C S S C   N E W S L E T T E R          Vol 1 No 7          July 21, 1993

There is more CSSC news forthcoming. Stay tuned for issue 8, which will
hopefully be coming out in the next week.

TABLE OF CONTENTS

1.0 PMDF documentation...available on SBSCVA's Bookreader
2.0 Viruses
3.0 Calls received/answered by SCACAD, SCADM and SCSYS for May 1993


1.0 PMDF documentation...available on SBSCVA's BOOKREADER

The latest version of PMDF available through GETSOFTWARE (v 4.2) no longer
ships PostScript files for the documentation set. Instead, the documentation
is provided in BOOKREADER format. If you don't have BOOKREADER on your own
system, the PMDF documentation is now up on the Support Center's BOOKREADER
system, under Third Party Products, listed last under the main LIBRARY menu.
If you have questions about accessing the Support Center BOOKREADER system,
email them to either SCSYS (if using a VS3100-type workstation) or SCACAD
(if using Pathworks).


2.0 Viruses

With PCs and Macs in abundance in our academic institutions, and the
"shareware" mentality of all users, computer viruses are bound to appear. We
would like to give you some information on the viruses currently in
existence and on how to obtain information about them.

Four classifications of viruses exist today:

"1. Boot Sector Viruses - typically hide or embed themselves in the first
sector of a disk. This type of virus loads itself into memory before
traditional anti-viral software can come on line and detect it. Prevention
programs alone are defenseless against Boot Sector Viruses because the virus
runs every time you boot up or whenever any software is run.
   Types: Stoned Virus, Marijuana

2. TSR RAM Viruses - install themselves in RAM and take control of the
operating system. They affect I/O routines, command interpreters, .SYS
files, etc. They usually enter memory by replacing the DOS Function
Interrupt.
Thus, each time DOS is executed, the virus gains control to do what it
wants and then passes the request on to DOS. As a result, many files are
infected by running a TSR RAM Virus only once, and the system continues to
operate under the influence and control of the virus. TSR RAM viruses are
the most widespread of all viruses.
   Types: Autumn, Cascade-B, Virus 1701

3. Application Software Viruses - generic viruses that attack a .COM, .EXE,
or .SYS file by appending (or inserting and prepending) themselves to an
executable or overlay file. Application Software Viruses are offensive
because they search for an uninfected file, infect it, and operate each time
the infected file is run. The original application program runs seemingly
unaffected whenever the infected file is executed, which makes this type of
virus the most difficult to detect.
   Types: Vienna, PC Boot, Austrian, Virus 648

4. New Generation Viruses - written by skilled authors who have expended a
great deal of effort to build in scan-detection avoidance, just as the
U.S.-built "Stealth" fighter/bomber avoids detection by enemy radar. This
virus installs itself as a memory-resident program, bypasses the DOS
interrupt vectors and directly accesses the ROM BIOS disk I/O routine. In
doing so, these new generation viruses are able to avoid checksum algorithms
and anti-viral software monitoring. The "Stealth" virus is a popular strain
of new generation virus that constantly changes its pattern so that it
cannot be detected by traditional anti-viral software. During the
replication stage, the Stealth virus recognizes the file size as the initial
number (the seed), then encrypts its code into the file to be infected and
generates an entirely new set of program codes. Since the seed is constantly
changing, the Stealth virus will never have the same pattern from one
infection to another.
It is clear to see how a Virus Pattern Bank, which scans for and matches
sets of virus patterns, would be ineffective against the ever-changing
Stealth virus. This is a new strain of virus that is rapidly spreading
throughout the world."*
   Types: Virus 4096, Stealth, 100 year

Preventive maintenance suggestions:

"1. Obtain your software from a reputable source, i.e. in original
    shrink-wrap from a reputable dealer.
 2. If you receive your programs from a network, quarantine them as you
    would a new diskette.
 3. Develop proper disk handling techniques that prevent contamination or
    data loss.
 4. Use the DOS ATTRIB command to make your key programs Read-Only.
 5. Check for viruses before backing up your programs or files.
 6. Install and use a reliable anti-virus program."*

There is an excellent document, FAQ.virus-l, provided through the VIRUS-L
list, which discusses

   a) sources of information and anti-viral software
   b) definitions
   c) virus detection
   d) protection plans
   e) facts and fibs about computer viruses
   f) miscellaneous questions
   g) specific virus and anti-viral software questions

It's a little dated (November 18, 1992) but an excellent document. You can
access it by ftping to cert.org (pub/virus-l/FAQ.virus-l).

X-VIRUS-L can also be accessed in VAX Notes on the Support Center's machine.
This is the best way to get up-to-the-minute virus information.

* Source: "Six Important Questions about Computer Viruses... What You Need
  to Know But Didn't Know to Ask", booklet by Trend Micro Devices, Inc.,
  September 1990, pages 3-4 and page 17.


3.0 Calls received/answered by SCACAD, SCADM and SCSYS for May 1993

                         Vendor support
   SCACAD    22          DSN    - 1
   SCADM     79          Oracle - 1
   SCSYS    198          DSN    - 1

Editor: Betty Spencer   SCACAD@SNYBSCVA
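Added worked example for section 2.0 (editor's addition; not part of the original newsletter and not code from any product or booklet it names). It contrasts the two detection approaches the section discusses: a "Virus Pattern Bank" that scans files for fixed byte patterns, which only catches what it already knows, and a checksum baseline taken from known-clean program files (the "check for viruses before backing up" step), which flags any change to a program file no matter what was written into it. All file contents and "signatures" are constructed toy data; the directory, file names and pattern names are assumptions made for the demonstration.

```python
"""Pattern-bank scan versus integrity baseline (constructed demonstration)."""
import hashlib
import os
import tempfile

# Constructed toy pattern bank: the byte strings the scanner "knows".
# These are placeholders, not real virus signatures.
PATTERN_BANK = {
    "toy-sig-A": b"TOYSIG-A",
    "toy-sig-B": b"TOYSIG-B",
}

PROGRAM_EXTENSIONS = (".com", ".exe", ".sys")


def scan_with_pattern_bank(data, bank=PATTERN_BANK):
    """Return the names of bank entries whose bytes occur in data (sorted)."""
    return sorted(name for name, sig in bank.items() if sig in data)


def sha256_of_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory, extensions=PROGRAM_EXTENSIONS):
    """Record a checksum for every program file under directory.

    Take the baseline from a system believed clean; the later check can only
    report differences from whatever state was recorded here.
    """
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(root, name)
                baseline[os.path.relpath(path, directory)] = sha256_of_file(path)
    return baseline


def verify_baseline(directory, baseline, extensions=PROGRAM_EXTENSIONS):
    """Compare directory against baseline; return (changed, added, missing) paths."""
    current = build_baseline(directory, extensions)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return changed, added, missing


def demo():
    """Constructed scenario: two clean 'programs', one later altered, one new file.

    Returns (pattern_bank_hits, changed, added, missing).
    """
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "EDIT.COM"), "wb") as f:
            f.write(b"MZ-clean-program-1")
        with open(os.path.join(d, "MENU.EXE"), "wb") as f:
            f.write(b"MZ-clean-program-2")
        baseline = build_baseline(d)  # taken while the files are clean

        # A program file is modified with bytes the pattern bank does not know.
        with open(os.path.join(d, "EDIT.COM"), "ab") as f:
            f.write(b"TOYSIG-Z")
        # A new file appears that does carry a known pattern.
        with open(os.path.join(d, "DROP.EXE"), "wb") as f:
            f.write(b"MZ" + b"TOYSIG-A")

        hits = {}
        for name in ("EDIT.COM", "MENU.EXE", "DROP.EXE"):
            with open(os.path.join(d, name), "rb") as f:
                hits[name] = scan_with_pattern_bank(f.read())
        changed, added, missing = verify_baseline(d, baseline)
        return hits, changed, added, missing


if __name__ == "__main__":
    hits, changed, added, missing = demo()
    print("pattern-bank hits:", hits)
    print("integrity check - changed:", changed, "added:", added, "missing:", missing)
```

In the constructed run the pattern bank reports only DROP.EXE (the one file carrying a pattern it knows) and says nothing about the altered EDIT.COM, while the baseline check reports EDIT.COM as changed and DROP.EXE as an unlisted program file. The baseline approach depends on the checksums being recorded from a clean system and stored where a resident virus cannot rewrite them, which is why the section pairs it with quarantine and read-only attributes rather than offering it alone.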