VIRUS-L Digest Wednesday, 30 Oct 1991 Volume 4 : Issue 204 Today's Topics: question about viruses (UNIX) (PC) Re: New virus-advanced syphtoms ( WAS: warning new virus (PC)) Questions about VIRLIST.TXT (PC) Re: VSHIELD.... (PC) "Precidence" (PC) Can I Load FPROT's VIRSTOP High? (PC) Product Test Report--Rival (Mac) Revision to Product Test--FPROT, version 2.0 (PC) Revision to Product Test -- Virucide, Version 2.33 (PC) CALL FOR PAPERS - Third USENIX UNIX Security Symposium VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 30 Oct 91 13:45:29 +0000 >From: petter%fdmetd.uucp@nac.no (Petter Henrik Hansen) Subject: question about viruses (UNIX) (PC) Does anyone have a list over Unix virus? I have the impression that most virus are infecting pc's and not Unix machines. (To difficult?) Does anyone know a product that are able to check UNIX and look for virus and remove them if possible? All comments are welcome Petter Henrik Hansen, Fellesdata a.s, P.O. Box 248, 0212 OSLO 2, NORWAY Phone : +47 2 52 84 02 Fax : +47 2 52 85 10 E-mail : ...!mcsun!nuug!fdmetd!petter or petter@fdmetd.uucp ------------------------------ Date: 30 Oct 91 13:28:48 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New virus-advanced syphtoms ( WAS: warning new virus (PC)) ish@ire.msk.su (Shulman Ilya A.) writes: > What do you mean "stealthy"? There are few symphtoms that can help us to By "stealthy" I mean the usual things. That is, if the virus is active in memory, reading an infected file results in a clean file being read. Also, no changes in the file sizes can be observed. > 1 --- Try to delete all files at the write protected disk. You don't get > any error if virus is active. I already explained in one of my previous messages, why this method is not reliable in Bulgaria (no the Pravetz computers, more exactly). > 2 --- As I have already explain, start up NU or DiskEdit and compare last > (or prelast) not BAD cluster. If you found the mismatch then virus is > present with more or less possibily. Also not reliable, since as pointed out, sometimes both FAT copies are markes as infected. Besides, the average user seldom is able to use NU at all, otherwise I would propose to check for the 0(F)FFEh mark. > As to me, I think that this algoritm is incorrect because of lot of possible > situations. Could you elaborate this? > 1 Check any directory as the one directory on disk. But not kill virus in it' s > cluster location while not searching up to the end of the disk. That's what my disinfector does. It kills the virus in the last cluster only when all directory entries (including the ones that belong to -deleted- EXE and COM files) are disinfected. > 1.a Check all COM and EXE files (not SubDir Vol) due to it's crosslinked. > if found then get magic number and cure them and save virus cluster no. > if virus not found in the last cluster the you antivirus must > be able to analytically restore start cluster. > there is thefew ways to do it, I think. It's safer to check the directories, instead of the files, because of the fact that the virus infects directory entries that belong to deleted executables as well. The only advantage to the file search is that it allows you to find files that really contain the virus, without their directory entries being infected. IMHO, the best solution is to combine both approaches in a disinfector, which looks for several viruses. Then you can include three loops in it. The first one scans the master boot sector for all master boot sector infectors, the second scans the DOS boot sector for boot sector infectors, then for each directory (1) scan the directory itself for infected entries and (2) scan all files that are contained in the directory for infection(s). > if not found check all files due to the virus body. If found the > think yourself what to do. As to me, I was very angry when some > ANTI-DIR killed all virus bodies stored on my HD as a files > during checking, without any Q. Correct, any self-respecting disinfecto should provide an option not to disinfect, but only to report. This should be even the default mode (it is -not- in my disinfector). > 2. At this step you cure all files and have the virus cluster no. No it's > time to kill it. That's what I do. I kill it then. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 30 Oct 91 14:50:00 -0300 >From: Raul Fernando Weber Subject: Questions about VIRLIST.TXT (PC) I am trying to plot some curves about viruses grown and, among other sources, I use the file VIRLIST.TXT that cames with McAffe's package. However, adding each virus individually (and their variants) doesn't match the total supplied in the file. Here are the numbers I got: Virlist version Virlist total Evaluated total 66B 213 217 67C 223 231 71B 223 247 72 241 251 74B 475 469 75 481 473 76C 501 496 77 505 500 80 714 675 82 893 898 84 897 902 I assumed that each line of VIRLIST.TXT corresponds to an unique virus and, if there is a number between parenthesis, this number means the total number of known variants (main strain plus mutations). Adding the viruses this way, however, gives the discrepancies listed above. Can anybody from McAffe Associates explain what I'm doing wrong? Or how the list is to be interpreted? Particularly interesting is the difference that occurs with version 80 of VIRLIST.TXT. In the file the total is 714, but I got 675. The difference (39) is too big when compared with those from the other versions (about 5). Examining the list carefully I discover a great growing of Whale variants (from 3 to 34). I wonder if this grown really exists or was a typo when replacing the 3 with a 4 :-). The number 34 for Whale remains the same in the next versions of VIRLIST.TXT (82 and 84). There are really so many variants for the Whale virus? Other question is related with the scan I.D. Viruses with the same I.D are the same virus or not? As an example, in version 84 both Datacrime II and Datacrime II-B have the same I.D. ([Crime-2]). Should they be added to the "unique known viruses" or to the "known viruses variants"? Another related question is about viruses that appear in two forms: a "boot" and a "file" version. They are different viruses (with no other relations than the name) or are the to be interpreted as the same virus that is able to propagate using boot sectors and files? If this last hypothesis is true, why the Horse Boot, Invader and Virus-101 (all listed as able to infect boot sectors and files) aren't listed in the same way? Raul F. Weber Informatics Institute Federal University of Rio Grande do Sul Brazil ------------------------------ Date: Wed, 30 Oct 91 20:04:19 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: VSHIELD.... (PC) RY01@ns.cc.lehigh.edu (Robert Yung) writes: >To anyone...hopefully the maker. Well, I wrote the .DOC file, does that count? > Does VSHIELD v84 work with Super PcKwik v2.X when VSHIELD is >loaded high? The Super PC Kwik disk caching program by Multisoft, Inc. should work just fine with VSHIELD. In earlier versions of the VSHIELD program, a warning was given about using disk caching software in general. Some disk caching programs buffer writes to the disk as well as reads. From our POV, buffering disk writes is a Bad Idea(tm). Here's why: If a computer was reset or turned off while there was something in the write buffer, it's contents would be irrevocably lost. This could havee all sorts of dangerous side effects, such as a file being left open, damage to the root directory or FAT, or other unpredictable nasty results. If you do use disk caching software that has the option of buffering disk writes, I would recommend that you turn that feature off or set it to 0. Incidentally, I did speak to someone over at Multisoft about this, and they said it wasn't a problem with their program, then at V4.03. I would assume that they either don't buffer disk writes and/or trap reboots and flush the cache to disk before allowing the reboot sequence to proceed. Of course, the latter still wont protect you against a hardware reset or power off, but it's better then nothing :-) > In previous versions of Vshield, I needed about 110K UMB to load >it high. Now that it has the /LH switch, can I make due with less UMB >available prior to loading? VSHIELD V84 with the /LH switch requires a (approximately) 31Kb UMB. So about a third of the original size. The actual ~110Kb requirement was for VSHIELD to initialize its code prior to going resident, it would then "shrink back" to it's 30-whatever Kb size. > In the latest PC-MAG, it says that a device driver is better >against certain viruses that can run circles around TSRs. Why not make >Vshield a device driver? It certainly would have more memory to load >into when it is the first loaded (that is after the memory driver). [SHRUG] I would think that a device driver would provide very little additional security, if any, compared to a TSR. I have not come across any virus that "ran circles" around our TSR-based program, I do think that VSHIELD did intercept all the viruses in their test suite, though. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Wed, 30 Oct 91 15:16:24 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: "Precidence" (PC) The "precidence" of execution is a function of the Command Line Interpreter (CLI) or Shell, not of MS-DOS. In DOS 5.0 COMMAND.COM (47845 bytes dated 03-22-91) this is found at offset A956h and consists of the string ".COM .EXE.BAT". Alteration of the string & spawning a new CLI can have "interesting" results though the form of the new file must match that of the old. e.g. If the string is changed to ".CCC.EXE.BAT" files with extension .COM will no longer execute however those with .CCC will *so long as they follow .COM file standards*. A more complex modification would be required to redirect the mode of the file so that it is possible to change the precidence to anything you might while maintaining the current file extension(s) or changing them. The question is whether it is worth the effort. Incidently, while on the subject of "companion viruses" (more accurately "spoofs"), a good integrity checker that maintains a list of all files on a drive such as McAfee's VSHIELD /CERTIFY, Enigma-Logic's Virus-Safe, or Certus's Novi (I forget the switches but nothing at the Brickyard ever sounded like that supercharged 8) would notify the user that a program not in the database had been requested for execution and ask the user if they *really* wanted to execute it. Everybody is using this kind of protection aren't you ? I have for over a year now (one layer). Padgett ------------------------------ Date: Wed, 30 Oct 91 14:27:00 -0700 >From: "Rich Travsky" Subject: Can I Load FPROT's VIRSTOP High? (PC) Can I load FPROT 2.0's VIRSTOP high under dos 5.0 (and still have it functional)? I don't have much in the way of viruses to test with nor a machine to dedicate to same. (A qwikie question I hope!) Replies to the list or to me personally. Thanks in advance! Rich Travsky rtravsky@corral.uwyo.edu ------------------------------ Date: Fri, 18 Oct 91 08:44:28 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Product Test Report--Rival (Mac) ****************************************************************************** PT-44 October 1991 ****************************************************************************** 1. Product Description: RIVAL is a commercial software program for the prevention, detection, and elimination of known computer viruses and trojan horses for the Macintosh. 2. Product Acquisition: Rival is available at a list price of $99.00 from the Microseeds Publishing, Inc., 5801 Benjamin Center Drive, Suite 103, Tampa, Florida 33634. Their telephone number is 813-882-8635. The authors of the program are actually Frederic Miserey and Jean-Michel Decombe from France. Site licenses are available. There are also a variety of mail order companies which have recently advertised significantly reduced prices for a single copy. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The remainder of this review can be obtained by anonymous FTP on cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.] ------------------------------ Date: Wed, 23 Oct 91 15:22:28 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revision to Product Test--FPROT, version 2.0 (PC) ******************************************************************************* PT-17 August 1990 Revised October 1991 ******************************************************************************* 1. Product Description: F-PROT is a program designed to provide malicious program detection, disinfection, and protection. This product test addresses version 2.0. 2. Product Acquisition: F-PROT is a shareware program distributed by Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted F-PROT on a number of Internet sites. The program is on the USAISC-White Sands host simtel20. With version 1.14 the program became free if a user utilizes it on a single personally-owned computer. There is a registration fee for commercial and government users. Site licenses are available as well as discounts for multiple copy registrations. The path on simtel20 [192.88.110. 20] for anonymous ftp downloading is: pd1:. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The remainder of this review can be obtained by anonymous FTP on cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.] ------------------------------ Date: Tue, 29 Oct 91 09:27:02 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revision to Product Test -- Virucide, Version 2.33 (PC) ****************************************************************************** PT-12 June 1990 Revised October 1991 ******************************************************************************* 1. Product Description: VIRUCIDE is a commercial anti-virus program to detect and to repair known computer viruses for the MS-DOS computer environment. The report addresses version 2.33, released 15 October 1991. 2. Product Acquisition: The product is available from Parsons Technology, Inc. The address is Parsons Technology, Inc., One Parsons Drive, Hiawatha, IA 52233. The company has a toll free number for orders, 1-800-223-6925. The cost of a single copy, as of 28 October 1991, was $49.00. Each of four program upgrades has been $15.00 which includes shipping and handling. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The remainder of this review can be obtained by anonymous FTP on cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.] ------------------------------ Date: 30 Oct 91 20:17:06 +0000 >From: ecd@cert.sei.cmu.edu (Edward DeHart) Subject: Third USENIX UNIX Security Symposium - Call for Papers Preliminary Announcement and Call for Papers The Third USENIX UNIX Security Symposium Fall 1992 In cooperation with The Computer Emergency Response Team (CERT) The goal of this symposium is to bring together security practitioners, system administrators and system programmers, and anyone with an interest in computer security as it relates to networks and the UNIX operating system. The symposium will consist of tutorials, invited speakers, technical presentations, and panel sessions. This will be a three-day, single-track symposium. The first day will be devoted to tutorial presentations. The following two days will include technical presentations and panel sessions. There will also be two evenings available for birds-of-a-feather sessions and work-in-progress sessions. The dates and location of this symposium have not yet been determined. Papers are being solicited in areas including but not limited to: o User/system authentication o File system security o Network security o Security and system management o Security-enhanced versions of the UNIX operating system o Security tools o Network intrusions (including case studies and intrusion detection efforts) Important Dates Extended abstracts due May 15, 1992 Program Committee decisions made June 15, 1992 Camera-ready papers due July 31, 1992 Send seven copies of each submission to the program chair: Edward DeHart Computer Emergency Response Team Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 (412) 268-6179 ecd@cert.sei.cmu.edu Program Committee Ed DeHart (Program Chair) Matt Bishop Computer Emergency Response Team Dartmouth College Bill Cheswick Ana Maria De Alvare' Bell Laboratories Silicon Graphics, Inc. Jim Ellis Barbara Fraser Computer Emergency Response Team Computer Emergency Response Team Ken van Wyk Computer Emergency Response Team ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 204] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253