VIRUS-L Digest             Tuesday, 16 Feb 1993        Volume 6 : Issue 26

Date: Tue, 16 Feb 1993 11:35:33 -0500
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #26

Today's Topics:

First digest from new address
Re: Sale of Viri
Re: Undecidability (was: On the definition of viruses)
Re: virus-definitions
Re: Virus education
Re: What is a virus ?
Re: general entertainment
Gender switching virus
my idea for detecting file infectors
Re: Norton buggy??? (or I have a PROBLEM!) (PC)
Michelangelo (oh noooooo) (PC)
Re: PKZIP 2'S AV is cracked (PC)
Re: STONED, Scanv99/Clean 99 Questions/Concerns (PC)
Re: Twelve Tricks (PC)
Re: Virstop 2.07 in Icelandic (PC)
Re: Vshield vs Virstop (PC)
STONED in Memory (PC)
Re: Help! Help, with FORM virus (PC)
Jerusalem variant (PC)
Tokyo Virus in NETCB or a false positive? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Tue, 16 Feb 93 10:38:57 -0500
From: "Kenneth R. van Wyk"
Subject: First digest from new address

This is the first digest that I'm sending from krvw@first.org. Hopefully, all will go well. If things do break, however, please bear with me.

With fingers crossed,

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
krvw@FIRST.ORG (Moderator account)
ken@THANG.PGH.PA.US (home - until I've relocated to DC)

------------------------------

Date: 12 Feb 93 14:37:07 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Sale of Viri

rikardur@rhi.hi.is (Rikhardur Egilsson) writes:

> There seems to be continuous 'fright-propaganda' about viruses and the
> idea is to let people think "viruswriter = criminal"

Most people think that virus writing is so damaging to society that it should be criminal.

> I don't remember what group it was but someone posted a request recently
> for virus-code.

It was cross-posted to several non-moderated newsgroups, one of them was comp.security.misc.

> In short 'hell broke loose' almost anyone reading the posting seemed to
> believe he was going to use that code for evil purposes.

The way the message was constructed showed a low level of competence of the person who posted it. Providing viral code to people who are not competent enough to handle it properly is harmful.

> It seems impossible for those interested to get the code/data for viruses.

No, because as you are admitting yourself:

> As widespread as Viruses have become it does not take a long time to create
> the source for, let's say, a 1704 byte virus and comment it to the point
> that there is no trace of the source-code-generator.
Thus, if somebody is really interested, there is no problem for them to obtain a few widespread viruses. Gosh, they just have to take a scanner and look at the computers around. According to some statistics, about one in every 400 computers gets infected at least once in a year. Some environments (e.g., academia) are more prolific for viruses to spread in than others (e.g., banks, military, etc.).

> Of course that does not surprise me, as I know what most people think of
> viruses and that there would always be someone to misuse that.

..Or not be able to handle them properly. There are so many cases of virus code being misused and so many people that are not competent to handle virus code properly, that when somebody posts a virus request it is very probable that s/he belongs to one of these categories. Besides, if one is competent enough, s/he could find some viruses "from the field", instead of posting silly requests to the newsgroups.

> On the other hand it shouldn't be that strange that someone offered to sell
> the code/data to whomever is interested.

Yes, it is not strange at all. There are always unethical people who are determined to use any weaknesses in the law to make money, regardless of what this will cost society.

> In short : do viruses really have to be that 'taboo'
> Informing people about them and how they work and even distributing simple
> samples could be just as effective as the fright-propaganda.

Informing people about them and how they work is OK. I am trying to do this all the time here and some people even accuse me of being "too open". However, "distributing simple samples" is a no-no. Believe me, I know it from my own bitter experience. A long time ago, when a virus first appeared in Bulgaria (it was the Vienna virus), I distributed a diskette with the virus, an explanation of how it works and what it does, and an anti-virus program for it.
Just like you, I meant well - to educate people that viruses are not "black magic", that they are simple programs and here is what they look like, what they do, and how to fight them. The result was sad - instead of reading my explanations, people used to just "try" all programs on the diskette, including the infected one... Remember, most users are incompetent to handle virus code properly. And, because a virus is able to spread by itself, an incompetent person who -knows- that s/he has virus code could (involuntarily) infect other innocent and incompetent people, who do not even know that they are infected. No, distributing viruses, except under very strict conditions, and to a very restricted set of knowledgeable anti-virus experts, is a VERY WRONG THING and must NEVER be done, for whatever purpose. Never. Please, believe my own experience - this will save you a bitter disappointment...

> Then Stealth-viruses came along and that technology excited me.
> But as I learned more about them and how they work the 'miracle' tag
> dropped off.

But it was enough that you were explained how they work, right? It wasn't necessary to give you a live virus?

> anything new. I got issue 1 of CVDQ and the virus there shows me that
> people have to spend an enormous time to make a virus that is going to
> have a faint chance of surviving in the modern world.

Uh, sorry, what is CVDQ?

> I guess that most of those who do write viruses and release them wouldn't
> if they knew better. They probably think that they're adding new variants
> to a pool of a couple of viruses and that a lottsa people are going to
> see and inspect/admire their code.

It depends. There are all kinds of people. Some of them are blissfully ignorant, as you suspect. Others are doing it "for kicks", to prove to their adolescent minds that they are "something" by opposing themselves to the established values of society. Others are just vandals, who like the thought that they will destroy somebody's data.
Others feel "happy" when they read in the newspaper about "their" virus, or when they learn that a popular scanner is able to handle "their" virus. For more information about how one such twisted mind reasons, you could read the interview with Dark Avenger by Sara Gordon in "Virus News International", January and February (and probably March) issues. He literally says "When I saw that McAfee's SCAN was able to detect my virus, I was almost happy"...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 15:30:56 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Undecidability (was: On the definition of viruses)

RADAI@vms.huji.ac.il (Y. Radai) writes:

> Perhaps we mean different things by "undecidable". Maybe you mean
> undecidable by *any* means, appearance *or* behavior. I claim that if
> one chooses definition (c), and if is something which is
> sometimes satisfied and sometimes not (e.g., if it is "x < y" where x
> and y are numbers supplied at runtime by the user), then the question
> whether the program is a virus is obviously undecidable *BY APPEARANCE
> ALONE*, even on a *finite* machine.

It seems to me that your claim is wrong. On a *finite* machine the size of x and y is *finite*, therefore the total number of combinations of values for x and y is also *finite*. Thus, you can (theoretically) list them all and say that for those of them the program is a virus, while for others it is not. Therefore, the problem, as stated by you, -is- solvable (theoretically) on a *finite* machine.

> As I mentioned above, the "x < y" case with definition (c) is undecidable
> by *appearance alone*, even on a finite machine.
Nope, on a finite machine it is solvable.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 15:42:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus-definitions

KARGRA@GBA930.ZAMG.AC.AT writes:

> I was and am still missing the point whether a piece of software is necessary
> for a user to do what he wants or not. If we add this question to the last
> definition of Vesselin, then Diskcopy will not show up as a virus, as it is
> necessary to use this program to copy a floppy.

Won't help, because:

1) There are a couple of viruses that ask the user for permission before infecting the next object.

2) It is possible to make a bootable diskette with DOS, Diskcopy, and the proper AUTOEXEC.BAT file that will try to copy the diskette to all accessible drives, without asking for permission, just when you boot from it. What will be the virus in this case - Diskcopy, DOS, AUTOEXEC.BAT, or the whole diskette?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 12 Feb 93 19:04:46 +0000
From: mechalas@expert.cc.purdue.edu (John Mechalas)
Subject: Re: Virus education

CHIP@BDSO.Prime.COM (Chip Seymour) writes:

>BTW, all the talk over the definition of a virus is ok, but how do I
>apply that to the protection of my work here? The viruses themselves
>don't care - they just do what they're told.
Yes, but it's the anti-virus software that needs to have a working definition. Scanners are an ever-weakening defense, and it is necessary to develop other means of protecting the computer from infection. Heuristic methods rely on a series of algorithms which are designed to analyze instructions for virus-like behavior. Without a proper virus definition, there is a danger of false positives and (worse yet) false negatives. I could write a program, for example, that interrupts all I/O access to the hard drive. This simple, and stupid, program indirectly uses the definition of "a virus is any program that writes to my hard drive" or something similar. Obviously, this would be a silly idea, born out of a silly definition. Without a precise definition, it is difficult to analyze code and accurately determine whether or not a virus actually exists.

- --
John Mechalas                       \ If you think my opinions are Purdue's, then
mechalas@expert.cc.purdue.edu       \ you vastly overestimate my importance.
Purdue University Computing Center  \ Stamp out and abolish redundancy.
General Consulting                  \ #include disclaimer.h

------------------------------

Date: Fri, 12 Feb 93 23:26:52 +0000
From: tegra!vail@uunet.UU.NET (Johnathan Vail)
Subject: Re: What is a virus ?

I came into this late and really don't want to get involved too deep since I probably will miss the original point. But this is a good time to repost my glossary. To keep any relevance to this thread I copied the definitions of virus and worm at the beginning.

virus - a piece of code that is executed as part of another program and can replicate itself in other programs. The analogy to real viruses is pertinent ("a core of nucleic acid, having the ability to reproduce only inside a living cell"). Most viruses on PCs really are viruses.

worm - An autonomous program (or set of programs) that can replicate itself, usually over a network.
A worm is a complete program by itself unlike a virus which is either part of another program or requires another program's thread of execution to operate. Robert Morris's program, the Internet Worm, is an example of a worm although it has been mistakenly identified in the popular media as a virus.

jv

 _____
|     |  Johnathan Vail     vail@tegra.com     (508) 663-7435
|Tegra|                     jv@n1dxg.ampr.org  N1DXG@448.625-(WorldNet)
 -----   MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

________________________________________________________________________

Glossary of Computer Insecurity

Compiled by Johnathan Vail (vail@tegra.com)

This list started out as a collection of a few computer virus related terms that I wrote for discussion in comp.virus. Several people have contributed comments and suggestions to my original list. Tom Zmudzinski contributed an excellent list of computer security terms that now form the bulk of this list. At this time, I will serve as the focus and maintainer of this list. Please submit any comments and additions to me. My address is vail@tegra.com.

HISTORY:
12 Feb 1993 JV - Update compiled changes.
20 Dec 1991 JV - Tweaked some words.
 6 Aug 1991 JV - First release.

________________________________________________________________________

async interrupt (attack) - to exploit system vulnerabilities arising from deficiencies in the interrupt management facilities of an operating system.

back door - This is an undocumented feature added to a product which can allow those who know about it to gain access to features that are otherwise protected. The original Tempest video game was supposed to have a key sequence that would allow the author of the firmware to get free games in an arcade. Some military systems are rumored to have back doors in their software that prevent their being used against the countries that built them.
blivet (attack) - A denial-of-service attack performed by hogging limited resources that have no access controls (for example, shared spool space on a multi-user system). [Classically defined as "ten pounds of horsesh*t in a five pound bag".]

browsing - Gaining unauthorized read-only access to files.

C2 Catch-22 - Refers to the paradox that all federal computers are required to be certified to the C2 level of Trust (or better) by 1992 (especially if they are to be permitted access to a network), yet because no C2 certification has ever been performed with the network software active, NSA will revoke the certification of any system as soon as it is connected to a network. [Also "C2-by-'92 Catch-22".]

cascading - To gain additional privileges on a host (or within a process) by using those privileges legitimately (if perhaps unwisely) granted to casual users.

crayola books - A disparaging reference to the "rainbow books", commonly used when referring to the upcoming rewrite of NSA's technical computer security guidelines.

crypt (attack) - Stealing the system password file and looking for known encrypted passwords.

data diddling - To alter another's data (especially, to do so subtly so it will not be detected); a major breach of the hacker ethic.

denial-of-service attack - Any method which an intruder might use to injure authorized users of a system by making its facilities unavailable. Often easier to accomplish than hijacking a privileged account.

dictionary (attack) - Trying a dictionary of commonly used or vendor installed passwords.

Easter Egg - This is a usually benign feature added to a product by the programmer without official knowledge or consent. One example of this is the 'xyzzy' command in Data General's AOS operating system. Another is the "RESIST THE DRAFT" message in an unused sector of Apple Logo.

ethical hacker - Someone who espouses the view that he/she may "ethically" penetrate any computer or network so long as no data is altered.
[Colloquially among computer security professionals: a dead hacker (or one who has ceased hacking).]

leapfrog (attack) - Using userid and password information obtained illicitly from one host (e.g., downloading a file of account IDs and passwords, tapping TELNET, etc.) to compromise another host. Also, to TELNET through one or more hosts in order to confuse a trace (standard cracker procedure).

masquerading - To assume the identity of another user to gain unauthorized access to a host or network.

mockingbird - Software that intercepts communications (especially logon processes) between users and hosts and provides system-like responses to the users while obtaining information (especially account IDs and passwords).

pest - A set of instructions that self-replicates uncontrollably, eventually rendering a network or system unusable via a blivet attack. [sometimes called "wabbits"]

phage - An autonomous program that inserts malicious code into other autonomous programs (e.g., a computer worm or probe that carries a virus or trojan horse program).

polymorphic virus - 1. A virus using variable encryption with a variable decryption routine to avoid detection by its "signature". V2P6, Whale, Maltese, Amoeba, Russian Mutant and PC-Flu 2 are examples. 2. Any virus that changes its behaviour, such as infecting different types of host or changing its mode of operation. A virus that infects both .COM and .EXE programs as well as boot sectors can be considered polymorphic.

probe - A non-self-replicating, autonomous program (or set of programs) that has the ability to execute indirectly through a network or multi-partition computer system (e.g., various hacker utilities).

rainbow books - NSA's technical computer security guidelines. So named because each of the books is published with a different color cover. [See "crayola books".]

scavenging - To exploit unerased residual data.
The controversy with the Prodigy [users finding pieces of their data in the STAGE.DAT file] service is an alleged example of this.

spoofing - An attack which relies on the inability of users or computer systems to verify the identity or location of a communication partner. A `mockingbird' spoofs the computer's login sequence to fool a user; some cracking software repeatedly spoofs human login actions to fool the computer.

stealth virus - A type of virus that attempts to hide its existence. A common way of doing this on IBM PCs is for the virus to hook itself into the BIOS or DOS and trap sector reads and writes that might reveal its existence.

trapdoor - A method of bypassing a sequence of instructions, often some part of the security code (e.g. the computer logon).

time bomb - This is code or a program that checks the system's clock in order to trigger its active symptoms. The popular legend of the time bomb is the programmer that installs one in his employer's computers to go off in case he is laid off or fired.

trojan (horse) - This is some (usually nasty) code that is added to, or in place of, a harmless program. This could include many viruses but is usually reserved to describe code that does not replicate itself.

unknown system-state (attack) - To exploit the conditions that occur after a partial or total system crash (e.g., some files remain open without an end-of-file condition, allowing an intruder to obtain unauthorized access to other files by reading beyond the real EOF when service is resumed).

virus - a piece of code that is executed as part of another program and can replicate itself in other programs. The analogy to real viruses is pertinent ("a core of nucleic acid, having the ability to reproduce only inside a living cell"). Most viruses on PCs really are viruses.

worm - An autonomous program (or set of programs) that can replicate itself, usually over a network.
A worm is a complete program by itself unlike a virus which is either part of another program or requires another program's thread of execution to operate. Robert Morris's program, the Internet Worm, is an example of a worm although it has been mistakenly identified in the popular media as a virus.

________________________________________________________________________

------------------------------

Date: Fri, 12 Feb 93 20:07:24 -0500
From: Ian Leitch
Subject: Re: general entertainment

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> kelty_h@aci_1.aci.ns.ca (KELTY HAMILTON) writes:
>
> > Just mentioning a good virus article in the February "Discover"
> > magazine. Thought you virus fanatics would be interested in its coverage
> > of virus origins.
>
> This so-called article is in fact one chapter of the book "Approaching
> Zero" by Bryan Clough and Paul Mungo. They are calling it "forthcoming
> book" which sounds rather surprising to me - it was published in the
> UK about one year ago and I read it a long time ago...
>
> The book is not just about viruses, it is about computer crime in
> general. It's a very entertaining read and I recommend it.
> Unfortunately, it is also full of technical and factual mistakes. In
> fact, in every story described there for which I know how it actually
> happened, there is something misrepresented in the book. In several
> cases I know that the declination of the truth is deliberate, because
> it was me who told the authors some of the facts and they are
> represented differently in the book...
>
> The article in "Discover" is no exception - lots of
> technical and factual details are wrong. Maybe the funniest of them is
> the conjecture that "Diana P." in Dark Avenger's viruses has something
> to do with Lady Diana, Princess of Wales. However, the general
> analysis of the situation in Bulgaria that led to the creation of
> so many viruses there is rather exact.
Some months ago I posted a notice to the list about this book saying how interesting and informative I found it to be. I was most concerned to read Vesselin considers it to be "full of technical and factual mistakes". Consequently, I contacted the authors, and Bryan Clough has sent me the following reply:

- -------

The 'Discover' article (February 1993) was taken from the U.S. edition of "Approaching Zero", which is being published by Random House in March. A UK paperback is now available overseas (but not in UK until March). There is also a Spanish edition called 'Los Pirateas del Chip - La Mafia Information Al Desnudo'. Japanese and Bulgarian editions are also in preparation.

There has been no 'deliberate distortion' of any facts within the book, except as declared in the Acknowledgements. Vesselin was an important and informative source, but nothing was taken at face value, without being cross-checked.

A matter of speculation (such as the identity of 'Diana P') can hardly be considered 'a factual error'. It may be wrong, but we have yet to learn who 'Diana P' is. And, even then, who knows? One guess is as good as another.

Some of the 'facts' may be disputed but contributors' memories tend to be selective and self-serving, and it is always difficult to ascertain 'the truth'. For example, on one occasion Captain Crunch swore that he had only used his legendary plastic whistle 'once'. On another occasion, he claimed to have used it 'hundreds of times'.

It would be interesting for Vesselin to identify the distortions, so that these can be compared with the research material and recorded interviews. Perhaps, he could also identify 'Diana P'?
- --------

----------------------------------------------------------------------------
| Ian Leitch                                     JANET: i.leitch@uk.ac.lshtm |
| Information Technology Unit                    Tel: 071 927 2260           |
| London School of Hygiene and Tropical Medicine FAX: 071 436 5389           |
| Keppel St., London WC1E 7HT                    Telex: 8 95 34 74           |
----------------------------------------------------------------------------

------------------------------

Date: 13 Feb 93 19:52:37 +0000
From: colinj@monet.ccs.itd.umich.edu (Colin Eric Johnson)
Subject: Gender switching virus

I have just heard (through the grapevine here) of a virus that will scan through text documents and replace any gender specific nouns and pronouns with their gender-opposites (he -> she). Is this in fact a virus? And does it exist?

[Moderator's note: I'd suggest not jumping to any conclusions in the absence of technical information to support them.]

- --
- ---------------
Colin E. Johnson              colinj@ccs.itd.umich.edu
Lab Monitor (Rover)           Univ. of Mich. ITD/ITS/CCS
When Knowledge Is Outlawed Then Only Outlaws Will Have Knowledge

------------------------------

Date: 09 Feb 93 20:31:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: my idea for detecting file infectors

I have an idea to detect new and unknown viruses. Let me tell you up front, my idea is only for detecting file infectors, and should be used in conjunction with other virus detection software. It's only another tool for the virus detection toolkit. This will not give the users the name of the virus or tell how to remove it. Simply a Yes or No if the user has a file infector on the loose.

This idea is as simple as archive software, two archives, FC or COMP from DOS, and one .BAT file, or merge the .BAT file below into your AUTOEXEC.BAT.

While you are reasonably sure that your computer is virus free, archive a few small files that you use on a constant basis. I would recommend at least one .COM file and one .EXE file, and they should be at least 10K in size.
Some viruses only attach to .COM files, and there are viruses that only attach to .EXE files. Lastly some viruses will not attach to very small files. 1575 and Frodo will attach to two byte .COM files. But 8 Tunes will not attach to any file smaller than 9216 bytes.

Use archive software and create an archive, and add these files. I recommend PKzip or LHA, but not ARJ because the file size fluctuates.

BAIT.BAT

    @ECHO OFF
    C:
    CD\RECOVERY
    REM delete last run's archive so each comparison starts fresh
    DEL VIRUS.LZH
    REM -A archives the files regardless of their attributes
    LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
    REM BAIT.LZH is the archive made while the machine was known clean
    FC BAIT.LZH VIRUS.LZH
    CD\

By deleting the previous test, you can be sure that you will get valid results every time. LHA A -A adds files to the archive regardless of the attribute, and using wild cards on the .EXE files will pick up companion infectors like AIDS 2, Power Pump, and others.

If you want to use PKzip as your archive software, use the .BAT file below.

    @ECHO OFF
    C:
    CD\RECOVERY
    DEL VIRUS.ZIP
    REM -wHS includes hidden and system files in the archive
    PKZIP -wHS VIRUS \COMMAND.COM \DOS\CHKDSK.*
    FC BAIT.ZIP VIRUS.ZIP
    CD\

FC comes with DOS 4.0 and above. If you don't have FC, COMP will do just as well. As long as FC or COMP do not report any differences in the two archives, you can be reasonably sure that you don't have a file infector.

This should detect any file infector except for stealth infectors. If you want this to detect stealth viruses, copy this .BAT file, the archive software, and FC.COM or COMP.COM to a known clean bootable diskette. Once every week or two, cold boot from this known clean diskette (preferably write protected) and run this test.

If FC or COMP ever reports a difference in these two archives, send the new archive to a virus researcher for study so that scanners like F-Prot, VIRx, Scan, and others can be updated to detect this new or unknown virus.

In my tests, I archive six files.

COMMAND.COM
FORMAT.COM
PKZIP.*
WINLOAD.*
DRWATSON.EXE
NOTEPAD.EXE

These files are run on a daily basis. WINLOAD is a program that loads Windows after a delay of a few seconds.
On my 33 MHz 486 I can complete this test in approximately 5 seconds. Since I use both DOS and Windows, I try to detect viruses that infect DOS or Windows applications. Someone else may need to use more or fewer files than I do. I run this test at bootup, and after I try new software.

This is my idea, and I want to thank the following people for trying to shoot holes in my theory.

Glenn Jordan
Mike Lambert
Wolfgang Stiller

I know that I'm not very good at writing, but I hope this has helped someone. I am releasing this idea to the public domain, so authors of virus detection software can incorporate this idea into their software if they care to.

Bill

- ---
 * WinQwk 2.0 a#383 * JERUSALEM (Skism-1) Fridays (after the 15th)

------------------------------

Date: 12 Feb 93 13:48:27 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Norton buggy??? (or I have a PROBLEM!) (PC)

amead@s.psych.uiuc.edu (Alan Mead) writes:

> Susan gets home with the Norton disk. We use the Norton scanner
> (NAV.EXE) on my C: and it fails to find anything. BUT, it turns out I
> deleted the file that allegedly carries the virus ("a strain of
> CVIR").

This is likely to be a false positive, not a virus. Cvir is a silly overwriting virus written in C and it is unlikely to spread at all. At the same time, because it is written in a high level language, it is very difficult to pick a good scan string for it - because most of it is just code found in the C libraries, and if you pick a scan string from -there-, you're likely to flag any compiled program that contains the same library function as infected. Obviously, this is what happened to NAV. It might be fixed in the later versions, however, so you should advise your wife to check what the latest version is and to upgrade if necessary.

> What do you think? I find it unlikely that I have a virus and
> (snicker, snicker) I LOVE the fact that these morons are spending their
> Friday night disinfecting clean machines.
I think that this is rather irresponsible behavior on your part... A false positive could be very costly to a business - as much as a real virus. You wouldn't want that business to have to close and your wife to become unemployed, would you?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 12 Feb 93 09:53:25 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Michelangelo (oh noooooo) (PC)

>From: mar@dcc.ufmg.br (Marcio Migueletto de Andrade)
>Subject: Michaelangelo's payload (PC)

>It is known that the Michaelangelo virus makes use of INT 1Ah (AH=4)
>to read the system date. It works on a 386, but fails on an XT (nothing
>is returned). The virus still works but the payload is never
>achieved. Is it due to an old BIOS ? Is there a *standard* way to
>read the system date at *boot time* on an XT ? If not, any virus that
>uses the same function cannot work properly in such machines.
>(Below the equator line the XT still lives...)

Actually this function was introduced on the IBM-AT (Advanced Technology) in 1984 which was/is 286 based. Subsequently *some* clock calendar cards also supported the interrupt. In other words it works on those PCs or XTs with the right card and everything later. The easy way to find out is to just use DEBUG & try it.

Boot: An XT lacks CMOS memory and consequently has no way to remember what day/time it is. PC/XT Clock/Calendar cards use either ROM extensions or special drivers to load the system clock on boot.
Warmly,
Padgett

------------------------------

Date: 12 Feb 93 14:02:17 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: PKZIP 2'S AV is cracked (PC)

mcafee@netcom.com (McAfee Associates) writes:

> We will continue to use PKZIP Version 1.10 to compress our files for
> the foreseeable future because 1.10 is still used more frequently than
> 2.04C, there is no "exportable" version of PKUNZIP V2.04C available

You are misinformed. PKWare has obtained an export license for PKZIP 2.04whatever, which allows it to be exported to almost the whole world, except a very short list of countries (e.g., Iraq, etc.). If you are troubled that people in those countries won't be able to unpack your software, then you should be aware that there are probably regulations which forbid the export of your software to these countries as well.

> from PKWare (yet), and lastly, PKZIP Version 2.04C has several bugs
> in it that make it undesirable for use in distributing software

This is a significantly more valid argument not to use it.

> (PKWare has released a newer version, 2.04E, but we will wait to
> see how stable that is before we consider using it.).

Sigh... They have now released version 2.04g. Obviously, the product is still in beta test and we are all beta testers... :-( But I digress...

> this: You need not present the Internet with a forged .ZIP file
> merely to prove that PKWare's Authenticity Verification for Version
> 2.04C of their program has been cracked.

Wrong, he needed to post that, otherwise people like you just refuse to believe - see below.

> The Authenticity Verification and accompanying serial number generated
> by the PKZIP program are used by us for providing our users with a
> degree of security, they are by no means final or absolute. However,
> it is very unlikely that both the -AV and serial number will match up
> in a cracked version of PKZIP.

THIS IS WRONG AND MISLEADING!
It is TRIVIAL to forge BOTH the text and the -AV and the serial number in PKZIP 1.10. What will convince you? Do you want me to send you an archive for which all the above matches? Do you want me to send you your serial number that you obtained from PKWare? Do you want me to send you a 50-line program that is able to find this number in LESS THAN A MINUTE on an XT? The security provided by the -AV thingo in PKZIP is NON-EXISTENT! And everybody must be warned about that! That's why people like the original poster need to post examples that prove the possibility to crack the security, without showing how it is done. Otherwise people like you will insist that it is "unlikely" to be done!

[Moderator's note: Folks, please keep the discussions civil.]

> I believe that it is far better that some means of protection be
> provided than none at all.

That's true, but what you seem to fail to understand is that the means of protection against tampering in your product are minimal, nearly non-existent! In particular:

1) It is TRIVIAL to disable the self-check in SCAN or to modify its checksum after tampering.

2) It is TRIVIAL to change the documentation that lists the VALIDATE codes.

3) It is TRIVIAL to forge the -AV protection.

4) It is only moderately easy to forge the VALIDATE checksums (i.e., to modify SCAN without modifying its VALIDATE checksums), but it is not even needed, because of 2).

As a result, it is TRIVIAL to make a trojanized, forged copy of your product. The proof is that it is often being done - do you keep track of how many versions of SCAN have been "skipped", because a trojan with such a number has appeared? Your product is probably the most often trojanized program in the world...

I have explained multiple times to people from McAfee Associates, including to yourself, what has to be done in order to provide -real- authentication. You must use a public-key authentication system.
If you provide authentication ONLY (i.e., no encryption, which you don't need anyway), there are NO export problems. If you are concerned about the RSA patents - use the DSS algorithm, which is NOT patented and works for authentication ONLY. But naw, nobody's listening... :-(

> Our programs are directly available
> from us via our BBS, forum on CompuServe, and mcafee.com ftp site
> on the Internet, in addition to sites such as the SIMTEL20 archives
> and garbo.uwasa.fi which I directly send the programs to. If any
> one ever has a question about the integrity of a .ZIP file they've
> received, then they should delete it and download it from one of
> these avenues instead.

That's not enough. There are hundreds of thousands of users of your product that (a) don't have Internet access (thus, no Simtel20, no garbo, not even Virus-L/comp.virus), (b) don't have access to Compu$erve (because it is too expensive or because there's just no CompuServe in their countries), and (c) live too far away from California, so a long-distance call to your BBS or tech support numbers is not exactly what they would like to do every month. What kind of protection are you offering to those people?

> PS: Please (!) direct any follow-up comments to me via e-mail, I have
> no desire for this newsgroup to become a battleground. :-)

You are welcome to continue this discussion with me via private e-mail, but I felt that this reply had to be posted publicly, because

> Like many other readers of the comp.virus newsgroup (and its digest
> counterpart, VIRUS-L), I appreciate it when computer security and
> integrity are discussed, especially when they relate to our (McAfee
> Associates, that is) programs.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 15:07:37 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: STONED, Scanv99/Clean 99 Questions/Concerns (PC)

CASTILLO@nauvax.ucc.nau.edu writes:

> 1) When Untouchable is used, it says that No-Int has been found but
> that it cannot fix it.

You mean UTScan, right? Have you installed the integrity checker? If not, why not? If yes, why not use it to recover the boot sectors?

> 2) When McAfee's Scan v99 is used, it finds the Stoned virus,
> and the Clean can clean it. HOWEVER, when scanning AGAIN for the
> virus, we find it in memory. This is after having booted from a
> write-protected virus free floppy disk. Further tests apparently
> show that Stoned can load into memory by a simple read on an
> infected disk. The documentation I've read via FTP land says that that
> is impossible. Some people have suggested that Scan is not correct.

This is indeed impossible and Scan is indeed not correct, or more exactly, it is not designed correctly. Read the FAQ, question E11, for more information. We've put a lot of effort into this FAQ; it is a good idea to read it before asking...

> Questions: Why doesn't Untouchable work right?

Because it is probably a new variant of No_INT and you are using a scanner. Remember, scanners can detect/remove only known viruses. Install the integrity checker of Untouchable and -use- it. It is very good and, if installed on a virus-free system, can remove practically any boot sector infector.

> CAN the Stoned virus
> load into memory by a simple read from an infected floppy?? Is there
> a strain of stoned that can do this?

Yes, it can. All strains of Stoned are doing this - loading into memory when you read an infected floppy. In fact, it is not the virus that does it - it is DOS itself.
It reads the boot sector of the diskette (where the virus resides), thus loading the virus into memory - in one of the DOS buffers. However, the fact that the virus is in memory does NOT mean that it is active - something that a poorly designed memory checking scheme (like the one used by SCAN) will fail to notice. The virus code is there, but it never gets control. Just like copying an executable file will put this file (or parts of it) somewhere in memory, but will not execute it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 15:17:42 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Twelve Tricks (PC)

REEDA@ibm3090.bham.ac.uk writes:

> Norton anti-virus detected Twelve-Tricks virus on one of our PCs but
> f-prot 2.06a reported the PC as clean. Is this virus one that the
> current f-prot misses or have we found a NAV false +ve?

NAV is definitely wrong. Twelve Tricks is a trojan, not a virus, and it does not spread. It is very unlikely that it is on your computer. On the other hand, F-Prot 2.06a -does- detect this trojan (and properly reports it as a trojan). There is one remote possibility that there is -something- on your computer that just happens to contain the scan string for Twelve Tricks that NAV uses. Where is the "virus" found? In a file? In many files? In the MBR? Are you using the latest version of NAV? Have you contacted your local tech support for NAV?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 15:38:50 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virstop 2.07 in Icelandic (PC)

jdh@medicine.newcastle.edu.au (John Hendriks) writes:

> We have just downloaded the latest version of f-prot (2.07). Of course
> all is well as far as a scan is concerned. At least I can understand the
> reports. When loading virstop though and testing with f-test the
> diagnostics are incomprehensible. Is there an English version of
> virstop?

You seem to have gotten a version of the package that Frisk distributed by mistake. The archive with the English version of VirStop can be obtained from him or from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/fp-207.zip

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 15:50:21 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Vshield vs Virstop (PC)

ST29701@vm.cc.latech.edu writes:

[Long list of unknown viruses that VShield would not be able to detect deleted for brevity.]

> Isn't this also true for VIRSTOP??????????????????

Of course it is - and it is also true for any known-virus scanner, be it a resident or a non-resident one. That's why scanners are a weak line of defense against viruses. That's why you must use an integrity checker as a second and more powerful line of defense. But we were mainly discussing the capabilities of VShield for integrity checking and I pointed out many kinds of attacks that it does not protect you against.
There are integrity checkers that -do- protect you against most of these attacks.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 12 Feb 93 11:54:04 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: STONED in Memory (PC)

>From: CASTILLO@nauvax.ucc.nau.edu (Ulysses Castillo)

>1) Cold booted from a write-protected virus free disk.
>2) Used SCAN v99 on C:, no virus was found in memory or on C:.
>3) Inserted an infected floppy in B:.
>4) Ran scan on b:. No virus found in memory, stoned virus found
>in boot sector of B:.

Ok, here's what has happened - PC not infected. On (4) SCAN checked the memory (4a) - it was clean - then checked the infected disk (4b). In the second action the DBR of the floppy was read into the DOS buffer in low memory. *But SCAN had already finished checking memory*.

>5) Ran scan on B: again. Virus found in memory and in boot sector
>of B:. (HOW???)

On the second run of SCAN the memory is again checked first (5a). This time the infected DBR is still in the DOS buffer from (4b).

>6) Reboot (cold boot, not control-alt-delete).
>7) Inserted infected disk in B:.
>8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector
>of B:. Virus removed from B:.
>9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT
>found on B:.

Repeat of the same process. After reboot, the C: drive DBR is in the buffer - SCAN finds nothing but loaded the infected DBR into the buffer *after* checking memory (during 8) for the second SCAN (9) to find.

Now if between (7) and (8) a DIR were performed on the infected floppy, DOS would have loaded the buffer and the memory check in (8) would have discovered the virus.
The same would have occurred if done between (3) & (4). Now DOS only reads the DBR when it receives a request after detecting a changed disk. If between (8) and (9) a second clean floppy had been put in the drive and a DIR performed, SCAN (9) would have found memory to be virus free (famous last words - well it worked when I tried it).

Warmly,
Padgett

------------------------------

Date: 12 Feb 93 09:35:06 -0800
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: Help! Help, with FORM virus (PC)

IANR012@UNLVM.UNL.EDU (Bill Hayes) writes:

>Recently, a professor here armed his students with a custom program
>written for him by a student programmer. He had a secretary make
>about twenty copies of the program for his students. Unfortunately,
>the secretary's machine was infected with FORM, a boot sector virus.
>Now my student computer labs have been infected with it.
..
>Although I would much rather buy enough licenses to cover my machines,
>I am now trying to find public domain (and I mean FREE) software.
>McAffee and Associates quoted me a whopping $17,000 dollars to site
>license their products. I might be able to wring out $5.00 to $10.00
>per machine to license a product. Is there anything out there, or am
>I doomed to spend my life chained to a chair cleaning off FORM from
>student diskettes?

From ORDER.DOC (FP-207), F-PROT is shareware, with $1/machine license for the first 2500 (decreasing for more machines), with a 25% educational discount (min $20); plus $20 for an actual copy or $100 for an annual subscription (bi-monthly updates), if you don't have ftp access.

(There, now I've said it. You don't have to violate network advertising guidelines, Frisk.)

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; please mail anything important.
------------------------------

Date: Fri, 12 Feb 93 22:07:56 +0000
From: lx523c@seas.gwu.edu (Le L. Chen)
Subject: Jerusalem variant (PC)

I got the Jerusalem standard and variant a few weeks ago. The thing that confused me was that it was infected on Jan 20th; before this day, I got some software and scanned them with McAfee scan97 and f-prot 2.05, and nothing happened. Everything was OK. But on Jan. 20th, I booted up and saw the message showed: win386 was damaged. Since it was about 2 am, too late. The second day, another person who booted up again saw the same sign. Then used scan97 and f-prot 2.05 to check, and found the viruses. I cannot understand how come the first time it was checked it was OK, and later, after the computer was infected, it can detect them. Suppose some viruses infect software at a certain time; can they be detected not on the exact day? Every piece of software I got was scanned first. But now I doubt the scan somewhat. Any information is appreciated. Thanks a lot. E-mail or post to reply is fine.

e-mail: lx523c@seas.gwu.edu

------------------------------

Date: Fri, 12 Feb 93 19:59:20 -0500
From: Ian Leitch
Subject: Tokyo Virus in NETCB or a false positive? (PC)

I have recently downloaded NETCB v0.3b from the UK HENSA (Higher Education National Software Archive) directory micros/ibmpc/dos/h/h112. (NETCB is a Chat box for Novell networks and was written by Koos van den Hout.)

On scanning the unpacked executable with F-Prot before trying to use it, Secure Scan finds no infection. However, any attempt at execution is intercepted by VIRSTOP which reports infection with Tokyo virus. As expected, Quick Scan returns the same report. The Heuristic Scan reports a self-modifying program, which may indicate a self-encrypting virus (or just unusual code). Identical reports are obtained from both F-Prot v2.06a and v2.07. None of the other scanners available to me (including McAfee's SCAN100 and Dr Solomon's ToolKit) report any problem.
I do not believe that the infection (if any) occurred at this site as I have repeated the download on micros of two independent organisations with identical results. Also, the program file size is identical with that indicated in the accompanying message file (H112.MSG). These and other indications lead me to think that I may have hit a false positive. If so, how can I run it and retain protection from VIRSTOP?

Ian Leitch

----------------------------------------------------------------------------
| Ian Leitch                                      JANET: i.leitch@uk.ac.lshtm |
| Information Technology Unit                     Tel: 071 927 2260           |
| London School of Hygiene and Tropical Medicine  FAX: 071 436 5389           |
| Keppel St., London WC1E 7HT                     Telex: 8 95 34 74           |
----------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 26]
*****************************************
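The public-key authentication Vesselin Bontchev argues for in the PKZIP -AV thread above (the publisher signs a release with a private key, users verify with the public key alone, no encryption involved), as an added example that is not from the digest nor from PKWare or McAfee: a toy-sized Python implementation of DSA, the DSS algorithm he names. The parameter sizes, the archive bytes and every function name here are constructed for the demonstration.

```python
import hashlib
import secrets

# Toy-sized DSA (the DSS algorithm): the publisher signs a release with a
# private key; anyone holding only the public key can verify it and nobody
# can forge it. Sizes are constructed for a quick demo, not for real use.
Q_BITS, P_BITS = 64, 160


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test (probabilistic, fine for the demo)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params():
    """Primes q | p-1 and g generating the order-q subgroup mod p."""
    q = secrets.randbits(Q_BITS) | (1 << (Q_BITS - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    p = 4  # p = k*q + 1 with k even, so p is odd
    while not is_probable_prime(p):
        p = 2 * (secrets.randbits(P_BITS - Q_BITS - 1) | (1 << (P_BITS - Q_BITS - 2))) * q + 1
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1
    return p, q, g


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1  # private key: never leaves the publisher
    return x, pow(g, x, p)            # (private, public)


def sign(params, x, data):
    """Publisher side: (r, s) over SHA-256(data), fresh nonce k each time."""
    p, q, g = params
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % q
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s


def verify(params, y, data, sig):
    """User side: needs only the public key y; any changed byte fails."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w, h = pow(s, -1, q), int.from_bytes(hashlib.sha256(data).digest(), "big") % q
    return pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

A trojanized copy cannot carry a valid signature without the publisher's private key, which is exactly what an -AV code or checksum that anyone can recompute cannot offer.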