VIRUS-L Digest Wednesday, 22 May 1991 Volume 4 : Issue 87 Today's Topics: re: Tequila virus (PC) Software Upgradable BIOS (PC) Re: Q: Yankee Doodle ?? (PC) re: Green Caterpillar question (PC) Re: Bug in VirusScan (PC) Anti-viral approaches (PC) re: MS-DOS in ROM? (PC) How to get papers ? Stoned / Azusa (PC) Virus statistics request Which format for Partition Table Viruses (PC) Core Wars (PC) VSUMBROW - Virus Summary Browser (PC) 2ND CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 20 May 91 14:39:33 -0400 From: "David.M.Chess" Subject: re: Tequila virus (PC) >From: microsoft!c-rossgr@uunet.uu.net > >Additionally, it looks a lot like a combo of 1260 and v101: >it is impossible to get a scan string for it. While I know what you mean, Ross, I'd like to clarify for our readers: the Tequila doesn't actually seem to share any code with the 1260 or Virus-101 (no evidence that the author of the Tequila had seen either of those), and a scanner that can handle variable-length "don't care" areas can detect it with no problems. DC ------------------------------ Date: 20 May 91 14:22:00 -0600 From: "William Walker C60223 x4570" Subject: Software Upgradable BIOS (PC) Here's something that should make the anti-virus community cringe. Intel has announced a chip which would allow users to upgrade their BIOS using a floppy disk. The term I saw was "erasable programmable read-only memory (EPROM)," but more likely the actual technology in the chip is EEPROM (electrically erasable programmable ROM) or EAROM (electrically alterable ROM). But the technology is beside the point. Up until now, the only trusted portion of the computer has been the ROM BIOS, while the partition table, boot sectors, DOS, and program files have been prone to virus attack (or merely unintentional changes). Software-upgradable BIOS would change that, making even the most trusted part of the computer "subject to change without notice." It does make sense to simplify the BIOS field upgrade, but to do it using something as transient as software in this day and age probably would not be wise. More logical would be a small cartridge, not unlike an HP font cartridge, which can be changed without having to open the case. Sure, it would be more expensive up front, but compared to the possibility of a "BIOS resident" virus, it would be much less expensive overall. The same type of thing could be used for a ROM-based DOS cartridge, which could have a switch that selects booting from cartridge or disk, much as Krishna E. Bera suggests. I feel that the prominent anti-virus researchers (and some of us others) ought to collectively rise up and protest the software- upgradable BIOS before it gets any acceptance. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | Arnold Engineering Development Center | "I'd like to solve the puzzle, Pat" M.S. 120 | Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: 20 May 91 14:23:00 -0600 From: "William Walker C60223 x4570" Subject: Re: Q: Yankee Doodle ?? (PC) Michael Stribick (mikes@aragon.stgt.sub.org) writes: > What kind of virus is the YANKEE DOODLE ?? What happens to a (sic) > infected PC ?? Yankee Doodle is a variant of a virus called Vacsina, both of which, along with Yankee Doodle-B, belong to the "TP" family of about 48 viri (last time I checked). The second to the last byte of an infected file is believed to be the "version number" of the virus. In the most common Yankee Doodle virus, this number is 2C hex, or 44 decimal, therefore the name "TP-44" which many virus scanners give it. The viri from about 25 (19 hex) earlier are called Vacsina, while the later ones are called Yankee Doodle. When a program infected with Yankee Doodle is run, the virus becomes memory-resident. I'm not 100% sure when the infection takes place, but I believe that it occurs when a .COM or .EXE file is run. At a few seconds before 5:00 PM, most versions of the virus will play "Yankee Doodle" on the speaker. Some variants do not play music. One interesting characteristic: some versions of Yankee Doodle hunt down some other viri, such as Ping and Cascade. Hope this helps. For more info, see Patricia Hoffman's VIRUSSUM document. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "I think, therefore I am. Arnold Engineering Development Center | Nah, I think not." M.S. 120 | *POOF* Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Tue, 21 May 91 11:41:53 +0100 From: T Dowling Subject: re: Green Caterpillar question (PC) Thanks to all who replied to my query regarding the 'Green Caterpillar' virus. I have tried the suggestions, and the situation is under control ! I must apologise to several people (Frisk, Alan at MCC) for not replying - I attempted to, but there must be something wrong with the mailer here, as the daemon returned the letter each time, saying 'address unknown'. Thanks again for your help, Tim Dowling. (csc216@uk.ac.lancs.cent1). ------------------------------ Date: Tue, 21 May 91 10:19:00 -0700 From: mcafee@netcom.com (Aryeh Goretsky) Subject: Re: Bug in VirusScan (PC) padgett%tccslr.dnet@mmc.com (Padgett Peterson) writes: >A JERUSALEM infection was encountered in which the .EXE was properly >diagnosed but an infected .OVL was missed despite being checked as >part of the default. Use of the /A swich resulted in the infected .OVL >being detected. Since the .EXE will always be infected also, there is >no real danger, however, if an infection occurs that may also infect >.OVL files (see the VIRLIST.TXT file iside the SCANxx.ZIP file), a >rescan using the /A switch following a CLEAN activity is recommended. This has been verified and will be fixed in the next release of VIRUSCAN. Since the Jerusalem (and sundry variants) infects overlays in addition to .COM and .EXE files, it's always a good idea to run SCAN (and CLEAN) with the /A option, or use the /E option and list the extensions you would like to add. > I do not know if this is particular to the Jerusalem-related >viruses or if others are affected also. It's particular to the Jerusalem-related virus string. > We have reported this to McAfee associates and a fix or >explination should be forthcoming. Incidently, the infection appears >to be the original sUMsDos version. The next release (incorporating the fix) is scheduled for mid-June but will probably be released earlier because of this. Aryeh Goretsky McAfee Associates Technical Support "Just 10 minutes from Great America" - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com 4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | mrs@netcom.com ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers) ------------------------------ Date: Tue, 21 May 91 13:43:01 -0400 From: Padgett Peterson Subject: Anti-viral approaches (PC) >From: microsoft!c-rossgr@uunet.uu.net >With all due respect, everybody has always been taught that if an >ounce of prevention is worth a pound of cure, then two ounces of >prevention must be even better. (Philosophy) The way I always heard it was "If enough is good, too much is better". Unfortunately, today we have to live with finite resources - this places increasing reliance on intelligent thought rather than blind acceptance. Old standbys like "sound as the dollar" & "no one ever got fired for buying IBM" just cannot be accepted anymore. The design of a sound digital system requires careful planning and intelligent trades between to provide confidentiality, availability, and integrity. Just to make matters worse, disciplines are becoming so specialized as to be completely "magic" to an outsider, even one who must rely on them. Consequently, today most computer security is based on trust: trust in the machines, trust in the users, and trust in the salesmen/vendors. It has to be since for the millions of personal computers existant today, judging from the limited sampling I see, the number of people actually capable of designing good protection is probably on the order of a thousand. (and I may be high). For basic protection, almost all of the anti-viral software on the market is adequate, just like few people take more than basic protection from being stung by a wasp. More is considered contra-productive & is an accepted risk in working in a garden. When it happens, it is annoying but remedies are at hand. Others though have allergic reactions & a sting could be fatal & much more stringent precautions are taken. Computer viruses come under the same heading with one major difference: we have not lived side by side with them for thousands of years & most people have no idea what the risks are. Consequently, they have no concept of what is "enough" & for the most part, we are not doing a good job of educating them. To me, seven people stand out in this area: Ross Greenberg, Fridrik Skulasson, John McAfee, John Norstad, Andy Hopkins/Pam Kane, and Bob Bosen not because they are necessarily wonderful people, meetings can be explosive, but because they have made available to the public information and programs specificaly designed to combat viruses as shareware/freeware, not the best way to squeeze the last dollar out of the public. Back to Reality Along these lines, DISKSECURE v.95 BIOS level protection is now out that checks for disk controllers that write to the MBR (I haven't seen one but have been told that they exist so in went some code - had to simulate it with CODEVIEW though). (.94 was a special private version) Unless something unusual pops up, this will probably be the last "beta" version (besides am running out of numbers under the dread 1.00). Meanwhile, Back at Ross... >If my code merely did integrity checks, instead of doing integrity >checks *and* known signature scanning, I'd lose out to somebody who >offers both. That is why I would suggest two packages: the integrity check routine on the bulk of the machines (remember, I am talking the corporate/ government/educational environment), and the signature check (or combo) for the technicians and machines used for scanning new software. In large groups, this would be around 1 per 1000 PCs. This is why many anti-viral programs are now offered on service licenses (tied to physical copies, not #s of PCs). The best word processors stopped being single programs some time ago and installations typically ask just which features you wish to install with descriptions of the assets/liabilities of each >That honesty is costing marketshare, I bet. Possibly temporarily but builds trust in the long run. In any complex technology (e.g. magic) trust in the practitioner is the most important element. >I agree...to a point. I would think that updating 5000 PC's for a new >scanner that differs from the previous one in a bunch of new viral >strings for a bunch of "research only" viruses is a waste of time. That is why we do not. However our "virus response team" and screening labs get every update that comes out while the integrity management programs we use have not needed any updates since the attack of the Zenith Boot Records. These flag difficulties promptly and then we bring out the big guns. >I can't simply say "Yo! *NOBODY* gets the Whale Virus, so why do you care?" I've seen two reports this month (may or may not be true) but the WHALE is an excellent case of a virus that is trivial to detect on a PC. It is the identification of what the infection is that can be difficult, not the fact that a machine is infected. The problem with a one part solution reminds me of the saying "Jack of all trades, master of none" (of course "knowing more and more about less and less until you know everything about nothing" comes to mind also). "Moderation in everything" is my motto, this is why I favor a layered approach so strongly. The most important first step is to determine that SOMETHING has happened. WHAT & HOW TO RECOVER come later. My body usually warns me when a cold is coming on. Zink and massive vitamin C can work wonders so long as I pay attention & react immediately. ------------------------------ Date: Tue, 21 May 91 13:43:01 -0400 From: Padgett Peterson Subject: re: MS-DOS in ROM? (PC) >From: "Krishna E. Bera" >Is there any effort underway to produce a ROM version of MS-DOS or >clone that is: > 1. inexpensive > 2. easy to upgrade (by changing a board, for example) > 3. standardized in interface (i.e., DOS interrupt calls) > 4. bootable (obviously), but DIP switch selectable from a disk > 5. preferably not patented Not that I am aware of though several laptops have attempted this. The major problems would be: 1) Hardware is always more expensive than software to produce 2) Would make it difficult to upgrade 3) Would provide no protection from viruses - too many popular programs and peripherals rely on tailoring the BIOS (e.g. hard disk controllers) MBR (e.g. FDISK), and DOS (most TSRs) in approved methods. Unfortunately many of these methods can also be used by malicious software. 4) Undocumented necessities (such as necessary to use a CD-ROM or NETWARE). 5) "Bug" fixed would be much more expensive. Warmly, Padgett ------------------------------ Date: Wed, 22 May 91 02:18:29 -0500 From: Mac Su-Cheong Subject: How to get papers ? Dear netters : I am looking for the following thesis : F. Cohen, "Computer Viruses", Ph.D. Dissertation, University of Southern California, 1986. Can I get it from some anonymous ftp sites ? If no, how can I get it. I am trying to gather papers about viruses. Any help is appreciated. MSC - --- Mac Su-Cheong nckus089@twnmoe10 msc@sun4.ee.ncku.edu.tw ------------------------------ Date: Tue, 21 May 91 14:03:26 -0500 From: THE GAR Subject: Stoned / Azusa (PC) I noticed something interesting using a McAfee Mix of V77. Vshield 77 reported that it had found STONED and AZUSA, but after I cleaned STONED it no longer saw AZUSA. Turns out it is a double identifier. McAfee says this will be corrected in 79 (recall that 78 is BOGUS and there will NOT be a real version 78.) They also told me the test would be if it had found AZUSA first, it probably would have only had AZUSA, and if it found STONED first it would probably only have STONED. This does not apply to every virus, as we have seen many cases where both STONED and PING PONG B have been on the same machine, and it took two passes with CLEAN to get them both. Samford just licensed VSHIELD and hopefully this will help us quickly bring the STONED/PING PONG battle to an end. We have been engaged since December in this battle, but without the funds to win. I'll have a report later as to how effective VSHIELD is, but I am quite optomistic. (It might be September before I report, since we just lost 80% of our student body to summer.) /++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\ ! Later + Systems Programmer ! ! Gary Warner + Samford University Computer Services ! ! + II TIMOTHY 2:15 ! \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/ ------------------------------ Date: 21 May 91 22:24:05 +0000 From: pfafman@manta.nosc.mil (David F. Pfafman) Subject: Virus statistics request Does anybody out there have any general figures on virus infections in the US? I know that the Jerusalem, Ping-pong and Stoned viruses make up the majority of virus infection. What I would like is the a number of total virus infections or total reported virus infections. A breakdown of the total number or percentage of infections by individual virus would also be nice. Thanks in advance. Dave Pfafman Computer Resource Center Naval Ocean Systems Center Email = pfafman@nosc.mil Phone = (619) 553-2309 Autovon = 553-2309 ------------------------------ Date: Tue, 21 May 91 15:48:44 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Which format for Partition Table Viruses (PC) tony4@garfield.cs.mun.ca (Anthony H. Galway) writes: > Which way is correct? I know the LOW level format guarantee's > results, but this method also destroys any additional partitions. We Hold on a second here. As Padgett (and others) keep trying to point out, formatting is not necessary. There are plenty of tools to "disinfect" your system without it. Secondly, and more importantly, even a low level format does not "garantee" any measure of safety. Most (all?) common viri are memory resident, and they will happily reinfect your system once you have reformatted. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Tue, 21 May 91 16:08:07 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Core Wars (PC) First let me thank Keith Petersen for the wonderful job he does in maintaining the SIMTEL20 archives. There are a number of very helpful programs there which are *not* listed in TROJAN-PRO. I found one such in . CORWP20.ZIP is an implementation of the Core Wars program, with Redstone code processor. As venerable (old) researchers will know, Core Wars is a simulation of computer memory that allows programs to "battle" each other. As such, it allows an insight into factors that go into security and penetration programs, with some fun attached to the process. Background to the program can be found in a number of sources, the most accessible of which would probably be A. K. Dewdney's columns in the Scientific American over the past few years. [Ed. There was also just a UNIX version (for X11R4 color workstations) of a Core Wars program announced on alt.sources within the last day or two. It is available for anonymous FTP from soda.berkeley.edu (128.32.131.179)] ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Tue, 21 May 91 22:48:56 +0200 From: Mikael Larsson Subject: VSUMBROW - Virus Summary Browser (PC) Since there have been a lots of discussion about the VSUM format/size, I asked my friend to write a explanation of VSUMBROW. * * * * * * * * * * I have followed the discussion about the increasing size of the VSUM document. It is true that the size is becoming a problem, but I feel that there is no better way to distribute this document than as a pure ASCII-file. When it comes to accessing the information on the other hand, there I have a good solution. I am currently developing a program for PC-compatibles called VSUMBROW, short for 'Virus Summary Database Browser'. What this program does is offering the user to access the VSUM document as a database file. And it does this fast as well. It is currently only in early (but working) beta- testing, but the few functions I have put in really works like a charm. And I have plans for more functions as well. The hard work has already been done, what I am currently working on is the new functions. To date VSUMBROW has the following functions: * Browse the virus listing, virus by virus. * Search for a given virus. * Display and choose from a hitlist of matching virusnames. * Support for the alias in the virusdescription as well as in the X-ref part. * Printing of information about a virus. * Support for 43/50 rows on EGA/VGA graphic cards. Functions that are to be implemented before final version: * Search on virus type code. * Search on virus status (New is a good candidate). * Search on origin. * Search on effective length. (A bit harder due to the format of VSUM) * Export to file of a hitlist that matches a search.. * Printing of a hitlist that matches a search. * Freetext search, for searching on any word. * Suggestions anyone? VSUMBROW is to be released as ShareWare, and as such can be used freely for non-commercial use. Some of the above functions will only be active for registered users though, to reward those who rewards hard work. I dare not promise any release date, but it will be released as fast as possibible. :-) Virus Help Centre will be the registrator and distributor for VSUMBROW, and if You have any questions, please contact Mikael Larsson at the address below. Jonny Bergdahl New Age Productions * * * * * * * * * End of description of VSUMBROW; Rgds, MiL Virus Help Centre Phone : +46-26 100518 Box 7018 Fax : +46-26 275720 S-81107 SANDVIKEN BBS : +46-26 275710 (HST) SWEDEN FidoNet : 2:205/204 VirNet : 9:461/101 SigNet : 27:5346/108 Email : vhc@abacus.hgs.se ------------------------------ Date: 21 May 91 06:47:54 +0000 From: bgsuvax!maner@cis.ohio-state.edu (Walter Maner) Subject: 2ND CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16 The National Conference on Computing and Values will convene August 12-16, 1991, in New Haven, CT. N C C V / 91 is a project of the National Science Foundation and the Research Center on Computing and Society. Specific themes (tracks) include - Computer Privacy & Confidentiality - Computer Security & Crime - Ownership of Software & Intellectual Property - Equity & Access to Computing Resources - Teaching Computing & Values - Policy Issues in the Campus Computing Environment The workshop structure of the conference limits participation to approximately 400 registrants, but space *IS* still available at this time (mid-May). Confirmed speakers include Ronald E. Anderson, Daniel Appleman, John Perry Barlow, Tora Bikson, Della Bonnette, Leslie Burkholder, Terrell Ward Bynum, David Carey, Jacques N. Catudal, Gary Chapman, Marvin Croy, Charles E. M. Dunlop, Batya Friedman, Donald Gotterbarn, Barbara Heinisch, Deborah Johnson, Mitch Kapor, John Ladd, Marianne LaFrance, Ann-Marie Lancaster, Doris Lidtke, Walter Maner, Diane Martin, Keith Miller, James H. Moor, William Hugh Murray, Peter Neumann, George Nicholson, Helen Nissenbaum, Judith Perolle, Amy Rubin, Sanford Sherizen, John Snapper, Richard Stallman, T. C. Ting, Willis Ware, Terry Winograd, and Richard A. Wright. The registration fee is low ($175) and deeply discounted air fares are available into New Haven. To request a registration packet, please send your name, your email AND paper mail addresses to ... BITNet MANER@BGSUOPIE.BITNET InterNet maner@andy.bgsu.edu (129.1.1.2) or, by fax ... (419) 372-8061 or, by phone ... (419) 372-8719 (answering machine) (419) 372-2337 (secretary) or, by regular mail ... Professor Walter Maner Dept. of Computer Science Bowling Green State University Bowling Green, OH 43403 USA With best wishes, Terrell Ward Bynum and Walter Maner, Conference Co-chairs - -- InterNet maner@andy.bgsu.edu (129.1.1.2) | BGSU, Comp Science Dept Relays maner%bgsu.edu@relay.cs.net | Bowling Green, OH 43403 maner%bgsu.edu@nsfnet-relay.ac.uk | 419/372-2337 Secretary BITNet MANER@BGSUOPIE | 419/372-8061 Fax ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 87] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253