VIRUS-L Digest Thursday, 20 Jun 1991 Volume 4 : Issue 107 Today's Topics: Re: virus detection by scanners ? (PC) Pro vs Reactive Protection (PC) Re: Boot sector viruses on IDE drives (PC) FPROT116 is on BEACH (PC) Can such a virus be written .... (PC) Boot sector viruses on IDE drives (PC) doom 2 (PC) protecting mac files via locking (Mac) Stoned & Novell? (PC) VSHIELD and Warm Boots (was Re: Checksumming) (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 19 Jun 91 15:53:28 +0000 From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin) Subject: Re: virus detection by scanners ? (PC) I'm somewhat suspicious of any code with the following instructions: E80000 CALL (next instruction) (except that some linkers produce that for a near call to an unsatisfied external, and it could be required for ROM/position-independent code that needs to access data) 3134 XOR [SI],SI (except that that is ASCII '14') There doesn't appear to much else fixed in there except B*8206 MOV ??,0682 which could also be changed if you have a spare byte, which you can get in your last try. (Details omitted -- let's not make it TOO easy.) I hope some virus scanners have a signature for 1701 in the encrypted portion. - -- 2165888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal) a_rubin@dsg4.dse.beckman.com (work) My opinions are my own, and do not represent those of my employer. ------------------------------ Date: Wed, 19 Jun 91 12:51:57 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Pro vs Reactive Protection (PC) In recent issues, there has been considerable outcry concerning the "unremovable" infections that seem to plague many users and that the generic anti-viral packages are not able to deal with them. To repond, I have one PC (an XT) that has been infected with everything possible yet recovery is trivial, it has been low-level formatted only once (when it was delivered), and high-level formated an equal amount. Of course, being an "infection" machine, it has some special qualities, but none that I do not practise on my home machines as well. For one, before every infection, the machine is fully backed up including MBR, hidden sectors, DOS Boot Record, and both FATs (Bernoullis help & it is only a 10 MB disk), however the special portions mentioned all fit on a bootable 360k floppy and are self-restoring (similar disks exists for each of the other machines except I usually do not save the FATs on these). This process has a number of advantages but does require a "recovery" disk (preferably two) for each PC, however the process is nothing a good tech cannot accomplish in five minutes using nothing more sophisticated than DEBUG - less if automated, then the longest delay is SYSing the recovery disk with the OS in use & copying any special drivers in use. Unfortunately for many users, this MUST be done with an uninfected machine. Since many call for help only after infection, this pro-active activity is useless at that point. Currently, the tool of choice seems to be McAfee's CLEAN, a generic tool that is designed along the lines of the Oath of Hippocrates: "First, Do No Harm". Even if it recognizes the virus (e.g. MusicBug), and knows where the it stores the Boot Record, it must verify each step of the way (is this really the mk 1 MusicBug or might it be a clone ? Does it look like register values in the proper location ? Does the retrieved sector look like a real Boot Sector ? Do the table values match this disk ?) If any step fails, a generic disinfector MUST refuse to continue. (those who have experienced total loss as a result of certain "doctor" programs please raise your hands). One of the things that can cause such problems are multiple infections, another is the sheer diversity of boot record/MBR codes - last year a european testing program recorded a PNCI boot record as suspect, early versions of PC-Tools had an incredible boot record that is the only one I have ever seen that would work with both MS-DOS and PC-DOS. Sometimes it is hard to tell the good guys from the bad guys. Recently, I have seen reports that some viruses use code that is so close to each others that many scanners cannot tell the difference yet the EMPIRE and the AZUSA need radically different cures if the original table was not backed up somewhere off-PC (have had reports of EMPIRE being reorted as AZUSA/Hong Cong). In this case, you are just going to have to re-read your back issues of Virus-L for the identifiers of each strain and the manual removal methods that should have appeared along with the report (or soon after). Just to add one final note of cheer: as the strins keep increasing, the likelyhood of misidentification will continue to increase but for me, I would rather have a "false positive" to alert me to changes than "false negatives" any day. After all, we have the tools, training, and backups to handle just about anything but we "can't fix it if we don't know its broke". Cooly, Padgett ------------------------------ Date: 19 Jun 91 14:58:45 -0500 From: short@evax9.eng.fsu.edu Subject: Re: Boot sector viruses on IDE drives (PC) johnboyd@logdis1.oc.aflc.af.mil (John Boyd;LAHDI) writes: > not possible on an IDE drive. So the question becomes; for an IDE > drive, what DO you do to get rid of a boot sector virus? McAfee Associates ( The ScanV folks) have a program that will remove a boot sector virus. Its name is Clean-up, They also have another called Mdisk. I'll vouch for it, as It removed the Stoned virus from my Seagate ST-1144A IDE drive without a hitch. I don't know of a FTP location, But it can be obtained from the authors BBS at 408-988-4004. ------------------------------ Date: Wed, 19 Jun 91 11:22:27 -0500 From: root@farwest.sccsi.com (John Perry) Subject: FPROT116 is on BEACH (PC) Hello Everyone! FPROT116.ZIP is now available on BEACH.GAL.UTEXAS.EDU. Come on by and pick up a copy. John Perry KG5RG You can send mail to me at any of the following addresses: Internet : perry@farwest.sccsi.com UUCP : nuchat!farwest!perry ------------------------------ Date: 20 Jun 91 09:36:40 +0000 From: Steven van Aardt Subject: Can such a virus be written .... (PC) Is it possible to write a PC virus which installs itself whenever you place an infected disk in the drive and do a DIR command ? Steve. - -- --------------------------------------------------------------------------- - JANET E-mail : vanaards@uk.ac.man.cs.p4 (Steven van Aardt) -- -- Warning this user has been designated for termination on the 21.6.91 -- --------------------------------------------------------------------------- ------------------------------ Date: Thu, 20 Jun 91 09:59:25 -0400 From: Ronnie Judd Subject: Boot sector viruses on IDE drives (PC) johnboyd@logdis1.oc.aflc.ar.mil (John Boyd:LAHDI) writes; > It recently occured to me that we get rid of most boot-sector viruses > by routinely doing a low-level format on a drive. However, this is > not possible on an IDE drive... Seems I keep seeing over and over on this list that one *almost never* has to do a low level format to remove boot sector viruses. However on the question of how does one format an IDE drive there are programs out there that will do such a thing. I recently upgraded a couple of Compaq machines and found Disk Manager 4.0 did the trick just fine. So if you feel that you *absolutely must* low level format to get rid of the offending virus give it a shot. Ronnie N. Judd | _ _ _ / | BITNET: RNJUDD@SUVM Dept. Civ/Env Engineering | / (o o)  _ _ _ / | Phone: (315) 443-5796 220 Hinds Hall | |_/| |_| | | FAX: (315) 443-1243 Syracuse University | (._.)||_ _( / | A failure is a chance Syracuse, NY 13244-1190 | U _|| _|| | to start again smarter (Of course these are my opinoins, no one else wants them!) ------------------------------ Date: Thu, 20 Jun 91 08:16:55 -0700 From: Eric_Florack.Wbst311@xerox.com Subject: doom 2 (PC) It would appear to me that VIRx 1.4 isn't cleaning up after itself. You guys just ran accross different bits of code because of different ares of RAM being used to store the search strings. I state this obvious point, to make a point. This would seem slopy code on two points: One that VIRx doesn't clean up after itself, allowing other programs to find it's code fragments, is of course a major concern to the users of the program. (Should also be of great concern to the authors, but no matter for that for now..) The second point is that it's a security problem for all computer users. Consider: It's simplicity itself for someone who can write a virus to tear apart the non-encrypted VIRx code and determine the search strings used in VIRx. Now, this in itself wouldn't be a problem, I guess, but consider that what SCAN saw, were the search strings that VIRx was using.... meaning they're using the SAME strings. Based on this info, anyone who wanted to, could, in theory, modify the virus enough that the string would no longer bee caught by the current search strings. Encrypting the search strings in your code, therefore is always a good idea, as is cleaning up the mess your program makes in RAM. VIRx, apparently doesn't address these two points. ------------------------------ Date: Thu, 20 Jun 91 13:41:57 -0400 From: Lee Ratzan Subject: protecting mac files via locking (Mac) Aplication locking on a Macintosh prevents a file from accidentally being destroyed (trashed) and to some extent from being altered. A user wants to know if locking Disinfectant on a hard disk will prevent it from being itself infected from a virus emanating from an infected floppy. The issue is whether we can trust a resident locked copy of Disinfectant to remain clean even if the hard disk on which it resides becomes infected. I have advocated that since we have no automatic virus checking software which is activated upon disk insertion or start up and since anyone can use the machine, the only way to be absolutely certain that integrity has not been compromised each morning is to boot up first with a trusted disk and run the trusted disk copy of Disinfectant against the hard disk files. Comments? Lee Ratzan ------------------------------ Date: Thu, 20 Jun 91 12:18:17 -0600 From: rtravsky@CORRAL.UWYO.EDU (Richard W Travsky) Subject: Stoned & Novell? (PC) Does anyone have any information on Stoned and Novell 3.X networks? Like can a Novell server pick up Stoned (or any other boot sector infector)? I've some information that indicates it can but not much more than that. Tales, experiences, caveats? Please reply by email, I need info ASAP. Many many thanks! Richard Travsky Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU University of Wyoming (307) 766 - 3663 / 3668 ------------------------------ Date: Thu, 20 Jun 91 19:23:00 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: VSHIELD and Warm Boots (was Re: Checksumming) (PC) padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: (a lot of stuff deleted here...) >I believe that VSHIELD protects from hot-boots now - do not believe >that prevention from cold boots can be done without hardware or >special BIOS. My next project now that DISKSECURE is essentially >complete will be a small addition to warn the user on boot if a floppy >is in the drive - should not be difficult or require much code (trap >cntrl-alt-del, check for floppy, write warning message, loop for >response), several viruses make use of this technique already so it >cannot be too difficult (famous last words). VSHIELD traps warm (hot) boots (aka Ctrl-Alt-Dels, Three Finger Salutes) to check the floppy drive and then the hard disk for boot sector and partition table infecting viruses. If a virus is found, VSHIELD displays it's "found virus X in area Y" message and prompts the user to power down and boot off a clean system disk. If no virus is found, then VSHIELD reboots the system as normal. Some XT systems apparently have problems with this, causing a reboot to take a long time (5 minutes or more). If so, the option can be turned off by using the /NB (No Boot) checking. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com 4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | mrs@netcom.com ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 107] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253