VIRUS-L Digest Monday, 26 Aug 1991 Volume 4 : Issue 148
Today's Topics:
Re: Hard disk locking (PC)
Re: Hard disk locking ? (PC)
Can virus infect PC data diskettes? (PC)
Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
RE: where is VSUM9108.ZIP or TXT
Re: Double quote char appear all over - virus? (PC)
Can a virus be LAGAL?!
Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
4096 help needed (PC)
Re: Ghosting
The Wisconsin Virus???!!! (PC)
EICAR & CARO adresses needed
Virus Simulator available (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 23 Aug 91 13:29:00 -0500
>From: "William Walker C60223 x4570" <
[email protected]>
Subject: Re: Hard disk locking (PC)
[email protected] (Fridrik Skulason) writes:
>It was possible to trace the source of the infection, but now he wants
> some method to prevent anyone from working on his machine while he is
> away - for example by asking for a password on boot-up.
> This is easily solvable with additional hardware - some machines
> include this feature in the BIOS, but it is also possible to get an
> add-in card for this purpose.
JDR Microdevices now has a password security card which they call
"Gatekeeper." This plugs into an 8-bit slot, prevents the machine from
booting without a valid password (even from floppy), and can have up to
15 passwords per card (could be useful for shared machines). It does
not modify the partition table or any other part of the disk, and it
does not encrypt data. I have no affiliation with JDR, and I have not
tested the card -- I'm merely mentioning its availability and advertised
functions.
> Software-only solutions are less secure of course, but they are
> sufficient in his case. It is possible to create a small program
> which asks for a password when you boot from the hard disk, and cannot
> be bypassed simply by booting from a diskette.
Vesselin and several others are right in that software alone cannot
provide adequate security for a PC. In fact, the National Computer
Security Center states that "... users should be wary of claims for
products (particularly software) which claim to provide 'absolute'
security" (NCSC-WA-002-85, "Personal Computer Security
Considerations"). Because of how PCs are implemented, any software-only
security system cannot possibly guarantee a secure system. I have
successfully bypassed software security schemes, including two
commercial packages which supposedly prevent access to the hard disk
when booted from a floppy. I'm sure Vesselin, Padgett, and others have
done so as well. Anyway, to make a long story short ("too late" :-) ),
it is NOT possible to write a program which cannot be bypassed by
booting from a diskette.
Bill Walker (
[email protected] ) |
OAO Corporation |
Arnold Engineering Development Center | "I'd like to solve the puzzle, Pat"
M.S. 120 |
Arnold Air Force Base, TN 37389-9998 |
------------------------------
Date: Fri, 23 Aug 91 10:08:38 -0700
>From:
[email protected] (Rob Slade)
Subject: Re: Hard disk locking ? (PC)
I have long decried that fact that hard drive manufacturers still have
not thought to include a cheap and simple write protect switch on hard
drives. (Yes, I do know that most removable media drives have write
protect tabs, I'd just like to find a drive under $1000 that'll do it.)
It was pointed out to me at a recent seminar, by one of the attendees who
had access to a bunch of old equipment, that very old hard drives for
PC's, based on mainframe models, did, indeed, have such a switch.
Anybody wanna sell a really old drive? :-)
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Fri, 23 Aug 91 10:51:27 -0700
>From:
[email protected] (Rob Slade)
Subject: Can virus infect PC data diskettes? (PC)
[email protected] (Steve Masticola) writes:
> 1. Can a virus infect data diskettes and propagate from them (possibly
> by rewriting the boot track)?
Yes, boot sector infectors, such as the Stoned, BRAIN, Joshi, Azusa etc.,
do exactly this. All disks have a boot sector, and therefore all disks
can be infected, even if they have no programs on them, and even if they
are not "bootable".
> 2. Can viruses infect data files (not executables) downloaded from
> BBSes?
In the Macintosh world this has already happened. Hypercard contains a
"language" which can be extended to perform system level activities, and
Hypercard "stacks", which are basically data, have been made to contain
viral functions. In the PC world this has not, to my knowledge, been
done, but it is quite possible with the right systems. Any program which
has a scripting or macro language is a possibility.
> Also, if someone has a pointer to an archive with info about PC
I have all of my articles archived on the SUZY system, and soon on
Cyberstore as well.
> viruses (in plain text), or good magazine articles, I'd appreciate
> knowing that, too.
We'd *all* love to know that.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Fri, 23 Aug 91 10:58:07 -0700
>From:
[email protected] (Rob Slade)
Subject: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
As you stated, the version of VIRUCIDE that you first tested is an
older one. And, both SCAN and VIRUCIDE are written by McAfee
Associates. As I believe they stated, when the issue was raised
before, both programs contain the same "signature strings". Because
the signature strings are contained within the program code, SCAN sees
VIRUCIDE as being infected.
They fixed this in the later version of VIRUCIDE.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Fri, 23 Aug 91 20:58:51 +0000
>From: cadguest%
[email protected] (CAD Group Guest Accoun
t)
Subject: RE: where is VSUM9108.ZIP or TXT
|> ============================================================================
|> HyperText VSUM X9107 READ_ME.1ST
|>
|> With the June, 1991 release, the Virus Information Summary List
|> has been converted from its original ASCII list format into a custom,
|> hypertext database format. With the new format, the product name has
|> been changed to HyperText VSUM. The previous ASCII list product has
|> been discontinued, and will no longer be updated.
|>
|> Why the change to a hypertext database? The original ASCII format
|> had become extremely large and unwieldy, it was difficult for most
|> people to effectively use. Printing also had become a problem unless one
|> had a very high speed laser printer. More importantly, the information
|> presented in the ASCII version was never really intended to be read
|> sequentially as a book, but instead to be a reference book or
|> encyclopedia.
|> ============================================================================
=
But what is hypertext? Is it a shareware/freeware product? If yes,
where can I get it?
Thanks,
Nadav Har'El
------------------------------
Date: 23 Aug 91 17:16:24 +0000
>From:
[email protected] (Richard Meesters)
Subject: Re: Double quote char appear all over - virus? (PC)
[email protected] (Thomas Wong) writes:
> One of the 386s in our lab has been having a strange problem. Double
> quote characters slowly appears all over the screen. I've checked the
> computer with VirusScan (SCAN 7.6V80)(latest?) and no virus was
> found. Has anyone seen this before? How can I tell if this is a new
> (yet to be discovered) virus? What to do? What to do....
It's completely possible that there's no virus at all. Does the
machine lock up when this happens? My thoughts would be that if the
SCAN package doesn't detect the virus, you should have someone look at
your video hardware (the video card, in particular). I've seen cards
go bad in such a way that they print spurious characters over the
screen (usually bad video memory/decode).
Hope this helps,
Regards,
- ------------------------------------------------------------------------------
Richard A Meesters |
Technical Support Specialist | Insert std.logo here
AT&T Canada |
| "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters | to mind...clean up your act"
UUCP: ...att!attcan!ram |
- ------------------------------------------------------------------------------
------------------------------
Date: Sun, 25 Aug 91 13:21:59 +0000
>From:
[email protected] (Yaron Bloom)
Subject: Can a virus be LAGAL?!
Since I'm quite interested in the subject, I wanted to ask if a virus
can be lagal. I now every country has it's own rules, but I haven't
heard of a law agains viruses, have you? One more point: Viruses may
be thought as a way of corrupting other user's data. But what about
software piracy? If one copies hacked software, then why shouldn't
viruses hit him?
I'd like to hear you comments.
Yaron Bloom
[email protected]
------------------------------
Date: 25 Aug 91 00:37:48 -0400
>From: Robert McClenon <
[email protected]>
Subject: Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
Eric N. Lipscomb writes:
>OK. Here's a good one. . .
>
>For whatever reason, one of our Business Profs decided to scan the
>copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67
>finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE. VIRUCIDE,
>scanning itself, finds nothing. SCAN also tells us that the file is
>compressed with LZEXE and is infected internally. Hmmmm.
>
>it seems to me that McAfee SCAN is giving a false positive on the
>Kennedy virus in VIRUCIDE. VIRUCIDE (another, later version that
>scanned clean by everything we threw at it) and F-PROT don't identify
>anything. And an old version of SCAN identified the 12 Tricks Trojan.
>Unfortunately, I don't have any other disk scanners laying around that
>I can check it against. But our techies are looking a little more
>closely into this suspicious disk write behaviour exhibited by the
>suspect VIRUCIDE.
>
>Any thoughts/ideas from the list at lagre, specifically the McAfee
>crew (since both SCAN and VIRUCIDE came from McAfee)? This is
>certainly something that our University will take into serious
>consideration as talks finalize on which product to go with as a
>campus standard.
There have been previous reports to Virus-L of false positives where
one anti-viral package identified another as being infected. In
particular, reports of SCAN saying that VIRUCIDE might be the 12
Tricks Trojan have been common. These reports are indeed false
positive. There is a simple reason for these false positives. An
anti-viral scan package looks for virus signature strings. Another
anti-viral package may legitimately contain the same virus signature
strings. These false positives would be even more common except that
some anti-viral packages conceal the signature strings by encryption.
False positives where one anti-viral package says another is infected
are common, and are caused by finding a signature in the signature
search code.
------------------------------
Date: Sun, 25 Aug 91 23:08:20 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
[email protected] (Eric N. Lipscomb) writes:
>OK. Here's a good one. . .
Okay
>For whatever reason, one of our Business Profs decided to scan the
>copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67
(the current version of VIRUSCAN is V80)
>finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE. VIRUCIDE,
>scanning itself, finds nothing. SCAN also tells us that the file is
>compressed with LZEXE and is infected internally. Hmmmm.
This problem is due to an old version of VIRUCIDE containing the same
strings as VIRUSCAN and has been corrected for quite a while. I don't
remember the version of VIRUCIDE it was fixed in, but I believe it was
2.1x or 2.2x. The current version of VIRUCIDE that Parsons' Technology
is shipping is 2.30. They've got new packaging with a picture of what
looks like a beetle on the cover.
>Next step, we run SCAN 6.3V72 on VIRUCIDE.EXE, and the Kennedy virus
(still an old version of VIRUSCAN :-) )
>reveals itself again, but not the 12 Tricks Trojan. Hmmm. Next step,
>run the latest release of SCAN. Bingo, it finds Kennedy. All
>versions of SCAN that we throw at it find Kennedy and tell us that the
>file is LZEXE compressed.
Well, one out of two isn't bad. It is compressed with LZEXE.
>Now, a bit of info about VIRUCIDE: the file is 40209 bytes long, dated
>5-8-90. It appears to the user to be functioning properly, and even
A really old version of VIRUCIDE. Last time I looked at it, it was around
60 or 80Kb long...
>though SCAN says it's infected, nothing *apparently* happens to the
>system as a result. However, one of our techies is looking at the
>execution of the program, and has found that as VIRUCIDE scans a file,
>it also attempts to perform a write to side 0 track 0 sector 6, thus
>far unsuccessfully. One of the strings it attempted to write was
>"Disk Killer". Hmmmmm.
Hmm... VIRUCIDE shouldn't write to the disk, are you sure you aren't running
any other TSR anti-viral programs?
<paragraph about F-PROT not finding anything deleted here>
>Now, except for the suspicious attempts to write to the boot sector,
>it seems to me that McAfee SCAN is giving a false positive on the
>Kennedy virus in VIRUCIDE. VIRUCIDE (another, later version that
>scanned clean by everything we threw at it) and F-PROT don't identify
>anything. And an old version of SCAN identified the 12 Tricks Trojan.
>Unfortunately, I don't have any other disk scanners laying around that
>I can check it against. But our techies are looking a little more
>closely into this suspicious disk write behaviour exhibited by the
>suspect VIRUCIDE.
This is one of the subjects that continually comes up in comp.virus, so
let me reiterate it, at the possible expense of wasting bandwidth and
boring one or two of you: It's always a good idea to have the latest
version of anti-viral software available, and not rely on old, outdated
versions which may have compatibility problems of some sort or another.
Keep a copy of the last release on a floppy or somewhere safe as a backup
in case problems are reported and you need to migrate back to an older
version, but still, try to keep up to date and watch the network or the
manufacturer's BBS, fax, etcetera for notices of bugs in the software or
announcements of new releases...
>Any thoughts/ideas from the list at lagre, specifically the McAfee
>crew (since both SCAN and VIRUCIDE came from McAfee)? This is
>certainly something that our University will take into serious
>consideration as talks finalize on which product to go with as a
>campus standard.
Most of the comments are above :-)
>Thanks for your time!
Welcome.
Aryeh Goretsky
McAfee Associates Technical Support
- --
McAfee Associates | Voice (408) 988-3832 |
[email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 |
[email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
------------------------------
Date: 26 Aug 91 08:46:53 -0700
>From:
[email protected]
Subject: 4096 help needed (PC)
Hello
My PC is inficted by 4096 virus. I remove it by clean software but it
returnd back. Can anybody send me some information about it and
how remove it.
Thanks
Fuad B.
King Abdul Aziz University
Saudi Arabia - Jeddah
------------------------------
Date: 26 Aug 91 10:13:59 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Ghosting
padgett%
[email protected] (A. Padgett Peterson) writes:
> Vendors face the problem that while most viruses are
>relatively easy find in a program (commands are usually found at
>specific offsets), in memory the viral signature could be anywhere
>(well, almost anywhere) in memory. We are starting to see products
>that are more specific about where they look but while some viruses
>will only inhabit certain locations, others could be anywhere in RAM,
>high or low.
Well, almost all of the currect memory resident viruses contain their
signatures at a fixed offset of a paragraph boundary. You have only to
scan memory in 16-byte paragraphs and to check whether the signature
is at the known offset. This speeds up the things. Unfortunately,
there are still viruses like Whale that use run-time sliding window
encryption, but they are rare enough.
Anyway, the problem with "ghosting" has occured with files long time
ago. Some scanners still cause false positives because they find the
signature that another anti-virus program also uses. Fortunately, now
most self-respecting scanners use some kind of encoding (not
encryption!) and solve such problems. How much have we to wait, until
these scanners also clean up the memory they have used before exiting?
> In any event, as the number of viruses (and signatures)
>continue to increase and the avaialble signatures decrease, it would
>not be surprising to see the tendancy for ghosting as a result of
>using multiple products to increase.
IMHO, ghosting will decrease in the near future, because those that
make scanners sill become aware of it and will take measures against
it.
> Meanwhile, we still have the second of the two causes of
>ghosting to account for: the "disinfected" file.
> Here we have an oddity of DOS at work, the cluster. Consider a
>2k .COM file that contracts the Jerusalem (1808 bytes) virus. Many
>older machines with 32 Mb disks use a 4096 byte (4K) cluster size.
>This is the minimum disk quanta that DOS can allocate so the original
>file occupied 1 cluster (the minimum). Not surprisingly, the infected
>file also occupied 1 cluster, just filling more of it.
> When the virus disinfectant came along, chances are that it
>just removed the virus vector at the start of the program, replaced
>the first few bytes with the ones from the original file that the
>virus stored, and adjusted the file size. The virus is now
>disconnected and the code following the program is just noise.
Yeah, the same problem occures when someone browes such a disinfected
program with PCTools or Norton Utilities. I kept getting quiestions
like "why after disinfecting Dark Avenger with your program I still
can see the 'Eddie lives' message in files?", until I began to
overwrite the virus body with zeroes before disconnecting it from the
file. Now I think that every disinfector should perform this way,
regardless which virus is disinfected...
> However, unless the viral code is stripped off manually, it is
>still there and when the program is executed next, the whole cluster
>is mapped into memory and often into the disk buffer (though these
>generally have a finer granularity). If the program was larger than
>the scanner that runs next (obviously not in the example) or goes TSR,
>guess what is liable to happen ?
Well, I still cannot understand why a scanner should look for, say,
the Dark Avenger virus in DOS' buffers! McAfee's SCAN causes a ghost
false positive immediately after you copy an infected file...
Regards,
Vesselin
------------------------------
Date: Mon, 26 Aug 91 09:10:00 -0400
>From:
[email protected]
Subject: The Wisconsin Virus???!!! (PC)
HELLO, has anybody out there heard of the Wisconsin virus on the IBM
and compatibles? It showed up on one of our PC's here at Pitt and our
Virus scan software would not remove it. We have version 6.8B74 of
Virus Scan. Is this the latest version?
The only thing it does so far as I can see is it freezes up the PC and
it must be rebooted. Please reply if you know anything about this
virus.
Thank you.
Chris Kunselman
------------------------------
Date: 26 Aug 91 09:26:28 +0700
>From: Pim Clotscher <
[email protected]>
Subject: EICAR & CARO adresses needed
Please could somebody out there in free netspace tell me the
addresses, telephone numbers and E-mail addresses of EICAR and CARO?
They are virus security an -research centres is n't it? What exactly
stand the digits E.I.C.A.R. and C.A.R.O. for?? I remember to have read
info about these organisations on this list in the past, but I skipped
it that time...
Thank you very much,
- -----------------------------> Pim Clotscher <------------------------------
Erasmus University Rotterdam
E.R.C. - Computer Support Hoboken
Roomnumber : Ee2067
Dr. Molewaterplein 50 P.O. Box 1738
NL-3015 GE Rotterdam NL-3000 DR Rotterdam
the Netherlands
Tel: +31 (0)10 4087420
Fax: +31 (0)10 4362719 E-mail (Internet):
[email protected]
==============================================================================
------------------------------
Date: Fri, 23 Aug 91 18:32:52 +0000
>From:
[email protected] (Doren Rosenthal)
Subject: Virus Simulator available (PC)
--------------------------------------------------------------------
Virus Simulator - Safe and Sterile Virus Security Validation
--------------------------------------------------------------------
Virus Simulator version 2.0 is now available as shareware for
downloading from several sources including EXEC-PC (VIRSIM20.COM), SLO-
Bytes BBS (805) 528-3753 and Compuserve (VIRSM2.COM), as well as
directly from the author.
Virus Simulator generates controlled programs infected with the
signatures (only) of every known virus available. Because Virus
Simulator has ability to harmlessly compile and infect with safe
viruses, it is valuable for demonstrating and evaluating anti-virus
security measures without harm or contamination of the system. The
infected programs can be renamed and copied to other disks and
directories as bait for virus detecting programs.
Viruses are a form of terrorism and require many of the same
precautionary measures. Airports test the effectiveness of their
security measures in much the same way. An official disguised as a
passenger will attempt to bring a disarmed bomb through, trying to evade
security measures and avoid detection. Real viruses, like real
terrorists, are much more difficult to test with. The test viruses
generated by Virus Simulator are safe and sterile, but form a validation
test suite that trigger vigilant virus detectors.
Virus Simulator creates simulated test suites for every known virus
available at the time of release. These test suites are only safe and
sterile simulations to evaluate your security measures. A virus
detecting program is validated when it reports the simulations. Virus
detecting programs that fail to find these simulations may indeed
discover their real counterparts and variations, but should only be
trusted after that ability is demonstrated.
No virus protection program will ever be effective without the
cooperation of its users, and Virus Simulator provides a means to verify
compliance with established security procedures.
System Administrators should design their own tests to see which users
are practicing safe computing and complying with established safeguards.
The amount of user cooperation required by anti-virus programs varies.
Some users require more automatic and regimented procedures, and Virus
Simulator provides system administrators with a practical way to
evaluate the overall effectiveness of their security measures. These
simulated test viruses are sterile; they won't reproduce and spread by
themselves, so they have to be planted (copied). Such an exercise can go
a long way to raising the vigilance of complacent users, so when a real
virus attacks, destructive damage is held to a minimum.
Comments and suggestions are would be appreciated and should be
addressed directly to:
Doren Rosenthal Phone (805) 541-0910
Rosenthal Engineering
3737 Sequoia
San Luis Obispo, CA 93401 USA
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 148]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
