VIRUS-L Digest   Monday, 21 Oct 1991    Volume 4 : Issue 196

Today's Topics:

re: Virus-writing course for teenagers
Disagreement
Thunderbyte
Re: Books on viruses?
Stealth and Mutation Techniques (PC)
Interpreted things
Antiviruses
Leopards
It says so...
Two subjects
Hardware!
Picky!
Thunderbyte (PC) - review available?
SVC 5.0 (PC)
What is CoolCapture? (Amiga)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 18 Oct 91 19:35:44 -0500
From:    Werner Uhrig
Subject: re: Virus-writing course for teenagers

> To co-present the techniques of virus construction with the ethical
> considerations is perhaps the most desirable approach.

then you also believe that giving everyone a gun and a course in ethics (together with the practical training) would have kept the nut in Killeen, Texas (just up the road from here) from shooting all those people earlier this week? (or make the world a safer place, in general?) :-((

> But denial is not the correct manner or civilized way in which the
> problem should be tackled

I think you are making the old mistake of looking at the empty part of a half-full glass ...
there is a difference between (ultimate) denial of information from some who are making an effort to obtain it (because in your judgement you "hold doubts" about the intentions) and no-holds-barred pushing "problematic knowledge" on the general public.... if you don't see "the fat line", you are more a part of the problem, and not so much part of the solution .... IMO... what is important to spread is "defensive information", not "knowledge of offensive techniques"

> Let's not hear any more about censoring information about viri and
> concentrate more on ensuring that the people who compose our community
> are more responsible with the knowledge that is given to them

can we ensure (and test) for the ethics, before we give the guns away? And when in doubt, let's do without the talents of those that fail the tests - I'm pretty confident that is as healthy an attitude as not giving guns to all would-be bounty-hunters (and before they even apply for a weapon's permit)... and let's not forget that computer virus knowledge is more like having a bottle full of new Cholera-viri than a six-shooter

> In times past, knowledge of a computing technique was always considered
> beneficial, now such knowledge has the potential for harm. The
> circumstances in which the computer professional finds h**self have
> changed. It is time we changed too, and stopped trying to deny the
> apparent reality which surrounds us.

exactly. so why do you appear (to me) to deny it then?!?

Sincerely, ---Werner

ps: apologies for the analogies (and cynicism); I hate analogies, actually, but they seem to "come natural" sometimes, when one wants to make a STRONG point, rather than a PRECISE argument. just try and (I expect) you'll have no problem understanding my point of view (if not my views).

-----
Time to impeach them all: The President, the Senate, the people who answer opinion polls ...
-----
Internet: werner@rascal.ics.utexas.edu or werner@cs.utexas.edu
BITnet:   werner@UTXVM
UUCP:     ...!uunet!cs.utexas.edu!werner
-----

------------------------------

Date:    Fri, 18 Oct 91 20:38:36 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Disagreement

Writes padgett%tccslr.dnet@mmc.com (A. Padgett Peterson), quoting my post:

>> We have more antivirus utilities than ever. There are more
>> defense variations than ever. There are also more viruses
>> than ever. They infect more machines than ever.

and responds:

> Major disagreement. It is easier to protect a single platform
> with a "mission-adaptive" approach loaded first than it is to
> subvert one.

I hope the disagreement is not with the *facts* as stated in my message: "There are more defense variations than ever. There are also more viruses than ever. They infect more machines than ever." Those facts are a little difficult to disagree with.

On the other hand, if the disagreement is with the perceived *reasons* for the proliferation of viruses:

> The only reason that viruses have been so successful is that
> the bulk of the 50 (or is it 70) million PCs have NO defenses.
> Protected PCS are still in the minority (but increasing).

then I'd have to say that I don't think that's the only reason. It doesn't take into account the enormous increase in _new virus species_, which has nothing at all to do with machines being protected or not... The incidence of infection may be dependent on protection (if the protection is effective, a big "IF"), but it has nothing to do with the creation of hundreds and hundreds of new viruses whose main effect seems to be the eager encouragement of frequent updates of the virus scanners.

Fred Waller
turtle@darkside.com

------------------------------------------------------------------
"I disagree with what you say but will defend to the death your
 right to tell such LIES, LIES! ALL LIES!"
 :-)
------------------------------------------------------------------

------------------------------

Date:    Fri, 18 Oct 91 20:22:27 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Thunderbyte

Writes kirchner@uklirb.informatik.uni-kl.de (Reinhard Kirchner):

> I got product information about a hardware virus protector
> called 'Thunderbyte' which intercepts all mysterious writings
> to the disk, e.g. absolute ( not through dos ), writing to exe/
> com files etc.

Yes, this is an interesting combination hardware-software antivirus scheme. Thunderbyte attempts to give users some reasonable features that should (and could) have been part of the IBM PC at nearly no extra cost in the first place, but aren't. From this viewpoint, it gets my *enthusiastic* support!

The small card which is part of the package includes some firmware (a ROM BIOS extension), including automatic (i.e., software controlled!) file-rights based disk-write management ability. You have to use certain programs that come with the card. It's really not a true hardware protection device, and some systems seem to become unhappy with whatever it is that Thunderbyte tries to do to them. You may have to change DIP switch settings to change the place in RAM where the Thunderbyte BIOS code loads on booting, and you might even find some programs that overwrite it there, causing the card to halt the machine... but in general it's an original and worthwhile idea.

Because it's really a software device (although it looks like hardware!), there are ways to bypass it. But it is an innovative approach and the two scanners (one resident, one transient) that come with it are also fairly effective and extremely fast. Personally, I like Thunderbyte, although it's not quite the way I would have done things... :-) Also, the installation instructions leave much to be desired, and the translated English .DOC files are sometimes cryptic.

> Such a thing costs approx.
> the same as a software package, and
> it does not depend on updates for new viruses.

You noticed... yes, that's one of the more interesting aspects of hardware and even pseudo-hardware protection... (but the fast scanner that comes with it DOES need periodic updates because it is, essentially, a signature scanner, though it seems to operate in an unorthodox fashion. To be precise, its signatures file gets periodically updated. And in practice, the scanner program itself has suffered many frequent updates also.)

> So I want to ask: Is there any experience with such devices,
> thunderbyte or others ? Is it worth the money ?

It's an interesting system but not a 100%-true hardware protector. Whether it's worth buying or not must be your own decision. I would try to use it `on approval', or at least see it demonstrated in detail; if you like it, and it works on your machine, buy it.

You might also look at PC-cillin, a similar hardware-software combination that got a truly bum "report" from the Virus Bulletin. (Any faith I might have had in Virus Bulletin's reporting fairness died after I saw their vicious "report" on PC-cillin). It's also a useful system, and about similarly priced to Thunderbyte. PC-cillin is even easier to install, since the hardware part simply plugs into the parallel port, but it's also a not-100% hardware protector, also with some problems and also with some endearing features. It, too, includes a string scanner and has a device driver that relies on information stored on an EEPROM chip in the hardware part to check the system at every boot. It even automatically restores the hard disk to clean condition if it finds it was infected by a boot sector/partition table virus. This part is rather neat.

All these operations, however, both on the Thunderbyte device and the PC-cillin device, are purely software-driven. In both cases, the hardware is almost incidental. All of them use software methods trying to ensure integrity, and these may be subverted.
The Thunderbyte author went to some pains trying to encrypt a certain version of his scanner to prevent hacking, but it was decrypted in the lab almost as soon as it appeared... and the "security" and self-test methods used by PC-cillin are quite naive. Both these systems are interesting, but both need improvement. But then, the available software methods aren't any better.

Fred Waller

------------------------------

Date:    Sat, 19 Oct 91 22:02:34 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: Books on viruses?

martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes:

> I'm not sure about the book market, but there's good stuff on the
> Internet. In particular I have been appreciating Rob Slade's continuing
> "*.CVP" series of postings. Are these being collected anywhere? (Ken? Rob?)

Aw shucks. (Modestly scuffs dirt with toe.)

Microcom has just asked, and received, permission to post the *.CVP articles on their BBS. They are also available on Cyberstore, which is a pay system, but accessible from anywhere with an X.25 network.

Publisher carrying large amounts of cash will not be run off the property. :-)

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Power users think
Institute for  Robert_Slade@mtsg.sfu.ca | 'Your PC is now
Research into  CyberStore               | Stoned' is part of
User           (Datapac 3020 8530 1030) | the DOS copyright
Security       Canada V7K 2G6           | line."  R. Murnane

------------------------------

Date:    Sat, 19 Oct 91 15:57:00 -0400
From:    "jbyrd@husc8.harvard.edu"@HUSC3.HARVARD.EDU
Subject: Stealth and Mutation Techniques (PC)

Some phrases that seem to get bounced around regularly in this newsgroup, which I have been following for some time, are PC "stealth" and "mutating" viruses. I understand that virus detectors like to find viruses by a signature series of bytes in each version of a virus. How does a virus mutate, and how can you detect a mutating virus? Although I am a programmer, I know a limited amount about PC internals.
What is PC "stealth" and where can I find out more about it? Replies to Internet readnews or to my account... Thank you much.

jwb
--
The opinions expressed are not necessarily those of my employer.

------------------------------

Date:    Sat, 19 Oct 91 14:51:31 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Interpreted things

Writes F8DY@VAX5.CIT.CORNELL.EDU (Mark Pilgrim):

> ...a virus written in DBASE.... ...If Fred Waller believes this
> could not happen, or that it could happen but not spread, or
> that it could spread but not be destructive, he should e-mail
> me for further details.

I believe it could happen, and that it could spread, and that it could be destructive. However, I also believe that it would be much more difficult to make such a virus as deceiving as our current furtive ("stealth") viruses, or as difficult to detect. Also, it might not spread as quickly, nor as widely, since only machines using a specific program (e.g., dBase) would be vulnerable to it, not all DOS machines as is the case now. (But in a related exchange between Padgett Peterson and myself, I hold the opposite view... which only goes to prove that one can always develop at least two opposing viewpoints for every subject).

Specific measures, tailored to the dBase environment, would be a lot easier to devise than DOS-universal defenses. Finally, I believe that such a virus would be much easier to detect and combat from the safety of a write-protected program drive, to which the virus doesn't have access, and using low-level resources which, unlike the case now, will no longer be readily available to the virus.

So: I believe that such interpreted viruses would be *much* easier to combat than the current crop. Those, Fred's machine can defend against rather neatly... (However, Fred has never seen an "interpreted" virus and would be interested in trying one on his machines, if one exists somewhere. Has Mark Pilgrim ever seen one?)
Fred Waller
turtle@darkside.com

------------------------------

Date:    Sat, 19 Oct 91 14:49:52 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Antiviruses

Writes Padgett Peterson:

> Fred ... .... is not afraid to state his convictions. However,
> his conclusion is fallacious.

It would have been so interesting to learn *why* Padgett thinks so. Someone (especially myself!) might disagree with such conclusion, but not knowing the reasoning that led to it, one remains cheated of the opportunity to see things from his perspective...

> I have a real problem with this one since I firmly believe that
> a "good-enough" (quantum economics) software anti-viral solution
> is not only possible but much less complex than a hardware
> solution that does anything more than select which drive to
> boot from...

( If that's the only kind of hardware solution one can envision, then it must indeed seem so ).

It may be `possible', or it may be `impossible', but the software methods we've seen so far haven't been good enough. Being a mildly astute individual, I conclude that if the software antiviruses haven't succeeded in defeating or even stalling viruses by now, then it might be time to try something different. Stronger medicine? Stronger medicine.

Searching for stronger medicine, the idea occurred that hardware means of protection had never been breached by any virus - and never could be. So, candidly, the idea was presented publicly here. Result? Never seen so many nervous software persons trying to convince me to abandon discussion of such "outrageous" and even "stupid" ideas...

> While hardware will work...

Thank you, thank you. I always knew it would!

> even a "best case" retrofit would involve either a new BIOS
> (standard ones seem to be in the U$70.00 range each) or a card
> (maybe as low as U$25.00 but the cheapest I've seen in Computer
> Shopper was U$50.00 + a slot) and the real "cost" is likely to
> be in the setup.
Yes, if your aim is to install a new BIOS, then you might reasonably expect to have to install a new BIOS. I wonder why one would want to do such a thing, though...

But darn it, let's put things in proper perspective: how much does it cost to buy a software antivirus package? This much:

    AntivirusPlus     $99
    CP Antivirus     $129
    Certus           $189
    Data Physician    $49
    Dr. S' Toolkit   $150
    FluShot Plus      $19
    Mace Vaccine      $99
    Vaccine          $100
    Virex PC         $130
    Virus Cure+      $100
    Virus Guard       $24
    Virucide          $49
    Virus Pro         $50
    Virus-Safe        $63
    ViruSafe          $99
    Viruscan          $25
    Virus Secure      $95
    Vi-Spy           $150

(From the listings in PC Mag latest issue - I wonder why they didn't include Frisk's F-PROT though, at $1 per copy and some very good performance. Maybe Iceland is not yet a recognized country for PC Magazine's editors... or maybe they were uneasy disclosing the performance of the $1 package vs. $100+ ones. Also not included was Washburn's SECURE, another very effective package which would have stopped their childish `Totally Hidden Virus', nor IBM's VIRASCAN, nor Thunderbyte/TBScan, nor the very interesting (albeit scanning) VSTOP, nor VBLOCK nor... many others.)

Anyway, that comes to an average price of $90 per package. Software usually needs to be upgraded, and the true cost over time can become very high! Compare that with the quoted one-time price of $70 per machine and it will become apparent that hardware protection (defined by Padgett as "changing the BIOS") may indeed seem rather inexpensive. Actually, if I buy the higher-priced software packages over a period of three years, I would have spent enough money to buy hardware protection, a new hard disk and some extra programs!

However, let me just point out that some (true) hardware protection may cost much less than the $70 mentioned for the BIOS.
Fred Waller
turtle@darkside.com

------------------------------

Date:    Sat, 19 Oct 91 14:47:28 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Leopards

Writes CHESS@YKTVMV.BITNET (David.M.Chess):

> Well, it does stop viruses in your test, which was running
> known viruses (ones not designed with your machine in mind),
> in a test situation.

Yes, but how can I run tests against viruses that haven't been designed yet?

Objections to my incipient proposal have been so... vibrant. I've been told that such a system couldn't possibly work, then when I said that it HAD worked, it was said that it couldn't be useful against some still-unknown viruses, and now I'm taken to task for not testing the system against such still nonexistent viruses. ... :-)

I'm reminded of an old Brazilian tale, "O amigo da Onca" (The Leopard's Friend). Goes like this:

Two jungle buddies talk; one asks the other what would he do if suddenly faced with a leopard. Fellow shrugs his shoulders and replies: "Oh, I'd just shoot it." "But say you haven't got a gun", says the first. "OK, I'd kill it with my knife, then", replies the other. "Say you lost your knife." "Well, then I'd throw some stones at him". "Suppose there are no stones around." "Then I'd climb to safety on the nearest tree". "Sorry, no trees, either...", insists the first. "Ahh.. then, I guess I'd run like hell!". "Can't - your leg is broken". The man looks strangely at the other and asks: "Say, that leopard, he must be a real good friend of yours, eh?"

If somebody wishes to send me some of those famous "interpreted" viruses one is hearing about, then I'll be delighted to try additional tests. I've never seen one myself, apart from some silly batch-file viruses... Or they can do the testing themselves. Still, these wouldn't be "real world viruses" - and objections on such grounds would also be valid. So what am I expected to do?
I haven't even fully explained "my system" yet, and I already stand accused of not having completed tests against yet-to-be-written viruses... sheeeeesshhhh!! Leopards, leopards everywhere, and not even a stone in sight! But at least my leg ain't broken yet.

> I'd like to see, for instance, a large group of users somewhere
> (a department at a typical business or university, or a PC User
> Group, say) try out the approach, and see if it was both
> livable-with and effective against actual viruses in daily use.

Me too.

> I was just pointing out that the experiment hasn't been done
> yet, and that your test wasn't really proof of anything in
> particular (any number of software anti-virus solutions would
> have passed the same test, after all).

It WAS proof, and it was indicative. Small-scale proof may rightfully be extrapolated. But which other approaches are meant? I don't know of any existing software method that is as effective as hardware protection. If one exists, it should be implemented immediately everywhere! Certainly, the use of scanners hasn't stopped the advance of viruses.

If, however, by "solution" it is meant a "method", then of course a method can be designed to prevent infection. As many have cynically pointed out, never allowing any input of data or executables would prevent infection. I hope we are not playing with concepts in this manner.

> I'm definitely interested in solving problems on a day-to-day
> basis (as well as in the long run).

Yes, I know you are. I just felt that theoretical objections to the basic idea of hardware protection were excessively strenuous. From a group of people dedicated to eradicating viruses, I would have expected a much more inquiring response... But I concede that my presentation is often confrontational, and may itself cause rejection... :-) and that the habitués here are just being strict in their analyses.
> If your approach turns out to do that, and yet leave the
> machine easy enough to use for users to accept it, that'd
> be Really Good News!

That's what *I* thought... it requires some retraining of habits. Comparable, say, to what happens when changing from having a single Drive C: to having both a C: and a D:... or working from C: and using A: to save to - a lot less work than changing word processors. But certain kinds of programs (self-modifying) present difficulties, just as they do with software protection...

Fred Waller

-------------------------------------------------------------------
Some leopards have many friends.
-------------------------------------------------------------------

------------------------------

Date:    Sat, 19 Oct 91 23:13:00 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: It says so...

Writes BARNOLD@YKTVMH.BITNET (Bill Arnold):

> Regarding Fred Waller's pecking order, one often neglected
> consideration is that the levels in the pecking order
> communicate (in some sense) with each other.

But `Communication' and `overcoming' are two rather different things. Waller's pecking order referred to overcoming, i.e., power - die Macht.

> For instance, if protection hardware can be disabled by the
> operator, a virus can tell the operator to disable the
> protection hardware, and some fraction of the operators
> will obey.

Yes, that's exactly what the Pecking Order principles state: "Neither software nor hardware are able to resist a user's damaging or careless action..."

Fred W.

----------------------------------------------------------------
With operators like that, who needs viruses..?
----------------------------------------------------------------

------------------------------

Date:    Sat, 19 Oct 91 23:11:29 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Two subjects

Wrote protonen@daimi.aau.dk (Lars J|dal): (my apologies for mangling your surname thus.
The system doesn't pass the 8-bit ASCII characters, so your name appears here as "J|dal").

> 1) Can computers (in principle) distinguish between a virus
>    and a "normal" program?
> 2) Can computers be built to be safe from virus infection?
>
> These are two different subjects! So the proof by someone-I-don't-
> know that 1) is undecidable on a Turing machine should only (or
> rather at most) discourage people designing programs to detect
> viruses, not people trying to design a system which cannot be
> infected.

Absolutely right! Unfortunately, people may have objected because they have a mind set that doesn't allow them to face the issue without bias. To them, `protection against viruses' usually means `detection', because that's what they have been doing until now: detecting. Since they also proposed the idea that `detection' (or worse, `perfect detection'), was THE right method, it's hard for them to switch mental gears and examine the issue from a different viewpoint. Even though `detection' has failed, they still cling to it and continue searching for the Holy Grail.

> Right?

You most certainly are! When I mentioned "virus-resistant" systems here, not one person understood the term except in the context of "detection" - a wrong context, still being employed by most. Of course, it's not really necessary to "detect" a virus to stop its action - just making the machine unsuitable (or even unfriendly) is quite enough.

Fred Waller
turtle@darkside.com

------------------------------

Date:    Sat, 19 Oct 91 23:14:59 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Hardware!

> I admit that Fred's machine won't make any sort of virus
> impossible - but that's not needed. They are like biologic
> germs: if they aren't too contagious, not very destructive
> or easy enough to cure, you can live with them.

Precisely. I never proposed any "virus-proof" method or machine - it's not really necessary. The idea that we must seek absolute victory over viruses is questionable.
It's born from a conflict between programmers that pits wit against wit, skill against skill, ego against ego. Such conflict aims at unconditional destruction of the other side. But an absolute victory is not necessary. As long as we can prevail from a statistical viewpoint, we'll win, both statistically and individually. There will be less glory for both sides, but viruses are becoming a headache, so let's stop fooling around with them and put an end to the darn things. Using hardware, we can make the world a much harder place for viruses to live in. And that is one way to achieve our aim, is it not?

> 1) As today's viri need only a compatible Operating System to
>    infect a computer, there are a lot of potential victims for
>    them. Interpreter viri need `their' interpreter *running* on
>    the target system, so the density of infectable computers is
>    much lower in space/time. This would slow down the spreading
>    speed of this viri.

Yes.

> 2) A machine code virus uses the instruction set of the OS/BIOS,
>    which is specially designed to do things like deleting,
>    formatting, bending interrupts... An e.g. `spreadsheet virus'
>    would have to do with the instruction set of the spreadsheet's
>    interpreter language, designed for totally different tasks.
>    While it might be possible to write self-propagating destructive
>    programs in such a language, the coding of such neat things as
>    stealth techniques would be quite difficult. The Antivirus-
>    programs could still use all of the (BI)OS's services for their
>    task and so the fight would be no longer `software vs. software'
>    but `machine level program vs. high level language' - much
>    better, compared with today!

Yes. In reality, hardware protection ENABLES the creation of optimum software protection because it breaks the balance of force between viruses and antiviruses. At this time, both have the same tools and the same weapons. Neither can ever win.
But establishing hardware protection tilts the balance in favor of software measures and against viruses. Once hardware protection is established, it should become possible to write fully effective protection code that cannot be defeated by new viruses - and without having to first redesign the Universe! (or Cohen's theories, which seem only a little less imposing... but somewhat less unshakeable. :-)

Fred Waller

-------------------
P.S. Has anyone actually _seen_ any interpreted viruses out there...?

------------------------------

Date:    Sun, 20 Oct 91 20:45:57 -0700
From:    turtle@darkside.com (Fred Waller)
Subject: Picky!

Writes Dr. Chess CHESS@YKTVMV.BITNET (David.M.Chess):

> But hardware antiviruses haven't stopped its advance, either!
> That is, there are both hardware and software solutions that
> can completely protect any given machine against the Stoned..

There is no serious implementation of hardware defenses against viruses. Most of what the public is offered is either pure software or is software-based. Pure hardware antivirus protection has not yet been used.

> P.S. The 1813 (Jerusalem) is still up there near the Stoned;
>      I think we'd have to stop both of them before we could
>      claim to have the great majority! *8)

Picky, picky, picky. So it's just a majority, but not the GREAT majority. Adjectives are cheap, especially in this business...

Fred Waller

------------------------------

Date:    21 Oct 91 09:10:10 +0700
From:    Pim Clotscher
Subject: Thunderbyte (PC) - review available?

Fridrik Skulason mentioned 16 Oct 91 that Thunderbyte was reviewed in the Sept '91 issue of Virus Bulletin. Is this review available publicly in E-mail transferable format? If so, could somebody on this list please indicate to me where and how to get a copy? If only available in printed form, please would it be possible to send me a copy or FAX a copy to me == ()31 104362719 ==

Up to digest 4/194 I saw 3 messages about Thunderbyte, mixed negative and positive.
I still have no clear idea about the value of a product like Thunderbyte compared to a software-only strategy. How can we estimate its effectiveness against 'all' future viruses? One example: the new Dir II virus does not alter files and uses no interrupts as I have understood. Thunderbyte is mainly based on detection of file changes and use of interrupts. So...?!

Thank you for your cooperation,

Sincerely,

-----------------------------> Pim Clotscher <------------------------------
Erasmus University Rotterdam
E.R.C. - Computer Support
Hoboken Roomnumber: Ee2067
Dr. Molewaterplein 50          P.O. Box 1738
NL-3015 GE Rotterdam           NL-3000 DR Rotterdam
the Netherlands
Tel: +31 (0)10 4087420
Fax: +31 (0)10 4362719
E-mail (Internet): clotscher@coh.fgg.eur.nl
==============================================================================

------------------------------

Date:    Mon, 21 Oct 91 11:56:25 +0700
From:    KADLOF@PLEARN.BITNET
Subject: SVC 5.0 (PC)

Christoph Fischer writes:

> I just received a new variant of SVC it is labeled SVC 6.0!
> I also talked to Dr. Alan Solomon and he has a SVC 5.0.
> Both are out in the wild!

I know nothing about SVC 6.0, but SVC 5.0 was isolated in Poland no later than June 1991. The virus was written in the USSR in 1990. Simpler variants 3.1 and 4.0 also exist in the wild (in the USSR).

> These viruses are quite complicated and use advanced stealth
> techniques!

Again, I can say nothing about 6.0, but 5.0 is not as advanced as Christoph suggests. The following is extracted from the Virus Information Card which will be published in PCvirus this month (sorry for poor English):

The virus infects COM and EXE files and installs itself resident in RAM. It is 3103 bytes long. SVC 5.0 can propagate under MS DOS 2.x or higher. If you try to trace the virus with a debugger it will reboot the system. Sometimes the virus sets the Read Only flag (error in code). Infected files are marked by setting the seconds in the file time stamp to 60 and are increased in size by 3103 bytes (COM) or 3103-3108 bytes (EXE).
The virus always puts its own code at the end of the file. Before infection the virus checks the seconds and (if they are set to 60) reads three bytes at offset 138 (from the end of file). In infected files there is always the version number at this place, i.e. '5.0'. The virus recognizes the file type by extension. In EXE files the virus additionally checks the first two bytes against the 'MZ' marker. Files are infected during one of the operations: Load and Execute (4B00), Close File (3E), Open File (3D, but only files on hard disk) and Create File (3C, only on hard drive). I do not know for what reason the virus does not infect files if the file name contains the characters 'MM' or 'MB' (maybe protection of the author's software). Minimum infected file length is 3103 bytes and maximum is (only for COM) EDE1h (60897) bytes. The virus intercepts INT 08 and INT 21h and does not use any tricks to fight any AV software.

Virus signature:

    E800005E83EE032E8984110C065633D2B484CD215E5681FA901975262E3ABC1E0C

(code taken from the beginning of the virus body).

[I skip the algorithm for removing the virus from RAM and files, because you are not familiar with our unique virus identification method.]

The virus keeps in its body the first 24 bytes of the victim program in encrypted form (simple XOR with a byte taken from 0C1Ah relative to the beginning of the virus code).

You can easily check whether SVC 5.0 is active in memory. Call INT 21h with AH = 84h. If SVC is active you get DX = 1990h and in AX the segment of the virus code in RAM (encrypted by XOR AX,FFFF; XCHG AH,AL). The virus installs itself in RAM by manipulating MCB blocks. It occupies 3376 bytes at the top of RAM.

The virus uses some stealth technique to hide the increase in file size and its contents. If a file is checked by a program called CHKDSK the virus does not do any tricks! Programs of that name are not fooled by SVC in any way [good hint for AV software writers]. If a file is loaded but not executed, or something is written to the file, then the virus cures it and infects it again when the file is closed.

I hope this helps.
By the way, does anybody know how time-wasteful viruses are? It would be interesting to know how many people all over the world waste their time studying the same particular virus.

Regards from Warsaw,

Andrzej Kadlof
Department of Mathematics, University of Warsaw, Poland
Editor-in-chief of PCvirus Bulletin

------------------------------

Date:    Mon, 21 Oct 91 14:30:15 +0000
From:    consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: What is CoolCapture? (Amiga)

I have been doing a lot of work recently on all of my floppies using VScan 5.10 to see whether or not I have an infection hiding in all of my TurboImploded executables. I've noticed that a lot of programs read and write to CoolCapture, etc., even though VScan reports them as clean.

What are the major points of infection in an Amiga system? And what do those areas do in a normal situation? For example, I have heard of CoolCapture, WarmCapture, ColdCapture, and one or two other common entry points for viri (RomTagPtr? KickTagPtr? I can't remember...). What do all of these places do that make them so attractive to virus-writers?

+----------------------------------------------------------------------+
|     ///  BRETT KESSLER           consp11@bingsuns.pod.binghamton.edu |
|    ///   Senior Computer Consultant, State Univ. of NY at Binghamton |
| \\\///                                                               |
|  \XX/    "Sometimes a cigar is just a cigar."  -- Sigmund Freud      |
+----------------------------------------------------------------------+

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 196]
******************************************
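Editor's added example, not part of the digest and not code from Andrzej Kadlof or PCvirus: the SVC 5.0 markers described in Kadlof's post above (the 3103-byte body appended to the host, the signature bytes taken from the start of that body, the '5.0' version string 138 bytes before end of file, the seconds-equals-60 time stamp, and the AH=84h/DX=1990h resident check with its XOR/XCHG-obfuscated segment) turned into static checks over a constructed COM image. The sample image is built here with only those markers and contains no virus code; the exact byte placement of the version string (the three bytes starting 138 bytes before EOF) and the mapping of "seconds = 60" onto the 2-second FAT time field (a field value of 30) are assumptions, marked in the code.

```python
# Added example (not from the digest): static checks for the SVC 5.0
# file and memory markers described in Andrzej Kadlof's post.
# Constructed sample data only; no virus code is present.

SVC50_LEN = 3103           # post: body appended to the host is 3103 bytes (COM)
COM_MAX_INFECTED = 0xEDE1  # post: largest infected COM is EDE1h (60897) bytes
VERSION_FROM_END = 138     # post: version string read 138 bytes before EOF
SVC50_VERSION = b"5.0"
RESIDENT_MAGIC_DX = 0x1990 # post: INT 21h/AH=84h returns DX=1990h if resident
# Signature quoted in the post: the first bytes of the virus body.
SVC50_SIG = bytes.fromhex(
    "E800005E83EE032E8984110C065633D2B484CD215E5681FA901975262E3ABC1E0C"
)


def dos_time_seconds(dos_time):
    """Seconds from a FAT/DOS time word: bits 0-4 hold seconds/2."""
    return (dos_time & 0x1F) * 2


def timestamp_marked(dos_time):
    # ASSUMED: the post's "seconds set to 60" is a 2-second field of 30,
    # which DOS never writes for a legitimate file (legal range 0..58 s).
    return dos_time_seconds(dos_time) == 60


def scan_com(image, dos_time):
    """Check a COM image (bytes) plus its DOS time word for SVC 5.0 markers."""
    r = {"size_ok": False, "signature": False, "version": False,
         "timestamp": timestamp_marked(dos_time)}
    if SVC50_LEN <= len(image) <= COM_MAX_INFECTED:
        r["size_ok"] = True
        body = image[-SVC50_LEN:]               # post: body is always at the end
        r["signature"] = body.startswith(SVC50_SIG)
        # ASSUMED: "three bytes at offset 138 from the end" = [EOF-138, EOF-135).
        ver = image[-VERSION_FROM_END:-VERSION_FROM_END + 3]
        r["version"] = ver == SVC50_VERSION
    r["verdict"] = ("SVC 5.0" if r["signature"] and r["version"]
                    else "no SVC 5.0 markers")
    return r


def decode_resident_segment(ax):
    """Undo the AX obfuscation from the post: XOR AX,FFFF then XCHG AH,AL.
    A byte swap and a whole-word NOT commute, so applying both again decodes."""
    swapped = ((ax & 0xFF) << 8) | ((ax >> 8) & 0xFF)
    return swapped ^ 0xFFFF


def encode_resident_segment(seg):
    """What the resident virus would leave in AX for segment `seg` (test aid)."""
    ax = (seg ^ 0xFFFF) & 0xFFFF
    return ((ax & 0xFF) << 8) | ((ax >> 8) & 0xFF)


def resident_segment(ax, dx):
    """Interpret the registers after INT 21h/AH=84h: the virus segment if the
    DX magic is present, otherwise None (virus not resident)."""
    return decode_resident_segment(ax) if dx == RESIDENT_MAGIC_DX else None


# Constructed host: MOV AH,4Ch / INT 21h plus NOP padding (64 bytes).
HOST = b"\xB4\x4C\xCD\x21" + b"\x90" * 60
_body = bytearray(SVC50_LEN)                   # marker-only stand-in for the body
_body[:len(SVC50_SIG)] = SVC50_SIG
_body[SVC50_LEN - VERSION_FROM_END:SVC50_LEN - VERSION_FROM_END + 3] = SVC50_VERSION
SAMPLE_INFECTED = HOST + bytes(_body)
SAMPLE_CLEAN = HOST
# DOS time words for 12:34:56 (legal) and 12:34:60 (the infection marker).
CLEAN_TIME = (12 << 11) | (34 << 5) | (56 // 2)
MARKED_TIME = (12 << 11) | (34 << 5) | (60 // 2)

if __name__ == "__main__":
    print(scan_com(SAMPLE_INFECTED, MARKED_TIME))
    print(scan_com(SAMPLE_CLEAN, CLEAN_TIME))
    print(hex(resident_segment(encode_resident_segment(0x9FD3), 0x1990)))
```

The time-stamp check is cheap and needs no signature, which is why it was a common integrity hint at the time, but it is only a hint: the post itself says the virus sometimes mis-sets the Read Only flag, so a scanner should treat the signature and version string as the decisive markers and the seconds field as corroboration. The quoted signature also contains the virus's own residency probe in plain sight: B4 84 / CD 21 (MOV AH,84h; INT 21h) followed by 81 FA 90 19 (CMP DX,1990h), which is exactly the check the post describes for detecting it in memory.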