VIRUS-L Digest   Monday, 22 Jul 1991    Volume 4 : Issue 128

Today's Topics:

Re: multi-compression
re: virus for sale
SCAN Prices? (PC)
Inaccuracies in Press
Philosophy, comments & Re: long and technical (PC)
Partition Table Query (PC) (was Re: long and technical )
Help! I'm STONED (PC)
F-PROT configuration question (PC)
SECURE.COM (PC)
Norton AntiVirus question (PC)
re: multiple compressions
Questions - list of viruses, writing a scanner
DOS virus attack (PC)
The smiling face (PC)
Re: Inaccuracies in Press on Viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: 17 Jul 91 20:40:03 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: multi-compression

Eric_Florack.Wbst311@xerox.com writes:

>Let's say I have an EXE that I've run through LZEXE. PKLITE, regardless of
>version will do a test on the file to see if the file is smaller after the
>compression is added. Since the file's already compressed, PK won't make the
>file any smaller, and will crash off, and inform the user that it can't
>compress the file.... leaving the file untouched.

Ah, but what if you first use a compression program which is not as good
as LZEXE or PKLITE. Try for example to compress a program with EXEPACK -
PKLITE is often able to compress them still further...
-frisk

------------------------------

Date: Wed, 17 Jul 91 23:50:00 +0000
From: William Hugh Murray <0003158580@mcimail.com>
Subject: re: virus for sale

> Granted, that to me sounds like the Hi-Tech version of selling
>anthrax... On the other hand, there are some people in the world who
>are interested in how a virus works. (Myself included.) Yes, this is
>not such a good idea to sell a virus, but I would rather have one
>arrive in the mail when I'm waiting for it, rather than let it sneak
>up on me some night when I'm downloading...

I am a little disappointed at such a narrow and egocentric view. The
offering of the virus for sale increases, rather than decreases, the
possibility that one will "sneak up on you some night." Getting one in
the mail when you expect it does not reduce, but increases, the chance
that you will get one when you do not expect it. You reason like the
man who, when told the chances of two bombs on a plane were vanishingly
small, decided to always carry his own.

Seeing the content of Jerusalem-B will tell you nothing that is not
already public. There are no clever secrets in Jerusalem-B, and nothing
that you can learn about it from having your own copy that will reduce
your vulnerability to it. The ability to satisfy your morbid curiosity,
at the expense of giving it a boost which it does not need, seems to me
a very bad trade indeed.

Your vulnerability is related to the total number of copies in the
world; someone offering it for sale can only influence that in one
direction. What makes you think that all of the purchasers will treat
it with the respect with which such a dangerous artifact should be
treated?

One way to view the ethics of something that you would like to do is to
ask yourself how you would be affected if everyone else did it too.

William Hugh Murray                     203-966-4769
Information System Security             203-326-1833 (CELLULAR)
Consultant to Deloitte & Touche         203-761-3088
Wilton, Connecticut                     email: 315-8580@MCIMAIL.COM
                                        WHMurray@DOCKMASTER.NCSC.MIL
MCI-Mail: 315-8580                      TELEX: 6503158580
FAX: 203-966-8612                       Compu-Serve: 75126,1722
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A

------------------------------

Date: Thu, 18 Jul 91 02:09:18 -0400
From: dkarnes@world.std.com (Daniel J Karnes)
Subject: SCAN Prices? (PC)

>>Date: Tue, 16 Jul 91 16:25:36 +0000
>>From: mcafee@netcom.com (McAfee Associates)
>>
>>Pricing depends on many factors such as the type of usage, number of
>>machines, which programs, type of upgrades, and so forth. This makes
>>it difficult to give you a simple response.

RG>Why is it so bloody hard to get a friggin' price out of you guys, eh?
RG>Do you have a price list? If so, publish it?

Hi Ross..

Last time I looked, the prices were very clearly listed in the .DOC
files for SCAN and the other utilities... Says right there what it
costs. Also says that if you need any other information or a quote for
a site license to give 'em a call too. I assume that your talents
include being able to read.

SPEAKING of being hard to get an answer from... I tried many times over
a period of two years to get information or even an answer from you on
your bbs and also a time or two via telephone, and finally just gave
up. What gives?

-djk

*********************************************************************
Daniel J. Karnes - An entity of one.      * Ring MY chime sometime guy!
dkarnes@world.std.com / WA6NDT / POB 7007 Nashua, NH USA 03060-7007
*********************************************************************

------------------------------

Date: Thu, 18 Jul 91 09:03:15 -0400
From: Helena M Vonville
Subject: Inaccuracies in Press

Robert McClennon wrote on the Washington Post article which discussed
the possibility of a virus in the telephone software.
He was disturbed (and rightly so) that the press does not use the
jargon correctly when describing such problems. Fortunately (or maybe
not so fortunately since we are dealing with a certain amount of
potential incompetence) the problem was not virus, trojan, or worm
related. It was just bad programming. The story was updated on NPR
late last week, I believe.

Helena VonVille
Ohio State University

------------------------------

Date: Thu, 18 Jul 91 10:13:26 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Philosophy, comments & Re: long and technical (PC)

First, the number of column inches devoted to one vendor yammering
about another's failure to publish (in Virus-L !) a price list is
getting out of hand. This kind of diatribe serves no constructive
purpose in this forum.

In the same vein, I have learned that to a journalist, credibility is
everything & once lost is very difficult to regain. Quoting recognized
experts out of context and distorting papers to fit maligning prose is
a quick way to ruin credibility so that even valuable contributions are
distrusted.

Combining the two paragraphs above, I have decided that any response to
such merely allows opportunity for more yammering or yet another
distorted response & thus personally decline to do so. "Once bitten" &
all that.

Back to the main subject, the responses and suggestions seen so far to
the question of authentication of a system (e.g. how do you tell if an
"extra added attraction" is present) again seem to be missing a point
settled some time ago:

The simplest answer to the dilemma is to separate into two tasks:

1) Determine the BIOS entry points for interrupts needed to
   authenticate the system.

2) Authenticate the system.

The easiest way to do this is to accomplish (1) during the BIOS load
before DOS (or any other O/S) has had a chance to muddy the waters.
Since at BIOS time, a PC is a fully functioning computer, it is
possible to retrieve the pointers to essential elements (Interrupts
0-1Fh) and store these values in an accessible location, possibly
encrypted.

Since these vectors (keyboard, local storage, monitor) are still usable
even after loading of the O/S, programs can be run at any time that use
only these known clean accesses. Such programs can be effective even in
an infected single-tasking machine. These access values may be stored
either on-line, at the server level, or off-line on floppy disks. If
necessary, the entire subroutine for such access to the INs & OUTs
level could be maintained separately so that use of
potentially-corrupted interrupts would never be necessary.

Given clean and authenticatable peripheral paths, integrity programs
and scanners can be run at any later time with the ability to bypass
possibly untrustable elements thus rendering all currently known
stealth techniques useless. The authentication task may then be
invoked at any time before or after the loading of the O/S with
expectation of valid results being obtained.

It is interesting to note that such a methodology would remove the
necessity for memory scans that have caused so much trouble lately
since no resident routines would be necessary for execution.

                                        Padgett

"All is simple. If it looks complex, it has not been properly broken down."

------------------------------

Date: Thu, 18 Jul 91 18:26:00 +0000
From: glratt@is.rice.edu (Glenn Forbes Larratt)
Subject: Partition Table Query (PC) (was Re: long and technical )

glratt@is.rice.edu (I) wrote:

>Every Saturday, the operations staff here take the time to boot each
>machine in the lab from a specially-prepared "wiper" diskette. The
>diskette is programmed (via autoexec.bat and some special widgets
>written in-house) to format all logical hard disks in the machine,
>rebuild DOS, and reinstall the necessary drivers to connect to the
>network.
...
>we are currently working on one of our widgets so that it can
>automatically rebuild and overwrite the partition table for a complete
>"wipe".

In the course of putting the partition table aspect of this together,
I've come across some questions which I need to answer before I can go
further:

1) I am implementing the partition table rebuild code as a device
   driver to be launched from a cold boot from a floppy. However, the
   partition table has to have been already read for DOS to be setting
   up drive letters internally (I assume, with all that implies :-).
   Is there a chance of having a partition table virus already in
   memory from that process?

2) Is it absolutely necessary to reboot to rebuild the DOS drive
   designations after making changes to the partition table?

3) If the answer to 2) is yes, I am considering ways of preventing any
   unnecessary monkeying with the partition table. Is a byte-by-byte
   compare of the partition table bootstrap code with a known good copy
   an effective means of doing this?

I thank you all in advance for any assistance.

--
===/| Glenn Forbes Larratt           | CRC OCIS        | "So, what do we need?" |/
==/| glratt@rice.edu (Internet)      | Rice University | "To get laid!"         |/=
=/| GLRATT@RICEVM2 (Bitnet)          |=================| "Can we get that       |/==
/| The Lab Ratt (not briggs :-)     | Neil Talian?    | at the 7-11?"          |/===

------------------------------

Date: 18 Jul 91 16:23:15 +0000
From: peersen%sos.DECNET@CS.YALE.EDU
Subject: Help! I'm STONED (PC)

I have run into a PC which ended up "Stoned" when booted off a floppy,
and a quick look at comp.virus seemed to indicate that this is
potentially not good! So, not being up to date on the PC anti-virus
stuff out there, how should I deal with this. A few posts hinted at
virX, but where do I find it? Or is there something better to use. Any
help would be appreciated.

Replies can go to comp.virus or by E-mail to
"peersen%sos@venus.ycc.yale.edu" (ignore the DECNET reply address).
Thanks in advance

Olve Peersen

------------------------------

Date: Thu, 18 Jul 91 14:42:08 -0500
From: BJ Watts
Subject: F-PROT configuration question (PC)

Hello,

We are currently in the process of obtaining F-PROT for our 100 PCs in
the Business Computer Lab at The University of Alabama. We are also
using the Novell 3.1 NetWare. Our workstations' C drives are
write-protected, so our users can only infect the memory, their own
floppies, and the D drive which is used as a temporary drive. We do
however have a couple of workstations for the use of the consultants
in which the hard drives are not write-protected.

My question - Do we need to use the F-DRIVER.SYS? The only people who
can infect the network are those who have access to places on the
server other than their own personal directory. These are only the
consultants, and we are aware about scanning anything before we
download or use a floppy.

Any comments would be appreciated.

BJ Watts
WWATTS1@UA1VM.UA.EDU

 ________________________________________ ____________________________
:                                        :                            :
: BJ Watts                               : Marriage is a wonderful    :
: BITNET: WWATTS1@UA1VM.BITNET           : institution, but who       :
: INTERNET: WWATTS1@UA1VM.UA.EDU         : wants to live in an        :
: The University of Alabama              : institution?               :
:________________________________________:____________________________:

------------------------------

Date: Tue, 16 Jul 91 10:11:00 +1200
From: PAT ROSSITER
Subject: SECURE.COM (PC)

There has been some discussion in comp.sys.novell about a new "virus"
called SECURE.COM which opens up and damages netware binderies. No-one
has seen it themselves yet, everyone has heard about it, so it may be
another "urban legend". It is likely that if it does exist someone in
this group will have heard of it, or be CERTAIN that it does not
exist. If you have information on SECURE.COM, please post something to
comp.sys.novell.

[Ed. Rumors of this program have been floating around for several
years; to my knowledge, the rumors have never been substantiated.
Unless someone can cite some specifics, I suggest that we treat this
as merely another unfounded rumor.]

Thanks

Pat Rossiter
Rossiter_P@kosmos.wcc.govt.nz

------------------------------

Date: Fri, 19 Jul 91 11:20:25 -0400
From: lwv27%CAS.BITNET@OHSTVMA.ACS.OHIO-STATE.EDU (Larry W. Virden ext. 2487 )
Subject: Norton AntiVirus question (PC)

I am a novice at the MS-DOS environment, and have been asked to install
and evaluate the Norton AntiVirus software. I would be interested in
finding out any tips, pointers, warnings, etc. concerning this package.
Is there a mailing list for customers, or online services thru
Compuserve, etc.? I am looking for any and all sources of assistance in
this endeavor. My goal is to test this software on the various types
of IBM PC type machines available in house and to evaluate the
package's worthwhileness.

--
Larry W. Virden                 UUCP: osu-cis!chemabs!lwv27
Same Mbox: BITNET: lwv27@cas    INET: lwv27%cas.BITNET@CUNYVM.CUNY.Edu
Personal: 674 Falls Place, Reynoldsburg,OH 43068-1614
America Online: lvirden

------------------------------

Date: Fri, 19 Jul 91 12:45:27 -0700
From: Eric_Florack.wbst311@xerox.com
Subject: re: multiple compressions

From: Dmitri Schoeman

I would like to say that multiple compressions are possible for someone
who desires to do so. It took me approximately 30 seconds to
successfully accomplish a compression with both pklite and lzexe on a
program I had just written. The method is a trivial method, which
involves no modification of any of the programs and, as I said, can be
accomplished in less than 30 seconds.

-=-=-=-=

It may be worthwhile to mention what version of each you are using,
Dmitri. It occurs to me that this would make a difference. Also,
please indicate in what order this was accomplished.
For some reason, in the versions I was running I was unable to do what
you suggest, in any order...

------------------------------

Date: Fri, 19 Jul 91 21:22:39 -0400
From: "Jack a.k.a. Wildside"
Subject: Questions - list of viruses, writing a scanner

This may seem like a totally rehashed question, but please bear with
me. I have been on this list some time now, and feel that I have
enough of a grasp of viri (virii?) to try and write my own version of a
detector/fixer for virii.

Question 1: I know that there is a list, accessible by ftp, that
specifies a lot of the PC viruses, ways to detect them, and ways to fix
the data that has been corrupted. Can someone please give me a pointer
to this?

Question 2: From all of the experienced writers out there, any hints on
what is the best approach to writing a scanner/detector/fixer? There
have been a lot of views expressed in this list and they vary widely.

Any help on this would be very greatly appreciated.

A budding virus scanner writer (fingers crossed),
Jack a.k.a. Wildside

------------------------------

Date: 20 Jul 91 18:12:00 +0000
From: prbrig01%ULKYVX.BITNET@jade.Berkeley.EDU
Subject: DOS virus attack (PC)

Please be alerted... A virus has appeared in Detroit for DOS. The virus
changes files to hidden type and adds characters to file names. The
standard DOS scan programs are not effective for this virus. First
infection was found on July 20, original infection occurred within the
previous 3 days.

As always
Ed Wright

------------------------------

Date: Sat, 20 Jul 91 18:19:00 -0400
From: PROVCS@CCNYVME.BITNET
Subject: The smiling face (PC)

I had a bug. The little animal locks up the keyboard and puts the
blinking smiling face character on the bottom left hand corner of the
screen. It showed up once during a pcshell session. I had to reboot. I
have checked the drives with vpscan V1.10 and TnTVIRUS 6.80a; nothing
doing. I guess I killed the animal before it got onto the hard drive,
but I have to go through all my disks and find the carrier. While I'm
doing that, does anyone know what this beast might be???

Colin St Rose
Provcs@ccnyvme

A wise man/woman knows what he/she does not know.

Direct mail will be fine thank you.

------------------------------

Date: Mon, 22 Jul 91 15:00:17 +0000
From: jba@gorm.ruc.dk (Jan B. Andersen)
Subject: Re: Inaccuracies in Press on Viruses

76476.337@CompuServe.COM (Robert McClenon) writes:

>[from] The Washington Post, [...]
>>Phone system experts have suggested that a virus might explain
>>why the failures have been occurring within days of each other
>>and at the same time of day.

>It was possible as of the date of this article (but unlikely) that
>the phone system failures were caused by a time bomb, but if so, it
>was planted as a Trojan

Not if we're talking of the same incident. The company that develops
the software in the switches has admitted the bug was introduced as
part of an upgrade. But, because it was such a minor upgrade, the
software had not been tested as rigorously as it should have been. See
comp.risks (or was it comp.dcom.telecom) for more details.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 128]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
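Added illustration (not part of the digest) of the two-step scheme Padgett Peterson describes above: record the BIOS interrupt vectors before the O/S loads, keep the copy masked, and later authenticate the boot sector only through the recorded entry points, so a resident INT 13h stealth hook cannot filter what the checker reads. The disk, the vector table, the stealth hook and the XOR mask are all constructed for this simulation; no real BIOS call is made.

```c
/* Simulation of the two-step approach: (1) record the BIOS interrupt vectors
 * at boot, before any O/S code runs; (2) later authenticate the boot sector
 * using only the recorded entry points. Disk, vector table, hook and mask are
 * all constructed here; no real BIOS calls are made. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NVEC   0x20                        /* interrupts 00h-1Fh, as in the post */
#define SECTOR 16                          /* constructed sector size */
typedef int (*disk_read_fn)(unsigned sector, uint8_t *out);
static uint8_t      disk[2][SECTOR];       /* sector 0 = boot sector, sector 1 = spare */
static disk_read_fn ivt[NVEC];             /* live interrupt vector table */
static uintptr_t    saved[NVEC];           /* copy taken at BIOS time, XOR-masked */
static const uintptr_t KEY = 0x5A5A5A5Au;  /* constructed mask ("possibly encrypted") */
static uint16_t     captured;              /* boot-sector checksum at capture time */
static int bios_int13(unsigned sector, uint8_t *out) {   /* genuine ROM handler */
    memcpy(out, disk[sector], SECTOR);
    return 0;
}
/* Resident stealth hook: a request for sector 0 is answered with the relocated
 * clean copy, so any checker that goes through the live vector sees no change. */
static int stealth_int13(unsigned sector, uint8_t *out) {
    return bios_int13(sector == 0 ? 1 : sector, out);
}
static uint16_t sector_sum(disk_read_fn read) {           /* simple integrity value */
    uint8_t buf[SECTOR]; uint16_t s = 0;
    read(0, buf);
    for (int i = 0; i < SECTOR; i++) s += buf[i];
    return s;
}
/* Step 1: runs while only BIOS code has executed. */
void setup_system(void) {
    memset(disk, 0, sizeof disk);
    memcpy(disk[0], "CLEAN BOOT SECT", SECTOR);           /* constructed boot sector */
    ivt[0x13] = bios_int13;
    for (int i = 0; i < NVEC; i++) saved[i] = (uintptr_t)ivt[i] ^ KEY;
    captured = sector_sum(bios_int13);
}
/* Simulated boot-sector infection: move the original aside, hook INT 13h. */
void infect_and_hook(void) {
    memcpy(disk[1], disk[0], SECTOR);
    memset(disk[0], 0xCC, SECTOR);
    ivt[0x13] = stealth_int13;
}
/* Step 2: authenticate through the live vector versus the recorded one. */
int      vector_hooked(int n) { return ((uintptr_t)ivt[n] ^ KEY) != saved[n]; }
uint16_t sum_via_live(void)   { return sector_sum(ivt[0x13]); }
uint16_t sum_via_clean(void)  { return sector_sum((disk_read_fn)(saved[0x13] ^ KEY)); }
uint16_t captured_sum(void)   { return captured; }
int main(void) {
    setup_system(); infect_and_hook();
    printf("hooked=%d live=%u captured=%u clean=%u\n", vector_hooked(0x13),
           sum_via_live(), captured_sum(), sum_via_clean());
    return 0;
}
```

After the simulated infection the live INT 13h path still reports the pre-infection checksum, while the path through the recorded vector exposes the altered boot sector; the same comparison of live against recorded vectors is what flags the hook itself.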