VIRUS-L Digest Friday, 8 Mar 1991 Volume 4 : Issue 41 Today's Topics: Looking for software PC-cillin Info (PC) PC MS-DOS vs BIOS protection (PC) Re: Weird Stuff Happening to Pc's Here At Ohio Univ. (PC) What does Compucilina do? (PC) Unknown Malicious Code Message Writer (PC) Integrated Drive Electronics, Flopticals, and Freddy computer security research Virus V2000 (PC) File format for virus signatures (PC) False alarms using scan (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 07 Mar 91 13:58:44 +0000 >From: andreap@ms.uky.edu (Peach) Subject: Looking for software We are looking for a good virus detection package that can be purchased on a site license. Periodic updates would be nice and we would like something that does not charge on a per-machine basis. Please direct reply to: rfehr@ca.uky.edu (128.163.192.1) ------------------------------ Date: Thu, 07 Mar 91 16:38:22 +0000 >From: patel@mwunix.mitre.org (Anup C. Patel) Subject: PC-cillin Info (PC) Has anyone heard of a anti-virus package called PC-cillin? I am in the process of evaluating it, and wish to share my experience with it. PC-cillin is a combination of hardware and software solution. The package consists of an "Immunizer Box". The purpose of the box is "to preserve a record of your computer's boot sector and partition table." Whenever the system is turned on , the current partition is compared with the record stored in the Box. The Immunizer Box gets attached to the parallel port. The software portion consists of a program called PCCILLIN and PCC. PCC is used to install the software, scan the system, and create a rescue diskette. One noticable feature of PCC is that it checks high memory as well as conventinal memory. ALthough I'm not sure how many viruses hide themselves in memory above 1MB. PCCILLIN is a TSR that gets installed at boot time from the AUTOEXEC.BAT file. Upon bootup, PC-cillin compares information in the Immunizer Box with the current partition table and boot sector. It also installs a TSR that is supposed to monitor system activity. I ran an application infected with the 4096 virus while PCCILLIN was memory resident. PCCILLIN should have intercepted this infection, but did not report anything abnormal. However, PCC reported the infection when I performed a memory scan. I know this may not be enough information to make a final judgement, but how do others feel about virus protection scheme such as this. Loading PCCILLIN from AUTOEXEC.BAT is obviously a bad idea. I'm not too confident on its ability to check for viruses either, when PCCILLIN is resident. Thanks for listening!! ------------------------------ Date: 7 March, 1991 >From: Padgett Peterson Subject: PC MS-DOS vs BIOS protection (PC) (The following is my opinion only and has nothing to do with anyone else) I think it is time stand back from the PC and take a fresh look at how protection can be placed on the system. Too many products today rely on MS-DOS and its documentation to protect PCs. Since many functions of DOS and Windows are either mis-documented or un-documented and since there exist many opportunities for malicious software to attack before DOS, this is obviously not the place to start. Consequently, I must question any protection scheme that becomes active only with CONFIG.SYS or AUTOEXEC.BAT, this is too late. This is not to say that a program that goes resident earlier is going to be a cure-all, just that it is necessary to have even a chance at being effective. Hardware, in the form of a custom BIOS or ROM-extension, is the best solution, but in many cases, may not be a cost-effective one. For most machines, software alone is probably sufficient. It may not be able to stop everything, but it should be able to at least detect an exception before MS-DOS loads and stop anything thereafter. There are a number of good products out today to fill various functions (I use several, both home-built and commercial) but as yet I know of none that do everything necessary. Quite often, complaints are made about compatability with MicroSoft products, that certain functions may be "hidden" from detection. Again, this is a problem experienced from being layered on top of DOS or Windows that goes away if operation is performed "under the rainbow" (no reference to the ex-DEC product, either express or implied, is intended). It is understood that it is somewhat more difficult to determine from a sector write request at the BIOS level, exactly what is being written to, than interception of a DOS Int 21 would require, but requires no knowlege of any windowing, multi-tasking, or networking software to do so. Even if a program has established an application interrupt (and there are many available) to handle disk functions outside of DOS, they still go through the BIOS to do so and this is both detectable and re-directable. There are simply too many ways to "get around" what is published about MS-DOS (not to mention DR-DOS and several others) for their calls to be used as a first line of detection, this must be done at the "choke point" of the BIOS. Certainly DOS or any other O/S can be used to determine the cause of an exception, once it has been determined that an exception has occurred (wish I could use italics), but the important thing is to know that something has occurred (I can't fix it if I don't know its broke). Given this, intelligence can be applied to determine if what happened was permitted or to be disallowed. It is time that some ground rules be established for any protection scenario. I tried to make a "first pass" with the model a few issues ago, but it is up to the population to decide what (if anything) the vendors will produce. Just do not accept any claim that "it cannot be done". For me, if it does not start with the BIOS, it is not enough. See you in New York folks, Padgett ------------------------------ Date: Thu, 07 Mar 91 11:34:16 +0000 >From: Anthony Appleyard Subject: Re: Weird Stuff Happening to Pc's Here At Ohio Univ. (PC) from: {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Thu, 07 Mar 91 11:19:20 GMT On 05 Mar 91 20:29:08 +0000 smash@oucsace.cs.ohiou.edu (Scott Mash) wrote: (1) "....Most of the computers will not recognize the printers. We have tried everything short of formating the hard drive and rebuilding it.... " (2) "....Last week one of our lab guardians came up to the office and reported that he scanned someone's disk and found a virus called "ohio". When he tried to clean it V72 couldn't recognize or clean it....". ........................................ There may or may not be a connection between these two events. There is a PC virus called 'Ohio' which has been known of for quite a time. It could be that why Version 72 (of which antiviral please?) found it and then couldn't clean it, is that a file on that PC contained an innocent program containing a section of code that accidentally duplicated the part of the Ohio virus used as a search signature. That sort of thing happens from time to time, e.g. these messages in Virus-L vol4:- ISSUE ["Virus" story] hard disk crash?; antiviral thought that TOPS network software was a virus (longish) 025 [SCANv74B false positive (PC)] thought that KILLER.COM (a small Stoned remover) had/was Invader virus 032 F-FCHK with [New Leprosy signiture? (PC)] thought that Turbo Debugger 1.0 TD.OVL & Turbo C++ 1.0 TCLASSS.LIB had or were Leprosy virus 025 ------------------------------ Date: Thu, 07 Mar 91 11:46:12 +0000 >From: Anthony Appleyard Subject: What does Compucilina do? (PC) The new antiviral called Compucilina has caused discussion in these messages in Virus-L vol4:- ISSUE [non-sacaning anti-virus techniques] preventing infection (sacan = scan) I have a program vaccinater called COMPUCILINA 028 info re [Compucilina (PC)] 030 [non-scanin anti-virus techniques] (scanin=scanning) How Compucilina works is a commercial secret. It does not scan for particular viruses 034 [Re: Compucilina (PC)] will not prevent infection 034 If Compucilina doesn't scan for each known virus, how does it distinguish between viruses and valid programs? Ref a long discussion on possibility or impossibility of a 'general virus detector', that took place in Virus-L vol3. I mistrust 'black boxes', and it seems that how Compucilina works is a commercial secret. It seems that someone should print out a copy of Compucilina and go through its code, to find what it does. {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Thu, 07 Mar 91 11:35:56 GMT ------------------------------ Date: Thu, 07 Mar 91 13:57:44 -0700 >From: Peter Johnston Subject: Unknown Malicious Code Message Writer (PC) We have observed in one of our PC computer labs in the last few days a piece of malicious code that places a message on the screen overwriting whatever is there. The text (in part) reads: "If we paid attention, if we cared, we would realize just how unethical this impending war with Iraq is, and how impure the American motives are for wanting to force it. I'm becoming a little confused as to where the "evil amoire" is these days." There is more but I do not have a complete printout of the text in front of me. Because of the way it overwrites things, it quite often overwrites itself. Other than displaying the message, we have not detected that the code performs any other function or causes any other damage. we do not know whether it reproduces or not, nor how it got on the machines. In fact, we have not yet been able to find it. Investigation of the hard disks of the affected machines via Norton Utilities Explore function yielded no matches to the actual wording, which suggests that the text has been enciphered or otherwise hidden. The message appears at random times, overwriting whatever is on the screen (including Norton Anti-Virus). My programmer feels that the periodicity is tied somehow to the number of sector accesses, and has clocked it at approcimately once every 700 accesses. However, this is not an exact number. None of the PC anti-viral packages we have (and we try to obtain a copy of the latest version of every package we can find) report or detect this malicious code. Is this something new? Is it home grown? Has anyone else seen anything like this? Any suggestions or assistance would be appreciated. Thanks for the help. If/when we get this beastie nailed down I'll forward appropriate info... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Peter Johnston | Voice : 403/492-2462 University Comput Systems | FAX : 403/492-1729 352 GenSvcBldg, | BitNET : usergold@ualtamts The University of Alberta | Internet : usergold@mts.ucs.ualberta.ca Edmonton, Alberta | QuickMail: Peter_Johnston@ Canada T6G 2H1 | quest.ucs.ualberta.ca - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------------------ Date: 7 March, 1991 >From: Padgett Peterson Subject: Integrated Drive Electronics, Flopticals, and Freddy Recently I have talked to a number of people who have been on the receiving end of viruses and other malicious activities who have the idea that the one true solution is a low-level format of the fixed disk involved. Loss of all data/programs is considered an acceptable risk. There also seem to be a number of management types who feel that rather than invest in any protection software, if attacked, a low-level format is acceptable to their disaster plan. Just to help those of you who may think the same way, consider that many current PCs (I think Compaq started it all) come with nice, small, power-sipping IDE drives. Consider that these now provide the size and speed of the best conventional drives at the cost of a bare MFM (ST06) drive. This is now a selling point for many manufacturers and a plus for power users who do not have to give up any high memory (potential RAM for TSRs) to a disk controller. Now consider that these drives arrive pre-formatted from the manufacturer and many CANNOT be low-level formatted (the same goes for the new 20 Mb 3 1/2 flopticals). It is time that users like these realize that there are alternatives (most of them have been discussed on Virus-L) and that viral protection/removal/recovery does not have to include brute force formatting, high or low level, rather the application of some intelligence is appropriate. Pleasant dreams, Padgett ------------------------------ Date: 07 Mar 91 16:30:22 +0000 >From: P.A.Taylor@edinburgh.ac.uk Subject: computer security research Can anyone help? I'm in the second year of a PhD dealing with the rise of the computer security industry along with system break-ins, browsing and virus incidents. 1. Is anyone out there prepared to answer a questionnaire for me and perhaps if they have the time discuss with me by e-mail some of the issues? 2. I'm planning a jaunt into The Netherlands and Germany in approx 4 weeks time. Would any digest readers from either of those countries be prepared to have a face-to-face interview with me? Do you know of anyone who would? The request also stands with anyone from the United Kingdom. Verification of my academic status can be sought from my supervisors here at the University of Edinburgh, at the same mail site as myself with the names Charles Raab and R.Williams. ALL MY WORK IS FOR STRICTLY ACADEMIC PURPOSES AND TOTAL CONFIDENTIALITY IS GUARANTEED FOR ANY RESPONDENTS. Hope to hear from some of you soon, Best Wishes, Paul A. Taylor ------------------------------ Date: Fri, 08 Mar 91 12:07:09 +0000 >From: k-krag@newshost.hsr.no (Kjetil Krag) Subject: Virus V2000 (PC) HELP!!! My PC is infected by the V2000 virus. I have a problem. Sometimes when I starts McAffee's PRO-SCAN.EXE there comes a message that tells me that the memory is infected with the V2000 virus and tells me that the program can't remove the virus and tells me the turn the machine off and reboot from a clean diskett. Then I turn the machine off and starts up with a clean boot-diskette. I starts up the PRO-SCAN.EXE and scan all drives on my harddisk, but the harddisk are clean! The programs can't find any viruses. Later when I start up PRO-SCAN again the V2000-virus is back! I've also tried McAffe's SCANV75 and VSHIELD75, but none of them can find the virus! If you can help me. Please tell! Thanks! Kjetil Krag (k-krag@broremann.hsr.no) ------------------------------ Date: Fri, 08 Mar 91 11:23:00 +0700 >From: "Jeroen W. Pluimers" Subject: File format for virus signatures (PC) Dear readers, A few digests agi, there was a question about standard formats of data files for virus signatures. VIRSCAN and TBSCAN/TBSCANX use the format below. It has been copied from the documentation that was with TBSCANX v 2.1. The format may be spread freely and is fully public domain. Jeroen W. Pluimers - Gorlaeus labs, Leiden University - -=-=-=-=-=-=-=-=- VIRSCAN.DAT / TBSCAN.DAT format -=-=-=-=-=-=-=-=-=- FORMAT OF THE DATA FILE - ----------------------- The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or modified with every ASCII editor. All lines beginning with ";" are comment lines. TbScanX ignores these lines completely. When the ";" character is followed by a percent-sign the remaining part of the line will be displayed on the screen. A maximum of 15 lines can be printed on the screen. Nice for "HOT NEWS"... In the first line the name of a virus is expected. The second line contains one or more of the next words: BOOT SYS EXE COM HIGH LOW These words may be separated by spaces, tabs or commas. TbScanX will only scan for viruses with the keywords COM or EXE. The other keywords will be ignored, and are only used by the non-resident version: TBSCAN. Also note that TbScanX will not distinguish between COM and EXE files. All executable files will be scanned for both EXE and COM viruses. This saves some memory. BOOT means that the virus is a bootsector virus. SYS, EXE and COM indicate the virus can occur in files with these extensions. Also overlay files (with the extension OV?) will be searched for EXE viruses. HIGH shows that the virus can occur in the memory of your PC, namely in the memory located above the TBSCAN program itself. LOW means that the virus can occur in the memory of your PC, namely in the memory located under the TBSCAN program itself. In the third line the signature is expected in ASCII-HEX. Every virus character is described by means of two characters. Instead of two HEX characters, two question marks (the wild- card) may also occur. The latter means that every byte on that position matches the signature. Below you will find an example of a signature: A5E623CB??CD21??83FF3E You can also use the asterisk followed by an ASCII-HEX character to skip a variable amount of bytes in the signature. The ASCII-HEX character specifies the amount of bytes that should be skipped. The signature could be: A5E623CB*3CD2155??83FF3E The next sequence of bytes will be recognised as a virus: A5E623CB142434CD21554583FF3E Instead of a signature in ASCII-HEX you can also specify a normal text. This should be put between double quotation marks. A correct signature is for example: "I have got you!" This series of three lines should be repeated for every virus. Between all lines comment lines may occur. ------------------------------ Date: Fri, 08 Mar 91 14:54:19 +0000 >From: martin zejma <8326442@AWIWUW11.BITNET> Subject: False alarms using scan (PC) Hello hunters | Long time ago, around end of June 90', I posted a question about false alarms when scanning memory using scan ( happend with all versions I know ). The solution : Once upon a time... i've been infected with the 170x virus. I detected the infection instantly and healed all corrupted files. BUT | the viral part behind the EOF of each file naturally didn't disappear ( filling up the last cluster of the file ) , and that also happend to command.com , only invoked from within a different directory when using the Norton Commander, so then scan reported an active 170x virus in memory. After watching behind the EOF with Norton Utilities, I erased the dumb virus part, and voila | no more false alarms . Simple solution this time , Martin +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 41] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253