VIRUS-L Digest Monday, 24 Jun 1991 Volume 4 : Issue 108 Today's Topics: Weird things in our LAN! (Mac) Re: Can such a virus be written .... (PC) Re: Can such a virus be written .... (PC) DesasterMaster 2 Re: Interesting interaction ( VIRx & SCAN ) (PC) Interesting interaction (PC) doom 2 (PC) Re: Hypercard Antiviral Script? (Mac) Re: Can such a virus be written .... (PC) Disk Killer Virus (PC) Re: Software Upgradable BIOS (PC) Re: protecting mac files via locking (Mac) Thanks for help (virus papers) joshi & vsum & f-prot & ll format (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 21 Jun 91 01:32:11 +0000 >From: choda@milton.u.washington.edu (Bob Marley) Subject: Weird things in our LAN! (Mac) We have a small problem in our LAN here. We have a dedicated server (SE/30) serving about 30 pluses (1meg mem etc). We have to start them off of workstation disks. This has been happening periodically throught the year, every once and a while one of the workstation disks appears to be turned invisible. All the files are GONE. They are there, it says that the space is being used, and the disks boot etc. They are NOT invisible however. I have gone in with absolutly every file/disk/etc utility to look for them. Resedit, disktools, the works. The only invisible file on any of the disks was the (obviously) desktop. Now, the other day, we got one of our pluses back that we had loaned out, and we discoverd that on the 20meg hard drive, it happend AGIAN. ALL the files invisble. The person who had it was freaked, for he thought he had deleted the entire harddrive. We have checked for viruses, and havent found any... It is just plain WEIRD. Anyone have any ideas on what could be done, to fix this before it hits our server and makes EVERYTHING there invis? Help! ------------------------------ Date: Fri, 21 Jun 91 17:43:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Yes. But on a PC this requires certain conditions, which mean it probably wouldn't spread very far. Mark Aitchison, Physics, University of Canterbury, New Zealand. ------------------------------ Date: 21 Jun 91 09:39:26 +0000 >From: Doug Krause Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: # # Is it possible to write a PC virus which installs itself whenever #you place an infected disk in the drive and do a DIR command ? Doesn't STONED act that way? Douglas Krause One yuppie can ruin your whole day. - ---------------------------------------------------------------------- University of California, Irvine Internet: dkrause@orion.oac.uci.edu Welcome to Irvine, Yuppieland USA BITNET: DJKrause@uci.edu ------------------------------ Date: Fri, 21 Jun 91 11:45:29 +0000 >From: tsruland@faui09.informatik.uni-erlangen.de (Tobias Ruland) Subject: DesasterMaster 2 high all! does anybody know the amiga "desastermaster 2"-virus how it works and what it does? cu Tobias ------------------------------ Date: Thu, 20 Jun 91 17:23:19 >From: c-rossgr@microsoft.COM Subject: Re: Interesting interaction ( VIRx & SCAN ) (PC) >From: kforward@kean.ucs.mun.ca (Ken Forward) > >p1@arkham.wimsey.bc.ca (Rob Slade) writes: >> Noted an interesting interaction between two antivirals the other day, > >Tried this out for myself; no 3445 or Doom 2, but Taiwan3 [T3] was >"found" in memory. Has anyone experienced any other false positives >with this combination ? It goes to show that the viral strings used in Program A might also be used in Program B. The string database is large enough that it probably spanned more than a few DOS buffers: depending on what buffers were used by subsequent code, different portions of the string database might be left in different areas of memory, thereby those who share our strings will have different "hits" at different times. The new cut of VIRx with new strings added (a bunch) and some bug fixes is due out any second... Ross ------------------------------ Date: Wed, 19 Jun 91 18:53:21 >From: c-rossgr@microsoft.COM Subject: Interesting interaction (PC) >From: p1@arkham.wimsey.bc.ca (Rob Slade) > >Noted an interesting interaction between two antivirals the other day, >and finally tracked it down. If VIRx 1.4 is run before SCAN 77, SCAN >will "detect" the presence of the 3445 and Doom 2 viri in memory and >refuse to run. Sigh. Color me dumb. I forgot to call the zap_virus_strings() routine under certain conditions, so I left a lot of strings in memory. It looks like the McAfee scanner uses some of the same strings we do... This has been fixed in the next release of VIRx, due out in a few days. Lots of other good stuff in the new one, too. Ross - ------------------------------ Date: Wed Jun 19 18:53:21 1991 >From: c-rossgr@microsoft.COM Subject: joshi & vsum & f-prot & ll format (PC) >From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves) > >Vsum still says no utility will remove joshi and that low >level format is required... Vsum is totally wrong. Virex-PC has been able to cure Joshi for quite a while (> six months, at least). > Is their a utility Ms Hoffman? perhaps yuou just don't want to >admit it because McAffe's can't? (i have not tried McAffee but I >assume she'd say if his did.) Interesting idea.... Ross ------------------------------ Date: Thu, 20 Jun 91 19:34:27 >From: c-rossgr@microsoft.COM Subject: doom 2 (PC) >From: Eric_Florack.Wbst311@xerox.com > >It would appear to me that VIRx 1.4 isn't cleaning up after itself. >You guys just ran accross different bits of code because of different >ares of RAM being used to store the search strings. (Will I ever live this down? One mistake and *bingo!* all over the place. Sigh.) >The second point is that it's a security problem for all computer >users. Consider: It's simplicity itself for someone who can write a >virus to tear apart the non-encrypted VIRx code and determine the >search strings used in VIRx. Actually, the strings are trivially "encrypted" to prevent the image out on disk from triggering who-knows-how-many other scanners out there. The image I left in memory is *after* the decryption. Why, you might wonder, don't I use a more complex en/de-cryption scheme? The answer is simple: whatever for? The bad guys can certainly break whatever coding scheme I use, thereby using the string list just as if it were not encoded at all. Since it is trivial to make a program that can determine what string a scanner is using, using complex schemes serves no purpose except to a)give more areas for weird bugs to show up, b)a tad of time spent by *every* user in the decrypt routine. The signature a scanner uses is of no use to a bad guy unless he or she already has the subject virus on hand, in any case. >Now, this in itself wouldn't be a problem, I guess, but consider that >what SCAN saw, were the search strings that VIRx was using.... meaning >they're using the SAME strings. Based on this info, anyone who wanted >to, could, in theory, modify the virus enough that the string would no >longer bee caught by the current search strings. In many viruses (virii?) there is only a small area that you can use to figure out a decent signature. Two scanners using a similar area should not be considered unusual. One of my favorite areas to use is the "Are you there?" call most resident viruses use: I assume most others use it, too. For viruses that I don't have on hand, I use the Virus Bulletin list: I would presume that the bad guys have as much access to that list as McAfee's scanner programmers do, too.... >Encrypting the search strings in your code, therefore is always a good >idea, as is cleaning up the mess your program makes in RAM. VIRx, >apparently doesn't address these two points. Wrong on both counts. It is interesting, though, that about 20 beta testers did not find that problem at all.... One of the interesting things: Microcom, the people who publish and market my code, is expressly forbidden from using McAfee products by the vendor itself. This is interesting since Microcom was, until recently, a member of the so-called CVIA, paying their dues and getting *absolutely* none of the privs supposedly associated with that membership. Ross ------------------------------ Date: Thu, 20 Jun 91 23:53:45 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: Hypercard Antiviral Script? (Mac) Actually, Eric, you will find that there appears to be a bug in 2.0v2, and you can intercept SETs that are SEND'ed (sorry, but SEN(t)D?)...anyway, having not tried this trick in 2.1, I don't know if it will work...and, as usual, I wouldn't trust the documentation - try looking at the params of the SET command. As far as the rest of this discussion goes, I have been playing with fire & my own viri (for test purposes, folks, so relax...then again, with the couple of times I've been corrected, these critters wouldn't do much harm anyway...) and as long as LockMessages is set, and as long as one checks the script of stack xxx before opening it, it's essentially impossible to infect yourself by opening a stack - ASSUMING YOU CHECK THE SCRIPT OF THE STACK FIRST. The code to scan a stack is essentially the same as the SearchScript code that y'all will find in your HOME stack, only you have to modify it to accept a file name (answer file...everyone remember now?...) anyway, after you do that, the search string is "set the script of". HOWEVER, it is possible that someone has the viri sitting in an XCMD or XFCN which they invoke, so you should also check the resources they have attached to their stack...so you see, it becomes a pain to simply scan the stack script because you also need to scan the resources to be effective. Mike. Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ Date: Fri, 21 Jun 91 17:08:31 +0000 >From: bdh@gsbsun.uchicago.edu (Brian D. Howard) Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > Is it possible to write a PC virus which installs itself whenever >you place an infected disk in the drive and do a DIR command ? Yes. You'd have to change command.com and have a dir.com or dir.bat just sitting there. I've actually manually done something like that as a prank (stay away from me on april 1...) (You asked merely if it was *possible*. Now, do you think you've got something like that going on?) - -- "Hire the young while they still know everything." ------------------------------ Date: Fri, 21 Jun 91 14:36:00 +0000 >From: Jim Schenk Subject: Disk Killer Virus (PC) Hello, Does anyone have information on the Disk Killer Virus? (I've already got Patricia Hoffman's VSUM - I need some more detailed info). Running F-PROT 1.15A on a DTK 286 under MS-DOS 4.01 results in the following: This boot sector is infected with the Disk Killer virus. Disinfect? Y Can not cure - original boot sector not found. Any help would be greatly appreciated. Jim Schenk University Computer Services Florida International University Bitnet: jims@servax Internet: jims@servax.fiu.edu ------------------------------ Date: 21 Jun 91 21:22:40 +0000 >From: rick@pavlov.ssctr.bcm.tmc.edu (Richard H. Miller) Subject: Re: Software Upgradable BIOS (PC) ingoldsb%ctycal@cpsc.ucalgary.ca (Terry Ingoldsby) writes: > It is not even necessary to place it under hardware control, rather if > the hardware incorporates an interlock that requires a special, > possibly unique, code, then the viruses could bash at it forever > (almost) without success. > > For example if each machine thus manufactured were assigned a unique > value in EPROM (which could not be read by the CPU), say of length 64 > bits, then the user could be queried, by the software upgrade program, > to enter the key. If the key matched, the EAROM would be modified, > otherwise nothing would happen. this is a nice though in theory, but in practical terms, would be a logistical nightmare for sites which have a large number of PCs or that swap components. This would require that detailed records be kept each PC and each time a motherboard is swapped or the BIOS is replaced rather than updated.In all likelyhood, two things would happen 1) The 'key' would be written on the PC which would give you the same protection as hardware control. 2) Someone would loose their key and the BIOS chips would have to be replaced. Another approach is to use a lock mechanism with a key to update the BIOS. For the single user or sites which do not require central configuration management, the key could stay in the PC [as it does not in most cases.] For sites which do use central configuration management, the key would be kept away from the PC to prevent BIOS upgrades except under controlled circumstances I do think that upgradeable BIOS under these circumstances is a good idea. This is a concept which has been very successful in the larger systems for quite a long time as would work well with necessary controls. It would certainly be much easier to load the BIOS from floppy for 1,000 PC's than to replace the BIOS PROMS. - -- Richard H. Miller Email: rick@bcm.tmc.edu Asst. Dir. for Technical Support Voice: (713)798-3532 Baylor College of Medicine US Mail: One Baylor Plaza, 302H Houston, Texas 77030 ------------------------------ Date: Fri, 21 Jun 91 23:46:32 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: protecting mac files via locking (Mac) NO! ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM. IT IS IMPOSSIBLE TO PROTECT A FILE BY LOCKING IT. PERIOD. ABSOLUTELY NOT. IT DOESN'T HAPPEN. The only way to protect a file is to have it on a locked volume. Now I don't know if SAM is beyond this, because I haven't tried it...yet (hey, c'mon, I read newsgroups on Internet in what little free time I have between my job at xxx and handling the lab here. However, I have an "utility" which will overwrite any resource in any file, and that's all the more specific I am going to get about it because I don't want some amateur hack reading this to get any ideas. Saying that it can be done is bad enough - it encourages the ones that don't know ... yet. At any rate, file locking AND PROTECTING (via some sector editor) do not stop this "utility" from working - no, it's not ResEdit, but I haven't tried ResEdit, although I would assume that it won't work. So, there is NO WAY to stop a file on an unlocked volume from being written to, changed, etc. Sorry. Mike. Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ Date: Sun, 23 Jun 91 22:11:24 -0500 >From: Mac Su-Cheong Subject: Thanks for help (virus papers) Dear netters : About a month ago I had asked for help with virus papers. Here is the original request : > I am looking for the following thesis : > > F. Cohen, "Computer Viruses", Ph.D. Dissertation, University of Southern > California, 1986. > > Can I get it from some anonymous ftp sites ? If no, how can I get it. I am >trying to gather papers about viruses. Any help is appreciated. I have got several responses for the request. Someone suggest me to get the books COMPUTE!'s COMPUTER VIRUSES and COMPUTE!'s COMPUTER SECURITY, but I have not found them yet. Another one suggest me to log on ftp.cs.widener.edu (192.55.239.132) but I can't find virus paper. A nice guy find the paper in library and send me the abstract. Later I have found some papers from the following anonymous ftp sites : cert.sei.cmu.edu pub/virus-l/docs cs.toronto.edu doc/pc-virus.notes There are many virus papers on the Magazine "Computers & Security", but they are not collected in my local library :-( Especially thanks to Ralph Roberts, Alan Jones, Mark, and Malcolm. They are so kind for doing such a lot to me. This is the first time I write a summary. If there is something wrong, please tell me. Thanks for your time. Mac Su-Cheong (MSC) nckus089@twnmoe10 msc@sun2.ee.ncku.edu.tw ------------------------------ Date: Wed, 19 Jun 91 18:53:21 >From: c-rossgr@microsoft.COM Subject: joshi & vsum & f-prot & ll format (PC) >From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves) > >Vsum still says no utility will remove joshi and that low >level format is required... Vsum is totally wrong. Virex-PC has been able to cure Joshi for quite a while (> six months, at least). > Is their a utility Ms Hoffman? perhaps yuou just don't want to >admit it because McAffe's can't? (i have not tried McAffee but I >assume she'd say if his did.) Interesting idea.... Ross ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 108] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253