VIRUS-L Digest Friday, 8 Nov 1991 Volume 4 : Issue 214
Today's Topics:
Virus Experts
Hardware? How about software...?
Furtivity
Real User
Viruses and "viruses"
F-Prot 2.01 (PC)
Re: PC Soft (PC)
A couple questions (Mac) (Commodore)
Re: Only Scan Floppies? (PC)
Re: Only Scan Floppies? (general)
Disk Compression (PC for now)
False Alarm (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 06 Nov 91 17:56:44 -0800
From: [email protected] (Rob Slade)
Subject: Virus Experts
[email protected] (Charlie Lear) writes:
> This posting is not pointing derisively at computer users who in 90%
> of cases simply don't know better; it is rather bringing to your
> attention the sort of people claiming to be "experts" in the field of
> virus control.
Oh, how true, how true. And the *egos* involved ... !
Having recently been tech support manager for KEA systems, I rather
dreaded the day that I had to inform a customer that they were infected.
I knew it would happen, as the product had a very distinctive error
message if it became infected with a file infector. In actual fact, the
one time I had to do it, the caller was very pleased to be informed of
it, and eagerly asked advice on antiviral software and procedures. (I
was pleasantly surprised.)
I would like to add some experiences in a related field. Shortly after I
opened the antiviral area on SUZY, and only yesterday from Cyberstore, I
got calls from the staff relaying messages from users who stated they had
become infected with a virus by using the online service. Of course, in
both cases the virus was "Stoned", and in both cases I informed both the
staff and the user that it was impossible unless they were a) technically
competent enough to know better than to do that and b) willing
participants in their own infection. (Yes, it *is* possible to transfer
a BSI via BBS. But you have to try pretty hard.)
> It's taught me a lesson. Every minute tonight during the hour and a
> half it took to reformat those disks and reload the software, I told
> myself, "I *MUST* remember to write protect every disk I send out, I
> *MUST* remember to write protect every disk I send out, I *MUST* ..."
Goodonya. Please do. As I hope my iterated refrain in the antiviral
reviews has pointed out, I am appalled at the commercial software houses
who still insist on sending out disks which are not only writable, but
lack any write protection at all. (Yes, I realize that shareware authors
do not have access to the type of disk duplication hardware that can
write on "notchless" disks. I encourage all of you who do deal in
shareware to write protect disks before you send them out. My real
contempt is reserved for the commercials who have access to the
resources, and simply can't be bothered. Or who like fancy copy
protection schemes better than security for us peons.)
=============
Vancouver Institute for Research into User Security
[email protected] | [email protected]
CyberStore (Datapac 3020 8530 1030)
Canada V7K 2G6
"Power users think 'Your PC is now Stoned' is part of the DOS copyright line." R. Murnane
------------------------------
Date: Wed, 06 Nov 91 20:55:56 -0800
From: [email protected] (Fred Waller)
Subject: Hardware? How about software...?
Writes [email protected] (Henk de Groot):
> We have UNIX systems with a Software-switch-off function. If an
> "Antiviral" package immediately activates this function the system
> will be switched off and can not be infected. Is this Hardware
> protection? No, because Hardware alone can not do it (it will not
> switch off by itself). Is this Software protection? No software
> alone can not do it (after software triggered the hardware, the
> hardware will switch the system off).
Fascinating. That's exactly how Mark Washburn's SECURE program
works under MS DOS, only I was led to believe here that SECURE
wasn't useful. Could it be that such methods, first pioneered by
Ross Greenberg in FluShot, and then expanded by Washburn in SECURE,
are a good way of doing things, after all? Better than string
scanning?
I always thought it was better, but with all the protestations here,
I had more or less given it up. Should we retake the subject of
SECURE, then? If it's good, then we should look at it much more
carefully, even as a model for other antivirus software.
Fred Waller
[email protected]
----------------------------------------------------------------
"So, which way should we go: North or South?"
----------------------------------------------------------------
------------------------------
Date: Wed, 06 Nov 91 20:46:59 -0800
From: [email protected] (Fred Waller)
Subject: Furtivity
Writes [email protected] (David.M.Chess):
> Anyway, I hate these "but you said that I said that you said
> that I didn't understand that I didn't say that..." threads.
Me too, but sometimes they help to clarify things.
My original post was in response to people who said that `interpreted
mode' viruses could still attack under conditions that protected
executables. I replied that such `interpreted viruses' would be
easier to combat; one reason I advanced for this belief was that
they probably couldn't become furtive ("stealth") viruses.
> I will reiterate, perhaps more clearly, and then drop the
> subject (unless it comes up again!).
>
> There's currently no correlation between how
> widespread a virus is and whether or not it is
> "stealthed".
No known statistical correlation, but I say we don't really know
whether there is no relationship in fact. Only a few viruses are
really widespread, and ONE of them IS furtive ("stealth"). It so
happens that the furtive widespread virus is also the oldest virus
known, so its width of spread MAY be due to time, not furtiveness.
> The fact that a certain type of
> virus cannot be stealthed is therefore not
> particularly suggestive of how widespread
> viruses of that type might become.
It looked suggestive to me. The other viruses that are widespread
are not furtive, true. But they are also old viruses, while most
furtive ones are much newer. So, while we don't KNOW that, given
equal time, the furtive viruses might not become VERY widespread
or that furtiveness is not a factor in virus spread, neither do
we know the reverse to be true.
Besides experience with old (non-interpreted) viruses, one may
rightfully use other (speculative) criteria when considering those
new, yet-to-be-written, speculative interpreted viruses. And that's
the kind of consideration that was being made.
> There! I *think* that should be uncontroversial... *8)
Sorry... seems that it still was.. a little... :-)
Fred Waller
------------------------------
Date: Wed, 06 Nov 91 20:45:19 -0800
From: [email protected] (Fred Waller)
Subject: Real User
Writes [email protected] (David M. Chess):
> Think of it this way: more people today are protecting their
> machines with software than are doing so with hardware. There
> are a number of possible reasons for this, including....
I think the most obvious reason is that viruses themselves are
the creature of programmers, and so are antiviruses. Since we are
in a programmer's-devised environment, both attacks and defenses
tend to be programmer-devised also.
Of course more people are protecting their machines with software;
that's what the antivirus suppliers have mainly been feeding to the
public. It's the only widely-available protection against the
widely-promoted threat, and the public panic, triggered by the same
antivirus publishers. Shouldn't lose sight of those facts.
Any "popularity" of software protection is -totally- unrelated to
effectiveness. It's due to promotion, availability and distribution.
People are not protecting their machines with hardware for the same
reason they are not protecting them with angel-wing feathers:
both are effective, but difficult to find. Most important, neither
one has been getting the daily promotion to millions of users that
software antiviruses get via free advertising on 60,000 BBS.
That's unrelated to effectiveness.
It costs nearly nothing to duplicate software, so free samples are
cheap to produce. And somebody else (i.e., the BBSs) advertise
and distribute them for free. That's another reason people use them,
because it costs them nothing to try. They have ABSOLUTELY NO IDEA
whether it's effective or not. They have absolutely NO WAY TO
MEASURE whether the antivirus software is of any use whatsoever.
In fact, much of the time, it's unprovable placebo. Nothing to do
with effectiveness.
The fact that they are using it hasn't done one thing to stop
viruses from spreading. Unrelated to effectiveness, again.
> An open mind doesn't require believing everything you hear!
But it most certainly doesn't allow rejecting everything you
don't like!
> People have been *quite* candid in response to your postings;
> I think that's part of what's bothering you... *8)
Sure. I'm human. I don't like to be contradicted any more than the
next fellow; there's no shame in admitting that. But I try to handle
contradiction in a mature way, not by demeaning opponents with
personal remarks, as we've seen done here (not from you, I hasten
to say).
> ... the strong tone of your earlier postings (on the
> near-perfection of write-protect tabs and so forth).
Write-protect tabs are not `near'-perfect - they ARE perfect.
Totally, not just `near'; there's no software bypass of a write-
protect tab. True, a write-protected disk cannot be updated. True,
the inconvenience of using only write-protected disks is
overwhelming. So, we have to make them a little less perfect...
I never said we should just look at the write-protect tab and STOP
THERE... I offered it as an illustration, a starting point. After
all, I propose not Virus-Proof Machines, but only Virus-Resistant
ones... remember? :-)
Unfortunately, some `open minds' became noticeably nervous at this
point and the conversation, instead of evolving, became derailed.
Which, I suspect, is what the `open minds' may have wanted in the
first place.
Fred Waller
[email protected]
-----------------------------------------------------------------
"Oh, give me a virus-resistant machine, a virus-resistant
machine..." -old folk tune, ca. 1991
-----------------------------------------------------------------
------------------------------
Date: Wed, 06 Nov 91 20:50:02 -0800
From: [email protected] (Fred Waller)
Subject: Viruses and "viruses"
Writes [email protected] (Axel Gutmann):
> ...biological viruses don't necessarily need an active host to
> survive - consider tobacco-mosaic virus-crystals -
The great majority of viruses do not resemble the so-called tobacco
mosaic virus. Tobacco mosaic virus seems to be at the boundary
between `crystallizable' protein and live organisms. In fact,
because it can be `crystallized' and remain active in such form,
I would tend to classify it not as a living organism, but as a
chemical... "anomaly". This is not at all difficult to do (a
"malchemical"...? ouch!).
Most live viruses ARE highly labile. They usually cannot stay alive
for any long time outside of a host, not to speak of reproducing by
themselves. True, some few can survive. But ALL computer "viruses"
can, and do, exist by themselves and can even be endlessly
"reproduced" (copied) without any need for "hosts"!
The mosaic virus is a bad example. We should keep in mind that there
are many such "borderline" cases in science. At some point, it
becomes difficult to distinguish between animals and vegetals, but
we emphatically distinguish between the two at all other levels.
I think it's bad thinking and bad practice to make emphasis on such
borderline cases to draw analogies between the extremes. They are
curiosities and exceptions, not rules. Analogies drawn from them
will be plainly inaccurate, as is the analogy between biological
viruses and computer "viruses".
> The analogy that's most important in this discussion is the
> similarity in the dynamics of the spreading of diseases and
> virus-like-trojans.
If that's the important analogy, then the differences far outweigh
the similarities. Computer viruses are not independent organisms.
They are the intentional product of ill-willing programmers. They
do not evolve as part of a natural environment. They are grossly
artificial. Their complexity is several ORDERS of MAGNITUDE smaller
than that of even the simplest virus.
Whereas the spread of real viruses can be studied and conclusions
drawn from their study, computer "viruses" are manipulated by their
authors and distributors, and their spread may have nothing at all
to do with their "ability to spread", or with whether they are
"stealthed" or not, or whether they infect this or that.
Anytime a virus author feels that his "creature" is not spreading
fast enough, he can add a dozen new ones. If the virus was
unsuccessful, he can "repair" it instantly and we have a new,
"evolved" (sic) "strain" (sic). In other words, viruses ARE NOT
organisms, they are the PRODUCTS OF organisms.
But if we are ignorant of the "seeding" mechanism, (as we are in
practice) and if we are ignorant of many aspects of the "transport"
mechanism (as we also are), and if "reproduction" may actually be
nothing but repeated artificial "seeding", HOW can we even think of
drawing parallels? Where, I ask, is the analogy between this and
natural viruses? HOW can we speak of analogies? Ill-applied
equations. False parallels.
In my opinion, the main reason antivirus publishers (and the news
editors...) are insisting on keeping the false parallel between real
viruses and computer "viruses" is for its psychological effect,
certainly not out of any kind of scientific necessity! Witness, for
example, the lingo that has developed among those who study computer
"viruses": "infection"; "to isolate" (not to copy) a "specimen" (not
a file); "strains" (not revised programs); even I, myself, am caught
writing about "taxonomy" as if the damn things were some kind of
natural entities!
The habit is pervasive, and plays to the public's imagination. And
THAT is its main value, a commercial one. Also, it plays to
programmers' vanity, because it allows them to feel that they are
the "creators" of "living creatures", i.e., that they are gods in
some way. Considering the size of some of the egos that populate
this environment, THAT might very well be the main cause... :-)
> I'd like to do to old STONED what we did to the smallpox-virus!
Easy. A vaccination for the Stoned has existed for a long time.
Several, in fact. Use it on your diskettes, and the Stoned will
never attack them. :-)
Fred Waller
[email protected]
------------------------------
Date: Thu, 07 Nov 91 11:06:37 -0500
From: MONAT%[email protected]
Subject: F-Prot 2.01 (PC)
I have some questions/wish list for F-Prot.
1. I have a lot of clients who work on their stand-alone computer
for quite some time and then decide to access a network. They
load virstop.exe at boot time but then at network time, the load
gets rejected with an "already installed" message. Couldn't
virstop.exe disable its first copy and then reload itself?
(P.S.: Until this problem is resolved, I'm still loading
f-driver.sys from version 1.16 at boot time, then virstop.exe
at network log-in).
2. What are we supposed to do with the file virstop.bin? It's exactly
identical to virstop.exe and both can be loaded at boot time.
3. I would like a new f-test.exe so that I can test if virstop.exe
works once installed in memory. There are so many ways to install
TSRs nowadays and so many operating systems, that it is necessary
to find out if it works. Just the fact that a program loads doesn't
mean success!
4. What's the command line switch to remove virstop.exe from memory?
(It's useful if you want to detach yourself from Novell without
rebooting).
Thank you for listening.
Paul Massue-Monat, Lab Mgr.
Faculty of Administration, University of Ottawa, Canada K1N 6N5
Phone: 613-564-6895/6500 Fax: 613-564-6518
Internet: [email protected]
------------------------------
Date: Thu, 07 Nov 91 11:34:15 -0500
From: Chris Jones <[email protected]>
Subject: Re: PC Soft (PC)
>Recently I heard a commercial for the Mac advertising a product called
>"PC Soft" (I think...) it claims to run MSDOS software "just like the
>?pc's at the office" (I don't own a mac and NEVER would).
It is called SoftPC, by Insignia Software. And it *does* run ibm software,
admittedly slower than the regular clock speed of the machine that it is on,
but what can you expect from software emulation? As for never owning a Mac,
that's too bad.. Maybe the Ibm will develop a *real* interface some day, so
that you hard-core ibm users can have one too...:)
> It occurred to me...what if an infected program was run using such
>an interface...would it infect other MSDOS software on the disk...
>or would it fail miserably, possibly destroying the infected software.
>
> I figured that someone here would have a comment...
As a matter of fact, the emulation is good enough that viruses *are* able to
infect and transmit. As has been recently discussed on the INFO-MAC discussion
list, ibm virus scanners are required (and work well) while running SoftPC
or SoftAT. (Mac virus scanners are useless in defeating pc viruses, they
just cannot recognize anything is happening..)
Several people on the info-mac stated for fact that their mac had been the
transfer point for a couple of ibm viruses, transmitted while running either
SoftPC or SoftAT.
Chris Jones
[email protected]
------------------------------
Date: Thu, 07 Nov 91 12:01:00 -0600
From: [email protected]
Subject: A couple questions (Mac) (Commodore)
I was reading the article about alternatives to virus protection
programs. Ones that will work.
Well, I use this Macintosh SE that the school has provided me and it
works nicely, but recently my roommate erased all of the anti-viral
programs and thus I was prone for an attack, which occurred. An OLD
virus, nVIR B, hit. No biggie, but the ANTI-virus program VIRUS
DETECTIVE removed the virus resource, but didn't redirect the
pointers, so I had a useless System, Finder, and Term program.
I also own a Commodore 128. Strangely, over the 6 years I have had it
I have never once had a single virus in it. Recently a few trojan
horses appeared, but they were easy to spot.
What makes the difference between the two is this, one is constantly
on - going from one application to another, while the other has to
constantly be shut off. On a Mac, (OR IBM for that matter) if you
want to increase the ANTI-virus protection, just after EACH
application shut the system off. The virus MAY still spread, but then
again, it may not.
Another reason why my Commodore can't be infected is that it has its
DOS in ROM not in a modifiable DISK which is then loaded into RAM.
Both are loaded into RAM, but on the Commodore, it cannot be changed
with software.
Just a thought,
ParaPsykotically Yours,
Tony
AB5891A@Drake
------------------------------
Date: Thu, 07 Nov 91 10:01:34 -0800
From: jesse%[email protected] (Jesse Chisholm AAC-RJesseD)
Subject: Re: Only Scan Floppies? (PC)
[email protected] (Noel Roy) writes:
: [email protected] (Jesse Chisholm AAC-RjesseD) writes:
:
: >Question: of the various TSRs that check programs before I execute
: >or copy them, do any allow me to only check those coming from a floppy?
:
: >Reason being a performance degradation issue. Floppies are slow
: >anyway and adding the time to scan the file is a very small percentage.
: >But adding the time to a hard disk access is a larger percentage
: >(though I admit still small) and not really necessary as I checked
: >my hard disk thoroughly at boot up time.
:
: Does this make sense? It takes just as long to scan a file on a
: floppy as it does a file on a hard disk. In fact, it takes longer --
: precisely because file access is so slow on floppies.
True, the scanning process itself takes the same amount of time. The
speed difference is from the access time on the floppy drive. I have
some users who do not want to know that their system is checking
for viruses except when it finds one. The problem is that the time for
scanning programs and file copies is noticeable, if slight. At
least, they tell me it is noticeable.
According to my users, those pesky little milliseconds add up. ;-)
They are willing to accept some speed degradation from the floppy
because floppies are slow anyway, and not used that often. If being
a little slower on floppy access is the price of relative safety,
that's OK; as long as it doesn't interfere with the user.
Since they have allowed the virus protectors and checkers to test
their hard disk at power up time, they are confident that the HD
is clean. Whether they can actually perceive the extra time to scan
programs from a hard disk load, or a network load, I don't know.
But they know it is happening and they know it takes some time
and they don't want to spend the time double/triple checking
files they know are clean.
Fortunately, the current version of VSHIELD from McAfee (for instance)
has command line options to limit which drives are checked on
program loads. If vendors keep adding features, I may someday
have happy users. ;-) Then again, some users always want more.
Jesse Chisholm | Disclaimer: My opinions are rarely understood, let
[email protected] | tel: 1-408-432-6200 | alone held, by this company.
[email protected] | fax: 1-408-435-8517 |-----------------------------
======== This company has officially disavowed all knowledge of my opinions.
--
"I'm up in the morning, before daylight;
before I sleep the moon shines bright.
Come a ti-yi-yippy-yippy-ay yippy-ay.
Come a ti-yi-yippy-yippy-ay." -- from an old song, "The Chisholm Trail"
------------------------------
Date: 07 Nov 91 20:27:42 +0000
From: [email protected] (Jesse Chisholm AAC-RjesseD)
Subject: Re: Only Scan Floppies? (general)
[email protected] (Alan J Rosenthal) writes:
: [email protected] (Jesse Chisholm AAC-RjesseD) writes:
: >Reason being a performance degradation issue. Floppies are slow
: >anyway and adding the time to scan the file is a very small percentage.
: >But adding the time to a hard disk access is a larger percentage
: >(though I admit still small) and not really necessary as I checked
: >my hard disk thoroughly at boot up time.
:
: Is it feasible not to check files on your disk at boot time, and *only* to
: check files when running them? This sort of meets the same objective. Of
: course, you still have to scan boot sectors, etc, upon boot, but not every
: file on the disk.
It is a question of perception rather than actual efficiency. A 1 or 2
minute check at power up time means there is time for a cup of coffee
before throwing the brain in gear. A perceived delay every time the
user runs a program is sand in the gearbox. My users have asked for
a way to maintain relative health without checking each and every
file on each and every load or copy. Since most infections come via
floppies, restricting the checking to loads or copies from floppy
seemed acceptable.
I have learned that v84 of McAfee's VSHIELD has command line options
to restrict which drives checks are done on.
--
"I'm up in the morning, before daylight;
before I sleep the moon shines bright.
Come a ti-yi-yippy-yippy-ay yippy-ay.
Come a ti-yi-yippy-yippy-ay." -- from an old song, "The Chisholm Trail"
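The two "Only Scan Floppies?" posts above describe a policy (scan loads from floppy, trust what the power-up check already verified) without showing how a scanner can honour the second half safely. The following is an added example of mine, not code from VIRUS-L, McAfee VSHIELD or any other product named in this digest, and it goes one step beyond the posts: instead of trusting a fixed-disk file merely because it was scanned at boot, it records the file's SHA-256 at boot and skips the rescan only while the hash still matches, so a file modified after boot is scanned again. The signature bytes, drive names and file contents are all constructed for the demo; no real virus signature appears.

```python
"""Scan-policy demo: always scan loads from removable media; for fixed-disk files,
skip the rescan only while the file is byte-identical to what the start-up
check verified.  Added example, not code from VIRUS-L or any product in it.
"""
import hashlib

# Constructed stand-in for a scanner's search string.  NOT a real signature.
SIGNATURES = {"demo-pattern": b"\xDE\xAD\xBE\xEF\x01\x02"}

REMOVABLE = "floppy"      # constructed origin labels
FIXED = "hard_disk"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def string_scan(data: bytes) -> list[str]:
    """Plain substring match: the 'string scanning' the digest talks about."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


class ScanPolicy:
    def __init__(self) -> None:
        self.verified: dict[str, str] = {}   # path -> hash recorded when scanned clean
        self.log: list[tuple[str, str]] = [] # (path, decision) for inspection

    def boot_check(self, files: dict) -> dict:
        """Full pass over fixed-disk files at power-up (the 'cup of coffee' scan).
        Clean files get their hash recorded; hits are returned to the caller."""
        hits = {}
        for path, (origin, data) in files.items():
            if origin != FIXED:
                continue
            found = string_scan(data)
            if found:
                hits[path] = found
            else:
                self.verified[path] = sha256(data)
        return hits

    def on_load(self, path: str, origin: str, data: bytes) -> list[str]:
        """Decide whether a program being loaded or copied needs a scan right now."""
        if origin == REMOVABLE:
            # Floppies are the usual infection route: always scan, cost accepted.
            self.log.append((path, "scan:removable"))
            return string_scan(data)
        digest = sha256(data)
        if self.verified.get(path) == digest:
            # Unchanged since the boot check: the rescan is the double-check
            # the users complain about, and it can be skipped safely.
            self.log.append((path, "skip:verified-unchanged"))
            return []
        # Unknown or modified since boot: trust nothing, scan it.
        self.log.append((path, "scan:changed-or-unknown"))
        found = string_scan(data)
        if not found:
            self.verified[path] = digest
        return found


def demo():
    """Constructed file set: two clean fixed-disk programs, one 'infected' floppy program."""
    files = {
        "C:\\DOS\\EDIT.COM": (FIXED, b"MZ clean editor"),
        "C:\\UTIL\\PKZIP.EXE": (FIXED, b"MZ clean archiver"),
        "A:\\GAME.COM": (REMOVABLE, b"game" + SIGNATURES["demo-pattern"] + b"end"),
    }
    policy = ScanPolicy()
    boot_hits = policy.boot_check(files)                       # {} : disk is clean
    r1 = policy.on_load("C:\\DOS\\EDIT.COM", FIXED, files["C:\\DOS\\EDIT.COM"][1])
    r2 = policy.on_load("A:\\GAME.COM", REMOVABLE, files["A:\\GAME.COM"][1])
    modified = files["C:\\UTIL\\PKZIP.EXE"][1] + SIGNATURES["demo-pattern"]
    r3 = policy.on_load("C:\\UTIL\\PKZIP.EXE", FIXED, modified)  # changed after boot
    return boot_hits, r1, r2, r3, policy.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The hash record is what makes the skip defensible: the posts trust a file because it was scanned at boot, whereas this trusts it only while it is provably the same bytes, which also catches a file infector that strikes after the boot check.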
------------------------------
Date: Thu, 07 Nov 91 14:51:34 -0500
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Disk Compression (PC for now)
>From: "Mark Aitchison, U of Canty; Physics" <[email protected]>
>Now (dare I say it?) for the question of the next generation of
>viruses that "know" about Stacker and SuperStore, etc. I presume that
>such viruses would have to be big, and they're hardly likely to handle
>all the brands and versions of compression software out there.
Doubt it - the Jerusalem (& any other virus that follows DOS Disk access
techniques) will work just fine. What is going to have trouble is anything
that tries to lock/access the FAT directly.
>The down side is that virus scanners are going to have to understand a lot
>about compressed disks (in conjunction with all sorts of other drivers
>and hardware) to ensure there isn't a "super virus" there. Not too
>much of a disadvantage, IMHO.
Same comment. Incidentally DiskSecure works just fine with SuperStore etc
as do the other products I have tested (VSHIELD, Virus-Safe, etc.) VSHIELD
does have a problem loading high with DRDOS 6.0 but have been promised a
fix.
Have had more problems trying to install Windows (have WordStar for Windows
coming in & was SuperStor impetus) since each time I try to load it, the
installation blows up & am left with a corrupt disk. DR wasn't surprised
& I suppose I am just going to have to "trick" something. Whoopie.
Incidentally, DS I protects itself, the MBR, hidden sectors, & the DOS boot
record - I do not understand why something else (mentioned in this issue
but I forget the name) would have a problem - to me it would be *more*
difficult to just protect part of a disk. DS II will just allow
extension of write protection to a whole disk just like DS I
prevents BIOS (not DOS) formats to any track. RSN 8*).
Padgett
------------------------------
Date: Fri, 08 Nov 91 10:17:01 -0500
From: Loren Mendelsohn <[email protected]>
Subject: False Alarm (PC)
ATTENTION!
McAfee SCAN82 falsely identifies one of the files on the DayStar
Digital LT200 PC LocalTalk software disk as being infected with the
Possessed virus. The falsely identified file is the DNET2.COM file.
When contacted, DayStar Digital stated that Central Point's virus
detection software will not identify the virus, nor will the latest
version of McAfee Scan (SCAN84).
Loren Mendelsohn
Wayne State University
Detroit, Michigan
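The false alarm above is the classic failure mode of string scanning: a short pattern that is also ordinary program code turns up in a benign file, and only a different scanner or a newer signature set clears it. The following is an added example of mine, not code from VIRUS-L, McAfee, Central Point or DayStar Digital, showing how a defender can triage such a report. It contrasts an unanchored short pattern with the same bytes required at a fixed offset, and checks a reported file against a vendor-published hash before treating the hit as real. Every signature, file and "vendor hash" here is constructed; no real virus signature or real DNET2.COM content is used.

```python
"""String-scanner false-positive triage.  Added example, not from VIRUS-L or any
vendor named in the digest.  Signatures, files and the 'vendor' hash are constructed.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: a 4-byte unanchored pattern.  Bytes like these (an INT 21h call
# followed by a register load) occur in plenty of ordinary DOS programs, which is
# exactly why a pattern this short produces false alarms.
SHORT_SIG = b"\xCD\x21\xB4\x4C"

# Constructed: the same bytes extended and required at a fixed offset (0x10), the
# way a scanner would anchor a signature at a known entry point.
ANCHORED_SIG = (0x10, b"\xCD\x21\xB4\x4C\xE8\x00\x00\xCD\x21")


def scan_unanchored(data: bytes) -> bool:
    return SHORT_SIG in data


def scan_anchored(data: bytes) -> bool:
    offset, pattern = ANCHORED_SIG
    return data[offset:offset + len(pattern)] == pattern


# Constructed sample files.
DNET2_COM = b"\xB8\x00\x00" * 4 + SHORT_SIG + b"\x00" * 20     # benign, short pattern at 12
SAMPLE_COM = b"\x90" * 16 + ANCHORED_SIG[1] + b"\x00" * 8       # anchored pattern at 0x10
OTHER_COM = b"\xEB\x10" + b"\x00" * 30 + SHORT_SIG + b"\xC3"    # benign, short pattern at 32
HELLO_COM = b"\xB4\x09\xCD\x21\xC3"                             # no pattern at all

# Constructed stand-in for a hash the vendor publishes for its shipped file.
KNOWN_GOOD = {"DNET2.COM": sha256(DNET2_COM)}


def triage(name: str, data: bytes, known_good: dict) -> str:
    """Classify one scanner report.
    known-good      : byte-identical to the vendor's published file, no hit
    false-positive  : byte-identical to the vendor's file, but the short pattern hits
    detected        : anchored signature matches at its expected offset
    suspect         : only the short pattern hits and no vendor hash is available
    clean           : nothing matches
    """
    if known_good.get(name) == sha256(data):
        return "false-positive" if scan_unanchored(data) else "known-good"
    if scan_anchored(data):
        return "detected"
    if scan_unanchored(data):
        return "suspect"
    return "clean"


def demo() -> dict:
    samples = {
        "DNET2.COM": DNET2_COM,
        "SAMPLE.COM": SAMPLE_COM,
        "OTHER.COM": OTHER_COM,
        "HELLO.COM": HELLO_COM,
    }
    return {name: triage(name, data, KNOWN_GOOD) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<10} {verdict}")
```

Two things the run shows: the anchored signature never fires on either benign file while the unanchored one fires on both, and a hash comparison against the vendor's own release settles the DNET2.COM case without waiting for a second scanner's opinion. "Suspect" is the honest verdict when no such reference exists.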
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 214]
******************************************