From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #6
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Tuesday, 14 Jan 1992    Volume 5 : Issue 6

Today's Topics:

Virus vector Identified (PC)
Odd Problem with F-PROT 2.01 (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Re: Question re Stoned (PC)
Re: password program (PC)
Re: List of Viruses (PC)
Re: Norton Anty Virus (PC)
Re: Joshi Virus and IDE Hard Drives (PC)
Re: Norton Anty Virus (PC)
Re: List of Viruses (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Philosophy and Time (PC)
Info about UNIX viruses (UNIX)
I/O bound CPU bound definitions
New Antivirus Organization Announced
Write protection - software

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: 09 Jan 92 15:57:05 +0000
From: suned1!slced1.Nswses.Navy.Mil!lev@elroy.Jpl.Nasa.Gov (Lloyd E Vancil)
Subject: Virus vector Identified (PC)

The following received wide distribution at this location. I strongly advise anyone out there who works for Uncle Sam to be aware and take proper steps.

L.V.
[Printed with permission]

5230
01-MB
8 JAN 92

MEMORANDUM

From: Executive Officer

Subj: COMPUTER VIRUS

Ref: (a) CINCPACFLT Pearl Harbor HI 250649Z Dec 91

1. Following extracted from reference (a) and forwarded for your information:

QUOTE

1. Information has been received concerning the receipt (principally by Public Affairs Offices (PAO)) of a quantity of rambling, disjointed literature and a computer disk from a "Masterfard Muhammad" of Chicago, IL. Some of the packages were mailed from Manhattan and Junction City, Kansas.

2. The diskette enclosed with the material has been found to contain a version of the "stoned" computer virus which is a boot sector virus which will contaminate the hard disk of a personal computer when booted and cause a "hard disk crash" to the infected microcomputer.

3. If the material described above is received, do not open the package. Contact your servicing NIS activity for disposition instructions.

UNQUOTE

M. S. BACIN

Distribution D

- --
|suned1!lev@elroy.JPL.Nasa.Gov|lev@suned1.nswses.navy.mil|sun!suntzu!suned1!lev |
|S.T.A.R.S. The revolution has begun!| My Opinions are Mine mine mine hahahah! |

------------------------------

Date: 09 Jan 92 12:40:00 -0600
From: "William Walker C60223 x4570"
Subject: Odd Problem with F-PROT 2.01 (PC)

While testing F-PROT 2.01 against my suite of captive viri, I noticed a curious behavior. When F-PROT prompted to "Press ENTER to scan next diskette," I swapped diskettes, pressed ENTER, and F-PROT began scanning the diskette, but the files it reported scanning were those on the previous diskette. Removing and reinserting the diskette didn't help any. Only when I quit and restarted the program did it scan the diskette correctly. However, this was 100% repeatable -- when I changed diskettes again F-PROT reported scanning the files on the first diskette.
Other scanners work correctly when scanning multiple diskettes, and the machine (Unisys 3256 25MHz 386 w/12MB RAM, 3.5" and 5.25" floppies, 340MB SCSI hard disk, DOS 4.01) is working OK. No disk-caching programs are resident. Booting from a clean, pure DOS 4.01 floppy didn't help, either. Also, this problem was only present with drive B: (5.25" 360K). F-PROT otherwise worked OK, and when it correctly read the diskettes, it detected all viri presented.

Has anyone else encountered this problem with F-PROT 2.01? Does anyone have any ideas what might be causing this, if it's not F-PROT? Please excuse me if this has already been brought up -- I haven't had the opportunity to read through all of my back issues of VIRUS-L as thoroughly as I would like to.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL )
OAO Corporation
Arnold Engineering Development Center
M.S. 120
Arnold Air Force Base, TN 37389-9998
"That's not a bug, that's a feature!" - Anonymous

------------------------------

Date: 09 Jan 92 19:17:38 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Looking for info on "Friday the 13th" virus (PC)

forbes@cbnewsf.cb.att.com (scott.forbes) writes:

> I also have a PC which recently lost its hard drive, at approximately
> the stroke of midnight on Friday, December 13. :-) I don't think this
> is a coincidence, and would like to find out more about the virus in
> question to prevent a recurrence.

> The hard disk received a low-level format, but I still don't know the

All the viruses which activate on Friday 13th that I know (lots of Jerusalems and South Africans) delete files; they do not format the drive. The Hybrid virus overwrites the hard disk, but as far as I remember, it does this only on Friday 13th in 1992 and later...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De
Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246
Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 09 Jan 92 19:37:12 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question re Stoned (PC)

HAYES@urvax.urich.edu writes:

> At any rate, "Stoned" seems to be history in our lab, if only because
> it does not seem to infect 3.5" diskettes (which we've recently
> switched to).

Stoned infects 3.5" diskettes perfectly, but it only does this on drive A: (on the first physical drive, more exactly). They have probably installed 3.5" drives as drive B: and/or above.

> My question is this. For the benefit of many users who only have
> 5.25" drives at home and want to use one of our 3.5" PC's, we set up a
> 3-floppy PC with menu-driven software for file copying and diskette
> formatting. A: & B: drives are 360K and 1.2M (respectively); C: is
> 1.44M. D: is the hard drive. If ever a PC would be susceptible to

With this configuration, even if both the floppies in drive A: and the hard disk (D:) are infected and even if the virus is active in memory, the copies from drive B: and above will never get infected.

> (Like I say--I know "Stoned" is still around here.) Is there
> something about the four-disk controller setup (or the drive name
> "D:") that creates an immunity to "Stoned"? Or have we been
> incredibly lucky?

As I said, you cannot infect the copies you make. As to why you have not been infected yet, I guess you just had luck and didn't try to boot from an infected disk (that is, didn't forget an infected disk in drive A:).

Hope the above helps.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De
Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246
Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 09 Jan 92 20:14:05 +0000
From: bob1@cos.com (Bob Blackshaw)
Subject: Re: password program (PC)

bdrake@oxy.edu (Barry T. Drake) writes:

>Another way to reset the CMOS is to disconnect the battery.
>If it's a soldered-in NiCad, try draining it completely with a light bulb
>or other load (unless you *really* want to unsolder it).
>- --Barry (bdrake@oxy.edu)

Please don't use a light bulb. Look around the motherboard near the built-in NiCad for an in-line 4 pin Berg connector (4 vertical pins) which are usually provided for replacement of the NiCad by an out-board battery. Two pins should be jumpered together, sort of like so

    o o o o
    + N -

where + and - are the usual external battery connections and N is the positive side of the NiCad, so the + and the N would be jumpered together. The negative side of the NiCad is connected to the ground plane of the MB. Removing the jumper and shorting + and - will drain your CMOS. I think most MB mfrs did this so that we would not have to take a soldering iron to a six-layer MB (shudder).

Bob B.

------------------------------

Date: 09 Jan 92 17:57:10 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: List of Viruses (PC)

GLWARNER@SAMFORD.BITNET (THE GAR) writes:

> Someone faxed me a list of viruses, that I believe he got from Center
> Point, with codes for him to enter to update his virus information for
> the package. He sent it to me to show how many viruses Center Point
> protected him from that McAfee fails to protect me from.

Unfortunately, I don't have the latest version of CPAV, but I'm rather disappointed by the one I last saw. It has a lot of fancy menus but is not a -very- good anti-virus tool. Especially having in mind that it is based on TNTVIRUS, which is an -extremely- bad anti-virus tool.

As to SCAN, its latest version (85) is pretty good in detecting infections.
During the tests it failed to detect only about 63 different variants of our virus collection, which consists of more than 1,000 different virus variants. Unfortunately, you must always have in mind that you MUST NOT DRAW ANY CONCLUSIONS FROM SCAN'S OUTPUT OTHER THAN WHETHER A PARTICULAR FILE IS INFECTED OR NOT. Any information SCAN may give you about the actual name of the virus, the number of viruses in the file, the properties of the virus, the relationship of the virus to other viruses, very often has nothing to do with the truth and can be quite misleading. Fortunately, most users do not need anything more than a program which tells them whether any new files they get are infected or not.

> My question (McAfee rep?) is whether these are actually detected by
> McAfee but called something else.

Very often SCAN uses a different name; replies to this question follow each of the viruses you ask about.

> Also, can anyone identify any of the following that are especially
> prevalent? Or are these mostly "laboratory" viruses?

Most of them are not widespread.

> Twelve Tricks

This is not a virus, it's a trojan. It does not spread, so it cannot be widespread. SCAN recognizes it as 12 Tricks Trojan [Tricks].

The following are boot sector viruses. I don't have them in live form, so I was unable to test how well SCAN recognizes them.

> Golden Gate 1
> Golden Gate 2

These are supposed to be Yale variants. I have only one variant of Yale and I doubt pretty much that others exist - until I see them.

> Stoned III

This is known also as NoINT.

> Zapper

Stoned variant.

> Den-Zuk 2

Probably the virus called Ohio.

> Anthrax PT
> Omicron PT (More well known as Flip)

The above two are multi-partite viruses. This means that they infect both files and boot sectors. Probably by PT the guys at CPS mean that they can detect the virus not only in the files, but also in the partition table. Big deal.

Well, now about the file infectors.

> Kylie
> Faggot

I never succeeded in making these work and spread. In fact, I suspect that Faggot is a trojan, not a virus. You can guess how "widespread" they are. Anyway, SCAN identifies them as

Kylie: Jerusalem Related [Jeru]
Faggot: VHP Related [VHP]

> 740
> April 15
> France

I don't know what they mean by these names. In general, it's a bad practice to use a number, a date, or a place as a name of a virus. I certainly don't know all the infective lengths of our more than 1,000 viruses by heart, but I don't remember one with an infective length of exactly 740 bytes. Maybe Fridrik Skulason can correct me. April 15th is the activation date of a variant of the Murphy virus, called Swami. SCAN detects it as Murphy [Murphy]. There are at least three viruses from France; what they probably mean is the Paris virus. SCAN detects it as Paris [Paris].

> Lunch
> PC Bandit
> Doctor
> Drug

Never heard about these. They are either new ones, or very obscure names of old viruses.

> 805

This is probably one of the Stardot variants. SCAN detects it as V-801 [V801]. Not spread at all.

> 1590

This is probably the Green Caterpillar. SCAN detects it as 1591/1575 [15xx]. Not spread.

> Amoeba 2

This is probably the Maltese Amoeba. Watch out if you live in Ireland; the virus is quite widespread there. It's a dangerous polymorphic multi-partite fast infector. SCAN detects it as Irish [Irish].

> Anarkia

A Jerusalem variant. SCAN detects it as Jerusalem Related [Jeru] and Fu Manchu - Version A [Fu]. Not spread.

> Beast C
> Beast D

These are No. of the Beast variants. This virus has 13 variants, all of them detected as 512 [512] by SCAN. Some of the variants are (not very widely) spread in Bulgaria.

> Cascade YAP

There is a misunderstanding here; in fact two different Cascade variants were called by this name. SCAN recognizes both as Yap [Yap]. Not spread at all.

> Dark Lord

A Terror variant. SCAN recognizes it as Terror [Ter]. Found once in the wild in Bulgaria.

> Decide

SCAN recognizes it as Deicide [Dei]. Not spread at all.

> Diamond

SCAN recognizes it as Alfa Related [Alf]. More exactly, it is to say "reports it", since it reports a lot of other (completely unrelated) viruses like this as well. Two variants were once uploaded to a BBS in Bulgaria.

> HIV

A Murphy variant. SCAN recognizes it as Murphy [Murphy]. Never found in the wild.

> Horse II

There are 9 variants of the Horse viruses, so I don't know what they mean by that. SCAN recognizes the first 8 only as Horse [Hrs] (and sometimes reports also 512 [512], which has nothing to do here). Most of them are not very widespread in Bulgaria, mainly in some schools in Sofia. Probably Horse II is the last variant, which SCAN does not detect, since it is a bit different from the others.

> Justice

SCAN recognizes it as Justice [Justice]. Once found in the wild in Bulgaria.

> Phoenix

There are 6 variants of this virus. SCAN recognizes 800 as V800 [V800]; 1226, Phoenix, Proud, and Evil as P1 Related [P1r]; and V82 as [V82]. Relatively widespread in Bulgaria and several times uploaded to BBSes in West Europe.

> Suomi

SCAN recognizes it as 1008 [1008]. Not very widespread in Finland.

> Tequila

SCAN recognizes it as Tequila [Teq]. Widespread in West Europe, a polymorphic multi-partite fast infector. Beware.

> Vienna 656

SCAN recognizes it as Lisbon Virus [Lisbon] and VHP Related Virus [VHP]. Not spread at all.

> Virdem 792

SCAN recognizes it as Burger [Burger]. Not spread at all.

> Vriest

SCAN recognizes it as Vriest [Vrst]. Not spread.

Hope the above helps.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De
Fachbereich Informatik - AGN, rm.
107 C
Tel.:+49-40-54715-224, Fax: -246
Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Thu, 09 Jan 92 21:12:29 +0000
From: brian@norton.com (Brian Yoder)
Subject: Re: Norton Anty Virus (PC)

CEZAR@PLEARN.BITNET (Cezar Cichocki) writes:

> Hi folks,
> I use Peter Norton's program and I am very interested in his antiviral
> program. Somebody told me that there is a Shareware version of NAV
> (about 1.5 or something like this). Is this true ?

No, there is no version of NAV in the public domain or as shareware. I suspect that someone is pulling your leg (and perhaps his own).

- --
Brian K. Yoder (brian@norton.com)
Peter Norton Computing Group, Symantec Corporation
Q: What do you get when you cross Apple & IBM?
A: IBM.

------------------------------

Date: Fri, 10 Jan 92 01:59:39 +0000
From: mcafee@netcom.netcom.com (McAfee Associates)
Subject: Re: Joshi Virus and IDE Hard Drives (PC)

arg@netcom.netcom.com (Greg Argendelli) writes:

>How are people removing the Joshi virus from IDE hard drives? Based
>on what I have read in Patricia's VSUM program, the only way to remove
>the virus is via a low-level format. Since we can't do such a format
>on an IDE, do we wind up trashing the drive? Inquiring minds need to
>know. McAfee's scan/clean find it, and claim to clean it, but
>don't....

Hi Greg,

I'm not sure what the problem is that you are having with VIRUSCAN and CLEAN-UP, but it sounds like the PC in question is becoming re-infected after removal of the virus. You may want to check any floppies in the vicinity of the PC and see if they have the virus on them and are re-introducing it.

In any case, if CLEAN-UP says that a virus cannot safely be removed from the partition table, you have several options available to you other than doing a low-level format.

1. If you're so inclined, you can copy the partition table off of an identically partitioned hard disk and copy it over the PT of the infected hard disk.

2. If you have MS-DOS 5.00, you can run the DOS FDISK command with the /MBR option. This is an undocumented switch in the FDISK command that replaces the Master Boot Record code (alias partition table) while leaving the data portion intact.

3. Use a sector editor to change the last two bytes of the partition table, which are "55 AA", to anything else. This will invalidate the partition table information, and you can then re-FDISK and FORMAT the disk.

Naturally, there is always a small amount of risk in doing any of this, so it's always a good idea to make a backup of the hard disk before proceeding.

Another possibility is that you do not have the virus at all and instead are experiencing a "ghost" effect, that is, when a fragment of viral code is left at the end of a file somewhere on the disk that is loaded into memory with the file and causes a false alarm. This can be fixed by running a disk optimizing program to defragment the disk, or there's a program somewhere in the simtel archives called COVERUP or COVERUP1 that will null-out the ends of files.

BTW, I assume that you have tried using the latest (V85) version of CLEAN-UP to remove the virus, both with the [JOSHI] and [GENP] ID codes, as well as giving M-DISK a shot (if formatted with DOS 3-4).

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
McAfee Associates           | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street         | FAX   (408) 970-9727 | "Welcome to the alligator
Santa Clara, California     | BBS   (408) 988-4004 | farm..."
95054-0253 USA              | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield    | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Fri, 10 Jan 92 05:33:23 +0000
From: rslade@cue.bc.ca (Rob Slade)
Subject: Re: Norton Anty Virus (PC)

CEZAR@PLEARN.BITNET (Cezar Cichocki) writes:

>program. Somebody told me that there is a Shareware version of NAV
>(about 1.5 or something like this). Is this true ?

No, it is not true.
A number of people are posting the upgrade virus signature files on private BBSes. Norton does not condone this either.

==============
Vancouver Institute for Research into User Security
p1@arkham.wimsey.bc.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca
CyberStore Dpac 85301030
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security

------------------------------

Date: Fri, 10 Jan 92 09:05:58 +0000
From: Fridrik Skulason
Subject: Re: List of Viruses (PC)

In Message 3 Jan 92 20:09:42 GMT, GLWARNER@SAMFORD.BITNET (THE GAR) writes:

>1590          Golden Gate 1
>740           Golden Gate 2
>805           HIV
>Amoeba 2      Horse II
>Anarkia       Justice
>Anthrax PT    Kylie
>April 15      Lunch
>Beast C       Omicron PT
>Beast D       PC Bandit
>Cascade YAP   Phoenix
>Dark Lord     Stoned III
>Decide        Suomi
>Den-Zuk 2     Tequila
>Diamond       Twelve Tricks
>Doctor        Vienna 656
>Drug          Virdem 792
>Faggot        Vriest
>France        Zapper

Some of the names in the list are old and well-known viruses, such as Anarkia, Cascade YAP, Dark Lord, Deicide, Diamond, HIV, Justice, Kylie, Phoenix, Suomi, Tequila, the Vienna variants and Vriest. The others are either not viruses (12 Tricks), a case of bad naming practices, or (in a few cases) something I have never heard of, such as Drug and Lunch.

- -frisk

------------------------------

Date: Fri, 10 Jan 92 09:28:26 +0000
From: Fridrik Skulason
Subject: Re: Looking for info on "Friday the 13th" virus (PC)

There are around 20 viruses which activate on Friday the 13th, such as "South African" (which may not be South African at all), Jerusalem (with a bunch of variants), Datacrime (well, sort of...), Relzfu (Fake-VirX), Monxla, Leningrad and Omega. Unfortunately the available information is not specific enough to determine which virus is the cause in this case.

- -frisk

------------------------------

Date: Fri, 10 Jan 92 11:10:42 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Philosophy and Time (PC)

For over a year now we have been discussing simple techniques for virus prevention - not 100% techniques, but then stopping the spread does not require 100%; it is significantly less. Lately, I have come to realize that virus spread is best modeled using a diffusion-limited aggregation process from Fractal Geometry: infected populations grow in clusters, and larger clusters grow faster but slow again as they approach a limit imposed by the envelope.

While the math is complex, the underlying fact is not - if the clusters never exceed a certain size, epidemics do not occur. Consequently, I have focused my work not on 100% prevention with the draconian measures that this would incur but on a gentler process that provides a near-certain likelihood (I have not mastered all of the math yet) of blocking viruses, with little or no effect on the PC.

Initially, I decided to concentrate on the BIOS viruses - those infecting the MBR (master boot record) and BR (DOS Boot Record) of hard disks. There were two reasons for this: First, not many people seemed to be working in this primeval area. Second, the rules were simpler and I felt that it would be possible to avoid the Turing "halting" difficulty since the system at that point is rigorously defined.

The results were several: DISKSECURE was the first technology demonstrator, though its roots go back several years to a pair of programs designed to detect the Pakistani Brain (also see the "Six Byte" method). Observations made at that time led to some DS principles. Of course, the real problems came from compatibility with all of the diverse systems used around the world, only discoverable in practice.
I wish to thank all of the V-L people who provided feedback on what did not work, which permitted me to accumulate a database of "compatibility requirements" - seventeen bytes in one area that could not be depended on to be stable, operating systems that expected certain registers to be passed intact, etc. In comparison, a manufacturer who only has to worry about his current hardware and software has it easy. I have a tremendous respect for all of the anti-virus vendors who manage to write programs that WORK. The marvel is not that they work so well, the marvel is that they work at all (paraphrased from a quote but I have no idea whose). No wonder most third-party FORMAT routines simply put code in the BR that says "This disk is not Bootable".

As is usual in later generations, I found that while DS was effective in its purpose, less rigorous methods would suffice for anti-virus work. This led to the SafeMBR concept - an MBR that also did integrity checking using a special pair of rules but did not have to go resident (unlike DS) to be effective. This was followed by NoFBoot, a small TSR designed to prevent "accidents" that (IMHO) cause most MBR infections. The final step, CHKSMBR (a non-resident program included in FixMBR v 2.1), simply verifies that SMBR has not been tampered with and permits Network authentication as well.

This complete "layered" system is IMHO capable of knocking out the spread of all known MBR viruses (that account for over 50% of all computer virus infections - data from McAfee Associates - and all of the latest round of "shrink-wrapped" infections including the Dec. Novell incident).

Of course, and again IMHO, where this technology belongs is in the Operating Systems. It is trivial to incorporate SafeMBR techniques into FDISK, and NoFBoot could easily be incorporated into either the hidden files or COMMAND.COM. FixMBR simply demonstrates a virus-aware repair capability easily included in FDISK as an extension of the /MBR switch in 5.0.

One clone manufacturer has shown an interest and I have seen an indication that Compaq may be working this area also (though how seriously I have no idea), but thus far that is the extent.

In any event, with the completion of FixMBR v 2.1, my feeling is that this study has gone far enough and that other things are more interesting (besides, over the holidays I came close to exhaustion and zero-free-time has been a fact of life for too long now). Consequently, for the next while I plan to use what time is available for studying networks (I see the potential for some serious liabilities implicit in peer-peer networks that cannot require use of login scripts), Fractals, and putting my Pontiacs together.

Warmly,
Padgett

------------------------------

Date: Thu, 09 Jan 92 17:57:00 +0100
From: "Olivier M.J. Crepin-Leblond"
Subject: Info about UNIX viruses (UNIX)

Could someone please forward me info about *any* UNIX viruses. I'm not talking about worms, but actual viruses, comparable to MS-DOS viruses, for example. I'd just like a description of them (if any). Pointers to sources of info are also welcome.

Thanks,

Olivier M.J. Crepin-Leblond, Communications Sys., Elec. Eng. Dept.
Imperial College of Science, Technology and Medicine, London, UK.
- Internet/Bitnet

------------------------------

Date: Thu, 09 Jan 92 08:45:19 -0800
From: ROBERTS@ratvax.dnet.EDA.Teradyne.COM
Subject: I/O bound CPU bound definitions

nkjle@locus.com (John Elghani) writes:

> 1- A virus obviously is a program that is CPU bound, io bound, ..etc.
> i.e. it occupies system's resources. Some could probably delete
> all files on a system? right?

Let's clarify I/O bound (input/output bound) and CPU bound. These terms refer to computers, not the programs. They simply point out the "weakest link" or "bottleneck". An I/O bound computer means that it is using all of its I/O resources to the maximum, but the CPU is often idle.
CPU bound means that the CPU is processing at its maximum, but there are plenty of unused DMA or I/O channels. To improve the performance of a CPU bound computer, one could buy a faster CPU (not necessarily true for the I/O bound computer).

- - George Roberts
roberts@ratvax.DNET.EDA.Teradyne.COM
decwrl.dec.com!teda!ratvax.dnet!roberts

------------------------------

Date: Thu, 09 Jan 92 16:36:00 -0700
From: "Rich Travsky 3668 (307) 766-3663/3668"
Subject: New Antivirus Organization Announced

The following is from the Dec 30, 1991/Jan 6, 1992 issue of Network World.

Virus Busters Join Hands -- The Antivirus Methods Congress, a newly formed organization to combat computer viruses, was announced last week with the goal of bringing users, vendors and researchers together to tackle virus attacks on networks in the private and government sectors. Dick Lefkon, associate professor at New York University and chairman of the new group, said the organization already has 50 members, including representatives from Martin Marietta Corp., the insurance industry, the state of Arizona's legal department, Northern Telecom, Inc. and universities in Hamburg, Germany, and Iceland.

Any typos are without a doubt mine!

(BTW, anyone have a list/whatever of existing antivirus orgs? Just curious.)

Richard Travsky
Division of Information Technology
University of Wyoming
RTRAVSKY @ CORRAL.UWYO.EDU
(307) 766 - 3663 / 3668
"Wyoming is the capital of Denver." - a tourist
"One of those square states." - another tourist
Home state of Dick Cheney, Secretary of Defense of these here UNITED STATES!

------------------------------

Date: Mon, 06 Jan 92 12:37:22 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Write protection - software

DEFMTH3.CVP 920105

Write protection - software

An aspect related to hardware damage is that of "write protection".
Although this aspect of security is a part of normal computer operation, the details are not necessarily well understood by the general public. In addition, certain procedures related to write protection often recommended as anti-viral measures are of little or no use. They may, indeed, be "dangerous", in that they encourage users to think themselves safe and not to take further measures.

First of all, there is software write protection. Many user manuals for antiviral programs have suggested changing the file attributes of all program files to "read-only" and "hidden". A minor problem with this is that a number of programs write to themselves when making a change in configuration. However, the more major problem is that this action provides almost no real protection. What software (the operating system or protection program) can do, software (a virus) can undo. The overcoming of this protection in MS-DOS is so trivially simple that utility programs, asked to make a change to a protected program, simply remind the user that the file is protected and ask for permission to proceed. (At least, the better written ones ask. Such is the contempt for "read-only" flags that some programs just "do it".)

There are, as well, programs which attempt to write protect the hard disk as a whole, or individual files. Since these programs use methods other than the standard OS calls they are generally more successful in protecting against "outside intrusion". However, I must again repeat that what software can prevent, software can circumvent.

Software write protection must, of course, be running to do any good. Thus boot sector infectors, and any other viri which manage to start up before the software protection is invoked, have little to fear from these programs. Some of the protection programs start themselves as replacements for the master or partition boot record, in order to get around such "early" infectors.
However, in testing none have been able to prevent infection by the ubiquitous "Stoned" virus. (Regular readers of the reviews will note the recent trial of one such hard disk security program which not only did not prevent the infection, but would not, thereafter, allow disinfection! In my reviewing I have come to be much
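Editor's added example, placed after the digest rather than inside any post: a small Python model of the MBR repairs Aryeh Goretsky lists in the Joshi thread (FDISK /MBR rewriting only the code area while the partition table stays, and invalidating the "55 AA" signature so the disk can be re-FDISKed), together with a stored-digest check in the spirit of Padgett Peterson's CHKSMBR. None of this is McAfee, Padgett or DOS code. It runs on a constructed 512-byte sector, the partition entry values are made up, and hashing every byte except the signature is an assumption, since the digest does not say which bytes SafeMBR actually covers.

```python
"""Added example (editor's, not from any post in this digest): a minimal
MBR parser plus the repairs from the Joshi thread, run on a constructed
512-byte sector instead of a real disk.  Layout constants are the standard
PC MBR layout; the sample boot code and partition entry are made up."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (what an MBR virus replaces)
PARTITION_TABLE_OFF = 446      # bytes 446..509: four 16-byte partition entries
PARTITION_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"        # bytes 510..511: the BIOS will not boot without it


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, partition entries and the raw table.
    Raises ValueError if it is not a valid MBR (wrong size or no 55 AA)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55 AA signature: not a valid MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:                     # empty slot
            continue
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "table_raw": sector[PARTITION_TABLE_OFF:510]}


def replace_boot_code(sector: bytes, new_code: bytes) -> bytes:
    """Goretsky's option 2 (what FDISK /MBR does): rewrite only the code
    area and keep the partition table and signature, so the data on the
    disk stays reachable.  The same operation also models what an MBR
    infector does, since it too keeps the table and swaps the code."""
    parse_mbr(sector)                      # refuse to "repair" a non-MBR
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[PARTITION_TABLE_OFF:]


def invalidate_signature(sector: bytes) -> bytes:
    """Goretsky's option 3: clobber the 55 AA bytes.  BIOS and FDISK then
    treat the disk as unpartitioned and FDISK/FORMAT will rebuild it."""
    return sector[:510] + b"\x00\x00"


def mbr_fingerprint(sector: bytes) -> str:
    """Stored-digest check in the spirit of CHKSMBR: compute once after
    install, recompute at each check.  Covering bytes 0..509 is an
    assumption; the digest does not say which bytes SafeMBR checks."""
    return hashlib.sha256(sector[:510]).hexdigest()


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector with one bootable (0x80) FAT16 (type 0x06)
    partition at LBA 63, 100000 sectors long.  The CHS fields are dummies."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xff\xff", 63, 100000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


def demo() -> dict:
    """Install, infect, detect, repair; returns the outcome of each step."""
    # x86 prologue (cli; xor ax,ax; mov ss,ax; mov sp,7C00h) as stand-in boot code
    clean_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
    original = build_sample_mbr(clean_code)
    known_good = mbr_fingerprint(original)          # recorded at install time
    infected = replace_boot_code(original, b"bogus boot code written by a virus")
    repaired = replace_boot_code(infected, clean_code)
    try:
        parse_mbr(invalidate_signature(infected))
        wiped_rejected = False
    except ValueError:
        wiped_rejected = True
    return {
        "tamper_detected": mbr_fingerprint(infected) != known_good,
        # the virus kept the table, so the file system is still reachable
        "table_intact": parse_mbr(infected)["partitions"] == parse_mbr(original)["partitions"],
        "repaired_matches_original": repaired == original,
        "wiped_rejected": wiped_rejected,
    }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

Running the file prints the four outcomes of demo(). The point the Joshi thread makes is visible in the middle step: the infected sector still parses to the same partition table, which is why the data is still readable and why a code-only rewrite (option 2) is enough, whereas option 3 deliberately makes the sector fail validation so the next FDISK starts from scratch.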