VIRUS-L Digest Wednesday, 30 Oct 1991 Volume 4 : Issue 204

VIRUS-L Digest Wednesday, 30 Oct 1991 Volume 4 : Issue 204

Today's Topics:

question about viruses (UNIX) (PC)
Re: New virus-advanced syphtoms ( WAS: warning new virus (PC))
Questions about VIRLIST.TXT (PC)
Re: VSHIELD.... (PC)
"Precidence" (PC)
Can I Load FPROT's VIRSTOP High? (PC)
Product Test Report--Rival (Mac)
Revision to Product Test--FPROT, version 2.0 (PC)
Revision to Product Test -- Virucide, Version 2.33 (PC)
CALL FOR PAPERS - Third USENIX UNIX Security Symposium

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 30 Oct 91 13:45:29 +0000
>From: petter%[email protected] (Petter Henrik Hansen)
Subject: question about viruses (UNIX) (PC)

Does anyone have a list over Unix virus?

I have the impression that most virus are infecting pc's and not Unix
machines. (To difficult?)

Does anyone know a product that are able to check UNIX and
look for virus and remove them if possible?

All comments are welcome

Petter Henrik Hansen, Fellesdata a.s, P.O. Box 248, 0212 OSLO 2, NORWAY
Phone : +47 2 52 84 02 Fax : +47 2 52 85 10
E-mail : ...!mcsun!nuug!fdmetd!petter or [email protected]
<The opinions expressed, if any, do not represent Fellesdata a.s>

------------------------------

Date: 30 Oct 91 13:28:48 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: New virus-advanced syphtoms ( WAS: warning new virus (PC))

[email protected] (Shulman Ilya A.) writes:

> What do you mean "stealthy"? There are few symphtoms that can help us to

By "stealthy" I mean the usual things. That is, if the virus is active
in memory, reading an infected file results in a clean file being
read. Also, no changes in the file sizes can be observed.

> 1 --- Try to delete all files at the write protected disk. You don't get
> any error if virus is active.

I already explained in one of my previous messages, why this method is
not reliable in Bulgaria (no the Pravetz computers, more exactly).

> 2 --- As I have already explain, start up NU or DiskEdit and compare last
> (or prelast) not BAD cluster. If you found the mismatch then virus is
> present with more or less possibily.

Also not reliable, since as pointed out, sometimes both FAT copies are
markes as infected. Besides, the average user seldom is able to use NU
at all, otherwise I would propose to check for the 0(F)FFEh mark.

> As to me, I think that this algoritm is incorrect because of lot of possible
> situations.

Could you elaborate this?

> 1 Check any directory as the one directory on disk. But not kill virus in it'
s
> cluster location while not searching up to the end of the disk.

That's what my disinfector does. It kills the virus in the last
cluster only when all directory entries (including the ones that
belong to -deleted- EXE and COM files) are disinfected.

> 1.a Check all COM and EXE files (not SubDir Vol) due to it's crosslinked.
> if found then get magic number and cure them and save virus cluster no.
> if virus not found in the last cluster the you antivirus must
> be able to analytically restore start cluster.
> there is thefew ways to do it, I think.

It's safer to check the directories, instead of the files, because of
the fact that the virus infects directory entries that belong to
deleted executables as well. The only advantage to the file search is
that it allows you to find files that really contain the virus,
without their directory entries being infected. IMHO, the best
solution is to combine both approaches in a disinfector, which looks
for several viruses. Then you can include three loops in it. The first
one scans the master boot sector for all master boot sector infectors,
the second scans the DOS boot sector for boot sector infectors, then
for each directory (1) scan the directory itself for infected entries
and (2) scan all files that are contained in the directory for
infection(s).

> if not found check all files due to the virus body. If found the
> think yourself what to do. As to me, I was very angry when some
> ANTI-DIR killed all virus bodies stored on my HD as a files
> during checking, without any Q.

Correct, any self-respecting disinfecto should provide an option not
to disinfect, but only to report. This should be even the default mode
(it is -not- in my disinfector).

> 2. At this step you cure all files and have the virus cluster no. No it's
> time to kill it.

That's what I do. I kill it then.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Wed, 30 Oct 91 14:50:00 -0300
>From: Raul Fernando Weber <[email protected]>
Subject: Questions about VIRLIST.TXT (PC)

I am trying to plot some curves about viruses grown and, among other
sources, I use the file VIRLIST.TXT that cames with McAffe's package.
However, adding each virus individually (and their variants) doesn't
match the total supplied in the file. Here are the numbers I got:

Virlist version Virlist total Evaluated total

66B 213 217
67C 223 231
71B 223 247
72 241 251
74B 475 469
75 481 473
76C 501 496
77 505 500
80 714 675
82 893 898
84 897 902

I assumed that each line of VIRLIST.TXT corresponds to an
unique virus and, if there is a number between parenthesis,
this number means the total number of known variants
(main strain plus mutations). Adding the viruses this way,
however, gives the discrepancies listed above. Can anybody
from McAffe Associates explain what I'm doing wrong?
Or how the list is to be interpreted?

Particularly interesting is the difference that occurs
with version 80 of VIRLIST.TXT. In the file the total is
714, but I got 675. The difference (39) is too big when
compared with those from the other versions (about 5).
Examining the list carefully I discover a great growing of
Whale variants (from 3 to 34). I wonder if this grown really
exists or was a typo when replacing the 3 with a 4 :-).
The number 34 for Whale remains the same in the next versions
of VIRLIST.TXT (82 and 84). There are really so many variants
for the Whale virus?

Other question is related with the scan I.D. Viruses with
the same I.D are the same virus or not? As an example, in
version 84 both Datacrime II and Datacrime II-B have the
same I.D. ([Crime-2]). Should they be added to the "unique
known viruses" or to the "known viruses variants"?

Another related question is about viruses that appear in two forms:
a "boot" and a "file" version. They are different viruses (with
no other relations than the name) or are the to be interpreted
as the same virus that is able to propagate using boot sectors
and files? If this last hypothesis is true, why the Horse Boot,
Invader and Virus-101 (all listed as able to infect boot sectors and
files) aren't listed in the same way?

Raul F. Weber
Informatics Institute
Federal University of Rio Grande do Sul
Brazil

------------------------------

Date: Wed, 30 Oct 91 20:04:19 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: VSHIELD.... (PC)

[email protected] (Robert Yung) writes:
>To anyone...hopefully the maker.

Well, I wrote the .DOC file, does that count?

> Does VSHIELD v84 work with Super PcKwik v2.X when VSHIELD is
>loaded high?

The Super PC Kwik disk caching program by Multisoft, Inc. should work
just fine with VSHIELD. In earlier versions of the VSHIELD program, a
warning was given about using disk caching software in general. Some
disk caching programs buffer writes to the disk as well as reads. From
our POV, buffering disk writes is a Bad Idea(tm). Here's why: If a
computer was reset or turned off while there was something in the write
buffer, it's contents would be irrevocably lost. This could havee all sorts
of dangerous side effects, such as a file being left open, damage to the
root directory or FAT, or other unpredictable nasty results. If you do
use disk caching software that has the option of buffering disk writes, I
would recommend that you turn that feature off or set it to 0. Incidentally,
I did speak to someone over at Multisoft about this, and they said it
wasn't a problem with their program, then at V4.03. I would assume that
they either don't buffer disk writes and/or trap reboots and flush the
cache to disk before allowing the reboot sequence to proceed. Of course,
the latter still wont protect you against a hardware reset or power off,
but it's better then nothing :-)

> In previous versions of Vshield, I needed about 110K UMB to load
>it high. Now that it has the /LH switch, can I make due with less UMB
>available prior to loading?

VSHIELD V84 with the /LH switch requires a (approximately) 31Kb UMB. So
about a third of the original size. The actual ~110Kb requirement was
for VSHIELD to initialize its code prior to going resident, it would
then "shrink back" to it's 30-whatever Kb size.

> In the latest PC-MAG, it says that a device driver is better
>against certain viruses that can run circles around TSRs. Why not make
>Vshield a device driver? It certainly would have more memory to load
>into when it is the first loaded (that is after the memory driver).

[SHRUG] I would think that a device driver would provide very little
additional security, if any, compared to a TSR. I have not come across
any virus that "ran circles" around our TSR-based program, I do think
that VSHIELD did intercept all the viruses in their test suite, though.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 | [email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Wed, 30 Oct 91 15:16:24 -0500
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: "Precidence" (PC)

The "precidence" of execution is a function of the Command Line
Interpreter (CLI) or Shell, not of MS-DOS. In DOS 5.0 COMMAND.COM
(47845 bytes dated 03-22-91) this is found at offset A956h and
consists of the string ".COM .EXE.BAT". Alteration of the string &
spawning a new CLI can have "interesting" results though the form of
the new file must match that of the old. e.g. If the string is
changed to ".CCC.EXE.BAT" files with extension .COM will no longer
execute however those with .CCC will *so long as they follow .COM file
standards*.

A more complex modification would be required to redirect the mode of
the file so that it is possible to change the precidence to anything
you might while maintaining the current file extension(s) or changing
them. The question is whether it is worth the effort.

Incidently, while on the subject of "companion viruses" (more
accurately "spoofs"), a good integrity checker that maintains a list
of all files on a drive such as McAfee's VSHIELD /CERTIFY,
Enigma-Logic's Virus-Safe, or Certus's Novi (I forget the switches but
nothing at the Brickyard ever sounded like that supercharged 8) would
notify the user that a program not in the database had been requested
for execution and ask the user if they *really* wanted to execute it.

Everybody is using this kind of protection aren't you ? I have for
over a year now (one layer).

Padgett

------------------------------

Date: Wed, 30 Oct 91 14:27:00 -0700
>From: "Rich Travsky" <[email protected]>
Subject: Can I Load FPROT's VIRSTOP High? (PC)

Can I load FPROT 2.0's VIRSTOP high under dos 5.0 (and still have it
functional)? I don't have much in the way of viruses to test with nor
a machine to dedicate to same.

(A qwikie question I hope!) Replies to the list or to me personally. Thanks
in advance!

Rich Travsky [email protected]

------------------------------

Date: Fri, 18 Oct 91 08:44:28 -0600
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Product Test Report--Rival (Mac)

******************************************************************************
PT-44
October 1991
******************************************************************************

1. Product Description: RIVAL is a commercial software program for the
prevention, detection, and elimination of known computer viruses and trojan
horses for the Macintosh.

2. Product Acquisition: Rival is available at a list price of $99.00 from
the Microseeds Publishing, Inc., 5801 Benjamin Center Drive, Suite 103, Tampa,
Florida 33634. Their telephone number is 813-882-8635. The authors of the
program are actually Frederic Miserey and Jean-Michel Decombe from France.
Site licenses are available. There are also a variety of mail order companies
which have recently advertised significantly reduced prices for a single copy.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or [email protected].

[Ed. The remainder of this review can be obtained by anonymous FTP on
cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.]

------------------------------

Date: Wed, 23 Oct 91 15:22:28 -0600
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to Product Test--FPROT, version 2.0 (PC)

*******************************************************************************
PT-17
August 1990
Revised October 1991
*******************************************************************************

1. Product Description: F-PROT is a program designed to provide malicious
program detection, disinfection, and protection. This product test addresses
version 2.0.

2. Product Acquisition: F-PROT is a shareware program distributed by
Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted
F-PROT on a number of Internet sites. The program is on the USAISC-White Sands
host simtel20. With version 1.14 the program became free if a user utilizes it
on a single personally-owned computer. There is a registration fee for
commercial and government users. Site licenses are available as well as
discounts for multiple copy registrations. The path on simtel20 [192.88.110.
20] for anonymous ftp downloading is: pd1:<msdos.trojan-pro>.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or [email protected].

[Ed. The remainder of this review can be obtained by anonymous FTP on
cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.]

------------------------------

Date: Tue, 29 Oct 91 09:27:02 -0700
>From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to Product Test -- Virucide, Version 2.33 (PC)

******************************************************************************
PT-12
June 1990
Revised October 1991
*******************************************************************************

1. Product Description: VIRUCIDE is a commercial anti-virus program to detect
and to repair known computer viruses for the MS-DOS computer environment. The
report addresses version 2.33, released 15 October 1991.

2. Product Acquisition: The product is available from Parsons Technology, Inc.
The address is Parsons Technology, Inc., One Parsons Drive, Hiawatha, IA 52233.
The company has a toll free number for orders, 1-800-223-6925. The cost of a
single copy, as of 28 October 1991, was $49.00. Each of four program upgrades
has been $15.00 which includes shipping and handling.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or [email protected].

[Ed. The remainder of this review can be obtained by anonymous FTP on
cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.]

------------------------------

Date: 30 Oct 91 20:17:06 +0000
>From: [email protected] (Edward DeHart)
Subject: Third USENIX UNIX Security Symposium - Call for Papers

Preliminary Announcement and Call for Papers

The Third USENIX UNIX Security Symposium
Fall 1992

In cooperation with
The Computer Emergency Response Team (CERT)

The goal of this symposium is to bring together security
practitioners, system administrators and system programmers, and
anyone with an interest in computer security as it relates to
networks and the UNIX operating system. The symposium will
consist of tutorials, invited speakers, technical presentations,
and panel sessions.

This will be a three-day, single-track symposium. The first day
will be devoted to tutorial presentations. The following two
days will include technical presentations and panel sessions.
There will also be two evenings available for birds-of-a-feather
sessions and work-in-progress sessions. The dates and location
of this symposium have not yet been determined.

Papers are being solicited in areas including but not limited to:
o User/system authentication
o File system security
o Network security
o Security and system management
o Security-enhanced versions of the UNIX operating system
o Security tools
o Network intrusions (including case studies and intrusion
detection efforts)

Important Dates

Extended abstracts due May 15, 1992
Program Committee decisions made June 15, 1992
Camera-ready papers due July 31, 1992

Send seven copies of each submission to the program chair:

Edward DeHart
Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
(412) 268-6179
[email protected]

Program Committee

Ed DeHart (Program Chair) Matt Bishop
Computer Emergency Response Team Dartmouth College

Bill Cheswick Ana Maria De Alvare'
Bell Laboratories Silicon Graphics, Inc.

Jim Ellis Barbara Fraser
Computer Emergency Response Team Computer Emergency Response Team

Ken van Wyk
Computer Emergency Response Team

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 204]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253