VIRUS-L Digest Monday, 26 Aug 1991 Volume 4 : Issue 148 Today's Topics: Re: Hard disk locking (PC) Re: Hard disk locking ? (PC) Can virus infect PC data diskettes? (PC) Bad hit on KENNEDY/12 Tricks Trojan?? (PC) RE: where is VSUM9108.ZIP or TXT Re: Double quote char appear all over - virus? (PC) Can a virus be LAGAL?! Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC) Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC) 4096 help needed (PC) Re: Ghosting The Wisconsin Virus???!!! (PC) EICAR & CARO adresses needed Virus Simulator available (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 23 Aug 91 13:29:00 -0500 >From: "William Walker C60223 x4570" Subject: Re: Hard disk locking (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: >It was possible to trace the source of the infection, but now he wants > some method to prevent anyone from working on his machine while he is > away - for example by asking for a password on boot-up. > This is easily solvable with additional hardware - some machines > include this feature in the BIOS, but it is also possible to get an > add-in card for this purpose. JDR Microdevices now has a password security card which they call "Gatekeeper." This plugs into an 8-bit slot, prevents the machine from booting without a valid password (even from floppy), and can have up to 15 passwords per card (could be useful for shared machines). It does not modify the partition table or any other part of the disk, and it does not encrypt data. I have no affiliation with JDR, and I have not tested the card -- I'm merely mentioning its availability and advertised functions. > Software-only solutions are less secure of course, but they are > sufficient in his case. It is possible to create a small program > which asks for a password when you boot from the hard disk, and cannot > be bypassed simply by booting from a diskette. Vesselin and several others are right in that software alone cannot provide adequate security for a PC. In fact, the National Computer Security Center states that "... users should be wary of claims for products (particularly software) which claim to provide 'absolute' security" (NCSC-WA-002-85, "Personal Computer Security Considerations"). Because of how PCs are implemented, any software-only security system cannot possibly guarantee a secure system. I have successfully bypassed software security schemes, including two commercial packages which supposedly prevent access to the hard disk when booted from a floppy. I'm sure Vesselin, Padgett, and others have done so as well. Anyway, to make a long story short ("too late" :-) ), it is NOT possible to write a program which cannot be bypassed by booting from a diskette. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | Arnold Engineering Development Center | "I'd like to solve the puzzle, Pat" M.S. 120 | Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Fri, 23 Aug 91 10:08:38 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Re: Hard disk locking ? (PC) I have long decried that fact that hard drive manufacturers still have not thought to include a cheap and simple write protect switch on hard drives. (Yes, I do know that most removable media drives have write protect tabs, I'd just like to find a drive under $1000 that'll do it.) It was pointed out to me at a recent seminar, by one of the attendees who had access to a bunch of old equipment, that very old hard drives for PC's, based on mainframe models, did, indeed, have such a switch. Anybody wanna sell a really old drive? :-) ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Fri, 23 Aug 91 10:51:27 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Can virus infect PC data diskettes? (PC) masticol@athos.rutgers.edu (Steve Masticola) writes: > 1. Can a virus infect data diskettes and propagate from them (possibly > by rewriting the boot track)? Yes, boot sector infectors, such as the Stoned, BRAIN, Joshi, Azusa etc., do exactly this. All disks have a boot sector, and therefore all disks can be infected, even if they have no programs on them, and even if they are not "bootable". > 2. Can viruses infect data files (not executables) downloaded from > BBSes? In the Macintosh world this has already happened. Hypercard contains a "language" which can be extended to perform system level activities, and Hypercard "stacks", which are basically data, have been made to contain viral functions. In the PC world this has not, to my knowledge, been done, but it is quite possible with the right systems. Any program which has a scripting or macro language is a possibility. > Also, if someone has a pointer to an archive with info about PC I have all of my articles archived on the SUZY system, and soon on Cyberstore as well. > viruses (in plain text), or good magazine articles, I'd appreciate > knowing that, too. We'd *all* love to know that. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Fri, 23 Aug 91 10:58:07 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Bad hit on KENNEDY/12 Tricks Trojan?? (PC) As you stated, the version of VIRUCIDE that you first tested is an older one. And, both SCAN and VIRUCIDE are written by McAfee Associates. As I believe they stated, when the issue was raised before, both programs contain the same "signature strings". Because the signature strings are contained within the program code, SCAN sees VIRUCIDE as being infected. They fixed this in the later version of VIRUCIDE. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Fri, 23 Aug 91 20:58:51 +0000 >From: cadguest%opua.Berkeley.EDU@ucbvax.Berkeley.EDU (CAD Group Guest Accoun t) Subject: RE: where is VSUM9108.ZIP or TXT |> ============================================================================ |> HyperText VSUM X9107 READ_ME.1ST |> |> With the June, 1991 release, the Virus Information Summary List |> has been converted from its original ASCII list format into a custom, |> hypertext database format. With the new format, the product name has |> been changed to HyperText VSUM. The previous ASCII list product has |> been discontinued, and will no longer be updated. |> |> Why the change to a hypertext database? The original ASCII format |> had become extremely large and unwieldy, it was difficult for most |> people to effectively use. Printing also had become a problem unless one |> had a very high speed laser printer. More importantly, the information |> presented in the ASCII version was never really intended to be read |> sequentially as a book, but instead to be a reference book or |> encyclopedia. |> ============================================================================ = But what is hypertext? Is it a shareware/freeware product? If yes, where can I get it? Thanks, Nadav Har'El ------------------------------ Date: 23 Aug 91 17:16:24 +0000 >From: attcan!ram@uunet.uu.net (Richard Meesters) Subject: Re: Double quote char appear all over - virus? (PC) twong@civil.ubc.ca (Thomas Wong) writes: > One of the 386s in our lab has been having a strange problem. Double > quote characters slowly appears all over the screen. I've checked the > computer with VirusScan (SCAN 7.6V80)(latest?) and no virus was > found. Has anyone seen this before? How can I tell if this is a new > (yet to be discovered) virus? What to do? What to do.... It's completely possible that there's no virus at all. Does the machine lock up when this happens? My thoughts would be that if the SCAN package doesn't detect the virus, you should have someone look at your video hardware (the video card, in particular). I've seen cards go bad in such a way that they print spurious characters over the screen (usually bad video memory/decode). Hope this helps, Regards, - ------------------------------------------------------------------------------ Richard A Meesters | Technical Support Specialist | Insert std.logo here AT&T Canada | | "Waste is a terrible thing ATTMAIL: ....attmail!rmeesters | to mind...clean up your act" UUCP: ...att!attcan!ram | - ------------------------------------------------------------------------------ ------------------------------ Date: Sun, 25 Aug 91 13:21:59 +0000 >From: bloom@ai4.huji.ac.il (Yaron Bloom) Subject: Can a virus be LAGAL?! Since I'm quite interested in the subject, I wanted to ask if a virus can be lagal. I now every country has it's own rules, but I haven't heard of a law agains viruses, have you? One more point: Viruses may be thought as a way of corrupting other user's data. But what about software piracy? If one copies hacked software, then why shouldn't viruses hit him? I'd like to hear you comments. Yaron Bloom bloom@cs.huji.ac.il ------------------------------ Date: 25 Aug 91 00:37:48 -0400 >From: Robert McClenon <76476.337@CompuServe.COM> Subject: Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC) Eric N. Lipscomb writes: >OK. Here's a good one. . . > >For whatever reason, one of our Business Profs decided to scan the >copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67 >finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE. VIRUCIDE, >scanning itself, finds nothing. SCAN also tells us that the file is >compressed with LZEXE and is infected internally. Hmmmm. > >it seems to me that McAfee SCAN is giving a false positive on the >Kennedy virus in VIRUCIDE. VIRUCIDE (another, later version that >scanned clean by everything we threw at it) and F-PROT don't identify >anything. And an old version of SCAN identified the 12 Tricks Trojan. >Unfortunately, I don't have any other disk scanners laying around that >I can check it against. But our techies are looking a little more >closely into this suspicious disk write behaviour exhibited by the >suspect VIRUCIDE. > >Any thoughts/ideas from the list at lagre, specifically the McAfee >crew (since both SCAN and VIRUCIDE came from McAfee)? This is >certainly something that our University will take into serious >consideration as talks finalize on which product to go with as a >campus standard. There have been previous reports to Virus-L of false positives where one anti-viral package identified another as being infected. In particular, reports of SCAN saying that VIRUCIDE might be the 12 Tricks Trojan have been common. These reports are indeed false positive. There is a simple reason for these false positives. An anti-viral scan package looks for virus signature strings. Another anti-viral package may legitimately contain the same virus signature strings. These false positives would be even more common except that some anti-viral packages conceal the signature strings by encryption. False positives where one anti-viral package says another is infected are common, and are caused by finding a signature in the signature search code. ------------------------------ Date: Sun, 25 Aug 91 23:08:20 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: Bad hit on KENNEDY/12 Tricks Trojan?? (PC) comb@sol.acs.unt.edu (Eric N. Lipscomb) writes: >OK. Here's a good one. . . Okay >For whatever reason, one of our Business Profs decided to scan the >copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67 (the current version of VIRUSCAN is V80) >finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE. VIRUCIDE, >scanning itself, finds nothing. SCAN also tells us that the file is >compressed with LZEXE and is infected internally. Hmmmm. This problem is due to an old version of VIRUCIDE containing the same strings as VIRUSCAN and has been corrected for quite a while. I don't remember the version of VIRUCIDE it was fixed in, but I believe it was 2.1x or 2.2x. The current version of VIRUCIDE that Parsons' Technology is shipping is 2.30. They've got new packaging with a picture of what looks like a beetle on the cover. >Next step, we run SCAN 6.3V72 on VIRUCIDE.EXE, and the Kennedy virus (still an old version of VIRUSCAN :-) ) >reveals itself again, but not the 12 Tricks Trojan. Hmmm. Next step, >run the latest release of SCAN. Bingo, it finds Kennedy. All >versions of SCAN that we throw at it find Kennedy and tell us that the >file is LZEXE compressed. Well, one out of two isn't bad. It is compressed with LZEXE. >Now, a bit of info about VIRUCIDE: the file is 40209 bytes long, dated >5-8-90. It appears to the user to be functioning properly, and even A really old version of VIRUCIDE. Last time I looked at it, it was around 60 or 80Kb long... >though SCAN says it's infected, nothing *apparently* happens to the >system as a result. However, one of our techies is looking at the >execution of the program, and has found that as VIRUCIDE scans a file, >it also attempts to perform a write to side 0 track 0 sector 6, thus >far unsuccessfully. One of the strings it attempted to write was >"Disk Killer". Hmmmmm. Hmm... VIRUCIDE shouldn't write to the disk, are you sure you aren't running any other TSR anti-viral programs? >Now, except for the suspicious attempts to write to the boot sector, >it seems to me that McAfee SCAN is giving a false positive on the >Kennedy virus in VIRUCIDE. VIRUCIDE (another, later version that >scanned clean by everything we threw at it) and F-PROT don't identify >anything. And an old version of SCAN identified the 12 Tricks Trojan. >Unfortunately, I don't have any other disk scanners laying around that >I can check it against. But our techies are looking a little more >closely into this suspicious disk write behaviour exhibited by the >suspect VIRUCIDE. This is one of the subjects that continually comes up in comp.virus, so let me reiterate it, at the possible expense of wasting bandwidth and boring one or two of you: It's always a good idea to have the latest version of anti-viral software available, and not rely on old, outdated versions which may have compatibility problems of some sort or another. Keep a copy of the last release on a floppy or somewhere safe as a backup in case problems are reported and you need to migrate back to an older version, but still, try to keep up to date and watch the network or the manufacturer's BBS, fax, etcetera for notices of bugs in the software or announcements of new releases... >Any thoughts/ideas from the list at lagre, specifically the McAfee >crew (since both SCAN and VIRUCIDE came from McAfee)? This is >certainly something that our University will take into serious >consideration as talks finalize on which product to go with as a >campus standard. Most of the comments are above :-) >Thanks for your time! Welcome. Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: 26 Aug 91 08:46:53 -0700 >From: CCA3609@SAKAAU03.BITNET Subject: 4096 help needed (PC) Hello My PC is inficted by 4096 virus. I remove it by clean software but it returnd back. Can anybody send me some information about it and how remove it. Thanks Fuad B. King Abdul Aziz University Saudi Arabia - Jeddah ------------------------------ Date: 26 Aug 91 10:13:59 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Ghosting padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: > Vendors face the problem that while most viruses are >relatively easy find in a program (commands are usually found at >specific offsets), in memory the viral signature could be anywhere >(well, almost anywhere) in memory. We are starting to see products >that are more specific about where they look but while some viruses >will only inhabit certain locations, others could be anywhere in RAM, >high or low. Well, almost all of the currect memory resident viruses contain their signatures at a fixed offset of a paragraph boundary. You have only to scan memory in 16-byte paragraphs and to check whether the signature is at the known offset. This speeds up the things. Unfortunately, there are still viruses like Whale that use run-time sliding window encryption, but they are rare enough. Anyway, the problem with "ghosting" has occured with files long time ago. Some scanners still cause false positives because they find the signature that another anti-virus program also uses. Fortunately, now most self-respecting scanners use some kind of encoding (not encryption!) and solve such problems. How much have we to wait, until these scanners also clean up the memory they have used before exiting? > In any event, as the number of viruses (and signatures) >continue to increase and the avaialble signatures decrease, it would >not be surprising to see the tendancy for ghosting as a result of >using multiple products to increase. IMHO, ghosting will decrease in the near future, because those that make scanners sill become aware of it and will take measures against it. > Meanwhile, we still have the second of the two causes of >ghosting to account for: the "disinfected" file. > Here we have an oddity of DOS at work, the cluster. Consider a >2k .COM file that contracts the Jerusalem (1808 bytes) virus. Many >older machines with 32 Mb disks use a 4096 byte (4K) cluster size. >This is the minimum disk quanta that DOS can allocate so the original >file occupied 1 cluster (the minimum). Not surprisingly, the infected >file also occupied 1 cluster, just filling more of it. > When the virus disinfectant came along, chances are that it >just removed the virus vector at the start of the program, replaced >the first few bytes with the ones from the original file that the >virus stored, and adjusted the file size. The virus is now >disconnected and the code following the program is just noise. Yeah, the same problem occures when someone browes such a disinfected program with PCTools or Norton Utilities. I kept getting quiestions like "why after disinfecting Dark Avenger with your program I still can see the 'Eddie lives' message in files?", until I began to overwrite the virus body with zeroes before disconnecting it from the file. Now I think that every disinfector should perform this way, regardless which virus is disinfected... > However, unless the viral code is stripped off manually, it is >still there and when the program is executed next, the whole cluster >is mapped into memory and often into the disk buffer (though these >generally have a finer granularity). If the program was larger than >the scanner that runs next (obviously not in the example) or goes TSR, >guess what is liable to happen ? Well, I still cannot understand why a scanner should look for, say, the Dark Avenger virus in DOS' buffers! McAfee's SCAN causes a ghost false positive immediately after you copy an infected file... Regards, Vesselin ------------------------------ Date: Mon, 26 Aug 91 09:10:00 -0400 >From: CRK5@pittvms.BITNET Subject: The Wisconsin Virus???!!! (PC) HELLO, has anybody out there heard of the Wisconsin virus on the IBM and compatibles? It showed up on one of our PC's here at Pitt and our Virus scan software would not remove it. We have version 6.8B74 of Virus Scan. Is this the latest version? The only thing it does so far as I can see is it freezes up the PC and it must be rebooted. Please reply if you know anything about this virus. Thank you. Chris Kunselman ------------------------------ Date: 26 Aug 91 09:26:28 +0700 >From: Pim Clotscher Subject: EICAR & CARO adresses needed Please could somebody out there in free netspace tell me the addresses, telephone numbers and E-mail addresses of EICAR and CARO? They are virus security an -research centres is n't it? What exactly stand the digits E.I.C.A.R. and C.A.R.O. for?? I remember to have read info about these organisations on this list in the past, but I skipped it that time... Thank you very much, - -----------------------------> Pim Clotscher <------------------------------ Erasmus University Rotterdam E.R.C. - Computer Support Hoboken Roomnumber : Ee2067 Dr. Molewaterplein 50 P.O. Box 1738 NL-3015 GE Rotterdam NL-3000 DR Rotterdam the Netherlands Tel: +31 (0)10 4087420 Fax: +31 (0)10 4362719 E-mail (Internet): clotscher@coh.fgg.eur.nl ============================================================================== ------------------------------ Date: Fri, 23 Aug 91 18:32:52 +0000 >From: as194@cleveland.Freenet.Edu (Doren Rosenthal) Subject: Virus Simulator available (PC) -------------------------------------------------------------------- Virus Simulator - Safe and Sterile Virus Security Validation -------------------------------------------------------------------- Virus Simulator version 2.0 is now available as shareware for downloading from several sources including EXEC-PC (VIRSIM20.COM), SLO- Bytes BBS (805) 528-3753 and Compuserve (VIRSM2.COM), as well as directly from the author. Virus Simulator generates controlled programs infected with the signatures (only) of every known virus available. Because Virus Simulator has ability to harmlessly compile and infect with safe viruses, it is valuable for demonstrating and evaluating anti-virus security measures without harm or contamination of the system. The infected programs can be renamed and copied to other disks and directories as bait for virus detecting programs. Viruses are a form of terrorism and require many of the same precautionary measures. Airports test the effectiveness of their security measures in much the same way. An official disguised as a passenger will attempt to bring a disarmed bomb through, trying to evade security measures and avoid detection. Real viruses, like real terrorists, are much more difficult to test with. The test viruses generated by Virus Simulator are safe and sterile, but form a validation test suite that trigger vigilant virus detectors. Virus Simulator creates simulated test suites for every known virus available at the time of release. These test suites are only safe and sterile simulations to evaluate your security measures. A virus detecting program is validated when it reports the simulations. Virus detecting programs that fail to find these simulations may indeed discover their real counterparts and variations, but should only be trusted after that ability is demonstrated. No virus protection program will ever be effective without the cooperation of its users, and Virus Simulator provides a means to verify compliance with established security procedures. System Administrators should design their own tests to see which users are practicing safe computing and complying with established safeguards. The amount of user cooperation required by anti-virus programs varies. Some users require more automatic and regimented procedures, and Virus Simulator provides system administrators with a practical way to evaluate the overall effectiveness of their security measures. These simulated test viruses are sterile; they won't reproduce and spread by themselves, so they have to be planted (copied). Such an exercise can go a long way to raising the vigilance of complacent users, so when a real virus attacks, destructive damage is held to a minimum. Comments and suggestions are would be appreciated and should be addressed directly to: Doren Rosenthal Phone (805) 541-0910 Rosenthal Engineering 3737 Sequoia San Luis Obispo, CA 93401 USA ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 148] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253