Virus Bulletin, December 1992
Total Page:16
File Type:pdf, Size:1020Kb
December 1992 ISSN 0956-9979 THE AUTHORITATIVE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL Editor: Edward Wilding Technical Editor: Fridrik Skulason Executive Editor: Richard Ford Editorial Advisors: Jim Bates, Bates Associates, UK, Andrew Busey, Datawatch Corporation, USA, Phil Crewe, Fingerprint, UK, David Ferbrache, Defence Research Agency, UK, Ray Glath, RG Software Inc., USA, Hans Gliss, Datenschutz Berater, West Germany, Ross M. Greenberg, Software Concepts Design, USA, Dr. Harold Joseph Highland, Compulit Microcomputer Security Evaluation Laboratory, USA, Dr. Jan Hruska, Sophos, UK, Dr. Keith Jackson, Walsham Contracts, UK, Owen Keane, Barrister, UK, John Laws, Defence Research Agency, UK, David T. Lindsay, Digital Equipment Corporation, UK, Yisrael Radai, Hebrew University of Jerusalem, Israel, Martin Samociuk, Network Security Management, UK, John Sherwood, Sherwood Associates, UK, Prof. Eugene Spafford, Purdue University, USA, Dr. Peter Tippett, Certus Corporation, USA, Dr. Ken Wong, PA Consulting Group, UK, Ken van Wyk, CERT, USA. CONTENTS NETWORKING Anti-Virus NLMs 14 EDITORIAL Terminate-but-Stay-Resident 2 NLM SURVEY Virus Protection Under NetWare 15 TECHNICAL NOTES Proto-T - Grist to the Rumour PRODUCT REVIEW Mill 3 IRIS’ AntiVirus Plus from Menorah 20 IBM PC VIRUSES (UPDATE) 4 CHKDSK ALERT INSIGHT A Wolf in the Fold 23 The Scanner to End All Scanners? 6 CONFERENCE REPORT VIRUS ANALYSES 1. The Power Pump 8 ‘News from a Radiant Future’ 23 2. Commander Bomber 10 3. Uruguay 3 - A Slippery Eel 12 END NOTES & NEWS 24 VIRUS BULLETIN ©1992 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139. /90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers. Page 2 VIRUS BULLETIN December 1992 publishing of a hex pattern found in COMMAND.COM! EDITORIAL As a result of these and countless other faux pas I never describe anybody these days as an ‘expert’ except in a Terminate-but-Stay-Resident derogatory context. The Datacrime fiasco provided an early insight into the The new year will see a new editor at the helm of Virus dangers of pontificating. It was due to trigger on October Bulletin. My successor, Richard Ford, will inject enormous 12th, 1989. The world held its breath... and nothing hap- enthusiasm, energy and new ideas into the journal, ensuring pened, anywhere. Perhaps, as Peter Norton had declared, that it remains fit and healthy to report the challenges which viruses were indeed a ‘myth’ (an excruciatingly embarrass- will face computer users in the foreseeable future. ing statement which Symantec Corporation, current owner of the Peter Norton Group, has subsequently quietly Forty-two months have passed since the first edition of VB forgotten). The Michelangelo virus, three years later, was published. On the day it first rolled from the press in proved to be less of a damp squib but caused more red faces July 1989 it had just one subscriber. That first edition amongst the pundits, one of whom had predicted that five reported a manageable fourteen PC viruses and epitomised million computers were afflicted worldwide! a time when each new specimen was treated with perverse reverence by a motley crew of fledgling researchers. There was nothing mythical, however, about certain product developers, who guarded their interests zealously and In those pioneering, innocent days, certain people held occasionally resorted to bullying (and even more distasteful wholly irrational blood convictions. I distinctly remember a tactics) to prevent the publication of poor product reviews. belligerent telephone call from an irate member of the In all such cases, including threats of injunction, litigation public, ‘How dare you publish a magazine about computer and worse, VB stuck to its guns and, I believe, our reader- viruses when you know full well that no such things exist!’ ship is genuinely the wiser for it. Virus-specific software, one ‘expert’ assured me, would The journal has certainly made its enemies. It has crossed continue for ever and ever, Amen. Whether he is still saying swords with the more unscrupulous product manufacturers, this, with the number of viruses approaching (or exceeding) it has caused a number of quack doctors, snake oil salesmen 3,000, I do not know. He certainly had not predicted the and charlatans to froth at the mouth. Mr Washburn (devel- arrival of self-modifying encryption. ‘Impossible’ said oper of the aforementioned 1260 virus) has described another specialist when the first such specimen, the 1260 anyone associated with VB as ‘criminal’ while even virus, appeared two years ago. Certain ‘experts’ arrogantly respected ‘insiders’ have cold-shouldered the journal when pronounced that they had predicted such ‘polymorphism’ it has reported unpalatable truths. Virus Bulletin has been from the outset, claims which were patently untrue. described as a ‘rag’, its editor as a ‘rogue’. So be it. I have variously been assured that a virus undetectable by a The biggest relief is that amongst so many loud and empty scanner will never be developed (Dr Alan Solomon, vessels is that there are still a handful of talented and Washington D.C., June 1992), and that a virus which does knowledgeable people in this industry whose motivations not recognise itself on files but which at the same time does are driven by more than the accumulation of wealth. I am not multiply infect them is ‘impossible’ (Dr Jan Hruska, not in the business of sycophantic back-slapping - the best Oxford, November 1992). The second assertion has already people know who they are, but a special plaudit must go to been shown to be optimistic (see pages 10-11) while the Fridrik Skulason for his stoic and supportive work as first is highly questionable - as shown in this month’s technical editor, to the editorial board, to the contributors edition of VB, the fundamental methods to evade virus- and to the many hundreds of computer users I have had the specific detection are already developed, but have simply pleasure to meet in the course of my work on VB. not [yet] been concatenated. I leave knowing that the journal is in safe hands and that it Indeed, it has been the constant failure of the ‘experts’ to will continue to report the facts accurately, bravely and get things right which has been the cause of my continuing without prejudice, at all times aiming to assist its readership astonishment. I remember the terrifying prospect of a tackle an increasingly complex and burdensome problem. ‘Novell virus’ which transpired to be a humble sample of Jerusalem. Then there was the Datacrime II virus which A happy Christmas and a prosperous new year to friends triggered ‘before October 12th of any year’ - how on earth and foes alike. could it spread? A paper by Dr Peter Tippett, which gained short-lived respectability, completely missed the point, Edward Wilding while our own momentary lapse in vigilance resulted in the Editor VIRUS BULLETIN ©1992 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139. /90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers. December 1992 VIRUS BULLETIN Page 3 Dr Peter Lammer, Managing Director of Sophos, com- TECHNICAL NOTES mented ‘We have already taken steps to deal with the false positive problem in the November update of Sweep. As part Proto-T - Grist to the Rumour Mill of our impending BS5750 registration we are also introduc- ing enhancements to our quality system, which will help avoid problems like this in the future.’ The discovery in the wild of a new virus which is not detected by well known anti-virus software products is a A contributory factor to the problems encountered was the genuine cause for alarm. However, discerning fact from introduction of a more powerful scanning engine within the fiction is not always easy, and false alarms and rumours are software. False positive testing within the company is being a frequent occurrence. One report which turned out to be overhauled and the number of beta-test sites is being completely unfounded concerned the Proto-T virus. expanded to pre-empt such problems in the future. How- ever, it is arguably preferable to delay the detection of a The same report has been faxed to Virus Bulletin by readers rare, laboratory virus until a reliable detection mechanism is several times concerning a virus known as Proto-T. The discovered than to race ahead in an attempt to climb up virus claims ‘to hide in the RAM of VGA cards, hard disks, virus detection league tables. and possibly in modem buffers’ and users are warned that ‘there is no known defence against this virus, save format- ting your hard/floppy disks.’ A Veiled Threat It is clear that the author of the Commander Bomber virus The rumours gained credence when a Norwegian computer [See page 10. Ed.] is well aware of the threat his latest magazine reported the virus to be in the wild in Norway creation poses to the anti-virus industry. From examination where ‘it had caused extensive damage’. of the code it is evident that the author is simply playing an The virus which turned out to be the cause of all this panic elaborate game of ‘cat and mouse’ with the developers of is a 695 byte parasitic virus which infects COM files.