Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!van-bc!ubc-cs!alberta!mts.ucs.UAlberta.CA!ualtavm!VIRUS-L@LEHIIBM1 From: krvw@CERT.SEI.CMU.EDU ("The Moderator Kenneth R. van Wyk") Newsgroups: comp.virus Subject: VIRUS-L Digest V4 #31 Message-ID: <9102221354.AA15356@ubu.cert.sei.cmu.edu> Date: 22 Feb 91 13:54:07 GMT Sender: VMNETNEW@vm.ucs.UAlberta.CA (Listserv to Netnews Gateway) Organization: Listserv to Netnews Gateway at vm.ucs.UAlberta.CA Lines: 544 Approved: VIRUS-L@LEHIIBM1 VIRUS-L Digest Friday, 22 Feb 1991 Volume 4 : Issue 31 Today's Topics: Naming/Identifying new viruses (PC) Report for virus trackers (PC) McAfee ProScan ineffective? (PC) Re: non-sacaning anti-virus techniques (PC) Hungarian anti-virus companies. SCANV73 Trojan (PC) Re: IBM Virus Scanner. (PC) New Version 74B of McAfee's SCAN (PC) Request from the Virus-L index compiler Viruses in the USSR Virus Catalog Index Feb.1991 New files uploaded (PC) Details of Scan 74-B (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Thu, 21 Feb 91 11:18:00 +0100 From: "Mark Aitchison, U of Canty; Physics" Subject: Naming/Identifying new viruses (PC) There is a continual problem with people finding what seems to be a new virus, but not wishing to broadcast the whole (dangerous) boot sector to identify it. I have a solution to the identification problem: I have devised a "hashcode" algorithm specially designed for boot sectors, that gives a reasonably short (12-character) code (of A-Z, 0-9, '#' and '.') that pretty well uniquely identifies a boot sector, is very difficult for virus writers to get around, and is useful in its own right (i.e. you can look at the code and get a reasonable idea of what the boot sector is like). I can let anyone have the source to this (knowing the source doesn't help virus writers), and I'm happy to make it public domain - in fact I hope many people adopt the same standard encoding system. For that reason, I suggest some discussion of the format and method before it is used in a serious way. Briefly, what I have done is to generate code which is... (1) able to be passed through e-mail systems, etc without distortion (2) cannot be used to recreate a live virus (3) is a valid DOS filename, and short enough to say over the telephone easily (4) always starts with the same character, "#", so people can immediately recognise it as a hashcode (5) has a built-in check against typos (including transposition errors), and avoids case distinction or confusing characters (like "/" and "\") (6) is reasonably easy to calculate (7) generates the same code on all systems (e.g. no floating point arithmetic subject to round-off error or different formats on different systems) (8) includes four (and a half) bytes of high-order polynomial checksum, making it difficult for virus writers to give a bad boot sector the same code as a good one. (It would involve very lengthy trial-and-error methods) (9) The last bytes include bit flags, indicating the presence of dubious code of various types, and the absence of important features (such as a reboot), making it useful in itself, and making it even harder for virus writers to circumvent! (10)The size of messages and null bytes and code are also taken into account, since more sneaky viruses will need more code than a good boot sector, so encrypted boot sector viruses would have a tough time getting past!! (11)DOS 4 diskettes (with serial numbers) get the same hashcode, irrespective of serial number (except in a small number of cases, where the serial numbe r happens to contain forbidden instructions). (12)Minor variations of the same virus get similar hashcodes (the last 3 bytes and first 3 bytes should be the same or close). The code is not... A sure-fire way of indicating the presence of a virus. You could simply look at the last byte of the code, and if it isn't '0' than it is probably a virus. Not a great check, but old viruses (including Stoned) are easy to spot that way. Or you could have a list of known good and bad boot sectors, and ring alarms when it isn't a good disk. But that isn't really the aim. It is intended to identify boot sectors, so somebody can say "I know that disk"... whether you are describing the disk over the net or over the phone. I can send the program, BOOTID.PAS to anyone interested via e-mail; hopefully it, and it's big brother (CHECKOUT.EXE) will soon be available via anonymous ftp. Mark Aitchison, Physics, University of Canterbury, New Zealand. ------------------------------ Date: 20 Feb 91 17:26:15 -0500 From: Pat Ralston Subject: Report for virus trackers (PC) I remember that several months ago a new system for reporting virus occurrences was established. I apologize that I cannot remember what the reporting procedure was; so I am sending my information to the list. Starting at the very end of January we (IUPUI Indiana University - Purdue University at Indianapolis) have had scads of virus activity. I am amazed at the number of new (that is new to us) viruses we have had reported on campus. In fact, in that short time we have have more reports of "new" DOS viruses than the TOTAL number of new viruses we had ever had reported. We have been keeping a log of newly reported infections for about 2 years. Some of the reports were made by our student consultants who work in our open computer clusters and other from various "isolated" departments. Our undergraduate campus is shared with a medical school and a law school. The following are FIRST time reports of viruses on our campus: (The time frame is from January 25th to February 18th.) Joshi Music Bug Yankee Doodle Stoned Scan72 was the virus checker used to find the above mentioned virueses. We continue to find Mac viruses as well but no new ones have reached us. Our open clusters have been undergoing major upgrades. For instance this semester marks the first time when we have had Hard Drives available. I cannot draw a definite link with the upgrades and the flourish of new (and old viruses) but I do find it coincidental. Pat Ralston IUPUI ------------------------------ Date: 21 Feb 91 04:20:34 +0000 From: tbrown@lehi3b15.csee.lehigh.edu (Thomas Brown ]901015() Subject: McAfee ProScan ineffective? (PC) I have been using McAfee's SCAN/CLEAN V72 for quite some time with good success. I recently discovered an "end-user" version with a nice screen interface, etc. called ProScan (also by McAfee) which is supposed to perform the same functions as SCAN/CLEAN. I have found, however, the following problems: 1. ProScan does not scan system memory for viruses (even though documentation says it should) 2. ProScan does not test both boot sector AND partition table for viruses 3. Even with the library of 200+ viruses, ProScan does not detect even older viruses such as Stoned or Jerusalem, while SCAN/CLEAN V72 find them immediately, whether they exist in the boot sector, partition table, data area, or even in memory. The version of ProScan is the latest commercial offering which was made available (for retail sale to customers) to a computer store/service department which I work for part time. Any thoughts? Regards, Tom - --=-- Thomas Brown, KA2UGQ BITNET: twb0@lehigh.bitnet Lehigh University UC Box 855 ARPA: tbrown@lehi3b15.csee.Lehigh.EDU Bethlehem, PA 18015 UUCP: ..!uunet!twb0@lehigh.bitnet (215) 758-0093 AX.25: ka2ugq@ka2ugq.nj.usa.na 'You can't have everything...where would you put it?' -S.W. ------------------------------ Date: 21 Feb 91 07:58:16 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: non-sacaning anti-virus techniques (PC) LCHICAIZ@ANDESCOL.BITNET (Luis B. Chicaiza S.) writes: >I belive that is more useful to prevent virus contamination than try >to clean a system when it's infected. I think everybody will agree with this. >I have a new anti-virus product, (named COMPUCILINA), this program vaccinate >other programs (aplication ones, system programs, and a disk boot), and >guarantees these programs will not be infected. COMPUCILINA offers >protection agaist actual and future viruses. Truly interesting, if this is 100% true - but I doubt it. It is easy to add code to programs and boot sectors which will detect infection by 98% of currently known viruses - all the 400 or so known variants, other than a few "stealth" viruses. Adding code which PREVENTS something from being infected is an entirely different story - what if the computer is booted from a floppy and some infected program run ? No additions to other programs, no matter how sophisticated could prevent the programs from being infected. The additional code MIGHT detect the infection, but as I said before, detection and prevention are two different things. - -frisk Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: Thu, 21 Feb 91 13:24:33 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Hungarian anti-virus companies. I hope somebody on the net has information on the anti-virus scene in Hungary, as I am trying to determine if the companies there are trustworthy or not. I understand one of the companies there is Azsio-Microtrade Ltd. Co., a German-Hungarian joint venture. I have been told that Ralf Burger works on the German side, and if this is true, it is sufficient for me to refuse to cooperate with them in any way whatsoever. Can anybody confirm this ? The no.1 guy in the Hungarian part of the company is Szegedi Imre, but he has been making various accusations against the other company, Ferenc Leitold and other folks at the University of Budapest. Can anyone clarify what is going on there ? - -frisk ------------------------------ Date: Thu, 21 Feb 91 20:42:36 +0000 From: qualcom!news@UCSD.EDU (Ron Dippold) Subject: SCANV73 Trojan (PC) Just a quick warning on something that I haven't seen here, if it was here please excuse it.... According to the latest SCAN (V74B), there has been a SCANV73 going around. This is a TROJAN!!! Just be on the lookout for it... And watch for the PKZIP verification shell to make sure you have something authentic when you unpack it. ------------------------------ Date: 21 Feb 91 14:00:30 +0000 From: campbell@dev8n.mdcbbs.com (Tim Campbell) Subject: Re: IBM Virus Scanner. (PC) CHESS@YKTVMV.BITNET (David.M.Chess) writes: > "Pete Lucas" : >>Can anyone tell me whether any new signature files have been released >>for the IBM Virus Scanner? I currently have release 1.2 of this >>program, which is at a guess around 6 months old; has there been any >>update of the program?? > > The current version is 1.3; another version should be out pretty soon. > Price continues to be $35 for an enterprise-wide license, and > something like $10 for upgrades. Available through your IBM marketing > rep, branch office, IBMLINK, etc. I have Virscan ver. 1.23. I did dial into IBMLink to see if I could find version 1.3. I learned two things... #1) It was very hard to find. I could not locate it in any of the software catalogs or the announcement letters, etc. I finally found it in the Bulletin Board, burried a few pages deep (the last release seems to have been a while back) - and #2) It indicated that this was version 1.2 of the program (I myself have 1.23 - maybe they just don't indicate minor revs - possible because they still mark DOS 4.01 boxes as 4.0.) The program can be obtained online (electronically) by using the "fastpath" name ESD (Electronic Software Distribution) which should have a list of files that can be downloaded (for a cost) - you're supposed to send a check to IBM after downloading (I guess). The cost is $35 if you're getting it for the first time, or $10 if your just updating an old copy. This leaves me back at square 1. Unless their documentation is wrong, I *have* the most current version. Are you sure you have version 1.3? Also there is no mention of getting more signatures (I think this is all I *really* need.) I haven't looked at other virus scanners, but I imagine most are set up to allow users to add more signatures as they learn of them. (otherwise they'd become obsolete pretty quick). Is ANYBODY aware of a source for virus signatures (specifically IBM-PC (DOS))?? All of the listed virus sites are indicated by internet addresses. This is of course completely useless to people who are not on the internet. Is anybody aware of dial-up access for any of these sites? Any help is greatly appreciated. I'm sure there are others who would be equally interested in this info. -Tim --------------------------------------------------------------------------- In real life: Tim Campbell - Electronic Data Systems Corp. Usenet: campbell@dev8.mdcbbs.com @ McDonnell Douglas M&E - Cypress, CA also: tcampbel@einstein.eds.com @ EDS - Troy, MI CompuServe: 71631,654 Prodigy: MPTX77A P.S. If anyone asks, just remember, you never saw any of this -- in fact, I wasn't even here. ------------------------------ Date: Fri, 22 Feb 91 10:49:28 -0500 From: Thomas Heil Subject: New Version 74B of McAfee's SCAN (PC) Hello! Recently I got the new version 74B of SCAN. When I enter SCAN C: with C: being a 40MB Tandon DataPac that has 1K-Sectors, SCAN reported that the partition table size was too large to be processed, and it stopped all further checking of the files. The previous version 72 also complained "Sorry, I cannot read the partition table", but at least it continued checking the files. When I tried SCAN C:\*.* it scans all files in the root directory, but does not recurse into the subdirectories. Anyone who knows a way to make it work on the whole disk? /T.H. ------------------------------ Date: Fri, 22 Feb 91 09:50:48 +0000 From: Anthony Appleyard Subject: Request from the Virus-L index compiler As the author of the classified index to Virus-L, I would make a few requests to people who send messages to Virus-L:- (1) If you wish to write about two or several different subjects at the same time, please do not send in one long message containing several chapters, but a separate message for each subject. (2) If you feel that I have mis-classified something in this index, please email to me about it. My email address is below. {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 22 Feb 91 09:40:40 GMT ------------------------------ Date: Mon, 18 Feb 91 13:47:13 +0300 From: eldar@lomi.spb.su (Eldar A. Musaev) Subject: Viruses in the USSR This is my paper on the situation with viruses in the USSR. It was written in october-november of 1990, so there are some notes to it: 1)It does not names all viruses in the SU, but this number is NOT too high. Maybe there are a couple of dozens, not more. If you'd got an information about hundred and more viruses in the USSR, don't beleive it ! 2)Vienna (648) virus is dated by 1987 there. I don't know how it could be and where is a bug but three my friends independently points out to 1987 as a first time of our problems with this virus. This is the reason why I've left out this date in the paper, though ALL other sourcers points out to the 1988. I try to make who-is-who in our field so I am interested in names, adresses, fields of interests of antiviral researchers all over the world. Another (and ORIGINAL) reason for this interest is that I am writing (and modifing) the book devoted to the problems connected with the different badware. I don't want to make a catalog, but a textbook for students and future antiviral researchers. It is going concurrently with a research work, so I'm interested to discuss different ideas as wide as possible. ]Ed. Dr. Musaev - many thanks for your paper, and welcome to VIRUS-L/comp.virus! The text of the paper has been placed on cert.sei.cmu.edu under pub/virus-l/docs/viruses.ussr for anonymous FTP.( Eldar A. Musaev Ph.D., Researcher Leningrad Division of the Mathematical Institute Academy of Sciences of the USSR email: eldar@lomi.spb.su USSR 191 011 Leningrad (maybe through fuug.fi, or Fontanka 27 demos!lomi.spb.su!eldar@fuug.fi) ------------------------------ Date: Fri, 22 Feb 91 08:40:00 -0500 From: "Kenneth R. van Wyk " Subject: Virus Catalog Index Feb.1991 Dr. Brunnstein has sent me the most recent index of his Virus Catalog, as well as the most recent PC addition to the Catalog. Both of these are available by anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/brunnstein. Thanks to Dr. Brunnstein for these additions to the archives. Regards, Ken ------------------------------ Date: Wed, 20 Feb 91 11:41:52 -0600 From: James Ford Subject: New files uploaded (PC) The following files have been uploaded to 130.160.20.80 (mibsrv) in the directory pub/ibm-antivirus for anonymous FTP: avs_e224.zip - AVSearch: Virus Search Program v2.24 scanv74b.zip - McAfee's Scan v74b cleanp74.zip - McAfee's Clean uP v74 netscn74.zip - McAfee's NetScan v74 vcopy74.zip - McAfee's VirusCopy v74 vshld74b.zip - McAfee's Virus Shield v74b vsum9102.zip - Virus Summary List (Feb. 1991) *binary* vsum9102.txt - Virus Summary List (Feb. 1991) *text* vc200ega.zip - Virus Central v2.00 (EGA or higher monitors) - -------------------------- New List! ---------------------------------- This list is for the *announcement* of updates to mibsrv.mib.eng.ua.edu. If you want to get update announcements send directly to your userid@node, Bitnet folks should send the following message via TELL to LISTSERV@UA1VM SUB MIBSRV-L (your_name) Internet (or Bitnet) folks can send a mail message to LISTSERV@UA1VM.UA.EDU containing the line SUB MIBSRV-L (your_name). Virus-related discussions should not be sent here. - ---------- Experience is what you get when you didn't get what you wanted. - ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@MIB333.MIB.ENG.UA.EDU The University of Alabama (in Tuscaloosa, Alabama USA) ------------------------------ Date: Thu, 21 Feb 91 11:32:18 -0800 From: ozonebbs!aryehg@apple.com (Aryeh Goretsky) Subject: Details of Scan 74-B (PC) VERSION 74-B Version 74-B fixes a bug which caused the programs misidentify the Swedish Disaster virus on Syquest 10Mb tape drives and machines formatted with some versions of Zenith-OEM MS-DOS. The machines in question were said to have the "Stoned/Swedish Virus" present in the boot sector of infected hard disks and disk packs. VIRUSCAN Version 74 Version 74 of VIRUSCAN adds 51 new viruses and over one hundred new strains of existing viruses, bringing the total number of known computer viruses to 475. In addition, version 74 improves the throughput of the scanning algorithm and handling of nonstandard hard drives, and now provides the option of displaying all messages in French. The 1575/1591 virus was sent to us from multiple sites in Quebec, Canada, Oslo, Norway, and the United States. It is a memory-resident file infector that attaches to .COM and .EXE files when a disk is accessed via internal DOS commands. The 903 virus was sent to us by Djennad Nasser from France. It is a .COM file infector. The Holocaust virus was sent to us by David Llamas of Barcelona, Spain. It is a .COM file infector that uses "stealth" type techniques. The BeBe, Kuka, Kuka/Turbo, Lozinsky, MGTU, Nina, Off Stealth, Polish-532, Sverdlov, Tiny-133, USSR-series, and Voronezh viruses were discovered in the Soviet Union and Eastern Europe and sent to us from numerous sources there and in Western Europe. They are not believed to exist in the West. The Christmas Violator, F-Word, Parity, Beeper, Best Wish, Leapfrog Destructor, Happy New Year Hymm, Justice, Label, V961, Swiss-143, Sentinel, Plague, Monxla-B, Little Pieces, IKC528, Hybrid, Dir-Vir, Stone90, Saddam, and Iraqui Warrior viruses were sent to us from various sources around the globe. For summary information about these viruses, please refer to the enclosed VIRLIST.TXT file. For a detailed description of all known viruses, please refer to the Virus Summary Document (VSUM), copyrighted by Patricia Hoffman and available and most bulletin boards. A trojan version of VIRUSCAN, Version 73, appeared on BBSes in Miami, Florida USA. In order to prevent confusion, we have used the next version number, Version 74. CLEAN-UP Verison 74 Version 74 of CLEAN-UP adds removal of the 1575/1591 and the Music Bug viruses, as well as several new variants of the Jerusalem virus. For more information about these viruses, please refer to the enclosed VIRLIST.TXT file. VSHIELD Version 74 Two new commands have been added to VSHIELD: The /CONTACT option allows a custom message to be displayed if a virus is found. The /CERTIFY option provides control over file execution. It will prevent any program from being executed if it has not been validated as an authorized program for a given site. FOREIGN LANGUAGE SUPPORT Both VIRUSCAN and CLEAN-UP can now display messages in French. When the /FR option is specified, all messages will be displayed in French instead of English. VIRLIST.TXT ENTRY FOR 1575/1591 VIRUS Version 74 went out without an entry in the VIRLIST.TXT file for the 1575/1591 virus. The correct entry should be: 1575/1591 ]15xx( Clean-Up . . x x x x . . . . vary O,P,L Sorry 'bout that, folks. Aryeh Goretsky +----------------------------------------------------------------+ | Aryeh Goretsky, Tech Support vox (408) 988-3832 | | McAfee Associates fax (408) 970-9727 | | 4423 Cheeney Street bbs (408) 988-4004 | | Santa Clara, California 95054-0253 // | | Internet: aryehg@ozonebbs.uucp // | | UUCP: apple!netcom!nusjecs!ozonebbs!aryehg \X/ | | "Opinions expressed are my own and do not neccessarily reflect | | those of my employer."--universal disclaimer applied herein. | | "How is a cat like a meatloaf?"--John R. De Palma, M.D. | +----------------------------------------------------------------+ ------------------------------ End of VIRUS-L Digest ]Volume 4 Issue 31( ***************************************** Brought to you by Super Global Mega Corp .com