V.I.R.U.S. Monthly - October, 1993

A monthly digest of virus and related news, V.I.R.U.S. Monthly is prepared by the Vancouver Institute for Research into User Security from the V.I.R.U.S. Weekly BBS feed and newsletter. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

NEW ANTIVIRALS

Norton Antivirus 3.0 (MS-DOS)

Another release from the Symantec/Norton people. This appears to be the first time it incorporates the technology they bought along with Certus. Almost a year later. Hmmm.

Thunderbyte 6.07 (MS-DOS)

What happened to 6.06? Oh well. The new version of TBScan corrects a "feature" which did *not* always scan all files when "all files" were specified. It also now scans the master boot record of a second physical hard drive, because of the prevalence of portable drives. The weakness that allowed TBClean to activate certain viral programs has been fixed. Thunderbyte is now using PGP technology for security of distribution.

F-Prot 2.09F (MS-DOS)

F-Prot version 2.09F has been released. In common with the "lettered" releases, this generally only adds more signatures and fixes a few minor bugs. This version was intended to be 2.10, but frisk wants more time to add some additional functions before his release. This has caused a little concern: the update file is called WHATSNEW.210, and led to some initial speculation that this might be a trojan version.

TBAV 6.07 false alarms (MS-DOS)

Version 6.07 seems to be generating more than its share of false alarms. A number of "false positive" reports are coming in within a week of its release. One of the false reports is on the Satanbug virus, which will no doubt fuel the Satanbug hysteria.

NEW VIRAL PROGRAMS

Don't use SCAN2000 (MS-DOS)

There is a report of a supposed McAfee version called SCAN2000 doing the rounds.
There has been no word yet from McAfee Associates about any change in numbering, and it's a good bet that this is a trojan.

Satanbug again (MS-DOS)

More details on the Satanbug virus. (The name, by the way, comes from an ASCII text string contained in the code.) The virus takes between three and nine kilobytes from the "top of memory": TOM measures, such as CHKDSK, will show a drop. There is also a BIOS/DOS memory mismatch. Files grow by three to five kilobytes. *Any* files with a COM or EXE extension will be infected: this is a possible test for the infection, by checking non-executable files with those extensions. Unfortunately, recovery may be very difficult since the original file size is lost, and the original file "beginning" is encrypted along with the virus.

More Satanbug (MS-DOS)

The first file attacked is COMMAND.COM: this means that you may see an "Invalid COMMAND.COM" message immediately after the infection. (The message will disappear on rebooting.) LANs that use COMSPEC to redirect access to the server copy will show this message when infected, unless the server has also been infected. The LAN server should be adequately protected by normal LAN security. Unless, that is, the SUPERVISOR logs into an infected workstation. As a "fast infector" it will infect any files opened. Virus scanners that do not detect it could spread the infection.

Loren (MS-DOS)

The Loren virus uses both stealth and "fast infection" technology. When a directory listing is taken, and the virus is active in memory, all files opened will be infected. The increase in length will be hidden. After the virus has infected twenty files, it will try to format the "physical first" track on the hard disk (likely rendering it unreadable). If there is no hard disk, both floppies will be attempted. If any disk is formatted, the virus will display a message identifying itself.

New Stoned? (MS-DOS)

A number of messages are asking for help with a new version of Stoned.
Not many details are being given, and normally I wouldn't mention such skimpy reports, but one factor seems to be common to all the reports. If the computer is booted from an infected drive, all seems normal. If the computer is booted from a clean system disk, the hard drive can no longer be accessed.

SCAN 109 (MS-DOS)

In addition to the SCAN2000 mentioned last week, the Fort Worth area has had a copy of "SCAN109" doing the rounds. This is apparently a dropper of the Filler virus. Please, be careful of where you get the "latest" antiviral ...

TIMID (MS-DOS)

The TIMID virus is not new: its source code was published in the "Little Black Book" over two years ago. However, until now it has been considered a rarity. It now appears to be creating some problems "in the wild". Vesselin Bontchev also reports at least thirteen different variants: understandable with the source code widely available. TIMID (at least the original) infects COM files only, and appears to carry no destructive "payload".

Form (MS-DOS)

Form isn't new either, but it is starting to appear in a number of places (including the University of Asmara in Eritrea!). The information in both the Hoffman VSUM listing and the CARO catalogue, interestingly, is incorrect: the virus activates on the 18th of the month, rather than the 24th. A lot of people are reacting to the presence of *any* boot sector infector with "FDISK /MBR": in the case of Form this is useless, since Form resides in the boot sector proper and is unaffected by MBR corrections.

Ultimation (or Ultimatum) (MS-DOS)

A large and rather clumsy virus written in Turbo C++ has been making some press, mostly because the large code has made finding a signature string that doesn't create false positives difficult. The following text strings are found in it: "I'm bored.", "Screw you.", "Life is a drag.", "Ouch! Don't hit me so hard.", "Floppy drive A: is flooded.
Please insert J cloth.", "Murderer.", "You have been infected by ULTIMATION corp.", "Go directly to jail. Do not pass go. Do not collect $200.", ".Ah ha! Caught you.", "Copy protection error 23. Please re-install from master."

Satanbug (MS-DOS)

The recent spate of reports about the Satanbug virus is probably due to the fact that the source code was widely distributed on virus exchange bulletin boards (including the brief foray that the US federal government had into virus distribution). Test results from CARO indicate that SCAN version 108 does not detect the virus reliably.

Nice Day (MS-DOS)

IBM's virus research group reports a virus from Indonesia which they are calling YMP-NiceDay. It is a boot sector infector of the MBR type, and will present the message "HAVE A NICE DAY (c) YMP" when booted up on the first day of the month. The FDISK /MBR function should take care of it, although the report cautions users to check the partitions first.

Stoned 3 (and 4) (MS-DOS)

There has recently been a rash of reports of something called "Stoned 3" or "Stoned III" infecting computers left, right and sideways. There is, of course, no such thing, and we have been unable to find the source of all the rumours. Australia also reports a similar situation with "Stoned 4": in that case "leftover" bits of Stoned which had been disabled with FDISK /MBR had been generating false positive alarms with MSAV. Given the prevalence of MSAV, this may be happening here.

Boot-437 (MS-DOS)

A boot sector infector of MBR type, this uninspired program is apparently of Polish origin. For those who like to do their own repairs, the original sector can be found on cylinder 0, side 0, sector 6 on hard disks, and in the last sector of the root directory on floppies. Otherwise, FDISK /MBR will work on hard disks. The virus appears to carry no payload.

Crunch (MS-DOS)

More details on the Crunch or Cruncher viri. There are at least three known variants; only 2.1 asks permission before going resident.
(Unless you happen to have set the CRUNCH environment variable to AUTO.) If files are uncompressed with Diet or UNP, a message to Fred Cohen and the author of Diet appears. The compression routine is pretty good: as it should be, given that it is stolen directly from Diet. Unfortunately, the majority of programs infected and compressed will not, thereafter, execute.

Xuxa (MS-DOS)

Based on the SURIV virus (part of the Jerusalem family), this virus plays a tune between 5 and 6 pm. The tune is the theme song of a children's show, broadcast between 5 and 6 pm in Argentina. (The host of the show is Xuxa, the soccer player Pele's ex-wife.)

CONFERENCES AND COURSES

ISSS '93 - No seminar

Well, I still might see you at ISSS '93, but my seminar has been pulled due to low registration. An unfortunately common occurrence these days: at least two "training" companies have pulled virus seminars from their offerings ...

CSI's 20th

The Computer Security Institute's computer security conference will be held November 8-10th in Anaheim, California. Of four virus sessions, only one is by a known reputable researcher. However, a full day seminar by Tom Duff should be of interest to all. Ray Kaplan and Padgett Peterson will be giving sessions and Bill Murray is conference chair, so it should be good overall. Contact CSI in San Francisco.

European Symposium on Research in Computer Security

To be held in Brighton, United Kingdom, November 7th-9th, 1994, ESORICS-94 is organised by The IMA in cooperation with AFCET (creator), BCS Security Special Interest Group, and CERT-ONERA. Viral programs are one of the areas for which papers are being solicited. Papers can be submitted to: Gerard Eizenberg, CERT-ONERA ESORICS 94, 2, avenue E. Belin, B.P. 4025, 31055 Toulouse Cedex, France.

RESEARCH

REBOOT.COM triggers NAV

A great many systems people keep handy a five byte program which will reboot MS-DOS computers.
This is often used in batch files to change a set of TSR configurations by simply copying in a new CONFIG.SYS and then automatically rebooting. Apparently, though, the Norton product uses this scan string as a check for suspect viral programs. It also doesn't appear to perform any "sanity checking", such as for program size ...

Norton false alarm on Lotus

The latest Norton AntiVirus, version 3.0, is triggering false alarms off the LOTUS.COM file for 1-2-3 version 2.2. It is being identified as Vengeance-B. Until this is fixed, Symantec suggests putting the LOTUS.COM file on the exclusion list for known virus checking. The change detection monitoring can be left intact to inform you of any other infections.

"Fault tolerant" infections

RAID (redundant arrays of inexpensive disks) manufacturers, as well as the virus research community, are being asked about the possible problems of viral programs on redundant disk arrays. The answer is that RAID only deals with hardware faults. Software corruption, such as viral infections, is unaffected. If a virus can infect a RAID stack, it can also be disinfected. (There are some software based RAID systems: these will behave in unexpected fashions.) Sort of like expecting an error correcting modem to fix your spelling ...

MBR disinfection damage

Recently there have been a number of reports of "unrecoverable" hard disks, even after a virus has supposedly been disinfected. Nick Fitzgerald reported one specific case which points out a weakness which seems common to almost all antiviral software. In this particular case, an attempt had been made to recover the disk and a very slight change had been made to the partition table. This mismatch was enough to create the problem. Most MBR disinfectors do not check the configuration once they find a "valid" partition table to replace the one that had been damaged.
DIR errors

A recent column on companion viri and program precedence has sparked more corrections than any I can recall in a long time. I used the example that, under MS-DOS, a program with the file name DIR.COM will never be executed since DIR is an "internal" DOS command and gets executed first. Bad choice of example. Among the discoveries when people tried it out: specifying the (or any) path will execute the file; specifying the full filename still executes the internal command; Disk Doubler and other disk compression programs use DIR.COM programs; the operations vary depending upon DOS version.

Norton attacking the competition?

A recent report has the Intercept portion of the Norton AntiVirus 2.1 reporting (falsely) that PC Tools programs are infected with MtE equipped viri. Using the scanning portion to read the disk turns up nothing.

MSAV and Michelangelo

One of the many recent reports of infections through computer retailers, renters and repair shops concerns a number of systems which came with MS-DOS 6.0 and MSAV ... as well as Michelangelo. The installed MSAV did *not* detect the virus, which is odd since it should. This may indicate a new version of Michelangelo, or a heretofore undiscovered weakness in MSAV.

Norton dropping XTs

Reports of testing with the latest versions of both the Norton Utilities (version 7) and the Norton AntiVirus (3.0) indicate that many of the programs and functions will no longer run on 8088 and 8086 CPUs. In addition, Norton seems to have gone back to the rather clumsy "run time library" files that most programmers haven't used for some time.

Circular partition problem

Mike Lambert has reported a bug in all versions of MS-DOS from 3.3 to 6.0. The extended partition is a forward linked list and, if it is circular and does not contain a valid DOS partition, IO.SYS will go into an endless loop, hanging the computer.
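An added illustration (not from the newsletter, Mike Lambert's report or any DOS vendor) of the two partition-table weaknesses raised above, in "MBR disinfection damage" and here: a checker that refuses a table without the 0x55AA signature, flags partitions that run past the end of the disk, and walks the extended-partition chain with cycle detection so a circular list is reported instead of followed forever. The sector layout used (entries at offset 0x1BE, type byte at +4, LBA start and size at +8, EBR links relative to the extended partition start) is the standard DOS one; the disk image is constructed for the example.

```python
import struct
EXTENDED_TYPES = {0x05, 0x0F}          # DOS extended, Win95 LBA extended
DOS_TYPES = {0x01, 0x04, 0x06}         # FAT12, FAT16 < 32 MB, FAT16

def parse_table(sector):
    """Four (type, start, size) entries from offset 0x1BE; signature required."""
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature")
    entries = []
    for off in range(0x1BE, 0x1BE + 64, 16):
        start, size = struct.unpack_from("<II", sector, off + 8)
        entries.append((sector[off + 4], start, size))
    return entries

def walk_extended(disk, ext_start, total_sectors, problems):
    """Follow the EBR forward-linked list (link starts are relative to the
    extended partition start). Returns (logical partitions, chain is circular)."""
    seen, logical, lba = set(), [], ext_start
    while lba:
        if lba in seen:
            return logical, True           # the loop that hangs IO.SYS
        if lba >= total_sectors or lba not in disk:
            problems.append("EBR link to sector %d is out of range" % lba)
            return logical, False
        seen.add(lba)
        data, link = parse_table(disk[lba])[:2]
        if data[0]:                        # non-empty logical partition entry
            logical.append((data[0], lba + data[1], data[2]))
        lba = ext_start + link[1] if link[0] in EXTENDED_TYPES else 0
    return logical, False

def check_disk(disk, total_sectors):
    """Checks a disinfector should make before trusting a 'valid' MBR table."""
    problems, logical, circular = [], [], False
    for ptype, start, size in parse_table(disk[0]):
        if ptype and start + size > total_sectors:
            problems.append("partition type %#x runs past end of disk" % ptype)
        if ptype in EXTENDED_TYPES:
            logical, circular = walk_extended(disk, start, total_sectors, problems)
    return {"circular": circular, "problems": problems,
            "dos_in_chain": any(t in DOS_TYPES for t, _, _ in logical)}

def make_sector(entries):
    """Build a constructed 512-byte MBR/EBR from (type, start, size) entries."""
    sec = bytearray(512)
    for i, (ptype, start, size) in enumerate(entries):
        sec[0x1BE + 16 * i + 4] = ptype
        struct.pack_into("<II", sec, 0x1BE + 16 * i + 8, start, size)
    sec[510:] = b"\x55\xAA"
    return bytes(sec)

# Constructed 8192-sector image: a FAT16 primary, plus an extended partition whose two EBRs hold no DOS partition and link back to each other.
DISK = {0: make_sector([(0x06, 63, 1000), (0x05, 2048, 4096)]),
        2048: make_sector([(0x00, 0, 0), (0x05, 1024, 1024)]),
        3072: make_sector([(0x00, 0, 0), (0x05, 0, 1024)])}
```

check_disk(DISK, 8192) reports the chain as circular with no DOS partition in it, which is exactly the configuration the report says sends IO.SYS into its endless loop.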
DOS manufacturers have been informed of the problem: Novell says it is fixed in DR-DOS 7.0, IBM says it is fixed in PC-DOS 6.1, and Microsoft ain't talkin'. (The bug apparently still exists in beta copies of 6.2.) Copies of the detailed report can be obtained from mlambert@cap.gwu.edu.

GOSSIP

Large use of bandwidth department

Michael Paris is an avowed "Pro-Virus" person. Still, he had agreed to abide by the rules of the Fidonet VIRUS_INFO echo/discussion area, and has stuck to that over the past six weeks. His contributions, while not exactly overwhelming insights, have been moderate and on topic for the most part. However, he seems to be single handedly responsible for the fact that VIRUS_INFO is carrying twice the traffic of VIRUS. "Open channel D" (for "Dialogue" ...)

M'aidez!

The life of a Fidonet moderator is not an easy one. Just ask Paul Ferguson, moderator of the VIRUS_INFO echo. Subject to verbal abuse via both public and private messages, he manfully (can I say that without being sexist?) strives to keep peace, order and good information flowing on the echo. A while back, because of a new job, it looked as if he would have to give up the job. He managed to keep it, but with another new job, he is looking for someone to help carry the load. Support your local (or remote) moderator ...

Symantec buys Fifth (Fourth?)

First Symantec was a Mac utility software house. Then they bought Norton, to add MS-DOS respectability. Then they bought Certus, to beef up the Norton Antivirus. Now they have purchased Fifth Generation, itself a fairly major player in the antiviral market as a packager of other products. Given the lag of almost a year to get the Certus NOVI technology into NAV, who knows when we will see evidence of Untouchable and so forth.

New VIRUS_INFO co-moderator

Paul Ferguson has announced his "running mate" in the management of the Fidonet VIRUS-INFO echo. It will be Jeff Cook, American agent for Thunderbyte.
This has already provoked some comment about bias and fairness ...

It's a joke, alright?

F-Prot identifies not only viral signatures, but some trojans and other programs as well. It also identifies some joke or prank programs which may give some users a bit of a turn when "insects" start appearing on the screen and so forth. On a fairly regular basis, the VIRUS-L/comp.virus and Fidonet discussion groups see posts like "F-Prot says HELPME.EXE is the `Help Me Joke program'. Am I infected?" If frisk says it's a joke, it's a joke. Come on, now ...

Michael Paris recidivus

In response to a somewhat immoderate (moderators can get touchy at times) attack, Michael Paris has posted his resume to the VIRUS_INFO Fidonet echo. Interesting reading. He is, himself, seemingly under a bit of an attack from the hacker community: someone appears to be imitating him on the echo ...

Would you buy a used antiviral from this man?

John Buchanan, also known as "Aristotle", was largely responsible (or irresponsible) for the promotion of virus exchange bulletin boards in 1992. He stated, in private conversations with virus researchers, that this was his own research into the virus/cracker/phreak phenomenon. However, after publicly stating this, shutting down his original board and announcing that he was now "on the side of the angels", he restarted a virus exchange board and offered viral code for sale. An associate has now announced that they are producing antiviral software. Why don't I want to review this? ...

ArIsToTlE by any other name ...

John Buchanan, infamous vx promoter and self promoted virus researcher, has apparently been collecting different accounts and names in a vain attempt to post without people catching on. A Fidonet denizen recently identified his various personae as Aristotle, John Buchanan, John A. Buchanan, Barbara Bush, Elmo Winston and Jim Brandon.
=============
Vancouver Institute for Research into User Security
Canada V7K 2G6

p1@arkham.wimsey.bc.ca
Robert_Slade@sfu.ca
rslade@cue.bc.ca
p1@CyberStore.ca

"If a train station is where a train stops, what happens at a workstation?"
- Frederick Wheeler