VIRUS-L Digest   Monday, 12 Aug 1991    Volume 4 : Issue 140

Today's Topics:

Virus Implants in DoD Weapons
New DOS and old virus checkers? (PC)
Infects on ANY access?
re: Can such a virus be written... (PC) (Amiga)
Virus article in Byte (PC)
infected files with nonstandard extension (PC)
copyright of infected files
Virus Bulletin search strings (PC)
Re: Self-scanning executables (PC)
Problem cleaning "LIBERTY" virus? (PC)
Re: Brunnstein (CARO) virus catalog files
TRACER (PC)
Proposal for standard virus signatures notation
Stoned at EPO (PC)
New Anti-Virus Consortium Announced
System calls

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk

----------------------------------------------------------------------

Date:    07 Aug 91 20:28:57 +0000
From:    dar@reef.cis.ufl.edu (David Risler)
Subject: Virus Implants in DoD Weapons

From the August 1991 "Armed Forces Journal International":

"A draft Pentagon directive that called for implanting a computer
"virus" or software disabling mechanism in every major new US weapon
system - one that could be remotely triggered if the weapon fell into
enemy hands - was under consideration last December at a high DoD
level, a knowledgeable source told AFJI recently...If that is the case,
the device is more likely to function as a variable duration
"enabler"...rather than a disabler that could be remotely activated to
prevent a weapon from being used.  In all likelihood, no decision
regarding implanting either kind of device in advanced weapons will
come before the DARPA provides an assessment to Congress of how best to
handle the issue.  That report is expected on Capitol Hill by August."

The article goes on to say that this would be great for weapons exports
and that EEPROMS could carry such "Trojan Horses" that could be
activated using electrical signals.

Hmmmmmm.  Comments?

------------------------------

Date:    08 Aug 91 01:08:42 +0000
From:    heinicke@uwovax.uwo.ca
Subject: New DOS and old virus checkers? (PC)

Is there any reason to worry about problems using some of the standard
antivirus programs (e.g. Scan/Clean, or F-Prot) that have been out for
a while on systems using MS-DOS 5?  To put it another way: can one
safely upgrade to DOS 5, reformat the hard disk to one big partition,
re-install the virus checkers being used before, and still enjoy the
same levels of protection?  (I've noted the earlier suggestions in this
group about putting F-driver.sys as the last thing in config.sys.  Any
other tricks to know about?)

------------------------------

Date:    Wed, 07 Aug 91 11:09:56 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Infects on ANY access?
STEVED@vaxc.cc.monash.edu.au writes:

> Re the boot sector virus "Search" = "Den Zuk" = "Venezuelan".
> DESCRIPTION: "It infects through ANY ACCESS TO host diskette. ....."

It might be helpful to have more of the reference, but I suspect what
they intended to say was that an infected system (ie. the virus is
active in memory) will infect a diskette that is accessed in any way.

And why on earth are you trying to get virus info out of the print
media?  :-)

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date:    Wed, 07 Aug 91 22:43:56 -0400
From:    cellar!rogue@uunet.uu.net
Subject: re: Can such a virus be written... (PC) (Amiga)

brett.simcock@f859.n681.z3.fido.oz.au (Brett Simcock) writes:

> Original to: acdfinn
> AA > heard that
> AA > Kickstart 2.0 has most AmigaDos commands in ROM (the ROMs
> AA > are shipping
> AA > now) but I'm not sure. That would be great from the virus
> AA > perspective...
>
> As far as I know all the AmigaDOS commands are in ROM.
>
> ---
> * Origin: S.A. CENTRAL BBS, Serving South Australia Better! (3:681/859)

Sorry, but the previous author was more correct than yourself.  In
AmigaDOS, the shell scripting commands and some of the utilities have
been moved into ROM, but the core utilities remain on disk, so people
can use their own preferred implementations.  Besides, the 2.0x "ROMs,"
so far, are released as Kickstart disks to be loaded into memory.  Chip
releases of 2.04 are not yet available.

Rachel K. McGregor : rogue@cellar.uucp : {tredysvr,uunet}!cellar!rogue

------------------------------

Date:    Thu, 08 Aug 91 21:10:03 +0000
From:    Fridrik Skulason
Subject: Virus article in Byte (PC)

Byte (August '91) just arrived on my desk, and I read the virus article
with considerable interest.
It was obvious that the authors are not experts in the area of computer
viruses, but there were not too many serious errors in the article.
The worst was regarding their selection of viruses.  They wrote:

  "we ran tests using eight of the most pervasive and destructive
  viruses in circulation."

If that had only been true....  The viruses they used were:

  "1701/1704" (Cascade)        - Common, but not very destructive.
  "Izrael" (Jerusalem)         - Common, and a bit destructive.
  "Musician" (probably Oropax) - Rare, and not destructive at all.
  "Vienna"                     - Fairly common, and somewhat destructive.
  "W13 A/B" and "Jocker"       - They must be joking...."the most
                                 pervasive and destructive viruses in
                                 existence" ????

I think Jocker has only been reported once, and it took a long time to
get it to work - in fact, many researchers were not convinced that it
was a virus, until David Chess figured out that the original sample had
to be renamed to WABIKEXE.EXE to get it to infect anything at all.

No stealth viruses, no boot sector viruses, only a few old viruses,
which are certainly not typical of the threats today.

No, a better description of their viruses would have been:

  "we ran tests using eight fairly harmless two year old viruses, half
  of which are practically unknown in the wild."

-frisk

------------------------------

Date:    07 Aug 91 21:56:30 +0000
From:    warren@worlds.COM (Warren Burstein)
Subject: infected files with nonstandard extension (PC)

I had a recurring Sunday infection.  I couldn't figure out how Sunday
could be hiding; it turned out that it had latched onto files that did
not end in .COM or .EXE.  (Sunday, at least the version that only
triggers on day-of-week == 7), it turns out, was just lucky: it assumes
that if the file doesn't end with M it's an EXE.  So some other program
or programs must be execing these files directly.  The files are pw.prg
(part of Perfect Writer, I guess), and scomlv3.cmd and scom2v3.cmd
(from SmartComm ?).

How common is this?
Should a virus scanner scan all files regardless of extension against
the chance that they might be executed by some other program?

[Yes, of course they should have been running a TSR.]

--
/|/-\/-\    The entire world             Jerusalem
 |__/__/_/  is a very strange carrot     |warren@
            But the farmer               / worlds.COM
            is not worried at all.

------------------------------

Date:    07 Aug 91 22:25:14 +0000
From:    warren@worlds.COM (Warren Burstein)
Subject: copyright of infected files

It occurred to me that anyone who deals with viruses must of course
have a collection of infected files for comparison, disassembly, and
testing of anti-viral methods.  It would not be surprising for such
people to thereby acquire lots of copies of software that they don't
have licenses for (and what if the virus has a copyright, too :-) ?).
Not that they ever intend to use the software for its intended purpose,
but might the manufacturers get upset anyway?

--
/|/-\/-\    The entire world             Jerusalem
 |__/__/_/  is a very strange carrot     |warren@
            But the farmer               / worlds.COM
            is not worried at all.

------------------------------

Date:    08 Aug 91 13:37:47 +0000
From:    warren@worlds.COM (Warren Burstein)
Subject: Virus Bulletin search strings (PC)

The Sunday virus has two entry points, one for a COM file (0 jumps to
95), one for an EXE file (at C4).  It happens that the search string in
the Virus Bulletin starts at the COM entry point, which means that if
you were scanning starting at the entry point of an infected EXE file,
you would not find it.  This is the version of Sunday that never
triggers because it waits until day-of-week is 7.

--
/|/-\/-\    The entire world             Jerusalem
 |__/__/_/  is a very strange carrot     |warren@
            But the farmer               / worlds.COM
            is not worried at all.
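The two scanning pitfalls Warren raises in the posts above (files with
nonstandard extensions, and a search string that lies before the EXE
entry point) can be shown with a small Python scanner.  This is an added
example written for this digest, not code from any of the posters or
from any scanner of the period.  The host program, the "virus body" and
the signature are all constructed placeholders (no real virus bytes);
only the layout is borrowed from Warren's description, with the COM path
entering the body at offset 95h and the EXE path at C4h.  Function names
such as entry_offset and scan_from_entry are my own.

```python
import struct

# --- constructed samples (placeholders, not real viruses) ---------------------
COM_BODY_ENTRY = 0x95          # COM path enters the body here (per the post)
EXE_BODY_ENTRY = 0xC4          # EXE path enters the body here (per the post)
SIG = b"PLACEHOLDER-SIGNATURE"  # stands in for a published search string that
                               # starts at the COM entry point

body = bytearray(b"\x90" * 0x200)                     # 512 bytes of NOP filler
body[COM_BODY_ENTRY:COM_BODY_ENTRY + len(SIG)] = SIG  # signature at COM entry
body[EXE_BODY_ENTRY:EXE_BODY_ENTRY + 9] = b"EXE-ENTRY"
BODY = bytes(body)

# Tiny host program: mov ah,4Ch / int 21h (exit), padded to 256 bytes.
HOST = b"\xb4\x4c\xcd\x21" + b"\x90" * (0x100 - 4)

CLEAN_COM = HOST
# Infected COM: first three host bytes replaced by JMP rel16 into the body.
_target = len(HOST) + COM_BODY_ENTRY
INFECTED_COM = b"\xe9" + struct.pack("<H", _target - 3) + HOST[3:] + BODY


def _mz_header(ip, cs):
    """Minimal 32-byte MZ header (e_cparhdr = 2 paragraphs) with initial CS:IP."""
    hdr = struct.pack("<2s" + "H" * 13, b"MZ",
                      0, 0, 0,        # e_cblp, e_cp, e_crlc (not needed here)
                      2,              # e_cparhdr: header is 2 paragraphs = 32 bytes
                      0, 0xFFFF,      # e_minalloc, e_maxalloc
                      0, 0, 0,        # e_ss, e_sp, e_csum
                      ip, cs,         # e_ip, e_cs: where execution starts
                      0, 0)           # e_lfarlc, e_ovno
    return hdr.ljust(32, b"\x00")


CLEAN_EXE = _mz_header(0, 0) + HOST
# Infected EXE: entry moved to the body's EXE entry (image offset 0x100 + 0xC4).
INFECTED_EXE = _mz_header(EXE_BODY_ENTRY, len(HOST) // 16) + HOST + BODY


# --- entry-point location, decided by content, never by file extension --------
def file_kind(data):
    """'exe' if the file carries an MZ header, otherwise treat it as a COM image."""
    return "exe" if data[:2] == b"MZ" else "com"


def entry_offset(data):
    """File offset of the first instruction DOS would execute."""
    if file_kind(data) == "exe":
        cparhdr, = struct.unpack_from("<H", data, 8)
        ip, cs = struct.unpack_from("<HH", data, 20)
        return cparhdr * 16 + cs * 16 + ip
    if data[:1] == b"\xe9":                 # JMP rel16 at offset 0: follow it
        rel, = struct.unpack_from("<H", data, 1)
        return (3 + rel) & 0xFFFF
    return 0                                # plain COM: starts at offset 0


def scan_from_entry(data, sig, window=64):
    """Search only a window that starts at the entry point: fast but incomplete,
    because it looks forward and misses a string that sits before the entry."""
    start = entry_offset(data)
    return data.find(sig, start, start + window) != -1


def scan_whole(data, sig):
    """Search the whole file: slower, but catches both infection paths."""
    return sig in data


def scan_report(files, sig):
    """files: {name: bytes} -> {name: (kind, entry, found_at_entry, found_anywhere)}."""
    return {name: (file_kind(d), entry_offset(d),
                   scan_from_entry(d, sig), scan_whole(d, sig))
            for name, d in files.items()}


if __name__ == "__main__":
    # PW.PRG is the infected EXE under a nonstandard name: it is still scanned,
    # because the scanner never looks at the extension.
    samples = {"CLEAN.COM": CLEAN_COM, "INFECT.COM": INFECTED_COM,
               "CLEAN.EXE": CLEAN_EXE, "PW.PRG": INFECTED_EXE}
    for name, (kind, entry, at_entry, anywhere) in scan_report(samples, SIG).items():
        print(f"{name:11s} {kind} entry=0x{entry:04X} "
              f"at-entry={at_entry} whole-file={anywhere}")
```

For the infected EXE the signature sits at file offset 1B5h while the
entry point is at 1E4h, so the forward window from the entry point
never sees it, exactly the miss described in the Virus Bulletin post;
the whole-file search finds it in both the COM and the EXE, and in the
.PRG copy as well.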
------------------------------

Date:    09 Aug 91 00:38:47 -0400
From:    Kevin Dean <76336.3114@CompuServe.COM>
Subject: Re: Self-scanning executables (PC)

CRCSET version 1.3 has been uploaded in UU-encoded form to the
following sites if anyone wants a copy:

  risc.ua.edu
  ux1.cso.uiuc.edu
  wsmr-simtel20.army.mil

------------------------------

Date:    Fri, 09 Aug 91 10:43:00 -0500
From:    Ken De Cruyenaere 204-474-8340
Subject: Problem cleaning "LIBERTY" virus? (PC)

The LIBERTY virus made another appearance on our campus recently.
CLEAN V80 was unable to clean it though.  I believe the message was
something like "Unable to clean this file, delete ? y/n " (Over a dozen
infected files and none of them could be cleaned.)

We next tried Central Point's ANTIVIRUS and it cleaned it up quickly.
Central Point identified it as the MYSTIC virus, which caused a little
confusion as MYSTIC isn't listed as an alias of LIBERTY...

I have checked back issues of this digest for any other similar
problems with CLEAN (version 80) and LIBERTY and didn't find any.

Has anyone else bumped into this?

Ken

---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA   Voice:(204)474-8340   FAX:(204)275-5420

------------------------------

Date:    09 Aug 91 03:22:55 +0000
From:    p4tustin!ofa123.fidonet.org!Ray.Mann@uunet.uu.net (Ray Mann)
Subject: Re: Brunnstein (CARO) virus catalog files

Are these the early virus catalog files, published elsewhere, or are
they new, recently-produced ones...?

--- Opus-CBCS 1.14
 * Origin: Universal Electronics, Inc.
[714 939-1041] (1:103/208.0)
--
Ray Mann
Internet:   Ray.Mann@ofa123.fidonet.org
Compuserve: >internet:Ray.Mann@ofa123.fidonet.org

------------------------------

Date:    Fri, 09 Aug 91 12:03:18 -0700
From:    altos!jesse@vicom.com (Jesse Chisholm AAC-RJesseD)
Subject: TRACER (PC)

Does anyone know anything about the antivirus program called TRACER by
a company called GODWARE?  All I know is they are based in Taiwan.  Has
anyone had experience with it?  Is it any good?  It certainly is
inexpensive: NT$130 which comes to about $5.

-Jesse Chisholm   jesse@gumby.altos.com
--
| "As I was going up the stair
|  I met a man who wasn't there.
|  He wasn't there again today.
|  I think he's with the C.I.A."  -- Ann Onymous

------------------------------

Date:    08 Aug 91 01:53:01 +0000
From:    garth.kidd@f828.n680.z3.fido.oz.au (garth kidd)
Subject: Proposal for standard virus signatures notation

I like the proposal.  Now, are we going to see publication of, say,
lists of virus signatures for the more common viruses, mayhap in VSUM?

Down: virus writers could use the lists to check that the virus they're
writing doesn't match anything else.  Of course, they can use the
latest copies of anti-viral software to check this, but the signatures
will tell them =exactly= what to avoid.  One solution for this is to
use two or more different signatures for each virus in the more wildly
popular anti-viral software, but only publish one in VSUM.

Up: people can write quick'n'grotty virus scanners to check to see
whether their system is infected with X without having to find a copy
of (say) SCAN that checks for it.  Even if SCAN allowed signature
files, (and for all I know, it does), they might not =have= it.

Email responses welcome; I'm still not sure whether the gate works in
the fido->usenet direction.
gk

--- FD 1.99c
 * Origin: garth_kidd@f828.n680.z3.fido.oz (3:680/828)

------------------------------

Date:    Mon, 12 Aug 91 15:45:02 +0100
From:    LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: Stoned at EPO (PC)

New Scientist 10 August 1991, p. 24, under the byline "Computers Get
Stoned On Patent Discs", reports that the European Patent Office in
Munich has been sending clients a floppy disc containing the Stoned
virus.  The EPO has spent nearly £20,000 warning recipients of the disc
all around the world not to use it and helping those who did get rid of
the virus.

The disc causing all the trouble contained publicity samples of an
electronic version of the weekly Bulletin which lists all new patents.
In April the EPO sent copies of the disc to 1000 or more patent agencies
etc.  The office has spent 3 months tracking down the source of the
virus and now believes it came from an independent software company in
Germany which helped with the preparation of the disc.  If it can find
firm evidence it will sue the company.

Iain Noble

-----------------------------------------------------------------------------
Iain Noble                                    |
LBA002@pa.tp.ac.uk                            | Post: Main Site Library,
JANET:       LBA002@uk.ac.tp.pa               |       Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL        |       Middlesbrough,
INTERNET:    LBA002%pa.tp.ac.uk@cunyvm.cuny.edu |     Cleveland, UK, TS1 3BA
UUCP:        LBA002%tp-pa.ac.uk@ukc.uucp      | Phone: +44 642 342121
-----------------------------------------------------------------------------

------------------------------

Date:    Mon, 12 Aug 91 09:21:00 -0600
From:    "Rich Travsky (307) 766-3663/3668"
Subject: New Anti-Virus Consortium Announced

The August 5th Network World has an article on a new consortium: The
AntiVirus Product Developers Consortium (AVPD).  Goals are:

  - establish standards for reporting, classifying, and counting viruses;
  - adopt a code of developers ethics;
  - increase the public's awareness;
  - sponsor research by vendor-independent organizations.
Members currently are: Central Point Software, Certus International,
Symantec/Peter Norton, and XTree Co.  Membership is open to all other
vendors.

AVPD will rely on a virus database operated and maintained by the NCSA.
This database currently has about 900 viruses.

First AVPD meeting is scheduled for Nov. 25-26 in Washington DC.

Richard Travsky
Division of Information Technology    RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                 (307) 766 - 3663 / 3668

------------------------------

Date:    Sun, 11 Aug 91 18:22:57 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: System calls

FUNGEN3.CVP   910811

                    Viral use of operating systems

Viral programs use basic computer functions in more ways than one.  It
is easier to use standard system calls for purposes such as accessing
disks and writing files or formatting.  Most programs use the standard
operating system calls, rather than write their own system function
when "using" the hardware.  For one thing, it's more "polite" to do
this with applications programs, which, if they follow "the rules" will
be better "behaved" when it comes to other programs, particularly
resident programs and drivers.  But it is also easier to use system
functions than write your own.

Operating system functions are generally accessible if you know the
memory address at which the function starts, or the specific
"interrupt" that invokes it.  Viral programs can use this fact in two
possible ways.  The first is to use the standard system calls in order
to perform the copying, writing or destructive actions.  This, however,
has unfortunate consequences for the viral author (and fortunate for
the computer community) in that it is easy to identify these system
calls within program code.  Therefore, if viral programs used only this
method of operation, it would be possible to write a "universal" virus
scanner which would be able to identify any potentially damaging code.
It would also be possible to write programs which "trapped" all such
system calls, and allowed the user to decide whether a particular
operation should proceed.  (In fact, in the MS-DOS world, two such
programs, BOMBSQAD and WORMCHEK, are available, and were used to check
for early trojan programs.)

Operating systems are, however, programs, and therefore it is possible
for any program, including any viral program, to implement a completely
different piece of code which writes directly to the hardware.  The
"Stoned" virus has used this very successfully.

Unfortunately, viral programs have even more options, one of which is
to perform the same "trapping" functions themselves.  Viral programs
can trap all functions which perform disk access in order to hide the
fact that the virus is copying itself to the disk under the "cover" of
a directory listing.  Viral programs can also trap system calls in
order to evade detection.  Some viri will "sense" an effort to "read"
the section of memory that they occupy, and will cause the system to
hang.  Others trap all reading of disk information and will return only
the "original" information for a file or disk: the commonly named
"stealth" viral technology.

copyright Robert M. Slade, 1991   FUNGEN3.CVP   910811

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 140]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
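The "universal scanner" idea in the System calls column above, that
standard system calls are easy to spot in program code, can be shown
with a short Python routine.  This is an added example written for this
digest; it is not code from the column, from BOMBSQAD or WORMCHEK, or
from any other product.  It walks 16-bit DOS code looking for INT
instructions, pairs each with the preceding MOV AH / MOV AX immediate so
the service number is known, and flags the services that write to disk.
The sample byte strings are constructed here; the DOS and BIOS function
numbers in the table are the documented ones.  Function names such as
find_calls and disk_writes are my own.  The column's two caveats carry
over: every ordinary DOS program also calls INT 21h, so this flags
operations rather than viruses, and code that drives the hardware
directly, as the column says Stoned does, makes no such call at all.

```python
# Documented DOS / BIOS services keyed by (interrupt vector, AH).  AH=None means
# the service is selected by the vector alone (INT 25h/26h carry the drive in AL).
# Second field: does the service write to disk?
SERVICES = {
    (0x21, 0x09): ("DOS print string", False),
    (0x21, 0x3C): ("DOS create file", True),
    (0x21, 0x3D): ("DOS open file", False),
    (0x21, 0x3F): ("DOS read from handle", False),
    (0x21, 0x40): ("DOS write to handle", True),
    (0x21, 0x4C): ("DOS terminate program", False),
    (0x13, 0x02): ("BIOS read sectors", False),
    (0x13, 0x03): ("BIOS write sectors", True),
    (0x25, None): ("DOS absolute disk read", False),
    (0x26, None): ("DOS absolute disk write", True),
}


def find_calls(code):
    """Return [(offset, vector, ah)] for every INT imm8 found in the bytes.

    Only three opcodes are decoded (MOV AH,imm8; MOV AX,imm16; INT imm8); every
    other byte is stepped over one at a time.  Operand or data bytes can therefore
    masquerade as opcodes, and the AH hint is whatever was last loaded, so this is
    a heuristic for a scanner, not a disassembler."""
    calls, ah, i = [], None, 0
    while i < len(code):
        op = code[i]
        if op == 0xB4 and i + 1 < len(code):      # MOV AH, imm8
            ah = code[i + 1]
            i += 2
        elif op == 0xB8 and i + 2 < len(code):    # MOV AX, imm16 (AH = high byte)
            ah = code[i + 2]
            i += 3
        elif op == 0xCD and i + 1 < len(code):    # INT imm8
            calls.append((i, code[i + 1], ah))
            i += 2
        else:
            i += 1
    return calls


def describe(vector, ah):
    """(description, writes_to_disk) for a call; unknown services are named as such."""
    svc = SERVICES.get((vector, ah)) or SERVICES.get((vector, None))
    return svc if svc else (f"INT {vector:02X}h, unknown function", False)


def disk_writes(code):
    """Offsets and names of the calls that write to disk: the operations a call
    monitor in the BOMBSQAD/WORMCHEK mould would stop and ask the user about."""
    return [(off, describe(v, ah)[0])
            for off, v, ah in find_calls(code) if describe(v, ah)[1]]


# Constructed samples: just the instruction bytes named in the comments.
HELLO = bytes([0xB4, 0x09, 0xBA, 0x00, 0x00, 0xCD, 0x21,   # mov ah,9 / mov dx,0 / int 21h
               0xB4, 0x4C, 0xCD, 0x21])                    # mov ah,4Ch / int 21h
SECTOR_WRITER = bytes([0xB8, 0x01, 0x03, 0xCD, 0x13,       # mov ax,0301h / int 13h
                       0xB4, 0x4C, 0xCD, 0x21])            # mov ah,4Ch / int 21h
ABS_WRITER = bytes([0xCD, 0x26, 0xC3])                     # int 26h / ret

if __name__ == "__main__":
    for name, code in (("HELLO", HELLO), ("SECTOR_WRITER", SECTOR_WRITER),
                       ("ABS_WRITER", ABS_WRITER)):
        print(name)
        for off, vector, ah in find_calls(code):
            desc, writes = describe(vector, ah)
            print(f"  +{off:04X}: INT {vector:02X}h  {desc}{'  [disk write]' if writes else ''}")
```

HELLO produces two INT 21h calls and no disk writes; SECTOR_WRITER is
flagged at offset 3 for the BIOS write and ABS_WRITER at offset 0.  The
same SERVICES table could drive a resident monitor that intercepts the
vectors and asks before a flagged write proceeds, which is the
"trapping" approach the column describes.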