VIRUS-L Digest Wednesday, 30 Oct 1991 Volume 4 : Issue 203 Today's Topics: Re: Viral code association Companion virus detection (was: Viral code association) McAfee84 fails to remove Cascade (PC) Cascade Re: Seeking Info on stoned virus (PC) VDEFEND 7.1 and ViruScan 84 (PC) UNIX anti-virus program (UNIX) RE:Network World Mag Virus Tool Review RE:Request for Standards F-PROT Wanted (PC) Organ music/black monitor-Mac (Mac) Re: McAfee VIRUSCAN at bootup (PC) Re: Typo in Validation Data for NETSCAN V84 (PC) Re: Viruses and "viruses" Re: Protection for Desqview users (PC) Re: Harry Anto (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 29 Oct 91 09:08:00 -0600 >From: "William Walker C60223 x4570" Subject: Re: Viral code association >From: p1@arkham.wimsey.bc.ca (Rob Slade) > In a given situation, computers may be presented with a number > of possible courses of action. The action taken first is > decided by pre-programmed precedence. A number of programs may > have very similar names, leading to potential confusion about > which one is to be run in a given invocation. In the case of > MS-DOS, for example, SET.COM, SET.EXE and SET.BAT are all > "executable" files. In the normal course of events, any one > could be invoked by giving the command "SET". If all three > files exist, which one is to be run? > The precedence of program invocation under MS-DOS is that .COM > files are first, .EXE second and .BAT last. If three files of > the same name do exist, this does not imply that all three will > be run in that sequence, but rather that giving the command > "SET" will always invoke only the SET.COM file. While I have no argument with Rob's explanation of "precedence of program invocation," I must state that the particular example he uses is extremely poor. In the example given, *NONE* of the executable files listed will be run, as "SET" is an internal command to MS-DOS. It, like "DIR," "COPY," "ERASE," etc., will be interpreted before DOS ever looks on the disk for an executable file. In other words, the order of precedence is that internal commands are first, then .COM files, .EXE files, and .BAT files. On a related subject, I've noticed a strange quirk of DOS (which may be confined only to Zenith DOS 3.30 Plus). If a device driver is loaded which has an 8-character device name (NOT the file name), an attempt to run an executable file with that name will result in a "Bad command or file name" message WITHOUT EVER HAVING ACCESSED THE DISK. For example, I was using the CONFIG.CTL device from PC- Magazine, which identifies itself to DOS as CONFIGURE (which is truncated to CONFIGUR). With this loaded, I could no longer run the Zenith DOS external command CONFIGUR.EXE. This is only true for devices which have 8-character names -- 7 characters or less will not cause this problem. I don't think viri will ever exploit this, but it could be useful to know if your machine exhibits this behavior. Try running "MS$MOUSE" (if you have a mouse installed) or "EMMXXXX0" (if you have expanded memory installed), and watch the drive light. If nothing happens except that DOS says "Bad command or file name," then your version of DOS does this too. Occasionally, maybe for non-block devices, the disk light will blink on the first try, but later trys will have no disk activity. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "If Honeywell merged with Arnold Engineering Development Center | Fairchild, would they become M.S. 120 | 'Farewell Honeychild?'" Arnold Air Force Base, TN 37389-9998 | -- Scott Williams ------------------------------ Date: Tue, 29 Oct 91 17:41:00 +0200 >From: Y. Radai Subject: Companion virus detection (was: Viral code association) Rob Slade writes: >A certain class of viral programs; known variously as >"companion", "spawning" or "precedence" viri; use [DOS's COM-EXE- >BAT execution precedence]. They "infect" a file with an .EXE >extension simply by creating another file with the same name, >but a .COM extension. Thus the .COM file is always executed in >place of the original .EXE file. The original file remains >unchanged, and no manner of "change detection" will tell you any >different. ....... Of the antiviral packages tested so far, no >change detector alerts to duplicate names .... The checksumming program "V-Analyst", by B.R.M., Israel, has been doing this ever since its release in 1988. I.e., the authors were aware of the possibility of companion viruses two years before they began to appear in the wild. (They also took measures against two other possible techniques, which have not yet been exploited, for infecting without modifying files.) The checksummer, augmented by a generic disinfector and extensive network support, has been licensed to Fifth Generation, which will soon market it under the name "Untouchable". (An announcement should be made by FG within a week or two.) Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: 29 Oct 91 17:27:46 +0700 >From: si0_ab90038@debet.nhh.no (Audun Bringsvor) Subject: McAfee84 fails to remove Cascade (PC) McAfee fails to remove the Cascade 1701... I have just downloaded a series of anti-virus prog's from Garbo, and I also have access to some other programmes. When I found the Cascade 1701 one some of the students' machines, I decided to test these utilities out. As the Cascade is an old and common virus, to say the least, it should be no match to the recognized virus programmes - or so I thought... All programmes tested was able to detect the virus, but disinfecting proved to be far more difficult: Norton AntiVirus 1.0.0 did not even tell me it had failed removing the strains. It just stated "all repairable files cured" and left me to scan them all over again to find that nothing had been fixed at all! McAfee Clean 84 could not remove the virus, but offered to delete and wipe my infected files. F-prot 1.15 cured all my infected files after prompting me first. F-prot 2.00 also cured all infected files without hesitating!!! I also had to specialized programmes for the Cascade virus; FIND1701 which removed the virus successfully, and DVIR1701 which "healed" three bytes to stop it from spreading... I would also like to mentions that I tried the heuristic analysis in F-prot 2.00, and after analyzing the infected files I was told that they "almost certainly contained a virus". So, even though this latter test doesn't say anything about ability to discover new virii, my conclusion is thanks to Fridrik Skulason who was able to disinfect my files - and that with a programme that is distributed as freeware. Finally, I would like a comment from McAfee, how is it possible that your programme is not able to disinfect such an old and well-known virus??? Audun Bringsvor Norwegian School of Economics si0_ab90038@debet.nhh.no ------------------------------ Date: 29 Oct 91 17:34:34 +0700 >From: si0_ab90038@debet.nhh.no (Audun Bringsvor) Subject: Cascade <---> Yap (same family?) (PC) Cascade <---> Yap ??? I found some files infected with the Cascade 1701 on some of the students' machines the other day, and I took the opportunity to test them against some disinfectors I had at hand (see previous article). I also tried to copy them using McAfee's VCOPY v.82 - which correctly identified the Cascade virus. However, VCOPY also claimed to have found the Yap virus. McAfee's CLEAN v.84 also identified Yap. This leads to my question: What is the relationship between these two??? Fridrik Skulason identifies Yap as a variant of the Cascade virus; "only two instructions are switched", and lists it under 1701/1704 bytes. Patricia Hoffman claims the Yap virus has 6258 bytes. Although she mentions its similarities (in encryption technique) to Cascade, she does not list them together in her relationship chart. Vcopy and Clean identified Yap in a file of 2114 bytes (413 wo/Cascade). Audun Bringsvor Norwegian School of Economics si0_ab90038@debet.nhh.no ------------------------------ Date: 29 Oct 91 11:50:50 -0500 >From: "David.M.Chess" Subject: Re: Seeking Info on stoned virus (PC) The Stoned virus sits in the boot sectors of diskettes and the master boot records of hard disks (where the partition table is). When you boot from an infected disk or diskette, the virus loads into high memory, and infects diskettes that are used in the A: drive from then on. When you boot from an infected floppy, it will infect the hard disk, and sometimes display the message "Your PC is now stoned!". That's about it. Due to a bug in the virus, if your system was last FDISK'd with DOS 2, the virus will overwrite part of the hard disk FAT when it infects (it stores the original boot record in what it think is unused space, but is really part of the FAT). There are variants of the virus that will never display the "stoned" message. >From: tbodine@sunstroke.sdsu.edu (Thomas L. Bodine) > I've heard rumors that it also increases the length of the > boot file or some other file by a byte each time it runs. Nope. > It infects disks by infecting any disks that are inserted into the > machine when they are made the default drive. Actually, it only infects diskettes used in A:. It works below the DOS level, and has no concept of a default drive. > It grabs the soft boot vector so that ctrl-alt-del > doesn't remove it from memory. No, actually it doesn't do that; I would expect c-a-d to remove it from memory just fine, but as you say > The garaunteed way to rid it from memory is to power down > the computer. That's always the safest thing to do. DC ------------------------------ Date: 29 Oct 91 11:17:00 -0600 >From: "William Walker C60223 x4570" Subject: VDEFEND 7.1 and ViruScan 84 (PC) For those of you who track or correct scanner conflicts, here is another one. When Central Point VDEFEND.SYS 7.1 is active in memory and McAfee ViruScan 7.9v84 is run, ViruScan reports "Israeli Boot Virus [IBoot] active in memory." VDEFEND didn't report anything. Rebooting from a clean floppy and rescanning revealed the truth: a clean drive. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "Non sequitur -- your facts are Arnold Engineering Development Center | un-coordinated." M.S. 120 | -- NOMAD Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Tue, 29 Oct 91 20:29:13 +0000 >From: schieb@dingo.gsfc.nasa.gov (Brian Schieber) Subject: UNIX anti-virus program (UNIX) I'm looking for sources for virus checking for UNIX boxes. Whats available ? Cheers, Brian ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^ Brian D. Schieber NASA/Goddard Space Flight Center ^ ^ schieb@shark.gsfc.nasa.gov Laboratory for Hydrospheric ^ ^ DECnet: urchin::schieb Processes ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^ Its just a matter of time before all life on Earth is killed ^ ^ by the .... ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ------------------------------ Date: Tue, 29 Oct 91 16:11:00 -0500 >From: Subject: RE:Network World Mag Virus Tool Review On the topic of the virus tool review... I've got the copy of the full report here in front of me...it's quite comprehensive and well done (author was Stang). It's worth the money for those of you who need up-to-date info to make purchasing decisions (especially for large sites). One of the other reports from the National Computer Security Association (NCSA) is on scanners...same principle involved, different products. Aslo high quality. NCSA is at 717-258-1816.... Charles ------------------------------ Date: Tue, 29 Oct 91 16:30:00 -0500 >From: Subject: RE:Request for Standards John: There is a movement under way right now to address your concerns. On November 25 and 26 of this year, the National Computer Security Association (NCSA) will sponsor the First International Anti-Virus Product Developer's Conference. All anti-virus developers are invited to attend. The main focus of the conference will be (1) to reach a consensus in support of resolutions on a "Code of Ethics", (2) to address the standardization of virus counting, (3) to further develop plans for virus prevalence studies, and (4) to focus on the user's point of view. The NCSA has also started a program to certify virus scanners against the NCSA collection (and quite a substantial collection it is). All of these things are designed to promote ethics within the industry and provide some standards for outsiders to make quality purchasing decisions. Any Comments, anyone? Charles ------------------------------ Date: Tue, 29 Oct 91 16:39:00 -0500 >From: Subject: F-PROT Wanted (PC) After reading Network World October 21,1991 Volume 8, Number 42, I am interested in getting a copy of F-PROT Virus Protection Program. Does anyone know where F-PROT is available via anonymous FTP? [Ed. Try the various VIRUS-L/comp.virus PC archive sites, including risc.ua.edu. Updated information on the archive sites is posted here once a month.] Thanks, Gordon - ---------------------------------------------------------------------------- UNIX Lab Supervisor Academic Computing Services Fairfield University - ---------------------------------------------------------------------------- ------------------------------ Date: 29 Oct 91 15:42:15 +0800 >From: "Fran Holtsberry" Subject: Organ music/black monitor-Mac (Mac) We have two systems playing organ music and no monitor response. Any ideas about whether this is a virus or a prank? My first reaction is that it is a Halloween prank. But it still is debilitating two Macs. Fran Holtsberry fran_holtsberry@msmailgw.csuchico.edu ------------------------------ Date: Tue, 29 Oct 91 16:39:00 -0600 >From: TODD TURNBLOM Subject: Re: McAfee VIRUSCAN at bootup (PC) psgrbbc@prism.gatech.edu (Brian Cooper) writes: > I would like to have my PC run McAfee's SCAN whenever I turn on my > computer. Is there any problem with doing this??? You can do this, we have done it here in the student computer labs for a while now. The main problem seems to be that the users ignore the message saying that the computer is infected. We solved the problem by having one of the consultants write a program that uses scan to check for viruses, then sets off bells, sirens, and flashes a red message if it finds an infection. Now at least they pay attention to the message. > For example, > suppose a virus entered my system and immediately altered SCAN so that > it would not detect the virus. Is this possible? Does scan check > itself before SCANning the rest of the disk? Scan will only find viruses that have been discovered. That is why you should make sure you use the latest version. I think that McAfee's vshild will give you some protection against new viruses if you set it up right. Read the documentation. > Any comments would be appreciated. Thanks in advance. > Brian Cooper - -- _______________________________________________________________________________ Todd A. Turnblom | Utah State University | SL4R7@cc.usu.edu or ToddT@cc.usu.edu - ------------------------------------------------------------------------------- "If I had wanted to be a _well-known_ crook, I should have gone into politics." -Guido, 'Colection Specialist', _M.Y.T.H. Inc. in Action_ _______________________________________________________________________________ ------------------------------ Date: Tue, 29 Oct 91 12:56:18 +0000 >From: csh060@cck.coventry.ac.uk (-= WAD =-) Subject: Re: Typo in Validation Data for NETSCAN V84 (PC) Has anyone heard for a virus called HaryAnto's Virus ???? If you have please help ...... - -- =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--= | Fleshy : -= WAD =- E-mail : csh060%uk.ac.cov.cck@uk.ac.earn-relay | | Voice : (0203) 449274 Quote : Sitting in the morning sun | =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--= ------------------------------ Date: Wed, 30 Oct 91 04:37:02 +0000 >From: calvin@leland.stanford.edu (Dukhyung Chang) Subject: Re: Viruses and "viruses" >Unlike biological ones, computer "viruses" never need an active >host to "survive". They can be kept safely tucked away in a desk >drawer, and be brought out at the owner's whim two years later. >Nothing whatsoever to do with the theoretical "dying" of animal >diseases. Nor do they jump from computer to computer across the >air. Biological viruses do not need a living host to survive either. The living host is required for propagation. This is very much similar to how computer viri "reproduce". Sorry about splitting hairs, but the name is more appropriate than you think. - ----------------------------------------------------------------------------- Peter Chang | "Better to Trade Knowledge than" E-Mail: calvin@portia.stanford.edu | Something of Value" Snail Mail: PO Box 9603 | Stanford, CA 94309 | "Eagles may soar, free and proud, | but Weasels never get sucked into | Jet Engines" ------------------------------ Date: Wed, 30 Oct 91 09:32:14 +0000 >From: Fridrik Skulason Subject: Re: Protection for Desqview users (PC) In Message 24 Oct 91 01:29:15 GMT, heinicke@uwovax.uwo.ca (Allan Heinicke) writes: >Do the standard TSR virus-protection schemes (F-Prot, Vshield, Central >Point's anti-virus for example) work inside a DOS window if one is >operating under Desqview? The reason for the problem with Desqview is that it takes over the "Load-and-Execute" function and does not pass control to the previous handler - including any antivirus programs that only check programs when they are executed. I am aware of the problem - it is documented in version 2.01, but I do not yet have a solution for F-PROT - hopefully in 2.02. As for the other programs I have no information. - -frisk ------------------------------ Date: Wed, 30 Oct 91 09:41:38 +0000 >From: Fridrik Skulason Subject: Re: Harry Anto (PC) >I think we ( A friend and I ) have found a new virus for PC !!!! Well, not quite new....but fairly recent at least - it can be detected (and alse removed) by version 2.01 of F-PROT. - -frisk ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 203] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253