tlhingan@unsvax.UUCP (Eugene Tramaglino) (03/30/88)
Fellow NETters:

First, I apologize if this note is out of line or unduly alarming; I have
never posted a warning before.

Second, apologies in advance to Len Levine if this posting causes
problems---this is a CAUTIONARY posting.

Third, please forward this to Ross Greenberg, I cannot login to RAMNET.

I have FluShot3 installed on my XT-compatible (from AUTOEXEC.BAT).
I recently downloaded from comp.binaries.ibm.pc a set of programs
in Turbo Pascal 3.0 (Source and Executables and Docs) called
FILETEST.ARC in PKARC format. According to the Docs, it is a
modified version of FILECRC by Ted Emigh. The modifications, again,
according to documentation, were made by Len Levine. On running
FILEREAD.COM, FluShot3 sent a message that a "write to COMMAND.COM"
was being performed.

Since I am under the impression that COMMAND.COM should NEVER
be written to, I am posting this warning. I am NOT stating that
the program is a Trojan, only that I got the above error message.
Under the assumption that you would rather be over-cautious, I have
posted immediately. I will gladly co-operate with NET experts who wish
to resolve this to the benefit of all.

DISCLAIMER: I do not represent or speak for the University of Nevada,
or any of its branches or divisions. The above posting is cautionary
in nature and should be read as such.

===================================================================
Eugene Tramaglino                     USS Mahagonny, NCC-1929
tlhingan@unsvax.uns.edu
USMail: 1450 E Harmon 207A; Las Vegas, NV 89119
Data: "All paths are equally dangerous."  Riker: "Let's go! Yeah!"
campbell@maynard.BSW.COM (Larry Campbell) (04/03/88)
In article <225@unsvax.UUCP> tlhingan@unsvax.uucp (Eugene Tramaglino) writes:
<>I recently downloaded from comp.binaries.ibm.pc a set of programs
<>in Turbo Pascal 3.0 (Source and Executables and Docs) called
<>FILETEST.ARC in PKARC format. ... On running
<>FILEREAD.COM, FluShot3 sent a message that a "write to COMMAND.COM"
<>was being performed.
Give me a break! You said you had the SOURCES to this program!! Are your
eyes broken? Before wasting net bandwidth and perhaps needlessly alarming
hundreds of people, why don't you just take a look at the source and see
if there's a legitimate reason for what it's doing? And how about compiling
the source and comparing the result to the binaries that came with it?
--
Larry Campbell The Boston Software Works, Inc.
Internet: campbell@maynard.bsw.com 120 Fulton Street, Boston MA 02109
uucp: {husc6,mirror,think}!maynard!campbell +1 617 367 6846
sld@beach.cis.ufl.edu (Steven Louis Davis) (04/04/88)
In article <1069@maynard.BSW.COM> campbell@maynard.UUCP (Larry Campbell) writes:
:In article <225@unsvax.UUCP> tlhingan@unsvax.uucp (Eugene Tramaglino) writes:
:<>I recently downloaded from comp.binaries.ibm.pc a set of programs
:<>in Turbo Pascal 3.0 (Source and Executables and Docs) called
:<>FILETEST.ARC in PKARC format. ... On running
:<>FILEREAD.COM, FluShot3 sent a message that a "write to COMMAND.COM"
:<>was being performed.
:
:Give me a break! You said you had the SOURCES to this program!! Are your
:eyes broken? Before wasting net bandwidth and perhaps needlessly alarming
:hundreds of people, why don't you just take a look at the source and see
:if there's a legitimate reason for what it's doing? And how about compiling
:the source and comparing the result to the binaries that came with it?

It would be a shame to let a reasonable warning go because of a policy of
not posting unless you were SURE that there was a problem. Many people
detecting possible viruses might not want to go through the trouble of
satisfying your mandate to "not waste network bandwidth unless you're
sure", and then the virus is free to do its work. I thank the original
poster for the warning.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steven L. Davis
sld@beach.cis.ufl.edu
..!ihnp4!codas!ufcsv!beach.ufl.cis.edu!sld
emigh@ncsugn.ncsu.edu (Ted H. Emigh) (04/04/88)
In article <225@unsvax.UUCP> tlhingan@unsvax.uucp (Eugene Tramaglino) writes:
> I have FluShot3 installed on my XT-compatible (from AUTOEXEC.BAT).
>I recently downloaded from comp.binaries.ibm.pc a set of programs
>in Turbo Pascal 3.0 (Source and Executables and Docs) called
>FILETEST.ARC in PKARC format. According to the Docs, it is a
>modified version of FILECRC by Ted Emigh. The modifications, again,
>according to documentation, were made by Len Levine. On running
>FILEREAD.COM, FluShot3 sent a message that a "write to COMMAND.COM"
>was being performed.
> Since I am under the impression that COMMAND.COM should NEVER
>be written to, I am posting this warning. I am NOT stating that
>the program is a Trojan, only that I got the above error message.
>Under the assumption that you would rather be over-cautious, I have
>posted immediately.

I have not tried FILETEST. However, I am the original author of FILECRC.
I have never used FluShot3, so I do not know what it looks for in
detecting viruses. In particular, I do not know what it means by "write
to COMMAND.COM".

Due to a bug in TURBO Pascal 3.0, a file that is R/O cannot be read. I
had to change the file attributes in order to read in the file. It is
possible that is the problem. It also could be possible that TURBO Pascal
does something weird with files even if only reading them. I have NEVER
seen files change due to a read operation with TURBO Pascal, but I
suppose that is possible.

Of course, you are always better off recompiling the programs from
source. I can vouch for the sources for FILECRC as *I* distributed them.
But, of course, I cannot possibly know whether any changes others
introduce will be benign.

--
Ted H. Emigh, Dept. Genetics and Statistics, NCSU, Raleigh, NC
uucp: mcnc!ncsuvx!ncsugn!emigh   internet: emigh%ncsugn.ncsu.edu
BITNET: NEMIGH@TUCC   @ncsuvx.ncsu.edu:emigh@ncsugn.ncsu.edu
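The technical point in the reply above is that a file-integrity checker in the style of FILECRC only needs to *read* the files it checks, and that the Turbo Pascal 3.0 workaround of clearing the read-only attribute is exactly the kind of metadata change a "write to COMMAND.COM" monitor can flag. The following is an added example, written in Python rather than Turbo Pascal and not code from FILECRC, FILETEST or anyone in this thread. It builds a CRC-32 baseline over constructed sample files marked read-only, proves the checker leaves mode, size and mtime untouched, then tampers with one file and shows the verification step catching it. The file names and contents are constructed for illustration.

```python
"""
Added example (not code from the thread, FILECRC or FILETEST): a small
file-integrity checker in the spirit of FILECRC that records a CRC-32
baseline for a set of files and later reports which ones changed. The
checker itself never writes: the read path opens files read-only and
never clears a read-only attribute, and snapshot() records the metadata a
write or chmod would disturb so the caller can prove the file was left
alone. Paths, names and file contents below are constructed assumptions.
"""
import os
import stat
import tempfile
import zlib
from pathlib import Path


def crc32_of(path):
    """Stream the file and return its CRC-32. The file is opened in
    read-only binary mode, so a read-only attribute never has to be
    cleared first (the Turbo Pascal 3.0 workaround described above)."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def snapshot(path):
    """Permission bits, size and mtime: what a write or chmod would alter."""
    st = os.stat(path)
    return (stat.S_IMODE(st.st_mode), st.st_size, st.st_mtime_ns)


def baseline(paths):
    """Record step: map each path to its CRC-32."""
    return {str(p): crc32_of(p) for p in paths}


def verify(base):
    """Check step: return paths whose CRC differs from the baseline or that
    no longer exist. An empty list means every file is unchanged."""
    changed = []
    for p, expected in base.items():
        if not os.path.exists(p) or crc32_of(p) != expected:
            changed.append(p)
    return changed


def check_leaves_untouched(path):
    """True if computing the CRC left mode, size and mtime as they were.
    This is the property a "write to COMMAND.COM" monitor is guarding."""
    before = snapshot(path)
    crc32_of(path)
    return snapshot(path) == before


def make_readonly_sample(directory, name, data):
    """Create a constructed sample file and mark it read-only, standing in
    for a DOS file with the R/O attribute set."""
    p = Path(directory) / name
    p.write_bytes(data)
    os.chmod(p, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return p


def demo(directory):
    """Baseline two constructed read-only files, confirm the checker itself
    touched nothing, then tamper with one the way an infector would and
    return (untouched_ok, basenames_reported_changed)."""
    a = make_readonly_sample(directory, "COMMAND.COM", b"MZ constructed sample\r\n")
    b = make_readonly_sample(directory, "FILEREAD.COM", b"constructed build\r\n")
    base = baseline([a, b])
    untouched_ok = check_leaves_untouched(a) and verify(base) == []
    # Simulated attacker: clears the attribute and appends a payload.
    os.chmod(b, stat.S_IRUSR | stat.S_IWUSR)
    b.write_bytes(b"constructed build\r\n" + b"PAYLOAD")
    return untouched_ok, [os.path.basename(p) for p in verify(base)]


def demo_in_tempdir():
    """Run demo() inside a throwaway directory and return its result."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Running the module prints `(True, ['FILEREAD.COM'])`: the checker read the read-only COMMAND.COM sample without changing any metadata, and the tampered FILEREAD.COM sample is the only file reported. The same `baseline` and `verify` pair is what "compile the source and compare the result to the binaries" amounts to in practice: baseline the distributed executables, then verify against the ones you built yourself.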
cpt.k9@netmbx.UUCP (Bob George) (04/08/88)
In article <1069@maynard.BSW.COM> campbell@maynard.UUCP (Larry Campbell) writes:
>In article <225@unsvax.UUCP> tlhingan@unsvax.uucp (Eugene Tramaglino) writes:
[...SHORT excerpt from original posting deleted...]
><>FILEREAD.COM, FluShot3 sent a message that a "write to COMMAND.COM"
><>was being performed.
>Give me a break! You said you had the SOURCES to this program!! Are your
>eyes broken? Before wasting net bandwidth and perhaps needlessly alarming
>hundreds of people, why don't you just take a look at the source and see
>if there's a legitimate reason for what it's doing? And how about compiling
>the source and comparing the result to the binaries that came with it?

Er, if the entire article is reviewed, he DID state that it might not be
a problem but that he was alarmed at having received the warning from
what is, after all, a Trojan detector. Actually, I'd rather have false
alarms than not know about one ahead of time.

As to not reviewing sources and compiling the program, could it be that
not everyone HAS the correct compiler on hand? I've not seen the sources
myself, but I know that it's not always easy to tell at first glance what
exactly a program does even if you've got the sources...

While I'm sure the program is harmless, has anybody WHO HAS compiled,
tested and reviewed the program explained WHY this message is received?
I'd rather not chastise someone for telling us the alarm bells are going
off, even if it IS a false alarm this time! If anything is to be
criticized, it is perhaps the Subject line rather than the actual
content. Alerting users to such situations is not what I'd consider a
waste of bandwidth.

Thanks for the advisory Eugene.

--
cpt.k9@netmbx.UUCP
---------Bob-George--------
----Unter-den-Eichen-97----
-----1000-Berlin-45--------
------W.-Germany-----------
Tel : (049-030) 832-8319
tlhingan@unsvax.UUCP (Eugene Tramaglino) (04/09/88)
This is part of Larry Campbell's (campbell@maynard.BSW.COM) response
to my posting warning about an intercepted write to COMMAND.COM in
a NET PD program I downloaded.
===== begin edited include =====
Keywords: chicken little
Organization: The Boston Software Works, Inc.
In article <225@unsvax.UUCP> tlhingan@unsvax.uucp (Eugene Tramaglino) writes:
<>I recently downloaded from comp.binaries.ibm.pc a set of programs
<>in Turbo Pascal 3.0 (Source and Executables and Docs) called
<>FILETEST.ARC in PKARC format. ... On running
<>FILEREAD.COM, FluShot3 sent a message that a "write to COMMAND.COM"
<>was being performed.
Give me a break! You said you had the SOURCES to this program!! Are your
eyes broken? Before wasting net bandwidth and perhaps needlessly alarming
hundreds of people, why don't you just take a look at the source and see
if there's a legitimate reason for what it's doing? And how about compiling
the source and comparing the result to the binaries that came with it?
--
Larry Campbell The Boston Software Works, Inc.
Internet: campbell@maynard.bsw.com 120 Fulton Street, Boston MA 02109
uucp: {husc6,mirror,think}!maynard!campbell +1 617 367 6846
===== end edited include =====
1) I cannot instantly read code like English and determine what it does.
2) I don't have Turbo Pascal 3.0, so I can't "compile and compare."
3) How in the world could there be a legitimate WRITE to COMMAND.COM,
posted on the NET, that doesn't say in the DOCs, "by the way, this
program writes to COMMAND.COM?? For that matter, How in the world
could there be a legitimate write to COMMAND.COM?
4) A WRITE TO COMMAND.COM deserves an immediate scream to the NET.
5) I did not needlessly alarm people. If I saved one person's hard
disk, I feel the posting was a net gain. If I reduced the POTENTIAL
of a hard disk crash, the posting was justified. Perhaps someone might
run the program without checking the sources, and without protection like
flushot or trapdisk.
6) I feel more comfortable sending something like this to the net, where
a lot of people, some of whom are more experienced than I, and all of
whom have different perspectives, can look at it. I also like the idea
that someone like Ross Greenberg, who has gone out of his way to help
NETters with his flushot programs, and who is apparently somewhat of a
specialist in VIRUSes, could look at this program.
7) Considering the material that is regularly posted to the NET, I don't
consider this a big "waste of bandwidth."
8) Finally, the first bloody thing I said was "Excuse me if this posting
is over-alarming or panicky." SO GO GET LAID! MAKE UP WITH YOUR GIRL!
DON'T TAKE OUT YOUR FRUSTRATIONS ON ME! YOUR POSTING IS RUDE AND HURT
MY FEELINGS!
===
These statements are mine and mine only. I do not represent or speak
for the University of Nevada or any of its branches or divisions.
#==============================================#=========================#
# Eugene Tramaglino -- tlhingan@unsvax.uns.edu # USS Mahagonny, NCC-1929 #
# 1450 E Harmon 207A, Las Vegas, NV 89119 #=========================#
# Data: "All paths are equally dangerous." # Member, Institute of #
# Riker: "Let's go!" # General Semantics. #
#==============================================#=========================#