Virus Bulletin, March 1998
Contents
1. ItW Boot tW File elas Macro Polymorphic Standard On demand tests Number Number Number Number Number Alwil AVAST32 89 100 0 629 98 8 99 2 744 100 0 12998 95 4 887 100 0 Cheyenne Inoculan 88 98 9 643 98 8 98 8 691 93 1 12699 90 9 883 99 6 Command F PROT Pro 89 100 0 621 98 2 98 8 744 100 0 7066 47 6 887 100 0 Cybec VET 76 85 4 651 100 0 94 9 744 100 0 13500 100 0 887 100 0 Dr Solomon s AVTK 89 100 0 651 100 0 100 0 744 00 100 0 13500 100 0 887 100 0 EliaShim ViruSafe 86 96 6 649 99 9 98 7 733 98 5 2823 93 5 878 99 4 GeCAD RAV 77 86 5 507 80 9 82 8 485 64 3 3494 98 1 821 92 6 Grisoft AVG 68 76 4 514 81 9 80 0 663 88 3 1026 81 6 629 78 6 H BEDV AntiVir NT 87 97 8 586 92 3 94 2 723 96 4 1455 83 1 849 96 5 IBM AntiVirus 87 97 8 647 99 4 98 8 744 100 0 3000 96 3 887 100 0 Intel LANDesk Virus Protect 79 88 8 623 97 9 94 7 744 100 0 2825 92 5 861 97 8 iRiS AntiVirus 88 98 9 643 98 8 98 8 690 93 0 2699 90 9 883 99 6 KAMI AVP 76 85 4 651 100 0 94 9 744 100 0 3499 99 1 887 100 0 McAfee VirusScan 1 1 1 651 100 0 65 8 744 100 0 13441 98 7 870 98 9 Norman ThunderByte 89 100 0 644 99 8 99 8 741 99 6 13496 98 1 878 99 2 Norman Virus C ontrol 89 100 0 633 99 4 99 6 740 99 5 1296 94 2 881 99 7 Sophos SWEEP 89 100 0 647 99 4 99 6 744 100 0 13495 99 0 885 99 7 Symantec Norton AntiVirus 89 100 0 611 97 0 98 1 735 982. VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 18 VIRUS BULLETIN MARCH 1998 PRODUCT REVIEW 1 AVG v5 0 for Windows 95 Dr Keith J ackson Czech developers Grisoft claim that AVG is a sophisticated antivirus system for detecting and removing viruses The product can operate under DOS Windows 3 1 Windows 95 and NT or across a network However this review only covers the standalone Windows 95 version Installation AVG was provided for review on three 3 5 inch 1 44 MB floppy disks In fact two identical sets of disks were provided I know not why Installation was initiated by executing SETUP EXE After reading warnings about the licensing conditions I had to enter my name a company name and the program serial number before installation could proceed The name of the subdirectory where AVG s files were to be stored could be altered if required and an option was provided to install AVG s memory resident component The usual bargraphs whirred the other floppy disks were requested and a reboot was performed All in all a painless program installation much as we have come to expect Documentation AVG arrived with three small A5 books entitled Instal lation
3. 401 778 08 48 Virus detected c 1997 j Energy Boot anti virus For details amp upgrades call 0123456789ABCDEF and INT 13h points to gt F000 97F4 Energy 2681 BFE9 OOAF AE74 3F80 FCO3 741F E80B 01B0 01E8 1B01 7229 MDR A family of boot sector viruses infecting hard disk MBRs and floppy DOS Boot Sectors Variant A contains the text M A Blanco Garrido Ermua King Lizard variant B wLady Div and C King Lizard variant C Lady Di and King Lizard The virus stores the original MBR in cylinder 0 head 0 sector 2 Variant A infects only 1 44 MB diskettes and stores the original DBS in cylinder 79 head 1 sector 18 Variants B and C store the original DBS in cylinder 0 head 1 sector 3 360 KB or sector 14 720 KB 1 2 MB or sector 15 others Ermua A O4FF 7703 5848 508F 4703 6BCO 4050 0787 064E 0050 8F06 4D7D Ermua B O4FF 7703 5848 508F 4703 6BCO 4050 0787 064E 0050 8F06 617D Ermua C O4FF 7703 5848 508F 4703 6BCO 4050 0787 064E 0050 8F06 6C7D ER A stealth 406 byte virus inserting its code into the headers of EXE files It requires the presence of HIMEM SYS and contains the text gt Joan v1 2 by Kiko NoMo of T N T Taipei Taiwan 1995 08 lt Exeheader 406 354D 5A74 1126 803F EB75 4426 817F 5CB4 0D74 2EE9 3900 2683 ER A 453 byte virus inserting its code into the headers of EXE files The virus contains the text Work448 Bob Infected files have the word 0000h at
4. stances a clean disc inserted and scanned would produce a large red infected notice With these results such niggles are not however a major issue McAfee VirusScan v3 1 4 11 Dec 1997 tW Overall 65 8 Macro 100 0 tW Overall o a 88 4 Polymorphic 98 7 tW Boot 1 1 Standard 98 9 aw oh oie go an or wot of oe of en oe On demand we ae Bh ior eh V oe s V s e pz on ye cot K x Rte ot oI ost ot 0 ae nn eC of we a ow D yo ac McAfee VirusScan proved one of the more interesting products to test The on demand scanner was effective at spotting all In the Wild Files and macro viruses in the test sets used and put in a creditable 98 7 score in the Polymorphic set Speed of scanning is at a rather plodding rate but nothing was detected that should not have been On access the polymorphics proved rather too elusive to VirusScan though detection of other file infectors was fair This leaves the boot sector viruses Of the 89 boot sector viruses provided VirusScan detected just one on demand Yes one We were surprised too VB has no great wish to be sued and so we checked this and came to the following conclusion ABCD the boot virus that was detected is on the only diskette that contains a file a relic of an atypical replication procedure Sure enough if a file is placed on other boot virus test diskettes VirusScan inspects the diskette properly With no files present it retur
5. In the Wild File Macro Polymorphic and Standard see the summary box for details The virus signature list tested was identified as SCN 2 28 with Macro definitions updated to MDEF 980203 Although the scanner had been set to delete infected files the default option of copying files to the quarantine directory before deletion was in operation and made copies of all files which were detected as infected or suspicious Despite achieving 100 against the Macro test set the other results were poor Thirty samples were missed from the In the Wild File test set four of Anxiety 6093 eighteen of Morphine 3500 and eight of Spanska 4250 these were all new to the WildList in December 1997 While 79 samples were missed in the Standard test set the worst results were observed against the Polymorphics with CSAV barely achieving 50 success In fact lower if the weighting algorithm used in the comparative reviews is applied Ed Of greatest concern here was the near total failure to detect the Spanska 4250 replicants a widely distributed In the Wild polymorph VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 23 Real time Scanning Overhead To determine the
6. equipment not 100 compatible with a standard IBM PC Note that no attempt is made to define a standard IBM PC Nor could it be such a beast no longer exists if it ever did When things get rough any half decent lawyer has enough in that one phrase to defend the developers of AVG against anything Absolutely anything The User Manual is well written but suffers somewhat because it applies to several versions of AVG running under various operating systems This inevitably makes it vague on detail Still given that many most anti virus vendors seem to have given up on manuals completely at least AVG provides something in printed form Computer Viruses and You a slim A5 volume contains a good description of computer viruses how they operate their history and the parts of the PC that they attack It would be especially easy for a first time user to follow the explanations provided Interface In last month s review I complained that all Windows 95 anti virus software looked the same No sooner had the words tripped off my keyboard and into print than some thing comes along that looks completely different Down the left hand side of AVG s main window a list of section headings is provided Tests Utilities Help etc Each of these headings can be expanded by double clicking on it to reveal the options available within that section Once an action has been selected activity takes place
7. n a Polymorphic 83 1 tW Boot 97 8 Standard 96 5 With a longer established product than the previous pair H BEDV have yet to translate their help files into English though menus general instructions and icons are available in either German or English AntiVirNT has no on access scanning function Speed wise it kept with the pack though five suspected viruses in the Clean set was a little disap pointing This product certainly won the added messages available in the clean scan award producing warnings of damaged files and an over large COM file in addition to the viruses supposedly spotted The CRC function in the program was not tested leaving the usual collection of on demand tests to contend with The boot sector tests missed the perennial favourites of Moloch and Hare 7750 but found no trouble at all in spotting the hidden evils on the disks having possibly tricky formats This gave a much improved set of detection figures over the September NT comparative which was to a lesser extent carried over to the other test sets It is to be hoped that such improvement can be maintained IBM AntiVirus v3 02w tW Overall 98 8 Macro 100 0 tW Overall o a 98 8 Polymorphic 96 3 tW Boot 97 8 Standard 100 0 Another big company faring as befits its size Against the In the Wild File set only Win95 Anxiety evaded IBMAV but with two samples of Hare in the boot test this was enough to dash any hopes of 100 In the Wild detecti
8. 482 Solar 123 Timber Wolf 546 Unashamed C CER A 2272 byte virus containing the plain text message Fatal error A3041 and the encrypted texts EXEexeCOMcomMASMmasmTASMtasmFANTfantWEBwebAIDSaidsANTIantiSCANscanCOMMcomm Hammer 96 0WY VRN 1600 BASE and ANTI DBE 2222 213 SLAYER OWY 1 00 Hammer 2272 E800 0058 1E2D 0400 50B4 D5CD 213D 5634 7503 E9B8 005F 5706 CN A double encrypted appending 777 byte direct infector containing the texts HOODLUM VIRUS SAYZ gt FUCK ALL YA HOES com and command com Hoodlum 777 80BE 2001 B974 4FB9 0C04 8DBE 2001 2E80 3501 47E2 F9B8 0D05 CN A polymorphic appending 391 byte slow direct infector infecting two files at a time It contains the text BUBBLE HOUSE Infected files have their time stamps set to two seconds The virus implements a short but effective table driven polymorphic encryption mechanism with a number of appended bytes varying between 391 and 397 It is impossible to select a simple virus template however the infected files always end with the sequence 47h 4Dh 75h F h C3h CR An encrypted 271 byte prepender infecting on File Create Int 21h AH 3Ch or AH 5Bh It contains the text Insert Darkman VLAD It is impossible to select a template longer than 12 bytes Insert 271 B97E 0081 3527 47 47E2 F8C3 CR An appending 585 byte virus containing the text KATE 1996 C ORIEL software company In
9. IBM Research USA No responsibility is assumed by the Publisher for any injury and or damage to persons or property as a matter of products liability negligence or otherwise or from any use or operation of any methods products instructions or ideas contained in the material herein SUBSCRIPTION RATES Subscription price for 1 year 12 issues including first class airmail delivery UK 195 Europe 225 International 245 US 395 Editorial enquiries subscription enquiries orders and payments Virus Bulletin Ltd The Pentagon Abingdon Science Park Abingdon Oxfordshire OX14 3YP England Tel 01235 555139 International Tel 44 1235 555139 Fax 01235 531889 International Fax 44 1235 531889 Email editorial virusbtn com World Wide Web http www virusbtn com US subscriptions only Virus Bulletin 18 Commerce Way Woburn MA 01801 USA Tel 781 9377768 Fax 781 9320251 JS tee ve NCNATT This publication has been registered with the Copyright Clearance Centre Ltd Consent is given for copying of articles for personal or internal use or for personal use of specific clients The consent is given on the condition that the copier pays through the Centre the per copy fee stated on each page END NOTES AND NEWS The ICSA s conference IVPC 98 Protecting the Workplace of the Future will take place at Lake Buena Vista Florida from 28 29 April 1998 For the first time it will run concurrently with a
10. Protect 69 77 5 623 97 9 90 9 744 100 0 12824 92 5 861 97 8 McAfee VirusScan 88 98 9 530 82 9 88 4 688 91 7 6385 44 7 767 88 6 Norman Virus Control n a n a 424 67 6 n a 717 96 6 7997 44 4 632 69 1 Sophos SWEEP 89 100 0 647 99 4 99 6 744 100 0 13495 99 0 885 99 7 Symantec Norton AntiVirus 70 78 7 611 97 0 90 7 743 99 5 11499 84 3 841 97 2 Trend Micro PC cillin NT n a n a 625 98 1 n a 744 100 0 12883 93 8 861 97 8 Cybec VET v9 61 Macro test set where full detection was achieved This turns out to be the most common area where full scores are tW Overall 94 9 Macro 100 0 possible a reassuring thought in corporate settings where tW Overall o a 95 1 Polymorphic 100 0 macro viruses are more commonly encountered than other tW Boot 85 4 Standard 100 0 types Reassuring for Cybec is the fact that theoretically The product for the people to whom velocity is almost everything VET churned through the 500 MB of the Clean test set in a mere 102 seconds yet still showed an impres sive on demand detection rate The detections against the In the Wild File Standard Polymorphic and Macro test sets all gained the much sought after full marks so far so good Those who crave speed so much may of course have no desire for lowly 3 5 inch disks which is where VET failed to deliver VET detected all boot sectors it saw on what it considered valid disks but failed to recognize thirteen of the samples as actually being on any
11. Similarly the added problems with boot sectors came as no shock Once more the errors thrown up by strange formats prevented detection of any viruses on a fair number of the samples This took LANDesk to the bottom of the stack for programs with operating on access boot scanners As for speed LANDesk is one of the more ponderous of the products and it still manages to discover four viruses in places where they do not exist iRiS AntiVirus v22 03 16 Dec 1997 ItW Overall 98 8 Macro 93 0 tW Overall o a n a Polymorphic 90 9 tW Boot 98 9 Standard 99 6 VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 15 No on access scanner here and a display of on demand scanning ae Macro Detection Rates mOn access Ca which would impress but for the better scores common in this review At 720 seconds iRiS AntiVirus 20 required longer than average to scan the Clean test set Somewhat bizarrely the program claimed that anes it had been altered when run though we did not count this as a false ies positive to add to the two generated against the Clean set Remembering that in the past iRiS AntiVirus has 20 produced up to 139 false pos
12. a free upgrade to EagleNT 5 0 customers when it ships later in 1998 Network Systems amp Applications Management 98 will be held from 28 30 April 1998 at London s Olympia The event is the result of the amalgamation of three major IT exhibitions Infosecurity has joined forces with Customer Service amp Support 98 and Network Systems amp Applications Management 98 More informaton can be found at http www infosec co uk In early March Integralis Technology Ltd ships MIMEsweeper 3 2 for Microsoft Exchange versions 5 0 and 5 5 More information can be found at http www mimesweeper com The North America Computer Audit Control and Security CACS conference will be held at the Hyatt Regency O Hare in Rosemont Chicago from 26 30 April 1998 Subjects covered include disaster recovery and Internet security Contact the Information Systems Audit and Control Association for information email conference isaca org Integralis Technology Ltd and Trend Micro Inc have reached a settlement of the patent lawsuit between them The case pending for seven months in a US District Court in Washington has been dropped as part of the resulting mutual agreement The two companies have also signed a cross licence agreement sharing some of each other s technology and patents Network Associates has launched VirusScan 3 0 for Macintosh As well as all the usual features real time and on demand scanning with McAfee s Hunter tec
13. a large variety of instructions which can be divided into five groups Consecutive instructions are unrelated making it obvious at first glance that the decryptor is full of garbage The first group is composed of nineteen single byte instructions These mainly involve flag manipulations segment override prefixes packed and unpacked BCD adjust instructions plus DEC INC and XCHG with the accumulator of a random register apart from SP which the virus carefully avoids The second group contains twelve assignments shift arithmetic and logic instructions NOT NEG MUL and IMUL nine arithmetic and logic instructions with a random immediate value as second argument and the two byte versions of INC and DEC These instructions are really templates corresponding to opcode masks opcodes plus random byte or word registers and variable arguments The second group is also supposed to contain nine arithmetic and logic two byte instructions but due to a bug in the engine these are never generated The third group consists of eight single byte instructions including string instructions LAHF and XLAT The fourth contains ten assignments arithmetic and logic instructions that may use any byte register in the destination argument and indirect either based or indexed addressing without a displacement in the source argument The fifth and last group is composed not of opcodes but rather of atomic instruction groups forming Int 21h
14. calls that contain a MOV AH lt byte gt Int 21h Where necessary these may be framed by a PUSH ES and a POP ES The functions are 0Bh Get STDIN status 19h Get Current Drive 2Ah Get Date 2Ch Get Time 30h Get DOS Version 4Dh Get return code 51h Get PSP 54h Get Verify Setting 62h Get PSP 2Fh Get DTA 34h Get INDOS flag 35h Get Vector and 52h Get list of lists When it is called by the replication routine the polymor phic engine proceeds as follows It loads various tables which describe how many encryption methods to use which register to use as the pointer and which to use as the counter in the decryption loop Then it computes a check sum on a copyright message messing up the stack if it does not match eventually leading to a crash in most cases Next comes the polymorphic head generation where the virus generates between 40 and 80 random instructions from any of the five groups described above This code is absolutely useless The useful stage is where the registers are loaded and the body is decrypted The virus generates this decryption and the inverse encryption in parallel An important point to mention here is that the values of all the general use registers are used as the key in Cryptor s decryption loop rather than just a single value as in simpler encrypted viruses A variable piece of code loads FFFFh into AX and either sets or resets the carry flag This isolates the usel
15. in the main part of the window while there are os Tenen bem mai eee ee ee eee mrar yeen me gees l ta AVG s user interface breaks the mould somewhat but is an eminently usable design VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 19 several large buttons across the bottom edge It is refresh ingly different from the usual drop down Windows menus and it works rather well Heuristics A short excursion into AVG s heuristic capability is called for at this point One of the main components in AVG s armoury is its Complete Test This option scans every thing using both an ordinary scanner and a heuristic scanner If AVG is sure that a particular file is clean it adds it to the validation database Future Complete Test activations need only scan files whose checksums have changed since the database entry was created with a consequent reduction in scan time JBM s scanner uses the same tactic So far so good However the AVG documentation warns that the heuristic scanner can produce false alarms and sure enough it does Before installing AVG I re installed Windows 95 on my test PC Therefore
16. names No doubt in due course all references to F PROT will be replaced by the appropriate CSAV nomenclature and documentation Unfortunately there are a number of more pressing problems which need to be addressed Firstly the real time statistics display on the main screen does not appear to be working at all Secondly although macro detection is excellent the detection rate in the other areas is hardly inspiring Having said all that the configura tion options are good and I feel it is always a good thing to have the ability to control activity from both console and workstation Furthermore the extra option of having a central INI file which allows the standard settings to be propagated onto other servers eases deployment issues The detection engine needs sorting out but overall the product holds a lot of promise for the future Command AntiVirus for NetWare v4 0 Detection Results Test set Viruses Detected Score tW File 621 651 95 4 Standard 798 887 90 0 Macro 745 745 100 0 Polymorphic 7071 13500 52 4 Overhead of On access Scanning Time in seconds to copy 63 EXE files 4 6 MB Each test was repeated ten times and an average taken Time Overhead NLM not loaded 7 1 NLM loaded inactive 7 7 8 5 enabled scan incoming 12 8 80 3 scan outgoing 13 1 84 5 scan both 13 0 83 1 immediate scan 14 6 105 6 NLM unloaded 7 2 1 4 Technical Details Product Command AntiV
17. new event Remote Access Building and Managing the Workplace of the Future is to be presented by GartnerGroup For more information about registration discounts and availability contact Ashley Pearce Tel 1 203 316 6757 or email ashley pearce gartner com Trend Micro Inc announces the release of ScanMail and InterScan Virus Wall for Microsoft Exchange which are now available for Digital Alpha Server systems running Windows NT Prices starts at 955 for 50 users ScanMail was recently chosen by Hewlett Packard to protect its OpenMail facility For further details on these products email trend peapod co uk The eighth annual NetSec conference will take place at the Hyatt Regency in San Antonio Texas from 15 17 June 1998 NetSec 98 Network Security in the Open Environment focuses exclusively on the security issues problems and solutions facing networked environ ments There are exhibitions throughout the programme and one and two day seminars planned for before and after the conference Contact CSI for details Tel 1 415 905 2626 fax 1 415 905 2218 email csi mfi com or visit the web site at http www gocsi com Raptor Systems announces Eagle 5 0 the latest addition to the Eagle family of firewalls Using a new data fastpath this version can support in excess of 45 MB s of mixed data throughput Prices range from 3 995 to 15 000 Raptor is moving to a native NT GUI in the new firewall Named Hawk 6 0 it will be offered as
18. not possible for Concept and most other common macro viruses to spread So Concept appeared mainly in organizations which cooperated with foreign especially American partners Apart from this nothing important happened for almost two years except for occasional reports of Date MDMA and Npad Last summer Bertik emerged It had the potential to spread more widely because it works properly under both Czech and English versions of Word However there was no mass expansion such as that caused later by CAP This virus caused a big epidemic here as in many other countries and was like a cold shower with many users meeting a macro virus for the first time Nowadays CAP is the most widespread virus in the Czech Republic but in the last six months Laroux for Excel 5 7 has spread notably too The Situation Today CAP A leads the field with Laroux quite far behind J amp M is the most prominent of the boot viruses followed by Ripper Form AntiCMOS WelcomB Parity_Boot Spirit and Angelina File viruses are also relatively widespread especially Pieck 4444 Pojer 4028 TMC especially in Slovakia and Helloween 1376 The Alfons 1344 and Burglar 1150 viruses have been distributed on CDs accom panying computer game magazines The geographical locations of the Czech Republic and Slovakia and their interactive relations with surrounding countries facilitates the spread of viruses but the situation is far from critical Almost all organizatio
19. offset 0008h size of actual header Exeheader 448 B9CO 010E 1FBA 0600 B440 CD78 33D2 3BEA 740F 8BCD 03C9 03CD ER An encrypted 813 byte appender containing the texts F LoGiN LoGiN eXe TB SC KR WI F and FAIRGROUND c BlackFlash It only replicates from May to December Fairground 813 81C3 3E00 B9EC 028A 07E8 0800 8807 43E2 F61F EB12 5053 51B8 DR A one sector boot virus infecting both hard disk and floppy DOS Boot Sectors The original DBS is stored in cylinder 0 head 0 sector 7 hard disks and cylinder 0 head 1 sector 3 floppies Flag 2E81 3E40 04B8 0074 31B8 0103 B907 OOBA 8000 CD13 FCOE 1FBE CN An encrypted 2207 byte appender infecting COM and SYS files device drivers It contains the text w Glitter ver 1 0 Coded by Siddharth SID IS IN YOUR RAM CHIPS v v Greetings From Siddharth Bombay 92 and CHKL Glitter 2207 83EE 050E 07C6 441D 908A 5420 B995 04BB 2300 3 010 43E2 FBC3 VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 5 Hammer 2272 Hoodlum 777 House 391 Insert 271 Kate 585 Madman 1663 Mainman 407 Moskau 800 Mrodehna 5154 Piz 1176 Small_comp 155 SillyRC
20. part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 2 e VIRUS BULLETIN MARCH 1998 EDITORIAL c lt no software can protect you from Trojans 99 Trojan Sciamachy Recently there has been a flurry over a new not released to the wild email virus A well meaning press release didn t quite get the right message clear enough the result being dozens of concerned citizens posting to Usenet and mailing lists about this new real email virus The point missed in this is that a virus just using email as a file transfer mechanism is not an email virus The you can get a virus just by opening an email message myth may well have been strengthened Probably not bad news for the shysters selling email scanners as the solution to your virus problem but also I suspect not the intended outcome of the press release I guess it may be coincidental but we seem to have seen a huge resurgence in the Join the Crew Return to Sender etc mass email hoax messages since that fateful press release Interestingly press releases and email borne nasties of another sort have been on my mind for some time I pointed out at VB 97 that you should be wary of the hypesters with vested interests in convincing you or someone that email distributed Trojan Horses were the next big worry Well those people are still
21. quirks are also found throughout the documentation Presentation and Installation The software was supplied on four floppy diskettes You have two installation options The first is to install directly at the server console but this does not install the Windows Administration program The other option is to install from a workstation I chose the latter using InstallShield to handle the installation options The first screen of the workstation installation presents a choice of components Command AntiVirus Server Files Command AntiVirus Client Files AlertTrack Server Files and AlertTrack Client Files Initially just the first two options were chosen The default folder for the program files for the workstation is still set to C F PROT Incidentally if the installer has not logged in and starts installing software Error 1 cannot create server list comes up when loading the second disk After clicking OK the installation reports Set up com plete at this point The software is idiot proof but not quite reviewer proof Next the target server directory for NLM files must be selected the default is SERVER SYS S YSTEM F PROT At this stage there is the option to add a LOAD F PROT line to the server s AUTOEXEC NCF file Having per formed the main installation all that remains is to install any updates to the virus signatures Command AntiVirus for NetWare Loading the NLM without any command line options
22. sort of valid diskette and unworthy of its attentions as a result These are real viruses which can infect on boot up despite the inability of the operating system to access data stored upon the disk ettes involved This problem has been addressed before in VB reviews and here prevents the attainment of a VB100 award by Cybec Curiouser and curiouser VET is clearly able to scan these types of boot sector as the on access scanner failed to spot a completely different selection of undesirables There was a slight slippage seen in all other categories except the their product can detect all viruses in VB s test sets but VetNT needs some reworking to do so Dr Solomon s AVTK v7 79 1 Dec 1997 tW Overall 100 0 Macro 100 0 tW Overall o a 100 0 Polymorphic 100 0 tW Boot 100 0 Standard 100 0 Virus Bulletin s considered opinion was that the ETA awards than the recent DOS equivalent The full extent of this prediction is more significant than expected All this is of course verbiage for Dr Solomon s AntiVirus Toolkit detected everything in every set and did so both on demand and on access It is the only product to receive a VB 100 award in this review NT comparative would produce fewer VB 100 ane ey With a speed that lies in the firmly efficient range rather than fast or slow there is of course room for improvement if such has to be found and a product is never really perfect until the last virus is written
23. their DOS based brethren Unfortunately it appears that the macro detection gains are the roundabouts to the boot virus swings This is our third Windows NT comparative and this is the third time we have shown the general inadequacy of certain approaches to dealing with boot sector viruses under this operating system Although supplanted as commonest by some macro viruses boot viruses still account for a signifi cant slice of infections reported in our monthly Prevalence Tables Moreover we still receive many panicked reports of infected systems clearly many users are still not using the common BIOS based against protections Thus reliable detection of these viruses is still important We hope to not have to repeat this complaint in the next NT comparative An interesting feature of the current results is how the recent appearance of Win95 Anxiety and its relatively rapid appearrance in the WildList had such a major influence on the ItW File detection results Although not necessarily the sole malefactor it was missed by ten of the products tested and was the single detractor from a perfect ItW File score for two products denying one of them a VB 100 award Another new entrant to the ItW File set which also acted as a spoiler for many was Morphine 3500 again contributing to the collapse of ten products VB 100 hopes Congratulations to the Dr Solomon s team for their second consecutive perfect score across the board
24. ye yw ge os OO oet at Nef oa o a Oa me oe eo eo co V A E e E N oa KO a ore pe ae ao So wo issue supplies a much fuller descrip tion of the nuts and bolts of the program AVG s user interface is consistent across the two platforms oo we or w p W a ow sot xe rO ae VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 14 VIRUS BULLETIN MARCH 1998 In the Wild Overall Detection Rates On demand m On access 100 not spectacular with the expected lack of false positives The mandatory checksumming technique meant the first run through the Clean set took 240 seconds 2225 5 KB s IBMAV s on access scanner claimed to detect viruses only in boot sectors in memory or upon execution This is presumably a simplification since the on access scanner picked up exactly the same specimens that its on demand 80 4 60 4 40 4 20 4 0 z counterpart found The on access scanner does not name infections ot KO a sf a rst on p on fe ot us oo Y s oe go en er oh oe Te e oo oe a se ot oo ww 7 ae P cre H BEDV AntiVirNT v5 10 01 10 Jan 1998 tW Overall 94 2 Macro 96 4 tW Overall o a
25. 00 Brno Czech Republic Tel 420 5 4124 3865 fax 420 5 4121 1432 BBS 420 5 4124 3858 email grisoft grisoft anet cz WWW hittp www grisoft com Availability AVG requires at least 5 MB of hard disk space Version evaluated 5 0P build number 1207 resident VxD driver version 1 7 Serial number 50U 1 102955 MVJ Price Licence price for single user 49 with a sliding scale to 30 per licence for 51 to 100 users Large volume discounts can be negotiated with the vendor Hardware used A 133 MHz Pentium with 16 MB of RAM a 3 5 inch floppy disk drive a CD ROM drive and a 1 2 GB hard disk divided into drive C 315 MB and drive D 965 MB This PC can be configured to run Windows 95 Windows 3 11 Windows 3 1 or DOS 6 22 Test sets See VB September 1997 p 16 VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 21 PRODUCT REVIEW 2 Command AntiVirus for NetWare v4 0 Martyn Peny Although Command AntiVirus CSAV draws heavily on its predecessor changes are being made to differentiate it from Command F PROT However in this period of transition some screens show CSAV information while the console commands still refer to F PROT Similar
26. 5 11501 84 3 872 99 1 Trend Micro PC cillin NT 84 94 4 625 98 1 96 8 744 100 0 12883 93 8 861 97 8 This leaves the boots where Cheyenne s product was confused by uncommon disk formats but managed to produce an error for both format and virus which is to its credit Consistency between on demand and on access detection was maintained since other than these only Hare 7610 was missed Jnoculan falls in that middle ground where improvements and declines are as noticeable as they are important Command F PROT Professional v3 01 2 27a tW Overall 98 8 Macro 100 0 tW Overall o a 64 2 Polymorphic 47 6 tW Boot 100 0 Standard 100 0 F PROT s speed is among that of the top few and it makes no spurious detections hardly conversation pieces Close to the coveted perfect ItW Overall score missing a handful of file viruses knocked F PROT back to mid field The great bane of its detection prowess is however the polymor phics This situation is getting worse monthly moreover and the suspicion must be that the imminent v3 0 engine is being developed at the expense of maintaining the older of the species Standard Macro and Boot samples all per fectly detected back up this theory requiring not so much an advanced emulator as good scan strings usable by the older F PROT The odd formats caused no problems in the boot virus tests though Paula_Boot did throw up an unable to read
27. 54 3DCD 4D75 05B8 O8CD 9DCF 80FC 4C75 072E C606 3D0F 0090 2E80 CER An encrypted 1176 byte appender containing the text o p p o u Infected files start with the word E94Dh Piz 1176 3DAF FA75 12B8 BOBO CF2E 803E 7001 E974 F82E C606 7001 E9F7 PN A companion 155 byte direct infector containing the text exe The virus creates up to four hidden read only system identical COM files at one go Small_comp 155 B440 B19B 32D2 CD21 B40E ODOA 30CD 21B4 4A33 F68D 5C1D CD21 CR A 482 byte appender similar to SillyRC 212 and SillyRC 476 see VB September 1995 p 5 It contains the same texts Subconsious virus Conzouler IR 1995 Mina tankar r det sista som ni tar and LOVE LOVE LOVE LOVE LOVE LOVE LOVE LOVE Infected files have the byte EAh at the end of the code It can be detected using the same template published for the 476 byte variant SillyRC 476 482 4F56 453D 7742 7501 CF3D 004B 756C 5053 5152 1EB8 823D CD21 ER A 123 byte appender infecting files on execution of the Write function AH 40h INT 21h Infected files start with the signature ZM Solar 123 80FC 4075 4D8B F2AD 3D4D 5A75 45AD 3D85 0173 3F8B E9C1 ED09 CN A prepending 546 byte direct infector containing the texts Timber Wolf by Quantum VLAD ATH and com TimberWolf 546 B922 02BA CEFA CD21 E825 00B9 2202 BACE FAE8 2C00 5AE8 0C00 MDR A boot sector virus containing the encrypted text I m the great UN
28. Enough philosophy roll on the next product VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 13 EliaShim ViruSafe v2 5 tW Overall 98 7 Macro 98 5 tW Overall o a 65 3 Polymorphic 93 5 tW Boot 96 6 Standard 99 4 Tantalizingly close to omniscience in the on demand tests on the whole ViruSafe is the sixth consecutive product whose performance would have been seen to be remarkable two years ago With the increasingly high expectations of the anti virus market and the efficiency of the engines used to meet these expectations EliaShim s program is in the upper echelons with a good few close competitors The detection rate has increased from its last outing into the high nineties in all fields and just a slight improvement will produce a few fully detected test sets Boot sector detection for example was thrown by three variants of Hare which should be expected and detected in the future With such jostling for the top spot any faults are of vital importance and ViruSafe falls down on false alarms Similar to its DOS scanning the scanner threw up twenty five cases where Cruncher 4000 was detected in absentia Despite this being done in a respectable t
29. ISSN 0956 9979 NWT ToT TON MARCH 1998 n Os Oe oe ee i iti VOW THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION RECOGNITION AND REMOVAL Editor Nick FitzGerald Editorial Assistant Francesca Thorneloe Technical Editor Jakub Kaminski Consulting Editors Ian Whalley Sophos Plc UK Richard Ford IBM USA Edward Wilding Network Security UK IN THIS ISSUE e N Tried N Tested Several new viruses In the me H Wild and the old boot virus scanning problems meee contributed to just one vendor attaining a VB 100 award This month s NT comparative starts on p 10 e Czech it out Pavel Baudis shows how Slovakia has become a real virus empire compared to its neighbour Read his report from the former Czechoslovakia on p 8 e Where in the World The News Page contains long awaited information about the dates and location of this year s Virus Bulletin conference on p 3 CONTENTS EDITORIAL Trojan Sciamachy VIRUS PREVALENCE TABLE NEWS 1 VB 98 2 Errata 3 Czech or Slovakian IBM PC VIRUSES UPDATE VIRUS ANALYSIS Tales from the Cryptor FEATURE Virus Czech COMPARATIVE REVIEW Scanning on NT PRODUCT REVIEWS 1 AVG v5 0 for Windows 95 2 Command AntiVirus for NetWare v4 0 END NOTES AND NEWS Ww N Ae Www a oo 10 VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No
30. OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 9 tional So it is polymorphic not only in files but also in memory TMC s so called compiler creates a copy of the virus in memory modified from pseudo code stored in the infected file This pseudo code is static but encrypted Nowadays this virus is successfully spreading in the wild in the Czech Republic and especially in Slovakia This is particularly true of the Level 69 variant Today Slovak virus authors are working on macro viruses too Even in this field they seem to specialize in technical advances It all began with Slow or SlovakDictator see VB August 1997 p 15 which marks the first attempt to create a polymorphic macro virus However its operation was too slow and so noticeable to users that it earned itself the name Slow The next attempt a virus called UglyKid was more sophisticated The third Slovak macro virus was Navrhar HZDS which like Anarchy 6093 infects both Word documents and Windows 95 VxD drivers see VB Novem ber 1997 p 15 The texts in these macros and attached files are directed against the Slovak political party HZDS or more directly against its leader the Slovak Prime Minister Vladimir Meciar The electronic virus magazine Asteri
31. On access 80 60 40 4 20 0 RS n o ys 9 3 oo se so amp a g e o ow a A one co We A pwr eo gat on a eo oot P N rs xh g ot ow AT nie 09 go o AN ic 59 Q o 4 py KO 00 X 2 3h ps ow go N VA cer E 9 Aa ax 9 i gor C aY co a PO ae K Trend Micro PC cillin NT v1 0 VPN 347 tW Overall 96 8 Macro 100 0 tW Overall o a n a Polymorphic 93 8 tW Boot 94 4 Standard 97 8 Trend s PC cillin NT suffers a little by being at the end of the alphabetical trail where it nevertheless manages to raise some points not yet addressed On demand Macro detection was a perfect 100 The three Hare variants Moloch and Neuroquila A were the only misses in the on demand Boot sector test Though the scan speed is slower than average it was by no means frustratingly so and threw up no false positives PC cillin s other on demand results were unex ceptional by dint of resembling those of other products The on access scanner does not test for boot viruses but all other test sets were detected equally well on access and on demand Given how few products detected and missed the same viruses in on access as in on demand modes this is actually an encouraging result in terms of what it says about the product s developmental consistency Conclusion A comparison with last month s DOS comparative shows perhaps not surprisingly that NT products handle macro scanning more effectively than
32. PC in 20 9 seconds It is interesting and highly confusing that this is actually faster than the 22 seconds quoted above for a Complete Test during which only the files that have been altered are actually scanned What is the point in having the Complete Test inspect its valida tion database if this process is slower than actually scan ning the files Most odd I scanned inside internally compressed files the scan time went up to 23 6 seconds and inside archive files ZIP ARJ etc which further increased it to 28 3 seconds Finally I used the heuristic scanner and this pushed the scan time to 51 1 seconds For comparison purposes the DOS version of Dr Solo mon s Anti Virus Toolkit took 57 seconds and the DOS version of SWEEP from Sophos 48 seconds to perform the same scan AVG is no slowcoach it whizzes along much faster than competitor products on the market Memory resident Scanning The memory resident scanner provided with AVG can be set up to check floppy disks or files and to ask the user what to do if an infection is found Note that I have not mentioned any options that can tailor how this software actually operates there do not appear to be any The control program for the memory resident software still has a few obvious bugs Click the schedule tab and the program closes This is not exactly an endearing habit Likewise the boxes that activate scanning of floppy disks and or files can be
33. V unless it already is V in which case is used instead Further actions include Disinfect which attempts to clean up the infection and Report which simply adds the information to the log file When Quarantine Delete or Disinfect are selected a copy of the original file is put in the quarantine directory using a hexadecimal number for identification This is the default action on virus detection unless the SAVE option is used when the software is first loaded You can choose on access scanning of files when they are opened closed or both To relieve the load on the server when a file is closed and has been modified it is put in a queue to be scanned within a five minute window Should the file be re opened during this period it is automatically scanned even if scan on file open is disabled Multiple scheduled scans can be set up independently with a description to identify the scan options and the item to scan Scans can be scheduled by frequency or by period including Daily Weekly Monthly or Quarterly Alterna tively a delayed scan can be defined with a period of Hours Days Weeks or Months The duration of scheduled scans can also be configured and there are three options in case a scan runs past its defined stop time Finish continues scanning until completed Wait stops the scan and remembers which files are still to be scanned so the next time that scanning configuration is run it picks up f
34. acro 98 5 tW Overall o a 90 7 Polymorphic 84 3 tW Boot 100 0 Standard 99 1 NAV s discovery of all samples in the on demand boot test continues its good recent record there Detection of Standard test set viruses has improved yet in other on demand areas the new specimens proved problematic for NAV No false positives were produced on the other hand Scanning speed 80 60 was decidedly average Worse news was in evidence 40 with the on access boot tests where a combination of simple misses and inability to access 20 diskettes gave rise to nineteen misses As an addition to these 0 2 AMM imperfections the buffering syndrome similar to that seen with GeCAD RAV and McAfee Hye Qe NPT HO eA ye D ra N est A or ot wt i D BG PC sit ge N ws or gi ee pot ec p of ot of wo AS at g ow wo we Tat VirusScan was again apparent oo ye oe et wo w O N K pao of j K 8 K ot Results other than these were S oye comparable to those of the on demand tests VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 17 Standard Detection Rates mw On demand 100 mw
35. activated from almost anywhere along a VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 20 VIRUS BULLETIN MARCH 1998 The general settings page is one of the many pages of configuration options horizontal line stretching out from the box itself through its title and on towards the right hand side of the window The invoice for my consultancy fee is in the post AVG s memory resident scanner checks for viruses while infected files are being copied from one location to another It seemed reasonable at detection although absolute figures are hard to come by as it always interrupted a file copy whenever an infected file was found I waded through hundreds of individual keypresses for the ItW test set only to find that after 248 viruses had been detected the screen informing me of a virus detection was replaced by a series of apparently randomly coloured rectangles This is called a software bug As expected the memory resident software was far less efficient at spotting polymorphic test samples Indeed it had got about one third of the way through copying the entire 13 000 strong Polymorphic test set before it detected a single file as being infected When I tried to d
36. and First Steps User Manual and Computer Viruses and You The titles are fairly self explanatory The Installation booklet is very short and to the point It contains just over eight pages nearly half of which are taken up with the licence conditions and details of the warranty This manual can be succinctly summarized thus use the floppy disks follow the instructions to install the AVG software and do not forget to read the licence conditions or else Speaking of the AVG licence it contains some very odd clauses for instance the product is not sold it is licensed for a period of time which is fairly standard However all parts of the packaging must be kept for when the licence expires which is presumably when you no longer require the product and stop paying for upgrades The licence explicitly includes the wrapping of the distribution package in the list of things that must be retained for subsequent return to the vendors Lawyers are wonderful just when you thought that they might inhabit the real world after all they come up with nonsense like that and shatter the illusion Hands up all those users who not only keep the box in which a software product is packed but also keep the wrapping paper Nobody I thought so The licence also includes a wonderful cop out which states that and I quote The manufacturer does not guarantee the perfect operation of the system if the system is used on
37. anti virus software can really afford any significant degree of protection against this menace growing quickly at a rate of around one to three each day In case you haven t guessed I don t believe that any software can protect you from Trojans They are unlike viruses not self spreading Trojan Horse events tend to be point occurrences a Trojan appears often in highly localized settings draws attention to itself and is never seen again apart from in the collections of people who might otherwise find trainspotting a worthwhile pastime Advocating scanning as protection against Trojans fosters an inaccurate image of what the anti virus industry can do for its users Just as you cannot definitively determine whether an aribitrary file is a virus you cannot tell whether it is a Trojan As Trojans don t tend to last detecting them whilst not completely pointless is much less valuable than adding detection of viruses to a scanner Anti virus users seem to accept that new viruses might not be properly dealt with when first they arise The flip side is that any virus incident they have is quite unlikely to involve a new virus However the balance is quite different with Trojans Setting itself and by association the rest of the industry up as the Trojan protectors this developer is courting trouble It will be pointed out that a few Trojans have reappeared repetitively in Usenet postings and many new AOL pas
38. cally focused Pojer and nationalistic Slovakian viruses Tiso a Murgas On 1 January 1993 Czechoslovakia was divided into two individual states the Czech Republic and Slovakia Fortunately the split was very calm and peaceful and both new states maintain common interests close economic relations and many other contacts The virus scene devel oped quite differently however While nothing really interesting happened in the Czech Republic apart from a few local boring viruses within a few years Slovakia became a real virus empire In Slovakia Slovak viruses include Dzino Monte_Carlo Explosion and the infamous One_Half there are several variants but those most widely spread are 3544 and 3577 One_Half appeared in the spring of 1994 and remained the most widespread virus in the Czech Republic and Slovakia for years Undoubtedly the fact that many foreign anti virus products were unable to detect this virus for more than a year contributed to this situation The virus is unpleasant mainly because it encrypts data on the hard drive removing the virus outright can cause serious data loss Interestingly one Slovak newspaper reprinted an IRC debate about software piracy in which Vyvojar Devel oper the author of One_Half participated anonymously Asked why he built data encryption into his creation he replied that he did not want users to remove the virus but to share their computers with it Then came Lion_Ki
39. come imprac tical Finding the flag s equation for each processor is sometimes possible but takes a long time The commonest problem is that of the MUL IMUL followed by BCD adjust preventing some 386 486 generated samples from decrypt ing correctly on Pentium or Pentium Pro CPUs true for about 8 of replicants Other problems involve TEST followed by BCD adjust and shift instructions Document ing all these instructions is certainly tedious work and may become an impossible task as chips get more complex A different approach would simply note that a problem flag was involved in the instruction to be emulated Should it eventually be decided there is no virus the emulator would rewind to that point and the other flag state would be emulated Even if Cryptor 2169 makes emulation more difficult it is still perfectly easy to detect based on the analysis of the decryption head Moreover it does not spread well and it generates a lot of V86 mode intendeds This applies equally well to the other two Cryptors Cryptor 2169 is a true polymorphic virus but observing its polymorphic heads reveals a constant architecture This can be used for detection purposes obviating any advantage its author may have hoped to gain from its polymorphic convolutions Seeing beyond its decryption layer in a reliable way involves tons of tricky processor details but is ultimately unnecessary for the virus scanner Fortunately like the o
40. cryption loop being generated in parallel at another place in memory It starts with code to load the counter with LEA or MOV and the pointer with a variable CALL POP relocator There are three to sixteen encryption instruc tions that can be anything from NEG NOT INC ROLI ADD DEC ROR1 SUB to XOR applied to the de referenced pointer using a random register as the second argument if one is required There follows the pointer increment and counter decrement once again variable and the loop instruction LOOP or JNZ Pffff Done with it After the engine has generated both the decryption and inverse encryption routine it applies the encryption to the virus body prepends the decryption routine and returns the length of the new sample to the replication code which can then write it to the host file Anti emulator Features Cryptor may have been designed to cause problems to emulators Whether it was or not it has caused some discussion amongst anti virus developers The virus attempt to fool emulators into thinking that the decryptor code is just casual program code is obvious from its use of numerous Int 21h function calls see the list above This is not that much of a problem because the return values from these functions are never used As we saw earlier these function calls appear only in the first useless part of the decryptor and are surrounded by completely unrelated code Thus an emulator treating th
41. cts the virus in memory Alia 1023 2EA1 9000 3D4D 5A74 03E9 1002 2EA0 AA00 3C43 7503 E905 02B0 DMR A one sector boot sector virus infecting hard disk MBRs and floppy DOS boot sectors It does not save the original boot sectors The system always boots from an active hard disk partition It contains the text AntiWin95 at offset 003Eh the first two characters are used in self recognition AntiWin95 B801 008E D880 3E72 043C 7448 FABE 0304 AD48 4E4E 8904 FBB1 MCER A multi partite stealth encrypted 2260 byte appender containing the text Coup De Main Please Say She Don t Annoy Me When infecting a hard disk the virus stores its code in cylinder 0 head 0 sectors 3 4 5 6 7 and the original MBR in cylinder 0 head 0 sector 8 After a machine boots from an infected disk ten times the virus displays its message after fifteen boots it disinfects itself and restores the original MBR Both patterns can be used for memory detection Coup 2260 MBRs BA80 OOFA 8306 8600 0483 2E13 0404 B800 9F8E C050 FBB8 0602 Coup 2260 files 2E28 042E 8034 8046 2EFE 0629 0459 E2D1 2E80 3E2A 0401 740D MDR A boot sector virus infecting hard disk MBRs and floppy DOS Boot Sectors Two sectors long it stores the original MBR and its second sector on hard disks in cylinder 0 head 0 sectors 14 and 15 On floppies the original DBS and the virus second sector are stored in cylinder 0 head 1 sectors 14 and 15 The virus contains the texts Tel
42. e In the Wild Boot test results published in the January Windows 95 comparative review We reported that both products missed two samples from that test set Michelangelo and MISiS On re testing these products on the original test machine and several others IBM AntiVirus and iRiS AntiVirus always detected these viruses Other products that also failed to detect these viruses in the original test still failed to detect them in the re testing Efforts to reproduce the conditions that led to the original testing failure have been unsuccessful As a precautionary measure Virus Bulletin will not use the computer that gave rise to the suspect January results in future boot sector testing Unfortunately this error means that JBM AntiVirus for Windows 95 was not recognized with the VB 100 award it deserved Virus Bulletin would like to thank the technical staff at JBM for their assistance in attempting to locate the source of this error Subsequent reprints of the January test results will contain the correct scores Czech or Slovakian Our apologies are also due to two anti virus companies based in the former Czechoslovakia which participated in February s DOS comparative review In last month s issue we referred to the anti virus company Grisoft as Slovakian and to Slovakian ESET as Czech To clarify Grisoft the developers of AVG are based in the Czech Republic while ESET the company which produces NOD iCE operates out of Slo
43. e only tradi tional on access scanner is the macro detector Cat s Claw Polymorphic Detection Rates On demand 100 m On access This component did not quite detect as many macro viruses as the on demand scanner Logging of on access scanning was less controllable than suggested This proved a com mon flaw in the tested programs too many of which on access relied upon binary log files or provided no log file Sophos SWEEP v3 05 5 Jan 1998 tW Overall 99 6 Macro 100 0 tW Overall o a 99 6 Polymorphic 99 0 tW Boot 100 0 Standard 99 7 A good result for Sophos but a definite downturn from past near perfect detection SWEEP missed the new ItW File virus Win95 Anxiety and mysteriously five samples of Neuroquila A from the Polymorphic test set The latter is surprising given that SWEEP has consistently detected all samples in this test set for many reviews In the Standard set Positron was undetected which is almost certainly by design as it has been the lone missed sample from the Standard test set for several consecutive comparatives SWEEP s on access component proved the only equal to Dr Solomon s in detecting all boot sector viruses and like AVTK and IBM AntiVirus the results obtained by on access and on demand scanning were exactly comparable Speed on demand was neither good nor bad and the clean files were all correctly reported as uninfected Symantec Norton AntiVirus v4 0 tW Overall 98 1 M
44. elete files that had been used in this copying test the memory resident software indicated files that were in the Windows Recycling Bin as infected This may be thorough but it is also a thorough nuisance There should be an option available to disable this action The Rest A Quick Test can be executed which just looks at the disk locations and files that are deemed to be either important or likely to be infected This list can be tailored by the user Using its default settings the Quick Test option checked the C drive of my test PC in about one second almost too quick to measure It really lives up to its name A specific menu option is provided to check out floppy disks I like this idea many a time I have wrestled with a product s intricate menu system trying to find out how to scan a floppy disk Having an easy way to kick start this process is a real boon On line information about viruses and families of viruses is provided What is there is very helpful easy to under stand and most comprehensive However there are about 170 names of individual viruses in the list entitled Virus Information Some of these contain more than one entry but even so this does not even begin to compare with the total of well over 10 000 viruses of which many scanners claim knowledge Finally utilities are included to make an emergency diskette introduce scan strings entered by the user update the software and run so
45. em as no ops will do fine However strict emulators may encounter problems in this first part because it often contains instructions that access words across segment boundaries The real problem comes after that while trying to emulate the key generation portion of the decryptor This piece of code affects the register loading and contains random instructions from the first and second groups Thus it can include BCD adjust and MUL IMUL instructions The behaviour of BCD adjust is partially determined by the value of the auxiliary carry flag AF which after MUL or IMUL is undefined This however does not mean that it is unknown For instance on some processors AF is un changed after a MUL on others it will be reset and on yet others AF s state after a MUL depends on the input values Thus in order to obtain the same decryption key under emulation as at encryption time the emulator would have to imitate exactly the processor of the machine on which the virus sample was generated The emulator may have to mimic all processors behaviours for each potential virus sample This raises a performance problem which can be solved by selecting only those samples containing some instruction patterns for multi emulation A second problem is how to emulate the exact behaviour of a specific processor for a given partially undocumented instruction like MUL The one table per processor approach is simple but would very quickly be
46. error on top of a virus alert Affairs are not so promising on access where boot sector scanning was ignored completely Polymorphic detection is again a trifle over the on demand rate with similar com ments applying as were warranted by Inoculan Other detection rates dropped due to the need for speed rather than massive detection efficiency A product which shows its age and will hopefully have a worthy successor VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 12 VIRUS BULLETIN MARCH 1998 RW Boot tW File re Macro Polymorphic Standard On access tests Number Number Number Number Number Alwil AVAST32 80 89 9 n a n a n a n a n a n a n a n a n a Cheyenne Inoculan 75 84 3 643 98 8 93 8 690 93 0 12750 91 2 883 99 6 Command F PROT Pro 0 0 0 621 98 2 64 2 733 98 5 7082 47 1 798 92 6 Cybec VET 79 88 8 622 98 4 95 1 744 100 0 12998 95 4 867 97 9 Dr Solomon s AVTK 89 100 0 651 100 0 100 0 744 100 0 13500 100 0 887 100 0 EliaShim ViruSafe 0 0 0 649 99 9 65 3 731 98 2 13163 95 4 878 99 4 IBM AntiVirus 87 97 8 647 99 4 98 8 744 100 0 13000 96 3 887 100 0 Intel LANDesk Virus
47. ess I believe that anti virus companies will face up to new viruses other dangerous programs and threats with the same success in the future as they have done in the past VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 10 VIRUS BULLETIN MARCH 1998 COMPARATIVE REVIEW Scanning on NT The last time we ran an NT comparative review was in September 1997 where we predicted the wider deployment of NT as a desktop operating system rather than as a server platform see VB September 1997 p 10 It appears we were right and this current comparative concentrates again on NT workstation Nineteen products were submitted for review and as expected an on access scanning option is fast becoming standard Several companies which had not included an on access scanner with the product submitted for this test claim that the option is scheduled for addition in the next release Testing testing All tests were run from the Administrator usercode on a standalone Windows NT 4 0 workstation with Service Pack 3 installed Boot sector detection tests were run simultane ously with the file scanning tests but on another machine to save time Sector level image backups were used to restore the workstati
48. ess code and seeds the processor state None of the random instructions generated thereafter using AX or the carry flag will then yield a result dependent on an exterior factor which is more than likely to vary from the time of the encryption to that of the decryption Then comes code to load the seven word registers not SP in random order interspersed with random instructions from the first group VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 7 DEC INC XCHG with AX excluded since these might cause undefined parameters from the useless bit to influ ence the key generation At this point the state of the processor is well defined and the piece of code that follows in the decryptor head is designed to make it evolve in a deterministic way inde pendent of the program s environment The particular piece of code after the register loading is composed of 40 to 80 instructions taken exclusively from the first and second groups which guarantees that nothing outside the processor state influences the key This key generation phase appears in both the decryption and encryption routines Finally the decryption loop itself is generated the inverse en
49. fect detection of the ItW Boot set on demand The Standard and Macro sets were also perfectly detected a slight improvement in the macros over the last NT comparative This places Alwil with only four other products which scored over 99 In the Wild Overall in this comparative A good improvement was seen against the Polymorphic test set Although Alwil provides an on access scanner we could not test its detection rate This is because apart from its boot virus detection it only intercepts attempts to execute potentially infected objects and our testing facility is set up to run tests where the whole system needs rebuilding between each sample to ensure an accurate test This was by far the slowest of the scanners tested six times slower than its nearest competitor and fifty times more sedentary than its speediest competitor Alwil has opted to give AVAST32 a very low thread priority to the extent that a full scan should be almost invisible in terms of overhead on other applications The clean scan did show up a pair of false positives however so perhaps this area will be the next to see some very fine tuning Cheyenne Inoculan v4 04 15 Jan 1998 tW Overall 98 8 Macro 93 1 tW Overall o a 93 8 Polymorphic 90 9 tW Boot 98 9 Standard 99 6 The on demand boot test slipped up on the Hare 7610 sample and caused non fatal errors on the thirteen samples with less than standard disk formats caused by the virus meddlings This sli
50. fected files have the word 4B4Dh MK at the end of their code Kate 585 9C3D 4D99 7504 BO4B 9DCF 80FC 4B74 0580 FC3D 75E6 60FC E800 ER An encrypted 1663 byte appender containing the text Nothing can save you here friend you re in my world now ECHO I m watching you and MadMan The first message is displayed when Alt Ctrl Del keys are pressed the second is appended to BAT files Infected files have the word 4D4Dh MM at offset 0004h from the end ladman 1663 8CC8 2D10 OOFA 8EDO B9FF 0231 ED81 B664 02E7 F345 4590 9090 CN An appending 407 byte direct infector containing the text com On Sundays the virus does not replicate but displays the word VIRUS jainman 407 B640 B997 018A E68D 9603 01CD 21B4 3ECD 21B4 3B8D 968D CN An encrypted 800 byte appender containing the text lt MOSKAU98 gt Stas Infected files start with the word DE03h ADD BX SD loskau 800 OA8B F581 C659 018C C8CD 013E C686 C400 568B C505 C602 FFEO CER A polymorphic stealth encrypted 5154 byte virus containing the texts Hello Mr Odehnal GRISOFT c SOFTWARE 1989 96 BE CAREFUL CMOS DEAD DATA DESTROYED V F TB SYS SCAN CLEAN WIN GUARD 286 386 CHK and EXECOM03 28 96 The payload overwrites the MBR of the first physical hard disk The following template only detects the virus in memory Mrodehna 51
51. ght deviation from perfection was a common thread running through Jnoculan and there is a tiny slip from the In the Wild scores of the last outing There were improvements healthy against the Polymor phic test set and slight in the other on demand tests Presentation is of course a strong point and it must be admitted that there were many features in the package which a workstation only review cannot address The missing of small numbers of samples across the board points to a weakness in identities rather than overall mechanics which is all the more perplexing since this was the most recently built product of all those tested Despite a slight difficulty in logging it on access scanning was fully supported and produced similar results to those of the on demand option One remarkable feature is that the Polymorphic set was slightly better detected on access than on demand File Macro and Standard tests dropped two samples fewer than their on demand counterparts a creditable result indeed Scanning speed was at the slower end of the pack and a brace of false alarms were reported VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 11
52. hnology a pre configuration wizard customizes VirusScan according to how often the user downloads files from the Internet friends or floppies Virus Alerts are via Claris E Mailer and Eudora VirusScan 3 0 costs 29 95 and free 30 day evaluations are available For more information refer to the company s web page at http www networkassociates com The Audit Commission s February 1998 update is entitled Ghost in the Machine Analysis of IT Fraud and Abuse New research conducted in the form of a survey of 900 public and private sector companies reveals that the UK currently spends 26 billion on IT and that computer fraud and abuse affects 46 of businesses up from 36 in 1994 Computer viruses were the most prevalent form of IT abuse reported with the cost to organizations of each virus alert rising from 1000 per incident in 1994 to over 1700 in 1997 After three years of technical cooperation Norman is to acquire ThunderByte ThunderByte Headquarters in Wijchen the Nether lands now known as ESaSS BV is to be renamed Norman Data Defense Systems BV All ThunderByte security products will be incorporated into the Norman product range Gunnel Wullstein President of Norman Data Defense Systems believes In the future only the strong technical players will survive Good marketing is not enough Contact Harald Zeeman for details Tel 31 24 6488555 or email zeeman norman nl VIRUS BULLETIN 1998 Virus Bullet
53. hoslovakia signifi cantly In addition to the Yankee_Doodle family PingPong MusicBug Green_Caterpillar 1575 Stoned and Michelangelo appeared at this time The first Czech virus was probably Yankee Login which recorded all the user names and passwords entered via the NetWare LOGIN EXE utility It was possible to misuse this information to access unauthorized networks Semtex was the first virus created in Slovakia Regrettably the Czecho slovak media took part in the exaggerated campaign which forecast catastrophe and made Michelangelo the hit of 1992 Although the events of 6 March made a mockery of that prediction there were painful data losses in some cases The DIR_II virus also caused great excitement when it spread and later disappeared equally rapidly On the other hand Civil_Defense 6672 achieved long term success It was much more successful in Czechoslovakia than in Russia its country of origin This quite long and complex virus contains many effects Russian songs political slogans and even poems flashing keyboard lights and simulated keyboard errors In many cases it was detected only because of its conflict with disk types in the CMOS memory on some computers This virus infects the MBR on hard drives and EXE files on diskettes spreading from one PC to another It is interesting that a similar principle was used later in the Slovak virus One_Half Other examples of local viruses include the Helloween family the politi
54. ime it is still a considerable flaw EliaShim is the third of this month s products to be more effective against the polymorphics when using on access scanning In contrast on access scanning does not apply to boot sectors and changes to other categories are in the expected range of small drops in detection GeCAD RAV v5 20 tW Overall 82 8 Macro 64 3 tW Overall o a n a Polymorphic 98 1 tW Boot 86 5 Standard 92 6 Hard Disk Scan Rates 9000 GeCAD s RAV is relatively new to VB tests and this is its NT comparative debut It is the first alphabetically of six products not to include an on access scanner Despite its Romanian provenance the program suffered no problems in translation but several in implementation The detection rates were not high with the exception of the Polymorphic set 98 1 detection here places it an impres sive fourth amongst some lofty company Speed is a little on the sluggish side and 33 false alarms are far too many All this accepted the real problems came in the boot sector test where buffering problems proved a nightmare Each diskette was only detected as being virus ridden once and then not again until a different virus had been tested Worse still if for example a Stoned variant was tested it caused other successive but different Stoned variants to be ignored until a different family had been interpolated into the series Somewhat disturbingly the error message there is so
55. impact of the real time scanner on the server s performance the following test was executed Sixty three files totalling 4 641 722 bytes EXE files from SYS PUBLIC were copied from one server directory to another using Novell s NCOPY which keeps the data transfer within the server itself minimizing network effects Various combinations of settings were used including running the on demand scanner concurrently with on access scanning The directories used for the source and target were excluded from the on demand scan to avoid the risk of a file being scanned while waiting to be copied As mentioned earlier there is a delay with real time scanning to ease the load on the server In order to test the real time scan sensibly it was necessary to introduce an extra routine which performed an open and close on each file copied to the target directory Due to the different processes which occur within the server the time tests were run ten times for each setting and an average taken The utilization was left at the default of 40 and the number of buffers left at their default of 20 The test conditions were e NLM not loaded This establishes the baseline time for copying the files on the server e NLM loaded Open No Close No and Scan No This tests the impact of the scanner in its quiescent state with no real time or immediate scan in progress e NLM loaded Open Yes Close No and Scan No This shows the overhead when
56. in Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers
57. irus for NetWare v 4 0 Developer Command Software Systems Ltd Millbank Tower London SW1 4PQ UK Tel 44 171 931 9301 fax 44 171 931 9302 email sales command co uk WWW http www commandcom com Price Single sever 360 Volume discounts are available Hardware Used Server Compaq Prolinea 590 80 MB of RAM 2 GB hard disk running NetWare 3 12 Workstation Compaq Deskpro XE 466 16 MB of RAM 207 MB hard disk running Windows 95 1 Test sets Complete listings of the test sets used are at http www virusbtn com Comparatives NT 199803 test_sets html VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 24 VIRUS BULLETIN MARCH 1998 ADVISORY BOARD Pavel Baudis Alwil Software Czech Republic Ray Glath RG Software Inc USA Sarah Gordon WildList Organization International USA Shimon Gruper EliaShim Israel Dmitry Gryaznov Dr Solomon s Software UK Dr Jan Hruska Sophos Plc UK Eugene Kaspersky KAMI Ltd Russia Jimmy Kuo McAfee Associates USA Charles Renert Symantec Corporation USA Roger Riordan Cybec Pty Ltd Australia Roger Thompson ICSA USA Fridrik Skulason FRISK Software International Iceland Joseph Wells Wells Research USA Dr Steve White
58. it creates the daily scan options The load time option NoDailyScan prevents this from happening Other load time options include setting the server utilization level to something other than the default of 40 changing the maximum number of buffers default 20 and choosing whether to save infected files There are four ways of controlling the server software the first being to use the console command line This will display a table of the various options available from the console Secondly FENCON NLM provides a menu driven version of the console commands Thirdly the F PROT INI configuration file can be edited This can contain settings for Log File Global Settings Real Time scanning Manual scanning Scheduled scanning and Reports After modifying the F PROT INI file the running NLM must be re initialized for the changes to take effect This can be done in three ways the first being to unload then reload the NLM The second method is by issuing the console command F PROT REI and the third and most convenient method is to use the Windows Administration program from a workstation This is also the fourth method of controlling the server software alluded to above Cmte fied ios he Aer dee de The CSAV scanner provides the usual three modes of operation Immediate Scheduled and On access Real time In addition there is a Global option which allows all three modes to be updated with an identical setting with
59. itives this shows a massive improvement 0 somewhere in the code This apart the program operated as expected and missed only the Hare 7610 on the boot test RSi P KO we or oe Detection rates were somewhat down from previous Windows NT incarnations of iRiS AntiVirus though this can with hope be ascribed to the rather old scan string files submitted for testing On a more positive note polymorphic detection was up significantly an area of noted weakness last September KAMI AVP v3 0 Build 117 5 Jan 1998 tW Overall 94 9 Macro 100 0 tW Overall o a n a Polymorphic 99 1 tW Boot 85 4 Standard 100 0 Rumours of great changes afoot at KAMI are clearly not based upon any great problems with the product as can be seen by these results AVP fell well within the commonest range of speeds at 286 seconds and threw up no false alarms an improvement upon the previous NT comparative This improvement was apparent in all facets of the detec tion ability of the program which missed just one sample of DSCE Demo in the Polymorphic test set The boot sector problems on the other hand remained much the same as before Failure to read the thirteen confusing disks without producing errors prevented AVP from displaying its full ability to detect In the Wild Boot samples A slightly confusing artifact could also be generated if infected disks were interrupted in scanning after they had been declared infected on screen Under these circum
60. ka 4250 Stealth_Boot Stoned Tentacle Tentacle_ll Tequila TPVO Tubo Twno Uruguay V2P6 and V 947 VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 4 VIRUS BULLETIN MARCH 1998 IBM PC VIRUSES UPDATE The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as Type Codes of 15 February 1998 Each entry consists of the virus name its aliases if any and the virus type This is followed by a short description if available and a 24 D Infects DOS Boot Sector byte hexadecimal search pattern to detect the presence logical sector 0 on disk N Not memory resident of the virus with a disk utility or a dedicated scanner E MECS EXE tiles P Companion virus which contains a user updatable pattern library Alia 1023 AntiWin95 Coup 2260 Energy Ermua Exeheader 406 Exeheader 448 Fairground 813 Flag Glitter 2207 C Infects COM files M Infects Master Boot Sector Track 0 Head 0 Sector 1 Link virus R Memory resident after infection ER A polymorphic encrypted 1023 byte appender containing the text ALIA All infected files have the byte 43h C at offset 0001Ah The following template only dete
61. mething called Code Emulation This last facility allows expert Grisoft s word users to analyse suspicious programs by stepping through their code with the emulator from the AVG heuristic engine not for the faint hearted this one Conclusion Face facts the basic detection rate of AVG needs some more work Competitor products are much better at the core task of detecting viruses Having said that the operational aspects of AVG are good it is a delight to use works very quickly indeed and provides all the usual features The developers of AVG are probably perfectly well aware of these conclusions they must know their current hit rate It is obvious in their own Virus Information section which is somewhat short on content The question is are they prepared to put in the sheer number of man hours that are required to increase the virus knowledge incorporated into AVG We shall see Do not even consider purchasing AVG unless the developers agree to remove the standard IBM PC clause from their licence It is onerous and makes it impossible ever to have a legal claim against the developers Likewise unless you have a fetish for collecting waste paper insist that the clause about keeping the product s wrapping paper for ever and a day is removed from the AVG licence it is just daft Technical Details Product AVG v5 0 for Windows 95 Developer Grisoft Software Ltd Lidicka 81 602
62. mething missing please verify a appeared consistently during testing and detection seemed to fail when the program was present as a tray icon Problems there are but promise too and it must be remembered that some of todays high fliers made less than stunning debuts Grisoft AVG v5 0 Build 1207 tW Overall 80 0 Macro 88 3 tW Overall o a n a Polymorphic 81 6 tW Boot 76 4 Standard 78 6 Another Eastern European product relatively new to VB tests AVG claims resident protection for its product which is designed to serve both Windows 95 and NT equally Some platforms are more equal than others however and the resident protection is in the form of a VxD which of course does not work under NT On a happier note AVG saw no aberrations in the Clean test set which it ran through in an entirely respectable 185 seconds 8000 Detection rates were very similar to those seen in the DOS comparative 7000 review in the February issue with 6000 the In the Wild Boot test set being the particular sticking point once more AVG failed to read any of those disks with less than absolutely standard formats and thus dropped down by the unlucky thirteen into Throughput KB s the realms of poor performance The detection rates in the compara o hua ahn tive give an overview but the standalone review on p 18 of this 5000 4000 3000 2000 1000 hel y geo o S
63. nation of various reports depending on requirements Details of infected files scan summaries or scan progress can be shown on the CSAV administration screen and or log file Scan summaries can also be dis played on the console while infection details can be reported to AlertTrack and the console as well as both the CSAV screen and the log file When working with multiple servers it is possible to define a master log server as a focal point for all the reports Alert Management and Updates Alert management for workstation infections is handled separately using an additional NLM AlertTrack Lite This needs to be installed only on a single server and can be loaded separately at a later date It provides the facility to send warning messages via various communication chan nels Pager Alpha numeric Pager MHS Mail Pegasus Mail SNMP Broadcast Messages and FaxWare This is provided simply by installing the appropriate workstation version of Command AntiVirus on the workstation There is a software deployment option which allows files to be updated on selected servers running CSAV within a domain Two choices are offered One deploys the CSAV for NetWare files and the other can deploy selected files from a defined list This list could include the files for the worksta tion anti virus software which then could be pushed down to the client machines as needed Detection Results The scanner was tested against the four VB test sets
64. ng 3531 but it did not spread much and another One_Half descend ant Explosion Level 3 Two new Slovak viruses appeared in 1996 DarkParanoid see VB January 1998 p 8 and Tiny Mutation Compiler there are two variants of TMC Level 42 and Level 69 DarkParanoid contains an interesting innovation It is fully polymorphic in memory The virus is encrypted in memory and is decrypted one instruction at a time Encryption and decryption are done via Int 01h but even this routine is polymorphic and it is created when the virus installs itself in memory The principle behind the process is explained in the text which reads ENGINE OF ETERNAL ENCRYPTION However the virus operation itself is so complex and computer slowdown so visible that its spread is almost impossible The TMC virus is a memory resident parasitic COM and EXE infector of 4835 bytes It infects on file opening and rename and on program execution setting files seconds value to eight It contains the following text TMC 1 0 by Ender from Slovakia Welcome to the Tiny Mutation Compiler Dis is level 42 Greetings to virus makers Dark Avenger Vyvojar Hell Angel Personal greetings K K Dark Punisher Tiny Mutation Compiler s text reveals how this virus is unique When active in memory TMC is able to change its body by switching instructions yet it still remains func VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire
65. ns government offices large banks and important companies have worked out their anti virus policies and use an anti virus program The great interest in this issue is reflected in the fact that there are also hundreds of participants at regular anti virus conferences in one case I read over 600 The use of the Internet has increased rapidly during the last two years The biggest danger comes not from VX web pages but from the use of electronic mail with attached files Many Czech and Slovak companies are still not aware of the risks involved in the use of email and so there have been cases where 200 computers belonging to the same organization were infected by CAP in one afternoon It shows that the scanning of electronic mail is becoming more and more important The virus problem here is such that there are three anti virus products for a combined population of about fifteen million two Czech AVAST my product and Grisoft s AVG and the Slovakian NOD iCE from ESET The Future It is always very difficult to predict the future with confi dence However increasing use of the Internet and further development of operating systems and applications espe cially Microsoft s will definitely influence the virus situation Local events will probably contribute to it as well especially as nobody knows what the local virus authors especially Slovak will bring out next Of course there will be many random factors too Neverthel
66. ns the error Path A does not exist and fails to look at the boot sector Consider the misinformed but ubiquitous Joe Bloggs who knows that deleting all files on a disk will destroy viruses on it if he performs this task VirusScan could incorrectly agree that he has been successful This bug will also see VirusScan fail to detect boot infections on new pre formatted but infected diskettes At this point optimists are allowed to mention the detection rates on access These are a bit better though suffering like RAV from a buffering problem which makes detection possible if somewhat hit and miss The on access scanner is on by default so a user would have to turn it off deliber ately In a compounding sin however the resident program makes scanning boot sectors an unstable affair at best The scanner crashed NT to a featureless desktop no fewer than seven times in the boot sector testing process and not on any particular subset of disks Joe Bloggs might take this as a fair enough reason to turn off the on access scanner you can imagine the rest VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 16 VIRUS BULLETIN MARCH 1998 Norman ThunderByte v8 04 29 Dec 1997 tW O
67. omewhat but it only raised the number to 713 92 1 when the default heuristic was used sensitive heuristic detection obtained exactly the same result When the 716 files of the Macro test set were scanned no matter which method of scanning or what type of heuristic scanning was used the result was always the same 650 were detected as being infected 90 7 i e heuristic detection does not increase the chance of detecting a macro virus This is perhaps unsurprising and many products exhibit exactly the same property The Polymorphic test set contains 13 000 viruses 500 samples of 26 viruses and the AVG standalone scanner detected 10 526 80 9 Heuristic detection fared better raising the detection rate to 11 996 92 2 This result remained the same no matter whether default or sensi tive heuristic detection was used In the Wild Boot sector virus detection was a little better at 94 5 86 from 91 but this is a test where you should expect 100 detection False Alarms When I tested AVG against the VB Clean test set 5500 executable files held on CD ROM all of which have been copied from well known software products none of which are infected with a virus it did not find any virus infections Given that AVG had informed me that three Windows 95 files were infected see above this result seemed rather curious Speed Using its default settings AVG scanned the C drive of my test
68. on Polymor phics saw Cryptor 2582 the only failure though a full set of failures admittedly but besides these JBMAV detected all samples in the non ItW test sets Speed was fine though oo wo roa we suggesting you run the on demand scanner instead During testing there was a perverse hope that the on access scanner would detect some of the on demand missed samples just to see the resulting confusion Another product for whom the full set was close but not quite there N r wt aA ae ory we or pe a Intel LANDesk Virus Protect v5 01 16 Dec 1997 tW Overall 94 7 Macro 100 0 tW Overall o a 90 9 Polymorphic 92 5 tW Boot 88 8 Standard 97 8 Intel suffered once more at the hands of the boot sector test Thankfully this was simpler to discover than in some programs multiple disk scanning being a feature more common in DOS products but supported well here Unfor tunately LANDesk Virus Protect was unable to detect a selection of rather aged viruses still in the wild again including the venerable Stoned standard which caught it out in the previous NT comparative A perfect score on the Macro test set is encouraging and on demand scores against the other three test sets were respectable but hardly earth shattering in their magnitude On access results were pretty much the same as the on demand ones in the Macro Polymorphic and Standard sets In the Wild File was a little worse for on access detection than on demand
69. on between tests The usual Virus Bulletin test sets In the Wild File and Boot Macro Polymorphic and Standard were used in this review The ItW sets were updated to the December 1997 WildList which was the current listing at product submis sion date 5 January The standard Clean test set was used for on access overhead and on demand scanning time tests Generally default settings were used throughout with the exception that on access components where available were disabled during all on demand tests In most cases log files were checked in order to collate detection results With some scanners it was necessary to use the delete infected files option or to quarantine files As in most real world operation the scanners faced a large number of uninfected programs in the main speed tests Here the scanner in question is the foreground application with NT s scheduling set to Maximum boost for the foreground application and no other programs running This procedure also acts as the false positive test in which no viruses should be reported The complete detection results are reported in the main tables The results reported in the product summaries are only the on demand ones plus the on access result for the combined In the Wild test sets Alwil AVAST32 v7 70 12 5 Jan 1998 tW Overall 99 2 Macro 100 0 tW Overall o a n a Polymorphic 95 4 tW Boot 100 0 Standard 100 0 AVAST32 started out with per
70. out having to visit each one in turn These override the ready to go or hard coded settings shipped with the product The former are a set of options pre defined to handle most of the routine activities required of a scanner A number of configuration options are common to all three scan modes and can be defined under Global Defaults The Include List not only contains the default file extensions but can also contain volumes directories and specific files Default file extensions are COM DO DRV EXE FON OV PGM SYS XL There is a separate Exclude List for volumes directories and files to be ignored during a scan Three exclusions are made by default but not displayed These are SYS BACKOUT TTS NetWare bindery files and any quarantine directory you may have configured Scanning Options In the case of Immediate scanning a specific path can be defined just prior to running the scan The actions available if a virus is detected are various Quarantine moves the file to the chosen directory default QUARANT INE Delete VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 22 VIRUS BULLETIN MARCH 1998 removes the file and Rename changes the first character in the file extension to
71. out there and they have a product to help protect you against this new threat Sales must not be going well they have recently been promoting this as a major concern At the VB office we recently received a press release from a major anti virus vendor listing the ten most prevalent viruses it had had reported in the previous month it must have been a slow day in their marketing department that day Cap Concept AntiEXE Form you get the picture nearly as riveting a read as a year s back issues of the VB Prevalence Tables As we seldom have slow days in the VB office at least none that slow it was soon arcing toward the circular file But wait what was that lurking down the bottom of the list rated tenth equal with but nearly overshadowed by Laroux amp various password stealing trojans Tell me more And they did A senior technology consultant had been shaken down and dusted off to inform the awaiting hordes of the press of this terrible new scourge Let s not beat about the bush here We are talking about AOL password stealing Trojans There are of course others but the only ones of any consequence recently are these AOL does not officially admit they are a problem After all when you are the best you don t have problems right just ask Microsoft The press release politely skirts the issue that these are mainly only of concern to AOL users Worse however it ignores the issue of whether
72. reading incoming files e NLM loaded Open No Close Yes and Scan No This shows the overhead when writing outgoing files e NLM loaded Open Yes Close Yes and Scan No This shows the overhead when having both read and write scans in effect e NLM loaded Open Yes Close Yes and Scan Yes This shows the incremental effect of running an immediate scan in addition to the real time scan e NLM unloaded This is run after the other tests to check how well the server returns to its former state See the summary for the detailed results The timing tests were repeated with AlertTrack Lite loaded No interesting variations were noticed in those results The initial impact of loading the scanner software is minimal However it begins to take effect when one of the real time scans is selected The impact of the real time scanner does not vary a great deal between different selections and therefore checking when both opening and closing files is an option The overhead when running AlertTrack was negligible and within the accepted variabil ity of timing results The residual overhead when the NLM is unloaded is minimal and is due to CLIB and Streams NLMs remaining loaded on the server Conclusion Command AntiVirus for NetWare is going through a period of transition as the developers make efforts to customize the product as their own Consequently there is still inconsist ency between product name and file directory
73. rom where it left off Finally Quit stops the scan at the appointed time re running this scan will cause it to start from the beginning Administration As stated earlier changes to configurations can be per formed from the server console by editing F PROT INI but more usually from the administration workstation When the Administration program is first called it requests the selection of the primary server and whether to display all CSAV servers or just the domain controllers There are also facilities for deploying software upgrades from a master server to other servers Reports and Activity Logs A number of logging options are available F PROT HST keeps a history of files that have been quarantined deleted or disinfected These actions are denoted by 0 1 or 2 respectively in the report along with the hexadecimal name of the file and its original location This information can be used in conjunction with the hexadecimal value of the file name to identify the original name and location F PROT LOG contains the results of the scans performed with summaries for manual and scheduled scans To control the size of this log file it is possible to set a maximum and minimum limit either under the Administration program or by setting the values in the INI file Another option is to have detection reports written to the system error log SYS LOG ERR The Administration program has a separate facility to help define the desti
74. say the Unashamed Naked Yeah of course I m the pride of yo nud ll ity I m here to nakedly spread my HELPS say my AIDS along with my UNashamed amp AmeriKindily famous dinocracy yo girly amp pearl in my heart Uh I v this game Pray fo peace guys while I seize strip kisw amp queeze You d enjoy the scene amp hold yo hate I ve no shame once I m spreading AIDS for the sake of yo peace Sure In Songola Moznia Amalia Bozambique my stripsqueeze s going on UNashamed amp NAKEDly UN watch yoself Black Synapse advises Unashamed C BEOO 7C8B E68B FBB9 0300 298C 1388 8B84 1388 DOE1 D3E0 B900 VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 6 VIRUS BULLETIN MARCH 1998 VIRUS ANALYSIS Tales from the Cryptor Fr d ric Perriot IBM Cryptor is a family of very basic direct action file infectors Its members do have a fairly complex polymorphic engine and some anti emulator features which make them interest ing This analysis focuses on the smallest member of the family of polymorphics composed of Cryptor 2169 Cryptor 2582 and Cryptor 3612 versions 1 0 1 5 and 2 0 according to their author Night Spirit Cryptor 2169 causes problems for se
75. sword stealers can be found heuristically True and detecting these could be a worthwhile addition to a scanner However using these historical oddities to project a profitable future in bolting Trojan detection onto anti virus software is folly Your users should simply not run untrusted software VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN MARCH 1998 3 NEWS VB 98 This year s Virus Bulletin conference is to be held at the Hilton Park Hotel Munich in Germany The two day conference will again present corporate and technical streams and runs from Thursday 22 to Friday 23 October 1998 A welcome drinks reception is scheduled for Wednesday 21 October Contact our Conference Manager for details Tel 44 1235 555139 fax 44 1235 531889 or email alie virusbtn com VB 98 coincides with the second largest IT show in Europe For the first time Systems 98 will take place in the purpose built Munich Trade Fair Centre running for the week commencing 19 October 1998 More information about Systems 98 can be found at http www systems de Errata Virus Bulletin apologizes to IBM and iRiS Software Following a lengthy investigation we have found some errors in th
76. the only files on the C drive were either from Windows 95 or they were in stalled by AVG The first time I requested a Complete Test AVG found that three of the Windows 95 files were infected two by an unknown virus More worryingly one file was thought to be infected by the LSD virus The first Complete Test execution took 1 minute and 2 seconds to execute having tested 800 objects their word The second and subsequent executions took just 22 seconds to complete with the same three COM files found to be infected Scanning I tested AVG s detection capabilities against the VB test sets see the Technical Details section below which are stored on CD ROM The AVG scanner stated that it detected 514 of the 549 samples contained in the In the Wild test set 93 6 Frankly this figure is disappointing it should be closer to 100 When the heuristic scanner was used the detection rate increased to 95 6 or 525 of the ItW test files This was better but still nowhere near 100 which belied many of the claims made for the efficacy of the heuristic scanner Heuristic detection still had one trick up its sleeve a sensitive mode of operation but this did not increase the number of viruses detected However the above result was better than the 536 out of a possible 774 viruses 69 2 that the AVG scanner detected against the Standard test set Once again the heuristic scanner improved things s
77. ther Cryptors it is a dumb direct infector and carries no payload Next Aliases None known Variants Cryptor 2169 2582 and 3612 Type Direct action parasitic polymorphic COM infectors Self recognition in Files 24h at offset 04h Hex Pattern None possible Under clean system conditions identify and replace infected files Removal VIRUS BULLETIN 1998 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 98 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 8 VIRUS BULLETIN MARCH 1998 FEATURE Virus Czech Pavel Baudis Alwil Software In the Beginning The former Czechoslovakia experienced its first computer virus Vienna 648 at the same time as neighbouring countries in the spring of 1988 It took almost a year for others including Cascade 1701 Dark_Avenger 1800 Vacsina and Yankee_Doodle to be seen Several variants of Yankee_Doodle appeared among the most widespread viruses over the next few years The so called Velvet revolution brought not only political change but also extensive economic expansion This was reflected in the increased use of computers especially IBM compatible PCs The computer boom coupled with the growth in international contacts both far and near influenced the virus situation in Czec
78. vakia Had we already read Pavel Baudis article published this month see p 8 this faux pas would have been avoided Prevalence Table J anuary 1998 Virus Type Incidents Reports CAP Macro 97 20 7 Concept Macro 29 6 2 Form Boot 29 6 2 AntiEXE Boot 27 5 8 Parity Boot Boot 22 4 7 Monkey Boot 17 3 6 Ripper Boot 17 3 6 Laroux Macro 16 3 4 Npad Macro 15 3 2 Dodgy Boot 13 2 8 NYB Boot 13 2 8 Wazzu Macro 10 2 1 AntiCMOS Boot 8 1 7 Temple Macro 8 1 7 DelCMOS Boot 7 1 5 Appder Macro 5 1 1 Goldfish Macro 5 1 1 Imposter Macro 5 1 1 J unkie Multipartite 5 1 1 Maverick 1536 File 5 1 1 PayC heck Macro 5 1 1 Schumann Macro 5 1 1 WelcomB Boot 5 1 1 ABCD Boot 4 0 9 Galicia 800 M ultipartite 4 0 9 J ohnny Macro 4 0 9 NiceDay Macro 4 0 9 Sampo Boot 4 0 9 Show0 ff Macro 4 0 9 DZT Macro 3 0 6 Exebug Multipartite 3 0 6 Lunch Macro 3 0 6 Natas M ultipartite 3 0 6 Quandary Boot 3 0 6 V Sign Boot 3 0 6 Others H 59 12 6 Total 469 100 Comprising two reports each of ABC Bleah Eco GoodNight Kompu Moloch Mtf Razer She_Has and Swlabs and single reports of Angelina Bandung Barrotes Bonus Cascade Colors CountTen Delwin Demon Dinamo Dub Edwin Flip Helper Int12 J erusalem Zerotime Australian A J imi Kampana MDMA Muck Munch NF Nolnt NOP Oxana Pieck Rapi Spans
79. veral emulators because the polymorphic heads it generates can contain instructions that behave slightly differently from one processor to another Given compatibility with the PC Cryptor 2169 s body will be decrypted restoring the first four bytes to the host carrying out the infection and finally executing There is no payload in this virus The Replication Code Cryptor is a direct action parasitic infector It will infect every COM file in the current directory with a length between 1000 and 60 000 bytes The fourth byte is com pared to 24h On a match the file is closed and passed over Otherwise the virus checks the file size and if within the above bounds calls the polymorphic engine to generate a new sample which is written at the end of the host It continues by seeking back to the beginning writing the jump and the marker closing the file and using FindNext to find another victim until it has tried all the files in the current directory The code dedicated to replication is only 181 bytes long and its error checking is minimal No check is made for EXE files with COM extensions nor for attributes Read only files are not infected Infection changes the file s time and date and adds an average 2525 bytes In tests on 10 000 samples the standard deviation was 37 bytes The Polymorphic Engine The engine in Cryptor 2169 or Universal Polymorphic Device v1 0 as the author calls it can generate
80. verall 99 8 Macro 99 6 tW Overall o a n a Polymorphic 98 1 tW Boot 100 0 Standard 99 2 After such a set of comments it takes something special to be noticed NTVC can thankfully provide this however in the amazing speed at which it scanned the Clean set Eighty eight seconds represents over 6 MB s and with no false positives and without the assistance of checksumming as used by the only faster product is a very creditable result In all test sets NTVC missed a smattering of samples at the risk of being repetitive close but no cigar NTVC provides no on access scanner but instead supplies an installation checksum routine and scheduled background scanning Neither were tested in this review Norman Virus Control v4 30a 5 Jan 1998 tW Overall 99 6 Macro 99 5 tW Overall o a n a Polymorphic 94 2 tW Boot 100 0 Standard 99 7 The last false alarm reared its head in a middle ranking speed test from NVC On demand NVC is efficient but failed to deliver the raft of 100 results we have seen from its brethren in recent comparatives Responsibility for this is entirely attributable to its failure to detect all eighteen samples of Morphine 3500 Polymorphics were also less comprehensively detected than is ideal despite improving considerably over the last three months Testing NVC s interesting approach to on access virus protection involving behaviour blockers and other mecha nisms is beyond the scope of this review Th
81. x was released in Slovakia last year So far only one issue exists containing a short description of Dark_Paranoid TMC and Slow in addition to the four byte long Kyjacisko Asterix magazine is also mentioned in a file attached to Navrhar in which the next issue is announced In the Czech Republic The simple boot virus J amp M appeared in the Czech Republic in 1993 It tries to format track zero of the hard drive on 15 November The media campaign invoked by one local anti virus firm prior to that date resembled that of Michelangelo but again there was no apocalypse More over the damage caused by J amp M could be repaired quite easily J amp M is still very widespread and every year reports of inaccessible disks are received in mid November Much more dangerous is Ripper which with fixed probability swaps two words during disk write operations It is also widespread Tremor arrived shortly after Ripper soon to be followed by Natas 4744 imported directly from Mexico Local Czech viruses include the Helloween family several Pojer variants Raptor variants Vzpomen Velvet Vic Czech Happy Klepavka Ebola Pivrnec several variants of CMOSDeath and also brand new viruses Pastika 2049 December 1997 and Animals 2400 January 1998 The first macro virus appeared in the Czech Republic in September 1995 Of course it was Concept Most users and companies use the Czech version of Word under which due to localization it is
Download Pdf Manuals
Related Search