To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #77
--------
VIRUS-L Digest   Tuesday, 11 May 1993    Volume 6 : Issue 77

Today's Topics:

Human factor in infections
Re: Survey Results
Scanners getting bigger and slower
Sending viruses over Internet/Fidonet
Scanners getting bigger and slower
Re: Scanners getting bigger and slower
Re: contest
Re: Should viral tricks be publicized?
Re: YAEMA! (Yet Another Errant Magazine Article)
Re: YAEMA! (Yet Another Errant Magazine Article)
Can a virus infect NOVELL? (PC)
Re: V-Sign? (PC)
"DIR" infection, or "Can internal commands infect" (PC)
Can a virus infect NOVELL? (PC)
Is "Untouchable" (V-ANALYST) Effective (PC)
Re: DOS v6.0 and Virus Functionality (PC)
Re: MtE anti-viruses (PC)
Re: Port Writes (PC)
Re: F-Prot 2.07 (PC)
Re: COMMAND.COM Vaccination (PC)
Re: Viruses which cost $$$ (PC)
Re: Can a virus infect NOVELL? (PC)
Re: Anti-virus planning (PC)
Re: Copyright of Virus Signatures (PC)
novi says infected mcafee says not? (PC)
Re: MSAV and text-files (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Sun, 18 Apr 93 12:42:00 +0200
From:    Inbar_Raz@f0.n462.z9.virnet.bad.se (Inbar Raz)
Subject: Human factor in infections

From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

I said I considered chances of infection of big companies were small.

 > Why do you think so? Just the opposite, a directed attack is the most
 > probable thing that a disgruntled employee of a big company will do...
 > It is difficult to detect, almost impossible to stop, and often
 > impracticable to trace.

In your presented case, you are right. However, this is rather an exception. I 
was more talking about the normal operation of the company. If you are ABLE to 
enforce whatever rules you find needed, and taking out exceptions such as 
fanatic employees, then this should grant you sufficient protection.

One thing, though: if an employee wants to plant a virus on you, he will do that.
I believe that someone who thinks about it is knowledgeable enough to do it
well, regardless of any anti-virus software. I am sure that man knows what
program is used, and where it resides, so he may NOT run it, or disable it, or
God knows.

 > Problem is, this is very difficult to enforce... What are you going to
 > do - searching the people each time they enter the company? A 3.5"
 > floppy fits in a wallet... And, in the worst case, a virus could be
 > brought in as a hex dump on a sheet of paper and the attacker could
 > manually type it in!

That is what I said. I find it weird to argue about something we agree on. The
human factor cannot be taken out, unless you manage to produce a procedure
that does not take ANY conscious effort from the human individual.

Inbar Raz
- - - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- - --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

====> OverDose Gateway Notice <====
Message is actually from Inbar_Raz@f210.n9721.z9.virnet.bad.se
Reply to 9:462/121.0 Internet Gateway with first line of message body being:
TO: Inbar_Raz@f210.n9721.z9.virnet.bad.se


------------------------------

Date:    Sat, 01 May 93 02:09:52 +1200
From:    dogbowl@dogbox.acme.gen.nz (Kennelmeister)
Subject: Re: Survey Results

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> mdallin@lamar.ColoState.EDU (MDallin) writes:
> 
> > On PC's, F-Prot was the most used scanner... 22 people used it.  8 people
> > used McAfee products (Scan, etc).
> 
> 2) You have mainly asked the participants of this forum. I often post
> here about superiority of F-Prot, so the folks here are likely to be
> informed. It might not be so with the rest of the world... :-)

With regards to scanners, people who come to me for AV software
normally have never heard of F-prot. (I maintain an anon access
dialup archive on my BBS)

In general the only AV products known to Joe Average computer user
are SCAN, NAV and CPAV. Usually they are running scanners more than
12 months old, and wonder why they've been hit. "But I've got a
virus scanner"

Complacency on the part of users is the virus writer's biggest ally.

- --
Alan Brown
dogbowl@dogbox.acme.gen.nz

------------------------------

Date:    Sun, 25 Apr 93 10:10:01 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

 > No, this is exactly what Frisk is trying to tell you - it is possible
 > to make the scanning time constant (and very short), regardless (well,
 > almost) of how many signatures you are scanning for. At the expense of
 > memory usage, of course. The technique is known as "hashing" and is
 > explained in Kunth's "bible". Roger Riordan has invented another such
 > technique, called Polysearch; it is described in the proceedings of
 > the 5th International Computer Virus and Security Conference.

Where are these "bible" and the proceedings of the 5th ICVSC available?

 > Honest, have you recently run CPAV or NAV or SCAN or F-Prot on a XT with
 > CGA, 256 Kb conventional RAM, no XMS or EMS RAM, and a 20 Mb MFM hard disk?

Honest? Almost.

I ran an Anti Virus on an XT, 640K, CGA, NO HARDDISK (was scanning
diskettes). A friend of mine got infected with 4K all over the place, so I
had to take it off.

 > Did the scanner fit into that memory? Did you have the patience to
 > wait until it finishes the memory scan? Would you run it on that
 > machine every day? (Note: some of the scanners mentioned will probably
 > run under these conditions. Whether the user will be willing to use
 > them is another question.)

Yes, it was a torture. I left in the middle and left them instructions on how to
continue... (sorry, but I had to do that).

 >> Generic programs were more effective in the days where all the viruses
 >> were leeching - adding to file. Today, you have a lot of new techniques,
 >> that

 > That's very true, but nevertheless there are hundreds of -silly-
 > viruses being written even nowadays, so a generic disinfector really
 > helps - just don't expect it to be able to handle everything.

Excuse my ignorance, but is such a generic method effective against one of
the main headache causers - the MtE?

 >> disinfector. Maybe a generic scanner, but what good is a scanner without a
 >> disinfector?

 > A generic disinfector is significantly easier to write than a generic
 > scanner. With a generic scanner you have to worry about the false
 > positives. To make a generic disinfector you just need to keep some
 > information about the uninfected files and try to restore it after
 > infection. The more information you keep, the better the chances that
 > you'll succeed to recover the file. In order to achieve 100%
 > effectiveness, it is sufficient to keep ALL the information about the
 > files.

Well, my Anti Virus is 'sort of' a general disinfector. All virus entries
have fields that describe how the virus infects, what it does and where.
Thus, one routine is enough to disinfect all viruses of one type - EXE, COM
and BOOT.

 > Such 100% effective generic disinfector exists. It is supplied with
 > every DOS version. It is called BACKUP (or something similar). Use it.
 > It can disinfect any virus, and not only viruses... :-)

It can disinfect your mind as well, if you try using that...

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

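As an added illustration of the hashing technique described in the quoted text above (example code written for this digest, not taken from any of the scanners mentioned; the signatures and the sample file are constructed and are not real virus patterns):

```python
"""Hash-indexed multi-signature scan versus a naive linear scan.

Added example; the signatures and sample file below are constructed for
illustration and are not real virus patterns."""
from collections import defaultdict

PREFIX_LEN = 3  # leading bytes of each signature used as the hash key

# Constructed signatures (name -> byte pattern); not real detection data.
SIGNATURES = {
    "sample-1": b"\xb8\x00\x4c\xcd\x21",
    "sample-2": b"\xe8\x00\x00\x5d",
    "sample-3": b"\xcd\x13\x72\xfb",
}

# Constructed "file": sample-3 at offset 16, sample-1 at offset 28 (33 bytes).
SAMPLE_FILE = (b"\x00" * 16 + SIGNATURES["sample-3"]
               + b"\x90" * 8 + SIGNATURES["sample-1"])


def build_index(signatures):
    """Bucket every signature under its first PREFIX_LEN bytes.

    Memory grows with the number of signatures (the trade-off the post
    mentions); the per-offset lookup cost at scan time does not."""
    index = defaultdict(list)
    for name, sig in signatures.items():
        if len(sig) < PREFIX_LEN:
            raise ValueError(f"signature {name!r} is shorter than {PREFIX_LEN} bytes")
        index[sig[:PREFIX_LEN]].append((name, sig))
    return dict(index)


def scan(data, index):
    """One pass over data: one dictionary lookup per offset, and a full
    comparison only for signatures whose prefix bucket was hit.

    Returns (matches, full_compares): matches is a list of (offset, name),
    full_compares counts byte-string comparisons performed, so the cost
    can be compared with naive_scan()."""
    matches, compares = [], 0
    for i in range(len(data) - PREFIX_LEN + 1):
        bucket = index.get(data[i:i + PREFIX_LEN])
        if not bucket:
            continue
        for name, sig in bucket:
            compares += 1
            if data.startswith(sig, i):
                matches.append((i, name))
    return matches, compares


def naive_scan(data, signatures):
    """Linear scan: every signature is tried at every offset, so the work
    grows with the signature count. Same return shape as scan()."""
    matches, compares = [], 0
    for i in range(len(data)):
        for name, sig in signatures.items():
            compares += 1
            if data.startswith(sig, i):
                matches.append((i, name))
    return matches, compares


def compare_costs(extra_signatures):
    """Pad the signature set with constructed entries that never occur in
    SAMPLE_FILE and return (hashed_compares, naive_compares)."""
    sigs = dict(SIGNATURES)
    for i in range(extra_signatures):
        sigs[f"pad-{i}"] = b"P" + i.to_bytes(2, "big") + b"\x00\x00"
    return (scan(SAMPLE_FILE, build_index(sigs))[1],
            naive_scan(SAMPLE_FILE, sigs)[1])


if __name__ == "__main__":
    print(scan(SAMPLE_FILE, build_index(SIGNATURES)))
    print(compare_costs(1000))
```

With a thousand extra signatures the hashed scan still performs only two full comparisons on this sample, while the naive scan performs one per signature per offset.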
------------------------------

Date:    Sun, 25 Apr 93 13:06:03 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Sending viruses over Internet/Fidonet

 > From: Peters@DOCKMASTER.NCSC.MIL (Donald G Peters)

 > Personally, I would think it is fair to email it to anyone with
 > a government Internet address (is this reasonable?) or to anyone

Well, if I neglected to mention, most of the virus writers in Israel, and I
assume that it's the same situation in the rest of the world, are STUDENTS,
and as such, most, if not all, have Internet IDs. I, for example, had some
work to do in Weizmann Institute for Science two years ago - a work that
lasted less than a year, and still I was granted computer access to bitnet,
which is accessible through internet, and I was therefore assigned a name on
an internet domain - nyvirus@weizmann.weizmann.ac.il.

Does this mean anything? No. I could just as well be a virus writer, which I
am not, and the same goes for other students.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Sun, 25 Apr 93 11:51:02 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

t90jwh8@mp.cs.niu.edu (Jim Huguelet) writes:

IR:

 >> Data Security. More than once I had a meeting with Bank representatives,
 >> and even a Hospital representative, which wanted to know more information.
 >> All of them came to a point where they said - "But what good is a SmartCard,
 >> if people can lose it just as well as they can lose/give away their password?"
 >>
 >> There is no reply to that. The human factor will always exist, and this is

 > [stuff deleted]

 > There is a reply, of sorts, because there is a not insignificant difference
 > between a password (or other "what you know" authentication schemes) and a
 > smart-card (and "what you have" authentication.)  Only one person can be
 > in possession of a smart-card at a given moment - many people can be in
 > possession of a password simultaneously.  Users cannot tell if their
 > password has been compromised, but they can determine whether or not they're
 > still in possession of their token.

Still. People can loan the smartcard to whomever they choose.

The solution, the way I see it, is something that the user is not aware of,
such as voice identification, pupil id or fingerprint. This is something
that need not be in one's conscious mind; it cannot be copied (not exactly
correct, nevertheless) and cannot be given away. The moment a user has to
THINK about it, it loses a little efficiency, because there is always the
chance of the user NOT thinking for a moment, and the consequences of this
may be unknown.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Mon, 03 May 93 14:51:57 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanners getting bigger and slower

Inbar.Raz@p42.f100.n403.z2.fidonet.org (Inbar Raz) writes:

>  > Generic disinfectors exist...

> How effective are they?

Depends on the particular generic disinfector... A backup program can
be 100% effective, if used properly... :-)

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

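The "keep some information about the uninfected files and try to restore it" approach quoted in the earlier message, and the effectiveness question answered here, as an added example (written for this digest, not code from any product mentioned; sample data and the two tamper patterns used as fixtures are constructed):

```python
"""Baseline-and-restore generic disinfection for appending modifications.

Added example: a baseline records each file's size, hash and first
HEADER_LEN bytes; restore() rebuilds the original from that record and
verifies the result against the stored hash. Sample data is constructed."""
import hashlib

HEADER_LEN = 32  # bytes of each file's head kept in the baseline


def take_baseline(files):
    """files: name -> bytes. Returns name -> (size, sha256 hex, head bytes).

    Keeping more of each file (up to the whole file, i.e. a backup) raises
    the recovery rate; keeping less saves space."""
    return {
        name: (len(data), hashlib.sha256(data).hexdigest(), data[:HEADER_LEN])
        for name, data in files.items()
    }


def is_unchanged(name, data, baseline):
    size, digest, _head = baseline[name]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def restore(name, data, baseline):
    """Return (status, bytes): 'clean' if the file matches the baseline,
    'restored' if the stored head plus the original size were enough to
    rebuild a copy whose hash matches the record, 'unrecoverable'
    otherwise (e.g. a modification in the middle of the file, beyond the
    stored head, or a file that is now shorter than the original)."""
    size, digest, head = baseline[name]
    if is_unchanged(name, data, baseline):
        return "clean", data
    if len(data) < size:
        return "unrecoverable", data  # bytes are missing; the head cannot supply them
    candidate = head + data[HEADER_LEN:size]
    if hashlib.sha256(candidate).hexdigest() == digest:
        return "restored", candidate
    return "unrecoverable", data


# Constructed original file (128 bytes) and two constructed tamper patterns
# used only as test fixtures: one replaces the head and appends data, the
# other overwrites bytes in the middle of the file.
ORIGINAL = bytes(range(64)) * 2


def tamper_append(data, payload):
    return b"\xff\xff\xff" + data[3:] + payload


def tamper_overwrite(data):
    return data[:40] + b"\xff" * 8 + data[48:]


if __name__ == "__main__":
    base = take_baseline({"prog.com": ORIGINAL})
    for label, sample in (("clean", ORIGINAL),
                          ("appended", tamper_append(ORIGINAL, b"X" * 40)),
                          ("overwritten", tamper_overwrite(ORIGINAL))):
        status, _ = restore("prog.com", sample, base)
        print(f"{label}: {status}")
```

The appending case is recovered exactly and verified by hash; the overwriting case is reported as unrecoverable rather than silently "repaired", which is the "don't expect it to handle everything" caveat in practice.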
------------------------------

Date:    Mon, 03 May 93 13:51:29 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: contest

CELUSTP@cslab.felk.cvut.cs writes:

> >There are a couple of hundreds of viruses that infect only a SINGLE
> >executable on the attacked computer.

> May you give exact ratio: viruses infecting only single executable/total
> number of known viruses, e.g. 200/2500 ?

For obvious reasons (there are too many viruses and I don't know all
of them by heart), I can give you only an -approximate- ratio. The
approximate ratio of the viruses that infect only a single executable
program on the attacked computer is about 10%.

Hint: this is exactly what the boot sector viruses do. There are about
2,300 known viruses, about 220 of them are boot sector infectors.
There are also a few file infectors (Lehigh, VVF, etc.), which infect
only a single executable - COMMAND.COM.

> >We've already been through all this a few times in the past. Please,
> >read the appropriate back issues. It all depends on how you define
> >"attach".

> I've read them. I wish to see clear definition of "attach". I add here

If you have read them, then you have probably seen the comments (were
they from Padgett?) that "attach" should be defined to include
"linking to the execution path" or something like that, in order to
include the boot sector viruses, the companion viruses, the file
system infectors, the overwriting viruses, etc.

BTW, I would also like to see a clear definition of this term. I was
referring to a general description of it ("it depends how you define
it", meaning that there are several possible ways), not to an exact
definition. If you find an exact and clear definition, don't forget to
tell us. :-)

> I wish to understand the meaning of "beneficial viruses".

When Dr. Cohen speaks about "beneficial viruses", the meaning he puts
in this term is "a beneficial program that is a virus, according to
his definition of the term 'virus'".

> Please, could
> you send your suggestion to category 4. Ethical definition? 

No, I don't feel competent on that subject.

> I wouldn't agree that doing damage is "optional side effect". So, I leave

Why not? It is optional, because it is possible to create a virus that
does not have it, and it is a side effect, because this is not the
main goal of a virus (its main goal is to infect).

> >I have one here. It is actually Dr. Cohen's definition, with all
> >symbols explained and without the abbreviation shortcuts he usually
> >uses. It's hand-written and is one A4 sheet of formulae.
> >Unfortunately, I don't know TeX enough to translate it into
> >electronical form.

> Please send it by fax or send the copy by snail mail to the address below.

Yesterday I tried to photocopy it, but the result was too bleak. I'm
afraid that the fax will produce even worse results... :-( I'll seek
some expert help in TeX and will try to convert it into electronic
form. If I succeed, I'll make the result available for anonymous ftp.
However, don't expect this to happen soon - it is not on the top of my
priority list.

> Causing directly or indirectly unauthorized modifications to computer
> information is IMHO too large frame.

I intentionally tried to use the widest possible frame. We are
speaking about the legal definition here. For the lawyers it will be
best if we don't talk about such strange things like "viruses" or even
about "computers" and instead of defining new legal terms we use the
already available ones. The laws in almost any country are prepared to
deal with "damage", that's why I am trying to use this approach.

> Existing laws defined that way are
> not sufficient for effective action against virus writers.

Why not? Several countries (e.g., the UK) do not distinguish the
viruses as something particular and use the already existing laws for
computer misuse, etc.

> I agree that
> definition may be extended to trojan horses and logic bombs, but not to
> spoofs and hacking. Those are different things.

Why are they different? From the legal point of view, they are all
unauthorised use of a computer that may cause direct or indirect
damage.

> The point is to find
> definition which could be possibly used as basis for adequate law (which

There is another problem here - which law? The laws in the different
countries tend to differ very much from each other...

> doesn't exist now). So, I suggest to competitors to stress what is the
> part in -written- code (virus, trojan horse, logic bomb, etc.) which
> could be considered as punishable.

No, that's not a good idea. The major laws of many countries protect
any form of written expression. Writing a virus per se is nothing
wrong - IFF the virus author succeeds to prevent the virus from
getting anywhere where it is unwanted. However, if the virus -does-
get somewhere where it is not wanted, then the virus writer should
share the responsibility for letting the virus "escape".

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 03 May 93 15:01:12 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Should viral tricks be publicized?

RADAI@vms.huji.ac.il (Y. Radai) writes:

>   Some people expose tricks used by *virus writers* and explain to the
> *AV people* how to deal with them.  Your article does the opposite: It
> describes tricks, along with sample code, to prevent or bypass tech-
> niques used by the *AV people*, something which would be most useful
> to the *virus writers*, as is evidenced by the fact that one of them
> chose to forward it to 40 Hex.  That's not what you had in mind?
> You'll have a hard time convincing me.

Yisrael, I think I have to defend Inbar here. First, from his public
messages he has posted here and from the messages I've received from
him, I am convinced that his knowledge in viruses is less than his
knowledge in copy protection tricks, DOS internals, etc. Not that he
wouldn't be able to write a virus, but this doesn't look like his
favorite pastime. My guess is that he is interested in viruses mainly
as a source of tricks he could use in his main areas of interest.

Second, may I remind you that the discussed controversial article in
40-Hex begins with the following preamble:

> I picked this up in a collection of clips from the Fidonet 80xxx echo,
> figured it might interest someone.
>                                        --Hawkmoon

That is, the article is not published there by him, it is picked by
somebody who uses the handle "Hawkmoon" from some Fido conference.

Third, even my articles have been published in 40-Hex - without any
permission from my side, of course. Several of them have been picked
from Virus-L/comp.virus just like Inbar's article has been picked from
somewhere else. Does this imply that I am a virus writer?

Fourth, I disagree that his article teaches the virus writers how to
do something. His article mainly teaches how to try to block the
attempts of somebody to debug or disassemble your program. This is
mainly used for copy protection purposes, although of course it is used
both by the virus writers and the authors of anti-virus programs.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 10 May 93 18:52:41 +0000
From:    bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: YAEMA! (Yet Another Errant Magazine Article)

Rob Slade (roberts@decus.arc.ab.ca) writes:

> The piece ends with another quote from the CPAV guy that "The virus
> writers have tried to come up with something that could not be caught,
> and they have failed".  Well, yes.  Vesselin, how well is CPAV doing
> on the MtE tests?  :-)

Well, if I recall correctly, CPAV 1.3 succeeded to detect reliably
only Fear, and that was probably just pure luck. However, why look
so far? After all, the MtE is "modern" technology - it appeared "only"
two years ago. Let's look at something simpler and known for a long
time - V2P6. Let's also look at some more recent edition of the
scanner - MSAV. Let's look carefully... It detects... ehm... 1 (one!)
replicant of the few dozens that I have here... That much about quality...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 11 May 93 06:17:59 -0400
From:    v922340@laqueur.si.hhs.nl (Ivar Snaaijer)
Subject: Re: YAEMA! (Yet Another Errant Magazine Article)

roberts@decus.arc.ab.ca (Rob Slade) writes:
|> [ ... ]

|> The following paragraph states that "Because the new viruses are so
|> potent, there is considerable interest in hardware to exterminate
|> them".  (Send in the Daleks!  :-) Aha!  we come to the reason for the
|> article!  Western Digital's Immunizer!  Therefore, I shall be
|> releasing my review of the Immunizer immediately.
|> 

I have heard about a hardware scanner by ESaSS. As far as I know this thing
doesn't have many limitations (there must be a limit to limitations), and as far
as I know it's plug'n'play. It's said that it catches all write actions and
BIOS redirections, and works without an OS. (I'll seek out a test report I found
somewhere ...)

Ivar.
- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Thu, 22 Apr 93 11:28:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Can a virus infect NOVELL? (PC)

Xianyow asks:

 > I have a question, can a virus infect NOVELL system?  Since there are
 > many read-only files in NOVELL, how can it write into that file?  If it
 > can't, how can it live when the power turned off?
 > But I really heard some viruses can infect NOVELL.

As far as I know, there are no viruses for the NOVELL environment (running on the
server), however viruses can replicate on the server's disk via a station,
especially if the station has supervisor rights (thus able to change file
attributes of the server files). That's in general. I know of no virus that
can change Netware file attributes (if no supervisor rights are available).

There are however some viruses that tend to damage NOVELL netware (not the
files... the system) so that when an infected station is logged in the server
will crash. One of these viruses is a variant of Jerusalem and is called
"NET-CRASHER".

Regards

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Thu, 29 Apr 93 21:36:37 +0700
From:    micke@qainfo.se (Micke Larsson)
Subject: Re: V-Sign? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Side question - could somebody with MS-DOS 6.0 verify whether the
> FDISK/MBR trick still works and post the results? Thanks.

Preliminary test results with MS-DOS 6.0 Upgrade Set
Swedish version, (ver /r reports rev. A):

Machine: 386SX clone with AMI BIOS 40 Mb HD and one C: partition

The machine was upgraded from MS-DOS 5.0 (still rev A...). The
installation was made as I think most users are doing it:
1. no backup made of the previous DOS 5 installation (the Install-
   program in DOS 6.0 asks you if you want to do one).
2. have DoubleSpace installed right after the DOS installation
   (in "Fast" install mode)
3. let Memmaker have a go after the DOS installation (also in "Fast"
   mode)

The installation went without any problems. The partition and boot
sectors were not changed in any way, actually the boot sector still
said "MS-DOS 5".

Doublespace left a H: partition of 2 Mb with IO.SYS MSDOS.SYS
DBLSPACE.BIN and a COMMAND.COM. The C: partition was now a 67 Mb
compressed file.

I let Form-virus have a go. The machine booted happily with Form on
the HD. Cleanbooting from the first Upgrade-disk gave me a clean
memory and SYS.COM (uncompressed on the distribution disk) took
away the virus. The command on this machine with Doublespace had to be
SYS H:

Stoned, Joshi and Michelangelo also had a try: the machine booted with
the viruses on the HD (one at a time) and cleanbooting with disk 1 and
FDISK /MBR took away the viruses.

There has been a rumour going round that DOS 6 runs the device driver
for Doublespace from the HD when booting from a bootable DOS 6 diskette.
I did not manage to make DOS 6 do that.

Formatting a diskette with FORMAT /U /S gives a bootable diskette with a
copy of DBLSPACE.BIN. If FORMAT is run from the HD the copy of the driver
is of course taken from the HD.

If one formats a diskette after having booted off distribution disk 1
DOS 6 takes the copy of DBLSPACE.BIN from the original disk, not from
the HD.

If one deletes the copy of DBLSPACE.BIN from the formatted bootable
diskette and boots from it only the former H: partition is available and
the driver for Doublespace is not loaded.

It is true that the HD drive light flashes a lot when booting from a
floppy with DOS 6, but I could not understand if it had anything to do
with DBLSPACE.BIN (or ditto.SYS, ditto.EXE etc).

There are plenty of other things to test and the above mentioned stuff
can be more thoroughly tested and documented. This was done during a
lunch break...

Before I will have the time to do more someone else will probably already
have done it and much better. If YOU do, please let the group know.


  Micke Larsson QA Informatik AB, PO Box 596 S-175 26 Jarfalla Sweden
Tel +46-8-7602600 Fax +46-8-7602605 BBS +46-8-7602615 2:201/370@FidoNet
           e-mail micke.l@qainfo.se Compuserve Id 100135,1742
  QA Informatik distributes Dr Solomon's Anti-Virus Toolkit in Sweden

------------------------------

Date:    Thu, 29 Apr 93 10:00:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: "DIR" infection, or "Can internal commands infect" (PC)

Hi Vesselin.

On the last com. you write:

AN:
 >> As I said. It will not happened while typing "DIR" at the DOS prompt, but
 >> it might if you run DIR from a batch file or from a program.
VB:
 > No, it will happen -before- you run DIR from a batch
 > file or from a program. Which still means that DIR -cannot- cause the
 > infection of your computer. Running an external program or loading
 > a new copy of the command interpreter can - but nobody was speaking
 > about that.

Yeah, like any other program that does something before it
runs (SMARTDRV for example will do several things before a program you've
called is loaded) but the result is the same.

From the most common user's point of view the PC operation is transparent, and
when he is executing commands (or maybe selecting options from a menu) it's
the same thing for him.

Do you know how common the question "Can a write protected floppy be
infected?" is? What do you think?

What's important is the result. If a theoretical possibility of doing
something that might be interpreted as a simple DIR by a user exists, some
users will consider it so.

Besides, if we were talking pure theories and computer science not many people
would have read this. From my point of view this is for everyone not only
between us, so I believe that the answers should come from this angle.

Warmly

    Amir.

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Wed, 28 Apr 93 13:03:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Can a virus infect NOVELL? (PC)

In a reply to Kam regarding:
 >>         "set executable files read only = on"

Malte Eppert writes:
 > That's why this protection is not very effective. Image a virus
 > implementing the following pseudo-code idea:

1 > copy to-infect.com temp.moc
2 > infect temp.moc
3 > del to-infect.com
4 > copy temp.moc to-infect.com
5 > del temp.moc

 > and your 'protected' executable is straight infected.

I just wanted to comment that the method cannot work on Novell netware if the
current user does not have supervisor rights since the file attributes are
handled by Novell and cannot be altered by anyone that doesn't have the
supervisor privileges.

So actually in the above mentioned method steps 3 & 4 cannot
be performed.

Moreover, if the user has limited Trustee rights assigned to the directory in
which the infection is about to take place, he (or any program run by him)
will never be able to perform steps 1, 2 & 5 (not to mention 3 & 4), meaning
none of the above.

So practically the best method to protect a network drive is
by setting file attributes to [ReadOnly], [Shareable], and limiting the trustee
rights assignment to [FileScan] and [Read] only.

Unfortunately: not all programs will work under such conditions so the
network manager is forced to leave some files and directories open for
everything. I would say that it is good practice to differentiate these
programs from others and maintain tight supervision on them elsewhere,
but keep all the other applications as Ro,S as recommended above.

Obviously, a user should have his own directory in which he may Read or Write
but this directory should be out of the reach of others.

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Fri, 30 Apr 93 21:51:00 +0200
From:    Schwartz_Gabriel@f101.n9721.z9.virnet.bad.se (Schwartz Gabriel)
Subject: Is "Untouchable" (V-ANALYST) Effective (PC)

TO: jmolini@nasamail.nasa.gov
Did you check out the ViruSafe Anti-Virus from EliaShim microcomputers ?
BTW: V-Analyst isn't as good as you mentioned it. It can't find lots of
known viruses....  
 
- --- FastEcho/386 B0426/Real! (Beta)
 * Origin: >> Rudy's Place << VirNet, Israel (9:9721/101)

------------------------------

Date:    Mon, 03 May 93 14:14:14 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DOS v6.0 and Virus Functionality (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

> 1. DOS 5.0 has introduced a whole new way to handle memory. This, I believe,
>    is the main cause for many of the viruses' not working. Since I have made a
>    few experiments myself, I can safely tell you that it's the DOS=HIGH that
>    disabled a lot of viruses.

What actually causes troubles in DOS 5.0 loaded high is the "dirty"
way it installs its INT 21h handler (first sets an IV handler, then
moves itself high, then "fixes" only the segment part of the IV), and
the fact that many offsets in the handler are different from the
previous versions...

> 2. Based on articles in PCMagazine and PCToday, I gather that DOS 6.0 is
>    merely 'DOS 5.0 + ToolCase'. Not many enhancements, and most of the new
>    stuff is really handy utilities, most of them you probably already have
>    on your harddisk, such as an Anti-Virus, rs-232 File XFer utilities,
>    Backup and Restore programs, etc.

Well, don't forget that one of the "tools" is a disk compression
device driver a la Stacker. This already causes a lot of mess when a
virus is present - either the virus doesn't work properly, or damages
the compressed volume, or other messy things... :-)

> Again, you almost say it yourself. DOS 6 is probably DOS 5, with minor 
> improvements and a toolcase. Nothing to be worried about.

Again - could somebody who has MS-DOS 6.0 please verify whether the
FDISK/MBR trick still works? Please?

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 03 May 93 14:34:25 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE anti-viruses (PC)

WEIS@cc.elf.stuba.cs (Michal Weis or INFI) writes:

> does anybody know ANY MtE antiviral software that can also remove virus
> (not delete, remove!). I need it to compare with my anti-MtE program. (I
> already have TB). Any other soft in the world?

ANY anti-virus software that is able to perform MtE disinfection? That
is, you don't care whether it is any good in any other aspect, right?
OK, lemme see...

1) TbClean from the TBAV package - it is often able to repair the
infected COM files. The EXE files are also repaired, but some fields in
the header are not restored correctly - unless you have previously
built the integrity database (I mean, prior to infection).

2) CPAV 1.4 and MSAV (from MS-DOS 6.0) are able to disinfect some of
the MtE-based viruses sometimes.

3) A German anti-virus product, called AntiVir IV.

There might be a couple of others, I don't know.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 03 May 93 14:42:07 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Port Writes (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

>  >> Is there any EXISTING control program to inhibit such access?

>  > Yes. Most modern hard disk controllers issue a hardware interrupt to

> STOP. Do you really think that THIS is a barrier?

I don't. You asked whether there exists such program and I replied
that yes, such program exists. I didn't claim that it is impossible to
bypass it.

> I mean, if someone already 
> takes the trouble to learn and implement Port-Write disk access, what is it 
> for him to add a Vector Change before and after?

I thought that this would crash the computer. DOS seems to intercept
these interrupts for some reason, so I supposed that there -is- a
reason then must be available...

> Besides, I haven't checked it
> yet, but I think it might be possible to tell the IDE NOT to generate this 
> interrupt.

It is possible. The question is whether the computer will continue to
work without problems. I don't know.

> Remember - even if the interrupt is not triggerable, I can still re-vector it
> to myself and ignore it/use it for my own purposes.

Problem is, I thought that DOS -needs- to receive this interrupt for
proper operation. It might not be the case. Try hooking this interrupt
by a small TSR handler that just does IRET and see what happens.

>  > accessed the disk in a non-natural way, so you raise an alert. At

> Someone, as I've seen, has already commented you about this remark. May I 
> please remind you that the BIOS itself also uses port writes? And you CAN'T 
> link into the BIOS and tell it to tell you when it's OUTting a port...

I know that... :-) I meant that the BIOS performs its port writes on
user requests, not when it damn pleases. By "user requests" I mean INT
13h requests. So, the idea is to hook -both- INT 13h and the "device
ready" interrupts and to check if the INT 13h requests match the
"device ready" reports.

> True, virus writers really don't care MUCH about portability. Nevertheless, 
> the only portability problems would occur on change of interface. For example,
> if the author had an IDE drive, then his virus wouldn't work on SCSI's and 
> ESDI's, but then again, most of the AT class computers use IDE...

There are still a lot of MFMs around there... But you are right - a
program that controls IDEs and SCSIs through the ports might be
portable enough.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
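The check Vesselin outlines above - hook both INT 13h and the controller's "device ready" interrupt and compare what the BIOS was asked to do with what the controller reports finishing - can be simulated over an event trace. This is an added example, not code from the post; nothing here hooks real interrupts, and the trace is constructed. It assumes the controller raises one completion interrupt per sector transferred (IDE PIO behaviour) and that only the BIOS read and write functions (AH=02h, 03h) count as disk requests.

```python
"""Simulation of an INT 13h / IRQ 14 correlation check.

Added example, not from the original post. A completion interrupt that
arrives while no INT 13h request is outstanding is flagged, on the
theory that something drove the controller through its ports directly.
Assumptions: one completion interrupt per sector (IDE PIO), and only
AH=02h/03h requests move data.
"""

DISK_FUNCS = {0x02: "read", 0x03: "write"}

# Constructed trace of what the two hooks would see, in order.
#   ("int13", ah, sector_count)  - request seen by the INT 13h hook
#   ("irq",)                     - completion seen by the IRQ 14 hook
TRACE = [
    ("int13", 0x02, 1),
    ("irq",),
    ("int13", 0x03, 4),
    ("irq",), ("irq",), ("irq",), ("irq",),
    ("irq",),                 # nothing outstanding: direct port I/O?
    ("int13", 0x08, 0),       # get drive parameters: no transfer, ignored
    ("int13", 0x02, 2),
    ("irq",), ("irq",),
]


def unsolicited_completions(trace):
    """Return indices of completion interrupts with no outstanding request.

    `expected` counts sectors the BIOS has been asked to move but the
    controller has not yet reported finished.
    """
    expected = 0
    alerts = []
    for index, event in enumerate(trace):
        if event[0] == "int13":
            _, ah, sectors = event
            if ah in DISK_FUNCS:
                expected += sectors
        elif event[0] == "irq":
            if expected == 0:
                alerts.append(index)
            else:
                expected -= 1
    return alerts


if __name__ == "__main__":
    for index in unsolicited_completions(TRACE):
        print(f"event {index}: disk completion without INT 13h request - "
              "possible direct port access")
```

As Inbar points out in the exchange, a program that already talks to the controller can mask the interrupt at the controller or re-vector IRQ 14 ahead of the hook, so this catches only the naive case. A BIOS request that errors out would also leave `expected` non-zero and let the next stray completion through; a real monitor would have to watch the INT 13h return status as well.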

------------------------------

Date:    Mon, 03 May 93 14:23:20 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-Prot 2.07 (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

> I did not like the fact that F-Prot 2.07 did not allow its extraction. I got 

More generally, it does not allow itself to be run if modified in any way.

> However, this didn't run. It says 'Run a non-infected version'.

Well, version 2.08 says "Alert! This program has been modified.",
which is the truth, after all... :-)

> I don't understand why you don't allow the extraction. SCAN does. The original
> SCAN comes PkLited. If you PkLite -X SCAN/CLEAN, they still run normally. Why
> can't you?

Well, SCAN says that it has been "damaged" - why do you think that
this is better? Oh, you probably mean that it does allow you to
continue, instead of halting the computer as F-Prot does? Well, it is
arguable whether this is a reasonable behavior - what if the
modification has been caused by a virus? Then the virus is now
probably resident in memory and running the scanner may infect all
objects that are being scanned...

Maybe a compromise would be an option to force F-Prot to run even if
it has been modified...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
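The behaviour discussed above - a scanner that carries a digest of its own image, refuses to start if the body has changed, and (Vesselin's suggested compromise) can be forced to run anyway - is shown here as an added example; it is not F-Prot's or SCAN's own code. The image layout (body, then a magic tag and a SHA-256 digest of the body) is an assumption for the example. A plain digest only catches changes made without knowledge of the scheme, such as an appending infector, re-packing or unpacking with PKLITE, or a corrupted copy; anyone who knows the layout can re-seal a modified body, so this is integrity self-checking, not protection against a deliberate attacker.

```python
"""Self-integrity check for a program image, F-Prot style.

Added example, not F-Prot's or SCAN's code. Image layout (assumed):
body + MAGIC + SHA-256(body). The check detects modifications made
without knowledge of the layout; it is not tamper-proof.
"""
import hashlib
import hmac
import zlib

MAGIC = b"SELFCHK1"                          # assumed trailer tag
DIGEST_LEN = hashlib.sha256().digest_size    # 32 bytes


def seal(body: bytes) -> bytes:
    """Build a sealed image: body + MAGIC + SHA-256(body)."""
    return body + MAGIC + hashlib.sha256(body).digest()


def verify(image: bytes) -> bool:
    """True only if the trailer is present, last, and matches the body."""
    trailer_len = len(MAGIC) + DIGEST_LEN
    if len(image) < trailer_len:
        return False
    body, trailer = image[:-trailer_len], image[-trailer_len:]
    if not trailer.startswith(MAGIC):
        return False
    return hmac.compare_digest(trailer[len(MAGIC):],
                               hashlib.sha256(body).digest())


def startup_decision(image: bytes, force: bool = False) -> str:
    """What the scanner does at startup.

    'run'        - image intact
    'halt'       - modified; refuse, as F-Prot does, since the change may
                   have been made by a virus that is now resident
    'run-forced' - modified, but the operator insisted (the proposed option)
    """
    if verify(image):
        return "run"
    return "run-forced" if force else "halt"


# Three ways an image stops matching its digest (all constructed here).
def appended(image: bytes, payload: bytes) -> bytes:
    """Appending infector: bytes after the trailer, so it is no longer last."""
    return image + payload


def patched(image: bytes, offset: int) -> bytes:
    """One body byte changed in place; the trailer stays where it was."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


def repacked(image: bytes) -> bytes:
    """Stand-in for packing/unpacking the executable: body rewritten wholesale."""
    return zlib.compress(image)


if __name__ == "__main__":
    clean = seal(b"scanner code and signatures " * 64)   # constructed body
    print("clean    :", startup_decision(clean))
    print("appended :", startup_decision(appended(clean, b"\xEB\xFE")))
    print("patched  :", startup_decision(patched(clean, 10)))
    print("repacked :", startup_decision(repacked(clean)))
    print("forced   :", startup_decision(patched(clean, 10), force=True))
```

Halting rather than continuing is the conservative choice for the reason given above: if the modification came from a virus, that virus is probably resident while the check runs, and a scanner that opens every executable on the disk is then the ideal infection vehicle. The `force` path exists for the operator who knows why the image changed (an unpack, a patch) and accepts that risk.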

------------------------------

Date:    Mon, 03 May 93 13:44:20 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: COMMAND.COM Vaccination (PC)

Jani_Patanen@f273.n220.z2.fidonet.org (Jani Patanen) writes:

[proposal to "immunize" COMMAND.COM by PKLiting it deleted]

> Executables that have been compressed with PKLITE are basically immune
> to infection by viruses that infect executables, including COMMAND.COM
> in this case.  The PKLITE file can still be infected externally (as
> reported by McAfee's SCAN), but the actual executable cannot be infected
> in this form.

> What do you think about this? Will it work against most of the command.com 
> infecting viruses?

The proposed method provides LESS protection than the extension
renaming or the setting of the ReadOnly attribute. In particular, it
will be able to stop only viruses which rely on the fact that
COMMAND.COM contains large area(s) of zeros.

A PKLited file can be infected just as easily as any other. SCAN will
report such file as infected "externally". The claim that "the actual
executable cannot be infected in this form" is wrong and misleading.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 03 May 93 14:55:18 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses which cost $$$ (PC)

Jeroen.Donkers@mi.rulimburg.nl writes:

> I remember having destroyed an EGA Color monitor by installing MS-DOS
> version 4.0 on a Sperry HT (an XT from 1986). (I was able to repeat it
> with another machine of the same type, but managed to switch it off
> quickly enough...)

> Probably some switch inside this monitor was driven crazy by very
> rapid video mode changes caused by a BIOS incompatibility problem.

> So software can be really hardware destructive (IMHO).

No, the example you gave means only that hardware can be really buggy
- just like software... :-)

I've seen several other messages of the form "once something like that
happened to me" or "I've been told that it's possible to do it that
way". Sorry, but I don't believe that. Just as I don't believe that a
particular virus exists until I have a copy of it, I won't believe
that it is possible to destroy hardware (I mean a contemporary,
working hardware, not ancient buggy one) in software. If anybody wants
to convince me of the opposite, they must send me a particular program
that does it. We have enough test systems here, so we'll be able to
try it. Until I see such a program (and that it actually works), I'll
continue to claim that hardware damage in software is not possible.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 03 May 93 13:38:09 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can a virus infect NOVELL? (PC)

GSCOBIE@ml0.ucs.edinburgh.ac.uk (Garry J Scobie Ext 3360) writes:

> Indeed below 3.11 all that is needed is to enable intruder detection
> and knock.exe will lockout the account straightaway.

No, it is not! Even if you enable intruder detection, it is possible
to use the method used by the KNOCK program to crack into an account -
and the logs show nothing! This is described in an addendum of the
November issues of "Virus News International", I think.

> However, accepting the supervisor issue, it is possible to infect a
> volume where all user accounts have been set to read and filescan
> permission only, on a 3.11 novell server?

It depends... <grin> On 3.11 one could try the method used by the
program HACK to spoof a user who is currently logged in. If this user
has supervisor rights... well you get it. However, supposing that no
user with supervisor rights is logged in, I cannot figure out a way to
spread an infection across the user accounts.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    10 May 93 07:18:29 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Anti-virus planning (PC)

Thus spake villas@ax.apc.org:

>      a) Let's have one workstation assigned only for virus detection and
>         cleaning. As users come into our site, they would be led to this
>	 workstation to have their diskettes checked for virus.

Nothing wrong with this. If you can get a Flash-RAM board set up to be
bootable, and install your a-v software there too, then you need not 
worry about anybody subverting a clean boot [unless they open up the
PC], nor need you worry about your a-v modules getting infected. That
would be ideal: a PC that basically boots from firmware and does nothing
but offer to scan discs.

Paint it red and put it next to the coffee machine. Your delegates are
then unlikely to miss it..

>      b) Each time a new user uses a workstation, as soon as he logs into
>         the server (automatically), we would check the workstation for
>	 virus. If it is infected, we would clean or "rebuild" it from the
>	 server, in order not to have an user diskette infecting another
>	 user's one.

The problem here is that you'd be breaking a basic rule of virus clean-up:
Boot From a Clean DOS Floppy. Whilst some (indeed many) viruses can be
cleaned up without a clean boot, others may delude you into believing they're
gone when they're not. IMO, whilst you might want to handle the reporting
of infected workstations automatically, you should arrange for your tech
support gurus (aka Emergency Response Team) to handle clean-ups manually.

>   We thought of using a TSR virus scanner, but I'm a bit worried of having
>   it together with the LAN communications TSRs.

A TSR virus scanner would be great. "On demand" scanners can help tremendously.
For instance, if delegates stick in floppies and try to run infected
programs, they won't just be alerted to the virus -- the virus will be
prevented from actuating. LAN coexistence won't be a problem.

I also suggest that if the PCs you're using as workstations permit their
boot sequence to be altered to inhibit floppy boot-up that you utilise
this "feature" to help suppress boot sector viruses. This won't stop someone
who wants to infect a PC from doing so maliciously, but it will help
stop accidents.

Lastly, I'd suggest that you don't use any "active monitor" a-v software.
Active monitors are resident utilities (also known as "behaviour blockers")
which watch for apparently virus-like behaviour and attempt to prevent it.
I think you'll find that the false alarms will probably waste your tech
support people's time -- and possibly focus attention on viruses, to the
exclusion of other PC issues.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Mon, 10 May 93 11:38:57 -0800
From:    a_rubin%dsg4.dse.beckman.com@biivax.dp.beckman.com
Subject: Re: Copyright of Virus Signatures (PC)

dudleyh@redgum.ucnv.edu.au (Dudley Horque) writes:
...

>Secondly, you cannot, indeed, copyright the letter A, but you can
>copyright a certain design of the letter A. Fonts (both computerised and
>otherwise) are subject to copyright.

I thought fonts were specifically not subject to copyright in the US.
- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date:    Mon, 10 May 93 16:07:09 -0400
From:    lyaa270@emx.cc.utexas.edu (Michael Bannister)
Subject: novi says infected mcafee says not? (PC)

Hi,

I just installed Borland's Turbo C++ for Windows.  When Novi runs it
says the C++ exe file is infected with Plastique.  It cannot remove
it.  However, McAfee's scan does not detect the virus.  Not
surprisingly, clean won't remove the virus.  Vsum says that both Novi
and Scan will detect Plastique.

Could someone enlighten me about what this means and what I should do.

Thanks in advance
Michael
lyaa270@emx.cc.utexas.edu

------------------------------

Date:    Tue, 11 May 93 06:17:45 -0400
From:    v922340@laqueur.si.hhs.nl (Ivar Snaaijer)
Subject: Re: MSAV and text-files (PC)

frisk@complex.is (Fridrik Skulason) writes:
|> v922340@herzberg.si.hhs.nl (Ivar Snaaijer) writes:
|> > [ ... ]
|> 
|> [ ... ]
|> 
|> The most common methods to select which files to infect are:
|> 
|>    1) Select files with .COM and/or .EXE extensions
|> 
|>    2) Select files that are loaded/executed with INT 21H, function 4BH.

all kinds of overlays ...
the manual of TBAV also states something like that. (you probably know that one)

|> >How can a non-executable be a threat to you ?
|> 
|> It cannot - not unless you rename it and run.  However, a much more serious
|> problem is that some viruses *corrupt* datafiles - 

That's what I thought. (feared).

|> >another thing about MS (CP) AV is that by default it scans ALL files on disk.
|> >(this takes a lot of time on a 213Mb HDD). Is this really necessary or
|> >is heuristic scanning stupid ? ....
|> 
|> Uh, I don't understand what you mean...CPAV/MSAV does not do any heuristic
|> scanning at all.

it was more a sarcastic remark, but I still don't understand why people like
Central Point and Symantec can't come up with a decent scanning program.
I think they're just afraid of the people that question them if there is a false
positive, so they make sure this doesn't happen. :-(  . (except for the Amoeba
in PKZIP 2.04c  ... )

|> 
|> One note about MSAV - The May 93 Virus Bulletin just reviewed it - and one
|> interesting observation is that it performed much worse than the CPAV scanner
|> which was tested in January - missed more than twice as many viruses from
|> the "small" set.

You can't make a good scanner out of a not-so-good one by deleting some features.

Ivar.
- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 77]
*****************************************
