VIRUS-L Digest   Thursday, 23 Jun 1994    Volume 7 : Issue 41

Today's Topics:

Best products for open systems security
Re: Wanted: Infos on ARJ-Virus
Re: GOOD vs. BAD HUH?
Re: CARO and EICAR
danger from used disks?
The underground and 'good' viruses
re: Parity Boot B on OS/2 bootdrive (OS/2)
FYI: "Form-detector" (PC)
info on 2 viruses (PC)
Re: DIR-Virus? (PC)
Re: FORM and SPANISH Telecom (PC)
Re: Vet software (PC)
Re: Good anti-virus software recommendation needed (PC)
Re: Any Iper Info? (PC)
Re: DANGEROUS VIRUS (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: Anti-CMOS virus.... (PC)
Re: Information requested on Doom virus (PC)
Re: InVirible (???) (PC)
Virus in Norton Commander 4.0! (PC)
RE: Attack by MOnkey ... (PC)
virus destroyed disk driver (PC)
info wanted on NiceDay and NewBug (PC)
NOINT virus (PC)
New virus (Trashed?) in Ann Arbor Mi? (PC)
"New" Virus found? (PC)
Re: Anti-CMOS virus.... (PC)
New virus - Ear.Interceptor (PC)
Re: antivirus products (PC)
Re: Virstop.exe and 386Max 7.0 (PC)
re: What about long partitions (PC)
Joshi virus - False alarm? (PC)
Harmless Viruses

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 31 May 94 01:12:49 -0400
From: jonbines@panix.com (Jonathan Bines)
Subject: Best products for open systems security environments?

A while back, I asked for input on Best Products for Open Systems Security as part of my research for a report on this topic in my newsletter, the Best Practices Report. Alas, I can't provide a summary of responses, because nobody responded to either of my two queries (except a couple of people who requested summaries...). However, in the interests of stirring the pot a bit, here's some of what I've found in the course of my investigation. Perhaps it will incline some of you to share your own experiences.

THE IMPORTANCE OF POLICY

First off, there was universal agreement that without a comprehensive, well-thought-out security policy, based on a thorough analysis of your computing and organizational environment, no amount of technology was going to give you adequate security. An article in the May issue of the Best Practices Report discussed the areas where security can fail, including:

* Inadequate employee education and training
* Vague or inadequately-defined responsibilities
* Uncontrolled or inadequately-controlled access to information
* Inadequate backup and storage management policies
* Inadequate physical security
* Inadequate controls against viruses
* Exposure of employees and outsiders to unnecessary temptation
* Inadequate definition and restriction of privileges

In addition to addressing all of these concerns, managers need to assess the value of their data to determine the necessary level of protection. Managers also agreed that without the support of top management, a security policy is probably doomed to failure. The topic of developing a security policy was also addressed in the May issue of BPR, from a broad, organizational perspective.

In the next issue, we'll be discussing the technologies that are available for open systems security. Here's an overview of what we've found so far:

THE TECHNOLOGY:

Of course, a security policy is only as good as your ability to implement/enforce it. And while a great deal of this enforcement comes down to people and politics in your organization, technology also has an important role to play. Here are some of the products that people mentioned as worthwhile in implementing network security in open environments:

A. SECURITY MANAGEMENT

Security Management involves going out on the network to ensure that your policies are being followed. It includes checking to ensure that users have valid, up-to-date passwords, that user privileges are correctly assigned, that users log off properly, etc. The two market leaders for this technology are Raxco's Security Toolkit and SecureMax from OpenVision. Both of these products have received good reports from users, who say that they greatly simplify their management tasks. Raxco's product gets additional praise for its comprehensive reporting capabilities. OpenVision has strong -- SecureMax and Security Detective -- for the OpenVMS environment. CA Unicenter also provides extensive security features, although it is only available as part of the complete CA solution and involves changing the OS kernel. Fischer International provides the Watchdog suite of data security products for PC-LANs. Mergent offers a similar function which a couple of people said is somewhat less functional than the Fischer product.

B. USER AUTHENTICATION/IDENTIFICATION

This is the gatekeeper to your environment -- ensuring that the person logging on is authorized to log on, and that they are who they claim to be.
One problem many large sites are facing is the need of users to carry around 40 different passwords to access each different environment/resource in an organization -- various solutions seek "single-sign-on" across the entire computing environment, although I've yet to hear of a successful example of this in practice (except in very limited environments).

Products available for Access Control include:

- -Security Dynamics offers SecurID, which employs a credit-card-sized (two-card thickness) number generator which users carry with them. They log in using their PIN plus the number on the SecurID card. Thus, if the card is lost, it's of no use to anyone without the PIN.

- -Dallas Semiconductor offers "Dallas Sign On," based on its "Button" technology -- a button-sized authenticator which connects to a port on the computer for "bring-something, know-something" authentication. They are looking at including encryption technology inside the button.

- -Enigma Logic provides SafeWord software which communicates with ID verification technologies such as smart cards, handheld tokens, and some biometric technologies. Enigma Logic offers a token which includes the PIN in the token -- without knowing the PIN, the user can't activate the token to get the authentication number.

- -Mergent International provides Single Sign-On/Data Access Control (SSO/Dacs) for DOS and OS/2 compatibles, ostensibly providing single-sign-on to workstation, network and mainframe environments.

- -IBM released a new version of NetSP, a single sign-on product providing a third-party security server that controls userID and user access to applications.

- -Fifth Generation Systems provides Secure Access Facility for Enterprise (SAFE), a PC-based product that creates a "security kernel" on each PC containing relevant security information (encrypted). SAFE handles the negotiation of access to network resources. Fischer's Watchdog product offers similar functionality.

- -BoKS, distributed by SECURIX, Inc. in the US, provides flexible access control, including the ability to define access control to complement security policy (for example, limiting the time period when a user can access the system, or the hosts he/she can access). Authentication is through passwords.

- -Firewalls represent the point of entry to a computing environment from the Internet -- so that only a single computer talks directly to the Net. Firewall vendors include: Raptor Eagle, Enigma Logic, Trusted Information Systems, ANS Interlock.

- -A number of products provide remote access security, for users logging into systems from remote locations. Typical schemes include software or hardware that "dials back" the user, combined with other authentication methods. Los Altos Technologies' TermServ is an example of a software-based remote access product -- in addition to modem security, it provides detailed reporting for capacity planning and management.

C. PRIVILEGE DEFINITION

Kerberos is the premier product for defining and maintaining levels of user privilege. The software provides authentication of a user to various resources in a computing environment. Developed at MIT, various implementations are currently available, including a number of commercial implementations. Difficulties with Kerberos include the lack of support from key applications, continued reliance on passwords (it is not a user identification/authentication product), complexity of implementation (and problems with scalability), and lack of interoperability among competing versions (DCE vs. MIT, for example). Commercial Kerberos providers include CyberSAFE (formerly Open Computing Security Group), and Cygnus Network Security.

D. DATA INTEGRITY PRODUCTS

Data integrity products include backup and storage management products (if you haven't read the summary of Best Backup Product for Open Systems, I'm happy to send it to you), encryption products, and virus protection products -- making sure data is not lost or compromised on the system or in transit. Despite user complaints that encryption should be linked to the token device used for user identification/authentication, no company is currently providing this capability. Many security management products also provide some data integrity functionality -- virus control, primarily -- and utilities such as the Norton suite are available as well.

Now then. If you have experience with any of these products, or know of others which should be included in my report, I'd really appreciate hearing about them. A summary of all responses will be posted. Complete confidentiality is guaranteed.

- --
Jon Bines (jonbines@panix.com)   ^  If you're not part of the solution,
NSM Best Practices Rept.         ^  you're part of the precipitate.
203 1st Ave #1 NY NY 10003       ^
Phone/Fax 212-254-7064           ^                       -Steven Wright

------------------------------

Date: Tue, 31 May 94 05:57:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Wanted: Infos on ARJ-Virus

P. Immond (pi@europe.pha.oche.de) writes:

> I'm looking for infos on ARJ-Virus.

I *suspect* that you mean Archive_Worm - the Russian virus that infects ARJ archives and that was described in Virus Bulletin. If my assumptions are wrong, please specify more information. I am including the original description of the virus that I got from Eugene Kaspersky.

> Can it really infect an ARJ with
> Security envelope?

Yes, it can, but the resulting infected archive will have its security envelope broken, of course. BTW, the "security envelope" is not secure at all.
If you want a *really* secure (in the cryptographical sense) archiver, supporting symmetric and asymmetric (public-key) encryption and public-key authentication, compatible with PGP-generated keys - use HPACK.

Regards,
Vesselin

Arjvirus
========

It is a non-memory-resident virus which searches for ARJ archive files and infects them. This virus, which is more a worm than a standard DOS virus, is 5000 bytes in length. It updates these files with its own (virus) copy.

On execution this infector searches for files with the ARJ extension by using the "*.arj" mask (files with the ARJ extension are created by the ARJ.EXE utility and contain compressed files). It searches for ARJ files in the current and all the parent directories. If an ARJ archive file is found, the virus creates a temporary file with a randomly selected name and the COM extension. This name consists of four letters from 'A' till 'V'; the 'V' limitation is because this virus uses the 0Fh limit for the letter number, the 15th (0Fh) letter is 'V'. The resulting names look like BHPL.COM, NLJJ.COM, OKPD.COM etc.

Then the virus writes itself (5000 bytes) into this COM file, and for hiding it appends garbage bytes of randomly selected length to the file; the virus checks that the length of that garbage does not exceed the maximum length of an executable COM file. The lengths of the resulting worm files are more than 5000 bytes; 5000 bytes is the length of the worm's body which is stored in the file on any infection.

Then the virus inserts that file into the archive that was found. It does this in the easiest way - the virus forces the ARJ.EXE utility to do it. One of the ARJ.EXE switches is the "a" character, which adds the file(s) to the ARJ archive file. The virus uses this option: it executes ARJ.EXE with the "a" character by using the standard C function.

The string which is executed looks like:

    c:\command.com /c arj a <archive> <name>.com

where <archive> is the name with extension of the ARJ archive that was found and <name> is the four-byte randomly selected name described above. The "/c" switch causes COMMAND.COM to execute the specified program (ARJ.EXE) and immediately exit. On execution of this command the archiver ARJ.EXE compresses and adds the worm to the archive file that was found. Then the virus deletes the temporary file and searches for the next ARJ file. If there are no archive files in the current directory, the virus jumps to the parent one. If the current directory is the disk root directory, the virus returns to DOS.

One of the features of this infector is duplicate infection. On infecting an archive the virus does not check it for its own presence - and how could it? Checking inside an archive is not an easy task, and I see that the author of this virus did not set preventing duplicate infection as an objective. It realized the new idea in the easiest way, no more.

Second, the virus generates the random names of the worm files. Sometimes it can generate a name which is already present in the ARJ file being infected. As a result, that file will be overwritten by the virus and its contents will be lost.

For hiding its spreading the virus hooks INT 10h - the video interrupt. It points it to an IRET instruction, which disables the standard output to the screen. This feature hides the virus, but if an error occurs during virus activity, ARJ.EXE or DOS will display an error message (for example, "Write protect error writing drive A:") and wait for an answer. But the virus has disabled the output, and the user will see only a blank screen. It looks as if the computer has hung up. By the way, the virtual DOS machine under MS-Windows switches to full-screen text mode on a write-protect error, and it is then impossible to switch to another task.
And the last note: this virus contains the short internal text strings:

    *.arj
    ..
    0000.com
    /c arj a 
    c:\command.com

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 06:12:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Bradley (bradleym@netcom.com) writes:

> How about KOH? Also the Potassium Hydroxide virus. It will encrypt your
> HD for you using the IDEA algorithm. And it includes an option for
> removal from your HD as well as a couple other options.

How nice from its part, isn't it? However...

First, as I already pointed out in another message of mine, just asking the user for permission to infect is not enough, because it causes an interruption that may be unwanted. No, a virus that claims to be "beneficial" *must* not infect a system, unless the owner of that system *actively* invites the virus. And there should be no place for mistakes, that is, cryptographically strong means should be used to authenticate the virus to the system and the system to the virus.

Second, what does KOH do exactly that cannot be done by a non-viral program like SFS, SecureDevice or SecureDrive? (All three are available in the USA and the first two are available to the whole world. Also, unlike KOH, the last two come in source, so you can check them yourself for security bugs and/or backdoors.) And why should I use a virus instead of a non-viral program to encrypt my disks?

Third, since the virus installs the encryption program on each disk it infects, it is so easy to forget it there while traveling abroad (this concerns mostly US citizens).
Now, if your disks were encrypted by a stand-alone program, you could simply leave that program home. (Hint to the non-US people: the US export regulations forbid exporting of encryption software without a special license. The penalty is 41 to 51 months prison.) You can't simply "leave home" the KOH virus, because it is on the boot sector of all your encrypted disks... Beneficial virus? NOT.

> And CPAV will also modify your files for you, under the guise
> of protecting you.

Yeah, but first, it doesn't do so unless you explicitly tell it to do it, and second, if you feel unhappy about it, you can always call CPS' tech support number and bitch about it. Now, when the virus writers begin to provide tech support for their creations, I'll reconsider.

> Besides, only a small amount of viruses have
> malicious code.

You mean - only a small amount (about 1/3) of the known viruses are intentionally destructive. That's true - most of the damage caused by viruses is because of the lost time, efforts, and money, spent to remove them. But so what? It doesn't make them less damaging...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:52:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CARO and EICAR

Keith A. Peer (dm252@cleveland.freenet.edu) writes:

> I am trying to find out about 2 organizations that I
> heard are PC Security/Virus related but I do not know
> where or how to contact them. The organizations are
> "CARO" and "EICAR". Any help is greatly appreciated.
EICAR (European Institute for Computer Anti-virus Research) is an organization of companies (either producing anti-virus software or interested in virus protection) - much like NCSA in the USA. Anybody can become a member - they only have to pay the membership fee. Contact information:

    Dr. Paul Langemeyer
    c/o Siemens Nixdorf AG
    Otto-Hahn-Ring 6
    85739 Muenchen
    Germany
    Telephone: +49-89-636-45400
    Telefax:   +49-89-636-47326

CARO (Computer Anti-virus Researchers' Organization) is not a formal organization per se. It is something like a private club of the technical virus experts. Membership is *very* limited. We are just friends who exchange technical knowledge about computer viruses, in order to help each other fight them.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 10:34:47 -0400
From: nschechtman@pppl.gov (Nathan Schechtman)
Subject: danger from used disks?

I just bought several hundred used disks from someone on the internet. I'd like to guarantee that they're safe. Any suggestions out there? Will reformatting them remove all viruses?

Thanks

Nathan Schechtman               email: nschechtman@pppl.gov
Princeton Plasma Physics Lab    phone: 609-243-3465
Princeton, NJ 08543

------------------------------

Date: Tue, 31 May 94 14:51:34 -0400
From: Ian Douglas
Subject: The underground and 'good' viruses

I see Messrs Cohen and Bontchev are discussing the merits of 'good' viruses. We are having a similar discussion in the FidoNet echoes.
The Underground is doing its best to persuade us that

1) good viruses can exist ('cos Fred Cohen says so)
2) these viruses can actually do useful, beneficial things
3) research into these viruses is a Good Thing, and actually nothing but research into Artificial Intelligence (wow!).

However they have not clearly defined exactly what they mean by 'good' virus. The definition is also very flexible, and changes shape when objections against it are raised. They usually talk about some small program, limited to one machine (or network) only, that goes around deleting .bak files older than a month; or other similar tasks. IMHO these sort of things can better be done by a simple TSR or even via bat files. So why the necessity for using a program that replicates?

Simply to blur the distinction between right and wrong. They are implying that since 'good' viruses exist, then all research into writing viruses is a Good Thing and should be encouraged, admired, etc. They take pains to distance themselves from those OTHER evil people who write nasty viruses that destroy data. Horrors! Of course they are not shy about dragging Fred's name in when it helps them either.. They have also invented new names for their creations, like CyberPet.

Which brings us back to the question of What Is A Virus. While I understand Fred's definitions (ok, not the maths one, have not seen it yet), a boot disk with diskcopy on is not the sort of thing that is causing problems in the world right now. So I propose a slight modification to the working definition of a virus being a program that can replicate in the right environment:

    A virus is a program that can replicate in the right environment, and that
    alters the 'normal', 'expected' flow of execution to ensure that a copy of
    itself gets executed.

For example, MBR infectors:

    Normal flow:     BIOS, MBR, DOS BS, etc.
    After infection: BIOS, MBR (virus), MBR (real), DOS BS, etc.

Similarly with other types of infections.

And that is my 2c worth to the great debate :-)

Cheers,
Ian

------------------------------

Date: Thu, 02 Jun 94 15:42:27 -0400
From: "David M. Chess"
Subject: re: Parity Boot B on OS/2 bootdrive (OS/2)

> From: jan@myhost.subdomain.domain (Jan H. Bergesen)

?? Is that really the Internet address? Seems unlikely!

> I've somehow managed to get the virus Parity Boot B on my OS/2 boot partition
> this is drive d: formatted with HPFS.
> I know one can use fdisk/m under DOS, but what do I do under OS/2???

The Parity Boot B infects the master boot record, and doesn't care what the operating system involved is. If you can find a bootable DOS 5+ diskette with FDISK on it, FDISK /MBR should still do the Right Thing. Do make sure you have good backups first, though! Or find an antivirus program that disinfects it explicitly.

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date: Tue, 31 May 94 01:51:14 -0400
From: "A.Jilka"
Subject: FYI: "Form-detector" (PC)

Hi all,

I thought you might be interested: Whenever a PC is infected by FORM and you run QEMM 6 or 7 the machine locks up after executing DOSDATA.SYS. As we do swap floppies now and then with Uni-Vienna it happens that one of our PCs gets infected. Uni-Vienna seems to have an infection rate of +70%.

So: if your PC locks during boot, give your favourite AV a chance.

Greetings,
Alfred

- --
A. Jilka, Geological Survey, Austria
jilka@gbaws4.zamg.ac.at
Phone: +43/222/712-56-74/85
Fax:   +43/222/712-56-74/56
! Enjoy life, you'll be dead long enough !
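Ian Douglas's MBR example above (BIOS, MBR (virus), MBR (real), DOS BS) and David Chess's FDISK /MBR remedy for Parity Boot B describe the same structure from two sides: the infector replaces the 446-byte code area of the master boot record while leaving the partition table alone, and the repair rewrites the code area while preserving that table. The Python below is an added example written for this digest, not code from any poster, product or anti-virus package named in it. It shows how an integrity checker of the kind Vesselin Bontchev recommends elsewhere in the issue catches such a change: it records a baseline (a hash of the code area plus the parsed partition table), flags a sector whose code no longer matches, and restores the code area from a known-clean copy. The MBR bytes, the function names and the partition values are all constructed for the example; the "altered" code is an inert labelled stand-in, not real boot-sector malware.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 446          # boot code occupies bytes 0..445
PTABLE_OFF = 446        # four 16-byte partition entries follow the code
SIG_OFF = 510           # 0x55 0xAA boot signature ends the sector
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample bytes (not taken from any real disk or virus):
# a conventional MBR prologue (cli / xor ax,ax / mov ss,ax / mov sp,7C00h / sti)
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
# an arbitrary stand-in for "something else now runs before the real MBR"
ALTERED_CODE = b"\xeb\x10\x90" + b"ALTERED-BOOT-CODE-STAND-IN"


def build_sample_mbr(code: bytes) -> bytes:
    """Assemble a synthetic 512-byte MBR: boot code, one bootable FAT16 entry, 55AA."""
    if len(code) > CODE_END:
        raise ValueError("boot code must fit in 446 bytes")
    # status 0x80 = bootable, type 0x06 = FAT16, CHS fields are placeholders,
    # LBA start 63, 20480 sectors (about 10 MB) -- all constructed values
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0c", 63, 20480)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return code.ljust(CODE_END, b"\x00") + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector layout and return a baseline record for it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                    # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
            "partitions": partitions}


def check_boot_chain(sector: bytes, baseline: dict) -> list:
    """Compare a sector against a stored baseline; an empty list means no deviation."""
    current = parse_mbr(sector)
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed: the BIOS now hands control to code "
                        "that is not in the baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    bootable = [p for p in current["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    return findings


def restore_boot_code(sector: bytes, clean_sector: bytes) -> bytes:
    """Rewrite only the code area and signature from a known-clean copy, keeping the
    current partition table -- the same thing FDISK /MBR does to the real MBR."""
    return clean_sector[:CODE_END] + sector[PTABLE_OFF:SIG_OFF] + b"\x55\xaa"


def demo() -> dict:
    """Run the clean / altered / repaired sequence and return the findings per step."""
    clean = build_sample_mbr(CLEAN_CODE)
    baseline = parse_mbr(clean)
    altered = build_sample_mbr(ALTERED_CODE)   # code swapped, table untouched
    repaired = restore_boot_code(altered, clean)
    return {"clean": check_boot_chain(clean, baseline),
            "altered": check_boot_chain(altered, baseline),
            "repaired": check_boot_chain(repaired, baseline)}


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, "->", findings or ["no deviation from baseline"])
```

The point of hashing only the code area and comparing the partition table separately is that the two change for different reasons: a legitimate repartitioning alters the table but not the code, while an MBR infector of the kind Ian describes alters the code but leaves the table intact so the disk keeps working. A checker that stored only one hash over the whole sector could not tell the two apart.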
------------------------------

Date: Tue, 31 May 94 02:04:14 -0400
From: sa1737976@v9001.ntu.ac.sg
Subject: info on 2 viruses (PC)

i need some info on what McAfee's scan identified as NewBug and NiceDay viruses. thunder-byte anti-virus identified both of them as anti-exe. the problem is that i can't find any of these entries in vsum !! the NiceDay sample that i have doesn't seem to infect another diskette. does it have an internal timer ? or what r its infection criteria ?

and where can i get a copy of f-prot ? seems like quite a lot of ppl r talking abt it and using it. i can accept uuencoded stuff :).

thanx !!

------------------------------

Date: Tue, 31 May 94 02:57:10 -0400
From: tluten@delphi.com
Subject: Re: DIR-Virus? (PC)

I ran into similar problems several years ago, and concluded that the "format" commands used by various systems were potentially incompatible, as were some floppy drives. I would like to hope that these mismatches have been worked out in the succeeding years, but maybe they have not.

------------------------------

Date: Tue, 31 May 94 05:42:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM and SPANISH Telecom (PC)

Alan Coombe (a.coombe@east-anglia.ac.uk) writes:

> We run diskless PC's on a Novell server. We have a Ram drive.

In this case you don't have to worry about either Form or Spanish Telecom (presuming that you mean the widespread boot virus, not the rare COM-infecting dropper). Both are boot sector viruses and cannot spread across networks.

> Does anyone know if these viruses have stealth capabilities, whereby they can

Form is not stealth, but the boot variety of Spanish Telecom is.

> survive a RESET (Either RESET button or CTRL+ALT+DEL)

No, neither of them attempts to survive a warm reboot and no virus can ever *survive* (EXE_Bug tricks excluded) the cold reboot initiated by depressing the RESET button.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 05:46:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Vet software (PC)

John Guynn (jag@univel.telescan.com) writes:

> Is Vet commercial or shareware?

Commercial, sold by Cybec Pty Ltd., PO Box 205, Hampton, VIC 3188, Australia.

> If it's shareware where can I ftp it
> from?

It's not and you can't.

> I looked in the FAQ but it didn't mention anything specific
> about any anti-virus software (as far as commercial or shareware and
> locations).

This is intentional. The FAQ is not meant for advertising purposes and we didn't want all the anti-virus producers to bother us with questions why their excellent product is not mentioned there. :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 06:23:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good anti-virus software recommendation needed (PC)

Johnson C. Lee (jclee@netcom.com) writes:

> Does anybody know if there is any anti-virus software that will
> detect the virus automatically ?

Since there is no such thing as "the virus" (there are about 4,300 known IBM PC virusES), the answer to the above question is "NO".

> What I mean is every two weeks I have
> to run my anti-virus software to do detection and it took a long time.
Maybe you have to get a better anti-virus program. What kind of anti-virus program are you using? If it is a scanner, I advise you to take a look at TBAV and F-Prot. Both are very good and very fast. (TBAV is faster, but F-Prot has a better detection rate.) If it is an integrity checker, take a look at Integrity Master and VDS.

> It will be nice if there is an anti-virus software which will do the
> detection when there is disk operation etc etc.

Or is it a *memory-resident* scanner that you need? Many (most) scanner-based anti-virus products include one.

> And can someone recommend me some good anti-virus software either
> in the shareware domain or in the market ?

Some of the best scanners *are* shareware. In fact, the commercial products are often (not always) far behind. The best integrity checker I know about was commercial (Untouchable by Fifth Generation Systems), but since Symantec bought the company, I don't know how it is sold any more.

> I am particularly looking
> for something that will work in a networked (both netware and
> TCP) environment.

That's a more difficult requirement. I am not aware of any good TCP/IP-based scanner. Most NetWare (NLM) based products are nothing exceptional... You might look at the NLM produced by S&S International (they sell Dr. Solomon's Anti-Virus ToolKit) - their scanner is very good, but I have no experience with the NLM.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:11:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Any Iper Info? (PC)

Jerry Billette (jer@netcom.com) writes:

> viruses. While we were disinfecting our systems using NAV 3.0 we came
> across multiple .exe files that contained the iper virus. The best

NAV 3.0 is most probably wrong, because the Iper virus infects only COM files. It could be anything - from a different virus to a false positive. I would advise you to use a scanner that performs a better identification.

> information that we could come up with is that the iper virus infects
> com files.

This is correct.

> So, my questions are 1) does this virus do any damage
> besides replicate and

It seems to have a date trigger that activates on the 17th of any month. The code that is activated does something with the ports, which might be causing some damage, but I don't have the necessary help files handy, so I can't tell exactly. However, you almost certainly do not have this virus.

> 2) why did it only show up in .exe files and not
> any .com files?

Probably because NAV 3.0 is simply wrong and you do not have this virus. As I said, it might be a different virus, or no virus at all.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:19:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DANGEROUS VIRUS (PC)

Dale (slash@ccinet.ab.ca) writes:

> Chinon America Inc. last week reported the existence of a virus named
> "CD-IT" that reportedly surfaced on the Internet. A file identified as

That was a typical example of the uninformed journalistic hype that surrounds the virus problem. First, it was not a virus. It was a trojan horse - and a very well known one - Worpal.2. Second, most good scanners (e.g., F-Prot) have been able to detect it for years.
Third, it was seen on a BBS - it was not "spreading on the Internet", as the article seemed to imply. In short - junk information in a junk article. Ignore it. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 31 May 94 07:23:17 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC) Spandan Choudury (schoudhu@ucunix.san.uc.EDU) writes: > For a hard disk infected with the M. virus, does anyone > have info on > * Whether there is a shareware/commercial_software > that will recover most/all the data present on the > damaged hard-disk. It cannot be done automatically and therefore no software exists that does it. Only with the qualified help of a data recovery expert you might be able to recover some of the lost information - and in most cases it is likely to cost you more than the information that has been lost. A much better solution is to simply restore from a backup. And if you don't have one, *now* is the time to understand that all those people telling you to make regular backups have been right... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 31 May 94 07:32:40 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Anti-CMOS virus.... 
(PC)

jeff@lab.bus.utah.edu (jeff@lab.bus.utah.edu) writes:

> In the last week I have had four computers in our lab infected by
> a virus called Anti-CMOS.

> So far the only way to disinfect it has been a low-level format which
> is not the option I want.

Low level format is *never* necessary. Try McAfee's CLEAN, telling it to remove the [genp] virus. It *might* work, although it is not guaranteed to.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:40:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Information requested on Doom virus (PC)

Unknown (Unknown@sun4.bham.ac.uk) writes:

> Does anyone know of the Doom virus, supposedly undetectable (!), and

Undetectable, huh? I know two viruses with similar name (Taiwan.677, sometimes called Doom, and Doom_II), and both have been known to the scanners for years.

> corrupts PC FAT's on Friday 13th (my goodness - that's today, panic)

Taiwan.677 activates on the 8th of any month and Doom_II activates in March, so maybe you mean something else.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:46:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: InVirible (???)
(PC)

Francis Ng-Cheng-Hin (FNGCHENG@1308.watstar.uwaterloo.ca) writes:

> A while ago on Fido, I heard of a program called InVirible (or something
> like that) that was an integrity checker or something similar to that.
> Anyways I think the author was from the Middle East. I haven't been able to

Israel.

> find this program at oak.oakland.edu and do remember the author saying it
> was available for FTP somewhere, but I can't remember where. I would

As far as I know, it is commercial. I might be wrong, and if it is indeed shareware, I'd be happy to offer it from our ftp site. I think that the author reads this forum, so he might be able to reply to you directly.

> has this file. Thanks. Also is it just me or does this newsgroup have very
> few if any posts?

There seems to be some problem - not all articles published in Virus-L appear on comp.virus. This used to happen every now and then, but has increased lately. I am often receiving feedback on articles I have sent to comp.virus, but have never seen them there (but obviously other people have seen them in Virus-L).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 13:04:21 -0400
From: gorbiel@student.uci.agh.edu.pl (Andrzej Gorbiel)
Subject: Virus in Norton Commander 4.0! (PC)

[ Article crossposted from comp.os.msdos.apps ]
[ Author was Andrzej Gorbiel ]
[ Posted on 31 May 1994 16:59:57 GMT ]

Hello,

Some days ago I had problems with Norton Commander 4.0. It behaved strangely! The left panel was moved right by 8 columns. The right panel displayed mostly garbage. It used to hang more often. After ALT_F1 it displayed a window "Choose RIGHT drive:" (instead of LEFT).

I started searching for the reason.
I ran all the antiviral software I had. Nothing! I compared VALIDATE checksums of NC.EXE and NCMAIN.EXE - nothing! I booted from a write-protected floppy and did all the tests again - nothing! I deleted NC.INI (AFTER exiting Norton Commander!) - it helped!

Fortunately I have a backup of this fatal NC.INI. I appended it to this mail. You won't believe my words until you try it yourself! So do try! It's not very dangerous (I hope!).

BTW Does anyone know what is inside NC.INI? There is CWD in left panel, CWD in right panel, a path to user chosen editor, file-filter mask and everything found in "Configuration" dialog box. The size of the file seems to be constant (774 bytes). And there must be a byte (or a bit) that causes NC to go mad with no hope of recovery by configuration changes (you must exit NC first and then delete NC.INI).

Enjoy!
Andrzej

BTW if you find which bit of NC.INI is critical (i.e. causes this effect) do not hesitate to inform me (by e-mail). Or write a virus that changes that bit and call it Symantec!

QUUNCD Ver. 1.2, by Theodore A. Kaldis.
BEGIN--cut here--CUT HERE--
begin 600 nc.ini
M0E5)3$0T,````"@$`0`I``(``P`,`!(`WP```(;,-*X$``KV=1J*Z#8`````
M`*D`=@$"`"D`$P">`;E\`8/&/H/'/O.DPPZX``*+V#'),/8``"@````5`%X.
M`0````(`7`!44D%.1T4N(2$A```````````````````````````````````` M``````````````````````````````````!-```````````````````````` M-*X``(=.W"A!5TQ!3@!25P!S``````````![8@```````````0`````````J M+F5X92`J+F1L;"`J+C,X-@```````````#<```!$.EPA(2%<8GHN>FEP`%13 M```````````````````````````````````````````````````````````` M``````````````````````````C#`@`#``P`$@#?````?@$0UP0``````-`$ M3P```````0`F``(`",,3`"W#````````````````````````````````!\,` M`!4````!``$``P!<4U1204Y'12XA(2$````````````````````````````` M```````````````````````````````````````````````````````````` M```````0UP``25G<*"XN``!3`%````!E```````"`'MB```````````!```` M`````"HN='1F````````````````````````````-P```$,Z7%1%6%1<1T%: M151!7&MA9S`W.30N>FEP```````````````````````````````````````` M```````````````````````````````````%``,``P````$````!``$````` M``$````!``$``0`!``$```````(````!``$````!``$````!`"P&[`0!``$` M``````$`"``(``$`8SI<141)5%Q17%$N15A%("$N(0`````````````````` )``````````#: ` end END--cut here--CUT HERE-- ------------------------------ Date: Tue, 31 May 94 16:33:15 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Subject: RE: Attack by MOnkey ... (PC) >From: lubkt@Lehigh.EDU (Binod Taterway) >Subject: Attack by MOnkey ... (PC) >I noticed that after doing the DIR on an infected diskette, the virus >becomes memory resident but does not infect the hard disk. I have >looked at Patricia Huffman's summary on MONKEY, but the description >does not tell how (at what point) infection takes place. Am sure that by now several have explained what to do with the MONKEY (yet another beneficial virus ?) but the philodendrum of "ghosting" of boot sector infectors is worthy of some thought: When you do a DIR of a floppy disk, it is necessary for DOS to first examine the boot sector to determine what kind of disk it is. In the case of most current DOS versions, the boot sector is read into a designated area of the first 64k of memory. 
Since this area is used only for this purpose, it will not be overwritten until the next disk is inserted. Thus when a DIR of an infected disk is done, the infected code is read into this area as data (it is NOT executed or truly "memory resident" in the TSR meaning, it is just there).

Many scanners are unable to make this distinction and, finding nothing unusual about a BSI virus being found in low memory rather than at the TOM, feel obliged to report the condition.

To check, simply place a clean write-protected (just in case) disk in the PC, do a DIR of that disk (DIRing the hard disk will not generally work), and rerun the scanner. If everything comes up clean then the floppy and not the PC is what was infected.

Padgett

steganography: hiding a message in a duck

------------------------------

Date: Wed, 01 Jun 94 08:21:28 +0000
From: wdwitte@cs.vu.nl (Witte de W)
Subject: virus destroyed disk driver (PC)

Hi,

A few days ago I had the Form virus on my system (boot sector virus). I successfully deleted it, but now my B: drive (3.5" HD) does not work properly anymore. Only (very) now and then it will respond to a 'dir' command, but most of the time I get a 'General Failure'. The internal setup - as far as I can see it - is fine. The diskettes are formatted and reformatting does not work either.

Has anyone an idea what might be going on? Please respond!

wiebe de witte (wdwitte@cs.vu.nl)

- --
- --- guns don't kill men, bullets do - Sledge Hammer

------------------------------

Date: Wed, 01 Jun 94 14:37:49 -0400
From: sa1737976@v9001.ntu.ac.sg
Subject: info wanted on NiceDay and NewBug (PC)

Can someone out there help me by providing info on the virus NewBug as identified by McAfee's SCAN. The only thing I know about it is that it displays a message "Have a nice day (c)YCP" on 1st June (actually I found this out accidentally). I haven't been able to find anything about it in VSUM. And VSUM doesn't say anything about the NewBug virus either.
Another problem is that Thunderbyte Anti-Virus identifies both of them as the Anti-EXE virus!!? I'm really lost!

Another thing is, how good is F-Prot? I've heard about it but haven't tried it. I'd appreciate it if someone can mail me a uuencoded copy.

Thanx :) !

------------------------------

Date: Wed, 01 Jun 94 15:36:17 -0400
From: marty@gsbnetop.UCAR.EDU (Martin Moses)
Subject: NOINT virus (PC)

Recently we have had several cases of the NOINT PC virus. This virus appears to attack the boot sector, very nasty. Are there any known cures for this virus? If you have any information please send me E-Mail: martin.moses@gsb.uchicago.edu

Thanks
Marty

------------------------------

Date: Thu, 02 Jun 94 03:44:41 -0400
From: rebel@engin.umich.edu (Johnny Yuma)
Subject: New virus (Trashed?) in Ann Arbor Mi? (PC)

Has anyone heard anything about the new(?) virus found in Ann Arbor? I saw some overly hyped piece about it on the news, claiming that 'No Virus Scanners can detect it'..'and in fact, could spread it farther'. Has anyone heard anything? Or even touched a live copy? I would love to hear more about this virus. I believe they called it the 'Trashed' virus.

I'm kinda bummed that, since it was found in Ann Arbor (according to the News people here... go figure), it wasn't named after Ann Arbor... Oh well, can't have everything I guess. =)

Rebel

- --
Everyone should know of all information that others have deemed unfit for public knowledge. -Author Unknown
rebel@engin.umich.edu -- Rebel without a clue -- Finger for PGP Key
Key fingerprint = 6E AF E6 6D E3 2E 87 40 CA 54 64 D3 B7 1A D0 3E

------------------------------

Date: Thu, 02 Jun 94 06:34:43 -0400
From: bullingt@sfu.ca (Keith Gordon Bullington)
Subject: "New" Virus found? (PC)

I've come across a .COM infecting virus that fails to be caught by SCAN v2.01, TBScan or F-Prot 2.12.
This virus infected my system quite rapidly and the only scanner I could find to pick it up (except by simple debug hunt-and-peck) was VPCScan v2.93. Here's the lowdown on what I found; more information can be acquired if anyone is interested by e-mailing me.

Virus ???:
  .COM infection only (so far)
  Approximately 1k in size added on to file (date is stable)
  Volatile encryption seems to be used (different for every file)
  Contains the text strings: "Dr. White - Sweden 1994.3" and
                             "Junkie Virus - written in Malmo"

I have an isolated infection sample if anyone needs one. (B.T.W. VPCScan flagged it as a "PS_MPC-23" infection, if that means anything to you...)

bullingt@sfu.ca (Adam)

------------------------------

Date: Thu, 02 Jun 94 07:35:03 -0400
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Re: Anti-CMOS virus.... (PC)

jeff@lab.bus.utah.edu (Jeff Hasset) wrote:

>In the last week I have had four computers in our lab infected by
>a virus called Anti-CMOS.
> [stuff deleted]
>P.S. This virus has only shown up since we updated our virus scan
>(we are using F-Prot).

Are you using F-Prot 2.12? I tested it on some old PCs in our lab, and it reported a new variant of Anti-CMOS in the MBR. However it was not a virus, as the MBR contained some code relating to a protection device driver (ADM.SYS) which was used to write-protect drive C. It did not contain any virus code however. It is just a false positive, nothing to get worried about.

You could rewrite the MBR code with FDISK /MBR, after booting from a clean floppy (assuming drive C is visible after booting), especially if this protection driver is not used any more.

Regards,
Clyde

- -----
Clyde Meli, B.Sc., Teaching Assistant,
Dept. of Computer Information Systems,
University of Malta, Malta.
Internet: cmeli@unimt.mt
Telephone: (+356) 3290-2509

------------------------------

Date: Wed, 01 Jun 94 19:52:06 +0200
From: Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: New virus - Ear.Interceptor (PC)

Hello,

The following virus was isolated in Sassenheim, The Netherlands. It is spreading to the eastern part of Holland towards Germany by now. Thomas Schlangen will hatch the disinfector into virnet Germany.

First and temporary description of the virus by Rob Vlaardingerbroek:

Ear.Interceptor virus: (temporary name)

The Interceptor virus is possibly a variant of the Ear virus. It's a resident .COM and .EXE infector. It will check its residency by comparing whether the vector is changed. This indicates that it will load itself again when another program also chains interrupt 21h.

When resident, the virus will infect .COM and .EXE files when executed. The following message is encrypted in the virus:

  The E-262, gone in our presence, living in our minds...
  The only iNTeRCePToR capable of speeds over Mach 3...
  The 'eXeCuToR' was the fear of all USAF pilots facing the iNTeRCePToR.

This message can be displayed sometimes. The rest of the virus isn't encrypted.

The virus does not contain a destructive payload. It plays tricks by hanging the system, intercepting printing and so on. It should be possible to disinfect all files, though the virus overwrites already infected files, meaning that it does not check whether a file is infected already.

As no scanner is able to find this virus yet, a disinfector is put on our bbs. Freq or download K-EARINT.ZIP

Samples of the virus are sent out to the av-developers.
Sincerely,
Rob Vlaardingerbroek

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland LAB (9:3110/0)

------------------------------

Date: Thu, 02 Jun 94 13:42:13 -0400
From: Mikko Hypponen
Subject: Re: antivirus products (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

> F-Check - a program from an obsolete version of the package F-Prot.

Uhh, no... F-CHECK is the DOS-based integrity checker from the current F-PROT Professional anti-virus suite. It's not included in the shareware version. The old (pre-version 2.0) F-PROT shareware packages contained programs called F-FCHK and F-XCHK, but these are not related to F-CHECK.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Thu, 02 Jun 94 13:56:24 -0400
From: Mikko Hypponen
Subject: Re: Virstop.exe and 386Max 7.0 (PC)

Ralf Grisard (ralf@meaddata.com) writes:

> I'm running MS-DOS6.2 with 386Max on a Dell 486/50 with 8 megs of RAM.
> Among other things, I'm connected to a Banyan network, but I'm running
> VIRSTOP after connecting to the network, as per the VIRSTOP doc. F-Prot
> itself runs fine -- it's only VIRSTOP that I'm having a problem with.
> Any ideas? (Helpful ones only, please :-)

Your problem is related to the 386Max memory manager you are using, not to the network. See below.

Juan Carlos Perez (juan@fiu.edu) writes:

> I would like to know if upcoming versions of F-Prot will solve the
> problem of VIRSTOP.EXE not working with 386MAX v7.0. Thanks...:)

Version 2.12 introduced a new switch to VIRSTOP: /NOTRACE. This switch makes VIRSTOP compatible with 386Max 7.x and BlueMax 7.x memory managers from Qualitas. This switch also makes it possible to use VIRSTOP in machines which are using the older 486 clone chips from Cyrix.
These processors had a bug which caused the single-stepping mechanism of the processor to fail in certain situations.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Thu, 02 Jun 94 15:46:10 -0400
From: "David M. Chess"
Subject: re: What about long partitions (PC)

>From: we34329@vub.ac.be (DE KERPEL SVEN)
>A virus (flip) messed with my HD now It claims that I have now
>long partitions (116MB) is reduced to 33MB (the max for normal
>partitions.

A partition longer than 32Meg has zero in the old "Total sectors" word in the BPB, and the true total sector count further out. The Flip doesn't know about this, and always lowers the old field's value by six, without checking. Use Norton or something to look at the DOS boot record of each partition; you should find the hex value FFFA in the word at offset 13 (hex). If you change that to a zero and reboot, you should get the true partition size back, assuming that nothing has written to the partition in the meantime in a disastrous way.

- - -- -
David M. Chess                    | IBM Computer Virus Information Center
High Integrity Computing Lab      | gopher: index.almaden.ibm.com
IBM Watson Research               | http://index.almaden.ibm.com

------------------------------

Date: Thu, 02 Jun 94 17:09:30 -0400
From: gbesko@bldgeduc.lan1.umanitoba.ca (Geoff Besko)
Subject: Joshi virus - False alarm? (PC)

When I scan a machine on my network with the Microsoft Anti-Virus utility that came with MS-DOS 6.1, it says that the machine has the Joshi virus. However, when I check the same machine with the newest (v2.12) F-Prot it doesn't register any viruses at all.

Has anyone heard about problems with the reliability of the MS Anti-Virus program? I will probably try another program to see if it finds anything, but I was wondering if anyone has had any similar experiences?
Any help would be much appreciated! Thanks!

Geoff

- ----------------------------------------------------------------
Geoff Besko
Network Administrator (BLDG_EDUC)
University of Manitoba
Geoff_Besko@UManitoba.CA

------------------------------

Date: Tue, 31 May 94 14:55:19 -0400
From: Ian Douglas
Subject: Harmless Viruses

The following article was published in a local electronic mag at the beginning of the year, and also posted onto the FidoNet virus echos. I am posting it here as it has some relevance to the debate about good and bad viruses.

Unarmed and Dangerous
=====================
(c) Ian Douglas 1994

There is a myth going around that, if a computer virus does not have a payload, then it is not dangerous, and is in fact harmless. Some people even refer to these as toys. I want to examine this in more detail, and show why it is a myth, but we first need to do a short history of warfare.

Once upon a time, a long time ago, Og woke up to find Gonta playing rather closely with Sheema, who was what we would call Og's wife. Og got rather upset, and punched Gonta. Unfortunately Gonta was rather larger than Og, and punched him back, knocking him out, before turning his attention once again to Sheema.

When Og woke up, he made a plan. He went outside the cave, and climbed up above it. When Gonta came out, Og dropped a large rock on Gonta's head, killing him. And thus was born the principle of *long range violence* - whereby a person can inflict violence on another with little or no danger to themselves.

As time went by, improvements were made in the methodology - spears, bows and arrows, catapults, guns, bombs, missiles. While most of these were used in conventional warfare, a new breed of Ogs arose - the terrorist. They use long range violence against innocent people, with little care about WHO actually gets hurt. Their favourite tool is the time bomb.

Then came computers, and a new twist for the terrorists: computer viruses and trojans.
------------------------

The term 'virus writer' needs clarification. There are three groups of people who might write viruses:

1) a computer scientist working for a company developing a new operating system, and who has to test just how secure the operating system is.

2) a programmer working for the military, who has to develop programs designed to knock out enemy computer systems. (Although I can't see HOW they will (a) introduce it to the enemy systems; (b) expect it to remain undetected; and (c) activate all copies at the same time (except by time/date))

These two groups work in carefully controlled labs, and their creations do not get out, and thus do not bother the rest of us. While people in both these groups can be described as 'virus writers', they are not the cause of the current computer virus problem.

3) the underground and people of similar mindset, who think it is 'cute', 'neat', 'k00l', 'fun', or whatever the current slang phrase is, to write and distribute computer viruses and other rogue code (trojans, ansi bombs etc).

To avoid confusion when referring to this group as opposed to the other two above, I have coined a new word - compterr (computer terrorist) - to refer to such people. The plural is compterrs, not compterri.

------------------------

Now, to the subject of the 'harmless' computer virus. There are basically four types of computer viruses: file infectors, boot record infectors, companion infectors, and FAT infectors. Let us look at each of these in turn.

File infectors: assume that a 'harmless' file infector exists. It has no payload, i.e. it has no code specifically written to do damage, like formatting C:. It infects .com and .exe files perfectly - the host program should always run after infection. Surely this virus is 'harmless'? No.

(1) On a purely non-physical level, it is harmful in two ways: Firstly, it is unethical to modify someone else's programs without permission.
Secondly, it destroys the trust that the user has in his machine and the software on it. Now he is never sure if running a program will result in a virus spreading or activating. Remember, the user does not know that the virus has no payload. And even if he did, do you suppose that he really wants all the files on his disk infected? The situation is that people have more implicit trust in a $5 calculator than in a $2000 computer.

(2) On the physical level, there is also damage. Firstly, the virus has to alter the code of the infected host, to ensure that the virus is executed. Viruses usually change the beginning of the host to allow the virus code to be executed first, before returning control to the host. So, the original file is damaged. Even running an anti-virus repair program is unlikely to restore the program to its original state.

(3) Then there are legal implications. Altering a program may be in violation of copyright. It may also invalidate the warranty on a program. Some programs which check themselves before running will refuse to run if infected by a virus. The user is denied the use of the programs for which he paid.

(4) Then there is the matter of trespassing. A hard disk is private property. You decide what you want to store on it. A virus removes that choice from you, and just invades.

(5) Consider the implications for a company which gives its clients diskettes which have infected files on them. The client detects the virus. Now do they still trust their supplier? A vital relationship has been damaged.

(6) The user has the inconvenience of checking every file and disk that he receives, and the hassle of cleaning the virus off of his system. This is wasteful of both time and money.

(7) Computer viruses waste disk space with useless code.

(8) Computer viruses slow the machine down with useless code.

(9) Memory resident viruses waste memory.

Some analogies to put the matter in perspective:

You have a letterbox.
Every time you get a letter, you also get an invisible letter with it. You remove the visible letter, but not the invisible letter. Pretty soon, your letterbox is full of invisible letters, and there is no space for your legitimate normal mail.

Or I come into your bedroom and spraypaint graffiti (Iron Maiden Rulez!) all over the walls. According to the compterrs, I have not damaged your walls - the original walls are still there, under the graffiti. Anyone agree that the walls are not damaged? How about if the original of the Mona Lisa was hanging on the wall at the time?

Or I come into your room, remove the blankets from your bed, place them under your bed, and put a small black suitcase on your bed. The compterrs say that the bed is not damaged, just rearranged. Time for you to go to bed. How do you? You have no way of knowing if the suitcase contains pressure-sensitive explosives or not. I have denied you access to your bed.

Some of the examples used about file damage also apply to the other forms of virus infection.

Boot sector infectors: Assume that a perfect boot sector infector exists. It does not matter whether it is a Main Boot Record (Partition Table) or DOS Boot Record infector - the operation is similar. The virus will move the original boot sector elsewhere, and insert itself where the boot sector was. Let us assume that the virus is well written and does not accidentally put the moved boot sector over the directory table or the FAT. Surely such a virus is harmless? No. See points (1), (4), (5), (6), (7), (8) and (9) above.

In addition, the boot sector is no longer where it should be. The user might do certain operations assuming that it WAS still there, with disastrous consequences. In addition, some Main Boot Record viruses use that part of the first sector reserved for the partition table. If a user booted off a diskette, his hard drive would be inaccessible to DOS.
Also, most boot sector viruses manage to wreck part of the FAT or directory tables on diskettes.

Analogy: I come into your room, move your bed out into the passageway, and put a camping bed in its place. Now when you want to go to bed, you find your bed is not what you thought it was.

Companion Virus infectors: These viruses create matching, usually hidden, .com files with the same name as .exe files. The .com files contain the virus code. Since DOS executes filename.com before filename.exe, the virus gets executed first. Now assume that a perfect such virus exists, with no malicious code. Is it harmless? No. See points (1), (4), (5), (6), (7) and (8) above.

In addition, this method of infection wastes more disk space than normal file infectors, since it creates new files. This clogs up the directory table with junk, and, since viruses are usually short, leads to lots of small files. For example, assume the virus is around 1000 bytes long, and your hard disk has allocation units of 2048 bytes. This is the minimum amount of space that DOS will allocate to a file, even if it is smaller. So for every copy of the virus, around 1k is totally wasted space. Now if you had 100 infected files on your hard disk... you lose 200k, half of which is empty.

Analogy: same as boot sector viruses.

File Allocation Table / Directory infectors: These are a variant of companion infectors. The difference is that instead of using DOS to execute the virus, the virus creates a copy of itself, and alters the pointers to a real executable to point to the virus instead. So when you execute filename.exe, you actually execute the virus, which replicates, and then passes control to filename.exe. Again, assume such a perfect virus exists. Is it harmless? No. All points raised in the discussion about companion infectors also apply. Worse, cleaning up such a virus is often a nightmare, and can result in major data loss.
This is because the virus manipulates the FAT directly, totally destroying what was there before.

Conclusion: there is no such thing as a 'harmless' virus.

The second bottom line: Viruses destroy time. Users have to waste time checking all files and disks, and cleaning up after an infection. Remember too that time costs money...

The bottom line: Viruses destroy money. Users are forced into taking expensive security measures, which costs money: the cost of the product, the cost of obtaining the product, cost of training, cost of cleaning up after an infection, cost of liability insurance. This money could have been put to more productive use. The cost is recovered by increasing the price of goods and services to the consumer. In the end, the consumer in the street (YOU!) ends up paying for the virus problem...

Cheers,
Ian

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 41]
*****************************************
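David M. Chess's reply on Flip and long partitions, earlier in this digest, describes a check (look for the word FFFA at offset 13h of the DOS boot record) and a one-word repair (put the zero back so DOS reads the 32-bit count further out). The following is an added worked example written by the editor; it is not code from the digest or from any of its contributors. It assumes the standard DOS BPB layout (16-bit total-sectors word at 0x13, 32-bit count at 0x20, 55AA boot signature at byte 510). The boot record it operates on is a constructed sample, and flip_infect_bpb reproduces only the single field change Chess describes, not the virus itself.

```python
"""Detect and undo the BPB change Flip makes on partitions larger than 32 MB.
Editor-added example, not code from the digest. Offsets follow the standard DOS BPB."""
import struct

SECTOR_SIZE = 512
OFF_TOTAL_SECTORS_16 = 0x13   # DOS 2.x "total sectors" word; zero on partitions over 32 MB
OFF_TOTAL_SECTORS_32 = 0x20   # DOS 3.31+ 32-bit total sectors, consulted when the word is zero
FLIP_FINGERPRINT = (0 - 6) & 0xFFFF   # 0xFFFA: what a zero word becomes after Flip subtracts 6


def make_boot_sector(total_sectors, bytes_per_sector=SECTOR_SIZE):
    """Constructed sample DOS boot record (not a real disk image): only the BPB fields
    that matter here are filled in, everything else is left zero."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                       # JMP SHORT + NOP
    sec[3:11] = b"MSDOS5.0"                          # OEM name
    struct.pack_into("<H", sec, 0x0B, bytes_per_sector)
    sec[0x0D] = 4                                    # sectors per cluster
    struct.pack_into("<H", sec, 0x0E, 1)             # reserved sectors
    sec[0x10] = 2                                    # FAT copies
    struct.pack_into("<H", sec, 0x11, 512)           # root directory entries
    if total_sectors < 0x10000:
        struct.pack_into("<H", sec, OFF_TOTAL_SECTORS_16, total_sectors)
    else:                                            # "long" partition: word is 0, count lives at 0x20
        struct.pack_into("<H", sec, OFF_TOTAL_SECTORS_16, 0)
        struct.pack_into("<I", sec, OFF_TOTAL_SECTORS_32, total_sectors)
    sec[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<H", sec, 0x16, 232)           # sectors per FAT (arbitrary for the sample)
    sec[510:512] = b"\x55\xAA"                       # boot signature
    return sec


def word_at(sec, off):
    return struct.unpack_from("<H", sec, off)[0]


def dword_at(sec, off):
    return struct.unpack_from("<I", sec, off)[0]


def is_dos_boot_record(sec):
    """Cheap sanity check before trusting BPB fields: jump opcode and 55AA signature."""
    return len(sec) >= SECTOR_SIZE and sec[0] in (0xEB, 0xE9) and sec[510:512] == b"\x55\xAA"


def dos_visible_sectors(sec):
    """The size DOS will believe: the 16-bit word unless it is zero, else the 32-bit field."""
    t16 = word_at(sec, OFF_TOTAL_SECTORS_16)
    return t16 if t16 else dword_at(sec, OFF_TOTAL_SECTORS_32)


def flip_infect_bpb(sec):
    """Simulate only the single edit Chess describes: subtract 6 from the 16-bit word
    without checking whether it was zero. This is the BPB side effect, not the virus."""
    out = bytearray(sec)
    struct.pack_into("<H", out, OFF_TOTAL_SECTORS_16,
                     (word_at(sec, OFF_TOTAL_SECTORS_16) - 6) & 0xFFFF)
    return out


def looks_flip_damaged(sec):
    """FFFA in the word at 0x13 while a non-zero 32-bit count is present at 0x20.
    On partitions under 32 MB the word is merely 6 too small and this check does not apply."""
    return (is_dos_boot_record(sec)
            and word_at(sec, OFF_TOTAL_SECTORS_16) == FLIP_FINGERPRINT
            and dword_at(sec, OFF_TOTAL_SECTORS_32) != 0)


def repair_flip_damage(sec):
    """Restore the zero word so DOS reads the true count from 0x20 again."""
    if not looks_flip_damaged(sec):
        raise ValueError("boot record does not show the Flip FFFA pattern")
    out = bytearray(sec)
    struct.pack_into("<H", out, OFF_TOTAL_SECTORS_16, 0)
    return out


def diagnose(sec):
    """Summary a practitioner would want to see before writing anything back to the disk."""
    return {
        "word_0x13": word_at(sec, OFF_TOTAL_SECTORS_16),
        "dword_0x20": dword_at(sec, OFF_TOTAL_SECTORS_32),
        "dos_sees_sectors": dos_visible_sectors(sec),
        "flip_pattern": looks_flip_damaged(sec),
    }


if __name__ == "__main__":
    # 116 MiB partition = 237568 sectors of 512 bytes, the case in the post
    clean = make_boot_sector(237568)
    damaged = flip_infect_bpb(clean)
    print("before:", diagnose(clean))
    print("after Flip:", diagnose(damaged))      # DOS now sees 65530 sectors, roughly 32 MB
    print("repaired:", diagnose(repair_flip_damage(damaged)))
```

Run directly, it walks the 116 MB case: the word at 0x13 goes from 0 to FFFA, DOS believes the partition has 65530 sectors (the "33MB" in the question), and zeroing the word brings the count at 0x20 back into force. repair_flip_damage deliberately refuses a boot record that does not show the FFFA pattern: on a partition under 32 MB the word is simply six too small, and restoring it is a different repair that Chess's note does not cover.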