|
Virus- L Digest Vol 6 Issue #026
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA00419; Tue, 16 Feb 1993 18:22:17 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA05065
(5.67a/IDA-1.5 for <[email protected]>); Tue, 16 Feb 1993 11:35:33 -0500
Date: Tue, 16 Feb 1993 11:35:33 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright © 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #26
Status: RO
VIRUS-L Digest Tuesday, 16 Feb 1993 Volume 6 : Issue 26
Today's Topics:
First digest from new address
Re: Sale of Viri
Re: Undecidability (was: On the definition of viruses)
Re: virus-definitions
Re: Virus education
Re: What is a virus ?
Re: general entertainment
Gender switching virus
my idea for detecting file infectors
Re: Norton buggy??? (or I have a PROBLEM!) (PC)
Michelangelo (oh noooooo) (PC)
Re: PKZIP 2'S AV is cracked (PC)
Re: STONED, Scanv99/Clean 99 Questions/Concerns (PC)
Re: Twelve Tricks (PC)
Re: Virstop 2.07 in Icelandic (PC)
Re: Vshield vs Virstop (PC)
STONED in Memory (PC)
Re: Help! Help, with FORM virus (PC)
Jeruslem variant (PC)
Tokyo Virus in NETCB or a false positive? (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk, [email protected]
----------------------------------------------------------------------
Date: Tue, 16 Feb 93 10:38:57 -0500
>From: "Kenneth R. van Wyk" <[email protected]>
Subject: First digest from new address
This is the first digest that I'm sending from [email protected].
Hopefully, all will go well. If things do break, however, please bear
with me.
With fingers crossed,
Ken
Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
[email protected] (Moderator account)
[email protected] (home - until I've relocated to DC)
------------------------------
Date: 12 Feb 93 14:37:07 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Sale of Viri
[email protected] (Rikhardur Egilsson) writes:
> There seems to be continous 'fright-propaganda' about viruses and the
> idea is to let people think "viruswriter = criminal"
Most people think that virus writing is so damaging to the society,
that it should be criminal.
> I don't remember what group it was but someone posted a request resently
> for virus-code.
It was cross-posted to several non-moderated newsgroups, one of them was
comp.security.misc.
> In short 'hell broke loose' almost anyone reading the posting seemed to
> belive he was going to use that code for evil purposes.
The way the message was constructed showed a low level of competence
of the person who posted it. Providing viral code to people who are
not competent enough to handle it properly is harmful.
> It seemes impossible for those interested, to get the code/data for viruses.
No, because as you are admitting yourself:
> As widespread as Viruses have come it does not take a long time to create
> the source for, let's say, 1704 bytes virus and comment it to the point
> that there is no trace of the source-code-generator.
Thus, if somebody is really interested, there is no problem for them
to obtain a few widespread viruses. Gosh, they just have to take a
scanner and to look on the computers around. According to some
statistics, about one in every 400 computers gets infected at least
once in a year. Some environments (e.g., academia) are more
prolificient for viruses to spread than others (e.g., banks, military,
etc.).
> Of course that does not surprice me, as I know what most people think of
> viruses and that there would always be someone to misuse that.
..Or not to be able to handle them properly. There are so many cases
of virus code being misused and so many people that are not competent
to handle virus code properly, that when somebody posts a virus
request it is very probable that s/he belongs to one of these
categories. Besides, if one is competent enough, s/he could find some
viruses "from the field", instead of posting silly requests to the
newsgroups.
> On the other hand it shouldn't be that strange that someone offered to sell
> the code/data to whoomever is interested.
Yes, it is not strange at all. There are always unethical people who
are determined to use any weaknesses in the law to make money,
regardless what will this cost to the society.
> In short : do viruses realy have to be that 'taboo'
> Informing people about them and how they work and even distribute simple
> samples could be just as effective as the fright-propaganda.
Informing people about them and how they work is OK. I am trying to do
this all the time here and some people even accuse me to be "too
open". However, "distributing simple samples" is a no-no. Believe me,
I know it from my own bitter experience. Long time ago, when a virus
first appeared in Bulgaria (it was the Vienna virus), I distributed a
diskette with the virus, explanation of how it works and what it does,
and an anti-virus program for it. Just like you, I meant well - to
educate people that viruses are not "black magic", that they are
simple programs and here is what they look like, what they do, and how
to fight them. The result was sad - instead of reading my
explanations, people used to just "try" all programs on the diskette,
including the infected one...
Remember, most users are incompetent to handle virus code properly.
And, because a virus is able to spread by itself, an incompetent
person who -knows- that s/he has virus code could (involuntarily)
infect other innocent and incompetent people, who even do not know
that they are infected. No, distributing viruses, except under very
strict conditions, and to a very restricted set of knowledgeable
anti-virus experts is a VERY WRONG THING and must NEVER be done, for
whatever purpose. Never.
Please, believe my own experience - this will save you a bitter
disappointment...
> Then Stealth-viruses came along and that tecnology excited me.
> But as I learned more about them and how they work the 'miracle' tag
> dropped off.
But it was enough that you were explained how they work, right? It
wasn't necessary to give you a live virus?
> anything new. I got issue 1 of CVDQ and there virus there shows me that
> poople have to spent anourmous time to make a virus that is going to
> have a faint-change of surviving in the modern-world.
Uh, sorry, what is CVDQ?
> I guess that most of those who do write viruses and release them wouldn't
> if they knew better. They probably think that they're adding new variants
> to a pool of a couple of viruses and that a lottsa people are going to
> see and inspect/admire there code.
It depends. There are all kinds of people. Some of them are blissfully
ignorant, as you suspect. Others are doing it "for kicks", to prove to
their adolescent minds that they are "something" by opposing
themselves to the established values of the society. Others are just
vandals, who like the thought that they will destroy somebody's data.
Others feel "happy" when they read in the newspaper about "their"
virus, or when they learn that a popular scanner is able to handle
"their" virus.
For more information about how one such twisted mind reasons, you
could read the interview with Dark Avenger by Sara Gordon in "Virus
News International", January and February (and probably March) issues.
He literally says "When I saw that McAfee's SCAN was able to detect my
virus, I was almost happy"...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 15:30:56 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Undecidability (was: On the definition of viruses)
[email protected] (Y. Radai) writes:
> Perhaps we mean different things by "undecidable". Maybe you mean
> undecidable by *any* means, appearance *or* behavior. I claim that if
> one chooses definition ©, and if <condition> is something which is
> sometimes satisfied and sometimes not (e.g., if it is "x < y" where x
> and y are numbers supplied at runtime by the user), then the question
> whether the program is a virus is obviously undecidable *BY APPEARANCE
> ALONE*, even on a *finite* machine.
It seems to me that your claim is wrong. On a *finite* machine the
size of x and y is *finite*, therefore the total number of
combinations of values for x and y is also *finite*. Thus, you can
(theoretically) list them all and say that for those of them the
program is a virus, while for others it is not. Therefore, the
problem, as stated by you -is- solvable (theoretically) on a *finite*
machine.
> As I mentioned above, the "x < y" case with definition © is undecid-
> able by *appearance alone*, even on a finite machine.
Nope, on a finite machine it is solvable.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 15:42:03 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: virus-definitions
[email protected] writes:
> I was and am still missing the point wether a piece of software is necessary
> for a user to do what he wants or not. If we add this question to the last
> definition of Vesselin, then Diskcopy will not show up as virus, as it is
> necessary to use this program to copy a floppy.
Won't help, because:
1) There are a couple of viruses that ask the user for permission
before infecting the next object.
2) It is possible to make a bootable diskette with DOS, Diskcopy, and
the proper AUTOEXEC.BAT file that will try to copy the diskette to all
accessible drives, without asking for permission, just when you boot
from it. What will be the virus in this case - Diskcopy, DOS,
AUTOEXEC.BAT, or the whole diskette?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Fri, 12 Feb 93 19:04:46 +0000
>From: [email protected].edu (John Mechalas)
Subject: Re: Virus education
[email protected].COM (Chip Seymour) writes:
>BTW, all the talk over the definition of a virus is ok, but how do I
>apply that to the protection of my work here? The viruses themselves
>don't care - they just do what they're told.
Yes, but it's the anti-virus software that needs to have a working
definition. Scanners are an ever-weakening defense, and it is
necessary to develop other means of protecting the computer from
infection. Heuristic methods rely on a a series of algorithms which
are designed to analyze instructions for virus-like behavior. Without
a proper virus definition, there is a danger of false positives and
(worse yet) false negatives.
I could write a program, for example, that interrupts all I/O
access to the hard drive. This simple, and stupid, program indirectly
uses the definition of "a virus is any program that writes to my hard
drive" or something similar. Obviously, this would be a silly idea,
born out from a silly definition. Without a precise definition, it is
difficult to analyze code and accurately determine whether or not a
virus actually exists.
- --
John Mechalas \ If you think my opinions are Purdue's, then
[email protected].edu \ you vastly overestimate my importance.
Purdue University Computing Center \ Stamp out and abolish redundancy.
General Consulting \ #include disclaimer.h
------------------------------
Date: Fri, 12 Feb 93 23:26:52 +0000
>From: [email protected] (Johnathan Vail)
Subject: Re: What is a virus ?
I came into this late and really don't want to get involved too deep
since I probably will miss the original point. But this is a good
time to repost my glossary. To keep any relevence to this thread I
copied the definitions of virus and worm at the beginning.
virus - a piece of code that is executed as part of another program
and can replicate itself in other programs. The analogy to real
viruses is pertinent ("a core of nucleic acid, having the ability to
reproduce only inside a living cell"). Most viruses on PCs really are
viruses.
worm - An autonomous program (or set of programs) that can replicate
itself, usually over a network. A worm is a complete program by
itself unlike a virus which is either part of another program or
requires another program's thread of execution to operate. Robert
Morris's program, the Internet Worm, is an example of a worm although
it has been mistakenly identified in the popular media as a virus.
jv
_____
| | Johnathan Vail [email protected] (508) 663-7435
|Tegra| [email protected] [email protected](WorldNet)
----- MEMBER: League for Programming Freedom ([email protected])
________________________________________________________________________
Glossary of Computer Insecurity
Compiled by Johnathan Vail ([email protected])
This list started out as a collection of a few computer virus related
terms that I wrote for discussion in comp.virus. Several people have
contributed comments and suggestions to my original list. Tom
Zmudzinski contributed an excellent list of computer security terms
that now form the bulk of this list. At this time, I will serve as
the focus and maintainer of this list. Please submit any comments and
additions to me. My address is [email protected].
HISTORY:
12 Feb 1993 JV - Update compiled changes.
20 Dec 1991 JV - Tweaked some words.
6 Aug 1991 JV - First release.
________________________________________________________________________
async interrupt (attack) - to exploit system vulnerabilities arising
from deficiencies in the interrupt management facilities of an
operating system.
back door - This is an undocumented feature added to a product which
can allow those who know about it to gain access to features that are
otherwise protected. The original Tempest video game was supposed to
have a key sequence that would allow the author of the firmware to get
free games in an arcade. Some military systems are rumored to have
back doors in their software that prevents their being used against
the countries that built them.
blivet (attack) - A denial-of-service attack performed by hogging
limited resources that have no access controls (for example, shared
spool space on a multi-user system). [Classically defined as "ten pounds
of horsesh*t in a five pound bag".]
browsing - Gaining unauthorized read-only access to files.
C2 Catch-22 - Refers to the paradox that all federal computers are
required to be certified to the C2 level of Trust (or better) by 1992
(especially if they are to be permitted access to a network), yet
because no C2 certification has ever been performed with the network
software active, NSA will revoke the certification of any system as
soon as it is connected to a network. [Also "C2-by-'92 Catch-22".]
cascading - To gain additional privileges on a host (or within a
process) by using those privileges legitimately (if perhaps unwisely)
granted to casual users.
crayola books - A disparaging reference to the "rainbow books",
commonly used when referring to the upcoming rewrite of NSA's
technical computer security guidelines.
crypt (attack) - Stealing the system password file and looking for
known encrypted passwords.
data diddling - To alter another's data (especially, to do so subtly
so it will not be detected); a major breach of the hacker ethic.
denial-of-service attack - Any method which an intruder might use to injure
authorized users of a system by making its facilities unavailable. Often
easier to accomplish than hijacking a privileged account.
dictionary (attack) - Trying a dictionary of commonly used or vendor
installed passwords.
Easter Egg - This is a usually benign feature added to a product by
the programmer without official knowledge or consent. One example of
the is the 'xyzzy' command in Data General's AOS operating system.
Another is the "RESIST THE DRAFT" message in an unused sector of Apple
Logo.
ethical hacker - Someone who espouses the view that he/she may
"ethically" penetrate any computer or network so long as no data is
altered. [Colloquially among computer security professionals: a dead
hacker (or one who has ceased hacking).]
leapfrog (attack) - Using userid and password information obtained
illicitly from one host (e.g., downloading a file of account IDs and
passwords, tapping TELNET, etc.) to compromise another host. Also, to
TELNET through one or more hosts in order to confuse a trace (standard
cracker procedure).
masquerading - To assume the identity of another user to gain
unauthorized access to a host or network.
mockingbird - Software that intercepts communications (especially
logon processes) between users and hosts and provides system-like
responses to the users while obtaining information (especially account
IDs and passwords).
pest - A set of instructions that self-replicates uncontrollably,
eventually rendering a network or system unusable via a
blivet attack. [sometimes called "wabbits"]
phage - An autonomous program that inserts malicious code into
other autonomous programs (e.g., a computer worm or probe
that carries a virus or trojan horse program).
polymorphic virus - 1. A virus using variable encryption with a
variable decryption routine to avoid detection by its
"signature". V2P6, Whale, Maltese, Amoeba, Russian Mutant
and PC-Flu 2 are examples. 2. Any virus that changes it's
behaviour such as infect different types of host or change
their mode of operation. A virus that infects both .COM and
.EXE programs as well as boot sectors can be considered
polymorphic.
probe - A non-self-replicating, autonomous program (or set of
programs) that has the ability to execute indirectly
through a network or multi-partition computer system
(e.g., various hacker utilities).
rainbow books - NSA's technical computer security guidelines.
So named because each of the books is published with a
different color cover. [See "crayola books".]
scavenging - To exploit unerased residual data. The controversy with
the Prodigy [users finding pieces of the their data in the
STAGE.DAT file] service is an alleged example of this.
spoofing - An attack which relies on the inability of users or computer
systems to verify the identity or location of a communication partner.
A `mockingbird' spoofs the computer's login sequence to fool a user;
some cracking software repeatedly spoofs human login actions to fool the
computer.
stealth virus - A type of virus that attempts to hide its existence.
A common way of doing this on IBM PCs is for the virus to hook
itself into the BIOS or DOS and trap sector reads and writes that
might reveal its existence.
trapdoor - A method of bypassing a sequence of instructions, often
some part of the security code (e.g. the computer logon).
time bomb - This is code or a program that checks the systems clock in
order to trigger its active symptoms. The popular legend of the time
bomb is the programmer that installs one in his employer's computers
to go off in case he is laid off or fired.
trojan (horse) - This is some (usually nasty) code that is added to,
or in place of, a harmless program. This could include many viruses
but is usually reserved to describe code that does not replicate
itself.
unknown system-state (attack) - To exploit the conditions that occur
after a partial or total system crash (e.g., some files remain open
without an end-of-file condition allowing an intruder to obtain
unauthorized access to other files by reading beyond the real EOF when
service is resumed).
virus - a piece of code that is executed as part of another program
and can replicate itself in other programs. The analogy to real
viruses is pertinent ("a core of nucleic acid, having the ability to
reproduce only inside a living cell"). Most viruses on PCs really are
viruses.
worm - An autonomous program (or set of programs) that can replicate
itself, usually over a network. A worm is a complete program by
itself unlike a virus which is either part of another program or
requires another program's thread of execution to operate. Robert
Morris's program, the Internet Worm, is an example of a worm although
it has been mistakenly identified in the popular media as a virus.
________________________________________________________________________
------------------------------
Date: Fri, 12 Feb 93 20:07:24 -0500
>From: Ian Leitch <[email protected]>
Subject: Re: general entertainment
[email protected] (Vesselin Bontchev) writes:
> kelty_h@aci_1.aci.ns.ca (KELTY HAMILTON) writes:
> > Just mentioning a good virus article in the February "Discover"
> > magazine. Thought you virus fanatics would be interested in its coverage
> > of virus origins.
> This so-called article is in fact one chapter of the book "Approaching
> Zero" by Bryan Clough and Paul Mungo. They are calling it "forthcoming
> book" which sounds rather surprising to me - it was published in the
> UK about one year ago and I have read it since a long time...
> The book is not just about viruses, it is about computer crime in
> general. It's a very entertaining reading and I recommend it.
> Unfortunately, it is also full of technical and factual mistakes. In
> fact, every story described there, for which I know how it actually
> happened, there is something misrepresented in the book. In several
> cases I know that the declination of the truth is deliberate, because
> it was me who has told the authors some of the facts and they are
> represented differently in the book...
> The article is "Discover" does not make an exception - lots of
> technical and factual details are wrong. Maybe the funniest of them is
> the conjecture that "Diana P." in Dark Avenger's viruses has something
> to do with Lady Diana, Princess of Wells. However, the general
> analysis of the situation in Bulgaria that leaded to the creation of
> so many viruses there is rather exact.
Some months ago I posted a notice to the list about this book saying
how interesting and informative I found it to be. I was most concerned
to read Vesselin considers it to be "full of technical and factual
mistakes". Consequently, I contacted the authors, and Bryan Clough has
sent me the following reply:
- -------
The 'Discover' article (February 1993) was taken from the U.S.
edition of "Approaching Zero", which is being published by Random
House in March. A UK paperback is now available overseas (but not
in UK until March). There is also a Spanish edition called 'Los
Pirateas del Chip - La Mafia Information Al Desnudo'. Japanese
and Bulgarian editions are also in preparation.
There has been no 'deliberate distortion' of any facts within
the book, except as declared in the Acknowledgements.
Vesselin was an important and informative source, but nothing
was taken at face value, without being cross-checked.
A matter of speculation (such as the identity of 'Diana P') can
hardly be considered 'a factual error'. It may be wrong, but we
have yet to learn who 'Diana P' is. And, even then, who knows?
One guess is as good as another.
Some of the 'facts' may be disputed but contributors' memories
tend to be selective and self-serving, and it is always difficult
to ascertain 'the truth'. For example, on one occasion Captain
Crunch swore that he had only used his legendary plastic whistle
'once'. On another occasion, he claimed to have used it 'hundreds
of times'.
It would be interesting for Vesselin to identify the
distortions, so that these can be compared with the research
material and recorded interviews. Perhaps, he could also identify
'Diana P'?
- --------
----------------------------------------------------------------------------
| Ian Leitch JANET: [email protected] |
| Information Technology Unit Tel: 071 927 2260 |
| London School of Hygiene and Tropical Medicine FAX: 071 436 5389 |
| Keppel St., London WC1E 7HT Telex: 8 95 34 74 |
----------------------------------------------------------------------------
------------------------------
Date: 13 Feb 93 19:52:37 +0000
>From: [email protected] (Colin Eric Johnson)
Subject: Gender switching virus
I have just heard (through the grapevine here) of a virus that
will scan through text documents and replace any gender specific nouns
and pronouns with their gender-opposites (he -> she).
Is this in fact a virus? And does it exist?
[Moderator's note: I'd suggest not jumping to any conclusions in the
absense of technical information to support them.]
- --
- ---------------
Colin E. Johnson [email protected]
Lab Monitor (Rover) Univ. of Mich. ITD/ITS/CCS
When Knowledge Is Outlawed Then Only Outlaws Will Have Knowledge
------------------------------
Date: 09 Feb 93 20:31:00 +0000
>From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: my idea for detecting file infectors
I have an idea to detect new and unknown viruses.
Let me tell you up front, my idea is only for detecting file infectors,
and should be used in conjunction with other virus detection software.
It's only another tool for the virus detection toolkit. This will not give
the users the name of the virus or tell how to remove it. Simply a Yes or
No if the user has a file infector on the loose.
This idea is as simple as archive software. two archives, FC or COMP from
DOS, and one .BAT. file. or merge the .BAT file below into your
AUTOEXEC.BAT
While you are reasonably sure that your computer is virus free archive a
few small files that you use on a constant basis. I would recommend at
least one .COM file, and 1 .EXE file, and they should be at least 10K in
size.
Some viruses only attach to .COM files, and there are viruses that only
attaches to .EXE files. Lastly some viruses will not attach to very small
files.
1575, and Frodo will attach to two byte .COM files. But 8 Tunes will not
attach to any file smaller than 9216 bytes.
use archive software and create an archive, and add these files.
I recommend PKzip or LHA, but not ARJ because the files size fluctuates.
BAIT.BAT
@ECHO OFF
C:
CD\RECOVERY
DEL VIRUS.LZH
LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
FC BAIT.LZH VIRUS.LZH
CD\
by deleting the previous test, you can be sure that you will get valid
results every time.
LHA A -A adds files to the archive regardless of the attribute, and using
wild cards on the .EXE files will pick up companion infectors like AIDS 2,
Power Pump, and others. If you want to use PKzip as your archive software,
use the .BAT file below.
@ECHO OFF
C:
CD\RECOVERY
DEL VIRUS.ZIP
PKZIP -wHS VIRUS \COMMAND.COM \DOS CHKDSK.*
FC BAIT.ZIP VIRUS.ZIP
CD\
FC comes with DOS 4.0 and above. If you don't have FC, COMP will do just
as well.
As long as FC or COMP do not report any differences in the two archives,
you can be reasonably sure that you don't have a file infector.
This should detect any file infector except for stealth infectors.
If you want this to detect stealth viruses, copy, this .BAT file, the
archive software, and FC.COM or COMP.COM to a known clean bootable
diskette. Once ever week or two; cold boot from this known clean diskette
(preferably write protected) and run this test.
If FC or COMP ever reports a difference in these two archives, send the
new archive to a virus researcher for study so that scanners like F-Prot,
VIRx, Scan, and others can be updated to detect this new or unknown virus.
In my tests, I archive six files.
COMMAND.COM
FORMAT.COM
PKZIP.*
WINLOAD.*
DRWATSON.EXE
NOTEPAD.EXE
These files are run on a daily basis, WINLOAD is a program that loads
Windows after a delay of a few seconds.
On my 33 MHZ 486 I can complete this test in approximately 5 seconds.
Since I use both DOS and Windows, I try to detect viruses that infects DOS
or Windows applications. Someone else may need to use more or less files
than I do.
I run this test at bootup, and after I try new software.
This is my idea, and I want to think the following people to trying to
shoot holes in my theory.
Glenn Jordan
Mike Lambert
Wolfgang Stiller
I know that i'm not very good at writing, but I hope this has helped
someone.
I am releasing this idea to the public domain, so authors of virus
detection software can incorporate this idea into their software if they
care to.
Bill
- ---
* WinQwk 2.0 a#383 * JERUSALEM (Skism-1) Fridays (after the 15th)
------------------------------
Date: 12 Feb 93 13:48:27 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Norton buggy??? (or I have a PROBLEM!) (PC)
[email protected] (Alan Mead) writes:
> Susan gets home with the Norton disk. We use the Norton scanner
> (NAV.EXE) on my C: and it fails to find anything. BUT, it turns out I
> deleted the file that allegedly carries the virus ("a strain of
> CVIR").
This is likely to be a false positive, not a virus. Cvir is a silly
overwriting virus written in C and it is unlikely to spread at all. In
the same time, because it is written in a high level language, it is
very difficult to pick a good scan string for it - because most of it
is just code found in the C libraries, and if you pick a scan string
from -there-, you're likely to flag any compiled program that contains
the same library function as infected. Obviously, this is what
happened to NAV. It might be fixed in the later versions, however, so
you should advise your wife to check what the latest version is and to
upgrade if necessary.
> What do you think? I find it unlikely that I have a virus and
> (snicker, snicker) I LOVE the fact that these morons are spending their
> Friday night disinfecting clean machines.
I think that this is a rather irresponsible behavior from your
part... A false positive could be very costly to a business - as much
as a real virus. You wouldn't want that business to have to close and
your wife to become unemployed, would you?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Fri, 12 Feb 93 09:53:25 -0500
>From: [email protected] (A. Padgett Peterson)
Subject: Michelangelo (oh noooooo) (PC)
>From: [email protected] (Marcio Migueletto de Andrade)
Subject: Michaelangelo's payload (PC)
>It is known that the Michaelangelo virus makes use of INT 1Ah (AH=4)
>to read the system date. It works on a 386, but fails on a XT (nothing
>is returned). The virus still works but the payload is never
>achieved. Is it due to an old BIOS ? Is there a *standard* way to
>read the system date at *boot time* on a XT ? If not, any virus that
>uses the same function cannot work properly in such machines.
>(Below the equator line the XT still lives...)
Actually this function was introduced on the IBM-AT (Advanced
Technology) in 1984 which was/is 286 based. Subsequently *some* clock
calendar cards also supported the interrupt. In other words it works
on those PCs or XTs with the right card and everything later. The easy
way to find out is to just use DEBUG & try it.
Boot: An XT lacks CMOS memory and consequently has no way to remember
what day/time it is. PC/XT Clock/Calender cards use either ROM
extensions or special drivers to load the system clock on boot.
Warmly,
Padgett
------------------------------
Date: 12 Feb 93 14:02:17 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: PKZIP 2'S AV is cracked (PC)
[email protected] (McAfee Associates) writes:
> We will continue to use PKZIP Version 1.10 to compress our files for
> the forseeable future because 1.10 is still used more frequently then
> 2.04C, there is no "exportable" version of PKUNZIP V2.04C available
You are misinformed. PKWare has obtained an export license for PKZIP
2.04whatever, which allows it to be exported to almost the whole
world, except a very short list of countries (e.g., Iraq, etc.). If
you are troubled that people in those countries won't be able to
unpack your software, then you should be aware that there are probably
regulations which forbid the export of your software to these
countries as well.
> from PKWare (yet), and lastly, PKZIP Version 2.04C has several bugs
> in it that make it undesirable for use in distributing software
This is a significantly more valid argument not to use it.
> (PKWare has released a newer version, 2.04E, but we will wait to
> see how stable that is before we consider using it.).
Sigh... They have now released version 2.04g. Obviously, the product
is still in beta test and we are all beta testers... :-( But I
digress...
> this: You need not present the Internet with a forged .ZIP file
> merely to prove that PKWare's Authenticity Verification for Version
> 2.04C of their program has been cracked.
Wrong, he needed to post that, otherwise people like you just refuse
to believe - see below.
> The Authenticity Verification and accompanying serial number generated
> by the PKZIP program are used by us for providing our users with a
> degree of security, they are by no means final or absolute. However,
> it is very unlikely that both the -AV and serial number will match up
> in a cracked version of PKZIP.
THIS IS WRONG AND MISLEADING! It is TRIVIAL to forge BOTH the text and
the -AV and the serial number in PKZIP 1.10. What will convince you?
Do you want me to send you an archive for which all the above matches?
Do you want me to send you your serial number that you obtained from
PKWare? Do you want me to send you a 50-line program that is able to
find this number in LESS THAN A MINUTE on a XT? The security provided
by the -AV thingo in PKZIP is NON-EXISTENT! And everybody must be
warned about that! That's why people like the original poster need to
post examples that prove that possibility to crack the security,
without showing how it is done. Otherwise people like you will insist
that it is "unlikely" to be done!
[Moderator's note: Folks, please keep the discussions civil.]
> I believe that it is far better that some means of protection be
> provided then none at all.
That's true, but what you seem to fail to understand is that the means
of protection against tampering in your product are minimal, nearly
non-existent! In particular:
1) It is TRIVIAL to disable the self-check in SCAN or to modify its
checksum after tampering.
2) It is TRIVIAL to change the documentation that lists the VALIDATE
codes.
3) It is TRIVIAL to forge the -AV protection.
4) It is only moderately easy to forge the VALIDATE checksums (i.e.,
to modify SCAN without modifying its VALIDATE checksums), but it is
even not needed, because of 2).
As a result, it is TRIVIAL to make a trojanized, forged copy of your
product. The proof is that it is often being done - do you keep track
of how many versions of SCAN have been "skipped", because a trojan
with such number has appeared? Your product is probably the most often
trojanized program in the world...
I have explained multiple times to people from McAfee Associates,
including to yourself, what has to be done in order to provide -real-
authentication. You must use a public-key authentication system. If
you provide authentication ONLY (i.e., no encryption, which you don't
need anyway), there are NO export problems. If you are concerned about
the RSA patents - use the DSS algorithm, which is NOT patented and
works for authentication ONLY. But naw, nobody's listening... :-(
> Our programs are directly available
> from us via our BBS, forum on CompuServe, and mcafee.com ftp site
> on the Internet, in addition to sites such as the SIMTEL20 archives
> and garbo.uwasa.fi which I directly send the programs to. If any
> one ever has a question about the integrity of a .ZIP file they've
> received, then they should delete it and download it from one of
> these avenues instead.
That's not enough. There hundreds of thousands of users of your
product that (a) don't have Internet access (thus, no Simtel20, no
garbo, not even Virus-L/comp.virus), (b) don't have access to
Compu$erve (because it is too expensive or because there's just no
CompuServe in their countries), and © live too far away from
California, so a long-distance call to your BBS or tech support
numbers is not exactly what they would like to do every month. What
kind of protection are you offering to those people?
> PS: Please (!) direct any follow-up comments to me via e-mail, I have
> no desire for this newsgroup to become a battleground. :-)
You are welcome to continue this discussion with me via private
e-mail, but I felt that this reply had to be posted publicly, because
> Like many other readers of the comp.virus newsgroup (and its digest
> counterpart, VIRUS-L), I appreciate it when computer security and
> integrity are discussed, especially when they relate to our (McAfee
> Associates, that is) programs.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 15:07:37 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: STONED, Scanv99/Clean 99 Questions/Concerns (PC)
[email protected] writes:
> 1) When Untouchable is used, it says that No-Int has been found but
> that it cannot fix it.
You mean UTScan, right? Have you installed the integrity checker? If
not, why not? If yes, why not using it to recover the boot sectors?
> 2) When McAfee's Scan v99 is used, it finds the Stoned virus,
> and the Clean can clean it. HOWEVER, when scanning AGAIN for the
> virus, we find it in memory. This is after having booted from a
> write-protected virus free floppy disk. Further tests apparently
> show that Stoned can load into memory by a simple read on an
> infected disk. The documentation I've read via FTP land say that that
> is impossible. Some people have suggested that Scan is not correct.
This is indeed impossible and Scan is indeed not correct, or more
exactly, it is not designed correctly. Read the FAQ, question E11 for
more information. We've put a lot of efforts in this FAQ, it is a good
idea to read it before asking...
> Questions: Why doesn't Untouchable work right?
Because it is probably a new variant of No_INT and you are using a
scanner. Remember, scanners can detect/remove only known viruses.
Install the integrity checker of Untouchable and -use- it. It is very
good and, if installed on a virus-free system, can remove practically
any boot sector infector.
> CAN the Stoned virus
> load into memory by a simple read from an infected floppy?? Is there
> a strain of stoned that can do this?
Yes, it can. All strains of Stoned are doing this - loading in memory
when you read an infected floppy. In fact, it is not the virus that
does it - it is DOS itself. It reads the boot sector of the diskette
(where the virus resides), thus loading the virus in memory - in one
of the DOS buffers.
However, the fact that the virus is in memory does NOT mean that it is
active - something that a poorly designed memory checking scheme (like
the one used by SCAN) will fail to notice. The virus code is there,
but it never gets control. Just like copying an executable file will
put this file (or parts of it) somewhere in memory, but will not
execute it.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 15:17:42 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Twelve Tricks (PC)
[email protected] writes:
> Norton anti-virus detected Twelve-Tricks virus on one of our PCs but
> f-prot 2.06a reported the PC as clean. Is this virus one that the
> current f-prot misses or have we found a NAV false +ve?
NAV is definitively wrong. Twelve Tricks is a trojan, not a virus, and
it does not spread. It is very unlikely that it is on your computer.
On the other side, F-Prot 2.06a -does- detect this trojan (and
properly reports it as trojan).
There is one remote possibility that there is -something- on your
computer that just happens to contain the scan string for Twelve
Tricks that NAV uses. Where is the "virus" find? In a file? In many
files? In the MBR? Are you using the latest version of NAV? Have you
contacted your local tech support for NAV?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 15:38:50 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Virstop 2.07 in Icelandic (PC)
jdh@medicine.newcastle.edu.au (John Hendriks) writes:
> We have just downloaded the latest version of f-prot (2.07). Of course
> all is well as far a scan is concerned. At least I can understand the
> reports. When loading virstop though and testing with f-test the
> diagnostics are incomprehensible. Is there an English version of
> virstop?
You seem to have gotten a version of the package that Frisk
distributed by mistake. The archive with the English version of
VirStop can be obtained from him or from our ftp site:
ftp.informatik.uni-hamburg.de:/pub/virus/progs/fp-207.zip
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 12 Feb 93 15:50:21 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Vshield vs Virstop (PC)
[email protected] writes:
[Long list of unknown viruses that VShield would not be able to detect
deleted for brevity.]
> Isn't this also true for VIRSTOP??????????????????
Of course it is - and it is also true for any known-virus scanner, be
it a resident or a non-resident one. That's why scanners are a weak
line of defense against viruses. That's why you must use an integrity
checker as a second and more powerful line of defense. But we were
mainly discussing the capabilities of VShield for integrity checking
and I pointed out many kinds of attacks that it does not protect you
against. There are integrity checkers that -do- protect you against
most of these attacks.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Fri, 12 Feb 93 11:54:04 -0500
>From: [email protected] (A. Padgett Peterson)
Subject: STONED in Memory (PC)
>From: [email protected] (Ulysses Castillo)
>1) Cold booted from a write-protected virus free disk.
>2) Used SCAN v99 on C:, no virus was found in memory or on C:.
>3) Inserted an infected floppy in B:.
>4) Ran scan on b:. No virus found in memory, stoned virus found
>in boot sector of B:.
Ok, here's what has happened - PC not infected. on (4) SCAN checked
the memory (4a)- was clean - then checked to infected disk (4b). In the second
action the DBR of the floppy was read into the DOS buffer in low memory.
*But SCAN had already finished checking memory*.
>5) Ran scan on B: again. Virus found in memory and in boot sector
>of B:. (HOW???)
On the second run of SCAN the memory is again checked first (5a). This time the
infected DBR is still in the DOS Buffer from (4b).
6) Reboot (cold boot, not control-alt-delete).
7) Inserted infected disk in B:.
8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector
of B:. Virus removed from B:.
9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT
found on B:.
Repeat of same process. After reboot, the C: drive DBR is in the buffer -
SCAN finds nothing but loaded the infected DBR into the buffer *after*
checking memory (during 8) for second SCAN (9) to find.
Now if between (7) and (8) a DIR were performed on the infected floppy, DOS
would have loaded the buffer and the memory check in (8) would have discovered
the virus. The same would have occured if done between (3) & (4).
Now DOS only reads the DBR when it receives a request after detecting
a changed disk. If between (8) and (9) a second clean floppy had been
put in the drive and a DIR performed, SCAN (9) would have found memory
to be virus free (famous last words - well it worked when I tried it).
Warmly,
Padgett
------------------------------
Date: 12 Feb 93 09:35:06 -0800
>From: [email protected].beckman.com
Subject: Re: Help! Help, with FORM virus (PC)
[email protected] (Bill Hayes) writes:
>Recently, a professor here armed his students with a custom program
>written for him by a student programmer. He had a secretary make
>about twenty copies of the program for his students. Unfortunately,
>the secretary's machine was infected with FORM, a boot sector virus.
>Now my student computer labs have been infected with it.
..
>Although I would much rather buy enough licenses to cover my machines,
>I am now trying to find public domain (and I mean FREE) software.
>McAffee and Associates quoted me a whopping $17,000 dollars to site
>license their products. I might be able to wring out $5.00 to $10.00
>per machine to license a product. Is their anything out there, or am
>I doomed to spend my life chained to a chair cleaning off FORM from
>student diskettes?
>From ORDER.DOC (FP-207), F-PROT is shareware, with $1/machine license
for the first 2500, (decresing for more machines) with a 25%
educational discount (min $20); plus $20 for an actual copy or $100
for an annual subscription (bi-monthly updates), if you don't have ftp
access.
(There, now I've said it. You don't have to violate network
advertising guidlines, Frisk.)
- --
Arthur L. Rubin: [email protected].beckman.com (work) Beckman Instruments/Brea
[email protected] 70707.453@compuserve.com [email protected] (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; please mail anything important.
------------------------------
Date: Fri, 12 Feb 93 22:07:56 +0000
>From: [email protected] (Le L. Chen)
Subject: Jeruslem variant (PC)
I got the Jersulem standard and variant few weeks ago . The thing
confused was that it was infected on Jan 20th, before this day, i got
some software and scan them with Mcafee scan97, f-prot2.05, nothing
happened. Everything was OK. But on Jan. 20th, I booted up and saw the
messege showed: win386 was damged. Since it was about 2 am, too late.
The second day, another person sho booted up again, the same sign he
saw. Then used the scan97 and f-prot2.05 checked, found the viruses. I
can not understand how come the first time checked it was ok, later,
after the computer was infected, it can detect them. suppose some
viruses infect software in certain time, can them be detected not on
the exact day? Every softwares i got was scanned first. But now i
doubt the scan some.
Every information is appreciate.
Thanks a lot. e-mail or post to reply is fine
e-mail: [email protected]
------------------------------
Date: Fri, 12 Feb 93 19:59:20 -0500
>From: Ian Leitch <[email protected]>
Subject: Tokyo Virus in NETCB or a false positive? (PC)
I have recently downloaded NETCB v0.3b from the UK HENSA (Higher
Education National Software Archive) directory
micros/ibmpc/dos/h/h112. (NETCB is Chat box for Novell networks
and was written by Koos van den Hout.) On scanning the unpacked
executable with F-Prot before trying to use it, Secure Scan finds
no infection. However, any attempt at execution is intercepted
by VIRSTOP which reports infection with Tokyo virus. As expected,
Quick Scan returns the same report. The Heuristic Scan reports
a self-modifying program, which may indicate a self-encrypting
virus (or just unusual code).
Identical reports are obtained from both F-Prot v2.06a and v2.07.
None of the other scanners available to me (including McAfee's
SCAN100 and Dr Solomon's ToolKit report any problem). I do not
believe that the infection (if any) occurred at this site as I
have repeated the download on micros of two independent
organisations with identical results. Also, the program file size
is identical with that indicated in the accompanying message file
(H112.MSG).
These and other indications lead me to think that I may have hit
a false positive. If so, how can I run it and retain protection
from VIRSTOP?
Ian Leitch
----------------------------------------------------------------------------
| Ian Leitch JANET: [email protected] |
| Information Technology Unit Tel: 071 927 2260 |
| London School of Hygiene and Tropical Medicine FAX: 071 436 5389 |
| Keppel St., London WC1E 7HT Telex: 8 95 34 74 |
----------------------------------------------------------------------------
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 26]
*****************************************
|
|
