VIRUS-L Digest Wednesday, 20 Nov 1991 Volume 4 : Issue 222 Today's Topics: Re: SCAN & VSUM questions (PC) Re: Only Scan Floppies? (general) re: stoned virus (PC) Re: F-PROT v2.01 (PC) Aircop (PC) Re: Am I infected ? (PC) Re: Am I infected ? (PC) Re: Only Scan Floppies? (general) Cascade & IRQ2 (PC) Re: Norton SI 6.01 and Cascade? (PC) Serial port virus detection (PC) Re: Taxonomy Smiley Cancer (Amiga) File checking - 2 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 15 Nov 91 17:45:41 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: SCAN & VSUM questions (PC) JTUCKER@VAX2.CSTP.UMKC.EDU writes: >Greetings all, Greetings :-) >Could someone explain why SCAN goes over all .sys and all .prg files when >scanning a drive??? Also where can I find the latest VSUM? Hello Joseph, VIRUSCAN will by default check files with certain extensions for computer viruses in case there are some renamed .COM or .EXE or overlay files. I think VSUM is on garbo.uwasa.fi. If you can't find it there, your best best would be to contact the author directly. Regards, Aryeh Goretsky McAfee Associates Technical Support - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Fri, 15 Nov 91 18:02:47 +0000 >From: Albert-Lunde@nwu.edu (Albert Lunde) Subject: Re: Only Scan Floppies? (general) flaps@dgp.toronto.edu (Alan J Rosenthal) writes: >jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes: >>A perceived delay every time the user runs a program is sand in the gearbox. >agreed. But Disinfectant init on the mac scans each time the program is run, >and it is not a perceivable delay. The Disinfectant INIT does not "scan" disks when they are inserted. It contains custom patches which intercept a list of known viruses *at the time they try to infect*. In the case of Desktop file viruses like WDEF, this may indeed be when the disk is inserted. In the case of other viruses, this may not happen until an infected application (or other code) is run. Thus it can still be wise to scan with the Disfinfectant application. The relatively specific nature of the Disinfectant's INIT's patches, the small number of Mac viruses and the fact it does not try to prevent unknown viruses are what make it small and unobtrusive. - -- Albert Lunde Albert-Lunde@nwu.edu alunde@nuacvm.bitnet ------------------------------ Date: Fri, 15 Nov 91 12:22:24 -0500 >From: "Fran Murello" Subject: re: stoned virus (PC) Somehow I also ended up with the stoned virus (or a similar strain as Norton anti virus say) on my pc. I first noticed it when I had an error on the dos 5 shell menu stating that I had a wordperfect savestate error. From this point on the machine started acting real spooky..losing screen defalut files, unable to acces dos commands etc. After rebooting I saw a message saying my pc was stoned! I used norton utilites to look at the boot track and found a message saying "leagalise marijuana" (must have been stoned, they legalize wrong!) anyways I finally got rid of the virus BUT the cmos values of my hard drive were corrupted. My 40 mg hard drive was now only 33 and showed 100% usage. After finally figuring out that this is what happened I was able to change the values and restore data. I learned many hard lessons during this disaster. I have no understanding as to why someone can get off on doing this. It is pure vandalism and shows not the persons intelligence, but the their overall ignorance. I hope that they can put their programming skills to some good use someday. ------------------------------ Date: Fri, 15 Nov 91 11:33:00 -0600 >From: Steven Klepzig Subject: Re: F-PROT v2.01 (PC) >Does anyone out there have any experience loading VIRSTOP.EXE into >upper memory with 386Max? My Zenith 386/20 crashes when I add the >line C:\386MAX\386LOAD PROG=C:\F-PROT\VIRSTOP.EXE to autoexec.bat. The following works for me on my IBM PS/2 P70: c:\bluemax\386load size=65792 prgreg=2 flexframe prog=c:\f-prot\virstop BTW: Bluemax is essentially the same as 386max, just with a different install & maximize program. When I run F-TEST (1.16) I get an ACCESS DENIED message back. Not quite the same message as with F-DRIVER but if VIRSTOP isn't loaded I don't get the message. I guess that means VIRSTOP is working... - -- Steven ======================================== Steven R. Klepzig = University of Utah = 135 Student Services Building = Murphy's Law, v.1.7 "The time it Salt Lake City, Utah 84112 = takes to pinpoint a LAN problem is = directly proportional to its Phone -- 801-581-3437 = gravity." FAX -- 801-585-3034 = InterNet -- sklepzi@ssb1.saff.utah.edu = ======================================== ------------------------------ Date: Fri, 15 Nov 91 13:58:58 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Aircop (PC) >From: Tom Killalea >CLEAN 7.9v84 says "Virus cannot be safely removed from boot sector". >DOS\SYS says "Not able to SYS to .3L File System" >(That's a superscripted L, and is the same for all floppies.) Mr. Killalea must be using DOS 5.0 (possibly 4.x also) which uses extended boot parameter blocks. One of the entries in this area is the "FAT12" or "FAT16" ASCII identifier and the Aircop sample I have overwrites this area with hex "33 c0" (would display as a numeral three followed by a super- scripted "L"). Since SYS sees the extended BPB yet cannot resolve the FAT, the error occurs. (untested assumption but matches symptoms). Incidently, with all due respect to Ms. Hoffman, (VSum) I have seen 3 1/2" disks as well as 5 1/4" infected with the AirCop. In fact the first time I encountered the Aircop, it was on a 3 1/2 MS-DOS distribution disk (not from Mircrosoft) that accomanied a new laptop. Debug may be used to replace the Boot Record with a new, clean version by loading a valid BR from a known clean floppy of the same size and density and using this to replace the infected sector. It is possible that these disks have incurred a double infection with resultant loss of the original boot record. This could account for the inability for a "generic" disinfection to properly restore the virus since without a valid BPB the only way to tell what kind of disk it is would be to look at the letters on the disk cover (difficult for software to do). (yes, I know it could be derived from the FAT and CMOS information but it takes an intuitive jump to find it). Padgett ------------------------------ Date: Fri, 15 Nov 91 18:44:00 +0000 >From: Old Baldie Subject: Re: Am I infected ? (PC) bdh@gsbsun.uchicago.edu (Brian D. Howard (CS)) writes: > HSR4@vax.oxford.ac.uk (Old Baldie) writes: > >>My apologies to all and sundry if this is a FAQ, but I'm wondering if I am >>infected :-). > >>My PS/2 55sx developed an odd condition without warning - memory is recorded >>as 639K instead of 640K, but none of the anti-viral packages which I use has >>been able to identify any virus being present. > > Thats the normal state of affairs for the PS/2. I believe some other > systems such as Hewlett-Packard Vectras also have the same 'feature'. It does seem that way - except that mine clearly (and unequivocally) had 640K earlier in its life. However, the likely cause is close to identification, and many thanks to all those who have either mailed me direct, or made polite suggestions on the Net. Once I have run a couple of suggested checks (soon, if I can persuade someone to make days 48 hours long...) I will post the details for those interested. +--------------------------------------+ | Peter G. Q. Brooks HSR4@OX.VAX.AC.UK | | Health Services Research Unit | | Dept of Public Health & Primary Care | | University of Oxford | +--------------------------------------+ | +44 (0) 865 224375 8.30 am - 7.30pm | +--------------------------------------+ ------------------------------ Date: Fri, 15 Nov 91 18:50:00 +0000 >From: Old Baldie Subject: Re: Am I infected ? (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > HSR4@vax.oxford.ac.uk (Old Baldie) writes: > >> My PS/2 55sx developed an odd condition without warning - memory is recorded >> as 639K instead of 640K, but none of the anti-viral packages which I use has >> been able to identify any virus being present. > > A lot of resident viruses show such behaviour, indeed, especially the > boot sector ones. However, the controller configuration of some > computers make them eat up 1 Kb of RAM too. On most intelligent setups > (those that are built in ROM), it is possible to specify whether this > amount of memory will be taken from the top of the available memory > (therefore reducing the amount of memory available to DOS) or from one > of the low-address segments (was it 0300h?). The latter does not show > any decreasing of the amount of memory available. Unfortunately, the > PS/2 systems do not have this good feature (what is really good on IBM > originals?). They are meant to be set up by a special setup program, > which is specific for the particular model. I believe that in your > case you are not infected. BTW, the PS/2 50 Z on which I am working > right now says that it has 639 Kb available only as well... :-) > >> It's a failure on my part, I know, but I wasn't aware that the RAM had been >> reduced until I ran NEWDET (the only package which reports the size as being >> suspicious) after installing a tapestreamer card. > > No, I bet that this is how you received your machine - with 639 Kb > memory available. This is what set off the alarm bells - it was set up with 640K, and I even have screen dumps somewhere which show this. Also, running NEWDET previously had not reported 'suspicious...memory size is 639K' - - it was NEWDET which alerted me to the anomaly. >> I had wondered if a PS/2 specific virus had somehow got itself into battery- >>backed system configuration RAM, but I can find no sources of information which >> would confirm/deny this possibility. > > Sorry, but the above has almost no sense... I have received messages which suggest otherwise, and I will collate all the useful and relevant pieces into a report to be posted soon. >> I have checked through a list of known viruses looking for one which fits the >> bill, but without success to date. If anyone can offer advice or (polite and >> biologically feasible) suggestions, I would be grateful. > > Again, you're probably not infected, but nevertheless, check it with a > good scanner, just to be on the safe side. Hope the above helps. Many thanks for your suggestions (and say Hallo to Hamburg - I last visited some 23 years ago! Beautiful city, marvellous people.) Auf wiederhoeren, +--------------------------------------+ | Peter G. Q. Brooks HSR4@OX.VAX.AC.UK | | Health Services Research Unit | | Dept of Public Health & Primary Care | | University of Oxford | +--------------------------------------+ | +44 (0) 865 224375 8.30 am - 7.30pm | +--------------------------------------+ ------------------------------ Date: Fri, 15 Nov 91 18:54:00 -0500 >From: F8DY@VAX5.CIT.CORNELL.EDU Subject: Re: Only Scan Floppies? (general) flaps@dgp.toronto.edu (Alan J Rosenthal) writes: > jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes: >>A perceived delay every time the user runs a program is sand in the gearbox. > > agreed. But Disinfectant init on the mac scans each time the program is run, > and it is not a perceivable delay. No, this is _false_! Disinfectant INIT does _not_ scan the file when it is run; it stops the virus if and only if it attacks. With file infectors such as nVIR, this is immediately when the infected file is run, but with Desktop infectors such as WDEF and CDEF, Disinfectant INIT will not notify you of the virus until its resource is called, usually by opening a window (in the case of CDEF) or legitimately modifying the desktop file by copying a file or creating a folder (in the case of WDEF). You can verify this by using a CDEF/WDEF infected disk under System 7 -- the new OS never passes control to a CDEF (Control DEFinition) or WDEF (Window DEFinition) in the Desktop file, so the virus never gets a chance to spread, so Disinfectant INIT will never alert you that the disk is infected, since it is non-contagious. For this reason, many people like Gatekeeper Aid, since it _does_ scan the Desktop file on disk insert and automatically removes specific viruses, including CDEF, WDEF, MDEF, and possibly (but don't quote me on this one) INIT-29. Mark - -- Mark "mostly harmless" Pilgrim ___/_ Here's to anyone who knows f8dy@crnlvax5 -=- f8dy@vax5.cit.cornell.edu \___/ which hex doesn't belong: Disclaimer: My boss disavows this disclaimer. | D5 AA 96, D5 AA AD, B7B5, "Elephants are kindly but they're dumb." -S&G _|_ A56E, C600, FF69, or 9D84. ------------------------------ Date: Fri, 15 Nov 91 21:45:15 -0500 >From: Scott Begin <34RXESC@CMUVM.BITNET> Subject: Cascade & IRQ2 (PC) Ken West was asking about the CASCADE that showes up for IRQ 2 when using the Norton Utilities SYSINFO program. This is an operating system kludge, and I'll try to explain it the best I can (from the explanation I was given by Microsoft Tech Support when I was trouble shooting a MS bus mouse). I may not have this right. When the PC was origionally designed, it was not expected that any computer could need more than 8 hardware addresses, with an address taken up by the hard disk, LPT1, LPT2, COM1, COM2, the floppy disk, etc... When the AT came out, cascading was used to allow for more hardware interupts, where IRQ2 cascaded. Addressing IRQ's higher than 7 were done through IRQ2 (for compatability reasons). Although this was first used on the AT (a 80286 based computer), It has even been used on 8088 computers, I think especially anything using ISA (Industry Standard Archetecture). This includes my computer (an 8088 with a bios dated 1989 by Central Point Software), as well as the Zeneth 8088 computers we have in the computer lab where I work. So far, of the computers I have tested using my Norton Uitlities SYSINFO, I have only found one (a REALLY incompatable 8088 based computer with a Sperry name on it) that does NOT use cascading. While not related to the subject at hand, after I found this out, the next guy I talked with at Tech support for Microsoft told me I had a '286 when I read off my interrupts to him, because of the cascading. Mark it up to another case of poorly trained tech reps. I hope this helps. Scott A. Begin E-Mail: 34RXESC@CMUVM.BITNET _Same "The Graveyard Madman" 34RXESC@cmuvm.csv.cmich.edu / Account Student Consultant 70334.376@compuserve.com Ronan Computer Lab CSV310@V8530 (CMU Campus Only) Central Michigan University AT&T: (517) 772-6327 USnail: 1418 E. Gaylord #M-9;Mt.Pleasant,MI 48858 ------------------------------ Date: 15 Nov 91 21:39:23 -0500 >From: Leonard Erickson <70524.2603@CompuServe.COM> Subject: Re: Norton SI 6.01 and Cascade? (PC) In Virus-L #4.219 westk@cgrb.orst.edu (Ken West - Entomology) writes: >I just installed Norton Utilities version 6.01 with DOS 5.0 running >on my 386-25. The SI (system information) utility has a function to >list hardware interupt usage. When I make this selection, it reports >[Cascade] grabbing interrupt 2 (IRQ 02). I scanned the machine with >McAfee Scan v. 84, and F-prot version 2.01 and neither report >infection. Can anyone tell me what is going on here? Has anyone >else seen this with Norton 6.01? > >I realize that Cascade is harmless but I don't want it around. Also, >when I look at the interrupt usage with Quarterdeck's Manifest it >shows IRQ 02 being used by the system ROM. I'm confused! The reference to "Cascade" in SI is to the fact that on AT class machines, IRQ 2 is used to "cascade" the intrrrupts from the first interrupt controller to the second. Thus it is likely used by the System ROM as well, and both programs are correct. You are the victim of terminology overlap. Not of a virus attack. ------------------------------ Date: 07 Nov 91 22:04:00 +0000 >From: paul.munsie@f12.n8690.z3.fido.zeta.org.au (Paul Munsie) Subject: Serial port virus detection (PC) I have a puzzling problem that I'm not sure anyone can solve, however a few replies to this may shed some light on the problem. An 80286 processor is running in a "machine" that only has a serial port for programming, and a virus infects the data in memory via the port. This machine hasn't got a conventional qwerty keyboard or VDU or disk drive. Access to the programme is via simple user terminals and breaking out of the programme to key in a virus checker / cleaner isn't possible. The data - not the programme - can be downloaded and uploaded via the serial port to disk via a laptop or similar. A limited amount of data space would be available above the data in memory Now my question is, If the data in the machine is infected and the data on disk is also, can either of these be cleaned and the good data transfered via the port to clean the virus completely. The only way to clean it now is to delete the data and manually reload it; a very time intensive procedure. The only other information I can offer is that I believe the virus on the disk wouldn't be active because it would be stored as part of a data file, and could even be undetected by its normal virus checker. Also there would be a limited amount of spare memory in the machine above the data in memory. For those that are interested the Virus could possibly be "Asuzu" (not sure though) and the machine is a PABX. Thanks in advance, Paul. - --- * Origin: Mount Isa - Biggest city in the world. (3:8690/12) ------------------------------ Date: Thu, 14 Nov 91 09:32:21 +0000 >From: Norman Paterson Subject: Re: Taxonomy I note that most of the schemes for virus taxonomy use a Linnean (?) approach. I wonder if this approach can work in principle, since computer viruses do not evolve in quite the same way as biological ones. Life usually evolves by gradual diversification. It is not common for genetic material from one species to be grafted into another. And each creature must be viable at every stage in the game. Computer viruses don't have these restrictions. Their authors can copy material from one to another, and test their viruses in special conditions where viability is not necessary. So should we expect a tree-structured approach to work? Another approach might be based on a string comparison, treating the viruses as strings of characters, and comparing them. Some years ago I was interested in this and came up with a method that suited my purposes then, which was to find mis-spelled names in a register. The algorithm defines a function "sim" which measures the "similarity" betwen two strings, as follows: 1 Let A and B be two strings. 2 Let sim (A, B) = sim (A', B') + sqr (length (S)) + sim (A'', B'') where S = longest nonempty common substring of A and B, and A = A'SA'', and B = B'SB'' For example, suppose A = "Paterson" and B = "Patterson". The longest nonempty common substring to these is "terson", so that: S = "terson" A' = "Pa" B' = "Pat" A'' = B'' = "" So sim (A, B) = sim ("Pa", "Pat") + 36 We now recursively call sim with A = "Pa" and B = "Pat". The longest nonempty common substring to "Pa" and "Pat" is "Pa", giving: S = "Pa" A' = B' = "" A'' = "" B'' = "t" Therefore, sim ("Pa", "Pat") = 0 + 4 + sim ("", "t") To calculate sim ("", "t"), we see that there is no non-empty common substring, ie the strings have nothing in common at all. So their similarity is zero. Adding up gives sim ("Paterson", "Patterson") = 40. Some of sim's properties are noteworthy. It ranges over the positive integers, with no upper bound. If two strings are identical, their similarity is the square of their length, so long identical strings are more similar than short ones. Another property is that in general sim (A, B) <> sim (B, A). I expect you could explain these properties in terms of information theory, and the chance of mistaking A for B (which is not necessarily the same as the chance of mistaking B for A). In implementing sim, there is scope for clever programming to keep it efficient. I suggest we could use sim as the basis for a metric to define a virus space in which we could pinpoint our viruses by their distance from one another. For example, we could define the distance between two viruses A and B as the reciprocal of the mean of sim (A, B) and sim (B, A). Then variants would all be close together, presumably in little clusters. Perhaps we could even project the space onto 2 dimensions and look at it. How about it, Frisk? Norman ------------------------------ Date: Sun, 17 Nov 91 01:04:31 +0000 >From: graaff@gvu5.cc.gatech.edu (Hans de Graaff) Subject: Smiley Cancer (Amiga) Hi, I would like to know if anyone has information about a virus called the 'Smiley Cancer'. I've got it all over my disks, and I haven't found a program yet that can deal with it. The virus is not a bootblock-virus, but it isn't a link-virus in the true sense of the word either. It uses a method similar to the DIR II virus for the PC, because it changes some information in the file- headers. I can probably give more info on request. Thanks in advance, Hans - -- +---------------------------------+------------------------------------+ | Hans de Graaff | If the only tool you're used to | | graaff@cc.gatech.edu | is a hammer, | | GVU Center | the whole world looks like a nail | | College of Computing | | | Georgia Institute of Technology | Abraham Maslow | +---------------------------------+------------------------------------+ ------------------------------ Date: Fri, 15 Nov 91 22:44:02 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: File checking - 2 FUNGEN8.CVP 911115 File checking - part 2 Historically, it is interesting to note that, initially, operation monitoring and restricting software was the preferred means of antiviral protection. Subsequently signature scanning software became more prevalent, and currently holds dominance in terms of number of programs in use. Change detection software, however, has recently become very popular and, from my reviews of software, at least, now leads in terms of number of different programs implementing the technique. The most basic type of change detection program could simply automate the process of manual file checking outlined in the previous column. However, this would not catch "overwriting" viri, as long as they did not change the file date. Therefore, most change detection software performs some type of "image checking" as well. "Image", "numerical" or "statistical" file checking is based on calculations performed on the data making up the file. At its most rudimentary, this is based on the "checksum". As the name suggests, this is nothing more than a check of the "summing" of all data in the file, or sometimes the modulus of that sum. More complex is the CRC or "cyclic redundancy check", which performs more complex calculations on matrices of the data. (This is done in a fashion similar to the Hamming encoding used for error detection and correction.) It would be fairly simple for an overwriting virus to calculate the checksum for a given file, and then to modify the code of the infected file in such a way that the checksum would still match. This is the reason for some of the more complex calculations which are implemented. While the initial checking of files is fairly standard, there are a wide variety of implementations for the subsequent checking of files. The original information must, of course, be stored somewhere. Some programs create a single file for this, others attach the information to the program to be protected. Each means has advantages and disadvantages. A single file means a single entity which virus authors may find out about and "target". Attaching of data to programs which may be altered means that the calculated codes may be altered or erased as well. Sometimes small modules of code are attached to the programs in order to allow the programs to check themselves. Unfortunately, adding such modules to programs which already check themselves for changes may prevent the programs from running. (Norton AntiVirus stores the information in a number of hidden, 77 byte files, with names similar to that of the protected file. This caused a number of users to suspect that the results of Norton's protection were actually the results of a virus. One fairly unique ploy is used by "Victor Charlie", which, in its earliest incarnation, simply offered itself as "bait" to viral programs -- and then checked itself.) copyright Robert M. Slade, 1991 FUNGEN8.CVP 911115 ============= Vancouver p1@arkham.wimsey.bc.ca | "If a train station Institute for Robert_Slade@mtsg.sfu.ca | is where a train Research into CyberStore | stops, what happens User (Datapac 3020 8530 1030)| at a workstation?" Security Canada V7K 2G6 | Frederick Wheeler ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 222] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253