VIRUS-L Digest Thursday, 6 Jun 1991 Volume 4 : Issue 98
Today's Topics:
Checksumming flaws
Re: denzuko and semlohe viruses (PC)
Virus-writers
denzuko and semlohe viruses (PC)
PCs Which Don't Boot from the Floppy by Default (PC)
Re: Hong Kong on MircoTough dist. disks (PC)
Testing viruses - was Re: Network World Article (PC)
Re: Interesting advert (PC)
Viri and pop culture (general)
Viri in the media (not quite so funny) (general)
Strange behaviour in Mac. (Mac)
Checksumming (was: Interesting advert) (PC)
TSR to catch Yankee Doodle needed (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 04 Jun 91 14:11:12 -0400
From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Checksumming flaws
>From:
[email protected] (Mike Lawrie)
>They don't cater for this scenario:-
>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
> files on your hard disk, and thus infects each and every such
> file _after_ SCAN has pronounced them virus-free
>4. You treat checksum checking programs with utter disgust, because
> they fooled you into believing that you had protection.
This comes under the heading of jumping-off-the-high-board-without-looking-
to-see-if-there-is-any-water-in-the-pool <whew>.
I am not familiar with all virus scanners, but for some time
SCAN has checked for such dangerous viruses in memory right after it
checks itself for integrity. This checking has two other switches
available: /NOMEM will tell SCAN to proceed without checking memory
and the scenario described will result. Unless instructed properly,
people often use this switch to speed up the scanning process.
SCAN also provides the /M switch which tells it to check
memory for every known (to SCAN) virus. V77 also has a switch to check
"high" memory but since I do not have any viruses that inhabit that
region, I have not used it.
Point is that as several of us have said before, checksum
validation of programs is am important part of integrity management,
but first you must be able to trust the system else checksums can be
unreliable *and through no fault of the checksum routine* <wish we had
italics>.
Trust is something that must be built up step by step and
checksumming falls somewhere in the middle. Lacking a firm foundation,
it cannot endure.
Warmly,
Padgett
------------------------------
Date: 04 Jun 91 18:22:18 +0000
From:
[email protected] (Paul Kerchen)
Subject: Re: denzuko and semlohe viruses (PC)
[email protected] (David Hansen) writes:
>Our visiting Indonesian grad students have brought two viruses to our
>campus (Memorial University), they are called denzuko (which has no
> [...]
>Has anyone heard of these viruses from Indonesia??
I wouldn't be surprised if this was a variant of the DenZuk virus.
The name sounds too close.
Paul Kerchen
[email protected] - or -
[email protected]
------------------------------
Date: Tue, 04 Jun 91 15:10:40 -0400
From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Virus-writers
According to this (PC) week's Spencer Katt column, certain anti-viral
software houses are boosting their counts by soliciting viruses for
pay and programmers are taking them up for "big bucks".
Gee-gosharootie, have we been missing out on an income potential:
wonder what 100 more STONED clones, half with stealth would bring in ?
Shouldn't take more than five minutes each.
Kind of reminds me of the Byte-Brothers comical PARASCAN program's
ending: "PARASCAN detects 75 viruses (this was last year) & will
detect more as soon as we write some." <from memory so may be
mis-quoted>
Oh well, at least it is better than the Windows-melting virus in
April.
Bemusidly,
Padgett
Obviously my own thoughts - no one else would want them !
------------------------------
Date: Tue, 04 Jun 91 16:05:14 -0700
From:
[email protected] (Rob Slade)
Subject: denzuko and semlohe viruses (PC)
[email protected] (David Hansen) writes:
> Our visiting Indonesian grad students have brought two viruses to our
> campus (Memorial University), they are called denzuko (which has no
> apparent translation into english) and semlohe, which apparently means
I venture that the denzuko is, in fact, the fairly widely known "Den Zuk"
virus. If so, then it is a boot sector infector which is a fairly close
"knock off" of the original "Brain" virus.
The boot sector will look very similar to a "Brain" infected disk, with
the difference being that the original text about Brain computer services
has been replaced with "DEN ZUK" and an Indonesian Ham license number.
More details can be found in any reasonably complete virus
characteristics list.
(I do remember that when this was being actively discussed on the net
that two alternative translations for "Den Zuk" were "The Sweet" (or "The
Suger") and "The Knife". The later may be reasonable in view of the fact
that "Den Zuk" erases the original "Brain" infection.)
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Wed, 05 Jun 91 10:20:00 -0600
From: "John Nierengarten" <
[email protected]>
Subject: PCs Which Don't Boot from the Floppy by Default (PC)
I have followed, with interest, the discussions on forcing PCs to boot
from devices other than the floppy drive, the main purpose being
containment of viruses. Mention was made of several computers which
have a ROM BIOS which causes them to automatically boot from the hard
disk.
Does anyone know of any PCs, other than Zenith or Compaq, which have
this (boot from hard disk by default, even if a floppy is present) as
a standard feature? Or, alternatively, which ROM BIOS products
support this technique? I am in the process of acquiring new machines
for a student lab and have the opportunity to address the problem up
front.
Please send responses to my e-mail address below and I will summarize.
|\ |
|_\ | John Nierengarten, Director, Academic Computing Center
\| \| University of Wisconsin - River Falls
BITNET: ACS_JAN@UWRF Until June 30, 1991.
Internet:
[email protected]
------------------------------
Date: Wed, 05 Jun 91 16:02:01 +0000
From:
[email protected] (McAfee Associates)
Subject: Re: Hong Kong on MircoTough dist. disks (PC)
[email protected] (Frank Doss) writes:
>One of our users here at Eastern Illinois has discovered the Hong Kong
>virus on the distribution disks included with Micro Tough's TVGA
[some stuff deleted here]
>Norton Anti-Virus 1.00 did NOT find the virus, but Central Point
>Anti-Virus 1.00 found and purged the virus.
What Central Point Anti Virus identifies as the Hong Kong virus is
also known as the Azusa virus.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
McAfee Associates | Voice (408) 988-3832 |
[email protected]
4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 |
[email protected]
ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)
------------------------------
Date: Thu, 06 Jun 91 10:54:00 +1200
From: "Mark Aitchison" <
[email protected]>
Subject: Testing viruses - was Re: Network World Article (PC)
padgett%
[email protected] (A. Padgett Peterson) writes:
>>From:
[email protected] (Richard W Travsky)
>
>>An accompanying chart shows the percentage of detection by the packages
>>against 921 viruses...
>
> Just to provide "apples vs apples" tests, possibly in conjunction with
> the public domain viral list, we should make a stab at a weighted test
> (e.g. Jerusalem 1000 pts for detection, Pentagon 1 pt.) if we can come
> up with a probability function for infection it would certainly be
> better than "We can detect 900 viruses".
I agree that many virus tests are a bit irrelevant, and could be
improved by weightings such as that suggested. But also there needs to
be a component in the tests for measuring the product's ability to
spot new viruses (and the scanners should carry out at least some
simple tests for the presence of a virus - e.g. top of memory reduced,
interrupt 21 redirected, etc.)
Therefore I suggest that whoever is collecting new viruses hold some
back (ones that have not been seen in the wild, and probably won't
be), and make them available to some a-v testers, not a-v writers.
This is because, in the lifetime of an anti-virus product, there is
bound to be some new viruses released that aren't in the scan list.
And my definition of the lifetime of the a-v software isn't "until the
next version is made", but until the average user gets around to
updating their copy. So those that make updated scan lists available
conveniently, cheaply and often should get a better score.
Also, the convenience in using the product should be taken into
account, as programs that take a long time, or in other ways
disencourage the user from running it often, should get lower scores.
In effect, we should see a probability that, with this product, you
will be free from viruses.
(Personally, I like to see a more detailed analysis, including the
effect of using several products together - which, I think, most
sensible people do, but the majority of potential users of a-v
software haven't got the time to go into those details, and I doubt
many a-v testers have the time/resources to produce such detailed
reports, unfortunately).
Mark Aitchison.
------------------------------
Date: Wed, 05 Jun 91 16:06:45 -0700
From:
[email protected] (Rob Slade)
Subject: Re: Interesting advert (PC)
I am not quite sure what
[email protected] (Mike Lawrie) writes:
in response to
>
[email protected] (Y. Radai) writes:
and
> > Kenny Stevenson writes:
> >>Vaccine anti-virus system - "Vaccine is virus-non specific detection
> >>software. It uses cryptographic checksums to monitor the state of
>
> >There is absolutely nothing new in this ad. There are zillions of
> >checksum programs for the PC which claim to do the very same thing.
>
> They don't cater for this scenario:-
>
> 1. Somehow infect the RAM of your PC with a COM/EXE targetting
> virus, such as Plastique (eg run an infected program from a
> floppy, or from a network).
>
> 2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
> files on your hard disk, and thus infects each and every such
> file _after_ SCAN has pronounced them virus-free
SCAN is not a checksum/image/change detection program, but a scanner,
which looks for specific known code sequences from known viral
programs. (A further point of Mike's posting seemed to indicate that
he thought SCAN was a checksum program.)
However, Mike's posting also seems to indicate that he feels that
Sophos' Vaccine program, because it checks for changes in the program,
will not be subject to the phenomenon he describes. (At least that
was my reading, my aplogies if that was not your intent.)
Unfortunately, any antiviral program which examines programs, either
for virus signatures or in order to calculate an "image" check, will
open all the programs it examines, and therefore opens the possibility
of that same happening.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Wed, 05 Jun 91 16:13:42 -0700
From:
[email protected] (Rob Slade)
Subject: Viri and pop culture (general)
Well, folks, we have made it big time for sure.
Not only did we get the Mad Magazine "Computer Virus Issue" earlier this
year, but we just got a posting on rec.humor.funny about a supplier of
viri (including those that affect your phone and washing machine.)
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Wed, 05 Jun 91 18:21:15 -0700
From:
[email protected] (Rob Slade)
Subject: Viri in the media (not quite so funny) (general)
John Dvorak's syndicated newspaper column focusses this week on viri.
The headline (for which he cannot be held accountable, I realize) is
"Computer viruses: their cause and cure." The first sentence runs,
"It's not easy to report on something if you don't understand it at
all." He then tries to do that.
I probably shouldn't be all that hard on the article. He doesn't make
too many really boneheaded errors. He doesn't write much of any
substance, either. (Certainly there is nothing, absolutely nothing,
in the article that deals with "cure".)
He does state that a virus must attach itself to a program, thus
eliminating all BSI's from consideration. He also belittles the
definition of the Morris/Internet worm as a worm, apparently not
understanding that his definition requires it. Fred Cohen is
mentioned, as is "Shockwave Rider." ("The Adolescence of P1" is not.
Sigh. :-)
No real viral programs are mentioned, except for the brief and
uninformative reference to the Morris worm.
=============
Vancouver
[email protected] | "If you do buy a
Institute for
[email protected] | computer, don't
Research into (SUZY) INtegrity | turn it on."
User Canada V7K 2G6 | Richards' 2nd Law
Security | of Data Security
------------------------------
Date: Thu, 06 Jun 91 17:08:00 +1000
From:
[email protected]
Subject: Strange behaviour in Mac. (Mac)
One of our Macintoshes recently started 'pinging' whenever an
application started or exited, and will now only sometimes recognise
our laserwriter.
A similar machine, connected to the same printer, has no pings, and
prints fine.
Disinfectant 2.4 cannot find any virus. Does anyone recognise the
symptoms?
Thanks,
Danny
------------------------------
Date: Thu, 06 Jun 91 14:22:00 +0300
From: Y. Radai <
[email protected]>
Subject: Checksumming (was: Interesting advert) (PC)
Mike Lawrie writes:
>They [checksum programs] don't cater for this scenario:-
>
>1. Somehow infect the RAM of your PC with a COM/EXE targetting
> virus, such as Plastique (eg run an infected program from a
> floppy, or from a network).
>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
> files on your hard disk, and thus infects each and every such
> file _after_ SCAN has pronounced them virus-free
>3. You end up with every COM/EXE file on your disk having to be
> reloaded, but you believe otherwise until you find out the
> bitter truth
>4. You treat checksum checking programs with utter disgust, because
> they fooled you into believing that you had protection.
First of all, Step 2 of this scenario is certainly not characteristic
of COM/EXE infectors in general, as you seem to imply. (E.g., it
won't happen with the Jerusalem virus.) It has to be a very special
virus to do this.
Secondly, what you have described shouldn't happen with SCAN, since
before scanning it checks for the presence in RAM of viruses which act
in this way, and that includes Plastique, unless you're using an old
version of SCAN. (If this really did happen to you with a *recent*
version, contact McAfee.)
Finally and most important, suppose we have a virus in memory which
SCAN or some other program does not recognize, and the above scenario
does occur. What does this have to do with checksumming programs??
Checksum programs don't claim to *prevent* infection, only to *detect*
an infection *after* it has occurred, the next time the checksum pro-
gram is activated on an infected file. And this is precisely what
they will do even in your scenario (provided you ensure that RAM is
clean when the checksum program is activated). Thus your conclusion
in Step 4 is unjustified. What you need in order to *prevent* scena-
rios like this is to supplement the checksum program with a good gene-
ric monitoring program.
Padgett Peterson writes:
>Well some form of integrity checking must go resident, even if it is
>just smart enough to call the checksum program. Otherwise, what is
>going to identify that a program is new or changed. (you could handle
>"changed" with a zillion little .BAT files but new ?) Since you do not
>want to add to the pilot's workload, it must be automatic therefore
>resident.
Sorry, Padgett, but I don't understand what you're trying to say. As
existing checksumming programs are implemented, they notify you that a
file has been changed the next time the checksum program is activated
on it (which is normally long before the virus can do any damage).
What are the zillion .BAT files needed for?
We seem to be talking on different wavelengths, but since I don't
know where the misunderstanding lies, I'll have to start from the
beginning (sorry if what I say is obvious):
Some types of programs can be run either *statically*, i.e. as a
non-resident program activated on demand (or via the AUTOEXEC.BAT
file) to do something to all files or a specified list of files all at
once, or (2) *dynamically*, i.e. as a memory-resident program to do
it to each executable file just before execution. (These are my
terms; maybe you have a better suggestion.) For example, among
known-virus scanners, McAfee's Scan is a static program, while his
V-Shield is a dynamic program. In precisely the same way, a check-
summing or integrity-checking program can be implemented either stati-
cally or dynamically. And if it's done statically, then just as SCAN
is not memory-resident, nothing here need be memory-resident either.
Most checksumming programs which I know of can or must be implemen-
ted statically, and for good reason: The surest way to ensure that no
stealth virus can hide modifications is to do static checking immedi-
ately after booting from a clean write-protected diskette. Dynamic
checksumming is more convenient, but as far as I know, there's no way
of guaranteeing that it can't be fooled by a stealth virus. If some-
one can produce convincing evidence that there is such a way, I'd be
glad to hear of it.
Now perhaps what you mean to say is that only a resident program can
notify the user *immediately* that an executable file has just been
created or modified. If so, I agree, but I see this as the task of a
generic monitoring program, not of a checksum program. (Also, when
someone speaks of integrity checking, I assume he's referring to a
checksum program. Do you mean something else?)
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: 05 Jun 91 15:06:00 -0500
From: "Troy D. Taylor" <
[email protected]>
Subject: TSR to catch Yankee Doodle needed (PC)
I have a question for all the virus guru's out on the net. The
computer rooms have been getting hit with Yankee Doodle and it is
fairly easy to clean, but it is evading our TSR that should stop
infected files from loading (Vshield77). I would like to find
something like that to prevent the files infected from begin loaded or
at least blow whistles and beep and flash if it does load an infected
file.
later and thanks
troy
/**********************************************************
*
[email protected] * Conslt13@unoma1 *
*
[email protected] * Troy@unoma1 *
*
[email protected] * *
**********************************************************/
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 98]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
