[comp.virus] VIRUS-L Digest V4 #27

krvw@CERT.SEI.CMU.EDU ("The Moderator Kenneth R. van Wyk") (02/14/91)

VIRUS-L Digest   Wednesday, 13 Feb 1991    Volume 4 : Issue 27
 
Today's Topics:
 
Observation On An Observation
BOOTCOMP.ZIP - Use BIOS-ints to compare bootsector with saved (PC)
Translation of POLIMER VIRUS (PC)
Is this a virus? (PC)
Re: Boot Sector/Partition Table Protection (PC)
Viruses Via Radio
IBM Virus Scanner. (PC)
Observations & Comments
Request for info on the Ohio virus (PC)
Disinfecting an Appleshare fileserver (Mac)
Leprosy virus signature error (PC)
University Lab Protection (PC)
Viruses in text files
MSDOS built in anti-viral for 40 meg or up hard drive (PC)
 
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
 
   Ken van Wyk
 
---------------------------------------------------------------------------
 
Date:    Mon, 11 Feb 91 15:47:42 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Observation On An Observation
 
An observation on an observation...
David Gursky    dg@titanium.mitre.org writes
 
> Observation 2: Mac viruses are not easier to write than PC viruses for
> [...various reasons deleted...]
> that infect each platform.  When I last checked (and this was awhile
> ago), there were some 5 different Mac viruses, with no more than five
> variations on a particular strain: total of about a dozen Mac viruses.
> At the time, the number of PC viruses numbered 23 distinct strains and
> over a 100 total viruses.  A lot of it has to do with the number of
> vandals writing viruses for the Mac vs. DOS, but it also has to do with the
> relative ease with which viruses can be written for DOS vs. the Mac.
 
There are possibly more practical reasons as to why there are more PC viruses
than Mac viruses: there are MORE PCs than Macs, not just more "vandals
writing", though the two quantities are clearly related.  I saw a blurb a while
back in PC Week saying there were around 45 million PCs in the US (apparently
not counting Europe and elsewhere).  Unfortunately, there was not a
corresponding figure for Macs.  Be that as it may, more PCs means more people
working on them (for one reason or another - some to do work, some to write
viruses).  Something else of note that I've learned from this list is that most
recent viruses have been written in (eastern) Europe.  What is the ratio of PCs
to Macs in Europe?  Predominance of the platform easily leads to more viruses.
And if it's easier to do on a PC...well, it's a frightening scenario.

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668
 
------------------------------
 
Date:    Mon, 11 Feb 91 11:36:00 +0700
From:    AMBASE%RUG.NL@CUNYVM.CUNY.EDU
Subject: BOOTCOMP.ZIP - Use BIOS-ints to compare bootsector with saved (PC)
 
Summary: Reposted by Keith Petersen
 
I have uploaded to SIMTEL20:
 
pd1:<msdos.virus>
BOOTCOMP.ZIP    Use BIOS-ints to compare bootsector with saved
 
This package uses the original BIOS interrupts to get the "current"
boot sector and partition table and compare them with a previously saved copy.
Since the original interrupts are used, no virus can mislead the program.
 
Arjen Merckens (ambase@rugr86.rug.nl)
 
------------------------------
 
Date:    Mon, 11 Feb 91 00:00:00
From:    "Richard Budd" <KLUB@MARISTB.BITNET>
Subject: Translation of POLIMER VIRUS (PC)
 
In answer to Fridrik Skulason's request in VIRUS-L last month for a
translation of a sentence appearing on the POLIMER Virus:
 
A le' jobb kazetta a POLIMER kazetta!  Vegye ezt!
 
I. Szarka at IBM's Budapest office confirmed to me today that the
sentence is in Magyar.  It translates as:
 
The best cassette is the POLIMER cassette!  Buy this!
 
As a systems engineer with our Budapest office, he is very interested in
knowing as much information about this POLIMER virus as possible.  Could
Mr. Skulason please forward details of the POLIMER virus to klub@maristb
on BITNET.  At this time, my IBM account is unfortunately not connected
with any outside networks.
 
======================================================================
Richard Budd              | E-Mail: IBMers    - rcbudd@rhqvm19.ibm
VM Systems Programmer     |         All Others- klub@maristb.bitnet
IBM - Sterling Forest, NY | Phone:              (914) 578-3746
----------------------------------------------------------------------
IBM and Marist College don't ask me for my opinions.  They just let me
play with their computers.
 
------------------------------
 
Date:    Tue, 12 Feb 91 09:33:00 +0700
From:    MIKAEL LINDBERG MORTENSEN <MIKAEL@vax.psl.ku.dk>
Subject: Is this a virus? (PC)
 
  I would like some good advice on viruses.  I am trying to figure out
whether a computer has a virus or the computer is just sick; here
goes:

      While inside a word processor (MS-Word 5.0) the computer
suddenly hung up, or at least the keyboard was disabled.  The speaker
started beeping really madly.  The mouse still worked, though.
  If the computer were hung, the mouse would not work; if the computer
were hung, the speaker would not be beeping but would just make a tone.
Have I got a known virus on my hands, or what?
  Any suggestions are welcomed.
                    *******************************************
                    *      Mikael Lindberg Mortensen          *
                    *      University of Copenhagen  DDBD?    *
                    *      Psychological Laboratory    @EY    *
                    *      Denmark.                     @D    *
                    *       mikael@vax.psl.ku.dk              *
                    *******************************************
 
------------------------------
 
Date:    12 Feb 91 12:01:30 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Boot Sector/Partition Table Protection (PC)
 
Regarding the subject of automatically detecting infections by boot
sector viruses, I just wanted to point out that F-DRIVER.SYS (a part
of my F-PROT package) will detect all known boot sector viruses, and
is also designed to detect new/unknown boot sector and partition table
viruses.  I will, however, include an option in version 1.15 to disable
this check, as it may cause problems on machines with network boot
ROMs.
 
--frisk
 
------------------------------
 
Date:    Mon, 11 Feb 91 11:41:04 -0700
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Viruses Via Radio
 
The January 28th edition of Computer World has an article in the
viewpoint section entitled "Fighting Terminal Terrorism".  The following
appears within it:
 
   Radio frequency interception is a nearly trivial task today.  Using an
   "intercept/transmit" model,  viruses can be injected into communications
   systems with relative ease.  The U.S. government has issued contracts
   for studies on methods of infecting enemy military computers with
   viruses...
 
I was not aware virus transmission by radio had been accomplished.  I
recall a news blurb a few months or so ago about the contracts for
radio transmission of viruses, but I also vaguely remember that the
general consensus was that it was not possible ('course, that
wouldn't stop the government! ;).  So, fact or hype?  Anyone have any
information?
 
Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668
 
------------------------------
 
Date:    Tue, 12 Feb 91 11:08:55 +0000
From:    "Pete Lucas" <PJML@ibma.nerc-wallingford.ac.uk>
Subject: IBM Virus Scanner. (PC)
 
Can anyone tell me whether any new signature files have been released
for the IBM Virus Scanner? I currently have release 1.2 of this
program, which is at a guess around 6 months old; has there been any
update of the program??
 
           Pete Lucas PJML@UK.AC.NWL.IA  G6WBJ@GB7SDN.GBR.EU
 
------------------------------
 
Date:    12 February, 1991
From:    Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: Observations & Comments
 
From:    millerje@holst.tmc.edu (jeffrey scott miller)
 
>Artificial intelligence?  For what purpose?  99% of scanning for
>viruses just requires looking for a "search string".
 
However, scanners are only one form of integrity protection for a PC.
A good AI program will be able to "learn" a system configuration,
which programs are allowed to do what, and flag the user if something
unusual takes place.  The prime problem with such schemes today results
from too many "false positives" to avoid any "false negatives".
Enigma Logic's VIRUS-SAFE, Certus Int'l's CERTUS, and Mr. McAfee's
VSHIELD are good second generation products available today, but the
third generation is going to have to include some form of AI as
described above.
 
---------------------------------------------------------------
 
From:    merckens@dbf.kun.nl (Merckens A)
 
>The solution, which can be found in BOOTCOMP.ZIP, is based on methods used
>by these viruses (to catch a thief ....)
 
>After this has been done, the computer should be booted from this floppy.
>The code in the bootsector then catches the original BIOS
>interrupts and patches them to the file BOOTCOMP.exe.
 
>When the program BOOTCOMP.exe is called, it uses the original
>interrupts to get the "current" bootsector and partition table. So even
>if a virus has taken the interrupts, we will indeed get the true
>information, and comparison is correct.
 
This certainly is a better answer than exists under DOS alone, but
there are methods that can be used to achieve the same result with
much less effort.
 
First, the "booting from floppy" requirement was found to be
unacceptable to most users: it was easier to perform the integrity
checking at the BIOS level as suggested and then pass the BIOS "hooks"
in memory. Additional problems are that you will not be notified of an
infection until you run BOOTCOMP after DOS has loaded and each machine
must have its own floppy making maintenance more complicated. Also
this is a difficult proposition when coupled with a "never boot from
floppy" policy or any sort of password protection for the hard disk.
 
-----------------------------------------------------------------------
 
From:    dg@titanium.mitre.org
 
>Observation 2: Mac viruses are not easier to write than PC viruses for
>the same reason Mac application are not easier to write than PC
>applications...Alot of has to do with the number of
>vandals writing viruses for the Mac vs. DOS, but it also has to do the
>relative ease with which viruses can be written for DOS vs the Mac.
 
The real point is not the difficulty of writing the application
(either is simple in comparison to writing a good word processor);
rather it is the total lack of integrity checking in either platform.
Larger systems were forced to design in such systems (and accept the
impact on performance) so that accidental (or malicious) actions by
one user could not take down an entire system.  IBM learned this in the
'50s, as has every other multi-user system manufacturer, but the
original 4.77 MHz PC could not compete with the CP/M machines if the
overhead of a "real" OS was added.  Macs are the same way - performance
takes precedence over protection.  This is neither good nor bad, just a
fact.
 
Today, with 40 MHz 68040s and 33 MHz 80386s, the performance is there
to allow effective integrity assurance unnoticeably (in fact it can be
done on a 4.77 MHz PC); there just has not been much of a market for
it.  MS-DOS 5.00 does not seem to have any more than 1.00 did, and I
would be surprised to find anything in Mac 7.  On both platforms, if
you can write a properly constructed executable file, the CPU will
happily execute it even if it causes self-destruction.
 
Today, what development has been done has largely been by a small
group of dedicated people such as Frisk, Ross Greenberg, Chip Hyde,
Dennis Yelle, Morgan Schweers, Kelly Goen, John Norstad, and Andy
Hopkins (I know this isn't complete) who have taken the time and
trouble to really understand the architecture before making an attempt
at a solution.
 
As far as viruses are concerned, it is difficult to have twenty years
experience in a field that has only existed for four (yes, Fred C.
wrote one in 1984 on the VAX, but I start PCs with the Brain).  From one
standpoint, it is amazing that we have come so far in a short time -
the trouble is that we all want more and know that it can be done.
 
				Warmly,   Padgett
 
ps Have sent a beta copy of DISKSECURE to Ken since my "baroque" system
   prevents binary uploads.  This is the partition table replacement experiment
   mentioned earlier.  No promises or guarantees, nor does it have anything
   to do with my employer.  It just seems to work.  app
 
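The BOOTCOMP posting earlier in this digest and Padgett's comments on it come down to the same check: read the real boot sector and partition table, and compare them with a copy saved while the disk was known to be clean.  What follows is an added example (my own code, not part of BOOTCOMP, DISKSECURE or anything else mentioned here) that does the comparison side on a 512-byte sector image: it verifies the 55AA boot signature, parses the four partition entries, and hashes the boot code and the partition table separately so the report can say which of the two changed.  The sample sectors, their boot-code bytes and the partition geometry are constructed for illustration.  The part that matters on a real DOS machine, reading the sector through the original BIOS INT 13h so a stealth virus cannot hand back a clean copy, is outside what a script like this can do; it only shows the comparison.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE          # four 16-byte partition entries start here
SIG_OFFSET = 0x1FE         # 2-byte boot signature at the end of the sector
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector):
    """Return the four partition entries as dicts (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def fingerprint(sector):
    """Hash boot code and partition table separately; a virus usually changes only the first."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return {
        "signature_ok": sector[SIG_OFFSET:] == BOOT_SIGNATURE,
        "boot_code": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PT_OFFSET:SIG_OFFSET]).hexdigest(),
    }


def compare(saved, current):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if saved["boot_code"] != current["boot_code"]:
        findings.append("boot code changed")
    if saved["partition_table"] != current["partition_table"]:
        findings.append("partition table changed")
    return findings


def make_sample_mbr(boot_code, entries):
    """Build a constructed 512-byte sector: boot code, partition entries, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[SIG_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (not real disk images).  The clean boot code is the
# usual "cli / xor ax,ax / mov ss,ax / mov sp,7C00h" prologue; one bootable
# 16-bit FAT partition (type 06h) starts at LBA 63.
CLEAN_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C", [(0x80, 0x06, 63, 81000)])
# A boot-sector virus typically overwrites the code but leaves the table alone
# so the disk still boots; here the code differs and the entries are identical.
INFECTED_MBR = make_sample_mbr(b"\xEB\x1C\x90\xB8\xC0\x07\x8E\xD8", [(0x80, 0x06, 63, 81000)])
# Partition table tampered with (type changed), boot code unchanged.
TAMPERED_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C", [(0x80, 0x04, 63, 81000)])


def check_image(saved_path, image_path):
    """Compare the first sector of image_path with the saved sector in saved_path."""
    with open(saved_path, "rb") as f:
        saved = f.read(SECTOR_SIZE)
    with open(image_path, "rb") as f:
        current = f.read(SECTOR_SIZE)
    return compare(fingerprint(saved), fingerprint(current))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        findings = check_image(sys.argv[1], sys.argv[2])
    else:
        findings = compare(fingerprint(CLEAN_MBR), fingerprint(INFECTED_MBR))
    print("OK" if not findings else "; ".join(findings))
```

Hashing the two regions separately is the point: a changed partition table with intact boot code looks like an administrator repartitioning, while changed boot code with an intact table is the usual shape of a boot-sector infection, and the two deserve different follow-up.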
------------------------------
 
Date:    Tue, 12 Feb 91 13:03:16 -0400
From:    BOWMAN@morekypr.bitnet
Subject: Request for info on the Ohio virus (PC)
 
Hello virus-l,
 
I just joined the list and I am interested in finding out information
regarding the "Ohio" virus.
 
I've been told it only hits 360K floppies and it infects the boot sector.
 
What I would like to know is what the virus does.  Does it destroy data?
Does it destroy FATs? etc...
 
We have discovered a large number of floppies infected with this virus and
are in the process of cleaning it up.
 
Please respond directly to me.  I will summarize if appropriate.
 
Thanks in advance.
 
Todd Bowman                       bowman@morekypr.bitnet
Manager of Academic Computing
Morehead State University
Morehead, Kentucky
 
------------------------------
 
Date:    Tue, 12 Feb 91 11:07:37 -0700
From:    James Fish <ISTJWF@ASUVM.INRE.ASU.EDU>
Subject: Disinfecting an Appleshare fileserver (Mac)
 
Can anyone give me some advice on how to disinfect an Appleshare
fileserver and protect it from further infection?  The machine is a
Mac SE/30, 4MB RAM, 80MB HD that is used in a computer lab open to
general student use.
 
Thanks!
 
Jim Fish
Student Information Systems
Arizona State University
istjwf@asuvm.inre.asu.edu
                              >>*<<
Advice to the Arizona Legislature:  "Beware of things you might step in...
that foot may later wind up in your mouth."
                              >>*<<
 
------------------------------
 
Date:    Tue, 12 Feb 91 09:48:00 -0500
From:    John Perry KG5RG <PERRY@UTMBEACH.BITNET>
Subject: Leprosy virus signature error (PC)
 
        It has been brought to my attention that the virus signature
in the file VIRUS.NEW on beach.gal.utexas.edu for the Leprosy virus is
in error.  VIRUS.NEW is an addendum to SIGN.TXT used by FPROT114.
Fridrik Skulason has verified that this new signature may cause a
false alarm in some instances. If you have downloaded VIRUS.NEW from
beach.gal.utexas.edu and receive a warning pertaining to the Leprosy
virus it is probably a false alarm. An updated/corrected version of
the file will be available shortly and I will announce its
availability in VIRUS-L.
 
                              John Perry KG5RG
                              University of Texas Medical Branch
                              Galveston, Texas  77550-2772
 
You can send mail to me at any of the following addresses:
 
DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
Internet : john.perry@f365.n106.z1.fidonet.org
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet  : 1:106/365.0
 
------------------------------
 
Date:    Tue, 12 Feb 91 10:11:51 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: University Lab Protection (PC)
 
ACRAY@ECUVM1.BITNET (RAY) writes:
 
> virus protection packages. We have a copy of Virex for our use but
> would like to implement something in the labs. We have looked at SCAN
> but McAfee shareware site licences prices are exceptionally high.  The
> minimum purchase is for use on 100 machines for $3250. We would
 
I would suggest you get a copy of F-PROT from one of the server sites
or a local bulletin board.  We just purchased a site license for 100
machines in a government office for $200, the same for your university
would be $100, I believe.
 
Vancouver          p1@arkham.wimsey.bc.ca           _n_
Institute for      Robert_Slade@mtsg.sfu.ca          H
Research into      (SUZY) INtegrity                 /
User               Canada V7K 2G6                O=C\
Security                            Radical Dude   | O- /\_
                                             /-----+---/ \_\
                                            / |    `  ||/
"A ship in a harbour is safe, but that     /  ||`----'||
is not what ships are built for."             ||      ||
                     - John Parks             ``      ``
 
------------------------------
 
Date:    Tue, 12 Feb 91 11:21:24 +0000
From:    Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
Subject: Viruses in text files
 
With reference to this message:-
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Date:    11 Feb 91 01:16:47 +0000
From:    millerje@holst.tmc.edu (jeffrey scott miller)
Subject: Re: Virus questions (PC)
...........
True.  Viruses cannot infect text files, as they are never executed.  Viruses
CAN look to see if a certain filetype is being accessed (i.e. .DBF), but
since there is no executable code in a text file, there is no way a virus
can "latch" onto the file.
...........
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
There was a long discussion in Virus-L in the past about viruses infecting
text files.  Some systems and programs, when reading text files, treat some
character sequences as escape sequences to tell them to obey the following
characters specially, e.g. reading them as binary into store, or
trojanizing keyboard keys by altering what those keys do.  So viruses <can>
infect or trojanize text files.
{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 12 Feb 91 11:14:56 GMT
 
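The escape-sequence risk Appleyard describes has a concrete DOS instance: when ANSI.SYS is loaded, TYPEing a text file that contains ESC [ code ; "string" ; ... p redefines the key with that code to produce the string, so a "text" file can turn Enter into a command.  The following is an added example (my own code, not from the discussion) that walks the control sequences in a text, leaves ordinary colour (SGR, final byte m) sequences alone, and decodes any key reassignment (final byte p) into the key and the replacement it installs.  The sample text is constructed; the only format assumption is the ANSI.SYS reassignment syntax itself.  Whether such a file does any harm depends entirely on the program that displays it, which is the caveat behind the whole "can text files carry a virus" thread.

```python
ESC = "\x1b"


def iter_csi(text):
    """Yield (params, final_byte, start, end) for each ESC [ ... sequence in text.

    Quoted strings inside the parameter list (the ANSI.SYS form) are kept
    intact: a letter inside quotes does not terminate the sequence.
    """
    i, n = 0, len(text)
    while True:
        start = text.find(ESC + "[", i)
        if start < 0:
            return
        j, quote, params, final = start + 2, None, [], None
        while j < n:
            c = text[j]
            if quote:
                if c == quote:
                    quote = None
                params.append(c)
            elif c in "\"'":
                quote = c
                params.append(c)
            elif "@" <= c <= "~":          # final byte of the sequence
                final = c
                break
            else:
                params.append(c)
            j += 1
        if final is None:                  # unterminated sequence at end of text
            return
        yield "".join(params), final, start, j + 1
        i = j + 1


def split_params(params):
    """Split '13;"del *.* ";13' into [("num","13"), ("str","del *.* "), ("num","13")]."""
    tokens, cur, quote, is_str = [], "", None, False
    for c in params:
        if quote:
            if c == quote:
                quote = None
            else:
                cur += c
        elif c in "\"'":
            quote, is_str = c, True
        elif c == ";":
            tokens.append(("str" if is_str else "num", cur))
            cur, is_str = "", False
        else:
            cur += c
    tokens.append(("str" if is_str else "num", cur))
    return tokens


def decode_key_remap(params):
    """Decode an ANSI.SYS 'ESC [ key ; replacement ... p' parameter list."""
    tokens = split_params(params)
    if not tokens or tokens[0][0] != "num" or not tokens[0][1].isdigit():
        return None
    key = int(tokens[0][1])
    rest = tokens[1:]
    if key == 0 and rest and rest[0][0] == "num" and rest[0][1].isdigit():
        key = (0, int(rest[0][1]))         # extended key (function keys, arrows, Alt-letters)
        rest = rest[1:]
    parts = []
    for kind, val in rest:
        if kind == "str":
            parts.append(val)              # literal text
        elif val.isdigit():
            parts.append(chr(int(val)))    # a bare number is an ASCII code
    return {"key": key, "replacement": "".join(parts)}


def scan_text(text):
    """Classify every control sequence; key remaps are the dangerous ones."""
    findings = []
    for params, final, start, _end in iter_csi(text):
        if final == "p":
            remap = decode_key_remap(params) or {"key": None, "replacement": None}
            findings.append({"kind": "key_remap", "offset": start, **remap})
        elif final == "m":
            findings.append({"kind": "sgr", "offset": start, "params": params})
        else:
            findings.append({"kind": "other", "offset": start, "final": final, "params": params})
    return findings


def scan_bytes(data):
    """DOS text files are single-byte; latin-1 maps every byte to one code point."""
    return scan_text(data.decode("latin-1"))


def is_suspicious(text):
    return any(f["kind"] == "key_remap" for f in scan_text(text))


# Constructed sample: a friendly coloured banner followed by a key bomb that
# turns Enter (code 13) into "del *.* " plus Enter.
SAMPLE = ("Welcome!" + ESC + "[1;32mHave a nice day" + ESC + "[0m\r\n"
          + ESC + '[13;"del *.* ";13p' + "Plain text follows.\r\n")

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
```

Run over a directory of downloaded text before it is TYPEd or READMEd on a machine with ANSI.SYS loaded, any "key_remap" finding is worth a look, while "sgr" findings are the harmless colour codes that BBS text of the period was full of.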
------------------------------
 
Date:    13 Feb 91 11:34:04 -0600
From:    cosc13gb@jetson.uh.edu
Subject: MSDOS built in anti-viral for 40 meg or up hard drive (PC)
 
Using a well-known MS-DOS 3.2 problem of not recognizing 40 megabyte
hard drives, I run suspicious programs on floppies only.
Now, can any known virus infect my hard drive anyway?
Thanks in advance.
  By the way, the University of Houston can disable boot-up from
  drive A: no matter whether you have turned the machine off; that is pretty
  impressive, huh?  But I don't know how they do it.
Please reply to this message or email cosc13gb.jetson.uh.edu
 
------------------------------
 
End of VIRUS-L Digest [Volume 4 Issue 27]
*****************************************