VIRUS-L Digest   Tuesday, 15 Oct 1991    Volume 4 : Issue 189

Today's Topics:

re: Dr. Fred's Contest
Norton Antivirus 1.5 + 707 virus (PC)
Virus on Mac (Mac)
Multiple Anti-viral approaches
Re: Need help with Empire virus (PC)
RE: Books on Viruses
Re: Hardware not solution
Re: Books on viruses?
Re: Books on viruses?
Re: DIR II (Cluster) Virus (PC)
Partition viruses?? (PC)
Re: Hardware
Misc. information (PC and other)
New files on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 11 Oct 91 10:23:59 -0400
From:    Joe McMahon <[email protected]>
Subject: re: Dr. Fred's Contest

On Fri, 11 Oct 1991 09:27:47 EDT Padgett Peterson wrote:
>The major diversion occurs if the LOGIN script determines that the
>required management safeguards are NOT in place on the client
>requesting connection and the script then gives the client the choice
>of having the software (which includes a mix of TSRs and replacement
>MBR and boot records) installed on his/her machine or being denied
>access. If the INSTALL option is selected, does the subsequent action
>fulfill the requirements of a "virus" ? e.g. propagation to a platform
>that was not known at the time the program "set" (executables and
>script files) was installed.

The problem is guaranteeing that the program which is saying "I'm
going to mess with your data now" is really the maintenance program
and not something that will kill every machine on the LAN.
Most users will just say "OK" if the prompt to "fix" things looks OK.
How else do they check it?

--- Joe M.

------------------------------

Date:    Fri, 11 Oct 91 14:54:01 +0000
From:    [email protected] (n. michelis)
Subject: Norton Antivirus 1.5 + 707 virus (PC)

I downloaded the latest Norton Antivirus 1.5 virus definitions from
Symantec Australia today.  The definition file was dated 10-10-91
(15all04.def).

Anyway it gave me a warning while loading the new definitions that the
definitions for 707 (virus) require Norton Antivirus version 1.5.3.

The same message was given for the Sentinel virus.

When I went to scan the hard disk after running this installation I
found that I had the "Z, Zero" viruses in memory and that I had the
707 virus when NAV began scanning the files.

When I go and install the original NAV 1.5 disks I have no problems.
I also have no problems using 15all04.def definition file.

What I want to know, seeing that I am in Australia, is what the latest
version of Norton Antivirus is and if anyone else has had any problems
installing the definition file "15all04.def".

P.S.  I ran scanv82 from McAfee and this didn't report any viruses.

Also, what is this 707 virus NAV has created a definition for?  Scanv82
doesn't scan for this under that name.

I would really appreciate any comments as I don't know if I am getting
a false alarm from NAV due to an old version or if I really do have a
memory resident virus on my computer.

                                          Nick Michelis
                                          Monash University Caulfield Campus
                                          Melbourne Australia.

------------------------------

Date:    11 Oct 91 16:32:52 +0000
From:    [email protected] (Olivier BAUDON)
Subject: Virus on Mac (Mac)

We have found a new virus. The message given is 'Don't Panic', given by
virus-check 1.2. We don't remember having installed this init.
(We use SAM Intercept.)  The virus is on an internal hard disk and
it's now impossible to boot the Mac from a protected/not protected
floppy or an external hard disk.

If someone knows something about this, please help us.
Thanks in advance.

*--------------------------------------*--------------------------------------*
|             Olivier BAUDON           |                                      |
|  Laboratoire Bordelais de Recherche  | phone  : 33 - 56 84 69 21            |
|            en Informatique           | fax    : 33 - 56 84 66 69            |
|         Universite Bordeaux I        | e-mail : [email protected] |
|      351, Cours de la Liberation     |                                      |
|     F-33405 TALENCE Cedex, FRANCE    |                                      |
*--------------------------------------*--------------------------------------*

------------------------------

Date:    Fri, 11 Oct 91 11:34:16 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Multiple Anti-viral approaches

I wrote:
> >  Now  if everyone used DiskSecure, virus writers  could  just
> > target  it, however if MicroSoft, Norton, Mace,  Central Point,
> > Digital Research, and all the others came out with similar but
> > different software, and AMI, Phoenix, Award, and Tandon each
> > had a different BIOS implementation a  generic  virus  becomes
> > so difficult to write and would have to be so big to handle all
> > of the cases the it would become uneconomical...

From:    [email protected] (Fred Waller)
> Yes, a single virus would be unwieldy.  But should we expect that?
> Shouldn't we rather expect the prompt appearance of many viruses,
> each one capable of attacking one of those systems?  The net result
> would be similar to having one virus capable of attacking all of them.
> Worse actually, since it would require many times the effort to guard
> against.

No, not at all. Since each time a "specific" virus ran up against one
of the other approaches, it would be detected, possibly as "DiskSecure
Specific Attack Attempt" by NAV. Given that ALL approaches are in the
minority, such a specific virus would not spread very far. Only a virus
able to attack a significant number of the different systems would have
a chance in the Macro (and why I prefer a layered defense). Given an
installation/network using a single approach, something targeting THAT
installation would be possible (and we have seen a few of these), but again
would probably not spread very far and would be almost certainly an
"inside" job.

> All our experience shows us that devising virus-specific defenses,
> or `distributing' defenses in the hope of diluting the effort of
> virus authors, is ineffective. It only causes proliferation of new
> `species'. We can't outwrite them.  This is one reason why scanners
> are bad, and this is also why every other taxon-specific approach
> is bad.

> If any proof is needed, just look at the field. We have more
> antivirus utilities than ever. There are more defense variations
> than ever. There are also more viruses than ever. They infect more
> machines than ever.

Major disagreement. It is easier to protect a single platform with a
"mission-adaptive" approach loaded first than it is to subvert one.
The hard part is making it "user-transparent" unless a valid exception
occurs and permitting the user to make his/her own exceptions when needed.
The only reason that viruses have been so successful is that the
bulk of the 50 (or is it 70) million PCs have NO defenses. Protected PCs
are still in the minority (but increasing).

                                               Padgett

------------------------------

Date:    Fri, 11 Oct 91 10:56:50 -0600
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Need help with Empire virus (PC)

[email protected] (Kees denHartigh) writes:

>I have been attacked by the Empire virus. Both fprot and scan detected
>the virus in the boot sector of both my hard drives. fprot was unable
>to remove the virus from the boot sector but clean82 reported successfully
>removing it. The problems the Empire virus originally caused seem to have
>disappeared, however fprot200 still reports the virus in the boot sector
>of both drives. I backed up my D drive, ensuring that the virus was not
>infecting any backed up files, and reformatted the drive and restored, and
>still fprot200 reports the Empire in the boot sector of the reformatted
>drive. Is it really there, or is fprot200 lying to me? Scan82 detects no viruses
>after clean82. Does anyone have any ideas?

It sounds to me like a ghosting problem.  I know that if a partition
record is rebuilt by repairing only the executable code of the sector,
leaving "dead" parts of the Empire code in place, then FPROT will see
these and identify the Empire virus as being present.  It seems the
scan string Frisk uses is found in this later part of the virus.
We saw this effect when rebuilding partition records using "Norton
disk doctor".

I suspect that Scan82 simply rebuilds the MBR by rewriting the executable
code into place, leaving the partition table data portion -- and a dead
part of the virus code -- in place.

I hope to check this out when I get in touch with Kees.  (Shouldn't take
long: Elect. Eng. is actually closer than my usual morning coffee stop!)

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------
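An added illustration of the ghosting effect Tim describes, written for this digest and not taken from FPROT, CLEAN, Norton Disk Doctor or any message above. It models a 512-byte master boot record in Python with constructed byte patterns (the clean loader, the viral stub and body, the scan string and the partition entry are all made up for the demonstration, not the real Empire virus or any real scanner's signature), repairs it once by rewriting only the loader bytes and once by rewriting the whole code area, and runs a plain signature scan over each result.

```python
"""Added example, not code from the digest or from FPROT, CLEAN or
Norton Disk Doctor: a model of why a signature scanner keeps flagging a
boot-sector virus after a partial MBR repair ("ghosting"), and of a
repair that leaves nothing for the scanner to find.

All byte patterns below (clean loader, viral stub and body, scan string,
partition entry) are constructed stand-ins, not the real Empire virus or
any real scanner's signature."""

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR

# Constructed stand-ins for the executable part of the sector.
CLEAN_BOOT_CODE = b"\xEB\x3C\x90" + b"CLEAN-MBR-LOADER".ljust(61, b"\x00")   # 64 bytes
VIRAL_STUB = b"\xEB\x60\x90" + b"VIRAL-STUB".ljust(93, b"\x00")              # 96 bytes, the part that would execute
VIRAL_BODY = b"VIRAL-BODY-PAYLOAD-AREA".ljust(200, b"\x90")                   # 200 bytes following the stub
# A scanner's search string (constructed) that happens to sit in the body, not in the stub.
SCAN_STRING = b"BODY-PAYLOAD"


def build_partition_table() -> bytes:
    """One bootable entry with constructed CHS/LBA values, plus three empty entries."""
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0xFF, 0xFF])
             + (63).to_bytes(4, "little")        # starting LBA (constructed)
             + (204800).to_bytes(4, "little"))   # sector count (constructed)
    return entry + b"\x00" * 48


def make_sector(code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR: code area zero-padded to 0x1BE, then table, then 55AA."""
    if len(code) > PARTITION_TABLE_OFFSET:
        raise ValueError("code area overruns the partition table")
    if len(partition_table) != 64:
        raise ValueError("partition table must be exactly 64 bytes")
    return code.ljust(PARTITION_TABLE_OFFSET, b"\x00") + partition_table + BOOT_SIGNATURE


def partition_table_of(sector: bytes) -> bytes:
    """The 64-byte partition table of an existing sector (the part a repair must preserve)."""
    return sector[PARTITION_TABLE_OFFSET:SECTOR_SIZE - 2]


def build_infected_fixture(clean_mbr: bytes) -> bytes:
    """Test fixture: stub and body replace the loader; the partition table is kept so the disk still boots."""
    return make_sector(VIRAL_STUB + VIRAL_BODY, partition_table_of(clean_mbr))


def find_scan_string(sector: bytes) -> int:
    """Plain signature scan over the whole sector; returns the hit offset or -1."""
    return sector.find(SCAN_STRING)


def partial_repair(sector: bytes) -> bytes:
    """What the thread suspects CLEAN does: rewrite only the loader bytes, keep everything after them."""
    return CLEAN_BOOT_CODE + sector[len(CLEAN_BOOT_CODE):]


def full_repair(sector: bytes) -> bytes:
    """Rewrite the loader AND zero the rest of the code area; keep only the partition table and signature."""
    return make_sector(CLEAN_BOOT_CODE, partition_table_of(sector))


def code_area_is_clean(sector: bytes) -> bool:
    """The check a careful verifier makes: the whole 446-byte code area, not just its start, matches the known-good image."""
    return sector[:PARTITION_TABLE_OFFSET] == CLEAN_BOOT_CODE.ljust(PARTITION_TABLE_OFFSET, b"\x00")


def demo() -> dict:
    """Walk a constructed sector through infection, both repairs and the scanner."""
    clean = make_sector(CLEAN_BOOT_CODE, build_partition_table())
    infected = build_infected_fixture(clean)
    ghost = partial_repair(infected)
    cured = full_repair(infected)
    return {
        "clean_hit": find_scan_string(clean),            # -1: nothing to find
        "infected_hit": find_scan_string(infected),      # 102: inside the body
        "ghost_hit": find_scan_string(ghost),            # 102: still there, beyond the rewritten loader
        "ghost_loader_clean": ghost.startswith(CLEAN_BOOT_CODE),
        "ghost_area_clean": code_area_is_clean(ghost),   # False: dead bytes remain
        "cured_hit": find_scan_string(cured),            # -1
        "cured_area_clean": code_area_is_clean(cured),   # True
        "table_preserved": partition_table_of(cured) == partition_table_of(clean)
                           and cured.endswith(BOOT_SIGNATURE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hit after the partial repair lands at an offset beyond the rewritten loader, in bytes the BIOS will never execute, which is exactly the false positive Tim describes. The check worth making on a repaired disk is therefore on the whole 446-byte code area, not just its first bytes, and a repair that zeroes that area while keeping the partition table and the 55AA signature leaves nothing for a scan string to match.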

------------------------------

Date:    Fri, 11 Oct 91 12:15:00 -0500
From:    <[email protected]>
Subject: RE: Books on Viruses

Joseph:
There will be a new book appearing in the next few weeks that I
believe is just what you are looking for.  It will be published by the
National Computer Security Association and be titled "Computer
Viruses: An Executive's Guide".  Call the NCSA at 717-258-1816 for
more info...
                            Charles

------------------------------

Date:    Fri, 11 Oct 91 16:38:30 -0400
From:    Yary Richard Phillip Hluchan <[email protected]>
Subject: Re: Hardware not solution

]From: [email protected] (Fred Waller)

]                      Fred's Virus-Resistant Machine
]                     ------------------------------
]Fred's Virus-Resistant Machine also had two disk drives, a "program"
]disk and a "data" disk.   It, too, had a _small_ switch (not red),
]labeled: "Install/Run".
]
]  (Notice that unlike Jay's Machine, Fred's machine was not Virus-
] Proof but only Virus-Resistant. Is Fred more modest in his goals
] than Jay...?    He also added some few extra touches that Jay
] didn't think of, and his switch was rather smallish, and not red).
....
] While sleeping thus, he tried Boot infectors and he tried executable
] infectors. He tried stealth viruses and candid ones, viruses that
] self-encrypt and mutate and he tried others that do none of those
] things.  He even intentionally allowed viruses on the `program'
] disk, but kept the little switch in its safe position.  He had TSR
] viruses, and transient viruses, big ones, little ones, American,
] Israeli and Bulgarian, "wild" and "research" viruses, smart and
] dumb ones... he tried them all.
]
] In this way, while Jay decided that his machine couldn't possibly
] work, Fred discovered that his machine (which wasn't virus-proof,
] but only virus-resistant)  *did* work, and extremely well. None of
] his favorite viruses (hundreds of them, my goodness!) succeeded in
] infecting it.

In other words, you built one computer and ran viruses designed for a
completely different computer.  If Fred Waller's Virus-Resistant machine
became widely available, all viruses that infect .COM, .EXE, etc files
would become obsolete, granted.  But about six months after we all
upgraded to the protected-disk scheme we'd start seeing the spreadsheet
/ .BAT / terminal viruses...

]While viruses are programs they do things that programs should not do
]except in special (and trackable) cases: one of these is to attempt to
]write to executable programs, another is to go resident (at least
]successful viruses do).  Both of these are detectable and flaggable.
](The flagging is where many early programs failed since it was not
]selective. BYPASS makes it selective.)

A "new" virus would write to a shell / macro / etc. data file, and would
execute from within some third-party software other than the operating
system.

Hardware is a help, but not the answer.  I don't think there is an
answer.  Follow mom's advice:  "Just be careful out there."

------------------------------

Date:    11 Oct 91 22:06:58 +0000
From:    [email protected] (Gene Spafford)
Subject: Re: Books on viruses?

To get an overview of computer viruses and related beasties, the two
best books are without doubt:

"Computers Under Attack: Intruders, Worms, and Viruses" edited by
Peter J. Denning and published by ACM Press/Addison-Wesley (1990)

"Rogue Programs: Viruses, Worms, and Trojan Horses" edited by Lance
Hoffman and published by Van Nostrand Reinhold (1990).

Both books present material from many different sources, covering a
full range of theory, practice, law, defenses, etc.  They are also
significant because they look at a somewhat broader perspective than
just viruses, and neither editor is involved in the sale or marketing
of antivirus technology or classes.  Both are scholarly compilations.
- --
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398
Internet:  [email protected]   phone:  (317) 494-7825

------------------------------

Date:    Fri, 11 Oct 91 15:54:59 -0600
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Books on viruses?

[email protected] (Joseph Costanzo) writes:

>Surely there must have been a good book published recently about
>viruses - the basics.  I really don't know much about them, but would
.
>Anyway, to protect my system, I'd like to know a bit about viruses:
>how they work, how to protect/defeat them, etc.

>Any suggestions?

I'm not sure about the book market, but there's good stuff on the
Internet.  In particular I have been appreciating Rob Slade's continuing
"*.CVP" series of postings.  Are these being collected anywhere? (Ken? Rob?)

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------

------------------------------

Date:    Fri, 11 Oct 91 15:46:20 -0600
From:    [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: DIR II (Cluster) Virus (PC)

[email protected] (Johnathan Vail) writes:

>My claim is that DIR 2 can legitimately be called a virus since it is
>logically still part of another program and relies on a host program
>being run in order to get an execution thread.

Logically, isn't DIR 2 a "Dynamically linked library"?  Hmmm: what to
use as a biological analogy?  Maybe DIR 2 should be called a
"computer fungus".  :)   Actually my biologist friends get upset
as it is, with our use of "virus" to refer to computer code!

-------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 [email protected]      *
-------------------------------------------------------------

------------------------------

Date:    Fri, 11 Oct 91 16:55:57 +0000
From:    [email protected] (Vlod Kalicun.)
Subject: Partition viruses?? (PC)

Hello all,

Can someone please explain the removal of partition viruses?
Is there any way of removing the A-Tel from the partition???

All help will be gratefully appreciated..

Thanks..
Vlod.
cs_b152@ux.kingston.ac.uk

------------------------------

Date:    Fri, 11 Oct 91 17:05:00 -0500
From:    [email protected]
Subject: Re: Hardware

[on the thread of a virus-resistant computer system]
>
> He forgets that some data-files are also program files (not for the
> cpu but for a program on the program-disk) and a virus written in the
> interpreted language can infect all the other "data" files of this
> interpreter.
>
> Fred said he uses his spreadsheet without worrying, but if I write a
> virus in his spreadsheet language and put it on his machine, then
> after usage all his spreadsheets are infected. If it is a
> destructive virus then I may destroy all his spreadsheets on Friday
> the 13th.
>
> Right, the spreadsheet program itself is still clean, but still he lost
> all his files on this "virus-resistant" computer-system!

Even easier (and possibly more dangerous) would be a virus written in
DBASE.  A virus which spread through program files (which would have
to be on the data disk unless you want a static system) could
devastate _all_ your DBASE files (on the data disk), since you have an
extraordinary amount of control over your environment from within the
DBASE programming language.

If Fred Waller believes this could not happen, or that it could happen
but not spread, or that it could spread but not be destructive, he
should e-mail me for further details.

Mark

- --
Mark "mostly harmless" Pilgrim                ___/_ Here's to the days of hole
f8dy@crnlvax5 -=- [email protected]   \___/ punchers, joysticks, non-
Disclaimer: My boss disavows this disclaimer.   |   standard RWTS, 4C 00 C6,
"Elephants are kindly but they're dumb." -S&G  _|_  and 8K operating systems.

------------------------------

Date:    Fri, 11 Oct 91 11:45:24 -0500
From:    James Ford <[email protected]>
Subject: Misc. information (PC and other)

On Thursday, October 10th at 3:20pm, a backhoe decided to cut some
fiber-optic cable at a location 60 miles away from the University of
Alabama.  As a result, the domain "ua.edu" (and probably some other
sites) was isolated from the rest of the net.  At around 6:30pm(ish),
service was restored.

There are 2 new directories available on risc.ua.edu....

                        pub/virus-text/docs
                        pub/virus-text/reviews

These directories contain all the information located at cert.sei.cmu.edu's
directories pub/virus-l/docs and pub/virus-l/docs/reviews.

If you have any questions/suggestions/problems, please drop me a line.
- --------------
Favorite DOS error msg:  "Keyboard not found.  Strike F1 to continue....."
- --------------
James Ford - Consultant II, Seebeck Computer Center
            [email protected], [email protected]
            The University of Alabama (in Tuscaloosa)

- ------------ directory of pub/virus-text/docs -------------

12tricks.txt                pc.lab.config.mgt.1
aids.tech.info              pc.lab.config.mgt.2
anti.virus.measures         pc_virus_list.ferbrache
bulgarian.factory.ps        pc_virus_list.solomon
bulgarian.factory.tex       six.bytes.padgett
call.for.papers.sigsac      stoned.descript.lawrie
comp.sec.novell.david       tour.crt
eval.txt                    tour.n
fido.rsa                    tour.ps
goodwin.list                tr823.doc
grad.schools.summary        tr823.ps
ibm.paper                   universal.detector.molini
identify.txt                vguide.txt
implement.mcafee            virus.kiel
levine.paper                virus.strategy.whm
mac.guide.shull             virus101.1
mac.guide.shull.hex         virus101.2
mac.list.1                  virus101.3
md4.rsa.paper               virus101.4
mit.ps                      viruses.ussr
net.hormones                vproinfo.txt

- ---------- directory of pub/virus-text/reviews --------------------

louw.carmel               mcdonald.viruc            slade.eliminator
mcdonald.avsearch         mcdonald.virucide         slade.fprot
mcdonald.central.point    mcdonald.virus            slade.guidelin
mcdonald.disin            mcdonald.virusafe         slade.guidelines
mcdonald.disinfectant     mcdonald.viruscan         slade.ibm.virscan
mcdonald.flushot          mcdonald.virusdetective   slade.mace
mcdonald.fprot            mcdonald.virx             slade.norton
mcdonald.ibm.anti-virus   slade.advanced.security   slade.scan
mcdonald.index            slade.antiviru            slade.tbscan
mcdonald.norto            slade.antivirus           slade.vendors
mcdonald.norton           slade.av-plus             slade.victor.charlie
mcdonald.sam              slade.central.point       slade.viraway
mcdonald.seer             slade.certus              slade.virex-pc
mcdonald.tbscan           slade.cillan              slade.virucide
mcdonald.virex            slade.contacts            slade.virus-safe
mcdonald.virexmac         slade.control.room        slade.virus.buster
mcdonald.virexpc          slade.disksecure

------------------------------

Date:    Sat, 12 Oct 91 13:02:12 -0500
From:    James Ford <[email protected]>
Subject: New files on risc (PC)

The following files have been placed on risc.ua.edu (130.160.4.7) for
anonymous FTP in the directory pub/ibm-antivirus:


           scanv84.zip  - McAfee's Scan v84
           clean84.zip  -          Clean v84
           netscn84.zip -          NetScan v84
           vshld84.zip  -          Vshield v84

           secur231.zip - Secure v2.31 (by Mark A. Washburn)

If you have any problems, please drop me a line.  Older versions of these
programs will be removed.
- ----------
The only alternative to perseverance is failure.
- ----------
James Ford -  Consultant II, Seebeck Computer Center
             The University of Alabama (in Tuscaloosa, Alabama)
             [email protected], [email protected]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 189]
******************************************
