VIRUS-L Digest Tuesday, 3 Sep 1991 Volume 4 : Issue 153 Today's Topics: Re: Norton reports "Italian" - help (PC) Re: Drive assignments... (PC) Re: CAPV conflict with FPROT116 (PC) Re: Preventing boot from floppy - problem with Int 13 from TSR (PC) Re: Disassembler Info Re: Norton Anti Virus (PC) Re: Disassembler Info Re: New virscan.dat exepack question (PC) Re: Virus Simulator available (PC) Re: Hard disk locking ? (PC) LANs and virus propagation (PC) Re: Experiment with virus Re: Hard Disk Locking.... (PC) Disassembler Info Virus Information Summary List...? (PC) Computer Abuse Amendments Act of 1991 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Sat, 31 Aug 91 03:41:01 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: Norton reports "Italian" - help (PC) APP@CORNELLA.cit.cornell.edu (Alan Pierce) writes: >I have a question about a virus that was found by Norton Antivirus. >It found a virus called Italian - A that McAfee's SCAN v80 doesn't >seem to recognize. Can anyone give me any further info on this >"virus"? Thanks. The Italian virus is probably the Ping Pong virus, a floppy disk and hard disk boot sector infector that makes its presence known by making a ball character (IBM ASCII 07, if I recall correctly) bounce around the screen. It could also be referring to one of the file-infecting viruses created in Italy by "Cracker Jack," although this is unlikely as there have not been many reports of this family of viruses. To remove the Ping Pong virus from a hard disk, power down (shut off) the infected PC, insert a clean (virus-free, that is) DOS boot disk, and switch the power back on. This will allow you to boot up with a clean copy of the operating system. Next, run the DOS SYS command (filename SYS.COM) by typing "SYS C:" at the prompt. This will overwrite the existing infected boot sector with a clean one. SCAN V80 detects the Ping Pong virus quite well (it's one of the few things that hasn't been changed in a long time), so another possibility you may wish to consider is that it's a false alarm from NAV, or correspondingly, it could be a new variant of the virus that SCAN V80 doesn't detect. >Alan Pierce >Technical Consultant >Office of Computing and Statistical Consulting >Cornell University > >app@cornella.cit.cornell.edu Regards, Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: 31 Aug 91 12:35:17 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Drive assignments... (PC) APP@CORNELLA.BITNET (Alan Pierce) writes: >A brief note on drive assignments to clear things up... > >First 2 floppy drives: A and B >First hard drive: > Primary partition: C >Drives will then be assigned in the following order: > Secondary partition(s) on first hard drive > Primary partition on second hard drive > Secondary partition(s) on second hard drive > Any other floppy/tape/misc. drives in the order they are installed. Hm.....I was replacing my old 100MB ESDI disk with a 640MB SCSI disk, and had them both installed while I was copying everything from the old disk to the new one. Much to my surprise the order turned out to be: C: Primary partition on disk 1 D: Primary partition on disk 2 E,F,G: secondary partitions on disk 1 H,I: secondary partitions on disk 2 - -frisk ------------------------------ Date: 31 Aug 91 12:39:12 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: CAPV conflict with FPROT116 (PC) vy10+@andrew.cmu.edu (Vannevar Y. Yu) writes: >Incidentally, the tech support rep told me that this was the "problem" >with using "more than one anti-viral package." I would rather use a >couple of different anti-viral packages (knowing all the possible >conflicts) rather than trust just one package. Well, I agree that it is wise to use a couple of packages, but conflicts like this may arise when a program does not keep its signatures encrypted internally or wipe the memory after use.... - -frisk ------------------------------ Date: Sat, 31 Aug 91 14:29:37 -0400 >From: flaps@dgp.toronto.edu (Alan J Rosenthal) Subject: Re: Preventing boot from floppy - problem with Int 13 from TSR (PC) padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: > 1: Trap cntrl-alt-del sequence > 2: Check for floppy in drive A: > 3: Disallow boot if floppy in drive Won't this leave a window during which the user can insert a floppy disk? Insert floppy but leave the drive door open, press control-alt-delete, close the door. ajr ------------------------------ Date: 31 Aug 91 21:38:13 +0000 >From: ccml@hippo.ru.ac.za (Mike Lawrie) Subject: Re: Disassembler Info BOXALL@qut.edu.au writes: >To all virus researchers, >What disassembler do you use? >At the Queensland University of Technology we use Sourcer by V >communications. Is there anything better? I use a homebrew disassembler that I call "loot". It uses a command structure similar to something that Christiansen (?) wrote for CP/M. It allows you to assign a name/label to an address, and then see the effect immediately, and then take corrective action or better guesses. There is provision for comments, and ways to separate code from data. It is to be driven by the person who is cracking the code. Unfortunately, at the time that I wrote this, I knew very little about C (I used small C from Hendricks (sp?)), and had no info on what an .EXE file looked like. So there are some limitations, like a bug in detecting one of the opcodes, comments that may not be more than 127 chars long, .COM files only and then no bigger than 32 K. I published a disassembly of the Stoned virus that was produced with this program, if you need to see an example of what it can do. I've not seen anything to beat loot, and I can disassemble stuff pretty quickly, thinking on the screen as it were. I've tried Sourcer, and admire anyone who can get it to produce what loot can. The program could do with a windows package added to it, and I could probably dig out the source code from somewhere if someone feels enthusiastic enough to soup it up and let me have the improved version. I really don't have the time or desire to do any improvements myself. Mike - -- Mike Lawrie Director Computing Services, Rhodes University, South Africa ............................................... Rhodes University condemns racism and racial segregation ------------------------------ Date: Sat, 31 Aug 91 17:04:44 +0000 >From: nils@f109f.mil.se (Nils Hammar) Subject: Re: Norton Anti Virus (PC) Probably Nortons anti-virus detected it's own check-string... But you could not be sure! There are several methods to detect viruses, and the most common are checking for a known string. Another method is checking for irregular jump instructions in the startupsequence of the code. If a disc-access occurs very early in the program execution, there may be a virus. Most viruses are assembly-coded to be as small as possible, and programs written in another language will execute more code before accessing the disc. If the norton program checks itself, there will be early disc access, and resulting in a indication of a possible virus. This wasn't a real answer, but an idea of a possible explanation. ------------------------------ Date: 01 Sep 91 09:12:45 +0000 >From: cssr@hippo.ru.ac.za ( Mr S. Rahim ) Subject: Re: Disassembler Info I have also been using Sorcer. The other disassembler you can use is the Turbo Disassembler plus CodeView. The later two are not very helpful. Sorcer gives at least in my experience better comments. Sajid - -- ============================================================================ Computer Science Dept, Rhodes University, Grahamstown, South Africa Internet : cssr@hippo.ru.ac.za - ---------------------------------------------------------------------------- ------------------------------ Date: 01 Sep 91 15:35:32 +0000 >From: ccoprdg@prism.gatech.edu (Drew Gonczi) Subject: Re: New virscan.dat exepack question (PC) I was wondering if someone out there could answer a quick (hopefully) question for me. I just downloaded the July 31 version of the virscan.dat (vs910731.zip) and ran tbscan on my computer. The virus checker complained about ALOT of file saying "infected by [file compress by EXEPACK]." Now most of the stuff it flagged was MASM 5.0 related (although there were others). Is / was there a virus problem related to EXEPACK and should I delete these files -or- is the checker just being _cautious_ ? Thanks... (trying to avoid deleting the entire /bin directory ;-) ) Drew - -- Drew Gonczi | No one but me can save myself, Georgia Institute of Technology | but it's too late OIT / TS / OD | Now I can't think, think why ccoprdg@prism.gatech.edu | I should even try. ------------------------------ Date: Sun, 01 Sep 91 16:32:06 +0000 >From: as194@cleveland.Freenet.Edu (Doren Rosenthal) Subject: Re: Virus Simulator available (PC) Frisk, Thanks for making the effort once again let readers of this forum know your opinion of my Virus Simulator 2.0 program. I was disappointed the first time your comments were posted on this forum, weeks before I'd written it. It's now available from a number of sources if you'd reconsider actually trying it. Compuserve as "VIRSM2.COM", EXEC-PC and several other BBS ( including SLO- BYTES (805) 528-3753 ) as "VIRSIM20.COM". Although appreciated, your opinion seems to be overshadowed by the overwhelming majority of positive reaction I've had from people who have actually tried my Virus Simulator 2.0 for themselves. Even though your comment that perfect virus detectors will not find these simulations, and any that are reported are false alarms, I don't consider those setting off your own F-PROT to demonstrate a defect. Rather, system administrators can use my Virus Simulator to determine if anyone is actually following their security policies and really using your product. They can demonstrate which products are the fastest and easiest to use when considering vendor recommendations for a site license. They can perform their own tests, and needn't take anything on faith to form their own opinions. It's not my intention that anyone be placed in the awkward position of trying to convince potential customers that their product performs well with real viruses, even though it fails to find the simulations. Especially when a collection of hundreds of real viruses is not available and confronted with a competitors product that finds the same simulated viruses without difficulty. So far the response and cooperation from producers of anti-virus products to my Virus Simulator 2.0 has been overwhelmingly positive. I'll be updating Virus Simulator periodically, so if you'd like to participate, I'll do my best to see that your product detects my simulated viruses. Doren Rosenthal ------------------------------ Date: Sun, 01 Sep 91 19:25:07 +0000 >From: mstr@vipunen.hut.fi (Markus Strand) Subject: Re: Hard disk locking ? (PC) eric@zen.maths.uts.edu.au (Eric Lindsay) writes: >Simply pull the write gate line via a resistor to either +5 or ground >(sorry, I've forgotten if it is active high or low). The resistor I would pull it to write error. Then the os will be aware of it. >Some (possibly many) hard disk controllers test the hard disk by >accessing it on power up, and they won't allow this scheme. I've had An other problem is that not all operating systems chech if write failed or succeeded. It gives sometimes interesting features. Markus Strand mstr@vipunen.hut.fi ------------------------------ Date: Sun, 01 Sep 91 15:46:00 -0600 >From: kev@inel.gov (Kevin Hemsley) Subject: LANs and virus propagation (PC) Here are some thoughts and questions about viral infections of a NetWare file server. It is my understanding that standard NetWare disk device drivers do not support direct sector addressing through either the BIOS interrupt 13h or DOS interrupts 25h and 26h. I also believe that the MBR is different than a standard DOS MBR. As such, a virus which infects the DOS boot record or the MBR would likely overwrite areas of the disk used by NetWare. In doing so, would cause the system to crash, or prevent the server from loading properly. Therefor it seems that booting a server from a boot sector infected diskette would likely do terminal damage and could not execute normally. So in theory, it is *not* possible to infect a Novell file server with a boot sector virus by booting the server from an infected diskette. Any comments? Would such an infection first require that a NetWare device driver be installed on the server that would allow special calls from the virus to access individual sectors of the disk? (an unlikely scenario) As for file infecting viruses: If an executable file, which is stored in the DOS partition, were to become infected with a normal file infecting virus, would it be possible for this virus to execute properly? (i.e. SERVER.EXE) It seems that a file infecting virus could *not* successfully write to a NetWare partition because of the redirection of BIOS and DOS interrupts. I also don't believe that the virus would be able to see a file being opened by NetWare. Is my understanding correct, or am I off track? A final question, not intended as a malevolent thought provocation! Could a "NetWare-specific" virus be written that could spread through normal file infection, normal DOS boot record infection, and could distinguish between a normal boot record and a NetWare boot record, and infect both? It seems possible. Any thoughts? - ------------------------------------------------------------------------------- Kevin Hemsley | Information & Technical Security | If you think that you have someone Idaho National Engineering Laboratory | eating out of your hand, it's a (208) 526-9322 | good idea to count your fingers! kev@inel.gov | - ------------------------------------------------------------------------------- ------------------------------ Date: Mon, 02 Sep 91 11:06:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Experiment with virus monta_l@dist.dist.unige.it (Luciano Montanaro && Marco Gualdi) writes: > I have a Ms-Dos 386 with Dos 3.30 and 80 Mb HD, 3 partitions. I want > to do some experiment of controlled propagation of viruses (on > floppies, of course) whithout risks for my HD. > > Which of the follow is the security level that I should use? > > 1 ) Unplug the power cable of HD. (what about the controller ?) > > 2 ) Set the CMos data to no Hard Disk > > 3 ) Write in the partion table that every partition is write protected. The correct answer is: 1... switch the power off, disconnect both the controller and power supply cables to the hard disk, do the experimentation, switch the power off to the computer, wipe all the diskettes with a magnet* and then restore the cables and then power on, reformat all those diskettes again, and run some virus checkers regularly - just in case you forgot a diskette! *When wiping disks with a magnet I've found that the best thing to do is keep the diskette in its dust jacket (the thing that protects the exposed slots in teh envelope from dust), wipe the magnet over the entire surface, both sides (if you have something a lot more powerful than the sort of magnet that sticks little plastic things on the fridge, well, you might not need to be fussy). The ability of magnets to completely wipe diskettes falls of surprisingly quickly with distance. Reformatting alone isn't safe enough since: (a) there might be a part of the virus on the 41st track, probably it will never get executed, but you want to be safe, and (b) if you reformat a 360Kb diskette on an AT's 1.2Mb drive, the virus can survive! (anyone that wants an explanation can e-mail me). Above all, be careful! 2 out of 3 careful virus researchers I know of locally have infected their computer accidentally once. You really have to concentrate, and leave clear warnings or lock the room the computer is in! Hope this helps, Mark Aitchison. ------------------------------ Date: Sun, 01 Sep 91 17:29:30 -0600 >From: John Kida (Raleigh) Subject: Re: Hard Disk Locking.... (PC) Try the PASSPORT it comes in 20 and 40 mb.... The case and the Drive will run you less than 699.00 ( 20mb) It has the that READ & WRITE or READ ONLY switch ... you want The access time is good at around 28msec.. and its REMOVEABLE for security also... Yasha Kida jhk@ssds.com ------------------------------ Date: Tue, 20 Aug 91 15:08:45 +0700 >From: swimmer@stage.hanse.de (Morton Swimmer) Subject: Disassembler Info BOXALL@qut.edu.au writes: > To all virus researchers, > > What disassembler do you use? > > At the Queensland University of Technology we use Sourcer by V > communications. Is there anything better? Well, there really in not a better disassembler as such, but Sourcer is not the best for analysing viruses. I'm still waiting for the disassembler that can handle viruses well. Cheers, Morton .............................................................................. .morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247. .internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de. ..............to leave only footprints, and take only memories................ ------------------------------ Date: 02 Sep 91 03:48:33 +0000 >From: x91scott@techno.nepean.uws.EDU.AU (Scott Golby) Subject: Virus Information Summary List...? (PC) Hi Everyone, Late last week a friend of mine lost a lot of his files on his 600Meg HD to some sort of Virus. :-( What is the best solution to keep viruses out of a large HD like that? Seams that only the very latest virus checker found the little beast, and the previous month one didn't... Oh well, he's restoring the HD from backup, probably working away at it right this moment. He was after so info going by this name :- Patricia M Hoffman's Virus Information Summary List. Anyone have any idea's where he or I could pick this up from? What is the Absolute Latest Virus Checker for the IBM PC? Thanks! Scott Golby. x91scott@techno.nepean.uws.edu.au ------------------------------ Date: 02 Sep 91 14:42:00 -0500 >From: "zmudzinski, thomas" Subject: Computer Abuse Amendments Act of 1991 Zmurgy's First Law of Evolving Systems Dynamics -- "Once you open a can of worms, the only way to recan them is to place them in a even larger can." Zmurgy's Second Law [etc.] -- "Tarantulas are even worse!" -- The following is presented as tarantula bait -- Tom Zmudzinski ZmudzinskiT @ IMO-UVAX.DCA.MIL Defense Information Systems Agency (703) 285-5459 [We used to be DCA, but DoD decided to make us a four letter word.] 1991 S. 1322 SYNOPSIS: A BILL To amend title 18 of the United States Code to clarify and expand legal prohibitions against computer abuse. DATE OF INTRODUCTION: JUNE 18, 1991 DATE OF VERSION: JUNE 20, 1991 - - VERSION: 1 SPONSOR(S): Mr. LEAHY (for himself, Mr. BROWN, and Mr. KOHL) introduced the following bill; which was read twice and referred to the Committee on the Judiciary TEXT: A BILL To amend title 18 of the United States Code to clarify and expand legal prohibitions against computer abuse * Be it enacted by the Senate and House of Representatives of the United* *States of America in Congress assembled, * SECTION 1. SHORT TITLE This Act may be cited as the "Computer Abuse Amendments Act of 1991". SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT. (a) PROHIBITION.-Section 1030(a)(5) of title 18, United States Code is amended to read as follows: "(5)(A) through means of or in a manner affecting a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if- "(i) the person causing the transmission intends that such transmission will- "(I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or "(II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data, or program; and "(ii) the transmission of the harmful component of the program, information, code, or command- "(I) occurred without the knowledge and authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and "(II)(aa) causes loss or damage to one or more other persons of value aggregating $ 1,000 or more during any 1-year period; or "(bb) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or "(B) through means of or in a manner affecting a computer used in interstate commerce or communication, knowingly causes the transmission of a program, information, code, or command to a computer or computer system- "(i) with reckless disregard of a substantial and unjustifiable risk that the transmission will- "(I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or "(II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data, or program; and "(ii) the transmission of the harmful component of the program, information, code, or command- "(I) occurred without the knowledge and authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and "(II)(aa) causes loss or damage to one or more other persons of value aggregating $ 1,000 or more during any 1-year period; or "(bb) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or (b) PENALTY.-Section 1030(c) of title 18, United States Code is amended- (1) in paragraph (2)(B) by striking "and" after the semicolon; (2) in paragraph (3)(B) by inserting "(A)" after "(a)(5); and (3) in paragraph (3)(B) by striking the period at the end thereof and inserting ", and"; and (4) by adding at the end thereof the following: "(4) a fine under this title or imprisonment for not more than 1 year, or both, in the case of an offense under subsection (a)(5)(B).". (c) CIVIL ACTION.-Section 1030 of title 18, United States Code is amended by adding at the end thereof the following new subsection: "(g) Any person who suffers damage or loss by reason of a violation of the section, other than a violation of subsection (a)(5)(B), may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.". (d) REPORTING REQUIREMENTS.-Section 1030 of title 18 United States Code, is amended by adding at the end thereof the following new subsection: "(h) The Attorney General shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning prosecutions under section 1030(a)(5) of title 18, United States Code.". (e) DEFINITION.-Section 1030(e)(1) of title 18 United States Code, is amended by striking ",but such term does not include a automated typewriter or typesetter, a portable hand held calculator, or other similar device". (f) PROHIBITION.-Section 1030(a)(3) of title 18 United States Code, is amended by inserting "adversely" before "affects the use of the Government's operation of such computer". |------------------------"Cogito, ergo nomics"------------------------| |---------- Latin for "Typing this has given me a backache!"----------| ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 153] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253