[comp.virus] VIRUS-L Digest V4 #30

krvw@CERT.SEI.CMU.EDU ("The Moderator Kenneth R. van Wyk") (02/21/91)

VIRUS-L Digest   Wednesday, 20 Feb 1991    Volume 4 : Issue 30
 
Today's Topics:
 
Hardware question (PC) (TANDY)
Response to Editor's Questions
F-PROT site license fee (PC)
Re: Norton Antivirus (PC)
Mac virus frequency & Disinfectant (Mac)
Mac vulnerability vs. PCs
Virus frequencies
stoned again
Model of "Safe" (PC)
Re: STONED virus/ McAfee Associates (PC)
Re: Preventing booting from floppy (PC)
Viruses vs. DOS; Stoned information (PC)
Mac viruses (Mac)
Compucilina (PC)
Re: IBM Virus Scanner. (PC)
McAfee Products (PC)
 
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
 
   Ken van Wyk
 
---------------------------------------------------------------------------
 
Date:    19 Feb 91 16:51:32 +0000
From:    lev@suned2.Nswses.Navy.Mil (Lloyd E Vancil)
Subject: Hardware question (PC) (TANDY)
 
I have been interested in the discussion of bootsector viruses, hard drives
and other beasties.
And, wonder of wonders, a thought occurs.
To wit:
   The Tandy (radio shack) ne 80286 machines have an extra 128k of ram
that is used to contain the IBMSYS & IO .coms, Command.com, Format.com
and a few other things.  These files fill the 128k and allow you to
bring up the machine without booting from a disk at all.  The "extra
ram" is treated as a write protected disk.
   The thought that occurs is, isn't this a better way?  Since the
"disk" is full and write protected the bad beasties can't get in can
they?  Wouldn't this stop any but the Trojan programs?
 
--
      *      suned1!lev@elroy.JPL.Nasa.Gov sun!suntzu!suned1!lev
          .                lev@suned1.nswses.navy.mil        +      .
    +          *       S.T.A.R.S.! The revolution has begun!   *
      My employer has no opinions.  These are mine!
 
------------------------------
 
Date:    Tue, 19 Feb 91 12:01:30 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Response to Editor's Questions
 
Ken asked in a recent posting if anyone had tried PC/DACS.  I used the
package for over a year.  My experience was that it did what it was
supposed to do, and essentially gave a user the impression of
mainframe system controls on a personal computer.  I would be happy to
send anyone an electronic copy of my product test report.  Other
commercial products with comparable features have been discussed in
this forum, but a few additional ones are Watchdog, SecurePC, Protec,
etc.  Watchdog like PC/DACS has an NCSC subsystem evaluation report.
I have done test reports on SecurePC and Protec.  These are not the
only products available.  I have no stock or relationship with any of
the vendors.  While these are software solutions, there are comparable
hardware/software products available, but usually at a greater cost.
 
To the user who asked about site licensing for F-PROT, the answer is
YES.  Fridrik has very generous agreements.  Depending upon the number
of systems involved the cost may be as low as $2.00 per machine.
Government agencies have to my knowledge encountered at least two
cases in which the Buy American Act precluded acquisition.  I have no
way of knowing how significant an obstacle this legislation may be for
the government as a whole.
 
Chris Mc Donald
cmcdonald@wsmr-simtel20.army.mil
White Sands Missile Range
-------
 
------------------------------
 
Date:    Tue, 19 Feb 91 10:03:35 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: F-PROT site license fee (PC)
 
JS05STAF%MIAMIU.BITNET@OHSTVMA.IRCC.OHIO-STATE.EDU (Joe Simpson) writes:
 
> the anti-viral problem.  Is anyone using F-Prot.  Does Fredrik
> Skullasan (apologies to FS for spelling) have a site licence policy?
 
Fridrik Skulason has just changed his fee structure (with version
1.14) and the price is now *lower*.  (The bad news is that the fee is
now yearly, a la McAfee.)
 
The yearly fee is now $1 per machine for commercial and $0.75 per machine
for educational institutions.
 
For those good people who have been supporting frisk all along, and are
cursing your fate for having paid the higher price - good news.  Your
"one-time" fee is still valid.  :-)
 
Vancouver          p1@arkham.wimsey.bc.ca           _n_
Insitute for       Robert_Slade@mtsg.sfu.ca          H
Research into      (SUZY) INtegrity                 /
User               Canada V7K 2G6                O=C\
Security                            Radical Dude   | O- /\_
                                             /-----+---/ \_\
                                            / |    `  ||/
"A ship in a harbour is safe, but that     /  ||`----'||
is not what ships are built for."             ||      ||
                     - John Parks             ``      ``
 
------------------------------
 
Date:    Tue, 19 Feb 91 15:11:56 +0000
From:    Ian Leitch <uqak940@MVS.ULCC.AC.UK>
Subject: Re: Norton Antivirus (PC)
 
DEL2@phoenix.cambridge.ac.uk (Douglas de Lacey) writes on 25 Jan
about the Norton Antivirus product:
 
>      ... it got a slashing review in PC Business World last
>  week, for making unfair claims about its abilities ...
 
I understand that the review did not receive universal acclaim, as
some readers suggested that it may have lacked objectivity.  I am told
that its author has now parted company with PC Business World!
 
Ian Leitch
 
------------------------------
 
Date:    Tue, 19 Feb 91 17:10:07 -0500
From:    Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Mac virus frequency & Disinfectant (Mac)
 
Fred Davidson <DAVIDSON@vmd.cso.uiuc.edu> asks:
>      ... there is a MAC Plus with an external drive at the monitor's
>desk.  The external drive has a big note taped to the top of it:
>"Check All Mac Disks For Viruses".  If you come in and use a MAC, when
>you sign in, you are supposed to check any disk you bring for MAC
>viruses.  What is odd is that there is no such requirement for users
>of the PCs.  Does this reflect the statistical proportions of viruses
>in the real world?  More on MACs than on PCs?
 
No this is simply a reflection of the fact that John Norstad, the
author of Disinfectant, was thinking about such an environment when he
wrote his program. Disinfectant has an "unattended operation" mode
which allows you to simply pop in a disk and have it scanned, cleaned
up, and ejected with no intervention on the part of the persons
managing the lab. It's simply very convenient to do it this way.
 
 --- Joe M.
 
------------------------------
 
Date:    Tue, 19 Feb 91 17:18:02 -0500
From:    Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Mac vulnerability vs. PCs
 
Ross Miller notes (on Mac vulnerability vs. PCs):
>It's not a question of Bias, the mac system is very powerful, but part
>of that power comes from openness.  Openness leaves one vulnerable.
 
And Fridrik Skulason also notes:
>David Gursky    dg@titanium.mitre.org writes
>> At the time, the number of PC viruses numbered 23 distinct strains and
>> over a 100 total viruses.
>
>That was a loooooong time ago - now we have around 150 families, and
>over 400 different variants - 30-40% written in Eastern Europe.
 
The current Mac virus count is 10-12 families, with about 20
variations total.
 
There are many more PCs than Macs. I think this is the only reason for
the difference. As far as which is easier, I don't think it really
matters, unless you plan on taking up virus-writing for a living.
 
*Both* Mac and PC systems, as shipped by the manufacturer, are so
wide-open to attack that it's hard to say whether one or the other is
"worse". Most often, a statement as to which is "worse" is simply a
reflection of the expositor's prejudices about the systems in
question.  Ever ask an MVS expert about unix security?
 
 --- Joe M.
 
------------------------------
 
Date:    Tue, 19 Feb 91 17:12:00 -0600
From:    MDCLARK@UALR.BITNET
Subject: Virus frequencies
 
> If you come in and use a MAC, when
>you sign in, you are supposed to check any disk you bring for MAC
>viruses.  What is odd is that there is no such requirement for users
>of the PCs.  Does this reflect the statistical proportions of viruses
>in the real world?  More on MACs than on PCs?
 
On the contrary, there are far more PC viruses than Mac varieties.
Offhand, it sounds as if the Mac systems analyst is on the ball, and
I'd wager that John Norstad's Disinfectant is being used.  Although
it might be a fair argument that it is more difficult to protect
against PC viruses, this is no excuse not to try.  It may simply be
that the person responsible for PCs knows less about viruses than does
the Mac person (or it may be the *same* person responsible for both
systems).  The fact is, thanks to John Norstad and others like him,
dealing with Mac viruses is fairly painless.
 
------------------------------
 
Date:    19 Feb 91 22:55:30 +0000
From:    "William C Tom" <wct1@unix.cis.pitt.edu>
Subject: stoned again
 
The stoned virus has cropped up again in my work-place.  I wish I had
kept all the replies I got after my last infection.  Anyways, I removed
the virus with CLEAN, but I want to restore my hard disk to its
pre-infection pristine condition (just a fetish of mine).  My question
is: to what sector does "Stoned" move the original partition table?  I
would like to delete this "duplicate" code.
 
Thanks.
 
--------------------------------------------------
wct1@unix.cis.pitt.edu
 
------------------------------
 
Date:    19 Feb 91 11:57:25 -0500
From:    Steve Albrecht <70033.1271@CompuServe.COM>
Subject: Model of "Safe" (PC)
 
>[Ed. I saw one product which seems (IMHO) to come close to this
>-PC/DACS by Pyramid (note: I have no affiliation with them...).
>It provides boot protection, optional hard disk encryption
>(required to prevent absolute sector access), username/password
>protection, file access control, etc.  Anyone with experience with
>this, or similar, systems care to comment?]
 
We have evaluated the possible use of PCDACS as a security package in
our Field Offices.  One of the primary reasons why we have not
installed this to date, and will likely not install this, is that
computer viruses, in our opinion, are not adequately addressed by
PCDACS.  In fairness to Pyramid, I don't think that PCDACS was
originally intended to provide virus protection.
 
The earlier versions (prior to Version 2.01) did not prevent infection
by the Stoned virus (and other viruses which employ absolute disk
writes), and did not detect the virus once the hard disk had become
infected.  Pyramid has since employed a means of detecting this virus
(and I assume other similar viruses) when the computer is booted.  The
program will restore the original partition table, and then force an
immediate reboot.  However, even with boot protection installed,
PCDACS does not prevent a boot from an unknown (and possibly infected)
floppy.
 
The problem with this strategy seems to me to be that it may not be
able to remove the "stealth" type viruses, which (I have learned via
this forum) trap the Int 13 interrupt used by PCDACS.  In my
conversations with Pyramid, their technical support claims that PCDACS
will provide adequate protection against the 4096 virus.  Someone who
has actually tested PCDACS with the 4096 virus might perhaps like to
comment on this.
 
With regards to viruses which operate on files, PCDACS (version 2.02
is the latest version which I have tested) will prevent viruses from
infecting files if a user has no WRITE access to the executable files
targeted by the virus, but will not prevent the virus from going
resident in memory (to the best of my knowledge).  This seems to lead
to a scenario where a user logs off with a virus resident in memory,
only to have the virus infect the targeted files when an administrator
(or other person with WRITE access to the executable files) logs on.
PCDACS does not monitor the integrity of the executable files.
 
PCDACS does allow for the encryption of the entire hard disk, or
optionally, DOS area encryption.  While the former may provide
protection against absolute disk writes, the amount of time which this
option requires at boot time is unacceptable.  DOS area encryption is
more acceptable, but I am not convinced that boot sector viruses will
not do damage which only a backup will remedy.  (As a side note,
restoring a backup to a corrupted hard disk with PCDACS boot
protection enabled is fraught with difficulties).  Again, someone who
has actually tested PCDACS with this option should comment on this.
 
In summary, I think PCDACS is an excellent security program if
confidentiality and restricted access are the primary objectives, but
I think that the "layered" protection which Padgett has described
provides much more acceptable virus protection.
 
Steve Albrecht
70033.1271@compuserve.com
 
------------------------------
 
Date:    Wed, 20 Feb 91 09:49:54 -0400
From:    pjc@melb.bull.oz.au (Paul Carapetis)
Subject: Re: STONED virus/ McAfee Associates (PC)
 
Wayne Robarge said:
 
> I have a similar problem and a question.  The McAfee Scan program has
> detected the Stone virus on some commercial software I just bought to
> run some lab equipment. I called them and they were surprised to hear
> about it as none of the disks they sold me were system disks yet the
> SCAN program says that the virus is in the boot sector. Are these
> disks infected or not?  If they are infected, will the virus infect
> other machines if I do not boot from these disks.
 
All DOS diskettes, regardless of whether they were formatted to be
system bootable diskettes or not, possess boot sectors.  The boot
sector is written to the diskette by the FORMAT program (and all other
commercial format programs that I know of) EVERY time, even if the
diskette is not going to be bootable.
 
This means that your diskettes are most likely infected.  Beware of
rebooting your machine if you have any of these diskettes in the A:
drive as the boot sector will be loaded into memory and the code
executed, thereby activating the virus if present, before the missing
system files are discovered and the old "Non-system disk or boot
error" message is displayed.
 
Either "clean" the diskettes of their virus, or copy off all of the
files you want and then format them all from a known "clean" machine.
 
--Paul
 
+-----------------------------------------------+-------------------------+
| Paul Carapetis, Software Advisor (Unix, DOS)  |   Phone: 61 3 4200944   |
| Melbourne Development Centre                  |   Fax:   61 3 4200445   |
| Bull HN Information Systems Australia Pty Ltd |-------------------------|
| Internet: pjc@melb.bull.oz.au                 | What's said here is my  |
| ACSnet  : pjc@bull.oz                         | opinion (so I am told!) |
+-----------------------------------------------+-------------------------+
 
------------------------------
 
Date:    Tue, 19 Feb 91 18:04:45 -0800
From:    cthulhu@arkham.wimsey.bc.ca (Jono Moore)
Subject: Re: Preventing booting from floppy (PC)
 
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
 
> Several MS-DOS platforms can do this (Zenith, Compaq) and any PC could
> implement it by storing a flag in CMOS. However, only a few
> manufacturers have chosen to implement it in the BIOS (it must be done
> in ROM).  Unfortunately in the case of my Zenith, it will only look
> for disks that its BIOS can find. Failing this it will check for a
> floppy even if told not to.  (I have a hardcard that uses its own ROM
> extension and no matter how the CMOS is set, the Zenith will always go
> for the floppy first.) Computer Shopper ads indicate that a 386 BIOS
> chipset (choice of several) goes for about $70 but I do not know if
> any of those replacements implement this.
>
> Incidentally, there must be an override somewhere or maintenance would
> be a nightmare.
 
My 286 came with a Quadtel bios which has this feature.  You can set
it up to "quickboot" your system, which skips the memory test and
doesn't check the floppy drives.
 
It also has a password protect built into the bios.  I can see
problems arising if you forget your password :-) I don't have my
manual handy, but I imagine there would be a way to get around this,
like disconnecting your battery for a while or something like that.
 
-------------------------------------------------------------------------------
jono@{arkham.UUCP|arkham.wimsey.bc.ca}  | Fuck 'em if they can't take a joke.
{uunet|ubc-cs}!van-bc!cynic!arkham!jono |  Pull the wool over your own eyes!
 
------------------------------
 
Date:    Sun, 17 Feb 91 19:30:28 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Viruses vs. DOS; Stoned information (PC)
 
>From:    "Olivier M.J. Crepin-Leblond" <UMEEB37@VAXA.CC.IMPERIAL.AC.UK>
>Subject: Virus or DOS clash ? (PC)
 
>	A strange file has started appearing on some of the disks...
><delta>4<e-accent>MSDOS   3.3    0    15-00-80   12:00a
 
What has happened is that the boot sector of the floppy (DOS sector 1)
has been copied to the first sector of the root directory (DOS sector
5) and has probably wiped out the root directory. Whether or not it is
a virus or an accident is the question. In any event, the disk may be
able to be recovered (if the FAT did not get wiped also) by writing
all zeros to the root directory and trying CHKDSK/F. The FILExxxx.CHK
entries will match the original file entries if the first FAT is
intact.
 
This is WHAT; I cannot answer WHY.  It does not match any virus I have seen
but sounds like a logic bomb.
---------------------------------------------------------------------
 
From:    Scott Morgan <SMORGAN@FSUAVM.BITNET>
Subject: Information on the "Stoned Virus" (PC)
 
From:    amewalduck@trillium.uwaterloo.ca (Andrew Walduck)
Subject: STONED virus (PC)
 
From:    Wayne Robarge <augsec@uncecs.edu>
Subject: Re: STONED virus/ McAfee Associates (PC)
 
Boy, this must be STONED week. In simple terms (Patricia Hoffman does
it MUCH better) the STONED, like BRAIN and JOSHI, is a boot sector
infector on floppies. EVERY PC floppy contains executable code on the
boot sector if only just enough to tell you it is not bootable. Unless
you have a special machine, if it boots, hot or cold, with a floppy in
drive A, a PC will execute this code. (MACs are worse - put a floppy
in the drive and code gets executed, you do not have to boot)
 
If a machine is booted with a STONED-infected disk in A, the first
thing that happens is that the viral code is run (it is in sector 1).
After doing its thing (which may or may not include the message "Your
PC is Stoned" (or some variant or none) but does include going
resident at the TOM), it then runs the original boot sector that it
stored in the last of the seven root directory sectors (this will
occasionally corrupt a disk). To remove from a floppy, you can just
use DEBUG to replace the boot sector with good code. (two keystrokes
and change the disk - repeat as often as necessary). No code or data
usually need be lost.
 
In the case of a hard disk, it still infects sector 1 but here this is
the partition table. It then stores the real table in (hidden) sector
7. On boot, the same process occurs: the BIOS calls sector 1 which has
the virus. It goes resident and then calls the real partition table.
Again, to disinfect all that is necessary is to copy sector seven onto
sector one but be sure you know what you are doing (multiple
infections such as JOSHI/STONED which is possible are more tricky).
 
A couple of products such as McAfee's VSHIELD can protect against
accidental warm boots. Again, it takes hardware to protect a cold boot
though integrity checking software at the BIOS level can detect such
an infection immediately.
 
Personally, I am now MORE sick of seeing the STONED than the
JERUSALEM.
 
					Warmly, Padgett
 
ps Anyone know where the party at the World Trade Center is going to
be ?
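
Padgett's description above of how STONED relocates a hard disk's partition sector (original master boot record saved at sector 7, virus at sector 1) and the copy-sector-7-over-sector-1 repair, as an added example that is not part of the digest or any poster's code: a Python check over a raw image of cylinder 0, head 0 that detects the relocation pattern and applies the repair only when the saved copy passes plausibility checks. The image is constructed, sector numbers are the 1-based BIOS numbers used in the post, and the requirement that both sectors carry the same partition table is my own safety assumption, not something the post states.

```python
"""Added example (not from the digest): inspect a raw image of cylinder 0,
head 0 of a PC hard disk for a partition sector that has been relocated to
sector 7, and restore it by copying sector 7 back over sector 1.  Sector
numbers are 1-based BIOS numbers.  The sample image below is constructed;
no virus code is involved."""
SECTOR = 512
PT_OFFSET = 446           # partition table: four 16-byte entries
SIG_OFFSET = 510          # 0x55 0xAA boot signature

def read_sector(image: bytes, bios_sector: int) -> bytes:
    """Return one 512-byte sector of a head-0 image by its 1-based number."""
    start = (bios_sector - 1) * SECTOR
    return image[start:start + SECTOR]

def write_sector(image: bytes, bios_sector: int, data: bytes) -> bytes:
    """Return a copy of image with the given sector replaced."""
    start = (bios_sector - 1) * SECTOR
    return image[:start] + data + image[start + SECTOR:]

def partition_table(sector: bytes) -> bytes:
    return sector[PT_OFFSET:SIG_OFFSET]

def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility test: boot signature present, every boot indicator is
    0x00 or 0x80, at most one active entry, at least one non-empty type."""
    if len(sector) != SECTOR or sector[SIG_OFFSET:] != b"\x55\xaa":
        return False
    entries = [sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)] for i in range(4)]
    flags = [e[0] for e in entries]
    if any(f not in (0x00, 0x80) for f in flags) or flags.count(0x80) > 1:
        return False
    return any(e[4] != 0 for e in entries)

def relocated_mbr_present(image: bytes, saved_sector: int = 7) -> bool:
    """True when the saved sector holds a plausible MBR whose partition
    table matches sector 1 but whose code body differs: the pattern a
    relocation leaves behind.  A clean disk normally has an empty sector 7.
    Assumption: the relocated copy and the live sector share one table."""
    current, saved = read_sector(image, 1), read_sector(image, saved_sector)
    return (looks_like_mbr(saved) and looks_like_mbr(current)
            and partition_table(saved) == partition_table(current)
            and saved[:PT_OFFSET] != current[:PT_OFFSET])

def restore_partition_sector(image: bytes, saved_sector: int = 7) -> bytes:
    """Copy the saved MBR back over sector 1.  Refuses (ValueError) unless
    the relocation pattern is present, so a clean or differently damaged
    disk is left untouched for a human to look at."""
    if not relocated_mbr_present(image, saved_sector):
        raise ValueError("no relocated partition sector found; not touching disk")
    return write_sector(image, 1, read_sector(image, saved_sector))

def make_mbr(code_label: bytes, table: bytes) -> bytes:
    """Build a constructed 512-byte MBR: label padded with NOPs, table, signature."""
    return code_label.ljust(PT_OFFSET, b"\x90") + table + b"\x55\xaa"

# Constructed sample table: one active FAT16 partition (type 0x06) starting
# at CHS 0/1/1; bytes 8-15 hold LBA start and size, little-endian.
SAMPLE_TABLE = (b"\x80\x01\x01\x00\x06\x3f\x3f\x9f" + (17).to_bytes(4, "little")
                + (40000).to_bytes(4, "little")) + b"\x00" * 48
ORIGINAL_MBR = make_mbr(b"constructed original boot code", SAMPLE_TABLE)
OTHER_SECTOR1 = make_mbr(b"constructed unrelated sector 1", SAMPLE_TABLE)

def sample_image(relocated: bool) -> bytes:
    """Eight-sector head-0 image; relocated=True places the original MBR at
    sector 7 and a different code body at sector 1, as the post describes."""
    image = b"\x00" * (SECTOR * 8)
    if relocated:
        image = write_sector(image, 1, OTHER_SECTOR1)
        return write_sector(image, 7, ORIGINAL_MBR)
    return write_sector(image, 1, ORIGINAL_MBR)
```

A real run would read the first eight sectors of the drive into `image` with a raw sector reader and write only sector 1 back, after taking a copy of both sectors first.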
 
------------------------------
 
Date:    Tue, 19 Feb 91 23:17:00 -0400
From:    <LISSA@WHEATNMA.BITNET>
Subject: Mac viruses (Mac)
 
Although Mac viruses are easier to write, they are written in a much
more simple-minded way.  That is, each just has one thing in mind...to
mess up a Mac.  However, if you're keeping count of viruses, there are
fewer Mac viruses (I think the last count was at 16) than there are for
PC's, although PC viruses are usually much more sophisticated.
 
------------------
 
My opinion is my very own, and does not necessarily represent the
	opinion of my employers.
 
Melissa Jehnings
Student Manager | Academic Computing Center
Wheaton College's Technologist User's Group | Secretary
Wheaton College
Norton, MA 02766
BITNET: LISSA@WHEATNMA, WUG@WHEATNMA
 
------------------------------
 
Date:    Mon, 18 Feb 91 18:11:25 -1100
From:    "Luis B. Chicaiza S." <LCHICAIZ@ANDESCOL.BITNET>
Subject: Compucilina (PC)
 
Due to the great quantity of mail that I have received about
Compucilina, I offer the following clarification:

Compucilina vaccinates programs (.EXE, .COM, disk boot sectors, and system
programs) by adding a little piece of executable code.  The net effect is
that when a vaccinated program is executed, if at that moment a
virus is installed in the computer, the vaccine (the code added to the
program) prevents the virus from infecting the program.

Compucilina is a non-scanning anti-virus; its operation does not depend on
a particular virus, therefore it is equally effective against current
and future viruses.
 
                             Luis Bernardo Chicaiza Sandoval
 
More information:
Luis B. Chicaiza S.
Phone: (91)2 02 23 78
Universidad de los Andes Bogota, Colombia
mail address: <LCHICAIZ@ANDESCOL.BITNET>
 
 
PS:   Free copies are not available.  Compucilina is a commercial product and
      costs US$70, plus remit costs.
 
------------------------------
 
Date:    19 Feb 91 15:55:09 +0000
From:    campbell@dev8n.mdcbbs.com (Tim Campbell)
Subject: Re: IBM Virus Scanner. (PC)
 
CHESS@YKTVMV.BITNET (David.M.Chess) writes:
> "Pete Lucas" <PJML@ibma.nerc-wallingford.ac.uk>:
>>Can anyone tell me whether any new signature files have been released
>>for the IBM Virus Scanner? I currently have release 1.2 of this
>>program, which is at a guess around 6 months old; has there been any
>>update of the program??
>
> The current version is 1.3; another version should be out pretty soon.
> Price continues to be $35 for an enterprise-wide license, and
> something like $10 for upgrades.  Available through your IBM marketing
> rep, branch office, IBMLINK, etc.
 
I have the IBM Virscan program (don't recall version) and am looking
for same files.  These files are just ascii text organized with a line
which describes the virus (it's name - a short comment about it)
followed by a line containing a hex-string (in the form: xx xx xx xx
xx, etc.) to find indicating that this disk/file contains this virus.
This makes it real easy to add new viri signatures to the library
using any text editor.
 
My disk only has about 30 signatures.  These signatures do not need to
come from IBM - they can come from anywhere.
 
To re-state the question - is there anywhere that I can find a list of
such signatures?  Reading this forum for a while - I occasionally see
one posted for an individual virus in a post.  I'm wondering if there
is any list being maintained by some individual or organization.  I
understand there are now more than 300 signatures.  My 30 means I'm <
10% protected.
 
I will search IBMLink for information on Virscan signatures and post
results if I find anything.  If anybody else knows a source, posting
the list, or at least the name of the source would be GREATLY
appreciated.
 
Thanks
  -Tim
 
  ---------------------------------------------------------------------------
	  In real life:  Tim Campbell - Electronic Data Systems Corp.
     Usenet:  campbell@dev8.mdcbbs.com   @ McDonnell Douglas M&E - Cypress, CA
       also:  tcampbel@einstein.eds.com  @ EDS - Troy, MI
 CompuServe:  71631,654	 	         Prodigy:  MPTX77A
 P.S.  If anyone asks, just remember, you never saw any of this -- in fact, I
       wasn't even here.
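
The two-line signature file layout Tim describes above (a description line "name - comment", then a line of space-separated hex bytes), as an added example that is not the IBM Virscan program's own code: a Python parser for that layout plus a scan of a byte buffer against every pattern. The signature file and the scanned data are constructed placeholders that match nothing real, and the minimum pattern length is my own assumption, not something Virscan enforces.

```python
"""Added example (not from the digest, not IBM's code): read a text
signature file in the "description line, then hex line" layout and scan
bytes for the patterns.  All sample data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    comment: str
    pattern: bytes

def parse_signature_file(text: str) -> list[Signature]:
    """Pair each description line with the hex line that follows it.
    Blank lines are skipped; a malformed hex line raises ValueError naming
    the entry rather than silently dropping a signature."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: a signature lacks its hex string")
    sigs = []
    for desc, hexline in zip(lines[0::2], lines[1::2]):
        name, _, comment = (part.strip() for part in desc.partition(" - "))
        try:
            pattern = bytes.fromhex(hexline)   # "xx xx xx" form; spaces ignored
        except ValueError as exc:
            raise ValueError(f"bad hex string for {name!r}: {hexline}") from exc
        if len(pattern) < 8:   # assumed floor: short patterns fire on innocent files
            raise ValueError(f"signature {name!r} too short ({len(pattern)} bytes)")
        sigs.append(Signature(name, comment, pattern))
    return sigs

def scan(data: bytes, sigs: list[Signature]) -> list[tuple[str, int]]:
    """Return (name, offset) for every occurrence of every signature in data."""
    hits = []
    for sig in sigs:
        pos = data.find(sig.pattern)
        while pos != -1:
            hits.append((sig.name, pos))
            pos = data.find(sig.pattern, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])

def merge_signature_files(*texts: str) -> list[Signature]:
    """Combine lists from several sources, dropping duplicate patterns so a
    signature posted to the forum and one already on disk count once."""
    seen, merged = set(), []
    for sig in (s for t in texts for s in parse_signature_file(t)):
        if sig.pattern not in seen:
            seen.add(sig.pattern)
            merged.append(sig)
    return merged

# Constructed signature file: the hex lines spell "CONSTRUCTED-A" and
# "PLACEHOLDER-B" in ASCII and correspond to no real virus.
SAMPLE_SIGNATURES = """\
Sample-A - constructed placeholder, not a real virus
43 4f 4e 53 54 52 55 43 54 45 44 2d 41
Sample-B - second constructed placeholder
50 4c 41 43 45 48 4f 4c 44 45 52 2d 42
"""

# Constructed "file" contents: 40 bytes of NOP filler, the first marker, padding.
SAMPLE_FILE = b"\x90" * 40 + b"CONSTRUCTED-A" + b"\x00" * 20
```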
 
------------------------------
 
Date:    Wed, 20 Feb 91 06:20:00 -0500
From:    John Perry KG5RG <PERRY@UTMBEACH.BITNET>
Subject: McAfee Products (PC)
 
        This is just a short note to let everyone know that the new
McAfee suite of products is available on beach.gal.utexas.edu.
 
                              John Perry KG5RG
                              University of Texas Medical Branch
                              Galveston, Texas  77550-2772
 
You can send mail to me at any of the following addresses:
 
DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
Internet : john.perry@f365.n106.z1.fidonet.org
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet  : 1:106/365.0
 
------------------------------
 
End of VIRUS-L Digest [Volume 4 Issue 30]
*****************************************