VIRUS-L Digest   Monday, 24 Jun 1991    Volume 4 : Issue 108

Today's Topics:

Weird things in our LAN! (Mac)
Re: Can such a virus be written .... (PC)
Re: Can such a virus be written .... (PC)
DesasterMaster 2
Re: Interesting interaction ( VIRx & SCAN ) (PC)
Interesting interaction (PC)
doom 2 (PC)
Re: Hypercard Antiviral Script? (Mac)
Re: Can such a virus be written .... (PC)
Disk Killer Virus (PC)
Re: Software Upgradable BIOS (PC)
Re: protecting mac files via locking (Mac)
Thanks for help (virus papers)
joshi & vsum & f-prot & ll format (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 21 Jun 91 01:32:11 +0000
From:    [email protected] (Bob Marley)
Subject: Weird things in our LAN! (Mac)

We have a small problem in our LAN here. We have a dedicated server
(SE/30) serving about 30 Pluses (1 meg mem etc). We have to start them
off of workstation disks. This has been happening periodically
throughout the year: every once in a while one of the workstation disks
appears to be turned invisible. All the files are GONE. They are
there, it says that the space is being used, and the disks boot etc.
They are NOT invisible however. I have gone in with absolutely every
file/disk/etc utility to look for them. ResEdit, DiskTools, the works.
The only invisible file on any of the disks was the (obviously)
Desktop. Now, the other day, we got one of our Pluses back that we had
loaned out, and we discovered that on the 20 meg hard drive, it happened
AGAIN. ALL the files invisible. The person who had it was freaked, for
he thought he had deleted the entire hard drive. We have checked for
viruses, and haven't found any... It is just plain WEIRD. Anyone have
any ideas on what could be done, to fix this before it hits our server
and makes EVERYTHING there invis?  Help!

------------------------------

Date:    Fri, 21 Jun 91 17:43:00 +1200
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: Can such a virus be written .... (PC)

[email protected] (Steven van Aardt) writes:
>
>   Is it possible to write a PC virus which installs itself whenever
> you place an infected disk in the drive and do a DIR command ?

Yes. But on a PC this requires certain conditions, which mean it
probably wouldn't spread very far.

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date:    21 Jun 91 09:39:26 +0000
From:    Doug Krause <[email protected]>
Subject: Re: Can such a virus be written .... (PC)

[email protected] (Steven van Aardt) writes:
#
#  Is it possible to write a PC virus which installs itself whenever
#you place an infected disk in the drive and do a DIR command ?

Doesn't STONED act that way?

Douglas Krause                     One yuppie can ruin your whole day.
----------------------------------------------------------------------
University of California, Irvine   Internet: [email protected]
Welcome to Irvine, Yuppieland USA  BITNET: [email protected]

------------------------------

Date:    Fri, 21 Jun 91 11:45:29 +0000
From:    [email protected] (Tobias Ruland)
Subject: DesasterMaster 2

Hi all!  Does anybody know the Amiga "DesasterMaster 2" virus, how it
works and what it does?

             cu
                     Tobias

------------------------------

Date:    Thu, 20 Jun 91 17:23:19
From:    [email protected]
Subject: Re: Interesting interaction ( VIRx & SCAN ) (PC)

>From:    [email protected] (Ken Forward)
>
>[email protected] (Rob Slade) writes:
>> Noted an interesting interaction between two antivirals the other day,
>
>Tried this out for myself; no 3445 or Doom 2, but Taiwan3 [T3] was
>"found" in memory.  Has anyone experienced any other false positives
>with this combination ?

It goes to show that the viral strings used in Program A might also be
used in Program B.  The string database is large enough that it
probably spanned more than a few DOS buffers: depending on what
buffers were used by subsequent code, different portions of the string
database might be left in different areas of memory, so those who
share our strings will get different "hits" at different times.

The new cut of VIRx with new strings added (a bunch) and some bug
fixes is due out any second...

Ross

------------------------------

Date:    Wed, 19 Jun 91 18:53:21
From:    [email protected]
Subject: Interesting interaction (PC)

>From:    [email protected] (Rob Slade)
>
>Noted an interesting interaction between two antivirals the other day,
>and finally tracked it down.  If VIRx 1.4 is run before SCAN 77, SCAN
>will "detect" the presence of the 3445 and Doom 2 viri in memory and
>refuse to run.

Sigh.  Color me dumb.  I forgot to call the zap_virus_strings()
routine under certain conditions, so I left a lot of strings in
memory.  It looks like the McAfee scanner uses some of the same
strings we do...

This has been fixed in the next release of VIRx, due out in a few
days.  Lots of other good stuff in the new one, too.

Ross

------------------------------

Date: Wed Jun 19 18:53:21 1991
From: [email protected]
Subject: joshi & vsum & f-prot & ll format (PC)

>From:    [email protected] (Terry N Reeves)
>
>Vsum still says no utility will remove joshi and that low
>level format is required...

Vsum is totally wrong.  Virex-PC has been able to cure Joshi for quite
a while (> six months, at least).

>       Is there a utility, Ms Hoffman? Perhaps you just don't want to
>admit it because McAfee's can't? (I have not tried McAfee but I
>assume she'd say if his did.)

Interesting idea....

Ross

------------------------------

Date:    Thu, 20 Jun 91 19:34:27
From:    [email protected]
Subject: doom 2 (PC)

>From:    [email protected]
>
>It would appear to me that VIRx 1.4 isn't cleaning up after itself.
>You guys just ran across different bits of code because of different
>areas of RAM being used to store the search strings.

(Will I ever live this down?  One mistake and *bingo!* all over the
place.  Sigh.)

>The second point is that it's a security problem for all computer
>users.  Consider: It's simplicity itself for someone who can write a
>virus to tear apart the non-encrypted VIRx code and determine the
>search strings used in VIRx.

Actually, the strings are trivially "encrypted" to prevent the image
out on disk from triggering who-knows-how-many other scanners out
there. The image I left in memory is *after* the decryption.  Why, you
might wonder, don't I use a more complex en/de-cryption scheme?

The answer is simple: whatever for?  The bad guys can certainly break
whatever coding scheme I use, thereby using the string list just as if
it were not encoded at all.  Since it is trivial to make a program
that can determine what string a scanner is using, using complex
schemes serves no purpose except to a)give more areas for weird bugs
to show up, b)a tad of time spent by *every* user in the decrypt
routine.

The signature a scanner uses is of no use to a bad guy unless he or
she already has the subject virus on hand, in any case.

>Now, this in itself wouldn't be a problem, I guess, but consider that
>what SCAN saw, were the search strings that VIRx was using.... meaning
>they're using the SAME strings. Based on this info, anyone who wanted
>to, could, in theory, modify the virus enough that the string would no
>longer bee caught by the current search strings.

In many viruses (virii?) there is only a small area that you can use
to figure out a decent signature.  Two scanners using a similar area
should not be considered unusual.  One of my favorite areas to use is
the "Are you there?" call most resident viruses use: I assume most
others use it, too.  For viruses that I don't have on hand, I use the
Virus Bulletin list: I would presume that the bad guys have as much
access to that list as McAfee's scanner programmers do, too....

>Encrypting the search strings in your code, therefore is always a good
>idea, as is cleaning up the mess your program makes in RAM. VIRx,
>apparently doesn't address these two points.

Wrong on both counts.  It is interesting, though, that about 20 beta
testers did not find that problem at all....

One of the interesting things: Microcom, the people who publish and
market my code, is expressly forbidden from using McAfee products by
the vendor itself.  This is interesting since Microcom was, until
recently, a member of the so-called CVIA, paying their dues and
getting *absolutely* none of the privs supposedly associated with that
membership.

Ross

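Ross's explanation above (signature strings kept trivially encoded on disk so the scanner's own file does not trip other scanners, then decoded into memory and meant to be wiped by zap_virus_strings() before exit), as an added example in C. This is not VIRx or SCAN code; the signatures, the XOR key, the "file" images and the memory layout are constructed for the demo and match no real virus. It shows both halves of the problem: the encoded on-disk table does not match the plain strings, but the decoded copy left behind in memory does, so a second scanner that happens to share one string reports a "virus in memory" unless the buffer is zapped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSIGS   2
#define SIG_LEN 8
#define TBL_LEN (NSIGS * SIG_LEN)
#define XOR_KEY 0x5A   /* the trivial on-disk encoding the post describes */

/* Constructed signatures for the demo (NSIGS rows of SIG_LEN bytes); they
 * match no real virus. */
static const uint8_t plain_sigs[TBL_LEN] = {
    0xB8, 0x11, 0x22, 0xCD, 0x21, 0x3D, 0x33, 0x44,
    0xEB, 0x1C, 0x90, 0x56, 0x49, 0x52, 0x58, 0x21,
};

/* Constructed "file" images: the first carries signature 0 in its body. */
static const uint8_t infected_file[] = { 0x4D, 0x5A, 0x90, 0x00,
    0xB8, 0x11, 0x22, 0xCD, 0x21, 0x3D, 0x33, 0x44, 0xC3 };
static const uint8_t clean_file[] = { 0x4D, 0x5A, 0x90, 0x00,
    0xB8, 0x00, 0x4C, 0xCD, 0x21, 0xC3 };

/* Return the offset of sig inside buf, or -1 if absent. */
int find_sig(const uint8_t *buf, size_t n, const uint8_t *sig, size_t siglen)
{
    if (n < siglen) return -1;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return (int)i;
    return -1;
}

/* Scan buf against a signature table; return the index of the first
 * signature that matches, or -1 for clean. */
int scan_with(const uint8_t *sigs, const uint8_t *buf, size_t n)
{
    for (int s = 0; s < NSIGS; s++)
        if (find_sig(buf, n, sigs + s * SIG_LEN, SIG_LEN) >= 0) return s;
    return -1;
}

/* XOR-encode or decode a table (the same operation both ways). */
void xor_table(uint8_t *dst, const uint8_t *src)
{
    for (size_t i = 0; i < TBL_LEN; i++) dst[i] = (uint8_t)(src[i] ^ XOR_KEY);
}

/* The zap_virus_strings() idea: overwrite through a volatile pointer so the
 * compiler cannot discard the stores as dead writes before exit. */
void zap_table(uint8_t *tbl)
{
    volatile uint8_t *p = tbl;
    for (size_t i = 0; i < TBL_LEN; i++) p[i] = 0;
}

int scan_file(const uint8_t *buf, size_t n) { return scan_with(plain_sigs, buf, n); }

/* 1 if the scanner's own on-disk (encoded) table trips a scan with the plain
 * strings.  The encoding exists so that this is 0. */
int encoded_image_triggers(void)
{
    uint8_t on_disk[TBL_LEN];
    xor_table(on_disk, plain_sigs);
    return scan_with(plain_sigs, on_disk, sizeof on_disk) >= 0;
}

/* Scanner A decodes its table into a work area inside a region that later
 * programs reuse, scans, and exits with or without zapping.  Scanner B, which
 * shares signature 1, then scans that region: 1 means "virus in memory". */
int second_scanner_false_positive(int zap_on_exit)
{
    static uint8_t dos_memory[256];      /* constructed stand-in for DOS RAM */
    uint8_t *work = dos_memory + 64;
    uint8_t on_disk[TBL_LEN];
    xor_table(on_disk, plain_sigs);
    xor_table(work, on_disk);            /* decode: plaintext now resident */
    if (zap_on_exit) zap_table(work);
    return find_sig(dos_memory, sizeof dos_memory,
                    plain_sigs + SIG_LEN, SIG_LEN) >= 0;
}

int main(void)
{
    printf("encoded image trips plain-string scan: %d\n", encoded_image_triggers());
    printf("infected sample -> sig %d, clean sample -> %d\n",
           scan_file(infected_file, sizeof infected_file),
           scan_file(clean_file, sizeof clean_file));
    printf("second scanner sees string in memory: no zap=%d, zap=%d\n",
           second_scanner_false_positive(0), second_scanner_false_positive(1));
    return 0;
}
```

The XOR is deliberately as weak as Ross says his is: its only job is to keep the scanner's own image from matching, not to hide the strings from anyone who can read memory, which is why the wipe on exit, not the encoding, is the part that matters for the false positive.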
------------------------------

Date:    Thu, 20 Jun 91 23:53:45 +0000
From:    [email protected] (Michael Kerner)
Subject: Re: Hypercard Antiviral Script? (Mac)

Actually, Eric, you will find that there appears to be a bug in 2.0v2,
and you can intercept SETs that are SEND'ed (sorry, but
SEN(t)D?)...anyway, having not tried this trick in 2.1, I don't know
if it will work...and, as usual, I wouldn't trust the documentation -
try looking at the params of the SET command.  As far as the rest of
this discussion goes, I have been playing with fire & my own viri (for
test purposes, folks, so relax...then again, with the couple of times
I've been corrected, these critters wouldn't do much harm anyway...)
and as long as LockMessages is set, and as long as one checks the
script of stack xxx before opening it, it's essentially impossible to
infect yourself by opening a stack - ASSUMING YOU CHECK THE SCRIPT OF
THE STACK FIRST.

The code to scan a stack is essentially the same as the SearchScript
code that y'all will find in your HOME stack, only you have to modify
it to accept a file name (answer file...everyone remember now?...)
anyway, after you do that, the search string is "set the script of".
HOWEVER, it is possible that someone has the viri sitting in an XCMD
or XFCN which they invoke, so you should also check the resources they
have attached to their stack...so you see, it becomes a pain to simply
scan the stack script because you also need to scan the resources to
be effective.

Mike.
Mac Admin
WSOM CSG
CWRU
[email protected]

------------------------------

Date:    Fri, 21 Jun 91 17:08:31 +0000
From:    [email protected] (Brian D. Howard)
Subject: Re: Can such a virus be written .... (PC)

[email protected] (Steven van Aardt) writes:


>  Is it possible to write a PC virus which installs itself whenever
>you place an infected disk in the drive and do a DIR command ?

Yes.

You'd have to change command.com and have a dir.com or dir.bat just
sitting there.  I've actually manually done something like that as a
prank (stay away from me on april 1...)

(You asked merely if it was *possible*.  Now, do you think you've got
something like that going on?)
--
"Hire the young while they still know everything."

------------------------------

Date:    Fri, 21 Jun 91 14:36:00 +0000
From:    Jim Schenk <[email protected]>
Subject: Disk Killer Virus (PC)

Hello,

Does anyone have information on the Disk Killer Virus?  (I've already
got Patricia Hoffman's VSUM - I need some more detailed info).
Running F-PROT 1.15A on a DTK 286 under MS-DOS 4.01 results in the
following:

       This boot sector is infected with the Disk Killer virus.
       Disinfect? Y

       Can not cure - original boot sector not found.

Any help would be greatly appreciated.

Jim Schenk
University Computer Services
Florida International University

Bitnet:         jims@servax
Internet:       [email protected]

------------------------------

Date:    21 Jun 91 21:22:40 +0000
From:    [email protected] (Richard H. Miller)
Subject: Re: Software Upgradable BIOS (PC)

ingoldsb%[email protected] (Terry Ingoldsby) writes:

> It is not even necessary to place it under hardware control, rather if
> the hardware incorporates an interlock that requires a special,
> possibly unique, code, then the viruses could bash at it forever
> (almost) without success.
>
> For example if each machine thus manufactured were assigned a unique
> value in EPROM (which could not be read by the CPU), say of length 64
> bits, then the user could be queried, by the software upgrade program,
> to enter the key.  If the key matched, the EAROM would be modified,
> otherwise nothing would happen.

This is a nice thought in theory, but in practical terms it would be a
logistical nightmare for sites which have a large number of PCs or
that swap components.  This would require that detailed records be
kept for each PC and each time a motherboard is swapped or the BIOS is
replaced rather than updated. In all likelihood, two things would
happen:

1) The 'key' would be written on the PC which would give you the same
protection as hardware control.

2) Someone would lose their key and the BIOS chips would have to be
replaced.

Another approach is to use a lock mechanism with a key to update the
BIOS.  For the single user or sites which do not require central
configuration management, the key could stay in the PC [as it does not
in most cases.] For sites which do use central configuration
management, the key would be kept away from the PC to prevent BIOS
upgrades except under controlled circumstances

I do think that an upgradeable BIOS under these circumstances is a good
idea. This is a concept which has been very successful in the larger
systems for quite a long time and would work well with the necessary
controls. It would certainly be much easier to load the BIOS from
floppy for 1,000 PCs than to replace the BIOS PROMs.

--
Richard H. Miller                 Email: [email protected]
Asst. Dir. for Technical Support  Voice: (713)798-3532
Baylor College of Medicine        US Mail: One Baylor Plaza, 302H
                                          Houston, Texas 77030

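The quoted interlock design (a per-machine key that must be entered before the EAROM is written; otherwise nothing happens), as an added example in C. It is not from any vendor's BIOS and not from either poster. Assumptions, all mine: the key is held where this code can read it (in the proposal it sits in an EPROM the CPU cannot read, so the compare would live in the interlock hardware); the compare is constant-time; and a saturating bad-attempt counter locks the interlock until a service reset. The key, the image and the attempt limit are constructed. A 64-bit key already makes guessing impractical (about 2^63 expected tries); the counter is what turns "bashing at it forever" into a handful of refused writes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN      8     /* 64-bit key, as in the quoted proposal */
#define IMAGE_LEN    16    /* constructed: a toy-sized BIOS image */
#define MAX_ATTEMPTS 5     /* assumption: lock after this many bad keys */

enum update_result { UPDATE_OK, UPDATE_BAD_KEY, UPDATE_LOCKED };

/* Constructed per-machine key.  In the proposal it sits in an EPROM the CPU
 * cannot read, so the compare would be done by the interlock, not here. */
static const uint8_t machine_key[KEY_LEN] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t wrong_key[KEY_LEN]   = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x05 };
static const uint8_t sample_image[IMAGE_LEN] =
    { 0xEA, 0x5B, 0xE0, 0x00, 0xF0, 0x30, 0x36, 0x2F,
      0x32, 0x34, 0x2F, 0x39, 0x31, 0x00, 0x00, 0xFC };

static uint8_t  earom[IMAGE_LEN];    /* simulated updatable BIOS store */
static unsigned bad_attempts;        /* must survive across update requests */

/* Constant-time compare: run time does not depend on where the keys differ,
 * so a caller cannot learn the key one byte at a time from timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* The interlock: write the image only when the supplied key matches.
 * A wrong key writes nothing and burns one attempt; once the counter
 * saturates, even the right key is refused until reset_interlock(). */
enum update_result bios_update(const uint8_t *key, const uint8_t *image, size_t len)
{
    if (bad_attempts >= MAX_ATTEMPTS) return UPDATE_LOCKED;
    if (!ct_equal(key, machine_key, KEY_LEN)) {
        bad_attempts++;
        return UPDATE_BAD_KEY;
    }
    if (len > IMAGE_LEN) len = IMAGE_LEN;
    memcpy(earom, image, len);
    bad_attempts = 0;
    return UPDATE_OK;
}

/* Service-visit reset: the cost Miller's point 2 ends up imposing. */
void reset_interlock(void)
{
    bad_attempts = 0;
    memset(earom, 0, sizeof earom);
}

int earom_holds(const uint8_t *image, size_t len)
{
    return len <= IMAGE_LEN && memcmp(earom, image, len) == 0;
}

/* Wrong key leaves the EAROM untouched; right key writes it.  Returns 1 if
 * the interlock behaved as the proposal says. */
int demo_wrong_then_right(void)
{
    reset_interlock();
    if (bios_update(wrong_key, sample_image, IMAGE_LEN) != UPDATE_BAD_KEY) return 0;
    if (earom_holds(sample_image, IMAGE_LEN)) return 0;     /* nothing happened */
    if (bios_update(machine_key, sample_image, IMAGE_LEN) != UPDATE_OK) return 0;
    return earom_holds(sample_image, IMAGE_LEN);
}

/* A program "bashing at" the interlock: after MAX_ATTEMPTS bad keys the
 * store is locked and even the real key is refused. */
enum update_result demo_lockout(void)
{
    uint8_t guess[KEY_LEN] = { 0 };
    reset_interlock();
    for (unsigned i = 0; i < MAX_ATTEMPTS; i++) {
        guess[KEY_LEN - 1] = (uint8_t)i;       /* a few of the 2^64 possibilities */
        bios_update(guess, sample_image, IMAGE_LEN);
    }
    return bios_update(machine_key, sample_image, IMAGE_LEN);
}

int main(void)
{
    printf("wrong key then right key behaved: %d\n", demo_wrong_then_right());
    printf("after %d bad keys the real key gets: %d (2 = locked)\n",
           MAX_ATTEMPTS, (int)demo_lockout());
    return 0;
}
```

The lockout is the design choice that trades Ingoldsby's "bash at it forever" for Miller's point 2: a locked interlock needs someone with the reset procedure, which is exactly the logistics cost he objects to.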
------------------------------

Date:    Fri, 21 Jun 91 23:46:32 +0000
From:    [email protected] (Michael Kerner)
Subject: Re: protecting mac files via locking (Mac)

NO!  ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM.  IT IS IMPOSSIBLE TO
PROTECT A FILE BY LOCKING IT.  PERIOD.  ABSOLUTELY NOT.  IT DOESN'T HAPPEN.
The only way to protect a file is to have it on a locked volume.  Now I don't
know if SAM is beyond this, because I haven't tried it...yet (hey, c'mon,
I read newsgroups on Internet in what little free time I have between my job
at xxx and handling the lab here.  However, I have a "utility" which will
overwrite any resource in any file, and that's all the more specific I am
going to get about it because I don't want some amateur hack reading this
to get any ideas.  Saying that it can be done is bad enough - it encourages
the ones that don't know ... yet.  At any rate, file locking AND PROTECTING
(via some sector editor) do not stop this "utility" from working - no, it's
not ResEdit, but I haven't tried ResEdit, although I would assume that it
won't work.

So, there is NO WAY to stop a file on an unlocked volume from being written
to, changed, etc.

Sorry.

Mike.
Mac Admin
WSOM CSG
CWRU
[email protected]

------------------------------

Date:    Sun, 23 Jun 91 22:11:24 -0500
From:    Mac Su-Cheong <[email protected]>
Subject: Thanks for help (virus papers)

Dear netters :

  About a month ago I had asked for help with virus papers. Here is the
original request :

>   I am looking for the following thesis :
>
>   F. Cohen, "Computer Viruses", Ph.D. Dissertation, University of Southern
>   California, 1986.
>
>   Can I get it from some anonymous ftp sites ? If no, how can I get it. I am
>trying to gather papers about viruses. Any help is appreciated.

  I have got several responses to the request. Someone suggested that I
get the books COMPUTE!'s COMPUTER VIRUSES and COMPUTE!'s COMPUTER
SECURITY, but I have not found them yet. Another suggested I log on
to ftp.cs.widener.edu (192.55.239.132), but I couldn't find any virus
papers there. A nice guy found the paper in a library and sent me the
abstract. Later I found some papers at the following anonymous ftp sites :
  cert.sei.cmu.edu      pub/virus-l/docs
  cs.toronto.edu        doc/pc-virus.notes

  There are many virus papers in the journal "Computers & Security",
but my local library does not have it :-(

  Special thanks to Ralph Roberts, Alan Jones, Mark, and Malcolm.
They were so kind to do so much for me. This is the first time I
have written a summary.  If there is something wrong, please tell me. Thanks
for your time.

Mac Su-Cheong (MSC)
nckus089@twnmoe10
[email protected]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 108]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253