VIRUS-L Digest Friday, 1 Nov 1991 Volume 4 : Issue 206 Today's Topics: Re: Can you help me with this? (Apple ][) Re: question about viruses (UNIX) (PC) Re: UNIX anti-virus program (UNIX) Re: Seeking Info on stoned virus (PC) Device Drivers vs TSRs (PC) nVIR A&B vs. SAM (Mac) RE:Request for Standards Re: Viruses and "viruses" TSRs and device drivers (PC) Re: UNIX virus checker (UNIX) Necropolas virus info!!!!!!! (PC) VShield problem with DOS 5.0 & QEMM? (PC) Courses on Viri for teenagers, (General) Re: Viruses and "viruses" Product Test - - VirusCure Plus Infection variations VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 31 Oct 91 15:46:14 +0000 >From: vail@tegra.com (Johnathan Vail) Subject: Re: Can you help me with this? (Apple ][) scm3775@tamsun.TAMU.EDU (Sean Malloy) writes: Okay, a friend of mine sent me a copy of an article which claims to have been posted to usenet (I assume it was to here). It dealt with one of the earilest documentable computer viruses, written for the Apple ][ in 1981-2, at Texas A&M. This friend of mine would very much like to talk to the author of this article, but doesn't have Usenet access. I don't know about that one but I wrote my first virus in 1980 followed by a second one in 1981, for the Apple-][. The first was "written" by using the mini-assembler to stick instructions into "unused" parts of DOS and hooking the "CATALOG" command. CATALOG would trigger itself into checking on the disk for a special byte in the directory and then copying itself onto the disk if necessary. Formatting a new disk would copy itelsf without any specific action by the virus code (which, actually used part of the format code to copy dos and itself) onto the bootable tracks. I had never heard of viruses before and came up with the concept myself. I did hear about research on network worms being done at Xerox PARC and tried to do something similar for the Apple. If anyone is interested I can try and dig up some old listings or code. jv "Even Marilyn Monroe was a man, but, this, tends to get overlooked, by, our mother fixated overweight sexist media" -- Robin Hitchcock _____ | | Johnathan Vail | vail@tegra.com |Tegra| Member: LPF | N1DXG@448.625-(WorldNet) ----- (508) 663-7435 | jv@n1dxg.ampr.org ------------------------------ Date: 31 Oct 91 17:42:47 +0000 >From: spaf@cs.purdue.edu (Gene Spafford) Subject: Re: question about viruses (UNIX) (PC) The only true viruses around for Unix systems are research-oriented. Cohen has written some, Duff has written a very well-known one, and many other people have written simple examples to describe them. However, none of these appear to exist outside isolated research machines (if they still exist there). Perhaps the first true virus ever discussed in the literature is the compiler/login modification that Thompson discussed in his Turing Award lecture on trust. Of course, you might actually consider Unix itself to be a virus if you interpret the term "virus" as broadly as Cohen is doing these days. :-) The topic of Unix viruses has come up again and again at conferences and in mailing lists. Many people wonder why we haven't seen any "in the wild." The general conclusion is that because of the user community, the usual forms of software sharing, and the possible motives behind writing viruses, it is extremely unlikely that a virus would be written for Unix and spread very far. Any products that *charge money* for scanning for a virus in a Unix environment (as opposed to a worm or a trojan horse) is a waste of money. You might as well have spend money on a program to warn you when a meteorite is about to strike your computer. - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: Thu, 31 Oct 91 17:50:31 +0000 >From: peter@ficc.ferranti.com (Peter da Silva) Subject: Re: UNIX anti-virus program (UNIX) Are there any viruses on UNIX to actually *check* for? - -- - -- Peter da Silva - -- Ferranti International Controls Corporation - -- Sugar Land, TX 77487-5012; +1 713 274 5180 - -- "Have you hugged your wolf today?" ------------------------------ Date: Thu, 31 Oct 91 14:42:42 +0000 >From: bsrdp@warwick.ac.uk (Hylton Boothroyd) Subject: Re: Seeking Info on stoned virus (PC) David.M.Chess writes: > The Stoned virus sits in the boot sectors of diskettes > [...] > When you boot from an infected disk or diskette, the virus [...] > infects diskettes that are used in the A: drive from then on. > [...] > That's about it. I wish it were. My experience was that * my machine became infected during a rebuild of the hard disk, * for a few days I did not know that, * each interruption of reading the special format PCTools set of backup disks from which I was rebuilding the disk led to that disk becoming unreadable to PCTools. Not just infected! Unreadable. - -- Hylton Boothroyd h.boothroyd@warwick.ac.uk or, if necessary: Warwick Business School Janet: h.boothroyd@uk.ac.warwick University of Warwick Internet: h.boothroyd%warwick.ac.uk@nsfnet-relay.ac.uk COVENTRY, CV4 7AL Uucp: h.boothroyd@warwick.uucp ------------------------------ Date: Thu, 31 Oct 91 15:04:17 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Device Drivers vs TSRs (PC) mcafee@netcom.com (McAfee Associates) writes: > [SHRUG] I would think that a device driver would provide very little > additional security, if any, compared to a TSR. I have not come across > any virus that "ran circles" around our TSR-based program, I do think > that VSHIELD did intercept all the viruses in their test suite, though. On rumination, now I remember one of the thinks I liked about Enigma-Logic's Virus-Safe, the ability to install itself either as a TSR (from autoexec.bat) OR as a device driver (from CONFIG.SYS). There are some definate advantages to such installation though "running rings" is not how I would describe it. The obvious one is that the program goes resident prior to the CLI (COMMAND.COM). Since COMMAND.COM is the immediate target of several viruses including the 4096 family of "stealth" viruses, such a technique can (and has in my testing) allowed detection of the virus on boot BEFORE it has a chance to go resident. Another advantage is that as Vesselin says you can call a device driver anything you want (I am partial to a .FLA extension), the OS will happily load and execute anything following a DEVICE= prefix, making it difficult for a .COM or .EXE infector to find it. Consequently, while I still think that beginning protection functions from the DOS level (either AUTOEXEC or CONFIG) is too late for that warm and fuzzy feeling. There are some advantages to choosing the device driver route so long as nothing loaded later takes control away from you. (Why means of verification from the command line is needed). Padgett ------------------------------ Date: Thu, 31 Oct 91 14:13:40 -0600 >From: THE GAR Subject: nVIR A&B vs. SAM (Mac) My Mac just lost it to nVIR A & B, which seem to have been placed on my machine due to someone using it to play a game (Strategic Conquest). Unfortunately I can't control access to my Mac. When I lock my office door my boss worries! Anyway, I got six files infected by nVIR A, one by nVIR B, and here is the point my note was about: My Symantec Anti-Virus program is BROKEN! Its not infected (according to Disinfect) but it is reported as "damaged or in an unknown format" Does nVIR A do this to SAM intentionally? Or is this coincidence? ____ _____________________________________ ____ / \ A Halloween Reminder from THE GAR / \ |R.I.P.| |R.I.P.| | | The Dead WILL Rise | | | | Praise God! Happy Hallelujah! | | | | _____________________________________ | | ------------------------------ Date: Thu, 31 Oct 91 15:08:00 -0500 >From: Subject: RE:Request for Standards Vesselin Bontchev writes:" > What? NCSA will test other people's scanners against their > collection?! God forbid, unless they have gained significant amount > of expertise recently. I'd very much like to see someone from the > NCSA to comment on this. First things first: I've not employed by the NCSA, and they've never paid me a cent. I have worked with them for the past several years and been substantially impressed. Impressed enough that I offerred my book to them for publication (they accepted). But as of this time, I've not been paid a cent. I believe the reason that the files were numbered as opposed to named, Vesselin, is that they are trying to avoid the problem that seems to be cropping up more and more recently: that of different names for the same virus in different parts of the world. The NCSA scanner report uses these numbers and reports what the different scanners decided was in the infected files. The results are interesting, to say the least: different scanners called the same file many different names. Therefore, I believe (I've not talked to Stang about this recently) that they are going to hold off putting names on the files at least until the anti-virus product developers conference next month. At the conference, they are going to try to work out some common names among the vendors and researchers present. As for the organization of the "collection", I haven't had to deal with it myself...so you may be quite right about the fact that it is unwieldy. I can say, however, that Stang has always been able to pick out the virus I needed in a matter of seconds. So, I can only es infer that it must make sense to someone :). Finally, you commented on the fact that you feel the people at NCSA do not have the expertise necessary to reliable and careful testing. Once again, you may be right. IMHO, however, the past research reports they've generated have been quite useful. Perhaps more useful to users than to researchers, but users seem to be their target audience. As always, comments are welcome...even encouraged! :) Regards, Charles *************************************************** Rutstein@HWS.BITNET *************************************************** ------------------------------ Date: Fri, 01 Nov 91 13:07:24 +0000 >From: Fridrik Skulason Subject: Re: Viruses and "viruses" In Message 30 Oct 91 04:37:02 GMT, calvin@leland.stanford.edu (Dukhyung Chang) writes: >Biological viruses do not need a living host to survive either. The >living host is required for propagation. This is very much similar to >how computer viri "reproduce". Agreed - actually, the majority of computer viruses only exist as "laboratory samples" in the hands of researchers - they are not active "in the wild". In fact, a large percentage of them are not known to have infected any "real" user at all. The authors just uploaded them to one of the virus BBSes or sent samples directly to a member of the anti-virus community. Sometimes a virus apperars to become extinct - no reports of infections are received for a long time - two years in the case of "Agiplan", and then suddenly the virus appears out of nowhere - possibly from somebody's drawer. - -frisk ------------------------------ Date: Fri, 01 Nov 91 13:19:42 +0000 >From: Fridrik Skulason Subject: TSRs and device drivers (PC) > In the latest PC-MAG, it says that a device driver is better >against certain viruses that can run circles around TSRs. Partially correct, but this is for a simple reason - anti-virus programs are generally not 100% effective if a virus is active when they are run. This means that it is desireable to run the anti-virus program as early as possible - and as device drivers are loaded before TSRs this makes them preferable. A device-driver virus monitor can prevent an infected COMMAND.COM from loading - The TSR can only alert you to the fact that COMMAND.COM has been infected. However, device drivers have one problem - they may not be effective if loaded on a networked machine, as the network software may take over the interrupt functions monitored by the device driver, such as INT 21H, 4BH (Load and Execute). A TSR program which can be loaded after the network software does not have this particular problem. This is basically the reason my VIRSTOP (2.01) program can both be run as an EXE file from AUTOEXEC.BAT, or it can be loaded as a decice driver in CONFIG.SYS. - -frisk ------------------------------ Date: Fri, 01 Nov 91 13:35:50 +0000 >From: Fridrik Skulason Subject: Re: UNIX virus checker (UNIX) >At the UNIX Expo in New York, a company called CyberSoft was promoting >their UNIX virus checker called VFIND. This is the first I have heard >of such a product. He he...Writing a virus checker for UNIX is easy...here is one, which will find all UNIX-viruses that are a real problem at this time: #include main() { printf("Your system is clean.\n"); exit(0); } Seriously, though - they are probably selling something more than a "virus" checker - probably a program to detect changes to executable files in general, not just virus infections - or perhaps they have some "worm" detection there as well....does anybody have some information on the program ? - -frisk ------------------------------ Date: Fri, 01 Nov 91 10:41:00 +1000 >From: BOXALL@qut.edu.au Subject: Necropolas virus info!!!!!!! (PC) Does anybody know of the NECROPOLAS virus?? Dr Solomon's toolkit V5.15 detectected it, but more information is required. Any help would be appreciated. Wayne Boxall Computer Virus Information Group Queensland University of Technology Australia ------------------------------ Date: Thu, 31 Oct 91 19:03:09 -0500 >From: jaf@jaflrn.UUCP Subject: VShield problem with DOS 5.0 & QEMM? (PC) Aryeh, this one's for you... I've got a question about VShield. On a system using strictly DOS 5.0, the /LH works fine, however, on a system using DOS 5.0 & QEMM, it won't - tells me there's no UMB's available... Any suggestions? Jon Jon Freivald ( jaf@jaflrn.UUCP ) =========================================================================== The opinions expressed herein are not necessarily endorsed by anyone other than myself. Then again, maybe not even by me. =========================================================================== ------------------------------ Date: Fri, 01 Nov 91 01:10:38 +0000 >From: Rotan Subject: Courses on Viri for teenagers, (General) Colleagues... I have just had some time to sift amongst my non-urgent mail to observe that my reply to the original posting (Courses in virus techniques...) has caused a bit of a stir. I have a few things to say, which I hope will avoid an unnecessary flame war. Firstly, with respect to the potential dangers of such a course, I concur with Werner Uhrig. The dangers are obvious. I don't agree with the guns analogy (nor does Kevin Buhr, by the sounds of it). Nevertheless, I still maintain that it is wrong to condemn such courses purely on the grounds that they are teaching people about the very things that so many of us are fighting against. However, when I think of the audience of such a course (teenagers!) I worry. In fact, I am very worried. Y. Radai rightly states that kids are more interested in being able to make viri and spread them around than in ethical considerations. Yes, the suggested audience is an extremely poor choice. I suspect (as I already indicated) that the advertisement of the availablity of such a course (as part of another course) was merely to attract as large an audience as possible. Probably there was a financial motive behind this, I can comment no further. What about Burger's book? Many of us have condemned this book, and I include myself amongst these numbers. The book makes available the techniques of virus creation without any supervision whatsoever. (In this case, the guns analogy isn't too far from the mark.) So, who should be allowed access to such information? And how should this dissemination be monitored without there being a sense of censorship? Well, consider this: the army/navy/... is given weapons training because the purpose of this training is known. (I omit the armies of nations intent on unprovoked agression.) Biological viri are normally placed into the care of persons already prepared for the responsibilities which accompany this trust. Therefore, the most suitable audience for a course on virus creation would be the people who are already committed to defense against computer viri. Committment would imply a degree of responsibility. The dangers of the course are thereby reduced, the benefits enhanced. Censorship is sidestepped. To obtain the information, one must undergo the training that would ensure that one behaves responsibly with the information. The complete course would thereby broaden, to include complete courses on computer security, law, ethics, ... and finally (after passing through the earlier stages) techniques and counter-techniques. Would anybody dispute such a course? I have given this much thought, spurned on by the various private messages (some for, some against, some rather bad-mannered). I stick to my premiss that a course on virus construction should be available, I have reservations about who should be allowed attend them. Rotan Hanrahan. PS. Thanks to all who helped with a recent Novell infection. Also, for Y. Radai's information, "apparent reality" via OED'74 means "something clearly seen, experienced or understood". Metaphysics? Perhaps :-) ------------------------------ Date: 01 Nov 91 02:47:31 +0000 >From: gt0202b@prism.gatech.edu (MORSE,JAMES E) Subject: Re: Viruses and "viruses" In article calvin@leland.stanford.edu (Dukhyung Chang) writes: > > >Unlike biological ones, computer "viruses" never need an active > >host to "survive". They can be kept safely tucked away in a desk > >drawer, and be brought out at the owner's whim two years later. > >Nothing whatsoever to do with the theoretical "dying" of animal > >diseases. Nor do they jump from computer to computer across the > >air. > >Biological viruses do not need a living host to survive either. The >living host is required for propagation. This is very much similar to >how computer viri "reproduce". Actually they can jump from computer to computer across the air as well. With wireless LANs and radio waves and stuff, it wouldn't be too hard to simulate. Each dying breath flung from his breast swift, bubbling jets of gore, and the dark sprinklings of the rain of blood fell upon me... MORSE,JAMES ERNEST Georgia Institute of Technology, Atlanta Georgia, 30332 uucp: ...!{allegra,amd,hplabs,seismo,ut-ngp}!gatech!prism!gt0202b ARPA: gt0202b@prism.gatech.edu ------------------------------ Date: Thu, 31 Oct 91 11:17:26 -0700 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Product Test - - VirusCure Plus ******************************************************************************* PT-48 October 1991 ******************************************************************************* 1. Product Description: VIRUSCURE PLUS is a commercial anti-virus program to detect and to repair known computer viruses for the MS-DOS computer environment. The report addresses version 2.30, released 5 August 1991. 2. Product Acquisition: The program is available from International Microcomputer Software Inc. (IMSI), 1938 Fourth Street, San Rafael, CA 94901. The telephone number is 415-454-7101 or 800-833-4674. The price of the program is approximately $100.00. IMSI does have an aggressive marketing campaign which has resulted in significantly reduced prices for a single copy. Documentation states that site licenses are also available. The User's Guide contains this statement: "The VirusCure Plus software is licensed property of IMSI, and is Copyright 1990 by IRIS Software & Computers LTD. and by McAfee Associates". 3. Product Testers: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil; and Michael Oszman, Information Systems Security Manager, White Sands Missile Range, NM 88002-5041, DSN 258-2503, DDN moszman@wsmr-emh10.army.mil. [Ed. The remainder of this review is available by anonymous FTP on cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory. The filename is mcdonald.viruscure.plus] ------------------------------ Date: Thu, 31 Oct 91 00:04:53 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Infection variations FUNPIV5.CVP 911030 Infection variations This months columns have dealt with a number of possible ways that computer viral programs may infect program files. Unfortunately the overwriters, prependers, appenders and companions mentioned do not exhaust the possibilities. (By the way, this week's column is basically courtesy of Vesselin Bontchev, who did all the research.) In discussing overwriting viri I mentioned, by concept although not by name, the Zerohunt virus, which looks for a string of nul characters of sufficient length to accommodate it. However, there is also the Nina virus, which overwrites the beginning of a file, and the Phoenix family, which overwrites a random section of a file, both of which append the overwritten part to the end. The Number of the Beast/512 virus and 1963 both overwrite the beginning of the file and then move the contents of the overwritten section beyond the *physical* end of the file into a portion of the last cluster the file occupies. Because the clusters are always of a fixed size, and because it is very unusual for a file to exactly match a "multiple of cluster" size, there is generally some space there which is, essentially, invisible to the operating system. In the world of prependers, a similar consideration is used by the Rat virus. EXE file headers are always a multiple of 512 bytes, so there is often an unused block of space in the header itself, which the Rat assumes. The Suriv 2.01 works a bit harder: it moves the body of the file and inserts itself between the header and original file, and then changes the relocation information in the header. Then there is the DIR II. The viral code is written to one section of the disk ... and then the directory and file allocation information is altered in such a way that all programs seem to start in that one section of the disk. Because of the convoluted way this virus works, it is possible to "lose" all the programs on the disk by attempting to "repair" them. At this point in my seminar, there is an overhead foil marked "This page intentionally left blank." The point being that there are all kinds of subtle variations on the themes covered here ... and quite a few not so subtle means which will only become obvious after they have been used. However, it is important to note that the most "successful" viri in terms of numbers of infections are not necessarily the "new models", but the older and often less sophisticated versions. On the one hand, this indicates that novelty is not a "viral survival factor." On the other hand, it points out, in rather depressing manner, that most computer users are still not using even the most basic forms of antiviral protection. copyright Robert M. Slade, 1991 FUNPIV5.CVP 911030 ============= Vancouver p1@arkham.wimsey.bc.ca | "Power users think Institute for Robert_Slade@mtsg.sfu.ca | 'Your PC is now Research into CyberStore | Stoned' is part of User (Datapac 3020 8530 1030)| the DOS copyright Security Canada V7K 2G6 | line." R. Murnane ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 206] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253