V.I.R.U.S. Weekly - November 5, 1993
A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade
Table of Contents:
1    KILLMONK 3.0 (MS-DOS)
2    Thunderbyte 6.08 (MS-DOS)
3    VIRx 2.91 (MS-DOS)
4    More on KOH (MS-DOS)
5    Well, I *meant* Monkey ... (MS-DOS)
7    PS-MPC.Math-test (MS-DOS)
8    Norton AV 3.0
9    Unhealthy planning disks
10   October Hack Report Cancelled
11   (1.1) Power
KILLMONK 3.0 (MS-DOS)
Prompted by growing reports of Monkey infections, Tim Martin has released an
improved version of KILLMONK, which should start to become available.  If you
have Internet access, ftp to ftp.srv.ualberta.ca and get the file
pub/dos/virus/killmnk3.zip.  This version will fix problems caused by those who
have tried the universally recommended FDISK /MBR command, which doesn't work
on Monkey.  Usually the mangled disks are identified as having a Stoned variant
present (see entry this issue).
Thunderbyte 6.08 (MS-DOS)
The latest Thunderbyte is definitely out there, but there is amazingly little
word as to what improvements it contains.
VIRx 2.91 (MS-DOS)
The version number aside, Glenn Jordan promises major improvements from VIRx
2.91.  Of particular interest is the fact that the memory resident portion of
the system is down to a mere 528 bytes.
More on KOH (MS-DOS)
Testing by Wallace Hale has revealed some interesting characteristics from the
KOH virus, one of two known "good" viral programs.  The virus, or the version
tested at any rate, is apparently reasonably well behaved on a system with a
hard disk installed, but behaves in a much more covert manner on a system with
only floppy drives.  ("Good" is used here in an extremely subjective manner:
both KOH and Cruncher have properties that can easily create problems on your
Well, I *meant* Monkey ... (MS-DOS)
In a recent issue I noted reports of a "new Stoned" which was distinctive in
that if the computer was booted from a clean disk, the hard drive was no longer
accessible.  Tim Martin reminded me that this is a fairly easy call.  The
Monkey virus encrypts the original partition table so the hard disk does not
appear to have any partition table data at all.
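An added example, not part of the original newsletter and not KILLMONK's code: a sanity check of sector 0 that shows what a clean boot sees when the partition table is no longer stored there in the clear. The sample sectors, function names and partition values are constructed for illustration and do not reproduce Monkey's actual on-disk layout.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446       # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510   # 0x55 0xAA boot signature

def parse_partition_table(sector):
    """Return the plausible partition entries found in one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        boot_flag, ptype = raw[0], raw[4]
        start_lba, count = struct.unpack_from("<II", raw, 8)
        # A usable entry has a type, a boot flag of 0x00/0x80 and a size.
        if ptype != 0 and boot_flag in (0x00, 0x80) and count > 0:
            entries.append({"slot": slot, "active": boot_flag == 0x80,
                            "type": ptype, "start_lba": start_lba,
                            "sectors": count})
    return entries

def assess_mbr(sector):
    """Classify sector 0 the way a clean-boot check would see it."""
    entries = parse_partition_table(sector)
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        return "no boot signature"
    if not entries:
        return "boot signature present, no usable partition table"
    return "partition table looks sane"

def build_sector(table_bytes):
    """Constructed sample: empty boot code area + given table + signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + len(table_bytes)] = table_bytes
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)

# Constructed entry: active FAT16 (type 0x06) partition, LBA 63, 204800 sectors.
ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                    b"\x0f\xe0\xff", 63, 204800)
CLEAN_MBR = build_sector(ENTRY)
HIDDEN_TABLE_MBR = build_sector(b"")   # table area left empty

if __name__ == "__main__":
    for name, s in (("clean", CLEAN_MBR), ("hidden table", HIDDEN_TABLE_MBR)):
        print(name, "->", assess_mbr(s))
```

FDISK /MBR rewrites only the boot code in sector 0 and leaves the table bytes as it finds them, so it cannot restore entries that are not there to begin with.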
A new COM file infector is reported from Israel.  The infective length adds 894
bytes to files.  It is encrypted with a simple single layer XOR function.  When
decrypted the text "AMEF0\OFF-ROAD", "*.com *.*" and "????????COM" can be seen
within the virus code.  All COM files in a directory will be infected on a
single pass.  The virus hooks the timer and activates on March 3, formatting
floppies accessed on that date.  It also checks for Mondays for unknown
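An added example, not from the original newsletter: a scanner-side check for the three strings quoted above without knowing the key. It assumes the "simple single layer XOR" is one constant byte applied to the whole body (the report does not say so); the sample buffer is constructed filler, not the virus.

```python
def delta(data):
    """XOR each byte with its successor; a constant XOR key cancels out."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))

# Strings quoted in the report as visible after decryption.
PAGE_STRINGS = [b"AMEF0\\OFF-ROAD", b"*.com *.*", b"????????COM"]

def find_xor_hidden(blob, needles=PAGE_STRINGS):
    """Return {needle: (offset, key)} for needles hidden under one XOR byte."""
    hits = {}
    blob_delta = delta(blob)
    for needle in needles:
        pos = blob_delta.find(delta(needle))
        if pos != -1:
            # A full delta match means every byte differs from the needle
            # by the same value, so the first byte alone yields the key.
            hits[needle] = (pos, blob[pos] ^ needle[0])
    return hits

def looks_infected(blob):
    """Flag only when two or more strings decode under the same key."""
    hits = find_xor_hidden(blob)
    keys = {key for _, key in hits.values()}
    return len(hits) >= 2 and len(keys) == 1

# Constructed sample: filler bytes around two of the strings, then XOR 0x5A.
ASSUMED_KEY = 0x5A  # arbitrary key chosen for the sample
PLAIN = (b"\x11\x22\x33" * 10 + b"*.com *.*" + b"\xa5\x5a" * 10
         + b"????????COM" + b"\x07\x08" * 5)
SAMPLE = bytes(b ^ ASSUMED_KEY for b in PLAIN)

if __name__ == "__main__":
    for needle, (offset, key) in find_xor_hidden(SAMPLE).items():
        print(needle, "at offset", offset, "key", hex(key))
    print("flagged:", looks_infected(SAMPLE))
```

Requiring agreement on the key across strings keeps a chance match on one short pattern from raising an alarm.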
PS-MPC.Math-test (MS-DOS)
The CD-ROM "Software Vault, Collection 2", published by American Databank Corp,
is said to contain the PS-MPC.Math-test virus.  The infected file is stored in
directory #18, "Communication" inside 64BLAZER.ZIP.  An uninfected version of
the same archive is also present, with the filename 64BLAZE.ZIP.  The virus is
a memory resident infector of COM and EXE files.  Activating daily between 9
and 10 am, it will ask the user a simple math question and refuse to invoke the
requested program if the answer is incorrect.
Norton AV 3.0
More details regarding the latest Norton.  It does *not* catch the new Int_10
BSI.  Testing with DISKSECURE II installed, however, reveals an interesting
anomaly.  Padgett Peterson's product (which *does* detect Int_10, and was, in
fact, how it was discovered) installs to the master boot record, and uses a
stealth technology to redirect calls to the original.  Norton finds something
wrong -- not with the MBR though.  NAV claims that it can't read the DOS boot
sector ... 
Unhealthy planning disks
The White House got high tech with the new proposals to overhaul the US health
care system.  The plan was distributed on floppy disks to those lucky enough to
get a copy.  If you have one, don't put it in your A: drive.  The disks are
said to be infected with a version of Stoned.  (There is a lot of fun being had
at the Clintons' expense over this.  However, it should be noted that this is
not the first time a US federal office has sent out virus infected material.)
October Hack Report Cancelled
Due to illness and "personal problems", Lee Jackson has had to cancel the
October issue of the Hack Report.  (I can relate: I'm still catching up after
the ISSS conference -- and that was three weeks ago.)  Hopefully things are
back on track, and the November report will be out soon.
Vancouver        p1@arkham.wimsey.bc.ca   | "Metabolically
Institute for    Robert_Slade@sfu.ca      |  challenged"
Research into    rslade@cue.bc.ca         | 
User             p1@CyberStore.ca         | politically correct
Security         Canada V7K 2G6           | term for "dead"