VIRUS-L Digest Monday, 12 Aug 1991 Volume 4 : Issue 140
Today's Topics:
Virus Implants in DoD Weapons
New DOS and old virus checkers? (PC)
Infects on ANY access?
re: Can such a virus be written... (PC) (Amiga)
Virus article in Byte (PC)
infected files with nonstandard extension (PC)
copyright of infected files
Virus Bulletin search strings (PC)
Re: Self-scanning executables (PC)
Problem cleaning "LIBERTY" virus? (PC)
Re: Brunnstein (CARO) virus catalog files
TRACER (PC)
Proposal for standard virus signatures notation
Stoned at EPO (PC)
New Anti-Virus Consortium Announced
System calls
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 07 Aug 91 20:28:57 +0000
From: [email protected] (David Risler)
Subject: Virus Implants in DoD Weapons
From the August 1991 "Armed Forces Journal International":
"A draft Pentagon directive that called for implanting a computer
"virus" or software disabling mechanism in every major new US weapon
system - one that could be remotely triggered if the weapon fell into
enemy hands - was under consideration last December at a high DoD
level, a knowledgeable source told AFJI recently...If that is the
case, the device is more likely to function as a variable duration
"enabler"...rather than a disabler that could be remotely activated to
prevent a weapon from being used. In all likelihood, no decision
regarding implanting either kind of device in advanced weapons will
come before the DARPA provides an assessment to Congress of how best
to handle the issue. That report is expected on Capitol Hill by
August."
The article goes on to say that this would be great for weapons
exports and that EEPROMS could carry such "Trojan Horses" that could
be activated using electrical signals.
Hmmmmmm. Comments?
------------------------------
Date: 08 Aug 91 01:08:42 +0000
From: [email protected]
Subject: New DOS and old virus checkers? (PC)
Is there any reason to worry about problems using some of the standard
antivirus programs (e.g. Scan/Clean, or F-Prot) that have been out for
a while on systems using MS-DOS 5?
To put it another way:
can one safely upgrade to DOS 5, reformat the hard disk to one big
partition, re-install the virus checkers being used before, and still
enjoy the same levels of protection?
(I've noted the earlier suggestions in this group about putting F-driver.sys
the last thing in config.sys. Any other tricks to know about?)
------------------------------
Date: Wed, 07 Aug 91 11:09:56 -0700
From: [email protected] (Rob Slade)
Subject: Infects on ANY access?
[email protected] writes:
> Re the boot sector virus "Search" = "Den Zuk" = "Venezuelan".
> DESCRIPTION: "It infects through ANY ACCESS TO host diskette. ....."
It might be helpful to have more of the reference, but I suspect what
they intended to say was that an infected system (ie. the virus is active
in memory) will infect a diskette that is accessed in any way.
And why on earth are you trying to get virus info out of the print media?
:-)
=============
Vancouver Institute for Research into User Security
[email protected] | [email protected] (SUZY)
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security
------------------------------
Date: Wed, 07 Aug 91 22:43:56 -0400
From: [email protected]
Subject: re: Can such a virus be written... (PC) (Amiga)
[email protected] (Brett Simcock) writes:
> Original to: acdfinn
> AA > heard that
> AA > Kickstart 2.0 has most AmigaDos commands in ROM (the ROMs
> AA > are shipping
> AA > now) but I'm not sure. That would be great from the virus
> AA > perspective...
>
> As far as I know all the AmigaDOS commands are in ROM.
>
> ---
> * Origin: S.A. CENTRAL BBS, Serving South Australia Better! (3:681/859)
Sorry, but the previous author was more correct than yourself.
In AmigaDOS, the shell scripting commands and some of the utilities have
been moved into ROM, but the core utilities remain on disk, so people can use
their own preferred implementations.
Besides, the 2.0x "ROMs," so far, are released as Kickstart disks to be
loaded into memory. Chip releases of 2.04 are not yet available.
Rachel K. McGregor :
[email protected] : {tredysvr,uunet}!cellar!rogue
------------------------------
Date: Thu, 08 Aug 91 21:10:03 +0000
From: Fridrik Skulason <[email protected]>
Subject: Virus article in Byte (PC)
Byte (August '91) just arrived on my desk, and I read the virus
article with considerable interest. It was obvious that the authors
are not experts in the area of computer viruses, but there were not
too many serious errors in the article. The worst was regarding their
selection of viruses. They wrote:
"we ran tests using eight of the most pervasive and destructive
viruses in circulation."
If that had only been true....
The viruses they used were:
"1701/1704" (Cascade) - Common, but not very destructive.
"Izrael" (Jerusalem) - Common, and a bit destructive.
"Musician" (probably Oropax) - Rare, and not destructive at all.
"Vienna" - fairly common, and somewhat destructive.
"W13 A/B" and "Jocker" - They must be joking...."the most pervasive
and destructive viruses in existence" ????
I think Jocker has only been reported once, and it took a long time to
get it to work - in fact, many researchers were not convinced that it was
a virus, until David Chess figured out that the original sample had to be
renamed to WABIKEXE.EXE to get it to infect anything at all.
No stealth viruses, no boot sector viruses, only a few old viruses, which
are certainly not typical of the threats today.
No, a better description of their viruses would have been:
"we ran tests using eight fairly harmless two year old viruses, half
of which are practically unknown in the wild."
-frisk
------------------------------
Date: 07 Aug 91 21:56:30 +0000
From: [email protected] (Warren Burstein)
Subject: infected files with nonstandard extension (PC)
I had a recurring Sunday infection. I couldn't figure out how Sunday
could be hiding, it turned out that it had latched onto files that did
not end in .COM or .EXE. (Sunday, at least the version that only
triggers on day-of-week == 7) it turns out, was just lucky, it
assumes that if the file doesn't end with M it's an EXE.
So some other program or programs must be execing these files
directly. The files are pw.prg (part of Perfect Writer, I guess), and
scomlv3.cmd and scom2v3.cmd (from SmartComm ?).
How common is this? Should a virus scanner scan all files regardless
of extension against the chance that they might be executed by some
other program?
[Yes, of course they should have been running a TSR.]
--
/|/-\/-\ The entire world Jerusalem
|__/__/_/ is a very strange carrot
|warren@ But the farmer
/ worlds.COM is not worried at all.
------------------------------
Date: 07 Aug 91 22:25:14 +0000
From: [email protected] (Warren Burstein)
Subject: copyright of infected files
It occurred to me that anyone who deals with viruses must of course
have a collection of infected files for comparison, disassembly, and
testing of anti-viral methods. It would not be surprising for such
people to thereby acquire lots of copies of software that they don't
have licenses for (and what if the virus has a copyright, too :-) ?).
Not that they ever intend to use the software for its intended
purpose, but might the manufacturers get upset anyway?
--
/|/-\/-\ The entire world Jerusalem
|__/__/_/ is a very strange carrot
|warren@ But the farmer
/ worlds.COM is not worried at all.
------------------------------
Date: 08 Aug 91 13:37:47 +0000
From: [email protected] (Warren Burstein)
Subject: Virus Bulletin search strings (PC)
The sunday virus has two entry points, one for a COM file (0 jumps
to 95), one for an EXE file (at C4). It happens that the search
string in the Virus Bulletin starts at the COM entry point, which
means that if you were scanning starting at the entry point of
an infected EXE file, you would not find it.
This is the version of Sunday that never triggers because it
waits until day-of-week is 7.
--
/|/-\/-\ The entire world Jerusalem
|__/__/_/ is a very strange carrot
|warren@ But the farmer
/ worlds.COM is not worried at all.
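The two points Warren Burstein raises, that a virus can sit in files whose extension is not .COM or .EXE, and that a search string taken at the COM entry point will not be found at the EXE entry point, both come down to how a scanner picks what to scan and where it looks. The block below is an added illustration, not code from either post or from any scanner the digest mentions. It classifies files by their content (an MZ header) rather than by name, computes the entry point of a COM-style or MZ-style image, and checks a search string both at that entry point and anywhere in the file. All files are constructed in memory, SIGNATURE is an arbitrary placeholder pattern rather than a real search string, and the entry-point offsets of the samples (a jump to offset 19, an EXE entry 0xC4 bytes into the appended code) are chosen to mimic the layout described, not taken from the actual Sunday virus.

```python
"""Added example (not from the VIRUS-L posts above): content-based executable
detection and entry-point-aware search-string scanning.

All sample files are constructed; SIGNATURE is a placeholder byte pattern.
"""
import struct

# Placeholder standing in for a published search string (constructed).
SIGNATURE = bytes.fromhex("b8 00 4c cd 21")


def file_kind(data: bytes) -> str:
    """Classify by content: an 'MZ' (or 'ZM') header means EXE, anything else
    is treated as a COM-style flat image.  The file name is ignored on purpose."""
    if len(data) >= 2 and data[:2] in (b"MZ", b"ZM"):
        return "exe"
    return "com"


def entry_offset(data: bytes) -> int:
    """File offset of the first instruction DOS would execute."""
    if file_kind(data) == "exe":
        # MZ header (little-endian words): header size in 16-byte paragraphs at
        # 0x08, initial IP at 0x14, initial CS (relative to load segment) at 0x16.
        (hdr_paras,) = struct.unpack_from("<H", data, 0x08)
        ip, cs = struct.unpack_from("<HH", data, 0x14)
        return hdr_paras * 16 + cs * 16 + ip
    # A COM image starts executing at its first byte.  Infected COM files often
    # begin with a jump into the appended code, so follow one JMP rel16/rel8.
    if data[:1] == b"\xe9" and len(data) >= 3:
        (rel,) = struct.unpack_from("<h", data, 1)
        return (3 + rel) & 0xFFFF
    if data[:1] == b"\xeb" and len(data) >= 2:
        (rel,) = struct.unpack_from("<b", data, 1)
        return (2 + rel) & 0xFFFF
    return 0


def scan(data: bytes, sig: bytes = SIGNATURE) -> dict:
    """Look for sig at the entry point only, and anywhere in the file."""
    entry = entry_offset(data)
    return {
        "kind": file_kind(data),
        "entry": entry,
        "at_entry": data[entry:entry + len(sig)] == sig,
        "anywhere": data.find(sig) != -1,
    }


def make_mz(body: bytes, ip: int, cs: int = 0) -> bytes:
    """Build a minimal 32-byte MZ header in front of body (constructed sample)."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)        # header = 2 paragraphs = 32 bytes
    struct.pack_into("<HH", hdr, 0x14, ip, cs)  # initial IP, initial CS
    return bytes(hdr) + body


# Constructed samples.  The COM image jumps over 16 NOPs straight to the
# pattern.  The EXE image mimics the layout described in the post: the pattern
# sits at the start of the appended code (the COM entry point) while the EXE
# entry point lies 0xC4 bytes further in.
SAMPLE_COM = b"\xe9\x10\x00" + b"\x90" * 16 + SIGNATURE + b"\xc3"
_body = bytearray(0x100)
_body[0:len(SIGNATURE)] = SIGNATURE
SAMPLE_EXE = make_mz(bytes(_body), ip=0xC4)

# File names only matter to a scanner that trusts extensions: PW.PRG is an
# MZ executable despite its name.
SAMPLE_FILES = {
    "GAME.COM": SAMPLE_COM,
    "PW.PRG": SAMPLE_EXE,
    "NOTES.TXT": b"just text\r\n",
}


def flagged(files: dict, trust_extension: bool = False, entry_only: bool = False) -> list:
    """Names of files that match, under three scanner policies."""
    hits = []
    for name, data in files.items():
        if trust_extension and not name.upper().endswith((".COM", ".EXE")):
            continue
        r = scan(data)
        if (r["at_entry"] if entry_only else r["anywhere"]):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("content-based, whole file :", flagged(SAMPLE_FILES))
    print("extension-based           :", flagged(SAMPLE_FILES, trust_extension=True))
    print("entry point only          :", flagged(SAMPLE_FILES, entry_only=True))
```

Run stand-alone, the three policies give three different answers on the same files: scanning whole files by content flags both GAME.COM and PW.PRG, an extension-based scanner never opens PW.PRG, and an entry-point-only scanner misses the EXE sample because its search string starts at the COM entry point rather than at CS:IP. The MZ entry calculation assumes the image is loaded at the header's end, which is enough for a file-offset search but ignores relocation.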
------------------------------
Date: 09 Aug 91 00:38:47 -0400
From: Kevin Dean <[email protected]>
Subject: Re: Self-scanning executables (PC)
CRCSET version 1.3 has been uploaded in UU-encoded form to the
following sites if anyone wants a copy:
risc.ua.edu
ux1.cso.uiuc.edu
wsmr-simtel20.army.mil
------------------------------
Date: Fri, 09 Aug 91 10:43:00 -0500
From: Ken De Cruyenaere 204-474-8340 <[email protected]>
Subject: Problem cleaning "LIBERTY" virus? (PC)
The LIBERTY virus made another appearance on our campus recently.
CLEAN V80 was unable to clean it though. I believe the message
was something like "Unable to clean this file, delete ? y/n "
(Over a dozen infected files and none of them could be cleaned.)
We next tried Central Point's ANTIVIRUS and it cleaned it up
quickly. Central Point identified it as the MYSTIC virus,
which caused a little confusion as MYSTIC isn't listed as
an alias of LIBERTY...
I have checked back issues of this digest for any other
similar problems with CLEAN (version80) and LIBERTY and didn't
find any. Has anyone else bumped into this?
Ken
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: [email protected] Voice:(204)474-8340 FAX:(204)275-5420
------------------------------
Date: 09 Aug 91 03:22:55 +0000
From: [email protected] (Ray Mann)
Subject: Re: Brunnstein (CARO) virus catalog files
Are these the early virus catalog files, published elsewhere, or are
they new, recently-produced ones...?
--- Opus-CBCS 1.14
* Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0)
--
Ray Mann
Internet: [email protected]
Compuserve: >internet:[email protected]
------------------------------
Date: Fri, 09 Aug 91 12:03:18 -0700
From: [email protected] (Jesse Chisholm AAC-RJesseD)
Subject: TRACER (PC)
Does anyone know anything about the antivirus program called TRACER
by a company called GODWARE? All I know is they are based in Taiwan.
Has anyone had experience with it? Is it any good? It certainly is
inexpensive: NT$130 which comes to about $5.
-Jesse Chisholm
[email protected]
--
| "As I was going up the stair
| I met a man who wasn't there.
| He wasn't there again today.
| I think he's with the C.I.A." -- Ann Onymous
------------------------------
Date: 08 Aug 91 01:53:01 +0000
From: [email protected] (garth kidd)
Subject: Proposal for standard virus signatures notation
I like the proposal.
Now, are we going to see publication of, say, lists of virus signatures for the
more common viruses, mayhap in VSUM?
Down: virus writers could use the lists to check that the virus they're writing
doesn't match anything else. Of course, they can use the latest copies of
anti-viral software to check this, but the signatures will tell them =exactly=
what to avoid.
One solution for this is to use two or more different signatures for each virus
in the more wildly popular anti-viral software, but only publish one in VSUM.
Up: people can write quick'n'grotty virus scanners to check to see whether
their system is infected with X without having to find a copy of (say) SCAN
that checks for it. Even if SCAN allowed signature files, (and for all I know,
it does), they might not =have= it.
Email responses welcome; I'm still not sure whether the gate works in the
fido->usenet direction.
gk
--- FD 1.99c
* Origin: [email protected] (3:680/828)
------------------------------
Date: Mon, 12 Aug 91 15:45:02 +0100
From: [email protected]
Subject: Stoned at EPO (PC)
New Scientist 10 August 1991, p. 24 under byline "Computers Get Stoned
On Patent Discs" reports that the European Patent Office in Munich has
been sending clients a floppy disc containing the Stoned virus.
The EPO has spent nearly #20,000 warning recipients of the disc all
around the world not to use it and helping those who did get rid of
the virus.
The disc causing all the trouble contained publicity samples of an
electronic version of the weekly Bulletin which lists all new patents.
In April the EPO sent copies of the disc to 1000 or more patent agencies
etc. The office has spent 3 months tracking down the source of the virus
and now believes it came from an independent software company in Germany
which helped with the preparation of the disc. If it can find firm
evidence it will sue the company.
Iain Noble
-----------------------------------------------------------------------------
Iain Noble                                  | Post: Main Site Library,
[email protected]                          | Teesside Polytechnic,
JANET: [email protected]                   | Middlesbrough,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL      | Cleveland, UK, TS1 3BA
INTERNET: LBA002%[email protected]          | Phone: +44 642 342121
UUCP: LBA002%[email protected]              |
-----------------------------------------------------------------------------
------------------------------
Date: Mon, 12 Aug 91 09:21:00 -0600
From: "Rich Travsky (307) 766-3663/3668" <[email protected]>
Subject: New Anti-Virus Consortium Announced
The August 5th Network World has an article on a new consortium: The
AntiVirus Product Developers Consortium (AVPD). Goals are: establish
standards for reporting, classifying, and counting viruses; adopt a
code of developers ethics; increase the public's awareness; sponsor
research by vendor-independent organizations. Members currently are:
Central Point Software, Certus International, Symantec/Peter Norton,
and XTree Co. Membership is open to all other vendors.
AVPD will rely on a virus database operated and maintained by the NCSA.
This database currently has about 900 viruses.
First AVPD meeting is scheduled for Nov. 25-26 in Washington DC.
Richard Travsky
Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming (307) 766 - 3663 / 3668
------------------------------
Date: Sun, 11 Aug 91 18:22:57 -0700
From: [email protected] (Rob Slade)
Subject: System calls
FUNGEN3.CVP 910811
Viral use of operating systems
Viral programs use basic computer functions in more ways than
one. It is easier to use standard system calls for purposes
such as accessing disks and writing files or formatting. Most
programs use the standard operating system calls, rather than
write their own system function when "using" the hardware. For
one thing, it's more "polite" to do this with applications
programs, which, if they follow "the rules" will be better
"behaved" when it comes to other programs, particularly resident
programs and drivers. But it is also easier to use system
functions than write your own.
Operating system functions are generally accessible if you know
the memory address at which the function starts, or the specific
"interrupt" that invokes it. Viral programs can use this fact
in two possible ways.
The first is to use the standard system calls in order to
perform the copying, writing or destructive actions. This,
however, has unfortunate consequences for the viral author (and
fortunate for the computer community) in that it is easy to
identify these system calls within program code. Therefore, if
viral programs used only this method of operation, it would be
possible to write a "universal" virus scanner which would be
able to identify any potentially damaging code. It would also
be possible to write programs which "trapped" all such system
calls, and allowed the user to decide whether a particular
operation should proceed. (In fact, in the MS-DOS world, two
such programs, BOMBSQAD and WORMCHEK, are available, and were
used to check for early trojan programs.)
Operating systems are, however, programs, and therefore it is
possible for any program, including any viral program, to
implement a completely different piece of code which writes
directly to the hardware. The "Stoned" virus has used this very
successfully.
Unfortunately, viral programs have even more options, one of
which is to perform the same "trapping" functions themselves.
Viral programs can trap all functions which perform disk access
in order to hide the fact that the virus is copying itself to
the disk under the "cover" of a directory listing. Viral
programs can also trap system calls in order to evade detection.
Some viri will "sense" an effort to "read" the section of memory
that they occupy, and will cause the system to hang. Others
trap all reading of disk information and will return only the
"original" information for a file or disk: the commonly named
"stealth" viral technology.
copyright Robert M. Slade, 1991 FUNGEN3.CVP 910811
=============
Vancouver Institute for Research into User Security
[email protected] | [email protected] (SUZY)
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security
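Rob Slade's column describes two sides of the same mechanism: a monitor such as BOMBSQAD or WORMCHEK can sit in front of the system's disk-service interrupt and let the user refuse a write, and resident viral code can hook the same vector to hide or evade. The block below is an added model of the defensive side, not code from the column or from either of those programs. It builds an in-memory stand-in for the interrupt vector table and a minimal INT 13h (BIOS disk services) handler, chains a write monitor in front of it that refuses writes to the boot sector, and includes the integrity check such a monitor needs: comparing the vector against the handler it installed, so that anything later chained in front of it is noticed. The Disk, VectorTable and register conventions (AH=02h read, AH=03h write, CHS in CH/DH/CL, carry flag set on error) are simplified constructed stand-ins, not the real BIOS interface.

```python
"""Added example (not from Rob Slade's column): a toy interrupt vector table
with a BOMBSQAD/WORMCHEK-style write monitor chained in front of INT 13h, plus
a vector integrity check.  Everything is a constructed in-memory stand-in.
"""

SECTOR = 512
BOOT_SECTOR = (0, 0, 1)  # cylinder 0, head 0, sector 1: what a boot sector infector must overwrite


class Disk:
    """In-memory floppy: (cyl, head, sector) -> 512 bytes.  Constructed stand-in."""
    def __init__(self):
        self.sectors = {}

    def read(self, chs):
        return self.sectors.get(chs, bytes(SECTOR))

    def write(self, chs, data):
        self.sectors[chs] = bytes(data[:SECTOR])


def make_bios_int13(disk):
    """The 'ROM' handler.  Returns (carry_flag, data); carry=1 means error."""
    def int13(regs, buf=None):
        chs = (regs["ch"], regs["dh"], regs["cl"])
        if regs["ah"] == 0x02:
            return 0, disk.read(chs)
        if regs["ah"] == 0x03:
            disk.write(chs, buf)
            return 0, None
        return 1, None  # function not modelled here
    return int13


class VectorTable:
    """Stand-in for the table of interrupt vectors at 0000:0000."""
    def __init__(self):
        self.vectors = {}

    def get(self, n):
        return self.vectors[n]

    def set(self, n, handler):
        self.vectors[n] = handler

    def call(self, n, regs, buf=None):
        return self.vectors[n](regs, buf)


def install_write_monitor(ivt, decide):
    """Chain a handler in front of whatever currently serves INT 13h.  Writes go
    to decide(regs) first; a refusal returns carry set and never reaches the
    disk.  Reads and everything else pass straight through to the old handler."""
    downstream = ivt.get(0x13)

    def monitor(regs, buf=None):
        if regs["ah"] == 0x03 and not decide(regs):
            return 1, None
        return downstream(regs, buf)

    ivt.set(0x13, monitor)
    return monitor


def protect_boot_sector(regs):
    """Policy: allow every write except one aimed at the boot sector."""
    return (regs["ch"], regs["dh"], regs["cl"]) != BOOT_SECTOR


def vector_intact(ivt, n, trusted):
    """Integrity check the monitor should repeat periodically: does INT n still
    point at our handler?  Any resident code that has since hooked in front of
    us, for whatever purpose, shows up as a changed vector."""
    return ivt.get(n) is trusted


def demo():
    disk, ivt = Disk(), VectorTable()
    ivt.set(0x13, make_bios_int13(disk))
    monitor = install_write_monitor(ivt, protect_boot_sector)

    def regs(ah, cl):
        return {"ah": ah, "ch": 0, "dh": 0, "cl": cl, "dl": 0}

    boot_cf, _ = ivt.call(0x13, regs(0x03, 1), b"X" * SECTOR)  # refused by policy
    data_cf, _ = ivt.call(0x13, regs(0x03, 2), b"Y" * SECTOR)  # ordinary write, allowed
    _, back = ivt.call(0x13, regs(0x02, 2))                    # read it back
    intact_before = vector_intact(ivt, 0x13, monitor)

    # Later some other resident program chains in front of us (a benign
    # pass-through here; the vector check cannot tell intent and does not try).
    previous = ivt.get(0x13)
    ivt.set(0x13, lambda r, b=None: previous(r, b))
    intact_after = vector_intact(ivt, 0x13, monitor)

    return {
        "boot_write_refused": boot_cf == 1 and disk.read(BOOT_SECTOR) == bytes(SECTOR),
        "data_write_ok": data_cf == 0 and back == b"Y" * SECTOR,
        "hook_intact_before": intact_before,
        "hook_intact_after": intact_after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The model makes the column's two consequences visible: a program that routes disk writes through the documented interrupt is trapped and can be refused, while the only thing a monitor can do about code that hooks the same vector ahead of it is detect that the vector has moved, which is why such monitors re-check their hooks rather than trusting them once installed. Code that writes to the controller directly, as the column notes Stoned does, bypasses this table entirely and is not modelled.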
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 140]
******************************************