VIRUS-L Digest Tuesday, 14 May 1991 Volume 4 : Issue 82
Today's Topics:
Bloody! (PC)
Information on Joshi Virus (PC)
Address; Eddie; "Virii;" 12 Tricks (PC)
Re: Odd 77-byte files (PC)
Re: TSR Virus Detector (PC)
Re: What's so bad about self-extracting archives?
re: Comparing virus scanners (PC)
re: Into the 1990's
re: Stealth viruses (PC)
Re: F-PROT & FluShot+ (1.81) problems 3 . . . (PC)
Re: Fw: Trojan version of VIRUSCAN version 78 (PC)
Revised Product Test - - VIREX-PC, version 1.20 (PC)
Revision to Product Test, F-PROT Version 1.15A (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 14 May 91 09:22:05 -0230
From: Patrick Ryan <[email protected]>
Subject: Bloody! (PC)
I recently found one of my floppy disks to be corrupted. When I
scanned the diskette with Scan v. 77, I was told it was infected with
the Bloody! virus. I ran Clean-Up v. 77, and it was successfully
removed. However, I have since scanned *all* the software I used in
the previous week or two, and found no trace of it. Does anybody have
an explanation for this? Is it possible that a corrupt file header
could be misconstrued as a virus? Or is the "gestation" period of the
Bloody! virus longer than a week or two? Help!
--
+----------------------+-------------------------------+----------------------+
|D. Patrick Ryan |"As the people here grow colder| Support freedom of |
|Faculty of Engineering| I turn to my computer | expression! Protest |
|Memorial University | And spend my evenings with it | the censorship of |
------------------------------
Date: 14 May 91 17:41:28 +0000
From: [email protected] (Apurva Shah)
Subject: Information on Joshi Virus (PC)
This is in relation to the couple of questions that were raised about
the Joshi virus. I am a student from India and while there I had done
some work on virus detection and cure.
Coming to the point. Joshi is a partition table virus (much like
Stoned). According to popular belief it originated in Pune (a city very
close to Bombay). The reason why the virus got its name is that on the
5th of Jan, if one is to boot the machine with the virus active, a
message appears wishing Mr. Joshi a very happy birthday. In fact one
is asked to type this very message out in order to proceed further.
This is a general description of the virus behaviour.
Now, for the more interesting part on how the virus works. When the
user boots with an infected disk, the virus copies itself to the
partition table (first physical sector on disk). The original
partition table is moved to sector 7 (or is it 11? Can't remember
exactly.) This is necessary because once the machine is normally booted
and the virus is activated, control needs to be passed to the original
partition table.
Here we have a catch. If the machine is once again booted with the
virused disk, Joshi has a hard time figuring out if it is already on
the first sector. So what it does in such a situation is to paste a
copy of itself on the 7th sector and once again copy itself onto the
1st sector. The result of course is disastrous, since no signs of the
original partition table remain and the machine will refuse to boot.
This explains the apparent time delay in the virus being activated.
About the real time clock error, I have never faced such a problem.
Finally, at least to my knowledge, the Joshi virus does not deal with
files. One has to keep in mind that it is a partition table virus and
enters the picture before DOS loads, namely when there is no concept
of files. However, if the version of the virus running around in the
U.S. is a modification of the original virus that might explain it.
What is the solution to this problem? I have a program with me which
recreates the partition table. In fact, I have an interesting little
set of programs which do some simple yet effective things. That apart,
they are all written in C including the TSRs. Actually that is not
completely correct, there is a bit of assembly embedded in there. I
would like to post these programs including the source at some ftp site
after having them verified by some virus 'guru'. Any volunteers?
Regards
Apurva Shah
([email protected])
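The recovery problem Apurva describes (the original partition table moved to another sector on track 0, then possibly overwritten by a second infection) can be checked for without any knowledge of the particular virus. The following is an added example, not code from the digest or from Apurva's own tools: it validates the partition entries in sector 0, compares them with a candidate backup sector, and reports whether the original table can still be copied back. The backup sector number (7, as recalled in the post), the stand-in boot code and the disk layout are constructed for illustration, and the validity test is a heuristic on the partition entries only.

```python
"""Track-0 partition-table sanity check for a raw disk image.

Added example, not from the digest.  Models a boot-sector virus that has
moved the original master boot record (MBR) to another sector on track 0
and may have overwritten that copy on a second infection.  The checks are
generic and heuristic: validate the 16-byte partition entries, compare
sector 0 with a candidate backup sector, and say whether the original
table can still be restored.  Backup sector number, stand-in boot code
and disk layout below are constructed.
"""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"          # boot signature at offset 510
BOOT_FLAGS = {0x00, 0x80}      # inactive / active partition flag


def partition_entries(sector: bytes):
    """Return the four 16-byte partition entries (offsets 446..509)."""
    return [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]


def looks_like_partition_table(sector: bytes) -> bool:
    """Heuristic MBR test: signature present, every non-empty entry has a
    legal boot flag and a non-zero type, at least one entry in use and at
    most one marked active.  Boot code itself is not examined."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIG:
        return False
    used = active = 0
    for entry in partition_entries(sector):
        if entry == bytes(16):
            continue
        flag, ptype = entry[0], entry[4]
        if flag not in BOOT_FLAGS or ptype == 0:
            return False
        used += 1
        active += flag == 0x80
    return used >= 1 and active <= 1


def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def assess_track0(image: bytes, backup_lba: int = 7) -> dict:
    """Classify the disk from sector 0 and the suspected relocated copy:
    clean         - sector 0 holds a table, backup sector does not look like one
    relocated     - backup sector holds a table that differs from sector 0
    duplicate     - both sectors hold the same valid table
    unrecoverable - neither sector holds a usable table (the double
                    infection described in the post)"""
    mbr, backup = read_sector(image, 0), read_sector(image, backup_lba)
    mbr_ok = looks_like_partition_table(mbr)
    backup_ok = looks_like_partition_table(backup)
    if backup_ok and backup == mbr:
        state = "duplicate"
    elif backup_ok:
        state = "relocated"
    elif mbr_ok:
        state = "clean"
    else:
        state = "unrecoverable"
    return {"mbr_valid": mbr_ok, "backup_valid": backup_ok, "state": state}


def restore_from_backup(image: bytes, backup_lba: int = 7) -> bytes:
    """Copy the relocated table back over sector 0 (only meaningful when
    assess_track0 reports 'relocated')."""
    backup = read_sector(image, backup_lba)
    if not looks_like_partition_table(backup):
        raise ValueError("backup sector does not hold a partition table")
    return backup + image[SECTOR:]


# --- constructed sample data -------------------------------------------
def make_entry(active: bool, ptype: int, start_lba: int, sectors: int) -> bytes:
    """Pack one 16-byte entry; the CHS fields are filler values."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x01\x01\x00",
                       ptype, b"\xfe\xff\xff", start_lba, sectors)


def build_mbr(code: bytes, entries) -> bytes:
    table = b"".join(entries) + bytes(16 * (4 - len(entries)))
    return code.ljust(446, b"\x00")[:446] + table + MBR_SIG


def make_image(sectors: dict, count: int = 16) -> bytes:
    out = bytearray(count * SECTOR)
    for lba, data in sectors.items():
        out[lba * SECTOR:(lba + 1) * SECTOR] = data
    return bytes(out)


CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20,
                      [make_entry(True, 0x06, 63, 20000)])
FOREIGN_BOOT = b"\xeb\x1c" + b"\xcc" * 510   # stand-in for foreign boot code, no 55AA

CLEAN_DISK = make_image({0: CLEAN_MBR})
RELOCATED_DISK = make_image({0: FOREIGN_BOOT, 7: CLEAN_MBR})
DOUBLE_HIT_DISK = make_image({0: FOREIGN_BOOT, 7: FOREIGN_BOOT})

if __name__ == "__main__":
    for name, disk in [("clean", CLEAN_DISK), ("relocated", RELOCATED_DISK),
                       ("double", DOUBLE_HIT_DISK)]:
        print(name, assess_track0(disk))
```

On a real disk the check would be run against the first few sectors read with a raw-sector tool; the "unrecoverable" verdict is exactly the case where a program that rebuilds the partition table from the file-system layout, as Apurva mentions having, is the remaining option.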
------------------------------
Date: 14 May 91 12:14:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Address; Eddie; "Virii;" 12 Tricks (PC)
Four things:
First, Greg Broiles ([email protected]) writes:
> > Bill Walker ([email protected])
> old signature - address bad!
That is my current address -- the VIRUS-L server sends the VIRUS-L
issues to it successfully. Perhaps your name server didn't recognize
it -- try using 26.14.0.41 instead of AEDC-VAX.AF.MIL.
Second, Rob Slade ([email protected]) writes:
> Question 5: Who is "Eddie"? (10 points)
> You would have a great time going through the old issues researching
> this one. I think the Heavy Metal crew have won the day on this one.
I have read back. My comment about "Eddie and the Cruisers" was just
my two cents worth, and an alternative to the "Iron Maiden" idea.
Third, A. Padgett Peterson (padgett%[email protected]) writes:
> Subject: re: Virii (sic) in Factory Software
You're right, I'm wrong. I looked it up. The correct plural of
"virus" is "viri," with one "i," not "virii" like I've been spelling
it. That's what I get for believing what people tell me. :-)
Fourth, I have uploaded a file, 12TRICKS.TXT, to CERT.SEI.CMU.EDU
(128.237.253.5). Ken has made it available in /pub/virus-l/docs. It
contains an in-depth analysis of the Twelve Tricks Trojan Horse by Dr.
Alan Solomon of S&S Anti Virus Group and Christoph Fischer of
Micro-BIT Virus Centre, University of Karlsruhe.
Bill Walker ([email protected]) |
OAO Corporation | "I think, therefore I am.
Arnold Engineering Development Center | Nah, I think not."
M.S. 120 | *POOF*
Arnold Air Force Base, TN 37389-9998 |
------------------------------
Date: 12 May 91 23:13:35 +0000
From: [email protected] (Apurva Shah)
Subject: Re: Odd 77-byte files (PC)
It is very likely that the files that were created having the _xe and
_om extensions contained the headers of the respective EXE and COM
files.
These files are then used by some virus detection program to look for
changes in the header of the original files. The assumption of course
being that the infecting virus would have to change the header of the
original file.
To sum up, these files are absolutely harmless, and erasing them is also
no cause for concern.
Since this is the first time I am posting in this news group, let me
introduce myself. My name is Apurva Shah and I am a student from
India. At present I am doing my Masters in Computer Science at the
Texas A&M University. I have been working with PC based viruses for
about two years. I was heading the anti-virus cell for V.M.C.I., which
is a computer class in Bombay and have also authored the first public
domain Indian anti-virus software called the NASSCOM Vaccine set.
The NASSCOM vaccine set is a bunch of generic vaccines and anti-virus
programs. I have a copy of the set with me, but would like to know how
I may put it up on some interested bulletin board so that others may
use this software. Any help in this direction would be appreciated.
Regards
Apurva Shah
------------------------------
Date: Mon, 13 May 91 13:15:00 +0300
From: Y. Radai <[email protected]>
Subject: Re: TSR Virus Detector (PC)
In connection with my comparison of F-LOCK, FSP, SECURE, TSAFE, and
VTAC, Esa Holmberg writes:
> I'm afraid you have tested a wrong program; F-DRIVER
> would be the actual resident virus tester of the F-PROT
> package, and not F-LOCK.
No, that's incorrect. I don't know if your mistake is in not
knowing how F-DRIVER works or in confusing two different types of
resident anti-viral programs:
(I) Those which search for *specific strings* (or patterns), each
characteristic of a particular *known* virus, within program
files which are about to be executed, and (usually) also in boot
records when the anti-viral program is loaded. Such programs
must be updated continually to catch new viruses.
(II) Those which warn of suspicious activity by intercepting attempts
to modify executable files, to stay resident, to format disks,
etc., regardless of the source of this activity. (It might be a
virus, a Trojan, or some perfectly innocuous program; and if a
virus, it may be a known one or an unknown one.) Such programs
do not ordinarily require updating.
Now John Councill's question certainly resembled Type II more than
Type I, so I referred to the five programs of this type which I had
compared, and that includes F-LOCK. F-DRIVER, on the other hand, is
of Type I, and therefore was not an appropriate program for my comparison.
(When I say that a program is of Type I, it may include a few
Type-II features as well, but certainly F-DRIVER and V-Shield are
basically of Type I.)
Perhaps my posting would have been clearer if, instead of calling
Type-II programs simply "monitoring" programs, I had called them
*generic* monitoring programs. F-LOCK is generic; F-DRIVER is not.
(Btw, there are also generic *disinfection* programs, i.e. programs
which in the great majority of cases can restore a file to its original
state regardless of the virus which infected it.)
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: Tue, 14 May 91 08:51:00
From: [email protected]
Subject: Re: What's so bad about self-extracting archives?
[email protected] (Henk de Groot) writes:
>[email protected] writes:
>>magnus%[email protected] (Magnus Olsson) writes:
>>> Can't you just first run the archive file through your favourite virus
>>> checker, and if it passes the test extract it, and then test the
>>> individual files that were inside it? Or have I missed something?
>
>> Well, yes, I suppose you could, but it involves an extra step which
>>is unnecessary. The other objection I have with self-extracting
>>archives is that you're stuck with extracting the whole lot, even if
>>you only want to find out what the !@#$%^&*() thing does.
>
> Most of the popular archiving programs (ZIP, LHA, ARJ) are able to
> extract files from their SFX files. If you insist on using a shell on
> it just rename the .EXE file to a file with the proper extension. You
> can avoid virus problems this way.
Very, very good. Ten points out of ten. See me after class.
Only one problem: How do I find out what format the thing was
archived in in the first place, when all I'm confronted with is a .EXE
file? If there was only one standardised archive format then there
wouldn't be any problem, but that was apparently too simple.
My contention is that self-extracting archives are one of those
things that became technically possible, and were implemented before
it was found that they were a complete waste of time.
Perhaps we should move this discussion elsewhere: it's getting less
and less to do with viruses (virii?)
....Ron
===============================================================================
Internet: [email protected] | "A pipe gives a wise man
Bitnet: Murray_RJ%[email protected] | time to think, and a
UUCP : uunet!munnari.oz!cc.curtin.edu.au!Murray_RJ | fool something to stick
Amateur Packet Radio: VK6ZJM@VK6BBS.#WA.AUS.OC | in his mouth"
TCP/IP: 44.136.204.14, 44.136.204.19 | -- Murphy's Law I
===============================================================================
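Ron's question (how to tell what an SFX was archived with when all you have is a .EXE) has a mechanical answer: the archive's own headers are still present after the DOS stub, so the format can be identified and the payload carved out for a normal extractor without ever running the executable. The following is an added example, not code from the digest: it looks for the ZIP local-file header together with the end-of-central-directory record, the ARJ header marker, and the LHA method string that sits two bytes into an LHA header. The stubs and payloads used as input are constructed.

```python
"""Identify the archive format wrapped inside a self-extracting .EXE
without running it.

Added example, not from the digest.  Looks for archive header signatures
after the DOS stub: the ZIP local-file header (PK 03 04) corroborated by
an end-of-central-directory record (PK 05 06), the ARJ header marker
(60 EA) followed by a plausible header size, and the LHA method id
(-lh5- and friends) that sits at offset 2 of an LHA header.  Sample
stubs and payloads are constructed.
"""
import re
from typing import List, Tuple

ZIP_LOCAL = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
ARJ_MAGIC = b"\x60\xea"
ARJ_MAX_HEADER = 2600                          # basic header size limit in the ARJ format
LHA_METHOD = re.compile(rb"-l[hz][0-7sd]-")   # -lh0- .. -lh7-, -lhd-, -lzs-, -lz4-, -lz5-


def find_archive_payloads(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, format) for each embedded archive found, sorted by
    offset.  Each format needs some corroborating structure, not just a
    2-4 byte magic, to cut down false positives inside the stub."""
    hits = []
    zip_off = data.find(ZIP_LOCAL)
    if zip_off != -1 and data.rfind(ZIP_EOCD) > zip_off:
        hits.append((zip_off, "zip"))
    pos = data.find(ARJ_MAGIC)
    while pos != -1:
        size = int.from_bytes(data[pos + 2:pos + 4], "little")
        if 0 < size <= ARJ_MAX_HEADER and pos + 4 + size <= len(data):
            hits.append((pos, "arj"))
            break
        pos = data.find(ARJ_MAGIC, pos + 1)
    m = LHA_METHOD.search(data)
    if m and m.start() >= 2:
        hits.append((m.start() - 2, "lha"))   # header = size byte, checksum, method id ...
    return sorted(hits)


def identify_sfx(data: bytes) -> str:
    """Name the archive format of an SFX executable, or say why not."""
    if data[:2] != b"MZ":
        return "not-an-exe"
    hits = find_archive_payloads(data)
    return hits[0][1] if hits else "unknown"


def carve_payload(data: bytes) -> Tuple[str, bytes]:
    """Return (format, bytes from the first archive header onward) so the
    payload can be saved with the right extension and opened with a normal
    extractor instead of executing the stub."""
    hits = find_archive_payloads(data)
    if not hits:
        raise ValueError("no recognised archive payload")
    offset, fmt = hits[0]
    return fmt, data[offset:]


# --- constructed samples ------------------------------------------------
STUB = b"MZ" + b"\x90" * 200                              # stand-in DOS stub
SAMPLE_ZIP_SFX = STUB + ZIP_LOCAL + b"\x14\x00" + bytes(40) + ZIP_EOCD + bytes(18)
SAMPLE_ARJ_SFX = STUB + ARJ_MAGIC + (30).to_bytes(2, "little") + bytes(60)
SAMPLE_LHA_SFX = STUB + b"\x21\x0f-lh5-" + bytes(60)
PLAIN_EXE = STUB + bytes(64)

if __name__ == "__main__":
    for label, blob in [("zip", SAMPLE_ZIP_SFX), ("arj", SAMPLE_ARJ_SFX),
                        ("lha", SAMPLE_LHA_SFX), ("plain", PLAIN_EXE)]:
        print(label, identify_sfx(blob), find_archive_payloads(blob))
```

Once the format is known, the payload from `carve_payload` can be written to a .ZIP, .ARJ or .LZH file and listed or extracted with the ordinary archiver, which is the rename-and-use-your-normal-tool approach Henk suggests, minus the guesswork about which tool.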
------------------------------
Date: 14 May 91 11:00:54 -0400
From: "David.M.Chess" <[email protected]>
Subject: re: Comparing virus scanners (PC)
> From: [email protected] (Fridrik Skulason)
>
> ...
> Virscan 1.45 [very bad numbers]
> ...
I hope that's not IBM's VIRSCAN? If it is, it's a version from *last
June* (and an internal, not a product, version at that). If that's
"available" in Austria, it shouldn't be. On the other hand, there are
a few different products in the world called "Virscan", so perhaps
this line is about something else. It might be helpful if the
manufacturer were listed for all the programs named in lists like
this. (It's also in general not a good idea to do timing-tests on
infected files; IBM's scanner, for instance, stops for a good
half-second to "beep" when it finds an infected file, which will add
greatly to the timings if infected files are used for tests! Real
users, of course, probably don't care how long it takes to scan
infected files, just clean (normal) ones.)
DC
------------------------------
Date: Tue, 14 May 91 14:15:53
From: [email protected]
Subject: re: Into the 1990's
>From: Padgett Peterson <[email protected]>
>
>First I would like to offer an apology to Ross Greenberg (Flu-Shot)
>and Fridrik Skulasson (F-Prot).
Most happily accepted, Padgett. Sometimes we sorta forget there are
real people on either end of these silly tubes before us. Sorry I was
a bit hasty in my response to you originally.
>communications capability. These people [end users] are not interested in which
>strain of the 4096 they have been infected with, their concern is that
>the machine is operating properly and without any hidden "extras".
Stop for a moment and consider what we're dealing with here: a
modified 4096 that was not released into the wild. It was a "lab"
virus and scanners and monitors that are tuned to Version A might not
find/detect/stop some Version B until they, themselves, have been
modified. One of the big problems we, as anti-virus vendors and
researchers, have is in getting these "lab" viruses to add to our
product/knowledge-base. (See below in my response to Dave Chess why
this is still important).
This does not mean, however, that you're wrong.
>What the user needs to know is that SOMETHING has happened and that a
>technician is needed to interpret WHAT - whether it be a problem caused
>by power supply (I see a lot of these), drive, ICs, or malicious
>software.
Yes, just as most people do not work on their own cars when the
problem is serious enough, but you're not really expected to call in
AAA when you have a flat tire -- you should fix it yourself.
I think the virus problem is growing. I think the anti-virus
solutions are still in their infancy. Code such as my FLU_SHOT+ was
initially designed to help out the more techie among us: the interface
is, certainly, not user friendly. Newer code, such as my Virex-PC
(and, giving credit where credit is due, my worthy competitors from
Symantec and Central Point) is being constantly tweaked to make it not
only better anti-virus software, but easier to use anti-virus
software: the simple "Abort, Retry, Ignore" message is no longer
acceptable in a product. Instead lots of time is spent in making the
product user friendly enough that the number of tech support calls
goes down to virtually zero. There is considerable incentive in
making the product easy for *everyone* to use: the techie and
non-techie alike.
I don't see that a technician is going to be required for the more
"popular" problems: they must be dealt with eventually if for no other
reason than that tech support calls are very expensive.
A new and hidden strain of a virus hasn't reached that category yet,
obviously.
>Today, viruses seem to account for on the order of 10-20% of the
>trouble calls I get. They are significant enough to warrant avoidance
>measures, but not anything to panic about.
*This* is what the news media should be reporting. It's not something
to panic over, true, but that's an *amazing* percentage of trouble
calls due to viruses. Think of the cost to business today when their
copy of a program doesn't work and they call up tech support because
of the problem!
>The real point I have been trying to make for some time is that such
>[integrity]checking IS NOT DIFFICULT, orders of magnitude less
> than what it takes to write a good word processor, it just has not
> been done yet.
You mentioned a few products and their methods, so it's obvious that
this integrity checking *IS* being done (FLU_SHOT+ has had integrity
checking on program run for about three years, I guess). Now, is this
integrity checking being done *properly*? Interesting question and
one that only the marketplace can answer by what they select for their
purchase (or freeware usage). Something like the example you gave of
Norton's potential 9Mb overhead is ridiculous (not the example, but
the instance!). That shows a considerable lack of understanding
about the market. Wanna bet that the next release of the code does
things differently? If not, it'll probably be a dead product.
Your subsequent points (not quoted herein) are good ones. Resident
integrity checking, and access control, is a worthy goal of any of the
anti-virus products. However, remember that it can and *will* be
circumvented the first time somebody boots off a floppy. Signature
checking, integrity checking, whatever: none of them can slap the
wrist of somebody who boots off an infected disk with stealthing
viruses on it, combined with people who really think that extra five
seconds (or whatever) on a memory scan is too much "wasted" time.
That's why the anti-virus code out there has to do more than simple
integrity checking.
> Comments welcome,
> Padgett
Okey doke: who do I send them to? :-)
Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+
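Two posts in this issue touch the same mechanism: Apurva's note that the odd 77-byte _xe/_om files were saved copies of EXE/COM headers kept to spot header changes, and Ross's point that integrity checking on program run is being done but that the open question is whether it is done properly. The following is an added example, not code from the digest or from FLU_SHOT+, Virex-PC or any other product named here. It keeps both a header snapshot and a whole-file digest per program and classifies what changed, which makes visible the case a header-only scheme misses. The file contents and names are constructed; the 77-byte header length comes from the earlier post, and SHA-256 is a modern stand-in for whatever the 1991 tools stored.

```python
"""File integrity baseline: header snapshot versus whole-file digest.

Added example, not from the digest.  Records a header snapshot and a
SHA-256 digest for each program, then classifies changes found when the
program is about to run.  HEADER_LEN is the size of the snapshot files
discussed in the digest; file contents and names are constructed.
"""
import hashlib
from typing import Dict

HEADER_LEN = 77   # size of the header snapshot files mentioned in the digest


def header_snapshot(data: bytes) -> bytes:
    return data[:HEADER_LEN]


def full_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record size, header bytes and whole-file digest for every program."""
    return {name: {"size": len(data),
                   "header": header_snapshot(data),
                   "sha256": full_digest(data)}
            for name, data in files.items()}


def classify(data: bytes, record: dict) -> str:
    """Compare one file against its baseline record.
    header-changed : first HEADER_LEN bytes differ (a header-only check catches this)
    body-changed   : header intact but contents differ (a header-only check misses this)
    ok             : identical"""
    if header_snapshot(data) != record["header"]:
        return "header-changed"
    if len(data) != record["size"] or full_digest(data) != record["sha256"]:
        return "body-changed"
    return "ok"


def check_before_run(files: Dict[str, bytes], baseline: Dict[str, dict]) -> Dict[str, str]:
    """Verdict per program, including files that appeared or vanished since
    the baseline was taken."""
    verdicts = {name: "missing" for name in baseline if name not in files}
    for name, data in files.items():
        verdicts[name] = classify(data, baseline[name]) if name in baseline else "new"
    return verdicts


# --- constructed sample programs ----------------------------------------
ORIGINAL_COM = b"\xe9\x10\x00" + b"\x90" * 200        # jmp + filler, stands in for a COM file
# 1) ten bytes patched in the body, header and length untouched
BODY_PATCHED_COM = ORIGINAL_COM[:100] + b"\xcc" * 10 + ORIGINAL_COM[110:]
# 2) entry jump redirected and code appended (the usual COM-infection shape)
ENTRY_PATCHED_COM = b"\xe9\xd0\x00" + ORIGINAL_COM[3:] + b"\xcc" * 50

BASELINE = build_baseline({"EDIT.COM": ORIGINAL_COM, "TOOL.COM": ORIGINAL_COM})
LATER = {"EDIT.COM": BODY_PATCHED_COM, "TOOL.COM": ENTRY_PATCHED_COM,
         "NEW.COM": ORIGINAL_COM}

if __name__ == "__main__":
    print(check_before_run(LATER, BASELINE))
```

The header snapshot alone reports EDIT.COM as unchanged; only the whole-file digest flags it. That gap is the sense in which "properly" matters, and, as Ross notes, none of it helps once the machine has been booted from an infected floppy with the checker not yet loaded.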
------------------------------
Date: Tue, 14 May 91 14:18:19
From: [email protected]
Subject: re: Stealth viruses (PC)
>From: [email protected] (Fridrik Skulason)
>
>I am working on an article on "stealth" viruses, and was wondering if I had
>missed any of them - here is my list:
>Did I overlook something ?
Perhaps the Tequila virus? Seems to be gaining in "popularity".
Ross
------------------------------
Date: 14 May 91 19:09:55 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: F-PROT & FluShot+ (1.81) problems 3 . . . (PC)
I wrote:
>*So - with the current generation of scanners, this problem cannot be
>*avoided.
[email protected] (cs106132) replied:
> Not at all. I have seen at least one beta-test version of a
>new product that does not suffer from the mentioned problems.
Please read what I wrote - "current generation of scanners". It is
possible to write anti-virus products which can handle some of the
"unsolved" problems of today, such as...
...stopping interrupt "stripping" viruses.
...stopping viruses which jump directly into ROM.
...detecting all "stealth" viruses, even if they are active
(the problem I referred to).
and so on. The point is that such software does not exist today, but
many anti-virus companies are working on this - and we can expect
those features soon.
However, those products are the "next generation" of anti-virus
software.
- -frisk
------------------------------
Date: Tue, 14 May 91 14:06:54 -0500
From: [email protected] (Michael Baker;LMSC/SXSC)
Subject: Re: Fw: Trojan version of VIRUSCAN version 78 (PC)
> TROJAN VERSION OF VIRUSCAN VERSION 78
Aryeh,
MSgt Michael Baker here from Wright-Patterson AFB, Oh. There is
also another version of McAfee's virus scan program called vscan82.
This version surfaced in the Dayton Oh area a few months back and
McAfee was notified. He seemed really upset, which I can understand,
because someone who is doing this is out to ruin McAfee. One of the
local BBS sysops here is on a first name basis with McAfee. I think
his bbs alone has had about 10 virus infected programs uploaded to
him.
In our organization here we had 8 cpu's infected with the 4096
virus. We think that it came from a game, but with it infecting just
about all files, it is hard to narrow it down.
Now there is a scare out on the "STONED" virus. Have not seen it
as yet, but the way things go, I am sure it won't be long.
If you find any other info on the virus scare, let me know if you
would, please. I operate a bbs for the HQ AFLC called the Info Center
BBS, (513)257-7416, and pass along information like this out to the
gov't users.
Later
Michael Baker
------------------------------
Date: Mon, 13 May 91 12:03:44 -0600
From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revised Product Test - - VIREX-PC, version 1.20 (PC)
*******************************************************************************
PT-23
March 1991
Revised May 1991
*******************************************************************************
1. Product Description: Virex-PC is a software package to detect, disinfect
and prevent computer viruses and malicious programs for the MS-DOS environment.
2. Product Acquisition: Virex-PC is available from Microcom Software
Division, P.O. Box 51816, Durham, NC 27717. The telephone number is 919-490-
1277. The price is $99.00. There are several third party vendors who sell
single copies at a significantly reduced cost.
3. Product Testers: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or
[email protected].
4. Product Test:
a. I acquired Version 1.0 in December 1990 for $70.00 from Telemart in
Phoenix, Arizona. After I completed and mailed the registration card, Microcom
shipped me Version 1.1a. I thought this was a good marketing strategy on their
part, even though they were under no obligation to do so. In May 1991 I
received Version 1.20 directly from Microcom. This was a surprise since I
expected to have to pay for any upgrade and because I had not subscribed to
their annual update service. A telephone conversation with a Microcom
representative confirmed that the vendor had chosen to send out the upgrade to all
registered users free of charge. I have no idea how long this will continue.
[Ed. The remainder of this revised product review is available for
anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews.]
------------------------------
Date: Tue, 14 May 91 08:38:28 -0600
From: Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to Product Test, F-PROT Version 1.15A (PC)
******************************************************************************
PT-17
August 1990
Revised May 1991
******************************************************************************
1. Product Description: F-PROT is a complete package of programs designed to
provide viral detection, disinfection, and protection. The individual user has
the discretion to activate specific programs in the package.
2. Product Acquisition: F-PROT is a shareware program distributed by
Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. His E-mail address, as
of April 1991, is [email protected]. Mr. Skulason has posted F-PROT on a number
of Internet sites. The program is on the USAISC-White Sands host simtel20.
With version 1.14 the program is free if a user utilizes it on his or her
personally-owned computer. There is a registration fee for commercial and
government users. Site licenses are available as well as discounts for
multiple copy registrations. This revision addresses version 1.15a, available
in the simtel20 path: pd1:<msdos.trojan-pro>fp-115a.zip.
3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or
[email protected].
[Ed. The remainder of this revised product review is available for
anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews.]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 82]
*****************************************