VIRUS-L Digest   Wednesday, 6 Mar 1991    Volume 4 : Issue 38

Today's Topics:

Re: Stoned - new version? (PC)
Re: Research viruses
Interesting use of viruses
Mini-viruses
Standardized virus signatures
Virus Checking in ROM
Legislation and Protection
Windows 3.0 / F-Prot (PC)
National Computer Security Assn.
Re: ALERT: WDEF A, found on Rodime utilities for Mac. (Mac)
UK Computer Crime Unit
Weird Stuff Happening to PCs Here at Ohio Univ. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    03 Mar 91 00:19:09 +0000
From:    rsoft!mindlink!John_Carson@van-bc.wimsey.bc.ca (John Carson)
Subject: Re: Stoned - new version? (PC)

My friend Paul purchased a MICROSOFT DOS 4.01 at a computer store and also purchased some BRAND NAME 3 1/2 DISKS. The salesman copied the DOS onto the 3 1/2. Later we found the VIRUS Stoned II on the system. After cleaning up the system, we found the virus was on the original MICROSOFT DOS 5 1/4 DISKS. Can this virus jump onto the original as you copy it to another... OR is there a chance it was on the MICROSOFT DOS?
********************************************************************
D. John Carson          J & H Concepts          a29@mindlink.UUCP
604-589-5118            uunet!van-bc!rsoft!mindlink!a29
***********************************************************************

------------------------------

Date:    Mon, 04 Mar 91 16:54:50 -0500
From:    Joe McMahon
Subject: Re: Research viruses

Research viruses: just say no.

Case in point: the purported author of the Scores virus, who is reportedly under arrest at the moment, wrote in the documentation for the Vaxene program (which removes Scores) that s/he never expected the virus to get loose. A research virus. A fine and a jail term. Thanks, I'll pass. I have enough troubles.

If you have all of this inventive energy, why not write a real program and get some real recognition for your talents?

--- Joe M.

------------------------------

Date:    Tue, 05 Mar 91 04:27:09 -0500
From:    lan@bucsf.bu.edu (Larry Nathanson)
Subject: Interesting use of viruses

This is an edited version of something I wrote for comp.risks 6.29 on 19 Feb 88.

-----------------------------------------------------------------------

A few years ago, while I was in high school, I read a short description (in Sci. Am.) of 'a neat thingy' called a computer virus. For the hell of it, I decided to write my own. (This was before "computer virus" was a buzzword in every household). It was short (<500 lines source code) and contagious to Apple // DOS 3.3 disks. Since it was a challenge and not a malicious attempt to destroy data, when it triggered, all it said was "BOO". It was never 'released' and I have the only copies of it.

After a while I started wondering what use viruses could have, besides the destruction of data. One of the things I came upon was that it could be used to get information out of a secure system.

For example, let's take 3 sample computer systems: A, B, and C. Someone at A has a file that someone at C wants. B is a computer system that exchanges software with both A and C.
(B could also be multiple computer systems that exchange software among themselves, and form a link from A to C.)

C introduces a virus to B's system, with the hope that it will get to A's system. (Divergent phase) Of course a lot of other people get this, but to them it is innocuous. All this virus does is check the date, and scan for a character string. When a given character string is located (i.e. "Apple Computer Secret Plans for 1992") it either 1) opens up a communication channel {modem|ftp|mail} to A, and dumps all relevant information, or 2) appends a certain amount of the information to itself, and subtly changes itself: it is now an outbound virus, and will only transfer the information to an already infected system. (Convergent phase) Thus eventually, the information will slowly come back to A.

If a copy of the divergent virus finds that the date is greater than a certain limit, it decides that it has diverged too far, and is on a dead end, and just nukes itself.

If a group of programmers sat down and came up with such a "smart" virus, the implications could be staggering.

------------- If you cut here you'll ruin your monitor -----------

3/5/91

In these modern times, when everyone and their brother is doing constant scans of every disk they have (hopefully), this wouldn't be as easy to pull off as when I wrote it. But the idea of 'hidden interdisk networks' is quite intriguing.

--Larry Nathanson
lan@bucsf.bu.edu
617 266 7419

------------------------------

Date:    Tue, 05 Mar 91 14:48:37 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Mini-viruses

We have seen viruses evolve in various directions. In some virus families, the variants tend to become more sophisticated, harder to detect, or add new functions. In other families the viruses just become smaller and smaller.
When I first became involved in viruses, the smallest virus known was Vienna, 648 bytes long, but the latest Bulgarian variants of the Vienna family are much smaller, only around 350 bytes.

Another family of small viruses are the 'Burger' viruses. The naming of the variants is in a mess, and I have several identical samples with different names from various sources. In this family we have 5 560-byte variants, the '405' virus and the '382'.

The Kennedy virus is small, only 333 bytes, but the related 'Tiny' virus was for a while the smallest virus known - 163 bytes.

Then the Bulgarian virus writers started writing really small viruses. The "Bulgarian Tiny" family has several members, the smallest of which is only 132 bytes long. An unrelated virus, which I propose to call "Micro-128", written by a different person (but also in Bulgaria) is currently the smallest resident virus - only 128 bytes long.

It is of course possible to write an even smaller non-resident virus, and (naturally) a Bulgarian virus writer did just that - the result, which I propose to call 'Minimal', is only 45 bytes. Yes, 45. According to Vesselin Bontchev, the author could theoretically remove some unnecessary code - reducing the size to 30 bytes or so.

The chances of becoming infected with this virus are practically nil, as it is not known in the wild, but users of F-PROT can add the following line to SIGN.TXT to detect it.

Minimal-45 dOT5v5ememVLstmMnMLdjSmmWtMpGfnBv2w7U7GFTBWdhvtgjLErsbwR71YJI1xfLd

-frisk

Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date:    Tue, 05 Mar 91 14:35:00 +0700
From:    "Jeroen W. Pluimers / Jeroen Smulders"
Subject: Standardized virus signatures

Friday, 22 Feb 1991, Jim Pinson wrote:

> noticed that some of them (virus-scan programs) can use an external file
> containing virus signatures. This seems very useful......
> There does not seem to be a standard format of these files

Well, there is some sort of standard. It is being used by VIRSCAN, HTSCAN and TBSCAN/TBSCANX.

The file consists of a list of signatures. All lines starting with ; are considered to be a comment. Every signature has three lines. The first line contains the virus name (Jerusalem-B, for instance). The second line consists of keywords BOOT, COM or EXE (and defines the type of infection). The third line has the virus signature (a HEX string of bytes). There is some provision for byte skips and random bytes. I don't have the format handy, but if anyone is interested, I can post the full specs.

Jeroen W. Pluimers - Gorlaeus Labs, Leiden University

------------------------------

Date:    Tue, 05 Mar 91 03:51:12 -0500
From:    lan@bucsf.bu.edu (Larry Nathanson)
Subject: Virus Checking in ROM

JHSangster@DOCKMASTER.NCSC.MIL writes:

>I agree with Bob Bosen that signature checking is the ONLY anti-viral
>protection that will detect future viruses as well as known ones. My
>"preferred implementation", however, is to put the checking in the BIOS
>ROM so that any executable can be checked while it is being loaded.
>With the checker in ROM, I don't think it is "too easy to fake the all
>clear signal" as Bob says.

Putting the signatures of the executables into the ROM is very impracticable. The 'good' information changes almost daily. If the ROM contains every software package, I'm sure that you would need a new chip every week to keep up with the new revisions. If the ROM contains a personalized version, then you need someone to burn custom ROMs for you. This would still need to be updated on a fairly short-term basis. Also, not every "concerned user" (tm) has the knowledge/skills to install a ROM. That's probably a $75 service call. Also, what if your friend brings over a new program? Do we have to burn its checksum into the ROM first?
*IF: we just put major software packages used on the machine in the ROM, and ignore the little-used ones, we could still wind up with a virus "subpopulation" only in the non-checked software.

*IF: we put every package into the ROM, the number of updates required would be ungodly. Every last patch and bug fix would mean a new chip burn.

*IF: we use software that changes itself (to reflect user preferences, for example) we need a new burn every time we change a default.

Writing a virus that gives the same checksum for every infected and uninfected program is impossible, but it may be possible to write a virus that infects just one package, and keeps the checksum intact. Now this assumes that the virus writer knows what scheme is being used to calculate the signature. The countermeasure to this is to use multiple checksum schemes. Thus while one might show a false "OK", another might catch the change.

Caveat: the only unique "number" that represents a given program ONLY is the program itself. A checksum is a smaller number that is thought to reasonably uniquely identify it. For example, Wordperfect 4.2 is really just a number that contains ~432,000 digits (assuming file size 432K - I have no idea of the real size.) We are trying to semi-intelligently reduce those digits to around 4-8 that will uniquely identify those 432 thousand. Obviously, if we could get 4 or 8, or even 100 digits that do so, we'd have the most incredible compression system in the world. I'll let the mathematicians out there chew on this one for a while - the feasibility of number-crunching the finite viral code into the finite program code to yield the same checksum.

>What is probably needed to get the manufacturers to go along is either
>Federal legislation forcing every commercial software vendor to provide
>a signature or else a Federal standard requiring it on all software
>bought by the Federal government.
>Or maybe if MicroSoft, AMI, Phoenix
>Technologies, IBM, and RSA Data Systems all got together and offered it
>as an option for people who wanted it... Unfortunately, we have here an
>example of what I like to call the "Railroad Problem" (literary
>reference, Heinlein's "Door Into Summer"): If there are no tracks, who
>wants to spend money to develop locomotives, but if there are no
>locomotives, who wants to spend money to lay down tracks?

Whoa!!! Why do the vendors need to provide the signature? You have to have the algorithm to produce the run-time checksum. Why not just run it on the LOCKED software disk when you receive it? Those that want the option can do so. I fail to see what making the company perform some simple computation before shipping the package, versus you doing so after receiving it, would accomplish.

>And in the
>present case, there may well be software vendors who don't like the idea
>that someone can prove their negligence if an employee sneaks a virus
>into their shipped products. That's why legislation may be necessary.

Most reputable software vendors compile the source onto a master disk which is NEVER executed in a machine. It is copied exactly as it is compiled. Thus any resultant virus HAS to be in the source code. If so, there's no hiding from it. Most of the "virus in the shrink-wrapped package" stories I've heard resulted from either 1) the company not following this rule, or 2) the computer store opening and using the package, then re-shrinkwrapping it.

Federal virus legislation would severely discourage software companies from coming out with minor releases (read: bug fixes). If they had to file 500 government forms to release the software, they'd just wait for the next major revision before fixing the small problems. "Federal Legislation" is not a panacea. It would add red tape, and loads of bureaucracy to a system that is 99% honest and reliable.

--Larry Nathanson

// Larry Nathanson . 726 Comm Av #5J . Boston, MA 02215 .
617 266 7419 \\ I've heard they just built a tunnel from England to France. The French drive on the right hand side, the English on the left. Can they save money by building only one lane?

------------------------------

Date:    4 March, 1991
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Legislation and Protection

>From: JHSangster@DOCKMASTER.NCSC.MIL
>Subject: Low-level signature checking protection

>With the checker in ROM, I don't think it is "too easy to fake the all
>clear signal" as Bob says.

Agree: hardware is the only real answer, but there is another place to put it that can be as effective (and simpler to install) than a new BIOS (plus be compatible with every oddball machine that can run MS-DOS). What I am referring to is a ROM extension that could be as simple as an 8-bit card with a ROM on it. Properly set up, it would take control after all other ROM extensions have been loaded and would be able to perform functions not available until then (such as properly re-directing INT 13) as well as boot drive selection (warm or cold), password access, and disk encryption. In fact, I know of a couple of vendors who have such products.

Of course, with some thought, it would be possible to design software that "would not be too easy to fake" provided that the checking path could be authenticated, as we have been discussing for some time.

>What is probably needed to get the manufacturers to go along is either
>Federal legislation forcing every commercial software vendor to provide
>a signature or else a Federal standard requiring it on all software
>bought by the Federal government.

NO ! A thousand times NO ! If the fed had gotten into the act a sequi-decade ago we would all be using EBCDIC instead of ASCII on our 8080s. (And R. A. must be spinning in his grave to hear one of his works being used to support such a scheme: ref. "If This Goes On".)
I agree that provable negligence is a powerful tool as an incentive for authentication, but as used by the court system, not legislation (considering the number of lawyers in this country, I am surprised that this hasn't already happened).

Given that there are something on the close order of 75 million MS-DOS based PCs worldwide, I would be surprised if more than 3-5% would require such a high degree of protection, though probably 90% need more than the none that comes with them. Circa 4 million platforms then require the rigorous protection that specialized companies like Enigma-Logic, Certus, Fischer, etc. can provide. Possibly ten million are pure stand-alone machines that never will access outside software, thus need nothing, leaving something over sixty million PCs that would probably benefit by something simple that is also cheap (<$10/PC) and effective. (Note: these numbers are pure guesses but are probably on the right order.)

This means software. Simple software. This also means that if, starting today, EVERY new PC had such checking built into the ROM (and there would have to be an O/S dependent component also), it would be quite a few years before a significant dent in the population would be made.

The beta DOS 5.00 in test does not seem to have anything new for integrity checking. (Heck, it doesn't even have the 10 bytes it takes to make a .BAT file interactive - see the end of this posting.) So it will probably be 6.0 at least (if ever) before security is bundled.

So we are left with add-ons. Sure, a hardware ROM extension could be sold for under $50, but I would be surprised to see one unless someone sets out to corner the market. However, what I would like to see is a layered product, starting very simply with "optional extras" that play together to build up to whatever is necessary. In fact I would be surprised if several people are not already working on them.
Enough for now,
                    Padgett

Interactive .COM for batch files (use DEBUG):

a
mov ah,00
int 16            ;wait for keyboard input & return in al
and al,5F         ;makes all alphas upper case, numbers become 10h-19h
mov ah,4C
int 21            ;terminate with errorlevel return stored in al

rcx
a                 ;10 bytes
n ask.com
w
q

Use of IF statements and ERRORLEVELs is well documented in DOS (since 3.0 I think) & will allow very simple (and fast) interactive batch files: just give the user choices selectable with a single key, call ASK, and branch on the errorlevel return. I use it with WINDOWS to allow switch selection on launches such as PKUNZIP- app

------------------------------

Date:    Tue, 05 Mar 91 14:41:00 +0700
From:    "Jeroen W. Pluimers / Jeroen Smulders"
Subject: Windows 3.0 / F-Prot (PC)

Tue, 26 Feb 91, Jeff Payne wrote:

> I was curious if there was a windows 3.0 version (or even aware)
> of any anti virus software?

There is a Dutch anti-virus program that is Windows 3.0 aware. It is called TBSCANX (ThunderByte Scanner Resident). It knows when Windows starts up, and you can put it on or off in every DOS window without loading the program again.

TBSCANX is a resident scanner that scans for writes to .EXE and .COM files. When it finds that a virus signature is going to be written, it alarms you.

I'm planning to do an upload of this scanner (+ virus signatures) to the SIMTEL20 archives ASAP.

> Which brings... Is there a "harmless" virus that I could use to test
> my config...

It is included with TBSCAN/TBSCANX.

Jeroen W. Pluimers - Gorlaeus Labs, Leiden University

------------------------------

Date:    Tue, 05 Mar 91 17:13:12 +0000
From:    kotlas@uncecs.edu (Carolyn M. Kotlas)
Subject: National Computer Security Assn.

Can anyone tell me about the National Computer Security Association (NCSA)? Are they a for-profit company? Is their virus information more timely than that posted in comp.virus news articles? Are their books & reports any good?
Before we consider spending the money on membership, we would greatly appreciate hearing from anyone with any experience with this organization. Thanks in advance!

--carolyn

--
Carolyn Kotlas (kotlas@uncecs.edu or kotlas@ecsvax.bitnet)
UNC Ed. Comp. Serv., POB 12035, Res. Triangle Pk., NC 27709    919/549-0671
"Serving the 16 campuses of The University of North Carolina system"

------------------------------

Date:    05 Mar 91 19:55:26 +0000
From:    CAH0@gte.com (Chuck Hoffman)
Subject: Re: ALERT: WDEF A, found on Rodime utilities for Mac. (Mac)

woody@praxis.co.uk (Paul Woodman) writes:

> When you consider the damage that could
> have been caused if trusty disinfectant hadn't come to my rescue (...)

I agree with all of Paul's points except this one. WDEF probably would not have caused any great damage, but it can be a pain to get rid of. (Pardon my grammar.)

- Chuck Hoffman, GTE Laboratories, Inc.   | I'm not sure why we're here,
cah0@bunny.gte.com                        | but I am sure that while we're
Telephone (U.S.A.) 617-466-2131           | here, we're supposed to help
GTE VoiceNet: 679-2131                    | each other.
GTE Telemail: C.HOFFMAN                   |

------------------------------

Date:    Mon, 04 Mar 91 17:38:32 +0000
From:    Nigel Metheringham
Subject: UK Computer Crime Unit

Following last December's note about the UK computer crime unit, and a pair of very minor hits here (Stoned & Joshi - both nipped in the bud), I tried reporting the infections to the UK Computer Crime Unit.

They are basically in a position of trying to justify their existence at the moment - if they do not get reports of viruses, then the government will see no reason to consider viruses a problem, and will not fund them. It is therefore in our best interest to ensure that all virus infections discovered in the UK are reported to the unit.

The sort of information they want is:-

  Name, (company) address, phone etc.
  Type of virus (if known).
  Machines affected (number, type, sensitivity of data).
  Tools used to detect/remove.
  Source of infection (if known).
  "Live" copy.

The live copy is required for evidential purposes - they will arrange for collection of a disk by one of the local police (or I assume you could send it by post). Most people who call them have already cleaned their systems up, so they are not getting many live ones yet!

The person to contact is:-

  Noel Bonczonzek
  Computer Crime Unit
  071 725 2490

(the number was incorrect in the Dec virus-l-digest).

They don't have a network connection (as far as I know), but if there is a demonstrated need then maybe they would get one, so report any virus hits - PLEASE!

Nigel.

[ I asked Noel Bonczonzek if distributing this sort of information ]
[ would be useful to them. He said that it would be useful, but the ]
[ contents of this message are my interpretation of what he said to ]
[ me, so I am responsible for any misinformation, not the UK-CCU.   ]

--
% Nigel Metheringham, System Administrator, Department of Electronics    %
% University of York, Heslington, York, UK, YO1 5DD                      %
% Phone: +44 904 432374  Fax: +44 904 432335  Mail: nigelm@ohm.york.ac.uk %
% #include                    % Keyboard error - fingers dumped!           %

------------------------------

Date:    05 Mar 91 20:29:08 +0000
From:    smash@oucsace.cs.ohiou.edu (Scott Mash)
Subject: Weird Stuff Happening to PCs Here at Ohio Univ. (PC)

In one of our computer labs we have developed a very serious problem with our PCs. Most of the computers will not recognize the printers. We have tried everything short of formatting the hard drive and rebuilding it. We have been scanning almost everyone's disks because of prior problems with Stoned and Ping Pong. Last week one of our lab guardians came up to the office and reported that he scanned someone's disk and found a virus called "ohio". When he tried to clean it, V72 couldn't recognize or clean it. Does this problem sound like something a virus could cause? Any suggestions or anything that could possibly help us.
Thanks in advance,
Scott Mash

--
| Scott (Smasher) Mash                 |                               |
|                                      | Elvis lives !                 |
| Internet: smash@oucsace.cs.ohiou.edu | Buddy Holly is the dead guy ! |
| Bitnet: cs819@ouaccvmb               |                               |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 38]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
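The three-line signature database layout that Jeroen Pluimers describes in the "Standardized virus signatures" post above (comment lines beginning with ";", then one record of virus name, infection-type keywords BOOT/COM/EXE, and a hex byte string) is straightforward to parse and match against a file. What follows is an added example written for this digest, not code from the digest or from VIRSCAN, HTSCAN or TBSCAN. It assumes a "??" token meaning "any one byte", since the post only says the real format has "some provision for byte skips and random bytes"; the sample database and its hex strings are constructed for the example and are not real virus signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample signature file in the layout the post describes.
# Comment lines start with ';'; each record is name / type keywords /
# hex pattern. The hex strings are invented for this example and are
# not real virus signatures. '??' (any one byte) is an ASSUMED wildcard.
SAMPLE_SIGFILE = """\
; constructed signature database for the example
; record = name, infection types, hex pattern
Example-COM-Infector
COM EXE
B8 00 4C CD 21 ?? ?? 90
Example-Boot-Sector
BOOT
EB 3C 90 45 58 41 4D 50
"""

VALID_TYPES = {"BOOT", "COM", "EXE"}


@dataclass(frozen=True)
class Signature:
    name: str
    types: frozenset      # subset of VALID_TYPES
    pattern: re.Pattern   # compiled bytes regex built from the hex string


def compile_hex_pattern(hex_text: str) -> re.Pattern:
    """Turn 'B8 00 ?? 90' into a bytes regex; '??' matches any single byte."""
    parts = []
    for tok in hex_text.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad hex token {tok!r}")
    if not parts:
        raise ValueError("empty signature pattern")
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signature_file(text: str) -> list:
    """Drop ';' comments and blank lines, then read records of three lines."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(";")]
    if len(lines) % 3:
        raise ValueError("signature file is not a whole number of 3-line records")
    sigs = []
    for name, kinds, hexstr in zip(lines[0::3], lines[1::3], lines[2::3]):
        types = frozenset(kinds.upper().split())
        if not types or types - VALID_TYPES:
            raise ValueError(f"{name}: unknown infection type in {kinds!r}")
        sigs.append(Signature(name, types, compile_hex_pattern(hexstr)))
    return sigs


def scan(data: bytes, kind: str, sigs: list) -> list:
    """Names of signatures declared for `kind` (BOOT/COM/EXE) found in data.

    Restricting the search to the object's own kind is what the second
    line of each record is for: a boot-sector pattern is not looked for
    inside .COM files, which keeps false alarms down.
    """
    return [s.name for s in sigs if kind in s.types and s.pattern.search(data)]


if __name__ == "__main__":
    db = parse_signature_file(SAMPLE_SIGFILE)
    # Constructed .COM image containing the first pattern, with two
    # arbitrary bytes in the wildcard positions.
    sample_com = b"\x90\x90\xb8\x00\x4c\xcd\x21\x12\x34\x90"
    print(scan(sample_com, "COM", db))   # ['Example-COM-Infector']
```

The parser is strict on purpose: a record count that is not a multiple of three, an unknown type keyword, or a malformed hex token stops the load rather than silently shifting every later record by a line, which is the failure mode a loosely written reader of this format would have.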
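Larry Nathanson's "Virus Checking in ROM" post above makes two points about integrity checksums: a change can be arranged so that one particular checksum stays intact, and the countermeasure is to check with several independent schemes. The following is an added example illustrating both, not code from the digest or from any product it names. The "program" is a constructed byte string, and the tampering is the simplest change that an additive checksum cannot see: two bytes exchanged, which leaves the sum of the byte values unchanged. The CRC and the cryptographic digest (SHA-256, which a checker would rely on today) both report the change.

```python
import hashlib
import zlib


def byte_sum16(data: bytes) -> int:
    """Plain 16-bit additive checksum of the kind early checkers used.

    Its blind spot: any change that leaves the total of the byte values
    unchanged (reordering bytes, or adding in one place what was taken
    away in another) produces the same value.
    """
    return sum(data) & 0xFFFF


def fingerprint(data: bytes) -> dict:
    """Record several independent fingerprints of one program image.

    A change that keeps one of them intact is very unlikely to keep the
    others intact too; that is the post's "multiple checksum schemes"
    idea. SHA-256 is the one to rely on: no practical change keeps it.
    """
    return {
        "sum16": byte_sum16(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify(data: bytes, recorded: dict) -> list:
    """Return the names of the recorded schemes that no longer match.

    An empty list means every scheme agrees; any name in the list means
    the file differs from the one that was fingerprinted.
    """
    current = fingerprint(data)
    return sorted(k for k in recorded if current.get(k) != recorded[k])


# Constructed stand-in for a program file (not a real executable).
ORIGINAL_PROGRAM = b"MZ" + bytes(range(40))


def swap_two_bytes(data: bytes, i: int, j: int) -> bytes:
    """Constructed tampering: exchanging two bytes leaves the additive
    sum unchanged, so byte_sum16 alone cannot see it."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


def demo() -> list:
    """Fingerprint the original, alter it, and report which schemes notice."""
    recorded = fingerprint(ORIGINAL_PROGRAM)
    tampered = swap_two_bytes(ORIGINAL_PROGRAM, 12, 22)
    return verify(tampered, recorded)


if __name__ == "__main__":
    print(demo())   # ['crc32', 'sha256']  (sum16 is fooled)
```

The post's "caveat" is the pigeonhole argument: a 432K file cannot be uniquely identified by a few digits, so many distinct files share any given checksum. The practical goal is therefore not uniqueness but making it infeasible to find a useful change that lands on the same value; a byte sum fails that test trivially, a CRC fails it with a little algebra, and a cryptographic hash is designed to pass it.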