home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.233
< prev
next >
Wrap
Text File
|
1995-01-03
|
15KB
|
372 lines
VIRUS-L Digest Monday, 6 Nov 1989 Volume 2 : Issue 233
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: Virus source available in Toronto
Re: Where are the Sophisticated Viruses?
virus protection strategy questions
New anti-virus programs uploaded to SIMTEL20 (PC)
More CRC suggestions
Re: Brain and Ashar virus (PC)
Re: Brain Virus Query (PC)
KillVirus (Mac)
CRC Checking.
Typo vs. Typo (PC)
NP completeness
---------------------------------------------------------------------------
Date: 06 Nov 89 11:48:16 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus source available in Toronto
kelly@uts.amdahl.com (Kelly Goen) writes:
>the published sources working or non working are really not
>that much of a threat...
Wrong !
One concrete example why: The "Ghost" virus recently found here in
Iceland seems to have been based on the listing of the Vienna virus
from the book "Computer Viruses: A High Tech Disease" This is clear
becuse the virus contains the two patches added there to make the
virus a little less harmful than the original Vienna virus.
Since any assembly language programmer should be able to create a new
working virus in a day given a listing or a good (commented)
disassembly, this gives us a good reason to limit the availability of
virus listings as much as possible.
- -frisk
Fridrik Skulason University of Iceland
frisk@rhi.hi.is Computing Sevices
Guvf yvar vagragvbanyyl yrsg oynax .................
------------------------------
Date: Sun, 05 Nov 89 23:04:41 -0700
From: ctycal!ingoldsb@cpsc.ucalgary.ca
Subject: Re: Where are the Sophisticated Viruses?
There are probably two reasons why the viruses you suggest do not
exist:
1) If the system code is bypassed, then it must be rewritten.
Most hackers are not at that level. Those that are that
proficient are busy making money.
2) Code to do all the stuff needed would be quite large, and
therefore noticeable. If you add 20 K to somebody's
programs they will likely notice.
Anyway, viruses experience exponential growth. At the beginning
the spread is very slow and only becomes rapid after a fair while
(say 6 months). This allows the wary to catch most viruses.
Terry Ingoldsby ctycal!ingoldsb@calgary.UUCP
Land Information Systems or
The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb
------------------------------
Date: 06 Nov 89 16:14:57 +0000
From: n8243274@unicorn.wwu.edu (steven l. odegard)
Subject: virus protection strategy questions
For personal computers, I can imagine Mom giving me advice to keep me
from catching cold, [a biological virus]:
1. Wear your coat. Keep yourself warm. Don't expose yourself.
The 3 1/2 inch disks have a little write-protect tab. If the disk is
set to safe (where you may see through the hole), no data may be
written to it, including virus's data. 5 1/4 or 8 inchers have a side
slot which must be covered with black vinal tape to write-protected
them. Is it reasonable to install write-protect toggle switches for
hard disks on a personal computers? I use the write-protect all the
time on larger computers -- once a machine (software) crashed and
destroyied the work of one-hundred people the previous week!
2. Stay out of garbage. Use only reliable 'clean' software
purchased from reputible software dealers. How often is
food-poisioning contracted from eating food from clean restaurants?
There are a few cases software published with unknown viruses lurking
in them, but such are usually detected quite rapidly.
3. Quarantine: I have no experience here, is it practical to switch
infected systems off of local-area networks? (unplug them)?
What other common-sense strategies (as opposed to unreasonable
panic strategies) are there to prevent these infections? Should
terminate and stay resident programs be purged and reloaded from time
to time, for example?
I am reminded of a similar phenomena occurring on larger computer
systems, where the terminals they employ have a code for "transmit
25th line". Then simply typing some file can cause you to lose all
your files: the file contains the code to put "ERASE *.*" on the 25
line, and transmit. The computer sees the data stream "ERASE *.*" and
proceeds to erase all files on the account. The cycle can be broken
by disallowing the 25line code from appearing in the output -- use
special 'display' program, or disabling the transmit 25th line command
- -- install a toggle switch on the terminal, or by being careful what
you look at -- be aware of the problem.
- --SLO 8243274@wwu.edu uw-beaver!wwu.edu!8243274 n8243274@unicorn.wwu.edu
------------------------------
Date: Sun, 05 Nov 89 19:37:00 -0700
From: Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL>
Subject: New anti-virus programs uploaded to SIMTEL20 (PC)
I have uploaded the following files to SIMTEL20:
pd:<msdos.arc-lbr>
SHEZ49.ARC Shell for archive manipulation, w/virus check
pd:<msdos.trojan-pro>
CKOT094.ARC Checks archived files for viruses (req. SCANV)
NETSCAN.ARC Network compatible - scan for 46 viruses, v46
SCANRS47.ARC Resident program to scan for many viruses
SCANV47.ARC VirusScan, scans disk files for 47 viruses
VALIDAT3.ARC Validate shareware programs for authenticity
CKOT094, NETSCAN, SCANRS47 and SCANV47 were obtained directly from the
Homebase BBS.
- --Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz
------------------------------
Date: Sat, 04 Nov 00 19:89:58 +0000
From: agora.hf.intel.com!greg%medusa.intel.com@RELAY.CS.NET
Subject: More CRC suggestions
len@csd4.csd.uwm.edu (Leonard P Levine) writes:
> A satisfactory system is one in which each user can use a polynomial
> of his/her choice and where the list of files and their crc's
> (for example) is stored in some arbitrary location. No virus writer
> will be looking for YOU, rather just a collection of systems that
> are alike enough to infect.
The CRC program should encrypt and authenticate its stored data file(s);
otherwise, it'd be easy for a savvy virus to essentially 'grep' for strings
matching the format of those used by common CRC programs, and then modify
that file.
Even niftier would be 'roll-your-own' CRC programs, that encourage the user
to modify and recompile them from available source; that way, virus authors
couldn't compensate for just a few very popular CRC checkers, and would
have to contend with thousands (probably millions) of different versions
with different filenames and methods of storing the CRCs.
[However, the above immediately brings to mind hacked versions of the
source, intended to trick nontechnical users into compiling and running
evil programs. I suppose we could get the source code from a few
(authentic) sources, along with CRCs for that source code... :) Sigh.]
Another thought: for people with access to EPROM burners, howzabout
burning the (encrypted) CRCs into EPROMs? (I'm thinking primarily of PC
clones, with their relatively easily accessible ROM sockets) Whenever new
software is installed, the old EPROM could be wiped and reprogrammed.
- --
".. organized crime is the price we pay for organization." - Raymond Chandler
Greg Broiles | CI$: 74017,3623 | greg@agora.hf.intel.com
3105 Pine St. | WWIVnet: 1@5312 |
Riverside, CA 92501 | Peacenet: gbroiles | tektronix!tessi!agora!greg
------------------------------
Date: Sun, 05 Nov 89 15:34:17 -0500
From: KHV%NIHCU.BITNET@VMA.CC.CMU.EDU
Subject: Re: Brain and Ashar virus (PC)
I had the same experience as you did Tom, when using SCANV42 to scan a
diskette I knew was infected by the Brain virus. I contacted John
McAfee, the author of the program, and was told that that was a bug in
that particular version of the program. Evidently, he choose
overlapping hex strings as his virus signatures, so even though only
the Brain virus was actually present, a false positive reading was
obtained for the Ashar virus. I haven't tested it yet, but I'm sure
that this bug has been corrected in the latest versions of the program
(what are we up to now, version 48 or so?). Hope this clears things
up.
------------------------------
Date: Mon, 06 Nov 89 09:31:23 -0500
From: Kevin_Haney%NIHDCRT.BITNET@VMA.CC.CMU.EDU
Subject: Re: Brain Virus Query (PC)
In response to your query about the Brain virus, I have included
some information below that was put out by the Computer Virus
Industry Assoc. The only things I would add to that description
are that the virus does not infect hard disks, only floppies. The
virus is non-destructive in that it is not specifically designed
to damage any files (except the boot sector)--the damage comes in
when it writes over the seven sectors, in a random location in the
data area of the diskette, which may be part of a program or data
file. The program may then not run or the data may be corrupted,
but this is just a side-effect, so to speak. The virus is
prevalent at locations which have public-access floppy-based
systems such as universities.
An infected disk (but not the files) can be recovered by
formatting. The sectors flagged as bad can even be recovered if
you have a utility such as Norton's that can directly modify the
File Allocation Table, and you use it before you reformat the disk.
If you perform the DOS SYS command, it will render the virus
inactive by rewriting the boot sector and your files will still be
there, although the bad sectors will also still be present and
whatever damage was done will not be repaired.
Hope this information helps!
- -----------------------------------------------------------------
Name: Pakistani Brain
Origin: Lahore, Pakistan, January 1986; developed
by two brothers as an experiment
Host: IBM PCs and compatibles
Class: Boot sector infector
Description:
- - Replaces original boot sector with itself
- - Moves original boot sector to another location
- - Adds seven sectors that contain remainder of virus
- - Flags all modified sectors as unusable to protect itself
- - Replicates onto all inserted bootable floppies
How spread:
- - Booting from unknown or shared disks
- - Infects through any access to an inserted disk
Listing directories, executing programs and so on
Through software reboot sequence
Symptoms:
- - Copyright @BRAIN label displayed in directory of infected disk
- - Reboot sequence slowed down
- - Excessive floppy activity for simple tasks
- - Program crashes for some versions of DOS
- - Interrupt vectors modified
Potential damage:
- - System crash can cause loss of data
- - Spreads quickly to all bootable disks
Precautions:
- - Do not boot from unknown floppies
- - Boot only from the hard disk if one exists
- - Write-protect all boot disks
Recovery:
- - Shut down infected systems
- - Reboot from a clean, write-protected original boot disk
- - List directory of all disks - look for @BRAIN label
- - When found, destroy the disk, or:
Perform DOS SYS command to rewrite boot sector
Recreate volume serial label using any available utility
(This procedure will still leave 7 bad sectors with dead virus)
Notes: Will live through software reboot.
------------------------------
Date: Mon, 06 Nov 89 12:27:20 -0500
From: "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU>
Subject: KillVirus (Mac)
Does KillVirus have an nVir "resource". ("nVir" visible when examined
with ResEdit.) Or do I have problems with my copy of KillVirus.
Thanks much.
Gregory E. Gilbert
Computer Services Division
University of South Carolina
Columbia, South Carolina USA 29208
(803) 777-6015
Acknowledge-To: <C0195@UNIVSCVM>
------------------------------
Date: Mon, 06 Nov 89 10:34:26 +0000
From: Martin Ward <martin%EASBY.DURHAM.AC.UK@IBM1.CC.Lehigh.Edu>
Subject: CRC Checking.
How about this for a system:
Keep the CRC checker program and file of checksums on a separate
bootable floppy, which has a suitable AUTOEXEC.BAT file. At the end of
the day, power down, insert this floppy and power up. The machine
boots off this floppy and is therefore guaranteed free from active
viruses, it then automatically checks all executables on the hard disk
for any changes. The same disk could go on to do a backup
automatically once the machine has been declared free of infections.
Martin.
My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU
OR: martin%uk.ac.dur.easby@nfsnet-relay.ac.uk UUCP:...!mcvax!ukc!easby!martin
JANET: martin@uk.ac.dur.easby BITNET: martin%dur.easby@ac.uk
------------------------------
Date: Mon, 06 Nov 89 19:12:45 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Typo vs. Typo (PC)
There have been two viruses reported in the PC world, with the name "Typo".
One is a boot sector virus - a modification of the Ping-Pong
virus. This virus was written in Israel.
The other virus is a resident .COM infector, 867 bytes long.
This one is of U.S. origin.
Since having two viruses with the same name will only lead to confusion,
something needs to be done. Any suggestions ?
- -frisk
------------------------------
Date: 06 Nov 89 20:27:02 +0000
From: kerchen@iris.ucdavis.edu (Paul Kerchen)
Subject: NP completeness
Recently, I posted an article in which I stated that the virus problem
was NP complete. Well, a number of people pointed out my error and so
I'd like to apologize. What I meant to say was that the virus problem
(at least detection, anyway) is undecideable. However, despite this
problem, I still contend that no virus solution will be a 100%
solution. I'd like to thank the people who politely pointed out my
mistake and the folks who were less than gracious can...well, you know
what you can do. I'll have to watch my NP's and Q's more closely
(sorry, I couldn't resist).
Paul Kerchen | kerchen@iris.ucdavis.edu
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253