Return-Path: Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA10687; Thu, 23 Apr 92 22:40:18 +0200 Message-Id: <9204232040.AA10687@abacus> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 0736; Thu, 23 Apr 92 16:33:32 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 3158; Thu, 23 Apr 92 16:33:13 EDT Date: Thu, 23 Apr 1992 16:18:38 EDT Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #94 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: R VIRUS-L Digest Thursday, 23 Apr 1992 Volume 5 : Issue 94 Today's Topics: Reading on Novell & virus defenses (PC) DIR-2 virus help needed (PC) Re: Which Package is Best? (PC) Re: Misinfo detected, A/R/ or name a Bulgarian virus (PC) Re: Misinfo detected, A/R/ or name a Bulgarian virus (PC) Impossible error occurred in SCANV V89B (PC) I've been hit by a slooowing virus - have you ? (PC) HTSCAN17.ZIP - HTScan virus scanner v1.17; needs VSIGyy##.ZIP (PC) Update to Product Test PT-28, NAV, version 2.0 (PC) Product Test # 52, VirusClean, version 2.15 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 22 Apr 92 14:36:07 -0400 From: "Tarkan Yetiser" Subject: Reading on Novell & virus defenses (PC) Novell's Netware Application Notes dated March 1992 contained an excellent article titled "Detecting Viruses in the Netware Environment" by Mr. Morgan B. Adair. It is a realistic overview of the virus problem as far as Netware LANs are concerned and provides useful info on many issues such as why boot sector infector cannot infect the server from a workstation, and describes a scenario a LAN admin may face. It also includes a section titled Prescriptions. Although concise and well-done, the article seems to underestimate the trouble a LAN admin can get in if a virus manages to infect commonly used apps on the server. Downtime in such cases are usually longer than just an hour or two, not because the server recovery takes long but because of the fear and confusion it entails. It is usually difficult to contain the spread in networked environments because the number of virus entry points are numerous, not because the server cannot be cleaned easily. Reinfection is a bigger problem in such cases. Anyway, interested individuals are encouraged to read the mentioned document at their convenience. Here are some specific comments on the article: On page 7: "Some viruses also infect overlay files (.OVL) or the hidden DOS system files (IBMBIO.SYS and IBMDOS.SYS or IO.SYS and MSDOS.SYS)." Comment: This is a little misleading. It is not common for DOS viruses to target hidden DOS system files. In fact, they are avoided. BTW, it is IBMBIO.COM and IBMDOS.COM on many systems. On page 10: "Resident Above Top of Memory, but Below 640K. A large number of viruses place themselves resident at the top of memory, just below the 640K boundary. They then redirect BIOS interrupt 12h, which reports the total amount of conventional memory available in the system." Comment: Most viruses do not hook Int 12h for such a purpose. Many boot sector infectors simply reduce the value at 40:13, which contains the base memory size. File infectors remain resident by directly manipulating DOS memory control blocks to protect themselves. This, again, does not require hooking Int 12h. On page 18: "If you suspect a virus infection: Do not log in as SUPERVISOR. Power off the suspect machine. ... " Comment: Although, this advice is reasonable, a better approach exists. Creation of an account, say HUNTER, which has only FILESCAN and READ rights on every file in every directory. HUNTER can safely scan the whole server even when his workstation is infected, and the virus is active. Since HUNTER cannot write to any executables, the virus cannot spread. Non-Malicious Hackers (NMHs) take note: The article also mentions a program, rather an NLM, that provides integrity checking for Netware servers. The source code (in C) is supposedly available by mailing in a card. Regards, Tarkan Yetiser VDS Advanced Research Group P.O. Box 9393 (410) 247-7117 Baltimore, MD 21228 e-mail: tyetiser@ssw02.ab.umd.edu ------------------------------ Date: Wed, 22 Apr 92 13:38:16 +0500 From: Harold Sanchez Subject: DIR-2 virus help needed (PC) Some of our PC compatibles have been infected by DIR-2 virus. It was detected with SCAN86 but not cleaned. Attempts to clean with SCAN86 damaged more files. What can we do? Please e-mail directly. Thanks for any help. Harold Sanchez Unidad de Investigacion y Desarrollo - DOT - San Pedro Instituto Costarricense de Electricidad Apartado 10032 San Jose COSTA RICA Fax (506) 245980 BITNET: hsanchez@ucrvm2 X.400 : C=ch;A=arcom;P=itu;O=rpoa;OU1=ctr;OU2=ice;S=sanchez;G=harold ------------------------------ Date: Wed, 22 Apr 92 23:19:44 +0300 From: Tapio Keih{nen Subject: Re: Which Package is Best? (PC) >I'm looking for anyone who's used/heard of two packages: > >F-PROT for PCs I can really recommend F-PROT. I just tested several scanners against my virus collection and F-PROT 2.03a catched almost all of them (98%). Dr Solomon's Anti-Virus Toolkit 5.56 detected only one virus less than F-PROT though. (Disclaimer: Frisk or Solomon didn't pay me to say this:-) - -- Tapio Keihanen, Mesiheinankatu 2 B 6, 33340 Tampere, Finland | Rare/unique Dio Internet: tapio@nic.funet.fi Tel. +358-31-432478 (evenings) | records wanted! ------------------------------ Date: Wed, 22 Apr 92 22:52:23 +0000 From: comb@sol.acs.unt.edu (Eric N. Lipscomb) Subject: Re: Misinfo detected, A/R/ or name a Bulgarian virus (PC) {Author's note: >> = Vesselin Bontchev > = Tarkan Yetiser everything else is mine} >> Re-sigh... It'd better be a joke... :-( I donloaded the package >> and took a look at it. Gosh, I had to set up a special system just to >> install it! The damn thing is not compatible with Sacker, SuperStor, >> Disk Manager, any disks containing non-dos partitions, produces memory >> faults with DR-DOS loaded high on a 386, etc... > The SPECIAL system is standard MS/PC DOS based PCs most people >use. They are prepared using FDISK, and are not compressed or protected by >an exotic security system. You seem to argue by the exception rather than >the rule :-) I must disagree with you on this point, Tarkan. More and more users in the Intel world are using the items Vesselin mentioned and many others. In fact, what you claim as a "standard" PC system is becoming an endangered species. (I love this part:) >Sure, VDS is not for everyone. It sure is the >strongest software solution available, maybe not as convenient as some >other packages with flashy user interfaces. Not as expensive either :-) How can your software package be the strongest software solution available, yet not be for everyone? It seems to me that you may have a very good package for a limited user base, but if it can't be run on every system configuration that someone might use, it's not a really viable package in the current market. I can (for example) user F-Prot, which works under every setup I've been able to throw at it, and I can use it for FREE! As far as I can tell, because I haven't taken the time to test it, your program may be just as effective as F-Prot, yet you imply it's better because it won't run on my Stacker-ed hard disk, and F-Prot will. Sorry, I can't buy that. >And if you repartition the hard drive, re-installation is a safe bet. >On alike machines, it may work fine, but why not install it as intended. I'll give you a darn good reason: computer-phobic students. I pass out F-Prot to any student who wants it that comes into my lab, and they *very simply* go home and copy it on their hard disk. Boom. I even wrote a thorough stupid- user batch file for installation for those kids who don't even know how to do a directory on their computer at home. What's the point in doing backups of your software if you have to reinstall packages every time you make a change on your hard disk or it crashes and you get to start from scratch? I'm sorry, but I just can't see using a program that has limited use on different hardware/software/OS configurations and recommends reinstallation (not a trivial task from the description I read) any time a change is made. I hope you and your organization rethink your approach. }lips - -- Eric N. Lipscomb, Lab/Network Manager Academic Computing Services Email: comb@sol.acs.unt.edu "Golf is something you do to make lips@vaxb.acs.unt.edu the rest of your life look good." lipscomb@cc1.unt.edu -- Phil Baczewski ------------------------------ Date: Thu, 23 Apr 92 02:12:50 +0000 From: 007 Subject: Re: Misinfo detected, A/R/ or name a Bulgarian virus (PC) TYETISER@ssw02.ab.umd.edu (Tarkan Yetiser) writes: > bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes >> Subject: Re: New Anti-viral ... (PC) >> TYETISER@ssw02.ab.umd.edu (Tarkan Yetiser) writes: >> Re-sigh... It'd better be a joke... :-( I donloaded the package >> and took a look at it. Gosh, I had to set up a special system just to >> install it! The damn thing is not compatible with Sacker, SuperStor, >> Disk Manager, any disks containing non-dos partitions, produces memory >> faults with DR-DOS loaded high on a 386, etc... > The SPECIAL system is standard MS/PC DOS based PCs most people >use. They are prepared using FDISK, and are not compressed or protected by >an exotic security system. You seem to argue by the exception rather than >the rule :-) In my experience, these "exceptions" are the rule with people who use virus protection. If a user has the experience/presence of mind to install virus protection, I'd give good odds he/she is a fairly advanced user, and may well have Stacker, DR-DOS, NDOS, $DOS, or any of a number of "exceptions" which make a PC easier to use. What if a user shells to DOS from Windows and tries to use your program? > If you have DR-DOS, Stacker, or some other non-standard stuff on your >machine, please do not waste your time, VDS is not for such systems. This is quite apparent. It seems to make poor economic sense to limit the compatibility of your product so tightly. You had some good ideas, it is a pity those who are best suited to use them can't. >> Besides, the decoys seem to be launched only in the root directory, so >> it's pretty easy to program the virus to avoid them. > Aha, a direct attack. Yes, you are correct, that is always possible. Vesselin seems to have been a bit unfair here. It is a given that a virus can be written to evade any given detection scheme it knows about. But we have so many virus detection methods that is seems impossible to write a common virus that will evade ALL detection schemes. I really like your idea of launching "decoys". I use this quite a bit to see if my system is infected. If I think I might have a virus, I pop in a diskette which has been newly formatted or wiped clean, which has a 4 byte .COM file on it that does nothing but terminate. If I notice any changes in the file (after rebooting from a know clean disk, of course) odds are I have both proof of viral activity, and a clean copy of the virus for analysis. This method is far from foolproof, it is merely another layer in my virus defense armada. (Scanners, heuristics, TSR virus interceptors, integrity checkers, and common sense.) For example, Cinderella won't infect my file since it is less than 390 bytes long. Here is the tiny file, uuencoded, for any who wish to use this method of virus detection. - -----Cut Here------ begin 400 infectme.com $M$S-(0"; end - -----Cut Here------ -- 007 - -- 000 000 7777 | sbonds@jarthur.claremont.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Just say NO to Quantum Mechanics 000 000 7 | ------------------------------ Date: Thu, 23 Apr 92 10:53:31 +0000 From: berg@physik.tu-muenchen.de (Stephen R. van den Berg) Subject: Impossible error occurred in SCANV V89B (PC) I don't really know where to send the report, here seems like a good place. The other day, scan v89b reported something like: Impossible error occurred: Error number 4494 And it immediately aborted. Well, normally, I would not be so picky, but since it is a virus scanning program, I'd very much like to know what this supposedly impossible error is all about? Anyone from McAfee who cares to comment about this? In case it helps, it was a 80286 running MSDOS 5.0 - -- Sincerely, berg@messua.informatik.rwth-aachen.de Stephen R. van den Berg (AKA BuGless). berg@physik.tu-muenchen.de Real programmers don't just die, they produce core dumps. ------------------------------ Date: Thu, 23 Apr 92 17:56:56 +0000 From: sl@sun.central-services.umist.ac.uk (Stuart Lea) Subject: I've been hit by a slooowing virus - have you ? (PC) I've been hit by a virus that slows my PC down to almost the speed of an XT ! It happened at 17:30 (ish) Thursday 23rd April GMT to two other machines as well. Scan 89B was not able to detect it. After a while it disappeared totally (I hope) help ! - -- Stuart Lea------------Tel:+44 61 200 4768------Fax:+44 61 200 4019------------ JANET: sl@uk.ac.umist.cns UMIST University, INTERNET :sl%cns.umist.ac.uk@nsf-relay.ac.uk B18, Main Bldg., PO Box 88 ------------------------------ Date: Thu, 23 Apr 92 03:42:14 -0400 From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers) Subject: HTSCAN17.ZIP - HTScan virus scanner v1.17; needs VSIGyy##.ZIP (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil: pd1: HTSCAN17.ZIP HTScan virus scanner v1.17; needs VSIGyy##.ZIP VSIG9204.ZIP Virus signatures for HTSCAN/TBSCAN - 920412 Please note there was a version number mismatch in the description of the previous version of HTSCAN (it read 1.6 and should have been 1.16). Here is an excerpt from the `whatsnew.doc': Version 1.17 (April 1992) - - Starting with version 1.17 HTScan will be available in several languages. - - With /$? it is possible to get help for the advanced options. - - A new option /$M has been introduced. With this option you can specify a directory to which infected files should be moved. - - An other new option /$U has been introduced for running unattended. When used HTScan will not ask whether a file should be moved, renamed or deleted. - - The boot-record markers are no longer checked. This will eliminate the high number of warnings about an unusual boot-sector. - - HTScan now supports AVR's (Algorithmic Virus Recognition) modules. - - HTScan will use the new ADDNSIGS.DAT file. - - HTScan now check's the checksum in VIRSCAN.DAT - - HTScan now supports external compressed file signatures in the file COMPRSCA.DAT - - HTScan will abort with errorlevel 75..99 if a run-time error occurred. - - It is now possible to generate a more accurate message with the first character of the signature. - - - o _ _ _ _ _ voice: +31-2522-20908 (19:00-24:00 UTC) / (_' | (_) (_' | | snail: P.S.O. __/ attn. Jeroen W. Pluimers P.O. Box 266 jeroenp@rulfc1.LeidenUniv.nl 2170 AG Sassenheim jeroen_pluimers@f521.n281.z2.fidonet.org The Netherlands ------------------------------ Date: Fri, 03 Apr 92 09:01:51 -0700 From: Chris McDonald ASQNC-TWS-R-SO Subject: Update to Product Test PT-28, NAV, version 2.0 (PC) ******************************************************************************* PT-28 February 1991 Revised March 1992 ******************************************************************************* 1. Product Description: Norton AntiVirus is a virus protection utility for the IBM PC and its compatibles. The product includes virus detection, disinfection, and protection. This revision addresses version 2.0. 2. Product Acquisition: Norton AntiVirus is available from Symantec Corporation, Peter Norton Group, 10201 Torre Avenue, Cupertino, CA 95014-2132. The retail price is $129.95; but there are numerous secondary sources with single copy prices that have ranged from $78.00 to $83.00 in trade publication advertisements. Site licenses are also available. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. 4. Product Test: a. I acquired version 1.0 in December 1990 for $83.00 from Telemart in Phoenix, Arizona. As a registered user, Symantec Corporation sent a free upgrade to version 1.5 in September 1991. I acquired version 2.0 in January 1992 for $29.00. [Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in the pub/virus-l/docs/reviews directories.] ------------------------------ Date: Thu, 09 Apr 92 10:52:49 -0600 From: Chris McDonald ASQNC-TWS-R-SO Subject: Product Test # 52, VirusClean, version 2.15 (PC) ******************************************************************************* PT-52 April 1992 ******************************************************************************* 1. Product Description: VirusClean is a viral detection and disinfection program for IBM personal computers or compatibles. This product test addresses version 2.15, February 1992. 2. Product Acquisition: VirusClean is available from Computer Consulting Group, Inc., 1130 Old Highway 99 South, Ashland, Oregon 97520. The telephone number is 503-488-3237. The program cost is $99.00 for a single copy. Site licenses are available. The copyrighted author of VirusClean is Joe Hirst, Thecia Systems Ltd. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. 4. Product Test: a. I acquired VirusClean, version 2.15, directly from Computer Consulting Group, Inc., by answering a special offer to acquire the program for $49.00 which would include updates for 1 year. This represented a $50.00 saving over the normal advertised cost. [Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in the pub/virus-l/docs/reviews directories.] ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 94] *****************************************