

Date: Thu, 27 Jun 91 10:53:42 EDT
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #111
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Thursday, 27 Jun 1991   Volume 4 : Issue 111

Today's Topics:

Correction to Volume 4 Issue 110
What info is available on viruses? (PC)
Why Patricia Hoffman's virus summary is not on SIMTEL20 (PC)
Re: Can such a virus be written .... (PC)
re: doom2:reply (PC)
Can such a virus be written .... (PC)
re: McAfee on VSUM accuracy and Microcom (PC)
VIRx Version 1.5 Released (PC)
Re: protecting mac files via locking (Mac)
Re: Virus checking for Sun4 (UNIX)
Re: Can such a virus be written .... (PC)
Re: McAfee on VSUM accuracy and Microcom (PC)
Re: Virus protection: what to use.

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 26 Jun 91 15:25:57 -0400
From: Kenneth R. van Wyk
Subject: Correction to Volume 4 Issue 110

In V4I110, I posted the first couple sections of a product review on Central Point Anti-Virus by Chris McDonald, but forgot to add a note saying that the rest of the review (and Chris's other reviews) is available by anonymous FTP on cert.sei.cmu.edu (IP number 128.237.253.5) in the pub/virus-l/docs/reviews directory.

Sorry,

Ken

------------------------------

Date: Wed, 26 Jun 91 16:09:13 -0400
From: Jean-Serge Gagnon
Subject: What info is available on viruses? (PC)

Does anyone have a list of different viruses and their known effects on the computers that they infect? And where can I get the latest version of SCAN?

I'm asking because I'm new to viruses. I've been in computers a while, but never in such a virus prone environment like a University. Any replies would be welcome as I have a very scarce knowledge about this subject. I.e. I know about Stoned and that's about it, I don't even know what it does apart from saying "Your PC is now stoned!".

Thanks.

Jean-Serge Gagnon
Internet:
Bitnet:
Specialiste en Equipement Informatique / Hardware Maintenance Specialist
Universite d'Ottawa / University of Ottawa
(613) 564-5903 ou/or 7183
Acknowledge-To:

------------------------------

Date: Wed, 26 Jun 91 15:51:00 -0600
From: Keith Petersen
Subject: Why Patricia Hoffman's virus summary is not on SIMTEL20 (PC)

I have received many inquiries as to why SIMTEL20 does not have VSUM, Patricia Hoffman's virus summary list.

SIMTEL20 is prohibited by the author from carrying VSUM. Patricia Hoffman blamed us for a problem caused by someone who downloaded her file from our collection. Since her virus summary list is copyrighted we must comply with her wishes, even though the file is available on almost any BBS and many other FTP sites.

The file is available from risc.ua.edu [130.160.4.7] in the directory pub/ibm-antivirus.

Keith
- --
Keith Petersen
Maintainer of the MSDOS, MISC and CP/M archives at SIMTEL20 [192.88.110.20]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz
BITNET: w8sdz@OAKLAND

------------------------------

Date: Wed, 26 Jun 91 18:05:17
From: c-rossgr@microsoft.COM
Subject: Re: Can such a virus be written .... (PC)

>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
>
>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
>>
>> Is it possible to write a PC virus which installs itself whenever
>> you place an infected disk in the drive and do a DIR command ?
>1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed.

There is at least one batch file running around that, when you "exec" it, it turns into a virus.

If a machine is using ANSI.SYS, it is possible to rename files to provide for reprogramming the keyboard. An argument can be made that causing the, say, F3 key to execute some program or some batch file due to it being reprogrammed could mean that doing a simple directory could later *cause* a virus to be executed.

Ross

------------------------------

Date: Wed, 26 Jun 91 18:20:33
From: c-rossgr@microsoft.COM
Subject: re: doom2:reply (PC)

>From: Eric_Florack.Wbst311@xerox.com
>
>>Actually, the strings are trivially "encrypted" to prevent the image
>>out on disk from triggering who-knows-how-many other scanners out
>>there.
>On /DISK/, yes. But consider the amount of scanners, including McAfee that
>look at RAM, as well. False trip city, as we have seen.

Sigh. Look, I simply didn't remove the strings from memory. What's your point?

>...[why should I bother to encrypt the strings except trivially?]...
>This misses the point altogether. My point was simply that without encryption
>of one sort or another, even in RAM, another package will false trip. If you
>think that people are going to depend on your package alone for protection,
>this might not cause a problem. But a reality check, (facilitated by a quick
>peek at the postings in here) will prove that doesn't happen.

No, I get the point: my income depends on it. I had a bug. It's fixed in Version 1.5, released about ten minutes ago. A reality check would show that out of the thousands of people who run our code daily, about ten have complained about the interaction due to a bug that is now fixed.
>My point in this case was the person doing the altering
>to route around your code being the original author. Moreover, we
>have seen several varieties of a particular virus around, indicating
>more than one person altered one person's code. This is commonplace.
>(Can you say 'Stoned'? Sure. I knew you could.) Obviously, virus code
>is being passed around, by writers of such code, like a wine bottle at
>a garbage can fire. Getting the original code is therefore no problem.

No matter what string is used, and no matter what the encryption routine for that string might be, it would be trivial to ascertain what that string is -- and without having to break the encryption.

I know that your intentions are most likely good, sir, but you really have not stopped to consider all the issues before you post. You may think you have the solution to a non-problem, but your solution does nothing except add another area where a bug can creep in without providing anything but a *potential* feel-good-warm-fuzzy feeling. It does nothing but provide me with extra work and does not provide any benefit to the end user community.

>>>Encrypting the search strings in your code, therefore is always a good
>>>idea, as is cleaning up the mess your program makes in RAM. VIRx,
>>>apparently doesn't address these two points.
>>Wrong on both counts. It is interesting, though, that about 20 beta
>>testers did not find that problem at all....
>First point: How on earth is cleaning up RAM you've allocated with
>your program before the program closes to be considered a BAD idea?
>Ditto a string encryption?

Simply because somebody says that encrypting the strings is a good idea does not make it a good idea. And, except for a bug that occurred in certain circumstances, the cleanup was typically done.

>As for your beta testers not finding the problem, I suggest to you
>that perhaps they missed a major problem. Without being judgemental,
>here, finding this problem after beta was complete would seem to call
>into question the validity of certain of your test results.

Actually, it just showed that our beta testers did not run into that problem (recall that the reports I mentioned above were limited in number). This implies that they don't use one of our competitor's products. So what? There are many people who opt not to use our competitor's products. In fact, I hope to make sure that hardly anyone uses any of my competitor's products by providing better code than anybody else.

And, sometimes, a minor mistake is made and is blown way out of proportion.

Ross

------------------------------

Date: Wed, 26 Jun 91 12:10:19 +0100
From: "Pete Lucas"
Subject: Can such a virus be written .... (PC)

Most DOS PCs do not implement a hardware 'media change' flag, so they do not know that a diskette has been inserted until you try reading from it. (This is unlike an Apple Mac that has a 'media change' sense on its diskette drive.) A virus doesn't 'know' that a new diskette has been inserted on a PC until the virus has had a look at what's there.

Of course the write-protect notch/slide is 99.99% effective in my experience at preventing any illicit writes; you would, of course, have write-protected any diskette you put in the drive before doing the hypothetical DIR command, wouldn't you?

(I do actually have a notchless diskette that on *some* drives can be written to - the diskette jacket is semi-transparent and on drives that use optical notch-sensing, enough light *sometimes* gets past to make the thing writable.... oh confusion!)

Pete Lucas
PJML@UK.AC.NWL.IA
PJML%IA.NWL.AC.UK@UKACRL

------------------------------

Date: Wed, 26 Jun 91 18:37:03
From: c-rossgr@microsoft.COM
Subject: re: McAfee on VSUM accuracy and Microcom (PC)

>From: mcafee@netcom.com (McAfee Associates)
>
>>From: Ross Greenburg
>>One of the interesting things: Microcom, the people who publish and
>>market my code, is expressly forbidden from using McAfee products by
>>the vendor itself.
> We have
>never refused to sell our products to anyone, and our policies will
>not change. It's a strange comment considering that 99.9% of all of
>our users use our products without telling us or paying us anyway (one
>of the side effects of shareware). How would we ever know?

This is good news. I was under the impression that Microcom attempted to license a copy from you and was told that they may not use it without a license and that a license would not be issued to Microcom under any circumstances. I am glad that the information given to me is false and that Microcom is expressly being given permission to utilize this product from the vendor.

I would presume there is a charge for such usage: what would that charge be for *only* one computer to use your product? I'll be sure to report that amount to the Microcom people I deal with.

Ross

------------------------------

Date: Wed, 26 Jun 91 18:42:35
From: c-rossgr@microsoft.COM
Subject: VIRx Version 1.5 Released (PC)

I'm pleased to announce that version 1.5 of VIRx has been released, today, for distribution. VIRx is a freely distributable scanning program -- there is *no* charge associated with it, although copyrights *are* maintained by both Microcom and me.

You should be able to grab a copy off of SIMTEL-20 almost immediately. Additionally, it is available on CIS and on my BBS at 212-889-6438.

=== What's New In VIRx Version 1.5 ==============================

Date: 6/26/91

1. VIRx 1.5 detects over 80 additional newly discovered viruses, bringing the total to almost 500.
This was accomplished without slowing down the scanner.

2. Wildcard string scanning is included for detecting viruses otherwise resistant to general scanner detection.

3. VIRx scans PKLite pre-compressed files internally about 10% faster than previous versions; probably not noticeable except on slower machines.

Problems Corrected from v1.4:

1. Another rare problem with scanning certain Novell Network server volumes has been corrected.

2. The technique used to clean our scanning search strings out of memory has been changed. This change will prevent certain other anti-virus scanners from erroneously reporting an assortment of viruses active in the computer's memory immediately after a VIRx scan has completed.

3. Certain rare situations would result in VIRx scanning extremely slowly. This has been fixed.

------------------------------

Date: Thu, 27 Jun 91 00:22:25 +0000
From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: protecting mac files via locking (Mac)

In regards to the "Well, you can override the bit settings" (sorry, I forgot to copy the article in here), the point I was making was that even beyond that, this little bugger (no it's not in the Sector Editor group that was listed), will also overrun open resources - this is something that I have not seen any other "utility" accomplish. I know it is possible to do, but I just haven't seen anybody do it.

Mike.
Mac Admin
WSOM CSG CWRU
mike@pyrite.som.cwru.edu

------------------------------

Date: 27 Jun 91 11:13:40 +0000
From: tommyp@ida.liu.se (Tommy Pedersen)
Subject: Re: Virus checking for Sun4 (UNIX)

xcaret@teal.csn.org (Xcaret Research) writes:

>Can someone point me to information about virus checking for a Sun4
>computer. Is there ftp'able software or any good commercial software?

I don't know if there is any ftp'able software but there is a product called TCell which the company I work for manufactures.

***** BE AWARE!! Information about this commercial product follows... *****

TCell is more than an antivirus system, it detects any kind of unexpected change to the file system. Thus it can also be used in software management, for example to keep control that software is not changed after its release. You can probably think of yet other uses in your organization.

TCell can also be used as a virus detection tool for PCs using software residing on a Unix server.

If you would like more information, send me an email at tommyp@isy.liu.se, call me at +46 13 235200 in Sweden, fax me at +46 13 212185 or write to the address below.

Tommy Pedersen
SECTRA AB
Teknikringen 2
S-583 30 LINKOPING

- --
/Tommy Pedersen
E-mail: tommyp@isy.liu.se
S-mail: Tommy Pedersen, Dept. of EE, Linkoping University, S-581 83 Linkoping, SWEDEN
Telephone: +46 13 282369
FAX: +46 13 289282

------------------------------

Date: Thu, 27 Jun 91 12:40:19 +0000
From: thomas@diku.dk (Thomas Nikolajsen)
Subject: Re: Can such a virus be written .... (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:

>>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
>> Is it possible to write a PC virus which installs itself whenever
>>you place an infected disk in the drive and do a DIR command ?
>The answer to that question is a definite NO - on a PC, that is - but
>I am not sure if the same applies to the Amiga or the Mac - perhaps
>somebody else can clarify that.

Amiga: yes it is possible, and done. I only know of one virus which does that, this one is called SADDAM. The "bug" that allows the method used by SADDAM is fixed in the (more or less released) new version of the operating system (AmigaDOS 2.0). I don't think it should be possible in AmigaDOS 2.0.

>- -frisk

thomas

------------------------------

Date: Thu, 27 Jun 91 10:18:32 -0500
From: "Bonnie Scollon"
Subject: Re: McAfee on VSUM accuracy and Microcom (PC)

John McAfee writes:

>This is news to the alleged vendor. Since McAfee Associates is the
>only vendor of the McAfee products I assume Ross means us. We have
>never refused to sell our products to anyone, and our policies will
>not change. It's a strange comment considering that 99.9% of all of
>our users use our products without telling us or paying us anyway (one
>of the side effects of shareware). How would we ever know?

This is not true. As the college virus tracker, I try to keep up-to-date copies of most anti-viral products. Of course, I can obtain copies of McAfee's software but when I try to pay the fee, I get back a form letter saying they will not sell a single copy to a college -- we must spend thousands to obtain a site license for ALL our PCs, whether we would install the programs or not. If this is not a refusal to sell, I would not know what else to call it.

We have a site license from another vendor which was considerably cheaper. Even that one is quite expensive considering that we don't actually use the product on all the college computers. We are also looking into a site license for F-PROT, since that is certainly the cheapest site license around.

I did notice the inaccuracy in VSUM's Joshi listing. I, too, did not want to nitpick a document that obviously requires great time and effort to produce. I have tested several products with the Joshi virus and all can now remove it. I have not been keeping up with my VIRUS-L reading or I would have responded to that posting. CPAV, Vi-Spy and F-PROT will all find and remove it. My copy of Virex-PC did not but the dates on the files are over a year old, even though we purchased from Egghead only 4 months ago. (I have never received any update info). I do not remember if NAV removed it or not. I rarely use it any more in tests since it performed poorly when first tried.

Bonnie Scollon
Oakland Community College
(in Oakland County MICHIGAN, not California)

------------------------------

Date: 26 Jun 91 09:47:22 +0000
From: mcafee@netcom.COM (McAfee Associates)
Subject: Re: Virus protection: what to use.
Summary: Reposted by Keith Petersen

avinash@felix.contex.com (Avinash Chopde) writes:

>I was looking around on the garbo.uwasa.fi site and found it had
>plenty of virus scanners/fixer programs.
>Do I need to get hold of all of them, or are there one or two
>which should suffice ?
>
>And, I'm interested in hearing about any of your own procedures that you
>follow to prevent virus infections and perform virus cleanups.

Hello Mr. Chopde,

There are lots of anti-viral programs available now, both shareware and commercial, so without trying to be too specific, here are some things you may wish to look for:

1. Type of virus detection offered: That is, upon what criteria does the anti-viral program base its "decision" that a virus has been found? This is generally broken down into three categories: filters, change checkers, and scanners.

A filter is a program that installs itself as a TSR and monitors the system for virus-like activity (i.e., attempting to format a hard disk, write to a program file, and so forth). Filters have the advantage of being able to detect new viruses because they are not looking for specific viruses, but rather virus-methods.
The disadvantage is that they can be prone to false alarms by programs which may do virus-like activities for legitimate reasons (say an OS or application update program that patches the executable code of the original program); they also have to be periodically updated when new virus-techniques appear that the program did not monitor; also they may have to be configured to allow programs that may do virus-like activities (say, a disk optimization program) to function -- this is not really a problem with individual (home) users, but if you're responsible for several hundred PCs, installation could be painful.

A change checker (and this is a category that includes checksum, cyclic redundancy checks (CRCs), cryptographic checks, and so on) is a program that computes a known value for a program file (or other area of the system) and is then periodically run to compare the program file against. If the known value and the just-computed value don't match, then the file has been modified and may be infected with a virus or otherwise tampered with. The advantages to change checkers are that they will detect known and unknown viruses, like the filter, because they are not checking for specific pieces of code, but rather for changes to a computed value. They're also good for spotting tampering -- more of a computer security-related concern than virus-specific, but it is a function.

The disadvantages of this method are that this only works if the change checker is installed on a virus-free machine, otherwise the known values computed will reflect the viral code attached to its host; also, it's been theorized that if the method of change checking is known, a virus could be written to add itself to files in such a way that a checksum identical to the known (good) checksum is generated; the last problem I can think of with change checkers is that if there is a "stealth" virus present (a virus that installs itself as kind of a "file handler" in the OS) then the virus will trap reads by the change checking program, remove the viral code from the infected file, and then pass on to the CC program a "clean" file. This last one can be prevented by booting the computer with a clean (virus-free) operating system and then running the change checking program.

A scanner works by checking the system for pieces of code unique to each virus. The scanner reads the files (boot sector, partition table, etc.) of a disk and does a match against a database of bytes that are segments of viral code unique to each virus. When a match occurs, a virus is reported. This is effective for finding known viruses, since a positive ID against the virus is made. Of course, a false alarm could also occur if a file had the same instructions in it. Scanners can also check for "generic" routines, like a series of program instructions to format a disk, but these are not as reliable as the matching of viral code with its "fingerprint" of bytes because a file may use such a routine for legitimate purposes. Disadvantages to this are that a scanner will only detect known viruses and must be updated frequently, a "stealth" virus could hide from the scanner, and possible false alarms. And of course, as more viruses are added, the scanner gets s l o w e r.

2. Vendor Support: That is, what sort of assistance will the manufacturer provide? Anti-viral software (like any software tool, only more so) generally requires more assistance than other forms of software, or perhaps I should say, more assistance of a specialized nature. Removing a virus can be somewhat tricky because a long set of steps has to be precisely followed to remove a virus AND prevent re-infection. And of course, there is the matter of any data on infected media that may have been corrupted in some way. So, knowledge (and its accompanying twin, experience) is a factor.

What sort of assistance does the vendor provide? Does the vendor have a telephone number, a fax, a BBS, internet or online services address that you can access? Is the telephone number 24 hours toll free? Or limited hours and toll? Is there a charge for assistance or is it free? If there is a charge, do you have a certain amount of free assistance? What about local reps? Is support handled through the head office which may be in another country, or are there manufacturer's reps or a branch office in your state (province, district) or country?

Another factor is currency (yes, money too, but more about that next), by which I mean how current is the program? Does it need to be regularly updated? Does an update file need to be added, or does the package have to be completely reinstalled each time? How are updates made available, and for how long? Can they be downloaded or mailed or faxed to you? Are they free or do you have to pay for them? Do you get a certain amount of free updates? If so, how is this handled? If there is a cost for updates, how much is it? Is the software purchased (or licensed) for life or for a certain amount of time? If for a limited time, then how long? What happens when the license period runs out? And how much does it all cost?

And referrals. Does the manufacturer have satisfied customers whom you can ask about the product?

Well, sorry for making such a long post, but I did want to address as many issues as I could think of off the top of my head. I hope this gives you some factors to consider.

DISCLAIMER: Yes, I am an employee of McAfee Associates, makers of the VIRUSCAN and CLEAN-UP anti-viral programs. However, I have tried to make this as objective as possible, without mention of anyone's products, goods, or services.

Aryeh Goretsky

- --
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 111]
******************************************
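Added example (editor's, not from the digest and not code from VIRx, VIRUSCAN, TCell or any other product named above). It puts the two detection methods that the last message describes, and the "wildcard string scanning" that the VIRx 1.5 notes mention, into working form: a change checker that takes a baseline of per-file digests on a clean machine and later reports modified, new and missing files; a scanner that matches search strings in which "??" stands for any byte; and a simulated "stealth" read path that strips the appended code before the checker sees it, which is why the message says to boot from a clean operating system first. Everything about the data is constructed for the demo: the file contents, the six-byte "virus tail" and the search string are invented placeholders, not real virus code or real signatures, and SHA-256 stands in for whatever checksum or CRC a real change checker would use.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Files = Dict[str, bytes]

# ---- Change checker (checksum / CRC / cryptographic check) ---------------

def take_baseline(files: Files) -> Dict[str, str]:
    """Record one SHA-256 digest per file. As the digest message notes,
    this is only meaningful if taken on a machine known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def check_changes(files: Files, baseline: Dict[str, str],
                  read: Callable[[bytes], bytes] = lambda d: d) -> Dict[str, List[str]]:
    """Recompute digests through `read` (stands in for the OS file read path,
    which a stealth virus may have hooked) and report what differs from the
    baseline: modified files, files not in the baseline, and files that vanished."""
    modified, new = [], []
    for name, data in files.items():
        digest = hashlib.sha256(read(data)).hexdigest()
        if name not in baseline:
            new.append(name)
        elif baseline[name] != digest:
            modified.append(name)
    missing = [name for name in baseline if name not in files]
    return {"modified": sorted(modified), "new": sorted(new), "missing": sorted(missing)}

# ---- Scanner with wildcard search strings --------------------------------

Pattern = List[Optional[int]]   # None marks a wildcard byte ("??")

def parse_signature(text: str) -> Pattern:
    """'EB ?? 90 CD 13' -> [0xEB, None, 0x90, 0xCD, 0x13]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def scan(data: bytes, signatures: Dict[str, Pattern]) -> List[Tuple[str, int]]:
    """Return (name, offset) of the first place each signature matches in data.
    Wildcard positions accept any byte, so small variants of one virus still hit."""
    hits = []
    for name, pat in signatures.items():
        n = len(pat)
        for i in range(len(data) - n + 1):
            if all(p is None or data[i + j] == p for j, p in enumerate(pat)):
                hits.append((name, i))
                break
    return hits

# ---- Constructed demo data (placeholders, not real virus code) -----------

CLEAN: Files = {
    "COMMAND.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 16,
    "EDIT.COM":    b"\xb4\x09\xcd\x21" + b"\x00" * 16,
}
TAIL = b"\xeb\x05\x90\xcd\x13\xc3"          # made-up appended "virus" code
INFECTED: Files = dict(CLEAN)
INFECTED["EDIT.COM"] = CLEAN["EDIT.COM"] + TAIL

SIGS = {"DEMO-VIRUS (constructed)": parse_signature("EB ?? 90 CD 13")}

def stealth_read(data: bytes) -> bytes:
    """Simulates a stealth virus sitting in the read path: it hides its own
    tail, so a change checker run on the infected OS sees the original host."""
    return data[:-len(TAIL)] if data.endswith(TAIL) else data

def demo() -> dict:
    base = take_baseline(CLEAN)
    return {
        "direct":     check_changes(INFECTED, base),                # clean boot
        "stealth":    check_changes(INFECTED, base, stealth_read),  # infected OS active
        "scan":       scan(INFECTED["EDIT.COM"], SIGS),
        "scan_clean": scan(CLEAN["EDIT.COM"], SIGS),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run directly, the checker reports EDIT.COM as modified when it reads the disk itself, reports nothing when its reads pass through the simulated stealth hook, and the wildcard string finds the constructed tail at offset 20 in the infected file while matching nothing in the clean one. A real checker also has to protect its baseline file from being rewritten by the same code it is meant to catch, which is the point of the digest's advice to take the baseline, and to run the check, from a clean boot.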
