[comp.virus] VIRUS-L Digest V4 #32

krvw%CERT.SEI.CMU.EDU@vm.ucs.UAlberta.CA ("The Moderator Kenneth R. van Wyk") (02/28/91)

VIRUS-L Digest   Wednesday, 27 Feb 1991    Volume 4 : Issue 32
 
Today's Topics:
 
problems w/ scan V74-b (PC)
Re: IBM Virus Scanner. (PC)
Standardized virus signatures
Norton rebuttal (PC)
Virus Zaps POW Database
MusicBug (PC)
Problem with Scan 74B (PC)
Comments to VAX/VMS: XENIX vs. MS-DOS boot vir.
New Virus (PC)
Re: Mac viruses (Mac)
MusicBug Boo-Boo (PC)
Possible new BRAIN version? (PC)
SCANning incompatible drive (PC)
SCANv74B false positive (PC)
Windows v3.0 / F-Prot (PC)
 
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
 
   Ken van Wyk
 
---------------------------------------------------------------------------
 
Date:    22 Feb 91 15:23:34 +0000
From:    ben@bucsf.bu.edu (Benjamin Cline)
Subject: problems w/ scan V74-b (PC)
 
I just downloaded scanv74-b from beach.gal.utexas.edu and it refuses
to work properly with my hard disk, which is a Seagate ST-251-1
formatted with NEC DOS 3.3 (supports partitions > 32 megs). When I try
scan c:\ it gives an error message "Sorry, the partition table on drive
C is 1024 bytes long. That's too big for me." It will work fine if I try
scan c:\windows. Previous versions (71,72) of scan worked fine. Any
ideas?
 
 
	Benjamin
- --
-------------------------------------------------------------------------------
Benjamin Cline                               700 Commonwealth Ave, Box 1087
ben@bucsf.bu.edu                             Boston, MA 02215
-------------------------------------------------------------------------------
 
------------------------------
 
Date:    22 Feb 91 11:13:58 -0500
From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: Re: IBM Virus Scanner. (PC)
 
If you have a version of VIRSCAN that is labelled 1.23, what you have
is a (quite old) copy of the INTERNAL USE version of the program.  The
internal version number and the product version number are on two
entirely different tracks (we'll be fixing this soon!).  So internal
1.23 is in fact *older* than product 1.2.  (The next versions of both
will probably be called "2.0", so this problem will go away.)
 
The current version of the product is 1.3; it should be available in
IBMLINK in the Electronic Software Distribution section (this is what
I'm told; I've never used IBMLINK myself).
 
The one source of virus signatures (suitable for use in VIRSCAN, for
instance) that springs to mind is the list that is published in Virus
Bulletin.  That's a UK publication; I'm not sure how likely you are to
find it in a US library, for instance...
 
DC
 
------------------------------
 
Date:    Fri, 22 Feb 91 12:12:14 -0500
From:    Jim Pinson <JPINSON@uga.cc.uga.edu>
Subject: Standardized virus signatures
 
I have been evaluating several of the virus-scan programs and have
noticed that several of them use (or can use) an external text file
containing virus "signatures".  This seems a very useful feature since
signatures can be posted on lists such as this.  There does not seem
to be a standard format for these files.  Is there any reason a
standard format could not be developed?  It would simplify the virus
posting process.
 
Jim Pinson   University of Georgia
 
------------------------------
 
Date:    Fri, 22 Feb 91 16:23:28 +0000
From:    DEL2@phoenix.cambridge.ac.uk
Subject: Norton rebuttal (PC)
 
Since I posted a comment from PC Business World recently which was
critical of the Norton Anti-Virus package, I think it incumbent on me
to offer also this response from Symantec.  The "%" signs stand for
bullets in the original text, which I have abbreviated, slightly edited
and reformatted.
 
Regards, Douglas de Lacey,
Cambridge University.
 
<quote>
I would like to respond to PC Business World's review of Symantec's
Norton Anti Virus for the PC (Nav) software--"Physician, heal
thyself", 22 January 1991.   Not only did it set out deliberately to
discredit the solution offered by the Norton Anti Virus, but it did so
with considerable inaccuracy. To illustrate this, I have highlighted
some of the criticism in the review and offer Symantec's reply.
 
...
%"It contains the signatures for 141 viruses": this is incorrect. We
do not contain signatures but virus definitions, which offer a more
comprehensive description of the virus and in some cases, contain
repair facilities. Furthermore, Nav has more than 141 definitions and
detects more than 200 viruses and strains. We are constantly adding to
the libraries to increase detection and prevention with monthly update
disks, the first of which is currently being shipped. We have also
consistently made it clear that we place great emphasis on providing
users with a data protection service. This includes a unique Virus
Newsline which users can dial into for information, a Virus
Clinic-providing users with comprehensive seminars to address
anti-viral issues-and the regular anti-virus update disk protecting
against new virus outbreaks. It is also worth mentioning that as there
is no standard taxonomy of viruses, competitive analysis of virus
libraries is spurious. Until there is an industry standard way of
naming viruses, competitive surveys should be treated with caution.
 
%"Unless you have Norton Intercept loaded in memory, you must boot up
from an uninfected, write-protected Dos disk": this is no criticism,
but highlights a positive feature. Good practice dictates that if
Virus Intercept is not loaded, the user should boot from a
write-protected disk. Virus Intercept also detects all defined viruses
in memory.
 
%"PC performance drops noticeably": in the December issue of the Virus
Bulletin, Nav was rated better than the competition ...
 
%"Percentage of files in which viral activity was detected--80%":
Virus Bulletin stated that Nav had a 99% capability. ...
 
... we have
already begun a dialogue with Interpol via Bob Hay, chairman of Fast
and the Police Computer Crime Unit, as well as talking to our
competitors about establishing an independent, international virus
research facility.
 
%"The company says it does not do research in Europe, nor does it
co-operate with the UK research community": this is untrue. ...
 
YUSUF HASSAN General Manager Symantec UK
<endquote>
 
------------------------------
 
Date:    Sun, 24 Feb 91 07:43:50 -0800
From:    teda!RATVAX.DNET.teda.Teradyne.COM!ROBERTS@EDDIE.MIT.EDU (George Roberts)
Subject: Virus Zaps POW Database
 
Taken without permission from: DEFENSE NEWS Monday, February 18, 1991
 
                     Virus Zaps POW Database
 
  A small computer in the U.S. Army's Pentagon operations center was
struck by a virus Feb. 8, damaging a database of information about
Iraqi prisoners of war, according to a Defense Department computer
expert.  However, the information was automatically preserved by
security software, he said.
  The virus, called the "Marijuana Stoned" virus, probably infected
the computer through video game software used for recreation by
soldiers in Saudi Arabia, the expert said.  Once the virus infects a
computer, the screen displays a message telling users that the
computer is stoned, adding "Legalize Marijuana!"
 
------------------------------
 
Date:    Fri, 22 Feb 91 19:13:55 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: MusicBug (PC)
 
	Have just had a chance to look at the February VSUM and though
Patti and I discussed this, evidently the fix did not get into this
month's list.
 
	In short, you do not have to do a low level format of a hard
disk to remove the MBug (though it will certainly work). Earlier I
posted the "better" way to remove it, but if you are familiar with the
disk and do not mind boot sector patching, restoration using "SYS" is
possible.
 
	Simply put, the MBug wipes the "reserved" sector value in the
boot record. Since a DOS SYS command preserves this value, on boot,
the system looks in the wrong place for the FAT. This makes finding
the system files difficult. If the disk is a standard MFM or RLL
drive, this value is hex 11 (17). Big drives are liable to use 3F
(63). If in doubt, the maximum sector value (bits 0-5 of CL return
from Int 13 fn 08) is a good start.
 
	No guarantees & caveat todo but might retrieve the disk.
 
						Padgett
 
------------------------------
 
Date:    Mon, 25 Feb 91 13:01:42 -0500
From:    Stephen McCloud <CCSDM@INDST.BITNET>
Subject: Problem with Scan 74B (PC)
 
SCAN 74B still finds Stoned/Swedish Virus on some Zenith-OEM MS-DOS
computers.  McAfee still has some work to do.
 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Stephen McCloud, Systems Programmer, Indiana State University
 
------------------------------
 
Date:    Mon, 25 Feb 91 16:08:28 +0300
From:    eldar@lomi.spb.su (Eldar A. Musaev)
Subject: Comments to VAX/VMS: XENIX vs. MS-DOS boot vir.
 
Though UNIX and UNIX-like systems are highly protected, this does not
work on the PC against many MS-DOS boot viruses.  For example, a month
ago I saw a XENIX floppy infected by the Italy Ball virus.
 
Eldar A. Musaev, Ph.D.,			eldar@lomi.spb.su
Mathematical Institute, Leningrad	or fuug.fi!lomi.spb.su!eldar
 
------------------------------
 
Date:    Mon, 25 Feb 91 16:49:00 -0500
From:    S008@HECMTL01.BITNET
Subject: New Virus (PC)
 
Here is some information about a new virus (that I named "SCUD").
This virus modifies the boot record or the master boot of the hard
disk depending on the stage of infection.
 
Randomly, when you try to access a diskette (dir or other commands), if it is
not write protected, it changes the boot record of the diskette and most of
the time, it changes the media descriptor byte so you're not able to
correctly access this disk anymore.
 
One way to recover the data is to put a clean boot record on the diskette.
 
Hakim Belmaachi
Computer Analyst
Ecole des Hautes Etudes Commerciales
5255 Decelles, Montreal
Quebec,  H3T 1V6
 
Tel. (514) 340-6067
 
------------------------------
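As an added illustration (not code from any of the posts above), the following Python reads the boot-record fields that Padgett's MusicBug post and Hakim Belmaachi's SCUD post talk about, flags a zeroed reserved/hidden sector count and an invalid media descriptor byte, and applies the single-field patch Padgett describes. The DOS 3.3 BPB layout, the 17-sector MFM sample sector and the `make_boot_sector`/`check_bpb`/`patch_field` names are assumptions of this example.

```python
import struct

# BPB offsets/formats in a DOS 3.3-style boot sector (assumed layout; not from the posts).
BPB_FIELDS = {
    "reserved_sectors":  (0x0E, "<H"),
    "media_descriptor":  (0x15, "<B"),
    "sectors_per_track": (0x18, "<H"),
    "hidden_sectors":    (0x1C, "<H"),
}
VALID_MEDIA = {0xF0} | set(range(0xF8, 0x100))   # legal DOS media descriptor bytes


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields above from one 512-byte boot sector."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte boot sector")
    return {name: struct.unpack_from(fmt, sector, off)[0]
            for name, (off, fmt) in BPB_FIELDS.items()}


def check_bpb(sector: bytes) -> list:
    """List the anomalies the two posts describe, plus a missing boot signature."""
    f = parse_bpb(sector)
    findings = []
    if sector[510:512] != b"\x55\xAA":
        findings.append("boot signature 55AA missing")
    if f["media_descriptor"] not in VALID_MEDIA:          # the SCUD symptom
        findings.append("invalid media descriptor 0x%02X" % f["media_descriptor"])
    if f["reserved_sectors"] == 0:                         # FAT would be sought in the wrong place
        findings.append("reserved sector count is zero")
    if f["media_descriptor"] == 0xF8 and f["hidden_sectors"] == 0:   # the MusicBug symptom
        findings.append("hard-disk volume reports zero hidden sectors")
    return findings


def patch_field(sector: bytes, name: str, value: int) -> bytes:
    """Return a copy of the sector with one BPB field rewritten (the manual repair)."""
    off, fmt = BPB_FIELDS[name]
    buf = bytearray(sector)
    struct.pack_into(fmt, buf, off, value)
    return bytes(buf)


def make_boot_sector(**overrides) -> bytes:
    """Constructed sample: a hard-disk DOS 3.3 boot sector on a 17-sector MFM drive."""
    fields = dict(reserved_sectors=1, media_descriptor=0xF8,
                  sectors_per_track=17, hidden_sectors=17)
    fields.update(overrides)
    buf = bytearray(512)
    buf[0:3] = b"\xEB\x3C\x90"      # JMP to the boot code
    buf[3:11] = b"MSDOS3.3"         # OEM name
    for name, value in fields.items():
        buf = bytearray(patch_field(bytes(buf), name, value))
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)
```

`check_bpb(make_boot_sector(hidden_sectors=0))` reproduces the MusicBug symptom and `patch_field(..., "hidden_sectors", 17)` clears it with the value the post gives for MFM drives; on a real disk the value to write should come from the drive geometry (Int 13 fn 08), as the post says.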
 
Date:    Mon, 25 Feb 91 23:02:44 +0000
From:    fau@po.CWRU.Edu (Francis A. Uy)
Subject: Re: Mac viruses (Mac)
 
Melissa Jehnings said:
"Although Mac viruses are easier to write, they are written much
more simple-mindedly.  That is, it just has one thing in mind...to mess up a
Mac.  However, if you're keeping count of viruses, there are fewer Mac
viruses (I think the last count was at 16) than there are for PC's,
although PC viruses are usually much more sophisticated."
 
Another important thing to note is that none of the Mac virii
known as of Disinfectant 2.4 are specifically malignant: i.e.
they only attempt to spread, rather than trying to destroy files.
As we all know, this is dangerous anyways, but at least it's
heartening to know that aside from a few old Trojans, the Mac
environment isn't lethal yet.
 
- --
"I have a very interesting pencil holder.
 It's an exact replica of a microwave oven." --mac7
 
 Francis A Uy        The Loft        754.2079
 
------------------------------
 
Date:    Sat, 23 Feb 91 15:11:35 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: MusicBug Boo-Boo (PC)
 
Must have had brain fade over the weekend - only normal MFM drives use
17 sectors per track. RLL drives use 24 or 26 or something like that
(which is why they are bigger). Int 13 fn 8 will tell you. Sorry about that.
                                                Padgett
 
------------------------------
 
Date:    Mon, 25 Feb 91 15:51:36 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Possible new BRAIN version? (PC)
 
I have no confirmation on this as yet, but ...
 
   Date : 16-Feb-91 16:23
   From : Larry Beattie
 
A version of Brain (apparently) known as "Shithead" has surfaced
trashing hard disks etc on home computers.  It apparently was
transferred from PCs used by the airline reservation systems and
came from a travel agent in Quebec.  Anyone know anything about
it?  Using SCAN /M seems to disinfect it.  The virus also
apparently hides the work of other viruses (didn't know they did
that) so it could be particularly insidious.
 
RS> Larry:
RS>
RS> Do you have a copy of the new virus for disassembly?
 
Unfortunately not.  As a new user exchanging disks with my friend
(who had his drive trashed) I immediately ran everything I could
to clean my system.  Apparently it worked.  I will try to see
what I can get since it also infected (came from) Airlines
reservation systems and travel agents (brought home by my
friend's wife).
 
========
 
In addition, I have recently been promised, but haven't yet seen, a
version of Stoned that infects COMMAND.COM, increasing its length by 960
bytes.
 
 
Vancouver          p1@arkham.wimsey.bc.ca           _n_
Institute for      Robert_Slade@mtsg.sfu.ca          H
Research into      (SUZY) INtegrity                 /
User               Canada V7K 2G6                O=C\
Security                            Radical Dude   | O- /\_
                                             /-----+---/ \_\
                                            / |    `  ||/
"A ship in a harbour is safe, but that     /  ||`----'||
is not what ships are built for."             ||      ||
                     - John Parks             ``      ``
 
------------------------------
 
Date:    Tue, 26 Feb 91 11:44:00 +0100
From:    <VANTENT@HROEUR5.BITNET>
Subject: SCANning incompatible drive (PC)
 
In a message of <Fri, 22 Feb 91> Thomas Heil said:
 > When I enter  SCAN C:  with C: being a 40MB Tandon DataPac that has
 > 1K-Sectors, SCAN reported that the partition table size was too large
 > to be processed, and it stopped all further checking of the files.
 
I think that you should give NETSCN74 a try: it will scan all files
(recursing into subdirectories) without checking on boot/partition
compatibility. I don't know whether your DataPac won't be (easily)
infected by current bootsector or partition table viruses though...
(maybe not, if it is really non-standard?).
 
Jan van 't Ent, Apparatuurbeheer (computer support & maint dept)
                           ERASMUS
VANTENT@HROEUR5.bitnet   UNIVERSITEIT   telefoon +31 10 4081337
jvte@cs.eur.nl  usenet    ROTTERDAM     telefax  +31 10 4081372
 
------------------------------
 
Date:    Wed, 27 Feb 91 11:07:00 +0000
From:    "Gordon Findlay" <GORDON@chmeds.ac.nz>
Subject: SCANv74B false positive (PC)
 
I just downloaded the latest version of McAfee's SCAN (v74B) and
tried it.
 
It gives a false positive (I HOPE it's a false positive!) on a NZ
program KILLER.COM, which is a little .COM file for removing
variations on the Stoned virus. Scanv74B reports the Invader virus.
 
I assume it's a false positive as the file is only 799 bytes long, and
the Invader virus is reported as adding 4096 bytes to .COM files,
modifying the boot sector, and hooking interrupts (Thanks, Patricia
Hoffman, for your VIRUSSUM work). None of these has happened.
 
I don't know how far KILLER.COM has travelled - it is a public domain
program widely distributed in NZ; it may have spread as widely as
Stoned, who knows?  This false positive is definitely something for
people to be aware of.
 
Gordon Findlay
GORDON@CHMEDS.AC.NZ
 
------------------------------
 
Date:    Tue, 26 Feb 91 21:52:00 -0500
From:    "Jeff Payne" <JSP105@PSUVM.PSU.EDU>
Subject: Windows v3.0 / F-Prot (PC)
 
I was curious if there is a Windows 3.0 version (or even a Windows-aware
version) of any anti-virus software?  I am currently evaluating F-Prot and
Norton's virus software for use on a large scale at the company I work
for, as well as Penn State's Ogontz campus.  What kind of result
should I expect if I were to pick up a virus? My experience with
character-based TSR's has shown that most will either be ignored or
cause a UAE (the Microsoft user-friendly "Unrecoverable Application
Error" - about as intelligent as "Abort, Retry, Ignore?"). Does F-Prot
get around this?
 
I think there would be a serious demand for a Windows-based anti-virus
program or even just a Windows front end (in the spirit of Zip Manager)
for F-Prot.  Although I don't claim to be a programmer, Windows
"TSR's" should probably be easier to write than a standard TSR,
because they are actually separate processes, running in the
background.
 
Also, has anyone tested F-Net with 3Com or Microsoft LanManager
networks?  I've loaded it and it didn't crash, but without a virus to
test it, I can't really tell...
 
Which brings me to my last question: is there a "harmless" virus that
I could use to test my configurations (in an isolated environment)?
If so, where could I get it and how would you recommend I do this
testing?  Please mail or post...
 
Jeff Payne
JSP105@psuvm.psu.edu
 
------------------------------
 
End of VIRUS-L Digest [Volume 4 Issue 32]
*****************************************