VIRUS-L Digest Thursday, 20 Jun 1991 Volume 4 : Issue 107

VIRUS-L Digest Thursday, 20 Jun 1991 Volume 4 : Issue 107

Today's Topics:

Re: virus detection by scanners ? (PC)
Pro vs Reactive Protection (PC)
Re: Boot sector viruses on IDE drives (PC)
FPROT116 is on BEACH (PC)
Can such a virus be written .... (PC)
Boot sector viruses on IDE drives (PC)
doom 2 (PC)
protecting mac files via locking (Mac)
Stoned & Novell? (PC)
VSHIELD and Warm Boots (was Re: Checksumming) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 19 Jun 91 15:53:28 +0000
From: [email protected] (Arthur Rubin)
Subject: Re: virus detection by scanners ? (PC)

I'm somewhat suspicious of any code with the following instructions:

E80000 CALL (next instruction)

(except that some linkers produce that for a near call to an
unsatisfied external, and it could be required for
ROM/position-independent code that needs to access data)

3134 XOR [SI],SI

(except that that is ASCII '14')

There doesn't appear to much else fixed in there except

B*8206 MOV ??,0682

which could also be changed if you have a spare byte, which you can
get in your last try. (Details omitted -- let's not make it TOO
easy.)

I hope some virus scanners have a signature for 1701 in the encrypted
portion.

- --
[email protected] [email protected] [email protected] (personal)
[email protected] (work)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date: Wed, 19 Jun 91 12:51:57 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Pro vs Reactive Protection (PC)

In recent issues, there has been considerable outcry concerning the
"unremovable" infections that seem to plague many users and that the
generic anti-viral packages are not able to deal with them.

To repond, I have one PC (an XT) that has been infected with everything
possible yet recovery is trivial, it has been low-level formatted only
once (when it was delivered), and high-level formated an equal amount.

Of course, being an "infection" machine, it has some special qualities,
but none that I do not practise on my home machines as well.

For one, before every infection, the machine is fully backed up including
MBR, hidden sectors, DOS Boot Record, and both FATs (Bernoullis help &
it is only a 10 MB disk), however the special portions mentioned all fit
on a bootable 360k floppy and are self-restoring (similar disks exists
for each of the other machines except I usually do not save the FATs on
these).

This process has a number of advantages but does require a "recovery" disk
(preferably two) for each PC, however the process is nothing a good tech
cannot accomplish in five minutes using nothing more sophisticated than
DEBUG - less if automated, then the longest delay is SYSing the recovery disk
with the OS in use & copying any special drivers in use.

Unfortunately for many users, this MUST be done with an uninfected machine.
Since many call for help only after infection, this pro-active activity is
useless at that point.

Currently, the tool of choice seems to be McAfee's CLEAN, a generic
tool that is designed along the lines of the Oath of Hippocrates:
"First, Do No Harm". Even if it recognizes the virus (e.g. MusicBug),
and knows where the it stores the Boot Record, it must verify each
step of the way (is this really the mk 1 MusicBug or might it be a
clone ? Does it look like register values in the proper location ?
Does the retrieved sector look like a real Boot Sector ? Do the table
values match this disk ?) If any step fails, a generic disinfector
MUST refuse to continue. (those who have experienced total loss as a
result of certain "doctor" programs please raise your hands).

One of the things that can cause such problems are multiple
infections, another is the sheer diversity of boot record/MBR codes -
last year a european testing program recorded a PNCI boot record as
suspect, early versions of PC-Tools had an incredible boot record that
is the only one I have ever seen that would work with both MS-DOS and
PC-DOS. Sometimes it is hard to tell the good guys from the bad guys.

Recently, I have seen reports that some viruses use code that is so
close to each others that many scanners cannot tell the difference yet
the EMPIRE and the AZUSA need radically different cures if the
original table was not backed up somewhere off-PC (have had reports of
EMPIRE being reorted as AZUSA/Hong Cong).

In this case, you are just going to have to re-read your back issues
of Virus-L for the identifiers of each strain and the manual removal
methods that should have appeared along with the report (or soon
after).

Just to add one final note of cheer: as the strins keep increasing,
the likelyhood of misidentification will continue to increase but for
me, I would rather have a "false positive" to alert me to changes than
"false negatives" any day. After all, we have the tools, training, and
backups to handle just about anything but we "can't fix it if we don't
know its broke".
Cooly,
Padgett

------------------------------

Date: 19 Jun 91 14:58:45 -0500
From: [email protected]
Subject: Re: Boot sector viruses on IDE drives (PC)

[email protected] (John Boyd;LAHDI) writes:

> not possible on an IDE drive. So the question becomes; for an IDE
> drive, what DO you do to get rid of a boot sector virus?

McAfee Associates ( The ScanV folks) have a program that will remove a
boot sector virus. Its name is Clean-up, They also have another
called Mdisk. I'll vouch for it, as It removed the Stoned virus from
my Seagate ST-1144A IDE drive without a hitch. I don't know of a FTP
location, But it can be obtained from the authors BBS at 408-988-4004.

------------------------------

Date: Wed, 19 Jun 91 11:22:27 -0500
From: [email protected] (John Perry)
Subject: FPROT116 is on BEACH (PC)

Hello Everyone!

FPROT116.ZIP is now available on BEACH.GAL.UTEXAS.EDU. Come on
by and pick up a copy.

John Perry KG5RG

You can send mail to me at any of the following addresses:

Internet : [email protected]
UUCP : nuchat!farwest!perry

------------------------------

Date: 20 Jun 91 09:36:40 +0000
From: Steven van Aardt <[email protected]>
Subject: Can such a virus be written .... (PC)

Is it possible to write a PC virus which installs itself whenever
you place an infected disk in the drive and do a DIR command ?

Steve.

- --
---------------------------------------------------------------------------
- JANET E-mail : [email protected] (Steven van Aardt) --
-- Warning this user has been designated for termination on the 21.6.91 --
---------------------------------------------------------------------------

------------------------------

Date: Thu, 20 Jun 91 09:59:25 -0400
From: Ronnie Judd <[email protected]>
Subject: Boot sector viruses on IDE drives (PC)

[email protected] (John Boyd:LAHDI) writes;
> It recently occured to me that we get rid of most boot-sector viruses
> by routinely doing a low-level format on a drive. However, this is
> not possible on an IDE drive...

Seems I keep seeing over and over on this list that one *almost never*
has to do a low level format to remove boot sector viruses. However
on the question of how does one format an IDE drive there are programs
out there that will do such a thing. I recently upgraded a couple of
Compaq machines and found Disk Manager 4.0 did the trick just fine.
So if you feel that you *absolutely must* low level format to get rid
of the offending virus give it a shot.

Ronnie N. Judd | _ _ _ / | BITNET: RNJUDD@SUVM
Dept. Civ/Env Engineering | / (o o) _ _ _ / | Phone: (315) 443-5796
220 Hinds Hall | |_/| |_| | | FAX: (315) 443-1243
Syracuse University | (._.)||_ _( / | A failure is a chance
Syracuse, NY 13244-1190 | U _|| _|| | to start again smarter
(Of course these are my opinoins, no one else wants them!)

------------------------------

Date: Thu, 20 Jun 91 08:16:55 -0700
From: [email protected]
Subject: doom 2 (PC)

It would appear to me that VIRx 1.4 isn't cleaning up after itself.
You guys just ran accross different bits of code because of different
ares of RAM being used to store the search strings.

I state this obvious point, to make a point. This would seem slopy
code on two points: One that VIRx doesn't clean up after itself,
allowing other programs to find it's code fragments, is of course a
major concern to the users of the program. (Should also be of great
concern to the authors, but no matter for that for now..)

The second point is that it's a security problem for all computer
users. Consider: It's simplicity itself for someone who can write a
virus to tear apart the non-encrypted VIRx code and determine the
search strings used in VIRx.

Now, this in itself wouldn't be a problem, I guess, but consider that
what SCAN saw, were the search strings that VIRx was using.... meaning
they're using the SAME strings. Based on this info, anyone who wanted
to, could, in theory, modify the virus enough that the string would no
longer bee caught by the current search strings.

Encrypting the search strings in your code, therefore is always a good
idea, as is cleaning up the mess your program makes in RAM. VIRx,
apparently doesn't address these two points.

------------------------------

Date: Thu, 20 Jun 91 13:41:57 -0400
From: Lee Ratzan <[email protected]>
Subject: protecting mac files via locking (Mac)

Aplication locking on a Macintosh prevents a file from accidentally
being destroyed (trashed) and to some extent from being altered.
A user wants to know if locking Disinfectant on a hard disk will
prevent it from being itself infected from a virus emanating
from an infected floppy.

The issue is whether we can trust a resident locked copy of
Disinfectant to remain clean even if the hard disk on which it resides
becomes infected.

I have advocated that since we have no automatic virus checking
software which is activated upon disk insertion or start up and since
anyone can use the machine, the only way to be absolutely certain that
integrity has not been compromised each morning is to boot up first
with a trusted disk and run the trusted disk copy of Disinfectant
against the hard disk files.

Comments?

Lee Ratzan

------------------------------

Date: Thu, 20 Jun 91 12:18:17 -0600
From: [email protected] (Richard W Travsky)
Subject: Stoned & Novell? (PC)

Does anyone have any information on Stoned and Novell 3.X networks?
Like can a Novell server pick up Stoned (or any other boot sector
infector)? I've some information that indicates it can but not much
more than that. Tales, experiences, caveats? Please reply by email,
I need info ASAP. Many many thanks!

Richard Travsky
Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming (307) 766 - 3663 / 3668

------------------------------

Date: Thu, 20 Jun 91 19:23:00 +0000
From: [email protected] (McAfee Associates)
Subject: VSHIELD and Warm Boots (was Re: Checksumming) (PC)

padgett%[email protected] (A. Padgett Peterson) writes:

(a lot of stuff deleted here...)
>I believe that VSHIELD protects from hot-boots now - do not believe
>that prevention from cold boots can be done without hardware or
>special BIOS. My next project now that DISKSECURE is essentially
>complete will be a small addition to warn the user on boot if a floppy
>is in the drive - should not be difficult or require much code (trap
>cntrl-alt-del, check for floppy, write warning message, loop for
>response), several viruses make use of this technique already so it
>cannot be too difficult (famous last words).

VSHIELD traps warm (hot) boots (aka Ctrl-Alt-Dels, Three Finger
Salutes) to check the floppy drive and then the hard disk for boot
sector and partition table infecting viruses. If a virus is found,
VSHIELD displays it's "found virus X in area Y" message and prompts
the user to power down and boot off a clean system disk. If no virus
is found, then VSHIELD reboots the system as normal.

Some XT systems apparently have problems with this, causing a reboot
to take a long time (5 minutes or more). If so, the option can be
turned off by using the /NB (No Boot) checking.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
McAfee Associates | Voice (408) 988-3832 | [email protected]
4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | [email protected]
ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 107]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253