V.I.R.U.S. Weekly - November 5, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

Table of Contents:

 1 KILLMONK 3.0 (MS-DOS)
 2 Thunderbyte 6.08 (MS-DOS)
 3 VIRx 2.91 (MS-DOS)
 4 More on KOH (MS-DOS)
 5 Well, I *meant* Monkey ... (MS-DOS)
 6 OFF-ROAD (MS-DOS)
 7 PS-MPC.Math-test (MS-DOS)
 8 Norton AV 3.0
 9 Unhealthy planning disks
10 October Hack Report Cancelled

NEW ANTIVIRALS

KILLMONK 3.0 (MS-DOS)

Prompted by growing reports of Monkey infections, Tim Martin has released an improved version of KILLMONK, which should start to become available. If you have Internet access, ftp to ftp.srv.ualberta.ca and get the file pub/dos/virus/killmnk3.zip. This version will fix problems caused by those who have tried the universally recommended FDISK /MBR command, which doesn't work on Monkey. Usually the mangled disks are identified as having a Stoned variant present (see entry this issue).

Thunderbyte 6.08 (MS-DOS)

The latest Thunderbyte is definitely out there, but there is amazingly little word as to what improvements it contains.

VIRx 2.91 (MS-DOS)

The version number aside, Glenn Jordan promises major improvements from VIRx 2.91. Of particular interest is the fact that the memory resident portion of the system is down to a mere 528 bytes.

NEW VIRAL PROGRAMS

More on KOH (MS-DOS)

Testing by Wallace Hale has revealed some interesting characteristics from the KOH virus, one of two known "good" viral programs. The virus, or the version tested at any rate, is apparently reasonably well behaved on a system with a hard disk installed, but behaves in a much more covert manner on a system with only floppy drives.
("Good" is used here in an extremely subjective manner: both KOH and Cruncher have properties that can easily create problems on your system.)

Well, I *meant* Monkey ... (MS-DOS)

In a recent issue I noted reports of a "new Stoned" which was distinctive in that if the computer was booted from a clean disk, the hard drive was no longer accessible. Tim Martin reminded me that this is a fairly easy call. The Monkey virus encrypts the original partition table so the hard disk does not appear to have any partition table data at all.

OFF-ROAD (MS-DOS)

A new COM file infector is reported from Israel. The infective length adds 894 bytes to files. It is encrypted with a simple single layer XOR function. When decrypted the text "AMEF0\OFF-ROAD", "*.com *.*" and "????????COM" can be seen within the virus code. All COM files in a directory will be infected on a single pass. The virus hooks the timer and activates on March 3, formatting floppies accessed on that date. It also checks for Mondays for unknown reasons.

PS-MPC.Math-test (MS-DOS)

The CD-ROM "Software Vault, Collection 2", published by American Databank Corp, is said to contain the PS-MPC.Math-test virus. The infected file is stored in directory #18, "Communication" inside 64BLAZER.ZIP. An uninfected version of the same archive is also present, with the filename 64BLAZE.ZIP. The virus is a memory resident infector of COM and EXE files. Activating daily between 9 and 10 am, it will ask the user a simple math question and refuse to invoke the requested program if the answer is incorrect.

RESEARCH

Norton AV 3.0

More details regarding the latest Norton. It does *not* catch the new Int_10 BSI. Testing with DISKSECURE II installed, however, reveals an interesting anomaly. Padgett Peterson's product (which *does* detect Int_10, and was, in fact, how it was discovered) installs to the master boot record, and uses a stealth technology to redirect calls to the original. Norton finds something wrong -- not with the MBR though.
NAV claims that it can't read the DOS boot sector ...

GOSSIP

Unhealthy planning disks

The White House got high tech with the new proposals to overhaul the US health care system. The plan was distributed on floppy disks to those lucky enough to get a copy. If you have one, don't put it in your A: drive. The disks are said to be infected with a version of Stoned.

(There is a lot of fun being had at the Clintons' expense over this. However, it should be noted that this is not the first time a US federal office has sent out virus infected material.)

October Hack Report Cancelled

Due to illness and "personal problems", Lee Jackson has had to cancel the October issue of the Hack Report. (I can relate: I'm still catching up after the ISSS conference -- and that was three weeks ago.) Hopefully things are back on track, and the November report will be out soon.

=============
Vancouver      email@example.com              | "Metabolically
Institute for  Robert_Slade@sfu.ca            |  challenged"
Research into  firstname.lastname@example.org |
User           p1@CyberStore.ca               |  politically correct
Security       Canada V7K 2G6                 |  term for "dead"