VIRUS-L Digest Tuesday, 19 Mar 1991 Volume 4 : Issue 44 Today's Topics: Unknown virus help! (PC) Preformatted disks, flopticals, etc. Re: PC MS-DOS vs BIOS protection (PC) Re: Stoned - new version? (PC) IBM VIRSCAN version (PC) Source for F-DISINF (Stoned) (PC) Replies to questions about INNOC (PC) Infecting scanners and "archived" files (PC and general) Virus naming VIREX/Disinfectant all seem to freeze scanning Appleshare vols (PC) Has anyone heard of Central Point Anti-Virus? (PC) Mathematica reports Scores virus, Disinfectant can't find it (Mac) PKLITE and hidden virus (PC) Info on virus products wanted - PD and commercial VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 13 Mar 91 14:45:25 +0000 >From: ***CURTIS*** Subject: Unknown virus help! (PC) Hello all. I have a little problem with my 386 PC. A few days ago I had the Jeruselem B virus on my machine (it's going ripe round here). I got rid of it but somehow it kept coming back.... (I know about the memory resident thingies etc etc) In the end I got rid of it. Yesterday, I ran my virus checker from hard disk. It came up with the warning "Virus checker Infected. Do not use" So I ran the write-protected version I had on floppy, No virus's found. Next I copied the virus checker from floppy to HD and ran it. It, again, said it had been infected. On further investigation I found that whatever I had was appending itself onto the end of the file, around 10-15K worth. However, the virus only appends to a file once. Has anyone out there got a good virus killer (shareware of course!) that they could arc and mail me?? Or any suggestions as to what to do (I don't particulaly want to HDWIPE the hard disk as I have only just recovered from doing the last one! I do not think the boot sector is infected which was my first thought. Cheers for any help, - -- _______________________________________________________________________________ _ | Flesh : ***CURTIS*** E-mail : csg020%uk.ac.cov.cck@uk.ac.earn-relay | | Voice : (0203) 599500 Quote : What a great day, watch some bastard spoil it! | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: 13 Mar 91 12:53:43 +0000 >From: CAH0@gte.com (Chuck Hoffman) Subject: Preformatted disks, flopticals, etc. padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes: > Now consider that these drives arrive pre-formatted from the > manufacturer and many CANNOT be low-level formatted (the same goes for > the new 20 Mb 3 1/2 flopticals). I'm not familiar with DOS / x86 systems, and this was a surprise. Why can't the disks be formatted? Is the problem related to software or hardware, or both? - - Chuck Hoffman, GTE Laboratories, Inc. | I'm not sure why we're here, cah0@bunny.gte.com | but I am sure that while we're Telephone (U.S.A.) 617-466-2131 | here, we're supposed to help GTE VoiceNet: 679-2131 | each other. GTE Telemail: C.HOFFMAN | ------------------------------ Date: Thu, 14 Mar 91 10:45:00 +0100 >From: "Mark Aitchison, U of Canty; Physics" Subject: Re: PC MS-DOS vs BIOS protection (PC) padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes: > I think it is time stand back from the PC and take a fresh > look at how protection can be placed on the system. Too many products > today rely on MS-DOS and its documentation to protect PCs. Personally, I blame Lotus 123. Well, what I mean is: back in the early days when MSDOS could have gone the many and varied ways of CPM (and there was little need for "exact" clones of the IBM), really high performance software like Lotus 123 bypassed DOS to get at the hardware. All of a sudden, micros had to be able to run Lotus 123 (and Flight Simulator). This required such a high degree of compatibility that viruses can be written to circumvent DOS and have a high chance of working. If DOS became the sort of standard that CPM or (better) Unix is, where all manner of incompatible hardware run the same o/s, then viruses would have a tough time spreading. > Hardware, in the form of a custom BIOS or ROM-extension, is > the best solution, but in many cases, may not be a cost-effective one. This is basically a good idea, but for it to work you have to restrict some things that "good" software has come to expect. This is the problem. While you can make some areas (like the partition table) fairly well protected from change, what is there to stop a virus modifying another executable, for example? Having some combination of low-down hardware protection PLUS ties with DOS so that it understands the context in which a write is generated, is better. Now comes the tricky bit: some installation programs, and compilers, legitamately change executable files. It is difficult to automatically tell the difference between what they do and what a virus does. So a third level is required... the person using the computer. This might come in the form of an annoying pop-up window everytime you reconfigure (or recompile), or some sort of list of known-to-be-okay exceptions (which has to be *very* well protected). So a good anti-virus approach is going to consider the whole system: hardware, BIOS, DOS, applications and end-user education. That, I think, is a good idea, but you soon end up with something that looks nothing like the present PC (or Mac or whatever). > It is time that some ground rules be established for any > protection scenario. I suggest: (1) DOS includes Read/Write/Delete protection on all files at a level that cannot be circumvented without relatively LARGE areas of virus code. I like DRDOS's password protection system - good enough to stop most viruses around today (I guess - someone may like to come up with a thorough survey). Better still would be internal work areas (like the "list of lists") that are not only undocuments, but vary enormously in their location and format randomly from version to version (or even have each copy of the operating system different!) (2) An "executable" flag, that can only be set by compilers, and only be reset by operator intervention. Files with this flag cannot be openned and accessed in the normal way, and (optionally) only files with this flag can be executed. (3) All directory clusters, boot sectors, FAT, and the first cluster of each executable (what a list!) can only be written to by DOS. This is easy to do if the BIOS knows the version of DOS being used, and checks the stack to see the return address. (4) BIOS should check the partition table, boot sector and o/s files before starting up, e.g. by calculating a checksum (with each BIOS chip using a different algorithm) and comparing it with a location in CMOS that can only be changed at start-up time. (5) Compilers should produce programs with several different checksums embedded in the program, at known locations (preferrably within the first 512 bytes), and external programs should be able to check they all match. A virus might be clever enough to install itself and fudge bytes so one checksum comes out okay, but not all of them. Of course, the program itself should check one or all as it starts up, to make sure it is the same checksum that was there when it was compiled (this code, and the second copy of the checksum, would be scattered in a different place in each program, and impossible for a virus to locate in all programs it may try to infect). The aim here is to avoid you getting already-infected programs, since the above suggestions only protect files once they are on your system. The first two simply bring DOS up to the level of mini-computer operating systems, and implement a relatively hassel-free method of protection, good enough for most cases, and the cheapest solution for existing users. The next two (plus, perhaps, hardware lock-out of certain IO instructions and interrupt vector tamperring), are much more powerful, and would probably need either an add-on board, or changes to the design of new computers. Notice that now BIOS and DOS have to be designed together, to some extent. Moreover, if the changes go as far as they should, LOTS of existing sofware simply won't run (e.g. Norton's DS & NU, all disk "optimisers", many fast backup schemes, some networking software, compilers, compressors of executables, and so on). Not something people will want to see introduced over night, but if the beginnings are introduced soon, in particular into the DOS, new software can start using these features now. Notice I say that this has to go *into* DOS, not another layer above or below DOS (although these are useful as well), since it is the operating system that has the best chance of "knowing" the context of the disk write of whatever, and thus avoiding unpleasant false alarms. It also is the software that should be setting the compatibility standards, not the hardware or add-on software. What do you think? Mark Aitchison, Physics, University of Canterbury, New Zealand. ------------------------------ Date: Wed, 13 Mar 91 23:12:31 +0000 >From: nelson@sgi.com (Nelson Bolyard) Subject: Re: Stoned - new version? (PC) rsoft!mindlink!John_Carson@van-bc.wimsey.bc.ca (John Carson) writes: >My friend Paul..purchased a MICROSOFT DOS 4.01 at a Computer store and >also purchased some BRAND NAME 3 1/2 DISKS. The salesman copied the >dos onto the 3 1/2. Later we found the VIRUS Stoned II on the system. >After cleaning up the system. We found the virus was on the original >MICROSOFT DOS 5 1/4 DISKS. Can this virus jump on to the original as >you copy it to another....OR is there a chance it was on the MICROSOFT >DOS. John, Most boot sector viruses (like Stoned, for example) will "infect" any diskette that is put into your diskette drive that is not write protected!! As I understand your story, your friend Paul bought a machine with only 3.5 inch disk drives, but the MSDOS disks were 5.25 inch, so the salesman copied the 5.25 inch MSDOS originals onto some brand new 3.5 inch disks for Paul. If the 5.25 inch MSDOS original disks were NOT write protected when the salesman stuck them into his (evidently) infected machine, then the MSDOS masters got infected at that point, and probably so did the 3.5 inch disks onto which MSDOS was copied. IMHO, master software disks should come out of the box write protected. They shouldn't even have the write enable notches cut into them. I NEVER put a write-enabled master diskette for ANY program into my machines. I ALWAYS put a write protect tab on a master before inserting it. I know that there is an increasing trend in the install programs for commerically purchased software to write on the master disk as part of the installation program. Programs that do this include MultiMate, Windows 3.0, and the newer Sierra games (e.g. King's Quest V). I have installed legal copies of all those programs, and I have never written on my master disks. This is accomplished by making a backup copy (using diskcopy) of the master and installing using that copy. For software with copy-protected masters, I have found that I can initiate the installation using the write-protected master, and then substitute a write-enabled copy just before the writing occurs. I'd suggest that your friend Paul take the people at that computer store to task for selling him infected software. - ----------------------------------------------------------------------------- Nelson Bolyard nelson@sgi.COM {decwrl,sun}!sgi!whizzer!nelson Disclaimer: Views expressed herein do not represent the views of my employer. - ----------------------------------------------------------------------------- ------------------------------ Date: Thu, 14 Mar 91 11:40:56 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: IBM VIRSCAN version (PC) MICKLE@CSMCMVAX.BITNET (David K. Mickle) writes: > I got my copy through our PC vendor, Microage of Beverly Hills. They > obtained it at my request from their IBM rep who downloaded it from an > IBM internal service. The version number 1.51 is correct. My understanding is that, until March 8th, the correct "public" version of IBM's VIRSCAN product was 1.3, 1.51 being a corresponding "internal" product. However, I believe version 2.00.01 is now available for both internal and public use. I'm sure David will correct any errors i've made :-) ============= Vancouver p1@arkham.wimsey.bc.ca | You realize, of Institute for Robert_Slade@mtsg.sfu.ca | course, that these Research into (SUZY) INtegrity | new facts do not User Canada V7K 2G6 | coincide with my Security | preconceived ideas ------------------------------ Date: Thu, 14 Mar 91 16:30:00 -0500 >From: ESIEWICK@pbs.org Subject: Source for F-DISINF (Stoned) (PC) Does anyone know of a source for "F-DISINF" or other antiviral program for use against the STONED virus? The virus has apparently gotten into my Partition Table. ------------------------------ Date: Thu, 14 Mar 91 16:44:18 -0400 >From: MMCCUNE@sctnve.BITNET Subject: Replies to questions about INNOC (PC) I have received numerous questions and comments about my program INNOC.COM. Rather than answering the same questions several times, I will answer them here: HOW DOES IT WORK? All boot viruses look for hex strings in the boot sectors to determine if the disk is already infected. INNOC simply puts several of these strings in the boot sector so that the virus thinks the boot sector is already infected. The current version of INNOC inoculates against the Stoned, Brain, Ashar and the Ping_Pong viruses. WHY DID YOU SPELL IT WRONG? I added the extra "n" to distinguish it from several other products with similar names (unfortunately I also misspelled it in the docs as INNOCULATE.) I RAN INNOC ON AN INFECTED DISKETTE AND SCAN SAYS IT IS STILL INFECT- ED? INNOC disables the virus but doesn't remove it. The virus will still trigger SCAN and F-PROT, although the virus will no longer infect. If this is a problem, run CLEAN or F-DISINF (F-PROT) on the diskette then run INNOC on the diskette again. WHAT IS NEXT? The Joshi or Disk Killer can be added to INNOC without changing it's effectiveness against the other viruses. I will proba- bly make these separate programs, though. Any suggestions for viruses to write inoculation programs for? I have several boot infectors (Ashar, Brain, Disk Killer, EDV, Joshi, Mardi Brothers, Microbes, Music Bug, Stoned, Stoned II and Yale.) If anybody wants another virus inoculator, I will have to get a working copy of the virus. ANY OTHER QUESTIONS? Leave me a note on Virus-L or at MMCCUNE@SCTNVE on BITNET. Mike McCune.... ------------------------------ Date: Thu, 14 Mar 91 12:42:51 -0800 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Infecting scanners and "archived" files (PC and general) A query from a local BBS: Message #1690 - Anti-virus forum Date : 12-Mar-91 10:42 From : Stan Pickthall SP> He said that there are viruses that attach themselves to the SP> scan program itself and will not be discovered by a SP> self-scan. So he said it is not really safe to scan from SP> your hard drive, but that you must scan from a SP> write-protected floppy to be ABSOLUTELY SURE you are safe. Yes, the prof was quite correct. File infecting viri are not choosy about which files they infect, and will do it to "scanners" as easily as normal programs. SCAN does have an "internal" self check, but if a "stealth" virus is active in memory, it will defeat any kind of integrity check. Indeed, some viri actively "target" certain antiviral programs, although I do not know of any current ones that target SCAN. SP> PS If it is necessary to scan from a floppy, the next SP> question is: Am I safe to unzip the files?? Or can a virus SP> attach itself while I am unzipping?? Good question, and the answer is, yes, you can infect a file while you are unZIPping it. If you have a file infecting virus in memory (active), it can infect any file it likes, including one that you have just downloaded, unzipped or copied from floppy. Some infect in that way, others do not. The standard procedure in cases like this, is to boot from a known "clean", write protected floppy. That assures that you have nothing resident in memory. Then perform your unZIPping with a "known clean" copy of PKUNZIP. If you do not "know" the copy is clean, it is best to "cold boot" after the unzipping. Note that this does *not* garantee that the unzipped file is safe, but it removes any infection from memory before you start. SCAN does a self check and memory check before it starts, so you should catch any "known" virus that way, and the "new" ones are very uncommon to begin with. The odds are that you will be safe using this procedure. ============= Vancouver p1@arkham.wimsey.bc.ca | You realize, of Institute for Robert_Slade@mtsg.sfu.ca | course, that these Research into (SUZY) INtegrity | new facts do not User Canada V7K 2G6 | coincide with my Security | preconceived ideas ------------------------------ Date: 14 Mar 91 16:49:00 +1600 >From: VANVLECK_TOM@prune.bitnet Subject: Virus naming I like the idea of a "virus hash ID" if one could be computed. For the popular name, suppose we named viruses like they name comets, with computer type, discoverer's name, year, and a letter? e.g. "PC Skulason 1990c" If you discover a new virus, you name it and report it to a central place. Earliest accepted report is the one that's recognized. Doing so would glorify the virus fighters instead of the jerks. The name wouldn't depend on sizes (vary, different viruses same size), or strings in the virus (sometimes offensive). Old viruses: leave the names alone; they're cute. Arguments about priority, renaming when more info comes in: bio science puts up with this. Who's the central authority? Some "virus researcher" who can tell when 2 viruses are the same, and has safe storage for samples. Volunteers? Tom Van Vleck ------------------------------ Date: 15 Mar 91 13:46:53 +0000 >From: hhg1@gte.com (Hallett German) Subject: VIREX/Disinfectant all seem to freeze scanning Appleshare vols (PC) Has anyone else had a problem where they are scanning a large AlisaShare volume (1200 files) and it freezes up? With Virex, it seems to do better with file names off (Version 3.1). Disinfectant scans through more files but still freezes. Is thereavirus detector available that won't do this? hhg1@gte.com ------------------------------ Date: Fri, 15 Mar 91 09:53:53 -0500 >From: KARYN@NSSDCA.GSFC.NASA.GOV Subject: Has anyone heard of Central Point Anti-Virus? (PC) Has anyone ever heard of a PC product called ANTI-VIRUS put out by Central Point Software of Beaverton, Oregon? I just got a glossy ad dropped on my desk from someone who went to FOSE. I checked thru some past Virus-L digests, and found two reviews of products called Antivirus: one in digest V4-23 for a product by Techmar Computer Products and one in digest V4-42 for a product by Fink Enterprises. Karen Pichnarczyk karyn@nssdca.gsfc.nasa.gov ------------------------------ Date: Thu, 14 Mar 91 20:42:29 +0000 >From: horus!reedp@harvard.harvard.edu (Paul Reed) Subject: Mathematica reports Scores virus, Disinfectant can't find it (Mac) I have an old version of Mathematica (version 1.03) that displays a message about the Scores virus when I run it. It says that the system is infected with the Scores virus, and some other stuff about Mathematica not working properly. But I used Disinfectant 2.4 to scan the hard disk, and it didn't find any viruses. Can the Scores virus hide from Disinfectant, or is Mathematica finding something that looks like Scores but really isn't? Thanks, Paul Reed Internet: reedp@horus.cem.msu.edu 119 Chemistry Bldg. reedp@frith.egr.msu.edu Michigan State University BITNET: REEDP@MSUCEM East Lansing, MI 48824 Phone: (517) 355-9715 ext. 331 ------------------------------ Date: Fri, 15 Mar 91 16:12:59 -0500 >From: Jim Pinson Subject: PKLITE and hidden virus (PC) I know some of the virus scanners will look within executable files that have been compressed with LZEXE. I believe they scan both before and after expansion. Lately I have been using PKLITE to compress executables, and wonder if any Virus scanners are capable of looking within the compressed files. Does anyone have any info on the subject? Thanks. Jim Pinson University of Georgia ------------------------------ Date: Fri, 15 Mar 91 19:29:05 -0500 >From: wcs@erebus.att.com (William Clare Stewart) Subject: Info on virus products wanted - PD and commercial What products are out there to deal with viruses? I'm especially interested in products to clean up virused disks, as well as detection. I've tried looking at the archives on beach.gal.*, but unfortunately they seem to be in PKARC or ZIP forms which I'm not able to decode on my UNIX system (I've got regular ARC, and the unzip stuff I've found in the archives doesn't seem to work on System V.) Are there other archive sites? Aside from a problem at work, which we've mostly cleaned out now, the person whose machine was infected says his kid says all the PCs at school have the same problem (Jerusalem-B black spots), so we're trying to find a public-domain cleanup solution. ( The commercial products I've seen require licensing, which I doubt the school would spring for, and I'd rather not see them ripping off code which is presumably what got them in this trouble. Do any of the commercial products allow schools to use them free?) Pray for peace; Bill # Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ # Hacker. System Designer. Troublemaker. ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 44] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253