VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
VIRUS BULLETIN August 1991
➤ The inherited rights mask of a directory determines the
effective rights of that directory (read, write, open, close,
delete, search) which are set separately and can be used to
limit access to certain directories such as those containing
executables. Trustee assignments override the directory
effective rights.
➤ File/directory attributes (read-only, read-write, share) can
be set separately.
Even if a user’s PC becomes infected, the infection cannot
spread to the file-server, if the security features are properly
implemented. This security does break down if the network
supervisor’s PC becomes infected. Care should be taken when
setting network security features, as the appropriate features
may not be enabled by default.
NETWARE 3.11 PRACTICAL EXPERIMENTS
An experimental network consisting of a dedicated file-server
(on a Compaq 486/25, 310 MByte hard disk, 4M RAM) and a
workstation (Amstrad PC-ECD, 20 MByte hard disk, 640K
RAM) was set up with default security parameters.
Parasitic Viruses
It was decided to investigate NetWare 3.11 resistance to attack
with different levels of protection. A workstation not logged
in was infected with Jerusalem (memory-resident, parasitic
virus). IPX was executed (and infected) and NET3 was
executed (and infected). From then on, no COM or EXE file
became infected when run; this applied to files held
on floppy, hard or network drives. The interaction between the
virus and NET3 appeared to prevent the virus from infecting
other executables.
If the sequence is reversed, i.e. if a clean workstation is
loaded with IPX and NET3 and then infected, the following
error message is produced:
Network Error on Server SERVER: Error receiving
from network
Abort, Retry?
This error arises because Jerusalem uses INT 21H function
E0H to check whether it is memory-resident. This function is
also used by the NetWare print command. When the virus
issues this function call, NetWare intercepts it and tries to
send a print command, leading to unpredictable results.
The same trial was repeated with Cascade and Vacsina, and in
both cases the viruses lost the ability to infect immediately
after infecting NET3.COM. Unlike Jerusalem, Cascade and
Vacsina did not crash the workstation if loaded after
IPX.COM and NET3.COM.
The same trial was then undertaken with the 4K virus. The
virus did infect IPX and NET3, did not crash the workstation
and proceeded to be infectious in its normal way on floppy
and hard disks, but not on the file-server.
The test was repeated with the Eddie-2 virus. A clean workstation
was logged into the network and an infected application
executed from drive A:. This virus proved infective on all
drives, including the file-server.
We then tested the infectiousness of Eddie-2 with various
NetWare 3.11 file attribute settings. Eddie-2 is a virus with
limited stealth capability. It intercepts the DIR find-first and
find-next calls and displays the original file lengths. In order
to establish whether a file is infected or not, a secure bootstrap
must be performed.
DEFAULT NETWARE 3.11 SECURITY
By default the users have full access rights to their home
directory (created at the time of user creation) and no write
rights to any subdirectories containing executables.
The Eddie-2 virus could infect files in the user’s own directory,
irrespective of the setting of file read-only attributes, but
could not infect any other files on the server.
Rights Set To Read-Only
The virus could not infect files to which the user did not have
‘effective rights’ to write, irrespective of whether this right
was denied at a directory or file level, or from the ‘Inherited
Rights’ mask.
File Attributes Set To Read-Only
The virus could infect files which had their file attributes set
to read-only. This attribute is the same R/O attribute used by
DOS and set by Eddie-2 (and most other parasitic viruses) to
R/W before infection and reset back to R/O after infection.
File Attributes Set To Execute-Only
NetWare 3.11 allows file attributes to be set to execute-only
and such files cannot be read even by the supervisor. An
Eddie-2 infected workstation was used to execute an execute-
only file as well as a file marked read-only. The workstation
was rebooted. Looking at the file DIR entries, the execute-
only file was not infected while the read-only file was.
Running Under Supervisor Mode
Supervisors have all rights to all directories and files. A clean
workstation was used to log into the network as a supervisor
and was then infected with Eddie-2.
The virus was able to infect all files on the file-server, except
those marked as execute-only.
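The outcomes of the Eddie-2 trials above can be expressed as a rights model for auditing which server files are exposed when a given user's workstation is infected. This Python model is an added example, not part of the original article or of NetWare; the directory tree, the user ALICE, the attribute labels and all function names are constructed, and the rules are simplified to those the article reports (a trustee assignment overrides inherited rights, the inherited rights mask filters what is inherited, the read-only attribute gives no protection, execute-only does).

```python
from dataclasses import dataclass, field

# Rights names as listed in the article; the model itself is a simplification.
ALL = frozenset({"read", "write", "open", "close", "delete", "search"})

@dataclass
class Dir:
    path: str
    parent: "Dir | None" = None
    irm: frozenset = ALL                           # inherited rights mask
    trustees: dict = field(default_factory=dict)   # user -> explicitly granted rights
    files: dict = field(default_factory=dict)      # file name -> attribute label

def effective_rights(d, user):
    """Trustee assignment wins; otherwise the parent's rights filtered by the mask."""
    if user == "SUPERVISOR":
        return ALL                                 # supervisors hold all rights everywhere
    if user in d.trustees:
        return frozenset(d.trustees[user])
    if d.parent is None:
        return frozenset()
    return effective_rights(d.parent, user) & d.irm

def exposed_files(dirs, user):
    """Files a parasitic virus running with this user's rights could modify."""
    exposed = []
    for d in dirs:
        if "write" not in effective_rights(d, user):
            continue                               # no effective write right: not infectable
        for name, attr in d.files.items():
            if attr != "execute-only":             # the read-only attribute does not help
                exposed.append(f"{d.path}/{name}")
    return sorted(exposed)

# Constructed sample volume (all names hypothetical).
NO_WRITE = ALL - {"write", "delete"}
root = Dir("SYS")
public = Dir("SYS/PUBLIC", root, trustees={"ALICE": NO_WRITE},
             files={"TOOL.EXE": "read-only"})
home = Dir("SYS/HOME/ALICE", root, trustees={"ALICE": ALL},
           files={"GAME.EXE": "read-only", "EDIT.COM": "normal"})
apps = Dir("SYS/APPS", root, trustees={"ALICE": ALL}, files={"SETUP.EXE": "normal"})
bin_ = Dir("SYS/APPS/BIN", apps, irm=NO_WRITE,
           files={"CALC.EXE": "normal", "LOCKED.EXE": "execute-only"})
VOLUME = [root, public, home, apps, bin_]

if __name__ == "__main__":
    for user in ("ALICE", "SUPERVISOR"):
        print(user, exposed_files(VOLUME, user))
```

In the sample, the mask on SYS/APPS/BIN removes the write right ALICE would otherwise inherit from SYS/APPS, while for SUPERVISOR only the execute-only file stays out of the exposed list.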
Boot Sector Viruses
Although boot sector viruses have no means of infecting a
network drive (since NetWare does not allow individual sector
addressing), an experiment was nevertheless undertaken.
A workstation was infected with the New Zealand virus,
which infects the Master Boot Sector on hard disks and the