Return-Path:
Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA00670; Tue, 21 Apr 92 01:38:15 +0200
Message-Id: <9204202338.AA00670@abacus>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 1337; Mon, 20 Apr 92 19:24:22 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 5878; Mon, 20 Apr 92 19:24:12 EDT
Date: Mon, 20 Apr 1992 19:11:05 EDT
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V5 #90
Comments: To: VIRUS-L@ibm1.cc.lehigh.edu
To: Multiple recipients of list VIRUS-L
Status: RO

VIRUS-L Digest   Monday, 20 Apr 1992    Volume 5 : Issue 90

Today's Topics:

Mac announcement - new virus (Mac)
CODE 252 - urgent new virus warning. (Mac)
best integrity checker? (PC)
Re: Polymorphic listing, Stealth in memory (PC)
Novell virus, Jon David, etc. (PC)
Viruses via MS Windows OLE? (PC)
Ping-Pong virus (PC)
Re: Increasing CBCS Security (PC)
Virstop Stops (PC)
Re: mystery TSR ... (PC)
Re: Vlad the Inhaler? (Win 3.1 upgrade) (PC)
NET$OBJ.SYS / Netware (PC)
Re: Write protecting with software (PC)
Does any virus do this...? (PC)
Re: Computer Hazzard Symbol
new version of virx available (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 17 Apr 92 11:34:50 -0500
From: Gene Spafford
Subject: Mac announcement - new virus (Mac)

New Macintosh Virus Discovered
17 April 1992

Virus: CODE 252
Damage: some, possibly severe (see text)
Spread: unknown (see text)
Systems affected: Apple Macintosh computers. All types, but see text.

A new virus, which has been designated "CODE 252", has been discovered on Apple Macintosh computer systems. This virus is designed to trigger if an infected application is run or system booted between June 6 and December 31, inclusive. When triggered, the virus brings up a dialog box with the message:

    You have a virus.
    Ha Ha Ha Ha Ha Ha Ha
    Now erasing all disks...
    Ha Ha Ha Ha Ha Ha Ha
    P.S. Have a nice day.
    Ha Ha Ha Ha Ha Ha Ha
    (Click to continue...)

Despite this message, no files or directories are deleted in the versions of the virus we have seen; however, a worried user might power down the system upon seeing the message, and thus corrupt the disk -- this could lead to significant damage. Furthermore, the virus may interact with some applications in such a manner as to damage them. Under System 7, the System file can be seriously damaged by the virus under at least some circumstances as the virus attempts to spread. This may lead to a system that will not boot, crashes, or other unusual behavior.

Between January 1 and June 5, inclusive, the virus simply spreads from applications to system files, and then on to other application files. At the present moment, we have no indication that the virus causes direct damage to any existing applications.

The virus does not spread to other applications under MultiFinder on System 6.x systems, nor will it spread under System 7. However, it will run on those systems if an infected application is executed.
Even if you are running one of these systems, we recommend you obtain and use one of the latest versions of appropriate anti-virus software.

As of the date of this announcement (17 April 92), we have had limited reported sightings of this virus. This, combined with the nature of operation of the virus, leads us to believe that the virus is not yet widespread.

The current versions of Gatekeeper and SAM Intercept (in advanced and custom mode) are effective against this virus. Either program should generate an alert if the virus is present and attempts to spread to other files. The Virex Record/Scan feature will also detect the virus.

Authors of all major Macintosh anti-virus tools are planning updates to their tools to locate and/or eliminate this virus. Some of these are listed below. We recommend that you obtain and run a CURRENT version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John Norstad)
Revision to be released: 2.8
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac
When available: soon

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.6 (probably)
Where to find: usual archive sites and bulletin boards -- microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac
When available: eventually
Comments: Gatekeeper should find this virus if it attempts to infect your system or applications, and thus does not need an update. Gatekeeper Aid will need an update to "know" exactly what virus it is seeing so it can remove the virus, but the update is not crucial for continued protection. As Gatekeeper is freeware and Chris has a "real" life, this update may not be immediate.
Tool: Rival
Status: Commercial software
Revision to be released: Rival 1.1.9v (CODE 252 Vaccine or Refresh 1.1.9v)
Where to find it: AppleLink, America Online, Internet, Compuserve.
When available: Immediately.

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.0.8
Where to find: CompuServe, America Online, Applelink, Symantec's Bulletin Board @ 408-973-9598
When available: 17 April 1992. Version 3.0.8 of the Virus Definitions file is also available.

Tool: Virex INIT
Status: Commercial software
Revision to be released: 3.8
Where to find: Microcom, Inc (919) 490-1277
When available: Immediately.
Comments: Virex 3.8 will detect and repair the virus. All Virex subscribers will automatically be sent an update on diskette. All other registered users will receive a notice with information to update prior versions to be able to detect CODE 252. This information is also available on Microcom's BBS, (919) 419-1602, and is presented here:

    Guide Number = 6324448
    1: 0203 3001 7778 2A00 / 79
    2: 0C50 4EFA 0003 A9AB / C4
    3: 0004 A9AA 0002 A647 / B2
    4: 8180 9090 9090 9090 / 1B

Tool: Virus Detective
Status: Shareware
Revision to be released: 5.0.4
Where to find: Usual bulletin boards will announce a new search string. Registered users will also get a mailing with the new search string.
When available: Immediately.
Comments: search strings are:

    Resource Start & Size < 1200 & WData 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB ; For find CODE 252 in Appl's
    Filetype=ZSYS & Resource INIT & Size < 1200 & WData 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB ; For find CODE 252 in System

If you discover what you believe to be a virus on your Macintosh system, please report it to the vendor/author of your anti-virus software package for analysis. Such reports make early, informed warnings like this one possible for the rest of the Mac community.
------------------------------

Date: Fri, 17 Apr 92 12:55:24 -0500
From: Werner Uhrig
Subject: CODE 252 - urgent new virus warning. (Mac)

A new Macintosh virus has been "caught" and "dissected", and was given the name "CODE 252". A more detailed announcement about it and anti-viral updates will follow shortly. Updates for all the anti-virals are in the pipeline and most will be released later today.

Whereas the initial analysis of the virus did not indicate that its structure was cause for (great) alarm, it has now been confirmed to me that its (mis)behavior may well be the cause of a lot of trouble reports I have seen lately, which seem to indicate corrupted System files.

The virus makes an attempt to bypass the SAM protection, but is not successful in a majority of cases, but rather will set off SAM's alarms (so if SAM-users have seen new alerts lately, you may have been "visited").

It infects both Applications and the System file, and it is in the infection of the System file that it can corrupt it in a way that can cause crashes, either at boot up or later. If you have seen such happening lately, it is a possibility that you have to replace your System file (if you do not know about such things in some detail, you may have to reinstall from distribution floppies).
The only anti-viral which will reliably stop it from spreading AT THIS TIME (until updates are announced) is GateKeeper, and I recommend at this time that anyone with problems should install the latest version of GateKeeper (Vn 1.5.1+) *NOW* (it was just recently distributed in comp.binaries.mac and is FTPable from RASCAL.ICS.UTEXAS.EDU in binary format, in the directory mac/virus-catchers, and in binhex format from MICROLIB.CC.UTEXAS.EDU in the directory microlib/mac/virus; many other FTPable sites also have it available).

Given that GateKeeper reports not only all KNOWN viruses, but ALSO (what it considers) SUSPICIOUS BEHAVIOR, be advised (read the docs) that GateKeeper may complain about some activity on your computer which is permissible (and until you have recognized those in YOUR particular environment, you may have to add some things to the GateKeeper permissions list, to avoid warnings which are not caused by a virus infection).

If, like me, you normally keep GateKeeper installed always in NOTIFY-ONLY mode, you probably would have also already noticed (and acted upon) any reported attempts to modify the System file (which is the ONE indicator that everyone infected by the virus is likely to see, and which should cause you to investigate whichever program is doing this).

In any case, I recommend that you switch GateKeeper mode to NOTIFY & VETO now, and reboot and exercise some of the applications that you most often use, to see if any cause alerts of attempted modifications which seem "unreasonable" (it may also be a good idea to move the System file out of the System folder, and replace it with a back-up copy -- I routinely always make a copy of the System file after an installation, and keep it around in stuffed format, for just such occasions).
One caveat, however: if the System file backup was never used together with the latest Tune Up extension, the first time it is booted, Tune Up WILL modify the System file, so don't let that one surprise or alarm you (once you see GateKeeper veto it, simply modify GateKeeper's permissions appropriately - read the docs - and reboot; that should take care of that one, at least, and is a good exercise to familiarize yourself with GateKeeper management anyway ..;-)

Removal of the virus: Disinfectant neither notices nor can remove this new virus and, currently, I believe that only GateKeeper can stop its spread reliably, but cannot remove it from an infected application (that will require a new release of GateKeeper-Aid). But the important thing at this time is for you to become aware of the infection, should you have it. And to stop the spread.

I will post updated information about all anti-virals shortly. I apologize in advance for any errors or unclear advice, but I hope to be able to provide better thought out information shortly. Do not flood me with questions or requests for advice today, though; I am likely to ignore it, but may get helpers to respond back to you later. But this is not a good weekend, Easter and all, and many helpers are travelling to attend a conference next week.

Regards, ---Werner

- ----
Internet: werner@rascal.ics.utexas.edu
BITnet: werner@UTXVM
UUCP: ...!uunet!cs.utexas.edu!werner
AppleLink: werner@rascal.ics.utexas.edu@Internet#
- -----
One Moonbeam is worth MORE than a thousand points of light!
(and several "...but I never inhaled...")
RIP: Isaac Asimov (1919-April 6, 1992)

------------------------------

Date: Mon, 13 Apr 92 13:23:00 +0000
From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves)
Subject: best integrity checker? (PC)

I think I know what the best scanners are, but what do you all (especially Vesselin Bontchev) think is the best integrity checker?
I would be interested in opinions of the best without regard to cost, and the best cheap alternative if not the same. Unfortunately money must always be factored into such a decision.

------------------------------

Date: 13 Apr 92 13:48:45 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Polymorphic listing, Stealth in memory (PC)

tck@netlink.cts.com (Kevin Marcus) writes:

> believed that a truly polymorphic virus would actually mutate some of
> its code -> therefore making it so it would require more than a
> "decryptor", as a decryptor could change. I believe a large portion

In general, you are right. The polymorphic viruses are viruses which look different in the different infected files. For this purpose, the currently existing polymorphic viruses are using variable encryption and modification of the encryption routine. Some viruses use only variable encryption (Cascade), but they are not polymorphic, since they can be detected by their decryption routine, which is always one and the same.

> of the viruses you listed were in fact Encryptive viruses, with no
> metamorphosis features at all.

Some of them weren't, in fact, but "a large portion" is too strong. See my other message on this subject.

> From my understanding, the current "mutating/polymorphic" viruses are
> all encryptive, BUT they actually change their encryption algorithms.

The current - yes, although it is not mandatory. And, they usually change the decryption routine only. Very few of them (Whale, MtE) change the algorithm as well.

> Therefore, if one discovers one of the encryption algorithms, it will
> not be usable to identify all strains, whereas with a virus such as
> V2P1/1260, V2P2, V2P6, and V2P6Z, for example, the encryption
> algorithm does not change at all, though the key does. Therefore, one

Wrong. It's enough that the decryption routine changes (as it does with all the representatives of the V2Px family).
This makes it hard enough to detect that the file is infected at all.

> could find the encryption algorithm (and decryption, for that matter)
> and actually decrypt the virus itself into the real virus. With a

First you have to determine that the file is infected...

> Perhaps my terminology is a bit messed up, Lets get it cleared up...
> Polymorphic = Metamorphic = Mutation
> Encryptive does NOT equal any of the above.

Yes, but it is usually used by them.

> Yes, true, but I believe the Fish Virus re-encrypts itself in memory,
> which could make a simple string scanner a bit messed up if they
> didn't have a good string, yes?

It doesn't do it well enough to make memory scanning prohibitive. Whale is much better in that; it uses the so-called "sliding window" technique much more, but it makes it slow down the infected machine a lot and likely to be detected by the user.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 11 Apr 92 13:26:12 -0400
From: "Tarkan Yetiser"
Subject: Novell virus, Jon David, etc. (PC)

Hello,

For those of you interested, here is some relevant information about the purported Novell virus, or a variant of Jerusalem that was supposedly able to bypass Novell security, as claimed by Mr. Jon David in 1990. I will also quote sections from a response published in Netware Connection (Sep/Oct 1990), titled Comments on Computers Viruses & Netware Security by Mr. Eric Babcock. This way, we will be looking at both sides of the story.

Computers & Security published an article titled "The Novell Virus" by Jon David in volume 9 (1990) 593-599.
In this article, the author tells about the experiments he and a few others performed in a Netware 2.15c environment, and the results based on the performance of a virus identified as Jerusalem-B. Some of the points in the article:

1. Even though the workstation was given only Open and Read-Only access to programs on the server, the virus was able to change the date/time stamp of the program without being able to modify their contents. The article claims this is a violation of Netware security.

2. When the workstation was given the Modify right, but not Write right, the virus was able to infect programs on the server.

3. The virus was able to delete programs even if the workstation did not have Delete right, but only Write and Modify.

Mr. Babcock wrote:

"On a netware network, a workstation without the right to alter a file can change the file's date/time stamp. Novell was not able to include protection of the date/time stamp because a number of applications would not operate without the ability to manipulate the stamp."

He did not name any such applications. Even if this is true, it seems that a correctly-implemented network app should not need such a capability. Anyway, Jon David's claim in the first case is too strong in my opinion. Although the ability to change a file's date/time stamp without Write permission can be considered strange, it does not provide any virus with a platform to spread infection. As such, Netware security in this regard is not flawed.

Mr. Babcock continues to explain the Modify right and file attributes. He states that much confusion exists in this area since Novell rights and extended file attributes are mechanisms enforced by Netware quite differently.

Jon David's second observation, if true, is quite alarming. If a virus can alter files that it should not be able to write to, then something is not working correctly. Did anyone out there perform similar experiments?
Anyway, everyone is encouraged to read the references above before paying attention to Network World hype which implied that the virus in question had Netware-specific code to bypass security, which is incorrect.

Regards,

Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393                 (410) 247-7117
Baltimore, MD 21228           e-mail: tyetiser@ssw02.ab.umd.edu

------------------------------

Date: 11 Apr 92 21:17:00 +0100
From: sgr4211@uk0x08.ggr.co.uk
Subject: Viruses via MS Windows OLE? (PC)

Microsoft Windows v3.1 provides a facility for embedding executable code within datafiles (part of the "Object Linking and Embedding" philosophy). It occurs to me that this could allow viruses to sneak in through the anti-virus procedures adopted by many organisations - scanning "standard executables" and boot-sectors only.

Also, I have heard that some virus scanners search for virus patterns only in places where the virus code would occur - if this means, for example, the beginning or the end of a file, would this make a virus invisible to such "smart" scanners?

Any comments would be appreciated.

Steve Richards.

------------------------------

Date: Mon, 13 Apr 92 15:01:46 -0500
From: JEDI
Subject: Ping-Pong virus (PC)

Hello! I have a question... Does anybody know what the Ping-Pong virus version b does? I've never heard of it.

Thanks!

- --Jedi

------------------------------

Date: Mon, 13 Apr 92 15:30:00 -0800
From: "a_rubin@dsg4.dse.beckman.com"@BIIVAX.DP.BECKMAN.COM
Subject: Re: Increasing CBCS Security (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Most monitoring programs stay resident in memory, intercept some
>interrupts and DOS functions and monitor them for dangerous activities
>(like modification of an executable file and so on).
>However, due to
>the total lack of memory protection under MS-DOS, a clever virus is
>able to disable the monitoring program if it detects it in memory, or
>even invoke the "dangerous" functions in a way that cannot be
>intercepted (e.g., using CALLs to the ROM BIOS). Viruses which are able
>to do this are called "tunnelling", since they are able to bypass the
>monitoring programs just as the electrons are able to bypass an
>energetic barrier (the "tunnelling effect"). If correctly implemented,
>these techniques are able to bypass -any- monitoring program, and
>therefore the monitoring programs (like FluShot+) are the weakest
>line in the anti-virus defense (even weaker than the scanners).

Does that mean that they will fail under QEMM 6 STEALTH mode?

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
I am a virus. Join in and copy me into your .signature.

------------------------------

Date: Tue, 14 Apr 92 02:28:38 +0000
From: Jim.Baltaxe@vuw.ac.nz (Jim Baltaxe)
Subject: Virstop Stops (PC)

I just downloaded F-Protect 2.03a and ran into a strange problem. If I run VIRSTOP twice, the machine hangs, the 3-finger salute doesn't work and I have to cold boot. The first time virstop appears to work properly; at least according to F-Test. To be more specific, the machine locks up immediately after displaying the message that virstop is already installed. No system prompt, no keyboard response.

Just to make sure, I went back to the virstop from version 2.02d and it does the same thing. I also checked the system very carefully, including re-booting from a known clean copy of DOS 5.0 and running F-Prot 2.03a over the whole system, which found nothing.

I am running a Zenith 386/33 with MSDOS 5.0 and PC-NFS (but virstop is run after it loads).
Is this something new, or did I just miss this quirk before? I would imagine that this could cause some difficulties for novice users. Me included, obviously.

BTW could anybody tell me why some of the entries in the virus information list are coloured yellow and others are white (in v. 2.02d - I haven't had the time to look at 2.03a's information panel yet)?

Thanks.

- --
Jim Baltaxe - jim.baltaxe@vuw.ac.nz
Computing Services Centre - Victoria University of Wellington - New Zealand
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time is such a valuable commodity because they're not making it any more.

------------------------------

Date: 13 Apr 92 14:39:06 +0000
From: Daniel.Rudy@f901.n914.z8.rbbs-net.ORG (Daniel Rudy)
Subject: Re: mystery TSR ... (PC)

HS> I have a program that reports the use of TSR's etc.. and it
HS> reports that there is some sort of program running at segment
HS> 0DFD, takes up 4.3 KB's of memory, and uses int's 22 2e and 2f.
HS> This "mysterious" program is always present, even if I boot up
HS> without config.sys + autoexec.bat
HS> My question is ... Is this normal and if not, what can I do??
HS> McAfee scan show's nothing .....

Did you try booting from a clean floppy? I'll bet that you're infected with a boot sector virus... If not, then DOS is doing something.... Maybe it could be the DOS internal device drivers that are causing the reading. Give more info... Like giving the name that the lister gives on it. If it says something to the effect of unknown, then you're probably infected with a computer virus that has either infected the HD master boot record OR has infected the MS-DOS main system files.

 * Origin: Speaking of Bug's... Virus - ScPcc BBS (8:914/901)

------------------------------

Date: Tue, 14 Apr 92 06:10:06 +0000
From: brian@norton.com (Brian Yoder)
Subject: Re: Vlad the Inhaler? (Win 3.1 upgrade) (PC)

dmarcher@acsu.buffalo.edu (Dave Archer) wrote:

> I upgraded to Windows 3.1, and had an interesting problem. My D:
> drive got semi-trashed and I saw that a task with the title "Vlad the
> Inhaler" was running. (Saw Vlad while using Alt-Tab to switch
> windows, trying to bring it up gave me the problems accessing D: that
> I started having.)
>
> I don't know what it is, so I ask, anybody know? At this time I
> don't think it's a virus, but until I find out what it is, it's a
> possibility.

Don't worry. Vlad was just a phony label a programmer put into an earlier (pre-release) version of NDW. Either by omission, or because it's kind of a funny name, it was left in there subsequently. It's not a virus, and I'm sure old Vladimir wasn't the culprit in your disk crash.

- -- Brian K. Yoder (brian@norton.com) - Maier's Law:                       --
- -- Peter Norton Computing Group      - If the facts do not fit the theory, --
- -- Symantec Corporation             - they must be disposed of.           --
- -- NeXT Mail Accepted (preferred!)  -                                     --

------------------------------

Date: Tue, 14 Apr 92 09:18:43
From: (Steven W. Smith)
Subject: NET$OBJ.SYS / Netware (PC)

>From: Pat Rossiter
>Subject: NETSCAN 89B and NET$OBJ.SYS (PC)
>
>I have just loaded and tested McAfee Version 89b on my Novell 3.11
>network. In testing NETSCAN, I found that it reported a file in use
>during open operation - NET$OBJ.SYS - and gave only the options ...

On a Netware server, the file SYS:SYSTEM\NET$OBJ.SYS contains the "bindery" information for the server, similar to SYSUAF.DAT with VMS, or passwd with UNIX. It is locked and inaccessible during normal operation of the server, but if you truly want to see what's in it do the following:

  o login as supervisor
  o cd to SYS:SYSTEM
  o run BINDFIX.EXE (type bindfix, hit return)
  o answer the prompts (bindfix is a maintenance program for the bindery)

When BINDFIX is finished, you'll have a file called NET$OBJ.OLD; this is the old version of NET$OBJ.SYS.
If for some reason you want to restore your old NET$OBJ.SYS, go through the previous instructions and substitute BINDREST.EXE for BINDFIX.

To summarize (isn't verbosity a virtue on this list? ;-) There's no need to scan NET$OBJ.SYS for infection; it's both inaccessible through common means, and non-executable.

You might try using F-PROT for server scanning; I've found it very convenient to work with. Log in as a READ ONLY user with read access to SYS:, map a drive to SYS: (or the 'root' of whichever volume you need scanned), select "network" as the target and go.

For the whole story, look up BINDFIX in the "Utilities Reference" manual.

 _,_/|
 \o.O;   Steven W. Smith, Programmer/Analyst
=(___)=  Glendale Community College, Glendale Az. USA
   U     SMITH_S@GC.BITNET  smith_s@gc.maricopa.edu

Disclaimer: I said nothing; you can't prove a thing. I don't want to discuss it.

------------------------------

Date: Tue, 14 Apr 92 15:32:16 +0300
From: kiae!rtech!vl!ALS@vl.ts.kiev.ua
Subject: Re: Write protecting with software (PC)

A. Padgett Peterson writes:

> Alexander Shehovtsov writes:
>
> > and very intellectual
> > viruses that used tracing Int 21 chain to jump directly into MS-DOS
> > Int 21h routine failed too because RLock protection of ReadOnly
> > attribute became a part of MS-DOS itself.
>
> Actually confirms the V-L discussions over the last two years
> about software protections - almost anything will work so long as it
> is unknown and unanticipated. The read-only bit worked as long as
> no-one knew about it (not very long).

Ok, you just know about it. If you or somebody tries to write a virus that removes this protection, you can:

1. Have DOS 4.0, 4.01 and 5.0 (if you don't want to make the virus very DOS-dependent, i.e. to write a virus that removes protection in DOS 5.0 but can't in DOS 4.0).

2. Analyze different methods (and they are REALLY different) of RLock protection in DOS 4.0 and 5.0.

3. Be sure that I can't make changes in RLock, especially in its splicing position to DOS (and I MAKE them regularly).

4. Be sure that your virus can't work in DOS 6.0, because the RLock method would be changed again for the new DOS version.

> > modifying IO.SYS and MSDOS.SYS that can prevent direct access to disk
> > to all programs EXCEPT COMMAND.COM.
>
> More dangerous since while this will protect against Int 21 functions,
> what about direct calls to Int 13 ? Things operating from the BIOS can
> always bypass DOS.

Direct calls to Int 13 are not allowed for any program at all, except DOS itself. Some software can't work with this restriction, but all others can. 99% of text editors, spreadsheets, compilers don't need direct disk access.

> > As a result only very DOS-dependent viruses can ignore this defence.
>
> Again, this will not provide any protection against things operating
> on the BIOS level or even things reading from the DOS level and
> writing through the BIOS. The versions mentioned will even tell you
> how to reach the BIOS directly if you ask nicely.

If you ask DOS nicely about BIOS direct access then my defence can answer your asking nicely too, but you can not receive the address of the BIOS itself. This call returns with the address of Int 13, and becomes equal to a call of Get Interrupt Vector. I didn't find any software that worked incorrectly while receiving this address (except viruses, of course :-)

> Am glad to see people thinking about solutions though.

I don't propose a solution for all times and people. I look at things as they are, without any optimism. But this idea can work for some time (maybe long enough to move from DOS to OS :-) preventing DOS and disks from 95-99% of file viruses.
- --
Alexander Shehovtsov, (044) 266-70-28 (9:00 - 18:00 Kiev, Ukraine) voice
als@vl.ts.kiev.ua Relcom | 2:463/30.5 or 2:463/34.4 FidoNet

------------------------------

Date: Wed, 15 Apr 92 09:28:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Does any virus do this...? (PC)

A quick question: does any virus write a byte (generation number or whatever) to the first byte of the boot sector (the rest of the boot sector remaining okay)? I know it would be a silly byte to change, but I recall that some viruses change a byte somewhere (and I can't imagine how it would have changed to zero otherwise).

Thanks in advance,
Mark Aitchison.

------------------------------

Date: Tue, 14 Apr 92 17:22:36 +0000
From: bcarter@claven.idbsu.edu (Bruce Carter)
Subject: Re: Computer Hazzard Symbol

linc@tongue1.Berkeley.EDU (Linc Madison) writes:

>Personally, I like the standard "biohazard" symbol (a vertical line
>and two lines at 120-degree angles, each splitting into two curved
>lines) as a symbol for computer viruses. The meaning is reasonably
>unambiguous -- there is very likely not any literal biohazard
>associated with a computer diskette.

No offense, but this is a terrible and dangerous idea. The whole point of a distinctive biohazard symbol is so that people will notice it and take appropriate action. If it becomes something that is just seen around casually, and has multiple meanings, it will completely lose its impact.

<-> Bruce Carter, CBI Product Development           bcarter@claven.idbsu.edu
    Simplot/Micron Instructional Technology Center  amccarte@idbsu (Bitnet)
    Boise State University, Boise, ID 83725         (208)385-1851@phone

------------------------------

Date: Tue, 14 Apr 92 20:15:00 -0400
From: HAYES@urvax.urich.edu
Subject: new version of virx available (PC)

Hello. I am pleased to announce the availability of FTP processing of the new version of VIRX, as VIRX22.ZIP. Following is the announcement sent (with the file) by C. Glenn Jordan of the Microcom team. Thanks Glenn!
Best to all, Claude.

- ---- begin forwarded message --

Announcing a new release of VIRx !
----------------------------------

Microcom, Inc. and Ross Greenberg are proud to release the 2.2 version of the VIRx anti-virus scanner. As always, it detects the vast majority of known MS-DOS viruses. This version detects 126 new ones, for a total of 852 signatures.

It does not disinfect or provide integrity checking like our commercial VIREX for the PC product suite, and Microcom does not provide any support to VIRx users. However, it is free for individual or educational institution use. It is not shareware.

It is available from the usual Anti-Viral FTP sites, CompuServe, GEnie, Fido-Net and our own support BBS at (919) 419-1602 v.32bis.

Below is the archive VIRx22.ZIP's contents as distributed:

 Length  Method   Size  Ratio   Date    Time   CRC-32   Attr  Name
- ------  ------  -----  -----   ----    ----   ------   ----  ----
    911  Implode   554   40%  04-14-92  00:00  b5493a3a  --w  $TOC
   7129  Implode  2615   64%  04-14-92  00:00  505730b1  --w  VIREX.TXT
  13184  Implode  5516   59%  04-14-92  00:00  f79005aa  --w  README.VRX
 122062  Implode 68062   45%  04-14-92  00:00  f039a06d  --w  VIRX.EXE
  13184  Implode  5114   62%  04-14-92  00:00  bc4cc488  --w  OLD_NEWS.TXT
   3456  Implode  1606   54%  04-14-92  00:00  bff8714c  --w  WHATSNEW.22
- ------          -----  -----                                  -------
 159926          83467   48%                                   6

We are grateful for the continued support of the anti-virus community.

C. Glenn Jordan and the VIREX PC Development Team

- ----- end forwarded message --

Site: urvax.urich.edu, [141.166.1.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu      (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 90]
*****************************************
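Two of the questions in this digest, Terry Reeves asking for a good integrity checker and Mark Aitchison asking about a boot sector whose first byte had turned to zero while the rest stayed intact, come down to the same defensive check: keep a trusted baseline of each critical object and report exactly what changed. The block below is an added example written for this digest, not a tool any of the posters mention or describe. The boot sector image is constructed for the example; the one structural rule the code relies on is the standard layout of a DOS boot sector (it begins with a JMP, opcode EB or E9, and ends with the 55 AA signature), and the hashes it stores are SHA-256, chosen here rather than anything the digest specifies.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
JUMP_OPCODES = (0xEB, 0xE9)     # short / near JMP: what a DOS boot sector starts with

def validate_boot_sector(sector: bytes) -> list:
    """Structural sanity checks; returns human-readable findings (empty list = looks OK).
    Catches the case from the question: byte 0 changed, everything else intact."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("length %d, expected %d" % (len(sector), SECTOR_SIZE))
        return findings
    if sector[0] not in JUMP_OPCODES:
        findings.append("first byte %02X is not a JMP opcode (EB/E9)" % sector[0])
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("missing 55AA boot signature")
    return findings

def diff_offsets(baseline: bytes, current: bytes) -> list:
    """Offsets at which two equal-length images differ (what to show the analyst)."""
    if len(baseline) != len(current):
        raise ValueError("images differ in length")
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]

def snapshot(objects: dict) -> dict:
    """Baseline: name -> SHA-256 hex digest of the object's bytes.
    This is the record an integrity checker stores on trusted media."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in objects.items()}

def verify(objects: dict, baseline: dict) -> dict:
    """Compare the current objects against a baseline; returns name -> status."""
    report = {}
    for name, data in objects.items():
        if name not in baseline:
            report[name] = "new"
        elif hashlib.sha256(data).hexdigest() != baseline[name]:
            report[name] = "MODIFIED"
        else:
            report[name] = "ok"
    for name in baseline:
        if name not in objects:
            report[name] = "missing"
    return report

def make_sample_boot_sector() -> bytes:
    """Constructed DOS-style boot sector: JMP +3Ch, NOP, OEM name, zero-filled body, 55AA."""
    body = b"\xEB\x3C\x90" + b"MSDOS5.0"
    body += b"\x00" * (SECTOR_SIZE - len(body) - 2)
    return body + BOOT_SIGNATURE

CLEAN_SECTOR = make_sample_boot_sector()
# Constructed reproduction of the reported symptom: only byte 0 altered.
ZEROED_FIRST_BYTE = b"\x00" + CLEAN_SECTOR[1:]

if __name__ == "__main__":
    # Constructed file contents stand in for real system files.
    baseline = snapshot({"boot sector": CLEAN_SECTOR, "COMMAND.COM": b"constructed-contents"})
    now = {"boot sector": ZEROED_FIRST_BYTE, "COMMAND.COM": b"constructed-contents"}
    print(verify(now, baseline))
    print(validate_boot_sector(ZEROED_FIRST_BYTE))
    print("changed offsets:", diff_offsets(CLEAN_SECTOR, ZEROED_FIRST_BYTE))
```

The hash comparison answers "did it change?"; the byte-level diff and the structural check answer "how, and does the result still boot?". A single changed first byte leaves the 55AA signature intact, so only the opcode check flags it, which is why an integrity checker should keep the full trusted image of the boot sector and not just its hash.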