LUKEN@IBM1.CC.Lehigh.EDU (The Moderator Kenneth R. van Wyk) (05/09/89)
VIRUS-L Digest Tuesday, 9 May 1989 Volume 2 : Issue 111 Today's Topics: File testing packages More on the SYS command (PC) Boot Infections (PC) Re: Possible PC virus bouncing ball (PC) SecureINIT Follies (Mac) --------------------------------------------------------------------------- Date: Mon, 8 May 89 19:52:33 CDT From: "Len Levine" <len@evax.milw.wisc.EDU> Subject: File testing packages >Subject: Virus testing at Social Security Administration >Original-From: LYNN MCLEAN > [...] >review were that none of the products were effective. The Tracer >program (I understand it's been renamed Sentry and placed in public >domain) was able to detect them all, but only if the system was >re-booted every day or so. Most of our network systems are never >re-booted, or booted only every few months, and many of the test > [...] Some time ago, I posted a batch group called filetest that is stored on the listserve with virus-l. I have some improvements in a current version that I run. When I first ran Sentry it was clear that is was a faster way to do the same things that I did (except that I test only files in a list, and they test all but files in a list and I do a complete CRC and they do a begin-middle-end test). In any event, the product was good, except, as you noted that it had to be run as part of a boot. Filestest can be run at any time. Any takers? + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ------------------------------ Date: Mon, 8-May-89 21:34:38 PDT From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: More on the SYS command (PC) Regarding the comments on the SYS command: Everybody is correct. The SYS command will remove all floppy based boot viruses and all HD based boot viruses except the Australian (Stoned). Since the major problem with most installations is identifying and dealing with the floppy part of their boot infections (approximately 25 infected floppies for each infected HD - depending on how long they've had the infection), and since the Australian represents a small fraction of boot infections, one might be justified in taking a cavalier attitude and say - "all boot viruses". On the other hand, the SYS command definately will not remove the Australian from a hard disk. Mr. McAfee's descriptions, as always, assumed that we all knew more than we do. The actual procedures that are given to infected organizations include the use of the SYS command AND a replacement for FDISK for hard disk infections. The replacement program - MDISK - does what FDISK should do but doesn't - it recovers the partition table record without losing partition structure information. This utility - happily provided by Mr. McAfee - does remove the Australian virus. The SYS command is also recommended as a precautionary after MDISK is run. It seems superfluous since this virus stores itself between the partition table and the first partition, but - better safe than sorry. It is certainly reasonable, if you accept the above, to recommend the SYS command for removing boot sector infections since it does work in a virtual majority of cases. Jim Goodwin, The HomeBase BBS 408 988 4004 ------------------------------ Date: Mon, 8-May-89 21:41:02 PDT From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Boot Infections (PC) I noticed a few messages about boot sector viruses and how to avoid them in the last few distributions. I thought that the following HomeBase posting might be of interest here: Original-Date: 05/08/89 09:03:10 Original-From: From: FRANK NALLS I finally got around to checking out McAfee's comments about boot virus infections of data diskettes (non-system disks). His claim that data diskettes can transfer a boot infection and, further, that they account for the majority of boot infections seemed hardly believable and not worth the time to consider. But a free weekend and an absent wife left me with excess time on my hands and so I thought I'd just make a quick test and drop a note to John telling him that he'd finally gone over the deep end. Well, I was wrong. Believe it or not I successfully infected a clean system with a data disk and after some additional thought, I too believe that data diskettes are the prime transmitters of boot infections. To run this test yourself, grab any boot infector (I used the Den Zuk) and infect a system. Next, format a clean, non-system floppy on another system which is uninfected. You can add data files if you like (I created one text file containing the statement - "This will never work", but anything will do for the test), or you can leave the disk blank - makes no difference. Then insert this clean diskette into the infected system. Do a directory of the diskette so that the virus knows it's there. The virus will attempt to infect it. Now remove the diskette and take it to another system which is not infected. Power the system down. Insert the test floppy. Power up. You will get the boot error message. Insert another diskette which is bootable (make sure it is not already infected). PRe-boot. The system diskette that was just booted is now infected! I tried it dozens of times. It always works. After thinking about this a while, it ocurred to me that at least twice a week I inadvertantly leave a diskette in the drive when I power down. I then forget this and when I power up I get the message - - "Non system disk etc". Has this ever happened to any of you? Of course it has. In fact, this happens at least ten times more often than I would purposely boot my system from a different floppy! I do in fact now believe that McAfee is correct in his assumptions. Purposefully avoiding booting your system from a strange floppy will not work, and unless we turn into Gods and never make mistakes again, we will continue to inadvertantly infect systems through data disks. My apologies to the old grouch. ------------------------------ Date: Tue, 09 May 89 00:32:33 CDT From: James Ford <JFORD1@UA1VM.BITNET> Subject: Re: Possible PC virus > We have a virus running on some OPUS 7 PCs, The program is > call oneontwo.exe it runs by reading in data from a file > call 1on2.gl, what it produces is a pornographic moving > animation. This 1ON2.GL file is just a library of still picture files which is used by a program called GRASP (GRAphical System Presentation...or something like that). The total program is a commerical product, however the runtime file (called GRASPRT.EXE) which reads the *.GL file is allowed to be freely distributed. All GRASPRT does is read in the pictures into memory, and then show them at a pre-determined rate, as specified by a file in the .GL library. > Students, as usual, are very good at distributing such programs > and run them without any permission. It comes with a bat file > which simply has oneontwo 1on2 as command line. The effects This batch file should read GRASPRT (file). You might give the file ONEONTWO.EXE (or COM, I forget) a serious look. It may be that the file is just GRASPRT renamed......then again, maybe not. > are not noticed until later the hard disk refuses to boot up > even if it does have bootable files, it refuses to read command.com > but you can boot from A drive. So far one Opus 7 is very sick and > also an amstrad 1640 with 20mb HD is very very sick. >... > I supect whats happening is that the command.com file are growing > as they are run causing most of the above problems. > >Ripon.. I'm not sure, but I think that there was a discussion on a virus that increased COMMAND.COM everytime it was run, but I can't remember its name....I'm sure someone out there knows it, though. I'll look on the local bbs and see if that file is there. If it is, I can give you a listing of the files in the library. I'm not sure exactly what help that would be, though........... James ------------------------------ Date: Tue, 9 May 89 09:20 N From: ROB_NAUTA <RCSTRN@HEITUE5.BITNET> Subject: bouncing ball (PC) In virus-l digest #105 Frank Nalls states that tools like FluShot+ and C4 are useless against viruses like the bouncing ball. That is of course NOT true!! When I was investigating the virus it was a very useful tool. It doesn't prevent the virus from installing, but every time it tries to approach a disk flushot+ beeps and you can cancel the operation. Also, all this beeping is a good sign that a virus is present. For the 'fans' of this virus, I recently got a 50K textfile describing it in a lot of detail, together with a program that can remove the virus from a disk, it is called antidote but that name may be used before for other programmes... I am still interested in other descriptive textfiles or disassemblies, so if anybody got some, please contact me as I cannot use FTP ... Greetings, Rob J. Nauta ------------------------------ Date: Mon, 08 May 89 17:33:31 EDT From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: SecureINIT Follies (Mac) dmg@mwunix.mitre.org writes: >Subject: More on SecureINIT... (Mac) > >Another tidbit about this application. One of the users on the >Twilight Clone BBS (not Joe McMahon) here in DC recently tried this on >his system at home. He alledges (and I believe it) that SecureINIT >deleted some hold-dozen inits, including OnCue... Yeah, that's it's "Delete System Aliens" "feature" (gak!), which destroys anything that is doesn't recognize as a valid INIT, cdev, or rdev file. If you forget to tell SecureINIT about any new files you put in there, they get blown away at the next boot. Can you say "lousy user interface"? I knew you could. >...It looks more and more like this one's a dog. Woof! And a pretty-ill bred one at that. --- Joe M. ------------------------------ End of VIRUS-L Digest *********************