VIRUS-L Digest   Wednesday,  6 Mar 1991    Volume 4 : Issue 38

Today's Topics:

Re: Stoned - new version? (PC)
Re: Research viruses
Interesting use of viruses
Mini-viruses
Standardized virus signatures
Virus Checking in ROM
Legislation and Protection
Windows 3.0 / F-Prot (PC)
National Computer Security Assn.
Re: ALERT: WDEF A, found on Rodime utilities for Mac. (Mac)
Uk Computer Crime Unit
Weird Stuff Happening to PCs Here at Ohio Univ. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    03 Mar 91 00:19:09 +0000
From:    [email protected] (John Carson)
Subject: Re: Stoned - new version? (PC)

My friend Paul purchased a MICROSOFT DOS 4.01 at a computer store and
also purchased some BRAND NAME 3 1/2 DISKS. The salesman copied the
DOS onto the 3 1/2. Later we found the VIRUS Stoned II on the system.
After cleaning up the system, we found the virus was on the original
MICROSOFT DOS 5 1/4 DISKS. Can this virus jump onto the original as
you copy it to another, or is there a chance it was on the MICROSOFT
DOS?

********************************************************************
D.John Carson    J & H Concepts   [email protected]   604-589-5118
                                  uunet!van-bc!rsoft!mindlink!a29
***********************************************************************

------------------------------

Date:    Mon, 04 Mar 91 16:54:50 -0500
From:    Joe McMahon <[email protected]>
Subject: Re: Research viruses

Research viruses: just say no.

Case in point: the purported author of the Scores virus, who is
reportedly under arrest at the moment, wrote in the documentation for
the Vaxene program (which removes Scores) that s/he never expected the
virus to get loose.

A research virus. A fine and a jail term. Thanks, I'll pass. I have
enough troubles. If you have all of this inventive energy, why not
write a real program and get some real recognition for your talents?

--- Joe M.

------------------------------

Date:    Tue, 05 Mar 91 04:27:09 -0500
From:    [email protected] (Larry Nathanson)
Subject: Interesting use of viruses

    This is an edited version of something I wrote for
    comp.risks 6.29 on 19 Feb 88.
-----------------------------------------------------------------------

       A few years ago, while I was in high school, I read a short
description (in Sci. Am.) of 'a neat thingy' called a computer virus.
For the hell of it, I decided to write my own.  (This was before
"computer virus" was a buzzword in every household).  It was short
(<500 lines source code) and contagious to Apple // DOS 3.3 disks.
Since it was a challenge and not a malicious attempt to destroy data,
when it triggered, all it said was "BOO".  It was never 'released' and
I have the only copies of it.

After a while I started wondering what use viruses could have, besides
the destruction of data.  One of the things I came upon, was that it
could be used to get information out of a secure system.  For example,
let's take 3 sample computer systems: A, B, and C.  Someone at A has a
file that someone at C wants.  B is a computer system that exchanges
software, with both A and C.  (B could also be multiple computer
systems, that exchange software among themselves, and form a link from
A to C.)  C introduces a virus to B's system, with the hope that it
will get to A's system.  (Divergent phase)  Of course a lot of other
people get this, but to them, it is innocuous.

All this virus does is check the date, and scan for a character string.
When a given character string is located (i.e. "Apple Computer Secret
Plans for 1992") it either 1) opens up a communication channel
{modem|ftp|mail} to A, and dumps all relevant information, or 2)
appends a certain amount of the information to itself, and subtly
changes itself: it is now an outbound virus, and will only transfer the
information to an already infected system. (convergent phase)

Thus eventually, the information will slowly come back to A.  If a copy
of the divergent virus finds that the date is greater than a certain
limit, it decides that it has diverged too far, and is on a dead end,
and just nukes itself.

If a group of programmers sat down and came up with such a "smart"
virus, the implications could be staggering.

-------------- If you cut here you'll ruin your monitor -----------
3/5/91

In these modern times, when everyone and their brother is doing
constant scans of every disk they have (hopefully), this wouldn't be
as easy to pull off, as when I wrote it.  But the idea of 'hidden
interdisk networks' is quite intriguing.

--Larry Nathanson   [email protected]    617 266 7419

------------------------------

Date:    Tue, 05 Mar 91 14:48:37 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Mini-viruses

We have seen viruses evolve in various directions.  In some virus
families, the variants tend to become more sophisticated, harder to
detect, or add new functions.

In other families the viruses just become smaller and smaller.

When I first became involved in viruses, the smallest virus known was
Vienna, 648 bytes long, but the latest Bulgarian variants of the
Vienna family are much smaller, only around 350 bytes.

Another family of small viruses is the 'Burger' viruses.  The naming
of the variants is in a mess, and I have several identical samples
with different names from various sources.  In this family we have
five 560-byte variants, the '405' virus and the '382'.

The Kennedy virus is small, only 333 bytes, but the related 'Tiny'
virus was for a while the smallest virus known - 163 bytes.

Then the Bulgarian virus writers started writing really small viruses.
The "Bulgarian Tiny" family has several members, the smallest of which
is only 132 bytes long.

An unrelated virus, which I propose to call "Micro-128", written by a
different person (but also in Bulgaria) is currently the smallest
resident virus - only 128 bytes long.

It is of course possible to write an even smaller non-resident virus,
and (naturally) a Bulgarian virus writer did just that - the result,
which I propose to call 'Minimal' is only 45 bytes.

Yes, 45

According to Vesselin Bontchev, the author could theoretically remove
some unnecessary code - reducing the size to 30 bytes or so.

The chances of becoming infected with this virus are practically nil,
as it is not known in the wild, but users of F-PROT can add the
following line to SIGN.TXT to detect it.

Minimal-45  dOT5v5ememVLstmMnMLdjSmmWtMpGfnBv2w7U7GFTBWdhvtgjLErsbwR71YJI1xfLd

-frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: [email protected]    Fax: 354-1-28801  |

------------------------------

Date:    Tue, 05 Mar 91 14:35:00 +0700
From:    "Jeroen W. Pluimers / Jeroen Smulders" <[email protected]>
Subject: Standardized virus signatures

Friday, 22 Feb 1991, Jim Pinson wrote:

> noticed that some of them (virus-scan programs) can use an external file
> containing virus signatures. This seems very useful......
> There does not seem to be a standard format of these files

Well, there is some sort of standard. It is being used by VIRSCAN,
HTSCAN and TBSCAN/TBSCANX.

The file consists of a list of signatures. All lines starting with ;
are considered to be comments.  Every signature has three lines. The
first line contains the virus name (Jerusalem-B, for instance). The
second line consists of the keyword BOOT, COM or EXE (and defines the
type of infection).  The third line has the virus signature (a HEX
string of bytes).

There is some provision for byte skips and random bytes.

I don't have the format handy, but if anyone is interested, I can post
the full specs.

Jeroen W. Pluimers - Gorlaeus Labs, Leiden University
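The three-line signature format described above, parsed and used to scan a buffer, as an added example; this is not code from the original post nor from VIRSCAN, HTSCAN or TBSCAN. The post does not give the actual notation for byte skips and random bytes, so the wildcard syntax used here (?? for one arbitrary byte, *N for a skip of up to N bytes), the signature names, the byte patterns and the sample buffers are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Pattern

# Constructed sample in the format the post describes: ';' comment lines,
# then three lines per signature: name, BOOT/COM/EXE keyword, hex string.
# The wildcard notation is an ASSUMPTION for this example (the post only says
# there is "some provision for byte skips and random bytes"):
#   ??   matches any single byte
#   *N   skips between 0 and N arbitrary bytes
# The names and byte patterns are made up and match no real virus.
SAMPLE_SIGNATURE_FILE = """\
; constructed sample signature file
; name / type / hex signature
Demo-A
COM
EB 2A 90 44 45 4D 4F
Demo-B
EXE
E8 ?? ?? 5E 83 EE 03 *4 B4 09 CD 21
"""

# Constructed buffers standing in for file contents.
CLEAN_COM = b"\xB4\x09\xBA\x00\x01\xCD\x21\xC3"
INFECTED_COM = b"\x00" * 16 + b"\xEB\x2A\x90DEMO" + b"\x00" * 16
INFECTED_EXE = b"MZ" + b"\xE8\x12\x34\x5E\x83\xEE\x03" + b"\x90\x90" + b"\xB4\x09\xCD\x21"
# Same bytes but with a 6-byte gap, longer than the *4 skip allows: no match.
NOT_QUITE_EXE = b"MZ" + b"\xE8\x12\x34\x5E\x83\xEE\x03" + b"\x90" * 6 + b"\xB4\x09\xCD\x21"


@dataclass
class Signature:
    name: str
    kind: str          # BOOT, COM or EXE
    pattern: Pattern   # compiled byte regex


def compile_hex_signature(hexstr: str) -> Pattern:
    """Turn a hex string with ?? / *N wildcards into a byte regex."""
    parts = []
    for tok in hexstr.split():
        if re.fullmatch(r"\*\d+", tok):
            parts.append(b".{0,%d}" % int(tok[1:]))
        elif re.fullmatch(r"(?:[0-9A-Fa-f]{2}|\?\?)+", tok):
            for i in range(0, len(tok), 2):
                pair = tok[i:i + 2]
                # re.escape matters: 0x2A is '*', a regex metacharacter
                parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
        else:
            raise ValueError(f"bad token {tok!r} in signature {hexstr!r}")
    # DOTALL so a wildcard also matches byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signature_file(text: str) -> List[Signature]:
    """Parse the ';'-comment, three-lines-per-record format."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if len(lines) % 3:
        raise ValueError("signature file is not made of three-line records")
    sigs = []
    for i in range(0, len(lines), 3):
        name, kind, hexstr = lines[i:i + 3]
        kind = kind.upper()
        if kind not in ("BOOT", "COM", "EXE"):
            raise ValueError(f"{name}: unknown type keyword {kind!r}")
        sigs.append(Signature(name, kind, compile_hex_signature(hexstr)))
    return sigs


def scan(data: bytes, kind: str, sigs: List[Signature]) -> List[str]:
    """Names of the signatures of the given kind (BOOT/COM/EXE) found in data."""
    return [s.name for s in sigs if s.kind == kind and s.pattern.search(data)]


if __name__ == "__main__":
    sigs = parse_signature_file(SAMPLE_SIGNATURE_FILE)
    for label, buf, kind in [("clean COM", CLEAN_COM, "COM"),
                             ("infected COM", INFECTED_COM, "COM"),
                             ("infected EXE", INFECTED_EXE, "EXE"),
                             ("gap too long", NOT_QUITE_EXE, "EXE")]:
        print(f"{label:14s} -> {scan(buf, kind, sigs)}")
```

Keeping the type keyword on each record is what lets a scanner apply COM signatures only to COM files and boot-sector signatures only to sector images, which cuts both scan time and false positives; the bounded *N skip is what keeps a signature from matching arbitrary unrelated code further down the file.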

------------------------------

Date:    Tue, 05 Mar 91 03:51:12 -0500
From:    [email protected] (Larry Nathanson)
Subject: Virus Checking in ROM

[email protected] writes:

>I agree with Bob Bosen that signature checking is the ONLY anti-viral
>protection that will detect future viruses as well as known ones.  My
>"preferred implementation", however, is to put the checking in the BIOS
>ROM so that any executable can be checked while it is being loaded.
>With the checker in ROM, I don't think it is "too easy to fake the all
>clear signal" as Bob says.

Putting the signatures of the executables into the ROM is very
impracticable.  The 'good' information changes almost daily.  If the
ROM contains every software package, I'm sure that you would need a
new chip every week to keep up with the new revisions.  If the ROM
contains a personalized version, then you need someone to burn custom
ROMs for you.  This would still need to be updated on a fairly short
term basis.  Also, not every "concerned user" (tm) has the knowledge/skills
to install a ROM.  That's probably a $75 service call.  Also, what if
your friend brings over a new program?  Do we have to burn its
checksum into the ROM first?

*IF: we just put major software packages used on the machine in the
ROM, and ignore the little used ones, we could still wind up with a
virus "subpopulation" only in the non-checked software.

*IF: we put every package into the ROM, the number of updates required
would be ungodly.  Every last patch and bug fix would mean a new chip
burn.

*IF: we use software that changes itself (to reflect user preferences,
for example) we need a new burn every time we change a default.

Writing a virus that gives the same checksum for every infected and
uninfected program is impossible, but it may be possible to write a
virus that infects just one package, and keeps the checksum intact.
Now this assumes that the virus writer knows what scheme is being used
to calculate the signature.  The countermeasure to this is to use
multiple checksum schemes.  Thus while one might show a false "OK",
another might catch the change.

Caveat: the only unique "number" that represents a given program ONLY,
is the program itself.  A checksum is a smaller number, that is
thought to reasonably uniquely identify it.  For example, Wordperfect
4.2 is really just a number that contains ~432,000 digits (assuming
file size 432K - I have no idea of the real size.)  We are trying to
semi-intelligently reduce those digits to around 4-8 that will
uniquely identify those 432 thousand.  Obviously, if we could get 4 or
8, or even 100 digits that do so, we'd have the most incredible
compression system in the world.  I'll let the mathematicians out
there chew on this one for a while - the feasibility of
number-crunching the finite viral code into the finite program code to
yield the same checksum.

>What is probably needed to get the manufacturers to go along is either
>Federal legislation forcing every commercial software vendor to provide
>a signature or else a Federal standard requiring it on all software
>bought by the Federal government.  Or maybe if MicroSoft, AMI, Phoenix
>Technologies, IBM, and RSA Data Systems all got together and offered it
>as an option for people who wanted it...  Unfortunately, we have here an
>example of what I like to call the "Railroad Problem" (literary
>reference, Heinlein's "Door Into Summer"):  If there are no tracks, who
>wants to spend money to develop locomotives, but if there are no
>locomotives, who wants to spend money to lay down tracks?

Whoa!!!  Why do the vendors need to provide the signature?  You have
to have the algorithm to produce the run-time checksum.  Why not just
run it on the LOCKED software disk when you receive it?  Those that
want the option can do so.  I fail to see what making the company
perform some simple computation before shipping the package, versus
you doing so after receiving it, would accomplish.

>And in the
>present case, there may well be software vendors who don't like the idea
>that someone can prove their negligence if an employee sneaks a virus
>into their shipped products.  That's why legislation may be necessary.

Most reputable software vendors compile the source onto a master disk
which is NEVER executed in a machine.  It is copied exactly as it is
compiled.  Thus any resultant virus HAS to be in the source code.  If
so, there's no hiding from it.  Most of the "virus in the
shrink-wrapped package" stories I've heard resulted from either 1) the
company not following this rule, or 2) the computer store opening and
using the package, then re-shrinkwrapping it.

Federal virus legislation would severely discourage software companies
from coming out with minor releases (read: bug fixes).  If they had to
file 500 government forms to release the software, they'd just wait
for the next major revision before fixing the small problems.
"Federal Legislation" is not a panacea.  It would add red tape, and
loads of bureaucracy to a system that is 99% honest and reliable.

--Larry Nathanson

// Larry Nathanson . 726 Comm Av #5J . Boston, MA 02215 . 617 266 7419 \\
   I've heard they just built a tunnel from England to France.  The French
drive on the right hand side, the English on the left.  Can they save
money by building only one lane?
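Two of Larry's points above, that a checksum is a small number standing in for a much larger one, and that a single scheme can be kept intact by a modification while a second scheme catches it, worked through as an added example that is not from the original post. The 'program' bytes, the toy 16-bit additive sum and the appended payload are constructed assumptions; the file-level checker is the defender's side of the argument.

```python
import hashlib
import zlib
from typing import Dict, List

# Constructed stand-in for a program file (not real software): 1 KiB of
# varied bytes plus a tag.
ORIGINAL = bytes(range(256)) * 4 + b"[constructed program image]"


def sum16(data: bytes) -> int:
    """Toy 16-bit additive checksum: the 'small number' the post talks about."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """Stronger but still non-cryptographic check."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256(data: bytes) -> str:
    """Collision-resistant hash; no known way to keep it intact after a change."""
    return hashlib.sha256(data).hexdigest()


# The "multiple checksum schemes" the post recommends, run side by side.
SCHEMES = {"sum16": sum16, "crc32": crc32, "sha256": sha256}


def baseline(data: bytes) -> Dict[str, object]:
    """Record every scheme's value, as a ROM or a signature file would store it."""
    return {name: fn(data) for name, fn in SCHEMES.items()}


def verify(data: bytes, base: Dict[str, object]) -> List[str]:
    """Names of the schemes that disagree with the baseline; empty means all 'OK'."""
    return [name for name, fn in SCHEMES.items() if fn(data) != base[name]]


def append_keeping_sum16(data: bytes, payload: bytes) -> bytes:
    """Append payload plus filler bytes chosen so that sum16 is unchanged.

    This is the 'keeps the checksum intact' case from the post, shown so the
    defender can see why one weak scheme on its own yields a false OK: the
    filler simply makes up the difference in the running sum, modulo 2^16.
    """
    delta = (sum16(data) - sum16(data + payload)) & 0xFFFF
    filler = b"\xFF" * (delta // 0xFF) + bytes([delta % 0xFF])
    return data + payload + filler


if __name__ == "__main__":
    base = baseline(ORIGINAL)
    tampered = append_keeping_sum16(ORIGINAL, b"[constructed payload]")
    print("original :", verify(ORIGINAL, base) or "all OK")
    print("tampered :", verify(tampered, base) or "all OK")
```

On the tampered copy sum16 reports OK while crc32 and sha256 both flag the change. CRC32 is linear as well and can be kept intact with a little more algebra, so of the three only the cryptographic hash actually resists a deliberate modification; running several schemes helps exactly as the post says, provided at least one of them is collision-resistant.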

------------------------------

Date:    4 March, 1991
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Legislation and Protection

>From:    [email protected]
>Subject: Low-level signature checking protection

>With the checker in ROM, I don't think it is "too easy to fake the all
>clear signal" as Bob says.

Agree: hardware is the only real answer but there is another place to
put it that can be as effective (and simpler to install) than a new
BIOS (plus be compatible with every oddball machine that can run
MS-DOS).

What I am referring to is a ROM extension that could be as simple as
an 8-bit card with a ROM on it. Properly set up, it would take control
after all other ROM-extensions have been loaded and would be able to
perform functions not available until then (such as properly
re-directing INT 13) as well as boot drive selection (warm or cold),
password access, and disk encryption. In fact, I know of a couple of
vendors who have such products.

Of course, with some thought, it would be possible to design software
that "would not be too easy to fake" provided that the checking path
could be authenticated as we have been discussing for some time.

>What is probably needed to get the manufacturers to go along is either
>Federal legislation forcing every commercial software vendor to provide
>a signature or else a Federal standard requiring it on all software
>bought by the Federal government.

NO ! A thousand times NO ! If the fed had gotten into the act a
sesqui-decade ago we would all be using EBCDIC instead of ASCII on our
8080s. (and R. A. must be spinning in his grave to hear one of his
works being used to support such a scheme: ref. "If This Goes On"). I
agree that provable negligence is a powerful tool as an incentive for
authentication, but as used by the court system, not legislation
(considering the number of lawyers in this country, I am surprised
that this hasn't already happened).

Given that there are something on the close order of 75 million MS-DOS
based PCs worldwide, I would be surprised if more than 3-5% would
require such a high degree of protection though probably 90% need more
than the none that comes with them. Circa 4 million platforms then
require the rigorous protection that specialized companies like
Enigma-Logic, Certus, Fischer, etc. can provide.  Possibly ten million
are pure stand-alone machines that never will access outside software,
thus need nothing, leaving something over sixty million PCs that would
probably benefit by something simple that is also cheap (<$10/PC) and
effective. (note: these numbers are pure guesses but are probably on
the right order). This means software. Simple software.

This also means that if, starting today, EVERY new PC had such
checking built into the ROM (and there would have to be an O/S
dependent component also), it would be quite a few years before a
significant dent in the population would be made.

The beta DOS 5.00 in test does not seem to have anything new for
integrity checking. (Heck, it doesn't even have the 10 bytes it takes
to make a .BAT file interactive - see the end of this posting). So it
will probably be 6.0 at least (if ever) before security is bundled.

So we are left with add-ons. Sure, a hardware ROM-extension could be
sold for under $50 but I would be surprised to see one unless someone
sets out to corner the market. However, what I would like to see is a
layered product, starting very simply with "optional extras" that play
together to build up to whatever is necessary. In fact I would be
surprised if several people are not already working on them.

                               Enough for now,

                                               Padgett

Interactive .COM for batch files (type the following into DEBUG; the
text after each ; is commentary and is not typed in):

a
mov ah,00       ;BIOS keyboard service 0: read one keystroke
int 16          ;wait for keyboard input & return it in al
and al,5F       ;makes all alphas upper case, numbers become 10h-19h
mov ah,4C
int 21          ;terminate with errorlevel return stored in al
                ;(an empty line ends the assembly)
rcx
a               ;10 bytes (0Ah) to write
n ask.com
w
q

Use of IF statements and ERRORLEVELs is well documented in DOS (since
3.0 I think) & will allow very simple (and fast) interactive batch
files: just give the user choices selectable with a single key, call
ASK, and branch on the errorlevel return. I use it with WINDOWS to
allow switch selection on launches such as PKUNZIP- app

------------------------------

Date:    Tue, 05 Mar 91 14:41:00 +0700
From:    "Jeroen W. Pluimers / Jeroen Smulders" <[email protected]>
Subject: Windows 3.0 / F-Prot (PC)

Tue, 26 Feb 91, Jeff Payne wrote:

> I was curious if there was a windows 3.0 version (or even aware)
> of any anti virus software?

There is a Dutch anti-virus program that is Windows 3.0 aware.  It is
called TBSCANX (ThunderByte Scanner Resident). It knows when Windows
starts up, and you can turn it on or off in every DOS window without
loading the program again.

TBSCANX is a resident scanner that scans for writes to .EXE and .COM files.
When it finds that a virus signature is going to be written, it alarms you.

I'm planning to do an upload of this scanner (+ virus signatures)
to the SIMTEL20 archives ASAP.

> Which brings... Is there a "harmless" virus that I could use to test
> my config...

It is included with TBSCAN/TBSCANX.

Jeroen W. Pluimers - Gorlaeus Labs, Leiden University

------------------------------

Date:    Tue, 05 Mar 91 17:13:12 +0000
From:    [email protected] (Carolyn M. Kotlas)
Subject: National Computer Security Assn.

Can anyone tell me about the National Computer Security Association
(NCSA)?  Are they a for-profit company?  Is their virus information
more timely than that posted in comp.virus newsarticles?  Are their
books & reports any good?  Before we consider spending the money on
membership, we would greatly appreciate hearing from anyone with any
experience with this organization.

Thanks in advance!
--carolyn
--
Carolyn Kotlas      ([email protected]  or  [email protected])
UNC Ed. Comp. Serv., POB 12035, Res. Triangle Pk., NC 27709  919/549-0671
"Serving the 16 campuses of The University of North Carolina system"

------------------------------

Date:    05 Mar 91 19:55:26 +0000
From:    [email protected] (Chuck Hoffman)
Subject: Re: ALERT: WDEF A, found on Rodime utilities for Mac. (Mac)

[email protected] (Paul Woodman) writes:
> When you consider the damage that could
> have been caused if trusty disinfectant hadn't come to my rescue (...)

I agree with all of Paul's points except this one.  WDEF probably
would not have caused any great damage, but it can be a pain to get
rid of.  (Pardon my grammar.)

- Chuck Hoffman, GTE Laboratories, Inc.    |  I'm not sure why we're here,
[email protected]                       |  but I am sure that while we're
Telephone (U.S.A.) 617-466-2131          |  here, we're supposed to help
GTE VoiceNet: 679-2131                   |  each other.
GTE Telemail: C.HOFFMAN                  |

------------------------------

Date:    Mon, 04 Mar 91 17:38:32 +0000
From:    Nigel Metheringham <[email protected]>
Subject: Uk Computer Crime Unit

Following last December's note about the UK computer crime unit, and a
pair of very minor hits here (Stoned & Joshi - both nipped in the
bud), I tried reporting the infections to the UK Computer Crime Unit.

They are basically in a position of trying to justify their
existence at the moment - if they do not get reports of viruses,
then the government will see no reason to consider viruses a
problem, and will not fund them.  It is therefore in our best
interest to ensure that all virus infections discovered in the UK
are reported to the unit.

The sort of information they want is:-
       Name, (company) address, phone etc.
       Type of virus (if known).
       Machines affected (number, type, sensitivity of data).
       Tools used to detect/remove.
       Source of infection (if known).
       "Live" copy.

The live copy is required for evidential purposes - they will
arrange for collection of a disk by one of the local police (or I
assume you could send it by post).  Most people who call them have
already cleaned their systems up, so they are not getting many live
ones yet!

The person to contact is:-
       Noel Bonczonzek
       Computer Crime Unit
       071 725 2490   (the number was incorrect in the Dec virus-l-digest).

They don't have a network connection (as far as I know), but if
there is a demonstrated need then maybe they would get one, so
report any virus hits - PLEASE!

       Nigel.

[ I asked Noel Bonczonzek if distributing this sort of information   ]
[ would be useful to them.  He said that it would be useful, but the ]
[ contents of this message are my interpretation of what he said to  ]
[ me, so I am responsible for any misinformation, not the UK-CCU.    ]

--
% Nigel Metheringham, System Administrator, Department of Electronics     %
% University of York, Heslington, York, UK, YO1 5DD                       %
% Phone: +44 904 432374  Fax: +44 904 432335  Mail: [email protected] %
% #include <std_disclaimer.h>      %     Keyboard error - fingers dumped! %

------------------------------

Date:    05 Mar 91 20:29:08 +0000
From:    [email protected] (Scott Mash)
Subject: Weird Stuff Happening to PCs Here at Ohio Univ. (PC)

In one of our computer labs we have developed a very serious problem
with our PCs.  Most of the computers will not recognize the printers.
We have tried everything short of formatting the hard drive and
rebuilding it.

We have been scanning almost everyone's disks because of prior
problems with stoned and ping pong.  Last week one of our lab
guardians came up to the office and reported that he scanned someone's
disk and found a virus called "ohio".  When he tried to clean it V72
couldn't recognize or clean it.

Does this problem sound like something a virus could cause?  Any
suggestions or anything that could possibly help us?

Thanks in advance,

Scott Mash

--
|  Scott (Smasher) Mash                  |                                  |
|                                        |   Elvis lives !                  |
|  Internet: [email protected]  |   Buddy Holly is the dead guy !  |
|  Bitnet: cs819@ouaccvmb                |                                  |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 38]
*****************************************
