VIRUS-L Digest Wednesday, 20 Nov 1991 Volume 4 : Issue 222

VIRUS-L Digest Wednesday, 20 Nov 1991 Volume 4 : Issue 222

Today's Topics:

Re: SCAN & VSUM questions (PC)
Re: Only Scan Floppies? (general)
re: stoned virus (PC)
Re: F-PROT v2.01 (PC)
Aircop (PC)
Re: Am I infected ? (PC)
Re: Am I infected ? (PC)
Re: Only Scan Floppies? (general)
Cascade & IRQ2 (PC)
Re: Norton SI 6.01 and Cascade? (PC)
Serial port virus detection (PC)
Re: Taxonomy
Smiley Cancer (Amiga)
File checking - 2

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 15 Nov 91 17:45:41 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: SCAN & VSUM questions (PC)

[email protected] writes:
>Greetings all,
Greetings :-)

>Could someone explain why SCAN goes over all .sys and all .prg files when
>scanning a drive??? Also where can I find the latest VSUM?

Hello Joseph,

VIRUSCAN will by default check files with certain extensions for
computer viruses in case there are some renamed .COM or .EXE or
overlay files.

I think VSUM is on garbo.uwasa.fi. If you can't find it there, your
best best would be to contact the author directly.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 | [email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Fri, 15 Nov 91 18:02:47 +0000
>From: [email protected] (Albert Lunde)
Subject: Re: Only Scan Floppies? (general)

[email protected] (Alan J Rosenthal) writes:
>[email protected] (Jesse Chisholm AAC-RjesseD) writes:
>>A perceived delay every time the user runs a program is sand in the gearbox.
>agreed. But Disinfectant init on the mac scans each time the program is run,
>and it is not a perceivable delay.

The Disinfectant INIT does not "scan" disks when they are inserted.

It contains custom patches which intercept a list of known viruses *at
the time they try to infect*. In the case of Desktop file viruses
like WDEF, this may indeed be when the disk is inserted. In the case
of other viruses, this may not happen until an infected application
(or other code) is run. Thus it can still be wise to scan with the
Disfinfectant application.

The relatively specific nature of the Disinfectant's INIT's patches,
the small number of Mac viruses and the fact it does not try to prevent
unknown viruses are what make it small and unobtrusive.
- --
Albert Lunde [email protected]
[email protected]

------------------------------

Date: Fri, 15 Nov 91 12:22:24 -0500
>From: "Fran Murello" <[email protected]>
Subject: re: stoned virus (PC)

Somehow I also ended up with the stoned virus (or a similar strain as
Norton anti virus say) on my pc. I first noticed it when I had an
error on the dos 5 shell menu stating that I had a wordperfect
savestate error. From this point on the machine started acting real
spooky..losing screen defalut files, unable to acces dos commands etc.
After rebooting I saw a message saying my pc was stoned! I used norton
utilites to look at the boot track and found a message saying
"leagalise marijuana" (must have been stoned, they legalize wrong!)
anyways I finally got rid of the virus BUT the cmos values of my hard
drive were corrupted. My 40 mg hard drive was now only 33 and showed
100% usage. After finally figuring out that this is what happened I
was able to change the values and restore data. I learned many hard
lessons during this disaster. I have no understanding as to why
someone can get off on doing this. It is pure vandalism and shows not
the persons intelligence, but the their overall ignorance. I hope that
they can put their programming skills to some good use someday.

------------------------------

Date: Fri, 15 Nov 91 11:33:00 -0600
>From: Steven Klepzig <[email protected]>
Subject: Re: F-PROT v2.01 (PC)

>Does anyone out there have any experience loading VIRSTOP.EXE into
>upper memory with 386Max? My Zenith 386/20 crashes when I add the
>line C:\386MAX\386LOAD PROG=C:\F-PROT\VIRSTOP.EXE to autoexec.bat.

The following works for me on my IBM PS/2 P70:

c:\bluemax\386load size=65792 prgreg=2 flexframe prog=c:\f-prot\virstop

BTW: Bluemax is essentially the same as 386max, just with a different install
& maximize program.

When I run F-TEST (1.16) I get an ACCESS DENIED message back. Not quite the
same message as with F-DRIVER but if VIRSTOP isn't loaded I don't get the
message. I guess that means VIRSTOP is working...

- -- Steven
========================================
Steven R. Klepzig =
University of Utah =
135 Student Services Building = Murphy's Law, v.1.7 "The time it
Salt Lake City, Utah 84112 = takes to pinpoint a LAN problem is
= directly proportional to its
Phone -- 801-581-3437 = gravity."
FAX -- 801-585-3034 =
InterNet -- [email protected] =
========================================

------------------------------

Date: Fri, 15 Nov 91 13:58:58 -0500
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Aircop (PC)

>From: Tom Killalea <[email protected]>

>CLEAN 7.9v84 says "Virus cannot be safely removed from boot sector".

>DOS\SYS says "Not able to SYS to .3L File System"
>(That's a superscripted L, and is the same for all floppies.)

Mr. Killalea must be using DOS 5.0 (possibly 4.x also) which uses extended
boot parameter blocks. One of the entries in this area is the "FAT12" or
"FAT16" ASCII identifier and the Aircop sample I have overwrites this area
with hex "33 c0" (would display as a numeral three followed by a super-
scripted "L"). Since SYS sees the extended BPB yet cannot resolve the FAT,
the error occurs. (untested assumption but matches symptoms).

Incidently, with all due respect to Ms. Hoffman, (VSum) I have seen 3 1/2"
disks as well as 5 1/4" infected with the AirCop. In fact the first time I
encountered the Aircop, it was on a 3 1/2 MS-DOS distribution disk (not
from Mircrosoft) that accomanied a new laptop.

Debug may be used to replace the Boot Record with a new, clean version by
loading a valid BR from a known clean floppy of the same size and density
and using this to replace the infected sector. It is possible that these
disks have incurred a double infection with resultant loss of the original
boot record. This could account for the inability for a "generic" disinfection
to properly restore the virus since without a valid BPB the only way to tell
what kind of disk it is would be to look at the letters on the disk cover
(difficult for software to do). (yes, I know it could be derived from the
FAT and CMOS information but it takes an intuitive jump to find it).

Padgett

<padgett%[email protected]>

------------------------------

Date: Fri, 15 Nov 91 18:44:00 +0000
>From: Old Baldie <[email protected]>
Subject: Re: Am I infected ? (PC)

[email protected] (Brian D. Howard (CS)) writes:
> [email protected] (Old Baldie) writes:
>
>>My apologies to all and sundry if this is a FAQ, but I'm wondering if I am
>>infected :-).
>
>>My PS/2 55sx developed an odd condition without warning - memory is recorded
>>as 639K instead of 640K, but none of the anti-viral packages which I use has
>>been able to identify any virus being present.
>
> Thats the normal state of affairs for the PS/2. I believe some other
> systems such as Hewlett-Packard Vectras also have the same 'feature'.

It does seem that way - except that mine clearly (and unequivocally)
had 640K earlier in its life. However, the likely cause is close to
identification, and many thanks to all those who have either mailed me
direct, or made polite suggestions on the Net. Once I have run a
couple of suggested checks (soon, if I can persuade someone to make
days 48 hours long...) I will post the details for those interested.

+--------------------------------------+
| Peter G. Q. Brooks [email protected] |
| Health Services Research Unit |
| Dept of Public Health & Primary Care |
| University of Oxford |
+--------------------------------------+
| +44 (0) 865 224375 8.30 am - 7.30pm |
+--------------------------------------+

------------------------------

Date: Fri, 15 Nov 91 18:50:00 +0000
>From: Old Baldie <[email protected]>
Subject: Re: Am I infected ? (PC)

[email protected] (Vesselin Bontchev) writes:
> [email protected] (Old Baldie) writes:
>
>> My PS/2 55sx developed an odd condition without warning - memory is recorded
>> as 639K instead of 640K, but none of the anti-viral packages which I use has
>> been able to identify any virus being present.
>
> A lot of resident viruses show such behaviour, indeed, especially the
> boot sector ones. However, the controller configuration of some
> computers make them eat up 1 Kb of RAM too. On most intelligent setups
> (those that are built in ROM), it is possible to specify whether this
> amount of memory will be taken from the top of the available memory
> (therefore reducing the amount of memory available to DOS) or from one
> of the low-address segments (was it 0300h?). The latter does not show
> any decreasing of the amount of memory available. Unfortunately, the
> PS/2 systems do not have this good feature (what is really good on IBM
> originals?). They are meant to be set up by a special setup program,
> which is specific for the particular model. I believe that in your
> case you are not infected. BTW, the PS/2 50 Z on which I am working
> right now says that it has 639 Kb available only as well... :-)
>
>> It's a failure on my part, I know, but I wasn't aware that the RAM had been
>> reduced until I ran NEWDET (the only package which reports the size as being
>> suspicious) after installing a tapestreamer card.
>
> No, I bet that this is how you received your machine - with 639 Kb
> memory available.

This is what set off the alarm bells - it was set up with 640K, and I
even have screen dumps somewhere which show this. Also, running
NEWDET previously had not reported 'suspicious...memory size is 639K'
- - it was NEWDET which alerted me to the anomaly.

>> I had wondered if a PS/2 specific virus had somehow got itself into battery-
>>backed system configuration RAM, but I can find no sources of information
which
>> would confirm/deny this possibility.
>
> Sorry, but the above has almost no sense...

I have received messages which suggest otherwise, and I will collate all the
useful and relevant pieces into a report to be posted soon.

>> I have checked through a list of known viruses looking for one which fits the
>> bill, but without success to date. If anyone can offer advice or (polite and
>> biologically feasible) suggestions, I would be grateful.
>
> Again, you're probably not infected, but nevertheless, check it with a
> good scanner, just to be on the safe side. Hope the above helps.

Many thanks for your suggestions (and say Hallo to Hamburg - I last
visited some 23 years ago! Beautiful city, marvellous people.)

Auf wiederhoeren,

+--------------------------------------+
| Peter G. Q. Brooks [email protected] |
| Health Services Research Unit |
| Dept of Public Health & Primary Care |
| University of Oxford |
+--------------------------------------+
| +44 (0) 865 224375 8.30 am - 7.30pm |
+--------------------------------------+

------------------------------

Date: Fri, 15 Nov 91 18:54:00 -0500
>From: [email protected]
Subject: Re: Only Scan Floppies? (general)

[email protected] (Alan J Rosenthal) writes:
> [email protected] (Jesse Chisholm AAC-RjesseD) writes:
>>A perceived delay every time the user runs a program is sand in the gearbox.
>
> agreed. But Disinfectant init on the mac scans each time the program is run,
> and it is not a perceivable delay.

No, this is _false_! Disinfectant INIT does _not_ scan the file when
it is run; it stops the virus if and only if it attacks. With file
infectors such as nVIR, this is immediately when the infected file is
run, but with Desktop infectors such as WDEF and CDEF, Disinfectant
INIT will not notify you of the virus until its resource is called,
usually by opening a window (in the case of CDEF) or legitimately
modifying the desktop file by copying a file or creating a folder (in
the case of WDEF). You can verify this by using a CDEF/WDEF infected
disk under System 7 -- the new OS never passes control to a CDEF
(Control DEFinition) or WDEF (Window DEFinition) in the Desktop file,
so the virus never gets a chance to spread, so Disinfectant INIT will
never alert you that the disk is infected, since it is non-contagious.
For this reason, many people like Gatekeeper Aid, since it _does_ scan
the Desktop file on disk insert and automatically removes specific
viruses, including CDEF, WDEF, MDEF, and possibly (but don't quote me
on this one) INIT-29.

Mark

- --
Mark "mostly harmless" Pilgrim ___/_ Here's to anyone who knows
f8dy@crnlvax5 -=- [email protected] \___/ which hex doesn't belong:
Disclaimer: My boss disavows this disclaimer. | D5 AA 96, D5 AA AD, B7B5,
"Elephants are kindly but they're dumb." -S&G _|_ A56E, C600, FF69, or 9D84.

------------------------------

Date: Fri, 15 Nov 91 21:45:15 -0500
>From: Scott Begin <[email protected]>
Subject: Cascade & IRQ2 (PC)

Ken West was asking about the CASCADE that showes up for IRQ 2 when
using the Norton Utilities SYSINFO program.

This is an operating system kludge, and I'll try to explain it the
best I can (from the explanation I was given by Microsoft Tech Support
when I was trouble shooting a MS bus mouse). I may not have this
right.

When the PC was origionally designed, it was not expected that any
computer could need more than 8 hardware addresses, with an address
taken up by the hard disk, LPT1, LPT2, COM1, COM2, the floppy disk,
etc... When the AT came out, cascading was used to allow for more
hardware interupts, where IRQ2 cascaded. Addressing IRQ's higher than
7 were done through IRQ2 (for compatability reasons).

Although this was first used on the AT (a 80286 based computer), It
has even been used on 8088 computers, I think especially anything
using ISA (Industry Standard Archetecture). This includes my computer
(an 8088 with a bios dated 1989 by Central Point Software), as well as
the Zeneth 8088 computers we have in the computer lab where I work.
So far, of the computers I have tested using my Norton Uitlities
SYSINFO, I have only found one (a REALLY incompatable 8088 based
computer with a Sperry name on it) that does NOT use cascading.

While not related to the subject at hand, after I found this out, the
next guy I talked with at Tech support for Microsoft told me I had a
'286 when I read off my interrupts to him, because of the cascading.
Mark it up to another case of poorly trained tech reps.

I hope this helps.

Scott A. Begin E-Mail: [email protected] _Same
"The Graveyard Madman" [email protected] / Account
Student Consultant [email protected]
Ronan Computer Lab CSV310@V8530 (CMU Campus Only)
Central Michigan University AT&T: (517) 772-6327
USnail: 1418 E. Gaylord #M-9;Mt.Pleasant,MI 48858

------------------------------

Date: 15 Nov 91 21:39:23 -0500
>From: Leonard Erickson <[email protected]>
Subject: Re: Norton SI 6.01 and Cascade? (PC)

In Virus-L #4.219 [email protected] (Ken West - Entomology) writes:

>I just installed Norton Utilities version 6.01 with DOS 5.0 running
>on my 386-25. The SI (system information) utility has a function to
>list hardware interupt usage. When I make this selection, it reports
>[Cascade] grabbing interrupt 2 (IRQ 02). I scanned the machine with
>McAfee Scan v. 84, and F-prot version 2.01 and neither report
>infection. Can anyone tell me what is going on here? Has anyone
>else seen this with Norton 6.01?
>
>I realize that Cascade is harmless but I don't want it around. Also,
>when I look at the interrupt usage with Quarterdeck's Manifest it
>shows IRQ 02 being used by the system ROM. I'm confused!

The reference to "Cascade" in SI is to the fact that on AT class
machines, IRQ 2 is used to "cascade" the intrrrupts from the first
interrupt controller to the second. Thus it is likely used by the
System ROM as well, and both programs are correct.

You are the victim of terminology overlap. Not of a virus attack.

------------------------------

Date: 07 Nov 91 22:04:00 +0000
>From: [email protected] (Paul Munsie)
Subject: Serial port virus detection (PC)

I have a puzzling problem that I'm not sure anyone can solve,
however a few replies to this may shed some light on the problem.

An 80286 processor is running in a "machine" that only has a serial
port for programming, and a virus infects the data in memory via the
port.

This machine hasn't got a conventional qwerty keyboard or VDU or
disk drive. Access to the programme is via simple user terminals and
breaking out of the programme to key in a virus checker / cleaner
isn't possible.

The data - not the programme - can be downloaded and uploaded via
the serial port to disk via a laptop or similar. A limited amount of
data space would be available above the data in memory

Now my question is, If the data in the machine is infected and the
data on disk is also, can either of these be cleaned and the good data
transfered via the port to clean the virus completely. The only way to
clean it now is to delete the data and manually reload it; a very time
intensive procedure.

The only other information I can offer is that I believe the virus
on the disk wouldn't be active because it would be stored as part of a
data file, and could even be undetected by its normal virus checker.
Also there would be a limited amount of spare memory in the machine
above the data in memory.

For those that are interested the Virus could possibly be "Asuzu"
(not sure though) and the machine is a PABX.

Thanks in advance, Paul.

- ---
* Origin: Mount Isa - Biggest city in the world. (3:8690/12)

------------------------------

Date: Thu, 14 Nov 91 09:32:21 +0000
>From: Norman Paterson <[email protected]>
Subject: Re: Taxonomy

I note that most of the schemes for virus taxonomy use a Linnean (?)
approach. I wonder if this approach can work in principle, since
computer viruses do not evolve in quite the same way as biological
ones. Life usually evolves by gradual diversification. It is not
common for genetic material from one species to be grafted into
another. And each creature must be viable at every stage in the game.
Computer viruses don't have these restrictions. Their authors can
copy material from one to another, and test their viruses in special
conditions where viability is not necessary. So should we expect a
tree-structured approach to work?

Another approach might be based on a string comparison, treating the
viruses as strings of characters, and comparing them. Some years ago
I was interested in this and came up with a method that suited my
purposes then, which was to find mis-spelled names in a register. The
algorithm defines a function "sim" which measures the "similarity"
betwen two strings, as follows:

1 Let A and B be two strings.
2 Let sim (A, B) = sim (A', B') + sqr (length (S)) + sim (A'', B'')
where S = longest nonempty common substring of A and B, and
A = A'SA'', and
B = B'SB''

For example, suppose A = "Paterson" and B = "Patterson". The longest nonempty
common substring to these is "terson", so that:
S = "terson"
A' = "Pa"
B' = "Pat"
A'' = B'' = ""
So sim (A, B) = sim ("Pa", "Pat") + 36
We now recursively call sim with A = "Pa" and B = "Pat".
The longest nonempty common substring to "Pa" and "Pat" is "Pa", giving:
S = "Pa"
A' = B' = ""
A'' = ""
B'' = "t"

Therefore, sim ("Pa", "Pat") = 0 + 4 + sim ("", "t")
To calculate sim ("", "t"), we see that there is no non-empty common
substring, ie the strings have nothing in common at all. So their
similarity is zero.

Adding up gives sim ("Paterson", "Patterson") = 40.

Some of sim's properties are noteworthy. It ranges over the positive
integers, with no upper bound. If two strings are identical, their
similarity is the square of their length, so long identical strings
are more similar than short ones. Another property is that in general
sim (A, B) <> sim (B, A). I expect you could explain these properties
in terms of information theory, and the chance of mistaking A for B
(which is not necessarily the same as the chance of mistaking B for
A).

In implementing sim, there is scope for clever programming to keep it
efficient.

I suggest we could use sim as the basis for a metric to define a virus
space in which we could pinpoint our viruses by their distance from
one another. For example, we could define the distance between two
viruses A and B as the reciprocal of the mean of sim (A, B) and sim
(B, A). Then variants would all be close together, presumably in
little clusters. Perhaps we could even project the space onto 2
dimensions and look at it.

How about it, Frisk?

Norman

------------------------------

Date: Sun, 17 Nov 91 01:04:31 +0000
>From: [email protected] (Hans de Graaff)
Subject: Smiley Cancer (Amiga)

Hi,

I would like to know if anyone has information about a virus called
the 'Smiley Cancer'. I've got it all over my disks, and I haven't
found a program yet that can deal with it.

The virus is not a bootblock-virus, but it isn't a link-virus in the
true sense of the word either. It uses a method similar to the DIR II
virus for the PC, because it changes some information in the file-
headers. I can probably give more info on request.

Thanks in advance,

Hans
- --
+---------------------------------+------------------------------------+
| Hans de Graaff | If the only tool you're used to |
| [email protected] | is a hammer, |
| GVU Center | the whole world looks like a nail |
| College of Computing | |
| Georgia Institute of Technology | Abraham Maslow |
+---------------------------------+------------------------------------+

------------------------------

Date: Fri, 15 Nov 91 22:44:02 -0800
>From: [email protected] (Rob Slade)
Subject: File checking - 2

FUNGEN8.CVP 911115

File checking - part 2

Historically, it is interesting to note that, initially,
operation monitoring and restricting software was the preferred
means of antiviral protection. Subsequently signature scanning
software became more prevalent, and currently holds dominance in
terms of number of programs in use. Change detection software,
however, has recently become very popular and, from my reviews
of software, at least, now leads in terms of number of different
programs implementing the technique.

The most basic type of change detection program could simply
automate the process of manual file checking outlined in the
previous column. However, this would not catch "overwriting"
viri, as long as they did not change the file date. Therefore,
most change detection software performs some type of "image
checking" as well.

"Image", "numerical" or "statistical" file checking is based on
calculations performed on the data making up the file. At its
most rudimentary, this is based on the "checksum". As the name
suggests, this is nothing more than a check of the "summing" of
all data in the file, or sometimes the modulus of that sum.
More complex is the CRC or "cyclic redundancy check", which
performs more complex calculations on matrices of the data.
(This is done in a fashion similar to the Hamming encoding used
for error detection and correction.)

It would be fairly simple for an overwriting virus to calculate
the checksum for a given file, and then to modify the code of
the infected file in such a way that the checksum would still
match. This is the reason for some of the more complex
calculations which are implemented.

While the initial checking of files is fairly standard, there
are a wide variety of implementations for the subsequent
checking of files. The original information must, of course, be
stored somewhere. Some programs create a single file for this,
others attach the information to the program to be protected.
Each means has advantages and disadvantages. A single file
means a single entity which virus authors may find out about and
"target". Attaching of data to programs which may be altered
means that the calculated codes may be altered or erased as
well. Sometimes small modules of code are attached to the
programs in order to allow the programs to check themselves.
Unfortunately, adding such modules to programs which already
check themselves for changes may prevent the programs from
running. (Norton AntiVirus stores the information in a number
of hidden, 77 byte files, with names similar to that of the
protected file. This caused a number of users to suspect that
the results of Norton's protection were actually the results of
a virus. One fairly unique ploy is used by "Victor Charlie",
which, in its earliest incarnation, simply offered itself as
"bait" to viral programs -- and then checked itself.)

copyright Robert M. Slade, 1991 FUNGEN8.CVP 911115

=============
Vancouver [email protected] | "If a train station
Institute for [email protected] | is where a train
Research into CyberStore | stops, what happens
User (Datapac 3020 8530 1030)| at a workstation?"
Security Canada V7K 2G6 | Frederick Wheeler

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 222]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253