VIRUS-L Digest Friday, 30 Aug 1991 Volume 4 : Issue 151 Today's Topics: Re: Hard disk locking ? (PC) Virus List Requested (PC) (Mac) Re: Drive assignments... (PC) Norton Anti Virus (PC) Disassembler Info Re: Virus Simulator available (PC) Re: Self-scanning executables (PC) Experiment with virus Correction for bboard number Virus dictionary sought The Tenbytes virus mutates! (PC) 'Legalize Marijuana' virus (PC) When is it active? VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 29 Aug 91 15:36:56 +0000 >From: eric@zen.maths.uts.edu.au (Eric Lindsay) Subject: Re: Hard disk locking ? (PC) Do it yourself hard disk locking is possible, if you have an MFM or RLL drive (don't know enough about IDE, but I suspect it is impossible). Simply pull the write gate line via a resistor to either +5 or ground (sorry, I've forgotten if it is active high or low). The resistor should be round 200 ohms or so (not very critical). I do it on the cntroller card, because access is easier, and take it via a 3.5 mm normally closed socket that I mount in a hole on the card support. That way, when you want to make the drive writable, you just plug a 3.5 mm audio plug into it. Some (possibly many) hard disk controllers test the hard disk by accessing it on power up, and they won't allow this scheme. I've had good results with the Taiwanese LCS-6210D cards. - -- eric@zen.maths.uts.edu.au Eric Lindsay, Sch of Maths, Uni of Tech Don't take life too seriously. It is only temporary. ------------------------------ Date: Wed, 28 Aug 91 18:40:02 -0600 >From: Ing Antonio Quesada-Duarte Subject: Virus List Requested (PC) (Mac) Hi there! I have this problem: I need to find an updated (let's say one month old is updated) list of viruses, for both IBM-PC and Macintosh machines. If somebody can please tell me where i can find it i will really appreciate it. I do have ftp access. I am not subscribed to this list, so please answer me via e-mail. If you want, you may write asking me for summaries, and i may mail them (or send them to the list if the ammount of requests is big enough). Thanks a lot for your help! >From Monterrey, Mexico: Antonio Quesada-Duarte ------------------------------ Date: Thu, 29 Aug 91 18:34:00 +1200 >From: "Nick FitzGerald" Subject: Re: Drive assignments... (PC) Alan Pierce wrote: >A brief note on drive assignments to clear things up... > >First 2 floppy drives: A and B >First hard drive: > Primary partition: C >Drives will then be assigned in the following order: > Secondary partition(s) on first hard drive > Primary partition on second hard drive > Secondary partition(s) on second hard drive > Any other floppy/tape/misc. drives in the order they are installed. > >Hope this helps. Sorry - but it doesn't. This is exactly the sort of mis-information that members of this forum shouldn't be spreading. If you are going to "tell it like it is" please get it right. This reply is not directed personally to Alan - he just happened to be the latest purveyor of this very commonly held misbelief. >From my experience, in anXT or AT with a four floppy controller the first four drive letters (A-D) will all represent floppy drives. Any HD's/partitions will come _after_ this. Further, only _some_ machines follow the naming scheme laid out for HD's. Most I've seen do, but the one I'm currently writing from has C: as the first partition on first physical HD (it only has 2 floppies), D: as first partition on second HD, E: as second partition on first, and F: as second partition on second. (In case you are wondering, this is not done with a bunch of SUBSTS/ASSIGNS/whatever. Machine is 386, AMI BIOS, DOS 4.01 (unfortunately), 1st HD has primary bootable DOS partition (30 Meg) and 10 Meg second partition (hangover from DOS 3.3?). Second HD is 60 Meg with primary partition of 1 track (approx 64K all up?) and an extended partition of the rest. (I did _not_ set this up - I inherited it and am too busy to reconfigure things - which I will when I get my DOS 5 upgrade.) I suspect that Alan got his info (directly or indirectly) from that great source of knowledge an light about PC's - The DOS Technical Reference. Unfortunately, many programmers believe what they read in this mighty work, resulting in programs that we can't easily install (and sometimes never even run) on the main PC our Operations staff use, because C: is hard-coded into their prog, because it is designed for bootable HD's only. Most PC "gurus" seem to "know" that the first HD _must always_ be C: - - believe me, _IT BLODDY WELL IS'NT TRUE_. Thanks for reading, sorry for shouting, but this one really p***es me off. - --------------------------------------------------------------------------- Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Thu, 29 Aug 91 09:04:10 +0200 >From: Knut Torgersen Subject: Norton Anti Virus (PC) I borrowed Norton Anti Virus from a friend to check up my system. The first thing I did, however, was to run the program on the diskette I borrowed it on. First I used McAFee's SCAN.EXE. Nothing nasty showed up. Then I asked NAV to scan itself. NAV told me that "NAV.EXE is infected with an unknown strain." And what may I ask does that mean? +----------------------------------------------+-----------------------------+ |If you stick a stock of liquor in your locker,| Bart! You're no longer in | |It is slick to stick a lock upon your stock. | Sunday School. Don't swear! | | Or some joker who is slicker, |-----------------------------+ | Will trick you of your liquor, | Knut Torgersen | |If you fail to lock your liquor with a lock. | knutt@ifi.uio.no | +----------------------------------------------+-----------------------------+ ------------------------------ Date: Thu, 29 Aug 91 14:39:00 +1000 >From: BOXALL@qut.edu.au Subject: Disassembler Info To all virus researchers, What disassembler do you use? At the Queensland University of Technology we use Sourcer by V communications. Is there anything better? Thanks for any information. Wayne Boxall Computer Virus Information Group Queensland University of Technology Australia ------------------------------ Date: Thu, 29 Aug 91 12:36:00 +0000 >From: Fridrik Skulason Subject: Re: Virus Simulator available (PC) I fail to understand why the author of this program believes that anyone might find it of any use whatsoever. > Virus Simulator generates controlled programs infected with the > signatures (only) of every known virus available. Saying that something is "infected with virus signatures" is meaningless nonsense. A program is either infected with a virus or it is not - creating a file which contains bits and pieces from a virus does not make it virus infected. > Because Virus > Simulator has ability to harmlessly compile and infect with safe > viruses, it is valuable for demonstrating and evaluating anti-virus > security measures without harm or contamination of the system. To start with, there is no such thing as a "safe virus" - the Virus Simulator does not create viruses - therefore there is no reason why an anti-virus program should report any of the files it creates to be infected. In fact, all reports of viruses in the virus-simulator files should be considered to be false alarms, as the files are not infected at all. > The infected programs can be renamed and copied to other disks and > directories as bait for virus detecting programs. So what ? The programs are not viruses, and there is no reason why they should be reported as such. Even if a virus scanner happens by chance to use a signature contained in one of the virus fragments, and might therefore report the file as infected, this is of no interest at all. > terrorists, are much more difficult to test with. The test viruses > generated by Virus Simulator are safe and sterile, but form a validation > test suite that trigger vigilant virus detectors. Bullsh*t! The files created by the Virus Simulator may cause some virus scanners to trigger in some cases, but a perfect virus detector should be able to determine that the files are not viruses, and should not trigger at all. > Virus > detecting programs that fail to find these simulations may indeed > discover their real counterparts and variations, but should only be > trusted after that ability is demonstrated. This statement is highly misleading. If the author of an anti-virus program has not supplied the author of the Virus Simulator with his signatures, there is no guarantee that the scanner will detect the simulated viruses. Also, if the scanner requires the signature to be located at a specific offset, or uses an algorithmic approach to detect some viruses, it will probably not detect anything in the "simulated" files. > No virus protection program will ever be effective without the > cooperation of its users, and Virus Simulator provides a means to verify > compliance with established security procedures. Huh ? "Established security procedures" ? The only thing the Virus simulator is able to test is if virus scanners which use publically available signatures, which are included in the Virus Simulator will indeed detect the viruses they claim to detect. As a general tool for testing and comparing virus scanners it is totally useless. I only hope that the author of the program realizes soon how useless it is... - -frisk ------------------------------ Date: Thu, 29 Aug 91 13:34:27 +0000 >From: hartnegg@sun1.ruf.uni-freiburg.de (Klaus Hartnegg) Subject: Re: Self-scanning executables (PC) vaitl@ucselx.sdsu.edu (Eric Vaitl) writes: > I started thinking about self scanning executables again. >Unfortunately, it was way to easy to write myself a virus which gets >around the whole damn thing. Here is what it does: >[...] Great idea to publish this on the net. You can be sure that such viruses will appear very soon now. - -------------------------------------------------------------------------- Klaus Hartnegg, Kleist-Str. 7, D-7835 Teningen, Germany | include standard Bitnet : hartnegg@dfrruf1 or hartnegg@cernvm | disclaimer here! Internet : hartnegg@ibm.ruf.uni-freiburg.de | ------------------------------ Date: Thu, 29 Aug 91 14:38:19 +0000 >From: monta_l@dist.dist.unige.it (Luciano Montanaro && Marco Gualdi) Subject: Experiment with virus I have a Ms-Dos 386 with Dos 3.30 and 80 Mb HD, 3 partitions. I want to do some experiment of controlled propagation of viruses (on floppies, of course) whithout risks for my HD. Which of the follow is the security level that I should use? 1 ) Unplug the power cable of HD. (what about the controller ?) 2 ) Set the CMos data to no Hard Disk 3 ) Write in the partion table that every partition is write protected. Thanks a lot for your suggest. _______________________________ | According to the latest official figures, __/~\_______/~\____/~~~~~~~\___ | 43% of all statistics are totally worthless. __/~~\_____/~~\___/~\_____/~\__ | ____________________________________________ __/~~~\___/~~~\___/~\_____/~\__ | Marco Gualdi --- MaGu on irc __/~\/~\_/~\/~\___/~\__________ | (monta_l@dist.dist.unige.it) __/~\_/~~~\_/~\___/~\__/~~~~\__ | _____________________________________________ __/~\__/~\__/~\___/~\_____/~\__ | To be sure of hitting the target, shoot first __/~\_______/~\___/~\_____/~\__ | and, whatever you hit, call it the target. __/~\_______/~\____/~~~~~~~\___ | _____________________________________________ ------------------------------ Date: 29 Aug 91 12:22:57 -0400 >From: Jon Freivald <70274.666@CompuServe.COM> Subject: Correction for bboard number Oops... Seems in my message about my shell program (Viruschk) for the McAfee software, I listed my voice # as the BBS #... The right # is: (516) 483-5841, N-8-1, 300-2400 + 9600 HST Sorry for the inconvenience! Jon Freivald ------------------------------ Date: Thu, 29 Aug 91 10:49:30 -0600 >From: Jesus Miguel Garcia Subject: Virus dictionary sought Any Dictionary about viruses? Where can i get it? And, I heard about Virus Simulation, Its a new version? Where is it? Thanks... Oh, I heard about a virus called Kamikaze, F-Prot detect it, but Scan of Mcaffe no...its a virus, or a ghost? Thanks once again, Miguel Garcia Rodriguez Monterrey, N.L. Mexico ------------------------------ Date: 29 Aug 91 16:44:22 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: The Tenbytes virus mutates! (PC) Hello, everybody! It seems that nobody has noticed that the Tenbytes virus, which has been posted accidentally on Valert some time ago (two years? one year?) is able to mutate. The virus itself is not encrypted, that's why all virus scanners are able to detect all its mutations. However, programs that try to disinfect the infected files and therefore have to check them very carefully, are very confused to discover that the scan string of the virus is present, but not where it is expected. What the virus does? First of all, it only mutates when it infects EXE files. All infected COM files look in the same way, and the disinfectors have no problem to remove the virus from them. However, when the virus infects an EXE file, it changes its entry point to point to on of three (if I'm not wrong) different places in the virus body. The selection is random. The two good disinfectors that I've tried - Dr. Solomon's Anti-virus Toolkit 5.13 and F-Prot 1.16 both were unable to disinfect all infected EXE files. They claimed that this is a new variant of the virus, which obviously was not the case, since I infected them from a COM file, which was recognized as infected exactly by the Tenbytes virus. I haven't tried CLEAN v80 yet. Can anybody who has experience with this virus (Dave? Frisk?) to confirm these results? Regards, Vesselin ------------------------------ Date: 30 Aug 91 13:59:24 +0000 >From: schnitzi@osceola.cs.ucf.edu (Mark Schnitzius) Subject: 'Legalize Marijuana' virus (PC) A PC in our office appears to have been infected by a virus that left a message in our partition table. The message reads 'Your computer is stoned. Legalize marijuana'. It seems to me that I've heard of the virus before. Sorry if this has been asked before, but has anyone seen this before? How dangerous is it? What can I do about it? Thanks in advance, Mark Schnitzius schnitzi@eola.cs.ucf.edu ------------------------------ Date: Thu, 29 Aug 91 10:24:51 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: When is it active? FUNGEN5.CVP 910828 Viral activation In attempting to protect against viral infection, and particularly when trying to disinfect systems, it is important to bear in mind the times that the virus is actively "infectious". The viral activation is not the same as the activation of the payload that a virus may carry. For example, the payload of the original "Stoned" virus was a message which appeared on the screen saying "Your PC is now Stoned!". This message only appears at boot time, and on only one eighth of the times the computer is rebooted. The virus, however, is infectious at all times, if it has infected the hard disk. There are basically three possibilities for the infectious period: now ("one-shot"), during program run ("while called") or from now on (resident). These periods may be modified by other circumstances. A resident virus may remain in memory, but only be actively infecting when a disk is accessed. A "while called" virus may only infect a new program when a directory is changed. "One-shot" viri only get one chance on each "run" of the infected program. The viral code will seek out and infect a target program. They then pass control to the original program, and perform no further functions. These are, of course, the simplest of the viral programs. Mainframe "mail" viri are generally of this type. The second class will activate when the infected program is called, and then pass partial control to the original program. The virus, however, will remain operational during the time that the infected program is running. If this can be accomplished, it is only a slight jump to write a fully memory resident virus. Resident viri are the most successful, and the most dangerous, of viral programs. A resident virus will become active when an infected program is run (or at boot time for boot sector infectors), and remain active until the computer is rebooted or turned off. (Some viral programs are even able to trap the rebooting sequence that is normally called when you press Ctrl- Alt-Del on an MS-DOS PC, and thus are able to survive a "warm boot.") The most successful of the file infectors, the Jerusalem virus, is resident, as are all boot sector infectors. (For fairly obvious reasons; the boot sector is never "called" in normal operation.) If a virus is active in memory, it is a waste of time trying to disinfect a file or disk. No sooner is the file "cleaned", than it becomes a suitable target for re-infection. You may try to disinfect a hard disk right down to performing a low level format: as soon as the disk is reformatted it may be infected all over again. This is why all directions for disinfection stress the necessity of "cold" booting from a disk that is known to be free of infection before attempting any cleanup. copyright Robert M. Slade, 1991 FUNGEN5.CVP 910828 ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 151] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253