VIRUS-L Digest Tuesday, 29 Oct 1991 Volume 4 : Issue 201

VIRUS-L Digest Tuesday, 29 Oct 1991 Volume 4 : Issue 201

Today's Topics:

Re: nVIR was Re: Virus on Mac (Mac)
Re: Seeking Info on stoned virus (PC)
Disinfectant 2.x (Mac)
Immunization
VGA color spots, Word page breaks, corrupts files. (Novell) (PC)
Network World mag virus tool review
help ... i have infected .... Dark Avenger (PC)
Hardware qustions
Taxonomy and Nomenclature
Request for Standards
Hardware
Viruses and "viruses"
New file on risc (PC)
ansikill.zip (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 25 Oct 91 17:42:00 +0000
>From: "Nigel Stanger, Information Science" <[email protected]>
Subject: Re: nVIR was Re: Virus on Mac (Mac)

Dave Martin ([email protected]) writes:
>I have always wondered something about nVIR, ... I booted from a
>clean, locked System floppy and used ResEdit to clean out the nVIR
>resources and correct the CODE resources. I copied rather than cut or
>cleared the nVIR resources so I could move them to a separate disk to
>examine them later. Immediately an alert popped up saying that it
>couldn't write to the System file (disk locked). It seems that simply
>by copying the nVIR resources was enough to activate it. Anyone know
>if this is possible (copy enabling code execution)? Now remember this
>was a couple years ago, so I can't recall everything that occurred,
>but I'm still curious as to whether that was enough to get nVIR to try
>and spread.

Was it actually trying to write to the System *file* or just to the
System *disk*? If the latter, it may just have been ResEdit trying to
write its scrap to disk when you did the copy. If the resources were
large enough, it would spool the copy onto disk rather than store it
in memory. You would probably find that with any large cut/copy in
just about any application. Just a thought. Just ignore me if I'm way
off base :)

- --
See ya
Nigel.
- ----------------------------------------------------------------------
Nigel Stanger, Internet: [email protected]
c/o University of Otago,
P.O. Box 56, Phone: +64 3 479-8179
Dunedin, NEW ZEALAND. Fax: +64 3 479-8311
- ----------------------------------------------------------------------
"If I had a quote, I'd be wearing it." -- Bob Dylan
- ----------------------------------------------------------------------

------------------------------

Date: Fri, 25 Oct 91 04:43:53 +0000
>From: [email protected] (Thomas L. Bodine)
Subject: Re: Seeking Info on stoned virus (PC)

[email protected] (Anne L. Scism) writes:
>If anyone has information on how the stoned virus works, where it
>lives, how it finds its home on a PC, I would be grateful for any
>information you could pass on to me. Thanks for your help!

The stoned virus infects the boot sector of any disk. Booting appears
normal before and after infection. From time to time the computer
with the virus will display the message "Your computer is now
stoned!". I've heard rumors that it also increases the length of the
boot file or some other file by a byte each time it runs.

It infects disks by infecting any disks that are inserted into the
machine when they are made the default drive. It is terminate and
stay resident . It grabs the soft boot vector so that ctrl-alt-del
doesn't remove it from memory. Therefore it will infect any "clean"
boot disks. The garaunteed way to rid it from memory is to power down
the computer.

McAFEE and associates supply a share ware virus destroyer which will
recognize and distroy this virus. I highly recommend it. You should
get it directly from their BBS for which I do not have the phone
number

good Luck, regards Tom Bodine

note: My opinions are my own.

------------------------------

Date: Thu, 24 Oct 91 21:30:42 -0700
>From: [email protected] (Rob Slade)
Subject: Disinfectant 2.x (Mac)

[email protected] (RAY) writes:

> I have Disinfectant 2.4 I have not installed System 7 yet. Is 2.4
> compatiable with System 7. If not, can someone send me the latest

When you install System 7.0, it will tell you that Disinfectant 2.4 is
not compatible, and to upgrade to 2.5. (The interesting part is that
it told you this before there *was* a 2.5.) However, 2.4 *will* work
with System 7. You must, however, leave the Disinfectant INIT in the
System folder itself, rather than moving it to the Extensions folder
as suggested by System 7. You may also find the Disinfectant
complains about running with Multifinder, which cannot be turned off
with System 7.

The latest release (to the best of my recollection and files) is 2.5.1.
This is available via ftp from ftp.acns.nwu.edu (129.105.113.52) and
numerous other sites as well as many commercial services.

(Sorry if this is a duplication, our mailer has been very slow of late.)

=============
Vancouver [email protected] | "Power users think
Institute for [email protected] | 'Your PC is now
Research into CyberStore | Stoned' is part of
User (Datapac 3020 8530 1030)| the DOS copyright
Security Canada V7K 2G6 | line." R. Murnane

------------------------------

Date: Thu, 24 Oct 91 19:50:47 -0700
>From: [email protected] (Fred Waller)
Subject: Immunization

Writes [email protected] (TEE LUNS), on the subject
of disk immunization:

> The catch with hardware is that it costs more money than
> some people may be willing to pay.

Not at all! Some effective hardware protection devices cost
less money than most software antivirals.

> An idea I've been toying with lately has been to write a
> dummy partition table which Stoned will recognize as being
> itself. This would defer infection.

The Stoned spreads via infected diskettes. Your idea has already
been implemented by several authors. There's a public program (by
Mike McCune), available from the SIMTEL archives and probably at
CMU, which immunizes diskettes against several boot viruses at the
same time, including the Stoned, the Joshi, the Brain, the Ashar,
the NoInt and several others. It does this by exploiting the fact
that those viruses will not reinfect disks that are already
infected, and look for a few bytes of their own code to determine
whether the disk is infected or not. Writing those bytes into
the disk at the appropriate place fools the virus into thinking
that the disk is already infected. The program isn't particularly
fancy, but works. It includes full source code (.ASM).

One problem is that such immunized disk(ettes) loose their ability
to be booting disks. Generally not important, because most diskettes
don't need to be booting. They may be made into booting disks again,
but then they loose the immunization.

> For $5 a shot, do you think anybody would go for it?

The above program is available free, but the author asks a voluntary
contribution if it's found to be useful.

Regarding immunization against the Jerusalem, this too has been
available for some time, but since the Jerusalem is a file infector,
all files, not just the Boot Sector, have to be protected. An early
program that does that, "vaccinate" systems against the action of
the Jerusalem virus, is called IMMUNE and was written by Y. Rakavy
and Omri Mann. It's a very small (800-byte) TSR which specifically
monitors the system for the appearance of the Jerusalem virus.

IMMUNE is also free.

There are others. Some of the general-purpose utilities include
variations of the above methods.

Fred W.
[email protected]

------------------------------

Date: Fri, 25 Oct 91 11:47:18 +0000
>From: Rotan <[email protected]>
Subject: VGA color spots, Word page breaks, corrupts files. (Novell) (PC)

Need help. Fellow lecturer at another university reports strange
virus-like behaviour. Says virus scanners do not register it. 1000
Novell users now without access to network because it had to be shut
down until a solution is found. I'm not familiar enough with Novell
environments to be of use.

NOVELL USERS FAMILIAR WITH NOVELL VIRI, PLEASE HELP.

Symptoms: PC's with VGA cards display random color dots on screen.
MS-Word files develop up to 3000 additional page breaks, sometimes
result in complete corruption. Corruption of other files reported.

Thanks for any assistance...
Rotan Hanrahan (hanrah88@irlearn or [email protected])
Direct mail reply would be preferred.

------------------------------

Date: Fri, 25 Oct 91 10:58:00 -0600
>From: Steven Klepzig <[email protected]>
Subject: Network World mag virus tool review

The Oct. 21 1991 edition of Network World contains an article/review/test of
11 different "virus removal tool" software packages. The tests are reported
to have been done by National Computer Security Association (NCSA).

A comprehensive report on virus removal tools, including the results that are
published in the article can be purchased from NCSA for $75, $44 if your a
member. NCSA, 227 W. Main St., Mechanicsburg PA. 17055. (717)258-1816,
(717)243-8642 (fax).

I am not a member of NCSA, just passing on what is in Network World. A brief
synopsis of the scorecard: (for a more detailed listing, write me privately,
get Network World, or write NCSA)

Company Product Score (142 is perfect)

Central Point Software AnitVirus 99
Computer Consulting Grp Virus Clean v2.10 release A 66
S&S International Dr. Solomon's Toolkit v5.15 103
IRIS Software & Comp Ltd Antivirus-Plus v3.7 rel 15.7 64
Leprechaun Software Int Virus Buster v3.75 116
McAfee Associates Scan/Clean v7.6v80 102
McAfee Associates Pro-Scan v2.32 90
Microcom Inc. Virex-PC v2.00b 103
Symantec/Peter Norton Norton Anti-Virus v1.5 98
Fridrik Skulason F-Prot v2.0 129
XTree Company ViruSafe v4.50 99

Posted just for general info. I have no association with NCSA, Network
World, or any software vendor. Just an interested PC/Network manager.

- -- Steven
========================================
Steven R. Klepzig =
University of Utah =
135 Student Services Building = Murphy's Law, v.1.7 "The time it
Salt Lake City, Utah 84112 = takes to pinpoint a LAN problem is
= directly proportional to its
Phone -- 801-581-3437 = gravity."
FAX -- 801-585-3034 =
InterNet -- [email protected] =
========================================

------------------------------

Date: Fri, 25 Oct 91 21:05:10
>From: "Hernan Lobos *Mitzio*" <[email protected]>
Subject: help ... i have infected .... Dark Avenger (PC)

Hai all,

I have a big problem.... very big....

I'm INFECTED !!!! by Dark Avenger (Dav) virus,

Anyone know how can i disinfect my hard disk (Dav infected
COMMAND.COM, and other files)...

My PC is a Hyundai... and I've tried to clean it with SCANv80
and CLEANv80, but nothing happened...

Help please!!!!! I love my pc's , Operating System and .. MY JOB..

NOTICE: I can't format my hard disk because my O.S. is the ONLY
ONE.

Hernan Lobos
Universidad Tecnica Federico Santa Maria
E-Mail: [email protected]

------------------------------

Date: Sat, 26 Oct 91 19:16:39 -0700
>From: [email protected] (Fred Waller)
Subject: Hardware qustions

apple!Athena.MIT.EDU!pshuang, writing about hardware protection:

> I am not convinced that this is totally true. I have often
> heard my floppy drive make extremely loud noises in normal
> operation, which reminds me of the Apple II disk drives which
> broke down often due to mechanical programs.

"mechanical problems", not mechanical programs, probably. Certainly,
defective hardware is that: defective. The noise may or may not be
normal, but doesn't mean that software can overcome hardware.

If a software command can cause a drive to park its head so that
it damages it, then obviously it wasn't designed to avoid such a
possibility. From the design standpoint, the remedy is simple to
conceive and implement.

We can say that the software command was within allowed limits and
that one of these limits included the possibility of damage.
I never said that software cannot *damage* hardware - though it's
generally not easy to do. It can damage it IF the hardware is
so designed that it ALLOWS the software to cause damage.

This has nothing to do with reliability of hardware protection.
An illustration offered many times before: the simplest hardware
write-protection available is the piece of black paper called
a write-protect tab; no software can overcome it. Ever. No
matter how sophisticated.

>... but repeated lengthy seeks could conceivably cause mechanical
> damage.

If the drive is made to withstand 100,000 seeks before failure,
it should be expected to do that. But if it fails before, well
then, it failed. Nothing to do with software overcoming hardware
protection: once the drive fails, it becomes a non-drive. At no
point, however, did the software succeed in making a disk write.
And THAT was the object of protection. It was never defeated.

> I agree with you in that hardware protection is a substantial
> level better, but it is not impenetrable in practice.

As a class, hardware can readily be made TOTALLY impenetrable to
SOFTWARE attack of the kind considered when discussing viruses.
Totally. But it's easily defeatable by the operator, or by other
hardware. Just as the Pecking Order says.

The main reason for this is that functioning software only exists
as a FUNCTION OF hardware, but not the other way around.

Note that hardware MAY BE intentionally (or carelessly) designed
so that it is vulnerable to software attack; but there's nothing
inherent in hardware that must allow such vulnerability.

Software, however, is always vulnerable to the actions of hardware,
and CANNOT avoid or bypass them UNLESS permitted by the hardware.

Just as the Pecking Order says.

------------------------------

Date: Sat, 26 Oct 91 19:15:02 -0700
>From: [email protected] (Fred Waller)
Subject: Taxonomy and Nomenclature

Writes [email protected] (Vesselin Bontchev):

> Definitively yes. I have a program, written by a friend of mine,
> which tries to disinfect something he calls "generic Jerusalem
> variant". When I tested it on Fu Manchu, it disinfected it
> successfully, although the author has never seen this virus.
> The program called it Jerusalem-2080.

I believe this is not a good reason. As an analogy illustrating
my opinion, let me say that Certus' Novi will cure infections by
the new SVC 5.0 and will also remove it from memory - although it
doesn't *identify* the virus because Novi was created before SVC 5
was known. Does this mean that SVC 5.0 is related to... the Devil's
Dance, which NOVI also cures? Of course not!

The criterion proposed above (cure/removal by a utility) shouldn't
be accepted as a basis for establishing taxonomical relationships.

What we need is:

1. A much better definition of what are the accepted *distinguishing
classification characteristics* for each accepted "class, group,
subgroup, family, subfamily, genus, species, variety, etc.",
whatever TAXONOMICAL subdivisions are settled on. These could be
based on either functional or structural characteristics. Better
structural rather than functional (not system-dependent).

Once such guidelines are accepted, they should be enforced, even if
proven inconsistent at times. (Formal revisions can be made, of
course). It's the only way to have a practical taxonomy of viruses.
Otherwise, it will continue being just about anybody's mess, as
it is now.

2. Paralell with the development of such taxonomy, a suitable
NOMENCLATURE should also be developed. All the current ones simply
stink. Virus nomenclature should be strict, should be bound by
rules, BUT it should simultanously allow considerable naming
latitude to the describing author. The strictest date priority
would prevail. The epithet(s) chosen by a species' author should
be unassailable, and could be ammended only to the extent needed to
produce compliance with agreed-upon naming rules, or if his
description was so ambiguous as to leave doubt about the object
being described. Hopefully, the nomenclature convention should
also yield easy-to-remember names. I vote for a binomial
nomenclature, analogous to the Linnean used in the natural
sciences. (This is actually binomial+plus, since it supports
"varieties", which add a third epithet to the binomial).

3. Supporting both taxonomy and nomenclature, a system for the
definition and storage of authentic virus TYPES should be
established. Holotypes should be defined and segregated by
species authors at the time of first description. The storage
system might be centralized but preferably shouldn't be, to
prevent hoarding and for other reasons. Repositories and
curators should be established at several points, well situated
geographically. Type material, wherever stored, should be
specially protected and handled to insure continued and reliable
identity.

Unlike other taxonomical entities, virus holotypes can be copied
perfectly and inexpensively, yielding perfect isotypes. This means
that decentralized storage of virus types need not have any of the
disadvantages often presented by decentralized storage of other
taxonomical types.

The existenced of such type-material collections would not preclude
the establishment and development of non-type collections elsewhere,
either commercial or other.

Only after we do all the above, can we let Vesselin create Computer
Virology.

Fred Waller
[email protected]

------------------------------

Date: Sun, 27 Oct 91 07:22:37 -0700
>From: John Kida (Vienna) <[email protected]>
Subject: Request for Standards

Reading every article I can find on computer viruses, I find a
recurring error on the part of many writers. They try to compare
apples to oranges.

I continue to see attempts to compare products of one category to
products which fall into a different type of operational category.

I continue to see reviews where a new product is being compared
to a year old version of another product.
(ie... rating SCANV77, when the current ver. is 84)

Is it a fair review, where the author writes a NEW, never released
virus to test, programmable scannng programs, which don't have the
Virus-ID string?

Is it fair for an author to write a test virus program designed to
circumvent the abilities of one category program, but test it
againist a category program designed to find it, then compare the
two.

The new user who is reading about viruses, can surely be mislead
as to the effectiveness of any given product with this type of
review.

One of the biggest problems faced in fighting the threat of
computer viruses is misleading information. For this reason, I
suggest that standards be agreed upon for assessment of Anti-Virus
software, Product categories, Testing criteria and etc...

Hopefully, some type of STANDARDS it will reduce much of the
misleading information and allow for better comparison of products
by less experienced users.

If such a standard is written, we will all benefit from more
accurate reviews and ratings of Anti-virus products.

John Kida
[email protected]

------------------------------

Date: Sun, 27 Oct 91 19:16:16 -0800
>From: [email protected] (Fred Waller)
Subject: Hardware

Writes [email protected] (Y. Radai):

> Yes, these are different subjects, and if we could design a
> system which could never be infected, this would be preferable
> to detection after infection.

I feel that it's really unnecessary to invent systems that could
*never* be infected. A virus-resistant system is quite enough.
We don't really need a totally virusproof approach. Some head-
banging-against-the-wall seen here is (as always) self-inflicted
and caused by the search for such absolutely foolproof protection
- even though, as the reasonable persons we are, we have knowledge
that it, like most other "absolutely" solutions, is not achievable.

So what if we allow a small leak? If the leak is small enough, it
will be easy to monitor. Much easier than monitoring an entire
system!

The matter of TIME is also overlooked. We don't need to make our
machines both safe and functional at the same time. They can be safe
most of the time, but only partially functional, and they can be
fully functional (but less safe) at certain special, carefully
monitored times. This, too, would not require a virus-proof machine,
but rather a virus-resistant one.

Finally, the best way to achieve very high security (and stil have a
functioning machine) is with the help of hardware. While even this
may not yield a totally virus-proof system, it doesn't really have
to, since we don't really need virus-proof systems.

Fred Waller

------------------------------

Date: Sun, 27 Oct 91 19:15:03 -0800
>From: [email protected] (Fred Waller)
Subject: Viruses and "viruses"

Writes [email protected] (Bill Davidsen):

> The reason a PC virus can spread is that it attacks a feature
> common to all machines. By having a set of environments the
> virus is less likely to come in contact with a viable host.

Generally speaking, yes, but maybe not, sometimes. And only
on Wednesdays, but nobody REALLY knows. There are many viruses
capable of "attacking" PC clones running MS-DOS. Some, however,
will stumble at some point of their execution, on finding a kind
of hardware or software their author did not consider. I have an
old Compaq 286 which unceremoniously freezes up some viruses
considered to be successful infectors elsewhere. On such systems,
the virus might not run, or if it runs it may fail to infect, or
if it infects it may not infect properly, or if it does, it may
not activate as intended, etc., etc. Viruses often are rather
delicate things. Not "robust" at all, he he.

So, an unintended form of "discrimination" exists already, in
reality. However, because of the number of "virus species"
if a machine is not infectable by one, it will be infectable by
another. And there's more than enough of them to go around.

> In disease terms, if you vaccinate enough people so that an
> infected person is unlikely to come in contact with a vulnerable
> person, the disease will die.

Apart from the fact that we don't know any diseases that have
actually been "killed" that way (smallpox wasn't!), I don't like
the parallel for other reasons. Computer viruses and biological
diseases are unrelated in nature, action and mode of spreading.
One of the worst misnomers ever concocted was calling these programs
"viruses". They aren't viruses nor anything near. There are far
more differences than similarities between computer "viruses" and
the biological ones. (Has anyone ever seen a non-TSR disease?)

Unlike biological ones, computer "viruses" never need an active
host to "survive". They can be kept safely tucked away in a desk
drawer, and be brought out at the owner's whim two years later.
Nothing whatsoever to do with the theoretical "dying" of animal
diseases. Nor do they jump from computer to computer across the
air.

Computer viruses are programs with some special characteristics,
that's all.

Virus-writing is not a cost-conscious activity. Virus fighting, on
the other hand, is! If, instead of designing ONE virus to infect
all MS DOS machines, they have to design seven viruses to infect
SEVEN machine variations, then we can be sure that there will soon
be SEVENTEEN new kinds floating around, instead of just one, or
even seven. What, exactly, does such response do to infection-
likelihood statistics?

Fred Waller
[email protected]

------------------------------------------------------------------
> "Stupidity, like virtue, is its own reward" -me

"But be not eager to find stupidity, lest you discover
your own." -me also
------------------------------------------------------------------

------------------------------

Date: Thu, 24 Oct 91 23:38:32 -0500
>From: James Ford <[email protected]>
Subject: New file on risc (PC)

The file vsumx110.zip has been placed on risc.ua.edu for anonymous FTP
in the directory pub/ibm-antivirus.
- ----------
Sometimes silence is the best way to yell at the top of your voice.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected], [email protected]

------------------------------

Date: Fri, 25 Oct 91 09:01:00 -0400
>From: [email protected]
Subject: ansikill.zip (PC)

Hello.
Just received and made available in our FTP'able directory:
ANSIKILL.ZIP

This shareware program removes the possibly embedded escape sequences
(ANSI "bombs") from any comment file included in a self-extracting
ZIP archive. It does not remove completely the comment file, like
STRIPZIP does.

SCANV84 found the file "clean".

Best to all, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond [email protected] (Bitnet or Internet)
Richmond, VA 23173

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 201]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253