VIRUS-L Digest Thursday, 5 Sep 1991 Volume 4 : Issue 156

VIRUS-L Digest Thursday, 5 Sep 1991 Volume 4 : Issue 156

Today's Topics:

Infections: PC vs MAC
Flash EPROM BIOS (PC)
Virus Simulators
Vshield not loading into high memory? (PC)
Re: Norton Anti Virus (PC)
McAfee question (PC)
F-PROT 2.00 and MIRROR conflict (PC)
Scan80 doesn't find all it could or should. (PC)
scan (PC)
Disassembler Info
Hard Disk Locking (PC)
Re: Virus Simulator available (PC)
Update to Product Test -- IBM Anti-Virus Product (2.1.2)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 04 Sep 91 12:48:42 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Infections: PC vs MAC

In the population that I follow the PCs outnumber the MACs by about
10-1 yet the incidence of reported infections seems about equal (in
both cases this refers to viruses detected by anti-viral software that
has not infected the target machine).

To base any opinion on the different number of viruses on the two
platforms (successful viruses are something else) is flawed because it
is much easier to write a PC virus than a MAC, all of the tools necessary
come with a PC and are explained. On the other hand, the internals of a
MAC take some digging and are not nearly as well documented.

Next, while in the PC world, programs written in 1981 are still
executable on any manufacturer's 486 Tower running DOS 5.0, on the
Apple side in the same time span we have the Apple III, Lisa, MAC 128.
Consider that the BRAIN (still infecting a significant number of PCs)
was written in 1986 and then name the 1986 Apple software packages
that will still run without modification under system 7.

Finally, while the $1000 PC has been around for a while, until the MAC
"classic" came out, low priced MACs were not plentiful, nor was there
the incredible diversity of programs available.

Therefore, IMHO, the reasons for the "low" number of MAC viruses stem
from differences in design philosophy that are not necessarily
strengths.

Personally, I do not care for GUIs but recognize the attractiveness to
those who do not really want to know or care exactly what is
happening. However, often I work on Unix-based systems such as an
Apollo or Sun workstation (also primarilly Motorola 680x0 based but
moving toward RISCs), and my question is: "How does Apple make it run
so slow ?".
Warmly,
Padgett

------------------------------

Date: Wed, 04 Sep 91 11:15:18 -0600
>From: [email protected] (Kevin Hemsley)
Subject: Flash EPROM BIOS (PC)

I received a catalog in the mail today from a popular mail order vendor. As
I was browsing the pages dream shopping for components to build the ultimate
home system, my eyes caught the following text:

"The `Ugly Duckling' 486/33E includes another new technological
advance - flash EPROM BIOS. The EISA flash EPROM is electrically
reprogrammable ROM which allows for in-circuit reprogramming.
With this new technology the end-user can upgrade the system
board BIOS without disassembling the system, simply by using a
floppy disk."

This subject was discussed a few months ago. I just wonder who will
make it to the BIOS first, the good guys or the bad guys?

P.S. I didn't receive much response from a recent posting on LANs and
viruses. I'm curious to know if there is a lack of interest in
the subject, or a lack of experience.

-
-------------------------------------------------------------------------------
Kevin Hemsley |
Information & Technical Security | If you think that you have someone
Idaho National Engineering Laboratory | eating out of your hand, it's a
(208) 526-9322 | good idea to count your fingers!
[email protected] |
-
-------------------------------------------------------------------------------

------------------------------

Date: 04 Sep 91 10:52:25 -0400
>From: [email protected]
Subject: Virus Simulators

Fred Waller writes:
> It is of great interest. It demonstrates to prospective users how easy
> it is to produce false alarms using virus scanners and how deeply
> unspecific and unreliable string scanning is as a general method for
> detecting viruses. In fact, I'm surprised that a program similar to
> Rosenthal's Virus Simulator has not emerged before.

I rarely see complaints that virus scanning is a non-specific approach.
Seriously, the reason that vendors use identification strings is that it
is *easy*; id (or search) strings are easy to extract, easy to transmit
and share, it's easy to write efficient scanners for search strings,
etc. Search strings also happen to be compact (at least relative to the
size of most of the viruses that they detect). Precise identification
doesn't require much more space per virus, but it does require a
complete analysis of each virus to be reliable. The virus needs to be
mapped, the constant extents in the virus need to be determined, a
degarbler functionally identical to the virus degarbler may need to be
written, etc.

I can speak to the IBM VIRSCAN; the detection goals are (a) minimizing
the number of false positives, (b) maximizing the probability that a
variant of a known virus will be detected, and (c) minimizing the number
of false negatives, all while keeping performance reasonable. Notice
that goal (a) conflicts with goals (b) and (c). Admittedly, we're
trying to work wonders with short search strings, but this is at least
partly a result of the necessity for the use of a compact virus
description, due to the numbers of PC viruses in circulation (at least
among collectors :). There's certainly room for improvement; search
strings are a rather primitive identification mechanism.

Note that Alan Solomon's Toolkit (which you don't mention) does do a
verification for most of the viruses that it detects. I expect we'll
see more scanners doing verification as the industry matures, and
liability issues may force vendors to make their tools do a complete
verification before disinfecting.

Bill Arnold

------------------------------

Date: Wed, 04 Sep 91 15:32:00 -0400
>From: "Monty Hinten" <[email protected]>
Subject: Vshield not loading into high memory? (PC)

[email protected] (Doug Barlow) writes:
>Has anyone tried to load vshield (version 3.9B80) into high memory?
>I've tried MS-DOS 5.0 and Dr. DOS 5.0 and 6.0 BETA and nothing seems
>to work. MS-DOS doesn't load it at all and DR. DOS just loads it into
>conventional memory.

According to the LOADHI utility from QEMM386 V5.13, my copy of VSHIELD V80
has a run-time size of 500k when memory checking is enabled, and a run-time
size of 111k with the /NOMEM switch. The resident size on my machine (NCR
PC386sx, 5.3MB RAM, DOS 5.0) is 34720. The run-time size is the minimum
amount of contiguous high memory required to load the program high. In
other words, while you may have a "high" region that has 35k, if you don't
have the required room for the initial program load, you won't be able to
load it high. I don't know about anyone else, but I certainly don't have
100k of free high memory by the time AUTOEXEC is processed. Further, I run
VSHIELD with the /M and /CHKHI switches, to see if any nasties have loaded,
so the loadhigh option is not available. As a side note, I have
successfully loaded F-DRIVER from F-PROT, as well as VWATCH and VSAFE from
CPAV, into high memory.

Hope this helps.

==========================================================================
Monty Hinten VOICE: (617)565-3634
Information Security Officer BITNET: RHZ@NCCIBM1
US EPA, Region I, Boston
==========================================================================

------------------------------

Date: Wed, 04 Sep 91 15:59:55 -0500
>From: [email protected] (Sara Gordon)
Subject: Re: Norton Anti Virus (PC)

I have a question (probably asked earlier but I was not here). Is NAV
known for finding AIDS virus in error? I recall seeing this
- -somewhere- but cannot find reference. This information would help me
restore peace of mind (or utter terror) to the mind of a local sysop.
Thanks for any info.

- --
Sara Gordon
Northern Star 8 line BBS
219-289-0287/317-251-7391
internet: [email protected]
uucp: ..!uunet!nstar.rn.com!sara
-= newsfeeds available, contact [email protected] =-

------------------------------

Date: Wed, 04 Sep 91 21:32:29 +0000
>From: [email protected] (Tom Laughner)
Subject: McAfee question (PC)

We are currently evaluating the McAfee anti-virus program. Specifically,
I know that the Norton TSR will detect infected files as they are being
copied. Is there any way to get the McAfee TSR to do this? I've been
testing with ver. 8.0 and had used VSHIELD and VSHIELD1.

Anyone done side-by-side testing of both Norton and McAfee? What are
your impressions?

Tom Laughner
Consultant/Analyst

------------------------------

Date: Wed, 04 Sep 91 16:11:49 +0000
>From: Fridrik Skulason <[email protected]>
Subject: F-PROT 2.00 and MIRROR conflict (PC)

Several people have informed me of a conflict between VIRSTOP.EXE (a
part of version 2) and MIRROR from Central Point Software.

This will be corrected in version 2.01, but until then don't load both
programs at the same time.

- -frisk

------------------------------

Date: 05 Sep 91 11:52:02 +1000
>From: Mark Cramer <[email protected]>
Subject: Scan80 doesn't find all it could or should. (PC)

A few notes on Scan v80.
- ------------------------

We had someone come in the other day with a disk infected with the
Keypress virus, the infected files had been renamed to .BAD.

So I renamed them to .COM and scanned them, no virus. When we checked
they were .EXE files, so we renamed them and guess what, scan found the
keypress virus.

Would someone like to pass this on to Mc.Afee before this technique for
hiding virii (viruses, whatever the convention is) by renaming files gets
used, if it hasn't been already. COM files will still run when renamed as
EXE and vice versa.

The infection recurred on the hard drive and was eventually tracked down
to one of XtGold 2's overlay files. Scan apparently doesn't scan these
files correctly. The file was XTG_EDIT.XTG.

+--------------------------------------+------------------------------+
| Mark G. P. Cramer. | Sig!, /\_|\ |
| Operations Manager, CBE Section | Sig a sog!, / QUT>\ |
| Queensland University of Technology. | Sig it loud!, ( __ | |
| Australia. | Sig it strog! -- \/ |
| Ph. 07 8642073. Fax 07 8641525. | Karen Carpenter v |
| [email protected] | with a cold! |
+--------------------------------------+------------------------------+

------------------------------

Date: Thu, 05 Sep 91 11:52:00 +1000
>From: [email protected]
Subject: scan (PC)

A few notes on the Scan v80.
- ----------------------------

We had someone come in the other day with a disk infected with the
Keypress virus, the infected files had been renamed to .BAD.

So I renamed them to .COM and scanned them, no virus. When we checked
they were .EXE files, so we renamed them and guess what, scan found
the keypress virus.

Would someone like to pass this on to Mc.Afee before this technique
for hiding virii (viruses, whatever the convention is) by renaming
files gets used, if it hasn't been already. COM files will still run
when renamed as .EXE and vice versa.

The infection recurred on the hard drive and was eventually tracked
down to one of XtGold 2's overlay files. Scan apparently doesn't scan
these files correctly. The file was XTG_EDIT.XTG.

+--------------------------------------+------------------------------+
| Mark G. P. Cramer. | Sig!, /\_|\ |
| Operations Manager, CBE Section | Sig a sog!, / QUT>\ |
| Queensland University of Technology. | Sig it loud!, ( __ | |
| Australia. | Sig it strog! -- \/ |
| Ph. 07 8642073. Fax 07 8641525. | Karen Carpenter v |
| [email protected] | with a cold! |
+--------------------------------------+------------------------------+

------------------------------

Date: Wed, 04 Sep 91 22:47:00 -0400
>From: John Mildner <[email protected]>
Subject: Disassembler Info

We also use use Sorcer to supplement the DOS Debugger.

*******************************************************************
John Mildner (COML) (202) 282-0738 (STU-III), (DSN) 292-0738
naval computer incident response team (NAVCIRT)
Naval Electronic Systems Security Engineering Center
3801 Nebraska Ave. NW, Washington DC 20393-5270
*******************************************************************

------------------------------

Date: Wed, 04 Sep 91 22:49:00 -0400
>From: John Mildner <[email protected]>
Subject: Hard Disk Locking (PC)

This is NOT a commercial solicitation. But, after noting the recent
exchanges on preventing unintentional writes to PC hard disks I
thought it appropriate to share some of our efforts in this area.
Many Navy users need to process sensitive data but don't want it
ending up on their system's hard disk where it would be accessable to
unauthorized parties. For this reason we developed the Write Protect
Switch System (WPSS) for our installed base of 85,000+ PC's using
ST506 compatible disk drives. (As a side benefit it also limits the
spread of viruses).

The WPSS contains a PC board, external five position switch,
associated cables, and PROM software. WPSS protects two floppy and
two hard drives by interupting the "write gate". The PROM software
traps attempted writes to protected disks and flags the BIOS/DOS error
routines. The PROM also contains security officer configuarable
routines which can lock-out floppy boots, write protect specified
files, log users, and audit their activity.

Twenty-five systems are in test and production is scheduled to begin
in December. US Government agencies interested in WPSS are encouraged
to contact us for further information.

*******************************************************************
John Mildner (COML) (202) 282-0738 (STU-III), (DSN) 292-0738
naval computer incident response team (NAVCIRT)
Naval Electronic Systems Security Engineering Center
3801 Nebraska Ave. NW, Washington DC 20393-5270
*******************************************************************

------------------------------

Date: 05 Sep 91 08:18:51 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Re: Virus Simulator available (PC)

[email protected] writes:
>Since most anti-viral programs use the same search strings,

Nonsense - "most" anti-viral products don't use the same strings.
There are several products which only rely on published search
strings, but they are not very secure - virus writers have access to
the same search patterns and they often modify their viruses so they
will not be detected by those patterns.

>it's reasonable to
>assume that if it can't find the simulation, an anti-viral product using
>these published strings won't find the real thing, either,

Yes, if it indeed uses the patterns included in the virus simulator -
but how can you know if it does ?

You cannot - which is another reason why the "virus simulator" is an
useless program.

>Ah, so now we come to the heart of the matter: You, apparently, are a proponant
>of using /NON/-published strings to scan against.

Yes, I am - and that is no secret.

I also maintain that it is advisable to use a couple of scanners,
which use different set of patterns (or a single scanner using two
different sets), as it increases the chances of detecting real-world
viruses. Frankly, however I don't care if my scanner detects the
"simulated" viruses - but I find it extremely annoying when the author
of the program claims it should.

- -frisk

------------------------------

Date: Tue, 03 Sep 91 10:49:23 -0600
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Update to Product Test -- IBM Anti-Virus Product (2.1.2)

*******************************************************************************
PT-34
April 1991
Revised September 1991
*******************************************************************************

1. Product Description: The IBM Anti-Virus Product is a program to detect
computer viruses in the PC-DOS (MS-DOS) and OS/2 environments. This test
report addresses version 2.1.2.

2. Product Acquisition: The program is available from the IBM Corporation
through a variety of means. The licensing cost of the program is $35.00. IBM
retains title to the scanning program but licenses its use in the United States
and Puerto Rico. Updates cost $10.00.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or [email protected].

[Ed. The complete text of this product test is available for anonymous
FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews under the filename
of mcdonald.ibm.antivirus]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 156]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253