From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #20 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Monday, 3 Feb 1992 Volume 5 : Issue 20 Today's Topics: re: Boot Sectors Nomenclature (PC) .SYS Infector Mentioned In Ferbrache's Book (PC) Empire Virus/Central Point AV (PC) CHKDSK and Viruses (PC) Re: Stoned (PC) virus or hardware failure ? (PC) Flip Virus and Prof. Brunnstein (PC) Naming conventions (PC) VMS Virus detection (VAX/VMS) Comment on Cohen (was re: Cohen's Error) Collecting Infection Information for Paper. Re: FAQ: benign use of viri... Re: Trojan definition? Special case Re: Iraqi Virus Question? Re: New to the forum - question (Beware the) Ides of March VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 30 Jan 92 11:25:44 -0500 From: "David.M.Chess" Subject: re: Boot Sectors Nomenclature (PC) >From: "Otto.Stolz" Good summary of the situation! We always use "MBR" for the MBR around here, so I like the choice of term... *8) One tiny extra complication: I believe that the secondary boot sectors (the ones that the MBR loads) sometimes behave just like the MBR does; that is, they divide up the space that they own into still more partitions, and load and pass control to yet another level of boot sector. I've never had this confirmed directly, but of course since those boot sectors can do anything at all, they can certainly do this. The important question is whether or not the third-level boot sectors can get infected by any existing virus; I think the answer is no, but I'm not sure (It would also be nice to know if DOS ever does this, with "logical partitions" for instance, or if it's just theoretically possible.) >I'd rather see a better term for the following one (suggestions?): > >Partition Boot Sector : A genuine term for the 1st (logical) sector of > a partition on a HD, if you do not want to > refer to a particular operating system. > **Try to avoid this term, as some readers will > confuse it with the PT (or even with the MBR, > due to sloppy language in the past)** We tend to use "System Boot Sector" for this, since that's the boot sector that actually loads an operating SYSTEM. An even less ambiguous term, for when confusion is likely, would be "Operating System Boot Sector". Although that's a little long for everyday use. OSBS? *8) - - -- David M. Chess mI' jIHbe' jay'! High Integrity Computing Lab loD tlhab jIH! IBM Watson Research -- qama''e' ------------------------------ Date: Thu, 30 Jan 92 11:17:00 -0700 From: "Rich Travsky 3668 (307) 766-3663/3668" Subject: .SYS Infector Mentioned In Ferbrache's Book (PC) I'd asked about .SYS infectors in an earlier post. I came across a mention of one in David Ferbrache's new book (A Pathology Of Computer Viruses). This .SYS infecting virus was called Pac-Man (makes a pacman character that eats characters on the screen). It infected MSDOS.SYS and was reported to this list by its author, Roger Gonzalez. Time frame for this was around 1988 it appears. The virus was never released. Apparently its purpose was only to demonstrate the feasiblity of .sys infectors. Hmmm. I wonder if I feel motivated enough to poke through the archives of this list to find this old reference... :) Richard Travsky Division of Information Technology RTRAVSKY @ CORRAL.UWYO.EDU University of Wyoming (307) 766 - 3663 / 3668 ------------------------------ Date: Thu, 30 Jan 92 13:44:26 -0500 From: James_Williams%ESS%NIAID@nih3plus Subject: Empire Virus/Central Point AV (PC) I just got hit by a version of the Empire Virus which is not detected by Central Point AV but is detected by F-Prot and McAfee's Scan. If anyone has any documentation about this virus, please let me know. Thanks - -------------------------------------------- | James Williams | | Bitnet: JWW%ESS%NIAID@NIH3PLUS.BITNET | | Internet: JWW@ESS.NIAID.PC.NIAID.NIH.GOV | | CompuServ: 70304,2462 | - -------------------------------------------- ------------------------------ Date: Thu, 30 Jan 92 16:05:59 -0500 From: Arthur Gutowski Subject: CHKDSK and Viruses (PC) In issue 17, padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: >Actually, there are quite a few things that can cause CHKDSK to return >less than "655,360". >{details deleted} Just like to add some experience with recently putting DOS 5.0 on my machine. I noticed when running DOS 3.3 on my IBM PS/2 Mod50Z that chkdsk used to report 654336 of memory. Now, with DOS 5.0, CHKDSK reports 655360. I don't really know what the cause of this was, and I'm not too interested in finding out (now that I'm DOS 5, I plan to wipe out all my DOS 3 bootable utility floppies, and recreate them with DOS 5). More interesting, though, is the new MEM command available with DOS 5. When I run MEM, it reports 655360 total conventional memory, and 654336 bytes available to IBM DOS. Since I'm reasonably sure that my DOS distribution diskettes were clean (and write protected), and I know I haven't booted from a floppy since installing DOS 5, I am reasonably sure that my system is not infected. F-Prot 2.01 also reports that the system is fine. However, the F-MMAP program from F-Port 1.16 reports 654336 (639K) base memory. This could be because it is talking to DOS, and not the hardware. The memory allocation analysis part of F-Prot 2.01 doesn't reveal anything abnormal. Does anyone have enough experience with DOS 5 to explain this 1K discrepancy (Padgett?) ? Regards, Art ***************** Arthur J. Gutowski Agutows@cms.cc.wayne.edu Wayne State University "There is no dark side of the moon, really. Matter of fact, it's all dark." ------------------------------ Date: 30 Jan 92 15:54:00 -0600 From: "William Walker C60223 x4570" Subject: Re: Stoned (PC) Gary Huntress ( ) writes: > I found and cleaned Stoned from my system this weekend (f-prot is > *GREAT*). I have no idea how long it had been resident, and since I > never saw it trigger (never got the message "You have been stoned"), I > started to wonder what causes it to trigger. A date? A number of > boots? Random? Stoned (or at least Stoned-E) displays its message according to the following: 1. If the machine was booted from an infected floppy, and 2. If the timer byte at 0000:046C is 07. So, for all boots from infected floppies, this has the effect of displaying the message in a pseudo-random pattern, averaging about 1 out of every 8 boots. This number matches what I have seen, both experimentally and "in the wild." However, the hard disk will be infected following ANY boot from an infected floppy. If the machine is booted from an infected hard drive, the message is never displayed. Hope this answers your questions. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "If 'pro-' is the opposite of OAO Corporation | 'con-,' then is 'progress' the Arnold Engineering Development Center | opposite of 'Congress?'" M.S. 120 | - Gallagher Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Thu, 30 Jan 92 23:24:13 +0000 From: mbeyer@ub-gate.UB.com (Mark Beyer) Subject: virus or hardware failure ? (PC) Hi, folks. I'm having a problem with my PC and I'm wondering if I've got a virus. Lately I've had problems running certain programs which had been running fine. These programs fail with illegal instructions (trapped by QEMM) or they just won't load. The problems have been getting progressively worse. And yesterday, my floppies died and the whole machine now locks up if I hit "Num Lock". I figured it must be hardware failure or a virus, but hardware diags and McAfee Scan don't report anything unusual. I also thought it might be a UMB conflict, but I removed QEMM and it still croaks. Any clues ? Does this sound like a familiar virus to you ? Thanks! - -- Mark Beyer mbeyer@ub.com ------------------------------ Date: Thu, 30 Jan 92 19:50:08 -0500 From: Paul Bradshaw Subject: Flip Virus and Prof. Brunnstein (PC) In light of the recent conflict between Fprotect and CPAV I decided I was interested in getting more information about the Flip virus. I was astonished to find that it's not contained in the copies of Prof. Brunnsteins virus list at cert.sei.cmu.edu, nor at any of the other ibm-anti-viral sites. Does anyone out there know where I can get a complete up-to-date version of this list? Does anyone know where I can get a good description of the Flip virus? Additionaly, where are Patricia Hoffmann's virus lists at? Are they not available as shareware? I know this has likely already been covered in Virus-L but my memory is only so good :-) Thanks very much in advance for replying to my post. Paul Bradshaw acdpaul@vm.uoguelph.ca cs0872@snowhite.uoguelph.ca ------------------------------ Date: Thu, 30 Jan 92 11:30:44 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Naming conventions (PC) >From: "Otto.Stolz" >Summary of the terms suggested: >Master Boot Record (MBR) : The 1st physical sector on a hard disk > **Cease calling it Partition Table|** and add: must follow format proscribed by the BIOS. After all Sun stations and Macintoshes have MBRs like PCs just follow different formats. >Partition Table : A particular part of the MBR. > **Use this term only when particularaly > referring to this part of the MBR, as opposed > to other parts** and add Used to define the logical partition structure of the disk Then we should also have the following: Master Boot Record Program: Executable program placed in the Master Boot Record area preceeding the Partition Table that begins the boot of a fixed disk. >DOS Boot Sector : The 1st (logical) sector of a DOS partition on > a hard disk, or the 1st (physical and logical) > sector of a DOS diskette. > (Similar terms to be coined for other > operating systems) >Partition Boot Sector : A genuine term for the 1st (logical) sector of > a partition on a HD, if you do not want to > refer to a particular operating system. > **Try to avoid this term, as some readers will > confuse it with the PT (or even with the MBR, > due to sloppy language in the past)** These would actually refer to the same thing only that the PBR (I like Logical Boot Sector or LBR better) The following applies only to a DOS system though I would expect similar constructs to exist in OS/2 and Unix for Intel platforms. DOS Boot Record (DBR) : The first logical sector of a DOS partition (first logical is also the first physical sector on most floppies) Contains the BPB (Boot Parameter Block - analagous to the partition table) and Boot Record Code DOS Boot Record Code : Executable code found in the first logical sector of a DOS partition. If the partion is to be used for booting (is ACTIVE partition), it must conform to DOS specifications. DOS BPB : Data table found at a specified location in the first logical sector of a DOS partition that specifies the organization of the partition. Warmly, Padgett ------------------------------ Date: 30 Jan 92 16:51:32 +0000 From: peterh@richsun.cpg.trs.reuter.com (Peter Heinicke) Subject: VMS Virus detection (VAX/VMS) One of my clients has a contract which specifies that some VMS software be virus-free. Right. Now is there any avaliable way of checking that to the best of our ability. (Like Norton Anti Virus for VMS). Its obvious to me that such a package would not be foolproof, but at least it would show a prudent man effort. I have heard of one VMS DECnet worm, but no viruses, and I would be interested if anybody had heard of a VMS virus. Please email responses and I will summarize, within a week. +-------------------------------------------------------------------------+ |Peter H. Heinicke Would you feel comfortable owing |Technical Consultant three times your annual income to the Japanese | and other potentially hostile creditors? | Then why add to the National Debt? |708-393-6478 (voice) |708-574-7424 x2817 (voice) |708-393-4203 (fax) |peterh@richsun.cpg.trs.reuter.com (Email) ------------------------------ Date: Thu, 30 Jan 92 11:14:41 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Comment on Cohen (was re: Cohen's Error) >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Vesselin makes an excellent description of logic (which I haven't entirely gone through, yet) but do wish to reiterate a simple concept. Computers are designed to run programs. Viruses are programs. e.g. Computers are designed to run viruses. - Old Adage Viruses perform actions which SHOULDN'T occur during normal computer operation except in special cases. - My thought. Viruses cause changes - its in their charter. Therefore, viruses ARE detectable by looking for changes (or attempted changes) that should not occur. The basic problem with most anti-virus defenses is that they are layered on top of the operating system while according to industry reports most infections occur before the operating system is loaded. For several years, I have been trying to present the concept of BIOS level integrity management & have been giving away demonstrators, yet no-one seems particularly interested. I do believe that if simple integrity checking were put into the code used by FDISK and FORMAT, the spread of MBR infections including STONED, AZUSA, AIRCOP, EMPIRE, MICHELANGELO, etc could be stopped. Period. Warmly, Padgett ------------------------------ Date: Thu, 30 Jan 92 17:16:13 -0500 From: Uwe Hauck Subject: Collecting Infection Information for Paper. I am working at the University of Osnabrueck (Germany) on a Paper concerning Viral Infections of Research Computer Systems, how they infected, how they were detect and what the Departments do to get rid of them. So I am searching for actual Information about ''Infections'' in the last 6 Month, and about your Experiences with Virus-Protection methods. Any comments on that topic will be welcome and when the paper is finished I will send the Textfile to everyone interested (Preprints will go to everyone, who contributed directly !) This Paper will have the status of a free of charge documentation for our university and will not be published for money. Please send any contributions to UweHauck at dosuni1.bitnet UweHauck at dosuni1.rz.uni-osnabrueck.de Thanx a lot.... ------------------------------ Date: 30 Jan 92 21:18:17 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: FAQ: benign use of viri... euzebio%dcc.unicamp.ansp.br@UICVM.UIC.EDU (Marcos J. C. Euzebio) writes: Does anybody have any experience/references/etc. on the use of viri/worms as a paradigm for distributed applications? Back in 1980 as a high school senior I read a newspaper article about research at xerox PARC. It was research on "worms". This was the inspiration for me to try and make one on an Apple ][, although mine was technically a virus (a boot sector virus if you want to be really technical). I have asked here before if anyone has pointers to the xerox research but no one else remembers it. Maybe this time it rings a bell? jv "Koukinaries" _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: 30 Jan 92 21:52:45 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: Trojan definition? Special case bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: vail@tegra.com (Johnathan Vail) writes: > ________________ > trojan (horse) - This is some (usually nasty) code that is added to, > or in place of, a harmless program. This could include many viruses > but is usually reserved to describe code that does not replicate > itself. > ________________ Hmm, the definition is not that bad, but I think that a more exact one would be "a program, which intentionally performs some undocumented functions"... Oh well. In a clinical sense your definition is correct but in reality can apply to most "real" programs, like DOS. When I think of a Trojan Horse program I would think of something like the "tampered" versions of PKZIP that were around a year or two ago. Or a program called soemthing like FREESEX that would lecture you about morality and lock format your hard disk. jv "Don't try this at home kids" _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: 30 Jan 92 21:42:21 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: Iraqi Virus Question? 379BMWMASQ@sacemnet.af.mil (379BMWMASQ) writes: I have been watching in the list the message treads on the Iraqi printer virus, and I have a question to pose to the group. 1. Postscript printers receive printouts in the form of Postscript Program Code, which is in turn run by the printer to printout the Page. Now if that Postscript printer is on a Network and is capable of sending information to the network, then could the printer CPU be programmed to access the well known and some not so well known security features of the network to plant code or overload the system with bogus traffic. Yes, this is entirely possible, but not very likely. It would be especially hard for the postscript code itself to contain a virus or worm. I am speculating about what could be possible with a bogus printer. Note that this is an entirely separate issue from the postscript password issue. Some types of networked postscript printers: Appletalk - I am not an expert on the protocol and it may be that "printer" devices cannot legally go out on the network of their own accord. But one could, in theory, mimic being a computer itself and alter files on connected machines. TCP/IP Etherent (BSD spooling) - Here the printer is actually a full blown "host" computer as far as the network is concerned. It could, in theory, use NFS, Telnet, FTP, finger, etc., and exploit whatever holes there are to be found. SCSI - Not a full blown network but if the hosts system's disks are on the same physical bus then the printer can get at them any way it wants. jv "Koukinaries" _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: Fri, 31 Jan 92 03:23:46 +0000 From: seeger@oceania.com(Seeger Fisher) Subject: Re: New to the forum - question bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > geoffb@coos.dartmouth.edu (Geoff Bronner) writes: > > > Since I run a cluster and support dozens of macs and ibms directly I > > see them more often. ... > > ...I see an infected disk maybe once a week. > > Just out of interest, here at the VTC, we get averagely one to two > requests for help per week, from all over the Germany. I don't know, > maybe for some people this means that the computers in Germany are > "very prone" to viruses... I suppose some people might think that the computers in Germany are "very prone" to viruses, but none that ever posted to this newsgroup. Unless, of course, there are a grand total of several dozen computers in all of Germany! ;) - -- seeger@oceania.com ------------------------------ Date: Fri, 31 Jan 92 11:37:38 -0500 From: Kenneth R. van Wyk Subject: (Beware the) Ides of March Who SHOULD attend this year's Ides-of-March Fifth International Computer VIRUS & SECURITY Conference at the New York Marriott Marquis and Loews New York Summit MIS Directors, Security Analysts, Software Engineers, Operations Managers, Academic Researchers, Technical Writers, Criminal Investigators, Hardware Manufacturers, Lead Programmers who are interested in: WORLD-RENOWNED SECURITY EXPERTS CRIMINAL JUSTICE LEADERS: Marchall Abrams - Mitre Carol Bernstein - IBM Counsel Robert Campbell - AIM Buck Bloombecker - NCCD Jon David - Systems R&D Scott Charney - US Justice Dept Harold Highland - Comp & Security Ken Citarella - Westchester DA Bill Murray - Deloitte Don Delaney - NY Comp. Crime Lab Jane Paradise - Apple Dennis Jackson - Scotland Yard adv. Donn Parker - SRI Steve Purdy - Kroll (former US SecSvc) Maria (Pozzo) King Marc Rotenberg - CPSR Dennis Steinauer - NIST Gail Thackeray - Phoenix County UNIVERSITY: PRODUCTS: TELECOM: Vesselin Bontchev Dave Chess - IBM SCAN Manuel Barbero (Fr. Tel) FrB Klaus Brunnstein Fred Cohen - ASP Bill Cheswick (AT&T) Yvo Desmedt (Wis) Andy Hopkins - Panda Tom Duff (AT&T) Dmitry Gryaznov* John McAfee - SCAN Ed Fulford (Northern Tel) Karl Levitt (UC Davis) Dick McClung - Watchman Tom Papa (Locate) Fugene Spafford (Purdue) Fridrik Skulason - F-PROT Meg Reilly (MCI) Yisrael Radai* Al Solomon - Dr. Toolkit John Toomey (LeeMah) Ken van Wyk - Carnegie Mellon (* Possible Alternates) Over 53 PRODUCT DEMOS including: Candle's Deltamon, HJC's Virex, McAfeeSCAN, Symantic's SAM, Norton Antivirus, Central Point, ASP 3.0, DDI's Physician, Gilmore's FICHEK, Certus, FluShot Plus, PC Cillin, Virus Free, Quarantine, PC Tools, Virex, Detective, Assassin, Untouchable, Vaccine, Bear Trap, Disk Defender, Top Secret, Omni, ACF2, RACF, and OTHERS AS REGISTRANTS REQUEST. SIXTY ONE PRESENTATIONS INCLUDE: Trust & Org Policy, OSI/PBX/ISDN/voice, Euro '92 (Law, USSR), Access & Encryption, UNIX I - PC & Mainframes, Warfare Programs, Disinfecting the LAN Server, LAN HW/SW Defenses, LAN Policy & Disaster, Risk Software, DEC products, MAC products, LAN products, UNIX II - Networks, Stalking Intruders, Telecom Security, Security/Virus Countermeasures, Anti-Virus Tekkies Delight, Dissecting the Pakistani Virus (Brain Surgery), What the Law Says, How We Caught 'Em - Current Crime Cases, Pursuing and Avoiding Telecom Fraud, Research and New Trends, Info Theft by Radiation, the Great Hacker Debate III... INTERESTED? ONLY $275 one day (Thurs 3/112 - Fri 3/13) or $375 both days: * Bound, 600-page Proceedings containing ALL materials - no loose paper! * Eight meal breaks, including Meet-the-Experts cocktail party * Two 2-day tracks of product demo's * Optional Security course Wed 3/11 * Full-time LAN Track * Full-time Legal & Justice Track $20 additional for those who are not ACM/IEEE/CMA, ISSA/DPMA members. Fourth member in each group gets in for no charge! Late fee after 2/17/92. To register by mail, send check payable to DPMA, card number (VISA/MC/AMESX) or purchase order to: Virus Conference Security Conference DPMA Financial Industries Chapter Box 894 New York, NY 10268 or fax to (303) 825-9151. Be sure to include your member number if requesting the discounted rate. Registrations received after 2/17/92 are $425, so register now! For registration information/assistance, call (800) Downloaded From P-80 International Information Systems 304-744-2253