VIRUS-L Digest Monday, 10 Jun 1991 Volume 4 : Issue 99

VIRUS-L Digest Monday, 10 Jun 1991 Volume 4 : Issue 99

Today's Topics:

RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94
Possible Bug in VIRUSCAN V77 (PC)
Hypercard Antiviral Script? (Mac)
Auto scanning of drive a (PC)
Re: What is DOD?
Re: Software Upgradable BIOS (PC)
Scanning infected files (PC)
Is there a 1024 virus? (PC)
Re: TSR to catch Yankee Doodle needed (PC)
Re: PCs Which Don't Boot from the Floppy by Default (PC)
Variant of Stoned (PC)
Questions about "Disinfectant" (Mac).
New Virus? (PC)
Re: Virus-writers

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 06 Jun 91 10:37:45 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94

>From: J|rgen Olsen <[email protected]>
>RE: LAN's as vehicle for spreading virii!
>This is mainly a question of network management.

Agreed, but one easy possibility does not seem to have been covered that
is widely used on BBSes: separate upload and download directories.

By making the upload directory write only for users and the download
directory execute only, the administrator can provide an effective
filter of what is made available to the community.

Of course this places added responsibility on the administrator since
a problem is traceable to him (I wonder if this is why many manufacturers
ship products on non-write-protected disks, there is not much question of
where an infection occurred with a notchless disk), and does introduce
a delay between posting and availability.

Such a scenario would have user A posting a file to the upload directory.
The administrator would then SCAN the program, check for malicious
behavior using an account that is unpriv'd, and check for any license
restrictions.

Only when satisfied that the program is low-risk would it be placed in a
user-accessable area.

Such a filter should also be used between software developers and user
areas (but rarely is). In practise, the technique is much simpler than
it sounds and need not be a burden.

Padgett
It works for me

------------------------------

Date: 06 Jun 91 09:43:00 -0500
From: "William Walker" <[email protected]>
Subject: Possible Bug in VIRUSCAN V77 (PC)

I have found what seems (to me) to be a bug in VIRUSCAN V77. When
scanning multiple floppies (SCAN A: /M /MANY), the first virus
encountered prompts the message

Found 1 file containing viruses.

If the next diskette also contains a virus, SCAN reports

2 viruses found.

So far, so good. Here's the problem: SCAN says "2 viruses found."
for every subsequent diskette with a virus, so long as no clean
floppies are scanned. If a clean floppy is encountered, the message
returns to "Found 1 file containing viruses." and the cycle repeats.
CLEAN does not have the same problem, as its counter is accurate.

I guess this is a trivial problem, and it doesn't matter to me as it
still detects viri without problems (that I've seen). However, it
does not inspire confidence in the user whose diskettes I'm scanning
when he or she asks, "Why isn't the count right?" and I reply, "It's
just a bug in the detection program."

Incedentally, VIRUSCAN V75 and V76C don't show this problem, and
judging from their behavior, this is not supposed to be a running
count, but merely a count of viri on the diskette just scanned. Also
incedentally, this behavior only occurs with the Stoned virus, not any
of the other viri with which I tested it (Jerusalem-B, Yankee Doodle,
Music Bug, or 1701/1704). Has anyone else seen this?

Bill Walker ( [email protected] ) |
OAO Corporation | "That's not a bug,
Arnold Engineering Development Center | that's a feature!"
M.S. 120 | - Anonymous
Arnold Air Force Base, TN 37389-9998 |

------------------------------

Date: Thu, 06 Jun 91 15:34:04 +0000
From: [email protected] (Joshua M. Alden)
Subject: Hypercard Antiviral Script? (Mac)

Awhile back people mentioned a Hypercard script to deal with the
recent Hypercard virus. Then someone mentioned that their script
wasn't reliable, and someone else said he'd write a new one, and that
was the last I've heard of it.

Has anyone got a reliable script? Or at least a script which
works in known circumstances?

- -Josh.
- --
Josh Alden, Consultant, Dartmouth Computing | #61 Hidden Lane
Private mail: [email protected] | West Lebanon, NH 03784-9720
Virus mail: [email protected] | (603) 643-2840

------------------------------

Date: Thu, 06 Jun 91 13:26:23 -0400
From: Dmitri Schoeman <[email protected]>
Subject: Auto scanning of drive a (PC)

A while back, there was a question as to if any programs will
automatically scan a disk in drive A. I think it would be possible by
having a TSR hooked to the clock which would check the interupt for a
changed disk (if asked I will try to find which interrupt) If the
interrupt returns that the disk has been changed then the scan will
automaticly begin, at most 1/18.2th of a second after the disk door
was closed. If this were implimented in a virus scanner (ideally for
a computer lab full of virus ignorant people) I think it would be able
to control virus's for people who are unable to check for themselves.

- -----Dmitri Schoeman

------------------------------

Date: 06 Jun 91 22:12:01 +0000
From: [email protected] (John M Twilley)
Subject: Re: What is DOD?

[email protected] (Mac Su-Cheong) writes:

> May someone please give me information on DOD Computer Security Center ?
>Is it possible to get reports or papers of DOD ?

DOD stands for the United States Department of Defense.

I am pretty sure that they publish unclassified information on
virii, but I wouldn't know where to find it.
- --
|John M. Twilley (Nautilus)|"Electricity is the dangerous|Disclaimer: Take|
|Internet: [email protected]| stuff in an extension cord."|what I say with |
|BITNet: Nautilus@RPITSMTS|(paraphrased from S. Dorner) |a grain of salt.|

------------------------------

Date: 06 Jun 91 18:54:17 +0000
From: ingoldsb%[email protected] (Terry Ingoldsby)
Subject: Re: Software Upgradable BIOS (PC)

padgett%[email protected] (Padgett Peterson) writes:
> >From: "William Walker C60223 x4570" <[email protected]>
..
> >I feel that the prominent anti-virus researchers (and some of uss
> >others) ought to collectively rise up and protest the software-
> >upgradable BIOS before it gets any acceptance.
..
> Tullahoma in the seventies - Hi Bill), there does not have to be a problem
> if the hardware designers do their job. A EEPROM requires a special signal
> on one lead to tell it to write. If that lead is under hardware control and
> accessable only with the case open and a special plug in place that disables
> everything except a "load & verify BIOS" program, risk can be minimal.

It is not even necessary to place it under hardware control, rather if
the hardware incorporates an interlock that requires a special,
possibly unique, code, then the viruses could bash at it forever
(almost) without success.

For example if each machine thus manufactured were assigned a unique
value in EPROM (which could not be read by the CPU), say of length 64
bits, then the user could be queried, by the software upgrade program,
to enter the key. If the key matched, the EAROM would be modified,
otherwise nothing would happen.

Note that if my quick calculations are correct, at a rate of 1 million
tries per second it takes about 1800 years to try all the
combinations. Surely after a year or so even the most patient of
users would realize that something was wrong. The number could even
be printed on the back of the machine, in case the user should forget.

- Terry

- --
Terry Ingoldsby ingoldsb%[email protected]
Land Information Services or
The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

------------------------------

Date: Thu, 06 Jun 91 20:31:23 -0500
From: Finnegan Southey <[email protected]>
Subject: Scanning infected files (PC)

In regards to the problem of anti-viral programs infecting files
they scan when a memory-resident virus is present: Wouldn't it be
possible to read disks sector by sector instead of opening files
through DOS calls? This reading would be much the same as a disk
editor program. The scanner could consult directory listings to find
program boundaries and then check approp- riate areas without opening
the files as a file? As I'm not an MS-DOS expert I'm not sure if this
makes sense, but I thought I'd ask.

-
-------------------------------------------------------------------------------
Finnegan Southey - Computing Services, University of Guelph, Ontario, CANADA
BitNet: ACDFINN.VM.UOGUELPH.CA CoSy: [email protected]
You are in a maze of twisty little passages, all alike...
-
-------------------------------------------------------------------------------

------------------------------

Date: Thu, 06 Jun 91 21:07:30 -0600
From: "Stan Orrell" <[email protected]>
Subject: Is there a 1024 virus? (PC)

Can anyone suggest an explanation of our observation on several
computers (various IBM pc types) of a result from chkdsk of 654336
bytes of total memory?

The value is confirmed, in kbytes, when Norton SI is run. The
machines are always booted from floppies, and are networked, but only
data files are moved over the network connection. Everything seems to
be OK otherwise, i.e. the usual applications work correctly and no
other weird files have appeared.

What is this? And, what should one do about it?

Any help appreciated. Thanks, Stan.

------------------------------

Date: Fri, 07 Jun 91 09:06:00 -0400
From: Al Woodhull <[email protected]>
Subject: Re: TSR to catch Yankee Doodle needed (PC)

> The computer rooms have been getting hit with Yankee Doodle and it is
> fairly easy to clean, but it is evading our TSR that should stop
> infected files from loading (Vshield77).

Yankee Doodle and Jerusalem are the only two viruses I have
had actual encounters with, and the situation is similar here, one or
more of my assembly language programming students reinfect files on
the LAN where MASM and Codeview are kept. I have been using VIRSTOP (a
TSR scanner) on my own system.
VIRSTOP is fast and unobtrusive and is very reliable in
preventing execution of small .COM files infected with either of the
viruses that have been a problem here. But I find it doesn't always
find infected files. I should do a controlled test sometime, but I
have a subjective impression that when I do find one of my programs
infected it is always a large .EXE file, either ProComm or Emacs. I
can't imagine a scanner would be so limited as to be able to scan only
one 64K segment, but that would explain what I think I have seen. Can
anyone tell me if there are other reasons why a scanner might have
problems with a large .EXE file?
I understand that VIRSTOP uses the same signature information
as McAfee's SCAN V68, so this could be relevant to the problem with
VSHIELD77.

! Albert S. Woodhull
! School of Natural Science, Hampshire College, Amherst, MA 01002
! tel: (413) 549-4600 ext 581
! [email protected], [email protected]

------------------------------

Date: Fri, 07 Jun 91 11:11:32 -0600
From: [email protected] (Todd Bradley x293)
Subject: Re: PCs Which Don't Boot from the Floppy by Default (PC)

>Does anyone know of any PCs, other than Zenith or Compaq, which have
>this (boot from hard disk by default, even if a floppy is present) as
>a standard feature? Or, alternatively, which ROM BIOS products
>support this technique? I am in the process of acquiring new machines
>for a student lab and have the opportunity to address the problem up
>front.

My CACHE motherboard uses their own proprietary BIOS and has a
configurable boot sequence, either C then A or A then C. So if you
know there is a system on drive C, you can set it to the first mode
and it will never boot from A. This saves time, too.

Todd.

- --
Todd Bradley (extension AXE) Disclaimers are for wimps who have
Supreme Ruler of The Galaxy some sort of job security.
Precision Visuals, Inc. Boulder, CO (303) 530-9000

------------------------------

Date: Fri, 07 Jun 91 10:31:37 -0700
From: [email protected] (McAfee Associates)
Subject: Variant of Stoned (PC)

A new Stoned variant is becoming widespread in the US and Canada
which is not detected by version 77 of SCAN. The /EXT external virus
data option in SCAN and CLEAN can be used to identify and disinfect
the virus. The external virus data file should read:

"A1 13 04 48 48 A3 13 04 B1 06 D3" PS-Stoned Variant [Stoned]

To scan a system for the virus, type in:

SCAN x: /EXT filename

Where "x:" is the drive to be scanned, and "filename" is the name of
the external virus data file.

To remove the virus, type in:

CLEAN x: /EXT filename [STONED]

Where "x:" is the drive to be scanned, and "filename" is the name of
the external virus data file.

The symptoms for thia variant are similar to the Stoned virus,
however, no message is displayed.

Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date: Fri, 07 Jun 91 17:01:57 -0500
From: [email protected]
Subject: Questions about "Disinfectant" (Mac).

I've been using Disinfectant since version 1.6 and I've had a few
questions I've wanted to ask for quite a while.

1. I believe since version 2.0, Disinfectant had the ability to install
a protection INIT. The thing is only 5k... What does it DO?...
Does it just give a warning if something is being infected?
What does it look for?

2. I remember hearing that using Disinfectant AND the old virus protection
CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow rendered the
Disinfectant INIT useless or something to that effect).
Is it also a good idea to remove the INITs "KillVirus" (Icon is a
needle with the word nVIR next to it). and "Kill WDEF - virus INIT"
(Icon is just a standard document icon)? I know these are pretty old
too. (at least I don't have "Ferret" and "Kill Scores" and those other
related relics)

2a. Almost forgot... What about "SAM (TM) Intercept" INIT... I know it's
newer but do "SAM" and "Disinfectant" interfere with each other?

My current version of Disinfectant is 2.4... Is this the most current
one? I've had it for about 6 months now.

+ - - + |... P_lasma --- James Firmiss (Foxx Fox) ---
- + + - |... S_ource --- [email protected] ---
+ + - =====>+ I_on --- Univ. of Wisc. Madison ---
- + - |... I_mplantation --- Materials Science Program ---
- + - + - |..._______________________________________________________
"Beep. Beep Beep. Beep Beep." - vi editor

------------------------------

Date: 07 Jun 91 17:35:16 -0500
From: <[email protected]>
Subject: New Virus? (PC)

Hello Netlanders,

we yesterday observed strange behaviour on one PC with 386 DX (in
Osnabrueck W-Germany). Chkdsk reported an "Allocation error, size
adjusted" on several Exe-Files. For example KRNL386.EXE and KERNEL.EXE
of Win 3.0 but not the KRNL286.EXE. Windows worked only in
Standard-Mode but in Real and 386 Enhanced the System crashed.
Scanning the HD after booting from Floppy (I hope a clean one :-))
with F-PROT 1.15a and SCAN v 77 revealed nothing.

Restoring the obviously damaged files we observed an increase of the
File-Length of 4280 bytes in case of the damaged (infected ?!) files.
Maybe any kind of Tequila shows his (ugly :-() face?

Any suggestions?

Regards, Frank Petersen

B.t.w.: I'll send a copy of an infected file together with the
uninfected version to Ken. Maybe he'll be so kind to pass it to the
masses of famous :-) and intelligent (and so on) virus researchers, so
they can have a close look at the nasty stuff. (Thanks Ken).

****************************************************************************
* _________ _________ * *
* / ______/ / ___ / * via EARN/BITNET: PETI1010 @ DOSUNI1 *
* / /____ / /__/ / * *
* / _____/ / _____ / * via FIDONET: (2:245/20.9) *
* / / / / * *
* /__/ rank /__/ etersen * Reserved for future expansion *
* * *
****************************************************************************

------------------------------

Date: 08 Jun 91 13:21:28 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: Virus-writers

padgett%[email protected] (A. Padgett Peterson) writes:
>According to this (PC) week's Spencer Katt column, certain anti-viral
>software houses are boosting their counts by soliciting viruses for
>pay and programmers are taking them up for "big bucks".

If that is true, I and and the Virus Bulletim would very much like to
know which companies are involved - I would do my best to drive them
out of business.....

Actually, this reminds me of a chat I had with Todor Todorov - the
SysOp of the largest Virus BBS - He said he had samples of 70 viruses
not detected by any anti-virus program, and was negotiating with a
certain US-based anti-virus company - offering to sell them (and
nobody else) the viruses....

- -frisk

Fridrik Skulason Technical Editor of the Virus Bulletin (UK)
(author of F-PROT) E-Mail: [email protected] Fax: 354-1-28801

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 99]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253