VIRUS-L Digest Tuesday, 28 May 1991 Volume 4 : Issue 91

VIRUS-L Digest Tuesday, 28 May 1991 Volume 4 : Issue 91

Today's Topics:

A question regarding commercial dial-up services
Software Upgradable BIOS (PC)
Interesting advert (PC)
Virus detection via crcs
Virus-Buster (PC)
MBOU101.ZIP (PC)
Hard Disk R/W errors (PC)
FSP and sales figures (was: Into the 1990s)
Trends (Network World, May 13, 1991
Re: Tequila virus (PC)
new virus ? (PC)
Review of Mace Vaccine (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 25 May 91 21:15:46 -0700
From: [email protected] (Lloyd E Vancil)
Subject: A question regarding commercial dial-up services

I have a question.

In the form of a senario;

Given: A BBS service distributes a program that you must run in your
machine to use the service. ( ;-) guess who! ) This service becomes
very popular with computer users who are less technically inclined.
It is very flashy and popular with children. As part of the program a
very large file is installed in the PC's disk that is used to "stage"
graphics "primitives" screens.

Investigation reveals whole blocks of ram have been dumped to the
file. Typical finds include, dos environment information, disk
directories, pieces of files that were deleted by dos (but not removed
from the disk surface).

I'm just enough of a skeptic to ask why "Whole chunks of ram" are
dumped, but that's a question for comp.programmer

Here's the virus question.

Question:
Would it be possible;
1. for a memory resident virus to be scooped up by this service..
and return to reinfect the machine at a later date? Presumably
by the service's reusing of the file fragment that contains the
"screen primitive" and the "scooped" virus code.

2. for a virus to be written to take advantage of this transmission
method?

(I'm not sure that the "service" retains a complete copy of it's
users "staging file"; after all they claim nearly 1 million
users and at ~1meg per user that's 10^12 bytes? (wow) And I'm
not sure the data from one user is seen by another's machine.)

- --
| [email protected] | * S.T.A.R.S.! . + o |
| [email protected] | The Revolution has begun! . + |
| sun!suntzu!suned1!lev | My Opinions are Mine mine mine hahahah!|

------------------------------

Date: Sat, 25 May 91 10:02:00 +0700
From: "Jeroen. W. Pluimers" <[email protected]>
Subject: Software Upgradable BIOS (PC)

>Intel has announced a chip which would allow users to upgrade their
>BIOS using a floppy disk. The term I saw was "erasable programmable
>read-only memory (EPROM)," but more likely the actual technology
>in the chip is EEPROM (electrically erasable programmable ROM) or
>EAROM (electrically alterable ROM).

>From what I understand this is quite common, most ROM BIOS
manufacturers use EEPROMS which can be repogrammed when you have:
a) the new EEPROM image (on disk or as an (EEP)ROM)
b) and EEPROM programming device that can program that kind of EEPROM
c) a very strong UV lamp to erase a programmed EEPROM

At first sight I wouldn't be too much afraid from what Intel says
now. It would be a whole other story if PC's became able to deliver
the programming voltages and some way of eraseing pieces of an
EEPROM. That way, virusses might possibly alter the BIOS in such a
way a virus would be effective from before the POST and protect
itself in a very nasty way.

Cheers,
Jeroen W. Pluimers

P.S.O.

snail: P.O. Box 266
2170 AG Sassenheim
The Netherlands

phone: +31-2522-11809 18:00-21:00 UTC

fidonet: 2:281/521
2:281/515.3

bitnet: [email protected]
[email protected]

internet: [email protected]
[email protected]

------------------------------

Date: 27 May 91 16:42:58 +0100
From: "K.Stevenson" <[email protected]>
Subject: Interesting advert (PC)

Just read an interesting ad in Personal Computer Magazine, April 1991
VNU 404, page 135. It seems that most of us can now sleep easy if the
claim made in this advert is true - what will all you EXPERTS do ?!
Before I pass the details to you please note my disclaimer that I do
NOT represent this company in any way and vievs are my own etc etc

Ok whats all the fuss about then ...

Vaccine anti-virus system - "Vaccine is virus-non specific detection
software. It uses cryptographic checksums to monitor the state of
executables on a PC or file-server. Any change, however caused will
be detected. Since Vaccine does not need to know about particular
viruses in order to detect them, it is future proof. Once installed,
Vaccine will detect all viruses, past, present and future."

Various other details follow on price etc

This product is sold by S|O|P|H|O|S of England

Well - this should cut down the e-mail to Virusl-l if we can ALL
afford it!

Comments welcome ! (and I can't imagine that there woun't be some)

Kenny Stevenson Edinburgh Uni Comp Service [email protected]

------------------------------

Date: 22 May 91 13:21:10 +0000
From: [email protected] (John Blakeney)
Subject: Virus detection via crcs

crd check is only effective way of looking for viral activity unless
search strings are known for the viruses listed in letters. trhere is
no known virus(to my knowledge which does not alter crc check. the
only way to dodge this check would be to alter files so that there is
no change in crc. there has been a rumour of a virus which was written
in a command.com file and the alteration of the crc was only by one
bit! even in this case the truncating of the command com files to
accomodate the virus was unsuccessful in hiding it. There havew even
been rumours ofscan being infected because another viral check found a
string which resembled that of a known virus.(sorry about lousy
typing!)

- --- TMail v1.21j
* Origin: Prophet BBS (3:713/1701)

------------------------------

Date: Tue, 28 May 91 05:44:59 +0000
From: [email protected] (Trieu B Phan)
Subject: Virus-Buster (PC)

Has anyone ever used that(Virus-buster).
It seems strange to me,I have installed it on my PC and after I
reboot the PC is hang,I have to use a bootdisk to turn on.
Any ideas,please drop me a line.
Thanks in advance !

------------------------------

Date: Tue, 28 May 91 01:18:19 +0000
From: [email protected] (Eric Jacksch)
Subject: MBOU101.ZIP (PC)

It has come to my attention that one of my utilities (for FidoNet and
other compatible PC networks) is being labelled a trojan by an Ottawa
system operator.

Due to other activities by this person, which I will refrain from
discussing here, I strongly suspect that this claim is being made
maliciously and without cause. The software was beta tested on
systems which contained the same files which the said person claims
are corrupted. In fact, the software does not access these files. In
addition, the software was released in late January, this is the only
such claim which has been made, and the timing corresponds with the
release of a larger network utility with commercial possibilities.

I am unable to reproduce the claimed results.

Notwithstanding the above, users of MBOU101.ZIP are cautioned that it
is possible that someone has tampered with the program. Should you
have any doubts whatsoever, a clean copy can be file requested from
Fidonet 1:163/111, or from any Fidonet SDS site.

If you have any concerns whatsoever, please feel free to contact me.

- --
Eric Jacksch, [email protected] (UUCP: aficom!insom!jacksch)

------------------------------

Date: Tue, 28 May 91 14:30:00 +0100
From: "Schwegler Ralph" <[email protected]>
Subject: Hard Disk R/W errors (PC)

Hello,

When i first switch on my computer, my HD (Seagate SR-238) works well.
But after some minutes, there are many R/W errors. I am using DOS 3.21;
i have low level formated my HD as a SR-238R HD, with Seagate's
Diskmanager.

I could not find a virus, either with f-prot 115 or scan 77. If i list
the TSR, there is a 3120 bytes long file labelled ?.

Could that be the cause of the harddisk problems ?

Thanks for your advices.

Ralph Schwegler, student at University St.Gallen for Economics (CH).
E-Mail : [email protected] / [email protected]

------------------------------

Date: Tue, 28 May 91 15:49:00 +0300
From: Y. Radai <[email protected]>
Subject: FSP and sales figures (was: Into the 1990s)

Ross Greenberg writes in response to my posting:
> To paraphrase your past arguments for the readership, I believe you
> commented that FSP's installation was such a pain in the butt that few
>people used the integrity checking feature FSP includes.

Well yes, I was referring to that ... plus the fact that after three
years of existence FSP still has no provision for checking the
partition record (master boot record) ... plus the fact that for any
given file, FSP gives the same checksum for all users, which (imho) is
a security hole. (At least, these were true the last time I looked.)
But just to show that I don't think your integrity checking is *all*
bad :-) , I found that FSP was faster than any program based on a CRC
over the entire file.

I gladly accept your suggestion to continue the discussion on these
points at the Virus Bulletin conference. (In fact, part of my lecture
will deal with weaknesses like the above even if I don't specifically
mention FSP.) But in my last posting I was concerned with FSP not in
itself, but merely as an *example*: Since the vast majority of users
don't check for weaknesses like these before they buy a program like
FSP, high sales figures do not prove that the software is good.

I don't deny that quality of software has *some* relevance to sales
volume. The question is *how much?*. You didn't react to my
statement that if the correlation were high, "we could completely
dispense with all the quality comparisons that are continually being
made in the literature, and simply quote sales figures." Is that what
you're suggesting?

Anyone else in this forum have an opinion on how high the correla-
tion is between quality of software and sales volume (for products in
the same price range)?

Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]

------------------------------

Date: Tue, 28 May 91 09:34:00 -0400
From: [email protected]
Subject: Trends (Network World, May 13, 1991

The "Trends and Technologies" page of "Network World," May 13, 1991
carried the following headline in a box: "Viruses specially made to
destroy nets."

"Science hasn't cured the common cold after decades of trying. The
prognosisis, unfortunately, is equally gloomy where the diseases of
networking -- computer viruses and worms -- are concerned.

"And the virus stituation is worsening. Virus experts predict a trend
of virus strains -- and other plagues -- that are aimed specifically at
bringing down networks," writes Kris Herbst.

One expert "says the new threats will be designed to more effectively
cause damage to a network." "Specifically" and "designed." Strong
language. The viruses that we have are bad enough, yet most of them
were loosed in comparative innocence.

Now few people are any more aware than I am of the difficullty of
getting reporters to print it straight. I am sympathetic to the
"expert" embarrassed by this prediction. (Read on; it could be almost
any of you.) Embarrassed for him (well, that eliminates about half of
you.) If he said it, he should be embarrassed because such speculation
is unwarranted by the evidence, except to the extent that it tends to be
self-fulfilling. If he did not say it, I hope that he will write a
letter to the editor.

Now, who is the expert? The victim? The perpetrator? Why our very own
Klaus Brunnstein. Too bad.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Tue, 28 May 91 11:15:02
From: [email protected]
Subject: Re: Tequila virus (PC)

>From: Padgett Peterson <padgett%[email protected]>
>
>Ross: It would be interesting if you, Frisk, & I ever get together
>at a bar but they'll have to provide a padded room & unbreakable glasses.

Hey, take some time off and come on over to the UK this September for
Ed Wilding's little get together in the Channel. I expect it to be
*very* good [for those who are not aware of it, the Virus Bulletin is
having an international virus seminar where just about everybody who
is anybody will either a)be speaking or b)be in the audience making
fun of those who are speaking. It ain't cheap, but I think it'll be
real good.]

>>Sorry: I don't count "wild card" strings as a search pattern. There's
>>too much chance for false positives.

>Why do you disagree with "wild cards"? For example, if I find a boot
>sector that contains MOV AX,[413] <some code> MOV [413],AX I would
>suspect a virus reguardless of what went on in the <some code> area.
>To me a variable length "wild card" to replace <some code> would be
>very useful in this case.

In our tests for Virex-PC's scanner, we throw it up against a coupla
network servers filled to the brim with every piece of software we can
find. When we let a new scanner with new strings loose on it, any
false positives based upon our string library and our program library
will show up quickly. I've found far too many false positives with
wild card patterns than with either fixed patterns or algorithmic
pattern matching schemes. Since false positives remove some of the
credibility of the product with corporate clients, we've worked long
and hard to make sure that we don't have them: only two false
positives to date for a product about a year old; that's not too bad
at all (> 400 strings in the current release).

When I report that there is a virus in a program or in a boot sector,
I want to be sure.

>I agree that the potential for false positives exists, but as an
>intial mechanism that determines a maxterm/minterm decision tree
>structure or to provide a public signature without revealing to much
>of the viral design, such a "wild card" function would be very
>effective.

Part of the advantage of working hard on a fast search engine: some
cycles to spare. If I put in a search string that is "wild carded"
and get a hit on some program to verify later with some other method,
why not just check that other method first? That's what I'm doing
with about a half dozen viruses and I was able to accept a 1-2% hit on
speed as a consequence of the action of checkinbg completely for the
virus instead of playing with wild cards.

Although I understand the desire for wildcarding (it certainly makes
turning out a new piece of code a quick turnaround!), I just don't
think it buys enough to feel safe with.

But, well, to each their own! Cheers!

Ross

------------------------------

Date: 28 May 91 19:04:28 +0000
From: [email protected] (doug d'glaren)
Subject: new virus ? (PC)

I just finished cleaning up my hard disk after getting a virus from
a local BBS, and I've told them about it, and they've removed the
offending program, and everything is fixed, but some questions remain.
I know some things about virii, mostly from what I've read in
various text files on the subject and anti-virus program's doc files,
so I was able to figure out what was going on and get rid of it, and I
had backups of most of the files that were damaged so I came out ok,
but I would like to know if anybody else has had problems with this
virus.
First of all, SCAN77 does not recognize this virus. So I am led to
believe that it is rather new. If only SCAN77 did recognize it, it
would have saved me a lot of aggravation! I now use a disk monitoring
program when checking new programs, but hindsight is always 20-20 ...
Well, here's some characteristics of this virus:
I got it from a program called DI.Exe, which is a small directory
making program. When this program ran, it ran drives A and B (I
noticed this, but paid it no mind! Once again, hindsight ...) It
was, I later learned, looking for files to infect.
What it did was copy a copy of the virus to every EXE file it could
find. When these programs were run, they again tried to copy the
virus. The virus apparantly does NOT go TSR, but infected EXE files
seem to only have about 24k to run in, (An infected MEM.Exe file said
maximum executable file size was about 24k) so most of my EXE programs
wouldn't work after that, complaining about lack of memory. DI.EXE
ran fine, of course. These EXE files grew by about 3k, the exact
amount varying from file to file. The virus did not seem to care if a
file was read only or not. It also created hidden system files in
every subdirectory, named just A, B, C, D, E etc. I don't know what
their purpose was, but as the infection progressed, I saw higher and
higher letters. Perhaps a countdown of some sort? I don't know.
The virus did not appear to do anything else other than infecting
EXE files which propagated it.
The virus contains this string which I used to search for it (it
doesn't appear to be self encrypting or anything funky like that ...)
43 83 FB 0A 72 ED 2B DB EB E9 C3 2E FF 06 FD 00 2E FF 2E FF 00
In the scanning program that I made I looked for the text string of
Alt-114, Alt-237, ... 043 219 235 233 195 046 (you get the idea ...)

Does anybody know anything about this particular virus? I would
like to know a little more about it. Besides the sysop of the BBS
isn't convinced that it was a virus, and I'd like to know it's not
just me.

[email protected] aka Doug McLaren

------------------------------

Date: Fri, 24 May 91 16:41:02 -0700
From: [email protected] (Rob Slade)
Subject: Review of Mace Vaccine (PC)

Comparison Review

Company and product:

Paul Mace Software
400 Williamson Way
Ashland, OR 97520
USA
tech support 503-488-0224
fax: 503-488-1549
sold and supported through:
Fifth Generation Systems, Inc.
10049 N. Reiger Rd.
Baton Rouge, Louisiana
USA 70809
1-800-873-4384 sales and info
504-291-7283 tech support
504-291-7221 admin
telecopier: 504-292-4465

Mace Vaccine-Anti-viral software version 3.0, 890505

Summary:

Activity monitoring software, plus change detection

Cost

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
Installation 3
Ease of use 2
Help systems 1
Compatibility 2
Company
Stability 3
Support 1
Documentation 1
Hardware required 1
Performance 2
Availability 2
Local Support ?

General Description:

SURVEY.EXE is a change detection program which calculates and stores
signatures of files. VACCINE.EXE monitors attempts to modify system
areas of hard disks, and may use the data from SURVEY.EXE to alert to
changes in programs as they are invoked. Recommendation limited to
*hard disk only* systems in situations where technical support staff are
responsible for system integrity and need to have records of changes.

Comparison of features and specifications

User Friendliness

Installation

The program disk is shipped write protected, but on a writeable disk.
The first line of the installation instructions, however, do stress the
importance of write protecting the disk before putting it into any
drive.

The README.TXT file is referred to in the installation documentation,
but (with this version) contains only the note that the documentation is
up to date. (The fact that this note is dated two years past is not
reassuring.) The README.TXT file is suggested to be viewed by running
README.BAT, but this requires that the MORE program be in the effective
path.

Installation consists simply of copying the files. The files can be
renamed, but the documentation does not note the necessity of keeping
the proper extensions. (Admittedly, any user who knows how to rename
files will likely also know the importance of extensions.)

Ease of use

There are two separate programs in the package. SURVEY.EXE calculates a
"check value" for each file in all subdirectories on the current, or any
specified, disk. The values are kept in a file called HELP.CRC on the
root directory of the checked disk. The check value is a four digit
hexadecimal code, and the name of the file would seem to indicate that
this is a CRC calculation rather than a checksum. Once the "survey" has
been done once, all, or specified individual, files may be checked
against it for changes. If a program has been altered the user is
alerted (but no action is suggested) and any changes are noted in a file
called CHANGES.CRC. New programs are not noted in the CHANGES.CRC file.
System areas are not checked: the package relies on the action of
VACCINE to stop any attacks on the boot sector or partition table.

The other program, VACCINE.EXE, is a resident program which can be
invoked with a number of switches to allow for three different levels of
protection to direct action against hard disk system areas. Although
the different levels are explained clearly, the decision as to which
level or option to use is not supported by discussion in the manual.

The package gives the initial impression that these functions are
integrated, and that complete protection against viral infection is
provided. Further exploration, however, reveals that each program must
be used indepenently, and that checks for modification of files or
system areas are by no means assured.

Help systems

There are no help systems.

Compatibility

The program does not protect against infection by the Stoned virus, or
any other boot virus. In testing, it did not detect the presence of the
infection on the hard disk, and did not prevent infection of floppy
diskettes. Although the documentation refers to protection of floppy
diskettes (and how to turn it off), further reading indicates that this
refers only to prevention of formatting of diskettes.

Further testing, in fact, reveals that there is almost no protection
provided to floppy disks, and, indeed, that it is *not possible to run
the program on a floppy only system*. The VACCINE program will not go
resident if a hard disk is not present. This is nowhere mentioned in
the documentation (which states that it "works on all IBM and compatible
machines with DOS 2.0 or higher, and uses slightly more that 6K of
memory." It is also not noted by the program: when invoked it merely
states that a hard disk is not present.

The VACCINE program apparently makes no attempt to prevent changes to
program or other files, but does prevent changes to system areas of the
hard disk. (Depending upon the level of protection selected, this may
only be extended to the first hard disk.) Therefore, system management
utilities may conflict with the package. The documentation specifically
warns against the use of disk testers, defragmenters or sector editors
while VACCINE is operating. The program can be "turned off" to allow
operation of such programs.

Also, any programs which alter their own code will generate alerts by
the SURVEY program, or by VACCINE at level 3.

Company Stability

Unknown.

Company Support

Unknown.

Documentation

The documentation is clear and understandable, but quite sparse (only 15
pages long.) While directions for operating the program are plain, the
implications of what the program will do are not, even after several
readings. (After testing, the careful wording fo some of the passages
becomes clear. Personally, I find the documentation almost misleading
in many areas, although few can be said to be inaccurate when looked at
carefully.)

Hardware Requirements

A hard disk is required, although that is *not* mentioned in the
package.

Performance

Able to detect (manually) changes to previously surveyed program files.

Local Support

None provided.

Support Requirements

The package is simple enough for an intermediate user to install. Given
the current climate of viral activity, naive users would have to have
immediate access to experienced advice to interpret the activity of this
package, and any alerts it would generate. Intermediate users would be
able to use the program effectively most of the time, but should have
access to skilled help for many situations.

General Notes

This product has a very high reputation with many as one of the first
commercial antiviral programs. However, the fact that it has not been
updated in two years is surprising. Given that fact, however, the
weaknesses of the program may be understandable. Nonetheless, they are
enough to prevent one from recommending the product in any but the most
restricted situation.

copyright Robert M. Slade, 1991 PCMACE.RVW 910524

=============
Vancouver [email protected] | "If you do buy a
Institute for [email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 91]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253