VIRUS-L Digest   Tuesday, 15 Oct 1991    Volume 4 : Issue 189

Today's Topics:

    re: Dr. Fred's Contest
    Norton Antivirus 1.5 + 707 virus (PC)
    Virus on Mac (Mac)
    Multiple Anti-viral approaches
    Re: Need help with Empire virus (PC)
    RE: Books on Viruses
    Re: Hardware not solution
    Re: Books on viruses?
    Re: Books on viruses?
    Re: DIR II (Cluster) Virus (PC)
    Partition viruses?? (PC)
    Re: Hardware
    Misc. information (PC and other)
    New files on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 11 Oct 91 10:23:59 -0400
From: Joe McMahon
Subject: re: Dr. Fred's Contest

On Fri, 11 Oct 1991 09:27:47 EDT Padgett Peterson wrote:

>The major diversion occurs if the LOGIN script determines that the
>required management safeguards are NOT in place on the client
>requesting connection and the script then gives the client the choice
>of having the software (which includes a mix of TSRs and replacement
>MBR and boot records) installed on his/her machine or being denied
>access. If the INSTALL option is selected, does the subsequent action
>fulfill the requirements of a "virus" ? e.g. propagation to a platform
>that was not known at the time the program "set" (executables and
>script files) was installed.
The problem is guaranteeing that the program which is saying "I'm
going to mess with your data now" is really the maintenance program
and not something that will kill every machine on the LAN. Most users
will just say "OK" if the prompt to "fix" things looks OK. How else do
they check it?

--- Joe M.

------------------------------

Date: Fri, 11 Oct 91 14:54:01 +0000
From: edc242u@monu6.cc.monash.edu.au (n. michelis)
Subject: Norton Antivirus 1.5 + 707 virus (PC)

I downloaded the latest Norton Antivirus 1.5 virus definitions from
Symantec Australia today. The definition was dated 10-10-91
(15all04.def). Anyway, it gave me a warning while loading the new
definitions that the definition for 707 (virus) requires Norton
Antivirus version 1.5.3. The same message was given for the Sentinel
virus.

When I went to scan the hard disk after running this installation I
found that I had the "Z, Zero" viruses in memory and that I had the
707 virus when NAV began scanning the files.

When I go and install the original NAV 1.5 disks I have no problems.
I also have no problems using the 15all04.def definition file.

What I want to know, seeing that I am in Australia, is what the latest
version of Norton Antivirus is and if anyone else has had any problems
installing the definition file "15all04.def".

P.S. I ran scanv82 from McAfee and this didn't report any viruses.
Also, what is this 707 virus NAV has created a definition for?
Scanv82 doesn't scan for this under that name.

I would really appreciate any comments as I don't know if I am getting
a false alarm from NAV due to an old version or if I really do have a
memory resident virus on my computer.

Nick Michelis
Monash University
Caulfield Campus
Melbourne
Australia.

------------------------------

Date: 11 Oct 91 16:32:52 +0000
From: baudon@nestor.Greco-Prog.fr (Olivier BAUDON)
Subject: Virus on Mac (Mac)

We have found a new virus. The message given is 'Don't Panic', given
by virus-check 1.2.
We don't remember ever having installed this INIT. (We use SAM
Intercept.) The virus is on an internal hard disk and it's now
impossible to boot the Mac from a protected/not protected floppy or
external hard disk.

If someone knows something about this, please help us.

Thanks in advance

*--------------------------------------*--------------------------------------*
| Olivier BAUDON                       |                                      |
| Laboratoire Bordelais de Recherche   | phone  : 33 - 56 84 69 21            |
| en Informatique                      | fax    : 33 - 56 84 66 69            |
| Universite Bordeaux I                | e-mail : baudon@geocub.greco-prog.fr |
| 351, Cours de la Liberation          |                                      |
| F-33405 TALENCE Cedex, FRANCE        |                                      |
*--------------------------------------*--------------------------------------*

------------------------------

Date: Fri, 11 Oct 91 11:34:16 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Multiple Anti-viral approaches

I wrote:

> > Now if everyone used DiskSecure, virus writers could just
> > target it, however if MicroSoft, Norton, Mace, Central Point,
> > Digital Research, and all the others came out with similar but
> > different software, and AMI, Phoenix, Award, and Tandon each
> > had a different BIOS implementation a generic virus becomes
> > so difficult to write and would have to be so big to handle all
> > of the cases the it would become uneconomical...

>From: turtle@darkside.com (Fred Waller)

> Yes, a single virus would be unwieldy. But should we expect that?
> Shouldn't we rather expect the prompt appearance of many viruses,
> each one capable of attacking one of those systems? The net result
> would be similar to having one virus capable of attacking all of them.
> Worse actually, since it would require many times the effort to guard
> against.

No, not at all. Since each time a "specific" virus ran up against one
of the other approaches, it would be detected, possibly as "DiskSecure
Specific Attack Attempt" by NAV.
Given that ALL approaches are in the minority, such a specific virus
would not spread very far. Only a virus able to attack a significant
number of the different systems would have a chance in the Macro (and
why I prefer a layered defense).

Given an installation/network using a single approach, something
targeting THAT installation would be possible (and we have seen a few
of these), but again would probably not spread very far and would be
almost certainly an "inside" job.

> All our experience shows us that devising virus-specific defenses,
> or `distributing' defenses in the hope of diluting the effort of
> virus authors, is ineffective. It only causes proliferation of new
> `species'. We can't outwrite them. This is one reason why scanners
> are bad, and this is also why every other taxon-specific approach
> is bad.

> If any proof is needed, just look at the field. We have more
> antivirus utilities than ever. There are more defense variations
> than ever. There are also more viruses than ever. They infect more
> machines than ever.

Major disagreement. It is easier to protect a single platform with a
"mission-adaptive" approach loaded first than it is to subvert one.
The hard part is making it "user-transparent" unless a valid exception
occurs and permitting the user to make his/her own exceptions when
needed.

The only reason that viruses have been so successful is that the bulk
of the 50 (or is it 70) million PCs have NO defenses. Protected PCs
are still in the minority (but increasing).

Padgett

------------------------------

Date: Fri, 11 Oct 91 10:56:50 -0600
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: Need help with Empire virus (PC)

kees@ee.ualberta.ca (Kees denHartigh) writes:

>I have been attacked by the Empire virus. Both fprot and scan detected
>the virus in the boot sector of both my hard drives. fprot was unable
>to remove the virus from the boot sector but clean82 reported successfully
>removing it.
>The problems the Empire virus originally caused seem to have
>disappeared, however fprot200 still reports the virus in the boot sector
>of both drives. I backed up my D drive, ensuring that the virus was not
>infecting any backed up files, and reformatted the drive and restored, and
>still fprot200 reports the Empire in the boot sector of the reformatted
>drive. Is it really there, or is fprot200 lying to me? Scan82 detects no
>viruses after clean82. Does anyone have any ideas?

It sounds to me like a ghosting problem. I know that if a partition
record is rebuilt by repairing only the executable code of the sector,
leaving "dead" parts of the Empire code in place, then FPROT will see
these and identify the Empire virus as being present. It seems the
scan string Frisk uses is found in this later part of the virus. We
saw this effect when rebuilding partition records using "Norton disk
doctor".

I suspect that Scan82 simply rebuilds the MBR by rewriting the
executable code into place, leaving the partition table data portion
-- and a dead part of the virus code -- in place.

I hope to check this out when I get in touch with Kees. (Shouldn't
take long: Elect. Eng. is actually closer than my usual morning coffee
stop!)

-------------------------------------------------------------
Tim Martin                 *
Soil Science               *  These opinions are my own:
University of Alberta      *  My employer has none!
martin@cs.ualberta.ca      *
-------------------------------------------------------------

------------------------------

Date: Fri, 11 Oct 91 12:15:00 -0500
From:
Subject: RE: Books on Viruses

Joseph:

There will be a new book appearing in the next few weeks that I
believe is just what you are looking for. It will be published by the
National Computer Security Association and be titled "Computer
Viruses: An Executive's Guide". Call the NCSA at 717-258-1816 for more
info...
Charles

------------------------------

Date: Fri, 11 Oct 91 16:38:30 -0400
From: Yary Richard Phillip Hluchan
Subject: Re: Hardware not solution

]From: turtle@darkside.com (Fred Waller)
]
]                    Fred's Virus-Resistant Machine
]                    ------------------------------
]
]Fred's Virus-Resistant Machine also had two disk drives, a "program"
]disk and a "data" disk. It, too, had a _small_ switch (not red),
]labeled: "Install/Run".
]
]  (Notice that unlike Jay's Machine, Fred's machine was not Virus-
]  Proof but only Virus-Resistant. Is Fred more modest in his goals
]  than Jay...? He also added some few extra touches that Jay
]  didn't think of, and his switch was rather smallish, and not red).
.....
]  While sleeping thus, he tried Boot infectors and he tried executable
]  infectors. He tried stealth viruses and candid ones, viruses that
]  self-encrypt and mutate and he tried others that do none of those
]  things. He even intentionally allowed viruses on the `program'
]  disk, but kept the little switch in its safe position. He had TSR
]  viruses, and transient viruses, big ones, little ones, American,
]  Israeli and Bulgarian, "wild" and "research" viruses, smart and
]  dumb ones... he tried them all.
]
]  In this way, while Jay decided that his machine couldn't possibly
]  work, Fred discovered that his machine (which wasn't virus-proof,
]  but only virus-resistant) *did* work, and extremely well. None of
]  his favorite viruses (hundreds of them, my goodness!) succeeded in
]  infecting it.

In other words, you built one computer and ran viruses designed for a
completely different computer. If Fred Waller's Virus-Resistant
machine became widely available, all viruses that infect .COM, .EXE,
etc files would become obsolete, granted. But about six months after
we all upgraded to the protected-disk scheme we'd start seeing the
spreadsheet / .BAT / terminal viruses...
]While viruses are programs they do things that programs should not do
]except in special (and trackable) cases: one of these is to attempt to
]write to executable programs, another is to go resident (at least
]successful viruses do). Both of these are detectable and flaggable.
](The flagging is where many early programs failed since it was not
]selective. BYPASS makes it selective.)

A "new" virus would write to a shell / macro / etc. data file, and
would execute from within some third-party software other than the
operating system. Hardware is a help, but not the answer.

I don't think there is an answer. Follow mom's advice: "Just be
careful out there."

------------------------------

Date: 11 Oct 91 22:06:58 +0000
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Books on viruses?

To get an overview of computer viruses and related beasties, the two
best books are without doubt:

"Computers Under Attack: Intruders, Worms, and Viruses" edited by
Peter J. Denning and published by ACM Press/Addison-Wesley (1990)

"Rogue Programs: Viruses, Worms, and Trojan Horses" edited by Lance
Hoffman and published by Van Nostrand Reinhold (1990).

Both books present material from many different sources, covering a
full range of theory, practice, law, defenses, etc. They are also
significant because they look at a somewhat broader perspective than
just viruses, and neither editor is involved in the sale or marketing
of antivirus technology or classes. Both are scholarly compilations.

- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398
Internet: spaf@cs.purdue.edu   phone: (317) 494-7825

------------------------------

Date: Fri, 11 Oct 91 15:54:59 -0600
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: Books on viruses?

JAC6@ns.cc.lehigh.edu (Joseph Costanzo) writes:

>Surely there must have been a good book published recently about
>viruses - the basics.
>I really don't know much about them, but would ..
>Anyway, to protect my system, I'd like to know a bit about viruses:
>how they work, how to protect/defeat them, etc.
>Any suggestions?

I'm not sure about the book market, but there's good stuff on the
Internet. In particular I have been appreciating Rob Slade's
continuing "*.CVP" series of postings. Are these being collected
anywhere? (Ken? Rob?)

-------------------------------------------------------------
Tim Martin                 *
Soil Science               *  These opinions are my own:
University of Alberta      *  My employer has none!
martin@cs.ualberta.ca      *
-------------------------------------------------------------

------------------------------

Date: Fri, 11 Oct 91 15:46:20 -0600
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: DIR II (Cluster) Virus (PC)

vail@tegra.com (Johnathan Vail) writes:

>My claim is that DIR 2 can legitimately be called a virus since it is
>logically still part of another program and relies on a host program
>being run in order to get an execution thread.

Logically, isn't DIR 2 a "Dynamically linked library"?

Hmmm: what to use as a biological analogy? Maybe DIR 2 should be
called a "computer fungus". :) Actually my biologist friends get
upset as it is, with our use of "virus" to refer to computer code!

-------------------------------------------------------------
Tim Martin                 *
Soil Science               *  These opinions are my own:
University of Alberta      *  My employer has none!
martin@cs.ualberta.ca      *
-------------------------------------------------------------

------------------------------

Date: Fri, 11 Oct 91 16:55:57 +0000
From: cs_b152@ux.kingston.ac.uk (Vlod Kalicun.)
Subject: Partition viruses?? (PC)

Hello all,

Can someone please explain the removal of partition viruses? Is there
any way of removing the A-Tel from the partition???

All help will be gratefully appreciated..

Thanks..

Vlod.
cs_b152@ux.kingston.ac.uk

------------------------------

Date: Fri, 11 Oct 91 17:05:00 -0500
From: F8DY@VAX5.CIT.CORNELL.EDU
Subject: Re: Hardware

[on the thread of a virus-resistant computer system]

>
> He forgets that some data-files are also program files (not for the
> cpu but for a program on the program-disk) and a virus written in the
> interpreted language can infect all the other "data" files of this
> interpreter.
>
> Fred said he uses his spreadsheet without worrying, but if I write a
> virus in his spreadsheet language and put it on his machine, then
> after usage all his spreadsheets are infected. If it is a
> destructive virus then I may destroy all his spreadsheets on Friday
> the 13th.
>
> Right, the spreadsheet program itself is still clean, but still he lost
> all his files on this "virus-resistant" computer-system!

Even easier (and possibly more dangerous) would be a virus written in
DBASE. A virus which spread through program files (which would have to
be on the data disk unless you want a static system) could devastate
_all_ your DBASE files (on the data disk), since you have an
extraordinary amount of control over your environment from within the
DBASE programming language.

If Fred Waller believes this could not happen, or that it could happen
but not spread, or that it could spread but not be destructive, he
should e-mail me for further details.

Mark

- --
Mark "mostly harmless" Pilgrim                 ___/_  Here's to the days of hole
f8dy@crnlvax5 -=- f8dy@vax5.cit.cornell.edu    \___/  punchers, joysticks, non-
Disclaimer: My boss disavows this disclaimer.    |    standard RWTS, 4C 00 C6,
"Elephants are kindly but they're dumb." -S&G   _|_   and 8K operating systems.

------------------------------

Date: Fri, 11 Oct 91 11:45:24 -0500
From: James Ford
Subject: Misc. information (PC and other)

On Thursday, October 10th at 3:20pm, a backhoe decided to cut some
fiber-optic cable at a location 60 miles away from the University of
Alabama.
As a result, the domain "ua.edu" (and probably some other sites) was
isolated from the rest of the net. At around 6:30pm(ish), service was
restored.

There are 2 new directories available on risc.ua.edu....

    pub/virus-text/docs
    pub/virus-text/reviews

These directories contain all the information located at
cert.sei.cmu.edu's directories pub/virus-l/docs and
pub/virus-l/docs/reviews.

If you have any questions/suggestions/problems, please drop me a line.

- --------------
Favorite DOS error msg: "Keyboard not found. Strike F1 to continue....."
- --------------
James Ford - Consultant II, Seebeck Computer Center
jford@ua1vm.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa)

- ------------ directory of pub/virus-text/docs -------------
12tricks.txt                 pc.lab.config.mgt.1
aids.tech.info               pc.lab.config.mgt.2
anti.virus.measures          pc_virus_list.ferbrache
bulgarian.factory.ps         pc_virus_list.solomon
bulgarian.factory.tex        six.bytes.padgett
call.for.papers.sigsac       stoned.descript.lawrie
comp.sec.novell.david        tour.crt
eval.txt                     tour.n
fido.rsa                     tour.ps
goodwin.list                 tr823.doc
grad.schools.summary         tr823.ps
ibm.paper                    universal.detector.molini
identify.txt                 vguide.txt
implement.mcafee             virus.kiel
levine.paper                 virus.strategy.whm
mac.guide.shull              virus101.1
mac.guide.shull.hex          virus101.2
mac.list.1                   virus101.3
md4.rsa.paper                virus101.4
mit.ps                       viruses.ussr
net.hormones                 vproinfo.txt

- ---------- directory of pub/virus-text/reviews --------------------
louw.carmel                  mcdonald.viruc               slade.eliminator
mcdonald.avsearch            mcdonald.virucide            slade.fprot
mcdonald.central.point       mcdonald.virus               slade.guidelin
mcdonald.disin               mcdonald.virusafe            slade.guidelines
mcdonald.disinfectant        mcdonald.viruscan            slade.ibm.virscan
mcdonald.flushot             mcdonald.virusdetective      slade.mace
mcdonald.fprot               mcdonald.virx                slade.norton
mcdonald.ibm.anti-virus      slade.advanced.security      slade.scan
mcdonald.index               slade.antiviru               slade.tbscan
mcdonald.norto               slade.antivirus              slade.vendors
mcdonald.norton              slade.av-plus                slade.victor.charlie
mcdonald.sam                 slade.central.point          slade.viraway
mcdonald.seer                slade.certus                 slade.virex-pc
mcdonald.tbscan              slade.cillan                 slade.virucide
mcdonald.virex               slade.contacts               slade.virus-safe
mcdonald.virexmac            slade.control.room           slade.virus.buster
mcdonald.virexpc             slade.disksecure

------------------------------

Date: Sat, 12 Oct 91 13:02:12 -0500
From: James Ford
Subject: New files on risc (PC)

The following files have been placed on risc.ua.edu (130.160.4.7) for
anonymous FTP in the directory pub/ibm-antivirus:

    scanv84.zip  - McAfee's Scan v84
    clean84.zip  - Clean v84
    netscn84.zip - NetScan v84
    vshld84.zip  - Vshield v84
    secur231.zip - Secure v2.31 (by Mark A. Washburn)

If you have any problems, please drop me a line. Older versions of
these programs will be removed.

- ----------
The only alternative to perseverance is failure.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
jford@ua1vm.ua.edu, jford@risc.ua.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 189]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
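Tim Martin's "ghosting" explanation in the Empire thread above (a partition record rebuilt by rewriting only its executable code, with a dead tail of virus bytes left behind where the scan string still matches) can be modelled in a few lines. The script below is an added example, not code from the digest or from any of the scanners or repair tools named in it. The sector layout follows the PC master boot record (446 bytes of code, a 64-byte partition table, the 0x55AA signature), but the loader bytes, the "virus" body, the lengths CLEAN_CODE_LEN and VIRUS_LEN, the scan-string offset and the partition-table bytes are all constructed values, not real Empire, F-PROT or SCAN data.

```python
"""
Model of a "ghost" detection in a partition (MBR) sector: the executable
part has been rebuilt, but stale virus bytes remain further along the
sector, so a scan string taken from the tail of the virus still matches.

All data here is constructed.  The layout mirrors a PC MBR, but the
loader and the "virus body" are deterministic filler, not real code.
"""
SECTOR_SIZE = 512
CODE_AREA_END = 446        # bytes 0..445: boot code (plus padding)
PTABLE_END = 510           # bytes 446..509: partition table
CLEAN_CODE_LEN = 300       # assumed: the clean loader only fills 300 bytes
VIRUS_LEN = 420            # assumed: virus body runs past the clean loader
SIG_OFFSET = 350           # assumed: scan string taken from the virus tail
SIG_LEN = 16


def _filler(seed: int, length: int) -> bytes:
    """Deterministic pseudo-random bytes (LCG); stands in for real code."""
    out = bytearray()
    x = seed & 0xFFFFFFFF
    for _ in range(length):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


CLEAN_CODE = _filler(seed=1, length=CLEAN_CODE_LEN)   # constructed "good" loader
VIRUS_BODY = _filler(seed=2, length=VIRUS_LEN)        # constructed "virus" bytes
PARTITION_TABLE = bytes([0x80, 0x01, 0x01, 0x00, 0x06]) + bytes(59)  # constructed
SIGNATURE = VIRUS_BODY[SIG_OFFSET:SIG_OFFSET + SIG_LEN]  # constructed scan string


def build_clean_mbr() -> bytes:
    """A clean sector: loader, zero padding, partition table, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:CLEAN_CODE_LEN] = CLEAN_CODE
    sector[CODE_AREA_END:PTABLE_END] = PARTITION_TABLE
    sector[PTABLE_END:] = b"\x55\xAA"
    return bytes(sector)


def infect(sector: bytes) -> bytes:
    """The (constructed) virus overwrites the code area, keeps the table."""
    s = bytearray(sector)
    s[:VIRUS_LEN] = VIRUS_BODY
    return bytes(s)


def repair_code_only(sector: bytes) -> bytes:
    """Repair that rewrites just the loader bytes: the suspected behaviour
    in the thread.  The tail of the virus past the loader is left behind."""
    s = bytearray(sector)
    s[:CLEAN_CODE_LEN] = CLEAN_CODE
    return bytes(s)


def repair_whole_code_area(sector: bytes) -> bytes:
    """Repair that zero-fills the whole code area before restoring the loader."""
    s = bytearray(sector)
    s[:CODE_AREA_END] = bytes(CODE_AREA_END)
    s[:CLEAN_CODE_LEN] = CLEAN_CODE
    return bytes(s)


def scan(sector: bytes, signature: bytes = SIGNATURE) -> list:
    """Every offset where the scan string occurs.  A string scanner only
    looks for bytes; it has no notion of whether they can still execute."""
    hits, start = [], 0
    while (i := sector.find(signature, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def classify(sector: bytes) -> str:
    """'clean', 'live' or 'ghost'.  A hit is a ghost when the live loader
    bytes match the known-good image and every hit lies beyond them, i.e.
    the matched bytes are dead residue the boot code never reaches."""
    hits = scan(sector)
    if not hits:
        return "clean"
    loader_ok = sector[:CLEAN_CODE_LEN] == CLEAN_CODE
    if loader_ok and all(h >= CLEAN_CODE_LEN for h in hits):
        return "ghost"
    return "live"


if __name__ == "__main__":
    mbr = build_clean_mbr()
    cases = [("clean", mbr),
             ("infected", infect(mbr)),
             ("code-only repair", repair_code_only(infect(mbr))),
             ("whole-area repair", repair_whole_code_area(infect(mbr)))]
    for label, s in cases:
        print(f"{label:18s} hits={scan(s)} verdict={classify(s)}")
```

The point of the classify check is the one Tim Martin makes: a string match alone does not distinguish a live infection from residue. Before acting on a scanner report for a partition record (Kees reformatted a drive on the strength of one), compare the live loader bytes against a known-good image and see whether the matched bytes are still reachable from the boot entry point; when rebuilding the record, zero-filling the whole code area rather than only the loader leaves no residue for the next scan to find.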