VIRUS-L Digest Tuesday, 14 May 1991 Volume 4 : Issue 81

VIRUS-L Digest Tuesday, 14 May 1991 Volume 4 : Issue 81

Today's Topics:

Joshi Virus questions (PC)
Into the 1990's
FLIP or OMICRON (PC)
Stealth viruses (PC)
Virii (sic) on Factory Software & Legal Issues
re: The Shape of the World (PC)
Re: TSR Virus Detector (PC)
Gatekeeper 1.2 released (Mac)
Comparing virus scanners (PC)
Trojan version of VIRUSCAN version 78 (PC)
Re: SCAN hangs while checking Window's SOL.EXE file (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 13 May 91 14:05:12 +0000
>From: [email protected] (Kate Wilson)
Subject: Joshi Virus questions (PC)

After months of fighting the Stoned virus, we now have had at least one
occurance of Joshi. There are a couple questions I have about this
virus -

First, the infected machine was checked (by me) using McAfee's Scan76 on
Monday. On Tuesday the PC started having "real time clock errors". By
Wednesday morning it wouldn't boot - hung up when it hit the first line
of the config.sys file. After several hours of troubleshooting, we
checked for viruses again, and this time Joshi showed up. The user
swears she hadn't used ANY floppy disks in the last couple days (not even
her own)...I don't known anything about this virus - what are the typical
symptoms? Is there some time delay before it activates?

Second question: according to VIRLIST.TXT included with the McAfee program,
Joshi corrupts data files. Does this mean that it could reside in a data
file, or just that it could damage them? I always thought that viruses
only damaged executable files. If I had scanned the PC using SCAN /A (to
scan all files, not just executables) might I have caught this sooner?

Kate Wilson
UT School of Public Health
Houston, TX [email protected]

------------------------------

Date: Mon, 13 May 91 11:21:18 -0400
>From: Padgett Peterson <[email protected]>
Subject: Into the 1990's

First I would like to offer an apology to Ross Greenberg (Flu-Shot)
and Fridrik Skulasson (F-Prot). You can count on your fingers the
number of people who have made real contributions to the anti-viral
scene and these are two of them. My choice of words ("You get what you
pay for") in the circumstances was unfortunate.

At the same time, I constantly deal with more and more users of PCs
who could care less what kind of platform they are dealing with, all
they are interested in is their spreadsheet/publications/
communications capability. These people are not interested in which
strain of the 4096 they have been infected with, their concern is that
the machine is operating properly and without any hidden "extras".

Consequently, those techniques that were developed when mere ownership
of a PC qualified one as a "hacker" (in the original sense), are more
suited to the technicians who are paid to understand the architecture.
What the user needs to know is that SOMETHING has happened and that a
technician is needed to interpret WHAT - wheter it be a problem caused
by power supply (I see a lot of these), drive, ICs, or malicious
software.

Today, viruses seem to account for on the order of 10-20% of the
trouble calls I get. They are significant enough to warrant avoidance
measures, but not anything to panic about.

The fact of the matter is that today EVERY "common" virus allocates
resources to itself, most in obvious manners, and all are detectable
to the user/program that bothers to look. Trojans & logic bombs as
well as simple failures are another matter entirely but protection is
possible (just not as "glamorous").

Since the PC (and MAC) have only rudimentary integrity checking built
in, the first order of business should be to add-on some additional
measures to ensure the validity of the machine. Because problems
(including malicious software) can begin at the BIOS level, so must
integrity checking.

The real point I have been trying to make for some time is that such
checking IS NOT DIFFICULT, orders of magnitude less than what it takes
to write a good word processor, it just has not been done yet.

There are some guidelines and dead ends to be avoided: for example
McAfee's SCAN /AV adds ten bytes of authentication to each program
that can be retrieved by the resident VSHIELD program. Enigma-Logic's
Virus-Safe stores the checksums in a single separate data file. Either
is to be preferred to Norton's Anti-Virus method which reportedly
creates a 77 byte file for each executable since given a disk like
mine with 1100 executables and 2k clusters, this would take up over 2
Mb for those 77 byte files. With an 8k cluster size such as I have
seen on many machines, we would be talking almost 9 Mb (each file
takes up at least one cluster). Few users could afford this.

Consequently, IMHO the first priority should be given to a resident
integrity checking package designed for the single user system that
uses authenticated data paths to each peripheral, and adds the program
validation and permission process that exists on mainframes. The major
difference would be that instead of user privileges we would have a
set of program privileges on record.

In this way, if a program were permitted to go resident, this
attribute would be recorded and the location, hooked vectors, size,
and memory checksum would be kept on file. Similarly, a self modifying
program such as WordPerfect would be permitted to do so, but only to
its own executables.

I also believe that in the near future, signature scanning programs
will be limited to the technicians, researchers, and hobbyists who
need such sophisticated tools, and will not be in general use by the
average user.
Comments welcome,
Padgett

------------------------------

Date: 13 May 91 11:32:00 +0200
>From: [email protected]
Subject: FLIP or OMICRON (PC)

Hello everybody

I have an IBM Clone 386/25 and suddenly I detected a virus with the
following outlook.It converted EXE-,COM- and BAT-Files to files with
the name of the little greek letter GAMMA and the attributes
Read-Only,System,Archive and Hidden, though the files couldn't be
deleted. After having detected it with two different programs
(VIRScan, TNTVirus) I had two different names of the virus: FLIP ,
OMICRON.

Now my questions:
1) Is 'FLIP' another name for 'OMICRON' ?
2) Infected files can be desinfected by TNTVirus 7.02. Are these
files after desinfection 100% executable ?

Many thanks in advance to everybody who can send me an answer !

Pascal

------------------------------

Date: Mon, 13 May 91 11:19:24 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Stealth viruses (PC)

I am working on an article on "stealth" viruses, and was wondering if I had
missed any of them - here is my list:

Boot sector stealth viruses: Azusa, Brain, EDV, Evil Empire, Joshi and
Spanish Telecom (boot)

Program stealth viruses: Fish6, Frodo, INT13, Number of the Beast, Whale
ZeroHunt (Minnow)

Note that I do not consider any of the following program viruses to
belong to the "stealth" category, as they only fulfill one of the two
necessary conditions (hiding increase in length), but make no attempt
to hide the virus code, when an infected file is read.

3445, Diamond, Dir, Eddie-2000, Eddie-2100, Eddie-2, MG, PcVrsDs,
Spanish Telecom (file), SVC 4.0 and Zero Bug.

Did I overlook something ?

- -frisk

Fridrik Skulason Technical Editor of the Virus Bulletin (UK)
(author of F-PROT) E-Mail: [email protected] Fax: 354-1-28801

------------------------------

Date: Mon, 13 May 91 13:56:58 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Virii (sic) on Factory Software & Legal Issues

>From: [email protected] (Rob Slade)
>Padgett: We must sue the vendors!

Well, this isn't quite what I said, however what we have here is a
simple lesson in perception and economics. Quality assurance, which
includes sampling and integrity validation (what we are shipping is
what we said we would ship), has a cost.

Traditionally, the most difficult cost centers to justify are security
and quality assurance since anything they find can keep the product
from going out the door. In the case of security, the risk is
apparent, but quality assurance is usually the result of contractual
clauses that specify it.

Most electrical appliances carry the Underwriters Laboratories seal of
approval because vendors have discovered that the seal works both
ways, protecting both the consumer and the vendor.

The problem is that with software, there is no such seal, nor is there
any demand for one. To the vendors, QA is not a justifiable expense at
the disk level since there is no requirement for it. Similarly, if a
problem is discovered, most vendors will try to sweep it under the rug
since to admit that a problem exists would open them to liability and
lost sales. Since at present there is no risk in doing so, it is the
exceptional company that will "go public" with a problem.

The only way this is going to change is if the risks of not "going
public" becomes greater than the risks from "going public". Hopefully,
the cost of either will also make effective QA cost effective. Hence
my comment "bring in the lawyers", not necessarily to sue, but to
explain such concepts as "culpable negligence" in such a way that
no-one can plead ignorance & the corporate managers can go to their
bosses for QA funding with some hope of success.

Unfortunately, as with the SPA, it is probably going to take a few
publicised civil actions before the vendors are going to do the "right
thing", I was surprised a year ago that it had not already happened.
Of course a full recall of all such software is a bitter and expensive
pill for a company to swallow (and why most automotive recalls, while
always publicised as "for our customer's safety" by the manufacturers,
are often the result of a tooth & nail fight with NHTSA (did I get the
letters right ?) before they become official.

At the moment there is no computer industry "NHTSA" (and few qualified
people who would be willing to serve on it).

Having been in the corporate world since leaving the unfriendly skies
of SouthEast Asia. I KNOW that there must be good people at companies
like Packard-Bell who are being forced to follow a "party line"
against their better judgement (incidently, from what I have seen, the
equipment is pretty good and reasonably priced).

However, this does not help the customer with their third largest
investment (?) who finds their PC useless shortly after arriving home,
something that is going ultimately to hurt the entire industry for
some time to come (see below).

>From: Peter Jones <[email protected]>
>Subject: Re: Packard-Bell (PC)

>Perhaps the recent sightings are due to diskettes remaining in
>storage for 6 months or so.

Quite likely, though the reports of the Azusa are new. However,
considering how these units are sold (department stores, mail order),
that inventory is liable to be around for quite some time to come. You
would think that the manufacturer could at least identify which lots
and models are liable to have infected disks, certainly the two
viruses involved (MusicBug & Azusa) are easy to identify & the
distribution disks reported to be infected (COMBASE, TVGA, & SVGA) are
limited.

In short, while I am sure that Ken will be glad to see an end to this
issue, to me it is a vital one that we can either learn from and
insist on safeguards from those best able to provide them, or have the
interesting experience of repeating it again in another six months or
so.

Warmly,
Padgett

------------------------------

Date: 13 May 91 09:50:26 -0400
>From: "David.M.Chess" <[email protected]>
Subject: re: The Shape of the World (PC)

>From: [email protected]
>
>This loud cry for protection against research-only viruses is quite
>quite bothersome -- the numbers game we have to play (as a vendor) in
>order to counter "my scanner can beat up your scanner" type of games
>is sorta foolish -- yet we must play the game.

Must we? Or rather, given that we must at the moment, must we always?
Is there any hope that the anti-virus community might band together
(for a moment, at least!) and decide that the numbers game shall be
played ONLY with viruses that have appeared in reliably-confirmed
real-world incidents? I'm not sure; the hope that we might is part of
why I asked those questions. It would mean restraining ourselves in
advertising and in talking to the press, getting publications like the
Virus Bulletin (and others less respectable) to stop using 300+
viruses, including losers like the Anti-Pascals, in their evaluations,
and so on.

It might be marketingly impossible, of course. On the other hand, is
it possible that eventually people making buying decisions will get
tired of "We Detect 100 More Viruses Than Our Competitors!!!" sorts of
claims, and be more impressed by "We Detect Every Virus Known To Have
Caused A Real Infection, and We're <faster, cheaper, easier to use,
etc>"?

DC

------------------------------

Date: 12 May 91 09:25:06 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Re: TSR Virus Detector (PC)

[email protected] (Esa Holmberg) writes:
>[email protected] (Y. Radai) writes:
>
>> The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and
>
> I'm afraid you have tested a wrong program; F-DRIVER
> would be the actual resident virus tester of the F-PROT
> package, and not F-LOCK. I wonder, what the results
> would look like with F-DRIVER instead of F-LOCK ?

Well, no - Y. Radai tested the correct program - the important
question was not how effective the programs were against KNOWN
viruses, but rather how effective they were against the methods used,
and how effective they would be against new viruses using those
methods.

I had a version of F-LOCK which was able to stop all the viruses from
accessing the system directly, but I removed that feature in version
1.08, (I think) as it conflicted with some programs, including my
cache program.

Besides - I don't currently put much emphasis on the F-LOCK part of my
package, for two reasons - it does not work with Windows (F-DRIVER
will), and it is being rewritten for version 2.0

Regarding version 2.0, which was originally scheduled to be released
two months ago - I have been seriously considering to change the name
of the product. The most likely new name is taken from the Greek
mythology, 'Argus' - the name of the hundred-eye all-seeing giant.

Any suggestions ?

- -frisk

Fridrik Skulason Technical Editor of the Virus Bulletin (UK)
(author of F-PROT) E-Mail: [email protected] Fax: 354-1-28801

------------------------------

Date: 13 May 91 15:40:21 +0000
>From: [email protected] (Robert Stewart)
Subject: Gatekeeper 1.2 released (Mac)

Machine Name IP Number
------------ ---------
ix1.cc.utexas.edu 128.83.1.21
ix2.cc.utexas.edu 128.83.1.29
bongo.cc.utexas.edu 128.83.186.13
sumex-aim.stanford.edu 36.44.0.6

I can vouch for its existence at bongo, having retrieved it from there
this morning. In addition to this list of features in the announcement
on comp.sys.mac.announce (very similar to the list I posted a week or
so ago), the new versions do some self-validation checks in an attempt
to determine whether they have been corrupted, and they also provide
more informative error messages.

Robert Stewart
[email protected]

------------------------------

Date: Mon, 13 May 91 19:05:53 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Comparing virus scanners (PC)

What follows is a table comparing several virus scanners. I am
obviously not unbiased, being the author of one of the programs, but
the table was not compiled by me, but rather Franz Swoboda in Austria.

He does not list all anti-virus programs known today - only those on
the market in Austria.

Also, he is testing the programs against his personal collection,
which may not represent accurately the world's virus scene.

The table lists the programs, the "hit rate" and the time required for
scanning.

Findviru 2.0 (S&S) 97% 75 sec
F-FCHK 1.14A 93% 259 sec
Virusdet 3.00 (Puls) 85% 223 sec
Watchdog 4.16 (KDT) 82% 512 sec
Scanv75 (McAfee) 80% 260 sec
Unvirus 3.08 (Elia Shim) 73% 65 sec
Stopvir 2.31 73% 96 sec
Virutest 1.0 (JP Landen) 66% 518 sec
Pro-scan 2.1 65% 184 sec
Norton 1.00 62% 130 sec
VU-Advanced 1.03 61% 479 sec
Viru-Spy 4.0 58% 178 sec
AVsearch 2.23 57% 750 sec
TBscan 1.7 46% 105 sec
TNTvirus 7.00A (Carmel) 45% 190 sec
Virscan 1.45 38% 200 sec

Note that in many cases the products compared are not the latest
versions, but according to Swoboda, they were the latest available in
Austria.

- -frisk

Fridrik Skulason Technical Editor of the Virus Bulletin (UK)
(author of F-PROT) E-Mail: [email protected] Fax: 354-1-28801

------------------------------

Date: Mon, 13 May 91 14:50:16 -0700
>From: Aryeh Goretsky <aryehg%[email protected]>
Subject: Trojan version of VIRUSCAN version 78 (PC)

TROJAN VERSION OF VIRUSCAN VERSION 78

We have received a trojan horse version of VIRUSCAN. The hacked SCAN
has apparently been uploaded to BBSes in Michigan, USA under the
filename SCANV78.ZIP. Running PKZIP -V on the file reveals:

.PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
.
. Length Method Size Ratio Date Time CRC-32 Attr Name
. ------ ------ ----- ----- ---- ---- ------ ---- ----
. 12816 Implode 5255 59% 04-08-91 14:28 08a87ed8 --w AGENTS.TXT
. 9406 Stored 9406 0% 02-03-91 17:04 42cf9931 --w REGISTER.DOC
. 23008 Implode 12550 46% 05-06-91 18:15 f9735dd5 --w SCAN.EXE
. 6495 Implode 1895 71% 10-31-89 16:16 0449b09d --w VALIDATE.COM
. 3626 Implode 1802 51% 11-29-90 01:59 ab76470f --w README.1ST
. 21257 Implode 5767 73% 05-06-91 19:35 a0728a17 --w VIRLIST.TXT
. 2844 Implode 1406 51% 02-14-91 14:25 aa330b57 --w VALIDATE.DOC
. 24515 Implode 9188 63% 05-06-91 19:34 172a967f --w SCAN78.DOC
. ------ ------ --- -------
. 103967 47269 55% 8

The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse. I have called the phone number and
asked the party at the other end to contact me.

Running PKUNZIP on the file reveals the following:

.PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
. Exploding: AGENTS.TXT -AV
. Extracting: REGISTER.DOC -AV
. Exploding: SCAN.EXE -AV
. Exploding: VALIDATE.COM -AV
. Exploding: README.1ST -AV
. Exploding: VIRLIST.TXT -AV
. Exploding: VALIDATE.DOC -AV
. Exploding: SCAN78.DOC -AV
.
. Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES

While the Authentic Files Verified Message appears, the Serial Number is
NOT correct. McAfee Associate's Serial Number is NWM405.

Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
files revealed that these are straight from VIRUSCAN Version 77--the
version number in the VIRLIST.TXT file was still V77.

The SCAN78.DOC file had been modified so that all occurrences of V77
were switched to V78. Additionally, the following text was added for
the validation data:

. The validation results for Version 77 should be:
.
. FILE NAME: SCAN.EXE
. SIZE: 23,008
. DATE: 05-06-1991
. FILE AUTHENTICATION
. Check Method 1: 2C21
. Check Method 2: 022E
.

For the What's New section, the following text was added:

. WHAT'S NEW
. Version 78 of SCAN removes a few small bugs and continues
. to optimize the procedures SCAN uses to find viruses, as in Version 77,
. as well as adding a few more to the list of known viruses. SCAN is now much
. more compressed than was previously thought possible, so please enjoy the
. shortened file size, it should still work just fine.
. Refer to the enclosed VIRLIST.TXT file for a schematic
. description of the new viruses. For a complete description, please
. refer to Patricia Hoffman's VSUM document.
.

Examination of the SCAN.EXE file has show that it contains the help
message that VIRUSCAN displays as well as the program information
message. However, the program does not contain any of the other
messages that VIRUSCAN has in it.

The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is
not a text file, but rather another .ZIP file containing a file named
TB1.COM:

. PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
. Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
. PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
. Searching ZIP: REGISTER.DOC
. Extracting: TB1.COM -AV
.
. Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES
.

When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified Message as the SCANV78.ZIP file did. Examination of the of the
TB1.COM file revealed that it contains the Whale virus.

This is all I currently know about the SCANV78.ZIP trojan. If you see
any copies of this file, please ask the system administrator or sysop to
remove it and ask them to contact the uploader to warn them that it
contains a virus.

Aryeh Goretsky
McAfee Associates Technical Support
- - - -
[email protected]

------------------------------

Date: 14 May 91 11:31:24 +0000
>From: [email protected] (Werner Icking)
Subject: Re: SCAN hangs while checking Window's SOL.EXE file (PC)

[email protected] (Sant.) writes:

>Has anyone had problems with SCANV77? When I scan my hard drive, the
>program hangs on one particular file, SOL.EXE, Window's solitaire
>program. I don't have problems with running the game and SCAN doesn't
>have problems with any other file. In order to continue, I have to
>press 'F' to accept the failure. Does anyone know why this is
>happening?

As far as I have seen, the problem does not depend on the version of SCAN.
It depends on running SCAN under Windows in conjunction with SHARE.
It seems to me that Windows opens a lot of files and the error occurs if
SCAN attempts to open one of these files, too.

The problem disappeared on my PC since I replaced loading SHARE by using
NOSHARE (Simtel or mirror-sites: <MSDOS.SYSUTL>NOSHARE.ZIP)
- --
Werner Icking [email protected] (+49 2241) 14-2443
Gesellschaft fuer Mathematik und Datenverarbeitung mbH (GMD)
Schloss Birlinghoven, P.O.Box 1240, D-5205 Sankt Augustin 1, FRGermany
"Der Dativ ist dem Genitiv sein Tod."

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 81]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253