VIRUS-L Digest Friday, 10 May 1991 Volume 4 : Issue 79
Today's Topics:
SNEAK: Not for real... (Mac)
Odd 77-byte files (PC)
Packard-Bell (PC)
Washburn (Was: Re: TSR Virus Detector (PC))
A Partition sector virus called Modem (PC)
Re: TSR Virus Detector (PC)
Re: Viral or other problem? (Mac)
re: The Shape of the World (PC)
Re: Virii in Factory Software; Legal Stuff; "Eddie Lives"
re: The Shape of the World (PC)
Review of Certus LAN (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 09 May 91 10:36:57 -0400
From: Joe McMahon <[email protected]>
Subject: SNEAK: Not for real... (Mac)
Sigh. I will reiterate for those who do not yet know.
1) SNEAK is not a virus. It was an attempt by the author of Interferon
to try to catch unnamed possible viruses. It looks for a certain
pattern of jumps between code segments and labels that pattern a
possible virus. It so happens that there may very well be reasons
for a normal, non-viral program to use this pattern. As a matter
of fact, TOPS *does*. Bingo, a false positive for the SNEAK virus.
2) Interferon has not had any work done on it for a long, long time.
If it is your sole means of detecting viruses, you have a problem.
You should get a copy of the latest version of Disinfectant *now*.
There are at least 5 viruses that Interferon will not detect, not
counting the 438 (OK, I exaggerate. Slightly.) variants of nVIR,
which it does *not* detect in a generic way.
Please. Tell your co-workers to dump Interferon *and* Vaccine, and to
use Disinfectant and its INIT instead. You'll be much safer, and you
won't have to deal with these false positives.
--- Joe M.
------------------------------
Date: 09 May 91 14:00:24 +0000
From: [email protected]
Subject: Odd 77-byte files (PC)
Some utility on my PC (running MS DOS 3.3) has been creating several
hundred hidden files. All had a filename of an existing COM or EXE
file, but with the corresponding extension ._OM or ._XE, and all were
77 bytes long. The files are all deleted -- sorry not to have saved a
copy -- and no available virus scanning utility reports any odd files
anywhere. Has anyone seen this elsewhere?
A. V. Le Blanc
Manchester Computing Centre
University of Manchester
[email protected]
------------------------------
Date: Thu, 09 May 91 15:55:59 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Packard-Bell (PC)
For those having problems. (800)767-9898 appears to be a tech support
line for Packard-Bell.
Padgett
------------------------------
Date: 10 May 91 08:41:32 +0000
From: [email protected] (Fridrik Skulason)
Subject: Washburn (Was: Re: TSR Virus Detector (PC))
[email protected] (Y. Radai) writes:
>V2P1 (better known as the 1260) was distributed publicly, and while it
>is not itself destructive, someone evidently used its disassembly as
>the basis for the Casper virus, which is quite destructive.
The source to Casper is in circulation and it is obviously not based
on a disassembly, but rather the original source of V2P1, which
somebody must have obtained from Washburn.
-frisk
Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: [email protected]   Fax: 354-1-28801
------------------------------
Date: Fri, 10 May 91 07:46:17 -0500
From: Josep Fortiana Gregori <[email protected]>
Subject: A Partition sector virus called Modem (PC)
A virus apparently called "MODEM" has been found on our machines. It
is a boot sector virus on diskettes, and on hard disks it infects the
partition sector and the FAT.
The local representatives of McAfee antivirus products here in
Barcelona (DATAMON S.A.) have been distributing, for some weeks now,
the following script with the strings that allow the SCAN program to
detect it:
"566972757320416e7469202d20432e542e4e2e452e2076322e" VIRUS MODEM1
"e800008bdcb6?33c9b2?fa5151" VIRUS MODEM2
"7C33C0FA8ED08BE3FB8ED8A1130448A3" VIRUS MODEM3
I can't understand why it has not been included in the current version
(release 77) of the scan program, as it seems to have been well
identified since release 76 or before.
Josep
Josep Fortiana                  phone : 3308851 ext. 200
Departament d'Estadistica       E-mail: [email protected]
(Facultat de Biologia)
Universitat de Barcelona
Av. Diagonal 645
08028 - Barcelona
SPAIN
------------------------------
Date: Thu, 09 May 91 19:16:34 +0300
From: [email protected] (Esa Holmberg)
Subject: Re: TSR Virus Detector (PC)
[email protected] (Y. Radai) writes:
> The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and
I'm afraid you have tested the wrong program; F-DRIVER would be the
actual resident virus tester of the F-PROT package, not F-LOCK. I
wonder what the results would look like with F-DRIVER instead of
F-LOCK?
--
Esa Holmberg -- [email protected], [email protected], [email protected]
fax : +358 21 510 017, Elisa : Holmberg Esa TTL
------------------------------
Date: 09 May 91 19:06:25 +0000
From: [email protected] (Chuck Hoffman)
Subject: Re: Viral or other problem? (Mac)
[email protected] writes:
> I get messages stating either that the document type is
> unknown (the documents were created with resident applications on an
> older machine!)
You can get this a couple of ways:
. Your DeskTop file for your hard disk could be corrupted. To
correct, boot the system while holding down the Command and Option
keys until you get the dialog prompt to rebuild the DeskTop. You also
can correct it on an application by application basis by clicking on
the application, rather than the document, and selecting Open from the
application's File menu.
. The vendor of software may have changed the product's four
character signature from the version you have on the older machine to
the version you have on the newer machines. I believe MacDraw-II did
change between Release 3 and Release 4. To correct, either install
the older version of the software on your new system (ugh!) or, as in
the case of MacDraw-II, click on the application, then open the
document from the application's File menu, hoping the software will
convert from old format to new.
> My local Apple techie has told
> me to remove 6.0.7 and install 6.0.5 to correct the problem (seems
> that 6.0.7 and certain Mac models have problems?).
That's a new one on me. I use 6.0.7 and all three of the products you
mentioned on all kinds of Mac-II's. Out of memory usually means just
that. To check, click on the small icon in the upper right corner of
your screen (I'm assuming you run MultiFinder) to get back to the icon
of a little Mac, then select "About the Finder" from the Apple menu.
Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here,
[email protected] | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131 | here, we're supposed to help
GTE VoiceNet: 679-2131 | each other.
GTE Telemail: C.HOFFMAN |
------------------------------
Date: Fri, 10 May 91 00:39:54
From: [email protected]
Subject: re: The Shape of the World (PC)
>From: "David.M.Chess" <[email protected]>
>
>Do these two things match the experience of other anti-virus workers?
>Can anyone give some examples of viruses that were at one time thought
>to be "collector only", but later showed up in the wild? (Very
>isolated incidents, such as the rather obvious direct 'seeding' of an
>end-user machine with a stupid virus like the Whale, don't really
>count.)
>As a sort of a spot-check, has anyone ever seen any of the
>"Anti-Pascal" viruses (AP-400, -440, -480, -529, -605, I think they
>are; something like that) infecting an end-user machine? (I ask about
>these just because they're sort of prototypical "collector-only"
>viruses; rather stupid, and seemingly unlikely to spread.)
Dave: A telling anecdote: at the Trenton Computer Fair last month,
about 100 people crammed into a room to hear about some of the new
viruses. When asked who had been infected with a virus, about 80% of
the people raised their hands. I asked those infected with Jerusalem,
Stoned and Ping-Pong to drop their hands. One hand was left. Cascade.
This loud cry for protection against research-only viruses is quite
bothersome -- the numbers game we have to play (as a vendor) in order
to counter "my scanner can beat up your scanner" type of games is
sorta foolish -- yet we must play the game.
Ross
------------------------------
Date: Thu, 09 May 91 15:48:00 -0700
From: [email protected] (Greg Broiles)
Subject: Re: Virii in Factory Software; Legal Stuff; "Eddie Lives"
[email protected] (William Walker C60223 x4570) writes:
>One unrelated comment: I had thought that the phrase, "Eddie lives...
>somewhere in time" referred to the film "Eddie and the Cruisers," in
>which the lead singer is thought to be dead, but no one is 100% sure.
>Sorta like Elvis, huh? ;-)
No, this is (I think) pretty clearly a reference to an Iron Maiden
album, "Somewhere in Time" (released 1986? 1987?). Iron Maiden
features some sort of skeleton-monster mascot on their album covers
named "Eddie".
>Bill Walker ([email protected])       | "If you were locked in a room with
>OAO Corporation                         | Saddam Hussein, the Ayatullah, and
>Arnold Engineering Development Center   | a lawyer, but you had only two
>M.S. 120                                | bullets, which would you shoot?"
>Arnold Air Force Base, TN 37389-9998    | "I'd shoot the lawyer twice."
old signature - address bad!
--
".. organized crime is the price we pay for organization." - Raymond Chandler
Greg Broiles | CI$: 74017,3623 | [email protected]
Peacenet: gbroiles | WWIVnet: 1@5312 | MCIMail: gbroiles
------------------------------
Date: Thu, 09 May 91 12:36:41 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: re: The Shape of the World (PC)
>From: "David.M.Chess" <[email protected]>
>1) Most viruses in the collections of anti-virus worker have, as far as
> anyone knows, never been found on an end-user system.
True, most of the 500+ viruses are too stupid or blatant to spread
very far on their own. Like any emerging industry (did you know that
in the early 1900's there were over 2000 manufacturers of automobiles
in the US?), there are a large number of attempts before an effective
"product" is found. However, what we are seeing now are refinements of
the "best" of the first generation products; the dead ends are obvious
to anyone who seriously reviews the literature.
>2) That is, it's very rare for a virus from the "collectors only" category
> to move into the "in the wild" category.
Probably true for now, but only demonstrates the poor "quality" of
most viruses.
------------------------------
Date: Thu, 9 May 91 12:36:41 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: re: Virii (sic) in Factory Software
>From: "William Walker C60223 x4570" <[email protected]>
>In both of these instances, the manufacturers took full responsibility
>and made efforts to remedy the situation, once they were informed of
>the problem.
Am glad to find that some manufacturers (Aldus, Bitcom) take their
responsibilities seriously. I'm still bothered that infected disks
were sent out in the first place, however up through 1989 such
ignorance was excusable. In 1991 IT IS NOT.
>Also, how do you know they're NOT checking the disks? Suppose they're using
>VIRUSCAN V74, which won't find Azusa. Or worse, suppose they're using Norton
>Antivirus.
Then they are worse than negligent, they are stupid! (personal
opinion). A manufacturer should know what every byte on their
distribution disks should be and use this for comparison, not generic
commercial signature checkers that contain disclaimers that only known
viruses will be detected. ANY change from what is supposed to be on
the disks should be detected. One would expect any effective
statistical QA procedure to include this.
I can see coming shortly large users requiring from
manufacturers/distributors certification that their distributions are
free from any malicious software. Governmental organizations will
probably be first.
Warmly, Padgett
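The "know what every byte on the distribution disk should be" check that Padgett describes is a golden-image manifest comparison rather than a signature scan. The following is an added example, not code from the digest or from any vendor discussed in it: it hashes every file under a directory (hidden files included, since the hidden 77-byte ._OM files reported earlier in this digest are exactly what a manifest should catch), then reports anything added, removed or modified relative to the master. SHA-256 is an assumption standing in for the unspecified "checksum or CRC"; the files and the tampering in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: SHA-256 stands in for the "every byte" comparison the post calls
# for; the page itself only says "checksum or CRC".
HASH_NAME = "sha256"


def hash_file(path, chunk_size=65536):
    """Hash one file in chunks so a large distribution image is never loaded whole."""
    h = hashlib.new(HASH_NAME)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` ('/'-separated relative path) to its digest.
    Hidden files are included deliberately: a manifest that skipped them would
    miss the hidden ._OM files reported elsewhere in this digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(expected, actual):
    """Report ANY deviation from the golden image, not just known signatures."""
    exp, act = set(expected), set(actual)
    return {
        "added": sorted(act - exp),
        "removed": sorted(exp - act),
        "modified": sorted(p for p in exp & act if expected[p] != actual[p]),
    }


def write_file(root, rel, data):
    """Helper for the constructed scenario: create `rel` under `root` with `data`."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a golden master is manifested, then a copy is
    tampered with (one file grown, one hidden file added, one file removed)."""
    with tempfile.TemporaryDirectory() as master, tempfile.TemporaryDirectory() as copy:
        files = {  # constructed sample contents, not real distribution files
            "INSTALL.EXE": b"MZ\x90\x00" + b"\x00" * 60,
            "DATA/README.TXT": b"Golden master, release 1.0\r\n",
            "DATA/SETUP.COM": b"\xeb\x10\x90" + b"\x90" * 40,
        }
        for rel, data in files.items():
            write_file(master, rel, data)
            write_file(copy, rel, data)
        golden = build_manifest(master)

        # Deviations a manifest check reports and a known-virus scanner would not.
        write_file(copy, "DATA/SETUP.COM", files["DATA/SETUP.COM"] + b"\xcc" * 8)
        write_file(copy, "DATA/SETUP._OM", b"\x00" * 77)
        os.remove(os.path.join(copy, "DATA", "README.TXT"))

        return compare_manifests(golden, build_manifest(copy))


if __name__ == "__main__":
    print(demo())
```

The manifest itself must of course be kept off the disk it describes, or signed, otherwise whatever altered the disk could alter the manifest too; that is the same caveat the Certus review later raises about a boot-sector copy taken from an already infected system.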
------------------------------
Date: Thu, 02 May 91 21:20:48 -0700
From: [email protected] (Rob Slade)
Subject: Review of Certus LAN (PC)
Coincidentally, there was a recent request for information on Certus just
as I was finishing this ...
[Ed. This review is also on-line (with the rest of the independent
reviews) for anonymous FTP on cert.sei.cmu.edu in
pub/virus-l/docs/reviews.]
Comparison Review
Company and product:
Certus International
13110 Shaker Square
Cleveland, Ohio 44120
USA
216-752-8181
fax 216-752-8188
800-722-8737
Certus LAN version 2.0
Summary:
Scanning, change detection and operation restricting software,
particularly for LANs.
Cost
Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
     Installation          1
     Ease of use           3
     Help systems          3
Compatibility              2
Company
     Stability             2
     Support               3
Documentation              2
Hardware required          3
Performance                2
Availability               3
Local Support              ?
General Description:
A suite of programs and utilities to provide for security and hard disk
integrity, with special attention paid to compatibility with LAN
systems. Most important are CERTUS, resident change detection and
operation restricting; CERTUSVS, signature scanning; QUICK, program
approval/verification and attribute setting utility; and BOOTLOCK,
protection of the hard disk against password access bypass or boot
sector infection from booting off a floppy. VSRES, stated to be a
resident signature scanning program, was not available in the package
received for review. A number of other utilities verify or safeguard
system areas or CMOS, and the system will provide a "Critical disk" to
help recover from hard disk failures.
Comparison of features and specifications
User Friendliness
Installation
Disks are shipped write protected, but on writable disks. Files on the
disk are marked with read-only attribute.
Directions in the documentation are to give the command INSTALL CERTUS.
When installing to a disk for which the defaults are not appropriate
this gives an error message regarding disk space, along with the
injunction to "Press any key: Install will terminate". The program does
not terminate unless the ESC key is pressed.
Although the system requirements are stated to be only one floppy drive
for installation, the program will not install onto a floppy drive.
The documentation states that "default" installation and operation of
CERTUS is for security level 3, which means that "new or modified"
programs will generate an alert, but the user has the option of allowing
them to run. This is not the case: by default CERTUS apparently runs at
security level 1 and will not allow any "new" program to run, including
programs from the Certus package. This allows the possibility of
"locking up" the system on installation.
Although non-standard installation of Certus should not be attempted by
other than experienced personnel, the problem of installation in a large
and disparate user environment has been addressed in the form of a
"clone" installation option, whereby a specialised installation can be
made once and then "copied" to subsequent machines.
The documentation states that installation is possible with as little as
50K free space available on disk, but details of the operation of each
program, and of the necessity for each program, are not sufficiently
clear in the documentation to make this a simple operation, even for
skilled personnel.
Ease of use
All programs in the package can be run with command line switches, even
those that are interactive and present windows and menus. This dual
access is much appreciated by experienced users. Options and defaults
in the interactive programs, however, are not always well chosen, and
the features and implications of some choices will not always be clear
to naive users (cf the choice of "Quick" scanning as the default in
CERTUSVS.)
Help systems
Onscreen help is available for any interactive program in the package
through the F1 key. Help is context sensitive, but cannot be obtained
for the package as a whole.
Compatibility
The package is said to be compatible with Windows 3, but this
"compatibility" is strictly limited. The resident portion of the
program will pass an alert to Windows, and windows will generate an
error message before an infected file is run, but the message to the
user will only state that an unknown error has occurred before the
attempt to run the program is aborted.
Any utility software which attempts any direct disk writing will come
into conflict with CERTUS, and therefore it is suggested, by Certus,
that any such programs be run from batch files which will disable CERTUS
operations during the invocation of the utility program. As protection
levels are set "globally" and cannot be determined for individual
programs, this is the only means of running programs which use direct
disk writes or "self-modifying" programs such as Word Perfect (which
would otherwise be prevented from running because of being "altered".)
This leaves a security hole for the infection of such programs.
One function of the program is "validity checking" of known "good"
program signatures (checksum or CRC is not made clear.) The "Certus
Blue Disk" contains a file of shareware signatures which is said to be
updated quarterly. Of the ten programs I checked for, six were unknown
to the program, and of the remaining four (CED, MS/PC/KERMIT, SCAN and
LIST), none of the entries matched any of the versions I have.
Company Stability
Certus is apparently the successor to FoundationWare. Certus currently
has a significant presence in security/integrity software, particularly
in LAN installations. The company is presently sponsoring research into
the size of the virus problem.
Company Support
Technical support phone numbers are listed for voice, fax and BBS.
Documentation
Certus' hardcopy documentation is well written and uses appealing and
effective layout. While the content and progression should be easily
understandable by a naive computer user, the size of the manual would be
daunting. For experienced users the lack of explanation of certain
injunctions and the "delay" in explaining operations (explanation of the
individual program towards the back of the manual) is frustrating. The
necessary "positioning" of commands to call the various programs from
CONFIG.SYS and AUTOEXEC.BAT is never discussed for some of the programs,
and what discussion there is must be searched for under various
locations in the manual. This is a pity, since the strengths of the
package require well informed installation and choice to be most
effective.
The disk documentation file (README.CTS) is stated in the hardcopy
documentation to be, variously; special instructions for installation on
infected systems, a "bare bones" installation procedure and the latest
information on the program. The file contained with my version did
contain some changes, but was primarily concerned with omissions from
the printed manual and problems with Windows compatibility.
Hardware Requirements
While the box and documentation state that a minimum of one floppy drive
is required for installation, default installation requires a hard disk
with at least one megabyte of free space.
Performance
CERTUS will not, of course, prevent infection of the computer memory or
hard disk by booting from a boot sector infected floppy disk. CERTUS
does provide checking for direct disk writes, and so in theory is able
to prevent spread of boot sector infectors even when the computer is
infected, but in practice this is, by default, limited to the hard disk.
Therefore, CERTUS does not, by default, protect against spread of
infection by such viral programs as "Stoned" and, in testing, did not do
so.
The security "hole" provided by booting from an infected floppy disk is
said to be covered by the use of the CHKBOOT and BOOTLOCK programs.
CHKBOOT checks the boot sector at startup and compares it with a stored
copy of the boot sector as it was at installation. This, of course,
does not address the problem of an existing boot sector infection at the
time of installation, nor would it suffice to catch a "stealth" boot
sector infection. The BOOTLOCK program promises considerably more. It
is stated to, once installed, run "before any other part of DOS or the
operating system is loaded, and before any part of the hard disk boot-up
has been performed." This, together with the statement that BOOTLOCK
prevents booting from the A: drive, indicates a replacement of the
partition boot record, and possibly a non-standard formatting of the
hard disk system areas. I must admit that at this point my nerve gave
out: BOOTLOCK will not be fully tested until I have access to a
redundant hard drive.
(Certus is not very forthcoming about the dangers inherent here. The
closest they come to admitting that you can be locked out of your own
computer is in the statements "... [if] you lose ... your passwords ...
[Certus] will not be useful in gaining access to your computer ... " (p.
142) and "Losing your password can be very unforgiving if your system is
fully secured with Certus and BOOTLOCK." (p.148) Caveat emptor.)
The CERTUSVS scanning program is exceptionally slow, particularly when
checking memory. (So much so that during testing several runs were
aborted by rebooting under the mistaken impression that the program had
"hung". Scanning 640K of memory on an original IBM PC will take over 20
minutes.) When an infected program is detected, the screen is "shifted"
up one line, then a second (never more than two) and never corrected so
that it becomes difficult to read.
Also, of the scanning programs reviewed so far, CERTUSVS has the poorest
record for identifying viral infections, identifying just over half of
the relatively common infections presented to it. An unusual feature,
in a scanning program, is that by default it checks only the first and
last 2K of any file, and therefore will only find appenders, prependers
or overwriters that happen to be close to the beginning or end of the
file.
CERTUSVS does not provide any disinfection functions other than an
overwriting deletion.
Local Support
None available.
Support Requirements
Basic installation of the program is possible for a naive user, but
problems are likely if the defaults, as initially obtained by the
package, are used. Installation by experienced support personnel will
give best results, but even sophisticated users will require a period of
thorough testing of the product before the system can be used on a
trouble free basis. The more advanced (and secure) features definitely
require supported installation to ensure that the user isn't "painted
into a corner" and locked out.
General Notes
The documentation makes many claims which give the impression that the
Certus package is a complete disk and computer management system, and
that other utilities are unnecessary. The problem with running other
utility software is constantly downplayed. The protection provided by
the program, while potentially very powerful, is overplayed to the point
of being inaccurate. (For example, the documentation states that file
attributes cannot be set or altered except through the use of the QUICK
program.) Also, the documentation emphasizes the utility of the
"Critical Disk", which will be helpful in recovering a lost boot sector
or MBR/PBR, but will not help in the case of a "hard failure."
The package potentially provides significant protection against viral
program attacks, but possibly at the cost of functionality of the
computer system. Careful installation should alleviate most problems.
A period of testing and tuning of the installation should be provided
for before the installation is considered complete.
copyright Robert M. Slade 1991   PCCERTUS.RVW 910502
=============
Vancouver Institute for Research into User Security   Canada V7K 2G6
[email protected] | [email protected] (SUZY) INtegrity
"Don't buy a computer." - Richards' First Law of Data Security
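Two passages in this digest concern signature scanning: the SCAN signature script quoted in the MODEM message, and the review's observation that CERTUSVS by default checks only the first and last 2K of a file. The following added example (not code from the digest, from McAfee, or from Certus) parses the quoted `"<hex>" VIRUS <name>` lines into byte patterns and then runs the same signatures two ways, over the whole file and over a head-and-tail window only, to show how a pattern sitting in the middle of a file escapes the windowed scan. Assumptions: a `?` in the hex string stands for exactly one unknown byte (the digest does not state SCAN's wildcard rule), the window is 2048 bytes, and the sample "files" are constructed filler with a matching byte string planted at a chosen offset.

```python
import re

# The three signature lines quoted in the MODEM message earlier in this digest.
SIGNATURE_SCRIPT = '''\
"566972757320416e7469202d20432e542e4e2e452e2076322e" VIRUS MODEM1
"e800008bdcb6?33c9b2?fa5151" VIRUS MODEM2
"7C33C0FA8ED08BE3FB8ED8A1130448A3" VIRUS MODEM3
'''

LINE_RE = re.compile(r'^"([0-9A-Fa-f?]+)"\s+VIRUS\s+(\S+)$')


def parse_signatures(script):
    """Turn each '"<hex>" VIRUS <name>' line into (name, compiled bytes regex).
    Assumption: a '?' stands for exactly one unknown byte."""
    sigs = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable signature line: {raw!r}")
        hexpat, name = m.groups()
        parts, i = [], 0
        while i < len(hexpat):
            if hexpat[i] == "?":
                parts.append(b".")  # any single byte
                i += 1
            else:
                parts.append(re.escape(bytes.fromhex(hexpat[i:i + 2])))
                i += 2
        sigs.append((name, re.compile(b"".join(parts), re.DOTALL)))
    return sigs


def scan_full(data, sigs):
    """Scan the whole buffer; return sorted (name, offset) pairs for every hit."""
    hits = [(name, m.start()) for name, pat in sigs for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_head_tail(data, sigs, window=2048):
    """Scan only the first and last `window` bytes, the default the review
    attributes to CERTUSVS. Tail hits are mapped back to file offsets."""
    if len(data) <= 2 * window:
        return scan_full(data, sigs)
    tail_base = len(data) - window
    hits = scan_full(data[:window], sigs)
    hits += [(n, off + tail_base) for n, off in scan_full(data[tail_base:], sigs)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def build_sample(total, offset, payload, filler=b"\x90"):
    """Constructed test file: `total` filler bytes with `payload` planted at `offset`."""
    buf = bytearray(filler * total)
    buf[offset:offset + len(payload)] = payload
    return bytes(buf)


# Constructed byte strings that satisfy two of the signatures (wildcards set to 0x01).
MODEM1_BYTES = bytes.fromhex("566972757320416e7469202d20432e542e4e2e452e2076322e")
MODEM2_BYTES = bytes.fromhex("e800008bdcb601" "33c9b201" "fa5151")


def demo():
    """Same signatures, two scan strategies, over two constructed 10000-byte files."""
    sigs = parse_signatures(SIGNATURE_SCRIPT)
    near_start = build_sample(10000, 100, MODEM1_BYTES)   # inside the head window
    in_middle = build_sample(10000, 5000, MODEM2_BYTES)   # outside both windows
    return {
        "near_start_full": scan_full(near_start, sigs),
        "near_start_windowed": scan_head_tail(near_start, sigs),
        "in_middle_full": scan_full(in_middle, sigs),
        "in_middle_windowed": scan_head_tail(in_middle, sigs),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:22s} {hits}")
```

The windowed scan is a speed trade-off that only holds for infectors that attach at the head or tail of a file; anything that places its code elsewhere, or an infected file the windows happen to straddle, is missed, which is the limitation the review points out.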
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 79]
*****************************************