VIRUS-L Digest Thursday, 20 Jun 1991 Volume 4 : Issue 106
Today's Topics:
Re: Virus scanners (PC)
Questons about "Disinfectant" are ANSWERED.. Thanks (Mac)
virus detection by scanners ? (PC)
re: FSP and sales figures (was: Into the 1990s)
Int 24 virus info needed (PC)
Re: Checksumming
How viruses actually spread
Review of Victor Charlie (addendum) (PC)
Spanish Virus/Telefonica (PC)
Re: Scanning infected files (PC)
Re: joshi & vsum & f-prot & ll format (PC)
Re: virus detection by scanners ? (PC)
Requirements for Virus Checkers (PC)
Re: Interesting interaction ( VIRx & SCAN ) (PC)
is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
--------------------------------------------------------------------------------
Date: 18 Jun 91 11:53:35 -0400
From: "David.M.Chess" <
[email protected]>
Subject: Re: Virus scanners (PC)
>Date: Mon, 17 Jun 91 13:05:00 -0400
>From: Al Woodhull <
[email protected]>
>The new files contain all of the infected code and so are
>good test targets, but since there is no way to execute the infected
>code it is essentially just a block of data.
They aren't necessarily good test targets. "Bulk" scanners (like
IBM's), that look through every byte of every file for patterns, will
identify them as infected, but scanners that look at, for instance,
specific areas based on the file's entrypoint will not see them as
infected, even if they work fine on actually-infected files. I
believe Alan Solomon's Anti-Virus Toolkit (I may have the name wrong)
is of the latter kind, for instance. So if a scanner doesn't see
those files as infected, it doesn't necessarily mean that it wouldn't
see a normally-infected file as such...
DC
------------------------------
Date: Tue, 18 Jun 91 11:11:11 -0600
From: James Firmiss <
[email protected]>
Subject: Questons about "Disinfectant" are ANSWERED.. Thanks (Mac)
Thanks for all the info...
"Vaccine (TM) 1.0.1", "KillVirus", and "Kill WDEF - virus INIT" have
been cast into our pit of obsolete & useless programs (with "Ferret"
and "Kill Scores").
Disinfectant 2.4 and it's init are on all our MACs.
Sam Intercept is on all of them too. I hear it requres some sort
of password to remove it. I've never tried to but I don't think anyone
here remembers what the password is. I'll have to RTFM (if I can FIND TFM).
+ - - + |... P_lasma --- James Firmiss (Foxx Fox) ---
- + + - |... S_ource ---
[email protected] ---
+ + - =====>+ I_on --- Univ. of Wisc. Madison ---
- + - |... I_mplantation --- Materials Science Program ---
- + - + - |..._______________________________________________________
"Beep. Beep Beep. Beep Beep." - vi editor
------------------------------
Date: 18 Jun 91 13:05:32 -0400
From: "David.M.Chess" <
[email protected]>
Subject: virus detection by scanners ? (PC)
>From:
[email protected] (Hermann Stamm)
>Date: 07 Jun 91 14:33:23 +0000
>I have a few questions concerning detection of virii in general and
>1701 in special.
The main thing you've discovered here is that scanners only reliably
detect the viruses that they know about. If you create a new virus
(from scratch, or by modifying an old one), it's very likely that some
scanners will no longer detect it. No big surprises there!
>First of all, I hope that only good guys are on this list, because the
>remarks made here would otherwise result in hundreds of newly virii.
Almost certainly a false hope; there's no reason to think that no
virus writers are reading this. On the other hand, I think they
already understand the principle! One could have wished you'd been a
little less explicitly helpful to them, but I don't it'll hurt, at
least in the long run.
> - what other scanner should I try for these versions ?
Some scanners may be "lucky", and see your home-grown variants as
infected. IBM's Virus Scanning Product, for instance, will recognize
the first of your monsters as a variant of the 1701.
> - is it true, that any scanner must try to look at the
> semantics of such decoders, and not at the shape ?
> (undecidable problem ?)
Yep, deciding whether or not a given program is a virus is definitely
undecidable. Fred Cohen proved that awhile back. So if you take some
existing virus, and make some changes to it, the question of whether
or not the result is still a virus is not one that *any* program is
going to get right all the time. Scanners reliably detect only
*exactly* the viruses they know about, not variants that you (probably
unwisely) choose to create.
> - which systems are good by looking at the length of
> files and reporting differences ?
Any good modification-detection program will look at the *contents* of
files (not just the length), and tell you what's changed. Of course,
if you want to be able to trust the result, you have to get the
machine into a known state first (cold-boot from a trusted floppy,
don't run anything from the suspect hard disk).
> - Is the following behaviour possible for a virus:
>
> After getting resident, it forces to do a warm-start
> with ctrl-alt-del, and then it copies itself to all
> .com-files encountered during rebooting
> (like command.com, ...).
>
> I think, that this is the way most of my .com-files
> were infected.
A virus could certainly do that, but the 1701 doesn't. Most likely it
infected something in the autoexec, so that the next time you booted,
it got control early, and then infected everything else executed
thereafter (that's how the 1701 works; it infects every com executed
after you run the first infected one).
DC
P.S. Assume that anything you post in public will be read by
large number of virus authors. Please *don't* post
live virus code, or suggestions for improvements to
existing viruses! *8)
------------------------------
Date: Tue, 18 Jun 91 13:24:44
From:
[email protected]
Subject: re: FSP and sales figures (was: Into the 1990s)
>From: padgett%
[email protected] (A. Padgett Peterson)
(Sorry for the delay...off line for a while)
>Ross: we seem to be cross communicating. In our shop we do not use "pre-
>installed" copies, no two machines are alike anyway & we are running
>everything from DOS 2.0 up. On installation, the package we use takes
>3-5 minutes to take a "snapshot" of the PC and record every executable
>on it during installation.
So, then, you have to install the program on each machine. Taking
that "snapshot" is a good idea, but still has problems if you use a)a
new seed on each machine and b) store that seed someplace where it can
be seen by "the bad guy".
If someone is going to subvert the code, they're gonna subvert the code
and there's nothing we can do about it. It's not as if DOS were a real
operating system -- it provides no real protection and simply putting
more and more layers of "feel-good-and-warm-and-fuzzy" dressing on DOS
simply makes a person *feel* better, but provides them with nothing.
If somebody wanted to mcreate a virus that gets around my stuff and the
code of everybody else out there, they probably could. Targetting my
code is sorta silly: it's too easy to simply go right out to the disk
controller if you really needed to.
>Only if the "bad guy" knows where it is stored and if the offsets are
>the same on every machine - one of the drawbacks to
>"pre-installation". If you cannot ensure the physical integrity of the
>machine all bets are off. It would take a complex and specifically
>targetted piece of software to be able to determin that you were there
>(and not some other routine) and bypass it - not for an amateur.
Right. So, if they're targetting my code, no protection will suffice,
if they are not targetting my code, why bother making things more
complex. Your mileage may, of course, vary.
> One
>of the problems is that at present there is a single criteria for
>judging PC protection programs: the number of viruses it detects. In
>actuality, this is one of the lesser threats that a full package
>should take care of.
Well, the efficiency of a package in stopping viral infections has yet
to have any scale to measure it by. When such a scale exists, all the
vendors will be climbing to the top of that heap, too.
Ross
(My views, not Microsoft's)
------------------------------
Date: Tue, 18 Jun 91 14:26:47 -0400
From: Alex Nemeth <
[email protected]>
Subject: Int 24 virus info needed (PC)
I remember something about an INT 24 virus that was discussed several
months ago. could someone pleas send me some info on it, or tell me
which back issue of Virus-L where i might find more.
Thanks
Alex Nemeth
[email protected]
[email protected]
------------------------------
Date: Tue, 18 Jun 91 15:17:36 -0400
From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Re: Checksumming
>From: Y. Radai <
[email protected]>
> Mike Lawrie writes:
>> ... sooner or later this scenario [infecting
>>files by performing SCAN while a virus like Plastique is in RAM] will
>>re-occur, as you will get hit with a similar type of virus that McAfee
>>has not yet catered for, even if you have their very latest version.
>Right;
First, organizations have been woefully lacking in training of
personnel expected to deal with malicious software (a management
problem). Our technicians get two days of targetted training before
being certified to respond to suspected viruses.
That said, since employees are instructed to power down and quarentine
any PC suspected of having a virus, the first action after questioning
the employee for symptoms is to cold boot from a write-protected
floppy and check the system out in that manner including a "scan" of
the disk and examination of the MBR and DOS Boot Record
Only if that comes up negative is the PC allowed to boot itself. At
this point the system integrity is repeatedly validated using
MEM/DEBUG and CHKDSK to determine if something is trying to go
resident.
At this point, McAfee's SCAN is often used in a different way: the
command "SCAN NUL /M" results in only memory (no files) being checked
for all viruses it knows about. If this fails then file comparisons
are done and the audit trails are checked (all PCs including employees
home machines are authorized to use a site-licensed checksumming
program).
Again a layered approach by trained personnel is necessary to protect
against the sort of global disaster mentioned (incidently, during my
training session at the CSI Conference in Denver, I thoroughly
infected the demo PC with the 4096 only to discover that there was no
5 1/4 boot floppy to use for recovery - Had several 3 1/2s for the
laptop, but no 5 1/4s. Entertaining.)
BTW the McAfee product .DOCs do mention in several places the
advisability of booting from a known clean, write-protected floppy
first.
>>A checksummer gives you no
>>security whatsoever, because it does not prevent a viral infection.
>True, a checksummer does not prevent infection, but at least it can
>*detect* infections, and that's a lot better than no security at all!!
Depends on the checksummer - the one we use performs the checksum
routine on any program presented for execution. If the program is not
known to the audit trail, a screen warns the user that the program is
unknown. Depending on the setting, the user may or may not be
permitted to execute the program. I suppose that this really comes
under the heading of access control but should be part of any
integrity management solution.
>... a program which prevents infections through floppy boots (to
>be mentioned soon)...
I believe that VSHIELD protects from hot-boots now - do not believe
that prevention from cold boots can be done without hardware or
special BIOS. My next project now that DISKSECURE is essentially
complete will be a small addition to warn the user on boot if a floppy
is in the drive - should not be difficult or require much code (trap
cntrl-alt-del, check for floppy, write warning message, loop for
response), several viruses make use of this technique already so it
cannot be too difficult (famous last words).
Cooly (a/c working again)
Padgett
------------------------------
Date: Wed, 19 Jun 91 00:50:00 +0000
From: William Hugh Murray <
[email protected]>
Subject: How viruses actually spread
>Of course I don't do much with shareware or BBS downloading which is
>where I imagine most of the problems are.
Along with many others, you imagine an untruth. Both PC and Mac
viruses spread by sharing of machines and diskettes. They might have
been spread by BBSs but they have not been. They might have been
spread by shareware, but they have not been.
Regular readers of this forum are aware of this, but it bears
re-stating, particularly in the face of specualtion to the contrary.
The most successful viruses infect boot sectors of diskettes,
partition tables or boot sectors of hard drives, and go resident,
i.e., they are TSRs. They spread when users permit strange diskettes
to be inserted in their machines, or when they put their diskettes in
machines that they did not themselves boot from a known source. While
they can and do spread marginally in other ways, this high-risk
behavior accounts for their current success.
------------------------------
Date: Tue, 18 Jun 91 18:23:54 -0700
From:
[email protected] (Rob Slade)
Subject: Review of Victor Charlie (addendum) (PC)
For those who want to "try before you buy", Victor Charlie version 3.2 is
a "freeware" demo version. The file VC3-2.ZIP should be available on
BBS's, and is posted on SUZY.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Wed, 19 Jun 91 04:14:00 +0000
From: Ben Zajac <
[email protected]>
Subject: Spanish Virus/Telefonica (PC)
Recently, a virus was discovered at Oxford University, Oxford
(England) and the City Univerity at London (England). It has been
named, "Spanish Telecom," and also, "Telefonica."
According to information that I have received from the UK, the
virus does not kick in until after the system has been booted up
400 times.
The code reportedly contains the following message:
"Menos tarifes y mas servivios"
Which means: "Lower tariffs, more service"
Damage -- When triggered, destroys (overwrites) hard disks.
Detection:
The virus is in *.COM files and boot sector.
Pattern:
Header 1 - 881D 8200 83FB 0074 188F 5500 B2; OFFSET 034H
Header 2 - 83ED 09BE 2001 03F5 FC86; OFFSET 024H
Boot Sector -
8A0E EC00 8E700 0003 F18A 4C02 8A74 03C3;OFFSET 083H
I have not personally examined this virus, however the I have no
reason to doubt the source.
Bernard P. Zajac, Jr.
MCI MAIL -
[email protected]
------------------------------
Date: 19 Jun 91 08:26:44 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: Scanning infected files (PC)
>Good question, but: wouldn't it be possible for the stealthy virus to
>trap the sector I/O and "fix" it to also hide its tracks?
Not only possible - it has already been done. At least one virus,
simply known as INT13 does just this.
- -frisk
------------------------------
Date: 19 Jun 91 08:30:32 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: joshi & vsum & f-prot & ll format (PC)
[email protected] (Terry N Reeves) writes:
> f-prot must be intended to work - "cured" - so can the author
>speak to this?
As far as I knew, F-DISINF should have been able to remove the Joshi virus.
I'll look into this right away and check what the problem is.
- -frisk
------------------------------
Date: 19 Jun 91 08:22:54 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: virus detection by scanners ? (PC)
[email protected] (Hermann Stamm) writes:
> - what other scanner should I try for these versions ?
It does not matter - you will get practically the same results. My
scanner may detect some of those SCAN missed or vice versa, but that
is not important.
What is important is that you cannot expect a scanner to detect a
modified virus. It may work, or it may not, but there is absolutely no
guarantee. A scanner is designed to detect existing viruses, not new
ones or new variants of older viruses, although some scanners may
detect some new variants of some viruses.
> - is it true, that any scanner must try to look at the
> semantics of such decoders, and not at the shape ?
Well, if it looked at something else, it would not be a scanner.... :-)
Don't misunderstand me - there are programs which may look at the 1701
virus, or some of your modified variants, and report something like:
This program seems to cotain additional code at the end,
which starts by performing decryption of itself. This is
typical of a virus.
But, a program like this is not a scanner - it is a generic analysis
tool, unable to identify viruses - it just reports anything
"suspicious".
> - which systems are good by looking at the length of
> files and reporting differences ?
Differences between what ?
> - Is the following behaviour possible for a virus:
>
> After getting resident, it forces to do a warm-start
> with ctrl-alt-del, and then it copies itself to all
> .com-files encountered during rebooting
> (like command.com, ...).
No - it is not possible.
------------------------------
Date: Tue, 18 Jun 91 23:11:30
From:
[email protected]
Subject: Requirements for Virus Checkers (PC)
>From: Robert McClenon <
[email protected]>
(Sorry for the delay...offline for a while)
>Excuse me, but I use Virex-PC, which is Ross's product. I do
>occasionally need to remove it, not to troubleshoot IT, but because
>something is incompatible with it. One commercial game requires 540K
>of FREE memory, not counting MOUSE.SYS, which it uses, and can't fit
>if Virex-PC is installed.
The next version of the code runs the resident virus checker in 608
bytes, Robert. I think I can shave about 150 more off of that....
> A third-party fax board program has TSR
>conflicts with Virex-PC. I don't know what it is doing, but it tries
>to take over the same interrupts as Virex-PC and the results are
>unpredictable. (Sometimes it refuses to run. Sometimes it crashes.)
Have you called tech support @ Microcom (919-490-1277) and told them
about it? We might have a fix someplace around, or can attempt to
figure out what's wrong and fix it in the next release.
EVERYBODY: Never accept a problem with a piece of code: the vendor
can't fix it if they don't know there is a problem.
Ross
------------------------------
Date: Wed, 19 Jun 91 16:30:21 +0000
From:
[email protected] (Ken Forward)
Subject: Re: Interesting interaction ( VIRx & SCAN ) (PC)
[email protected] (Rob Slade) writes:
> Noted an interesting interaction between two antivirals the other day,
> and finally tracked it down. If VIRx 1.4 is run before SCAN 77, SCAN
> will "detect" the presence of the 3445 and Doom 2 viri in memory and
> refuse to run.
Tried this out for myself; no 3445 or Doom 2, but Taiwan3 [T3] was
"found" in memory. Has anyone experienced any other false positives
with this combination ?
Cheers,
- ---------------------------------------------------------------------------
Kenneth Forward | "...don't plant your bad days,
MUN Dept of Physics | they grow into weeks..."
[email protected] | -Tom Waits-
- ---------------------------------------------------------------------------
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 106]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
