VIRUS-L Digest Thursday, 7 Mar 1991 Volume 4 : Issue 40

VIRUS-L Digest Thursday, 7 Mar 1991 Volume 4 : Issue 40

Today's Topics:

Re: Windows v3.0 / F-Prot (PC)
Virex-PC review (PC)
Azusa details (PC)
Leprosy, possible mistake in F-PROT (PC)
Recovery and Protection
Review of PC-cillin (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

---------------------------------------------------------------------------

Date: Wed, 06 Mar 91 13:04:46
>From: [email protected]
Subject: Re: Windows v3.0 / F-Prot (PC)

>[email protected] (Jeff Payne) writes:
>>I was curious if there was a Windows 3.0 version (or even aware) of
>>any anti virus software?
>
>I do not (yet) offer a Windows version of my programs, but I seem to recall
>that Ross Greenberg is working on that (sorry, Ross if I'm not right).

Oy, you wouldn't believe what a mess Windows internals are! I'm
starting to come to the conclusion that the only thing worse than
viruses is Windows. All a new virus has to do to spread is be
marketed as some GUI. Make it big, stick it on a few disks, and spend
lotsa bucks marketing: Voila!

Seriously, though: I'm just a few days away from going beta on a full
Windows compliant anti-virus version of Virex-PC -- unless I get hit
with Still-Yet-Another-Undoc'ed-Whoops-We-Were-Just-Kidding Microsoft
internal inconsistancy -- something I've learned to expect.

Learning WIN on a crash course in order to produce this code, I gotta
tell ya: WIN has *lots* of holes that a specially tailored virus will
easily slip through. Taking a "regular" anti-virus program and making
it work under Windows is fine to keep any of the discovered viruses to
date from infecting machines -- and even that entails a great deal of
work, playing lots of funky games because of missing components to
Windows.

When a true "Windows Virus" comes out, it will slice through all of
the current Win anti-virus programs like a red hot knife through
butter: it scares me to realize what Win does and how and what holes
it leaves for the bad guys.

I'm sorta pleased that my code will fill those holes in advance, but I
do find it a tad depressing: the amount of time spent trying to fight
a probable future infection is certainly taking away from time better
spent doing other things -- things not virus related at all!

>In the case of my own program, I do not recommend using F-LOCK/F-POPUP
>with Windows - they are just character-based TSR, and may cause problems.
>The F-DRIVER program works without problems, however, and should provide
>sufficient protection from known viruses.

I agree with you on the F-Driver code, by the way (although networking
through Win leaves other holes, too!) In the case of many of the TSR
variety of programs (including my own FLU_SHOT+), they work properly
to avoid infections, but the required keystroke to cause a pop-up to
go away is simply not getting through.

>I am looking into the possibility of developing a Windows anti-virus program,
>but I think that is 8-12 months away.

I would think that our own development of the Win anti-virus code for
Virex-PC is about 6 person months of work to date, by the way..

Ross M. Greenberg
Author, Virex-PC, FLU_SHOT+

Disclaimer: this account is merely on a Microsoft machine and my viewpoints
are my own.

------------------------------

Date: Wed, 06 Mar 91 14:24:15
>From: [email protected]
Subject: Virex-PC review (PC)

Just a few notes on the Virex-PC review.

>VPCSCAN is the fastest scanning product yet reviewed. VIREX-PC vaccine
>is customizable with multiple options and allows "protection" of
>specified files as well as alerts on "formatting" and "program
>modification" and is recommended for "expert" users. Documentation is
>an excellent overview of viral and PC operations.

A great deal of thought went into the next version of the code to make
it more suitable for not just the "expert" user, but for the "novice"
user as well -- as well as the person in between the two extremes. As
much as I resisted changing the code from its inherent "hacker" roots
(based upon my FLU_SHOT+ code), Microcom was able to change my mind by
waving vast reams of money in front of my face and saying the magic
words "user friendly".

>Ross Greenburg was one of the first to produce an anti-viral product,
>Flu-Shot. Microcom's Virex product for the Macintosh is also well
>established. SCANDEMO, a "scan only" demonstration product, is
>available free of charge on some electronic bulletin board systems.

FLU_SHOT+ is still available, but most (if not all) of my development
work is in Virex-PC: a good portion of that trickles down, eventually,
to FLU_SHOT+, but Virex-PC is amazingly more complete.

The SCANDEMO program available on BBS's will expire at the end of this
month. Before then they'll be a new SCANDEMO available that will
expire sometime in September. This new one is much more complete in
its virus string collection (see below).

>Installation
>
>Disks shipped write protected. Documentation stresses the importance of
>write protecting the disks, suggests making "working copy" of the
>original disk, and checking the computer system with VPCSCAN before
>making installation onto the hard disk, but the suggested procedure
>could leave the "working copy" infected.

Hey! I didn't write the manual! I've forwarded the complaint on to the
manual writers (documentalists -- aren't large corporations great in
verbifying things? :-) ), and it'll be fixed in Version 2.0: thanks
for pointing it out.

>Effective installation is impossible without reading the documentation
>and understanding the concepts and system configuration thoroughly. The
>documentation is complete and quite clear, but "naive" users may find
>the number of functions and features, and the explanations, daunting to
>tackle.

As mentioned above, the new release is specifically designed to be
more "user friendly" - pop-up help screens, a nice front end on the
install program, etc. Those help screens can even be made user
configurable by large sites. If there's enough interest, I'll try to
convince the marketing guys at Microcom to include the help compiler
into a release of the code so that people who don't like my help text
can use their own. Send me notes via E-mail: I'll letcha know what
Microcom has to say.

>VPCSCAN, in contrast to the lists known to SCAN and FPROT, finds
>relatively few viri. Those that it does find, however, would likely
>account for better than 99% of actual infections.

The next release of the code should have well over 300 virus
signatures in it. We keep up to date on this stuff and have the
facility of using an external file if a serious infection that we
don't carry in our distributed version suddenly sems important. I've
been just a tad busy on the next release....

>The manual states
>that updates are made quarterly, and that registered users will receive
>"notification" of updates. (According to the registration cards,
>updates will be $25 each, or you may receive a year's "subscription" for
>$75.) However, it is now three months (one "quarter") since I
>registered my copy, and I have yet to receive any notification. (It is
>possible, although improbable, that this period exactly coincides with
>one "update period.")

..did I mention how much I hate and dispise Windows? Argh! Internal
inconsistancies and documentation that makes good landfill -- they do
cause some delays. However, every registered user will get a free
update (those using the code currently will get the free update to the
Windows version I'm working on now: the one with the new install
program, etc.) Those who subscribe to the update service (a bargain!)
will get their full four updates without a question, by the way, even
if I'm a bit late in releasing new code.

Did I mention how much I hate Windows?

>Although one of the standard alerts in the package is for "direct writes
>to diskette", and even though the Stoned/New Zealand virus is one which
>VPCSCAN will identify (although not disinfect), VIREX-PC was not able to
>protect against, and did not warn of, infection by the Stoned virus.
>Although VIREX-PC will make a checksum of disk or diskette boot sectors,
>it does not checksum partition boot records.

Sighted: one bug, one oversight. Sank same. You'll se a fix for both
of these problems in the V2.0 release.

>Company Stability
>
>Microcom is a stable and diverisfied company, if somewhat samller than a
>Lotus or Microsoft. Virex for the Mac has been around for some time,
>although it is not one fo the current "leaders" among Mac antivirals.
>Ross Greenburg was one of the first to write an antiviral program for
>MS-DOS (Flu-Shot) and it is still a viable program.

>From my understanding, the Mac Virex is either number two or number
three on the Mac side of things, depending upon how you measure these
things. Naturally, since I only use real computers I don't know about
Mac's...<grin>

Ross M. Greenberg
Author, Virex-PC & Flu_Shot+

Disclaimer: This account does not imply that my opinions and Microsoft's
are the same. Take my word for it: they're not!

------------------------------

Date: 6 March, 1991
>From: Padgett Peterson <padgett%[email protected]>
Subject: Azusa details (PC)

[Ed. Thanks for the quick work, Padgett!]

Virus Name: AZUSA
Aliases:
V Status: New
Discovery: January, 1991 (?)
Symptoms: Computer is not able to talk to COM1 or LPT1 ports, missing
memory, extra floppy disk activity. May cause boot failure
on machines with security programs in place.
Origin:
Eff. Length: 1k at TOM
Type Code: BXRt (infects boot sector of floppy, partition table of
fixed disk, goes resident at TOM)
Detection Method: SCAN v75, DISKSECURE, E9 8B 00 are first three bytes of
infected boot record or partition table, 1k missing at TOM (640k
PC returns 654336 bytes total memory instead of 655360).
Removal Instructions: Reload boot record on floppy, Use partition table
data maintained inside virus to reconstruct partition table.
General Comments: Virus is extremely virulent and will infect hard disk
even if partition table cannot be found (cannot boot thereafter).
Will then attempt to infect all floppies not previously infected.
On floppy, original boot record is stored at track 28h head 1
sector 8 reguardless of floppy size (may overwrite data). Will
corrupt any data stored at this location. After approximately
20h reboots will "lose" COM1 and LPT1 by zeroing pointers in
data table. On fixed disk, virus will replace absolute sector
one (partition code & table) with itself, maintaing table data
in proper location internally. Virus does not have any evasive
measures or encryption code.
Opinion: Odd coding techniques and lack of understanding of floppy disk
characteristics indicate self-taught writer/experimenter,
possibly more than one or written at different times, possibly
foreign, with good theoretical background.

------------------------------

Date: 07 Mar 91 08:49:40 +0000
>From: Paul Evans <[email protected]>
Subject: Leprosy, possible mistake in F-PROT (PC)

The new f-fchk from f-prot114a mistakenly says that install.com from a
game called Stellar 7 maybe infected with Leprosy.

Install.com 19504 bytes

[email protected]

------------------------------

Date: 6 March, 1991
>From: Padgett Peterson <padgett%[email protected]>
Subject: Recovery and Protection

>From: "Kamran Farahi" <[email protected]>
>Subject: Stoned Again (PC)

>We lost everything because of the low-level format, do we have to go
>through this each time we get infected or is there a way to recover
>the data?

Certainly the data can be recovered (I play with viruses a lot and
have NEVER had to do a low level reformat - yet), it just requires a
certain amount of skill and procedure. Frisk's software as well as
several others (MACE I think) routinely save the partition table
information and someone good can recover a thoroughly trashed
partition table-boot record in about an hour even without any backups.
If the FATs are gone, it still can be done but takes longer (how much
depends on how fragmented the disk is and a few other things). But I
have not seen any disk that was still physically sound and had not
been overwritten that could not be recovered if important enough.
(sometimes even if overwritten and damaged but that's expensive).

>From: "Jeroen W. Pluimers / Jeroen Smulders" <[email protected]>
>Subject: Re: How to disable boot up from A: (PC)

>A may-be solution is to use an encreption method on the hard-disk for
>which the user has to us a password, or modify your BIOS to disable
>floppy-disk booting. These methods are very tricky and only suitable
>for people that know what they are doing.

That's what the commercial vendors are for. Modifying the BIOS is not
only tricky (do-able though) but requires the ability to blow a new
prom (though use of EE-PROMs have been tossed around before.

The big thing is that you do not store all of the information in the
PROM, just the executable code. Choice selection is done with
non-volatile RAM (thats what the CMOS is for) so updates do not have
to be a problem unless the code is poorly designed. GM puts all of
their automotive control programs into a couple of big PROMs and puts
the table look-ups and car configuration data on a smaller UV-PROM.
This way they can use the same program for the entire car line.
Something goes wrong or a revision comes out, the just change one
chip.

>>The "scan on floppy insertion" is
>>possible (and should be a part of any good protection scheme) on the
>>PC, it just hasn't been done yet....

>In the PC that is rather difficult. It is possible if you dig into DOS
>very deep. This would be incompatible for many DOS versions. It is a
>very good idea however, but the PC doesn't give a signal when a new
>disk inserted. Only a changeline-signale if the drive door has been
>opened.

I did not say it is easy but nothing like writing a device driver for
a VAX. It CAN be done though and need not take up much code. One
possibility would be an intercept on any floppy access. Another would
be a ten byte check every few milliseconds. Neither requires anything
that has not been in DOS since version 2 and if done at the BIOS level
will not impact any MS-DOS compatable O/S.

- -------------------------------------------------------------------------
>From: Peter Arien <[email protected]>
>Subject: vshield V75 and QEMM 5.00 (PC)

>Trying to loadhi vshield gives a 'not enough memory to load hi'
>message. How comes, when I've got 31K and 96K free high memory?
>Installing vshield with the /SWAP option gives a 'loadhi EXEC error'
>on all the following loadhi's

VSHIELD is compressed. When executed it expands to occupy much more
memory than LOADHI expects. Since with /SWAP it only occupys 4k, just
load it low (I have over 630k free on my 386 clone).

- --------------------------------------------------------------------------

Philosophy: My feeling is that the purpose of this forum is to spread
knowlege of malicous software, first so that users will not be
suprised, second so that the vulnerabilities of the various platforms
can be exposed, and thirdly so that people can make intelligent
choices concerning protection. Whether or not something is "difficult"
or "easy" has nothing to do with the question "is it possible",
computer people are famous for is doing the impossible on pizza and
twinkies. It was summed up the best by Burt Reynolds in "Smokey and
the Bandit" (UA 1977): "...because they said it couldn't be done".
- -----------------------------------------------------------------------------
Sorry about the mixed subjects Anthony, but it is difficult to split and send
multiple messages on our "baroque" system.

Padgett

------------------------------

Date: Tue, 05 Mar 91 12:42:28 -0800
>From: [email protected] (Rob Slade)
Subject: Review of PC-cillin (PC)

Comparison Review

Company and product:

Trend Micro Devices Inc.
2421 W. 205th St., #D-100
Torrance, CA 90501
USA
213-782-8190
PC-cillin - program change detection hardware/software

Summary:

A change detection and vaccine program with some scanning functions.
Change detection is applied to boot sectors and partition boot records
as well. System status information is stored in a hardware device
connected to a parallel port.

Cost US $139.00

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
Installation 3
Ease of use 3
Help systems 2
Compatibility 2
Company
Stability ?
Support 2
Documentation 3
Hardware required 3
Performance 2
Availability 2
Local Support ?

General Description:

The best functioning parts of the package appear to be the scanning, and
"resident scanning" operations. Not highly recommended; most suitable
for novice users with operations primarily limited to a single hard disk
and strictly limited disk swapping.

Comparison of features and specifications

User Friendliness

Installation

The disk is shipped write protected, although only by a write protect
tab. (The disk is not a "notchless" read-only disk.) The installation
procedure is written with a "pre-infected" system in mind, and, if
followed carefully, should provide against infection by any virus known
to the program. (The procedure to be followed in case of partition
table infection, although quite clear in its explanation of the problem,
is deficient in not recommending making a backup before beginning the
procedure.)

PC-cillin can install from, or to, any drive, but will not install to
the drive from which the installation files are being run. Installation
is simple and reasonably quick. Modification to AUTOEXEC.BAT or
CONFIG.SYS is simple, but non-destructive and maintains a backup file.

Upon installation to a boot virus infected system, PC-cillin identified
the virus, but allowed the installation to proceed. Upon "rebooting",
PC-cillin alerted for the presence of a boot sector virus.
Interestingly, once the disk was disinfected, PC-cillin allowed the disk
to boot normally. Without having access to the encoding system used, it
is difficult to say what check is used to detect a change in the boot
sector. A deliberate change made in the boot sector text had no effect.

The package makes provision for software updates of the "signature"
programs without the need for reinstallation of the entire system.

Ease of use

A single program, PCC.EXE, gives access to all functions, installation,
scanning (called "Quarantine" by PC-cillin) and the production of a
"rescue diskette". Installation and scanning are clear and self-
explanatory in operation. The making of a rescue diskette is less so,
involving unnecessary disk swapping.

When scanning, PC-cillin does not disinfect infected files, but does
offer to delete them. The decision is left to the user. Boot sector
viri on floppies are not disinfected, even if they are the "boot floppy"
that PC-cillin was installed on. Repair information is apparently only
stored for the hard disk PC-cillin is installed on.

Because of its "background" operation, PC-cillin presents an "inverse
face" (PC graphics character 02H) in the upper right hand corner of the
screen when in operation. The documentation states that this display
can be toggled off or on with <Alt><Tab><Backspace>, and that the
operation of PC-cillin in background can be toggled on and off with
<Alt><Backspace>. The message displayed by the PCCILLIN program at
invocation indicates a different key sequence. Neither appear to work.

Help systems

None provided.

Compatibility

The scanning function of PC-cillin is stated to recognize 146 different
viri, and it does recognize the most common viri that make up the bulk
of current infections. The "vaccine" functions of the product are
either very intelligent or very doubtful: the program will allow
programs to modify themselves, other programs and disk boot sectors, as
well as deleting program files. (Disk writing by certain programs
appears to be restricted, by in testing no alarms were generated by
multiple attempts to write to program files through the use of different
programs and editors.) Protection of boot sectors appears limited to
the "installed" hard disk: the program will not recover an infected boot
sector floppy.

Company Stability

Unknown.

Company Support

When the company first shipped the product for review, an incorrect
Customs declaration for shipping to Canada delayed shipping of the
review copy.

The program makes provision for software updates of the "signature"
programs, but does not indicate any definite way to keep customers
informed.

Documentation

The documentation is clear and well laid out, and contains an excellent
discussion of general viral operations. The progression through the
book is logical, and novice users should be able to follow it clearly.
Advanced users will still find items of interest in the section on
general viral concepts.

One complaint about the documentation concerns the binding. The book is
paperback size, and very stiffly bound, with cardboard dividers between
the sections. Thus the book is *physically* hard to read.

The "disk documentation" (README.DOC file) is not up to the same
standard. It is full of grammatical errors, and in some places is
nearly impossible to read.

Hardware Requirements

At least one parallel (printer) port is required. The "Immunizer Box"
attachment is said to be transparent to user data.

Performance

The product is "aware" of the currently most common viri.
Identification in various areas relies on known viral activity: although
memory is checked, it does not appear to "find" memory resident viri
which can also be found on disk. Vaccine or recovery activities are
restricted at best.

Local Support

None provided

Support Requirements

The program is easy enough for a novice to use and install without
assistance. If a virus is found, it is recommended that experienced
personnel deal with it.

General Notes

A great deal of thought and planning has gone into the concept and
packaging of this product. Provision for the use of floppy diskettes,
and a general strengthening of the "vaccine" and change detection
portions of the program would benefit it immensely.

copyright Robert M. Slade 1991

==============
Vancouver [email protected] | "It says 'Hit any
Institute for [email protected] | key to continue.'
Research into (SUZY) INtegrity | I can't find the
User Canada V7K 2G6 | 'Any' key on my
Security | keyboard."

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 40]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253