LUKEN@IBM1.CC.Lehigh.EDU (The Moderator Kenneth R. van Wyk) (05/18/89)
VIRUS-L Digest   Wednesday, 17 May 1989   Volume 2 : Issue 118

Today's Topics:

Re: blown floppy disk (PC)
INITs and CUSTOM resources (Mac)
Re: blown floppy disk (PC)
Non Boot Disks (PC)
Virus that infect resource forks (MAC)
(From Jim Goodwin) re: Certus
Stop a BOOT loaded virus at BOOT time (PC)

---------------------------------------------------------------------------

Date: Tue, 1989 May 16 18:51:40 EDT
From: Bob Babcock <PEPRBV@CFAAMP.HARVARD.EDU>
Subject: Re: blown floppy disk (PC)

> I have a 5-1/4" floppy disk under examination for possible virus
>damage, and have run into an interesting problem. The disk acts like
>it is totally unformatted; neither CHKDSK, RECOVER, the Norton stuff,
>or anything else seems to be able to access it. The result of this is
>that I cannot see anything about what has happened to the disk. What I
>need is a good pd or shareware sector editor that can get at the
>absolute sectors w/o trying to read the directory

One technique I have sometimes used for data recovery is to start out
using a sector editor (PATCH is the one I usually use, but most any
should do) on an undamaged disk with the same parameters (number of
sides, sectors/track, etc.). Once you read past the initial sectors,
swap in the damaged disk without telling the program about it. If you
are lucky, you can just keep on reading. A similar swapping technique
with some file copying utilities allows copying files off a disk where
the directory is unreadable.

Another possibility is the Ultra Utilities. These are an old shareware
package, I think no longer supported. With them, you can pick a range
of track numbers, sector numbers and sides and attempt to read them to
see if anything is there.

------------------------------

Date: Tue, 16 May 89 16:44:08 EDT
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: INITs and CUSTOM resources (Mac)

>> ... the virus as a code resource that is preloaded to override an
>> application code resource...
If the application in question allows custom resources (i.e., custom
code supplied for a particular purpose), it could be used as a vector,
but as a single source for spread, it would not be tremendously useful.
The document in question could only spread infections if the CUST
resource was invoked, which keeps most applications from spreading it.
It might be a way that viral code could be introduced, though,
especially if the custom feature was "nice to have". This is documented
(although not from the virus standpoint) in some Tech Note or another,
titled "Getting Through CUSToms".

>INITs, cdevs, and the like are "data" files; they contain no CODE
>resources that make an application an application. Conceivably, they
>could be used to spread a virus as the information in the
>INIT/cdev/... is executed at system startup if the file is in the
>system folder...

Correct, but I think the INIT 31 mechanism (at least in System 6.0 and
up) limits the files that are checked to those of type INIT, cdev, or
rdev, and those files are not allowed to be invisible.

Most Mac viruses (except for ANTI) try to do this to ensure they get
back into RAM at boot time. Some install the INIT resources in the
System file (nVIR, Peace); others take over legal files (Scores). INIT
29 just hits everything in sight, depending on luck to get something
appropriate in the System folder.

 --- Joe M.

------------------------------

Date: Wed, 17 May 89 07:44:26 EDT
From: Harold Pritchett <HAROLD@UGA.UGA.EDU>
Subject: Re: blown floppy disk (PC)

>Date: Tue, 16 May 89 13:40:55 EDT
>From: "W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
>Subject: blown floppy disk (PC)
>
> I have a 5-1/4" floppy disk under examination for possible virus
>damage, and have run into an interesting problem. The disk acts like
>it is totally unformatted; neither CHKDSK, RECOVER, the Norton stuff,
>or anything else seems to be able to access it. The result of this is
>that I cannot see anything about what has happened to the disk.
>What I need is a good pd or shareware sector editor that can get at the
>absolute sectors w/o trying to read the directory (or else a
>reasonably cheap commercial one), although I am not sure that will do
>any good, since I cannot write to the disk (no, it is not write
>protected) either.

The answer here is to use Norton Utilities. While NU will not load if
the bad disk is in the machine, it will work if you start NU with a
good disk in the drive, and then after it is initialized, put your bad
disk in and go into the sector editor.

[Ed. Norton should load with the bad disk if you use its "maintenance
mode", by entering: NU /M on the command line. As with any sector
editor, proceed with due caution.]

Hope this helps

Harold C Pritchett           | BITNET: HAROLD@UGA
BITNET TechRep               | ARPA:   harold@fevax.uga.edu
The University of Georgia    | uucp:   gatech!ugacs!csun1!harold
Athens, GA 30602             | fido:   1:370/16
(404) 542-3135               | Bbs:    SYSOP at (404) 354-0817

------------------------------

Date: Wed, 17 May 89 9:51:28 CDT
From: "Len Levine" <len@evax.milw.wisc.EDU>
Subject: Non Boot Disks (PC)

Steven C. Woronick <XRAYSROK@SBCCVM.BITNET> says, in his recent posting:

> Stanley Fragakis suggests altering boot sectors so that the boot
>program over-writes everything in memory with F4FA, but this of course
>kills the machine, should you attempt to boot from such a disk(ette).
>So I must assume that the intention is to do this only to non-system
>diskettes which nobody in their right mind would want to boot from
>anyway (although some of us try). Hence, the penalty for trying to
>boot a non-system diskette is no longer the usual message, but a
>(temporarily) dead computer which must be powered down and back up
>again.
>[...]

The scheme would be a good one but for one problem. The virus that it
intends to stop has already done its dirty work before the boot block
strikes. If so, the hard disk may be already infected before the
machine halts.
An advantage of the system is that the penalty for booting from a data
disk is increased, thus giving a greater and more strident reminder to
the user not to do this. For this reason I would recommend it.

It does however really smash the user who does not fully understand the
system as s/he will be sure that the symptoms are those of a hardware
problem.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee         Home (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.               Modem (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date: Wed, 17 May 89 10:38:47 EDT
From: dmg@mwunix.mitre.org
Subject: Virus that infect resource forks (MAC)

I'm confused. I thought INIT 29 could infect the resource fork of any
file, not ANTI, but if you are certain it is the other way around, I
will not dispute you, as my knowledge of these two is not firsthand.

------------------------------

Date: Wed, 17-May-89 08:08:27 PDT
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: (From Jim Goodwin) re: Certus

David Zoz was not entirely correct in his comments about the Certus
program. He did indeed help us with the initial selection for our
evaluation and I appreciate his time and efforts. We did not, however,
consider including Certus as a recommended product. We found numerous
serious bugs in the product and we considered it overall to be too
inflexible for the average user. As to Dave's statement that Certus was
second only to Sentry in its ability to detect infections, I don't know
where he obtained that information. We performed full-blown tests
against only the five products listed in the review. The initial
selection process involved limited testing against live viruses.
Jim Goodwin

------------------------------

Date: 17 May 89, 18:25:05 HMT
From: Stanley Fragakis <SSTU011@GRCRUN11.BITNET>
Subject: Stop a BOOT loaded virus at BOOT time (PC)

Hello net-ppl

Those who understood my last posting will find it easy to modify a boot
sector and add the following program: (values in hex)

        cld
        xor     ax,ax
        mov     ds,ax           ; DS = 0, so SI now addresses the BIOS data area
        mov     si,0445h        ; 0:0445h = track of the last diskette transfer
        lodsb                   ; get the track
        or      al,al
        jnz     Error           ; non-zero track: the boot sector was not read from track 0
        lodsb                   ; get the head (0:0446h)
        or      al,al
        jnz     Error           ; non-zero head
        jmp     36h     ; ***** continue with the original boot code
Error:  in      al,61h          ; switch the speaker on (port 61h bits 0 and 1)
        or      al,3
        out     61h,al
        cli
        hlt                     ; stop with interrupts disabled

The first instruction is at offset 1DBh in my MSDOS 3.2 boot sector. You
should change the JMP which is at offset 0 to point to the CLD. The *ed
JMP must branch to the command the offset 0 JMP used to branch to.
Modify the boot sector using DEBUG, i.e. enter DEBUG, load the boot
sector, make the changes, write the sector.

How it works:

There is a 7 byte area starting at 0:442h which contains the status of
the disk controller chip, e.g. where was the last read/write. Using this
information the BIOS can compute the total number of sectors
transferred from/to disk. Location 0:445h contains the track in which
the read/write was completed, 0:446h the head value.

It should(?) be clear what I am trying to do. It is at least logical
that, right after the BOOT sector is loaded, the track we 'land on'
should be 0, since the boot sector is in track 0 and we only read 1
sector. So the byte in 0:445h should be 0. For the same reason the byte
at 0:446h (head) should be 0.

Every boot loaded virus (any objections ?) copies the original BOOT
sector in another part of the disk. When the virus initialization is
completed, the original BOOT is loaded and given control. Obviously at
least 0:445h will be non-zero. The program I suggest suspects that
something is wrong, sounds the beeper and halts the computer.

There is of course a way for a virus to bypass that 'protection', e.g.
don't use the original boot sector at all.

If you have any questions, comments just let me know.
Stanley Fragakis, GREECE
(CSSTU011 at GRCRUN11)

PS. for the greeks: Stanley=Stelios :-)

------------------------------

End of VIRUS-L Digest
*********************
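Editor's added example, not part of the digest and not Stanley Fragakis's code: a Python script that carries out the patching procedure his posting leaves to DEBUG. It hand-assembles the stub from his listing, writes it at offset 1DBh as in the posting, re-points the entry JMP at offset 0 to the stub, and makes the stub's closing JMP go wherever the entry JMP originally went, so the two fix-ups that depend on where the stub sits are computed rather than typed in. The 512-byte sector it patches is a constructed sample (a DOS-style entry JMP of EB 34 90, an OEM name, zero filler and the 55AA signature), not a real DOS 3.2 boot sector, and the assumption that the bytes at 1DBh are free is checked rather than taken on faith. Two details the posting does not spell out are encoded here: both jumps have to be near (E9 rel16) jumps, since 1DBh is out of short-jump range from offset 0 and back, and the check is specific to a diskette boot, because 0:0442h to 0:0448h holds the floppy controller's result bytes (ST0, ST1, ST2, then cylinder, head, sector and sector-size code), which is why 0:0445h and 0:0446h are the track and head.

```python
"""Patch a DOS floppy boot sector with the 0:0445h/0:0446h track-and-head
check from the VIRUS-L posting.  Added example, not code from the digest."""

STUB_OFFSET = 0x1DB        # where the posting put its stub (assumed free in the sample below)
SIGNATURE_OFFSET = 0x1FE   # the 55AA boot signature
STUB_LEN = 29
ERROR_LABEL = 21           # offset of the "Error:" label within the stub


def _rel8(b: int) -> int:
    """Signed 8-bit displacement of a short jump."""
    return b - 0x100 if b & 0x80 else b


def original_jump_target(sector: bytes) -> int:
    """Decode the entry JMP at offset 0 (EB rel8 or E9 rel16) into a sector offset."""
    if sector[0] == 0xEB:                                   # jmp short
        return 2 + _rel8(sector[1])
    if sector[0] == 0xE9:                                   # jmp near
        return 3 + int.from_bytes(sector[1:3], "little", signed=True)
    raise ValueError("offset 0 is not a JMP; not a DOS boot sector?")


def build_stub(stub_offset: int, resume_offset: int) -> bytes:
    """Hand-assembled x86-16 encoding of the posted stub.

    stub+0   FC         cld
    stub+1   31 C0      xor ax,ax
    stub+3   8E D8      mov ds,ax        ; DS = 0 -> SI addresses the BIOS data area
    stub+5   BE 45 04   mov si,0445h     ; floppy controller result bytes live at 0:0442h..0448h
    stub+8   AC         lodsb            ; 0:0445h = cylinder of the last diskette transfer
    stub+9   08 C0      or al,al
    stub+11  75 08      jnz Error
    stub+13  AC         lodsb            ; 0:0446h = head
    stub+14  08 C0      or al,al
    stub+16  75 03      jnz Error
    stub+18  E9 rr rr   jmp resume       ; back into the original boot code
    stub+21  E4 61      Error: in al,61h ; speaker on: port 61h bit 0 (timer 2 gate), bit 1 (speaker data)
    stub+23  0C 03      or al,3
    stub+25  E6 61      out 61h,al
    stub+27  FA         cli
    stub+28  F4         hlt
    """
    jnz1 = ERROR_LABEL - 13              # rel8 is measured from the byte after the jnz
    jnz2 = ERROR_LABEL - 18
    rel = resume_offset - (stub_offset + ERROR_LABEL)   # rel16 from the byte after E9 rr rr
    code = bytes([
        0xFC,
        0x31, 0xC0,
        0x8E, 0xD8,
        0xBE, 0x45, 0x04,
        0xAC,
        0x08, 0xC0,
        0x75, jnz1,
        0xAC,
        0x08, 0xC0,
        0x75, jnz2,
        0xE9, *rel.to_bytes(2, "little", signed=True),
        0xE4, 0x61,
        0x0C, 0x03,
        0xE6, 0x61,
        0xFA,
        0xF4,
    ])
    assert len(code) == STUB_LEN
    return code


def stub_jump_targets(sector: bytes, stub_offset: int):
    """Decode the three jumps of an installed stub back into sector offsets,
    so the relocation can be checked after patching."""
    s = stub_offset
    jnz1 = s + 13 + _rel8(sector[s + 12])
    jnz2 = s + 18 + _rel8(sector[s + 17])
    resume = s + 21 + int.from_bytes(sector[s + 19:s + 21], "little", signed=True)
    return jnz1, jnz2, resume


def patch_boot_sector(sector: bytes, stub_offset: int = STUB_OFFSET) -> bytes:
    """Install the stub and re-point the entry JMP at it.  Refuses to touch a
    sector that is not 512 bytes, lacks the 55AA signature, or has anything
    other than zero filler where the stub would go."""
    if len(sector) != 512 or sector[SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector with a 55AA signature")
    if stub_offset + STUB_LEN > SIGNATURE_OFFSET:
        raise ValueError("stub would overwrite the boot signature")
    if any(sector[stub_offset:stub_offset + STUB_LEN]):
        raise ValueError("bytes at the stub offset are not free")
    resume = original_jump_target(sector)
    out = bytearray(sector)
    out[stub_offset:stub_offset + STUB_LEN] = build_stub(stub_offset, resume)
    # Entry JMP -> stub.  1DBh is out of short-jump range, so use E9 rel16; it is
    # 3 bytes, the room the usual "EB xx 90" takes, so the BPB at offset 3 is untouched.
    out[0:3] = bytes([0xE9, *(stub_offset - 3).to_bytes(2, "little", signed=True)])
    return bytes(out)


def build_sample_sector() -> bytes:
    """Constructed sample for the demo, not a real DOS 3.2 boot sector: a
    DOS-style entry JMP (EB 34 90 -> offset 36h), an OEM name, zero filler
    standing in for the BPB and loader, and the signature."""
    sec = bytearray(512)
    sec[0:3] = bytes([0xEB, 0x34, 0x90])
    sec[3:11] = b"MSDOS3.2"
    sec[0x36:0x38] = bytes([0xEB, 0xFE])   # jmp $ where the real loader code would begin
    sec[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    patched = patch_boot_sector(build_sample_sector())
    print("entry:", patched[:3].hex(" "), "->", hex(original_jump_target(patched)))
    print("stub :", patched[STUB_OFFSET:STUB_OFFSET + STUB_LEN].hex(" "))
    print("jumps:", [hex(t) for t in stub_jump_targets(patched, STUB_OFFSET)])
```

Against a real diskette you would read sector 0 with DEBUG's L command (or any raw-sector tool), run it through patch_boot_sector, confirm with stub_jump_targets that the two JNZs land on the Error label and the final JMP lands where the old entry JMP went, and only then write it back. The free-space check matters on a genuine DOS boot sector, whose tail holds the error-message strings; 1DBh happened to be free in the posting's sector, which is not a given for every DOS version.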