VIRUS-L Digest Thursday, 18 Apr 1991 Volume 4 : Issue 65 Today's Topics: Re: EMPIRE Virus (PC) Re: The National Computer Security Association Re: Stoned and Dark Avenger mutations (PC) New variant of Dark Avenger (PC) Re: Do any viruses affect Novell? (PC) PC Emulator on an ST (PC) Looking for latest PC virus checker program (PC) Mainframe (VM) viruses Update review of PC-cillin (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 17 Apr 91 17:34:35 +0000 >From: lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil) Subject: Re: EMPIRE Virus (PC) padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) writes: >this also and thanks to WordStar (plug) here is the decrypted text. ......later, possibly by a different person - is this a quote ? >Text of encrypted message follows: > >I'm becoming a little confused as to where the "evil empire" is these >days. > >If we paid attention, if we cared, we would realize just how unethical >this mpending war with Iraq is, and how impure the American motives >are for wanting to force it. > >It is ironic that when Iran held American hostages, for a few lives >the Americans were willing to drag negotiation on for months; yet when >oil is held hostage, they are willing to sacrifice hundreds of >thousands of lives, and refuse to negotiate ....... I believe this is a garbled and partial quote from Ron Kovick who claimed to speak for All Vietnam Vets. I won't bore the net with my opinion of this individual, Suffice it to say I don't agree with his attitude. I doubt Mr Kovick would use a virus to spread his drek, but I'm sure the freaks and fops that follow people like this think they are "nobel warriors" "striking a blow." #$%^&*()Bleck!!@#$%^&* - ------------------------------------------------------------------------------- | * suned1!lev@elroy.JPL.Nasa.Gov sun!suntzu!suned1!lev | | . lev@suned1.nswses.navy.mil + . | | + * S.T.A.R.S.! The revolution has begun! * | ------------------------------ Date: 17 Apr 91 22:31:41 +0000 >From: ilan@eesun.gwu.edu (Ilan Berkner) Subject: Re: The National Computer Security Association kdante@nsf.gov writes: >Does anyone know anything about this group? It is stationed in >Washington, D.C., and "conducts research on computer security >problems, evaluates computer security products, and presents its >findings to the public." (Taken from its brochure.) It has a free BBS >with 9300 files for downloading "certified virus-free." Yes, I have heard of this group and I did actually deal with them in the past. They seem to be very well organized and capable. I believe that for a small fee, last time I checked ($45) one could purchase a full clean up utility and get their monthly report on any new viruses and whats out there. They also have I think if memory serves me right on line help via the phone and the modem as you mentioned above. If you need anything more specific then send me E-mail and I'll try to dig up my old information about them. I remember I had to do a report on viruses for one of my CS classes and they came in very handy. Ilan -- ilan@seas.gwu.edu - -- - ------------------------------------------------------------------------------- You only live once, so enjoy it. - ------------------------------------------------------------------------------- ------------------------------ Date: Thu, 18 Apr 91 12:18:00 +1200 >From: "Nick FitzGerald" Subject: Re: Stoned and Dark Avenger mutations (PC) In VIRUS-L V4 #64 Raul Fernando Weber wrote: >Three slightly different versions of the Stoned virus were detected >during the last months in Porto Alegre (Southern Brazil). >The first version contains the string "Your PC is now Stoned! > LEGALISE MARIJUANA!". In the second version this >string now reads "Your PC is now Stoned! >LEGALISEm disk or d". Curiously, the last part of the modified string >seems to be derived from the original boot sector, where the string >"Non-System disk or disk error" can be found at the same offset. I >wonder if this can happen due to a failure at the propagation routine? This is not uncommon with Stoned. I have seen exactly the same string Raul mentions. Stoned sometimes doesn't seem to replicate this last part of itself correctly - I have seen several other variations on the last part of the "Legalise" message getting munged. As was mentioned a week or two ago, on HD systems this can be due to the HD controller writing up to 17 bytes to the MBR, immediately before the partition table's reserved area, thus partially overwriting the "Legalise" message on Stoned HD's. This has no real significance for the virus as it never attempts to do anything with this "message" except replicate it. - --------------------------------------------------------------------------- Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Wed, 17 Apr 91 12:55:59 -0700 >From: ozonebbs!aryehg@apple.com (Aryeh Goretsky) Subject: New variant of Dark Avenger (PC) We've received a new variant of the Dark Avenger or "Eddie" virus that is not picked up by the current version of SCAN. It has been modified slightly to avoid detection, and all the text strings that appear in the original Dark Avenger have been changed: "Eat us !" "<- Thanks to the Dark Avenger ->" "(C) 1991 RABID International Development Corp! Scan String Killer Test" (Quotes do not appear in the virus and are inserted for clarification) The virus itself is a trivial variation, and will be incorporated into the next release of SCAN and CLEAN. The virus can be detected with the following scan string: #Dark Avenger Virus Variant "43 75 EF 74 19 2E A1 51" Rabid Avenger [DAV] The virus can be removed by CLEAN, using the /EXT external virus data file option as long as the [DAV] identification code is left intact to tell it to remove it as the Dark Avenger virus. For example: CLEAN C: /A /EXT davv.txt [DAV] NOTE: We have had several reports that this virus is circulating in the Toronto, Ontario (CANADA) area in a file named SHOWGIF or SHWGIF which is a hacked copy of an older version of CSHOW Aryeh Goretsky,Tech Sup.|voice (408) 988-3832 |INTERNET McAfee Associates | fax (408) 970-9727 |aryehg@ozonebbs.uucp -OR- 4423 Cheeney Street | BBS (408) 988-4004 |aryehg@tacom-emh1.army.mil Santa Clara, CA 95054 | UUCP apple!netcom!nusjecs!ozonebbs!aryehg "Opinions expressed are my own and may not reflect those of my employer." ------------------------------ Date: 18 Apr 91 04:06:34 +0700 >From: viki@crash.cts.com (Victoria Harkey) Subject: Re: Do any viruses affect Novell? (PC) It jumped around, infected and reinfected files; and it beeped at you as if it was saying , "Here's Johnny!" Another system I cleaned up had the Jerusalem-B virus; about 75 exe, com and ovl were infected on the network. They had to be deleted (cleaned and written over with a binary pattern); and then reinstalled. The Platinum package this banking system was running had a large number of files that had to be removed, and then platinum had to be reinstalled; files replaced and one module replaced. All floppy disks were inspected, and the virus was found on the 2 suspected disks. One more incident of an "Unknown virus" -- a trojan horse that activated on 4/1; it played music and that was appropriate when symphony was executed. It sounded benign -- but in the procedures to trap and erradicate it, it went into the panic mode and wiped out total access to the hard drive. Fortunately, the company had pulled this machine off line as soon as it was acting abnormally. When de-virusing a network, all workstations have to be devirused as well as all floppy disks -- something brought it in... This is a good recommendationffor diskless workstations that keep anyone from taking your valuable data off site,to the malicious or unintentional introduction of a virus on the network. There are viruses that infect data files as well as the executables and overlays. I have a favorite virus fighter than remains resident in the workstations attached to the server (or they are not allowed to attach); and the net is secure. Please be aware that the above viruses paid no heed to NetWare's SRO; they might have been secure had they been flagged EXE ONLY -- but I'm not willing to test this on a production unit. Viki Victoria Harkey Certified NetWare Engineer ------------------------------ Date: Wed, 17 Apr 91 20:05:53 -0400 >From: pro-angmar!jerryf@alfalfa.com (Jerry Feldman) Subject: PC Emulator on an ST (PC) In reply to Andrew Mclean's query about the Atari ST. First, when running PC-DITTO, PC-DITTO II, or other PC emulator, the Atari ST is a PC CLONE. However, a PC VIRUS cannot place itself onto a write-protected diskette. The Atari file system is identical to the PC file system, and a PC virus could install itself onto an ST or PC partition on the hard disk. Since the Atari's OS (GEM and GEMDOS) is in ROM, viruses are not as prevatent on the ST. Regards, Jerry Feldman Director, Atari ST User Group The Boston Computer Society One Kendall Square Building 1400 Cambridge, MA 02139 USA - ---- ProLine: jerryf@pro-angmar Internet: pro-angmar!jerryf@alfalfa.com UUCP: uunet!alfalfa!pro-angmar!jerryf ------------------------------ Date: Thu, 18 Apr 91 11:43:00 -0500 >From: "Steve Huff, U. of Kansas, Lawrence" Subject: Looking for latest PC virus checker program (PC) I'm experiencing a very slow PC for normal operations, and am thinking it might be infected. McAfee's Scan 7.1 reports no viruses, but ver 7.1 is a bit old. Does another virus checker program exist that searches for more viruses? Is it FTPable? Thanks. Steve - ----- Steve Huff, student, University of Kansas "Still love that KU basketball!" Microcomputer Consultant, Hill's Pet Products, Topeka, Kansas Internet: HUFF@kuhub.cc.ukans.edu Bitnet: HUFF@UKANVAX GEIS: HUFF@HILLCORP# ------------------------------ Date: 18 Apr 91 09:45:19 +0000 >From: "DANBURY -BILLW" Subject: Mainframe (VM) viruses In reply to the comments concerning mainframe viruses, in particular, viruses infecting IBM VM systems: It would be very difficult for a virus to infect any shared system progam because of the write protection enforced on shared disks. This protection is maintained at the "hypervisor" level and cannot be circumvented by any "ordinary" user. Of course a system type could open the problem up by virtue of having write access to the common disks. With the advent of the new shared file system on VM this protection is more vulnerable but with proper system controls should be manageable. Of course user programs could easily become infected by virtue of the user having write access to his own disks. Viruses for mainframe (again I'm referring to VM/CMS) software are very easy to do. We even employ a program which is a form of virus for our program accounting system. We knowingly infect the accountable programs with this "virus" which then reports (silently) to a central server, the begin and end of execution of each program. This accounting virus even loads and executes other programs without the user having any knowledge of its doing so. We attach this "virus" to other vendor's software completely without any provision being made for its attachment. It simply does what many other PC-style viruses does and inserts itself as the entry point of the program. The reason that I think this hasn't caught on as a malicious virus is because of the above restriction on common programs. Most users don't write their own programs and therefore don't provide a fertile environment for the spread of that sort of virus. And I sure hope it stays that way. Bill Waggoner "Generic cute quote." - Anonymous ------------------------------ Date: Wed, 17 Apr 91 18:38:36 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Update review of PC-cillin (PC) Due to a request from one of the PC rags, the review of PC-cillin has been updated. PC-cillin has released a new version since last reviewed, but the changes, as noted in the review, are fairly minor. [Ed. The archive copy of this review has been updated on cert.sei.cmu.edu. Along with this review, the rest of Rob Slade's product reviews and Chris McDonald's product reviews are available for anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews] Comparison Review Company and product: Trend Micro Devices Inc. 2421 W. 205th St., #D-100 Torrance, CA 90501 USA 213-782-8190 PC-cillin - program change detection hardware/software - version 2.95L Summary: A change detection and vaccine program with some scanning functions. Change detection is applied to boot sectors and partition boot records as well. System status information is stored in a hardware device connected to a parallel port. Cost US $139.00 Rating (1-4, 1 = poor, 4 = very good) "Friendliness" Installation 3 Ease of use 3 Help systems 2 Compatibility 2 Company Stability ? Support 2 Documentation 3 Hardware required 3 Performance 2 Availability 2 Local Support ? General Description: The best functioning parts of the package appear to be the scanning, and "resident scanning" operations. Not highly recommended; most suitable for novice users with operations primarily limited to a single hard disk and strictly limited disk swapping. Comparison of features and specifications User Friendliness Installation Note that there is no indication on the packaging as to version number. The first version tested had files dated November 2, 1990 and was stated to be version 2.95 in the README.DOC file on disk. The second package received (from a different source) was identical except for two added stickers identifying the item as "Made in Taiwan R O C", but had file dates of November 8, 1990 to January 23, 1991 and was stated to be version 2.95L in the README.DOC file. Further reading of the README.DOC indicates that this version is now "LAN aware", more viral programs are recognized, scanning is faster and that minor cosmetic changes are made to the display. (Previous problems with documentation have also been rectified, and the package now contains both disk sizes.) The disk is shipped write protected, although only by a write protect tab. (The disk is not a "notchless" read-only disk.) The installation procedure is written with a "pre-infected" system in mind, and, if followed carefully, should provide against infection by any virus known to the program. (The procedure to be followed in case of partition table infection, although quite clear in its explanation of the problem, is deficient in not recommending making a backup before beginning the procedure.) PC-cillin can install from, or to, any drive, but will not install to the drive from which the installation files are being run. Installation is simple and reasonably quick. Modification to AUTOEXEC.BAT or CONFIG.SYS is simple, but non-destructive and maintains a backup file. When "verifying for known viruses" during installation, PC-cillin states that it is checking high memory. This is an intriguing report, as the machine used for testing has only the standard 640K and a CGA card. Based on relative times, the program appeared to be checking aproximately 2 megabyte of memory that did not exist. Upon installation to a boot virus infected system, PC-cillin identified the virus, but allowed the installation to proceed. Upon "rebooting", PC-cillin alerted for the presence of a boot sector virus. Interestingly, once the disk was disinfected, PC-cillin allowed the disk to boot normally. Without having access to the encoding system used, it is difficult to say what check is used to detect a change in the boot sector. A deliberate change made in the boot sector text had no effect. The package makes provision for software updates of the "signature" programs without the need for reinstallation of the entire system. Ease of use A single program, PCC.EXE, gives access to all functions, installation, scanning (called "Quarantine" by PC-cillin) and the production of a "rescue diskette". Installation and scanning are clear and self- explanatory in operation. The making of a rescue diskette is less so, involving unnecessary disk swapping. When scanning, PC-cillin does not disinfect infected files, but does offer to delete them. The decision is left to the user. Boot sector viri on floppies are not disinfected, even if they are the "boot floppy" that PC-cillin was installed on. Repair information is apparently only stored for the hard disk PC-cillin is installed on. Because of its "background" operation, PC-cillin presents an "inverse face" (PC graphics character 02H) in the upper right hand corner of the screen when in operation. The documentation states that this display can be toggled off or on with , and that the operation of PC-cillin in background can be toggled on and off with . The message displayed by the PCCILLIN program at invocation now indicates the same key sequence, but the toggle still does not work. Help systems None provided. Compatibility The scanning function of PC-cillin is now stated to recognize 176 different viri, and it does recognize the most common viri that make up the bulk of current infections. The "vaccine" functions of the product are either very intelligent or very doubtful: the program will allow programs to modify themselves, other programs and disk boot sectors, as well as deleting program files. (Disk writing by certain programs appears to be restricted, but in testing no alarms were generated by multiple attempts to write to program files through the use of different programs and editors.) Protection of boot sectors appears limited to the "installed" hard disk: the program will not recover an infected boot sector floppy. Company Stability Unknown. Company Support When the company first shipped the product for review, an incorrect Customs declaration for shipping to Canada delayed shipping of the review copy. The program makes provision for software updates of the "signature" programs, but does not indicate any definite way to keep customers informed. Although my copies are registered, I have received no notice of the change in versions. Documentation The documentation is clear and well laid out, and contains an excellent discussion of general viral operations. The progression through the book is logical, and novice users should be able to follow it clearly. Advanced users will still find items of interest in the section on general viral concepts. The "stiff" binding and grammatical errors in the README.DOC file have been corrected. Hardware Requirements At least one parallel (printer) port is required. The "Immunizer Box" attachment is said to be transparent to user data. Performance The product is "aware" of the currently most common viri. Identification in various areas relies on known viral activity: although memory is checked, it does not appear to "find" memory resident viri which can also be found on disk. Vaccine or recovery activities are restricted at best. Local Support None provided Support Requirements The program is easy enough for a novice to use and install without assistance. If a virus is found, it is recommended that experienced personnel deal with it. General Notes A great deal of thought and planning has gone into the concept and packaging of this product. Provision for the use of floppy diskettes, and a general strengthening of the "vaccine" and change detection portions of the program would benefit it immensely. copyright Robert M. Slade 1991 PCCILL2N.RVW 910417 ============= Vancouver p1@arkham.wimsey.bc.ca | "Don't buy a Institute for Robert_Slade@mtsg.sfu.ca | computer." Research into (SUZY) INtegrity | Richards' First User Canada V7K 2G6 | Law of Data Security | Security ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 65] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253