Return-Path: <
[email protected]>
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
id AA15798; Thu, 3 Sep 92 15:11:21 EDT
Posted-Date: Thu, 3 Sep 1992 14:50:24 -0400
Received-Date: Thu, 3 Sep 92 15:11:21 EDT
Errors-To:
[email protected]
Received: from CS2.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA20001; Thu, 3 Sep 92 15:06:19 EDT
Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA20911
(5.65c/IDA-1.4.4); Thu, 3 Sep 1992 14:50:24 -0400
Date: Thu, 3 Sep 1992 14:50:24 -0400
Message-Id: <
[email protected]>
Comment: Virus Discussion List
Originator:
[email protected]
Errors-To:
[email protected]
Reply-To: <
[email protected]>
Sender:
[email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <
[email protected]>
To: Multiple recipients of list <
[email protected]>
Subject: VIRUS-L Digest V5 #146
Status: R
VIRUS-L Digest Thursday, 3 Sep 1992 Volume 5 : Issue 146
Today's Topics:
LANs & Viruses (PC)
Re: VACSINA Information Wanted (PC)
Re: hardware protection against PC viruses (PC)
Re: CMOS "viruses" (PC)
Re: new virus found (PC)
Re: Anyone for a Feist ??? (PC)
Any info on Gobbler-II a-v sw or Comrac (its publisher) ? (PC)
Auto-detecting virus (PC)
Re: McAfee's 95 series (PC)
F-PROT reports Bugsres 3 Jokes program? (PC)
Re: HELP with partition infector!! (PC)
Re: Datalision Inc fractal program (PC)
F-Prot & SuperStor (PC)
Amiga virus info (Amiga)
Bugs on my Atari (Atari)
Virus Armour
Re: What is the best anti-virus program???
On daily scanning (general)
Bull(____) Virus used for mischief (general)
Mail-server software updates
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to
[email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<
[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 31 Aug 92 16:38:38 -0400
>From:
[email protected] (A. Padgett Peterson)
Subject: LANs & Viruses (PC)
I have received word that our test LAN is ready for experimentation &
will commence tomorrow. Before I get into that, I would like to make
some comments about Netware (R) in general.
1) It is possible to protect a LAN server from viruses using only
the capabilities built into the LAN.
2) The methodology is somewhat obscure and may impact the way the
users are accustomed to having the LAN operate.
3) Access to files is controlled by "rights" and may be assigned
to users, groups, volumes, directories, and files.
4) Rights may be tranferred and "inherited" in certain ways.
5) Rights granted at one level can often override a lack of rights
at another.
6) Out of 256 possible combinations of file rights (SRWCEMFA) alone,
240 will permit viral attacks. The sixteen remaining combinations
can be subverted by rights granted at other levels.
Warmly,
Padgett
------------------------------
Date: Mon, 31 Aug 92 20:34:03 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: VACSINA Information Wanted (PC)
[A quick apology to anyone whose mail I haven't replied to - a hard
disk failed one morning. Backup? No need - nothing important on
there; only a couple of packages and some files (& mail) off the net.
Even I am not perfect, :-) ]
Garry Scobie, <
[email protected]>, reports a VACSINA incident:
> Bates Anti-Virus Utilities v3.37
>
> TREE.COM Found Vacsina - TP05 <1206>
> MEM.EXE Found Vacsina - TP05 <1206>
>
> F-PROT v2.04
>
> TREE.COM Infection: Vacsina (TP-5)
> MEM.EXE Infection: Vacsina (TP-5)
> CHKDSK.EXE Infection: Vacsina-loader
>
> I am interested in the result of F-PROT indicating CHKDSK. Is this
> file infected - probably but to what extent?
First I should remind/explain that MS-DOS supports two executable file
formats, (omitting batch files from this discussion). These are known
as 'COM' and 'EXE' formats, often the format used is reflected by the
filename extension, but this is not necessarily the case.
The infection function of Vacsina viruses recognises 'COM' format files
and will infect them when they are found. Some of the early variants
infect 'EXE' files in two passes, when they are first encountered the
virus modifies them to become 'COM' format files. So when the file is
encountered on another occasion the infection will be completed.
CHKDSK.EXE is in this state where it has been converted to a 'COM' file,
but the second stage of infection hasn't occurred.
> Is it important that one utility recognised CHKDSK while the other did not?
Yes, 'EXE' files modified in this way may be corrupted and either fail to
work or work incorrectly. This includes a number of programs that
use overlays or include configuration information in the executable file.
Software that misses these files may leave continuing problems, and resolving
these will be difficult if you believe that the virus has been removed.
Yours,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
-- Oe Noe! Danny Quale is in the shrubbery! --
------------------------------
Date: Tue, 01 Sep 92 02:06:46 +0000
>From:
[email protected] (Suresh Thennarangam - Research Scholar)
Subject: Re: hardware protection against PC viruses (PC)
[email protected] (Barry S. Fagin) writes:
>I have recently seen some literature on ViruGuard, a PC expansion card
>that claims to defeat all IBM PC viruses. Does anybody know anything
>about this? Is it all it's cracked up to be? Please reply to this
>account; any help would be much appreciated. Thanks.
Take a look at the Virus Bulletin Feb 1992, product review on page 24
by Keith Jackson.
FYI: The conclusion reads - ( I quote verbatim)
________________________________________________________________________
CONCLUSIONS
ViruGuard can detect viruses. It can do this before execution commences
for about 50% of viruses. It can detect over 90% of viruses when infected
files are allowed to execute, However, the vendor's original claim that
"ViruGuard traps all present and future viruses" is shown to be untrue.
________________________________________________________________________
Regards,
__
(_ o_ o o |_
__)/(_( _) (_(_ /_)| )_
***************************************************************************
* Suresh Thennarangam * EMail:
[email protected](Internet) *
* Research Scholar *
[email protected] *
* Institute Of Systems Science * Tel: (065) 772 2588. *
* National University Of Singapore * Facs.: (065) 778 2571 *
* Heng Mui Keng Terrace * Telex: ISSNUS RS 39988 *
* Singapore 0511. * *
***************************************************************************
------------------------------
Date: Mon, 31 Aug 92 22:36:55 -0400
>From:
[email protected] (A. Padgett Peterson)
Subject: Re: CMOS "viruses" (PC)
>Kevin Haney Internet: khv%
[email protected]
>About the possibility of a CMOS virus, as far as I know, the CMOS
>memory is not in the address range of 80x86 processors, so a program
>usually cannot access this memory directly or change it.
Not quite true: a PC canot *execute* a program in the CMOS memory but
it can be read and written to with proper assembly language
statements. Consequently, CMOS can be corrupted by a PC virus that is
executing (Azusa is the most common example).
Since PC and XT class machines did not come with any CMOS memory and
the amount of CMOS memory can be as little as 32 bytes, nearly all of
which is used, and different BIOSes use the CMOS memory differently,
it is not even a good place for a virus to store data.
For the hysterically minded, CMOS memory (actually battery backed RAM)
is a byproduct of the Motorola MC146818 (or eq.) Real Time Clock chip.
Back in pre-AT times, people had to set the clock every time the
system booted (even DOS 5.0 will ask if you want to set it if no
AUTOEXEC.BAT if found on boot). Consequently, one of the first
peripheral cards was a clock/calendar containing this chip.
So that an accurate date could be maintained, the clock had to
continue to run and the date/time stored even though the computer was
turned off. Consequently, these cards also contained a battery to
keep the clock running. Since the chip was constantly powered it also
contained a small amount of RAM for storing the date. So that the
clock could be read and set it contained read/write logic accessable
from the CPU.
The name, CMOS, stands for Complementary Metal Oxide Semiconductor - a
chip manufcturing process that runs on exceptionally low power,
necessary for the original batteries to have a decent life - today
most batteries are rechargable lithium units that can last for several
years so long as the PC is used regularly.
Quickly, manufacturers found out that only a small part of the RAM was
needed for the clock (10 bytes) leaving quite a bit for "other"
activities. First exploited by the IBM AT (Advanced Technology) it
can be used for many things. Just not viruses.
More than you ever wanted to know about penguins,
Padgett
------------------------------
Date: Tue, 01 Sep 92 04:41:31 -0400
>From: Otto Stolz <
[email protected]>
Subject: Re: new virus found (PC)
Hello Frisk,
On Sat, 01 Sep 90 23:41:26 -0700
[email protected] (Sulistio
Muljadi) said:
> This is the translated version of an article in an Indonesian
> Computer Magazine, as I noted in a posting of VIRUS-L edition
> Friday, August 31, 1990 about mysterious message. [...]
> No more information I have instead of this one.
>
> INDONESIAN VIRUS
>
> * FREDDY
> Freddy was made by one of a student in a academy of
> computer in Indonesia. It infected the program, not a boot
> sector virus. The program infected is IBMBIO.COM
> The characteristic of this virus is the appearance of
> FREDDY in a box.
Now
[email protected] writes:
> A new virus not detected by McAfee's Scan93 nor Virx version 2.3 was
> found in Brazil. F-prot said it's a new variant of jerusalem.
And on 26 Aug 92 15:33:10 +0000 you said:
> Well, it turned out that it is not. This virus belongs to a separate
> family. It contains an encrypted text string "Freddy Krg", so I have
> proposed the name "Freddy" for it.
I fear, this name has already been given to another virus (cf. the
above quote from an old VIRUS-L posting). If I'm right, you'd better
choose another name for the new beast, otherwise please tell us which
name the Indonesioan virus has acquired, meanwhile.
Best wishes,
Otto Stolz <
[email protected]>
<
[email protected]>
------------------------------
Date: 01 Sep 92 19:51:11 -0500
>From:
[email protected] (Did somebody say Coffee ??????)
Subject: Re: Anyone for a Feist ??? (PC)
>>A few days ago I came across a machine absolutely
>>covered by the feist virus..
>
>Hm - strange. As fas as I know, Feist is unknown outside Russia.
>
>>Clean 93 wouldn't remove it, although it was in F-Prot 2.04a's
>>database, wouldn't even recoginise it !!
>
>In that case there are two possibilities:
>
> 1) This is a false alarm - F-PROT detects Feist without problems,
> I just checked.
>
> 2) This is a new virus, that (whatever other program you used)
> just happens to mis-identify as Feist. In this case I would
> need a sample of it to update F-PROT.
>
>However, It might also be interesting to see what other scanners report, or
>what F-PROT's Quick and Heuristic scan report.
>
>- -frisk
Ok, update time.
The virus I found wasn't the feist virus. I viewed the file using a
simple file viewer and found the string "No Frills 2.0" towards the
end.
F-prot 2.05 does NOT have this virus in its database however the
heuristic scan does say that is almost certainly a virus.
Clean 95 incorrectly identifies it as Feist.
No Frills is not in Scan 95 virlist.txt either.
Question: What does No Frills do and can it be removed.
E-mail me if you want a copy of the file.
- -Fodd
[email protected]
[email protected]
------------------------------
Date: 02 Sep 92 18:12:32 +1200
>From: "Nick FitzGerald" <
[email protected]>
Subject: Any info on Gobbler-II a-v sw or Comrac (its publisher) ? (PC)
This morning I received a "beta evaluation copy" of Gobbler-II version
2.99B in the mail from Comrac - a Dutch software producer. From the
way the accompanying letter was addressed, Comrac clearly got my name
and address from the net (only my sig says "PC Applications
Consultant" - my business card says "Consultant (PC Support)" and on
forms and things like electoral rolls I put my occupation as "Computer
Consultant").
Can anyone give me some more background on Comrac? Have other regular
(?) posters to Virus-L/comp.virus also been sent one of these
diskettes (I haven't had time to look at it yet - looks like something
for tomorrow now). Interestingly, whilst they got their original
contact with me via Email, the letter didn't mention an email address
to contact them.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
[email protected] (64)(3) 364-2337 Voice, 364-2332 FAX
------------------------------
Date: Wed, 02 Sep 92 17:52:27 +0000
>From:
[email protected] (Denis Beauregard)
Subject: Auto-detecting virus (PC)
I would like to write a program that will check if it is per se
holder of a virus. The method I have in view :
Compile the program.
Compute the checksum of the program.
Put the checksum in the program.
When starting the program : Stop the program if the checksum has been altered.
Advantages :
1- User can not modify the program to remove the copyright notice
(whic I can code anyway)
2- Virus modifying hte program would be catched immediately so that
my programs will be reputed for being virus-safe
Inconvenients :
1- This won't work on older DOS versions (since the file name is not available)
2- This will slow down the program loading, but by a small amount
I would like to get feedback (I will keep subscription for that group
for one month as I usually subscribe only to a group when I have a
specific interest).
Also, I never saw a self-protected program. Even an anti-virus program
has as instructions : use the included diskette if infection is known.
I think this is because DOS can be infected, but I feel these programs
are not self-immunated (but I can be wrong).
Would it be safer to use a 32 bit checksum (I understand a 16 bit
checksum would mean if something if wrong, odd are 1 to 65536 not to
find it). A 32 bit machine will just count faster a 32 bit sum.
So I would use 32 bit for speed reason instead of security (while
changing the checksum will be harder if 32 bit, and still more if
instead of adding 32 bits, I mask some bits and add them twice).
- --
\_\ Denis Beauregard * internet:
[email protected]
/ \ Genealogiste officiel : Beauregard/Jarret/Jarest/Vincent
J __> Un Quebec renouvele dans une Amerique renovee
\_.-=== Opinions ? Et pis non
!
------------------------------
Date: Wed, 02 Sep 92 14:50:10 +0000
>From:
[email protected] (Gary Heston)
Subject: Re: McAfee's 95 series (PC)
[email protected] writes:
>In reply to my query about the authenticity of McAfee Associates "95"
>serie of programs i got a message from a Belgian user who mentionned
>that the files were on the GARBO server. It seemed to me that US
>programs should also been made available from a US site <grin>, so I
>fetched the files which are now available from us too.
They're also on uunet, along with F-Prot 2.05:
~/systems/msdos/simtel20/trojan-pro/fp-205.zip
~/systems/msdos/simtel20/trojan-pro/clean95c.zip
~/systems/msdos/simtel20/trojan-pro/netsc95b.zip
~/systems/msdos/simtel20/trojan-pro/scanv95b.zip
~/systems/msdos/simtel20/trojan-pro/vshld95c.zip
Available via FTP or anonymous 900-number uucp. Unless, of course,
you have an account with uunet..... :-)
- --
Gary Heston SCI Systems, Inc.
[email protected] site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
The most dangerous person in the world is Jessica Fletcher.
Everywhere she goes, people die.
------------------------------
Date: 03 Sep 92 02:34:40 +0000
>From: dana%
[email protected] (Dana E. Keil)
Subject: F-PROT reports Bugsres 3 Jokes program? (PC)
I just obtained F-PROT. Running a scan with it reports that a file
named bugres.com is infected with a virus named "bugsres 3 jokes
program". I can find no mention of this virus anywhere in F-PROT
documentation (nor elsewhere). Can anyone enlighten me about it?
- --
Dana E. Keil Department of Agricultural and Resource Economics
[email protected] University of California, Berkeley
------------------------------
Date: Wed, 02 Sep 92 22:48:19 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: HELP with partition infector!! (PC)
Tim Simmonds reports:
> I have scanned a PC for virus's using SCANv8.7B95 and it reported
> that the Partition table was infected with the Cansu[Can] virus.
> And the CLEAN-UP program reported that the virus could not be
> removed safely....Is there anything else that can be donee
> and how can you get a copy of the Partition Boot Record.
>
> The PC is a IBMPC 386 running DOS 5.
The solution you require is:
1. Assuming you have a write protected boot diskette, use this to start your
system. If you don't then with this virus you should be safe in booting
from the hard drive.
2. Run FDISK /MBR which will replace the partition boot record, (alias
partition sector or MBR - Master Boot Record), with the standard program
& retain the correct partition info.
Getting a copy of the partition sector is usually done with a disk
editor, such as that in the Norton Utilities or Central Point PC
Tools. For Norton 4.5 Advanced Edition you should start the program
in 'maintenance mode' with "NU /M". Look at Absolute sector 0 on your
hard drive, and you can save this (in FILE mode).
pragma sermon (on)
** Everyone should have a boot diskette **
Not so long ago everybody had a [PC/MS/DR]-DOS diskette with their
system, which could be used to boot it. However many cheap PCs now
seem to ship with only a partial version on the hard drive, and the
standard MS-DOS 5 upgrade will not boot. Also systems change over the
years an your boot diskette may not be appropriate anymore.
So you should think about preparing a suitable boot diskette, "just in
case". Use "FORMAT A: /S", or if the disk is already formatted "SYS
A:", to make a basic boot disk.
If you use a command shell, such as 4DOS, you will need to ensure that
the relevant files are copied to the diskette, and a minimum
"CONFIG.SYS" is prepared to start it correctly.
Copy some basic utilities onto the diskette, such as "DEBUG" (SID in
DR-DOS), "CHKDSK", "FDISK", ... This is your 'bare bones' boot disk,
test it by booting from it, write-protect it, make an extra copy (with
DISKCOPY) and keep them safe.
If use special software, such as DISK MANAGER or STACKER, to access
your hard drive(s) then you need a second version of the diskette.
This needs to include the software & appropriate "CONFIG.SYS" and/or
"AUTOEXEC.BAT" to start these programs. Again test the disk,
write-protect, copy & store safely.
DO NOT put WINDOWS, DESQVIEW, QEMM, 386MAX, ... onto these diskettes
as they are likely to obstruct investigation of your system for faults
or viruses.
Your favourite anti-virus s/w, system checking software (such as
Quarterdeck MANIFEST), should be kept on seperate write protected
diskettes, (so that you don't have to remove the protect on your boot
disks). Use these after booting from your diskettes, as the copies on
the hard drive may be corrupt or infected.
pragma sermon (off)
Take care & compute safely,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Wed, 02 Sep 92 22:49:14 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: Datalision Inc fractal program (PC)
Homer Smith, <
[email protected]> reports:
> Being into fractals and all I get lots of fractal disks
> in the mail from would be fractal types. A few years
> back I got a disk called MANJU87 from a company called
> DATALISION PULISHERS, INC. New York 10017.
>
> [.. stuff deleted ..]
>
> Anyhow a few weeks ago I got around to installing it for
> the first time to see what the competition was like.
> A few days later I found my hard disk will missing 16 million bytes
> in 8110 lost clusters!
>
> ... I fixed my disk with pctools and reinstalled manju87 and lo and behold
> 8110 lost clusters.
>
> What is this joker doing anyhow? Besides placing a hidden file
> in my root directory named !_235053 which was filled with sniblets of
> random files on my disk, how did he manage to lose that many clusters
> and cross allocate files in my fat to the point where pctools just
> gave us and went to the mirror file?
Well, the good news is that this is almost certainly not a virus.
The bad news is that the s/w is dire, but you'd guessed that already.
The probable explanation is: the software is trying to use a security
mechanism, presumably to prevent duplication (?). However it was
written with the 32Mb partition limit of DOS versions up to 3.3 in
mind. So it is mucking around at a low level with your hard drive,
and all references to disk areas are calculated modulo 32Mb. Meaning
that the first protion of your disk is getting mangled in a
particularly unpleasant manner. Time to reach for those backups, ...
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Thu, 03 Sep 92 03:34:38 -0400
>From:
[email protected]
Subject: F-Prot & SuperStor (PC)
Has anyone used F-Prot's F-Driver.SYS with SuperStor from DR-DOS6.
I tried to install this but got the message INT 13h modified....
I am sure that I do not have a virus, and am assuming the INT 13h is
used for disk access (which superstor would need to modify to redirect
disk accesses to itself)
Second: IBM PC question.
Can anyone advise me whether there is a virus that modifies the
seconds field in a files time value to 62. I seem to recall that there
is a virus which does this.
If there is then how do I remove it? what does it do etc.
Anyone help?
Thanks,
Andy
------------------------------
Date: Tue, 01 Sep 92 18:59:26 +0000
>From: cmontoya%
[email protected] (Red Dragon)
Subject: Amiga virus info (Amiga)
Where can I get Amiga virus information?
/cm
[email protected]
------------------------------
Date: Tue, 01 Sep 92 19:45:23 +0000
>From: cmontoya%
[email protected] (Red Dragon)
Subject: Bugs on my Atari (Atari)
I know I'm the not the only person with an old Atari. I just had a
bunch of bugs appear on my screen and eat up the screen and trash my
disk. Help please. I was just going to help a friend with an Amiga
virus and this happens! BTW, can PC viruses infect my Atari? I was
using a DOS disk when this happened.
/cm
[email protected]
------------------------------
Date: Mon, 31 Aug 92 13:08:50 +0000
>From:
[email protected] (Suresh Thennarangam - Research Scholar)
Subject: Virus Armour
In the Jan 1992 issue of Virus Bulletin,column Virus Anlysis,
James Beckett writes:
<> Designers realized some time ago that the efficiency of micro-processors
<> can be increased by using the spare bus time to pre-fetch the next few
<> bytes of instructions. This has the curious corollary that if the
<> memory is modified a very short distance in front of the current
<> instruction, the processor never sees the change, as it has already
<> read the relevant bytes ........
While this seems somewhat plausible I wonder if Intel's chip designers
didn't make the 80x86 processors smart enough to detect memory changes
in the vicinity of the current instruction and reload the pre-fetch
queue in response.
Well, if not then this is a hazard for programs that modify themselves
during runtime.
------------------------------
Date: 31 Aug 92 11:51:37 -0800
>From: "
[email protected]"@BIIVAX.DP.BECKMAN.COM
Subject: Re: What is the best anti-virus program???
[email protected] (Bleys Ahrens) writes:
>All Anti-Virus programs are not created equal.
>Most anti-virus packages on the market today (Norton, Central Point,
>Untouchable, MacAffee) rely on pattern scanning as their primary method
>of detecting a virus. In other words, they have a database of some sort
>containing hundreds of strings or attributes that known viruses produce
>when they infect a computer. This has worked relatively well in the
>past, but unfortunately it is rapidly becoming unpractical. When new
>viruses and strains are identified, the appropriate patterns must be
>added to the databases of pattern scanning programs. This may be done
>with updates to the program on disk, via download or manually typing
>strings into the database.
>The problem is that an average of three new viruses are being created
>everyday. Add to this, the number of new mutating viruses which change
>their appearance and method of operation as they spread and it quickly
>becomes impossible to keep up with the spread of viruses. As more and
>more users become interconnected though networks like the Internet,
>Compuserve, Fidonet, etc. it becomes increasing easy to move a virus
>from one side of the world to the other.
>Another relatively new and dangerous sort of virus is the stealth
>viruses. These viruses intercept calls from anti-virus programs as they
>scan memory and disks. Boot sector stealth viruses generally make a copy
>of the uninfected original areas and direct scanning programs to the
>location of the copy, which appears to be normal. Stealth file viruses
>on the other hand are often able to remove themselves from a file as it
>is being scanned, so that the file appears clean. After the scan is
>complete, the virus in memory then moves its code back into the infected
>files.
>Other recent threats to computer security include the publishing of a book
>that tells how to write viruses and includes source code. (I would
>prefer not to publicize it and intentionally left out the title.)
>Another new threat is the recent posting on various BBSes of a some
>programs that help people write mutating viruses.
>In fairness to the makers of various anti-virus software manufacturers,
>it must be pointed out that most programs on the market include methods
>other than pattern scanning. Most also include TSR's which monitor for
>suspicious disk and memory reads and writes. Some also include various
>CRC checking methods which run some sort of algorithm on each file to
>create a checksum which is then compared each time the file is executed.
>A simple checksum works relatively well if you are absolutely sure that
>your files aren't already infected. The problem is that some viruses
>are smart enough to change the checksum values stored on the disk.
>So what is the optimal solution... Well, I have been evaluating several
>programs lately (Norton Anti-Virus, Central Point Anti-Virus, Fifth
>Generation Untouchable, Certus Novi, Intel LanProtect, Brightworks
>Development Sitelock and MacAffee Scan) and the one that seems have the
>best potential to deal with the possibility of stealth and mutating
>viruses is the relative newcomer, Novi from Certus.
>This product does do some pattern scanning, but that is not the basic
>paradigm used by this product. As I understand from my research, all
>executable files have essentially the same type of header records. This
>contains the basic information about the program and points to the
>beginning of the code to run. What a virus will do is attach to the end
>of the file and change the initial pointer to the start of the virus
>code. At the end of the virus code is a pointer to the start of the
>program code. Thus, the user runs the program, the virus executes and
>most likely places itself into memory and then executes the program.
>Novi works by checking the critical areas of the file (or disk boot records
>for a boot sector scan) to see that everthing is the way it should be. If
>pointers appear invalid or out of place, the product alerts the user to
>a problem and then depending on the user response, can attempt to remove
>the improper pointers and code. By not relying on pattern scanning, the
>program will working with existing viruses as well as new mutations or
>strains. I am still testing with it and others, but my opinion is that
>this program offers the best protection into the future, without the
>need of updates.
>(This program has also rated very, very well in a variety of recent
>magazine article and evaluations. It's file integrity checking is very
>fast and is compatible with the major LAN OSes and with Windows.)
>I suspect this article will provoke quite a few responses, and I hope
>that some of the above anti-virus manufacturers with be available for
>comments. I'm sure the folks from Certus can tell you a great deal more
>about their product and would be more than happy to send you some
>literature. (I'm not here to sell products for them, so I would prefer
>not to answer a zillion questions about exactly how the product works.)
>Bleys Ahrens
>Disclaimer: I am not affiliated in any way with any of the above
>mentioned products and/or companies. I am an IS professional with a
>large international corporation. While the above evaluations occured
>on company time, the opinions and views are strictly my own.
>Comments generally welcomed. Direct flames to /dev/nul...
>--
>
[email protected] (Bleys Ahrens)
>Infoplus BBS, +1 708 537 0247, v32bis. Home of Infoplus.
Comments, anyone?
- --
Arthur L. Rubin:
[email protected] (work) Beckman Instruments/Brea
[email protected] [email protected] [email protected] (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; if you want to be sure I see a
post, mail it.
------------------------------
Date: Tue, 01 Sep 92 12:36:43 -0700
>From:
[email protected]
Subject: On daily scanning (general)
In the ongoing debate concerning scanning versus other types of antiviral
protection, a thought.
Scanning has been denigrated not only for its inability to deal with "new"
viral programs, but also due to time consumption. David Stang, in his
seminars, stresses that a five minute scan every day adds up to a full
20 hours, half a working week, over the course of a year.
However, in doing some work on a fairly average machine this week (386/25,
80 meg HD with 75 meg of files, 350 executable out of 2400 files), I noted
that Thunderbyte Scan took only 22 seconds to scan the entire thing. (I
didn't time any of the others, but none of them took five minutes.)
Not necessarily as *reason* to scan on a daily basis, but less reason *not*
to.
============== ______________________
Vancouver
[email protected] | | /\ | | swiped
Institute for
[email protected] | | __ | | __ | | from
Research into
[email protected] | | \ \ / / | | Mike
User
[email protected] | | /________\ | | Church
Security Canada V7K 2G6 |____|_____][_____|____| @sfu.ca
------------------------------
Date: Wed, 02 Sep 92 19:40:28 +0000
>From:
[email protected] (Robert Slade)
Subject: Bull(____) Virus used for mischief (general)
A report in InformationWeek in the Aug. 24 edition states that someone
called a Toronto TV station and said that he had put a virus into the
Toronto Stock Exchange which would shut it down at 9:30 the next
morning.
(If true, it would have been much more likely to be a trojan rather
than a virus.)
A tech support team spent all night checking the system for "all known
viruses".
(The TSO uses PCs?)
Trading continued the next day without incident.
(I'm rather surprised that I never saw any media reports about this.)
Comment: although we all know that the existence of computer viral
programs is a real and growing problem, it is getting to the point
where false alarms are creating almost as much "damager" as the
"malware" itself. There is still *so* much mythical information out
there, and so little hard data in the hands of the public or the
average user.
==============
Vancouver
[email protected] | "virtual information"
Institute for
[email protected] | - technical description of
Research into
[email protected] | marketing info disguised
User
[email protected] | as technical description
Security Canada V7K 2G6 | - Greg Rose
------------------------------
Date: Mon, 31 Aug 92 22:59:17 -0400
>From: Jon Freivald <
[email protected]>
Subject: Mail-server software updates
The following software has been added to the mail-server at
jaflrn.UUCP. To get UUEncoded copies via E-mail, send a message to
[email protected] containing a line "get dos/virus/filename" for
each of the files you want sent. If you have problems, please send
mail to
[email protected].
New files:
SCAN95B.ZIP 145022 23-Aug-92 McAfee ViruScan V95B
CLEAN95C.ZIP 153633 23-Aug-92 McAfee Clean-Up V95C
VSHLD95C.ZIP 120216 23-Aug-92 McAfee VShield V95C
NETSC95B.ZIP 135263 23-Aug-92 McAfee NetScan V95B
WSCAN95B.ZIP 195605 23-Aug-92 McAfee Windows shell for ViruScan V95B
NETSHLD.ZIP 104838 23-Aug-92 McAfee NLM virus scanner
(The McAfee files above were downloaded from the McAfee BBS by me
personally. The following files were obtained from Compu$erve.)
FPR204.ZIP 267838 26-Aug-92 Fridrick Skulason's F-Prot virus scanner
I-MAST.EXE 282383 26-Aug-92 Integrigy Master 1.23a
=============================================================================
Jon Freivald (
[email protected] )
Nothing is impossible for the man who doesn't have to do it.
=============================================================================
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 146]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
