Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04511; Wed, 20 Jun 90 17:25:47 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA07089; Wed, 20 Jun 90 17:25:44 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23325; Wed, 20 Jun 90 17:25:36 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa23229; 20 Jun 90 16:20 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:28:44 BST 
Message-Id:   <$TGWGCZNQBTKH at UMPA>
Subject:      Virus-L vol 0 issue #1004
Virus-L Digest Tue, 4 Oct 88, Volume 0 : Issue #1004

Today's Topics

TRAPDISK
Re: TRAPDISK
nVir help appreciated
Earnest request

------------------------------

Date:         Tue, 4 Oct 88 14:11:15 EDT
From:         "David A. Bader" <DAB3@LEHIGH>
Subject:      TRAPDISK

I found a new TSR utility floating around to protect disks from random  INT
13h  read/writes  etc.  Anyone  hear  of this program or have any comments?
-David Bader
 DAB3@LEHIGH
-----------------------------------------------------------------------
                                TRAPDISK.COM
                                Version 1.0

                                  PURPOSE

"Trap Disk" (TRAPDISK.COM) is NOT a  game!  It  is  a  further  attempt  to
prevent  pranksters  from  destroying  your  data. The proliferation of the
"Trojan Horse" type programs which purport to be games but  actually  plant
bombs  in  your  system  which  format  your  hard  disk  or erase the disk
directory,  has  prompted  the  writing  of  this  program,  as   well   as
CHK4BOMB.EXE  ("Check  for Bomb"). This program is based on BOMBSQAD.COM by
Andy Hopkins.

CHK4BOMB.EXE reads  the  program  file  from  disk  and  attempts  to  spot
dangerous  code and suspicious messages, but since code is often a function
of run  time  memory  situations,  it  could  miss  spotting  the  "bombs".

TRAPDISK.COM is a program that intercepts calls to the BIOS code in ROM  as
a  suspicious  program  is run, displays what is going to happen during the
call, and asks if you want to continue. You can abort or  continue  as  you
see fit.

                   INSTRUCTIONS FOR RUNNING TRAPDISK.COM

Type "TRAPDISK" and one or more of the following letters (upper or lower):
  "R"         to stop on a request to READ a sector
  "W"         to stop on a request to WRITE to a sector
  "V"         to stop on a request to VERIFY a sector
  "F"         to stop on a request to FORMAT a track
  "U"         to 'UNINSTALL' TRAPDISK - note that program will not be
              active, but memory can not be reused until the system
              is rebooted.
  "H" or "?"  to display a brief command summary (will not install
              TRAPDISK).

To change any of the instructions, just run the program again with the  new
letters;  although TRAPDISK is a memory-resident program, once installed it
will not attempt to re-install itself.

Remember that TRAPDISK will stop only on those requests specified the  last
time  it  was  invoked.  If  you start it with "F" only to stop on a FORMAT
call, and later want to add "W" to stop on a WRITE call, you must  specify:
TRAPDISK FW on the DOS command line.

IF NO LETTERS ARE SPECIFIED: TRAPDISK will remain active but will not  stop
on  any  disk  calls.  If  TRAPDISK  is  not installed, a "blank" call will
install it in memory.

SUGGESTION: Try TRAPDISK R to stop on a READ request and  then  try  a  DIR
command.  Watch  the operation on TRAPDISK when disk READS are called. This
will give you an indication of how the program works.

                                 MESSAGES

When TRAPDISK detects a call to the BIOS routines, it checks to see if  the
stop condition is met. If the function has not been selected, TRAPDISK will
pass  control  directly  to  the BIOS disk routine. If, however, a stop has
been requested before a disk function occurs,  TRAPDISK  will  display  the
following message:

                   |--------------------------------------|
                   |            DISK MONITOR              |
                   |--------------------------------------|
                   |      Break on request to READ        |
                   |                                      |
                   |  DRIVE  HEAD  TRACK  SECTOR  NUMBER  |
                   |    A:     0     26     1       9     |
                   |     Data address    0BA9:00F0        |
                   |     Return address  0070:0143        |
                   |                                      |
                   |  <Esc> to Abort  <Ret> to Perform    |
                   | <Del> to perform & disable trapdisk  |
                   |--------------------------------------|

DRIVE          is the requested drive (A-D).
HEAD           is the side or head (0-1) for diskette (0-3 or more) for
               hard disk.
TRACK          is the cylinder or track in decimal (0-39 or more).
SECTOR         is the starting sector number in decimal (1-8 or 1-9 or more)
NUMBER         is the number of sectors involved in the operation.
DATA ADDRESS   (in HEX) is where the data is stored or read from.
RETURN ADDRESS (in Hex) is the return address for the calling program (i.e.
            the address where execution will resume after Int 13 completes)

PRESSING THE ESCAPE KEY causes TRAPDISK to return to  the  calling  program
with  the error code for time out. The disk operation is NOT performed. The
action the program may take on this error will vary, but the requested disk
function will NOT take place.

PRESSING THE RETURN KEY causes the program to carry on as if  TRAPDISK  did
not  exist  for  this  call. Be warned that if you request a stop on a READ
operation, you will press the Return key many times just to read  one  file
as  DOS  searches directories and the FAT! Instructive, but not too useful.

PRESSING THE DEL KEY causes the program to carry on (just like RETURN), but
there is a difference. DEL will shut down any further  checking.  The  only
way  to  enable  checking  again  is  to  call  TRAPDISK  with command-line
arguments (as described above). This key is very useful in cases where  you
have forgotten that TRAPDISK is installed and want to disable it so you can
get on with your work!

                 CHANGES & IMPROVEMENTS versus BOMBSQAD.EXE

"TRAPDISK" has added a command-line help that functions without  installing
the  resident  code.  It  corrects  a  bug  in  "BOMBSQAD" that incorrectly
reported hard disk drive letters. It extends  the  BIOS  calls  beyond  the
diskette  interrupt  calls  to  some  of the hard disk specific calls (Read
Long, Write Long, Format Bad Sector, Format  Whole  Disk)  that  "BOMBSQAD"
does  not handle. And it has added the "RETURN ADDRESS" information and the
"Del" key to the pop-up window.

                              TECHNICAL NOTES

This program can only trap access requests that go through Int 13h. All  of
the  DOS  disk  calls for standard disk/diskette devices are routed through
this interrupt. However, access to installed devices (like some  RAM  disks
or   OEM  add-on  packages  like  TALLGRASS  &  SYSGEN)  is  often  through
vendor-supplied device drivers. These drivers are known to DOS and are used
in lieu of Int 13h to access  these  devices.  TRAPDISK  CAN  ONLY  CAPTURE
ACCESS  REQUESTS  FOR  DEVICES THAT ARE CONTROLLED VIA INT 13h!!! Ergo, any
"devices" that use installed device drivers could be compromised by a well-
placed trojan horse program, even if TRAPDISK is active.

The moral: DO NOT depend on TRAPDISK to protect your add-on hard disks from
damage from a trojan horse algorithm!

                        COPYRIGHT AND DISTRIBUTION

In the spirit of Mr. Hopkins' original  program,  feel  free  to  copy  and
distribute  this  program. We make no claim on any sort of copyright, since
this program is based on BOMBSQAD!

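The following is an added example, not TRAPDISK's own source and not from the digest: a user-space C model of the trap policy the documentation above describes (the R/W/V/F command-line letters, the stop decision on each INT 13h function, and the Esc/Return/Del choices in the pop-up window), so the rules can be exercised without a DOS machine. The register layout follows the standard BIOS INT 13h convention (AH = function, AL = sector count, CH = track, CL = sector, DH = head, DL = drive, ES:BX = buffer); the mapping of hard-disk drive numbers (DL 80h and up) to the letter C: onward is an assumption, as are the names `parse_args`, `trap_class`, `simulate_call`, `outcome` and `status_after`. The sample register values are the ones shown in the DISK MONITOR window above.

```c
/* Added example: a model of TRAPDISK's INT 13h trap policy (not the
 * original program). Assumes the standard BIOS INT 13h register usage. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TRAP_READ = 1, TRAP_WRITE = 2, TRAP_VERIFY = 4, TRAP_FORMAT = 8 };
enum { MODE_INSTALL = 0, MODE_UNINSTALL = 1, MODE_HELP = 2 };
enum { KEY_ESC = 27, KEY_RET = 13, KEY_DEL = 127 };
/* Outcomes of one call, as returned by simulate_call(). */
enum { PASSED_THROUGH = 0, PERFORMED = 1, ABORTED_TIMEOUT = 2, PERFORMED_DISABLED = 3 };

struct int13_regs {
    uint8_t ah, al, ch, cl, dh, dl;
    uint16_t es, bx;   /* data address (segment:offset) */
    uint16_t cs, ip;   /* caller's return address */
    int cf;            /* carry flag: the BIOS sets it on error */
};
struct trap_state { unsigned policy; int active; };

/* Parse the command-line letters, upper or lower case; unknown letters are
 * ignored. With no letters the program stays resident but stops on nothing. */
int parse_args(const char *args, unsigned *policy) {
    *policy = 0;
    for (; *args; args++) {
        switch (toupper((unsigned char)*args)) {
        case 'R': *policy |= TRAP_READ;   break;
        case 'W': *policy |= TRAP_WRITE;  break;
        case 'V': *policy |= TRAP_VERIFY; break;
        case 'F': *policy |= TRAP_FORMAT; break;
        case 'U': return MODE_UNINSTALL;
        case 'H': case '?': return MODE_HELP;
        }
    }
    return MODE_INSTALL;
}

/* Map a BIOS function number to its trap class. 02h-05h are the classic
 * diskette services; 06h/07h (format bad sector / format whole disk) and
 * 0Ah/0Bh (read long / write long) are the hard-disk services the
 * changelog above says TRAPDISK added over BOMBSQAD. */
unsigned trap_class(uint8_t ah) {
    switch (ah) {
    case 0x02: case 0x0A: return TRAP_READ;
    case 0x03: case 0x0B: return TRAP_WRITE;
    case 0x04:            return TRAP_VERIFY;
    case 0x05: case 0x06: case 0x07: return TRAP_FORMAT;
    default:              return 0;   /* reset, get status, ...: never stops */
    }
}

const char *class_name(unsigned c) {
    return c == TRAP_READ ? "READ" : c == TRAP_WRITE ? "WRITE"
         : c == TRAP_VERIFY ? "VERIFY" : c == TRAP_FORMAT ? "FORMAT" : "OTHER";
}

/* Render the pop-up window fields. DL 0-3 is A:-D:; DL 80h and up is a hard
 * disk, shown as C: onward (assumption: two diskette drives installed). */
void render_monitor(const struct int13_regs *r, char *out, size_t n) {
    char drive = r->dl < 0x80 ? (char)('A' + r->dl) : (char)('C' + (r->dl - 0x80));
    snprintf(out, n,
        "Break on request to %s\n DRIVE %c: HEAD %u TRACK %u SECTOR %u NUMBER %u\n"
        " Data address %04X:%04X  Return address %04X:%04X\n",
        class_name(trap_class(r->ah)), drive, r->dh, r->ch, r->cl, r->al,
        r->es, r->bx, r->cs, r->ip);
}

/* Run one INT 13h call through the trap: pass it straight to the BIOS if
 * the policy does not cover it, otherwise apply the key the user pressed. */
int simulate_call(const struct trap_state *in, struct int13_regs *r, int key,
                  struct trap_state *out) {
    *out = *in;
    if (!in->active || !(trap_class(r->ah) & in->policy))
        return PASSED_THROUGH;
    switch (key) {
    case KEY_ESC:   /* not performed: caller sees BIOS status 80h (time-out) */
        r->ah = 0x80; r->cf = 1; return ABORTED_TIMEOUT;
    case KEY_DEL:   /* performed, then no further checks until re-invoked */
        out->active = 0; return PERFORMED_DISABLED;
    default:        /* Return: as if TRAPDISK were not present for this call */
        return PERFORMED;
    }
}

/* Helpers for testing: run one call with the window's sample registers. */
static struct int13_regs sample(uint8_t ah) {
    struct int13_regs r = { ah, 9, 26, 1, 0, 0, 0x0BA9, 0x00F0, 0x0070, 0x0143, 0 };
    return r;
}
int outcome(const char *args, uint8_t ah, int key) {
    struct trap_state st = { 0, 1 }, after;
    struct int13_regs r = sample(ah);
    parse_args(args, &st.policy);
    return simulate_call(&st, &r, key, &after);
}
int status_after(const char *args, uint8_t ah, int key) {   /* (CF<<8)|AH */
    struct trap_state st = { 0, 1 }, after;
    struct int13_regs r = sample(ah);
    parse_args(args, &st.policy);
    simulate_call(&st, &r, key, &after);
    return (r.cf << 8) | r.ah;
}
unsigned policy_of(const char *args) { unsigned p; parse_args(args, &p); return p; }

int main(void) {
    struct int13_regs r = sample(0x02);   /* the READ shown in the window above */
    char text[256];
    render_monitor(&r, text, sizeof text);
    printf("TRAPDISK R, then a READ:\n%s", text);
    return 0;
}
```

Running it prints the same fields the DISK MONITOR window shows for the documented READ (drive A:, head 0, track 26, sector 1, nine sectors). The Esc path is the one worth noting for a defender: the call is refused by handing the caller the BIOS time-out status rather than by returning success, so the caller's own error handling runs, which is why the documentation says its reaction "will vary".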
--------------------

Date:         Tue, 4 Oct 88 14:56:18 EDT
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: TRAPDISK
In-Reply-To:  Your message of Tue, 4 Oct 88 14:11:15 EDT

> I found a new TSR utility floating around to protect disks from
> random INT 13h read/writes etc. Anyone hear of this program or have any
> comments?

There are a few big problems with just trapping INT 13h. First, it's rather
easy to circumvent. Also, almost all programs (if not all!) that read/write
to, for example, data files use INT 13h either directly or  indirectly  via
DOS  INT  21h  calls.  Trapping  out  every  sector  read  or write can get
downright annoying to the user. To illustrate this, try setting TRAPDISK to
stop all disk writes, and then use your favorite editor to edit *and  save*
a  large  text  file.  You will slowly watch TRAPDISK count all the sectors
that that one file uses. You will also learn to not trust, or just  ignore,
TRAPDISK every time it pops up on your screen. Ken

Kenneth R. van Wyk                   Calvin: I'm gonna learn to ride this bike
User Services Senior Consultant         if it kills me! ...  AAAAAUUUGGGHHH!!!
Lehigh University Computing Center   Hobbes: Did it kill you?!
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: No, it decided to maim me first.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Tue, 4 Oct 88 21:05:39 EDT
From:         Ed Nilges <EGNILGES@PUCC>
Subject:      nVir help appreciated

Any assistance on the Macintosh nVir virus will be appreciated.

--------------------

Date:         Tue, 4 Oct 88 19:16:28 +02
From:         "Ittai Klein Home 471488 Xt. 2363" <MLKLEIN@WEIZMANN>
Subject:      Earnest request

On behalf of some people that I know and many others, I am sure, that I  do
not know, I am voicing this earnest request:

We are a group that has signed on to this Newsletter out of genuine concern
about the issue at hand, and with real hope of learning about what could be
done to stymie the very serious problem of computer viruses.  But  alas  we
find  ourselves  flooded  by  a  torrent of material which is unnecessarily
verbose, much of it simply not related at all to the subject at hand, often
plain smart-alecky, and many times just plain irrelevant. Examples  abound.
I  am  including  here  just  a short one, which I selected more or less at
random:
......................................................................
From:         _____@____
Subject:      2 years probation
To:           ...
In-Reply-To:  Message received on Thu, 22 Sep 88  11:15:03 EDT

>It's fascinating that there has actually been a conviction, but I must
>say two years probation is not likely to serve as the least deterrent
>to future virus attacks.  Probation is a breeze.
>- ' name withheld ' (I.K.)
Is that from personal experience ??

VIRUS-L LEHIIBM1  9/27/88
------------------------------------------------------------- end of letter -
I do not propose that this is the worst kind and  I  am  not  directing  it
personally  at  the  authors (they may turn out, in the long run, to be the
greatest contributors to this newsletter). But I do call upon all of you to
economize on words and to try sticking tenaciously to  the  point.  As  one
wise  man  said long ago: "IF YOU HAVE NOTHING TO SAY, DO NOT PROVE IT WITH
WORDS." We thank you all in advance. Ittai Klein et al.

--------------------

*** end of Virus-L issue ***
