Return-Path: Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA24379; Thu, 9 Apr 92 20:42:08 +0200 Message-Id: <9204091842.AA24379@abacus> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 5531; Thu, 09 Apr 92 14:27:42 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 9001; Thu, 09 Apr 92 14:27:24 EDT Date: Thu, 9 Apr 1992 14:21:38 EDT Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #85 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: RO VIRUS-L Digest Thursday, 9 Apr 1992 Volume 5 : Issue 85 Today's Topics: Re: Which Package is Best? (PC) Defence from mutating viruses. (PC) home made anti-virus tricks and questions (PC) Queries about F-Prot 2.02D (PC) The word 'Cascade' in my hardware ?? (PC) Boot Record Disinfection (DOS) (PC) Re: Measuring Michelangelo (PC) Re: Questions about AAVIRUS (PC) LAN PROTECT by Intel?? (PC) Re: Stoned/SBC (PC) Re: Questions about AAVIRUS (PC) OS/2 anti-virus programs (OS/2) Possible SYSMAN trojan horse (VAX/VMS) Does anyone know what are companies doing about viruses? Virus infection tracking International virus symbol.. Re: Computer Hazzard Symbol New files on Eugene New files on eugene again! (PC) New Integrity Master (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 06 Apr 92 16:26:00 +0200 From: Y. Radai Subject: Re: Which Package is Best? (PC) Wolfgang Stiller writes: > > However, when I answered Vesselin's question, my criterion in > >comparing the two checkers for speed was to use the *fastest* mode > >which each product provides. > >Come on now! If we're comparing two products like this, it makes >sense to compare the modes of operation that are most alike. If in full >check mode, Integrity Master reads and checks each and every byte on >each and every file (or just executables). This would seem the most >"apples to apples" basis for comparison, since UT does basically the same >thing. "Come on now" yourself! You know very well that the day after I wrote the lines which you quote at the top, I published a clarification ex- plaining that I did not mean "fastest" in an absolute sense, but the fastest *practically secure* mode, and that I conceded that since I would never be able to convince you that IM's quick update does not meet that requirement while UT's does, I was withdrawing my former claim concerning relative speed. Moreover, you know very well that I sent you a personal copy of that clarification and that you acknow- ledged it!! So why are you now, a week after my clarification, rever- ting to what you know very well is not what I intended???? > Will UT check ALL files (not just executables) like IM? Will >UT check source files (intended for programmers) along with executables? Absolutely, if you request it. >You don't seriously still maintain that UT's quick check is as secure as >a full check????? Consider if a single file is infected or corrupted, >UT's quick check will miss this, while Integrity Master's full check >will certainly detect it. Just why do you decide that "UT's quick check will miss this"? In the great majority of infections, it won't miss it even on a single run. And if it does, it will eventually be picked up because of the fact that the quick check actually does a full check on a random 10% of the viruses. (Btw, I like Vesselin's suggestion of making this percentage selectable by the user.) > >I think what you're trying to describe is what I referred to as an > >"ambiguity" virus in my paper. It can't be detected by a checksummer > >*alone*, but there are other measures which can be taken in this case, > >and who says that the burden must be on a checksummer alone? > >I believe the fifth generation folks say this ;-)! Their ads claim >that once you buy UT you will not need to update or buy another product >and be safe forever. Or do I misunderstand? First of all, I don't see that *you* say anywhere that *IM* cannot de- tect such a virus, although what I wrote above is just as true for IM as for UT. Did you ever think of such a virus? Secondly, I state for the third time that I have not seen FGS's ads. However, Vesselin has stated: >Oh, the guys from the marketing company did a pretty good job! They >wrote: "Only Untouchable guarantees 100% safe recovery of infected >files". Which is true - if the UT ever succeeds to remove a virus with >its generic algorithm, you can be sure that the file is 100% recovered >to its original state - since a checksum of the clean file is kept and >verified. What you have claimed is that this might be interpreted to mean that UT can be relied upon to provide recovery of all infected files. Ok, so please take your complaint to FGS, not to me. I'm a satisfied user of UT, not the defense attorney for FGS's advertising dept., though you seem to be trying to force me into that position. From an earlier reply of yours to Vesselin: >IM has the quick check for a totally different reason than UT's. >Actually IM calls it a "quick integrity update". This does not do a >sampling as UT does, but provides a fast way to do a full check of all >files which are new and do a full check also of any files which show >signs of having changed such time/date stamps or file size changes. Since almost all viruses preserve the date and time, that means it will not detect viruses which do not change the file size, i.e. those (like Number of the Beast) which hide the increase behind the eof mark, those (like ZeroHunt) which inhabit stack space, and those (not yet in existence?) which compensate for an increase in size by com- pressing the file. (Of course, that's also true for stealth and semi-stealth viruses which are active in memory, but that's common to all programs if booting isn't done from a clean diskette.) Admittedly, such viruses are not very common. However, in contrast to UT's quick check, which eventually performs a full check on all files, the above types of viruses will *never* be detected as long as only IM-type quick checks are performed. That's the main reason why I wrote that I consider UT's quick check to be more secure than IM's quick update. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Mon, 06 Apr 92 13:28:36 +0300 From: kiae!rtech!vl!ALS@vl.ts.kiev.ua Subject: Defence from mutating viruses. (PC) > mike.opzoomer@canrem.com (Mike Opzoomer) writes: > > The polymorphic engine is just that, and once infected it mutates on > > an ongoing basis, rendering any scan utility useless (unless you have > > a copy of the size of the original file) > > I tend to agree that there cannot be a virus for which there is no > protection, but it looks like we are starting to see viruses for which > the vast majority of conventional methods fail. > > Rememberring that there are more ways of stopping a virus than simply > scanning for it, what other anti-viral methods (e.g. change detectors, > software write-protection, anything) actually succeed? Has anyone > carried out the tests? If not, could someone with the engine do so - > quick, please! > Just now there is no any idea to increase scanners capability of checking polymorphic viruses. It looks like virus scanners would be removed from front line of battle against viruses. It seems to me that there is time for non-traditional methods for preventing virus infection. I made some testing of what would be if I can change some codes of MS-DOS resident part to make it more virus-safe. First idea was to make ReadOnly attribute stronger. I wrote a little program that makes changes in MSDOS.SYS (in memory, of course, not in disk file). After that nobody can remove ReadOnly attribute (it receives error code: Access denied), so it can't infect files with this attribute set via file operations (open file, write to file, close file). More than that, you can freely set or remove all other file attributes except ReadOnly. For info purposes my program also writes red border on EGA/VGA display if somebody tries to remove ReadOnly. It is possible in my program (called RLock) to restore old MS-DOS attributes manipulations if you really need to do something with protected by this method files (for examle, to delete it or move). Results were surprising - nearly 95% of viruses were unable to infect files after setting RLock defence. Some of them even didn't try to remove Readonly and failured, other failured with removing and very intellectual viruses that used tracing Int 21 chain to jump directly into MS-DOS Int 21h routine failured too because RLock protection of ReadOnly attribute became a part of MS-DOS itself. And what about 5%? These viruses used direct access to disk via Int 13h or DOS internal tables to infect files without removing ReadOnly attribute. I used the second idea to prevent their deeds: wrote another programm modifying IO.SYS and MSDOS.SYS that can prevent direct access to disk to all programs EXCEPT COMMAND.COM. As a result disk is opened for any standart file IO (open, close, write, read) and any file editors and compilers work correctly, but it is WRITE PROTECTED for direct writing to it. And also I filled this programm with trips that can make impossible for virus to access DOS internal tables. If anybody tries to do it, resident part of my second programm (called HDD - Hard Disks Defender) returnes COPY of the DOS table with incorrect values in critical fields. RLock and HDD are DOS-depended and were written for MS-DOS 4.0, 4.01 and 5.0. As a result only very DOS-depended viruses can ignore this defence. I don't know such viruses just now, but even if anybody can write them, these viruses can die with the next MS-DOS version because of their DOS-dependence. I think that idea of writing of virus defence as native part of DOS has future. Anti-viral packets can be simply modified and quickly sent to PC users when new DOS version was upgraded, while viruses have long way to their "users". And what are you thiking about it? - -- Alexander Shehovtsov, (8-044)266-70-28 (9:00 - 18:00 Kiev, Ukraine) voice als@vl.ts.kiev.ua Relcom | 2:463/30.5 or 2:463/34.4 FidoNet ------------------------------ Date: Mon, 06 Apr 92 22:55:00 +0000 From: cosc15yc@rosie.uh.edu (92S10711) Subject: home made anti-virus tricks and questions (PC) Please answer these questions for a new computer owner. 1. If I set the attribute of all files on disk to read only, would that trip any known/popular virus that trying to infect say command.com (i. e. dos would say *.com readonly message alert me to virus present). 2. Can virus infect any file extension or just .com and .exe? 3. Can virus infect( not destroy) a disk with no .com and .exe files and no bad sector 4. Can virus infect a nonbootable floppy with only .zip file with no bad sector ? Did you ever del the command.com in the root directory? Take 3 weeks to find/learn that only dos 3.3 or above can access 40meg partition HD when I first buy a computer. Thank in advance Tony cosc15yc@jetson.uh.edu ------------------------------ Date: 06 Apr 92 14:44:00 +0100 From: sgr4211@uk0x08.ggr.co.uk Subject: Queries about F-Prot 2.02D (PC) I find that (running in interactive mode) I only get a report if something "suspicious" was found. It doesn't appear to consider packed files as "suspicious", so there is no mention of them being present *unless* I have some sort of problem, eg viruses present or some kind of "invalid" file. When I *do* get a report, it notes all the PKLITE, DIET and EXEPACK files as "not scanned". I thought 2.02D was supposed to scan such compressed files - is this a bug in the reporting, or is it really not scanning them? Personally, I think that all files genuinely not scanned should *always* appear in a report, regardless of whether or not F-Prot "thinks" that there was a "problem". Also, I notice that some of the viruses in the "information" browser are picked-out in yellow, and these ones have an asterisk against their names when you look at the accompanying text. Any idea what this represents? Didn't notice any link between them. Couldn't see anything in the documentation about it (don't think it's been updated for 2.02D). Steve Richards. ------------------------------ Date: Tue, 07 Apr 92 04:56:06 +0000 From: alamma@craft.camp.clarkson.edu (Munir A. Alam) Subject: The word 'Cascade' in my hardware ?? (PC) I just recently got Norton Utilties Version 6.0, while checking out all the new features, I noticed on System Info under the 'Hardware Interrupts' the following: Number Address Name Owner ----- --------- ------------------------- --------------- IRQ 00 1934:003C Timer Output 0 DOS System Area IRQ 01 1934:0045 Keyboard DOS System Area IRQ 02 F000:1F1A [Cascade] BIOS IRQ 03 F000:1F1A COM2 BIOS Cascade ? Cascade the virus ? This was on a 286, IBM PS/2 Model 30. I checked it out (With Norton 6) on a friends 386. Same thing. So I scanned the memory for the text 'Cascade'. Sure enough I found it, but thats about all it was....the word 'Cascade'.... just sitting in my memory. I booted up from a clean floppy. And it was still there. I'm not worried, nothings wrong with my computer and I doubt a simple virus like Cascade could be in my ROM, but it sure is intriqing. I also checked it out with Norton 5.0 and PCTools but it failed to show it. Is this some Norton 6.0 thing ? Any info on this would be appreciated. Thanks......... - -Munir alamma@logic.camp.clarkson.edu ------------------------------ Date: Tue, 07 Apr 92 10:40:58 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Boot Record Disinfection (DOS) (PC) Posted for Roger Riordan > In Australia dealers often >booted PCs from infected master disks before partitioning the >hard disk. CLEAN puts back the whole of the hidden MBR, including >the now incorrect partition information. This is why my FixMBR takes a different approach, looking at the P-Table, determining its validity, and (preferably though at the users option) replacing all of the code. The major differences between FDISK/MBR and FixMBR is that the SafeMBR code adds BIOS integrity checking to the boot process and, unlike FDISK, FixMBR looks at more than just the first sector for valid partition tables. >With things like Stacker, etc, around we will be very wary of doing >any more delving in the hardware. If a virus crashes on 30 (or even >50)% of PCs it will still propagate happily, but if our program >crashes on one PC in 1000 we will get complaints about it. Again, code operating from the BIOS level can do this kind of checking without such risks (ask Rob Slade), it is only after DOS has loaded that the path gets murkey. IMHO BIOS code can establish such hardware paths, authenticate them, establish system integrity at this point, and pass such information onto software loading after the OS. Further, since disk compression drivers often make it impossible to check they system files, boot record, MBR, or even CONFIG.SYS safely or reliably from the DOS level, such BIOS checking will become even more necessary in the future (only been pushing it for two years now). - ---------------------- Having said that, I would like to solicit some help. As you know FixFBR is unbootable repair for floppy disk boot records. Like FixMBR, it does not trust code on an infected disk, instead replacing the entire boot record, generating the BPB from scratch if necessary. My current project (code named "FixDBR") will complete the loop by providing code replacement with virus detection to bootable disks both hard and floppy. The code is complete and I have tested (so far) with fourteen different DOS variants ranging from PC-DOS 2.10 to MS-DOS 5.0 and intermediate stops at Compaq, Zenith, & DRI. What I have discovered is that unlike most MBRs where the termination status is easy, Boot Records are liable to expect particular values to be left in memory and in the registers. There is enough difference that for example a boot record configured for Compaq 3.31 will hang a Zenith 3.30+ OS and turnabout even though both call their first system file IBMBIO.SYS so a small custom "termination" module is necessary. The problem is that while it can handle all OSs that I have seen, samples are needed of the "off-brands" to ensure compatability. In particular, I need the European "ERS" and "P16" variants (the first hidden file is called ERSBIO.COM for the first and P16BIO.COM for the second. I do not know if there is more than one variant of each or what DOS # they are analogous to. If anyone on V-L has copies of these, I do not need the whole thing (though a formatted, bootable floppy with COMMAND.COM, FORMAT.*, and DEBUG.* or equivalent would be welcome). What I need is: 1) Name of the Operating System 2) Ascii dump of the DOS boot record (NOT the MBR if from hard disk) 3) Name, size, and date of the first hidden system file (*BIO.COM or *IO.SYS) 4) Ascii dump of the first executable sector of the above file (may start with a Jump - I need the initial code that is executed). 5) When booted, what does the "ver" command return ? UUencoded Zips are the easiest way to E-Mail. I can also handle TeleDisk or SendDisk (can be very small if a newly formatted bootable 360k floppy disk is used containing only programs (COMMAND, DEBUG, & FORMAT) described above and then ZIPped). In particular, I would appreciate such copies of those systems for which a generic anti-viral remover (such as M-DISK) has *failed* OTHER than the Zenith varients (I have them). In any event I should be able to release a "beta" RSN. Warmly, Padgett E-Mail: padgett@tccslr.dnet.mmc.com Surface Mail: POB 1203, Windermere, Florida, USA 34786 ------------------------------ Date: Tue, 07 Apr 92 11:00:00 -0600 From: Sharon Strauss 5244 Subject: Re: Measuring Michelangelo (PC) Frisk writes, >However, in my opinion the real danger is elsewhere - some companies >distributed Michelangelo-specific detection programs free of charge - >many people may have received them, found that they did not have >Michelangleo and belive their machines are "clean"....but in reality >they may be infected with "Stoned" or any other (common) virus. This is my experience. Michelangelo generated lots of interest in virus protection here. Thanks to Frisk's F-Prot, we could easily afford to give virus checkers to all PC users here. In the few weeks before March 6 we found plenty of Stoned, Yankee Doodle and Forms viruses--but no Michelangelo. We even found a number of other critical problems (no working floppy drive, corrupted DOS programs, general confusion about PC fundamentals) which we were able to identify and fix. (Well, I'm sure there is still plenty of confusion about the PC.) Thanks to the publicity about Michelangelo we raised general awareness about viruses here--at least for now. However, if people had used programs which only detect Michelangelo (and some probably did) we would not have found the real virus and other problems our PC users face. ------------------------------ Date: Tue, 07 Apr 92 18:37:38 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Re: Questions about AAVIRUS (PC) James_Williams%ESS%NIAID@nih3plus.BITNET writes: >1. Have any of the virus experts on this list looked at AAVIRUS? What > is your opinion of it? I have had a brief look at it, and, yes, I agree it is a neat and needed program. I have not reviewed it in depth yet. >2. How affective is a checksum of the boot record again stealth viruses > or polymorphic viruses? This would not be effective against stealth BSIs unless there is additional security checking. To the best of my knowledge, there are, as yet, no polymorphic BSIs. >3. Are there better packages which do the same the thing? Yes. Padgett Peterson's DISKSECURE, FixMBR and SafeMBR work along the same lines, as well as supplying the additional security checking necessary. I have not, as I said, fully reviewed AAVIRUS, but at present I would recommend Padgett's stuff. at ------------------------------ Date: Wed, 08 Apr 92 14:11:00 +1000 From: W.BOXALL@qut.edu.au Subject: LAN PROTECT by Intel?? (PC) Is there a product called LAN PROTECT by Intel?? Any information would be appreciated. Wayne Boxall COMPUTER VIRUS INFORMATION GROUP BRISBANE AUSTRALIA ------------------------------ Date: Wed, 08 Apr 92 09:42:55 +0000 From: Fridrik Skulason Subject: Re: Stoned/SBC (PC) In Message 30 Mar 92 14:17:57 GMT, d246@uni05.larc.nasa.gov (Braden Glen) writes: >positive and reran F-PROT. It reported SBC again, on the same >program. This is indded a false alarm, as you suspected - Version 2.02 of F-PROT did produce some false alarms: "Possibly a new variant of Sylvia" in TUTOR.COM (Word Perfect 4.2) "Shirley" (Quick Scan), in DIET 1.10A overlay-mode compressed files. "SBC" in several small EXE files. "Yaunch" (Quick Scan) in a few programs. "AIDS" in a few programs from Personal Bibliographic Software The reason was basically that in 2.02 I rewrote my scanning "engine" completely from scratch, and a few problems slipped in...they were all corrected, and no false alarms have been reported from users of the current version (2.03a) - -frisk ------------------------------ Date: Wed, 08 Apr 92 14:32:42 -0600 From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: Questions about AAVIRUS (PC) James_Williams%ESS%NIAID@nih3plus.BITNET writes: >Their is a really neat looking program called AAVIRUS on SIMTEL20 in >the TROJAN-PRO directory. It creates a checksum and backup of your >boot sector. > >Three general questions: > >1. Have any of the virus experts on this list looked at AAVIRUS? What > is your opinion of it? > >2. How affective is a checksum of the boot record again stealth viruses > or polymorphic viruses? I just hauled it down and had a look at it. It simply doesn't deal with stealth at all. If I do a checksum, then infect the system with a stealthy Empire virus, then use aavirus to test the system, it claims the system is ok. The same thing happens if I install DiskSecure in the interim, since Disk Secure uses similar "stealth" methods to protect the Main Boot Record. The other serious shortcoming is that if a boot sector virus is already in the MBR when aavirus is "installed", the program happily makes a chksum that is dependent on the virus. This is not good, and not necessary. The program does have one or two lines in the documentation telling the user to first scan for known viruses, before "installing". It should do some checking of its own, as well, though. Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Mon, 06 Apr 92 15:55:28 -0400 From: DTM102@psuvm.psu.edu Subject: OS/2 anti-virus programs (OS/2) I think I caught a virus on my hardisk. It runs OS/2 ver. 1.3 with a DOS partition. I have no knowledge of any anti-virus program that scans OS/2. I tried to use F-PROT thinking that it may be able to scan because I have the DOS partition but that did not work. Please write me back if you know of any programs that run on OS/2, and where I can get them. Thanks *------------------------------------------------------* * David Mojock dtm102@psuvm.psu.edu * * * * Pennsylvania State University, State College, PA * *------------------------------------------------------* ------------------------------ Date: 08 Apr 92 16:32:10 -0400 From: ake@dayton.saic.com (Earle Ake) Subject: Possible SYSMAN trojan horse (VAX/VMS) This warning came across my desk today from our security people. I have typed it in verbatim. SUBJ: COMPUTER VIRUS WARNING 1. A POTENTIAL TROJAN HORSE EXISTS WHICH INFECTS THE SYSMAN.EXE UTILITY ON VAX/VMS SYSTEMS. 2. THE SYSMAN.EXE TROJAN HORSE WILL PROVIDE A KNOWLEDGEABLE USER WITH A BACK DOOR INTO THE VMS OPERATING SYSTEM AND INCREASE USER'S PRIVILEGES. 3. DETECTION METHODS: A. CHECK FOR A LIBRARY ENTRY - SYSDOLLAR SIGNLIBRARY:OBJ.EXE B. THE LENGTH OF SYSDOLLAR SIGNSYSTEM:SYSMAN.EXE EQUALS 166 BLOCKS C. EXECUTE THE FOLLOWING VMS COMMAND: DOLLAR SIGNANALYZE/IMAGE SYSDOLLAR SIGNSYSTEM:SYSMAN.EXE CHECK THE IMAGE IDENTIFICATION INFORMATION SECTION. MAKE SURE FIELD IMAGE NAME EQUALS SYSMAN, NOT VA6 4. NOTE: ANY OF THE ABOVE COULD INDICATE THE PRESENSE OF THE SYSMAN TROJAN HORSE. Comments: It is interesting how someone tried to translate some special characters into english verbs and made this message much harded to read. The things to check are the existance of a file sys$library:obj.exe. The author also mentions checking the size of the sys$system:sysman.exe file to make sure it is 166 blocks. While sysman.exe may have been 166 blocks long for a previous release of VMS, currently under VMS 5.4-2 it is 192 blocks long. The VMS 5.3 version is 179 blocks long. Not a very good check. The third way to detect the trojan mentioned should have read: $ analyze/image sys$system:sysman.exe That might be a good check to see if it was linked as the program SYSMAN or VA6. I have no direct knowledge of this reported trojan horse. I am simply passing along information given to me in the interest of computer security. Earle Ake ------------------------------ Date: Mon, 06 Apr 92 15:57:41 +0000 From: yates@eff.org (yates) Subject: Does anyone know what are companies doing about viruses? Hi, I am writing a paper about the virus scare. In particular I would like to get information on: 1) past trends: a general history of where viruses came from 2) current: who's creating viruses now (a friend told me Bulgaria !) 3) what are corporations doing to protect themselves 4) and finally, what should corporations be doing? I realize it may be hard to explain, but I am very interested in what steps companies take to prevent spreading a virus through their products. Does anyone have answers to the above questions, or have any suggestions on where to find answers for them? I would like to give credit where it is due, so all suggestions unless accompanied by an anonymity request, will be properly cited to whomever responds. Responses can be to me via e-mail (preferred since it will make it easier for me to track who said what) or through this group. Thanks very much in advance... -Steve Yates yates@eff.org ------------------------------ Date: Tue, 07 Apr 92 14:55:02 -0600 From: kev@inel.gov (Kevin Hemsley) Subject: Virus infection tracking rslade@sfu.ca (Robert Slade) writes: > Antiviral checklist - part 6 > > For each office: (cont.) > >_ List of all hardware and software purchased, supplier and serial > number >In order to effectively track infections, however, even data >diskettes and customer data diskettes have to be identifiable. The Maybe I am missing something, but I fail to see the value in cataloging the source of all incoming diskettes for later use in tracking the source of virus infections. It seems to me that a scan of all incomming diskettes will reveal any known viruses and prevent an infection in the first place. Once the diskettes are delivered to users across the company, the actual source of a virus infection could be any machine that the disk touches, providing that the disk is not write-protected. Therefore, if you really wanted to track the source and history of a virus infection, you would need to keep a record of every machine which every disk touches. This is not a viable tool. I believe that a better approach to tracking virus infections is to use principals of epidemiology to trace possible infections. See "The Application of Epidemiology to Computer Viruses" by Bill Murray in the Procedings of the Fourth Annual Computer Virus and Security Conference. In actual practice, it is not always easy to trace the infection path without missing a disk, or, more commonly, without loosing the scent. My experience has been to trace an infection back one or two machines before loosing the scent. If you can't trace the infection back to where it entered the organization, it will always come back to haunt you. When this hapens, you can pick up the scent again and try to find the source. In an organization with thousands of computers which share media across multiple locations, the task becomes very interesting to say the least. Add to all this a large network and you have a headache. - - Kevin Hemsley | The cute message that used Information & Technical Security | to be here was destroyed by Idaho National Engineering Laboratory | a nasty .sig virus! (208) 526-9322 | kev@inel.gov | Please control your .sigs - - ------------------------------ Date: Tue, 07 Apr 92 10:01:14 +0100 From: "Vaughan.Bell" Subject: International virus symbol.. I have had a bigger reponse than I expected to the virus symbol stuff so... The virus symbol is now available in .PCX .BMP .EPS and .GIF formats. Mail me for a uuencoded copy of the .ZIP file. Also the virus symbol in any of it's format is (C) Copyright 1992 Vaughan Bell but is released into the public domain so it can be copied, printed, distributed or whatever free of charge. Also I have been told that people have had trouble printing the PostScript file, It was produced from Harvard Graphics 2.6 and exported to postscript. So if any one has had problems mail me for a new copy, this should hopefully work... )===---> Vaughan Bell - vaughan@uk.ac.psw.cd <---===( )===---> Polytechnic South West - Drakes Circus <---===( )===---> Babbage Building - Room 112 - Plymouth <---===( )===---> Devon - UNITED KINGDOM <---===( ------------------------------ Date: 08 Apr 92 07:06:54 +0000 From: linc@tongue1.Berkeley.EDU (Linc Madison) Subject: Re: Computer Hazzard Symbol C_PUFFER@unhh.unh.edu (Charles Puffer) writes: >I have been thinking about the a computer hazzard symbol for some time >now and would like to suggest somthing like this. Personally, I like the standard "biohazard" symbol (a vertical line and two lines at 120-degree angles, each splitting into two curved lines) as a symbol for computer viruses. The meaning is reasonably unambiguous -- there is very likely not any literal biohazard associated with a computer diskette. - -- Linc Madison == Linc@Tongue1.Berkeley.EDU ------------------------------ Date: Tue, 07 Apr 92 15:53:40 -0500 From: John Perry Subject: New files on Eugene Hello Everyone! It is with great pleasure that I make the following announcement. Thanks to Ken van Wyk, eugene.gal.utexas.edu (129.109.9.21) now carries almost all of the anti-viral and security-related documents and software found on cert.sei.cmu.edu. This is in addition to the latest in anti-viral software. As part of the re-organization, the anti-viral software can be found in /pub/virus-software rather than /pub/virus. If you encounter any problems accessing the new files, please send mail to perry@eugene.gal.utexas.edu. - -- John Perry - perry@eugene.gal.utexas.edu ------------------------------ Date: Tue, 07 Apr 92 16:26:17 -0500 From: John Perry Subject: New files on eugene again! (PC) The following files have been added to eugene.gal.utexas.edu (129.109.9.21) and will be posted on beach.gal.utexas.edu as soon as possible. FIXUTIL2.ZIP FULLVIEW.ZIP HTSCAN16.ZIP TBRESC17.ZIP TBSCAN32.ZIP TBSCNX30.ZIP VSIG9201.ZIP - -- John Perry - perry@eugene.gal.utexas.edu ------------------------------ Date: 08 Apr 92 20:33:29 -0400 From: Wolfgang Stiller <72571.3352@CompuServe.COM> Subject: New Integrity Master (PC) Stiller Research announces release of Integrity Master version 1.12b Integrity Master(tm) provides complete, easy to use, data integrity for your PC plus virus protection. It can also be used to provide file change management and security on your PC. As well as scanning for known viruses, it detects unknown viruses and unlike other products (such as McAfee's scan) will detect files which have been damaged but not infected by a virus. New with V1.12: - -------------- Version 1.12b recognizes over 50 additional viruses by name (since V1.11a). For people who want to run totally unattended or who don't want to have to hit a key to acknowledge serious problems, we have added the /NE (Nonstop except for Emergencies) command line parameter and halt option. IM does additional consistency checking between the files themselves and their associated directory entries. This allows detection of missing or incorrectly chained clusters even if IM has never been used before on the disk. The programs SETUPIM.EXE and IM.EXE are now further compressed for use on smaller disks. Unattended (batch) checking runs faster. Integrity Master V1.12b was released on March 18th and should by now be available on most systems. It is available on all SDN and ASP afiliated BBSes as well as SIMTEL-20 here on internet. Regards, Wolfgang Wolfgang Stiller Stiller Research 2625 Ridgeway St. Tallahassee, FL 32310 U.S.A. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 85] *****************************************