VIRUS-L Digest   Wednesday, 28 Aug 1991    Volume 4 : Issue 150

Today's Topics:

Re: Hard disk locking ? (PC)
RE: where is VSUM9108.ZIP or TXT
Bad hit on KENNEDY/12 Tricks Trojan?? (PC)
Re: Hard disk locking ? (PC)
Re: Polish anti-virus group info
Re: CPAV + SCAN conflict (PC)
Re: CARO / EICAR address
Norton reports "Italian" - help (PC)
Drive assignments... (PC)
CAPV conflict with FPROT116 (PC)
Ten Bytes False Positive with VIRX fixed (PC)
Re: CPAV + SCAN conflict (PC)
Dark Avenger's mutating engine (PC)
NoFBoot (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 27 Aug 91 17:43:44 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Re: Hard disk locking ? (PC)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

> I have long decried the fact that hard drive manufacturers still have
> not thought to include a cheap and simple write protect switch on hard
> drives. (Yes, I do know that most removable media drives have write
> protect tabs, I'd just like to find a drive under $1000 that'll do it.)

I understand the vendors, disk drives are hidden inside the case and
would require some extra hardware to do what you ask. Nowadays they
are cutting costs to the penny.
All is not lost however: Seems to me that on a standard MFM or RLL
drive, lead 6 on the 34 pin cable is the WRITE ENABLE NOT lead. I
forget what the logic is but seem to remember that if you tie 6 to a
logic "1" (+5 vdc most likely), the disk never permits writes. Some
experimenting and a dpst switch should prove effective and cost less
than U$1.00.

                                        Padgett

"The clockwork on the inside goes"

------------------------------

Date:    Tue, 27 Aug 91 16:31:05 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: RE: where is VSUM9108.ZIP or TXT

cadguest%opua.Berkeley.EDU@ucbvax.Berkeley.EDU (CAD Group Guest Accoun) writes:

> But what is hypertext?  Is it a shareware/freeware product?  If yes,
> where can I get it?

Hypertext is more of a concept, sort of like "information processing"
or "spreadsheet".  What is meant is that you should be able to quickly
access related information in order to explain a concept or term you
find.

In the case of VSUM, it is going a bit far to call it hypertext, but
the information is now in data base format rather than the earlier
"plain text".  The reader program is included in the .ZIP file.

By the way, I thought that "beach" had posted VSUMX107.ZIP, but when I
went to look for it, no luck.

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     (SUZY) INtegrity         | turn it on."
User              Canada V7K 2G6           | Richards' 2nd Law
Security                                   | of Data Security

------------------------------

Date:    27 Aug 91 23:26:09 -0400
From:    Robert McClenon <76476.337@CompuServe.COM>
Subject: Bad hit on KENNEDY/12 Tricks Trojan?? (PC)

Eric N. Lipscomb writes:

>OK.  Here's a good one. . .
>
>For whatever reason, one of our Business Profs decided to scan the
>copy of VIRUCIDE on his hard disk, and lo and behold, SCAN 5.3C67
>finds Kennedy and 12 Tricks Trojan in VIRUCIDE.EXE.  VIRUCIDE,
>scanning itself, finds nothing.
>SCAN also tells us that the file is
>compressed with LZEXE and is infected internally.  Hmmmm.
>
>it seems to me that McAfee SCAN is giving a false positive on the
>Kennedy virus in VIRUCIDE.  VIRUCIDE (another, later version that
>scanned clean by everything we threw at it) and F-PROT don't identify
>anything.  And an old version of SCAN identified the 12 Tricks Trojan.
>Unfortunately, I don't have any other disk scanners laying around that
>I can check it against.  But our techies are looking a little more
>closely into this suspicious disk write behaviour exhibited by the
>suspect VIRUCIDE.
>
>Any thoughts/ideas from the list at large, specifically the McAfee
>crew (since both SCAN and VIRUCIDE came from McAfee)?  This is
>certainly something that our University will take into serious
>consideration as talks finalize on which product to go with as a
>campus standard.

There have been previous reports to Virus-L of false positives where
one anti-viral package identified another as being infected.  In
particular, reports of SCAN saying that VIRUCIDE might be the 12
Tricks Trojan have been common.  These reports are indeed false
positives.

There is a simple reason for these false positives.  An anti-viral
scan package looks for virus signature strings.  Another anti-viral
package may legitimately contain the same virus signature strings.
These false positives would be even more common except that some
anti-viral packages conceal the signature strings by encryption.

False positives where one anti-viral package says another is infected
are common, and are caused by finding a signature in the signature
search code.

------------------------------

Date:    28 Aug 91 09:07:58 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Hard disk locking ? (PC)

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes:

>attaining such high ideals in the typical pc workplace.
>A write-protect switch, or a card that can be removed, is not absolute
>protection, and people should not be given any false sense of
>security.  If you know the situation well enough, you might be able to
>say that such things are "good enough" - but in some situations a
>software-only solution might also be good enough.  I agree that
>hardware solutions are basically better, of course, and they should be
>built into the hardware rather than provided as add-ons, but it is
>important to avoid crediting hardware solutions with too much security
>when anyone could lift the lid and flick a switch or replace a card.

I've heard about the existence of "physically secure" PCs, which, when
you turn the key to lock the keyboard, also slide lids on their
screws, so you cannot open the computer (and unplug any cards), if you
don't have the key... Well, you just need a larger hammer... :-)

Regards,
Vesselin

------------------------------

Date:    28 Aug 91 09:20:08 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Polish anti-virus group info

BOXALL@qut.edu.au writes:

>Has anybody heard of the "Polish Section of Virus Information Bank".
>We have received a letter from them and would like to know more.
>Any information would be appreciated.

Yes, I know them. I know one of them (Andrzej Kadloff) personally and
have read some articles and have seen some disassemblies from Marek
Fillipiak. (Note: maybe the spelling of the names is not quite
correct, but I don't have them in front of me right now. If you are
interested, I can try to find the exact spelling and the addresses.)
Maybe there are others, but I have heard only about these two guys.
Both are quite capable anti-virus researchers. Their disassemblies are
wonderful, although they have the bad habit to comment them in Polish
or in bad English...
:-) They have invented the brilliant idea to create some kind of map
for each virus, describing which parts of it are code, data, text, or
garbage, with the appropriate offsets of these areas from the virus
entry point and checksums of the unchanging parts. I had a student in
my anti-virus lab in Sofia design a program that generates such maps
automatically, when you supply it with different files of the same
type (either COM or EXE), infected by one and the same virus.
Unfortunately, this method does not work with the encrypted and
mutating viruses. Currently at the VTC Morton Swimmer is developing a
special language, which will permit to describe how to decrypt an
encrypted virus and which parts of it to checksum. This will hopefully
improve the virus maps and such maps could be used to determine
whether an infected file contains a known virus or even if two viruses
are "close variants" automatically and reliably...

>P.S They seem to have a product called : PCvirus (disk magazine)

Yes, this is true. Unfortunately, it is published in Polish. They had
plans to publish it in English too, but I don't know whether it will
happen soon.

Regards,
Vesselin

------------------------------

Date:    28 Aug 91 09:34:46 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CPAV + SCAN conflict (PC)

jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes:

>I was testing the CentralPoint Anti Virus package (CPAV) and found an
>interesting interaction with McAfee SCAN.  If I run the full TSR in
>the CPAV package, VSAFE, then they get along OK.  But if I run the
>faster and simpler, VWATCH, then SCAN v80 complains about the
>Pakistani/Brain virus being in memory.  I suspect this is a false
>alarm from VWATCH holding in memory the patterns it is looking for
>when programs run, and SCAN finds them.  I spent an hour checking my
>entire system the first time I got that message.

Yes, this is a false positive.
Nevertheless, it's SCAN's fault to scan the WHOLE memory for the Brain
virus, while in fact the latter could be only in its upper end...

Regards,
Vesselin

------------------------------

Date:    28 Aug 91 09:41:34 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CARO / EICAR address

ry15@rz.uni-karlsruhe.de writes:

> CARO = Computer Antivirus Research Organisation
> This is a group of researchers
> at present there are:
> Vesselin Bontschev (used to be Academy of science in Sofia,
>                     now University of Hamburg)
> Christoph Fischer (University of Karlsruhe Micro-BIT Virus Center)
> Fridrik Skulason (University of Reykjavik)
> Morton Swimmer (University of Hamburg)
> Michael Weiner (University of Vienna)

Hi, Chris! You forgot:

Dr. Alan Solomon (S & S International, UK)
Prof. Klaus Brunnstein (University of Hamburg) (my current boss :-))

Or am I wrong?

Regards,
Vesselin

------------------------------

Date:    Wed, 28 Aug 91 09:10:59 -0400
From:    Alan Pierce
Subject: Norton reports "Italian" - help (PC)

I have a question about a virus that was found by Norton Antivirus.
It found a virus called Italian - A that McAfee's SCAN v80 doesn't
seem to recognize. Can anyone give me any further info on this
"virus"?

Thanks.

Alan Pierce
Technical Consultant
Office of Computing and Statistical Consulting
Cornell University
app@cornella.cit.cornell.edu

------------------------------

Date:    Wed, 28 Aug 91 09:39:24 -0400
From:    Alan Pierce
Subject: Drive assignments... (PC)

A brief note on drive assignments to clear things up...

First 2 floppy drives: A and B
First hard drive: Primary partition: C

Drives will then be assigned in the following order:

Secondary partition(s) on first hard drive
Primary partition on second hard drive
Secondary partition(s) on second hard drive
Any other floppy/tape/misc. drives in the order they are installed.

Hope this helps.
Alan Pierce
Technical Consultant
Office of Computing and Statistical Consulting
Cornell University
app@cornella.cit.cornell.edu

------------------------------

Date:    Wed, 28 Aug 91 14:48:46 -0400
From:    "Vannevar Y. Yu"
Subject: CAPV conflict with FPROT116 (PC)

I just installed my copy of Central Point Software's Anti-Virus
program and Frisk's FPROT 1.16 F-SYSCHK program flags CAPV's VSAFE as
the "Flip" virus. A call to Central Point Software's CAPV tech support
confirmed this anomaly. When I run F-FCHK /ALL through the CAPV
subdirectory, none of the files are flagged as "infected."

Incidentally, the tech support rep told me that this was the "problem"
with using "more than one anti-viral package." I would rather use a
couple of different anti-viral packages (knowing all the possible
conflicts) rather than trust just one package. Given the choice of
CAPV and FPROT, I would go with FPROT.

Vannevar Yu

------------------------------

Date:    Wed, 28 Aug 91 12:01:05 -0700
From:    karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: Ten Bytes False Positive with VIRX fixed (PC)

I just spoke with Chris Hipgrave of Microcom (the Virex-PC vendor).
He just told me that VirX 1.4 (a demo version) as well as Virex 1.2
(full release) would identify a false positive of the Ten Bytes virus
(aka V-Alert, 1554) within the product Virucide v2.0. This has been
fixed in a later version, VirX 1.7 (demo version) and in the full
release of Virex 2.0, which was released August 28, 1991.

Karyn Pichnarczyk
CIAC
karyn@cheetah.llnl.gov
(415) 422-1779

------------------------------

Date:    Wed, 28 Aug 91 18:48:11 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: CPAV + SCAN conflict (PC)

jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes:

>I was testing the CentralPoint Anti Virus package (CPAV) and found an
>interesting interaction with McAfee SCAN.  If I run the full TSR in
>the CPAV package, VSAFE, then they get along OK.
>But if I run the
>faster and simpler, VWATCH, then SCAN v80 complains about the
>Pakistani/Brain virus being in memory.  I suspect this is a false
>alarm from VWATCH holding in memory the patterns it is looking for
>when programs run, and SCAN finds them.  I spent an hour checking my
>entire system the first time I got that message.

Your suspicions are correct.  The VWATCH program stores its strings in
memory in plain (unencrypted) form, and if any of the strings match up
to those in SCAN, a false alarm is generated.

>-jesse    jesse@gumby.altos.com

Aryeh Goretsky
McAfee Associates Technical Support

--
McAfee Associates         | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street       | FAX   (408) 970-9727 | aryehg@darkside.com (personal)
Santa Clara, California   | BBS   (408) 988-4004 |
95054-0253 USA            | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield  | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date:    28 Aug 91 17:33:46 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Dark Avenger's mutating engine (PC)

Hello, everybody!

Recently the so-called Dark Avenger's mutation engine was discussed on
this forum. As I already noticed, it can be used to produce mutating
viruses indeed, but they all will be related to the
1226/Proud/Evil/Phoenix family. I also promised to publish scan
strings for such viruses. Well, here they are.

Using SCAN's format to add user signatures, all such viruses can be
detected by using the wildcard description:

#P1 related virus (the weird name that McAfee uses)
#More exactly - a virus, generated by
# the Dark Avenger's mutating engine
"95?0001?03?8B?33*(5)33?22*(4)F8?31?22*(4)F8" P1r [P1r]

Well, that is in theory, unfortunately there should be some bug in
SCAN's external virus definition parser, since the above string
confuses it. The scan string is constructed strictly after the
documentation - there are no more than 10 wildcards in it.
Nevertheless, the only way to force SCAN to swallow it is to shorten
it a bit, like this:

"95?0001?03?8B?33*(5)33?22*(4)F8?31?22" P1r [P1r]

I hope that someone from McAfee Associates (Aryeh?) will explain why
the first string does not work, since the shortened string will
probably cause more false positives.

Well, let's see now another scanner, namely HTScan. Its entry looks
like this:

; Phoenix related virus
COM HIGH 95??0001??03??8B??33*533??22*4F8??31??22*4F8
;

TbScan accepts the same format, but I found it to be somewhat less
reliable. Also, it is not able to cope with scan strings that have a
wildcard in the second byte - it requires that the first two bytes of
the virus signature are free of wildcards. Note that this restriction
also applies to all versions of HTScan, prior to 1.15. But with
version 1.15 we can also use the extended wildcard language that was
posted by Jan Terpstra here some time ago. This way we can use the
fact that some nibbles of the virus' signature never change and
therefore can obtain a much more reliable virus scan string. Here it
is:

; Phoenix related virus
COM HIGH 95B?00014?03??8B??33??B?*25?33??224?4?4?7?F85?31??224?4?4?7?F8
;                                --

Well, maybe someone who has the MUTATE.ASM file (Frisk?) has
understood the exact algorithm that it uses to change the registers
that are used during the decryption process. If this is the case, he
might be able to provide an even more specific wildcard string (if
he's able to determine that some nibbles never change and therefore
replacing the respective nibble of one of the ?? bytes by its constant
value). Note that in the string above the two consecutive wildcard
bytes (those that are "underlined"), contain the infective length of
the virus. Also, in the HTScan entries, HIGH means that the virus has
to be searched in memory only above the current PSP.
All viruses of the Phoenix family that currently exist install
themselves there, however it is possible for a new virus to use a
different area, so I would suggest to add the keyword LOW as well.

A last note, all such viruses can infect only COM files.

Regards,
Vesselin

P.S. I don't know much about copyright, so I dedicate the above
signatures to the public domain. They can be used freely in any
commercial and/or non-commercial program. In short, you can do with
them whatever you wish. Well, I used the computers at the VTC Hamburg
to determine them, so if something is not legally OK, please tell me.
And, of course, I do not warrant anything, except that during my tests
the signatures matched all examples of the mutating code that I
generated. :-)

------------------------------

Date:    Wed, 28 Aug 91 15:25:27 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: NoFBoot (PC)

Thanks to Mark Aitchison in New Zealand, the alpha version of NoFBoot
is available. A TSR, it occupies c.a. 500 bytes when loaded low and
can be loaded high if desired. It seems to work and should not
interfere with anything though I would suspect that it should be
loaded before programs using ctrl-alt sequences (will get DesqView
loaded & try RSN).

There are actually two programs: NoFBoot and SumFBoot, the first
disallows warm boots from floppies entirely when invoked with
ctrl-alt-del while the second allows a floppy boot to be invoked via
ctrl-alt-F. If anyone would care to try "alpha" freeware, I can send
it via uuencoded .ZIP.

IMHO when coupled with a good integrity checker from the BIOS level,
checksum routine for known programs and signature scanner for unknown
programs, this should provide reasonable protection against
everything except a reset (cold boot) from an infected floppy. Only
custom hardware or a special BIOS can do more.
                                        Padgett

"FreeWare: worth every penny you didn't pay for it"

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 150]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
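Added worked example for the wildcard scan strings in Vesselin Bontchev's "Dark Avenger's mutating engine" message above; this is editor-written example code, not from the digest, McAfee, or the HTScan/TbScan authors. It compiles the SCAN-format and HTScan-format strings into byte regexes and runs all of them over a constructed 32-byte block, assuming that in SCAN's format "?" is one wildcard byte and "*(n)" is exactly n bytes, and that in HTScan's format "?" is one wildcard nibble and "*n" takes a single-digit count (the reading under which the two Phoenix strings describe the same 32-byte pattern); the sample bytes are constructed to fit the nibble string and are not virus code.

```python
import re

# Added example (not the digest's, McAfee's or HTScan's code). Assumed
# token meanings, the reading under which the SCAN and HTScan Phoenix
# strings describe the same 32-byte pattern: SCAN '?' = any byte,
# '*(n)' = n any bytes; HTScan '?' = any nibble ('??' = any byte),
# '*n' = n any bytes with n a single decimal digit.

def _nibble_class(hi, lo):
    """Regex fragment for one byte; hi/lo are hex digits or '?'."""
    if hi == "?" and lo == "?":
        return b"."
    if hi == "?":                      # low nibble fixed: 16 spaced values
        vals = [h << 4 | int(lo, 16) for h in range(16)]
    elif lo == "?":                    # high nibble fixed: one 16-byte run
        vals = [int(hi, 16) << 4 | x for x in range(16)]
    else:
        vals = [int(hi + lo, 16)]
    return b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]"

def _tokens(sig, dialect):
    """Yield (regex_fragment, byte_count) for each token of sig."""
    skip = re.compile(r"\*\((\d+)\)" if dialect == "scan" else r"\*(\d)")
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            m = skip.match(sig, i)
            if m is None:
                raise ValueError("bad skip token at %d in %r" % (i, sig))
            n = int(m.group(1))
            yield b".{%d}" % n, n
            i = m.end()
        elif sig[i] == "?" and dialect == "scan":
            yield b".", 1
            i += 1
        else:
            yield _nibble_class(sig[i], sig[i + 1]), 1
            i += 2

def compile_signature(sig, dialect):
    """dialect is 'scan' or 'htscan'; returns a compiled bytes regex."""
    return re.compile(b"".join(f for f, _ in _tokens(sig, dialect)), re.DOTALL)

def signature_length(sig, dialect):
    return sum(n for _, n in _tokens(sig, dialect))

def matches(sig, dialect, data):
    return compile_signature(sig, dialect).search(data) is not None

# The strings quoted in the message, verbatim.
SCAN_FULL = "95?0001?03?8B?33*(5)33?22*(4)F8?31?22*(4)F8"
SCAN_SHORT = "95?0001?03?8B?33*(5)33?22*(4)F8?31?22"
HTSCAN_BASIC = "95??0001??03??8B??33*533??22*4F8??31??22*4F8"
HTSCAN_NIBBLE = "95B?00014?03??8B??33??B?*25?33??224?4?4?7?F85?31??224?4?4?7?F8"

# Constructed test data (not virus code): 32 bytes honouring every fixed
# nibble of HTSCAN_NIBBLE, wrapped in junk, plus a copy with byte 1 = 0B.
SAMPLE = bytes.fromhex("95B800014603D88B1E33C0B912345033D82241424374F851311E2241424374F8")
BUFFER = b"\x00" * 7 + SAMPLE + b"\xff" * 5
LOOSE = b"\x00" * 7 + SAMPLE[:1] + b"\x0b" + SAMPLE[2:] + b"\xff" * 5
```

Running the strings over BUFFER and LOOSE shows why the message calls the nibble form more reliable: LOOSE still fires the byte-wildcard strings, whose second byte is a free "??", but not the nibble string, which fixes that byte's high nibble to B.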