Date: Thu, 4 Mar 1993 08:15:43 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #39
Status: RO
VIRUS-L Digest Thursday, 4 Mar 1993 Volume 6 : Issue 39
Today's Topics:
Re: Why only PC's?
Laws and Viruses
Re: Why only PCs?
Re: Sale of Viri
Re: Question about Patricia Hoffman and John McAfee
Canada and viruses
Re: Gender switching virus
re: Diana P
wordperfect virus? (PC)
Re: EXE/COM switch (PC)
New disinfector for Slow/Zerotime virus. (PC)
Kudos to McAfee (PC)
Re[2]: Twelve Tricks (PC)
Re: PC Magazine reviews virus scanners (PC)
Central Point Antivirus and Stacker (PC)
Re: EXE/COM switch (PC)
standardization (PC)
scanners. (PC)
Scanning memory (PC)
file name virus? (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk, [email protected]
----------------------------------------------------------------------
Date: Wed, 03 Mar 93 08:33:55 -0500
From: [email protected] (Scott A. McIntyre)
Subject: Re: Why only PC's?
> From: [email protected] (Jason Price)
> I have a question. Why is it that all the virus discussions are about
> PC's and Mac's? There ARE other computers out there. What about NeXt,
> C-64, Amiga's. I never see hardly anything on those types of computers.
> Is it possible those types don't have as many virus problems as PC's?
Computer viruses are by no means limited to PC's, Macs and so on;
indeed, the Internet worm of a few years ago demonstrated that a virus
on highly networked machines can be disastrous.
I don't know if there is an easy answer to why it seems to be the PC's
of the world that are infected; I would hazard a guess that it is a
combination of factors, some technical, some sociological. The writing
of a virus for a particular machine requires technical knowledge of
the software and in some cases hardware operation of that machine.
People who write viruses for computers must have access -- usually at
home, as writing in a public lab could draw attention to oneself.
So, more expensive machines, such as Suns, SGI's, NeXTs and so on are
in a way self-prohibitive against viruses as the average writer will
probably not have one or access to one. Further, if they do have
access, a form of psychological respect for the machine may override
the urge to write a virus (for whatever reason people write viruses).
Another factor is that to a large extent viruses are passed between
machines which are floppy intensive and therefore have an easy weak
point. Machines where the software is either pre-installed,
distributed via a network, CD-ROM and so on may to some degree have
some immunity...
Finally, the software itself which contains viruses is usually fairly
inexpensive; you don't hear too many cases of getting Frame Maker
purchased from Frame with a virus that deleted someone's hard drive,
for example. More expensive software probably has tighter controls
during production, less chance for disgruntled employees to write bad
code, and undergoes lots of quality control after production, to
ensure that the software doesn't contain viruses or other problems.
I'm sure that there is also the technical side of how viruses work --
on a Unix machine, unless a virus is executed as root, then the damage
would be limited most likely to one user's files, and could quickly be
found...processes without owners can be tracked down and so on.
Just my tuppence worth.
Scott
- ---
EMAIL: [email protected] OR [email protected] (NeXTmail)
SNAIL: Pyschment of Departology, University of Durham, Durham, DH1 3LE
"Did you know that the computer invented itself?" - SNL
------------------------------
Date: Wed, 03 Mar 93 09:56:29 -0500
From: [email protected] (A. Padgett Peterson)
Subject: Laws and Viruses
For some time now we have been concerned about a "textbook"
definition of viruses, perhaps it is time to discuss a legal one
(obviously it is difficult to pass a law against something that is
not defined):
From a legal standpoint it might be enough to define a virus
as "a sequence of instructions that intentionally performs an unwanted
and undocumented modification within a computing system for which it is
intended."
Possibly "malicious software" would be a better term but IMHO
the word "computer virus" has passed beyond any hope of control.
"Intentional" removes "bugs" from being classified as a virus
- - after all laws are usually meant to protect the innocent.
The odd phraseology "unwanted and undocumented" is again IMHO
necessary to the definition - first nearly any condition including
intentional destruction may be desirable at some point, second because too
many people accidentally do things that hurt them, usually because they haven't
read the documentation (UNDERSTANDING it is something else, ignorance should
not be protected by law) and there should be a presumption of innocence if
the action is properly documented.
Bugs, on the other hand, are often subjective ("It's not a bug, it's a
feature") but there should be some regulation concerning maximum time between
discovery/notification by the manufacturer and correction/notice to the
registered users. Given the diversity of architectures, it is impossible
for any developer to test on every possible platform capable of running the
code. Something that runs perfectly on every known PC might blow up on
an HP/Apollo with a DOS box. "For which it is intended" covers this
contingency.
Note that the above definition deliberately leaves some things unclear e.g.
unwanted by whom ? I tried to use the minimum number of words to convey a
thought (and am sure that many words will be added in the future).
Finally, keep in mind that the current discussion is limited to *criminal*
actions and not civil (damages) ones. Two entirely different things in the US.
Warmly,
Padgett
Weasel-words: am not now nor have ever been a lawyer, barrister, or solicitor
& drive Pontiacs (plug)
------------------------------
Date: Wed, 03 Mar 93 11:18:46 -0500
From: Olivier MJ Crepin-Leblond <[email protected]>
Subject: Re: Why only PCs?
>Date: Tue, 02 Mar 93 15:38:23 +0000
>From: [email protected] (Jason Price)
>Subject: Why only PCs?
>
>I have a question. Why is it that all the virus discussions are about
>PC's and Mac's? There ARE other computers out there. What about NeXt,
>C-64, Amiga's. I never see hardly anything on those types of computers.
>Is it possible those types don't have as many virus problems as PC's?
Most (not all) of the discussions taking place on virus-l are about PC's
and Mac's because most viruses occur on these two platforms.
Sure, there are viruses on other platforms, but not that widespread,
and there are not that many people reading/writing in virus-l that
have encountered them.
For one, it is harder to write a virus for a workstation (ie: NeXt,
DEC, Sun et al.) because of the privilege levels required for direct
addressing of the memory of those machines, etc. etc.
Secondly, if one looks at the number of computers in use in the world,
I'm quite convinced that PCs are far ahead at the nr.1 spot, Macs in
second place, and then workstations in 3rd place. Amigas, C-64 etc.
are further down the line.
So here it is. If you want to talk about other computers, feel free to
do so. I think that the guidelines of virus-l don't restrict discussion
to any kind of computer.
- --
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
Internet/Bitnet: <[email protected]> - Janet: <[email protected]>
------------------------------
Date: Wed, 03 Mar 93 13:57:45 -0500
From: Doug <[email protected]>
Subject: Re: Sale of Viri
[email protected] (Vesselin Bontchev) says:
> >And, because a virus is able to spread by itself, an incompetent
> >person who -knows- that s/he has virus code could (involuntarily)
> >infect other innocent and incompetent people, who even do not know
> >strict conditions, and to a very restricted set of knowledgeable
> >anti-virus experts is a VERY WRONG THING and must NEVER be done, for
> >whatever purpose. Never.
You are simply mistaken, sir. Distributing virus code to those who want it
is NOT a very wrong thing which should never be done. You are talking about
censorship. Virus code is NOT "taboo" except to a few who believe in their
heads that by preventing it from getting out, they will make the problem
disappear. I learned a LOT about viruses - not from reading comp.virus, or
VSUM, but from actually STUDYING the virus code itself, AND reading the info
available. I used to be paranoid about viruses, simply because I didn't
understand them. I no longer am. Unfortunately, there are many who don't
understand them. If we educate these people, viruses will no longer be the
fearful things they are. You are correct in saying that not everyone is
competent enough to handle viruses. I will not disagree. But there are
PLENTY of people who are MORE than competent enough, but are still "not
allowed" to handle them, because they "could do evil things" with them. You
are telling ME, and the rest of us, that we are not as knowledgeable about
virus code as you are, therefore we may not have it, but you can. I don't
like that. Nor do a lot of others. You may personally censor all the
information you want, but there are plenty of others who are willing to
share. You're fooling yourself if you think keeping the general public
ignorant will help them. That will only help line the pockets of the
anti-virus software publishers. (Which may well be what you're shooting
for) Anyone can get the information they seek through magazines like Crypt,
40-Hex, the Nuke Infojournal, or ARCV newsletters which are published simply
because there are people like you out there. The "censor it and it'll fix
it" attitude is not that of everyone. Thank God there are still those who
believe in TRUE education, and not the idea that "ignorance is bliss".
-- Doug AKA [email protected]
======= WARNING - RADICAL LEFT WINGERS: DO NOT READ BELOW THIS LINE! ========
The opinions expressed above are mine. ALL MINE! AND YOU CAN'T HAVE THEM!!!
The opinions expressed below are (c)1992-93 The Republican Party Ltd.
1) It's a child, not a choice. 2) Clinton won; every American lost.
4) Remove the ban? NOT! 5) Gun control is being able to hit your target.
6) *The rest of this .SIG has been censored by the Clinton Administration
=============================================================================
------------------------------
Date: Wed, 03 Mar 93 21:19:10 +0000
From: [email protected] (Robert Slade)
Subject: Re: Question about Patricia Hoffman and John McAfee
[email protected] (Vesselin Bontchev) writes:
> [email protected] (007) writes:
>
>> VSUM is a potentially very useful product. How many times on this
>> list alone have we seen people asking "I've got XXXX virus, what does
>> it do??" My only beef with VSUM is that the information is SO
>> inaccurate. The VSUM hypertext interface is extremely easy to use, if
>There are two other alternatives. First, we are working on a browsing
>program for the Computer Virus Catalog (of which MSDOSVIR is only a
>The second alternative is produced by ICSA and is called V-Base. A
Just to add to the list, there is now a product called VID (Virus
Information Database, I think), produced by an outfit called "Cairo
Research". It is not available at any ftp site that I am aware of,
and I have no idea how good it is, not having seen a copy.
(PS - Greetings from the "Delegate Dial-Home" booth at DECUS Symposium
in Montreal.)
------------------------------
Date: Wed, 03 Mar 93 18:54:47 -0500
From: Donald G Peters <[email protected]>
Subject: Canada and viruses
A friend of mine at the RCMP said that if it can be proven that you
intended to cause harm by posting a virus, they could get you on a
"misdemeanor" charge. However, "law enforcement is driven by
economics", so you don't have to worry about your life unless you do
something big.
Sorry I haven't been able to reply about the EXE/COM thing yet. I
have been unable to login much this week because I am calling long
distance right now.
------------------------------
Date: Thu, 04 Mar 93 00:53:08 +0000
From: [email protected] (Ryan Kolter)
Subject: Re: Gender switching virus
Colin Eric Johnson ([email protected]) writes:
:
: I have just heard (through the grapevine here) of a virus that
: will scan through text documents and replace any gender specific nouns
: and pronouns with their gender-opposites (he -> she).
:
: Is this in fact a virus? And does it exist?
I'm not by any close means a "strong" programmer (as of yet), but
programming such a thing would seem easy enough, considering what
viruses already can do, editing a text file would seem like
child's play. Further, if I -had- to be infected by a virus, this
would certainly be one of the more preferential ones. ;)
- --Hills
------------------------------
Date: Wed, 03 Mar 93 19:57:49 -0500
From: "Paul D. Bradshaw" <[email protected]>
Subject: re: Diana P
With regards to Diana Princess of Wales's last name, it would be
Spence (her maiden) or Windsor (Charles's last name).
This Diana P being the Princess of Wales sounds like a real
long shot to me too.
- -------------------------------------------------------------------------
Paul D. Bradshaw Computing and Communications Services
[email protected] University of Guelph,
[email protected] Guelph, Ontario, Canada
- -------------------------------------------------------------------------
------------------------------
Date: Wed, 03 Mar 93 09:31:51 -0500
From: "Gerry Santoro - CAC/PSU 814-863-7896" <[email protected]>
Subject: wordperfect virus? (PC)
After scanning the past year's worth of VIRUS-L offerings I've seen
this question asked before, but with no reply. Since it has now hit
at my institution I will ask it again in the hopes that someone knows
what is happening.
A number of our lab machines are exhibiting very strange WordPerfect
behavior. For example, very small user documents are growing to
extremely large size, until they fill up available disk space. Scans
with F-PROT do not identify any known virus.
Can anyone clue me into what is happening? In all cases the version
of WP5.1 is being run from a read-only volume of a Banyan network
server.
Any info would be greatly appreciated!
gerry santoro ([email protected]) |
academic computing/speech communication -(*)-
penn state university ..... | .....
------------------------------
Date: Wed, 03 Mar 93 10:50:08 -0500
From: [email protected] (A. Padgett Peterson)
Subject: Re: EXE/COM switch (PC)
>From: [email protected] (Chris Antkow)
> The fact of the matter is, that any resident virus that monitors
>function 4Bh, subfunction 00h (Int 21h) WILL be able to infect a file,
>even if the extention has been renamed... (Provided the virus is written
>"correctly"... Gack).
A good comment though perhaps incomprehensible to some readers. A computer
really does not care very much what it will run so long as it is presented
properly to it (will now talk about PCs specifically since that is the current
topic but applies to most architectures, EXEC is taken from UNIX).
It has been correctly stated that .COM .EXE and .BAT are identifiers used by
COMMAND.COM and not DOS or the BIOS other than COMMAND.COM being a default
called by MSDOS.SYS (IBMDOS.COM for PC-DOS). Also, if C.C is altered
using DEBUG or some other editor, COMMAND.COM will very happily use those
extensions instead. Further, most GUIs add additional extensions/formats
that may be executed.
Next, when given a program name that matches one of the three allowable
extensions, COMMAND.COM will load that program and attempt to execute it
even if it is a LOTUS worksheet.
> Whenever a file is executed, it is immediately passed to AX,4B00h/INT
>21h. The rest is at the mercy of the viral code... If the file can't be
>executed, then it's never passed to AX,4B00h/INT 21h...
> (Someone correct me if I'm wrong...)
Well, real close 8*) actually when the EXEC interrupt (nickname) occurs,
various parameters and tables are set up for the program, the program is
loaded into memory, certain values are saved and flags set, and control
is transferred to the program. Any program can use this call to load a
program just as COMMAND.COM does or can duplicate the functions (not
easy but can be done, do not forget that *everything* DOS does can be
duplicated using only BIOS interrupts).
Certainly any virus that intercepts the EXEC call will have access to any
program executed regardless of extension; however, a properly written
Integrity Management routine will have trapped it first and can detect any
attempt to take it away. For every attack there is a defense. I have been
using one for several years now and the nice thing is that the only updates
needed have been to reduce the TSR size.
The problem is that we are still dealing with first generation constructs:
For example - a) IM program can take control of EXEC.
              b) Virus can take control also
              c) IM program can detect removal of control
              d) Legitimate programs may also take control & be blocked by IM
(c) is a second generation response and (d) is a problem that occurs because
of that response so we need (e) Table of permitted programs & (f)
following permitted program, IM moves self to end of chain again and
continues watching for (b).
Now this leads to (g) Virus removes IM program which requires (h) IM validation
routine (continue iterating ad nauseam). It is now nearly ten years PC (Post
Cohen) and most a-v programs are still working at the (a)(b) level.
Fortunately, most viruses are also, but the keyword is "most" - not all.
Just as a final thought, consider the following: the problem with converting
EXE, COM, & BAT in COMMAND.COM is the fact that EXEC receives the actual
& complete file name so it can retrieve it from the disk. As a result a virus
intercepting Int 21 Fn 4B can locate & infect the file whatever the extension.
However, what if the name passed by COMMAND.COM was *not* necessarily the
executable filename ? What would be necessary for the PC to operate properly ?
The exercise is left to the students 8*)
Warmly,
Padgett
ps my picture was not in the Lefkonference brochure but I am planning to
be there. Try the bar first.
------------------------------
Date: Wed, 03 Mar 93 12:55:04 -0500
From: "Mario Rodriguez (virus researcher)" <[email protected]>
Subject: New disinfector for Slow/Zerotime virus. (PC)
Hello, I'm a virus researcher from Mexico. I made a disinfector for the Slow/Zerotime
virus. This virus seems to have struck in Australia. The disinfector is named
NOSLOW v1.0 and is available to anyone who asks for it via direct mail.
I uploaded it to garbo.uwasa.fi but I think it would take too much time to become
available there. I also sent it to some of the main researchers, so it's
possible that soon their vaccines will detect and remove the virus too.
Unfortunately, NOSLOW only removes the virus from .COM files. .EXE files are
renamed to .VIR.
Regards Mario Rodriguez
Instituto de Estudios Superiores
de Monterrey. Campus Estado de Mexico
em436861 at itesmvf1.cem.itesm.mx
em436861 at rsserv.cem.itesm.mx
------------------------------
Date: 03 Mar 93 12:35:31 -0600
From: [email protected]
Subject: Kudos to McAfee (PC)
I would just like to congratulate McAfee. From what I have gotten in the past
to what I downloaded Mar. 2 (V102), I have seen a great improvement and
turnaround. Many thanks. Bauman.MSU.Mankato State
------------------------------
Date: Wed, 03 Mar 93 17:58:00 -0500
From: Jimmy Kuo <[email protected]>
Subject: Re[2]: Twelve Tricks (PC)
Vesselin writes:
> [email protected] writes:
>> Norton anti-virus detected Twelve-Tricks virus on one of our PCs but
>> f-prot 2.06a reported the PC as clean. Is this virus one that the
>> current f-prot misses or have we found a NAV false +ve?
>NAV is definitively wrong. Twelve Tricks is a trojan, not a virus, and
>it does not spread. It is very unlikely that it is on your computer.
>On the other side, F-Prot 2.06a -does- detect this trojan (and
>properly reports it as trojan).
In this case, the person reporting the incident made an incorrect
translation of what was presented on the screen, prompting your
accusation that NAV was wrong. NAV's message in this case would have
been:
FILENAME.COM contains a strain of 12 Tricks Trojan
>There is one remote possibility that there is -something- on your
>computer that just happens to contain the scan string for Twelve
>Tricks that NAV uses. Where is the "virus" find? In a file? In many
>files? In the MBR? Are you using the latest version of NAV? Have you
>contacted your local tech support for NAV?
In this case, there is a CRC at a specific point into a file. Please
send us the file and we will gladly determine if it is in fact a copy
of 12 Tricks Trojan or if it is a false id. If it is a false id, we
will fix the definition.
NAV contains a memory def, an MBR check and repair (should you have been
afflicted), and checks COM files for "12 Tricks Trojan". And as always,
you may choose to delete the def from your set if you so choose. But
easiest is to send it to me and I'll tell you.
But this situation does punctuate why I am considering removing Trojans
as a class from our def set.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Wed, 03 Mar 93 21:28:58 -0500
From: Jimmy Kuo <[email protected]>
Subject: Re: PC Magazine reviews virus scanners (PC)
First, I'd like to state that I am an employee of Symantec in the
NAV group. That out of the way...
There's a fundamental wrong in your (plural) interpretation of the
PC Magazine review. The fundamental problem is that the article
reviewed "Antivirus Software" and the subject line above says "virus
scanners."
Vesselin wrote, re: scanners, in digest #22:
>... scanners are -useful- and should be used as a
>first line of defense. (Up-to-date scanners, of course; an old scanner
>is worse than no scanner at all, because it gives you a false sense of
>security...) However, no defense should rely on scanners -alone-,
>because they are a -weak- defense. You must use a layered approach,
>with several protection levels, like integrity checking software, some
>kind of access control, and, of course, backup.
Chris Wong states:
>4. Review emphasized completeness of package: disinfection,
> comprehensiveness of service etc, not detection ability.
Although winning the award was a nice morale booster, the last paragraph
of our review was far better. The paragraph starts:
(PC Magazine, March 16, 1993, p240)
Symantec recently acquired Certus International, which makes
NOVI, and expects ...
Hopefully, in this light, you will go back and re-read the article
with understanding instead of disbelief.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Sun, 28 Feb 93 11:36:00 +0100
From: [email protected] (Amir Netiv)
Subject: Central Point Antivirus and Stacker (PC)
Hi.
You write:
> I use stacker, and recently have begun Internet, etc.
more...
> Are Central Point Antivirus and Stacker compatible?
Well: I truly recommend NOT optimizing your disk too frequently, and
making frequent backups of ALL the DATA on your disk BEFORE using the
TSR parts of that Anti Virus. Remember that Stacker (or any other
disk doubler) uses the DOS environment to do whatever it is doing,
and so do Anti Virus TSRs (especially those that use a lot of interrupt
monitoring). A conflict might be fatal (generally speaking).
The best answer to your question is: Try !
But be prepared.
Regards.
* Amir Netiv. V-CARE Anti Virus, head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Sun, 28 Feb 93 12:36:00 +0100
From: [email protected] (Amir Netiv)
Subject: Re: EXE/COM switch (PC)
[email protected] (Donald G Peters) writes:
> Viruses which infect files often *look* for the
> extensions EXE and COM.
Well, that is not always true, nor is it true in most cases, but more like:
viruses look for executable files.
> you should rename your EXE files as XXX so that a virus
> will not find it and it will remain safe from infection.
Generally you are right. In this case most common viruses will not infect such
a file, but neither will it run as you yourself mention.
> From what I have read, many viruses are *either* EXE or COM
> infectors, but not both.
Not likely. Unfortunately the viruses that you refer to are ancient history
or do not pose a threat any more. Many of the modern viruses infect both.
> The trouble with the XXX idea above is that the
> programs cannot be found and cannot be run with such a name.
Right.
> rename all your EXE files as COM and rename all your
> COM files as EXE. Believe it or not, DOS is still able
> to run your programs after you make this switch. DOS does
> not rely on the extension to determine if the program is
> relocatable (a la EXE) or not (a la COM), rather it looks
> for the file signature ("MZ",
Definitely true. DOS will not be fooled by the trick, but neither will most of
the viruses, since most of the EXE infectors will check the MZ header as will
DOS, since this is a way to determine a type of infection by viruses that get
their information from the DOS OPEN FILE function, using the FCB to retrieve
information, or by other means.
BTW: Check the header of 4DOS.COM... you will be surprised.
> perhaps a simple modification to the boot sector may
> make this possible.
The BOOT sector does not have any implications on the working environment, but
only on DOS loading at startup, and on determining how to read from a floppy
or disk each time it is replaced (using the BPB of the boot sector).
> A handful of programs may not run with the EXE/COM
> switch, and some programs may require "reconfiguration"
> especially if they are looking for programs of a given name,
> although some of them allow you to change the name to search
> for.
You really thought of everything...
Many programs look for a file with a certain name, and this will cause
problems.
> In the future, viruses WILL be able to defeat this
> approach,
Even today.
> Remember where you heard this from!
> (because I always wanted to be famous as a kid...)
Good of you to invest the time in solving one of the biggest problems of our
time. Keep up the good work.
Just to summarize: The method that you mentioned is in use already today in
several virus traps that anti viruses use. But these work with certain viruses
(not all), and are used usually to detect that the virus is active. None of it
will give a sufficient solution to the problem, neither will the methods of
changing the attribute of command.com to Hidden System ReadOnly, or others.
Viruses are still a problem, and will continue to be so for yet some time.
Regards
* Amir Netiv. V-CARE Anti Virus, head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Sun, 28 Feb 93 13:08:00 +0100
From: [email protected] (Amir Netiv)
Subject: standardization (PC)
[email protected] (Vesselin Bontchev) writes:
> First, somebody has to come up with a good naming
> scheme. But what is a "good" naming scheme? For instance, for me, a good
> naming scheme is a scheme that allows two people to understand each
> other that they are talking about a particular virus variant. That is,
> when I'm saying Jerusalem.AntiCAD.4096.Mozart, Frisk knows what I
> mean.
I would differentiate the interests of virus researchers from those of
the common user. You would very much like to have a scanner that
supplies the NAME, the full CHAIN of parental viruses and sub-viruses
etc... while the common user's only wish would be to know what disease
he has, and get cured! Suppose you tell a user: "You have the
Parkinson.AtzeliCholine.Flue disease" (not that such exists), what do
you think his/her reaction will be? I suggest that an ambulance be
on standby when breaking the news to such a patient.
> But the producer of product XYZ does not like it, because it
> takes too much memory in its resident scanner to keep such long
> names. Anyway,
What is the purpose of telling the virus name in a TSR. Is it not
enough to tell the user "You've got a problem, Check it !" ?
> (CARO) have come up with such a naming scheme and now
> we are waiting the other anti-virus producers to use it. The latest
> status of the proposal is available for anonymous ftp from our site:
It's great for research purposes, but not for common users, which are the
majority that suffers from the problem.
> The second problem is that different producers of
> virus scanners use different approaches to scan for viruses.
......
> the scanner ZYX, who calls all the 200 Jerusalem subvariants
> "Jerusalem-B". So, obviously, he is not likely to adopt this naming
> scheme.
Do you think it's a wise idea to give each variant of Jerusalem (from
the example that you used) a name of its own? Do you know how many variants of
the virus exist that you don't even know about? Does it cause any problem in
cleaning these viruses from an infected site even if their name is simply
"Jerusalem-B"?
> Third, even if two producers of scanners agree to use
> one and the same names, it is very difficult to keep their products
> synchronized. For instance, both F-Prot and FindVirus are using the CARO
> naming scheme (although they use a different notation), and they -
> tend- to use the same names for the viruses, and both Frisk and Dr.
> Solomon are getting the new viruses practically at one and the same time,
> yet if you look at that "naming" file mentioned above, you'll see how
> different the names used by their programs still are... The anti-
> virus researchers are really overloaded with new viruses popping up
> literally every day, and they have more important things to do than to sit
> and ponder whether to call the yet another silly overwriting
> Burger variant Burger.V or Burger.Y. (Yet, they are doing this
> too...) The problem increases in difficulty in an exponential rate, if
> more than two scanners have to be synchronized...
It is our responsibility (SCANNERs developers) to make sure that a virus is
cleaned or detected. No matter if you call it "Poteto" and we call it "Potato"
(phonetically expressed) as long as the cleaning procedure is working well.
I think there is already a naming scheme present.
It goes like this:
McAfee gets a virus, releases the next VIRLIST.TXT, and
everyone just uses it. If a new virus appears that is not
there, a name is given to it according to its behaviour,
and so on...
Regards
* Amir Netiv. V-CARE Anti Virus, head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Sun, 28 Feb 93 11:50:00 +0100
From: [email protected] (Inbar Raz)
Subject: scanners. (PC)
Amir Netiv writes:
> You write:
Just a side notice - when this goes to the virus-l, people don't know who you
wrote the message to. In VirNEt, it's to Inbar Raz, but all they see is a post
by Amir.Netiv@<virnetnode>, to All. 'You write' is not very clear, I hope you
agree...
> That is not entirely correct. There are other ways to detect new
> viruses, these are what we call generic programs. However you are right
> in the manner that PASSIVE scanning will detect only known viruses, or
> possibly new ones with heuristic scanners only.
I was categorizing scanners. About defending against NEW viruses, there are a
lot of ways. For example, a protective shield that is mounted on a file. True,
it's effective only against the normal end-of-file-leeching viruses, but still,
a lot of them DO work like that, including the new ones.
Making CRC checks from a BOOTING FLOPPY will also catch ANY virus, provided it
hasn't infected your floppy yet. BRM's V-Analyst, I believe, also gives you
some means of protection by storing vital information about the file in its
database - just like the shield, but an external program.
> Yet there are programs that detects new viruses while attempting to
> execute (such is IRIS's TSR module, and some optional McAfee's VSHIELD
> functions, and there are others...) Our software for example, will
> detect new viruses, and even eliminate them while they are completelly
> unknown to the program.
The problem with TSRs is that, as simple as they are to INSTALL resident, they
are also easy to remove from memory.
The moment a virus writer acquires your module, he can write a relatively
small piece of code that will unload your TSR, without it knowing about it.
A friend of mine once wrote an 80-byte routine to unload Carmel's TSafe. I
believe that after a little research, I could unload almost anything.
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
[email protected]
- ---
* Origin: Inbar's. (9:9721/210)
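The "CRC checks from a BOOTING FLOPPY" defence in the post above, as an added example that is not part of the original post or of any product it names: a baseline-and-verify integrity checker in Python. It records size, CRC32 and SHA-256 for every executable while the tree is known clean, stores the baseline (in real use, on the write-protected boot floppy), and later reports anything modified, missing or added. The extension list, the file contents and the appended "virus body" are constructed for the demonstration. The SHA-256 column is an addition the 1993 posts do not mention; CRC32 is not collision-resistant, so an infector can pad a file until the CRC matches its old value, while a cryptographic hash cannot be fixed up that way.

```python
"""Baseline-and-verify integrity checker in the spirit of "CRC checks from a
booting floppy": fingerprint every executable while the system is known clean,
keep the baseline on trusted media, compare later.  Example code added for
this digest; not from any poster or product named in it."""
import hashlib
import json
import os
import tempfile
import zlib

# DOS-era executable extensions to fingerprint (assumption for the example)
EXECUTABLE_EXTS = {".com", ".exe", ".sys", ".ovl"}


def fingerprint(path):
    """Size, CRC32 and SHA-256 of one file, read in chunks."""
    size, crc, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"size": size, "crc32": crc & 0xFFFFFFFF, "sha256": sha.hexdigest()}


def baseline(root):
    """Fingerprint every executable under root, keyed by forward-slash relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                db[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return db


def verify(root, db):
    """Compare the tree with a stored baseline.
    Returns {relpath: "modified" | "missing" | "added"}; unchanged files are omitted.
    Any differing field counts: an appending infector changes size, CRC and hash;
    one that pads to restore the CRC32 still changes the SHA-256."""
    current = baseline(root)
    report = {}
    for rel, old in db.items():
        new = current.get(rel)
        if new is None:
            report[rel] = "missing"
        elif new != old:
            report[rel] = "modified"
    for rel in current.keys() - db.keys():
        report[rel] = "added"
    return report


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def run_demo():
    """Constructed scenario: clean tree, baseline, then an appending 'infection'
    and a dropped file.  Returns the verify() report."""
    with tempfile.TemporaryDirectory(prefix="ivcheck_") as root:
        prog = os.path.join(root, "PROG.COM")
        with open(prog, "wb") as f:
            f.write(b"\xb4\x4c\xcd\x21")          # mov ah,4Ch / int 21h: plain exit stub
        with open(os.path.join(root, "README.TXT"), "wb") as f:
            f.write(b"not an executable\r\n")   # ignored by the checker
        db_path = os.path.join(root, "BASELINE.JSN")  # real use: on the boot floppy
        save_baseline(baseline(root), db_path)

        # End-of-file appender: original bytes untouched, constructed body glued on
        with open(prog, "ab") as f:
            f.write(b"\xe9\x00\x00" + b"V" * 64)
        with open(os.path.join(root, "DROPPED.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 30)
        return verify(root, load_baseline(db_path))


if __name__ == "__main__":
    for rel, status in sorted(run_demo().items()):
        print(f"{status:8s} {rel}")
```

The check is only as good as the medium the baseline and the checker live on, which is the post's own proviso: run it from a clean, write-protected boot disk, or a resident stealth virus can feed the checker the original file contents.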
------------------------------
Date: Sun, 28 Feb 93 12:28:00 +0100
From: [email protected] (Inbar Raz)
Subject: Scanning memory (PC)
ac999512 writes:
> I agree that scanners shouldn't scream and yell when they detect a
> virus floating in RAM that isn't active. Yet on the other hand,
> nothing should be taken for granted as to where a virus is, as stated
> above.
And how, exactly, are you supposed to determine whether the virus is active or
not? I mean, it's not only HOW each software detects it (what search string),
but what it does to deactivate it. Now, unless all anti-virus software
disables viruses with the same method, you can't know whether a virus is active
or not, UNLESS you know EXACTLY how the entire virus code is supposed to look,
and you look for exceptions.
When a program detects a virus, not only should it wipe the search string it
was looking for from the virus code, it should also erase any other
unnecessary information.
> I think it best that scanners should check interrupt vectors and so
> forth to determine if the virus is active, then inform the user as to
> the presence of the virus, and whether or not it is active.
> Flexibility is the best policy.
Viruses as early as the 4096 would beat this technique. I think that most of
the stealths would, too.
And, if you're running QEMM, and someone got smart enough and used the IDT,
you're lost.
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
[email protected]
- ---
* Origin: Inbar's. (9:9721/210)
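The "check interrupt vectors" heuristic that the quoted poster proposes and Inbar argues against, as an added example that is not part of the original posts: a Python routine that scans a dump of real-mode memory for a search string, parses the interrupt vector table at linear address 0, and calls a hit "active" only if a watched vector (INT 13h or INT 21h here) points into the suspected body. The 1 MiB memory image, the six-byte signature, the body size and the 9F00:0000 load address are all constructed for the demonstration; the signature is not a real virus scan string. The code also shows the point Inbar makes: a copy of the same bytes left inert in a buffer looks identical to the scanner, and a virus that hooks by another route (tunnelling past the IVT entry, or the IDT under a V86 memory manager such as QEMM) is reported as inert, so the vector check is a hint rather than a verdict.

```python
"""Interrupt-vector check for a memory scan: given a signature hit in a dump of
conventional memory, decide whether a hooked interrupt points into that code
("active") or whether the bytes are an inert copy, e.g. left in a disk buffer by
an earlier read of an infected file.  Example code added for this digest, with a
constructed memory image and a constructed signature; not a real virus signature
and not from any product named in the posts."""
import struct

MEM_SIZE = 0x100000                        # 1 MiB real-mode address space
BODY_LEN = 0x200                           # assumed size of the resident body
SIGNATURE = b"\x3d\x00\x4b\x74\x05\xea"    # constructed scan string (cmp ax,4B00h / je / jmp far)
WATCHED = (0x13, 0x21)                     # disk BIOS and DOS services, the usual hook points


def parse_ivt(mem):
    """Real-mode IVT at linear 0: 256 entries of little-endian offset, then segment."""
    vectors = []
    for n in range(256):
        off, seg = struct.unpack_from("<HH", mem, n * 4)
        vectors.append((seg, off))
    return vectors


def linear(seg, off):
    """segment:offset to a 20-bit linear address (wraps like an 8086 without A20)."""
    return ((seg << 4) + off) & 0xFFFFF


def find_signature(mem, sig):
    """All linear addresses where sig occurs.  From this alone a scanner cannot
    tell which copy, if any, is the one that is running."""
    hits, start = [], 0
    while (i := mem.find(sig, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def classify_hits(mem, sig=SIGNATURE, body_len=BODY_LEN, watched=WATCHED):
    """Map each hit to ("active", [hooked ints]) if a watched vector points into
    [hit, hit + body_len), else ("inert", []).  A virus that hooks through another
    route (tunnelling, or the IDT under a V86 memory manager) shows up as inert."""
    ivt = parse_ivt(mem)
    result = {}
    for hit in find_signature(mem, sig):
        hooked = [n for n in watched if hit <= linear(*ivt[n]) < hit + body_len]
        result[hit] = ("active", hooked) if hooked else ("inert", [])
    return result


def build_image():
    """Constructed 1 MiB dump: resident body at 9F00:0000 with INT 21h hooked into
    it, INT 13h still pointing at the BIOS, and an inert copy of the signature in
    a buffer at 3000:0000 that nothing points to."""
    mem = bytearray(MEM_SIZE)
    body = linear(0x9F00, 0x0000)
    mem[body:body + len(SIGNATURE)] = SIGNATURE
    mem[body + 0x40:body + 0x42] = b"\x9c\xfa"                # pushf / cli: hook handler start
    struct.pack_into("<HH", mem, 0x21 * 4, 0x0040, 0x9F00)    # INT 21h -> 9F00:0040 (inside body)
    struct.pack_into("<HH", mem, 0x13 * 4, 0xE3FE, 0xF000)    # INT 13h -> F000:E3FE (BIOS entry)
    stale = linear(0x3000, 0x0000)
    mem[stale:stale + len(SIGNATURE)] = SIGNATURE             # leftover copy in a buffer
    return mem


if __name__ == "__main__":
    for addr, (state, ints) in sorted(classify_hits(build_image()).items()):
        via = f" via INT {','.join(f'{n:02X}h' for n in ints)}" if ints else ""
        print(f"{addr:05X}: {state}{via}")
```

Run stand-alone it reports 30000 as inert and 9F000 as active via INT 21h. Extending the watched set to every vector whose target lies outside DOS and the BIOS ranges would catch more hook points, but still not a virus that leaves the IVT entries alone.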
------------------------------
Date: Sun, 28 Feb 93 11:48:00 +0100
From: [email protected] (Amir Netiv)
Subject: file name virus? (PC)
Scott Hayes [email protected] (UMR Usenet News Post) writes:
> now when it attempts to create a file it says "ERROR,
> CAN'T CREATE bMYFILE.BAT" where the "b" is a beta (ASCII 225
> in the English version of the extended character set).
Well, it looks like your program was corrupted, but this can be checked by using
a copy of the suspected program from an old backup.
Another possibility might be that something that was copied from the guy's
friend has created the problem, but it could be something simple like: the
"copy" has overwritten autoexec.bat or config.sys and loaded a program that
causes the problem, or caused a program that your program requires to be
unloaded (a driver maybe? or a change to FILES=XXX in config.sys?).
Fortunately most problems are not so glorious (regarding the virus's point of
view).
Regards
* Amir Netiv. V-CARE Anti Virus, Head team. *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 39]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253