VIRUS-L Digest Monday, 11 Mar 1991 Volume 4 : Issue 42
Today's Topics:
Re: Research viruses
Help ! Fellowship virus on IBM-386 (PC)
VIRUSCAN Version 1.51 is Available (PC)
Stoned again (PC)
FLIP (PC)
Confusion of names (PC)
Latest VSUM (PC)
Re: File format for virus signatures (PC)
Re: Life, Turing Machines, viruses.
Testing help wanted (PC)
Bug in SCANV75? (forwarded) (PC)
Review of Antivirus (not -Plus) (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: 08 Mar 91 10:30:32
From: [email protected] (Rick Keir, MACC)
Subject: Re: Research viruses
[email protected] (Joe McMahon) writes...
>Research viruses: just say no.
(goes on to quote rumor that the Mac Scores virus author "didn't
expect it to get out", with implication that it was a "research"
virus.)
Several points:
I said "rumor" since no one has ever admitted to being the author of
Scores (numerous news stories in MacWeek, etc., quoting FBI and EDS
officials as saying they "suspect" they know who it is -- i.e. no one
has said they're the one). This makes it hard for the Vaxene
documentation to quote the author of Scores in any believable fashion.
Second, the comment about "didn't expect it to get out" is also
subject to the interpretation that he/she meant "I just thought I'd
screw up computers at EDS in Dallas and not anyone else's computers."
While Scores does specifically target internally developed software of
EDS, it infects all bootable systems and all applications that it
comes in contact with, and does not distinguish the EDS systems from
any other. This makes a claim that he/she was surprised by its spread
not very believable.
"Research" is becoming the computer equivalent of the claim that "I
didn't know the gun was loaded", whether uttered by the virus writer
or by the geek who abuses the net. Research is noted for:
publication, sharing of information, useful purpose, and most
importantly ETHICS OVERVIEW by one's peers. The so-called research of
the average virus writer would fail on all counts: no knowledge is
published; there is no knowledge to be gained; and no group of one's
peers would judge the writing and release of the virus to be ethical.
There can be useful research done on viruses, and for those purposes
viruses may be written; however, those authors are working openly,
publishing their work, and experimenting in conditions that prevent
the spread of a virus to the general public. I can count the number
of legitimate researchers I know of on one hand, and have fingers left
over.
------------------------------
Date: Fri, 08 Mar 91 15:04:16 -0500
From: Daniel Pan <[email protected]>
Subject: Help ! Fellowship virus on IBM-386 (PC)
DOES ANYONE KNOW HOW THE "FELLOWSHIP VIRUS" WORKS, AND IS THERE ANY
ANTI-VIRUS SOFTWARE THAT CAN CLEAN IT? ONE OF MY FRIEND'S HARD DRIVES HAS
THIS VIRUS ON IT. IT COULD NOT BE FOUND USING MCAFEE'S SCAN
VERSION 72, BUT VIRXDEMO - PC-VIREX, GREENBERG'S, COULD FIND IT. WHAT
SHOULD HE DO? ANY HELP WILL BE APPRECIATED.
--- DANIEL PAN
I87BC@CUNYVM (BITNET)
(718)-253-3393
------------------------------
Date: Fri, 08 Mar 91 18:21:00 -0800
From: "David K. Mickle" <[email protected]>
Subject: VIRUSCAN Version 1.51 is Available (PC)
I got my copy through our PC vendor, Microage of Beverly Hills. They
obtained it at my request from their IBM rep who downloaded it from an
IBM internal service. The version number 1.51 is correct.
------------------------------
Date: Fri, 08 Mar 91 17:37:50 -0800
From: [email protected] (Rob Slade)
Subject: Stoned again (PC)
[email protected] (Kamran Farahi) writes:
> On both occasions, he had installed F- DRIVERS on the hard disk, the
> partition table was gone so he could not reboot from the hard disk. As
> a result he had to do a low level format. My question is , how is it
One despairs, one really does.
When F-DRIVER.SYS is installed, it will detect the presence of the
"Stoned" virus and lock up the system. This does not mean that your
computer is ruined. I assume it is intended to *force* you to deal
with the problem.
The solution is simple. Boot from a clean floppy. Run F-DISINF and
"cure" the hard disk. Reboot the computer normally. Simple. And
effective.
There was no need to reformat the disk.
As to "prevention" of infection by a boot sector virus, that is not so
simple. If you stick an infected disk into the A: drive and boot up,
you are going to be infected before *anything* can come into play.
The only solutions involve specialized boot ROMs, cards or mechanical
disabling of the A: drive.
==============
Vancouver        [email protected]    | "It says 'Hit any
Institute for    [email protected]    | key to continue.'
Research into    (SUZY) INtegrity       | I can't find the
User             Canada V7K 2G6         | 'Any' key on my
Security                                | keyboard."
------------------------------
Date: Fri, 08 Mar 91 17:51:39 -0800
From: [email protected] (Rob Slade)
Subject: FLIP (PC)
[email protected] (Javier H. Diez de Baldeon) writes:
> I need all kind of information about the FLIP VIRUS. May anybody send
> me the SIGNATURE FILE of this particular virus????? I noticed
> yesterday that I had got it and it hasn't done any damage yet. The
> FLIP virus seems to be a mixed one. I think it infects the boot sector
> and some of the root directory files. One more thing. It looks
> undetectable for most known virus-detectors. I've tried several things
> with no result. Any help will be useful.
There is a "Flip" virus which infects both files and the boot sectors
of hard disks. FPROT should be able to deal with it for you.
If it is the same one that you are seeing it will "reverse" the screen
(horizontally) on the second day of the month, between 4 and 5pm. You
could set your system clock to that, and see what happens ...
==============
Vancouver        [email protected]    | "It says 'Hit any
Institute for    [email protected]    | key to continue.'
Research into    (SUZY) INtegrity       | I can't find the
User             Canada V7K 2G6         | 'Any' key on my
Security                                | keyboard."
------------------------------
Date: Fri, 08 Mar 91 17:59:02 -0800
From: [email protected] (Rob Slade)
Subject: Confusion of names (PC)
[email protected] (James Nash) writes:
> I have a copy of a virus that seems to confuse the various virus
> checkers I'm evaluating (and trying to convince my superiors to buy
> lots of!!!).
>
> Fridik's F-PROT calls it Plastique
> McAffee's SCAN calls it Taiwan 3 (as does AVSEARCH)
> Solomon's FINDVIRUS calls it Anticad 2
If you look up the FILVIR-2.TXT that came with the FPROT package, you
will see that they are all variants of the same family, albeit quite
different.
Naming conventions have been a difficulty for a long time, especially
since so many viri are modifications of others.
Q - How many virus writers does it take to change a lightbulb?
A - 17. One to change the bulb, and an average of 16 to watch him do it,
and then all try it again a slightly different way ...
==============
Vancouver        [email protected]    | "It says 'Hit any
Institute for    [email protected]    | key to continue.'
Research into    (SUZY) INtegrity       | I can't find the
User             Canada V7K 2G6         | 'Any' key on my
Security                                | keyboard."
------------------------------
Date: Sat, 09 Mar 91 07:37:00 -0500
From: John Perry KG5RG <[email protected]>
Subject: Latest VSUM (PC)
I consider Pat Hoffman's VSUM to be a very good document on
viruses. I was wondering where I could FTP the latest version from? I
maintain the viral archives on beach.gal.utexas.edu and would be
tickled if I could post a current version there for others to have
access to.
[Ed. Note that VSUM is $hareware.]
John Perry KG5RG
University of Texas Medical Branch
Galveston, Texas 77550-2772
You can send mail to me at any of the following addresses:
DECnet : BEACH::PERRY
THEnet : BEACH::PERRY
Internet : [email protected]
Internet : [email protected]
BITNET : PERRY@UTMBEACH
SPAN : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet : 1:106/365.0
------------------------------
Date: 10 Mar 91 16:44:41 +0000
From: [email protected] (Morgan Schweers)
Subject: Re: File format for virus signatures (PC)
Greetings,
Hmmm... I'll point out that the VIRSCAN/TBSCAN file format is
similar enough to the ViruScan external data file that a conversion
utility SHOULD be relatively trivial.
For reference, our strings are one line/one virus, no 'BOOT' or
'COM', etc. separators. The string format is similar, but rather than
have a single hex-digit after the '*' you put a number in parentheses.
(i.e. "01020304 *(4) 050607?090a" <virus name> )
The '?' wildcard ignores that hex-byte, the '*' will detect the
next byte if it is within (x) bytes.
Now for another 'flame' from me... "Unreadable/non-clear update
scan strings." This makes it difficult for a user to add their own
strings. These products might as well not have user-updatability, in
effect. Unless the user has access to documentation on creating a
virus 'string' through that particular utility, they can't expand it.
I've got an open mind on this subject, however. (Not so open that
my brain falls out, but anyhow...) If someone who uses this method
can explain the rationale to me, I'll respond. I can think of two
products which do this, and MAYBE a third.
-- Morgan Schweers
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| I *AM* [email protected], and [email protected]. I'd prefer you use |
| the netcom.com address, since MIT is now a WEE bit further away from |
| me than I like calling... <Grin> In any case, I don't represent my   |
| employers. They don't listen to what I say, and I return the         |
| compliment whenever possible. <Grin>                                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
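A small parser and matcher for the one-line-per-virus string format Morgan describes above (hex bytes, '?' ignoring one byte, '*(n)' meaning the next byte must turn up within n bytes), written here as an added example rather than code from the post or from any scanner it mentions. It assumes the virus name is whatever follows the pattern tokens on the line, and that a '*(n)' gap may span 0 to n bytes inclusive; the signature lines and byte buffers are constructed for the example and are not real virus strings.

```python
import re

GAP_RE = re.compile(r"^\*\((\d+)\)$")                # '*(4)'
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}|\?)+$")      # '050607?090a'


def parse_signature(line):
    """Turn '01020304 *(4) 050607?090a Name' into (name, pattern list).

    Pattern elements are ('byte', value), ('any', None) for '?', and
    ('gap', n) for '*(n)'.  Assumption: the first token that is not
    pattern syntax starts the virus name.
    """
    tokens = line.split()
    pattern = []
    i = 0
    for i, tok in enumerate(tokens):
        gap = GAP_RE.match(tok)
        if gap:
            pattern.append(("gap", int(gap.group(1))))
        elif HEX_RE.match(tok):
            pos = 0
            while pos < len(tok):
                if tok[pos] == "?":
                    pattern.append(("any", None))
                    pos += 1
                else:
                    pattern.append(("byte", int(tok[pos:pos + 2], 16)))
                    pos += 2
        else:
            break
    else:
        i = len(tokens)
    return " ".join(tokens[i:]), pattern


def _match_at(data, pattern, pos, idx):
    """True if pattern[idx:] matches data at offset pos (backtracks on gaps)."""
    while idx < len(pattern):
        kind, val = pattern[idx]
        if kind == "gap":  # assumption: next element may start 0..n bytes on
            return any(_match_at(data, pattern, pos + skip, idx + 1)
                       for skip in range(val + 1))
        if pos >= len(data):
            return False
        if kind == "byte" and data[pos] != val:
            return False
        pos += 1  # a '?' element consumes one byte unconditionally
        idx += 1
    return True


def scan(data, signatures):
    """Return [(name, offset)] for each signature found in data."""
    hits = []
    for name, pattern in signatures:
        for start in range(len(data)):
            if _match_at(data, pattern, start, 0):
                hits.append((name, start))
                break
    return hits


# Constructed sample database and buffers (made-up bytes, not real viruses).
SIGNATURES = [parse_signature(l) for l in
              ["01020304 *(4) 050607?090a Example-A",
               "cd21 *(2) cd20 Example-B"]]
INFECTED = bytes.fromhex("ffff01020304aabb05060742090aee")   # gap of 2 bytes
TOO_FAR = bytes.fromhex("01020304aabbccddee05060742090a")    # gap of 5 bytes
```

Running `scan(INFECTED, SIGNATURES)` reports Example-A at offset 2, while `TOO_FAR` yields nothing because the '*(4)' window is exceeded.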
------------------------------
Date: Sun, 10 Mar 91 19:47:54 -0500
From: The Sanj-Machine aka Ice <[email protected]>
Subject: Re: Life, Turing Machines, viruses.
Quick question I've been wanting to ask for a while.
If automata are capable of reproducing themselves, by following the
laws of a Turing machine, for a particular hardware architecture and
instruction set, how do you determine the minimum number of bytes that
this can be achieved in?
On a related note, I was talking with a friend about how CDs have
error correcting codes through redundancy. Does anyone know if viruses
yet exist which are capable of being fault tolerant so that if they
try to mutate, and the mutation inhibits its ability for continued
self reproduction, it will return to its former state and try again?
Ice. "Flesh and blood, sacrifice, melts the heart like fire and
ice."-Poison
--
"No one had the guts... until now!"
$anjay $ingh Fire & "Ice" ssingh@watserv1.[u]waterloo.{edu|cdn}/[ca]
ROBOTRON Hi-Score: 20 Million Points | A new level of (in)human throughput...
!blade_runner!terminator!terminator_II_judgement_day!watmath!watserv1!ssingh!
------------------------------
Date: Sun, 10 Mar 91 22:20:04 +0100
From: [email protected] (Jeremy Buckley)
Subject: Testing help wanted (PC)
We need people who have access to one or more viruses to help beta-test a
new antiviral product developed here in New Zealand.
Quite a number of unique detection/sterilization techniques are used
which provide a good overall level of protection against file
infectors, trojans and boot sector viruses. It has the ability to
detect and sterilize viruses as opposed to just suspicious activity.
The entire program is written as a device driver, which adds a little
more security.
So far it has only been tested on the 4096, slow, dark avenger,
cascade, stoned variants and a number of research viruses, all with
good results but we need a wider range of testing due to the limited
number of viruses in this part of the world. Any help would be more
than appreciated, however the only remuneration we can provide is free
mailed updates of the package as we release them (if wanted).
Please e-mail if you are interested in beta-testing this program and
we will send you the latest version in UUEncoded or other format of
your choice. Please also e-mail details of virus(es) that you will be
able to test with.
Thanks in advance,
Jerry.
-------------------------------------------------------------------------------
Jeremy Buckley
[email protected]
-------------------------------------------------------------------------------
------------------------------
Date: Mon, 11 Mar 91 12:18:00 +0700
From: "Jeroen W. Pluimers" <FTHSMULD%[email protected]>
Subject: Bug in SCANV75? (forwarded) (PC)
Original-Date: Mon, 11 Mar 91 01:14:09 +0100
Original-From: P7MAI016@FRCIRP81
Hello everyone,
Today I ran into a problem that can be serious, and if somebody can
forward this message to McAfee & Associates, thanks.
Here it is:
a friend of mine showed me a file that was infected by the "Whale" virus. Scan
v75 reports it, good. BUT when I run Clean v75 on that file, NOTHING! Clean
didn't report any virus at all. I was happy to have Clean v74b at hand, and it
identified and killed that damned virus.
I think all of us are interested...
Best regards and happy computing,
--Ollivier
/-------------------------------+-----------------------------------\
| Ollivier ROBERT                | INTERNET: [email protected]      |
| Universite de Jussieu PARIS 7  | BITNET:   [email protected]      |
| PARIS, FRANCE                  |                                   |
\-------------------------------+-----------------------------------/
------------------------------
Date: Fri, 08 Mar 91 18:07:26 -0800
From: [email protected] (Rob Slade)
Subject: Review of Antivirus (not -Plus) (PC)
Comparison Review
Company and product:
Fink Enterprises
11 Glen Cameron Road, Unit 11
Thornhill, Ontario
L3T 4N3
416-764-5648
Telecopier: 416-764-5649
IRIS Antivirus
Summary:
Vaccine program with scanner.
Cost $199 CDN, site licenses available
Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
  Installation       3
  Ease of use        3
  Help systems       1
Compatibility        3
Company
  Stability          3
  Support            2
Documentation        2
Hardware required    3
Performance          3
Availability         2
Local Support        ?
General Description:
The forerunner of Antivirus-Plus (reviewed earlier, cf PCANTIVP.RVW),
Antivirus makes no claims of artificial intelligence. The program
structure is very similar.
For simple virus detection, Antivirus is recommended over Antivirus-
Plus.
Comparison of features and specifications
User Friendliness
Installation
The disk is shipped write protected. The accompanying documentation is
very terse (less than one loose leaf sheet), but sufficient to install
and run the programs. (The distributor has stated that he is increasing
the documentation, but is interested in keeping it short so as not to be
too intimidating.) Further documentation is available on disk.
Installation can only be performed from the A: drive. Installation is,
however, very simple, although the options that are available are not
explained.
Ease of use
Options for use of the CURE program (scanner/disinfection portion) are
available from the command line, but also from an onscreen menu if
invoked with no parameters.
Alerts to the presence of a virus are not clear as to which program or
disk is infected.
The problem in Antivirus-Plus of not being able to run certain programs
which amend or delete program files is not present in Antivirus.
Any access to a boot sector infected disk will trigger an alert. The
infected disk is not identified, but attention to which disk is being
accessed will make this clear. How a boot sector is identified as being
infected is not clear, but the behaviour of the program is indicative of
"scanning" type operation. Therefore it is unlikely that "new" boot
sector viri will be detected. However, there is some "change checking"
with regard to the boot sector. How this is accomplished is not stated,
and it did give one false alarm (showing a changed boot sector on a
write protected disk.)
Help systems
None provided.
Compatibility
The program will detect and stop most common viri. The problem in
Antivirus-Plus of not being able to run certain programs which amend or
delete program files is not present in Antivirus.
Company Stability
IRIS has been a small but consistent presence in the antiviral field.
Company Support
Little available.
Documentation
Documentation is brief but clear, although the information given deals
almost exclusively with installation. Reasons for choosing various
options are not given.
Hardware Requirements
No special hardware required, but will only install from drive A:
(shipped on 5 1/4" media).
Performance
The program will detect most common viri. The IMMUNE program will
detect and "eliminate" a virus within a program, but will usually be
able to allow the original program to run unhindered.
Boot sector infections are "detected" on each access to the disk. When
the system is booted from a viral infected disk, the viral program will
become resident in memory. At the invocation of the IMMUNE program, the
alert for an infected disk will appear. (Interestingly, the IMMUNE
program will state that "!!No virus detected!!" on completion.) Memory
scanners will still detect the virus resident in memory, but disks will
no longer be infected. Disk editors are still able to write to the boot
sector. (Note that this has only been checked with common boot viri.
Others may not yield the same behaviour.)
Local Support
None available.
Support Requirements
The program is simple enough that support should not be needed for most
instances.
General Notes
The Antivirus program appears, in most respects, to be better behaved
than its Antivirus-Plus successor.
copyright Robert M. Slade 1991, PCANTIVR.RVW 910308
==============
Vancouver        [email protected]    | "It says 'Hit any
Institute for    [email protected]    | key to continue.'
Research into    (SUZY) INtegrity       | I can't find the
User             Canada V7K 2G6         | 'Any' key on my
Security                                | keyboard."
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 42]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253