VIRUS-L Digest   Friday,  8 Feb 1991    Volume 4 : Issue 23
******************************************************************************

Today's Topics:

Antivirus-Plus review (PC)
Virus questions (PC)
Too much on infection checkers
Reporter seeks help on story about a Mac virus (Mac)
Boot sector self-check (PC)
Alameda/Yale (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 04 Feb 91 11:05:46 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Antivirus-Plus review (PC)

Comparison Review

Company and product:

Techmar Computer Products
97 - 77 Queens Blvd.
Rego Park, NY  11374
USA
718-997-6800
Antivirus Plus (purported "AI vaccine")

Summary: Protection against major known viri and some viral type
activities from new or unknown viri.  Easy setup with no requirement for
user decisions, but strong possibility of interference with normal
computer operations.  If used, it is recommended that experienced viral
specialists be available to handle infections identified.  Not
recommended for systems with frequent changes in software or
configuration.

Cost $99.95 US

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation            2
            Ease of use             4
            Help systems            1
      Compatibility                 2
      Company
            Stability               3
            Support                 ?
      Documentation                 2
      Hardware required             2
      Performance                   2
      Availability                  2
      Local Support                 1

General Description:

CURE is a manual scanning program with disinfection features.  IMMUNE2
is a resident scanner that checks files as they are loaded, disks when
accessed, and memory when the program is first loaded.  PREVENT1 is a
resident vaccine program.

Antivirus-Plus will detect infections by currently common viri.  The
promise of detection of unknown viri is possible, but not likely in the
case of more advanced viral programs.  Recommended only for situations
using the computer in fairly limited and standard fashion, where
automated attendance is a primary concern.

                 Comparison of features and specifications

User Friendliness

Installation

Antivirus-Plus appears to require installation from the A: drive onto a
hard disk.  It is possible to install onto a floppy disk, and it is
possible to install from a drive other than A:, but it will continue to
request a "writeable" disk in A:.

The documentation states that removal from the hard drive requires
"de-installation", but this does not appear to be the case.

Installation is almost completely automated.  Modification of
AUTOEXEC.BAT is not sophisticated, but did not cause problems in testing.

Ease of use

IMMUNE2 and PREVENT1 are automatic, background processes which operate
without operator attention.  When the programs "identify" a process,
they do not do so either by virus name, or by identity of infected
program.  The user is requested (by IMMUNE2) to run CURE, but no
parameters are given.  See also "Compatibility" regarding false alarms.

Help systems

None provided.

Compatibility

Both CURE and IMMUNE2 identify common and well known viri, although not
always by the "standard" names.  Jerusalem-B is identified as "Black
Friday #1", for example.

All Antivirus-Plus programs are fairly noisy about their detection of a
virus, viz. the message that appears when IMMUNE2 is invoked while a
virus is present in memory:

>                            +==========================+
>                            "        Warning !!        "
> Fri 1-18-1991 13:02:09.49  "  You are using an        "
> A>antvirus\immune2         "  infected disk(ette).    "
> !! A Virus is present in y "                          "
> !! Removing the virus now  "  Use ANTI VIRUS "cure"   "
> !! A Virus is present in y "  program to remove virus."
> !! Removing the virus now  "                          "
> !! A Virus is present in y "  Hit any key to continue "
> !! Removing the virus now  +==========================+
> !! A Virus is present in your computer memory !!
> !! Removing the virus now !!
> !! A Virus is present in your computer memory !!
> !! Removing the virus now !!
> !! A Virus is present in your computer memory !!
> !! Removing the virus now !!
> The ANTI-VIRUS immunity program is now resident.

The same window, without quite so much "background noise", appears when
any disk, infected with a known boot sector virus, is accessed, even by
a directory request.  It also appears when an infected program is run,
and states that the program has been disinfected.  The program is *not*
disinfected on disk, but the virus appears to be barred from memory.
(Note that the virus in memory which triggered the display above was
not removed from memory, but was rendered inactive.)

The PREVENT1 program, however, fares rather worse.  It does not appear
to prevent any change to the boot sector, and therefore it seems that
new boot sector viri will be undetectable by the program, unless they
are very crude.

This problem, however, is pale in comparison with the problems PREVENT1
will cause with normal, uninfected, programs.  If you use a program
(such as a word processor) to delete or modify a program file, PREVENT1
will halt program execution.  This may not seem like a big deal: after
all, how many people use (as I do) Word Perfect as a disk manager?
However, some programs, Word Perfect among them, make changes to the
program itself when you change some part of the configuration, and
PREVENT1 will stop this as well, telling you:

> Set-up Menu
>
> 0 - End Set-up and enter WP
>
> 1 - Set Directories or Drives for Dictionary and Thesa
> 2 - Set Initial Settings
> 3 - Set Screen and Beep Options
> 4 - Set Backup Options                 +==========================+
>                                        "        Warning !!        "
> Selection: 0                           "  You have been running   "
>                                        "  an infected program.    "
> Press Cancel to ignore cha             "                          "
>                                        "  PREVENT1 has removed the"
>                                        "  memory infection !      "
>                                        "                          "
>                                        "  Hit any key to continue "
>                                        +==========================+

It is, therefore, inadvisable to use Antivirus-Plus on a system which
undergoes frequent changes in this manner.

PREVENT1 is not completely consistent here.  Word Perfect is halted
when trying to delete a program file, PCTOOLS is not.  It is,
therefore, quite possible that some viri may slip past this protection.

Company Stability

Techmar is the distributor of Antivirus-Plus and other IRIS products in
the United States.  Fink Enterprises, which distributes IRIS products
in Canada, will not carry Antivirus-Plus.

Company Support

Help line support was not used in testing.  Techmar shipped very
quickly, but did not properly identify the package, which created
problems at the border.

Documentation

Documentation is provided solely on disk.  The directions are clear and
readable, but very little information is provided beyond the most basic
installation information.  Some information in the documentation is
not consistent with program operation, but not to the point of
preventing installation or operation.

Hardware Requirements

Documentation states hard disk required, but this can be avoided.  Disk
"wants" to be installed from A: drive.

Performance

IMMUNE2 and CURE will identify many common viri.
They fail to identify the AIDS virus, which is interesting in that,
while AIDS infections are not common, the virus source code is
available and widely known to researchers.  (CURE was the first
"scanning" program tested that was not able to identify the virus.)

PREVENT1 will prevent some disk writes to program files, but allows
others to pass, including the deletion of program files.  It apparently
does not check any writes to disk boot sectors or "bad" sectors.

Local Support

None stated or found.

Support Requirements

Alarms will likely require intervention by experienced personnel.

copyright 1991 Robert M. Slade
Vancouver         p1@arkham.wimsey.bc.ca   _n_   Institute for
                  Robert_Slade@mtsg.sfu.ca  H    Research into
(SUZY) INtegrity                            /    User
Canada V7K 2G6                            O=C\   Security
Radical Dude                            | O- /\_
                                       /-----+---/ \_\
                                      /  | `   ||/      "A ship in a harbour is safe, but that
                                     /   ||`----'||       is not what ships are built for."
                                         ||    ||                        - John Parks
                                         ``    ``

------------------------------

Date:    Wed, 06 Feb 91 14:10:57 +0000
From:    boone@athena.cs.uga.edu (Roggie Boone)
Subject: Virus questions (PC)

I have 4 questions regarding computer viruses.  I am rather new to the
study of computer viruses and the texts that I have read have not
answered these questions for me.

1) I have seen the SCAN software (McAfee) scan a computer's memory for
viruses and noticed that it only scanned the base 640K of RAM.  Do
viruses typically not infect or use extended/expanded memory?  Are
there virus scanning packages that will scan the additional memory?  I
raise this question, because it seems I read somewhere that some
computers with certain memory management drivers may not erase the
contents of extended memory on a warm boot, and hence may not erase any
virus that may be sitting in extended memory.  (My memory isn't too
good on this topic).

2) Are there anti-virus packages (for PC or any computer) that use
artificial intelligence techniques to protect the system, or is such an
effort overkill?

3) Not meaning to plant ideas, but I was talking with a faculty member
in the dept. where I work, and the question arose as to whether a virus
could be transmitted to an orbiting satellite and cause the same havoc
that viruses cause us PC users.  Is this possible?

4) I have also noticed that SCAN, for instance, scans basically the
.EXE, .COM, .SYS, .OVL files in a directory.  Do viruses not infect
.TXT or .DOC files or maybe C (Pascal, Basic) source code?

I hope these questions have not recently been asked (I'm a new
subscriber to this group).  Thanks for any info about any or all of
these questions.

Roggie Boone  (boone@athena.cs.uga.edu)
Research Tech. III
University of Georgia

------------------------------

Date:    Mon, 04 Feb 91 08:21:56 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Too much on infection checkers

>From: "Nick FitzGerald"

>If a virus such as STONED infected a machine with a cherry "All is OK"
>message in the boot sector, you would continue to see this now
>terribly misleading message after the STONED code loaded and passed
>control to the original boot sector.

>If the "All is OK" boot sector did a check of the actual (physical)
>boot sector then it wouldn't give an erroneous message if the disk was
>infected with STONED or similar boot sector infectors, but it would
>still give a misleading report if a stealth boot sector infector
>struck, as the virus would intercept the attempt to read the boot
>sector and return the contents of the original from its hiding place.
>(This seems to be a lot of extra code to jam into a single sector...

Yes, it was, but the following capabilities were able to be placed into
512 bytes (with NONE left over though the ASCII and some of the "nice"
could be reduced) - remember, this is in the partition table, not the
boot sector:

 1) Validity check of disk access through BIOS
 2) Self-Check of own code (every byte)
 3) Validity check absolute sector 1 (every byte)
 4) Validity check of real partition table (every byte)
 5) Password control of disk access - unlimited length
 6) Print Logo
 7) Print error messages
 8) Lock system on error

Following Boot:

 1) Prevent read or write to check code
 2) Prevent write to partition table, hidden sectors, or first boot sector
 3) Prevent low-level format to entire disk
    (if a second physical disk is present, all also apply to it)
 4) Display error message if any of the above occur
 5) Provide verifiable direct access to disk services even if "stealth"
    infection occurs.
 6) Prevent DOS access to fixed disk(s) if booted from floppy.

This has been able to catch everything thrown at it so far (and my
collection is pretty good).  It seemed that every step of the way, other
possibilities opened up (this started out to be a simple password
protection scheme) though I will admit that lasagna code (spaghetti code
is traceable) was necessary and it kind of pulls itself up by its
bootstraps.  Just to make things sillier, the whole thing was written
using DEBUG since MASM or C did not provide enough control.  ("What I
did on my Christmas Vacation")

- --------------------------------------------------------------------------

>[J.] Christian Kohler  Keele university, csw76%keele.ac.uk@nsfnet-relay.ac.uk

>                                            Isn't it easy to build a
>self-checker into a program ( as suggested WP has done )?  I could
>imagine that you just check the .exe when it is running, you could
>play around with some XOR's to create a check.  You could even put the
>value in a separate file, as long as your checking algorithm is
>complex enough.

Problem is that with the "stealth" viruses, the original, uninfected
file is what is presented to the checker.  Unless you KNOW you have a
clean system, such checkers can be defeated by viruses already known.
(for fun, infect a disk with the 4096 and then run McAfee's excellent
SCAN with the /nomem switch (you don't do you?  I use /m whenever in
doubt which is often) set.)

                                        Padgett

(definitely my own views - no-one else knows what I'm talking about)
(well, maybe Chip Hyde or Andy Hopkins)

------------------------------

Date:    Wed, 06 Feb 91 18:23:10 +0000
From:    adamg@world.std.com (Adam M Gaffin)
Subject: Reporter seeks help on story about a Mac virus (Mac)

Hi, all!

I'm a reporter at the Middlesex News in Framingham, Mass.  The new
governor here had some trouble getting his budget to the Legislature
this week, allegedly because of a virus, and I'd be most grateful if
somebody could help me out with a story.

Seems one of his aides was up late finishing the budget on his Mac II
(as in 3 a.m.) for delivery to the Legislature that morning.  He had
just typed about 50 (!) pages of the document in MacWrite, when it
refused to save the document.  He eventually was able to retrieve an
early version of the document, which he had filed under a different
name, but those 50 pages were gone.  When he ran Interferon 3.1 he got
this message: "Virus Type 003 on the TOPS network."

The computer had been part of a LAN in the Office of Administration and
Finance but was taken off and moved to his office so he could work on
the document (the governor's office actually uses an old Wang system,
but since the guy was new and time was short, he figured he'd work with
what he already knew).  The office is now busy checking all the other
computers, of course, and the aide in question has been told to save
his documents more often!

So, does anybody know what kind of virus this might be and how common
it is?

And is it true that Mac viruses are easier to write than PC ones (one
of our PC people told me that; maybe she's biased :-) ).

And, in the Dumb Question of the Week category: how might the virus
have gotten into the network in the first place?  I assume it would be
somebody bringing an infected disk in from home (the LAN is not tied to
any other network), but might there be other ways (short of the
Dukakoids sabotaging the system, which I doubt, given they had no idea
it was going to be used to write the budget, since they did all that on
their Wangs).

Any help would be most appreciated!  Thanks!

Adam Gaffin
Middlesex News, Framingham, MA
adamg@world.std.com
Voice: (508) 626-3968
Fred the Middlesex News Computer: (508) 872-8461

------------------------------

Date:    05 Feb 91 10:29:26 -0500
From:    Steve Albrecht <70033.1271@CompuServe.COM>
Subject: Boot sector self-check (PC)

> From: gt154c@prism.gatech.edu (Gatliff, William A.)
> To help combat this, what would be the possibility of deliberately
> infecting ones boot-sector with a piece of code that would display
> some kind of 'ok' message if it hadn't been tampered with?

While waiting for the same type of self-check in the boot sector, we
have developed a small program (so far only intended to protect
ourselves against reinfection by the Stoned virus) which does the
following:

1.  Reads the partition table sector (absolute sector 1).
2.  Compares the sector with a previously saved copy of absolute sector
    1 (in a DOS file).
3.  Writes (using Int 13h) the saved copy to absolute sector 1 in the
    event of a discrepancy.
4.  Immediately reboots the machine with a system reset (hard boot).

This program is placed in the AUTOEXEC.BAT file (this does lead to the
possibility that the process can be disabled very easily).  A separate
initialization program is used to save the "clean" copy of absolute
sector 1 (necessary for step 2 above).  This file must be saved at a
time when the sector is known to be clean.  We have used McAfee's SCAN
and direct examination of the sector with a low-level sector editor to
verify that absolute sector 1 is "clean".

The immediate reboot (step 4) is necessary because the Stoned virus is
still in memory at this point, and a reboot will prevent the virus from
rewriting itself to the partition table.

This process monitors and corrects problems in absolute sector 1 only.
If a virus changes additional sectors, this process will restore the
original code in the partition table, and the system should boot
normally, if no changes have been made to the boot sector (logical
sector 1).

This process is not as complex as programming a self-check into the
code contained in the partition table sector, and is perhaps not as
effective as a deterrent to partition table viruses in general.
However, it works very effectively against the Stoned virus.  We have
not had a chance to test it against other partition table viruses.  One
caveat, though, is that this process will not work against a virus
which somehow prevents the write operation in step 3 above.  Luckily,
the Stoned virus does not interfere.

One additional benefit we have realized is that in the case of
accidental corruption of the partition table, the saved copy can be
found with a low-level sector editor, and restored to absolute sector
1.  We haven't had cause to use this benefit yet, but it is there if
the need arises.

We will likely improve on this program (barring availability of a
commercial alternative), but I share the idea for what it may be worth
to any of you who have been plagued by pesty comments about
legalisation.

Steve Albrecht
70033,1271@compuserve.com

------------------------------

Date:    Wed, 06 Feb 91 24:45:00 -0800
From:    Michael_Kessler.Hum@mailgate.bitnet
Subject: Alameda/Yale (PC)

Someone just brought in 3 diskettes, 2 of which contained only text
files, the last one contained an application.  None of them were boot
diskettes (although they may have been originally and someone simply
erased the command.com file).  F-Prot's (version 1.13) F-Disinf claimed
that all three had the Alameda/Yale virus.  But when asked to clean the
boot sector, I received the message that the virus could not be
removed, no boot sector was found.  Copying the files to a new disk and
reformatting the disks solved the problem.  But is there any
explanation for finding the virus in an infected boot sector that then
cannot be found?

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 23]
*****************************************
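Added example, not part of the digest and not code from any of the
contributors above: a baseline comparison for the partition table sector
(absolute sector 1, the MBR), in the spirit of Padgett Peterson's checks
3 and 4 and of steps 1 to 3 of Steve Albrecht's program.  It takes a
saved 512-byte image of the sector and a freshly read one, reports
separately whether the boot code, the partition table or the 55h AAh
signature changed, decodes the partition entries so a discrepancy can be
read rather than just counted, and decides whether the saved copy should
be written back and the machine reset.  Reading the sector itself (Int
13h in Albrecht's program, a raw device read today) is left out; both
images here are constructed in the block.  The 446-byte boot code, four
16-byte entries and two-byte signature are the standard MBR layout.  One
deviation from Albrecht's program is labelled in the code: a change to
the table alone, with the boot code untouched, is flagged for review
instead of being overwritten.  As both posts point out, the comparison
is only as trustworthy as the read behind it; a stealth infector that
hands back the original sector defeats it, so the check belongs on a
boot from known-clean media.

```python
"""Baseline check of the partition table sector (absolute sector 1 / MBR).

Added example, not code from any VIRUS-L contributor.  Both sector images
used below are constructed in this file; a real deployment would read the
sector from the disk and load the baseline from a file saved while the
sector was known to be clean.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
SIGNATURE_OFFSET = 510       # bytes 510..511 hold 55h AAh
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY = struct.Struct('<B3sB3sII')


def build_sample_sector(boot_code_fill, signature=b'\x55\xAA'):
    """Construct a sample MBR: a short jump plus filler as boot code, one
    active FAT16 primary partition starting at LBA 63, three empty slots."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + bytes([boot_code_fill]) * (PART_TABLE_OFFSET - 3)
    entry = PART_ENTRY.pack(0x80, b'\x00\x01\x01', 0x06, b'\x7f\xff\xff', 63, 204800)
    table = entry + bytes(16) * 3
    sector = boot_code + table + signature
    assert len(sector) == SECTOR_SIZE
    return sector


def has_boot_signature(sector):
    return sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b'\x55\xAA'


def parse_partition_table(sector):
    """Return the non-empty entries of the four-slot partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('expected a %d-byte sector image' % SECTOR_SIZE)
    entries = []
    for slot in range(4):
        status, _, ptype, _, lba_start, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue                     # unused slot
        entries.append({'slot': slot, 'bootable': status == 0x80,
                        'type': ptype, 'lba_start': lba_start, 'sectors': count})
    return entries


def compare_sector(baseline, current):
    """Compare a freshly read sector against the saved clean copy, region by region."""
    return {
        'identical': baseline == current,
        'signature_ok': has_boot_signature(current),
        'boot_code_changed': baseline[:PART_TABLE_OFFSET] != current[:PART_TABLE_OFFSET],
        'partition_table_changed': (baseline[PART_TABLE_OFFSET:SIGNATURE_OFFSET]
                                    != current[PART_TABLE_OFFSET:SIGNATURE_OFFSET]),
        'baseline_sha256': hashlib.sha256(baseline).hexdigest(),
        'current_sha256': hashlib.sha256(current).hexdigest(),
    }


def decide_action(report):
    """Albrecht's steps 3 and 4: a discrepancy means write the saved copy back
    and reset at once, before a resident infector can re-write the sector."""
    if report['identical']:
        return 'ok'
    if report['partition_table_changed'] and not report['boot_code_changed']:
        # Deviation from Albrecht's program (my choice, not his): the table
        # changed but the code did not, which looks more like repartitioning
        # than an infection.  Flag it for a human instead of overwriting.
        return 'review'
    return 'restore-and-reboot'


if __name__ == '__main__':
    clean = build_sample_sector(0x90)
    altered = build_sample_sector(0x00)   # boot code overwritten, table intact
    report = compare_sector(clean, altered)
    for key, value in report.items():
        print('%-24s %s' % (key, value))
    print('partitions:', parse_partition_table(altered))
    print('action:', decide_action(report))
```

Run stand-alone, the block compares the constructed clean image with one
whose boot code was overwritten while the table was left intact, prints
the region-by-region report and the decoded partition entry, and ends
with "restore-and-reboot".  Hashing the two images is there for the log
line: the byte comparison is what drives the decision.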