VIRUS-L Digest Monday, 16 Sep 1991 Volume 4 : Issue 159 Today's Topics: Back on the air Re: Disassembler Info Norton Anti Virus (PC) Re: Virus Simulators Re: Viruses more common in Mac environment? Re: Boot sectors Mutant viruses (PC) Re: compressed with EXEPACK ?? (PC) New files on risc.ua.edu (PC) Re: Viruses more common in Mac environment? BBS's For Virus Information...Or sites.. RE: F-PROT 2.00 (VIRSTOP) and PC-Shell/Mirror vsumx108.zip on risc (PC) Re: Experiment with virus Re: Virus Simulator available (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 16 Sep 91 10:13:14 -0400 >From: Kenneth R. van Wyk Subject: Back on the air Greetings all, As is self evident, VIRUS-L/comp.virus is back on the air. I have a *huge* backlog of submissions to get to, so if you don't see your message right away, please be patient. On my way home from last week's Virus Bulletin conference, it occurred to me that the only two times that I've caught a cold this year have been at virus conferences. Hmmm... ;-) Cheers, Ken ------------------------------ Date: 03 Sep 91 21:58:00 +0000 >From: PHYS169@cantva.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) Subject: Re: Disassembler Info >>What disassembler do you use? I have a disassembler specifically for scrutinising boot sectors, which is part of the CHECKOUT program I wrote. It is free, and a bit buggy, I'm afraid. I made CHECKOUT available a while ago - I'm working on a new version & will announce when it's available; in the mean time, the way to use the old version is: CHECKOUT/A A: and you might want the /D switch as well. What it does is work out what parts of the code get executed, what are the contents of registers at the time of interrupt calls (okay, this bit is pretty buggy), and puts in labels and BPB structure if appropriate, etc. Mark Aitchison. ------------------------------ Date: 03 Sep 91 20:03:39 +0000 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Norton Anti Virus (PC) knutt@ifi.uio.no (Knut Torgersen) writes: > first thing I did, however, was to run the program on the diskette I > borrowed it on. First I used McAFee's SCAN.EXE. Nothing nasty showed > up. Then I asked NAV to scan itself. NAV told me that "NAV.EXE is > infected with an unknown strain." Did you, purchance, run SCAN with the /AV (if I remember correctly) switch? The one that adds self-checking code to the target file, and would therefore confuse NAV's *own* self check? ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security or try rslade@keadb.kea.bc.ca once in a while. ------------------------------ Date: Fri, 06 Sep 91 16:35:34 +0000 >From: lunde@casbah.acns.nwu.edu (Albert Lunde) Subject: Re: Virus Simulators turtle@darkside.com (Fred Waller) writes: > Of course. And as soon as somebody invents this "perfect virus > detector", Rosenthal's Virus Simulator will cease to be of interest. > Until then, it remains a remarkable and interesting program which > demonstrates how imperfect the virus scanners really are. As prior threads have illustrated, a "perfect virus detector" is in general impossible. Virus scanners are not an elegant solution, but they are a reasonable way of producing a "good enough" solution for the current "state of the art" in virus writing and removal. Short of a change in social norms that would drastically reduce the rate of new virus production, there is no "light at the end of the tunnel" for DOS or MAC OS users - anti-virus writers will have to keep updating their products to deal with new viruses. I aggree that the "virus simulator" is not a realistic test of anti-virus products. Some people may like it, it may cause problems for others, but it does not address the major issues of performance. It is actually a bad thing if all anti-virus tools use the same signatures. Ability to disinfect common viruses is more valuable than numbers games. ------------------------------ Date: Fri, 06 Sep 91 13:03:26 -0400 >From: Joe McMahon Subject: Re: Viruses more common in Mac environment? On Fri, 6 Sep 1991 12:12:39 EDT Barry T. Drake said: > >Date: 05 Sep 91 20:03:09 +0000 >From: bdrake@oxy.edu (Barry T. Drake) > >Viruses spread more easily in the Mac environment because a program is run >every time a diskette is inserted: the desktop. On our campus there is an >extremely high contamination of viruses among students (and their floppies) >because they swap and share diskettes fairly freely. Our faculty members >are more likely to use anti-virus software because they can get the college >to pay for it :-). The best Mac anti-viral, Disinfectant, is free. Why don't students have it? Is there someone there to whom I can send a copy? --- Joe M. ------------------------------ Date: Fri, 06 Sep 91 19:55:27 +0300 >From: grdo@botik.yaroslavl.su Subject: Re: Boot sectors p1@arkham.wimsey.bc.ca (Rob Slade) writes: > In addition to the psychological advantage, "BSI"s have some > technical values as well. For one thing, they get the first > chance at the system, before most "protection" has started. For > another, a BSI, to be effective at all, must be memory resient. > For a third, because hy make changes to system areas which are > not normally seen, te changes are often undetected in normal > operation. In fact there is a way to overcome ANY boot sector infector on PC. To do this it is enough to restore the contents of interrupt vectors area just before booting DOS - virus will lost control. It is also desired to set a correct amount of RAM into an appropriate BIOS variable (loc. 0:413H). It is possible to place a necessary program code into a DOS BOOT sector (not MBR - such a code must be loaded AFTER all possible Boot sector viruses). Being installed on a virus-free PC such a program can "remember" the necessary info and then check it and, if neccessary, restore each time PC is booted. Such an approach was implemented at least in one program in USSR. - -- Sincerely, Dmitry O. Gryaznov E-mail: grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465 ------------------------------ Date: Fri, 06 Sep 91 19:52:33 +0300 >From: grdo@botik.yaroslavl.su Subject: Mutant viruses (PC) At least two viruses wich can NOT be detected by scanning programs (SCAN etc.) have been reported in USSR. These are mutant viruses. They do not contain any constant scan strings. They are self-encrypted and decrypting parts differ from file to file. These viruses use the fact that many *86 instructions can be represented by quiet different hex codes. And between two meaningful instructions a random number of randomly chosen do-nothing instructions is placed. "Do-nothing" instruction is not just a NOP. For example, if a decryption algorithm does not use SI register, then any instruction modifying SI (INC SI, DEC SI, XOR SI,AX etc.) may be treated as do-nothing. It is still possible to implement scanning algorithms using powerful enough regular expressions. - -- Sincerely, Dmitry O. Gryaznov E-mail: grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465 ------------------------------ Date: Fri, 06 Sep 91 19:56:39 +0300 >From: grdo@botik.yaroslavl.su Subject: Re: compressed with EXEPACK ?? (PC) ccoprdg@prism.gatech.edu (Drew Gonczi) writes: > I just ran tbscan with the 7-31-91 copy of virscan.dat. It flagged > alot of files saying "infected by [compressed with EXEPACK]" I was > wondering if this is a virus or just a warning about a possible > infection. I think those files were just compressed with EXEPACK. This is a usual thing for a lot of DOS utilities. The only danger while using EXEPACK or other executable files compressing programs is to pack an infected program and in this way to hide a virus from being detected by virus detectors. EXEPACK converts files in such a way that all packed files have the same a little bit "virus-like" start code. Several years ago when I started to deal with viruses I was fooled by EXEPACK myself. I noticed that many files on my PC had the same suspicious start code. In fact there were several different strains of start code. Some of them appeared to be real viruses. But one was just an EXEPACK start code. There is a virus detector in USSR which reports not only infected files, but also EXEPACK'ed, compiled with Turbo C, Microsoft C, etc. - -- Sincerely, Dmitry O. Gryaznov E-mail: grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su Phones: office: (08535)-2-1731, (08535)-2-0715 home:(08535)-2-1465 ------------------------------ Date: Fri, 06 Sep 91 15:38:04 -0500 >From: James Ford Subject: New files on risc.ua.edu (PC) The following files have been placed on risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus: tbscan28.zip - Thunderbyte Scan tbscnx29.zip - Thunderbyte Scan (tsr) vs910816.zip - virus signatures (to be used with tbscan,tbscnx) virx17.zip - Virus Detection version of VPSCan (Microcom's Virex) 0files.9109 - Text file, current pub/ibm-antivirus listing - ---------- Those who think they know it all upset those of us who do. - ---------- James Ford - Consultant II, Seebeck Computer Center jford@ua1vm.ua.edu, jford@risc.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ Date: Fri, 06 Sep 91 17:19:24 -0400 >From: Tom Coradeschi Subject: Re: Viruses more common in Mac environment? bdrake@oxy.edu (Barry T. Drake) writes: >Viruses spread more easily in the Mac environment because a program is run >every time a diskette is inserted: the desktop. On our campus there is an That is a valid data point only for those viruses which spread via the desktop. Macs running System 7 don't even have desktop files on their hard disks anymore, so the floppy->hard disk->floppy infection path is disappearing. >extremely high contamination of viruses among students (and their floppies) >because they swap and share diskettes fairly freely. Our faculty members >are more likely to use anti-virus software because they can get the college >to pay for it :-). Well that's a pretty ridiculous stance. Disinfectant is (arguably) the best anti-viral for the Mac, and it's FREE! >In six years of working with primarily IBM PC's, I have seen *one* diskette >infected (with Stone-B and Ping Pong-B); it came from off campus via a >research assistant (from her workplace). For what it's worth: Of the 2000+ Macs at this installation, the only viral infection I've seen reported came from a *sealed* distribution copy of an application. It was snuffed by GateKeeper when the disk was inserted. On the other hand, one of our summer hires brought in some diskettes from school last year. Stuffed one in a PC-AT. Bells, whistles and sirens went off! All his floppies were infected, several w/ multiple virii. We practice "safe computing" on all our machines (Mac & DOS). tom coradeschi <+> tcora@pica.army.mil ------------------------------ Date: Fri, 06 Sep 91 19:04:24 -0500 >From: al165161@mtecv2.mty.itesm.mx (HUGO DIZFINCK CORTES ) Subject: BBS's For Virus Information...Or sites.. Hi All, Im searching for place internet (i only have access telnet, no dial up) for get a bbs where can get a articles of viruses. Any Help? Thanks, Saludos de Mexico, J. Miguel Garcia R. Monterrey, N.L. Mexico ------------------------------ Date: Sat, 07 Sep 91 08:52:45 -0600 >From: Diskmuncher Subject: RE: F-PROT 2.00 (VIRSTOP) and PC-Shell/Mirror from A. Padgett Peterson, regarding PC-Shell and VIRSTOP interaction >Afraid this is not a conflict but rather a DOS charactoristic that >most Netware administators are aware of: there are many programs such >as PC-SHELL and LOGIN.EXE that shell other executable files during >their operation then, when operation is complete, remove themselves >from memory and release the memory they were using to DOS. Unfortunately, >if a program went TSR from the shell, DOS cannot de-allocate the memory. Padgett, It seems to me that your comments about PC-Shell, while true in a general sense, weren't true in this particular case. Specifically, I *never* activated PC-Shell as the interface to DOS. (I did set it up as a TSR, but never pressed the hotkeys to activate it and never ran a program from within PC-Shell). In addition, I did not invoke VIRSTOP.EXE from *within* PC-Tools (I did try once to load it after PC-Shell had become resident, and the computer worked fine until I used a large program like WordPerfect). When I did load VIRSTOP from within PC-Shell (testing your comments), the computer hung immediately (during the loading of VIRSTOP). There was plenty of conventional memory left to run WordPerfect (570K) so it shouldn't have had to swap anything (even if it's capable of doing so, I don't know). Nowhere in the documentation did it say that PC-Shell had to be loaded last, other than saying that if you load any TSR's after PC-Shell, you won't be able to remove PC-Shell from memory until you remove the other TSR's first (that's just what you mentioned :). PC-Shell keeps a 10K kernal in conventional memory, but when activated, it uses up to 380K of EXPANDED memory or writes to a temp file on the hard disk ("saving the state of memory"). >In the case of PC-SHELL, I suspect that the spawning process examines >the requested program to determine if there is sufficient memory >to run the request. If there is, PC-SHELL just spawns a new CLI >to run the program. If the program is larger, PC-SHELL will swap >itself out before running the new program. > >Consequently, VIRSTOP must be small enough that PC-SHELL does not >swap out and once VIRSTOP is resident, PC-SHELL is no longer able >to swap, hence the problem. Agreed. But again, I never used PC-Shell to launch a program. After loading all TSR's, device drivers, etc. I still had 570K conventional memory free (and ~500K of expanded memory). I have two TSR's that are loaded AFTER PC-Shell (one is PC-Desktop, another PC Tools program which PC-Shell "knows" about, and Erase Protect (Norton Utils equiv. to Mirror)) and neither one complains when I use PC-Shell to launch Paradox or WordPerfect. Yet as you stated, I cannot remove PC-Shell from memory until I remove Erase Protect and PC-Desktop first. Thus I still believe that there is a definite conflict between VIRSTOP and PC-Shell (and Mirror) but it's easily solved by loading MIRROR first, then VIRSTOP, then PC-Shell so I'm happy. John-David Childs Consultant, University ofMontana con_jdc@lewis.umt.edu ------------------------------ Date: Sun, 08 Sep 91 15:26:50 -0500 >From: James Ford Subject: vsumx108.zip on risc (PC) The following file has been uploaded to risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus: vsumx108.zip - Hoffman's Virus Summary Listing (Hyperstack format) - ---------- It takes as much energy to wish as it does to plan. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@risc.ua.edu ------------------------------ Date: Mon, 09 Sep 91 09:41:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Experiment with virus I (Mark Aitchison, U of Canty; Physics) wrote: > (b) if you reformat a 360Kb diskette on an AT's 1.2Mb drive, the virus can > survive! (anyone that wants an explanation can e-mail me). I've had enough queries to make it worth posting the explanation: A 1.2Mb drive has a narrower head, so when it writes over the top of a track written by a 360Kb drive, some of the original is left beside it. When reading the diskette on a 1.2Mb drive, you won't notice it, but on a 360Kb drive one of three things can happen: 1. The newer, 1.2Mb drive's signal is stronger, so you get that (i.e no virus, just the newly formatted empty diskette), or 2. The signals are roughly equal, so you get garbage (CRC errors), or 3. If the 360Kb drive's heads are a bit out of alignment, which is reasonably likely (because they tend to be older, and because they never needed to be so accurately positioned in the first place), then it could read more of the old data than the new data, and get whole sectors of the original (infected programs, etc) without errors. Yes, I have found this with one of my 360Kb drives. The most common case is to get the new data with (mostly) CRC errors, but it is enough of a risk to have a policy of wiping the disks with a magnet (or degausser or whatever is proven to work). Remember that the 360Kb drive might read data from other 360Kb drives without a glitch, but be out of alignment enough to get some sectors from the original tracks. Mark Aitchison. ------------------------------ Date: Mon, 09 Sep 91 10:02:00 +1200 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Virus Simulator available (PC) frisk@rhi.hi.is (Fridrik Skulason) writes: > There are several products which only rely on published search > strings, but they are not very secure - virus writers have access to > the same search patterns and they often modify their viruses so they > will not be detected by those patterns. Just wonderring... how many viruses exist that are trying to avoid published search patterns? I still agree that serious virus scanners should keep their scan details secret, by the way. There is a good case for distributing the scan patterns for known viruses, for identification purposes, and I almost hope that virus writers waste their time tinkerring with viruses to avoid those strings, rather than try to write serious new viruses. Of course, nobody should consider virus simulators based on such strings as a good test of a scanner; the only valid use of a virus simulator would be to demonstrate to the unintiated what a virus looks like, so they can watch for it in "real life". Mark Aitchison. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 159] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253