VIRUS-L Digest Monday, 12 Aug 1991 Volume 4 : Issue 138
Today's Topics:
re: Reply to Virus Bulletin
Re: Floppy Door Close TSR? (PC)
Need info on 1575/1591 virus. (PC)
Re: Infects on ANY access?
Viral operations in brief
Jerusalem Virus (PC)
Re: Infects on ANY access?
Re: Proposal for standard virus signatures notation
Proposal for virus signature notation.
Boot Sector and Terminology (PC)
Viruses in IO.SYS (PC)
Uploads to risc.ua.edu (PC)
computer virus classifications
Code Execution Simulator?
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 05 Aug 91 21:10:40 +0100
>From:
[email protected]
Subject: re: Reply to Virus Bulletin
For you chaps across the pond who haven't seen the August Virus
Bulletin yet, a couple of quick notes:
1. Particularly for those who follow virus-l but don't get VB; Dave Chess's
public letter (virus-l4 i126) leads the letters page, accompanied by
editorial apologies.
2. And for those of you do get VB; my copy is fine but I have heard of
one subscriber who had blank pages in his copy, so check with the
publishers if you have a problem.
This was a public informaton broadcast.
Ta ta for now, Anthony Naggs.
------------------------------
Date: Tue, 06 Aug 91 11:11:00 +1200
>From: "Mark Aitchison, U of Canty; Physics" <
[email protected]>
Subject: Re: Floppy Door Close TSR? (PC)
[email protected] (Jesse Chisholm AAC-RjesseD) writes:
> Folks:
> Is there a TSR program available that scans a floppy whenever
> the floppy door closes? Is it even possible to write one? Are any of
> you all working on one (McAfee, Padgett, ...)?
This came up a while ago; basically the answer is that scanning when
the door of the floppy disk drive closes (or a diskette is inserted)
is sometimes possible but inefficient. A better method is to scan when
DOS itself scanns the boot sector (it has code to work out if there is
any chance the diskette has been changed, and uses the change-detect
line if it is there). Such a TSR can be very effective in spotting
viruses before they do any harm to your system, and a good one (in
terms of what it catches, how few "false alarms" it gives, and the
miniscule RAM it uses), is SCANBOOT, available by anonymous ftp from
cantva.canterbury.ac.nz [132.181.30.3], and should be coming out of
comp.binaries.ibm.pc soon.
MArk. Aitchison.
------------------------------
Date: 06 Aug 91 03:12:48 +0000
>From:
[email protected] (daniel t wesolowski)
Subject: Need info on 1575/1591 virus. (PC)
Hello,
A laptop that had come from Canada was thought to have a virus. A few
different virus checkers were used to test the laptop and nothing was
found. A few weeks later the virus came alive. We did destroy the
virus, but it did corrupt some programs before its death. Can this
virus fake out the virus checkers or do we have a nasty floppy disk
floating around the property? Any info/history on the 1575/1591 virus
would be most welcome.
-
-------------------------------------------------------------------------------
Dan Wesolowski
[email protected]
[email protected]
-
-------------------------------------------------------------------------------
------------------------------
Date: Tue, 06 Aug 91 09:36:22 +0300
>From: Tapio Keih{nen <
[email protected]>
Subject: Re: Infects on ANY access?
(quote from Price Waterhouse's book)
>Re the boot sector virus "Search" = "Den Zuk" = "Venezuelan".
>DESCRIPTION: "It infects through ANY ACCESS TO host diskette. ....."
>
>Now it may be just my understanding and usage of english words, but have I
>really missed something about how DIR accesses a floppy disk?
If Den Zuk is resident in memory, and user does DIR on clean,
non-write protected diskette, the virus will infect the disk. But you
can't get Den Zuk in memory any other way than booting from infected
disk. This same thing applies to most boot sector viruses, too.
BTW, there's a mistake in Price Waterhouse's Computer Virus Handbook
under Search (=Den Zuk) entry. It says that Den Zuk survives a warm
re-boot, which it can't do. When user presses CTRL-ALT-DEL, the virus
draws red "DEN ZUKO" text on screen and boots the computer then. But
it won't stay in memory.
- --
Tapio Keih{nen |
[email protected] | DIO COMES - ARE YOU READY TO ROCK?
Disclaimer: This posting has nothing to do with nic.funet.fi archive server.
------------------------------
Date: Tue, 06 Aug 91 10:48:38 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Viral operations in brief
>From:
[email protected] (Rob Slade)
>Although the "original" definition of computer viral programs
>refers to reproduction by attaching to other programs, viri that
>act in this manner having been less successful than those that
>use other means.
This is something that keeps going back & forth. Certainly at the
moment, the STONED seems have a lead over the JERUSALEM but this
is a far cry from being a statistic. Most of what I have been
doing lately has been cleaning J-B and Sunday off of LANs.
Certainly there are far more "crude" file infectors than boot
infectors since they are much easier to write. It may just be
that the difficulty of writing a BSI makes for more "stillbirths"
and those that do survive "in the wild" tend do spread further.
As a consequence, the "average" BSI tends to be more successful
than the "average" file infector and they have received a boost
lately though distribution on manufacturers disks, a trend which
I hope should soon be curtailed.
>Examples in the Mac realm are not as clear, but the WDEF virus
>could be said to be a type of boot sector infector, as the WDEF
>resource is one that is run automatically as soon as any Mac
>disk is inserted, although this has changed under System 7.)
Tend to disagree: BSIs run before DOS loads and only once per
boot while the WDEF resource is a part of the OS as demonstrated
by the System 7 exclusion, and is invoked often. A better analogy
would be the Lehigh which goes exclusively after COMMAND.COM and
I doubt that anyone will disagree that this is a file infector.
>In larger systems, mini and mainframe computers, network and
>mail viral programs have, so far, had the greatest impact.
This problem is quickly spreading to the micro arena. In recent
months I have had occasion to clean several LANs including one of
500 clients and another having 2000+ clients. The techniques
developed to disinfect individual PCs (quarantine and clean) are
costly, often ineffective, and are not the One True Solution.
Other techniques that we have discussed in this forum that
involve authentication of the health of a client before
permitting access to the server are IMHO a more elegant
procedure.
>The last payload, or function, which a viral program may carry,
>is some kind of intelligence to enable it to evade detection.
>So far the various kinds of evasive action; self-modification,
>multiple encryption and "stealth" activity; have not proven to
>have any advantageous "survival" characteristics. In one sense,
>this is to be regretted, as it demonstrates that the majority of
>computer users are not taking the most elementary precautions to
>defend against viral programs.
Depends on your point of view. The Pakistani BRAIN is still
providing a significant number of infections and was the first
"stealth" virus. I suspect that the failure to spread far of most
is because most of the "stealth" seen so far is easy to detect in
memory (most just with CHKDSK) and as implemented causes other
problems by lying to the operating system. e.g. lost clusters and
cross-linked files.
On the whole, I agree with most of Mr. Slade's observations,
however I suspect that the next great threat is going to be to
the LANs via file infectors and unless steps are taken
immediately to protect them, serious disruptions are going to
result. Fortunately, there are solutions, and not particularly
expensive ones, either in cost or reduced performance, just they
are different.
Padgett
"A virus does nothing a computer cannot do which makes detection
difficult. However they do things a computer should not do and
this is detectable".
------------------------------
Date: 06 Aug 91 18:34:42 +0000
>From:
[email protected] (Joseph Mocker)
Subject: Jerusalem Virus (PC)
Hi all,
Got a fairly simple question. Does anyone have any information on what
the Jerusalem version B virus can do? Does anyone know where I can
find out anything about this virus?
Thanks...Joe
- --
- ------------------------------------------------------------------------------
Joe Mocker//USAC//PC-NFS Support ::
[email protected] :: Sun Microsystems Inc.
:: there's still lofty dreams :: meager desires :: still sillyness ::
------------------------------
Date: 06 Aug 91 21:40:59 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: Infects on ANY access?
[email protected] writes:
>DESCRIPTION: "It infects through ANY ACCESS TO host diskette. ....."
>
>Now it may be just my understanding and usage of english words, but have I
>really missed something about how DIR accesses a floppy disk?
The author probably meant that if the computer is infected, the virus
will infect any diskette which is accessed, not that an infected
diskette could infect the computer regardless of how it was accessed.
- -frisk
------------------------------
Date: Tue, 06 Aug 91 20:38:32 +0000
>From:
[email protected] (Peter da Silva)
Subject: Re: Proposal for standard virus signatures notation
[email protected] (Mark Aitchison, U of Canty; Physics) writes:
> Comments on my comments are welcome, of course.
Well, my only comment is about your comments... :->
Speaking as one who has written lots of dumb little programs to parse
various data files over the years, I do have one suggestion...
> # This is an imaginary signature file, by
[email protected]; 05-aug-91
> #05BXP7B.E1R, "Stoned (variant 7a)", "PORTUGESE STONED"
> @00:00@017B:B40206CD130914
I would recommand, for parsing simplicity, that comments and data be
syntactically distinct. For example, anything after "//" is a comment...
// This is an imaginary signature file...
#05BXP7B.E1R, "Stoned (variant 7a)", "PORTUGUESE STONED"
@00:00@017B:B40206CD130914
#0TEEGYB.RB0, "Not harmful, MS-DOS 3.3 immunised by V-Basher 1.2"
17675A6C34D0@007E:17FFFF000023
#X587BG6.37Z-1280, "Dim Revenger virus"
19A6????53CD21ABBADABBAD00 // random in-line comment.
##IF OS=OS/2
- - -147:AC??55C9129B // for code segments >64K
##ENDIF
It adds a minor bit of complexity to Really Dumb Parsers. It might be
better to do something like this:
# This is an imaginary signature file...
#!05BXP7B.E1R, "Stoned (variant 7a)", "PORTUGUESE STONED"
@00:00@017B:B40206CD130914
#!0TEEGYB.RB0, "Not harmful, MS-DOS 3.3 immunised by V-Basher 1.2"
17675A6C34D0@007E:17FFFF000023
#!X587BG6.37Z-1280, "Dim Revenger virus"
19A6????53CD21ABBADABBAD00 # random in-line comment.
##IF OS=OS/2
- - -147:AC??55C9129B # for code segments >64K
##ENDIF
Again, Really Dumb Programs simply strip out anything after #. But now
smart programs look at the following character to see how to interpret
that line. ! is a code string, # is a directive, space is just a comment,
and so on.
- --
Peter da Silva; Ferranti International Controls Corporation; +1 713 274 5180;
Sugar Land, TX 77487-5012; `-_-' "Have you hugged your wolf, today?"
------------------------------
Date: Wed, 07 Aug 91 10:58:08 +0700
>From: "Jan R. Terpstra" <
[email protected]>
Subject: Proposal for virus signature notation.
I have received several comments on the proposal. First let my clarify
the thoughts behind the proposal.
It was ONLY intended to achieve a standard notation method for virus
SIGNATURES and not a proposal for file formats, naming conventions and
other things. With a standard notation, it is very easy to check if
the signature you have just extracted from a new virus specimen does
not already duplicate the scan string in someone lese's virus report.
Comparing virus signatures from different sources if quite cumbersome
at this time, due to the many different ways people write up their
scan patterns. his usually forces you to do the analysis all over, and
then find out you already had all the info in an entirely different
format.
Also, I have has several suggestions to employ existing techniques
like Regular Expressions commonly used on Unix systems. While that is
a widely used notation, I think the use of regular expressions may
complicate the matter or make the notation too flexible and thus error
prone.
I realize that the proposal I wrote up isn't the only way, nor is it
the best way. But it is simple, straightforward, easy to implement in
just about any scanner program and doesn't rely on obscure algorithms.
Nor is the proposal a "law" telling every anti-virus program must use
this method. Whatever the internal workings of an anti-virus product
are, is up to the author. However, if the product allows the use of
externally supplied data, using a common format for the virus
signatures will prevent the double, triple or quadruple efforts of
converting virus signature data to the different formats used by
various anti-virus products. And that will free up time to do more
useful things.
The main line is that the info published on detecting viruses should
be usable by as many inti-virus programs possible, without the need to
convert the info.
Jan R. Terpstra
Usual disclaimers implied.
------------------------------
Date: 07 Aug 91 08:26:47 -0400
>From: "Robert McClenon" <
[email protected]>
Subject: Boot Sector and Terminology (PC)
Rob Slade notes that viruses are traditionally defined as
fragments of malicious code which attach themselves to programs. He
notes however that the most successful viruses have not satisfied this
definition because they have been boot sector infectors on the PC
family or start-up resource infectors on the Macintosh.
One can retain the original definition of viruses while
recognizing Stoned and WDEF as viruses if one defines "program"
expansively. The boot record is a special-purpose program, as is any
resource contained in the Desktop file. All viruses attach themselves
to programs. Special-purpose program infectors have been even more
prolific than application program infectors.
Robert McClenon
Neither my employer nor anyone else paid me to say this.
------------------------------
Date: 07 Aug 91 08:26:01 -0400
>From: "Robert McClenon" <
[email protected]>
Subject: Viruses in IO.SYS (PC)
The question is asked by Willi Grueber in Virus-L 4.133 whether
IO.SYS can be infected by viruses, and whether any checker exists for
such viruses. I assume that it is at least theoretically possible for
viruses to infect IO.SYS, although I have not heard of any virus which
infects it. At least one anti- viral package, Virex-PC, can be
configured to protect IO.SYS, either by verifying its checksum at
startup or by intercepting suspicious writes to IO.SYS or both. I
have it set up to do both. Other anti-viral packages should also be
capable of protecting IO.SYS unless they are limited to files with
certain extensions. However, even a checker which is limited to
certain executable extensions should be able to check *.SYS files,
because some Bulgarian viruses will infect installable device drivers
of type *.SYS.
There is a risk that IO.SYS viruses can be written. However, it
is a risk that can be anticipated and contained with a little
foresight.
Robert McClenon
Neither my employer nor anyone else paid me to say this.
------------------------------
Date: Wed, 07 Aug 91 08:52:00 -0500
>From: James Ford <
[email protected]>
Subject: Uploads to risc.ua.edu (PC)
The following files have been uploaded to risc.ua.edu (130.160.4.7) in
the directory pub/ibm-antivirus:
vsumx107.zip - Virus Summary Listing
vc300ega.zip - Virus Central (ega version)
vc300lte.zip - Virus Central (LITE version)
The directory pub/00uploads is now available for people who wish to upload
files to risc.ua.edu. Mail must be sent to JFORD informing me of your
your upload.
Below is a listing of files available in pub/ibm-antivirus (list is available
as the file "0files.9108". If you see something that is out of date, please
let me know.
- ----------
Absence makes the heart go wander.
- ----------
James Ford -
[email protected],
[email protected]
The University of Alabama (in Tuscaloosa, Alabama)
- ---------------- file listing of pub/ibm-antivirus on risc.ua.edu ----------
0REVIEWS/ htscan12.zip unvir902.zip vc300lte.zip vstop54.zip
0files.9107 innoc5.zip uu-help.text vcheck11.zip vsum9105.txt
0files.9108 m-disk.zip uudecode.bas vdetect.zip vsumx107.zip
INDEX.291 navupd01.zip uudecode.pas virpres.zip vtac48.zip
MsDosVir.291 netscn80.zip uuencode.pas virsimul.zip wp-hdisk.zip
MsDosVir.690 pcv4.zip uxencode.pas virstop.zip xxdecode.bas
MsDosVir.790 pkz110eu.exe vacbrain.zip virusck.zip xxdecode.c
avs_e224.zip scanv80.zip vaccine.zip virusgrd.zip xxencode.c
bbug.zip secur222.zip vaccinea.zip virx16.zip xxencode.cms
clean80.zip sentry02.zip validat3.zip vkill10.zip zzap54a.zip
fprot116.zip tbresc12.zip validate.crc vshell10.zip
fshld15.zip trapdisk.zip vc300ega.zip vshld80b.zip
------------------------------
Date: Wed, 07 Aug 91 14:56:16 +0000
>From:
[email protected] (Igor Smirnov)
Subject: computer virus classifications
Dear colleagues:
I'm system programmer. I'm interested in a computer viruses problem.
Help me please: What is the PLO viruses? I've read about that in
Computers&Security.
I've some ideas for computer virus classification and methods of
anti-virus adaptation. I would like to know about your interests
in this fields.
Thank you.
Sincerely, Maxim Titov,
leading engineer of
International Centre on Informatics & Electronics
(Moscow, SU)
Return adress: E-mail:
[email protected],su
phone: +7 095 252 0688
------------------------------
Date: Wed, 07 Aug 91 18:24:33 +0000
>From:
[email protected] (Daniel J Karnes)
Subject: Code Execution Simulator?
Working with a new 'virus scanner' program named CES (Code Execution
Simulator) which appears to be an enhanced 'algorithmic' type of
scanner.
The thing is catching 99% of the hundred or so viruses I have tested
against so far with only a few false positives.
Does anyone else have any experience with this thing that they might
like to share?
The distribution file that I have is CES_402.ZIP if anyone happens to
be interested.
- -djk
- -----------------------------------------------------------------
Daniel J. Karnes - WA6NDT | Do I know UNIX?
[email protected] |
POB 7007 | - well.. I've met a few..
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 138]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
