From lehigh.edu!virus-l Thu Aug 13 23:18:47 1992 Date: Thu, 13 Aug 1992 15:50:40 -0400 Message-Id: <9208131902.AA05714@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: To: Multiple recipients of list Subject: VIRUS-L Digest V5 #139 Status: R VIRUS-L Digest Thursday, 13 Aug 1992 Volume 5 : Issue 139 Today's Topics: Re: Forward of Re: viruses (PC) Re: Troi Virus (PC) Re: F-PROT 2.04b? (PC) Request For Information (PC) Windows, Multitasking, & Viruses (PC) Running SCAN under OS/2 (Was: Re: Stone virus and OS/2. (PC) (OS/2)) Re: 4096 (frodo) false alarm? (PC) Re: 4096 (frodo) false alarm? (PC) Re: MS-DOS 6.0 with Anti-Virus ? (PC) I Need an unattended scanner (PC) f-prot 2.04c ??? (PC) Re: VM viruses from PCs (IBM VM/CMS) Re: VM viruses from PCs (IBM VM/CMS) Floptical Disk Update Re: Jerusalem virus (CVP) (c) Brain - part 1 (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: 11 Aug 92 08:37:34 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Forward of Re: viruses (PC) KARGRA@GBA930.ZAMG.AC.AT writes: >Eric Webb asked, if it would be a good advice, to use f-prot's tsr >under windows, too. I think yes, but don't know if it works. Did not >try it until now. Nope, it is not of much use. I am working on designing a Windows version of my F-PROT package, but the current VIRSTOP only works within DOS, not under Windows. - -frisk ------------------------------ Date: 11 Aug 92 08:41:21 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Troi Virus (PC) king@ug.cs.dal.ca (Brian David King) writes: >set to 00-02-80. Checking by hand, we found approximately 25 of these >files, yet scan only detected 17 infections. Is there any way of being >sure they are all removed? Sure...use a different scanner :-) :-) - -frisk ------------------------------ Date: 11 Aug 92 08:45:58 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: F-PROT 2.04b? (PC) PCOEN@drunivac.drew.edu (Paul R. Coen) writes: >I've only seen F-Prot 2.04b available at one or two sites, and no mention >of an official release. Does anyone know whether or not it's been officially >released? If not, what is it that those few sites are distributing? 2.04b is a real version, but it was never officially distributed, and should not be in general circulation. I sent a copy to a few users that encountered totally new viruses, that 2.04a could not handle, but I (by mistake) left a copy in the anonymous ftp directory on complex.is, and some people must have downloaded it from there. Anyhow, I just finished 2.04c (which I might release under that name or rename to 2.05).... - -frisk ------------------------------ Date: 11 Aug 92 09:30:51 +0000 From: ygoland@edison.SEAS.UCLA.EDU (The Jester) Subject: Request For Information (PC) I have recently joined this group and the Virus Research community in general and am looking for information regarding viruses, the more technical the better. More specifically, however, I am looking for information regarding the hardware level set up of the IBM pc. For example:Information regarding what interupts exist, what their location is, and what triggers them. The fundamentals behind the bios, the structure of a disk boot record, etc. Basically information regarding all the things viruses destroy or use to replicate themselves. I would ask for virus code but having seen what an irrational outbreak this causes, I will refrain (grin). Towards this end I have accessed all sites listed in the 'Anti-viral Documentation archive sites' I got from this list. I have amassed 4 megs of information and have reviewed all of it and have read in detail 90% of it (I should have the last few articles done by tomorrow). Unfortunatly there is a definate 'conspiracy of silence' in these papers as they regularly refuse to go into the sort of detail I need in order to write an anti-viral product. While the reasoning behind this may be that this also prevents me from writting a virus, I assure you that if this is the intention, its a futile one. But, from what I'v seen so far, this debate is a long winded one and has been re-treaded far to many times for me to seriously rehash it now. Suffice it to say that I am looking for more detailed information regarding encryptions used, modes of transportation, and most importantly:Specifics on IBM pc architecture. My goal is to determine the feasability of writting an active protection program which will be loaded before whatever os the 80x86 machine is running and act as a 'supervisior'. To this end I have nicknamed my idea TRON, based on the movie of the same name. Thank you for your time, Yaron (The Jester) Goland - -- The Jester "You can lead a herring to water, but you have to walk really fast, or he'll die."-Stolen from my Evil Mistress (TM) NWILSON@MIAVX1.ACS.MUOHIO.EDU ------------------------------ Date: Tue, 11 Aug 92 10:34:31 -0400 From: virus-l@lehigh.edu Subject: Windows, Multitasking, & Viruses (PC) >After asking for tech advice, I got the following answers on win3-l. >These make me think, that the danger of infections is not bigger >within windows than under plain dos. Though the claims of these >companies are still dangerous and produce a wrong sense of security. The danger of Windows infections lies not in Windows itself but in two other areas: 1) Windows will execute more files (extensions) than DOS 2) Windows will *hide* some activities from DOS that could include a virus. Of course the same holds true for a Unix or OS/2 "DOS box" or DesqView (which I use) or any other shell. Element 1 is a natural outgrowth of the fact that DOS will execute *anything* presented to it for execution, the .COM, .EXE, and .BAT convention is an easily modified function of COMMAND.COM not DOS. Element 2 is more subtle and deals with the fact that Windows (etc.) are more closely intertwined with DOS than any anti-viral product that I know of and can bypass the best current TSRs that I know of through use of the "undocumented" functions. For example, in one of my Desqview "windows" that I use for new files, it is necessary to reload the DOS level antivirus routines again inside the Window because they were "disconnected" when DesqView loaded. In the same manner, the best "tunneling" I have seen is QEMM's "stealth" mode of memory management - I only found out what was happening because one of my BIOS programs checks itself and found that its Int 13 access had been taken away from it ! NetWare loaded after anti-virus routines (since the best AV routines load from CONFIG.SYS or earlier, this is common) will "take away" network access making it easy to accidently run an infected file even though the user *knows* (s)he is runiing an AV product. IMHO, future AV products *must* cease to be "one-stop" loads and will require a load sequence starting with the BIOS, another from DOS, and a "reconnect/ verify" for each critical Window coupled with self-checking along the way. There are several interesting possibilities for this but again IMHO the dynamicism of the malicious software field makes it evident that what we consider "state of the art" today will be trivial tomorrow. Warmly, Padgett "Gauntlet" was the first of Clint Eastwood's comedies. ------------------------------ Date: Tue, 11 Aug 92 22:23:49 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Running SCAN under OS/2 (Was: Re: Stone virus and OS/2. (PC) (OS/2)) Hello John, REGY106@csc.canterbury.ac.nz (John, RegyTech Systems.) writes: > We have found the stoned virus on some of our dos pc's. So I >thought I would run scan over mine. I'm using OS/2 2.0 with a HPFS >disk. Scan found a file open and died. Is there a way around this? Try running SCAN with the /UNATTEND switch, this tells SCAN to skip over any files that are in use by another program and can not be shared (accessed) while in use. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | ObQuote: "Log... from Blammo" Santa Clara, California | | 95054-3107 USA | BBS (408) 988-4004 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | USR Courier DS 14.4Kb| or GO VIRUSFORUM ------------------------------ Date: 12 Aug 92 00:49:17 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: 4096 (frodo) false alarm? (PC) nyh@gauss.technion.ac.il (Nadav Har'El) writes: >is the way they return since I got the computer. Also, I used f-prot >after using scan ant it came to the same conclusions - frodo in >memory, but when rebooting from a clean diskette, there was no frodo >in memory but no files infected as well. I see two possibilities. Try running a scanner and scan all files, not just executables - you might have an "infected" data file - or a file that has been renamed. DOS reads data from the disk in whole sectors, and there is a possibility that you have a file that was infected once, it was cleaned, but a virus fragment might be in the "dead" area between the file and the end of the sector, and the scanners might be finding this in some disk buffer. - -frisk ------------------------------ Date: Wed, 12 Aug 92 08:41:48 -0400 From: padgett%tccslr.dnet%uvs1@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Re: 4096 (frodo) false alarm? (PC) >(How on earth can random memory or parts from tsr's I load look like > a 4096 virus???) Actually not that difficult. All scanners look for strings in memory, generally in the range of 8-20 bytes long. Though 4096 reduces available memory when it loads, you are *assuming* that SCAN (or whichever) only checks that part of memory. T'aint necessarily so since it is famous for detecting inactive viruses in the disk buffers. One cross-check is the memory count that scan gives while searching memory since this indicates the 64k block currently being searched. For the 4096, if this is not at the TOM, it either is not an active virus OR it's not the "plain vanilla" 4096. (I suspect that this last is the reason SCAN does not restrict 4096 memory SCAN to the TOM. Then again...). What apparently happened was that Windows *happened* to put a string in memory matching the 4096 signature (remember the room full of monkeys with typewriters). The question is: would you rather have an occasional false alarm or false "safe". Even Vessilin admits that SCAN is one of the better detectors, its main liability is in identifying what it has detected, but then that's why everyone has more than one protection layer, right ? This is a natural fallout of the competitive nature of the business that has put a higher premium on speed of scanning than accuracy (editorial). Warmly, Padgett ------------------------------ Date: Wed, 12 Aug 92 09:31:21 -0400 From: padgett%tccslr.dnet%uvs1@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Re: MS-DOS 6.0 with Anti-Virus ? (PC) I wrote: >>I see in the new PC-Week that MS-DOS 6.0 is scheduled to contain anti- >>virus software from Central Point. Frisk replied: >Well, if they do this, they could hardly have picked a better product >for the rest of the anti-virus community to compete against, as >outperforming CPAV is generally considered extremely easy... Actually, it would be a surprise if the entire CPAV product was included. More likely would be some sort of trivial checksumming routine that would tell you *something* virus-like happened, and a discount coupon for the *real* product. This could easily be part of a disk-compression device driver (also rumored) since disk compression routines generally use checksumming to verify integrity and operate at the file (not sector) level. I have had some discussions with one of the major aftermarket compression companies on this subject and on "read-only" container files (partitions). Still vulnerable to a sophisticated attack but an order of maganatude better than what is in OSs today. I would be pleasently surprised to see an effective MBR/DBR routine included. Of course that would give a number of disk protection products fits (Watchdog, PC-Safe, PC-Guardian, my DiskSecure, etc.) if it were effective as would any sort of BIOS Interrupt validation (but then CP, like most other AV vendors have been slow to do any BIOS-level programming (dig)). However, as I have been saying for the last few years, the above two techniques would stop the spread of all of today's viruses and that would not be a bad thing. Warmly, Padgett ------------------------------ Date: Wed, 12 Aug 92 14:54:23 +0000 From: cass8806@elan.glassboro.edu (KYLE CASSIDY) Subject: I Need an unattended scanner (PC) I'm using V-shield93 right now, and i'm wondering if i should use this in conjunction with a more sophisticated scan program, but i'd like one that i can set to scan the disk when i'm not around (like at 3 in the morning) i'm running windows and i leave the machine on 24 hours. are there programs that do this? sorry for taking the lazy way out and posting this. thanks. - -- kyle cassidy ------------------------------ Date: Wed, 12 Aug 92 16:51:58 +0000 From: dab6@po.CWRU.Edu (Douglas A. Bell) Subject: f-prot 2.04c ??? (PC) I found f-prot2.04c on wuarchive.wustl.edu in the pub/MSDOS_UPLOADS directory. Is it for real ? Its release date is 8/12/92, and that's today. Douglas Bell- ------------------------------ Date: Tue, 11 Aug 92 08:40:26 -0400 From: padgett%tccslr.dnet%uvs1@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Re: VM viruses from PCs (IBM VM/CMS) >- - Is there a case of VM virus infiltrated from a PC ? There are none but it could be written (code to select one of two environments would be (relatively) easy, one of three (e.g. PC, MAC, 3090) more difficult, etc. Haven't seen one yet unless you count the Morris Worm. Like the worm (and unlike virus writers) it would take a professional. The hard part would be getting it *executed* on the mainframe. >- - What is the usual procedure of uploading files from PCs to VM > in the States? I mean, do you let a PC user upload his/her files > to VM or are those files scanned by the computer center to make > sure that they are "clean" before uploading ? None, people like to live on the slope of a volcano (soil is so rich that it supports laziness). Warmly, Padgett "Define the essential spirit defined by both *Smokey and the Bandit* (1977) and *The Gumball Rally* (1976)" Contrast with the Iranian Desert Incident (1980)." ------------------------------ Date: Tue, 11 Aug 92 16:08:17 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Re: VM viruses from PCs (IBM VM/CMS) D03G005@saksu00.bitnet (Umit Dericioglu 4676034 (Work)) writes: >- - Is there a case of VM virus infiltrated from a PC ? Mainframe viral programs tend to use source code, mail systems and interpretters. Therefore, a terminal is jsut as likely a point of access as a PC. >- - What is the usual procedure of uploading files from PCs to VM > in the States? I mean, do you let a PC user upload his/her files > to VM or are those files scanned by the computer center to make > sure that they are "clean" before uploading ? Object code uploaded from a PC would not "infect" the mainframe in the sense of becoming active and reproducing or affecting operations. However, mainframes are often used as file servers for PCs, and therefore it would be a good idea to scan all software before upload so that the mainframe does not become a vector for viral spread amongst the PCs themselves. ============== Vancouver ROBERTS@decus.ca | "If you do buy a Institute for Robert_Slade@sfu.ca | computer, don't Research into rslade@cue.bc.ca | turn it on." User p1@CyberStore.ca | Richards' 2nd Law Security Canada V7K 2G6 | of Data Security ------------------------------ Date: Tue, 11 Aug 92 11:02:06 -0400 From: padgett%tccslr.dnet%uvs1@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Floptical Disk Update You may recall that some months ago I mentioned some products that are liable to cause a step cahnge in how we think about PCs. One was Disk Compression and the other was Floptical Disks. Disk Compression (being software) was accepted first. Floptical Drives took a bit longer but in this weeks InfoWorld (Aug. 10 pg 78) I see that the hardware is here and getting close to the predicted price (touch higher on the drive/lower on the disks). I know nothing about the company other than I plan to order some disks for my drive but the virtues of 21MB (42 MB compressed) floppy storage are evident. The first thought from an anti-virus standpoint is the ability to have an entire software recovery suite on a single disk. Those of you fortunate enough to have Bernoulli drives know how much of an advantage this can be ( oops, just infected everything with 4096 - no problem, just recover the whole 40 MB from the image file). The other advantages should be obvious: mail/fax/bbs system that only spins when needed. OS/2 on a single floppy (compressed). No more hour-long swap-the-floppy installations. Now if they would just come out with a plug replacement module to connect to a regular floppy controller.... Warmly, Padgett ------------------------------ Date: Tue, 11 Aug 92 09:31:30 -0700 From: rslade@sfu.ca (Robert Slade) Subject: Re: Jerusalem virus (CVP) > Robert Slade writes: >>addition of the virus code to the end of the file, with a redirecting >>jump added to the beginning of the program. > >This is accurate for infection of EXE files, but not for COM files. Yep. Blew that one. >> .... In an effort to avoid anti-semitism, it >>was referred to by its "infective length" of 1813 bytes. For COM >>files. .... > >I agree with almost everything here, but I think it's a bit presump- >tuous to conclude that the reason for the name "1813" had anything to True. However I *do* recall a message (in the early days before V-L) by one Y. Radai complaining that it was unfair and possibly anti-semitic to call it the Israeli virus ... :-) In any case, a warning to me not to get too cute. Apologies. >>Press article, and, of course, made much of. It also gave rise to >>another alias, the I.D.F. virus. > >I think you're confusing the Jerusalem with another virus here. The >above story and name fit the Frodo (= 4096) virus. To the best of my >knowledge, they do not fit the Jerusalem. Absolutely correct, I *did* get the names mixed up. When I went back and checked the files, I found that the alias for the Jerusalem arising out of this was only "Defence Forces", not IDF. It was, in any case, used only rarely and for a short time. ============== Vancouver ROBERTS@decus.ca | "A ship in a harbour Institute for Robert_Slade@sfu.ca | is safe, but that is Research into rslade@cue.bc.ca | not what ships are User p1@CyberStore.ca | built for." Security Canada V7K 2G6 | John Parks ------------------------------ Date: Thu, 13 Aug 92 11:59:17 -0700 From: rslade@sfu.ca (Robert Slade) Subject: (c) Brain - part 1 (CVP) HISVIR6.CVP 920810 (c) Brain - part 1 The "Brain" virus is probably the earliest MS-DOS virus. At one time it was the most widespread of PC viral programs. (Yet more support for the "superiority" of boot sector viral programs in terms of numbers of infections.) Extensive study has been done on the Brain family, and those wishing further details should consult Alan Solomon's analyses (which, unfortunately, are too detailed for full inclusion in the Anti-Virus Toolkit). In spite of this, and in spite of the existence of address and phone number information for the supposed author, we still have no first, second or even third hand reports of the production of the virus, and so little can be said with absolute certainty. (We do have a first hand report from the author of the Den Zuk variant, for which I am grateful to Fridrik Skulason.) The Brain "family" is prolific, although less so than Jerusalem. (Seemingly, any "successful" virus spawns a plague of copies as virus-writer-wannabes use it as a template.) Again, like the Jerusalem, it seems that one of the lesser variants might be the "original". The "ashar" version appears to be somewhat less sophisticated than the most common "Brain", and Brain contains text which makes no sense unless it is "derived" from ashar. Brain contains other "timing" information: a "copyright" date of 1986, and an apparent "version" number of 9.0. Brain is a boot sector infector, somewhat longer than some of the more recent BSIs. Brain occupies three sectors itself, and, as is usual with BSIs, repositions the normal boot sector in order to "mimic" the boot process. As the boot sector is only a single sector, Brain, in infecting a disk, reserves two additional sectors on the disk for the remainder of itself, plus a third for the original boot sector. This is done by occupying unused space on the diskette, and then marking those sectors as "bad" so that they will not be used and overwritten. The "original" Brain virus is relatively harmless. It does not infect hard disks, or disks with formats other than 360K. (Other variants are less careful, and can overlay FAT and data areas.) Brain is at once sly and brazen about its work. It is, in fact, the first "stealth" virus, in that a request to view the boot sector of an infected disk, on an infected system will result in a display of the original boot sector. However, the Brain virus is designed *not* to hide its light under a bushel in another way: the volume label of infected diskettes becomes "(c) Brain" (or "(c) ashar" or "Y.C.1.E.R.P" for different variants). Hence the name of the virus. copyright Robert M. Slade, 1992 HISVIR6.CVP 920810 =================== Vancouver ROBERTS@decus.ca | "Power users think Institute for Robert_Slade@sfu.ca | 'Your PC is now Research into rslade@cue.bc.ca | Stoned' is part of User p1@CyberStore.ca | the DOS copyright Security Canada V7K 2G6 | line." R. Murnane ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 139] ******************************************