VIRUS-L Digest Wednesday, 16 Oct 1991 Volume 4 : Issue 192 Today's Topics: Dr. Fred's Contest Re: disable ctrl/break? (PC) Re: SF Worms/Viruses (Re: HW not a solution) Re: SF Worms/Viruses (Re: HW not a solution) Generalized opinion question about Mac/IBM arrangement DIR II virus and DOS 3.31 (PC) Counter-Measures re: Interesting? Joshi has struck.... (PC) An anti-virus patent Need help with Form (PC) BGS-9 Amiga file virus (Amiga) Hardware defenses scanner for all files (PC) Re: Experiences with hardware protection (Thunderbyte) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 15 Oct 91 11:02:27 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Dr. Fred's Contest >From: Joe McMahon >On Fri, 11 Oct 1991 09:27:47 EDT Padgett Peterson wrote: >>The major diversion occurs if the LOGIN script determines that the >>required management safeguards are NOT in place on the client >>requesting connection and the script then gives the client the choice >>of having the software (which includes a mix of TSRs and replacement >>MBR and boot records) installed on his/her machine or being denied >>access. >The problem is guaranteeing that the program which is saying "I'm >going to mess with your data now" is really the maintenance program >and not something that will kill every machine on the LAN. >Most users will just say "OK" if the prompt to "fix" things looks OK. >How else do they check it? First this is a technical problem (solvable) & there are several choices: 1) allow the server script to proceed. 2) call the administrator first (number should be in message) to verify what is going on. 3) allow the login to abort and call a tech to perform the installation. 4) provide some means of electronic authentication. 5) forget using the server (spackle). See, the user has a choice - real viruses won't ask. However the question is really one of "can you trust the system administrator to do his/her job properly". The correct answer is "you gotta trust somebody" and dates back before the first Christmas. Since the technique is the same as we have been using successfully on mainframes for years, it does have a good track record (or do you check the SYLOGIN.COM each time you login to a VAX ?) Padgett ps there seems to be some confusion about ProgramDisk and DataDisk - on my Tandon laptop & office Zenith they are two partitions on a single drive. On my home "conglomeration" they are two different drives. It doesn't really matter (could be more too e.g. DevelopmentDisk, UnixDisk, etc all with different permissions/restrictions). ------------------------------ Date: Tue, 15 Oct 91 14:53:35 +0000 >From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: disable ctrl/break? (PC) VIRUS-L@mail.crk.umn.edu writes: >Our lab machines run a virus check at boot and are SUPPOSED to hang if >a virus is found. Unfortunately, our instructors have been saving >time by teaching the students to press Ctrl/Break at boot in order to >skip the test. The result is of course that the lab machines are all >infected. Can this (ctrl/break) be disabled? Yes, put: BREAK=OFF in your config.sys files, preferrably as the first line. Then, explain to the instructors that they can be held personally liable for the expense of cleaning up the systems if they make any further attempts to bypass the virus checking. This behavior is akin to teaching students that they can cut a hole in a fence rather than walking a few extra steps to a gate. At the very least, write them a nasty memo and copy it to their department head. - -- Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or My opinions, not theirs. SCI Systems, Inc. gary@sci34hub.sci.com Become a pheresis donor. Loan your blood to the Red Cross for a couple of hours. They, and cancer patients, will appreciate it. ------------------------------ Date: Tue, 15 Oct 91 14:33:30 +0000 >From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: SF Worms/Viruses (Re: HW not a solution) smith@sctc.com (Rick Smith) writes: |jay@markv.com (Jay Skeer) writes: |>P.P.S. I got the idea of a computer virus from an old S.F. book. In |>the book they actually describe a worm (and called it that) ... |There's Gerrold's "When Harlie was One" which dates at least to the |early 70s. There's "Adolescence of P1" (a Morris-like worm) which I |read in the mid-late 70s, but I don't remember the author. |I've heard people refer to "Shockwave Rider" as a classic example |of worm/virus SF though I've never read it and don't remember the |author's name. "Shockwave Rider" is by John Brunner. I have it and "The Adolescence of P1" at home; I'll check on it. I don't know if I would quite classify "P1" as a virus; more of a haywire AI project. "Shockwave" describes the construction and release of worms into a worldwide network as a common practice, used for everything from fraud to revenge, and is probably the book Jay is thinking of. - -- Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or My opinions, not theirs. SCI Systems, Inc. gary@sci34hub.sci.com Become a pheresis donor. Loan your blood to the Red Cross for a couple of hours. They, and cancer patients, will appreciate it. ------------------------------ Date: 13 Oct 91 21:18:41 +0000 >From: "Kent.Dalton" Subject: Re: SF Worms/Viruses (Re: HW not a solution) >>>>> On 8 Oct 91 20:01:21 GMT, smith@sctc.com (Rick Smith) said: >P.P.S. I got the idea of a computer virus from an old S.F. book. In >the book they actually describe a worm (and called it that) ... >.... This was in 1983 or 4. >Does any one know the name of that book, or of an earlyer reference to >computer viruses? Rick> There's Gerrold's "When Harlie was One" which dates at least to the Rick> early 70s. There's "Adolescence of P1" (a Morris-like worm) which I Rick> read in the mid-late 70s, but I don't remember the author. Rick> I've heard people refer to "Shockwave Rider" as a classic example Rick> of worm/virus SF though I've never read it and don't remember the Rick> author's name. Rick> Rick. Rick> smith@sctc.com Arden Hills, Minnesota John Brunner wrote "Shockwave Rider" it was published in 1975. He called them "Tapeworms" as I remember. It has often been cited as a precursor to the Cyberpunk SF Subgenre. Actually, now that I think of it, I read an article about the Robert Morris Internet worm case where the book was mentioned several times. For those interested checking it out: ISBN: 0-345-24853-8-150 Library of Congress Catalog Card Number: 74-23861 - -- /**************************************************************************/ /* Kent Dalton * EMail: Kent.Dalton@FtCollins.NCR.COM */ /* NCR Microelectronics * CIS: 72320,3306 */ /* 2001 Danfield Ct. MS470A * */ /* Fort Collins, Colorado 80525 * (303) 223-5100 X-319 */ /**************************************************************************/ Fortune: An effective way to deal with predators is to taste terrible. ------------------------------ Date: Tue, 15 Oct 91 15:04:00 -0400 >From: Subject: Generalized opinion question about Mac/IBM arrangement Just out of curiosity (and please forgive me if this has already been discussed, I was off the list for the summer) what does everyone think the arrangement between Apple and IBM will do to the propogation of viruses? Will there be more of them, or will new machines be infected with the same old viruses once they get around to offering their joint OS (Okay...I realize it'll be some time before we see this, but I'm being really, really optimistic.) Melissa Jehnings Student Manager | Treasurer Academic Computing Center | Computer Users' Group Wheaton College Norton, MA BITNET: LISSA@WHEATNMA WUG@WHEATNMA "Men go crazy in congregations/ They only get better one by one." ---Sting, "All This Time" ------------------------------ Date: Tue, 15 Oct 91 18:30:32 +0300 >From: grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) Subject: DIR II virus and DOS 3.31 (PC) There was a PC here running COMPAQ DOS 3.31 with 40Mb hard disk in a single partition C:. It began to "hang" during bootstrap. During investigation was found that the PC was infected with DIR II virus. All affected .EXE and .COM (COMMAND.COM as well) were cross-linked to the last cluster marked as FFFEH. But there was NO the virus body in this cluster! The virus body was found in sectors 65535-65536 (hex FFFFH-10000H) instead. An additional analysis of the DIR II code revealed that this is a bug in the virus. When the virus forms a driver request to write its body to disk it uses request headers formats correct for DOS versions previous to 3.31 and for DOS 4.0+. BUT COMPAQ DOS 3.31 USES DIFFERENT REQUEST HEADER LAYOUT! This leads to the virus body being written to sectors 65535-65536 (FFFFH-10000H) instead of the last cluster. If any file occupies these sectors - it'll be corrupted. It is still possible to recover affected files if these sectors were not overwritten which is possible since the virus doesn't protect them being sure it resides in the last cluster. All DIR II disinfectors are to be changed to detect the above case. - -- Sincerely, Dmitry O. Gryaznov | PSI AS USSR grdo@botik.yaroslavl.su or grdo1@node.ias.msk.su | Pereslavl-Zalessky Phones: office: (08535)-2-0715 home:(08535)-2-1465| 152140 USSR ------------------------------ Date: Tue, 15 Oct 91 16:27:26 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Counter-Measures >From: turtle@darkside.com (Fred Waller) Fred is an intelligent and thought provoking individual who is not afraid to state his convictions. However, his conclusion is fallacious. The wonderful part is that this has lead to what may be a real-world solution for the large-site, large network problem that is driving managers up the wall. Read on. Vendors take notes. > From (Waller's) Pecking-order Metaphysics, one readily derives the > Waller Principle: > "If You Really Want to Stop a Software Virus, Stop > it with Hardware". > and the Waller Afterthought: > "Anything Else is Probably a Waste of Time and Effort, and > May Actually Be Counterproductive". I have a real problem with this one since I firmly believe that a "good-enough" (quantum economics) software anti-viral solution is not only possible but much less complex than a hardware solution that does anything more than select which drive to boot from (and several BIOSes will do this for you - in fact this may be the only "hardware" needed). While hardware will work, even a "best case" retrofit would involve either a new BIOS (standard ones seem to be in the U$70.00 range each) or a card (maybe as low as U$25.00 but the cheapest I've seen in Computer Shopper was U$50.00 + a slot) and the real "cost" is likely to be in the setup. On the other hand, my technology demonstrator, DiskSecure, can install in less than 30 seconds, works with MFM, RLL, IDE, and SCSI drives (haven't tried an EDSI drive) and provides for even faster recovery in case of a misteak. Also "economys of scale" work much more favorably for software than hardware: the delta cost of acquisition is essentially zero for a site or server license. More importantly, as pointed out with respect to Dr. Fred's contest, update/installation could even be performed automatically on a network that would also serve as a repository for the recovery information. (do I sense a glimmer of what might be a "true solution" for large networked sites ? - obviously impossible with hardware - might be a paper in this). > Why not just send Spafford to a remote (but tropical) island > instead? His rounded figure will get a suntan that should go well > with the beard... :-) It's called Florida (see Gene's secondary address) & no place is remote any more (just look at the other V-L return addresses). I'm beginning to think that New Zealand is just off South Carolina. > .... and we're back in the forties. Never left the sixties myself, just ask my wife 8*) > Of course it's easier to infect MS DOS systems (Can many users > write to a mainframe executable or system file?). But another (not > minor) consideration is that there are some 60 million MS DOS PCs > out there. That's a market. Both viruses and antiviruses must > perceive that fact. It's likely to be a main motivator. > In both cases. Partly true - it is harder to write a proper master boot record (and requires some tweaking of MASM) for a PC than to create a file infector using VMS FORTRAN. Getting permission to infect the file is, of course, another matter. However, few people have a VAX in their den closet, and, while I actually wrote a working VMS device driver once, I never want to do it again. However, even VMS has had more "compatability" changes than MS-DOS: Just a few years ago, new releases required recompiled code as the run-time library would change and even more recently uVAX VMS was merged with "real" VMS so that executables for one would run on the other. Just to avoid bashing DEC alone, I'll say that EBCDIC is not really encryption. However the important point of this posting was about a screen and a half ago (I keep trying to forget JCL). Given proper site licensed software designed with the network in mind, we are ready for a quantum leap in defense from malicious software. Everything is here already, it is just a matter of doing it. Consider the following: (already mentioned to John and Roger) major anti-viral software and disk protection software is maintained on server. One stop updates as new releases occur. When client logs in server (in login script) authenticates presence of anti-viral/access control software on client (Tim can tell you that this works - nothing blue-sky here). If not found, server prompts client for permission to install software - if refused, connection is terminated. Next, server checks for client having latest version of software, if not, client is again prompted for permission to update if necessary. (PRODIGY (sm) is said to do this without prompting on connection). Following update, server and client handshake to verify that all systems are GO & normal login procedures follow. Would you believe update of 5000 clients in a 1 hour period is possible ? (Have you seen how fast the Jerusalem can spread in an unprotected system ?) Would you believe that even in the unlikely case of infection (resident systems remember), it would be caught almost immediately ? Would you believe that nasty software would have to subvert the server first or be caught quickly (and we have trained people whose job is to watch for that - 1 per thousand PCs is about right) ? Sure there are RISKS (hello Peter), but technical ones and solutions are possible. Think about it. Padgett Now if I can just find a way around the IRQ-5 conflict between LPT2 and my FAX board when the zero-slot LAN is established in my den closet... ------------------------------ Date: 15 Oct 91 17:02:56 -0400 >From: "David.M.Chess" Subject: re: Interesting? > From: turtle@darkside.com (Fred Waller) > But if one is a practically-oriented person who seeks to solve > problems on a day-to-day basis, the statement may seem very > attractive and interesting. The reason is simple: hardware > protection DOES stop viruses. In reality. > The fact is, it has done that. In practice. Well, it does stop viruses in your test, which was running known viruses (ones not designed with your machine in mind), in a test situation. It remains to be seen to what extent it can do it in more day-to-day practice. I'd like to see, for instance, a large group of users somewhere (a department at a typical business or university, or a PC User Group, say) try out the approach, and see if it was both livable-with and effective against actual viruses in daily use. It might very well be! I think it'd be a very interesting experiment. I was just pointing out that the experiment hasn't been done yet, and that your test wasn't really proof of anything in particular (any number of software anti-virus solutions would have passed the same test, after all). I'm definitely interested in solving problems on a day-to-day basis (as well as in the long run). If your approach turns out to do that, and yet leave the machine easy enough to use for users to accept it, that'd be Really Good News! > But doesn't the same reasoning apply to software protection? Users > can defeat both hardware protection and software protection just as > easily. Yep. That was really my main point: although they sound very different, software and hardware have similar vulnerabilities and tradeoffs. Either one must be used in a real life setting to see whether it's cost-effective. The Test of the Marketplace, if you will... DC ------------------------------ Date: Tue, 15 Oct 91 21:32:31 +0000 >From: consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler) Subject: Joshi has struck.... (PC) A friend of mine here at school has managed to infect every one of his bootable disks, including his hard drive, and a whole bunch of his friends' computers with the Joshi virus. I've tried using both F2 and CLEANv82 to get rid of the virus (after booting from a clean system) to no avail. Can somebody please send me (via EMail) a sure-fire way of eradicating Joshi? We'd really rather not have to format a couple of 40-MB hard drives. +----------------------------------------------------------------------+ | /// BRETT KESSLER consp11@bingvaxu.cc.binghamton.edu | | /// Senior Computer Consultant, State Univ. of NY at Binghamton | | \\\/// | | \XX/ "Sometimes a cigar is just a cigar." -- Sigmund Freud | +----------------------------------------------------------------------+ ------------------------------ Date: 15 Oct 91 17:15:26 -0400 >From: "David.M.Chess" Subject: An anti-virus patent I've just run across an interesting U.S. patent. It's number 4,975,950, granted to Stephen A. Lentz, entitled "System and Method of Protecting Integrity of Computer Data and Software". The filing date is November 3, 1988. It basically patents the idea of having a virus-checker get control before the operating system, and not allowing boot if it finds a virus. One sample PC implementation is code in an additional ROM module (on a "virus protector board") that would get control during boot (like the hard disk BIOS, the EGA BIOS, and so on), and load and test "the system files" (not clear if he means the boot records, or things like IBMBIO, IBMDOS, COMMAND.COM), and not allow boot if a virus was found (how it tells isn't spelled out). This is just one sample implementation; the actual claims are quite broad, and seem to cover anything that gets control between the "program for controlling said central processing unit" and the "program for interfacing said storage memory with said system", by which he presumably means ROM-like things and operating-system-like things. Has anyone else seen this patent? The date (November, 1988) seems rather late to me. Is it really the case that no one had published that idea before then? (It doesn't count if someone just *used* the idea, of course; it has to have been published somewhere, if only in the documentation of something that uses it.) Gee, we're slow! *8) DC ------------------------------ Date: Tue, 15 Oct 91 17:41:00 -0400 >From: B0G46426%CCNYVME.BITNET@vma.cc.cmu.edu Subject: Need help with Form (PC) Greeting. Can anybody out there help me with this problem ? I have an 486 machine with 2 hard drivers. Yesterday when I used scan80 to check my system, the program reported the viruse 'form' appeared on my "C" driver's partition. I tried to remove the viruse with 'clean', which came with the scan, but it said it could not remove it. Then I used the Norton Utility to check the disk, it reported there is a byte in either the boot sector or the partition table, I forgot which one, was set incorrect. I have some important datas on the disks, and I don't have the latest backup. Can anyone tell me what happened to my disks,and how to clear the viruse without formating the disks ? In case I have to format the disks, how do I backup datas from the drivers without taking the viruse with the datas. Thankyou for any help in advance Venmoon Soo B0G46426@CCNYVME or VESCC@CUNYVM ------------------------------ Date: Wed, 16 Oct 91 01:52:39 +0000 >From: pdt@mundil.cs.mu.OZ.AU (Peter David THOMPSON) Subject: BGS-9 Amiga file virus (Amiga) The BGS-9 is a file virus in the Amiga. It's infection routine is as follows; 1) Open startup-sequence, and find the first executable file. 2) Rename that file to "devs:__________" where _ is character $A0 (number of them is not necessarily the same as posted here). 3) Copy itself into the place of that executable. Protection measures: 1) Keep your boot disk write protected. If on a hard drive, use the LOCK command. This is the best protection measure to take if using new or suspect software. 2) Run a virus checker (Nic Wilson's NoVirus or Jonathon Potter's ZeroVirus) every so often. 3) Use one of the BGS protection programs, which create a zero-length file in the DEVS: directory of the name referred to above so that the rename fails. NOTE: This may cause some virus checkers to describe your disk as infected. I hope that you find this information useful. All followups via email - I don't read this group. /******************************Disclaimer********************************* ** My opinion(s) are wholly my own (No-one else wants them) and is(are) ** ** independant of any part of the University of Melbourne, Australia. ** ******* Followups to pdt@mundil.cs.mu.OZ.AU; flames to /dev/null. *******/ NOTE: This sentence does not in fact have the property it claims it lacks. ------------------------------ Date: 15 Oct 91 22:31:07 -0400 >From: BARNOLD@YKTVMH.BITNET Subject: Hardware defenses Regarding Fred Waller's pecking order, one often neglected consideration is that the levels in the pecking order communicate (in some sense) with each other. For instance, if protection hardware can be disabled by the operator, a virus can tell the operator to disable the protection hardware, and some fraction of the operators will obey. Bill Arnold barnold@watson.ibm.com ------------------------------ Date: Tue, 15 Oct 91 23:14:00 -0400 >From: Bob Babcock Subject: scanner for all files (PC) Recently I corrupted some files on my hard disk, not by a virus infection but by changing my QEMM setup and crashing while downloading in the background. The end result was a few corrupted files with unchanged time stamps, and maybe a few more such files that I haven't found yet. What I would like for future use is a checksumming program which would look at all files on my hard disk and tell me which ones have changed without the time stamp changing. Will any of the anti-virus programs do this? The closest I've found is one which only looks at executable files. ------------------------------ Date: 16 Oct 91 08:15:14 +0000 >From: harry@gem.stack.urc.tue.nl (Harry Stox) Subject: Re: Experiences with hardware protection (Thunderbyte) kirchner@uklirb.informatik.uni-kl.de (Reinhard Kirchner) writes: >I got produkt information about a hardware virus protector called >'Thunderbyte' which intercepts all mysterious writings to the disk, e.g. >absolute ( not through dos ), writing to exe/com files etc. > >So I want to ask: Is there any experience with such devices, thunderbyte >or others ? Is it worth the money ? Although personally I don't have any experiences with the Thunderbyte hardware, my guess is that is is unusable with modern IDE or SCSI drives, since the hardware is placed between your MFM/RLL controller and your harddisk. The idea behind Thunderbyte resembles that of FluShot, with the exception that instead of in software, the locking of the hard disk is now done in hardware. Given the abominable quality of the TBScan software, which stems from the same company, I personally wouldn't trust the software which controls their hardware lock. If you want to protect your ST506-based harddisk, a simple switch in the write enable logic is far more cheaper and - at least in my opinion - as effective as the Thunderbyte system. - -Harry ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 192] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253