VIRUS-L Digest   Thursday, 16 Nov 1989    Volume 2 : Issue 241

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

Re: Identify Ashar Virus (PC)
VACSINA contains update facility (PC)
New viruses - 867 and 648 (PC)
Any quantitative studies of computer virus epidemiology
80386 and viruses (PC & UNIX)
Known PC Virus List
Signature Programs
XTREE virus clarification... (PC)
Re: Sophisticated Viruses

---------------------------------------------------------------------------

Date:    15 Nov 89 15:59:59 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Identify Ashar Virus (PC)

Now at least I hear the case being correctly stated... and I will say it
myself... in the Antiviral industry (sic) there has been a distinct lack
of quality control of most popular nostrums... while small bugs may not
shake up the experienced, bugs do INDEED cause the less computer literate
to really wonder about running this or that vendor's product on their
system... (what with tales of FAT and primary format wiping running
rampant over the net...).  VENDORS do you hear me???  dave is stating a
very salient point... I do hope someone is indeed listening...

cheers
kelly

p.s. Hi dave!!

Kelly Goen
CSS Inc.

DISCLAIMER: I don't represent Amdahl Corp or Onsite consulting.  Any
statements, opinions or additional data are solely my opinion and mine
alone...

Seen in alt.sex recently "SEX is FUN, That's why there are so many of us!!"
My Opinion: Sex between Consenting Computers leads to Social Data Diseases!

------------------------------

Date:    Tue, 14 Nov 89 21:57:05 -0500
From:    Christoph Fischer
Subject: VACSINA contains update facility (PC)

Hi,

we just completed our virus catalog entry for the VACSINA virus and
checked with some friends.  One of them, David M. Chess, pointed out that
we overlooked a fact.  Well, it is a very important fact: VACSINA
contains an update facility.

The last 4 bytes of an infected file contain F4 7A 05 00.  The F4 7A is
the VACSINA id and 05 00 is the version number (lo byte first), so we
have version 0005 of VACSINA.  If the virus finds anything less than 0005
it will reconstruct the original file and then it will infect with the
new version of VACSINA.  Now we understand why the author left so much
space in the head of the virus.  Also the 3 bytes used for the
'VACSINA-TSR is in memory' flag contain a 05, so future versions of
VACSINA will know if an older version of VACSINA installed its TSR.

If anybody has virus infected files that show F4 7A 06 00 or higher
please post a note.

Thanks to David again!

Chris

*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************

------------------------------

Date:    15 Nov 89 00:00:00 +0000
From:    David.M..Chess.CHESS@YKTVMV
Subject: New viruses - 867 and 648 (PC)

I've been looking through a couple of new PC viruses (thanks to John M.
and Fridrik S. for the samples), and thought I'd write down a couple of
things:

- The 867-long COM-infector that only infects on even-numbered days and
  sometimes messes up one's typing has been called "Typo" and "Fumble"
  here.
  To either add to or subtract from the confusion, I'd suggest calling it
  the "867" until a good reason not to comes along...

- The 648-long COM-infector that Alan Roberts reported above is in fact
  Vienna-derived.  It's functionally identical to the Vienna, except that
  it overwrites the occasional victim with "@AIDS" instead of the Vienna's
  5-byte reboot program.  The code has been messed with considerably; the
  author seems to have taken a sample of the Vienna, and asked, for every
  instruction, "how can I change this to do exactly the same thing using a
  different set of bytes?".  In many places the code is identical; in
  others, it has been tightened up, or expanded with NOOPS, or tiny and
  non-functional changes in register usage have been made.  The
  perpetrator was clearly interested in fooling any virus scanner looking
  for Vienna identification strings (to use Joe Hirst's phrase).

DC

------------------------------

Date:    16 Nov 89 00:20:32 +0000
From:    pz@apple.com (Peter Zukoski)
Subject: Any quantitative studies of computer virus epidemiology out there?

Hi -

I recently received a request from Richard Dawkins (a zoology professor
at Cambridge, author of the "Blind Watchmaker", which is a summary of
Darwinian evolution, and the software which helps one understand the
power of slight mutations coupled with huge numbers of generations) for
information about computer viruses.  Following is his request.  He
doesn't have access to the interNet, so please send any responses to me,
even if this prompts a discussion in this group, as I don't normally
read it and wouldn't want to miss anything pertinent.  Please
mention/send any past discussion of these issues which you might have
lying about as well.

Thanks

"Do what you want -- you will anyway."
peterz                                   pz@apple.com
Bell:  408-974-2920
Snail: Apple Computer
       20525 Mariani MS/76-3C
       Cupertino, CA 95014

- ----------

My interest is as follows: I want to develop a 3-way analogy between
'real' viruses, computer viruses, and viruses of the mind.  To give the
idea, I'm pasting in the following draft proposal for a BBC television
program that nearly appeared with me as Presenter (in the end the project
was shelved, but I now want to pursue the idea further anyway).

"PROPOSAL FOR TV PROGRAM: VIRUSES OF THE MIND

Three kinds of virus.  In all three cases there is information-handling
machinery as a sitting target for parasitic self-replicating information
or 'viruses'.

1. 'Real' viruses, made of DNA or RNA.  They are almost pure information,
digital information just like in computers.  They use the reading and
translating machinery provided by hosts.  Build up a picture of host
cellular machinery as a sitting target for viruses, rather like a room
full of information-handling equipment - xeroxes, teleprinters, computers
and so on.  The machinery is all there, vulnerable to being exploited.
It is good at handling DNA, almost eager to handle DNA, copy it, splice
it in, decode it, build the proteins specified by the DNA code.  Viral
information is like a computer program whose only real purpose is to
make copies of itself.  The protein jacket etc is just the apparatus
needed to propagate copies of the information specifying it.  Actually,
that is true of all living bodies too (the central message of The
Selfish Gene and The Extended Phenotype), but it is particularly stark
for viruses.  And the special point about viruses is that they use other
organisms' handling machinery.  Viruses are propagated through the air
(common cold), through saliva (rabies) or other bodily fluids (AIDS).

2. Computer viruses.  These are computer programs, written by malicious
individuals, whose essential purpose is simply to make copies of
themselves.
They may also, like 'real' viruses, have deleterious effects upon the
host.  For instance some viruses delete files at random from the hard
disc.  Once again we have the same picture of information-handling
machinery as a sitting target for parasitic information.  Computers are
so good at handling information, so powerful at doing what programs tell
them to do, that they are, in a sense, asking for trouble, asking to be
the victim of malicious, self-replicating information.  Computer viruses
are propagated by borrowed or pirated floppy discs, over e-mail networks
and so on.  Unknown before 1980s, they are now alarmingly common.  My
own hard disc picked up an infection last year and it was a sinister and
eerie sensation.

3. Mind viruses.  Human minds, too, consist of sophisticated
information-processing machinery, like computers and like the
DNA-processing machinery of cells.  Once again, because of its normal
information-processing functions, it is a sitting target for 'viruses';
it is vulnerable to being invaded and taken over by malicious
self-copying programs.  In this case they propagate themselves via word
of mouth, print, television etc.  I think the best examples (in the
sense of most strongly resembling the other kinds of virus) are to be
found in religion, especially the kinds of fundamentalist religion that
have become so prominent in the 80s.  People actually use the word
'possessed' for the state of being taken over by one of these
influences.  I suspect that we could actually find film of people in
religious trances whose behaviour would strongly resemble the behaviour
of people mentally ill with a brain virus.  Even if not literally the
same, I think that the analogy between the three kinds of virus could be
put across convincingly, emphasizing especially fundamentalist faith as
an infectious disease of the mind.
My own experience of getting letters from religious people (especially in
Northern Ireland) after my article in Daily Telegraph forcibly made me
think of the behaviour of computers infected by a virus.  In particular,
there is the weird phenomenon of quoting scriptural verses.  These
people had read my article, so ought to realise that I'd be unmoved by
biblical quotations.  Yet their own mind is so taken over by the
'operating system' that is programmed to accept every word of the bible
that they cannot conceive of another mind not instantly succumbing to
the same thing."

So, I'm really after any studies of the details of how computer viruses
spread that lend support to the thesis described in the above proposal.

Best wishes
Richard

- -----------------------

Thanks

------------------------------

Date:    Tue, 14 Nov 89 17:05:05 -0600
From:    Peter da Silva
Subject: 80386 and viruses (PC & UNIX)

> The isolation hardware in the I386 makes it possible to construct a
> contained execution environment...  Such an environment would be a
> useful place to test untrusted programs.

> Has anyone constructed such an environment?

Yes.  It's called "Merge 386" or "Vp/IX".

 `-_-'  Peter da Silva, Xenix Support.  R2419 X5180
 'U`    "Have you hugged your wolf today?"

[Ed. These products, by the way, are DOS emulation boxes for i386 based
UNIX and XENIX products.]

------------------------------

Date:    Wed, 15 Nov 89 12:53:57 -0800
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Known PC Virus List

The following list was put together by John McAfee.  The naming
conventions follow the ViruScan conventions.  Many thanks to David Chess
for the concept for the list's format.

                       VIRUS CHARACTERISTICS LIST
                    Copyright 1989, McAfee Associates
                            408 988 3832

The following list outlines the critical characteristics of the known
IBM PC and compatible viruses.  Comments and suggestions welcomed.
==========================================================================

Characteristics columns (left to right):

  Enc  - Virus Uses Self-Encryption
  Res  - Virus Remains Resident
  CMD  - Infects COMMAND.COM
  COM  - Infects COM files
  EXE  - Infects EXE Files
  OVL  - Infects Overlay Files
  FlB  - Infects Floppy Diskette Boot
  FxB  - Infects Fixed Disk Boot Sector
  Prt  - Infects Fixed Disk Partition Table
  Size - Increase in Infected Program's Size

Virus                   Enc Res CMD COM EXE OVL FlB FxB Prt Size        Damage
------------------------------------------------------------------------------
Do-Nothing               .   .   .   x   .   .   .   .   .  608         P
Sunday                   .   x   .   x   x   x   .   .   .  1636        O,P
Lisbon                   .   .   .   x   .   .   .   .   .  648         P
Typo/Fumble              .   x   .   x   .   .   .   .   .  867         O,P
Dbase                    .   x   .   x   .   .   .   .   .  1864        D,O,P
Ghost Boot Version       .   x   .   .   .   .   x   x   .  N/A         B,O
Ghost COM Version        .   .   .   x   .   .   .   .   .  2351        B,P
New Jerusalem            .   x   .   x   x   x   .   .   .  1808        O,P
Alabama                  .   x   .   .   x   .   .   .   .  1560        O,P,L
Yankee Doodle            .   x   .   x   x   .   .   .   .  2885        O,P
2930                     .   x   .   x   x   .   .   .   .  2930        P
Ashar                    .   x   .   .   .   .   x   .   .  N/A         B
AIDS                     .   .   .   x   .   .   .   .   .  Overwrites Program
Disk Killer              .   x   .   .   .   .   x   x   .  N/A         B,O,P,D,F
1536/Zero Bug            .   x   .   x   .   .   .   .   .  1536        O,P
MIX1                     .   x   .   .   x   .   .   .   .  1618        O,P
Dark Avenger             .   x   x   x   x   x   .   .   .  1800        O,P,L
3551/Syslock             x   .   .   x   x   .   .   .   .  3551        P,D
VACSINA                  .   x   .   x   x   x   .   .   .  1206        O,P
Ohio                     .   x   .   .   .   .   x   .   .  N/A         B
Typo (Boot Virus)        .   x   .   .   .   .   x   x   .  N/A         O,B
Swap/Israeli Boot        .   x   .   .   .   .   x   .   .  N/A         B
1514/Datacrime II        x   .   .   x   x   .   .   .   .  1514        P,F
Icelandic II             .   x   .   .   x   .   .   .   .  661         O,P
Pentagon                 .   .   .   .   .   .   x   .   .  N/A         B
3066/Traceback           .   x   .   x   x   .   .   .   .  3066        P
1168/Datacrime-B         x   .   .   x   .   .   .   .   .  1168        P,F
Icelandic                .   x   .   .   x   .   .   .   .  642         O,P
Saratoga                 .   x   .   .   x   .   .   .   .  632         O,P
405                      .   .   .   x   .   .   .   .   .  Overwrites Program
1704 Format              x   x   .   x   .   .   .   .   .  1704        O,P,F
Fu Manchu                .   x   .   x   x   x   .   .   .  2086        O,P
1280/Datacrime           x   .   .   x   .   .   .   .   .  1280        P,F
1701/Cascade             x   x   .   x   .   .   .   .   .  1701        O,P
1704/CASCADE-B           x   x   .   x   .   .   .   .   .  1704        O,P
Stoned/Marijuana         .   x   .   .   .   .   x   .   x  N/A         O,B,L
1704/CASCADE             x   x   .   x   .   .   .   .   .  1704        O,P
Ping Pong-B              .   x   .   .   .   .   x   x   .  N/A         O,B
Den Zuk                  .   x   .   .   .   .   x   .   .  N/A         O,B
Ping Pong                .   x   .   .   .   .   x   .   .  N/A         O,B
Vienna-B                 .   .   .   x   .   .   .   .   .  648         P
Lehigh                   .   x   x   .   .   .   .   .   .  Overwrites  P,F
Vienna/648               .   .   .   x   .   .   .   .   .  648         P
Jerusalem-B              .   x   .   x   x   x   .   .   .  1808        O,P
Yale/Alameda             .   x   .   .   .   .   x   .   .  N/A         B
Friday 13th COM Virus    .   .   .   x   .   .   .   .   .  512         P
Jerusalem                .   x   .   x   x   x   .   .   .  1808        O,P
SURIV03                  .   x   .   x   x   x   .   .   .              O,P
SURIV02                  .   x   .   .   x   .   .   .   .  1488        O,P
SURIV01                  .   x   .   x   .   .   .   .   .  897         O,P
Pakistani Brain          .   x   .   .   .   .   x   .   .  N/A         B

Legend:

  Damage Fields -
     B - Corrupts or overwrites Boot Sector
     O - Affects system run-time operation
     P - Corrupts program or overlay files
     D - Corrupts data files
     F - Formats or erases all/part of disk
     L - Directly or indirectly corrupts file linkage

  Size Increase -
     The length, in bytes, by which an infected program or overlay file
     will increase

  Characteristics -
     x - Yes
     . - No

------------------------------

Date:    16 Nov 89 01:02:36 -0500
From:    Bob Bosen <71435.1777@CompuServe.COM>
Subject: Signature Programs

As a member of the American National Standards Institute's (ANSI) X9E9
working group and an active participant in standards activities
regarding computer security and authentication, I have been reading the
various comments on "Checksum" programs with a lot of interest ever
since this forum became accessible to me about 2 weeks ago.  If the
comments which follow are way off-base, please forgive my newness to the
forum; perhaps these things have been discussed in the less recent
past....

I've been surprised at the lack of content regarding sophisticated
authentication algorithms.
In this forum of late, I've been reading about checksums and CRCs but I
haven't heard any mention of ANSI X9.9 or ISO 8731-2, which are both
extremely relevant standards.  Both of these authentication algorithms
have served the international banking community well, having been used
for years to secure billions of dollars worth of daily wire-funds
transfers without a single verified case of compromise.

Checksum programs work by attempting to "authenticate" a program or file
by calculating a number, based upon the content of the file.  That number
serves as a digital "signature" reflecting the exact status of the file
at the moment when the calculation was made.  Unfortunately,
authentication in hostile environments is not a trivial subject, and has
been shown to be susceptible to forgery and compromise.  Furthermore, as
Paul Kerchen and Y. Radai have recently commented, very serious attention
must be paid to exactly where the signatures (and any component parts
critical to their calculation) are stored.

In my opinion, if properly implemented, signature programs have the
potential for being much more useful than "scanners" (or any other known
anti-viral technique) in most instances, since they don't require any
foreknowledge about the viruses which may attack in the future.  Relying
on simplistic algorithms to calculate these signatures suffers from an
obvious disadvantage: Future viruses can compensate for the way the
signature is calculated, or forge signatures that appear to be valid.
Relying on supposedly "secret, proprietary" algorithms is very risky:
the annals of cryptography are littered with the bones of algorithms
that couldn't withstand the scrutiny of dedicated adversaries.  If the
history of algorithmic research can teach us anything, it is that we
shouldn't trust any cryptographic algorithms unless they've been examined
by a very large population of experts.
There is a developing science of "authentication technology" that is
revealing important facts about the kinds of algorithms that can be
relied upon to resist the scrutiny of adversaries.  It's amazing how
many people are unaware of these things, and it's DANGEROUS to base
virus detection products on insecure algorithms.  As this knowledge
grows and becomes more easily available to the people that write
viruses, commercial vendors of virus detection programs will be forced
to learn about this stuff the hard way.

The American Bankers Association, in cooperation with the American
National Standards Institute, (with representation from NSA, NIST,
Federal Reserve, the Vendor community, etc.) and the International
Standards Organization have endorsed standardized ways of calculating
digital signatures.  There are powerful ways of using these respected,
standardized algorithms in the reliable detection of viral
contamination.  It's complex and expensive to put together a practical
implementation, but once it's done it can provide a very reliable first
line of defense that won't need 49 different revisions per year to keep
up with identified threats.

By the way, for those of you that are wondering if performance will
suffer, the answer is that it need NOT suffer.  Certainly,
unsophisticated implementations might turn out to be abysmally slow, but
it is quite possible and practical, with careful design and
implementation, to adapt combinations of these standards to the IBM PC
world, for example, in a way that users hardly notice.  Practical
defenses based on ANSI X9.9, for example, can now authenticate a 100K
file in 3.2 seconds on an IBM "AT"-class machine running at 10 MHz
without any extra hardware or fancy disk drives.
This is best done by applying a judicious combination of DES encryption
with CRC techniques on a random sampling of file contents, rippling the
cryptographic residue through the entire calculation with a technique
that crypto people call "cipher-block chaining".  Furthermore, files
don't need to be checked every single time they are used, so these
modest delays need not occur more than a few times per month per file.

While I'm rambling on, I can't resist the urge to comment on a related
subject.  Paul Kerchen writes:

> where does one store these checksums and their keys?  if they
> are stored on disk, they are vulnerable to attack....

and Y. Radai comments on "static" versus "dynamic" invocation of
signature calculation, leading to discussion of the various advantages
and disadvantages of storing keys and signatures (and maybe even
protection logic) on an active hard disk versus off-line storage on a
diskette.  In my experience, all of these viewpoints have advantages and
disadvantages, and a sophisticated defense must allow users to pick and
choose from all of these techniques according to his own needs.  A
hierarchy of interlocking defenses must be put together, with "daily" or
"dynamic" (continuous but random) checks acting as the first line of
defense based on an active hard disk, and with periodic (weekly or
monthly) off-line checks based on a "sterile kernel" stored on a
bootable diskette that's kept locked up when not in use.  In essence,
the monthly checkup from the sterile kernel checks up on the defenses
that've been exposed to viruses in the "dirty" world....

So how 'bout it?  Anybody against using respected industry standard
authentication algorithms?  Anybody got a better idea?

(By the way, my comments should not be construed to represent any
official viewpoints of the American National Standards Institute.  I'm
just a member of the working group....)

Bob Bosen
Vice President
Enigma Logic, Inc.
2151 Salvio Street #301
Concord, CA 94565
Tel: (415) 827-5707
Internet: 71435.1777@COMPUSERVE.COM

------------------------------

Date:    15 Nov 89 05:46:55 +0000
From:    Bill.Weston@f12.n376.z1.FIDONET.ORG (Bill Weston)
Subject: XTREE virus clarification... (PC)

Just goes to show what I get for typing before reading.. (I should have
recognized the "Stoned" virus...  XTREE.EXE *MAY* be a vector, however a
more likely candidate is a, pirated I suspect, version of Norton
Utilities.  (I guess he got what he paid for..)  Like I said, he is very
new to the MS-DOS community and really did not know the Norton Utils
from Sub-Hunter...  We sterilized his drive and isolated the infected
disks.  However, I would still like to know if anyone has a "CURE"
program for it..

Bill Weston == ...!usceast!uscacm!12!Bill.Weston

------------------------------

Date:    15 Nov 89 02:21:24 +0000
From:    ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath)
Subject: Re: Sophisticated Viruses

krvw@SEI.CMU.EDU (Kenneth R. van Wyk) writes:
}WHMurray@DOCKMASTER.ARPA writes:
}
}>> ...in part because writing a virus that no one notices is not any
}>> fun.  If no one notices, then it is not possible to know about
}>> propagation or survival.  What fun is that?
}
}There's an important distinction to be made here - detection during
}propagation vs. detection after (presumably) successful propagation.
}A virus could well attempt to conceal its existence while propagating,
}and then do quite the opposite (!) during a destructive phase.  No one
}would notice until it would be too late.

Here's another scary thought.  All the viruses I've heard of so far
appear to be the work of malicious amateurs.  I can think of motivations
that might inspire a professional:

An unfriendly government wants to cause dislocation in the United States.
It commissions a difficult to detect virus that spends 5 years
propagating, then wipes the hard disks of every machine it's on, without
warning or explanation.
A spy puts out a sophisticated virus that does no damage.  It just looks
for modems on serial ports and sends what looks like sensitive
information to a central collection point.  (What sort of information?
How about comm program macro files containing account IDs and
passwords?)

I'm sure you can think of other scenarios.  So can "they", whoever
"they" are.

The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimis non
Citicorp(+)TTI                                                Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
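Two items in this issue reduce naturally to defensive code: Christoph Fischer's note that a VACSINA-infected file ends in the 4-byte trailer F4 7A followed by a version number (lo byte first), and Bob Bosen's argument that file "signatures" must be keyed, with the key kept off the checked disk, because an unkeyed checksum can be compensated for by anyone who knows how it is calculated. The Python below is an added example written for this digest; it is not code from the digest, from the Micro-BIT team, from McAfee Associates or from Enigma Logic. It assumes HMAC-SHA256 as a stand-in for the DES-based ANSI X9.9 MAC that Bosen describes (the Python standard library has no DES), and the file names, contents and key are constructed sample data.

```python
"""Keyed file-signature checking (Bosen's argument) plus the VACSINA version
trailer (Fischer's note).  Added example; HMAC-SHA256 is an assumed stand-in
for the DES-based ANSI X9.9 MAC because the standard library has no DES."""
import hashlib
import hmac
import os

VACSINA_ID = b"\xf4\x7a"  # trailer id given in Fischer's post


def vacsina_version(data: bytes):
    """Return the version from a trailing F4 7A lo hi, or None if absent."""
    if len(data) < 4 or data[-4:-2] != VACSINA_ID:
        return None
    return int.from_bytes(data[-2:], "little")  # lo byte first


def simple_checksum(data: bytes) -> int:
    """Unkeyed 8-bit additive checksum: the 'simplistic algorithm' Bosen warns about."""
    return sum(data) & 0xFF


def compensate_checksum(original: bytes, modified: bytes) -> bytes:
    """Append one pad byte so the modified data keeps the original's 8-bit sum.
    This is what 'compensating for the way the signature is calculated' means:
    an unkeyed sum gives no assurance against anyone who knows the algorithm."""
    pad = (simple_checksum(original) - simple_checksum(modified)) & 0xFF
    return modified + bytes([pad])


def keyed_signature(key: bytes, data: bytes) -> bytes:
    """Keyed authentication code over the whole file (assumed: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def read_tree(directory: str) -> dict:
    """Map relative path -> contents for every file under directory (real use)."""
    files = {}
    for root, _dirs, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, directory)] = fh.read()
    return files


def build_baseline(key: bytes, files: dict) -> dict:
    """Signature database.  It may live on the 'dirty' disk precisely because
    the key does not: without the key nobody can forge a matching entry."""
    return {name: keyed_signature(key, data).hex() for name, data in files.items()}


def verify(key: bytes, files: dict, baseline: dict) -> dict:
    """Compare current files with the baseline.  Status per file is
    'ok', 'modified', 'new' or 'missing'; a VACSINA trailer appends ' vacsina-v<N>'."""
    report = {}
    for name, data in files.items():
        expected = baseline.get(name)
        if expected is None:
            status = "new"
        elif hmac.compare_digest(keyed_signature(key, data).hex(), expected):
            status = "ok"
        else:
            status = "modified"
        version = vacsina_version(data)
        if version is not None:
            status += f" vacsina-v{version}"
        report[name] = status
    for name in baseline:
        if name not in files:
            report[name] = "missing"
    return report


# Constructed sample data (not real programs); the key is the secret that
# Bosen would keep on the locked-up diskette rather than on the hard disk.
SAMPLE_KEY = b"key-kept-on-the-locked-up-diskette"
SAMPLE_FILES = {
    "EDIT.COM": b"constructed program A " * 10,
    "CALC.COM": b"constructed program B " * 10,
}


def demo() -> dict:
    """Baseline the samples, then check a later state in which one file has
    grown and ends in the F4 7A 05 00 trailer, one is gone and one is new."""
    baseline = build_baseline(SAMPLE_KEY, SAMPLE_FILES)
    later = dict(SAMPLE_FILES)
    later["EDIT.COM"] = later["EDIT.COM"] + b"\x00" * 1206 + b"\xf4\x7a\x05\x00"
    del later["CALC.COM"]
    later["NEW.COM"] = b"\xc3"
    return verify(SAMPLE_KEY, later, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:12} {status}")
```

For a real directory, pass read_tree(path) to build_baseline once from a clean boot and to verify on each later check, supplying the key from off-line storage each time; that separation of key and signature database is the hierarchy Bosen describes, and compensate_checksum shows concretely why an unkeyed sum cannot play the same role.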