VIRUS-L Digest Tuesday, 27 Aug 1991 Volume 4 : Issue 149

VIRUS-L Digest Tuesday, 27 Aug 1991 Volume 4 : Issue 149

Today's Topics:

Re: Hard disk locking ? (PC)
Polish anti-virus group info
CPAV + SCAN conflict (PC)
Re: Hardware and software protection mechanisms
Re: Self-scanning executables (PC)
Re: Can a virus be LAGAL?!
Re: Hard disk locking (PC)
Scan Memory (was: Questions regarding Novell, Viruses & policy)
Re: CARO / EICAR address
Re: copyright of infected files
Re: Ghosting
Preventing boot from floppy - problem with Int 13 from TSR (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 27 Aug 91 11:49:00 +1200
>From: "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: Hard disk locking ? (PC)

[email protected] (Rob Slade) writes:
> I have long decried that fact that hard drive manufacturers still have
> not thought to include a cheap and simple write protect switch on hard
> drives. (Yes, I do know that most removable media drives have write
> protect tabs, I'd just like to find a drive under $1000 that'll do it.)

I agree.

> It was pointed out to me at a recent seminar, by one of the attendees who
> had access to a bunch of old equipment, that very old hard drives for
> PC's, based on mainframe models, did, indeed, have such a switch.

Well, I've got a 12.5Mb disk drive with a write-protect switch. It
also has a switch that (from memory) makes either the hard disk or the
floppy drive the bootable drive. Apart from the fact that it is a 19"
rack-mounting monstrosity, and designed to run on a Data General
minicomputer, I'd be happy to sell it to you ;-)

Seriously, how come modern manufacturers *uninvent* features that were
presnt on minicomputers a decade or two ago?? I am interested in
security, not only against viruses and fiddling, but against
breakdown; it seems that old ideas of dual porting and watchdog timers
and so on have gone, yet the need for them is at least as great.

When the computer was in one, big room, it was easy to make it
physically secure and control its environment. The present discussion
of "absolute security" being impossible with software-only measures,
although having some merit, should consider the difficulty in
attaining such high ideals in the typical pc workplace. A
write-protect switch, or a card that can be removed, is not absolute
protection, and people should not be given any false sense of
security. If you know the situation well enough, you might be able to
say that such things are "good enough" - but in some situations a
software-only solution might also be good enough. I agree that
hardware solutions are basically better, of course, and they should be
built into the hardware rather than provided as add-ons, but it is
important to avoid crediting hardware solutions with too much security
when anyone could lift the lid and flick a switch or replace a card.

In the mean time, the best way to stop anyone putting a virus on your
computer is to stick a write-protect tab on the magnetic surface of
the hard disk drive. Okay, it stops *all* accesses to the disk, and
the surface is ruined when you take the tab off, but it is *absolute*
protection! ;-)

Mark Aitchison
(e-mail debates welcome)

------------------------------

Date: Tue, 27 Aug 91 11:55:00 +1000
>From: [email protected]
Subject: Polish anti-virus group info

Has anybody heard of the "Polish Section of Virus Information Bank".
We have recieved a ;letter from them and would like to know more.

Any information would be appreciated.

Wayne Boxall
Computer Virus Information Group
Queensland University of Technology

P.S They seem to have a product called : PCvirus (disk magazine)

------------------------------

Date: 27 Aug 91 07:07:43 +0000
>From: [email protected] (Jesse Chisholm AAC-RjesseD)
Subject: CPAV + SCAN conflict (PC)

I was testing the CentralPoint Anti Virus package (CPAV) and found an
interesting interaction with McAfee SCAN. If I run the full TSR in
the CPAV package, VSAFE, then they get along OK. But if I run the
faster and simpler, VWATCH, then SCAN v80 complains about the
Pakistani/Brain virus being in memory. I suspect this is a false
alarm from VWATCH holding in memory the patterns it is looking for
when programs run, and SCAN finds them. I spent an hour checking my
entire system the first time I got that message.

- -jesse [email protected]
- --
| "Don't just do something, stand there!" | "Curiouser and curiouser!"
| -- The White Rabbit | -- Alice

------------------------------

Date: Tue, 27 Aug 91 05:39:30 -0400
>From: Valdis Kletnieks <[email protected]>
Subject: Re: Hardware and software protection mechanisms

>Date: Fri, 23 Aug 91 01:02:00 +0000
>From: William Hugh Murray <[email protected]>
>
>....
>That having been said, there is still a kernel of truth here. That is,
>hardware mechanisms may not be as vulnerable to software is as is other
>software. On the other hand, the strength of hardware mechanisms is
>limited by the laws of physics, while software mechanisms can be made
>arbitrarily strong.

Actually, this last sentence is not *quite* true. You *cannot* make a
software mechanism "arbitrarily strong" in the mathematician's sense -
this is an outcome of Godel's Theorem and the Turing Halting Problem.
Interested readers are referred to Hofstaeder's "Godel, Escher, Bach"
- - in particular, the sections of the Dialogues dealing with record
players and records that destroy them....

However, it *should* be noted that any "attack software" capable of
mounting a Godelian attack on a system would most probably be well
past the point of "economic return"... So it is *quite* possible to
create a software mechanism that is "strong enough to resist any
plausible threat in production usage".

Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute

------------------------------

Date: 27 Aug 91 10:54:27 +0000
>From: [email protected] (Laura Creighton)
Subject: Re: Self-scanning executables (PC)

[email protected] (Eric Vaitl) writes:
> I started thinking about self scanning executables again.
>Unfortunately, it was way to easy to write myself a virus which gets
>around the whole damn thing. Here is what it does: When the victim
>program is activated, the virus gets control. The virus then totally
>removes itself from the program on the disk (remember, the victim's
>name is in the psp). The virus then hooks itself into the timer
>interrupt and the idle interrupt and goes tsr. Two timer ticks later
>a flag is set and on the next idle interrupt the virus loads and
>executes the original program. Any self scanning the original program
>does won't find anything. About ten minutes after going tsr, the virus
>sets another flag. On a following idle interrupt, the virus attacks
>two .exe files in the hard disk. It then unhooks the interrupt vectors
>and returns it's saved memory to dos.
> I'm not a real whiz at assembler programming and I was able to get
>this thing under 2k and write it over the weekend.

You are damn right, absolutely damn right. That is the
way to write it and it seems close to impossible to detect.
That is how I wrote mine.

aside ----

remeber the big Internet Crash?

At the time it happened, I had just written such a program for Chevron
who hired me to demonstrate that no cracker could get in. Instead, I
kept claiming that they were wide open. So I wrote such a program,
and ran it on isolated ``secure'' systems to tell them that they had a
real damn actual problem here, and hiring me to cover it up wouldn't
work....

Bingo. TV coverage of the Internet crash happens after I come home
from a theatre evening, and my first thought was, holy shit, this was
not what I was promised, an isolated non-internet community, and my
problem has spread to the whole damn Internet. Oh hell! They will
barbq me and maybe jail me... oh shit....

And I phone around and discover that it is another, more simple minded
problem.

And life goes on, I convince Chevron, I get paid, all is happy.... I
needed to write a virus in order for them to see that they had a
problem. But I trusted them that their machines were isolated. I got
lucky, that was true.

But that is pure luck.

If you ever get to write a virus for a company make damn certain that
it is off the internet before you go to work.

I lucked out.

Don't make that mistake.

Laura

------------------------------

Date: Tue, 27 Aug 91 12:52:17 +0000
>From: [email protected] (Terry N Reeves)
Subject: Re: Can a virus be LAGAL?!

[email protected] (Yaron Bloom) writes:
>I haven't
>heard of a law agains viruses, have you? One more point: Viruses may
>be thought as a way of corrupting other user's data.

Under the laws of the United States and many of the states within it,
viruses are illegal for exactly the reason stated - the alter the data
or programs of others.

Further comments about viruses being the just deserts of pirates are
ill informed at best. Many many people have been harmed by viruses
without being pirates. In any case punishment for copyright violation
is a matter for the courts not "progammmer-vigilantes"
- --
_____________________________________________________________________________
| That's my story, and I'm sticking to it! |
|_____________________________________________________________________________|
| Public Sites micro software support | [email protected] |

------------------------------

Date: 26 Aug 91 15:50:47 -0400
>From: Jon Freivald <[email protected]>
Subject: Re: Hard disk locking (PC)

>>It requests a password on boot (installs via config.sys). If the
>>system is booted via floppy disk, the hard disk cannot be accessed
>>without running a special utility on the PC-Vault diskette (unlike a
>>couple other programs where you just plain can't access the hard disk
>>period!).
>
>As I wrote in one of my previous postings, it depends on what do you
>understand by "cannot". You probably mean that when DOS boots, it
>cannot recognize the disk (says "invalid disk drive" when you try to
>switch to that disk). This, of course, does not mean that the disk is
>not accessible to BIOS (using INT 13h, not INT 25h/26h). More
>exactly,
>this means that any boot sector virus that is able to infect MBRs
>(Master Boot Records - where the partition table resides), will be
>able to infect a disk "protected" in this way.
>
>Such protection schemes usually install themselves in the MBR, then
>either encrypt the partition table, or move the original MBR to
>another place. If a virus attacks such disk, it will just install
>itself in the MBR and move the MBR, containing the protection program
>to another place. When the computer is booted, the virus receives
>control, stays resident in memory, then reads the moved MBR and
>transfers control to it. Since the protection program resides there,
>it will just ask for the password and so on.
>
>Since all MBR infectors use BIOS to access the disk, there is no
>possibility to "hide" the disk from them. It is possible, however, to
>disinfect the disk automatically on reboot, but this is another
>story.

You are indeed correct. I was answering in the same context as I
percieved the question to have been asked - that of keeping an
"average" user from "borrowing" the system. My brother proved to me
that someone who knows what he's doing can circumvent it in well under
an hour (I think he got in - actually booting from the HD - in about 12
minutes or so...), however, I run a 165 user LAN & it stops them *all*
dead in their tracks... Good enough for the intended purpose.

Yes, I should be much more careful about using words like "can't" in a
conference that attracts so many technically proficient people. (When
I was working as a machinist the easiest way to get a project out of me
was to insinuate that I couldn't do it with the equipment at hand...!)

Chastisement accepted constructively...

Regards,

Jon

------------------------------

Date: 27 Aug 91 11:13:20 -0400
>From: "David.M.Chess" <[email protected]>
Subject: Scan Memory (was: Questions regarding Novell, Viruses & policy)

>Date: Thu, 22 Aug 91 15:16:11 -0400
>From: padgett%[email protected] (A. Padgett Peterson)

>* - At present I know of no virus scanner other than McAfee's that can
>scan memory only for resident viruses (and he does not document it).
>The CHKHI switch for high memory is a recent addition.

The IBM Virus Scanning Program can do that: "VIRSCAN -MEM" to scan
only memory for only the dangerous viruses, or "VIRSCAN -MEM -G" to
scan only memory for all viruses.

DC

------------------------------

Date: Tue, 27 Aug 91 17:17:17 +0600
>From: [email protected]
Subject: Re: CARO / EICAR address

Hi, here are infos you requested:

CARO = Computer Antivirus Research Organisation
This is a group of researchers
at present there are:
Vesselin Bontschev (used to be Academy of science in Sofia,
now University of Hamburg)
Christoph Fischer (University of Karlsruhe Micro-BIT Virus Center)
Fridrik Skulason (University of Reykjavik)
Morton Swimmer (University of Hamburg)
Michael Weiner (University of Vienna)

EICAR = European Institute of Computer Antivirus Research
The above members and a couple of other people will found
this officially on 23rd of September during the European Conference
on computer viruses in Brussles 24th to 25th of September.
This is an industry, science, and user organisation.

The address of the secretariat will be in Belgium. As an interim solution
you might contact any of the above institutions.
More will follow after the officiall founding.....
A invitation to the conference will be posted as soon as I have the final
text.
Sincerely
Christoph Fischer

Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: [email protected]

------------------------------

Date: Mon, 19 Aug 91 20:05:16 -0600
>From: [email protected]
Subject: Re: copyright of infected files

[email protected] (Warren Burstein) writes:
>It occurred to me that anyone who deals with viruses must of course
>have a collection of infected files for comparison, dissasembly, and
>testing of anti-viral methods. It would not be surprising for such
>people to thereby acquire lots of copies of software that they don't
>have licenses for (and what if the virus has a copyright, too :-) ?).
>Not that they ever intend to use the software for its intended
>purpose, but might the manufactures get upset anyway?

An interesting point. The manufacturers would certainly be upset if
this person were to distribute a) illegal, and b) infected copies of
their software. If he contributed to the safer use of the
manufacturers software through his having an infected copy, I think it
quite unlikely that they would charge him with copyright infringement.

Copyrighted viruses?! Actually, the sort of person who gets his
jollies inflicting the rest of the world with his ego, just _might_ be
stupid enough to try to charge those infected with having illegal
copies. It would make an interesting plot for a novel, but I don't
think we'll see it in the news.

- -------------------+-------------------------------------------
Al Dunbar |
Edmonton, Alberta | Disclaimer: "not much better than
CANADA | datclaimer"
- -------------------+-------------------------------------------

------------------------------

Date: Tue, 27 Aug 91 13:03:30 -0600
>From: [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Ghosting

A few previous postings have talked about the "ghosting"
effect some scanners cause: false positives because of remnants
of viruses on disk or in memory. I had an interesting experience
with this effect recently.

At U of Alberta we have been installing DiskSecure and FPROT
in all our computer labs. When we added an "f-disinf" line to
our autoexec.bat file, a couple computers reported an infection
by the Empire virus, on boot-up. This seemed odd, since DiskSecure
was already in place, and CHKSEC had reported that DiskSecure was
working ok. On inspection, we found that what we were seeing was
a ghost effect:

DiskSecure was in its proper place in sector 1. DiskSecure
had properly copied the "real" partition table to its favorite hiding
places. But these couple stations previously had had an infection by
the empire virus, and the main partition table had been rebuilt (months
ago) using Norton Disk Doctor. NDD puts the partition table code and
error statements into place, and builds the table, but leaves the
remaining bytes of the sector (almost half the sector) unchanged. So
the remnants of Empire were still to be seen in these remaining bytes.

On boot-up, DiskSecure was working, so when f-disinf asked to see
the main partition table, DiskSecure showed it (using stealth) the
"clean" main partition table, which still had a few remnants of
the Empire virus in it. My complements to Frisk: f-disinf caught these
remnants (despite the fact most of them were randomly encrypted) and
recognised an "infection" present.

A ghosting error like that is one I am quite willing to live with. It
suggests Frisk is using a good scan string. And it re-affirms Padgett's
continual contention, that general users should use virus detection tools
to trigger a warning, then get competent technical help in to do the
testing / clean-up. Third observation you might have made: using
"f-disinf c:" in the autoexec.bat on a DiskSecure-protected computer
is not terribly useful, given DiskSecure's "stealth" techniques. Except
maybe for finding this kind of a ghosting effect!

Tim Martin
University Of Alberta
** The opinions expressed are my won: my employer has none **

------------------------------

Date: Tue, 27 Aug 91 15:28:03 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Preventing boot from floppy - problem with Int 13 from TSR (PC)

Having finally found some free time, I started looking at a "kill
floppy boots" TSR. The criteria was to:
1: Trap cntrl-alt-del sequence
2: Check for floppy in drive A:
3: Disallow boot if floppy in drive
4: Provide separate mechanism for a maintenance floppy boot
(cntrl-alt-F)

The code itself is not difficult and takes up about 800 bytes as
a TSR (0 impact with DiskSecure) but I ran into a glitch with the
floppy detection sequence. The code used looks like this:
(see Ray Duncan's BIOS book in the description of INT 13 fn 04)

MOV SI, 0003 ;try three times
LP1: MOV AX, 0401 ;verify one sector
MOV CX, 0001 ;sector 1, head 0
MOV DX, 0000 ;track 0, drive 0 (BR floppy A)
INT 13
JNC XXX ;NC = floppy in drive. C = access failed
DEC SI ;(try three times with reset before each retry)
JZ YYY ;ZR = assume no floppy in drive
XOR AX,AX ;reset drive
INT 13
JMP LP1

(code simplified for readability but does the essentials).

The problem is that this works just fine when run as a .COM but
as soon as it is installed TSR & invoked from a ctrl-alt-del
sequence, it runs bog sloooow & is not always accurate. This was
reproducable both on an 8088/DOS 3.3 and a 386/DOS 5.0. The
question is, does anyone know why & how to fix ? I know that
eventually a workaround can be found but can't spend a lot of
time on it. Once the One True Answer is found, the TSR will be
posted as FreeWare.
Padgett

386 the .COM runs in 1-3 seconds. When TSR it takes 10-13
seconds. I assume (you know what that means) that some kind
of additional setup is necessary & done by DOS for a .COM
ps: thought of floppy door flag but it is not necessarily set or
universally used.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 149]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253