VIRUS-L Digest Friday, 5 Apr 1991 Volume 4 : Issue 53
Today's Topics:
Bug in DISKSECURE (PC)
Re: Mutation of Stoned/Implications for self check boot sectors(PC)
Unix viruses and damaging programs (UNIX)
A personal announcement
WANTED: Virus Detectors for Suns running UNIX (UNIX)
1813 Virus on a PC (PC)
MDC questions
F-DRIVER.SYS (v 1.14) problems & questions (PC)
April Fool's Day virus (PC)
Re: New Mac Hypercard Virus (Mac)
Joshi Virus in part. table (PC)
Virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 03 Apr 91 10:02:43 -0500
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Bug in DISKSECURE (PC)
For those who have received the distribution of DISKSECURE
(v.93) containing the batch file lines for checking if DS is present
(contained in DS.B supplied with distribution) the lines containing
"if not errorlevel 0" are null statements. The lines (2) should start
"if not errorlevel 1" otherwise the failure message and pause will not
occur. Since this should be seen if someone removes DISKSECURE or it
is somehow bypassed, the check from DOS is an important element.
Oh well, that's what beta versions are for, but I apologise for
any inconvenience.
Warmly,
Padgett
------------------------------
Date: 03 Apr 91 21:22:01 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Mutation of Stoned/Implications for self check boot sectors(PC)
[email protected] (David.M.Chess) writes:
"Nick FitzGerald" <[email protected]>:
> David - are you thinking about the (I think) Zenith machines that
> write the boot time and date in the MBR each boot up, or do you mean
> something different?
Huh ?
I have never heard of any machine which would modify the MBR on each
bootup. If this is true I would very much like to see it confirmed.
I think somebody may be confusing this with the practice of Zenith DOS
(or at least some versions of it) to write to the DOS boot record -
that is it updates an area containing information on where to start
looking for "free" space on the disk.
I discovered this when people started complaining that my F-OSCHK
(which among other things does a checksum test of the boot sector)
reported constant changes on some Zenith machines.
-frisk
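An added example (not F-OSCHK or any code from this post) of the kind of boot-sector check being discussed: the checksum zeroes a known volatile field before hashing, so an operating system that legitimately rewrites that field on every boot does not trip the alarm, while a change to the loader code still does. The sector contents and the offsets of the volatile field are constructed assumptions, not those of any real DOS.

```python
"""Boot-sector integrity check that tolerates one known volatile field.

Added example; the sector layout and the volatile offsets are assumptions
constructed for the demonstration, not a real boot record.
"""
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

# Hypothetical: assume the OS rewrites these 8 bytes on every boot
# (a "where to start looking for free space" hint, say).
VOLATILE_RANGES = [(0x1F0, 0x1F8)]


def naive_digest(sector: bytes) -> str:
    """Checksum of the whole sector; any change at all is reported."""
    return hashlib.sha256(sector).hexdigest()


def masked_digest(sector: bytes, volatile_ranges=VOLATILE_RANGES) -> str:
    """Checksum with the known volatile bytes zeroed before hashing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    buf = bytearray(sector)
    for start, end in volatile_ranges:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(bytes(buf)).hexdigest()


def check_sector(baseline: str, sector: bytes,
                 volatile_ranges=VOLATILE_RANGES) -> str:
    """Compare a sector with a stored masked baseline.

    Returns 'ok', 'bad-signature' (no 55AA marker) or 'changed'.
    """
    if sector[-2:] != BOOT_SIGNATURE:
        return "bad-signature"
    if masked_digest(sector, volatile_ranges) == baseline:
        return "ok"
    return "changed"


def constructed_sector(hint: bytes, code_patch: bytes = b"") -> bytes:
    """Build a constructed sample sector (not a real boot sector)."""
    buf = bytearray(SECTOR_SIZE)
    buf[0:3] = b"\xEB\x3C\x90"               # typical JMP SHORT + NOP start
    buf[3:11] = b"CONSTRCT"                  # OEM label placeholder
    buf[0x3E:0x3E + 64] = bytes(range(64))   # stand-in for loader code
    buf[0x3E:0x3E + len(code_patch)] = code_patch
    buf[0x1F0:0x1F8] = hint.ljust(8, b"\x00")[:8]   # the volatile field
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def demo() -> dict:
    """Boot 1 sets the baseline; boot 2 only updates the hint field;
    the third sector has two loader bytes altered but the hint intact."""
    first_boot = constructed_sector(b"\x01\x00")
    baseline = masked_digest(first_boot)
    second_boot = constructed_sector(b"\x02\x00")
    tampered = constructed_sector(b"\x01\x00", code_patch=b"\xCD\x13")
    return {
        "naive_flags_reboot": naive_digest(first_boot) != naive_digest(second_boot),
        "masked_flags_reboot": check_sector(baseline, second_boot) != "ok",
        "masked_flags_tamper": check_sector(baseline, tampered) != "ok",
    }


if __name__ == "__main__":
    print(demo())
```

The mask has to be chosen per operating system from documentation of the boot record, and it should cover only data fields; masking any byte the loader actually executes would hide exactly the change the check exists to find.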
------------------------------
Date: Wed, 03 Apr 91 21:10:57 +0000
From: [email protected] (Van Cleef Henry H)
Subject: Unix viruses and damaging programs (UNIX)
I have been asked to consider the possibility of virus, trojan horse,
etc. attacks on a distributed Unix fileserver system. My role with
Iowa State is as a consultant--Unix is new here, and the system we are
building, known as "Vincent," while not new in concept, is new in many
details of its implementation. My credentials may be verified with
Dr. George Strawn, director, and George Covert, associate director, of
the Iowa State Computation Center.
My study begins with some assumptions, which I should state here.
a. That MS-Dos viruses (is this an all-encompassing term for things
that tamper with and destroy the OS and programs?) have conceptual
parallels in the Unix o/s. i.e. the kernel is equivalent to
COMMAND.COM, the file system superblock is equivalent to the FAT, etc.
b. That all "security" to read and write as a superuser has already
been breached and that this breach has gone undetected.
c. That one workstation with a bootable hard disk is accessible to the
individual planning to damage the system.
d. That the individual is sufficiently sophisticated to avoid leaving
obvious clues (file sizes, dates, etc.).
e. We should consider that the individual may have access to the o/s
source code.
I am particularly interested in comments about:
a. Known attacks on Unix o/s involving tampering with the o/s kernel
and commands.
b. Methods for checking integrity of these.
c. Methods for damage control to prevent propagation throughout the
net.
The purpose in making this post is to establish contact with others
working with similar issues. Iowa State is not presently prepared to
quarantine or work with actual "virus" code. Our concern is to plan
for dealing with attacks of this nature when, as, and if they appear.
(Since they are not in my signature file)
Henry van Cleef 219 Durham Center, Iowa State Univ.
515-294-2903 (voice)
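As an added example for the integrity question (b) above, not code from Iowa State or from this post: a hash-based baseline of kernel and command files. It is built under assumption (d), that a tamperer keeps file sizes and dates unchanged, and shows that a size/date comparison then reports nothing while a content hash still flags the replaced binary. The file names, contents and the tampering step are constructed.

```python
"""Hash-based integrity baseline for kernel and command files.

Added example, not code from the post.  File names, contents and the
tampering below are all constructed to show the point.
"""
import hashlib
import json
import os
import shutil
import tempfile

WATCHED = ["vmunix", "bin/ls", "bin/login"]   # hypothetical file list


def file_record(path: str) -> dict:
    """Content hash plus the metadata a naive check would compare."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mtime": int(st.st_mtime), "mode": st.st_mode & 0o7777}


def build_baseline(root: str, watched=WATCHED) -> str:
    """Snapshot as JSON text, to be kept off the machine being checked."""
    records = {rel: file_record(os.path.join(root, rel)) for rel in watched}
    return json.dumps(records, sort_keys=True)


def verify(root: str, baseline_json: str) -> list:
    """Compare live files against the baseline; the content hash decides."""
    findings = []
    for rel, old in json.loads(baseline_json).items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        new = file_record(path)
        if new["sha256"] != old["sha256"]:
            findings.append((rel, "content-changed"))
        elif new["mode"] != old["mode"]:
            findings.append((rel, "mode-changed"))
    return findings


def metadata_only_verify(root: str, baseline_json: str) -> list:
    """Size-and-date comparison only, for contrast with verify()."""
    findings = []
    for rel, old in json.loads(baseline_json).items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        st = os.stat(path)
        if st.st_size != old["size"] or int(st.st_mtime) != old["mtime"]:
            findings.append((rel, "size-or-date-changed"))
    return findings


def demo() -> dict:
    """Constructed scenario: replace bin/login with same-size content and
    put the original timestamps back, as assumption (d) supposes."""
    root = tempfile.mkdtemp(prefix="vincent-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        contents = {"vmunix": b"KERNEL-IMAGE" * 64,
                    "bin/ls": b"LS-BINARY-0001",
                    "bin/login": b"LOGIN-BINARY-0001"}
        for rel, data in contents.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        target = os.path.join(root, "bin/login")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"LOGIN-BINARY-EVIL")             # same length as before
        os.utime(target, (st.st_atime, st.st_mtime))  # restore the dates

        return {"metadata_only": metadata_only_verify(root, baseline),
                "content_hash": verify(root, baseline)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Under assumption (b), the superuser is already compromised, so the baseline and the checking program themselves must live where that superuser cannot rewrite them (read-only or removable media, or another host), and the check should run from a boot that does not depend on the suspect kernel.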
------------------------------
Date: Wed, 03 Apr 91 21:53:25 +0000
From: [email protected] (Fridrik Skulason)
Subject: A personal announcement
As of today, I am no longer working at the University of Iceland. The
reason is simply the increased number of viruses - I just do not have
the time.
Instead I will work full-time on virus-analysis and the development of
anti-virus products.
My phone number (+354-1-694749), fax number (+354-1-28801) and E-mail
address ([email protected]) will not change, as I simply move from one
office to another.
If you have sent me E-mail the past week, please be patient - I have
been busy moving and just have not had any time to reply to my mail.
And yes, version 1.15 of F-PROT was delayed because of this, but will
be distributed within the next week.
-frisk
------------------------------
Date: Thu, 04 Apr 91 13:45:44 +0000
From: [email protected] (eRic Donaldson)
Subject: WANTED: Virus Detectors for Suns running UNIX (UNIX)
I was wondering if anyone out there knew of any Virus Detection
packages for Suns running UNIX (just like the Subject says).
Of course, Public Domain software is preferable, but the need for a
package may lead to actually purchasing one.
Any reviews of any such products would also be greatly appreciated.
Thanks kindly,
eRic
([email protected])
[Ed. While not a virus detection program per se, COPS is a good tool
(IMHO) for pointing out system configuration problems in UNIX systems.
It's available by anonymous FTP on cert.sei.cmu.edu.]
------------------------------
Date: Thu, 04 Apr 91 13:02:45 -0500
From: [email protected] (Joseph M Geigel)
Subject: 1813 Virus on a PC (PC)
Hello..
A friend of mine's PC just got infected with an "1813 Virus". I
was wondering if anyone had any specifics about this virus: what it
is, what it does, and how to get rid of it.
Any help would be greatly appreciated.
Thanks in advance,
-- jogle
att!floyd!jogle
[email protected]
------------------------------
Date: Thu, 04 Apr 91 13:14:51 -0700
From: [email protected] (James Kirkpatrick)
Subject: MDC questions
I've been looking into Manipulation Detection Codes (MDCs), partly by
reading Virus-L archives, and have a few questions:
- Robert Jueneman published a paper describing his own QCMDCV4 algorithm,
but Don Coppersmith published a review in which he states:
... "the described scheme is insecure (a fact apparently not noted
elsewhere); its simple construction allows a direct attack. The reader
is hereby warned against its implementation."
My question is, has Coppersmith ever published or described the
attack? I have not been able to find anything other than the above
claim. Also, has anybody implemented it, or obtained Jueneman's
implementation?
- SNEFRU was discussed on this list, but I was dismayed to find it
had been broken, and that Merkle's response was to increase the
number of passes. This worries me because of the experience of
knapsack cryptosystems, where a single-iteration system was first
broken, followed by the introduction of multiple-iteration systems,
which were in turn broken (at least, that is my recollection; I may
have some details wrong).
Questions: does anybody have a better feel for the probable security
of the multi-pass SNEFRU, knowing that the earlier version was
broken? Does the multi-pass version slow down the whole process
(or is it still acceptably quick)?
- MD4 was also discussed, and I have obtained the paper from
CERT.SEI.CMU.EDU in pub/virus-l/docs md4.rsa.paper. However,
the paper appears to be incomplete, in that it claims to contain
an example implementation, but only contains a few declarations and
seems to be missing actual code.
Questions: How does one get MD4? Has anybody broken it yet or
even proposed a method?
General question (last one!): Jueneman carefully points out weaknesses
in other MDCs, such as the inability to distinguish between a last
block that has been padded with (say) zeros, as opposed to a last
block that is "short." He points out that, for example, ANSI/ISO
standards (X9.9? I don't have the paper handy, sorry) have this flaw.
Do MD4 and/or SNEFRU suffer from this? (MD4 appears to be free of
this problem, but it is not explicitly stated as far as I can tell.)
Thanks in advance!
Jim Kirkpatrick
[email protected]
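An added example for the last question above (not code from the post, and not any real MDC): a toy iterated hash shows why a last block filled with zeros is ambiguous, and how appending the message length removes the ambiguity. MD4's padding does exactly that: it appends a single 1 bit, then zeros, then the 64-bit message length, so a message and the same message with a trailing zero byte never pad to the same input. The compression step here is a multiply-add chain with a bijective finaliser, chosen only so that distinct padded inputs can be seen to give distinct outputs; it has no security value of its own.

```python
"""Zero-padding ambiguity versus length-encoded (MD-strengthened) padding.

Added example; the compression step is a toy stand-in, not any real MDC.
"""
BLOCK = 8                    # toy block size in bytes
MASK64 = (1 << 64) - 1
IV = 0x0123456789ABCDEF      # arbitrary initial state


def compress(state: int, block: bytes) -> int:
    """Toy compression step: state <- state*31 + block (mod 2^64)."""
    return (state * 31 + int.from_bytes(block, "big")) & MASK64


def finalise(state: int) -> str:
    """Bijective xorshift-multiply mixing, so distinct states stay distinct."""
    state ^= state >> 32
    state = (state * 0x9E3779B97F4A7C15) & MASK64
    state ^= state >> 29
    return f"{state:016x}"


def pad_zero_only(msg: bytes) -> bytes:
    """Naive scheme: fill a short last block with zero bytes, no length."""
    rem = len(msg) % BLOCK
    return msg if rem == 0 else msg + bytes(BLOCK - rem)


def pad_md_strengthened(msg: bytes) -> bytes:
    """MD4-style scheme: append 0x80 (a single 1 bit), then zeros, then the
    message length in bits as an 8-byte big-endian field.  A message that
    already fills its last block still gets a padding block."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    return padded + (len(msg) * 8).to_bytes(8, "big")


def toy_mdc(msg: bytes, pad) -> str:
    """Iterate the toy compression step over the padded message."""
    data = pad(msg)
    state = IV
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return finalise(state)


def demo() -> dict:
    """b"abc" and b"abc\\x00" are different messages; with zero-only
    padding they become the same block, with the length appended they
    do not."""
    short = b"abc"
    explicit_zero = b"abc\x00"
    return {
        "zero_pad_collides":
            toy_mdc(short, pad_zero_only) == toy_mdc(explicit_zero, pad_zero_only),
        "strengthened_collides":
            toy_mdc(short, pad_md_strengthened) == toy_mdc(explicit_zero, pad_md_strengthened),
    }


if __name__ == "__main__":
    print(demo())
```

The same construction is what a checker needs at the file level: the stored value must commit to the exact byte length, or a file that grows or shrinks by trailing zero bytes verifies as unchanged.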
------------------------------
Date: Thu, 04 Apr 91 22:30:20 +0000
From: [email protected] (Nelson Bolyard)
Subject: F-DRIVER.SYS (v 1.14) problems & questions (PC)
With F-DRIVER.SYS installed, there is a 24 second delay when I run a
TSR called PSFX. NO error message is displayed, and no warning sounds
are emitted from the speaker during this inexplicable 24 second delay.
At the end of this delay, the PSFX program displays its
successful-installation banner, and terminates. The TSR seems to work
correctly, once the 24 second delay is past.
With F-DRIVER.SYS removed from CONFIG.SYS, PSFX takes much less than
one second to run and install.
To solve this problem, I've removed F-DRIVER.SYS from my
configuration. I surely wish I could run F-DRIVER.SYS *and* PSFX, but
a 24 second delay in AUTOEXEC.BAT is simply unacceptable. Can anyone
help me solve this?
For some time now, I've had the F-DRIVER.SYS driver from the FPROT114
package installed on my 386 PC system at home, along with QEMM 5.11
and HyperDisk, without any apparent problems. Recently, I purchased
PSFX, an EPSON FX-85 printer emulator that converts FX-85 output sent
to LPT1 into PostScript, which it then sends to a PostScript printer
on the real LPT1. This PSFX TSR should install in a flash, and does,
*except* when F-DRIVER.SYS is installed.
In truth, I don't know exactly what protection F-DRIVER.SYS supposedly
gives me, what types of problems it supposedly prevents, nor what I
should expect to experience (i.e. what F-DRIVER will do) if and when I
actually encounter a virus. I hope the answer is *not* a 24 second
delay 8-(.
I have read a posting that suggested that F-DRIVER gets involved in
the execution of programs by DOS, and then every time a new program is
executed, F-DRIVER checks the program for viruses first, and doesn't
allow the program to be executed if it finds a virus. Is this true?
Is this 24 second delay its clever 8-( way of telling me that it
thinks PSFX is infected?
I have also read that its only function is to check for and detect
boot-sector viruses, immediately after boot-up, and that if/when it
detects boot sector viruses, it hangs the system hard, to prevent the
boot sector virus from doing any more damage, without displaying any
kind of explanation message. Is this true?
I would appreciate it very much if someone would post a message to
this newsgroup (comp.virus) that says exactly what F-DRIVER does, what
kind of viruses it looks for, when it looks for them, and what it does
when it finds them. A suggested set of remedial steps to be taken
when F-DRIVER reports a virus (or whatever it does) would also be
appreciated.
Thanks in advance.
-----------------------------------------------------------------------------
Nelson Bolyard
[email protected] {decwrl,sun}!sgi!whizzer!nelson
Disclaimer: Views expressed herein do not represent the views of my employer.
-----------------------------------------------------------------------------
------------------------------
Date: 05 Apr 91 02:27:41 +0000
From: [email protected] (Victoria Harkey)
Subject: April Fool's Day virus (PC)
There was a posting on April 2 regarding a trojan horse that had activated
on April 1, and was now a full force virus. Has this virus been identified?
Has anyone been able to get rid of it?
I need this info fast. Please help.
E-mail or news group comp.virus is fine with me.
Viki
[email protected]
[email protected]
Victoria Harkey
Certified NetWare Engineer
------------------------------
Date: Fri, 05 Apr 91 03:06:49 +0000
From: [email protected] (Michael Kerner)
Subject: Re: New Mac Hypercard Virus (Mac)
[email protected] (SoftPlus, Paul Cozza,PRT) writes:
>For SAM 3.0 Users:
>
>A new Macintosh HyperCard virus has been found and has been named the
>HC Virus. The virus infects only HyperCard stacks, and is mostly
>annoying. With SAM 3.0 you can download the latest Virus Definitions
>file from the Symantec bulletin board which includes both detection
>and repair of stacks infected with this virus. You can also enter a
>virus definition via SAM Virus Clinic 3.0 if you only require
>detection capabilities for this virus. The proper virus definition for
>SAM 3.0 is included here.
>
> ...
>
>Paul Cozza
>SAM Author
Yo folks, it's me again. The question of the day is, "Is this virus a
virus or a Trojan Horse (Like Dukakis was)". If this "virus" attacks
stacks from a script, what does the script look like? The easiest way
to kill Dukakis (not to slam SAM, but it's overkill), is to (in your
HOME stack), intercept the SET command and check if the params
includes "Script", and then do further checks to see if it's Dukakis
(I don't remember the entire script, if anyone wants it EMAIL me, go
for it). Anyway, the script can also be easily changed to intercept
ALL SET THE SCRIPT's and stop them, if the user wants.
So, is this virus caused by a script, and thus a Trojan Horse that I
can counter with a script of my own, or is it a real virus, caused by
a binary operation in one of the CODE resources of a stack?
Mikey
Mac Admin
WSOM CSG
CWRU
[email protected]
------------------------------
Date: 05 Apr 91 05:48:18 +0000
From: [email protected] (Tony Locke)
Subject: Joshi Virus in part. table (PC)
We have a machine with Joshi on it and can't find something to kill
it. Anyone have any ideas (have tried SCAN 74B)
Tony Locke
Sydney University Computing Service
Australia
------------------------------
Date: 05 Apr 91 07:27:45 +0000
From: [email protected] (Victoria Harkey)
Subject: Virus (PC)
Has anyone been able to de-virus the trojan horse that became an active
virus on 4/1/91 yet? Is it a stealth virus? Do any of the scanners work
on finding and removing it?
Need help fast!
[email protected]
[email protected]
I read the group as well as e-mail. If you have any info, please advise
as soon as possible.
Thanks in advance.
Viki
--
Victoria Harkey
Certified NetWare Engineer
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 53]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253