To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #98
--------
VIRUS-L Digest   Monday, 28 Jun 1993    Volume 6 : Issue 98

Today's Topics:

WARNING: Telemate 411 Virus (PC)
More fun and games from Central Point....
MSDOS 6 Vsafe False Reports (PC)
LRICK Virus? Help! (PC)
PC: Stoned (Standard) and F-Prot (PC)
compromise in PC protection. (was CPAV updates? (PC))
VIRSCAN.DAT maintenance (PC)
Reading the volume serial number from a disk (PC)
Campana Virus (PC)
S.H.R.A.K. (PC)
Re: Are there any viruses known that McAffee can't detect? (PC)
Re: Where are the newest NAV virus definitions? (PC)
McAfee VIRUSCAN V106 uploaded to SIMTEL20 and OAK (PC)
I-M151.ZIP - Integrity Master data integrity/anti-virus sys
Philosophy
Scanners (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 27 Jun 93 01:49:31 -0400
From:    Eric.Poole@leotech.mv.com (Eric Poole)
Subject: WARNING: Telemate 411 Virus (PC)

The following notice was received today at The New England
Technology Information Service:

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

* IMPORTANT: PLEASE READ THE FOLLOWING CAREFULLY
   ---------------------------------------------

I was informed that the self-extract VESA.EXE in TM411-4.ZIP
contains two virus-infected VESA drivers:

    OAK\37VESA.COM
    OAK\67VESA.COM

They can be detected by F-PROT.

If you have them in your directories, please erase them
immediately. This is the only known method to remove the
virus. I shall post further details as soon as I receive
more information from the author of F-PROT.

There is no virus inside Telemate and GIFLink. Only the two
VESA drivers are infected.

As a result, I removed those drivers and uploaded TM411-4A.ZIP
to our support BBSs, distribution sites, EXEC-PC and
Channel-1, with the following description:

TELEMATE 4.11a, Powerful comm program, 4 of 4 This new part
4 of 4 contains a bug-fixed GIFLink. It also removes the
virus-infected VESA drivers OAK\37VESA.COM and
OAK\67VESA.COM from the self-extract VESA.EXE. Please remove
TM411-4.ZIP from your BBS and use this clean TM411-4A.ZIP.

Please help to spread this message and STOP distributing
TM411-4.ZIP. Thank you very much.

The clean TM411-4A.ZIP should contain the following files:

Searching ZIP: TM411-4A.ZIP

 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
   2162  DeflatX    875  60%  06-23-93  01:12  e98f610b --w-  README.TXT
  58946  DeflatX  14701  76%  06-23-93  01:12  acf20559 --w-  GIFLINK.DOC
  89076  DeflatX  87999   2%  06-23-93  01:12  4b3c6fa3 --w-  GIFLINK.EXE
  50686  Stored   50686   0%  06-23-93  01:12  a3f909ee --w-  GIFLINK.GIF
   1773  DeflatX    897  50%  06-23-93  01:12  f3cfcd80 --w-  VESA.TXT
  93029  DeflatX  92847   1%  06-23-93  01:12  1b83ef92 --w-  VESA.EXE
   1019  DeflatX    579  44%  06-23-93  01:12  4e0b280d --w-  VENDOR.DOC
    290  DeflatX    241  17%  06-23-93  04:11  715ecbe6 --w-  FILE_ID.DIZ
 ------          ------  ---                                  -------
 296981          248825  17%                                        8

Winfred Hu
Author of Telemate

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

 * Origin: NETIS (603)432-2517/432-0922 (HST/V32) (1:132/189)

------------------------------

Date:    Fri, 25 Jun 93 15:40:31 -0400
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: More fun and games from Central Point....

  Central Point seems determined to cut off their nose to spite 
their face. From an article in _Communications Week_, 6/21/93:

[Tori Case, a manager at Central Point Software, Inc.]
  "We need to send a very clear message to the perpetrators of
computer crimes: writing and intentionally distributing viruses
is illegal, and those who do so will go to jail."

  I wonder if Ms. Case realizes that this would make it illegal for
a person to send them a sample ("intentionally distributing") of
an infected program for analysis (not to mention sending one to
other companies as well). Not real good for business, IMHO.

  McAfee disparages part of the problem as being "these hackers [who]
collect and trade viruses like baseball cards". I guess he doesn't
want customers to be able to validate his software, since that's
the reason we keep a few around here (and don't bother asking for
copies, we don't even distribute them within the company). Wonder 
what penalties he wants to assess for possession of a virus? 10 years
in the federal penitentary? A court order to use nothing but SCAN?
Forfeiture of the possessors' computer?

  It's amazing how some people in this industry lose touch with 
reality so easily...

- -- 
Gary Heston    SCI Systems, Inc.  gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Hestons' First Law: I qualify virtually everything I say.

------------------------------

Date:    Thu, 24 Jun 93 09:07:16 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MSDOS 6 Vsafe False Reports (PC)

From:    q8520533@helios.usq.edu.au (kevin davies)

>I have a friend who installed MSDOS 6.0 on his computer and we ended
>up with Vsafe giving SCAN 104 false virus detection in the top of 1MB
>memory.  When we changed the options in VSafe the virus type changed
>as well.  Interesting.... The virus was reported in the 1088 KB region
>of memory.

This is a rather old problem and it usually is the result of having 
used a BSI infected floppy (even though the PC did not become infected)
immediately previously. This leaves the virus code in the boot record 
buffer (in low memory) and this disconnected code is what SCAN detects. 
That SCAN does not report the detected virus until the SCAN is complete 
(so it looks as if it is in high memory) has also been documented.

Incidentally, v105 is the current version (haven't checked for this yet though).

					Warmly,
						Padgett

------------------------------

Date:    24 Jun 93 09:18:59 -0500
From:    tims@bvc.edu
Subject: LRICK Virus? Help! (PC)

Can anyone tell me about the LRICK virus? A colleague of mine just bought a 
Compaq laptop and somehow managed to find this virus at startup. I am a 
Macintosh consultant, but I claim no specific knowledge of the mysterious 
DOS world. His machine is a 4/120 configuration and is running DOS 6.0 and 
Windows. He DOES have MS Anti-Virus, but obviously, it needs to be updated. 
Is there anywhere one of us can download information or an update for MS 
Anti-Virus? Or is there a known fix he could try?

Thanks for any suggestions,

TIM
...
TIM SEYDEL/TIMS@BVC.EDU
BUENA VISTA COLLEGE/STORM LAKE/IOWA

.../  TIM SEYDEL > TIMS@BVC.EDU
..//  Assistant Director - College Relations
.///  Managing Editor - Buena Vista Today magazine
////  BUENA VISTA COLLEGE > STORM LAKE > IOWA

------------------------------

Date:    Thu, 24 Jun 93 16:45:30 +0000
From:    Eriq Oliver Neale <neale@unt.edu>
Subject: PC: Stoned (Standard) and F-Prot (PC)

I just encountered a disk which F-Prot 2.08a identified as having
Stoned (Standard), and promptly refused to disinfect it. Is this a
new strain of Stoned that hasn't been fully examined yet, or is 
this a problem that I've not seen encountered here yet?

We were, of course, able to disinfect via other means, but if 
we've got a new strain of Stoned out there, I need to let my 
colleagues know about it quickly.

Thanks for an e-mail response.

- -Q

 Eriq O. Neale                              BITNET : LIPS@UNTVAX
 Lab/Network Manager                      Internet : neale@acs.unt.edu
 Academic Computing Services                   FAX : (817) 565-4060
 University of North Texas                 Ma Bell : (817) 565-2324
"If I got paid for what I say, I'd either be very rich or very quiet!"

------------------------------

Date:    Wed, 16 Jun 93 10:27:01 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: compromise in PC protection. (was CPAV updates? (PC))

I wrote:

 >> I am not justifying __Safe, but you must make some
 >> kind of compromise if you want this kind of on-line
 >> protection.

Amir Netiv replied:

 > True. Life is one big compromise all together, but still there are
 > compromises and there are COMPROMISES... I mean you don't have to
 > swallow an aspirin every hour all your life due to a toothache just to
 > keep your teeth in place, sometimes a simple treatment will solve the
 > problem for good. In other words: There are MUCH better choices than
 > ?safe to protect your PC and stay alive.

 > ?safe is your everyday pill in my opinion. I'd much rather recommend any
 > other TSR than this, including Vshield. The reason is that ?safe chains
 > to the timer interrupt and performs a periodic test. This is an
 > interesting idea, but also a harmful one.

Then I gather that by classifying ?safe as a 'daily pill', you almost 
completely disqualify on-line protections... Note that I say almost, because 
some DO serve their purposes.

I wrote:

 >> In my opinion, if you keep yourself a rescue diskette
 >> with, say, your MBR, Boot Sector and other important
 >> stuff, you may as well skip BootSafe,

Amir:

 > ...
 > And a frequent backup, and all other things that people usually do not
 > do!

When I got my 200Mb, it took me exactly 4 seconds to understand that backing 
that up on disks is hopeless... So I got myself a Colorado 60/120 Backup Tape,
and as far as I am concerned now, my harddisks can fry for as long as they 
like, PROVIDED I have the most recent backup with me.

One of my biggest fears ever, was not losing my computer. (as opposed to what 
everyone thinks :-) ). My fear was losing all my sources and programs. What I 
didn't write, someone else has. What I wrote, either one of the commercials or 
not, no one else might have, and it would be exceptionally hard to restore it, 
so now, when I've got that backed up, I worry less...

 > However I was not talking about Bootsafe but rather Tsafe or Vsafe!

Well, BootSafe is also a nuisance. I have long boots, even though mine is one 
of them, but not because of SAFEs.

Amir:

 > No it won't! if you chain to int 21h and check programs before they are
 > executed (4Bh etc...) it will increase the response time (from request
 > to execution) of the program but not the overall performance of the PC.

This is what I meant. Sorry. I know it doesn't hook the timer or something, 
but it does take longer to execute stuff.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Fri, 25 Jun 93 06:57:19 -0400
From:    TSPIGP@RBKC.DEMON.CO.UK
Subject: VIRSCAN.DAT maintenance (PC)

Is anyone maintaining the VIRSCAN.DAT signature file now that Jan
Terpstra is no longer doing it ? Where is the latest version of the
file kept nowadays ?

Cheers,

Ian

+----------------------------------------------------------------------+
! Ian Pleasance, Systems Programmer,                                   !
! The Royal Borough of Kensington & Chelsea, (44) 71 937 5464 x2034    !
! tspigp@rbkc.demon.co.uk (Preferably) or rbkc@cix.compulink.co.uk     !
+----------------------------------------------------------------------+

------------------------------

Date:    Fri, 25 Jun 93 11:34:51 -0400
From:    smtplink%Ted_E_Davis_at_UMR-MAEM-PO1@Ext.missouri.edu
Subject: Reading the volume serial number from a disk (PC)

Charles Howes writes on the Subject: Reading the volume serial number 
from a disk (PC)

> Does anybody know of a dos call that returns the volume serial number from
> a floppy or hard disk?  Or has another way to do it?

 I have used three ways:
        1 - For DOS 4 and up, INT 21 (hex), function 69 (hex)
        2 - Read the boot sector directly
        3 - SHELL a VOL command, with redirection to a file, then
            read and delete the file.

Int 21, function 69 is called with:
(all numbers are HEX)
        AH = 69         ; function
        AL = 00         ; subfunction (GET SERIAL NUMBER)
        BL = drive      ; 0 = default, 1 = A, etc.
        DS:DX = pointer to disk info structure

Disk info structure:
        Offset  Size            Content
        00      WORD            info level (zero)
        02      DWORD           disk serial number in binary
        06      11 bytes        volume label
        11      8 bytes         string "FAT12" or "FAT16"

Since you are using a flavor of BASIC, the third option may be the
only one that is usable.  Ugly, but workable.  I seem to remember that
there is something else to it, though.  "COMMAND /c VOL > foo.foo" ?
something like that.  Sorry I didn't have time to test, but a *PANIC*
has just been declared.

T.E.D.
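As an added example (not from the digest or from T.E.D.'s post), the Python below decodes a volume serial number by each of the three routes listed above: the INT 21h/69h structure using the offsets given in the post, the extended BIOS Parameter Block of a FAT12/FAT16 boot sector (offsets 0x26 to 0x3E are assumed from the FAT on-disk format, the post does not give them), and the text printed by a redirected VOL command. All byte strings and the VOL output are constructed sample data.

```python
"""Added example, not part of the digest or of T.E.D.'s post: decode a DOS volume
serial number by each of the three routes described above.  All byte strings and
VOL output below are constructed sample data, not real disk dumps."""
import re
import struct
from typing import Optional

# --- Route 1: the structure filled by INT 21h, AH=69h, AL=00h ----------------
# Offsets from the post are hex: 00 WORD info level, 02 DWORD serial,
# 06 11-byte volume label, 11 (= 17 decimal) 8-byte "FAT12"/"FAT16" string.
INFO_STRUCT_SIZE = 0x19  # 25 bytes in total


def parse_int21_69_info(buf: bytes) -> dict:
    """Decode the GET SERIAL NUMBER structure returned by INT 21h/69h."""
    if len(buf) < INFO_STRUCT_SIZE:
        raise ValueError("disk info structure must be at least 0x19 bytes")
    level, serial = struct.unpack_from("<HI", buf, 0x00)
    label = buf[0x06:0x11].decode("ascii", "replace").rstrip()
    fstype = buf[0x11:0x19].decode("ascii", "replace").rstrip()
    return {"level": level, "serial": serial, "label": label, "fstype": fstype}


# --- Route 2: read the boot sector directly -----------------------------------
# Offsets of the DOS 4+ extended BIOS Parameter Block (assumed here from the
# FAT on-disk format; the post does not list them): 0x26 extended boot
# signature (0x29 = serial, label and FS type present; 0x28 = serial only),
# 0x27 DWORD serial, 0x2B 11-byte label, 0x36 8-byte FS type.
def parse_fat_boot_sector(sector: bytes) -> dict:
    """Extract the serial (plus label/type when present) from a FAT12/16 boot sector."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot-sector signature")
    ext_sig = sector[0x26]
    if ext_sig not in (0x28, 0x29):
        # Pre-DOS 4 boot sectors carry no serial number at all.
        raise ValueError("no extended BPB: this volume has no serial number")
    (serial,) = struct.unpack_from("<I", sector, 0x27)
    info = {"serial": serial, "label": None, "fstype": None}
    if ext_sig == 0x29:
        info["label"] = sector[0x2B:0x36].decode("ascii", "replace").rstrip()
        info["fstype"] = sector[0x36:0x3E].decode("ascii", "replace").rstrip()
    return info


# --- Route 3: shell out to VOL and parse its redirected output ----------------
VOL_RE = re.compile(r"Volume Serial Number is ([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})")


def parse_vol_output(text: str) -> Optional[int]:
    """Recover the serial from 'COMMAND /C VOL > file' output; None if absent."""
    m = VOL_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1), 16) << 16) | int(m.group(2), 16)


def format_serial(serial: int) -> str:
    """Render a 32-bit serial the way VOL prints it: high word, hyphen, low word."""
    return f"{(serial >> 16) & 0xFFFF:04X}-{serial & 0xFFFF:04X}"


# --- Constructed sample data ----------------------------------------------------
SAMPLE_SERIAL = 0x1234ABCD
SAMPLE_INFO = struct.pack("<HI", 0, SAMPLE_SERIAL) + b"TELEMATE   " + b"FAT16   "
SAMPLE_VOL_OUTPUT = " Volume in drive C is TELEMATE\n Volume Serial Number is 1234-ABCD\n"


def build_sample_boot_sector(ext_sig: int = 0x29) -> bytes:
    """Build a minimal constructed FAT16 boot sector carrying SAMPLE_SERIAL."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"              # JMP SHORT + NOP, as real boot code starts
    sec[3:11] = b"MSDOS5.0"                 # OEM name
    struct.pack_into("<H", sec, 0x0B, 512)  # bytes per sector
    sec[0x26] = ext_sig
    struct.pack_into("<I", sec, 0x27, SAMPLE_SERIAL)
    sec[0x2B:0x36] = b"TELEMATE   "
    sec[0x36:0x3E] = b"FAT16   "
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def serials_agree(info_buf: bytes, sector: bytes, vol_text: str) -> bool:
    """True when all three routes report the same serial for one volume."""
    a = parse_int21_69_info(info_buf)["serial"]
    b = parse_fat_boot_sector(sector)["serial"]
    c = parse_vol_output(vol_text)
    return a == b == c


if __name__ == "__main__":
    print(format_serial(parse_int21_69_info(SAMPLE_INFO)["serial"]))   # 1234-ABCD
    print(serials_agree(SAMPLE_INFO, build_sample_boot_sector(), SAMPLE_VOL_OUTPUT))
```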

------------------------------

Date:    Fri, 25 Jun 93 16:43:09 -0400
From:    Jahed Sukhun <a2js@loki.cc.pdx.edu>
Subject: Campana Virus (PC)

I am using F-PROT 2.08a, and have the campana virus, and F-PROT
can't clean my hard disk nor a floppy disk.

Any suggestions?

Thank you.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jahed Sukhun, User Support Analyst    +    a2js@loki.cc.pdx.edu +
                                      +                         +
Portland State University             +    (503) 725-3112       + 
Office of Information Systems         +                         +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

Date:    Fri, 25 Jun 93 17:00:50 -0400
From:    janssen@cpu.nl
Subject: S.H.R.A.K. (PC)

Hello everybody,

Recently we have been observing peculiar things here in the Netherlands:

A company called S.H.A.R.K. (Sales department of A.S.S.a.S. ??) is sending
so-called 'viruses' to clients-to-be. The files in question are TPE-GEN.COM
and CRYPGEN.COM.

TPE-GEN.COM is supposed to produce 50 TPE viruses when run. CRYPGEN.COM
should produce 200 MTE viruses.

My analyses showed the files were non-replicating, thus not real live
viruses. They even do not look like TPE or MTE viruses.

None of the current Anti-Virus packages detect all the so-called infected
files 100%, except for TBAV.

With the disk goes a copy of P.C.M. (a Dutch computer magazine) of a test
of several anti-virus packages. It seems this test was taken to court by
Data Alert (Dutch S&S representative) a few months ago.

The court's verdict left the test invalid, as the viruses were considered
not real, according to Alan Solomon who talked about this at one of his
dealer meetings I attended some time ago here in the Netherlands.

What I would like to know from you, the Anti-Virus Community, is whether
you appreciate this way of promoting one's software.

The files in question will be provided to 'certified' researchers at first
request. Please send an email to <Janssen@cpu.nl>.

With regards,

Fred Janssen
CPU, The Netherlands
Authorised Agent of McAfee Associates

------------------------------

Date:    Sat, 26 Jun 93 07:27:30 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Are there any viruses known that McAffee can't detect? (PC)

mgt@willard.atl.ga.us writes:

>Are there any viruses known that McAffee can't detect, and if there are
>any, what are the signs?

Even though the question was about McAfee's SCAN, the answer applies to all
other scanners as well.

There are always viruses any given scanner will not detect.  This can be
because the scanner is out of date, the programmers do not have a copy of
the virus, or because they have been unable to come up with a reliable
detection method.

I guess that no scanner ever detects more than 95% of the viruses that are
going around - and some well-known scanners get a lot less.

With well over 2000 viruses now in existence, getting 95% still means that you 
will miss over 100 different viruses - usually only very new, rare or difficult
ones.

All scanners miss viruses, which may be detected by other scanners. For example
SCAN 105beta misses Alex.818, Itti.Toxic and Leprosy.Crawler. FindVirus 6.3
misses Cascade 1704.N, Dark_Avenger.1693 and Zherkov.2435.  My own F-PROT 2.08a
misses Abbas, Plagiarist and Sandra. In all cases the missing viruses are
detected by both of the other scanners.

However, the scanners will be updated to detect those new viruses, and all the
examples given above will probably be detected by all the scanners very soon -
but other new viruses will just appear instead.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Sat, 26 Jun 93 18:47:34 -0400
From:    "Jimmy Kuo" <cjkuo@symantec.com>
Subject: Re: Where are the newest NAV virus definitions? (PC)

Lucas Dambergs writes:
>Basically, I want to know where I can find the newest virus
>definitions for Norton Antivirus.  I used to get them from Compuserve,
>but it costs too much.

I'd like to clarify that it's free on Compuserve.  Whatever costs are
the incidental Compuserve costs.  You can also get the updates by
calling Symantec's BBS.  You can find the number in your NAV manual.

For ftp of NAV updates:

Vesselin wrote in DIGEST #082:

>They [CPAV updates] are available from our anonymous ftp site, with the
>permission of Central Point Software. The full reference is

>ftp.informatik.uni-hamburg.de:/pub/virus/progs/cpav_upd.zip

>The updates for NAV 2.0 and 2.1 are also there.
 [with permission of Symantec]

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Sun, 27 Jun 93 12:31:08 -0400
From:    aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VIRUSCAN V106 uploaded to SIMTEL20 and OAK (PC)

I have uploaded to WSMR-SIMTEL20.ARMY.MIL and OAK.Oakland.Edu:

pd1:<msdos.virus>
SCANV106.ZIP    Scans PC's and LAN's for computer viruses
CLEAN106.ZIP    Removes (disinfects) viruses from PC's and LAN's
VSHLD106.ZIP    Memory-resident virus-prevention program (TSR)
WSCAN106.ZIP    Windows 3.x version of SCAN (included)
LANGV106.ZIP    Foreign language modules for SCAN and CLEAN

WHAT'S NEW

     Version 106 of the VIRUSCAN (SCAN, CLEAN, VSHIELD, and WSCAN)
programs has been released.  These replace V105, which was NOT
released on the Internet, but was available from our BBS and other
venues.  This release (V106) adds 319 viruses since V104, bringing
the total number of known viruses scanned for to 1,453, or counting
variants, 2,146.

VIRUSCAN

     SCAN now detects all known iterations of the Tremor virus.
The /MAINT (scan master boot record and boot sector of a non-DOS
or damaged disk) and /UNATTEND (scan multiuser or multitasking
system) switches have been made default options.  SCAN will check for
these cases and automatically run itself with these options.  The
actual switches have been left in the program so that users will
not have to update their .BAT file or shell programs.

CLEAN-UP

     CLEAN now has removers for the 2878, ExeBug1, ExeBug2, Green
Caterpillar, and Paradise viruses.  CLEAN also recognizes a variant
of the ExeBug1 virus that was sent to us from France.

VSHIELD

     The incompatibility between VSHIELD, SHARE, and Windows is
fixed.  Additionally, the documentation of the /SWAP option, the
/WINDOWS option, and the CHKSHLD option has been improved (which
should help me receive fewer support calls :-).
     Also, CHKSHLD now tells what options VSHIELD was run with.

FOREIGN LANGUAGE FILES

     Foreign language files are now available in the following
languages:  Bulgarian, Catalan, Danish, Dutch, Finnish, French,
Gallego, German (2 files--I'm not sure what the difference is),
Hungarian, Italian, Portuguese, Spanish (both European and South
American),  Swedish, and Swiss-German.
     Foreign language support for other languages can be demanded
from your local McAfee Associates agent (agents are, as you may
have guessed, responsible for translations).
     There are no plans for a Latin message file, as Latin is
not commonly used in everyday computing.

OS/2 PROGRAMS

     The OS/2 versions of VIRUSCAN and CLEAN-UP are available by
anonymous ftp from the mcafee.com site (IP# 192.187.128.1) in the
pub/antivirus directory.

VALIDATE VALUES FOR V106:

CHECKSHIELD 0.4 (CHKSHLD.EXE)       S:8,171    D:06-09-93   M1: 26EB  M2: 1393
CLEAN FOR OS/2 V106 (OS2CLEAN.EXE)  S:292,544  D:06-22-93   M1: FF11  M2: 033B
CLEAN-UP 9.17V106 (CLEAN.EXE)       S:166,248  D:06-22-93   M1: C495  M2: 1FCC
LANGUAGE 9.17 (bulgaria.msg)        S:12,208   D:06-24-93   M1: E150  M2: 15EA
LANGUAGE 9.17 (catalan.msg)         S:16,446   D:06-24-93   M1: 438B  M2: 00DA
LANGUAGE 9.17 (danish.msg)          S:15,832   D:06-24-93   M1: 238C  M2: 185C
LANGUAGE 9.17 (dutch.msg)           S:16,588   D:06-24-93   M1: 7FA7  M2: 1AAD
LANGUAGE 9.17 (finnish.msg)         S:15,771   D:06-24-93   M1: 5A42  M2: 01F8
LANGUAGE 9.17 (french.msg)          S:16,090   D:06-24-93   M1: 9AC5  M2: 09E8
LANGUAGE 9.17 (gallego.msg)         S:16,551   D:06-24-93   M1: D233  M2: 0A81
LANGUAGE 9.17 (german1.msg)         S:17,214   D:06-24-93   M1: 1C4E  M2: 0A6E
LANGUAGE 9.17 (german2.msg)         S:17,212   D:06-24-93   M1: 01ED  M2: 0AA4
LANGUAGE 9.17 (hungaria.msg)        S:15,708   D:06-24-93   M1: 82FB  M2: 1C0C
LANGUAGE 9.17 (italian.msg)         S:16,576   D:06-24-93   M1: 4042  M2: 101E
LANGUAGE 9.17 (portugse.msg)        S:17,071   D:06-24-93   M1: FD7D  M2: 0B50
LANGUAGE 9.17 (spanish.msg)         S:17,045   D:06-24-93   M1: 1F82  M2: 0106
LANGUAGE 9.17 (span_sa.msg)         S:16,275   D:06-24-93   M1: B76A  M2: 0665
LANGUAGE 9.17 (swedish.msg)         S:15,892   D:06-24-93   M1: 9397  M2: 1276
LANGUAGE 9.17 (swger.msg)           S:17,846   D:06-24-93   M1: 640A  M2: 0453
SCAN FOR OS/2 9.17V106 (OS2SCAN.EXE)S:220,064  D:06-22-93   M1: 4A1B  M2: 0C8F
SCAN FOR WINDOWS 106 (WINSTALL.EXE) S:19,606   D:06-22-93   M1: 84A5  M2: 02FD
SCAN FOR WINDOWS 106 (WSCAN106.EXE) S:76,882   D:06-22-93   M1: 8BDD  M2: 111B
VALIDATE for OS/2 (OS2VAL.EXE)      S:37,168   D:01-20-93   M1: 2BC1  M2: 01CA
VALIDATE V04 (VALIDATE.COM)         S:12,197   D:03-24-92   M1: D5BB  M2: 166F
VIRUSCAN SCAN 9.17V106 (SCAN.EXE)   S:138,558  D:06-22-93   M1: F886  M2: 02C1
VSHIELD 5.42V106 (VSHIELD.EXE)      S:47,665   D:06-22-93   M1: 9E98  M2: 086B

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE

------------------------------

Date:    Sat, 26 Jun 93 18:17:45 -0400
From:    krvw@agarne.ims.disa.mil (Kenneth R. van Wyk)
Subject: I-M151.ZIP - Integrity Master data integrity/anti-virus sys

I have uploaded to WSMR-SIMTEL20.ARMY.MIL and OAK.Oakland.Edu:

pd1:<msdos.virus>
I-M151.ZIP      Integrity Master data integrity/anti-virus sys

This is version 1.51b of Wolfgang Stiller's Integrity Master program.
I received it on diskette from the author.

Quoting from the author's description:

Integrity Master(tm) is a high performance (100% assembler) program
offering virus protection, data integrity, security and change
management all in one package.  It detects hardware glitches, software
bugs, and even deliberate sabotage to your data.  If a virus strikes,
Integrity Master identifies it by name and also identifies any damage
caused by the virus.  It will also detect new and unknown viruses.

- - -
Ken van Wyk
krvw@agarne.ims.disa.mil

------------------------------

Date:    Sat, 26 Jun 93 11:34:38 -0400
From:    "Padgett Peterson" <padgett@tccslr.dnet.mmc.com>
Subject: Philosophy

                 Viruses and the art of Cybernetic Psychophysics
        
                   Padgett (padgett@tccslr.dnet.mmc.com)
                         standard disclaimers apply
        
        Once again I have seen the bleating of little minds clamoring for 
        virus code. People rising up in the defense of Kim Clancy and the 
        "underground" areas of her BBS. Children crying out "Show us your 
        Viruses".
        
        Kim  claimed to be filling the need for "freedom of  information" 
        but  wanted  no  responsibility  & was guilty  of  the  two  most 
        heinous  sins  one  can commit in  Washington:  "Thou  shalt  not 
        surprise  the administration." and "Thou shalt not embarrass  the 
        administration."
        
        It  was inevitable from the time that the Europeans noticed  what 
        was   on  the  "Department  of  Public  Debt"   bulletin   board. 
        Unrestricted.  Without  any tracing. True, the  same  things  are 
        found  on many private BBSes in this country as  elsewhere,  here 
        there  are  no laws prohibiting dissemination of virus  code  but 
        none the less, IMHO such code can be dangerous.
        
        Viruses  are an attractive nuisance. *ALL* create damage on  some 
        platforms and this is inherently unavoidable. *ALL* take time and 
        effort  to remove, usually much more effort than went into  their 
        creation.  
        
        Further  *ALL* are easily detected by anyone who looks but  items 
        one and two are why I do not release viral code or discuss  virii 
        with  anyone I do not personally know to be capable  of  handling 
        them properly and "mature" enough to share my views on them.
        
        In  Florida it is not a crime to possess firearms. It is a  crime 
        to  permit  one to fall into the hands of a  juvenile  if  injury 
        ensues unless "due care" can be proven. It is my right to  decide 
        to use what I consider "due care" with viral code.
        
        I  also  believe  that what makes a virus  a  virus  is  trivial. 
        Replication  is easy and only takes a few bytes of code  (usually 
        viral authors even skimp on this and damage ensues). 
        
        In  the last year I have only seen two  "interesting"  techniques 
        show  up  in viruses and they did not have to be  viruses  to  be 
        interesting. One was the CMOS manipulation used by the EXEBUG and 
        represents a technique that might well be able to be used on some 
        AT class machines to avoid accidental cold-boots from floppy.
        
        Neither involves mutating engines nor is such an engine likely to 
        be any more advanced than that shown  by Mark Washburn's V-series
        (also  easy to detect but can be very difficult to remove  -  see 
        item number two again).
        
        In  each  case I have experienced, people asking for  virus  code 
        have  shown not the least level of expertise that would  indicate 
        that  they are capable of understanding what the code does. I  am 
        often  reminded  of  Picasso's  requirement  that  a  prospective 
        student  paint  a  perfectly realistic  flower  before  he  would 
        consider  teaching  his  style. One must master  the  art  before 
        creating it.
        
        The  difficult  part about writing code at the BIOS level  is  in 
        knowing  what  cannot  be done: you  must  first  understand  the 
        envelope before you can exist within it.
        
        For  instance,  several others and myself have for years  used  a 
        CMOS  manipulation  to "hide" the hard disk  while  experimenting 
        with viruses or to safeguard a setup during demonstration. I have 
        "skeleton" code that does this for me that works on most machines 
        but would be disastrous to use on a PS/2. It's what you don't see 
        that gets you (IWYDSTGY).
        
        As another example, the writer of the Michelangelo had  evidently 
        never  heard of 3 1/2" floppy disks and "assumed" (you know  what 
        that  means)  that  anything not a 360k must be  a  1.2  Mb  with 
        predictable  results. Meanwhile students of the  literature  knew 
        several years earlier how to handle these. At least the  original 
        STONED  author  included validation code that  would  not  infect 
        anything other than a 360k - he was not aware of the early  FDISK 
        format however & did not consider the possibility of UNIX on a PC
        so the resulting "awsh*t" takes away the "attaboy".
        
        Or  consider the BRAIN, the first "stealth" virus. "Stealth"  not 
        because  it was trying to hide, but "Stealth" because  the  disks 
        would be unbootable otherwise.
        
        Repeatedly  people  have  asked me about viral  source  code  and 
        turned away churlishly when I suggest that they read the works of 
        Ray  Duncan,  Leo Scanlon, Ralf Brown, Terry Dettmann,  and  Neil 
        Colvin first.
        
        I do not take students but should this change, I would say "First 
        write  a perfect MBR with the minimum number of  bytes  necessary 
        for  use  with MS/PC-DOS 2.0-6.0 and useful with  both  8088  and 
        Pentium CPUs. Explain."
        
                                                Warmly,
        
                                                     Padgett
        
        ps  You  do not drive my Judge before *I* know you can  handle  a
            400+ HP four-speed either.

------------------------------

Date:    Fri, 25 Jun 93 15:38:58 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Scanners (CVP)

PRTAVSE.CVP   930625
 
                             Scanners
 
Scanning software is, paradoxically, the least protective and
historically most useful of anti-viral software.  These programs
examine files, boot sectors and/or memory for evidence of viral
infection.  They generally look for viral "signatures", sections of
program code that are known to be in specific viri but not in most
other programs.  Because of this, scanning software will generally
only detect "known" viri, and must be updated regularly.  Some
scanning software has "resident" versions that check each file as it
is run, but most require that you run the software "manually".  It
is also the classic case of "bolting the door after the horse is
gone" since "scanners" only find infections after they occur.
 
Why then, with all the disadvantages of scanning software, are they
the most successful of anti-viral packages?  Generally speaking, it
is because they force the user to pay attention to the system. 
Again, when a user relies on one particular method of protection
they are most vulnerable.
 
I have stated that scanners can only find infections after they
occur, but that does not mean that scanners cannot play a
preventative role in protecting the system.  If scanning software is
used consistently to check each disk or file that "enters" a system
(and kept up to date), the chance of a viral infection being allowed
to enter is greatly reduced.  Unfortunately, the use of scanners
tends to be less than effective in many cases.  My own experience
tends to suggest that the most widely used scanning software,
generally updated every month or two, tends to be an average of
eleven months out of date on most user systems.  In one case I was
assured that a computer was protected because the vendor had
installed antiviral software.  On examination, this turned out to be
a "manually" invoked scanner, long out of date, in an archived (and
therefore non-executable) file, with no provision for either
automated invocation or instructions for the users.
 
A recent addition to scanners is intelligent analysis of unknown
code, currently referred to as "heuristic" scanning.  More closely
akin to activity monitoring functions than traditional signature
scanning (and previously examined in that section), this looks for
"suspicious" sections of code that are generally found in viral
programs.  While it is possible for normal programs to want to "go
resident", look for other program files, or modify their own code,
these are tell-tale signs that would help an informed user to come
to some decision about the advisability of running or installing a
given "new and unknown" program.  "Heuristics", however, may
generate a lot of false alarms, and may either scare novice users,
or give them a false sense of security after "wolf" has been cried
too often.
 
copyright Robert M. Slade, 1993   PRTAVSE.CVP   930625
 
============= 
Vancouver      ROBERTS@decus.ca         | "Remember, by the
Institute for  Robert_Slade@sfu.ca      |  rules of the game, I
Research into  rslade@cue.bc.ca         |  *must* lie.  *Now* do
User           p1@CyberStore.ca         |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 98]
*****************************************
