VIRUS-L Digest   Monday, 19 Aug 1991    Volume 4 : Issue 143

Today's Topics:

Forwarded from Dr. Fred Cohen
Re: copyright of infected files
Hoffman Cat. & VSUM.EXE / ftp site ??? (PC)
Double quote char appear all over - virus? (PC)
Re: Self-scanning executables (PC)
Hard disk locking ? (PC), new prices, musings
LAN scanning (PC)
Re: When can a virus infect (AMIGA)
Hard disk password protection (PC)
Proposal for standard virus signatures notation
Bus Error, Teenager Abuse (Mac)
Re: Hard disk locking ? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 16 Aug 91 11:12:45 -0400
From:    Kenneth R. van Wyk <[email protected]>
Subject: Forwarded from Dr. Fred Cohen

[Ed. Dr. Cohen asked me to relay the following message to VIRUS-L.
Three comments first (mine, not Dr. Cohen's)...  1) Dr. Cohen does not
have a network address, so I typed this in from a FAX (I don't have a
scanner...), hence any typos are undoubtedly mine, not his.  2) I
don't normally offer this "service" (typos notwithstanding), so please
don't ask me to transcribe messages; I did this as a personal favor to
Dr. Cohen.  3) I would be happy to collect any replies to this message
and FAX them to Dr. Cohen.  Any reply received by Friday, 23 Aug 1991
will be included; any received after that will be forwarded to
/dev/null.  Finally, the views expressed here are Dr. Cohen's,
verbatim.]

Dear VIRUS-L readers:

Normally, I do not participate in bulletin boards such as this one
because there is more noise than signal, but I have been looking over
some of the recent comments about my work, and I thought it was about
time to clarify a lot of misperceptions.

  1) All of my books (and my software products) are available through
     ASP Press, which can be reached at PO Box 81270, Pittsburgh, PA
     15217, USA.

  2) The thesis was first published in 1985, and was accepted by the
     committee in 1986.  A much better book for the average computer
     literate reader is "A Short Course on Computer Viruses" (also
     available through ASP Press).

  3) The formal definition of viruses first published in the thesis
     encompasses ALL self-replicating programs, and I never claimed
     (as far as I am aware) to have written the first computer virus.
     I think that I have seen over 20 other authors (some who even
     claim to be legitimate researchers) who have claimed otherwise.
     They shouldn't cite what they haven't read and understood.

  4) I did do the first SCIENTIFIC experiments on the protection
     issues related to viruses.  I also published more than 1/2 of
     the refereed journal articles on viruses, and I derived many of
     the interesting research results on viruses to date.

  5) I resent the network being used for commercial purposes, which I
     felt it is being used for in "describing" features of virus
     defense products.  I think it might even be against the law.  I
     find it interesting that when someone asks where to get a copy
     of my thesis, they get met with solicitations regarding other
     books on the subject.  I'm not sure, but I think soliciting this
     way on the net is against the law.

  6) Thank you Dave Chess for providing relatively factual
     information to this forum.  I think you guys at IBM should be
     congratulated for your fine work on analyzing virus spread in
     the last DPMA conference and putting the foolishness brought on
     by people who make unsupportable assumptions into proper
     perspective.

  7) Thank you in advance Ken, for posting this for me.  [Ed. You're
     welcome.]

                       Fred (no network address - try ASP Press above)

P.S. Anyone that thinks you need a network address to perform useful
work should try turning off the network for a few months and observe
how much more work you get done when you don't have to sift through
all of that noise.      FC

------------------------------

Date:    15 Aug 91 19:27:59 +0000
From:    [email protected] (Jesse Chisholm AAC-RjesseD)
Subject: Re: copyright of infected files

[email protected] (Warren Burstein) writes:
| It occurred to me that anyone who deals with viruses must of course
| have a collection of infected files for comparison, disassembly, and
| testing of anti-viral methods.  It would not be surprising for such
| people to thereby acquire lots of copies of software that they don't
| have licenses for (and what if the virus has a copyright, too :-) ?).
| Not that they ever intend to use the software for its intended
| purpose, but might the manufacturers get upset anyway?

I avoided this problem by writing a small "Hello, world." program in
both .EXE and .COM form.  Once these are infected I rename them to
something appropriate and delete the original program I got the virus
from.  This also saves disk space.  When it comes time for
disassembly, my own code is easy to recognize; no trying to figure out
the distinction between a virus and some vendor's code.
--
"I woke up one morning, October 23rd.
Riding the range with the 2-U herd.
Come a ti-yi-yippy-yippy-ay yippy-ay.
Come a ti-yi-yippy-yippy-ay." -- from an old song, "The Chisholm Trail"

------------------------------

Date:    16 Aug 91 17:34:38 +0700
From:    [email protected]
Subject: Hoffman Cat. & VSUM.EXE / ftp site ??? (PC)

which ftp sites carry:

- Hoffman Catalog (PC)
- VSUM.EXE

?????

thanx in advance

bye ....................................................................  Didi

******************************************************************************
*  Universitas Basiliensis                                       InfoCenter  *
******************************************************************************

------------------------------

Date:    Fri, 16 Aug 91 16:46:11 +0000
From:    [email protected] (Thomas Wong)
Subject: Double quote char appear all over - virus? (PC)

One of the 386s in our lab has been having a strange problem.  Double
quote characters slowly appear all over the screen.  I've checked the
computer with VirusScan (SCAN 7.6V80)(latest?)  and no virus was
found. Has anyone seen this before? How can I tell if this is a new
(yet to be discovered) virus? What to do?  What to do....

Thomas.

------------------------------

Date:    Fri, 16 Aug 91 18:33:48 +0000
From:    [email protected] (Eric Vaitl)
Subject: Re: Self-scanning executables (PC)

   I started thinking about self scanning executables again.
Unfortunately, it was way too easy to write myself a virus which gets
around the whole damn thing. Here is what it does: When the victim
program is activated, the virus gets control. The virus then totally
removes itself from the program on the disk (remember, the victim's
name is in the psp). The virus then hooks itself into the timer
interrupt and the idle interrupt and goes tsr.  Two timer ticks later
a flag is set and on the next idle interrupt the virus loads and
executes the original program. Any self scanning the original program
does won't find anything. About ten minutes after going tsr, the virus
sets another flag. On a following idle interrupt, the virus attacks
two .exe files in the hard disk. It then unhooks the interrupt vectors
and returns its saved memory to dos.
   I'm not a real whiz at assembler programming and I was able to get
this thing under 2k and write it over the weekend. It will
successfully attack programs using variants of my vscan() function
without being found. I also had it attack a copy of pkz110.exe and it
wasn't found. (Although I haven't checked if pkz110 is actually self
scanning or if it just does a crc on the contained files).
   Anyhow, my point here is that self-scanning executables might be a
dead end and that I just don't think that we should spend too much
time arguing over whether it's best to do a simple checksum or a crc
when, if a virus writer were worried about the subject he could just
bypass the whole thing.

[email protected]
flames>/dev/nul

------------------------------

Date:    Fri, 16 Aug 91 14:31:00 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Hard disk locking ? (PC), new prices, musings

From:    Fridrik Skulason <[email protected]>
(referring to a friend)
>  ...now he wants some method to prevent anyone from working  on
>his  machine  while  he is away - for example by  asking  for  a
>password on boot-up.

>Software-only solutions are less secure of course, but they are
>sufficient in his case.

> #1 I guess that such a program already exists - but I have  not
>yet  been able to find it.  Does anyone know of  something  like
>this ?

Quite some time ago I wrote DISKSECURE as an experiment. It is  a
technology  demonstrator  rather than a  commercial  product  (no
flames  please) but should do what you ask. It is available  from
several sites or I can send a UUENCODED ZIP over the net.

It is a BIOS level virus detection/block, prevents DOS access  of
the  disk when booted from a floppy (cannot prevent a  cold  boot
without  special BIOS or hardware). Can be booted "bare"  with  a
special maintenance disk (still requires password) for defragging
and  allows  the  user to create a "recovery"  disk  in  case  an
inadvertent boot from an infected floppy corrupts the file.  Once
resident, the MBR, hidden sectors, and Boot Record are  protected
from alteration and BIOS format calls are trapped.

This  forms part of the triad I use personally for protection  of
my  home  machine (DiskSecure, McAfee's  Vshield,  Enigma-Logic's
Virus-Safe) plus some other "home-brew" integrity checkers.

On  another note, I just received the September Computer  Shopper
and  have noticed considerable price erosion taking place  -  two
items I am interested in particular - 386sx Notebooks  (8"x12"x2"
-  6  lbs)  w/2MB RAM and 20 MB hd have been  spotted  with  what
appear  to  be a nice mix of features for  $1699   while  laptops
(larger  & c.a. 13 lbs) with similar features are to be  had  for
around  $1200.

Given  the availability of more memory, up to 100 MB  disks,  and
expansion chassis for other peripherals, we may soon be in for  a
return to the single PC with just a separate keyboard and monitor
at home and the office. Since sub-$1000 386 desktops are already
plentiful and in theory a notebook should be about the same  cost
to manufacture,
On  the other hand, there were two ads for 9600  baud/MNP5/V42bis
modems under $300, both with Rockwell chip sets. Given text/image
transmissions  between  compatible machines, these  can  give  an
effective throughput of 38,400.

I expect a plethora for $200 by years end - already low-line 2400
baud  units  are under $50 and you can't give away  a  1200  baud
modem - my historical collection includes a Racal-Vadic 1200 baud
that had no auto-features and must have cost $700 new (the  power
supply  alone is larger than most modems today) - and it is  less
than  10  years old ! - State of the art 15 years ago was  a  300
baud TI silent 700 with acoustic coupler. Seems like we are on  a
log curve.

What  meaning  does  this  have for Virus-L  ?  Namely,  the  386
platform  and DOS 5.0 is becoming a de facto standard  just  like
the  8088 did. Already some vulnerabilities are being  exploited,
usually by accident (I am told that the next release of prominent
scanners  will  include  the ability to scan  "high"  for  memory
resident viruses).

In  the  last  six  months, the number  of  LAN  infections  have
increased  dramatically and it takes a different  philosophy  to
protect  a  LAN  than  an individual  client  while  the  rise  of
affordable  9600 baud modems and Notebooks are going to  increase
transmission vectors dramatically.

Will  this result in the Virus that ate Cincinnati ? I doubt  it,
the  statistics  are  that  it is hard to  affect  a  70  million
platform installed base. But to the 100 pc company or 2000 client
LAN that gets hit by something they did not bother to prepare for
-  Hasta la vista, baby. (what about the offsite backups ? -  see
T3).

                                                 Padgett

------------------------------

Date:    16 Aug 91 16:09:55 -0400
From:    Jon Freivald <[email protected]>
Subject: LAN scanning (PC)

>   This  problem is quickly spreading to the micro arena. In recent
>   months I have had occasion to clean several LANs including one of
>   500  clients  and another having 2000+  clients.  The techniques
>   developed to disinfect individual PCs (quarantine and clean)  are
>   costly, often ineffective, and are not the One True Solution.
>
>   Other  techniques  that  we have discussed  in  this  forum that
>   involve   authentication  of  the  health  of  a  client before
>   permitting  access  to  the  server  are  IMHO  a  more elegant
>   procedure.

I've written a program that's implemented on our (Banyan Vines) LAN
that does just that -- it's a two part program that works in
conjunction with McAfee's ViruScan.

Part 1 (the shell) the user is *supposed* to include in his
autoexec.bat - it interrogates the system for # of drives, then
executes the McAfee software on all found hard drives.  It updates a
control file after the McAfee software has run successfully.

Part 2 (the "enforcer") is a part of all the users login profile (which
we don't allow them to change) - it checks for proper installation,
then checks the control file -- if it can't find Viruschk (my prog) or
ViruScan, it logs them out with a nasty-gram - if the control file is
too old, it logs them out, initiates the scan & if the scan completes
successfully, brings them back to the login screen...

If anyone's interested, it's Freeware.  The shell is generic (works
with all PC/MS-DOS systems from 2.11 - 5.0), however, the enforcer only
currently supports Banyan Vines 3.xx & 4.xx (I intend to expand this in
the future, but only have access to Vines).  It's available for
download as vchk21.zip either from the Compuserve Banforum or from my
BBS @ (516) 483-7968 (N,8,1 - 300-2400 + 9600 HST).

Jon Freivald
SSgt, USMC
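
A model of the shell/enforcer split described above, as an added example in Python that is not Freivald's vchk21 code: the shell records a successful scan in a control file, and the enforcer at login decides whether to admit, force a rescan, or log the user out. The control-file format, the one-day maximum age and the tool names are assumptions.

```python
"""Shell/enforcer model (added example, not Freivald's vchk21).
Hypothetical control-file format (an assumption):
    scanned=<unix time> result=<scanner exit code> scanner=<name>
"""
import os
import tempfile
import time

MAX_AGE_SECONDS = 24 * 60 * 60          # assumed "too old" threshold: one day
REQUIRED_TOOLS = ("VIRUSCHK", "SCAN")   # names the enforcer looks for (assumed)


def write_control_record(path, scan_exit_code, scanner="SCAN", now=None):
    """Shell side: record the scan only when the scanner reported success.
    Returns True when a fresh record was written, False otherwise."""
    if scan_exit_code != 0:
        return False                    # a failed or aborted scan leaves no evidence
    now = int(time.time()) if now is None else int(now)
    with open(path, "w") as fh:
        fh.write("scanned=%d result=%d scanner=%s\n" % (now, scan_exit_code, scanner))
    return True


def parse_control_record(text):
    """Parse one key=value record; returns a dict, or None if malformed."""
    fields = {}
    for token in text.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return {"scanned": int(fields["scanned"]),
                "result": int(fields["result"]),
                "scanner": fields["scanner"]}
    except (KeyError, ValueError):
        return None


def enforce(control_path, installed_tools, now=None, max_age=MAX_AGE_SECONDS):
    """Enforcer side (run from the login profile). Returns one of:
       'logout' -- a required tool is missing: refuse the session
       'rescan' -- no usable or fresh record: scan, then return to login
       'admit'  -- evidence of a recent successful scan exists"""
    now = time.time() if now is None else now
    have = {t.upper() for t in installed_tools}
    if not all(tool in have for tool in REQUIRED_TOOLS):
        return "logout"
    try:
        with open(control_path) as fh:
            record = parse_control_record(fh.read())
    except OSError:
        return "rescan"                 # missing control file: never scanned
    if record is None or record["result"] != 0:
        return "rescan"
    age = now - record["scanned"]
    # A timestamp in the future is treated as stale too (clock reset or tampering).
    if age < 0 or age > max_age:
        return "rescan"
    return "admit"


def demo_scenarios():
    """Walk the constructed cases in a temp dir; returns decision per case."""
    path = os.path.join(tempfile.mkdtemp(), "viruschk.ctl")
    out = {"never_scanned": enforce(path, ["viruschk", "scan"], now=2000)}
    write_control_record(path, 1, now=1000)         # failed scan writes nothing
    out["failed_scan"] = enforce(path, ["viruschk", "scan"], now=2000)
    write_control_record(path, 0, now=1000)         # successful scan recorded
    out["fresh"] = enforce(path, ["viruschk", "scan"], now=2000)
    out["stale"] = enforce(path, ["viruschk", "scan"], now=1000 + MAX_AGE_SECONDS + 1)
    out["future_stamp"] = enforce(path, ["viruschk", "scan"], now=500)
    out["no_viruschk"] = enforce(path, ["scan"], now=2000)
    return out
```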

------------------------------

Date:    16 Aug 91 20:21:56 +0000
From:    [email protected] (SCHILDBACH WOLFGANG)
Subject: Re: When can a virus infect (AMIGA)

[email protected] (Kevin Kadow) writes:

>With ZEROVIRUS running, after booting from a TC500 hard drive, I ran
>across a newly acquired disk which, upon being inserted, resulted in:

>ZeroVirus gave a warning "ColdCapture has been changed!"

>options: retry  clear

>choosing clear resulted in the warning coming back up in about 1/10 second.

>I did a cold start, then switched to VIRUSX...

>Upon inserting the suspect disk, VirusX warned: Australian Parasite
>detected!

>Choosing clear seemed to work, since VirusX went back to sleep. I was
>under the impression that a boot-block virus could only start-up if
>you booted from an infected disk, not by simple insertion?

There is a new virus out that uses a simple but very efficient way of
spreading. It uses the Disk-Validator located in the L/ directory.  It
works this way: The infected disk has a checksum error on it. So as
soon as you insert it, the system will call the Disk-Validator, but
not the one from your L: directory, BUT THE ONE FROM THE df?:L
directory.  This one is infected. So as soon as you just insert the
disk, your system is infected!

It then does some other things as overwriting the Disk-Validator in your
L: directory and so on... I think it will additionally crypt one specific
track when it is written and decrypt it when it is read. The knack is:
As soon as you have removed the virus, you'll have read errors on all
disk inserted while your AMIGA was infected. As long as the virus is ac-
tive, you won't notice.

Wish you good luck disinfecting your computer...

--- Wolfgang Schildbach

------------------------------

Date:    16 Aug 91 17:15:20 -0400
From:    Jon Freivald <[email protected]>
Subject: Hard disk password protection (PC)

>One person here at the University of Iceland had the misfortune of
>having his hard disk trashed by the Spanish Telecom virus recently.
>It was possible to trace the source of the infection, but now he wants
>some method to prevent anyone from working on his machine while he is
>away - for example by asking for a password on boot-up.

>My questions:

>     #1 I guess that such a program already exists - but I have not
>     yet been able to find it.  Does anyone know of something like
>     this ?

Yes, I use and can highly recommend "PC-Vault".

It is software only and has done well in my evolution from an 8088 XT
up through a 386/40 monster with MFM, RLL & ESDI drives being involved
in the upgrade process...  (I've got version 4.1 - no idea what's
current..)

It requests a password on boot (installs via config.sys).  If the
system is booted via floppy disk, the hard disk cannot be accessed
without running a special utility on the PC-Vault diskette (unlike a
couple other programs where you just plain can't access the hard disk
period!).

Here's the info you'll need to order (I have no ties to this company
other than being a one time customer!):

       Johnson Computer Systems, Inc.
       20 Dinwiddie Place
       Newport News, Virginia 23602
       (804) 872-9583

If I recall correctly (it's been a couple years!), the cost was about
$20.00 and I was impressed that I received it so quickly (2 days I
think).

They also offer PC-Vault Plus which offers multiple passwords &
directory level access by which password was used.

At the time I called them, they offered free demo versions (limited to
one character passwords) of both products...

Jon

------------------------------

Date:    09 Aug 91 12:33:04 +0000
From:    [email protected] (garth kidd)
Subject: Proposal for standard virus signatures notation

Original to: nl84479
<looks at floor, shuffles feet> Apology for the return address I included in my
origin line in the last message. The actual message header should be correct.
The origin line should read something like:

--- FD 1.99c
* Origin: reply-to [email protected], please. (3:680/828)

------------------------------

Date:    17 Aug 91 23:59:57 -0400
From:    "Robert McClenon" <[email protected]>
Subject: Bus Error, Teenager Abuse (Mac)

    I received no less than ten (yes, ten) replies via E-mail to
my inquiry.  I thank those of you who replied.

    The consensus seems to be as follows.  The "bus error" is not
a SCSI bus error but a data bus error, which is really a memory
address error.  This in turn indicates either a buggy program or a
corrupted program.  Some sound utilities are buggy and can cause
various sorts of damage.

    Everyone said that the user's System file and Control Panel
had been trashed and that he should reinstall the System and the
Control Panel.  Several people suggested that he run a hard disk
integrity utility, such as Apple Disk First Aid, SUM Disk Clinic,
or Norton Disk Doctor (for Macintosh), to determine whether there
was further damage.

    One correspondent suggested the use of Suitcase or
MasterJuggler as a way of avoiding putting the music into the
System.

    There seemed to be general agreement that there was no
evidence of a virus, and that bugs in the sound facility were the
explanation.

    Thank you for your replies.

         Robert McClenon
         Neither my employer nor anyone else paid me to say this.

------------------------------

Date:    Mon, 19 Aug 91 10:29:00 +1200
From:    "Mark Aitchison" <[email protected]>
Subject: Re: Hard disk locking ? (PC)

[email protected] (Fridrik Skulason) writes:
> One person here at the University of Iceland had the misfortune of
> having his hard disk trashed by the Spanish Telecom virus recently.
> It was possible to trace the source of the infection, but now he wants
> some method to prevent anyone from working on his machine while he is
> away - for example by asking for a password on boot-up.
>
> Hardware solutions...

The simplest of the lot is to unplug the disk, of course. It all
depends how long you're away from the computer as to whether yanking
out the cable is worthwhile or not. If it is to cover someone leaving
his machine on while going to lunch, etc, then a boot-up password
isn't much help either, of course. The keyboard lock switch supplied
with most modern computers *should* be the answer, but for some reason
they almost all seem to take the same key! Still, there are some
zero-cost hardware solutions.

> Software-only solutions...

I remember hearing about two programs that require a boot-up password
(other than special BIOS'es), and I think both prevent access to the
hard disk when booting from floppy by presenting a "wrong" partition
table. This, of course, can be circumvented by anyone determined
enough (as Norton's NDD does, for instance), but might be good enough.
Although I don't have either program, I can get hold of one of them if
needed tomorrow, and I think there was some talk about the other in
comp.virus within the last month or so.

There are some alternative software solutions...

(1) change CMOS to say there are no hard disks
Advantage: A wee bit more secure
Disadvantage: You have to manually change it, or boot from a special diskette

(2) change CMOS to say there is a much smaller disk, and put all your valuable
data in a partition after that.
Advantages: More convenient boot-up, and probably more secure, since people and
programs might think *no* hard disk is odd and so look for one, but when finding
a small disk (i.e. less cylinders) probably would not look any further.
Disadvantage: Could cause confusion if you ever need to take the computer to
the fixit-guys, and will probably upset some anti-virus software... but then
again, so will all of the solutions.

(3) Use Digital Research's DRDOS 5.0, to put passwords on the important files,
e.g. read/write/delete protection on key directories.
Advantages: "off the shelf" software, can be useful in cases where the
computer is left running at lunch time, etc, plus some other advantages (such
as the ability to select differing levels of protection for different files)
that may or may not be of value.
Disadvantages: Still lets you boot, so people could use int 13 or Norton's
tools etc (not trying to advertise one brand here, it's just that people know
what they do - I personally use all sorts of disk editors). Also, depending on
how you organise things such as global passwords, directory permissions, etc,
you may need to keep giving the password or end up with a less secure system.

(4) Encrypt the hard disk.
This mainly makes reading of private data difficult - someone could still ruin
the disk by formatting, etc. Now that I think about it, perhaps that was what
was being discussed recently. (I must get my archives fixed up so I can search
them by keywords!)

(5) Swap drives, so your hard disk is the second hard disk, and there is either
no first hard disk, or a small one as the boot disk (e.g. a cheap faulty disk -
in most large organisations people eventually accumulate old disks which only
work on one cylinder, or some of the heads are unreliable, etc - all you need
is a boot sector).
Advantages: I can't really think of any advantages over (1) or (2), except
that under-describing the disk (i.e. the 2nd alternative) depends heavily on
the disk types known to your BIOS.

Discussion welcomed,
Mark Aitchison.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 143]
******************************************
