Return-Path: <[email protected]>
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
       id AA17773; Thu, 25 Jun 92 20:16:05 EDT
Posted-Date:         Thu, 25 Jun 1992 19:53:17 EDT
Received-Date: Thu, 25 Jun 92 20:16:05 EDT
Received: from IBM1.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
       id AA29964; Thu, 25 Jun 92 20:11:31 EDT
Message-Id: <[email protected]>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 6722; Thu, 25 Jun 92 20:04:06 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id
7611; Thu, 25 Jun 92 20:03:52 EDT
Date:         Thu, 25 Jun 1992 19:53:17 EDT
Reply-To: [email protected]
Sender: Virus Discussion List <[email protected]>
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject:      VIRUS-L Digest V5 #121
Comments: To: [email protected]
To: Multiple recipients of list VIRUS-L <[email protected]>
Status: R
VIRUS-L Digest   Thursday, 25 Jun 1992    Volume 5 : Issue 121

Today's Topics:

re: Viruses, Anti-virals, & change (PC)
Re: VIRx version 2.3 released (PC)
re: Hardware protection (PC)
Re: Zipped Viruses (PC)
Scanners & Integrity Management (PC directed but not specific)
HDTUNE.ZIP trojan (PC)
NAV killed, etc (PC)
Vshield 91 locks up windows 3.1 (PC)
Re: mutating - polymorphic (PC)
re: Scanning for encrypted viruses
F-PROT 2.04a released (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 24 Jun 92 23:19:00 +0100
>From:    Anthony Naggs <[email protected]>
Subject: re: Viruses, Anti-virals, & change (PC)

A. Padgett Peterson ([email protected]) says:
>Getting back to the original subject, scanners have been called "flawed" for
>a 95+% detection rate. To me this is acceptable because there is another means
>for achieving 100% every time. Once you know that "something" has happened,
>all else falls out. The hard part is being able to say "This is enough".

Remember scanners have applications where nothing else will do:
1.  Vetting of incoming software before use, some destructive viruses can
   cause damage the very first time their run.
2.  Identifying the cause of a suspected intrusion.  I expect to see some
   products attempt exact identification of viruses found before the end
   of the year.
3.  Trace back of the virus's propagation, by identifying media and PCs
   where the same strain of virus is present.

Regards, Anthony Naggs

Internet:  [email protected]  or  [email protected]
Janet:     [email protected]  (  cbs%uk.ac.brighton.vms::amn  )
   or     [email protected]        (  cbs%uk.ac.city::xa329        )

------------------------------

Date:    Wed, 24 Jun 92 23:20:00 +0100
>From:    Anthony Naggs <[email protected]>
Subject: Re: VIRx version 2.3 released (PC)

I think I ought to maintain my reputation, such as it is, by explaining my
recent errors.

Vesselin Bontchev ([email protected]) says:
>
> [email protected] (Anthony Naggs) writes:
>
> > Vesselin you are over looking the fact that there are already 2
> > versions of MtE in circulation, one ('0.92' I think) is found on
> > "Dedicated" & "Fear" and the other ('0.90') is on "Pogue".  I have
> > only looked at the one on "Pogue" so far, and around 20% of the files
> > I infected were corrupt.
>
> No, all the three viruses - Dedicated, Fear, and Pogue use one and the
> same version of MtE - 0.90-beta. Look at the code and you'll see that
> I am right. ...

I apologise for my slightly confused recollection of, (virus-l digest v5 #31):
   >Date:    10 Feb 92 20:40:23 +0000
   >From:    [email protected] (Vesselin Bontchev)
   >Subject: Re: DAV/Sourcer/Rape (PC)
   >
   [... stuff deleted ...]
   >
   >    .., but the source of the Mutating Engine (called MtE) is not
   >provided. According to the docs, what we have is version 0.90-beta of
   >the MtE, but version 0.91 is also known to exist... I'm wondering what
   >will be implemented more in version 1.00... :-(((

Having only looked at Pogue so far, I drew the incorrect inference that the
later MtE version exists in Fear &/or Dedicated.

>         ... If Pogue destroys some files, the reason is that the virus
> is buggy, not the MtE. MtE has another bug - that in about 10% of the
> cases it produces non-encrypted mutations.

It is the MtE generated decryptor that is corrupt - I can see no way in
which any code in Pogue, other than the MtE, could be causing this effect.

> > If the MtE detection tests that you are performing are going to be of
> > relevance you will need to test for the variations produced by "Pogue"
> > as well.
>
> I am testing the scanners for detection of MtE-based viruses.
> Therefore, it doesn't matter what virus I am using for the tests
> (except in the case of the non-encrypted mutations). If Pogue is buggy
> and damages some of the infected files, then this is yet another
> reason not to use it for the tests ...

My assertion was based upon my reliance on Vesselin's previous claim of
multiple versions of MtE, in which case viruses using all versions would
need to be tested.

Regards, Anthony Naggs

Internet:  [email protected]  or  [email protected]
Janet:     [email protected]  (  cbs%uk.ac.brighton.vms::amn  )
   or     [email protected]        (  cbs%uk.ac.city::xa329        )

------------------------------

Date:    Wed, 24 Jun 92 23:21:00 +0100
>From:    Anthony Naggs <[email protected]>
Subject: re: Hardware protection (PC)

Raju M. Daryanani ([email protected]) says:
> In recent weeks I've been seeing a growing number of advertisements
> for boards that plug into PCs and supposedly protect the machine not
> just from currently known viruses, but from viruses that have not even
> been written yet.  The latest board I've come across is from Certus
> and is called Novi (or something like that).  ...

Certainly a number of protection techniques are made possible or more
reliable by using an add-in adapter card.  For example the program ROM on
such a card has an opportunity to execute before the PC boots, virtually
assuring a virus free environment.  I don't know anything about Certus's
product, but I expect Joe Wells will illuminate us all.

> ...  The first such hardware
> device I came across last year claimed that it monitored the bus for
> virus activity at all times & hence stopped them from working.  In
> discussions with some other persons who were interested in stopping
> viruses we came to conclusion that as far as detection of new viruses
> was concerned this claim was a load of crap.  ...

Sounds like the "Knoxcard", which is imported into the UK by a company which
seems to have little technical understanding of viruses or the operation of
their product.

>                                          ...  To me these boards seem
> especially vulnerable since a virus writer who had access to one can
> specifically write his virus to detect the presence of the board and
> circumvent it.

At the software level it is simlar to a virus writer who has access to an
anti-virus software product, his virus could equally detect that product
and circumvent it.  Practically such a card has several advantages, in this
respect at least: relatively few of any one type of card will be in use
(price & production limits), so the virus writer is unlikely to have the same
type of card as you; the card may be bypassed but code cannot be easily
patched, because it is in ROM; the card will always be run at the next re-boot,
but software can be patched or deleted to prevent any further use.

> Since I'm no expert on viruses, just someone who's has enough problems
> with them already, I was wondering what those more knowledgeable about
> viruses than me think about these boards.

I am interested enough to be experimenting with such boards, which I hope
to show to potential evaluators in a month or two, for comment as to which
features ought to included in a production edition.  Prefered criteria for
such evaluators: UK based (allows me to visit and/or provide telephone
support); testing on "vulnerable" PCs where there is a high probability of
encountering wild viruses, eg students pools at universities.

Regards, Anthony Naggs

Internet:  [email protected]  or  [email protected]
Janet:     [email protected]  (  cbs%uk.ac.brighton.vms::amn  )
   or     [email protected]        (  cbs%uk.ac.city::xa329        )

------------------------------

Date:    Thu, 25 Jun 92 10:59:12 +0200
>From:    Magnus Olsson <[email protected]>
Subject: Re: Zipped Viruses (PC)

[email protected] writes:
>[email protected] (Magnus Olsson) writes:
>> this one. IMHO, exaggerating the dangers of, say, stealth viruses is
>> potentially dangerous, as it may lead to exaggerated actions by people
>> who believe they're infected - such as people throwing away SCANV
>> because hey've heard somewhere that "scanners are dangerous".
>
>They are correct to throw it away - not because "scanner are
>dangerous", but because "scanners alone do not provide a sufficient
>level of protection". A multi-level defense must be used, with the
>accent made on the integrity checking.

Well, in that case, it is not "correct to throw it away", is it? If
they are to use a multi-level defence, shouldn't they keep the scanner
anyway, as one component of the multi-level defence?

(This doesn't mean that I disagree with your earlier conclusions)
- --
Magnus Olsson                   | \e+      /_
Dept. of Theoretical Physics    |  \  Z   / q
University of Lund, Sweden      |   >----<
Internet: [email protected]     |  /      \===== g
Bitnet: THEPMO@SELDC52          | /e-      \q

------------------------------

Date:    Thu, 25 Jun 92 08:30:15 -0400
>From:    [email protected] (A. Padgett Peterson)
Subject: Scanners & Integrity Management (PC directed but not specific)

>From:    [email protected] (Vesselin Bontchev)
>Subject: Re: Viruses, Anti-virals, & change (PC)

>[email protected] (A. Padgett Peterson) writes:

>2) "The only way to achieve 100 % detection of all possible viruses is
>through integrity management." Unfortunately, this is not true. There
>are several kinds of attacks against the integrity checking software.

Vess: The integrity management I was talking about includes knowlege of what
     the processor memory is supposed to look like as well as the programs.

>> Meanwhile, the scanners are recognizing this. Frisk's heuristic analysis and
>> McAfee's /AF and /CERTIFY switches are good examples. More and more good

>Frisk's heuristic analyzer has nothing to do with integrity management
>- - it is just a scanner which scans for particular (not virus-specific)
>pieces of code. McAfee's implementation of /AF is insecure and can be
>bypassed by any attack against an integrity checking program I can
>think of.

Here, I was referring to an encouraging trend, not the current products. The
anti-viral product vendors are evolving, I agree they are not there yet, but
are now going in the right (IMHO) direction.

>> systems first determine that *something* has happened before trying to
>> determine *what*.

Again, this includes memory changes as well as program. For the so-called
"slow infectors" to infect-on-creation, they must be memory resident and
*that* can be detected.

Also, again IMHO viruses, at least of the kinds we know about, are not much
of a threat to a vigilant system even now. However, I agree that it is possible
to defeat any known system, but today the "bad guys" are less likely to
use a virus than a worm, trojan, or directed attack. The *children* will
continue to play with viruses but what I am concerned about are professionals.

(note: please remember that I live in a "different" environment).

                                       Warmly,
                                               Padgett

------------------------------

Date:    Thu, 25 Jun 92 10:35:02 -0500
>From:    Eric Carlson <[email protected]>
Subject: HDTUNE.ZIP trojan (PC)

Someone uploaded a small program called HDTUNE.ZIP to our BBS.

The program is supposedly a hard drive optimizer but it is only about
4.K, so it is obviously not a normal hard drive optimizer.

Scan v.91 and F-prot 2.04 (Secure and Heuristic) don't flag it as
anything.

A user downloaded it and tried it, and it erased his hard drive. He has
no fragmented files now, but that is not how he expected it to happen.

After hearing this, I removed the file and looked at it.

The EXE file contains the text "Ok, asshole.  Your dead."

This program should probably be detected as a Trojan horse.

   - Eric Carlson - Microcomputer Software Support -
    - Northern Virginia Community College System -
        - NOVA BBS 703-323-3321 - 14,400 BPS -
- MY OPINIONS ARE MY OWN, AND NOT THOSE OF MY EMPLOYER -

------------------------------

Date:    25 Jun 92 15:25:34 +0000
>From:    [email protected] (Vern Chibber)
Subject: NAV killed, etc (PC)

       Hi!  Last night I was trying to install windows on my
386-40MHz and I came across a very interesting dilema.  It ran the
first time without a problem.  The second time it told me that
win386.exe was corrupt.  I run NAV.EXE (Norton Anti Virus) and it said
that it was corrupt too.  I downloaded another copy from a friend and
the file increased by 1808 bytes.  I copied it to another directory
and it increased by another 1815 bytes.  I copied it over twice more
and the size stayed the same.  Also, my machine appeared to slow down
somewhat.  I also got a rectangle 6 lines by 12 rows of a different
color on the screen.  This box also moved the text above it by a few
lines.

       I'm not really sure what this is.  Sounded like a virus to me
so I just wanted to check.  This happen to anybody anytime?  I would
appreciate any help.  Thanks in advance.

------------------------------

Date:    25 Jun 92 16:29:28 +0000
>From:    [email protected]
Subject: Vshield 91 locks up windows 3.1 (PC)

> I am experiencing a lockup of windows 3.1 when version 91 of McAfee
> VSHIELD is installed on my 386. VSHIELD is being installed in
> autoexec.bat with /windows option.

Norton Desktop V1.0 has *known* problems similar to what you describe
when it is running under win3.1. Try changing back to the Windows
program manager and see if that helps, however, Ross' best bet is to
upgrade to Norton Desktop V2.

Geri Finkelstein
Business Systems Analyst

The opinions stated here are my own.

------------------------------

Date:    Thu, 25 Jun 92 22:09:32 +0000
>From:    [email protected] (Paul Ducklin)
Subject: Re: mutating - polymorphic (PC)

Thus spake [email protected]:
>How about dropping scanstrings of old viruses, which are not likely to
>reappear again? Just like in medicine: if the is an illness which
>disappeared, why waste more serum than necessesary?

In Africa, one required smallpox jabs long after the last recorded
case had faded from people's memories. Of course, not long after
everyone had finally stopped asking you to show innoculation
certificates at their border posts, along comes a scare: someone who
had recently holidayed in Borneo, or somewhere, had been admitted to
hospital with the dreaded smallpox! Probably an urban legend, but
there you are.

Anyway, towrards the end of 1990, the Harare (or Superhacker) virus
popped up in Harare, Zimbabwe. Although it apparently turned out to
have been written in Scotland (isn't epidemiology wonderful..), the
virus got the name Harare from its first reported appearance. This is
a poor virus: run an infected file and you'll instantly see the virus
ask you to Insert diskette for drive B:, then drive A:. Only on a twin
floppy system could this thing get anywhere. This was a flash in the
pan; a virus doomed to extinction.

A year later, it resurfaced in Johannesburg, South Africa (1200km
South of Harare). Presumably some happy-go-lucky schoolboy virus
collector let it escape from his butterfly jar in a class lab filled
with twin-floppy PCs. So much for extinction..

Still, dropping (or at least having an option to drop) "old" viruses
might not be a bad idea. Lots of support calls I get revolve around
users who take fear at the sight of "extinct" viruses reported by
their favourite scanner. We've had some pretty rare viruses around
theses parts of late -- all false alarms, of course. Naturally, the
apparent rarity of such "viruses" only serves to convice users that
it is to be expected that the other n pirated scanners they have
should miss the virus. After all, doesn't "rare" have something to do
with "hard to find"...

Anyway, here's another feather in Vesselin's "integrity checker" cap.

Paul Ducklin
Somewhere near the middle of the City of Pretoria
South Africa

------------------------------

Date:    Wed, 24 Jun 92 23:18:00 +0100
>From:    Anthony Naggs <[email protected]>
Subject: re: Scanning for encrypted viruses

Raphael Finkel ([email protected]) says:
> If a virus encrypts itself by a variable key that is a single byte, and
> uses that byte to xor its code, then the xor of adjacent bytes of its
> code is unaffected.
>
> So a 'first-derivative' scan string could contain not the bytes of the
> virus, but the xor of adjacent bytes of the virus.  This scan string
> would still be very virus-specific, but would be encryption-invariant.
> If the key is longer than a byte, the same idea works, with appropriate
> adjustments.

This is a good idea, and may aid some scan algorithims, unfortunately very
few viruses use such a simple encryption.  So far as I can recall, for all
viruses where this may be applied the actual decryption code is relatively
easy to scan for.  Also this technique may be more susceptible to giving
false alarms, (the domain of matching byte sequences is larger).

Regards,
   Anthony Naggs               + "Curiouser and curiouser!" cried Alice (she
                               + was so much surprised, that for a moment she
Email: [email protected]   + quite forgot to speak good English).
  or [email protected]          +   - Alice's Adventures in Wonderland

------------------------------

Date:    Thu, 25 Jun 92 14:19:58 +0700
>From:    [email protected] (Fridrik Skulason)
Subject: F-PROT 2.04a released (PC)

Because of a few minor problems with version 2.04, I have released a
minor update, named 2.04a.  It is not necessary to upgrade, as the
problems are relatively minor, but I would recommend it though.

The problems were:

   Virstop could not be installed with the "Install" option, but
   had to be copied to the target directory.

   The program would occasionally report that files infected with
   certain variants of the Dark Avenger, SVC, Cascade and V2Px
   families had been modified, by adding some extra bytes to the
   end.  This had no effect on detection/removal of the viruses,
   however.

   The virus information database was fixed a bit - sometimes the
   names used there did not correspond exactly with the names the
   scanner reported, for example "SADAM" and "SADDAM".

I just uploaded FP-204A.ZIP to my usual archive sites:

     141.210.10.117 oak.oakland.edu
     129.109.9.21 eugene.utmb.edu
     192.88.110.20 wsmr-simtel20.army.mil

However, the programs might not be avaialble for downloading, until they
are moved to their proper directories by the archive administrators.

FP-204A.ZIP contains the following files:

Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name
------  ------   ----- -----   ----    ----   ------  ----  ----
  3791  Implode   2233  42%  14-06-92  14:11  6426f8dd --w  NEW.204
110703  Stored  110703   0%  25-06-92  10:55  90bb814e --w  F-PROT.EXE
 12799  Implode   8832  31%  25-06-92  10:53  676f5ba3 --w  VIRSTOP.EXE
    58  Stored      58   0%  03-04-92  08:22  76a33484 --w  F-TEST.COM
 22337  Stored   22337   0%  25-06-92  08:52  90880125 --w  SIGN.DEF
  2220  Implode   1595  29%  31-03-92  23:34  03af3eea --w  TROJAN.DEF
 98706  Implode  83376  16%  25-06-92  10:52  6abd17a5 --w  VIR-HELP.ENG
 21162  Implode  18155  15%  25-06-92  09:16  2b057cf6 --w  ENGLISH.TX0
  3168  Implode   1640  49%  28-12-91  17:20  563cb2c5 --w  READ_ME.DOC
 10662  Implode   4381  59%  03-02-92  09:00  137ab957 --w  VIRUS.DOC
  9689  Implode   4131  58%  11-06-92  21:03  a6cfa065 --w  SCAN.DOC
  1631  Implode   1008  39%  03-04-92  10:33  1e1fa287 --w  LANGUAGE.DOC
  3087  Implode   1574  50%  30-12-91  09:10  f5d92b99 --w  ANALYSE.DOC
  2508  Implode   1351  47%  03-04-92  08:20  ae1c67dd --w  VIRSTOP.DOC
  2940  Implode   1572  47%  14-06-92  16:29  ce30f7d8 --w  COMMAND.DOC
   796  Implode    535  33%  27-02-92  09:38  f1651847 --w  FUTURE.DOC
  3469  Implode   1726  51%  28-01-92  14:38  9e2884af --w  INSTALL.DOC
  1302  Implode    848  35%  21-01-92  19:37  ced10744 --w  PROBLEM.DOC
  3107  Implode   1500  52%  03-04-92  10:38  de0db71c --w  PRICING.DOC

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 121]
******************************************


Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.