VIRUS-L Digest   Tuesday, 24 Sep 1991    Volume 4 : Issue 172

Today's Topics:

More info on CompuServe Accidentally Distributing Viruses (PC)
Re: Belch_Virus? (Mac)
FPROT on Zenith 386 (PC)
Boot variations
Review of Control Room (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    24 Sep 91 09:42:52 -0400
From:    krvw@cert.sei.cmu.edu
Subject: More info on CompuServe Accidentally Distributing Viruses (PC)

[Ed. The following article is forwarded in its entirety from the Clarinet newsgroup, clari.nb.telecom. I would like to thank Clarinet for granting me permission to distribute this article to VIRUS-L/comp.virus. Clarinet is a commercial electronic news system which, among other things, provides UPI news information in Usenet newsgroup format. For information on Clarinet, contact info@Clarinet.com or 800-USE-NETS. Disclaimer: I have no affiliation with Clarinet other than being a happy customer.]

COLUMBUS, OHIO, U.S.A., 1991 SEP 20 (NB) -- Noel Bonczoszek of Scotland Yard, acting on a tip from a London-based virus expert, has notified CompuServe that one of the infected files in a library of the VIRUSFORUM was downloaded by someone in London.
The file, MOUSE.COM, was on the forum from September 9 through 18 and during that time was downloaded nine times, but, according to John McAfee, whose company operates the forum, it was only copied by people who were virus specialists.

According to Mr. McAfee, who, on behalf of his company, accepts complete responsibility, the library was created as a place that users could upload suspected files to be checked for possible virus infection by the forum's sysop, Aryeh Goretsky 76702,1714, manager of the technical support department for McAfee Associates. Because of a misunderstanding of how CompuServe libraries are managed by the system software, McAfee Associates was, according to Mr. McAfee, unaware that it was possible to also download an infected file stored in the forum. Mr. McAfee told Newsbytes that his company's own BBS did not permit downloading of such files and they just weren't aware that it could be done on CompuServe, but he emphasized that the error was entirely on their part and not due to any problem or mistake on the part of CompuServe itself.

Mr. McAfee said that, despite the offer to aid any of the nine people who downloaded the file, only one woman contacted the sysop and she actually apologized for downloading what she knew was an infected file. He reported that she had done it to experiment with the virus and had taken precautions not to infect her system; thus, she had suffered no damage. Two virus experts known to this bureau also downloaded the file to check it and their systems were likewise not in any way infected. One of those experts contacted Scotland Yard, which immediately contacted CompuServe to block further spread of the virus.
The following is the statement now being carried on the CompuServe VIRUSFORUM:

"IMPORTANT NOTE - PLEASE READ

"On September 18, it was discovered that a file uploaded to the suspect file area of the Compuserve Virus Forum had been accidentally unlocked and made available for downloading from the suspected file area. The file, MOUSE.COM, was uploaded by user 73750,2417 for analysis as a suspected infected file. It contained the Taiwan 4 virus and it clearly identified itself as containing a suspected virus during a download. Our records indicate that nine people downloaded the infected file before the oversight was noticed and corrected.

"While the library area containing this file clearly indicated that the enclosed files were suspect and that the library should be used for uploads only, we must assume that one or more of the downloaders may have downloaded in error and are unaware of the potential danger. Accordingly, we are urging all 9 people who downloaded this file to contact McAfee Associates for instructions or assistance. As a result of this error, we have decided to close down Library #0, the Suspect Virus upload library. Forum users may continue to submit suspected viruses for review through Compuserve Mail to Aryeh Goretsky (76702,1714) or Spencer Clark (76702,1713). This change will prevent this error from recurring. We regret any inconvenience caused by closing Library 0, and we further regret that anyone may have downloaded the infected file in error. For assistance or further questions, please contact McAfee Associates at (408) 988-3832 during office hours, or send email to the SysOps."

End quote from Aryeh Goretsky 76702,1714 (his e-mail CompuServe address).

Asked if his anti-virus software would have caught the infected program when it was eventually scanned, Mr. McAfee told Newsbytes, "Our scan program would have detected it and our clean program would have removed it. It is a very common virus." Mr.
McAfee also said that the virus only attacks the AUTOCAD.EXE file. Another virus expert said that, while he hadn't completely analyzed the file yet, it appeared to be full of obscenities and that in its original form it was probably portrayed to unsuspecting potential users as an enhanced Logitech mouse driver.

There is absolutely no indication that this virus-infected program could have infected any other CompuServe files, and a computer security specialist not connected with CompuServe or McAfee Associates has pointed out that by the nature of the file it could only infect an MS-DOS system anyway and that there is no logical way CompuServe's operating environment could have activated the virus.

Although Mr. McAfee doesn't report, and may not know, just how the infected file was originally discovered to be downloadable, Newsbytes has learned that it was discovered by one of Mr. McAfee's competitors who passed along the word, and Mr. McAfee and CompuServe were first made aware of the problem by Scotland Yard. Mr. McAfee does credit Scotland Yard's Noel Bonczoszek with being the one who brought the problem to his attention.

(John McCormick/19910920/Press Contact: John McAfee, McAfee Associates, 408-988-3832)

------------------------------

Date:    Mon, 23 Sep 91 17:35:38 +0000
From:    plains!umn-cs!LOCAL!aslakson@uunet.uu.net (Brian Aslakson)
Subject: Re: Belch_Virus? (Mac)

APPLEREP%MTUS5.BITNET@BITNET.CC.CMU.EDU writes:

>periodically. The belch does not replace the normal beep sound, it

Look for things that are Control Panel devices (like Soundmaster) but are renamed. Look for folder(s) with sounds in them (you probably did this already). Get info on everything in the System Folder (with ResEdit 1.3 cuz it's handier) and note everything that is an init. Something with an innocent name might be making naughty noises. Check the Sound cdev in the control panel and see what is listed as its sound.
Lastly, using ResEdit 2.1 or 2.1.1 if System 7, open the System folder and actually play all the sounds in there. It'll be obvious what are sound resources.

Virus? Doubtful tho possible. If you have a question about what I said (or don't know how to get the latest ResEdit) send mail.

=-=-=-=-=
Note to all who sent mail Re: Mac vs. PC viruses. No I haven't lost your mail, I'll be getting to it when I have time to reply properly.
=-=-=-=-=

- --
Brian Aslakson
brian@cs.umn.edu (mail)
aslakson@cs.umn.edu (talk)
mac-admin@cs.umn.edu (Not me!!)

------------------------------

Date:    23 Sep 91 13:26:03 +0800
From:    "Fran Holtsberry"
Subject: FPROT on Zenith 386 (PC)

Anyone else getting "Error reading drive C" when using this combo. We are using the new version of FPROT 2.00. Works with 286 just fine, works with other systems fine...but not with any of the 386 guys.

Oh, I see that this is a problem:

  Subject: When will FPROT 2.00 work with Zenith Dos 3.30.1 (PC)

  When will the fix be out?

  - --
  Douglas Bell dab6@po.cwru

Is the problem with the DOS? I second the question...When will a fix be out?

Fran Holtsberry
fran_holtsberry@msmailgw.csuchico.edu

------------------------------

Date:    Fri, 20 Sep 91 13:29:07 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Boot variations

FUNBOT4.CVP   910920

                         Boot variations

There are some interesting variations in the boot process which can have implications for security.

On pre-System 7 Macintosh computers, each floppy disk that was inserted in the computer was "booted", in a sense. The "Desktop" information, and the description of how it would appear on the screen was in program format, and so any program identified as WDEF would run automatically. This was used quite successfully by one Mac virus.

The Atari computer may reserve up to six sectors for the "boot sector": only one is ever used in the normal course of events. This, of course, provides an excellent "hiding place" for a virus.
The additional five sectors can contain a reasonably capable virus, and there is no danger of overwriting, or any need to try to avoid detection in changing file sizes.

In terms of hiding places, the variations in the size of system areas and tables has caused some viral programs to be unintentionally destructive. Stoned, for example, places the original boot sector "out of harm's way" in a sector which, on a normal 360K disk, was generally redundant. That area would only be used if more than 95 files were placed on the disk; a highly unlikely occurrence. With high density disks, however, that section of the disk is more important to the file allocation table, leading to the loss of access to data on some diskettes. A similar situation occurred with hard disks.

On MS-DOS computers with extended partitioning of the hard disk, the master boot record may be read while accessing a different drive. It is therefore possible to become infected with a virus which takes over the MBR even if the computer is booted from a floppy disk.

Zenith computers have always had a fairly distinctive boot sequence. Latterly, Zenith BIOS will allow you to specify whether the computer is to be booted from the floppy or the hard disk, and which disk. This is a handy safety feature (and equally handy for virus research.) Formerly, however, Zenith computers, among others, would change the boot sector on every startup. This was sometimes used as a pseudo "clock backup". The fact that the boot sector was changing at all times, however, conflicted with change detection software which checked the boot sector.

copyright Robert M. Slade, 1991   FUNBOT4.CVP   910920

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     CyberStore               | turn it on."
User              (Datapac 3020 8530 1030) | Richards' 2d Law
Security          Canada V7K 2G6           | of Data Security

------------------------------

Date:    Fri, 20 Sep 91 12:26:54 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Control Room (PC)

Comparison Review

Company and product:

Ashton-Tate
20101 Hamilton Ave.
Torrance, CA  90509-9972
USA
213-329-9989
BBS: 213-324-2188
or
Department CR-10
52 Oakland Avenue
East Hartford CT  06108
Control Room system management package with antiviral utility

Summary: Control Room is intended to assist in managing system specifications. Viral detection is a limited and minor part of the package.

Cost

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
      Installation        4
      Ease of use         4
      Help systems        4
Compatibility             4
Company
      Stability           3
      Support             3
Documentation             2
Hardware required         4
Performance               2
Availability              3
Local Support             3

General Description:

Control Room provides extensive management of a wide variety of system parameters, with thorough explanation of all aspects so as to be suitable for even the most naive users. Although such systems are available to provide system information for experienced users, Control Room is unique in the amount of assistance given to the average user. Virus checking is intended to be automated at run time, and is restricted to file image checking.

                  Comparison of features and specifications

User Friendliness

Installation

The product is shipped on unprotected diskettes. The distribution files appear to be self-extracting archives. The security risks involved in this practice have been discussed extensively on VIRUS-L.

The installation process is quick, clear and well thought out. The program is well prompted, and will install "from" anywhere "to" anywhere. The only change made to system files is the addition of one line to the AUTOEXEC.BAT. This change is optional, and can be made automatically at a later date. The implications of not allowing the program to make the change are clearly stated.
Changes made to the system often wait for the next "reboot" to become effective.

Adding files to the virus checking list requires that the user know the names of program or susceptible files on the system. Addition of files after installation is easy enough with a text editor, but must be done manually.

Ease of use

The program is extremely easy to use, with menus, mouse support and context sensitive help. Virus protection is a bit hard to find, being "buried" under the "general" menu. For those used to more "active" antiviral systems, it will appear quite passive.

Help systems

Help is available for all menus, screens and fields, as well as a "searchable" index.

Compatibility

As is appropriate for a "system information" package, the program does not appear to conflict with any hardware tested. In terms of virus protection, the program appears only to check for file infecting viri at boot time. Boot sectors and memory are not checked.

Company Stability

Ashton-Tate is well established.

Company Support

Support is provided for a number of products, and a standard "Support and Services Guide" is included with all Ashton-Tate products. Unfortunately, support for Control Room itself seems quite limited.

Documentation

The documentation is very brief, and not particularly clear in regard to the operation of the program.

Hardware Requirements

384K minimum, DOS 3.x or higher and at least two drives.

Performance

Virus detection is limited to file "image" checking at boot time. This would appear to limit detection to file infectors. Since the check is run at boot time, it may catch "stealth" infectors which have not yet been invoked. However, the check is run at the beginning (by default) of the AUTOEXEC.BAT, and so may be affected by programs run in the CONFIG.SYS, or by an infection of COMMAND.COM. Boot sector infectors are not detected.
The fact that the check is run at boot time makes its operation automatic, but the lack of opportunity to run at other times limits the possibility of checking "suspect" programs, or of catching an infection before it has spread too far.

Since the detection is limited to file image changes, it will "trigger" on programs which make changes to themselves, such as WordPerfect, Muse or SETVER. The alert that is given, when a change is found, is quite mild, and offers the option to "recertify" the file. It is very similar to the notice that a new file has been added to the list.

Local Support

Ashton-Tate maintains offices in most major centres.

Support Requirements

Since the virus protection is only detection, removal of the virus will require expert intervention. (It should be noted that the program does have a "Wipe Out" file overwrite deletion capability.)

General Notes

Control Room is not intended primarily as an antiviral package, and is reviewed for completeness' sake because of its virus protection claims. Personally, as one involved in technical support, I wish all my clients had it, so as to be able to answer my questions about the state of their machinery!

copyright Robert M. Slade, 1991   PCCTRLRM.RVW   910910

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     CyberStore               | turn it on."
User              (Datapac 3020 8530 1030) | Richards' 2d Law
Security          Canada V7K 2G6           | of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 172]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
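A way to see why the fixed hiding place described in the "Boot variations" column above is harmless on a 360K disk but destructive on higher-density ones, as an added example that is not part of the column or of the digest: it lays out the FAT12 system areas from the DOS parameter block and reports which area a given cylinder/head/sector address falls in. The floppy address used (cylinder 0, head 1, sector 3) is the one published analyses give for Stoned and is assumed here, as are the parameter-table values for the four formats.

```python
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Bpb:
    """Subset of the DOS BIOS Parameter Block needed to lay out a FAT12 floppy."""
    name: str
    bytes_per_sector: int
    reserved_sectors: int
    fat_count: int
    root_entries: int
    sectors_per_fat: int
    sectors_per_track: int
    heads: int

# Standard PC floppy formats; values constructed from the usual DOS parameter tables (assumed).
FLOPPIES = [
    Bpb("360K", 512, 1, 2, 112, 2, 9, 2),
    Bpb("720K", 512, 1, 2, 112, 3, 9, 2),
    Bpb("1.2M", 512, 1, 2, 224, 7, 15, 2),
    Bpb("1.44M", 512, 1, 2, 224, 9, 18, 2),
]

def chs_to_lba(bpb, cylinder, head, sector):
    """BIOS cylinder/head/sector (sector is 1-based) -> logical sector number."""
    return (cylinder * bpb.heads + head) * bpb.sectors_per_track + (sector - 1)

def classify(bpb, lba):
    """Name the area a logical sector belongs to; for the root directory, also the entry range it holds."""
    fat_start = bpb.reserved_sectors
    root_start = fat_start + bpb.fat_count * bpb.sectors_per_fat
    root_sectors = math.ceil(bpb.root_entries * 32 / bpb.bytes_per_sector)
    data_start = root_start + root_sectors
    if lba < fat_start:
        return ("reserved/boot", None)
    if lba < root_start:
        return ("FAT", None)
    if lba < data_start:
        per_sector = bpb.bytes_per_sector // 32  # 32-byte directory entries
        first = (lba - root_start) * per_sector
        return ("root directory", (first, first + per_sector - 1))
    return ("data", None)

def hiding_place(bpb, cylinder=0, head=1, sector=3):
    """Where a boot sector parked at the given CHS address lands on this format.
    The default address is the one published analyses give for Stoned on floppies (assumed)."""
    lba = chs_to_lba(bpb, cylinder, head, sector)
    return (lba,) + classify(bpb, lba)

print([(f.name, hiding_place(f)) for f in FLOPPIES])
```

On the 360K format the sector holds the last block of root directory entries, which only get used once the disk is nearly full of files; on the 1.2M and 1.44M formats the same address lands on an early, actively used part of the directory, so parking a boot sector there clobbers live entries.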