VIRUS-L Digest Friday, 29 Mar 1991 Volume 4 : Issue 50
Today's Topics:
Al Woodhull's Request for virus information
How safe is a Write-protected diskette?
Re: Review of Norton Antivirus (PC)
Re:Mutation of Stoned/Implications for self check boot sectors(PC)
Request for general virus info
Hardware failures & viruses (PC)
Mutation of Stoned (PC)
Taking out A: & USSR BBS
Re: Integrity Checking, programs, etc
Partitions (PC)
Re: Virus naming
"Six Bytes" (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 27 Mar 91 14:11:22 -0700
From: [email protected] (Richard W Travsky)
Subject: Al Woodhull's Request for virus information
Al <AWOODHULL@HAMPVMS> Woodhull's request for virus info strikes a
chord here as we're going through some similar gyrations. Does it
seem like a good idea to anyone else to perhaps have some FTPable
repository for such things? Myself I would've found it very helpful a
month or so ago, but still, it would be useful to others' approach.
[Ed. There is some information of this type available via the
VIRUS-L/comp.virus archives; take a look at the information in the
anonymous FTP on cert.sei.cmu.edu for starters.]
Richard Travsky
Division of Information Technology, University of Wyoming
Internet: RTRAVSKY @ CORRAL.UWYO.EDU
(307) 766 - 3663 / 3668
------------------------------
Date: Thu, 28 Mar 91 11:17:00 +1200
From: "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: How safe is a Write-protected diskette?
[Ed. WARNING! DANGER! This topic has come up before in the past and
has led to much speculation and drawn-out conversations. At one
point, a submitter consulted the IBM PC Technical Reference manual and
determined that the write protection on a standard IBM PC 5.25" disk
drive is indeed located in hardware. While I welcome open
discussion on this issue, I will only post follow-ups which cite
specific technical references. That is, no "I heard that you can..."
type of stories! I thank everyone in advance for helping me out on
this.]
Someone asked me recently whether it is possible that some disk drives
can write on a write-protected floppy. I know that modern drives (that
are working properly) block this at the controller level, so even if a
virus wrote directly to the diskette controller ports, bypassing BIOS
as well as DOS, it wouldn't be able to write. But can anyone answer
for sure whether there are any, perhaps older, drives where it is
possible? I know that some 8" diskette drives used the opposite
standard for write-protection (a tab *enables* writing). Anyone know
of 5.25" drives that are non-standard or bypassable??
Otherwise, I'm guessing his disk was already infected, or he used it
on a drive where the write protect or cable was faulty. Moral of the
story: Check even your write-protected diskettes!
Thanks,
Mark Aitchison, Physics, University of Canterbury, New Zealand.
------------------------------
Date: Thu, 28 Mar 91 16:13:24 +0000
From: [email protected] (Tomasz R. Zdrojewski)
Subject: Re: Review of Norton Antivirus (PC)
The NAV program is not suitable for normal virus removal. In a
personal test, I was able to infect my command.com, NAV itself and
quite a few other files. The program ignored the sample virus I ran
and said the system was fine. I would only recommend it for its
ability to add new virus tags.
Tom
------------------------------
Date: 28 Mar 91 15:28:47 -0500
From: "David.M.Chess" <[email protected]>
Subject: Re:Mutation of Stoned/Implications for self check boot sectors(PC)
"Nick FitzGerald" <[email protected]>:
> David - are you thinking about the (I think) Zenith machines that
> write the boot time and date in the MBR each boot up, or do you mean
> something different?
I don't know! *8) Someone that I trust to be reasonably knowledgeable
in such things told me a while back something like (I didn't write it
down) this: some hard disk controllers keep some information about the
structure of the hard disk on the hard disk itself, in the MBR. If
something changes that information, they write it back there again.
This didn't sound terribly likely to me, and I wouldn't be surprised
if it's either subtly misstated, or I've misremembered it. The only
machines I deal with are True Blue IBM's, and I don't know of any that
do things like that... DC
------------------------------
Date: Thu, 28 Mar 91 10:47:45 -0800
From: [email protected] (Rob Slade)
Subject: Request for general virus info
AWOODHULL%[email protected] (Al Woodhull) writes:
> Dear VIRUS-L readers,
> I can't claim to be a virus expert, but I am trying to learn
> as much as possible about virus action and prevention. As the only
> faculty member at Hampshire College who teaches assembly language
> programming and computer architecture I am the best candidate to
> become a local semi-expert.
For those on the east coast, a two day seminar will be presented in
Arlington, VA April 23 - 24, and New York City April 25-26. For
information contact the Center for Advanced Professional Development
at (714) 261-0240.
=============
Vancouver Institute for Research into User Security
[email protected]
[email protected]
(SUZY) INtegrity
Canada V7K 2G6
You realize, of course, that these new facts do not coincide with my preconceived ideas
------------------------------
Date: Thu, 28 Mar 91 11:11:00 -0800
From: [email protected] (Rob Slade)
Subject: Hardware failures & viruses (PC)
[email protected] (Eldar A. Musaev) writes:
> often disturbed by users who take hardware failures for a virus. And
> sometimes a hardware problem led someone to notice the presence of
> a virus. I think a similar situation was in the case noted by Adam
> M. Gaffin last month. What could we do to help users to distinguish
> viruses and failures? Except scanners, of course.
I think Padgett's plan has considerable merit, but I suggest that we
are going to see a lot of this type of confusion for a long time to
come. Computer users, even very skilled and experienced computer
users, have very little understanding of what a computer viral type
program is, and what it is not.
I still find that I have to begin all presentations, whether to
clerical staff or computer support experts, with a definition of a
virus, and a number of instances of "things" that are not viri. The
AIDS "trojan" extortion program was described in a major write-up in a
major journal as a virus. McAfee's book speaks of the existence of
various viri that damage hardware, even though we have yet to receive
an authentic account of one doing so. I cringe at some of the advice
given out on local bulletin boards by some of the self-styled
"experts".
Viral programs are now at least acknowledged by the general
population, and the media is probably over the worst of the "errors"
that have been published. But there is still a looonng way to go in
educating the general computer using populace.
=============
Vancouver Institute for Research into User Security
[email protected]
[email protected]
(SUZY) INtegrity
Canada V7K 2G6
You realize, of course, that these new facts do not coincide with my preconceived ideas
------------------------------
Date: Thu, 28 Mar 91 10:32:53 -0800
From: [email protected] (Rob Slade)
Subject: Mutation of Stoned (PC)
[email protected] (David.M.Chess) writes:
> Now I'm taking an unusual (for me) risk here, as I'm at home with the
> tail end of a nasty cold, and can't verify it, but I'm Pretty Sure
> that the standard normal everyday Stoned virus spells the word with an
> "S" ("LEGALISE"). There are also many cases in which the word
Just to confirm David's posting, of the four variants of "Stoned" that I
have, all are spelled "LEGALISE".
=============
Vancouver Institute for Research into User Security
[email protected]
[email protected]
(SUZY) INtegrity
Canada V7K 2G6
You realize, of course, that these new facts do not coincide with my preconceived ideas
------------------------------
Date: Thu, 28 Mar 91 20:00:02 -0400
From: George Svetlichny <[email protected]>
Subject: Taking out A: & USSR BBS
I - Taking out A:
After a recent attack by Joshi on my department's XT used for TeX
editing, I decided to try a dirty approach against boot viruses:
taking out the A: drive and leaving only drive B: around. The
hardware complains at boot-up but continues on to boot from the
Winchester. With this success, I did the same on most other
two-drive machines (a few administrative programs require a disk in
A: to function), and reconfigured the one-drive machine's drives to
be B: also. Some fiddling with set-ups and hardware is usually
required. Since no user *really* needs two floppy drives this should
take care of all boot infectors which by the way are the most common
viruses around here (Ping-Pong, Stoned, and Joshi are endemic in Rio
de Janeiro). Of course, if I ever need to boot from a floppy, I will
have to open the machine and mess around with cables or jumpers, but
this is so rare that it doesn't seem like an unreasonable price. Any
comments?
DISCLAIMER - If anyone else tries this, he/she does so at his/her own risk; I
cannot be held responsible for any damage or inconvenience resulting
from unusual hardware configurations.
II - USSR BBS
In Virus-l 4/48 Selden E. Ball, Jr. <[email protected]> writes:
> It is now possible to direct-dial computer bulletin boards in the USSR
> and eastern European countries. Many of them are already on FidoNet.
> The following list of BBSs was recently posted to a widely read
> news group.
>
> The potential transmission speed for computer viruses is
> increasing faster than your favorite comparison.
> sigh.
Selden is here trying to perpetrate the popular myth that BBSs are a
major vector for computer virus transmission. Discounting the rare
"Virus BBSs" the opposite is usually true. Instead of seeing in the
increased number of Soviet BBSs a new virus threat, the proliferation
of networked BBSs should be welcomed as a potential and strong ally in
the dissemination of proper anti-virus information and tools. This
has certainly been the case here in Brazil.
George Svetlichny
Department of Mathematics
Pontificia Universidade Catolica
Rio de Janeiro, Brasil
[email protected]
------------------------------
Date: Fri, 29 Mar 91 11:37:00 +1200
From: "Nick FitzGerald" <[email protected]>
Subject: Re: Integrity Checking, programs, etc
In VIRUS-L V4 #49 [email protected] (Fridrik Skulason) wrote:
>padgett%[email protected] (Padgett Peterson) writes:
>>NO ! It will not defeat "any kind of integrity check" though "stealth"
>>will defeat SCAN's if the /nomem switch is in use (wish we had italics) While
>>the "stealth" seen so far will defeat a program integrity check, it will NOT
>>defeat a system integrity check (the six bytes).
>
>I don't mean to be insulting, but I have said it before, and I will
>say it again: The six-byte check is no substitute for a full system
>integrity check! Although it will detect most viruses, it will NOT
>detect them all, in particular it will miss some "stealth" viruses,
>like the "Number of the Beast".
I've been following along for about eight months or so now, and have
seen a few references to the "six-byte check" referred to above, but
don't recall ever seeing an _explanation_ of what this is.
If I've missed something simple or fundamental - common knowledge -
please reply by mail with a description. If it hasn't appeared here
already (or was a long time ago), is it time to re-post something to
the group?
Thanks,
---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: [email protected] Phone: (64)(3) 642-337
------------------------------
Date: Thu, 28 Mar 91 19:31:09 -0500
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Partitions (PC)
>From: "Nick FitzGerald" <[email protected]>
>Subject: STONED Problems (PC)
>Padgett Peterson <padgett%[email protected]> wrote:
> Some OEM versions of DOS (some of them still
>labelled MS DOS) with version numbers 3.0 and above have versions of
>FDISK that still begin the first partition at 0,0,2 - from memory, I
>think Falcon DOS 3.1 is one such. This may give a tiny bit more
>usable disk space, but causes grief after a Stoned strike.
This is very interesting, I had wondered since machines loaded with
DOS 2.X have been advertised until recently. Since I have not seen
many of the OEM versions of DOS this is quite possible. One point
though: A disk could be partitioned with FDISK 1.00 even though a
later version of DOS is loaded. I would like to hear from the readers
if they have come across any later partitioning software that does not
use "hidden sectors" as described.
>So Padgett's recovery scheme only works if you happen to discover your
>HD is infected between the actual infection (booting from an infected
>floppy) and the first attempt to create or update a file, which
>results in the 6th sector of FAT#1 being updated (at which point the
>Stoned code is copied to FAT#2).
Agree: the anti-viral mechanism I use detects such happenings
immediately and does not even allow a boot to complete if this has
occurred. Also none of my disks are partitioned this way. Still, it's
worth a try and beats the alternatives. I would recommend that anyone
who feels their system is at risk from malicious software and is
partitioned as above take the time to repartition their disk with the
"hidden sectors" method. You lose a whopping 8k on a MFM drive.
I would expect that the user would experience massive failures before
getting to the writing stage. The most likely problem would stem from
an attempt to use CHKDSK/F or Norton's to recover before finding the
real cause of the trouble.
Nick's points are very well taken and demonstrate the value of doing
your homework on the architecture. He has taught me some new things.
Padgett
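The partition-start question Nick and Padgett are discussing can be checked directly from a disk's master boot record. The Python below is an added example written for this digest page, not code from either of them: it decodes the four partition-table entries, reports how many "hidden sectors" precede the first partition, and flags the case where that partition begins at cylinder 0, head 0, sector 2. It assumes a constructed MFM-style geometry of 4 heads and 17 sectors per track, and uses the documented fact (not stated in the digest) that Stoned saves the original master boot record at cylinder 0, head 0, sector 7 of a hard disk. The two MBR images are built inside the script, so it runs offline.

```python
"""Added example (not from the digest): decode a PC partition table and flag a
first partition that begins at 0,0,2 with no hidden sectors, the layout that
puts file-system sectors under the spot Stoned overwrites."""
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE          # the four 16-byte partition entries start here
ENTRY_SIZE = 16
SECTOR_BYTES = 512
HEADS = 4                     # assumed geometry (constructed): 4 heads, 17 sectors/track
SECTORS_PER_TRACK = 17
STONED_SAVE_CHS = (0, 0, 7)   # documented Stoned behaviour on hard disks (not from this digest)

CHS = Tuple[int, int, int]    # (cylinder, head, sector); sectors are numbered from 1


def decode_chs(head: int, sect_cyl_hi: int, cyl_lo: int) -> CHS:
    """Unpack the packed 3-byte CHS field of a partition entry."""
    sector = sect_cyl_hi & 0x3F
    cylinder = ((sect_cyl_hi & 0xC0) << 2) | cyl_lo
    return cylinder, head, sector


def encode_chs(chs: CHS) -> bytes:
    """Inverse of decode_chs, used only to build the constructed sample images."""
    c, h, s = chs
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def chs_to_lba(chs: CHS, heads: int = HEADS, spt: int = SECTORS_PER_TRACK) -> int:
    """Linear sector number for a CHS triple under the given geometry."""
    c, h, s = chs
    return (c * heads + h) * spt + (s - 1)


def build_mbr(start: CHS, end: CHS, sector_count: int, ptype: int = 0x04) -> bytes:
    """Constructed 512-byte MBR: empty code area, one bootable entry, 55AA signature."""
    entry = (bytes([0x80]) + encode_chs(start) + bytes([ptype]) + encode_chs(end)
             + struct.pack("<II", chs_to_lba(start), sector_count))
    return bytes(TABLE_OFFSET) + entry + bytes(ENTRY_SIZE * 3) + b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Return the non-empty partition entries of a raw MBR image."""
    if len(mbr) != MBR_SIZE or mbr[-2:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        fields = struct.unpack_from("<8BII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        status, sh, ss, sc, ptype, eh, es, ec, lba_start, count = fields
        if ptype == 0:              # empty slot
            continue
        entries.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_chs": decode_chs(sh, ss, sc),
            "end_chs": decode_chs(eh, es, ec),
            "lba_start": lba_start,
            "sectors": count,
        })
    return entries


def assess_first_partition(mbr: bytes) -> Dict:
    """Report hidden sectors and whether Stoned's save sector lands inside the partition."""
    parts = parse_partition_table(mbr)
    if not parts:
        raise ValueError("no partitions defined")
    first = min(parts, key=lambda p: p["lba_start"])
    hidden = first["lba_start"]                 # sectors before the partition boot sector
    stoned_lba = chs_to_lba(STONED_SAVE_CHS)    # = 6 with the assumed geometry
    inside = stoned_lba >= hidden
    return {
        "start_chs": first["start_chs"],
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_BYTES,  # the space given up for a hidden track
        "stoned_sector_in_partition": inside,
        # 0-based offset from the partition boot sector when it does land inside
        "offset_in_partition": stoned_lba - hidden if inside else None,
    }


# Constructed images for a small 305-cylinder disk: one partitioned at 0,0,2,
# one leaving the first track hidden and starting at 0,1,1.
TIGHT_MBR = build_mbr((0, 0, 2), (304, 3, 17), 20739)
STANDARD_MBR = build_mbr((0, 1, 1), (304, 3, 17), 20723)

if __name__ == "__main__":
    for name, img in (("0,0,2 layout", TIGHT_MBR), ("hidden-track layout", STANDARD_MBR)):
        print(name, assess_first_partition(img))
```

Run as a script it prints both assessments; `hidden_bytes` for the second image is 8704, the one-track gap Padgett calls a whopping 8k. On a real disk the geometry comes from the BIOS or the drive, so pass it into `chs_to_lba` rather than trusting the constants, and remember that a partition starting at 0,0,2 is a recovery problem after a Stoned strike, not a sign of infection by itself.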
------------------------------
Date: 29 Mar 91 14:40:18 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Virus naming
[email protected] (David.M.Chess) writes:
>Our current rather tentative approach is to use a
>generally-non-numeric stem for each virus family, and then tack on a
>number or similar object to pin down exactly which object we're
>discussing. So we talk about the "Flip-2343" and the "Flip-2153"
This is same as I do, but possibly with a letter added at the end, if
two variants have the same length, like
Plastique/AntiCAD-4096A
Plastique/AntiCAD-4096B alias "Invader"
Plastique/AntiCAD-4096C alias "Invader B"
With 4-5 new viruses every week, the naming problem is getting pretty
bad...
-frisk
------------------------------
Date: Thu, 28 Mar 91 19:32:00 -0500
From: Padgett Peterson <padgett%[email protected]>
Subject: "Six Bytes" (PC)
>From: [email protected] (Fridrik Skulason)
>Subject: Re: Integrity Checking, programs & system
>I don't mean to be insulting, but I have said it before, and I will
>say it again: The six-byte check is no substitute for a full system
>integrity check! Although it will detect most viruses, it will NOT
>detect them all, in particular it will miss some "stealth" viruses,
>like the "Number of the Beast".
I did not think I ever said that it was. In fact in my New York paper
specific mention was made that it did not detect the 512 (Number of
the Beast). It will also not detect the Alabama, Icelandic, EDV, or
any virus that does not go resident. What was said was that it will
detect all currently "common" viruses (though to detect the
Jerusalem/Sunday or 1701/1704 variants, knowledge of the system is
required). Also, though I usually tell people that intelligent use of
CHKDSK will perform essentially the same function. Sure, a lot more
can be done, but my purpose was to defuse some of the "undetectable
viruses" hysteria that was surrounding the last crop of "stealth"
(FLIP, 4096, WHALE, JOSHI) viruses when they are really easy to spot
(also BRAIN {the first "stealth"}, YALE, STONED, DATALOCK, AZUSA,
MUSICBUG, etc).
Point is that most of the postings I see here asking for assistance
are not from experts with some new research virus that can exploit an
obscure hole in a specific system (or does the INT13 understand both
DOS 3.X and 4.X buffer chains ?), but real people needing real help
now.
CHKDSK or Int 12/Int 21 fn 48 values are also an easy way for someone
a continent away and without any software tools that don't come with
DOS to describe what is happening, something I have done several times
on the telephone. 655360 "total bytes memory" should be engraved in
every technician's mind.
I will admit to tailoring most of my postings to be educational for
the participant who is reasonably PC-lucid but has not had the
opportunity to spend years of in depth study on undocumented
interrupts. For this reason, my public comments have been slanted
toward what can be done in five minutes with DEBUG and be stated as
easily. Private conversations with people in trouble have gone into
much greater depth but I have found that the simple techniques are
effective most of the time.
Possibly, my last posting on removal of AZUSA was too technical but
did not know another way to phrase it. "Send all your money and a
plane ticket" seems a bit commercial and enough people had asked that
I felt it might be useful.
>However, my main point is this - it is possible to make a program
>integrity check which will detect infection by all "stealth" viruses
>known today, and (I hope) tomorrow's viruses as well.
I agree completely, such a program is not only feasible, but
relatively simple. Readers who have been following our discussions
will recall one statement I have been making for some time: an
effective defense MUST start at the BIOS level, something that has
nothing to do with the "six bytes". Such a program's major difficulty
will be to handle every oddball O/S, partitioning scheme, and
non-compliant application around.
One of my detectors went off on a MicroSoft WORD for Windows ver 1.1
installation disk. For some reason the disk was formatted with IBM 3.3
as used by COMPAQ (figure that one out). To get the COMPAQ logo into
the boot record, the information was one byte too long to follow the
MicroSoft specification so the code appeared to start one byte back in
a "reserved" area. BONG !
>I cannot go into details, but I do have a working program which is
>able to do this - more details next month.
Is this why the "insulting" of the "six bytes" ? I admit to being
surprised that someone with your well-deserved reputation and many
contributions would feel it necessary to harp on admitted flaws in
something that is not a commercial product but merely a technique some
people find useful.
Bemusedly,
Padgett
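Padgett's telephone-friendly check, reading the "bytes total memory" figure and comparing it with 655360, as an added example written for this page rather than Padgett's own code: it parses constructed CHKDSK-style output, accepts an INT 12h-style kilobyte value as well, and reports the shortfall. The 2 KB reduction in the suspect sample is the amount Stoned reserves for itself when resident, a documented figure the digest itself does not state; the `expected` baseline is a parameter because some machines legitimately report less than 640 KB.

```python
"""Added example (not from the digest): the conventional-memory check Padgett
describes, driven by constructed CHKDSK-style output.  A boot-sector infector
that stays resident lowers the BIOS top-of-memory figure by the room it keeps
for itself; the 2 KB shortfall in the suspect sample is what Stoned takes
(a documented figure, not stated in the digest)."""
import re
from typing import Dict, Optional

EXPECTED_TOTAL = 655360          # 640 KB, the number Padgett wants engraved in every mind
KB = 1024

# Constructed CHKDSK-style output; only the "bytes total memory" line matters here.
CLEAN_CHKDSK = """\
  21309440 bytes total disk space
     73728 bytes in 3 hidden files
    655360 bytes total memory
    584736 bytes free
"""

SUSPECT_CHKDSK = """\
  21309440 bytes total disk space
     73728 bytes in 3 hidden files
    653312 bytes total memory
    582688 bytes free
"""

_TOTAL_RE = re.compile(r"^\s*(\d+)\s+bytes total memory\s*$", re.MULTILINE)


def total_memory(chkdsk_output: str) -> Optional[int]:
    """Pull the 'bytes total memory' figure out of CHKDSK output, or None if absent."""
    m = _TOTAL_RE.search(chkdsk_output)
    return int(m.group(1)) if m else None


def int12_to_bytes(ax: int) -> int:
    """INT 12h returns conventional memory in KB in AX; CHKDSK prints the same figure in bytes."""
    return ax * KB


def check_total(total: int, expected: int = EXPECTED_TOTAL) -> Dict:
    """Compare a memory total against the machine's known-good figure."""
    shortfall = expected - total
    if shortfall == 0:
        status = "ok"
    elif shortfall > 0:
        status = "reduced"          # something resident has moved the top of memory down
    else:
        status = "above-baseline"   # baseline was recorded wrongly; re-check the machine
    return {"total": total, "expected": expected,
            "shortfall_kb": shortfall // KB if shortfall > 0 else 0, "status": status}


def check_chkdsk(chkdsk_output: str, expected: int = EXPECTED_TOTAL) -> Dict:
    """Run check_total on the figure found in CHKDSK output, if any."""
    total = total_memory(chkdsk_output)
    if total is None:
        return {"total": None, "expected": expected, "shortfall_kb": None, "status": "no-data"}
    return check_total(total, expected)


if __name__ == "__main__":
    for label, out in (("clean", CLEAN_CHKDSK), ("suspect", SUSPECT_CHKDSK)):
        print(label, check_chkdsk(out))
    print("int12", check_total(int12_to_bytes(638)))
```

A "reduced" result is a prompt to look further, not a verdict: resident drivers and TSRs loaded before CHKDSK runs, or a BIOS that reserves an extended data area, also lower the figure, which is why the baseline should be the number a known-clean copy of the same machine reports rather than a universal constant.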
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 50]
*****************************************