V.I.R.U.S. Weekly - November 12, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

Other columns this week:

Table of Contents:

 1 KILLMONK kills Int_10 too (MS-DOS)
 2 Disinfectant 3.3 (Mac)
 3 Gatekeeper
 4 Virex 4.1 (Mac)
 5 VirusDetective 5.0.10 (Mac)
 6 NAV updates available via ftp (MS-DOS)
 7 AVP 1.07B (MS-DOS)
 8 November 17 (MS-DOS)
 9 New virus signatures (MS-DOS)
10 Int_10 (MS-DOS)
11 Memory Lapse 366.A (MS-DOS)
12 CODE-1 (Mac)
13 MBDF-B (Mac)
14 VSI '94
15 Oracle Office Demo disk clean
16 SCAN's Generic Boot virus
17 Stepping up to 6.2 (MS-DOS)
18 SCAN doing worse on MtE
19 Tremor tests
20 But it must be true! I saw it on the news ... (Clinton correction)
21 Save what you can
22 Antivirus BBS listing

NEW ANTIVIRALS

KILLMONK kills Int_10 too (MS-DOS)

An unexpected side benefit of KILLMONK version 3.0, reported here last week: it kills the new Int_10 virus as well (see the Int_10 entry this week).

Disinfectant 3.3 (Mac)

The free Mac scanner has been updated to include detection of the two new Mac viri, and is available immediately.

Gatekeeper

Chris Johnson's activity monitor should be available by now and should deal with the two new Mac viri.

Virex 4.1 (Mac)

The commercial antiviral from Datawatch Corporation has been updated to detect the two new Mac viri. Older versions will identify and repair the MBDF-B virus, but report it as the MBDF-A virus. The UDV for the CODE-1 virus is:

  Guide Number = 13656448
  1: 020A 30FA 7D90 7610 / 8C
  2: 00A9 C60C AF00 0A00 / F1
  3: 3EA0 0B4E 7581 8090 / 59

VirusDetective 5.0.10 (Mac)

VirusDetective is shareware. Search strings for the CODE-1 virus will be sent only to registered users via e-mail. Registered users without e-mail access should contact the author for the search string. The MBDF-B virus is already detected by the MBDF-A search string.

NAV updates available via ftp (MS-DOS)

Vesselin Bontchev, with permission from Symantec, has made the latest NAV updates available via ftp. The full references of the two archives are:

  ftp.informatik.uni-hamburg.de:/pub/virus/progs/nav21upd.zip
  ftp.informatik.uni-hamburg.de:/pub/virus/progs/nav30upd.zip

AVP 1.07B (MS-DOS)

Eugene Kaspersky's "Anti Virus Program" has been released with updated signature strings. So far as has been announced, the only ftp site is:

  ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_107b.zip

NEW VIRAL PROGRAMS

November 17 (MS-DOS)

Four variants of a virus first seen in the fall of 1992 have been reported. These attack both COM and EXE files, adding 768, 800, 880, or 855 bytes to the infected file. Triggering on various dates between November 17th and December 31st, the virus will overwrite parts of the hard disk. Top rated scanners will detect infections, but many of the lower accuracy commercial scanners will not. The string "SCAN.CLEAN.COMEXE" can be found in infected files. There will likely be a number of media reports of this virus, as it has been announced by CIAC.

New virus signatures (MS-DOS)

Michael Paris is posting signatures which can be used with Thunderbyte. These can also be used with other scanners with slight modifications. The new signatures are:

  DAEM_2, 5E81EE4E07B94A07B8?22E3104
  Golgi_Testicles_1, 5D81ED03011E06B80342CD213D03
  Golgi_Testicles_2, 5D81ED0301061EB83D3DCD213D3D
  Golgi_Testicles_3, 5D81ED0301B83D4DCD213D3D0074
  Chromosome Glitch Goat v1.0, 5F81EF060187EFBE0001C604C3FF
  Chromosome Glitch v2.0, 5F81EF030187EF1E060E0E071F8D
  Nympho Mitosis v1.0, BD?21E06B83D5DCD213D3D0074
  Nympho Mitosis v2.0, BD?248CD21BB4D5A74531E0633
  Patricia Hohfman's Boobs 1.0, B800B85007BF0000BE3B02B9D007

Int_10 (MS-DOS)

This December you may see a graphic "snowfall" on the screen six hours after boot or at midnight. The new Int_10 virus is a boot sector infector of the MBR type which appears to carry no destructive payload. The string "88 85 93 02 41 41 D3 E0 80 7D 0B 00 75" may be found in memory if the virus is active, or in the MBR if you "boot clean".

Memory Lapse 366.A (MS-DOS)

SF2_UP.ZIP is an update file for Street Fighter 2, and appears on the Night Owl 10 CD-ROM. It is infected with a virus which is being called Memory Lapse 366.A after one of the text strings which appears in the code. The text strings are "Memory_Lapse.366A", "(07/01/93) Copyright (c) 1993 Memory Lapse" and "*M.EXE". The virus is 366 bytes in length and appends to EXE files via direct action.

CODE-1 (Mac)

This virus alters applications and system files and changes internal code pointers. This may cause the system to crash or damage some files. It may rename the hard disk to "Trent Saburo" if the system is restarted on October 31 of any year.

MBDF-B (Mac)

MBDF-B is a new variant of the MBDF-A strain. It has no overt payload, but has been seen to crash systems and applications because of the changes it makes.

CONFERENCES AND COURSES

VSI '94

The Virus Security Institute is presenting a conference in Philadelphia, Pennsylvania on March 29-30, 1994. Presented as "A Different Kind of Information Security Conference", the symposium will involve a high degree of participation in challenging models of security as applied to the "real world". Papers are solicited by the conference chair, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson). For more information, e-mail or fax: VSI94_info@dockmaster.ncsc.mil (case sensitive) or (302)764-6186 (include e-mail address, please).

RESEARCH

Oracle Office Demo disk clean

There have been reports of an infection by the "Cruncher" virus on demo disks for Oracle's Office product. These reports have been traced back to a false positive report by Central Point Anti-Virus version 1.4.

SCAN's Generic Boot virus

Following increasing numbers of queries regarding the "Generic Boot" virus identification by SCAN, Vesselin Bontchev repeated the information that there is no such thing: this is simply the report SCAN gives when it can't be bothered to specifically identify the virus it sees. He then went on to list the various infections which SCAN identifies as GenB -- several dozen, including at least 27 Stoned variants.

Stepping up to 6.2 (MS-DOS)

In Europe, a "step-up" diskette from MS-DOS 6.0 to 6.2 has been distributed through a computer magazine. The readme on the diskette says that "MS-DOS 6.2 Setup automatically updates the Backup, Undelete and Antivirus programs only if the MS-DOS 6 versions of these programs are already on your computer when you run MS-DOS 6.2 Setup". Tony Naggs tried it and did not note any changes to the antiviral software.

SCAN doing worse on MtE

Tests on SCAN 1.08 indicate that it can no longer detect encrypted variants (the vast majority) of the MtE-based Coffeeshop virus. This is odd, since earlier versions did detect Coffeeshop.

Tremor tests

Vesselin Bontchev will be conducting formal Tremor detection tests on major scanning programs in the near future. He has issued a call for software from those who wish to be included in the tests.

GOSSIP

But it must be true! I saw it on the news ...

Your humble scribe, along with a great many other people, has been "caught out" by the reports of a virus infecting the Clinton health plan. The reports all trace back to one reporter whose machine was infected, and who decided the infection must have come from the government disk. The reporter worked for a newswire service, and so the "news" was spread instantly. There were tell-tale indications of something wrong with the report: the "Legalise Marijuana" message is never displayed. However, this was simply put down to the usual bad quality of virus reporting.

=============
Vancouver      ROBERTS@decus.ca      | "Remember, by the
Institute for  Robert_Slade@sfu.ca   | rules of the game, I
Research into  rslade@cue.bc.ca      | *must* lie. *Now* do
User           p1@CyberStore.ca      | you believe me?"
Security       Canada V7K 2G6        | Margaret Atwood
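As an added example (not code from the newsletter or from any scanner it names), the following Python matcher shows how the Thunderbyte-style hex signatures in the "New virus signatures" item and the space-separated Int_10 memory/MBR string can be checked against a byte buffer. It assumes that "?" stands for one wildcard nibble, which is consistent with the lengths of the listed signatures, and scans a constructed sample buffer rather than any real file.

```python
import re


def parse_signature(sig: str):
    """Turn a hex signature into (values, masks) byte strings.

    Assumption: '?' is a single wildcard nibble (Thunderbyte convention);
    whitespace is ignored, so the space-separated Int_10 string works too.
    """
    s = re.sub(r"\s+", "", sig).upper()
    if len(s) % 2:
        raise ValueError("signature needs an even number of nibbles")
    values, masks = bytearray(), bytearray()
    for hi, lo in zip(s[0::2], s[1::2]):
        val, mask = 0, 0
        if hi != "?":
            val, mask = int(hi, 16) << 4, 0xF0
        if lo != "?":
            val, mask = val | int(lo, 16), mask | 0x0F
        values.append(val)
        masks.append(mask)
    return bytes(values), bytes(masks)


def find_signature(data: bytes, sig: str) -> int:
    """Offset of the first masked match of sig in data, or -1 if absent."""
    values, masks = parse_signature(sig)
    n = len(values)
    for off in range(len(data) - n + 1):
        if all((data[off + i] & masks[i]) == values[i] for i in range(n)):
            return off
    return -1


def scan(data: bytes, signatures: dict) -> dict:
    """Map each signature name that matches somewhere in data to its offset."""
    hits = {}
    for name, sig in signatures.items():
        off = find_signature(data, sig)
        if off >= 0:
            hits[name] = off
    return hits


# Two signatures quoted from the newsletter items above.
SIGNATURES = {
    "DAEM_2": "5E81EE4E07B94A07B8?22E3104",
    "Int_10": "88 85 93 02 41 41 D3 E0 80 7D 0B 00 75",
}

# Constructed sample buffer (not a real file): filler, then the DAEM_2 pattern
# with its wildcard nibble filled in as 'A' (byte 0xA2), placed at offset 16.
SAMPLE = b"\x90" * 16 + bytes.fromhex("5E81EE4E07B94A07B8A22E3104") + b"\x00" * 8
```

Calling `scan(SAMPLE, SIGNATURES)` reports the DAEM_2 hit at offset 16 and no Int_10 hit; changing the filled-in wildcard nibble still matches, while changing a fixed nibble does not.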