VIRUS-L Digest   Thursday, 9 Apr 1992   Volume 5 : Issue 86

Date:     Thu, 9 Apr 1992 17:33:06 EDT
From:     "The Moderator Kenneth R. van Wyk"
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Subject:  VIRUS-L Digest V5 #86
To:       Multiple recipients of list VIRUS-L

Today's Topics:

  Viruses from DIR Command (PC)
  Polymorphic List (PC)
  Re: virus classification? (PC)
  Re: Heuristic scanner flaws (PC)
  Re: Questions about AAVIRUS (PC)
  Re: Stoned, No-Int, and SCANV86B (PC)
  Clarification on VDS 2.0 decoys (PC)
  Virstop.exe version 2.03A locks my machine (PC)
  Re: Elated virus (PC)
  Re: F-PROT warning: false positive? (PC)
  Re: help - green caterpillar! (PC)
  Write protecting with software (PC)
  Re: New Anti-viral Product Announcement (PC)
  Re: Increasing CBCS Security (PC)
  HELP !!! FRANKIE-VIRUS and ALADIN ('ST)
  Re: heuristic scanners
  Re: IBM Anti-virus Service (PC)
  Re: APL virus reference
  FAQ & files available by E-Mail
  Re: Introduction to the Anti-viral archives listing of 01 April 1991

VIRUS-L is a moderated, digested mail forum for discussing computer virus
issues; comp.virus is a non-digested Usenet counterpart. Discussions are not
limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on
cert.sei.cmu.edu or upon request.) Please sign submissions with your real
name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions, and so
forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 08 Apr 92 22:53:00 -0400
From:    SINGH_HA@BENTLEY.BITNET
Subject: Viruses from DIR Command (PC)

Hi!

>for this disk), did a Dir, deleted the student's assignment files, then ran
>F-Prot on the A drive. I had previously confirmed the infection at school
>with F-prot. F-prot said "The Stoned virus search pattern has been found
>in memory..."

I had a similar problem about a month back, and thanks to everyone who
responded. I found that this occurred only with DOS 5.0. As my understanding
of Boot Sector Infectors was the same as this Scot's, I was highly surprised
at the scanning results after a DIR. Maybe this can be added to the FAQ.

To answer Scot's question, DOS stores the Boot sector information in the
buffers, and that triggers F-Prot. Having researched this a lot, I can add
that this only occurs if you are using DOS 5.0 (have tried DOS 3.2 and 3.3).

What I realized was that after upgrading to DOS 5.0 at home, I had never come
across an infected disk (can you believe that?!). I always scan the disks in
the labs before taking them home (labs use DOS 3.30, and thus I never had
this problem earlier; only clean disks make it to my home). Anyway we have a
very clean environment over here, having a site licence from Frisk.

Secondly, does anyone know of a site with detailed information about a
particular virus?
That's the reason I wasn't able to send copies of my Joshi to the guys who
requested; I don't know in which sectors Joshi stores itself (didn't wanna
send an image of the whole disk).

A couple of comments about VET. I think it seems to be a pretty neat program,
and Vesselin might be being too critical about it. In the hands of a novice,
it can cause problems, but so can a disinfector, or programs like SAFEMBR.
What about heuristic analysis! (not to add false positives to it) All these
programs can only work in the hands of a power user, and so will VET.

Harpreet Singh
Singh_Harp@Bentley.BitNet
---------------------------------------------------------------------
Lab Supervisor | Bentley College | Waltham | Massachusetts
---------------------------------------------------------------------
"..A person fills in the missing pieces of the puzzle with his own
personality, resulting in a conclusion based as much on instinct and
intuition as on fact"
      - Mr. Data in "The Defector" | Star Trek - The Next Generation

------------------------------

Date:    Thu, 09 Apr 92 03:09:00 +0000
From:    Joe Wells <0004886415@mcimail.com>
Subject: Polymorphic List (PC)

The subject of polymorphic viruses seems to be popping up here and there.
So here is a list of the current viruses of this ilk:

POLYMORPHIC VIRUS LIST
======================================================================

Ones I have replicated out multiple samples of:

  1260 (V2P1)
  Casper
  DM-330
  Flip
  Flip-Prism
  Haifa
  Invol
  Maltese Amoeba
  Marauder
  Moctzuma
  Moctzuma-B
  MTE-Dedicated
  MTE-Fear
  PC-Flu 2
  Phoenix-1226
  Phoenix-1302 (Proud)
  Phoenix-1701 (Evil)
  Phoenix-1704 (Phoenix)
  Phoenix-2000
  Pogue (MTE-Pogue)
  Russian Mutant (914)
  SBC-1024
  Simulation
  Suomi (1008)
  Telecom 1 (Kamp-3700)
  Telecom 2 (Kamp-3784, Holo)
  Tequila
  Whale
  Wordswap 1485
  Wordswap 1504
  V2P2
  V2P6 (V2P6Z & Adolph)
  Virus 101

Ontario is slightly polymorphic; it toggles one bit is all.
USSR-1594 only alters one byte.
Starship won't replicate for me.
But I have several infections.
Wordswap 1385 & 1391 also don't like my machines.

Joe

======================================================================
Joseph Wells - Virus Specialist - Certus International - (216)546-1500
Novi Development Team Leader - 0004886415@mcimail.com - CIS 70750,3457
======================================================================
I may speak English but Assembler is my native tongue.
======================================================================

------------------------------

Date:    Thu, 09 Apr 92 07:24:20 +0000
From:    Fridrik Skulason
Subject: Re: virus classification? (PC)

In Message 1 Apr 92 20:28:38 GMT, rsr@garnet.berkeley.edu (Roger Rosenblum)
writes:

>Are viruses that use the Mutating Engine classified as "stealth"
>viruses or as "polymorphic" viruses? Or either?

They are always polymorphic - in fact, the only thing the MtE does is to add
polymorphic ability to a virus. It may or may not be stealth - Pogue,
Dedicated and Fear are not, but somebody could add the engine to a "stealth"
virus...

-frisk

------------------------------

Date:    Thu, 09 Apr 92 07:35:08 +0000
From:    Fridrik Skulason
Subject: Re: Heuristic scanner flaws (PC)

In Message 1 Apr 92 18:44:00 GMT, CSCRDW%CURIE@epavax.rtpnc.epa.gov
(Ron Whittle) writes:

>>for speed - first determine if a program is "suspicious", then try to
>>identify a specific signature if something is questionable. The text of
>>the message indicates that F-Prot has found "suspicious" behaviour (which
>>it has) that does not match any of the known signatures (which it does not)
>>but has warned the user that it is similar to that used by MBR "droppers"
>>(which it is).

I guess I should clarify this. My heuristic search does not find anything
suspicious in the programs in question - which is how it should be - they
are not viruses...

The program responsible for creating the message

    Possibly a dropper program for a new variant of Stoned

is my regular scanner.
It picks up one of the "Stoned" signature strings in the file, but

  ..as it is not a boot sector, the program does not say "Infection"
  ..as it is not a boot sector dump (image) file, it is not identified as
    such.

Therefore my program assumes it is a dropper - intended to place some code on
the boot sector. However - it does not contain the "Stoned" virus ->
therefore "possibly a new variant".

The problem is really that a piece of the code (used to write to the MBR) is
exactly like the code used by Stoned, and it is also the piece of code I
happened to use in my signature.

> This posting shows that the heuristic analysis is already flawed,
>and most people haven't even implemented it yet. If you can write a
>program that will overwrite the MBR and F-Prot 2.02d heuristic scanner
>doesn't trip on it, then a virus could use the same code that you are
>using.

No, this is incorrect. A virus by definition has to replicate itself - just
writing to the MBR or the boot sector is not sufficient.

-frisk

------------------------------

Date:    09 Apr 92 11:05:40 +0000
From:    M.Meijer@cc.ruu.nl (Maarten Meijer)
Subject: Re: Questions about AAVIRUS (PC)

James_Williams%ESS%NIAID@nih3plus.BITNET writes:

>There is a really neat looking program called AAVIRUS on SIMTEL20 in
>the TROJAN-PRO directory. It creates a checksum and backup of your
>boot sector.
>Three general questions:
>1. Have any of the virus experts on this list looked at AAVIRUS? What
>   is your opinion of it?
>2. How effective is a checksum of the boot record against stealth viruses
>   or polymorphic viruses?
>3. Are there better packages which do the same thing?

Hello James. Thank you for your attention to my little program AAVIRUS on
SIMTEL20.

Concerning your question #2: *any* change to the boot sector or master boot
record will be noticed by AAVIRUS.
So the question whether these changes are caused by stealth or polymorphic
viruses, or by viruses of any kind, isn't as relevant as whether the reading
(and writing) of the boot sectors has been *redirected*, as some
sophisticated boot sector viruses do. In that case, AAVIRUS will read the
original boot records despite the presence of a bootsector virus, and will
report "everything looks fine". The Tequila virus is an example. Likewise,
restoring boot sectors with AAVIRUS -r (or -e) might seem to be successful,
yet the memory resident virus could redirect this writing to another location
on the disk, leaving the corrupted boot sector unchanged.

With the current version of AAVIRUS, the only remedy to both cases is to
start the pc with a clean system floppy, and then run AAVIRUS, specifying
[filename] and [disk]. That's far from ideal.

Of course, AAVIRUS could register the address of the disk read/write routine
at installation time, and compare this to the one at test time. Up to now, I
deliberately didn't implement this, because some memory resident utilities
like PC Tools, Sidekick, etc. also change this interrupt vector. It would
result in inconsistent warnings from AAVIRUS, depending on whether you have
loaded or unloaded such TSRs. Perhaps I should make it an option, but on the
other hand I would like to keep the program as simple as possible. Besides
its ability to restore things under critical circumstances, simplicity should
be a feature of AAVIRUS.

In the next version of AAVIRUS I will work this out. Also, I will extend the
program to checksum a limited number of program files (the user's most
frequently used). In case of contamination with a .EXE or .COM virus, the
programs most frequently used are the most likely to be infected. And
finally, the next version of AAVIRUS will be able to check and restore CMOS
data if present.

I hope I have answered part of your questions.
Kind regards,
--
Maarten Meijer, ACCU - Academic Computing Centre of Utrecht University
Budapestlaan 8, De Uithof, 3584 CD Utrecht,
P.O.Box 80011, 3508 TA Utrecht, the Netherlands.
Fax: (31) 30 531633   Phone: (31) 30-531660 / (31) 30-531436
Email: mmeijer@cc.ruu.nl

------------------------------

Date:    08 Apr 92 08:55:00 -0600
From:    "William Walker C60223 x4570"
Subject: Re: Stoned, No-Int, and SCANV86B (PC)

To Ken and VIRUS-L readers,

I apologize for the duplicate message about "Stoned" and "No-Int." I never
received acknowledgement that the first message was received, so I
incorrectly assumed that the list server never received the message, and
sent it again (bad choice). Sorry.

[Moderator's note: It's at least partially my fault for not noticing the
duplicates... (Sigh.) I do get a lot of duplicates - particularly from
comp.virus readers who post to the newsgroup multiple times when their
message does not appear in the group immediately - and I spot _most_ of
them, but occasionally, they slip through.]

- - - - - - - - - - - -

In reply to Padgett Peterson's "walks and sounds like a duck" message:

How does one determine if a virus is actually a "strain" of another virus,
and not just distantly related to it? The code for "Michelangelo" does not
look to me very much like "Stoned," though I can see that they function
similarly (except for the payload). There are some major differences, such
as the structure of the data area and the fact that "Stoned" (and
closely-related viri) have two consecutive jumps which start the code, while
"Michelangelo" has just one. Something like "Azusa," on the other hand, is
obviously a strain of "Stoned," as several sections of the code are not only
the same as those in "Stoned," but are also in the same location, and it
also has the two consecutive jumps.
I would think that a "virus strain" should have a code-level resemblance to
the virus of which it is a strain, while a virus that is just "related" to
another should have just a functional resemblance to its counterpart. I
guess that this is what the AMC's Identification/Classification committee is
set up to decide.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |
OAO Corporation                        | "... but as we say on Earth,
Arnold Engineering Development Center  |  c'est la vie."
M.S. 120                               |        - James T. Kirk
Arnold Air Force Base, TN 37389-9998   |

------------------------------

Date:    08 Apr 92 14:37:38 -0400
From:    "Tarkan Yetiser"
Subject: Clarification on VDS 2.0 decoys (PC)

Hello everyone,

I hope the following will answer a few questions about VDS 2.0 decoys:

-------------------------------------------------------------------------
CLARIFICATION ON VDS DECOYS & A WORD TO THE WISE

The registered versions of VDS 2.0 have an enhanced decoy launching
mechanism to analyze the infection method used by an active virus in memory,
and to provide the user with various pieces of information. This information
includes the number of bytes added to (or removed from) the decoy, the virus
entry point, whether the original stack is relocated (EXE only), and whether
the virus attached to the end of the file (as most do), and so on.

We would like to point out that the results reported should be taken as an
automated attempt to provide the curious user with general information about
the observed behavior of a memory-resident virus, but not as an accurate
analysis of the viral code. The best way to obtain an accurate analysis is
by careful examination of the viral code both statically and by running it
under a debugger. The POV.CCC (corresponding to COM attacker), and POV.XXX
(corresponding to EXE attacker) files can be analyzed for this purpose.
Of course, the person attempting such analysis should be familiar with the
evasive tactics some viruses use to complicate reverse-engineering by
removing single-step or trace settings, or encrypting a portion of their
code. Some viruses are encrypted and defy static analysis attempts. In such
cases, it is necessary to determine the decryption routine, write a little
program to decrypt the concealed areas of the virus, and then examine the
viral code. All this involves a human expert with enough patience, a sharp
eye, and good assembler skills. No automated tool that we are aware of can
be an adequate substitute. This is one of the reasons why so-called
"heuristic" analyzers should be used with caution.

The purpose of the VDS decoy launching mechanism is quite different: it
provides the user with general information about the observed behavior of a
memory-resident virus as far as the modifications it makes to its victims
are concerned. To attach other meanings or purposes to the decoy launching
mechanism of VDS is unwarranted. Of course, it also serves to indicate
whether there is an active virus in memory regardless of its name! Even
then, some viruses cannot be captured in this way.

Today, there are some products that attempt to do a similar analysis and
even remove such infections without establishing exact identification. We
prefer to avoid adding such a capability to VDS at this point, since we
believe that the primary purpose of any anti-viral program is to contain the
spread of viruses by providing early detection (not identification).
Recovery is a matter of restoring the affected areas using good copies. In
other words, we do not foresee much usefulness to a generic disinfection
capability in practice, and caution the user that some companies have
marketing departments with full-time hype-generating individuals.
If someone tells you they can disinfect any virus without (even with)
specific identification of a virus, they are engaged in other endeavors
besides science dedicated to serving people's needs.

Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393                (410) 247-7117
Baltimore, MD 21228          e-mail: tyetiser@ssw02.ab.umd.edu

------------------------------

Date:    Thu, 09 Apr 92 18:23:38 +0000
From:    leo@hoss.unl.edu (Leo Chouinard)
Subject: Virstop.exe version 2.03A locks my machine (PC)

I tried installing F-PROT 2.03A on my work machine yesterday. Unfortunately,
it refused to boot when I put virstop.exe in my autoexec.bat.

Details: I run a 486-25 clone (ISA bus) with a 64k RAM cache, under MS-DOS
4.01.

Config.sys is:

    DEVICE=C:\util\CBLTRON\csipd_e.exe /H:5 /P:300
    stacks=16,256
    files=30
    break=on
    buffers=20
    lastdrive=g
    device=c:\dos\himem.sys
    device=c:\dos\ansi.sys
    install=c:\dos\share.exe
    install=c:\dos\fastopen.exe c:=(50,25)
    device=c:\dos\ramdrive.sys 1536 /e
    device=c:\dos\windows\smartdrv.sys 256
    shell=c:\dos\command.com /e:1024 /p

Autoexec.bat was:

    @ECHO OFF
    VERIFY On
    PATH c:\batch;C:\DOS;C:\UTIL;C:\util\CUTCP
    set COMSPEC=c:\dos\command.com
    flip num off
    PROMPT $P$G
    VER
    PRINT /D:LPT1
    c:\util\mouse\mouse
    C:\util\CUTCP\NOVELL\IPXCPD
    C:\util\CUTCP\NOVELL\NET4
    c:\util\f-prot\virstop.exe

Tests seem to indicate the conflict is with NET4 - i.e., with either of the
last two lines deleted from the autoexec.bat, the system boots okay.

Almost forgot - I also booted from a clean diskette and ran F-PROT 2.03A to
scan the hard disk, and it reports no problem, so I am assuming that NET4 is
in fact clean.

--
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
These are my opinions. Any similarities to the      | Leo C.
opinions of others are purely coincidental.
                                                    | leo@hoss.unl.edu

------------------------------

Date:    09 Apr 92 18:36:58 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Elated virus (PC)

wjh0265@tamsun.tamu.edu (William Hobson) writes:

> Has anyone heard of a virus called 'Elated'. The victim claims to
> have been infected by this virus and said that VSHIELD reported it.
> This virus is not listed in any information I have and I have no idea
> of removal procedures. Thanks for any info you have.

Hm, this sounds more like a bug in VSHield... Maybe it's trying to display
information about a "xxx rELATED" virus...

And, please, read the FAQ list about how to report possible virus infections
and what kind of information to supply...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    09 Apr 92 18:51:27 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-PROT warning: false positive? (PC)

frisk@complex.is (Fridrik Skulason) writes:

> >>> A related question: f-prot identifies nearly all the Norton Utilities
> >>> programs

> The reason for this is that the programs use OPTLINK, (a linker which
> adds PKLITE-like compression to executables as they are linked). My
> heuristics did not include a rule to specifically exclude OPTLINK
> (I have rules to exclude PKLITE, LZEXE, DIET, KVETCH, ICE, EXEPACK etc)
> so it detected "highly suspicious self-modifying code" - which,
> strictly speaking is true. This was fixed in 2.03.

The problem is that it detected them even when I instructed the
installation program to unpack them. However, I guess that this is
OPTLINK's (or more exactly the unpacker's) problem, not yours... :-)

> This (at least WORD.COM) is a documented false positive - see ANALYSE.DOC.
> I am working on reducing the number of false positives, but I fully agree
> that heuristic analysis should only be used by experienced users....there
> are still some false positives....

How about -scanning- for the known false positives? After all, they are
fewer than the known viruses... :-)

> I am working on my heuristic analysis - which (and I think nobody in
> the anti-virus community disagrees with me) is able to detect the
> majority of unknown viruses, but it is not perfect - I don't analyse
> boot sectors yet, and I detect only a low percentage of viruses
> written in high-level languages. However, as I said...the analysis is
> improving.

The problem, I believe, is that a virus writer can -always- fool your
heuristics if he knows them...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    09 Apr 92 18:56:22 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: help - green caterpillar! (PC)

hurd@sfu.ca (Peter L. Hurd) writes:

> Howdy, I just noticed one of those dreaded anonymous posters appeared
> on our departmental mailboxes. Found Green Caterpillar virus. Scan
> 86B (I think) I'm running doesn't include it in the virus list, and
> F-prot says it isn't analyzed (what does this mean). Anyway since my
> PC has been running ominously slowly of late I thought I'd panic.
> What scans for Green Caterpillar?, What removes it?

SCAN -does- detect it. It calls it 1575 / 1591 [15xx] (arrgh, when shall we
standardize all those silly names...). The latest version (89-B) claims to
be able to remove it, but I haven't verified that.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm.
107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Thu, 09 Apr 92 14:49:57 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Write protecting with software (PC)

Alexander Shehovtsov, (8-044)266-70-28 (9:00 - 18:00 Kiev, Ukraine) writes:

> Results were surprising - nearly 95% of viruses were unable to infect
> files after setting RLock defence. Some of them even didn't try to remove
> Readonly and failed, others failed with removing, and very intellectual
> viruses that used tracing the Int 21 chain to jump directly into the MS-DOS
> Int 21h routine failed too because RLock protection of the ReadOnly
> attribute became a part of MS-DOS itself.

Actually confirms the V-L discussions over the last two years about software
protections - almost anything will work so long as it is unknown and
unanticipated. The read-only bit worked as long as no-one knew about it (not
very long).

> And what about 5%? These viruses used direct access to disk via Int 13h
> or DOS internal tables to infect files without removing ReadOnly attribute.
> I used the second idea to prevent their deeds: wrote another program
> modifying IO.SYS and MSDOS.SYS that can prevent direct access to disk
> to all programs EXCEPT COMMAND.COM.

More dangerous since while this will protect against Int 21 functions, what
about direct calls to Int 13 ? Things operating from the BIOS can always
bypass DOS.

> RLock and HDD are DOS-dependent and were written for MS-DOS 4.0, 4.01
> and 5.0.
> As a result only very DOS-dependent viruses can ignore this defence.

Again, this will not provide any protection against things operating on the
BIOS level or even things reading from the DOS level and writing through the
BIOS. The versions mentioned will even tell you how to reach the BIOS
directly if you ask nicely.
I agree that this mechanism could be effective against most common file
infectors seen thus far, but what about the DIR-II class which uses a BIOS
technique. Having said that, the programs will probably work as indicated to
reduce the 50% +/- of infections that stem from file infectors.

My feeling though is that a much more effective defense can be mounted from
the BIOS level to do the same thing (remember BYPASS) by write protecting an
entire partition, will also protect against MBR and Boot Sector infections
(the other 50% +/-), and is not DOS version or even necessarily OS
dependent.

Am glad to see people thinking about solutions though.

Warmly,
Padgett

------------------------------

Date:    09 Apr 92 19:47:26 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Anti-viral Product Announcement (PC)

TYETISER@ssw02.ab.umd.edu writes:

> New Anti-viral Package Featuring Real Intelligence,
> not Artificial

Sigh... It sounds pretty tempting, like an anti-virus program everybody
would like to have, but unfortunately, it seems more like an April Fool joke
to me...

> Description: VDS (Virus Detection System) 2.0 is an anti-viral
> software package designed to contain the spread of computer viruses by
> providing early detection and quick recovery. What distinguishes VDS
> from other anti-viral products is that its operation is based on
> analyzing viral behavior rather than just looking for known byte
> sequences extracted from virus samples. Therefore, VDS does not
> require frequent upgrades.

A heuristic analyser? Beurk... I would prefer something more reliable.

> VDS uses a proprietary triple-pass verification technique to catch
> the most evasive "stealth" viruses even when they are active in
> memory. Coupled with its blazing operational speed (thanks to its

I fail to see why a triple memory scan is needed. Any stealth virus can be
caught in memory with a simple one-pass scan. They are stealth in files, not
in memory you know...
> optimized internal cache), VDS represents the strongest software
> solution currently available.

Nope... When speaking about strong solutions, nothing that doesn't involve
integrity checking sounds strong to me...

> VDS generates a customized device driver during installation. The
> device driver barely adds three seconds to bootup time and catches all
> system infectors with ease. It can recover vital system areas such as
> the master boot record and the partition boot record automatically,
> and place a copy of the affected area in a file so that the user can
> examine it later. The user is given an opportunity to embed his own
> message inside the device driver. This message is displayed if a
> possible infection is detected. Businesses will find this feature
> very useful since it can be used to prompt users to report any
> incidents as instructed by the message. The device driver can also be
> configured to freeze the computer after displaying the customized
> message to ensure that it is not ignored.

Even if the whole message is a joke, the above is pretty realizable. In
fact, several anti-virus products already offer similar options (or at least
some of them, like automatic restoration of the boot sectors and customized
alert messages).

> A unique feature of VDS is its decoy launching mechanism.
> The decoys are used to lure any viruses active in memory and to
> capture them in a POV (Prisoner Of VDS) file for examination. The
> captured intruders can speed up the diagnosis process since you will know
> which virus you are dealing with or whether it is a new virus.

The only problem is to convince the virus to infect the decoy... :-) Victor
Charlie used a similar approach in the past... maybe still uses it.

> VDS documentation rivals many books on computer viruses not

Name some of them.

> only by its readability but also by its technical content.
> It offers
> practical guidelines and a risk analysis test designed to evaluate the
> vulnerability of your computers to viral attacks.

Jokes aside, I think that something like this can be found in Fred Cohen's
manual for ASP IT or at least in his "Short Course on Computer Viruses".

> The package includes a special utility program that helps users to
> recover from all system infectors that target vital areas of hard
> drives such as the master boot record. Another program in the package
> allows users to search DOS-compatible (including network) drives for
> known viruses. This program sports an easy-to-use menu-driven user
> interface as well as a spartan command-line mode for individuals who
> do not mind remembering half a dozen options. It also has a mechanism
> to add new virus patterns externally.

All this is possible and in fact already available in several products.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    09 Apr 92 19:12:08 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Increasing CBCS Security (PC)

Toria@cup.portal.com writes:

> >virus (so the scanners won't catch it, and if he's clever enough,
> >he'll avoid the heuristic analyser of F-Prot too), a clever tunnelling
> >virus (so that it will be able to bypass a monitoring program) and a

> What do you exactly mean by a "tunnelling" virus?

Ooops, mea culpa, I should have supplied this to the FAQ list... Anyway,
here is the answer:

Most monitoring programs stay resident in memory, intercept some interrupts
and DOS functions and monitor them for dangerous activities (like
modification of an executable file and so on).
However, due to the total lack of memory protection under MS-DOS, a clever
virus is able to disable the monitoring program if it detects it in memory,
or even invoke the "dangerous" functions in a way that cannot be intercepted
(e.g., using CALLs to the ROM BIOS). Viruses which are able to do this are
called "tunnelling", since they are able to bypass the monitoring programs
just as electrons are able to bypass an energy barrier (the "tunnelling
effect"). If correctly implemented, these techniques are able to bypass
-any- monitoring program, and therefore the monitoring programs (like
FluShot+) are the weakest line in the anti-virus defense (even weaker than
the scanners).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Thu, 09 Apr 92 07:38:28 +0000
From:    GROSSER@rzmain.rz.uni-ulm.de (Grosser Martin)
Subject: HELP !!! FRANKIE-VIRUS and ALADIN ('ST)

Help !!! Help !!! Help !!!

Is there anyone using ALADIN 3.0 on the ST??
Is there anyone who has experience with the horrible FRANKIE virus
infection??

The FRANKIE virus begins its work after about 15 to 30 minutes. There is a
message: " Frankie says: no more piracy" and the system crashes. By that time
you have usually changed a few discs and the virus is everywhere and you
have to clean up the whole system.

Is there any anti-virus for this bullshit FRANKIE virus on the ST available?

please answer
martin

------------------------------

Date:    09 Apr 92 19:01:53 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: heuristic scanners

0004839378@mcimail.com (Joshua Proschan) writes:

> Upon reflection, I must side with those who want the heuristic
> scanners to continue to be available.

Available - yes.
Used by Joe Users and relied entirely on them (as some people are relying entirely on SCAN) - definitively not. Currently the anti-virus researchers are the only software producers that must also support the product of their competitors... Have you thought how many times McAfee or Frisk had to answer the question why they are detecting CPAV as a virus? > The problems of avoiding a > deluge of inquiries from casual users with false positives can be > avoided by including a prominent warning in the documentation that Yeah, right. Unfortunately, the casual users mentioned above tend not to read the docs... :-(( > false positives can occur; and by the previous suggestion of including > it in the FAQ and simply not responding. The latter is the attitude that I am proposing. Anybody who is competent enough to use a heuristic scanner should know about the potential problems and not ask silly questions... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 09 Apr 92 19:07:03 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: IBM Anti-virus Service (PC) ian@vnet.ibm.com (Ian Stirling) writes: > I just picked up this announcment on our internal board and have been > given permission by both IBM and the newsgroup moderator to post it here. > o Access to all of the anti-virus software used by IBM (VIRSCAN, > VSTOP, Verifiers, Disinfectors, CHECKUP) plus any new software > developed on any platform during the contract period. As an IBM employee, you should know that the product mentioned above are restricted to IBM Internal Use Only and not generally available to the rest of the world (except VIRSCAN). It's a pity, though, since VSTOP seemed pretty good to me the last time I saw it... 
Or am I mistaken and the programs made generally available? Dave? Donny? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 09 Apr 92 18:13:43 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: APL virus reference FBCohen@DOCKMASTER.NCSC.MIL (fc) writes: Hello, Dr. Cohen! Congratulations with your new e-mail address and welcome on Virus-L. > The first virus given that name was described in 1984 and > demonstrated in November of 1983. The first network viruses I am > vaguely aware of were supposedly written in the 1960s, but this is all > quite fuzzy since there were only indirect reports of these events in > the Shoch and Hupp paper, and therefore, tyhey cannot be accurately > verified. > The first virus that can be accurately verified as such and > which was used for the purpose of attack rather than experiment was > launched in the middle 1980s. I am sorry I cannot give further details. It's really amazing then that the Polish SF writer Stanislav Lem described in his novel "Peace to the Earth" (in 1984) the possible use of computer viruses as warfare... The description looks rather realistic and naturally follows from his early ideas about machine evolution guided by natural selection first expressed in "The Invincible"... > As to integrity checkers, it is clear from your many articles > back and forth on the subject that most of you haven't thought the > matter out very well. > There are and have been integrity checkers that defeat all > current and probably most future stealth viruses - even in the > partition table! I wish the people who market anti-virus software had the same exactness of expression... 
:-) Indeed, there are integrity checkers that are already able to defeat all current and -probably- -most- of the future viruses, if they are used correctly... Yet the marketing people are constantly trying to convince us that their product defeats ALL POSSIBLE viruses, including ANY possible future ones... You understand very well that this is, of course, impossible... > Several integrity checking systems are "perfect" at repairing > infected files that they are able to repair. The ASP Integrity Toolkit > either does it right or tells you that it couldn't (assuming you have > not told it to be silent about things). Yep, but they differ in how often are they able to actually repair the file... The ASP IT succeeds more often, since it relies on on-line - -backups- (but needs more space), while another product that has been discussed here recently (The Untouchable) succeeds less often (but takes -much- less space), since it store only some information about the files. Recently Dr. Solomon told me the idea to reach a compromise - - to allow the user to specify how much of the file should be saved. If it is 100 % this is equivalent to the on-line backups; if it is a few bytes from the entry point this is equivalent to UT. Each user should be able to specify the ratio to a value that meets his/her feelings of "safety". > By the way, I now have an at least relatively permanent > temporary network mailing address. DO NOT USE THIS TO SEND PRIVATE > MESSAGES - If you want confidential communication with me, I am now > providing RSA messaging for the PC, and you can use my system to do > this. Get in touch with me for details. :-) There are obviously some problems with the private messages, since I got only the first line of the one that you have sent me... Will try to get in touch with you nevertheless... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 
107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 08 Apr 92 21:26:21 -0400 From: Jon Freivald Subject: FAQ & files available by E-Mail As previously posted, the Virus-L FAQ is available via E-mail here. The mail-server has passed local testing with for sending non-text files and should be ready for general use. For instructions, send E-mail to file-request@jaflrn.uucp (if that bounces, try jaflrn!file-request@uunet.UU.NET) with the word "help" in the message body. For a file listing or the Virus-L FAQ, send a message with one of the following lines: get index get dos/virus/virus-l.faq If you have any problems, please report them to me ASAP! I hope this to be a reliable service and will endeavor to correct any reported problems. Jon ============================================================================= Jon Freivald ( jaf@jaflrn.uucp ) Nothing is impossible for the man who doesn't have to do it. ============================================================================= ------------------------------ Date: 09 Apr 92 19:34:04 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Introduction to the Anti-viral archives listing of 01 April 1991 jwright@cfht.hawaii.edu (Jim Wright) writes: > Introduction to the Anti-viral archives listing of 01 April 1991 Ha-hem... Not to be picky, but isn't the above a little bit outdated (with one year)? Or is it just a typo? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 86] *****************************************
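The "how much of the file to save" compromise that Vesselin attributes to Dr. Solomon in the APL virus reference thread above, as an added example that is not code from ASP IT, The Untouchable or any other product mentioned: an integrity record keeps a digest plus a configurable prefix from the entry point, and a repair is handed back only if it verifies, otherwise the checker reports that it couldn't. The 4000-byte sample program and the two infection models are constructed for the demonstration, and the entry point is assumed to be file offset 0.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_record(data: bytes, save_ratio: float) -> dict:
    """save_ratio 1.0 keeps a full on-line copy; a small ratio keeps only the
    first few bytes from the (assumed) entry point at offset 0."""
    n = int(round(len(data) * save_ratio))
    return {"digest": sha256(data), "length": len(data), "head": data[:n]}

def is_intact(data: bytes, rec: dict) -> bool:
    return len(data) == rec["length"] and sha256(data) == rec["digest"]

def try_repair(data: bytes, rec: dict):
    """Return (repaired, True) only when the candidate verifies against the
    stored digest; otherwise (None, False). Never return an unverified file."""
    if is_intact(data, rec):
        return data, True
    if len(data) < rec["length"]:      # bytes are missing, nothing to restore from
        return None, False
    head = rec["head"]
    # Put back the saved entry bytes, drop anything beyond the original length.
    candidate = head + data[len(head):rec["length"]]
    if sha256(candidate) == rec["digest"]:
        return candidate, True
    return None, False

# Constructed sample "program": 15 * 256 + 160 = 4000 bytes.
ORIGINAL = bytes(range(256)) * 15 + b"\x90" * 160

def appender_infect(data: bytes) -> bytes:
    """Model of an appending infector: 8 entry bytes overwritten, body appended."""
    return b"\xE9" + b"\x00" * 7 + data[8:] + b"\xCC" * 512

def overwriter_infect(data: bytes) -> bytes:
    """Model of an overwriting infector: 64 bytes clobbered mid-file, same length."""
    return data[:2000] + b"\xCC" * 64 + data[2064:]

def repair_outcome(infect, save_ratio: float) -> bool:
    """True only if the checker restores the exact original from an infected copy."""
    rec = make_record(ORIGINAL, save_ratio)
    repaired, ok = try_repair(infect(ORIGINAL), rec)
    return ok and repaired == ORIGINAL
```

With 1 % saved (40 bytes) the appender is repaired but the mid-file overwriter is not; at 0.1 % (4 bytes) even the appender is refused rather than guessed, and only the 100 % setting repairs both.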