VIRUS-L Digest Monday, 14 Aug 1989 Volume 2 : Issue 174 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: DataCrime II - tiny clarification (PC) Re: LaserWriter viruses Disk Killer (PC) Accessing the archives without ftp Re: Unix archive site Viruscan test (PC) ------------------------------------------------------------ Date: 11 Aug 89 00:00:00 +0000 From: David M. Chess Subject: Re: DataCrime II - tiny clarification (PC) Not to prolong the technical discussion too long, but... Kelly Goen and Alan Roberts are both completely correct (or, actually, I'll assume they are, not knowing myself!); CodeView probably does get confused by the odd things the virus does. I always use good old DEBUG for initial examination of viruses, because I know exactly what it's doing! (CodeView is much more powerful, but for that reason also more complex.) I didn't get thrown out to DOS at any point, but I *did* notice that the virus was doing some bizarre self-alteration, decided that it was trying to avoid being single-stepped, and then confirmed that by experiment. (If you single-step through it, it degarbles to garbage, rather then to the actual virus code.) So I never got to observe the effect that Kelly and Alan saw! (So I don't think anything I said was "fallacious"; we were just talking about different effects.) Alan asks a good question about disassemblies. I think it's probably a Good Thing if at least two or three people do independant disassemblies of each virus, just to make it less likely that something subtle will be missed. I know my disassemblies (except the ones I've spent lots of time on) always contain sections marked with vaguenesses like "Does something subtle with the EXE file header here". At some point, I guess, some time does start to be wasted by duplication of effort; hard to say where, though. I probably tend to lean towards "the more the merrier"! DC ------------------------------ Date: Fri, 11 Aug 89 10:34:27 -0700 From: forags@violet.berkeley.edu Subject: Re: LaserWriter viruses Networked Apple Laserwriters aren't really subject to permanent virus infestation, since a power-off cycle will clear their RAM. HOWEVER, a proficient Postscript programmer can deposit code in an LW's memory which can stay resident and affect other users' output until the power is cycled. These modifications can include re-defining standard Postscript operators to do different things (such as "showpage" could be extended to overprint the word "CLASSIFIED" on every page printed). PostScript has a password mechanism to prevent some alterations to persistent parameters (such as printing a start-up page), but many users leave the password un-set. Al Stangenberger Dept. of Forestry & Resource Mgt. forags@violet.berkeley.edu 145 Mulford Hall - Univ. of Calif. uucp: ucbvax!ucbviolet!forags Berkeley, CA 94720 BITNET: FORAGS AT UCBVIOLE (415) 642-4424 ------------------------------ Date: 12 Aug 89 03:34:00 +0000 From: tyl@cbnews.ATT.COM (Ten-Yu Lee) Subject: Disk Killer (PC) Does anyone know of a virus called "Disk Killer" ? My IBM PC is seriously being infected with this virus. The system hung and can't be brought up by any means. I tried to use firmware to re-format the hard disk. The formatting completed without any error message but the computer still does not work. I need help to remove or kill this virus. ------------------------------ Date: 12 Aug 89 20:18:59 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Accessing the archives without ftp In article <0003.8908111142.AA01970@ge.sei.cmu.edu> bnr-vpa!bnr-fos!bnr-public! mlord@gpu.utcs.toronto.edu (Mark Lord) writes: | Would you consider perhaps someday posting VIRUSCAN to | comp.binaries.ibm.pc ? Not a good idea. At the rate it is being updated, anything that eventually got through c.b.i.p would be long out of date. | I know I would love to have a copy, and there are probably thousands | of other interested onlookers as well. I know there are archive | sites, but that doesn't help those of us who lack BITNET and FTP | access. If you can send email, you can access some of the archive sites. I think its safe to say that you have access to email, right? Here is a note I received from a VIRUS-L reader. He was able to get through to simtel using only email. Before trying this, CHECK THE ARCHIVE SITE LIST FOR THE SERVER NEAR YOU. Overloading this one poor site would not be a nice thing to do. > I have just managed to access WSMR-SIMTEL20.ARMY.MIL from mail via > LISTSERV@NDSUVM1. The commands I used are : > > 1) For a listing of the files in the directory : > > /pddir pd:*.* 9999 > > 2) To retreive a specified file : > > /pdget pd:fname.ext You can also get help, which will explain what is going on here. ------------------------------ Date: Fri, 11 Aug 89 16:45:26 -0400 From: fitz@wang.WANG.COM (Tom Fitzgerald) Subject: Re: Unix archive site About the UNIX anti-archive site at wustl.edu. This sounds great, but since we (and a lot of other people) aren't on the Internet, we can't get to it. Would it be possible to set up an anonymous UUCP account or an archive-server mail demon on the system? Many people would be grateful. [Ed. This was sent to me personally, but I thought that others may be interested... The answer is that the people coordinating the Unix archive sites are working on the problems. We hope to be able to make a mail-archive and an anonymous UUCP available in addition to the current anonymous FTP. No estimate on time, but it's being worked on...] - --- Tom Fitzgerald Wang Labs, 1 Industrial ave. 019-890, Lowell MA 01851 fitz@wang.com uunet!wang!fitz 508-967-5865 ------------------------------ Date: Sun, 13 Aug 89 09:48:20 -0700 From: portal!cup.portal.com!Charles_M_Preston@Sun.COM Subject: Viruscan test (PC) For the past couple weeks I have been testing the latest versions of John McAfee's virus scanning program, Viruscan, downloaded as SCANV29.ARC, SCANV33.ARC, etc., and very briefly the resident version archived as SCANRES4.ARC. While I have not completed the testing protocol with each virus, perhaps an interim report will be of interest. The testing protocol is: 1. Scan a disk containing a copy of a virus in some form; 2. Have the virus infect at least one other program (for .COM and .EXE infectors) or disk (for boot infectors) so Viruscan must locate the virus signature as it would normally be found in an infected machine; 3. Modify the virus in the most common ways people change them (cosmetic changes to ASCII text messages or small modifications to the code and try Viruscan again. Step 2 arises from testing another PC anti-virus product which was supposed to scan for viruses. When I found that it would not detect a particular boot virus on an infected floppy, I asked the software vendor about it. I was told that it would detect a .COM program which would produce an infected disk - not useful to most people with infected disks, the common way this virus is seen Even though the viruses tested are not technically self-mutating, my intent is to test Viruscan against later generation infections, as they would be found in a normal computing environment. Naturally, there is a problem knowing which virus is actually being found, since they go under different names and are frequently modified. The viruses are currently identified by their length, method of infection, symptoms of activity or trigger, and any imbedded text strings, based on virus descriptions from a variety of sources. These include Computers & Security journal, and articles which have been on Virus-L, such as Jim Goodwin's descriptions modified by Dave Ferbrache, and reports by Joe Hirst from the British Computer Virus Research Centre. There is a proposal for checksumming of viruses in the June Computers & Security, which would allow confirmation that a found virus is the identical one already disassembled and described by someone. In the meantime, identification has been made as mentioned. So far, Viruscan has detected the following viruses: Boot infectors - Brain, Alameda/Yale, Ping-Pong, Den Zuk, Stoned, Israeli virus that causes characters to fall down the screen; .COM or .EXE infectors - Jerusalem -several versions including sURIV variants, 1701-1704-several versions, Lehigh, 1168, 1280, DOS62-Vienna, Saratoga, Icelandic, Icelandic 2, April First, and Fu Manchu. SCANV33 has a byte string to check for the 405.com virus, but does not detect it. SCANV34 has been modified to allow proper detection. SCANRES 0.7V34, the resident version of Viruscan, correctly detects the 405 virus when an infected program is run. I have not had any false positives on other commercial or shareware programs that have been scanned. Viruscan appears to check for viruses only in reasonable locations for those particular strains. If there is a virus that infects only .COM files, and an infected file has a .VOM or other extension, it will not be reported. Of course, it is not immediately executable, either. On the other side of the coin, if a disk has been infected by a boot infector, and still has a modified boot record, it will be reported by Viruscan. This is true even if the rest of the virus code normally hidden in other sectors has been destroyed, thus making the disk non-bootable and non infectious. This is a desirable warning, however, since the boot record is not original, and since other disks may be still infected. Disclaimer: I am a computer security consultant and have been working with PC and Macintosh microcomputer viruses and anti- virus products for about 18 months. I have no obligation to John McAfee except to report the outcome of the tests. I am a member of the Computer Virus Industry Association, which is operated by John McAfee. Charles M. Preston 907-344-5164 Information Integrity MCI Mail 214-1369 Box 240027 BIX cpreston Anchorage, AK 99524 cpreston@cup.portal.com ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253