VIRUS-L Digest Thursday, 6 Jun 1991 Volume 4 : Issue 98 Today's Topics: Checksumming flaws Re: denzuko and semlohe viruses (PC) Virus-writers denzuko and semlohe viruses (PC) PCs Which Don't Boot from the Floppy by Default (PC) Re: Hong Kong on MircoTough dist. disks (PC) Testing viruses - was Re: Network World Article (PC) Re: Interesting advert (PC) Viri and pop culture (general) Viri in the media (not quite so funny) (general) Strange behaviour in Mac. (Mac) Checksumming (was: Interesting advert) (PC) TSR to catch Yankee Doodle needed (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 04 Jun 91 14:11:12 -0400 From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Checksumming flaws >From: ccml@hippo.ru.ac.za (Mike Lawrie) >They don't cater for this scenario:- >2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE > files on your hard disk, and thus infects each and every such > file _after_ SCAN has pronounced them virus-free >4. You treat checksum checking programs with utter disgust, because > they fooled you into believing that you had protection. This comes under the heading of jumping-off-the-high-board-without-looking- to-see-if-there-is-any-water-in-the-pool . I am not familiar with all virus scanners, but for some time SCAN has checked for such dangerous viruses in memory right after it checks itself for integrity. This checking has two other switches available: /NOMEM will tell SCAN to proceed without checking memory and the scenario described will result. Unless instructed properly, people often use this switch to speed up the scanning process. SCAN also provides the /M switch which tells it to check memory for every known (to SCAN) virus. V77 also has a switch to check "high" memory but since I do not have any viruses that inhabit that region, I have not used it. Point is that as several of us have said before, checksum validation of programs is am important part of integrity management, but first you must be able to trust the system else checksums can be unreliable *and through no fault of the checksum routine* . Trust is something that must be built up step by step and checksumming falls somewhere in the middle. Lacking a firm foundation, it cannot endure. Warmly, Padgett ------------------------------ Date: 04 Jun 91 18:22:18 +0000 From: kerchen@fuji.ucdavis.edu (Paul Kerchen) Subject: Re: denzuko and semlohe viruses (PC) davidh@garfield.cs.mun.ca (David Hansen) writes: >Our visiting Indonesian grad students have brought two viruses to our >campus (Memorial University), they are called denzuko (which has no > [...] >Has anyone heard of these viruses from Indonesia?? I wouldn't be surprised if this was a variant of the DenZuk virus. The name sounds too close. Paul Kerchen kerchen@fuji.eecs.ucdavis.edu - or - kerchen@holly.eecs.ucdavis.edu ------------------------------ Date: Tue, 04 Jun 91 15:10:40 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Virus-writers According to this (PC) week's Spencer Katt column, certain anti-viral software houses are boosting their counts by soliciting viruses for pay and programmers are taking them up for "big bucks". Gee-gosharootie, have we been missing out on an income potential: wonder what 100 more STONED clones, half with stealth would bring in ? Shouldn't take more than five minutes each. Kind of reminds me of the Byte-Brothers comical PARASCAN program's ending: "PARASCAN detects 75 viruses (this was last year) & will detect more as soon as we write some." Oh well, at least it is better than the Windows-melting virus in April. Bemusidly, Padgett Obviously my own thoughts - no one else would want them ! ------------------------------ Date: Tue, 04 Jun 91 16:05:14 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: denzuko and semlohe viruses (PC) davidh@garfield.cs.mun.ca (David Hansen) writes: > Our visiting Indonesian grad students have brought two viruses to our > campus (Memorial University), they are called denzuko (which has no > apparent translation into english) and semlohe, which apparently means I venture that the denzuko is, in fact, the fairly widely known "Den Zuk" virus. If so, then it is a boot sector infector which is a fairly close "knock off" of the original "Brain" virus. The boot sector will look very similar to a "Brain" infected disk, with the difference being that the original text about Brain computer services has been replaced with "DEN ZUK" and an Indonesian Ham license number. More details can be found in any reasonably complete virus characteristics list. (I do remember that when this was being actively discussed on the net that two alternative translations for "Den Zuk" were "The Sweet" (or "The Suger") and "The Knife". The later may be reasonable in view of the fact that "Den Zuk" erases the original "Brain" infection.) ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Wed, 05 Jun 91 10:20:00 -0600 From: "John Nierengarten" Subject: PCs Which Don't Boot from the Floppy by Default (PC) I have followed, with interest, the discussions on forcing PCs to boot from devices other than the floppy drive, the main purpose being containment of viruses. Mention was made of several computers which have a ROM BIOS which causes them to automatically boot from the hard disk. Does anyone know of any PCs, other than Zenith or Compaq, which have this (boot from hard disk by default, even if a floppy is present) as a standard feature? Or, alternatively, which ROM BIOS products support this technique? I am in the process of acquiring new machines for a student lab and have the opportunity to address the problem up front. Please send responses to my e-mail address below and I will summarize. |\ | |_\ | John Nierengarten, Director, Academic Computing Center \| \| University of Wisconsin - River Falls BITNET: ACS_JAN@UWRF Until June 30, 1991. Internet: John.A.Nierengarten@uwrf.edu ------------------------------ Date: Wed, 05 Jun 91 16:02:01 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Hong Kong on MircoTough dist. disks (PC) csfed@ux1.cts.eiu.edu (Frank Doss) writes: >One of our users here at Eastern Illinois has discovered the Hong Kong >virus on the distribution disks included with Micro Tough's TVGA [some stuff deleted here] >Norton Anti-Virus 1.00 did NOT find the virus, but Central Point >Anti-Virus 1.00 found and purged the virus. What Central Point Anti Virus identifies as the Hong Kong virus is also known as the Azusa virus. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com 4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | mrs@netcom.com ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers) ------------------------------ Date: Thu, 06 Jun 91 10:54:00 +1200 From: "Mark Aitchison" Subject: Testing viruses - was Re: Network World Article (PC) padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: >>From: rtravsky@CORRAL.UWYO.EDU (Richard W Travsky) > >>An accompanying chart shows the percentage of detection by the packages >>against 921 viruses... > > Just to provide "apples vs apples" tests, possibly in conjunction with > the public domain viral list, we should make a stab at a weighted test > (e.g. Jerusalem 1000 pts for detection, Pentagon 1 pt.) if we can come > up with a probability function for infection it would certainly be > better than "We can detect 900 viruses". I agree that many virus tests are a bit irrelevant, and could be improved by weightings such as that suggested. But also there needs to be a component in the tests for measuring the product's ability to spot new viruses (and the scanners should carry out at least some simple tests for the presence of a virus - e.g. top of memory reduced, interrupt 21 redirected, etc.) Therefore I suggest that whoever is collecting new viruses hold some back (ones that have not been seen in the wild, and probably won't be), and make them available to some a-v testers, not a-v writers. This is because, in the lifetime of an anti-virus product, there is bound to be some new viruses released that aren't in the scan list. And my definition of the lifetime of the a-v software isn't "until the next version is made", but until the average user gets around to updating their copy. So those that make updated scan lists available conveniently, cheaply and often should get a better score. Also, the convenience in using the product should be taken into account, as programs that take a long time, or in other ways disencourage the user from running it often, should get lower scores. In effect, we should see a probability that, with this product, you will be free from viruses. (Personally, I like to see a more detailed analysis, including the effect of using several products together - which, I think, most sensible people do, but the majority of potential users of a-v software haven't got the time to go into those details, and I doubt many a-v testers have the time/resources to produce such detailed reports, unfortunately). Mark Aitchison. ------------------------------ Date: Wed, 05 Jun 91 16:06:45 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Re: Interesting advert (PC) I am not quite sure what ccml@hippo.ru.ac.za (Mike Lawrie) writes: in response to > RADAI@HUJIVMS.BITNET (Y. Radai) writes: and > > Kenny Stevenson writes: > >>Vaccine anti-virus system - "Vaccine is virus-non specific detection > >>software. It uses cryptographic checksums to monitor the state of > > >There is absolutely nothing new in this ad. There are zillions of > >checksum programs for the PC which claim to do the very same thing. > > They don't cater for this scenario:- > > 1. Somehow infect the RAM of your PC with a COM/EXE targetting > virus, such as Plastique (eg run an infected program from a > floppy, or from a network). > > 2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE > files on your hard disk, and thus infects each and every such > file _after_ SCAN has pronounced them virus-free SCAN is not a checksum/image/change detection program, but a scanner, which looks for specific known code sequences from known viral programs. (A further point of Mike's posting seemed to indicate that he thought SCAN was a checksum program.) However, Mike's posting also seems to indicate that he feels that Sophos' Vaccine program, because it checks for changes in the program, will not be subject to the phenomenon he describes. (At least that was my reading, my aplogies if that was not your intent.) Unfortunately, any antiviral program which examines programs, either for virus signatures or in order to calculate an "image" check, will open all the programs it examines, and therefore opens the possibility of that same happening. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Wed, 05 Jun 91 16:13:42 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Viri and pop culture (general) Well, folks, we have made it big time for sure. Not only did we get the Mad Magazine "Computer Virus Issue" earlier this year, but we just got a posting on rec.humor.funny about a supplier of viri (including those that affect your phone and washing machine.) ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Wed, 05 Jun 91 18:21:15 -0700 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Viri in the media (not quite so funny) (general) John Dvorak's syndicated newspaper column focusses this week on viri. The headline (for which he cannot be held accountable, I realize) is "Computer viruses: their cause and cure." The first sentence runs, "It's not easy to report on something if you don't understand it at all." He then tries to do that. I probably shouldn't be all that hard on the article. He doesn't make too many really boneheaded errors. He doesn't write much of any substance, either. (Certainly there is nothing, absolutely nothing, in the article that deals with "cure".) He does state that a virus must attach itself to a program, thus eliminating all BSI's from consideration. He also belittles the definition of the Morris/Internet worm as a worm, apparently not understanding that his definition requires it. Fred Cohen is mentioned, as is "Shockwave Rider." ("The Adolescence of P1" is not. Sigh. :-) No real viral programs are mentioned, except for the brief and uninformative reference to the Morris worm. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ Date: Thu, 06 Jun 91 17:08:00 +1000 From: U5434700@ucsvc.ucs.unimelb.edu.au Subject: Strange behaviour in Mac. (Mac) One of our Macintoshes recently started 'pinging' whenever an application started or exited, and will now only sometimes recognise our laserwriter. A similar machine, connected to the same printer, has no pings, and prints fine. Disinfectant 2.4 cannot find any virus. Does anyone recognise the symptoms? Thanks, Danny ------------------------------ Date: Thu, 06 Jun 91 14:22:00 +0300 From: Y. Radai Subject: Checksumming (was: Interesting advert) (PC) Mike Lawrie writes: >They [checksum programs] don't cater for this scenario:- > >1. Somehow infect the RAM of your PC with a COM/EXE targetting > virus, such as Plastique (eg run an infected program from a > floppy, or from a network). >2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE > files on your hard disk, and thus infects each and every such > file _after_ SCAN has pronounced them virus-free >3. You end up with every COM/EXE file on your disk having to be > reloaded, but you believe otherwise until you find out the > bitter truth >4. You treat checksum checking programs with utter disgust, because > they fooled you into believing that you had protection. First of all, Step 2 of this scenario is certainly not characteristic of COM/EXE infectors in general, as you seem to imply. (E.g., it won't happen with the Jerusalem virus.) It has to be a very special virus to do this. Secondly, what you have described shouldn't happen with SCAN, since before scanning it checks for the presence in RAM of viruses which act in this way, and that includes Plastique, unless you're using an old version of SCAN. (If this really did happen to you with a *recent* version, contact McAfee.) Finally and most important, suppose we have a virus in memory which SCAN or some other program does not recognize, and the above scenario does occur. What does this have to do with checksumming programs?? Checksum programs don't claim to *prevent* infection, only to *detect* an infection *after* it has occurred, the next time the checksum pro- gram is activated on an infected file. And this is precisely what they will do even in your scenario (provided you ensure that RAM is clean when the checksum program is activated). Thus your conclusion in Step 4 is unjustified. What you need in order to *prevent* scena- rios like this is to supplement the checksum program with a good gene- ric monitoring program. Padgett Peterson writes: >Well some form of integrity checking must go resident, even if it is >just smart enough to call the checksum program. Otherwise, what is >going to identify that a program is new or changed. (you could handle >"changed" with a zillion little .BAT files but new ?) Since you do not >want to add to the pilot's workload, it must be automatic therefore >resident. Sorry, Padgett, but I don't understand what you're trying to say. As existing checksumming programs are implemented, they notify you that a file has been changed the next time the checksum program is activated on it (which is normally long before the virus can do any damage). What are the zillion .BAT files needed for? We seem to be talking on different wavelengths, but since I don't know where the misunderstanding lies, I'll have to start from the beginning (sorry if what I say is obvious): Some types of programs can be run either *statically*, i.e. as a non-resident program activated on demand (or via the AUTOEXEC.BAT file) to do something to all files or a specified list of files all at once, or (2) *dynamically*, i.e. as a memory-resident program to do it to each executable file just before execution. (These are my terms; maybe you have a better suggestion.) For example, among known-virus scanners, McAfee's Scan is a static program, while his V-Shield is a dynamic program. In precisely the same way, a check- summing or integrity-checking program can be implemented either stati- cally or dynamically. And if it's done statically, then just as SCAN is not memory-resident, nothing here need be memory-resident either. Most checksumming programs which I know of can or must be implemen- ted statically, and for good reason: The surest way to ensure that no stealth virus can hide modifications is to do static checking immedi- ately after booting from a clean write-protected diskette. Dynamic checksumming is more convenient, but as far as I know, there's no way of guaranteeing that it can't be fooled by a stealth virus. If some- one can produce convincing evidence that there is such a way, I'd be glad to hear of it. Now perhaps what you mean to say is that only a resident program can notify the user *immediately* that an executable file has just been created or modified. If so, I agree, but I see this as the task of a generic monitoring program, not of a checksum program. (Also, when someone speaks of integrity checking, I assume he's referring to a checksum program. Do you mean something else?) Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: 05 Jun 91 15:06:00 -0500 From: "Troy D. Taylor" Subject: TSR to catch Yankee Doodle needed (PC) I have a question for all the virus guru's out on the net. The computer rooms have been getting hit with Yankee Doodle and it is fairly easy to clean, but it is evading our TSR that should stop infected files from loading (Vshield77). I would like to find something like that to prevent the files infected from begin loaded or at least blow whistles and beep and flash if it does load an infected file. later and thanks troy /********************************************************** * Conslt13@zeus.unomaha.edu * Conslt13@unoma1 * * Troy@zeus.unomaha.edu * Troy@unoma1 * * Dragon@odin.unomaha.edu * * **********************************************************/ ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 98] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253