VIRUS-L Digest   Wednesday, 26 Jun 1991    Volume 4 : Issue 110

Today's Topics:

I'm not official!
McAfee on VSUM accuracy and Microcom (PC)
Re: protecting mac files via locking (Mac)
Self-Modifying SETVER.EXE (PC)
Re: Hypercard Antiviral Script? (Mac)
Re: Hypercard Antiviral Script? (Mac)
FPROT116.ZIP uploaded (PC)
Re: Can such a virus be written .... (PC)
Re: Can such a virus be written .... (PC)
Re: Can such a virus be written .... (PC)
Re: Can such a virus be written .... (PC)
Inside the Whale-Virus (PC)
Announcing McAfee VIRUSCAN Version 80 (PC)
Product Test - Central Point Anti-Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    24 Jun 91 14:55:48 -0400
From:    "David.M.Chess"
Subject: I'm not official!

A couple of (excellent) informational posts by Rob Slade recently have listed me and/or Bill Arnold as contacts for IBM's Anti-Virus Product. This is just a note to clarify: I'm just a humble researcher, *not* an official IBM contact of any kind. You can't buy the product from me, I'm not an Official Support Person, you shouldn't send me Purchase Orders, etc. This applies to Bill as well. I'm happy to answer questions about the product that come up on VIRUS-L when I have a chance, of course.
But to actually buy the product, talk to an IBM Rep (call your nearest IBM Branch Office; if they don't know about the product, tell them to "look in the SECURE section of NATBOARD", or give them my name), or look in the Electronic Software Delivery section of IBMLINK (if you're an IBMLINK customer). This all applies to Bill as well (unless he posts otherwise, hehe).

Dave Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date:    Tue, 25 Jun 91 10:04:30 -0700
From:    mcafee@netcom.com (McAfee Associates)
Subject: McAfee on VSUM accuracy and Microcom (PC)

The following message is forwarded from John McAfee:

I regret that I haven't had much time to keep up with Virus-L recently, especially since it is one of the more informative sources of virus information. Fortunately, Aryeh Goretsky, Morgan Schweers, Fritz Schneider and others have been kind enough to digest the bulk of the Virus-L information and forward to me bits and pieces that they feel my feeble mind can manage.

A couple of postings made recently by Terry Reeves and Ross Greenburg need a response. Specifically:

>From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves)
>Vsum still says no utility will remove joshi and that a low level
>format is required.....
> Is there a utility Ms. Hoffman? perhaps you just don't want to
>admit it because McAffe's can't? (i have not tried McAfee but I assume
>she'd say if his did.)

The McAfee Clean-Up program has been able to cure the Joshi since the Joshi first appeared more than ten months ago. What is curious about this message is that Terry has not tried our product, yet tacitly assumes that it cannot perform a given function. The reason he gives for this assumption is that the VSUM author doesn't want to admit that anyone could cure the Joshi because McAfee cannot. Have we really reached this level of acrimony within this industry?
Isn't it enough that most of us are trying our best to thwart a growing number of virus writers and an escalating infection incidence? Is there that much spare energy left to throw stones at people like Patricia Hoffman? If Patricia, who works harder at analyzing and reporting viruses than anyone I know, is now a flame target, then what's left?

I have been aware that VSUM did not report a disinfector for Joshi (even though Clean-Up had been disinfecting it for 8 releases of VSUM) but so what? Out of 500,000 bytes of fine reporting in VSUM, should I be so insecure that I have to correct Patricia's document so the world will know that the McAfee products disinfect yet another virus? Is there really time and energy for such trivia?

And the second posting:

>From: Ross Greenburg
>One of the interesting things: Microcom, the people who publish and
>market my code, is expressly forbidden from using McAfee products by
>the vendor itself.

This is news to the alleged vendor. Since McAfee Associates is the only vendor of the McAfee products I assume Ross means us. We have never refused to sell our products to anyone, and our policies will not change. It's a strange comment considering that 99.9% of all of our users use our products without telling us or paying us anyway (one of the side effects of shareware). How would we ever know?

In any case, it's good to exercise my fingers again and communicate with this growing body of concerned persons. My best wishes to my detractors (many), admirers (few) and lethargics (the silent majority) alike.

---- End of forwarded message.

While John is not regularly on the Internet, I will forward any replies to him; however, it would probably be best to contact him directly via telephone or fax at any of the numbers below.
Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date:    Tue, 25 Jun 91 10:56:52 -0900
From:    "Jo Knox - UAF Academic Computing"
Subject: Re: protecting mac files via locking (Mac)

On 21 Jun 91, mike@pyrite.SOM.CWRU.Edu (Michael Kerner) says:

> NO! ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM. IT IS IMPOSSIBLE TO
> PROTECT A FILE BY LOCKING IT. PERIOD. ABSOLUTELY NOT. IT DOESN'T HAPPEN.

Agreed.

> The only way to protect a file is to have it on a locked volume.

Depends upon how the volume is locked; the only true locking is hardware write protection, available on floppies and some optical drives (I think).

> However, I have an "utility" which will
> overwrite any resource in any file, and that's all the more specific I am
> going to get about it because I don't want some amateur hack reading this
> to get any ideas. Saying that it can be done is bad enough - it encourages
> the ones that don't know ... yet. At any rate, file locking AND PROTECTING
> (via some sector editor) do not stop this "utility" from working - no, it's
> not ResEdit, but I haven't tried ResEdit, although I would assume that it
> won't work.

I don't think any hacker's going to be surprised at this information; "File Locked", "File Busy", "File Protect" are just bits in the header information of the file; there are lots of utilities which can modify some or all of these file attribute bits---if Finder (just another program to the Mac) can set these bits, it's evident that other programs can, too, such as ResEdit, MacTools/FileEdit, SUM Tools, Fedit Plus, and DiskTop DA, to name just a few.

jo

------------------------------

Date:    Tue, 25 Jun 91 15:11:00 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Self-Modifying SETVER.EXE (PC)

>From: Robert McClenon <76476.337@CompuServe.COM>
> I just discovered after twenty minutes of unpleasantness that
>SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING
>CODE.
Actually, this is much better than earlier (beta) versions in which SETVER modified other things (even nastier). Since I did not bother to install SETVER, this is not a problem for me and I have not yet run into an application/game/etc. that requires its use, though I have heard rumors of such programs.

Further, once one teaches SETVER which (shouldn't be many) programs require DOS to report/act like a different version to work, SETVER should not be changing unless a new non-conforming program is added. Even so, the rate should not be a problem, & the user should know that something "legal" was done.

For some time, my feeling has been that "intelligent" anti-viral software should be able to recognize when a program is allowed to write to itself (SETVER, LIST) or to a limited subset of other programs (WSCHANGE - WORDSTAR) & notify the user but not make a fuss about it. Now if SETVER tries to modify LIST, I would be concerned, but not when it modifies itself when I ask it to.

To me, strict checksum coverage of 98% of my files is "good enough" (quantum economics) that not much safety would be lost if the other 2% were permitted LIMITED privilege with notification. Heck, the whole concept of "privilege" receives only lip service (and much obfuscation) from DOS.

IMHO, it would seem that Microsoft had a choice: let SETVER modify system files (tried & rejected in beta), a separate data file (possible but must always be able to find it), or itself. Given all the variables, I think they probably made the most efficient (but not necessarily the most popular to anti-virus program writers) decision.

Cooly,
Padgett

Might be some one else's opinion also but probably not my employer's.

------------------------------

Date:    Tue, 25 Jun 91 19:21:10 +0000
From:    EIVERSO@cms.cc.wayne.edu
Subject: Re: Hypercard Antiviral Script? (Mac)

>From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)

[stuff deleted]...
>and as long as LockMessages is set, and as long as one checks the
>script of stack xxx before opening it, it's essentially impossible to
>infect yourself by opening a stack - ASSUMING YOU CHECK THE SCRIPT OF
>THE STACK FIRST.
>
>The code to scan a stack is essentially the same as the SearchScript
>code that y'all will find in your HOME stack, only you have to modify
>it to accept a file name (answer file...everyone remember now?...)
>anyway, after you do that, the search string is "set the script of".
>HOWEVER, it is possible that someone has the viri sitting in an XCMD
>or XFCN which they invoke, so you should also check the resources they
>have attached to their stack...so you see, it becomes a pain to simply
>scan the stack script because you also need to scan the resources to
>be effective.

Mike, I appreciate what you're about & am not trying to engage in one-upmanship but....

Don't forget that the script could be in any object, not just the stack script or an XCMD. Maybe SearchScript checks all objects, I forget.

You won't find the string if it's concatenated--i.e.:

on openCard
  put "set the scr" & "ipt of ..." into virusVariable  --search would miss this
  --other malicious code goes here
end openCard

Thanks for the advice about being able to check for a "set" within a "send". I will really believe it after I test it, though. If you'd like, I could send you the exact script which I believe can bypass any HC "vaccine". Others need not ask, especially don't contact my ID directly.

--Eric

------------------------------

Date:    Wed, 26 Jun 91 01:01:06 +0000
From:    mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: Hypercard Antiviral Script? (Mac)

I agree that with do's it becomes harder to insure that you catch a virus, but I also think that it would be relatively easy to spawn out (e.g.
if the virus writer came up with his or her own encryption method and used the stack script with do's to unencrypt the scripts) and check fields and so forth for the necessary SETs. I hadn't thought about your idea before, but it is clever and does cloud the issue some more.

What can make it even harder is if the commands to be DOne are in a file which is also encrypted, and the stack first unencrypts the files then uses the code in the files and in the fields to unencrypt the other scripts that must be run.

My biggest concern, though, is that there will also be a resource lurking in a stack whose name and type and contents, obviously, can be changed to disguise them by the virus calling a code resource that it has attached to itself and thus fooling everyone, including the GateKeeper-like module of SAM. Why some virus hack hasn't done this yet is beyond me. The virus could be coded to encrypt itself on some date or time parameter and need the system date or some similar mechanism to untie itself, thereby making detection pretty difficult at best. The detection program would then have to look for the decoding resource, which may also be obscured by making it look like something else.

My head is spinning from all the possibilities. I'm just glad I don't have a PC and have to tolerate all their virus problems. To think this all started on a Mac.

Mike

------------------------------

Date:    Sun, 23 Jun 91 23:07:08 -0500
From:    James Ford
Subject: FPROT116.ZIP uploaded (PC)

The file FPROT116.ZIP has been uploaded to risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus.

Please note (once again) that mibsrv.mib.eng.ua.edu will no longer be available after June 24, 1991. The archive has moved to RISC.UA.EDU.

Please send all problems/complaints/suggestions to jford@ua1vm.ua.edu or jford@risc.ua.edu.

----------
You cannot antagonize and influence at the same time.
----------
James Ford - jford@ua1vm.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date:    Wed, 26 Jun 91 11:00:42 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Can such a virus be written .... (PC)

It seems I misunderstood a question which was posted here a while ago, so please disregard my earlier reply....

>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
> Is it possible to write a PC virus which installs itself whenever
>you place an infected disk in the drive and do a DIR command ?

I wrote:

>Not only possible - many such viruses already exist. They are either boot
>sector infectors which intercept INT13 and infect a disk whenever it is read
>from, or file infectors which intercept the FindFirst/FindNext functions -
>the DIR and DIR-2 viruses are a prime example.

But, as I said, this was a misunderstanding - I thought the original poster meant whether a resident virus could infect a diskette simply when the user issued a 'DIR' command. However, the question was whether a virus-infected diskette could infect the system when the user issued a 'DIR' command.

The answer to that question is a definite NO - on a PC, that is - but I am not sure if the same applies to the Amiga or the Mac - perhaps somebody else can clarify that.

Sorry about any confusion caused by my earlier reply...

-frisk

------------------------------

Date:    Wed, 26 Jun 91 11:19:00 +1200
From:    "Mark Aitchison, U of Canty; Physics"
Subject: Re: Can such a virus be written .... (PC)

Kevin_Haney%NIHCR31.BITNET@CU.NIH.GOV writes:

> vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt)
> writes:
>>
>> Is it possible to write a PC virus which installs itself whenever
>> you place an infected disk in the drive and do a DIR command ?

I wrote...

> Yes. But on a PC this requires certain conditions, which mean it
> probably wouldn't spread very far.
>
> I would like to know just what these conditions are.

I'm not sure if I should broadcast the way in which a virus could do this, but I suppose I could mention the conditions...

(1) Have ANSI.SYS (or similar) loaded,
(2) Possibly make assumptions about what the user will type next,
(3) Assume the user doesn't look too hard at the directory listing.

I would expect such a virus, if it can be written, to have a low chance of spreading far. However, it is important to accept that *possibly* a virus could spread on PC's this way.

Mark Aitchison.

------------------------------

Date:    Tue, 25 Jun 91 15:10:24 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: Can such a virus be written .... (PC)

dkrause@miami.acs.uci.edu (Doug Krause) writes:

> vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes
> #
> # Is it possible to write a PC virus which installs itself whenever
> #you place an infected disk in the drive and do a DIR command ?
>
> Doesn't STONED act that way?

Well, yes and no. (Parenthetically here, let me state that it is hard to state with much assurance "what 'Stoned' does", since it must be the most widely "strained" viral program around today. But anyway ...)

The Stoned virus usually will infect any disk that you "read" with a DIR command. But, in fact, it will infect just about any disk that it does access, regardless of how it does it. That said, the various strains show tremendous differences. I have one which will only infect disks in the A: drive, and another which refuses to infect anything unless some odd conditions are satisfied. (I haven't figured them out completely, but one sure way to infect a disk is to read it with PCTOOLS.)

(Sorry for the line noise today.)

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     (SUZY) INtegrity         | turn it on."
User              Canada V7K 2G6           | Richards' 2nd Law
Security                                   | of Data Security

------------------------------

Date:    Tue, 25 Jun 91 17:17:19 +0000
From:    kenm@maccs.dcss.mcmaster.ca (...Jose)
Subject: Re: Can such a virus be written .... (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:

>>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
>> Is it possible to write a PC virus which installs itself whenever
>>you place an infected disk in the drive and do a DIR command ?
>
>Not only possible - many such viruses already exist. They are either boot
>sector infectors which intercept INT13 and infect a disk whenever it is read
>from, or file infectors which intercept the FindFirst/FindNext functions -
>the DIR and DIR-2 viruses are a prime example.

I'm not sure that this (very correct) answer actually responds to the question. If I'm not mistaken, the question is whether a virus on a diskette can infect the system/hard drive simply by doing a DIR of the infected diskette; i.e. can simply reading the infected disk cause the virus to be loaded into memory. I can't see how. Mr. Skulason, I think, is referring to a virus already in memory subverting the DIR command to place itself on a clean diskette.

Have I interpreted everyone's statements correctly?

....Jose

-----------------------------------------------------------------------------
".sig quotes are dippy" | Kenneth C. Moyle            kenm@maccs.dcss.mcmaster.ca
 - Kenneth C. Moyle     | Department of Biochemistry  MOYLEK@MCMASTER.BITNET
                        | McMaster University         ...!uunet!mnetor!maccs!kenm

------------------------------

Date:    26 Jun 91 14:40:21 -0400
From:    "David.M.Chess"
Subject: Inside the Whale-Virus (PC)

No, I don't think anyone's ever found any evidence of any significant "payload" inside the Whale. It spent so much (primarily futile) effort in being hard to analyze that it didn't have room for any sophisticated payload (or even for correct operation, hehe!).
DC

------------------------------

Date:    Tue, 25 Jun 91 18:01:29 -0700
From:    mcafee@netcom.com (McAfee Associates)
Subject: Announcing McAfee VIRUSCAN Version 80 (PC)

WHAT'S NEW

VIRUSCAN

Versions 78 and 79 of VIRUSCAN were skipped because of two trojan horse versions that appeared. Version 80 of SCAN logically follows V77.

Version 80 adds several new features to VIRUSCAN:

The first is that SCAN now checks inside of files compressed with PKWare's PKLITE program for viruses. Files infected before compression will be reported as being infected internally. Files infected after compression will be reported as being infected externally.

When a subdirectory is scanned, SCAN will check subdirectories below that subdirectory when the /SUB option is used.

The extension .SWP has been added to the list of extensions scanned by default.

The /REPORT option now displays version number, options used, date and time, and validation code results.

Also, the capability to detect unknown boot sector viruses by scanning for virus-like code has been added. If a boot sector is found that contains suspicious code, SCAN will report that the disk contains an Unrecognized Boot Sector Virus.

51 new viruses have been added. Ones that were reported at multiple sites are:

The Telephonica virus -- a memory-resident multipartite virus that infects the boot sectors of floppy disks, the hard disk partition table, and .COM files. The virus infects .COM files at about 15 minute intervals, and keeps a counter of the number of reboots that have occurred. When 400 reboots have occurred, the virus displays the message "VIRUS ANTITELEFONICA (BARCELONA)" and formats the hard disk. The virus has been reported at multiple sites in Barcelona, Spain and in England.

The Loa Duong virus -- a memory-resident floppy disk and hard disk boot sector infector. It is named after a Laotian funeral dirge that it plays after every 128 disk accesses.
The Michelangelo virus -- a floppy disk boot sector and hard disk partition table infector based on the Stoned virus. On March 6, Michelangelo's birthdate, it formats the hard disk of infected PCs.

The Tequila virus -- sent to us from the United Kingdom but originates in Switzerland. It is a memory-resident multipartite virus which uses stealth techniques and attaches to the boot sector of floppies, the partition table of hard disks, and .EXE files. It contains messages saying "Welcome to T.TEQUILA's latest production.", "Loving thoughts to L.I.N.D.A", and "BEER and TEQUILA forever !"

CLEAN-UP

The Empire, Form, Loa Duong, Michelangelo, Nomenclature, Tequila and V-801 viruses have been added to the list of viruses that can be successfully removed.

VSHIELD

Version 80 of VSHIELD adds a command to ignore program loads off of specified drives. When the /IGNORE option is activated, the user can specify from which drives VSHIELD will NOT monitor program loads.

Also, the capability to detect unknown boot sector viruses by scanning for virus-like code has been added. If a diskette boot sector contains suspicious code and a re-boot request is attempted from the diskette, VSHIELD will disallow the re-boot and will report that the disk contains an Unrecognized Boot Sector Virus.

NETSCAN

Version 80 of NETSCAN adds 51 new viruses.

VCOPY

VCOPY Version 80 hasn't been released yet, but should follow in a couple of days, as usual.

THE NUMBER OF VIRUSES

Version 80 adds 51 computer viruses, bringing the number of strains to 293, or, counting variants, 714.

Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date:    Tue, 25 Jun 91 08:02:40 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - Central Point Anti-Virus (PC)

*******************************************************************************
                          PT-36                        June 1991
*******************************************************************************

1.
Product Description: Central Point Anti-Virus (CPAV) is a product to detect, disinfect and prevent virus infections as well as protection against the introduction of "unknown" and/or malicious code.

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 NW Greenbrier Pkwy., Suite 200, Beaverton, OR 97006. A marketing number, current as of 6 Jun 91, is 1-800-445-4064. The retail price of the product is $129.00. Site licenses are available.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-8174, DDN: drhodes@wsmr-emh04.army.mil; Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 110]
******************************************
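Padgett Peterson's SETVER message above argues that an integrity checker should allow a short list of programs to rewrite themselves (SETVER, LIST) or a limited set of other files (WSCHANGE and WordStar), notify the user, and still alarm on anything outside that list, such as SETVER touching LIST. The following is an added example of that policy, written for this digest and not code from any product mentioned in it. It assumes a resident monitor that records which program wrote which file (DOS offered no such thing; the write log here is constructed), and the file names SETVER.EXE, LIST.COM, WSCHANGE.EXE and WS.EXE are assumptions for illustration.

```python
"""Integrity checker with a per-program self-modification allowlist.

Added example for Padgett's suggestion; not code from the digest. The write
log (which program wrote which file) is assumed to come from a resident
monitor and is constructed here.
"""
import hashlib

# Programs permitted to rewrite a limited set of files without an alarm.
# File names are assumptions for illustration.
ALLOWED_WRITES = {
    "SETVER.EXE": {"SETVER.EXE"},    # SETVER rewrites its own version table
    "LIST.COM": {"LIST.COM"},        # LIST keeps its configuration in itself
    "WSCHANGE.EXE": {"WS.EXE"},      # WSCHANGE patches WordStar (assumed file name)
}


def checksum(data):
    return hashlib.sha256(data).hexdigest()


def take_baseline(files):
    """Map file name -> checksum for the current contents of every file."""
    return {name: checksum(data) for name, data in files.items()}


def audit(base, files, write_log):
    """Compare files against the baseline and classify each change.

    write_log is a list of (writer, target) pairs recorded by the monitor.
    Returns {file name: (verdict, reason)} with verdict "NOTIFY" or "ALARM";
    unchanged files are omitted.
    """
    writers = {}
    for writer, target in write_log:
        writers.setdefault(target, set()).add(writer)

    report = {}
    for name, old_sum in base.items():
        if name not in files:
            report[name] = ("ALARM", "file missing")
            continue
        if checksum(files[name]) == old_sum:
            continue                                   # 98% case: nothing to say
        who = writers.get(name, set())
        if not who:
            report[name] = ("ALARM", "changed with no recorded writer")
            continue
        unpermitted = sorted(w for w in who if name not in ALLOWED_WRITES.get(w, set()))
        if unpermitted:
            report[name] = ("ALARM", "rewritten by unpermitted program(s): " + ", ".join(unpermitted))
        else:
            report[name] = ("NOTIFY", "rewritten by permitted program(s): " + ", ".join(sorted(who)))
    for name in files:
        if name not in base:
            report[name] = ("NOTIFY", "new file, not in baseline")
    return report


def demo():
    """Constructed scenario: SETVER rewrites itself (permitted, notify only),
    SETVER rewrites LIST.COM (Padgett's worrying case), and COMMAND.COM
    changes with nobody recorded as the writer."""
    files = {
        "SETVER.EXE": b"setver code + version table v1",
        "LIST.COM": b"list code + config",
        "COMMAND.COM": b"command interpreter",
        "WS.EXE": b"wordstar",
    }
    base = take_baseline(files)

    # Simulated writes after the baseline was taken.
    files["SETVER.EXE"] = b"setver code + version table v2"    # user added an entry
    files["LIST.COM"] = b"list code + config + appended junk"  # written by SETVER
    files["COMMAND.COM"] = b"command interpreter + payload"    # silent change
    write_log = [
        ("SETVER.EXE", "SETVER.EXE"),
        ("SETVER.EXE", "LIST.COM"),
    ]
    return audit(base, files, write_log)


if __name__ == "__main__":
    for name, (verdict, reason) in sorted(demo().items()):
        print("%-7s %-12s %s" % (verdict, name, reason))
```

The allowlist is the whole point: it is the only place where "this program may write that file" is stated, so it stays small and every entry names both the writer and the target, which is what lets SETVER rewriting itself pass with a notice while SETVER rewriting LIST.COM still alarms.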
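Eric's reply in the HyperCard thread above points out that a SearchScript-style hunt for "set the script of" misses the string when it is assembled by concatenation, and Mike's follow-up adds that a `do` of run-time data makes the problem worse. The following is an added example for this digest, not code from either poster or from HyperCard: a plain substring search beside a search that first folds HyperTalk's `&` and `&&` joins of adjacent string literals, both run over constructed HyperTalk scripts, with a separate flag for any `do` statement because its content is unknowable until it runs.

```python
"""Naive versus concatenation-aware search for "set the script of" in HyperTalk.

Added example for the HyperCard thread; the sample scripts are constructed.
"""
import re

PATTERN = "set the script of"

# HyperTalk concatenation:  "a" & "b" -> "ab"     "a" && "b" -> "a b"
_JOIN_WITH_SPACE = re.compile(r'"\s*&&\s*"')
_JOIN = re.compile(r'"\s*&\s*"')
# A `do` statement executes whatever string it is handed.
_DO_STATEMENT = re.compile(r"^\s*do\s+\S", re.IGNORECASE | re.MULTILINE)


def naive_search(script):
    """What a literal SearchScript-style check does: case-insensitive substring test."""
    return PATTERN in script.lower()


def normalise(script):
    """Fold adjacent string literals so a pattern split across them reads as one string."""
    s = _JOIN_WITH_SPACE.sub(" ", script)
    s = _JOIN.sub("", s)
    return re.sub(r"\s+", " ", s).lower()


def folded_search(script):
    return PATTERN in normalise(script)


def uses_do(script):
    """True if the script runs text it builds at run time (Mike's 'do's')."""
    return bool(_DO_STATEMENT.search(script))


def scan(script):
    return {"naive": naive_search(script),
            "folded": folded_search(script),
            "uses_do": uses_do(script)}


# Constructed HyperTalk handlers.
SAMPLE_SCRIPTS = {
    # straightforward infector: caught by either search
    "plain": 'on openStack\n  set the script of stack "Home" to field "payload"\nend openStack',
    # Eric's trick: literal split with & and &&, then executed with do
    "split_literal": ('on openCard\n'
                      '  put "set the scr" & "ipt of stack " && "Home to myCode" into virusVariable\n'
                      '  do virusVariable\n'
                      'end openCard'),
    # ordinary concatenation, nothing to do with scripts
    "benign": 'on mouseUp\n  put "hello" & "world" into msg\nend mouseUp',
    # pattern assembled from character codes: neither search sees it, only the do is visible
    "char_built": ('on openCard\n'
                   '  put numToChar(115) & numToChar(101) & numToChar(116) into cmd\n'
                   '  do cmd\n'
                   'end openCard'),
}


def scan_all():
    return {name: scan(script) for name, script in SAMPLE_SCRIPTS.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print("%-14s naive=%-5s folded=%-5s uses_do=%s" % (name, result["naive"],
                                                          result["folded"], result["uses_do"]))
```

The `char_built` case is the honest limit of string searching: once the command is built from character codes, or decrypted from a field as Mike describes, only the presence of `do` (or of a code resource) is left to flag, which is why a scanner that only greps for the search string gives false confidence.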
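Mark Aitchison's conditions above (ANSI.SYS loaded, the user not looking closely at the directory listing) describe the one way a DIR of a diskette can do more than display names: whatever bytes DIR prints are interpreted by the console driver. The following is an added example for this digest, not code from any poster or product in it, of the check a practitioner would want on a diskette image: walk the raw FAT directory entries and report any name or volume label that contains an ESC byte, with a specific verdict for ANSI.SYS's keyboard-reassignment sequence (ESC [ ... p). The 32-byte entry layout used (11-byte name, attribute byte at offset 11, first byte 0xE5 for a deleted entry and 0x00 for end of directory) is the standard FAT layout; the directory image is constructed.

```python
"""Scan raw FAT directory entries for embedded ANSI escape sequences.

Added example for Mark Aitchison's conditions; the directory image is constructed.
"""
ESC = 0x1B
ATTR_VOLUME_LABEL = 0x08
ATTR_DIRECTORY = 0x10
ENTRY_SIZE = 32


def find_escape_sequences(data):
    """Return [(offset, raw_sequence, final_byte_or_None)] for every ESC in data.

    A CSI sequence is ESC '[' followed by parameter bytes and ended by the first
    byte in 0x40..0x7E outside a quoted string (ANSI.SYS allows "..." parameters).
    A bare ESC not followed by '[' is still reported, with final=None.
    """
    found = []
    i = 0
    while i < len(data):
        if data[i] != ESC:
            i += 1
            continue
        start, j, final, quote = i, i + 1, None, None
        if j < len(data) and data[j] == ord("["):
            j += 1
            while j < len(data):
                c = data[j]
                j += 1
                if quote is not None:
                    if c == quote:
                        quote = None
                elif c in (ord('"'), ord("'")):
                    quote = c
                elif 0x40 <= c <= 0x7E:
                    final = c
                    break
        found.append((start, bytes(data[start:j]), final))
        i = j
    return found


def classify(final):
    """ESC [ ... p is ANSI.SYS's key reassignment; anything else is still an escape."""
    if final == ord("p"):
        return "ANSI.SYS key reassignment"
    return "ANSI escape sequence"


def scan_directory(raw):
    """Walk 32-byte entries and report every name or label containing an escape sequence."""
    findings = []
    for index in range(len(raw) // ENTRY_SIZE):
        entry = raw[index * ENTRY_SIZE:(index + 1) * ENTRY_SIZE]
        if entry[0] == 0x00:
            break                       # end of directory
        if entry[0] == 0xE5:
            continue                    # deleted entry: DIR will not print it
        name, attr = entry[:11], entry[11]
        if attr & ATTR_VOLUME_LABEL:
            kind = "volume label"       # printed in DIR's header line
        elif attr & ATTR_DIRECTORY:
            kind = "directory"
        else:
            kind = "file"
        for offset, seq, final in find_escape_sequences(name):
            findings.append({"entry": index, "kind": kind, "name": name,
                             "offset": offset, "sequence": seq,
                             "verdict": classify(final)})
    return findings


def make_entry(name, attr):
    """Build one constructed 32-byte entry; the name is space-padded to 11 bytes."""
    assert len(name) <= 11
    return name.ljust(11, b" ") + bytes([attr]) + bytes(ENTRY_SIZE - 12)


# Constructed directory image: a volume label carrying a (harmless, A -> "A")
# key reassignment, a normal file, a file name carrying a colour sequence,
# a deleted entry, and the end-of-directory marker.
SAMPLE_DIRECTORY = b"".join([
    make_entry(b'\x1b[65;"A"p', ATTR_VOLUME_LABEL),
    make_entry(b"README  TXT", 0x20),
    make_entry(b"\x1b[31mXX", 0x20),
    make_entry(b"\xe5LD     COM", 0x20),
    bytes(ENTRY_SIZE),
])


if __name__ == "__main__":
    for f in scan_directory(SAMPLE_DIRECTORY):
        print("entry %d (%s): %s in %r" % (f["entry"], f["kind"], f["verdict"], f["name"]))
```

Any ESC at all in a name is worth reporting, not only the `p` form, because a colour or cursor sequence is exactly what lets an entry hide itself in the listing (Mark's third condition); the deleted entry is skipped because DIR never prints it, but a forensic pass over a suspect diskette would scan it too.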