From lehigh.edu!virus-l Tue May 25 04:05:20 1993 remote from vhc
Received: by vhc.se (1.65/waf)
via UUCP; Tue, 25 May 93 16:29:28 1
for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
id AA08472; Tue, 25 May 1993 14:12:05 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA18835
(5.67a/IDA-1.5 for <mikael@vhc.se>); Tue, 25 May 1993 08:05:20 -0400
Date: Tue, 25 May 1993 08:05:20 -0400
Message-Id: <9305251043.AA07340@agarne.ims.disa.mil>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: virus-l@agarne.ims.disa.mil
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: VIRUS-L Moderator <virus-l@agarne.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #83
VIRUS-L Digest Tuesday, 25 May 1993 Volume 6 : Issue 83
Today's Topics:
Should viral tricks be publicized?
Anti-viral file on gopher
Copyrighting viruses
Unix viruses (UNIX)
TREMOR Chronology (PC)
Re: TREMOR-infected virus-scanner? (PC)
Port Writes (PC)
"DIR" infection, or "Can internal commands infect" (PC)
Cansu or V-Sign virus (PC)
Can virus infect a hard drive that one cannot access? (PC)
NAV Updates (was Central Point Anti-Virus Updates) (PC)
DOS v6.0 and Virus Functionality (PC)
Port Writes (PC)
F-Prot 2.07 (PC)
Port Writes (PC)
Can virus infect a hard drive that one cannot access? (PC)
??Hidden file: 386spart.par?? What is this? (PC)
A New Virus ? (PC)
"Dirty Tricks" (PC)
CPAV updates? (PC)
Re: McAfee's Scan and Compressors (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.
Ken van Wyk, krvw@first.org
----------------------------------------------------------------------
Date: Fri, 21 May 93 14:49:00 +0200
From: Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: Should viral tricks be publicized?
> As I read this, his primary interest is in avoiding disassembly of
> viruses by AV people; copy protection comes only in second place. But
> even if we ignore the implied ranking, the very fact that he is aware
> that the tricks he has published can be used to defeat AV techniques
> (even if only among other things) says a lot, as far as I'm concerned.
> Let me put it this way: Would *you* think of posting an article of
> the type which he wrote (which includes code) in a public forum? More
> important, would you be proud of being "ON BOTH SIDES", as Inbar
> describes himself?? When you say that you're defending Inbar, is that
> really the type of person or position you want to defend?
Dear Mr. Radai,
Inbar is working under my supervision in Chief Data Recovery Ltd. (which you
probably know) and the things you write about him actually damage the name of
the company he works in. I can guarantee that if Inbar was involved in anything
related to computer viruses, he wouldn't have worked in Chief D.R.
Inbar is a very talented programmer that writes assembler better than you
speak Hebrew and that is the only reason he is working with us. His
anti-debugging tricks are very widely used in Chief's commercial programs and his
knowledge in computer viruses only helps us in giving a better service to our
clients. Inbar is by no means a virus writer nor are his intentions to improve
the knowledge of other virus writers in anti-debugging tricks.
I think you should apologize to both Inbar Raz and Chief Data Recovery Ltd. for
these words you wrote.
See you on the same table in the next virus convention.
Regards,
Nemrod Kedem,
Development Dpt.
Chief Data Recovery Ltd.
Nemrod.Kedem@f138.n403.z2.fidonet.org (Nemrod Kedem)
FidoNet: 2:403/138 VirNet: 9:972/0 CI$ ID: 100274,73
(972)3-966-7562 (14.4K) (972)3-967-0348 (Voice)
Pvt: P.O.Box 8394, Rishon Le-Zion, Zip 75253, Israel.
- --- FastEcho/386 B0426/Real! (Beta)
* Origin: <Rudy's Place - VirNet, Israel> Make Safe Hex! (9:9721/101)
------------------------------
Date: Mon, 24 May 93 10:32:11 -0400
From: John Perry <perry@phil.utmb.edu>
Subject: Anti-viral file on gopher
- -----BEGIN PGP SIGNED MESSAGE-----
The anonymous FTP archives available on phil.utmb.edu are now
available by gopher. If you are running a gopher client, you can
connect to the gopher on phil.utmb.edu and download the latest
anti-viral files automatically. Just pick the menu selection "FTPable
files on phil" and away you go! If you have any questions, please send
email to perry@phil.utmb.edu.
- - --
John A. Perry - perry@phil.utmb.edu
PGP Key available on request by sending e-mail to any of the following:
pgp-public-keys@jpunix.com
pgp-public-keys@phil.utmb.edu
- -----BEGIN PGP SIGNATURE-----
Version: 2.2
iQCVAgUBLADcTehUav9uyLDpAQHAVgP/Zeo49REhB4suNxpH4YA+r9IDWM9WIUUv
x2+4BD+CrE1Sa064Q5fo/1vb+Khi87i4/BXA0Jyh3H936bto/7Cew565+bnkCay0
viKUBaw73FaBUTPZKAKn4HV2zwLWDx+wZyip8WePji7FJKHm+5qkchiN6Ppimx8N
NAAEf4YlYTQ=
=Z8Sn
- -----END PGP SIGNATURE-----
------------------------------
Date: Mon, 24 May 93 11:27:25 -0400
From: Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: Copyrighting viruses
I have been informed that some viruses are "copyrighted" by the author.
No doubt the author did not register the copyright at the Library of
Congress with the first 25 pages of source code. (If they did, it would
be publicly available! I wonder if they would want to?) But I think
that is not necessary for a valid copyright, although I think it helps in
court.
I would propose here that to keep anti-virus products legal and above
board, all copyrights on malicious software should be considered invalid.
I would appreciate comments for or against this idea. Any ACLU-type here?
If one court could issue a ruling, or if one city could pass a law to this
effect, it would probably hold a lot of precedence value in this country.
Remember, despite the "free speech amendment", that does NOT prevent this
country from passing anti-slander or anti-libel laws. It seems to me that
anti-malicious-software laws fall into the same category. Correct?
------------------------------
Date: Mon, 24 May 93 21:33:33 -0400
From: radatti@cyber.com (Pete Radatti)
Subject: Unix viruses (UNIX)
>>From: "David M. Chess" <chess@watson.ibm.com>
> That depends on what you consider "wild". My company tracks Unix
> attacks and provides generic information on such. Last year there
> were at least 2 attacks of which I was directly aware. So far this
> year, there was one attack of which I received second-hand information
> from a reliable source.
>>Really?! That's very interesting. Can you give any more detail (to
>>the list or directly to me) about the nature of these "attacks"? What
>>sorts of viruses were involved? Were these just traditional direct
>>attacks that happened to use a custom virus of some sort as a tool, or
>>were they cases in which a virus spread to systems beyond the one
>>targeted by the writer? (And, of course, are you sure there were
>>really viruses involved, rather than just misuse of words by someone
>>reporting a normal Unix security incident?)
Ok, however CyberSoft will never supply information that might lead
to disclosing who the infected party was. This policy is necessary
to ensure that people keep telling us when they get hit. So few do so.
During the first quarter of 1992 three Unix attacks were reported to me:
1. A virus attack using a script virus. The person appeared to not
believe that the virus would work and found out the hard way.
2. A trojan named choosegirl.game which was distributed on the
internet as an executable binary.
3. A worm/virus-like attack that was deliberately placed in the source
code of a custom contract program by a staff member that lost
their position.
During the second quarter of 1992 I was personally aware of 1 Unix attack:
4. An employee that lost their job installed a timebomb in the
operating system.
During the first 5 months of 1993 I received reports of 3 Unix attacks:
5. Two separate sites that execute Unix on a i80386 based PC reported
that an MS-DOS virus attacked their system. This is possible since
these systems can execute MS-DOS programs. Samples were not provided,
therefore I only count these as one-half reports.
6. A professional security officer reported to me a virus attack against
their Unix datacenter. This only counts as a maybe since details and
samples were not provided, however the reporter was a professional full
time security officer of a major organization.
7. Two reports of Typhoid Mary Syndrome attacks. (Typhoid Mary Syndrome
describes systems that are unaffected carriers of computer viruses.
Unix systems act as carriers for MS-DOS and Apple Mac because NFS makes
it easy for Unix servers to also act as file servers for these systems.)
Not all of these attacks were from the genus computer virus, however
they were all of the family of undirected attack software. I define
undirected to infer software that was created and let loose into the
wild to "fend" for itself without control by its authors. This
therefor does not include software used as tools by crackers in a real
time attack to secure access or privilege.
I understand that my use of the word virus may have caused some
confusion. In the course of normal business I have found that the
average person does not understand the difference between Worms,
Viruses, Trojans, etc... I have become used to using the word virus,
which most people think they know the meaning of, to describe attack
software. It is, from my view point, much better to impart knowledge
that is correct except for the name than to impart no knowledge at
all. When writing in this forum I will now use the correct names.
Hard-to-learn habits are hard to break. :-)
In closing, I wish to add that these attacks are not yet widespread
and that there is no need to panic. Products like VFind solve
several problems, not just Unix viruses. VFind scans for Unix,
MSDOS, Apple Mac, Amiga and user programmed patterns. Networks that
are heterogeneous and require high reliability or data migration
tracking are better customers for scanners like VFind. Additionally,
some people find the extra protection provided by searching for all
forms of Unix attack software, not just viruses, to be of great value.
To ensure that my comments are not used out of context and that they
are reproduced in their whole:
Copyright 1993 by Peter V. Radatti.
My comments may be used by individuals and educational institutions as long as
they are reproduced whole, complete with this notice.
Pete Radatti
radatti@cyber.com
------------------------------
Date: Mon, 24 May 93 21:48:55 +0600
From: Fischer@rz.uni-karlsruhe.de
Subject: TREMOR Chronology (PC)
Chronology of the Channel Videodat incident
On May 6th the Micro-BIT Virus Center was contacted by an anti-virus
consultant, who couldn't cope with a new virus a user had sent him. The facts
he described clearly indicated that TREMOR was the cause of the problems. The
user, who had initially sent in the virus claimed he had downloaded the first
infected file through Channel Videodat. (There were several calls before that
stated this as a source too, but weren't able to provide any clues for their
suspicion)
This is a system that broadcasts software in 3 of the invisible lines of a TV
picture. The TV program on the same channel is called PRO-7 and is
broadcast via satellite, terrestrially and via cable. It can be received in
most of Europe. The company providing the software distribution (Channel
Videodat Medien GmbH in Cologne, Germany) claims to have some 60 000
registered users in Europe. They are not connected to PRO-7, they just use the
same channel for broadcasting.
On May 7th a disk arrived and the TREMOR infection was verified. Channel
Videodat Medien GmbH was contacted, but denied that they had sent out
infected software. But they told about how they checked their systems, since
they had a written complaint from one of their users, which was accompanied by
some samples. It became evident that their search method was insufficient
and that they might well be infected. A special TREMOR detector was sent to
them, but no reply was sent back, so the MVC monitored their program.
Friday 14th 2pm a TREMOR infected file was received! It was a PKUNZIP.EXE
accompanying McAfee's V104 ZIP files. The ZIPs were ok, but the unpacker the
company had bundled was infected. This was also discovered by the source and 2
hours later they broadcast a replacement PKUNZIP.EXE and overwrote the
infected file on those machines that were still online.
Since Tuesday 18th they have broadcast several anti-virus programs and alert
messages 3 times per day to all online systems.
Several of the "victims" claim, that there were infected files distributed at
earlier times through this source, some even claim as early as the beginning
of March. Fact is that TREMOR is in the wild and was quoted every other day
on the Micro-BIT Virus Center's help phone for the last two months.
Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de
------------------------------
Date: Fri, 21 May 93 19:36:50 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: TREMOR-infected virus-scanner? (PC)
Karsten Steffens (steffens@VTP147.UNI-MUENSTER.DE) writes:
> bad news is circulating in Germany: a private television station
> usually spreads shareware among the people by sending it in a datachannel
> overlaid to their normal TV-program, using a special decoder hardware
> people can separate the data from the movies and download. They call it
> CHANNEL VIDEODAT. Now, newspapers claim that during the transmission last
> friday also the latest version of "a famous american virus scanner", which
> itself was infected by the TREMOR virus had been transmitted, and lots of
> computers had been infected. As no newspaper calls the "famous scanner" by
> its name, my question is:
> Which scanner is infected by TREMOR?
> Which scanner can disinfect TREMOR?
Here are some corrections and additional information.
First, the "famous American virus scanner" mentioned is McAfee's SCAN,
version 104. Second, the scanner itself was not infected. However, it
was sent together with an infected copy of PKUNZIP. Third, version 104
of SCAN does NOT detect the virus at all. F-Prot 2.08a detects it, but
not reliably - that is, some infected files could be missed. Dr.
Solomon's Anti-Virus ToolKit seems to detect it reliably, but I have
not done detailed tests.
It is very difficult to run good tests. While the virus has a big
mutating potential (something of the range of TPE), it mutates slowly,
which means that even if you generate thousands of samples, you'll
generate only a small number of different mutations.
Fortunately, the virus does not spread well between computers - if you
copy an infected file to a floppy with the virus active in memory, the
copy on the diskette will be uninfected. The only way to spread the
virus between different machines are:
1) If you boot from a clean floppy (i.e., no virus in memory) and copy
one of the infected files on a diskette, and execute it later on
another machine. Unlikely.
2) If you execute a file on a diskette - then this file will become
infected, if the diskette is not write-protected, of course.
3) If you download an infected file from a BBS (or from the TV
<grin>).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Fri, 14 May 93 10:00:05 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)
trimm@netcom.com (Trimm Industries) writes:
> You could simply use the interrupt controller to mask the IRQ of the
> disk drive. But yes, the disk can be operated in purely a polling
I don't think it will work. Didn't try it, though.
> There are two 8 bit regs you load up with the cylinder, one for the
> head, one for the sector, and one for the count. Then by writing
> an opcode into the control register, the operation begins. I've
> posted at length on this issue on Fido Virus_Info, should I cross-
> post it here?
I don't think so.
This is a sensitive issue, and the less people know about it, the more secure
we are.
Inbar Raz
Chief Data Recovery
- - --
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
- --- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
------------------------------
Date: Tue, 18 May 93 13:57:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: "DIR" infection, or "Can internal commands infect" (PC)
bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) suggested the
following:
> would you agree with the following addition to the FAQ:
> Q: Is it possible to infect a virus-free computer by
> just executing the DIR command on an infected diskette?
> A: The only way to infect a computer with a virus is
> to execute (transfer control to) the virus code. The DIR command
> reads various parts of the disk(ette)s, but does not execute
> anything. Therefore, it is not possible to catch a virus by simply
> doing a DIR on an infected diskette. There are a few caveats, however.
Yep...
> First, some systems have a special device driver loaded. This driver
> is called ANSI.SYS and its purpose is to provide ANSI terminal like
> compatibility. Unfortunately, one of its features is that it allows
> the keys of the keyboard to be reprogrammed by sending special codes
> ("escape sequences") to the screen. These codes can be contained in a
> text file - simply displaying the contents of this file will cause one
> or more keys to be reprogrammed.
> It is possible to create a diskette, the directory of which contains
> files with "names" that consist of such escape sequences. Executing
> DIR on such a diskette will cause the contents of its directory to be
> displayed, and therefore one or more keys to be reprogrammed. The
> result could be that the next time you press one of those keys, you
> could get unexpected results - files deleted, some program from the
> diskette executed, etc. Since this could result in execution of an
> external code, it means that it is (theoretically) possible to catch a
> virus this way.
> The solution is to disable the ANSI.SYS driver completely, or at
> least its keyboard programming capability. There are several free
> programs that allow you to do this (PKSFANSI is one of them). As an
> alternative, you could use a different ANSI driver instead of the one
> that comes with DOS - and select one that does not have the keyboard
> reprogrammability feature or that at least has means to disable it.
Splendid...
> Second, while the DIR command alone will not execute any external
> code, for many users it is equivalent to "display the contents of a
> particular directory". Unfortunately, some sites might have installed
> more elaborate front-ends to DOS - shell programs which provide an
> easy and convenient way to use the services of the operating system.
> In particular, the function "display the contents of a directory" of
> such systems might be implemented in a complex way and might not be a
> simple DIR. It may load new copies of the command interpreter, execute
> external programs, etc. All these actions involve the execution of
> external code, which in some cases may cause a virus to be executed.
Great...
> Finally, the DIR command causes various parts of the examined disk(s)
> to be read in memory, and in particular - the boot sector.
Just add here:
On the *first* time a floppy is accessed the BIOS attempts to read the boot
sector, sometimes several times if the read has failed (resetting the floppy
drive between attempts).
Later the boot sector is read once (or not at all) on each floppy access.
The aim of this is to read the BPB (BIOS Parameter Block) holding the
information on how to read this floppy.
> If this boot sector contains a virus, the virus code will be read in
> memory - but will remain inactive, since control is never passed to it.
> However, if the user now executes a scanner which plainly scans the
> whole memory for some virus scan strings, it may detect the virus
> code. If the scanner is not intelligent enough to figure out that this
> particular boot sector virus just cannot reside at that place of
> memory and be active, then it will incorrectly report that there is an
> active virus in the computer's memory. This is often called a "ghost
> positive alert" or simply a "ghost positive", see question C8. It DOES
> NOT mean that the computer is really infected.
I cannot think of a better way to write it 8-)
Warm regards
* Amir Netiv. V-CARE Anti-Virus, head team *
- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)
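The FAQ text quoted in the message above describes how a directory entry whose name carries an ANSI.SYS key-redefinition sequence can reprogram a key the moment DIR echoes it. As an added example, not code from the digest or from any of its contributors, the following Python check scans a list of directory-entry names for the ANSI.SYS "set key" sequence (ESC [ key ; replacement ... p), decodes what each one would type, and strips every CSI sequence before a name is displayed. It handles both numeric-code and quoted-string replacements, which is the general form, not only the one the FAQ mentions. The sample names are constructed: DOS will not let you create them through normal file creation, but a raw directory entry written with a disk editor can hold any bytes.

```python
import re

# ANSI.SYS key redefinition, as described in the quoted FAQ text:
#   ESC [ <key> ; <replacement> { ; <replacement> } p
# <key> is a decimal ASCII/scan code or a "string"; each <replacement> is a
# decimal code or a "string"; the trailing 'p' selects "set key". Cursor and
# colour sequences end in other letters and do not touch the keyboard.
_PARAM = r'(?:\d+|"[^"\x1b]*")'
KEY_REMAP = re.compile(r'\x1b\[(' + _PARAM + r'(?:;' + _PARAM + r')*)p')

# Any CSI sequence with ANSI.SYS-style parameters, for stripping before display.
ANY_CSI = re.compile(r'\x1b\[(?:\d+|"[^"\x1b]*"|;)*[A-Za-z]')


def find_key_remaps(text):
    """Return [(key, replacement_string), ...] for every key redefinition in text."""
    hits = []
    for m in KEY_REMAP.finditer(text):
        parts = re.findall(_PARAM, m.group(1))
        key = parts[0].strip('"')
        # numeric codes become the character they stand for; strings are literal
        replacement = "".join(
            p.strip('"') if p.startswith('"') else chr(int(p)) for p in parts[1:]
        )
        hits.append((key, replacement))
    return hits


def audit_listing(names):
    """Map index -> remaps for every directory entry that would reprogram keys
    if its name were echoed through ANSI.SYS (for instance by DIR)."""
    return {i: find_key_remaps(n) for i, n in enumerate(names) if find_key_remaps(n)}


def sanitize(name):
    """Strip every CSI sequence so the name can be shown on an ANSI console."""
    return ANY_CSI.sub("", name)


# Constructed sample (not from the digest): raw 8.3 directory-entry names as a
# disk editor could write them; DOS itself would refuse ';' and '"' in a name.
# Entry 1 remaps Enter (13) to type "DEL *.*" followed by Enter; entry 2 remaps
# 'a' (97) to run a program from the diskette; entry 3 only sets a colour.
SAMPLE_LISTING = [
    "README.TXT",
    '\x1b[13;"DEL *.*";13p.TXT',
    '\x1b[97;"A:\\GAME.EXE";13pME.COM',
    "\x1b[1;31mRED.TXT\x1b[0m",
]

if __name__ == "__main__":
    for i, remaps in audit_listing(SAMPLE_LISTING).items():
        print(f"entry {i} ({sanitize(SAMPLE_LISTING[i])!r}) redefines: {remaps}")
```

The check is worth running on anything that ends up on an ANSI console without passing through a sanitizer: directory listings, BBS file descriptions, mail bodies. Disabling ANSI.SYS key redefinition, as the FAQ advises, remains the real fix; the scanner only tells you which entries would have bitten.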
------------------------------
Date: Tue, 18 May 93 15:08:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Cansu or V-Sign virus (PC)
gj9@prism.gatech.edu (georgia deakin) asks:
> I checked the computer with F-Prot 2.08a and got a message
> that the boot sector was infected with the V-Sign virus.
> McAfee detected the Cansu virus.
...
> find out anything I can about either or both of these
> viruses. Did I have both or just one? What do they do and where did
> they come from?
The V-sign and the Cansu viruses are one; these are different names used for
the same virus.
Its general operation is described in VSUM, however the virus is a BOOT
infector on floppies, and an MBR infector on hard-disks. Unlike other BOOT or
MBR infectors, this virus does not keep a backup of the original sector.
Therefore in some cases an infected disk will not boot, and it will not be
possible to access it with normal means.
The way to catch it is to try to BOOT from an infected floppy (EVEN IF IT'S
ONLY A DATA FLOPPY THAT IS NOT CAPABLE OF BOOTING).
The attempt to boot is enough to infect (blindly) the disk, and the next boot
(normal from the disk) is loading the virus to memory.
The way to clean it is simple, but it will work only if the disk allocation
table (offset 446 and on of the MBR) is not damaged. That is FDISK /MBR.
regards
* Amir Netiv. V-CARE Anti-Virus, head team *
- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Tue, 18 May 93 14:56:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Can virus infect a hard drive that one cannot access? (PC)
Yi Hong asks:
> If I had a hard drive in my computer, but I
> reconfigured the ROM set up and put that there is no hard drive,
> and i boot from a floppy, so that i won't be able to access the
> C: drive.
> Can a virus affect the C: drive if there is no partition to link
> to it? I don't think so, but I am justing trying to make sure..
Usually it is not possible to access the drive via INT 13h (in most PCs) and
this is sufficient against viruses (declare "HARD DISK TYPE: None" in the
setup menu), however it was brought to my knowledge (although I've never
experienced it myself) that in some computers this is not enough to avoid disk
access (the BIOS treats the setup information differently).
So generally I would say the answer to your question is NO.
Regards
* Amir Netiv. V-CARE Anti Virus, head team *
- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)
------------------------------
Date: Sat, 01 May 93 14:35:00 +0200
From: Chris_Franzen@f3020.n491.z9.virnet.bad.se (Chris Franzen)
Subject: NAV Updates (was Central Point Anti-Virus Updates) (PC)
> Mr. Slade mentioned ftp servers. Will Symantec permit the distribution
> of the updates via ftp servers?
There were updates of Norton Antivirus distributed via VirNet. I think
Symantec is one of the first non-shareware av contenders who understand how
nice file echo distribution is, and how clumsy diskette mailing is.
> If you don't support ftp access, would you allow to others to do it
> for you? We also have a BBS at the VTC-Hamburg, but I am not
> maintaining it, so I cannot decide what is there and what not. But I
> do maintain our ftp site, so I can put there the latest NAV definition
> updates, if Symantec allows us to do so.
If you were VirNet node, you would be allowed to let others do file-requests
or free BBS downloads for all files that pop up in VirNet. In fact, you *have*
*to* do this.
Anonymous FTP is kinda file-request, like in Fido-style networks, ey? So I
don't see any problems doing it the FTP way as well?
> Regards,
> Vesselin
Chris, The Blast I
- --- GEcho 1.00/beta+
* Origin: The Blast I BBS, D-2942 Jever, ++49-4461-73696 (9:491/3020)
------------------------------
Date: Wed, 19 May 93 09:18:01 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: DOS v6.0 and Virus Functionality (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
I Write:
>> few experiments myself, I can safely tell you that it's the DOS=HIGH
>> that disabled a lot of viruses.
> What actually causes troubles in DOS 5.0 loaded high is the "dirty"
> way it installs its INT 21h handler (first sets an IV handler, then
> moves itself high, then "fixes" only the segment part of the IV), and
> the fact that many offsets in the handler are different from the
> previous versions...
Yes.
Going through DOS will show you what it does:
1. Call a routine that CMPs 0:0 and FFFF:10h. If the A20 address line is
DOWN, the segment wrap-around will cause both addresses to point to the
beginning of physical memory - the Vector Table.
2. If the comparison didn't make out, issue a call to the XMS Handler, and
enable the A20 line.
3. Jump to whatever address in the HMA.
>> 2. Based on articles in PCMagazine and PCToday, I gather that DOS 6.0 is
>> merely 'DOS 5.0 + ToolCase'. Not many enhancements, and most of the new
> Well, don't forget that one of the "tools" is a disk compression
> device driver a la Stacker. This already causes a lot of mess when a
> virus is present - either the virus doesn't work properly, or damages
> the compressed volume, or other messy things... :-)
If you are implying that people moved to DOS 6 just because of DoubleSpace,
then I can guarantee you that the same people used Stacker before. However, I
fear that the fact that Microsoft has approved of this by including it in
___DOS___, people will actually believe this program is worth anything,
namely risking data. I'm not going to fall for this...
>> Again, you almost say it yourself. DOS 6 is probably DOS 5, with minor
>> improvements and a toolcase. Nothing to be worried about.
> Again - could please somebody who has MS-DOS 6.0 verify whether the
> FDISK/MBR trick still works? Please?
I have DOS 6 (naturally... It is involved with my work. Chief Data Recovery's
programs have to be up-to-date with the latest changes, therefore supporting
as many end-users as possible, and those who use DOS 6.0 w/ or w/o
DoubleSpace are included. )
However, would you like me to /MBR a
1. normal disk,
2. infected disk,
3. DoubleSpaced disk?
[Text added later (17:41, original message 9:18)]
I tried infecting my 100Mb HardDisk with Stoned, and from DOS 6.0 I ran FDisk
/MBR.
Stoned was successfully removed, and my harddisk is no longer infected.
Inbar Raz
Chief Data Recovery
- - --
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
- --- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
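Two messages in this issue rest on the same fact about FDISK /MBR: Amir Netiv's Cansu/V-Sign note says the cleanup works only if the partition table "at offset 446 and on" is undamaged, and Inbar Raz's test above confirms that under DOS 6.0 the command still removed Stoned. As an added example, not code from the digest, from Microsoft or from any contributor, this Python module parses a 512-byte MBR, runs the sanity checks a practitioner would want before trusting the table, and models what FDISK /MBR does: it rewrites the 446 bytes of boot code and keeps bytes 446 through 511 untouched. The clean boot code, the disk geometry and the three sample sectors are all constructed for the demonstration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446     # "offset 446 and on": the four 16-byte partition entries
SIG_OFFSET = 510       # boot signature 55h AAh


def _decode_chs(head, sect, cyl):
    # sector byte: bits 0-5 are the sector (1-based), bits 6-7 are cylinder bits 8-9
    return (((sect & 0xC0) << 2) | cyl, head, sect & 0x3F)


def _encode_chs(cyl, head, sect):
    return bytes([head, (sect & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


def parse_partition_table(mbr):
    """Decode the four partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        (boot, h1, s1, c1, ptype, h2, s2, c2,
         lba_start, sectors) = struct.unpack_from("<8B2I", mbr, TABLE_OFFSET + 16 * i)
        entries.append({
            "boot": boot, "type": ptype,
            "start_chs": _decode_chs(h1, s1, c1), "end_chs": _decode_chs(h2, s2, c2),
            "lba_start": lba_start, "sectors": sectors,
        })
    return entries


def check_table_intact(mbr):
    """Sanity checks to run before relying on FDISK /MBR, which rewrites the
    code area but keeps whatever sits at offset 446 onward."""
    problems = []
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        problems.append("boot signature 55AA missing")
    entries = parse_partition_table(mbr)
    for n, e in enumerate(entries):
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {n}: boot flag {e['boot']:#04x} is neither 00h nor 80h")
        if e["type"] == 0 and (e["lba_start"] or e["sectors"]):
            problems.append(f"entry {n}: unused entry with a non-zero extent")
        if e["type"] != 0 and e["sectors"] == 0:
            problems.append(f"entry {n}: zero-length partition")
    if sum(e["boot"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    return problems


def fdisk_mbr(mbr, clean_code):
    """Model of FDISK /MBR: replace bytes 0..445 with fresh boot code and keep
    the partition table and signature. Nothing the virus failed to save comes
    back, which is why a damaged table is not repairable this way."""
    if len(clean_code) != TABLE_OFFSET:
        raise ValueError("boot code must be exactly 446 bytes")
    return clean_code + mbr[TABLE_OFFSET:SIG_OFFSET] + b"\x55\xaa"


def make_entry(boot, ptype, start_chs, end_chs, lba_start, sectors):
    return (bytes([boot]) + _encode_chs(*start_chs) + bytes([ptype])
            + _encode_chs(*end_chs) + struct.pack("<II", lba_start, sectors))


# Constructed sample disk, not taken from the digest: one active FAT16 partition
# on a 16-head, 63-sector geometry. CLEAN_CODE is a stand-in for real boot code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (TABLE_OFFSET - 5)
TABLE = make_entry(0x80, 0x06, (0, 1, 1), (203, 15, 63), 63, 205569) + b"\x00" * 48
CLEAN_MBR = CLEAN_CODE + TABLE + b"\x55\xaa"
# A virus that overwrites the code area without saving the original (as the
# Cansu/V-Sign post describes) leaves only the table behind...
INFECTED_MBR = b"\xeb\x1c" + b"V" * (TABLE_OFFSET - 2) + TABLE + b"\x55\xaa"
# ...and if its code spilled into the table, FDISK /MBR cannot help.
DAMAGED_MBR = b"\xeb\x1c" + b"V" * (SECTOR - 4) + b"\x55\xaa"

if __name__ == "__main__":
    for name, img in (("infected", INFECTED_MBR), ("damaged", DAMAGED_MBR)):
        problems = check_table_intact(img)
        print(name, "table ok" if not problems else problems)
        if not problems:
            print("  FDISK /MBR yields clean image:", fdisk_mbr(img, CLEAN_CODE) == CLEAN_MBR)
```

On a real disk the sector comes from INT 13h (or a raw device read on a modern OS) rather than from a constant, and the check should be run from a clean boot so that a resident virus cannot hand back a doctored sector.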
------------------------------
Date: Wed, 19 May 93 09:25:02 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>> I mean, if someone already takes the trouble to learn and implement
>> Port-Write disk access, what is it for him to add a Vector Change before
>> and after?
> I thought that this would crash the computer. DOS seems to intercept
^^^^^^^^^^^^^^^^^^^^^^
Exactly. DOS. But _I_ am NOT dos. I am 'interacting' with the disk directly,
and I don't need any IRQs from it when I can LOOP until it's not busy.
> It is possible. The question is whether the computer will continue to
> work without problems. I don't know.
Again - DOS won't work with it. But I said - you only need to disable it when
YOU do your dirty stuff. Turn it on later, and no one will ever know you've
been around...
> by a small TSR handler that just does IRET and see what happens.
This disables the harddisk. Old trick against [stupid?] viruses.
>> please remind you that the BIOS itself also uses port writes? And you CAN'T
>> link into the BIOS and tell it to tell you when it's OUTting a port...
> I know that... :-) I meant that the BIOS performs its port writes on
> user requests, not when it damn pleases. By "user requests" I mean INT
> 13h requests. So, the idea is to hook -both- INT 13h and the "device
> ready" interrupts and to check if the INT 13h requests match the
> "device ready" reports.
As far as I've checked, through single-stepping my AMI 386DX33 BIOS, INT 13
calls INT 15/90 sometime, and that's all. All other interaction with the
harddisk is through pure port writes, and reading the Status Register.
>> True, virus writers really don't care MUCH about portability. Nevertheless,
>> the only portability problems would occur on change of interface. For
>> example,
>> if the author had an IDE drive, then his virus wouldn't work on SCSI's and
>> ESDI's, but then again, most of the AT class computers use IDE...
> There are still a lot of MFMs around there... But you are right - a
> program that controls IDEs and SCSIs through the ports might be
> portable enough.
When I read the 'you are right' part, I was sure you were going to say that I
was right about saying that virus writers don't care about portability. If
your program would like, for whatever legitimate or illegitimate reason, use
port writes instead of conventional INT 13 calls, it would be wise enough to
distinguish an MFM from an IDE from a SCSI. At the time being, what I
remember at the moment (I might know more, but on sourcefiles), I know how to
distinguish an IDE DEFINITELY, how to determine a SCSI is installed, and
then, by eliminating, determine that it's an MFM if it wasn't either.
Inbar Raz
Chief Data Recovery
- - --
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
- --- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
------------------------------
Date: Wed, 19 May 93 09:34:03 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: F-Prot 2.07 (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>> I don't understand why you don't allow the extraction. SCAN does. The
>> original
>> SCAN comes PkLited. If you PkLite -X SCAN/CLEAN, they still run normally.
>> Why can't you?
> Well, SCAN says that it has been "damaged" - why do you think that
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That's the whole point! It DOESN'T.
SCAN is compressed with PkLite NONPROFESSIONAL. It allows its extraction, and
it runs JUST AS WELL, compressed or not. If you try to re-compress it,
however, it WILL say it has been tampered with.
> Maybe a compromise would be an option to force F-Prot to run even if
> it has been modified...
I believe that such programs should ask me whether it was I who tampered with
them. Only if I say yes will they agree to run.
How does that sound? That's much like resident virus detectors that ask you
before any hard disk write attempt...
Inbar Raz
Chief Data Recovery
--
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
--- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
------------------------------
Date: Wed, 19 May 93 09:48:05 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Port Writes (PC)
padgett@tccslr.dnet.mmc.com (A. PADGETT PETERSON) wrote:
>>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>>There are still a lot of MFMs around there... But you are right - a
>>program that controls IDEs and SCSIs through the ports might be
>>portable enough.
> Vesselin as usual is correct, but you have to wonder what is the point
> of a
> port write when a FAR CALL to the proper location will do the same thing
> and is independent of drive type.
The moment someone uses QEMM386 in stealth mode, there goes your FAR call.
> The problem a virus has is not being able to write to the disk but in
> being able to spread. This requires that the virus be executed whether
> as part of a program or as an intercept. If it is going to use port calls
> for stealthy reasons, then it must capture the interrupt so that it knows
> when to use its "stealth". This capture is detectable if a program knows
> what to look for.
Who told you I have to capture INT 13? FYI, it's enough to stay resident on
INT 15, Service 90 (I think) - Device Busy. The BIOS always calls that before
calling the disk, and you can use that ISR merely as a trigger to call your
own code.
> Therefore, IMHO it is possible to use direct port calls to bypass both
> DOS and the BIOS to reach the disk provided you know what calls to use
> for a particular disk but it really does not buy anything that a FAR CALL
> to the BIOS cannot do. To intercept the verification for this might make
^^^^^^^^^^^^^^^^^^^^^
Sorry to disappoint you. I thought you would know better.
If you only had the slightest idea what I can do with port writes to the
disk, you'd flip out of your skin. Unfortunately (or fortunately, Mr. Radai
would say), I am not at liberty to expose those techniques, for numerous
reasons.
> some sense but any a-v program that can check this can also check the
> validity of the intercept & detect if it has already been captured -
> Turing again.
Remember what Vesselin wrote about the new Russian virus? It was
undetectable. And it uses a one-degree-less technique than port writes.
Inbar Raz
Chief Data Recovery
--
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
--- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
------------------------------
Date: Wed, 19 May 93 09:51:06 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Can virus infect a hard drive that one cannot access? (PC)
> If I had a hard drive in my computer, but I reconfigured
> the ROM set up and put that there is no hard drive, and i boot
> from a floppy, so that i won't be able to access the C: drive.
> Can a virus affect the C: drive if there is no partition to link
> to it? I don't think so, but I am justing trying to make sure..
Of course.
Using my suggested port-write technique, you can freely access any hard disk
connected to your controller, regardless of what your computer thinks about
it.
I did it myself. Once, I lost my CMOS info, in a computer not mine, that was
not backed up. My hard disk was Type 47, and I had no idea what the setup was.
So, I removed the hard disk from the CMOS setup, loaded DOS from a diskette,
and wrote a small diagnostic program to tell me the drive's parameters, by
accessing it through port writes.
In less than 5 minutes, the disk was back on.
Inbar Raz
Chief Data Recovery
--
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
--- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
------------------------------
Date: Wed, 19 May 93 06:39:00 +0200
From: Micha_Kersloot@f8.n317.z9.virnet.bad.se (Micha Kersloot)
Subject: ??Hidden file: 386spart.par?? What is this? (PC)
Hello Inbar,
Monday May 10 1993, Inbar Raz writes to Forked Tongue Redlich:
>> why a hidden file in the root directory.
>> Any help would be appreciated.
IR> This is the swap file of Windows. You may erase it every time you exit
IR> windows.
Not when you've installed a permanent swap file in Windows. Then it is better
to leave it on your HDD, because otherwise it could be difficult for Windows to
find another place to put a swap file.
Greetings,
Micha
Sysop KovoKs
--- FastEcho 1.25
* Origin: KovoKs / 074-504834 / 24uur / V32b / V42b (9:317/8)
------------------------------
Date: Mon, 24 May 93 11:58:45 +0500
From: Dr.Varol Keskin <EFEAST05@TREARN.BITNET>
Subject: A New Virus ? (PC)
I sent a message about a suspected virus on Friday.
I worked on this virus over the weekend and found the following:
It infects only .COM files, and the file size increases by
604 bytes.
When you execute an infected file, the system hangs.
The virus does not decrease the amount of RAM; instead,
it uses Upper Memory. When you check memory usage
using the MEM command with the /C parameter, it shows no upper
memory.
The virus puts the hexadecimal codes E9 and 6D in front of the file
and then skips a character and puts the hex codes 88 and 31 (I think
these are the GOTO statements of this virus). At the end of a COM
file there is the virus body, and it includes the following hex codes:
88 31 74 58 B8 02 42 8B ....... and so on.
I searched my C: disk using this code and found that
no files have the characteristic 88 31 hex code. Only infected
files have it.
SCAN 104 from McAfee couldn't find this virus, so I don't know whether it
is new or known. There are two virus names in the VIRLIST of
McAfee which increase file sizes by 604 bytes. But this virus
is not one of them.
Is there anybody who knows anything about this virus?
If so, is there any program to remove it?
Thanks in advance,
V. Keskin
=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+
Dr. Varol Keskin Ege University Observatory
Bornova, Izmir - TURKEY
e-mail : efeast01 at trearn.bitnet
=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+
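A file check built only from the indicators in the post above (a 604-byte increase, a JMP at the start of the infected .COM file, and the byte run 88 31 74 58 B8 02 42 8B in the appended body). This is an added example, not something from the poster or from any scanner vendor; it is a heuristic for triage, not a confirmed signature for a named virus, and the two sample images it examines are constructed here so it runs without real infected files.

```python
import os
import struct

# Indicators quoted from the report above.
VIRUS_BODY_LENGTH = 604
BODY_SIGNATURE = bytes.fromhex("88 31 74 58 B8 02 42 8B")
COM_LOAD_OFFSET = 0x100   # .COM images are loaded at CS:0100h


def analyse_com_image(image: bytes) -> dict:
    """Report which of the described indicators a .COM image exhibits."""
    report = {"starts_with_jmp": False, "jmp_target": None,
              "jmp_lands_in_tail": False, "signature_in_tail": False,
              "suspicious": False}
    if len(image) < 3:
        return report
    tail_start = max(0, len(image) - VIRUS_BODY_LENGTH)
    if image[0] == 0xE9:                      # JMP rel16
        report["starts_with_jmp"] = True
        rel = struct.unpack_from("<h", image, 1)[0]
        target = (COM_LOAD_OFFSET + 3 + rel) & 0xFFFF   # IP after the JMP + rel
        report["jmp_target"] = target
        report["jmp_lands_in_tail"] = tail_start <= target - COM_LOAD_OFFSET < len(image)
    report["signature_in_tail"] = BODY_SIGNATURE in image[tail_start:]
    # Both indicators together: a JMP at the entry point and the body signature
    # inside the last 604 bytes. A JMP alone is normal for many .COM programs.
    report["suspicious"] = report["starts_with_jmp"] and report["signature_in_tail"]
    return report


def scan_directory(root: str) -> list:
    """Walk a directory tree and return the .COM files that match both indicators."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".com"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if analyse_com_image(fh.read())["suspicious"]:
                        flagged.append(path)
    return flagged


# Constructed samples. CLEAN_COM is a 112-byte program that just exits
# (mov ax,4C00h / int 21h, padded with NOPs). INFECTED_COM imitates the
# described layout: the first three bytes are replaced by a JMP to a 604-byte
# body appended at the end, and the body carries the quoted signature.
CLEAN_COM = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 107
_VIRUS_BODY = BODY_SIGNATURE + b"\x90" * (VIRUS_BODY_LENGTH - len(BODY_SIGNATURE))
# JMP from 0103h to 0100h + 112 = 0170h, i.e. rel16 = 006Dh -> bytes E9 6D 00
INFECTED_COM = b"\xE9\x6D\x00" + CLEAN_COM[3:] + _VIRUS_BODY


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_COM), ("infected", INFECTED_COM)):
        print(label, analyse_com_image(image))
```

The sample deliberately reproduces only the three indicators the poster described (growth, entry JMP, tail bytes); the report also mentions bytes 88 31 right after the JMP, which the constructed sample does not imitate, so a real specimen should be compared against the full description before anything is cleaned.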
------------------------------
Date: Mon, 24 May 93 11:51:46 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Dirty Tricks" (PC)
>Subject: Re: DOS 6.0 and Virus Functionality (PC)
>From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
I wrote:
> In defense of Microsoft (oh my), this mechanism is not really "dirty"
> since the operative code is present in low memory at this point. After
> the copy to high memory, all that is necessary to change is the
> segment.
Vesselin Responded:
>Well, this is exactly what I call "dirty"... :-) After all, we have
>always been taught that the correct way to set an interrupt handler is
>to use the appropriate DOS function call or (oh, my) to turn off the
>interrupts, change the segment AND the offset of the vector in the
>IVT, and turn the interrupts on again...
Well, my formal schooling began before there was such a thing as "structured
programming", though I think ANSI 77 Fortran is easier to read than the
Fortran II (2) I learned originally.
IMHO, this comes under the heading of "If you have to ask...". The
key element is an understanding of how interrupts work, e.g. on the completion
of an instruction. The interrupt branch is part of the microcode and *cannot*
interrupt an instruction; rather, it interrupts an instruction sequence.
Now if it had been necessary to change more than a single RAM word, the
process would have qualified as "dirty", since there would be an unguarded
point between the instructions at which an interrupt would have unpredictable
effects. In this case, since only a single word is changed (the segment
address) and since *both* addresses are valid during the process, there is no
point at which execution of an interrupt would do anything except what it is
supposed to. (One could think of a multi-tasking scenario in which this would not
be valid, but DOS is single-tasking at this point.)
Thus, since the operation takes place wholly during the execution of a
single instruction, there is no need for using CLI/STI, since it cannot
be interrupted.
Warmly,
Padgett
ps I also like "equivalence" instructions.
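The argument above can be carried through mechanically: an interrupt is taken only between instructions, so a vector update is safe exactly when the (segment, offset) pair in the IVT points at valid handler code after every single-word write in the sequence. The following is an added model of that reasoning, not Padgett's, Vesselin's or Microsoft's code; the segment and offset values are constructed.

```python
# Added model of the interrupt-vector argument above. Each entry in `writes`
# is one single-word store to the IVT entry; the interrupt can only arrive
# after a complete store, so we check the vector after each one.

LOW_SEG = 0x0070      # segment the handler runs from before relocation (constructed)
HIGH_SEG = 0xC800     # segment the copy in upper memory lands in (constructed)
HANDLER_OFF = 0x0010  # handler entry offset (constructed)


def unguarded_points(vector, writes, valid_targets):
    """Simulate single-word writes to one IVT entry.

    Returns the intermediate (seg, off) pairs that do not point at valid
    handler code. Each such pair is a window in which an interrupt taken
    between two stores would transfer control to garbage; an empty list means
    the update needs no CLI/STI protection.
    """
    seg, off = vector
    exposed = []
    for field, value in writes:
        if field == "seg":
            seg = value
        elif field == "off":
            off = value
        else:
            raise ValueError(f"unknown IVT field {field!r}")
        if (seg, off) not in valid_targets:
            exposed.append((seg, off))
    return exposed


def dos_relocation_case():
    """The DOS 6 mechanism as described: the handler has already been copied to
    high memory at the same offset, so only the segment word is stored."""
    valid = {(LOW_SEG, HANDLER_OFF), (HIGH_SEG, HANDLER_OFF)}
    return unguarded_points((LOW_SEG, HANDLER_OFF), [("seg", HIGH_SEG)], valid)


def new_handler_case():
    """A replacement handler at a different offset: both words must change, and
    the order of the two stores leaves a torn vector in between."""
    new_off = 0x0200
    valid = {(LOW_SEG, HANDLER_OFF), (HIGH_SEG, new_off)}
    return unguarded_points((LOW_SEG, HANDLER_OFF),
                            [("off", new_off), ("seg", HIGH_SEG)], valid)


if __name__ == "__main__":
    print("DOS relocation, unguarded vectors:", dos_relocation_case())
    print("new handler, unguarded vectors:   ", new_handler_case())
```

The first case yields no unguarded vector, which is Padgett's point: both addresses hold live code and a single store cannot be split. The second case yields one torn vector (old segment, new offset), which is the situation Vesselin's "correct way" (the DOS set-vector call, or CLI/STI around the two stores) exists to cover.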
------------------------------
Date: Mon, 24 May 93 19:55:38 +0000
From: ee1ckb@sunlab1.bath.ac.uk (Alan Boon)
Subject: CPAV updates? (PC)
Hi All,
I am currently using CP Anti-Virus v1.4, and before anyone says anything
bad about it, I like it and think it's one of the best around! Does
anybody know where I can download virus signature files from so I can
update my CPAV detection capabilities? It would be lovely if anyone
could. Thanks in advance.
Please e-mail me or post the responses. Cheers!
Alan
.___________________________________________________________________________.
| | "Hope is the denial of reality. It is the carrot |
| Alan C. K. Boon | dangled before the draft horse to keep him |
| ee1ckb@uk.ac.bath.ss1 | plodding along in a vain attempt to reach it."|
| | - Raistlin |
|_______________________|____________________(Dragonlance Chronicles Vol.1)_|
------------------------------
Date: Tue, 25 May 93 00:04:52 -0400
From: al026@YFN.YSU.EDU (Joe Norton)
Subject: Re: McAfee's Scan and Compressors (PC)
>SCAN currently checks inside PKLITE and LZEXE compressed files
>for viruses. We do plan on adding other "run-time compression"
>routines, such as DIET, but it is a fairly low priority for us.
Are you going to have SCAN do some type of integrity testing?
With versions 1.02 and 1.04 you can un-PKLITE with any normal unregistered
PKLITE, then infect with something like Coffeeshop 3. Scan doesn't
care. It seems like some type of serious self test is in order if it
is to be distributed in its new and improved(?) form. On the FIDO
virus echos there are reports of many trojanized copies of SCAN being
distributed because of its lack of self testing.
No fancy signature file. I'm just Joe
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 83]
*****************************************