Return-Path:
Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01)
        with sendmail 4.1/SMI-4.1-01 id AA11958; Wed, 15 Apr 92 15:30:26 +0200
Message-Id: <9204151330.AA11958@abacus>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX)
        with BSMTP id 0911; Wed, 15 Apr 92 09:06:58 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08)
        with BSMTP id 5292; Wed, 15 Apr 92 09:06:40 EDT
Date:     Wed, 15 Apr 1992 08:58:28 EDT
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender:   Virus Discussion List
From:     "The Moderator Kenneth R. van Wyk"
Subject:  VIRUS-L Digest V5 #89
Comments: To: VIRUS-L@ibm1.cc.lehigh.edu
To:       Multiple recipients of list VIRUS-L
Status:   RO

VIRUS-L Digest   Wednesday, 15 Apr 1992    Volume 5 : Issue 89

Today's Topics:

Re: Stoned, No-Int, and SCANV86B (PC)
LANs, Viruses, & Detection (PC)
Re: Protection from Boot Sector Viruses (PC)
Re: Norton Optlink... (PC)
Viruses, humor, and then some (PC)
VDS... (PC)
netscan and net$obj.sys (PC)
Nightline on Michelangelo (PC)
RE:Vesselin B. on NOVELL-VIRUS in #87. (PC)
Re: Boot Record Disinfection (DOS) (PC)
Re: Defence from mutating viruses. (PC)
Re: F-PROT warning: false positive? (PC)
Re: home made anti-virus tricks and questions (PC)
Re: Mutation Detection (PC)
Re: mystery TSR ... (PC)
Re: Vlad the Inhaler? (Win 3.1 upgrade) (PC)
Re: New Anti-viral ... (PC)
Re: Computer Hazzard Symbol
Questions about Virus Authors
Re: Does anyone know what are companies doing about viruses?

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.
Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 10 Apr 92 16:15:19 -0600
From:    martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: Stoned, No-Int, and SCANV86B (PC)

WALKER@aedc-vax.af.mil (William Walker C60223 x4570) writes:

> In reply to Padgett Peterson's "walks and sounds like a duck" message:
> How does one determine if a virus is actually a "strain" of another
> virus, and not just distantly related to it?  The code for
> "Michelangelo" does not look to me very much like "Stoned," though I
> can see that they function similarly (except for the payload).  There
> are some major differences, such as the structure of the data area and
> the fact that "Stoned" (and closely-related viri) have two consecutive
> jumps which start the code, while "Michelangelo" has just one.
> Something like "Azusa," on the other hand, is obviously a strain of
> "Stoned," as several sections of the code are not only the same as
> those in "Stoned," but are also in the same location, and it also has
> the two consecutive jumps.  I would think that a "virus strain" should
> have a code-level resemblance to the virus of which it is a strain,
> while a virus that is just "related" to another should have just a
> functional resemblance to its counterpart.

It gets a bit trickier when a number of viruses all by the same author
represent a chronological evolution.  The earliest "Empire" viruses are
simply Stoned with a few bytes saved and the message changed.  The last
of the family, found near the end of last summer, have very little
resemblance to Stoned anymore.
But all the in-between stages are evident in the in-between variants.
So are these viruses different strains, different variants of one
strain -- Stoned, or several variants of several strains?

I find the naming convention Vesselin has been promoting is useful,
wherein an Empire variant might be, for example,
stoned.empire.canadian.  This way the name shows the ancestry, the
similar grouping, and the particular strain.  Of course it might be
argued that another level of resolution is needed: for example
stoned.empire.b has variations 1, 4, and 6, because of one or two bytes
that vary.

Tim.

-------------------------------------------------------------
 Tim Martin             *  Soil Science  *  These opinions are my own:
 University of Alberta  *                *  My employer has none!
 martin@cs.ualberta.ca  *
-------------------------------------------------------------

------------------------------

Date:    Sat, 11 Apr 92 14:38:48 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: LANs, Viruses, & Detection (PC)

I received my upgrade copy of Artisoft's Lantastic 4.1 this week and my
"first look" indicates that it is still impossible for a Lantastic
"server" to force a "workstation" to authenticate itself prior to
allowing login other than with a simple password, e.g. login scripting
capability controlled by the server that can force the "workstation" to
run anti-virus software or other user-selected validation during the
login process and permitting denial of the login on failure is still
not provided.

IMHO, while I find Lantastic to be a very nice product otherwise, this
omission makes anti-viral defenses at the server level much more
difficult.  I suspect that this may be a shortcoming of any
peer-to-peer network but it certainly does not have to be.

If I am wrong in this assessment, I would be very glad to be corrected
and will post the correction, but the preceding is based both on study
of the Lantastic upgrade book and conversation with the Artisoft staff.
                                        Warmly,

                                                Padgett

------------------------------

Date:    Sat, 11 Apr 92 11:03:45 -0700
From:    Russ Ether (219) 231-3527
Subject: Re: Protection from Boot Sector Viruses (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> ... I only didn't like that the program (as far as I
> understood) "corrects" the boot sector if it thinks it's wrong.

I agree with your concern.  Was that what R. Riordan was suggesting?
Maybe P. Stuckey could post a clarification.

> This must be done only when the user explicitly requests it, and the
> original contents of the corrected boot sector must be saved in a
> file.  I hate the "I know better what programs you must be running"
> approach.

Yes, agreed.

>> How do you find the Int13 entry point?  Simple, really.  Use
>> DEBUG to search system ROM for typical int13 code, and try it:
>
>> C:>DEBUG
>
>> -s f000:0 l FFFF 80 FA 80
>
> Good guess... But totally wrong. :-) On my XT the INT 13h handler for
> the hard disk is on the hard disk controller's EPROM and is at
> address 0C800:0000h.

Well, not totally wrong.  It works for all the 286 and 386 machines
I've tried it on so far (I used to have an XT around here somewhere :-)
And if you don't find the code as suggested above, that should be a
clue that there may be a ROM BIOS extension, in which case the second
method I suggested should work.

>> look at the first offset reported, and back up a byte (or two) if
>> the preceding bytes are FB (or FC).  That will be your entry
>> point.  Un-assemble the code to make sure it looks like an
>> int13 service routine, then try it.

> Are you serious in proposing the average user to perform the above
> operation, in order to install the anti-virus program?  The same user
> who can't make the difference between a boot sector and a partition
> table and between a virus and a spreadsheet?

No, certainly not! :-) It was my understanding that R. Riordan was
personally installing this, not user-installed.
You are correct in pointing out that this must only be done by someone
who understands what they're doing.

BTW, another check you can do before trying to run the code is to
search the BIOS for the code "MOV AX, ####", where #### is the offset
of the start of what you think is the INT13 entry point.  (The BIOS has
to load the vector into low memory, and this code snippet seems to be
fairly universal on the machines I've looked at - with the exception of
some Compaqs.  But, all revs of Compaq system BIOS I've seen so far
always have the INT13 entry at 02E12H; does anyone know of an
exception?  Compaq BIOS can be identified by the string COMPAQ at
F000:FFEA).

>> Another (sure-fire) way is to write a small machine-code program
>> to replace the boot sector of a diskette.  This program just
>> grabs the Int13 vector (before DOS or any virus can change it)
>> and displays it on the screen.

> This sounds much better...

Yes, this is the preferred approach.  This should also work for your
XT :-) (It works for our machines with Hard-Cards installed, which have
ROM BIOS extensions for INT13.)

> ... Another idea is to trace INT 13h (like some
> viruses do).

Interesting... I had considered that, but there seemed to be too many
pitfalls to implement it reliably.

Ether (ether@enc.gedlab.allied.com)

------------------------------

Date:    Sat, 11 Apr 92 15:22:00 -0400
From:    SINGH_HA@BENTLEY.BITNET
Subject: Re: Norton Optlink... (PC)

I wrote:

> pre-release) skipped them during a SECURE scan, all except NORTON.EXE
> and NHELP.EXE (the integrator, and the help-engine).  These were not
> expanded by the installation routine.  However, I didn't try the

Just read the above message, and sorry, I didn't make myself clear.
The files that were skipped in the scan were NORTON.EXE and NHELP.EXE,
and these were the ones that were not expanded by the installation
program.  The other files were expanded and were scanned as
not-infected by the Secure scan.
The Heuristics scan DOES give the message "...moves itself in
memory....suspicious..." even on expanded files, and I guess that's
what Vesselin meant by his statement {and I thought Vesselin doesn't
even look at Heuristic scans :) }.  However, the Heuristic scan does
skip non-expanded files.

Harpreet Singh
Singh_Harp@Bentley.BitNet
---------------------------------------------------------------------
Lab Supervisor | Bentley College | Waltham | Massachusetts
---------------------------------------------------------------------
"..A person fills in the missing pieces of the puzzle with his own
personality, resulting in a conclusion based as much on instinct and
intuition as on fact" - Mr. Data in "The Defector" | Star Trek - The
Next Generation

------------------------------

Date:    11 Apr 92 16:20:35 -0400
From:    "Tarkan Yetiser"
Subject: Viruses, humor, and then some (PC)

Hello netters,

Joe Wells <0004886415@mcimail.com> writes:

> Subject: RE: Mutation Detection (PC)
> kiae!rtech!vl!ALS@vl.ts.kiev.ua (Alexander Shehovtsov) writes:
>> Just now there is no idea how to increase scanners' capability of
>> checking polymorphic viruses.
> Indeed, the purpose of this virus technology is to beat scanning
> systems.  However, there are already scanners that will detect Pogue,
> as well as the Mutation Engine.  McAfee's scan claims 100% accuracy,
> Alan Solomon (at my last discussion with him) was at 99% on the MTE,
> Fridrik I know is working on it and undoubtedly will be detecting it
> very soon, and our product, Novi 1.1 is currently at about 99.7% on
> the MTE (current misses being failures of the Engine to work
> properly, detection for which I have yet to add).

I don't have my calculator handy, but how do these people come up with
these numbers?  Science, magic or marketing?  I mean, 99.7% is pretty
close.  Such accuracy!

> Moreover, all four of these scanners work well on all of the current
> polymorphic viruses.  And a few others may also.
> Generally though, scanners that lack algorithmic detection schemes
> and anti-stealth capabilities are doomed to fare poorer and poorer.

Scanners are doomed, period.  Wait until another mutation hack comes
out.  Hey, the market is alive!

> This is also true to an extent.  Dependence on scanners alone should
> be removed.

Much truth in that.  But if the end-user is only exposed to hype and
misinformation, how can he expect to see the light?  Almost all major
anti-viral developers boast about their capability to identify
four-digit virus variants.

> But polymorphics are not the biggest problem scanner developers face.
> The biggest problem is glut.  The constant influx of new viruses to
> scan for.  Straight string scanners will grow larger and slower as
> new virus strings are added.  When, for example, I plugged the
> downloaded update for CPAV 1.1 strings in, the TSR grew by about 4k.

Gluttony is a major sin, my son :-))

> Alternate technologies are needed to complement scanning.  One
> discussed much here of late is CRC or Checksum integrity checking.
> This system is reliable, but only as far as the user implements it
> and, at best only reports infections "after the fact".  Relying on

Yes, they are much needed to contain the spread without draining the
financial resources of MIS departments.

> users to run software doesn't have the defensive level of a TSR

Nor the conflicts and other ramifications of juggling a dozen TSRs in
memory under good-ol' DOS.

> though.  i.e. Users scan on a human timescale (based on human
> decision and action (and convenience)), viruses and TSRs work with
> binary certainty on a computer's timescale.

Please, get out of the lab, and take a look at the reality.  "Stoned"
is still around even in places where such TSRs are used.

> One aspect of some products (including ours) is incorporating
> unknown detection in the TSR.  e.g. When I first received Pogue I ran

Such magical qualities do sell.

> it against the unknown-virus systems in our TSR.
> We detected it going memory resident but didn't interfere since it
> wasn't a known virus.  However, when I ran another program and Pogue
> infected it, the TSR announced the infection, restored the victim
> program, and blew the virus out of memory.  I don't know how other
> products handle this

Hot damn!  Do you take a snapshot of each program on disk during
installation to be able to restore like that?

> I do not however think scanners should be scrapped yet.  Even the
> best unknown-virus TSR system needs a good scanner for installation
> time if nothing else.  It's also good to be able to name a virus so
> you know what you're dealing with.

They should never be scrapped, but used in conjunction with stronger
and more viable solutions.  We need scanners, just don't buy one for
each computer in your company if you have an option to license a few
and use them when needed.  Many anti-viral product sellers do not offer
such options.

> Actually, since virus-writers have aimed viruses at specific
> products, there is no reason not to use more than one.

Oh, yeah?  The pie is big enough, and the end-user is supposed to pay
the bill for defeating their knight's foes.

> Provided of course the two are compatible.  At the last CARO meeting
> in NY we discussed having a CARO compatibility list where included
> products would not false-positive or otherwise interfere with one
> another.
> Products not on the list would not be recommended.  In the meantime
> I have

Boyz 'n the hood!  Don't step on my foot, I won't step on yours; or was
it "you scratch my back, and I will yours" :-)).

> been doing compatibility testing on my machine for AVPD members and
> others, at least to the extent of scanning each other.  I generally
> have the latest versions of CPAV, NAV, ViruSafe, McAfee, Virex-PC,
> Virx, Virus Buster, Untouchable, AV Toolkit, F-Prot, PCRX, PC-Cillin,
> and Novi on one of my test machines for just such testing.

Petty cash, donation, hobby, or complimentary versions of each one?
Maybe, it's just know thy competition.

> Depending on a string scanner alone can be dangerous, since it
> detects and filters out the common stuff, creates a breeding ground
> ripe for advanced virus-types, and gives you a nice (false) sense of
> security while doing so.

You are right.  Isn't it about time the end-user is made aware of
better solutions?  Many people out there do not have the
expertise/time/interest to perform a sound evaluation and then choose
something that better suits their personal as well as organizational
needs.  Of course, IBM sells a new service now :-).  So, maybe there is
still hope.

> Joseph Wells - Virus Specialist|- Certus International - (216)546-1500
> Novi Development Team Leader - 0004886415@mcimail.com - CIS 70750,3457

Aha, so you do this for a living.  Keep up the good work.  I hear NOVI
is well-designed and has convenient features for networked
environments.

Regards,

Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393                 (410) 247-7117
Baltimore, MD 21228           e-mail: tyetiser@ssw02.ab.umd.edu

------------------------------

Date:    Sat, 11 Apr 92 20:51:49 -0700
From:    tck@netlink.cts.com (Kevin Marcus)
Subject: VDS... (PC)

Tyetiser@ssw02.ab.umd.edu writes:

> We do not scan memory at all!

Well, I hope that you use some method to make sure there are no
viruses present in memory at the time of scanning, or you are going to
make a real big mess with any fast virus that happens to be memory
resident.  If, for example, Dark Avenger were in memory and you started
examining files, they're all gonna be infected.

--
INTERNET: tck@netlink.cts.com (Kevin Marcus)
UUCP: ...!nosc!ryptyde!netlink!tck
NetLink Online Communications * Public Access in San Diego, CA (619) 435-6181

------------------------------

Date:    Sun, 12 Apr 92 14:09:51 -0400
From:    gene shackman
Subject: netscan and net$obj.sys (PC)

Pat Rossiter wrote about using netscan on a Novell network, and having
a problem with net$obj.sys.  Netscan stopped at this open file.
We had a similar problem with net$val.sys.  We ran netscan with the
/unattend option, which seemed to work.  This was using netscan 86b,
so I can't say for sure that it will work on the new version, but give
it a try.

Gene Shackman
Network Supervisor
Department of Sociology
SUNY at Albany
gs6206@albnyvm1

------------------------------

Date:    Mon, 13 Apr 92 00:39:00 -0400
From:    Dan Sline
Subject: Nightline on Michelangelo (PC)

I apologize for posting this summary to the net so late, but here is a
basic summary of the Nightline on Michelangelo several weeks ago.  A
few people have asked me how to get a hold of a copy of the tape.  The
phone number they gave at the end of the show was 1-800-ABC-9420 to
order copies of the tape.

The information part of the show:

Basically the show talked about how viruses spread.  The show also
mentioned that New Jersey Institute of Technology and other
institutions were hit.  John McAfee confirmed that a virus threat does
exist.  They stereotyped virus writers as being white, 14-28 years old,
who have serious emotional problems.  They talked about the Morris
case.

The discussion part of the show:

In a nutshell, the discussion part of the show had the panelists
discuss some of the laws governing viruses (including the Morris
case), and why these laws are necessary.  They also discussed what kind
of laws need to be written because people will try to circumvent the
law and violate some other principle (as well as sentencing
guidelines).  They discussed what other common problems users have
(like accidentally deleting an important file) that are not viruses
and that the general public is not aware of.  Finally, they talked
about whether notices should be given to the public if a bank has some
catastrophe happen (i.e. a virus, or deleting an important file with
all of the customers' information on it in a bank).
I hope this information helped,

Dan Sline
Bitnet: Sline@Ithaca
Internet: Sline@Ithaca.bitnet
CompuServe: 71161,1455

Disclaimer: The views expressed are my own.

------------------------------

Date:    13 Apr 92 08:41:00 +0200
From:    Jørgen Olsen
Subject: RE: Vesselin B. on NOVELL-VIRUS in #87. (PC)

At the time I was a member of the NOVELL-MAILBOARD - and there was a
message - I believe it was that issue it covered - from NOVELL
describing how they hired John David to demonstrate the spread of the
VIRUS on a NOVELL network that they set up according to his
specifications!  He failed to do so - the VIRUS - when analyzed by an
outside expert was demonstrated to be a common variant (I believe it
was of Jerusalem) with no special features!  John D. disagreed with the
NOVELL conclusion that the incident he described involved someone who
was careless in SUPERVISOR mode!  Time since then - however - seems to
have demonstrated that NOVELL was right!

Our personal experience in a wide open environment is that the NOVELL
NETWARE is a quite good protection against the spread of Virus,
provided:

a) you have strict guidelines for people with SUPERVISOR rights (may
   only be used from a trusted and newly scanned machine - not a unit
   in the ZOO (student Lab)).

b) Users have individual passwords and directories so that they cannot
   use the system as a library for infected games.

Combine that with -

a) periodic scanning of all user directories,

b) sitewide distribution of an up-to-date scanner, with the
   recommendation that people take home a copy for their personal
   machine and give a copy to all non-commercial entities with whom
   they occasionally swap data/diskettes (YES, our licensing of F-PROT
   actually allows us to do that),

and you are - if not safe - because no one will ever be so - but at a
level where you can concentrate on the real bad ones and let the users
handle 'STONED', Jerusalem, Cascade etc. themselves.
Some kind of proof - we had 4 reports on Michelangelo - all from users
who had caught it, disposed of it - but out of courtesy would like to
know, if the center would like a copy (we always say YES, THANK YOU).

Regards
J Olsen
University of Odense, Denmark (masjol@dou.dk)
****************************************************************************

------------------------------

Date:    13 Apr 92 10:09:15 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Boot Record Disinfection (DOS) (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> The problem is that while it can handle all OSs that I have seen,
> samples are needed of the "off-brands" to ensure compatibility.  In
> particular, I need the European "ERS" and "P16" variants (the first
> hidden file is called ERSBIO.COM for the first and P16BIO.COM for the
> second.  I do not know if there is more than one variant of each or
> what DOS # they are analogous to.

Where did you get the information about the P16BIO?!!  I thought that
currently only Fridrik Skulason knows about it...  Anyway, FYI: P16 is
a Bulgarian version of PC-DOS 3.1.  The name comes from "Pravetz-16" -
the name of the Bulgarian IBM XT clone.  Essentially the OS is just an
illegal hack - with IBM's copyright messages replaced...  Otherwise
it's perfectly equivalent to PC-DOS 3.1.  In Bulgaria there was even a
rumor that IBM or Microsoft actually sued the producers of the hacked
OS and even won the case, but I don't believe that...  Unfortunately,
this OS is no more used and I don't have copies of it...  Anyway, I'll
forward your request to Bulgaria and will try to find you a copy.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm.
107 C  Tel.:+49-40-54715-224, Fax: -226  Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    13 Apr 92 10:22:21 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Defence from mutating viruses. (PC)

kiae!rtech!vl!ALS@vl.ts.kiev.ua writes:

> Just now there is no idea how to increase scanners' capability of
> checking polymorphic viruses.  It looks like virus scanners would be
> removed from the front line of battle against viruses.  It seems to
> me that there is time

Unfortunately, it seems to be that the scanners will be with us at
least for the next two years...  It's still easier to write and
maintain a good scanner (which simply does not try to detect anything
it can't with wildcard strings) than a good integrity checker...  And
the polymorphic viruses are not that many right now.  They are just a
trend - a dangerous trend - and I am trying to tell all those who
produce or rely on known-virus scanning that they should look a bit
farther than their noses...

> First idea was to make the ReadOnly attribute stronger.  I wrote a
> little program that makes changes in MSDOS.SYS (in memory, of course,
> not in the disk file).  After that nobody can remove the ReadOnly
> attribute (it receives error code: Access denied), so it can't infect
> files with this attribute set via file operations (open file, write
> to file, close file).  More than that, you can freely set or remove
> all other file attributes except ReadOnly.  For info purposes my
> program also writes a red border on the EGA/VGA display if somebody
> tries to remove ReadOnly.
> It is possible in my program (called RLock) to restore the old MS-DOS
> attribute manipulations if you really need to do something with files
> protected by this method (for example, to delete or move them).

If your program RLock can restore the attribute handling, then so can
a virus, since there is no memory protection in DOS.
Your program is successful not because it is secure, but because the
viruses are not aware of it (security through obscurity).  As soon as
it becomes as widely used as SCAN, there will be viruses which get
around it.

I have seen a better way to achieve the same in the ThunderByte
anti-virus card.  When you try to turn the ReadOnly attribute off, the
card displays a pop-up window and asks you for permission.  It remains
silent if you are trying to set the attribute ON.  Since it is
hardware-based and takes some anti-virus measures (constant
checksumming of its memory data areas; each card comes with a
different version of the program in the EPROM; etc.), it's more tricky
to bypass it.  But it's still possible - just not easy.

> Results were surprising - nearly 95% of viruses were unable to infect

I'll be interested to know which viruses belonged to the 5%
category...  BTW, the fact that they exist means that as soon as your
method gets widely used, the viruses will begin to use infection
methods that belong to the 5% category...

> And what about the 5%?  These viruses used direct access to disk via
> Int 13h or DOS internal tables to infect files without removing the
> ReadOnly attribute.

Let me guess: Dir II, Int13, maybe the Number of the Beast and the
Phoenix family, right?  Any others?

> I used the second idea to prevent their deeds: wrote another program
> modifying IO.SYS and MSDOS.SYS that can prevent direct access to disk
> to all programs EXCEPT COMMAND.COM.  As a result the disk is opened
> for any standard file IO (open, close, write, read) and any file
> editors and compilers work correctly, but it is WRITE PROTECTED for
> direct writing

Why exactly is COMMAND.COM excluded?  Does some program need to
manipulate its sectors directly?!  And, yes, the above method won't
work if (1) the virus modifies the FST in memory, or (2) uses the
Norwegian infection method (Frisk, is there a virus which actually
uses it?  Which one?), or (3) masquerades writes as reads like the
Phoenix family.
> to it.  And also I filled this program with trips that can make it
> impossible for a virus to access DOS internal tables.  If anybody
> tries to do it, the resident part of my second program (called HDD -
> Hard Disks Defender) returns a COPY of the DOS table with incorrect
> values in critical fields.

OK, this would take care of (1).  But I bet that you have just written
an INT 2Fh handler for that.  Have you thought about the possibility
for a virus to access the FST not by using the undocumented functions,
but directly?

> As a result only very DOS-dependent viruses can ignore this defence.
> I don't know such viruses just now, but even if anybody can write
> them, these viruses can die with the next MS-DOS version because of
> their DOS-dependence.

How about Dir II?  Oh, I guess it doesn't qualify as a file infector
(it's a file system infector).  But how about a virus which uses a
similar approach (i.e., using device driver requests instead of
interrupts)?

> I think that the idea of writing virus defence as a native part of
> DOS has

Sure, it is a good idea.  However, in order to be successful, you need
memory protection, which you cannot have under DOS...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    13 Apr 92 10:58:49 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-PROT warning: false positive? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

Sorry for quoting myself, but here's some additional info:

> frisk@complex.is (Fridrik Skulason) writes:
>
> > >>> A related question: f-prot identifies nearly all the Norton
> > >>> Utilities programs
>
> > The reason for this is that the programs use OPTLINK, (a linker
> > which adds PKLITE-like compression to executables as they are
> > linked).
> > My heuristics did not include a rule to specifically exclude OPTLINK
> > (I have rules to exclude PKLITE, LZEXE, DIET, KVETCH, ICE, EXEPACK
> > etc) so it detected "highly suspicious self-modifying code" -
> > which, strictly speaking is true.  This was fixed in 2.03.

Nope.  The heuristic analyser of F-Prot 2.03a still flags all the
Norton Utilities (version 6.01, English, unpacked during the
installation) as very suspicious.

> > This (at least WORD.COM) is a documented false positive - see
> > ANALYSE.DOC.  I am working on reducing the number of false
> > positives, but I fully agree that heuristic analysis should only be
> > used by experienced users....there are still some false
> > positives....

WORD.COM from Microsoft Word 4.0 seems to be a very badly written
program...  A Russian heuristic checker that I got recently flags it as
"infected by a 130-byte virus"... :-)

BTW, Frisk, your heuristic analyser now seems to flag the COM files
that are produced by a Borland C++ 2.0 program, compiled to an EXE file
with full debug information and then the debug information stripped
into a TDS file (by TDSTRIP) with the simultaneous conversion of the
program into a COM file (Tiny model and TDStrip options -s -c).  Not
that this is completely wrong, since those files really modify their
first three bytes in memory when executed - just like viruses, but
maybe you should exclude this case particularly...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    13 Apr 92 11:12:10 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: home made anti-virus tricks and questions (PC)

cosc15yc@rosie.uh.edu (92S10711) writes:

> 1.
> If I set the attribute of all files on disk to read only, would
> that trip any known/popular virus that is trying to infect, say,
> command.com

Most viruses will continue to infect happily.  For more information,
read the FAQ.

> 2. Can a virus infect any file extension or just .com and .exe?

Yes, most viruses can infect any file that is executed, regardless of
its name.

> 3. Can a virus infect (not destroy) a disk with no .com and .exe
> files and no bad sector

Yes, some (not all) boot sector infectors will infect (and spread from)
such diskettes.  And any virus (in fact any program) can damage them,
of course.

> 4. Can a virus infect a nonbootable floppy with only a .zip file
> with no bad sector ?

This is equivalent to question 3.  So is the answer.

> Did you ever del the command.com in the root directory?  Take 3 weeks

Yep!  And it's no more there! :-)  Jokes aside, recently a silly
anti-virus program tried to find the file C:\COMMAND.COM.
Unfortunately for it, my command interpreter is called 4DOS, is an EXE
file, resides in the \DOS subdirectory and all this on drive D:... :-)

> to find/learn that only dos 3.3 or above can access a 40meg partition
> HD when I first buy a computer.

Hm, DOS 3.3 cannot access a primary DOS partition larger than 32
megs...  You either mean version 3.31 or an extended partition.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    13 Apr 92 12:01:10 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mutation Detection (PC)

0004886415@mcimail.com (Joe Wells) writes:

> However, there are already scanners that will detect Pogue, as well as
> the Mutation Engine.
> McAfee's scan claims 100% accuracy, Alan Soloman
> (at my last discussion with him) was at 99% on the MTE, Fridrik I know
> is working on it and undoubtedly will be detecting it very soon, and
> our product, Novi 1.1 is currently at about 99.7% on the MTE (current
> misses being failures of the Engine to work properly, detection for
> which I have yet to add).

I haven't tested the other claims yet, but Alan's program has at most an
85-90 % detection rate of the MtE-based viruses.

> But polymorphics are not the biggest problem scanner developers face.
> The biggest problem is glut. The constant influx of new viruses to

Right, the real danger is a flood of polymorphic viruses, not a single
one...

> scan for. Straight string scanners will grow larger and slower as new

Not necessarily slower. At least not noticeably in the near future. This
can be achieved by using more modern search algorithms. Currently I know
about at least four scanners that are using hashing - IBM's VIRSCAN,
Dr. Solomon's Anti-Virus ToolKit, TbScan, and the scanner that is
shipped with the Untouchable.

> Alternate technologies are needed to complement scanning. One
> discussed much here of late is CRC or Checksum integrity checking.
> This system is reliable, but only as far as the user implements it
> and, at best only reports infections "after the fact". Relying on
> users to run software doesn't have the defensive level of a TSR

Right, but here comes Fred Cohen's idea about the integrity shells...

> One aspect of some products (including ours) is incorporating
> unknown detection in the TSR. e.g. When I first received Pogue I ran
> it against the unknown-virus systems in our TSR. We detected it going
> memory resident but didn't interfere since it wasn't a known virus.
> However, when I ran another program and Pogue infected it, the TSR
> announced the infection, restored the victim program, and blew the

Hmm, maybe this was because Pogue was not aware of the technique that
you are using... If you explain it (privately) to me, maybe I'll be able
to point out its drawbacks to you... As to the automatic restoration of
the infected program, Pogue is not designed to counter that. You should
try Phoenix.2000 (SCAN calls it V82) instead. See what it does with the
EXE files and tell me the news... :-)

> Actually, since virus-writers have aimed viruses at specific products,

Yep, and while there's no memory protection, any particular TSR-based
protection could be disabled by a virus, if it lets the virus code be
executed.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 13 Apr 92 12:14:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: mystery TSR ... (PC)

tww40334@uxa.cso.uiuc.edu (Harvey Smith) writes:

> I have a program that reports the use of TSR's etc.. and it reports
> that there is some sort of program running at segment 0DFD, takes up
> 4.3 KB's of memory, and uses int's 22 2e and 2f. This "mysterious"
> program is always present, even if I boot up without config.sys +
> autoexec.bat

The mysterious program is probably COMMAND.COM. It loads in low memory
and intercepts the listed interrupts. However, without more knowledge
about your system (memory; DOS version; etc.) it's not possible to
provide a more exact answer.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 13 Apr 92 08:28:00 -0500
From: "24893, HODGE,ROBERT E."
Subject: Re: Vlad the Inhaler? (Win 3.1 upgrade) (PC)

dmarcher@acsu.buffalo.edu (Dave Archer) writes:

> I upgraded to Windows 3.1, and had an interesting problem. My D:
> drive got semi-trashed and I saw that a task with the title "Vlad the
> Inhaler" was running. (Saw Vlad while using Alt-Tab to switch
> windows, trying to bring it up gave me the problems accessing D: that
> I started having.)
>
> While the D: problem is perhaps a problem with Win 3.1, Stacker, a
> SCSI drive with an ST-02 interface, and the new SmartDrive, this Vlad
> the Inhaler thing is a bit odd.
>
> I was thinking that it might be some screensaver that comes with Win
> 3.1, but I looked at the screen savers, and it's not one of them.
>
> I don't know what it is, so I ask, anybody know? At this time I
> don't think it's a virus, but until I find out what it is, it's a
> possibility.

That phrase, "Vlad the Inhaler", shows up in the file NWRES.DLL, which
is part of the Norton Desktop program. (At least on my system.)

++++ Bob Hodge ++++++++++++++++++++++++++++++++++++++++++++
+ Phase One! In which Doris gets her oats!                 +
+ ( Happy, Happy! Joy, Joy! )                              +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

Date: 13 Apr 92 12:20:25 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Anti-viral ... (PC)

TYETISER@ssw02.ab.umd.edu (Tarkan Yetiser) writes:

> >> Sigh... It sounds pretty tempting, like an anti-virus program
> >> everybody would like to have, but unfortunately, it seems more like
> >> an April Fool joke to me...

> He, he, he, the joke is on you Vesselin. This thing is for real, and
> everyone is invited to try it at their convenience.

Re-sigh... It'd better be a joke... :-( I downloaded the package and
took a look at it. Gosh, I had to set up a special system just to
install it!
The damn thing is not compatible with Stacker, SuperStor, Disk Manager,
any disks containing non-DOS partitions, produces memory faults with
DR-DOS loaded high on a 386, etc... In the non-installed state the
program mostly refuses to run. However, when I tried it with the -Scan
only option, it did start and hung the machine.

During installation it insists that I boot from a diskette (which is
good), but when I booted from a diskette containing DR-DOS 6.0 and some
of the fancy things that come with it, the program thought that I had
-not- booted from a diskette (which is not good).

When trying to recognize my CPU type it reported a 286 while in fact it
was a 386. This, combined with the warning that the driver that the
program generates may damage data if run on a different machine, sounds
pretty dangerous. How do you determine "different machine"? What if I
only change a printer controller? A disk controller? A hard disk?

The documentation makes some blatant claims and tends to present the
answer "this is a bad practice" or "we do not intend to support such
systems" almost always when it mentions a problem. The "risk analysis
test" presented there is just plain silly and designed to promote the
usage of anti-virus programs. To justify my claims: the "test" divides
the users into 4 groups, depending on how risky viruses are for them.
If you are in group 3 or 4, you are strongly warned that there is a high
risk of being infected. Well, but due to the scoring system, just
answering "Yes" to the question "Have you been infected in the past two
years?" makes it almost certain that you'll get into group 3 (you need
11 points for this and the answer to the above question gives 10
points). Now, suppose that two years ago I was infected once by the
Cascade virus and since then have been highly disappointed in PCs and
decided to work only on VAXes. Is there a -high- risk that I'll be
infected in the near future? :-)

Furthermore, the description of the methods that some stealth viruses
use seems to show a good understanding of -some- stealth viruses (4096)
but a remarkable lack of fantasy about what a stealth virus (a really
good one) is able to achieve. If you describe to me how you detect that
a virus is present in memory, I'll show you that it is possible to
construct a virus, using only the currently known techniques, which
will pass undetected.

> > VDS uses a proprietary triple-pass verification technique to catch
> > the most evasive "stealth" viruses even when they are active in

> >> I fail to see why a triple memory scan is needed. Any stealth virus
> >> can be caught in memory with a simple one-pass scan. They are stealth
> >> in files, not in memory you know...

> Maybe we mean something different when we talk about "verification".
> We do not scan memory at all! Stealth in files? What does that mean?

I initially misunderstood you to mean that you are checking the memory
for the signatures of the known stealth viruses. I meant that the
stealth technology consists in concealing the presence of the virus in
the files, not in memory, and therefore such viruses are easily
detected in memory by scanning for the known signatures. They can't be
encrypted there, since, as Whale proved, this slows down the computer
unacceptably and leads to the discovery of the virus.

> > optimized internal cache), VDS represents the strongest software
> > solution currently available.

> >> Nope... When speaking about strong solutions, nothing that doesn't
> >> involve integrity checking sounds strong to me...

> Agreed. Its emphasis is on integrity checking as it should be. Sounds
> like you have not had a chance to look at the package. Too busy with
> sorting out the cute virus names?

Yep, but now I got the package and didn't like it too much. It's less
secure than other integrity software that I know about (the
Untouchable, the ASP Integrity Toolkit).
It's very prone to companion viruses, since any new files are
automatically checksummed and the checksum database updated. It doesn't
know about the DOS file fragmenting attack. Its capabilities to bypass
stealth viruses make me think that it won't be compatible with local
area networks... And many other drawbacks. This certainly means that VDS
DOES NOT represent the strongest software solution currently available.
Of course, if the user succeeds in installing and using the package,
relying on it is better than relying on SCAN. :-)

> >> The only problem is to convince the virus to infect the decoy... :-)

> If a virus is so difficult to convince, it may also be slowing down
> its own infection rate. No, it won't catch them all with decoys.

Yep. Like boot and master boot infectors, but they are not a problem to
detect and remove. Like non-resident infectors, but they are not so
dangerous. Like system attacking viruses (Lehigh), but they are also
relatively easy to catch and eradicate. Or like device driver infectors.
Or like those of them that get the information from your CONFIG.SYS
file (the Involuntary virus). Or like the ones that infect the programs
listed in AUTOEXEC.BAT only. Or like the StarShip virus. Or.... Besides,
the decoys seem to be launched only in the root directory, so it's
pretty easy to program the virus to avoid them.

Speaking about root directories, why do you think that everybody's
command interpreter is the file C:\COMMAND.COM? Couldn't you follow the
COMSPEC variable? Several viruses do it better than you... :-)

> >> Jokes aside, I think that something like this can be found in Fred
> >> Cohen's manual for ASP IT or at least in his "Short Course on
> >> Computer Viruses".

> Is it available for anon FTP? Or should we contact Mr Cohen and beg
> for a copy? How much is it?

ASP IT is a commercial product. I don't know its exact price; you should
contact Dr. Cohen (he reads this list). The "Short course" is a book,
not a program or a file.
You should check your book shop about it or again ask Dr. Cohen
directly. I suggest that everybody read this book; it's very readable
(unlike some of Dr. Cohen's scientific papers) and contains a very good
cost evaluation of the different types of anti-virus defenses. It
contains a lot of other useful stuff too; some of it can be gathered
from Cohen's papers in Computers & Security, but it's better to have
them gathered in one booklet.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Sat, 11 Apr 92 04:57:09 +0000
From: cmcl2!mcclb0.med.nyu.edu!huff@uunet.UU.NET (Edward J. Huff)
Subject: Re: Computer Hazzard Symbol

linc@tongue1.Berkeley.EDU (Linc Madison) writes:

> C_PUFFER@unhh.unh.edu (Charles Puffer) writes:
> >I have been thinking about a computer hazard symbol for some time
> >now and would like to suggest something like this.
>
> Personally, I like the standard "biohazard" symbol (a vertical line
> and two lines at 120-degree angles, each splitting into two curved
> lines) as a symbol for computer viruses. The meaning is reasonably
> unambiguous -- there is very likely not any literal biohazard
> associated with a computer diskette.

Use of the biohazard symbol, like use of the radiation hazard symbol,
is forbidden by regulations where no biohazard exists. When you discard
the package materials from a radioactive shipment, regulations require
that you deface the radiation hazard symbol prior to disposal (but
after checking with a geiger counter). The (very valid) purpose of this
regulation is to avoid "crying wolf" too often. If people see this
symbol where no hazard actually exists, they will tend to ignore it when
there is a hazard. The computer hazard symbol should be considerably
different from the biohazard symbol.
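Back to the integrity-checking points raised in the Novi and VDS exchanges above (Joe Wells on CRC checking, and Vesselin's remark that VDS is prone to companion viruses because any new file is silently checksummed into its database): the following is an added example, not code from VDS, Novi or any product in this digest. It is a toy DOS-style integrity checker that contrasts the silent auto-add policy with one that reports every unknown file and tags a new executable that would pre-empt a baselined one under DOS's .COM, .EXE, .BAT search order as a possible companion; all file names and contents are constructed.

```python
# Added example, not from any product in the digest: a toy integrity checker.
import hashlib

# DOS search order when a bare name is typed: .COM first, then .EXE, then .BAT.
PRECEDENCE = {".COM": 0, ".EXE": 1, ".BAT": 2}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def split_name(name: str):
    """Return (STEM, .EXT) in upper case; the extension is '' if absent."""
    stem, dot, ext = name.upper().rpartition(".")
    return (stem, "." + ext) if dot else (ext, "")

def build_baseline(files: dict) -> dict:
    """name -> digest, recorded while the system is believed clean."""
    return {name: digest(data) for name, data in files.items()}

def check_auto_add(baseline: dict, files: dict) -> list:
    """Weak policy (the VDS behaviour criticised above): unknown files are hashed and trusted."""
    alerts = []
    for name, data in files.items():
        if name not in baseline:
            baseline[name] = digest(data)   # accepted silently, no alert
        elif baseline[name] != digest(data):
            alerts.append(("MODIFIED", name))
    return alerts

def check_strict(baseline: dict, files: dict) -> list:
    """Hardened policy: every unknown file is reported; a new executable whose stem
    matches a baselined one it would pre-empt is tagged COMPANION; missing files too."""
    alerts = []
    best_rank = {}                      # stem -> lowest precedence rank in baseline
    for name in baseline:
        stem, ext = split_name(name)
        if ext in PRECEDENCE:
            best_rank[stem] = min(best_rank.get(stem, 99), PRECEDENCE[ext])
    for name, data in files.items():
        if name in baseline:
            if baseline[name] != digest(data):
                alerts.append(("MODIFIED", name))
            continue
        stem, ext = split_name(name)
        if ext in PRECEDENCE and PRECEDENCE[ext] < best_rank.get(stem, 99):
            alerts.append(("COMPANION", name))
        elif ext in PRECEDENCE:
            alerts.append(("NEW_EXECUTABLE", name))
        else:
            alerts.append(("NEW_FILE", name))
    alerts += [("MISSING", n) for n in baseline if n not in files]
    return alerts

# Constructed sample: a clean snapshot, then the same disk with one extra file.
CLEAN = {"DOS\\EDIT.EXE": b"MZ-edit-v5", "AUTOEXEC.BAT": b"@ECHO OFF"}
LATER = dict(CLEAN, **{"DOS\\EDIT.COM": b"companion-stub"})

if __name__ == "__main__":
    print(check_auto_add(build_baseline(CLEAN), LATER))  # []
    print(check_strict(build_baseline(CLEAN), LATER))    # [('COMPANION', 'DOS\\EDIT.COM')]
```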
------------------------------

Date: Sun, 12 Apr 92 15:35:00 -0400
From: KPETERSO@BENTLEY.BITNET
Subject: Questions about Virus Authors

Hello all!

I am in the MBA program at Bentley College, taking a course in "End User
Computing". I am working on a paper about PC virus software and was
hoping that some of you may be able to help me out in my research (and
join my bibliography list!). I am still short on information about the
authors of virus software, particularly:

1) what type of person writes a virus?
2) author's education/background,
3) what is the author's motivation?

If anyone would like to share any information, please respond to me at
the address listed below. Any information will be accepted and
appreciated. Thanks in advance!

Karen Peterson
Bitnet ID: KPETERSO@BENTLEY
DBA Bentley College
Waltham, MA

------------------------------

Date: 13 Apr 92 10:49:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Does anyone know what are companies doing about viruses?

yates@eff.org (yates) writes:

> 2) current: who's creating viruses now (a friend told me Bulgaria !)

To be exact, Bulgaria is a large producer of known viruses. The other
two "great forces" in this field seem to be the former Soviet Union and
the USA. Together they have probably created about two thirds of the
known viruses. Most of the rest are viruses of unknown origin, but if
you want a classification of the virus writing countries, probably the
next ones are Taiwan, Italy, Israel, Canada, Germany. However, don't
believe it if somebody tells you that "most of the viruses come from
Bulgaria". Most of them stay quite happily there... :-) Only very few of
the Bulgarian viruses are widely spread around the world. I have to
admit, however, that some of them (Dark Avenger, Dir II) are -really-
quite widespread... As to the question where the first virus came from:
the first really widespread in-the-wild virus was Brain and it came from
Pakistan.
> Does anyone have answers to the above questions, or have any
> suggestions on where to find answers for them?

I suggest that you take a look at my paper about the Bulgarian virus
factory. Available for anonymous ftp from
ftp.informatik.uni-hamburg.de (IP=134.100.4.42), file
pub/virus/texts/viruses/factory.zip

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 89]
*****************************************