V.I.R.U.S. Monthly - September, 1993
A monthly digest of virus and related news, V.I.R.U.S. Monthly is prepared by
the Vancouver Institute for Research into User Security from the V.I.R.U.S.
Weekly BBS feed and newsletter.  For those without online service feeds, both
V.I.R.U.S. Weekly and Monthly are available in hardcopy.  For more information
contact Robert Slade or CyberStore.
copyright 1993, Robert M. Slade
F-Prot 2.09D (MS-DOS)
An update release D of version 2.09 of F-Prot has been fairly generally
distributed.  Version 2.10 should be out within a week or two.
Integrity Master 2.01 (MS-DOS)
IM-201 has been seen on a number of boards, including the VirNet file
distribution system.  No word yet from Wolfgang as to the features, but he had
promised some major changes in the 2.xx level.
TBFence and TBAV 6.05 (MS-DOS)
Very close together, Thunderbyte has released version 6.05 of the utilities
package, and a new program called TBFence.  TBFence provides "group
encryption", which allows a group of computers to use a set of disks, while not
being able to read disks from outside the group.  Disks passed outside the
group are likewise unreadable by other computers.  There is no word as to
whether TBFence is included in TBAV 6.05: indications are that it isn't.
Padgett Peterson has finally released version two of his excellent DISKSECURE
boot protection program, the first general release since 1990.  DISKSECURE
provides protection and detection of boot sector infectors.  In most cases
recovery is automatic, but the program also provides for manual recovery of the
disk which can help with non-viral problems as well.  In addition to a general
strengthening of the program, it can now protect Novell servers.
The latest version of the Hoffman Summary List is making the rounds of the
VID 2.20 (MS-DOS)
The Cairo Labs people have announced another version of the Virus Information
Door.  Seems they must be serious about it, but until they get some better
distribution Patty still hasn't got much competition here.
F-Prot 2.10 delay (MS-DOS)
F-Prot version 2.10 was to have been out by now, but frisk just sent word that
he is off to the Virus Bulletin conference and then on to (a well deserved)
vacation.  Possibly the release of 2.09D has delayed things.
Padgett blames lack of sleep and an oddity in some original IBM ATs for a minor
bug in DISKSECURE which has necessitated a DS231B release.
SCAN suite 108 (MS-DOS/OS/2)
Version 108 of the McAfee Associates programs is doing the rounds.  These
replace the somewhat bug laden 107 version which was released before final
testing a few weeks ago.  Code, release, test -- code, release, test ...
Some new features have been added to McAfee's VSHIELD resident scanning
program.  The abortive 107 version had added new EMS and Windows compatibility
features, and the 108 version has added new switches that enable (and also
disable) checking of the boot sectors when new floppy disks are accessed.
SuperVisor forthcoming (Amiga)
Safe Hex International is promoting what they say is a new type of antiviral
for the Amiga.  (At one point the announcement mistakenly calls it a "BBS
killer"  :-)  They are broadcasting announcements in the Fidonet virus echoes
asking for virus samples in order to expand its scope.  Careful, guys.  That's
against the rules ...
BFF 2.17 (MS-DOS/Fido)
Bad File Finder is an oddball but intriguing little piece of work.  Apparently
using material from Lee Jackson's "Hack Report", it will scan your drive for
"hacks".  Presumably these are the hacked, trojaned, infected, pirate and
invalid files that the Hack Report lists.  It also provides for "calling"
F-Prot, SCAN and Thunderbyte Scan to check for viri.  BFF can be run on a BBS,
and the results can be automatically sent by netmail.
Norton Antivirus 3.0 (MS-DOS)
Another release from the Symantec/Norton people.  This appears to be the first
time it incorporates the technology they bought along with Certus.  Almost a
year later.  Hmmm.
Thunderbyte 6.07 (MS-DOS)
What happened to 6.06?  Oh well.  The new version of TBScan corrects a
"feature" which did *not* always scan all files when "all files" were
specified.  It also now scans the master boot record of a second physical hard
drive because of the prevalence of portable drives.  The weakness that allowed
TBClean to activate certain viral programs has been fixed.  Thunderbyte is now
using PGP technology for security of distribution.
Don't use SCAN2000 (MS-DOS)
There is a report of a supposed McAfee version called SCAN2000 doing the
rounds.  There has been no word yet from McAfee Associates about any change in
numbering, and it's a good bet that this is a trojan.
A file called BREAKARJ is doing the rounds in Germany, purporting to be able to
split up large ARJ compressed files into smaller pieces.  The file contains the
Split virus, a 250 byte COM infector.  A signature scan string is 9CFC 8DB6
DF01 BF00 01B9 0200.
A 426 byte direct action COM infector has been found.  It infects COM files up
to 29696 bytes long.  The text strings "! YB-1 &  Handsome Dick Manitoba / K
hntark", "*.COM" and "????????COM?" are found unencrypted in infected files.
Predator (MS-DOS)
Bill Lambdin reports several variants of the Predator virus, which he is
calling a "partially stealth" COM infector.  Signature strings are:
B4 42 33 C9 99 E8 5F 00 C3 2E 8F 06 A2 04 07 1F
B8 00 43 50 E8 5C 01 58 72 CC 2E 88 0E 7E 04 F6
B8 00 57 E8 2A 01 80 FE C8 73 77 80 C6 C8 89 16
B4 40 BA 16 04 B9 03 00 E8 AE 00 2E F6 06 2B 04
Bill reports some evidence that one variant may have multipartite properties.
Miscellaneous (MS-DOS)
Bill also gives some brief reports on:
Pinky Ghost, non resident companion infector
B4 2A CD 21 80 FA 02 75 0B 3C 04 75 07 B4 09 BA
Smile, claims multipartite properties
B4 2A E8 84 00 80 C6 03 80 FE 0C 76 04 41 80 EE
Varicell, stealth file infector
B8 00 43 E8 3B 03 73 03 E9 45 01 2E 88 0E A6 06
Following on the heels of the KOH virus (reported here two weeks ago), is the
CRUNCH21 program, which has been distributed through the Fidonet virus related
echoes.  The person posting it seemed to indicate that this was a "version two"
after an original release at some previous time.  The program *appears* to be a
virus which will compress and decompress executables on the fly. When an
infected program is invoked, it queries the reader as to whether or not it
should "go resident".
Moose (MS-DOS)
Reported from Sweden, there are a number of variants of this virus, all bearing
the text "Moose" in the infective code.  The virus appears to be a simple
direct action infector, which will attach to uninfected files in the current
directory or, if none exist, recursively search the parent directory up to the
root.  Moose is destructive, in that it randomly changes code in program files. 
Both COM and EXE files are affected, and sometimes SYS files are converted to
COM format with the text "This, and much more, from the Moose crashing corp" in
the code.  Some files also contain code which appears to be part of CPAV.EXE.
Although the Satanbug virus has been known for a while, the Computer Incident
Advisory Capability (CIAC) of the US federal government has apparently been
alarmed by recent reports of it.  This virus is memory resident and
polymorphic, and attacks COM, EXE, SYS and OVL files.  LAN drivers have
reportedly been damaged by the infection: likely this is due to a programming
error in the handling of the files.  Infected files grow in length from three
to five kilobytes and the file creation date is increased by one hundred years.
Varicella-II (MS-DOS)
Normally I wouldn't report a virus reported by a virus writing group.  This
one, however, has an interesting interaction with the Thunderbyte Utilities. 
Because of the way that Thunderbyte attempts to execute a suspect virus under
"control", checking a file infected with Varicella-II will activate the virus,
and allow it to spread on the system.
Bluebox (Amiga)
A somewhat incoherent report has been received of an Amiga "virus" identified
only by the archive it was originally found in: BLUEBOX.LZH.  This program
"infects" the icon.library file on Amigas.  According to the report, it watches
the serial port for a chance to transmit itself (possibly with another file?)
1463 (MS-DOS)
A report from France of a virus which adds 1463 bytes to COM and EXE files. 
(That last is somewhat suspect; infections of EXE files tend to vary in
length.)  No word on effects, but an initial search string is "81 F9 21 4D 75
03 E9 DC 04".
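An added example, not part of the original digest or of any product mentioned
in it: a scan-string matcher that applies a program-size sanity check before
reporting a hit.  It uses the Split and 1463 scan strings and lengths quoted in
this digest; treating the reported virus length as the minimum size of an
infected file is an assumption, and the sample inputs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    min_size: int  # assumption: no infected file is shorter than the virus


def sig(name, hex_string, min_size):
    # bytes.fromhex skips the spaces used in published scan strings
    return Signature(name, bytes.fromhex(hex_string), min_size)


# Scan strings and lengths as quoted in this digest.
SIGNATURES = [
    sig("Split", "9CFC 8DB6 DF01 BF00 01B9 0200", 250),
    sig("1463", "81 F9 21 4D 75 03 E9 DC 04", 1463),
]


def scan(data, check_size=True):
    """Return (hits, suppressed).

    hits: (name, offset) for each signature found in data.
    suppressed: names whose string matched in a file too small to hold
    the virus, i.e. matches the size check rejects as false alarms.
    """
    hits, suppressed = [], []
    for s in SIGNATURES:
        offset = data.find(s.pattern)
        if offset < 0:
            continue
        if check_size and len(data) < s.min_size:
            suppressed.append(s.name)
        else:
            hits.append((s.name, offset))
    return hits, suppressed


# Constructed sample inputs (padding bytes only, not real programs).
TINY = bytes.fromhex("81 F9 21 4D 75 03 E9 DC 04") + b"\xc3"    # 10 bytes
LARGE = b"\x90" * 2000 + SIGNATURES[0].pattern + b"\x90" * 100  # 2112 bytes

if __name__ == "__main__":
    print(scan(TINY, check_size=False))  # string match alone
    print(scan(TINY))                    # rejected by the size check
    print(scan(LARGE))
```

A ten-byte file that happens to contain the 1463 string is flagged by the
string match alone but suppressed once the size check is applied.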
Cruncher recidivus (MS-DOS)
The Cruncher virus (cf CRUNCH21.COM) reported here last week has undergone some
further testing.  The researcher states that the compression works very well
... but the compressed files no longer execute.  The infective code of the
virus is a nearly unaltered copy of the Coffeeshop virus, and even current
versions of F-Prot will identify it that way.
ISSS '93 - No seminar
Well, I still might see you at ISSS '93, but my seminar has been pulled due to
low registration.  An unfortunately common occurrence these days: at least two
"training" companies have pulled virus seminars from their offerings ...
CSI's 20th
The Computer Security Institute's computer security conference will be held
November 8-10th in Anaheim, California.  Of four virus sessions, only one is by
a known reputable researcher.  However, a full day seminar by Tom Duff should
be of interest to all.  Ray Kaplan and Padgett Peterson will be giving sessions
and Bill Murray is conference chair so it should be good overall.  Contact CSI
in San Francisco.
CPAV and boot sectors (MS-DOS)
Central Point has admitted a bug in its detection of boot sector infectors.  In
a situation where there are two physical hard disks on the system, one of the
disks may become infected while not normally posing a threat for further
infection.  CPAV uses two different means of examining boot sectors, and the
detection and disinfection programs are not the same.  Therefore, CPAV may
alert you to the presence of a common virus but be "unable" to clean it.  No
word is available on whether this affects MSAV as well. Details are available
from the Central Point Faxback system.
NetWare LOGIN insecurity (MS-DOS/NetWare)
A problem has been found with NetWare 4, supposedly the "secure" version of
NetWare.  It involves the LOGIN.EXE file.  As usual with proprietary systems,
no other details are being released.  A fix, in the form of a SETLOG.EXE
program, is available from Novell and first.org.
Parent killing bug?  (MS-DOS 6.0)
There is an as yet unconfirmed report of a bug in MS-DOS 6.0 which may cause it
to delete files in the parent directory when deleting all files (with the "*.*"
wildcard) in a subdirectory.  According to the report, Microsoft is denying the
bug exists ... but has a "fix".
A great many systems people keep handy a five byte program which will reboot
MS-DOS computers.  This is often used in batch files to change a set of TSR
configurations by simply copying in a new CONFIG.SYS and then automatically
rebooting.  Apparently, though, the Norton product uses this scan string as a
check for suspect viral programs.  It also doesn't appear to perform any
"sanity checking", such as for program size ... 
Large use of bandwidth department
Michael Paris is an avowed "Pro-Virus" person.  Still, he had agreed to abide
by the rules of the Fidonet VIRUS_INFO echo/discussion area, and has stuck to
that over the past six weeks.  His contributions, while not exactly
overwhelming insights, have been moderate and on topic for the most part. 
However, he seems to be single handedly responsible for the fact that
VIRUS_INFO is carrying twice the traffic of VIRUS.  "Open channel D" (for
"Dialogue" ...)
The life of a Fidonet moderator is not an easy one.  Just ask Paul Ferguson,
moderator of the VIRUS_INFO echo.  Subject to verbal abuse via both public and
private messages, he manfully (can I say that without being sexist?) strives to
keep peace, order and good information flowing on the echo.  A while back,
because of a new job, it looked as if he would have to give up the job.  He
managed to keep it, but with another new job, he is looking for someone to help
carry the load.  Support your local (or remote) moderator ...
Vancouver      ROBERTS@decus.ca    | "Do you get guns with your 
Institute for  Robert_Slade@sfu.ca |  gun magazines?  No.
Research into  rslade@cue.bc.ca    |  Do you get viruses with your 
User           p1@CyberStore.ca    |  virus magazines?  Yes."
Security       Canada V7K 2G6      |               - Kevin Marcus