VIRUS-L Digest Wednesday, 10 Apr 1991 Volume 4 : Issue 57

VIRUS-L Digest Wednesday, 10 Apr 1991 Volume 4 : Issue 57

Today's Topics:

re: PKLITE and hidden virus (PC)
Re: Review of Norton Antivirus (PC)
re: VPCScan Demo Version (PC)
Possible HyperCard virus (mac)
Script to kill new HC (and all other HC) viruses/trojans, etc. (Mac)
Protection of Sun PC-NFS server (UNIX) (PC)
Re: Unix viruses and damaging programs (UNIX)
Is virus infection by inserting floppy disk possible? (PC) (Mac)
Modems
How big is the virus problem ??
MS-DOS Protection (PC)
Need help with Beijing Virus (PC)
McAfee files v76 (PC)
Questions concerning IBM anti-viral programs
Virus Program Information request
Stoned virus (PC)
Do I have a virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 08 Apr 91 13:02:51
>From: [email protected]
Subject: re: PKLITE and hidden virus (PC)

>Date: Fri, 15 Mar 91 16:12:59 -0500
>From: Jim Pinson <[email protected]>
>
>I know some of the virus scanners will look within executable files
>that have been compressed with LZEXE. I believe they scan both before
>and after expansion.
>
>Lately I have been using PKLITE to compress executables, and wonder if
>any Virus scanners are capable of looking within the compressed files.
>
>Does anyone have any info on the subject?

Jim, by the time you read this the next demo version of the Virex-PC
scanner should be available. Virex-PC now handles PKLITE compressed
files as well as LZEXE compressed files. Next step: LH compressed and
ZIP files.

I should have responded to this earlier, but I've been in
"one-last-bug" mode for the last month. The demo gets released today
- -- just writing the final cut of the docs for it. The old one handled
150 strings, this one handles 350. The old one was faster, so's this
one. Grab a copy, and lemme know what you think?

Oh! I convinced The Powers That Be at Microcom to let me release
monthly (or near monthly) updates of the free scanner. Stay tuned!

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+

------------------------------

Date: Mon, 08 Apr 91 13:55:49
>From: [email protected]
Subject: Re: Review of Norton Antivirus (PC)

>Date: Thu, 28 Mar 91 16:13:24 +0000
>From: [email protected] (Tomasz R. Zdrojewski)
>
>The NAV program is not suitable for normal virus removal. It a
>personal test, I was able to infect my command.com, NAV itself and
>quite a few other files. The program ignored the sample virus I ran
>and said the system was fine. I would only recommend it for its
>ability to add new virus tags.

Not to take away from Norton's new entry in the anti-virus field, lots
of scanners have the ability to add new virus tags through an external
file, including my own.

In fact, to document this file for the first time publicly:

1) The file must be on the C: drive in a directory called "C:\VIREXPC"
2) The file must be called "VIREXPC.VIR"
3) The file consists of lines. Each line starts with a 'P', a 'B' or a '#'.
A line starting with a '#' is a comment line.
A line starting with a 'P' is a "Program Virus"
A line starting with a 'B' is a "Boot Virus"
4) Following the 'B' or 'P' is a single space.
5) Following the single space is the hex representation of upto sixteen
bytes of signature information. Although you may have less then
sixteen bytes, you must have at least ten bytes. Additionally, you
must have an even number of bytes. This is the ASCII representation
of the value of these signature bytes: If searching for 'AB', then the
resulting hex search string would be "4141".
6) Optionally, after the signature bytes maybe come a checksum and a
"nasty" flag.
If you're including either, follow the signature bytes by a single
space.
If the virus is a "nasty" virus -- one that you'd want to halt the
scanner if you find it in memory, use the "Nasty Virus" flag: a single
exclamation point.
The checksum is a simple unsigned checksum of the signature byte's
real value: not the value of the ASCII representation of these values,
but the actual values.

An example:

# This here is a comment
P ProgVName 123434565678789090121234 1234!

No, the checksums don't add up on that example.

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+

------------------------------

Date: Mon, 08 Apr 91 13:38:40
>From: [email protected]
Subject: re: VPCScan Demo Version (PC)

>Date: Wed, 27 Mar 91 11:49:57 -0700
>From: Chris McDonald <[email protected]>

Sorry for the delay, Chris: why is the last 1% of any new release
always the hardest part to get out the door?

>As a registered user of Ross Greenberg's program Flu-Shot+, I received
>a demonstration version of VPCScan of the commercial program Virex-PC
>bundled within version 1.8 of Flu-Shot+. I used the demonstration for
>several days, and then purchased the full commercial product.

Ah hah! The clever marketing ploy worked! You used the demo, then
bought the product. I'll tell the marketing guy at Microcom - he'll
be pleased. Don't worry: I get serious in just a sec....

>Since I routinely evaluate security-related software products for my
>agency, I had occasion to run the demonstration version on Tuesday, 26
>March since I wanted to compare its feature against the actual
>commercial product. I received the following message prior to the
>execution of the demo: "This demonstration expires in 6 days." This
>morning I ran the demo again, and the counter was down to "5 days". I
>am waiting with anticipation to see what happens on April 1st.
>
>I must note that the read.me file contained within Flu-Shot+ which
>described the demo at no time indicated a shelf life. In fact, the
>file states: "This demo may be distributed freely, but may not be sold
>without the express written permission of Microcom, Inc. and Ross M.
>Greenberg." I have no objection to someone offering a demo, or in
>encouraging that someone "freely" distribute it under the vendor's
>instructions.
>
>I would think that it sure would have been nice to have included some
>type of statement in the read.me file alerting REGISTERED, fee paying
>customers of Flu-Shot+ of the demo's expiration date--particularly
>when it appears April 1st is the drop-dead date.

You're 100% absolutely right, Chris. Not sticking in some information
regarding the drop-dead date was a dumb mistake on my part -- I wish I
could blame it on somebody else.

The new scanner (discussed below) has a drop-dead date of September 1,
1991. Between now and then, I expect to release a number of new
demos, each updated with new features and new strings. Until the July
release, or thereabout, all of them will have the 9/1/91 drop-dead
date. Starting with the July release the drop-dead date will be
somewhat further removed into the future: I'm not sure what I'll set
it for, but I'll certainly let it be known in advance: a bonehead
mistake like letting the expiration date on the current scanner lapse
before releasing the new one should never have happened.

Did I mention how much I hate Windows at all recently? :-)

Picking a date back in October of 1990 (allowing for what was supposed
to be six months of operation sounded so good on paper, too: I never
thought about an expiry of April 1 having any significance. Yeah,
that was dumb, too.)

>Since I know Ross has access to this forum, I would simply like to ask
>if this was a designed feature on his and Microcom's part, or whether
>I perhaps have a "hacked" version of Flu-Shot+.

Nope. No hacked version of the code. Just stupidity on my part.
However, now that I'm done with the Windows version of the code, I've
gotten some commonsense back.

I'm better now! :-)

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+

Disclaimer: These are my opinions only. Chances are good that
Microsoft thinks that Windows programming is good clean fun, building
character or something.....

------------------------------

Date: 08 Apr 91 21:22:14 +0000
>From: [email protected] (Joseph Wagner)
Subject: Possible HyperCard virus (mac)

I'm hoping someone out there can help me. I have a user (I'm a
consultant) who thinks he may have a virus. When he is using
HyperCard 1.2.5 with a stack that is 300-400 K in size (it is just one
specific stack) he is getting a lot of bombs. When he tries to script
a new card for the stack he gets a bomb at various times as follows:
As soon as he starts scripting
When he tries to end the scripting

His machine also freezes at times when he does the above. Sometimes
the bomb is an out of memory error.

All this work has been done on an SE/30 with 5mb of RAM and also on a
IIci with 4mb RAM with the same results. Both machines are running
system version 6.0.5.

Any ideas would be greatly appreciated. Since this is within HC, I
doubt if Disinfectant 2.4 will pick it up. He is currently trying
Disinfectant.

Thanks in advance.

___________________________________________________________________________
| Joseph Wagner | Life is divided into the horrible |
| [email protected] | and the miserable - Woody Allen |
___________________________________________________________________________

------------------------------

Date: Mon, 08 Apr 91 23:18:53 +0000
>From: [email protected] (Michael Kerner)
Subject: Script to kill new HC (and all other HC) viruses/trojans, etc. (Mac)

Alright already! Enough with the EMAIL! Stop! First, I disagree
that Dukakis was a virus since it lacked the capacity to replicate and
spread - it would simply make one move and stop. I think it would be
better to call it a trojan since it was disguised as somthing else
(i.e. nude pictures). HOWEVER I DON'T CARE HOW WE CLASSIFY IT!!!
I'VE GOTTEN LOTS OF MAIL ABOUT THIS NEW CRITTER, SO HERE IS A GENERAL
PURPOSE SCRIPT THAT WILL STOP ALL KNOWN HC VIRUSES AND TROJANS.
Install this script in your HOME stack (in the stack info) - if you
run 2.0, and are redirecting the inheritence path to include a
library, put it there. The only stipulation is that this be the only
script that intercepts the SET command. If others intercept the
command, then parts of this must be imbedded (if you can't figure it
out, EMAIL me).

on set -- primitive anti-HC trojan/virus protection
if the params contains "script " then -- notice the space after script
-- THE SPACE IS ESSENTIAL SINCE ANY BUTTONS THAT HAVE THE WORD "SCRIPT"
-- IN THEM WILL SEND THIS MESSAGE WHEN THEY ARE HILITED, ETC.
play "boing"
answer the params with "YES" or "NO"
if it is "YES" then pass set
end if -- the params contains "script " then
end set

this will intercept all "set the script of " type commands.

hope it helps...

Mikey.
mac admin
wsom csg
cwru
[email protected]

------------------------------

Date: Tue, 09 Apr 91 01:23:20 +0000
>From: [email protected] (Christoph Uloth - operator)
Subject: Protection of Sun PC-NFS server (UNIX) (PC)

Does anyone have any experience in the protection of networks of PC's
running an ethernet and served via a SUN using PC-NFS.

How does one make the Sun secure from viral infection where users
require read/write access to the networked disk?

What is the recommended software that we should use in this case?

thanks, Chris.

Christoph Uloth Division of Commerce Economics Law & Education
Systems Networks Officer University of Western Australia
Phone: +61-9-380 2198 || +61-9-364 7181 Fax: +61-9-380 XXXX
email: [email protected] :-)

------------------------------

Date: 08 Apr 91 20:22:43 +0000
>From: [email protected] (Lloyd E Vancil)
Subject: Re: Unix viruses and damaging programs (UNIX)

[email protected] (Valdis Kletnieks) writes:
to [email protected] (Van Cleef Henry H)

>"Testing can show the presence of bugs, but not their absence."
>
>So if you DONT find anything, that does NOT prove your system is
>clean, it only means that it's *either* clean *or* the intruder is a
>step ahead of you.
>
>computer criminal. The best is so good that we'll never catch him.
>If your system check (whatever its form) actually *finds* anything,
>then it won't be an undetected breach anymore.

A very scary thought when you consider that the bad guy in "The
Cookoo's egg" was caught because of a billing error and the tenacity
of one individual. The insights that book offers into the foilables
of the typical system manager and the attitudes towards this type of
thing are interesting. Would it be better to take for granted that
your security has been breached and operate based on that? If you did
make that assumption, what would you do to make a first level check?
Trust....

- --
* [email protected] sun!suntzu!suned1!lev
. [email protected] + .
+ * S.T.A.R.S.! The revolution has begun! *
- ----------------- My employer has no opinions. These are mine!
---------------
- -

------------------------------

Date: Tue, 09 Apr 91 10:33:56 -0400
>From: Thomas DiBlasi <[email protected]>
Subject: Is virus infection by inserting floppy disk possible? (PC) (Mac)

Hi,

I've been monitoring Virus-l digest since December and now for the
first time have a question.

Is it possible for a virus, trojan, worm, etc. to infect a hard disk
or RAM simply by inserting an infected floppy into a drive without
execution??

I thought I saw something on how some PC's /MAC's can recognize the
presence of a floppy after insertion without the benefit of an access
command being entered.

------------------------------

Date: Tue, 09 Apr 91 11:31:57 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Modems

>From: [email protected]

>If I connect to a site where I always initiate the call, only exchange
>email and receive netnews, am I subject to receiving a virus. My
>modem is never left on and the port is not enabled for a login.

With a single restriction, you are not subject to a virus under these
conditions. The sole caveat being that you are not connected to a system
the performs on-line updates to the communications software in your PC.
(the PC software would have to permit this, it cannot be done unilaterally)
Since I know of several commercial packages that appear to have this
capability and do not know which you are using, the restriction may or may
not apply.

------------------------------

Date: 9 April, 1991
>From: Padgett Peterson <padgett%[email protected]>
Subject: How big is the virus problem ??

>From: [email protected]

I have seen figures that seem reasonable from personal experience that
large sites (over 1000 PCs) rarely have a month go by without a confirmed
virus report. (and I am SICK of the Jerusalem and Stoned).

------------------------------

Date: 9 April, 1991
>From: Padgett Peterson <padgett%[email protected]>
Subject: MS-DOS Protection (PC)

>From: [email protected] (Morgan Schweers)

> Under MS-DOS, it's not possible to close all the security holes
>without throwing out the OS and starting anew.

Partly true: once you are under MS-DOS, you can't close all the holes
(especially the undocumented ones), but if you start before MS-DOS and
encapsulate it, you can come close enough for government work. I keep
mentioning this since a good system starting at the BIOS level is able
to creating a reasonably secure system. Once that is available, we can
quit worrying about the next "super stealth" killer virus that infects
extended memory and get back to some real work.

For all of its faults, there are a lot of good things to be said about
MS-DOS since it has transformed the way we think about computers. The
biggest is that it demonstates the law of quantum economics: The market
forces change until something becomes "Good Enough", once this occurs,
the market becomes resistant to change and rewards only improvement.

A good example is the proliferation of pointing devices (mice, trackballs,
pens, etc.) that just shows that "Good Enough" has not appeared yet.
Similarly, the plethora of menuing schemes that existed before Windows 3.0
was another example that has now resolved.

It will be interesting to see how MAC 7.0 is received.

------------------------------

Date: 9 April, 1991
>From: Padgett Peterson <padgett%[email protected]>
Subject: Need help with Beijing Virus (PC)

>From: [email protected]

>...and is infecting any diskette I happen to boot with...

The "Bloody" (apologies to UK readers) virus cannot remain resident through
a cold (power off) boot from an uninfected floppy in a normal PC. period. If
it is, then something strange is going on (like a BIOS that forces boots from
C & I hope the readers understand the implications of this in view of some
earlier discussions).

This virus is similar to the STONED and functions in much the same way. The
original partition table/code (MBR) is stored at cyl 0 head 0 sector 6 and
a good technician or the current version of McAfee's SCAN/CLEAN will take
care of the problem. When resident, it can be detected by the si...(oops,
promised no more mention of my "primitive" technique) by CHKDSK which will
report a loss of 2k from the TOM (640k machine will report 653312 "total
bytes memory" instead of 655360. If in memory, it must be removed (through
clean reboot) for any disinfection to be effective.

Note: as in any infection of this type, it is essential that all infected
diskettes (and there must be at least ONE or there is a bigger problem)
be found and disinfected else you will get a lot of practise in removal.

Warmly,
Padgett

------------------------------

Date: Tue, 09 Apr 91 10:15:34 -0500
>From: James Ford <[email protected]>
Subject: McAfee files v76 (PC)

The following McAfee files have been uploaded to mibsrv:

scanv76.zip
clean76.zip
netscn76.zip
vshld76.zip

Users who can not FTP directly can send mail to [email protected]
for uuENcoded files. Mail to JFORD@UA1VM will *NOT* get the files. :-)
- ----------
James Ford - [email protected], [email protected]
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date: Tue, 09 Apr 91 16:01:00 -0500
>From: "Sant." <[email protected]>
Subject: Questions concerning IBM anti-viral programs

I'm wondering what is the most efficient virus detector/remover
available. I currently execute SCAN.EXE version 75 automatically upon
boot-up. I've seen commercial programs, such as, Virex and Norton
AntiVirus. Are these so superior that I should pay $90? Is there a
virus checker which would scan programs executed under Windows 3.0?

+------------------------------------------------------------------------------
+
| Santanu Sircar BITNET: [email protected]
|
| University of Massachusetts/Amherst INTERNET: [email protected]
|
+------------------------------------------------------------------------------
+

------------------------------

Date: Tue, 09 Apr 91 14:34:28 -0800
>From: [email protected]
Subject: Virus Program Information request

Hello.

I need information regarding the different virus protection programs
for both the Macintosh and the IBM pc. I'd appreaciate it if you
would send me your opinions on which are the best programs and their
plus's and minus's.

[Ed. You may want to start by reading the various PC and Mac
independent product reviews in the VIRUS-L/comp.virus archives.
They're available by anonymous FTP from cert.sei.cmu.edu in the
pub/virus-l/docs/reviews directory.]

Thank you for your help <in advance>

Tam Pikey
[email protected]
[email protected]

------------------------------

Date: Tue, 09 Apr 91 08:28:00 -0800
>From: [email protected]
Subject: Stoned virus (PC)

I was having problems with Vidram by QEMM on a Zenith 386 SX. It
would not load properly for a couple of days, using the same unchanged
batch files. I ran F-FCHK and F-Disinf on the machine, and the Stoned
virus was removed. However, F-DRIVER (of F-PROT 1.14) is installed on
the machine, and it did not detect it. The machine had been cleaned
before installing F-DRIVER. 1.13 worked sucessfully at detecting the
STONED virus. Is there a detection problem with F-DRIVER from F-PROT
1.14?

------------------------------

Date: Tue, 09 Apr 91 20:01:10 -0400
>From: <IO91472%[email protected]>
Subject: Do I have a virus? (PC)

My computer's been locking up on me for about a week now and it's
driving me NUTS! Every once in a while, it will just lock up and say
Divide overflow. I then have to reset (warm reboot doesn't work - I'm
using an IBM compatible by the way). I have one program (TrakBlaster
for my soundblaster) that will lock it up every time - but other
programs that do the same thing don't. If I load up Turbo C, I can
run it all day with no problem, but if I exit it and start running
some other programs the thing freezes. It seems to be based on the
number of different programs executed instead of on a time limit.
Has anyone out there had this problem or is this more likely to be
just a hardware problem? I've tried several shareware virus detectors
but none of them have found anything - of course none of them could
find the test virus signature in the program that came with tbscanx
either. Does anybody want to buy a computer - cheap?

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 57]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253