VIRUS-L Digest   Tuesday,  3 Sep 1991    Volume 4 : Issue 152

Today's Topics:

How Many Anti-Virus Sales?
Re: Virus Simulator available (PC)
F-PROT version 2.0 (PC)
Re: Virus Simulator available (PC)
re: The Tenbytes virus (PC)
Vshield not loading into high memory?
Viruses more common in Mac environment?
Re: Drive assignments (PC)
Hard Disk Locking (PC)
Re: Virus Simulator available (PC)
Re: Self-scanning executables (PC)
FPROT200.ZIP - The F-PROT anti-virus package, with a 'new look'
FPROT200.ZIP available (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 30 Aug 91 13:40:00 +0000
From:    Sanford Sherizen <[email protected]>
Subject: How Many Anti-Virus Sales?

Does anyone have any guesstimates about the aggregate number of sales
of anti-virus products?  One measure of how serious the interest
is in the virus problem is to compare how many anti-virus packages
(covering the various options) have been sold and/or are in use.  That
number could be compared to some baseline of the number of PCs,
networks, etc. as well as changes in the number of viruses.  I will
summarize responses for Virus-L.

Thanks

Sandy

------------------------------

Date:    Fri, 30 Aug 91 08:05:02 -0700
From:    [email protected]
Subject: Re: Virus Simulator available (PC)

Fridrik Skulason IN VLD #151:

>>Saying that something is "infected with virus signatures" is
meaningless nonsense.  A program is either infected with a virus or it
is not - creating a file which contains bits and pieces from a virus
does not make it virus infected<<

True enough, as far as you go... however:

>>therefore there is no reason why
an anti-virus program should report any of the files it creates to be
infected<<

Since most anti-viral programs use the same search strings, it's reasonable to
assume that if it can't find the simulation, an anti-viral product using
these published strings won't find the real thing, either.

>>> The infected programs can be renamed and copied to other disks and
> directories as bait for virus detecting programs.

So what ?<<

The so what is simple, and it amazes me that you don't see it! How about
someone developing an anti-viral product that wants to have some kind of test
pattern?

>>>   terrorists,  are  much  more difficult to test with.  The  test  viruses
>   generated by Virus Simulator are safe and sterile, but form a validation
>   test suite that trigger vigilant virus detectors.

Bullsh*t!

The files created by the Virus Simulator may cause some virus scanners
to trigger in some cases, but a perfect virus detector should be able
to determine that the files are not viruses, and should not trigger at
all.<<

Tell ya what: You write a perfect detector, and then get back to me. Perhaps
you can help pay my telco bills with all the money you'll be making.

>>The only thing the Virus
simulator is able to test is if virus scanners which use publically
available signatures, which are included in the Virus Simulator will
indeed detect the viruses they claim to detect. <<

Ah, so now we come to the heart of the matter: You, apparently, are a proponent
of using /NON/-published strings to scan against. OK, I see some merit in this.
Keeping the creeps guessing what strings you're using might serve to hold them
off somewhat. I can also see the idea of using published strings.

I guess what it comes down to is that the usefulness of such a device depends
on the type of scanning you are using or developing.

------------------------------

Date:    Fri, 30 Aug 91 15:08:38 +0000
From:    Fridrik Skulason <[email protected]>
Subject: F-PROT version 2.0 (PC)

This version of F-PROT is now (finally) ready.  There are several
significant changes from the last version.

  1) Fewer programs - the old version had around 20 programs, some
     with overlapping functions - the new version only has two - the
     resident part and the main program.  Some functions have been
     removed from the package - in some cases they were outdated or
     just not good enough - in other cases they were more or less static
     (F-MMAP for example), so there was no need to include them in a
     regularly updated package.

  2) Totally redesigned user-interface. It is possible to use command-line
     options like before, but it is primarily menu-driven now.

  3) Faster scanning - the "Quick Scan" option is....well....a lot faster
     than the old one....

  4) Heuristic analysis - generic analysis of programs intended to detect
     unknown viruses.  It is still in the experimental stage, but seems
     to have around 90% chance of detecting any unknown viruses.

  5) Plus a whole lot more..."pop-up" virus information...simplified
     installation...improved support for multiple languages..improved
     variant identification...

I have sent the program to SIMTEL20, and it should appear there and on
other archive sites soon - just give it a few days...

I have been busy the past weeks finishing the program, and meanwhile mail
has been piling up in my E-mail box - if you have sent me mail recently
and not received a reply it is probably one of the 250+ messages waiting.

My plan is to spend the next week answering my mail - and then I'm off...
first to the Virus conference in Jersey, then on a two week vacation
somewhere far from all computers....Don't expect to be able to reach me
between Sept. 7th and Sept. 29th.

-frisk

------------------------------

Date:    30 Aug 91 10:57:48 -0400
From:    "David.M.Chess" <[email protected]>
Subject: Re: Virus Simulator available (PC)

> From:    Fridrik Skulason <[email protected]>
>
> I fail to understand why the author of this program believes that
> anyone might find it of any use whatsoever.

I have to agree with Fridrik.  This product's only conceivable use is
to make sure that some specific anti-virus program, the one that the
author of the "simulator" got his signatures from, is installed and
working correctly.

It cannot be used to correctly test other anti-virus products; in
fact, as Fridrik says, any anti-virus product that identifies the
output of the "simulator" as virus-infected will be, strictly
speaking, wrong!  The results obtained from testing any anti-virus
product with this "simulator" will be essentially meaningless.

If, for instance, a product identifies the simulator's dummy files as
infected, it really tells you nothing about how it will react to
real-life files.  It may report other not-really-infected files as
infected, for instance.  If some other product does not identify the
dummy files as infected, that tells you nothing about how it would
react to actually-infected files; it might very well detect them all
correctly!

I say all this having no idea how IBM's anti-virus products fare when
exposed to the "simulator".  *8) If anyone tries it, I would actually
be grateful if they would *not* tell me, and *not* post the results
here, as they can only cause confusion.

The "simulator" is not a bad idea at heart; people often want a way to
figure out if their anti-virus software is correctly installed and
working.  But this particular approach, particularly given the tone of
the claims the author makes for it, is much too likely to mislead.  I
think a more promising approach would be for each anti-virus program
to have a corresponding test suite, which would contain a few files
that the anti-virus program would report as infected (or as
"containing the test signature", or something like that).  Any further
thoughts in that direction?

DC

------------------------------

Date:    30 Aug 91 12:17:14 -0400
From:    "David.M.Chess" <[email protected]>
Subject: re: The Tenbytes virus (PC)

>From:    [email protected] (Vesselin Bontchev)

>It seems that nobody has noticed that the Tenbytes virus, which has
>been posted accidentally on Valert some time ago (two years? one
>year?) is able to mutate.

It's not actually mutating, and I don't think there's anything random
about it.  I admit I haven't studied this one very hard (it just hangs
most of the machines I've tried it on), or written a disinfector for
it.  But from looking at the code, it looks like it's just infecting
EXE files slightly differently depending on how long they are; the
amount the virus writes to the file, and the initial IP value it'll
have, can therefore be different from infection to infection.  I think
it's basically avoiding the bug that lots of other EXE-infecting
viruses have that causes the infected EXE file to be slightly invalid
(a ridiculous number in the "CS Offset" field, as I recall) when a
very small EXE file is infected.  Doesn't look like anything too
sophisticated (although I can't get it to spread this morning to
check!).

DC
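Chess describes EXE infectors that leave a very small host with an invalid header (a CS offset that cannot fit the file). As an added example, not code from the digest or from any of the posters, here is a Python check that parses the classic MZ header and verifies that the CS:IP entry point falls inside the load module; the sample EXE bytes are constructed in `build_exe` purely for illustration.

```python
import struct

# Classic MZ header, little-endian, through e_ovno (28 bytes).
MZ = struct.Struct("<2s13H")
FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
          "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")

def parse_mz(data):
    """Return the MZ header fields as a dict, or None if data is not an EXE."""
    if len(data) < MZ.size:
        return None
    magic, *vals = MZ.unpack_from(data)
    if magic not in (b"MZ", b"ZM"):
        return None
    return dict(zip(FIELDS, vals))

def image_size(h):
    """Bytes of the file that belong to the EXE image (header + load module)."""
    if h["e_cp"] == 0:
        return 0
    last = h["e_cblp"] or 512          # e_cblp == 0 means the last page is full
    return (h["e_cp"] - 1) * 512 + last

def check_entry_point(h):
    """Does CS:IP point inside the load module?  Returns (ok, reason)."""
    load_module = image_size(h) - h["e_cparhdr"] * 16
    if load_module <= 0:
        return False, "header larger than image"
    entry = h["e_cs"] * 16 + h["e_ip"]   # offset of the entry point in the load module
    if entry >= load_module:
        return False, f"entry 0x{entry:X} beyond load module of {load_module} bytes"
    return True, "entry point inside load module"

def build_exe(code_len, e_cs, e_ip):
    """Constructed sample: a 32-byte (2 paragraph) header plus code_len bytes of NOPs."""
    size = 32 + code_len
    e_cp, e_cblp = divmod(size, 512)
    if e_cblp:
        e_cp += 1
    header = MZ.pack(b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF, 0, 0, 0, e_ip, e_cs, 0x1C, 0)
    return header.ljust(32, b"\0") + b"\x90" * code_len

if __name__ == "__main__":
    # A sane small EXE, and one whose CS field points far past the end of the file.
    for cs in (0, 0x1234):
        print(hex(cs), check_entry_point(parse_mz(build_exe(100, cs, 0))))
```

A scanner's heuristics can flag such a header as damaged or suspicious without knowing which virus produced it.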

------------------------------

Date:    Fri, 30 Aug 91 17:42:06 +0000
From:    [email protected] (Doug Barlow)
Subject: Vshield not loading into high memory?

Has anyone tried to load vshield (version 3.9B80) into high memory?
I've tried MS-DOS 5.0 and Dr. DOS 5.0 and 6.0 BETA and nothing seems
to work.  MS-DOS doesn't load it at all and DR. DOS just loads it into
conventional memory.

  I have tried it with many configurations on different machines.
Any help would be appreciated.  Could someone please forward this to
McAfee.

Thanks.
Doug Barlow

--------------------------------------------------------------------------
Doug Barlow                   Email: [email protected]
Software Testing
Novell, Inc.  Provo, UT
                 Standard Disclaimer applies......
--------------------------------------------------------------------------

------------------------------

Date:    30 Aug 91 17:12:46 +0000
From:    [email protected] (Aaron Delwiche)
Subject: Viruses more common in Mac environment?

Somebody recently tried to convince me that viruses were more
widespread in the Macintosh environment than the PC environment.  Is
this true?  It seems to me that the opposite would be true.

------------------------------

Date:    Fri, 30 Aug 91 15:30:02 -0400
From:    Alan Pierce <[email protected]>
Subject: Re: Drive assignments (PC)

I would like to apologize for posting my comments on drive assignments to
VIRUS-L...talk about misdirection.

Alan Pierce

------------------------------

Date:    Fri, 30 Aug 91 14:20:59 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Hard Disk Locking (PC)

       Eric Lindsay points out something that I forgot to mention,
i.e.  that you should use a ballast resistor on the line. I have not
looked at the controller but given a high input impedance to the
drive, anything from Eric's suggestion of 200 ohms up to about 5k
should work. The write enable line is lead 6 of the 34 pin connector
(lead 1 is usually indicated by a red stripe on the cable). And
hardware is certainly infallible.

       I believe that a similar line exists on the 50-pin SCSI cable
but you must keep in mind that anything downstream of the break will
also be unwritable.

       A while ago I used this method to protect the C drive on a
dual-disk PC by breaking the cable between D: and C: (C: was on the
end). Putting such a switch in at the controller would make it unable
to write to any drive.

       Don't forget, the side of the break you want to tie high is
the one to the DRIVE not the end going to the CONTROLLER.

       One of the things I had planned for DiskSecure II (when and
if) was an option to write protect any partition on a drive, easy when
you are working at the BIOS level and since I can trust & control
access, reasonably secure (anything lower just can see sectors, not
files).

                                       Winter is slowly easing*,

                                               Padgett

* winter - that time of year when your utility bills go up & you do not go
          outside unless you have to.

------------------------------

Date:    Fri, 30 Aug 91 13:23:17 -0600
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Virus Simulator available (PC)

Concerning the Virus Simulator previously announced by (?),
[email protected] (Fridrik Skulason) writes:

>I fail to understand why the author of this program believes that
>anyone might find it of any use whatsoever.
...
>meaningless nonsense.
...
>So what ?
> ...  this is of no interest at all.
...
>Bullsh*t!
...
>This statement is highly misleading.
...
>Huh ?
> ... is totally useless.
...
>I only hope that the author of the program realizes soon how useless
>it is...

  Well, I don't think I would say it with quite as much *FLAME ON*,
but maybe that's simply because I'm not writing a virus protection
package! ;-)  I think Frisk is right, in the points he makes -- between the
excerpts I've extracted here!  The virus simulator is NOT of ANY USE
I can see, and will simply generate false security and false paranoia,
not to mention horribly inaccurate reviews in already inaccurate
magazines and journals.

  There is a problem though for those of us who don't have access to
a bank of viruses.  We would feel a lot more confidence in the protection
packages if we had some way of testing them.  Just today I finally
was able to confirm that FPROT's f-driver does indeed stop at least one
species of file infector virus from running on *MY* computer.  Not that
I've doubted Frisk or any of the other virus protection writers -- well,
maybe some of the others! ;-)  The problem is that computer users have
learned not to trust claims of any software until they have tested it
on their own system with its own peculiar configuration.  I see no
solution to this problem, though.

Hopefully the protection writers have calmed down now, maybe taken a shot
of Canadian Whiskey, (what does one drink at such a time, in Iceland?),
and the *flames* can subside, so we can think rationally about this
problem.

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------

------------------------------

Date:    Fri, 30 Aug 91 13:25:47 -0600
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Self-scanning executables (PC)

[email protected] (Klaus Hartnegg) writes:

>[email protected] (Eric Vaitl) writes:
>>    I started thinking about self scanning executables again.
>>Unfortunately, it was way to easy to write myself a virus which gets
>>around the whole damn thing. Here is what it does:
>>[...]

>Great idea to publish this on the net. You can be sure that such
>viruses will appear very soon now.

I'm sure the virus writers have or would have thought of it themselves.
Personally I'd rather have the rest of us made aware of the problem
with using self-scanning executables, so that we don't put trust in
them.  If the problem is there, let's not hide from it; rather recognise
and avoid it.

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------

------------------------------

Date:    Fri, 30 Aug 91 08:41:21 +0000
From:    Fridrik Skulason <[email protected]>
Subject: FPROT200.ZIP - The F-PROT anti-virus package, with a 'new look'

I have uploaded to SIMTEL20:

pd1:<msdos.trojan-pro>
FPROT200.ZIP      The F-PROT anti-virus package, with a 'new look'

Just like the "old" version 1, this program is designed to find, stop
and disinfect known viruses.  It is however much faster than the previous
versions, with a friendlier and simplified user-interface, and several new
features, such as heuristic analysis and pop-up virus information.

-frisk
Fridrik Skulason
[email protected]

------------------------------

Date:    Sat, 31 Aug 91 23:19:48 -0500
From:    James Ford <[email protected]>
Subject: FPROT200.ZIP available (PC)

The file fprot200.zip is now available from risc.ua.edu (130.160.4.7)
in the directory pub/ibm-antivirus.  This file was downloaded direct
from Simtel20.
----------
Consistency is the last refuge of the unimaginative.
----------
James Ford -  [email protected], [email protected]
             The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 152]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253