VIRUS-L Digest    Tuesday, 3 Sep 1991    Volume 4 : Issue 152

Today's Topics:

How Many Anti-Virus Sales?
Re: Virus Simulator available (PC)
F-PROT version 2.0 (PC)
Re: Virus Simulator available (PC)
re: The Tenbytes virus (PC)
Vshield not loading into high memory?
Viruses more common in Mac environment?
Re: Drive assignments (PC)
Hard Disk Locking (PC)
Re: Virus Simulator available (PC)
Re: Self-scanning executables (PC)
FPROT200.ZIP - The F-PROT anti-virus package, with a 'new look'
FPROT200.ZIP available (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 30 Aug 91 13:40:00 +0000
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: How Many Anti-Virus Sales?

Does anyone have any guestimates about the aggregate number of sales of anti-virus products? One measure of how serious the interest is in the virus problem is to compare how many anti-virus packages (covering the various options) have been sold and/or are in use. That number could be compared to some baseline of the number of PCs, networks, etc., as well as changes in the number of viruses. I will summarize responses for Virus-L.
Thanks

Sandy

------------------------------

Date: Fri, 30 Aug 91 08:05:02 -0700
From: Eric_Florack.Wbst311@xerox.com
Subject: Re: Virus Simulator available (PC)

Fridrik Skulason IN VLD #151:

>>Saying that something is "infected with virus signatures" is meaningless nonsense. A program is either infected with a virus or it is not - creating a file which contains bits and pieces from a virus does not make it virus infected<<

True enough, as far as you go... however:

>>therefore there is no reason why an anti-virus program should report any of the files it creates to be infected<<

Since most anti-viral programs use the same search strings, it's reasonable to assume that if it can't find the simulation, an anti-viral product using these published strings won't find the real thing, either.

>>> The infected programs can be renamed and copied to other disks and
> directories as bait for virus detecting programs.

So what ?<<

The so what is simple, and it amazes me that you don't see it! How about someone developing an anti-viral product that wants to have some kind of test pattern?

>>> terrorists, are much more difficult to test with. The test viruses
> generated by Virus Simulator are safe and sterile, but form a validation
> test suite that trigger vigilant virus detectors.

Bullsh*t! The files created by the Virus Simulator may cause some virus scanners to trigger in some cases, but a perfect virus detector should be able to determine that the files are not viruses, and should not trigger at all.<<

Tell ya what: You write a perfect detector, and then get back to me. Perhaps you can help pay my telco bills with all the money you'll be making.

>>The only thing the Virus simulator is able to test is if virus scanners which use publicly available signatures, which are included in the Virus Simulator will indeed detect the viruses they claim to detect.
<<

Ah, so now we come to the heart of the matter: You, apparently, are a proponent of using /NON/-published strings to scan against. OK, I see some merit in this. Keeping the creeps guessing what strings you're using might serve to hold them off somewhat. I can also see the idea of using published strings. I guess what it comes down to is that the usefulness of such a device depends on the type of scanning you are using or developing.

------------------------------

Date: Fri, 30 Aug 91 15:08:38 +0000
From: Fridrik Skulason
Subject: F-PROT version 2.0 (PC)

This version of F-PROT is now (finally) ready. There are several significant changes from the last version.

1) Fewer programs - the old version had around 20 programs, some with overlapping functions - the new version only has two - the resident part and the main program. Some functions have been removed from the package - in some cases they were outdated or just not good enough - in other cases they were more or less static (F-MMAP for example), and there was no need to include them in a regularly updated package.

2) Totally redesigned user-interface. It is possible to use command-line options like before, but it is primarily menu-driven now.

3) Faster scanning - the "Quick Scan" option is....well....a lot faster than the old one....

4) Heuristic analysis - generic analysis of programs intended to detect unknown viruses. It is still in the experimental stage, but seems to have around 90% chance of detecting any unknown viruses.

5) Plus a whole lot more..."pop-up" virus information...simplified installation...improved support for multiple languages..improved variant identification...

I have sent the program to SIMTEL20, and it should appear there and on other archive sites soon - just give it a few days...
I have been busy the past weeks finishing the program, and meanwhile mail has been piling up in my E-mail box - if you have sent me mail recently and not received a reply it is probably one of the 250+ messages waiting. My plan is to spend the next week answering my mail - and then I'm off... first to the Virus conference in Jersey, then on a two week vacation somewhere far from all computers....Don't expect to be able to reach me between Sept. 7th and Sept. 29th.

-frisk

------------------------------

Date: 30 Aug 91 10:57:48 -0400
From: "David.M.Chess"
Subject: Re: Virus Simulator available (PC)

> From: Fridrik Skulason
>
> I fail to understand why the author of this program believes that
> anyone might find it of any use whatsoever.

I have to agree with Fridrik. This product's only conceivable use is to make sure that some specific anti-virus program, the one that the author of the "simulator" got his signatures from, is installed and working correctly. It cannot be used to correctly test other anti-virus products; in fact, as Fridrik says, any anti-virus product that identifies the output of the "simulator" as virus-infected will be, strictly speaking, wrong!

The results obtained from testing any anti-virus product with this "simulator" will be essentially meaningless. If, for instance, a product identifies the simulator's dummy files as infected, it really tells you nothing about how it will react to real-life files. It may report other not-really-infected files as infected, for instance. If some other product does not identify the dummy files as infected, that tells you nothing about how it would react to actually-infected files; it might very well detect them all correctly!

I say all this having no idea how IBM's anti-virus products fare when exposed to the "simulator". *8) If anyone tries it, I would actually be grateful if they would *not* tell me, and *not* post the results here, as they can only cause confusion.
The "simulator" is not a bad idea at heart; people often want a way to figure out if their anti-virus software is correctly installed and working. But this particular approach, particularly given the tone of the claims the author makes for it, is much too likely to mislead. I think a more promising approach would be for each anti-virus program to have a corresponding test suite, which would contain a few files that the anti-virus program would report as infected (or as "containing the test signature", or something like that). Any further thoughts in that direction?

DC

------------------------------

Date: 30 Aug 91 12:17:14 -0400
From: "David.M.Chess"
Subject: re: The Tenbytes virus (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>It seems that nobody has noticed that the Tenbytes virus, which has
>been posted accidentally on Valert some time ago (two years? one
>year?) is able to mutate.

It's not actually mutating, and I don't think there's anything random about it. I admit I haven't studied this one very hard (it just hangs most of the machines I've tried it on), or written a disinfector for it. But from looking at the code, it looks like it's just infecting EXE files slightly differently depending on how long they are; the amount the virus writes to the file, and the initial IP value it'll have, can therefore be different from infection to infection. I think it's basically avoiding the bug that lots of other EXE-infecting viruses have that causes the infected EXE file to be slightly invalid (a ridiculous number in the "CS Offset" field, as I recall) when a very small EXE file is infected. Doesn't look like anything too sophisticated (although I can't get it to spread this morning to check!).

DC

------------------------------

Date: Fri, 30 Aug 91 17:42:06 +0000
From: dbarlow@na.novell.com (Doug Barlow)
Subject: Vshield not loading into high memory?

Has anyone tried to load vshield (version 3.9B80) into high memory?
I've tried MS-DOS 5.0 and DR DOS 5.0 and 6.0 BETA and nothing seems to work. MS-DOS doesn't load it at all and DR DOS just loads it into conventional memory. I have tried it with many configurations on different machines. Any help would be appreciated. Could someone please forward this to McAfee.. Thanks.

Doug Barlow

--------------------------------------------------------------------------
Doug Barlow                     Email: DBARLOW@NA.NOVELL.COM
Software Testing
Novell, Inc.
Provo, UT
Standard Disclaimer applies......
--------------------------------------------------------------------------

------------------------------

Date: 30 Aug 91 17:12:46 +0000
From: delwiche@well.sf.ca.us (Aaron Delwiche)
Subject: Viruses more common in Mac environment?

Somebody recently tried to convince me that viruses were more widespread in the Macintosh environment than the PC environment. Is this true? It seems to me that the opposite would be true.

------------------------------

Date: Fri, 30 Aug 91 15:30:02 -0400
From: Alan Pierce
Subject: Re: Drive assignments (PC)

I would like to apologize for posting my comments on drive assignments to VIRUS-L...talk about misdirection.

Alan Pierce

------------------------------

Date: Fri, 30 Aug 91 14:20:59 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Hard Disk Locking (PC)

Eric Lindsay points out something that I forgot to mention, i.e. that you should use a ballast resistor on the line. I have not looked at the controller but given a high input impedance to the drive, anything from Eric's suggestion of 200 ohms up to about 5k should work. The write enable line is lead 6 of the 34 pin connector (lead 1 is usually indicated by a red stripe on the cable). And hardware is certainly infallible. I believe that a similar line exists on the 50-pin SCSI cable but you must keep in mind that anything downstream of the break will also be unwritable.
A while ago I used this method to protect the C drive on a dual-disk PC by breaking the cable between D: and C: (C: was on the end). Putting such a switch in at the controller would make it unable to write to any drive. Don't forget, the side of the break you want to tie high is the one to the DRIVE, not the end going to the CONTROLLER.

One of the things I had planned for DiskSecure II (when and if) was an option to write protect any partition on a drive, easy when you are working at the BIOS level and, since I can trust & control access, reasonably secure (anything lower just can see sectors, not files).

Winter is slowly easing*,

Padgett

* winter - that time of year when your utility bills go up & you do not go outside unless you have to.

------------------------------

Date: Fri, 30 Aug 91 13:23:17 -0600
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: Virus Simulator available (PC)

Concerning the Virus Simulator previously announced by (?), frisk@rhi.hi.is (Fridrik Skulason) writes:

>I fail to understand why the author of this program believes that
>anyone might find it of any use whatsoever.
...
>meaningless nonsense.
...
>So what ?
> ... this is of no interest at all. ...
>Bullsh*t! ...
>This statement is highly misleading. ...
>Huh ?
> ... is totally useless. ...
>I only hope that the author of the program realizes soon how useless
>it is...

Well, I don't think I would say it with quite as much *FLAME ON*, but maybe that's simply because I'm not writing a virus protection package! ;-)

I think Frisk is right, in the points he makes -- between the excerpts I've extracted here! The virus simulator is NOT of ANY USE I can see, and will simply generate false security and false paranoia, not to mention horribly inaccurate reviews in already inaccurate magazines and journals.

There is a problem though for those of us who don't have access to a bank of viruses.
We would feel a lot more confidence in the protection packages if we had some way of testing them. Just today I finally was able to confirm that FPROT's f-driver does indeed stop at least one species of file infector virus from running on *MY* computer. Not that I've doubted Frisk or any of the other virus protection writers -- well, maybe some of the others! ;-) The problem is that computer users have learned not to trust claims of any software until they have tested it on their own system with its own peculiar configuration. I see no solution to this problem, though.

Hopefully the protection writers have calmed down now, maybe taken a shot of Canadian Whiskey, (what does one drink at such a time, in Iceland?), and the *flames* can subside, so we can think rationally about this problem.

-------------------------------------------------------------
Tim Martin                  *  Soil Science
These opinions are my own:  *  University of Alberta
My employer has none!       *  martin@cs.ualberta.ca
-------------------------------------------------------------

------------------------------

Date: Fri, 30 Aug 91 13:25:47 -0600
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: Self-scanning executables (PC)

hartnegg@sun1.ruf.uni-freiburg.de (Klaus Hartnegg) writes:

>vaitl@ucselx.sdsu.edu (Eric Vaitl) writes:
>> I started thinking about self scanning executables again.
>>Unfortunately, it was way too easy to write myself a virus which gets
>>around the whole damn thing. Here is what it does:
>>[...]
>Great idea to publish this on the net. You can be sure that such
>viruses will appear very soon now.

I'm sure the virus writers have or would have thought of it themselves. Personally I'd rather have the rest of us made aware of the problem with using self-scanning executables, so that we don't put trust in them. If the problem is there, let's not hide from it; rather recognise and avoid it.
-------------------------------------------------------------
Tim Martin                  *  Soil Science
These opinions are my own:  *  University of Alberta
My employer has none!       *  martin@cs.ualberta.ca
-------------------------------------------------------------

------------------------------

Date: Fri, 30 Aug 91 08:41:21 +0000
From: Fridrik Skulason
Subject: FPROT200.ZIP - The F-PROT anti-virus package, with a 'new look'

I have uploaded to SIMTEL20:

pd1: FPROT200.ZIP    The F-PROT anti-virus package, with a 'new look'

Just like the "old" version 1, this program is designed to find, stop and disinfect known viruses. It is however much faster than the previous versions, with a friendlier and simplified user-interface, and several new features, such as heuristic analysis and pop-up virus information.

-frisk

Fridrik Skulason
frisk@rhi.hi.is

------------------------------

Date: Sat, 31 Aug 91 23:19:48 -0500
From: James Ford
Subject: FPROT200.ZIP available (PC)

The file fprot200.zip is now available from risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus. This file was downloaded direct from Simtel20.

----------
Consistency is the last refuge of the unimaginative.
----------
James Ford - jford@ua1vm.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 152]
******************************************
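David Chess's suggestion earlier in this digest (each product shipping its own test suite whose files are reported as "containing the test signature" rather than as infected) worked through as an added example. This is not code from VIRUS-L or from any scanner named here; the signature byte strings, file names and file contents are constructed for the example and correspond to no real virus, and the scanner itself is a plain substring matcher, the simplest form of the signature scanning the posts argue about.

```python
# Added example: a minimal signature scanner with a dedicated, non-viral test file,
# along the lines of the per-product test suite suggested in the digest. None of this
# is code from VIRUS-L or from any scanner named there.

# Constructed signature bytes for this example; they match no real virus.
SIGNATURES = {
    "Example.Sample1": bytes.fromhex("e800005b81eb030190"),
    "Example.Sample2": bytes.fromhex("b44ecd2173f9b43ecd21"),
}

# The test signature is a printable marker with no executable content. Because the
# scanner reports it under its own verdict, "installed and running" is never
# confused with "infected".
TEST_SIGNATURE = b"EXAMPLE-SCANNER-TEST-FILE:NOT-A-VIRUS"


def scan_bytes(data):
    """Classify one file image.

    Returns ("infected", [virus names]), ("test-file", []) or ("clean", []).
    A real signature always wins over the test marker, so embedding the marker in a
    genuinely infected file cannot downgrade the verdict.
    """
    found = sorted(name for name, sig in SIGNATURES.items() if sig in data)
    if found:
        return ("infected", found)
    if TEST_SIGNATURE in data:
        return ("test-file", [])
    return ("clean", [])


def scan_files(files):
    """Scan a {filename: bytes} mapping and return {filename: verdict}."""
    return {name: scan_bytes(data) for name, data in sorted(files.items())}


def make_test_file():
    """The file a product would ship so users can confirm the scanner is active.

    It is a harmless batch file carrying the marker in a comment line.
    """
    return b"@echo off\r\nrem " + TEST_SIGNATURE + b"\r\n"


def installation_ok(files):
    """True when the scanner saw the test file and reported it as a test file.

    Both failure modes matter: "clean" means the scanner is not running or is not
    reading the file; "infected" means the product confuses its own test file
    with a real infection.
    """
    verdicts = scan_files(files)
    return any(v == ("test-file", []) for v in verdicts.values())


# Constructed sample "disk" for the demonstration (not real programs).
SAMPLE_FILES = {
    "HELLO.COM": b"\xb4\x09\xba\x00\x01\xcd\x21\xc3Hello$",            # clean program
    "SAMPLE1.COM": b"\xe9\x10\x00" + bytes.fromhex("e800005b81eb030190") + b"\x00" * 16,
    "NOTES.TXT": b"This note only mentions the word virus.",         # a word, not a signature
    "TESTFILE.BAT": make_test_file(),
}

if __name__ == "__main__":
    for name, (verdict, names) in scan_files(SAMPLE_FILES).items():
        print("%-14s %-9s %s" % (name, verdict, ", ".join(names)))
    print("installation check:", "ok" if installation_ok(SAMPLE_FILES) else "FAILED")
```

The design choice is the three-way verdict: the test file is something the product itself ships and recognises, so a report of "test-file" tells the user the scanner is installed and reading files, while saying nothing about (and never being mistaken for) detection of a real infection.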
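David Chess's Tenbytes note earlier in this digest mentions that many EXE infectors leave a small infected file with a "ridiculous number" in the CS field of its header. As an added example (not from the digest or from any product named in it), here is the header-consistency check a disinfector or forensic tool can run on a DOS MZ executable to spot that kind of damage. The 28-byte header layout is the documented DOS MZ format; the sample images are built inside the block and are constructed, not real programs.

```python
import struct

# DOS MZ executable header, fixed 28-byte part, all fields little-endian 16-bit.
MZ_HEADER = struct.Struct("<2s" + "H" * 13)
MZ_FIELDS = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")


def parse_mz_header(data):
    """Unpack the fixed part of an MZ header into a field dict."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("file too short for an MZ header")
    return dict(zip(MZ_FIELDS, MZ_HEADER.unpack_from(data)))


def check_mz_header(data):
    """Return a list of consistency problems; an empty list means the header is sane.

    The checks are the ones a badly patched header fails: the image size the header
    claims, the relocation table staying inside the header, and the initial CS:IP
    landing inside the load module that DOS actually reads into memory.
    """
    problems = []
    h = parse_mz_header(data)
    if h["magic"] not in (b"MZ", b"ZM"):
        return ["not an MZ executable"]
    header_bytes = h["cparhdr"] * 16
    # Image size: cp pages of 512 bytes, the last holding cblp bytes (0 means full page).
    if h["cblp"] == 0:
        image_bytes = h["cp"] * 512
    else:
        image_bytes = (h["cp"] - 1) * 512 + h["cblp"]
    if image_bytes > len(data):
        problems.append("header claims %d image bytes but the file has only %d"
                        % (image_bytes, len(data)))
    if h["lfarlc"] + 4 * h["crlc"] > header_bytes:
        problems.append("relocation table runs past the %d-byte header" % header_bytes)
    if header_bytes > image_bytes:
        problems.append("header size %d exceeds image size %d" % (header_bytes, image_bytes))
        return problems
    load_module = image_bytes - header_bytes
    entry = h["cs"] * 16 + h["ip"]          # CS is relative to the load module's start
    if entry >= load_module:
        problems.append("initial CS:IP %04X:%04X is %d bytes past the %d-byte load module"
                        % (h["cs"], h["ip"], entry - load_module + 1, load_module))
    return problems


def build_sample_exe(cs, ip, body_len=544):
    """Constructed minimal EXE image for the demonstration: a two-paragraph (32-byte)
    header followed by body_len bytes of code (INT 20h, then NOPs). Not a real program."""
    total = 32 + body_len
    pages, last = divmod(total, 512)
    if last:
        pages += 1
    header = MZ_HEADER.pack(b"MZ", last, pages, 0, 2, 0, 0xFFFF,
                            0, 0, 0, ip, cs, MZ_HEADER.size, 0)
    return header + b"\x00" * (32 - len(header)) + b"\xcd\x20" + b"\x90" * (body_len - 2)


if __name__ == "__main__":
    for label, image in (("well-formed", build_sample_exe(0, 0)),
                         ("bad CS field", build_sample_exe(0xFFFF, 0)),
                         ("truncated", build_sample_exe(0, 0)[:100])):
        print(label, "->", check_mz_header(image) or ["ok"])
```

Only the entry point is checked against the load module; SS:SP is deliberately left alone, since a program's initial stack may legitimately sit in the extra paragraphs requested through minalloc rather than inside the bytes stored in the file.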