VIRUS-L Digest Friday, 6 Sep 1991 Volume 4 : Issue 158 Today's Topics: Administrivia More about F-PROT 2.00 (PC) Official word from Mcafee (was: can't load vshield into high mem) (PC) Hoffman's List or Similar (PC) NFS security query - msdos virus Re: Experiment with virus Re: Viruses more common in Mac environment? re: FPROT 2.0/MIRROR conflict (PC) Virus Simulator (long) (PC) Re: McAfee question (PC) Re: scan (PC) Re: Computer Abuse Amendments Act of 1991 Jerusalem help needed (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 06 Sep 91 12:08:06 -0400 >From: "Kenneth R. van Wyk" Subject: Administrivia I will be out of town next week, so VIRUS-L/comp.virus activity will be intermittent at best. If I can get to a terminal with network access, then I will make every effort to send out a couple digests. Otherwise, activity will resume next weekend. Sorry for any inconvenience. Ken Kenneth R. van Wyk Moderator VIRUS-L/comp.virus Technical Coordinator, Computer Emergency Response Team Software Engineering Institute Carnegie Mellon University krvw@CERT.SEI.CMU.EDU (work) ken@OLDALE.PGH.PA.US (home) (412) 268-7090 (CERT 24 hour hotline) ------------------------------ Date: Thu, 05 Sep 91 17:17:06 +0000 >From: Fridrik Skulason Subject: More about F-PROT 2.00 (PC) It now seems that there are a few bugs in version 2.00 of F-PROT - which means that 2.01 will be released earlier than expected. The problems are: Inability to scan for boot sector viruses on large (>32M) partitions under Zenith DOS 3.30 Plus. The program does not have any problems with DOS 4 or DOS 5, however. F2.EXE does not work in interactive mode on machines with an XGA-adapter, and only displays a blank screen. The same happens on certain machines with a colour adapter, but B/W displays. If used in the DOS box under OS/2 to scan the active swap file, the program will crash. VIRSTOP.EXE seems to conflict somehow with MIRROR from Central Point. I hope I will have a new version ready before I go on vacation on the 7th. - -frisk ------------------------------ Date: Fri, 06 Sep 91 14:32:23 +0000 >From: dbarlow@na.novell.com (Doug Barlow) Subject: Official word from Mcafee (was: can't load vshield into high mem) (PC) Here is the answer I received from Mcafee, the makers of Vshield: - ------------------------------------------------------------------- To: dbarlow >From: mcafee@netcom.netcom.com Subject: Re: can't load vshield into Date: 09-05-91 Time: 12:29a Hello Mr Barlow, We're currently "experimenting" with loading VSHIELD in high memory in the office. However, it is not something that is officially supported or universally tested. But, if you feel like experimenting, here's what we've found out: You need to have a contigious block of 112Kb free to load VSHIELD into. When VSHIELD installs itself, it decompresses its code which takes up this much space. >From then on, it's the normal 34Kb of memory used up, though. While loaded high, VSHIELD can not be removed with the /REMOVE option, and you will be able to load it into conventional memory if you try to. We have tested this on several 386/25's with OPTi chipsets and AMI BIOSes. You're mileage may vary :-) Seriously, though, if you have any different results, I'd appreciated hearing about them. Regards, Aryeh Goretsky McAfee Associates Technical Support PS: Remember, this isn't "officially" supported currently. If any problems arise, you may have to go back to loading VSHIELD into conventional memory. Did I mention that the steps I previously outlined to you were using MS-DOS 5.00? I haven't had a chance to check with DR-DOS 5.00 or DR-DOS 6.0Beta. - -------------------------------------------------------------------------- Doug Barlow Email: DBARLOW@NA.NOVELL.COM Software Testing Novell, Inc. Provo, UT Standard Disclaimer applies...... - -------------------------------------------------------------------------- ------------------------------ Date: 06 Sep 91 13:43:30 +0000 >From: csaw@hippo.ru.ac.za (Avron Welgemoed) Subject: Hoffman's List or Similar (PC) I'm trying to get hold of a copy of the latest Patricia Hoffman Virus List, or similar detailed Virus listing. I din't yet have FTP access, so am looking for a copy through Email. Thanx Avron - --------------------------------------------------------------------------- Avron Welgemoed - Computer Science - Rhodes University Grahamstown - South Africa Internet: csaw@hippo.ru.ac.za ------------------------------ Date: Fri, 06 Sep 91 11:24:48 -0500 >From: Joe Simpson Subject: NFS security query - msdos virus Miami University operates a mixed Macintosh, Ms-Dos, Unix, VMS network in support of office automation and instruction. Recently a serious virus infection disrupted this network. Every MS-DOS machine on the network was infected with the Sunday virus. Applications on the NFS file server were infected. This has led to an exploration of file protection and security options on NFS servers. We request references on NFS file permissions and security. I would also be interested in a brief correspondence with someone using NFS to share MS-DOS applications. I am interested in the protection strategies used at such sites. I am also interested in applications that can run from a read only subdirectory. Thank you ------------------------------ Date: Fri, 06 Sep 91 13:50:24 +0000 >From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: Experiment with virus PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes: > [ .... ] wipe all the diskettes with a magnet* [ .... ] Better yet, run by Radio Shack and pick up a degausser, normally used on audio cassettes. My experiences with magnets has been disappointing. Seems like they cost less than $20, which is cheap insurance. - -- Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or My opinions, not theirs. SCI Systems, Inc. gary@sci34hub.sci.com Become a pheresis donor. Loan your blood to the Red Cross for a couple of hours. They, and cancer patients, will appreciate it. ------------------------------ Date: 05 Sep 91 20:03:09 +0000 >From: bdrake@oxy.edu (Barry T. Drake) Subject: Re: Viruses more common in Mac environment? Viruses spread more easily in the Mac environment because a program is run every time a diskette is inserted: the desktop. On our campus there is an extremely high contamination of viruses among students (and their floppies) because they swap and share diskettes fairly freely. Our faculty members are more likely to use anti-virus software because they can get the college to pay for it :-). In six years of working with primarily IBM PC's, I have seen *one* diskette infected (with Stone-B and Ping Pong-B); it came from off campus via a research assistant (from her workplace). So, in my experience, Mac viruses are more common. - --Barry (bdrake@oxy.edu) ------------------------------ Date: Thu, 05 Sep 91 15:29:23 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: re: FPROT 2.0/MIRROR conflict (PC) >From: Diskmuncher > There are other conflicts that VIRSTOP sseems to have with >Central Point Software's PC Tools Deluxe programs. During the >beta-test phase (I haven't tried it since receiving the official >release) I discovered that if VIRSTOP is loaded AFTER PC-SHELL goes >resident (TSR), the PC will crash when you load a program of any >significant size (i.e. FORMAT worked, but DOSSHELL (DOS 5.0) crashed). Afraid this is not a conflict but rather a DOS charactoristic that most Netware administators are aware of: there are many programs such as PC-SHELL and LOGIN.EXE that shell other executable files during their operation then, when operation is complete, remove themselves from memory and release the memory they were using to DOS. Unfortunately, if a program went TSR from the shell, DOS cannot de-allocate the memory. In the case of PC-SHELL, I suspect that the spawning process examines the requested program to determine if there is sufficient memory to run the request. If there is, PC-SHELL just spawns a new CLI to run the program. If the program is larger, PC-SHELL will swap itself out before running the new program. Consequently, VIRSTOP must be small enough that PC-SHELL does not swap out and once VIRSTOP is resident, PC-SHELL is no longer able to swap, hence the problem. I suspect that somewhere in the PC-SHELL documentation there is a warning about loading all TSRs prior to loading PC-SHELL. Padgett ------------------------------ Date: Thu, 05 Sep 91 15:29:50 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Virus Simulator (long) (PC) turtle@darkside.com (Fred Waller) writes: (hope I have the author correct, this is getting confusing) > Currently, there is no independent means of testing and verifying > virus software. Simply having the word of a seller/producer has, of > course, never been enough, and is not likely to ever be; the danger > of collusion is simply too great for any reasonably-cautious > consumer to accept it blindly. Well, this is not quite true, the means are redily available, it is having a good sample of viruses to test that is the problem for most people. Personally, I have a write protected Bernoulli disk that is chock full of viruses (I have a policy of not distributing them so please do not ask) and an XT with a 10 MB ST-412 disk (street value >$300) that is used for infection. To test a new anti-viral product, the detection part is run against my infected disk to see how many it finds (what they are called is often both entertaining and informative). Next, I go through a series of infections of the XT to see what happens. Other than starting with easy ones like Jerusalem and Sunday then working my way up, there is no particular pattern other than all of the "common" ones are tried plus a random mix of other classes. Other than the viral collection, a duplicate could be assembled by anyone for under $1000 in equipment and the Bernoullis make restoration easy. This has been effective for several years but lately, I am starting to wonder if something more is needed since there are apparantely high memory and network specific viruses around. Probably to stay current, will have to add a 386 with 4 MB & Netware (less than $1000 including another ST-412) and a PPI for the Bernoulli) - think I have most of what is needed lying around. The point is that for less than $3000 (under $2000 if you want to scrounge) all of the equipment necessary for an effective virus analysis lab (PC) can be had. Add a few bucks for software and all of the tools are in place. The hard part is to find the experience necessary to perform the testing and accurately analyze the data. Padgett ------------------------------ Date: Thu, 05 Sep 91 19:48:48 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: McAfee question (PC) laughner@odin.cc.nd.edu (Tom Laughner) writes: >We are currently evaluating the McAfee anti-virus program. Specifically, >I know that the Norton TSR will detect infected files as they are being >copied. Is there any way to get the McAfee TSR to do this? I've been >testing with ver. 8.0 and had used VSHIELD and VSHIELD1. The current (Version 80-B) version of VSHIELD does not check files as they are being copied. The next release (should be going into beta today) will. >Anyone done side-by-side testing of both Norton and McAfee? What are >your impressions? I think the January 7, 1991 edition of PC Week had a comparison, as well as the August, 1991 edition of Byte. >Tom Laughner >Consultant/Analyst Regards, Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Thu, 05 Sep 91 19:55:00 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: scan (PC) ZDCBCRAMER@qut.edu.au writes: >We had someone come in the other day with a disk infected with the >Keypress virus, the infected files had been renamed to .BAD. > >So I renamed them to .COM and scanned them, no virus. When we checked >they were .EXE files, so we renamed them and guess what, scan found >the keypress virus. Since the KeyPress virus only infects .EXE files only, we do not, by default look for it in .COM files. If you wish to force VIRUSCAN to look inside of files with non-standard extensions, either use the /E option to add the extension to the default list of extensions scanned or use the /A option to force VIRUSCAN to search through all files on the disk (lengthy, but useful). >+--------------------------------------+------------------------------+ >| Mark G. P. Cramer. | Sig!, /\_|\ | >| Operations Manager, CBE Section | Sig a sog!, / QUT>\ | >| Queensland University of Technology. | Sig it loud!, ( __ | | >| Australia. | Sig it strog! -- \/ | >| Ph. 07 8642073. Fax 07 8641525. | Karen Carpenter v | >| M.Cramer@qut.edu.au | with a cold! | >+--------------------------------------+------------------------------+ Aryeh Goretsky McAfee Associates Technical Support - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: 05 Sep 91 20:43:37 +0000 >From: kent@sunfs3.bos.Camex.COM (Kent Borg) Subject: Re: Computer Abuse Amendments Act of 1991 In reading the bill, it occured to me that it might outlaw some copy protection schemes, and that that might be a good thing. Imagine a copy protection scheme. It installs itself on your hard disk, does secret things you don't know about. Now imagine it goes bad and causes some trouble. Say the computer refuses to boot because of something in the copy protection scheme. Say a company is without their computer for a day as a result. That could easily cause lots of damage, easily over the $1,000 limit I saw in the bill. The copy protection didn't *intend* to do damage, but it had a bug. Compare that to a virus. It installs itself on your hard disk, does secret things you don't know about, but that is all it intends to do (Mac viruses are like that, none of the current crop try to erase disks or anything nasty like that). Now imagine it goes bad and causes some trouble. Say the comuter refuses to boot because of something in the virus. Say a company is without their computer for a day as a result. That could easily cause lots of damage, easily over the $1,000 limit I saw in the bill. The virus didn't *intend* to do damage, but it had a bug. How do you write a bill which outlaws one behavior but not the other? It seems that they are doing very similar things. Maybe an antivirus law should outlaw some forms of copy protection?? - -- Kent Borg internet: kent@camex.com AOL: kent borg H:(617) 776-6899 W:(617) 426-3577 "Conservatives rarely think beyond their own experiences." - my Mom ------------------------------ Date: 06 Sep 91 05:58:01 +0000 >From: p4tustin!ofa123.fidonet.org!Scott.Marks@uunet.uu.net (Scott Marks) Subject: Jerusalem help needed (PC) Does anyone know of the Jeru. virus HELP! - --- Opus-CBCS 1.14 * Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0) - -- Scott Marks Internet: Scott.Marks@ofa123.fidonet.org Compuserve: >internet:Scott.Marks@ofa123.fidonet.org ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 158] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253