VIRUS-L Digest Monday, 22 Jul 1991 Volume 4 : Issue 128
Today's Topics:
Re: multi-compression
re: virus for sale
SCAN Prices? (PC)
Inaccuracies in Press
Philosophy, comments & Re: long and technical (PC)
Partition Table Query (PC) (was Re: long and technical )
Help! I'm STONED (PC)
F-PROT configuration question (PC)
SECURE.COM (PC)
Norton AntiVirus question (PC)
re: multiple compressions
Questions - list of viruses, writing a scanner
DOS virus attack (PC)
The smiling face (PC)
Re: Inaccuracies in Press on Viruses
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 17 Jul 91 20:40:03 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: multi-compression
[email protected] writes:
>Let's say I have an EXE that I've run through LZEXE. PKLITE, regardless of
>version will do a test on the file to see if the file is smaller after the
>compression is added. Since the file's already compressed, PK won't make the
>file any smaller, and will crash off, and inform the user that it can't
>compress the file.... leaving the file untouched.
Ah, but what if you first use a compression program which is not as
good as LZEXE or PKLITE. Try for example to compress a program with
EXEPACK - PKLITE is often able to compress them still further...
-frisk
------------------------------
Date: Wed, 17 Jul 91 23:50:00 +0000
From: William Hugh Murray <[email protected]>
Subject: re: virus for sale
> Granted, that to me sounds like the Hi-Tech version of selling
>anthrax... On the other hand, there are some people in the world who
>are interested in how a virus works. (Myself included.) Yes, this is
>not such a good idea to sell a virus, but I would rather have one
>arrive in the mail when I'm waiting for it, rather than let it sneak
>up on me some night when I'm downloading...
I am a little disappointed at such a narrow and egocentric view.
The offering of the virus for sale increases, rather than decreases,
the possibility that one will "sneak up on you some night." Getting one
in the mail when you expect it, does not reduce, but increases, the
chance that you will get one when you do not expect it.
You reason like the man who, when told the chances of two bombs on a
plane were vanishingly small, decided to always carry his own.
Seeing the content of Jerusalem-B will tell you nothing that is not
already public. There are no clever secrets in Jerusalem-B, and nothing
that you can learn about it from having your own copy that will reduce
your vulnerability to it. The ability to satisfy your morbid curiosity,
at the expense of giving it a boost which it does not need, seems to me
a very bad trade indeed.
Your vulnerability is related to the total number of copies in the
world; someone offering it for sale can only influence that in one
direction. What makes you think that all of the purchasers will treat
it with the respect with which such a dangerous artifact should be
treated?
One way to view the ethics of something that you would like to do is to ask
yourself how you would be affected if everyone else did it too.
William Hugh Murray 203-966-4769
Information System Security 203-326-1833 (CELLULAR)
Consultant to Deloitte & Touche 203-761-3088
Wilton, Connecticut email:
[email protected]
[email protected]
MCI-Mail: 315-8580
TELEX: 6503158580
FAX: 203-966-8612
Compu-Serve: 75126,1722
21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840 PRODIGY: DXBM57A
------------------------------
Date: Thu, 18 Jul 91 02:09:18 -0400
From: [email protected] (Daniel J Karnes)
Subject: SCAN Prices? (PC)
>>Date: Tue, 16 Jul 91 16:25:36 +0000
>>From: [email protected] (McAfee Associates)
>>
>>Pricing depends on many factors such as the type of usage, number of
>>machines, which programs, type of upgrades, and so forth. This makes
>>it difficult to give you a simple response.
RG>Why is it so bloody hard to get a friggin' price out of you guys, eh?
RG>Do you have a price list? If so, publish it?
Hi Ross.. Last time I looked, the prices were very clearly listed in
the .DOC files for SCAN and the other utilities... Says right there
what it costs. Also says that if you need any other information or a
quote for a site license to give 'em a call too.
I assume that your talents include being able to read.
SPEAKING of being hard to get an answer from... I tried many times
over a period of two years to get information or even an answer from
you on your bbs and also a time or two via telephone, and finally
just gave up. What gives?
-djk
*********************************************************************
Daniel J. Karnes - An entity of one. * Ring MY chime sometime guy!
[email protected] / WA6NDT / POB 7007 Nashua, NH USA 03060-7007
*********************************************************************
------------------------------
Date: Thu, 18 Jul 91 09:03:15 -0400
From: Helena M Vonville <[email protected]>
Subject: Inaccuracies in Press
Robert McClennon wrote on the Washington Post article which discussed
the possibility of a virus in the telephone software. He was
disturbed (and rightly so) that the press does not use the jargon
correctly when describing such problems.
Fortunately (or maybe not so fortunately since we are dealing with a
certain amount of potential incompetence) the problem was not virus,
trojan, or worm related. It was just bad programming. The story was
updated on NPR late last week, I believe.
Helena VonVille
Ohio State University
------------------------------
Date: Thu, 18 Jul 91 10:13:26 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Philosophy, comments & Re: long and technical (PC)
First, the number of column inches devoted to one vendor
yammering about another's failure to publish (in Virus-L !) a price
list is getting out of hand. This kind of diatribe serves no
constructive purpose in this forum.
In the same vein, I have learned that to a journalist,
credibility is everything & once lost is very difficult to regain.
Quoting recognized experts out of context and distorting papers to fit
maligning prose is a quick way to ruin credibility so that even
valuable contributions are distrusted.
Combining the two paragraphs above, I have decided that any
response to such merely allows opportunity for more yammering or yet
another distorted response & thus personally decline to do so. "Once
bitten" & all that.
Back to the main subject, the responses and suggestions seen
so far to the question of authentication of a system (e.g. how do you
tell if an "extra added attraction" is present) again seem to be
missing a point settled some time ago:
The simplest answer to the dilemma is to separate into two tasks:
1) Determine the BIOS entry points for interrupts needed to authenticate
the system.
2) Authenticate the system.
The easiest way to do this is to accomplish (1) during the
BIOS load before DOS (or any other O/S) has had a chance to muddy the
waters. Since at BIOS time, a PC is a fully functioning computer, it
is possible to retrieve the pointers to essential elements (Interrupts
0-1Fh) and store these values in an accessible location, possibly
encrypted.
Since these vectors (keyboard, local storage, monitor) are
still usable even after loading of the O/S, programs can be run at any
time that use only these known clean accesses. Such programs can be
effective even in an infected single-tasking machine. These access
values may be stored either on-line, at the server level, or off-line
on floppy disks.
If necessary, the entire subroutine for such access to the INs
& OUTs level could be maintained separately so that use of
potentially-corrupted interrupts would never be necessary.
Given clean and authenticatable peripheral paths, integrity
programs and scanners can be run at any later time with the ability to
bypass possibly untrustable elements thus rendering all currently
known stealth techniques useless.
The authentication task may then be invoked at any time before
or after the loading of the O/S with expectation of valid results
being obtained.
It is interesting to note that such a methodology would remove
the necessity for memory scans that have caused so much trouble lately
since no resident routines would be necessary for execution.
Padgett
"All is simple. If it looks complex, it has not been properly broken down."
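The two-step scheme described in the post above, written out as an added example (editor's code, not Padgett's and not any product's). Step 1 captures the interrupt vectors for INT 00h-1Fh; step 2 re-reads the table later and reports every vector that has moved. The layout it relies on is real: the real-mode interrupt vector table (IVT) sits at physical address 0000:0000 with 4 bytes per vector, offset word then segment word. Everything else is assumed or constructed: the 128-byte IVT images are in-memory buffers so the program runs on any hosted C compiler, and a CRC-32 over the stored vectors stands in for the "possibly encrypted" storage the post mentions. A CRC only catches a damaged or truncated stored copy; protection against something that can rewrite the copy and recompute the CRC still rests on where the copy is kept (offline floppy or server), exactly as the post says.

```c
/* Added example, not code from Padgett's post: capture the BIOS interrupt
 * vectors for INT 00h-1Fh, then authenticate a later IVT image against
 * that snapshot. On a real PC the IVT is 4 bytes per vector at 0000:0000,
 * offset word then segment word; here the image is a constructed buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 0x20                 /* INT 00h..1Fh, the range named above */
#define IVT_IMAGE_LEN (4 * IVT_ENTRIES)  /* 128 bytes of raw table */

typedef struct { uint16_t off, seg; } far_ptr;

/* Stored copy of the clean vectors plus a CRC-32 over them, so a damaged
 * or truncated stored copy is rejected instead of silently trusted. */
typedef struct {
    far_ptr  vec[IVT_ENTRIES];
    uint32_t crc;
} ivt_snapshot;

static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Step 1: decode a raw IVT image (little-endian off, seg) and seal it. */
void ivt_capture(const uint8_t *ivt_raw, ivt_snapshot *s) {
    for (int i = 0; i < IVT_ENTRIES; i++) {
        const uint8_t *e = ivt_raw + 4 * i;
        s->vec[i].off = (uint16_t)(e[0] | (e[1] << 8));
        s->vec[i].seg = (uint16_t)(e[2] | (e[3] << 8));
    }
    s->crc = crc32((const uint8_t *)s->vec, sizeof s->vec);
}

/* Is the stored snapshot still intact? */
int ivt_snapshot_valid(const ivt_snapshot *s) {
    return crc32((const uint8_t *)s->vec, sizeof s->vec) == s->crc;
}

/* Step 2: compare the current IVT image with the stored snapshot.
 * Returns -1 if the snapshot fails its own check, otherwise the number of
 * vectors that differ; *changed gets bit i set for each differing INT i. */
int ivt_authenticate(const uint8_t *ivt_now, const ivt_snapshot *s, uint32_t *changed) {
    if (!ivt_snapshot_valid(s)) return -1;
    ivt_snapshot cur;
    ivt_capture(ivt_now, &cur);
    int n = 0;
    *changed = 0;
    for (int i = 0; i < IVT_ENTRIES; i++)
        if (cur.vec[i].off != s->vec[i].off || cur.vec[i].seg != s->vec[i].seg) {
            *changed |= 1u << i;
            n++;
        }
    return n;
}

/* Write one vector into a raw image (little-endian offset, then segment). */
void ivt_set_vector(uint8_t *ivt_raw, int intno, uint16_t seg, uint16_t off) {
    uint8_t *e = ivt_raw + 4 * intno;
    e[0] = (uint8_t)(off & 0xFF); e[1] = (uint8_t)(off >> 8);
    e[2] = (uint8_t)(seg & 0xFF); e[3] = (uint8_t)(seg >> 8);
}

/* Constructed "clean" BIOS table: every vector inside the ROM segment F000h. */
void ivt_build_constructed(uint8_t *ivt_raw) {
    for (int i = 0; i < IVT_ENTRIES; i++)
        ivt_set_vector(ivt_raw, i, 0xF000, (uint16_t)(0xE000 + 0x10 * i));
}

/* Worked scenario: snapshot at BIOS time, then a constructed later image in
 * which INT 13h (disk services) points into RAM instead of ROM. Returns the
 * number of vectors that differ (1 here) and the changed-bit mask. */
int ivt_demo(uint32_t *changed) {
    uint8_t at_bios[IVT_IMAGE_LEN], later[IVT_IMAGE_LEN];
    ivt_snapshot clean;
    ivt_build_constructed(at_bios);
    ivt_capture(at_bios, &clean);            /* done before the O/S loads */
    memcpy(later, at_bios, sizeof later);
    ivt_set_vector(later, 0x13, 0x9F00, 0x0000);
    return ivt_authenticate(later, &clean, changed);
}

int main(void) {
    uint32_t changed;
    int n = ivt_demo(&changed);
    printf("%d vector(s) differ from the BIOS-time snapshot\n", n);
    for (int i = 0; i < IVT_ENTRIES; i++)
        if (changed & (1u << i)) printf("  INT %02Xh moved\n", i);
    return n == 0 ? 0 : 1;
}
```

The comparison is deliberately over the whole 00h-1Fh range rather than just INT 10h, 13h and 16h (video, disk, keyboard, the three the post names), because a checker that only uses the vectors it needs still wants to know whether anything else in the BIOS range has been redirected.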
------------------------------
Date: Thu, 18 Jul 91 18:26:00 +0000
From: [email protected] (Glenn Forbes Larratt)
Subject: Partition Table Query (PC) (was Re: long and technical )
[email protected] (I) wrote:
>Every Saturday, the operations staff here take the time to boot each
>machine in the lab from a specially-prepared "wiper" diskette. The
>diskette is programmed (via autoexec.bat and some special widgets
>written in-house) to format all logical hard disks in the machine,
>rebuild DOS, and reinstall the necessary drivers to connect to the
>network.
..
>we are currently working on one of our widgets so that it can
>automatically rebuild and overwrite the partition table for a complete
>"wipe".
In the course of putting the partition table aspect of this together,
I've come across some questions which I need to answer before I can go
further:
1) I am implementing the partition table rebuild code as a
device driver to be launched from a cold boot from a floppy. However,
the partition table has to have been already read for DOS to be
setting up drive letters internally (I assume, with all that implies
:-). Is there a chance of having a partition table virus already in
memory from that process?
2) Is it absolutely necessary to reboot to rebuild the DOS
drive designations after making changes to the partition table?
3) If the answer to 2) is yes, I am considering ways of
preventing any unnecessary monkeying with the partition table. Is a
byte-by-byte compare of the partition table bootstrap code with a
known good copy an effective means of doing this?
I thank you all in advance for any assistance.
--
===/| Glenn Forbes Larratt | CRC OCIS | "So, what do we need?" |/
==/| [email protected] (Internet) | Rice University | "To get laid!" |/=
=/| GLRATT@RICEVM2 (Bitnet) |=================| "Can we get that |/==
/| The Lab Ratt (not briggs :-) | Neil Talian? | at the 7-11?" |/===
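Question 3 above asks whether a byte-by-byte compare of the partition table bootstrap code against a known-good copy is a useful check. The following is an added example (editor's code, not the in-house "widget" the post describes) showing how that compare is done in a way that separates the parts of the sector that should be identical across machines from the parts that legitimately differ. The layout is real: a master boot record is 512 bytes, bytes 0-445 hold bootstrap code, bytes 446-509 hold four 16-byte partition entries, and bytes 510-511 hold the signature 55h AAh. Both sector images here are constructed in memory and labelled as such; nothing is read from a disk. The check is only as good as the read that feeds it: if the sector is fetched through a disk interrupt that a resident infector controls, the compare sees whatever that code chooses to show, which is why the post's cold boot from a known-clean floppy matters.

```c
/* Added example, not the post's own widget: parse a 512-byte master boot
 * record (MBR), compare only its bootstrap code against a known-good copy,
 * and decode the partition entries separately. Layout: bytes 0-445 code,
 * 446-509 four 16-byte partition entries, 510-511 signature 55h AAh.
 * Both MBR images are constructed in memory; no disk is touched. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE       512
#define MBR_CODE_LEN   446
#define MBR_PART_OFF   446
#define MBR_PART_COUNT 4

typedef struct {
    uint8_t  boot_flag;   /* 80h = active (bootable) */
    uint8_t  type;        /* partition type id, 0 = entry unused */
    uint32_t lba_start;   /* first sector, little-endian in the entry */
    uint32_t sectors;     /* length in sectors */
} mbr_partition;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int mbr_signature_ok(const uint8_t *mbr) {
    return mbr[510] == 0x55 && mbr[511] == 0xAA;
}

/* Decode entry i (0..3). The CHS fields at bytes 1-3 and 5-7 of the entry
 * are skipped here; the LBA fields are what the compare cares about.
 * Returns 1 if the entry is in use, 0 if it is empty. */
int mbr_get_partition(const uint8_t *mbr, int i, mbr_partition *out) {
    const uint8_t *e = mbr + MBR_PART_OFF + 16 * i;
    out->boot_flag = e[0];
    out->type      = e[4];
    out->lba_start = le32(e + 8);
    out->sectors   = le32(e + 12);
    return out->type != 0;
}

/* Byte-by-byte compare of the bootstrap code region only. The partition
 * entries are excluded because they differ between machines even when the
 * code is identical. Returns -1 if either image lacks the 55AA signature,
 * the offset of the first differing byte, or MBR_CODE_LEN if all match. */
int mbr_compare_bootstrap(const uint8_t *mbr, const uint8_t *known_good) {
    if (!mbr_signature_ok(mbr) || !mbr_signature_ok(known_good)) return -1;
    for (int i = 0; i < MBR_CODE_LEN; i++)
        if (mbr[i] != known_good[i]) return i;
    return MBR_CODE_LEN;
}

/* Constructed MBR image: deterministic filler as "bootstrap code", one
 * active FAT16 primary partition, valid signature. Not a real boot sector. */
void mbr_build_constructed(uint8_t *mbr) {
    memset(mbr, 0, MBR_SIZE);
    for (int i = 0; i < MBR_CODE_LEN; i++) mbr[i] = (uint8_t)(i * 7 + 3);
    uint8_t *e = mbr + MBR_PART_OFF;
    e[0] = 0x80;                                /* active */
    e[4] = 0x06;                                /* FAT16 type id */
    e[8] = 0x3F;                                /* lba_start = 63 */
    e[12] = 0x00; e[13] = 0xF4; e[14] = 0x01;   /* sectors = 0x01F400 = 128000 */
    mbr[510] = 0x55; mbr[511] = 0xAA;
}

int main(void) {
    uint8_t known_good[MBR_SIZE], seen[MBR_SIZE];
    mbr_partition p;

    mbr_build_constructed(known_good);
    memcpy(seen, known_good, MBR_SIZE);
    seen[5] ^= 0xFF;                  /* constructed change inside the code area */

    int r = mbr_compare_bootstrap(seen, known_good);
    if (r < 0)                 printf("bad signature, sector not a valid MBR\n");
    else if (r < MBR_CODE_LEN) printf("bootstrap code differs at byte %d\n", r);
    else                       printf("bootstrap code matches known-good copy\n");

    for (int i = 0; i < MBR_PART_COUNT; i++)
        if (mbr_get_partition(seen, i, &p))
            printf("entry %d: type %02Xh %s start=%lu sectors=%lu\n", i, p.type,
                   p.boot_flag == 0x80 ? "active" : "      ",
                   (unsigned long)p.lba_start, (unsigned long)p.sectors);
    return r == MBR_CODE_LEN ? 0 : 1;
}
```

Reporting the first differing offset rather than a plain yes/no makes a mismatch easier to triage: a change confined to the first few bytes looks different from a whole-sector replacement, and a signature failure is flagged before any byte compare is trusted.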
------------------------------
Date: 18 Jul 91 16:23:15 +0000
From: peersen%[email protected]
Subject: Help! I'm STONED (PC)
I have run into a PC which ended up "Stoned" when booted off a
floppy, and a quick look at comp.virus seemed to indicate that this is
potentially not good!
So, not being up to date on the PC anti-virus stuff out there, how
should I deal with this? A few posts hinted at virX, but where do I find
it? Or is there something better to use?
Any help would be appreciated. Replies can go to comp.virus
or by E-mail to "peersen%[email protected]" (ignore the DECNET reply
address).
Thanks in advance
Olve Peersen
------------------------------
Date: Thu, 18 Jul 91 14:42:08 -0500
From: BJ Watts <[email protected]>
Subject: F-PROT configuration question (PC)
Hello,
We are currently in the process of obtaining F-PROT for our 100 PCs
in the Business Computer Lab at The University of Alabama. We are
also using the Novell 3.1 NetWare. Our workstation's C drives are
write-protected, so our users can only infect the memory, their own
floppies, and the D drive which is used as a temporary drive. We do
however have a couple of workstations for the uses of the consultants
in which the hard drives are not write-protected. My question - Do we
need to use the F-DRIVER.SYS? The only people who can infect the
network are those who have access to places on the server other than
their own personal directory. These are only the consultants, and we
are aware about scanning anything before we download or use a floppy.
Any comments would be appreciated.
BJ Watts
[email protected]
 ________________________________________ ____________________________
:                                        :                            :
: BJ Watts                               : Marriage is a wonderful    :
: BITNET: [email protected]               : institution, but who       :
: INTERNET: [email protected]             : wants to live in an        :
: The University of Alabama              : institution?               :
:________________________________________:____________________________:
------------------------------
Date: Tue, 16 Jul 91 10:11:00 +1200
From: PAT ROSSITER <[email protected]>
Subject: SECURE.COM (PC)
There has been some discussion in comp.sys.novell about a new "virus"
called SECURE.COM which opens up and damages netware binderies.
No-one has seen it themselves yet, everyone has heard about it, so it
may be another "urban legend". It is likely that if it does exist
someone in this group will have heard of it, or be CERTAIN that it
does not exist.
If you have information on SECURE.COM, please post something to
comp.sys.novell.
[Ed. Rumors of this program have been floating around for several
years; to my knowledge, the rumors have never been substantiated.
Unless someone can cite some specifics, I suggest that we treat this
as merely another unfounded rumor.]
Thanks
Pat Rossiter
[email protected]
------------------------------
Date: Fri, 19 Jul 91 11:20:25 -0400
From: lwv27%[email protected] (Larry W. Virden ext. 2487)
Subject: Norton AntiVirus question (PC)
I am a novice at MS-DOS environment, and have been asked to install
and evaluate the Norton AntiVirus software. I would be interested in
finding out any tips, pointers, warnings, etc. concerning this package.
Is there a mailing list for customers, or online services thru
Compuserve, etc.? I am looking for any and all sources of assistance
in this endeavor.
My goal is to test this software on the various types of IBM PC type
machines available in house and to evaluate the package's worthwhileness.
--
Larry W. Virden UUCP: osu-cis!chemabs!lwv27
Same Mbox: BITNET: lwv27@cas INET: lwv27%[email protected]
Personal: 674 Falls Place, Reynoldsburg,OH 43068-1614
America Online: lvirden
------------------------------
Date: Fri, 19 Jul 91 12:45:27 -0700
From: [email protected]
Subject: re: multiple compressions
>From: Dmitri Schoeman <[email protected]>
I would like to say that multiple compressions are possible for
someone who desires to do so. It took me approximately 30 seconds to
successfully accomplish a compression with both pklite and lzexe on a
program I had just written. The method is a trivial method, which
involves no modification of any of the programs and, as I said, can be
accomplished in less than 30 seconds.
-=-=-=-=
It may be worthwhile to mention what version of each you are using, Dmitri.
It occurs to me that this would make a difference. Also, please indicate in
what order this was accomplished. For some reason, in the versions I was
running I was unable to do what you suggest, in any order...
------------------------------
Date: Fri, 19 Jul 91 21:22:39 -0400
From: "Jack a.k.a. Wildside" <[email protected]>
Subject: Questions - list of viruses, writing a scanner
This may seem like a totally rehashed question, but please bear with
me. I have been on this list some time now, and feel that I have
enough of a grasp of viri (virii?) to try and write my own version of
a detector/ fixer for virii.
Question 1: I know that there is a list, accessible by ftp, that
specifies a lot of the PC viruses, ways to detect them, and ways to
fix the data that has been corrupted. Can someone please give me a
pointer to this?
Question 2: From all of the experienced writers out there, any hints
on what is the best approach to writing a scanner/detector/fixer?
There have been a lot of views expressed in this list and they vary
widely.
Any help on this would be very greatly appreciated.
A budding virus scanner writer (fingers crossed),
Jack a.k.a. Wildside
------------------------------
Date: 20 Jul 91 18:12:00 +0000
From: prbrig01%[email protected]
Subject: DOS virus attack (PC)
Please be alerted...
A virus has appeared in Detroit for DOS. The virus changes files to
hidden type and adds characters to file names.
The standard DOS scan programs are not effective for this virus.
First infection was found on July 20, original infection occurred
within the previous 3 days.
As always
Ed Wright
------------------------------
Date: Sat, 20 Jul 91 18:19:00 -0400
From: [email protected]
Subject: The smiling face (PC)
I had a bug. The little animal locks up the keyboard and puts the
blinking smiling face character on the bottom left hand corner of the
screen.
It showed up once during a pcshell session. I had to reboot. I have
checked the drives with vpscan V1.10 and TnTVIRUS 6.80a; nothing
doing. I guess I killed the animal before it got onto the hard drive,
but I have to go through all my disks and find the carrier. While I'm
doing that, does anyone know what this beast might be???
Colin St Rose
Provcs@ccnyvme
A wise man/woman knows what he/she does not know.
Direct mail will be fine thank you.
------------------------------
Date: Mon, 22 Jul 91 15:00:17 +0000
From: [email protected] (Jan B. Andersen)
Subject: Re: Inaccuracies in Press on Viruses
[email protected] (Robert McClenon) writes:
>[from] The Washington Post, [...]
>>Phone system experts have suggested that a virus might explain
>>why the failures have been occurring within days of each other
>>and at the same time of day.
>It was possible as of the date of this article (but unlikely) that
>the phone system failures were caused by a time bomb, but if so, it
>was planted as a Trojan
Not if we're talking of the same incident. The company that develops
the software in the switches has admitted the bug was introduced as
part of an upgrade. But, because it was such a minor upgrade, the
software had not been tested as rigorously as it should have been. See
comp.risks (or was it comp.dcom.telecom) for more details.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 128]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253