VIRUS-L Digest   Friday,  9 Feb 1990    Volume 3 : Issue 35

Today's Topics:

There is no Ultimate Anti-Viral Solution!
More general questions about known viruses (PC)
Re: Identification strings
Towards a programmable virus scanner/cleaner
Re: GateKeeper Aid on AppleShare Server (Mac)
WDEF & rebuilding the desktop (MAC)
My Jerusalem B nightmare! (PC)
Gates of Hades ? (PC)
Virus insurance offered
Novell network virus ??? (PC)
Re: More about 847 (PC)
F-PROT Question (PC)
Disinfectant 1.6 (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

   - Ken van Wyk

---------------------------------------------------------------------------

Date:    06 Feb 90 01:40:05 +0000
From:    eachus@aries.mitre.org (Robert I. Eachus)
Subject: There is no Ultimate Anti-Viral Solution!

I read this group to keep track of potential new viruses that I may have to deal with, but there has been a lot of wasted bandwidth on whether or not some scheme or other will prevent viruses. If you are thoroughly convinced of this, press n now. For the rest of you:

There are three classes of unsolved problems: First, there are those which are theoretically soluble, but are, to the best of anyone's current knowledge, infeasible in practice. The second group is those problems which are provably infeasible. The third group is problems which have been proven insoluble using any type of solution, imaginable or otherwise.
This group includes problems like the Post Correspondence Problem, the Halting Problem, and universal virus detectors. Note that there are NO qualifications about the third group which allow anyone to hope that ANY problem in the third group is amenable to practical (as opposed to theoretical) workarounds. Realize that any assumptions about what a virus author will or won't do have to assume that he or she is a "determined adversary" who will take every opportunity to make things difficult for virus detectors.

It is easy to show that "prior" detection of virus programs, or detection of all virus programs, is in the third group. It is more complicated, but not significantly more difficult, to show that any universal viral detector (UVD from here on...) must define its own counterexample, just like the flask of universal solvent, and that virus authors will be able to take advantage of this.

(Since this is directed at some unspecified group of unintelligent people, not at YOU, I feel compelled to explain that last remark. :-) It is impossible to have a FLASK which can contain a universal solvent, if a universal solvent exists. Similarly, if I had the magical UVD that some people think can exist, I can create from it a virus that it cannot detect! If you don't understand this, go read "Godel, Escher, Bach" by D. Hofstadter, or any other lucid explanation of what Godel's Proof means; then, if you still don't understand it, try the following...

A month later already? Oh, you skipped GEB. No fair! Go back and read it, or give up your right to flame me because you don't understand the terminology.

Assume that I have a UVD that allows useful programs to execute, including scripts and interpreted programs, etc., while blocking (or detecting) all viruses. A program which blocks all, not just useful, programs from executing is easy to write and is usually called a virus or a Trojan horse.
(No, I take that back--it is called a lot of things; one of the printable things such a program is called is a virus.) The UVD, on the other hand, would certainly fit the definition of a useful program, so it must allow itself (and programs equivalent to itself) to execute. For any UVD there will be a class of programs for which it is undecidable, by ANY means, whether they are equivalent to the UVD. This class will include programs which accept a slightly different set of programs... for example, which allow viruses to execute while banning virus checkers (whoops! smells like a virus to me). This is based on the undecidable question of whether two arbitrary programs accept the same language.

Now finding a program which, in general, cannot be distinguished from some other hypothetical program is a theoretical possibility, but in practice is impossible. The problem of finding a program (a virus) which cannot be excluded by a particular program (your UVD) from a particular set of programs (all UVDs) is easily solvable. In fact, it is the problem that Godel solved back before Turing machines were invented, so the method is independent of things like whether computers are used.

Godel proved (constructively, remember--he didn't just show it was possible, he included the recipe) that a universal theorem prover could not exist, because if it accepted all true theorems (read: good programs) then it was possible to create a false theorem (virus) which it would also accept. He also proved that trying to build theorem provers with restrictions of the form "accepts most true theorems" (allows most useful programs to run) was a waste of time. He did this by showing that any theorem prover that accepted all theorems which could be proven using only the axioms of Peano arithmetic would also accept false theorems.
The equivalent for virus checker programs would be to show not that UVDs that permit spreadsheet programs to run are flawed, but that a UVD which allows "Hello, World" to run can be compromised.

If this still seems esoteric to you, just notice that many viruses try specifically to hide from virus checkers. In fact, some seem to have been created only after studying the code of the existing virus checkers to figure out how to avoid them. (It should go without saying, but... I hope no one will seriously propose that distribution of virus checker programs should be limited for this reason!) What happens then? The author of the virus checker gets a copy of the newest virus, and designs a new detector which finds this new virus, and so on ad infinitum, or until virus authors give up.

This is the reality. As long as virus authors exist, even inadvertent ones (once upon a time, way back before Robert Morris, Jr., the ARPAnet was brought to its knees by a bad message created by line noise...), there will be viruses around. If computer programs get smart enough to write their own virus checkers, you will still have the same problem: you won't be able to tell the good programming computer programs from the bad ones, just like the current situation with computer programmers. Or to put it differently, if it is possible to create a program which detects ALL viruses, we can use it to find all potential virus authors. What nonsense!

We now return you to your regularly scheduled newsgroup. Where hopefully no further proposals of UVDs will appear. :^)

(I'm not that much of an optimist. Some software vendors are STILL using copy protection schemes, even though every copy protection scheme tells anyone who studies it how to disable it. No, I don't pirate software. Yes, I do try to boycott any vendor stupid enough to use them.)

                                        Robert I. Eachus

with STANDARD_DISCLAIMER;
use  STANDARD_DISCLAIMER;
function MESSAGE (TEXT: in CLEVER_IDEAS) return BETTER_IDEAS is...
------------------------------

Date:    08 Feb 90 14:54:00 +0700
From:    T762102@DM0LRZ01.BITNET
Subject: More general questions about known viruses (PC)

Hi!

I have another three general questions about the known viruses.

(1). Is there a virus which can infect properly the two hidden DOS files (IBMBIO.COM & IBMDOS.COM or their MS-DOS equivalents)? Yes, I know that the Dark Avenger, for instance, will infect them --- just because they are .COM files --- but after that the system will become non-bootable. What I mean is --- is there a virus which targets these files --- like the Lehigh virus targets COMMAND.COM?

(2). Is there a virus which can infect *properly* overlays? Again, I know that some viruses will infect overlays, but the latter will be damaged.

(3). Are there viruses which infect .OBJ, .LIB, or .BIN files? Of course, such viruses can be designed, but is this already done?

                                        Vesselin

------------------------------

Date:    08 Feb 90 14:56:00 +0700
From:    T762102@DM0LRZ01.BITNET
Subject: Re: Identification strings

Hi!

In issue #32 Fridrik Skulason writes:

>So - you anti-virus writers out there: Please store identification
>strings encrypted, reversed or somehow modified.

And what if virus-scanning programs are written in such a way that they search for the identification string only in the place it has to be --- not in the whole file?

                                        Vesselin

------------------------------

Date:    08 Feb 90 14:55:00 +0700
From:    T762102@DM0LRZ01.BITNET
Subject: Towards a programmable virus scanner/cleaner

Hi!

Just a few hours ago I got an idea. I think that it's a good one; that's why I'm pretty sure that I'm not the first one who proposes this. If it is so (or if the idea is not good enough), just tell me.

We almost already have a programmable virus scanner. If memory serves, its name is VIRSCAN or something like that. It takes a text file which contains several entries.
Each entry consists of a virus name (e.g., Jerusalem A), where to search for this virus (e.g., COM EXE) and a hex string (in ASCII form), unique for this virus.

This idea can be developed further. We can design a high level language for searching and *clearing* viruses. For example, we can write such "procedures":

SearchProc DarkAvenger;                  /* Search procedure */
  Set VirName 'Dark Avenger';
  OnFound Message '$VirName found in $Media';
  Search For Hex '2E899C53002E8B9CFD062E899C51008C'
         At Offset -(1800 - 48) From End
         In (*.COM *.EXE);
EndProc;

ClearProc DarkAvenger;
  Move Word From Offset -11 From End To Offset ?? From Beginning;
  . . .
  Truncate By 1800;
EndProc;

The operators of the language are obvious:

;                    - ends each operator
/* comment */
SearchProc           - defines a search procedure.
ClearProc            - defines a clear procedure.
EndProc              - procedure end.
Set /* or */         - assigns a string ('Dark Avenger') or a number to a variable.
Message              - outputs a message to the screen. If the string contains $, the expected substitution occurs. If you want to output the '$' character, use '$$'.
OnFound              - executes every time the Search procedure finds a virus.
Accept               - reads a variable from the keyboard.
Search For At In ()  - searches for the in the mentioned places. If found, assigns the respective to the system variable Media.
Move From To         - does just what it says.
Truncate By          - truncates the file by a given number.
Unmark               - marks DosSector as free in the FAT.

Here
  ::= Hex '' : Ascii '*'
  ::= : 0x
  ::= Byte : Word :
  ::= Boot : Partition : DosSector : Sector ( )
  ::= * : *
  ::= : Offset From Beginning : Offset From End

The interpreter of the language will read the file and execute each search procedure. If one of them finds a virus, the respective clear procedure (if present) will be executed --- unless an option (e.g., -n) is given.

The language described above is much less sophisticated than, say, C or Pascal. The interpreter may even be a commercial product (hey, Borland, how about a Turbo Virus Cleaner?)
--- it need not be updated with each new virus. Instead the "programs" will be updated, and they can be public domain or can be distributed via e-mail by the antivirus researchers. If you are concerned that the virus writers will see how you recognize their virus (Hi John McAfee!), then you may use some form of compilation or even encryption by a user-supplied key.

Maybe the above idea is not so good, can be improved, or features have to be added to the language --- I'm waiting for your opinions.

                                        Vesselin

------------------------------

Date:    08 Feb 90 15:43:51 +0000
From:    blob@apple.com (Brian Bechtel)
Subject: Re: GateKeeper Aid on AppleShare Server (Mac)

PRUSSELL@OCVAXC.BITNET (Roberta Russell) writes:

> I installed Gatekeeper Aid on our AppleShare File and Print Server
> today.

Gatekeeper Aid is designed to prevent infection and spread of the WDEF virus. This virus affects the "Desktop" file, which is used by the Finder to store information about which icons go with which program, which application to open when you open a document, etc. AppleShare doesn't use the Desktop file. Instead, it uses two invisible files called "Desktop DB" and "Desktop DF" which are kept at the root of your volume. You can safely delete the "Desktop" file, using FEdit, MacSnoop, ResEdit, or similar tools. Once you do that, WDEF has no home, and no way to propagate from such a server. GateKeeper Aid then becomes superfluous on the server machine (only).

The message "GateKeeper Aid encountered FCB expansion" probably means that GateKeeper Aid noticed that AppleShare expands the number of File Control Blocks so that more files may be open on an AppleShare server than would be allowed on a user machine.

Disclaimer: I'm just another grunt. I haven't been actively fighting viruses, so don't take this message as Word From On High.
--Brian Bechtel     blob@apple.com     "My opinion, not Apple's"

------------------------------

Date:    Thu, 08 Feb 90 10:30:00 -0600
From:    Meesh
Subject: WDEF & rebuilding the desktop (MAC)

This may sound like a dumb question, but if WDEF infects the desktop, why don't you just hold down the option-command keys and rebuild your desktop the next time you reboot? Wouldn't that bump WDEF out of your system? Obviously, I wouldn't know; we haven't been infected by it. If you're running under Finder, you can rebuild your desktop while you're quitting from an application.

michelle g.
computing information services

------------------------------

Date:    Thu, 08 Feb 90 10:45:00 -0400
From:    Michael Greve
Subject: My Jerusalem B nightmare! (PC)

I want to thank all the people who sent me messages on using the CLEAN program. Unfortunately the program did not work. It removed the virus and shrank the .exe file from 260,000+ bytes to 84,000. Needless to say, this file didn't run. Does anybody have any other ways of getting rid of this virus? Is the Jerusalem virus a particularly difficult virus to get rid of???

Are PC viruses generally nastier and more difficult to get rid of than PC viruses?? We have 3 PC labs here at Wharton and haven't had any viruses hit them. We have one small MAC lab that has seen nearly every virus imaginable. Nearly every student's MAC disk has some kind of virus. I guess what I'm asking is, with all the PC viruses around, why aren't more machines infected? Are PC viruses harder to catch and harder to get rid of?

In the early days of viruses, 1986-1987, we had a couple of disks that had what was called a C-BRAIN virus. From what I remember all it did was change the volume name of your PC disk to C-BRAIN. I think there was a similar one called ASHUR. Were these really viruses?? Did they do any real damage? They seem tame compared to today's viruses. I remember everyone in my office panicking when a C-BRAIN showed up on a student's disk.
We had meetings, planned strategy, issued fliers to the whole school. Seems kind of silly if this virus did no damage.

Thanks for any assistance.

Michael Greve
University of Pa.
Wharton Computing
greve@wharton.upenn.edu

------------------------------

Date:    Thu, 08 Feb 90 15:57:30 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Gates of Hades ? (PC)

I just received an (unconfirmed) virus report - has anyone heard of a virus called "Gates of Hades"? It is reported to be able to do physical damage to hard disks.

Fridrik Skulason - University of Iceland, Computing Services.
frisk@rhi.hi.is     Technical Editor, Virus Bulletin.

------------------------------

Date:    Thu, 08 Feb 90 15:59:06 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Virus insurance offered

The Allstate Insurance Co. is now said to offer virus insurance. Its home and business insurance policies are also said to have been extended to cover virus damage to PCs.

Can anybody provide more details on what the fine print looks like? :-)

"...virus damage to PCs" sounds like insurance against viruses that make a computer go ***BOOOOOOMMMMM*** or turn into molten metal. :-) Do they also cover damage to data and lost work?

Fridrik Skulason - University of Iceland, Computing Services.
frisk@rhi.hi.is     Technical Editor, Virus Bulletin.

------------------------------

Date:    Thu, 08 Feb 90 16:00:31 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Novell network virus ??? (PC)

Can anyone confirm a report that a virus designed to attack Novell networks exists? This "virus" is said to scramble FAT information on the server, making all files there useless. It is quite possible that this "virus" does not exist, or that the original report was incorrect - maybe they just got attacked by a trojan (or a disk failure).

Fridrik Skulason - University of Iceland, Computing Services.
frisk@rhi.hi.is     Technical Editor, Virus Bulletin.
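Returning to the programmable scanner/cleaner language Vesselin proposes earlier in this digest, and to his reply on identification strings: the following is an added example, not code from the digest, from VIRSCAN, or from any tool named here. It implements one SearchProc/ClearProc entry in Python. The identification string is stored reversed and only reconstructed at match time (Fridrik's suggestion, so the raw pattern never sits in the scanner's own image), the search looks only at the stated offset instead of across the whole file (Vesselin's point, which also keeps the same bytes elsewhere in a clean file from raising a false alarm), the extension list from `In (*.COM ...)` is honoured, and cleaning follows the `Move ... From End` / `Truncate By` pattern. The host bytes, the marker `TOYMARK!`, and the appender layout (body appended, host's first three bytes saved 11 bytes from the end, a JMP patched at the entry) are constructed for the demonstration and are not any real virus's layout; `Signature`, `infect`, `find_at`, `clean` and `scan_files` are the example's own names.

```python
import binascii
import os
from dataclasses import dataclass

# Added example, not from the digest. One entry of a signature-driven
# scanner/cleaner in the spirit of the SearchProc/ClearProc language proposed
# on the list. The infection layout below is a constructed toy appender.


@dataclass(frozen=True)
class Signature:
    name: str
    exts: tuple                # In (*.COM ...): only these extensions are examined
    hex_reversed: str          # identification string stored backwards on purpose
    offset: int                # <0: At Offset N From End; >=0: At Offset N From Beginning
    truncate_by: int           # ClearProc: Truncate By N
    saved_entry_from_end: int  # ClearProc: Move 3 bytes From Offset -N From End To 0

    def pattern(self) -> bytes:
        # Reconstruct the real byte string only at match time, so the plain
        # pattern never appears in the scanner's own file or memory image.
        return binascii.unhexlify(self.hex_reversed[::-1])


BODY_LEN = 512                        # toy virus body length (Truncate By 512)
MARKER = b"TOYMARK!"                  # constructed marker, hex 544F594D41524B21
TOY = Signature(
    name="ToyAppender",
    exts=(".com",),
    hex_reversed="12B42514D495F445",  # "544F594D41524B21" written backwards
    offset=-(BODY_LEN - 48),          # marker sits 48 bytes into the appended body
    truncate_by=BODY_LEN,
    saved_entry_from_end=11,          # host's original first 3 bytes are kept here
)


def infect(host: bytes) -> bytes:
    """Constructed toy appender, used only to produce a sample for the scanner."""
    if len(host) < 3:
        raise ValueError("host too small for a 3-byte entry patch")
    body = bytearray(b"\x90" * BODY_LEN)
    body[48:48 + len(MARKER)] = MARKER
    body[BODY_LEN - 11:BODY_LEN - 8] = host[:3]
    rel = len(host) - 3                       # near JMP at offset 0 to start of body
    jmp = b"\xe9" + rel.to_bytes(2, "little")
    return jmp + host[3:] + bytes(body)


def find_at(data: bytes, sig: Signature) -> bool:
    """Search For Hex ... At Offset ...: check only where the string has to be."""
    pat = sig.pattern()
    start = len(data) + sig.offset if sig.offset < 0 else sig.offset
    if start < 0 or start + len(pat) > len(data):
        return False
    return data[start:start + len(pat)] == pat


def clean(data: bytes, sig: Signature) -> bytes:
    """ClearProc: put the saved entry bytes back, then Truncate By the body length."""
    if not find_at(data, sig):
        raise ValueError(f"{sig.name} not found at its expected offset")
    s = len(data) - sig.saved_entry_from_end
    return data[s:s + 3] + data[3:len(data) - sig.truncate_by]


def scan_files(files: dict, sigs: tuple) -> dict:
    """Run every search procedure over a {name: bytes} set, honouring each
    signature's extension list. Returns {filename: [virus names found]}."""
    hits = {}
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        found = [s.name for s in sigs if ext in s.exts and find_at(data, s)]
        if found:
            hits[name] = found
    return hits


# Constructed 12-byte .COM host; the bytes are arbitrary and never executed.
HOST = b"\xb4\x09\xba\x0c\x01\xcd\x21\xb8\x00\x4c\xcd\x21"

if __name__ == "__main__":
    sample = {
        "GOOD.COM": HOST,
        "BAD.COM": infect(HOST),
        "LOOKALIKE.COM": HOST + MARKER,   # marker present, but not at the expected offset
        "BAD.EXE": infect(HOST),          # not In (*.COM), so not examined
    }
    for fname, viruses in scan_files(sample, (TOY,)).items():
        print(f"{', '.join(viruses)} found in {fname}")
        print("cleaned back to original host:", clean(sample[fname], TOY) == HOST)
```

Only BAD.COM is reported; LOOKALIKE.COM carries the same eight bytes but not at the offset the entry specifies, and BAD.EXE is skipped by the extension list. A real entry would need the cleaning offsets filled in for the virus in question (the digest's own Dark Avenger sketch leaves them as "??"), which is exactly the part that changes from virus to virus while the interpreter stays the same.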
------------------------------

Date:    Thu, 08 Feb 90 13:09:57 +0600
From:    G7AHN
Subject: Re: More about 847 (PC)

This virus has been around for years. It was published in the April 1987 edition of PIXEL magazine, as an example of a virus program, and 3 months later the 'antibiotic' was published in the same magazine. They said that they delayed the release of the disinfector so that readers could set up a few practical jokes. I have the assembler source code with the original comments and the BASIC program. I got them from a friend of the author of the virus. The author is a well known computer wizard in Greece, known as Nick the Greek...

Costas Krallis
Imperial College London, UK
E-Mail: g7ahn@cc.ic.ac.uk
        ukc!iccc!g7ahn

------------------------------

Date:    Thu, 08 Feb 90 10:12:00 -0400
From:    "SCOTT D. GREGORY" <8805763@SCIvax.McMaster.CA>
Subject: F-PROT Question (PC)

An open question to frisk and the VIRUS list -

I have been using F-PROT as an installable device to check viruses since I downloaded it off SIMTEL (a while ago). My question concerns its actions/methods. I understand basically how SCANRES works as a TSR by trapping interrupts; does F-PROT work in a similar way? It seems such a small program when installed (1.5k). I assume it does what it is supposed to, though I hope it never needs to tell me that I'm loading a virus.

Scott G.
8805763@SCIVax.McMaster.CA

P.S. The docs say that it is supposed to notify of its installation - mine doesn't, but shows up on a device driver list (TSR 2.9 Utilities); is it working?

- Opinions Bought and Sold - Really Cheap - Politicians Welcome

------------------------------

Date:    08 Feb 90 17:56:41 +0000
From:    wahl-e@cis.ohio-state.edu (Edward A Wahl)
Subject: Disinfectant 1.6 (Mac)

YES! There is a Disinfectant 1.6. It is a quick release before version 2 is released to the public. It has a new algorithm that scans for a general virus of the nVIR A and nVIR B strains.
This does NOT protect against the NEW trojan designed to go off on 2/10/90! But it is a powerful tool. If anyone gets a copy and finds the new nVIR strains, please let me know.

------------------------------------------------------------------------------
only a mediocre man is always at his best                -W Somerset Maugham
It's better to be silent and thought a fool than speak and remove all doubt.
                                                         -Abraham Lincoln
Wahl-e@cis.ohio-state.edu    wahl-e@osu-20.ircc.ohio-state.edu
Ed Wahl  CIS/ENG             "What opinion, I'm brainwashed?!"
------------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest
*********************