home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
World_Of_Computer_Software-02-385-Vol-1of3.iso
/
v
/
vl5-207.zip
/
VL5-207.TXT
< prev
Wrap
Internet Message Format
|
1993-01-06
|
29KB
From lehigh.edu!virus-l Thu Dec 24 09:56:36 1992
Date: Tue, 22 Dec 1992 09:26:08 -0500
Message-Id: <9212221358.AA03720@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V5 #207
Status: R
VIRUS-L Digest Tuesday, 22 Dec 1992 Volume 5 : Issue 207
Today's Topics:
CPAV leftovers: summary (PC)
Another Kind Of Droppers (PC)
Re: Integrity Master update (PC)
VSHIELD, VIRSTOP, ... comparison ? (PC)
Pink dos color -Virus? (PC)
Re: Is this a new virus? (PC)
Re: Virus Simulator MtE Available (PC)
Tequila on the Pc (PC)
CHKDSK & PC-DOS 5.00 (IBM) (PC)
RE: VI-SPY 10.0 spitting out strange numbers... (PC)
Re: INFO SOUGHT: FILLED virus (PC)
Re: DAME update (PC)
Re[2]: Stoned Virus (PC)
Re: Vshield vs Virstop (PC)
Viruses in OS/2 HPFS (OS/2)
Problems in MCAFEE OS/2 Clean (OS/2)
viruses in OS/2 environment (OS/2)
Questions about OS2SCAN and OS/2-based AV software in general (OS/2)
Re: Questions about OS2SCAN and OS/2-based AV software in general (OS/2)
Re: Viral Based Distribution System
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: Sat, 19 Dec 92 17:15:09 -0500
From: Luca Parisi <MC1980@mclink.it>
Subject: CPAV leftovers: summary (PC)
Here is what I've found out about the "leftovers" I mentioned.
The "CARMEL Software" string is indeed added to files by the
"Immunize" option of Central Point Anti Virus 1.0 and 1.2 (At least; I
could only find those versions, and the new Windows one that has no
such option).
It is not part of the integrity checking program, however. It seems to
be used to pad the executable file to a multiple of 16 before adding
the self-checker, but only under certain conditions (I was unable to
replicate it except on NU.EXE, and I found another padding string
elsewhere). It is not deleted by the "Remove Immunization" option,
although the file is restored to its original size. The padding string
and a copy of the first bytes of the original immunized program can be
read in the slack space and will disappear as expected when the
deimmunized file is copied.
The user who originally faced the program had indeed used CPAV, not
the original CARMEL product.
Thanks to those who supported me with suggestions.
Luca Parisi
<MC1980@mclink.it>
------------------------------
Date: Sat, 19 Dec 92 17:15:35 -0500
From: Luca Parisi <MC1980@mclink.it>
Subject: Another Kind Of Droppers (PC)
Not much time ago, a posting by Stefano Turci (Stefano_Turci@
f108.n391.z9.virnet.bad.se) prompted discussion about the fact that
converting a file from .COM to .EXE caused scanners not to recognize
some virus infections any more.
I don't have much to object to the views expressed by the scanners
themselves (well, actually their authors :-) but I faced the same
problem while dealing with the "leftovers" of my previous posting.
That is, files infected with virus 855 (Nov. 17th) and subsequently
immunized with CPAV 1.2 are not recognized as such by F-Prot 2.06,
Scan 97 or VirX 2.4 (I know they are not entirely up-to-date, but all
three recognize the 'vanilla' infection on the same files).
I don't think this is more than an "academic" problem unless the
current DOS version of CPAV still offers immunization, and a bit more
if the rumored MSDOS 6.0-bundled one does (the most recent plain DOS
CPAV I have is 1.2, and WinCPAV doesn't). More generally, I'd say that
the integrity check should be a built-in function, otherwise it can
only build false security. But somebody here must have said that
before and better than me...
Luca Parisi
<MC1980@mclink.it>
------------------------------
Date: Fri, 18 Dec 92 22:38:06 +0000
From: Sara_Gordon@f0.n10.z9.virnet.bad.se (Sara Gordon)
Subject: Re: Integrity Master update (PC)
just a note..
some people reading the virus-l/comp.virus want to get the a-v files,
but aren' t able to use ftp, etc. the list rob slade made of bbs that
have the files is really quite good, but i'm not sure if they would
all have the latest files such as integrity master, f-prot, tbscan,
scan.
for people who do not know how to ftp or do file requests, simple
downloading of files is available on 'traditional' type bbs (not the
internet sites), and rob's list is very good for helping find a bbs
near you that has these files.
anyone who wants to file request, or download these files can do so
from my ( private) system :), the number is 219-273-2431. the login,
if you wish to not identify yourself, is demo account. the password
is system. of course, i dont really want my system tied up all day and
night doing this, so please look near you first, but if you cant find,
consider this an invitation to get them here.
If you want to read the virus-L faq and cant ftp it, you can d/l it
here, or read it online.
Intergrity Master is sent to this system directly from the author as
is VirX. F-Prot, Scan, TBscan, and the other programs are obtained
from either the author's ftp sites, or a site utilized by the author.
With all of the hacked a- v programs floating around, it is of course
important to verify that the file you get is really -helping- you.
# talk to me about those computer viruses....
# sara@gator.use.com
# vfr@netcom.com
# SGordon@Dockmaster.ncsc.mil
- --- GEcho 1.00
* Origin: VFR SYSTEMS (219)273-2431 'ask us about VIRNET' (9:10/0)
------------------------------
Date: Sat, 19 Dec 92 06:03:00 +0000
From: Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: VSHIELD, VIRSTOP, ... comparison ? (PC)
(Sorry, Aryeh... I just have to...)
> 1) VShield can check the authentication codes added to the files by
> SCAN /AV (it is a BAD idea to modify other people's files!) and refuse
> to run those that are not "checksummed". Unfortunately, this feature
> can be trivially bypassed (i.e., it is trivial to write a virus that
> adds a correct checksum to the file it infects).
This is true when using VSHIELD with the /CV option. A better option
to use is the /CF one, which compares the checksums from an external
file created by SCAN /AF command and does not alter any executable
file.
> 3) VShield uses much more memory than VirStop.
But may be loaded to high memory, and then needs less then 1K of
conventional memory.
> 6) VShield can be removed from memory (very BAD idea!).
That's why there is the /NOREMOVE option...
Regards,
Rudy.
- ----------------------------------------------------------
Nemrod.Kedem@f101.n9721.z9.virnet.ftn (Nemrod Kedem)
FidoNet: 2:403/138 VirNet: 9:972/0, 9:9721/0, 9:9721/101
(972)3-966-7562 (14.4K) (972)3-967-0348 (Voice)
P.O.Box 8394, Rishon Le-Zion, Zip 75253, Israel.
- ----------------------------------------------------------
- --- FastEcho 1.21/Real!
* Origin: <Rudy's Place - VirNet, Israel> Make Safe Hex! (9:9721/101)
------------------------------
Date: Sat, 19 Dec 92 20:58:00 +0000
From: Malte_Eppert@f6002.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Pink dos color -Virus? (PC)
Hello!
> My default dos foreground color is Pink not low intensity
> white. Is this possibly a virus? I booted from a protected floppy
> master disk - - no change!
Does your monitor display the default gray at all after the failure?
If not, try to fix your video cable. It just may be a loose contact.
Had that before, and all the gray on the screen turned pink, until I
fixed the cable.
cu!
eppi
- --- Via SCANTOSS V 1.37
* Origin: No Point for viruses - The EpiCentre! (9:491/6002)
------------------------------
Date: 21 Dec 92 11:50:23 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is this a new virus? (PC)
tck@fold.ucsd.edu (Kevin Marcus) writes:
> I have varients of stoned which copy to 0,0,15, and 0,0,7, as well as a
> few other locations. They do not necessarily copy to the same spot.
And we have here variants that put the original MBR at 0,0,2 and
0,0,8. This is irrelevant. What is rellevant is that the problem with
Michelangelo occurs exactly because the "standard" Stoned variant put
the original MBR at 0,0,7 - at the same place as Michelangelo, and
because the two viruses do not recognize each other.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 21 Dec 92 12:45:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Simulator MtE Available (PC)
as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:
> Virus Simulator MtE Supplement Available
[stuff deleted]
> Virus Simulator (introduced earlier) and this new Virus
> Simulator MtE Supplement are not intended to replace the
> comprehensive collection of real virus samples as
> maintained by Rosenthal Engineering and other anti-virus
> product developers for testing. Virus Simulator MtE
> Supplement produces safe and controlled dummy test files
> that enable users to verify that they have installed and
> are using their MtE virus detecting programs correctly,
> additionally affording an opportunity for a practice
> training drill under safe and controlled conditions.
I've had some very strong objections against your virus simulator in
the past. I have not seen yet your MtE simulator, but I have the
following questions about it:
1) Does is simulate perfectly the behavior of the MtE? I.e., are the
dummy files generated by it the same as if generated by the MtE? If
not, then it is not good as a simulator, because the simulation is not
perfect enough.
2) If the answer of the above question is "yes", then it means that it
uses the MtE itself to encrypt the dummy files - because using
anything else would mean imperfect simulation. If it uses the MtE, do
you include the MtE itself in the generated dummies?
3) If the answer of the above question is "no", then the simulation is
again not good enough, since the only way a scanner could detect the
unencrypted replicants of an MtE-based virus is to scan for a scan
signature of the unencrypted body of MtE. If the answer of the above
question is "yes", then it is pretty easy to extract the MtE from the
unencrypted dummies... Therefore, you are distributing malicious
software...
Conclusion: regardless how you answer to the above questions, either
the simulator is useless, or you are distributing malicious
software... Hmm, I was able to draw this conclusion even without
having to look at the simulator... Pretty good, isn't it?... :-)
Leaving the ethical problems aside, do you try all kinds of flags
(i.e., the contents of the AX register before calling the MtE)?
Because, if you don't, you'll be able to generate only a small subset
of the code that can be generated with the MtE...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 21 Dec 92 09:01:07 -0500
From: Mike Mulrooney <mulroonm@marvin.edge-hill-college.ac.uk>
Subject: Tequila on the Pc (PC)
Could somebody out there please give me some info on the various
strains of the TEQUILA virus. We have unfortunately contracted it at
one of our sites here and there was no virus protection there to stop
it (they feel pretty daft).
So I am left to try and pick up there pieces and would like to know a
little background info on the little critter. Also I am sorry if this
is a FAQ but - what is the best SHAREWARE-FREEWARE-ETC software to use
for the first line of defence, the RAM overhead and sig updates is
important. Many Thanks Mike Mulrooney -- Senior Network Technician
Edge Hill College of HE - Lancs - UK
------------------------------
Date: Mon, 21 Dec 92 10:01:08 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: CHKDSK & PC-DOS 5.00 (IBM) (PC)
My last last word on DOS 5.00 CHKDSK problem with big disks (promise)
It seems that the same problem *may* exist in PC-DOS 5.00 from IBM
however I do not have PC-DOS 5.00 so cannot say for sure. However if
it does exist, here is how to tell.
First PC-DOS VER/R is said to give a slightly different output than
MS-DOS 5.00 VER/R e.g.
IBM DOS Version 5.00
Revision 1 CSD URxxxxx 02/92
(note: this version apparently has the "fix")
According the report, PC-DOS uses CHKDSK.COM instead of CHKDSK.EXE
(though still in .EXE format) and further, it is 16 bytes shorter than
the MS-DOS 5.00 CHKDSK.EXE (16,184 bytes vs 16,200).
Accordingly, the fragment in question appears to be at DEBUG offset
DS:2633h instead of DS:263Eh (offset used in my .BAT file was
different since file was "converted" to permit update).
The same check should be valid (8B 4F 0F 8B F9 indicates the "early"
version while 8B 7F 0F 32 ED is an indicator of the "fixed" CHKDSK)
just at the different offset, but as said, I do not have a copy of
either version of PC-DOS 5.00 so your guess is probably better than
mine.
*
|
abc
defgh And a Merry Christmas to All,
ijklmno
pqrstuvwx Padgett
yzabcdefghi
jklmnopqrstuv
wxyz
__||__
------------------------------
Date: 21 Dec 92 17:08:51 +0000
From: yoshida@microsupport.sas.upenn.edu (Dan P. Yoshida)
Subject: RE: VI-SPY 10.0 spitting out strange numbers... (PC)
12/21 I talked to RG Software:
According to them the numbers are debugging codes that only beta
versions of 10.0 should display. The numbers only showed up when
vi-spy was being run by the AUTOVS program, so this could have been
the problem somehow.
Their recommendation: erase the current version of vi-spy and
reinstall from an original disk know to be a release version.
- --dan
[Moderator's note: Thanks for the follow-up, Dan. This is exactly the
sort of thing that I had in mind with regards to posting product
support questions and summaries here. I hope that others follow this
example.]
Original post:
> VI-SPY 10.0
> RG Software Systems, Inc.
>
> Has anyone encountered this problem with VI-SPY 10.0?
>
> I have vi-spy running from the autoexec.bat on a Northgate
> 386 that has a Stacker "stacked" drive.
>
> On boot up, vi-spy starts to check for viruses, then it spits
> out four numbers, <<3031>>,<<3120>>,<<E8F4>>,<<4549>>,
> then the system freezes (need to hit the reset button).
------------------------------
Date: Mon, 21 Dec 92 21:49:06 +0000
From: aryeh@mcafee.com (McAfee Associates)
Subject: Re: INFO SOUGHT: FILLED virus (PC)
Hello Ken McVa,
You write:
[...deleted...]
>When SCANV was run, it warned of FILLED three times, after the format
^^^^^^
Filler virus, perhaps?
>- - local rumour has it FILLED resides on an area of the disk DOS
>doesn't read - at any rate, after three warnings, the system was shut
>down.
[...deleted...]
When SCAN is run in the presence of certain other anti-viral programs,
such as Central Point Anti Virus, it can erroneously report the presence
of viruses because if the other program uses the same piece of code SCAN
does to detect the virus but does not hide that code in memory.
Regards,
Aryeh Goretsky
Technical Support
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
------------------------------
Date: Mon, 21 Dec 92 18:23:54 -0500
From: Jimmy Kuo <cjkuo@ccmail.norton.com>
Subject: Re: DAME update (PC)
Dave Mickle x5205 <MICKLE@csmcmvax.bitnet> reports:
>Further investigation reveals DAME was reported by NAV V9.5, *NOT*
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>some infected program running on the machine. SCAN V99 did not find
>it. The owner has good habits, controls access to the PC and is
>careful about installing new software. I'm concluding it's a false
>positive. I'd like to thank the folks at MacAfee and HI Industries
>who were kind enough to call and offer the benefit of their
>experience.
Um... DAME could *NOT* have been reported by NAV V9.5. NAV does not
have a version 9.5 and NAV uses the name "MtE", not "DAME".
Jimmy Kuo cjkuo@ccmail.norton.com
Norton AntiVirus Research
------------------------------
Date: Mon, 21 Dec 92 18:27:59 -0500
From: Jimmy Kuo <cjkuo@ccmail.norton.com>
Subject: Re[2]: Stoned Virus (PC)
mrosen@nyx.cs.du.edu (Michael Rosen) writes:
>I've encountered what seems to be a new variant of stoned (according
>to a guy who works in the computer center here) on my diskettes when I
>use them in our computer labs occassionally. Norton Anti-Virus sees
>as it as my boot sector being infected by Bloomington, while f-prot
>says I have stoned. According to f-prot's files in viruses,
>Bloomington is a cousin to stoned.
What NAV reports as Bloomington is more commonly known as NoInt and has
since had its name changed in NAV to NoInt. NoInt is a stoned variant.
>The guy I spoke to is sending my diskette to the author of f-prot.
>It's quite annoying; it creates invisible junk files on my diskettes.
>I'll get a file name on there with portions of garbage characters and
>some partial words like "DOS 5.0" or other words. Just recently it
>destroyed a bunch of files that thankfully I couldn't find again,
>though it was a major pain.
Your data corruption is likely the result of the virus overwriting one of
the sectors with its saved copy of the original boot sector. The original
boot sector looks to have been written over a sector that serves as your
directory sector thus creating a number of strange looking files. It is
not that you have invisible junk files on your diskettes but rather the
directory table is bad. (Garbage in certain fields that get translated as
file names, garbage in other fields that translated into where the supposed
file begins...) You can edit the directory to eradicate the bad filenames
or better yet, copy off the files you know and reformat the diskettes.
Jimmy Kuo cjkuo@ccmail.norton.com
Norton AntiVirus Research
------------------------------
Date: 22 Dec 92 00:24:47 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Vshield vs Virstop (PC)
maven@kauri.vuw.ac.nz (Jim Baltaxe) writes:
>Maybe this is being greedy, but would it be possible for you to put a
>switch into VIRSTOP that would force it to use the Secure scan
>mechanism?
Possible, but difficult. The biggest problem is that VIRSTOP is written in
100% assembly, while the Secure scan is in a C/assembly mix. If I created
a "Secure Scan" version of Virstop, I don't see how I could get the memory
requirements below 30K. The 2K size (if using /DISK) is ok for most users,
but 30K is a different story...
- -frisk
------------------------------
Date: Sun, 20 Dec 92 15:02:25 +0000
From: bjl1@Ra.MsState.Edu (Brett J.L. Landry)
Subject: Viruses in OS/2 HPFS (OS/2)
There has been aa lot of talk about OS/2 not being able to be infected
from regular old DOS boot sector viruses using the HPFS. This is false
since regular old STONED can infect both logical and physical parttions
on OS/2 using HPFS. Why wait for true OS/2 viruses when you can suffer
from regular DOS viruses.
- --
- ---------------------------------------------------------------------
|------------------ Brett J.L. Landry, bjl1@ra.msstate.edu, -------|
------------------------------
Date: Sun, 20 Dec 92 15:12:05 +0000
From: bjl1@Ra.MsState.Edu (Brett J.L. Landry)
Subject: Problems in MCAFEE OS/2 Clean (OS/2)
I downloaded the new OS/2 wares from Mcafee and had mixed results.
OScan discovered that there was stoned in two partitions on 120 meg
drive that was partitioned into a 40 and 80 meg C and D respective
drives. The problem came into play when I cleaned using OSclean.
It removed stoned but also removed the second partition loosing the 80
meg section. This was in a single boot HPFS scenario.
Any thoughts on this would be appreciated.
Brett J.L. Landry
- --
- ---------------------------------------------------------------------
|------------------ Brett J.L. Landry, bjl1@ra.msstate.edu, -------|
------------------------------
Date: Mon, 21 Dec 92 11:32:23 +0000
From: tytgat@esat.kuleuven.ac.be
Subject: viruses in OS/2 environment (OS/2)
I'm looking for information (books, articles, news-items...) about the
spread of virusses in an OS/2-environment : have any infections (DOS
or OS/2 viruses) been reported yet ; what's the impact of
compartmentalisation on the infection power of DOS-viruses ; how is
this compartmentalisation actually realised within OS/2, etc. ...
Thanks.
Pedro Tytgat
------------------------------
Date: Mon, 21 Dec 92 22:07:12 +0000
From: aryeh@mcafee.com (McAfee Associates)
Subject: Questions about OS2SCAN and OS/2-based AV software in general (OS/2)
Hello Vesselin,
You write:
>>I write:
>This is not actually a problem. Since the scanner runs in its own area
>of memory, protected from the other processes, it cannot be fooled by
>a stealth virus and cannot be made to spread a fast infector on all
>files it scans... In fact, I am wondering why a memory check is
>performed at all by an OS/2-based scanner...
Are you aware OS/2 scanners that do? I know that IBM's Antivirus/2
has a DOS-based TSR component which scans memory when a DOS session is
started up. But that's really an anti-viral for DOS, not OS/2.
>> - - OS2SCAN checks "extended filenames" and HPFS-partitioned
>> drives as well as DOS (FAT) drives.
>Do you know any way in which a known DOS virus can infect an extended
>filename on an HPFS partition?
Nope. But I myself create directories under OS/2 HPFS with names like
"MS-DOS 3.3 Files" and "Today's Downloads" in which I keep normal DOS
files. I'm sure other people do as well :-)
Regards,
Aryeh Goretsky
Technical Support
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
------------------------------
Date: Tue, 22 Dec 92 08:51:58 -0500
From: Kenneth R. van Wyk <krvw@cert.org>
Subject: Re: Questions about OS2SCAN and OS/2-based AV software in general (OS/
2)
Aryeh Goretsky writes (in response to Vesselin):
> >Do you know any way in which a known DOS virus can infect an extended
> >filename on an HPFS partition?
>
> Nope. But I myself create directories under OS/2 HPFS with names like
> "MS-DOS 3.3 Files" and "Today's Downloads" in which I keep normal DOS
> files. I'm sure other people do as well :-)
I, for one, use long file/dir names (such as these) extensively on my
home OS/2 system. A short filename scanner (e.g., a DOS-based product
running in a DOS session) would see only a very small portion of my
primary HPFS partition, which has DOS files strewn all over it. That
is why I use an OS/2-specific product. Opinion: long filenames is one
of the things that makes HPFS so nice to work with, especially when
combined with a command interpreter that can do name completion.
Cheers,
Ken van Wyk
------------------------------
Date: 21 Dec 92 12:35:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viral Based Distribution System
ygoland@edison.SEAS.UCLA.EDU (The Jester) writes:
> If the purpose of the program is to automatically cause some
> 'change' in various computers, then the program must execute from a
> loader or an infected file. If its being launched from a loader then
> the need for the distribution system is nullified. Assuming the goal
> is to still keep absolute system security, then the loader will be
> 'allowed' in by the administrator but the virus it is loading won't
> be allowed to attach itself to another program, just make the change
> for the single user that activated the loader.
Yes, this is exactly how the current products with virus-like
distribution work. The "loader" is the system login script of Novell
NetWare. When the user logs in, the script checks whether his/her
workstation has an up-to-date version of the software, and if not
copies the newest version of the software from a secure directory on
the server to the workstation and requests a reboot.
> If this is an
> effective means of distribution then why use a virus at all?
The question is incorrect. According to Dr. Cohen's definition, "this"
- -is- a virus. And, since you are using it to do something you would
like to be done, it is obviously a benevolent virus. Do you see the
misunderstanding now? It's all matter of definitions...
> In conclusion, a system that changes in an unpredictable manner,
> that uses hard to track mechanisms of change, is a security
> nightmare.
Yup... Ever tried MS Windows?... :-)
> Just as self modifying programs have been given a very
> bad reputation for very good reasons, a viral based distribution
> system deserves a similarly bad reputation.
Does it? Why? Because of the word "virus"? But they just don't use
that word when selling you the package! They call it "Installs and
Updates Hundreds of PCs on a Network in One Easy Step" (Symantec),
"Completely Centralized Anti-Virus Strategy" (Central Point Software)
or others some such...
> The Jester-PGP Ver2 upon Request
Please consider this a request... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 207]
******************************************