V.I.R.U.S. Weekly - December 17, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade

Other columns this week:

Table of Contents:

20   2.1 Assume you're wrong

21   InocuLAN by Cheyenne

NEW ANTIVIRALS

EMD in beta (MS-DOS)
EMD Enterprises of Baltimore, MD have posted a message on GEnie asking for beta
testers of a new product said to be a combination of a scanner and a hardware
restricting device.

Integrity Master 2.11a (MS-DOS)
Integrity Master has been upgraded with the addition of 300 new programs in the
scanner portion.  It now displays a one line summary of each virus detected
along with the full one or two page detailed description.  The full description
can optionally be disabled for those scanning heavily infected systems.

Thunderbyte Utilities 6.09 (MS-DOS)
TBAV609 is now making the rounds.  This version has an associated Windows
version.  Like the "processor optimized" files, the Windows program is
distributed in a separate archive.

TPE 1.4 tests (MS-DOS)
From the Netherlands comes a report of some tests of various popular scanners
against viri augmented with the Trident Polymorphic Engine.  A somewhat
surprising winner is Eugene Kaspersky's new AVP, the only program to detect the
whole one thousand variants used in the test.  Thunderbyte came in second at
about 75%.  (Please note that the only "real" test of polymorphic detection is
against all possible variants, in this case much higher than the 1000 files
used.)

Polymorphic tests (MS-DOS)
The same Dutch group has released another test of viral programs using MtE,
Commander Bomber and various TPE versions.  Again AVP came in first, missing
only 9 of some six thousand assorted files.  With advanced scanning on it did
not miss any.  SCAN showed unexpected overall strength given its weakness
against some MtE infections.

SCAN 109 check (MS-DOS)
For those concerned about the possible infection in some distributions of SCAN
109 (see also "1984" this issue), the following PKZIP data is presented for the
valid file:
 Length  Method   Size    Date    Time    CRC-32  Attr  Name
 155729  Stored  155729 08-11-93  06:55  bc31ecdd --w-  SCAN.EXE
The infected archive is also said to have had the AV codes stripped off.
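The listing above gives two things a reader can verify locally, the member length and the PKZIP CRC-32. The following Python check is an added example and is not from the newsletter or from any of the products it mentions; the names check_member, check_scan109 and CheckResult are this example's own. It relies on the fact that PKZIP's CRC-32 is the same polynomial as zlib's, so zlib.crc32 reproduces the value PKZIP prints for a stored member. The expected values are the ones quoted for SCAN.EXE; the bytes fed to it in the test are constructed.

```python
import zlib
from dataclasses import dataclass

# Expected values for the valid SCAN.EXE, copied from the PKZIP listing above.
SCAN109_EXPECTED_LENGTH = 155729
SCAN109_EXPECTED_CRC32 = 0xBC31ECDD


@dataclass
class CheckResult:
    length_ok: bool
    crc_ok: bool
    actual_length: int
    actual_crc32: int

    @property
    def ok(self) -> bool:
        # Both fields must agree before the file is worth trusting at all.
        return self.length_ok and self.crc_ok


def crc32_of(data: bytes) -> int:
    """CRC-32 as PKZIP reports it (IEEE polynomial, same as zlib.crc32).

    The mask keeps the result a positive 32-bit value on every Python version.
    """
    return zlib.crc32(data) & 0xFFFFFFFF


def check_member(data: bytes, expected_length: int, expected_crc32: int) -> CheckResult:
    """Compare a candidate file's bytes against the expected length and CRC-32."""
    actual_len = len(data)
    actual_crc = crc32_of(data)
    return CheckResult(
        length_ok=(actual_len == expected_length),
        crc_ok=(actual_crc == expected_crc32),
        actual_length=actual_len,
        actual_crc32=actual_crc,
    )


def check_scan109(data: bytes) -> CheckResult:
    """Check bytes claimed to be the SCAN 109 SCAN.EXE against the listed values."""
    return check_member(data, SCAN109_EXPECTED_LENGTH, SCAN109_EXPECTED_CRC32)


def check_file(path: str, expected_length: int, expected_crc32: int) -> CheckResult:
    """Convenience wrapper: read a file from disk and check it."""
    with open(path, "rb") as fh:
        return check_member(fh.read(), expected_length, expected_crc32)


if __name__ == "__main__":
    # Constructed sample, not the real SCAN.EXE: it has the wrong length and CRC.
    result = check_scan109(b"constructed sample, not SCAN.EXE")
    print("length ok:", result.length_ok, "crc ok:", result.crc_ok,
          "crc32: %08x" % result.actual_crc32)
```

A matching length and CRC-32 is a sound check against accidental corruption and against a careless infection (any infector that appends bytes changes both values). It is not a cryptographic hash, so a match by itself is not proof of authenticity; that is why the note above about the stripped AV codes matters as the second half of the check.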

Crisscan (MS-DOS)
Michael Paris of CRIS, who has been reporting most of the new viri seen here in
recent weeks, has announced the initial development of a new scanner.  His
posting is not completely clear, but it seems to promise a heuristic mode which
would automatically add new and undetected signatures, based upon a
sufficiently large number of infections, as well as change detection functions.

NEW VIRAL PROGRAMS

BENOIT (MS-DOS)
Apparently this memory resident virus infects only EXE files, but a dropper COM
file may also be found.  Written by the ARCV group in England, it can be
detected by F-Prot as a variant of ARCV.  May also be known as Mandelbrot.  A
signature is 5E81EE06008D841F00508DBC1F00.

Whale/McAfee (MS-DOS)
This EXE infector is not related to Whale, nor to McAfee.  The name comes from
a misspelled message which displays when an infected file is run.  There is no
stealth or polymorphism and the virus adds 1125 bytes to infected files.  A
reported signature is BB2A02BE18002E81?346464B.

Chromosome Glitch 3.0 (MS-DOS)
A memory resident COM infector which adds 385 bytes to infected files.  A
reported signature is 5D81ED03011E06B8EFDDCD2181FB.

Blood Rage (MS-DOS)
Reportedly a direct action COM infector, this is detectable by the heuristics
in both F-Prot and Thunderbyte.  The following text string is found in the
code: "THE WORLD WiLL NEVER FORGETT US! -Beta Boys- Blood Rage (c)1992 The
BetaBoys".

Demo-Exe (MS-DOS)
A direct action EXE infector that adds 334 bytes to files.  Three files will be
infected when an infected file is run.  The text "Demo-Exe Virus Admiral Bailey
[YAM]" is reported to be in the virus code, and a signature is said to be
5D81ED03011E060E0E1F078DB653.

Handy (MS-DOS)
According to a very sketchy report, this may be a COM infector with a bug that
will cause it to try and attach to other file types with problematic results.
A signature is reported as 8CC00500108EC0BE0001BF0000B9.

Iron Maiden (MS-DOS)
A COM and EXE infector that adds 636 bytes to two files in the current
directory and then attempts to infect two files in the root directory of the C:
drive.  On a system without a hard drive this will lock the machine.  A
reported signature is 8CC6060B01C3EBF8B8D9C8D9BADF.

Binary Fission v1.0 (MS-DOS)
A memory resident COM and EXE infector which increases file size by 517 bytes. 
A reported signature is BD?2B83D3DCD21353E3DBB4D5A.

Phasor (MS-DOS)
This virus is said to become memory resident at offset 1E0h in the interrupt
table.  It will add 230 bytes to COM files.  A reported signature is
BD?233FF8EC7BFE00126803DBD.

1984 recidivus (MS-DOS)
I may have been had, but it pays to err on the side of caution.  There have
been requests for further info about the reported 1984 virus.  One report lists
it as multipartite and with an infective length of 1979 bytes on files.  A
signature suitable for F-Prot is reported as "33 C0 8E D8 BE ?? ?? FF 34 FF 74
02 C7 04".  However, the virus is also, according to one report, capable of
infecting the system even if only read.  (For the uninitiated, this is a good
sign of a fake.)  The reports, though, are coming from sources that have been
reliable in the past and Thunderbyte 6.09 now detects a "Nuke1984".

Firefly (MS-DOS)
A COM infector with an extremely complicated payload and infection process. 
The infective length is 1106 bytes and the virus is encrypted with a variable
XOR function.  After having been active in memory for some time the virus will
toggle keyboard indicator LEDs and the keyboard SHIFT function.  A reported
signature is "BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2".

Addams Family group (MS-DOS)
A set of direct action COM infectors, eight in all.  While the programs infect
only on execution, they also go resident in memory and may be a failed
experiment replicated eight times.  The six "men" in the family are reported to
be detected by "BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 41", the two "women" are
Wendy "BB 12 01 FF 27 2A 2E 43 4F 4D 00 4D 63 41" and Morticia "BB 12 01 FF 27
2A 2E 43 4F 4D 00 2D 3D 90".
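The reports in this section quote signatures in two notations: a compact hex string where a single "?" stands for one unknown nibble (as in BD?2B8... for Binary Fission and Phasor, or 81?346 in the Whale/McAfee string), and the spaced F-Prot form where "??" stands for one unknown byte (the 1984 and Firefly strings). The scanner below is an added example, not code from the newsletter or from F-Prot, Thunderbyte or any other product named here; it shows how a signature scanner turns either notation into a per-byte value/mask pair and searches a buffer with it. The names parse_signature, find_signature and scan_buffer are this example's own, and the SAMPLE buffer is constructed filler with bytes that satisfy one signature, not an infected file.

```python
from typing import Dict, List, Tuple

# Signatures quoted in the reports above, in the notation each report used.
SIGNATURES: Dict[str, str] = {
    "BENOIT": "5E81EE06008D841F00508DBC1F00",
    "Whale/McAfee": "BB2A02BE18002E81?346464B",
    "Chromosome Glitch 3.0": "5D81ED03011E06B8EFDDCD2181FB",
    "Binary Fission v1.0": "BD?2B83D3DCD21353E3DBB4D5A",
    "Phasor": "BD?233FF8EC7BFE00126803DBD",
    "1984": "33 C0 8E D8 BE ?? ?? FF 34 FF 74 02 C7 04",
    "Firefly": "BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2",
}


def parse_signature(sig: str) -> List[Tuple[int, int]]:
    """Turn a hex signature into (value, mask) pairs, one pair per byte.

    A mask bit of 1 means that bit must match the data; a '?' nibble gets
    mask 0 for its four bits, so "?3" matches x3 for any x and "??" matches
    any byte.  Spaces are ignored, which makes both notations work.
    """
    nibbles = sig.replace(" ", "").upper()
    if len(nibbles) % 2:
        raise ValueError("signature %r has an odd number of nibbles" % sig)
    pairs: List[Tuple[int, int]] = []
    for i in range(0, len(nibbles), 2):
        value = mask = 0
        for shift, ch in ((4, nibbles[i]), (0, nibbles[i + 1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        pairs.append((value, mask))
    return pairs


def find_signature(data: bytes, sig: str) -> int:
    """Return the offset of the first match of sig in data, or -1 if absent."""
    pattern = parse_signature(sig)
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all((data[off + i] & mask) == value
               for i, (value, mask) in enumerate(pattern)):
            return off
    return -1


def scan_buffer(data: bytes,
                signatures: Dict[str, str] = SIGNATURES) -> Dict[str, int]:
    """Return {name: offset} for every signature that occurs in data."""
    hits: Dict[str, int] = {}
    for name, sig in signatures.items():
        off = find_signature(data, sig)
        if off >= 0:
            hits[name] = off
    return hits


# Constructed buffer (not a real file): 8 bytes of filler, then bytes that
# satisfy the Whale/McAfee signature with 0x73 in the "?3" position, then
# 8 more bytes of filler.
SAMPLE = (bytes(8) + bytes.fromhex("BB2A02BE18002E81") + bytes([0x73])
          + bytes.fromhex("46464B") + bytes(8))

if __name__ == "__main__":
    print(scan_buffer(SAMPLE))  # {'Whale/McAfee': 8}
```

The value/mask form is what makes the wildcards cheap: each byte comparison is one AND and one compare, whatever mix of fixed and unknown nibbles the signature contains. It also makes the TPE and MtE results above easy to understand: a fixed string, even with a few wildcards, only covers variants whose decryptor keeps those bytes in place, which is why the note about testing against all possible variants matters.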
 
============= 
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           p1@CyberStore.ca         | first.
Security       Canada V7K 2G6           |