VIRUS-L Digest Monday, 12 Aug 1991 Volume 4 : Issue 138 Today's Topics: re: Reply to Virus Bulletin Re: Floppy Door Close TSR? (PC) Need info on 1575/1591 virus. (PC) Re: Infects on ANY access? Viral operations in brief Jerusalem Virus (PC) Re: Infects on ANY access? Re: Proposal for standard virus signatures notation Proposal for virus signature notation. Boot Sector and Terminology (PC) Viruses in IO.SYS (PC) Uploads to risc.ua.edu (PC) computer virus classifications Code Execution Simulator? VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 05 Aug 91 21:10:40 +0100 >From: xa329@city.ac.uk Subject: re: Reply to Virus Bulletin For you chaps across the pond who haven't seen the August Virus Bulletin yet, a couple of quick notes: 1. Particularly for those who follow virus-l but don't get VB; Dave Chess's public letter (virus-l4 i126) leads the letters page, accompanied by editorial apologies. 2. And for those of you do get VB; my copy is fine but I have heard of one subscriber who had blank pages in his copy, so check with the publishers if you have a problem. This was a public informaton broadcast. Ta ta for now, Anthony Naggs. ------------------------------ Date: Tue, 06 Aug 91 11:11:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Floppy Door Close TSR? (PC) jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes: > Folks: > Is there a TSR program available that scans a floppy whenever > the floppy door closes? Is it even possible to write one? Are any of > you all working on one (McAfee, Padgett, ...)? This came up a while ago; basically the answer is that scanning when the door of the floppy disk drive closes (or a diskette is inserted) is sometimes possible but inefficient. A better method is to scan when DOS itself scanns the boot sector (it has code to work out if there is any chance the diskette has been changed, and uses the change-detect line if it is there). Such a TSR can be very effective in spotting viruses before they do any harm to your system, and a good one (in terms of what it catches, how few "false alarms" it gives, and the miniscule RAM it uses), is SCANBOOT, available by anonymous ftp from cantva.canterbury.ac.nz [132.181.30.3], and should be coming out of comp.binaries.ibm.pc soon. MArk. Aitchison. ------------------------------ Date: 06 Aug 91 03:12:48 +0000 >From: dtw@acsu.buffalo.edu (daniel t wesolowski) Subject: Need info on 1575/1591 virus. (PC) Hello, A laptop that had come from Canada was thought to have a virus. A few different virus checkers were used to test the laptop and nothing was found. A few weeks later the virus came alive. We did destroy the virus, but it did corrupt some programs before its death. Can this virus fake out the virus checkers or do we have a nasty floppy disk floating around the property? Any info/history on the 1575/1591 virus would be most welcome. - ------------------------------------------------------------------------------- Dan Wesolowski dtw@sunybcs.BITNET dtw@cs.Buffalo.EDU - ------------------------------------------------------------------------------- ------------------------------ Date: Tue, 06 Aug 91 09:36:22 +0300 >From: Tapio Keih{nen Subject: Re: Infects on ANY access? (quote from Price Waterhouse's book) >Re the boot sector virus "Search" = "Den Zuk" = "Venezuelan". >DESCRIPTION: "It infects through ANY ACCESS TO host diskette. ....." > >Now it may be just my understanding and usage of english words, but have I >really missed something about how DIR accesses a floppy disk? If Den Zuk is resident in memory, and user does DIR on clean, non-write protected diskette, the virus will infect the disk. But you can't get Den Zuk in memory any other way than booting from infected disk. This same thing applies to most boot sector viruses, too. BTW, there's a mistake in Price Waterhouse's Computer Virus Handbook under Search (=Den Zuk) entry. It says that Den Zuk survives a warm re-boot, which it can't do. When user presses CTRL-ALT-DEL, the virus draws red "DEN ZUKO" text on screen and boots the computer then. But it won't stay in memory. - -- Tapio Keih{nen | tapio@nic.funet.fi | DIO COMES - ARE YOU READY TO ROCK? Disclaimer: This posting has nothing to do with nic.funet.fi archive server. ------------------------------ Date: Tue, 06 Aug 91 10:48:38 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Viral operations in brief >From: p1@arkham.wimsey.bc.ca (Rob Slade) >Although the "original" definition of computer viral programs >refers to reproduction by attaching to other programs, viri that >act in this manner having been less successful than those that >use other means. This is something that keeps going back & forth. Certainly at the moment, the STONED seems have a lead over the JERUSALEM but this is a far cry from being a statistic. Most of what I have been doing lately has been cleaning J-B and Sunday off of LANs. Certainly there are far more "crude" file infectors than boot infectors since they are much easier to write. It may just be that the difficulty of writing a BSI makes for more "stillbirths" and those that do survive "in the wild" tend do spread further. As a consequence, the "average" BSI tends to be more successful than the "average" file infector and they have received a boost lately though distribution on manufacturers disks, a trend which I hope should soon be curtailed. >Examples in the Mac realm are not as clear, but the WDEF virus >could be said to be a type of boot sector infector, as the WDEF >resource is one that is run automatically as soon as any Mac >disk is inserted, although this has changed under System 7.) Tend to disagree: BSIs run before DOS loads and only once per boot while the WDEF resource is a part of the OS as demonstrated by the System 7 exclusion, and is invoked often. A better analogy would be the Lehigh which goes exclusively after COMMAND.COM and I doubt that anyone will disagree that this is a file infector. >In larger systems, mini and mainframe computers, network and >mail viral programs have, so far, had the greatest impact. This problem is quickly spreading to the micro arena. In recent months I have had occasion to clean several LANs including one of 500 clients and another having 2000+ clients. The techniques developed to disinfect individual PCs (quarantine and clean) are costly, often ineffective, and are not the One True Solution. Other techniques that we have discussed in this forum that involve authentication of the health of a client before permitting access to the server are IMHO a more elegant procedure. >The last payload, or function, which a viral program may carry, >is some kind of intelligence to enable it to evade detection. >So far the various kinds of evasive action; self-modification, >multiple encryption and "stealth" activity; have not proven to >have any advantageous "survival" characteristics. In one sense, >this is to be regretted, as it demonstrates that the majority of >computer users are not taking the most elementary precautions to >defend against viral programs. Depends on your point of view. The Pakistani BRAIN is still providing a significant number of infections and was the first "stealth" virus. I suspect that the failure to spread far of most is because most of the "stealth" seen so far is easy to detect in memory (most just with CHKDSK) and as implemented causes other problems by lying to the operating system. e.g. lost clusters and cross-linked files. On the whole, I agree with most of Mr. Slade's observations, however I suspect that the next great threat is going to be to the LANs via file infectors and unless steps are taken immediately to protect them, serious disruptions are going to result. Fortunately, there are solutions, and not particularly expensive ones, either in cost or reduced performance, just they are different. Padgett "A virus does nothing a computer cannot do which makes detection difficult. However they do things a computer should not do and this is detectable". ------------------------------ Date: 06 Aug 91 18:34:42 +0000 >From: mock@watt.support.Corp.Sun.COM (Joseph Mocker) Subject: Jerusalem Virus (PC) Hi all, Got a fairly simple question. Does anyone have any information on what the Jerusalem version B virus can do? Does anyone know where I can find out anything about this virus? Thanks...Joe - -- - ------------------------------------------------------------------------------ Joe Mocker//USAC//PC-NFS Support :: mock@Corp.Sun.COM :: Sun Microsystems Inc. :: there's still lofty dreams :: meager desires :: still sillyness :: ------------------------------ Date: 06 Aug 91 21:40:59 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Infects on ANY access? STEVED@vaxc.cc.monash.edu.au writes: >DESCRIPTION: "It infects through ANY ACCESS TO host diskette. ....." > >Now it may be just my understanding and usage of english words, but have I >really missed something about how DIR accesses a floppy disk? The author probably meant that if the computer is infected, the virus will infect any diskette which is accessed, not that an infected diskette could infect the computer regardless of how it was accessed. - -frisk ------------------------------ Date: Tue, 06 Aug 91 20:38:32 +0000 >From: peter@ficc.ferranti.com (Peter da Silva) Subject: Re: Proposal for standard virus signatures notation PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes: > Comments on my comments are welcome, of course. Well, my only comment is about your comments... :-> Speaking as one who has written lots of dumb little programs to parse various data files over the years, I do have one suggestion... > # This is an imaginary signature file, by msa@phys.canterbury.ac.nz; 05-aug-91 > #05BXP7B.E1R, "Stoned (variant 7a)", "PORTUGESE STONED" > @00:00@017B:B40206CD130914 I would recommand, for parsing simplicity, that comments and data be syntactically distinct. For example, anything after "//" is a comment... // This is an imaginary signature file... #05BXP7B.E1R, "Stoned (variant 7a)", "PORTUGUESE STONED" @00:00@017B:B40206CD130914 #0TEEGYB.RB0, "Not harmful, MS-DOS 3.3 immunised by V-Basher 1.2" 17675A6C34D0@007E:17FFFF000023 #X587BG6.37Z-1280, "Dim Revenger virus" 19A6????53CD21ABBADABBAD00 // random in-line comment. ##IF OS=OS/2 - - -147:AC??55C9129B // for code segments >64K ##ENDIF It adds a minor bit of complexity to Really Dumb Parsers. It might be better to do something like this: # This is an imaginary signature file... #!05BXP7B.E1R, "Stoned (variant 7a)", "PORTUGUESE STONED" @00:00@017B:B40206CD130914 #!0TEEGYB.RB0, "Not harmful, MS-DOS 3.3 immunised by V-Basher 1.2" 17675A6C34D0@007E:17FFFF000023 #!X587BG6.37Z-1280, "Dim Revenger virus" 19A6????53CD21ABBADABBAD00 # random in-line comment. ##IF OS=OS/2 - - -147:AC??55C9129B # for code segments >64K ##ENDIF Again, Really Dumb Programs simply strip out anything after #. But now smart programs look at the following character to see how to interpret that line. ! is a code string, # is a directive, space is just a comment, and so on. - -- Peter da Silva; Ferranti International Controls Corporation; +1 713 274 5180; Sugar Land, TX 77487-5012; `-_-' "Have you hugged your wolf, today?" ------------------------------ Date: Wed, 07 Aug 91 10:58:08 +0700 >From: "Jan R. Terpstra" Subject: Proposal for virus signature notation. I have received several comments on the proposal. First let my clarify the thoughts behind the proposal. It was ONLY intended to achieve a standard notation method for virus SIGNATURES and not a proposal for file formats, naming conventions and other things. With a standard notation, it is very easy to check if the signature you have just extracted from a new virus specimen does not already duplicate the scan string in someone lese's virus report. Comparing virus signatures from different sources if quite cumbersome at this time, due to the many different ways people write up their scan patterns. his usually forces you to do the analysis all over, and then find out you already had all the info in an entirely different format. Also, I have has several suggestions to employ existing techniques like Regular Expressions commonly used on Unix systems. While that is a widely used notation, I think the use of regular expressions may complicate the matter or make the notation too flexible and thus error prone. I realize that the proposal I wrote up isn't the only way, nor is it the best way. But it is simple, straightforward, easy to implement in just about any scanner program and doesn't rely on obscure algorithms. Nor is the proposal a "law" telling every anti-virus program must use this method. Whatever the internal workings of an anti-virus product are, is up to the author. However, if the product allows the use of externally supplied data, using a common format for the virus signatures will prevent the double, triple or quadruple efforts of converting virus signature data to the different formats used by various anti-virus products. And that will free up time to do more useful things. The main line is that the info published on detecting viruses should be usable by as many inti-virus programs possible, without the need to convert the info. Jan R. Terpstra Usual disclaimers implied. ------------------------------ Date: 07 Aug 91 08:26:47 -0400 >From: "Robert McClenon" <76476.337@CompuServe.COM> Subject: Boot Sector and Terminology (PC) Rob Slade notes that viruses are traditionally defined as fragments of malicious code which attach themselves to programs. He notes however that the most successful viruses have not satisfied this definition because they have been boot sector infectors on the PC family or start-up resource infectors on the Macintosh. One can retain the original definition of viruses while recognizing Stoned and WDEF as viruses if one defines "program" expansively. The boot record is a special-purpose program, as is any resource contained in the Desktop file. All viruses attach themselves to programs. Special-purpose program infectors have been even more prolific than application program infectors. Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: 07 Aug 91 08:26:01 -0400 >From: "Robert McClenon" <76476.337@CompuServe.COM> Subject: Viruses in IO.SYS (PC) The question is asked by Willi Grueber in Virus-L 4.133 whether IO.SYS can be infected by viruses, and whether any checker exists for such viruses. I assume that it is at least theoretically possible for viruses to infect IO.SYS, although I have not heard of any virus which infects it. At least one anti- viral package, Virex-PC, can be configured to protect IO.SYS, either by verifying its checksum at startup or by intercepting suspicious writes to IO.SYS or both. I have it set up to do both. Other anti-viral packages should also be capable of protecting IO.SYS unless they are limited to files with certain extensions. However, even a checker which is limited to certain executable extensions should be able to check *.SYS files, because some Bulgarian viruses will infect installable device drivers of type *.SYS. There is a risk that IO.SYS viruses can be written. However, it is a risk that can be anticipated and contained with a little foresight. Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: Wed, 07 Aug 91 08:52:00 -0500 >From: James Ford Subject: Uploads to risc.ua.edu (PC) The following files have been uploaded to risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus: vsumx107.zip - Virus Summary Listing vc300ega.zip - Virus Central (ega version) vc300lte.zip - Virus Central (LITE version) The directory pub/00uploads is now available for people who wish to upload files to risc.ua.edu. Mail must be sent to JFORD informing me of your your upload. Below is a listing of files available in pub/ibm-antivirus (list is available as the file "0files.9108". If you see something that is out of date, please let me know. - ---------- Absence makes the heart go wander. - ---------- James Ford - jford@ua1vm.ua.edu, jford@risc.ua.edu The University of Alabama (in Tuscaloosa, Alabama) - ---------------- file listing of pub/ibm-antivirus on risc.ua.edu ---------- 0REVIEWS/ htscan12.zip unvir902.zip vc300lte.zip vstop54.zip 0files.9107 innoc5.zip uu-help.text vcheck11.zip vsum9105.txt 0files.9108 m-disk.zip uudecode.bas vdetect.zip vsumx107.zip INDEX.291 navupd01.zip uudecode.pas virpres.zip vtac48.zip MsDosVir.291 netscn80.zip uuencode.pas virsimul.zip wp-hdisk.zip MsDosVir.690 pcv4.zip uxencode.pas virstop.zip xxdecode.bas MsDosVir.790 pkz110eu.exe vacbrain.zip virusck.zip xxdecode.c avs_e224.zip scanv80.zip vaccine.zip virusgrd.zip xxencode.c bbug.zip secur222.zip vaccinea.zip virx16.zip xxencode.cms clean80.zip sentry02.zip validat3.zip vkill10.zip zzap54a.zip fprot116.zip tbresc12.zip validate.crc vshell10.zip fshld15.zip trapdisk.zip vc300ega.zip vshld80b.zip ------------------------------ Date: Wed, 07 Aug 91 14:56:16 +0000 >From: igor@prima.icie.msk.su (Igor Smirnov) Subject: computer virus classifications Dear colleagues: I'm system programmer. I'm interested in a computer viruses problem. Help me please: What is the PLO viruses? I've read about that in Computers&Security. I've some ideas for computer virus classification and methods of anti-virus adaptation. I would like to know about your interests in this fields. Thank you. Sincerely, Maxim Titov, leading engineer of International Centre on Informatics & Electronics (Moscow, SU) Return adress: E-mail: igor@prima.icie.msk,su phone: +7 095 252 0688 ------------------------------ Date: Wed, 07 Aug 91 18:24:33 +0000 >From: dkarnes@world.std.com (Daniel J Karnes) Subject: Code Execution Simulator? Working with a new 'virus scanner' program named CES (Code Execution Simulator) which appears to be an enhanced 'algorithmic' type of scanner. The thing is catching 99% of the hundred or so viruses I have tested against so far with only a few false positives. Does anyone else have any experience with this thing that they might like to share? The distribution file that I have is CES_402.ZIP if anyone happens to be interested. - -djk - ----------------------------------------------------------------- Daniel J. Karnes - WA6NDT | Do I know UNIX? dkarnes@world.std.com | POB 7007 | - well.. I've met a few.. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 138] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253