VIRUS-L Digest   Monday, 13 May 1991    Volume 4 : Issue 80

Today's Topics:

SCAN hangs while checking Window's SOL.EXE file (PC)
F-PROT & FluShot+ (1.81) problems 3 . . . (PC)
Virii in Factory Software; Legal Stuff; "Eddie Lives"
Follow-up to Certus LAN review (PC)
Virii on Factory Software & Legal Issues
Re: Packard-Bell (PC)
re: Odd 77-byte files (PC)
re: Odd 77-byte files (PC)
Re: Odd 77-byte files (PC)
re: F-PROT and FluShot problems (PC)
Virus checking of archives from a batch (PC)
Gatekeeper 1.2 Release Announcement (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 10 May 91 10:14:00 -0500
From: "Sant."
Subject: SCAN hangs while checking Window's SOL.EXE file (PC)

Has anyone had problems with SCANV77? When I scan my hard drive, the program hangs on one particular file, SOL.EXE, Window's solitaire program. I don't have problems with running the game and SCAN doesn't have problems with any other file. In order to continue, I have to press 'F' to accept the failure. Does anyone know why this is happening?

+------------------------------------------------------------------------------+
| Santanu Sircar                         BITNET:   ssircar@umaecs.bitnet       |
| University of Massachusetts/Amherst    INTERNET: ssircar@ecs.umass.edu       |
+------------------------------------------------------------------------------+

------------------------------

Date: Fri, 10 May 91 14:37:59 +0000
From: umbc3!umbc3.umbc.edu!cs106132@uunet.UU.NET (cs106132)
Subject: F-PROT & FluShot+ (1.81) problems 3 . . . (PC)

>this strain, it could not detect it. This is expected as the documentation
>hints. However, when I ran F-OSCHK, the virus infected the system files
>.....This is not a bug type of thing, it is a design flaw!

*This problem is of course not unique to F-PROT - every other scanner
*has this same problem. In fact, the DOS 'COPY' command can also cause
*a similar effect - infection of files when they are read. Is it a
*design flaw in DOS ?

Amazing! You totally missed the point, sir. Neither DOS, nor any of its utility programs (the ones that come with DOS) make any claims for being capable of dealing with viruses. In that regard, the criticism does not apply to them. F-PROT and FluShot+ (1.81) are full-blown, widely-used ANTI-VIRAL packages. If DOS etc. could have handled the problem, we would not have been unfortunate enough to shell out more bucks to feel secure from viruses.

*So - with the current generation of scanners, this problem cannot be
*avoided.

Not at all. I have seen at least one beta-test version of a new product that does not suffer from the mentioned problems. Because of an agreement, I am not allowed to say more on this. But, it will be available in the near future according to the developers.
*-frisk

Regards,
Tarkan

------------------------------

Date: Fri, 10 May 91 13:20:18 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Virii in Factory Software; Legal Stuff; "Eddie Lives"

walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) writes:

> I haven't yet read enough of the back issues of VIRUS-L, so please
> excuse what duplication I may make.

...

> One unrelated comment: I had thought that the phrase, "Eddie lives...
> somewhere in time" referred to the film "Eddie and the Cruisers," in
> which the lead singer is thought to be dead, but no one is 100% sure.
> Sorta like Elvis, huh? ;-)

Comparative Modern Culture 101, final exam
Question 5: Who is "Eddie"? (10 points)

You would have a great time going through the old issues researching this one. I think the Heavy Metal crew have won the day on this one. "Eddie" is the mascot of "Iron Maiden", one of whose albums/songs/lines is "somewhere in time".

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date: Fri, 10 May 91 14:01:14 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Follow-up to Certus LAN review (PC)

I got a call from Certus today. I got *two* calls from Certus today. Even before I had seen my review "in print". A couple of items to note.

The version I received was 2.0; 2.1 is now out and has some changes. The scanning portion has been increased in speed. The documentation is apparently unchanged except for the installation section.

Apparently even BOOTLOCK does not prevent infection by the Stoned virus. (A disinfection package to deal with the problem is now in beta test.)

I will apparently be receiving an updated copy soon, and will send out a new review when complete.

Somewhat related, and pursuant to Ross's anecdote: In my seminars I have found that the Stoned virus is more "successful" (in terms of number of people infected) than all other viral programs combined. So far ...

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date: Fri, 10 May 91 13:12:12 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Virii on Factory Software & Legal Issues

walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) writes:

> On the other hand, once informed about a virus problem with their
> product, a vendor must be prompt to correct the problem, or it is
> indeed time to bring in the lawyers.

Padgett: We must sue the vendors!
Rob: You're right.
Bill: No, they'll come around.
Rob: You're right too.
Someone-else-on-the-net: Rob, they can't *both* be right!
Rob: You know, you're right too!

Well, apologies to Sholem Aleichim and everyone else concerned, but there probably isn't any real disagreement here; it's more a matter of differing perspectives.

I've had (too) numerous occasions where I've sent a computer owner back to the vendor because of problems with a virus on a new system, only to have the vendor admit it, admit that he (or she) *knew* about a virus loose in the shop, and didn't do anything about it.

On one occasion I reported a potential virus to the software manufacturer. This particular company has a very small "core" staff, and yet I kept getting calls back from the company for a week, pointing fingers in all directions, before they would even agree to check their software. (After they agreed to do that, I heard nothing more. An admission of guilt?)
=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date: Fri, 10 May 91 14:39:51 -0400
From: Peter Jones
Subject: Re: Packard-Bell (PC)

On Thu, 09 May 91 15:55:59 -0400 you said:

>For those having problems. (800)767-9898 appears to be a tech support
>line for Packard-Bell.
>                                       Padgett

The above number isn't accessible from the Montreal (514) calling area. The local Packard Bell distributor readily gave me (800)-263-0089 for Technical Support. I called this number and got someone named Morris, who explained that the virus had come from a subcontractor who had reproduced Packard's diskettes. Said subcontractor was "severely reprimanded", according to Morris. Those having virus problems on Packard Bell are encouraged to call the above number.

Packard seemed to think the problem was solved last winter. Perhaps the recent sightings are due to diskettes remaining in storage for 6 months or so.

Peter Jones  (514)-987-3542
Internet: Peter Jones   UUCP: ...psuvax1!uqam.bitnet!maint

N.B. "Our customers will forgive a one-time error far more quickly than they will forgive our inability to correct that error." - Karen Ward (wardk@cse.ogi.edu)

------------------------------

Date: Fri, 10 May 91 15:21:29 -0400
From: Chuck Eater
Subject: re: Odd 77-byte files (PC)

> Some utility on my PC (running MS DOS 3.3) has been creating several
> hundred hidden files. All had a filename of an existing COM or EXE
> file, but with the corresponding extension ._OM or ._XE, and all were
> 77 bytes long. The files are all deleted -- sorry not to have saved a
> copy -- and no available virus scanning utility reports any odd files
> anywhere. Has anyone seen this elsewhere?

These files sound like the checksum files created by the auto-inoculate feature of the Norton Antivirus package. They are 77 bytes in length and are created with the system and hidden file attributes.

--chuck
------------------------------------------------------------------------
Charles L. Eater, National Institute of Standards & Technology (NIST)
Snail : Administration A738, Gaithersburg, MD 20899
Email : eater@nbsmicf   eater@micf.nist.gov (129.6.16.4)
Phone : (301) 975-4065
------------------------------------------------------------------------

In-Reply-To: note of 05/10/91 12:36

------------------------------

Date: Fri, 10 May 91 13:40:59 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: re: Odd 77-byte files (PC)

zlsiial@cs.man.ac.uk writes:

> Some utility on my PC (running MS DOS 3.3) has been creating several
> hundred hidden files. All had a filename of an existing COM or EXE

If it was hidden .COM files for each .EXE, then it would indicate the new type of viral programs which Patricia Hoffman refers to as "spawning". However, since the hidden files do not have executable filenames, it might be similar to the Norton Antivirus change detection scheme. NAV does not store all the checksum information for "inoculated" files in one file, but in one hidden file for each inoculated program. The checksum files have filenames related to the program files, but one character in the extension is altered.

Sorry not to have more details, but I can't find the specifics in the manual. (Thinks: what are READ.ME files for? Sure enough.) Yes, in the READ.ME file, you will find (at about line 125) a description of the checksum files it creates. For .COM it is ._OM, for .EXE, ._XE, for .SYS, ._YS etc.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date: Sat, 11 May 91 14:05:00 -0700
From: f18@clark.edu (Torry V Schreiner)
Subject: Re: Odd 77-byte files (PC)

zlsiial@cs.man.ac.uk writes:

>Some utility on my PC (running MS DOS 3.3) has been creating several
>hundred hidden files. All had a filename of an existing COM or EXE
>file, but with the corresponding extension ._OM or ._XE, and all were
>77 bytes long. The files are all deleted -- sorry not to have saved a
>copy -- and no available virus scanning utility reports any odd files
>anywhere. Has anyone seen this elsewhere?

Norton's AntiVirus made all of those files. They were checksums (or something like that) of those .EXE and .COM files. If you look there should be ._VL files too. You just killed Norton's protection scheme. Hope you aren't still using that.

------------------------------

Date: Thu, 09 May 91 11:03:02
From: microsoft!c-rossgr@uunet.uu.net
Subject: re: F-PROT and FluShot problems (PC)

>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
>
>Simple integrity checking (e.g. intelligent use of CHKDSK-type values)
>would have revealed that something unusual was going on, particularly
>with the varieties of 4096 that I have seen since a memory mis-match
>occurs. You get what you pay for.

Oh! I see now. Anybody know where I can get six bytes worth of integrity checking, cheap?

A simple problem was posted to the mailing list, and it'll be fixed in my code shortly and, I would presume, in frisk's code, too. By stating that you "get what you pay for", I would presume that you're advising both frisk and me to raise our rock bottom prices?

Sorry.....Homey don't play that.

Ross M. Greenberg
Author, FLU_SHOT+

------------------------------

Date: Sun, 12 May 91 07:47:23 +0000
From: ts@uwasa.fi (Timo Salmi)
Subject: Virus checking of archives from a batch (PC)

Sun 12-May-91: I have updated my collection of useful batch files to be /pc/ts/tsbat25.arc.
One of the constant worries of downloaders of archived packages is the threat of viruses. (Games from shady BBSes are particularly susceptible, but even commercial products have been known to be infected.) Fortunately there are good virus checkers like McAfee's /pc/virus/scanv77.zip and Fridrik Skulason's /pc/virus/fp-115a.zip available to check for infections.

There are, however, two dilemmas in checking archived packages on a routine basis. (Since the format garbo.uwasa.fi archives mostly uses is .zip, let's speak of zipped files.) The first problem is that there are so many executable compressors in use currently (such as lzexe, pklite, diet, tinyprog, etc). This means that unless the virus checking programs can observe all these variations, a virus can be hiding in an execompressed form. Therefore it is advisable to expand the executables for the check. A second problem is that .zip files occasionally contain embedded .zip files (eg PC-Magazine's collections often do). These embedded .zip files must be unzipped for a closer examination.

The earlier versions of the tsbat collection included a batch called scanzip.bat. I have completely rewritten this batch to take care of the two eventualities discussed above. I have renamed the rewritten batch scanz.bat. Note that before using this new batch, you have to go through scanz.bat and edit all the directory path references to correspond to your own configuration. This is, of course, an inconvenience, but it is the best way of guaranteeing that a batch as complicated as this stays reasonably efficient.

The /ts/pc/tsbat25.arc package is available from garbo.uwasa.fi and SIMTEL20 archives.

TSBAT25.ARC  Batch file collection, T.Salmi

Filename      Comment                           Date      Time
--------      --------------------------------  ----      ----
ADDPATH.BAT   Append directories to the path    10-21-90  17:44:06
APATH-OM.BAT  Otto Makela's version of addpath  01-13-90  12:32:30
ARC2ZIP.BAT   Single .arc to .zip with comment  10-21-90  11:11:02
ASK.EXE       Ask questions in a batch file     12-29-90  13:50:10
BLANK.BAT     Poor man's screen saver           03-28-90  10:42:54
BLK.BAT       Poor man's screen saver & popup   10-21-90  19:51:38
C.BAT         Lazy changing of directory        03-14-90  15:39:46
COLOR.BAT     Set screen color attributes       10-21-90  20:00:02
D.BAT         Directory with sort & wildsearch  10-21-90  20:09:32
DAILY.BAT     Run a program only once a day     10-21-90  20:11:52
DELDIR.BAT    Remove directory and its files    01-22-91  19:34:20
DELPATH.BAT   Delete a directory from the path  10-21-90  18:34:30
FU.BAT        Poor man's function evaluator     03-12-91  08:00:32
LASTBOOT.BAT  Show date + time of previos boot  10-21-90  20:22:12
LINK1.BAT     How to link batch files together  10-31-89  14:26:14
LINK2.BAT     Batch link demo's second file     11-15-89  12:23:24
LOCATE.BAT    Wildcard file find                01-14-90  11:22:56
LOGRUN.BAT    Log program usage & time and run  04-15-90  22:46:54
M.BAT         Give multiple MsDos commands      03-04-90  11:08:08
MAKESURE.BAT  Simple command.com virus warning  01-14-90  11:54:56
MENU.BAT      Run programs from a menu          12-29-90  16:55:30
POPDIRE.BAT   Restore (pop) saved directory     01-14-90  11:57:14
POPPATH.BAT   Restore the saved path            01-14-90  11:59:44
PUSHDIRE.BAT  Non-resident push directory       01-14-90  11:58:18
PUSHPATH.BAT  Save the current path             01-14-90  11:58:44
RUN.BAT       Testing for viruses               01-14-90  12:11:24
SAFEDEL.BAT   Safe delete of files              12-28-90  18:53:46
SAFEDEL1.BAT  Auxiliary batch to safedel.bat    12-28-90  19:01:28
SCANZ.BAT     Scan for viruses (incl. execomp)  05-12-91  07:24:16
SCOPY.BAT     Copy a file with a single device  06-28-90  12:09:08
SETCOM.BAT    Secure your command.com           10-28-89  19:41:08
SETPRN.BAT    Set an Epson compatible printer   03-13-91  07:39:10
SETPUSHD.EXE  Program for nonresident pushdire  01-13-90  17:33:42
SETVAR.BAT    Sets a variable for delpath.bat   01-15-90  22:19:38
SHOW.BAT      Wildcard multifile type command   10-21-90  20:40:20
SHOW1.BAT     Auxiliary batch for show.bat      06-01-90  06:07:08
TSBAT.INF     Document                          05-12-91  08:39:28
TSBAT.NWS     News concerning this package      05-12-91  07:36:34
TSPROG.INF    List of PD programs from T.Salmi  03-30-91  10:23:20
UNPACK.BAT    Unpack-test-view any archivetype  12-28-90  19:30:56
VAASA.INF     Info: Finland, Vaasa, U of Vaasa  02-02-90  11:52:54
VIRUS.BAT     Another batch-based virus test    10-21-90  20:47:04
WHERE.BAT     Generic searchstring fname find   10-21-90  20:48:26
ZIPDATE.BAT   Equate .zip date to latest file   01-10-90  22:49:00
ZOO2ZIPH.BAT  Single .zoo to .zip on harddisk   03-27-91  22:06:16
----          ------  ------  -----
0045          104534   59924    43%

...................................................................
Prof. Timo Salmi        Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.12.37
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi   Funet: gado::salmi   Bitnet: salmi@finfun

------------------------------

Date: 10 May 91 20:42:07 +0000
From: ut-emx!chrisj@emx.utexas.edu (Chris Johnson)
Subject: Gatekeeper 1.2 Release Announcement (Mac)

Gatekeeper 1.2 and Gatekeeper Aid 1.2 have finally been released. The complete distribution set will be sent to comp.binaries.mac and the info-mac archives. It is immediately available for anonymous ftp from the following archive sites:

Machine Name          IP Number
------------          ---------
ix1.cc.utexas.edu     128.83.1.21
ix2.cc.utexas.edu     128.83.1.29
bongo.cc.utexas.edu   128.83.186.13

The file is named gatekeeper-12.hqx and is located in the microlib/mac/virus directory on each of these machines.
This BinHexed self extracting archive file contains Gatekeeper 1.2, Gatekeeper Aid 1.2 and all associated documentation. Since it is a self extracting archive file, users of current Gatekeeper versions should place their copies of Gatekeeper in Override mode before clicking on the "Gatekeeper 1.2 Distribution.sea" file which will be generated by decoding the gatekeeper-12.hqx BinHex file.

Listed below, in no particular order, is a selection of brief descriptions of new features in Gatekeeper 1.2 and changes between version 1.1.1 and 1.2. This list is by no means complete but should serve to provide an impression of the scope of the changes to this version.

* System 7.0 compatibility. All other versions of Gatekeeper like to die when the File Sharing feature of System 7 is used. This version cures this problem very effectively.

* The interface has a new look. Where 1.1.1 supported 3 "screens" (Info, Settings and Help), 1.2 supports 6 screens in order to make room for a (hopefully) more pleasant and sensible user interface.

* Gatekeeper's Help display now supports Styled TextEdit in its System 6.0 and beyond implementations. This means that the help text will appear nicely formatted in Helvetica, Times and Monaco. This helps to differentiate the different sections of the Help display and adds useful emphasis throughout. Text in the Help display may be selected and copied to the Clipboard so it can be pasted into more convenient environments, like word processors.

* The Gatekeeper control panel now includes a section that allows the user to view the log file and to clear the log file when it gets too big.

* The privilege list is now sorted, and using the Clear button doesn't scroll the list back to the first item like it did in 1.1.1.

* The settings section now includes a check box called "Display a Mode Warning Alert". This check box allows the user to determine whether Gatekeeper will display its "Notify Only" alert every time the Mac boots in Notify Only mode. A "Notify & Veto" alert is also supported now, and the same check box regulates whether it appears or not.

* A "New" button has been added to the privilege list section. This button allows the user to add an item to the privilege list without going through all the business with the "Add..." button and the Open dialog box.

* Some privileges are no longer required. Programs and INITs that install drivers used to need Res(Self) privileges to do so, in many cases. In most cases these programs and INITs no longer need the Res(Self) privilege, so most of them have been removed from the default privilege list.

* Gatekeeper now supports privileges for Control Panel and Chooser documents, in addition to privileges for Desk Accessories, Drivers and Applications.

* Internal Errors are history. The problem was found and fixed.

* Gatekeeper no longer crashes Macs while they attempt to switch launch.

* It is no longer necessary to grant the System 7 Finder Res(Other & Sys) privileges in order to move desk accessories around. Gatekeeper detects these cases internally and deals with them very carefully without reference to the privilege list. So, DO NOT grant anything other than File(Other) privileges to the Finder.

* Gatekeeper deals with the bizarre (or, at least, unexplained) RsrcMapEntry calls made by the print driver in System 6.0.7 without assistance from Gatekeeper Aid.

* Gatekeeper now allows resources like the infamous Adobe Separator 'ADBS' to be added to the Desktop file without any fuss or privilege violations.

* Gatekeeper will no longer allow an odd value in its 'sysz' 0 resource. This will take care of an incredibly rare and obscure source of boot-time crashes on some Macs. Gatekeeper Aid, of course, has been retroactively correcting this problem for some time.

* Since Gatekeeper now allows users to read the Log file from the control panel, there's no need to continue locking the Gatekeeper Log file in order to make programs like MS Word happy. The log file is still stored as text, though, so users can read it with other programs, like their favorite spreadsheets, if they so desire.

* Special keys like the arrow keys, page up/down, and home/end are supported where appropriate.

* StuffIt, Compact Pro (Compactor), and Disk Doubler self extracting archives (SEAs) are now fully and transparently supported. No privileges are necessary in order for SEAs to do their stuff correctly.

* When viewing a privilege violation record, a button will be available which is labeled "Grant Privilege". Clicking on the button will cause the program listed in the dialog as "Guilty" to be granted the listed privilege. If you go to the Privilege section after clicking on the "Grant Privilege" button you'll find the "guilty" program selected in the privilege list for convenience. If an entry for that program already existed in the privilege list, the new privilege will be added to the existing ones.

* Items in the privilege list can now be selected by typing the first few letters of their names (just like you'd select files and folders in a conventional "Open" or "Save As" dialog box).

* Gatekeeper 1.2 is split into two parts; an INIT (which does the real work) and a cdev (which provides the user interface). In this respect it's very similar to the structure of Gatekeeper 2.0. There are several reasons for doing this:

  a. Since System 7 installs INITs *before* it installs any cdevs, having Gatekeeper continue to be a cdev file would mean that all the INITs would install before Gatekeeper and could potentially get around its protections as a result. Of course, users can explicitly put cdevs in the Extensions folder and thereby guarantee that they install at the same time as the INITs, but I don't think folks should have to deal with that kind of thing.

  b. Gatekeeper 1.1.1 was large. 1.2 is much larger. This means that it wouldn't stand a chance of fitting on a bootable 800K floppy disk as used in many university computer labs, for instance. By breaking it into two parts, the situation is much improved (although even the INIT portion of 1.2 is pretty big) since a preconfigured Gatekeeper can be placed on those systems without the large cdev. This leaves Gatekeeper fully operational but non-configurable (which is often a desirable thing in computer labs and similar environments) and reduces its storage requirements from 126K to about 60K.

* Another difference you'll notice is that there is now a Gatekeeper Prefs file. This file stores all the configuration information for Gatekeeper including all the privileges. There were a number of internal reasons for using a separate prefs file, but I think it may be useful to users as well since it provides an easy way of moving the configuration data between compatible versions of Gatekeeper. The Gatekeeper Prefs file will be created from scratch if the need should ever arise, but a default Prefs file is provided with an extensive set of default privileges already in place, for the convenience of everyone.

* Gatekeeper, Gatekeeper Controls, Gatekeeper Log, Gatekeeper Prefs and Gatekeeper Aid all have color icons. I hope they qualify as the "spiffy" icons people have been asking for for so long. :-)

* Gatekeeper Aid is now capable of running properly even when there is no free memory available. This should eliminate once and for all the -108 errors that have bugged users here and there for so long.

I hope everyone finds it useful.

Chris Johnson
Internet:   chrisj@emx.utexas.edu
UUCP:       {husc6|uunet}!cs.utexas.edu!ut-emx!chrisj
BitNet:     chrisj@utxvm.bitnet
AppleLink:  chrisj@emx.utexas.edu@internet#
CompuServe: >INTERNET:chrisj@emx.utexas.edu

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 80]
*****************************************