Return-Path: Received: from CS2.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA25229; Thu, 3 Sep 92 20:15:19 +0200 Errors-To: krvw@cert.org Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA23021 (5.65c/IDA-1.4.4 for ); Thu, 3 Sep 1992 13:53:13 -0400 Date: Thu, 3 Sep 1992 13:53:13 -0400 Message-Id: <9209031748.AA14082@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: Kenneth R. van Wyk To: Multiple recipients of list Subject: VIRUS-L Digest V5 #146 Status: RO VIRUS-L Digest Thursday, 3 Sep 1992 Volume 5 : Issue 146 Today's Topics: LANs & Viruses (PC) Re: VACSINA Information Wanted (PC) Re: hardware protection against PC viruses (PC) Re: CMOS "viruses" (PC) Re: new virus found (PC) Re: Anyone for a Feist ??? (PC) Any info on Gobbler-II a-v sw or Comrac (its publisher) ? (PC) Auto-detecting virus (PC) Re: McAfee's 95 series (PC) F-PROT reports Bugsres 3 Jokes program? (PC) Re: HELP with partition infector!! (PC) Re: Datalision Inc fractal program (PC) F-Prot & SuperStor (PC) Amiga virus info (Amiga) Bugs on my Atari (Atari) Virus Armour Re: What is the best anti-virus program??? On daily scanning (general) Bull(____) Virus used for mischief (general) Mail-server software updates VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 31 Aug 92 16:38:38 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: LANs & Viruses (PC) I have received word that our test LAN is ready for experimentation & will commence tomorrow. Before I get into that, I would like to make some comments about Netware (R) in general. 1) It is possible to protect a LAN server from viruses using only the capabilities built into the LAN. 2) The methodology is somewhat obscure and may impact the way the users are accustomed to having the LAN operate. 3) Access to files is controlled by "rights" and may be assigned to users, groups, volumes, directories, and files. 4) Rights may be tranferred and "inherited" in certain ways. 5) Rights granted at one level can often override a lack of rights at another. 6) Out of 256 possible combinations of file rights (SRWCEMFA) alone, 240 will permit viral attacks. The sixteen remaining combinations can be subverted by rights granted at other levels. Warmly, Padgett ------------------------------ Date: Mon, 31 Aug 92 20:34:03 -0400 From: Anthony Naggs Subject: Re: VACSINA Information Wanted (PC) [A quick apology to anyone whose mail I haven't replied to - a hard disk failed one morning. Backup? No need - nothing important on there; only a couple of packages and some files (& mail) off the net. Even I am not perfect, :-) ] Garry Scobie, , reports a VACSINA incident: > Bates Anti-Virus Utilities v3.37 > > TREE.COM Found Vacsina - TP05 <1206> > MEM.EXE Found Vacsina - TP05 <1206> > > F-PROT v2.04 > > TREE.COM Infection: Vacsina (TP-5) > MEM.EXE Infection: Vacsina (TP-5) > CHKDSK.EXE Infection: Vacsina-loader > > I am interested in the result of F-PROT indicating CHKDSK. Is this > file infected - probably but to what extent? First I should remind/explain that MS-DOS supports two executable file formats, (omitting batch files from this discussion). These are known as 'COM' and 'EXE' formats, often the format used is reflected by the filename extension, but this is not necessarily the case. The infection function of Vacsina viruses recognises 'COM' format files and will infect them when they are found. Some of the early variants infect 'EXE' files in two passes, when they are first encountered the virus modifies them to become 'COM' format files. So when the file is encountered on another occasion the infection will be completed. CHKDSK.EXE is in this state where it has been converted to a 'COM' file, but the second stage of infection hasn't occurred. > Is it important that one utility recognised CHKDSK while the other did not? Yes, 'EXE' files modified in this way may be corrupted and either fail to work or work incorrectly. This includes a number of programs that use overlays or include configuration information in the executable file. Software that misses these files may leave continuing problems, and resolving these will be difficult if you believe that the virus has been removed. Yours, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk -- Oe Noe! Danny Quale is in the shrubbery! -- ------------------------------ Date: Tue, 01 Sep 92 02:06:46 +0000 From: suresh@papaya.iss.nus.sg (Suresh Thennarangam - Research Scholar) Subject: Re: hardware protection against PC viruses (PC) barry.fagin@dartmouth.edu (Barry S. Fagin) writes: >I have recently seen some literature on ViruGuard, a PC expansion card >that claims to defeat all IBM PC viruses. Does anybody know anything >about this? Is it all it's cracked up to be? Please reply to this >account; any help would be much appreciated. Thanks. Take a look at the Virus Bulletin Feb 1992, product review on page 24 by Keith Jackson. FYI: The conclusion reads - ( I quote verbatim) ________________________________________________________________________ CONCLUSIONS ViruGuard can detect viruses. It can do this before execution commences for about 50% of viruses. It can detect over 90% of viruses when infected files are allowed to execute, However, the vendor's original claim that "ViruGuard traps all present and future viruses" is shown to be untrue. ________________________________________________________________________ Regards, __ (_ o_ o o |_ __)/(_( _) (_(_ /_)| )_ *************************************************************************** * Suresh Thennarangam * EMail: suresh@iss.nus.sg(Internet) * * Research Scholar * ISSST@NUSVM.BITNET * * Institute Of Systems Science * Tel: (065) 772 2588. * * National University Of Singapore * Facs.: (065) 778 2571 * * Heng Mui Keng Terrace * Telex: ISSNUS RS 39988 * * Singapore 0511. * * *************************************************************************** ------------------------------ Date: Mon, 31 Aug 92 22:36:55 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: CMOS "viruses" (PC) >Kevin Haney Internet: khv%nihcr31.bitnet@cu.nih.gov >About the possibility of a CMOS virus, as far as I know, the CMOS >memory is not in the address range of 80x86 processors, so a program >usually cannot access this memory directly or change it. Not quite true: a PC canot *execute* a program in the CMOS memory but it can be read and written to with proper assembly language statements. Consequently, CMOS can be corrupted by a PC virus that is executing (Azusa is the most common example). Since PC and XT class machines did not come with any CMOS memory and the amount of CMOS memory can be as little as 32 bytes, nearly all of which is used, and different BIOSes use the CMOS memory differently, it is not even a good place for a virus to store data. For the hysterically minded, CMOS memory (actually battery backed RAM) is a byproduct of the Motorola MC146818 (or eq.) Real Time Clock chip. Back in pre-AT times, people had to set the clock every time the system booted (even DOS 5.0 will ask if you want to set it if no AUTOEXEC.BAT if found on boot). Consequently, one of the first peripheral cards was a clock/calendar containing this chip. So that an accurate date could be maintained, the clock had to continue to run and the date/time stored even though the computer was turned off. Consequently, these cards also contained a battery to keep the clock running. Since the chip was constantly powered it also contained a small amount of RAM for storing the date. So that the clock could be read and set it contained read/write logic accessable from the CPU. The name, CMOS, stands for Complementary Metal Oxide Semiconductor - a chip manufcturing process that runs on exceptionally low power, necessary for the original batteries to have a decent life - today most batteries are rechargable lithium units that can last for several years so long as the PC is used regularly. Quickly, manufacturers found out that only a small part of the RAM was needed for the clock (10 bytes) leaving quite a bit for "other" activities. First exploited by the IBM AT (Advanced Technology) it can be used for many things. Just not viruses. More than you ever wanted to know about penguins, Padgett ------------------------------ Date: Tue, 01 Sep 92 04:41:31 -0400 From: Otto Stolz Subject: Re: new virus found (PC) Hello Frisk, On Sat, 01 Sep 90 23:41:26 -0700 sulistio@sutro.SFSU.EDU (Sulistio Muljadi) said: > This is the translated version of an article in an Indonesian > Computer Magazine, as I noted in a posting of VIRUS-L edition > Friday, August 31, 1990 about mysterious message. [...] > No more information I have instead of this one. > > INDONESIAN VIRUS > > * FREDDY > Freddy was made by one of a student in a academy of > computer in Indonesia. It infected the program, not a boot > sector virus. The program infected is IBMBIO.COM > The characteristic of this virus is the appearance of > FREDDY in a box. Now sapao@dcc.ufmg.br writes: > A new virus not detected by McAfee's Scan93 nor Virx version 2.3 was > found in Brazil. F-prot said it's a new variant of jerusalem. And on 26 Aug 92 15:33:10 +0000 you said: > Well, it turned out that it is not. This virus belongs to a separate > family. It contains an encrypted text string "Freddy Krg", so I have > proposed the name "Freddy" for it. I fear, this name has already been given to another virus (cf. the above quote from an old VIRUS-L posting). If I'm right, you'd better choose another name for the new beast, otherwise please tell us which name the Indonesioan virus has acquired, meanwhile. Best wishes, Otto Stolz ------------------------------ Date: 01 Sep 92 19:51:11 -0500 From: ISB202REID@redgum.qut.edu.au (Did somebody say Coffee ??????) Subject: Re: Anyone for a Feist ??? (PC) >>A few days ago I came across a machine absolutely >>covered by the feist virus.. > >Hm - strange. As fas as I know, Feist is unknown outside Russia. > >>Clean 93 wouldn't remove it, although it was in F-Prot 2.04a's >>database, wouldn't even recoginise it !! > >In that case there are two possibilities: > > 1) This is a false alarm - F-PROT detects Feist without problems, > I just checked. > > 2) This is a new virus, that (whatever other program you used) > just happens to mis-identify as Feist. In this case I would > need a sample of it to update F-PROT. > >However, It might also be interesting to see what other scanners report, or >what F-PROT's Quick and Heuristic scan report. > >- -frisk Ok, update time. The virus I found wasn't the feist virus. I viewed the file using a simple file viewer and found the string "No Frills 2.0" towards the end. F-prot 2.05 does NOT have this virus in its database however the heuristic scan does say that is almost certainly a virus. Clean 95 incorrectly identifies it as Feist. No Frills is not in Scan 95 virlist.txt either. Question: What does No Frills do and can it be removed. E-mail me if you want a copy of the file. - -Fodd isb202reid@qut.edu.au n1019031@water.fit.qut.edu.au ------------------------------ Date: 02 Sep 92 18:12:32 +1200 From: "Nick FitzGerald" Subject: Any info on Gobbler-II a-v sw or Comrac (its publisher) ? (PC) This morning I received a "beta evaluation copy" of Gobbler-II version 2.99B in the mail from Comrac - a Dutch software producer. From the way the accompanying letter was addressed, Comrac clearly got my name and address from the net (only my sig says "PC Applications Consultant" - my business card says "Consultant (PC Support)" and on forms and things like electoral rolls I put my occupation as "Computer Consultant"). Can anyone give me some more background on Comrac? Have other regular (?) posters to Virus-L/comp.virus also been sent one of these diskettes (I haven't had time to look at it yet - looks like something for tomorrow now). Interestingly, whilst they got their original contact with me via Email, the letter didn't mention an email address to contact them. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. n.fitzgerald@csc.canterbury.ac.nz (64)(3) 364-2337 Voice, 364-2332 FAX ------------------------------ Date: Wed, 02 Sep 92 17:52:27 +0000 From: beaurega@ireq.hydro.qc.ca (Denis Beauregard) Subject: Auto-detecting virus (PC) I would like to write a program that will check if it is per se holder of a virus. The method I have in view : Compile the program. Compute the checksum of the program. Put the checksum in the program. When starting the program : Stop the program if the checksum has been altered. Advantages : 1- User can not modify the program to remove the copyright notice (whic I can code anyway) 2- Virus modifying hte program would be catched immediately so that my programs will be reputed for being virus-safe Inconvenients : 1- This won't work on older DOS versions (since the file name is not available) 2- This will slow down the program loading, but by a small amount I would like to get feedback (I will keep subscription for that group for one month as I usually subscribe only to a group when I have a specific interest). Also, I never saw a self-protected program. Even an anti-virus program has as instructions : use the included diskette if infection is known. I think this is because DOS can be infected, but I feel these programs are not self-immunated (but I can be wrong). Would it be safer to use a 32 bit checksum (I understand a 16 bit checksum would mean if something if wrong, odd are 1 to 65536 not to find it). A 32 bit machine will just count faster a 32 bit sum. So I would use 32 bit for speed reason instead of security (while changing the checksum will be harder if 32 bit, and still more if instead of adding 32 bits, I mask some bits and add them twice). - -- \_\ Denis Beauregard * internet:beaurega@ireq.hydro.qc.ca / \ Genealogiste officiel : Beauregard/Jarret/Jarest/Vincent J __> Un Quebec renouvele dans une Amerique renovee \_.-=== Opinions ? Et pis non ! ------------------------------ Date: Wed, 02 Sep 92 14:50:10 +0000 From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: McAfee's 95 series (PC) HAYES@urvax.urich.edu writes: >In reply to my query about the authenticity of McAfee Associates "95" >serie of programs i got a message from a Belgian user who mentionned >that the files were on the GARBO server. It seemed to me that US >programs should also been made available from a US site , so I >fetched the files which are now available from us too. They're also on uunet, along with F-Prot 2.05: ~/systems/msdos/simtel20/trojan-pro/fp-205.zip ~/systems/msdos/simtel20/trojan-pro/clean95c.zip ~/systems/msdos/simtel20/trojan-pro/netsc95b.zip ~/systems/msdos/simtel20/trojan-pro/scanv95b.zip ~/systems/msdos/simtel20/trojan-pro/vshld95c.zip Available via FTP or anonymous 900-number uucp. Unless, of course, you have an account with uunet..... :-) - -- Gary Heston SCI Systems, Inc. gary@sci34hub.sci.com site admin The Chairman of the Board and the CFO speak for SCI. I'm neither. The most dangerous person in the world is Jessica Fletcher. Everywhere she goes, people die. ------------------------------ Date: 03 Sep 92 02:34:40 +0000 From: dana%are.Berkeley.EDU@ucbvax.Berkeley.EDU (Dana E. Keil) Subject: F-PROT reports Bugsres 3 Jokes program? (PC) I just obtained F-PROT. Running a scan with it reports that a file named bugres.com is infected with a virus named "bugsres 3 jokes program". I can find no mention of this virus anywhere in F-PROT documentation (nor elsewhere). Can anyone enlighten me about it? - -- Dana E. Keil Department of Agricultural and Resource Economics dana@are.Berkeley.EDU University of California, Berkeley ------------------------------ Date: Wed, 02 Sep 92 22:48:19 -0400 From: Anthony Naggs Subject: Re: HELP with partition infector!! (PC) Tim Simmonds reports: > I have scanned a PC for virus's using SCANv8.7B95 and it reported > that the Partition table was infected with the Cansu[Can] virus. > And the CLEAN-UP program reported that the virus could not be > removed safely....Is there anything else that can be donee > and how can you get a copy of the Partition Boot Record. > > The PC is a IBMPC 386 running DOS 5. The solution you require is: 1. Assuming you have a write protected boot diskette, use this to start your system. If you don't then with this virus you should be safe in booting from the hard drive. 2. Run FDISK /MBR which will replace the partition boot record, (alias partition sector or MBR - Master Boot Record), with the standard program & retain the correct partition info. Getting a copy of the partition sector is usually done with a disk editor, such as that in the Norton Utilities or Central Point PC Tools. For Norton 4.5 Advanced Edition you should start the program in 'maintenance mode' with "NU /M". Look at Absolute sector 0 on your hard drive, and you can save this (in FILE mode). pragma sermon (on) ** Everyone should have a boot diskette ** Not so long ago everybody had a [PC/MS/DR]-DOS diskette with their system, which could be used to boot it. However many cheap PCs now seem to ship with only a partial version on the hard drive, and the standard MS-DOS 5 upgrade will not boot. Also systems change over the years an your boot diskette may not be appropriate anymore. So you should think about preparing a suitable boot diskette, "just in case". Use "FORMAT A: /S", or if the disk is already formatted "SYS A:", to make a basic boot disk. If you use a command shell, such as 4DOS, you will need to ensure that the relevant files are copied to the diskette, and a minimum "CONFIG.SYS" is prepared to start it correctly. Copy some basic utilities onto the diskette, such as "DEBUG" (SID in DR-DOS), "CHKDSK", "FDISK", ... This is your 'bare bones' boot disk, test it by booting from it, write-protect it, make an extra copy (with DISKCOPY) and keep them safe. If use special software, such as DISK MANAGER or STACKER, to access your hard drive(s) then you need a second version of the diskette. This needs to include the software & appropriate "CONFIG.SYS" and/or "AUTOEXEC.BAT" to start these programs. Again test the disk, write-protect, copy & store safely. DO NOT put WINDOWS, DESQVIEW, QEMM, 386MAX, ... onto these diskettes as they are likely to obstruct investigation of your system for faults or viruses. Your favourite anti-virus s/w, system checking software (such as Quarterdeck MANIFEST), should be kept on seperate write protected diskettes, (so that you don't have to remove the protect on your boot disks). Use these after booting from your diskettes, as the copies on the hard drive may be corrupt or infected. pragma sermon (off) Take care & compute safely, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Wed, 02 Sep 92 22:49:14 -0400 From: Anthony Naggs Subject: Re: Datalision Inc fractal program (PC) Homer Smith, reports: > Being into fractals and all I get lots of fractal disks > in the mail from would be fractal types. A few years > back I got a disk called MANJU87 from a company called > DATALISION PULISHERS, INC. New York 10017. > > [.. stuff deleted ..] > > Anyhow a few weeks ago I got around to installing it for > the first time to see what the competition was like. > A few days later I found my hard disk will missing 16 million bytes > in 8110 lost clusters! > > ... I fixed my disk with pctools and reinstalled manju87 and lo and behold > 8110 lost clusters. > > What is this joker doing anyhow? Besides placing a hidden file > in my root directory named !_235053 which was filled with sniblets of > random files on my disk, how did he manage to lose that many clusters > and cross allocate files in my fat to the point where pctools just > gave us and went to the mirror file? Well, the good news is that this is almost certainly not a virus. The bad news is that the s/w is dire, but you'd guessed that already. The probable explanation is: the software is trying to use a security mechanism, presumably to prevent duplication (?). However it was written with the 32Mb partition limit of DOS versions up to 3.3 in mind. So it is mucking around at a low level with your hard drive, and all references to disk areas are calculated modulo 32Mb. Meaning that the first protion of your disk is getting mangled in a particularly unpleasant manner. Time to reach for those backups, ... Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Thu, 03 Sep 92 03:34:38 -0400 From: Andrew_Clark.sdb-e@rx.xerox.com Subject: F-Prot & SuperStor (PC) Has anyone used F-Prot's F-Driver.SYS with SuperStor from DR-DOS6. I tried to install this but got the message INT 13h modified.... I am sure that I do not have a virus, and am assuming the INT 13h is used for disk access (which superstor would need to modify to redirect disk accesses to itself) Second: IBM PC question. Can anyone advise me whether there is a virus that modifies the seconds field in a files time value to 62. I seem to recall that there is a virus which does this. If there is then how do I remove it? what does it do etc. Anyone help? Thanks, Andy ------------------------------ Date: Tue, 01 Sep 92 18:59:26 +0000 From: cmontoya%carina.unm.edu@lynx.unm.edu (Red Dragon) Subject: Amiga virus info (Amiga) Where can I get Amiga virus information? /cm cmontoya@carina.unm.edu ------------------------------ Date: Tue, 01 Sep 92 19:45:23 +0000 From: cmontoya%carina.unm.edu@lynx.unm.edu (Red Dragon) Subject: Bugs on my Atari (Atari) I know I'm the not the only person with an old Atari. I just had a bunch of bugs appear on my screen and eat up the screen and trash my disk. Help please. I was just going to help a friend with an Amiga virus and this happens! BTW, can PC viruses infect my Atari? I was using a DOS disk when this happened. /cm cmontoya@carina.unm.edu ------------------------------ Date: Mon, 31 Aug 92 13:08:50 +0000 From: suresh@papaya.iss.nus.sg (Suresh Thennarangam - Research Scholar) Subject: Virus Armour In the Jan 1992 issue of Virus Bulletin,column Virus Anlysis, James Beckett writes: <> Designers realized some time ago that the efficiency of micro-processors <> can be increased by using the spare bus time to pre-fetch the next few <> bytes of instructions. This has the curious corollary that if the <> memory is modified a very short distance in front of the current <> instruction, the processor never sees the change, as it has already <> read the relevant bytes ........ While this seems somewhat plausible I wonder if Intel's chip designers didn't make the 80x86 processors smart enough to detect memory changes in the vicinity of the current instruction and reload the pre-fetch queue in response. Well, if not then this is a hazard for programs that modify themselves during runtime. ------------------------------ Date: 31 Aug 92 11:51:37 -0800 From: "a_rubin@dsg4.dse.beckman.com"@BIIVAX.DP.BECKMAN.COM Subject: Re: What is the best anti-virus program??? bleys@infopls.chi.il.us (Bleys Ahrens) writes: >All Anti-Virus programs are not created equal. >Most anti-virus packages on the market today (Norton, Central Point, >Untouchable, MacAffee) rely on pattern scanning as their primary method >of detecting a virus. In other words, they have a database of some sort >containing hundreds of strings or attributes that known viruses produce >when they infect a computer. This has worked relatively well in the >past, but unfortunately it is rapidly becoming unpractical. When new >viruses and strains are identified, the appropriate patterns must be >added to the databases of pattern scanning programs. This may be done >with updates to the program on disk, via download or manually typing >strings into the database. >The problem is that an average of three new viruses are being created >everyday. Add to this, the number of new mutating viruses which change >their appearance and method of operation as they spread and it quickly >becomes impossible to keep up with the spread of viruses. As more and >more users become interconnected though networks like the Internet, >Compuserve, Fidonet, etc. it becomes increasing easy to move a virus >from one side of the world to the other. >Another relatively new and dangerous sort of virus is the stealth >viruses. These viruses intercept calls from anti-virus programs as they >scan memory and disks. Boot sector stealth viruses generally make a copy >of the uninfected original areas and direct scanning programs to the >location of the copy, which appears to be normal. Stealth file viruses >on the other hand are often able to remove themselves from a file as it >is being scanned, so that the file appears clean. After the scan is >complete, the virus in memory then moves its code back into the infected >files. >Other recent threats to computer security include the publishing of a book >that tells how to write viruses and includes source code. (I would >prefer not to publicize it and intentionally left out the title.) >Another new threat is the recent posting on various BBSes of a some >programs that help people write mutating viruses. >In fairness to the makers of various anti-virus software manufacturers, >it must be pointed out that most programs on the market include methods >other than pattern scanning. Most also include TSR's which monitor for >suspicious disk and memory reads and writes. Some also include various >CRC checking methods which run some sort of algorithm on each file to >create a checksum which is then compared each time the file is executed. >A simple checksum works relatively well if you are absolutely sure that >your files aren't already infected. The problem is that some viruses >are smart enough to change the checksum values stored on the disk. >So what is the optimal solution... Well, I have been evaluating several >programs lately (Norton Anti-Virus, Central Point Anti-Virus, Fifth >Generation Untouchable, Certus Novi, Intel LanProtect, Brightworks >Development Sitelock and MacAffee Scan) and the one that seems have the >best potential to deal with the possibility of stealth and mutating >viruses is the relative newcomer, Novi from Certus. >This product does do some pattern scanning, but that is not the basic >paradigm used by this product. As I understand from my research, all >executable files have essentially the same type of header records. This >contains the basic information about the program and points to the >beginning of the code to run. What a virus will do is attach to the end >of the file and change the initial pointer to the start of the virus >code. At the end of the virus code is a pointer to the start of the >program code. Thus, the user runs the program, the virus executes and >most likely places itself into memory and then executes the program. >Novi works by checking the critical areas of the file (or disk boot records >for a boot sector scan) to see that everthing is the way it should be. If >pointers appear invalid or out of place, the product alerts the user to >a problem and then depending on the user response, can attempt to remove >the improper pointers and code. By not relying on pattern scanning, the >program will working with existing viruses as well as new mutations or >strains. I am still testing with it and others, but my opinion is that >this program offers the best protection into the future, without the >need of updates. >(This program has also rated very, very well in a variety of recent >magazine article and evaluations. It's file integrity checking is very >fast and is compatible with the major LAN OSes and with Windows.) >I suspect this article will provoke quite a few responses, and I hope >that some of the above anti-virus manufacturers with be available for >comments. I'm sure the folks from Certus can tell you a great deal more >about their product and would be more than happy to send you some >literature. (I'm not here to sell products for them, so I would prefer >not to answer a zillion questions about exactly how the product works.) >Bleys Ahrens >Disclaimer: I am not affiliated in any way with any of the above >mentioned products and/or companies. I am an IS professional with a >large international corporation. While the above evaluations occured >on company time, the opinions and views are strictly my own. >Comments generally welcomed. Direct flames to /dev/nul... >-- >bleys@infopls.chi.il.us (Bleys Ahrens) >Infoplus BBS, +1 708 537 0247, v32bis. Home of Infoplus. Comments, anyone? - -- Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea 216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal) My opinions are my own, and do not represent those of my employer. My interaction with our news system is unstable; if you want to be sure I see a post, mail it. ------------------------------ Date: Tue, 01 Sep 92 12:36:43 -0700 From: rslade@sfu.ca Subject: On daily scanning (general) In the ongoing debate concerning scanning versus other types of antiviral protection, a thought. Scanning has been denigrated not only for its inability to deal with "new" viral programs, but also due to time consumption. David Stang, in his seminars, stresses that a five minute scan every day adds up to a full 20 hours, half a working week, over the course of a year. However, in doing some work on a fairly average machine this week (386/25, 80 meg HD with 75 meg of files, 350 executable out of 2400 files), I noted that Thunderbyte Scan took only 22 seconds to scan the entire thing. (I didn't time any of the others, but none of them took five minutes.) Not necessarily as *reason* to scan on a daily basis, but less reason *not* to. ============== ______________________ Vancouver ROBERTS@decus.ca | | /\ | | swiped Institute for Robert_Slade@sfu.ca | | __ | | __ | | from Research into rslade@cue.bc.ca | | \ \ / / | | Mike User p1@CyberStore.ca | | /________\ | | Church Security Canada V7K 2G6 |____|_____][_____|____| @sfu.ca ------------------------------ Date: Wed, 02 Sep 92 19:40:28 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Bull(____) Virus used for mischief (general) A report in InformationWeek in the Aug. 24 edition states that someone called a Toronto TV station and said that he had put a virus into the Toronto Stock Exchange which would shut it down at 9:30 the next morning. (If true, it would have been much more likely to be a trojan rather than a virus.) A tech support team spent all night checking the system for "all known viruses". (The TSO uses PCs?) Trading continued the next day without incident. (I'm rather surprised that I never saw any media reports about this.) Comment: although we all know that the existence of computer viral programs is a real and growing problem, it is getting to the point where false alarms are creating almost as much "damager" as the "malware" itself. There is still *so* much mythical information out there, and so little hard data in the hands of the public or the average user. ============== Vancouver ROBERTS@decus.ca | "virtual information" Institute for Robert_Slade@sfu.ca | - technical description of Research into rslade@cue.bc.ca | marketing info disguised User p1@CyberStore.ca | as technical description Security Canada V7K 2G6 | - Greg Rose ------------------------------ Date: Mon, 31 Aug 92 22:59:17 -0400 From: Jon Freivald Subject: Mail-server software updates The following software has been added to the mail-server at jaflrn.UUCP. To get UUEncoded copies via E-mail, send a message to mail-server@jaflrn.UUCP containing a line "get dos/virus/filename" for each of the files you want sent. If you have problems, please send mail to jaf@jaflrn.uucp. New files: SCAN95B.ZIP 145022 23-Aug-92 McAfee ViruScan V95B CLEAN95C.ZIP 153633 23-Aug-92 McAfee Clean-Up V95C VSHLD95C.ZIP 120216 23-Aug-92 McAfee VShield V95C NETSC95B.ZIP 135263 23-Aug-92 McAfee NetScan V95B WSCAN95B.ZIP 195605 23-Aug-92 McAfee Windows shell for ViruScan V95B NETSHLD.ZIP 104838 23-Aug-92 McAfee NLM virus scanner (The McAfee files above were downloaded from the McAfee BBS by me personally. The following files were obtained from Compu$erve.) FPR204.ZIP 267838 26-Aug-92 Fridrick Skulason's F-Prot virus scanner I-MAST.EXE 282383 26-Aug-92 Integrigy Master 1.23a ============================================================================= Jon Freivald ( jaflrn!jaf@uunet.UU.NET ) Nothing is impossible for the man who doesn't have to do it. ============================================================================= ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 146] ******************************************