Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA04566; Wed, 20 Jun 90 17:29:32 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA07161; Wed, 20 Jun 90 17:29:31 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA23481; Wed, 20 Jun 90 17:29:20 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa23369; 20 Jun 90 16:25 BST From: Anthony Appleyard To: DAVIDF@cs.heriot-watt.ac.uk Date: Wed, 20 Jun 90 16:35:16 BST Message-Id: <$TGWGCZNQBTRW at UMPA> Subject: Virus-L vol 0 issue #1031 Virus-L Digest Mon, 31 Oct 88, Volume 0 : Issue #1031 Today's Topics ** no subject, date = Mon, 31 Oct 88 00:03:00 CST Anti-Viral Software Re: UUDECODE.PAS Debrain.exe A new one on me. FEV and EEV, long memo FEV and EEV Re: FEV and EEV Re: FEV and EEVV thanks Re: Debrain.exe ------------------------------ Date: Mon, 31 Oct 88 00:03:00 CST From: TP19000 In-Reply-To: In reply to your message of SUN 30 OCT 1988 16:57:16 EDT Hello my name is Matt Johnson. I am also interested in recieving anti-viral software. If you find out anything I would aprecate it if you would drop me a line. I'm at the SDSUMUS node and my ID number is TP19000. Thank You. -------------------- Date: Mon, 31 Oct 88 00:23:41 EST From: "David A. Bader" Subject: Anti-Viral Software I think that we all are interested in Anti-Viral software. Instead of having everyone post a memo here requesting such, how about having it in UUENCODED format on the ListServ? (Any ideas, Ken?) -David Bader DAB3@LEHIGH -------------------- Date: Mon, 31 Oct 88 08:02:23 EST From: Ken van Wyk Subject: Re: UUDECODE.PAS In-Reply-To: Your message of Sat, 29 Oct 88 14:13:00 EST > Can anyone tell me what version of PASCAL the above program is in?? The uudecode.pas program on the LISTSERV at LEHIIBM1 is written for Turbo Pascal v 3.0 on a DOS-based PC. Ken -------------------- Date: Mon, 31 Oct 88 10:23:02 EST From: SHERK@UMDD Subject: Debrain.exe In-Reply-To: Message received on Sun, 30 Oct 88 18:11:01 EST Debrain.exe is available through anonymous ftp @ umd5.umd.edu Cd into the /pub directory. There is a readme file, a Turbo C source file, and an executable version. Erik Sherk, Workstation Programmer, Computer Science Center University of Maryland sherk@umd5.umd.edu -------------------- Date: Mon, 31 Oct 88 08:55:00 MDT From: "David D. Grisham" Subject: A new one on me. Hi group, One of our student consultants mailed this to me. Note: This happened in a Mac Lab, with 512s and SEs. I don't have a copy of this yet. HAS ANYONE HEARD OF THIS TROJAN OR VIRUS? This afternoon, I found that we have what I think is some form of mutated virus. IT CHANGED MY VIRUS RX PROGRAM TO A GENERIC DOCUMENT ENTITLED "PLEASE THROW ME IN THE TRASH". This is no joke. It did it right in front of my eyes. I got a message box, which stated "There is a penetration attempt on VirusRx, if the disc is unlocked, it will be changed to "Please throw me in the trash"". This sounded like so much BS to me, but when I looked, IT WAS NO JOKE! I don't have any time to devote to isolation because of comps this Wed. Joseph has the altered VirusRx (now a 44k generic document). Let me know your thoughts on this subject. ****************************************************************************** * Dave Grisham * * Senior Staff Consultant/Virus Security Phone (505) 277-8148 * * Information Resource Center * * Computer & Information Resources & Technology * * University of New Mexico USENET DAVE@UNMA.UNM.EDU * * Albuquerque, New Mexico 87131 BITNET DAVE@UNMB * ****************************************************************************** -------------------- Date: Mon, 31 Oct 88 10:38:40 CDT From: Len Levine Subject: FEV and EEV, long memo Let me suggest a couple of definitions. We have two sorts of ways virii carry on their work, either by using a known and expected system feature, or by using a systemic bug or error. In either case, the virus infects files, but the problem, understanding and solution to the two cases is different. In one case a system feature, the ability to set the date in the MSDOS world at the user level, allows a virus to infect a file (which normally would cause the file to have the date of last writing set to the present date and time) and then reset the file's date to what it was before infection. We know this, we are aware that in MSDOS there is no way to prevent it, and our problems and solutions work in such a way that the date on a file must mean little or nothing. In another case, in a VMS system, where a file's last write date is system enforced, a user can depend on a file having its date changed if it is written to by a virus. Of course, if a bug in VMS were to permit a user to change the date on a file (not normally allowed to an ordinary user by VMS) that error would permit a virus to do the same as above. Our method of attack in the second case would be to fix the error. Our method of attack in the first case would have to be some other approach. The point of this lengthening memo is to stress the difference between the two kinds of virii, those that exploit errors (Error Exploiting Virii or EEV) and those that exploit system features (Feature Exploiting Virii or FEV). In the case of the FEV when we see such a virus, we generally nod sagely and say "that is caused by the ___ feature of the system and such a feature must be avoided". In the case of the EEV we first state with alarm "That cannot be done!". Then we examine the detail of the (fill in the blank here) program, note that it has a defect and only then say "The program ___ has a defect. Let us fix it and then never again will the system be unsafe." Some nice examples: I recently heard about a virus that infects the hard disk and survives a reformatting of the hard disk, but not a low level reformatting. Might this virus do a low level format of track 0 of the hard disk and create 18 rather than 17 blocks on that disk? (We know that a low level reformat of a hard disk can be done without loss of data, spinrite does it.) If there were two blocks named 0, then when Format was executed, only the first block 0 found would be reformatted, the other would go unnoticed. Later, when the system was rebooted, the chance of getting the second block 0 rather than the first, would depend on the relative distance between them on the disk. In the worst case it would be 1/18, in the best case 1/2. An error in the way format finds blocks to reformat on a hard disk will support this EEV virus in its method of hiding. A second example: A recent NET letter discusses a potential virus that might work in the UNIX environment by creating a second copy of a program used in normal file allocation routines. This ghost copy is written at the source level by a program that would come hidden with some trojan horse package. Once installed, the virus would install its own version of the allocation code which does whatever it does. No system error is needed for this FEV virus, only an careless UNIX root owner who installs code that works without very careful examination of the sources. Sorry about the length of this, but this point about FEV and EEV seems worth discussing. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -------------------- Date: Mon, 31 Oct 88 13:26:42 EST From: "David M. Chess" Subject: FEV and EEV I think that's a worthwhile distinction (although there could be viruses that are halfway between; that would spread in a correct system, but spread even better in one with a certain error). A couple of small points: > Then we examine the detail of the (fill in the blank here) program, > note that it has a defect and only then say "The program ___ has a > defect. Let us fix it and then never again will the system be unsafe." Not "never again", surely! Even in the example you cite, once you've fixed ___ so that the virus can no longer meddle with dates, it can still spread, and only if users bother to check the dates on the executables to which they have write access will the virus be in trouble. It will not spread as well as it used to, but it may still spread. Even if the error-virus relationship was such that the virus depended on the error for its very life, all you could say after fixing the error was "never again will the system be in danger from this exact virus". I know that's what you meant... > ... I recently heard about a virus that infects the > hard disk and survives a reformatting of the hard disk, but not a low > level reformatting. Might this virus do a low level format of track 0 > of the hard disk and create 18 rather than 17 blocks on that disk? Well, possibly. But more likely (if this was a PC-DOS virus) it's just that the thing alters the hard disk boot record. A normal DOS FORMAT will not (as I understand it) rewrite a hard disk's boot record if there's already one in place. Only a "low level" format does that. (Both kinds of formats apparently write a new boot record on floppy disks.) DC -------------------- Date: Mon, 31 Oct 88 15:58:49 CDT From: Len Levine Subject: Re: FEV and EEV In-Reply-To: Message from "David M. Chess" of Oct 31, 88 at 1:26 pm >> Then we examine the detail of the (fill in the blank here) program, >> note that it has a defect and only then say "The program ___ has a >> defect. Let us fix it and then never again will the system be unsafe." >Not "never again", surely! Even in the example you cite, once you've I knew that. Just a bit of humor. >Well, possibly. But more likely (if this was a PC-DOS virus) it's >just that the thing alters the hard disk boot record. A normal >DOS FORMAT will not (as I understand it) rewrite a hard disk's >boot record if there's already one in place. Only a "low level" >format does that. (Both kinds of formats apparently write a new Well, possibly. But more likely (if this was a PC-DOS virus) it's just that the thing alters the hard disk boot record. A normal DOS FORMAT will not (as I understand it) rewrite a hard disk's boot record if there's already one in place. Only a "low level" format does that. (Both kinds of formats apparently write a new boot record on floppy disks.) DC -------------------- Date: Mon, 31 Oct 88 15:58:49 CDT From: Len Levine Subject: Re: FEV and EEV In-Reply-To: Message from "David M. Chess" of Oct 31, 88 at 1:26 pm >> Then we examine the detail of the (fill in the blank here) program, >> note that it has a defect and only then say "The program ___ has a >> defect. Let us fix it and then never again will the system be unsafe." >Not "never again", surely! Even in the example you cite, once you've I knew that. Just a bit of humor. >Well, possibly. But more likely (if this was a PC-DOS virus) it's >just that the thing alters the hard disk boot record. A normal >DOS FORMAT will not (as I understand it) rewrite a hard disk's >boot record if there's already one in place. Only a "low level" >format does that. (Both kinds of formats apparently write a new >boot record on floppy disks.) In any event, the error would be marked as a FEV or EEV and would be dealt with accordingly. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -------------------- Date: Mon, 31 Oct 88 18:20:00 EST From: TFD@CUNYVMS1 Subject: thanks I hope nobody thinks I'm hogging the net because I'm writing to thank lotsa people for replying to my problem with such alacrity, over the list, and directly to me! Anyway, a real smart guy (and a sharp dresser) here at CUNY is going to help me out, and if that doesn't work out, I'll take one of you up on your generous offers . . . Thanks again, Theresa Muir -------------------- Date: Mon, 31 Oct 88 15:25:51 PLT From: Wim Bonner <27313853@WSUVM1> Subject: Re: Debrain.exe In-Reply-To: Message of Mon, 31 Oct 88 10:23:02 EST from If possible, when people post where code is available via FTP, could you also list the network numbers? I am interested in getting the Dbrain code, but Our machine which can do FTP does not have a full listing of hosts. I can call out if I know the number though. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-= Lemmings never grow old, they just die. =-=-=-=-=-=-= Wim Bonner Bitnet:27313853@WSUVM1 Compuserve:72561,3135 (King-Rat) The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d -------------------- *** end of Virus-L issue ***