VIRUS-L Digest Friday, 8 Mar 1991 Volume 4 : Issue 41
Today's Topics:
Looking for software
PC-cillin Info (PC)
PC MS-DOS vs BIOS protection (PC)
Re: Weird Stuff Happening to Pc's Here At Ohio Univ. (PC)
What does Compucilina do? (PC)
Unknown Malicious Code Message Writer (PC)
Integrated Drive Electronics, Flopticals, and Freddy
computer security research
Virus V2000 (PC)
File format for virus signatures (PC)
False alarms using scan (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: 07 Mar 91 13:58:44 +0000
From: [email protected] (Peach)
Subject: Looking for software
We are looking for a good virus detection package that can be
purchased on a site license. Periodic updates would be nice and we
would like something that does not charge on a per-machine basis.
Please direct replies to: [email protected] (128.163.192.1)
------------------------------
Date: Thu, 07 Mar 91 16:38:22 +0000
From: [email protected] (Anup C. Patel)
Subject: PC-cillin Info (PC)
Has anyone heard of an anti-virus package called PC-cillin? I am in
the process of evaluating it, and wish to share my experience with it.
PC-cillin is a combined hardware and software solution. The
package consists of an "Immunizer Box". The purpose of the box is "to
preserve a record of your computer's boot sector and partition table."
Whenever the system is turned on, the current partition is compared
with the record stored in the Box. The Immunizer Box gets attached to
the parallel port.
The software portion consists of two programs, PCCILLIN and PCC.
PCC is used to install the software, scan the system, and create a
rescue diskette. One noticeable feature of PCC is that it checks high
memory as well as conventional memory, although I'm not sure how many
viruses hide themselves in memory above 1MB. PCCILLIN is a TSR that
gets installed at boot time from the AUTOEXEC.BAT file.
Upon bootup, PC-cillin compares information in the Immunizer Box with
the current partition table and boot sector. It also installs a TSR
that is supposed to monitor system activity.
I ran an application infected with the 4096 virus while PCCILLIN was
memory resident. PCCILLIN should have intercepted this infection, but
did not report anything abnormal. However, PCC reported the infection
when I performed a memory scan.
I know this may not be enough information to make a final judgement,
but how do others feel about a virus protection scheme such as this?
Loading PCCILLIN from AUTOEXEC.BAT is obviously a bad idea. I'm not
too confident in its ability to check for viruses either, when
PCCILLIN is resident.
Thanks for listening!!
------------------------------
Date: 7 March, 1991
From: Padgett Peterson <padgett%[email protected]>
Subject: PC MS-DOS vs BIOS protection (PC)
(The following is my opinion only and has nothing to do with anyone else)
I think it is time to stand back from the PC and take a fresh
look at how protection can be placed on the system. Too many products
today rely on MS-DOS and its documentation to protect PCs. Since many
functions of DOS and Windows are either mis-documented or
un-documented, and since there exist many opportunities for malicious
software to attack before DOS, this is obviously not the place to
start.
Consequently, I must question any protection scheme that
becomes active only with CONFIG.SYS or AUTOEXEC.BAT; this is too late.
This is not to say that a program that goes resident earlier is going
to be a cure-all, just that it is necessary to have even a chance at
being effective.
Hardware, in the form of a custom BIOS or ROM-extension, is
the best solution, but in many cases, may not be a cost-effective one.
For most machines, software alone is probably sufficient. It may not
be able to stop everything, but it should be able to at least detect
an exception before MS-DOS loads and stop anything thereafter.
There are a number of good products out today to fill various
functions (I use several, both home-built and commercial) but as yet I
know of none that do everything necessary.
Quite often, complaints are made about compatibility with
Microsoft products, that certain functions may be "hidden" from
detection. Again, this is a problem experienced from being layered on
top of DOS or Windows that goes away if operation is performed "under
the rainbow" (no reference to the ex-DEC product, either express or
implied, is intended).
It is understood that it is somewhat more difficult to
determine from a sector write request at the BIOS level exactly what
is being written to than interception of a DOS Int 21 would require,
but it requires no knowledge of any windowing, multi-tasking, or
networking software to do so. Even if a program has established an
application interrupt (and there are many available) to handle disk
functions outside of DOS, they still go through the BIOS to do so and
this is both detectable and re-directable.
There are simply too many ways to "get around" what is
published about MS-DOS (not to mention DR-DOS and several others) for
their calls to be used as a first line of detection; this must be done
at the "choke point" of the BIOS. Certainly DOS or any other O/S can
be used to determine the cause of an exception, once it has been
determined that an exception has occurred (wish I could use italics),
but the important thing is to know that something has occurred (I
can't fix it if I don't know it's broke).
Given this, intelligence can be applied to determine if what
happened was permitted or to be disallowed.
It is time that some ground rules be established for any
protection scenario. I tried to make a "first pass" with the model a
few issues ago, but it is up to the population to decide what (if
anything) the vendors will produce. Just do not accept any claim that
"it cannot be done". For me, if it does not start with the BIOS, it is
not enough.
See you in New York folks,
Padgett
------------------------------
Date: Thu, 07 Mar 91 11:34:16 +0000
From: Anthony Appleyard <[email protected]>
Subject: Re: Weird Stuff Happening to Pc's Here At Ohio Univ. (PC)
from: {A.Appleyard} (email: [email protected]), Thu, 07 Mar 91 11:19:20 GMT
On 05 Mar 91 20:29:08 +0000 [email protected] (Scott Mash) wrote:
(1) "....Most of the computers will not recognize the printers. We have
tried everything short of formatting the hard drive and rebuilding it.... "
(2) "....Last week one of our lab guardians came up to the office and
reported that he scanned someone's disk and found a virus called "ohio".
When he tried to clean it V72 couldn't recognize or clean it....".
.......................................
There may or may not be a connection between these two events. There is a
PC virus called 'Ohio' which has been known of for quite some time. It could
be that the reason Version 72 (of which antiviral, please?) found it and then
couldn't clean it is that a file on that PC contained an innocent program
containing a section of code that accidentally duplicated the part of the
Ohio virus used as a search signature. That sort of thing happens from time
to time, e.g. these messages in Virus-L vol4:
  issue 025: ["Virus" story] hard disk crash?; antiviral thought that TOPS
             network software was a virus (longish)
  issue 032: [SCANv74B false positive (PC)] thought that KILLER.COM (a small
             Stoned remover) had/was Invader virus
  issue 025: F-FCHK with [New Leprosy signiture? (PC)] thought that Turbo
             Debugger 1.0 TD.OVL & Turbo C++ 1.0 TCLASSS.LIB had or were
             Leprosy virus
------------------------------
Date: Thu, 07 Mar 91 11:46:12 +0000
From: Anthony Appleyard <[email protected]>
Subject: What does Compucilina do? (PC)
The new antiviral called Compucilina has caused discussion in these
messages in Virus-L vol4:
  issue 028: [non-sacaning anti-virus techniques] (sacan = scan) preventing
             infection; I have a program vaccinator called COMPUCILINA
  issue 030: info re [Compucilina (PC)]
  issue 034: [non-scanin anti-virus techniques] (scanin = scanning) How
             Compucilina works is a commercial secret. It does not scan for
             particular viruses
  issue 034: [Re: Compucilina (PC)] will not prevent infection
If Compucilina doesn't scan for each known virus, how does it distinguish
between viruses and valid programs? Ref a long discussion on possibility or
impossibility of a 'general virus detector', that took place in Virus-L
vol3. I mistrust 'black boxes', and it seems that how Compucilina works is
a commercial secret. It seems that someone should print out a copy of
Compucilina and go through its code, to find what it does.
{A.Appleyard} (email: [email protected]), Thu, 07 Mar 91 11:35:56 GMT
------------------------------
Date: Thu, 07 Mar 91 13:57:44 -0700
From: Peter Johnston <USERGOLD%[email protected]>
Subject: Unknown Malicious Code Message Writer (PC)
We have observed in one of our PC computer labs in the last few days a
piece of malicious code that places a message on the screen
overwriting whatever is there. The text (in part) reads:
"If we paid attention, if we cared, we would realize just how
unethical this impending war with Iraq is, and how impure the American
motives are for wanting to force it. I'm becoming a little confused as
to where the "evil amoire" is these days."
There is more but I do not have a complete printout of the text in
front of me. Because of the way it overwrites things, it quite often
overwrites itself. Other than displaying the message, we have not
detected that the code performs any other function or causes any other
damage. We do not know whether it reproduces or not, nor how it got on
the machines. In fact, we have not yet been able to find it.
Investigation of the hard disks of the affected machines via the Norton
Utilities Explore function yielded no matches to the actual wording,
which suggests that the text has been enciphered or otherwise hidden.
The message appears at random times, overwriting whatever is on the
screen (including Norton Anti-Virus). My programmer feels that the
periodicity is tied somehow to the number of sector accesses, and has
clocked it at approximately once every 700 accesses. However, this is
not an exact number.
None of the PC anti-viral packages we have (and we try to obtain a
copy of the latest version of every package we can find) report or
detect this malicious code.
Is this something new? Is it home grown? Has anyone else seen anything
like this? Any suggestions or assistance would be appreciated.
Thanks for the help. If/when we get this beastie nailed down I'll
forward appropriate info...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Peter Johnston | Voice : 403/492-2462
University Comput Systems | FAX : 403/492-1729
352 GenSvcBldg, | BitNET : usergold@ualtamts
The University of Alberta | Internet : [email protected]
Edmonton, Alberta | QuickMail: Peter_Johnston@
Canada T6G 2H1 | quest.ucs.ualberta.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------------------
Date: 7 March, 1991
From: Padgett Peterson <padgett%[email protected]>
Subject: Integrated Drive Electronics, Flopticals, and Freddy
Recently I have talked to a number of people who have been on
the receiving end of viruses and other malicious activities who have
the idea that the one true solution is a low-level format of the fixed
disk involved. Loss of all data/programs is considered an acceptable
risk.
There also seem to be a number of management types who feel
that rather than invest in any protection software, if attacked, a
low-level format is acceptable to their disaster plan.
Just to help those of you who may think the same way, consider
that many current PCs (I think Compaq started it all) come with nice,
small, power-sipping IDE drives. Consider that these now provide the
size and speed of the best conventional drives at the cost of a bare
MFM (ST506) drive. This is now a selling point for many manufacturers
and a plus for power users who do not have to give up any high memory
(potential RAM for TSRs) to a disk controller.
Now consider that these drives arrive pre-formatted from the
manufacturer and many CANNOT be low-level formatted (the same goes for
the new 20 Mb 3 1/2 flopticals).
It is time that users like these realize that there are
alternatives (most of them have been discussed on Virus-L) and that
viral protection/removal/recovery does not have to include brute force
formatting, high or low level, rather the application of some
intelligence is appropriate.
Pleasant dreams,
Padgett
------------------------------
Date: 07 Mar 91 16:30:22 +0000
From: [email protected]
Subject: computer security research
Can anyone help?
I'm in the second year of a PhD dealing with the rise of the computer
security industry along with system break-ins, browsing and virus
incidents.
1. Is anyone out there prepared to answer a questionnaire for me and
perhaps if they have the time discuss with me by e-mail some of the
issues?
2. I'm planning a jaunt into The Netherlands and Germany in approximately 4
weeks' time. Would any digest readers from either of those countries be
prepared to have a face-to-face interview with me? Do you know of
anyone who would? The request also stands with anyone from the United
Kingdom.
Verification of my academic status can be sought from my supervisors
here at the University of Edinburgh, at the same mail site as myself
with the names Charles Raab and R.Williams.
ALL MY WORK IS FOR STRICTLY ACADEMIC PURPOSES AND TOTAL
CONFIDENTIALITY IS GUARANTEED FOR ANY RESPONDENTS.
Hope to hear from some of you soon,
Best Wishes,
Paul A. Taylor
------------------------------
Date: Fri, 08 Mar 91 12:07:09 +0000
From: [email protected] (Kjetil Krag)
Subject: Virus V2000 (PC)
HELP!!! My PC is infected by the V2000 virus.
I have a problem. Sometimes when I start McAfee's PRO-SCAN.EXE a
message appears telling me that the memory is infected with the
V2000 virus, that the program can't remove the virus, and that I should
turn the machine off and reboot from a clean diskette.
Then I turn the machine off and start up with a clean boot diskette.
I start PRO-SCAN.EXE and scan all drives on my hard disk, but
the hard disk is clean! The program can't find any viruses. Later,
when I start PRO-SCAN again, the V2000 virus is back! I've also
tried McAfee's SCANV75 and VSHIELD75, but none of them can find the
virus!
If you can help me, please tell!
Thanks!
Kjetil Krag
([email protected])
------------------------------
Date: Fri, 08 Mar 91 11:23:00 +0700
From: "Jeroen W. Pluimers" <FTHSMULD%[email protected]>
Subject: File format for virus signatures (PC)
Dear readers,
A few digests ago, there was a question about standard formats of
data files for virus signatures. VIRSCAN and TBSCAN/TBSCANX use
the format below.
It has been copied from the documentation that was with TBSCANX v 2.1.
The format may be spread freely and is fully public domain.
Jeroen W. Pluimers - Gorlaeus labs, Leiden University
- -=-=-=-=-=-=-=-=- VIRSCAN.DAT / TBSCAN.DAT format -=-=-=-=-=-=-=-=-=-
FORMAT OF THE DATA FILE
- -----------------------
The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or
modified with any ASCII editor.
All lines beginning with ";" are comment lines. TbScanX ignores
these lines completely. When the ";" character is followed by a
percent sign, the remaining part of the line will be displayed on
the screen. A maximum of 15 lines can be printed on the screen.
Nice for "HOT NEWS"...
In the first line the name of a virus is expected. The second line
contains one or more of the following words:
BOOT SYS EXE COM HIGH LOW
These words may be separated by spaces, tabs or commas.
TbScanX will only scan for viruses with the keywords COM or EXE.
The other keywords will be ignored, and are only used by the
non-resident version, TBSCAN. Also note that TbScanX will not
distinguish between COM and EXE files. All executable files will be
scanned for both EXE and COM viruses. This saves some memory.
BOOT means that the virus is a bootsector virus. SYS, EXE and COM
indicate the virus can occur in files with these extensions. Also
overlay files (with the extension OV?) will be searched for EXE
viruses. HIGH shows that the virus can occur in the memory of your
PC, namely in the memory located above the TBSCAN program itself.
LOW means that the virus can occur in the memory of your PC, namely
in the memory located under the TBSCAN program itself.
In the third line the signature is expected in ASCII-HEX. Every
byte of the virus is described by means of two characters. Instead
of two HEX characters, two question marks (the wildcard) may also
occur. The latter means that any byte at that position matches
the signature. Below you will find an example of a signature:
A5E623CB??CD21??83FF3E
You can also use an asterisk followed by an ASCII-HEX character to
skip a variable number of bytes in the signature. The ASCII-HEX
character specifies the number of bytes that should be skipped. The
signature could be:
A5E623CB*3CD2155??83FF3E
The following sequence of bytes will be recognised as a virus:
A5E623CB142434CD21554583FF3E
Instead of a signature in ASCII-HEX you can also specify normal
text. This should be put between double quotation marks. A correct
signature is, for example:
"I have got you!"
This series of three lines should be repeated for every virus.
Between all lines comment lines may occur.
------------------------------
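The signature file format in the preceding message, as an added example that is not part of the original digest nor code from the TBSCAN/VIRSCAN programs: a Python 3 parser for the three-line record layout (name, keywords, ASCII-HEX or quoted-text signature) with the `??` single-byte and `*N` variable-skip wildcards, plus a scanner that applies the records to in-memory copies of files. It also reproduces the false-positive situation described in the 'Ohio' message earlier in this digest, where an innocent program happens to contain the bytes a signature looks for. The sample data file, the record names and all byte patterns are constructed for the example and are not real signatures; `*N` is read as "skip 0 to N bytes" and blank lines are ignored, both assumptions the documentation does not settle (its own worked example, which skips exactly three bytes, matches either way).

```python
import re

# Constructed sample file in the VIRSCAN.DAT / TBSCAN.DAT layout. Names and
# byte patterns are made up for this example, not signatures of real viruses.
SAMPLE_DAT = """\
; VIRSCAN.DAT-style file, constructed for this example
;% HOT NEWS: lines starting with ';%' are shown on screen by TbScanX
Example-A (constructed)
COM EXE HIGH
A5E623CB??CD21??83FF3E
; comment lines may appear between the three lines of a record
Example-B (constructed)
EXE, LOW
A5E623CB*3CD2155??83FF3E
Example-Text (constructed)
COM
"I have got you!"
Example-Boot (constructed)
BOOT
EB3C90??????????????
"""

KEYWORDS = {"BOOT", "SYS", "EXE", "COM", "HIGH", "LOW"}


def compile_signature(sig):
    """One signature line -> compiled bytes regex. Hex pair: that byte;
    '??': any one byte; '*N': skip 0..N bytes (assumption, see lead-in);
    "text": the literal ASCII text."""
    sig = sig.strip()
    if sig.startswith('"'):
        if len(sig) < 2 or not sig.endswith('"'):
            raise ValueError("unterminated text signature: %r" % sig)
        return re.compile(re.escape(sig[1:-1].encode("ascii")), re.DOTALL)
    parts = []
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        if len(tok) != 2:
            raise ValueError("odd-length hex signature: %r" % sig)
        if tok == "??":
            parts.append(b".")
        elif tok[0] == "*":
            parts.append(b".{0,%d}" % int(tok[1], 16))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_dat(text):
    """Returns (news_lines, records); a record is a dict with the virus
    name, its keyword set and the compiled signature."""
    news, records, pending = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                  # assumption: blank lines are skipped
            continue
        if line.startswith(";"):      # comment; ';%' lines are "hot news"
            if line.startswith(";%") and len(news) < 15:
                news.append(line[2:].strip())
            continue
        pending.append(line)
        if len(pending) == 3:         # name, keywords, signature
            name, kw_line, sig = pending
            keywords = {k.upper() for k in re.split(r"[\s,]+", kw_line) if k}
            unknown = keywords - KEYWORDS
            if unknown:
                raise ValueError("unknown keyword(s) %s in %r" % (sorted(unknown), name))
            records.append({"name": name, "keywords": keywords,
                            "regex": compile_signature(sig)})
            pending = []
    if pending:
        raise ValueError("incomplete record at end of file: %r" % pending)
    return news, records


def scan(buf, records, kinds):
    """Names of records carrying a keyword in `kinds` whose signature occurs
    in buf. TbScanX checks every executable for both COM and EXE signatures,
    so pass kinds={"COM", "EXE"} to mimic the resident scanner."""
    kinds = set(kinds)
    return [r["name"] for r in records
            if r["keywords"] & kinds and r["regex"].search(buf)]


# Constructed buffers standing in for files on disk (not real programs). The
# first embeds the documentation's own worked example for the '*3' signature.
INFECTED_EXE = (b"MZ" + b"\x00" * 14
                + bytes.fromhex("A5E623CB142434CD21554583FF3E") + b"\x90" * 8)
CLEAN_COM = b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3" + b"Hello, world$"
# An innocent program whose own message table contains the text signature:
# the false-positive case from the 'Ohio' discussion.
INNOCENT_COM = b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3" + b"Score: I have got you!$"


def demo():
    news, records = parse_dat(SAMPLE_DAT)
    return {
        "news": news,
        "infected": scan(INFECTED_EXE, records, {"EXE"}),
        "clean": scan(CLEAN_COM, records, {"COM"}),
        "innocent": scan(INNOCENT_COM, records, {"COM"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The text-signature hit on `INNOCENT_COM` is the point to take from the run: a signature is only a byte pattern, and a benign file that legitimately contains the same bytes is reported exactly like an infected one, which is why a scanner's "found but cannot clean" result deserves a second look before the file is deleted.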
Date: Fri, 08 Mar 91 14:54:19 +0000
From: martin zejma <[email protected]>
Subject: False alarms using scan (PC)
Hello hunters!
Long time ago, around the end of June '90, I posted a question about false
alarms when scanning memory using scan (happened with all versions I
know).
The solution: Once upon a time... I've been infected with the 170x
virus. I detected the infection instantly and healed all corrupted
files. BUT! The viral part behind the EOF of each file naturally
didn't disappear (filling up the last cluster of the file), and
that also happened to command.com, only invoked from within a
different directory when using the Norton Commander, so then scan
reported an active 170x virus in memory. After looking behind the
EOF with Norton Utilities, I erased the dumb virus part, and voila!
No more false alarms.
Simple solution this time, Martin
+-----------------------------------------------------------------------+
| Martin Zejma 8326442 @ AWIWUW11.BITNET |
| |
| Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 41]
*****************************************