V.I.R.U.S. Weekly - December 3, 1993

A weekly digest of virus and related news, the V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

Other columns this week:
15 Getting help
16 "Terminal Compromise" by Schwartau

NEW ANTIVIRALS

Untouchable will continue (MS-DOS)

In the wake of the Symantec purchase of Fifth Generation have come reports of an immediate cessation of support for the Untouchable and Search and Destroy antivirals. Yisrael Radai has contacted BRM, the actual developers of the product in Israel. He has been told that no final decision has been reached. In addition, whatever the outcome, these programs and their features will continue to be made available, albeit possibly in another form.

NAV updates (MS-DOS)

Symantec apparently is making the updates for the Norton AntiVirus available to the online community. They have been available for a while at various ftp sites on the Internet, and are now being distributed through the VirNet distribution system to BBSes. The marketing department giveth, and the marketing department taketh away.

NEW VIRAL PROGRAMS

Freddy 2.1 (MS-DOS)

A student now studying in Montreal reports that in early 1993 Brazilian researchers found a new virus that contained the strings "Frisk" and "Hi Fridrik!". The virus is polymorphic and also contained the string "Freddy 2.1".

CONFERENCES AND COURSES

VSI '94

The Virus Security Institute is presenting a conference in Philadelphia, Pennsylvania on March 29-30, 1994. Presented as "A Different Kind of Information Security Conference", the symposium will involve a high degree of participation in challenging models of security as applied to the "real world". Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A. Padgett Peterson). For more information, E-Mail or Fax: VSI94_info@dockmaster.ncsc.mil (case sensitive) or (302)764-6186 (include E-Mail address, please).

10th Chaos Communication Congress

The Chaos Computer Club is holding its tenth convention in Hamburg, Germany, December 27th - 29th, 1993. Contact ccc93@t42.ccc.de.

RESEARCH

More MS-DOS 6.2 update updates

Apparently one of the things that the Microsoft MS-DOS 6.2 upgrade checks is the length of the 6.0 files, and it refuses to upgrade any that do not match. If a PC has been infected, this can result in a number of programs that are not updated. No word on whether this applies to SETVER (which always changes itself when you use it). This could be considered an antiviral feature, except that no virus scanning is done first, and there is no provision for a manual update. Most likely this is aimed at those who use other vendors' versions of DOS.

And still more MS-DOS 6.2 update updates

The update mechanism appears to be buggy: repeated attempts appear to fail regularly with different programs. Also, the hidden system files IO.SYS and MSDOS.SYS are the first to be changed in the process, while COMMAND.COM is updated near the end. This means that any interruption of the process can leave you with an unbootable computer. Better have a boot disk and a backup handy before you try it.

GOSSIP

Rosenthal hype

Messages posted to several Usenet newsgroups have been promoting Rosenthal's WinLite program. Nothing wrong with that, but they also carry ads implying that the Virus Bulletin recommends the Rosenthal Virus Simulator. This is diametrically opposed to the truth: Virus Bulletin has stated that the Virus Simulator is of no use whatsoever, and may do harm by "recommending" an inferior antivirus product ...

Dangerous and useless too

Rumour has it that a certain company making an antivirus product is sending out copies of "crippled" viral programs so that potential users can test the effectiveness of the product. (It may be that this is the action of an overzealous salesperson operating without sanction.) In the first place, it should be fairly easy to "uncripple" the virus. (The report has it that only the first ten bytes or so are changed.) In the second place, such a "test" is highly suspect. The producer would, of course, ensure that his product would pass it. There is no particular reason anyone else's would: it isn't testing "real" programs.

Commercial and government infections

For those who don't believe that commercial software can be a source of infections, send a message to LIBRARY@hemkosys.com with the keyword MC.INFECTIONS in the subject line. You will get back almost six typed pages of listings of commercial software and government disk distributions which contained viral infections.

That was no virus, that was my logic bomb

The-media-aren't-taking-this-seriously-dept.: From the front page of the New York Times of November 23rd: "Software Maker Accused of Using Virus to Compel Client to Pay." Michael Lofaro, 29, owner of MJL Design of Manhattan, and his technician, John Puzzo, 22, planted extra code in a program they wrote for a furniture company in Westbury, NY. The piece, not written by the more virus-aware John Markoff, refers not to a virus, of course, but to a simple logic bomb. It is, however, called a virus several times throughout the article. The story was also picked up by EduPage. Mich Kabay posted an article to RISKS in which he comments that it's strange to have the media mirror this confusion, to which editor PGN replied tersely, "Not surprising at all."

More accuracy for less pay?

It has been noted by the antivirus community that the antiviral "certification" list in VSUMX310 is closer to the results expected by other researchers. One posting noted that this time around only Symantec is paying for the privilege of being tested. This led to the ironic observation that perhaps if more people refused to pay, the results would get even better.
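As an added illustration (not code from the newsletter, and not Microsoft's updater), here is the behaviour the two MS-DOS 6.2 items under RESEARCH above are asking for: check every file's length before anything is written, report mismatches for scanning rather than silently skipping them, and stage all writes so that an interruption cannot leave IO.SYS updated and COMMAND.COM old. The file names come from the items; the sizes and file contents are constructed for the example.

```python
# Added example, not from the newsletter: a pre-upgrade integrity check that
# verifies every file first, reports length mismatches instead of silently
# skipping them, and writes nothing at all if any check fails.

# Constructed manifest of expected DOS 6.0 sizes keyed by file name
# (illustrative numbers, not the real MS-DOS file sizes).
EXPECTED_60_SIZES = {"IO.SYS": 40, "MSDOS.SYS": 38, "COMMAND.COM": 52}


def plan_upgrade(expected_sizes, current_files):
    """Compare every installed file against the manifest before touching any.

    current_files maps name -> bytes.  Returns (ok, to_update, mismatched,
    missing); mismatched entries are (name, expected, actual) so the caller
    can hand them to a scanner instead of guessing why they differ (an
    infected file and another vendor's DOS both show up here).
    """
    to_update, mismatched, missing = [], [], []
    for name, size in expected_sizes.items():
        data = current_files.get(name)
        if data is None:
            missing.append(name)
        elif len(data) != size:
            mismatched.append((name, size, len(data)))
        else:
            to_update.append(name)
    return (not mismatched and not missing), to_update, mismatched, missing


def apply_upgrade(current_files, new_files, expected_sizes=EXPECTED_60_SIZES):
    """All-or-nothing update: stage the new files, then swap in one step.

    Returns the updated file map, or None (leaving current_files untouched)
    if any file failed the pre-check.  Staging everything before the swap is
    the in-memory analogue of write-to-temp-then-rename: there is no point at
    which the system files are new and COMMAND.COM is still old.
    """
    ok, to_update, _mismatched, _missing = plan_upgrade(expected_sizes, current_files)
    if not ok:
        return None
    staged = dict(current_files)  # original map is never modified in place
    for name in to_update:
        staged[name] = new_files[name]
    return staged
```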
Help wanted, apply VIRUS-L

First Paul Ferguson, and now Ken van Wyk. While Ken is still moderating the VIRUS-L/comp.virus postings, he is looking for some help in related areas such as updating and maintaining the FAQ sheet, coordinating the posting of product reviews, and maintaining the FTP area.

How *not* to review

Readers are advised to look for Sarah Tanner's article published in "Virus News International", November 1993, pp. 40-41, 48. For those who can't find VNI, it is also available from the CARO ftp site. Hilarious to those who have done some reviewing, all of its 26 "rules" are taken from the actual practices of some of the more well known reviews.

==============
Vancouver Institute for Research into User Security
Canada V7K 2G6
ROBERTS@decus.ca
Robert_Slade@sfu.ca
rslade@cue.bc.ca
p1@CyberStore.ca
(signature art swiped from Alan Tai)