From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #143 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Wednesday, 15 Aug 1990 Volume 3 : Issue 143 Today's Topics: Odd string "DIES" appears in allocated memory map (PC) Re: bouncing ball...watch it! (PC) SCANV66B uploaded to SIMTEL20 (PC) Antivirus viruses Cost of Protection (Philosophy) Re: Stealth viruses VTAC Re: Problems with NARC.EXE (PC) Info on Virus's Requested Getting Virus-L back issues in USA Re: Responses to F-PROT query computer crime:sources and researchers VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 14 Aug 90 12:02:04 -0400 From: Ken Bell Subject: Odd string "DIES" appears in allocated memory map (PC) A user's PS/2 model 70 was brought to us recently. It simply locks up (dies?) after a few minutes, even if it hasn't yet completed the boot process (e.g., before the boot password is entered). A 201 error code suggests that the problem is with the memory modules. However, we observed that when the machine is booted from the user's hard drive, the MAPMEM utility reports that a program named DIES has been loaded just 0x83 bytes past the DOS-EDIT utility (i.e., it has apparently overlaid DOS-EDIT), and has stolen the INT-21 vector from DOS-EDIT. We are treating the first as a hardware problem, but we are curious about the "DIES" string. Is this familiar to anyone (and, if so, is it possibly related to, or the cause of, our "hardware problem")? Thanks.. Ken Bell (SYKLB@NASAGISS SYKLB@NASAGISS.GISS.NASA.GOV) Acknowledge-To: ------------------------------ Date: 14 Aug 90 16:39:37 +0000 From: bcstec!gentry@uunet.UU.NET (Tim Gentry) Subject: Re: bouncing ball...watch it! (PC) Amr Malik writes: > ... I was reading John McAfee's book about viruses a > few days ago and it said about some virus of the same sort which shows a > bouncing ball while it is reproducing and infecting other programs in > the system. > > This book said about another sort of virus which shows small bugs coming > out of all four corners which eat (delete) the words on the screen and > destroy all the data files meanwhile, OK, the "bouncing ball" effect >is< a characteristic of a virus, but the "small bugs" visual effect is (to the best of my knowledge) not. A small TSR .com file called "bugres.com" is responsible for this effect. When the program is installed pressing Alt-B will invoke the visual effect. It's really a lot of fun to watch, and it is NOT a virus! (Unless, of course, somebody has hacked into the code) -Tim Tim Gentry Boeing Computer Services (206) 234-1640 gentry@bcstec.boeing.com uunet!bcstec!gentry ------------------------------ Date: Tue, 14 Aug 90 12:11:00 -0600 From: Keith Petersen Subject: SCANV66B uploaded to SIMTEL20 (PC) McAfee Associates has corrected a bug in SCAN's validation code removal processing. Version 66-B has been released and is now available on SIMTEL20. It was obtained from McAfee's BBS. Directory pd1: SCANV66B.ZIP VirusScan, scans disk files for 134 viruses If you are unable to access SIMTEL20 via Internet FTP or through one of the BITNET/EARN file servers, most SIMTEL20 MSDOS files, including the PC-Blue collection, are available for downloading on the Detroit Download Central network at 313-885-3956. DDC has multiple lines which support 300, 1200, 2400, and 9600 bps (HST/V.32/V.42/V.42bis). This is a subscription system with an average hourly cost of 17 cents. It is also accessable on Telenet via PC Pursuit and on Tymnet via StarLink outdial. New files uploaded to SIMTEL20 are usually available on DDC within 24 hours. Keith Petersen Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.mil BITNET: w8sdz@NDSUVM1 Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz ------------------------------ Date: Tue, 14 Aug 90 10:39:33 -0700 From: erickson@lclark.BITNET Subject: Antivirus viruses I am a sophomore here at Lewis & Clark College in Portland, and I work in the campus computer support services. I have been subsribing to the comp.virus journal for a few months now, mainly to keep an eye out for any information about viruses that we may have to brace for out here. Up until now I have never felt inclined to submit anything to this journal. However, this new discussion on the ethics of producing viruses to kill harmful viruses is a fascinating one. Peter Ukra from somewhere or another (I am not yet Unix-path fluent) posed an interesting argument against the use of antiviruses. If antiviruses become an accepted phenomena, there is nothing to stop those perverts who write the viruses from writing new ones that will initially convince the user that they are a "good" virus before turning around and doing some form of damage. The scenerio Ukra uses is one where a virus pops up on a user's screen, identifying itself as a "virus that hunts down others" and gives the user a choice -- press "A" to proceed with the hunt, or "B" to delete this virus. If the user presses "A," the virus may show its true colors and inform the user that it has just erased his hard disk. Thus, there is an apparent danger in producing two kinds of viruses (good and bad). My point is this: How many "bad" viruses do you know of that ask the user if he wants to delete it before it does anything? None. Let's examine that scenerio and a couple of different possibilities for it: #1) The virus really DOES turn out to be a "good," virus-killing virus. The user wins if he choose either "A" (begin hunt) or "B" (delete virus). #2) The virus only says that it's a good virus, but it is really a badnastyevilugly virus. There is no guarantee, and in fact it would be naive to assume, that the virus would actually delete itself if the user chose "B." Seeing as how most if not all of today's badnastyevilugly viruses don't give any options at all -- they just erase a disk, etc. -- I don't see where the new and urgent danger is. My point is I don't see any additional danger the average user is put into with the innovation of antiviruses. Yes, it gives the virus perverts another way to make fools out of computer users. But the only difference between, say, a WDEF virus and this "Virus Hunter" virus in the scenerio is that a little more text is dumped on the screen and the user feels a bit more foolish when the virus erases his hard disk. Any other virus would have done the same thing and would never have given him the cute little option greeting in the first place. Viruses don't have to ask for user permission to infect files. Viruses do not spread by beguiling computer users; they simply hide in the shadows and slither from disk to disk. I see no new dangers users could find themselves in if antiviruses do in fact make an appearance in the computer world. - -- Scott Erickson (I have no idea what Lewis & Clark's opinions on this subject are, but it's safe to say that I probably don't represent them.) ------------------------------ Date: Tue, 14 Aug 90 16:59:00 -0400 From: "Gerry Santoro - CAC/PSU 814-863-4356" Subject: Cost of Protection (Philosophy) Jim Powlesland writes: >Earlier, Padgett Peterson comments seemed to imply that some people >resent having to pay McAfee for virus protection - despite SCAN's >relative inexpensiveness. It's my impression that this resentment is >very real and much of it comes from the fact that users can get >relatively the samelevel of protection on their Macintoshes (ie. >Disinfectant and GateKeeper) FREE OF CHARGE. Not entirely true. Part of the 'resentment' (if you can call it that) comes from the fact that the organizational license is rather restrictive. I certainly support all of McAfee's efforts and also believe he is certainly entitled to renumeration. However, my understanding is that much of the license fee is based on support calls from users. There should therefore be some provision whereby a college/university can designate a local support person and pay a smaller fixed fee for the license. I see the inflexibility as being the primary culprit. I realize that other software vendors charge a heck of a lot more but then again we can simply ignore them in many cases. Also, with alternatives like F-PROT and the IBM VIRSCAN that cost substantially less it is real hard to justify major expenditures or overhead-laden cost-recovery to our administrators. Again I want to say that I VERY STRONGLY SUPPORT Mr. McAfee's efforts and agree that he is absolutely entitled to make whatever rules he wishes regarding his product. However I believe that Mr. Powlesland's analysis is a tad simplistic. Gerry Santoro -- Penn State University ------------------------------ Date: Tue, 14 Aug 90 23:36:48 +0600 From: mweiner@bene.at (Michael Weiner) Subject: Re: Stealth viruses frisk wrote: > I never proposed this - what I said was simply "viruses that > attempt to hide > from detection, using a variety of methods". The methods may > include: > > Disinfecting the file when it is read (4096 method) > > Redirecting INT 13H and/or INT 21H, so the file will > appear to be > unchanged when read. > > Redirecting INT 13, so the boot sector appears > unchanged, while the > virus is active in memory (Brain) INT 40h should definitely be included, it might also become necessary to check INT 0Dh and INT 0Eh at some point in the future. > Stealth: Any malicious code that vanishes or appears to vanish > from the infected media, while it is active in memory. I would like to add: [...] under certain trigger conditions. Something else: Does anyone know of a virus scanner that examines high memory (as used by 386max and similar utilities) for "stealth-type" viruses ? Michael Weiner +-----------------+-----------------------------------------------------+ I mweiner@bene.at I Michael Weiner, Ghelengasse 4, A-1130 Wien, Austria I +-----------------+-----------------------------------------------------+ ------------------------------ Date: Tue, 14 Aug 90 14:24:46 -0500 From: martha rapp Subject: VTAC I have recently seen in VIRUS-L, several mentions of VTAC. Does the program works as the author states? Has anyone had problems with it? Thanks. Martha Rapp Computing Services IUPUI ------------------------------ Date: 15 Aug 90 01:53:03 +0000 From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) Subject: Re: Problems with NARC.EXE (PC) 3501P@NAVPGS.BITNET (Jeffrey I. Weill) writes: > that functions as a shell for pkarc or pkzip. The program is called > NARC.EXE 4.0, and has an authorship by Infinity Design Concepts Inc. > 1987. Using the option for changing the drive designation calls up a I have used narc 2.4 for a long time. The problem that you are describing does not exist in version 2.4 Here is the address of infinity 1052 Parkway Drive Louisvill, Kentucky 40217 Gary Conway. 2.4 does have a bug, it generaly trashes (i.e. truncates files at) approx 30K when extracting for some reason. Cheers Woody ------------------------------ Date: Wed, 15 Aug 90 13:36:00 +1000 From: C8845530@cc.nu.oz.au Subject: Info on Virus's Requested Virus Information. ================== I recently had my first run in with a virus. It was a Jerusalem-B virus which somehow found its way onto a version of WordPerfect and created great problems. I would like any information on virus's, especially technical information on how a virus can infect a file, and virus's currently around. Thank You Andrew Foote...... University of Newcastle Computer Science. [Ed. You'll find a lot of information ranging from basic virus issues to management issues to technical details on the comp.virus archives, including the anonymous FTP on cert.sei.cmu.edu - take a look in pub/virus-l/docs.] ------------------------------ Date: Wed, 15 Aug 90 08:38:12 +0100 From: Anthony Appleyard Subject: Getting Virus-L back issues in USA With reference to such queries as this one:- - --------------------------------------------------------------------------- Date: Tue, 14 Aug 90 19:49:18 edt From: "Peter J. Dotzauer" To: XPUM04@uk.ac.umist.central-services.prime-a Subject: Re: Twelve Tricks Sir: Thank you very much for the virus info. One thing I did not figure out is the listserv filenames for the issues. They are not in the 'index' I received from listserv at lehigh. Regards, --pjd (pjd+@osu.edu) - --------------------------------------------------------------------------- How do USA users get back issues of Virus-L? What directory where are they on? - --------------------------------------------------------------------------- {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Wed, 15 Aug 90 08:34:24 BST [Ed. VIRUS-L back issues are available by FTP on cert.sei.cmu.edu in pub/virus-l/archives as well as via the LISTSERV at LEHIIBM1 (or ibm1.cc.lehigh.edu for Internetters). The filename convention on the LISTSERV archive is as follows: VIRUS-L LOGyymmx where "yy" is the year, "mm" is the month, and "x" is the week of the month (A, B, C, etc.). As an example, to retrieve the second week of July, 1990 VIRUS-L digests, send email to LISTSERV@LEHIIBM1 containing the line: GET VIRUS-L LOG9007B This service is available to *EVERYONE* on the list, not just Internet or BITNET or USA users.] ------------------------------ Date: 15 Aug 90 09:03:23 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Responses to F-PROT query Well, it is nice to know that people like my programs, but I just wanted to add a few comments about F-PROT. Version 1.12 is the latest available, but it is not 100% up to date. The reason is that a number of new viruses arrived while I was on vacation, and I am busy adding the detection/removal of them to version 1.13, which will be distributed sometimes around Sept 1. Detecting the viruses is of course just a matter of finding a good search pattern, but writing a disinfector for every virus takes a bit of time. The viruses not detected by 1.12 include some of the latest Bulgarian viruses (2100, the Bulgarian "Tiny" family) as well as some recent viruses from Taiwan, and a few other (Joshi, Casper, Anti-CAD and Subliminal + a few more). I am working on bringing the program up to date again, but it will take me a few more days. Some people have complained that the programs are a bit hard to use and install. I know - I know.... :-) I am working on what I call version 2, which is much improved in this area - Menus, auto-install etc. I have not yet had the time to finish version 2, but when I do, I have do decide whether to... ...turn version 2.x into a commercial program, quite serparate from the sharevare version 1.x. The commercial program would of course be more expensive, but buyers would get telephone support and a printed manual. ...make 2.0 shareware as well - personally I would want to make it freeware, but I just cannot afford it .... see below... What I do depends partially on how much money I make from registration. Writing/distributing F-PROT is no personal gold mine - in fact, my involvement in the anti-virus area has probably resulted in a reduction in my income - as the virus-related work continues to increase, I have had to cut back my work outside the university. I have asked people registering a copy for a single computer to send in $15. I have, however, discovered that the work involved in cashing the checks and mailing out a new copy of the program takes up too much of my time. It has also turned out that the amounts I receive are usually either $15 (single copy) or $500 (500+ machines), so what I am planning to do is make the programs free of charge to individuals, using them on a single computer. Anyhow - I'm not 100% sure what I will do - I just want to spend my time programming, not mailing out programs.... :-) The problem is also that even though I would like to make the programs free of charge to anybody, I have to make a living from this as I spend 50% of my time on viruses and F-PROT. Freeware programs may be possible on the Mac, with only 10-20 viruses, but on the PC with over 200 different virus variants they are totally impractical. So, this is the situation. I must assure you, that whatever happens I will continue to support the program and update it in one form or another. -frisk - -- Fridrik Skulason University of Iceland | Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 | ------------------------------ Date: 15 Aug 90 06:18:56 +0000 From: pmorriso@gara.une.oz.au (Perry Morrison MATH) Subject: computer crime:sources and researchers I am interested in researching the history, incidence,forms of and motivations behind computer "crime". I'm not certain how the latter can (should) be defined (hopefully this will be clarified in the research process) but I'm interested in system break-ins, unauthorized copying, computer mediated fraud or theft, and various interpretations of hacking, as well as any other behaviours that verge (in some minds) upon criminality. This is an enormous area, but this I'm making a boots 'n all effort. Pointers to research summaries, key articles/journals/books and authorities in these areas would be greatly appreciated. I'm not particularly interested in the legal situation regarding these activities- mostly estimates of scale, methods and techniques, the "kind" of persons involved and what their motivations are. I'll post a summary if there is sufficient demand. Please don't flame this possibly naive and uninformed request. And thanks for any help. Perry Morrison ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 143] ******************************************