V.I.R.U.S. Monthly - October, 1993
A monthly digest of virus and related news, V.I.R.U.S. Monthly is prepared by
the Vancouver Institute for Research into User Security from the V.I.R.U.S.
Weekly BBS feed and newsletter.  For those without online service feeds, both
V.I.R.U.S. Weekly and Monthly are available in hardcopy.  For more information
contact Robert Slade or CyberStore.
copyright 1993, Robert M. Slade
Norton Antivirus 3.0 (MS-DOS)
Another release from the Symantec/Norton people.  This appears to be the first
time it incorporates the technology they bought along with Certus.  Almost a
year later.  Hmmm.
Thunderbyte 6.07 (MS-DOS)
What happened to 6.06?  Oh well.  The new version of TBScan corrects a
"feature" which did *not* always scan all files when "all files" were
specified.  It also now scans the master boot record of a second physical hard
drive because of the prevalence of portable drives.  The weakness that allowed
TBClean to activate certain viral programs has been fixed.  Thunderbyte is now
using PGP technology for security of distribution.
F-Prot 2.09F (MS-DOS)
F-Prot version 2.09F has been released.  In common with the "lettered"
releases, this generally only adds more signatures and fixes a few minor bugs. 
This version was intended to be 2.10, but frisk wants more time to add some
additional functions before his release.  This has caused a little concern: the
update file is called WHATSNEW.210, and led to some initial speculation that
this might be a trojan version.
TBAV 6.07 false alarms (MS-DOS)
Version 6.07 seems to be generating more than its share of false alarms.  A
number of "false positive" reports are coming in within a week of its release. 
One of the false reports is on the Satanbug virus, which will no doubt fuel the
Satanbug hysteria.
Don't use SCAN2000 (MS-DOS)
There is a report of a supposed McAfee version called SCAN2000 doing the
rounds.  There has been no word yet form McAfee Associates about any change in
numbering, and it's a good bet that this is a trojan.
Satanbug again (MS-DOS)
More details on the Satanbug virus.  (The name, by the way, comes from an ASCII
text string contained in the code.)  The virus takes between three and nine
kilobytes from the "top of memory": TOM measures, such as CHKDSK, will show a
drop.  There is also a BIOS/DOS memory mismatch.  Files grow by three to five
kilobytes.  *Any* files with a COM or EXE extension will be infected: this is a
possible test for the infection, by checking non-executable files with those
extensions.  Unfortunately, recovery may be very difficult since the original
file size is lost, and the original file "beginning" is encrypted along with
the virus.
More Satanbug (MS-DOS)
The first file attacked is COMMAND.COM: this means that you may see an "Invalid
COMMAND.COM" message immediately after the infection  (The message will
disappear on rebooting.)  LANs that use COMSPEC to redirect access to the
server copy will show this message when infected, unless the server has also
been infected.  The LAN server should be adequately protected by normal LAN
security.  Unless, that is, the SUPERVISOR logs into an infected workstation. 
As a "fast infector" it will infect any files opened.  Virus scanners that do
not detect it could spread the infection.
Loren (MS-DOS)
The Loren virus using both stealth and "fast infection" technology.  When a
directory listing is taken, and the virus is active in memory, all files opened
will be infected.  The increase in length will be hidden.  After the virus has
infected twenty files, it will try to format the "physical first" track on the
hard disk (likely rendering it unreadable).  If there is no hard disk, both
floppies will be attempted.  If any disk is formatted, the virus will display a
message identifying itself.
New Stoned? (MS-DOS)
A numbe of messages are asking for help with a new version of Stoned.  Not many
details are being given, and normally I wouldn't mention such skimpy reports,
but one factor seems to be common to all the reports.  If the computer is
booted from an infected drive, all seems normal.  If the computer is booted
from a clean system disk, the hard drive can no longer be accessed.
In addition to the SCAN2000 mentioned last week, the Fort Worth area has had a
copy of "SCAN109" doing the rounds.  This is apparently a dropper of the Filler
virus.  Please, be careful of where you get the "latest" antiviral ...
The TIMID virus is not new: its source code was published in the "Little Black
Book" over two years ago.  However, until now it has been considered a rarity. 
It now appears to be creating some problems "in the wild".  Vesselin Bontchev
also reports at least thirteen different variants: understandable with the
source code widely available.  TIMID (at least the original) infects COM files
only, and appears to carry no destructive "payload".
Form (MS-DOS)
Form isn't new either, but it starting to appear in a number of places
(including the University of Asmara in Eritrea!)  The information in both the
Hoffman VSUM listing and the CARO catalogue, interestingly, is incorrect: the
virus activates on the 18th of the month, rather than the 24th.  A lot of
people are reacting to the presence of *any* boot sector infector with
"FDISK/MBR": in the case of Form this is useless since Form resides in the boot
sector proper and is unaffected by MBR corrections.
Ultimation (or Ultimatum) (MS-DOS)
A large and rather clumsy virus written in Turbo C++ has been making some
press, mostly because the large code has made finding a signature string that
doesn't create false positives difficult.  The following text strings are fund
in it: "I'm bored.", "Screw you.", "Life is a drag.", "Ouch! Don't hit me so
hard.", "Floppy drive A: is flooded. Please insert J cloth.", "Murderer.", "You
have been infected by ULTIMATION corp.", "Go directly to jail. Do not pass go.
Do not collect $200.", ".Ah ha! Caught you.", "Copy protection error 23. Please
re-install from master."
Satanbug (MS-DOS)
The recent spate of reports about the Satanbug virus is probably due to the
fact that the source code was widely distributed on virus exchange bulletin
boards (including the brief foray that the US federal government had into virus
distribution).  Test results from CARO indicate that SCAN version 108 does not
detect the virus reliably.
Nice Day (MS-DOS)
IBM's virus research group report a virus from Indonesia which they are calling
YMP-NiceDay.  It is a boot sector infector of the MBR type, and will present
the message "HAVE A NICE DAY (c) YMP" when booted up on the first day of the
month.  The FDISK /MBR function should take care of it, although the report
cautions users to check the partitions first.
Stoned 3 (and 4) (MS-DOS)
There have recently been a rash of reports of something called "Stoned 3" or
"Stoned III" infecting computers left, right and sideways.  There is, of
course, no such thing, and we have been unable to find the source of all the
rumours.  Australia also reports a similar situation with "Stoned 4": in that
case "leftover" bits of Stoned which had been disabled with FDISK /MBR had been
generating false positive alarms with MSAV.  Given the prevalence of MSAV, this
may be happening here.
Boot-437 (MS-DOS)
A boot sector infector of MBR type, this uninspired program is apparently of
Polish origin.  The original sector can be found on cylinder 0, side 0, sector
6 on hard disks, and the last sector of the root on floppies for those who like
to do their own repairs.  FDISK /MBR will work on hard disks otherwise.  The
virus appears to carry no payload.
Crunch (MS-DOS)
More details on the Crunch or Cruncher viri.  There are at least three known
variants; only 2.1 asks permission before going resident.  (Unless you happen
to have set the CRUNCH environment variable to AUTO.)  If files are
uncompressed with Diet or UNP a message to Fred Cohen and the author of Diet
appears.  The compression routine is pretty good: as it should be, given that
it is stolen directly from Diet.  Unfortunately, the majority of programs
infected and compressed will not, thereafter, execute.
Xuxa (MS-DOS)
Based on the SURIV virus (part of the Jerusalem family), this virus plays a
tune between 5 and 6pm.  The tune is the theme song of a childrem's show,
broadcast between 5 and 6pm in Argentina.  (The host of the show is Xuxa, the
soccer player Pele's ex-wife.)
ISSS '93 - No seminar
Well, I still might see you at ISSS '93, but my seminar has been pulled due to
low registration.  An unfortunately common occurrence these days: at least two
"training" companies have pulled virus seminars from their offerings ...
CSI's 20th
The Computer Security Institute's computer security conference will be held
November 8-10th in Anaheim, California.  Of four virus sessions, only one is by
a known reputable researcher.  However, a full day seminar by Tom Duff should
be of interest to all.  Ray Kaplan and Padgett Peterson will be giving sessions
and Bill Murray is conference chair so it should be good overall.  Contact CSI
in San Francisco.
European Symposium on Research in Computer Security
To be held in Brighton, United Kingdom, November 7th-9th, 1994, ESORICS-94 is
organised by The IMA in cooperation with AFCET (creator), BCS Security Special
Interest Group, and CERT-ONERA.  Viral programs are one of the areas for which
papers are being solicited.  Papers can be submitted to: Gerard Eizenberg,
CERT-ONERA   ESORICS 94, 2, avenue E. Belin, B.P. 4025, 31055 Toulouse Cedex,
A great many systems people keep handy a five byte program which will reboot
MS-DOS computers.  This is often used in batch files to change a set of TSR
configurations by simply copying in a new CONFIG.SYS and then automatically
rebooting.  Apparently, though, the Norton product uses this scan string as a
check for suspect viral programs.  It also doesn't appear to perform any
"sanity checking", such as for program size ... 
Norton false alarm on Lotus
The latest Norton AntiVirus, version 3.0, is triggering false alarms off the
LOTUS.COM file for 1-2-3 version 2.2.  It is being identified as Vengeance-B. 
Until this is fixed, Symantec suggests putting the LOTUS.COM file on the
exclusion list for known virus checking.  The change detection monitoring can
be left intact to inform you of any other infections.
"Fault tolerant" infections
RAID (redundant arrays of inexpensive disks) manufacturers, as well as the
virus research community, are being asked about the possible problems of viral
programs on redundant disk arrays.  The answer is that RAID only deals with
hardware faults.  Software corruption, such as viral infections, is unaffected. 
If a virus can infect a RAID stack, it can also be disinfected.  (There are
some software based RAID systems: these will behave in unexpected fashions.) 
Sort of like expecting an error correcting modem to fix your spelling ... 
MBR disinfection damage
Recently there have been a number of reports of "unrecoverable" hard disks,
even after a virus has supposedly been disinfected.  Nick Fitzgerald reported
one specific case which points out a weakness which seems common to almost all
antiviral software.  In this particular case, an attempt had been made to
recover the disk and a very slight change had been made to the partition table. 
This mismatch was enough to create the problem.  Most MBR disinfectors do not
check the configuration once they find a "valid" partition table to replace the
one that had been damaged.
DIR errors.*
A recent column on companion viri and program precedence has sparked more
corrections than any I can recall in a long time.  I used the example that,
under MS-DOS, a program with the file name DIR.COM will never be executed since
DIR is an "internal" DOS command and gets executed first.  Bad choice of
example.  Among the discoveries when people tried it out: specifying the (or
any) path will execute the file; specifying the full filename still executes
the internal command; Disk Doubler and other disk compression programs use
DIR.COM programs; the operations vary depending upon DOS version.
Norton attacking the competition?
A recent report has the Intercept portion of the Norton AntiVirus 2.1 reporting
(falsely) that PC Tools programs are infected with MtE equipped viri.  Using
the scanning portion to read the disk turns up nothing.
MSAV and Michelangelo
One of the many recent reports of infections through computer retailers,
renters and repair shops concerns a number of systems which came with MS-DOS
6.0 and MSAV ... as well as Michelangelo.  The installed MSAV did *not* detect
the virus, which is odd since it should.  This may indicate a new version of
Michelangelo, or a heretofore undiscovered weakness in MSAV.
Norton dropping XTs
Reports of testing with the latest versions of both the Norton Utilities
(version 7) and the Norton AntiVirus (3.0) indicate that many of the programs
and functions will no longer run on 8088 and 8086 CPUs.  In addition, Norton
seems to have gone back to the rather clumsy "run time library" files that most
programmers haven't used for some time.
Circular partition problem
Mike Lambert has reported a bug in all versions of MS-DOS from 3.3 to 6.0.  The
extended partition is a forward linked list and, if it is circular and does not
contain a valid DOS partition, IO.SYS will go into an endless loop, hanging the
computer.  DOS manufacturers have been informed of the problem: Novell says it
is fixed in DR-DOS 7.0, IBM says it is fixed in PC-DOS 6.1 and Microsoft ain't
talkin'.  (The bug apprently still exists in beta copies of 6.2)  Copies of the
detailed report can be obtained from mlambert@cap.gwu.edu.
Large use of bandwidth department
Michael Paris is an avowed "Pro-Virus" person.  Still, he had agreed to abide
by the rules of the Fidonet VIRUS_INFO echo/discussion area, and has stuck to
that over the past six weeks.  His contributions, while not exactly
overwhelming insights, have been moderate and on topic for the most part. 
However, he seems to be single handedly responsible for the fact that
VIRUS_INFO carrying twice the traffic of VIRUS.  "Open channel D" (for
"Dialogue" ...)
The life of a Fidonet moderator is not an easy one.  Just ask Paul Ferguson,
moderator of the VIRUS_INFO echo.  Subject to verbal abuse via both public and
private messages, he manfully (can I say that without being sexist?) strives to
keep peace, order and good information flowing on the echo.  A while back,
because of a new job, it looked as if he would have to give up the job.  He
managed to keep it, but with another new job, he is looking for someone to help
carry the load.  Support your local (or remote) moderator ...
Symantec buys Fifth (Fourth?)
First Symantec was a Mac utility software house.  Then they bought Norton, to
add MS-DOS respectability.  Then they bought Certus, to beef up the Norton
Antivirus.  Now they have purchased Fifth Generation, itself a fairly major
player in the antiviral market as a packager of other products.  Given the lag
of almost a year to get the Certus NOVI technology into NAV, who knows when we
will see evidence of Untouchable and so forth.
New VIRUS_INFO co-moderator
Paul Ferguson has announced his "running mate" in the management of the Fidonet
VIRUS-INFO echo.  It will be Jeff Cook, American agent for Thunderbyte.  This
has already provoked some comment about bias and fairness ... 
It's a joke, alright?
F-Prot identifies not only viral signatures, but some trojans and other
programs as well.  It also identifies some joke or prank programs which may
give some users a bit of a turn when "insects" start appearing on the screen
and so forth.  On a fairly regular basis, the VIRUS-L/comp.virus and Fidonet
discussion groups see posts like "F-Prot says HELPME.EXE is the `Help Me Joke
program'.  Am I infected?"  If frisk says it's a joke, it's a joke.  Come on,
now ... 
Michael Paris recidivus
In response to a somewhat immoderate (moderators can get touchy at times)
attack, Michael Paris has posted his resume to the VIRUS_INFO Fidonet echo. 
Interesting reading.  He is, himself, seemingly under a bit of an attack from
the hacker community: someone appears to be imitating him on the echo ... 
Would you buy a used antiviral from this man?
John Buchanan, also known as "Aristotle", was largely responsible (or
irresponsible) for the promotion of virus exchange bulletin boards in 1992.  He
stated, in private converstations with virus researchers, that this was his own
research into the virus/cracker/phreak phenomenon.  However, after publicly
stating this, shutting down his original board and announcing that he was now
"on the side of the angels", he restarted a virus exchange board and offered
viral code for sale.  An associate has now announced that they are producing
antiviral software.  Why don't I want to review this? ...
ArIsToTlE by any other name ...
John Buchanan, infamous vx promoter and self promoted virus researcher has
apparently been collecting different accounts and names in a vain attempt to
post without people catching on.  A Fidonet denizen recently identified his
various personae as Aristotle, John Buchanan, John A. Buchanan, Barbara Bush,
Elmo Winston and Jim Brandon.
Vancouver        p1@arkham.wimsey.bc.ca   | "If a train station
Institute for    Robert_Slade@sfu.ca      |  is where a train
Research into    rslade@cue.bc.ca         |  stops, what happens
User             p1@CyberStore.ca         |  at a workstation?"
Security         Canada V7K 2G6           | Frederick Wheeler