VIRUS-L Digest Wednesday, 22 May 1991 Volume 4 : Issue 87

VIRUS-L Digest Wednesday, 22 May 1991 Volume 4 : Issue 87

Today's Topics:

re: Tequila virus (PC)
Software Upgradable BIOS (PC)
Re: Q: Yankee Doodle ?? (PC)
re: Green Caterpillar question (PC)
Re: Bug in VirusScan (PC)
Anti-viral approaches (PC)
re: MS-DOS in ROM? (PC)
How to get papers ?
Stoned / Azusa (PC)
Virus statistics request
Which format for Partition Table Viruses (PC)
Core Wars (PC)
VSUMBROW - Virus Summary Browser (PC)
2ND CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: 20 May 91 14:39:33 -0400
From: "David.M.Chess" <[email protected]>
Subject: re: Tequila virus (PC)

>From: [email protected]
>
>Additionally, it looks a lot like a combo of 1260 and v101:
>it is impossible to get a scan string for it.

While I know what you mean, Ross, I'd like to clarify for our readers:
the Tequila doesn't actually seem to share any code with the 1260 or
Virus-101 (no evidence that the author of the Tequila had seen either
of those), and a scanner that can handle variable-length "don't care"
areas can detect it with no problems. DC

------------------------------

Date: 20 May 91 14:22:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Software Upgradable BIOS (PC)

Here's something that should make the anti-virus community cringe.
Intel has announced a chip which would allow users to upgrade their
BIOS using a floppy disk. The term I saw was "erasable programmable
read-only memory (EPROM)," but more likely the actual technology in
the chip is EEPROM (electrically erasable programmable ROM) or EAROM
(electrically alterable ROM). But the technology is beside the point.

Up until now, the only trusted portion of the computer has been the
ROM BIOS, while the partition table, boot sectors, DOS, and program
files have been prone to virus attack (or merely unintentional
changes). Software-upgradable BIOS would change that, making even the
most trusted part of the computer "subject to change without notice."

It does make sense to simplify the BIOS field upgrade, but to do it
using something as transient as software in this day and age probably
would not be wise. More logical would be a small cartridge, not
unlike an HP font cartridge, which can be changed without having to
open the case. Sure, it would be more expensive up front, but
compared to the possibility of a "BIOS resident" virus, it would be
much less expensive overall. The same type of thing could be used for
a ROM-based DOS cartridge, which could have a switch that selects
booting from cartridge or disk, much as Krishna E. Bera suggests.

I feel that the prominent anti-virus researchers (and some of us
others) ought to collectively rise up and protest the software-
upgradable BIOS before it gets any acceptance.

Bill Walker ( [email protected] ) |
OAO Corporation |
Arnold Engineering Development Center | "I'd like to solve the puzzle, Pat"
M.S. 120 |
Arnold Air Force Base, TN 37389-9998 |

------------------------------

Date: 20 May 91 14:23:00 -0600
From: "William Walker C60223 x4570" <[email protected]>
Subject: Re: Q: Yankee Doodle ?? (PC)

Michael Stribick ([email protected]) writes:
> What kind of virus is the YANKEE DOODLE ?? What happens to a (sic)
> infected PC ??

Yankee Doodle is a variant of a virus called Vacsina, both of which,
along with Yankee Doodle-B, belong to the "TP" family of about 48 viri
(last time I checked). The second to the last byte of an infected
file is believed to be the "version number" of the virus. In the most
common Yankee Doodle virus, this number is 2C hex, or 44 decimal,
therefore the name "TP-44" which many virus scanners give it. The
viri from about 25 (19 hex) earlier are called Vacsina, while the
later ones are called Yankee Doodle.

When a program infected with Yankee Doodle is run, the virus becomes
memory-resident. I'm not 100% sure when the infection takes place,
but I believe that it occurs when a .COM or .EXE file is run. At a
few seconds before 5:00 PM, most versions of the virus will play
"Yankee Doodle" on the speaker. Some variants do not play music. One
interesting characteristic: some versions of Yankee Doodle hunt down
some other viri, such as Ping and Cascade.

Hope this helps. For more info, see Patricia Hoffman's VIRUSSUM document.

Bill Walker ( [email protected] ) |
OAO Corporation | "I think, therefore I am.
Arnold Engineering Development Center | Nah, I think not."
M.S. 120 | *POOF*
Arnold Air Force Base, TN 37389-9998 |

------------------------------

Date: Tue, 21 May 91 11:41:53 +0100
From: T Dowling <[email protected]>
Subject: re: Green Caterpillar question (PC)

Thanks to all who replied to my query regarding the 'Green
Caterpillar' virus. I have tried the suggestions, and the situation is
under control !

I must apologise to several people (Frisk, Alan at MCC) for
not replying - I attempted to, but there must be something wrong with
the mailer here, as the daemon returned the letter each time, saying
'address unknown'.

Thanks again for your help,

Tim Dowling.
([email protected]).

------------------------------

Date: Tue, 21 May 91 10:19:00 -0700
From: [email protected] (Aryeh Goretsky)
Subject: Re: Bug in VirusScan (PC)

padgett%[email protected] (Padgett Peterson) writes:

>A JERUSALEM infection was encountered in which the .EXE was properly
>diagnosed but an infected .OVL was missed despite being checked as
>part of the default. Use of the /A swich resulted in the infected .OVL
>being detected. Since the .EXE will always be infected also, there is
>no real danger, however, if an infection occurs that may also infect
>.OVL files (see the VIRLIST.TXT file iside the SCANxx.ZIP file), a
>rescan using the /A switch following a CLEAN activity is recommended.

This has been verified and will be fixed in the next release of
VIRUSCAN. Since the Jerusalem (and sundry variants) infects overlays
in addition to .COM and .EXE files, it's always a good idea to run
SCAN (and CLEAN) with the /A option, or use the /E option and list the
extensions you would like to add.

> I do not know if this is particular to the Jerusalem-related
>viruses or if others are affected also.

It's particular to the Jerusalem-related virus string.

> We have reported this to McAfee associates and a fix or
>explination should be forthcoming. Incidently, the infection appears
>to be the original sUMsDos version.

The next release (incorporating the fix) is scheduled for mid-June but will
probably be released earlier because of this.

Aryeh Goretsky
McAfee Associates Technical Support
"Just 10 minutes from Great America"

- --
McAfee Associates | Voice (408) 988-3832 | [email protected]
4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | [email protected]
ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: Tue, 21 May 91 13:43:01 -0400
From: Padgett Peterson <padgett%[email protected]>
Subject: Anti-viral approaches (PC)

>From: [email protected]

>With all due respect, everybody has always been taught that if an
>ounce of prevention is worth a pound of cure, then two ounces of
>prevention must be even better.

(Philosophy)

The way I always heard it was "If enough is good, too much is better".
Unfortunately, today we have to live with finite resources - this
places increasing reliance on intelligent thought rather than blind
acceptance. Old standbys like "sound as the dollar" & "no one ever
got fired for buying IBM" just cannot be accepted anymore. The design
of a sound digital system requires careful planning and intelligent
trades between to provide confidentiality, availability, and
integrity.

Just to make matters worse, disciplines are becoming so specialized as
to be completely "magic" to an outsider, even one who must rely on
them. Consequently, today most computer security is based on trust:
trust in the machines, trust in the users, and trust in the
salesmen/vendors. It has to be since for the millions of personal
computers existant today, judging from the limited sampling I see, the
number of people actually capable of designing good protection is
probably on the order of a thousand. (and I may be high).

For basic protection, almost all of the anti-viral software on the
market is adequate, just like few people take more than basic
protection from being stung by a wasp. More is considered
contra-productive & is an accepted risk in working in a garden. When
it happens, it is annoying but remedies are at hand.

Others though have allergic reactions & a sting could be fatal & much
more stringent precautions are taken.

Computer viruses come under the same heading with one major
difference: we have not lived side by side with them for thousands of
years & most people have no idea what the risks are. Consequently,
they have no concept of what is "enough" & for the most part, we are
not doing a good job of educating them.

To me, seven people stand out in this area: Ross Greenberg, Fridrik
Skulasson, John McAfee, John Norstad, Andy Hopkins/Pam Kane, and Bob
Bosen not because they are necessarily wonderful people, meetings can
be explosive, but because they have made available to the public
information and programs specificaly designed to combat viruses as
shareware/freeware, not the best way to squeeze the last dollar out of
the public.

Back to Reality

Along these lines, DISKSECURE v.95 BIOS level protection is now out
that checks for disk controllers that write to the MBR (I haven't seen
one but have been told that they exist so in went some code - had to
simulate it with CODEVIEW though). (.94 was a special private
version) Unless something unusual pops up, this will probably be the
last "beta" version (besides am running out of numbers under the dread
1.00).

Meanwhile, Back at Ross...

>If my code merely did integrity checks, instead of doing integrity
>checks *and* known signature scanning, I'd lose out to somebody who
>offers both.

That is why I would suggest two packages: the integrity check routine
on the bulk of the machines (remember, I am talking the corporate/
government/educational environment), and the signature check (or
combo) for the technicians and machines used for scanning new
software. In large groups, this would be around 1 per 1000 PCs. This
is why many anti-viral programs are now offered on service licenses
(tied to physical copies, not #s of PCs).

The best word processors stopped being single programs some time ago
and installations typically ask just which features you wish to
install with descriptions of the assets/liabilities of each

>That honesty is costing marketshare, I bet.

Possibly temporarily but builds trust in the long run. In any complex
technology (e.g. magic) trust in the practitioner is the most
important element.

>I agree...to a point. I would think that updating 5000 PC's for a new
>scanner that differs from the previous one in a bunch of new viral
>strings for a bunch of "research only" viruses is a waste of time.

That is why we do not. However our "virus response team" and screening
labs get every update that comes out while the integrity management
programs we use have not needed any updates since the attack of the
Zenith Boot Records. These flag difficulties promptly and then we
bring out the big guns.

>I can't simply say "Yo! *NOBODY* gets the Whale Virus, so why do you care?"

I've seen two reports this month (may or may not be true) but the
WHALE is an excellent case of a virus that is trivial to detect on a
PC. It is the identification of what the infection is that can be
difficult, not the fact that a machine is infected. The problem with a
one part solution reminds me of the saying "Jack of all trades, master
of none" (of course "knowing more and more about less and less until
you know everything about nothing" comes to mind also). "Moderation in
everything" is my motto, this is why I favor a layered approach so
strongly. The most important first step is to determine that SOMETHING
has happened. WHAT & HOW TO RECOVER come later.

My body usually warns me when a cold is coming on. Zink and massive
vitamin C can work wonders so long as I pay attention & react
immediately.

------------------------------

Date: Tue, 21 May 91 13:43:01 -0400
From: Padgett Peterson <padgett%[email protected]>
Subject: re: MS-DOS in ROM? (PC)

>From: "Krishna E. Bera" <[email protected]>

>Is there any effort underway to produce a ROM version of MS-DOS or
>clone that is:
> 1. inexpensive
> 2. easy to upgrade (by changing a board, for example)
> 3. standardized in interface (i.e., DOS interrupt calls)
> 4. bootable (obviously), but DIP switch selectable from a disk
> 5. preferably not patented

Not that I am aware of though several laptops have attempted this.
The major problems would be:
1) Hardware is always more expensive than software to produce
2) Would make it difficult to upgrade
3) Would provide no protection from viruses - too many popular programs
and peripherals rely on tailoring the BIOS (e.g. hard disk controllers)
MBR (e.g. FDISK), and DOS (most TSRs) in approved methods. Unfortunately
many of these methods can also be used by malicious software.
4) Undocumented necessities (such as necessary to use a CD-ROM or NETWARE).
5) "Bug" fixed would be much more expensive.

Warmly,
Padgett

------------------------------

Date: Wed, 22 May 91 02:18:29 -0500
From: Mac Su-Cheong <[email protected]>
Subject: How to get papers ?

Dear netters :

I am looking for the following thesis :

F. Cohen, "Computer Viruses", Ph.D. Dissertation, University of Southern
California, 1986.

Can I get it from some anonymous ftp sites ? If no, how can I get
it. I am trying to gather papers about viruses. Any help is
appreciated.

MSC
- ---
Mac Su-Cheong
nckus089@twnmoe10
[email protected]

------------------------------

Date: Tue, 21 May 91 14:03:26 -0500
From: THE GAR <[email protected]>
Subject: Stoned / Azusa (PC)

I noticed something interesting using a McAfee Mix of V77. Vshield 77
reported that it had found STONED and AZUSA, but after I cleaned
STONED it no longer saw AZUSA. Turns out it is a double identifier.

McAfee says this will be corrected in 79 (recall that 78 is BOGUS and
there will NOT be a real version 78.) They also told me the test
would be if it had found AZUSA first, it probably would have only had
AZUSA, and if it found STONED first it would probably only have
STONED.

This does not apply to every virus, as we have seen many cases where
both STONED and PING PONG B have been on the same machine, and it took
two passes with CLEAN to get them both.

Samford just licensed VSHIELD and hopefully this will help us quickly
bring the STONED/PING PONG battle to an end. We have been engaged
since December in this battle, but without the funds to win. I'll
have a report later as to how effective VSHIELD is, but I am quite
optomistic.

(It might be September before I report, since we just lost 80% of our
student body to summer.)

/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
! Later + Systems Programmer !
! Gary Warner + Samford University Computer Services !
! + II TIMOTHY 2:15 !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date: 21 May 91 22:24:05 +0000
From: [email protected] (David F. Pfafman)
Subject: Virus statistics request

Does anybody out there have any general figures on virus infections in
the US? I know that the Jerusalem, Ping-pong and Stoned viruses make
up the majority of virus infection. What I would like is the a number
of total virus infections or total reported virus infections. A
breakdown of the total number or percentage of infections by
individual virus would also be nice.

Thanks in advance.

Dave Pfafman
Computer Resource Center
Naval Ocean Systems Center
Email = [email protected]
Phone = (619) 553-2309
Autovon = 553-2309

------------------------------

Date: Tue, 21 May 91 15:48:44 -0700
From: [email protected] (Rob Slade)
Subject: Which format for Partition Table Viruses (PC)

[email protected] (Anthony H. Galway) writes:

> Which way is correct? I know the LOW level format guarantee's
> results, but this method also destroys any additional partitions. We

Hold on a second here.

As Padgett (and others) keep trying to point out, formatting is not
necessary. There are plenty of tools to "disinfect" your system
without it.

Secondly, and more importantly, even a low level format does not
"garantee" any measure of safety. Most (all?) common viri are memory
resident, and they will happily reinfect your system once you have
reformatted.

=============
Vancouver [email protected] | "If you do buy a
Institute for [email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security

------------------------------

Date: Tue, 21 May 91 16:08:07 -0700
From: [email protected] (Rob Slade)
Subject: Core Wars (PC)

First let me thank Keith Petersen for the wonderful job he does in
maintaining the SIMTEL20 archives. There are a number of very helpful
programs there which are *not* listed in TROJAN-PRO.

I found one such in <MSDOS.EDUCATION>. CORWP20.ZIP is an
implementation of the Core Wars program, with Redstone code processor.
As venerable (old) researchers will know, Core Wars is a simulation of
computer memory that allows programs to "battle" each other. As such,
it allows an insight into factors that go into security and
penetration programs, with some fun attached to the process.

Background to the program can be found in a number of sources, the
most accessible of which would probably be A. K. Dewdney's columns in
the Scientific American over the past few years.

[Ed. There was also just a UNIX version (for X11R4 color workstations)
of a Core Wars program announced on alt.sources within the last day or
two. It is available for anonymous FTP from soda.berkeley.edu
(128.32.131.179)]

=============
Vancouver [email protected] | "If you do buy a
Institute for [email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security

------------------------------

Date: Tue, 21 May 91 22:48:56 +0200
From: Mikael Larsson <[email protected]>
Subject: VSUMBROW - Virus Summary Browser (PC)

Since there have been a lots of discussion about the VSUM format/size, I
asked my friend to write a explanation of VSUMBROW.

* * * * * * * * * *
I have followed the discussion about the increasing size of the VSUM document.
It is true that the size is becoming a problem, but I feel that there is no
better way to distribute this document than as a pure ASCII-file.

When it comes to accessing the information on the other hand, there I have a
good solution. I am currently developing a program for PC-compatibles called
VSUMBROW, short for 'Virus Summary Database Browser'. What this program does
is offering the user to access the VSUM document as a database file. And it
does this fast as well. It is currently only in early (but working) beta-
testing, but the few functions I have put in really works like a charm. And I
have plans for more functions as well. The hard work has already been done,
what I am currently working on is the new functions.

To date VSUMBROW has the following functions:
* Browse the virus listing, virus by virus.
* Search for a given virus.
* Display and choose from a hitlist of matching virusnames.
* Support for the alias in the virusdescription as well as in the X-ref part.
* Printing of information about a virus.
* Support for 43/50 rows on EGA/VGA graphic cards.

Functions that are to be implemented before final version:
* Search on virus type code.
* Search on virus status (New is a good candidate).
* Search on origin.
* Search on effective length. (A bit harder due to the format of VSUM)
* Export to file of a hitlist that matches a search..
* Printing of a hitlist that matches a search.
* Freetext search, for searching on any word.
* Suggestions anyone?

VSUMBROW is to be released as ShareWare, and as such can be used freely for
non-commercial use. Some of the above functions will only be active for
registered users though, to reward those who rewards hard work.
I dare not promise any release date, but it will be released as fast as
possibible. :-)

Virus Help Centre will be the registrator and distributor for VSUMBROW, and
if You have any questions, please contact Mikael Larsson at the address below.

Jonny Bergdahl
New Age Productions
* * * * * * * * *
End of description of VSUMBROW;

Rgds,

MiL

Virus Help Centre Phone : +46-26 100518
Box 7018 Fax : +46-26 275720
S-81107 SANDVIKEN BBS : +46-26 275710 (HST)
SWEDEN FidoNet : 2:205/204
VirNet : 9:461/101
SigNet : 27:5346/108
Email : [email protected]

------------------------------

Date: 21 May 91 06:47:54 +0000
From: [email protected] (Walter Maner)
Subject: 2ND CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16

The National Conference on Computing and Values will convene August
12-16, 1991, in New Haven, CT. N C C V / 91 is a project of the
National Science Foundation and the Research Center on Computing and
Society. Specific themes (tracks) include

- Computer Privacy & Confidentiality
- Computer Security & Crime
- Ownership of Software & Intellectual Property
- Equity & Access to Computing Resources
- Teaching Computing & Values
- Policy Issues in the Campus Computing Environment

The workshop structure of the conference limits participation to
approximately 400 registrants, but space *IS* still available at this
time (mid-May).

Confirmed speakers include Ronald E. Anderson, Daniel Appleman, John
Perry Barlow, Tora Bikson, Della Bonnette, Leslie Burkholder, Terrell
Ward Bynum, David Carey, Jacques N. Catudal, Gary Chapman, Marvin
Croy, Charles E. M. Dunlop, Batya Friedman, Donald Gotterbarn,
Barbara Heinisch, Deborah Johnson, Mitch Kapor, John Ladd, Marianne
LaFrance, Ann-Marie Lancaster, Doris Lidtke, Walter Maner, Diane
Martin, Keith Miller, James H. Moor, William Hugh Murray, Peter
Neumann, George Nicholson, Helen Nissenbaum, Judith Perolle, Amy
Rubin, Sanford Sherizen, John Snapper, Richard Stallman, T. C. Ting,
Willis Ware, Terry Winograd, and Richard A. Wright.

The registration fee is low ($175) and deeply discounted air fares are
available into New Haven.

To request a registration packet, please send your name, your email AND
paper mail addresses to ...

BITNet [email protected]
InterNet [email protected] (129.1.1.2)

or, by fax ...

(419) 372-8061

or, by phone ...

(419) 372-8719 (answering machine)
(419) 372-2337 (secretary)

or, by regular mail ...

Professor Walter Maner
Dept. of Computer Science
Bowling Green State University
Bowling Green, OH 43403 USA

With best wishes,
Terrell Ward Bynum and Walter Maner, Conference Co-chairs
- --

InterNet [email protected] (129.1.1.2) | BGSU, Comp Science Dept
Relays maner%[email protected] | Bowling Green, OH 43403
maner%[email protected] | 419/372-2337 Secretary
BITNet MANER@BGSUOPIE | 419/372-8061 Fax

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 87]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253