VIRUS-L Digest   Monday, 11 Feb 1991    Volume 4 : Issue 25

******************************************************************************

Today's Topics:

"Virus" story
I need help !!! (PC)
FPROT and F-XCHK (PC)
Re: Virus questions (PC)
re: VAX/VMS and Viruses
New Leprosy signature? (PC)
Re: Virus questions (PC)
Re: Alameda/Yale (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 08 Feb 91 17:39:11 +0000
From:    adamg@world.std.com (Adam M Gaffin)
Subject: "Virus" story

Thanks to all who sent me e-mail on this.  Here's the story that ran in
the paper, but please read it with two caveats.  I got Ilene Hoffman's
first name wrong, and she did NOT say Mac hard drives are prone to
mechanical failure (what she said was that Mac owners are less likely to
do such things as run de-fragmentation programs and I, in my Stupid
Reporter mode, tried to write something the average reader would
understand).

Adam Gaffin
Middlesex News, Framingham, MA
adamg@world.std.com
Voice: (508) 626-3968
Fred the Middlesex News Computer: (508) 872-8461

Middlesex News, Framingham, Mass., 2/7/91

Expert: Virus unlikely budget bug

By Adam Gaffin
NEWS STAFF WRITER

BOSTON - State officials say a computer virus destroyed 50 pages of Gov.
Weld's budget proposal earlier this week, but a computer consultant with
experience in fighting the bugs says it sounds more like a case of
inadequate maintenance than anything sinister.

Michael Sentance of Maynard, a legislative aide to Weld, had typed in 50
pages of the governor's proposed budget on a Macintosh computer when he
tried saving the document to the machine's hard drive around 3 a.m. on
Monday - only a few hours before it was due to be submitted to the
Legislature.

But instead of being saved, the document disappeared, according to Liz
Lattimore, a Weld spokeswoman.  Sentance was eventually able to retrieve
an earlier draft, filed under a different name, minus the 50 pages, she
said.

When Sentance ran a program to check for the presence of viruses on the
machine, it responded with a message indicating a ``type 003 TOPS
network'' virus, Lattimore said.  TOPS is the name of the network used
by the Executive Office of Administration and Finance to connect its
Macintoshes.

Sentance had borrowed one of that office's computers because he was more
familiar with Macs than with the older Wang system in the governor's
suite, Lattimore said.

Viruses are small programs that can take control of a computer's
operating system and destroy other programs and data, and can be spread
through people unwittingly sharing ``infected'' programs or disks.

Lattimore said officials managed to transfer data from the ailing
computer to another machine, adding that they are now checking all of
Administration and Finance's Macintosh computers for possible infection.

But Eileen Hoffman of Needham, a Macintosh consultant, says what
happened to Sentance sounds more like a hard-drive ``crash'' than a
virus - something she said is potentially far more destructive.

A document that disappears when the user tries to save it onto the hard
drive usually means there is something physically wrong with the
computer's hard drive, not that it is under viral attack, Hoffman said.
Hoffman, who keeps three or four infected disks in a safe so that she
can test new anti-viral software, said the software that runs TOPS
networks is written in such a way that it can show up as a ``virus'' in
programs that check for viruses.  She said a ``Type 003'' virus is one
of these phantom ``sneak'' viruses.

Hoffman said Macintosh users are often more lax about maintaining their
computer's hard drives than users of IBM compatible machines, because
Macintoshes are aimed at people who do not want to have anything to do
with the hardware of their machines.  The Macintoshes were installed
during the Dukakis administration.

But even Mac hard drives require regular maintenance, she said.

She said she often gets calls from clients who blame disappearing data
or strange things on their screens on viruses, but that almost always
the problem is caused by a mechanical hard-drive problem.

She added that the particular version of anti-viral software Sentance
used is two years out of date.  Since new viruses are created all the
time, this means the software might not be able to detect one even if
the machine were infected, she said.

------------------------------

Date:    Fri, 08 Feb 91 18:12:00 +0000
From:    cdbenaiah@trillium.uwaterloo.ca ()
Subject: I need help !!! (PC)

Help!!!  I think I was savaged by a virus/trojan/nasty type of thing.
My hard drive (120 MB PS/2 ESDI drive) has been savaged.  It no longer
is recognized at boot up.  Apparently this virus thing or whatever wrote
over the partition table.  I ran fdisk and set up the original
partition, and now it recognizes my hard drive, but when I try to read
C: it says 'Invalid media type drive C'.  I can run Norton Utilities in
maintenance mode, and it will read the info on the disk, but otherwise I
can't read it.  When I run the technical information section of norton
it says my hard drive is a 360K drive :-(.

What can I do?  Am I toast forever, or is the data/directories
recoverable?
I was running FRECOVER from norton before it bombed, will this help?
Can Norton help?  Do I need something else like MACE utilities (I have
heard they can recover from this)?

The way I see it is the nasty tried to write its boot sector over the
hard drive, thus making it think it is a 360K floppy and just die.

What are my chances of data recovery here?  Can anyone recommend a
program to help, or better yet, send me one???

All help appreciated!  Please send mail right away - I need help
quickly!!!

Thanks in advance...

------------------------------

Date:    Fri, 08 Feb 91 08:55:30 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: FPROT and F-XCHK (PC)

I received an emergency call yesterday from one of the members of
INtegrity.  She had tried out a few of the FPROT programs, and found
them easy enough to use that she decided to experiment with the other
programs without reading the documentation....

== INtegrity > GrapeVine > Virus protection > Slade, Robert - INte ======

Subject: FPROT and F-XCHK
From Danielle Trottier:

I was glad I had downloaded the F-PROT program until today... but I
have no fear, thanks to Robert Slade I am still glad I did.

I was playing around and decided to trust that each program of F-PROT
would guide me as how to use it so that way I wouldn't have to read
through the entire literature that came with it...  So I used the
F-XCHK command before using the F-XLOCK and because of that, all .exe or
.com (absolutely everything... except for your basic DIR COPY TYPE
commands) answered me back with ACCESS DENIED...

I've learned my lesson.  I will definitely always read the literature
that comes with the software from now on.

=========

Just to add a little to Danielle's posting:

The documentation for FPROT does state quite clearly what must be done
before F-XCHK is used.  It also warns that F-XCHK is something that you
may not be able to use on your system.
Fortunately we were able to solve Danielle's problem quite quickly,
since she had not installed F-XCHK in the AUTOEXEC.BAT file.  F-XCHK
prevents any "non-F-XLOCKed" programs from running, but rebooting
removed F-XCHK from memory.

Robert Slade                    Institute for Research into User Security
p1@arkham.wimsey.bc.ca          (SUZY) INtegrity
Robert_Slade@mtsg.sfu.ca        Vancouver, Canada V7K 2G6
Radical Dude

"A ship in a harbour is safe, but that is not what ships are built for."
                                                          - John Parks

------------------------------

Date:    09 Feb 91 05:34:50 +0000
From:    ms@pogo.ai.mit.edu (Morgan Schweers)
Subject: Re: Virus questions (PC)

Greetings,
    In regards to the question about viruses loading themselves high...
No viruses as yet have the capability to place themselves high in
memory.  To understand why, look at it like this...  First you would
need a memory manager.  You can't assume that every system you infect
will have one, so you need to carry it around with you.  Then you need a
load-high routine (much less difficult).

    For Some Reason (tm) viruses don't successfully load high.  It may
be due to the oft-used technique of determining their own location and
modifying themselves thereby.  This may not be supported by the memory
managers I've tested viruses under.  I just received a new environment,
and will be testing to see if this is susceptible.

    If anyone has experience with a virus which successfully loaded
high, I would *VERY* much like to know!

                                                    --  Morgan Schweers

P.S.  No, viruses do not infect non-executable code on PC's.
P.P.S.  What sort of AI techniques were you thinking of?

------------------------------

Date:    Sat, 09 Feb 91 10:07:16 -0400
From:    Jerry Leichter
Subject: re: VAX/VMS and Viruses

Bert Medley asks for information about virus protection software for
VAX/VMS and Unix systems.
I'll leave it to others to speak about Unix - though I suspect the
answers will be pretty much the same - but the story in the VMS world
appears to be as follows:

- As far as I'm aware, no VMS viruses have been reported so far.  That's
  not at all to say that they can't be, or even haven't been, written;
  it's just that if there are any, they have either not spread much, or
  (if you insist on the paranoid view) are so good that no one has
  detected them yet.  Note that most of the PC world's virus detectors
  are based on scanning for known viruses (of which so far hundreds are
  known).  Since there are no known VMS viruses, it's meaningless to use
  a VMS virus scanner of this sort at this point.

- The protection mechanisms available on VMS (or Unix) are much more
  sophisticated than those on PC's.  Again, this doesn't mean that
  viruses can't be written; it just means that they are harder to
  write, will likely be bigger - and will have to use more elaborate
  mechanisms to spread.  In particular:  "Boot sector"-like viruses -
  which gain control during system boot - could only be inserted by
  software that managed to gain privileges.  Similarly, viruses that
  wished to take over system calls would first have to gain privileges.
  On both Unix and VMS, this would be true even for a viral program
  trying to take over only calls made by programs run subsequently, in
  the same login session, by the same user.  This means that some of
  the other common kinds of PC anti-virals - the boot-sector checkers
  and, particularly, the disk-write-monitors, are also pretty pointless
  on VMS systems.

  Actually, it even goes beyond that:  On VMS, it is possible to set
  alarms on files that will log messages if any attempt is made to
  modify them.  Turning the alarms off without setting off yet other
  alarms is quite difficult.
  Alternatively, the VMS on-disk structure is very complex; while a
  privileged program COULD write directly to the physical disk, it
  would require a lot of code for it to write to a particular block of
  a particular file without help from the file system (which could
  raise an alarm).  Note that on any PARTICULAR system, one could
  determine ahead of time just what to write where; but that doesn't
  help a virus, which must be able to survive on its own.

- On a VMS system with properly set up security, the most a virus could
  do is spread from one user's infected files, to other files he owns.
  If a user made an infected program available for others to run,
  anyone running the program could likewise see his files infected.
  However, unless an infected program were run by a privileged user,
  the virus could never gain privileges this way.  A good security
  policy INSISTS that privileged users run ONLY trusted software - a
  Trojan Horse run by a privileged user is at least as much of a threat
  as a virus, in practice probably much more so.

  One way to think about this is that on a properly run system, each
  individual non-privileged user account acts like its own private PC
  and disk.  Infections can spread within a PC/disk, but can only move
  from one to another by sharing.  A privileged user is someone who
  gathers up all the private disks and perhaps looks at them on his
  machine.  If he isn't careful, he can serve as a vector and spread a
  virus far and wide.

- It is simple on a VMS system to configure an account for an end-user
  which does not allow the end-user to create new executables, only run
  executables TO WHICH HE DOES NOT HAVE WRITE ACCESS.  Such an account
  is immune to viruses:  Even if one of those executables came to be
  infected, the virus in it couldn't spread, as it couldn't write to
  any other executables.
  (Yes, we can get into all sorts of theoretical discussions about what
  constitutes an "executable" if there are things like macros and
  interpreters around - but nothing of this sort has been observed "in
  the field" as far as I know.)

- The "infections" that have been reported on VMS systems have usually
  been network-related, and were not viruses in any real sense.  (They
  were self-propagating command files that relied on the fact that, in
  a more innocent time, VMS systems usually allowed remote users to run
  small programs in a default account.)

In summary:  If someone tries to sell you a VMS anti-viral package AT
THIS TIME, you should probably tell them to take a hike.  Better, put
them on the spot:  Don't let them tell you in general terms what their
package does, insist that they tell you IN DETAIL what risks they claim
you face, what evidence they have that those risks are real, and how
their product protects you from those risks in a way that the base
system does not.

                                                        -- Jerry

------------------------------

Date:    Sat, 09 Feb 91 16:06:46 -0500
From:    jguo@cs.NYU.EDU (Jun Guo)
Subject: New Leprosy signature? (PC)

Hi,

I downloaded the new signature file anonymous/pub/virus/pc/virus.new
from beach.gal.utexas.edu.  But then F-FCHK tells me Turbo Debugger 1.0
TD.OVL and Turbo C++ 1.0 TCLASSS.LIB were infected by Leprosy.  Is the
new signature appropriate?  The new signature is:

Leprosy iHNjpjKmumoXO8rHxotuxiWmtHW5mK4bD51CMK4Em5tnCG

When I use F-DISINF, it reported possible unknown virus infection.  I
use NEC MS-DOS 3.30 to get around the 32MB partition limit.  But is
there really some virus?  The dump of the boot by F-BOOT:

F-BOOT Shows the boot sector Version 1.14A - Jan.
'91

eb34 904e 4543 4953 332e 3300 0402 0100 0200 0219 aaf8 2b00 1100 0700 1100 0000
0000 0000 0004 0000 0000 0000 0000 0012 0000 0000 0100 fa33 c08e d0bc 007c 1607
bb78 0036 c537 1e56 1653 bf2b 7cb9 0b00 fcac 2680 3d00 7403 268a 05aa 8ac4 e2f1
061f 8947 02c7 072b 7cfb 8a16 fd7d cd13 7303 e980 00f6 0624 7c20 7405 c606 9004
54a0 107c 98f7 2616 7c03 060e 7ca3 3f7c a337 7cb8 2000 f726 117c 8b1e 0b7c 03c3
48f7 f303 0637 7ca3 3d7c e8cb 00a3 377c a13f 7ce8 c200 a33f 7cbb 0005 a13f 7ce8
7300 b001 e888 0072 198b fbb9 0b00 bee0 7df3 a675 0d8d 7f20 beeb 7db9 0b00 f3a6
7418 be87 7de8 4000 32e4 cd16 5e1f 8f04 8f44 02cd 19be cf7d ebeb b902 00bb 0007
a137 7ce8 2f00 b001 e844 0072 e8ff 0637 7c81 c300 02e2 e98a 2e15 7c8a 16fd 7d8b
1e3d 7cea 0000 7000 ac0a c074 21b4 0eb3 ffcd 10eb f333 d2f7 3618 7cfe c288 163b
7c33 d2f7 361a 7c88 162a 7ca3 397c c351 b402 8b16 397c 0316 1e7c 8aea d0ce d0ce
80e6 c08a 0e3b 7c80 e13f 0ace 8a36 2a7c 8a16 fd7d cd13 59c3 8b16 0b7c b109 d3ea
f7e2 0306 1c7c c30d 0a4e 6f6e 2d53 7973 7465 6d20 6469 736b 206f 7220 6469 736b
2065 7272 6f72 0d0a 5265 706c 6163 6520 616e 6420 7072 6573 7320 616e 7920 6b65
7920 7768 656e 2072 6561 6479 0d0a 000d 0a42 6f6f 7420 4661 696c 7572 650d 0a00
494f 2020 2020 2020 5359 534d 5344 4f53 2020 2053 5953 0000 0000 0000 0080 55aa

And when I use F-SYSCHK, the process slows down considerably when it
gets to Lehigh.  Before that one, I can hardly tell which virus it is
currently checking for, but beginning from Lehigh, it is much slower.
Is that normal?  Or does that suggest some problem?

Thanks a lot.

Jun

------------------------------

Date:    10 Feb 91 13:27:35 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus questions (PC)

Roggie Boone wrote:

>I have 4 questions regarding computer viruses.

>1) I have seen the SCAN software (McAfee) scan a computer's memory for
>   viruses and noticed that it only scanned the base 640K of RAM.  Do
>   viruses typically not infect or use extended/expanded memory?
There are no viruses which use or infect extended/expanded memory.  A
virus could theoretically place a part of itself there, but it would
also have to change something in the lowest 640K, in order to load and
execute this code.  There is one virus, however, which locates itself
between 640K and 1Meg.

>   Are there virus scanning packages that will scan the additional
>   memory?

No - there is no need to do so (yet).

>   I raise this question, because it seems I read somewhere that some
>   computers with certain memory management drivers may not erase the
>   contents of extended memory on a warm boot, and hence may not erase
>   any virus that may be sitting in extended memory.  (My memory isn't
>   too good on this topic).

So what?  The virus code would be "dead", as it could never be
activated.  Just having it in memory will not do any harm whatsoever,
as it is not active.

>2) Are there anti-virus packages (for PC or any computer) that use
>   artificial intelligence techniques to protect the system, or is such
>   an effort overkill?

Several packages claim to use AI methods - none do.  The closest thing
to AI in anti-virus products are the sets of rules some packages use to
search for previously unknown viruses.

>3) Not meaning to plant ideas, but I was talking with a faculty member
>   in the dept. where I work, and the question arose as to whether a
>   virus could be transmitted to an orbiting satellite and cause the
>   same havoc that viruses cause us PC users.  Is this possible?

A Trojan, yes - it could be sent to the satellite, just as any other
software "update".  A virus?  Well, why bother making the program
replicate inside the satellite, when a simple Trojan will do the job?

>4) I have also noticed that SCAN, for instance, scans basically the
>   .EXE, .COM, .SYS, .OVL files in a directory.  Do viruses not infect
>   .TXT or .DOC files or maybe C (Pascal, Basic) source code?

Known viruses may either:

    infect EXE and/or COM files.
    (unconfirmed reports of SYS-infecting viruses)
    The one or two BAT viruses are not a serious threat.

or

    Infect any file which is loaded/executed by INT 21/4B.  That is,
    programs and overlays.

The latter group typically includes COM/EXE/APP/OVL/OVR/OV1/BIN and a
few other extensions.  A file which cannot be executed/loaded as overlay
cannot be infected.  A virus could infect source or object code, but no
such viruses exist.  DOC and TXT files cannot be infected.

------------------------------

Date:    10 Feb 91 13:35:47 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Alameda/Yale (PC)

Michael_Kessler.Hum@mailgate.bitnet writes:

>But when asked to clean the boot sector, I received that message that the
>virus could not be removed, no boot sector was found.  Copying the files to
>a new disk and reformatting the disks solved the problem.  But is there any
>explanation for finding the virus in an infected boot sector that then
>cannot be found?

The diskettes are infected, all right - the problem is just that the
original boot sector, (which is normally stored on track 39) cannot be
found.  This could be because the diskettes did not contain a valid
boot sector when they were infected - the disinfector could remove the
virus, but when it attempts to locate a valid boot sector to replace it
with, it fails.

Another possibility is that the diskettes were infected by a new
variant of the virus, (which stores the boot sector elsewhere) but this
cannot be determined as the diskettes were (unfortunately) formatted.

- -frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK) |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 25]
*****************************************
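Added example, not code from the digest or from F-PROT, Norton or any other product named in it: the plausibility checks a boot-sector checker, or a disinfector such as the one frisk describes in the last message, applies to a 512-byte DOS boot sector before it trusts the sector or restores it from a saved copy, run here over the F-BOOT dump in Jun Guo's message. The same media-descriptor check is what turns a hard disk whose first sector carries floppy parameters into a "this drive is a 360K floppy" finding of the kind reported in the "I need help" message. The 360K floppy sector and all function names are constructed for the example; the field offsets and media-descriptor values are the standard DOS 3.x BPB ones.

```python
"""Plausibility checks a boot-sector checker or disinfector runs over a DOS
boot sector before trusting or restoring it.  Added example, not code from
F-PROT, Norton or any digest poster; the field layout is the standard DOS
3.x BIOS Parameter Block (BPB) that starts at offset 11."""
import re
import struct

# Jun Guo's F-BOOT dump, copied from the digest and reflowed (512 bytes).
JUN_DUMP = """
eb34 904e 4543 4953 332e 3300 0402 0100 0200 0219 aaf8 2b00 1100 0700 1100 0000
0000 0000 0004 0000 0000 0000 0000 0012 0000 0000 0100 fa33 c08e d0bc 007c 1607
bb78 0036 c537 1e56 1653 bf2b 7cb9 0b00 fcac 2680 3d00 7403 268a 05aa 8ac4 e2f1
061f 8947 02c7 072b 7cfb 8a16 fd7d cd13 7303 e980 00f6 0624 7c20 7405 c606 9004
54a0 107c 98f7 2616 7c03 060e 7ca3 3f7c a337 7cb8 2000 f726 117c 8b1e 0b7c 03c3
48f7 f303 0637 7ca3 3d7c e8cb 00a3 377c a13f 7ce8 c200 a33f 7cbb 0005 a13f 7ce8
7300 b001 e888 0072 198b fbb9 0b00 bee0 7df3 a675 0d8d 7f20 beeb 7db9 0b00 f3a6
7418 be87 7de8 4000 32e4 cd16 5e1f 8f04 8f44 02cd 19be cf7d ebeb b902 00bb 0007
a137 7ce8 2f00 b001 e844 0072 e8ff 0637 7c81 c300 02e2 e98a 2e15 7c8a 16fd 7d8b
1e3d 7cea 0000 7000 ac0a c074 21b4 0eb3 ffcd 10eb f333 d2f7 3618 7cfe c288 163b
7c33 d2f7 361a 7c88 162a 7ca3 397c c351 b402 8b16 397c 0316 1e7c 8aea d0ce d0ce
80e6 c08a 0e3b 7c80 e13f 0ace 8a36 2a7c 8a16 fd7d cd13 59c3 8b16 0b7c b109 d3ea
f7e2 0306 1c7c c30d 0a4e 6f6e 2d53 7973 7465 6d20 6469 736b 206f 7220 6469 736b
2065 7272 6f72 0d0a 5265 706c 6163 6520 616e 6420 7072 6573 7320 616e 7920 6b65
7920 7768 656e 2072 6561 6479 0d0a 000d 0a42 6f6f 7420 4661 696c 7572 650d 0a00
494f 2020 2020 2020 5359 534d 5344 4f53 2020 2053 5953 0000 0000 0000 0080 55aa
"""

# Standard DOS media descriptor values (BPB offset 21).
MEDIA = {0xF0: "1.44M/2.88M floppy", 0xF8: "fixed disk", 0xF9: "720K/1.2M floppy",
         0xFC: "180K floppy", 0xFD: "360K floppy", 0xFE: "160K floppy", 0xFF: "320K floppy"}
BPB_FMT = "<HBHBHHBHHHH"  # little-endian BPB fields at offsets 11..29
BPB_NAMES = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
             "root_entries", "total_sectors", "media", "sectors_per_fat",
             "sectors_per_track", "heads", "hidden_sectors")

def from_dump(text):
    """Turn an F-BOOT style hex dump back into bytes."""
    return bytes.fromhex("".join(text.split()))

def parse_bpb(sector):
    """Unpack the BPB; a zero 16-bit total means DOS 3.31+ put a 32-bit count at 32."""
    b = dict(zip(BPB_NAMES, struct.unpack_from(BPB_FMT, sector, 11)))
    if b["total_sectors"] == 0:
        b["total_sectors"] = struct.unpack_from("<I", sector, 32)[0]
    return b

def fat_type(b):
    """FAT12/16/32 is decided by the data-area cluster count, as DOS does it."""
    root_sectors = -(-(b["root_entries"] * 32) // b["bytes_per_sector"])
    data_start = b["reserved_sectors"] + b["fats"] * b["sectors_per_fat"] + root_sectors
    clusters = (b["total_sectors"] - data_start) // b["sectors_per_cluster"]
    return "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"

def printable_strings(data, min_len=8):
    """Printable ASCII runs: a genuine DOS boot sector carries its error
    messages and the system file names in clear text."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def check_boot_sector(sector, expect_fixed_disk=False):
    """Report the parsed fields plus every plausibility check that failed."""
    if len(sector) != 512:
        return {"ok": False, "problems": [f"{len(sector)} bytes, not 512"], "fat": None}
    problems, b = [], parse_bpb(sector)
    if sector[0] not in (0xEB, 0xE9):
        problems.append(f"byte 0 is {sector[0]:#04x}, not a JMP into boot code")
    if sector[510:512] != b"\x55\xAA":
        problems.append("no 55AA boot signature at offset 510")
    geometry_ok = b["bytes_per_sector"] in (512, 1024, 2048, 4096)
    if not geometry_ok:
        problems.append(f"implausible bytes per sector {b['bytes_per_sector']}")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
        geometry_ok = False
    for name in ("reserved_sectors", "fats", "root_entries", "total_sectors",
                 "sectors_per_fat", "sectors_per_track", "heads"):
        if b[name] == 0:
            problems.append(f"{name} is zero")
            geometry_ok = False
    media = MEDIA.get(b["media"], "unknown")
    if media == "unknown":
        problems.append(f"unknown media descriptor {b['media']:#04x}")
    elif expect_fixed_disk and b["media"] != 0xF8:
        problems.append(f"media descriptor {b['media']:#04x} means {media}, "
                        "but this volume is supposed to be a fixed disk")
    return {"ok": not problems, "problems": problems, "bpb": b, "media": media,
            "oem": sector[3:11].decode("ascii", "replace"),
            "fat": fat_type(b) if geometry_ok else None,
            "volume_bytes": b["total_sectors"] * b["bytes_per_sector"],
            "strings": printable_strings(sector)}

def constructed_360k_floppy():
    """Constructed for this example (not from the digest): a valid boot sector
    with 360K floppy geometry, the kind of parameters behind a 'drive is a
    360K floppy' report from a disk utility."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xEB\x3C\x90", b"EXAMPLE "
    struct.pack_into(BPB_FMT, s, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0)
    s[510:512] = b"\x55\xAA"
    return bytes(s)
```

Calling `check_boot_sector(from_dump(JUN_DUMP), expect_fixed_disk=True)` reports no problems: the OEM label is NECIS3.3, the BPB says 1024-byte logical sectors and 43545 sectors, about 42.5 MB on FAT16, and the 1024-byte sector is what lets a 16-bit sector count describe a volume over the 32 MB limit Jun mentions (F-BOOT still shows only the first 512 bytes, with the 55AA signature at offset 510). The strings it pulls out are the usual "Non-System disk or disk error", "Replace and press any key when ready", "Boot Failure" and the IO.SYS/MSDOS.SYS names, so as far as these checks go it is an ordinary DOS 3.3 boot sector. The constructed 360K floppy sector passes on its own but is flagged when the volume is supposed to be a fixed disk, and a sector of zeros, or a saved copy that was never a boot sector, fails the JMP and signature checks, which is the "no boot sector was found" outcome frisk explains.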