Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
        id AA08213; Thu, 4 Mar 1993 14:48:01 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA23523
        (5.67a/IDA-1.5 for ); Thu, 4 Mar 1993 08:15:43 -0500
Date:         Thu, 4 Mar 1993 08:15:43 -0500
Message-Id:   <9303041259.AA21084@first.org>
Comment:      Virus Discussion List
Originator:   virus-l@lehigh.edu
Errors-To:    krvw@first.org
Reply-To:
Sender:       virus-l@lehigh.edu
Version:      5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From:         "Kenneth R. van Wyk"
To:           Multiple recipients of list
Subject:      VIRUS-L Digest V6 #39
Status: RO

VIRUS-L Digest   Thursday,  4 Mar 1993    Volume 6 : Issue 39

Today's Topics:

Re: Why only PC's?
Laws and Viruses
Re: Why only PCs?
Re: Sale of Viri
Re: Question about Patricia Hoffman and John McAfee
Canada and viruses
Re: Gender switching virus
re: Diana P
wordperfect virus? (PC)
Re: EXE/COM switch (PC)
New disinfector for Slow/Zerotime virus. (PC)
Kudos to McAfee (PC)
Re[2]: Twelve Tricks (PC)
Re: PC Magazine reviews virus scanners (PC)
Central Point Antivirus and Stacker (PC)
Re: EXE/COM switch (PC)
standardization (PC)
scanners. (PC)
Scanning memory (PC)
file name virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.)  Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Wed, 03 Mar 93 08:33:55 -0500
From:    scott@shrug.dur.ac.uk (Scott A. McIntyre)
Subject: Re: Why only PC's?

> From: Jason.Price@lambada.oit.unc.edu (Jason Price)
> I have a question.  Why is it that all the virus discussions are about
> PC's and Mac's?  There ARE other computers out there.  What about NeXt,
> C-64, Amiga's.  I never see hardly anything on those types of computers.
> Is it possible those types don't have as many virus problems as PC's?

Computer viruses are by no means limited to PC's, Macs and so on; indeed,
the internet worm of a few years ago demonstrated that a virus on highly
networked machines can be disastrous.

I don't know if there is an easy answer to why it seems to be the PC's of
the world that are infected; I would hazard a guess that it is a
combination of factors, some technical, some sociological.

The writing of a Virus for a particular machine requires technical
knowledge of the software and in some cases hardware operation of that
machine.  People who write viruses for computers must have access --
usually at home, as writing in a public lab could draw attention to
oneself.  So, more expensive machines, such as Suns, SGI's, NeXTs and so
on are in a way self-prohibitive against viruses, as the average writer
will probably not have one or access to one.  Further, if they do have
access, a form of psychological respect for the machine may override the
urge to write a virus (for whatever reason people write viruses).

Another factor is that to a large extent viruses are passed between
machines which are floppy intensive and therefore have an easy weak point.
Machines where the software is either pre-installed, distributed via a
network, CD-ROM and so on may to some degree have some immunity...
Finally, the software itself which contains viruses is usually fairly
inexpensive; you don't hear too many cases of getting Frame Maker
purchased from Frame with a virus that deleted someone's hard drive, for
example.  More expensive software probably has tighter controls during
production, less chance for disgruntled employees to write bad code, and
undergoes lots of quality control after production, to ensure that the
software doesn't contain viruses or other problems.

I'm sure that there is also the technical side of how viruses work -- on
a Unix machine, unless a virus is executed as root, then the damage would
be limited most likely to one user's files, and could quickly be
found...processes without owners can be tracked down and so on.

Just my tuppence worth.

Scott
- ---
EMAIL: S.A.McIntyre@durham.ac.uk OR scott@shrug.dur.ac.uk (NeXTmail)
SNAIL: Pyschment of Departology, University of Durham, Durham, DH1 3LE
"Did you know that the computer invented itself?" - SNL

------------------------------

Date:    Wed, 03 Mar 93 09:56:29 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Laws and Viruses

For some time now we have been concerned about a "textbook" definition
of viruses; perhaps it is time to discuss a legal one (obviously it is
difficult to pass a law against something that is not defined):

From a legal standpoint it might be enough to define a virus as "a
sequence of instructions that intentionally performs an unwanted and
undocumented modification within a computing system for which it is
intended."

Possibly "malicious software" would be a better term but IMHO the word
"computer virus" has passed beyond any hope of control.

"Intentional" removes "bugs" from being classified as a virus - - after
all, laws are usually meant to protect the innocent.
The odd phraseology "unwanted and undocumented" is again IMHO necessary to
the definition - first, nearly any condition including intentional
destruction may be desirable at some point; second, because too many
people accidentally do things that hurt them, usually because they haven't
read the documentation (UNDERSTANDING it is something else; ignorance
should not be protected by law), and there should be a presumption of
innocence if the action is properly documented.

Bugs, on the other hand, are often subjective ("It's not a bug, it's a
feature") but there should be some regulation concerning maximum time
between discovery/notification by the manufacturer and correction/notice
to the registered users.

Given the diversity of architectures, it is impossible for any developer
to test on every possible platform capable of running the code.  Something
that runs perfectly on every known PC might blow up on an HP/Apollo with a
DOS box.  "For which it is intended" covers this contingency.

Note that the above definition deliberately leaves some things unclear,
e.g. unwanted by whom?  I tried to use the minimum number of words to
convey a thought (and am sure that many words will be added in the
future).

Finally, keep in mind that the current discussion is limited to *criminal*
actions and not civil (damages) ones.  Two entirely different things in
the US.

Warmly,
Padgett

Weasel-words: am not now nor have ever been a lawyer, barrister, or
solicitor & drive Pontiacs (plug)

------------------------------

Date:    Wed, 03 Mar 93 11:18:46 -0500
From:    Olivier MJ Crepin-Leblond
Subject: Re: Why only PCs?

>Date:    Tue, 02 Mar 93 15:38:23 +0000
>From:    Jason.Price@lambada.oit.unc.edu (Jason Price)
>Subject: Why only PCs?
>
>I have a question.  Why is it that all the virus discussions are about
>PC's and Mac's?  There ARE other computers out there.  What about NeXt,
>C-64, Amiga's.  I never see hardly anything on those types of computers.
>Is it possible those types don't have as many virus problems as PC's?

Most (not all) of the discussions taking place on virus-l are about PC's
and Mac's because most viruses occur on these two platforms.  Sure, there
are viruses on other platforms, but not that widespread, and there are
not that many people reading/writing in virus-l that have encountered
them.

For one, it is harder to write a virus for a workstation (ie: NeXt, DEC,
Sun et al.) because of the privilege levels required for direct
addressing of the memory of those machines, etc. etc.

Secondly, if one looks at the number of computers in use in the world,
I'm quite convinced that PCs are far ahead at the nr.1 spot, Macs in
second place, and then workstations in 3rd place.  Amigas, C-64 etc. are
further down the line.

So here it is.  If you want to talk about other computers, feel free to
do so.  I think that the guidelines of virus-l don't restrict discussion
to any kind of computer.

- --
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
Internet/Bitnet:  - Janet:

------------------------------

Date:    Wed, 03 Mar 93 13:57:45 -0500
From:    Doug
Subject: Re: Sale of Viri

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) says:
>
>And, because a virus is able to spread by itself, an incompetent
>person who -knows- that s/he has virus code could (involuntarily)
>infect other innocent and incompetent people, who even do not know
>strict conditions, and to a very restricted set of knowledgeable
>anti-virus experts is a VERY WRONG THING and must NEVER be done, for
>whatever purpose.  Never.
>
>

You are simply mistaken, sir.  Distributing virus code to those who want
it is NOT a very wrong thing which should never be done.  You are talking
about censorship.  Virus code is NOT "taboo" except to a few who believe
in their heads that by preventing it from getting out, they will make the
problem disappear.
I learned a LOT about viruses - not from reading comp.virus, or VSUM, but
from actually STUDYING the virus code itself, AND reading the info
available.  I used to be paranoid about viruses, simply because I didn't
understand them.  I no longer am.  Unfortunately, there are many who don't
understand them.  If we educate these people, viruses will no longer be
the fearful things they are.

You are correct in saying that not everyone is competent enough to handle
viruses.  I will not disagree.  But there are PLENTY of people who are
MORE than competent enough, but are still "not allowed" to handle them,
because they "could do evil things" with them.  You are telling ME, and
the rest of us, that we are not as knowledgeable about virus code as you
are, therefore we may not have it, but you can.  I don't like that.  Nor
do a lot of others.

You may personally censor all the information you want, but there are
plenty of others who are willing to share.  You're fooling yourself if
you think keeping the general public ignorant will help them.  That will
only help line the pockets of the anti-virus software publishers.  (Which
may well be what you're shooting for)

Anyone can get the information they seek through magazines like Crypt,
40-Hex, the Nuke Infojournal, or ARCV newsletters which are published
simply because there are people like you out there.  The "censor it and
it'll fix it" attitude is not that of everyone.  Thank God there are
still those who believe in TRUE education, and not the idea that
"ignorance is bliss".

--
Doug AKA jdg111@psuvm.psu.edu
======= WARNING - RADICAL LEFT WINGERS: DO NOT READ BELOW THIS LINE! ========
The opinions expressed above are mine.  ALL MINE!  AND YOU CAN'T HAVE THEM!!!
The opinions expressed below are (c)1992-93 The Republican Party Ltd.
1) It's a child, not a choice.
2) Clinton won; every American lost.
4) Remove the ban?  NOT!
5) Gun control is being able to hit your target.
6) *The rest of this .SIG has been censored by the Clinton Administration
=============================================================================

------------------------------

Date:    Wed, 03 Mar 93 21:19:10 +0000
From:    rslade@sfu.ca (Robert Slade)
Subject: Re: Question about Patricia Hoffman and John McAfee

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>sbonds@jarthur.Claremont.EDU (007) writes:
>
>> VSUM is a potentially very useful product.  How many times on this
>> list alone have we seen people asking "I've got XXXX virus, what does
>> it do??"  My only beef with VSUM is that the information is SO
>> inaccurate.  The VSUM hypertext interface is extremely easy to use, if

>There are two other alternatives.  First, we are working on a browsing
>program for the Computer Virus Catalog (of which MSDOSVIR is only a

>The second alternative is produced by ICSA and is called V-Base.  A

Just to add to the list, there is now a product called VID (Virus
Information Database, I think), produced by an outfit called "Cairo
Research".  It is not available at any ftp site that I am aware of, and
I have no idea how good it is, not having seen a copy.

(PS - Greetings from the "Delegate Dial-Home" booth at DECUS Symposium in
Montreal.)

------------------------------

Date:    Wed, 03 Mar 93 18:54:47 -0500
From:    Donald G Peters
Subject: Canada and viruses

A friend of mine at the RCMP said that if it can be proven that you
intended to cause harm by posting a virus, they could get you on a
"misdemeanor" charge.  However, "law enforcement is driven by economics",
so you don't have to worry about your life unless you do something big.

Sorry I haven't been able to reply about the EXE/COM thing yet.  I have
been unable to login much this week because I am calling long distance
right now.
------------------------------

Date:    Thu, 04 Mar 93 00:53:08 +0000
From:    rkolter@csuohio.edu (Ryan Kolter)
Subject: Re: Gender switching virus

Colin Eric Johnson (colinj@monet.ccs.itd.umich.edu) writes:
:
: I have just heard (through the grapevine here) of a virus that
: will scan through text documents and replace any gender specific nouns
: and pronouns with their gender-opposites (he -> she).
:
: Is this in fact a virus?  And does it exist?

I'm not by any close means a "strong" programmer (as of yet), but
programming such a thing would seem easy enough; considering what viruses
already can do, editing a text file would seem like child's play.
Further, if I -had- to be infected by a virus, this would certainly be
one of the more preferential ones.  ;)

- --Hills

------------------------------

Date:    Wed, 03 Mar 93 19:57:49 -0500
From:    "Paul D. Bradshaw"
Subject: re: Diana P

With regards to Diana Princess of Wales's last name, it would be Spence
(her maiden) or Windsor (Charles's last name).  This Diana P being the
Princess of Wales sounds like a real long shot to me too.

- -------------------------------------------------------------------------
Paul D. Bradshaw                    Computing and Communications Services
ACDPaul@VM.UoGuelph.Ca              University of Guelph,
PaulB@SuppServ.CIS.UoGuelph.Ca      Guelph, Ontario, Canada
- -------------------------------------------------------------------------

------------------------------

Date:    Wed, 03 Mar 93 09:31:51 -0500
From:    "Gerry Santoro - CAC/PSU 814-863-7896"
Subject: wordperfect virus? (PC)

After scanning the past year's worth of VIRUS-L offerings I've seen this
question asked before, but with no reply.  Since it has now hit at my
institution I will ask it again in the hopes that someone knows what is
happening.

A number of our lab machines are exhibiting very strange WordPerfect
behavior.  For example, very small user documents are growing to
extremely large size, until they fill up available disk space.
Scans with F-PROT do not identify any known virus.  Can anyone clue me
into what is happening?  In all cases the version of WP5.1 is being run
from a read-only volume of a Banyan network server.

Any info would be greatly appreciated!

gerry santoro (gms@psuvm.psu.edu)  |  academic computing/speech communication
-(*)-  penn state university  .....  |  .....

------------------------------

Date:    Wed, 03 Mar 93 10:50:08 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: EXE/COM switch (PC)

>From: antkow@eclipse.sheridanc.on.ca (Chris Antkow)

>       The fact of the matter is, that any resident virus that monitors
>function 4Bh, subfunction 00h (Int 21h) WILL be able to infect a file,
>even if the extension has been renamed... (Provided the virus is written
>"correctly"... Gack).

A good comment though perhaps incomprehensible to some readers.  A
computer really does not care very much what it will run so long as it
is presented properly to it (will now talk about PCs specifically since
that is the current topic but applies to most architectures; EXEC is
taken from UNIX).

It has been correctly stated that .COM .EXE and .BAT are identifiers used
by COMMAND.COM and not DOS or the BIOS, other than COMMAND.COM being a
default called by MSDOS.SYS (IBMDOS.COM for PC-DOS).  Also, if C.C is
altered using DEBUG or some other editor, COMMAND.COM will very happily
use those extensions instead.  Further, most GUIs add additional
extensions/formats that may be executed.

Next, when given a program name that matches one of the three allowable
extensions, COMMAND.COM will load that program and attempt to execute it
even if it is a LOTUS worksheet.

>       Whenever a file is executed, it is immediately passed to AX,4B00h/INT
>21h.  The rest is at the mercy of the viral code...  If the file can't be
>executed, then it's never passed to AX,4B00h/INT 21h...
>       (Someone correct me if I'm wrong...)
Well, real close 8*)  Actually, when the EXEC interrupt (nickname) occurs,
various parameters and tables are set up for the program, the program is
loaded into memory, certain values are saved and flags set, and control
is transferred to the program.  Any program can use this call to load a
program just as COMMAND.COM does, or can duplicate the functions (not easy
but can be done; do not forget that *everything* DOS does can be
duplicated using only BIOS interrupts).

Certainly any virus that intercepts the EXEC call will have access to any
program executed regardless of extension; however, a properly written
Integrity Management routine will have trapped it first and can detect
any attempt to take it away.  For every attack there is a defense.  I
have been using one for several years now and the nice thing is that the
only updates needed have been to reduce the TSR size.

The problem is that we are still dealing with first generation
constructs.  For example -

a) IM program can take control of EXEC.
b) Virus can take control also.
c) IM program can detect removal of control.
d) Legitimate programs may also take control & be blocked by IM.

(c) is a second generation response and (d) is a problem that occurs
because of that response, so we need

e) Table of permitted programs &
f) following permitted program, IM moves self to end of chain again and
   continues watching for (b).

Now this leads to

g) Virus removes IM program

which requires

h) IM validation routine

(continue iterating ad nauseam).

It is now nearly ten years PC (Post Cohen) and most a-v programs are
still working at the (a)(b) level.  Fortunately, most viruses are also,
but the keyword is "most" - not all.

Just as a final thought, consider the following: the problem with
converting EXE, COM, & BAT in COMMAND.COM is the fact that EXEC receives
the actual & complete file name so it can retrieve it from the disk.  As
a result a virus intercepting Int 21 Fn 4B can locate & infect the file
whatever the extension.
However, what if the name passed by COMMAND.COM was *not* necessarily
the executable filename?  What would be necessary for the PC to operate
properly?  The exercise is left to the students 8*)

Warmly,
Padgett

ps my picture was not in the Lefkonference brochure but I am planning to
be there.  Try the bar first.

------------------------------

Date:    Wed, 03 Mar 93 12:55:04 -0500
From:    "Mario Rodriguez (virus researcher)"
Subject: New disinfector for Slow/Zerotime virus. (PC)

Hello, I'm a virus researcher of Mexico.  I made a disinfector for
Slow/Zerotime virus.  This virus seems to have struck in Australia.  The
disinfector is named NOSLOW v1.0 and is available to anyone who asks for
it via direct mail.  I uploaded it to garbo.uwasa.fi but I think it would
take too much to become available in there.  I also sent it to some of
the main researchers, so it's possible that soon their vaccines will
detect and remove the virus too.

Unfortunately, NOSLOW only removes the virus from .COM files.  .EXE files
are renamed to .VIR.

Regards
Mario Rodriguez
Instituto de Estudios Superiores de Monterrey.
Campus Estado de Mexico
em436861 at itesmvf1.cem.itesm.mx
em436861 at rsserv.cem.itesm.mx

------------------------------

Date:    03 Mar 93 12:35:31 -0600
From:    bauman@vax1.mankato.msus.edu
Subject: Kudos to McAfee (PC)

I would just like to congratulate McAfee.  From what I have gotten in the
past to what I downloaded Mar. 2 (V102), I have seen a great improvement
and turnaround.  Many thanks.

Bauman.MSU.Mankato State

------------------------------

Date:    Wed, 03 Mar 93 17:58:00 -0500
From:    Jimmy Kuo
Subject: Re[2]: Twelve Tricks (PC)

Vesselin writes:
>REEDA@ibm3090.bham.ac.uk writes:
>> Norton anti-virus detected Twelve-Tricks virus on one of our PCs but
>> f-prot 2.06a reported the PC as clean.  Is this virus one that the
>> current f-prot misses or have we found a NAV false +ve?

>NAV is definitively wrong.  Twelve Tricks is a trojan, not a virus, and
>it does not spread.
It is very unlikely that it is on your computer.

>On the other side, F-Prot 2.06a -does- detect this trojan (and
>properly reports it as trojan).

In this case, the person reporting the incident made an incorrect
translation of what was presented on the screen, prompting your
accusation that NAV was wrong.  NAV's message in this case would have
been:

        FILENAME.COM contains a strain of 12 Tricks Trojan

>There is one remote possibility that there is -something- on your
>computer that just happens to contain the scan string for Twelve
>Tricks that NAV uses.  Where is the "virus" find?  In a file?  In many
>files?  In the MBR?  Are you using the latest version of NAV?  Have you
>contacted your local tech support for NAV?

In this case, there is a CRC at a specific point into a file.  Please
send us the file and we will gladly determine if it is in fact a copy of
12 Tricks Trojan or if it is a false id.  If it is a false id, we will
fix the definition.

NAV contains a memory def, a MBR check and repair (should you have been
afflicted), and checks COM files for "12 Tricks Trojan".  And as always,
you may choose to delete the def from your set if you so choose.  But
easiest is to send it to me and I'll tell you.

But this situation does punctuate why I am considering removing Trojans
as a class from our def set.

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Wed, 03 Mar 93 21:28:58 -0500
From:    Jimmy Kuo
Subject: Re: PC Magazine reviews virus scanners (PC)

First, I'd like to state that I am an employee of Symantec in the NAV
group.  That out of the way...

There's a fundamental wrong in your (plural) interpretation of the PC
Magazine review.  The fundamental problem is that the article reviewed
"Antivirus Software" and the subject line above says "virus scanners."

Vesselin wrote, re: scanners, in digest #22:
>... scanners are -useful- and should be used as a
>first line of defense.
>(Up-to-date scanners, of course; an old scanner
>is worse than no scanner at all, because it gives you a false sense of
>security...)  However, no defense should rely on scanners -alone-,
>because they are a -weak- defense.  You must use a layered approach,
>with several protection levels, like integrity checking software, some
>kind of access control, and, of course, backup.

Chris Wong states:
>4. Review emphasized completeness of package: disinfection,
>   comprehensiveness of service etc, not detection ability.

Although winning the award was a nice morale booster, the last paragraph
of our review was far better.  The paragraph starts:

(PC Magazine, March 16, 1993, p240)
Symantec recently acquired Certus International, which makes NOVI, and
expects ...

Hopefully, in this light, you will go back and re-read the article with
understanding instead of disbelief.

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Sun, 28 Feb 93 11:36:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Central Point Antivirus and Stacker (PC)

Hi.

You write:

> I use stacker, and recently have begun Internet, etc. more...
> Are Central Point Antivirus and Stacker compatible?

Well:
I truly recommend NOT to optimize your disk too frequently, and make
frequent backup for ALL the DATA on your disk BEFORE using the TSR parts
of that Anti Virus.  Remember that stacker (or any other disk doubler)
uses the DOS environment to do whatever it is doing, and so do Anti
Virus TSRs (especially those that use much interrupt monitoring).  A
conflict might be fatal (generally speaking).

The best answer to your question is: Try!  But be prepared.

Regards.

* Amir Netiv.
V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Sun, 28 Feb 93 12:36:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Re: EXE/COM switch (PC)

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> Viruses which infect files often *look* for the
> extensions EXE and COM.

Well, that is not always true, nor is it true in most cases, but more
like: viruses look for executable files.

> you should rename your EXE files as XXX so that a virus
> will not find it and it will remain safe from infection.

Generally you are right.  In this case most common viruses will not
infect such a file, but neither will it run, as you yourself mention.

> From what I have read, many viruses are *either* EXE or COM
> infectors, but not both.

Not likely.  Unfortunately the viruses that you refer to are ancient
history or do not pose a threat any more.  Many of the modern viruses
infect both.

> The trouble with the XXX idea above is that the
> programs cannot be found and cannot be run with such a name.

Right.

> rename all your EXE files as COM and rename all your
> COM files as EXE.  Believe it or not, DOS is still able
> to run your programs after you make this switch.  DOS does
> not rely on the extension to determine if the program is
> relocatable (a la EXE) or not (a la COM), rather it looks
> for the file signature ("MZ",

Definitely true.  DOS will not be fooled by the trick, but neither will
most of the viruses, since most of the EXE infectors will check the MZ
header as will DOS, since this is a way to determine a type of infection
by viruses that get their information from the DOS OPEN FILE function,
using the FCB to retrieve information, or by other means.

BTW: Check the header of 4DOS.COM... you will be surprised.

> perhaps a simple modification to the boot sector may
> make this possible.
BOOT sector does not have any implications on the working environment,
but only on DOS loading at startup, and on determining how to read from
a floppy or disk each time it is replaced (using the BPB of the boot
sector).

> A handful of programs may not run with the EXE/COM
> switch, and some programs may require "reconfiguration"
> especially if they are looking for programs of a given name,
> although some of them allow you to change the name to search
> for.

You really thought of everything...  Many programs look for a file with a
certain name, and this will cause problems.

> In the future, viruses WILL be able to defeat this
> approach,

Even today.

> Remember where you heard this from!
> (because I always wanted to be famous as a kid...)

Good of you to invest the time in solving one of the biggest problems of
our time.  Keep up the good work.

Just to summarize: The method that you mentioned is in use already today
in several virus traps that anti viruses use.  But these work with
certain viruses (not all), and are used usually to detect that the virus
is active.  None of it will give a sufficient solution to the problem,
neither will the methods of changing the attribute of command.com to
Hidden System ReadOnly, or others.  Viruses are still a problem, and
will continue to be so for yet some time.

Regards

* Amir Netiv.
V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Sun, 28 Feb 93 13:08:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: standardization (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> First, somebody has to come up with a good naming
> scheme.  But what is a "good" naming scheme?  For instance, for me, a good
> naming scheme is a scheme that allows two people to understand each
> other that they are talking about a particular virus variant.
> That is,
> when I'm saying Jerusalem.AntiCAD.4096.Mozart, Frisk knows what I
> mean.

I would differentiate the interests of Virus researchers from those of
the common user.  You would very much like to have a scanner that
supplies the NAME, the full CHAIN of parental viruses and sub viruses
etc... while the common user's only wish would be to know what disease
he has, and get cured!  Suppose you tell a user: "You have the
Parkinson.AtzeliCholine.Flue disease" (not that such exists), what do
you think his/her reaction will be?  I suggest that an ambulance will be
on standby when breaking the news to such a patient.

> But the producer of product XYZ does not like it, because it
> takes too much memory in its resident scanner to keep such long
> names.

Anyway, what is the purpose of telling the virus name in a TSR?  Is it
not enough to tell the user "You've got a problem, Check it!"?

> (CARO) have come up with such a naming scheme and now
> we are waiting the other anti-virus producers to use it.  The latest
> status of the proposal is available for anonymous ftp from our site:

It's great for research purposes, but not for common users, which are
the majority that suffers from the problem.

> The second problem is that different producers of
> virus scanners use different approaches to scan for viruses.
.......
> the scanner ZYX, who calls all the 200 Jerusalem subvariants
> "Jerusalem-B".  So, obviously, he is not likely to adopt this naming
> scheme.

Do you think it's a wise idea to give a name to each variant of Jerusalem
(from the example that you used), a name of its own?  Do you know how
many variants of the virus exist that you don't even know about?  Does
it cause any problem in cleaning these viruses from an infected site
even if their name is simply "Jerusalem-B"?

> Third, even if two producers of scanners agree to use
> one and the same names, it is very difficult to keep their products
> synchronized.
> For instance, both F-Prot and FindVirus are using the CARO
> naming scheme (although they use a different notation), and they -
> tend- to use the same names for the viruses, and both Frisk and Dr.
> Solomon are getting the new viruses practically at one and the same time,
> yet if you look at that "naming" file mentioned above, you'll see how
> different the names used by their programs still are...  The anti-
> virus researchers are really overloaded with new viruses popping up
> literally every day, and they have more important things to do than to sit
> and ponder whether to call the yet another silly overwriting
> Burger variant Burger.V or Burger.Y.  (Yet, they are doing this
> too...)  The problem increases in difficulty in an exponential rate, if
> more than two scanners have to be synchronized...

It is our responsibility (SCANNER developers) to make sure that a virus
is cleaned or detected.  No matter if you call it "Poteto" and we call
it "Potato" (phonetically expressed), as long as the cleaning procedure
is working well.

I think there is already a naming scheme present.  It goes like this:
McAfee gets a virus, releases the next VIRLIST.TXT, and everyone just
uses it.  If a new virus appears that is not there, a name is given to
it according to its behaviour, and so on...

Regards

* Amir Netiv.
V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Sun, 28 Feb 93 11:50:00 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: scanners. (PC)

Amir Netiv writes:

> You write:

Just a side notice - when this goes to the virus-l, people don't know
who you wrote the message to.  In VirNEt, it's to Inbar Raz, but all
they see is a post by Amir.Netiv@, to All.  'You write' is not very
clear, I hope you agree...

> That is not entirely correct.  There are other ways to detect new
> viruses, these are what we call generic programs.
> However you are right
> in the manner that PASSIVE scanning will detect only known viruses, or
> possibly new ones with heuristic scanners only.

I was categorizing scanners. About defending against NEW viruses, there are a lot of ways. For example, a protective shield that is mounted on a file. True, it's effective only against the normal end-of-file-leeching viruses, but still, a lot of them DO work like that, including the new ones. Making CRC checks from a BOOTING FLOPPY will also catch ANY virus, provided it hasn't infected your floppy yet. BRM's V-Analyst, I believe, also gives you some means of protection by storing vital information about the file in its database - just like the shield, but an external program.

> Yet there are programs that detect new viruses while attempting to
> execute (such is IRIS's TSR module, and some optional McAfee's VSHIELD
> functions, and there are others...) Our software for example, will
> detect new viruses, and even eliminate them while they are completely
> unknown to the program.

The problem with TSRs is that, as simple as they are to INSTALL resident, they are also easy to remove from memory. The moment a virus writer acquires your module, he can write a relatively small piece of code that will unload your TSR, without it knowing about it. A friend of mine once wrote an 80-byte routine to unload Carmel's TSafe. I believe that after a little research, I could unload almost anything.

Inbar Raz

- - --
Inbar Raz                     5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Sun, 28 Feb 93 12:28:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanning memory (PC)

ac999512 writes:

> I agree that scanners shouldn't scream and yell when they detect a
> virus floating in RAM that isn't active.
> Yet on the other hand,
> nothing should be taken for granted as to where a virus is, as stated
> above.

And how, exactly, are you supposed to determine whether the virus is active or not? I mean, it's not only HOW each software detects it (what search string), but what it does to deactivate him. Now, unless all anti-virus software disables viruses in the same method, you can't know whether a virus is active or not, UNLESS you know EXACTLY how the entire virus code is supposed to look, and you look for exceptions. When a program detects a virus, not only should it wipe the search string it was looking for from the virus code, it should also erase any other non-necessary information.

> I think it best that scanners should check interrupt vectors and so
> forth to determine if the virus is active, then inform the user as to
> the presence of the virus, and whether or not it is active.
> Flexibility is the best policy.

Viruses as early as the 4096 would beat this technique. I think that most of the stealths would, too. And, if you're running QEMM, and someone got smart enough and used the IDT, you're lost.

Inbar Raz

- - --
Inbar Raz                     5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Sun, 28 Feb 93 11:48:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: file name virus? (PC)

Scott Hayes cnews@umr.edu (UMR Usenet News Post) writes:

> now when it attempts to create a file it says "ERROR,
> CAN'T CREATE bMYFILE.BAT" where the "b" is a beta (ASCII 225
> in the English version of the extended character set).

Well, it looks like your program was corrupted, but this can be checked by using a copy of the suspected program from an old backup.
Another possibility might be that something that was copied from the guy's friend has created the problem, but it could be something simple like: the "copy" has overwritten autoexec.bat or config.sys and loaded a program that causes the problem, or caused to unload a program (a driver maybe? or a change to FILES=XXX in config.sys?) that your program requires. Fortunately most problems are not so glorious (regarding the virus's point of view).

Regards

* Amir Netiv. V-CARE Anti Virus, Head team. *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 39]
*****************************************
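Inbar Raz's "scanners. (PC)" post above describes two generic defences against unknown viruses: making CRC checks of files from a clean booting floppy, and keeping "vital information about the file" in a database so a later run can spot changes. The script below is an added example illustrating that approach; it is not code from the digest, from V-Analyst, or from any other product named in it. It records size and CRC32 for executable-like files under a directory, then reports files that changed, grew (the pattern of an appending infector), appeared or vanished. The sample tree and the modifications applied to it are constructed inside the script, so it runs offline.

```python
"""Integrity baseline check in the spirit of the CRC-from-a-clean-floppy approach
discussed in the digest.  Added example, not code from any product named there.
The sample files and the changes made to them are constructed below."""
import os
import tempfile
import zlib


def crc32_file(path, chunk=65536):
    """CRC32 of a file's contents, streamed so large files need not fit in RAM."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def build_baseline(root, extensions=(".com", ".exe", ".sys", ".bat")):
    """Map relative path -> (size, crc32) for executable-like files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), crc32_file(full))
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan.
    'grown' = longer and different CRC, the signature of something appended
    to the file; 'modified' = same or smaller size but different content."""
    report = {"modified": [], "grown": [], "added": [], "missing": []}
    for rel, (size, crc) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        new_size, new_crc = current[rel]
        if (new_size, new_crc) == (size, crc):
            continue
        if new_size > size:
            report["grown"].append(rel)
        else:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: baseline a small tree, then apply four kinds of change."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed byte strings, not real DOS binaries
            "COMMAND.COM": b"\xb8\x00\x4c\xcd\x21" * 40,
            "UTIL/EDIT.EXE": b"MZ" + b"\x00" * 200,
            "AUTOEXEC.BAT": b"@ECHO OFF\r\nPROMPT $P$G\r\n",
            "README.TXT": b"not covered by the baseline\r\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        before = build_baseline(root)

        # 1) 1024 bytes appended to EDIT.EXE (stand-in for an appending change)
        with open(os.path.join(root, "UTIL", "EDIT.EXE"), "ab") as fh:
            fh.write(b"\x90" * 1024)
        # 2) AUTOEXEC.BAT rewritten to the same length with different content
        with open(os.path.join(root, "AUTOEXEC.BAT"), "wb") as fh:
            fh.write(b"@ECHO OFF\r\nPROMPT $G$P\r\n")
        # 3) a new executable appears; 4) COMMAND.COM disappears
        with open(os.path.join(root, "NEW.COM"), "wb") as fh:
            fh.write(b"\xcd\x20")
        os.remove(os.path.join(root, "COMMAND.COM"))

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

The size check matters because, as the post notes, many infectors simply append to the end of the file; a same-length change (a patched byte, a rewritten batch file) is caught by the CRC alone. CRC32 is an error-detecting code, not a cryptographic hash, so a deliberate same-CRC forgery is possible; the post's real safeguard is that the baseline is read from a clean, write-protected boot floppy the running system never touched.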