VIRUS-L Digest Wednesday, 24 Apr 1991 Volume 4 : Issue 69

VIRUS-L Digest Wednesday, 24 Apr 1991 Volume 4 : Issue 69

Today's Topics:

Virucide query (PC)
Zenith Dos Writes (PC)
PREVENTION of Drive A: boots - Suggestions Please (PC)
Re: AF/91 and April Foolism in general
Azusa Virus Found on factory diskettes (PC)
Stoner (PC)
Certus Testimonials Wanted (PC)
Re: Infoworld Column
Invader help needed (PC)
New VIRUS file uploads to SIMTEL20 (PC)
Re: Error in F-PROT 1.15 (PC)
The success of existing viruses (PC)
Gatekeeper 1.2 (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 23 Apr 91 12:09:36 -0400
>From: Ramon Bartschat <[email protected]>
Subject: Virucide query (PC)

Hi there....

I have the following question:

A friend of mine was using the VIRUCIDE program, so I copied it
to try it out, but when I got home and scanned it with SCAN V67 the
program told me that VIRUCIDE was compressed with LZEXE and that it
was infected internally with the Kennedy Virus and with the 12 Tricks
Troyan Horse. I could never find out any unusual behaviour in
VIRUCIDE. So what's wrong with VIRUCIDE ???? Right now I got a
secured copy of VIRUCIDE, in case it's really infected with Kennedy &
12 Tricks.

Ramon.

*******************************************************************************
RAMON BARTSCHAT AL380382@VMTECCHI (Bitnet)
[email protected] (Internet)
Computer Science Student at: ITESM
INSTITUTO TECNOLOGICO Y DE ESTUDIOS SUPERIORES DE MONTERREY CAMPUS CHIHUAHUA
*******************************************************************************
[BEWARE: This file will self-destruct, not in 5 seconds... but in 3 seconds]
*******************************************************************************

------------------------------

Date: Tue, 23 Apr 91 14:33:12 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Zenith Dos Writes (PC)

>From: [email protected] (Arthur I. Larky)

>Some versions (or maybe all versions) of Zenith MSDOS write the date
>and time someplace in the system every time you write a file.

Think this is only on models 158 & 159. ATs do not seem to exhibit
this. Have seen it with ZDOS 3.0-3.3 - writes to the C drive boot
record (not the MBR). Different locations with each OS. Possible that
if you zero the locations in the boot record (just the ones it writes)
it might stop writing but cannot confirm this.

------------------------------

Date: Tue, 23 Apr 91 14:33:12 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: PREVENTION of Drive A: boots - Suggestions Please (PC)

>From: [email protected] (Andrew Turner)

>a. Use of a ROM.

The best way. According to Computer Shopper, ROMs run about $70 qty 1. Certain
PS/2, Compaq, & Zenith PC have this standard. A ROM extension on a 8-bit card
would also be simple & could be cheap but would have two drawbacks:
1) Memory would have to be allocated in the region of C800-F000 (segment)
2) Would use a slot.

>b. Use of hardware modifications connected to a key switch mounted on
> the case which would be used to enable/disable floppy boots.

Don't think this would work since all that is required to boot is for the
disk to be read. I do not think a switch could prevent selective reads without
disbling any read. (unless you have a use for a write-only floppy).

If you only have one floppy, you might be able to connect it as drive B to
prevent booting if the BIOS does not halt with an error on boot - this is
machine depandant but the cost (if it works) is essentially zero.

The other possibility is via software. This will not protect against a cold
(power-off) boot, but can trap <cntrl><alt><del>. I believe McAfee's F-Prot
does this. Not a 100% solution, but possibly into the 90's.

------------------------------

Date: Tue, 23 Apr 91 14:33:12 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Re: AF/91 and April Foolism in general

>From: [email protected] (Jyrki Kuoppala)

>What I really should have pointed out is that computer viruses wouldn't
>be a serious problem if the commonly-used operating systems had even
>some decent protection mechanisms provided by the operating system.

Exactly. MS-DOS has zero integrity checking and access control. This includes
the beta and release 5.00 versions. However, wishing for something different
(like unix) is not going to help the bulk of the people. Controls can be added
(after all, a PC is a fully functioning computer before DOS is loaded), but to
do so while allowing the incredible installed base of MS-DOS applications to
run (not to mention some of the odder BIUOSes) as users expect is somewhat more
difficult. Until MicroSoft decides to ad at least minimal integrity checking
to the OS, life will remain difficult (but not impossible).

>I have source source code to every program I run on my
>home system and every part of the system, even the ROM monitor and the
>PCB.

Really ? Where do you find room for it ? Just my 386 BIOS is nearly a meg and
a half of ASCII (20,000+ lines) and is less than 64k of binaries. I shudder
to think how big the 4+ Mb of WordStar 5.5 would be.

------------------------------

Date: Tue, 23 Apr 91 14:33:12 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Azusa Virus Found on factory diskettes (PC)

>From: [email protected] (Robert Martin)

>This disk was a 5 1/4 1.2mb HD floppy and was factory read only (no
>notch). The virus was on disk one of a three disk set.

>The disks were labeled TVGA - 8916. According to the manual, TVGA is
>a trademark of "Trident Microsystems, Inc.

Bring in the lawyers ! We need some civil actions to force manufacturers
to take due care (I'm amazed it hasn't happened before).

Warmly, Padgett

------------------------------

Date: Tue, 23 Apr 91 16:14:30 -0500
>From: [email protected] (Carlos Dragonslayer Butler)
Subject: Stoner (PC)

I work in a computer lab at Chicago State University, and we
seem to have been struck with the Stoner PC virus. I need a way to
remove the virus without losing the data. We have no virus software
and don't seem to be able to get any (our downloading capabilities are
nill). I'm new to the job, but have plenty of PC experience, everyone
else here is practically igorant of PC matters. The most advanced
software we have is what I brought from home. So the bottom line is:
Can U remove the Stoner virus in a primative lab setup? And if so,
how?

- --
Carlos Dragonslayer Butler| "People often condescend
[email protected] | what they fail to comprehend.
Lord of House | Ignorance makes life easier.
| Peace, knowledge, love and happiness."

------------------------------

Date: Tue, 23 Apr 91 17:05:00 -0500
>From: John Venable <[email protected]>
Subject: Certus Testimonials Wanted (PC)

I recently heard an impressive vendor presentation concerning Certus'
anti-virus, networked software. For large LAN's the cost is about
$50-75 per copy. Seems to possess some significant advantages over
stand-alone scanning software.

I'd appreciate any feedback on experiences with this product. I'll be
happy to summarize for the list. Thanks in advance.

John Venable
Samford University
Birmingham AL 35229
(205) 870-2685
BITNET JMVENABL@SAMFORD

------------------------------

Date: Tue, 23 Apr 91 19:11:24 -0400
>From: [email protected]
Subject: Re: Infoworld Column

On April 17, 1991 [email protected] (Kevin "auric" Crocker
Athabasca University) writes:

>I've keep quite about this because I enjoy a good yuck as much as the
>next person.

I was also trying to keep quiet about this, but it's at the point
where I feel I have to put my two cents worth in. This is not an
attack (well, not an intentional one) on you but rather on some
sillyness that just riled me.

> However, there are a lot of people that read a variety
>of magazines just for info and pleasure that do not have the
>math/physics/computer background to understand the sillyness of what
>was written.

Perhaps those without the background should be a little more
cautious about accepting what I generally refer to as "The Gospel
According to In-Flight Magazines". Far too many "Computer Experts"
haven't got a clue about computers outside of what is printed
in the media. Anyone who feels offended by having read this
April Fools joke should be concentrating more on educating
themselves than on formulating lawsuits against the publishers.

>There are a lot of neophytes running around making all kinds of
>decisions about computers that affect entire companies.

This is my pet peeve. If there were people in the medical profession
who showed the same level of irresponsibility and billed themselves
as 'experts', we would be very quickly approaching extinction. If
I had a nickel for every time I argued technical points with somebody
who had no technical background but 'read it in a magazine', I would
be a rich man. A company should not rely on an 'expert' simply
because they know how to spell 'computer'. If they do, then they
get everything that they deserve.

>Articles like
>this one do an incredible disservice and create more uneasiness about
>computers and viruses.

I disagree. Articles like this help to loosen the stifling paranoia
that seems to have set in whenever the word 'Virus' is concerned.

> Computer viruses are NOT something to joke about.

Sure they are. Everything is open to humour. The moment that you
start putting subjects off-limits is the moment you start adding
to the paranoia. 'Virus' is not a dirty word. It's not a 'taboo'
subject. I think that the humourous articles help to open up
lines of communication that otherwise get closed down for fear
of giving other people 'dangerous ideas'.

> Several years ago I lost an entire 40Mb hard disk to something
>(probably a trojan but I could never find it) Even though I had
>backups I lost quite a bit of work that cost me several months to
>recreate.

They couldn't have been very good backups if they were 'several
months' out of date. Sorry to say it, but it sounds like your
backup strategy was at fault. You were just as likely to have
a hardware failure as getting zapped by a virus. I won't bother
to 'rub in' the fact that your computing practices resulted in
you being infected.

>Viruses and trojans are not something that should be joked about,
>especially if there is the slightest chance that the "joke" could fall
>into a novices lap.

The same argument can be used about virtually any type of satirical
humour. What if I was to tell you that placing a pound of plastic
explosive into your engine would give you better acceleration? If you
knew nothing about cars and nothing about explosives, you shouldn't be
messing with either. (except at the user level). A typical user
shouldn't have to worry about virus infection (<---general statement.
There are always exceptions to the rule). If you buy your software out
of the box, you don't pirate software or connect to BBS's, (or share
disks and data with machines that do) there is very little chance of
being infected. I actually met somebody who refused to buy a modem
because 'hackers would be able to break into his machine' if he had a
modem connected. Even now, he still unplugs his modem from the phone
line when it's not in use (even when the machine is powered off!).
He's convinced that there is a command that a hacker can send to force
his modem to power up, answer the phone and power up his system. This
is the result of 'magazine expertise'. Not humourists, but the
mainstream 'experts' ranting on about how serious viruses are and how
there's no defense. The hard facts are that good computing practices
are more likely to save your user's ass than trying to put the fear of
viruses into them. Lighten up and relax (this isn't directed primarily
at you, Kevin...your letter just got me going.) Everybody on this list
realizes that viruses ARE a threat, but they aren't the end of the
world that some sources make them out to be.

______Opinions stated are my own. Transcripts available by request______
===
=--==== AT&T Canada Inc. John Benfield
=----==== 3650 Victoria Park Ave. Network Support Analyst (MIS)
=----==== Suite 800
==--===== Willowdale, Ontario attmail : ~jbenfield
======= M2H-3P7 email : uunet!attcan!john
=== (416) 756-5221 Compu$erve: 72137,722

____Eagles may soar, but weasels don't get sucked into jet engines._____

------------------------------

Date: Tue, 23 Apr 91 12:45:00 +1200
>From: ANDREW CHAMBERS <[email protected]>
Subject: Invader help needed (PC)

Help!
A colleagues harddisk has been infected with the Invader virus
which was imported on a disk from Malaysia.
the version of Fprotect that I have (113) shows this as the Plastique
virus but cant remove it saying it is a new variant.
However McAfees scan76 shows it is actually Invader, clean then removes it
from everywhere but the boot sector.
How do you remove it from there?
- --
Andrew Chambers
Computer Services
University of Waikato
New Zealand

[email protected]

------------------------------

Date: Wed, 24 Apr 91 09:10:00 +0700
>From: "Jeroen W. Pluimers" <FTHSMULD%[email protected]>
Subject: New VIRUS file uploads to SIMTEL20 (PC)

Hello all,

I uploaded the next files to SIMTEL20 <MSDOS.TROJAN-PRO>:

TBSCNX26.ZIP - Thunderbyte ScanX v 2.6 - needs VIRUSSIG.ZIP
VIRUSSIG.ZIP - Newest virus-signature file for TBSCAN/TBSCNX/HTSCAN

They will soon be available on TRICKLE.

jeroen

------------------------------

Date: 24 Apr 91 08:53:05 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Re: Error in F-PROT 1.15 (PC)

I wrote:
>>Fix: Either just give the command
>
>> F-UNLOCK F-TEST.COM

[email protected] (Snugglupagus) writes:
>
>tried it, but it didn't work. now i run f-test only to get the
>following message:
>
>program infected with the f-test- virus.
>access denied.
>
It works...

This is exactly the message you should get when the program is
working. The "Program infected..." is the message you get when
F-DRIVER stops a program it suspects of being infected with a virus.
Note that F-TEST.COM does not contain a virus, however.

>> or replace the F-TEST.COM with the following program.
>
>>begin 755 f-test.com
>>hY70u1U4o0QoVi+-AnG349IFGGJN3IW-dQm-iPrEUOKtnR43gP4JY64xm64tj
>>BR0-rPr7fOKtb6Eo87034
>>+
>>end

>well, this is all we got at this site. obviously, it's not the whole
>thing.

It is the whole thing. The above program is an xxencoded correct
version of F-TEST.COM

I have also fixed a few other problems with F-PROT 1.15 - if your
program reports a "possible infection" by "10 past 3" or "Kamikaze",
ignore it.

- -frisk

------------------------------

Date: Tue, 23 Apr 91 20:24:00 +0000
>From: William Hugh Murray <[email protected]>
Subject: The success of existing viruses (PC)

>From: [email protected] (Dan King)
>Viruses are a problem. A big one. Are they're going to get worse.
>Come on, don't pick on the users. Attack, instead, the virus authors.

The "real problem" is the success of the existing viruses. The
motives of the authors are irrelevant. Attacking the authors, even
they had the courage to identify themselves, would have no impact at
all on the problem.

If we only had to cope with Stoned and Jerusalem-B, we would still
have a serious problem.

The problem is independent of origin or motive. We do not know what
the motives of the authors of these programs were. What we do know is
that they could not have predicted the success or resulting disruption
of these programs when they released them.

It is likely to get much worse before it gets better.

>Padgett Peterson:
>The real problem is that MS-DOS, like the Mac OS, has NO integrity
>checking and that viruses are remarkably easy to write.

It is true that MS-DOS has no integrity checking. It is equally true
that viruses are easy to write. The "real problem" is still Stoned,
Jerusalem-B and a few others.

Implied in Padgett's suggestion that the absence of integrity checking
is the problem is an assumption that somehow or another MS-DOS is
deficient because it has no such checking. While I am prepared to
grant that such checking would help, I am not prepared to grant that
the problem has its origin in the absence of that checking.

MVS has no such checking, though it is available in add-on packages.
UNIX has no such checking. Yet they are free of viruses.

I am afraid that Padgett is reasoning "post hoc." Having concluded
that integrity checking, pervasively applied, might help deal with the
problem, he then asserts that the operating system is deficient
because it is not there. Even he is willing to admit, in other
contexts, that the operating system gets control too late to deal with
some viruses.

While I am willing to admit that architecture can contribute to the
solution, only over a very long period, I am prepared to associate it
with the problem only to the extent that it makes it EASY TO GET A
PROGRAM EXECUTED. I was taught that that was a feature, a
vulnerability, but not a flaw.

I refuse to forget that we have this entire industry, with its
problems, because MS-DOS would run, with an application yet, in less
than 64K (yes, that is sixty-four thousand) bytes. If it had been
burdened with all of the security that some of today's uses of it
require and which today's gurus project on to it, it might never have
been successful enough to support viruses.

The PC is a target for viruses only because it is successful. If
there is a "real problem," then that is it. When looking for
solutions, remember Murray's first law of computer security: "Be
careful what you ask for; you might get it."

------------------------------

Date: 23 Apr 91 18:57:42 +0000
>From: [email protected] (Robert Stewart)
Subject: Gatekeeper 1.2 (Mac)

This is a pretty long report on Gatekeeper 1.2. Almost all of it consists
of direct quotes from the info sent out from Chris to all beta-testers.

DESIGN PHILOSOPHY
"I wanted a product that was modular both internally and externally so
that it could be maintained and expanded in simplest and most reliable
possible fashion. I particularly wanted a modular user interface
because even in the days of 1.1.1, there were featues in Gatekeeper
that nobody could use because there wasn't enough space in the already
overcrowded cdev for the controls necessary to turn those features on
and off. I also wanted a radically improved form of the privilege
list (one that was, among other things, self documenting), a totally
different sort of log file (one whose length could be limited, for a
start), a way to move privileges between copies of Gatekeeper (even if
the versions differed), and I wanted all the configuration information
stored in a file separate from the Gatekeeper cdev."

1.2 VS. 2.0
"This version is being renovated to include as many of the bug fixes
and other improvements of 2.0 as possible, *without* restructuring or
rewritting the bulk of the code. So you really won't see much of
2.0's functionality in 1.2 when it's released, but a number of the
features you're accustomed to in 1.1.1 will work more smoothly and
reliably than they have in the past, and the user interface will be a
tad more convenient. And, of course, it'll work with File Sharing in
System 7 and won't be dependent on Gatekeeper Aid for retroactive
fixes to its problems."

FEATURE LIST
"What's new in Gatekeeper 1.2b0? I'm not entirely sure... I lost track a while
back. :-) A few of the changes I remember are listed (in no particular
order) below.

* System 7.0 compatibility. All other versions of Gatekeeper like to die
when the File Sharing feature of System 7 is used. This version cures this
problem very effectively, if not elegantly. Elegant solutions may come in
version 2.0, but there are still questions remaining to be answered, and
neither users nor viruses should notice the difference in the mean time.

Note that this was the only imcompatibility between other versions of
Gatekeeper and System 7, but it's a big one.

* The interface has a new look. Where 1.1.1 supported 3 "screens" (Info,
Settings and Help), 1.2 supports 6 screens in order to make room for a
(hopefully) more pleasant and sensible user interface.

* Gatekeeper's Help display now supports Styled TextEdit in it's System 6.0
and beyond implementations. This means that the help text will appear
nicely formatted in Helvetica, Times and Monaco. This helps to differen-
tiate the different sections of the Help display and adds useful emphasis
throughout.

If you want to view the help text as an undifferentiated mass of Geneva
9 point for old times' sake, just hold down the Option key when you access
the Help for the first time after opening the Gatekeeper control panel.

Text in the Help display may be selected and copied to the Clipboard so
it can be pasted into more convenient environments, like word processors.

All of the Help text in this beta version is left over from 1.1.1 and is,
as a result, totally out of date. Don't even try to read it; it's just a
placeholder for the moment.

* The Gatekeeper control panel now includes a section that allows the user
to view the log file and to clear the log file when it gets too big.

* The privilege list is now sorted, and using the Clear button doesn't scroll
the list back to the first item anymore.

* The settings section now includes a check box called "Display a Mode Warn-
ing Alert". This check box allows the user to determine whether Gatekeeper
will display its "Notify Only" alert everytime the Mac boots in Notify
Only mode. A "Notify & Veto" alert is also supported now, and the same
check box regulates whether it appears or not.

* A "New" button has been added to the privilege list section. This button
allows the user to add an item to the privilege list without going through
all the business with the "Add..." button and the Open dialog box.

* Some privileges are no longer required. Programs and INITs that install
drivers used to need Res(Self) privileges to do so, in many cases. In most
cases these programs and INITs no longer need the Res(Self) privilege, so
most of them have been removed from the default privilege list.

***If you find programs that need any sort of privileges at all which aren't
***included in this privilege list, please let me know so I can get them added.
***This version of the list dates back to 1.1.1, so it's not likely to be
***particularly complete.

* Gatekeeper now supports privileges for Control Panel and Chooser documents,
in addition to privileges for Desk Accessories, Drivers and Applications.
Nobody should ever have to grant privileges to DA Handler again.

* Internal Errors are history. The problem was found and fixed.

* Gatekeeper no longer crashes Macs while they attempt to switch launch.
Sluething around in the bowels of the Mac during switch launches finally
yielded some useful answers (and a few interesting questions).

* It is no longer necessary to grant the System 7 Finder Res(Other & Sys)
privileges in order to move desk accessories around. Gatekeeper detects
these cases internally and deals with them very carefully
without reference to the privilege list. This "hard-wired" approach is far
more secure than granting those privileges and will probably be carried
over into Gatekeeper 2.0. So, DO NOT grant anything other than File(Other)
privileges to the Finder.

* Gatekeeper deals with the bizarre (or, at least, unexplained) RsrcMapEntry
calls made by the print driver in System 6.0.7 without assistance from
Gatekeeper Aid.

* Gatekeeper now allows resources like the infamous Adobe Separator 'ADBS'
to be added to the Desktop file without any fuss or privilege violations.
Adobe still shouldn't have used that creator code, but nobody should have
to deal with the fallout from this problem anymore.

* Gatekeeper will no longer allow an odd value in its 'sysz' 0 resource.
This will take care of an incredibly rare and obscure source of boot-time
crashes on some Macs. Gatekeeper Aid, of course, has been retroactively
correcting this problem for some time.

* Since Gatekeeper now allows users to read the Log file from the control
panel, there's no need to continue locking the Gatekeeper Log file in order
to make programs like MS Word happy. The log file is still stored as
text, though, so users can read it with other prgrams, like their favorite
spreadsheets, if they so desire.

* Special keys like the arrow keys, page up/down, and home/end are supported
where appropriate.

* StuffIt and Compact Pro (Compactor) self extracting archives (SEAs) are now
fully and transparently supported. No privileges are necessary in order
for SEAs to do their stuff."

"* Gatekeeper 1.2 is now split into two parts; an INIT (which does the real
work) and a cdev (which provides the user interface). In this respect
it's very similar to the structure of Gatekeeper 2.0."

The last feature occurred in the second beta. The main reason for it is that
system 7 installs inits before cdevs, unless the cdevs are put into the
extensions folder by the user. He also said that he split it up
because it had grown so large. People using GK on a floppy can configure it
with the cdev, then just keep around the init, sort of like how Moire works.

I like the new interface a lot. After selecting the Gatekeeper Controls icon
in the control panel, you get a scrolling list of the main windows.
The titles are General, Help, Override, Settings, Log and Privileges.
The General window is always selected when you enter Gatekeeper Controls.

It is really nice to be able to view the log file while in the control panel.
It's even very nicely formatted. You can select a privilege violation, and
click on a get info button to get very useful info about the violation.
Clicking on the grant privilege button automatically grants the
offending program the necessary privileges.

If anyone has any specific questions about how the interface in 1.2 looks,
I'll be glad to answer them, it just might take me a while to scrape together
the time to do it.

Robert Stewart
[email protected]
University of Texas at Austin

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 69]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253