V.I.R.U.S. Weekly - January 7, 1994

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade

Other columns this week:

13   Other antivirals - change detectors

14   Network Security Organizer by Leprechaun


Aids Test (MS-DOS)
A possibly overlooked antiviral is Dmitry Lozinsky's Aids Test scanner and
disinfector.  It concentrates on Russian viral programs, and by default shows a
Russian language interface.  You can, however, bring it up in English with the
/L switch.  For the latest version look for AIDST610.ZIP.

F-Prot Update Bulletin
This isn't exactly an antiviral program and its been going for over a year now. 
Those of you who are lucky enough to have bought F-Prot Professional from Data
Fellows will have seen this bulletin published with each new update of F-Prot. 
Various viral programs are explained, some observations sre made on the virus
writing scene, and there is some general antiviral advice.  A thoroughly useful
little publication.


SCAN 110 Trojan (MS-DOS)
A trojan version of SCAN has been doing the rounds of Gainesville, Florida. 
The archive SCAN110.ZIP contains four files, SCAN.EXE, SCAN110.NEW, SCAN.DAT
and SCAN.OBJ.  The later two files are not part of normal SCAN distributions,
and there is no documentation or the usual ancilliary files.  The archive is
also only 30K in size as opposed to the more usual 250K.  Comments can be found
in the object code file.  If run, the trojan looks very identical to the normal
McAfee screen display, but will delete files beginning with the letters A, C, F
and W everywhere on the hard disk.

Arabian/27344 (MS-DOS)
A message from the Netherlands reports a virus being referred to as "The
Arabian F_____".  The virus was first reported from the town of Venlo.  It
appears to be an overwriting file infector.  It will overwrite all files in a
directory with files of length 27344 bytes.  The report states an affinity for
the DOS directory.  No further details are available.

Night Owl CD (MS-DOS)
For those of you who tried, and failed, to find a virus on your Night Owl 10
CD, there are two versions.  The original has the legend "Mastered by Nimbus"
on the inner ring of the CD near the centre hole.  The new version 10.1 has had
the infected files removed and should say "10.1" on the inner ring.  Night Owl
will replace version 10 disks with 10.1.

French bugs (MS-DOS)
Four viral programs were recently reported from France.  Chaos Years is a COM
and EXE infector with signature reported to be "3D FF 30 75 12 81 FA 34 12 75
0C 55 89 E5 33 D2 86 56 0A BA 34 12 5D 9D".  Sauron is and EXE infector with
signature "F2 AE 26 8A 45 FD 24 5F 3C 58 75 BF EB 14 90 66 5A 64".  French Bug
is a COM and EXE infector with two variants; Beware "B4 54 BB 75 44 B9 6C 61 CD
21 81 FB 74 47 75 09 81 F9 21 4D" and Greviste "B4 54 BB 45 52 B9 41 5A CD 21
81 FB 74 47 75 09 81 F9 21 4D".  Boot FR is a BSI which appears to corrupt the
FAT on hard disks, a reported signature is "BE 70 00 A5 A5 FA C7 06 70 00".

Sabbath (MS-DOS)
Sabbath is a resident file infector.  Among its bugs are that it will infect
files more than once and that it will infect data files.  A reinfection of an
infected program will general render the program inoperable, but also serves to
make detection of the infection a problem.  Search strings are reported to be:
    TBAV: B9 43 03 81 3L ?2 83 02 E2 F7
    SCAN: "B94303813L??8302E2F7" [Sabbath]
    F-PROT: B94303813L????8302E2F7
while a variation is "1E 75 13 B0 02 B9 20 00 33 D2 CD 26".

Quadratic Equation II (MS-DOS)
This is a resident COM and EXE infector which uses a somewhat buggy stealth
system.  Infected files will show a 15 byte increase while the virus is active,
but 1285 bytes if the virus is removed from memory.  A signature for a dropper
or first generation file is said to be "BD 00 00 1E 06 B4 3F BB FF FF CD 21 3D
FF".  Signatures for scanners are reported as:
    TBAV: BH DA 04 2E 30 ?2 E2 FA
    SCAN: "BHDA042E30??E2FA" [Quadratic Equation II]
    F-PROT: BH DA 04 2E 30 ?? ?? E2 FA
but this may be faulty as "H" is not a valid hexadecimal nibble.

A COM infector with an infective length of 466 bytes.  Reported signature: "EB
00 C3 8D 94 8E 01 B4 4E B9 3F 00 CD 21".

An encrypting direct action COM and EXE infector.  The file creation date of
infected files is changed to 1994: this is not a terribly good indicator for
program files configured this year.  Reported signatures are:
    TBAV: B9 B6 01 BB ?2 2E 81 07 ?2 83 C3 02 E2 F6
    SCAN: "B9B601BB??2E8107??83C302E2F6" [DK]
    F-PROT: B9B601BB????2E8107????83C302E2F6


Oops, MISed
Maybe I should make this a regular feature.  Yisrael Radai (whose name I also
mispelled in another article) points out that MISiS is not in Israel, but is
the "Moskovsky Institut Stali i Splavov" ("Moscow Institute of Steel and
Alloys") in Russia.

"New" doesn't mean "clean"
More postings recently on Fidonet telling of buying new or used computers, or
geting them back from repair shops, infected with viri.  Please -- do *not*
assume that because someone knows how to fix or assemble computers that they
know anything about virus protection ...

Noise to signal increasing
John Buchanan's vx-no-AV-no-vx persona seems to have swung right out into left
field.  His rantings on Fidonet have become increasingly personal and abusive. 
In recent weeks his postings alone are wasting substantial amounts of
bandwidth.  (Why doesn't Fidonet have the standard Usenet warning, "Your post
may cost hundreds, if not thousands, of dollars to send everywhere ...")
Vancouver      ROBERTS@decus.ca         | "The only thing necessary
Institute for  Robert_Slade@sfu.ca      |  for the triumph of evil
Research into  rslade@cue.bc.ca         |  is for good men to do
User           p1@CyberStore.ca         |  nothing."
Security       Canada V7K 2G6           |            - Edmund Burke