V.I.R.U.S. Weekly - November 19, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

Other columns this week:
16 Getting started
17 Quick reference antiviral comparison list

NEW ANTIVIRALS

Unsupported Untouchable (MS-DOS)
Almost immediately after the purchase of Fifth Generation by Symantec, callers asking for upgrades to the Untouchable and Search and Destroy programs are being told that support is being discontinued. Apparently those with support subscriptions are being offered a partial refund or a $29 "upgrade" to NAV.

Gobbler (MS-DOS)
The fate of the Gobbler II antiviral is still unknown, but the author is reported to be working for McAfee Associates -- on non-virus related software. ProView and LANview are said to be his products.

AVP alarming
Eugene Kaspersky's AVP_107.ZIP has caused a bit of a tempest. The file -V.DEM in the package is part of a virus demonstration of sorts. SCAN 108, when using the /A "all files" switch, will find the Abraxas5 [OW] virus in the non-executable file. Those in the know can understand the reasons why ...

NEW VIRAL PROGRAMS

CRUELv2 (MS-DOS)
A report from Hungary of an unusual new virus. Seemingly a boot sector infector, it does not replace the sector in the usual manner, but, in similar fashion to a file infector, it patches in a jump to code placed in the last two sectors of the root directory. Supposedly the code contains the text "CRUELv2". The report is not very clear, and perhaps inaccurate. There is some indication that the virus is a file infector as well. The only payload seems to be the occasional zeroing of the CMOS.

More signatures from Michael Paris (MS-DOS)
BOB, 909090905D81ED0601E84A16
MINI-357 (Mini-Variant), 680001501E06BA44008EC226A100
Memory Lapse 366-A, 5D81ED0301065F83C7102E03BE63
Dark Apocalypse Dropper, 33EFBB2401BFFB0303FBB0FFAA53
Dark Apocalypse, 8D8605058BE0E800005D81ED0900
Stimp, 8B16F601BB0501B9580090311790
398 Don't Panic, 5DBB8E029083EB02813F3412740E
P/S G2 Sucker, BB?2B925012E81?383C302
Shark, 5E81EEC60183EE032E8C063601B8
Thing, 51B96203BE38018BFEFCAD331E03
YB-2, 5E83EE0356FC81C65F01BF0001A5

I boobed again (MS-DOS)
Apologies for one of the entries in last week's column. (It is, of course, my own fault for trusting information from someone in the vx community.) Patricia Hoffman's name is spelled correctly by the virus in question. The following text can apparently be found in the body of the virus: "CEREQUA.COM", "Thank you for viewing Patty Hoffman's Boobs!", "Patty Hoffman's Boobs! Virus version 1.0 Copyright (c) 1993 by Cerebral Quantis. Made in Canada, Eh! July 4, 1993." The virus also contains a graphic, so it is likely quite large and not likely to spread very far.

Arbeit (MS-DOS)
A Fidonet posting from Sweden contains the assembly source code for a COM infector which attacks files in both the current and parent directory. Not surprising, but rather disturbing, are the neo-Nazi references in the source. Target files are referred to as "Jews", while a subroutine for overwriting the hard drive has the label "Auschwitz". Comments refer to Hitler, machine guns and "tortue" [sic] while the compiled program should contain the text string "ARBEIT MACHT FREI!"

ANTIV37 (MS-DOS)
A supposed antiviral program seemingly contains a trojan. The relevant piece is the file ANTIV.EXE, 24,357 bytes. When invoked it will create a hidden file about 3K in length called ABC.COM. This file will make calls to FORMAT.COM and bypasses the confirmation requests.

CONFERENCES AND COURSES

VSI '94
The Virus Security Institute is presenting a conference in Philadelphia, Pennsylvania on March 29-30, 1994. Presented as "A Different Kind of Information Security Conference", the symposium will involve a high degree of participation in challenging models of security as applied to the "real world". Papers are solicited by the conference chair firstname.lastname@example.org (A. Padgett Peterson). For more information, E-Mail or Fax: VSI94_info@dockmaster.ncsc.mil (case sensitive) or (302)764-6186 (include E-Mail address, please).

RESEARCH

Another "step up" bug
Another bug has been reported in connection with the Microsoft MS-DOS 6.2 "step up" program and the antiviral software. It appears that if the VSAFE program is not disabled before running the upgrade installation, then Windows may not run afterwards. Deleting CHKDSK.MS files in the DOS, WINDOWS and WINDOWS/SYSTEM directories, rebooting and ignoring error messages may resolve the situation, but it seems rather messy.

GOSSIP

X-Central Point Anti-ViruSafe?
Not to be outdone by Symantec/Norton/Zortech/Fifth/etc., Central Point has "merged" with Xtree, makers and sellers of utility and antiviral software.

VIRUS back on track
The Fidonet "higher powers" have, indeed, stepped in to deal with the VIRUS echo dispute. Edwin gets to continue to wield his electronic baseball bat. Gene Paris apparently has a reputation for causing trouble in other echoes, and may have caused himself some trouble this time around. However, the fight has not been without casualties. A number of sites have dropped the echo, and the vx community took advantage of the confusion to distribute more virus source code. (This is one time being late kept *me* on track: see the next two articles.)

Redundant moderators
An "echo coup" appears to have taken place in the Fidonet VIRUS echo. Gene Paris has been making a nuisance of himself, and was told by the moderator, Edwin Cleton, to desist.
Instead of getting mad, Gene took over. Somehow he has managed to "grab" the echo tag, and is, without benefit of vote or handoff, listed in the Fidonet echo files as the moderator for VIRUS. If Boris can do it ... (Now fixed.)

VIRUS echo dispute
The furor in the VIRUS echo appears to arise from the fact that VIRUS is a Fidonet Zone 2 (Europe) echo. As such, it is not normally carried in the "elist" maintained in Zone 1 (North America) even though the echo is ported to Zone 1. Gene Paris submitted an elist entry for Zone 1, and has, in effect, created a new echo -- which happens to carry all the traffic of the original. Unless adjudicated by the "higher powers" of Fidonet, the upshot appears to be that North America will gain a new echo with strong ties to the vx community, and lose the valuable information from Europe. (Now fixed.)

Virus coverage this year
The-media-aren't-taking-this-seriously-dept.: you guys think I'm kidding with this little note, don't you? Datamation magazine has published its index for the first half of 1993. There are only four security related articles, only one of which relates to the virus issue. (It wasn't a really good article.)

==============
Vancouver      ROBERTS@decus.ca        | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca     |  key to continue.'
Research into  email@example.com       |  I can't find the
User           p1@CyberStore.ca        |  'Any' key on my
Security       Canada V7K 2G6          |  keyboard."