From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #68
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU

--------

VIRUS-L Digest   Wednesday, 18 Mar 1992   Volume 5 : Issue 68

Today's Topics:

Revision to Product Test 30, VirusDetective, Version 5.0.2 (Mac)
Revision to Product Test 9, Disinfectant, Version 2.6 (Mac)
Revised Product Test 20, SAM (Mac)
Revision to Product Test 44, Rival, Version 1.1.9 (Mac)
Revision to Product Test 10, Virex, Version 3.5 (Mac)
Revision to Product Test # 36, CPAV, February 1992 (PC)
BBS danger myth
Antiviral protection background
Checklist part 1
Checklist part 2
Checklist part 3
Checklist part 4
Checklist part 5

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 25 Feb 92 14:47:42 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test 30, VirusDetective, Version 5.0.2 (Mac)

******************************************************************************
PT-30                                                    May 1991
                                                         Revised February 1992
******************************************************************************

1. Product Description: VirusDetective and VirusBlockade II are shareware programs to detect and to delete known viruses and trojan horses for the Macintosh. This product test addresses VirusDetective 5.0.2 and VirusBlockade II 2.0.

2. Product Acquisition: Both programs are available from their author Jeffrey S. Shulman through Shulman Software CO., 364 1/2 Patteson Drive, Suite 300, Morgantown, WV 26505-3202. The cost for registering VirusDetective is $40.00 for U.S. customers and $45.00 for others. If one registers VirusDetective and VirusBlockade II at the same time the cost is $70.00 for U.S. customers and $75.00 for others. A registered user receives a program diskette, an overview guide, a user license, and automatic notification of future malicious code search strings. Registered users also receive a discount on any future upgrade to either program. Site licenses are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's Note: The complete text of this product review, and the other product reviews in this digest, is available via anonymous FTP from cert.sei.cmu.edu (192.88.209.5) in the pub/virus-l/docs/reviews directories. (The pc directory contains PC product reviews and the mac directory contains - you guessed it - Macintosh product reviews.) Also see the pub/virus-l/docs/reviews/mcdonald.index file for an index of Chris McDonald's product reviews. All of the reviews provided in these directories are independently written by volunteers with no commercial ties to any of the vendors whose products are reviewed. Kudos to the reviewers for their time and effort!]

------------------------------

Date: Wed, 26 Feb 92 09:16:01 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test 9, Disinfectant, Version 2.6 (Mac)

******************************************************************************
PT-9                                                     January 1990
                                                         Revised February 1992
******************************************************************************

1. Product Description: Disinfectant is a public domain program to detect and to repair virus activity for Macintosh systems. The author is Dr. John Norstad, Academic Computing and Network Services, Northwestern University, 2129 Sheridan Road, Evanston, IL 60208. Dr. Norstad's BITNET address is jln@nuacc; the INTERNET address is jln@acns.nwu.edu. This product test addresses version 2.6.

2. Product Acquisition: Disinfectant is available on the Internet, bulletin boards, and Apple User Groups. It resides in the Macintosh repository on the Information Systems Command host simtel20 [192.88.110.20] at White Sands Missile Range: pd3:.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

------------------------------

Date: Fri, 28 Feb 92 15:10:27 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test 20, SAM (Mac)

******************************************************************************
PT-20                                                    November 1990
                                                         Revised February 1992
******************************************************************************

1. Product Description: Symantec AntiVirus for Macintosh (MAC) is a commercial software program for the prevention, detection, and elimination of viruses for the Macintosh. The product test addresses version 3.5 with update definitions for the HyperCard virus (Three Tunes) and MBDF A virus/trojan horse.

2. Product Acquisition: SAM is available from Symantec Corporation, 10201 Torre Avenue, Cupertino, CA 95014-2132 for $99.95. However, there are several mail order services which offer a single copy of the product at a reduced cost. Site licensing arrangements are available. Symantec's telephone number is 408-253-9600.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil; and Robert Thum, Systems Administrator, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-7739, DDN: rthum@simtel20.army.mil.

------------------------------

Date: Mon, 02 Mar 92 08:45:41 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test 44, Rival, Version 1.1.9 (Mac)

******************************************************************************
PT-44                                                    October 1991
                                                         February 1992
******************************************************************************

1. Product Description: RIVAL is a commercial software program for the prevention, detection, and elimination of known computer viruses and trojan horses for the Macintosh. This product test addresses version 1.1.9.

2. Product Acquisition: Rival is available at a list price of $99.00 from the Microseeds Publishing, Inc., 5801 Benjamin Center Drive, Suite 103, Tampa, Florida 33634. Their telephone number is 813-882-8635. The authors of the program are actually Frederic Miserey and Jean-Michel Decombe from France. Site licenses are available. There are also a variety of mail order companies which have recently advertised significantly reduced prices for a single copy.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

------------------------------

Date: Mon, 02 Mar 92 11:22:26 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test 10, Virex, Version 3.5 (Mac)

*******************************************************************************
PT-10                                                    March 1990
                                                         Revised February 1992
*******************************************************************************

1. Product Description: VIREX is a commercial program which includes virus detection, virus treatment, and virus prevention. The program also identifies "major" Macintosh trojan horses. The current version is 3.5 as of February 1992 with user added definitions.

2. Product Acquisition: The product is available from Microcom, P.O. Box 51489, Durham, NC 27717. There are also several mail order software firms which market VIREX, generally at substantial savings for a single copy. Site licensing arrangements are available from the vendor.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

------------------------------

Date: Fri, 13 Mar 92 13:56:32 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test # 36, CPAV, February 1992 (PC)

*******************************************************************************
PT-36                                                    June 1991
                                                         March 1992
*******************************************************************************

1. Product Description: Central Point Anti-Virus (CPAV) is a product to detect, disinfect and prevent virus infections as well as protection against the introduction of "unknown" and/or malicious code. This test report discusses version 1.2.

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 NEW Greenbrier Pkwy., Suite 200, Beaverton, OR 97006. A marketing number, current as of 6 Jun 91, is 1-800-445-4064. The retail price of the product is $129.00. Site licenses are available.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-8174, DDN: drhodes@wsmr-emh04.army.mil; Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

------------------------------

Date: Mon, 02 Mar 92 22:57:46 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: BBS danger myth

920302 DEFMTH9.CVP

BBS danger myth

I hear it from almost everyone I talk to about viri: "I'm in no danger, I don't use a modem".

Yes, there are pirates, crackers and phreaks out there who frequent bulletin board systems. Yes, there are even pirates, crackers and phreaks who run boards. Yes, if you hang around even the best BBSes, you will find lots of messages from ankies, techno-weenies and people to whom spelling and grammar are foreign concepts.

But bulletin board systems are not going to "automatically" infect you. Modems cannot infect you. Reading messages cannot infect you (albeit you might come across an ANSI bomb, but they can't "infect" you). Even downloading and running programs is not that dangerous. (In nine years of working with the local and remote "on-line" community I have not yet downloaded a single infected file, at least not one that wasn't sent to me by another researcher.)

Bulletin boards are not the major "vector" in the spread of computer viral infections. I can even go a fair way to "proving" that statement. The most "successful" viral programs have always been boot sector infectors. From my experience and studies, there are more copies of "Stoned" out there than all other viral programs combined. And boot sector infectors are not spread over bulletin boards. (I said "are not". I didn't say "can't". Yes, you can use TELEDISK or SENDDISK. Yes, "droppers" are possible, and even known. But droppers are extremely rare, and most people don't even know what TELEDISK is.) Thus, the major vector *must* be disk swapping.

Bulletin boards are not the enemy. In the computer virus arena, bulletin boards may be your greatest friend. Where can you get information about computer viral programs: from newspapers which state that backups are all the protection you need against Michelangelo? from magazines which state that you need to disconnect the hard drive if you get an infection? from television stations which speak of BSIs and show the screen produced by Cascade? You read a lot of nonsense on BBSes and networks about viri, but you get some information, too. And the shareware programs are generally the best, cheapest and most up to date. After all, you can't even get DISKSECURE commercially.

copyright Robert M. Slade, 1992   920302 DEFMTH9.CVP

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
"Don't buy a computer." - Jeff Richards' First Law of Data Security

PS - Ken, I figure I'm about 5 weeks behind, so there's 3 tonight and probably two more tomorrow (and then I'll settle down for a while ... :-)

------------------------------

Date: Mon, 02 Mar 92 23:01:07 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: Antiviral protection background

PRTGEN1.CVP 920302

Antiviral protection background

Having meandered around various academic and technical aspects of viral programs for a while, it's probably now time to get down to brass tacks and direct some attention at how the average user, or office, can detect the presence of computer viral programs and deal with them when detected. In the coming weeks, I'll be laying out a guideline blueprint that any user can follow, even without specialized software. I'll also be dealing with the various types of antiviral software, and how to evaluate them.

First, though, a few strategies and attitudes to give you a better chance of success in your defence.

Assume you are going to fail. Or rather, not to be too fatalistic about it, *don't* assume you are going to succeed. Any program which claims that it will be able to deal with all future viral programs is flat out lying, and the software byways are littered with the corpses of those programs which figured they knew it all. Make redundant provision for checking and don't trust any one antiviral program or system. Keep testing it, and keep up to date.

Which brings us to the second point: inform yourself and inform others. Not every computer user needs to read the VIRUS-L Digest (or comp.virus on Usenet) or the Fidonet VIRUS_INFO, VIRUS and *WARNINGS* echoes. But every computer user should know of someone who does. You can't trust CNN for the latest virus bulletin: they still think the NSA shut down Iraq's air defence with a printer.

By the same token, let the word out a bit more if *you* find out something. If you get hit, make sure you send a copy of the infection to a researcher. (It's terribly frustrating to try to deal with the aftermath of a bad disinfection, when you don't have a copy of the virus to work with. "Oh, we just reformatted the drive ...") If you get hit, admit it. Don't imagine that you can ignore it and it will go away. (We are continually asked how bad the problem is ... by the same people who will not answer surveys so that we can find out how bad the problem is.)

This last is a bit of a touchy issue with those who feel that we should not say anything for fear of giving virus writers ideas. Never fear. Virus writers don't need any help. "The Cuckoo's Egg" proves that the only result of keeping information to yourself is that the people who really *need* the data won't have it.

copyright Robert M. Slade, 1992   PRTGEN1.CVP 920302

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
Life is unpredictable: eat dessert first.

------------------------------

Date: Mon, 02 Mar 92 23:02:22 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: Checklist part 1

920302 PRTCKL1.CVP

Antiviral checklist - part 1

The next several columns are going to outline, and explain, a checklist of steps that any computer user can take to reduce the risk of computer viral program infection, and increase the chances of detecting an infection early -- hopefully before it has much chance to do any damage. The points will be presented with an explanation of each item, and therefore the whole checklist will not be complete until this set of columns is finished.

To begin:

For each computer:

I really feel that the following list is reasonable, achievable and necessary for each individual computer. All of the items, with one exception, can be obtained by any intermediate user with only the software supplied with the computer. Most of the items should be done in any case as they are good "technical support" practice.

_ Directory list of all program files, date and size

This, of course, is completely straightforward, and yet it is so seldom done. Yet the vast majority of file infecting viri would be instantly detected by a comparison between the original "clean" list and a directory listing taken after an infection. For best results, of course, other factors are needed, which will be covered in due course.

_ List of programs run at startup

With the number of "background" and "resident" programs running on computers today, it's a wonder *anything* can operate at all. If you don't know what your computer is supposed to be running, how on earth do you know when something unusual creeps in? For the MSDOS world, this list can be obtained simply by printing a copy of the CONFIG.SYS and AUTOEXEC.BAT files. It may be felt that, because these files are present on the computer anyway, it is redundant to print them out. A fair point, but a booklet of this information at each computer will save time and trouble all round.

_ "Source code" for menus

These days the computer vendor/reseller or a technical support person installs the computer hardware and software, and then installs a simple menuing system for the user. It is not always obvious, from the disk structure, which program the user may be using on a regular basis.

copyright Robert M. Slade, 1992   PRTCKL1.CVP 920302

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
"The client interface is the boundary of trustworthiness." - Tony Buckland, UBC

------------------------------

Date: Sun, 15 Mar 92 01:11:07 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: Checklist part 2

920314 PRTCKL2.CVP

Antiviral checklist - part 2

For each computer: (con't)

Last week's checklist items were, I am sure, unchallenged by anyone. They were things that the most naive user could find, and that any reasonably intelligent person could understand. The following may not be as readily accepted. However, I stand by them as items which every computer should have. In fact, they may be even more important than the foregoing.

_ Description of boot sector

By a description I mean something as simple as a copy on a separate diskette or a "hex dump" listing. But even this is a formidable object for a novice user to understand, let alone produce. This, however, is not an insurmountable objection. The user does *not* have to understand what the listing means, only that a change occurs. As for generating the listing, that can be done by the qualified people who install the system. With DEBUG on the system, batch files can be written to show the user the first few lines of the current boot sector. It might also be a good idea to have printouts (of the most common) and batch files to check the boot sectors of floppy disks.

_ Description of partition boot record

Similar objections will be raised, and similar arguments defeat them. With the prevalence of Stoned and Michelangelo, the master/partition record is even more important than the boot sector. For MS-DOS machines, FixMBR allows capture, and F-PBR from the 1.xx versions of F-PROT allows examination, of the relevant sector. (FixMBR, by the way, should be a part of any BIOS DOS, and all users should be part of a massive letter writing campaign to Microsoft and Digital Research, demanding to know why the twits haven't licensed it yet.)

_ Description of memory map at startup
_ Description of interrupts at startup

These two can really be handled together, both in concept and in execution. Again, while the novice user can't be expected to know what all the numbers mean, anyone of sound mind can see whether or not they change. The one problem here is that, during the normal running of programs, some of these numbers do change. Therefore, it should be stressed that, if any change is noted, it should be checked again after a "reboot" of the system. At this point some of the benefit is lost, as the novice user may not be able to differentiate between a valid program which is sloppy in its use of memory, and a viral infection. Having this item on the checklist, however, will give the experienced support person an immediate baseline.

copyright Robert M. Slade, 1992   PRTCKL2.CVP 920314

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
"It says 'Hit any key to continue.' I can't find the 'Any' key on my keyboard."
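A baseline-and-compare tool for the "for each computer" items in checklist parts 1 and 2 above: a listing of program files with size and date, the directory tree, and a DEBUG-style dump of the boot sector that is checked only for whether it changed. This is an added example, not code from the columns; the program-file extensions, the temporary sample tree and the sample sector are constructed assumptions, and the directory-tree comparison goes a little beyond what part 2 asks for.

```python
"""Baseline-and-compare for the per-computer checklist: program files with date and
size, the directory tree, and a DEBUG-style dump of the boot sector. Sample data is
constructed; point build_baseline() at a real drive root to use it for real."""
import hashlib
import os
import tempfile

# Assumption: these extensions are what "program files" meant on an MS-DOS box.
PROGRAM_EXTS = {".exe", ".com", ".sys", ".ovl", ".bat"}


def build_baseline(root):
    """Walk a drive and record every directory plus (size, mtime) of each program file.
    Paths are stored relative to root with '/' separators so listings compare cleanly."""
    dirs, files = set(), {}
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        if rel:
            dirs.add(rel)
        for name in filenames:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS:
                st = os.stat(os.path.join(dirpath, name))
                key = f"{rel}/{name}" if rel else name
                files[key] = (st.st_size, int(st.st_mtime))
    return {"dirs": dirs, "files": files}


def compare_baselines(clean, current):
    """Diff the 'clean' listing against a later one: new, missing and altered program
    files, and directories that were not there before."""
    before, after = clean["files"], current["files"]
    return {
        "added_files": sorted(set(after) - set(before)),
        "removed_files": sorted(set(before) - set(after)),
        "changed_files": sorted(p for p in before if p in after and before[p] != after[p]),
        "added_dirs": sorted(current["dirs"] - clean["dirs"]),
    }


def hexdump(sector, width=16, lines=4):
    """Show the first few lines of a sector the way DEBUG's 'd' command would, so the
    printout can sit in the booklet kept with the machine."""
    out = []
    for off in range(0, min(len(sector), width * lines), width):
        chunk = sector[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{off:04X}  {hexpart:<{width * 3}} {text}")
    return "\n".join(out)


def sector_changed(baseline_sector, current_sector):
    """The user does not need to read the dump, only to know whether it changed."""
    return hashlib.sha256(baseline_sector).digest() != hashlib.sha256(current_sector).digest()


def sample_boot_sector():
    """Constructed 512-byte sector: a jump, an OEM name, zero padding and the 55AA mark."""
    body = b"\xEB\x3C\x90MSDOS5.0"
    return body + b"\x00" * (512 - len(body) - 2) + b"\x55\xAA"


def demo():
    """Build a tiny 'drive', take the clean baseline, then make the kinds of change the
    checklist is meant to surface and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DOS"))
        for name, body in (("COMMAND.COM", b"\x00" * 400),
                           ("DOS/FORMAT.EXE", b"MZ" + b"\x00" * 300),
                           ("AUTOEXEC.BAT", b"@ECHO OFF\r\n")):
            with open(os.path.join(root, *name.split("/")), "wb") as f:
                f.write(body)
        clean = build_baseline(root)
        # Later listing: one program file grew, and a new directory holds a new program.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as f:
            f.write(b"\x90" * 64)
        os.makedirs(os.path.join(root, "DOS", "TMP"))
        with open(os.path.join(root, "DOS", "TMP", "NEW.COM"), "wb") as f:
            f.write(b"\x00" * 16)
        return compare_baselines(clean, build_baseline(root))


if __name__ == "__main__":
    print(demo())
    sector = sample_boot_sector()
    print(hexdump(sector))
    print("boot sector changed:", sector_changed(sector, b"\xEB\x58\x90" + sector[3:]))
```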
------------------------------

Date: Sun, 15 Mar 92 01:15:26 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: Checklist part 3

920314 PRTCKL3.CVP

Antiviral checklist - part 3

For each computer: (con't)

From the esoteric, we move back into the mundane, and some uncontroversial measures.

_ Backup "originals" of software

As we progress through the list, it will be noted that a number of the measures proposed are no more than those proposed for good computer management and support without regard to viral programs. This should not be surprising. The operations of viral programs are not different in kind from normal computer operations. (This is why it is impossible to identify a viral, as opposed to a valid, program by examination of the code alone.) Therefore, any operation of a viral program could just as easily be done by the proverbial "ingenious idiot" who has historically been far more deadly than any kind of malware.

As will be noted in future columns, I recommend that all software be installed from "backup originals". These disks, or copies made after installation, should there be any customization involved, should be kept with the computer. This serves two purposes. It allows for quick access to "known clean" software for re-installation, if necessary. (These "originals" may reduce or eliminate the need for "full" backups of the system, as the software is often the larger portion of material on the user's disk, and generally the most stable.) It also provides a "baseline" for a quick check for any changes to the software.

_ Backup of hard disk directory structure

Backups are a part of good procedure (and are a part of this checklist, further on, as well). However, while provisions are more often made for the programs and data to be backed up, the directory structure itself is often forgotten. Rebuilding the directory structure may, in fact, be the most time consuming part of a recovery. Keeping a copy of the directory may help in other ways. Some malware, the "AIDS Information" trojan being a notable example, build extra directories in order to escape detection. Having a baseline copy of the valid directories gives one another means of detecting viral programs, rather than another place for them to hide.

copyright Robert M. Slade, 1992   PRTCKL3.CVP 920314

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
Lotteries are a tax on the arithmetically impaired.

------------------------------

Date: Sun, 15 Mar 92 01:17:51 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: Checklist part 4

920314 PRTCKL4.CVP

Antiviral checklist - part 4

For each office:

"Each computer" is pretty easy to define. An office is less so. For the purposes of this checklist, an office is defined as a group of people who interact on a regular basis. "Regular", for this purpose, need be no more than once per week. An office is, therefore, defined less in terms of locale and walls than in terms of communication. For this definition an office may consist more of those working on a common project in far-flung cities than of those in the next cubicle whom we never speak to. However, it need not follow "official" reporting lines either. An office is defined more in terms of how fast you can find information when you need it.

The items in this next section of the checklist are those which may not be referred to for long periods of time while things are going well, but which may need to be found quickly once an anomaly has been identified.

_ Description of current common viri

This may be a prepared list, or it may be maintained in the office. For all systems, the major prepared list must be the Virus Catalog prepared by CARO/EICAR. This list is not complete, but it does cover all platforms and the most widely distributed viri. In the MS-DOS world, another possible source is the shareware summary list collated by Patricia Hoffman. While this list is more complete in covering the 1200 (1300? 1500? by the time you read this, who knows?) MS-DOS viri, it is, of necessity, less accurate at times. Antiviral software, especially that which incorporates scanning, often includes listings of viri, their symptoms and features. Some of these are good, some less so. All of these lists must be kept up to date, and it is probably an idea to have someone within the organization who is supporting the prepared lists with additional information from sources such as VIRUS-L.

copyright Robert M. Slade, 1992   PRTCKL4.CVP 920314

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
"Is it plugged in?" "I can't see." "Why not?" "The power's off here."

------------------------------

Date: Sun, 15 Mar 92 01:20:23 -0800
From: rslade@sfu.ca (Robert Slade)
Subject: Checklist part 5

920314 PRTCKL5.CVP

Antiviral checklist - part 5

For each office: (cont.)

_ List of local virus information contacts

Who ya gonna call?

This is a very difficult section to advise on. For my part, I can think of perhaps twenty people in the world of whom I could state, with confidence, that they were competent in the field. This is not to say that there are not more, but it is an esoteric field, with few standards to judge by.

The information is hard to come by, for one thing. The popular, and even the technology trade media, has very little appreciation for the difficulties and traps of virus hunting. The recent experience with Michelangelo points this out sharply. Almost all the articles in advance of the March 6 date stressed that the virus could be defeated by making backups or resetting the date. None mentioned that a BSI could corrupt non-standard disk formats used by many backup programs, and none pointed out the difference between the "DOS" date and the "system" or "clock" date.

Virus "experts", in common with most system level hackers, tend to be charter members of "Egos-R-Us". This is bad enough. However, what is worse is that everyone with an outdated copy of SCAN thinks he or she is a virus expert, and assumes the arrogance without necessarily having the expertise to back it up. (Given that the general population, even of advanced computer users, has very little background in the subject, the problem of proving credentials is often moot.)

So, how can you find a local expert? Some indications:

Points for:
- is a "member" of VIRUS-L, and has been for at least a year
- if no Internet access, reads all three Fidonet echoes
- is a contributing member

Points against:
- "one antiviral fits all"
- boasts of the size of his/her virus collection
- warns against BBSes and online services
- recently joined the net and immediately flamed the moderator :-)

copyright Robert M. Slade, 1992   PRTCKL5.CVP 920314

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
Robert_Slade@sfu.ca | rslade@cue.bc.ca | CyberStore Dpac 85301030
"Don't buy a computer." - Jeff Richards' First Law of Data Security

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 68]
*****************************************