V.I.R.U.S. Weekly - November 19, 1993
A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade
Other columns this week:
16   Getting started
17   Quick reference antiviral comparison list
Unsupported Untouchable (MS-DOS)
Almost immediately after the purchase of Fifth Generation by Symantec, callers
asking for upgrades to the Untouchable and Search and Destroy programs are
being told that support is being discontinued.  Apparently those with support
subscriptions are being offered a partial refund or a $29 "upgrade" to NAV.
Gobbler (MS-DOS)
The fate of the Gobbler II antiviral is still unknown, but the author is
reported to be working for McAfee Associates -- on non-virus related software. 
ProView and LANview are said to be his products.
AVP alarming
Eugene Kaspersky's AVP_107.ZIP has caused a bit of a tempest.  The file -V.DEM
in the package is part of a virus demonstration of sorts.  SCAN 108, when using
the /A "all files" switch will find the Abraxas5 [OW] virus in the non-
executable file.  Those in the know can understand the reasons why ...
A report from Hungary of an unusual new virus.  Seemingly a boot sector
infector, it does not replace the sector in the usual manner, but, in similar
fashion to a file infector, it patches in a jump to code placed in the last two
sectors of the root directory.  Supposedly the code contains the text
"CRUELv2".  The report is not very clear, and perhaps inaccurate.  There is
some indication that the virus is a file infector as well.  The only payload
seems to be the occasional zeroing of the CMOS.
More signatures from Michael Paris (MS-DOS)
BOB, 909090905D81ED0601E84A16; MINI-357 (Mini-Variant),
680001501E06BA44008EC226A100; Memory Lapse 366-A, 5D81ED0301065F83C7102E03BE63;
Dark Apocalypse Dropper, 33EFBB2401BFFB0303FBB0FFAA53; Dark Apocalypse,
8D8605058BE0E800005D81ED0900; Stimp, 8B16F601BB0501B9580090311790; 398 Don't
Panic, 5DBB8E029083EB02813F3412740E; P/S G2 Sucker, BB?2B925012E81?383C302;
Shark, 5E81EEC60183EE032E8C063601B8; Thing, 51B96203BE38018BFEFCAD331E03; YB-2,
I boobed again (MS-DOS)
Apologies for one of the entries in last week's column.  (It is, of course, my
own fault for trusting information from someone in the vx community.)  Patricia
Hoffman's name is spelled correctly by the virus in question.  The following
text can apparently be found in the body of the virus: "CEREQUA.COM", "Thank
you for viewing Patty Hoffman's Boobs!", "Patty Hoffman's Boobs! Virus version
1.0 Copyright (c) 1993 by Cerebral Quantis. Made in Canada, Eh! July 4, 1993." 
The virus also contains a graphic, so it is likely quite large and not likely
to spread very far.
Arbeit (MS-DOS)
A Fidonet posting from Sweden contains the assembly source code for a COM
infector which attacks files in both the current and parent directory.  Not
surprising, but rather disturbing, are the neo-Nazi references in the source. 
Target files are referred to as "Jews", while a subroutine for overwriting the
hard drive has the label "Auschwitz".  Comments refer to Hitler, machine guns
and "tortue" [sic] while the compiled program should contain the text string
A supposed antiviral program seemingly contains a trojan.  The relevant piece
is the file ANTIV.EXE, 24,357 bytes.  When invoked it will create a hidden file
about 3K in length called ABC.COM.  This file will make calls to FORMAT.COM and
bypasses the confirmation requests.
VSI '94
The Virus Security Institute is presenting a conference in Philadelphia,
Pennsylvania on March 29-30, 1994.  Presented as "A Different Kind of
Information Security Conference", the symposium will involve a high degree of
participation in challenging models of security as applied to the "real world". 
Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A.
Padgett Peterson).   For more information, E-Mail or Fax:
VSI94_info@dockmaster.ncsc.mil  (case sensitive) or (302)764-6186 (include
E-Mail address, please).
Another "step up" bug
Another bug has been reported in connection with the Microsoft MS-DOS 6.2 "step
up" program and the antiviral software.  It appears that if the VSAFE program
is not disabled before running the upgrade installation, then Windows may not
run afterwards.  Deleting CHKDSK.MS files in the DOS, WINDOWS and
WINDOWS/SYSTEM directories, rebooting and ignoring error messages may resolve
the situation, but it seems rather messy.
X-Central Point Anti-ViruSafe?
Not to be outdone by Symantec/Norton/Zortech/Fifth/etc., Central Point has
"merged" with Xtree, makers and sellers of utility and antiviral software.
VIRUS back on track
The Fidonet "higher powers" have, indeed, stepped in to deal with the VIRUS
echo dispute.  Edwin gets to continue to wield his electronic baseball bat. 
Gene Paris apparently has a reputation for causing trouble in other echoes, and
may have caused himself some trouble this time around.  However, the fight has
not been without caualties.  A number of sites have dropped the echo, and the
vx community took advantage of the confusion to distribute more virus source
code.  (This is one time being late kept *me* on track: see the next two
Redundant moderators
An "echo coup" appears to have taken place in the Fidonet VIRUS echo.  Gene
Paris has been making a nuisance of himself, and was told by the moderator,
Edwin Cleton, to desist.  Instead of getting mad, Gene took over.  Somehow he
has managed to "grab" the echo tag, and is, without benefit of vote or handoff,
listed in the Fidonet echo files as the moderator for VIRUS.  If Boris can do
it ... (Now fixed.)
VIRUS echo dispute
The furor in the VIRUS echo appears to arise from the fact that VIRUS is a
Fidonet Zone 2 (Europe) echo.  As such, it is not normally carried in the
"elist" maintained in Zone 1 (North America) even though the echo is ported to
Zone 1.  Gene Paris submitted an elist entry for Zone 1, and has, in effect,
created a new echo -- which happens to carry all the traffic of the original. 
Unless adjudicated by the "higher powers" of Fidonet, the upshot appears to be
that North America will gain a new echo with strong ties to the vx community,
and lose the valuable information from Europe.  (Now fixed.)
Virus coverage this year
The-media-aren't-taking-this-seriously-dept.: you guys think I'm kidding with
this little note, don't you?  Datamation magazine has published its index for
the first half of 1993.  There are only four security related articles, only
one of which relates to the virus issue.  (It wasn't a really good article.)
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      | key to continue.'
Research into  rslade@cue.bc.ca         | I can't find the
User           p1@CyberStore.ca         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."