LUKEN@IBM1.CC.Lehigh.EDU (The Moderator Kenneth R. van Wyk) (05/06/89)
VIRUS-L Digest Friday, 5 May 1989 Volume 2 : Issue 107 Today's Topics: Bad sectors and viruses (PC) Re: UK Conference (Anti-Virus Software) Anti-Virus Progs against Boot Sector Viruses (PC) "Benign" Viruses Den Zuk Virus (PC) Forward Message From J. McAfee regarding boot viruses (PC) More papers available --------------------------------------------------------------------------- Date: Thu, 4 May 89 19:12:43 -0400 From: Joe Sieczkowski <joes@scarecrow.csee.Lehigh.EDU> Subject: Bad sectors and viruses (PC) >I think this has been discussed before, but is there a mechanism >by which a virus can hide in a bad sector? How does DOS declare >that a given sector is "bad", i.e. where on the disk does the >information reside? Can a bad sector be protected from being >reformatted if the virus author was clever enough? Yes, this topic has been discussed. If a virus is on a sector before format, it needs some kind of driver (a program) to read it off the sector and into memory to become executed. If that sector is marked bad by prep (this is possible), I believe the data that was contained on the sector will still be there. Joe ------------------------------ Date: Fri May 5 00:04:06 1989 From: utoday!greenber@uunet.uu.net Subject: Re: UK Conference (Anti-Virus Software) I can't speak of what else is on the disk in the UK, but I have given them full permission to include FLU_SHOT+ on that disk.... Ross M. Greenberg, Author, FLU_SHOT+ ------------------------------ Date: Fri May 5 00:10:43 1989 From: utoday!greenber@uunet.uu.net Subject: Anti-Virus Progs against Boot Sector Viruses (PC) Agreed: no program which runs *after* a boot (which defines just about all programs, right?) is going to be effective against a boot time virus. Just as no matter how good the lock on your door, it won't work against Da Bad Guys unless you take the precaution of actually turning the key and locking the door. Simply don't boot off somebody else's diskette and you have effectively locked your door against them. In the event that you're already infected with a boot virus, there are quite a few anti-virus products which will prevent such a virus from further spreading off your system to some innocent floppy you might be accessing... Ross M. Greenberg ------------------------------ Date: Thu, 4 May 89 23:48:16 pdt From: well!odawa@lll-winken.llnl.gov (Michael Odawa) Subject: "Benign" Viruses In VIRUS-L 2.105 (May 4, 1989), David Stodolsky said, > The virus - worm combination has both negative and positive implications. > In the biological world, virii have been very effective in controlling > bacteria that cause disease in farm animals, etc. ... The key problem seems > to be how to develop a virus that has no negative affects, except on an > invading agent. Are there any wizards, virus writers, etc. who will accept > this challenge? I certainly hope not. If you've written software for general public use, you know it is extremely difficult to identify and eliminate subtle, unintended bugs. The last thing I want is for some self-proclaimed wizard to release viral code that s/he "thinks" has no negative side effects. The thing about viral propagation is that there's no calling the virus back; once it's been released it spreads all over, and you can't recall the code for a bug fix. It will pollute the environment for time immemorial. The only good virus is a dead one; they're too dangerous even for programs with good intentions. Michael Odawa Software Development Council odawa@well.uucp ------------------------------ Date: Fri, 5-May-89 02:57:03 PDT From: portal!cup.portal.com!Gary_F_Tom@Sun.COM Subject: Den Zuk Virus (PC) The following message was originally posted on the Homebase BBS (408 988-4004) in Santa Clara, CA. Original-Date: 05/02/89 17:14:26 Original-Sender: JOHN MCAFEE Original-To: HOMEBASE VIRUS RESEARCHERS The Den Zuk (The Search) virus that I received from Ball State University appears to be yet another version of the original floppy-only variety. From an external observation I determined that it still contained the bug that causes it to attempt (incorrectly) to infect 3.5" floppies, thereby causing the file allocation table to be accidentally overwritten. It does not activate on monochrome systems but still contains the time delay at <Ctrl>-<Alt>-<Del> entry, and will remove itself from memory if a hard disk boot occurs. It will infect non-system disks and if such disks are then booted, the virus installs itself, displays a the message - "non-system disk or disk error" and then infects the next diskette loaded and booted. There was no apparent destructive code within this version. Jim Goodwin currently has this sample under the knife and should have a full report momentarily. I want to again caution all Homebase researchers not to *FIX* this virus. It isn't broken. The 3.5" infection bug is the only thing that has alerted us to the corruptive versions that have replaced the graphic display with a date/time activation check (usually followed by bad news). If this bug is fixed for testing or other purposes, and the resultant modification escapes (as you know it will), we will have the worst virus yet seen. If you find something *WRONG* with any virus, please note the code discrepancy and refer it here for logging, along with any comments you might like to make about the slovenly techniques of the original designer. Just don't fix it. Thanks. John ------------------------------ Date: Fri, 5-May-89 09:31:41 PDT From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Forward Message From J. McAfee regarding boot viruses (PC) Forwarding message from John McAfee, dated 5/5/89: I noticed David Chess' comments on the SYS command and boot sector viruses. It is important for everyone to understand that the SYS command will ALWAYS remove a boot sector virus. The command does overwrite the boot sector and will remove the virus control code. Now, it will not, of course, replace any bad sectors created by the virus or remove the virus extension code, where the main body of the virus may be saved. Bit this doesn't matter since that code can never be executed without the virus boot sector being active. The result is that the diskette my have one or two K less in available space. The only drawback to using the SYS command is that all versions of the Pakistani Brain will continue to have BRAIN as the volume label, even after the SYS command is executed. The reason that I am taking the time to belabor what appears to be a minor difference in opinion, is that the SYS command is, and has been, our front line of action whenever we receive calls about boot infectors. Everyone has this command in the DOS utilities and everyone who can type the three letters of the command can successfully use it. I ask Mr. Chess to PLEASE take a live virus and verify what I have just stated. It would be unfortunate for people not to use this simple and effective tool. ------------------------------ Date: Fri, 5 May 89 14:55:23 EDT From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk) Subject: More papers available The folks at the HomeBase BBS have been kind enough to send us a couple more papers. Here is the info: "Implementing Anti-Viral Programs" by John McAfee. Copyright (C) 1989. available on lll-winken.llnl.gov for anonymous FTP in ~ftp/virus-l/docs/av-imple.hb "Anti-Viral Product Evaluation" by Jim Goodwin, Lynn Marsh, and Tim Sankary. Copyright (C) 1989. available on lll-winken.llnl.gov for anonymous FTP in ~ftp/virus-l/docs/av-eval.hb These papers will be available via other sources (e.g., LISTSERV@LEHIIBM1) as soon as I get the time to put them there. Thanks to the authors of these papers! Ken ------------------------------ End of VIRUS-L Digest *********************