VIRUS-L Digest Monday, 24 Apr 1989 Volume 2 : Issue 98 Today's Topics: Re: CheckSum Methods of Virus Detection (PC) re: Information wanted on "Stoned" virus (PC) Write protecting a hard disk (Mac) Virus papers (finally) available on Lehigh LISTSERV --------------------------------------------------------------------------- Date: Mon, 24 Apr 89 15:37:13 +0200 From: Y. Radai Subject: Re: CheckSum Methods of Virus Detection (PC) Peter Jaspers-Fayer (in Issue 93) mentioned that CHECKOUT does not checksum the boot sector. It's strange, but despite the abundance of boot sector viruses, few checksum programs are any better in this respect than CHECKOUT. In fact, of the over 20 such programs I have heard of for the PC, none of the freeware/shareware ones and not too many of the commercial ones checksum the boot sector. And even of those who are aware of the need to checksum the boot sector in addition to files, most seem to miss the fact that the *partition record* also contains code which is executed when booting from a hard disk. And there's at least one virus (the "Stoned" or "Marijuana" virus, which apparently originated in New Zealand) which exploits this fact. Note, by the way, that Len Levine's method (in Issue 95) of copying the content of the boot block to a file won't work in the case of the partition record since DEBUG can't access it. Concerning Len's solution for the boot block, he writes: >Note that a virus that affects every read made from the disk, >detects an attempt to read the boot block, and passes you a copy >of the good boot block instead of the infected one, will defeat >this. But that's only if the virus is already in memory. You can avoid this problem by running the checksum program immediately after cold booting from a system which is known to be clean (as was mentioned recently by David Chess). Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: 24 April 1989, 11:26:40 EDT From: David M. Chess Subject: re: Information wanted on "Stoned" virus (PC) Tom Sheriff asked about this virus back on 4/17. I've seen it, and done a certain amount of analysis. It seems to infect both floppies and hard disks. It captures INT13, and uses that to try to infect any floppies read or written in drive A: (BIOS 00). If an infected floppy is used to boot a machine with a C: drive (BIOS 80), the c: drive will become infected. If an infected floppy is booted at just the right time (it tests the system clock), the message (or at least the first sentence) is displayed on the screen before the boot occurs. The message will not be displayed when booting from an infected hard disk. The virus is rather lazy, and uses hard-wired locations to store the original boot record. So it will overlay possibly-in-use tracks when it infects a new disk or diskette. That's the only "destructive" behavior that I saw. It makes no attempt to hide, and an infected boot record can be visually identified by the presence of the message. Automatic programs that watch for changes to boot sectors should have no trouble spotting it, either. Usual disclaimers: the virus that I'm describing here may not be the same one you're infected with!! Get a guru to analyze yours thoroughly before deciding that you're clean. (If it *is* the same one I've seen, it'll be pretty simple to analyze...) Dave Chess Watson Research ------------------------------ Date: Mon, 24 Apr 89 15:21:50 EDT From: "Gregory E. Gilbert" Subject: Write protecting a hard disk (Mac) Is it possible to lock a Macintosh hard disk so as to protect it from an infection? ------------------------------ Date: Mon, 24 Apr 89 15:32:19 EDT From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk) Subject: Virus papers (finally) available on Lehigh LISTSERV After much prodding, I've placed most of the virus papers that we've accumulated on the LISTSERV@LEHIIBM1.BITNET. BITNET users can now obtain these files from LISTSERV (please don't send your requests to the list - it won't work). Note that the series of reports on the Internet worm are not included on the LISTSERV, primarily for reasons of size (most of them exceed the BITNET limit of 300000 characters, as stated in the BITNET Usage Guidelines). These files, as with the ones on lll-winken.llnl.gov, are also accessible via anonymous FTP to IBM1.CC.Lehigh.EDU. Also, I was asked to include a description (or abstract) of each of the documents. Here is what I have (along with filenames in CAPS), in no particular order: "Coping with Computer Viruses and Related Problems" by Steve R. White, David M. Chess, and Chengi Jimmy Kuo of IBM January 1989 LISTSERV Filename: IBM PAPER ABSTRACT: We discuss computer viruses and related problems. Our intent is to help both executive and technical managers understand the problems that viruses pose, and to suggest practical steps they can take to help protect their computing systems. "Developing Virus Identification Products" by Tim Sankary Copyright (c) 1989, all rights reserved. (April) 1989 LISTSERV Filename: IDENTIFY TXT DESCRIPTION: This paper presents techniques for virus identification. "Net Hormones" by David S. Stodolsky, PhD. of Copenhagen University Copyright (c) 1989, all rights reserved. March 1989 LISTSERV Filename: HORMONES NET ABSTRACT: A new type of infection control mechanism based upon contact tracing is introduced. Detection of an infectious agent triggers an alerting response that propagates through an affected network. A result of the alert is containment of the infectious agent as all hosts at risk respond automatically to restrict further transmission of the agent. Individually specified diagnostic and treatment methods are then activated to identify and destroy the infective agent. The title "Net Hormones" was chosen to indicate the systemic nature of this programmed response to infection. "Computer Viruses: A Rational View" by Raymond M. Glath of RG Software Systems, Inc. April 1988. LISTSERV Filename: VIRUS GLATH DESCRIPTION: This paper presents an overview of viruses and associated terminology. It examines such topics as how one might become infected by a virus, and what to do if one does become infected. It also sets guidelines for virus prevention and removal. "The Infection of PC Compatible Computers" by Stephen E. Kiel and Raymond K. Lee of Georgia Tech Summer 1988. LISTSERV Filename: VIRUS KIEL DESCRIPTION: The recent publicity over computer viruses has produced mixed reactions and much confusion inside, as well as outside, of the computing industry. The conflicting opinions are caused either by a misunderstanding of what viruses are or a lack of understanding of their potential problems. This paper answers those questions and in addition, gives a description of currently suggested methods for IBM PC's and compatibles for detecting, preventing, and eliminating viruses. A highly technical discussion is not the objective, but rather a broad overview is given along with sources of additional information and assistance. "Potential Virus Attack" by L. P. Levine of University of Wisconsin-Milwaukee September 1988 LISTSERV Filename: VIRUS LEVINE DESCRIPTION: This paper examines the vulnerability to viruses of Dr. Levine's computing environment and suggests methods for reducing its risk. "Virus 101" (Chapters 1-4) by George Woodside March 1989 LISTSERV Filenames: V101 1 V101 2 V101 3 V101 4 DESCRIPTION: This series of papers present an in-depth look at viruses, in the form of a virus "course" of four chapters. Note that many of the author's statements are specific to his ATARI ST. Enjoy, Ken ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253