VIRUS-L Digest   Monday,  4 Nov 1991    Volume 4 : Issue 208

Today's Topics:

WARNING - incorrect search patterns (PC)
Re: Hardware forever!
re: Furtivity
re: Real User
re: Organ music/black monitor-Mac (Mac)
Zipped files (PC)
Disk Compression (PC)
VSHIELD. DOS 5.0, & QEMM (PC)
New Fprot avail.? (PC)
Re: Harry Anto (PC)
Re: Only Scan Floppies? (PC)
re:viruses and "viruses"
Re: Organ music/black monitor-Mac (Mac)
Re: Only Scan Floppies? (general)
Vesselin Bontchev's history paper

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 04 Nov 91 11:48:05 -0500
From:    Kenneth R. van Wyk
Subject: WARNING - incorrect search patterns (PC)

I received the following FAX this morning from the Virus Bulletin:

                          IMPORTANT NOTICE

       Anti-virus software developers using VB search patterns

The hexadecimal search pattern for the Gosia virus published on page 5
of Virus Bulletin, November 1991 should NOT be used as it produces
numerous false positives.  A suitable alternative pattern will be
published in December.

------------------------------

Date:    Fri, 01 Nov 91 17:57:27 +0000
From:    peter@ficc.ferranti.com (Peter da Silva)
Subject: Re: Hardware forever!

turtle@darkside.com (Fred Waller) writes:
> There is NO software defense that's fully reliable.  There IS
> hardware defense that is fully reliable.

Yes.
It's called the power switch.
-- 
-- Peter da Silva
-- Ferranti International Controls Corporation
-- Sugar Land, TX 77487-5012; +1 713 274 5180
-- "Have you hugged your wolf today?"

------------------------------

Date:    01 Nov 91 14:01:30 -0500
From:    "David.M.Chess"
Subject: re: Furtivity

> From:    turtle@darkside.com (Fred Waller)

> So, speaking of "most" stealthed viruses may be
> a little misleading, as is speaking of "most" viruses in general,
> since the non-furtive ones haven't had equal time...

> I don't think so.  We have to take into account that, if furtive
> viruses become an impossibility, and many of the tricks they now
> use become more difficult for them, then it will be that much easier
> to design effective software defenses against such debilitated
> attackers. :-)

Hm.  We seem to be talking past each other here; I get the impression
that you didn't really understand my argument, and I *know* I don't
understand yours!  *8)  I was just seeing your original posting as
saying "if interpreter viruses can't be stealthed, they're less likely
to succeed".  The obvious answer to that was the rather trivial (I
thought!) observation that viruses don't *have* to be stealthed to
succeed, and that there isn't even any evidence that it helps in the
least.  I'm not sure how your most recent posting (and in particular
the two paragraphs I've copied) are a reply to that argument?

Anyway, I hate these "but you said that I said that you said that I
didn't understand that I didn't say that..." threads.  I will
reiterate, perhaps more clearly, and then drop the subject (unless it
comes up again!).

There's currently no correlation between how widespread a virus is and
whether or not it is "stealthed".  The fact that a certain type of
virus cannot be stealthed is therefore not particularly suggestive of
how widespread viruses of that type might become.

There!  I *think* that should be uncontroversial...
*8)

DC

------------------------------

Date:    01 Nov 91 14:11:43 -0500
From:    "David.M.Chess"
Subject: re: Real User

> From:    turtle@darkside.com (Fred Waller)

> Until then, I would expect a more open mind (and a more
> candid and less defensive reception) from people who are ostensibly
> dedicated to combating viruses.

An open mind doesn't require believing everything you hear!  You
proposed a solution, and people mentioned problems that they saw with
it.  I don't think this really suggests that these people are only
"ostensibly" dedicated.  People have been *quite* candid in response
to your postings; I think that's part of what's bothering you...  *8)
If people were a little strong in their replies, I think it just
reflects the strong tone of your earlier postings (on the
near-perfection of write-protect tabs and so forth).  Hearty
conversation does not imply evil intent, on either side!

> This may come as a surprise to some, but I'm actually a very frugal
> and ascetic person who requires Pouilly-Fuissé only twice a year,
> and only in moderate quantities.  My intervention here is not
> market-motivated.  Nor, in the final analysis, is wealth a gauge
> of rightfulness.

OK, then we'll have to wait until someone *else* markets it, and
we'll see what happens.  No, wealth isn't a measure of truth.  But if
we're looking for a way to keep most people's machines free of viruses
(I know that's what I'm looking for), we won't know whether or not
we've found it until someone makes at least a middling-strong attempt
to make it available to most people.  And no one's likely to do that
unless they see at least a hint of profit (or at least break-even) in
it.

Think of it this way: more people today are protecting their machines
with software than are doing so with hardware.
There are a number of possible reasons for this, including:

1) A conspiracy of people who are only "ostensibly" dedicated to
   fighting viruses, but who in fact are software fanatics, have
   ganged up to push only software solutions, and have brainwashed
   the entire computer-using population of the world into ignoring
   the obviously-superior hardware methods,

2) Hardware solutions, while potentially better than software
   solutions in some sense, are more difficult to design, market, and
   distribute, and no one has yet made the investment to make a good
   one generally available,

3) Hardware solutions, while theoretically superior to software
   solutions, are in fact no better in the majority of user
   environments, and they are inherently more difficult to install
   and maintain.

I suspect you are somewhere between (1) and (2), while I am somewhere
between (2) and (3).  Only time will tell, and I don't think
disagreement is automatically a sign of closed-mindedness on the part
of one of the parties...

DC

P.S.  I notice you always seem to change the Subject: line when
replying to a posting.  Is that intentional?  The tradition is to
leave the Subject: line alone, just sticking a "re:" at the front if
there isn't one.  This would make it easier for folks to follow (or
avoid) specific threads in the conversation...

------------------------------

Date:    Fri, 01 Nov 91 14:09:00 -0500
From:    "Sue Hay (tm)"
Subject: re: Organ music/black monitor-Mac (Mac)

from Fran Holtsberry:

>We have two systems playing organ music and no monitor response.  Any
>ideas about whether this is a virus or a prank?  My first reaction is
>that it is a Halloween prank.  But it still is debilitating two Macs.

That chord means that your Macintosh has a hardware problem and it
needs to be taken to an authorized Apple service and repair
technician.  No virus is involved.
Susan Hay, User Services Consultant/Analyst, Brown University

------------------------------

Date:    Fri, 01 Nov 91 13:15:18 -0500
From:    usgjej@gsusgi2.gsu.edu (Jeffry Johnson)
Subject: Zipped files (PC)

Are there any programs which will scan inside of Zipped files?

Thanks in advance.

Jeff

------------------------------

Date:    Fri, 01 Nov 91 13:43:25 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Disk Compression (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>Oh, no!  It is enough that the users are trying to force the producers
>of virus scanners to scan inside self-compressed executable files...
>They really don't need to be forced to handle also Stacker/SuperStore/
>DoubleDisk, etc. formats!

They may not have a choice - I see this as the next real "must have"
utility as no-one ever has enough disk space.  Meanwhile LZEXE and
PKLITE have proven that the extra time required to decompress in
memory is less than the time gained from reading half the number of
sectors.  For people with slow disks, they gain speed AND space and at
essentially no cost other than that required to obtain the software.

DR-DOS 6.0 is bundling Addstor's SUPERSTOR.  Northgate (I think) is
including Stac Electronic's STACKER with its laptops.  It would not
surprise me to see something like this bundled with all of those nice
laptop and notebook PCs caught in the pipeline with 20 Mb drives.  In
fact, it would not surprise me to see Microsoft bundle in a compression
routine with Windows 3.1, not so much to be nice to the user, as to
make files totally incompatible with OS/2.  Who would want to give up
half their disk space just to run a new OS?

The point is that disk compression routines work, are as safe as
anything else & can double effective disk space at a time when GUIs
and their programs are requiring more and more storage.  That it is a
software solution to a hardware problem makes it all the more elegant.
My only question now is "which one am I going to use?", not am I going
to use one.  Add to that the fact that the cost is dropping
dramatically (the price of DR-DOS 6.0 with SUPERSTOR from a reputable
mail order house is U$69.00 and Stac just "realigned" their prices)
and it is easy to see that we are poised for another dislocation.
Software utilities and anti-viral vendors are going to just have to
accommodate the change.

The good news is that accommodation will not be difficult since it
will be a global change not a question of "is this file compressed or
not".  However, anyone who doubts that it is going to occur might just
be in the market for a new buggy whip 8*)

					Padgett

------------------------------

Date:    Fri, 01 Nov 91 15:00:15 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: VSHIELD. DOS 5.0, & QEMM (PC)

I tried to send via E-Mail but failed & this might be of interest to
others.

(550 <@UUNET.UU.NET:jaf@jaflrn.uucp>... Host unknown)

Subject: QEMM, DOS 5.0, & VSHIELD v84

Jon:

LOADHI VSHIELD /LH ... works on my PC with DOS 5.0 & QEMM 5.11.

By any chance do you have the line "DOS=HIGH,UMB" in CONFIG.SYS?  It
will confuse QEMM & might lead to the problem mentioned.  If so try
replacing with "DOS=HIGH".  Also QEMM versions earlier than 5.11 are
said to have problems with DOS 5.0.  Finally, QEMM must be invoked
with the RAM switch to create high RAM.

If all else fails, use the LOADHI command alone after DOS loads to see
what high memory is available - if there is not enough free high
memory, then LOADHI will put VSHIELD in low memory with an error
message.  I am also using the NOEMS switch to maximise high RAM.

Just some thoughts.

					Padgett

------------------------------

Date:    Fri, 01 Nov 91 16:15:31 -0600
From:    tneuhaus@uwspmail.uwsp.edu
Subject: New Fprot avail.? (PC)

I thought I saw a reference to FPROT 2.01, if so, where is it posted
for FTP download?
Thanks,

-------------------------------------------------------------------
| Tom Neuhauser                   | tneuhaus@uwspmail.uwsp.edu    |
| Information Technology, LRC 26  | attmail!tneuhaus              |
| University of Wisconsin         |                               |
| Stevens Point, WI 54481         | "He who hesitates, waits..."  |
| 715-346-3058                    |                               |
-------------------------------------------------------------------

------------------------------

Date:    Thu, 31 Oct 91 20:57:07 +0000
From:    csh060@cck.coventry.ac.uk (-= WAD =-)
Subject: Re: Harry Anto (PC)

frisk@complex.is (Fridrik Skulason) writes:

>>I think we ( A friend and I ) have found a new virus for PC !!!!
>
>Well, not quite new....but fairly recent at least - it can be detected
>(and also removed) by version 2.01 of F-PROT.
>
>-frisk

Thank god for that !!!!...  Where can I ftp/mail/etc this from then?

Cheers

-- 
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
| Fleshy : -= WAD =-            E-mail : csh060%uk.ac.cov.cck@uk.ac.earn-relay |
|                               Voice  : (0203) 449274                         |
| Address: 6, Kingsway, Stoke,  Quote: Strange how such a man could|

------------------------------

Date:    Fri, 01 Nov 91 23:21:15 -0330
From:    Noel Roy
Subject: Re: Only Scan Floppies? (PC)

jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes:

>Question: of the various TSRs that check programs before I execute
>or copy them, do any allow me to only check those coming from a floppy?
>Reason being a performance degradation issue.  Floppies are slow
>anyway and adding the time to scan the file is a very small percentage.
>But adding the time to a hard disk access is a larger percentage
>(though I admit still small) and not really necessary as I checked
>my hard disk thoroughly at boot up time.  Does this make sense?

It takes just as long to scan a file on a floppy as it does a file on
a hard disk.  In fact, it takes longer -- precisely because file
access is so slow on floppies.

-- 
Dr. Noel Roy
Department of Economics                internet: noelroy@morgan.ucs.mun.ca
Memorial University of Newfoundland    BITNET:   use Internet address
St. John's, Newfoundland A1C 5S7  Canada   cdnnet:   noelroy@morgan.mun.cdn

------------------------------

Date:    Sat, 02 Nov 91 16:25:00
From:    "Axel Gutmann"
Subject: re:viruses and "viruses"

>From:    turtle@darkside.com (Fred Waller)
>Subject: Viruses and "viruses"
>
>Writes davidsen@crdos1.crd.ge.com (Bill Davidsen):
>(...)
>> In disease terms, if you vaccinate enough people so that an
>> infected person is unlikely to come in contact with a vulnerable
>> person, the disease will die.
>Apart from the fact that we don't know any diseases that have
>actually been "killed" that way (smallpox wasn't!), I don't like
>the parallel for other reasons.  Computer viruses and biological
>diseases are unrelated in nature, action and mode of spreading.
>One of the worst misnomers ever concocted was calling these programs
>"viruses".  They aren't viruses nor anything near.  There are far
>more differences than similarities between computer "viruses" and
>the biological ones.  (Has anyone ever seen a non-TSR disease?)
>
>Unlike biological ones, computer "viruses" never need an active
>host to "survive".  They can be kept safely tucked away in a desk
>drawer, and be brought out at the owner's whim two years later.
>Nothing whatsoever to do with the theoretical "dying" of animal
>diseases.  Nor do they jump from computer to computer across the
>air.
>(...)

I don't think virus is such a bad name for "viruses".  They are
clearly different from biological ones, right, but there are lots of
analogies (BTW: and fewer differences than you think: biological
viruses don't necessarily need an active host to survive - consider
tobacco-mosaic virus-crystals - and don't generally jump from host to
host across the air - thank God AIDS doesn't!)
The analogy that's most important in this discussion is the similarity
in the dynamics of the spreading of diseases and virus-like-trojans.
The differential equations that correlate the rate of newly infected
humans with the percentage of vaccination and the density of the
observed population should be equally valid for the variables
trojan-spreading-rate / percentage-of-(somehow)-protected-computers /
density-of-compatible-computers (OS or interpreter).  So if you
"vaccinate" enough computers, the "virus"-spreading would slow down to
a point where the new infections can be handled by other data-security
measures.  Right, we wouldn't have eradicated the "viruses", but we
could live with the remaining risk.

I'd like to do to old STONED what we did to the smallpox-virus!

************************************************************************
*Axel Gutmann, uh2m@DKAUNI2, Internet: uh2m@IBM3090.RZ.UNI-KARLSRUHE.DE*
************************************************************************

------------------------------

Date:    Sat, 02 Nov 91 14:45:05 -0500
From:    flaps@dgp.toronto.edu (Alan J Rosenthal)
Subject: Re: Organ music/black monitor-Mac (Mac)

Fran_Holtsberry@msmailgw.csuchico.edu (Fran Holtsberry) writes:
>We have two systems playing organ music and no monitor response.

I don't know exactly what you mean by "organ music", but if it's a
mac II, and the sound is something like this: like "do, mi, soh, do",
with the last "do" being higher than the other notes, with the initial
sound the mac makes when being turned on somewhere around "la", then
this is the normal sound made by a mac failing certain hardware tests
at power-on.  I've experienced this from bad memory boards and from
memory boards not being seated properly, but I believe that there are
other possible causes for this particular sound.

------------------------------

Date:    Sat, 02 Nov 91 14:46:32 -0500
From:    flaps@dgp.toronto.edu (Alan J Rosenthal)
Subject: Re: Only Scan Floppies? (general)

jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes:
>Reason being a performance degradation issue.  Floppies are slow
>anyway and adding the time to scan the file is a very small percentage.
>But adding the time to a hard disk access is a larger percentage
>(though I admit still small) and not really necessary as I checked
>my hard disk thoroughly at boot up time.

Is it feasible not to check files on your disk at boot time, and
*only* to check files when running them?  This sort of meets the same
objective.  Of course, you still have to scan boot sectors, etc, upon
boot, but not every file on the disk.

------------------------------

Date:    Sat, 02 Nov 91 21:46:53 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Vesselin Bontchev's history paper

I finally got around to reading Vesselin's "Bulgarian Virus Factory"
paper, which Ken archived in TeX, PS and text format at cert.  I am
sorry I waited so long.  This paper is excellent, not only for its
fascinating account of the "Factory", but also the excellent primer on
viral operations in general.  It is also a "must read" for those who
want to know "why do these people do that?"

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Power users think
Institute for  Robert_Slade@mtsg.sfu.ca | 'Your PC is now
Research into  CyberStore               | Stoned' is part of
User           (Datapac 3020 8530 1030) | the DOS copyright
Security       Canada V7K 2G6           | line." R. Murnane

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 208]
******************************************
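Editor's note, appended after the digest: two items in this issue come down to the same scanner mechanics. The Virus Bulletin notice at the top withdraws a published hexadecimal search pattern because it produces false positives, and Jeff Johnson asks for a scanner that looks inside Zipped files. The Python below is an added example written for this page, not code from Virus Bulletin, VSHIELD, F-PROT or any poster. It compiles a hex search string with `??` wildcards into a byte regex, descends into ZIP archives (nested, with a depth limit) so that members are scanned decompressed, and measures a pattern's false-positive rate over a known-clean corpus before it is accepted. The two patterns, the clean corpus and the suspect archive are all constructed here; no real virus pattern appears, and nothing about the Gosia pattern itself is reproduced.

```python
"""Hex search-pattern scanning, ZIP descent and a false-positive check.

Added example for this page; not code from Virus Bulletin or any scanner
named in the digest.  The patterns and all sample files below are
constructed for the example.
"""
import io
import re
import zipfile

# Constructed patterns written as hex search strings with "??" as a
# one-byte wildcard.  TOO_GENERIC matches "mov ax,imm16 ; int 21h", the
# ordinary DOS system-call sequence found in almost every clean program,
# so it is guaranteed to fire on clean files.  SPECIFIC is an arbitrary
# 10-byte stand-in for a well-chosen pattern (not a real virus pattern).
TOO_GENERIC = "B8 ?? ?? CD 21"
SPECIFIC = "E8 00 00 5E 83 EE 03 B4 4A CD"

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every ZIP archive


def compile_pattern(hexpat):
    """Compile 'B8 ?? ?? CD 21' into a bytes regex; '??' becomes '.' (any byte)."""
    parts = []
    for tok in hexpat.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def iter_members(name, data, depth=0, max_depth=4):
    """Yield (path, bytes) for every scannable leaf: an ordinary file, or
    each member of a ZIP archive, recursively.  max_depth bounds the
    recursion so a deliberately nested archive cannot keep the scanner
    busy forever."""
    if depth < max_depth and data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        yield from iter_members(name + "!" + info.filename,
                                                zf.read(info), depth + 1, max_depth)
                return
        except zipfile.BadZipFile:
            pass  # ZIP signature but not a readable archive: scan it raw
    yield name, data


def scan(files, patterns):
    """Return [(path, pattern_name)] for every leaf matched by any pattern."""
    hits = []
    for name, data in files.items():
        for path, blob in iter_members(name, data):
            for pname, rx in patterns.items():
                if rx.search(blob):
                    hits.append((path, pname))
    return hits


def false_positive_rate(pattern, clean_corpus):
    """Fraction of known-clean leaves (archive members included) that the
    pattern matches.  Anything above zero means the pattern must not ship."""
    total = matched = 0
    for name, data in clean_corpus.items():
        for _path, blob in iter_members(name, data):
            total += 1
            if pattern.search(blob):
                matched += 1
    return matched / total if total else 0.0


# ---- constructed sample data (not real programs) -------------------------
DOS_EXIT = b"\xB8\x00\x4C\xCD\x21"  # mov ax,4C00h ; int 21h


def make_zip(members):
    """Build a deflated ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLEAN_CORPUS = {
    "HELLO.COM": b"\xB4\x09\xBA\x0A\x01\xCD\x21" + DOS_EXIT,
    "TOOL.EXE": b"MZ" + b"\x00" * 30 + DOS_EXIT,
    "UTILS.ZIP": make_zip({"A.COM": b"\x90" * 8 + DOS_EXIT,
                           "B.COM": b"\xEB\x02\x90\x90" + DOS_EXIT}),
}
SUSPECT = {
    "GAME.ZIP": make_zip({"GAME.COM": b"\x90" * 4
                          + bytes.fromhex(SPECIFIC.replace(" ", "")) + DOS_EXIT}),
}

if __name__ == "__main__":
    for label, pat in (("TOO_GENERIC", TOO_GENERIC), ("SPECIFIC", SPECIFIC)):
        rate = false_positive_rate(compile_pattern(pat), CLEAN_CORPUS)
        print(f"{label:12s} false positives on clean corpus: {rate:.0%}")
    print("hits:", scan(SUSPECT, {"SPECIFIC": compile_pattern(SPECIFIC)}))
```

Run as a script, TOO_GENERIC hits every file in the clean corpus, including the members inside UTILS.ZIP, because B8 ?? ?? CD 21 is the bytes of an ordinary DOS call; that is the shape of pattern a publisher has to withdraw however well it matches the virus it was taken from. The SPECIFIC pattern is found only inside GAME.ZIP, and only because the archive is opened and the member decompressed before matching: a byte scan of the deflated archive would not see it. The check worth keeping is the last function: a pattern that matches anything in a clean corpus is not published.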
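Editor's note, appended after the digest: Axel Gutmann's message above argues that the differential equations relating the rate of new infections to the vaccinated percentage and the population density carry over to viruses spreading among compatible computers. The Python below is an added example written for this page, not from the digest or any poster: the standard S-I-R equations integrated numerically, with a protected fraction p removed from the susceptible pool before the outbreak, to show the "vaccination" threshold he describes. The values of beta (the contact term, which grows with the density of compatible machines) and gamma (the rate at which infections are found and cleaned up) are constructed for the example.

```python
"""Spread of a virus through compatible machines, using the S-I-R
equations used for biological epidemics.

Added example for this page illustrating Axel Gutmann's argument; not
from the digest.  Every parameter value below is constructed.

    dS/dt = -beta * S * I              S: susceptible (compatible, unprotected)
    dI/dt =  beta * S * I - gamma * I  I: currently infected
    dR/dt =  gamma * I                 R: cleaned up or protected

All three are fractions of the compatible population.  beta grows with
the density of compatible machines (more disk exchanges per unit time);
gamma is the rate at which infections are noticed and removed.
"Vaccinating" a fraction p moves it from S to R before the outbreak.
"""


def basic_reproduction_number(beta, gamma):
    """Infections one infected machine causes in a fully susceptible population."""
    return beta / gamma


def protection_threshold(beta, gamma):
    """Smallest protected fraction p at which R0 * (1 - p) < 1, so each
    infection produces fewer than one new one and the outbreak dies out.
    Zero if the virus cannot sustain itself even unopposed (R0 <= 1)."""
    r0 = basic_reproduction_number(beta, gamma)
    return max(0.0, 1.0 - 1.0 / r0)


def simulate(beta, gamma, protected_fraction, seed=0.001, days=365, dt=0.1):
    """Forward-Euler integration of the S-I-R system.

    Returns (peak_infected, ever_infected): the largest infected fraction
    at any moment and the fraction that was infected at some point
    (the seed included)."""
    if not 0.0 <= protected_fraction <= 1.0 - seed:
        raise ValueError("protected_fraction must leave room for the seed")
    s = 1.0 - protected_fraction - seed
    i = seed
    r = protected_fraction
    peak = i
    for _ in range(int(days / dt)):
        new_infections = beta * s * i * dt
        removals = gamma * i * dt
        s -= new_infections
        i += new_infections - removals
        r += removals
        peak = max(peak, i)
    ever_infected = 1.0 - protected_fraction - s
    return peak, ever_infected


if __name__ == "__main__":
    beta, gamma = 0.6, 0.2  # constructed: R0 = 3
    print("threshold protected fraction:", round(protection_threshold(beta, gamma), 3))
    for p in (0.0, 0.5, 0.8):
        peak, ever = simulate(beta, gamma, p)
        print(f"protected {p:.0%}: peak infected {peak:.1%}, ever infected {ever:.1%}")
```

The threshold 1 - 1/R0 is Gutmann's point in formula form. Above it each infection produces on average less than one new infection, so the outbreak never takes off and the residual infections stay small enough to handle by other data-security measures; below it the virus reaches a large share of the compatible machines however thorough the clean-up of individual PCs. With the constructed R0 of 3 the threshold is two thirds: the script shows a large epidemic at 0% and 50% protection and an outbreak that only shrinks from its seed at 80%.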