VIRUS-L Digest   Tuesday, 25 Jun 1991    Volume 4 : Issue 109

Today's Topics:

Re: protecting mac files via locking (Mac)
Locking Disinfectant (Mac)
Source for M-disk (PC)
Inside the Whale-Virus (PC)
Re: Hypercard Antiviral Script? (Mac)
Re: Can such a virus be written .... (PC)
Re: Can such a virus be written .... (PC)
doom2:reply (PC)
Virus checking for Sun4 (UNIX)
Self-Modifying SETVER.EXE (PC)
Product Review (PC Plus Mag) (PC)
Re: Can such a virus be written .... (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 24 Jun 91 09:16:00 -0400
From:    John Chapman <[email protected]>
Subject: Re: protecting mac files via locking (Mac)

[email protected] (Lee Ratzan) writes:
> Application locking on a Macintosh prevents a file from accidentally
> being destroyed (trashed) and to some extent from being altered.
> A user wants to know if locking Disinfectant on a hard disk will
> prevent it from being itself infected from a virus emanating
> from an infected floppy.
>
> The issue is whether we can trust a resident locked copy of
> Disinfectant to remain clean even if the hard disk on which it resides
> becomes infected.

 From what I understand, Disinfectant checks itself first thing when
it is launched.  If it has been altered in ANY way, it supposedly
renames itself to something like 'Trash Me' and quits immediately.  I
think the check it performs on itself is a little more complex than
just simple checksumming, but I am not sure.  Anyway, the theory is
that even if something were able to infect Disinfectant, it would not
allow itself to be run.
 (For those interested, I think this is also why you cannot alter the
MultiFinder partition size - it is somehow 'hard-coded' into
Disinfectant such that changing it in the Finder Get Info box doesn't
work).

 If you are particularly concerned, run the Disinfectant INIT on all
boot volumes.  This should prevent the infection of any program (not
just Disinfectant) from any known virus.  The INIT is unobtrusive,
VERY small (read 5K) and is very effective against anything that's
been found.  If you want more complete protection, I would suggest
trying GateKeeper (freeware) or the commercial packages SAM, Rival, or
Virex.  From what I have seen, all are excellent at blocking all known
viruses, but their main strength is their ability to catch & block new,
unidentified viruses.  Unfortunately, this means they are far more
picky and sensitive than the Disinfectant INIT and may cause conflicts
with (a few) software packages and INITs.

 By the way, the current version of Disinfectant is 2.4 and may be
found on most good FTP archives (eg. sumex-aim.stanford.edu) as well
as several mail server archives.

> Lee Ratzan

-- John T. Chapman                     [email protected]
                                       [email protected]

Disclaimer:  These opinions are my own and do not necessarily reflect
               those of the University or of the manufacturers of
               the products mentioned above.

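As an added illustration of the start-up self-check described above (this is not Disinfectant's code, and the post does not say how Disinfectant verifies itself, so the trailing-digest layout and the use of SHA-256 are assumptions):

```python
"""Self-verifying program image, in the spirit of the start-up check the
post attributes to Disinfectant.  Added example: the trailing-digest
layout and SHA-256 are assumptions, not Disinfectant's actual design."""
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes


def seal_image(code: bytes) -> bytes:
    """Build-time step: append a digest of the code to form the shipped image.
    The digest covers only the code; covering the digest field itself would
    make the check impossible to satisfy."""
    return code + hashlib.sha256(code).digest()


def verify_image(image: bytes) -> bool:
    """Start-up step: recompute the digest over everything except the
    trailing field and compare it in constant time.
    Note: an unkeyed digest stored in the file only detects changes made by
    code that does not know to reseal it; it is tamper evidence, not a lock."""
    if len(image) <= DIGEST_LEN:
        return False
    code, stored = image[:-DIGEST_LEN], image[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(code).digest(), stored)


def launch(image: bytes, name: str) -> str:
    """Emulate the behaviour described in the post: run only if intact;
    otherwise rename to 'Trash Me' and quit.  Returns the file's name."""
    return name if verify_image(image) else "Trash Me"


def flip_byte(image: bytes, offset: int) -> bytes:
    """Constructed tampering used only to exercise the check: alter one byte
    of the image, as any unrelated modification of the file would."""
    return image[:offset] + bytes([image[offset] ^ 0xFF]) + image[offset + 1:]


if __name__ == "__main__":
    # Constructed stand-in for the program's code bytes (100 bytes).
    image = seal_image(b"CONSTRUCTED PROGRAM CODE " * 4)
    print(launch(image, "Disinfectant"))                  # Disinfectant
    print(launch(flip_byte(image, 7), "Disinfectant"))    # Trash Me
    print(launch(image + b"\x00", "Disinfectant"))        # Trash Me
```
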
------------------------------

Date:    Mon, 24 Jun 91 09:15:49 -0400
From:    Joe McMahon <[email protected]>
Subject: Locking Disinfectant (Mac)

On Thu, 20 Jun 91, Lee Ratzan asked:
>A user wants to know if locking Disinfectant on a hard disk will
>prevent it from being itself infected from a virus emanating
>from an infected floppy.

No, but it's not necessary to do that anyway. See below.

>The issue is whether we can trust a resident locked copy of
>Disinfectant to remain clean even if the hard disk on which it resides
>becomes infected.

Yes, you can. Disinfectant has two methods of dealing with attempted
viral attacks on itself. First, its resource map is locked, meaning
that Disinfectant's resources can't be diddled with by unsophisticated
viruses; several of the older viruses are smart enough to unlock the
file if it is locked, but are not smart enough to deal with a locked
resource map.

Second, Disinfectant verifies itself at startup, and will refuse to
operate if it finds that it has been corrupted. I know of no virus
smart enough to break into it as yet.

>I have advocated that since we have no automatic virus checking
>software which is activated upon disk insertion or start up and since
>anyone can use the machine, the only way to be absolutely certain that
>integrity has not been compromised each morning is to boot up first
>with a trusted disk and run the trusted disk copy of Disinfectant
>against the hard disk files.

This is a reasonable procedure, especially since it really doesn't
take that long, and it is definitely safe. You might want to consider
augmenting Disinfectant with Gatekeeper and Gatekeeper Aid as well.
This would help in stopping WDEF/CDEF infections, as Gatekeeper Aid
checks disks as they are inserted.

--- Joe M.

------------------------------

Date:    Mon, 24 Jun 91 13:59:17 +0100
From:    [email protected]
Subject: Source for M-disk (PC)

Does anyone know of a source for M-disk: purchase, BBS, etc.?
       Thanks in advance
           Dave

------------------------------

Date:    Mon, 24 Jun 91 15:47:41 +0000
From:    Martin Zejma <[email protected]>
Subject: Inside the Whale-Virus (PC)

Hello virus-community!

About 2 months ago I got a (the) Whale-Virus from a friend, because I've
been interested in disassembling that famous monster (just from the
size).

After long nights of work I discovered almost all of the code, and it
seemed to be quite trivial; the unbelievably mysterious actions I
expected to see didn't exist.

So the question is:
IS there ANY action triggered besides copying the MBR from the 1st
harddisk to a file appended with a warning message about the Fish #6
Virus and leaving some infected files destroyed??? (something like
the nice falling letters triggered by the Cascade Virus??)

                                         So long, Martin

PS.: if anybody wants more or less specific information about the Whale,
    feel free to e-mail me.

+-----------------------------------------------------------------------+
| Martin Zejma                                8326442 @ AWIWUW11.BITNET |
|                                                                       |
| Wirtschaftsuniversitaet Wien  ---   Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+

------------------------------

Date:    Mon, 24 Jun 91 08:53:39 +0800
From:    [email protected]
Subject: Re: Hypercard Antiviral Script? (Mac)

Greetings,

>The code to scan a stack is essentially the same as the SearchScript
>code that y'all will find in your HOME stack, only you have to modify
>it to accept a file name (answer file...everyone remember now?...)
>anyway, after you do that, the search string is "set the script of".
>HOWEVER, it is possible that someone has the viri sitting in an XCMD
>or XFCN which they invoke, so you should also check the resources they
>have attached to their stack...so you see, it becomes a pain to simply
>scan the stack script because you also need to scan the resources to
>be effective.

I doubt that a general scanner for HyperTalk viruses can be created
due to the fact that all one has to do is encode the text of the
script to be inserted, and make decoding part of the infection
process.  Using this method along with "do"s you would never see a
plain text "set the script of" until it was too late.  It will probably
be necessary to do as utilities such as Virex do, and enter specific
characteristics of each virus for which to search.

This is a tough area; every time someone here comes up with a way of
blocking this sort of thing, someone else comes up with a way around
it.
                                    <->
Bruce Carter, Courseware Development Coordinator      [email protected]
Boise State University, Boise, ID  83725              [email protected]
(This message contains personal opinions only)        (208)385-1250@phone

------------------------------

Date:    Mon, 24 Jun 91 11:11:06 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Re: Can such a virus be written .... (PC)

[email protected] (Steven van Aardt) writes:
>
>   Is it possible to write a PC virus which installs itself whenever
> you place an infected disk in the drive and do a DIR command ?

Boy, I was hoping this one would go away but was wrong again.

1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed.

2) Once you have executed a virus, it could take control of the PC and infect
  floppies in this manner as several people have pointed out, but you cannot
  BECOME infected in this manner.

                                                       Padgett

------------------------------

Date:    Mon, 24 Jun 91 11:11:20 -0400
From:    Kevin_Haney%[email protected]
Subject: Re: Can such a virus be written .... (PC)

[email protected] (Steven van Aardt)
writes:
>
>   Is it possible to write a PC virus which installs itself whenever
> you place an infected disk in the drive and do a DIR command ?

> Yes. But on a PC this requires certain conditions, which mean it
> probably wouldn't spread very far.
>
> Mark Aitchison, Physics, University of Canterbury, New Zealand.

I would like to know just what these conditions are.  If you have a
clean, uninfected system with the normal system files, COMMAND.COM,
etc., I would think that it is impossible to infect system memory or
another disk by doing a directory listing on an infected diskette.
(Of course, if you don't have a clean system with unmodified system
files, anything can happen.)  At no time does COMMAND.COM transfer
program control to any executable code on a diskette when it does a
directory listing via the DIR command.  It looks at the diskette's
root directory, files, and all other areas of the diskette as pure
data.  There is no way for a virus to become activated and infect a
system if control is not passed to it at some point.  With regard to
the comment about the Stoned virus behaving this way, Stoned will
infect a diskette if you do a DIR on it from a system which has the
virus active in memory (as will most other memory-resident viruses).
The only way for it to become active is by booting a system from an
infected floppy or hard disk - it cannot become active if you do a DIR
on an infected diskette from a clean system.  And I would venture to
say that this holds true for viruses in general.


------------------------------

Date:    Mon, 24 Jun 91 08:26:53 -0700
From:    [email protected]
Subject: doom2:reply (PC)

Ross says:
=-=-=-=
>It would appear to me that VIRx 1.4 isn't cleaning up after itself.
>You guys just ran across different bits of code because of different
>areas of RAM being used to store the search strings.

(Will I ever live this down?  One mistake and *bingo!* all over the
place.  Sigh.)
-=-=-=-=-=
Ha. You mean I wasn't the first? :*>
You say:
-=-=-=-=
Actually, the strings are trivially "encrypted" to prevent the image
out on disk from triggering who-knows-how-many other scanners out
there.
=-=-=-
On /DISK/, yes. But consider the number of scanners, including McAfee's, that
look at RAM as well. False trip city, as we have seen.
You say:
-=-=-=
The answer is simple: whatever for?  The bad guys can certainly break
whatever coding scheme I use, thereby using the string list just as if
it were not encoded at all.
=-=-=
This misses the point altogether. My point was simply that without encryption
of one sort or another, even in RAM, another package will false trip. If you
think that people are going to depend on your package alone for protection,
this might not cause a problem. But a reality check (facilitated by a quick
peek at the postings in here) will prove that doesn't happen.
You say:
-=-=-
The signature a scanner uses is of no use to a bad guy unless he or
she already has the subject virus on hand, in any case.
=-=-=-
Of course not. My point in this case was the person doing the altering
to route around your code being the original author. Moreover, we
have seen several varieties of a particular virus around, indicating
more than one person altered one person's code. This is commonplace.
(Can you say 'Stoned'? Sure. I knew you could.) Obviously, virus code
is being passed around, by writers of such code, like a wine bottle at
a garbage can fire. Getting the original code is therefore no problem.
You say:
-=-=-=
>Encrypting the search strings in your code, therefore is always a good
>idea, as is cleaning up the mess your program makes in RAM. VIRx,
>apparently doesn't address these two points.

Wrong on both counts.  It is interesting, though, that about 20 beta
testers did not find that problem at all....

=-=-=
First point: How on earth is cleaning up RAM you've allocated with
your program before the program closes to be considered a BAD idea?
Ditto string encryption?

As for your beta testers not finding the problem, I suggest to you
that perhaps they missed a major problem.  Without being judgemental
here, finding this problem after beta was complete would seem to call
into question the validity of certain of your test results.

Regards to you.
E
(Normal employer isolation disclaimers apply here, i.e., they may or may not
agree with my thoughts in this matter.)

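The two points argued in the exchange above (search strings kept encoded so that other scanners do not false trip on them, and the decoded copy wiped from RAM after use) as an added worked example. This is not VIRx code; the signatures are constructed placeholders and the one-byte XOR mask is an arbitrary assumption.

```python
"""Scanner signature handling along the lines argued in the exchange above:
signatures are stored encoded, decoded into one scratch buffer only while
matching, and the buffer is wiped afterwards.  Added example with constructed
signatures; it is not VIRx code, and the XOR mask is an arbitrary assumption."""

MASK = 0x5A   # one-byte XOR mask: obfuscation against false trips, not secrecy


def _xor(data: bytes) -> bytes:
    return bytes(b ^ MASK for b in data)


def build_store(plain_signatures: dict) -> dict:
    """Build-time step: encode every signature before it is compiled into
    the scanner, so the on-disk image never holds a plaintext pattern."""
    return {name: _xor(sig) for name, sig in plain_signatures.items()}


def serialize(store: dict) -> bytes:
    """The form that would land on disk: one 'name=encoded bytes' line each."""
    return b"".join(n.encode() + b"=" + s + b"\n" for n, s in store.items())


class SignatureScanner:
    def __init__(self, store: dict):
        self.store = store                      # encoded signatures only
        self.scratch = bytearray(max((len(s) for s in store.values()), default=0))

    def scan(self, data: bytes) -> list:
        """Return the names of signatures found in data.  Each signature is
        decoded byte by byte into the mutable scratch buffer (so no immutable
        plaintext copy is created) and the buffer is zeroed in 'finally'.
        Python cannot promise the interpreter keeps no temporaries; in C the
        same step is an explicit memset/explicit_bzero before the free."""
        hits = []
        view = memoryview(self.scratch)         # slicing a memoryview does not copy
        try:
            for name, enc in self.store.items():
                for i, b in enumerate(enc):
                    self.scratch[i] = b ^ MASK
                if data.find(view[:len(enc)]) != -1:
                    hits.append(name)
        finally:
            for i in range(len(self.scratch)):  # wipe before returning
                self.scratch[i] = 0
        return hits


if __name__ == "__main__":
    # Constructed placeholder signatures; not patterns of any real virus.
    plain = {"SIG-A": b"\x90\x90CONSTRUCTED-A", "SIG-B": b"\xeb\x1cCONSTRUCTED-B"}
    scanner = SignatureScanner(build_store(plain))
    print(b"CONSTRUCTED-A" in serialize(scanner.store))          # False
    print(scanner.scan(b"header\x90\x90CONSTRUCTED-Atail"))      # ['SIG-A']
    print(all(b == 0 for b in scanner.scratch))                  # True
```
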
------------------------------

Date:    Mon, 24 Jun 91 14:33:45 -0600
From:    Xcaret Research <[email protected]>
Subject: Virus checking for Sun4 (UNIX)

Can someone point me to information about virus checking for a Sun4
computer.  Is there ftp'able software or any good commercial software?

Thanks,
John

[Ed. While not specifically an anti-virus program, you might want to
start by looking at COPS.  It's available from comp.sources.unix and
by anonymous FTP on cert.sei.cmu.edu.]

------------------------------

Date:    24 Jun 91 23:38:48 -0400
From:    Robert McClenon <[email protected]>
Subject: Self-Modifying SETVER.EXE (PC)

    I just discovered after twenty minutes of unpleasantness that
SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING
CODE.  The SETVER command is used to fake out applications which check
the version of DOS.  It seems that, rather than maintain a data file
separate from the .EXE file, Microsoft has chosen to implement
SETVER.EXE as a program which modifies itself whenever it is executed,
so as to change a table that is part of itself.

    This is very unfriendly behavior for users who try to maintain
any sort of discipline to control viruses, or any of various other
sorts of discipline.  Virex-PC gave me multiple alerts telling me that
SETVER was trying to alter SETVER.  Since the syntax of SETVER is a
little peculiar and complex, I at first assumed that I had entered the
command wrong and was doing something improper and that Virex-PC was
protecting me from a mistake.  It took me a while to realize that
SETVER was REALLY trying to MODIFY itself and that Virex-PC was trying
to protect me from a technically legitimate but undisciplined
operation.

    Is anyone from Microsoft on this distribution list?  Would they
care to explain why they did such an undisciplined thing?

         Robert McClenon
         Neither my employer nor anyone else paid me to say this.

------------------------------

Date:    Tue, 25 Jun 91 09:54:36 +0700
From:    James Nash <[email protected]>
Subject: Product Review (PC Plus Mag) (PC)

A well written article (for a change!) appears in the current issue of
UK magazine PC Plus, called "Immune Systems". It sets out to explain
viruses, offering concise understandable definitions of all those terms
you know and love (plus "Armoured Virus"!).

Anyway, the main body of Mark Hamilton's article is a review of 10
anti-viral software products. Nearly all of these are UK products,
half of which I've never heard of before. It gives a real lashing to
Defiant Systems' "Virus Hunter" and verbally assaults Visionsoft's
"Immunizer". That latter one comes last in all the tests!

The one he recommends is Jim Bates' (Bates Associates) "VIS Utilities"
(5 * rating). Also praised are RG Software's "VI-SPY" ('best US package'),
Sophos' "Sweep" and S&S's "Dr. Solomon's".

Software not included in the review were McAfee and F-PROT, to name a
few.

For scanning accuracy, Bates came top, Solomon and Sophos close;
       only Norton, Visionsoft, Defiant Systems and Virex-Pc (1.1a)
       came below 75%.
For scanning floppies (Speed), Bates came top, Central Point close,
       others struggling.
For scanning Hard Disks (Speed), Norton came top (just), followed by
       Defiant Systems, Solomons, Bates and Central Point (ITO).

If anyone wants more info, buy a copy of PC Plus or e-mail me
direct. Please don't clog up the list with "me too" messages :-)
--
James Nash // Computing Services // Phone: x8644 // User ID: ccx020 (cck)
-I spilt Spot Remover on my dog and now he's gone.
[email protected]

------------------------------

Date:    25 Jun 91 10:12:24 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Can such a virus be written .... (PC)

>[email protected] (Steven van Aardt) writes:
>  Is it possible to write a PC virus which installs itself whenever
>you place an infected disk in the drive and do a DIR command ?

Not only possible - many such viruses already exist.  They are either boot
sector infectors which intercept INT13 and infect a disk whenever it is read
from, or file infectors which intercept the FindFirst/FindNext functions -
the DIR and DIR-2 viruses are a prime example.

-frisk

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 109]
******************************************
