VIRUS-L Digest Friday, 8 Feb 1991 Volume 4 : Issue 23

VIRUS-L Digest Friday, 8 Feb 1991 Volume 4 : Issue 23

Today's Topics:

Antivirus-Plus review (PC)
Virus questions (PC)
Too much on infection checkers
Reporter seeks help on story about a Mac virus (Mac)
Boot sector self-check (PC)
Alameda/Yale (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 04 Feb 91 11:05:46 -0800
>From: [email protected] (Rob Slade)
Subject: Antivirus-Plus review (PC)

Comparison Review

Company and product:

Techmar Computer Products
97 - 77 Queens Blvd.
Rego Park, NY 11374
USA
718-997-6800
Antivirus Plus (purported "AI vaccine")

Summary:

Protection against major known viri and some viral type activites from
new or unknown viri. Easy setup with no requirement for user decisions,
but strong possibility of interference with normal computer operations.
If used, it is recommended that experienced viral specialists be
available to handle infections identified. Not recommended for systems
with frequent changes in software or configuration.

Cost $99.95 US

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
Installation 2
Ease of use 4
Help systems 1
Compatibility 2
Company
Stability 3
Support ?
Documentation 2
Hardware required 2
Performance 2
Availability 2
Local Support 1

General Description:

CURE is a manual scanning program with disinfection features. IMMUNE2
is a resident scanner that checks files as they are loaded, disks when
accessed, and memory when the program is first loaded. PREVENT1 is a
resident vaccine program.

Antivirus-Plus will detect infections by currently common viri. The
promise of detection of unknown viri is possible, but not likely in the
case of more advanced viral programs.

Recommended only for situations using the computer in fairly limited and
standard fashion, where automated attendance is a primary concern.
Comparison of features and specifications

User Friendliness

Installation

Antivirus-Plus appears to require installation from the A: drive onto a
hard disk. It is possible to install onto a foppy disk, and it is
possible to install from a drive other than A:, but it will continue to
request a "writeable" disk in A:.

The documentation states that removal from the hard drive requires
"de-installation", but this does not appear to be the case.

Installation is almost completely automated. Modification of
AUTOEXEC.BAT is not sophisiticated, but did not cause problems in
testing.

Ease of use

IMMUNE2 and PREVENT1 are automatic, background processes which operate
without operator attention. When the programs "identify" a process,
they do not do so either by virus name, or by identity of infected
program. The user is requested (by IMMUNE2) to run CURE, but no
parameters are given. See also "Compatibility" regarding false alarms.

Help systems

None provided.

Compatibility

Both CURE and IMMUNE2 identify common and well known viri, although not
always by the "standard" names. Jerusalem-B is identified as "Black
Friday #1", for example. All Antivirus-Plus programs are fairly noisy
about their detection of a virus, vis the message that appears when
IMMUNE2 is invoked while a virus is present in memory:

> +==========================+
> " Warning !! "
> Fri 1-18-1991 13:02:09.49" You are using an "
> A>antvirus\immune2 " infected disk(ette). "
> !! A Virus is present in y" "
> !! Removing the virus now " Use ANTI VIRUS "cure" "
> !! A Virus is present in y" program to remove virus. "
> !! Removing the virus now " "
> !! A Virus is present in y" Hit any key to continue "
> !! Removing the virus now +==========================+
> !! A Virus is present in your computer memory !!
> !! Removing the virus now !!
> !! A Virus is present in your computer memory !!
> !! Removing the virus now !!
> !! A Virus is present in your computer memory !!
> !! Removing the virus now !!
> The ANTI-VIRUS immunity program is now resident.

The same window, without quite so much "background noise", appears when
any disk, infected with a known boot sector virus, is accessed, even by
a directory request. It also appears when an infected program is run,
and states that the program has been disinfected. The program is *not*
disinfected on disk, but the virus appears to be barred from memory.
(Note that the virus in memory which triggered the display above was not
removed from memory, but was rendered inactive.)

The PREVENT1 program, however, fairs rather worse. It does not appear
to prevent any change to the boot sector, and therefore it seems that
new boot sector viri will be undetectable by the program, unless they
are very crude. This problem, however, is pale in comparison with the
problems PREVENT1 will cause with normal, uninfected, programs.

If you use a program (such as a word processor) to delete or modify a
program file, PREVENT1 will halt program execution. This may not seem
like a big deal: after all, how many people use (as I do) Word Perfect
as a disk manager? However, some programs, Word Perfect among them,
make changes to the program itself when you change some part of the
configuration, and PREVENT1 will stop this as well, telling you:

> Set-up Menu
>
> 0 - End Set-up and enter WP
>
> 1 - Set Directories or Drives for Dictionary and Thesa
> 2 - Set Initial Settings
> 3 - Set Screen and Beep Options
> 4 - Set Backup Options +==========================+
> " Warning !! "
> Selection: 0 " You have been running "
> " an infected program. "
> Press Cancel to ignore cha" "
> " PREVENT1 has removed the "
> " memory infection ! "
> " "
> " Hit any key to continue "
> +==========================+

It is, therefore, inadvisable to use Antivirus-Plus on a system which
undergoes frequent changes in this manner.

PREVENT1 is not completely consistent here. Word Perfect is halted when
trying to delete a program file, PCTOOLS is not. It is, therefore,
quite possible that some viri may slip past this protection.

Company Stability

Techmar is the distributor of Antivirus-Plus and other IRIS products in
the United States. Fink Enterprises, which distributes IRIS products in
Canada, will not carry Antivirus-Plus.

Company Support

Help line support was not used in testing. Techmar shipped very
quickly, but did not properly identify the package, which created
problems at the border.

Documentation

Documentation is provided solely on disk. The directions are clear and
readable, but very little information is provided beyond the most basic
installation information. Some information is the documentation is not
consistent with program operation, but not to the point of preventing
installation or operation.

Hardware Requirements

Documentation states hard disk required, but this can be avoided. Disk
"wants" to be installed from A: drive.

Performance

IMMUNE2 and CURE will identify many common viri. They fail to identify
the AIDS virus, which is interesting in that, while AIDS infections are
not common, the virus source code is available and widely known to
researchers. (CURE was the first "scanning" program tested not that was
not able to identify the virus.)

PREVENT1 will prevent some disk writes to program files, but allows
others to pass, including the deletion of program files. It apparently
does not check any writes to disk boot sectors or "bad" sectors.

Local Support

None stated or found.

Support Requirements

Alarms will likely require intervention by experienced personnel.

copyright 1991 Robert M. Slade

Vancouver [email protected] _n_
Insitute for [email protected] H
Research into (SUZY) INtegrity /
User Canada V7K 2G6 O=C\
Security Radical Dude | O- /\_
/-----+---/ \_\
/ | ` ||/
"A ship in a harbour is safe, but that / ||`----'||
is not what ships are built for." || ||
- John Parks `` ``

------------------------------

Date: Wed, 06 Feb 91 14:10:57 +0000
>From: [email protected] (Roggie Boone)
Subject: Virus questions (PC)

I have 4 questions regarding computer viruses. I am rather new to the
study of compuer viruses and the texts that I have read have not answered
these questions for me.

1) I have seen the SCAN software (MaAffee) scan a computer's memory for
viruses and noticed that it only scanned the base 640K of RAM. Do
viruses typically not infect or use extended/expanded memory? Are there
virus scanning packages that will scan the additional memory? I raise
this question, because it seems I read somewhere that some computers
with certain memory management drivers may not erase the contents of
extended memory on a warm boot, and hence may not erase any virus that
may be sitting in extended memory. (My memory isn't too good on this
topic).

2) Are there anti-virus packages (for PC or any computer) that use
artificial intelligence techniques to protect the system, or is such
an effort overkill?

3) Not meaning to plant ideas, but I was talking with a facutly member
in the dept. where I work, and the question arose as to whether a virus
could be transmitted to an orbiting satellite and cause the same havoc
that viruses cause us PC users. Is this possible?

4) I have also noticed that SCAN, for instance, scans basically the .EXE,
.COM, .SYS, .OVL files in a directory. Do viruses not infect .TXT or
.DOC files or maybe C (Pascal, Basic) source code?

I hope these questions have not recently been asked (I'm a new subscriber
to this group). Thanks for any info about any or all of these questions.

Roggie Boone ([email protected])
Research Tech. III
University of Georgia

------------------------------

Date: Mon, 04 Feb 91 08:21:56 -0500
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Too much on infection checkers

>From: "Nick FitzGerald" <[email protected]>

>If a virus such as STONED infected a machine with a cherry "All is OK"
>message in the boot sector, you would continue to see this now
>terribly misleading message after the STONED code loaded and passed
>control to the original boot sector.

>If the "All is OK" boot sector did a check of the actual (physical)
>boot sector then it wouldn't give an erroneous message if the disk was
>infected with STONED or similar boot sector infectors, but it would
>still give a misleading report if a stealth boot sector infector
>struck, as the virus would intercept the attempt to read the boot
>sector and return the contents of the original from its hiding place.
>(This seems to be a lot of extra code to jam into a single sector...

Yes, it was but the following capabilities were able to be placed into 512
bytes (with NONE left over though the ASCII and some of the "nice" could be
reduced) - remember, this is in the partition table, not the boot sector:

1) Validity check of disk access through BIOS
2) Self-Check of own code (every byte)
3) Validity check absolute sector 1 (every byte)
4) Validity check of real partition table (every byte)
5) Password control of disk access - unlimited length
6) Print Logo
7) Print error messages
8) Lock system on error

Following Boot:

1) Prevent read or write to check code
2) Prevent write to partition table, hidden sectors, or first boot sector
3) Prevent low-level format to entire disk
(if a second physical disk is present, all also apply to it)
4) Display error message if any of the above occur
5) Provide verifyable direct access to disk services even if "stealth"
infection occurs.
6) Prevent DOS access to fixed disk(s) if booted from floppy.

This has been able to catch everything thrown at it so far (and my collection
is pretty good).

It seemed that every step of the way, other possibilities opened up (this
started out to be a simple password protection scheme) though I will admit
that lasagna code (spagetti code is traceable) was necessary and it kind of
pulls itself up by its bootstraps. Just to make things sillier, the whole
thing was written using DEBUG since MASM or C did not provide enough control.
("What I did on my Christmas Vacation")
- --------------------------------------------------------------------------

>[J.] Christian Kohler Keele university, csw76%[email protected]
> Isn't it easy to build a
>self-checker into a program ( as suggested WP has done )? I could
>imagine that you just check the .exe when it is running, you could
>play around with some XOR's to create a check. You could even put the
>value in a seperate file, as long as your checking algorithm is
>complexe enough.

Problem is that with the "stealth" viruses, the original, uninfected file is
what is presented to the checker. Unless you KNOW you have a clean system,
such checkers can be defeated by viruses already known. (for fun, infect
a disk with the 4096 and then run McAfee's excellent SCAN with the /nomem
switch (you don't do you? I use /m whenever in doubt which is often) set.

Padgett

(definately my own views - no-one else knows what I'm talking about)
(well, maybe Chip Hyde or Andy Hopkins)

------------------------------

Date: Wed, 06 Feb 91 18:23:10 +0000
>From: [email protected] (Adam M Gaffin)
Subject: Reporter seeks help on story about a Mac virus (Mac)

Hi, all!

I'm a reporter at the Middlesex News in Framingham, Mass. The new
governor here had some trouble getting his budget to the Legislature this
week, allegedly because of a virus, and I'd be most grateful if somebody
could help me out with a story.

Seems one of his aides was up late finishing the budget on his Mac II
(as in 3 a.m.) for delivery to the Legislature that morning. He had just
typed about 50 (!) pages of the document in MacWrite, when it refused to
save the document. He eventually was able to retrieve an early version of
the document, which he had filed under a different name, but those 50
pages were gone.

When he ran Interferon 3.1 he got this messages: "Virus Type 003 on the
TOPS network." The computer had been part of LAN in the Office of
Administration and Finance but was taken off and moved to his office so
he could work on the document (the governor's office actually uses an old
Wang system, but since the guy was new and time was short, he figured
he'd work with what he already knew). The office is now busy checking
all the other computers, of course, and the aide in question has been
told to save his documents more often!

So, does anybody know what kind of virus this might be and how common
it is? And is it true that Mac viruses are easier to write than PC
ones (one of our PC people told me that; maybe she's biased :-) ). And,
in the Dumb Question of the Week category: how might the virus have
gotten into the network in the first place? I assume it would be somebody
bringing an infected disk in from home (the LAN is not tied to any other
network), but might there be other ways (short of the Dukakoids
sabotaging the system, which I doubt, given they had no idea it was going
to be used to write the budget, since they did all that on their Wangs).

Any help would be most appreciated! Thanks!

Adam Gaffin
Middlesex News, Framingham, MA
[email protected]
Voice: (508) 626-3968
Fred the Middlesex News Computer: (508) 872-8461

------------------------------

Date: 05 Feb 91 10:29:26 -0500
>From: Steve Albrecht <[email protected]>
Subject: Boot sector self-check (PC)

> From: [email protected] (Gatliff, William A.)

> To help combat this, what would be the possibility of deliberately
> infecting ones boot-sector with a piece of code that would display
> some kind of 'ok' message if it hadn't been tampered with?

While waiting for the same type of self-check in the boot sector, we
have developed a small program (so far only intended to protect
ourselves against reinfection by the Stoned virus) which does the
following:

1. Reads the partition table sector (absolute sector 1).

2. Compares the sector with a previously saved copy of absolute sector 1
(in a DOS file).

3. Writes (using Int 13h) the saved copy to absolute sector 1 in the event
of a discrepancy.

4. Immediately reboots the machine with a system reset (hard boot).

This program is placed in the AUTOEXEC.BAT file (this does lead to the
possibility that the process can be disabled very easily). A separate
initialization program is used to save the "clean" copy of absolute
sector 1 (necessary for step 2 above). This file must be saved at a
time when the sector is known to be clean. We have used McAfee's SCAN
and direct examination of the sector with a low-level sector editor to
verify that absolute sector 1 is "clean".

The immediate reboot (step 4) is necessary because the Stoned virus is
still in memory at this point, and a reboot will prevent the virus
from rewriting itself to the partition table.

This process monitors and corrects problems in absolute sector 1 only.
If a virus changes additional sectors, this process will restore the
original code in the partition table, and the system should boot
normally, if no changes have been made to the boot sector (logical
sector 1).

This process is not as complex as programming a self-check into the
code contained in the partition table sector, and is perhaps not as
effective as a deterrent to partition table viruses in general.
However, it works very effectively against the Stoned virus. We have
not had a chance to test it against other partition table viruses.

One caveat, though, is that this process will not work against a virus
which somehow prevents the write operation in step 3 above. Luckily,
the Stoned virus does not interfere.

One additional benefit we have realized is that in the case of
accidental corruption of the partition table, the saved copy can be
found with a low-level sector editor, and restored to absolute sector
1. We haven't had cause to use this benefit yet, but it is there if
the need arises.

We will likely improve on this program (barring availability of a
commercial alternative), but I share the idea for what it may be worth
to any of you who have been plagued by pesty comments about
legalisation.

Steve Albrecht
70033,[email protected]

------------------------------

Date: Wed, 06 Feb 91 24:45:00 -0800
>From: [email protected]
Subject: Alameda/Yale (PC)

Someone just brought in 3 diskettes, 2 of which contained only text
files, the last one contained an application. None of them were boot
diskettes (although they may have been originally and someone simply
erased the command.com file). F-Prot's (version 1.13) F-Disinf
claimed that all three had the Alameda/Yale virus. But when asked to
clean the boot sector, I received that message that the virus could
not be removed, no boot sector was found. Copying the files to a new
disk and reformatting the disks solved the problem. But is there any
explanation for finding the virus in an infected boot sector that then
cannot be found?

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 23]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253