Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
	id AA08036; Wed, 3 Feb 1993 17:50:32 +0100
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA26376
  (5.67a/IDA-1.5 for <mikael@abacus.hgs.se>); Wed, 3 Feb 1993 10:16:42 -0500
Date: Wed, 3 Feb 1993 10:16:42 -0500
Message-Id: <9302031310.AA24606@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #16
Status: RO

VIRUS-L Digest   Wednesday,  3 Feb 1993    Volume 6 : Issue 16

Today's Topics:

Re: On the definition of viruses
Re: On the definition of viruses
Patriotic Virus Writers?
Re: On the definition of viruses
Re: How to measure polymorphism
Re: Assymetric Cryptographic Checksums
Way to go, AP (Not)!
Complexity of polymorphic viruses.
RE: LAT
Re: Infection question
Re: On the definition of viruses
Re: Sale of Viri
Re: os2-stuff (OS/2)
Re: os2-stuff (OS/2)
DOS CHKDSK bug: a first (?) victim (PC)
VIRSCAN.DAT: Error in line 2178 (PC)
re: windows virus (PC)
Re: windows virus (PC)
can anybody help my little lost computer? (PC)
Cansu virus plague! (PC)
How do MtE utilizing viruses detect themselves? (PC)
Cascade & SCANV99 (PC)
TBAV 5.03 and VSIG9301 upload (PC)
Internet Worm - the "Perp" (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 29 Jan 93 09:25:52 -0500
From:    fc@turing.duq.edu (Fred Cohen)
Subject: Re: On the definition of viruses

> "David M. Chess (863-6665)" <chess@watson.ibm.com> writes:
> 
> In Hoffman's "Rogue Programs", there's a paper by Len Adleman called
> "An Abstract Theory of Computer Viruses".  It contains what seems to
> be a proof that it's possible to design a virus so that given one
> instance of an infected object, it's not decidable whether or not
> another object might be a descendant of it.  However, I don't
> understand the proof; I'd love to hear from someone that does!  The
> next proof in the paper softens the blow: it seems to be a proof that
> you can come close enough, by deciding whether or not another object
> is EITHER a descendant of the captured virus OR an element of the
> "germ set" for the virus, where the "germs" of a virus are the set
> (roughly) of droppers of the virus.

I've read Adleman's paper, but I also have problems understanding it.
Is there a good mathematician in the house?  I'm pretty much convinced
that Adleman's definition is very different than mine, and one of the
differences is that under my definition of viruses, both finding
descendants and progenitors is undecidable.

eugene@kamis.msk.su (Eugene V. Kaspersky) writes:
> 
> One my friend wrote a virus. It's a extremely primitive program that
> contains several MS-DOS commands which are united into one BAT-file named
> VIRUS.BAT.
> 
> echo  ---
> echo  Hello! I'm the virus!
> echo  Look at your watch. Waiting ...
> pause
> echo  Is today Friday, 13th ?
> echo  If 'yes' please type FORMAT C: and say YES for all the questions.
> echo         If it's not enough please drop your monitor and
> echo         [...skiped...]
> echo  If 'no' please copy this program to all your friends because
> echo  this is a very useful program!
> echo  ---
> 
> Several color effects were added to this BAT file also.
> Is this a virus? No? One week after first execution of this program
> about 100 computers were 'infected' by this ... program? ... virus? Those
> are about a half of all the computers of the company where this gay works
                                                                   ^u?
> now. The users like this program-joke and copy it. So this program
> replicates very well, its name is VIRUS.BAT and it's a dangerous because it
> say "FORMAT C:"  and 'good user' can do this. Is this not a virus?
> 

In your environment, it seems to be a virus.

> Another one example: virus-packer.
> This imaginary program stays resident and on running any not packed COM or
> EXE files asks: "Do you wish to PACK your program? <Y/N>" and then packs
> and appends itself to the packed file at 'Y' pressing. On execution
> 'infected' program types "I'm infected by VIRUS-PACK, do you wish to
> remove me? <Y/N>" and then unpacks the file and removes its body on 'Y' or
> stays memory resident on 'N'. Is this the virus-like utility only and not a
> virus?

Seems like a virus to me.

> > So what is a computer virus? In simple terms, it is a sequence
> > of instructions that, when interpreted in an appropriate environment,
> > "replicates" in that at least one replica also "replicates", etc., ad
> > infinitum.
> 
> The last condition is incorrect because there are the viruses which
> replicates a limited times. I forgot the name of example but this virus
> contains the 'generation counter' and it not replicates on N generation. So
> the condition must be as: "it 'replicates' at least several (more than 1)
> times, on other cases this is a Trojan horse installator".

Ah!! The partitioning problem.  The counter is really no different than
a conditional.  If we redefine the virus as the part of the program that
replicates, and the counter as part of the environment that the virus
carries with it, we have a virus that extincts itself by destroying its
environment.  To exhaustively test against my definition requires that
we try all possible partitionings of environment and virus.  Just as
Shannon's information theory is usually applied by choosing symbols of 1
byte each, most people choose to look only at the `whole' program as the
virus.  Just as we can try different symbol sets and get different
information content under Shannon's theory, we can try different
partitionings under my definition of viruses.  In this sense (alluding
to a previous question) I am talking about Popper's refutation for
testing against the definition of viruses.
> 
> > Want an example? A backup program replicates by making an
> > exact copy of itself (if it does a good job) on the backup media.  In
> 
> It's a bad example. MS-DOS, PC-DOS (I operate the IBM-PC terms only, sorry)
> are the viruses also:
> 
> - - they replicate:
>  SYS A:
>  COPY *.* A:
> ...
> - - they load itself silently and without user consent.
> 
> MS-DOS is a virus! That is a shock for antiviral researchers and vendors!
> It's need to update all the antiviral databases.

That program seems to be a virus under DOS - but you might like to add a
format command to prepare the disk first - that would likely make the virus
work in more environments.  That doesn't make DOS a virus however. It
also isn't much of a surprise to most virus researchers.

> 
> So I'll try to set several virus definitions.
> 
..

> And who say that the virus is 'a sequence of instructions'? The real
> virus can consists of several parts of code, a *sequences* of instructions
> i.e. several different files, sectors, RAM areas. Well, let this virus
> named as 'multipartite virus'.

The formal definition speaks of sequences of symbols in the `viral set'
of symbol sequences.  A multipartite virus is no problem.  We have (as
one element of the set) something like this:

s1, s2, ..., sn, ANY OTHER SYMBOLS, sn+1, ..., sm, ANY OTHER SYMBOLS, ...

Note that the size of the set is enormous in this case because the sequences
of ANY OTHER SYMBOLS really just identify a set of x^y different sequences
where x is the size of the symbol set and y is the length of the sequence.

> 
> So, the MS-DOS is useful programs, but the MS-DOS floppy with specific
> AUTOEXEC.BAT is a multipartite-virus:
> 
> AUTOEXEC.BAT:
> 
>    sys a:
>    copy *.* a:\
>    sys b:
>    copy *.* b:\
>    ...
>    sys z:
>    copy *.* z:\
> 

Right, assuming we have all formatted floppy disks.

> This MP-virus (multipartite virus) infects all the accessible logical disks
> very well.
> 
> Well, lets examine all the sequences of instructions of all the computers.
> This multitude of files, sectors, RAMs is one great MP-virus (it's very
> dangerous and it can replicate). So,

Not so!! Some of these sequences may be parts of viruses, and other may not.
See the discussion above about the partitioning problem.

> DEF_2: All the programs of all the computers are the parts of the World
> MegaVirus.

Not true - As above

> 
> DEF_3: It's impossible to set the virus definition.
> 
Not true - As above.

> It's because the viruses are manufactured by men and the virus definitions
> are produced by men also. So if we say new virus definition there are
> someone who can write the counter-example virus. As the result the true
> virus definition is DEF_2 only.

Not true - As above.

In the formal definition, it is proven that the set of viruses and
non-viruses are both infinite for a Universal Computing Machine.  The
real problem with writing a good definition is that you have to anticipate
all of these sorts of arguments ahead of time (although that is done almost
automatically by using a mathematical system which has known properties of
consistency, etc.).  That's why the formal definition may seem like it's
not exactly what you mean in some cases.  For example:

I would have liked to define viruses so that they involve using mechanisms
of a host for some purpose, but when you try to do this formally, you end
up being unable to differentiate the `host' from the rest of the environment.
A side effect is that this anticipates the partitioning problem, the so-called
companion viruses, multipartite viruses, evolutionary viruses, and all of
the other things we have come upon.

FC
__________________________________________________________________________
8:30AM-2PM Eastern		Protection		2PM-8:30PM Eastern
US+412-422-4134			 Experts		   US+907-344-5164
	FAX US+412-422-4135 -OR- 907-344-3069 24 hours - 7 days
__________________________________________________________________________

------------------------------

Date:    Fri, 29 Jan 93 10:06:40 -0500
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: On the definition of viruses

  Bob Babcock quotes the following lines from a posting of mine:
>>Note that this argument does not require the assumption that the
>>computer has an infinite amount of storage, as Fred's proof does.
>>  If the definition is (a) or (b), then we can do even better: we can
>>show that in some cases the question cannot be decided even by running
>>the program any finite number of times.  For example, suppose the
>>program asks the user to input four positive integers i, j, k, n
>>(where n must be > 2).  If you choose definition (b), I shall take
>><condition> to be "i^n + j^n = k^n".

  He then replies:
> Minor quibble: the integers i,j,k,n can be arbitrarily large, so the storage
> necessary is unbounded.

I anticipated that someone would make such a comment.  It's for
precisely that reason that I placed the lines
  >>Note that this argument does not require the assumption that the
  >>computer has an infinite amount of storage, as Fred's proof does.
*before* the i,j,k,n example, where they refer only to the argument
which *precedes* what you have quoted, i.e. to the argument for
undecidability by the program's *appearance alone*, and not necessarily
to the argument which you have quoted, which applies to undecidability
by its run-time behavior as well.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    29 Jan 93 15:59:00 +0000
From:    Sam Wilson <ercm20@festival.edinburgh.ac.uk>
Subject: Patriotic Virus Writers?

The following letter and editorial response appears in the February
1993 issue of the UK magazine 'Personal Computer World' under the
heading "Spreading viruses":

      We are a bunch of programmers who, depressed with the lack of
   viruses that have originated in England, have sought to change
   matters.  We presently write viruses for the PC, Archimedes and Atari
   ST.  We have increased the few viruses written in England by about
   25, though this number is increasing all the time as our programmers
   churn out more quality computer viruses. 
      Although there are many viruses about we hope to dominate the UK
   'market'.  Won't it be nice, though, for England to have at least one
   export?
      Finally, we as an organisation like to stress that, contrary to
   public opinion, we are *not* boring people who wear anoraks, nor are
   we depraved people who were beaten as children and so grew up with a
   hatred of humanity. 
      We are highly intelligent and good at programming and are just
   ordinary people.  But we are gonna get you soon!

                                                                   ARCV
                                  (Association of Really Cruel Viruses)
[And the editor replies:]

   You say you're not depraved people? Perhaps you weren't beaten as
   children, but as far as we're concerned you should be beaten as
   adults. 


I wish it were the April issue...

Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date:    Wed, 27 Jan 93 17:13:20 -0500
From:    peprbv@cfa0.harvard.edu (Bob Babcock)
Subject: Re: On the definition of viruses

>Note that this argument does not require the assumption that the
>computer has an infinite amount of storage, as Fred's proof does.
>  If the definition is (a) or (b), then we can do even better: we can
>show that in some cases the question cannot be decided even by running
>the program any finite number of times.  For example, suppose the
>program asks the user to input four positive integers i, j, k, n
>(where n must be > 2).  If you choose definition (b), I shall take
><condition> to be "i^n + j^n = k^n".

Minor quibble: the integers i,j,k,n can be arbitrarily large, so the storage
necessary is unbounded.


------------------------------

Date:    29 Jan 93 19:47:58 +0000
From:    favor@ecst.csuchico.edu (Michael Favor)
Subject: Re: How to measure polymorphism

chess@watson.ibm.com (David M. Chess) writes:

>measure the randomness of a string of bits by finding the smallest
>program for some standard Turing Machine that produces those bits.

In his paper, did Greg Chaitin explain how to 'find' the 'smallest'
program in an objective way?  It seems easy enough to measure two
programs and decide which one is smaller or simpler, but how can one
generate these programs in the first place without using all of the
subjective intuition of the programmer?

regards,
michael.

------------------------------

Date:    Fri, 29 Jan 93 20:20:45 +0000
From:    raph@panache.demon.co.uk (Raphael Mankin)
Subject: Re: Assymetric Cryptographic Checksums 

padgett@tccslr.dnet.mmc.com writes:

>>  In reply to me, Vesselin Bontchev writes:
>
>>> Well, a CRC is usually computed like this:
>>>
>>>      crc = INITIAL_VALUE;
>>>      while ((c = getc (file)) != EOF)
>>>              crc = crc_table [(crc & 0x00FF) ^ c] ^ (crc >> 8);
>>>
>>> Usually INITIAL_VALUE is 0, but you could set it to anything you would
>>> like...
>
>>Well, I think that comes from using a particular (table-driven) *im-
>>plementation* of CRC, and is not an essential feature of CRC as it
>>is defined.  Also, while I agree that in this implementation

All the polynomial-residue CRCs can be calculated like this (HDLC,
CRC-16, V42).  For an n-bit polynomial the value of crc_table[i] is
just the remainder that you get from dividing (polynomial division)
(i<<n) by the polynomial.

This means that every CRC can be calculated with very few instructions
per byte just by pre-computing a 256-entry table of 16- or 32-bit
values.

- --------------
Raphael Mankin			Nil taurus excretum

------------------------------

Date:    30 Jan 93 19:56:10 +0000
From:    alberg@hudlink.hoboken.nj.us (Al Berg)
Subject: Way to go, AP (Not)!


I saw an article in today's _Jersey Journal_ that was headlined:

"World Fears Bulgarian Hacker"

>From the article (identified as an AP story):

"The mysterious Dark Avenger lurks in Bulgaria brewing 'viruses' to 
infect and rot computer programs and data around the world.  He is a
scourge in the West but a kind of hero in his own country, computer experts
say."

The article goes on to identify Russia and Bulgaria as prime sources of
viruses and says that 

"One East Coast company lost $1 million because of the Avenger's electronic
pranks."

David Stang was quoted as well:

"My guess is that he has a regular job and works regular hours and looks 
like a normal guy but comes home at night to a computer, stays up real late
and works on viruses."

It seems to me that this is exactly the kind of coverage that would 
encourage virus authors to practice their craft.  It glorifies the
electro-terrorism that they commit and gives users no real information
on what viruses are and how to protect themselves from viruses.  

A suggestion to the AV organizations (like Mr. Stang's) - 

Why not prepare a "Computer Virus Media Guide" that would explain the 
virus problem and steps that users can take to protect themselves?  
This guide could start as a simplified version of the Virus FAQ.  Another
thing that would help would be the issuing of press releases to major
media outlets when scares like the Michelangelo virus occur.

I'd like to hear others' opinions on this...

Al


- -- 
=========================================================================
Al Berg, Net Rider                                        The Hudson Link
                                                       Cyberspace Gateway
alberg@hudlink.hoboken.nj.us                     Public access email/news
Phone: 201/659-5387                                          201/659-3935
=========================================================================

------------------------------

Date:    Sat, 30 Jan 93 22:26:15 -0500
From:    barnold@watson.ibm.com
Subject: Complexity of polymorphic viruses.

Fridrik Skulason recently posted lines-of-code counts for some
algorithmic virus detectors in F-PROT.  I'm assuming his detectors are
written in C. Here are lines-of-code counts for a few algorithmic
detectors (written in C) included in IBM AntiVirus.  The lines of code
counts for each detector include a 25-line structure initialization
that is arguably data, so the real counts are arguably 249, 20 and 52
lines respectively.  The V2P2 detector is a bulk scanner, and it could
be made considerably smaller.  The lines-of-code counts agree quite
nicely with Fridrik's counts.  (File I/O handling is *not* included in
these counts.  The lines-of-code counter is a standard counter used in
many IBM development projects.  I'm not completely sure what rules
this lines-of-code counter uses.  Obviously, some lines are counted as
both code and comment lines.)

MtE ::= 330 physical lines, 105 lines of comments, and 274 source lines
V2P6 ::= 89 physical lines, 57 lines of comments, and 45 source lines
V2P2 ::= 145 physical lines, 38 lines of comments, and 77 source lines

Bill Arnold

------------------------------

Date:    Sun, 31 Jan 93 00:07:39 -0500
From:    fergp@sytex.com (Paul Ferguson)
Subject: RE: LAT

On 17 Jan 93 21:32:00 GMT, <bill.lambdin%acc1bbs@ssr.com>,
 (Bill Lambdin), writes -
 
> Some have asked me about certain aspects of LAT, and I
> have decided to send one public message instead of
> multiple messages via Email.
 
> 1. I started LAT because of the hype in advertising.
 
[ some deleted ]
 
> 2. LAT is an acronym it means "Lambdin's Accuracy Tests"
 
 All of the reasons that you mentioned are well and good, Bill,
 but there are a few points that you seem to have overlooked.
 Simply running an antivirus "product" against a "zoo" of
 viruses is no way to evaluate an antivirus product. Unless you
 can test the product in a "real-world" environment (including
 whatever TSR monitor/filter, integrity manager, etc.), tossing
 detection numbers around not only misrepresents the antivirus
 products' effectiveness or lack of effectiveness, as the case
 may be.
 
 As far as I can see, your "accuracy" test reflects no measure of:
 
 o Detecting a virus at runtime (file_open)
 o Detecting a virus resident in memory (fairly important as you
   certainly wouldn't want to perform any file_open functions with
   a fast infector resident)
 o Accurate detection/categorization of detection
 o Detecting unknown viruses or other file discrepancies
 o Speed of scanning
 
 Nothing personal, but tossing a few hundred viruses at a few
 scanners and then posting the results as "accuracy" tests is
 about as irresponsible as chiding the vendors themselves about
 hype in advertising.
 
Paul Ferguson                 |  "Making duplicate copies and computer
Network Integration Consultant|   printouts of things no one wanted
Alexandria, Virginia USA      |   even one of in the first place is
fergp@sytex.com               |   giving America a new sense of
FidoNet - 1:109/229           |   purpose."  - Andy Rooney

- ---
fergp@sytex.com (Paul Ferguson)
Sytex Systems Communications, Arlington VA, 1-703-358-9022


------------------------------

Date:    Mon, 01 Feb 93 05:29:04 -0500
From:    David_Conrad@MTS.cc.Wayne.edu
Subject: Re: Infection question

In VIRUS-L v6i13 hutchinson@wrair-emh1.army.mil writes:
>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>> the currently existing types of viruses on the IBM PC. These viruses
>> (boot sector infectors, file system infectors, companion viruses) do
>> not match even Dr. Cohen's natural-language definition of the term
>> "virus", unless you define "program" and "attach" too broadly. And
>
>Then maybe "program" is the wrong word.  Maybe it should be something
>like "function" or "process" instead.  F'rinstance, a boot sector
>infector doesn't exactly attach itself to any program.  But it *does*
>attach itself to the boot *Process*.
 
But in my (humble?) opinion, a boot sector infector does attach itself to
a program, i.e. the bootstrap loader.  This program just doesn't happen to
be contained in a file.
 
Messy details about the file system shouldn't get involved in the 
definition of a computer virus.
 
I'm not quite as certain what to say about companion viruses.  I don't
think calling the bootstrap loader a program is too broad a use of the
word, but saying that a companion virus is "attached" to the program
it has infected may be too broad a use of "attach."
 
Still, without the "host" program the companion virus would never be
executed by the user, would it?  Imagine if it used a name consisting
of a random string of {, }, $, and % with a .COM extension, rather
than the name of another program on the system.  Probably wouldn't
ever be executed.  So the connection between the virus and the program
which is its host is certainly important, if tenuous.
 
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date:    Mon, 01 Feb 93 08:25:45 -0500
From:    keith.watson@stucen.gatech.edu
Subject: Re: On the definition of viruses

For brevity I will not repeat what Y. Radai stated in VIRUS-L Digest
V6 #11. In the case of undecidability by the program to infect the fact
that it can makes it a virus by my 'practical definition' so I don't
want it on my system. As for my practical definition I'll state it via
a question. Why is it that none of the anti-viral packages call backup
or xcopy viruses when a system is scanned (yes, assuming they are not
infected)? It seems obvious that we have agreed with users that Stoned
is indeed different than xcopy.  The question to be answered is what
is it about a program that the user perceives as a virus where virus =
bad and everything else is just a program where program = benevolent.
Can fuzzy logic be applied here? Define bad and benevolent. They too
are undecidable, or in more metaphysical terms, all things are
relative. However, in the real world of trashed files and dead hard
drives we make real decisions. Stoned is a virus and xcopy isn't. In
twenty five words or less explain how we make this decision and you
will be a hero in AI programming.


Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332-0453
uucp:  ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: keith.watson@stucen.gatech.edu

------------------------------

Date:    01 Feb 93 13:57:49 +0000
From:    johan@blade.stack.urc.tue.nl (Johan Wevers)
Subject: Re: Sale of Viri

frisk@complex.is (Fridrik Skulason) writes:

>As I have said before - the lack of any action against virus writers
>is the primary reason why viruses are a problem today.

Really? Then tell me, how would you take any legal action against virus
writers? How would you even find them?
- -- 
*************************************************************** 
* J.C.A. Wevers                * LaTeX  * The only nature of  * 
* johan@blade.stack.urc.tue.nl * wizard * reality is physics. * 
*************************************************************** 

------------------------------

Date:    Fri, 29 Jan 93 11:06:57 -0500
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: Re: os2-stuff (OS/2)

>From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>          Does OS/2 access some DLLs in order to handle the running of
>a DOS program in a DOS window?

Yes.

>                               Are those accesses visible to the
>program running in the DOS window?

No.  At least, not in any way I'm aware of, and I'd be surprised
if there were any way.  In any case, they won't be visible to
a DOS program just watching INT 21 / 4B calls.

>So, it seems that there is indeed no need to scan the DLL files,
>right? Or am I missing something?

For existing viruses, I'd say there's no strong reason to scan
DLL files by default (they should get scanned, along with every
other file on the system, during cleanup, just in case).  Anything
that wants to watch out for new viruses should watch DLLs, though,
because they do contain code.

- - -- -
David M. Chess                    |    "This chicken has a *very*
High Integrity Computing Lab      |        small opening book!"
IBM Watson Research               |


------------------------------

Date:    Wed, 27 Jan 93 21:28:29 -0500
From:    Anthony Naggs <AMN@vms.brighton.ac.uk>
Subject: Re: os2-stuff (OS/2)

Vesselin Bontchev, <bontchev@fbihh.informatik.uni-hamburg.de>, wrote:
> OK, but suppose that the user opens a DOS window. Suppose also that
> s/he runs an infected DOS program in this window and the virus becomes
> resident. ...

Okay.

> ...  Does OS/2 access some DLLs in order to handle the running of
> a DOS program in a DOS window? Are those accesses visible to the
> program running in the DOS window? If they are not, then none of the
> currently existing viruses will infect a DLL file and there is no need
> to scan such files...

I don't think so, but OS/2 (2.x) DLLs run in the CPU's 'Protected Mode'
and so will not be visible to the DOS box.  If the virus is OS/2 aware
then it can interact with OS/2 from the DOS box, but I don't know what
the scope of that is.

> Another possibility is a virus like Frodo, which (erroneously)
> infects files with different extensions, because it thinks they are
> COM or EXE. But Frodo's criteria for executable extension does not
> classify "DLL" as such and I don't know other viruses which do the
> same stupidity...

There are three big reasons not to worry at the moment:
1   OS/2 DLL files have a different internal layout from DOS programs,
    preventing DOS viruses from successfully infecting them.
2   OS/2 (2.x) programs (including DLLs) run in "Protected Mode" which
    means that code for the "Real" or "Virtual" modes used by DOS is
    unlikely to work.
3   Even if these could be overcome a DOS virus would fail as soon as it
    tried an Int 21h call.

> So, it seems that there is indeed no need to scan the DLL files,
> right? Or am I missing something?

In anticipation that OS/2 specific viruses may be written it is wise to
include DLLs as files to be checked by your integrity software, but you
knew that anyway, :-)

Regards,
Anthony Naggs
Software/Electronics Engineer                   P O Box 1080, Peacehaven
(and virus researcher)                          East Sussex  BN10 8PZ
Phone: +44 273 589701                           Great Britain
Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk  or  xa329@city.ac.uk


------------------------------

Date:    Fri, 29 Jan 93 07:27:21 -0500
From:    fwf@gisa.uucp (Frank W. Felzmann)
Subject: DOS CHKDSK bug: a first (?) victim (PC)

A small German company in the field of picture data processing
is a first (?) victim of the DOS CHKDSK bug.

6th January 1993: Data processing with a huge picture file.
The error message "Disk full" appeared at the attempt to save
this file. The user deleted all files with the extension *.BAK.
Then he used the DOS command CHKDSK to proof that the whole
memory was usable.
He got the message: "x files in 7 lost clusters".
After looking in the manual he executed the command 
"CHKDSK /F" -  and .... afterwards
using the DIR command the user got a very curious display
of the content of the root directory.
It was a hard disk with capacity of 1 gigabyte in 1 partition.
He called a specialist and after some hours of work they fixed
that the FAT was existing but no data were available in the root
directory. Because of the urgency to finish the job the user
decided to reformat his harddisk and restored his data with
loss of actual work.

The restored configuration made some problems in addressing the
whole memory, therefore he supposed a hardware error. The result
of a two-day diagnosis at his vendor was negative.
By chance his vendor read the description of the CHKDSK bug in a
computer newspaper (PC Woche, 11th Jan.).

The user informed GISA to confirm his suspicion.

I checked his information and this company must be a victim,
because:

- -    it was a harddisk with a 256 sector FAT
- -    there was a chaining error
- -    it was the unfixed CHKDSK.EXE
- -    and there was a correction attempt with the /F parameter

The damage in this case is about 7.000 Dollars.

If you get information about other victims and you can check
the case, please inform me or VIRUS-L.
I will collect all cases for a report.

Frank W. Felzmann
- ----------------------------------------------------------------
G   German
I   Information         <>  Voice    +49-228-9582-248
S   Security            <>  FAX      +49-228-9582-400
A   Agency
- ----------------------------------------------------------------
   "It's a Snark!" ... Then the ominous words, "It's a Boo---"
- ----------------------------------------------------------------

------------------------------

Date:    Fri, 29 Jan 93 14:10:13 +0000
From:    boone@athena.cs.uga.edu (Roggie Boone)
Subject: VIRSCAN.DAT: Error in line 2178 (PC)

I downloaded the latest VSIGxxxx.ZIP file from OAK.OAKLAND.EDU to use
with the TBSCANX program.  This file unzips into a file called 
VIRSCAN.DAT.  The previous one that I was using worked with no problem.
This latest one has an error apparently.  Here is the basic info of 
what I see:

	-----------------------------------------------
        VIRSCAN.DAT
        REVISION: 9212220

        ERROR IN LINE 2178
        -----------------------------------------------

I have looked at line 2178, but it appears to be a normal line.
Is there a bug in this version of VIRSCAN.DAT?

Thanks,

Roggie Boone
boone@athena.cs.uga.edu


-- 
Roggie Boone
Dept. of Ag and Applied Economics
University of Georgia

------------------------------

Date:    Fri, 29 Jan 93 11:12:13 -0500
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: windows virus (PC)

>From:    S.M.Baines@sheffield.ac.uk
>
>I am sorry to be a nuisance, but several users of Windows at Sheffield
>appear to have been hit by a virus that isn't detected directly. Using
>memory resident virus checkers only detect a write to a protected file
>or disc, but not the name. Scanning the disc and memory also fails to
>show up the 'virus'.

Well, the possibilities seem to be:
  - A genuine Windows-targeted virus, although that seems unlikely
    since you say that the Windows files fail to run after
    being altered,
  - A Trojan Horse program that's just damaging the Windows files,
  - A DOS virus that your "memory resident virus checkers" don't
    have a specific signature for, but that they are able to
    notice now and then,
  - A system problem that's causing some component of the system
    to mistakenly alter other components,
  - A problem with your resident anti-viral, that's causing it
    to give false reports and then mess up the system.

The best way I can think of to decide which it is would be to
examine one of the files after your TSRs tell you that a write
has occurred.  Has it gotten larger?  Have the first 512 bytes
just been overwritten with zeros?  Has it been replaced with
a file containing the words "Destroyed by MegaFoo"?  (Just
a made-up example!)

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research
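
The checks David Chess lists (did the file grow, were its first 512 bytes zeroed, was it replaced wholesale) are easy to turn into a small before/after triage routine. The following is an added example, not code from the digest or from IBM; the sample "executable" bytes are constructed, and the verdict names are my own labels for the cases he describes:

```python
import hashlib

HEAD_LEN = 512  # the first sector, the part Chess suggests looking at first


def fingerprint(data: bytes) -> dict:
    """What a baseline record should keep for every monitored file."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "head": data[:HEAD_LEN],
    }


def classify_change(before: bytes, after: bytes) -> str:
    """Compare a file's content before and after a resident checker reported a write.

    Verdicts (labels are this example's own, not a standard vocabulary):
      unchanged         identical content; the checker may be misreporting
      head_zeroed       same length, first 512 bytes now all zero: damage, not infection
      grew_head_kept    longer, original bytes untouched: a pure append
      grew_head_changed longer and the header was rewritten: the classic
                        appending-infector pattern, worth sending to a vendor
      shrank            truncated
      overwritten       same length, different content (the "Destroyed by MegaFoo" case)
    """
    if before == after:
        return "unchanged"
    b, a = fingerprint(before), fingerprint(after)
    if a["size"] == b["size"]:
        if a["head"] == b"\x00" * len(a["head"]) and b["head"] != a["head"]:
            return "head_zeroed"
        return "overwritten"
    if a["size"] < b["size"]:
        return "shrank"
    if after.startswith(before):
        return "grew_head_kept"
    return "grew_head_changed"


def triage_report(name: str, before: bytes, after: bytes) -> str:
    """One line per file, suitable for pasting into a report to the list."""
    verdict = classify_change(before, after)
    delta = len(after) - len(before)
    return f"{name}: {verdict} (size {len(before)} -> {len(after)}, delta {delta:+d})"


# Constructed stand-in for a Windows program file (not a real binary):
# a fake "MZ" header followed by a body longer than one sector.
SAMPLE_EXE = b"MZ" + b"\x90" * 60 + b"original body " * 40

if __name__ == "__main__":
    cases = {
        "untouched.exe": SAMPLE_EXE,
        "zeroed.exe": b"\x00" * HEAD_LEN + SAMPLE_EXE[HEAD_LEN:],
        "appended.exe": SAMPLE_EXE + b"\x00" * 100,
        "patched.exe": b"MZ\x01\x02" + SAMPLE_EXE[4:] + b"X" * 300,
        "replaced.exe": b"Destroyed by MegaFoo".ljust(len(SAMPLE_EXE), b"!"),
    }
    for name, after in cases.items():
        print(triage_report(name, SAMPLE_EXE, after))
```

In practice the "before" copy comes from a clean backup or distribution diskette and the "after" copy from the affected machine; keeping the SHA-256 in the baseline lets you confirm the reference copy itself has not drifted since it was recorded.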


------------------------------

Date:    Wed, 27 Jan 93 21:20:21 -0500
From:    Anthony Naggs <AMN@vms.brighton.ac.uk>
Subject: Re: windows virus (PC)

Stephen Baines, <S.M.Baines@sheffield.ac.uk>, reports:
> I am sorry to be a nuisance, but several users of Windows at Sheffield
> appear to have been hit by a virus that isn't detected directly. Using
> memory resident virus checkers only detect a write to a protected file
> or disc, but not the name. Scanning the disc and memory also fails to
> show up the 'virus'.

You probably have a virus that is too recent to be found by the scanner(s)
you are using.

I don't want to pick on you, so a quick aside:
> > >     General Reminder To All Posters With Virus Problems:     < < <
> > >     For best advice it helps other readers to know details   < < <
> > >     of the results of all products (& versions) you tried!   < < <


> It appears only to infect the Windows files, and these fail to run.

Many DOS viruses travel without generally announcing themselves, but corrupt
large DOS programs (e.g. WordPerfect) and those for Windows - drawing attention
to themselves.

> ... this has occurred to 2 different users, not using the same computers,
> or ...  In both cases the only solution was to reinstall windows and all
> other software ...

Often the most reliable way of clearing up.

> ...  The common link between the two was use of HENSA to
> download software at terminals at the University of Sheffield. Has
> this 'virus', if it is a virus, been reported before or is it just a
> bug and an unhappy co-incidence?

Many viruses could give similar effects, but without knowing whether the
scanner(s) you have used are recent it is hard to say how new it might be.

Downloading software from HENSA shouldn't be a problem, but all DOS programs
are provided in a (IMO) horrible 'BOO' format.  So the first suspect is the
"DeBoo" software that restores the archive files to a usable state; a virus-
infected copy of this is a likely point of infection of multiple students.

In the event of finding a new, or suspected new, virus you should send copies
of the infected files to the author of your anti-virus software.  It is also
worth sending the same files to other anti-virus producers that you know of,
particularly in your own country where other local users may lack protection.


Hope this helps,
Anthony Naggs
Software/Electronics Engineer                   P O Box 1080, Peacehaven
(and virus researcher)                          East Sussex  BN10 8PZ
Phone: +44 273 589701                           Great Britain
Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk  or  xa329@city.ac.uk


------------------------------

Date:    Sat, 30 Jan 93 00:03:47 +0000
From:    gree7015@elan.rowan.edu (DAN GREENSPAN)
Subject: can anybody help my little lost computer? (PC)

	I run an IBM-type machine.  Lately my machine began acting up
and now I have three invisible files in my hard drive instead of two.
No antivirus software that I have run finds anything (norton, clean).
A directory utility that I use shows the invisible dos files but
nothing else.  The only way I can tell there is a third invisible file
is by doing a chkdsk command!  Other disks used on my computer soon
get this problem too.  I got rid of it once by doing a low-level
format, but recently I used an old floppy and whatever this is must
have transferred itself back to my system.  It seems to interfere with
the keyboard interpreter.  Anybody got a suggestion?

	Gratefully, gree@elan.rown.edu

------------------------------

Date:    Thu, 28 Jan 93 23:14:00 +0100
From:    Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Cansu virus plague! (PC)

Hi Amir!

 > From hard-disks: If your disk is a DOS disk, (no disk-manager)
 > run CHKDSK /MBR and your troubles will be over. (Obviously boot
 > the PC from a clean DOS diskette first).

Sorry, it was FDISK /MBR!

cu!
eppi

--- Via SCANTOSS V 1.37
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    Wed, 27 Jan 93 11:20:00 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: How do MtE utilizing viruses detect themselves? (PC)

 >> Can't an algorithmic scanner use the method used
 >> by MtE itself to detect it?


 > Unfortunately - not. The virus author does not care if his virus does
 > not infect some infectable files, while a producer of an anti-virus
 > program cannot permit himself to erroneously flag a perfectly valid
 > file as infected... The only thing that can be done is to use the

I think that ThunderByte implemented an interesting line of thought in their
scanner, in what concerns detecting polymorphic viruses.

It works like this:

MtE has certain characteristics, and certain opcodes that always appear there.
Then again, it has things that NEVER appear there.

So.

When you scan a file, you assume it is INFECTED, and you try to find
evidence of the fact that it's NOT infected. If you find a series of bytes
that can't possibly be an MtE product, there you have it. If you can't find
that, and assuming you did enough tests, your file is infected.

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

---
 * Origin: MadMax BBS - Co-SysOp's Point.  (9:9721/210)
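
The "assume infected, look for proof of innocence" approach Inbar Raz describes can be sketched as a small exclusion scanner. This is an added example written for this digest; it is not ThunderByte's code and the "always present" / "never present" byte sequences, the 1024-byte window and the loop-structure test are all constructed, hypothetical characteristics of a fictitious engine, not the real properties of MtE:

```python
from dataclasses import dataclass, field

# Hypothetical traits of a fictitious polymorphic engine. NOT the real MtE
# characteristics and NOT TBAV's signatures; they only give the scanner
# something concrete to test against.
ALWAYS_PRESENT = [b"\xe8", b"\xc3"]          # sequences the engine always emits (hypothetical)
NEVER_PRESENT = [b"\xcd\x20", b"\x0f\x01"]   # sequences the engine can never emit (hypothetical)
SCAN_WINDOW = 1024                            # bytes examined from the start of the suspect region


@dataclass
class Verdict:
    infected: bool
    evidence: list = field(default_factory=list)   # every reason the file was cleared


def has_backward_short_jump(region: bytes) -> bool:
    """A decryptor is a loop, so a region with no backward short jump
    (Jcc or JMP rel8 with a negative displacement) cannot be one.
    Hypothetical structural test, not something the post spells out."""
    for i in range(len(region) - 1):
        op, disp = region[i], region[i + 1]
        if (0x70 <= op <= 0x7F or op == 0xEB) and disp >= 0x80:
            return True
    return False


def exclusion_scan(data: bytes) -> Verdict:
    """Start from 'infected' and collect proof of innocence.

    A single piece of evidence is enough to clear the file; only a region
    that survives every test is reported as a suspected engine product.
    All tests run so the report shows everything that cleared the file."""
    region = data[:SCAN_WINDOW]
    evidence = []
    for pat in NEVER_PRESENT:            # test 1: an impossible sequence is present
        if pat in region:
            evidence.append(f"contains impossible sequence {pat.hex()}")
    for pat in ALWAYS_PRESENT:           # test 2: a mandatory sequence is missing
        if pat not in region:
            evidence.append(f"lacks mandatory sequence {pat.hex()}")
    if not has_backward_short_jump(region):   # test 3: no loop, so no decryptor
        evidence.append("no loop structure (no backward short jump)")
    return Verdict(infected=not evidence, evidence=evidence)


# Constructed sample regions (not real code from any program or virus).
CLEAN_BY_IMPOSSIBLE_BYTES = b"\xe8\x00\x00\xc3\xeb\xf0\xcd\x20" + b"\x90" * 20
CLEAN_BY_MISSING_BYTES = b"\x90" * 50
CLEAN_BY_NO_LOOP = b"\xe8\x10\x00\xc3" + b"\x90" * 20
SURVIVES_ALL_TESTS = b"\xe8\x10\x00\x31\xc0\xc3\xeb\xf0" + b"\x90" * 20

if __name__ == "__main__":
    for name, blob in [
        ("impossible-bytes", CLEAN_BY_IMPOSSIBLE_BYTES),
        ("missing-bytes", CLEAN_BY_MISSING_BYTES),
        ("no-loop", CLEAN_BY_NO_LOOP),
        ("survives", SURVIVES_ALL_TESTS),
    ]:
        v = exclusion_scan(blob)
        print(f"{name}: {'SUSPECT' if v.infected else 'clean'} {v.evidence}")
```

The weak point is exactly the one the post hints at with "assuming you did enough tests": a short innocent region that happens to contain the mandatory bytes and a backward jump survives all three tests here, so a real scanner stacks many more exclusion tests before it reports anything, trading scan time for a lower false-alarm rate.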

------------------------------

Date:    Mon, 01 Feb 93 10:58:14 +0100
From:    zimmerms@Informatik.TU-Muenchen.DE (Stephan Zimmermann)
Subject: Cascade & SCANV99 (PC)

Yesterday I scanned a disk with McAfee's ScanV99 and found the Cascade
[170x] Virus. In a second run Scan found this virus 'active in memory'
?!? But I haven't used any of the files on the disk, and none of the
files on the HD were corrupted.  Is this a false alarm due to my first
scanning, or is it possible that this virus gets active after scanning
it ?

Thanks in advance ... Ciao Stephan.

------------------------------

Date:    Sun, 31 Jan 93 18:43:59 +0700
From:    jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers)
Subject: TBAV 5.03 and VSIG9301 upload (PC)

Hi all,

I just uploaded to oak.oakland.edu and garbo.uwasa.fi the following
files:

<MSDOS.TROJAN-PRO>
VSIG9301.ZIP VIRSCAN.DAT virus signatures Jan 1993
ASIG9301.ZIP Additional virus signatures Jan 1993
TBAV503.ZIP  TBAV utils 5.03 (was tbscanXX.zip) 
TBAVU503.ZIP TBAV utils upgrade 5.02 to 5.03

These replace all the other VSIG and TBAV files

-- 
jeroen                             voice: +31-2522-20908 (19:00-23:00 UTC)
                                   snail: P.O. Box 266
jeroenp@rulfc1.LeidenUniv.nl              2170 AG Sassenheim
jeroen_pluimers@f256.n281.z2.fidonet.org  The Netherlands

------------------------------

Date:    Fri, 29 Jan 93 14:47:03 -0800
From:    rslade@sfu.ca
Subject: Internet Worm - the "Perp" (CVP)

HISVIRT.CVP   921215
 
                The Internet Worm - the perpetrator
 
Robert Tappan Morris.  Son of Bob Morris.  (Hence often referred to
as Robert Tappan Morris Junior, in spite of the fact that Bob
Morris' middle name is not Tappan.)  Since the "birth" of the Worm
of sufficient fame to be known simply by his initials: RTM.
 
Robert Tappan Morris was a student at Cornell University when he
wrote the Worm.  He was a student of data security.  The Worm is
often referred to as a part of his research, although it was neither
an assigned project, nor had it been discussed with his advisor.
 
The release of the Worm, at the time that it was released, seems to
have been accidental.  Whatever the motivations for its creation,
and whatever the intentions for its future use, both internal
evidence of incomplete coding and the early generation of "alerts"
from the author would seem to support the theory of accidental
release.
 
At the same time, RTM was not exactly immediately forthcoming in
warning the net.  The first recorded warning was one generated by a
friend (and anonymously at that) about ten hours after the first
release.
 
In reading various documents studying the Worm, there is a division
of opinion regarding the quality of the program itself.  However, an
"averaging" of the comments might yield the following: the Worm
shows a lot of knowledge of security "holes", and competent,
occasionally flawed, but not brilliant, coding.  The Worm might be
considered to be a "proof of concept", except that it contains too
many concepts at once.  There is no evidence that Bob Morris Senior
had any part in, or knowledge of, the Worm under construction. 
Nevertheless, it is unreasonable to expect that there was never any
"shop talk" around the dinner table.
 
RTM was convicted of violating the Computer Fraud and Abuse Act on
May 16, 1990.  An appeal was denied in March of 1991.  He was
sentenced to three years probation, a $10,000 fine and 400 hours of
community service.
 
Opinion about what the sentence should be started even before the
last copy of the Worm was shut down.  It ranged from "hanging's too
good for him" to "he's done us all a great favour".  This range of
opinion still exists today.  Estimates of the damage done range from
$100,000 to $97 million.  In addition, it is very instructive to
read the appeal court's decision.  The arguments all hinge on very
fine interpretations of the law, over matters of intentionality and
the extension of authority to use a machine to cover the use of the
network it is attached to.
 
copyright Robert M. Slade, 1992   HISVIRT.CVP   921215

==============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@sfu.ca      | course, that these
Research into  rslade@cue.bc.ca         | new facts do not 
User           p1@CyberStore.ca         | coincide with my
Security       Canada V7K 2G6           | preconceived ideas


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 16]
*****************************************

