From: SDS::"virus-l@lehigh.edu" 17-SEP-1992 16:24:16.93 To: 3338$SPAN::HENDEE CC: Subj: VIRUS-L Digest V5 #152 Received: from Fidoii.CC.Lehigh.EDU by Sdsc.Edu (sds.sdsc.edu STMG) via INTERNET; Thu, 17 Sep 92 20:19:24 GMT Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA17501 (5.65c/IDA-1.4.4 for ); Thu, 17 Sep 1992 16:02:58 -0400 Date: Thu, 17 Sep 1992 16:02:58 -0400 Message-Id: <9209171851.AA03997@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: Kenneth R. van Wyk To: Multiple recipients of list Subject: VIRUS-L Digest V5 #152 VIRUS-L Digest Thursday, 17 Sep 1992 Volume 5 : Issue 152 Today's Topics: Re: "New" 1530 virus ? (PC) Re: Problems with F-PROT (V2.05) (PC) Re: F-prot false alarm? (PC) McAfee vs CPAV information needed (PC) New virus that scanv95b cannot pick it up!!!(HELP) (PC) Re: Auto-detecting Virus (PC) CCOMMAND.COM? (PC) F-prot false alarm? (PC) Re: V-Sign Virus (Pc) Comments On Untouchable.. (PC) PC Guardian contact info? (PC) Re: NetWare and viruses - some new results (PC) Re: NetWare and viruses - some new results (PC) Re: Netware Rights again (PC) Os/2 Boot Sectors (Os/2) HELP!! Something is DELETING my files!!! HELP!! (UNIX) Re: Virus scan for AIX 3.2? (UNIX) Virus calendar / catalog Re: Virus conference Self-checking programs The MacMag/Brandow/Peace virus (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: 11 Sep 92 09:07:08 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: "New" 1530 virus ? (PC) KDC@ccm.UManitoba.CA (Ken De Cruyenaere 204-474-8340) writes: > A new virus has turned up on our campus. > McAfee v95 identifies it as "1530" but will not clean it. Hmm, problem is, since version 91 SCAN is -very- unreliable in identifying viruses. For instance, it calls "1530 [1530]" the following viruses, some of which are completely unrelated: Dark_Avenger.1530 Dark_Avenger.Father Dark_Avenger.1028 Eastern_Digital Hymn.Hymn Hymn.Sverdlov Murphy.Brothers Rape.500 Rape.747 Rape_II SVC.5_0.C > F-PROT (V2.05) does not detect it (even in HEURISTICS) (!) Hmm, F-Prot 2.05 detects all of the above... Seems that you have a new variant. I suggest that you send a copy to Frisk. > It appears to infect .EXEs and .COMs. It seems to go for > COMMAND.COM first. Infected files increase in size (by apprx 1960) > but the date doesn't change. Sounds like a Dark_Avenger variant to me... Beware, most of the Dark_Avenger viruses are very destructive! Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available on request. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 Sep 92 09:16:36 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Problems with F-PROT (V2.05) (PC) KDC@ccm.UManitoba.CA (Ken De Cruyenaere 204-474-8340) writes: > As a satisfied user of F-PROT I have to comment on a > couple of problems I have with the latest version. > 1) It no longer has the "SCANNING MEMORY FOR VIRUSES" box > come up at start-up time, though that is apparently what > it is doing. Result is an span of several seconds where the > menu appears ready for action but does not respond. Yes, I noticed that too. Seems like a bug to me. If you setup your system with the country code for Germany (049) and then start the program (and if you don't have the German language modules), F-Prot will display a window saying (in German) that a German version of the product is available. At the bottom line of this window, you can see the percentage counter for the memory scan. I have to verify whether the pure-English version of the product actually scans the memory (without displaying a counter) or does not perform memory scan at all... > 2) VIRSTOP no longer hangs up the boot when it notices that > it has been changed. It still produces the warning message, > with the recommendation to boot from a clean floppy, then > allows the boot to continue. Haven't tried this. Also seems like a bug to me, unless it is a feature, of course... :-) > 3) This might not be new to 2.05. When you define some > signature strings a file called USER.DEF is created. > When you INSTALL F-PROT, USER.DEF is NOT one of the files > copied over. That's normal, there's no file USER.DEF in the distribution package, so the installation program does not try to copy it. It is created by the user and it is the responsibility of the user to take care of it. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available on request. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 11 Sep 92 11:51:07 +0100 From: Francesco Dalla Libera Subject: Re: F-prot false alarm? (PC) andy@exp.uvs.edu.sr writes: >Just obtained F-prot 2.05 from simtel. Unpacked it and did a secure >scan. To my surprise backup.exe (from dos 5.0) was reported as being >infected with the Stanco virus. The file was packed with pklite. I >Looked the virus up in the info table of f-prot and it says the virus >replicates only in compressed form??! Also Virstop didn't stop >backup.exe from running. I think this is a false alarm (or I hope it >is). I too, running F-prot 2.05, found a Stanco infection on an "old" PKUNZIP.EXE file. Virstop didn'nt stop the file from running...... I wrote to Frisk, but he is in vacation. Francesco Dalla Libera - -- franz@iveuncc.unive.it University of Venice (Italy) ------------------------------ Date: Fri, 11 Sep 92 01:45:17 +0000 From: sengteik@iti.gov.sg (Chua Seng Teik (RC)) Subject: McAfee vs CPAV information needed (PC) I am evaluating McAfee and Central Point Anti-Virus as part of a tender evaluation process. I wonder if anyone out there has done a similar comparison between the 2 products. I would appreciate if you could e-mail me a copy your reports. From the limited testing that I have done, it comes down to cost and frequency of upgrades for McAfee and ease of use for CPAV. Any help would be appreciated Cheers - -- Chua Seng Teik | Information Technology Institute internet : sengteik@iti.gov.sg | National Computer Board bitnet : sengteik@itivax.bitnet | 71 Science Park Drive voice : (65)772-0439 | Singapore 0511 ------------------------------ Date: Fri, 11 Sep 92 17:27:58 -0000 From: pd@nwavbbs.demon.co.uk (Peter Duffield) Subject: New virus that scanv95b cannot pick it up!!!(HELP) (PC) AMN@vms.brighton.ac.uk writes: >Henry Chan, , says: >> I just found out that my computer is attacked by a new virus(may be). >> The signatures of that virus is always attack the "format.com" file. >> When I viewed the file, the file contain "-stack!--stack!--stack!--" >> string. And this string has about 10 or more "-stack!-" in it. > >In MS-DOS 4.0 it is normal to have this in Format.Com, I don't have a >copy of 5 to hand, but suspect that does as well. Dos 5's Format.Com does indeed have the -stack!- string repeated in it a number of times. The size of the file is 33087 bytes and the CRC-32 for the file is 2087080915 Dec or 7C6653D3 hex. Peter - -- Peter Duffield pd@nwavbbs.demon.co.uk (Internet) Voice: +44 244 545669 BBS: +44 244 550332 North Wales Anti-Virus Support BBS, FidoNet: 2:250/201, VirNet: 9:441/110 ------------------------------ Date: Fri, 11 Sep 92 16:29:34 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: Auto-detecting Virus (PC) >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Alexander_Ofek@p8.f101.n9721.z9.virnet.bad.se (Alexander Ofek) writes: >> Of course it might be useful to >> check whether the interrupt vectot of int 13h still points to the BIOS area. >Unfortunately, since DOS 3.20 the interrupt vector for INT 13h never >points to the BIOS area (except at boot time), since DOS intercepts it >itself... I must respectfully disagree. Every version of DOS since then including DOS 5.0 provides a method for validating the original Int 13h vector. Personally, I use a program that runs before DOS (from the BIOS level) to check it and it is posible to plant a vector flag in memory that would be impervious to all but a specifically directed attack (and even that is detectable) Warmly, Padgett ------------------------------ Date: Sat, 12 Sep 92 01:10:34 +0000 From: cass8806@elan.glassboro.edu (KYLE CASSIDY) Subject: CCOMMAND.COM? (PC) recently there has been a rash of viri in the lab where i work, we managed to catch the holocost virus in time, but we've lost four machines to a mystery virus which formatted the hard drives.... i've noticed that a number of machines in here now, when formatting a system disk have begun to spell "command.com" with two c's, "ccommand.com" this must be a virus ... i think anyway, has anybody heard anything about this? i'm paranoid now thanks. kc ------------------------------ Date: Sat, 12 Sep 92 06:44:57 -0000 From: pd@nwavbbs.demon.co.uk (Peter Duffield) Subject: F-prot false alarm? (PC) bontchev@fbihh.informatik.uni-hamburg.de writes: >andy@exp.uvs.edu.sr writes: > >> Just obtained F-prot 2.05 from simtel. Unpacked it and did a secure >> scan. To my surprise backup.exe (from dos 5.0) was reported as being >> infected with the Stanco virus. The file was packed with pklite. I > >I didn't know that BACKUP.EXE from DOS 5.0 is PKLite'd... (I am using >DR-DOS 6.0.) DR-DOS -does- have most of its utilities in a PKLite'd >form, but I thought that Microsoft/IBM don't do that... Unless Andy has a different version of Dos 5 to mine then I think he really might have a problem. My copy is not PkLited, nor are any of the Dos 5 files for that matter, nor does FP-205 report any infection. Backup.Exe is 36092 bytes and the CRC-32 is 5591A20A hex. Peter - -- Peter Duffield pd@nwavbbs.demon.co.uk (Internet) Voice: +44 244 545669 BBS: +44 244 550332 North Wales Anti-Virus Support BBS, FidoNet: 2:250/201, VirNet: 9:441/110 ------------------------------ Date: Fri, 04 Sep 92 17:33:07 -0000 From: Enea_Meroni@f102.n331.z9.virnet.bad.se (Enea Meroni) Subject: Re: V-Sign Virus (Pc) the Cansu virus. DMC>(This is the format that the IBM Virus Scanning Program uses, but it DMC>should be readily convertible.) If you have the IBM Virus Scanning DMC>Program version 2.2.1 or better, it will detect the virus. I dont remember but perhaps Scan95B (or C?) recognize Cansu Virus so Use it. I've tested TBSCAN 4.2 but I think It'd be recognize it. ENEA ------------------------------ Date: Fri, 04 Sep 92 17:19:05 -0000 From: Enea_Meroni@f102.n331.z9.virnet.bad.se (Enea Meroni) Subject: Comments On Untouchable.. (PC) SI>I would very much like to hear your worthy comments of the following SI>Virus detection/terminator software on the market: SI> * Untouchable (by Fifth Generation Systems), SI> * Turbo-Anti virus (by CARMEL Software Engineering), SI> * McAFee Hi dude, I'm able to report comments only on MCAFEE products cuz I've seen only once Carmel product (1+ year ago) and I never seen 'bout Fifth Generation Systems' Products. As Vsum Reports MCAfee shouls be best detector all around the world. I have always latest version and I run it every day cuz I'm in habit to visit many BBS so I dont want strange joke with viruses. I've tried F-Prot also (V2.40a) and It's a good product. The faster I've ever seen is TBSCAN (V4.2 is latest version) and it reports a memory scan of strange instructions found in scanned files. It's useful for new virus code. Enea ------------------------------ Date: 12 Sep 92 17:04:00 -0700 From: Robert Slade Subject: PC Guardian contact info? (PC) A recent report in Computing Canada says that the Ontario government has switched from McAfee to a company called PC Guardian out of San Rafael, CA. I have absolutely no info on them in the CONTACTS.LST. Can anyone supply me with any? ============== Vancouver ROBERTS@decus.ca | "A ship in a harbour Institute for Robert_Slade@sfu.ca | is safe, but that is Research into rslade@cue.bc.ca | not what ships are User p1@CyberStore.ca | built for." Security Canada V7K 2G6 | John Parks ------------------------------ Date: 14 Sep 92 08:18:52 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: NetWare and viruses - some new results (PC) padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes: > Specifically, you must have NOT SUPERVISOR AND NOT WRITE AND NOT > MODIFY AND (NOT CREATE OR READ). (Boolean math in ASCII is difficult). Dr. Cohen's equations, given in his paper, are slightly different. See my next message. > >considered "secure" do not actually prevent a virus attack. It -IS- > >possible to set the right in a way that will stop viruses, it is just > >not easy to figure out how exactly. > Not really difficult once the rules of RIGHTS and INHERITANCE are > understood, see above. Ummm... I disagree... I'll give the secure settings here (quoted from Dr. Cohen's paper) and invite everybody to check whether their LAN is set in a secure way. You'll be surprised how many of them are not... > Incidently, we have also been testing both Intel's LANPROTECT and > McAfee's NETSHIELD and I would consider both to be a good version 1.0 In Edinburgh somebody from Novell quoted a public domain NLM that performs integrity checks. As far as I understand, it will be possible to subvert it by using any of the attacks against integrity checking programs, described in my paper, but nevertheless I would like to give it a try. It was reported to be available through CompuServe. Unfortunately, I forgot its name... (Was it NETCHECK?) Has anybody heard about this utility and could any kind soul make it available for us ftp users? Oh, and BTW, where is NETSHIELD available from? It wasn't on Simtel20 the last time I checked... (Please reply by private e-mail to this question. I know that somebody posted the location some time ago, but I lost the message... :-() > heard that before ?) 1) Integrity TSR active on CLIENT to ensure cleanliness > said that other products exist for the other three items e.g. McAfee's > VSHIELD for item 1 and Intel's LPSCAN for item 2 but I like one-stop Hmm, why do you classify VSHield as an integrity TSR? Because you can instruct it to check for the validation codes added by SCAN? This is a bit forced, IMHO... VShield is mainly a resident scanner and is rather far from a resident integrity checker... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 14 Sep 92 08:32:51 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: NetWare and viruses - some new results (PC) padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes: > One of the things I feel to have been fortunate in my education was > exposure to such things as Set Theory, Boolean Algebra, and Linear > Programming at a tender age, courses that I fear are rarely taught to CS > majors nowadays. Well, in our (probably faulty) educational system in Bulgaria, we are thought Boolean Algebra and Linear Programming. I have to admit that some advanced topics in Set Theory are escaping me, however... :-) > Possibly the best way to look at the difference is that RIGHTS state what > the user is permitted to do to a file or a directory. ATTRIBUTES state what > is *not* permitted to be done to a file or directory: RIGHTS allow, > ATTRIBUTES disallow. RIGHTS refer to the user, ATTRIBUTES refer to the Not always. For instance, what do the Archive, Indexed, Sharable, Directory, and VolumeLabel ATTRIBUTES -disallow-? :-) > Thus for a particular file (say MAPMEM.COM), the user rights NOT SUPERVISOR > AND NOT ACCESS AND NOT MODIFY ANDed with the file attribute READONLY > *should* protect MAPMEM.COM from direct infection (says nothing about Correct. This is one of the equations for secure settings, described in Dr. Cohen's paper. (In ASCII I would denote it as "~S.~A.~M.Ro.) > companion or path viruses, just that this particular copy of MAPMEM.COM is > protected). For the companion viruses, see below. > In contrast, while contextually NOT SUPERVISOR AND NOT ACCESS AND NOT WRITE > has the same protection for MAPMEM.COM, the protection is extended to all > files in the directory. In short attributes protect a file or directory > from everybody while a lack of rights protects the file or directory from > the user. Correct, this the second equation in the paper. (~S.~W.~A) As you have pointed out, this includes protection against a virus which knows about Novell NetWare and which can modify the rights/attributes of the protected files, if the protection allows that. If we restrict ourselves to the currently existing viruses only, we get that ~S.(~F+~R+~W) is sufficient. (That is, NOT SUPERVISOR AND ANY OF THE FILESCAN, READ, WRITE RIGHTS TURNED OFF.) (Note that all the equations in this article are just quoted from Dr. Cohen's paper; they have not been verified by my yet.) In order to stop the companion viruses (more exactly, the regular companions), you need to prohibit Modify, AccessControl, Create, and Supervisor rights. Thus, combining the first two equations with this requirement, we get the following settings for a secure installation: ~S.~M.~A.~C.(~W+Ro) That is: NOT SUPERVISOR AND NOT MODIFY AND NOT ACCESS CONTROL AND NOT CREATE AND EITHER NOT WRITE OR THE READONLY ATTRIBUTE SET TO ON, OR BOTH. Now, how many of the exiting LANs based on Novell NetWare are set up in this way? And how many of the Novell LAN supervisors who are reading this forum could figure out that the above are the -only- secure settings themselves? BTW, the above settings still leave the door wide open for a PATH-companion attack. The exact attack is described in the improved version of my paper, which I'll make available for anonymous ftp later today (shameless plug). Fortunately, such infections cannot spread between users. Oh, and one last note. The above equations hold for the EFFECTIVE access rights. That is, the rights that are effective after you take into account all inheritance masks. > Again IMHO LANs that are at risk (that is *all* that are not single-user > like mine 8*) need a properly layered mix of Novell, third party NLMs, > exception reporting, and TSRs to achieve a high degree of confidence but it > *can* be done. Fully agree with you here. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 14 Sep 92 08:58:48 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Netware Rights again (PC) gscobie@castle.edinburgh.ac.uk (G J Scobie) writes: > Certainly on page 227 on the Concepts manual for netware 3.11 it states: > "Attribute security overrides rights granted with trustee assignments > and can prevent tasks that effective rights would allow". > So what does this mean in reality? Let us suppose I have all rights in a As Padgett said, in order to be able to do something under Novell, you must have the Rights that permit you to do it, and not have any Attributes that forbid you to do it. So, neither the Rights override the Attributes, nor vice versa. They just complement themselves in a complicated way. > As for viruses, I feel that we should all assume that if a user has > certain rights then a virus will have those rights as well. Infection of This is a very key observation! It holds for all multi-user environments, which provide discretionary access controls. It is exactly this fact, which allows the viruses to spread in those environments, regardless of the discretionary access controls. It is not a Novell-specific problem, it's a general security issue. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Fri, 04 Sep 92 17:25:06 -0000 From: Enea_Meroni@f102.n331.z9.virnet.bad.se (Enea Meroni) Subject: Os/2 Boot Sectors (Os/2) KE>Yaron Goland asks KE> >And finally, is there any known virus KE> >which targets cmos and clears out sections of it? I doonu if there is a virus that clears CMOS but I've experimented that QEMM 6.02 is able to do it!!! Installing QEMM first times I've got many and many probs and at the end my computer locked up! I'm never able to enter CMOS setup! I must use jumper for resetting CMOS parameters then everything gone right! So I think there is a way to do it! If you think I've failed in something plz tell me. Bye ENEA ------------------------------ Date: Fri, 11 Sep 92 08:30:53 +0000 From: meyer@geomatic.no (Harald Martens Meyer) Subject: HELP!! Something is DELETING my files!!! HELP!! (UNIX) I'm wondering if there's some sort of virus in emacs (or a lisp-package). Or if there's a SERIOUS BUG in emacs. I was happily reading my mail with VM, when I wanted to take a look at the News. I use GNUS for News Reading. When I started up GNUS, I realised that some of my files were missing: - ~/.newsrc - ~/.newsrc.el - ~/.mailrc and all backup-files of these files. This is the FIFTH TIME this happened in two or three days!! So I won't accept that it's something I've done wrong. Have anyone else experienced this?? I think it could be something with GNUS, VM, Mail or RMAIL in emacs. I'm using an HP9000/720 with HP-UX 8.07, and my emacs version is 18.58.6. PLEASE HELP!!! 2 HM - -- < Harald Martens Meyer | Geomatic a.s > < Email:meyer@geomatic.no | PO.Box 165 Skoyen > < Tel: +47 2 50 43 30 | N-0212 OSLO 2 > < Tfx: +47 2 50 05 55 | NORWAY > ------------------------------ Date: Mon, 14 Sep 92 06:57:41 +0000 From: robmack@bsc.no (Rob MacKinnon) Subject: Re: Virus scan for AIX 3.2? (UNIX) jin@spdcc.com (Jerry Natowitz) writes: >I have never heard of a Unix based virus scanner, but I have been >asked to investigate virus scanning of software built on, and running >on, an RS6000 running AIX 3.2. > >Any leads, freeware or commercialware, would be appreciated. AIX 3.2 has a virus checker built-in (/usr/bin/virscan). Check out the man page in Info. - -- Robert MacKinnon, UNIX Support | Internet/Email: robmack@bsc.no Bergen Environmental Sciences and | robmack at nobscvm Solution Centre, Bergen, NORWAY | Phone: +47-5-544618 ****************************************************************** ------------------------------ Date: Fri, 11 Sep 92 14:11:52 -0400 From: Jacques Deslauriers Subject: Virus calendar / catalog I am looking for a chronological list or calendar for known virus. Also a catalog of virus descrip- tions. Jacques ------------------------------ Date: Sat, 12 Sep 92 08:43:07 -0400 From: John Kida (jhk) (Vienna) Subject: Re: Virus conference Understand there will be a virus conference upcoming shortly in New York and another in Washington DC in Nov. Which is better? Who are the Point of Contacts What are the dates +----------------------------------+----------------------------------------+ | John H. Kida | Voice: (919) 867-7738 | | Network Administrator | Data : (919) 867-0754 | | SSDS, Inc. (Remote) +----------------------------------------+ | 601 Dashland Ave. | Internet: jhk@washington.ssds.com | | Fayetteville, N.C. 28303 | UUCP : !uunet!ssds!jhk | +----------------------------------+----------------------------------------+ ------------------------------ Date: 13 Sep 92 22:58:16 -0400 From: Kevin Dean <76336.3114@CompuServe.COM> Subject: Self-checking programs In a message to All <02 Sep 92 17:52> Denis Beauregard wrote: DB> I would like to write a program that will check if it is per se DB> holder of a virus. The method I have in view : DB> Compile the program. DB> Compute the checksum of the program. DB> Put the checksum in the program. DB> When starting the program : Stop the DB> program if the checksum has been altered. Alexander Ofek replies: AO> Your approach will fail to detect a stealth virus like 1963 or dir2. AO> To be on the safe side you will have to read the directory using AO> absolute read (int 13h) and follow the FAT chains yourself. Stealth Bomber &@`ld be available from several sites via anonymous FTP (I've been off VIRUS-L for a while so I don't remember where exactly). Stealth Bomber is a set of C- and Pascal-callable routines that perform a CRC check on the running program and do a system check for any suspicious behaviour related to stealth viruses. If you have trouble finding it, drop me a note and I'll send you a UU-encoded copy via mail. Kevin Dean Author: Stealth Bomber ------------------------------ Date: Fri, 11 Sep 92 15:28:34 -0700 From: rslade@sfu.ca Subject: The MacMag/Brandow/Peace virus (CVP) HISVIRA.CVP 920903 MacMag virus - part 1 (I know that nobody is going to believe the fact that my schedule of columns for this series was set months ago. No one is going to believe my protestations that I have not been swayed by the recent news reports of the charges against Richard Brandow (they were right, I was wrong, that's how you spell it) so I simply won't make any. In any case, it's Canadian Content time.) On February 7, 1988, users of Compuserve's Hypercard Forum were greeted with an intriguing warning message. It told them that the NEWAPP.STK Hypercard stack file was no longer on the system. The notice suggested that if they had downloaded the file, they should not use it. If they had used it, they should isolate the system the file had run on. The story, on Compuserve, had actually started a day earlier. A user had earlier downloaded the same Hypercard stack from the Genie system, and noticed, when he used it, that an INIT resource had been copied into his system folder. (In the Mac world, this generally means that a program is executed upon startup. Many of these programs are "background" utilities which remain active during the course of the session.) The user, noticing that this same file was posted on Compuserve, had put up a warning that this file was not to be trusted. The moderator of the Forum initially downplayed the warning. He stated that there was no danger of any such activity, since Hypercard "stacks" are data files, rather than programs. Fortunately, the moderator did check out the warning, and found that everything happened as the user had said. Furthermore, the INIT resource was "viral": it spread to other "systems" that it came in contact with. (At that time "system" disks were more common among Mac users, as "bootable" disks were among MS-DOS users.) The moderator apologized, posted the warning, and a number of people started looking into the structure of the virus. The virus appeared to be benign. It attempted to reproduce until March 2, 1988. When an infected computer was booted on that date, the virus would activate a message that "RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world." A laudable sentiment, perhaps, although the means of distribution was unlikely to promote a "peaceful, easy feeling" among the targeted community. Fortunately, on March 3 the message would appear once and then the virus would erase itself. copyright Robert M. Slade, 1992 HISVIRA.CVP 920903 ============== Vancouver ROBERTS@decus.ca | Omne ignotum pro magnifico. Institute for Robert_Slade@sfu.ca | - Anything little known Research into rslade@cue.bc.ca | is assumed to be User p1@CyberStore.ca | wonderful. Security Canada V7K 2G6 | - Tacitus ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 152] ******************************************