VIRUS-L Digest Wednesday, 16 Oct 1991 Volume 4 : Issue 192
Today's Topics:
Dr. Fred's Contest
Re: disable ctrl/break? (PC)
Re: SF Worms/Viruses (Re: HW not a solution)
Re: SF Worms/Viruses (Re: HW not a solution)
Generalized opinion question about Mac/IBM arrangement
DIR II virus and DOS 3.31 (PC)
Counter-Measures
re: Interesting?
Joshi has struck.... (PC)
An anti-virus patent
Need help with Form (PC)
BGS-9 Amiga file virus (Amiga)
Hardware defenses
scanner for all files (PC)
Re: Experiences with hardware protection (Thunderbyte)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 15 Oct 91 11:02:27 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Dr. Fred's Contest
>From: Joe McMahon <
[email protected]>
>On Fri, 11 Oct 1991 09:27:47 EDT Padgett Peterson wrote:
>>The major diversion occurs if the LOGIN script determines that the
>>required management safeguards are NOT in place on the client
>>requesting connection and the script then gives the client the choice
>>of having the software (which includes a mix of TSRs and replacement
>>MBR and boot records) installed on his/her machine or being denied
>>access.
>The problem is guaranteeing that the program which is saying "I'm
>going to mess with your data now" is really the maintenance program
>and not something that will kill every machine on the LAN.
>Most users will just say "OK" if the prompt to "fix" things looks OK.
>How else do they check it?
First this is a technical problem (solvable) & there are several choices:
1) allow the server script to proceed.
2) call the administrator first (number should be in message) to verify
what is going on.
3) allow the login to abort and call a tech to perform the installation.
4) provide some means of electronic authentication.
5) forget using the server (spackle).
See, the user has a choice - real viruses won't ask.
However the question is really one of "can you trust the system
administrator to do his/her job properly". The correct answer is "you
gotta trust somebody" and dates back before the first Christmas.
Since the technique is the same as we have been using successfully on
mainframes for years, it does have a good track record (or do you check
the SYLOGIN.COM each time you login to a VAX ?)
Padgett
ps there seems to be some confusion about ProgramDisk and DataDisk - on my
Tandon laptop & office Zenith they are two partitions on a single drive.
On my home "conglomeration" they are two different drives. It doesn't really
matter (could be more too e.g. DevelopmentDisk, UnixDisk, etc all with
different permissions/restrictions).
------------------------------
Date: Tue, 15 Oct 91 14:53:35 +0000
>From:
[email protected] (Gary Heston)
Subject: Re: disable ctrl/break? (PC)
[email protected] writes:
>Our lab machines run a virus check at boot and are SUPPOSED to hang if
>a virus is found. Unfortunately, our instructors have been saving
>time by teaching the students to press Ctrl/Break at boot in order to
>skip the test. The result is of course that the lab machines are all
>infected. Can this (ctrl/break) be disabled?
Yes, put:
BREAK=OFF
in your config.sys files, preferrably as the first line.
Then, explain to the instructors that they can be held personally
liable for the expense of cleaning up the systems if they make any
further attempts to bypass the virus checking. This behavior is akin
to teaching students that they can cut a hole in a fence rather than
walking a few extra steps to a gate. At the very least, write them a
nasty memo and copy it to their department head.
- --
Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or
My opinions, not theirs. SCI Systems, Inc.
[email protected]
Become a pheresis donor. Loan your blood to the Red Cross for a couple
of hours. They, and cancer patients, will appreciate it.
------------------------------
Date: Tue, 15 Oct 91 14:33:30 +0000
>From:
[email protected] (Gary Heston)
Subject: Re: SF Worms/Viruses (Re: HW not a solution)
[email protected] (Rick Smith) writes:
|
[email protected] (Jay Skeer) writes:
|>P.P.S. I got the idea of a computer virus from an old S.F. book. In
|>the book they actually describe a worm (and called it that) ...
|There's Gerrold's "When Harlie was One" which dates at least to the
|early 70s. There's "Adolescence of P1" (a Morris-like worm) which I
|read in the mid-late 70s, but I don't remember the author.
|I've heard people refer to "Shockwave Rider" as a classic example
|of worm/virus SF though I've never read it and don't remember the
|author's name.
"Shockwave Rider" is by John Brunner. I have it and "The Adolescence of
P1" at home; I'll check on it. I don't know if I would quite classify
"P1" as a virus; more of a haywire AI project.
"Shockwave" describes the construction and release of worms into a
worldwide network as a common practice, used for everything from
fraud to revenge, and is probably the book Jay is thinking of.
- --
Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or
My opinions, not theirs. SCI Systems, Inc.
[email protected]
Become a pheresis donor. Loan your blood to the Red Cross for a couple
of hours. They, and cancer patients, will appreciate it.
------------------------------
Date: 13 Oct 91 21:18:41 +0000
>From: "Kent.Dalton" <
[email protected]>
Subject: Re: SF Worms/Viruses (Re: HW not a solution)
>>>>> On 8 Oct 91 20:01:21 GMT,
[email protected] (Rick Smith) said:
>P.P.S. I got the idea of a computer virus from an old S.F. book. In
>the book they actually describe a worm (and called it that) ...
>.... This was in 1983 or 4.
>Does any one know the name of that book, or of an earlyer reference to
>computer viruses?
Rick> There's Gerrold's "When Harlie was One" which dates at least to the
Rick> early 70s. There's "Adolescence of P1" (a Morris-like worm) which I
Rick> read in the mid-late 70s, but I don't remember the author.
Rick> I've heard people refer to "Shockwave Rider" as a classic example
Rick> of worm/virus SF though I've never read it and don't remember the
Rick> author's name.
Rick> Rick.
Rick>
[email protected] Arden Hills, Minnesota
John Brunner wrote "Shockwave Rider" it was published in 1975. He called
them "Tapeworms" as I remember.
It has often been cited as a precursor to the Cyberpunk SF Subgenre.
Actually, now that I think of it, I read an article about the Robert
Morris Internet worm case where the book was mentioned several times.
For those interested checking it out:
ISBN: 0-345-24853-8-150
Library of Congress Catalog Card Number: 74-23861
- --
/**************************************************************************/
/* Kent Dalton * EMail:
[email protected] */
/* NCR Microelectronics * CIS: 72320,3306 */
/* 2001 Danfield Ct. MS470A * */
/* Fort Collins, Colorado 80525 * (303) 223-5100 X-319 */
/**************************************************************************/
Fortune:
An effective way to deal with predators is to taste terrible.
------------------------------
Date: Tue, 15 Oct 91 15:04:00 -0400
>From: <
[email protected]>
Subject: Generalized opinion question about Mac/IBM arrangement
Just out of curiosity (and please forgive me if this has already been
discussed, I was off the list for the summer) what does everyone think
the arrangement between Apple and IBM will do to the propogation of
viruses? Will there be more of them, or will new machines be infected
with the same old viruses once they get around to offering their joint
OS (Okay...I realize it'll be some time before we see this, but I'm
being really, really optimistic.)
Melissa Jehnings
Student Manager | Treasurer
Academic Computing Center | Computer Users' Group
Wheaton College
Norton, MA
BITNET: LISSA@WHEATNMA
WUG@WHEATNMA
"Men go crazy in congregations/ They only get better one by one."
---Sting, "All This Time"
------------------------------
Date: Tue, 15 Oct 91 18:30:32 +0300
>From:
[email protected] (Dmitry O. Gryaznov)
Subject: DIR II virus and DOS 3.31 (PC)
There was a PC here running COMPAQ DOS 3.31 with 40Mb hard disk in a
single partition C:. It began to "hang" during bootstrap. During
investigation was found that the PC was infected with DIR II virus.
All affected .EXE and .COM (COMMAND.COM as well) were cross-linked to
the last cluster marked as FFFEH. But there was NO the virus body in
this cluster! The virus body was found in sectors 65535-65536 (hex
FFFFH-10000H) instead. An additional analysis of the DIR II code
revealed that this is a bug in the virus. When the virus forms a
driver request to write its body to disk it uses request headers
formats correct for DOS versions previous to 3.31 and for DOS 4.0+.
BUT COMPAQ DOS 3.31 USES DIFFERENT REQUEST HEADER LAYOUT! This leads
to the virus body being written to sectors 65535-65536 (FFFFH-10000H)
instead of the last cluster. If any file occupies these sectors -
it'll be corrupted. It is still possible to recover affected files if
these sectors were not overwritten which is possible since the virus
doesn't protect them being sure it resides in the last cluster. All
DIR II disinfectors are to be changed to detect the above case.
- --
Sincerely,
Dmitry O. Gryaznov | PSI AS USSR
[email protected] or
[email protected] | Pereslavl-Zalessky
Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR
------------------------------
Date: Tue, 15 Oct 91 16:27:26 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Counter-Measures
>From:
[email protected] (Fred Waller)
Fred is an intelligent and thought provoking individual who is not
afraid to state his convictions. However, his conclusion is
fallacious. The wonderful part is that this has lead to what may be a
real-world solution for the large-site, large network problem that is
driving managers up the wall. Read on. Vendors take notes.
> From (Waller's) Pecking-order Metaphysics, one readily derives the
> Waller Principle:
> "If You Really Want to Stop a Software Virus, Stop
> it with Hardware".
> and the Waller Afterthought:
> "Anything Else is Probably a Waste of Time and Effort, and
> May Actually Be Counterproductive".
I have a real problem with this one since I firmly believe that a
"good-enough" (quantum economics) software anti-viral solution is
not only possible but much less complex than a hardware solution that
does anything more than select which drive to boot from (and several
BIOSes will do this for you - in fact this may be the only "hardware"
needed).
While hardware will work, even a "best case" retrofit would involve
either a new BIOS (standard ones seem to be in the U$70.00 range each)
or a card (maybe as low as U$25.00 but the cheapest I've seen in Computer
Shopper was U$50.00 + a slot) and the real "cost" is likely to be in
the setup. On the other hand, my technology demonstrator, DiskSecure, can
install in less than 30 seconds, works with MFM, RLL, IDE, and SCSI
drives (haven't tried an EDSI drive) and provides for even faster
recovery in case of a misteak.
Also "economys of scale" work much more favorably for software than
hardware: the delta cost of acquisition is essentially zero for a
site or server license.
More importantly, as pointed out with respect to Dr. Fred's contest,
update/installation could even be performed automatically on a network
that would also serve as a repository for the recovery information.
(do I sense a glimmer of what might be a "true solution" for large
networked sites ? - obviously impossible with hardware - might be a
paper in this).
> Why not just send Spafford to a remote (but tropical) island
> instead? His rounded figure will get a suntan that should go well
> with the beard... :-)
It's called Florida (see Gene's secondary address) & no place is remote
any more (just look at the other V-L return addresses). I'm beginning to
think that New Zealand is just off South Carolina.
> .... and we're back in the forties.
Never left the sixties myself, just ask my wife 8*)
> Of course it's easier to infect MS DOS systems (Can many users
> write to a mainframe executable or system file?). But another (not
> minor) consideration is that there are some 60 million MS DOS PCs
> out there. That's a market. Both viruses and antiviruses must
> perceive that fact. It's likely to be a main motivator.
> In both cases.
Partly true - it is harder to write a proper master boot record (and requires
some tweaking of MASM) for a PC than to create a file infector using VMS
FORTRAN. Getting permission to infect the file is, of course, another matter.
However, few people have a VAX in their den closet, and, while I actually
wrote a working VMS device driver once, I never want to do it again.
However, even VMS has had more "compatability" changes than MS-DOS: Just a
few years ago, new releases required recompiled code as the run-time
library would change and even more recently uVAX VMS was merged with "real"
VMS so that executables for one would run on the other.
Just to avoid bashing DEC alone, I'll say that EBCDIC is not really encryption.
However the important point of this posting was about a screen and a half
ago (I keep trying to forget JCL). Given proper site licensed software
designed with the network in mind, we are ready for a quantum leap in defense
from malicious software. Everything is here already, it is just a matter
of doing it.
Consider the following: (already mentioned to John and Roger) major anti-viral
software and disk protection software is maintained on server. One stop
updates as new releases occur.
When client logs in server (in login script) authenticates presence of
anti-viral/access control software on client (Tim can tell you that this
works - nothing blue-sky here). If not found, server prompts client for
permission to install software - if refused, connection is terminated.
Next, server checks for client having latest version of software, if not,
client is again prompted for permission to update if necessary. (PRODIGY
(sm) is said to do this without prompting on connection).
Following update, server and client handshake to verify that all systems
are GO & normal login procedures follow.
Would you believe update of 5000 clients in a 1 hour period is possible ?
(Have you seen how fast the Jerusalem can spread in an unprotected system ?)
Would you believe that even in the unlikely case of infection (resident
systems remember), it would be caught almost immediately ?
Would you believe that nasty software would have to subvert the server first
or be caught quickly (and we have trained people whose job is to watch for
that - 1 per thousand PCs is about right) ?
Sure there are RISKS (hello Peter), but technical ones and solutions are
possible.
Think about it.
Padgett
Now if I can just find a way around the IRQ-5 conflict between LPT2 and my
FAX board when the zero-slot LAN is established in my den closet...
------------------------------
Date: 15 Oct 91 17:02:56 -0400
>From: "David.M.Chess" <
[email protected]>
Subject: re: Interesting?
> From:
[email protected] (Fred Waller)
> But if one is a practically-oriented person who seeks to solve
> problems on a day-to-day basis, the statement may seem very
> attractive and interesting. The reason is simple: hardware
> protection DOES stop viruses. In reality.
> The fact is, it has done that. In practice.
Well, it does stop viruses in your test, which was running known
viruses (ones not designed with your machine in mind), in a test
situation. It remains to be seen to what extent it can do it in more
day-to-day practice. I'd like to see, for instance, a large group of
users somewhere (a department at a typical business or university, or
a PC User Group, say) try out the approach, and see if it was both
livable-with and effective against actual viruses in daily use. It
might very well be! I think it'd be a very interesting experiment. I
was just pointing out that the experiment hasn't been done yet, and
that your test wasn't really proof of anything in particular (any
number of software anti-virus solutions would have passed the same
test, after all). I'm definitely interested in solving problems on a
day-to-day basis (as well as in the long run). If your approach turns
out to do that, and yet leave the machine easy enough to use for users
to accept it, that'd be Really Good News!
> But doesn't the same reasoning apply to software protection? Users
> can defeat both hardware protection and software protection just as
> easily.
Yep. That was really my main point: although they sound very
different, software and hardware have similar vulnerabilities and
tradeoffs. Either one must be used in a real life setting to see
whether it's cost-effective. The Test of the Marketplace, if you
will...
DC
------------------------------
Date: Tue, 15 Oct 91 21:32:31 +0000
>From:
[email protected] (Brett L. Kessler)
Subject: Joshi has struck.... (PC)
A friend of mine here at school has managed to infect every one of his
bootable disks, including his hard drive, and a whole bunch of his
friends' computers with the Joshi virus.
I've tried using both F2 and CLEANv82 to get rid of the virus (after
booting from a clean system) to no avail. Can somebody please send me
(via EMail) a sure-fire way of eradicating Joshi?
We'd really rather not have to format a couple of 40-MB hard drives.
+----------------------------------------------------------------------+
| /// BRETT KESSLER
[email protected] |
| /// Senior Computer Consultant, State Univ. of NY at Binghamton |
| \\\/// |
| \XX/ "Sometimes a cigar is just a cigar." -- Sigmund Freud |
+----------------------------------------------------------------------+
------------------------------
Date: 15 Oct 91 17:15:26 -0400
>From: "David.M.Chess" <
[email protected]>
Subject: An anti-virus patent
I've just run across an interesting U.S. patent. It's number
4,975,950, granted to Stephen A. Lentz, entitled "System and Method of
Protecting Integrity of Computer Data and Software". The filing date
is November 3, 1988.
It basically patents the idea of having a virus-checker get control
before the operating system, and not allowing boot if it finds a
virus. One sample PC implementation is code in an additional ROM
module (on a "virus protector board") that would get control during
boot (like the hard disk BIOS, the EGA BIOS, and so on), and load and
test "the system files" (not clear if he means the boot records, or
things like IBMBIO, IBMDOS, COMMAND.COM), and not allow boot if a
virus was found (how it tells isn't spelled out). This is just one
sample implementation; the actual claims are quite broad, and seem to
cover anything that gets control between the "program for controlling
said central processing unit" and the "program for interfacing said
storage memory with said system", by which he presumably means
ROM-like things and operating-system-like things.
Has anyone else seen this patent? The date (November, 1988) seems
rather late to me. Is it really the case that no one had published
that idea before then? (It doesn't count if someone just *used* the
idea, of course; it has to have been published somewhere, if only in
the documentation of something that uses it.) Gee, we're slow! *8)
DC
------------------------------
Date: Tue, 15 Oct 91 17:41:00 -0400
>From: B0G46426%
[email protected]
Subject: Need help with Form (PC)
Greeting.
Can anybody out there help me with this problem ? I have an 486
machine with 2 hard drivers. Yesterday when I used scan80 to check my
system, the program reported the viruse 'form' appeared on my "C"
driver's partition. I tried to remove the viruse with 'clean', which
came with the scan, but it said it could not remove it. Then I used
the Norton Utility to check the disk, it reported there is a byte in
either the boot sector or the partition table, I forgot which one, was
set incorrect. I have some important datas on the disks, and I don't
have the latest backup. Can anyone tell me what happened to my
disks,and how to clear the viruse without formating the disks ? In
case I have to format the disks, how do I backup datas from the
drivers without taking the viruse with the datas.
Thankyou for any help in advance
Venmoon Soo
B0G46426@CCNYVME
or
VESCC@CUNYVM
------------------------------
Date: Wed, 16 Oct 91 01:52:39 +0000
>From:
[email protected] (Peter David THOMPSON)
Subject: BGS-9 Amiga file virus (Amiga)
The BGS-9 is a file virus in the Amiga. It's infection routine is as
follows;
1) Open startup-sequence, and find the first executable file.
2) Rename that file to "devs:__________" where _ is character $A0 (number
of them is not necessarily the same as posted here).
3) Copy itself into the place of that executable.
Protection measures:
1) Keep your boot disk write protected. If on a hard drive, use the LOCK
command. This is the best protection measure to take if using new or
suspect software.
2) Run a virus checker (Nic Wilson's NoVirus or Jonathon Potter's ZeroVirus)
every so often.
3) Use one of the BGS protection programs, which create a zero-length
file in the DEVS: directory of the name referred to above so that the
rename fails. NOTE: This may cause some virus checkers to describe your
disk as infected.
I hope that you find this information useful. All followups via
email - I don't read this group.
/******************************Disclaimer*********************************
** My opinion(s) are wholly my own (No-one else wants them) and is(are) **
** independant of any part of the University of Melbourne, Australia. **
******* Followups to
[email protected]; flames to /dev/null. *******/
NOTE: This sentence does not in fact have the property it claims it lacks.
------------------------------
Date: 15 Oct 91 22:31:07 -0400
>From:
[email protected]
Subject: Hardware defenses
Regarding Fred Waller's pecking order, one often neglected
consideration is that the levels in the pecking order communicate (in
some sense) with each other. For instance, if protection hardware can
be disabled by the operator, a virus can tell the operator to disable
the protection hardware, and some fraction of the operators will obey.
Bill Arnold
[email protected]
------------------------------
Date: Tue, 15 Oct 91 23:14:00 -0400
>From: Bob Babcock <
[email protected]>
Subject: scanner for all files (PC)
Recently I corrupted some files on my hard disk, not by a virus
infection but by changing my QEMM setup and crashing while downloading
in the background. The end result was a few corrupted files with
unchanged time stamps, and maybe a few more such files that I haven't
found yet. What I would like for future use is a checksumming program
which would look at all files on my hard disk and tell me which ones
have changed without the time stamp changing. Will any of the
anti-virus programs do this? The closest I've found is one which only
looks at executable files.
------------------------------
Date: 16 Oct 91 08:15:14 +0000
>From:
[email protected] (Harry Stox)
Subject: Re: Experiences with hardware protection (Thunderbyte)
[email protected] (Reinhard Kirchner) writes:
>I got produkt information about a hardware virus protector called
>'Thunderbyte' which intercepts all mysterious writings to the disk, e.g.
>absolute ( not through dos ), writing to exe/com files etc.
>
>So I want to ask: Is there any experience with such devices, thunderbyte
>or others ? Is it worth the money ?
Although personally I don't have any experiences with the Thunderbyte
hardware, my guess is that is is unusable with modern IDE or SCSI
drives, since the hardware is placed between your MFM/RLL controller
and your harddisk.
The idea behind Thunderbyte resembles that of FluShot, with the
exception that instead of in software, the locking of the hard disk is
now done in hardware.
Given the abominable quality of the TBScan software, which stems from
the same company, I personally wouldn't trust the software which
controls their hardware lock.
If you want to protect your ST506-based harddisk, a simple switch in
the write enable logic is far more cheaper and - at least in my
opinion - as effective as the Thunderbyte system.
- -Harry
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 192]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
