jan 92 08:51:52 GMT

------------------------------

Date:    Thu, 23 Jan 92 14:05:00 -0700
From:    "Rich Travsky 3668 (307) 766-3663/3668"
Subject: .SYS Infector? Really? Info Please! (PC)

What's this about a .SYS infector?  (Frisk Skulason mentions this in a
recent VIRUS-L digest.)  Some more information please; this is news
for me.

Richard Travsky
Division of Information Technology          RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                       (307) 766 - 3663 / 3668

------------------------------

Date:    24 Jan 92 16:02:23 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: SBC? (PC)

kenm@maccs.dcss.mcmaster.ca (...Jose) writes:

> Does anyone know anything about a virus that McAfee SCAN
> reports as SBC?  Neither SCAN 8.4 nor F-PROT seem to know about it
> (though F-PROT 2.01's analyze will detect it in memory).

Ha, you managed to get infected by a pretty new virus - I received a
copy of it yesterday.  Haven't disassembled it yet, but at first
glance it seems that:

1) The virus is encrypted, but not polymorphic.

2) It is memory resident; uses INT 21h/AX=4BFFh to detect its presence
in memory.

3) It is a fast infector - infects both when you copy and execute
files.

4) Infects both COM and EXE files.  The EXE files are padded up to the
next multiple of 16 before they are infected.

5) The virus is 1024 bytes long.  The minimal length of the infectable
files seems to be 1536 bytes.

6) The virus is semi-stealth, i.e. it hides the fact that the files
become 1024 +/- 16 bytes larger.  You won't notice the file increase
if you use the DIR command.

7) Couldn't find any intentional destructive routine in the virus
code.
There might be more, or some of the above might be incorrect, since I
haven't looked at the virus code very carefully; only glanced at it
while reading your message.

Hope the above helps.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Thu, 23 Jan 92 12:39:03 -0500
From:    mlg@cblph.att.com (Michael L Goodrich)
Subject: Re: WDEF (mac)

brown20@obelix.gaul.csd.uwo.ca (Dennis Brown) writes:

> This is a request for information concerning the virus WDEF.  It
> seems that I have contracted this virus and I am now trying to get
> rid of it.
>
> Here's the facts: Mac Plus
>                   External HD
>
> About a week ago, while doing a routine copy of some files, I created
> a folder that is empty and is unremovable.  Shortly after this, about
> 3/4 of the icons on my desktop disappeared.  The missing files are
> still accessible to some programs (eg: the system that disappeared
> still boots the drive when started up, and the cdev Boomerang can
> access files that it knows the path to even if it is one of the files
> that disappeared).  I am told that this virus is searched for by the
> newest version of SAM, but are there any other programs out there
> that will find WDEF?

Dennis,

There are a few programs that will detect and eliminate the WDEF virus
and any relatives.  There is a quick way to get rid of it on your hard
disk by rebuilding your desktop file.  This can be done by holding
down the Command and Option keys while your Mac is booting.  You
should get a dialog box that asks if you want to rebuild your desktop.

The program that I use to keep my hard disk relatively virus free is
Disinfectant (current version 2.5.1).  There are two parts to this
program:

1. The viral scan and elimination application
2. The system INIT that prevents viri (??) from entering your hard
   disk.
This program is available from most user groups or from various
Internet archives if you have FTP capability from your host.

Gatekeeper and Gatekeeper Aid are two other system INITs that will
keep a virus from invading your hard disk.  The problem with these
programs is that they must be taught what programs are allowed to do
operations that look similar to what a virus does.  (Somewhat time
consuming.)

Mike
mlg@excalibur.cb.att.com

------------------------------

Date:    Thu, 23 Jan 92 12:32:07 -0600
From:    werner@cs.utexas.edu
Subject: Re: WDEF (mac)

You don't have a WDEF virus, you have a messed-up file system (due to
a bug in the OS one hears about from different sources); you can try
running Disk First Aid and Disinfectant first, but it won't help,
probably.  Back up, reformat, reload your disk.

BTW, your report failed to indicate what OS version you are running
and why you assumed that you had WDEF; you also don't indicate that
you have run DFA and any anti-viral utilities (and what they reported)
- why not?  All anti-virals (latest version) handle all known critters
just fine (and WDEF for a couple of years now), and several free ones
are available.  Rumours get started that way ...

------------------------------

Date:    Thu, 23 Jan 92 13:32:37 +0000
From:    rocp@ghost.dsi.unimi.it (Pier Luigi Rocco)
Subject: HELP re HP700 vs. PC viruses (PC) (HP700)

I'm a student at Universita' degli Studi di Milano (Italia) and I
cannot download PUBLIC MATERIAL from the net, because the person
responsible says "It's not possible to verify all the software of the
students for viruses, so it's possible to infect the computer system
of the university".  I (and other students) want a PC IBM compatible
to download/upload material on the net and use it at home.  I'm not an
expert on viruses, but HOW CAN A VIRUS FOR A PC INFECT A HP700
SYSTEM????
Rocco Pier Luigi
Howard Alaan Treesong

PS: Excuse my English, but I don't know it very well.

------------------------------

Date:    23 Jan 92 23:50:10 +0000
From:    vail@tegra.com (Johnathan Vail)
Subject: Re: Polymorphic viruses

frisk@complex.is (Fridrik Skulason) writes:

   Terms such as "Viruses using variable encryption with a variable
   decryption routine" are rather cumbersome, but no accurate single
   word has been found for those viruses, of which V2P6, Whale,
   Maltese Amoeba, Russian Mutant and PC-Flu 2 are examples.  Until
   now.  It is hereby proposed that the term "polymorphic" be used
   for this class of viruses, but this term originated in one of the
   marathon 5-hour telephone conversations I had with Alan Solomon on
   the subject of virus naming.

How about this addition to the glossary:

polymorphic virus - A virus using variable encryption with a variable
    decryption routine to avoid detection by its "signature".  V2P6,
    Whale, Maltese Amoeba, Russian Mutant and PC-Flu 2 are examples
    of this kind of virus.

Email any comments to me and I will post a new version to the net in
a few weeks.

jv

"Honesty without Fear" -- Kelvinator
 _____
|     |  Johnathan Vail     vail@tegra.com      (508) 663-7435
|Tegra|  jv@n1dxg.ampr.org  N1DXG@448.625-(WorldNet)
 -----   MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

------------------------------

Date:    Thu, 23 Jan 92 15:29:40 -0600
From:    John Perry
Subject: New files on BEACH (PC)

The following files have been added to the anti-viral archive on
beach.gal.utexas.edu (129.109.1.207):

        FPROT202.ZIP
        VIRX19.ZIP

If you have any trouble connecting, contact perry@beach.gal.utexas.edu
or perry@utmbeach (Bitnet).

- --
John Perry - perry@eugene.gal.utexas.edu

------------------------------

Date:    Thu, 23 Jan 92 17:57:18 -0600
From:    James Ford
Subject: Fprot v2.02 on risc (PC)

The file fprot202.zip has been ftped down from Simtel20 and placed on
risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus.
Also, I attempted to ftp the file ccc21.zip (?), but was unable to
access the server using anonymous.  If someone has it, please upload
it to ri
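Two of the messages in this digest turn on file-length changes that a
plain DIR listing gets wrong: the Korhonen/Bontchev exchange, where a
10-byte growth (the SCAN /AV validation trailer beginning F0 FD C5 AA
FF F0) was mistaken for a virus, and Vesselin Bontchev's first look at
SBC, which grows COM files by 1024 bytes and EXE files by 1024 bytes
after padding to a multiple of 16, only infects hosts of at least 1536
bytes, and hides the growth from DIR while resident.  The script below
is an added example written for this edit; it is not code from any
contributor to the digest and does not reproduce SCAN's own logic.  It
records sizes from a clean baseline, strips a SCAN /AV trailer before
comparing (as /RV does), and flags files whose growth matches the SBC
figures.  Two things are assumptions, not facts from the digest: that
the 6-byte identifier is the first 6 bytes of the 10-byte trailer with
4 bytes of validation data after it, and that the padding in item 4
means EXE growth lies between 1024 and 1039 bytes.  All file contents
and names in the demo are constructed.

```python
"""Size-based integrity check for DOS executables (added example).

Illustrates two points from VIRUS-L V5 #14: the 10-byte SCAN /AV
trailer that looks like a 10-byte "infection", and the 1024-byte SBC
growth described by Vesselin Bontchev.  All sample data is constructed.
"""
from __future__ import annotations

# Identifier SCAN /AV appends, as quoted in the digest.  ASSUMPTION: it
# occupies the first 6 bytes of the 10-byte trailer and the remaining
# 4 bytes hold the validation data.
SCAN_AV_ID = bytes.fromhex("F0FDC5AAFFF0")
SCAN_AV_TRAILER_LEN = 10

# SBC figures from Bontchev's message: 1024-byte body, hosts below
# 1536 bytes are not infected, EXE hosts are padded to a multiple of 16
# before infection.
SBC_LEN = 1024
SBC_MIN_HOST = 1536


def strip_scan_av_trailer(data: bytes) -> tuple[bytes, bool]:
    """Return (payload, had_trailer).  Mirrors what SCAN /RV does: if the
    last 10 bytes start with the /AV identifier, drop them."""
    if len(data) >= SCAN_AV_TRAILER_LEN:
        trailer = data[-SCAN_AV_TRAILER_LEN:]
        if trailer.startswith(SCAN_AV_ID):
            return data[:-SCAN_AV_TRAILER_LEN], True
    return data, False


def sbc_infected_size(name: str, clean_size: int) -> int | None:
    """Size a clean host of `clean_size` bytes would have after SBC
    infection, or None if SBC would not infect it (wrong type or too
    small).  EXE padding to the next multiple of 16 (ASSUMPTION: 0..15
    bytes) is why the growth looks like "1024 +/- 16" rather than
    exactly 1024."""
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    if clean_size < SBC_MIN_HOST:
        return None
    if ext == "COM":
        return clean_size + SBC_LEN
    if ext == "EXE":
        padded = (clean_size + 15) // 16 * 16
        return padded + SBC_LEN
    return None


def classify(name: str, baseline_size: int, current: bytes) -> str:
    """Compare a file against the size recorded in a clean baseline.

    The baseline must come from a clean boot: SBC is semi-stealth, so a
    DIR listing taken with the virus resident already shows the old
    size and would hide the growth."""
    payload, had_trailer = strip_scan_av_trailer(current)
    if len(payload) == baseline_size:
        return "scan-av-trailer" if had_trailer else "unchanged"
    expected = sbc_infected_size(name, baseline_size)
    if expected is not None and len(payload) == expected:
        return "sbc-size-match"
    return "changed"


def check_files(baseline: dict[str, int], current: dict[str, bytes]) -> dict[str, str]:
    """Run classify() over a whole snapshot; files missing from either
    side are reported rather than silently skipped."""
    result: dict[str, str] = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            result[name] = "new-file"
        elif name not in current:
            result[name] = "missing"
        else:
            result[name] = classify(name, baseline[name], current[name])
    return result


def demo() -> dict[str, str]:
    """Constructed snapshot: an SBC-sized COM, an SBC-sized EXE (1537 ->
    padded 1552 -> 2576), a small COM carrying only the /AV trailer, and
    an untouched EXE."""
    baseline = {"EDIT.COM": 2000, "LINK.EXE": 1537, "TINY.COM": 1000, "WP.EXE": 4096}
    current = {
        "EDIT.COM": b"\x90" * 2000 + b"V" * 1024,
        "LINK.EXE": b"MZ" + b"\0" * 1535 + b"\0" * 15 + b"V" * 1024,
        "TINY.COM": b"\xc3" * 1000 + SCAN_AV_ID + b"\0\0\0\0",
        "WP.EXE": b"MZ" + b"\0" * 4094,
    }
    return check_files(baseline, current)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} {verdict}")
```

A size match is only a hint: a file that grew by exactly 1024 bytes is
worth a closer look, not a verdict, and a real integrity checker would
record a hash of the contents rather than the length, which is what
SCAN's /AV checksum was for in the first place.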