VIRUS-L Digest   Wednesday, 20 Mar 1991    Volume 4 : Issue 45

Today's Topics:

Re: Research viruses
Anti-Virus programs from Holland uploaded to SIMTEL20 (PC)
VCOPY version 75 available (PC)
Comp. Security...help needed...
Forward from RED-UG, problems with SCAN (PC)
McAfee anti-viral programs and SIMTEL20 (PC)
Virus-Construction-Set (VCS 1.0) (PC)
1701/1704 virus (PC)
Fprot vs Scan ?? (PC)
Trojan Horses, Logic Bombs, Viruses, etc.
New Virus ? Smiley Virus - Amiga
Re: PROTEC System & Stoned Virus (PC)
vshield (PC)
Review of Norton Antivirus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    16 Mar 91 02:20:27 +0000
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Research viruses

Research ethics are fairly well defined in other fields, and can be extended to computer viruses with a little thought. For instance, a researcher working on flu virus strains would be ethically (and legally) responsible for a mutated virus escaping into the population at large. Saying "I'm sorry -- I didn't mean for it to happen" is not an excuse. Good intentions do not substitute for taking precautions.

Research on (computer) viruses that escape into the general population is clearly unethical because it affects subjects who have not given their informed consent to be part of the "experiment," and there is no way to end the "experiment." Also, there is no valid control for the experiment (e.g., "What would be the results in a similar population for the null hypothesis?"). Worse, most people "experimenting" don't understand the basics of good scientific method.

Research by writing viruses to see what happens is akin to throwing chemicals in a test tube to see if it explodes. Proper experimental research procedure requires that you establish a hypothesis that can be tested, establish a test with controls, and then analyze your test results with respect to the hypothesis. Some of the people who claim they are doing "research" in viruses and related areas are doing no such thing. I have refereed papers for professional forums that show a surprising lack of understanding of the basic principles of science or ethics -- then these individuals complain they are being "conspired against" because they can't get their work published. Sad.

-- 
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu   phone: (317) 494-7825

------------------------------

Date:    Thu, 14 Mar 91 19:47:00 +0700
From:    FTHSMULD%rulgl.LeidenUniv.nl@CUNYVM.CUNY.EDU
Subject: Anti-Virus programs from Holland uploaded to SIMTEL20 (PC)

I have uploaded the following programs to the SIMTEL20 archives. All come from Holland. The TBxxx software is written by Frans Veldman; the VIRUSSIG file is described below:

;% Virus information file for TBSCAN and HTSCAN virus scanners
;% (C) Copyright 1989-1991 by Jan Terpstra of FIDONET 2:512/10.0
;% P.O. Box 66, 1462 ZH, Beemster, The Netherlands
;% Revision: 910308 (yymmdd)

pd1:
TBRESC12.ZIP  Thunderbyte Resque Boot Sector version 1.2
TBSCAN21.ZIP  Thunderbyte Scan version 2.1 - needs VIRUSSIG
TBSCNX23.ZIP  Thunderbyte XScan (TSR) v 2.3 - needs VIRUSSIG
VIRUSSIG.ZIP  Virus Signatures for TBSCAN/HTSCAN - day 67

jeroen
FTHSMULD%rulgl.LeidenUniv.nl@CUNYVM.CUNY.EDU

------------------------------

Date:    Mon, 18 Mar 91 13:00:00 -0700
From:    ozonebbs!aryehg@apple.com (Aryeh Goretsky)
Subject: VCOPY version 75 available (PC)

VCOPY Version 75 is now available. Version 75 of VCOPY detects all viruses detected by the VIRUSCAN Version 75 release. Sorry for the delay, folks; I've been out for four days due to a (biological) virus.

Aryeh Goretsky

-----------------------------------------------------------------------------
Aryeh Goretsky, Tech Sup. | voice (408) 988-3832 | INTERNET
McAfee Associates         | fax   (408) 970-9727 | aryehg@ozonebbs.uucp -OR-
4423 Cheeney Street       | BBS   (408) 988-4004 | aryehg@tacom-emh1.army.mil
Santa Clara, CA 95054     | UUCP apple!netcom!nusjecs!ozonebbs!aryehg
"Opinions expressed are my own and may not reflect those of my employer."

------------------------------

Date:    17 Mar 91 13:39:33 +0000
From:    ncorcorn%unix1.tcd.ie@BITNET.CC.CMU.EDU
Subject: Comp. Security...help needed...

Dear whoever,

I have the misfortune to be doing a project on computer security, particularly computer crime. Having ploughed through most of the usual research I thought I'd write to the net in the hope of getting some ORIGINAL opinions. All input welcome.

Yours, a desperate person with deadlines to meet

ps mail any responses to me at ncorcorn@unix1.tcd.ie or post to the net PLEASE!!!!!!!!!

------------------------------

Date:    Tue, 12 Mar 91 22:56:00 +0700
From:    "Jeroen W. Pluimers"
Subject: Forward from RED-UG, problems with SCAN (PC)

Original-Date: Tue, 12 Mar 91 12:21:00 +0100
Original-From: IVRI0@CC.UAB.ES

Hi, RED-users.

I have a hard disk with 2048 bytes per sector, and when I run the newest versions of SCAN (74b and 75) the program reports the following message:

"Sorry, the partition table of disk C is 2048 bytes long."
"That's too big for me."

Is that a bug in the program? Am I doing anything wrong?

Thanks in advance for your answers,

Pere J. Francisco,

------------------------------

Date:    Mon, 18 Mar 91 01:45:00 -0700
From:    Keith Petersen
Subject: McAfee anti-viral programs and SIMTEL20 (PC)

I just received word from McAfee Associates that they have agreed to upload each new release of McAfee anti-viral programs for MS-DOS to Detroit Download Central, the BBS I co-SysOp. From there I will transfer the files in their original form to SIMTEL20.

What this means to Internet users is that the programs will be available for downloading from SIMTEL20, and the mirror sites, within 12 hours of their release by McAfee.

Keith
-- 
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC & CP/M archives [IP address 26.2.0.74]
Co-SysOp, Detroit Download Central 313-885-3956 (V22bis/HST/V32/V42bis/MNP5)
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz
BITNET: w8sdz@OAKLAND

------------------------------

Date:    18 Mar 91 09:49:00 +0100
From:    Matthias Jaenichen
Subject: Virus-Construction-Set (VCS 1.0) (PC)

On the Hannover fair "CeBit" a Virus-Construction-Set for MS-DOS was found in a BBS. The BBS is a German system called "ZERBERUS". The program was uploaded in Hamburg. The Box-Sysops are informed and will (hopefully) delete the entries.

It is possible to build a virus that will display a message at a selectable generation-count. At the same time the files "CONFIG.SYS" and "AUTOEXEC.BAT" will be deleted. The virus will be given the name "VCS-1.0".

The virus extends programs by 1077 Bytes. The following string can be found at offset 50h: "A5 A5 A4 68 00 C1 C3 8A". At the end of the virus: "C:\AUTOEXEC.BAT" and "C:\CONFIG.SYS".

Code analysis will begin soon after the fair.

----------------------------------------------------------------------------
Best wishes from Hamburg

\\  //  /==#==\  /==\   Matthias Jaenichen
 \\ //     #     /      VTC-Hamburg
  \\//     #     #      e-mail: jaenichen@rz.informatik.uni-hamburg.dbp.de
   \/     _#_    \==/
----------------------------------------------------------------------------

------------------------------

Date:    Mon, 18 Mar 91 10:39:00 +0000
From:    LYNNE@vax.oxford.ac.uk
Subject: 1701/1704 virus (PC)

One of my colleagues was sent the English version demo disk of the program VCH BIBLIO. Disk 2 (of 2) was found to be infected by the virus 1701/1704 by McAfee's VIRUSCAN. We have reported this to the British distributors of this disk. They are A-MAIL of Oxford. They found their systems to be infected when we reported it to them. The VCH program originates in Germany though we do not know if the German version was infected. I have reported this finding to Noel Bonczonzek at the UK Computer Crime Unit.

Lynne Munro
Oxford University Computing Service

------------------------------

Date:    Fri, 15 Mar 91 17:47:49 -0500
From:    Jeff
Subject: Fprot vs Scan ?? (PC)

I am looking for some info regarding FPROT114 vs. SCANV75. What are the advantages and disadvantages of each? I would also like some info on FPROT114 vs. NETSCAN75. Please respond directly to me. Thanks in advance.

[Ed. You might want to look at Rob Slade's reviews of both of these products. The reviews are available via the VIRUS-L/comp.virus archives, including anonymous FTP on cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.]

Jeff
usgjej@gsuvm1
usgjej@gsuvm1.gsu.edu

------------------------------

Date:    Mon, 18 Mar 91 15:59:17 +0000
From:    Muthiah.Chidambaram@newcastle.ac.uk (Mat (M.Chidambaram))
Subject: Trojan Horses, Logic Bombs, Viruses, etc.

I am a first year here, at the University of Newcastle-Upon-Tyne, in the UK, studying MicroElectronics and Software Engineering. I am fairly new to computing and an absolute novice to this (or any other) newsgroup. I am currently preparing information on a seminar, which I am giving next Monday, about computer security, viruses, logic bombs, trojan horses, etc. I would be grateful if anyone out there can give me any information at all on the above named subjects.

------------------------------

Date:    18 Mar 91 16:32:32 +0000
From:    borzieri@king.ICO.Olivetti.Com (Ivan Borzieri)
Subject: New Virus ? Smiley Virus - Amiga

I was playing with my WB disk when the mouse pointer turned into a PacMan-like object, with a scrolling message under it saying something like: "This is a new virus from Centurions, and it's called Smiley Virus. It seems that some of your disks have been infected !"

I tried to take it away with ZeroVirus III, but it did not recognize it. I took a look into memory, using the VMK tool included in DW 1.2. I saw that there was something like "startup-sequence", ares, etc. Looking in my startup-sequence, I saw that the first command was "Ares", so I thought the virus had copied itself into that command. I reinstalled Arp on the infected disk (to prevent the virus from having infected some other command). Then I turned down the machine and bootstrapped from the infected disk. Looking in memory with VMK gave "No Virus Present" as result, so I felt immediately happy !

Anyway, I'd just love to know which is the latest Anti-Virus for The Amy.

Thanx,
Ivan Borzieri

------------------------------

Date:    18 Mar 91 19:31:45 +0000
From:    bdh@uchicago.UCAR.EDU (Brian D. Howard)
Subject: Re: PROTEC System & Stoned Virus (PC)

rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) writes:
>I find this interesting. Short of re-infecting the machine to
>investigate further, I'm curious as to why Stoned didn't show in
>memory when a boot from floppy hadn't been done.

Probably because stoned steals 2K for itself (why 2K I dunno, I think he only needs to dec al once? I figured it's a bug). It then updates the BIOS data segment (413h) to indicate that the tip-top of memory is right below it. Scan utilities that rely on that table being accurate might not bother to check any higher.

(An aside note: the 'stoned' program compares the jump at its first location with that of the boot sector on the potential target in order to decide if it's already 'infected' said target. If you haven't already, you might dis-assemble and modify your boot sector code to reflect the identical jump so that it looks like it's already infected...)

-- 
"Hire the young while they still know everything."

------------------------------

Date:    Mon, 18 Mar 91 17:14:27 -0500
From:    Jeff
Subject: vshield (PC)

Has anyone experienced any difficulties running VSHIELD while attached to a network?

Jeff
usgjej@gsuvm1
usgjej@gsuvm1.gsu.edu

------------------------------

Date:    Fri, 15 Mar 91 16:54:13 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Norton Antivirus (PC)

Comparison Review

Company and product:

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA 95014 USA
408-253-9600  800-343-4714  800-441-7234
408-252-3570  416-923-1033
Norton AntiVirus

Summary: Manual and TSR virus scanning, as well as change detection.

Cost $130 US

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
   Installation       3
   Ease of use        2
   Help systems       2
Compatibility         3
Company
   Stability          3
   Support            3
Documentation         2
Hardware required     4
Performance           3
Availability          4
Local Support         1

General Description:

The NAV.EXE program has the ability to scan memory, boot sectors and files for the presence of known viral programs, and to "inoculate" programs against change. It can also recover some damage to programs and boot sectors. The NAV_.SYS program provides TSR checking of files, although it does not detect viral programs in memory, or deal effectively with boot sector viri.

Comparison of features and specifications

User Friendliness

Installation

The program is shipped on "read only" disks, therefore cannot be infected at the user's site without active intervention. It is absolutely essential to read the on-disk READ.ME file, as the documentation is incorrect in many places including installation. The printed documentation fails to mention the NAV.DEF virus definition file and the program will not function without it.

Installation can be done from any drive to any drive, including floppy drives. If old versions of Norton Antivirus are found they can be overwritten or backed up at the user's discretion. The installation program is clear and simple to use, and gives clear instructions and explanations of the various options. (With some exceptions. For example, the program assumes that old copies of NAV are to be found in C:\NAV, and states that there is no old version if nothing is found there. If this is not the path for the files, and the proper path is specified, the request to choose between backing up and overwriting old versions comes shortly after the announcement that there are no old versions.) A "completion bar" shows the progress of most lengthy operations (throughout the program.)

The installation is quite intelligent and useful in dealing with the necessary changes to system files. An editing screen is presented for the insertion of the command line in CONFIG.SYS. The default placement is explained clearly enough to give novices confidence, but will allow more advanced users the ability to select optimum positioning. Backup files are created for the original AUTOEXEC.BAT and CONFIG.SYS.

The installation program is not very intelligent in dealing with configuration options. Upon invocation of the installation program, it asks about the type of monitor used. Upon completion, however, the configuration of the NAV program defaults to "CGA" monitor type, which does not allow some options or "command keys" to be seen on monochrome screens. Also upon completion, if "Quit" is chosen instead of "Reboot", the "target" drive and directory becomes default.

Ease of use

The program is "menu driven", but use without a mouse is not necessarily intuitive, nor do all menus work consistently. (For example, all options on the main menu are accessed by initial letter except "Exit" which is only accessible by pressing the "X" or "ESC" keys.) Ten pages of the manual are devoted to the use of the interface. The menus are, however, generally clear and readable. (Unless, as mentioned above, the monitor type is not consistent with "highlights" generated in CGA mode.)

The "Advanced scan" and "Auto-inoculate" features of the system are simply variations on checksumming and change detection, but are set up and explained in a manner which appears to be unnecessarily confusing. The options available in the "Options/Configuration" menu allow for a considerable degree of customization, but reasons for choosing certain options are not clear in the initial installation section of the manual. The monitor "box" in the menu is not accessible in any way, nor is it explained in either the manual or the help text. Some options do not appear to work: I did not choose to "Disable scan Cancel *b*utton" (*b* being the letter used to access this option), but the "cancel scan" option was disabled on my program anyway.

If a virus is detected in memory at the beginning of a scan, the program will refuse to scan further. This is an advantage in that it prevents infection by viri which infect each file as it is opened, but there is no "discretion" on this feature, and it activates even when boot sector viri are found. The program does not terminate, but will not perform (in terms of scanning). No help is given at this point: the user is referred to a section of the manual.

Help systems

The program contains an extensive help file. Personally, I did not find the onscreen help to be very useful, generally having to go to the reference section of the manual if I could not figure out the operation from the menus.

Compatibility

Norton Antivirus is stated to be compatible with Windows. However, careful examination of the disk READ.ME file indicates that this compatibility is true only in that the TSR scanner can continue to alert users through the "siren" if the "alert boxes" are turned off while Windows is in operation. NAV is not compatible with Desqview, and has difficulty with a number of other TSRs and related utilities. Careful reading of the READ.ME file is suggested on systems with extensive use of TSR programs.

The program shipped as of December 7, 1990 identifies a significant proportion of the viral programs identified by the Brunnstein, Hoffman, McAfee and Skulason lists. The company has also provided a means of regular updates of "signature" information.

The "change detection" information is not added to the file to be checked, so it does not interfere with "internal" self checks. However, the information is not stored in a single outside file, but in a "hidden, system" file created for each program to be checked. As the READ.ME file indicates, this may take up considerable space on a hard disk, and may be difficult to recover even after programs are removed.

Company Stability

Symantec and Peter Norton have both been solid companies in their respective environments.

Company Support

The company provides both a technical support line and a "Virus Newsline" for update information on new viral signatures. There is provision for access to information through "voice mail", fax and commercial information services. Suggestions from the company indicate that this is seen as valuable primarily to corporate customers, who can take advantage of economies of scale in distributing the information internally and recovering the cost of obtaining the information.

It should be noted that although the program was promised to the reviewer in November, it required eleven return phone calls to five different offices to finally have it delivered over three months later.

Documentation

The documentation is extensive, but the layout would not be simple for a novice to follow. While the information is all there, even after a thorough reading it is hard to remember where a specific item is. The "Quick Start" section does provide an acceptable installation, if default values are all valid in the user's system. The "clean start" provisions of both the "Quick Start" and installation sections should prevent installation on an infected system *if followed rigorously*. However, even here the directions may be confusing to a novice. The "About Viruses" section is of little use.

As mentioned before, many corrections and omissions from the manual are pointed out in the READ.ME file on disk, and the documentation should not be considered complete without it.

Hardware Requirements

No special hardware is required.

Performance

As mentioned, the NAV program identifies a larger number of viral signatures than does any commercial product reviewed to date, with provisions for constant updating of the signature files. The scanning is also very fast, approaching the speed of TBSCAN and VPCSCAN.

The TSR scanner, NAV_.SYS, is invoked from CONFIG.SYS (cf. F-DRIVER.SYS in the FPROT package.) While it cannot prevent infection of the system from a "boot sector" infected diskette, it does not detect the presence of such a virus in memory, and it neither prevents infection of diskettes, nor alerts the user to the use of an infected diskette or the operation of infecting.

Repair of viral programs appeared to be effective.

Local Support

Although local sales offices of Symantec/Peter Norton are widely available, support is only provided through the central technical support and "Virus Newsline" numbers.

Support Requirements

In its current form, the product is suitable for novice users, but installation and actions when a virus is found may require more expert support.

General Notes

The provision of access to update information gives this product a significant advantage. There are, however, some weaknesses to be dealt with, and a general improvement is needed in the documentation and ease of use before it is suitable for all users.

copyright Robert M. Slade 1991   PCNRTNAV.RVW   910315

=============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@mtsg.sfu.ca | course, that these
Research into  (SUZY) INtegrity         | new facts do not
User           Canada V7K 2G6           | coincide with my
Security                                | preconceived ideas

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 45]
*****************************************
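Added example, placed after the digest because two of its messages describe the same pair of defensive techniques. This is not code from VIRUS-L, from any poster, or from any product reviewed above. It shows (1) signature scanning, using the byte string Matthias Jaenichen reports for VCS-1.0 ("A5 A5 A4 68 00 C1 C3 8A" at offset 50h, virus body 1077 bytes), and (2) change detection that keeps each program's size and hash in one external baseline rather than inside the program or in a hidden companion file per program, the two designs Rob Slade's Norton review contrasts. Assumptions: offset 50h is taken as relative to the start of the appended virus body; SHA-256 stands in for a 1991-era checksum; every "program" is a constructed byte string held in memory so the script runs offline.

```python
"""Minimal scanner combining signature matching and change detection.
Added example, not VIRUS-L code. All sample files below are constructed."""
import hashlib
import json

# Values quoted in the VCS-1.0 report in this digest.
VCS_SIGNATURE = bytes.fromhex("A5 A5 A4 68 00 C1 C3 8A")
VCS_BODY_LENGTH = 1077   # bytes the virus adds to each infected program
VCS_SIG_OFFSET = 0x50    # assumed offset of the string within the appended body


def find_signature(data: bytes, signature: bytes = VCS_SIGNATURE) -> int:
    """Offset of `signature` anywhere in `data`, or -1 if it is absent."""
    return data.find(signature)


def looks_like_vcs_append(data: bytes) -> bool:
    """True if the signature sits exactly where a 1077-byte appended body
    would put it. Stricter than a plain search: fewer false positives."""
    if len(data) < VCS_BODY_LENGTH:
        return False
    body = data[-VCS_BODY_LENGTH:]
    return body[VCS_SIG_OFFSET:VCS_SIG_OFFSET + len(VCS_SIGNATURE)] == VCS_SIGNATURE


def digest(data: bytes) -> str:
    """SHA-256 replaces the period checksum; any collision-resistant hash works."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> str:
    """Record size and hash of every program in ONE JSON document.
    Nothing is written into the programs, so their own self-checks still pass,
    and there is no hidden per-file companion to clean up when a program is removed."""
    entries = {name: {"size": len(d), "sha256": digest(d)} for name, d in files.items()}
    return json.dumps(entries, sort_keys=True)


def check_baseline(baseline_json: str, files: dict) -> dict:
    """Return {name: 'ok' | 'modified' | 'missing' | 'new'} against the stored baseline."""
    baseline = json.loads(baseline_json)
    report = {}
    for name, entry in baseline.items():
        if name not in files:
            report[name] = "missing"
        elif digest(files[name]) != entry["sha256"]:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in files:
        report.setdefault(name, "new")
    return report


def scan(files: dict, baseline_json: str) -> dict:
    """Per-file list of findings from both checks; an empty list means clean."""
    changes = check_baseline(baseline_json, files)
    verdicts = {}
    for name, data in files.items():
        findings = []
        if find_signature(data) != -1:
            findings.append("signature:VCS-1.0")
        if looks_like_vcs_append(data):
            findings.append("size-pattern:VCS-1.0")
        if changes[name] != "ok":
            findings.append("change:" + changes[name])
        verdicts[name] = findings
    for name, status in changes.items():
        if status == "missing":
            verdicts[name] = ["change:missing"]
    return verdicts


# ---- constructed sample data (not real programs, not a real virus) -------
CLEAN_PROGRAM = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 200   # mov ax,4C00h / int 21h / padding
FAKE_BODY = bytearray(VCS_BODY_LENGTH)                     # zero-filled stand-in body
FAKE_BODY[VCS_SIG_OFFSET:VCS_SIG_OFFSET + len(VCS_SIGNATURE)] = VCS_SIGNATURE
INFECTED_PROGRAM = CLEAN_PROGRAM + bytes(FAKE_BODY)

BEFORE = {"GAME.COM": CLEAN_PROGRAM, "EDIT.COM": CLEAN_PROGRAM + b"\x01"}
AFTER = {"GAME.COM": INFECTED_PROGRAM,
         "EDIT.COM": CLEAN_PROGRAM + b"\x01",
         "NEW.COM": b"\xC3"}

if __name__ == "__main__":
    baseline = build_baseline(BEFORE)          # taken on the known-clean system
    for name, findings in scan(AFTER, baseline).items():
        print(f"{name:10s} {'clean' if not findings else ', '.join(findings)}")
```

Running the script reports GAME.COM with a signature hit, the 1077-byte size pattern and a hash change, EDIT.COM as clean, and NEW.COM as new. The baseline must be taken on a system known to be clean, which is why the review stresses the "clean start" procedure; a baseline captured after infection only certifies the infected state.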