home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
High Voltage Shareware
/
high1.zip
/
high1
/
DIR14
/
VL6_094.ZIP
/
VIRUSL6.094
Wrap
Text File
|
1993-06-14
|
20KB
|
510 lines
VIRUS-L Digest Monday, 14 Jun 1993 Volume 6 : Issue 94
Today's Topics:
Re: about Digital Enterprises $5,000 challenge...
DFN-CERT gopher
Re: Virus as extortion
Thompson Paper on UNIX Viruses (UNIX)
Anti-Virus Techniques and direct Port Writes (PC)
Flip atack again (PC)
DOS 6 - on a PC with 2 harddisks (PC)
viruscopy-protection (PC)
Re: Cure against Tremor available? (PC)
Change detection software (CVP)
(Really short) Review of (really silly) VIRUSDIE for Atari
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on cert.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 11 Jun 93 14:10:39 -0400
>From: ejo@kaja.gi.alaska.edu (Eric J. Olson)
Subject: Re: about Digital Enterprises $5,000 challenge...
hobbit@babyoil.ftp.com (*Hobbit*) writes:
>Taken from Prodigy. Figures.
Actually this is a common sort of challenge and has been used for all
sorts of things historically, from safes to codes to computers.
Eric Olson <ejo@kaja.gi.alaska.edu>
------------------------------
Date: Fri, 11 Jun 93 21:27:03 +0000
>From: jdc@selway.umt.edu (John-David Childs)
Subject: DFN-CERT gopher
Forwarded from the NET-HAPPENINGS list (maybe Vesselin has already posted
this by now :-) :
>Date: 10 Jun 93 11:30:55 GMT
>From: hille@fbihh.informatik.uni-hamburg.de (Gunter Hille)
>Subject: Announcing the DFN-CERT gopher server
>Newsgroups: comp.infosystems.gopher
>Organization: University of Hamburg, Germany
The DFN-CERT is pleased to announce a new gopher server containing an archive
of texts related to computer security. The majority of these texts was
collected from different ftp servers and other archives.
The headlines are short descriptions of the contents and most of them show
the approximate size in the headline, so browsing through the texts
can be helpful. At the top level you can use the WAIS search engine
to search for special keywords.
The address of the gopher server is:
gopher.informatik.uni-hamburg.de port 70
Please note that this gopher server is a mirror of our ftp-archive of
security related literature:
ftp.informatik.uni-hamburg.de/pub/security
If you find literature related to computer security not yet in this gopher,
please send a note to:
dfncert@informatik.uni-hamburg.de
- --
John-David Childs
Consultant, University of Montana CIS
UM Student Health Service HEALTHLINE Gopher Admin
jdc@selway.umt.edu, con_jdc@lewis.umt.edu
------------------------------
Date: 11 Jun 93 23:14:22 -0500
>From: x92jinnah@gw.wmich.edu
Subject: Re: Virus as extortion
wouter@stack.urc.tue.nl (Wouter Slegers) writes:
> This may not be common for this group, but as this is about virusses...
> A friend of mine who programs a up/download-protocol got a threath (sp?)
> from Russia: Either he sold the program to them for $5 (normally $15) or
> they would release a virus with his name in it (maybe even with the
> protocol, I don't know for sure). He didn't comply and changed the
> coding/protection of his program radically to make it more difficult to
> hack/infect it.
> How do you feel about this? Can you give us advise as to how to handle this?
> Do you have tips to prevent deliberate infections and hacks? (Although this
> program is already quite protected with encryption e.g. ideas are always
> welcome).
> BTW: this is all on the PC-platform.
> Wouter Slegers, 1st year CS at TUE (nl), wouter@stack.urc.tue.nl.
I would suggest you keep the letter (or email) you received as
proof, in case they really carry out the threat. Don't worry about
having your name in a virus; some of the most famous virus-busters
(including Bontchev and Frisk, I believe) have had their name inserted
into a virus. It won't fool anyone because it's obvious no-one's that
dumb to be associated with a virus. No author would put his name in to
be traced.
Perhaps you could arrange with the local authorities to plan some
kind of "sting" operation to grab these guys and put them away. It's
quite a clear case of extortion.
------------------------------
Date: Sun, 13 Jun 93 14:49:57 -0400
>From: SPIRIT@WILDWOOD.DEMON.CO.UK
Subject: Thompson Paper on UNIX Viruses (UNIX)
I have been trying to locate a copy of the paper by J. David Thompson
titled "Why UNIX is Immune to Computer Viruses".
It was discussed some time ago in this group.
Any suggestions as to how I can obtain a copy, in electronic or paper
form, would be helpful.
Regards, MikeH
- --------------------------------------------------------------
* Mike Horrell spirit@wildwood.demon.co.uk *
* *
* wildwood is not affiliated with any other demon.co.uk site *
------------------------------
Date: Fri, 11 Jun 93 09:42:18 -0400
>From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Anti-Virus Techniques and direct Port Writes (PC)
Inbar asks about QEMM "stealth" and it really is some very good code
that doesn't always work. The premise is that the BIOS takes up RAM in
the first meg that could be used for other programs. The 386 allows
dynamic memory mapping so it is just a matter of having the right page
mapped to segment F000h at the right time.
Now QEMM's mechanism requires that expanded memory (page frameing) be
available before "stealth" will work and I do not need EMS so I find
that the "stelth" gain is offset by the page frame loss so do not use
it. However, there is no architectural requiremnt for a page frame
when using "stealth" & I suspect that it is a drive loading issue.
Now, QEMM "stealth" relies on knowing *when* to swap memory. This relies
on knowing when the BIOS is needed. The first and easiest to determine is
the interrupt table. If an interrupt points to segment F000 then all that
QEMM "stealth" needs to do is to redirect the interrupt to itself, and on
call swap the BIOS in, and when done, swap it out again (actually not the
most efficient mechanism but the easiest to impliment).
The hooker is when "something" already took away the interrupt so that when
QEMM loads, the interrupt points to RAM rather than to ROM. Apparently,
QEMM during installation "walks" such interrupts looking for a JMP FAR or
CALL FAR to the BIOS. When it finds one, it replaces the vector with
one to its own code that does the swap and files the original call (where
my stuff got bothered).
One exercise for the student would be to examine how QEMM "stealth" would
handle an indexed CALL FAR / JMP FAR, self modifying code (oh no), a
pre-stacked RETF (oy und veh) to the BIOS, or a double jump routine.
Inbar's INs and OUTs would be immune of course since these do not
involve any code in segment F000h but the problem is still how to know
*when* to do those INs and OUTs. For this reason the technique is
useful for user- initiated actions such as data recovery and not much
use by themselves to a virus writer 8*). In particular, heuristic
scanners might find it a good idea to scan for INs and OUTs since few
programs would have any to use them.
Warmly,
Padgett
------------------------------
Date: Fri, 11 Jun 93 10:16:46 -0400
>From: SALVA@vm.cpd.ua.es
Subject: Flip atack again (PC)
Hi, I have a 386 pc computer with 120 Mb of HD and 4Mb of MMemory.
This compute r was infected by te Flip. The Flip was cleaned, but the
100 Mb was transform to 32 Mb (the fdisk detect 120 Mb), but DOS 5.0
detect 32. Any idea to recover the information above 32 mb thru 120?
If this an old problem, please answer directly to me, not to the list.
Thanks.
____________________________________________________________
> <
| Salvador P. Sanchez Salva@ealiun11.bitnet |
| University of Alicante Salva@vm.cpd.ua.es |
| Spain Fax 34-6-5903464 |
>____________________________________________________________<
------------------------------
Date: Sun, 13 Jun 93 06:53:50 -0400
>From: "Jorgen Olsen" <masjol@dou.ou.dk>
Subject: DOS 6 - on a PC with 2 harddisks (PC)
Today many PC-users believe that the moment their PC runs into
problems - they are infected by a Virus. So though this has nothing to
do with an infection - the information might save you some time.
Background:
486/33DX clone, 8MB, DOS-6, 204 MB (IDE)-disk, expanded with another
disk (245MB) with the new big one as the primary (C:) disk - and the
old one as the secondary (D:). No fancy DOS-6 utilities installed,
as the version was installed for testing purposes.
However MEMMAKER had been run and provided me with another 3KB.
Problem(s):
a. The weekly run of Norton Disk Doctor reported
'error in the CMOS-setup of D:',
and i) hang up the system,
or ii) aborted with the result that afterwards DOS
refused to recognize the existence of D:,
until a reboot was performed.
b. my streamer software also refused to accept the existence of D:.
So suddenly backup of the disk (my DATA-DISK) was impossible
and regaining access demanded a reboot,
c. trying to look at the configuration with FDISK (in display mode)
yielded - 'run time error rn305 (or something like that),
divide by zero'!! Cold Boot needed!
d. CKSETUP (a program in the CHK-IT-package) - halted the system
(said it could not reload COMMAND.COM) when asked to look at D:!
Reboot!
Theories:
a. something wrong with the CMOS-setup,
b. timer problem - if the timer of the secondary had not
been disabled (it had!!),
c. disk problem,
d. others - BUT not an infection
(I am the guy who has the responsibility of the distribution
of the anti-virus software and that machine is loaded with
all the goodies that access to the INTERNET as well as money
can provide you with - everything properly licensed - if needed)!
(No DOS6 Anti-virus tools installed at the moment)!
So being out of the office on business a couple of days ago the tech team
of the Center with first class system support took care of the backup
and went in - if need be 'able and willing' to do what might have to be
done - up (or rather down) to low level formatting!
The fact finding:
a. By mistake they booted with a DOS-5 write protected diskette
- and then could not recreate the problems!
b. Reboot for the installed DOS-6 enabled them!!
c. BOOT from a DOS-6 (write protected safety-diskette) - no problems.
The solution:
The difference between the 'hard disk' boot and the diskette ditto
was in CONFIG.SYS and AUTOEXEC.BAT.
MEMMAKER had added 'HIGHSCAN' to the EMM386-line in CONFIG.SYS -
removing that solved the problem!!
My Question:
The team fined me - for installing hazardous non-standard software on my
machine without being able to foresee the consequences and thus
wasting their time! - I have to finance the cake for our next general
meeting.
NOW - where (and how) do I get my refund from MicroSoft??
Jorgen Olsen
------------------------------
Date: Mon, 14 Jun 93 02:16:24 -0400
>From: KARGRA@GBA930.ZAMG.AC.AT
Subject: viruscopy-protection (PC)
Hi all,
I just came across an interesting question for windows-users:
If I have installed virstop or something similar, it should scan floppies
before they are accessed from a DOS-prompt. Is this effective, if I access
a floppy from WINDOWS-filemanager, too?
This brings me to another idea for OS2 users: as programs like virstop may
either not run at all (didn't try it) or will never know, that the floppy is
accessed (by the nature of a mulitasking environment), the only way to set up
some kind of protection would be to put the internal copy command to an externa
l
which could scan before copying. However, drag an drop with PM would fail
again. :(
Greetings, Alfred
################################################################################
Alfred Jilka #This place intentionally left blank. This place inteti
Geologic Survey, Austria #onally left blank. This place intentionally left blank
KARGRA@GBA930.ZAMG.AC.AT #. This place intentionally left blank. This place inte
################################################################################
------------------------------
Date: Mon, 14 Jun 93 08:34:25 -0400
>From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Cure against Tremor available? (PC)
RH>I checked TBCLEAN against one tremor-infected file and it
RH>cleaned it perfectly. Since TBCLEAN uses something like a
RH>soft-ICE to find the original codeentry I am sure that it
RH> will clean all other files, too.
I tried TBCLEAN v6.01 on a PC-Tools v6 or v7 COMPRESS.EXE
that was infected with Tremor. When cleaned it was left
non-operational. After attempting to clean 30-40 Tremor
infected files I've found that it is sucessfull only about
50% of the time. Maybe v6.02 is better...
Joe
------------------------------
Date: Fri, 11 Jun 93 13:24:39 -0400
>From: "Rob Slade" <roberts@decus.ca>
Subject: Change detection software (CVP)
PRTAVSC.CVP 930522
Change detection software
Change detection software, also often referred to as "integrity"
checking software, examines system and/or program files and
configuration, stores the information, and compares it against the
actual configuration at a later time. Most of these programs
perform a "checksum" or "cyclic redundancy check" (CRC) that will
detect changes to a file even if the length is unchanged. Some
programs will even use sophisticated encryption techniques to
generate a signature that is, if not absolutely "immune" to
malicious attack, prohibitively "expensive", in processing terms,
from the point of view of a virus.
A sufficiently advanced change detection system, which takes all
factors including "system" areas of the disk and the computer memory
into account, has the best chance of detecting "all current and
future" viral strains. However, change detection also has the
highest probability of "false alarms" since it will not know whether
a change is viral or valid. (Additional thought put into the
installation of change detection software will go a long way to
reducing the level of false positive results. As always with
security systems, there is a trade-off between the "easy" and the
"effective".) Addition of "intelligent" analysis of the changes
detected may assist with this failing.
There are three major shortcomings of change detection software. It
provides no protection, but only notification after the fact of an
infection. It is, therefore, quite possible to install an infected
program on your system and have it continue to infect other
programs. The subsequent infections will (or should) be detected,
but the change detection software will not identify the original
culprit. (Deductive reasoning, along with the software's
assistance, may, though.)
Secondly, you must "inform" the software of any changes *you* make
in the system, otherwise the change detection software will generate
a false alarm. This means having sufficient knowledge of the system
to know *when* you are making changes. Each invocation of SETVER,
for example, changes the program file, whereas "setup" changes made
to Word Perfect sometimes alter the program file and sometimes
change an external data file.
Thirdly, as with scanning software, change detection software may
not "see" changes made, and "hidden", by "stealth" viri. However,
even with the most esoteric "stealth" technology a virus must change
*something* within the system. Therefore, sufficiently broadly
based change detection is the best bet for absolute detection of all
viral programs -- if you can put up with the false alarms.
copyright Robert M. Slade, 1993 PRTAVSC.CVP 930522
==============
Vancouver ROBERTS@decus.ca | "I finally realized why Windows is truly
Institute for Robert_Slade@sfu.ca | multitasking. I find myself keeping some
Research into rslade@cue.bc.ca | secondary task (like ... mail) handy so I
User p1@CyberStore.ca | can make good use of the time I spend
Security Canada V7K 2G6 | waiting for Windows." -Steve Edelson
------------------------------
Date: Fri, 11 Jun 93 13:38:25 -0400
>From: "Rob Slade" <roberts@decus.ca>
Subject: (Really short) Review of (really silly) VIRUSDIE for Atari
ATVIRDIE.RVW 930430
Comparison Review
Company and product:
VIRUSDIE, no contact info available
Summary: scanner (with "game" interface?)
Cost Unknown
Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
Installation
Ease of use
Help systems
Compatibility
Company
Stability
Support
Documentation
Hardware required
Performance
Availability
Local Support
General Description:
Comparison of features and specifications
User Friendliness
Installation
All files said to be needed are included in the distribution archive.
Ease of use
The "game" interface seems simple, but may unnecessarily complicate operation.
Help systems
None provided.
Compatibility
Must have low resolution monitor. May corrupt certain disks.
Company Stability
Unknown. Latest archive found dated December, 1989.
Company Support
Unknown.
Documentation
Extremely brief. No contact info included.
System Requirements
Low resolution monitor. Only standard Atari ST formatted disks.
Performance
Unknown.
Local Support
None provided.
Support Requirements
Unknown.
copyright Robert M. Slade, 1993 ATVIRDIE.RVW 930430
==============
Vancouver ROBERTS@decus.ca | "If you do buy a
Institute for Robert_Slade@sfu.ca | computer, don't
Research into rslade@cue.bc.ca | turn it on."
User p1@CyberStore.ca | Richards' 2nd Law
Security Canada V7K 2G6 | of Data Security
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 94]
*****************************************