VIRUS-L Digest Wednesday, 21 Aug 1991 Volume 4 : Issue 145 Today's Topics: VIRx on a 3COM network (PC) System Layers and Hiding Places Re: When can a virus infect (AMIGA) Hard disk locking software (PC) Where can I find VSUM9108.zip o .txt? Re: Double quote char appear all over - virus? (PC) Re: Hard disk password protection (PC) Liberty virus (PC) Re: Hard disk locking PC SECURITY (PC) Scan (PC) New Virus ? (PC) Questions regarding Novell, Viruses & policy Partition table virus on Toshiba 1200XE (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 19 Aug 91 16:56:37 +0000 >From: acrosby@uafhp.uark.edu (Albert Crosby,AG ENG 210,4452,5014447866) Subject: VIRx on a 3COM network (PC) I just tried using the VIRx scanning program on network volumes attahed via 3Com 3+Open. The scanner reported "Bad status reading partition table" and stopped for a key press. The program then presented a message that it was "Scanning: \\ \DOSAPPS\" and paused. ^^^^^^^^^^^^^^ <= this space was filled with high order garbage characters. The command I had issued was: VIRX D:\ D: is actually \\AGHELAB\DOSAPPS. The scanner was apparently able to obtain the last part of the name correctly. VIRx then reported that it had scanned 0 files and 0 subdirectories. If I scan a floppy, it works correctly, and if I scan a directory on D: other than root it appears to work correctly. The version of VIRx I tried was "Current as of 07/01/91", version 1.6. SCAN (McAfee Assoc.) reports that there are 46 directories and 1468 files on the drive. Has anyone else encountered problems like this? Or have any pointers for correcting it? (SCAN also reported the drive free of viruses, BTW) Albert ------------------------------ Date: Mon, 19 Aug 91 12:22:32 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: System Layers and Hiding Places This week's column has been slightly delayed due to the marriage, this weekend, of the columnist's daughter. FUNGEN4.CVP 910819 Hiding in System Layers One additional use that viral programs can make of operating systems is as a source of hiding places. Anyone who has ever tried to manage accounts on mainframes or local area networks will recognize that there is a constant battle between the aspects of security and "user friendliness" in computer use. This tension arises from the definition of the two functions: if a computer is easy to use, it is easy to misuse. If a password is hard to guess, it is hard to remember. If access to information is simple for the owner, it is simple for the "cracker". (This axiom often gives rise to two false "corollares". First, the reverse; that those systems which are difficult to use must therefore be more secure; does not hold. Secondly, many assume that restricting the availability of information about a system will make that system secure. While this strategy will work in the short term, its effectiveness as protection is limited. Indeed, it often has the unfortunate side effect of restricting information to those who should have it, such as systems managers, while slowing the "attackers" only marginally.) "User friendly" programs and operating systems tend to hide information from the user. There are two reasons for this. In order to reduce "clutter", and the amount of information that a user needs to operate a given system, it is necessary to remove options, and therefore, to a certain extent, functionality. A user friendly system is also more complex in terms of it's own programming. In order for the computer to behave "intuitively", it must be able to provide for the many "counter-intuitive" ways that people work. Therefore the most basic levels of a graphical user interface system tend to be more complex than the corresponding levels of a command line interface system, and are hidden from the user by additional intervening layers (which also tend to add more complexity.) The additional layers in an operating system, and the fact that a great deal of management takes place automatically, without the user's awareness, is an ideal situation for a viral program. Since many legitimate and necessary operations and changes are performed without the user being aware of it, viral operations can also proceed at a level completely hidden from the user. Also, because the user is basically unaware of the structure and operations of the computer, changes to that structure and operation are difficult to detect. copyright Robert M. Slade, 1991 FUNGEN4.CVP 910819 ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Mon, 19 Aug 91 20:29:37 +0000 >From: erd@anaconda.cis.ohio-state.edu (Ethan R Dicks) Subject: Re: When can a virus infect (AMIGA) technews@iitmax.iit.edu (Kevin Kadow) writes: >With ZEROVIRUS running, after booting from a TC500 hard drive, I ran >across a newly acquired disk which, upon being inserted, resulted in: > >ZeroVirus gave a warning "ColdCapture has been changed!" >I was >under the impression that a boot-block virus could only start-up if >you booted from an infected disk, not by simple insertion? On the Amiga, there are two types of viruses: boot-block and executable. Boot Block viruses are only loaded into RAM when an infected disk is booted. Executable viruses are loaded into RAM whenever an infected file is run. I suspect that your infected disk was a system disk, with the program :l/disk-validator on it. Under AmigaDOS 1.3 and lower, the system will load and run the disk validator LOCATED ON THE DISK INSERTED if one is present and the bit in the root block is set which indicated that the bit-map is invalid and needs to be rebuilt. If the disk-validator program is infected and the disk is in need of validation, AmigaDOS will cheerfully run the validator WITHOUT ASKING. Under AmigaDOS 2.0, l:disk-validator is run (from the system disk), not :l/disk-validator (from the inserted disk), eliminating this security hole. BTW, write protecting a disk with an invalid bit-map prevents the system from updating the bit-map and will cause the system to be infected all over again when the disk is inserted. - -ethan - -- Ethan R. Dicks | ###### This signifies that the poster is a member in Software Results Corp| ## good sitting of Inertia House: Bodies at rest. 940 Freeway Drive N. | ## Columbus OH 43229 | ###### "You get it, you're closer." ------------------------------ Date: Mon, 19 Aug 91 14:15:54 -0700 >From: Steve Clancy Subject: Hard disk locking software (PC) In Virus-L 4-142 Fridirk Skulason writes: >Software-only solutions are less secure of course, but they are >sufficient in his case. It is possible to create a small program >which asks for a password when you boot from the hard disk, and cannot >be bypassed simply by booting from a diskette. > >My questions: > > #1 I guess that such a program already exists - but I have not yet > been able to find it. Does anyone know of something like this ? I have had a program called PC-Lock 1.1 for several years on our BBS. According to the documentation, it does what you are asking. The docs say: THE PC-Lock HARD DISK PROTECTION SYSTEM Version 1.1 (c) Copyright 1986 by Johnson Computer Systems 20 Dinwiddie Place Newport News, VA 23602 WHAT PC-Lock DOES After you install PC-Lock you will be asked to enter your password each time you boot your computer from your hard disk. Just type your password and press return. The boot process will continue normally. If you make an error, just re-type it correctly and press return. When you boot from a diskette the system will boot normally, but you will not be able to access your hard disk. I have not had personal exeprience in using it, so I don't really know of any weaknesses it might have. There may even be a more current version. However, I would be happy to UUENCODE the ZIP file and mail it to you. - -- Steve Clancy =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= % Steve Clancy, Biomedical Library % WELLSPRING RBBS % % University of California, Irvine % 714-856-7996 300-2400 24hrs % % P.O. Box 19556 % 714-856-5087 300-9600 24hrs % % Irvine, CA 92713 U.S.A. % SLCLANCY@UCI.BITNET % % % SLCLANCY@UCI.EDU % %.....................................................................% % "As long as I'm alive, I figure I'm making a profit." % % -- John Leas, 1973 % =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ------------------------------ Date: Mon, 19 Aug 91 15:01:40 -0600 >From: al161926@mtecv2.mty.itesm.mx (JESUS BARRERA RAMOS) Subject: Where can I find VSUM9108.zip o .txt? Hi all!!! I've been lookin' for VSUM9108.zip o .txt de Patricia M. Hoffman 'n I've not found it...could some body tell me where can I get a copy of that document?...I'd thank ya a lot...oh!...by the way...I've also been lookin' for a program that convert executable code to source code I know there're programs to do that but I've not found one...If somebody has one...please send me a copy (if it's shareware) or tell me where can I get one...thank ya in advance...bye. friendly Jesus Barrera Ramos (Eqix) P.S. May be (and I'm almost sure) no body know me, I've been a member of this list since last january but I'm quite a novice'n I've not sent a lot of sugestions...anyway..I'm interested a lot on virus. ------------------------------ Date: 20 Aug 91 09:36:43 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Double quote char appear all over - virus? (PC) twong@civil.ubc.ca (Thomas Wong) writes: >One of the 386s in our lab has been having a strange problem. Double >quote characters slowly appears all over the screen. I've checked the >computer with VirusScan (SCAN 7.6V80)(latest?) and no virus was >found. Has anyone seen this before? How can I tell if this is a new >(yet to be discovered) virus? What to do? What to do.... My best guess is that this is not a virus. Probaly your video controller is malfunctioning. Try changing it and see what happens. Regards, Vesselin ------------------------------ Date: 20 Aug 91 09:48:37 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Hard disk password protection (PC) 70274.666@CompuServe.COM (Jon Freivald) writes: >It requests a password on boot (installs via config.sys). If the >system is booted via floppy disk, the hard disk cannot be accessed >without running a special utility on the PC-Vault diskette (unlike a >couple other programs where you just plain can't access the hard disk >period!). As I wrote in one of my previous postings, it depends on what do you understand by "cannot". You probably mean that when DOS boots, it cannot recognize the disk (says "invalid disk drive" when you try to switch to that disk). This, of course, does not mean that the disk is not accessible to BIOS (using INT 13h, not INT 25h/26h). More exactly, this means that any boot sector virus that is able to infect MBRs (Master Boot Records - where the partition table resides), will be able to infect a disk "protected" in this way. Such protection schemes usually install themselves in the MBR, then either encrypt the partition table, or move the original MBR to another place. If a virus attacks such disk, it will just install itself in the MBR and move the MBR, containing the protection program to another place. When the computer is booted, the virus receives control, stays resident in memory, then reads the moved MBR and transfers control to it. Since the protection program resides there, it will just ask for the password and so on. Since all MBR infectors use BIOS to access the disk, there is no possibility to "hide" the disk from them. It is possible, however, to disinfect the disk automatically on reboot, but this is another story. Regards, Vesselin ------------------------------ Date: Tue, 20 Aug 91 14:53:23 -0400 >From: tfarrell@lynx.northeastern.edu Subject: Liberty virus (PC) The Liberty virus showed up here in Boston last week at my employer's Novell network. (My employer is NOT Northeastern University.) The infection wasn't very bad and we cleaned it up quickly. I note that there have been several mentions on the net lately that people have gotten this virus and been unable to remove it with CLEAN, and were forced to delete the files. We also experienced this problem. I have mailed a copy to McAffee today for their examination, at the request of their tech support department. Hopefully this will be resolved in a future version of CLEAN. Incidentally, is there a site from which I can FTP the latest version of Flu Shot? I have an old (very old) copy on a floppy somewhere, but I'd much rather have the newest version. (Please answer that by private mail, no need to waste bandwidth.) Tom Farrell ------------------------------ Date: Tue, 20 Aug 91 19:08:18 +0000 >From: technews@iitmax.iit.edu (Kevin Kadow) Subject: Re: Hard disk locking PC SECURITY (PC) Most of the small-round-key PC locks can be opened by using a fired .22 shell like a key (to turn the peg in the lock). DO NOT trust the keyboard lock to keep people from "playing" with your machine. The only foolproof protection would be to disassemble the machine and install a REAL lock in place of the factory-installed keyboard lock, get a TSR that can lock the MOUSE when the keyboard is locked, and lastly install a lock such that the case cannot be opened without the appropriate key. - -- technews@iitmax.iit.edu kadokev@iitvax (bitnet) My Employer Disagrees. ------------------------------ Date: Tue, 20 Aug 91 16:29:02 -0600 >From: Jesus Miguel Garcia Subject: Scan (PC) Whats the new Scan antivirus of Mcaffe? I heard about version 83.... Thanks for help... Miguel Garcia Rdz. Monterrey, N.L. Mexico ------------------------------ Date: Tue, 20 Aug 91 21:05:00 -0400 >From: SINGH_HARP@BENTLEY.BITNET Subject: New Virus ? (PC) I am having a problem running a program that requires 541K of free conventional memory (according to the manual). I get the message "Program too big to fit in memory", even though I have about 552k of free conventional memory (according to CHKDSK and some other programs too). The peculiar thing is that the program was running a few days back, under this same configuration. No change has been made to the CONFIG.SYS or the AUTOEXEC.BAT files. There are no TSR's in the memory other than SHARE (even if there were, the largest free memory block is larger than required). The program does run if I get about 580K free. I have checked the program for infection using F-PROT V1.16, and using Norton Anti-Virus V2.00. In both cases the results were negative. Could this program be infected with a new virus? Any comments? Is there any place I could upload this program to have it checked (can E-Mail be used for sending binary files) ? Harpreet Singh Singh_Harp@Bentley.Bitnet ------------------------------ Date: Wed, 21 Aug 91 02:19:56 +0000 >From: cumber@runx.oz.au (Cumberland Newspapers) Subject: Questions regarding Novell, Viruses & policy We have a novell network running v3.11 and have (touch wood) largely been unaffected by virus attack. We thus far have only PC compatibles on our net but soon will be adding some macs. We are looking to create and adopt a policy to prevent virus infection but it is not practical to prevent users bringing in floppies or prevent some users from using BBS's. If anyone has ANY suggestions I am open to them. and a few other questions.... 1) Do there exist viruses that can infect novell fileservers ? (I don't mean .EXEs or .COMs or whatever on the server but the files that it runs like .NLMs etc ) 2) Is there a way of putting a task on the server that scans for viruses when users try to conect ? 3) Is there some way I can keep the viruses off the executables on the server ? many thanks iain. - -- Cumberland Newspapers (Software Development) cumber@runxtsa.runx.oz.au Iain Holmes. Ph: (02) 689 5470 (B) (02) 959 3174 (H) Fax: (02) 689 3846 Craig Mitchel. Ph: (02) 689 5191 (B) ------------------------------ Date: Wed, 21 Aug 91 10:55:26 +0000 >From: Leila Burrell-Davis Subject: Partition table virus on Toshiba 1200XE (PC) We have a Toshiba 1200XE which has been diagnosed as having the Telephonica Virus in the partition table of the 20MB hard disk. I've tried repartitioning and reformatting the disk, but it is still infected. I asked our local Toshiba dealer how to low level reformat the disk and he said it was an IDE disk and it could only be done with a special program which dealers have and can't resell. They'll quite happily do it for us, but it's an hour's drive so I thought I would enquire here first if there is any alternative solution. Thanks Leila - -- Leila Burrell-Davis, Computing Service, University of Sussex, Brighton, UK Tel: +44 273 678390 Fax: +44 273 678470 Email: leilabd@syma.sussex.ac.uk (JANET: leilabd@uk.ac.sussex.syma) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 145] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253