VIRUS-L Digest Tuesday, 29 Oct 1991 Volume 4 : Issue 201 Today's Topics: Re: nVIR was Re: Virus on Mac (Mac) Re: Seeking Info on stoned virus (PC) Disinfectant 2.x (Mac) Immunization VGA color spots, Word page breaks, corrupts files. (Novell) (PC) Network World mag virus tool review help ... i have infected .... Dark Avenger (PC) Hardware qustions Taxonomy and Nomenclature Request for Standards Hardware Viruses and "viruses" New file on risc (PC) ansikill.zip (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 25 Oct 91 17:42:00 +0000 >From: "Nigel Stanger, Information Science" Subject: Re: nVIR was Re: Virus on Mac (Mac) Dave Martin (dave@gergo.tamu.edu) writes: >I have always wondered something about nVIR, ... I booted from a >clean, locked System floppy and used ResEdit to clean out the nVIR >resources and correct the CODE resources. I copied rather than cut or >cleared the nVIR resources so I could move them to a separate disk to >examine them later. Immediately an alert popped up saying that it >couldn't write to the System file (disk locked). It seems that simply >by copying the nVIR resources was enough to activate it. Anyone know >if this is possible (copy enabling code execution)? Now remember this >was a couple years ago, so I can't recall everything that occurred, >but I'm still curious as to whether that was enough to get nVIR to try >and spread. Was it actually trying to write to the System *file* or just to the System *disk*? If the latter, it may just have been ResEdit trying to write its scrap to disk when you did the copy. If the resources were large enough, it would spool the copy onto disk rather than store it in memory. You would probably find that with any large cut/copy in just about any application. Just a thought. Just ignore me if I'm way off base :) - -- See ya Nigel. - ---------------------------------------------------------------------- Nigel Stanger, Internet: stanger@otago.ac.nz c/o University of Otago, P.O. Box 56, Phone: +64 3 479-8179 Dunedin, NEW ZEALAND. Fax: +64 3 479-8311 - ---------------------------------------------------------------------- "If I had a quote, I'd be wearing it." -- Bob Dylan - ---------------------------------------------------------------------- ------------------------------ Date: Fri, 25 Oct 91 04:43:53 +0000 >From: tbodine@sunstroke.sdsu.edu (Thomas L. Bodine) Subject: Re: Seeking Info on stoned virus (PC) casey!annes@uunet.uu.net (Anne L. Scism) writes: >If anyone has information on how the stoned virus works, where it >lives, how it finds its home on a PC, I would be grateful for any >information you could pass on to me. Thanks for your help! The stoned virus infects the boot sector of any disk. Booting appears normal before and after infection. From time to time the computer with the virus will display the message "Your computer is now stoned!". I've heard rumors that it also increases the length of the boot file or some other file by a byte each time it runs. It infects disks by infecting any disks that are inserted into the machine when they are made the default drive. It is terminate and stay resident . It grabs the soft boot vector so that ctrl-alt-del doesn't remove it from memory. Therefore it will infect any "clean" boot disks. The garaunteed way to rid it from memory is to power down the computer. McAFEE and associates supply a share ware virus destroyer which will recognize and distroy this virus. I highly recommend it. You should get it directly from their BBS for which I do not have the phone number good Luck, regards Tom Bodine note: My opinions are my own. ------------------------------ Date: Thu, 24 Oct 91 21:30:42 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Disinfectant 2.x (Mac) ACRAY@ECUVM1.BITNET (RAY) writes: > I have Disinfectant 2.4 I have not installed System 7 yet. Is 2.4 > compatiable with System 7. If not, can someone send me the latest When you install System 7.0, it will tell you that Disinfectant 2.4 is not compatible, and to upgrade to 2.5. (The interesting part is that it told you this before there *was* a 2.5.) However, 2.4 *will* work with System 7. You must, however, leave the Disinfectant INIT in the System folder itself, rather than moving it to the Extensions folder as suggested by System 7. You may also find the Disinfectant complains about running with Multifinder, which cannot be turned off with System 7. The latest release (to the best of my recollection and files) is 2.5.1. This is available via ftp from ftp.acns.nwu.edu (129.105.113.52) and numerous other sites as well as many commercial services. (Sorry if this is a duplication, our mailer has been very slow of late.) ============= Vancouver p1@arkham.wimsey.bc.ca | "Power users think Institute for Robert_Slade@mtsg.sfu.ca | 'Your PC is now Research into CyberStore | Stoned' is part of User (Datapac 3020 8530 1030)| the DOS copyright Security Canada V7K 2G6 | line." R. Murnane ------------------------------ Date: Thu, 24 Oct 91 19:50:47 -0700 >From: turtle@darkside.com (Fred Waller) Subject: Immunization Writes tee@bullet.ecf.toronto.edu (TEE LUNS), on the subject of disk immunization: > The catch with hardware is that it costs more money than > some people may be willing to pay. Not at all! Some effective hardware protection devices cost less money than most software antivirals. > An idea I've been toying with lately has been to write a > dummy partition table which Stoned will recognize as being > itself. This would defer infection. The Stoned spreads via infected diskettes. Your idea has already been implemented by several authors. There's a public program (by Mike McCune), available from the SIMTEL archives and probably at CMU, which immunizes diskettes against several boot viruses at the same time, including the Stoned, the Joshi, the Brain, the Ashar, the NoInt and several others. It does this by exploiting the fact that those viruses will not reinfect disks that are already infected, and look for a few bytes of their own code to determine whether the disk is infected or not. Writing those bytes into the disk at the appropriate place fools the virus into thinking that the disk is already infected. The program isn't particularly fancy, but works. It includes full source code (.ASM). One problem is that such immunized disk(ettes) loose their ability to be booting disks. Generally not important, because most diskettes don't need to be booting. They may be made into booting disks again, but then they loose the immunization. > For $5 a shot, do you think anybody would go for it? The above program is available free, but the author asks a voluntary contribution if it's found to be useful. Regarding immunization against the Jerusalem, this too has been available for some time, but since the Jerusalem is a file infector, all files, not just the Boot Sector, have to be protected. An early program that does that, "vaccinate" systems against the action of the Jerusalem virus, is called IMMUNE and was written by Y. Rakavy and Omri Mann. It's a very small (800-byte) TSR which specifically monitors the system for the appearance of the Jerusalem virus. IMMUNE is also free. There are others. Some of the general-purpose utilities include variations of the above methods. Fred W. turtle@darkside.com ------------------------------ Date: Fri, 25 Oct 91 11:47:18 +0000 >From: Rotan Subject: VGA color spots, Word page breaks, corrupts files. (Novell) (PC) Need help. Fellow lecturer at another university reports strange virus-like behaviour. Says virus scanners do not register it. 1000 Novell users now without access to network because it had to be shut down until a solution is found. I'm not familiar enough with Novell environments to be of use. NOVELL USERS FAMILIAR WITH NOVELL VIRI, PLEASE HELP. Symptoms: PC's with VGA cards display random color dots on screen. MS-Word files develop up to 3000 additional page breaks, sometimes result in complete corruption. Corruption of other files reported. Thanks for any assistance... Rotan Hanrahan (hanrah88@irlearn or rotan@ccvax.ucd.ie) Direct mail reply would be preferred. ------------------------------ Date: Fri, 25 Oct 91 10:58:00 -0600 >From: Steven Klepzig Subject: Network World mag virus tool review The Oct. 21 1991 edition of Network World contains an article/review/test of 11 different "virus removal tool" software packages. The tests are reported to have been done by National Computer Security Association (NCSA). A comprehensive report on virus removal tools, including the results that are published in the article can be purchased from NCSA for $75, $44 if your a member. NCSA, 227 W. Main St., Mechanicsburg PA. 17055. (717)258-1816, (717)243-8642 (fax). I am not a member of NCSA, just passing on what is in Network World. A brief synopsis of the scorecard: (for a more detailed listing, write me privately, get Network World, or write NCSA) Company Product Score (142 is perfect) Central Point Software AnitVirus 99 Computer Consulting Grp Virus Clean v2.10 release A 66 S&S International Dr. Solomon's Toolkit v5.15 103 IRIS Software & Comp Ltd Antivirus-Plus v3.7 rel 15.7 64 Leprechaun Software Int Virus Buster v3.75 116 McAfee Associates Scan/Clean v7.6v80 102 McAfee Associates Pro-Scan v2.32 90 Microcom Inc. Virex-PC v2.00b 103 Symantec/Peter Norton Norton Anti-Virus v1.5 98 Fridrik Skulason F-Prot v2.0 129 XTree Company ViruSafe v4.50 99 Posted just for general info. I have no association with NCSA, Network World, or any software vendor. Just an interested PC/Network manager. - -- Steven ======================================== Steven R. Klepzig = University of Utah = 135 Student Services Building = Murphy's Law, v.1.7 "The time it Salt Lake City, Utah 84112 = takes to pinpoint a LAN problem is = directly proportional to its Phone -- 801-581-3437 = gravity." FAX -- 801-585-3034 = InterNet -- sklepzi@ssb1.saff.utah.edu = ======================================== ------------------------------ Date: Fri, 25 Oct 91 21:05:10 >From: "Hernan Lobos *Mitzio*" Subject: help ... i have infected .... Dark Avenger (PC) Hai all, I have a big problem.... very big.... I'm INFECTED !!!! by Dark Avenger (Dav) virus, Anyone know how can i disinfect my hard disk (Dav infected COMMAND.COM, and other files)... My PC is a Hyundai... and I've tried to clean it with SCANv80 and CLEANv80, but nothing happened... Help please!!!!! I love my pc's , Operating System and .. MY JOB.. NOTICE: I can't format my hard disk because my O.S. is the ONLY ONE. Hernan Lobos Universidad Tecnica Federico Santa Maria E-Mail: I5HLOBOS@UTFSM.BITNET ------------------------------ Date: Sat, 26 Oct 91 19:16:39 -0700 >From: turtle@darkside.com (Fred Waller) Subject: Hardware qustions apple!Athena.MIT.EDU!pshuang, writing about hardware protection: > I am not convinced that this is totally true. I have often > heard my floppy drive make extremely loud noises in normal > operation, which reminds me of the Apple II disk drives which > broke down often due to mechanical programs. "mechanical problems", not mechanical programs, probably. Certainly, defective hardware is that: defective. The noise may or may not be normal, but doesn't mean that software can overcome hardware. If a software command can cause a drive to park its head so that it damages it, then obviously it wasn't designed to avoid such a possibility. From the design standpoint, the remedy is simple to conceive and implement. We can say that the software command was within allowed limits and that one of these limits included the possibility of damage. I never said that software cannot *damage* hardware - though it's generally not easy to do. It can damage it IF the hardware is so designed that it ALLOWS the software to cause damage. This has nothing to do with reliability of hardware protection. An illustration offered many times before: the simplest hardware write-protection available is the piece of black paper called a write-protect tab; no software can overcome it. Ever. No matter how sophisticated. >... but repeated lengthy seeks could conceivably cause mechanical > damage. If the drive is made to withstand 100,000 seeks before failure, it should be expected to do that. But if it fails before, well then, it failed. Nothing to do with software overcoming hardware protection: once the drive fails, it becomes a non-drive. At no point, however, did the software succeed in making a disk write. And THAT was the object of protection. It was never defeated. > I agree with you in that hardware protection is a substantial > level better, but it is not impenetrable in practice. As a class, hardware can readily be made TOTALLY impenetrable to SOFTWARE attack of the kind considered when discussing viruses. Totally. But it's easily defeatable by the operator, or by other hardware. Just as the Pecking Order says. The main reason for this is that functioning software only exists as a FUNCTION OF hardware, but not the other way around. Note that hardware MAY BE intentionally (or carelessly) designed so that it is vulnerable to software attack; but there's nothing inherent in hardware that must allow such vulnerability. Software, however, is always vulnerable to the actions of hardware, and CANNOT avoid or bypass them UNLESS permitted by the hardware. Just as the Pecking Order says. ------------------------------ Date: Sat, 26 Oct 91 19:15:02 -0700 >From: turtle@darkside.com (Fred Waller) Subject: Taxonomy and Nomenclature Writes bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev): > Definitively yes. I have a program, written by a friend of mine, > which tries to disinfect something he calls "generic Jerusalem > variant". When I tested it on Fu Manchu, it disinfected it > successfully, although the author has never seen this virus. > The program called it Jerusalem-2080. I believe this is not a good reason. As an analogy illustrating my opinion, let me say that Certus' Novi will cure infections by the new SVC 5.0 and will also remove it from memory - although it doesn't *identify* the virus because Novi was created before SVC 5 was known. Does this mean that SVC 5.0 is related to... the Devil's Dance, which NOVI also cures? Of course not! The criterion proposed above (cure/removal by a utility) shouldn't be accepted as a basis for establishing taxonomical relationships. What we need is: 1. A much better definition of what are the accepted *distinguishing classification characteristics* for each accepted "class, group, subgroup, family, subfamily, genus, species, variety, etc.", whatever TAXONOMICAL subdivisions are settled on. These could be based on either functional or structural characteristics. Better structural rather than functional (not system-dependent). Once such guidelines are accepted, they should be enforced, even if proven inconsistent at times. (Formal revisions can be made, of course). It's the only way to have a practical taxonomy of viruses. Otherwise, it will continue being just about anybody's mess, as it is now. 2. Paralell with the development of such taxonomy, a suitable NOMENCLATURE should also be developed. All the current ones simply stink. Virus nomenclature should be strict, should be bound by rules, BUT it should simultanously allow considerable naming latitude to the describing author. The strictest date priority would prevail. The epithet(s) chosen by a species' author should be unassailable, and could be ammended only to the extent needed to produce compliance with agreed-upon naming rules, or if his description was so ambiguous as to leave doubt about the object being described. Hopefully, the nomenclature convention should also yield easy-to-remember names. I vote for a binomial nomenclature, analogous to the Linnean used in the natural sciences. (This is actually binomial+plus, since it supports "varieties", which add a third epithet to the binomial). 3. Supporting both taxonomy and nomenclature, a system for the definition and storage of authentic virus TYPES should be established. Holotypes should be defined and segregated by species authors at the time of first description. The storage system might be centralized but preferably shouldn't be, to prevent hoarding and for other reasons. Repositories and curators should be established at several points, well situated geographically. Type material, wherever stored, should be specially protected and handled to insure continued and reliable identity. Unlike other taxonomical entities, virus holotypes can be copied perfectly and inexpensively, yielding perfect isotypes. This means that decentralized storage of virus types need not have any of the disadvantages often presented by decentralized storage of other taxonomical types. The existenced of such type-material collections would not preclude the establishment and development of non-type collections elsewhere, either commercial or other. Only after we do all the above, can we let Vesselin create Computer Virology. Fred Waller turtle@darkside.com ------------------------------ Date: Sun, 27 Oct 91 07:22:37 -0700 >From: John Kida (Vienna) Subject: Request for Standards Reading every article I can find on computer viruses, I find a recurring error on the part of many writers. They try to compare apples to oranges. I continue to see attempts to compare products of one category to products which fall into a different type of operational category. I continue to see reviews where a new product is being compared to a year old version of another product. (ie... rating SCANV77, when the current ver. is 84) Is it a fair review, where the author writes a NEW, never released virus to test, programmable scannng programs, which don't have the Virus-ID string? Is it fair for an author to write a test virus program designed to circumvent the abilities of one category program, but test it againist a category program designed to find it, then compare the two. The new user who is reading about viruses, can surely be mislead as to the effectiveness of any given product with this type of review. One of the biggest problems faced in fighting the threat of computer viruses is misleading information. For this reason, I suggest that standards be agreed upon for assessment of Anti-Virus software, Product categories, Testing criteria and etc... Hopefully, some type of STANDARDS it will reduce much of the misleading information and allow for better comparison of products by less experienced users. If such a standard is written, we will all benefit from more accurate reviews and ratings of Anti-virus products. John Kida jhk@ssds.com ------------------------------ Date: Sun, 27 Oct 91 19:16:16 -0800 >From: turtle@darkside.com (Fred Waller) Subject: Hardware Writes RADAI@HUJIVMS.BITNET (Y. Radai): > Yes, these are different subjects, and if we could design a > system which could never be infected, this would be preferable > to detection after infection. I feel that it's really unnecessary to invent systems that could *never* be infected. A virus-resistant system is quite enough. We don't really need a totally virusproof approach. Some head- banging-against-the-wall seen here is (as always) self-inflicted and caused by the search for such absolutely foolproof protection - even though, as the reasonable persons we are, we have knowledge that it, like most other "absolutely" solutions, is not achievable. So what if we allow a small leak? If the leak is small enough, it will be easy to monitor. Much easier than monitoring an entire system! The matter of TIME is also overlooked. We don't need to make our machines both safe and functional at the same time. They can be safe most of the time, but only partially functional, and they can be fully functional (but less safe) at certain special, carefully monitored times. This, too, would not require a virus-proof machine, but rather a virus-resistant one. Finally, the best way to achieve very high security (and stil have a functioning machine) is with the help of hardware. While even this may not yield a totally virus-proof system, it doesn't really have to, since we don't really need virus-proof systems. Fred Waller ------------------------------ Date: Sun, 27 Oct 91 19:15:03 -0800 >From: turtle@darkside.com (Fred Waller) Subject: Viruses and "viruses" Writes davidsen@crdos1.crd.ge.com (Bill Davidsen): > The reason a PC virus can spread is that it attacks a feature > common to all machines. By having a set of environments the > virus is less likely to come in contact with a viable host. Generally speaking, yes, but maybe not, sometimes. And only on Wednesdays, but nobody REALLY knows. There are many viruses capable of "attacking" PC clones running MS-DOS. Some, however, will stumble at some point of their execution, on finding a kind of hardware or software their author did not consider. I have an old Compaq 286 which unceremoniously freezes up some viruses considered to be successful infectors elsewhere. On such systems, the virus might not run, or if it runs it may fail to infect, or if it infects it may not infect properly, or if it does, it may not activate as intended, etc., etc. Viruses often are rather delicate things. Not "robust" at all, he he. So, an unintended form of "discrimination" exists already, in reality. However, because of the number of "virus species" if a machine is not infectable by one, it will be infectable by another. And there's more than enough of them to go around. > In disease terms, if you vaccinate enough people so that an > infected person is unlikely to come in contact with a vulnerable > person, the disease will die. Apart from the fact that we don't know any diseases that have actually been "killed" that way (smallpox wasn't!), I don't like the parallel for other reasons. Computer viruses and biological diseases are unrelated in nature, action and mode of spreading. One of the worst misnomers ever concocted was calling these programs "viruses". They aren't viruses nor anything near. There are far more differences than similarities between computer "viruses" and the biological ones. (Has anyone ever seen a non-TSR disease?) Unlike biological ones, computer "viruses" never need an active host to "survive". They can be kept safely tucked away in a desk drawer, and be brought out at the owner's whim two years later. Nothing whatsoever to do with the theoretical "dying" of animal diseases. Nor do they jump from computer to computer across the air. Computer viruses are programs with some special characteristics, that's all. Virus-writing is not a cost-conscious activity. Virus fighting, on the other hand, is! If, instead of designing ONE virus to infect all MS DOS machines, they have to design seven viruses to infect SEVEN machine variations, then we can be sure that there will soon be SEVENTEEN new kinds floating around, instead of just one, or even seven. What, exactly, does such response do to infection- likelihood statistics? Fred Waller turtle@darkside.com ------------------------------------------------------------------ > "Stupidity, like virtue, is its own reward" -me "But be not eager to find stupidity, lest you discover your own." -me also ------------------------------------------------------------------ ------------------------------ Date: Thu, 24 Oct 91 23:38:32 -0500 >From: James Ford Subject: New file on risc (PC) The file vsumx110.zip has been placed on risc.ua.edu for anonymous FTP in the directory pub/ibm-antivirus. - ---------- Sometimes silence is the best way to yell at the top of your voice. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@risc.ua.edu ------------------------------ Date: Fri, 25 Oct 91 09:01:00 -0400 >From: HAYES@urvax.urich.edu Subject: ansikill.zip (PC) Hello. Just received and made available in our FTP'able directory: ANSIKILL.ZIP This shareware program removes the possibly embedded escape sequences (ANSI "bombs") from any comment file included in a self-extracting .ZIP archive. It does not remove completely the comment file, like STRIPZIP does. SCANV84 found the file "clean". Best to all, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 201] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253