VIRUS-L Digest Wednesday, 10 Apr 1991 Volume 4 : Issue 58
Today's Topics:
Re: My final comments on the six-byte method (PC)
VIRUSCAN v76 announcement (PC)
Re: New Mac Hypercard Virus (Mac)
Do any viruses affect Novell? (PC)
Boot sector viruses on IDE hard disks (PC)
Re: Am I subject to viruses?
Gatekeeper 2.0 (Mac)
HyperCard anti-virus script bad (Mac)
Re: UNIX & Viruses (UNIX)
Unix viruses (UNIX)
new virus? ("evil empire" Stoned derivative) (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 10 Apr 91 13:04:00 +1200
>From: "Mark Aitchison, U of Canty; Physics" <
[email protected]>
Subject: Re: My final comments on the six-byte method (PC)
A few thoughts...
(1) It would be best to check a few key interrupt vectors (via their
low memory locations, not via DOS), as well as the memory size, since
either a virus may be living in video RAM (and some key vector would
point there), or in an used area of the vector table (etc), again the
check would help spot a virus freshly resident.
(2) The mention of direct calls to BIOS by viruses... A friend of mine
has a method (well, two really, one for diskettes and one for hard
disks) that should prevent this, but we can't test it with many real
viruses- any volunteers?
(3) Does any virus take interrupts by not changing the vector but by
changing the first few bytes of the present routine to be a far jump
to the virus? If so, my comments in (1) need the addition of checking
the first few bytes.
(4) I really prefer blocking viruses before they get a chance to run,
but spotting them very soon after they load is at least better than
scanning disk every few days or weeks.
(5) I had hoped that the checksum in the header of .EXE files would
help spot viruses, but few programs have a valid checksum. Can anyone
tell me whether, if I go to the effort of correcting the checksum in
all my programs, will any virus be smart enough to rewrite a corrected
checksum?
Personally, I think that ultimately boot sector viruses will
disappear, since the odds are in the favour of the anti-virus people,
assuming users do sensible things. That doesn't involve inconveniences
to operations, or changes to DOS or BIOS (although the latter would be
very nice). However, IMHO, non-boot sector viruses will probably
eventually win over the best efforts of anti-virus software coupled
with the present generation of BIOSes and DOS (even DRDOS), and that
will hurt "serious" users of the PC, like businesses and universities.
The answer is going to have to mean radical changes to BIOS, DOS and
MSWINDOWS (which, for a new product, makes a lot of stupid mistakes,
it seems). In the short term, a slight change to BIOS, and a not much
more than DRDOS's password protection system, should suffice.
By the way, I keep asking, has anyone found a virus that gets past
DRDOS 5.0's password protection system yet? Has anyone else tried? (I
haven't got a lot of viruses to test).
Mark Aitchison, University of Canterbury, New Zealand.
------------------------------
Date: Tue, 09 Apr 91 10:07:58 -0700
>From:
[email protected] (Aryeh Goretsky)
Subject: VIRUSCAN v76 announcement (PC)
VIRUSCAN
Version 76 of VIRUSCAN adds 18 new viruses, bringing the
total number of known computer viruses to 239, for a total of 501
viruses including strains. The enclosed VIRLIST.TXT file outlines
the characteristics of the new viruses. For a comprehensive
discussion of each of the viruses, we recommend that you access the
VSUM document copyrighted by Patricia Hoffman. It is available on
most bulletin board systems.
In addition, two new command line options have been added to
improve batch mode operation of SCAN: The /NOPAUSE option turns
off the screen pause that occurs when SCAN fills up a screen with
messages. The /NOBREAK option will prevent SCAN from stopping when
a Control-C or Control-Break is issued.
CLEAN-UP
Version 76 adds nineteen viruses to the list of computer
viruses that can be safely removed. They are the 555, 651, 3066,
Air Cop, Beeper, Black Monday, Den Zuk, Fellowship, Filler, Ghost
Korea, Lazy, Lisbon, Mardi Brothers, Murphy, Print Screen-2, RPKS,
Striker, and Typo Boot viruses. For more information about these
viruses, please refer to the accompanying VIRLIST.TXT file.
Additionally, a new command, /NOPAUSE, has been added. When
CLEAN is run with the /NOPAUSE option it will not stop when it
fills the screen with messages.
VSHIELD
Version 76 has been completely re-structured to provide a
major increase in the execution speed. Version 76 will run twice
as fast as previous versions. The amount of time added to program
loads will now be cut in half.
Version 76 of VSHIELD adds 18 new viruses, bring the number
of discrete computer viruses detected to 239 and the number of
variants to 501 viruses.
Version 76 of VSHIELD adds two new options, /WINDOWS
option and /CHKHI. When run with the /WINDOWS option, VSHIELD
will intercept viruses in DOS processes under Microsoft Windows.
The /CHKHI command allows the scanning of the high memory area
present on 286 and 386 machines.
NETSCAN
NETSCAN Version 76 adds nineteen new viruses. For a listing of
complete listing of viruses, refer to the VIRLIST.TXT file.
Version 76 of NETSCAN adds a critical error handler that allows
NETSCAN to continue scanning if a file-open error occurs. For more
information about the /UNATTEND option, see the COMMANDS section.
NOTE: For Version 76 of the documents, the synopsis of new
viruses that usually appears was removed for space
reasons. I'd like to know if people would prefer to
have a brief listing (1/2 page) of the viruses in the
documentation or not. Please respond by email.
Aryeh Goretsky
- --------------------------------------------------------------------------
Aryeh Goretsky,Tech Sup.|voice (408) 988-3832 |INTERNET
McAfee Associates | fax (408) 970-9727 |
[email protected] -OR-
4423 Cheeney Street | BBS (408) 988-4004 |
[email protected]
Santa Clara, CA 95054 | UUCP apple!netcom!nusjecs!ozonebbs!aryehg
"Opinions expressed are my own and may not reflect those of my employer."
------------------------------
Date: 10 Apr 91 09:36:56 +0000
>From:
[email protected] (Margit Gaertner)
Subject: Re: New Mac Hypercard Virus (Mac)
[email protected] (SoftPlus, Paul Cozza,PRT) writes:
> For SAM 3.0 Users:
>
> [lines deleted]
>
> Note that SAM 2.0 had the capability to detect and repair Hypercard
> viruses (such as Dukakis), but did NOT have a data definitions entry
> dialog. This is new to SAM 3.0.
Could someone give me the SAM 2.0 Virus Definition for the HC Virus?
thanks in advance
Margit Gaertner
Ps: We are registered users of SAM 2.0, but SAM 3.0 isn't available from
PRISMA, Germany.
E-mail address UUCP: uunet!unido!linod!gaertner
Linotype AG dept. S/CC
Mergenthaler Allee 55-75
D-6236 Eschborn, West Germany
------------------------------
Date: 10 Apr 91 11:57:14 +0000
>From:
[email protected] (WiseGuy)
Subject: Do any viruses affect Novell? (PC)
What viruses (if any) affect Novell local area networks? Any DOS
virus? Over a broadband/ethernet LAN?
===============================================================================
=
Dave Weissman - Broadband and FDDI LAN Operations Group
Snail mail: NSI DECNET (SPAN) - 6153::DWEISSMAN
Code 543.8 NSI TCP/IP -
[email protected]
Goddard Space Flight Center SPRINTnet's X.400 -
Greenbelt, Maryland 20771 (C:USA,A:TELEMAIL,P:GSFC,FN:DAVID,SN:WEISSMAN
)
*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*
I don't speak for nor represent the views of NASA or my company although
they would both be happy if I just shut up for once.........
*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*DISCLAIMER*
------------------------------
Date: Wed, 10 Apr 91 14:39:00 +0000
>From:
[email protected]
Subject: Boot sector viruses on IDE hard disks (PC)
Can anyone offer me preventative and curative measures for the new IDE
hard disks if they become infected with a boot sector virus. If the
virus is one that cannot be successfully removed by any of the current
anti-viral software, I believe we will be reduced to doing a low-level
format on the disk in order to rewrite the boot sector. This will, as
far as I know, erase the information that on older drive types was
stored in the CMOS, thereby making the disk unusable. As the
manufacturers seem very reluctant to supply us with the information
needed to correctly rewrite the boot sector we are looking at other
means to avoid this eventuality.
In the way of preventative measures we think that a solution would be
to advise our users who are purchasing IDE drives to take several
backup copies of the boot sector which they can then copy back to the
disk if it becomes infected. We believe we can use Norton Utilities to
rewrite the boot sector but are unsure about the procedure for writing
the correct boot sector contents. Has anyone got information that
would help us with this?
Does anyone know of a simple (and optimally free) utility that
provides a fool-proof mechanism for copying and writing the boot sector?
As far as curative measures are concerned (where a copy has not
been taken of the BS) we are stymied! Has anyone any suggestions?
Again on the subject of boot sector viruses does anyone know of some
anti-viral software that will remove the Spanish Telecom or Telefonica
virus?
Please mail me directly at
[email protected].
Thanks in advance.
Lynne Munro
Oxford University Computing Service
------------------------------
Date: 10 Apr 91 16:57:47
>From:
[email protected] (Pandy Holmberg)
Subject: Re: Am I subject to viruses?
[email protected] writes:
I know that this is the kind of question that only a novice would ask.
Well, I am a *rank* novice in Usenet, UUCP, and telecommunications in
general. Please bear with me. The question is:
If I connect to a site where I always initiate the call, only exchange
email and receive netnews, am I subject to receiving a virus. My
modem is never left on and the port is not enabled for a login.
The answer is NO. As long as you just use your computer as a terminal.
As soon as you start downloading files, the danger appears...
And how to protect yourself against viruses, well, my friend, I
wouldn't know, since I do not know what kind of computer you use...
Tsaukki says
Pandy
--
"All things are possible except skiing through a revolving door."
*******************************************************************************
/! ! Andreas "Pandy" Holmberg
[email protected]
/_!_! Helsinki University of Technology
[email protected]
/ ! ! Faculty of Electrical Engineering
[email protected]
/ ! !
[email protected]
*******************************************************************************
------------------------------
Date: Wed, 10 Apr 91 15:02:58 +0000
>From:
[email protected]
Subject: Gatekeeper 2.0 (Mac)
Does anyone on the net know when Gatekeeper 2.0 will come out?
Please post any answers on comp.virus.
------------------------------
Date: Wed, 10 Apr 91 10:49:12 +0800
>From:
[email protected]
Subject: HyperCard anti-virus script bad (Mac)
Greetings,
The script posted by
[email protected] (Michael Kerner) to
prevent HyperCard virus attacks has several problems. First of all,
it doesn't pass any set messages that DON'T have script in the params,
thereby disabling every other use of the set command. Secondly, it
gives a false sense of security since any such handler anywhere can be
bypassed by a simple statement of the form:
send "set whatever to whatever" to HyperCard
Using the send ... to HyperCard format bypasses all intermediate handlers.
Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859
Faculty Development Lab - Room 213 Office: (208) 385-1250
Simplot/Micron Technology Center CompuServe ID: 76666,511
Boise State University CREN (BITNET): duscarte@idbsu
1910 University Drive Internet:
[email protected]
Boise, ID 83725 --> Preferred:
[email protected]
------------------------------
Date: 10 Apr 91 12:25:22 +0000
>From:
[email protected] (
[email protected])
Subject: Re: UNIX & Viruses (UNIX)
padgett%
[email protected] (A. Padgett Peterson) writes:
Greetings -
In continuation of the *NIX Virus Thread I would like a add a
few points. First off I would like to direct you to
'Computer Systems' Volume 2 Spring 1989, Experiences with
Viruses on *NIX Systems and Virology 101
> Basically, the sheer diversity of UNIX platforms provides the best
> defense against malicious software. Mix in the user/kernel and
> "rights" requirements and you have the basis for a good protection
> scheme.
This is correct if your virus model excludes the shell script
world. I have not seen *any* published model to define a virus
vs Trojan Horse in the group. Was one published and I missed it?
The simplest form of a *NIX virus is :
cp $0 .
Now *every* *NIX platform I know of will run this "virus"
Thanks,
\Ethan\
P.S. **NOTE DO NOT RUN THIS VIRUS, SO I DON'T HAVE TO SAY "I TOLD YOU SO"**
- --
"If everyone swept his own doorstep, the whole world would be clean"
A Chinese proverb
[email protected] _____ 1.301.652.0651 _____ {uunet,anagld}!thinc!ethan
Tomorrow's Horizons, Inc. 4807 Bethesda Ave, #330, Bethesda, MD 20814-5299
------------------------------
Date: 10 Apr 91 17:23:58 +0000
>From:
[email protected] (Gene Spafford)
Subject: Unix viruses (UNIX)
First of all, Unix viruses are definitely possible, and they aren't
all that difficult to write. See the articles in the Spring 1989
issue of "Computing Systems" (Usenix, 2(2)). Tom Duff describes his
experience with writing a machine code version, and he and Doug
McIlroy discuss shell viruses too. As I remember (my copy of the
issue is out on loan right now), McIlroy has some comments on why Unix
viruses aren't all that interesting.
If you accept Cohen's formal definition of a virus (roughly stated as
"code that makes a (possibly modified) copy of itself in another
program") as most of us do, then Ken Thompson wrote perhaps the first
Unix virus in his login/cc combination; see "Reflections on Trusting
Trust" in the August 84 issue of Communications of the ACM, 27(8).
\footnote{BTW, Cohen did not write the first virus; I see so many
people claim this (incorrectly) in their writings. Cohen gets the
credit for first describing them in a formal way. However, there is
evidence of viruses as we know them appearing 2 years before Fred
started his thesis work, and Thompson's work also predates Fred's.
Furthermore, Fred did not coin the name "virus" -- his advisor Len
Adelman suggested it. Even that is not the first use of the term --
see my ADAPSO book, or the excerpts in Hoffman's or Denning's books.}
So, the answer to the question of, is it possible to write a Unix
virus, is a definite "yes." It can easily be done as a shell script,
which makes it portable to any form of Unix, or it can be done in
machine language, which makes it a little less portable but easier to
hide.
The real question here is "How much should we worry about them?" The
answer to that is, "Not much." Viruses under Unix are likely to serve
only two purposes: enable an attacker to get root, or vandalize a
system. If your system is configured reasonably to audit accesses,
and privileged users are careful about booby-trapped files and PATH
variables, it is unlikely a virus will give someone root access that
they shouldn't have.
Vandalizing a system is more likely. Imagine a virus that would
delete all files in your $HOME directory after a certain date! If
that spread to a number of executable files, it could be very
damaging. Again, if the system is configured reasonably and the
superuser is appropriately cautious, then none of the system programs
would likely be affected, and thus the damage would be limited.
Having good backups means this would be limited annoyance.
The fear that people have is that a Unix virus could spread to many
machines. Unix systems don't normally share removable media and
programs in the same manner as PCs, so spreading a virus might be more
difficult than PCs. However, Unix systems in the same administrative
domain often get source code installed on all machines from a single
point, and files are often shared via networked file systems, so
spread is not inconceivable. This would require the virus writer
defeating what should be common security practices in order to infect
those sources. Prudent administration and regular auditing for
integrity changes will prevent this kind of problem.
Widespread infection of Unix machines is very unlikely except in cases
where sys admins regularly install binaries or programs from outside
sources without examining them. That could cause widespread virus
propagation. (Before you say you don't do this, ask if you are
running emacs or gcc -- when was the last time you read through all
the code for the program and libraries before installing them?)
However, in a a case like this, it is more likely that the same goals
could be accomplied with less effort by just building in some form of
logic bomb or Trojan Horse mechanism and be done with it. Again, some
prudent administration and regular integrity auditing would spot
changes before much damage would occur.
Overall, I'm pretty certain that we have little reason to fear Unix
viruses on properly configured systems where the sys admin is a little
bit cautious and takes proper precautions. The structure of the
system and the normal patterns of use indicate that anyone with a
particular agenda that might be satisfied with a virus is more likely
to use some other mechanism (worm, logic bomb, cracking) instead.
Warning! Shameless plug follows....:-) If you want further
information on how to protect against viruses, Trojan Horses, and more
in the Unix environment, consider getting a copy of "Practical Unix
Security" by Simson Garfinkel and me. It's published by O'Reilly &
Associates (the Nutshell Handbook & X Windows reference people), and
is due out in mid-May. It's about 500 pages, 19 chapters, and 5
appendices of information on Unix security, including programmed
threats, network security, and much more. The book will be $29.95,
and can be ordered at
[email protected], 1-800-338-6887 (US & Canada) or
01-707-829-0515 (Europe).
- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:
[email protected] phone: (317) 494-7825
------------------------------
Date: Wed, 10 Apr 91 18:29:37 +0000
>From:
[email protected] (Tim Martin; FSO; Soil Sciences)
Subject: new virus? ("evil empire" Stoned derivative) (PC)
Has anyone else seen the boot sector virus that is plaguing some of
the DOS computers at U of A? It displays an eight line text about the
USA being the "evil empire" in the "impending war with Iraq".
Obviously it was written before Jan 15, 1991. It wreaks havoc in the
partition table of hard disks, and doesn't know how to properly format
3.5" floppies. McAfee's SCAN calls it "Stoned / Swedish", and the
F-DISINF program calls it "a new version of stoned", and doesn't offer
to remove it. We are now trying to decide whether this is a local
virus, and also whether it has spread elsewhere.
Tim Martin
Soil Science,
University of Alberta
[email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 58]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
