VIRUS-L Digest Wednesday, 21 Aug 1991 Volume 4 : Issue 145
Today's Topics:
VIRx on a 3COM network (PC)
System Layers and Hiding Places
Re: When can a virus infect (AMIGA)
Hard disk locking software (PC)
Where can I find VSUM9108.zip o .txt?
Re: Double quote char appear all over - virus? (PC)
Re: Hard disk password protection (PC)
Liberty virus (PC)
Re: Hard disk locking PC SECURITY (PC)
Scan (PC)
New Virus ? (PC)
Questions regarding Novell, Viruses & policy
Partition table virus on Toshiba 1200XE (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 19 Aug 91 16:56:37 +0000
>From:
[email protected] (Albert Crosby,AG ENG 210,4452,5014447866)
Subject: VIRx on a 3COM network (PC)
I just tried using the VIRx scanning program on network volumes attahed
via 3Com 3+Open. The scanner reported "Bad status reading partition table"
and stopped for a key press. The program then presented a message that it
was "Scanning: \\ \DOSAPPS\" and paused.
^^^^^^^^^^^^^^ <= this space was filled with high order
garbage characters.
The command I had issued was: VIRX D:\
D: is actually \\AGHELAB\DOSAPPS. The scanner was apparently able to obtain
the last part of the name correctly. VIRx then reported that it had scanned
0 files and 0 subdirectories. If I scan a floppy, it works correctly, and if
I scan a directory on D: other than root it appears to work correctly.
The version of VIRx I tried was "Current as of 07/01/91", version 1.6. SCAN
(McAfee Assoc.) reports that there are 46 directories and 1468 files on the
drive.
Has anyone else encountered problems like this? Or have any pointers for
correcting it? (SCAN also reported the drive free of viruses, BTW)
Albert
------------------------------
Date: Mon, 19 Aug 91 12:22:32 -0700
>From:
[email protected] (Rob Slade)
Subject: System Layers and Hiding Places
This week's column has been slightly delayed due to the marriage, this
weekend, of the columnist's daughter.
FUNGEN4.CVP 910819
Hiding in System Layers
One additional use that viral programs can make of operating
systems is as a source of hiding places.
Anyone who has ever tried to manage accounts on mainframes or
local area networks will recognize that there is a constant
battle between the aspects of security and "user friendliness" in
computer use. This tension arises from the definition of the two
functions: if a computer is easy to use, it is easy to misuse.
If a password is hard to guess, it is hard to remember. If
access to information is simple for the owner, it is simple for
the "cracker".
(This axiom often gives rise to two false "corollares". First,
the reverse; that those systems which are difficult to use must
therefore be more secure; does not hold. Secondly, many assume
that restricting the availability of information about a system
will make that system secure. While this strategy will work in
the short term, its effectiveness as protection is limited.
Indeed, it often has the unfortunate side effect of restricting
information to those who should have it, such as systems
managers, while slowing the "attackers" only marginally.)
"User friendly" programs and operating systems tend to hide
information from the user. There are two reasons for this. In
order to reduce "clutter", and the amount of information that a
user needs to operate a given system, it is necessary to remove
options, and therefore, to a certain extent, functionality. A
user friendly system is also more complex in terms of it's own
programming. In order for the computer to behave "intuitively",
it must be able to provide for the many "counter-intuitive" ways
that people work. Therefore the most basic levels of a graphical
user interface system tend to be more complex than the
corresponding levels of a command line interface system, and are
hidden from the user by additional intervening layers (which also
tend to add more complexity.)
The additional layers in an operating system, and the fact that
a great deal of management takes place automatically, without the
user's awareness, is an ideal situation for a viral program.
Since many legitimate and necessary operations and changes are
performed without the user being aware of it, viral operations
can also proceed at a level completely hidden from the user.
Also, because the user is basically unaware of the structure and
operations of the computer, changes to that structure and
operation are difficult to detect.
copyright Robert M. Slade, 1991 FUNGEN4.CVP 910819
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Mon, 19 Aug 91 20:29:37 +0000
>From:
[email protected] (Ethan R Dicks)
Subject: Re: When can a virus infect (AMIGA)
[email protected] (Kevin Kadow) writes:
>With ZEROVIRUS running, after booting from a TC500 hard drive, I ran
>across a newly acquired disk which, upon being inserted, resulted in:
>
>ZeroVirus gave a warning "ColdCapture has been changed!"
>I was
>under the impression that a boot-block virus could only start-up if
>you booted from an infected disk, not by simple insertion?
On the Amiga, there are two types of viruses: boot-block and
executable. Boot Block viruses are only loaded into RAM when an
infected disk is booted. Executable viruses are loaded into RAM
whenever an infected file is run. I suspect that your infected disk
was a system disk, with the program :l/disk-validator on it. Under
AmigaDOS 1.3 and lower, the system will load and run the disk
validator LOCATED ON THE DISK INSERTED if one is present and the bit
in the root block is set which indicated that the bit-map is invalid
and needs to be rebuilt. If the disk-validator program is infected
and the disk is in need of validation, AmigaDOS will cheerfully run
the validator WITHOUT ASKING. Under AmigaDOS 2.0, l:disk-validator is
run (from the system disk), not :l/disk-validator (from the inserted
disk), eliminating this security hole. BTW, write protecting a disk
with an invalid bit-map prevents the system from updating the bit-map
and will cause the system to be infected all over again when the disk
is inserted.
- -ethan
- --
Ethan R. Dicks | ###### This signifies that the poster is a member in
Software Results Corp| ## good sitting of Inertia House: Bodies at rest.
940 Freeway Drive N. | ##
Columbus OH 43229 | ###### "You get it, you're closer."
------------------------------
Date: Mon, 19 Aug 91 14:15:54 -0700
>From: Steve Clancy <
[email protected]>
Subject: Hard disk locking software (PC)
In Virus-L 4-142 Fridirk Skulason writes:
>Software-only solutions are less secure of course, but they are
>sufficient in his case. It is possible to create a small program
>which asks for a password when you boot from the hard disk, and cannot
>be bypassed simply by booting from a diskette.
>
>My questions:
>
> #1 I guess that such a program already exists - but I have not yet
> been able to find it. Does anyone know of something like this ?
I have had a program called PC-Lock 1.1 for several years on our BBS.
According to the documentation, it does what you are asking. The docs
say:
THE PC-Lock HARD DISK PROTECTION SYSTEM
Version 1.1
(c) Copyright 1986 by
Johnson Computer Systems
20 Dinwiddie Place
Newport News, VA 23602
WHAT PC-Lock DOES
After you install PC-Lock you will be asked to enter your password
each time you boot your computer from your hard disk. Just type
your password and press return. The boot process will continue
normally. If you make an error, just re-type it correctly and
press return. When you boot from a diskette the system will boot
normally, but you will not be able to access your hard disk.
I have not had personal exeprience in using it, so I don't really know
of any weaknesses it might have. There may even be a more current
version. However, I would be happy to UUENCODE the ZIP file and mail
it to you.
- -- Steve Clancy
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
% Steve Clancy, Biomedical Library % WELLSPRING RBBS %
% University of California, Irvine % 714-856-7996 300-2400 24hrs %
% P.O. Box 19556 % 714-856-5087 300-9600 24hrs %
% Irvine, CA 92713 U.S.A. %
[email protected] %
% %
[email protected] %
%.....................................................................%
% "As long as I'm alive, I figure I'm making a profit." %
% -- John Leas, 1973 %
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------------------------------
Date: Mon, 19 Aug 91 15:01:40 -0600
>From:
[email protected] (JESUS BARRERA RAMOS)
Subject: Where can I find VSUM9108.zip o .txt?
Hi all!!!
I've been lookin' for VSUM9108.zip o .txt de Patricia M. Hoffman 'n I've
not found it...could some body tell me where can I get a copy of that
document?...I'd thank ya a lot...oh!...by the way...I've also been
lookin' for a program that convert executable code to source code I know
there're programs to do that but I've not found one...If somebody has
one...please send me a copy (if it's shareware) or tell me where can I
get one...thank ya in advance...bye.
friendly
Jesus Barrera Ramos
(Eqix)
P.S. May be (and I'm almost sure) no body know me, I've been a member
of this list since last january but I'm quite a novice'n I've not sent
a lot of sugestions...anyway..I'm interested a lot on virus.
------------------------------
Date: 20 Aug 91 09:36:43 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Double quote char appear all over - virus? (PC)
[email protected] (Thomas Wong) writes:
>One of the 386s in our lab has been having a strange problem. Double
>quote characters slowly appears all over the screen. I've checked the
>computer with VirusScan (SCAN 7.6V80)(latest?) and no virus was
>found. Has anyone seen this before? How can I tell if this is a new
>(yet to be discovered) virus? What to do? What to do....
My best guess is that this is not a virus. Probaly your video controller
is malfunctioning. Try changing it and see what happens.
Regards,
Vesselin
------------------------------
Date: 20 Aug 91 09:48:37 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Hard disk password protection (PC)
[email protected] (Jon Freivald) writes:
>It requests a password on boot (installs via config.sys). If the
>system is booted via floppy disk, the hard disk cannot be accessed
>without running a special utility on the PC-Vault diskette (unlike a
>couple other programs where you just plain can't access the hard disk
>period!).
As I wrote in one of my previous postings, it depends on what do you
understand by "cannot". You probably mean that when DOS boots, it
cannot recognize the disk (says "invalid disk drive" when you try to
switch to that disk). This, of course, does not mean that the disk is
not accessible to BIOS (using INT 13h, not INT 25h/26h). More exactly,
this means that any boot sector virus that is able to infect MBRs
(Master Boot Records - where the partition table resides), will be
able to infect a disk "protected" in this way.
Such protection schemes usually install themselves in the MBR, then
either encrypt the partition table, or move the original MBR to
another place. If a virus attacks such disk, it will just install
itself in the MBR and move the MBR, containing the protection program
to another place. When the computer is booted, the virus receives
control, stays resident in memory, then reads the moved MBR and
transfers control to it. Since the protection program resides there,
it will just ask for the password and so on.
Since all MBR infectors use BIOS to access the disk, there is no
possibility to "hide" the disk from them. It is possible, however, to
disinfect the disk automatically on reboot, but this is another story.
Regards,
Vesselin
------------------------------
Date: Tue, 20 Aug 91 14:53:23 -0400
>From:
[email protected]
Subject: Liberty virus (PC)
The Liberty virus showed up here in Boston last week at my employer's
Novell network. (My employer is NOT Northeastern University.) The
infection wasn't very bad and we cleaned it up quickly.
I note that there have been several mentions on the net lately that
people have gotten this virus and been unable to remove it with CLEAN,
and were forced to delete the files. We also experienced this problem.
I have mailed a copy to McAffee today for their examination, at the
request of their tech support department. Hopefully this will be
resolved in a future version of CLEAN.
Incidentally, is there a site from which I can FTP the latest version
of Flu Shot? I have an old (very old) copy on a floppy somewhere, but
I'd much rather have the newest version. (Please answer that by
private mail, no need to waste bandwidth.)
Tom Farrell
------------------------------
Date: Tue, 20 Aug 91 19:08:18 +0000
>From:
[email protected] (Kevin Kadow)
Subject: Re: Hard disk locking PC SECURITY (PC)
Most of the small-round-key PC locks can be opened by using a fired
22 shell like a key (to turn the peg in the lock).
DO NOT trust the keyboard lock to keep people from "playing" with your
machine.
The only foolproof protection would be to disassemble the machine
and install a REAL lock in place of the factory-installed keyboard
lock, get a TSR that can lock the MOUSE when the keyboard is locked,
and lastly install a lock such that the case cannot be opened without
the appropriate key.
- --
[email protected] kadokev@iitvax (bitnet)
My Employer Disagrees.
------------------------------
Date: Tue, 20 Aug 91 16:29:02 -0600
>From: Jesus Miguel Garcia <
[email protected]>
Subject: Scan (PC)
Whats the new Scan antivirus of Mcaffe? I heard about version 83....
Thanks for help...
Miguel Garcia Rdz.
Monterrey, N.L.
Mexico
------------------------------
Date: Tue, 20 Aug 91 21:05:00 -0400
>From:
[email protected]
Subject: New Virus ? (PC)
I am having a problem running a program that requires 541K of free
conventional memory (according to the manual). I get the message
"Program too big to fit in memory", even though I have about 552k of
free conventional memory (according to CHKDSK and some other programs
too). The peculiar thing is that the program was running a few days
back, under this same configuration. No change has been made to the
CONFIG.SYS or the AUTOEXEC.BAT files. There are no TSR's in the
memory other than SHARE (even if there were, the largest free memory
block is larger than required). The program does run if I get about
580K free.
I have checked the program for infection using F-PROT V1.16, and using
Norton Anti-Virus V2.00. In both cases the results were negative.
Could this program be infected with a new virus?
Any comments?
Is there any place I could upload this program to have it checked
(can E-Mail be used for sending binary files) ?
Harpreet Singh
[email protected]
------------------------------
Date: Wed, 21 Aug 91 02:19:56 +0000
>From:
[email protected] (Cumberland Newspapers)
Subject: Questions regarding Novell, Viruses & policy
We have a novell network running v3.11 and have (touch wood)
largely been unaffected by virus attack.
We thus far have only PC compatibles on our net but soon will
be adding some macs.
We are looking to create and adopt a policy to prevent virus
infection but it is not practical to prevent users bringing in
floppies or prevent some users from using BBS's. If anyone has
ANY suggestions I am open to them.
and a few other questions....
1) Do there exist viruses that can infect novell fileservers ?
(I don't mean .EXEs or .COMs or whatever on the server but
the files that it runs like .NLMs etc )
2) Is there a way of putting a task on the server that scans for
viruses when users try to conect ?
3) Is there some way I can keep the viruses off the executables
on the server ?
many thanks
iain.
- --
Cumberland Newspapers (Software Development)
[email protected]
Iain Holmes. Ph: (02) 689 5470 (B) (02) 959 3174 (H) Fax: (02) 689 3846
Craig Mitchel. Ph: (02) 689 5191 (B)
------------------------------
Date: Wed, 21 Aug 91 10:55:26 +0000
>From: Leila Burrell-Davis <
[email protected]>
Subject: Partition table virus on Toshiba 1200XE (PC)
We have a Toshiba 1200XE which has been diagnosed as having the
Telephonica Virus in the partition table of the 20MB hard disk. I've
tried repartitioning and reformatting the disk, but it is still
infected. I asked our local Toshiba dealer how to low level reformat
the disk and he said it was an IDE disk and it could only be done with
a special program which dealers have and can't resell. They'll quite
happily do it for us, but it's an hour's drive so I thought I would
enquire here first if there is any alternative solution.
Thanks
Leila
- --
Leila Burrell-Davis, Computing Service, University of Sussex, Brighton, UK
Tel: +44 273 678390 Fax: +44 273 678470
Email:
[email protected] (JANET:
[email protected])
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 145]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
