Copy Link
Add to Bookmark
Report
The Scanner Vol 01 Issue 01
The Scanner - The Anti-Virus Newsletter of Today
January 1995
Volume 1 Issue 1
The Scanner is a newsletter compiled by Howard Wood with the
help of many people in the Anti-Virus community and Anti-Virus researchers
as well as users. The information contained within the newsletter is public
domain. Any article or part of an article is free to copy as long as the
proper credits go to the author of such article.
The Scanner is in no way liable for the accuracy of any or all
information it is passing along. The sole responsibility for the data
contained in the articles remain with the original author. While accuracy
and facts are the paramount goal of The Scanner, it is humanly impossible
to verify all information and guarantee its accuracy 100%.
The goal of The Scanner is to disseminate as much information to as
wide spread a group as possible. Researchers, developers and users alike need
various levels of information to deal with the viruses, Trojans and hacks
that are encountered daily. The Scanner will *attempt* to pass along viable
information for all groups.
Any and all constructive criticism and suggestions are welcomed
and encouraged. Send all responses to the addresses below.
My PGP public key available upon request. You can send any files you
suspect of viral infection or know to have viral infections, hacks or
suspect files to the same addresses. Please include the name of the
program the file was discovered in and your name and address so the alert
notices can be a little more accurate than "there is a virus out there!!".
Most of all, The Scanner is *your* newsletter. If you have encountered
any viruses, Trojans, or hacked programs let us know. We need to all work
together to combat the problems out there. Since the last issue there have
been some address changes. Any correspondence with either The Scanner staff
or Howard Wood can be sent to the following addresses:
The Scanner SCNR@aol.com
Howard Wood HRRWood@aol.com
============================================================================
CONTENTS
Article Author
-----------------------------------------------------------------
The New Year .............................. Howard Wood
Polymorphic Generators .................... Mikko Hypponen
Tech Reports .............................. Bill Lambdin, Bill Hoover
Trojan Alert ! ............................ Howard Wood
The Bookshelf ............................. Robert Slade
Reviews on:
"The Internet Business Book" - By Jill H. Ellsworth
"Your Internet Consultant" - By Kevin M. Savatz
Gold-Bug Companions ....................... Howard Wood
In The News ............................... Howard Wood
Hacks, Viruses and Trojans ................ Howard Wood
Stoned.Empire.Monkey.A Removal ............ Howard Wood
Performance of:
F-PROT vs Monkey ...................... Mikko Hypponen
Integrity Master vs Monkey ............ Wolfgang Stiller
The Monkey is on my back !! ............... Howard Wood
From Woody's Desk ......................... Howard Wood
============================================================================
The New Year
Well, 1995 has started. It is customary in many circles to
reflect on the year past and look ahead to the new year present. We
can't look back too far but we can certainly look ahead.
As I have been reading the Virus-L digest I see the ever
increasing problem of the viruses, hacks and Trojans. Basic
precautions are needed but seem to be neglected. Promise yourself
that the new year will start new habits.
Backup your files.
Set yourself up with a tool box to help you prevent being in the
position where that report that is due tomorrow isn't lost because you
can't get to it, or even worse, has been destroyed. Take the few minutes
it takes to set up an Integrity program, and a scanner that meets your
requirements. LEARN them and talk with others that use the same ones and
find out what works for them so you can establish a system of your own.
Backup your files
Get yourself into a virus conference on one of the many
conferences offered out there. Keep you eyes open for warnings of
virus infected programs, hacks or Trojans.
Backup your files
Keep those files you just downloaded in a separate directory
where you can uncompress them and scan them before you run them.
As sure as I am writing this article, the first time you say " I'm sure
this is safe" is when you will get hit.
And finally, BACKUP YOUR FILES !!!
"The best defense is a good offense"
I hope 1995 is a good year for all. Remember, keep those
scanners going!! :-)
Woody
============================================================================
Polymorphic Generators
EDITOR NOTE: Mr. Mikko Hypponen, of Datafellows LTD, was kind enough to
allow The Scanner to use articles from his FP-Bulletins
in this issue and others to follow. We thank him for his
generosity and help in making The Scanner a more
professional newsletter.
Polymorphic viruses
-------------------
The rise of polymorphic viruses can be seen as virus writers' response
to the increasing expertise of virus scanners. Since properly built
scanners can recognize viruses by their characteristic code, the
obvious way to try to beat scanners was to design viruses that change
their code, thus rendering recognition with search strings impossible.
Polymorphic viruses employ code alteration and encryption to hide
themselves from scanners. Their usual tactic is to encrypt the main
part of their code with a variable key and leave only the decryption
executor unencrypted. The decryption code is altered during every
infection to prevent detection with a search string.
However, it takes considerable skill to design a polymorphic virus.
This kept the number of true polymorphic viruses quite small for a
relatively long time. Of course, this couldn't last forever: At some
stage, the heavyweights of the virus trade took notice and came to
rescue their less skilled brethren by writing and distributing
polymorphic generators.
Polymorphic generators
----------------------
Polymorphic generators are routines which can be linked to existing
viruses. The generators are not viruses per se; their purpose is to
hide actual viruses under the cloak of polymorphism.
The first all-purpose polymorphic generator was the Mutation Engine,
or MtE. Published in 1991, capable of billions of different
permutations, linkable to any virus, it heralded the age of instant
polymorphism. Today, there are 33 different viruses which are known to
use the MtE.
Other polymorphic generators followed in MtE's wake. The next two
appeared late in the year 1992. They were the TridenT Polymorphic
Engine (TPE) and NuKE Encryption Device (NED).
TPE was written in the Netherlands. In principle it is capable of
producing smaller number of different permutations than the MtE.
However, it created detection problems for antivirus products because
the decryptors it creates are more generic than those produced by MtE.
NuKE's generator wasn't quite as advanced, but unlike most other
polymorphic generators, it was distributed as readable source code
instead of an object module.
Other known polymorphic generators are Dark Angel's Multiple Encryptor
(DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation
Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark
Slayer Confusion Engine (DSCE).
These generators are typically distributed via underground networks,
virus exchange BBSs and private areas in the internet.
Operating Principles
--------------------
Polymorphic generators are code modules which a programmer can
incorporate into a program. After this, the program can use the
functions the code module contains. This process is called linking.
Once a generator is linked to a virus, it becomes an intrinsic part of
the said virus. The virus will thereafter carry the engine along while
spreading itself.
It should be noted that the generator itself does not care in which
kind of a program it is linked to. The known polymorphic generators
are clearly written to be linked to viruses, but in principle they
could be used in other kinds of programs as well.
When a virus that employs a polymorphic generator is infecting a
program file (or some other object), it requests the generator to
create an encrypted copy of the virus code and the generator itself.
Besides performing the encryption, the generators also create a
decryptor - a routine which is able to undo the encryption applied to
the actual virus code.
The generators often use relatively simple encryption techniques.
However, they do change the encryption key during every execution.
This alone makes the detection of such a virus difficult, but
encrypted viruses retain one Achilles heel: the decryption routine,
which must remain unencrypted if it is to be executable. Thus, the
true effectiveness of a polymorphic generator is measured by its
ability to mutate the decryption routine.
All polymorphic generators need some kind of a randomization routine
in order to create different algorithms each time. Some of the
generators allow the virus programmer to substitute his own
randomization routines instead of the original one.
Polymorphic generators are able to create completely different
encryption methods and a wide variety of different decryption routines
for them. They modify their decryption routines by such means as
shifting the commands inside the routine around, adding ineffectual
commands in random places and using different processor registers and
opcodes.
The basic idea is to make the binary image of the decryption routine
totally different between different infections. All this makes it
impossible to search for the decryption routine with fixed search
strings - there is no search string that could always be found in
infections made by a polymorphic virus.
<Polymorphic-infection.GIF>
How does a virus using a polymorphic generator infect a file?
1. A clean file before the infection. We'll call this the
victim file.
2. The virus starts the infection process by modifying the
victim file's first commands. It replaces them with a
command to jump to the end of the file. The original first
bytes of the file are stored in the virus's body.
3. Next, the virus calls the polymorphic generator to create an
encrypted copy of the virus code and the generator itself.
The generator also creates a decryption routine, which is
added to the end of the victim file.
4. The encrypted code is added to the end of the victim file.
This encrypted section contains three parts: a copy of the
actual virus code, the original first bytes of the victim
file, and the code of the polymorphic generator.
Limitations
-----------
When the first polymorphic generators were found, it was feared that
there would be a huge rise in the number of polymorphic viruses.
However, these generators have not proved as popular as was originally
thought - only about one hundred viruses are known to use a generator.
One of the reasons for this is that a generator must be linked to the
program to be encrypted, and since the operation requires changes to
the program itself, some programming experience is necessary. This
alone places the generators out of the reach of the run-of-the-mill
virus enthusiasts. Unfortunately, the generators usually come with
detailed instructions on their use, so that virus aficionados with
even limited experience of assembly programming can easily use them.
Another limitation is the generators' size. Although the generators
are quite small in themselves, they do increase the size of viruses by
some amount. This makes it difficult to link them to boot sector
viruses, which have limited code space. No generator-masked boot
sector viruses have been found. With the exception of V-Sign (a mildly
polymorphic boot sector virus), polymorphic capabilities seem to be
the privilege of file viruses.
Of course, the advantage that viruses get from polymorphic generators
is somewhat questionable. If an anti-virus program is able to
recognize the presence of a particular generator, it is usually able
to detect all viruses masked by it.
Detection
---------
Despite the cunning nature of polymorphic generators, viruses masked
by them can be detected by using proper tools. Antivirus programs
often employ algorithmic means to recognize files infected by
polymorphically hidden viruses. Another way to find such viruses is to
use checksumming. It is also possible to try to solve the encryption
and search for the virus underneath the encryption layer.
Algorithmic methods
-------------------
Algorithmic methods are based on the fact that however much a
generator mutates the decryption routine, it must still contain
certain programming structures which make the decryption possible. If
a program file contains such structures, the antivirus program can say
with sufficient certainty that the file is infected by a
polymorphically cloaked virus.
As polymorphic generators vary a lot, a different algorithm is needed
for each generator - and in order to build such algorithm, the
generator will have to be studied closely.
However, the algorithmic methods have a certain weakness: they are
prone to false positives. The program structures employed by
polymorphic generators can be very random. This means that similar
structures sometimes occur inside legitimate program code. False
alarms may crop up especially if data files are also included in the
search, because they typically contain data similar to the random
'garbage-code' which the generators produce. It is relatively easy to
create an algorithm that will find all infections created with a
polymorphic engine, but if the algorithm would also flag a large
amount of clean programs as infected, it is useless.
Checksumming
------------
Checksums are comparison values calculated from the executables in a
system. These values are stored in a database. When a checksum search
is made, the checksums are re-calculated and compared with the
original values in the database. Since this method detects all changes
to a system, the mutability of polymorphically hidden viruses does
them no good; a change is a change, and thus detectable.
Checksumming has its drawbacks, too: checksummers suspect all changes
that happen inside a system, and occasionally give warnings of
ordinary programs which alter their own code. Nowadays, checksummers
are usually equipped with an exclude-list and a heuristic faculty to
prevent this from happening.
Although theoretically able to detect all changes to a system,
checksummers are vulnerable to stealth viruses. If such a virus is
active in a computer's memory, it is able to hide all the changes it
has made. When stealth viruses are involved, checksummers base their
calculations on false data, and will consequently find everything to
be in order. It should be noted that polymorphic viruses which also
stealth their presence are very rare, simply because they are
technically difficult to create.
Decryption-based detection
--------------------------
The decryption-based detection of polymorphic viruses work by first
reasoning whether the examined object is encrypted. If the object
seems to warrant suspicion, generic decryption methods are applied to
it, and a string-based search is done to the code found underneath the
encryption.
This method works against some polymorphic generators with great
success, but is difficult to implement for others.
What is the best solution?
--------------------------
Checksumming is the strongest method against polymorphic viruses - as
long as the machine is clean when the checksummer is installed, and
the virus is not falsifying the information received by the
checksummer. Checksummers will also detect those polymorphic (and
normal) viruses that have not yet been analyzed.
The algorithm-based detection mechanisms against polymorphic viruses
tend to have problems with false alarms, but these can be overcome by
designing the detection engine carefully. One advantage of algorithm-
based detection is that, once a detection engine is able to detect a
certain polymorphic generator, it will probably detect all viruses
utilizing it.
A decryption-based detection mechanism can only detect those
polymorphic viruses that have been analyzed by the creator of the
antivirus product, but it is very unlikely to produce false alarms.
Furthermore, such a mechanism is also able to detect the exact variant
of the virus in question - this is something that most algorithm-based
detection methods are unable to do.
Thus far found...
-----------------
In the following are brief descriptions of the polymorphic generators
that have been found to this date. The generators usually come with
introductory notes which explain their use, and in which the authors
seek to justify themselves, for example by prohibiting the use of
their products in viruses, by trying to explain why polymorphic
generators are beneficial, necessary and generally morally uplifting,
or by giving the by now well-established lecture about free speech and
freedom of expression. Since many of the generators' authors are
members of well-known virus groups, these disclaimers can be seen as
simple hypocrisy.
MtE (Mutation Engine)
---------------------
Mutation Engine was the first polymorphic generator, written by
the Dark Avenger. MtE was put into circulation in 1991. It is
the most widespread polymorphic generator, and has been
incorporated to 33 different viruses.
Though revolutionary in its time, Mutation Engine is currently
somewhat outdated. Practically all anti-virus products can
detect MtE-hidden viruses. Nevertheless, MtE continues to be a
source of inspiration for people aspiring to write polymorphic
generators - for example, almost all generators written after
MtE mimic the documentation provided with MtE.
MtE v0.91's size is 2048 bytes.
TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine)
--------------------------------------------------------------------------
TPE was written in 1992 by Masud Khafir, a Dutch member of the
TridenT virus group. Before and after TPE, Masud Khafir has
created several advanced viruses. Among them are the first
Windows virus, Win_Vir, the Cruncher virus series, and one of
the most widespread viruses using MtE, the MtE.Pogue virus. TPE
itself is based on the encryption routine of Masud Kafir's
Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A.
To date, four versions of TPE have come out. The author has
implied that he considers the product finished, and will not
write further versions. The later versions of TPE are highly
complex, making it one the most advanced polymorphic generators
in the world.
TPE version 1.1 was technically advanced, but it contained bugs
which made it incompatible with some processor types. Versions
1.2 and 1.3 corrected this problem. The last version, 1.4,
introduced an improved, highly complex encryption method, which
makes TPE-hidden viruses difficult to identify by using
decryption-based detection methods.
A separate, modified version of TPE has also appeared. It is
known as the Darwinian Genetic Mutation Engine (DGME). DGME was
published in Mark Ludwig's latest disputed book 'Computer
Viruses, Artificial Life and Evolution'.
TPE takes up about 1.6 KB. Presently, it is known to be linked
to 10 different viruses.
NED (NuKE Encryption Device)
----------------------------
NED, the first polymorphic generator from USA, appeared at
approximately the same time as TPE. According to the
generator's documentation, it was released in October, 1992.
Nowhere Man is credited as being the author of this generator,
but there have been suspicions that it is actually written by
some other programmer. Nowhere Man is the author of NuKE's
Virus Creation Laboratory, the VCL.
Unlike most other polymorphic generators, NED was distributed
as source code. This, of course, makes it easier for other
virus creators to modify the generator, but so far only a
single version of NED has been found. The generator's
documentation expressly forbids its distribution outside NuKE
itself, but it has obviously been in wide distribution.
NED version 0.90B takes up 1355 bytes. It is known to have been
linked to two different viruses.
DAME (Dark Angel's Multiple Encryptor)
--------------------------------------
Naturally enough, Phalcon/SKISM didn't want to be upstaged by
NuKE. In 1993, this virus group, which originates from Canada,
joined the fray with Dark Angel's Multiple Encryptor, DAME. The
new generator's name may have been meant as a dig at some
members of the anti-virus community, who had been using the
name DAME for Dark Avenger's Mutation Engine, MtE.
Dark Angel published his generator during the summer of 1993 in
issue 11 of Phalcon/SKISM's magazine, 40Hex. Dark Angel has
also written the two virus creation toolkits published by
Phalcon/SKISM, the PS-MPC and G2.
Like NED, DAME was distributed as commented source code. Along
with the generator, Dark Angel published an article which dealt
with polymorphism and the writing of polymorphic generators in
general.
Dark Angel was apparently not completely satisfied with his
initial product, because he introduced an improved version of
DAME in the next issue of 40Hex.
The first version of DAME, 0.90, took up 1574 bytes. The
improved 0.91 version had grown to 1960 bytes. Dame is known to
have been linked to two different viruses.
DSME (Dark Slayer Mutation Engine)
----------------------------------
DSME was the first polymorphic generator from Taiwan. It was
written by a person calling himself Dark Slayer. DSME was
published in the end of 1993.
Interestingly, DSME contains documentation both in English and
Chinese. The author sends greetings to Dark Avenger and Nowhere
Man and thanks for the inspiration he received from earlier
polymorphic generators.
DSME is not as advanced as the generators produced before it.
Dark Slayer admits this in his notes. The actual size of the
generator is little over 2 kilobytes.
At the moment, only one virus is known to use the DSME.
MutaGen
-------
In the beginning of 1994, a new author entered the stage.
Calling himself MnemoniX, this American virus writer proudly
presented a new generator called MutaGen.
At the moment, there are four different versions of MutaGen in
distribution. Each successive version is more complex than the
previous ones. Their sizes range from 1032 bytes to 1385 bytes.
In MutaGen's documentation, MnemoniX criticizes the other
polymorphic generators for being too unreliable and easy to
detect.
MnemoniX himself has published two different viruses which
utilize the MutaGen generator, but otherwise the response of
the virus underground to this new generator is unknown.
GPE (Guns'n'Roses Polymorphic Engine)
-------------------------------------
The Guns'n'Roses Polymorphic Engine is a newcomer, written by a
person calling himself Slash Wu. Like the Dark Slayer Mutation
Engine, this generator originates from Taiwan - and it only
comes with Chinese documentation.
In the generator's documentation, the author prohibits the use
of the generator in viruses and other malicious software. He
claims to have developed GPE solely for the purpose of
protecting data and programs from unauthorized use. These
claims are lent some credence by the fact that the author has
included his apparently real name and phone number in the
introductory notes.
Version 1.00 of the Guns'n'Roses Polymorphic Engine was
released in March 1994. So far, the generator is not known to
have been linked to any virus. It's size is about two
kilobytes.
DSCE (Dark Slayer Confusion Engine)
-----------------------------------
There is at least one polymorphic generator which has so far
eluded the antivirus researchers. The one that we know of is
called DSCE, and it is written by the same author as DSME.
A file that demonstrated DSCE's abilities was sent to F-PROT
Professional Support during April 1994. Deductions based on
this demo indicate that DSCE is a rewritten version of DSME,
and capable of creating far more complicated samples.
[Source: F-PROT version bulletin 2.14. Copyright (c) 1994 Data Fellows Ltd.]
============================================================================
Tech Sheets
Mr. Bill Hoover of Virus Research and Statistics in Indianapolis,
Indiana is a new member of The Scanner's contributing authors and
researchers. We welcome him aboard and look forward to working with him
more in the future.
EDITOR'S NOTE: At publication time The Scanner learned that Bill has
just recently been hired as a programmer/analyst for a client server
based company called Support Net in Indianapolis, Indiana. CONGRATS
Bill, and good luck.
TRON and HIDER are two viruses Bill has researched. The following
are his reports on the two viruses:
TRON:
=====
The Tron virus was submitted to Virus Research & Statistics on 12.03.94
from a local sysop who runs a board here in Indianapolis, Indiana USA.
Seems a user uploaded the infected file compressed with PKLite and
F-Prot 2.14 detected it.
From taking a quick look at it and testing it on an isolated computer, it
seems to be a resident *.COM infector including COMMAND.COM and the
infected files increase by 754 bytes.
Upon executing an infected program, the virus will go resident and hook
interrupts 8 (system timer), 16 (keyboard), 21 (Dos Functions) and 22 (Dos
Terminate address) and infect *.COMs when they are executed. Seems to also
play around with the keyboard a bit, and adds 1 to the ANSI value of the
6th typed character. For example, 'xxxxxx' becomes 'xxxxxy' and 'aaaaaa'
becomes 'aaaaab'.
Although F-Prot 2.14 detects it, users can use the scan sig below to detect
it since it is present in all infected files (at least the ones I tested) :
0E 1F BE 18 01 46 81 3C 54 52 75 F9 81 7C 02 4F 4E 75 F2 83 C6 04
In addition, (not sure about the trigger yet since I've only looked at it
for a couple of secs) but a little graphic ball will appear at the top left
of the screen and continue across the screen left to right until it hits
the bottom right, erasing the screen contents. I have a feeling that this
happens after a the virus has been resident for so long (reason for system
timer being hooked) but not exactly sure.
In addition, the text 'TRON' can be found within infected programs, and the
infected program's name appears in the interrupt chain and as resident in
memory.
********
HIDER:
=====
Possible Virus Name : Hider / Anston Rant
The 'Hider / Anston Rant' virus was submitted to Virus Research &
Statistics on 10.08.94 via the Prodigy Service by a user of Prodigy.
The virus is a non-resident direct action parasitic infector of *.COM / *.EXE
files using a standard method of appending the viral code to the end of the
infected program(s) and adding a JMP command to the beginning of the
infected *.COM files.
The virus seems to use a very effective traversal scheme which will search
relentlessly until it infects 3 *.COM and 3 *.EXE files or until no more
candidate files are found.
Infected files will increase by 1782 bytes with the virus being appended to
the end of the infected files and the original file's time and date stamps
will not be changed from their original state.
Infected files will contain the following message :
Anston Rant is back for more!
Whoa, looks like you be missing some files there, Bud!
The user who submitted a sample of this virus stated that on the 13th day
of any month, the virus would 'hide' all files and directories located
within the root directory and the files could be safely recovered by using
the ATTRIB -H *.* command. However, during my tests, no files or
directories were 'hidden' and the virus merely continued to infect
non-infected files and displayed the message listed above.
Generation 1 samples of the this virus can easily be detected using the
following scan sig :
BF 03 02 06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00
In addition, infected *.COM / *.EXE files can be detected by :
06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00 2E 8A 04
In the current form, this virus does not contain an encryption scheme and
will easily be detected by using the above scan sigs added to F-Prot
or any other AV product that supports external user defined scan sigs.
Tron and Hider / Anston Rant virus tech-specs provided by :
Mr. William E. Hoover
Virus Research & Statistics
1142 South Reisner Street
Indianapolis, Indiana 46221
U.S.A.
********************************
Bill Lambdin is a member of The Scanner staff. The following is
his preliminary report on the NYMPHO MITOSIS virus.
NYMPHO MITOSIS 2.0
==================
Preliminary analysis of Nympho Mitosis virus by W.H. (Bill) Lambdin
Name ] Nympho Mitosis 2.0
Size ] 787 bytes
Infects ] .COM and .EXE files including COMMAND.COM.
Scan string ] 33 FF 8C C0 48 8E D8 38 3D 75 44 88 1D 83 6D 03
In the wild ] Unknown
]
A-V ] This virus has been forwarded to the following; Vesselin
] Bontchev, David M. Chess, Spencer Clark, Eugene V.
] Kaspersky, FRISK, Dr. Alan Solomon, Wolfgang Stiller,
] Frans Veldman, Tarkan Yetiser. Dmitry O. Gryaznov
Armored ] no
Detected ] Yes
Encrypted ] No
Interrupts ] Hooks interrupt 21h
Load Address] 9FBDh
Marker ] The virus places an 8 in the last column of the seconds
] field of the time stamp to mark infected files. When
] Nympho Mitosis disinfects a host file, 02 in placed in
] the seconds field of the time stamp.
Polymorphic ] No
Resident ] Yes
Size in RAM ] 1088 bytes
Stealthed ] Fully stealthed, but very unusual, the virus removes
] itself, when an infected file is opened, but does not re-
] infect when the host file is closed.
Text ] [Nympho Mitosis] v2.0 Copyright (c) 1993 Memory Lapse
] Phalcon/Skism Canada
Type ] Infects .COM & .EXE files, and the virus is appended to
] the end of the infected host files.
Unusual ] Does not trap errors. So DOS reports a write protect error
] when trying to run a file from a write protected diskette.
============================================================================
Hacks, Viruses and Trojans
A Trojan alert from THE SCANNER !!!!
The following message was taken off of the WildNet Virus conference
19 December 1994:
------------------------------------------------------------------------
Date: 12-16-94 Msg # 98
To: ALL Conf: (125) Virus'-WN
From: ROBERT KEMPER Stat: Public
Subj: WARNING WARNING WARNING Read: Yes
------------------------------------------------------------------------
I discovered a Trojan on the Software Vault Gold Collection CD.
Under the utilities section is a supposedly shareware virus scanner that
will damage any disk you attempt to scan. The file name is SCCL100.zip
DO NOT ATTEMPT TO RUN THIS PROGRAM ! I have notified American
Databankers Corp and they have confirmed that this program is designed
to damage disks and will be removed from future CD's.
Copyright 1994 Robert L. Kemper Jr.
---
þ TNet 3.60 ÷ WILDNET: The Right Note! - MUSIC ORIENTED BBS - 502-452-1453
---------------------------------------------------------------------------
Thanks Robert, great catch!! The staff at The Scanner went into action and
went looking. We found this program on 8 CDs total in our area and made the
proper notifications to the sysops. Here they are the CDs and the areas the
program was found in:
CD Title Area
-------------------------------------------------------------------------
Shareware Vault Gold Virus Detection and Prevention
Shareware Studio #4 Virus
Tech Arsenal Anti-Virus Utilities
Cream of the Crop II Virus Prevention
Hobbes OS/2 MAC File Viewers
Best of Bizzness '94 Virus Utilities
Best of Shareware '94 MAC File Viewers
Night Owl #9 Virus
Night Owl 10 Virus
EDITOR'S NOTE: Thanks to Jerome Priest - SYSOP of THE Busy Body BBS,
W. Branch, MI, we added Night Owl #10 to the list.
Thanks Jerome !
The file is 709180 Bytes with a file date of 05-26-93. This
program claims to be a *virus scanner*.
The program will start out asking you what drive you want to scan.
Upon entering a drive letter you are immediately taken to a screen where the
alleged scanning is taking place. The unsuspecting victim will observe a
Scanning box and a Status box on the screen. As the Scanning box fills
( Showing the percentage of the disk that is scanned ) the status box shows
the message : "Scanning Memory ...."
Once the Scanning box reaches 100%, the status box then reports
"Memory appears to be clean ....".
Now the program performs the alleged disk check. The Scanning box
once again will display the percentage of the disk being scanned and the
status box displays the following message:
" Now performing check on disk.... Please Wait ...."
Now the fun begins. The Scanning box will go the screens width
several times and the then stop. The Status box displays the following
message:
" Uh Oh....Virus Detected...."
Upon hitting the return button this message comes up:
" Trying to gain control of vital areas...."
After a few seconds the final message comes up as:
" Cannot destroy virus !!!!"
The system is waiting for a RETURN from the user. The light on the
A: drive goes on and the damage is now in progress. After the drive stops,
the system is locked up. The system needs to be rebooted again. After
rebooting, the unsuspecting user then looks at the disk in the A: drive to
see if the "virus" has been removed only to find the disk rendered useless.
That, folks, is a TROJAN. A program that claims to do something, but in
reality does something else unbeknownst to the user.
***************
Editor's Follow-up:
I have personally verified each program off of each CD.
I am doing more follow-up because the file sizes are not all the same, yet,
the same action occurs in each program. The EXE file is the same size in
each program 5599 bytes. The SCCL100.DAT file is always 702383 bytes. Prior
to doing a scan on a disk the following files are in the directory of the
SCCL100 program:
SCCL100.DAT 702383 05/26/93 18:57
SCCL100.DOC 1497 05/26/93 19:27
SCCL100.EXE 5599 05/26/93 18:58
After executing the program the following files are added:
SCANNER.DAT 140392 <Date program was run>
- Woody -
============================================================================
The Bookshelf
Rob Slade is busy at work up in British Columbia, Canada, reading
book after book after book. He is kind enough to share his views on these
"parcels of knowledge" with The Scanner and we appreciate it.
"The Internet Business Book", Ellsworth/Ellsworth, 1994, 0-471-05809-0,
U$22.95
oakridge@world.std.com je@world.std.com
%A Jill H. Ellsworth
%A Matthew V. Ellsworth
%C 605 Third Avenue, New York, NY 10158-0012
%D 1994
%G 0-471-05809-0
%I John Wiley & Sons, Inc.
%O U$22.95 800-CALL-WILEY Fax: 212-850-6799
%O aponnamm@jwiley.com jdemarra@jwiley.com
%P 376
%T "The Internet Business Book"
This is a reasonable guide to what the Internet is, and how it works. It
gives good advice on the best means to approach the net community. The list
of resources is aimed at, and appropriate to, business and professional
users. The specifics of how to conduct a business on the Internet could use
some work.
The Internet information provided is concise, and provides a good, if fairly
standard, starting point. Those new to the Internet should plan to spend
some time practicing the various applications, or might want to look for
more detailed guides in areas of interest. The coverage is quite broadly
based, though. The email chapter, for example, goes into some detail on the
use of UUENCODE to send binary files, an often neglected topic.
While the advice to avoid troublesome items such as unsolicited mail and
mass advertising mailing is good, there could be much more in the way of
specific business advice. The choice of Internet provider only asks whether
they provide all the Internet services you require, without analyzing the
need for an information provider to set up anonymous ftp, gopher or World
Wide Web servers. The chapter on an Internet business plan really only
looks at a standard planning tool, with a few line items added for Internet
service costs.
This work should provide an adequate starting point for those interested in
launching a business with support from Internet tools. Those who do should,
however, spend some time getting used to the net, before rushing in.
copyright Robert M. Slade, 1994 BKINTBUS.RVW 940929
***************
"Your Internet Consultant", Savetz, 1994, 0-672-30520-8, U$25.00/C$34.95
savetz@rahul.net
%A Kevin M. Savetz
%C 201 West 103rd St., Indianapolis, IN 46290
%D 1994
%G 0-672-30520-8
%I SAMS Publishing
%O U$25.00/C$34.95 317-581-3718 fax: 317-581-4669
%O 75141.2102@compuserve.com 75141.2104@compuserve.com
%P 550
%T "Your Internet Consultant"
The subtitle of this book, "The FAQs of Life Online", refers to a common
form of online documentation and reference. A list of "Frequently Asked
Questions" list basic and common questions that people have, along with
(supposedly) expert answers. FAQs are generally undergoing constant
maintenance and updating. They are periodically reposted to specific
topical groups and discussion lists, and are often accessible by various
other means.
Savetz maintains a number of such lists, so it is natural that his Internet
guide is written in this style. Question 1.2, in the introduction, in fact,
asks whether the world needs another Internet book. He feels that his guide
has a distinctive, and that the question and answer style makes a
fundamental difference to the work.
I'm not sure that the difference is fundamental, but I do think it was a
valuable exercise, and produced a worthwhile book. The need to answer the
questions keeps sidetracks and diversions to a minimum,. The "frequently"
part also helps keep the book focussed on what most people want; the
question, however, gives the book some added breadth. I note some questions
which I am certainly asked often, and which many Internet guides fail to
answer.
The questions are all listed at the beginning of the book, forming a type of
expanded table of contents. This is less helpful than one might suppose,
since one needs to know the area that the question might appear in.
Overall, a concise and informative starting guide, well worth consideration.
copyright Robert M. Slade, 1994 BKYRINTC.RVW 940930
============================================================================
DECUS Canada Communications, Desktop, Education and Security group
newsletters Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob
Slade at 1:153/733 Author "Robert Slade's Guide to Computer Viruses"
0-387-94311-0/3-540-94311-0
============================================================================
EDITORS NOTE: I have recently purchased a copy of Rob's book
"Robert Slade's Guide to Computer Viruses" and
highly recommend it to anyone wishing to take
serious steps in learning the basics of computer
viruses and procedures to arm themselves against
them. It is well written and quite informative.
Hopefully, I will have completed it by the next
issue and look forward to giving you the "scoop"
in detail. :-)
============================================================================
GOLD-BUG Companions
In the last issue of The Scanner we featured the GOLD-BUG virus. In
the "gouge" we included in the article, two companion viruses of GOLD-BUG
were mentioned. The DA'BOYS virus and the XYZ virus both, accompany the
GOLD-BUG virus. All three of these viruses are written by an individual
named "Q" the misanthrope. Well, the "Q" library is growing. I guess if
we have to have virus writers that turn their creations loose on the world
we might as well have one that will at least send the code and the removal
instructions as well ! :-)
DA'BOYS VIRUS
-------------
Virus Name: DA'BOYS
Aliases: DALLAS COWBOYS
V Status: New, Research
Discovery: January, 1994
Symptoms: Possible diskette access problems; BSC; Infected disks fail to
boot on 8088 or 8086 processors; No COM4.
Origin: USA
Eff Length: 251 Bytes
Type Code: BORaX - Resident Overwriting Boot Sector and Master Boot Sector
Infector
Detection Method: None
Removal Instructions: DOS SYS
General Comments:
The DA'BOYS virus will only work with DOS 5 or DOS 6+ with an 80186 or
better processor. Unlike other boot sector infectors, the DA'BOYS
virus overwrites or rewrites the DOS boot sector. It does not make a
copy or move the boot sector to another sector. It will infect all
American DOS 5 or DOS 6 boot sectors. It will infect disks in drive
A: or B: It works with 360K, 720K, 1.2M, 1.44M or 2.88M disks.
When a disk is booted with the DA'BOYS virus, it will load itself into
a "hole" in lower DOS memory. CHKDSK will not show a decrease in
available memory. INT 12 will not be moved. The DA'BOYS virus code
is written in the "Non-System disk or disk error Replace and press
any key when ready" string. But it will display the above message by
using the code found on the hard disk DOS boot sector. It will then
infect the DOS boot sector (not the partition table) of the hard disk
and overwrite the "Non-System ... " text string with it's code.
The DA'BOYS virus does not damage any data. It disables COM4. The
text string "DA'BOYS" appears in the virus code but is not displayed.
The DA'BOYS virus has a companion virus that it works with. The
GOLD-BUG virus is also a boot sector infector. It is possible to have
a diskette with two boot sector viruses. GOLD-BUG hides the presence
of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG
removes the DA'BOYS virus from the INT 13 chain at the start of
Windows and restores it when Windows ends.
It can be removed from diskettes and hard disks with the DOS SYS
command.
*************
XYZ VIRUS
---------
Virus Name: XYZ
Aliases: X-AMINE YOUR ZIPPER
V Status: New, Research Viron
Discovery: September, 1993
Symptoms: None - Pure Stealth
Origin: USA
Eff Length: 440 Bytes
Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
The XYZ virus is a HMA memory resident overwriting direct action
infector. The virus is a pure 100% stealth virus with no detectable
symptoms. No file length increase; overwritten .EXE files execute
properly; no interrupts are directly hooked; no change in file date or
time; no change in file attributes; no change in available memory;
INT 12 is not moved; no cross linked files from CHKDSK; when resident
the virus cleans programs on the fly; works with all 80?86 processors;
VSAFE.COM does not detect any changes; Thunder Byte's Heuristic virus
detection does not detect the virus; Windows 3.1's built in warning
about a possible virus does not detect XYZ.
The XYZ virus will only load if DOS=HIGH in the CONFIG.SYS file. The
first time an infected .EXE file is executed, the virus goes memory
resident in the HMA (High Memory Area). The hooking of INT 13 is
accomplished using a tunnelling technique, so memory mapping utilities
will not map it to the virus in memory. It then reloads the infected
.EXE file, cleans it on the fly, then executes it. After the program
has been executed, XYZ will attempt to infect 15 .EXE files in the
current directory.
If the XYZ virus is unable to install in the HMA or clean the infected
.EXE on the fly, the virus will reopen the infected .EXE file, remove
itself, and then write the cleaned code back to the .EXE file. It
then reloads the clean .EXE file and executes it. The virus can not
clean itself on the fly if the disk is compressed with DBLSPACE or
STACKER, so it will clean the infected .EXE file and write it back.
It will also clean itself on an 8086 or 8088 processor.
It will infect an .EXE if it is executed, opened for any reason or
even copied. When an uninfected .EXE is copied, both the source and
destination .EXE file are infected.
The XYZ virus overwrites the .EXE header if it meets certain criteria.
The .EXE file must be less than 62K. The file does not have an
extended .EXE header. The file is not SETVER.EXE. The .EXE header
must be all zeros from offset 72 to offset 512; this is where the XYZ
virus writes its code. The XYZ virus then changes the .EXE header to
a .COM file. Files that are READONLY can also be infected.
The text string "XYZ" and "ZYX" appear in the virus code but are not
displayed.
The XYZ virus has a companion virus that it works with. The GOLD-BUG
virus also goes memory resident in the HMA and reserves space for the
XYZ virus.
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
your CONFIG.SYS file. Reboot the system. Then run each .EXE file
less than 62k. The virus will remove itself from each .EXE program
when it is executed. Or, leave DOS=HIGH in you CONFIG.SYS; execute
an infected .EXE file, then use a tape backup unit to copy all your
files. The files on the tape have had the virus removed from them.
Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the
system. Restore from tape all the files back to your system.
============================================================================
In The News
If you find any interesting or humorous articles related
to computers, hackers, Trojans or even viruses, let us know. China
seems to be a topic of interest so far as hackers and hacks go.
Death Penalty for a Computer Felony
-----------------------------------
Death penalty has been carried out in China on a person who hacked his
way into a bank's computer system. In 1991, Shi Bao embezzled 192.000
dollars from the Agricultural Bank of China by using a computer. Shi Bao
was executed as a warning to would-be computer criminals.
[Source: F-PROT version bulletin 2.09. Copyright (c) 1993 Data Fellows Ltd.]
----------------------------------------------------------------------------
Date: Mon, 05 Dec 94 04:15:39 -0500
From: ANTHONY APPLEYARD <A.APPLEYARD@fs1.mt.umist.ac.uk>
Subject: New virus reported in China: `Li Peng' (PC)
In 5 Dec 1994 issue of the Daily Telegraph (UK newspaper), p23:-
A new virus doing the rounds in China is perplexing the party faithful. When
it strikes, a question appears on the screen: "Do you think Li Peng is a good
prime minister?". If the operator answers "no", then the message disappears
and the system is left untouched. On the answer "yes", however, the virus
wipes the entire hard disk.
[ Source: Virus-L Digest Volume 7 Issue 100 ]
============================================================================
Hacks, Viruses and Trojans
LEGEND:
H = Hacked
P = Pirated
T = Trojan
V = Virus Infected
X = Hoax
* = Previous listing
============================================================================
* File: PKZ305.EXE Problem: H
Reported By: Fido Virus_Info Conference.
A hacked version of PKzip, and reportedly infected with the
Proto-T virus. Fridrik Skulason, Bill Lambdin, Wolfgang Stiller
and Tarkan Yetiser analyzed the file and found no virus. This was
just a hacked program.
- ---------------------------------
* File: DOOM2CHE.ZIP Problem: V
Reported By: Mike Karina of Biloxi, Ms.
The Mississippi Gulf Coast was hit with the Gold-Bug virus mid
October. It was uploaded to a local BBS under the name DOOM2CHE.ZIP.
The file had 2 files in it. GOLD-BUG.ASM and GOLD-BUG.COM. The .ASM
file was the actual source code for the Gold-Bug virus. The .COM
file was the virus file itself.
- -------------------
* File: SF2_UP.ZIP Problem: V
Reported By: Fido WARNING Conference. This is a renewal of the original
report in 1992. It appears there are folks out there that
didn't get the proper notification from the companies involved.
This file can be found on the Night Owl 10.0 CD. It is infected with
the Lapse_366 virus. The staff of "The Scanner" found this file and
verified the virus is still present. Fridrik Skulason verifies
the virus on this file in the FP virus information files.
- ---------------------------------
* File: SPORT21C.ZIP Problem: V
Reported By: Fido WARNING Conference. This is a renewal of the original
report in 1992. It appears there are folks out there that
didn't get the proper notification from the companies involved.
This file can be found on the Night Owl 10.0 CD. It is infected with
the Crusader variant of Butterfly. The staff of "The Scanner" found
this file and verified the virus is still present. Fridrik Skulason
verifies the virus on this file in the FP virus information files.
-----------------------------------
File: SCCL100.ZIP Problem: T
See Trojan Alert ! above.
============================================================================
STONED.EMPIRE.MONKEY.A Removal
This seems to be one of the most active viruses at this time.
I am constantly seeing questions about it in the Virus-L Digest and on
the various virus conferences. Rather than me trying to explain it, I
felt it best the "experts" pass along their summations and techniques
in its removal.
Mr. Mikko Hypponen of Datafellows LTD, Finland on
Stoned Monkey Empire A virus and F-Prot: ( Latest version 2.15)
STONED.EMPIRE.MONKEY.A
----------------------
The Monkey virus was first discovered in Edmonton, Canada, in 1991.
The virus quickly spread to USA, Australia and UK. Monkey is one of
the most common boot sector viruses.
As the name indicates, Monkey is a distant relative of Stoned. Its
technical properties make it quite a remarkable virus, however. Like
Stoned, the virus infects Master Boot Records on hard disks and DOS
boot records on diskettes. Monkey spreads only through diskettes.
The original Stoned leaves the partition table in its proper place in the
hard disk's zero track, but Monkey does not . Instead, it copies the
whole Master Boot Record to the hard disk's third sector to make room
for its own code. The hard disk is inaccessible if the computer is booted
from a diskette, since the operating system cannot find valid partition
data in the boot sector - attempts to use the hard disk result in the
DOS error message "Invalid drive specification".
When the computer is booted from the hard disk, the hard disk can be
used normally because the virus is executed first. The virus can,
therefore, escape notice, unless the computer is booted from a diskette.
As Monkey not only moves but also encrypts the Master Boot Record,
it is difficult to remove. The changes to Master Boot Record cannot be
detected while the virus is active, since it reroutes the BIOS-level disk
calls through its own code. Upon inspection, the hard disk seems to be
in its original shape.
There are two often-used procedures, either of which can disinfect most
boot sector viruses. One of these is the MS-DOS command FDISK /MBR,
which rewrites the code in the Master Boot Record, and the
other is using a disk editor to restore the Master Boot Record back on
the zero track. In this case, the relocation and encryption of the
partition table render these methods unusable. Although both
procedures destroy the actual virus code, the computer cannot be
booted from the hard disk afterwards.
There are five viable ways to remove the Monkey virus:
o The original Master Boot Record and partition table can be
restored from a backup taken before the infection. Such a backup
can be made with the MIRROR /PARTN command of MS-DOS 5, for
example.
o The hard disk can be repartitioned by using the FDISK
program, after which the logical disks must be formatted. The
procedure will also destroy all data on the hard disk, however.
o The command FDISK/MBR can be used to overwrite the virus
code, after which the partition table can be restored manually. In this
case, the partition values of the hard disk must be calculated and
inserted in the partition table by using a disk editor. The method
requires expert knowledge on the disk structure.
o It is possible to exploit Monkey's stealth capabilities by taking a
copy of the zero track while the virus is active. Since the virus hides
the changes it has made, this copy will actually contain the original
Master Boot Record. This method is not recommendable, because the
diskettes used in the copying may well get infected.
o The original zero track can be located, decrypted and moved
back to its proper place. As a result, the hard disk is restored to its
exact original state. F-PROT uses this method to disinfect the Monkey
virus.
The Monkey virus is quite compatible with different kinds of diskettes.
It has a built-in table containing structural data for the most common
diskette types. Using this table, the virus is able to move a diskette's
original boot record and a part of its own code to a safe area on the
diskette. If Monkey does not recognize a diskette, it moves the boot
record to the diskette's third physical sector. This is what happens also
to, for instance, 2.88 megabyte ED diskettes, with the consequence that
Monkey partly overwrites their File Allocation Tables.
The virus is difficult to spot, since it does not activate in any way. A
one-kilobyte reduction in DOS memory is the only obvious sign of its
presence. The memory can be checked with, for instance, DOS's
CHKDSK or MEM programs. However, even if MEM reports that the
computer has 639 kilobytes of available memory instead of the more
common 640, that does not necessarily mean that the computer is
infected. In many computers, BIOS allocates one kilobyte of DOS
memory for its own use.
F-PROT recognizes and removes all known variants of the
Stoned.Empire.Monkey virus.
************
Mr. Wolfgang Stiller of Stiller Research, and the Author of Integrity Master,
on the Stoned.Empire.Monkey.A virus and Integrity Master:
(Latest version 2.31c)
Monkey: (Description quoted from Integrity Master User's Guide)
Synopsis: Resident, stealth infector of floppy boot sectors and partition
sectors
Symptoms: Inaccessible hard disk after floppy boot, 1K less available memory
Details:
Monkey is unusual in that it completely replaces the partition
sector with its own code. If you boot from a floppy the hard
disk will be inaccessible since there is no valid partition
table in the partition sector. If the virus is resident in
memory, it will use stealth techniques to return the original
unmodified partition sector.
Once Integrity Master (AKA IM) is installed, removing Monkey is trivial. It
will detect the virus in memory and ask you to boot from a diskette. (The
hard disk will of course seem inaccessible at this point but Integrity Master
can access it anyway.) After you boot, you just use the "ReLoad" menu to
restore the "missing partition sector" (AKA Master Boot Record or MBR). Other
products call this the master boot record but we prefer to call it the
"partition sector" since it contains the hard disk's partitioning information
and to more clearly differentiate from the operating system boot sector
(usually a DOS boot sector).
What if you get the Monkey virus but you don't have Integrity Master
installed already? You could remove Monkey, with an "FDISK /MBR" but then
you would lose access to your hard disk. Not a good idea! Removal with
Integrity Master is easy. Running IM on your infected PC, you use the
Initialize menu to capture your partition sector. IM writes this to
part.srl. What IM manages to do at this point is to get you a copy of the
uninfected (clean) partition sector (Master Boot Record). You copy this to a
diskette (realizing that this diskette is now infected). You now boot from a
clean write-protected DOS diskette and run IM from floppy. You can now use
the "ReLoad" menu to reload the missing partition sector as before.
(You will need to insert the diskette with Part.srl in any one of the floppy
drives at the point you do the reload.)
Don't forget to disinfect all your diskettes. The best way to do this
is to scan your diskettes (use the scan Multiple diskettes menu option in
IM for this or the command IMSCAM a: where "a" is your drive letter.) If the
diskette is infected, copy all data to another diskette and trash or reformat
the diskette. It's not safe to just remove the infected boot sector since
Monkey will damage the file structure on the diskette causing possible
data loss, if the diskette is not reformatted.
-Wolfgang
============================================================================
The Monkey is on my back !!
After reading Wolfgang and Mikko's articles I went and infected
Albert ( my working platform :-) )
I started out with an infected floppy. I put it in the drive and
turned the system off then back on. I got the typical
" Non-Systems disk or disk error
Replace and press any key when ready"
message. I removed it from the system and continued with the boot-up.
Once the system was up I did a CHKDSK. The system reported a total of
654336 total bytes free instead of the usual 655360. MONKEY-A was there.
That is how easy it is to infect the system. No whistles, whiz bangs or
gala,just Non-system disk....
I ran F-Prot first.
Clean boot the system ( turn the system off and put the disk in the
drive then turn it on again. DO NOT USE ALT-CTL-DEL, some viruses can trap
this and the infected memory will still be in control). F-Prot will start to
come up then all of a sudden this appears in the upper right hand corner of
your screen:
Invalid drive in search path
Bad command or file name
Don't panic, wait a few seconds and F-Prot continues. Go to the Scan
screen run Scan in the Report/Only mode.You will observe the following on
your screen:
Scanning MBR of hard disk 1
Master Boot Sector infection: Stoned.Empire.Monkey.A
ERROR: No hard disk found
Again, don't panic ! Go back to the Scan screen and go to the Action:
block. You can enter either Disinfect/Query or Automatic Disinfection or
Automatic Delete. Whatever you choose, enter it. Run Scan again with this
and you will get rid of the problem in a flash.
That's it. The system is ready to go. No pain, no strain.
Next, I ran Integrity Master ( version 2.31b ).
( NOTE: Read the instructions * very carefully *.
Here is how to set up.)
The setup of Integrity Master is crucial to its proper use. I speak
from experience. :-) I had some problems at first because I did not set it
up properly. Thanks to Wolfgang Stiller and Bill Lambdin assis
ting me I now
have the proper set up. So, let me go over the set up first with you so
those of you running Integrity Master have a proper set up.
1. Format a floppy disk and use the FORMAT/S ( or SYS A: to transfer the system files
to it. Substitute the proper drive label if A: is not your boot floppy).
Make a directory called IM_HOME. Put it aside for the moment.
2. Install Integrity Master on your hard drive. Do the entire system setup
within Integrity Master. Now, put that new floppy you just formatted and
made bootable into the drive. Copy IM*.* to that drive. Go into the IM_HOME
directory on the HD and copy all .SRL files to A:\IM_HOME.
Now you are ready for any situation that arises. Be sure to copy any
new additions you make to the hard drive to the "emergency disk"
I booted the system up with an infected disk containing
Stoned.Empire.Monkey.B this time.
I ran IM from the hard drive first. The system stopped and informed me
that the virus was there and that I should perform a clean boot. Again, turn
the system off and put the bootable, write protected disk with IM in the
drive and turn the system on. Run IM. At this point you will get a screen
asking you if you want to initialize the system. You can hit any key at this
point and it will get you into the menu.
Go to ReLoad. Curser down to the Missing partition ( NOT the Partition
sector !!). Hit enter at this point. You will see two screens come up. The
one on the left explains everything on the screen on the right. Go to the
Physical hard disk number (0 to 9). Hit enter. Go to the Physical Drive
option and hit 0. ( Viruses only infect Drive zero, so no matter how many
you have hit zero )
At this point you will be warned that you are about to over write your
partition sector with the version saved in file: A:\IM_HOME\PART.SRL. This
is what we want to do. Enter Yes. You will get an error report saying there
is an error on C:\IM_HOME. This is alright. Remember, the virus tried to
tell you there was no Hard drive, but IM got through it and fixed the missing
partition. ( NOTE: If you turn off the Report FIle you wont even see this
error ) Turn the system off and then back on and you should be ready to
go. Do a chkdsk, if you come up with 655360 then that is confirmation you
are ready to go about your business.
Both of these products will remove both Monkey-A and Monkey-B in the
manner described above.
My thanks to Bill Lamdin and Wolfgang for coming to my rescue, thanks
guys. :-)
Woody
=============================================================================
From Woody's Desk
Well, that's the second issue. What do you think? *Please* let
me know. You will notice the Hacks, Viruses and Trojan section is rather
scant. I could use some help from folks out there helping me pass the word
along. Drop me a line and let me know what you want to see.
Next issue, I plan on running a treatise of Mikko Hypponen's on
Retroviruses. A brilliant paper on the viruses of today and their
aggressive behavior. You won't want to miss it !!
My heartfelt thanks to the folks that help make this issue:
- Mr. Rob Slade of British Columbia, Canada for his book reviews
and his council in matters of the internet and reviewing The
Scanner prior to publication.
- Mr. Mikko Hypponen of Datafellows LTD, Finland for his contributions
of the FP-Bulletins as well as his words of wisdom on the Monkey
virus and taking the time to help a guy out.
- Mr. Wolfgang Stiller of Stiller Research, Tallahassee, Florida for
his contribution in the Monkey virus article and helping when ever
asked for some advise and answers.
- Mr. Bill Hoover of Virus Research and Statistics, Indianapolis,
Indiana, for his contributions and willingness to take the time
to research some code and for joining the "gang".
- Mr Bill Lambdin, for his council, time and efforts which have been
a big part of The Scanner since its conception.
Most of all thank you, the readers, for taking the time to read
The Scanner and sending me your views and suggestions. Keep them coming
we have only just begun.
Best to you all from Biloxi, Mississippi
Woody
