VIRUS-L Digest   Monday,  4 Nov 1991    Volume 4 : Issue 208

Today's Topics:

WARNING - incorrect search patterns (PC)
Re: Hardware forever!
re: Furtivity
re: Real User
re: Organ music/black monitor-Mac (Mac)
Zipped files (PC)
Disk Compression (PC)
VSHIELD, DOS 5.0, & QEMM (PC)
New Fprot avail.? (PC)
Re: Harry Anto (PC)
Re: Only Scan Floppies? (PC)
re: viruses and "viruses"
Re: Organ music/black monitor-Mac (Mac)
Re: Only Scan Floppies? (general)
Vesselin Bontchev's history paper

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 04 Nov 91 11:48:05 -0500
From:    Kenneth R. van Wyk <[email protected]>
Subject: WARNING - incorrect search patterns (PC)

I received the following FAX this morning from the Virus Bulletin:

IMPORTANT NOTICE
Anti-virus software developers using VB search patterns

The hexadecimal search pattern for the Gosia virus published on page 5
of Virus Bulletin, November 1991 should NOT be used as it produces
numerous false positives.  A suitable alternative pattern will be
published in December.

------------------------------

Date:    Fri, 01 Nov 91 17:57:27 +0000
From:    [email protected] (Peter da Silva)
Subject: Re: Hardware forever!

[email protected] (Fred Waller) writes:
>  There is NO software defense that's fully reliable. There IS
>  hardware defense that is fully reliable.

Yes. It's called the power switch.
--
-- Peter da Silva
-- Ferranti International Controls Corporation
-- Sugar Land, TX  77487-5012;  +1 713 274 5180
-- "Have you hugged your wolf today?"

------------------------------

Date:    01 Nov 91 14:01:30 -0500
From:    "David.M.Chess" <[email protected]>
Subject: re: Furtivity

> From:    [email protected] (Fred Waller)

>                   So, speaking of "most" stealthed viruses may be
> a little misleading, as is speaking of "most" viruses in general,
> since the non-furtive ones haven't had equal time...

> I don't think so. We have to take into account that, if furtive
> viruses become an impossibility, and many of the tricks they now
> use become more difficult for them, then it will be that much easier
> to design effective software defenses against such debilitated
> attackers.           :-)

Hm.  We seem to be talking past each other here; I get the impression
that you didn't really understand my argument, and I *know* I don't
understand yours!  *8) I was just seeing your original posting as
saying "if interpreter viruses can't be stealthed, they're less likely
to succeed".  The obvious answer to that was the rather trivial (I
thought!) observation that viruses don't *have* to be stealthed to
succeed, and that there isn't even any evidence that it helps in the
least.  I'm not sure how your most recent posting (and in particular
the two paragraphs I've copied) are a reply to that argument?

Anyway, I hate these "but you said that I said that you said that I
didn't understand that I didn't say that..." threads.  I will
reiterate, perhaps more clearly, and then drop the subject (unless it
comes up again!).

   There's currently no correlation between how
   widespread a virus is and whether or not it is
   "stealthed".  The fact that a certain type of
   virus cannot be stealthed is therefore not
   particularly suggestive of how widespread
   viruses of that type might become.

There!   I *think* that should be uncontroversial...   *8)

DC

------------------------------

Date:    01 Nov 91 14:11:43 -0500
From:    "David.M.Chess" <[email protected]>
Subject: re: Real User

> From:    [email protected] (Fred Waller)

>          Until then, I would expect a more open mind (and a more
> candid and less defensive reception) from people who are ostensibly
> dedicated to combating viruses.

An open mind doesn't require believing everything you hear!  You
proposed a solution, and people mentioned problems that they saw with
it.  I don't think this really suggests that these people are only
"ostensibly" dedicated.  People have been *quite* candid in response
to your postings; I think that's part of what's bothering you...  *8)
If people were a little strong in their replies, I think it just
reflects the strong tone of your earlier postings (on the
near-perfection of write-protect tabs and so forth).  Hearty
conversation does not imply evil intent, on either side!

> This may come as a surprise to some, but I'm actually a very frugal
> and ascetic person who requires Pouilly-Fuissé only twice a year,
> and only in moderate quantities.  My intervention here is not
> market-motivated.  Nor, in the final analysis, is wealth a gauge
> of rightfulness.

OK, then we'll have to wait until someone *else* markets it, and we'll
see what happens.  No, wealth isn't a measure of truth.  But if we're
looking for a way to keep most people's machines free of viruses (I
know that's what I'm looking for), we won't know whether or not we've
found it until someone makes at least a middling-strong attempt to
make it available to most people.  And no one's likely to do that
unless they see at least a hint of profit (or at least break-even) in
it.

Think of it this way: more people today are protecting their machines
with software than are doing so with hardware.  There are a number of
possible reasons for this, including:

1) A conspiracy of people who are only "ostensibly" dedicated
   to fighting viruses, but who in fact are software fanatics,
   have ganged up to push only software solutions, and have
   brainwashed the entire computer-using population of the
   world into ignoring the obviously-superior hardware methods,

2) Hardware solutions, while potentially better than software
   solutions in some sense, are more difficult to design,
   market, and distribute, and no one has yet made the
   investment to make a good one generally available,

3) Hardware solutions, while theoretically superior to
   software solutions, are in fact no better in the majority
   of user environments, and they are inherently more
   difficult to install and maintain.

I suspect you are somewhere between (1) and (2), while I am somewhere
between (2) and (3).  Only time will tell, and I don't think
disagreement is automatically a sign of closed-mindedness on the part
of one of the parties...

DC

P.S. I notice you always seem to change the Subject: line
    when replying to a posting.   Is that intentional?
    The tradition is to leave the Subject: line alone,
    just sticking a "re:" at the front if there isn't one.
    This would make it easier for folks to follow (or
    avoid) specific threads in the conversation...

------------------------------

Date:    Fri, 01 Nov 91 14:09:00 -0500
From:    "Sue Hay (tm)" <[email protected]>
Subject: re: Organ music/black monitor-Mac (Mac)

from Fran Holtsberry:
>We have two systems playing organ music and no monitor response.  Any
>ideas about whether this is a virus or a prank?  My first reaction is
>that it is a Halloween prank. But it still is debilitating two Macs.

That chord means that your Macintosh has a hardware problem and it
needs to be taken to an authorized Apple service and repair technician.
No virus is involved.

Susan Hay, User Services Consultant/Analyst, Brown University

------------------------------

Date:    Fri, 01 Nov 91 13:15:18 -0500
From:    [email protected] (Jeffry Johnson)
Subject: Zipped files (PC)

Are there any programs which will scan inside of Zipped files?
Thanks in advance.
                                              Jeff

------------------------------

Date:    Fri, 01 Nov 91 13:43:25 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Disk Compression (PC)

>From:    [email protected] (Vesselin Bontchev)

>Oh, no! It is enough that the users are trying to force the producers
>of virus scanners to scan inside self-compressed executable files...
>They really don't need to be forced to handle also Stacker/SuperStore/
>DoubleDisk, etc. formats!

They may not have a choice - I see this as the next real "must have"
utility as no-one ever has enough disk space. Meanwhile LZEXE and
PKLITE have proven that the extra time required to decompress in
memory is less than the time gained from reading half the number of
sectors.

For people with slow disks, they gain speed AND space and at
essentially no cost other than that required to obtain the software.

DR-DOS 6.0 is bundling Addstor's SUPERSTOR. Northgate (I think) is
including Stac Electronic's STACKER with its laptops. It would not
surprise me to see something like this bundled with all of those nice
laptop and notebook PCs caught in the pipeline with 20 Mb drives.

In fact, it would not surprise me to see Microsoft bundle in a
compression routine with Windows 3.1, not so much to be nice to the
user, as to make files totally incompatible with OS/2. Who would want
to give up half their disk space just to run a new OS ?

The point is that disk compression routines work, are as safe as
anything else & can double effective disk space at a time when GUIs
and their programs are requiring more and more storage. That it is a
software solution to a hardware problem makes it all the more elegant.
My only question now is "which one am I going to use ?", not am I
going to use one.

Add to the fact that the cost is dropping dramatically (the price of
DR-DOS 6.0 with SUPERSTOR from a reputable mail order house is U$69.00
and Stac just "realigned" their prices) and it is easy to see that we
are poised for another dislocation. Software utilities and anti-viral
vendors are going to just have to accommodate the change. The good news
is that accommodation will not be difficult since it will be a global
change not a question of "is this file compressed or not". However,
anyone who doubts that it is going to occur might just be in the
market for a new buggy whip 8*)

                                               Padgett

------------------------------

Date:    Fri, 01 Nov 91 15:00:15 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: VSHIELD, DOS 5.0, & QEMM (PC)

I tried to send via E-Mail but failed & this might be of interest to others.

(550 <@UUNET.UU.NET:[email protected]>... Host unknown)

Subject: QEMM, DOS 5.0, & VSHIELD v84

Jon: LOADHI VSHIELD /LH ... works on my PC with DOS 5.0 & QEMM 5.11. By any
    chance do you have the line "DOS=HIGH,UMB" in CONFIG.SYS ? It will
    confuse QEMM & might lead to the problem mentioned. If so try replacing
    with "DOS=HIGH". Also QEMM versions earlier than  5.11 are said to have
    problems with DOS 5.0. Finally, QEMM must be invoked with the RAM switch
    to create high RAM. If all else fails, use the LOADHI command alone
    after DOS loads to see what high memory is available - if there is
    not enough free high memory, then LOADHI will put VSHIELD in low
    memory with an error message. I am also using the NOEMS switch to
    maximise high RAM. Just some thoughts.
                                                       Padgett


------------------------------

Date:    Fri, 01 Nov 91 16:15:31 -0600
From:    [email protected]
Subject: New Fprot avail.? (PC)

I thought I saw a reference to FPROT 2.01, if so, where is it posted
for FTP download?

Thanks,
-------------------------------------------------------------------
|  Tom Neuhauser                    |  [email protected]   |
|  Information Technology, LRC 26   |  attmail!tneuhaus             |
|  University of Wisconsin          |                               |
|  Stevens Point, WI 54481          |  "He who hesitates, waits..." |
|  715-346-3058                     |                               |
-------------------------------------------------------------------

------------------------------

Date:    Thu, 31 Oct 91 20:57:07 +0000
From:    [email protected] (-= WAD =-)
Subject: Re: Harry Anto (PC)

[email protected] (Fridrik Skulason) writes:
>>I think we ( A friend and I ) have found a new virus for PC !!!!
>
>Well, not quite new....but fairly recent at least - it can be detected
>(and also removed) by version 2.01 of F-PROT.
>
>-frisk

Thank god for that !!!!... Where can I ftp/mail/etc this from then

Cheers
--
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
|  Fleshy : -= WAD =-       E-mail : csh060%[email protected] |
|  Voice  : (0203) 449274                                                  |
|  Address: 6, Kingsway, Stoke,         Quote: Strange how such a man could|

------------------------------

Date:    Fri, 01 Nov 91 23:21:15 -0330
From:    Noel Roy <[email protected]>
Subject: Re: Only Scan Floppies? (PC)

[email protected] (Jesse Chisholm AAC-RjesseD) writes:

>Question: of the various TSRs that check programs before I execute
>or copy them, do any allow me to only check those coming from a floppy?

>Reason being a performance degradation issue.  Floppies are slow
>anyway and adding the time to scan the file is a very small percentage.
>But adding the time to a hard disk access is a larger percentage
>(though I admit still small) and not really necessary as I checked
>my hard disk thoroughly at boot up time.

Does this make sense?  It takes just as long to scan a file on a
floppy as it does a file on a hard disk.  In fact, it takes longer --
precisely because file access is so slow on floppies.

--
Dr. Noel Roy
Department of Economics                   internet: [email protected]

Memorial University of Newfoundland       BITNET:   use Internet address
St. John's, Newfoundland A1C 5S7 Canada   cdnnet:   [email protected]

------------------------------

Date:    Sat, 02 Nov 91 16:25:00
From:    "Axel Gutmann" <[email protected]>
Subject: re: viruses and "viruses"

>From:    [email protected] (Fred Waller)
>Subject: Viruses and "viruses"
>
>Writes  [email protected] (Bill Davidsen):
>(...)
>> In disease terms, if you vaccinate enough people so that an
>> infected person is unlikely to come in contact with a vulnerable
>> person, the disease will die.

>Apart from the fact that we don't know any diseases that have
>actually been "killed" that way (smallpox wasn't!), I don't like
>the parallel for other reasons. Computer viruses and biological
>diseases are unrelated in nature, action and mode of spreading.
>One of the worst misnomers ever concocted was calling these programs
>"viruses".  They aren't viruses nor anything near.  There are far
>more differences than similarities between computer "viruses" and
>the biological ones.  (Has anyone ever seen a non-TSR disease?)
>
>Unlike biological ones, computer "viruses" never need an active
>host to "survive". They can be kept safely tucked away in a desk
>drawer, and be brought out at the owner's whim two years later.
>Nothing whatsoever to do with the theoretical "dying" of animal
>diseases. Nor do they jump from computer to computer across the
>air.
>(...)

I don't think virus is such a bad name for "viruses". They are
clearly different from biological ones, right, but there are
lots of analogies (BTW: and fewer differences than you think:
biological viruses don't necessarily need an active host to
survive - consider tobacco-mosaic virus-crystals - and don't generally
jump from host to host across the air - thank God AIDS doesn't!)

The analogy that's most important in this discussion is the similarity
in the dynamics of the spreading of diseases and virus-like-trojans.
The differential equations that correlate the rate of newly infected
humans with the percentage of vaccination and the density of the
observed population should be equally valid for the variables
trojan-spreading-rate/percentage-of-(somehow)-protected-computers/
density-of-compatible-computers(OS or interpreter).

So if you "vaccinate" enough computers, the "virus"-spreading would
slow down to a point where the new infections can be handled by
other data-security measures.

Right, we wouldn't have eradicated the "viruses", but we could live
with the remaining risk.
I'd like to do to old STONED what we did to the smallpox-virus!
************************************************************************
*Axel Gutmann, uh2m@DKAUNI2, Internet: [email protected]*
************************************************************************
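Axel's argument above leans on the epidemic equations without writing them out. As an added illustration (not from the digest or any of its posters), here is the standard SIR (susceptible / infected / recovered) model with a fraction of machines "vaccinated", i.e. removed from the susceptible pool before the outbreak. The quantity that decides the outcome is the effective reproduction number R_eff = R0 * (1 - p), and the protected fraction at which R_eff drops to 1, p = 1 - 1/R0, is the threshold he is describing. The parameter values used (R0 = 3, a 7-day "infectious" period, 10,000 compatible machines, 10 initially infected) are constructed assumptions, not measurements; the post gives no numbers.

```python
"""Herd-immunity arithmetic for a virus spreading among compatible machines.

Added example: a discrete-time SIR model in which a fraction `protected`
of the machines is "vaccinated" (removed from the susceptible pool before
the outbreak starts). All parameter values are constructed assumptions.
"""


def effective_r(r0: float, protected: float) -> float:
    """Reproduction number once a fraction `protected` of hosts is immune.

    Each infected machine would reach r0 others in a fully susceptible
    population; only the unprotected share of those contacts can be infected.
    """
    return r0 * (1.0 - protected)


def herd_immunity_threshold(r0: float) -> float:
    """Smallest protected fraction p for which effective_r(r0, p) <= 1."""
    return 1.0 - 1.0 / r0


def simulate(r0: float, protected: float, population: int = 10_000,
             initial_infected: int = 10, infectious_days: float = 7.0,
             days: int = 365) -> dict:
    """Run an Euler-stepped SIR model (one step per day) and summarise it.

    Returns the effective reproduction number, the peak number of
    simultaneously infected machines, and the attack rate: the share of
    unprotected machines that were infected at some point by the end.
    """
    gamma = 1.0 / infectious_days          # daily clean-up (recovery) rate
    beta = r0 * gamma                      # daily infectious-contact rate
    unprotected = population * (1.0 - protected)
    s = unprotected - initial_infected     # susceptible: unprotected and clean
    i = float(initial_infected)            # currently infected
    r = 0.0                                # cleaned up, no longer spreading
    peak = i
    for _ in range(days):
        # Mass-action contacts; never infect more machines than remain clean.
        new_infections = min(beta * s * i / population, s)
        new_recoveries = gamma * i
        s -= new_infections
        i += new_infections - new_recoveries
        r += new_recoveries
        peak = max(peak, i)
    return {
        "effective_r": effective_r(r0, protected),
        "peak_infected": peak,
        "attack_rate": (unprotected - s) / unprotected,
    }


if __name__ == "__main__":
    R0 = 3.0   # constructed assumption: each infected PC reaches 3 others
    print(f"threshold for R0={R0}: protect "
          f"{herd_immunity_threshold(R0):.0%} of compatible machines")
    for p in (0.0, 0.5, 0.8):
        out = simulate(R0, p)
        print(f"protected={p:.0%}  R_eff={out['effective_r']:.2f}  "
              f"peak={out['peak_infected']:.0f}  "
              f"attack_rate={out['attack_rate']:.1%}")
```

With these assumptions the threshold is two thirds of the population: at 80% protected the effective reproduction number is 0.6, the number of infected machines declines from day one, and only a percent or so of the unprotected machines are ever hit, which is the "manageable by other measures" regime the post describes; with nobody protected the same virus reaches well over half of them. The `population` parameter plays the role of the "density of compatible computers" in the post.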

------------------------------

Date:    Sat, 02 Nov 91 14:45:05 -0500
From:    [email protected] (Alan J Rosenthal)
Subject: Re: Organ music/black monitor-Mac (Mac)

[email protected] (Fran Holtsberry) writes:
>We have two systems playing organ music and no monitor response.

I don't know exactly what you mean by "organ music", but if it's a mac II, and
the sound is something like this:  like "do, mi, soh, do", with the last "do"
being higher than the other notes, with the initial sound the mac makes when
being turned on somewhere around "la", then this is the normal sound made by a
mac failing certain hardware tests at power-on.  I've experienced this from bad
memory boards and from memory boards not being seated properly, but I believe
that there are other possible causes for this particular sound.

------------------------------

Date:    Sat, 02 Nov 91 14:46:32 -0500
From:    [email protected] (Alan J Rosenthal)
Subject: Re: Only Scan Floppies? (general)

[email protected] (Jesse Chisholm AAC-RjesseD) writes:
>Reason being a performance degradation issue.  Floppies are slow
>anyway and adding the time to scan the file is a very small percentage.
>But adding the time to a hard disk access is a larger percentage
>(though I admit still small) and not really necessary as I checked
>my hard disk thoroughly at boot up time.

Is it feasible not to check files on your disk at boot time, and *only* to
check files when running them?  This sort of meets the same objective.  Of
course, you still have to scan boot sectors, etc, upon boot, but not every file
on the disk.

------------------------------

Date:    Sat, 02 Nov 91 21:46:53 -0800
From:    [email protected] (Rob Slade)
Subject: Vesselin Bontchev's history paper

I finally got around to reading Vesselin's "Bulgarian Virus Factory"
paper, which Ken archived in TeX, PS and text format at cert.  I am sorry
I waited so long.

This paper is excellent, not only for its fascinating account of the
"Factory", but also the excellent primer on viral operations in general.
It is also a "must read" for those who want to know "why do these people
do that?"

=============
Vancouver          [email protected]   | "Power users think
Institute for      [email protected] |  'Your PC is now
Research into      CyberStore               |  Stoned' is part of
User                (Datapac 3020 8530 1030)|  the DOS copyright
Security           Canada V7K 2G6           |  line." R. Murnane

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 208]
******************************************