Date: Fri, 10 Apr 1992 14:03:04 EDT
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V5 #87
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Friday, 10 Apr 1992    Volume 5 : Issue 87

Today's Topics:

Re: Increasing CBCS Security (PC)
Re: MDISK & FDISK - Are they the same? (PC)
Re: Novell Virus? (PC)
Re: OMICROM virus (PC)
Re: polymorph virus questions (PC)
Re: Post March 6 Michelangelo Infections (PC)
Re: The word 'Cascade' in my hardware ?? (PC)
Re: polymorph virus questions (PC)
Re: Protection from Boot Sector Viruses (PC)
Re: Question about Central Point VSAFE message (PC)
Re: Removing BS viruses with McAfee CLEAN (PC).
Re: Telephonica and Floppy Discs (PC)
Re: Virus surviving format (PC)
Re: The word 'Cascade' in my hardware ?? (PC)
Re: warning about mutation engine (PC)
Re: warning about mutation engine (PC)
NY Newsday Article on McAfee & Viruses

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: 09 Apr 92 19:23:26 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Increasing CBCS Security (PC)

frisk@complex.is (Fridrik Skulason) writes:

> Thanks for the free advertising :-) :-) :-) Actually, I agree with Alan
> Solomon that we have the two best scanners - we just disagree which is number
> one and which is number two.

It depends what the user wants. When sorting out a virus collection I'm using both, but if the two scanners disagree, I tend to believe Alan's more (since it has better identification). At the same time, yours has better disinfection (but I'm not interested in that). And Alan tends to support the researchers' requirements better... :-)

> Saying that Alan's AVTK detects more viruses is slightly misleading -
> there are a few viruses that I don't detect - either very new ones
> that Alan has, but I don't or "garbage" viruses that don't work...

Nope, I was relying on actual numbers. And I count viruses that you report as "Possibly a new variant of" and "New or modified variant of" as detected, regardless of the fact that your scanner obviously doesn't know them. I'll run the tests again as soon as I get the newest version of yours, but I simply suspect that you haven't tried Alan's FindVirus 4.10...

> For example, the AVTK detects the Starship virus, but as far as I know
> nobody in the West has been able to make it replicate, so I have
> simply not bothered to detect it.

We received enough information from the Soviet researchers on how to make it replicate. As soon as I get some spare time (not soon with all those 83 messages pending in my e-mail box), I'll try to replicate it.
Just remember that several viruses which "didn't seem able to replicate" later turned out to be perfectly working ones which merely failed to work under some conditions... And do you remember The Rat? No one has bothered to see what it requires in order to replicate...

> Also, if you consider my heuristic analysis (yes, yes, Vesselin, I
> know what you think about it)...I detect practically all of those
> "extra" new/garbage viruses that my scanner misses.

I admit that due to my bias I never bothered to check how many of the undetected viruses will be detected by the heuristic analyser. Shame on me. I'll perform those tests later.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De
Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226
Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 09 Apr 92 19:38:05 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MDISK & FDISK - Are they the same? (PC)

mcafee@netcom.com (McAfee Associates) writes:

> The FDISK program is MS-DOS's utility to partition a hard disk after
> low-level formatting or change the sizes of the partitions, etc.
> M-DISK is a set of utility programs for replacing the Master Boot
> Record (partition table) and DOS Boot Sector code when infected by a
> virus. M-DISK works for MS-DOS (and PC-DOS) 3.00 through 4.01.
> MS-DOS 5.00 has its own built-in "M-DISK" for removing partition
> table infectors. It's the undocumented /MBR switch, which will remove
> the existing code in the MBR and replace it with a clean copy from
> inside itself, while leaving the data (the actual partition table)
> intact.

Unfortunately, FDISK /MBR does not fix the diskETTE boot sectors... I really wish there were a similar option for SYS... So maybe an MS-DOS 5.0-aware version of M-DISK is not that silly an idea?
But I guess that Padgett will have the problem solved earlier and (he promises) independent of the DOS versions...

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 20:02:02 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Novell Virus? (PC)

gscobie@castle.edinburgh.ac.uk (G J Scobie) writes:

> Last year I ftp'd an article which apparently had been published in
> Computers and Security Nov 1990 issue (I forget which site). This
> paper written by Jon David outlines a virus which seemed to infect a
> Netware server without the appropriate rights to do so. Anyone any
> up-to-date info on this given the recent discussion on this topic?

Unfortunately, Jon David has refused to supply an example of the actual virus used to the other anti-virus researchers for testing. I myself tested the behaviour reported in the article, using the functions that the virus mentioned there (Jerusalem) uses, but couldn't confirm Mr. David's observations. For those who have not read the article, the reported behaviour is that the virus is able to -slightly- bypass the granted rights (e.g., modify the file attributes without having the MODIFY right, but not write to the file; infect the file without having the WRITE right, if at least the READ right is granted, but not delete the file, etc.).

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 20:08:29 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OMICROM virus (PC)

MANTONIO@PTEARN.BITNET (Antonio Joao Nunes Cardoso) writes:

> A friend of mine asked me to ask this : How to remove the NEW OMICROM
> virus reported by CPAV ?
> He used CPAV to remove it and he couldn't remove that properly.

Step 1. Remove CPAV.
Step 2. Get something more useful.

> Another thing is that someone told him that the OMICROM virus is a
> mutating virus which can be traced as FRODO or 4096.

First, it's probably Omicron, not Omicrom. Second, it's an alias for Flip, not for Frodo. Third, most good removers are able to remove it. Try F-Prot, Dr. Solomon's Anti-Virus ToolKit, CLEAN 89-B (in that order). If you don't succeed, contact either Fridrik Skulason (author of F-Prot) or John McAfee (author of CLEAN).

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 20:17:27 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: polymorph virus questions (PC)

ukcy@sunyit.sunyit.edu (Kevin Yager) writes:

> I am also interested in learning more about polymorph. My boss read

Read the FAQ list then... :-)

> about it in a magazine and had me write a program that will document
> the length of every com and exe. On subsequent runs it will check to
> be sure the file length is the same and add or delete executables that
> have been created or deleted.

The main problem with the above procedure is that it won't catch a stealth virus if it is active in memory.
It will also not catch a virus which does not change the length of the file (Lehigh, Number of the Beast, 1963, the silly overwriting ones, the Phoenix family under some conditions, The Rat, and many others). Also, it will not catch any boot, master boot, or file system infector (Dir II).

> Since I wrote the program I have learned that some of the "stealth"
> viruses are smart enough to change the length data so that when a dir
> listing is done you will see the old length of the file instead of the

Yep. And this is even called semi-stealth only... The fully stealth viruses are so smart that even if you read the whole file, you will not notice any changes in it, if the virus is active in memory.

> actual length. How many viruses can really do this??

Many enough.

> How useful is the program that I wrote??

It can detect silly (but widespread) viruses like Jerusalem or Dark Avenger. However, it also provides you with a false sense of security...

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 20:30:37 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Post March 6 Michelangelo Infections (PC)

RCTE4@Jetson.UH.EDU writes:

> look at it (I know, curiosity felled the feline.....). Took it home, booted
> my pc, put the infected diskette in the A: drive (my b: drive is wrong size
> for this disk), did a Dir, deleted the student's assignment files, then ran
> F-Prot on the A drive. I had previously confirmed the infection at school
> with F-prot. F-prot said "The Stoned virus search pattern has been found
> in memory..."

Sigh... It's called a ghost false positive. The reason is that the infected boot sector is read into the DOS buffers during the DIR command and F-Prot detects the scan string in the buffer...
Frisk, I thought that F-Prot uses a more intelligent approach... Why are you looking for a Stoned variant in low memory?

> Is this something as simple as Dir copying the boot sector and FAT into
> memory and F-prot finding it there, or is there a risk of infection from
> (this version of) Michelangelo even after booting? I also re-booted from

Don't worry, you are not infected. Simply reading the infected boot sector put the virus in memory, but it has not been activated. The only way to activate it is to actually execute it (that is, to try to boot from that diskette). F-Prot got fooled (and it shouldn't have).

Regards,
Vesselin

------------------------------

Date: Thu, 09 Apr 92 16:38:26 -0400
From: Ken Bell
Subject: Re: The word 'Cascade' in my hardware ?? (PC)

>Date: Tue, 07 Apr 92 04:56:06 +0000
>From: alamma@craft.camp.clarkson.edu (Munir A. Alam)
>
>I just recently got Norton Utilities Version 6.0, while checking out all
>the new features, I noticed on System Info under the 'Hardware Interrupts'
>the following:
>
>Number  Address    Name                       Owner
>-----   ---------  -------------------------  ---------------
>
>IRQ 00  1934:003C  Timer Output 0             DOS System Area
>IRQ 01  1934:0045  Keyboard                   DOS System Area
>IRQ 02  F000:1F1A  [Cascade]                  BIOS
>IRQ 03  F000:1F1A  COM2                       BIOS
>
>Cascade ? Cascade the virus ?

No, Cascade, the interrupt line into which the 2nd 8259 programmable interrupt controller on an AT-type PC feeds its output. FWIW, that's why a single 8259 (XT) yields 8 IRQs, and a pair of 8259s yields 15; one (IRQ 02) is used up in connecting the two chips.
Ken Bell (SYKLB@NASAGISS * SYKLB@NASAGISS.GISS.NASA.GOV * 212-678-5545)

------------------------------

Date: 09 Apr 92 20:23:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: polymorph virus questions (PC)

frisk@complex.is (Fridrik Skulason) writes:

> >First, it is "polymorphic", not "polymorph". Second, it doesn't need
> >to be self-encrypting (although all of the current ones are).

> Uh, how could you get polymorphism without self-encryption - moving
> blocks around, maybe, but that might also qualify as a primitive
> encryption...
> Or were you thinking of something else ?

Yes, I was thinking about swapping around blocks of code... Tiny blocks of code... Blocks consisting of two instructions only: the actual instruction and a JMP to the next one. This is not encryption, since all instructions are there in plain text; they are just permuted. However, this is much more difficult to achieve than using a simple variable encryption, so it is quite improbable that somebody will implement this. It is only a theoretical possibility.

> Of course, one program that is (usually) effective against polymorphic
> viruses (at least the self-encrypting ones) is heuristic analysis :-)

The keyword here is "usually". In fact, even a known virus scanner is "usually" effective against polymorphic viruses... The problem is that -some- of them are -sometimes- missed... As to the heuristic analyser, it doesn't seem too difficult to me to develop an encrypted virus which is not detected by the heuristic rules, especially if those rules are known.

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 20:45:56 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Protection from Boot Sector Viruses (PC)

pjs@mulga.cs.mu.oz.au (Peter Stuckey) writes:

> Peter Stuckey didn't write anything. He merely acted as postman for

Sorry, the above statement is put in automatically by my netnews reader.

[Moderator's (tongue-in-cheek) note: I think that we're going to have a recursive situation (or at least a perpetually iterating one) here in a moment - Vesselin's reply is to a note from Roger Riordan, not Peter Stuckey. Could this be a RISK of having someone forward e-mail to a discussion group on your behalf? :-\]

> I won't answer Vesselin's comments in detail, except to re-iterate
> my statement;
> "IF you replace any boot sector VET does not recognise on any
> new disk, or any disk that has been in anyone else's PC, you
> CANNOT get a pure boot sector virus."

My main complaint was that it might "automatically" destroy something that is not a virus.

> I did not explain that our documentation says that if you get any
> valuable software from anyone else the first thing you should do
> is to check if the disks are write protected, and if not write
> protect them. Then check them, & if VET does not like the boot
> sector (or finds a virus) copy the files to a clean disk & check
> (& disinfect) that. This way you won't destroy anything valuable,
> & if a disk is infected you still have the evidence, & can't be
> accused of infecting it yourself.

Sure, if you have backups... Unfortunately, persuading the users to make them seems to be just as difficult as persuading them to boot from the proverbial non-infected write-protected system diskette.
> Many of us are so busy thinking of obscure holes in each other's

Yeah, those of us who try not to be as shortsighted as the people who made the users rely entirely on known-virus scanning...

> products that we overlook the fact that 99% of viral incidents
> involve a few well known & readily detectable & removable
> viruses. It is nice thinking of ways of preventing exotic
> attacks, but meanwhile our PCs are being overrun with Stoned, M,
> & similar trivia.

Yep, but if your claims were true, then these viruses should have been eradicated already, since all self-respecting virus scanners are able to detect them... Meanwhile I am trying to foresee and provide ways to prevent the exotic attacks that would allow the current sophisticated viruses to become just as widespread as Stoned after four years or so...

> I fully agree that no system is foolproof, and we never claim so
> in our advertisements, but keeping viruses out is very largely

My main disagreement with your philosophy is that I claim that a known virus scanner is insecure. Since it is insecure, it cannot prevent you well enough from being infected - because it only detects the known viruses. OK, then, since it is able to do only this, it must be able to do it WELL, damn it, and detect ALL known viruses, not only a subjectively selected subset of "the most common ones".

> majority of actual virus attacks. Furthermore a scanner is the
> only form of defence that will detect viruses before they have
> any chance to do anything to your system.

Of course it isn't the only one... Even if you classify the hardware write protection and the heuristic analysers as "scanners", there are the monitoring programs. True, they can be easily bypassed, but so can the known virus scanners.

> Assuredly someone has to be hit by a new virus before the
> scanners can find it,

Yep.
And if the "thing" is a highly polymorphic stealth multi-partite fast infector, it might spread pretty far while you are busy updating your scanner... So far that you will be unable to eradicate it - just like Stoned.

> but refusing to use a scanner because it is
> not 100% secure is like refusing to use a condom because they
> sometimes have holes in them, or may burst.

First, I didn't propose to refuse to use scanners. I am proposing to stop RELYING entirely on them. Second, the analogy does not hold. It's more like refusing to rely on certificates that your partner is not AIDS-infected - which are good only for the next half an hour, especially if s/he has had sex with the nurse who administered the test afterwards... :-) I have no objections against the condoms - yes, do use those write-protect tabs on your diskettes... :-)

> Integrity checkers provide a valuable second line of defence, but

My opinion is that they are a valuable MAIN line of defense. Of course, the full defense must not exclude the scanners, the monitors, the heuristic analysers, the integrity shells, the generic removers, and of course, the backups... Did I forget something? Oh, yes, the hardware-based protection devices...

> they are not entirely reliable unless the user can be persuaded
> to boot from a clean DOS disk, and experience has shown that they
> do not work well in the hands of unskilled users.

The same goes for the scanners...

> Relying entirely on an integrity checker is akin to relying on
> blood checks to protect yourself against AIDS. Granted they will

Right, but I'm not suggesting that. I'm suggesting building a multi-level line of defense, with the accent on integrity checking.

> usually detect viruses before they do any damage, but are you
> prepared to stake your life on it?

Yep, if you can provide me with a good life backup system...
:-)

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 21:09:20 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question about Central Point VSAFE message (PC)

CHUCKM@UCRDG.UCR.EDU (Chuck McDaniels, UCR Academic Computing) writes:

> COMMAND.COM was changed
> What he's been doing is deleting his COMMAND.COM, and reloading it
> from a master DOS floppy.

Tell him to check whether this is the same file (same DOS version and brand - MS or PC or DR) as the one originally installed. Also, ask him whether he has run SCAN with the /AV or /GV options, or any anti-virus program (-especially- CPAV) in "immunize" mode.

> He asked me today if he needs to do this,
> since his scanning software can't find a virus (he says he's just had
> it for a month, and that it can detect Michelangelo).

First, the scanning software can detect only KNOWN viruses. Second, Michelangelo has nothing to do with COMMAND.COM - it's a master boot sector infector. Third, Michelangelo is not the ONLY virus one has to worry about.

> So, does this seem symptomatic of a virus?

Yes, it's symptomatic. But nothing more than that. The real thing that is detected is that the command interpreter has changed. All viruses cause changes, but not all changes are caused by viruses. If there's no change, there's (well, probably) no virus, but if there's a change, it is not necessarily caused by a virus.

> The next time I talk to him, I'll try to
> get a copy of his "modified" COMMAND.COM, if that would help in
> tracking this down.

Get also a copy of the "original" COMMAND.COM. It will be useful to compare the two copies.
Regards,
Vesselin

------------------------------

Date: 09 Apr 92 21:21:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Removing BS viruses with McAfee CLEAN (PC).

pjs@mulga.cs.mu.oz.au (Peter Stuckey) writes:

> POSTED for Roger Riordan
> --------------------------------------
> Occasionally we would find Stoned/Brain/Stoned. If you run CLEAN
> repeatedly on such a disk you will get the two viruses
> alternately for ever, but no warning that the disk is still
> infected. IF you use CLEAN to remove a BS virus ALWAYS run SCAN
> again to make sure the disk is really clean.

In fact, I strongly advise the users to do so even when dealing with file infectors. For just the same reason, CLEAN will remove only the -last- virus in the file. If there are more, you must run SCAN again, then CLEAN again, and so on. The worst case I have seen was a system infected with Yankee Doodle, Murphy, and Terror. All of them are resident and infect on file execution. The program MODE.COM (which is normally about 300 bytes) had become so large that it was not possible to load it... Of course, in such cases it is better not to waste your time with the endless SCAN/CLEAN procedure...

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 21:40:19 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Telephonica and Floppy Discs (PC)

Robert.Turner@brunel.ac.uk (Robert Turner) writes:

> Our 386 machines run Dr.
> Solomons' Guard program along with an INT-13h
> modifier written by one of our people here that protects a small 'C'
> disc (with DOS etc). Anyway, I was carrying out a disinfection of
> telephonica as I have done hundreds of times before, typing 'XCOPY A:\
> D:\TMP /S /E', without even doing a 'DIR' on the disc, prior to
> re-formatting. Anyway, Guard obediently put up a warning message, this
> was bypassed, and the disc motor started.

Was Guard configured to complain when you are copying an infected file? Because this can be disabled...

> Then without any warning the computer complained about 'Write Protect on
> Drive C' (from our INT-13h program). Now, nothing else was running, and
> therefore the only assumption that I can make is that somehow Telephonica
> managed to get executed.

There is a possibility that the XCOPY program has already been infected. However, I tend to believe that there's another reason. Where is GUARD.DRV? Is it on the "write-protected" hard disk? Is it configured to swap the virus signatures? Maybe Dr. Solomon just opens the signature file for both reading and writing and the write protection caused problems? Although it seems quite unbelievable; his programs are not usually that stupid... Try to call S & S International and ask for help - I was told that they have a pretty good tech support... From my own experience, even their secretary seems to understand viruses... :-)

> My question is whether it is possible for a boot sector virus to be
> executed by doing a 'DIR' or other directory access. I believe that this

No way.

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 21:53:45 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus surviving format (PC)

michael.blackwell@f820.n680.z3.fido.zeta.org.au (Michael Blackwell) writes:

> In a recent article [New Scientist no.1813 p48] the author stated
> "...some viruses may transfer from floppy to hard disk DURING
> FORMATTING" {caps mine}.
> As far as my little knowledge tells me, this cannot be. I have yet to

It depends on what the original author meant... If you boot from an infected floppy and format the (non-infected) hard disk you can be sure that you'll transfer the virus to it.

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 21:51:11 +0000
From: georgep@vice.ico.tek.com (George Pell)
Subject: Re: The word 'Cascade' in my hardware ?? (PC)

alamma@craft.camp.clarkson.edu (Munir A. Alam) writes:

+I just recently got Norton Utilities Version 6.0, while checking out all
+the new features, I noticed on System Info under the 'Hardware Interrupts'
+the following:
+
+Number  Address    Name                       Owner
+-----   ---------  -------------------------  ---------------
+
+IRQ 00  1934:003C  Timer Output 0             DOS System Area
+IRQ 01  1934:0045  Keyboard                   DOS System Area
+IRQ 02  F000:1F1A  [Cascade]                  BIOS
+IRQ 03  F000:1F1A  COM2                       BIOS
+
+Cascade ? Cascade the virus ?
+This was on a 286, IBM PS/2 Model 30. I checked it out (With Norton 6) on
+a friend's 386. Same thing......

The PC and the PC-XT had only one interrupt controller chip.
This turned out to be a major hardware limitation, so when the 286 was brought out a second interrupt controller chip was included which was CASCADED (connected) to interrupt 02 (and re-mapped to interrupt 09). [Cascade] when referring to interrupt 02 is normal.

geo

------------------------------

Date: 09 Apr 92 21:58:17 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: warning about mutation engine (PC)

mike.opzoomer@canrem.com (Mike Opzoomer) writes:

> > Three new viruses have appeared in the past two months that
> > utilize the Bulgarian Dark Avenger Mutation Engine. The source
> > code for this mutation engine has appeared on numerous virus-
> > exchange bulletin boards and is now in the hands of virus writers.

> VB>The source?! Are you sure? What we have here is a virus development
> VB>kit, which contains the MtE as a compiled, ready to link OBJ file,

> The source IS available as after a great concern about the polymorphic

I meant are you sure that the source of the MUTATING ENGINE is available? Can you provide some information about it; e.g. how many lines does the file that contains it have?

> engine and a call to McAfee in Canada I found out THEY have a copy
> of the code for the engine and virus.

Sure, they do have a copy of the code for the engine and the source for the virus. It was me who sent it to them, so I should know... :-) My question however was whether they have a copy of the source of the MtE, not of the demo virus that is supplied with it. To my knowledge, currently nobody has seen the source of the MtE, but I might be wrong.

> Yes.. the Pogue was detected and cleaned (most of the time) but the
> NEW polymorphic engine (not the one that spawned Pogue and the others)
> has a way of wiggling its way through vshield or any other memory
> resident checker.

The MtE itself has -no- means to bypass VShield or any other memory resident checker. It is a library function to create random mutations of a piece of code.
Any additional tricks like fast infection, tunnelling, and stealth must be provided by the writer of the virus.

> The polymorphic engine is just that, and once infected it mutates on
> an ongoing basis, rendering any scan utility useless (unless you have
> a copy of the size of the original file)

The MtE does not mutate at all. It only provides a library function which can be called to mutate (i.e., encrypt and construct a random decryptor for) the virus code. As to "rendering any scan utility useless", this is, of course, rubbish. Any particular virus can be scanned for, including all those made with the MtE. The real problem is that when there are A LOT OF such viruses, which use DIFFERENT polymorphic mechanisms, it is very tedious and time-consuming to update the scanners. Look at the new SCAN - it has increased by about 14 Kb - and have in mind that it is PKLited...

Regards,
Vesselin

------------------------------

Date: 09 Apr 92 22:08:48 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: warning about mutation engine (PC)

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes:

> I can understand scanners failing on mutating viruses - that's "old
> hat", but the claim it can wiggle past "any other memory resident
> checker" has me worrying; does that mean only memory-resident scanners
> or *any* memory resident checker?
> I suspect that these viruses, even if their code differs greatly, will
> still always use just one or two methods of infecting - it should be
> stoppable at that stage, with a checker that looks at what it does,
> rather than the code it uses to do that.

Oh, bypassing the monitoring programs is pretty trivial. All modern tunnelling viruses do it.
As long as there's no memory protection, there's no way to stop them from doing so.

> Remembering that there are more ways of stopping a virus than simply
> scanning for it, what other anti-viral methods (e.g. change detectors,
> software write-protection, anything) actually succeed? Has anyone
> carried out the tests? If not, could someone with the engine do so -
> quick, please!

The MtE is just that - a polymorphic engine. Everything else must be supplied by the virus writer. The real problem is that it can be done. I won't be surprised to see "stealth engines", "tunnelling engines", and "infecting engines" appear, so we'd better be prepared...

Regards,
Vesselin

------------------------------

Date: Mon, 06 Apr 92 14:18:09 -0400
From: Joseph Halloran
Subject: NY Newsday Article on McAfee & Viruses

(NOTE: The following article was published as a whole in the April 5, 1992 edition of New York Newsday, page 68. It is reprinted below without the express consent of Joshua Quittner, New York Newsday, or the Times-Mirror Company)

[Moderator's note: Hot off the FAX, a correction to the above - this article is reprinted below WITH permission as follows: "A Newsday article reprinted by permission. Newsday, Inc., Copyright, 1992." My thanks to Joseph for doing the groundwork and for typing this article in and to Newsday.]

SOFTWARE HARD SELL
------------------

"Are computer viruses running rampant, or is John McAfee's antivirus campaign running amok?"

-By Joshua Quittner, staff writer

John McAfee is doing one of the things he does best: warning a reporter about the perils of a new computer virus. "We're into the next major nightmare -- the Dark Avenger Mutating Engine," McAfee says, ever calm in the face of calamity.
"It can attach to any virus and make it mutate." The ability to "mutate" makes it virtually undetectable to antivirus software, he explains. "It's turning the virus world upside down."

But wait. This is John David McAfee, the man who once ran a service that revolved around the curious premise that, if you paid him a membership fee and tested HIV-negative, you could have AIDS-free sex with other members for six months. This is the man who jumped from biological viruses to computer viruses and quickly became a flamboyant expert on the new demi-plague, showing up at the scene of infected PCs in his Winnebago "antivirus paramedic unit."

And this is the same man who started something called the Computer Virus Industry Association, and, as chairman, made national headlines last month by saying that as many as _five million_ computers might be infected with a virus named Michelangelo.

The virus turned out to be a dud, in the opinion of many industry experts. But not before McAfee became a media magnet: In the weeks before March 6, when Michelangelo was supposed to erase the hard disks of infected IBM and compatible PCs, he was featured by Reuters, the Associated Press, USA Today, the Wall Street Journal, "MacNeil/Lehrer News Hour," CNN, "Nightline," National Public Radio and "Today."

What some news reports failed to point out, however, is that McAfee is also the man who runs Santa Clara, Calif.-based McAfee Associates, a leading manufacturer of antivirus software, and that he stood to benefit from publicity about Michelangelo. McAfee won't reveal sales, but it seems clear they shot up during the two-week frenzy.

"People kept saying I hyped this, I hyped this," said McAfee, who still defends the notion that Michelangelo was widespread. "I never contacted the press -- they called me."

McAfee's detractors say the Michelangelo scare was mainly hype and media manipulation, a parade in which most of the floats were built by McAfee.
They say McAfee helped drive the rush to buy antivirus software -- with his products poised to sell the most -- while boosting the profile of McAfee Associates, a company that recently received $10 million from venture capitalists McAfee says are waiting to sell stock publicly.

And, critics say, while McAfee touts a recent evaluation that rated his software alone as 100 percent effective in finding virtually every known virus, he funded the evaluation and picked his competitors.

"He does know the issue of viruses, no doubt about it," said Ken Wasch, executive director of the 900-member Software Publishers Association. "But his tactics are designed to sell _his_ software."

McAfee says the media consistently misquoted him about how widespread Michelangelo was. And his company didn't profit from the virus, he says, but actually suffered due to the free advice his staff was dispensing. "It does not benefit me in any way or shape or form to exaggerate the virus problem."

Even McAfee's detractors admit his programs do what they're supposed to do: track down coding that's maliciously placed in software to make it do anything from whistle "Yankee Doodle" to erase valuable data.

His strongest distribution channel is shareware, a kind of software honor system common on electronic bulletin boards. PC users can download the programs over phone lines and pay later if they find them useful. McAfee's programs are "probably the most popular shareware programs of all time, second only to PKZIP," which compresses data, said George Pulido, technical editor of Shareware Magazine. He said McAfee's programs have been copied by millions of people, although only about 10 percent of shareware users actually pay.

A more reliable money-maker is corporate site licenses, where McAfee is one of the three biggest players.
Michael Schirf, sales manager of Jetic Inc., a Vienna, Va., company that is McAfee's sales agent for the Mid-Atlantic region, claimed more than 300 of the Fortune 500 companies have licensed his software, paying $3,250 to $20,000, depending on the number of PCs. During the Michelangelo scare, "you couldn't get through to us at one point because of people asking about it and trying to get it," Schirf said.

Certainly, McAfee's software wasn't the only antivirus software selling. Fueled by giveaways of "special edition" programs that scanned exclusively for the Michelangelo virus, sales of general antivirus packages were a bonanza for everyone in the business, including Norton/Symantec and Central Point Software, two other leading sellers.

"Our sales of antivirus software were up 3,000 percent," said Tamese Gribble, a spokesman for Egghead Software, the largest discount software retailer in the country. "We were absolutely swamped."

Rod Turner, a Norton executive vice president, said antivirus sales increased fivefold. "We didn't make any product in advance," he said, "so we were caught with our pants down."

Companies like Norton that sell factory-shipped software couldn't ramp up quickly enough to take full advantage of the situation. But McAfee's software comes mostly through electronic bulletin boards and sales agents, giving him a nearly limitless capability to meet demand. "I can supply as many copies of the software as I have blank diskettes to put it on," Schirf said.

The Michelangelo scare was also good for pay-by-the-hour on-line information services such as Compuserve, which saw a huge increase in the time users logged on looking for advice on Michelangelo. Indeed, a virus forum on Compuserve was hugely popular, with users downloading antivirus programs, including McAfee's, 49,000 times that week, Compuserve spokesman Dave Kishler said. Compuserve made more than $100,000 from the online time.

McAfee makes an attractive industry spokesman.
Tall and lean, with a mellifluous voice, he speaks in perfect sound bites -- an antidote to the unquotably bland men who otherwise dominate the antivirus business.

A mathematician who got into programming when he graduated from Roanoke College, McAfee, 47, said he has held a dozen jobs, ranging from work on a voice-recognition board for PCs to consulting for the Brazilian national phone company in Rio de Janeiro.

His first mention in the media was in connection with the American Association for Safe Sex Practices, a Santa Clara club formed so that its members could engage in AIDS-free sex. For a $22 fee, members whose blood tested HIV-negative were given cards certifying them AIDS-free, buttons saying "Play it Safe," and were entered on McAfee's on-line data base. Updates, every six months, cost $7.

Anyone who knows anything about AIDS knows a certificate that someone is AIDS-free is good only until the person has sex with or shares an intravenous needle with an infected person.

When asked now about the safe-sex group, McAfee at first denied anything but a passing affiliation: "I worked for those people as a contractor," he said, adding, "It was not my company."

But later, when he was reminded that both the San Diego Tribune and the San Francisco Chronicle described him in feature stories as the entrepreneur who started the organization ("I believe I am providing an environment where people who are sexually active can feel more safe and secure," he told the Tribune in a March 9, 1987, story), McAfee sidestepped the ownership question. He said the group performed a valuable function, maintaining a data base on AIDS and information about the disease.

"I thought they were pretty well ahead of their time," he said, quickly locating a 1987 newsletter put out by the group, which featured articles such as "Kissing and AIDS" and "The Apparent Racial Bias of the AIDS Virus."

The association no longer exists. "They came and went pretty fast," McAfee said, chuckling.
McAfee got his first taste of computer viruses at around that time. "It was an accident, like anything else in life," he recalled. "I got a copy of the Pakistani Brain. I think I got it from one of the local colleges. It was the program of the year."

The program, reportedly written by two Pakistani students trying to foil software pirates, destroyed some PC data.

By 1989, McAfee was a virus expert, selling the first antivirus software and offering to make house calls with his Winnebago cum computer lab.

"John's antivirus unit is the first specially customized unit to wage effective, on-the-spot counterattacks in the virus war," McAfee and a co-author reported in "Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System," their 1989 book. "Eventually, there will be many such mobile search, capture and destroy antivirus paramedic units deployed around the world."

He had also founded the Computer Virus Industry Association, with himself as chairman.

"The CVIA is nothing more than McAfee," said Wasch, of the Software Publishers Association. "I had a run-in with him three years ago about that."

Wasch said he had been asked by other antivirus businesses to look into McAfee's group after claims surfaced that he was railroading companies into joining -- something McAfee vigorously denies. Wasch said he believes the association was a self-serving group that did little more than support McAfee's business.

"It would be like Microsoft creating the Windows Support Association as a front to promote its Windows software," Wasch said.

McAfee denies the CVIA is a front and said Wasch's group was threatened by the creation of the virus association. "They wanted to take us over," he said. In any event, he said, the association is now managed by others and his involvement is minimal, adding, "It's more of a nuisance to me." But he does say the association is dependent on his private business for much of its virus data.
"McAfee Associates has all the numbers," he said.

Detractors say McAfee now uses another association to hype his programs. The National Computer Security Association released one of the few ratings of antivirus software, with McAfee's program on top -- a comparison he's quick to cite. But that may be because he influenced which software would be compared with his and how the tests were run, said David Stang, who founded the for-profit association in Washington, D.C., two years ago. Stang recently left the association and started a new one after a falling-out with McAfee over testing procedures.

Stang said one of the association's functions was to "certify" antivirus software -- to test and rate competing programs. "It was his [McAfee's] idea that we certify products," Stang said. And when no company rushed forward to pay $500 to have its software rated, McAfee "sent me the products and the check and said 'go certify.'"

McAfee says he spent thousands of dollars to evaluate some of his competitors' programs. In February, 1992, in fact, he paid for his own and the other five programs to be certified. His was ranked 100 percent effective. The others ranged from 44 percent to 88 percent effective.

"If your product competes with mine, I'd like for those customers of mine to know that your product isn't as good as mine," he said.

But in the February certification, notably absent were McAfee's biggest competitors: Dr. Solomon's ToolKit and Skulason's F-Prot. "I've got 75 competitors. I pick the ones who are going to give me the most trouble that month," McAfee explained.

The February evaluation was actually a second, and more favorable test, that Stang says he performed at McAfee's request. Stang said McAfee was dissatisfied with the association's methods -- it tested the software against a "library" of viruses that McAfee thought wasn't comprehensive enough. So Stang said he agreed to use a new library that he claims was built on viruses McAfee found and supplied.
Scores for McAfee's program rose while some others dropped sharply. McAfee said Stang's virus library was incomplete and his testing methods "wishy-washy," and he defended the new library's independence.

"This is not something that anybody, let alone me, could mess with," said McAfee. "You can't jimmy these scores. You can't say that McAfee buys more certifications, therefore he'll get a better score, because other vendors would complain."

"They wouldn't let me get away with it."

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 87]
*****************************************