Return-Path: Received: from IBM1.CC.Lehigh.EDU by abacus.HGS.SE (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA07225; Fri, 26 Jun 92 02:10:44 +0200 Message-Id: <9206260010.AA07225@abacus.HGS.SE> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 6722; Thu, 25 Jun 92 20:04:06 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 7611; Thu, 25 Jun 92 20:03:52 EDT Date: Thu, 25 Jun 1992 19:53:17 EDT Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #121 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: RO VIRUS-L Digest Thursday, 25 Jun 1992 Volume 5 : Issue 121 Today's Topics: re: Viruses, Anti-virals, & change (PC) Re: VIRx version 2.3 released (PC) re: Hardware protection (PC) Re: Zipped Viruses (PC) Scanners & Integrity Management (PC directed but not specific) HDTUNE.ZIP trojan (PC) NAV killed, etc (PC) Vshield 91 locks up windows 3.1 (PC) Re: mutating - polymorphic (PC) re: Scanning for encrypted viruses F-PROT 2.04a released (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 24 Jun 92 23:19:00 +0100 From: Anthony Naggs Subject: re: Viruses, Anti-virals, & change (PC) A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) says: >Getting back to the original subject, scanners have been called "flawed" for >a 95+% detection rate. To me this is acceptable because there is another means >for achieving 100% every time. Once you know that "something" has happened, >all else falls out. The hard part is being able to say "This is enough". Remember scanners have applications where nothing else will do: 1. Vetting of incoming software before use, some destructive viruses can cause damage the very first time their run. 2. Identifying the cause of a suspected intrusion. I expect to see some products attempt exact identification of viruses found before the end of the year. 3. Trace back of the virus's propagation, by identifying media and PCs where the same strain of virus is present. Regards, Anthony Naggs Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk Janet: amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn ) or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 ) ------------------------------ Date: Wed, 24 Jun 92 23:20:00 +0100 From: Anthony Naggs Subject: Re: VIRx version 2.3 released (PC) I think I ought to maintain my reputation, such as it is, by explaining my recent errors. Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) says: > > AMN@VMS.BRIGHTON.AC.UK (Anthony Naggs) writes: > > > Vesselin you are over looking the fact that there are already 2 > > versions of MtE in circulation, one ('0.92' I think) is found on > > "Dedicated" & "Fear" and the other ('0.90') is on "Pogue". I have > > only looked at the one on "Pogue" so far, and around 20% of the files > > I infected were corrupt. > > No, all the three viruses - Dedicated, Fear, and Pogue use one and the > same version of MtE - 0.90-beta. Look at the code and you'll see that > I am right. ... I apologise for my slightly confused recollection of, (virus-l digest v5 #31): >Date: 10 Feb 92 20:40:23 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: DAV/Sourcer/Rape (PC) > [... stuff deleted ...] > > .., but the source of the Mutating Engine (called MtE) is not >provided. According to the docs, what we have is version 0.90-beta of >the MtE, but version 0.91 is also known to exist... I'm wondering what >will be implemented more in version 1.00... :-((( Having only looked at Pogue so far, I drew the incorrect inference that the later MtE version exists in Fear &/or Dedicated. > ... If Pogue destroys some files, the reason is that the virus > is buggy, not the MtE. MtE has another bug - that in about 10% of the > cases it produces non-encrypted mutations. It is the MtE generated decryptor that is corrupt - I can see no way in which any code in Pogue, other than the MtE, could be causing this effect. > > If the MtE detection tests that you are performing are going to be of > > relevance you will need to test for the variations produced by "Pogue" > > as well. > > I am testing the scanners for detection of MtE-based viruses. > Therefore, it doesn't matter what virus I am using for the tests > (except in the case of the non-encrypted mutations). If Pogue is buggy > and damages some of the infected files, then this is yet another > reason not to use it for the tests ... My assertion was based upon my reliance on Vesselin's previous claim of multiple versions of MtE, in which case viruses using all versions would need to be tested. Regards, Anthony Naggs Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk Janet: amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn ) or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 ) ------------------------------ Date: Wed, 24 Jun 92 23:21:00 +0100 From: Anthony Naggs Subject: re: Hardware protection (PC) Raju M. Daryanani (raju@dcs.qmw.ac.uk) says: > In recent weeks I've been seeing a growing number of advertisements > for boards that plug into PCs and supposedly protect the machine not > just from currently known viruses, but from viruses that have not even > been written yet. The latest board I've come across is from Certus > and is called Novi (or something like that). ... Certainly a number of protection techniques are made possible or more reliable by using an add-in adapter card. For example the program ROM on such a card has an opportunity to execute before the PC boots, virtually assuring a virus free environment. I don't know anything about Certus's product, but I expect Joe Wells will illuminate us all. > ... The first such hardware > device I came across last year claimed that it monitored the bus for > virus activity at all times & hence stopped them from working. In > discussions with some other persons who were interested in stopping > viruses we came to conclusion that as far as detection of new viruses > was concerned this claim was a load of crap. ... Sounds like the "Knoxcard", which is imported into the UK by a company which seems to have little technical understanding of viruses or the operation of their product. > ... To me these boards seem > especially vulnerable since a virus writer who had access to one can > specifically write his virus to detect the presence of the board and > circumvent it. At the software level it is simlar to a virus writer who has access to an anti-virus software product, his virus could equally detect that product and circumvent it. Practically such a card has several advantages, in this respect at least: relatively few of any one type of card will be in use (price & production limits), so the virus writer is unlikely to have the same type of card as you; the card may be bypassed but code cannot be easily patched, because it is in ROM; the card will always be run at the next re-boot, but software can be patched or deleted to prevent any further use. > Since I'm no expert on viruses, just someone who's has enough problems > with them already, I was wondering what those more knowledgeable about > viruses than me think about these boards. I am interested enough to be experimenting with such boards, which I hope to show to potential evaluators in a month or two, for comment as to which features ought to included in a production edition. Prefered criteria for such evaluators: UK based (allows me to visit and/or provide telephone support); testing on "vulnerable" PCs where there is a high probability of encountering wild viruses, eg students pools at universities. Regards, Anthony Naggs Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk Janet: amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn ) or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 ) ------------------------------ Date: Thu, 25 Jun 92 10:59:12 +0200 From: Magnus Olsson Subject: Re: Zipped Viruses (PC) bontchev@fbihh.informatik.uni-hamburg.de writes: >magnus@thep.lu.se (Magnus Olsson) writes: >> this one. IMHO, exaggerating the dangers of, say, stealth viruses is >> potentially dangerous, as it may lead to exaggerated actions by people >> who believe they're infected - such as people throwing away SCANV >> because hey've heard somewhere that "scanners are dangerous". > >They are correct to throw it away - not because "scanner are >dangerous", but because "scanners alone do not provide a sufficient >level of protection". A multi-level defense must be used, with the >accent made on the integrity checking. Well, in that case, it is not "correct to throw it away", is it? If they are to use a multi-level defence, shouldn't they keep the scanner anyway, as one component of the multi-level defence? (This doesn't mean that I disagree with your earlier conclusions) - -- Magnus Olsson | \e+ /_ Dept. of Theoretical Physics | \ Z / q University of Lund, Sweden | >----< Internet: magnus@thep.lu.se | / \===== g Bitnet: THEPMO@SELDC52 | /e- \q ------------------------------ Date: Thu, 25 Jun 92 08:30:15 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Scanners & Integrity Management (PC directed but not specific) >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: Viruses, Anti-virals, & change (PC) >padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes: >2) "The only way to achieve 100 % detection of all possible viruses is >through integrity management." Unfortunately, this is not true. There >are several kinds of attacks against the integrity checking software. Vess: The integrity management I was talking about includes knowlege of what the processor memory is supposed to look like as well as the programs. >> Meanwhile, the scanners are recognizing this. Frisk's heuristic analysis and >> McAfee's /AF and /CERTIFY switches are good examples. More and more good >Frisk's heuristic analyzer has nothing to do with integrity management >- - it is just a scanner which scans for particular (not virus-specific) >pieces of code. McAfee's implementation of /AF is insecure and can be >bypassed by any attack against an integrity checking program I can >think of. Here, I was referring to an encouraging trend, not the current products. The anti-viral product vendors are evolving, I agree they are not there yet, but are now going in the right (IMHO) direction. >> systems first determine that *something* has happened before trying to >> determine *what*. Again, this includes memory changes as well as program. For the so-called "slow infectors" to infect-on-creation, they must be memory resident and *that* can be detected. Also, again IMHO viruses, at least of the kinds we know about, are not much of a threat to a vigilant system even now. However, I agree that it is possible to defeat any known system, but today the "bad guys" are less likely to use a virus than a worm, trojan, or directed attack. The *children* will continue to play with viruses but what I am concerned about are professionals. (note: please remember that I live in a "different" environment). Warmly, Padgett ------------------------------ Date: Thu, 25 Jun 92 10:35:02 -0500 From: Eric Carlson Subject: HDTUNE.ZIP trojan (PC) Someone uploaded a small program called HDTUNE.ZIP to our BBS. The program is supposedly a hard drive optimizer but it is only about 4.K, so it is obviously not a normal hard drive optimizer. Scan v.91 and F-prot 2.04 (Secure and Heuristic) don't flag it as anything. A user downloaded it and tried it, and it erased his hard drive. He has no fragmented files now, but that is not how he expected it to happen. After hearing this, I removed the file and looked at it. The EXE file contains the text "Ok, asshole. Your dead." This program should probably be detected as a Trojan horse. - Eric Carlson - Microcomputer Software Support - - Northern Virginia Community College System - - NOVA BBS 703-323-3321 - 14,400 BPS - - MY OPINIONS ARE MY OWN, AND NOT THOSE OF MY EMPLOYER - ------------------------------ Date: 25 Jun 92 15:25:34 +0000 From: chhibber@andromeda.rutgers.edu (Vern Chibber) Subject: NAV killed, etc (PC) Hi! Last night I was trying to install windows on my 386-40MHz and I came across a very interesting dilema. It ran the first time without a problem. The second time it told me that win386.exe was corrupt. I run NAV.EXE (Norton Anti Virus) and it said that it was corrupt too. I downloaded another copy from a friend and the file increased by 1808 bytes. I copied it to another directory and it increased by another 1815 bytes. I copied it over twice more and the size stayed the same. Also, my machine appeared to slow down somewhat. I also got a rectangle 6 lines by 12 rows of a different color on the screen. This box also moved the text above it by a few lines. I'm not really sure what this is. Sounded like a virus to me so I just wanted to check. This happen to anybody anytime? I would appreciate any help. Thanks in advance. ------------------------------ Date: 25 Jun 92 16:29:28 +0000 From: geri.finkelstein@amail.amdahl.com Subject: Vshield 91 locks up windows 3.1 (PC) > I am experiencing a lockup of windows 3.1 when version 91 of McAfee > VSHIELD is installed on my 386. VSHIELD is being installed in > autoexec.bat with /windows option. Norton Desktop V1.0 has *known* problems similar to what you describe when it is running under win3.1. Try changing back to the Windows program manager and see if that helps, however, Ross' best bet is to upgrade to Norton Desktop V2. Geri Finkelstein Business Systems Analyst The opinions stated here are my own. ------------------------------ Date: Thu, 25 Jun 92 22:09:32 +0000 From: duck@frcs.Alt.ZA (Paul Ducklin) Subject: Re: mutating - polymorphic (PC) Thus spake KARGRA@GBA930.ZAMG.AC.AT: >How about dropping scanstrings of old viruses, which are not likely to >reappear again? Just like in medicine: if the is an illness which >disappeared, why waste more serum than necessesary? In Africa, one required smallpox jabs long after the last recorded case had faded from people's memories. Of course, not long after everyone had finally stopped asking you to show innoculation certificates at their border posts, along comes a scare: someone who had recently holidayed in Borneo, or somewhere, had been admitted to hospital with the dreaded smallpox! Probably an urban legend, but there you are. Anyway, towrards the end of 1990, the Harare (or Superhacker) virus popped up in Harare, Zimbabwe. Although it apparently turned out to have been written in Scotland (isn't epidemiology wonderful..), the virus got the name Harare from its first reported appearance. This is a poor virus: run an infected file and you'll instantly see the virus ask you to Insert diskette for drive B:, then drive A:. Only on a twin floppy system could this thing get anywhere. This was a flash in the pan; a virus doomed to extinction. A year later, it resurfaced in Johannesburg, South Africa (1200km South of Harare). Presumably some happy-go-lucky schoolboy virus collector let it escape from his butterfly jar in a class lab filled with twin-floppy PCs. So much for extinction.. Still, dropping (or at least having an option to drop) "old" viruses might not be a bad idea. Lots of support calls I get revolve around users who take fear at the sight of "extinct" viruses reported by their favourite scanner. We've had some pretty rare viruses around theses parts of late -- all false alarms, of course. Naturally, the apparent rarity of such "viruses" only serves to convice users that it is to be expected that the other n pirated scanners they have should miss the virus. After all, doesn't "rare" have something to do with "hard to find"... Anyway, here's another feather in Vesselin's "integrity checker" cap. Paul Ducklin Somewhere near the middle of the City of Pretoria South Africa ------------------------------ Date: Wed, 24 Jun 92 23:18:00 +0100 From: Anthony Naggs Subject: re: Scanning for encrypted viruses Raphael Finkel (raphael@ms.uky.edu) says: > If a virus encrypts itself by a variable key that is a single byte, and > uses that byte to xor its code, then the xor of adjacent bytes of its > code is unaffected. > > So a 'first-derivative' scan string could contain not the bytes of the > virus, but the xor of adjacent bytes of the virus. This scan string > would still be very virus-specific, but would be encryption-invariant. > If the key is longer than a byte, the same idea works, with appropriate > adjustments. This is a good idea, and may aid some scan algorithims, unfortunately very few viruses use such a simple encryption. So far as I can recall, for all viruses where this may be applied the actual decryption code is relatively easy to scan for. Also this technique may be more susceptible to giving false alarms, (the domain of matching byte sequences is larger). Regards, Anthony Naggs + "Curiouser and curiouser!" cried Alice (she + was so much surprised, that for a moment she Email: amn@vms.brighton.ac.uk + quite forgot to speak good English). or xa329@city.ac.uk + - Alice's Adventures in Wonderland ------------------------------ Date: Thu, 25 Jun 92 14:19:58 +0700 From: frisk@complex.is (Fridrik Skulason) Subject: F-PROT 2.04a released (PC) Because of a few minor problems with version 2.04, I have released a minor update, named 2.04a. It is not necessary to upgrade, as the problems are relatively minor, but I would recommend it though. The problems were: Virstop could not be installed with the "Install" option, but had to be copied to the target directory. The program would occasionally report that files infected with certain variants of the Dark Avenger, SVC, Cascade and V2Px families had been modified, by adding some extra bytes to the end. This had no effect on detection/removal of the viruses, however. The virus information database was fixed a bit - sometimes the names used there did not correspond exactly with the names the scanner reported, for example "SADAM" and "SADDAM". I just uploaded FP-204A.ZIP to my usual archive sites: 141.210.10.117 oak.oakland.edu 129.109.9.21 eugene.utmb.edu 192.88.110.20 wsmr-simtel20.army.mil However, the programs might not be avaialble for downloading, until they are moved to their proper directories by the archive administrators. FP-204A.ZIP contains the following files: Length Method Size Ratio Date Time CRC-32 Attr Name ------ ------ ----- ----- ---- ---- ------ ---- ---- 3791 Implode 2233 42% 14-06-92 14:11 6426f8dd --w NEW.204 110703 Stored 110703 0% 25-06-92 10:55 90bb814e --w F-PROT.EXE 12799 Implode 8832 31% 25-06-92 10:53 676f5ba3 --w VIRSTOP.EXE 58 Stored 58 0% 03-04-92 08:22 76a33484 --w F-TEST.COM 22337 Stored 22337 0% 25-06-92 08:52 90880125 --w SIGN.DEF 2220 Implode 1595 29% 31-03-92 23:34 03af3eea --w TROJAN.DEF 98706 Implode 83376 16% 25-06-92 10:52 6abd17a5 --w VIR-HELP.ENG 21162 Implode 18155 15% 25-06-92 09:16 2b057cf6 --w ENGLISH.TX0 3168 Implode 1640 49% 28-12-91 17:20 563cb2c5 --w READ_ME.DOC 10662 Implode 4381 59% 03-02-92 09:00 137ab957 --w VIRUS.DOC 9689 Implode 4131 58% 11-06-92 21:03 a6cfa065 --w SCAN.DOC 1631 Implode 1008 39% 03-04-92 10:33 1e1fa287 --w LANGUAGE.DOC 3087 Implode 1574 50% 30-12-91 09:10 f5d92b99 --w ANALYSE.DOC 2508 Implode 1351 47% 03-04-92 08:20 ae1c67dd --w VIRSTOP.DOC 2940 Implode 1572 47% 14-06-92 16:29 ce30f7d8 --w COMMAND.DOC 796 Implode 535 33% 27-02-92 09:38 f1651847 --w FUTURE.DOC 3469 Implode 1726 51% 28-01-92 14:38 9e2884af --w INSTALL.DOC 1302 Implode 848 35% 21-01-92 19:37 ced10744 --w PROBLEM.DOC 3107 Implode 1500 52% 03-04-92 10:38 de0db71c --w PRICING.DOC ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 121] ******************************************