VIRUS-L Digest   Monday, 21 Oct 1991    Volume 4 : Issue 196

Today's Topics:

re: Virus-writing course for teenagers
Disagreement
Thunderbyte
Re: Books on viruses?
Stealth and Mutation Techniques (PC)
Interpreted things
Antiviruses
Leopards
It says so...
Two subjects
Hardware!
Picky!
Thunderbyte (PC) - review available?
SVC 5.0 (PC)
What is CoolCapture? (Amiga)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 18 Oct 91 19:35:44 -0500
From:    Werner Uhrig <[email protected]>
Subject: re: Virus-writing course for teenagers

> To co-present the techniques of virus construction with the ethical
> considerations is perhaps the most desirable approach.

       then you also believe that giving everyone a gun and a course
       in ethics (together with the practical training) would have
       kept the nut in Killeen, Texas (just up the road from here)
       from shooting all those people earlier this week?
       (or make the world a safer place, in general?)          :-((

> But denial is not the correct manner or civilized way in which the
> problem should be tackled

       I think you are making the old mistake of looking at the
       empty part of a half-full glass ...

       there is a difference between (ultimate) denial of information
       from some who are making an effort to obtain it (because in
       your judgement you "hold doubts" about the intentions) and
       no-holds-barred pushing "problematic knowledge" on the general
       public....

       if you don't see "the fat line", you are more a part of the problem,
       and not so much part of the solution ....

       IMO...

       what is important to spread is "defensive information", not
       "knowledge of offensive techniques"

Let's not hear any more about censoring information about viri and
concentrate more on ensuring that the people who compose our community
are more responsible with the knowledge that is given to them

       can we ensure (and test) for the ethics, before we give
       the guns away?  And when in doubt, let's do without the
       talents of those that fail the tests - I'm pretty confident
       that is as healthy an attitude as not giving guns to all
       would-be bounty-hunters (and before they even apply for a
       weapon's permit)...

       and let's not forget that computer virus knowledge is more
       like having a bottle full of new Cholera-viri than a six-shooter

In times past, knowledge of a computing technique was always
considered beneficial, now such knowledge has the potential for harm.
The circumstances in which the computer professional finds h**self
have changed. It is time we changed too, and stopped trying to deny
the apparent reality which surrounds us.

       exactly.  so why do you appear (to me) to deny it then?!?

                               Sincerely,              ---Werner

ps: apologies for the analogies (and cynicism); I hate analogies, actually,
   but they seem to "come natural" sometimes, when one wants to make a
   STRONG point, rather than a PRECISE argument.  just try and (I expect)
   you'll have no problem understanding my point of view (if not my views).

----
                     Time to impeach them all:
 The President, the Senate, the people who answer opinion polls ...
-----
Internet:       [email protected]  or  [email protected]
BITnet:         werner@UTXVM
UUCP:     ...!uunet!cs.utexas.edu!werner
-----

------------------------------

Date:    Fri, 18 Oct 91 20:38:36 -0700
From:    [email protected] (Fred Waller)
Subject: Disagreement

Writes padgett%[email protected] (A. Padgett Peterson),
quoting my post:

>> We have more antivirus utilities than ever. There are more
>> defense variations than ever. There are also more viruses
>> than ever. They infect more machines than ever.

and responds:

> Major disagreement. It is easier to protect a single platform
> with a "mission-adaptive" approach loaded first than it is to
> subvert one.

I hope the disagreement is not with the *facts* as stated in my
message: "There are more defense variations than ever. There are
also more viruses than ever. They infect more machines than ever."
Those facts are a little difficult to disagree with.

On the other hand, if the disagreement is with the perceived
*reasons* for the proliferation of viruses:

 > The only reason that viruses have been so successful is that
 > the bulk of the 50 (or is it 70) million PCs have NO defenses.
 > Protected PCS are still in the minority (but increasing).

then I'd have to say that I don't think that's the only reason.
It doesn't take into account the enormous increase in _new virus
species_,  which has nothing at all to do with machines being
protected or not...

The incidence of infection may be dependent on protection (if the
protection is effective, a big "IF"), but it has nothing to do with
the creation of hundreds and hundreds of new viruses whose main
effect seems to be the eager encouragement of frequent updates of
the virus scanners.


Fred Waller
[email protected]

------------------------------------------------------------------
   "I disagree with what you say but will defend to the death
    your right to tell such LIES, LIES!  ALL LIES!"           :-)
------------------------------------------------------------------

------------------------------

Date:    Fri, 18 Oct 91 20:22:27 -0700
From:    [email protected] (Fred Waller)
Subject: Thunderbyte

Writes [email protected] (Reinhard Kirchner):

> I got product information about a hardware virus protector
> called 'Thunderbyte' which intercepts all mysterious writings
> to the disk, e.g. absolute ( not through dos ), writing to exe/
> com files etc.

Yes, this is an interesting combination hardware-software antivirus
scheme. Thunderbyte attempts to give users some reasonable features
that should (and could) have been part of the IBM PC at nearly no
extra cost in the first place, but aren't.  From this viewpoint,
it gets my *enthusiastic* support!

The small card which is part of the package includes some firmware
(a ROM BIOS extension), including automatic (i.e., software
controlled!) file-rights based disk-write management ability.
You have to use certain programs that come with the card.  It's
really not a true hardware protection device, and some systems
seem to become unhappy with whatever it is that Thunderbyte tries
to do to them.  You may have to change DIP switch settings to
change the place in RAM where the Thunderbyte BIOS code loads on
booting, and you might even find some programs that overwrite it
there, causing the card to halt the machine... but in general it's
an original and worthwhile idea.

Because it's really a software device (although it looks like
hardware!), there are ways to bypass it. But it is an innovative
approach and the two scanners (one resident, one transient) that
come with it are also fairly effective and extremely fast.

Personally, I like Thunderbyte, although it's not quite the way I
would have done things...  :-)  Also, the installation instructions
leave much to be desired, and the translated English .DOC files are
sometimes cryptic.

> Such a thing costs appr. the same as a software package, and
> it does not depend on updates for new viruses.

You noticed... yes, that's one of the more interesting aspects of
hardware and even pseudo-hardware protection... (but the fast
scanner that comes with it DOES need periodic updates because
it is, essentially, a signature scanner, though it seems to
operate in an unorthodox fashion. To be precise, its signatures
file gets periodically updated.  And in practice, the scanner
program itself has suffered many frequent updates also.

> So I want to ask: Is there any experience with such devices,
> thunderbyte or others ?   Is it worth the money ?

It's an interesting system but not a 100%-true hardware protector.
Whether it's worth buying or not must be your own decision. I would
try to use it `on approval', or at least see it demonstrated in
detail; if you like it, and it works on your machine, buy it.

You might also look at PC-cillin, a similar hardware-software
combination that got a truly bum "report" from the Virus Bulletin.
(Any faith I might have had in Virus Bulletin's reporting fairness
died after I saw their vicious "report" on PC-cillin).  It's also a
useful system, and about similarly priced to Thunderbyte. PC-cillin
is even easier to install, since the hardware part simply plugs into
the parallel port, but it's also a not-100% hardware protector, also
with some problems and also with some endearing features. It, too,
includes a string scanner and has a device driver that relies on
information stored on an EEPROM chip in the hardware part to check
the system at every boot.  It even automatically restores the hard
disk to clean condition if it finds it was infected by a boot
sector/partition table virus.  This part is rather neat.

All these operations, however, both on the Thunderbyte device and
the PC-cillin device, are purely software-driven. In both cases,
the hardware is almost incidental.  All of them use software
methods trying to ensure integrity, and these may be subverted.
The Thunderbyte author went to some pains trying to encrypt a
certain version of his scanner to prevent hacking, but it was
decrypted in the lab almost as soon as it appeared... and the
"security" and self-test methods used by PC-cillin are quite
naive.

Both these systems are interesting, but both need improvement.
But then, the available software methods aren't any better.

Fred Waller

------------------------------

Date:    Sat, 19 Oct 91 22:02:34 -0700
From:    [email protected] (Rob Slade)
Subject: Re: Books on viruses?

[email protected] (Tim Martin; FSO; Soil Sciences) writes:

> I'm not sure about the book market, but there's good stuff on the
> Internet.  In particular I have been appreciating Rob Slade's continuing
> "*.CVP" series of postings.  Are these being collected anywhere? (Ken? Rob?)

Aw shucks.  (Modestly scuffs dirt with toe.)

Microcom has just asked, and received, permission to post the *.CVP
articles on their BBS.  They are also available on Cyberstore, which is
a pay system, but accessible from anywhere with an X.25 network.

Publisher carrying large amounts of cash will not be run off the
property.   :-)

=============
Vancouver          [email protected]   | "Power users think
Institute for      [email protected] |  'Your PC is now
Research into      CyberStore               |  Stoned' is part of
User                (Datapac 3020 8530 1030)|  the DOS copyright
Security           Canada V7K 2G6           |  line." R. Murnane

------------------------------

Date:    Sat, 19 Oct 91 15:57:00 -0400
From:    "[email protected]"@HUSC3.HARVARD.EDU
Subject: Stealth and Mutation Techniques (PC)

Some phrases that seem to get bounced around regularly in this
newsgroup, which I have been following for some time, are PC "stealth"
and "mutating" viruses.  I understand that virus detectors like to
find viruses by a signature series of bytes in each version of a
virus.  How does a virus mutate, and how can you detect a mutating
virus?

Although I am a programmer, I know a limited amount about PC internals.
What is PC "stealth" and where can I find out more about it?

Replies to Internet readnews or to my account...

Thank you much.

jwb
--

The opinions expressed are not necessarily those of my employer.

------------------------------

Date:    Sat, 19 Oct 91 14:51:31 -0700
From:    [email protected] (Fred Waller)
Subject: Interpreted things

Writes [email protected] (Mark Pilgrim):

>...a virus written in DBASE.... ...If Fred Waller believes this
> could not happen, or that it could happen but not spread, or
> that it could spread but not be destructive, he should e-mail
> me for further details.

I believe it could happen, and that it could spread, and that it
could be destructive.  However, I also believe that it would be
much more difficult to make such virus as deceiving as our current
furtive ("stealth") viruses, or as difficult to detect.  Also, it
might not spread as quickly, nor as widely, since only machines
using a specific program (e.g., dBase) would be vulnerable to it,
not all DOS machines as is the case now. (But in a related
exchange between Padgett Peterson and myself, I hold the opposite
view... <grin> which only goes to prove that one can always develop
at least two opposing viewpoints for every subject).  Specific
measures, tailored to the dBase environment, would be a lot easier
to devise than DOS-universal defenses.

Finally, I believe that such a virus would be much easier to
detect and combat from the safety of a write-protected program
drive, to which the virus doesn't have access, and using low-level
resources which, unlike the case now, will no longer be readily
available to the virus.

So: I believe that such interpreted viruses would be *much* easier
to combat than the current crop. Those, Fred's machine can defend
against rather neatly...

(However, Fred has never seen an "interpreted" virus and would be
interested in trying one on his machines, if one exists somewhere.
Has Mark Pilgrim ever seen one?)

Fred Waller
[email protected]

------------------------------

Date:    Sat, 19 Oct 91 14:49:52 -0700
From:    [email protected] (Fred Waller)
Subject: Antiviruses

Writes Padgett Peterson:

> Fred ... .... is not afraid to state his convictions. However,
> his conclusion is fallacious.

It would have been so interesting to learn *why* Padgett thinks so.
Someone (especially myself!) might disagree with such conclusion,
but not knowing the reasoning that led to it, one remains cheated
of the opportunity to see things from his perspective...

> I have a real problem with this one since I firmly believe that
> a "good-enough" (quantum economics) software anti-viral solution
> is not only possible but much less complex than a hardware
> solution that does anything more than select which drive to
> boot from...

( If that's the only kind of hardware solution one can envision,
then it must indeed seem so ).  It may be `possible', or it may be
`impossible', but the software methods we've seen so far haven't
been good enough. Being a mildly astute individual, I conclude
that if the software antiviruses haven't succeeded in defeating or
even stalling viruses by now, then it might be time to try something
different. Stronger medicine?  Stronger medicine.

Searching for stronger medicine, the idea occurred that hardware
means of protection had never been breached by any virus - and
never could be. So, candidly, the idea was presented publicly here.
Result?  Never seen so many nervous software persons trying to
convince me to abandon discussion of such "outrageous" and even
"stupid" ideas...

> While hardware will work...

Thank you, thank you. I always knew it would!

> even a "best case" retrofit would involve either a new BIOS
> (standard ones seem to be in the U$70.00 range each) or a card
> (maybe as low as U$25.00 but the cheapest I've seen in Computer
> Shopper was U$50.00 + a slot) and the real "cost" is likely to
> be in the setup.

Yes, if your aim is to install a new BIOS, then you might reasonably
expect to have to install a new BIOS <g>. I wonder why one would want
to do such a thing, though...  But darn it, let's put things in
proper perspective: how much does it cost to buy a software
antivirus package?   This much:

      AntivirusPlus      $99
      CP Antivirus       $129
      Certus             $189
      Data Physician     $49
      Dr. S' Toolkit     $150
      FluShot Plus       $19
      Mace Vaccine       $99
      Vaccine            $100
      Virex PC           $130
      Virus Cure+        $100
      Virus Guard        $24
      Virucide           $49
      Virus Pro          $50
      Virus-Safe         $63
      ViruSafe           $99
      Viruscan           $25
      Virus Secure       $95
      Vi-Spy             $150

 (From the listings in PC Mag latest issue - I wonder why they
  didn't include Frisk's F-PROT though, at $1 per copy and some
  very good performance.  Maybe Iceland is not yet a recognized
  country for PC Magazine's editors... or maybe they were uneasy
  disclosing the performance of the $1 package vs. $100+ ones.
  Also not included was Washburn's SECURE, another very effective
  package which would have stopped their childish `Totally Hidden
  Virus', nor IBM's VIRASCAN, nor Thunderbyte/TBScan, nor the
  very interesting (albeit scanning) VSTOP, nor VBLOCK nor...
  many others.)

Anyway, that comes to an average price of $90 per package. Software
usually needs to be upgraded, and the true cost over time can become
very high!  Compare that with the quoted one-time price of $70
per machine and it will become apparent that hardware protection
(defined by Padgett as "changing the BIOS") may indeed seem rather
inexpensive.

Actually, if I buy the higher-priced software packages over a period
of three years, I would have spent enough money to buy hardware
protection, a new hard disk and some extra programs!

However, let me just point out that some (true) hardware protection
may cost much less than the $70 mentioned for the BIOS.

Fred Waller
[email protected]

------------------------------

Date:    Sat, 19 Oct 91 14:47:28 -0700
From:    [email protected] (Fred Waller)
Subject: Leopards

Writes [email protected] (David.M.Chess):

> Well, it does stop viruses in your test, which was running
> known viruses (ones not designed with your machine in mind),
> in a test situation.

Yes, but how can I run tests against viruses that haven't been
designed yet?  Objections to my incipient proposal have been
so... vibrant.  I've been told that such a system couldn't possibly
work, then when I said that it HAD worked, it was said that it
couldn't be useful against some still-unknown viruses, and now I'm
taken to task for not testing the system against such still
nonexistent viruses. ... :-)

I'm reminded of an old Brazilian tale, "O amigo da Onca" (The
Leopard's Friend).  Goes like this:

Two jungle buddies talk; one asks the other what would he do
if suddenly faced with a leopard. Fellow shrugs his shoulders
and replies:
  "Oh, I'd just shoot it."
  "But say you haven't got a gun", says the first.
  "OK, I'd kill it with my knife, then", replies the other.
  "Say you lost your knife."
  "Well, then I'd throw some stones at him".
  "Suppose there are no stones around."
  "Then I'd climb to safety on the nearest tree".
  "Sorry, no trees, either...", insists the first.
  "Ahh.. then, I guess I'd run like hell!".
  "Can't - your leg is broken".
The man looks strangely at the other and asks:
  "Say, that leopard, he must be a real good friend of yours, eh?"

If somebody wishes to send me some of those famous "interpreted"
viruses one is hearing about, then I'll be delighted to try
additional tests. I've never seen one myself, apart from some
silly batch-file viruses...  Or they can do the testing themselves.
Still, these wouldn't be "real world viruses" - and objections on
such grounds would also be valid.  So what am I expected to do?  I
haven't even fully explained "my system" yet, and I already stand
accused of not having completed tests against yet-to-be-written
viruses... sheeeeesshhhh!!   Leopards, leopards everywhere, and
not even a stone in sight!  But at least my leg ain't broken yet.

> I'd like to see, for instance, a large group of users somewhere
> (a department at a typical business or university, or a PC User
> Group, say) try out the approach, and see if it was both
> livable-with and effective against actual viruses in daily use.

Me too.

> I was just pointing out that the experiment hasn't been done
> yet, and that your test wasn't really proof of anything in
> particular (any number of software anti-virus solutions would
> have passed the same test, after all).

It WAS proof, and it was indicative.  Small-scale proof may
rightfully be extrapolated. But which other approaches are meant?
I don't know of any existing software method that is as effective
as hardware protection. If one exists, it should be implemented
immediately everywhere! Certainly, the use of scanners hasn't
stopped the advance of viruses.

If, however, by "solution" it is meant a "method", then of course
a method can be designed to prevent infection. As many have
cynically pointed out, never allowing any input of data or
executables would prevent infection. I hope we are not playing
with concepts in this manner.

> I'm definitely interested in solving problems on a day-to-day
> basis (as well as in the long run).

Yes, I know you are. I just felt that theoretical objections to
the basic idea of hardware protection were excessively strenuous.
From a group of people dedicated to eradicating viruses, I would
have expected a much more inquiring response...  But I concede
that my presentation is often confrontational, and may itself
cause rejection...  :-)  and that the habitués here are just
being strict in their analyses.

> If your approach turns out to do that, and yet leave the
> machine easy enough to use for users to accept it, that'd
> be Really Good News!

That's what *I* thought... requires some retraining of habits.
Comparable, say, to what happens when changing from having a
single Drive C: to having both a C: and a D:... or working from
C: and using A: to save to - a lot less work than changing word
processors.  But certain kinds of programs (self-modifying)
present difficulties, just as they do with software protection...

Fred Waller

-------------------------------------------------------------------
                Some leopards have many friends.
-------------------------------------------------------------------

------------------------------

Date:    Sat, 19 Oct 91 23:13:00 -0700
From:    [email protected] (Fred Waller)
Subject: It says so...

Writes [email protected] (Bill Arnold):

> Regarding Fred Waller's pecking order, one often neglected
> consideration is that the levels in the pecking order
> communicate (in some sense) with each other.

But `Communication' and `overcoming' are two rather different
things.  Waller's pecking order referred to overcoming, i.e.,
power - die Macht.

> For instance, if protection hardware can be disabled by the
> operator, a virus can tell the operator to disable the
> protection hardware, and some fraction of the operators
> will obey.

Yes, that's exactly what the Pecking Order principles state:

   "Neither software nor hardware are able to resist a user's
    damaging or careless action..."

Fred W.

----------------------------------------------------------------
       With operators like that, who needs viruses..?
----------------------------------------------------------------

------------------------------

Date:    Sat, 19 Oct 91 23:11:29 -0700
From:    [email protected] (Fred Waller)
Subject: Two subjects

Wrote [email protected] (Lars J|dal):
  (my apologies for mangling your surname thus. The system
   doesn't pass the 8-bit ASCII characters, so your name
   appears here as "J|dal").

> 1) Can computers (in principle) distinguish between a virus
>     and a "normal" program?
> 2) Can computers be build to be safe from virus infection?
>
> This is two different subjects! So the proof by someone-I-don't-
> know that 1) is undecidable on a Turing machine should only (or
> rather at most) discourage people designing programs to detect
> viruses, not people trying to design a system which cannot be
> infected.

Absolutely right!  Unfortunately, people may have objected because
they have a mind set that doesn't allow them to face the issue
without bias.  To them, `protection against viruses' usually means
`detection', because that's what they have been doing until now:
detecting.   Since they also proposed the idea that `detection'
(or worse, `perfect detection'), was THE right method, it's hard
for them to switch mental gears and examine the issue from a
different viewpoint.  Even though `detection' has failed, they
still cling to it and continue searching for the Holy Grail.

> Right?

You most certainly are! When I mentioned "virus-resistant" systems
here, not one person understood the term except in the context
of "detection" - a wrong context, still being employed by most. Of
course, it's not really necessary to "detect" a virus to stop its
action - just making the machine unsuitable (or even unfriendly)
is quite enough.

Fred Waller
[email protected]

------------------------------

Date:    Sat, 19 Oct 91 23:14:59 -0700
From:    [email protected] (Fred Waller)
Subject: Hardware!

> I admit that Fred's machine won't make any sort of virus
> impossible - but that's not needed. They are like biologic
> germs: if they aren't too contagious, not very destructive
> or easy enough to cure, you can live with them.

Precisely.  I never proposed any "virus-proof" method or machine
- it's not really necessary.  The idea that we must seek absolute
victory over viruses is questionable.  It's born from a conflict
between programmers that pits wit against wit, skill against
skill, ego against ego.   Such conflict aims at unconditional
destruction of the other side.   But an absolute victory is not
necessary.  As long as we can prevail from a statistical viewpoint,
we'll win, both statistically and individually.

There will be less glory for both sides, but viruses are becoming
a headache, so let's stop fooling around with them and put an end
to the darn things.  Using hardware, we can make the world a much
harder place for viruses to live in.  And that is one way to
achieve our aim, is it not?

> 1) As today's viri need only a compatible Operating System to
>   infect a computer, there are a lot of potential victims for
>   them. Interpreter viri need `their' interpreter *running* on
>   the target system, so the density of infectable computers is
>   much lower in space/time. This would slow down the spreading
>   speed of this viri.

Yes.

> 2) A machine code virus uses the instruction set of the OS/BIOS,
>  which is specially designed to do things like deleting,
>  formatting, bending interrupts... An e.g. `spreadsheet virus'
>  would have to do with the instruction set of the spreadsheet's
>  interpreter language, designed for totally different tasks.
>  While it might be possible to write self-propagating destructive
>  programs in such a language, the coding of such neat things as
>  stealth techniques would be quite difficult. The Antivirus-
>  programs could still use all of the (BI)OS's services for their
>  task and so the fight would be no longer `software vs. software'
>  but `machine level program vs. high level language' - much
>  better, compared with today!

Yes.

In reality, hardware protection ENABLES the creation of optimum
software protection because it breaks the balance of force between
viruses and antiviruses.  At this time, both have the same tools and
the same weapons.  Neither can ever win.  But establishing hardware
protection tilts the balance in favor of software measures and
against viruses. Once hardware protection is established, it should
become possible to write fully effective protection code that cannot
be defeated by new viruses - and without having to first redesign the
Universe! (or Cohen's theories, which seem only a little less
imposing... but somewhat less unshakeable.   :-)

Fred Waller

-------------------
P.S. Has anyone actually _seen_ any interpreted viruses out there...?

------------------------------

Date:    Sun, 20 Oct 91 20:45:57 -0700
From:    [email protected] (Fred Waller)
Subject: Picky!

Writes Dr. Chess [email protected] (David.M.Chess):

> But hardware antiviruses haven't stopped its advance, either!
> That is, there are both hardware and software solutions that
> can completely protect any given machine against the Stoned..

There is no serious implementation of hardware defenses against
viruses. Most of what the public is offered is either pure software
or is software-based.  Pure hardware antivirus protection has not
yet been used.

> P.S. The 1813 (Jerusalem) is still up there near the Stoned;
>     I think we'd have to stop both of them before we could
>     claim to have the great majority!   *8)

Picky, picky, picky.   So it's just a majority, but not the GREAT
majority.  Adjectives are cheap, especially in this business...

Fred Waller

------------------------------

Date:    21 Oct 91 09:10:10 +0700
From:    Pim Clotscher <[email protected]>
Subject: Thunderbyte (PC) - review available?

Fridrik Skulason mentioned 16 Oct 91 that Thunderbyte was reviewed in
the Sept '91 issue of Virus Bulletin. Is this review available
publicly in E-mail transferable format? If so, could somebody on this
list please indicate to me where and how to get a copy? If only
available in printed form, please would it be possible to send me a
copy or FAX a copy to me == ()31 104362719 ==

Up to digest 4/194 I saw 3 messages about Thunderbyte, mixed negative
and positive. I still have no clear idea about the value of a product
like Thunderbyte compared to software-only strategy. How can we
estimate its effectiveness against 'all' future viruses? One example:
the new Dir II virus does not alter files and uses no interrupts as I
have understood. Thunderbyte is mainly based on detection of file
changes and use of interrupts. So...?!

Thank you for your cooperation,

Sincerely,

----------------------------->  Pim Clotscher  <------------------------------
                       Erasmus University Rotterdam
                    E.R.C. - Computer Support Hoboken
                            Roomnumber : Ee2067
Dr. Molewaterplein 50                                            P.O. Box 1738
NL-3015 GE  Rotterdam                                     NL-3000 DR Rotterdam
                                                              the Netherlands
Tel: +31 (0)10 4087420
Fax: +31 (0)10 4362719           E-mail (Internet):   [email protected]
==============================================================================

------------------------------

Date:    Mon, 21 Oct 91 11:56:25 +0700
From:    [email protected]
Subject: SVC 5.0 (PC)

Christoph Fischer <[email protected]> writes:

> I just received a new variant of SVC; it is labeled SVC 6.0!
> I also talked to Dr. Alan Solomon and he has a SVC 5.0.
> Both are out in the wild!

I know nothing about SVC 6.0, but SVC 5.0 was isolated in Poland no
later than June 1991. The virus was written in the USSR in 1990.
Also in the wild (in the USSR) exist the simpler variants 3.1 and 4.0.

> These viruses are quite complicated and use advanced stealth
> techniques!

Again, I can say nothing about 6.0, but 5.0 is not as advanced as
Christoph suggests. The following is extracted from the Virus Information
Card which will be published in PCvirus this month (sorry for poor English):

The virus infects COM and EXE files and installs itself resident in RAM.
It is 3103 bytes long. SVC 5.0 can propagate under MS DOS 2.x or higher.
If you try to trace the virus with a debugger it will reboot the system.
Sometimes the virus sets the Read Only flag (error in code). Infected
files are marked by setting the seconds in the file time stamp to 60 and
are increased in size by 3103 bytes (COM) or 3103-3108 (EXE). The virus
always puts its own code at the end of the file.

Before infection the virus checks the seconds and (if they are set to 60)
reads three bytes at offset 138 (from the end of the file). In infected
files there is always a version number at this place, i.e. '5.0'. The
virus recognizes the file type by extension. In EXE files the virus
additionally checks the first two bytes against the 'MZ' marker. Files
are infected during one of the following operations: Load and Execute
(4B00), Close File (3E), Open File (3D, but only files on hard disk) and
Create File (3C, only on hard drive). I do not know for what reason the
virus does not infect files if the file name contains the characters
'MM' or 'MB' (maybe protection of the author's own software). The minimum
infected file length is 3103 bytes and the maximum is (only for COM)
EDE1 (60897) bytes. The virus intercepts INT 08 and INT 21h and does not
use any tricks to fight AV software. Virus signature:
E800005E83EE032E8984110C065633D2B484CD215E5681FA901975262E3ABC1E0C (code
taken from the beginning of the virus body).

[I skip the algorithm of removing virus from RAM and files, because you
are not familiar with our unique virus identification method.]

The virus keeps in its body the first 24 bytes of the victim program in
encrypted form (simple XOR with a byte taken from 0C1A relative to the
beginning of the virus code).
You can easily check whether SVC 5.0 is active in memory: call INT 21h
with AH = 84h. If SVC is active you get DX = 1990h and in AX the segment
of the virus code in RAM (encrypted by XOR AX,FFFF   XCHG AH,AL).
The virus installs itself in RAM by manipulating MCB blocks. It occupies
3376 bytes at the top of RAM.
The virus uses some stealth technique to hide the increase in file size
and its contents. If a file is checked by a program called CHKDSK the
virus does not play any tricks! Programs of that name are not fooled by
SVC in any way [good hint for AV software writers]. If a file is loaded
but not executed, or something is written to the file, then the virus
cures it and infects it again when the file is closed.

I hope this helps.
By the way, does anybody know how time-wasting viruses are? It would
be interesting to know how many people all over the world waste their
time studying the same particular virus.

Regards from Warsaw,
Andrzej Kadlof <KADLOF AT PLEARN.BITNET>
Department of Mathematics, University of Warsaw, Poland
Editor-in-chief of PCvirus Bulletin
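
An added example, not code from the post or from PCvirus's own identification method: a Python check of a file image against the markers described above (time-stamp seconds set to 60, the '5.0' tag 138 bytes before end of file, and the quoted signature at the start of the appended body). It assumes the tag occupies the three bytes starting 138 bytes before EOF, and the sample images are constructed here and carry no virus code.

```python
"""File-image check for the SVC 5.0 infection markers described in the post.

Markers (from the post): DOS time stamp seconds = 60, the ASCII version
tag '5.0' at 138 bytes before end of file, and the quoted signature at the
start of the 3103-byte body the virus appends (3103-3108 bytes for EXE).
Assumption: "three bytes at offset 138 from the end" means the bytes at
positions len-138 .. len-136.
"""

VIRUS_LEN = 3103              # bytes appended to a COM file
EXE_PAD = 5                   # an EXE may gain up to 3108 bytes (3108 - 3103)
TAG_OFFSET_FROM_END = 138     # where the virus stores its version number
VERSION_TAG = b"5.0"
# Signature quoted in the post: the first bytes of the virus body.
SIGNATURE = bytes.fromhex(
    "E800005E83EE032E8984110C065633D2B484CD215E5681FA901975262E3ABC1E0C"
)


def pack_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack a DOS directory-entry time word: hhhhh mmmmmm sssss (seconds/2)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def dos_time_seconds(dos_time: int) -> int:
    """Seconds of a packed DOS time word. Valid values are 0..58; the virus
    writes 30 into the 5-bit field, which decodes to the impossible 60."""
    return (dos_time & 0x1F) * 2


def scan_file(name: str, data: bytes, dos_time: int) -> dict:
    """Apply the SVC 5.0 markers to one file image and its DOS time word.

    Returns {"name", "markers", "verdict"}; verdict is "clean",
    "suspicious" (only one of the virus's two self-check markers) or
    "infected" (signature found, or both self-check markers present)."""
    result = {"name": name, "markers": [], "verdict": "clean"}
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    # The virus picks targets by extension and, for EXE, by the MZ marker,
    # so other files cannot carry this infection.
    if ext not in ("COM", "EXE") or (ext == "EXE" and data[:2] != b"MZ"):
        return result
    n = len(data)
    if n < VIRUS_LEN:
        return result                     # too short to hold the body

    stamp = dos_time_seconds(dos_time) == 60
    if stamp:
        result["markers"].append("time stamp seconds = 60")

    tag_at = n - TAG_OFFSET_FROM_END
    tag = data[tag_at:tag_at + len(VERSION_TAG)] == VERSION_TAG
    if tag:
        result["markers"].append("version tag '5.0' at EOF-138")

    # The body is appended, so the signature can only sit in the tail window.
    window_start = max(0, n - VIRUS_LEN - (EXE_PAD if ext == "EXE" else 0))
    sig_at = data.find(SIGNATURE, window_start)
    if sig_at != -1:
        result["markers"].append(f"signature at offset {sig_at}")

    if sig_at != -1 or (stamp and tag):
        result["verdict"] = "infected"
    elif stamp or tag:
        result["verdict"] = "suspicious"
    return result


# --- constructed test images: no virus code, only the markers ---------------
TINY_HOST = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 195   # mov ax,4C00h / int 21h


def build_marked_com(host: bytes) -> bytes:
    """Constructed stand-in for an infected file: host, then a 3103-byte
    zero-filled body carrying only the signature and the '5.0' tag."""
    body = bytearray(VIRUS_LEN)
    body[:len(SIGNATURE)] = SIGNATURE
    tag_pos = VIRUS_LEN - TAG_OFFSET_FROM_END
    body[tag_pos:tag_pos + len(VERSION_TAG)] = VERSION_TAG
    return host + bytes(body)


SAMPLE_INFECTED = build_marked_com(TINY_HOST)
SAMPLE_INFECTED_TIME = pack_dos_time(9, 15, 60)    # the marked stamp
SAMPLE_CLEAN_TIME = pack_dos_time(9, 15, 10)

if __name__ == "__main__":
    for fname, image, stamp in (
        ("HOST.COM", SAMPLE_INFECTED, SAMPLE_INFECTED_TIME),
        ("HOST.COM", TINY_HOST, SAMPLE_CLEAN_TIME),
        ("NOTES.TXT", SAMPLE_INFECTED, SAMPLE_INFECTED_TIME),
    ):
        r = scan_file(fname, image, stamp)
        print(f"{r['name']:10} {r['verdict']:10} {r['markers']}")
```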

------------------------------

Date:    Mon, 21 Oct 91 14:30:15 +0000
From:    [email protected] (Brett L. Kessler)
Subject: What is CoolCapture? (Amiga)

I have been doing a lot of work recently on all of my floppies using
VScan 5.10 to see whether or not I have an infection hiding in all of
my TurboImploded executables.

I've noticed that a lot of programs read and write to CoolCapture,
etc., even though VScan reports them as clean.  What are the major
points of infection in an Amiga system?  And what do those areas do in
a normal situation?

For example, I have heard of CoolCapture, WarmCapture, ColdCapture,
and one or two other common entry points for viri (RomTagPtr?
KickTagPtr?  I can't remember...).  What do all of these places do
that make them so attractive to virus-writers?

+----------------------------------------------------------------------+
|      /// BRETT KESSLER           [email protected] |
|     ///  Senior Computer Consultant, State Univ. of NY at Binghamton |
| \\\///                                                               |
|  \XX/       "Sometimes a cigar is just a cigar." -- Sigmund Freud    |
+----------------------------------------------------------------------+


------------------------------

End of VIRUS-L Digest [Volume 4 Issue 196]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253