VIRUS-L Digest   Wednesday, 20 Mar 1991    Volume 4 : Issue 45

Today's Topics:

Re: Research viruses
Anti-Virus programs from Holland uploaded to SIMTEL20 (PC)
VCOPY version 75 available (PC)
Comp. Security...help needed...
Forward from RED-UG, problems with SCAN (PC)
McAfee anti-viral programs and SIMTEL20 (PC)
Virus-Construction-Set (VCS 1.0) (PC)
1701/1704 virus (PC)
Fprot vs Scan ?? (PC)
Trojan Horses, Logic Bombs, Viruses, etc.
New Virus ? Smiley Virus - Amiga
Re: PROTEC System & Stoned Virus (PC)
vshield (PC)
Review of Norton Antivirus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    16 Mar 91 02:20:27 +0000
From:    [email protected] (Gene Spafford)
Subject: Re: Research viruses

Research ethics are fairly well defined in other fields, and can be
extended to computer viruses with a little thought.

For instance, a researcher working on flu virus strains would be
ethically (and legally) responsible for a mutated virus escaping into
the population at large.  Saying "I'm sorry -- I didn't mean for it to
happen" is not an excuse.  Good intentions do not substitute for
taking precautions.

Research on (computer) viruses that escape into the general population
is clearly unethical because it affects subjects who have not given
their informed consent to be part of the "experiment," and there is no
way to end the "experiment."  Also, there is no valid control for the
experiment (e.g., "What would be the results in a similar population
for the null hypothesis?").

Worse, most people "experimenting" don't understand the basics of
good scientific method.  Research by writing viruses to see what
happens is akin to throwing chemicals in a test tube to see if it
explodes.  Proper experimental research procedure requires that you
establish a hypothesis that can be tested, establish a test with
controls, and then analyze your test results with respect to the
hypothesis.

Some of the people who claim they are doing "research" in viruses and
related areas are doing no such thing.  I have refereed papers for
professional forums that show a surprising lack of understanding of
the basic principles of science or ethics -- then these individuals
complain they are being "conspired against" because they can't get
their work published.  Sad.
--
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  [email protected]   phone:  (317) 494-7825

------------------------------

Date:    Thu, 14 Mar 91 19:47:00 +0700
From:    FTHSMULD%[email protected]
Subject: Anti-Virus programs from Holland uploaded to SIMTEL20 (PC)

I have uploaded the following programs to the SIMTEL20 archives. All
come from Holland.  The TBxxx software is written by Frans Veldman,
the VIRUSSIG file is described below:

;%   Virus information file for TBSCAN and HTSCAN virus scanners
;%   (C) Copyright 1989-1991 by Jan Terpstra of FIDONET 2:512/10.0
;%   P.O. Box 66, 1462 ZH, Beemster, The Netherlands
;%   Revision:     910308  (yymmdd)

pd1:<msdos.troj-pro>
TBRESC12.ZIP    Thunderbyte Resque Boot Sector version 1.2
TBSCAN21.ZIP    Thunderbyte Scan  version 2.1 - needs VIRUSSIG
TBSCNX23.ZIP    Thunderbyte XScan (TSR) v 2.3 - needs VIRUSSIG
VIRUSSIG.ZIP    Virus Signatures for TBSCAN/HTSCAN - day 67

jeroen
FTHSMULD%[email protected]

------------------------------

Date:    Mon, 18 Mar 91 13:00:00 -0700
From:    [email protected] (Aryeh Goretsky)
Subject: VCOPY version 75 available (PC)

VCOPY Version 75 is now available.  Version 75 of VCOPY detects all
viruses detected by the VIRUSCAN Version 75 release.  Sorry for the
delay, folks; I've been out for four days due to a (biological) virus.

Aryeh Goretsky
-----------------------------------------------------------------------------
Aryeh Goretsky,Tech Sup.|voice (408) 988-3832    |INTERNET
McAfee Associates       |  fax (408) 970-9727    |[email protected] -OR-
4423 Cheeney Street     |  BBS (408) 988-4004    |[email protected]
Santa Clara, CA  95054  | UUCP apple!netcom!nusjecs!ozonebbs!aryehg
"Opinions expressed are my own and may not reflect those of my employer."

------------------------------

Date:    17 Mar 91 13:39:33 +0000
From:    ncorcorn%[email protected]
Subject: Comp. Security...help needed...

Dear whoever,
       I have the misfortune to be doing a project on computer
security, particularly computer crime.  Having ploughed through most
of the usual research I thought I'd write to the net in the hope of
getting some ORIGINAL opinions.  All input welcome.

       Yours,
           a desperate person with deadlines to meet

ps mail any responses to me at [email protected] or post to the
net PLEASE!!!!!!!!!

------------------------------

Date:    Tue, 12 Mar 91 22:56:00 +0700
From:    "Jeroen W. Pluimers" <FTHSMULD%[email protected]>
Subject: Forward from RED-UG, problems with SCAN (PC)

Original-Date: Tue, 12 Mar 91 12:21:00 +0100
Original-From: [email protected]

  Hi, RED-users.

  I have a hard disk with 2048 bytes per sector, and when I run the
newest versions of SCAN (74b and 75) the program reports the following
message :

 "Sorry, the partition table of disk C is 2048 bytes long."
 "That's too big for me."

  Is that a bug in the program?  Am I doing anything wrong?

  Thanks in advance for your answers,

                                      Pere J. Francisco,

------------------------------

Date:    Mon, 18 Mar 91 01:45:00 -0700
From:    Keith Petersen <[email protected]>
Subject: McAfee anti-viral programs and SIMTEL20 (PC)

I just received word from McAfee Associates that they have agreed to
upload each new release of McAfee anti-viral programs for MS-DOS to
Detroit Download Central, the BBS I co-SysOp.  From there I will
transfer the files in their original form to SIMTEL20.

What this means to Internet users is that the programs will be
available for downloading from SIMTEL20, and the mirror sites, within
12 hours of their release by McAfee.

Keith
--
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC & CP/M archives [IP address 26.2.0.74]
Co-SysOp, Detroit Download Central 313-885-3956 (V22bis/HST/V32/V42bis/MNP5)
Internet: [email protected]    or     [email protected]
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz              BITNET: w8sdz@OAKLAND

------------------------------

Date:    18 Mar 91 09:49:00 +0100
From:    Matthias Jaenichen <[email protected]>
Subject: Virus-Construction-Set (VCS 1.0) (PC)

On the Hannover-fair "CeBit" a Virus-Construction-Set for MS-DOS was
found in a BBS. The BBS is a German system called "ZERBERUS". The
program was uploaded in Hamburg. The Box-Sysops are informed and will
(hopefully) delete the entries.

It is possible to build a virus that will display a message at a
selectable generation-count. At the same time the files "CONFIG.SYS"
and "AUTOEXEC.BAT" will be deleted.

The virus will be given the name "VCS-1.0".
The virus extends programs by 1077 Bytes.
The following string can be found at offset 50h:"A5 A5 A4 68 00 C1 C3 8A"
At the end of the virus "C:\AUTOEXEC.BAT" and "C:\CONFIG.SYS"

Codeanalysis will begin soon after the fair.
----------------------------------------------------------------------------
Best wishes from Hamburg                             \\    // /==#==\  /==\
Matthias Jaenichen                                    \\  //     #    /
VTC-Hamburg                                            \\//      #    #
e-mail: [email protected]      \/      _#_    \==/
----------------------------------------------------------------------------
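
The post above gives two indicators for VCS-1.0: a byte string at offset
50h and the two pathname strings at the end of the 1077 added bytes.  The
following is an added example of an offset-anchored signature check built
from those indicators; it is not code from the post or from VTC-Hamburg.
Two things are assumptions not stated in the post: that the 1077 bytes are
appended to the host program, and that "offset 50h" is measured from the
start of that appended body.  The "infected" sample is a constructed dummy
(padding plus the indicator bytes), not virus code.

```python
"""Offset-anchored signature check for an appending file infector.

Added example (not code from the VIRUS-L post or from VTC-Hamburg).
Assumptions: the 1077 added bytes are appended to the host, and the
signature offset 50h is relative to the start of that appended body.
The sample "infected" file is constructed: padding plus the indicator
bytes from the post, no virus code.
"""

VIRUS_LEN = 1077                                  # growth reported in the post
SIG = bytes.fromhex("A5A5A46800C1C38A")           # string at offset 50h (post)
SIG_OFFSET = 0x50
TAIL_STRINGS = (b"C:\\AUTOEXEC.BAT", b"C:\\CONFIG.SYS")  # at end of body (post)


def scan(data: bytes) -> dict:
    """Report which indicators match in `data`.

    'anchored' is the strict check: the signature sits at 50h inside the
    trailing 1077-byte body.  'anywhere' is the loose substring search a
    generic scanner does; it is more prone to false positives on files
    that merely contain those eight bytes somewhere.
    """
    body = data[-VIRUS_LEN:] if len(data) >= VIRUS_LEN else b""
    anchored = (len(body) == VIRUS_LEN
                and body[SIG_OFFSET:SIG_OFFSET + len(SIG)] == SIG)
    anywhere = SIG in data
    tail_strings = bool(body) and all(s in body[-64:] for s in TAIL_STRINGS)
    return {
        "anchored": anchored,
        "anywhere": anywhere,
        "tail_strings": tail_strings,
        "infected": anchored and tail_strings,   # require both to reduce FPs
    }


def make_dummy_body() -> bytes:
    """Constructed 1077-byte stand-in for the appended body (not virus code)."""
    body = bytearray(b"\x90" * VIRUS_LEN)
    body[SIG_OFFSET:SIG_OFFSET + len(SIG)] = SIG
    tail = b"\x00".join(TAIL_STRINGS) + b"\x00"
    body[-len(tail):] = tail
    return bytes(body)


# Constructed samples: a clean host stub and the same host with the dummy
# body appended.  The host's byte pattern never contains two adjacent A5s,
# so the loose search is also negative on it.
HOST = b"MZ" + bytes(range(256)) * 4
INFECTED = HOST + make_dummy_body()

if __name__ == "__main__":
    for name, sample in (("clean", HOST), ("infected", INFECTED)):
        print(name, scan(sample))
```

The point of keeping both checks is visible in the result dictionary: a
file that happens to contain the eight signature bytes somewhere else
trips "anywhere" but not "anchored", so a scanner that only does substring
matching would flag it while the offset-anchored check does not.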

------------------------------

Date:    Mon, 18 Mar 91 10:39:00 +0000
From:    [email protected]
Subject: 1701/1704 virus (PC)

One of my colleagues was sent the English version demo disk of the
program VCH BIBLIO. Disk 2 (of 2) was found to be infected by the
virus 1701/1704 by McAfee's VIRUSCAN. We have reported this to the
British distributors of this disk. They are A-MAIL of Oxford.  They
found their systems to be infected when we reported it to them.  The
VCH program originates in Germany though we do not know if the German
version was infected. I have reported this finding to Noel Bonczonzek
at the UK Computer Crime Unit.

Lynne Munro
Oxford University Computing Service

------------------------------

Date:    Fri, 15 Mar 91 17:47:49 -0500
From:    Jeff <[email protected]>
Subject: Fprot vs Scan ?? (PC)

I am looking for some info regarding FPROT114 vs. SCANV75.  What are
the advantages disadvantages of each. I would also like some info on
FPROT114 vs. NETSCAN75. Please respond directly to me. Thanks in
advance.

[Ed. You might want to look at Rob Slade's reviews of both of these
products.  The reviews are available via the VIRUS-L/comp.virus
archives, including anonymous FTP on cert.sei.cmu.edu in the
pub/virus-l/docs/reviews directory.]

Jeff
usgjej@gsuvm1
[email protected]

------------------------------

Date:    Mon, 18 Mar 91 15:59:17 +0000
From:    [email protected] (Mat (M.Chidambaram))
Subject: Trojan Horses, Logic Bombs, Viruses, etc.

I am a first year here, at the University of Newcastle-Upon-Tyne, in
the UK, studying MicroElectronics and Software Engineering. I am
fairly new to computing and an absolute novice to this (or any other)
newsgroup.

I am currently preparing information on a seminar, which I am giving
on next Monday about computer security, viruses, logic bombs, trojan
horses, etc.

I would be grateful if anyone out there can give me any information at
all on the above named subjects.

------------------------------

Date:    18 Mar 91 16:32:32 +0000
From:    [email protected] (Ivan Borzieri)
Subject: New Virus ? Smiley Virus - Amiga

I was playing with my WB disk when the mouse pointer turned into a
PacMan like object, with a scrolling message under it saying something
like :

"This is a new virus from Centurions, and it's called Smiley Virus.
It seems that some of your disks have been infected !"

I tried to take it away with ZeroVirus III, but it did not recognize it.
I took a look into memory, using VMK tool, included in DW 1.2.
I saw that there was something like "startup-sequence", ares, etc.

Looking in my startup-sequence, I saw that the first command was
"Ares", so I thought the virus had copied itself in that command. I
reinstalled Arp on the infected disk (in case the virus had
infected some other command).  Then I turned off the machine and
bootstrapped from the infected disk.  Looking in memory with VMK gave
"No Virus Present" as result, so I felt immediately happy !

Anyway, I'd just love to know which is the latest Anti-Virus for The Amy.

                                                               Thanx,
                                                               Ivan Borzieri

------------------------------

Date:    18 Mar 91 19:31:45 +0000
From:    [email protected] (Brian D. Howard)
Subject: Re: PROTEC System & Stoned Virus (PC)

[email protected] (Richard W Travsky) writes:

>I find this interesting.  Short of re-infecting the machine to
>investigate further, I'm curious as to why Stoned didn't show in
>memory when a boot from floppy hadn't been done.

Probably because stoned steals 2K for itself (why 2K I dunno, I think
he only needs to dec al once?, figured it's a bug). It then updates the
BIOS data segment (413h) to indicate that the tip-top of memory is
right below it.  Scan utilities that rely on that table being accurate
might not bother to check any higher.

(An aside note: the 'stoned' program compares the jump at its first
location with that of the boot sector on the potential target in order
to decide if it's already 'infected' said target.  If you haven't
already you might dis-assemble and modify your boot sector code to
reflect the identical jump so that it looks like it's already
infected...)
--
"Hire the young while they still know everything."
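
The reply above explains the mechanism: the resident virus carves memory
off the top of conventional memory and lowers the base-memory word in the
BIOS data area at 0040:0013h (linear 413h), so a scanner that trusts that
word never looks at the region the virus occupies.  The following is an
added example, not code from the post, that simulates this in a byte array
so it runs anywhere: a 640 KB memory image, the word at 413h, and a
constructed marker string standing in for the resident code.  The 2K
figure is taken from the post; the marker is made up and is not a real
Stoned signature.

```python
"""Why a scanner that trusts the BIOS base-memory word can miss a
top-of-memory resident virus.

Added example, not code from the VIRUS-L post.  The whole machine is a
byte array: 640 KB of conventional memory, the BIOS data area word at
linear 0x413 (0040:0013h) holding base memory size in KB, and a
constructed marker in place of a resident virus body.  The 2 KB figure
follows the post; the marker text is invented.
"""

CONV_MEM_KB = 640                 # physical top of conventional memory
BDA_MEM_WORD = 0x413              # BIOS data area: base memory size in KB
MARKER = b"<<constructed resident marker>>"   # stand-in, not a real signature


def make_memory(hidden_kb: int) -> bytearray:
    """Build a memory image with `hidden_kb` KB carved off the top.

    The BIOS word is lowered to (640 - hidden_kb) exactly as the post
    describes, and the marker is placed in the now "invisible" region.
    """
    mem = bytearray(CONV_MEM_KB * 1024)
    reported_kb = CONV_MEM_KB - hidden_kb
    mem[BDA_MEM_WORD:BDA_MEM_WORD + 2] = reported_kb.to_bytes(2, "little")
    if hidden_kb:
        top = reported_kb * 1024
        mem[top:top + len(MARKER)] = MARKER
    return mem


def reported_top(mem: bytes) -> int:
    """Top of memory, in bytes, according to the BIOS data area word."""
    return int.from_bytes(mem[BDA_MEM_WORD:BDA_MEM_WORD + 2], "little") * 1024


def naive_scan(mem: bytes) -> bool:
    """Scan only up to what the BIOS word claims is the top of memory."""
    return MARKER in mem[:reported_top(mem)]


def thorough_scan(mem: bytes) -> dict:
    """Scan to the physical 640 KB line and report the size discrepancy.

    A shortfall between the BIOS word and 640 KB is a lead, not proof:
    some BIOSes legitimately reserve an extended BIOS data area at the
    top, so the hidden region itself has to be inspected.
    """
    top = reported_top(mem)
    return {
        "missing_kb": CONV_MEM_KB - top // 1024,
        "found_in_hidden": MARKER in mem[top:CONV_MEM_KB * 1024],
    }


if __name__ == "__main__":
    infected = make_memory(2)     # 2K stolen, as in the post
    clean = make_memory(0)
    print("naive scan, infected:", naive_scan(infected))
    print("thorough scan, infected:", thorough_scan(infected))
    print("thorough scan, clean:", thorough_scan(clean))
```

On the simulated infected image the naive scan returns False while the
thorough scan reports 2 KB missing and finds the marker in the hidden
region; on the clean image it reports 0 KB missing and nothing found.
The practical check that survives translation to real hardware is the
first half of thorough_scan: compare the BIOS word against the memory the
machine is known to have, and treat any shortfall as something to inspect
rather than trust.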

------------------------------

Date:    Mon, 18 Mar 91 17:14:27 -0500
From:    Jeff <[email protected]>
Subject: vshield (PC)

Has anyone experienced any difficulties running VSHIELD while attached
to a network?

Jeff
usgjej@gsuvm1
[email protected]

------------------------------

Date:    Fri, 15 Mar 91 16:54:13 -0800
From:    [email protected] (Rob Slade)
Subject: Review of Norton Antivirus (PC)

                              Comparison Review

Company and product:

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA   95014
USA
408-253-9600
800-343-4714
800-441-7234
408-252-3570
416-923-1033
Norton AntiVirus


Summary:

Manual and TSR virus scanning, as well as change detection.

Cost    $130 US

Rating (1-4, 1 = poor, 4 = very good)
     "Friendliness"
           Installation      3
           Ease of use       2
           Help systems      2
     Compatibility           3
     Company
           Stability         3
           Support           3
     Documentation           2
     Hardware required       4
     Performance             3
     Availability            4
     Local Support           1

General Description:

The NAV.EXE program has the ability to scan memory, boot sectors and
files for the presence of known viral programs, and to "inoculate"
programs against change.  It can also recover some damage to programs
and boot sectors.  The NAV_.SYS program provides TSR checking of files,
although it does not detect viral programs in memory, or deal
effectively with boot sector viri.

                 Comparison of features and specifications



User Friendliness

Installation

The program is shipped on "read only" disks, therefore cannot be
infected at the user's site without active intervention.

It is absolutely essential to read the on disk READ.ME file, as the
documentation is incorrect in many places including installation.  The
printed documentation fails to mention the NAV.DEF virus definition file
and the program will not function without it.

Installation can be done from any drive to any drive, including floppy
drives.  If old versions of Norton Antivirus are found they can be
overwritten or backed up at the user's discretion.  The installation
program is clear and simple to use, and gives clear instructions and
explanations of the various options.  (With some exceptions.  For
example, the program assumes that old copies of NAV are to be found in
C:\NAV, and states that there is no old version if nothing is found
there.  If this is not the path for the files, and the proper path is
specified, the request to choose between backing up and overwriting old
versions comes shortly after the announcement that there are no old
versions.)  A "completion bar" shows the progress of most lengthy
operations (throughout the program.)

The installation is quite intelligent and useful in dealing with the
necessary changes to system files.  An editing screen is presented for
the insertion of the command line in CONFIG.SYS.  The default placement
is explained clearly enough to give novices confidence, but will allow
more advanced users the ability to select optimum positioning.  Backup
files are created for the original AUTOEXEC.BAT and CONFIG.SYS.

The installation program is not very intelligent in dealing with
configuration options.  Upon invocation of the installation program, it
asks about the type of monitor used.  Upon completion, however, the
configuration of the NAV program defaults to "CGA" monitor type, which
does not allow some options or "command keys" to be seen on monochrome
screens.  Also upon completion, if "Quit" is chosen instead of "Reboot",
the "target" drive and directory becomes default.

Ease of use

The program is "menu driven", but use without a mouse is not necessarily
intuitive, nor do all menus work consistently.  (For example, all
options on the main menu are accessed by initial letter except "Exit"
which is only accessible by pressing the "X" or "ESC" keys.)  Ten pages
of the manual are devoted to the use of the interface.  The menus are,
however, generally clear and readable.  (Unless, as mentioned above, the
monitor type is not consistent with "highlights" generated in CGA mode.)

The "Advanced scan" and "Auto-inoculate" features of the system are
simply variations on checksumming and change detection, but are set up
and explained in a manner which appears to be unnecessarily confusing.
The options available in the "Options/Configuration" menu allow for a
considerable degree of customization, but reasons for choosing certain
options are not clear in the initial installation section of the manual.
The monitor "box" in the menu is not accessible in any way, nor is it
explained in either the manual or the help text.  Some options do not
appear to work: I did not choose to "Disable scan Cancel *b*utton" (*b*
being the letter used to access this option), but the "cancel scan"
option was disabled on my program anyway.

If a virus is detected in memory at the beginning of a scan, the program
will refuse to scan further.  This is an advantage in that it prevents
infection by viri which infect each file as it is opened, but there is no
"discretion" on this feature, and it activates even when boot sector
viri are found.  The program does not terminate, but will not perform
(in terms of scanning).  No help is given at this point: the user is
referred to a section of the manual.

Help systems

The program contains an extensive help file.  Personally, I did not find
the onscreen help to be very useful, generally having to go to the
reference section of the manual if I could not figure out the operation
from the menus.

Compatibility

Norton Antivirus is stated to be compatible with Windows.  However,
careful examination of the disk READ.ME file indicates that this
compatibility is true only in that the TSR scanner can continue to alert
users through the "siren" if the "alert boxes" are turned off while
Windows is in operation.  NAV is not compatible with Desqview, and has
difficulty with a number of other TSRs and related utilities.  Careful
reading of the READ.ME file is suggested on systems with extensive use
of TSR programs.

The program shipped as of December 7, 1990 identifies a significant
proportion of the viral programs identified by the Brunnstein, Hoffman,
McAfee and Skulason lists.  The company has also provided a means of
regular updates of "signature" information.

The "change detection" information is not added to the file to be
checked, so it does not interfere with "internal" self checks.  However,
the information is not stored in a single outside file, but in a
"hidden, system" file created for each program to be checked.  As the
READ.ME file indicates, this may take up considerable space on a hard
disk, and may be difficult to recover even after programs are removed.

Company Stability

Symantec and Peter Norton have both been solid companies in their
respective environments.

Company Support

The company provides both a technical support line and a "Virus
Newsline" for update information on new viral signatures.  There is
provision for access to information through "voice mail", fax and
commercial information services.  Suggestions from the company indicate
that this is seen as valuable primarily to corporate customers, who can
take advantage of economies of scale in distributing the information
internally and recovering the cost of obtaining the information.

It should be noted that although the program was promised to the
reviewer in November, it required eleven return phone calls to five
different offices to finally have it delivered over three months later.

Documentation

The documentation is extensive, but the layout would not be simple for a
novice to follow.  While the information is all there, even after a
thorough reading it is hard to remember where a specific item is.  The
"Quick Start" section does provide an acceptable installation, if
default values are all valid in the user's system.

The "clean start" provisions of both the "Quick Start" and installation
sections should prevent installation on an infected system *if followed
rigorously*.  However, even here the directions may be confusing to a
novice.  The "About Viruses" section is of little use.

As mentioned before, many corrections and omissions from the manual are
pointed out in the READ.ME file on disk, and the documentation should
not be considered complete without it.

Hardware Requirements

No special hardware is required.

Performance

As mentioned, the NAV program identifies a larger number of viral
signatures than does any commercial product reviewed to date, with
provisions for constant updating of the signature files.  The scanning
is also very fast, approaching the speed of TBSCAN and VPCSCAN.

The TSR scanner, NAV_.SYS, is invoked from CONFIG.SYS (cf F-DRIVER.SYS
in the FPROT package.)  Not only can it not prevent infection of the
system from a "boot sector" infected diskette, it also does not detect
the presence of such a virus in memory, and it neither prevents infection
of diskettes, nor alerts the user to the use of an infected diskette or
the operation of infecting.

Repair of viral programs appeared to be effective.

Local Support

Although local sales offices of Symantec/Peter Norton are widely
available, support is only provided through the central technical
support and "Virus Newsline" numbers.

Support Requirements

In its current form, the product is suitable for novice users, but
installation and actions when a virus is found may require more expert
support.

                                General Notes

The provision of access to update information gives this product a
significant advantage.  There are, however, some weaknesses to be dealt
with, and a general improvement is needed in the documentation and ease
of use before it is suitable for all users.

copyright Robert M. Slade 1991  PCNRTNAV.RVW  910315


=============
Vancouver          [email protected]   | You realize, of
Institute for      [email protected] | course, that these
Research into      (SUZY) INtegrity         | new facts do not
User               Canada V7K 2G6           | coincide with my
Security                                    | preconceived ideas

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 45]
*****************************************
