VIRUS-L Digest Monday, 16 Sep 1991 Volume 4 : Issue 159
Today's Topics:
Back on the air
Re: Disassembler Info
Norton Anti Virus (PC)
Re: Virus Simulators
Re: Viruses more common in Mac environment?
Re: Boot sectors
Mutant viruses (PC)
Re: compressed with EXEPACK ?? (PC)
New files on risc.ua.edu (PC)
Re: Viruses more common in Mac environment?
BBS's For Virus Information...Or sites..
RE: F-PROT 2.00 (VIRSTOP) and PC-Shell/Mirror
vsumx108.zip on risc (PC)
Re: Experiment with virus
Re: Virus Simulator available (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 16 Sep 91 10:13:14 -0400
>From: Kenneth R. van Wyk <
[email protected]>
Subject: Back on the air
Greetings all,
As is self evident, VIRUS-L/comp.virus is back on the air. I have a
*huge* backlog of submissions to get to, so if you don't see your
message right away, please be patient.
On my way home from last week's Virus Bulletin conference, it occurred
to me that the only two times that I've caught a cold this year have
been at virus conferences. Hmmm... ;-)
Cheers,
Ken
------------------------------
Date: 03 Sep 91 21:58:00 +0000
>From:
[email protected] (Mark Aitchison, U of Canty; Physics)
Subject: Re: Disassembler Info
>>What disassembler do you use?
I have a disassembler specifically for scrutinising boot sectors,
which is part of the CHECKOUT program I wrote. It is free, and a bit
buggy, I'm afraid. I made CHECKOUT available a while ago - I'm working
on a new version & will announce when it's available; in the mean
time, the way to use the old version is:
CHECKOUT/A A:
and you might want the /D switch as well. What it does is work out
what parts of the code get executed, what are the contents of
registers at the time of interrupt calls (okay, this bit is pretty
buggy), and puts in labels and BPB structure if appropriate, etc.
Mark Aitchison.
------------------------------
Date: 03 Sep 91 20:03:39 +0000
>From:
[email protected] (Rob Slade)
Subject: Norton Anti Virus (PC)
[email protected] (Knut Torgersen) writes:
> first thing I did, however, was to run the program on the diskette I
> borrowed it on. First I used McAFee's SCAN.EXE. Nothing nasty showed
> up. Then I asked NAV to scan itself. NAV told me that "NAV.EXE is
> infected with an unknown strain."
Did you, purchance, run SCAN with the /AV (if I remember correctly)
switch? The one that adds self-checking code to the target file, and
would therefore confuse NAV's *own* self check?
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
or try
[email protected] once in a while.
------------------------------
Date: Fri, 06 Sep 91 16:35:34 +0000
>From:
[email protected] (Albert Lunde)
Subject: Re: Virus Simulators
[email protected] (Fred Waller) writes:
> Of course. And as soon as somebody invents this "perfect virus
> detector", Rosenthal's Virus Simulator will cease to be of interest.
> Until then, it remains a remarkable and interesting program which
> demonstrates how imperfect the virus scanners really are.
As prior threads have illustrated, a "perfect virus detector" is in
general impossible. Virus scanners are not an elegant solution, but
they are a reasonable way of producing a "good enough" solution for
the current "state of the art" in virus writing and removal. Short of
a change in social norms that would drastically reduce the rate of new
virus production, there is no "light at the end of the tunnel" for DOS
or MAC OS users - anti-virus writers will have to keep updating their
products to deal with new viruses. I aggree that the "virus
simulator" is not a realistic test of anti-virus products. Some people
may like it, it may cause problems for others, but it does not address
the major issues of performance. It is actually a bad thing if all
anti-virus tools use the same signatures. Ability to disinfect common
viruses is more valuable than numbers games.
------------------------------
Date: Fri, 06 Sep 91 13:03:26 -0400
>From: Joe McMahon <
[email protected]>
Subject: Re: Viruses more common in Mac environment?
On Fri, 6 Sep 1991 12:12:39 EDT Barry T. Drake said:
>
>Date: 05 Sep 91 20:03:09 +0000
>From:
[email protected] (Barry T. Drake)
>
>Viruses spread more easily in the Mac environment because a program is run
>every time a diskette is inserted: the desktop. On our campus there is an
>extremely high contamination of viruses among students (and their floppies)
>because they swap and share diskettes fairly freely. Our faculty members
>are more likely to use anti-virus software because they can get the college
>to pay for it :-).
The best Mac anti-viral, Disinfectant, is free. Why don't students
have it? Is there someone there to whom I can send a copy?
--- Joe M.
------------------------------
Date: Fri, 06 Sep 91 19:55:27 +0300
>From:
[email protected]
Subject: Re: Boot sectors
[email protected] (Rob Slade) writes:
> In addition to the psychological advantage, "BSI"s have some
> technical values as well. For one thing, they get the first
> chance at the system, before most "protection" has started. For
> another, a BSI, to be effective at all, must be memory resient.
> For a third, because hy make changes to system areas which are
> not normally seen, te changes are often undetected in normal
> operation.
In fact there is a way to overcome ANY boot sector infector on PC. To
do this it is enough to restore the contents of interrupt vectors area
just before booting DOS - virus will lost control. It is also desired
to set a correct amount of RAM into an appropriate BIOS variable (loc.
0:413H). It is possible to place a necessary program code into a DOS
BOOT sector (not MBR - such a code must be loaded AFTER all possible
Boot sector viruses). Being installed on a virus-free PC such a
program can "remember" the necessary info and then check it and, if
neccessary, restore each time PC is booted. Such an approach was
implemented at least in one program in USSR.
- --
Sincerely,
Dmitry O. Gryaznov
E-mail:
[email protected] or
[email protected]
Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465
------------------------------
Date: Fri, 06 Sep 91 19:52:33 +0300
>From:
[email protected]
Subject: Mutant viruses (PC)
At least two viruses wich can NOT be detected by scanning programs
(SCAN etc.) have been reported in USSR. These are mutant viruses.
They do not contain any constant scan strings. They are self-encrypted
and decrypting parts differ from file to file. These viruses use the fact
that many *86 instructions can be represented by quiet different hex
codes. And between two meaningful instructions a random number of
randomly chosen do-nothing instructions is placed. "Do-nothing"
instruction is not just a NOP. For example, if a decryption algorithm
does not use SI register, then any instruction modifying SI (INC SI,
DEC SI, XOR SI,AX etc.) may be treated as do-nothing. It is still
possible to implement scanning algorithms using powerful enough
regular expressions.
- --
Sincerely,
Dmitry O. Gryaznov
E-mail:
[email protected] or
[email protected]
Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465
------------------------------
Date: Fri, 06 Sep 91 19:56:39 +0300
>From:
[email protected]
Subject: Re: compressed with EXEPACK ?? (PC)
[email protected] (Drew Gonczi) writes:
> I just ran tbscan with the 7-31-91 copy of virscan.dat. It flagged
> alot of files saying "infected by [compressed with EXEPACK]" I was
> wondering if this is a virus or just a warning about a possible
> infection.
I think those files were just compressed with EXEPACK. This is a
usual thing for a lot of DOS utilities. The only danger while
using EXEPACK or other executable files compressing programs is
to pack an infected program and in this way to hide a virus from
being detected by virus detectors. EXEPACK converts files in such
a way that all packed files have the same a little bit "virus-like"
start code. Several years ago when I started to deal with viruses I
was fooled by EXEPACK myself. I noticed that many files on my PC had
the same suspicious start code. In fact there were several different
strains of start code. Some of them appeared to be real viruses. But
one was just an EXEPACK start code.
There is a virus detector in USSR which reports not only infected files,
but also EXEPACK'ed, compiled with Turbo C, Microsoft C, etc.
- --
Sincerely,
Dmitry O. Gryaznov
E-mail:
[email protected] or
[email protected]
Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465
------------------------------
Date: Fri, 06 Sep 91 15:38:04 -0500
>From: James Ford <
[email protected]>
Subject: New files on risc.ua.edu (PC)
The following files have been placed on risc.ua.edu (130.160.4.7) in
the directory pub/ibm-antivirus:
tbscan28.zip - Thunderbyte Scan
tbscnx29.zip - Thunderbyte Scan (tsr)
vs910816.zip - virus signatures (to be used with tbscan,tbscnx)
virx17.zip - Virus Detection version of VPSCan (Microcom's Virex)
0files.9109 - Text file, current pub/ibm-antivirus listing
- ----------
Those who think they know it all upset those of us who do.
- ----------
James Ford - Consultant II, Seebeck Computer Center
[email protected],
[email protected]
The University of Alabama (in Tuscaloosa, Alabama)
------------------------------
Date: Fri, 06 Sep 91 17:19:24 -0400
>From: Tom Coradeschi <
[email protected]>
Subject: Re: Viruses more common in Mac environment?
[email protected] (Barry T. Drake) writes:
>Viruses spread more easily in the Mac environment because a program is run
>every time a diskette is inserted: the desktop. On our campus there is an
That is a valid data point only for those viruses which spread via the
desktop. Macs running System 7 don't even have desktop files on their hard
disks anymore, so the floppy->hard disk->floppy infection path is
disappearing.
>extremely high contamination of viruses among students (and their floppies)
>because they swap and share diskettes fairly freely. Our faculty members
>are more likely to use anti-virus software because they can get the college
>to pay for it :-).
Well that's a pretty ridiculous stance. Disinfectant is (arguably) the best
anti-viral for the Mac, and it's FREE!
>In six years of working with primarily IBM PC's, I have seen *one* diskette
>infected (with Stone-B and Ping Pong-B); it came from off campus via a
>research assistant (from her workplace).
For what it's worth: Of the 2000+ Macs at this installation, the only viral
infection I've seen reported came from a *sealed* distribution copy of an
application. It was snuffed by GateKeeper when the disk was inserted.
On the other hand, one of our summer hires brought in some diskettes from
school last year. Stuffed one in a PC-AT. Bells, whistles and sirens went
off! All his floppies were infected, several w/ multiple virii.
We practice "safe computing" on all our machines (Mac & DOS).
tom coradeschi <+>
[email protected]
------------------------------
Date: Fri, 06 Sep 91 19:04:24 -0500
>From:
[email protected] (HUGO DIZFINCK CORTES )
Subject: BBS's For Virus Information...Or sites..
Hi All,
Im searching for place internet (i only have access telnet, no dial up)
for get a bbs where can get a articles of viruses. Any Help?
Thanks,
Saludos de Mexico,
J. Miguel Garcia R.
Monterrey, N.L.
Mexico
------------------------------
Date: Sat, 07 Sep 91 08:52:45 -0600
>From: Diskmuncher <
[email protected]>
Subject: RE: F-PROT 2.00 (VIRSTOP) and PC-Shell/Mirror
from A. Padgett Peterson, regarding PC-Shell and VIRSTOP interaction
>Afraid this is not a conflict but rather a DOS charactoristic that
>most Netware administators are aware of: there are many programs such
>as PC-SHELL and LOGIN.EXE that shell other executable files during
>their operation then, when operation is complete, remove themselves
>from memory and release the memory they were using to DOS. Unfortunately,
>if a program went TSR from the shell, DOS cannot de-allocate the memory.
Padgett,
It seems to me that your comments about PC-Shell, while true in a
general sense, weren't true in this particular case. Specifically, I
*never* activated PC-Shell as the interface to DOS. (I did set it up
as a TSR, but never pressed the hotkeys to activate it and never ran a
program from within PC-Shell). In addition, I did not invoke
VIRSTOP.EXE from *within* PC-Tools (I did try once to load it after
PC-Shell had become resident, and the computer worked fine until I
used a large program like WordPerfect). When I did load VIRSTOP from
within PC-Shell (testing your comments), the computer hung immediately
(during the loading of VIRSTOP). There was plenty of conventional
memory left to run WordPerfect (570K) so it shouldn't have had to swap
anything (even if it's capable of doing so, I don't know).
Nowhere in the documentation did it say that PC-Shell had to be loaded
last, other than saying that if you load any TSR's after PC-Shell, you
won't be able to remove PC-Shell from memory until you remove the
other TSR's first (that's just what you mentioned :). PC-Shell keeps a
10K kernal in conventional memory, but when activated, it uses up to
380K of EXPANDED memory or writes to a temp file on the hard disk
("saving the state of memory").
>In the case of PC-SHELL, I suspect that the spawning process examines
>the requested program to determine if there is sufficient memory
>to run the request. If there is, PC-SHELL just spawns a new CLI
>to run the program. If the program is larger, PC-SHELL will swap
>itself out before running the new program.
>
>Consequently, VIRSTOP must be small enough that PC-SHELL does not
>swap out and once VIRSTOP is resident, PC-SHELL is no longer able
>to swap, hence the problem.
Agreed. But again, I never used PC-Shell to launch a program.
After loading all TSR's, device drivers, etc. I still had 570K
conventional memory free (and ~500K of expanded memory). I have two
TSR's that are loaded AFTER PC-Shell (one is PC-Desktop, another PC
Tools program which PC-Shell "knows" about, and Erase Protect (Norton
Utils equiv. to Mirror)) and neither one complains when I use PC-Shell
to launch Paradox or WordPerfect. Yet as you stated, I cannot remove
PC-Shell from memory until I remove Erase Protect and PC-Desktop
first. Thus I still believe that there is a definite conflict between
VIRSTOP and PC-Shell (and Mirror) but it's easily solved by loading
MIRROR first, then VIRSTOP, then PC-Shell so I'm happy.
John-David Childs
Consultant, University ofMontana
[email protected]
------------------------------
Date: Sun, 08 Sep 91 15:26:50 -0500
>From: James Ford <
[email protected]>
Subject: vsumx108.zip on risc (PC)
The following file has been uploaded to risc.ua.edu (130.160.4.7) in the
directory pub/ibm-antivirus:
vsumx108.zip - Hoffman's Virus Summary Listing (Hyperstack format)
- ----------
It takes as much energy to wish as it does to plan.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected],
[email protected]
------------------------------
Date: Mon, 09 Sep 91 09:41:00 +1200
>From: "Mark Aitchison, U of Canty; Physics" <
[email protected]>
Subject: Re: Experiment with virus
I (Mark Aitchison, U of Canty; Physics) wrote:
> (b) if you reformat a 360Kb diskette on an AT's 1.2Mb drive, the virus can
> survive! (anyone that wants an explanation can e-mail me).
I've had enough queries to make it worth posting the explanation: A
1.2Mb drive has a narrower head, so when it writes over the top of a
track written by a 360Kb drive, some of the original is left beside
it. When reading the diskette on a 1.2Mb drive, you won't notice it,
but on a 360Kb drive one of three things can happen:
1. The newer, 1.2Mb drive's signal is stronger, so you get that (i.e no virus,
just the newly formatted empty diskette), or
2. The signals are roughly equal, so you get garbage (CRC errors), or
3. If the 360Kb drive's heads are a bit out of alignment, which is reasonably
likely (because they tend to be older, and because they never needed to be
so accurately positioned in the first place), then it could read more of
the old data than the new data, and get whole sectors of the original
(infected programs, etc) without errors. Yes, I have found this with one of
my 360Kb drives.
The most common case is to get the new data with (mostly) CRC errors,
but it is enough of a risk to have a policy of wiping the disks with a
magnet (or degausser or whatever is proven to work). Remember that the
360Kb drive might read data from other 360Kb drives without a glitch,
but be out of alignment enough to get some sectors from the original
tracks.
Mark Aitchison.
------------------------------
Date: Mon, 09 Sep 91 10:02:00 +1200
>From: "Mark Aitchison, U of Canty; Physics" <
[email protected]>
Subject: Re: Virus Simulator available (PC)
[email protected] (Fridrik Skulason) writes:
> There are several products which only rely on published search
> strings, but they are not very secure - virus writers have access to
> the same search patterns and they often modify their viruses so they
> will not be detected by those patterns.
Just wonderring... how many viruses exist that are trying to avoid
published search patterns? I still agree that serious virus scanners
should keep their scan details secret, by the way. There is a good
case for distributing the scan patterns for known viruses, for
identification purposes, and I almost hope that virus writers waste
their time tinkerring with viruses to avoid those strings, rather than
try to write serious new viruses. Of course, nobody should consider
virus simulators based on such strings as a good test of a scanner;
the only valid use of a virus simulator would be to demonstrate to the
unintiated what a virus looks like, so they can watch for it in "real
life".
Mark Aitchison.
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 159]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
