VIRUS-L Digest Wednesday, 28 Aug 1991 Volume 4 : Issue 150
Today's Topics:
Re: Hard disk locking ? (PC)
RE: where is VSUM9108.ZIP or TXT
Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
Re: Hard disk locking ? (PC)
Re: Polish anti-virus group info
Re: CPAV + SCAN conflict (PC)
Re: CARO / EICAR address
Norton reports "Italian" - help (PC)
Drive assignments... (PC)
CAPV conflict with FPROT116 (PC)
Ten Bytes False Positive with VIRX fixed (PC)
Re: CPAV + SCAN conflict (PC)
Dark Avenger's mutating engine (PC)
NoFBoot (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 27 Aug 91 17:43:44 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Re: Hard disk locking ? (PC)
[email protected] (Rob Slade) writes:
> I have long decried the fact that hard drive manufacturers still have
> not thought to include a cheap and simple write protect switch on hard
> drives. (Yes, I do know that most removable media drives have write
> protect tabs, I'd just like to find a drive under $1000 that'll do it.)
I understand the vendors: disk drives are hidden inside the case, and
it would require some extra hardware to do what you ask. Nowadays they
are cutting costs to the penny. All is not lost, however:
Seems to me that on a standard MFM or RLL drive, lead 6 on the 34-pin
cable is the WRITE ENABLE NOT lead. I forget what the logic is but
seem to remember that if you tie 6 to a logic "1" (+5 VDC most
likely), the disk never permits writes. Some experimenting and a DPST
switch should prove effective and cost less than U$1.00.
Padgett
"The clockwork on the inside goes"
------------------------------
Date: Tue, 27 Aug 91 16:31:05 -0700
From: [email protected] (Rob Slade)
Subject: RE: where is VSUM9108.ZIP or TXT
cadguest%[email protected] (CAD Group Guest Accoun) writes:
> But what is hypertext? Is it a shareware/freeware product? If yes,
> where can I get it?
Hypertext is more of a concept, sort of like "information processing"
or "spreadsheet". What is meant is that you should be able to quickly
access related information in order to explain a concept or term you
find.
In the case of VSUM, it is going a bit far to call it hypertext, but
the information is now in database format rather than the earlier
"plain text". The reader program is included in the .ZIP file.
By the way, I thought that "beach" had posted VSUMX107.ZIP, but when I
went to look for it, no luck.
=============
Vancouver         [email protected]   | "If you do buy a
Institute for     [email protected]   | computer, don't
Research into     (SUZY) INtegrity    | turn it on."
User              Canada V7K 2G6      | Richards' 2nd Law
Security                              | of Data Security
------------------------------
Date: 27 Aug 91 23:26:09 -0400
From: Robert McClenon <[email protected]>
Subject: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
Eric N. Lipscomb writes:
>OK. Here's a good one. . .
>
>For whatever reason, one of our Business Profs decided to scan the
>copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67
>finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE. VIRUCIDE,
>scanning itself, finds nothing. SCAN also tells us that the file is
>compressed with LZEXE and is infected internally. Hmmmm.
>
>it seems to me that McAfee SCAN is giving a false positive on the
>Kennedy virus in VIRUCIDE. VIRUCIDE (another, later version that
>scanned clean by everything we threw at it) and F-PROT don't identify
>anything. And an old version of SCAN identified the 12 Tricks Trojan.
>Unfortunately, I don't have any other disk scanners laying around that
>I can check it against. But our techies are looking a little more
>closely into this suspicious disk write behaviour exhibited by the
>suspect VIRUCIDE.
>
>Any thoughts/ideas from the list at large, specifically the McAfee
>crew (since both SCAN and VIRUCIDE came from McAfee)? This is
>certainly something that our University will take into serious
>consideration as talks finalize on which product to go with as a
>campus standard.
There have been previous reports to Virus-L of false positives where
one anti-viral package identified another as being infected. In
particular, reports of SCAN saying that VIRUCIDE might be the 12
Tricks Trojan have been common. These reports are indeed false
positives. There is a simple reason for them: an anti-viral scan
package looks for virus signature strings, and another anti-viral
package may legitimately contain the same virus signature strings.
These false positives would be even more common except that some
anti-viral packages conceal the signature strings by encryption.
False positives where one anti-viral package says another is infected
are common, and are caused by finding a signature in the signature
search code.
------------------------------
Date: 28 Aug 91 09:07:58 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Hard disk locking ? (PC)
[email protected] (Mark Aitchison, U of Canty; Physics) writes:
>attaining such high ideals in the typical pc workplace. A
>write-protect switch, or a card that can be removed, is not absolute
>protection, and people should not be given any false sense of
>security. If you know the situation well enough, you might be able to
>say that such things are "good enough" - but in some situations a
>software-only solution might also be good enough. I agree that
>hardware solutions are basically better, of course, and they should be
>built into the hardware rather than provided as add-ons, but it is
>important to avoid crediting hardware solutions with too much security
>when anyone could lift the lid and flick a switch or replace a card.
I've heard about the existence of "physically secure" PCs which, when
you turn the key to lock the keyboard, also slide lids over their
screws, so you cannot open the computer (and unplug any cards) if you
don't have the key... Well, you just need a larger hammer... :-)
Regards,
Vesselin
------------------------------
Date: 28 Aug 91 09:20:08 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Polish anti-virus group info
[email protected] writes:
>Has anybody heard of the "Polish Section of Virus Information Bank"?
>We have received a letter from them and would like to know more.
>Any information would be appreciated.
Yes, I know them. I know one of them (Andrzej Kadloff) personally and
have read some articles and have seen some disassemblies from Marek
Fillipiak. (Note: maybe the spelling of the names is not quite
correct, but I don't have them in front of me right now. If you are
interested, I can try to find the exact spelling and the addresses.)
Maybe there are others, but I have heard only about these two guys.
Both are quite capable anti-virus researchers. Their disassemblies are
wonderful, although they have the bad habit of commenting them in
Polish or in bad English... :-)
They have had the brilliant idea of creating some kind of map for
each virus, describing which parts of it are code, data, text, or
garbage, with the appropriate offsets of these areas from the virus
entry point and checksums of the unchanging parts. I had a student in
my anti-virus lab in Sofia design a program that generates such
maps automatically when you supply it with different files of the
same type (either COM or EXE), infected by one and the same virus.
Unfortunately, this method does not work with the encrypted and
mutating viruses. Currently at the VTC Morton Swimmer is developing a
special language which will permit describing how to decrypt an
encrypted virus and which parts of it to checksum. This will hopefully
improve the virus maps, and such maps could be used to determine
automatically and reliably whether an infected file contains a known
virus, or even whether two viruses are "close variants"...
>P.S. They seem to have a product called PCvirus (disk magazine)
Yes, this is true. Unfortunately, it is published in Polish. They had
plans to publish it in English too, but I don't know whether it will
happen soon.
Regards,
Vesselin
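The map idea in the message above, as an added illustration (not code from the digest, from the Polish group, or from the Sofia lab program): several samples infected by the same plain virus are aligned at the virus entry point, the byte ranges that never change are found automatically, and each such range is checksummed. A new sample is recognised when every checksum matches. The same routine run over XOR-encrypted copies of one body shows the limitation noted for encrypted and mutating viruses: only the tiny constant decryptor survives in the map. All "virus" bodies here are constructed dummy byte strings, and the minimum run length is an assumption.

```python
"""Automatic "virus map" builder: invariant byte runs of a non-encrypted
virus body, with CRC32 checksums, derived from several infected samples.
All sample bodies are constructed dummies, not real virus code."""
import zlib
from itertools import groupby

MIN_RUN = 4  # assumption: invariant runs shorter than this are ignored


def constant_positions(bodies):
    """Offsets (from the virus entry point) whose byte is identical in
    every supplied sample."""
    length = min(len(b) for b in bodies)
    return [i for i in range(length)
            if all(b[i] == bodies[0][i] for b in bodies[1:])]


def build_map(bodies, min_run=MIN_RUN):
    """Group the constant offsets into runs and CRC32 each run.
    Returns a list of (offset, length, crc32): the parts of the virus
    that do not depend on the host (code, text), with the variable parts
    (saved host bytes, host length, garbage) left out."""
    vmap = []
    # consecutive offsets share the same (index - offset) key
    for _, grp in groupby(enumerate(constant_positions(bodies)),
                          key=lambda p: p[0] - p[1]):
        offs = [o for _, o in grp]
        if len(offs) >= min_run:
            start, length = offs[0], len(offs)
            vmap.append((start, length,
                         zlib.crc32(bodies[0][start:start + length])))
    return vmap


def matches_map(body, vmap):
    """True when every checksummed run of the map is present in body."""
    return all(len(body) >= off + ln and zlib.crc32(body[off:off + ln]) == crc
               for off, ln, crc in vmap)


def coverage(vmap, body_len):
    """Fraction of the body the map pins down; low coverage is the
    symptom of an encrypted or mutating virus."""
    return sum(ln for _, ln, _ in vmap) / body_len


# --- constructed samples ---------------------------------------------------
CODE = bytes(range(0xE0, 0xE9))                    # 9 dummy "code" bytes
TEXT = b"Constructed sample, not a real virus"     # 36 fixed "text" bytes


def make_sample(host_head, host_len, garbage):
    """Constructed layout: [code][saved host head 3B][host length 2B]
    [text][garbage 4B]; only the middle fields vary from host to host."""
    return CODE + host_head + host_len.to_bytes(2, "little") + TEXT + garbage


SAMPLES = [make_sample(b"\x90\x90\x90", 1000, b"\x11\x22\x33\x44"),
           make_sample(b"\xb8\x00\x4c", 2345, b"\xaa\xbb\xcc\xdd"),
           make_sample(b"\xe9\x10\x00", 777, b"\x01\x02\x03\x04")]
VIRUS_MAP = build_map(SAMPLES)   # runs (0, 9) and (14, 36)

# The same body XOR-encrypted with a per-infection key byte: only the
# constant "decryptor" stub remains invariant, so the map says little.
DECRYPTOR = bytes(range(0xD0, 0xD5))               # 5 dummy bytes


def make_encrypted_sample(key, plain):
    return DECRYPTOR + bytes([key]) + bytes(b ^ key for b in plain)


ENC_SAMPLES = [make_encrypted_sample(k, SAMPLES[0]) for k in (0x11, 0x22, 0x33)]
ENC_MAP = build_map(ENC_SAMPLES)  # only run (0, 5)

if __name__ == "__main__":
    print("map:", [(o, n, hex(c)) for o, n, c in VIRUS_MAP])
    print("new host recognised:",
          matches_map(make_sample(b"\x00\x00\x00", 5, b"\xff" * 4), VIRUS_MAP))
    print("coverage plain %.2f, encrypted %.2f" % (
        coverage(VIRUS_MAP, len(SAMPLES[0])),
        coverage(ENC_MAP, len(ENC_SAMPLES[0]))))
```

The checksummed runs are what make the map useful against close variants: two bodies that share every run are the same virus, while a body that fails only one run is a candidate variant whose differing range can be inspected directly.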
------------------------------
Date: 28 Aug 91 09:34:46 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: CPAV + SCAN conflict (PC)
[email protected] (Jesse Chisholm AAC-RjesseD) writes:
>I was testing the CentralPoint Anti Virus package (CPAV) and found an
>interesting interaction with McAfee SCAN. If I run the full TSR in
>the CPAV package, VSAFE, then they get along OK. But if I run the
>faster and simpler, VWATCH, then SCAN v80 complains about the
>Pakistani/Brain virus being in memory. I suspect this is a false
>alarm from VWATCH holding in memory the patterns it is looking for
>when programs run, and SCAN finds them. I spent an hour checking my
>entire system the first time I got that message.
Yes, this is a false positive. Nevertheless, it's SCAN's fault to
scan the WHOLE memory for the Brain virus, while in fact the latter
could be only in its upper end...
Regards,
Vesselin
------------------------------
Date: 28 Aug 91 09:41:34 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: CARO / EICAR address
[email protected] writes:
> CARO = Computer Antivirus Research Organisation
> This is a group of researchers
> at present there are:
> Vesselin Bontschev (used to be Academy of science in Sofia,
> now University of Hamburg)
> Christoph Fischer (University of Karlsruhe Micro-BIT Virus Center)
> Fridrik Skulason (University of Reykjavik)
> Morton Swimmer (University of Hamburg)
> Michael Weiner (University of Vienna)
Hi, Chris!
You forgot:
Dr. Alan Solomon (S & S International, UK)
Prof. Klaus Brunnstein (University of Hamburg) (my current boss :-))
Or am I wrong?
Regards,
Vesselin
------------------------------
Date: Wed, 28 Aug 91 09:10:59 -0400
From: Alan Pierce <[email protected]>
Subject: Norton reports "Italian" - help (PC)
I have a question about a virus that was found by Norton Antivirus.
It found a virus called Italian - A that McAfee's SCAN v80 doesn't
seem to recognize. Can anyone give me any further info on this
"virus"? Thanks.
Alan Pierce
Technical Consultant
Office of Computing and Statistical Consulting
Cornell University
[email protected]
------------------------------
Date: Wed, 28 Aug 91 09:39:24 -0400
From: Alan Pierce <[email protected]>
Subject: Drive assignments... (PC)
A brief note on drive assignments to clear things up...
First 2 floppy drives: A and B
First hard drive:
    Primary partition: C
Drives will then be assigned in the following order:
    Secondary partition(s) on first hard drive
    Primary partition on second hard drive
    Secondary partition(s) on second hard drive
    Any other floppy/tape/misc. drives in the order they are installed.
Hope this helps.
Alan Pierce
Technical Consultant
Office of Computing and Statistical Consulting
Cornell University
[email protected]
------------------------------
Date: Wed, 28 Aug 91 14:48:46 -0400
From: "Vannevar Y. Yu" <[email protected]>
Subject: CAPV conflict with FPROT116 (PC)
I just installed my copy of Central Point Software's Anti-Virus
program and Frisk's FPROT 1.16 F-SYSCHK program flags CAPV's VSAFE as
the "Flip" virus. A call to Central Point Software's CAPV tech
support confirmed this anomaly. When I run F-FCHK /ALL through the
CAPV subdirectory, none of the files are flagged as "infected."
Incidentally, the tech support rep told me that this was the "problem"
with using "more than one anti-viral package." I would rather use a
couple of different anti-viral packages (knowing all the possible
conflicts) rather than trust just one package. Given the choice of
CAPV and FPROT, I would go with FPROT.
Vannevar Yu
------------------------------
Date: Wed, 28 Aug 91 12:01:05 -0700
From: [email protected] (Karyn Pichnarczyk)
Subject: Ten Bytes False Positive with VIRX fixed (PC)
I just spoke with Chris Hipgrave of Microcom (the Virex-PC vendor).
He just told me that VirX 1.4 (a demo version) as well as Virex 1.2
(full release) would identify a false positive of the Ten Bytes virus
(aka V-Alert, 1554) within the product Virucide v2.0. This has been
fixed in a later version, VirX 1.7 (demo version) and in the full
release of Virex 2.0, which was released August 28, 1991.
Karyn Pichnarczyk
CIAC
[email protected]
(415) 422-1779
------------------------------
Date: Wed, 28 Aug 91 18:48:11 +0000
From: [email protected] (McAfee Associates)
Subject: Re: CPAV + SCAN conflict (PC)
[email protected] (Jesse Chisholm AAC-RjesseD) writes:
>I was testing the CentralPoint Anti Virus package (CPAV) and found an
>interesting interaction with McAfee SCAN. If I run the full TSR in
>the CPAV package, VSAFE, then they get along OK. But if I run the
>faster and simpler, VWATCH, then SCAN v80 complains about the
>Pakistani/Brain virus being in memory. I suspect this is a false
>alarm from VWATCH holding in memory the patterns it is looking for
>when programs run, and SCAN finds them. I spent an hour checking my
>entire system the first time I got that message.
Your suspicions are correct. The VWATCH program stores its strings in
memory in plain (unencrypted) form, and if any of the strings match up
to those in SCAN, a false alarm is generated.
> -jesse
> [email protected]
Aryeh Goretsky
McAfee Associates Technical Support
--
McAfee Associates        | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street      | FAX   (408) 970-9727 | [email protected] (personal)
Santa Clara, California  | BBS   (408) 988-4004 |
95054-0253 USA           | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | or GO VIRUSFORUM
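The mechanism behind both this reply and Robert McClenon's earlier one, as an added illustration that is not code from the digest, McAfee or Central Point: a scanner whose signature table sits in the clear (in its executable or, like a resident monitor, in memory) is reported as "infected" by a second scanner searching for the same strings. Keeping the table in transformed form and comparing transformed data windows means the cleartext signature never exists in the scanner's file or memory. Signatures, file images and the XOR key are constructed dummy values.

```python
"""Why one scanner's plaintext signature table trips another scanner,
and one way to store signatures so the cleartext never appears.
All signatures and 'file images' are constructed dummy values."""

# constructed dummy signature table of a toy scanner (name -> bytes)
SIGNATURES = {
    "Dummy-A": bytes.fromhex("deadbeefcafe0102"),
    "Dummy-B": bytes.fromhex("0badf00d4242c0de"),
}


def scan_plain(data, sigs=SIGNATURES):
    """Naive scanner: plain substring search for every signature."""
    return sorted(name for name, sig in sigs.items() if sig in data)


def build_plain_scanner_image(sigs=SIGNATURES):
    """Simulated executable / memory image of a scanner that embeds its
    signature table verbatim (the situation described for VWATCH)."""
    return b"TOY SCANNER v1.0\x00" + b"".join(sigs.values()) + b"\x00END"


KEY = 0x5A  # constructed transform key (a constant, not a secret)


def transform(chunk, key=KEY):
    """XOR every byte with the key; applying it twice restores the input."""
    return bytes(b ^ key for b in chunk)


OBF_SIGNATURES = {name: transform(sig) for name, sig in SIGNATURES.items()}


def build_obfuscated_scanner_image(obf_sigs=OBF_SIGNATURES):
    """Same scanner, but its table holds transformed signatures only."""
    return b"TOY SCANNER v2.0\x00" + b"".join(obf_sigs.values()) + b"\x00END"


def scan_obfuscated(data, obf_sigs=OBF_SIGNATURES, key=KEY):
    """Transform each candidate window of the data and compare it with the
    stored transformed signature, so the cleartext signature is never
    assembled in memory and never sits in the scanner's own file."""
    hits = set()
    for name, osig in obf_sigs.items():
        n = len(osig)
        for i in range(len(data) - n + 1):
            if transform(data[i:i + n], key) == osig:
                hits.add(name)
                break
    return sorted(hits)


if __name__ == "__main__":
    v1 = build_plain_scanner_image()
    v2 = build_obfuscated_scanner_image()
    print("plain scanner vs plain image    :", scan_plain(v1))        # false alarm
    print("plain scanner vs transformed img:", scan_plain(v2))        # []
    print("transformed scanner vs own image:", scan_obfuscated(v2))   # []
    print("transformed scanner vs sample   :",
          scan_obfuscated(b"hello" + SIGNATURES["Dummy-B"]))          # ['Dummy-B']
```

A one-byte XOR is enough to stop verbatim matches between two products; it is not meant to hide the table from anyone who reads the program. The same cross-product alarm is also what a scanner sees in its own resident copy, which is why the memory scan in the thread had to be narrowed to where the virus could actually sit.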
------------------------------
Date: 28 Aug 91 17:33:46 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Dark Avenger's mutating engine (PC)
Hello, everybody!
Recently the so-called Dark Avenger's mutation engine was discussed on
this forum. As I already noted, it can indeed be used to produce
mutating viruses, but they will all be related to the
1226/Proud/Evil/Phoenix family. I also promised to publish scan
strings for such viruses. Well, here they are.
Using SCAN's format to add user signatures, all such viruses can be
detected by using the wildcard description:
#P1 related virus (the weird name that McAfee uses)
#More exactly - a virus, generated by
# the Dark Avenger's mutating engine
"95?0001?03?8B?33*(5)33?22*(4)F8?31?22*(4)F8" P1r [P1r]
Well, that is the theory; unfortunately there seems to be a bug in
SCAN's external virus definition parser, since the above string
confuses it. The scan string is constructed strictly according to the
documentation - there are no more than 10 wildcards in it.
Nevertheless, the only way to force SCAN to swallow it is to shorten
it a bit, like this:
"95?0001?03?8B?33*(5)33?22*(4)F8?31?22" P1r [P1r]
I hope that someone from McAfee Associates (Aryeh?) will explain why
the first string does not work, since the shortened string will
probably cause more false positives.
Well, let's now look at another scanner, namely HTScan. Its entry looks
like this:
;
Phoenix related virus
COM HIGH
95??0001??03??8B??33*533??22*4F8??31??22*4F8
;
TbScan accepts the same format, but I found it to be somewhat less
reliable. Also, it is not able to cope with scan strings that have a
wildcard in the second byte - it requires that the first two bytes of
the virus signature be free of wildcards. Note that this restriction
also applies to all versions of HTScan prior to 1.15.
But with version 1.15 we can also use the extended wildcard language
that was posted by Jan Terpstra here some time ago. This way we can
use the fact that some nibbles of the virus' signature never change
and therefore can obtain a much more reliable virus scan string. Here
it is:
;
Phoenix related virus
COM HIGH
95B?00014?03??8B??33??B?*25?33??224?4?4?7?F85?31??224?4?4?7?F8
; --
Well, maybe someone who has the MUTATE.ASM file (Frisk?) has
understood the exact algorithm that it uses to change the registers
that are used during the decryption process. If this is the case, he
might be able to provide an even more specific wildcard string (if
he's able to determine that some nibbles never change, and therefore
to replace the respective nibble of one of the ?? bytes by its
constant value).
Note that in the string above the two consecutive wildcard bytes
(those that are "underlined") contain the infective length of the
virus. Also, in the HTScan entries, HIGH means that the virus has to
be searched for in memory only above the current PSP. All viruses of
the Phoenix family that currently exist install themselves there;
however, it is possible for a new virus to use a different area, so I
would suggest adding the keyword LOW as well.
A last note: all such viruses can infect only COM files.
Regards,
Vesselin
P.S. I don't know much about copyright, so I dedicate the above
signatures to the public domain. They can be used freely in any
commercial and/or non-commercial program. In short, you can do with
them whatever you wish. Well, I used the computers at the VTC Hamburg
to determine them, so if something is not legally OK, please tell me.
And, of course, I do not warrant anything, except that during my tests
the signatures matched all examples of the mutating code that I
generated. :-)
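The two wildcard formats quoted in this message, worked through as an added example (not code from the digest, McAfee, HTScan or TbScan): a parser for the SCAN external-signature format ('?' = one wildcard byte, '*(n)' = n wildcard bytes) and for the HTScan format ('??' = wildcard byte, '*n' = n wildcard bytes, '?' inside a pair = wildcard nibble), plus one matcher over (value, mask) byte pairs that serves both. It checks the wildcard count claimed for the SCAN string, confirms that the nibble string from HTScan 1.15 is strictly tighter than the plain one, and shows on a constructed buffer why the shortened SCAN string can match where the full one does not. Assumption: in the HTScan format '*' is followed by a single decimal digit, which is the only reading that keeps the nibble string the same length as the plain one. The sample buffer is synthesised from the pattern itself and is not virus code.

```python
"""Parser and matcher for the SCAN and HTScan wildcard signature
formats quoted in the message.  Internally every signature is a list of
(value, mask) byte pairs.  Sample data is constructed, not virus code."""

SCAN_FULL = '"95?0001?03?8B?33*(5)33?22*(4)F8?31?22*(4)F8" P1r [P1r]'
SCAN_SHORT = '"95?0001?03?8B?33*(5)33?22*(4)F8?31?22" P1r [P1r]'
HT_PLAIN = "95??0001??03??8B??33*533??22*4F8??31??22*4F8"
HT_NIBBLE = "95B?00014?03??8B??33??B?*25?33??224?4?4?7?F85?31??224?4?4?7?F8"

ANY = (0x00, 0x00)  # wildcard byte: no bits fixed


def _scan_string(entry):
    """Reduce a SCAN entry ('"hex" name [short]') to the quoted hex string."""
    return entry.split('"')[1] if '"' in entry else entry


def scan_wildcard_tokens(entry):
    """Number of wildcard tokens ('?' and '*(n)') in a SCAN entry."""
    s = _scan_string(entry)
    return s.count("?") + s.count("*")


def parse_scan(entry):
    """SCAN format: hex byte pairs, '?' = one wildcard byte,
    '*(n)' = n wildcard bytes; the names after the string are ignored."""
    s = _scan_string(entry).upper()
    pat, i = [], 0
    while i < len(s):
        if s[i] == "?":
            pat.append(ANY)
            i += 1
        elif s[i] == "*":
            close = s.index(")", i)
            pat.extend([ANY] * int(s[i + 2:close]))
            i = close + 1
        else:
            pat.append((int(s[i:i + 2], 16), 0xFF))
            i += 2
    return pat


def parse_htscan(sig):
    """HTScan/TbScan format: hex pairs, '??' = wildcard byte, '*n' = n
    wildcard bytes (assumed single digit), '?' in a pair = wildcard nibble."""
    s = sig.upper()
    pat, i = [], 0
    while i < len(s):
        if s[i] == "*":
            pat.extend([ANY] * int(s[i + 1]))  # assumption: one-digit count
            i += 2
        else:
            hi, lo = s[i], s[i + 1]
            val = (int(hi, 16) << 4 if hi != "?" else 0) | (int(lo, 16) if lo != "?" else 0)
            mask = (0xF0 if hi != "?" else 0) | (0x0F if lo != "?" else 0)
            pat.append((val, mask))
            i += 2
    return pat


def find(pattern, data):
    """Offset of the first match of pattern in data, or -1."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all((data[i + k] & m) == v for k, (v, m) in enumerate(pattern)):
            return i
    return -1


def refines(strict, loose):
    """True when everything strict accepts, loose accepts too: strict can
    only give fewer false positives."""
    return len(strict) == len(loose) and all(
        (ms & ml) == ml and (vs & ml) == vl
        for (vs, ms), (vl, ml) in zip(strict, loose))


def synth(pattern, filler=0x33):
    """Construct bytes satisfying pattern, filling wildcard bits with filler."""
    return bytes(v | (filler & ~m & 0xFF) for v, m in pattern)


FULL, SHORT = parse_scan(SCAN_FULL), parse_scan(SCAN_SHORT)
HT, HTN = parse_htscan(HT_PLAIN), parse_htscan(HT_NIBBLE)

# constructed buffer: padding, one synthetic match, padding
SAMPLE = b"\xcc" * 10 + synth(HTN) + b"\xcc" * 10
# the same buffer with the final fixed byte (F8) damaged: the full string
# no longer matches, the shortened one still does
DAMAGED = bytearray(SAMPLE)
DAMAGED[10 + len(FULL) - 1] ^= 0xFF
DAMAGED = bytes(DAMAGED)

if __name__ == "__main__":
    print("SCAN wildcards:", scan_wildcard_tokens(SCAN_FULL), scan_wildcard_tokens(SCAN_SHORT))
    print("lengths:", len(FULL), len(SHORT), len(HT), len(HTN))
    print("nibble string tighter than plain:", refines(HTN, HT))
    print("full/short on damaged buffer:", find(FULL, DAMAGED), find(SHORT, DAMAGED))
```

Both SCAN strings and the plain HTScan string parse to the same 32-byte pattern, and the SCAN string really does contain exactly 10 wildcard tokens, which is the point of the complaint about SCAN's parser; the 27-byte shortened string is a pure prefix, so any buffer the full string rejects only because of its tail will still be reported by the short one.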
------------------------------
Date: Wed, 28 Aug 91 15:25:27 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: NoFBoot (PC)
Thanks to Mark Aitchison in New Zealand, the alpha version of
NoFBoot is available. A TSR, it occupies ca. 500 bytes when loaded
low and can be loaded high if desired.
It seems to work and should not interfere with anything, though
I would suspect that it should be loaded before programs using
ctrl-alt sequences (will get DesqView loaded & try RSN).
There are actually two programs: NoFBoot and SumFBoot. The
first disallows warm boots from floppies entirely when invoked with
ctrl-alt-del, while the second allows a floppy boot to be invoked via
ctrl-alt-F.
If anyone would care to try "alpha" freeware, I can send it
via uuencoded .ZIP.
IMHO when coupled with a good integrity checker from the BIOS
level, checksum routine for known programs and signature scanner for
unknown programs, this should provide reasonable protection against
everything except a reset (cold boot) from an infected floppy. Only
custom hardware or a special BIOS can do more.
Padgett
"FreeWare: worth every penny you didn't pay for it"
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 150]
******************************************