VIRUS-L Digest   Wednesday, 20 Feb 1991    Volume 4 : Issue 30

******************************************************************************

Today's Topics:

Hardware question (PC) (TANDY)
Response to Editor's Questions
F-PROT site license fee (PC)
Re: Norton Antivirus (PC)
Mac virus frequency & Disinfectant (Mac)
Mac vulnerability vs. PCs
Virus frequencies
stoned again
Model of "Safe" (PC)
Re: STONED virus/ McAfee Associates (PC)
Re: Preventing booting from floppy (PC)
Viruses vs. DOS; Stoned information (PC)
Mac viruses (Mac)
Compucilina (PC)
Re: IBM Virus Scanner. (PC)
McAfee Products (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    19 Feb 91 16:51:32 +0000
From:    lev@suned2.Nswses.Navy.Mil (Lloyd E Vancil)
Subject: Hardware question (PC) (TANDY)

I have been interested in the discussion of bootsector viruses, hard drives and other beasties. And, wonder of wonders, a thought occurs. To wit: The Tandy (Radio Shack) new 80286 machines have an extra 128k of RAM that is used to contain the IBMSYS & IO .coms, Command.com, Format.com and a few other things. These files fill the 128k and allow you to bring up the machine without booting from a disk at all. The "extra ram" is treated as a write protected disk. The thought that occurs is, isn't this a better way?
Since the "disk" is full and write protected the bad beasties can't get in can they? Wouldn't this stop any but the Trojan programs?

- --
*   suned1!lev@elroy.JPL.Nasa.Gov   sun!suntzu!suned1!lev   lev@suned1.nswses.navy.mil
*   S.T.A.R.S.! The revolution has begun!
*   My employer has no opinions. These are mine!

------------------------------

Date:    Tue, 19 Feb 91 12:01:30 -0700
From:    Chris McDonald
Subject: Response to Editor's Questions

Ken asked in a recent posting if anyone had tried PC/DACS. I used the package for over a year. My experience was that it did what it was supposed to do, and essentially gave a user the impression of mainframe system controls on a personal computer. I would be happy to send anyone an electronic copy of my product test report.

Other commercial products with comparable features have been discussed in this forum, but a few additional ones are Watchdog, SecurePC, Protec, etc. Watchdog, like PC/DACS, has an NCSC subsystem evaluation report. I have done test reports on SecurePC and Protec. These are not the only products available. I have no stock or relationship with any of the vendors. While these are software solutions, there are comparable hardware/software products available, but usually at a greater cost.

To the user who asked about site licensing for F-PROT, the answer is YES. Fridrik has very generous agreements. Depending upon the number of systems involved the cost may be as low as $2.00 per machine. Government agencies have to my knowledge encountered at least two cases in which the Buy American Act precluded acquisition. I have no way of knowing how significant an obstacle this legislation may be for the government as a whole.
Chris Mc Donald
cmcdonald@wsmr-simtel20.army.mil
White Sands Missile Range
- -------

------------------------------

Date:    Tue, 19 Feb 91 10:03:35 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: F-PROT site license fee (PC)

JS05STAF%MIAMIU.BITNET@OHSTVMA.IRCC.OHIO-STATE.EDU (Joe Simpson) writes:

> the anti-viral problem. Is anyone using F-Prot. Does Fredrik Skullasan (apologies to FS for spelling) have a site licence policy?

Fridrik Skulason has just changed his fee structure (with version 1.14) and the price is now *lower*. (The bad news is that the fee is now yearly, a la McAfee.) The yearly fee is now $1 per machine for commercial and $0.75 per machine for educational institutions.

For those good people who have been supporting frisk all along, and are cursing your fate for having paid the higher price - good news. Your "one-time" fee is still valid. :-)

Vancouver Institute for Research into User Security
Canada V7K 2G6
p1@arkham.wimsey.bc.ca
Robert_Slade@mtsg.sfu.ca
(SUZY) INtegrity
Radical Dude
"A ship in a harbour is safe, but that is not what ships are built for." - John Parks

------------------------------

Date:    Tue, 19 Feb 91 15:11:56 +0000
From:    Ian Leitch
Subject: Re: Norton Antivirus (PC)

DEL2@phoenix.cambridge.ac.uk (Douglas de Lacey) writes on 25 Jan about the Norton Antivirus product:

> ... it got a slashing review in PC Business World last week, for making unfair claims about its abilities ...

I understand that the review did not receive universal acclaim, as some readers suggested that it may have lacked objectivity. I am told that its author has now parted company with PC Business World!

Ian Leitch

------------------------------

Date:    Tue, 19 Feb 91 17:10:07 -0500
From:    Joe McMahon
Subject: Mac virus frequency & Disinfectant (Mac)

Fred Davidson asks:

> ... there is a MAC Plus with an external drive at the monitor's desk.
> The external drive has a big note taped to the top of it: "Check All Mac Disks For Viruses". If you come in and use a MAC, when you sign in, you are supposed to check any disk you bring for MAC viruses. What is odd is that there is no such requirement for users of the PCs. Does this reflect the statistical proportions of viruses in the real world? More on MACs than on PCs?

No, this is simply a reflection of the fact that John Norstad, the author of Disinfectant, was thinking about such an environment when he wrote his program. Disinfectant has an "unattended operation" mode which allows you to simply pop in a disk and have it scanned, cleaned up, and ejected with no intervention on the part of the persons managing the lab. It's simply very convenient to do it this way.

--- Joe M.

------------------------------

Date:    Tue, 19 Feb 91 17:18:02 -0500
From:    Joe McMahon
Subject: Mac vulnerability vs. PCs

Ross Miller notes (on Mac vulnerability vs. PCs):

> It's not a question of Bias, the mac system is very powerful, but part of that power comes from openness. Openness leaves one vulnerable.

And Fridrik Skulason also notes:

> David Gursky dg@titanium.mitre.org writes
>> At the time, the number of PC viruses numbered 23 distinct strains and over a 100 total viruses.
>
> That was a loooooong time ago - now we have around 150 families, and over 400 different variants - 30-40% written in Eastern Europe.

The current Mac virus count is 10-12 families, with about 20 variations total. There are many more PCs than Macs. I think this is the only reason for the difference.

As far as which is easier, I don't think it really matters, unless you plan on taking up virus-writing for a living. *Both* Mac and PC systems, as shipped by the manufacturer, are so wide-open to attack that it's hard to say whether one or the other is "worse". Most often, a statement as to which is "worse" is simply a reflection of the expositor's prejudices about the systems in question.
Ever ask an MVS expert about unix security?

--- Joe M.

------------------------------

Date:    Tue, 19 Feb 91 17:12:00 -0600
From:    MDCLARK@UALR.BITNET
Subject: Virus frequencies

> If you come in and use a MAC, when you sign in, you are supposed to check any disk you bring for MAC viruses. What is odd is that there is no such requirement for users of the PCs. Does this reflect the statistical proportions of viruses in the real world? More on MACs than on PCs?

On the contrary, there are far more PC viruses than Mac varieties. Offhand, it sounds as if the Mac systems analyst is on the ball, and I'd wager that John Norstad's Disinfectant is being used. Although it might be a fair argument that it is more difficult to protect against PC viruses, this is no excuse not to try. It may simply be that the person responsible for PCs knows less about viruses than does the Mac person (or it may be the *same* person responsible for both systems). The fact is, thanks to John Norstad and others like him, dealing with Mac viruses is fairly painless.

------------------------------

Date:    19 Feb 91 22:55:30 +0000
From:    "William C Tom"
Subject: stoned again

The stoned virus has cropped up again in my work-place. I wish I had kept all the replies I got after my last infection. Anyways, I removed the virus with CLEAN, but I want to restore my hard disk to its pre-infection pristine condition (just a fetish of mine). My question is: to what sector does "Stoned" move the original partition table? I would like to delete this "duplicate" code. Thanks.

- --------------------------------------------------
wct1@unix.cis.pitt.edu

------------------------------

Date:    19 Feb 91 11:57:25 -0500
From:    Steve Albrecht <70033.1271@CompuServe.COM>
Subject: Model of "Safe" (PC)

> [Ed. I saw one product which seems (IMHO) to come close to this - PC/DACS by Pyramid (note: I have no affiliation with them...).
> It provides boot protection, optional hard disk encryption (required to prevent absolute sector access), username/password protection, file access control, etc. Anyone with experience with this, or similar, systems care to comment?]

We have evaluated the possible use of PCDACS as a security package in our Field Offices. One of the primary reasons why we have not installed this to date, and will likely not install this, is that computer viruses, in our opinion, are not adequately addressed by PCDACS. In fairness to Pyramid, I don't think that PCDACS was originally intended to provide virus protection.

The earlier versions (prior to Version 2.01) did not prevent infection by the Stoned virus (and other viruses which employ absolute disk writes), and did not detect the virus once the hard disk had become infected. Pyramid has since employed a means of detecting this virus (and I assume other similar viruses) when the computer is booted. The program will restore the original partition table, and then force an immediate reboot. However, even with boot protection installed, PCDACS does not prevent a boot from an unknown (and possibly infected) floppy.

The problem with this strategy seems to me to be that it may not be able to remove the "stealth" type viruses, which (I have learned via this forum) trap the Int 13 interrupt used by PCDACS. In my conversations with Pyramid, their technical support claims that PCDACS will provide adequate protection against the 4096 virus. Someone who has actually tested PCDACS with the 4096 virus might perhaps like to comment on this.

With regards to viruses which operate on files, PCDACS (version 2.02 is the latest version which I have tested) will prevent viruses from infecting files if a user has no WRITE access to the executable files targeted by the virus, but will not prevent the virus from going resident in memory (to the best of my knowledge).
This seems to lead to a scenario where a user logs off with a virus resident in memory, only to have the virus infect the targeted files when an administrator (or other person with WRITE access to the executable files) logs on. PCDACS does not monitor the integrity of the executable files.

PCDACS does allow for the encryption of the entire hard disk, or optionally, DOS area encryption. While the former may provide protection against absolute disk writes, the amount of time which this option requires at boot time is unacceptable. DOS area encryption is more acceptable, but I am not convinced that boot sector viruses will not do damage which only a backup will remedy. (As a side note, restoring a backup to a corrupted hard disk with PCDACS boot protection enabled is fraught with difficulties). Again, someone who has actually tested PCDACS with this option should comment on this.

In summary, I think PCDACS is an excellent security program if confidentiality and restricted access are the primary objectives, but I think that the "layered" protection which Padgett has described provides much more acceptable virus protection.

Steve Albrecht
70033.1271@compuserve.com

------------------------------

Date:    Wed, 20 Feb 91 09:49:54 -0400
From:    pjc@melb.bull.oz.au (Paul Carapetis)
Subject: Re: STONED virus/ McAfee Associates (PC)

Wayne Bobarge said:

> I have a similar problem and a question. The McAfee Scan program has detected the Stone virus on some commercial software I just bought to run some lab equipment. I called them and they were surprised to hear about it as none of the disks they sold me were system disks yet the SCAN program says that the virus is in the boot sector. Are these disks infected or not? If they are infected, will the virus infect other machines if I do not boot from these disks.

All DOS diskettes, regardless of whether they were formatted to be system bootable diskettes or not, possess boot sectors.
The boot sector is written to the diskette by the FORMAT program (and all other commercial format programs that I know of) EVERY time, even if the diskette is not going to be bootable. This means that your diskettes are most likely infected. Beware of rebooting your machine if you have any of these diskettes in the A: drive as the boot sector will be loaded into memory and the code executed, thereby activating the virus if present, before the missing system files are discovered and the old "Non-system disk or boot error" message is displayed. Either "clean" the diskettes of their virus, or copy off all of the files you want and then format them all from a known "clean" machine.

- --Paul

+-----------------------------------------------+-------------------------+
| Paul Carapetis, Software Advisor (Unix, DOS)  | Phone: 61 3 4200944     |
| Melbourne Development Centre                  | Fax:   61 3 4200445     |
| Bull HN Information Systems Australia Pty Ltd |-------------------------|
| Internet: pjc@melb.bull.oz.au                 | What's said here is my  |
| ACSnet : pjc@bull.oz                          | opinion (so I am told!) |
+-----------------------------------------------+-------------------------+

------------------------------

Date:    Tue, 19 Feb 91 18:04:45 -0800
From:    cthulhu@arkham.wimsey.bc.ca (Jono Moore)
Subject: Re: Preventing booting from floppy (PC)

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

> Several MS-DOS platforms can do this (Zenith, Compaq) and any PC could implement it by storing a flag in CMOS. However, only a few manufacturers have chosen to implement it in the BIOS (it must be done in ROM). Unfortunately in the case of my Zenith, it will only look for disks that its BIOS can find. Failing this it will check for a floppy even if told not to. (I have a hardcard that uses its own ROM extension and no matter how the CMOS is set, the Zenith will always go for the floppy first.)
> Computer Shopper ads indicate that a 386 BIOS chipset (choice of several) goes for about $70 but I do not know if any of those replacements implement this.
>
> Incidentally, there must be an override somewhere or maintenance would be a nightmare.

My 286 came with a Quadtel BIOS which has this feature. You can set it up to "quickboot" your system, which skips the memory test and doesn't check the floppy drives. It also has a password protect built into the BIOS. I can see problems arising if you forget your password :-) I don't have my manual handy, but I imagine there would be a way to get around this, like disconnecting your battery for a while or something like that.

- -------------------------------------------------------------------------------
jono@{arkham.UUCP|arkham.wimsey.bc.ca}   | Fuck 'em if they can't take a joke.
{uunet|ubc-cs}!van-bc!cynic!arkham!jono  | Pull the wool over your own eyes!

------------------------------

Date:    Sun, 17 Feb 91 19:30:28 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Viruses vs. DOS; Stoned information (PC)

> From: "Olivier M.J. Crepin-Leblond"
> Subject: Virus or DOS clash ? (PC)
> A strange file has started appearing on some of the disks...
> 4MSDOS 3.3 0 15-00-80 12:00a

What has happened is that the boot sector of the floppy (DOS sector 1) has been copied to the first sector of the root directory (DOS sector 5) and has probably wiped out the root directory. Whether or not it is a virus or an accident is the question. In any event, the disk may be able to be recovered (if the FAT did not get wiped also) by writing all zeros to the root directory and trying CHKDSK/F. The FILExxxx.CHK entries will match the original file entries if the first FAT is intact. This is WHAT, I cannot answer WHY, it does not match any virus I have seen but sounds like a logic bomb.
- ---------------------------------------------------------------------

From: Scott Morgan
Subject: Information on the "Stoned Virus" (PC)

From: amewalduck@trillium.uwaterloo.ca (Andrew Walduck)
Subject: STONED virus (PC)

From: Wayne Robarge
Subject: Re: STONED virus/ McAfee Associates (PC)

Boy, this must be STONED week. In simple terms (Patricia Hoffman does it MUCH better) the STONED, like BRAIN and JOSHI, is a boot sector infector on floppies. EVERY PC floppy contains executable code on the boot sector if only just enough to tell you it is not bootable. Unless you have a special machine, if it boots, hot or cold, with a floppy in drive A, a PC will execute this code. (MACs are worse - put a floppy in the drive and code gets executed, you do not have to boot)

If a machine is booted with a STONED-infected disk in A, the first thing that happens is that the viral code is run (it is in sector 1). After doing its thing (which may or may not include the message "Your PC is Stoned" (or some variant or none) but does include going resident at the TOM), it then runs the original boot sector that it stored in the last of the seven root directory sectors (this will occasionally corrupt a disk). To remove from a floppy, you can just use DEBUG to replace the boot sector with good code. (two keystrokes and change the disk - repeat as often as necessary). No code or data usually need be lost.

In the case of a hard disk, it still infects sector 1 but here this is the partition table. It then stores the real table in (hidden) sector 7. On boot, the same process occurs: the BIOS calls sector 1 which has the virus. It goes resident and then calls the real partition table. Again, to disinfect all that is necessary is to copy sector seven onto sector one but be sure you know what you are doing (multiple infections such as JOSHI/STONED which is possible are more tricky).

A couple of products such as McAfee's VSHIELD can protect against accidental warm boots.
Again, it takes hardware to protect a cold boot though integrity checking software at the BIOS level can detect such an infection immediately.

Personally, I am now MORE sick of seeing the STONED than the JERUSALEM.

Warmly, Padgett

ps Anyone know where the party at the World Trade Center is going to be ?

------------------------------

Date:    Tue, 19 Feb 91 23:17:00 -0400
From:
Subject: Mac viruses (Mac)

Although Mac viruses are easier to write, they are written much more simple-mindedly. That is, it just has one thing in mind...to mess up a Mac. However, if you're keeping count of viruses, there are fewer Mac viruses (I think the last count was at 16) than there are for PC's, although PC viruses are usually much more sophisticated.

- ------------------
My opinion is my very own, and does not necessarily represent the opinion of my employers.

Melissa Jehnings
Student Manager | Academic Computing Center
Wheaton College's Technologist User's Group | Secretary
Wheaton College
Norton, MA 02766
BITNET: LISSA@WHEATNMA, WUG@WHEATNMA

------------------------------

Date:    Mon, 18 Feb 91 18:11:25 -1100
From:    "Luis B. Chicaiza S."
Subject: Compucilina (PC)

Due to the great quantity of mail that I have received about Compucilina, I offer the following clarification:

Compucilina vaccinates programs (.EXE, .COM, disk boots, and system programs) by adding a little piece of executable code. The net effect is that when a vaccinated program is executed, if at that moment a virus is installed in the computer, the vaccine (the code added to the program) prevents the virus from infecting the program.

Compucilina is a non-scanning anti-virus; its operation does not depend on a particular virus, therefore it is equally effective against present and future viruses.

Luis Bernardo Chicaiza Sandoval

More information:
Luis B. Chicaiza S.
Phone: (91)2 02 23 78
Universidad de los Andes
Bogota, Colombia
mail address:

PS: Free copies are not available. Compucilina is a commercial product and costs US$70, plus remit costs.
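An added example, not from the digest or any of its contributors, that checks a raw FAT12 floppy image for the two on-disk symptoms described in Padgett's message earlier in this issue: a root directory sector that is really a boot sector image (the stash location he describes for STONED on a 360K floppy, and what Olivier's disk showed in the first root sector) and directory entries carrying impossible dates (the "15-00-80" entry). The 360K layout, BPB values, README.TXT entry and filler bytes are all constructed; no virus code is involved.

```python
import struct

SECTOR = 512                                   # bytes per sector on a DOS floppy

def looks_like_boot_sector(sec):
    """A DOS boot sector starts with a JMP (EB xx 90 or E9 xx xx) and ends with 55 AA."""
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[510:512] == b"\x55\xAA"

def root_dir_span(sector0):
    """From the BPB: first logical sector of the root directory and its sector count."""
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", sector0, 11)
    spf = struct.unpack_from("<H", sector0, 22)[0]
    return reserved + nfats * spf, (root_entries * 32 + bps - 1) // bps

def check_image(img):
    """Findings for a raw FAT12 image: a root directory sector that is really a boot sector
    image (Padgett's stash location) or an entry with an impossible date (Olivier's symptom)."""
    boot = img[0:SECTOR]
    if not looks_like_boot_sector(boot):
        return ["sector 0 does not look like a DOS boot sector"]
    findings = []
    first, count = root_dir_span(boot)
    for n in range(first, first + count):
        sec = img[n * SECTOR:(n + 1) * SECTOR]
        if looks_like_boot_sector(sec):
            same = "identical to" if sec == boot else "different from"
            findings.append(f"root dir sector {n} holds a boot sector image ({same} sector 0)")
            continue
        for off in range(0, SECTOR, 32):
            entry = sec[off:off + 32]
            if entry[0] in (0x00, 0xE5):           # unused or deleted entry
                continue
            date = struct.unpack_from("<H", entry, 24)[0]   # bits: yyyyyyy mmmm ddddd
            month, day = (date >> 5) & 0x0F, date & 0x1F
            if not (1 <= month <= 12 and 1 <= day <= 31):  # printed day-month as Olivier's DIR did
                name = entry[:11].decode("ascii", "replace")
                findings.append(f"root dir sector {n}: entry {name!r} has impossible date {day:02d}-{month:02d}")
    return findings

def clean_boot_sector():
    """Constructed 360K boot sector: JMP, OEM name, BPB, filler instead of code, 55AA."""
    sec = bytearray(SECTOR)
    sec[0:3], sec[3:11] = b"\xEB\x3C\x90", b"MSDOS3.3"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors,
    # media byte, sectors/FAT, sectors/track, heads, hidden sectors
    struct.pack_into("<HBHBHHBHHHH", sec, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0)
    sec[0x3E:0x3E + 21] = b"CONSTRUCTED-BOOT-CODE"   # placeholder, not real boot code
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

def build_image(stash_index=None, replace_boot=False, entry_date=(1991, 2, 19)):
    """Constructed 360K image: a README.TXT entry dated entry_date in the first root sector;
    optionally the clean boot sector copied into root sector stash_index (0 = first, 6 = last
    on a 360K disk) and sector 0's code area overwritten with filler, as Padgett describes."""
    boot = clean_boot_sector()
    first, count = root_dir_span(boot)                  # sectors 5..11 on a 360K disk
    img = bytearray(720 * SECTOR)
    entry = bytearray(32)
    entry[0:11] = b"README  TXT"
    y, m, d = entry_date
    struct.pack_into("<H", entry, 24, ((y - 1980) << 9) | (m << 5) | d)
    img[first * SECTOR:first * SECTOR + 32] = entry
    if stash_index is not None:
        img[(first + stash_index) * SECTOR:(first + stash_index + 1) * SECTOR] = boot
    sec0 = bytearray(boot)
    if replace_boot:
        sec0[0x3E:0x3E + 20] = b"REPLACED-CODE-FILLER"  # placeholder, no virus bytes involved
    img[0:SECTOR] = sec0
    return bytes(img)

if __name__ == "__main__":
    for img in (build_image(), build_image(6, True), build_image(0), build_image(entry_date=(1980, 0, 15))):
        print(check_image(img) or ["no findings"])
```

Run against a real image, the "different from sector 0" case is the one to act on: the stashed copy is the original boot sector, and the current sector 0 is whatever replaced it.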
------------------------------

Date:    19 Feb 91 15:55:09 +0000
From:    campbell@dev8n.mdcbbs.com (Tim Campbell)
Subject: Re: IBM Virus Scanner. (PC)

CHESS@YKTVMV.BITNET (David.M.Chess) writes:

> "Pete Lucas" :
>> Can anyone tell me whether any new signature files have been released for the IBM Virus Scanner? I currently have release 1.2 of this program, which is at a guess around 6 months old; has there been any update of the program??
>
> The current version is 1.3; another version should be out pretty soon. Price continues to be $35 for an enterprise-wide license, and something like $10 for upgrades. Available through your IBM marketing rep, branch office, IBMLINK, etc.

I have the IBM Virscan program (don't recall version) and am looking for the same files. These files are just ASCII text organized with a line which describes the virus (its name - a short comment about it) followed by a line containing a hex-string (in the form: xx xx xx xx xx, etc.) to find, indicating that this disk/file contains this virus. This makes it real easy to add new viri signatures to the library using any text editor. My disk only has about 30 signatures. These signatures do not need to come from IBM - they can come from anywhere.

To re-state the question - is there anywhere that I can find a list of such signatures? Reading this forum for a while - I occasionally see one posted for an individual virus in a post. I'm wondering if there is any list being maintained by some individual or organization. I understand there are now more than 300 signatures. My 30 means I'm < 10% protected.

I will search IBMLink for information on Virscan signatures and post results if I find anything. If anybody else knows a source, posting the list, or at least the name of the source would be GREATLY appreciated.

Thanks
-Tim

---------------------------------------------------------------------------
In real life: Tim Campbell - Electronic Data Systems Corp.
Usenet: campbell@dev8.mdcbbs.com @ McDonnell Douglas M&E - Cypress, CA
also:   tcampbel@einstein.eds.com @ EDS - Troy, MI
CompuServe: 71631,654
Prodigy: MPTX77A

P.S. If anyone asks, just remember, you never saw any of this -- in fact, I wasn't even here.

------------------------------

Date:    Wed, 20 Feb 91 06:20:00 -0500
From:    John Perry KG5RG
Subject: McAfee Products (PC)

This is just a short note to let everyone know that the new McAfee suite of products is available on beach.gal.utexas.edu.

John Perry KG5RG
University of Texas Medical Branch
Galveston, Texas 77550-2772

You can send mail to me at any of the following addresses:

DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
Internet : john.perry@f365.n106.z1.fidonet.org
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::BEACH::PERRY
FIDOnet  : 1:106/365.0

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 30]
*****************************************
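An added example, not part of the digest, that reads signature files in the layout Tim Campbell describes in his "IBM Virus Scanner" message above (a description line followed by a line of space-separated hex bytes) and searches data for each pattern. The layout follows Tim's description only and is assumed, not IBM's actual VIRSCAN file format; the two signatures and the sample data are constructed placeholders, not real virus signatures.

```python
import re

HEX_LINE = re.compile(r"^[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*$")

# Constructed signature file in the two-line-per-entry layout Tim describes:
# a description line (name - comment) followed by a line of hex bytes.
# Both patterns are placeholders for this demonstration, not real virus signatures.
SAMPLE_SIGNATURES = """\
Test-Pattern-A - constructed placeholder, not a real virus signature
4D 5A 54 45 53 54 2D 41 2D 50 41 54
Test-Pattern-B - second constructed placeholder
DE AD BE EF CA FE 01 02 03 04 05 06 07 08
"""

def parse_signature_file(text):
    """Return [(description, pattern_bytes), ...]. Blank lines are skipped; a missing
    or malformed hex line raises ValueError so that a typo in a hand-edited file is
    noticed instead of silently becoming a signature that can never match."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: every description needs a hex line")
    sigs = []
    for desc, hexline in zip(lines[0::2], lines[1::2]):
        if not HEX_LINE.match(hexline):
            raise ValueError(f"malformed hex string for {desc!r}: {hexline!r}")
        sigs.append((desc, bytes.fromhex(hexline.replace(" ", ""))))
    return sigs

def scan_bytes(data, sigs):
    """Return every (description, offset) at which a signature occurs in data, by offset."""
    hits = []
    for desc, pattern in sigs:
        off = data.find(pattern)
        while off != -1:                 # report every occurrence, not just the first
            hits.append((desc, off))
            off = data.find(pattern, off + 1)
    return sorted(hits, key=lambda hit: hit[1])

def scan_file(path, sigs):
    """Scan one file on disk; reading a whole 1991-sized executable into memory is fine."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), sigs)

def constructed_sample():
    """Constructed test data: pattern A at offset 100, pattern B at offset 162."""
    patterns = dict(parse_signature_file(SAMPLE_SIGNATURES))
    a = patterns["Test-Pattern-A - constructed placeholder, not a real virus signature"]
    b = patterns["Test-Pattern-B - second constructed placeholder"]
    return b"\x00" * 100 + a + b"\x00" * 50 + b

if __name__ == "__main__":
    sigs = parse_signature_file(SAMPLE_SIGNATURES)
    for desc, off in scan_bytes(constructed_sample(), sigs):
        print(f"offset {off}: {desc}")
```

Short patterns collected from arbitrary sources will match innocent files by chance, so a signature added by hand is worth checking against a few known-clean executables before it goes into the library.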