VIRUS-L Digest   Friday, 10 May 1991    Volume 4 : Issue 79

Today's Topics:

SNEAK: Not for real... (Mac)
Odd 77-byte files (PC)
Packard-Bell (PC)
Washburn (Was: Re: TSR Virus Detector (PC))
A Partition sector virus called Modem (PC)
Re: TSR Virus Detector (PC)
Re: Viral or other problem? (Mac)
re: The Shape of the World (PC)
Re: Virii in Factory Software; Legal Stuff; "Eddie Lives"
re: The Shape of the World (PC)
Review of Certus LAN (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 09 May 91 10:36:57 -0400
From:    Joe McMahon
Subject: SNEAK: Not for real... (Mac)

Sigh. I will reiterate for those who do not yet know.

1) SNEAK is not a virus. It was an attempt by the author of Interferon
   to try to catch unnamed possible viruses. It looks for a certain
   pattern of jumps between code segments and labels that pattern a
   possible virus. It so happens that there may very well be reasons for
   a normal, non-viral program to use this pattern. As a matter of fact,
   TOPS *does*. Bingo, a false positive for the SNEAK virus.

2) Interferon has not had any work done on it for a long, long time. If
   it is your sole means of detecting viruses, you have a problem. You
   should get a copy of the latest version of Disinfectant *now*.
There are at least 5 viruses that Interferon will not detect, not
counting the 438 (OK, I exaggerate. Slightly.) variants of nVIR, which
it does *not* detect in a generic way.

Please. Tell your co-workers to dump Interferon *and* Vaccine, and to
use Disinfectant and its INIT instead. You'll be much safer, and you
won't have to deal with these false positives.

 --- Joe M.

------------------------------

Date:    09 May 91 14:00:24 +0000
From:    zlsiial@cs.man.ac.uk
Subject: Odd 77-byte files (PC)

Some utility on my PC (running MS DOS 3.3) has been creating several
hundred hidden files. All had a filename of an existing COM or EXE
file, but with the corresponding extension ._OM or ._XE, and all were
77 bytes long. The files are all deleted -- sorry not to have saved a
copy -- and no available virus scanning utility reports any odd files
anywhere.

Has anyone seen this elsewhere?

     A. V. Le Blanc
     Manchester Computing Centre
     University of Manchester
     ZLSIIAL@uk.ac.mcc.cms

------------------------------

Date:    Thu, 09 May 91 15:55:59 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Packard-Bell (PC)

For those having problems. (800)767-9898 appears to be a tech support
line for Packard-Bell.

                                        Padgett

------------------------------

Date:    10 May 91 08:41:32 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Washburn (Was: Re: TSR Virus Detector (PC))

RADAI@HUJIVMS.BITNET (Y. Radai) writes:

>V2P1 (better known as the 1260) was distributed publicly, and while it
>is not itself destructive, someone evidently used its disassembly as
>the basis for the Casper virus, which is quite destructive.

The source to Casper is in circulation and it is obviously not based
on a disassembly, but rather the original source of V2P1, which
somebody must have obtained from Washburn.
-frisk

Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801

------------------------------

Date:    Fri, 10 May 91 07:46:17 -0500
From:    Josep Fortiana Gregori
Subject: A Partition sector virus called Modem (PC)

A virus apparently called "MODEM" has been found in our machines. It
is a boot sector virus in diskettes and infects partition sector and
FAT in hard disks.

Local representatives of McAfee antivirus products here at Barcelona
(DATAMON S.A.) have been distributing, for some weeks now, the
following script with the strings which allow the SCAN program to
detect it:

"566972757320416e7469202d20432e542e4e2e452e2076322e" VIRUS MODEM1
"e800008bdcb6?33c9b2?fa5151" VIRUS MODEM2
"7C33C0FA8ED08BE3FB8ED8A1130448A3" VIRUS MODEM3

I can't understand why it has not been included in the current version
(release 77) of the scan program, as it seems to be well identified
since release 76 or before.

Josep

Josep Fortiana                   Departament d'Estadistica (Facultat de Biologia)
phone : 3308851 ext. 200         Universitat de Barcelona
E-mail: D3ESJFG0@EB0UB011.BITNET Av. Diagonal 645   08028 - Barcelona   SPAIN

------------------------------

Date:    Thu, 09 May 91 19:16:34 +0300
From:    esaholm@utu.fi (Esa Holmberg)
Subject: Re: TSR Virus Detector (PC)

RADAI@HUJIVMS.BITNET (Y. Radai) writes:

> The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and

I'm afraid you have tested a wrong program; F-DRIVER would be the
actual resident virus tester of the F-PROT package, and not F-LOCK. I
wonder what the results would look like with F-DRIVER instead of
F-LOCK?

--
__________________________________________________
  ) Esa Holmberg -- esaholm@utu.fi, ekho@ttl.fi,   )
 /   ekho@f152.n222.z2.fidonet.org                 /
/  fax : +358 21 510 017, Elisa : Holmberg Esa TTL /

------------------------------

Date:    09 May 91 19:06:25 +0000
From:    CAH0@gte.com (Chuck Hoffman)
Subject: Re: Viral or other problem? (Mac)

dennisp@AIC.NRL.Navy.Mil writes:

> I get messages stating either that the document type is
> unknown (the documents were created with resident applications on an
> older machine!)

You can get this a couple of ways:

.. Your DeskTop file for your hard disk could be corrupted. To correct,
boot the system while holding down the Command and Option keys until
you get the dialog prompt to rebuild the DeskTop. You also can correct
it on an application by application basis by clicking on the
application, rather than the document, and selecting Open from the
application's File menu.

.. The vendor of software may have changed the product's four character
signature from the version you have on the older machine to the version
you have on the newer machines. I believe MacDraw-II did change between
Release 3 and Release 4. To correct, either install the older version
of the software on your new system (ugh!) or, as in the case of
MacDraw-II, click on the application, then open the document from the
application's File menu, hoping the software will convert from old
format to new.

> My local Apple techie has told
> me to remove 6.0.7 and install 6.0.5 to correct the problem (seems
> that 6.0.7 and certain Mac models have problems?).

That's a new one on me. I use 6.0.7 and all three of the products you
mentioned on all kinds of Mac-II's. Out of memory usually means just
that. To check, click on the small icon in the upper right corner of
your screen (I'm assuming you run MultiFinder) to get back to the icon
of a little Mac, then select "About the Finder" from the Apple menu.

Chuck Hoffman, GTE Laboratories, Inc.   | I'm not sure why we're here,
cah0@bunny.gte.com                      | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131         | here, we're supposed to help
GTE VoiceNet: 679-2131                  | each other.
GTE Telemail: C.HOFFMAN                 |

------------------------------

Date:    Fri, 10 May 91 00:39:54
From:    microsoft!c-rossgr@uunet.uu.net
Subject: re: The Shape of the World (PC)

>From: "David.M.Chess"
>
>Do these two things match the experience of other anti-virus workers?
>Can anyone give some examples of viruses that were at one time thought
>to be "collector only", but later showed up in the wild? (Very
>isolated incidents, such as the rather obvious direct 'seeding' of an
>end-user machine with a stupid virus like the Whale, don't really
>count.)

>As a sort of a spot-check, has anyone ever seen any of the
>"Anti-Pascal" viruses (AP-400, -440, -480, -529, -605, I think they
>are; something like that) infecting an end-user machine? (I ask about
>these just because they're sort of prototypical "collector-only"
>viruses; rather stupid, and seemingly unlikely to spread.)

Dave:

A telling anecdote: at the Trenton Computer Fair last month, about 100
people crammed into a room to hear about some of the new viruses. When
asked who had been infected with a virus, about 80% of the people
raised their hands. I asked those infected with Jerusalem, Stoned and
Ping-Pong to drop their hands. One hand was left. Cascade.

This loud cry for protection against research-only viruses is quite,
quite bothersome -- the numbers game we have to play (as a vendor) in
order to counter "my scanner can beat up your scanner" type of games is
sorta foolish -- yet we must play the game.

Ross

------------------------------

Date:    Thu, 09 May 91 15:48:00 -0700
From:    greg@agora.rain.com (Greg Broiles)
Subject: Re: Virii in Factory Software; Legal Stuff; "Eddie Lives"

walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) writes:

>One unrelated comment: I had thought that the phrase, "Eddie lives...
>somewhere in time" referred to the film "Eddie and the Cruisers," in
>which the lead singer is thought to be dead, but no one is 100% sure.
>Sorta like Elvis, huh?  ;-)

No, this is (I think) pretty clearly a reference to an Iron Maiden
album, "Somewhere in Time" (released 1986? 1987?). Iron Maiden features
some sort of skeleton-monster mascot on their album covers named
"Eddie".

>Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "If you were locked in a room with
>OAO Corporation                        | Saddam Hussein, the Ayatullah, and
>Arnold Engineering Development Center  | a lawyer, but you had only two
>M.S. 120                               | bullets, which would you shoot?"
>Arnold Air Force Base, TN 37389-9998   | "I'd shoot the lawyer twice."

old signature - address bad!
--
".. organized crime is the price we pay for organization." - Raymond Chandler
Greg Broiles       | CI$: 74017,3623  | greg@agora.hf.intel.com
Peacenet: gbroiles | WWIVnet: 1@5312  | MCIMail: gbroiles

------------------------------

Date:    Thu, 09 May 91 12:36:41 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: The Shape of the World (PC)

>From: "David.M.Chess"

>1) Most viruses in the collections of anti-virus worker have, as far as
>   anyone knows, never been found on an end-user system.

True, most of the 500+ viruses are too stupid or blatant to spread very
far on their own. Like any emerging industry (did you know that in the
early 1900's there were over 2000 manufacturers of Automobiles in the
US?), there are a large number of attempts before an effective
"product" is found. However, what we are seeing now are refinements of
the "best" of the first generation products; the dead ends are obvious
to anyone who seriously reviews the literature.

>2) That is, it's very rare for a virus from the "collectors only" category
>   to move into the "in the wild" category.

Probably true for now, but only demonstrates the poor "quality" of most
viruses.

------------------------------

Date:    Thu, 9 May 91 12:36:41 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: Virii (sic) in Factory Software

>From: "William Walker C60223 x4570"

>In both of these instances, the manufacturers took full responsibility
>and made efforts to remedy the situation, once they were informed of
>the problem.

Am glad to find that some manufacturers (Aldus, Bitcom) take their
responsibilities seriously. I'm still bothered that infected disks were
sent out in the first place; however, up through 1989 such ignorance
was excusable. In 1991 IT IS NOT.

>Also, how do you know they're NOT checking the disks? Suppose they're using
>VIRUSCAN V74, which won't find Azusa. Or worse, suppose they're using Norton
>Antivirus.

Then they are worse than negligent, they are stupid! (personal
opinion). A manufacturer should know what every byte on their
distribution disks should be and use this for comparison, not generic
commercial signature checkers that contain disclaimers that only known
viruses will be detected. ANY change from what is supposed to be on the
disks should be detected. One would expect any effective statistical QA
procedure to include this.

I can see coming shortly, large users requiring from
manufacturers/distributors certification that their distributions are
free from any malicious software. Governmental organizations will
probably be first.

                                        Warmly,
                                        Padgett

------------------------------

Date:    Thu, 02 May 91 21:20:48 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Certus LAN (PC)

Coincidentally, there was a recent request for information on Certus
just as I was finishing this ...

[Ed. This review is also on-line (with the rest of the independent
reviews) for anonymous FTP on cert.sei.cmu.edu in
pub/virus-l/docs/reviews.]

Comparison Review

Company and product:

Certus International
13110 Shaker Square
Cleveland, Ohio  44120
USA
216-752-8181
fax 216-752-8188
800-722-8737
Certus LAN version 2.0

Summary: Scanning, change detection and operation restricting
software, particularly for LANs.
                          Cost    Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
      Installation                1
      Ease of use                 3
      Help systems                3
Compatibility                     2
Company
      Stability                   2
      Support                     3
Documentation                     2
Hardware required                 3
Performance                       2
Availability                      3
Local Support                     ?

General Description:

A suite of programs and utilities to provide for security and hard
disk integrity, with special attention paid to compatibility with LAN
systems. Most important are CERTUS, resident change detection and
operation restricting; CERTUSVS, signature scanning; QUICK, program
approval/verification and attribute setting utility; and BOOTLOCK,
protection of the hard disk against password access bypass or boot
sector infection from booting off a floppy. VSRES, stated to be a
resident signature scanning program, was not available in the package
received for review. A number of other utilities verify or safeguard
system areas or CMOS, and the system will provide a "Critical disk" to
help recover from hard disk failures.

                  Comparison of features and specifications

User Friendliness

Installation

Disks are shipped write protected, but on writable disks. Files on the
disk are marked with read-only attribute. Directions in the
documentation are to give the command INSTALL CERTUS. When installing
to a disk for which the defaults are not appropriate this gives an
error message regarding disk space, along with the injunction to
"Press any key: Install will terminate". The program does not
terminate unless the ESC key is pressed. Although the system
requirements are stated to be only one floppy drive for installation,
the program will not install onto a floppy drive.

The documentation states that "default" installation and operation of
CERTUS is for security level 3, which means that "new or modified"
programs will generate an alert, but the user has the option of
allowing them to run.
This is not the case: by default CERTUS apparently runs at security
level 1 and will not allow any "new" program to run, including
programs from the Certus package. This allows the possibility of
"locking up" the system on installation.

Although non-standard installation of Certus should not be attempted
by other than experienced personnel, the problem of installation in a
large and disparate user environment has been addressed in the form of
a "clone" installation option, whereby a specialised installation can
be made once and then "copied" to subsequent machines.

The documentation states that installation is possible with as little
as 50K free space available on disk, but details about the specifics
of the operation of each program, and the necessity for each program,
are not sufficiently clear in the documentation to make this a simple
operation, even for skilled personnel.

Ease of use

All programs in the package can be run with command line switches,
even those that are interactive and present windows and menus. This
dual access is much appreciated by experienced users. Options and
defaults in the interactive programs, however, are not always well
chosen, and the features and implications of some choices will not
always be clear to naive users (cf. the choice of "Quick" scanning as
the default in CERTUSVS.)

Help systems

Onscreen help is available for any interactive program in the package
through the F1 key. Help is context sensitive, but cannot be obtained
for the package as a whole.

Compatibility

The package is said to be compatible with Windows 3, but this
"compatibility" is strictly limited. The resident portion of the
program will pass an alert to Windows, and Windows will generate an
error message before an infected file is run, but the message to the
user will only state that an unknown error has occurred before the
attempt to run the program is aborted.
Any utility software which attempts any direct disk writing will come
into conflict with CERTUS, and therefore it is suggested, by Certus,
that any such programs be run from batch files which will disable
CERTUS operations during the invocation of the utility program. As
protection levels are set "globally" and cannot be determined for
individual programs, this is the only means of running programs which
use direct disk writes or "self-modifying" programs such as Word
Perfect (which would otherwise be prevented from running because of
being "altered".) This leaves a security hole for the infection of
such programs.

One function of the program is "validity checking" of known "good"
program signatures (checksum or CRC is not made clear.) The "Certus
Blue Disk" contains a file of shareware signatures which is said to be
updated quarterly. Of the ten programs I checked for, six were unknown
to the program, and of the remaining four (CED, MS/PC/KERMIT, SCAN and
LIST), none of the entries matched any of the versions I have.

Company Stability

Certus is apparently the successor to FoundationWare. Certus currently
has a significant presence in security/integrity software,
particularly in LAN installations. The company is presently sponsoring
research into the size of the virus problem.

Company Support

Technical support phone numbers are listed for voice, fax and BBS.

Documentation

Certus' hardcopy documentation is well written and uses appealing and
effective layout. While the content and progression should be easily
understandable by a naive computer user, the size of the manual would
be daunting. For experienced users the lack of explanation of certain
injunctions and the "delay" in explaining operations (explanation of
the individual program towards the back of the manual) is frustrating.
The necessary "positioning" of commands to call the various programs
from CONFIG.SYS and AUTOEXEC.BAT is never discussed for some of the
programs, and what discussion there is must be searched for under
various locations in the manual. This is a pity, since the strengths
of the package require well informed installation and choice to be
most effective.

The disk documentation file (README.CTS) is stated in the hardcopy
documentation to be, variously: special instructions for installation
on infected systems, a "bare bones" installation procedure and the
latest information on the program. The file contained with my version
did contain some changes, but was primarily concerned with omissions
from the printed manual and problems with Windows compatibility.

Hardware Requirements

While the box and documentation state that a minimum of one floppy
drive is required for installation, default installation requires a
hard disk with at least one megabyte of free space.

Performance

CERTUS will not, of course, prevent infection of the computer memory
or hard disk by booting from a boot sector infected floppy disk.
CERTUS does provide checking for direct disk writes, and so in theory
is able to prevent spread of boot sector infectors even when the
computer is infected, but in practice this is, by default, limited to
the hard disk. Therefore, CERTUS does not, by default, protect against
spread of infection by such viral programs as "Stoned" and, in
testing, did not do so.

The security "hole" provided by booting from an infected floppy disk
is said to be covered by the use of the CHKBOOT and BOOTLOCK programs.
CHKBOOT checks the boot sector at startup and compares it with a
stored copy of the boot sector as it was at installation. This, of
course, does not address the problem of an existing boot sector
infection at the time of installation, nor would it suffice to catch a
"stealth" boot sector infection. The BOOTLOCK program promises
considerably more.
It is stated to, once installed, run "before any other part of DOS or
the operating system is loaded, and before any part of the hard disk
boot-up has been performed." This, together with the statement that
BOOTLOCK prevents booting from the A: drive, indicates a replacement
of the partition boot record, and possibly a non-standard formatting
of the hard disk system areas. I must admit that at this point my
nerve gave out: BOOTLOCK will not be fully tested until I have access
to a redundant hard drive. (Certus is not very forthcoming about the
dangers inherent here. The closest they come to admitting that you can
be locked out of your own computer is in the statements "... [if] you
lose ... your passwords ... [Certus] will not be useful in gaining
access to your computer ..." (p. 142) and "Losing your password can be
very unforgiving if your system is fully secured with Certus and
BOOTLOCK." (p. 148) Caveat emptor.)

The CERTUSVS scanning program is exceptionally slow, particularly when
checking memory. (So much so that during testing several runs were
aborted by rebooting under the mistaken impression that the program
had "hung". Scanning 640K of memory on an original IBM PC will take
over 20 minutes.) When an infected program is detected, the screen is
"shifted" up one line, then a second (never more than two) and never
corrected, so that it becomes difficult to read. Also, of the scanning
programs reviewed so far, CERTUSVS has the poorest record for
identifying viral infections, identifying just over half of the
relatively common infections presented to it. An unusual feature, in a
scanning program, is that by default it checks only the first and last
2K of any file, and therefore will only find appenders, prependers or
overwriters that happen to be close to the beginning or end of the
file. CERTUSVS does not provide any disinfection functions other than
an overwriting deletion.

Local Support

None available.
Support Requirements

Basic installation of the program is possible for a naive user, but
problems are likely if the defaults, as initially obtained by the
package, are used. Installation by experienced support personnel will
give best results, but even sophisticated users will require a period
of thorough testing of the product before the system can be used on a
trouble free basis. The more advanced (and secure) features definitely
require supported installation to ensure that the user isn't "painted
into a corner" and locked out.

General Notes

The documentation makes many claims which give the impression that the
Certus package is a complete disk and computer management system, and
that other utilities are unnecessary. The problem with running other
utility software is constantly downplayed. The protection provided by
the program, while potentially very powerful, is overplayed to the
point of being inaccurate. (For example, the documentation states that
file attributes cannot be set or altered except through the use of the
QUICK program.) Also, the documentation emphasizes the utility of the
"Critical Disk", which will be helpful in recovering a lost boot
sector or MBR/PBR, but will not help in the case of a "hard failure."

The package potentially provides significant protection against viral
program attacks, but possibly at the cost of functionality of the
computer system. Careful installation should alleviate most problems.
A period of testing and tuning of the installation should be provided
for before the installation is considered complete.

copyright Robert M. Slade 1991   PCCERTUS.RVW   910502

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "Don't buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer."
Research into     (SUZY) INtegrity         |       Richards' First
User              Canada V7K 2G6           |       Law of Data
Security                                   |       Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 79]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
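Added example, not part of the digest and not code from McAfee, Certus or any of the posters: a small Python signature matcher that reads SCAN-style hex strings, using the three MODEM strings Josep Fortiana posted above as its signature set, and scans a byte image for them. It also models the "first and last 2K only" default that Rob Slade's review criticises in CERTUSVS, so a reader can see what such a default misses. Two points are assumptions rather than facts from the digest: that a '?' in a SCAN string stands for exactly one wildcard byte, and the 2K head/tail window as a way of modelling the CERTUSVS behaviour. The sample image is constructed (zero filler with the signature bytes placed at chosen offsets), not a real infected file.

```python
"""Added example: SCAN-style hex signature matching with '?' wildcards.

Not the digest's code and not McAfee's or Certus' own implementation.
Assumptions (labelled): one '?' == one wildcard byte; the "ends only"
mode uses a 2048-byte head and tail window to model the CERTUSVS default
described in the review.
"""
from typing import List, Optional, Tuple

# The three strings exactly as posted for "MODEM" (VIRUS MODEM1..3).
MODEM_SIGNATURES: List[Tuple[str, str]] = [
    ("MODEM1", "566972757320416e7469202d20432e542e4e2e452e2076322e"),
    ("MODEM2", "e800008bdcb6?33c9b2?fa5151"),
    ("MODEM3", "7C33C0FA8ED08BE3FB8ED8A1130448A3"),
]

Pattern = List[Optional[int]]  # a byte value, or None for a wildcard position


def parse_signature(hexstr: str) -> Pattern:
    """Convert e.g. 'e800?33' into [0xe8, 0x00, None, 0x33]; hex case is ignored."""
    s = hexstr.strip()
    pattern: Pattern = []
    i = 0
    while i < len(s):
        if s[i] == "?":               # assumption: one '?' is one wildcard byte
            pattern.append(None)
            i += 1
        else:
            pair = s[i:i + 2]
            if len(pair) != 2 or "?" in pair:
                raise ValueError(f"odd hex digit at position {i} in {hexstr!r}")
            pattern.append(int(pair, 16))
            i += 2
    if not pattern:
        raise ValueError("empty signature")
    return pattern


def decode_text(hexstr: str) -> str:
    """Render a signature's fixed bytes as text ('.' for wildcards and
    non-printables). Shows that MODEM1 is a plain-text marker in the virus body."""
    return "".join(
        chr(b) if b is not None and 0x20 <= b < 0x7F else "."
        for b in parse_signature(hexstr)
    )


def find_signature(data: bytes, pattern: Pattern,
                   start: int = 0, end: Optional[int] = None) -> int:
    """Offset of the first match of pattern inside data[start:end], or -1."""
    end = len(data) if end is None else min(end, len(data))
    n = len(pattern)
    for off in range(start, end - n + 1):
        if all(p is None or data[off + k] == p for k, p in enumerate(pattern)):
            return off
    return -1


def scan_image(data: bytes, signatures=MODEM_SIGNATURES,
               ends_only: bool = False, window: int = 2048) -> List[Tuple[str, int]]:
    """Scan a byte image and return sorted (name, offset) hits.

    ends_only=True reproduces a "first and last 2K only" default: a
    signature sitting in the middle of a larger file is never examined."""
    if ends_only:
        regions = [(0, min(window, len(data))),
                   (max(0, len(data) - window), len(data))]
    else:
        regions = [(0, len(data))]
    hits = set()
    for name, hexstr in signatures:
        pat = parse_signature(hexstr)
        for lo, hi in regions:
            off = find_signature(data, pat, lo, hi)
            if off >= 0:
                hits.add((name, off))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed test image, NOT a real infected file: 8 KiB of zero filler
    with the MODEM2 byte pattern (wildcards filled with 0x90) near the start
    and the MODEM1 text marker buried in the middle."""
    img = bytearray(8192)
    modem2 = bytes(0x90 if b is None else b
                   for b in parse_signature(MODEM_SIGNATURES[1][1]))
    img[100:100 + len(modem2)] = modem2
    modem1 = bytes(parse_signature(MODEM_SIGNATURES[0][1]))  # no wildcards
    img[4000:4000 + len(modem1)] = modem1
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("MODEM1 decodes to:", decode_text(MODEM_SIGNATURES[0][1]))
    print("full scan:        ", scan_image(image))
    print("first/last 2K:    ", scan_image(image, ends_only=True))
```

Run stand-alone, the full scan reports MODEM1 at offset 4000 and MODEM2 at offset 100, while the head/tail scan reports only MODEM2: the marker placed mid-file is outside both windows, which is exactly the gap the review describes for a scanner that defaults to checking only the first and last 2K of each file.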