VIRUS-L Digest Monday, 6 Nov 1989 Volume 2 : Issue 233 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Virus source available in Toronto Re: Where are the Sophisticated Viruses? virus protection strategy questions New anti-virus programs uploaded to SIMTEL20 (PC) More CRC suggestions Re: Brain and Ashar virus (PC) Re: Brain Virus Query (PC) KillVirus (Mac) CRC Checking. Typo vs. Typo (PC) NP completeness --------------------------------------------------------------------------- Date: 06 Nov 89 11:48:16 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Virus source available in Toronto kelly@uts.amdahl.com (Kelly Goen) writes: >the published sources working or non working are really not >that much of a threat... Wrong ! One concrete example why: The "Ghost" virus recently found here in Iceland seems to have been based on the listing of the Vienna virus from the book "Computer Viruses: A High Tech Disease" This is clear becuse the virus contains the two patches added there to make the virus a little less harmful than the original Vienna virus. Since any assembly language programmer should be able to create a new working virus in a day given a listing or a good (commented) disassembly, this gives us a good reason to limit the availability of virus listings as much as possible. - -frisk Fridrik Skulason University of Iceland frisk@rhi.hi.is Computing Sevices Guvf yvar vagragvbanyyl yrsg oynax ................. ------------------------------ Date: Sun, 05 Nov 89 23:04:41 -0700 From: ctycal!ingoldsb@cpsc.ucalgary.ca Subject: Re: Where are the Sophisticated Viruses? There are probably two reasons why the viruses you suggest do not exist: 1) If the system code is bypassed, then it must be rewritten. Most hackers are not at that level. Those that are that proficient are busy making money. 2) Code to do all the stuff needed would be quite large, and therefore noticeable. If you add 20 K to somebody's programs they will likely notice. Anyway, viruses experience exponential growth. At the beginning the spread is very slow and only becomes rapid after a fair while (say 6 months). This allows the wary to catch most viruses. Terry Ingoldsby ctycal!ingoldsb@calgary.UUCP Land Information Systems or The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb ------------------------------ Date: 06 Nov 89 16:14:57 +0000 From: n8243274@unicorn.wwu.edu (steven l. odegard) Subject: virus protection strategy questions For personal computers, I can imagine Mom giving me advice to keep me from catching cold, [a biological virus]: 1. Wear your coat. Keep yourself warm. Don't expose yourself. The 3 1/2 inch disks have a little write-protect tab. If the disk is set to safe (where you may see through the hole), no data may be written to it, including virus's data. 5 1/4 or 8 inchers have a side slot which must be covered with black vinal tape to write-protected them. Is it reasonable to install write-protect toggle switches for hard disks on a personal computers? I use the write-protect all the time on larger computers -- once a machine (software) crashed and destroyied the work of one-hundred people the previous week! 2. Stay out of garbage. Use only reliable 'clean' software purchased from reputible software dealers. How often is food-poisioning contracted from eating food from clean restaurants? There are a few cases software published with unknown viruses lurking in them, but such are usually detected quite rapidly. 3. Quarantine: I have no experience here, is it practical to switch infected systems off of local-area networks? (unplug them)? What other common-sense strategies (as opposed to unreasonable panic strategies) are there to prevent these infections? Should terminate and stay resident programs be purged and reloaded from time to time, for example? I am reminded of a similar phenomena occurring on larger computer systems, where the terminals they employ have a code for "transmit 25th line". Then simply typing some file can cause you to lose all your files: the file contains the code to put "ERASE *.*" on the 25 line, and transmit. The computer sees the data stream "ERASE *.*" and proceeds to erase all files on the account. The cycle can be broken by disallowing the 25line code from appearing in the output -- use special 'display' program, or disabling the transmit 25th line command - -- install a toggle switch on the terminal, or by being careful what you look at -- be aware of the problem. - --SLO 8243274@wwu.edu uw-beaver!wwu.edu!8243274 n8243274@unicorn.wwu.edu ------------------------------ Date: Sun, 05 Nov 89 19:37:00 -0700 From: Keith Petersen Subject: New anti-virus programs uploaded to SIMTEL20 (PC) I have uploaded the following files to SIMTEL20: pd: SHEZ49.ARC Shell for archive manipulation, w/virus check pd: CKOT094.ARC Checks archived files for viruses (req. SCANV) NETSCAN.ARC Network compatible - scan for 46 viruses, v46 SCANRS47.ARC Resident program to scan for many viruses SCANV47.ARC VirusScan, scans disk files for 47 viruses VALIDAT3.ARC Validate shareware programs for authenticity CKOT094, NETSCAN, SCANRS47 and SCANV47 were obtained directly from the Homebase BBS. - --Keith Petersen Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74] Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa BITNET: w8sdz@NDSUVM1 Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz ------------------------------ Date: Sat, 04 Nov 00 19:89:58 +0000 From: agora.hf.intel.com!greg%medusa.intel.com@RELAY.CS.NET Subject: More CRC suggestions len@csd4.csd.uwm.edu (Leonard P Levine) writes: > A satisfactory system is one in which each user can use a polynomial > of his/her choice and where the list of files and their crc's > (for example) is stored in some arbitrary location. No virus writer > will be looking for YOU, rather just a collection of systems that > are alike enough to infect. The CRC program should encrypt and authenticate its stored data file(s); otherwise, it'd be easy for a savvy virus to essentially 'grep' for strings matching the format of those used by common CRC programs, and then modify that file. Even niftier would be 'roll-your-own' CRC programs, that encourage the user to modify and recompile them from available source; that way, virus authors couldn't compensate for just a few very popular CRC checkers, and would have to contend with thousands (probably millions) of different versions with different filenames and methods of storing the CRCs. [However, the above immediately brings to mind hacked versions of the source, intended to trick nontechnical users into compiling and running evil programs. I suppose we could get the source code from a few (authentic) sources, along with CRCs for that source code... :) Sigh.] Another thought: for people with access to EPROM burners, howzabout burning the (encrypted) CRCs into EPROMs? (I'm thinking primarily of PC clones, with their relatively easily accessible ROM sockets) Whenever new software is installed, the old EPROM could be wiped and reprogrammed. - -- ".. organized crime is the price we pay for organization." - Raymond Chandler Greg Broiles | CI$: 74017,3623 | greg@agora.hf.intel.com 3105 Pine St. | WWIVnet: 1@5312 | Riverside, CA 92501 | Peacenet: gbroiles | tektronix!tessi!agora!greg ------------------------------ Date: Sun, 05 Nov 89 15:34:17 -0500 From: KHV%NIHCU.BITNET@VMA.CC.CMU.EDU Subject: Re: Brain and Ashar virus (PC) I had the same experience as you did Tom, when using SCANV42 to scan a diskette I knew was infected by the Brain virus. I contacted John McAfee, the author of the program, and was told that that was a bug in that particular version of the program. Evidently, he choose overlapping hex strings as his virus signatures, so even though only the Brain virus was actually present, a false positive reading was obtained for the Ashar virus. I haven't tested it yet, but I'm sure that this bug has been corrected in the latest versions of the program (what are we up to now, version 48 or so?). Hope this clears things up. ------------------------------ Date: Mon, 06 Nov 89 09:31:23 -0500 From: Kevin_Haney%NIHDCRT.BITNET@VMA.CC.CMU.EDU Subject: Re: Brain Virus Query (PC) In response to your query about the Brain virus, I have included some information below that was put out by the Computer Virus Industry Assoc. The only things I would add to that description are that the virus does not infect hard disks, only floppies. The virus is non-destructive in that it is not specifically designed to damage any files (except the boot sector)--the damage comes in when it writes over the seven sectors, in a random location in the data area of the diskette, which may be part of a program or data file. The program may then not run or the data may be corrupted, but this is just a side-effect, so to speak. The virus is prevalent at locations which have public-access floppy-based systems such as universities. An infected disk (but not the files) can be recovered by formatting. The sectors flagged as bad can even be recovered if you have a utility such as Norton's that can directly modify the File Allocation Table, and you use it before you reformat the disk. If you perform the DOS SYS command, it will render the virus inactive by rewriting the boot sector and your files will still be there, although the bad sectors will also still be present and whatever damage was done will not be repaired. Hope this information helps! - ----------------------------------------------------------------- Name: Pakistani Brain Origin: Lahore, Pakistan, January 1986; developed by two brothers as an experiment Host: IBM PCs and compatibles Class: Boot sector infector Description: - - Replaces original boot sector with itself - - Moves original boot sector to another location - - Adds seven sectors that contain remainder of virus - - Flags all modified sectors as unusable to protect itself - - Replicates onto all inserted bootable floppies How spread: - - Booting from unknown or shared disks - - Infects through any access to an inserted disk Listing directories, executing programs and so on Through software reboot sequence Symptoms: - - Copyright @BRAIN label displayed in directory of infected disk - - Reboot sequence slowed down - - Excessive floppy activity for simple tasks - - Program crashes for some versions of DOS - - Interrupt vectors modified Potential damage: - - System crash can cause loss of data - - Spreads quickly to all bootable disks Precautions: - - Do not boot from unknown floppies - - Boot only from the hard disk if one exists - - Write-protect all boot disks Recovery: - - Shut down infected systems - - Reboot from a clean, write-protected original boot disk - - List directory of all disks - look for @BRAIN label - - When found, destroy the disk, or: Perform DOS SYS command to rewrite boot sector Recreate volume serial label using any available utility (This procedure will still leave 7 bad sectors with dead virus) Notes: Will live through software reboot. ------------------------------ Date: Mon, 06 Nov 89 12:27:20 -0500 From: "Gregory E. Gilbert" Subject: KillVirus (Mac) Does KillVirus have an nVir "resource". ("nVir" visible when examined with ResEdit.) Or do I have problems with my copy of KillVirus. Thanks much. Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 Acknowledge-To: ------------------------------ Date: Mon, 06 Nov 89 10:34:26 +0000 From: Martin Ward Subject: CRC Checking. How about this for a system: Keep the CRC checker program and file of checksums on a separate bootable floppy, which has a suitable AUTOEXEC.BAT file. At the end of the day, power down, insert this floppy and power up. The machine boots off this floppy and is therefore guaranteed free from active viruses, it then automatically checks all executables on the hard disk for any changes. The same disk could go on to do a backup automatically once the machine has been declared free of infections. Martin. My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU OR: martin%uk.ac.dur.easby@nfsnet-relay.ac.uk UUCP:...!mcvax!ukc!easby!martin JANET: martin@uk.ac.dur.easby BITNET: martin%dur.easby@ac.uk ------------------------------ Date: Mon, 06 Nov 89 19:12:45 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Typo vs. Typo (PC) There have been two viruses reported in the PC world, with the name "Typo". One is a boot sector virus - a modification of the Ping-Pong virus. This virus was written in Israel. The other virus is a resident .COM infector, 867 bytes long. This one is of U.S. origin. Since having two viruses with the same name will only lead to confusion, something needs to be done. Any suggestions ? - -frisk ------------------------------ Date: 06 Nov 89 20:27:02 +0000 From: kerchen@iris.ucdavis.edu (Paul Kerchen) Subject: NP completeness Recently, I posted an article in which I stated that the virus problem was NP complete. Well, a number of people pointed out my error and so I'd like to apologize. What I meant to say was that the virus problem (at least detection, anyway) is undecideable. However, despite this problem, I still contend that no virus solution will be a 100% solution. I'd like to thank the people who politely pointed out my mistake and the folks who were less than gracious can...well, you know what you can do. I'll have to watch my NP's and Q's more closely (sorry, I couldn't resist). Paul Kerchen | kerchen@iris.ucdavis.edu ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253