From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #12
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Wednesday, 22 Jan 1992 Volume 5 : Issue 12
Today's Topics:
Low-level utilities (PC)
SBC? (PC)
Michelangelo questions (PC)
Loading Vshield High (PC)
PC Computing Magazine Virus Articles, Feb 92 (PC)
FLASH Virus (WAS: Re: More myths) (PC)
New virus found (PC)
WWIV4.20 doesn't like Vshield (PC)
Re: WARNING - Michelangelo Virus (PC)
An A/B floppy drive switch design (PC)
Virus Detection and Protection for Unix (UNIX)
Help Required re IBM RSCS malicious programs (IBM VM/SP)
Re: The modem virus myth
VS920109.ZIP on risc (PC)
new pgms from Padgett Peterson (PC)
RE: NCSA Has Tested Anti-Virus Programs (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 20 Jan 92 11:14:31 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Low-level utilities (PC)
OK, I find it hard to stay away. Yesterday my son cleaned out
& painted his room and it was raining so I had a chance to put
together a final piece I had been meaning to for some time: FixFBR,
the last part of my low level utilities.
FixFBR is designed to replace the Boot Record on floppy disks
with non-bootable code that performs part of my integrity checking and
displays a message if a boot from floppy is performed. An additional
warning will be displayed if a typical Boot Sector Infector is present
(the .DOC has more of an explanation).
The technique is fairly simple so I do not anticipate problems
(right) and it has been tested but at this point it must be considered
an ALPHA. Since I do not have a 2.88 floppy drive, at the moment it is
limited to the big four floppies: 360k, 720k, 1.2Mb, & 1.44 Mb (did
not see any need for including 160k or 320k 5 1/4s but would not be
difficult).
Since the entire BR including the BPB is replaced, any viruses
lurking there are defanged (incidentally FixFBR also performs a number
of integrity checks on the original BR that will announce the presence
of most BR viruses - not the name but that "something" is wrong. The
BR is then - with permission - overwritten).
Also, with this release, the Shareware price of the "Fix"
utilities is changed to $1.00 per supported PC/user (other options
available - see the .Doc). This includes both FixMBR and FixFBR. The
code used in SafeFBR and SafeMBR as well as NoFBoot and the CHK
detection utilities remain copyrighted Freeware (may be used freely so
long as not changed).
Barring major setbacks, this should be available for Anonymous
FTP from Claude Hayes at URVAX (141.166.1.6) as FIXUTIL.ZIP in the
antivirus directory - Right, Claude ?
Warmly (and tired),
Padgett
------------------------------
Date: Mon, 20 Jan 92 16:09:32 -0500
From: kenm@maccs.dcss.mcmaster.ca (...Jose)
Subject: SBC? (PC)
Does anyone know anything about a virus that McAfee SCAN
reports as SBC? Neither SCAN 8.4 nor F-PROT seem to know about it
(though f-prot 2.01's analyze will detect it in memory).
Any info will be appreciated....
....Ken
- ------------------------------------------------------------------------------
|Kenneth C. Moyle MOYLEK@SSCVAX.CIS.MCMASTER.CA|
|Computing Services Coordinator (Sciences) MOYLEK@MCMASTER|
|Computing and Information Services ...!uunet!mnetor!maccs!kenm|
|McMaster University - Hamilton, Ontario (Canada) |
- ------------------------------------------------------------------------------
------------------------------
Date: Tue, 21 Jan 92 10:30:00 -0800
From: Michael_Kessler.Hum@mailgate.sfsu.edu
Subject: Michelangelo questions (PC)
I had a Zenith 386 SX machine infected. When booting up with the
infected diskette, I get a "Disk read error" message. When I reboot
off the hard disk, I get a "Unable to read boot code from partition"
message, and the computer is disabled unless I boot off the floppy.
If I run a CHKDSK, I still get 655360 bytes total memory. F-Prot 2.01
recognizes the existence of the virus, but does not remove it. The
installation of VIRSTOP does not seem to affect the installation of
the virus or the subsequent screen messages. McAfee's CLEAN does
remove it.
Since the virus denies access to the hard disk as soon as it is
installed, what is the meaning of the March 6th date? Isn't the virus
supposed to be dormant until that date? Why does my experience not
match Padgett's description of its activities?
MKessler@HUM.SFSU.EDU
------------------------------
Date: Tue, 21 Jan 92 14:05:58 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Loading Vshield High (PC)
>From: hendee%3338.span@Sdsc.Edu (Jim Hendee)
>I've noticed that you can use Quarterdeck's QEMM386 and LOADHI to load
>VSHIELD1.EXE in high memory, as well as FPROT's VIRSTOP.EXE, but you
>can't load VSHIELD.EXE high (so far as I'm aware).
Do not know about VIRSTOP but can make the following observations
about VSHIELD: Have been loading high for some time using its /LH
switch. This also works under QEMM 5.0+ but only with MS-DOS 5.0 -
does not work with earlier MS-DOS versions nor with DR-DOS 6.0
(reports itself as IBM 3.3). When the internal /LH switch is used a
416 byte "connection" is left in low memory. This can also be loaded
high with either the DOS LOADHIGH or the QEMM LOADHI commands but then
CHKSHLD cannot find it (if you care).
Can also say it finds things when loaded this way, at least on my PCs.
Believe the problem stems from the large extent of memory required for
initial memory & vital area check it makes that is reduced following
load. Have also found that it needs a certain amount of contiguous
memory (forget how much) to load and consequently load it FIRST in
Autoexec.Bat (I believe the .DOC recommends loading it LAST but had
case of refusing to load then - at present I have about 121k loaded
high).
Warmly again,
Padgett
I-Net: padgett%tccslr.dnet@mmc.com
(my opinions, obviously)
------------------------------
Date: Tue, 21 Jan 92 12:13:27 -0700
From: Chris McDonald ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil>
Subject: PC Computing Magazine Virus Articles, Feb 92 (PC)
PC Computing Magazine, February 1992, has two articles on computer
viruses. The first, entitled "Virus-Proof Your PC", examines the
characteristics of 11 products. With no false modesty I must comment
that Rob Slade's reviews and my own on anti-viral programs are of
higher quality. Different persons reviewed the 11 products, and
proposed some evaluation statements without much supporting
information. There is no overview of the test methodology, no
specific identification of those malicious programs against which the
programs performed, and no consistent identification of the version of
the program actually tested. The article relies heavily on
information from the National Computer Security Association and on
Patricia Hoffman's Hypertext Virus Summary List. There is no mention
of the Virus-L Forum which is unforgivable.
The second article is a summary of 350 FAX responses to a
questionnaire on computer viruses which appeared in an earlier
edition. The survey size is so small that the results on infection
rates and on defensive strategies seem statistically insignificant.
------------------------------
Date: 21 Jan 92 22:38:42 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: FLASH Virus (WAS: Re: More myths) (PC)
p1@arkham.wimsey.bc.ca (Rob Slade) writes:
> More hardware myths
> 3) "BIOS" virus
> First of all, BIOS is ROM BIOS. The RO in ROM stands for "read
> only". The BIOS, therefore, cannot be infected by a virus. At
> least, not yet. Intel has already developed flash EEPROMs which
> it is pushing as "upgradeable" ROMs for the BIOS. It *is*
> possible to get "bad" ROMs, and it is even possible that a run
> of BIOS ROMs would be programmed such that they constantly
> "release" a virus. It hasn't yet happened, though, and it is
> extremely unlikely, as well as being easy to trace.
"Upgradeable" means the *user* can update (*change*) his BIOS from a
program distributed on a floppy or other media. The danger of flash
EAPROMs is a real area of concern and should not be taken lightly.
True, they have not hit the marketplace yet but figure:
* first line virus defense is booting off a floppy from power-on so that
you have a "known" stable and virus free environment.
* a flash virus invades the system and reprograms the system BIOS
* once your BIOS, which was in a known state, can be altered, it is now an
"unknown" and no longer trustworthy.
This is the danger to be considered but fortunately it has been. The
following things can/are being done:
* hardware enable of reprogramming (switch/jumper plug, etc)
* "protected" portions of the chip that cannot be changed.
* elaborate "locks" to reprogram (indeed, the memory cells are
relatively fragile and can be damaged by improper programming
algorithms).
* CRCs, LRCs and or checksums to increase reliability and integrity.
Most importantly is that different vendors are implementing their own
hardware and the lack of a "standard" should prevent any flash virus
from having a large enough culture to thrive in.
jv
"theobromine: a compound which, contrary to its name,
contains neither bromine nor God" -- David Throop
_____
| | Johnathan Vail vail@tegra.com (508) 663-7435
|Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet)
----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)
------------------------------
Date: Tue, 21 Jan 92 16:02:17 +1100
From: Miguel de Icaza <DEICA@UNAMVM1.BITNET>
Subject: New virus found (PC)
I recently found a new virus, here in Mexico City. After debugging the
code, I found a message ("Moctezumas Revenge"). The virus uses an
approach to code infection similar to the Jerusalem virus. No virus
scanner catches it, so I wrote a signature for the virus (this signature
works fine with ThunderByte Scan):
062e 8f060201 1e2e 8f0600010e07
As soon as I know more about the internals of the virus (such as the
date of activation: yes, it has an activation date, but it seems that
it only clears a portion of the screen), I'll post it here.
Miguel de Icaza.
Instituto de Ciencias Nucleares, Universidad Nacional Autonoma de Mexico
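Editor's added example (not part of Miguel's post, and not ThunderByte's code): the signature above is a run of hex bytes that a scanner simply searches for in every file it examines. The Python below parses the posted signature into bytes and scans a file in chunks, carrying the last (signature length minus one) bytes of each chunk into the next so a match that straddles a chunk boundary is still found. The sample image is constructed here (NOP padding with the 14 signature bytes planted at a chosen offset); it is filler around a byte pattern, not the virus.

```python
import io
import re

# The signature exactly as posted; the spaces are only visual grouping.
MOCTEZUMA_SIG_TEXT = "062e 8f060201 1e2e 8f0600010e07"


def parse_signature(text):
    """Turn a hex-string signature (with optional whitespace) into bytes."""
    digits = re.sub(r"\s+", "", text)
    if not digits or len(digits) % 2 or re.search(r"[^0-9A-Fa-f]", digits):
        raise ValueError("signature must be an even number of hex digits")
    return bytes.fromhex(digits)


SIGNATURES = {"Moctezuma's Revenge": parse_signature(MOCTEZUMA_SIG_TEXT)}


def scan_bytes(data, signatures):
    """All (name, offset) matches inside one in-memory buffer, by offset."""
    hits = []
    for name, sig in signatures.items():
        i = data.find(sig)
        while i >= 0:
            hits.append((name, i))
            i = data.find(sig, i + 1)
    return sorted(hits, key=lambda hit: hit[1])


def scan_stream(stream, signatures, chunk_size=65536):
    """Scan a file-like object chunk by chunk.

    The last (longest signature - 1) bytes of each chunk are carried into
    the next buffer, so a signature straddling a chunk boundary is found.
    A set of seen hits stops a shorter signature that fits entirely inside
    the carried bytes from being reported twice.
    """
    overlap = max(len(sig) for sig in signatures.values()) - 1
    carry = b""
    base = 0          # file offset of buf[0] for the next iteration
    seen = set()
    hits = []
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for name, i in scan_bytes(buf, signatures):
            hit = (name, base + i)
            if hit not in seen:
                seen.add(hit)
                hits.append(hit)
        cut = max(0, len(buf) - overlap)
        carry = buf[cut:]
        base += cut
    return hits


def scan_image(data, signatures=SIGNATURES, chunk_size=65536):
    """Run the chunked scanner over an in-memory file image."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


def build_sample_image(sig_offset, size, sig=SIGNATURES["Moctezuma's Revenge"]):
    """Constructed test data: NOP (0x90) filler with the signature bytes
    planted at sig_offset. Not the virus, just its 14 signature bytes."""
    image = bytearray(b"\x90" * size)
    image[sig_offset:sig_offset + len(sig)] = sig
    return bytes(image)


if __name__ == "__main__":
    # Plant the signature so it straddles the 4096-byte chunk boundary.
    image = build_sample_image(4090, 8192)
    print(scan_image(image, chunk_size=4096))   # [("Moctezuma's Revenge", 4090)]
```

With a 4096-byte chunk size the planted signature at offset 4090 spans two reads; without the carried overlap the scanner would report nothing, which is exactly the kind of miss a real scanner must avoid when it reads large .EXE files in pieces.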
------------------------------
Date: 21 Jan 92 18:15:53 -0600
From: "Jerome.Grimmer" <ST6267@SIUCVMB.BITNET>
Subject: WWIV4.20 doesn't like Vshield (PC)
I recently got WWIV4.20 and started to set up a BBS here in
Carbondale. I was running Vshield at the time, and noted that WWIV
would boot OK, and every thing would run normally until I decided to
exit WWIV (I'm still doing setup). When I would exit WWIV, the system
would HARD HANG and I would have to hit the reset button. I have
since stopped using Vshield and have taken to scanning the HD regularly
for viruses using SCAN85, which seems to work just fine. I haven't
got enough RAM to run DV, that's next...does anyone know if there are
any incompatibilities between McAfee's antivirus utilities and
Desqview?
Jerome Grimmer
ST6267@SIUCVMB.BITNET
ST6267@siucvmb.siu.edu
------------------------------
Date: Tue, 21 Jan 92 22:15:32 -0500
From: Charles Fee <CXF111@psuvm.psu.edu>
Subject: Re: WARNING - Michelangelo Virus (PC)
To those who are interested in information regarding the Michelangelo Virus
My machine was infected with Michelangelo for about two weeks, and worked
normally for that time. The only clue I had was that Microsoft SmartDrive
would not load and cited an 'Incompatible Disk Partition'
After banging my head against the wall trying to figure out why, I ran F-prot
2.01 and it discovered the Michelangelo Virus. I removed it successfully with
F-prot 2.01 and the problems with SmartDrive were eliminated.
I hope this possible sign helps...
______
Charles A. Fee DOS Lived... 814-862-2543
cxf111@psuvm.psu.edu DOS Lives...
fee@wilbur.psu.edu DOS Will Live... 128 Beaver Hall
fee@vivaldi.psu.edu University Park, PA 16802
------------------------------
Date: Mon, 20 Jan 92 08:30:54 +0000
From: rmason@ecst.csuchico.edu (Robert Mason)
Subject: An A/B floppy drive switch design (PC)
Last August, I posted a two part paper that described attempts
to contain virus infections at San Jose State University. It
referred to a device for helping prevent infections.
This posting describes that device, which makes a single
floppy drive appear as either A or B, depending on the switch
position. The purpose of this functionality is to allow or prevent
booting a single floppy drive PC from a floppy disk. While the
switch is in the non-boot mode, floppy disks infected with boot
sector infectors, such as Azusa or Stoned, are prevented from
infecting the hard disk. The device has been tested on an IBM
XT class machine, clones using the Phoenix and AMI BIOS, and an
AST Premium machine.
A simple design using a 74LS157 Quad 2-IN Multiplexer can switch
the drive select and motor enable signals to the floppy drive to
make it appear electrically as drive A or drive B. The CMOS setup
also needs to be changed to show drive A or B installed, according
to the switch position. Ideally, the switch would be the keylock
type that is built into most AT-class machines. The device can be
inserted into the FDC cable, by means of an 8 pin edge card connector,
or an 8 pin DIP plug connector. Note that only 4 lines are shown
coming in. The ribbon cable actually has 7 lines that are cut and
twisted 180 deg. at the FD A connector. The odd numbered lines are
at signal ground. The electrical-physical design is shown below. The
lines marked as FDC come from the controller. The lines marked as
FD go to the floppy drive A connector. The LS157 pin numbers are
given next to the multiplexor symbols, with pin 15 connected to
an odd numbered input line. The chip must also be connected to power
(+5v) and ground at pins 16 and 8, respectively.
Floppy drive A/B switch
(Switch open selects B drive signals)
-------------------------------------
IC1
|\
FDC 10 --13--|B \o-15-o
| \__12___________ FD 10
| /
FDC 16 --14--|A /
|/ |
|
|\ |
FDC 12 --10--|B \
| \___9___________ FD 12
| /
FDC 14 --11--|A /
|/ |
|
|\ |
FDC 14 ---6--|B \
| \___7___________ FD 14
| /
FDC 12 ---5--|A /
|/ |
|
|\ |
FDC 16 ---3--|B \
| \___4___________ FD 16
| /
FDC 10 ---2--|A /
|/ | 1
+5v | Prototype Parts List:
| | ---------------------------------
R1 | 1 IC1 74LS157 .35
____/ _|______| 1 R1 10kOhm, 1/4w, 5% .02
| SW1 1 16 pin DIP socket .12
| 2 8 pin DIP plugs .49 ea.
| 2 8 pin DIP sockets .11 ea
GND 1 1 pin header (power) .02
1 2 pin header (keylock) .04
1.5 sq. in. circuit board .40
----------------------------------
Total: $2.15
Wirewrap and solder prototypes were built and tested for the
approximate cost indicated. Power is obtained from a line to
the second FD power connector, and an extension can be made to
an AT machine's keylock cable for use with this application. If
the machine's keylock is used, it cannot be used to lock the
keyboard. I have a single layer board design to manufacture
these devices in quantity, if anyone is interested.
- --
Bob Mason - rmason@ecst.csuchico.edu
------------------------------
Date: Mon, 20 Jan 92 07:40:45 -0800
From: Scott_Hollenbeck.McLean_CSD@xerox.com
Subject: Virus Detection and Protection for Unix (UNIX)
I'm looking for recommendations for SunOS (at least 4.1) software
packages to provide virus detection and protection services. My
preference is for a supported commercially available product, and I'd
like to hear from any vendors or users that can provide a detailed
product and mechanism description.
Please call or respond via e-mail.
Thanks,
Scott Hollenbeck
Xerox Corporation
(703) 790-3766
------------------------------
Date: Wed, 15 Jan 92 00:00:00
From: U10009@SNAESP2.BITNET
Subject: Help Required re IBM RSCS malicious programs (IBM VM/SP)
Hi! Everybody!
My name is Xavier Salmon and I am in charge of the computer system at
the ESPOL (Escuela Superior Politecnica del Litoral) in Guayaquil,
Ecuador.
We are new in this "universe" (BITNET) and naturally we have had some
difficulties setting up our communication system.
Now our major concern is about security. Could somebody out there
help us with suggestions or references where we can find information
about protection against "Malicious Programs" (worms, viruses, etc.
within the BITNET network)?
Our system is an IBM-4341 running RSCS Version 2 Release 3 under VM/SP
6.0.
Any information will be appreciated.
Please write directly to U10009@SNAESP2.BITNET.
Thank you very much.
------------------------------
Date: 21 Jan 92 23:02:01 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: The modem virus myth
p1@arkham.wimsey.bc.ca (Rob Slade) writes:
> As people started to raise objections to the possibility of this
> ridiculous scenario, the initial report was traced back to a
> posting on Fidonet (the earliest date I have in my records is
> October 6, 1988) by someone who gave his name as "Mike
> RoChenle". Ken later suggested this might be read as
> "microchannel", the then new bus for IBM's PS/2 machines.
I think the moral of the story is not to blindly believe what you
read, especially if it comes off of fidonet. I always felt that
fidonet was the lowest form of life on the internet foodchain.
Seriously, one of the "problems" with the internet and related
networks is that to a casual observer the "Mike RoChenle"s have the
same visibility and stature as the Rob Slades and Padgett Petersons.
> it. BBSes, and, by extension, modems, have had a consistently,
> and unfairly, bad press over the past few years. BBSes are seen
> as the ultimate source of all "evil" programs; viri and trojans;
> and anything bad said about them is to be believed.
It is still my belief that BBSs are a major vector for the spread of
viruses and nasty code. I don't mean to paint all BBSs with the same
brush but consider that access is mostly anonymous and a lot of people
using BBSs are barely computer literate. The ease of access to BBSs
and the questionable nature of security and integrity make them an
easy target to aid the spreading of viruses.
jv
"Everything that gives us pleasure gives us pain to measure it by."
-- The Residents, GOD IN THREE PERSONS
_____
| | Johnathan Vail vail@tegra.com (508) 663-7435
|Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet)
----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)
------------------------------
Date: Tue, 21 Jan 92 16:58:48 -0600
From: James Ford <JFORD@UA1VM.BITNET>
Subject: VS920109.ZIP on risc (PC)
The file vs920109.zip has been placed on risc.ua.edu for anonymous ftp
in the directory pub/ibm-antivirus. This file replaces vs911114.zip
and was ftped down from Simtel20.
Fyi, if an update of an ibm antivirus file is announced on Virus-l, it
will usually be on risc.ua.edu a couple of days later if not sooner.
I do try to keep the archives updated, but sometimes forget to post
the upgrade(s) on mibsrv-l@ua1vm.ua.edu
- ----------
Is there any truth to the rumor that everything is really okay?
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
jford@ua1vm.ua.edu, jford@risc.ua.edu
------------------------------
Date: Tue, 21 Jan 92 04:33:00 -0500
From: HAYES@urvax.urich.edu
Subject: new pgms from Padgett Peterson (PC)
Hello. Glad to report the availability of new programs from A.
Padgett Peterson:
FIXMBR22.ZIP This program is designed to replace the standard MS-DOS master
boot record program with code that does more than just find the
active partition and jump to the O/S boot record.
This archive contains also the latest version of SafeMBR.
Now shareware. Update.
CHK .ZIP Two utilities to check both floppy and hard disk and detect the
"Michelangelo" virus.
These two programs are integrity checkers.
FIXFBR11.ZIP FixFBR is a generic anti-virus program and repair tool for
infected and corrupted boot records on floppy disks. FixFBR
first checks the disk for a valid Boot Parameter Block (BPB)
and does a generic test for infection/corruption. Once the
disk has been identified (and the user has an option to
change if incorrect), the complete boot record is replaced with
non-bootable but error checking and flagging code. If the disk
is wished to be made bootable, the DOS SYS command will be
effective.
FIXUTIL .ZIP For the user who wishes to get Padgett's FIXxxx programs.
Contains: CHK.ZIP, FixMBR22.ZIP and FixFBR.ZIP.
CHKINT .ZIP Checks the interrupts of a given program without running the
said program. Useful to track possible trojan horses.
This program used to be in [.msdos.utility].
Reading the respective doc files is a must with Padgett's programs to avoid
problems later.
- ----------
site: urvax.urich.edu, IP# 141.166.1.6
system: vax/vms 5.4, Multinet as FTP processing program
directory: .msdos.antivirus
user: anonymous
password: your_email_address
Please note:
a) at logon, the user is in the anonymous directory. typing:
cd msdos.antivirus<ret>
will put the user in this directory.
b) I received reports of problems with some files when downloaded on
PCs. This is *hopefully* solved. For those who use Zmodem, no
change will be apparent. For those using Kermit, the command
set file type fixed instead of set file type binary *MUST* be issued
*before* the server command and download start.
Regards, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173
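Editor's added example, not Padgett's FixFBR code: the "valid BPB" check and the "generic test for infection/corruption" described above, and in Padgett's own announcement earlier in this digest, can be illustrated with a plausibility check of a 512-byte floppy boot record. The Python below decodes the BIOS Parameter Block, verifies the 55AA signature, requires the first instruction to be a JMP whose target lands in the boot code past the BPB, and matches the geometry fields against the four formats FixFBR supports (360k, 720k, 1.2M, 1.44M). The heuristics are the editor's own, not the tests FixFBR actually performs. The boot records are constructed inline; the "tampered" one simply has its first three bytes replaced with code that is not the DOS JMP.

```python
import struct

# BPB fields at offsets 0..27 of a DOS boot sector:
#   JMP(3) OEM(8) bytes/sector(2) sectors/cluster(1) reserved(2) FATs(1)
#   root entries(2) total sectors(2) media(1) sectors/FAT(2) sectors/track(2) heads(2)
BPB = struct.Struct("<3s8sHBHBHHBHHH")
BOOT_SIGNATURE = b"\x55\xAA"

# Geometry of the four formats FixFBR handles, keyed by (media byte, total sectors).
FLOPPY_FORMATS = {
    (0xFD, 720):  dict(name="360k",  spc=2, root=112, spf=2, spt=9,  heads=2),
    (0xF9, 1440): dict(name="720k",  spc=2, root=112, spf=3, spt=9,  heads=2),
    (0xF9, 2400): dict(name="1.2M",  spc=1, root=224, spf=7, spt=15, heads=2),
    (0xF0, 2880): dict(name="1.44M", spc=1, root=224, spf=9, spt=18, heads=2),
}


def parse_bpb(sector):
    names = ("jmp", "oem", "bps", "spc", "reserved", "nfats",
             "root", "total", "media", "spf", "spt", "heads")
    return dict(zip(names, BPB.unpack_from(sector, 0)))


def identify_format(sector):
    """Name of the floppy format whose BPB geometry matches exactly, else None."""
    f = parse_bpb(sector)
    g = FLOPPY_FORMATS.get((f["media"], f["total"]))
    if g is None:
        return None
    for key in ("spc", "root", "spf", "spt", "heads"):
        if f[key] != g[key]:
            return None
    return g["name"]


def jmp_target(jmp):
    """Offset the entry JMP lands on, or None if the bytes are not a JMP."""
    if jmp[0] == 0xEB and jmp[2] == 0x90:           # JMP short rel8 ; NOP
        disp = jmp[1] - 256 if jmp[1] > 127 else jmp[1]
        return 2 + disp
    if jmp[0] == 0xE9:                               # JMP near rel16
        return 3 + struct.unpack("<H", jmp[1:3])[0]
    return None


def check_boot_record(sector):
    """Return a list of findings; an empty list means the record looks sane."""
    problems = []
    if len(sector) != 512:
        return ["boot record is %d bytes, expected 512" % len(sector)]
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    f = parse_bpb(sector)
    target = jmp_target(f["jmp"])
    if target is None:
        problems.append("first bytes are not a JMP to boot code")
    elif not BPB.size <= target < 510:
        problems.append("JMP target 0x%X lands outside the boot code" % target)
    if f["bps"] != 512:
        problems.append("bytes per sector is %d, expected 512" % f["bps"])
    if f["spc"] == 0 or f["spc"] & (f["spc"] - 1):
        problems.append("sectors per cluster is not a power of two")
    if f["reserved"] != 1:
        problems.append("reserved sectors is %d, expected 1 on a floppy" % f["reserved"])
    if f["nfats"] != 2:
        problems.append("FAT count is %d, expected 2" % f["nfats"])
    if identify_format(sector) is None:
        problems.append("BPB geometry matches none of 360k/720k/1.2M/1.44M")
    return problems


def build_boot_record(name):
    """Constructed sample: a clean DOS-style boot record for the named format."""
    (media, total), g = next(item for item in FLOPPY_FORMATS.items()
                             if item[1]["name"] == name)
    sector = bytearray(512)
    BPB.pack_into(sector, 0, b"\xEB\x3C\x90", b"MSDOS5.0", 512, g["spc"], 1, 2,
                  g["root"], total, media, g["spf"], g["spt"], g["heads"])
    sector[0x3E:0x40] = b"\xEB\xFE"    # stand-in boot code at the JMP target: JMP $
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def infected_sample():
    """Constructed: the 1.44M record with its entry JMP overwritten by other code."""
    sector = bytearray(build_boot_record("1.44M"))
    sector[0:3] = b"\xFA\x33\xC0"      # CLI ; XOR AX,AX  (arbitrary non-JMP start)
    return bytes(sector)


if __name__ == "__main__":
    for label, rec in (("clean 1.44M", build_boot_record("1.44M")),
                       ("tampered", infected_sample())):
        print(label, identify_format(rec), check_boot_record(rec) or "OK")
```

Like the FixFBR description, this reports only that "something" is wrong, never a virus name: a record whose BPB still identifies as 1.44M but whose entry point is no longer a JMP into the boot code is flagged, while a clean record for any of the four formats passes with no findings.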
------------------------------
Date: Tue, 21 Jan 92 08:23:00 -0500
From: "Gerry Santoro - CAC/PSU 814-863-7896" <GMS@PSUVM.PSU.EDU>
Subject: RE: NCSA Has Tested Anti-Virus Programs (PC)
In VIRUS-L V5 #8 someone posted the following:
>Subject: RE: NCSA Has Tested Anti-Virus Programs
>
>The information you presented was correct, though outdated. Those
>results were from the previous virus scanner evaluation report, and
>were printed last year in Network World, as you said. Just this week,
>the latest update to that scanner evaluation was released, and is
>available from the NCSA at 717-258-1816. The results may surprise
>you..... Hope this helps, happy virus-bust
Downloaded From P-80 International Information Systems 304-744-2253