VIRUS-L Digest Tuesday, 14 May 1991 Volume 4 : Issue 82 Today's Topics: Bloody! (PC) Information on Joshi Virus (PC) Address; Eddie; "Virii;" 12 Tricks (PC) Re: Odd 77-byte files (PC) Re: TSR Virus Detector (PC) Re: What's so bad about self-extracting archives? re: Comparing virus scanners (PC) re: Into the 1990's re: Stealth viruses (PC) Re: F-PROT & FluShot+ (1.81) problems 3 . . . (PC) Re: Fw: Trojan version of VIRUSCAN version 78 (PC) Revised Product Test - - VIREX-PC, version 1.20 (PC) Revision to Product Test, F-PROT Version 1.15A (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 14 May 91 09:22:05 -0230 >From: Patrick Ryan Subject: Bloody! (PC) I recently found one of my floppy disks to be corrupted. When I scanned the diskette with Scan v. 77, I was told it was infected with the Bloody! virus. I ran Clean-Up v. 77, and it was successfully removed. However, I have since scanned *all* the software I used in the previous week or two, and found no trace of it. Does anybody have an explanation for this? Is it possible that a corrupt file header could be misconstrued as a virus? Or is the "gestation" period of the Bloody! virus longer than a week or two? Help! - -- +----------------------+-------------------------------+----------------------+ |D. Patrick Ryan |"As the people here grow colder| Support freedom of | |Faculty of Engineering| I turn to my computer | expression! Protest | |Memorial University | And spend my evenings with it | the censorship of | ------------------------------ Date: 14 May 91 17:41:28 +0000 >From: n054gi@tamuts.tamu.edu (Apurva Shah) Subject: Information on Joshi Virus (PC) This is in relation to the couple of questions that were raised about the Joshi virus. I am a student from India and while there I had done some work on virus detection and cure. Coming to the point. Joshi is a partition table virus (much like Stone). According to popular belief it originated in Pune (a city very close to Bombay). The reason why the virus got its name is that on the 5th of Jan, if one is to boot the machine with the virus active, a message appears wishing Mr. Joshi a very happy birthday. In fact one is asked to type this very message out in order to proceed further. This is a general description of the virus behaviour. Now, for the more interesting part on how the virus works. When the user boots with a infected desk. The virus copies itself to the partition table (first physical sector on disk). The original partition table is moved to sector 7 (or is it 11? Can' remember exactly.) This is necessary cause once the machine is normally booted and the virus is activated control needs to be passed ot the original partition table. Here we have a catch. If the machine is once again booted with the virused disk. Joshi has a hard time figuring out if it is already on the first sector. So what it does in such a situation is to paste a copy of itself on the 7th sector and once again copying itself on the 1st sector. The result ofcourse is disastorous, since no signs of the original partition table remain and the machine will refuse to boot. This explains the apparent time delay in the viruse being activated. About the real time clock err orm I have never faced such a problem. Finally, at least to my knowledege, the Joshi virus does not deal with files. One has to keep in mind that it is a partition table virus and enters the picture before DOS loads, namely when there is no concept of files. However, if the version of the virus running around in the U.S. is a modification of the original virus that might explain it. What is the solution to this problem? I have a program with me which recreates the partition table. In fact, I have a interesting little set of programs which do some simple yet effective things. That apart thet are all written in C including the TSRs. Actually that is not completely correct, there is a bit of assembly embedded in there. I would like to post this programs including the source at some ftp site after having them verified by some virus 'guru'. Any volunteers? Regards Apurva Shah (ashah@cs.tamu.edu) ------------------------------ Date: 14 May 91 12:14:00 -0600 >From: "William Walker C60223 x4570" Subject: Address; Eddie; "Virii;" 12 Tricks (PC) Four things: First, Greg Broiles ( greg@agora.rain.com ) writes: > > Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) > old signature - address bad! That is my current address -- the VIRUS-L server sends the VIRUS-L issues to it successfully. Perhaps your name server didn't recognize it -- try using 26.14.0.41 instead of AEDC-VAX.AF.MIL. Second, Rob Slade ( p1@arkham.wimsey.bc.ca ) writes: > Question 5: Who is "Eddie"? (10 points) > You would have a great time going through the old issues researching > this one. I think the Heavy Metal crew have one the day on this one. I have read back. My comment about "Eddie and the Cruisers" was just my two cents worth, and an alternative to the "Iron Maiden" idea. Third, A. Padgett Peterson ( padgett%tccslr.dnet@mmc.com ) writes: > Subject: re: Virii (sic) in Factory Software You're right, I'm wrong. I looked it up. The correct plural of "virus" is "viri," with one "i," not "virii" like I've been spelling it. That's what I get for believing what people tell me. :-) Fourth, I have uploaded a file, 12TRICKS.TXT, to CERT.SEI.CMU.EDU (128.237.253.5). Ken has made it available in /pub/virus-l/docs. It contains an in-depth analysis of the Twelve Tricks Trojan Horse by Dr. Alan Solomon of S&S Anti Virus Group and Christoph Fischer of Micro-BIT Virus Centre, University of Karlsruhe. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "I think, therefore I am. Arnold Engineering Development Center | Nah, I think not." M.S. 120 | *POOF* Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: 12 May 91 23:13:35 +0000 >From: n054gi@tamuts.tamu.edu (Apurva Shah) Subject: Re: Odd 77-byte files (PC) It is very likely that the files that were created having the _xe and _om extensions contained the headers of the respective EXE and COM files. This files are then used by some virus detection program to look for changes in the header of the original files. The assumption of course being that the infecting virus would have to change the header of the original file. To sum up these files are absolutely harmless! and erasing them also is no cause for concern. Since this is the first time I am posting in this news group, let me introduce my self. My name is Apurva Shah and I am a student from India. At present I am doing my Masters in Computer Science at the Texas A&M University. I have been working with PC based viruses for about two years. I was heading the anti-virus cell for V.M.C.I., which is a computer class in Bombay and have also authored the first public domain Indian anti-virus software called the NASSCOM Vaccine set. The NASSCOM vaccine set is a bunch of generic vaccines and anti-virus programs. I have a copy of the set with me, but would like to know how I may put it up on some intrested bulliten board so that others may use this software. Any help in this direction would be appreciated. Regards Apurva Shah ------------------------------ Date: Mon, 13 May 91 13:15:00 +0300 >From: Y. Radai Subject: Re: TSR Virus Detector (PC) In connection with my comparison of F-LOCK, FSP, SECURE, TSAFE, and VTAC, Esa Holmberg writes: > I'm afraid you have tested a wrong program; F-DRIVER > would be the actual resident virus tester of the F-PROT > package, and not F-LOCK. No, that's incorrect. I don't know if your mistake is in not knowing how F-DRIVER works or in confusing two different types of resident anti-viral programs: (I) Those which search for *specific strings* (or patterns), each characteristic of a particular *known* virus, within program files which are about to be executed, and (usually) also in boot records when the anti-viral program is loaded. Such programs must be updated continually to catch new viruses. (II) Those which warn of suspicious activity by intercepting attempts to modify executable files, to stay resident, to format disks, etc., regardless of the source of this activity. (It might be a virus, a Trojan, or some perfectly innocuous program; and if a virus, it may be a known one or an unknown one.) Such programs do not ordinarily require updating. Now John Councill's question certainly resembled Type II more than Type I, so I referred to the five programs of this type which I had compared, and that includes F-LOCK. F-DRIVER, on the other hand, is of Type I, and therefore was not an appropriate program for my compa- rison. (When I say that a program is of Type I, it may include a few Type-II features as well, but certainly F-DRIVER and V-Shield are basically of Type I.) Perhaps my posting would have been clearer if, instead of calling Type-II programs simply "monitoring" programs, I had called them *generic* monitoring programs. F-LOCK is generic; F-DRIVER is not. (Btw, there are also generic *disinfection* programs, i.e. programs which in the great majority of cases can restore a file to its original state regardless of the virus which infected it.) Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Tue, 14 May 91 08:51:00 >From: Murray_RJ@cc.curtin.edu.au Subject: Re: What's so bad about self-extracting archives? groot@idca.tds.philips.nl (Henk de Groot) writes: > Murray_RJ@cc.curtin.edu.au writes: > >>magnus%thep.lu.se@Urd.lth.se (Magnus Olsson) writes: >>> Can't you just first run the archive file through your favourite virus >>> checker, and if it passes the test extract it, and then test the >>> individual files that were inside it? Or have I missed something? > >> Well, yes, I suppose you could, but it involves an extra step which >>is unnecessary. The other objection I have with self-extracting >>archives is that you're stuck with extracting the whole lot, even if >>you only want to find out what the !@#$%^&*() thing does. > > Most of the popular archiveing programs (ZIP, LHA, ARJ) are able to > extract files from their SFX files. If you insist on using a shell on > it just rename the .EXE file to a file with the proper extension. You > can avoid virus problems this way. Very, very good. Ten points out of ten. See me after class. Only one problem: How do I find out what format the thing was archived in in the first place, when all I'm confronted with is a .EXE file? If there was only one standardised archive format then there wouldn't be any problem, but that was apparently too simple. My contention is that self-extracting archives are one of those things that became technically possible, and were implemented before it was found that they were a complete waste of time. Perhaps we should move this discussion elsewhere: it's getting less and less to do with viruses (virii?) .....Ron =============================================================================== Internet: Murray_RJ@cc.curtin.edu.au | "A pipe gives a wise man Bitnet: Murray_RJ%cc.curtin.edu.au@cunyvm.bitnet | time to think, and a UUCP : uunet!munnari.oz!cc.curtin.edu.au!Murray_RJ | fool something to stick Amateur Packet Radio: VK6ZJM@VK6BBS.#WA.AUS.OC | in his mouth" TCP/IP: 44.136.204.14, 44.136.204.19 | -- Murphy's Law I =============================================================================== ------------------------------ Date: 14 May 91 11:00:54 -0400 >From: "David.M.Chess" Subject: re: Comparing virus scanners (PC) > From: frisk@rhi.hi.is (Fridrik Skulason) > > ... > Virscan 1.45 [very bad numbers] > ... I hope that's not IBM's VIRSCAN? If it is, it's a version from *last June* (and an internal, not a product, version at that). If that's "available" in Austria, it shouldn't be. On the other hand, there are a few different products in the world called "Virscan", so perhaps this line is about something else. It might be helpful if the manufacturer were listed for all the programs named in lists like this. (It's also in general not a good idea to do timing-tests on infected files; IBM's scanner, for instance, stops for a good half-second to "beep" when it finds an infected file, which will add greatly to the timings if infected files are used for tests! Real users, of course, probably don't care how long it takes to scan infected files, just clean (normal) ones.) DC ------------------------------ Date: Tue, 14 May 91 14:15:53 >From: microsoft!c-rossgr@uunet.uu.net Subject: re: Into the 1990's >From: Padgett Peterson > >First I would like to offer an apology to Ross Greenberg (Flu-Shot) >and Fridrik Skulasson (F-Prot). Most happily accepted, Padgett. Sometimes we sorta forget there are real people on either end of these silly tubes before us. Sorry I was a bit hasty in my response to you originally. >communications capability. These people [end users]are not interested in which >strain of the 4096 they have been infected with, their concern is that >the machine is operating properly and without any hidden "extras". Stop for a moment and consider what we're dealing with here: a modified 4096 that was not released into the wild. It was a "lab" virus and scanners and monitors that are tuned to Version A might not find/detect/stop some Version B until they, themselves, have been modified. One of the big problems we, as anti-virus vendors and researchers, have is in getting these "lab" viruses to add to our product/knowledge-base. (See below in my response to Dave Chess why this is still important). This does not mean, however, that you're wrong. >What the user needs to know is that SOMETHING has happened and that a >technician is needed to interpret WHAT - wheter it be a problem caused >by power supply (I see a lot of these), drive, ICs, or malicious >software. Yes, just as most people do not work on their own cars when the problem is serious enough, but you're not really expected to call in AAA when you have a flat tire -- you should fix it yourself. I think the virus problem is growing. I think the anti-virus solutions are still in their infancy. Code such as my FLU_SHOT+ was initially designed to help out the more techie among us: the interface is, certainly, not user friendly. Newer code, such as my Virex-PC (and, giving credit where credit is due, my worthy competitors from Symantec and Central Point) is being constantly tweaked to make it not only better anti-virus software, but easier to use anti-virus software: the simple "Abort, Retry, Ignore" message is no longer acceptable in a product. Instead lots of time is spent in making the product user friendly enough that the number of tech support calls goes down to virtually zero. There is considerable incentive in making the product easy for *everyone* to use: the techie and non-techie alike. I don't see that a technician is going to be required for the more "popular" problems: they must be dealt with eventually if for no other reason than that tech support calls are very expensive. A new and hidden strain of a virus hasn't reached that category yet, obviously. >Today, viruses seem to account for on the order of 10-20% of the >trouble calls I get. They are significant enough to warrant avoidance >measures, but not anything to panic about. *This* is what the news media should be reporting. It's not something to panic over, true, but that's an *amazing* percentage of trouble calls due to viruses. Think of the cost to business today when their copy of a program doesn't work and they call up tech support because of the problem! >The real point I have been trying to make for some time is that such >[integrity]checking IS NOT DIFFICULT, orders of magnitude less > than what it takes to write a good word processor, it just has not > been done yet. You mentioned a few products and their methods, so its obvious that this integrity checking *IS* being done (FLU_SHOT+ has had integrity checking on program run for about three years, I guess). Now, is this integrity checking being done *properly*? Interesting question and one that only the marketplace can answer by what they select for their purchase (or freeware usage). Something like the example you gave of Norton's potential 9Mb overhead is ridiculous (not the example, but the instance!). That showsd a considerable lack of understanding about the market. Wanna bet that the next release of the code does things differently? If not, it'll probably be a dead product. Your subsequent points (not quoted herein) are good ones. Resident integrity checking, and access control, is a worthy goal of any of the anti-virus products. However, remember that it can and *will* be circumvented the first time somebody boots off a floppy. Signature checking, integrity checking, whatever: none of them can slap the wrist of somebody who boots off an infected disk with stealthing viruses on it, combined with people who really think that extra five seconds (or whatever) on a memory scan is too much "wasted" time. That's why the anti-virus code out there has to do more than simple integrity checking. > Comments welcome, > Padgett Okey doke: who do I send them to? :-) Ross M. Greenberg Author, Virex-PC & FLU_SHOT+ ------------------------------ Date: Tue, 14 May 91 14:18:19 >From: microsoft!c-rossgr@uunet.uu.net Subject: re: Stealth viruses (PC) >From: frisk@rhi.hi.is (Fridrik Skulason) > >I am working on an article on "stealth" viruses, and was wondering if I had >missed any of them - here is my list: >Did I overlook something ? Perhaps the Tequila virus? Seems to be gaining in "popularity". Ross ------------------------------ Date: 14 May 91 19:09:55 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: F-PROT & FluShot+ (1.81) problems 3 . . . (PC) I wrote: >*So - with the current generation of scanners, this problem cannot be >*avoided. umbc3!umbc3.umbc.edu!cs106132@uunet.UU.NET (cs106132) replied: > Not at all. I have seen at least one beta-test version of a >new product that does not suffer from the mentioned problems. Please read wnat I wrote - "current generation of scanners". It is possible to write anti-virus procucts which can handle some of the "unsolved" problems of today, such as... ...stopping interrupt "stripping" viruses. ...stopping viruses which jump directly into ROM. ...detecting all "stealth" viruses, even if they are active (the problem i refered to). and so on. The point is that such software does not exist today, but many anti-virus companies are working on this - and we can expect those features soon. However, those products are the "next generation" of anti-virus software. - -frisk ------------------------------ Date: Tue, 14 May 91 14:06:54 -0500 >From: mbaker@logdis1.hq.aflc.af.mil (Michael Baker;LMSC/SXSC) Subject: Re: Fw: Trojan version of VIRUSCAN version 78 (PC) > TROJAN VERSION OF VIRUSCAN VERSION 78 Aryeh, MSgt Michael Baker here from Wright-Patterson AFB, Oh. There is also another version of McAfee's virus scan program called vscan82. This version surfaced in the Dayton Oh area a few months back and McAfee was notified. He seemed really upset, which I can understand, cause the someone who is doing this is out to ruin McAfee. One of the local BBS sysops here is on a first name basis with McAfee. I think his bbs alone has had about 10 virus infected programs uploaded to him. In our organization here we had 8 cpu's infected with the 4096 virus. We think that it came from a game, but with it infecting just about all files, it is hard to narrow it down. Now there is a scare out on the "STONED" virus. Have not seen it as yet, but the way things go, I am sure it won't be long. If you find any other info on the virus scare, let me know if you would, please. I operate a bbs for the HQ AFLC called the Info Center BBS, (513)257-7416, and pass along information like this out to the gov't users. Later Michael Baker ------------------------------ Date: Mon, 13 May 91 12:03:44 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revised Product Test - - VIREX-PC, version 1.20 (PC) ******************************************************************************* PT-23 March 1991 Revised May 1991 ******************************************************************************* 1. Product Description: Virex-PC is a software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment. 2. Product Acquisition: Virex-PC is available from Microcom Software Division, P.O. Box 51816, Durham, NC 27717. The telephone number is 919-490- 1277. The price is $99.00. There are several third party vendors who sell single copies at a significantly reduced cost. 3. Product Testers: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. 4. Product Test: a. I acquired Version 1.0 in December 1990 for $70.00 from Telemart in Phoenix, Arizona. After I completed and mailed the registration card, Microcom shipped me Version 1.1a. I thought this was a good marketing strategy on their part, even though they were under no obligation to do so. In May 1991 I received Version 1.20 directly from Microcom. This was a surprise since I expected to have to pay for any upgrade and because I had not subscribed to their annual update service. A telephone conversation with a Microcom represented confirmed that the vendor had chosen to send out the upgrade to all registered users free of charge. I have no idea how long this will continue. [Ed. The remainder of this revised product review is available for anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews.] ------------------------------ Date: Tue, 14 May 91 08:38:28 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Revision to Product Test, F-PROT Version 1.15A (PC) ****************************************************************************** PT-17 August 1990 Revised May 1991 ****************************************************************************** 1. Product Description: F-PROT is a complete package of programs designed to provide viral detection, disinfection, and protection. The individual user has the discretion to activate specific programs in the package. 2. Product Acquisition: F-PROT is a shareware program distributed by Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. His E-mail address, as of April 1991, is frisk@rhi.hi.is. Mr. Skulason has posted F-PROT on a number of Internet sites. The program is on the USAISC-White Sands host simtel20. With version 1.14 the program is free if a user utilizes it on his or her personally-owned computer. There is a registration fee for commercial and government users. Site licenses are available as well as discounts for multiple copy registrations. This revision addresses version 1.15a, available in the simtel20 path: pd1:fp-115a.zip. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The remainder of this revised product review is available for anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews.] ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 82] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253