VIRUS-L Digest             Tuesday, 20 Dec 1988         Volume 1 : Issue 53

Today's Topics:
Viruses in Commercial Software; Write-Tabs
Thwarting the Brain... (PC)
Cold boot vs. warm boot... (PC)
Virus file and the nets

---------------------------------------------------------------------------

Date: Mon, 19 Dec 88 18:19:42 EST
From: Steve
Subject: Viruses in Commercial Software; Write-Tabs

In regard to Homer Smith's letter about his risks from unintentional virus contamination of the commercial disks he produces:

1) Disks containing only source code are *not* absolutely safe, but they would be much safer, in my opinion, if carefully examined. There is nothing to prevent a virus or some such thing from writing hidden files or storing things in "bad" sectors where the average person doing a DIR wouldn't see them. Furthermore, a virus could write the essential part of itself onto the boot sector (like brain does) and wait for someone to boot their system with the disk in place, at which time it could become active.

2) I would recommend that you periodically examine your disks for known viruses (like looking at the boot sector with Norton utilities or the like) and running detection programs for known viruses. It should not be necessary to examine every single disk --- only a small representative sample, assuming that potential viruses will always infect a disk if presented (except that one can imagine a virus that only attacks on Tuesdays). For example, periodically inspect some of the most recent disks and also whenever you have introduced something from outside your system (e.g. a new program or somebody else's disk). If you don't have the time or perhaps expertise, I would think it would be well worth your while to get someone to do it for you (at least find out which programs you should be using to look for viruses). Does anybody know of anyone who specializes in examining other people's disks for viruses (like for $)?
3) If you keep the system used to produce your product well isolated, then your risks should be lessened considerably.

4) Maybe consulting a lawyer would help, but couldn't you state in the fine print in the literature distributed with your disks that you have taken great pains to isolate your system (and product) from potential sources of viral contamination, and that you regularly check your system and disks for common, known viruses... BUT (here comes the disclaimer) you assume no responsibility for anything harmful that might be on any of your disks, and that the buyer in buying the product acknowledges this and uses it at his own risk? That is, you state that you have taken every reasonable measure to protect the consumer, but for legal reasons wash your hands of any liability --- a licensing agreement.

5) About a virus writing on a disk in spite of a write-protect tab, I don't believe it. I think there must be a misunderstanding somewhere. I suppose the details of enforcing a write-lock vary, but they all rely on hardware that disables the write-mode of the disk drive. There is no way software can circumvent this protection, unless your drive is defective and the write-lock-tab feature isn't working properly.

Steven C. Woronick     | Disclaimer: I'm just a physicist. These are
Physics Dept.          | entirely my own opinions and not necessarily
SUNY                   | anybody else's and may not even be right...
Stony Brook, NY 11794  |
Acknowledge-To:

------------------------------

Date: Mon, 19 Dec 88 17:43 EST
From:
Subject: Thwarting the Brain... (PC)

Reading all the comments about the brain virus one thing becomes clear: It can be detected because it announces itself in the Boot record with messages like "Welcome to the dungeon", "BRAIN COMPUTER SERVICES" etc etc etc... I can't help but wonder what would happen if some wily person decided to create his or her own strain with absolutely no messages (including not modifying the volume label). I shudder even as I write this.
Could detection be that easy then, at least for lay persons like me? Most of the preventive measures that I've read so far say something like "Use a disk editor like Norton Utilities and examine the Boot record. If you see a message saying Brain etc etc, then your disk is infected". What if there were no messages? I wouldn't know the difference between the boot record of an uninfected disk and that of an infected disk. (Of late I've been peering into the boot record of every 5.25" floppy I own! That's how paranoid I've become.)

What's a possible solution? Pre-formatted floppy disks of two kinds (bootable and non-bootable) where only the manufacturer does any work with the boot record. (Vendors are already selling pre-formatted disks so that's not so absurd, is it?) A special material for the boot record which can cause it to be read but not written to, except by special devices which only manufacturers will own.

This may seem off the wall right now but I think we all need to think of some solution to this "modification of boot record" business, especially because most programs can't treat it like a normal file and hence can't check for any changes to the boot record. (I'm referring to programs like flushot and checkup which can be made to check files for changes since the last run).

Any comments/additions to the theme?

Mathew Mathai
Virginia Tech
bitnet : MATHAIMT@VTCC1

------------------------------

Date: 19 December 1988 21:22:30 CST
From: "Michael J. Steiner "
Subject: Cold boot vs. warm boot... (PC)

How can a virus stay "effective" after a warm boot? Aren't both kinds of boots the same? (Evidently, there must be differences; what are they?)

Michael Steiner
Email: U23405@UICVM.BITNET

------------------------------

Date: Mon, 19 Dec 88 22:38:24 PST
From: Robert Slade
Subject: Virus file and the nets

I am being flooded with requests for the files, so you may get delayed responses. You may also get no responses.
For some reason, many messages get through to me, but the return path won't work. Sorry about that. Not much I can do.

KLOTZBUECHER@MPI-MUELHEIM.MPG.DBP.DE - he changed his name to "Silver Donald Cameron. What disks do you use? $15-20.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
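
The "Thwarting the Brain" message in this digest asks how a modified boot record could be noticed if it carried no message text. The sketch below is an added example, not part of the original digest or of any program named in it: it compares a disk image's boot sector against a baseline taken from a known-clean copy. The sample sectors are constructed bytes, not real boot code, and all function names are hypothetical.

```python
import hashlib

SECTOR = 512  # the boot record is the first 512-byte sector of the disk

def boot_sector(image: bytes) -> bytes:
    if len(image) < SECTOR:
        raise ValueError("image is shorter than one sector")
    return image[:SECTOR]

def baseline(image: bytes) -> dict:
    """Record a known-good copy and digest of the boot sector."""
    sec = boot_sector(image)
    return {"sha256": hashlib.sha256(sec).hexdigest(), "copy": sec}

def has_marker_text(image: bytes,
                    markers=(b"Welcome to the dungeon", b"BRAIN")) -> bool:
    """The 'look for a message' check described in the post (case-insensitive)."""
    sec = boot_sector(image).upper()
    return any(m.upper() in sec for m in markers)

def compare(image: bytes, base: dict) -> dict:
    """Report whether the boot sector differs from the baseline, and where."""
    sec = boot_sector(image)
    offsets = [i for i, (a, b) in enumerate(zip(base["copy"], sec)) if a != b]
    return {
        "changed": hashlib.sha256(sec).hexdigest() != base["sha256"],
        "bytes_changed": len(offsets),
        "first_offset": offsets[0] if offsets else None,
    }

def make_sector(code: bytes) -> bytes:
    """Constructed sample: jump + OEM name + filler 'code' + padding + 0x55AA."""
    body = b"\xeb\x3c\x90" + b"MSDOS3.3" + code
    return body.ljust(SECTOR - 2, b"\x00") + b"\x55\xaa"

# Constructed disk images: a boot sector followed by one blank data sector.
CLEAN = make_sector(b"\xfa\x33\xc0") + bytes(SECTOR)
NOISY = make_sector(b"\xfa\xe9\x4a\x01Welcome to the Dungeon") + bytes(SECTOR)
SILENT = make_sector(b"\xfa\xe9\x4a\x01") + bytes(SECTOR)  # altered, no text

if __name__ == "__main__":
    base = baseline(CLEAN)
    for name, img in (("clean", CLEAN), ("noisy", NOISY), ("silent", SILENT)):
        print(name, "marker text:", has_marker_text(img), compare(img, base))
```

The text search flags only the sector that announces itself, while the baseline comparison flags both altered sectors. The baseline has to be recorded from a disk known to be clean and stored somewhere the checked disk cannot overwrite.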