krvw%CERT.SEI.CMU.EDU@vm.ucs.UAlberta.CA ("The Moderator Kenneth R. van Wyk") (02/28/91)
VIRUS-L Digest Thursday, 28 Feb 1991 Volume 4 : Issue 33
Today's Topics:
Problems with AirCop (PC)
Stoned - new version? (PC)
Word Perfect and change checkers (PC)
Virus Protection in Real Time
Boot Sector/Partition Table Protection (PC)
Re: SCANv74B false positive (PC)
ALERT: WDEF A, found on Rodime utilities for Mac. (Mac)
File reduction virus? (PC)
Unidentified infection - help (PC)
f-prot & windows (PC)
CARMEL Turbo Anti-Virus Set (PC)
Innoculating diskettes (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 27 Feb 91 11:50:31 -0600
From: Jesus Barrera Ramos <BL161926@TECMTYVM.BITNET>
Subject: Problems with AirCop (PC)
Last week I detected AirCop virus in two disks of mine (in my systems
disks to be exact), well I "removed" them with scan72 but in the
finish of the clearing it said me that "Virus cannot be safely removed
from boot sector"; so, I cleane d it again and said me again that it
cannot be removed safely, I don't know if giving to the disk a "Sys
b:" can I get ride of AirCop, I read Patricia M. Hoff man document and
it doesn't says nothing about that. Can anybody tell me how ca n I get
ride of AirCop?, Does a scan newer than scan72 can remove it
safely?and if it does, Where can I get that new version?, and last,
does AirCop virus safe it virus code anywhere else the boot sector?
(Like a backup af itself)...Well, that's all for now, I'll thank your
answers...and please...forgive my english errors.
Jesus Barrera Ramos
(BL161926@TECMTYVM)
(Eqix)
------------------------------
Date: Tue, 26 Feb 91 11:36:53 -0500
From: martha rapp <IMER400@INDYCMS.BITNET>
Subject: Stoned - new version? (PC)
We may have a new variation of STONED II here at IUPUI. The message
has been changed to say LEGALISE instead of version 2. This IS NOT
being found by virus scan version 74b on the harddrive but will find
it on the floppy. The machine infected is a COMPAQ XT. Also before I
forget the message does not appear in the partition table when viewed
with a sector editor.
Martha Rapp BITNET: IMER400@INDYCMS || INTERNET: IMER400@INDYCMS.IUPUI.EDU
Programmer/Analyst Indiana University Purdue University at Indianapolis
------------------------------
Date: 27 Feb 91 13:35:38 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: Word Perfect and change checkers (PC)
Rob slade writes:
>All versions of Word Perfect (at least since 4.2) have had a self
>testing module in them. Neither F-XLock nor SCAN /AV nor any
>other self checker that adds code to the program can be used on
>it, since the added code invalidates the internal self test.
Please note that not all "change checkers" add code to the program.
SafeWord Virus-Safe, for example, does not. There are probably others.
The term "change checkers" is very descriptive, but I prefer the more
positive-sounding terms such as "integrity checkers" or "signature
verifiers". Whatever you call them, in my view these represent the
only defense capable of detecting TODAY's and TOMORROW's viruses in
addition to YESTERDAY's! Viral infection is a subset of the larger
problem of verification of integrity.
- -Bob Bosen-
Enigma Logic Inc. (Producers of SafeWord VIRUS-Safe ]Now Shareware()
2151 Salvio Street #301
Concord, CA 94520
USA
Tel: 415 827-5707
FAX: 415 827-2593
Internet: 71435.1777@COMPUSERVE.COM
------------------------------
Date: 27 Feb 91 14:37:54 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: Virus Protection in Real Time
David M. Ung writes:
>Does anyone know about existing software packages that watch for
>suspicious viral activities in real time?
There are several such packages. One of them is mine, SafeWord
Virus-Safe, now available as shareware. This package evaluates all
executable code prior to allowing it to execute, performing a
sophisticated integrity check. It does NOT check for viruses
specifically. Instead, it alerts the user if it detects any CHANGES in
the file(s) or programs or program segments being executed. Users can
"tune" this package to achieve any trade-off they want, choosing
between the highest possible performance or the highest possible
protection.
- -Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street #301
Concord, CA 94520
USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM
------------------------------
Date: 27 Feb 91 14:22:36 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: Boot Sector/Partition Table Protection (PC)
Referring to the idea of inserting viral detection code very early in
the bootstrap sequence by modifying the partition table, Padgett
Peterson writes:
>I hope that this will stimulate some activity on the part of the
>vendors to provide such protection -- it is not difficult to write,
>but for me, I would no longer consider any product complete unless
>some such form of low level protection was included.
I'm sorry, but it would just be too easy to fake the "all clear"
message generated by any such technique.
I agree that some form of low level protection is necessary but I fear
that defensive code hiding in partition tables will be much more
vulnerable to attack than MY preferred method: periodically
bootstrapping from a "sterile" boot diskette that is kept isolated from
every other usage. If I never use that boot diskette in any machine
executing any code that didn't COME from that diskette, then it CAN't
be corrupted. Period. End of discussion. That's the ultimate low-level
protection.
Bob Bosen
Enigma Logic Inc. (Producers of SafeWord VIRUS-Safe ]Now Shareware()
2151 Salvio Street #301
Concord, CA 94520
USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 715435.1777@COMPUSERVE.COM
------------------------------
Date: 28 Feb 91 18:34:22 +0100
From: cctr132@csc.canterbury.ac.nz (Nick FitzGerald)
Subject: Re: SCANv74B false positive (PC)
In Virus-L V4 #32 GORDON@CHMEDS.AC.NZ (Gordon Findlay) wrote:
>I just downloaded the latest version of McAffee's SCAN (v74B) and
>tried it.
>
>It gives a false positive (I HOPE it's a false positive!) on a NZ
>program KILLER.COM, which is a little .COM file for removing
>variations on the Stoned virus. Scanv74B reports the Invader virus.
It's a false postive alright. Seems that the code sequence in the
INVADER that SCAN looks for is also *legitimately* present in KILLER.
My guess is that it is part of the code that does the absolute disk
reads and/or writes that is likely to be present in both the virus and
KILLER.
Anyone who has KILLER shouldn't be using it any more. Apart from the
"annoyance" value of the false SCAN report, it does not detect or fix
the STONED-2 virus. NOSTONE (an update of KILLER), is aware of both
strains of the STONED, and doesn't set off the false alarm when SCANned.
>I assume it's a false positive as the file is only 799 bytes long, and
>the Invader virus is reported as adding 4096 bytes to .COM files;
>modifying the boot sector, and hooking interrupts (Thanks, Patricia
>Hoffman, for your VIRSUSSUM work). None of these has happened.
Sounds like good reasoning to me. As I said above, its likely the absolute
disk read/write code is the same in the virus and KILLER.
- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337
------------------------------
Date: Thu, 28 Feb 91 09:44:36 +0000
From: Paul Woodman <woody@praxis.co.uk>
Subject: ALERT: WDEF A, found on Rodime utilities for Mac. (Mac)
This subject may have been covered here before, but viewers may
be interested in the virus that came with my new Rodime disk.
Last week I took delivery (in the UK) of a Rodime 45 plus drive
for my Mac. It was supplied in an unopened Rodime carton so I
presume, but can't be sure, that nobody has had their fingers in
it since it left the factory. The drive comes with a 3.5' floppy
called PLUS/RX utilities for the Macintosh.
It is a nice touch by Rodime that the drive is supplied already
formatted complete with System 6.0.4 installed so you are ready
to plug in and go. However, as the accompanying documentation
points out, it would be a good idea to reformat/partition your
disk etc with the utilities provided on the floppy. So I did,
and they were very nice utilities that left me with a reformated
disk waiting for me to load with my appropriate software
environment. In fact the utilities were so nice that I inserted
the floppy in another Mac to see if they would work with a
different Rodime drive.
As I inserted the floppy, good old disinfectant 2.4 complained
the floppy was infected with WDEF A. I then went back to my
newly formatted 45 plus with a clean write protected copy of
disinfectant and sure enough, the hard drive was infected.
(I must make clear that this was a diskless Mac Plus that I
connected the Rodime drive to. At the time of connection it
was switched off, had no other external hardware attached and
on subsequent power up, no external hardware was attached and
the only floppy inserted in the internal drive was the Rodime
utilities followed by the disinfectant floppy AFTER I had
discovered the virus.)
I called the Rodime UK technical support number as listed in the
manual and discovered it was the number of their Fax machine.
When I finally got through to their UK technical support, they
appologised, but didnt seem in the slightest bit concerned to
the extent that they didnt even want to take my name or contact
details or have the offending floppy back. They also confirmed
that the utilities floppies are not delivered shrink wrapped
so there is no security involved.
In conclusion, I dont know enough about viruses to be sure of
where this one got in. However I can be 100% sure it wasnt on
this site, as far as I can tell from the packaging, nobody has
opened the box since it left Rodime and the dealer confirms that
he didnt open the box. When you consider the damage that could
have been caused if trusty disinfectant hadn't come to my rescue,
then Rodimes response is incredibly poor, even if they aren't
responsible for the appearance of this virus on my disk. The
UK price is $900 and for that price, I expect better.
Rodime told me that they no longer make this model in the UK but
import it from Rodime in the US. I wonder if anybody else has
discovered this problem with Rodime ?
Paul Woodman
Praxis plc, Software Engineers,
\ / | 20 Manvers Street, Bath, BA1 1PX, UK.
\ / ___ ___ _| Tel +44 225 444700 xt228
\ /\ / / / / / / | \ / Fax +44 225 465205, Telex 445848
\/ \/ /__/ /__/ /__| \/ woody@praxis.co.uk
_________________________/
------------------------------
Date: Wed, 27 Feb 91 18:24:00 -0500
From: Sliner <SLINE@ITHACA.BITNET>
Subject: File reduction virus? (PC)
I know viruses sometimes increase file lengths, but can a
virus decrease a file length? The reason why I was asking was on a
bank of PCs in a lab, the ipx.com file was 26666, but on one machine
in the bank, the size was 25500, and the file had the correct date.
Another problem was that the machine was notreading the autoexec.bat
file when the computer was booted up. I ran scan 72, but it did not
detect anything.
Thanks in advance,
Dan Sline
Bitnet: Sline@Ithaca
Internet:Sline@Ithaca.bitnet
P.S. Could someone please post to list or e-mail me a message when the next
batch of scan programs from McAfee is available (I currently have V74B)?
------------------------------
Date: 28 Feb 91 14:58:57 -0500
From: "Christa.Keil" <UMV001@DBNMEB1.BITNET>
Subject: Unidentified infection - help (PC)
Hallo :-)
I have a probleme.... with a virus (with whatelse ;-) )
A student is working with WINDOWS 3.0, the name of the file which
is 'infected' is: WIN386.EXE.
He has 2 viren scan programs (ANTIVIR SCAN), which both tell me that
there is a virus, BUT they can't tell me what virus it is.
The original exec is smaller then the exec the student is using now.
Is it possible, that the virus has been in a free space of the hard-
disc, before the installation of windows was started?
The program is still running and the student did not find any changes
in files or other exe's or com's
Can anybody give me the name of a virus-kill-program, which is avaible
in Germany.
Christa Keil
*====================================================================*
! _--_ _--_ ! Christa Keil UMV001@DBNMEB1.BITNET!
! ( )~~~( ) ! S.-Freud-Strasse 25 Tel.: +49-228-280-2832!
! \ / ! D-5300 Bonn 1 !
! ( O _ O ) ! Fed. Republic Germany !
! \ / !==================================================!
! ( `-' ) ! "Teddies will never disappoint you .... :-)"!
! `---' ! "I'm the female your mommy always warned you!
! Zotty ! about...." !
*====================================================================*
------------------------------
Date: Thu, 28 Feb 91 15:25:01 +0000
From: treeves@magnus.ircc.ohio-state.edu (Terry N Reeves)
Subject: f-prot & windows (PC)
I hope the author will speak to this, but by actual test:
IBM DOS 4.01
IBM PS/2 55sx
Windows 3.0
F-PROT 1.14a
Attempted to run file infected with Jerusalem viurs from
windows file manager. The f-driver flashed the "this file infected
message" (gone too fast to read thanks to windows) and then windows
gave me a dialog box with an Access Denied error. This is the same
error I would get at the C> prompt. The virus was blocked. The same
results occur if an icon is setup for an infected file.
Hardly an exhaustive test, but it would appear windows doesn't
stop the f-driver from functioning.
_____________________________________________________________________________
| That's my story, and I'm sticking to it! |
|_____________________________________________________________________________|
| Microcomputer software support, | treeves@magnus.IRCC.OHIO-STATE.EDU |
------------------------------
Date: Tue, 26 Feb 91 10:16:47 -0800
From: Ferdi.Louw@p112.f1.n491.z5.fidonet.org (Ferdi Louw)
Subject: CARMEL Turbo Anti-Virus Set (PC)
infocenter@urz.unibas.ch told All on <Fri 01 Feb 15:32> that:
Newsgroups: comp.virus
>Please send me any information you have about the
>Turbo Anti-Virus Set from Carmel Software Engineering
Short evaluation of "Turbo Anti-virus" by Carmel Software Engineering, Israel.
It costs about (SA)R300 and contains the following:
TNTVIRUS EXE 153600 91-01-10 23:12
Menu or command line driven do-it-all program. It can scan, clean, immunize
self verification and backup boot areas. The menu system allows you to tag
dir.s or files to operate on. It is quite reasonable friendly.
INSTALL EXE 48734 90-09-27 17:23
Automatic installation.
README DOC 71067 90-09-14 11:02
Updates and short virus descriptions.
TSAFE COM 22703 91-01-08 11:09
TSR of 16.5k ram. Checks for invalid operations (on disk and on ram), known
virii, pop-up menu, friendly configuration. Select what you want to protect.
DEFENDER COM 6819 91-01-08 11:10
Small 4.5k TSR checks only for known virii
BOOTSAFE EXE 34014 90-11-08 7:00
Compares boot areas at startup for modifications. Can restore from saved
copies.
PROTECTH EXE 9728 90-09-25 9:38
Copy protection :-( allows install on HD. (Protection scheme involves a
series of magnetically bad sectors.) Only on tntvirus.exe.
LAN version also available.
Includes 1 year free upgrades.
I don't like menu driven software but this seems quite acceptable.
Non-technical users should also find it usable. The manual is however short,
without index or contents. But I heard there is a new manual out now.
Ferdi :-)
D.F.B. Louw E-mail: Ferdi.Louw@p112.f1.n491.z5.FidoNet.org
Atomic Energy Corp. FidoNet: Ferdi Louw of 5:491/1.112
Pelindaba 1500 UniNet: Ferdi.Louw%p112.f1.n491.z5.FidoNet.ORG at RURES
PO Box 582 Phone: +27-12-316-6125(w)
Pretoria 0001 Phone: +27-12-344-3331(h)
South Africa Fax: +27-12-316-5137
(Alternative e-mail: "]D.Louw/OMNET(MAIL/USA%TELEMAIL"@intermail.isi.edu)
- --
uucp: uunet!m2xenix!puddle!5!491!1.112!Ferdi.Louw
Internet: Ferdi.Louw@p112.f1.n491.z5.fidonet.org
------------------------------
Date: Mon, 25 Feb 91 15:43:38 -0400
From: MMCCUNE@sctnve.BITNET
Subject: Innoculating diskettes (PC)
]Ed. The INNOC program (source code only) is available by anonymous
FTP from mibsrv.mib.eng.ua.edu in pub/ibm-antivirus/innoc.zip.(
INNOC Boot Virus Immunizer
- --------------------------
(c) Mike McCune 1991 - All rights reserved.
This program may be used and distributed freely.
Boot Sectors infectors are among the most prevalent of computer
viruses in the US. Commercial programs that detect and clean out
these viruses do not confer any immunity, and the same diskettes can
be reinfected at a later date by the same virus.
INNOC is a general-purpose Boot virus immunizer for diskettes. It will
not only destroy Boot Sector infectors, but will `innoculate' against
some of the more common Boot viruses. To use it, insert the desired
diskette in Drive A: and type:
innoc <ENTER>
INNOC will immediately destroy any Boot infectors present on the
diskette and will simultaneously immunize it against the following
viruses:
Brain
Ashar
Stoned
Ping-Pong
Diskettes immunized by INNOC will not be infected by any of the
viruses against which INNOC confers immunity. The immunization is
achieved by writing special code sequences into the Boot Sector. For
this reason, immunized Diskettes can no longer be used as Booting
disks. Since most disks are never used in that manner, this is not a
major problem. If you need to make a diskette bootable again, simply
use DOS's SYS.COM (SYS A:.). This, however, will destroy the
immunization conferred by INNOC.
INNOC issues the following messages:
- -----------------------------------
Read Error | An error occured while reading from the diskette. Simply
run the program again. Usually a hardware/media problem.
Write Error | An error occured writing to the diskette. Same as above.
Try again.
Diskette A: | Any Boot Sector viruses have been disabled, and the diskette
Innoculated | is now immunized.
DISCLAIMER
----------
In order to avoid getting sued, I offer no warranty on this or any
other program. I do appreciate suggestions, though. I can be reached
on the ILink and FidoNet virus conferences. I can also be reached on
the RelayNet DataProtect and Virus-L conferences. My BitNet address is
MMCCUNE@SCTNVE...<MM>.
------------------------------
End of VIRUS-L Digest ]Volume 4 Issue 33(
*****************************************