VIRUS-L Digest Tuesday, 28 May 1991 Volume 4 : Issue 91 Today's Topics: A question regarding commercial dial-up services Software Upgradable BIOS (PC) Interesting advert (PC) Virus detection via crcs Virus-Buster (PC) MBOU101.ZIP (PC) Hard Disk R/W errors (PC) FSP and sales figures (was: Into the 1990s) Trends (Network World, May 13, 1991 Re: Tequila virus (PC) new virus ? (PC) Review of Mace Vaccine (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Sat, 25 May 91 21:15:46 -0700 From: lev@suned1.Nswses.Navy.Mil (Lloyd E Vancil) Subject: A question regarding commercial dial-up services I have a question. In the form of a senario; Given: A BBS service distributes a program that you must run in your machine to use the service. ( ;-) guess who! ) This service becomes very popular with computer users who are less technically inclined. It is very flashy and popular with children. As part of the program a very large file is installed in the PC's disk that is used to "stage" graphics "primitives" screens. Investigation reveals whole blocks of ram have been dumped to the file. Typical finds include, dos environment information, disk directories, pieces of files that were deleted by dos (but not removed from the disk surface). I'm just enough of a skeptic to ask why "Whole chunks of ram" are dumped, but that's a question for comp.programmer Here's the virus question. Question: Would it be possible; 1. for a memory resident virus to be scooped up by this service.. and return to reinfect the machine at a later date? Presumably by the service's reusing of the file fragment that contains the "screen primitive" and the "scooped" virus code. 2. for a virus to be written to take advantage of this transmission method? (I'm not sure that the "service" retains a complete copy of it's users "staging file"; after all they claim nearly 1 million users and at ~1meg per user that's 10^12 bytes? (wow) And I'm not sure the data from one user is seen by another's machine.) - -- | suned1!lev@elroy.JPL.Nasa.Gov | * S.T.A.R.S.! . + o | | lev@suned1.nswses.navy.mil | The Revolution has begun! . + | | sun!suntzu!suned1!lev | My Opinions are Mine mine mine hahahah!| ------------------------------ Date: Sat, 25 May 91 10:02:00 +0700 From: "Jeroen. W. Pluimers" Subject: Software Upgradable BIOS (PC) >Intel has announced a chip which would allow users to upgrade their >BIOS using a floppy disk. The term I saw was "erasable programmable >read-only memory (EPROM)," but more likely the actual technology >in the chip is EEPROM (electrically erasable programmable ROM) or >EAROM (electrically alterable ROM). >From what I understand this is quite common, most ROM BIOS manufacturers use EEPROMS which can be repogrammed when you have: a) the new EEPROM image (on disk or as an (EEP)ROM) b) and EEPROM programming device that can program that kind of EEPROM c) a very strong UV lamp to erase a programmed EEPROM At first sight I wouldn't be too much afraid from what Intel says now. It would be a whole other story if PC's became able to deliver the programming voltages and some way of eraseing pieces of an EEPROM. That way, virusses might possibly alter the BIOS in such a way a virus would be effective from before the POST and protect itself in a very nasty way. Cheers, Jeroen W. Pluimers P.S.O. snail: P.O. Box 266 2170 AG Sassenheim The Netherlands phone: +31-2522-11809 18:00-21:00 UTC fidonet: 2:281/521 2:281/515.3 bitnet: FTHSMULD@HLERUL52.BITNET PLUIMERS@HLERUL5.BITNET internet: fthsmuld@rulgl.LeidenUniv.nl pluimers@rulcri.LeidenUniv.nl ------------------------------ Date: 27 May 91 16:42:58 +0100 From: "K.Stevenson" Subject: Interesting advert (PC) Just read an interesting ad in Personal Computer Magazine, April 1991 VNU 404, page 135. It seems that most of us can now sleep easy if the claim made in this advert is true - what will all you EXPERTS do ?! Before I pass the details to you please note my disclaimer that I do NOT represent this company in any way and vievs are my own etc etc Ok whats all the fuss about then ... Vaccine anti-virus system - "Vaccine is virus-non specific detection software. It uses cryptographic checksums to monitor the state of executables on a PC or file-server. Any change, however caused will be detected. Since Vaccine does not need to know about particular viruses in order to detect them, it is future proof. Once installed, Vaccine will detect all viruses, past, present and future." Various other details follow on price etc This product is sold by S|O|P|H|O|S of England Well - this should cut down the e-mail to Virusl-l if we can ALL afford it! Comments welcome ! (and I can't imagine that there woun't be some) Kenny Stevenson Edinburgh Uni Comp Service ercn53@uk.ac.ed.ercvax ------------------------------ Date: 22 May 91 13:21:10 +0000 From: john.blakeney@f1701.n713.z3.fido.oz.au (John Blakeney) Subject: Virus detection via crcs crd check is only effective way of looking for viral activity unless search strings are known for the viruses listed in letters. trhere is no known virus(to my knowledge which does not alter crc check. the only way to dodge this check would be to alter files so that there is no change in crc. there has been a rumour of a virus which was written in a command.com file and the alteration of the crc was only by one bit! even in this case the truncating of the command com files to accomodate the virus was unsuccessful in hiding it. There havew even been rumours ofscan being infected because another viral check found a string which resembled that of a known virus.(sorry about lousy typing!) - --- TMail v1.21j * Origin: Prophet BBS (3:713/1701) ------------------------------ Date: Tue, 28 May 91 05:44:59 +0000 From: phan@latcs1.lat.oz.au (Trieu B Phan) Subject: Virus-Buster (PC) Has anyone ever used that(Virus-buster). It seems strange to me,I have installed it on my PC and after I reboot the PC is hang,I have to use a bootdisk to turn on. Any ideas,please drop me a line. Thanks in advance ! ------------------------------ Date: Tue, 28 May 91 01:18:19 +0000 From: jacksch@insom.pc.ocunix.on.ca (Eric Jacksch) Subject: MBOU101.ZIP (PC) It has come to my attention that one of my utilities (for FidoNet and other compatible PC networks) is being labelled a trojan by an Ottawa system operator. Due to other activities by this person, which I will refrain from discussing here, I strongly suspect that this claim is being made maliciously and without cause. The software was beta tested on systems which contained the same files which the said person claims are corrupted. In fact, the software does not access these files. In addition, the software was released in late January, this is the only such claim which has been made, and the timing corresponds with the release of a larger network utility with commercial possibilities. I am unable to reproduce the claimed results. Notwithstanding the above, users of MBOU101.ZIP are cautioned that it is possible that someone has tampered with the program. Should you have any doubts whatsoever, a clean copy can be file requested from Fidonet 1:163/111, or from any Fidonet SDS site. If you have any concerns whatsoever, please feel free to contact me. - -- Eric Jacksch, jacksch@insom.pc.ocunix.on.ca (UUCP: aficom!insom!jacksch) ------------------------------ Date: Tue, 28 May 91 14:30:00 +0100 From: "Schwegler Ralph" Subject: Hard Disk R/W errors (PC) Hello, When i first switch on my computer, my HD (Seagate SR-238) works well. But after some minutes, there are many R/W errors. I am using DOS 3.21; i have low level formated my HD as a SR-238R HD, with Seagate's Diskmanager. I could not find a virus, either with f-prot 115 or scan 77. If i list the TSR, there is a 3120 bytes long file labelled ?. Could that be the cause of the harddisk problems ? Thanks for your advices. Ralph Schwegler, student at University St.Gallen for Economics (CH). E-Mail : 89611628@csghsg54.bitnet / 89611628S@gamma.unisg.ch ------------------------------ Date: Tue, 28 May 91 15:49:00 +0300 From: Y. Radai Subject: FSP and sales figures (was: Into the 1990s) Ross Greenberg writes in response to my posting: > To paraphrase your past arguments for the readership, I believe you > commented that FSP's installation was such a pain in the butt that few >people used the integrity checking feature FSP includes. Well yes, I was referring to that ... plus the fact that after three years of existence FSP still has no provision for checking the partition record (master boot record) ... plus the fact that for any given file, FSP gives the same checksum for all users, which (imho) is a security hole. (At least, these were true the last time I looked.) But just to show that I don't think your integrity checking is *all* bad :-) , I found that FSP was faster than any program based on a CRC over the entire file. I gladly accept your suggestion to continue the discussion on these points at the Virus Bulletin conference. (In fact, part of my lecture will deal with weaknesses like the above even if I don't specifically mention FSP.) But in my last posting I was concerned with FSP not in itself, but merely as an *example*: Since the vast majority of users don't check for weaknesses like these before they buy a program like FSP, high sales figures do not prove that the software is good. I don't deny that quality of software has *some* relevance to sales volume. The question is *how much?*. You didn't react to my statement that if the correlation were high, "we could completely dispense with all the quality comparisons that are continually being made in the literature, and simply quote sales figures." Is that what you're suggesting? Anyone else in this forum have an opinion on how high the correla- tion is between quality of software and sales volume (for products in the same price range)? Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Tue, 28 May 91 09:34:00 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Trends (Network World, May 13, 1991 The "Trends and Technologies" page of "Network World," May 13, 1991 carried the following headline in a box: "Viruses specially made to destroy nets." "Science hasn't cured the common cold after decades of trying. The prognosisis, unfortunately, is equally gloomy where the diseases of networking -- computer viruses and worms -- are concerned. "And the virus stituation is worsening. Virus experts predict a trend of virus strains -- and other plagues -- that are aimed specifically at bringing down networks," writes Kris Herbst. One expert "says the new threats will be designed to more effectively cause damage to a network." "Specifically" and "designed." Strong language. The viruses that we have are bad enough, yet most of them were loosed in comparative innocence. Now few people are any more aware than I am of the difficullty of getting reporters to print it straight. I am sympathetic to the "expert" embarrassed by this prediction. (Read on; it could be almost any of you.) Embarrassed for him (well, that eliminates about half of you.) If he said it, he should be embarrassed because such speculation is unwarranted by the evidence, except to the extent that it tends to be self-fulfilling. If he did not say it, I hope that he will write a letter to the editor. Now, who is the expert? The victim? The perpetrator? Why our very own Klaus Brunnstein. Too bad. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Tue, 28 May 91 11:15:02 From: microsoft!c-rossgr@uunet.uu.net Subject: Re: Tequila virus (PC) >From: Padgett Peterson > >Ross: It would be interesting if you, Frisk, & I ever get together >at a bar but they'll have to provide a padded room & unbreakable glasses. Hey, take some time off and come on over to the UK this September for Ed Wilding's little get together in the Channel. I expect it to be *very* good [for those who are not aware of it, the Virus Bulletin is having an international virus seminar where just about everybody who is anybody will either a)be speaking or b)be in the audience making fun of those who are speaking. It ain't cheap, but I think it'll be real good.] >>Sorry: I don't count "wild card" strings as a search pattern. There's >>too much chance for false positives. >Why do you disagree with "wild cards"? For example, if I find a boot >sector that contains MOV AX,[413] MOV [413],AX I would >suspect a virus reguardless of what went on in the area. >To me a variable length "wild card" to replace would be >very useful in this case. In our tests for Virex-PC's scanner, we throw it up against a coupla network servers filled to the brim with every piece of software we can find. When we let a new scanner with new strings loose on it, any false positives based upon our string library and our program library will show up quickly. I've found far too many false positives with wild card patterns than with either fixed patterns or algorithmic pattern matching schemes. Since false positives remove some of the credibility of the product with corporate clients, we've worked long and hard to make sure that we don't have them: only two false positives to date for a product about a year old; that's not too bad at all (> 400 strings in the current release). When I report that there is a virus in a program or in a boot sector, I want to be sure. >I agree that the potential for false positives exists, but as an >intial mechanism that determines a maxterm/minterm decision tree >structure or to provide a public signature without revealing to much >of the viral design, such a "wild card" function would be very >effective. Part of the advantage of working hard on a fast search engine: some cycles to spare. If I put in a search string that is "wild carded" and get a hit on some program to verify later with some other method, why not just check that other method first? That's what I'm doing with about a half dozen viruses and I was able to accept a 1-2% hit on speed as a consequence of the action of checkinbg completely for the virus instead of playing with wild cards. Although I understand the desire for wildcarding (it certainly makes turning out a new piece of code a quick turnaround!), I just don't think it buys enough to feel safe with. But, well, to each their own! Cheers! Ross ------------------------------ Date: 28 May 91 19:04:28 +0000 From: dougmc@ccwf.cc.utexas.edu (doug d'glaren) Subject: new virus ? (PC) I just finished cleaning up my hard disk after getting a virus from a local BBS, and I've told them about it, and they've removed the offending program, and everything is fixed, but some questions remain. I know some things about virii, mostly from what I've read in various text files on the subject and anti-virus program's doc files, so I was able to figure out what was going on and get rid of it, and I had backups of most of the files that were damaged so I came out ok, but I would like to know if anybody else has had problems with this virus. First of all, SCAN77 does not recognize this virus. So I am led to believe that it is rather new. If only SCAN77 did recognize it, it would have saved me a lot of aggravation! I now use a disk monitoring program when checking new programs, but hindsight is always 20-20 ... Well, here's some characteristics of this virus: I got it from a program called DI.Exe, which is a small directory making program. When this program ran, it ran drives A and B (I noticed this, but paid it no mind! Once again, hindsight ...) It was, I later learned, looking for files to infect. What it did was copy a copy of the virus to every EXE file it could find. When these programs were run, they again tried to copy the virus. The virus apparantly does NOT go TSR, but infected EXE files seem to only have about 24k to run in, (An infected MEM.Exe file said maximum executable file size was about 24k) so most of my EXE programs wouldn't work after that, complaining about lack of memory. DI.EXE ran fine, of course. These EXE files grew by about 3k, the exact amount varying from file to file. The virus did not seem to care if a file was read only or not. It also created hidden system files in every subdirectory, named just A, B, C, D, E etc. I don't know what their purpose was, but as the infection progressed, I saw higher and higher letters. Perhaps a countdown of some sort? I don't know. The virus did not appear to do anything else other than infecting EXE files which propagated it. The virus contains this string which I used to search for it (it doesn't appear to be self encrypting or anything funky like that ...) 43 83 FB 0A 72 ED 2B DB EB E9 C3 2E FF 06 FD 00 2E FF 2E FF 00 In the scanning program that I made I looked for the text string of Alt-114, Alt-237, ... 043 219 235 233 195 046 (you get the idea ...) Does anybody know anything about this particular virus? I would like to know a little more about it. Besides the sysop of the BBS isn't convinced that it was a virus, and I'd like to know it's not just me. dougmc@ccwf.cc.utexas.edu aka Doug McLaren ------------------------------ Date: Fri, 24 May 91 16:41:02 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Review of Mace Vaccine (PC) Comparison Review Company and product: Paul Mace Software 400 Williamson Way Ashland, OR 97520 USA tech support 503-488-0224 fax: 503-488-1549 sold and supported through: Fifth Generation Systems, Inc. 10049 N. Reiger Rd. Baton Rouge, Louisiana USA 70809 1-800-873-4384 sales and info 504-291-7283 tech support 504-291-7221 admin telecopier: 504-292-4465 Mace Vaccine-Anti-viral software version 3.0, 890505 Summary: Activity monitoring software, plus change detection Cost Rating (1-4, 1 = poor, 4 = very good) "Friendliness" Installation 3 Ease of use 2 Help systems 1 Compatibility 2 Company Stability 3 Support 1 Documentation 1 Hardware required 1 Performance 2 Availability 2 Local Support ? General Description: SURVEY.EXE is a change detection program which calculates and stores signatures of files. VACCINE.EXE monitors attempts to modify system areas of hard disks, and may use the data from SURVEY.EXE to alert to changes in programs as they are invoked. Recommendation limited to *hard disk only* systems in situations where technical support staff are responsible for system integrity and need to have records of changes. Comparison of features and specifications User Friendliness Installation The program disk is shipped write protected, but on a writeable disk. The first line of the installation instructions, however, do stress the importance of write protecting the disk before putting it into any drive. The README.TXT file is referred to in the installation documentation, but (with this version) contains only the note that the documentation is up to date. (The fact that this note is dated two years past is not reassuring.) The README.TXT file is suggested to be viewed by running README.BAT, but this requires that the MORE program be in the effective path. Installation consists simply of copying the files. The files can be renamed, but the documentation does not note the necessity of keeping the proper extensions. (Admittedly, any user who knows how to rename files will likely also know the importance of extensions.) Ease of use There are two separate programs in the package. SURVEY.EXE calculates a "check value" for each file in all subdirectories on the current, or any specified, disk. The values are kept in a file called HELP.CRC on the root directory of the checked disk. The check value is a four digit hexadecimal code, and the name of the file would seem to indicate that this is a CRC calculation rather than a checksum. Once the "survey" has been done once, all, or specified individual, files may be checked against it for changes. If a program has been altered the user is alerted (but no action is suggested) and any changes are noted in a file called CHANGES.CRC. New programs are not noted in the CHANGES.CRC file. System areas are not checked: the package relies on the action of VACCINE to stop any attacks on the boot sector or partition table. The other program, VACCINE.EXE, is a resident program which can be invoked with a number of switches to allow for three different levels of protection to direct action against hard disk system areas. Although the different levels are explained clearly, the decision as to which level or option to use is not supported by discussion in the manual. The package gives the initial impression that these functions are integrated, and that complete protection against viral infection is provided. Further exploration, however, reveals that each program must be used indepenently, and that checks for modification of files or system areas are by no means assured. Help systems There are no help systems. Compatibility The program does not protect against infection by the Stoned virus, or any other boot virus. In testing, it did not detect the presence of the infection on the hard disk, and did not prevent infection of floppy diskettes. Although the documentation refers to protection of floppy diskettes (and how to turn it off), further reading indicates that this refers only to prevention of formatting of diskettes. Further testing, in fact, reveals that there is almost no protection provided to floppy disks, and, indeed, that it is *not possible to run the program on a floppy only system*. The VACCINE program will not go resident if a hard disk is not present. This is nowhere mentioned in the documentation (which states that it "works on all IBM and compatible machines with DOS 2.0 or higher, and uses slightly more that 6K of memory." It is also not noted by the program: when invoked it merely states that a hard disk is not present. The VACCINE program apparently makes no attempt to prevent changes to program or other files, but does prevent changes to system areas of the hard disk. (Depending upon the level of protection selected, this may only be extended to the first hard disk.) Therefore, system management utilities may conflict with the package. The documentation specifically warns against the use of disk testers, defragmenters or sector editors while VACCINE is operating. The program can be "turned off" to allow operation of such programs. Also, any programs which alter their own code will generate alerts by the SURVEY program, or by VACCINE at level 3. Company Stability Unknown. Company Support Unknown. Documentation The documentation is clear and understandable, but quite sparse (only 15 pages long.) While directions for operating the program are plain, the implications of what the program will do are not, even after several readings. (After testing, the careful wording fo some of the passages becomes clear. Personally, I find the documentation almost misleading in many areas, although few can be said to be inaccurate when looked at carefully.) Hardware Requirements A hard disk is required, although that is *not* mentioned in the package. Performance Able to detect (manually) changes to previously surveyed program files. Local Support None provided. Support Requirements The package is simple enough for an intermediate user to install. Given the current climate of viral activity, naive users would have to have immediate access to experienced advice to interpret the activity of this package, and any alerts it would generate. Intermediate users would be able to use the program effectively most of the time, but should have access to skilled help for many situations. General Notes This product has a very high reputation with many as one of the first commercial antiviral programs. However, the fact that it has not been updated in two years is surprising. Given that fact, however, the weaknesses of the program may be understandable. Nonetheless, they are enough to prevent one from recommending the product in any but the most restricted situation. copyright Robert M. Slade, 1991 PCMACE.RVW 910524 ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 91] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253