LUKEN@IBM1.CC.Lehigh.EDU (The Moderator Kenneth R. van Wyk) (05/16/89)
VIRUS-L Digest             Tuesday, 16 May 1989        Volume 2 : Issue 116

Today's Topics:

"Virus-Proof" PC - an oxymoron?
Certus (PC) disagreement
Comment on Stop a BOOT virus at boot time (PC)
Certus (PC)
PC Virus List

---------------------------------------------------------------------------

Date: Mon, 15 May 89 10:26:04 EDT
From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk)
Subject: "Virus-Proof" PC - an oxymoron?

I just saw this in the May 1989 Byte magazine (page 65):

  "The Immune System, a DOS-based 80286 computer, is designed for
  security by one of the largest computer security companies in the
  nation.  Along with some things you'd expect on a standard clone, such
  as 1 Mb of RAM, a 1.2 Mb 5 1/4 inch floppy disk drive, and a 40 Mb
  hard disk drive, there's a 'virus-proof' feature that keeps
  unauthorized .EXE and .COM files from entering or running on the
  system.  There's also a modem package that purports to secure and
  encrypt real-time conversations, as well as provide a system-use audit
  trail, a system-access audit trail, and nearly 25 more security
  features.  American Computer Security Industries has even gone so far
  as to secure the clock so only specified users can set or change the
  time."

Sounds like quite a claim.  Anyone have any more specific information
or comments?

Ken

------------------------------

Date: Mon, 15 May 89 13:42:52 EDT
From: "W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
Subject: Certus (PC) disagreement

Disagree?  With what?  I reported precisely what happened when this
routine was evaluated here.  One installation went flawlessly, the next
produced the events previously reported.  I am certainly glad to hear
of the experiences of others with this package - but since I was not
with them at the time, I cannot "disagree" with their results any more
than they can "disagree" with mine.  We each report the results of our
investigations, be they convergent or divergent, according to our
perceptions at the time.
:-)
........................................................................
|W. K. "Bill" Gorman         Foust Hall # 5                            |
|PROFS System Administrator  E-Mail & Message      Computer Services   |
|Central Michigan University Encryption/Security Mt. Pleasant, MI 48859|
|34AEJ7D@CMUVM.BITNET        Virus Countermeasures (517) 774-3183      |
|_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_|
These comments reflect personal opinions held at the time this was
written.  Copyright (C) 1989 W. K. Gorman.  All rights reserved.

------------------------------

Date: Mon, 15 May 1989 13:47:12 EDT
From: Steven C. Woronick <XRAYSROK@SBCCVM.BITNET>
Subject: Comment on Stop a BOOT virus at boot time (PC)

Stanley Fragakis suggests altering boot sectors so that the boot program
over-writes everything in memory with F4FA, but this of course kills the
machine, should you attempt to boot from such a disk(ette).  So I must
assume that the intention is to do this only to non-system diskettes
which nobody in their right mind would want to boot from anyway
(although some of us try).  Hence, the penalty for trying to boot a
non-system diskette is no longer the usual message, but a (temporarily)
dead computer which must be powered down and back up again.  Of course,
going through this a few times ought to be good memory-training for
remembering to remove non-system diskettes before re-booting
(ironically, if you remembered not to do this, all the time, then it
would be entirely unnecessary).  I don't however understand the concern
over halting the PC in a proper manner if it's dead anyway.  Correct me
if I'm wrong.

Steven C. Woronick     | Disclaimer:  These are my own opinions.
Physics Dept.          |   Check it out for yourself!
SUNY at Stony Brook    |
Stony Brook, NY 11794  |
Acknowledge-To: <XRAYSROK@SBCCVM>

------------------------------
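The halt-fill boot sector that the message above discusses, as an added example that is not part of the digest and is neither Fragakis's nor Woronick's code. It assumes that "F4FA" means the 16-bit word 0xF4FA, which STOSW stores little-endian as the byte pair FA F4 (CLI; HLT on the 8086), that the interrupt vectors and BIOS data area below 0x0500 are left untouched, and that the sector may relocate itself to 0x9F00:0000 before filling so that the first 64 KiB pass (which covers 0x7C00, where the BIOS loaded it) cannot cut the loop short. The function names and the 0x9F00 relocation address are this example's own choices. The Python merely hand-assembles and sanity-checks the 512-byte image; the image itself is 8086 machine code.

```python
"""Hand-assembled 8086 boot sector for the "fill memory with F4FA" idea
discussed in the message above.  Added example: not Fragakis's or
Woronick's code, and not from the digest.

Assumptions made here (the digest does not spell them out):
  * "F4FA" is the 16-bit word 0xF4FA.  STOSW stores it little-endian,
    so memory ends up holding the byte pair FA F4 = CLI; HLT, and any
    stray execution that lands in filled memory stops at once.
  * Addresses below 0x0500 (interrupt vectors, BIOS data area) are left
    alone; everything from 0x0500 to 0x9FFFF (640 KiB) is filled.
  * The sector first copies itself to 0x9F00:0000 so that filling the
    first 64 KiB (which covers 0x7C00, where the BIOS loaded it) cannot
    cut the loop short.  The last pass overwrites the relocated copy as
    well; the next instruction fetch then hits CLI; HLT, which is the
    intended end state.
"""

# Entry code, executed at physical 0x7C00 with interrupts disabled.
ENTRY = bytes([
    0xFA,                   # cli
    0xFC,                   # cld               ; string ops go upward
    0x31, 0xC0,             # xor ax, ax
    0x8E, 0xD8,             # mov ds, ax
    0x8E, 0xD0,             # mov ss, ax
    0xBC, 0x00, 0x7C,       # mov sp, 0x7C00
    0xBE, 0x00, 0x7C,       # mov si, 0x7C00    ; source: this sector
    0xB8, 0x00, 0x9F,       # mov ax, 0x9F00
    0x8E, 0xC0,             # mov es, ax        ; destination segment
    0x31, 0xFF,             # xor di, di
    0xB9, 0x00, 0x01,       # mov cx, 0x0100    ; 256 words = 512 bytes
    0xF3, 0xA5,             # rep movsw         ; copy ourselves high
])
FAR_JMP_OFF = len(ENTRY)    # jmp 0x9F00:reloc sits right after ENTRY


def build_halt_boot_sector(fill_word: int = 0xF4FA) -> bytes:
    """Return a 512-byte boot sector image that fills RAM with fill_word."""
    lo, hi = fill_word & 0xFF, (fill_word >> 8) & 0xFF
    reloc = FAR_JMP_OFF + 5             # offset of the fill code in the sector
    far_jmp = bytes([0xEA, reloc & 0xFF, reloc >> 8, 0x00, 0x9F])
    setup = bytes([
        0xB8, lo, hi,           # mov ax, fill_word ; same byte order STOSW writes
        0x31, 0xDB,             # xor bx, bx        ; first segment 0x0000
        0xBF, 0x00, 0x05,       # mov di, 0x0500    ; skip IVT and BDA
        0xB9, 0x80, 0x7D,       # mov cx, 0x7D80    ; words from 0x0500 to 0xFFFF
    ])
    loop_body = bytes([
        0x8E, 0xC3,             # next: mov es, bx
        0xF3, 0xAB,             # rep stosw         ; write AX to ES:DI, CX times
        0x31, 0xFF,             # xor di, di
        0xB9, 0x00, 0x80,       # mov cx, 0x8000    ; a full 64 KiB from now on
        0x81, 0xC3, 0x00, 0x10, # add bx, 0x1000
        0x81, 0xFB, 0x00, 0xA0, # cmp bx, 0xA000    ; stop at 640 KiB
    ])
    jb_next = bytes([0x72, (-(len(loop_body) + 2)) & 0xFF])  # jb next
    tail = bytes([0xF4, 0xEB, 0xFD])    # hlt; jmp back to hlt (never reached)
    code = ENTRY + far_jmp + setup + loop_body + jb_next + tail
    if len(code) > 510:
        raise ValueError("code does not fit in a boot sector")
    return code + bytes(510 - len(code)) + b"\x55\xAA"   # BIOS boot signature


def describe(sector: bytes) -> dict:
    """Static checks on an image from build_halt_boot_sector()."""
    if sector[FAR_JMP_OFF] != 0xEA:
        raise ValueError("no far jump where expected")
    reloc = int.from_bytes(sector[FAR_JMP_OFF + 1:FAR_JMP_OFF + 3], "little")
    fill = bytes(sector[reloc + 1:reloc + 3])   # imm16 of mov ax, in memory order
    return {
        "size": len(sector),
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "reloc_offset": reloc,
        "fill_bytes": fill,
        "fill_is_cli_hlt": fill == b"\xFA\xF4",
    }


if __name__ == "__main__":
    image = build_halt_boot_sector()
    print(describe(image))
    with open("haltboot.bin", "wb") as f:   # destined for a never-boot diskette
        f.write(image)
```

The image belongs only on the first sector of a diskette you never intend to boot from. A machine that does boot it ends up exactly as Woronick describes: it halts with interrupts disabled, so nothing but a reset or power cycle brings it back. Note that the immediate of `mov ax, imm16` is stored in the same byte order that STOSW writes to memory, which is why `describe()` can read the eventual fill pattern straight out of the instruction.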
Date: Mon, 15 May 89 16:29 EDT
From: "J. D. Abolins" <OJA@NCCIBM1.BITNET>
Subject: Certus (PC)

While I have not tested FoundationWare's CERTUS package, I have tested
two versions of its predecessors (VACCINE and CORPORATE VACCINE).  With
each version improvements were definitely made.

When I tested VACCINE, I had it crash during installation due to
insufficient disk space.  When that happens, one cannot move forward or
backwards, so to say.  Regular software will not run because VACCINE
has not approved it, and VACCINE could not be uninstalled using its
uninstall utility unless it was properly installed.  In CORPORATE
VACCINE, the manual addresses this and other problems.

My overall impression of FoundationWare's products is that they are
dealing with various methods of protection (fine) but they are very
strict and require much "fine-tuning".  They are best used on systems
that need the special security features, that are intended for limited
functionality (a word processing/database workstation) and that are
stable (not undergoing constant change).

NOTE: This is my last week at this ID.  I am transferring to another
position, one that doesn't entail working with NCC.  Although I may
have an alternate BITNET access later on, little is known now.  Should
anybody need to contact me:

  By post:   J. D. Abolins
             301 N. Harrison Street; # 197
             Princeton, NJ 08540
  By phone:  (609) 448-7814
  By BITNET via Ralph Mortensen:  RMX@NCCIBM1

Thank you.

------------------------------

Date: Tue, 16 May 89 15:08:24 +0300
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: PC Virus List

With the exponential increase in the frequency of new PC virus reports,
I've come to feel that I'm getting lost without a catalog of such
viruses.  Evidently several others have felt the same way, for they
have prepared, or are in the process of preparing, catalogs which
include descriptions of each of the viruses.  My goal is more modest:
to simply *list* them.
And that's far from easy considering that lately I hear of at least one
new virus every week (and, of course, there may be many which I haven't
heard of).  Anyway, here's what I've got so far, arranged in (hopefully)
chronological order.

                         PC-DOS/MS-DOS Viruses
                         =====================

                                        Min # of
    Names                               Strains  Type                    First Appearance
    -----                               -------  ----                    ----------------
 1. Brain, Pakistani                       7     Boot sector             Jan 86
 2. Merritt, Alameda, Yale                 7     Boot sector             Apr? 87
 3. South African, Friday 13th             2     COM D                   87
 4. Lehigh                                 2     COMMAND.COM             Nov 87
 5. Vienna, Austrian                       2     COM D 648               Dec? 87
 6. Israeli, Friday-13, Jerusalem          9     COM/EXE R 1813/1808     Dec 87
 7. April-1-Com                            1     COM R 897               Jan 88
 8. April-1-Exe                            1     EXE R 1488              Jan 88
 9. Ping-Pong, Bouncing-Ball, Italian      2     Boot sector             Mar 88
10. Dos-62, Unesco                         2     COM D                   Apr 88
11. Marijuana, Stoned, New Zealand,        2     Boot sector; partition  Early 88
    Australian                                   record on hard disk
12. Cascade, Autumn, Blackjack             6     COM R 1701/1704         Sep 88 (87?)
13. Agiplan                                1     COM 1536                Oct 88
14. Oropax, Music                          1     COM RD 2756 to 2806     Feb 89
15. Venezuelan, Den Zuk, Search            6     Boot sector             Early 89?
16. dBASE                                  1     COM/EXE R               Mar 89
17. DataCrime                              2?    COM D 1168 (1280?)      Mar 89
18. Missouri                               1     ?                       Apr 89
19. Nichols                                2?    Boot sector             ?
20. 405                                    1     COM DO 405              Apr? 89
                                          --
                    Total # of strains    58

Notes:

1. In the "Type" column, "COM" or "EXE" indicates the type of files
   infected.  "R" stands for "resident", meaning that when an infected
   program is run the virus makes itself RAM-resident (hooking one or
   more interrupts); usually such a virus infects each subsequently
   executed program (of the appropriate type, e.g. COM files).  "D"
   stands for "direct", meaning that it searches the disk for an
   uninfected file and infects it; normally such a virus does not stay
   resident.  (However, it is possible for a virus to be both resident
   and direct in this sense, as in the case of the Oropax.)  "O"
   indicates that the virus overwrites the beginning of the file
   instead of appending or prepending itself to it.
   The number(s) after the "R" or "D" indicate the number of bytes by
   which the virus extends files which it infects; the number after the
   "O" is the number of bytes overwritten.

2. I include only those viruses which have spread publicly, as opposed
   to localized test viruses (of which there may be hundreds).

3. Questionable cases: (a) Although I have included the dBASE virus
   reported by Ross Greenberg, Jim Goodwin claims that it does not
   replicate and hence is not a virus.  But it's possible that Jim and
   Ross are talking about two different things.  (b) Similarly, I have
   heard of spreadsheet viruses which occasionally change a value by a
   small amount, but I have not included them in the table.  Jim says
   that the Lotus 123 virus does not replicate either, but again it's
   possible that he's speaking of something else.

A difficult question is when to say that two given viruses are (a)
distinct viruses, (b) different strains of the same virus, or (c) the
same strain of the same virus.  I have adopted the following rule: If
one virus has apparently been obtained from the other by improving the
code in some sense, then we have case (b).  If the code is the same,
and the only differences are messages or other strings, then we have
case (c).  However, if something which makes a more important
difference in the behavior, such as the target date or the triggering
value of the number of infections, has been changed, then I classify
it as case (b).  Otherwise (i.e. if the code is significantly
different), we have case (a).

I'm sure there will be disagreements with my table on certain points,
particularly the dates.  In any case, corrections and additions are
welcome.  (Please send your corrections directly to me; I'll post an
updated version of this table whenever the need arises.)

For those interested in descriptions of these viruses, 11 of them are
described in Jim Goodwin's catalog.
(He says that his catalog describes 48 viruses, but he is counting each
strain of each virus separately.)  Dave Ferbrache has rearranged Jim's
catalog so that all strains of the same virus are grouped together.  He
has also added a few more viruses and made the resulting document
available on the Heriot-Watt server.

There are several additional catalogs in existence or in preparation.
One is currently being prepared by the Virus Test Center at the Univ.
of Hamburg under the direction of Prof. Klaus Brunnstein.  Another is
being prepared by David Ferbrache (his will include algorithms or
pseudo-code for each of the viruses).

Finally, acknowledgments: Since I have only 7 viruses in my possession
at present, I have obviously had to draw on information provided by
others.  Postings in VIRUS-L are too numerous to mention individual
names, but among those who have corresponded with me personally, I
would like to thank Dave Ferbrache, Alan Solomon, Klaus Brunnstein,
Bernd Fix, and Otto Stolz.

                                        Y. Radai
                                        Hebrew Univ. of Jerusalem

------------------------------

End of VIRUS-L Digest
*********************
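The byte counts in the "Type" column of Radai's table put to use, as an added example appended after the digest that is neither Radai's code nor part of VIRUS-L: a baseline-and-rescan integrity check over COM and EXE files that reports growth matching one of the listed increments, and separately flags files whose contents changed without any change in size, which is what an overwriting infector such as the 405 ("O" type) leaves behind and what a size-only check would miss. The increments are copied from the table; SHA-256 stands in for whatever checksum a 1989 tool would have used; the sample files and the tampering in demo() are constructed; and every name (KNOWN_INCREMENTS, fingerprint, baseline, scan, ...) is this example's own.

```python
"""Baseline-and-rescan integrity check driven by the "Type" column of
Radai's table.  Added example: not from the digest and not Radai's code.

The size increments below are copied from the table.  The files, the
tampering in demo(), and every name here are this example's own; SHA-256
stands in for whatever checksum a 1989 tool would have used.
"""
import hashlib
import os
import tempfile

# Bytes by which an infection extends a file, from the table's "Type" column.
KNOWN_INCREMENTS = {
    648: "Vienna/Austrian",
    1813: "Israeli/Jerusalem", 1808: "Israeli/Jerusalem",
    897: "April-1-Com", 1488: "April-1-Exe",
    1701: "Cascade", 1704: "Cascade",
    1536: "Agiplan",
    1168: "DataCrime", 1280: "DataCrime (?)",
}
OROPAX_RANGE = range(2756, 2807)   # "RD 2756 to 2806"
# Overwriters like the 405 ("O" type) change content but not size, so a
# size-only check misses them; that is why the baseline also keeps a hash.


def fingerprint(path):
    """(size, hash) of one file."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()


def baseline(root):
    """Size and hash of every COM/EXE file directly under root."""
    return {name: fingerprint(os.path.join(root, name))
            for name in sorted(os.listdir(root))
            if name.upper().endswith((".COM", ".EXE"))}


def classify_delta(delta):
    """Map a size change to a table entry, or describe it generically."""
    if delta == 0:
        return "modified in place, size unchanged (overwriter?)"
    if delta in KNOWN_INCREMENTS:
        return KNOWN_INCREMENTS[delta]
    if delta in OROPAX_RANGE:
        return "Oropax/Music"
    return "unknown change of %+d bytes" % delta


def scan(root, base):
    """Rescan against a baseline; returns (name, delta, label) per changed file."""
    findings = []
    for name, (size0, hash0) in base.items():
        size1, hash1 = fingerprint(os.path.join(root, name))
        if hash1 == hash0:
            continue                      # unchanged; size would match too
        delta = size1 - size0
        findings.append((name, delta, classify_delta(delta)))
    return findings


def demo():
    """Constructed scenario: baseline three programs, tamper with two of
    them the way table entries would, then rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("EDIT.COM", 4000), ("WS.EXE", 9000), ("CHKDSK.COM", 2500)):
            with open(os.path.join(root, name), "wb") as f:
                f.write((bytes(range(256)) * (size // 256 + 1))[:size])
        base = baseline(root)
        # EDIT.COM grows by 1813 bytes, one of the Israeli/Jerusalem increments
        with open(os.path.join(root, "EDIT.COM"), "ab") as f:
            f.write(b"\x90" * 1813)
        # CHKDSK.COM keeps its size: first 405 bytes replaced, as the 405 does
        with open(os.path.join(root, "CHKDSK.COM"), "r+b") as f:
            f.write(b"\xCC" * 405)
        return scan(root, base)


if __name__ == "__main__":
    for name, delta, label in demo():
        print("%-12s %+6d  %s" % (name, delta, label))
```

The point of keeping a hash next to the size is the second finding: CHKDSK.COM shows no growth at all and would pass a size-only check, yet its contents changed. A matching increment is only a hint about which table entry to suspect; a non-matching growth is still a change and still gets reported.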