VIRUS-L Digest Wednesday, 3 Jul 1991 Volume 4 : Issue 116 Today's Topics: General definition part 1 (general) Requirements for Virus Checkers (PC) New Release of VIRx: Version 1.6 now available (PC) FROD/4096 (PC) Disinfectant 2.5 (Mac) re: Can such a virus be written... (PC) (Amiga) Words, Words, Words Re: Dos Boot control with pascal. (PC) Disinfectant 2.5, To be or not to be? (Mac) Re: Software pricing IBM Write-Protection (was: Can such a virus be written ... ) (PC) sideshow on doom2:reply (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 01 Jul 91 20:59:49 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: General definition part 1 (general) DEFGEN1.CVP 910701 Towards a Definition of computer Viral Programs The "man on the street" is now often aware of the term "computer virus" even if he (or she) does not use a computer. However, it is often the case that those who are otherwise technically literate do not understand some of the implications of the phrase. This is not surprising in that the term is slang, is often misused, and that "hard" information is difficult to come by. It is important to know what a computer virus is if you are going to defend yourself against the many that are "out there." It is also important to know what a computer virus is not. There are other types of programs and situations which can do damage to your computer or data, and many of these will not be caught by the same methods which must trap viral programs. A biological analogy, which we find in the dictionary, is helpful. The Oxford English Dictionary, which speaks of: "... a moral or intelletual poison, or poisonous influence..." while satisfying to the wounded ego of those who have been hit is not terribly helpful in a technical sense. Webster, however, steers us in a more helpful route in stating that a virus is: "... dependent on the host's living cells for their growth and reproduction..." By elimating the biological references, we can come to the definition that a virus is an entity which uses the resources of the host to spread and reproduce itself without informed operator action. Let me stress here, the word "informed." A virus cannot run completely on its own. The computer user must always take some action, even if it is only to turn the computer on. This is the major strength of a virus: it uses *normal* computer operations to do its dirty work, and therefore there is no single identifying code that can be used to find a viral program. I must make mention, before I continue, of the work of Fred Cohen. Dr. Cohen is generally held to have coined the term "computer virus" in his thesis, published in 1984. However, his definition covers only those sections of code which, when active, attach themselves to other programs. This, however, neglects many of the programs which have been most successful "in the wild". Many researchers still insist on this definition, and therefore use other terms such as "worm" and "bacterium" for those viri which do not attack programs. copyright Robert M. Slade, 1991 DEFGEN1.CVP 910701 ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Tue, 02 Jul 91 12:30:07 >From: c-rossgr@microsoft.COM Subject: Requirements for Virus Checkers (PC) >From: Robert McClenon <76476.337@CompuServe.COM> > The second clause is true but sadly irrelevant. I wish every >developer were as attentive as Ross is to complaints. I wish every >vendor were as responsive as Ross and Microcom are. For those reasons >the first clause is good advice in general but not worth fighting >over. and thanks, but I think we could do better, frankly. All that, however, requires that users *actively* take part in the process of product development. If you're using a company's product and there's stuff about it that you don't like, think is needed, want in the next version --- call them up and tell them. Microcom actually pays people to listen to your suggestions (and the odd complaint, I guess) and writes them up. When we start talking about what to include in the next version of the code, the end user (the people with the money to buy the product) dictate what we stick into that next release. Be vocal! This isn't just for anti-virus products, of course: I've been involved in the commercial programming end of a number of products. We always work in an ideal world of what we think the world wants and neds...until them pesky end-users start telling us where we're wrong.... Heck, *I* was under the impression that everybody *loved* command line interfaces (maybe my UNIX background showing through?) --- but it seems people are in love with those hgorrid little drop and shadow boxes. Guess what Version 2.0 has in it.... Ross ------------------------------ Date: Tue, 02 Jul 91 12:37:00 >From: c-rossgr@microsoft.COM Subject: New Release of VIRx: Version 1.6 now available (PC) There were some problems with Version 1.5. Version 1.6 is now available on CIS, my BBS (212-889-6438) and, shortly, on SIMTEL-20. Hightlights: What's New In VIRx Version 1.6 ============================== Date: 7/01/91 1. VIRx Version 1.6 now detects six newly discovered viruses, bringing the total count to just over 500. 2. VIRx now indicates whether an infected compressed program was infected before or after the compression (PKLITE and LZEXE). This was trivial to implement, but a useful addition. 3. Another few cycles were shaved off our decompression routines: experience pays. For those wondering, all decompression routines are completely internal and done in memory --- and always have been. Problems Corrected from v1.5: 1. False positives for the "Sathanyc/Goblin/Necrop" viruses. VIRx Version 1.5 was incorrectly identifying "ICE'ed" programs as infected. An example of this was the well known TIMESET program: our apologies and gratitude to Peter Petrakis for being a good sport about our mistake. 2. Occasional false positives for "Scrnched" files: fixed. 3. The P1 Virus string was occasionally left in DOS buffers: another scanner program which apparently used the same string would make erroneous reports of an active P1 Virus in memory. This has been fixed. 4. Due to similar templating of the V2P6 Virus, VIRx would find a possible infection in the VDEFEND program. This was rectified. ------------------------------ Date: Tue, 02 Jul 91 15:31:51 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: FROD/4096 (PC) >From: Aviel Roy-Shapira >Clean (V. 77) cleaned the disk alright, but the infection >keeps poping up. It has become even wierder. Both Clean, Virus Scan, >and F-Fchk (115) report that all the files on my hard disk are free >from the virus. But, if I boot from the hard disk, and I run >F-SYSCHK, it says the virus is lurking in memory. I don't get this >warning if I boot from a floppy. This being the second time I have seen this type of posting with regard to Frodo/4096 & have two comments to make: the 4096 is a "stealth" virus & goes resident in memory. At least two of the scan programs mentioned will detect the 4096 in memory unless they are explicitly told not to (/nomem) in which case use will infect every file on the disk (yes I did, publicly, once, nevermore) However, this is one of the viruses that can be detected very easily in memory using CHKDSK. Most clean 640k PCs will report "655360 bytes total memory". If the 4096 is resident, this value will be somewhere below 652xxx bytes (CMA- do not have my notes here). If you have 655360 (everyone got it memorized now ?) you do not have the 4096 "classic" version. Cooly (monsoon season has started), Padgett ------------------------------ Date: Tue, 02 Jul 91 15:29:03 -0400 >From: Ed Maioriello Subject: Disinfectant 2.5 (Mac) All, I have seen many questions regarding the compatibility of Disinfectant 2.4 with Macintosh System 7 and the availability of Disinfectant 2.5. I have experienced no problems using Disinfectant 2.4 with System 7, though I understand the Disinfectant init should be left in the System Folder proper - not placed in the Extensions folder. The same is true of Disinfectant 2.5 and its init which is available off Sumex-aim.stanford.edu via anonymous ftp now. Ed Maioriello Bitnet: EMAIORIE @ UGA University Computing & Networking Servs. Internet: emaiorie@uga.cc.uga.edu University of Georgia Athens, Ga. 30602 (404)-542-8780 Where are the Snowdens of yesteryear? ------------------------------ Date: Tue, 02 Jul 91 19:12:28 -0500 >From: Finnegan Southey Subject: re: Can such a virus be written... (PC) (Amiga) Fridrik Skulason writes: >However, the question was >whether a virus-infected diskette could infect the system, when the >user issued a 'DIR' command. >The answer to that question is a definite NO - on a PC, that is - but >I am not sure if the same applies to the Amiga or the Mac - perhaps >omebody else can clarify that. This is definatly possible on Amiga's running Kickstart/Workbench 1.3 or lower. All AmigaDos commands are executable files so a file infector could easily use the dir or list commands. I've heard that Kickstart 2.0 has most AmigaDos commands in ROM (the ROMs are shipping now) but I'm not sure. That would be great from the virus perspective... - ----------------------------------------------------------------------------- Finnegan Southey - CCS HELP DESK, University of Guelph, Ontario, CANADA BitNet: ACDFINN.VM.UOGUELPH.CA CoSy: fsouthey@COSY.UOGUELPH.CA You are in a maze of twisty little passages, all alike. ------------------------------ Date: 02 Jul 91 23:20:29 -0400 >From: Robert McClenon <76476.337@CompuServe.COM> Subject: Words, Words, Words >Date: Mon, 01 Jul 91 20:39:06 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) >Subject: re: Words >vail@tegra.com (Johnathan Vail) writes: >> virus - a piece of code that is executed as part of another >>program >> and can replicate itself in other programs. The analogy to >>real >> viruses is pertinent ("a core of nucleic acid, having the >>ability to >> reproduce only inside a living cell"). Most viruses on PCs >>really are >> viruses. >> worm - a program that can replicate itself, usually over a >>network. A >> worm is a complete program by itself unlike a virus which is >>part of >> another program. Robert Morris's program, the Internet >>Worm, is an >> example of a worm although it has been mistakenly identified >>in the >> popular media as a virus. > >Question: > >Given that under these definitions boot sector infectors, > "spawning" viri and items such as Mac's WDEF are excluded from > "virus", does that make them all "worms"? > >If so, you will have to define "most viruses on PCs", since many >of the more successful PC viri are BSI's. This is very much a terminological issue at two levels. However, I would agree with Vail that the definitions are sound and do not require a modification of the statements that he made. The real issue is: "What is a program?" I submit that the Master Boot Record of a PC is a special-purpose program. Therefore a Boot Sector Infector such as Stoned is a virus using Vail's definition. Any code executed in the Desktop is a program, even if it is a Trojan horse program because it is taking advantage of a weakness in System less than 7.0. Therefore WDEF is a program infecting virus. A program is any stand-alone sequence of executable instructions, not just those executed by a valid call to the operating system. Slade has a good question. He is basically demanding clarification of terminology. We need that. Stoned is a virus. WDEF is a virus. The Morris worm was not a virus. It was a worm. Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: Wed, 03 Jul 91 05:30:58 +0000 >From: dave@tygra.Michigan.COM (David Conrad) Subject: Re: Dos Boot control with pascal. (PC) phys169@csc.canterbury.ac.nz writes: >SJS132@psuvm.psu.edu (Steve Shimatzki) writes: >> Does anyone know how I would make a program to boot off of floppy >> (fist, not boot, and then run...) or add it to the existing boot, >> so that I could have my program run first. >> >> I got curious about the new portable computer security software, that >> makes sure that it is booted with a 'KEY' disk, and I wanted to do >> something like that, but as PD (commercial is 99$!!!!) >> >(1) you can encode the hard disk (scramble sectors) so you have to boot off > a special floppy that replaces the BIOS to decode them correctly, Please, I have enough nightmares after my hard disk made that funny sound last week, I don't need the disk to be in some weird, non-standard and insufficiently well-tested format, thank you. >[Mark suggests that the BIOS could be replaced, and that the BIOS writers >need to help out the security/anti-viral effort. Amen.] > >Mark Aitchison. This has little to do with pascal, so I'm directing followups to comp.virus. David R. Conrad dave@michigan.com - -- = CAT-TALK Conferencing Network, Computer Conferencing and File Archive = - - 1-313-343-0800, 300/1200/2400/9600 baud, 8/N/1. New users use 'new' - = as a login id. AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET") = E-MAIL Address: dave@Michigan.COM ------------------------------ Date: Wed, 03 Jul 91 09:20:00 -0400 >From: "Mark Nutter, Apple Support" Subject: Disinfectant 2.5, To be or not to be? (Mac) p1@arkham.wimsey.bc.ca quotes from John Norstad: >>There is no Disinfectant 2.5, and there won't be one! Disinfectant 2.4 >>works fine with System 7, provided you leave the Disinfectant INIT in He then quotes "John's friend Chris" as saying: >>I already have 2.5, and it is already posted on DDCBBS, in case you do >>not believe that there is a version 2.5. I would suggest looking into He then asks: >========= > >What gives? > >========= I think the answer lies in the dates of the messages. I downloaded Disinfectant 2.5 yesterday (July 2), and noted in the help file that John is working on a 3.0 version that will be a lot more at home in System 7. Presumably, he was already working on this on 20 May 91, when his original message was posted, and was therefore expecting to go from 2.4 straight to 3.0. The recent discovery of a new strain of the ZUC virus, however, prompted him to release an interim update to 2.5. Unless someone has any proof to the contrary, I see no reason to suspect that 2.5 is not a bona fide release of Disinfectant. - ----------------------------------------------------------------------------- Mark Nutter MANUTTER@IUP Apple Support Manager Indiana University of Pennsylvania G-4 Stright Hall, IUP Indiana, PA 15705 "You can lead a horse to water, but you can't look in his mouth." - Archie B. ============================================================================= ------------------------------ Date: 03 Jul 91 13:44:53 +0000 >From: "Brian W. Gamble" Subject: Re: Software pricing padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: >I think I've missed something somewhere. $30/year for a single user >Hypercard stack of virus information (a very good one though I liked >it better as a flat ASCII file), $350/year for a soft cover anti-viral >magazine, and people are b*tch*ng about $1500/2 years with unlimited >updates to license software for 10 technicians to service (one would >expect) 10,000 PCs ? $0.15/pc ? They even give telephone support! The >answer is simple: if you don't like the price, buy something else (or >nothing), there are plenty of alternatives. > >Better yet, write your own software and support it yourself, that just >takes learning and effort. > >Problem is not many people today seem to have heard of John Galt or >TANSTAAFL. Yes Padgett, life is strange Your society and mine both seem to think that anything needed should be free for the asking. Any company who stands up and asks to be paid for their efforts is going to get lots of complaints. Actually, your postings and those from Aryeh Goretsky are clear and useful reading. My thanks to both of you. I would hardly call a license policy based on human nature a refusal to sell a product. Everything I read from the McAfee group about their license policies make a good deal of semse. They have a flexable policy that covers everybody from the single PC owner user, right up to a multinational company like the one I work for. You get what you pay for people, and frankly, I think the product is worth the price. Those who don't think the product is worth the price should quit wasting bandwith and buy something else. It is abundantly clear that McAfee has a product for sale, and very easy to find out what their sales policies are for any given situation. The only free lunch comes from friends, and even then it often isn't. The above line(s) are mine, but may be the result of too much exposure to a fictional character called L. Long. TANSTAAFL makes sense to me! - -- Brian W. Gamble, Brian.Gamble@Waterloo.NCR.COM NCR Canada Ltd. E&M Waterloo Charter Member -- The ShoeString Racing Team ------------------------------ Date: 03 Jul 91 09:09:00 -0500 >From: "William Walker C60223 x4570" Subject: IBM Write-Protection (was: Can such a virus be written ... ) (PC) Here we go again ... >From: mfr3@cunixb.cc.columbia.edu (Matthew F Ringel) > Is it possible for a virus to circumvent an IBM's > write-protection of a disk ... NO! If a diskette is write-protected (cover the notch, slide the slide, whatever), the IBM floppy controller will not allow any writes to that diskette. Now, there have been weird failures of the write- protect mechanism which have allowed writes (light bouncing around because of a silver tab, light passing through a translucent disk cover, a short in the write-protect detector, etc.). One which I've seen myself is an "electrical tape-like" write-protect tab which, when used in a drive with a mechanical detector (a switch), eventually got an indentation deep enough to let the switch engage, allowing writes to the diskette. In all of these cases, HARDWARE was at fault. With the present floppy controller system, software CANNOT bypass the write-protect mechanism "...and there's no doing anything about it!" -- The Rum Tum Tugger, "Cats" Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | Arnold Engineering Development Center | "I'd like to solve the puzzle, Pat" M.S. 120 | Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: 01 Jul 91 16:43:00 -0500 >From: "zmudzinski, thomas" Subject: sideshow on doom2:reply (PC) While I agree with Mr. Slade on the benefits of encrypting search strings to prevent false positives, his statement: > As Ross [Greenburg] has pointed out, no matter how well strings are > encrypted, eventually someone will break the code, and then it is a > trivial matter to write a virus that circumvents that package. should not go uncontested. This paraphrase contains two (mathematical, not grammatical) infinitives, "no matter how well ... encrypted" and "eventually". If I can play with one infinitive, let alone two, I can probably prove the world is flat (well, it _is_, locally) or some such. Actually, what Mr. Greenburg wrote was: >> The bad guys can certainly break >> whatever coding scheme I use, thereby using the string list just as if >> it were not encoded at all. Mr. Greenburg's statement describes his assessment of his abilities to develop/implement a cryptographic system. If he says that he cannot do something he believes to be difficult, so be it -- he knows where his strengths lie. On one hand, if all one is trying to do is prevent false positives from other scanners, trivial bit flipping when the program is loaded (to avoid "finding" their images on disk) and again at EOJ (to clean up memory) will do just fine. And on the other hand, does anyone _really_ believe that the "bad guys" _don't_ run the latest crop of anti-viral software to check that their "products" won't be caught immediately? Tom Zmudzinski * * * ZmudzinskiT @ IMO-UVAX.DCA.MIL #include /* To keep the lawyers happy */ #include /* To keep the reader happy */ #exclude /* To keep ME happy */ ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 116] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253