VIRUS-L Digest Tuesday, 25 Jun 1991 Volume 4 : Issue 109 Today's Topics: Re: protecting mac files via locking (Mac) Locking Disinfectant (Mac) Source for M-disk (PC) Inside the Whale-Virus (PC) Re: Hypercard Antiviral Script? (Mac) Re: Can such a virus be written .... (PC) Re: Can such a virus be written .... (PC) doom2:reply (PC) Virus checking for Sun4 (UNIX) Self-Modifying SETVER.EXE (PC) Product Review (PC Plus Mag) (PC) Re: Can such a virus be written .... (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 24 Jun 91 09:16:00 -0400 >From: John Chapman Subject: Re: protecting mac files via locking (Mac) ratzan@rwja.umdnj.edu (Lee Ratzan) writes: > Aplication locking on a Macintosh prevents a file from accidentally > being destroyed (trashed) and to some extent from being altered. > A user wants to know if locking Disinfectant on a hard disk will > prevent it from being itself infected from a virus emanating > from an infected floppy. > > The issue is whether we can trust a resident locked copy of > Disinfectant to remain clean even if the hard disk on which it resides > becomes infected. From what I understand, Disinfectant checks itself first thing when it is launched. If it has been altered in ANY way, it supposedly renames itself to something like 'Trash Me' and quits immediately. I think the check it performs on itself is a little more complex than just simple checksumming, but I am not sure. Anyway, the theory is that even if something were able to infect Disinfectant, it would not allow itself to be run. (For those interested, I think this is also why you cannot alter the MultiFinder partition size - it is somehow 'hard-coded' into Disinfectant such that changing it in the Finder Get Info box doesn't work). If you are particularly concerned, run the Disinfectant INIT on all boot volumes. This should prevent the infection of any program (not just Disinfectant) from any known virus. The INIT is unobtrusive, VERY small (read 5K) and is very effective against anything that's been found. If you want more complete protection, I would suggest trying GateKeeper (freeware) or the commercial packages SAM, Rival, or Virex. From what I have seen, all are excellent at blocking all known virus, but their main strength is their ability to catch & block new, unidentified viruses. Unfortunately, this means they are far more picky and sensitive than the Disinfectant INIT and may cause conflicts with (a few) software packages and INITs. By the way, the current version of Disinfectant is 2.4 and may be found on most good FTP archives (eg. sumex-aim.stanford.edu) as well as several mail server archives. > Lee Ratzan - - John T. Chapman ke2y@vax5.cit.cornell.edu ke2y@crnlvax5.bitnet Disclaimer: These opinions are my own and do not necessarily reflect those of the University or of the manufacturers of the products mentioned above. ------------------------------ Date: Mon, 24 Jun 91 09:15:49 -0400 >From: Joe McMahon Subject: Locking Disinfectant (Mac) On Thu, 20 Jun 91, Lee Ratzan asked: >A user wants to know if locking Disinfectant on a hard disk will >prevent it from being itself infected from a virus emanating >from an infected floppy. No, but it's not necessary to do that anyway. See below. >The issue is whether we can trust a resident locked copy of >Disinfectant to remain clean even if the hard disk on which it resides >becomes infected. Yes, you can. Disinfectant has two methods of dealing with attempted viral attacks on itself. First, its resource map is locked, meaning that Disinfectant's resources can't be diddled with by unsophisticated viruses; several of the older viruses are smart enough to unlock the file it it is locked, but are not smart enough to deal with a locked resource map. Second, Disinfectant verifies itself at startup, and will refuse to operate if it finds that it has been corrupted. I know of no virus smart enough to break into it as yet. >I have advocated that since we have no automatic virus checking >software which is activated upon disk insertion or start up and since >anyone can use the machine, the only way to be absolutely certain that >integrity has not been compromised each morning is to boot up first >with a trusted disk and run the trusted disk copy of Disinfectant >against the hard disk files. This is a reasonable procedure, especially since it really doesn't take that long, and it is definitely safe. You might want to consider augmenting Disinfectant with Gatekeeper and Gatekeeper Aid as well. This would help in stopping WDEF/CDEF infections, as Gatekeeper Aid checks disks as they are inserted. --- Joe M. ------------------------------ Date: Mon, 24 Jun 91 13:59:17 +0100 >From: ukpoit!dave@relay.EU.net Subject: Source for M-disk (PC) Does anyone know of a source for M-disk, purchase, BBS, etc ? Thanks in advance Dave ------------------------------ Date: Mon, 24 Jun 91 15:47:41 +0000 >From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: Inside the Whale-Virus (PC) Hello virus-community | About 2 month ago I got a (the) Whale-Virus from a friend, cause I've been interested in dissasembling that famous monster ( just from the size ). After long nights of work I discovered almost all of the code, and it seemed to be quite trivial , the unbelieveable mysterious actions I expected to see didn't exist. So the question is: IS there ANY action triggered beside copying the MBR from the 1st harddisk to a file appended with a warning message about the Fish #6 Virus and leaving some infected files destroyed ??? ( something like the nice falling letters triggered by the Cascade Virus ?? ) So long, Martin PS.: if anybody wants more or less specific information about the Whale , feel free to e-mail me. +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Mon, 24 Jun 91 08:53:39 +0800 >From: bcarter@claven.idbsu.edu Subject: Re: Hypercard Antiviral Script? (Mac) Greetings, >The code to scan a stack is essentially the same as the SearchScript >code that y'all will find in your HOME stack, only you have to modify >it to accept a file name (answer file...everyone remember now?...) >anyway, after you do that, the search string is "set the script of". >HOWEVER, it is possible that someone has the viri sitting in an XCMD >or XFCN which they invoke, so you should also check the resources they >have attached to their stack...so you see, it becomes a pain to simply >scan the stack script because you also need to scan the resources to >be effective. I doubt that a general scanner for HyperTalk viruses can be created due to the fact that all one has to do is encode the text of the script to be inserted, and make decoding part of the infection process. Using this method along with "do"s you would never see a plain text "set the script of" until it was too late. It wil probably be necessary to do as utilities such as Virex do, and enter specific characteristics of each virus for which to search. This is a tough area, every time someone here comes up with a way of blocking this sort of thing someone else comes up with a way around it. <-> Bruce Carter, Courseware Development Coordinator bcarter@claven.idbsu.edu Boise State University, Boise, ID 83725 duscarte@idbsu.bitnet (This message contains personal opinions only) (208)385-1250@phone ------------------------------ Date: Mon, 24 Jun 91 11:11:06 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Boy, I was hoping this one would go away but was rong again. 1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed. 2) Once you have executed a virus, it could take control of the PC and infect floppies in this manner as several people have pointed out, but you cannot BECOME infected in this manner. Padgett ------------------------------ Date: Mon, 24 Jun 91 11:11:20 -0400 >From: Kevin_Haney%NIHCR31.BITNET@CU.NIH.GOV Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Yes. But on a PC this requires certain conditions, which mean it probably wouldn't spread very far. Mark Aitchison, Physics, University of Canterbury, New Zealand. I would like to know just what these conditions are. If you have an clean, uninfected system with the normal system files, COMMAND.COM, etc., I would think that it is impossible to infect system memory or another disk by doing a directory listing on an infected diskette. (Of course, if you don't have a clean system with unmodified system files, anything can happen.) At no time does COMMAND.COM transfer program control to any executable code on a diskette when it does a directory listing via the DIR command. It looks at the diskette's root directory, files, and all other areas of the diskette as pure data. There is no way for a virus to become activated and infect a system if control is not passed to it at some point. With regard to the comment about the Stoned virus behaving this way, Stoned will infect a diskette if you do a DIR on it from a system which has the virus active in memory (as will most other memory-resident viruses). The only way for it to become active is by booting a system from an infected floppy or hard disk - it cannot become active if you do a DIR on an infected diskette from a clean system. And I would venture to say that this holds true for viruses in general. ------------------------------ Date: Mon, 24 Jun 91 08:26:53 -0700 >From: Eric_Florack.Wbst311@xerox.com Subject: doom2:reply (PC) Ross says: =-=-=-= >It would appear to me that VIRx 1.4 isn't cleaning up after itself. >You guys just ran accross different bits of code because of different >ares of RAM being used to store the search strings. (Will I ever live this down? One mistake and *bingo!* all over the place. Sigh.) - -=-=-=-=-= Ha. You mean I wasn't the first? :*> You say: - -=-=-=-=" Actually, the strings are trivially "encrypted" to prevent the image out on disk from triggering who-knows-how-many other scanners out there. =-=-=- On /DISK/, yes. But consider the amount of scanners, including MAcAffee that look at RAM, as well. False trip city, as we have seen. You say: - -=-=-= The answer is simple: whatever for? The bad guys can certainly break whatever coding scheme I use, thereby using the string list just as if it were not encoded at all. =-=-= This misses the point altogether. My point was simply that without encryption of one sort or another, even in RAM, another package wil false trip. If you think that people are going to depend on your package alone for protection, this might not cause a problem. But a realitry check, ( facilitated by a quick peek at the postings in here) will prove that doesn't happen. You say: - -=-=- The signature a scanner uses is of no use to a bad guy unless he or she already has the subject virus on hand, in any case. =-=-=- Of course not. My point in this case was the person doing the altering to routre around your code being the original author. Moreover, we have seen several varieties of a particular virus around, indicating more than one person altered one person's code. This is commonplace. (Can you say 'Stoned'? Sure. I knew you could.) Obviously, virus code is being passed around, by writers of such code, like a wine bottle at a garbage can fire. Getting the original code is therefore no problem. You say: - -=-=-= >Encrypting the search strings in your code, therefore is always a good >idea, as is cleaning up the mess your program makes in RAM. VIRx, >apparently doesn't address these two points. Wrong on both counts. It is interesting, though, that about 20 beta testers did not find that problem at all.... =-=-= First point: How on earth is cleaning up RAM you've allocated with your program before the program closes to be considered a BAD idea? Diito a string encryption? As for your beta testers not finding the problem, I suggest to you that perhaps they missed a major problem. WIthout being judgemental, here, finding this problem after beta was complete would seem to call into question the validity of certain of your test results. Regards to you. E (Normal employer isolation disclaimers apply here... IE: They may or may not agree with my thoughts in this matter) ------------------------------ Date: Mon, 24 Jun 91 14:33:45 -0600 >From: Xcaret Research Subject: Virus checking for Sun4 (UNIX) Can someone point me to information about virus checking for a Sun4 computer. Is there ftp'able software or any good commercial software? Thanks, John [Ed. While not specifically an anti-virus program, you might want to start by looking at COPS. It's available from comp.sources.unix and by anonymous FTP on cert.sei.cmu.edu.] ------------------------------ Date: 24 Jun 91 23:38:48 -0400 >From: Robert McClenon <76476.337@CompuServe.COM> Subject: Self-Modifying SETVER.EXE (PC) I just discovered after twenty minutes of unpleasantness that SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING CODE. The SETVER command is used to fake out applications which check the version of DOS. It seems that, rather than maintain a data file separate from the .EXE file, Microsoft has chosen to implement SETVER.EXE as a program which modifies itself whenever it is executed, so as to change a table that is part of itself. This is very unfriendly behavior for users who try to maintain any sort of discipline to control viruses, or any of various other sorts of discipline. Virex-PC gave me multiple alerts telling me that SETVER was trying to alter SETVER. Since the syntax of SETVER is a little peculiar and complex, I at first assumed that I had entered the command wrong and was doing something improper and that Virex-PC was protecting me from a mistake. It took me a while to realize that SETVER was REALLY trying to MODIFY itself and that Virex-PC was trying to protect me from a technically legitimate but undisciplined operation. Is anyone from Microsoft on this distribution list? Would they care to explain why they did such an undisciplined thing? Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: Tue, 25 Jun 91 09:54:36 +0700 >From: James Nash Subject: Product Review (PC Plus Mag) (PC) A well written article (for a change!) appears in the current issue of UK magazine PC Plus, called "Immune Systems". It sets out to explain viruses, offering concise understandable defintions of all those terms you know and love (plus "Armoured Virus"!). Anyway, the main body of Mark Hamilton's article is a review of 10 anti-viral software products. Nearly all of these are UK products, half of which I've never heard of before. It gives a real lashing to Defiant Systems' "Virus Hunter" and verbally assualts Visionsoft's "Immunizer". That latter one comes last in all the tests! The one he recommends is Jim Bates' (Bates Associates) "VIS Utilities" (5 * rating). Also praised are RG Software's "VI-SPY" - 'best US package' - - , Sophos' "Sweep" and S&S's "Dr. Solomon's". Software not included in the review were Mcaffee and F-PROT to name a few. For scanning accuracy, Bates came top, Solomon and Sophos close; only Norton, Visionsoft, Defiant Systems and Virex-Pc (1.1a) came below 75%. For scanning floppies (Speed), Bates came top, Central Point close, others struggling. For scanning Hard Disks (Speed), Norton came top (just), followed by Defiant Systems, Solomons, Bates and Central Point (ITO). If anyone wants more info, buy a copy of PC Plus or e-mail me direct. Please don't clog up the list with "me too" messages :-) - -- James Nash // Computing Services // Phone: x8644 // User ID: ccx020 (cck) - -I spilt Spot Remover on my dog and now he's gone. ccx020@uk.ac.cov.cck ------------------------------ Date: 25 Jun 91 10:12:24 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Can such a virus be written .... (PC) >vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > Is it possible to write a PC virus which installs itself whenever >you place an infected disk in the drive and do a DIR command ? Not only possible - many such viruses already exist. They are either boot sector infectors which intercept INT13 and infect a disk whenever it is read from, or file infectors which intercept the FindFirst/FindNext functions - the DIR and DIR-2 viruses are a prime example. - -frisk ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 109] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253