3-Jun-91 20:33:44-GMT,29812;000000000001
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA27844; Mon, 3 Jun 91 16:33:39 EDT
Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA27080; Mon, 3 Jun 91 16:33:30 EDT
Message-Id: <9106032033.AA27080@remus.rutgers.edu>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX)
        with BSMTP id 5093; Mon, 03 Jun 91 16:27:20 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08)
        with BSMTP id 5540; Mon, 03 Jun 91 16:22:27 EDT
Date:         Mon, 3 Jun 91 15:53:34 EDT
Reply-To:     VIRUS-L@ibm1.cc.lehigh.edu
Sender:       Virus Discussion List
From:         "The Moderator Kenneth R. van Wyk"
Subject:      VIRUS-L Digest V4 #96
Comments:     To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To:           Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday,  3 Jun 1991    Volume 4 : Issue 96

Today's Topics:

Introduction to the Anti-viral archives, listing of 01 June 1991
Archive access without anonymous ftp, last changed 07 January 1991
Brief guide to file formats, last changed 13 April 1991
Amiga Anti-viral archive sites, last changed 03 February 1991
Apple II Anti-viral archive sites, last changed 30 September 1989
Atari ST Anti-viral archive sites, last changed 30 September 1989
Anti-viral Documentation archive sites, last changed 04 April 1990
IBMPC Anti-viral archive sites, last changed 05 May 1991
Macintosh Anti-viral archive sites, last changed 01 June 1991
Unix Anti-viral and security archive sites, last changed 05 June 1990

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sat, 01 Jun 91 15:54:38 -1000
From:    Jim Wright
Subject: Introduction to the Anti-viral archives, listing of 01 June 1991

Introduction to the Anti-viral archives, listing of 01 June 1991

This posting is the introduction to the "official" anti-viral archives
of VIRUS-L/comp.virus.  With the generous cooperation of many sites
throughout the world, we are attempting to make available to all the
most recent news and programs for dealing with the virus problem.
Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh
and Unix computers, as well as sites carrying research papers and
reports of general interest.

If you have general questions regarding the archives, you can send them
to this list or to me.  I'll do my best to help.  If you have a
submission for the archives, you can send it to me or to one of the
persons in charge of the relevant sites.  If you have any corrections
to the lists, please let me know.

The files contained on the participating archive sites are provided
freely on an as-is basis.  To the best of our knowledge, all files
contained in the archives are either Public Domain, Freely
Redistributable, or Shareware.  If you know of one that is not, please
drop us a line and let us know.  Reports of corrupt files are also
welcome.

PLEASE NOTE

The Managers of these systems, and the Maintainers of the archives,
CAN NOT and DO NOT guarantee any of these applications for any purpose.
All possible precautions have been taken to assure you of a safe
repository of useful tools.

Jim Wright
jwright@cfht.hawaii.edu
jwright@UHCFHT.BITNET

------------------------------

Date:    Sat, 01 Jun 91 15:55:10 -1000
From:    Jim Wright
Subject: Archive access without anonymous ftp, last changed 07 January 1991

Archive access without anonymous ftp, last changed 07 January 1991

To get files from the anti-viral archives, you do not need access to
anonymous ftp.  (However, anonymous ftp is the preferred method.)
Below is information on accessing the archive sites using only email.

-=-

One way to get access to the archives is through the BITFTP server at
Princeton.  Send a message to bitftp@pucc.princeton.edu (BITNET address
is BITFTP@PUCC) with the body of the message containing the single word
HELP.  This should get you more information, and give you access to any
archive site on the internet.  This service seems to be greatly
overloaded, so expect response times to be a little slow.

-=-

You may access the archives at Heriot-Watt using email.  Send a message
to info-server@cs.hw.ac.uk with the message text:

        help

If you are in the U.K., then the address is info-server@uk.ac.hw.cs.

-=-

Both the AppleII and the Atari ST archives have mail servers which
provide access to their archives.  You may receive automatic updates of
Macintosh anti-viral programs via email.  See the individual articles
on these sites.

-=-

You may also retrieve files from the SIMTEL-20 and the INFO-MAC archives
by using one of the many mail servers which maintain a shadow archive of
these sites.  Send the following message to one of the listserv sites.

        help

See the IBMPC and Macintosh articles for a complete list of servers.

------------------------------

Date:    Sat, 01 Jun 91 15:55:41 -1000
From:    Jim Wright
Subject: Brief guide to file formats, last changed 13 April 1991

Brief guide to file formats, last changed 13 April 1991

--  The most recent copy of the complete text may be anonymous ftp'd  --
--  from ux1.cso.uiuc.edu (128.174.5.59) in the directory doc/pcnet.  --
--  That file is maintained by David Lemson (lemson@uiuc.edu).        --
--  Please do not strip this note from this list when passing it on.  --

ARC (.arc)
    This format is most popular on PCs.  Compresses and stores multiple
    files in a single archive.
        PC     - arc 6.00, pk361
        Mac    - ArcMac 1.3c
        Unix   - arc 5.21
        VM/CMS - arcutil
        Amiga  - Arc 0.23, PKAX
        VMS    - arcvms
        Apple2 - dearc
        Atari  - arc 5.21b, pkunarc
        OS/2   - arc2

BinHex (.hqx)
    A Macintosh format.  Converts a binary Mac file, including data and
    resource forks, into an archive of only printing ASCII characters.
        PC     - xbin 2.3
        Mac    - BinHex4.0
        Unix   - mcvert
        VM/CMS - binhex

binscii ( )
    A favorite Apple2 archive format.
        Apple2 - binscii

Compactor (.cpt)
    A new Macintosh format.  Compresses and stores multiple files in a
    single archive.
        Mac    - Compactor1.21

compress (.Z)
    A Unix format.  Compresses a single file in an archive.
        PC     - u16, comprs16, comp430d
        Mac    - MacCompress3.2A
        Unix   - compress
        VM/CMS - compress
        Amiga  - compress
        VMS    - lzcomp
        Apple2 - compress
        Atari  - compress

LHarc (.lzh)
    This format originated on PCs, and is now popular on Amigas.
    Compresses and stores multiple files in a single archive.
        PC     - lh113c
        Mac    - MacLHarc 0.41
        Unix   - lharc10
        Amiga  - LHarc
        Atari  - lharc113

LHWarp (.lzw)
    This is an Amiga format.  Compresses and stores an entire floppy in
    a single archive.  Better compression than plain Warp.
        Amiga  - Lhwarp

LU (.lbr)
    This is an old format that originated with CP/M.  It is virtually
    non-existent now.  Collects multiple files into a single archive
    with no compression.
        PC     - lue220
        Mac    - ArcMac 1.3c
        Unix   - lar
        VM/CMS - arcutil
        VMS    - vmssweep

nupack ( )
    A favorite Apple2 archive format.
        Apple2 - nupack

PackIt (.pit)
    An old Macintosh format.  Compresses and stores multiple files in a
    single archive.
        PC     - UnPackIt
        Mac    - PackIt3.1.3
        Unix   - unpit

PAK (.pak)
    An old PC format.  Compresses and stores multiple files in a single
    archive.  Also the name of an Amiga format which produces
    self-extracting archives.  Also the name of a new PC format.
        PC     - pak250
        Unix   - arc 5.21
        Amiga  - PAK 1.0

shell archive (.shar, .sh)
    A Unix format.  Stores multiple files in a single archive without
    compression.
        PC     - unshar
        Mac    - UnShar2.0
        Unix   - sh, unshar
        Amiga  - UnShar
        Apple2 - unshar
        Atari  - shar

Squeeze (._Q_)
    An old PC (CP/M?) format.  Compresses and stores multiple files in a
    single archive.
        PC     - sqpc131
        VM/CMS - arcutil
        Amiga  - Sq.Usq
        VMS    - vmsusq
        Atari  - ezsqueeze

StuffIt (.sit)
    A Macintosh format.  Compresses and stores multiple files in a
    single archive.
        PC     - mactopc
        Mac    - StuffIt 1.6
        Unix   - unsit
        Amiga  - unsit

tape archive (.tar)
    A Unix format.  Stores multiple files in a single archive without
    compression.
        PC     - tar, tarread, pax, pdtar
        Mac    - UnTar2.0
        Unix   - tar
        Amiga  - TarSplit, pax
        VMS    - vmstar
        Atari  - sttar

uuencode (.uu, .uue)
    A Unix format.  Converts a binary file into an archive of only
    printing ASCII characters suitable for mailing.
        PC     - uuxref20
        Mac    - UMCP-Tools1.0
        Unix   - uuencode, uudecode
        VM/CMS - arcutil
        Amiga  - uuencode, uudecode
        VMS    - uudecode2.
        Apple2 - uu.en.decode

Warp (.wrp)
    This is an Amiga format.  Compresses and stores an entire floppy in
    a single archive.
        Amiga  - WarpUtil

xxencode (.xx, .xxe)
    A Unix format.  Converts a binary file into an archive of only
    printing ASCII characters suitable for mailing.  Solves many of the
    problems of uuencode.
        PC     - uuxref20
        Unix   - xxencode, xxdecode
        VM/CMS - xxencode

ZIP (.zip)
    This format is most popular on PCs.  Compresses and stores multiple
    files in a single archive.
        PC     - pkz110
        Mac    - UnZip1.02c
        Unix   - unzip4.01
        Amiga  - PKAZip
        Atari  - pkz101-2

ZOO (.zoo)
    This format is popular on many systems.  Compresses and stores
    multiple files in a single archive.
        PC     - zoo201
        Mac    - MacBooz2.1
        Unix   - zoo201
        VM/CMS - zoo
        Amiga  - amigazoo
        VMS    - zoo201
        Atari  - booz
        OS/2   - booz

------------------------------

Date:    Sat, 01 Jun 91 15:56:13 -1000
From:    Jim Wright
Subject: Amiga Anti-viral archive sites, last changed 03 February 1991

Amiga Anti-viral archive sites, last changed 03 February 1991

beach.gal.utexas.edu
    John Perry
    This site can be reached through anonymous ftp.
    The Amiga anti-viral archives can be found in the directory
    [ANONYMOUS.PUB.VIRUS.AMIGA].
    This system is running VMS, not Unix.
    The IP address is 129.109.1.207.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Amiga index for the virus archives can be retrieved as
        request: amiga
        topic: index
    For further details send a message with the text
        help
    The administrative address is

ms.uky.edu
    Sean Casey
    Access is through anonymous ftp.
    The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
    The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for
    index.
    Anti-Viral stuff is held as part of a larger micro software
    collection and is not collected into a distinct area.

ux1.cso.uiuc.edu
    Mark Zinzow
    Lionel Hummel
    The archives are in /amiga/virus.
    There is also a lot of stuff to be found in the Fish collection.
    The IP address is 128.174.5.59.

------------------------------

Date:    Sat, 01 Jun 91 15:56:44 -1000
From:    Jim Wright
Subject: Apple II Anti-viral archive sites, last changed 30 September 1989

Apple II Anti-viral archive sites, last changed 30 September 1989

brownvm.bitnet
    Chris Chung
    Access is through LISTSERV, using SEND, TELL and MAIL commands.
    Files are stored as
        apple2-l xx-xxxxx
    where the x's are the file number.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Apple II index for the virus archives can be retrieved as
        request: apple
        topic: index
    For further details send a message with the text
        help
    The administrative address is

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for
    index.
    Anti-Viral stuff is held as part of a larger micro software
    collection and is not collected into a distinct area.

------------------------------

Date:    Sat, 01 Jun 91 15:57:16 -1000
From:    Jim Wright
Subject: Atari ST Anti-viral archive sites, last changed 30 September 1989

Atari ST Anti-viral archive sites, last changed 30 September 1989

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Atari ST index for the virus archives can be retrieved as
        request: atari
        topic: index
    For further details send a message with the text
        help
    The administrative address is .

panarthea.ebay
    Steve Grimm
    Access to the archives is through mail server.
    For instructions on the archive server, send help to .

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for
    index.
    Anti-Viral stuff is held as part of a larger micro software
    collection and is not collected into a distinct area.

------------------------------

Date:    Sat, 01 Jun 91 15:57:48 -1000
From:    Jim Wright
Subject: Anti-viral Documentation archive sites, last changed 04 April 1990

Anti-viral Documentation archive sites, last changed 04 April 1990

cert.sei.cmu.edu
    Kenneth R. van Wyk
    Access is available via anonymous ftp, IP number 128.237.253.5.
    This site maintains archives of all VIRUS-L digests, all CERT
    advisories, as well as a number of informational documents.
    VIRUS-L/comp.virus information is in:
        pub/virus-l/archives
        pub/virus-l/archives/predig
        pub/virus-l/archives/1988
        pub/virus-l/archives/1989
        pub/virus-l/archives/1990
        pub/virus-l/docs
    CERT information is in:
        pub/cert_advisories
        pub/cert-tools_archive

csrc.ncsl.nist.gov
    John Wack
    This site is available via anonymous ftp, IP number 129.6.48.87.
    The archives contain all security bulletins issued thus far from
    organizations such as NIST, CERT, NASA-SPAN, DDN, and LLNL-CIAC.
    Also, other related security publications (from NIST and others)
    and a partial archive of VIRUS_L's and RISK forums.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The index for the **GENERAL** virus archives can be retrieved as
        request: general
        topic: index
    The index for the **MISC.** virus archives can be retrieved as
        request: misc
        topic: index
    **VIRUS-L** entries are stored in monthly and weekly digest form
    from May 1988 to December 1988.  These are accessed as log.8804
    where the topic substring is comprised of the year, month and a
    week letter.  The topics are:
        8804, 8805, 8806 - monthly digests up to June 1988
        8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
    The following daily digest format started on Wed 9 Nov 1988.
    Digests are stored by volume number, e.g.
        request: virus
        topic: v1.2
    would retrieve issue 2 of volume 1; in addition v1.index, v2.index
    and v1.contents, v2.contents will retrieve an index of available
    digests and an extracted list of the contents of each volume
    respectively.
    **COMP.RISKS** archives from v7.96 are available on line as:
        request: comp.risks
        topic: v7.96
    where topic is the issue number; as above v7.index, v8.index and
    v7.contents and v8.contents will retrieve indexes and contents
    lists.
    For further details send a message with the text
        help
    The administrative address is

lehiibm1.bitnet
    Ken van Wyk
new:
    This site has archives of VIRUS-L, and many papers of general
    interest.
    Access is through ftp, IP address 128.180.2.1.
    The directories of interest are VIRUS-L and VIRUS-P.

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for
    index.
    Anti-Viral stuff is held as part of a larger micro software
    collection and is not collected into a distinct area.

unma.unm.edu
    Dave Grisham
    This site has a collection of ethics documents.
    Included are legislation from several states and policies from
    many institutions.
    Access is through ftp, IP address 129.24.8.1.
    Look in the directory /ethics.

------------------------------

Date:    Sat, 01 Jun 91 15:58:19 -1000
From:    Jim Wright
Subject: IBMPC Anti-viral archive sites, last changed 05 May 1991

IBMPC Anti-viral archive sites, last changed 05 May 1991

beach.gal.utexas.edu
    John Perry
    This site can be reached through anonymous ftp.
    The IBMPC anti-viral archives can be found in the directory
    [ANONYMOUS.PUB.VIRUS.PC].
    This system is running VMS, not Unix.
    The IP address is 129.109.1.207.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The IBMPC index for the virus archives can be retrieved as
        request: ibmpc
        topic: index
    For further details send a message with the text
        help
    The administrative address is

f.ms.uky.edu
    Daniel Chaney
    This site can be reached through anonymous ftp.
    The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus.
    The IP address is 128.163.128.6.

mibsrv.mib.eng.ua.edu
    James Ford
    This site can be reached through anonymous ftp.
    The IBM-PC anti-virals can be found in pub/ibm-antivirus.
    Uploads to pub/ibm-antivirus/00uploads.  Uploads are screened.
    Requests to JFORD@UA1VM.BITNET for UUENCODED files will be filled
    on a limited basis as time permits.
    The IP address is 130.160.20.80.

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for
    index.
    Anti-Viral stuff is held as part of a larger micro software
    collection and is not collected into a distinct area.

ux1.cso.uiuc.edu
    Mark Zinzow
    This site can be reached through anonymous ftp.
    The IBMPC anti-viral archives are in /pc/virus.
    The IP address is 128.174.5.59.

vega.hut.fi
    Timo Kiravuo
    This site (in Finland) can be reached through anonymous ftp.
    The IBMPC anti-viral archives are in /pub/pc/virus.
    The IP address is 130.233.200.42.

wsmr-simtel20.army.mil
    Keith Peterson
    Direct access is through anonymous ftp, IP 192.88.110.20.
    The anti-viral archives are in PD1:<MSDOS.TROJAN-PRO>.
    Please get the file 00-INDEX.TXT and review it offline.
    NOTE: There are also a number of servers which provide access to
    the archives at simtel.
    WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands from
    BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe from
    EARN TRICKLE servers.  Send commands to TRICKLE@<host-name> (for
    example: TRICKLE@AWIWUW11).  The following TRICKLE servers are
    presently available: AWIWUW11 (Austria), BANUFS11 (Belgium),
    DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011
    (Spain) and TREARN (Turkey).

------------------------------

Date:    Sat, 01 Jun 91 15:58:50 -1000
From:    Jim Wright
Subject: Macintosh Anti-viral archive sites, last changed 01 June 1991

Macintosh Anti-viral archive sites, last changed 01 June 1991

beach.gal.utexas.edu
    John Perry
    This site can be reached through anonymous ftp.
    The Macintosh anti-viral archives can be found in the directory
    [ANONYMOUS.PUB.VIRUS.MAC].
    This system is running VMS, not Unix.
    The IP address is 129.109.1.207.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Mac index for the virus archives can be retrieved as
        request: mac
        topic: index
    For further details send a message with the text
        help
    The administrative address is

dftsrv.gsfc.nasa.gov
    Brian Lev
    This site offers the "MacSecure" package, made up of John Norstad's
    Disinfectant, and a pair of locally developed HyperCard stacks:
    Joe McMahon's "Anti-Viral Doc" and Brian Lev's "MacHelper".
    Floppy disk:
        Advanced Data Flow Technology Office
        Code 930.4
        Goddard Space Flight Center
        Greenbelt, MD  20771
        (Attn: Brian Lev)
    DECnet Copy from DFTNIC::CLDATA:[ANONYMOUS_FTP.FILES.MAC]
        BinHex (ASCII) format as MACSECURE3.HQX
        binary format as MACSECURE3.SIT
    Anonymous FTP from DFTNIC.GSFC.NASA.GOV (128.183.10.3)
        BinHex (ASCII) format as [.FILES.MAC]MACSECURE3.HQX
        binary format as [.FILES.MAC]MACSECURE3.SIT
    Anonymous FTP from DFTSRV.GSFC.NASA.GOV (128.183.10.134)
        BinHex (ASCII) format as /mac/MacSecure3.sit.hqx
        binary format as /mac/MacSecure3.sit

ifi.ethz.ch
    Danny Schwendener
    Interactive access through DECnet (SPAN/HEPnet):
        $SET HOST 57434   or   $SET HOST AEOLUS
        Username: MAC
    Interactive access through X.25 (022847911065) or Modem 2400 bps
    (+41-1-251-6271):
        # CALL B050
        Username: MAC
    Files may also be copied via DECnet (SPAN/HEPnet) from
        57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

rascal.ics.utexas.edu
    Werner Uhrig
    Access is through anonymous ftp, IP number is 128.83.138.20.
    Archives can be found in the directory mac/virus-tools.

scfvm.bitnet
    Joe McMahon
    Access is via LISTSERV.
    SCFVM offers an "automatic update" service.  Send the message
        AFD ADD VIRUSREM PACKAGE
    and you will receive updates as the archive is updated.
    You can also subscribe to automatic file update information with
        FUI ADD VIRUSREM PACKAGE

sumex-aim.stanford.edu
    Bill Lipa
    Access is through anonymous ftp, IP number is 36.44.0.6.
    Archives can be found in /info-mac/virus.
    Administrative queries to .
    Submissions to .
    There are a number of sites which maintain shadow archives of the
    info-mac archives at sumex:
    * MACSERV@PUCC services the Bitnet community
    * LISTSERV@RICE for e-mail users
    * FILESERV@IRLEARN for folks in Europe

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for
    index.
    Anti-Viral stuff is held as part of a larger micro software
    collection and is not collected into a distinct area.

wsmr-simtel20.army.mil
    Robert Thum
    Access is through anonymous ftp, IP number 192.88.110.20.
    Archives can be found in PD3:<MACINTOSH.VIRUS>.
    Please get the file 00README.TXT and review it offline.

------------------------------

Date:    Sat, 01 Jun 91 15:59:21 -1000
From:    Jim Wright
Subject: Unix Anti-viral and security archive sites, last changed 05 June 1990

Unix Anti-viral and security archive sites, last changed 05 June 1990

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest".
    Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    For further details send a message with the text
        help
    The administrative address is

funic.funet.fi
    Jyrki Kuoppala
    Accessible through anonymous ftp, IP number 128.214.6.100.
    Directory pub/unix/security contains programs to help in security,
    pub/doc/security contains various documents about security in
    general and unix security (like the worm documents).

wuarchive.wustl.edu
    Chris Myers
    Accessible through anonymous ftp, IP number 128.252.135.4.
    A number of directories can be found in ~ftp/usenet/comp.virus/*.
------------------------------

End of VIRUS-L Digest [Volume 4 Issue 96]
*****************************************

4-Jun-91 17:32:36-GMT,18063;000000000001
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA00628; Tue, 4 Jun 91 13:32:31 EDT
Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA22645; Tue, 4 Jun 91 13:32:21 EDT
Message-Id: <9106041732.AA22645@remus.rutgers.edu>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX)
        with BSMTP id 5877; Tue, 04 Jun 91 13:27:32 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08)
        with BSMTP id 8709; Tue, 04 Jun 91 13:27:10 EDT
Date:         Tue, 4 Jun 91 13:13:29 EDT
Reply-To:     VIRUS-L@ibm1.cc.lehigh.edu
Sender:       Virus Discussion List
From:         "The Moderator Kenneth R. van Wyk"
Subject:      VIRUS-L Digest V4 #97
Comments:     To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To:           Multiple recipients of list VIRUS-L

VIRUS-L Digest   Tuesday,  4 Jun 1991    Volume 4 : Issue 97

Today's Topics:

Fw: Trojan version of VIRUSCAN version 78 (PC)
Virus Stats
RE: MS-DOS on ROM (PC)
RE: CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94
Requirements for Virus Checkers (PC)
Re: AIDS Information Trojan (PC)
Virus Unknown (PC)
Hong Kong on MicroTough dist. disks (PC)
RE: My mail of June 3 - NOVELL and Virus (PC)
Hong Kong/Azusa (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 13 May 91 14:50:16 -0700
From:    Aryeh Goretsky
Subject: Fw: Trojan version of VIRUSCAN version 78 (PC)

- --------------------------
        HEADS UP!
- --------------------------

(original message follows)

TROJAN VERSION OF VIRUSCAN VERSION 78

We have received a trojan horse version of VIRUSCAN.  The hacked SCAN
has apparently been uploaded to BBSes in Michigan, USA under the
filename SCANV78.ZIP.  Running PKZIP -V on the file reveals:

.PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS  (313)/788-0882
.
. Length  Method   Size  Ratio   Date     Time    CRC-32   Attr  Name
. ------  ------   ----- -----   ----     ----    ------   ----  ----
.  12816  Implode   5255  59%  04-08-91  14:28  08a87ed8  --w   AGENTS.TXT
.   9406  Stored    9406   0%  02-03-91  17:04  42cf9931  --w   REGISTER.DOC
.  23008  Implode  12550  46%  05-06-91  18:15  f9735dd5  --w   SCAN.EXE
.   6495  Implode   1895  71%  10-31-89  16:16  0449b09d  --w   VALIDATE.COM
.   3626  Implode   1802  51%  11-29-90  01:59  ab76470f  --w   README.1ST
.  21257  Implode   5767  73%  05-06-91  19:35  a0728a17  --w   VIRLIST.TXT
.   2844  Implode   1406  51%  02-14-91  14:25  aa330b57  --w   VALIDATE.DOC
.  24515  Implode   9188  63%  05-06-91  19:34  172a967f  --w   SCAN78.DOC
. ------          ------  ---                                    -------
. 103967           47269  55%                                          8

The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse.  I have called the phone number and
asked the party at the other end to contact me.

Running PKUNZIP on the file reveals the following:

.PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS  (313)/788-0882
.  Exploding: AGENTS.TXT    -AV
. Extracting: REGISTER.DOC  -AV
.  Exploding: SCAN.EXE      -AV
.  Exploding: VALIDATE.COM  -AV
.  Exploding: README.1ST    -AV
.  Exploding: VIRLIST.TXT   -AV
.  Exploding: VALIDATE.DOC  -AV
.  Exploding: SCAN78.DOC    -AV
.
. Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

While the Authentic Files Verified Message appears, the Serial Number is
NOT correct.  McAfee Associate's Serial Number is NWM405.

Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
files revealed that these are straight from VIRUSCAN Version 77--the
version number in the VIRLIST.TXT file was still V77.  The SCAN78.DOC
file had been modified so that all occurrences of V77 were switched to
V78.  Additionally, the following text was added for the validation
data:

.        The validation results for Version 77 should be:
.
.        FILE NAME:  SCAN.EXE
.        SIZE:       23,008
.        DATE:       05-06-1991
.        FILE AUTHENTICATION
.             Check Method 1:  2C21
.             Check Method 2:  022E
.

For the What's New section, the following text was added:

.                           WHAT'S NEW
.
.        Version 78 of SCAN removes a few small bugs and continues
.   to optimize the procedures SCAN uses to find viruses, as in Version 77,
.   as well as adding a few more to the list of known viruses.  SCAN is now much
.   more compressed than was previously thought possible, so please enjoy the
.   shortened file size, it should still work just fine.
.        Refer to the enclosed VIRLIST.TXT file for a schematic
.   description of the new viruses.  For a complete description, please
.   refer to Patricia Hoffman's VSUM document.
.

Examination of the SCAN.EXE file has shown that it contains the help
message that VIRUSCAN displays as well as the program information
message.  However, the program does not contain any of the other
messages that VIRUSCAN has in it.

The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is
not a text file, but rather another .ZIP file containing a file named
TB1.COM:

. PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
. Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
. PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
. Searching ZIP: REGISTER.DOC
.  Extracting: TB1.COM  -AV
.
. Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
.

When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified Message as the SCANV78.ZIP file did.

Examination of the TB1.COM file revealed that it contains the Whale
virus.

This is all I currently know about the SCANV78.ZIP trojan.  If you see
any copies of this file, please ask the system administrator or sysop
to remove it and ask them to contact the uploader to warn them that it
contains a virus.

Aryeh Goretsky
McAfee Associates Technical Support
- - - -
aryehg@tacom-emh1.army.mil

------------------------------

Date:    Mon, 03 Jun 91 02:35:41 -0500
From:    Fwtns Georgakopoulos
Subject: Virus Stats

Hi Everyone...

I am wondering if anybody out there can help me...  I have to write
this paper on virus and I have no statistics...  I couldn't possibly
conduct a survey which could have been very realistic...  If anyone
knows where I could find some stats on virus or if someone even has
anything (that would be great! :-)) I would really appreciate the
help...

Thanks in advance...

Frank

------------------------------

Date:    Mon, 03 Jun 91 10:02:46 -0400
From:    "David B. Horvath"
Subject: RE: MS-DOS on ROM (PC)

Radio Shack, in the newer versions of the TANDY-1000 series (SL, TL,
and newer) all have MS-DOS in ROM.  The ROM emulates a write-protected
hard disk with NO free space.  The boot device is selectable in the
system startup (stored in battery backed CMOS RAM) - as well as certain
default AUTOEXEC.BAT/CONFIG.SYS entries.

The pseudo-disk is implemented in socket ROM chips; the salesmen talk
about the ease of upgrade - "just replace the chip with a new one -
easier than upgrading from floppy..."

- David B. Horvath

+--------------------------------------------------------------------+
| David B. Horvath, CDP         AT&T Net: 215-354-2468               |
| Systems Analyst - GE          Internet: horvath_db@scov19.dnet.ge.com |
| Adjunct Instructor - CCC      DecNet  : SCOV19::horvath_db         |
| M.S. Candidate - UPENN        ICBM Net: 40 N 75 E                  |
|                               (dhorvath@pennsas.upenn.edu)         |
| Standard Disclaimer: All expressed opinions are my own and do not  |
| represent any of my employers or affiliated organizations.         |
|                                                                    |
+--------------------------------------------------------------------+

------------------------------

Date:    03 Jun 91 09:45:00 +0200
From:    Jørgen Olsen
Subject: RE: CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94

RE: LAN's as vehicle for spreading virii!
- -----------------------------------------

We run an installation including 700 MAC/PC's (250+450), 8 Novell Nets,
6 3+SHARE-nets, Appletalk etc.  The remarks below refer mainly to our
experience with the Novell-nets in the Dep. of Social Sciences - 5 -
with 120+ workstations.
- -----------------------------

This is mainly a question of network management.

1. Certainly - in a university where students can load programs into
   the netdrives - an infected program can be spread.  BUT -

2. Serious problems only arise if someone with Supervisor rights is
   infected when logging in to do a bit of system Admin.

3. So the combination - daily scanning of areas where users (students)
   can leave their (games, pirate copies (sorry) etc) and removal of
   same combined with careful network management (scanning of RAM &
   local disk) will do the trick.

4. We still have to see a Virus infecting the Netware - without a bit
   of outside help - as described under 2.
- -----------------

Anybody with a comment to 4. ??
- --------------------------------

Do not bother to suggest that we install TSR's etc for checking.  We
have tried - but a number of our applications are RAM-hungry - and some
do not even like some of those TSRs - e.g. they start behaving funny.
But a bit of planning and prevention can do the trick - or have done so
till this moment.

J Olsen
Academic Information Systems
University of Odense
Denmark

------------------------------

Date:    02 Jun 91 23:41:01 -0400
From:    Robert McClenon <76476.337@CompuServe.COM>
Subject: Requirements for Virus Checkers (PC)

>From: microsoft!c-rossgr@uunet.uu.net
>>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
>> 6) Must be easy to remove for troubleshooting

>Hey, *my* code never needs to be removed!

Excuse me, but I use Virex-PC, which is Ross's product.  I do
occasionally need to remove it, not to troubleshoot IT, but because
something is incompatible with it.  One commercial game requires 540K
of FREE memory, not counting MOUSE.SYS, which it uses, and can't fit if
Virex-PC is installed.  A third-party fax board program has TSR
conflicts with Virex-PC.  I don't know what it is doing, but it tries
to take over the same interrupts as Virex-PC and the results are
unpredictable.  (Sometimes it refuses to run.  Sometimes it crashes.)
The need to remove an anti-viral program is not entirely a function of
the anti-viral program's flaws.

I have dealt with the problem by defining a batch file which creates a
dummy file which signifies that on the next (warm) boot of my PC,
Virex-PC is not to be loaded, and then rebooting.

Anyway, Padgett is right.  A program must be easy to remove in the
event of trouble.  The trouble may not be the fault of the program.
The game admits it is a hog.  The fax program is written very sloppily,
but it is worth the price I paid for it.  (It came free with the fax
modem board.)

Robert McClenon
Neither my employer nor anyone else paid me to say this.

------------------------------

Date:    03 Jun 91 20:42:30 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: AIDS Information Trojan (PC)

mcafee@netcom.com (McAfee Associates) writes:
>Does anyone recall whatever happened to Joseph W Popp, the alleged
>mastermind behind the AIDS Introductory Information Trojan Diskette?

The trial date has been set for November 11th and will take place at
Southwark Crown Court, London.

- -frisk

Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801

------------------------------

Date:    Tue, 04 Jun 91 06:24:13 +0000
From:    ekwong@rose.waterloo.edu (Edward the Awaken)
Subject: Virus Unknown (PC)

Help!  My PC is infected by this virus that my SCAN 3.5 can't even
detect.  The virus has a little bug that moves across the screen line
by line shifting the text something like 10 spaces to the left.  The
bug seems to work in the background, i.e. while an application is
running.  The bug that moves across the screen looks like this

        ********=(

Can someone help me id this virus and maybe suggest a possible cure?
I will be grateful.

Thank you in advance.

Edward K.
Address: ekwong@lotus.uw.edu
         ekwong@rose.uw.edu

------------------------------

Date:    Tue, 04 Jun 91 08:34:33 -0500
From:    csfed@ux1.cts.eiu.edu (Frank Doss)
Subject: Hong Kong on MicroTough dist. disks (PC)

One of our users here at Eastern Illinois has discovered the Hong Kong
virus on the distribution disks included with Micro Tough's TVGA board.
This board is a MS-Windows enhancer Trident chip graphics board.  The
disks are labeled TVGA-8916 (disks one - three).  All three of the
notchless disks had the virus.  As the disks were the notchless type,
the virus came from either the factory or the duplicating company.
Micro Tough has been notified.

Norton Anti-Virus 1.00 did NOT find the virus, but Central Point
Anti-Virus 1.00 found and purged the virus.

To say the least, our user was most discerned with his factory-bought
virus.  ;-)

This has been a warning . . .

Frank E.
Doss Academic Computing Eastern Illinois University ------------------------------ Date: 04 Jun 91 16:15:00 +0200 From: J|rgen Olsen Subject: RE:My mail of June 3 - NOVELL and Virus (PC) In my mail - I wrote on Mon, 3 Jun 1991 9:45:45 UTC+0200 >Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94 >RE: LAN's as vehicle for spreading virii! - ----------------------------------------- >4. We still have to see a Virus infecting the Netware - without a bit > of outside help - as described under 2. > ----------------- >Anybody with a comment to 4. ?? >-------------------------------- Later the same day the June issue of VIRUS BULLETIN hit my desk (compliments to the editor for ensuring that By FIRST CLASS MAIL you get it at the start of the month and not at a somewhat later date) - and there it was! The answer to any network managers nightmare - GP1 - - a NOVELL specific virus (variant of Jerusalem)! I have mailed the NOVELL board - asking for a comment! Any answer will be forwarded to Ken for consideration/remailing through him. J Olsen Academic Information Systems University of Odense Denmark ------------------------------ Date: Tue, 04 Jun 91 11:29:39 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Hong Kong/Azusa (PC) >One of our users here at Eastern Illinois has discovered the Hong Kong >virus on the distribution disks included with Micro Tough's TVGA >board. This board is a MS-Windows enhancer Trident chip graphics >board. The disk are labeled TVGA-8916 (disks one - three). The "Hong Kong" is the name Central Point Software has chosen to use for the AZUSA virus previously reported in Dayton on Trident TVGA disks. It becomes memory resident on boot and has a counter that typically after 32 boots will zero the interrupt addresses of COM1 and LPT1 in the system data area casusing access to these peripherals to fail. CHKDSK will also report something less than 640k (655360 total bytes memory) available to DOS. 
More importantly, this is the THIRD time that Trident's distribution disks have been reported in connection with infected boot sectors. (Packard Bell SVGA - Dec,90; TVGA disks in May) & points out the need for something more that just a warning. Other manufacturers have accidently introduced viruses before but most have instituted policies to avoid ever doing it again. (IMHO) an investigation should be launched to determine just what is going on, to determine why this has occured, and to try to ensure that it is not repeated. It has been mentioned before but (IMHO) what is needed is a national computer integrity laboratory organized to become a clearing house for viral information (to avoid AZUSA/Hong Kong & Jerusalem/1813 confusion in the future), to provide a testing mechanism for the effective *weighted* evaluation of anti-virus products, and to inspect/certify manufacturers procedures for preventing future virus disseminations. This would have to created as a disassociated not-for-profit organization to have any meaning, we seen several commercial attempts already, but is something that is needed. However, it would take resources to establish so if any of the Virus-L members know of grants available or manufacturers who would be willing to make equipment available to set up such an organization, (my den closet is not big enough) please let me know. Hotly, Padgett Somewhere west of Orlando These views are my own, most likely no one else would want them. 
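As an added illustration (not from the digest or from McAfee's or Central Point's code), the two symptoms Padgett lists for Azusa, a zeroed COM1/LPT1 entry in the system data area and a reduced memory figure from CHKDSK, can be checked by comparing a BIOS data area snapshot taken after a clean boot against the current one. It assumes the "system data area" fields meant are the BIOS data area words at 0040:0000 (COM port bases), 0040:0008 (LPT port bases) and 0040:0013 (memory size in KB); the snapshots are constructed here, where a DOS tool would copy the 256 bytes at segment 0040h.

```python
"""Baseline comparison of the BIOS data area (BDA) for Azusa-style symptoms.

Assumed BDA layout (segment 0040h):
  offset 0x00  four words: base I/O address of COM1..COM4 (0 = none)
  offset 0x08  four words: base I/O address of LPT1..LPT4 (0 = none)
  offset 0x13  one word:   conventional memory size in KB; CHKDSK prints
                           this times 1024 as "total bytes memory"

Comparing against a baseline recorded from a clean boot avoids false alarms
on machines that legitimately report less than 640 KB (e.g. 639 KB when the
BIOS reserves an extended BDA, or a 512 KB machine).
"""
import struct

BDA_SIZE = 0x100
COM_BASE_OFFSET = 0x00
LPT_BASE_OFFSET = 0x08
MEMSIZE_OFFSET = 0x13


def parse_bda(snapshot: bytes) -> dict:
    """Extract the COM/LPT base tables and the memory-size word from a BDA snapshot."""
    if len(snapshot) < BDA_SIZE:
        raise ValueError("BDA snapshot must be at least 256 bytes")
    com = struct.unpack_from("<4H", snapshot, COM_BASE_OFFSET)
    lpt = struct.unpack_from("<4H", snapshot, LPT_BASE_OFFSET)
    (mem_kb,) = struct.unpack_from("<H", snapshot, MEMSIZE_OFFSET)
    return {"com": list(com), "lpt": list(lpt), "mem_kb": mem_kb}


def chkdsk_total_bytes(fields: dict) -> int:
    """The figure CHKDSK would print as 'total bytes memory' for these fields."""
    return fields["mem_kb"] * 1024


def compare_bda(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings where the current BDA regressed from the baseline."""
    base, cur = parse_bda(baseline), parse_bda(current)
    findings = []
    if cur["mem_kb"] < base["mem_kb"]:
        findings.append(
            "top of memory reduced: CHKDSK would report %d instead of %d total bytes memory"
            % (chkdsk_total_bytes(cur), chkdsk_total_bytes(base))
        )
    # A port that was present at the clean boot and now reads as absent (0) is
    # exactly the "zeroed COM1/LPT1" symptom described for Azusa.
    for label, key in (("COM", "com"), ("LPT", "lpt")):
        for n, (was, now) in enumerate(zip(base[key], cur[key]), start=1):
            if was != 0 and now == 0:
                findings.append("%s%d base address zeroed (was %#06x)" % (label, n, was))
    return findings


def make_bda(mem_kb: int, com1_base: int, lpt1_base: int) -> bytes:
    """Build a constructed 256-byte BDA snapshot with the three fields of interest set."""
    buf = bytearray(BDA_SIZE)
    struct.pack_into("<H", buf, COM_BASE_OFFSET, com1_base)
    struct.pack_into("<H", buf, LPT_BASE_OFFSET, lpt1_base)
    struct.pack_into("<H", buf, MEMSIZE_OFFSET, mem_kb)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed snapshots: a clean 640 KB machine with COM1 at 3F8h and LPT1 at
    # 378h, then the same machine showing the symptoms the post describes.
    clean = make_bda(640, 0x3F8, 0x378)
    suspect = make_bda(638, 0x000, 0x000)
    for line in compare_bda(clean, suspect):
        print(line)
```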
------------------------------

End of VIRUS-L Digest [Volume 4 Issue 97]
*****************************************

Date:     Thu, 6 Jun 91 11:35:42 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender:   Virus Discussion List
From:     "The Moderator Kenneth R. van Wyk"
Subject:  VIRUS-L Digest V4 #98
To:       Multiple recipients of list VIRUS-L

VIRUS-L Digest   Thursday,  6 Jun 1991    Volume 4 : Issue 98

Today's Topics:

Checksumming flaws
Re: denzuko and semlohe viruses (PC)
Virus-writers
denzuko and semlohe viruses (PC)
PCs Which Don't Boot from the Floppy by Default (PC)
Re: Hong Kong on MircoTough dist. disks (PC)
Testing viruses - was Re: Network World Article (PC)
Re: Interesting advert (PC)
Viri and pop culture (general)
Viri in the media (not quite so funny) (general)
Strange behaviour in Mac. (Mac)
Checksumming (was: Interesting advert) (PC)
TSR to catch Yankee Doodle needed (PC)

----------------------------------------------------------------------

Date:    Tue, 04 Jun 91 14:11:12 -0400
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Checksumming flaws

>From: ccml@hippo.ru.ac.za (Mike Lawrie)

>They don't cater for this scenario:-

>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>   files on your hard disk, and thus infects each and every such
>   file _after_ SCAN has pronounced them virus-free

>4. You treat checksum checking programs with utter disgust, because
>   they fooled you into believing that you had protection.

This comes under the heading of
jumping-off-the-high-board-without-looking-to-see-if-there-is-any-water-in-the-pool.

I am not familiar with all virus scanners, but for some time SCAN has
checked for such dangerous viruses in memory right after it checks itself
for integrity.  This checking has two other switches available: /NOMEM
will tell SCAN to proceed without checking memory and the scenario
described will result.  Unless instructed properly, people often use this
switch to speed up the scanning process.  SCAN also provides the /M switch
which tells it to check memory for every known (to SCAN) virus.  V77 also
has a switch to check "high" memory but since I do not have any viruses
that inhabit that region, I have not used it.

Point is that as several of us have said before, checksum validation of
programs is an important part of integrity management, but first you must
be able to trust the system else checksums can be unreliable *and through
no fault of the checksum routine*.  Trust is something that must be built
up step by step and checksumming falls somewhere in the middle.  Lacking a
firm foundation, it cannot endure.

Warmly,
Padgett

------------------------------

Date:    04 Jun 91 18:22:18 +0000
From:    kerchen@fuji.ucdavis.edu (Paul Kerchen)
Subject: Re: denzuko and semlohe viruses (PC)

davidh@garfield.cs.mun.ca (David Hansen) writes:

>Our visiting Indonesian grad students have brought two viruses to our
>campus (Memorial University), they are called denzuko (which has no
> [...]
>Has anyone heard of these viruses from Indonesia??

I wouldn't be surprised if this was a variant of the DenZuk virus.  The
name sounds too close.

Paul Kerchen
kerchen@fuji.eecs.ucdavis.edu - or - kerchen@holly.eecs.ucdavis.edu

------------------------------

Date:    Tue, 04 Jun 91 15:10:40 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Virus-writers

According to this week's Spencer Katt column, certain anti-viral software
houses are boosting their counts by soliciting viruses for pay and
programmers are taking them up for "big bucks".

Gee-gosharootie, have we been missing out on an income potential: wonder
what 100 more STONED clones, half with stealth, would bring in?  Shouldn't
take more than five minutes each.

Kind of reminds me of the Byte-Brothers comical PARASCAN program's ending:
"PARASCAN detects 75 viruses (this was last year) & will detect more as
soon as we write some."

Oh well, at least it is better than the Windows-melting virus in April.

Bemusidly,
Padgett

Obviously my own thoughts - no one else would want them !

------------------------------

Date:    Tue, 04 Jun 91 16:05:14 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: denzuko and semlohe viruses (PC)

davidh@garfield.cs.mun.ca (David Hansen) writes:

> Our visiting Indonesian grad students have brought two viruses to our
> campus (Memorial University), they are called denzuko (which has no
> apparent translation into english) and semlohe, which apparently means

I venture that the denzuko is, in fact, the fairly widely known "Den Zuk"
virus.  If so, then it is a boot sector infector which is a fairly close
"knock off" of the original "Brain" virus.  The boot sector will look very
similar to a "Brain" infected disk, with the difference being that the
original text about Brain computer services has been replaced with "DEN
ZUK" and an Indonesian Ham license number.  More details can be found in
any reasonably complete virus characteristics list.

(I do remember that when this was being actively discussed on the net that
two alternative translations for "Den Zuk" were "The Sweet" (or "The
Sugar") and "The Knife".  The latter may be reasonable in view of the fact
that "Den Zuk" erases the original "Brain" infection.)

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date:    Wed, 05 Jun 91 10:20:00 -0600
From:    "John Nierengarten"
Subject: PCs Which Don't Boot from the Floppy by Default (PC)

I have followed, with interest, the discussions on forcing PCs to boot
from devices other than the floppy drive, the main purpose being
containment of viruses.  Mention was made of several computers which have
a ROM BIOS which causes them to automatically boot from the hard disk.

Does anyone know of any PCs, other than Zenith or Compaq, which have this
(boot from hard disk by default, even if a floppy is present) as a
standard feature?  Or, alternatively, which ROM BIOS products support this
technique?

I am in the process of acquiring new machines for a student lab and have
the opportunity to address the problem up front.  Please send responses to
my e-mail address below and I will summarize.

|\  |
|_\ |    John Nierengarten, Director, Academic Computing Center
\|  \|   University of Wisconsin - River Falls
         BITNET: ACS_JAN@UWRF   Until June 30, 1991.
         Internet: John.A.Nierengarten@uwrf.edu

------------------------------

Date:    Wed, 05 Jun 91 16:02:01 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: Hong Kong on MircoTough dist. disks (PC)

csfed@ux1.cts.eiu.edu (Frank Doss) writes:

>One of our users here at Eastern Illinois has discovered the Hong Kong
>virus on the distribution disks included with Micro Tough's TVGA
[some stuff deleted here]
>Norton Anti-Virus 1.00 did NOT find the virus, but Central Point
>Anti-Virus 1.00 found and purged the virus.

What Central Point Anti Virus identifies as the Hong Kong virus is also
known as the Azusa virus.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253  USA            | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date:    Thu, 06 Jun 91 10:54:00 +1200
From:    "Mark Aitchison"
Subject: Testing viruses - was Re: Network World Article (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

>>From: rtravsky@CORRAL.UWYO.EDU (Richard W Travsky)
>
>>An accompanying chart shows the percentage of detection by the packages
>>against 921 viruses...
>
> Just to provide "apples vs apples" tests, possibly in conjunction with
> the public domain viral list, we should make a stab at a weighted test
> (e.g. Jerusalem 1000 pts for detection, Pentagon 1 pt.)  if we can come
> up with a probability function for infection it would certainly be
> better than "We can detect 900 viruses".

I agree that many virus tests are a bit irrelevant, and could be improved
by weightings such as that suggested.  But also there needs to be a
component in the tests for measuring the product's ability to spot new
viruses (and the scanners should carry out at least some simple tests for
the presence of a virus - e.g. top of memory reduced, interrupt 21
redirected, etc.)  Therefore I suggest that whoever is collecting new
viruses hold some back (ones that have not been seen in the wild, and
probably won't be), and make them available to some a-v testers, not a-v
writers.  This is because, in the lifetime of an anti-virus product, there
are bound to be some new viruses released that aren't in the scan list.

And my definition of the lifetime of the a-v software isn't "until the
next version is made", but until the average user gets around to updating
their copy.  So those that make updated scan lists available conveniently,
cheaply and often should get a better score.  Also, the convenience in
using the product should be taken into account, as programs that take a
long time, or in other ways discourage the user from running it often,
should get lower scores.

In effect, we should see a probability that, with this product, you will
be free from viruses.  (Personally, I like to see a more detailed
analysis, including the effect of using several products together -
which, I think, most sensible people do, but the majority of potential
users of a-v software haven't got the time to go into those details, and
I doubt many a-v testers have the time/resources to produce such detailed
reports, unfortunately).

Mark Aitchison.

------------------------------

Date:    Wed, 05 Jun 91 16:06:45 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: Interesting advert (PC)

I am not quite sure what ccml@hippo.ru.ac.za (Mike Lawrie) writes:
in response to
> RADAI@HUJIVMS.BITNET (Y. Radai) writes:
and
> > Kenny Stevenson writes:
> >>Vaccine anti-virus system - "Vaccine is virus-non specific detection
> >>software.  It uses cryptographic checksums to monitor the state of
>
> >There is absolutely nothing new in this ad.  There are zillions of
> >checksum programs for the PC which claim to do the very same thing.
>
> They don't cater for this scenario:-
>
> 1. Somehow infect the RAM of your PC with a COM/EXE targeting
>    virus, such as Plastique (eg run an infected program from a
>    floppy, or from a network).
>
> 2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>    files on your hard disk, and thus infects each and every such
>    file _after_ SCAN has pronounced them virus-free

SCAN is not a checksum/image/change detection program, but a scanner,
which looks for specific known code sequences from known viral programs.
(A further point of Mike's posting seemed to indicate that he thought SCAN
was a checksum program.)

However, Mike's posting also seems to indicate that he feels that Sophos'
Vaccine program, because it checks for changes in the program, will not be
subject to the phenomenon he describes.  (At least that was my reading, my
apologies if that was not your intent.)

Unfortunately, any antiviral program which examines programs, either for
virus signatures or in order to calculate an "image" check, will open all
the programs it examines, and therefore opens the possibility of the same
happening.

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date:    Wed, 05 Jun 91 16:13:42 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Viri and pop culture (general)

Well, folks, we have made it big time for sure.  Not only did we get the
Mad Magazine "Computer Virus Issue" earlier this year, but we just got a
posting on rec.humor.funny about a supplier of viri (including those that
affect your phone and washing machine.)

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date:    Wed, 05 Jun 91 18:21:15 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Viri in the media (not quite so funny) (general)

John Dvorak's syndicated newspaper column focusses this week on viri.  The
headline (for which he cannot be held accountable, I realize) is "Computer
viruses: their cause and cure."  The first sentence runs, "It's not easy
to report on something if you don't understand it at all."  He then tries
to do that.

I probably shouldn't be all that hard on the article.  He doesn't make too
many really boneheaded errors.  He doesn't write much of any substance,
either.  (Certainly there is nothing, absolutely nothing, in the article
that deals with "cure".)  He does state that a virus must attach itself to
a program, thus eliminating all BSI's from consideration.  He also
belittles the definition of the Morris/Internet worm as a worm, apparently
not understanding that his definition requires it.

Fred Cohen is mentioned, as is "Shockwave Rider."  ("The Adolescence of
P1" is not.  Sigh.  :-)  No real viral programs are mentioned, except for
the brief and uninformative reference to the Morris worm.

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date:    Thu, 06 Jun 91 17:08:00 +1000
From:    U5434700@ucsvc.ucs.unimelb.edu.au
Subject: Strange behaviour in Mac. (Mac)

One of our Macintoshes recently started 'pinging' whenever an application
started or exited, and will now only sometimes recognise our laserwriter.
A similar machine, connected to the same printer, has no pings, and prints
fine.  Disinfectant 2.4 cannot find any virus.  Does anyone recognise the
symptoms?
Thanks,
Danny

------------------------------

Date:    Thu, 06 Jun 91 14:22:00 +0300
From:    Y. Radai
Subject: Checksumming (was: Interesting advert) (PC)

Mike Lawrie writes:

>They [checksum programs] don't cater for this scenario:-
>
>1. Somehow infect the RAM of your PC with a COM/EXE targeting
>   virus, such as Plastique (eg run an infected program from a
>   floppy, or from a network).
>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>   files on your hard disk, and thus infects each and every such
>   file _after_ SCAN has pronounced them virus-free
>3. You end up with every COM/EXE file on your disk having to be
>   reloaded, but you believe otherwise until you find out the
>   bitter truth
>4. You treat checksum checking programs with utter disgust, because
>   they fooled you into believing that you had protection.

First of all, Step 2 of this scenario is certainly not characteristic of
COM/EXE infectors in general, as you seem to imply.  (E.g., it won't
happen with the Jerusalem virus.)  It has to be a very special virus to do
this.  Secondly, what you have described shouldn't happen with SCAN, since
before scanning it checks for the presence in RAM of viruses which act in
this way, and that includes Plastique, unless you're using an old version
of SCAN.  (If this really did happen to you with a *recent* version,
contact McAfee.)

Finally and most important, suppose we have a virus in memory which SCAN
or some other program does not recognize, and the above scenario does
occur.  What does this have to do with checksumming programs??  Checksum
programs don't claim to *prevent* infection, only to *detect* an infection
*after* it has occurred, the next time the checksum program is activated
on an infected file.  And this is precisely what they will do even in your
scenario (provided you ensure that RAM is clean when the checksum program
is activated).  Thus your conclusion in Step 4 is unjustified.  What you
need in order to *prevent* scenarios like this is to supplement the
checksum program with a good generic monitoring program.

Padgett Peterson writes:

>Well some form of integrity checking must go resident, even if it is
>just smart enough to call the checksum program.  Otherwise, what is
>going to identify that a program is new or changed.  (you could handle
>"changed" with a zillion little .BAT files but new ?)  Since you do not
>want to add to the pilot's workload, it must be automatic therefore
>resident.

Sorry, Padgett, but I don't understand what you're trying to say.  As
existing checksumming programs are implemented, they notify you that a
file has been changed the next time the checksum program is activated on
it (which is normally long before the virus can do any damage).  What are
the zillion .BAT files needed for?

We seem to be talking on different wavelengths, but since I don't know
where the misunderstanding lies, I'll have to start from the beginning
(sorry if what I say is obvious):

Some types of programs can be run either *statically*, i.e. as a
non-resident program activated on demand (or via the AUTOEXEC.BAT file) to
do something to all files or a specified list of files all at once, or (2)
*dynamically*, i.e. as a memory-resident program to do it to each
executable file just before execution.  (These are my terms; maybe you
have a better suggestion.)  For example, among known-virus scanners,
McAfee's Scan is a static program, while his V-Shield is a dynamic
program.  In precisely the same way, a checksumming or integrity-checking
program can be implemented either statically or dynamically.  And if it's
done statically, then just as SCAN is not memory-resident, nothing here
need be memory-resident either.

Most checksumming programs which I know of can or must be implemented
statically, and for good reason: The surest way to ensure that no stealth
virus can hide modifications is to do static checking immediately after
booting from a clean write-protected diskette.  Dynamic checksumming is
more convenient, but as far as I know, there's no way of guaranteeing that
it can't be fooled by a stealth virus.  If someone can produce convincing
evidence that there is such a way, I'd be glad to hear of it.

Now perhaps what you mean to say is that only a resident program can
notify the user *immediately* that an executable file has just been
created or modified.  If so, I agree, but I see this as the task of a
generic monitoring program, not of a checksum program.  (Also, when
someone speaks of integrity checking, I assume he's referring to a
checksum program.  Do you mean something else?)

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    05 Jun 91 15:06:00 -0500
From:    "Troy D. Taylor"
Subject: TSR to catch Yankee Doodle needed (PC)

I have a question for all the virus gurus out on the net.  The computer
rooms have been getting hit with Yankee Doodle and it is fairly easy to
clean, but it is evading our TSR that should stop infected files from
loading (Vshield77).  I would like to find something like that to prevent
the infected files from being loaded or at least blow whistles and beep
and flash if it does load an infected file.
later and thanks troy /********************************************************** * Conslt13@zeus.unomaha.edu * Conslt13@unoma1 * * Troy@zeus.unomaha.edu * Troy@unoma1 * * Dragon@odin.unomaha.edu * * **********************************************************/ ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 98] ***************************************** 10-Jun-91 20:17:36-GMT,19600;000000000001 Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA15895; Mon, 10 Jun 91 16:17:25 EDT Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA08552; Mon, 10 Jun 91 16:17:11 EDT Message-Id: <9106102017.AA08552@remus.rutgers.edu> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 1315; Mon, 10 Jun 91 16:09:59 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 5815; Mon, 10 Jun 91 16:09:36 EDT Date: Mon, 10 Jun 91 15:33:14 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #99 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L VIRUS-L Digest Monday, 10 Jun 1991 Volume 4 : Issue 99 Today's Topics: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94 Possible Bug in VIRUSCAN V77 (PC) Hypercard Antiviral Script? (Mac) Auto scanning of drive a (PC) Re: What is DOD? Re: Software Upgradable BIOS (PC) Scanning infected files (PC) Is there a 1024 virus? (PC) Re: TSR to catch Yankee Doodle needed (PC) Re: PCs Which Don't Boot from the Floppy by Default (PC) Variant of Stoned (PC) Questions about "Disinfectant" (Mac). New Virus? (PC) Re: Virus-writers VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. 
Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 06 Jun 91 10:37:45 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94 >From: J|rgen Olsen >RE: LAN's as vehicle for spreading virii! >This is mainly a question of network management. Agreed, but one easy possibility does not seem to have been covered that is widely used on BBSes: separate upload and download directories. By making the upload directory write only for users and the download directory execute only, the administrator can provide an effective filter of what is made available to the community. Of course this places added responsibility on the administrator since a problem is traceable to him (I wonder if this is why many manufacturers ship products on non-write-protected disks, there is not much question of where an infection occurred with a notchless disk), and does introduce a delay between posting and availability. Such a scenario would have user A posting a file to the upload directory. The administrator would then SCAN the program, check for malicious behavior using an account that is unpriv'd, and check for any license restrictions. Only when satisfied that the program is low-risk would it be placed in a user-accessable area. Such a filter should also be used between software developers and user areas (but rarely is). In practise, the technique is much simpler than it sounds and need not be a burden. 
Padgett It works for me ------------------------------ Date: 06 Jun 91 09:43:00 -0500 From: "William Walker" Subject: Possible Bug in VIRUSCAN V77 (PC) I have found what seems (to me) to be a bug in VIRUSCAN V77. When scanning multiple floppies (SCAN A: /M /MANY), the first virus encountered prompts the message Found 1 file containing viruses. If the next diskette also contains a virus, SCAN reports 2 viruses found. So far, so good. Here's the problem: SCAN says "2 viruses found." for every subsequent diskette with a virus, so long as no clean floppies are scanned. If a clean floppy is encountered, the message returns to "Found 1 file containing viruses." and the cycle repeats. CLEAN does not have the same problem, as its counter is accurate. I guess this is a trivial problem, and it doesn't matter to me as it still detects viri without problems (that I've seen). However, it does not inspire confidence in the user whose diskettes I'm scanning when he or she asks, "Why isn't the count right?" and I reply, "It's just a bug in the detection program." Incedentally, VIRUSCAN V75 and V76C don't show this problem, and judging from their behavior, this is not supposed to be a running count, but merely a count of viri on the diskette just scanned. Also incedentally, this behavior only occurs with the Stoned virus, not any of the other viri with which I tested it (Jerusalem-B, Yankee Doodle, Music Bug, or 1701/1704). Has anyone else seen this? Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "That's not a bug, Arnold Engineering Development Center | that's a feature!" M.S. 120 | - Anonymous Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Thu, 06 Jun 91 15:34:04 +0000 From: jalden@eleazar.dartmouth.edu (Joshua M. Alden) Subject: Hypercard Antiviral Script? (Mac) Awhile back people mentioned a Hypercard script to deal with the recent Hypercard virus. 
Then someone mentioned that their script wasn't reliable, and someone else said he'd write a new one, and that was the last I've heard of it. Has anyone got a reliable script? Or at least a script which works in known circumstances?

- -Josh.

- --
Josh Alden, Consultant, Dartmouth Computing  | #61 Hidden Lane
Private mail: Joshua.Alden@dartmouth.edu     | West Lebanon, NH 03784-9720
Virus mail: Virus.Info@dartmouth.edu         | (603) 643-2840

------------------------------

Date:    Thu, 06 Jun 91 13:26:23 -0400
From:    Dmitri Schoeman
Subject: Auto scanning of drive a (PC)

A while back, there was a question as to whether any programs will automatically scan a disk in drive A. I think it would be possible by having a TSR hooked to the clock which would check the interrupt for a changed disk (if asked I will try to find which interrupt). If the interrupt returns that the disk has been changed then the scan will automatically begin, at most 1/18.2th of a second after the disk door was closed. If this were implemented in a virus scanner (ideally for a computer lab full of virus-ignorant people) I think it would be able to control viruses for people who are unable to check for themselves.

- -----Dmitri Schoeman

------------------------------

Date:    06 Jun 91 22:12:01 +0000
From:    nautilus@jec310.its.rpi.edu (John M Twilley)
Subject: Re: What is DOD?

NCKUS089@TWNMOE10.BITNET (Mac Su-Cheong) writes:
> May someone please give me information on DOD Computer Security Center ?
> Is it possible to get reports or papers of DOD ?

DOD stands for the United States Department of Defense. I am pretty sure that they publish unclassified information on virii, but I wouldn't know where to find it.

- --
|John M. Twilley (Nautilus)|"Electricity is the dangerous|Disclaimer: Take|
|Internet: nautilus@rpi.edu| stuff in an extension cord."|what I say with |
|BITNet: Nautilus@RPITSMTS |(paraphrased from S. Dorner) |a grain of salt.|

------------------------------

Date:    06 Jun 91 18:54:17 +0000
From:    ingoldsb%ctycal@cpsc.ucalgary.ca (Terry Ingoldsby)
Subject: Re: Software Upgradable BIOS (PC)

padgett%tccslr.dnet@mmc.com (Padgett Peterson) writes:
> >From: "William Walker C60223 x4570"
...
> >I feel that the prominent anti-virus researchers (and some of us
> >others) ought to collectively rise up and protest the software-
> >upgradable BIOS before it gets any acceptance.
...
> Tullahoma in the seventies - Hi Bill), there does not have to be a problem
> if the hardware designers do their job. An EEPROM requires a special signal
> on one lead to tell it to write. If that lead is under hardware control and
> accessible only with the case open and a special plug in place that disables
> everything except a "load & verify BIOS" program, risk can be minimal.

It is not even necessary to place it under hardware control; rather, if the hardware incorporates an interlock that requires a special, possibly unique, code, then the viruses could bash at it forever (almost) without success. For example, if each machine thus manufactured were assigned a unique value in EPROM (which could not be read by the CPU), say of length 64 bits, then the user could be queried, by the software upgrade program, to enter the key. If the key matched, the EAROM would be modified; otherwise nothing would happen. Note that if my quick calculations are correct, at a rate of 1 million tries per second it takes about 1800 years to try all the combinations. Surely after a year or so even the most patient of users would realize that something was wrong. The number could even be printed on the back of the machine, in case the user should forget.
- Terry

- --
Terry Ingoldsby                ingoldsb%ctycal@cpsc.ucalgary.ca
Land Information Services                   or
The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

------------------------------

Date:    Thu, 06 Jun 91 20:31:23 -0500
From:    Finnegan Southey
Subject: Scanning infected files (PC)

In regards to the problem of anti-viral programs infecting files they scan when a memory-resident virus is present: Wouldn't it be possible to read disks sector by sector instead of opening files through DOS calls? This reading would be much the same as a disk editor program. The scanner could consult directory listings to find program boundaries and then check appropriate areas without opening the files as a file? As I'm not an MS-DOS expert I'm not sure if this makes sense, but I thought I'd ask.

- -------------------------------------------------------------------------------
Finnegan Southey - Computing Services, University of Guelph, Ontario, CANADA
BitNet: ACDFINN.VM.UOGUELPH.CA          CoSy: fsouthey@COSY.UOGUELPH.CA
You are in a maze of twisty little passages, all alike...
- -------------------------------------------------------------------------------

------------------------------

Date:    Thu, 06 Jun 91 21:07:30 -0600
From:    "Stan Orrell"
Subject: Is there a 1024 virus? (PC)

Can anyone suggest an explanation of our observation on several computers (various IBM PC types) of a result from chkdsk of 654336 bytes of total memory? The value is confirmed, in kbytes, when Norton SI is run. The machines are always booted from floppies, and are networked, but only data files are moved over the network connection. Everything seems to be OK otherwise, i.e. the usual applications work correctly and no other weird files have appeared. What is this? And, what should one do about it? Any help appreciated.

Thanks, Stan.
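A small triage helper for the kind of CHKDSK reading Stan describes, added here as an illustration and not taken from any post in the digest: it parses the "bytes total memory" line, works out how far below the 640 KB conventional-memory ceiling the figure is, and checks whether the deficit is the same on every machine. The CHKDSK output and machine labels are constructed for the example.

```python
import re
from typing import Dict, Optional

# An IBM PC reports at most 640 KB of conventional memory. CHKDSK takes the
# figure from the BIOS top-of-memory count, so anything that quietly lowers
# that count (a boot-sector virus that stays resident above the new ceiling,
# or on some machines a legitimate 1 KB extended BIOS data area) shows up
# as a shortfall here. 654336 is exactly 639 KB, one 1 KB block short.
CONVENTIONAL_MEMORY_BYTES = 640 * 1024  # 655360

# Constructed CHKDSK-style output in the MS-DOS wording (not from the digest).
SAMPLE_CHKDSK_OUTPUT = """\
  21309440 bytes total disk space
     73728 bytes in 3 hidden files
  12451840 bytes in 417 user files
   8783872 bytes available on disk

    654336 bytes total memory
    566784 bytes free
"""

TOTAL_MEMORY_RE = re.compile(r"(\d+)\s+bytes total memory")


def parse_chkdsk_total_memory(output: str) -> Optional[int]:
    """Return the 'bytes total memory' figure from CHKDSK output, or None."""
    match = TOTAL_MEMORY_RE.search(output)
    return int(match.group(1)) if match else None


def conventional_shortfall_kb(total_bytes: int) -> int:
    """Whole kilobytes missing from the 640 KB ceiling (0 when nothing is)."""
    missing = CONVENTIONAL_MEMORY_BYTES - total_bytes
    return max(missing, 0) // 1024


def triage(readings: Dict[str, int]) -> dict:
    """readings maps a machine label to its CHKDSK total-memory figure.

    Reports the per-machine shortfall, whether every machine shows the same
    deficit (Stan's pattern, across different PC types) and whether any
    machine is short at all. A uniform deficit on unrelated hardware is hard
    to explain by a BIOS reservation alone, so the follow-up is the one Rob
    Slade gives later in this digest: boot from a known-clean, write-protected
    floppy and inspect the boot sectors of the disks in question.
    """
    shortfalls = {name: conventional_shortfall_kb(b) for name, b in readings.items()}
    distinct = set(shortfalls.values())
    return {
        "shortfall_kb": shortfalls,
        "uniform": bool(readings) and len(distinct) == 1,
        "suspect": any(kb > 0 for kb in shortfalls.values()),
    }


if __name__ == "__main__":
    total = parse_chkdsk_total_memory(SAMPLE_CHKDSK_OUTPUT)
    print(total, "bytes total memory ->", conventional_shortfall_kb(total), "KB short")
    print(triage({"lab-pc-1": 654336, "lab-pc-2": 654336, "lab-pc-3": 654336}))
```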
------------------------------

Date:    Fri, 07 Jun 91 09:06:00 -0400
From:    Al Woodhull
Subject: Re: TSR to catch Yankee Doodle needed (PC)

> The computer rooms have been getting hit with Yankee Doodle and it is
> fairly easy to clean, but it is evading our TSR that should stop
> infected files from loading (Vshield77).

Yankee Doodle and Jerusalem are the only two viruses I have had actual encounters with, and the situation is similar here: one or more of my assembly language programming students reinfect files on the LAN where MASM and Codeview are kept. I have been using VIRSTOP (a TSR scanner) on my own system. VIRSTOP is fast and unobtrusive and is very reliable in preventing execution of small .COM files infected with either of the viruses that have been a problem here. But I find it doesn't always find infected files. I should do a controlled test sometime, but I have a subjective impression that when I do find one of my programs infected it is always a large .EXE file, either ProComm or Emacs. I can't imagine a scanner would be so limited as to be able to scan only one 64K segment, but that would explain what I think I have seen. Can anyone tell me if there are other reasons why a scanner might have problems with a large .EXE file? I understand that VIRSTOP uses the same signature information as McAfee's SCAN V68, so this could be relevant to the problem with VSHIELD77.

! Albert S. Woodhull
! School of Natural Science, Hampshire College, Amherst, MA 01002
! tel: (413) 549-4600 ext 581
! awoodhull@hampvms.bitnet, awoodhull@hamp.hampshire.edu

------------------------------

Date:    Fri, 07 Jun 91 11:11:32 -0600
From:    pvi!todd@elroy.Jpl.Nasa.Gov (Todd Bradley x293)
Subject: Re: PCs Which Don't Boot from the Floppy by Default (PC)

>Does anyone know of any PCs, other than Zenith or Compaq, which have
>this (boot from hard disk by default, even if a floppy is present) as
>a standard feature? Or, alternatively, which ROM BIOS products
>support this technique?
>I am in the process of acquiring new machines
>for a student lab and have the opportunity to address the problem up
>front.

My CACHE motherboard uses their own proprietary BIOS and has a configurable boot sequence, either C then A or A then C. So if you know there is a system on drive C, you can set it to the first mode and it will never boot from A. This saves time, too.

Todd.

- --
Todd Bradley (extension AXE)            Disclaimers are for wimps who have
Supreme Ruler of The Galaxy             some sort of job security.
Precision Visuals, Inc.   Boulder, CO   (303) 530-9000

------------------------------

Date:    Fri, 07 Jun 91 10:31:37 -0700
From:    mcafee@netcom.com (McAfee Associates)
Subject: Variant of Stoned (PC)

A new Stoned variant is becoming widespread in the US and Canada which is not detected by version 77 of SCAN. The /EXT external virus data option in SCAN and CLEAN can be used to identify and disinfect the virus. The external virus data file should read:

    "A1 13 04 48 48 A3 13 04 B1 06 D3" PS-Stoned Variant [Stoned]

To scan a system for the virus, type in:

    SCAN x: /EXT filename

Where "x:" is the drive to be scanned, and "filename" is the name of the external virus data file.

To remove the virus, type in:

    CLEAN x: /EXT filename [STONED]

Where "x:" is the drive to be scanned, and "filename" is the name of the external virus data file.

The symptoms for this variant are similar to the Stoned virus; however, no message is displayed.

Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date:    Fri, 07 Jun 91 17:01:57 -0500
From:    firmiss@cae.wisc.edu
Subject: Questions about "Disinfectant" (Mac).

I've been using Disinfectant since version 1.6 and I've had a few questions I've wanted to ask for quite a while.

1. I believe since version 2.0, Disinfectant had the ability to install a protection INIT. The thing is only 5k... What does it DO?... Does it just give a warning if something is being infected? What does it look for?

2. I remember hearing that using Disinfectant AND the old virus protection CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow rendered the Disinfectant INIT useless or something to that effect). Is it also a good idea to remove the INITs "KillVirus" (icon is a needle with the word nVIR next to it) and "Kill WDEF - virus INIT" (icon is just a standard document icon)? I know these are pretty old too. (At least I don't have "Ferret" and "Kill Scores" and those other related relics.)

2a. Almost forgot... What about the "SAM (TM) Intercept" INIT... I know it's newer but do "SAM" and "Disinfectant" interfere with each other?

My current version of Disinfectant is 2.4... Is this the most current one? I've had it for about 6 months now.

James Firmiss (Foxx Fox)        Plasma Source Ion Implantation
firmiss@cae.wisc.edu            Materials Science Program
Univ. of Wisc. Madison
"Beep. Beep Beep. Beep Beep." - vi editor

------------------------------

Date:    07 Jun 91 17:35:16 -0500
From:
Subject: New Virus? (PC)

Hello Netlanders,

We yesterday observed strange behaviour on one PC with 386 DX (in Osnabrueck, W-Germany). Chkdsk reported an "Allocation error, size adjusted" on several EXE files, for example KRNL386.EXE and KERNEL.EXE of Win 3.0 but not the KRNL286.EXE. Windows worked only in Standard Mode, but in Real and 386 Enhanced the system crashed. Scanning the HD after booting from floppy (I hope a clean one :-)) with F-PROT 1.15a and SCAN v77 revealed nothing. Restoring the obviously damaged files, we observed an increase of the file length of 4280 bytes in the case of the damaged (infected ?!) files. Maybe any kind of Tequila shows his (ugly :-() face? Any suggestions?

Regards, Frank Petersen

B.t.w.: I'll send a copy of an infected file together with the uninfected version to Ken.
Maybe he'll be so kind as to pass it to the masses of famous :-) and intelligent (and so on) virus researchers, so they can have a close look at the nasty stuff. (Thanks Ken).

Frank Petersen
via EARN/BITNET: PETI1010 @ DOSUNI1
via FIDONET: (2:245/20.9)

------------------------------

Date:    08 Jun 91 13:21:28 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus-writers

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:
>According to this (PC) week's Spencer Katt column, certain anti-viral
>software houses are boosting their counts by soliciting viruses for
>pay and programmers are taking them up for "big bucks".

If that is true, I and the Virus Bulletin would very much like to know which companies are involved - I would do my best to drive them out of business.....

Actually, this reminds me of a chat I had with Todor Todorov - the SysOp of the largest Virus BBS - He said he had samples of 70 viruses not detected by any anti-virus program, and was negotiating with a certain US-based anti-virus company - offering to sell them (and nobody else) the viruses....
- -frisk

Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: frisk@rhi.hi.is      Fax: 354-1-28801

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 99]
*****************************************

Message-Id: <9106111512.AA02799@remus.rutgers.edu>
Date:       Tue, 11 Jun 91 10:58:53 EDT
Reply-To:   VIRUS-L@ibm1.cc.lehigh.edu
Sender:     Virus Discussion List
From:       "The Moderator Kenneth R. van Wyk"
Subject:    VIRUS-L Digest V4 #100
To:         Multiple recipients of list VIRUS-L

VIRUS-L Digest   Tuesday, 11 Jun 1991    Volume 4 : Issue 100

Today's Topics:

Re: denzuko and semlohe viruses (PC)
Man Catches Computer Virus (light reading for comp.virus)
Re: Checksumming (was: Interesting advert) (PC)
Re: Hoffman Summary & FPROT (PC)
Re: Hong Kong on MicroTough dist. disks (PC)
MIBSRV Updates (PC)
Advice requested (PC)
Help to remove Joshi from partition table (PC)
Re: Scanning infected files (PC)
Is there a 1024 virus? (PC)
RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace'
----------------------------------------------------------------------

Date:    08 Jun 91 13:26:09 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: denzuko and semlohe viruses (PC)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:
>... two alternative translations for "Den Zuk" were "The Sweet" (or "The
>Suger") and "The Knife".

Ah - this is not correct. I have contacted the author of the virus, and got the whole story from him - quite an interesting story, in fact. Anyhow, "Denzuko" is just his nickname.

- -frisk

------------------------------

Date:    Sat, 08 Jun 91 19:31:07 +0000
From:    richards@cse.uta.edu (David Richardson)
Subject: Man Catches Computer Virus (light reading for comp.virus)

Disclaimer: Reproduced WITHOUT permission. These quotations are intended to inform the network reader of the public-media usage of the term "virus" as it relates to computer virii. Persons who wish to read the entire article are encouraged to do so.

>From _WEEKLY WORLD NEWS_ 6/18/91 (on newsstands 6/3/91) page 29:

"MAN CATCHES COMPUTER VIRUS!" by Michael Todd, special correspondent.

John Stevens has a lot in common with his home computer: Both think logically, both like numbers and both are sick with a virus - the same virus!

Stevens, a computer programmer who works out of his home in a Philadelphia suburb, is convinced his lingering and debilitating illness is something he got from his sick computer. And the victim's doctor agrees.

[rest of article not posted]

By the way, the WEEKLY WORLD NEWS can be found in major supermarkets near the National Enquirer, the SUN, and similar tabloid newspapers.
We now return you to your regularly scheduled newsgroup.

- --
David Richardson           U. Texas at Arlington          +1 817 856 6637
PO Box 192053              Usually hailing from: b645zax@utarlg.uta.edu
Arlington, TX 76019-2053   b645zax@utarlg.bitnet, SPAN: UTSPAN::UTADNX::UTARLG::B645ZAX
USA                        The Lord is my shepherd, I shall not want.

------------------------------

Date:    08 Jun 91 15:40:46 +0000
From:    ccml@hippo.ru.ac.za (Mike Lawrie)
Subject: Re: Checksumming (was: Interesting advert) (PC)

RADAI@HUJIVMS.BITNET (Y. Radai) writes:
> Mike Lawrie writes:
>>They [checksum programs] don't cater for this scenario:-
>>
>>1. Somehow infect the RAM of your PC with a COM/EXE targeting
>>   virus, such as Plastique (eg run an infected program from a
>>   floppy, or from a network).
>>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>>   files on your hard disk, and thus infects each and every such
>>   file _after_ SCAN has pronounced them virus-free
>>..
>First of all, Step 2 of this scenario is certainly not characteristic
>of COM/EXE infectors in general, as you seem to imply. (E.g., it
>won't happen with the Jerusalem virus.) It has to be a very special
>virus to do this.

We were hit with Plastique. Having inspected it, there seemed to be reason for me to believe that other viruses might use a similar method to trigger the infection algorithm.

> Secondly, what you have described shouldn't happen with SCAN, since
>before scanning it checks for the presence in RAM of viruses which act
>in this way, and that includes Plastique, unless you're using an old
>version of SCAN. (If this really did happen to you with a *recent*
>version, contact McAfee.)

Indeed, McAfee contacted me (good company, they were concerned). We had an old SCAN at the time, but sooner or later this scenario will re-occur, as you will get hit with a similar type of virus that McAfee has not yet catered for, even if you have their very latest version.
You then end up with your RAM infected, but you are living in Disneyland (like we did) believing otherwise, and you then proceed to zap your hard disk. Sure, theory says that it won't happen. hahaha.

> Finally and most important, suppose we have a virus in memory which
>SCAN or some other program does not recognize, and the above scenario
>does occur. What does this have to do with checksumming programs??

We have a checksumming program as well - the original article to which I tried to reply asked for comments on such a thing. The checksumming program indeed may let you know that you _have_ been infected - big deal, in my opinion, if any advert lulls you into a sense of security because you have a checksummer in place. A checksummer gives you no security whatsoever, because it does not prevent a viral infection. Not that much else does either, for that matter, but that is not the point; the advert needs to be taken with a hefty pinch of salt. Just that our experience that I wished to share was that with a checksummer in place and use of SCAN, you can end up with every last EXE/COM file on your hard disk looking very sick indeed.

Mike

- --
Mike Lawrie
Director Computing Services, Rhodes University, South Africa
..............................................
Rhodes University condemns racism and racial segregation

------------------------------

Date:    10 Jun 91 03:57:56 +0000
From:    Ray.Mann@ofa123.fidonet.org (Ray Mann)
Subject: Re: Hoffman Summary & FPROT (PC)

Richard Travsky was asking how come Patricia Hoffman's Virus Summaries keep making reference to only a very old and outdated version of F-PROT (v1.07), where the current version is v1.15, going for 1.16 and into v2.0 very soon:

> Any reason why such an old version is used?

My suspicion is that this is probably a result of some antagonism between Frisk and McAfee, whom Patricia Hoffman follows so closely. Frisk is a competitor...

- --- Opus-CBCS 1.14
 * Origin: Universal Electronics, Inc.
   [714 939-1041] (1:103/208.0)

- --
Ray Mann
Internet:   Ray.Mann@ofa123.fidonet.org
Compuserve: >internet:Ray.Mann@ofa123.fidonet.org

------------------------------

Date:    Mon, 10 Jun 91 17:21:19 +0000
From:    dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
Subject: Re: Hong Kong on MicroTough dist. disks (PC)

One thing that Mr. Doss forgot to mention is that although Central Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy, it cannot remove the virus from a hard drive. The only way to disinfect a hard drive is to redo the low level format because the virus infects the boot sector and the DOS partition. A high level format will not remove the virus, nor will simply removing the DOS partition with the fdisk program.

Derek Ebdon

------------------------------

Date:    Mon, 10 Jun 91 12:16:29 -0500
From:    James Ford
Subject: MIBSRV Updates (PC)

By Tuesday, June 11 the files VSUM9105.ZIP and VSUM9105.TXT will be placed on mibsrv. Sorry for the delay. Various other files have also been updated (thanks for the info, Keith!). A complete listing will be sent out tomorrow (June 11).

Other notes: The IBM RT system on which the mibsrv files reside will be gone by June 28. The new system administrator for the College of Eng. has informed me that I will be allowed to transfer all of the archives from 130.160.20.80 to a new RISC 6000 machine.....however, the IP address is unknown at this time. Mibsrv will stay up at least until the 28th of June. As soon as I know the IP address of the new machine and get the files transferred over, I'll let you know.

I have enjoyed keeping mibsrv stocked with ibm-antiviral files and will try to make the transfer as painless as possible (famous last words).

- ----------
It has yet to be proven that intelligence has any survival value.
- ----------
James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date:    10 Jun 91 23:02:33 +0000
From:    gregm@sail.labs.tek.com (Greg Montgomery)
Subject: Advice requested (PC)

I am a SW Eng. for a 500 company, and I got volunteered to come up with some software to check out the PCs in our area. Is there a software package that can be LEGALLY swapped between multiple PC computers, and is not necessarily a resident program? I have been looking at Norton, Central Point, and Virex; however, I would be interested in a list of a few more programs that are tailored for multiple PC inspection.

Thanks in advance,
Greg

------------------------------

Date:    11 Jun 91 07:37:36 -0700
From:    CCA3607@SAKAAU03.BITNET
Subject: Help to remove Joshi from partition table (PC)

I try to use clean77 to remove it, I get the virus removed, I run the computer from new DOS, after I put the power off, when I started I find it again. Any help appreciated.

Terry jawberh
cca3605@sakaau03.bitnet

------------------------------

Date:    Tue, 11 Jun 91 17:11:00 +1200
From:    "Mark Aitchison, U of Canty; Physics"
Subject: Re: Scanning infected files (PC)

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:
> In regards to the problem of anti-viral programs infecting files
> they scan when a memory-resident virus is present: Wouldn't it be
> possible to read disks sector by sector instead of opening files
> through DOS calls?

Yes, you can do that, and there could be other advantages too: (a) potentially faster execution (if you are doing a whole diskette, you can organise things to reduce head movement), and (b) bypassing some viruses, which intercept int 21 or int 13. There are some limitations, basically involving incompatibility with some network software, RAM drives, etc, but quite a good idea for most purposes.
The latest version of my CHECKOUT program uses this; earlier versions didn't check files - just the boot sector - but used int 40 instead of int 13 for similar reasons. Ultimately, anti-virus software is going to directly access the disk controller (or possibly do far calls to the BIOS), to be certain of avoiding smart viruses, and relying on DOS will be unthinkable (as it *should* be now).

This leads me to a thought... suppose a virus-removal program gets rid of the virus from disk, but the infected sectors still exist in (say) an extended memory cache system. Has anyone guarded against this?

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date:    Mon, 10 Jun 91 19:50:52 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Is there a 1024 virus? (PC)

sorrell@triton.unm.edu (Stan Orrell) writes:
> Can anyone suggest an explanation of our observation on several
> computers (various IBM pc types) of a result from chkdsk of 654336
> bytes of total memory?

A number of viral programs would fit this bill, the most obvious being the ubiquitous "Stoned". Check the boot sectors of your boot disks with your Norton utilities.

=============
Vancouver      p1@arkham.wimsey.bc.ca     | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca   |  computer, don't
Research into  (SUZY) INtegrity           |  turn it on."
User           Canada V7K 2G6             | Richards' 2nd Law
Security                                  |  of Data Security

------------------------------

Date:    11 Jun 91 13:11:00 +0200
From:    Jørgen Olsen
Subject: RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace'

How about making the thing political? If 'certain countries' expect 'other countries' - e.g. (ours) - to financially bail them out of up to 74 years of infrastructural mismanagement, we could at least demand that they kill their virus factories before we open our purses!! Maybe we should all tell our respective governments - the EEC - the World Bank etc about this?? A topic for the coming Virus conference??
J Olsen
University of Odense
Denmark

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 100]
******************************************

Message-Id: <9106122009.AA09294@remus.rutgers.edu>
Date:       Wed, 12 Jun 91 15:57:47 EDT
Reply-To:   VIRUS-L@ibm1.cc.lehigh.edu
Sender:     Virus Discussion List
From:       "The Moderator Kenneth R. van Wyk"
Subject:    VIRUS-L Digest V4 #101
To:         Multiple recipients of list VIRUS-L

VIRUS-L Digest   Wednesday, 12 Jun 1991    Volume 4 : Issue 101

Today's Topics:

Infected networks (PC)
Economic Impact Of Viruses
stoned/NDD (PC)
Re: Hoffman Summary & FPROT (PC)
Is This A Virus? (PC)
Re: Questions about "Disinfectant" (Mac).
Re: Help to remove Joshi from partition table (PC)
MIBSRV file listing - June 11, 1991 (PC)
Re: What is DOD?
CCCP Virus (Amiga)
Boot sector viruses on IDE drives
RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace'
Virus scanners (PC)
Protection evaluation with test virus: (PC)
Re: MS-DOS in ROM (PC)
Help to remove Joshi from partition table (PC)
----------------------------------------------------------------------

Date:    Tue, 11 Jun 91 10:52:14 -0400
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Infected networks (PC)

Last week I had occasion to disinfect another large network with the Jerusalem (not ours - an outside company). The traditional response is to take down the net, clean the server, and check all of the clients before reconnection. On reflection, this seemed inordinately inefficient so I came up with a new methodology which I offer for comment.

Note: this works for Jerusalem, Sunday, and non-stealth infections which infect an executable before allowing it to run - please be aware of this limitation up front.

The method was as follows:

a) take down net & clean server
b) remove non-essential applications
c) replace essential applications with a batch file that
   1) copies a clean selfcheck program from a writelocked directory
   2) runs the self check program
   3) runs the requested application

In this case I had such a self-check program (1400 bytes) that just checks its own length & checksum. If it passes, the program exits; if it fails, the client machine displays a warning message and is locked up.

In this manner, the server application files are protected from infection (they are never called by an infected client). Each client gets a new copy of the "goat" file so clean clients are not affected, and infected clients are identified.

Admittedly, this is a special case and directed to a small number of viruses, but they seem to be the most common.

Comments ?
Warmly,
Padgett

------------------------------

Date:    Tue, 11 Jun 91 16:23:49 -0500
From:    Juan Jose Perez Bueno
Subject: Economic Impact Of Viruses

We need information about the economic impact of viruses around the world, particularly damages produced to companies and/or users in Europe and U.S.A. We prefer information about lost job hours due to viruses. Please e-mail me directly. I'll summarize to the list.

Thanks in advance

Juan Jose Perez Bueno
Servicio de Informatica
Universidad Autonoma de Madrid
Ctra de Colmenar Km. 15
28049 Madrid (SPAIN)
Phone: +34 1 397 51 44

------------------------------

Date:    Tue, 11 Jun 91 08:39:16 -0700
From:    Eric_Florack.Wbst311@xerox.com
Subject: stoned/NDD (PC)

In a note stamped: Mon, 10 Jun 91 19:50:52 -0700, Rob Slade suggests:

=-=-=-=
A number of viral programs would fit this bill, the most obvious being the ubiquitous "Stoned". Check the boot sectors of your boot disks with your Norton utilities.
=-=-=-=

OUCH! I've had many reports that this is the best way to scramble the content of the disk, depending on what version of NDD you're using. Be careful on this one, Stan Orrell!

Eric Florack:Wbst311:Xerox

------------------------------

Date:    Tue, 11 Jun 91 10:07:41 -0600
From:    rtravsky@CORRAL.UWYO.EDU (Richard W Travsky)
Subject: Re: Hoffman Summary & FPROT (PC)

Ray Mann [Ray.Mann@ofa123.fidonet.org] writes:
> Richard Travsky was asking how come Patricia Hoffman's Virus Summaries
> keep making reference to only a very old and outdated version of
> F-PROT (v1.07), where the current version is v1.15, going for 1.16 and
> into v2.0 very soon:
>
> > Any reason why such an old version is used?
>
> My suspicion is that this is probably a result of some antagonism
> between Frisk and McAfee, whom Patricia Hoffman follows so closely.
> Frisk is a competitor...
_*IF*_ this is the case, then I would hate to see things take such a turn as "manipulating" the summary so as to make one package or another look good or bad. Once it is done to one package, what is to stop it from happening to another? And another? Will any package that offends be "punished" by making reference to old and less capable versions? (Or "punished" in some other manner?) The summary is an informative and valuable compilation of virus data. We users can only lose by seeing it prejudiced by mere commercial concerns. Must I be reduced to viewing the summary with a grain of salt?

Richard Travsky
Division of Information Technology     RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668

------------------------------

Date:    Tue, 11 Jun 91 19:13:46 +0000
From:    gburlile@magnus.acs.ohio-state.edu (Greg Burlile)
Subject: Is This A Virus? (PC)

Recently our department has had some problems with all of the files in the root directory being erased (even the hidden system files). This happened about a week ago to one of our PCs and to two of our PCs today! I used the files that come with F-PROT, which is site licensed here, and could not find anything (F-PROT version 1.13). Is this a virus? I would appreciate any suggestions. Help!

------------------------------

Date:    11 Jun 91 19:36:40 +0000
From:    ebates@madvax.uop.edu
Subject: Re: Questions about "Disinfectant" (Mac).

firmiss@cae.wisc.edu writes:
>I've been using Disinfectant since version 1.6 and I've had a few
>questions I've wanted to ask for quite a while.
>
>1. I believe since version 2.0, Disinfectant had the ability to install
>   a protection INIT. The thing is only 5k... What does it DO?...
>   Does it just give a warning if something is being infected?
>   What does it look for?

I'm not John Norstad, but I have seen the INIT function when I tried to run an infected program.
It displayed a dialog box stating that the application was infected and that I should run Disinfectant to get rid of the virus. The application never was started and it went back to the Finder.

> 2. I remember hearing that using Disinfectant AND the old virus protection
>    CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow rendered the
>    Disinfectant INIT useless or something to that effect).
>    Is it also a good idea to remove the INITs "KillVirus" (Icon is a
>    needle with the word nVIR next to it) and "Kill WDEF - virus INIT"
>    (Icon is just a standard document icon)? I know these are pretty old
>    too. (At least I don't have "Ferret" and "Kill Scores" and those other
>    related relics.)

I have not experienced these problems. The only virus protection/eradication we use in our student labs is Disinfectant 2.4 (and INIT) and Gatekeeper Aid 1.1. Gatekeeper Aid automatically removes WDEF A.

> 2a. Almost forgot... What about "SAM (TM) Intercept" INIT... I know it's
>     newer but do "SAM" and "Disinfectant" interfere with each other?

I have had no problems with Disinfectant and Gatekeeper Aid, and see no reason to go through the expense of SAM with all of this good, FREE stuff.

> My current version of Disinfectant is 2.4... Is this the most current
> one? I've had it for about 6 months now.

Yes, it's the most current version.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Edwin J. (Ed) Bates                     MADVAX Administrator/Postmaster
Technical Support Specialist            Internet: ebates@madvax.uop.edu
Office of Information Technology        AppleLink: U1441
University of the Pacific               Telephone: (209) 946-2251
Stockton, CA 95211                      Fax: (209) 946-2898

------------------------------

Date: Tue, 11 Jun 91 19:49:42 +0000
From: paul%parsifal@econ.YALE.EDU (Paul McGuire)
Subject: Re: Help to remove Joshi from partition table (PC)

CCA3607@SAKAAU03.BITNET writes:

> I try to use clean77 to remove it; I get the virus removed. I run the
> computer from new DOS. After I put the power off, when I started I find
> it again. Any help appreciated.
>
> Terry jawberh

You should examine the boot sector and see what else you can find. My symptoms were that I couldn't boot from the hard disk, and I found that I had been hit with Joshi and Stoned at the same time, and neither clean77 nor f-disinf (1.15) fixed it, though they both claimed that they had. (Immediately rerunning the respective program told me I was cured again.) I wound up doing a low level format, since I wasn't able to find a clean copy of the boot sector stashed away by either of them, and wasn't sure of what I was doing anyway.

General question: Is there some way of rewriting the boot record without doing a low level format, or using a disk editor or debugger? For that matter, what does one use to do a low level format? Real IBMs don't come with low level formatting software.

Paul McGuire
Yale Economic Growth Center

------------------------------

Date: Tue, 11 Jun 91 14:35:28 -0500
From: James Ford
Subject: MIBSRV file listing - June 11, 1991 (PC)

Here is a listing of files available on MIBSRV as of June 11, 1991. Please inform me of any outdated files you see on this list.
James Ford - JFORD@UA1VM.UA.EDU

============================= cut here ===================================
00uploads/    innoc5.zip    uudecode.bas  vcheck11.zip  vsum9105.txt
0REVIEWS/     m-disk.zip    uudecode.doc  vcopy77.zip   vsum9105.zip
0files.9106   navupd01.zip  uudecode.pas  vdetect.zip   vtac48.zip
INDEX.291     netscn77.zip  uuencode.pas  virpres.zip   wp-hdisk.zip
MsDosVir.291  pcvi4.zip     uxencode.pas  virsimul.zip  xxdecode.bas
MsDosVir.690  pkz110eu.exe  vacbrain.zip  virstop.zip   xxdecode.c
MsDosVir.790  scanv77.zip   vaccine.zip   virusck.zip   xxencode.c
avs_e224.zip  secur222.zip  vaccinea.zip  virusgrd.zip  xxencode.cms
clean77.zip   sentry02.zip  validat3.zip  vkill10.zip   zzap54a.zip
fp-115a.zip   trapdisk.zip  validate.crc  vshell10.zip
fshld15.zip   unvir902.zip  vc140cga.zip  vshld77.zip
htscan12.zip  uu-help.text  vc200ega.zip  vstop54.zip

------------------------------

Date: Tue, 11 Jun 91 20:24:53 +0000
From: patel@mwunix.mitre.org (Anup C. Patel)
Subject: Re: What is DOD?

nautilus@jec310.its.rpi.edu (John M Twilley) writes:

> NCKUS089@TWNMOE10.BITNET (Mac Su-Cheong) writes:
>
> > May someone please give me information on DOD Computer Security Center?
> > Is it possible to get reports or papers of DOD?
>
> DOD stands for the United States Department of Defense.
>
> I am pretty sure that they publish unclassified information on
> virii, but I wouldn't know where to find it.

These are some of the documents I received from the NCSC (National Computer Security Center) several years ago. More info on NCSC follows. If anyone wants to contact the NCSA, I could dig up their phone number. Most of the documents listed below are at least 4-6 years old.

Department of Defense (DOD) documents:
======================================
"Department of Defense Standard: Department of Defense Trusted Computer System Evaluation Criteria"
"Department of Defense: Password Management Guideline"
"Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments"
"Technical Rationale Behind CSC-STD-003-085 (see above): Computer Security Requirements"

National Security Agency (NSA) documents:
=========================================
"Information Systems Security: Products and Services Catalogue"
"Computer Security Subsystem: Interpretation of the Trusted Computer System Evaluation Criteria"
"Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria"
"Design Documentation in Trusted Systems"
"Configuration Management in Trusted Systems"
"Glossary of Computer Security Terms"
"Discretionary Access Control in Trusted Systems"
"A Guide to Understanding Audit in Trusted Systems"
"Personal Computer Security Considerations"

**************************** Reprinted from the ****************************
****************************  Computer Library  ****************************
Book: The Computer Glossary (The Electronic Version)
* Full Text COPYRIGHT The Computer Language Co. Inc. 1990.
-----------------------------------------------------------------------------
Term: NCSC
Author: Freedman, Alan.
-----------------------------------------------------------------------------
(National Computer Security Center) An arm of the U.S. National Security Agency that defines criteria for trusted computer products. The security levels in its Orange Book (Trusted Computer Systems Evaluation Criteria, DOD Standard 5200.28) follow. Each level adds more features and requirements.

D - Non-secure system.

Level C provides discretionary control. The owner of the data can determine who has access to it.
C1 - Requires user log-on, but allows group ID.
C2 - Requires individual user log-on with password and an audit mechanism.

Levels B and A provide mandatory control. Access is based on standard DOD clearances.
B1 - DOD clearance levels.
B2 - Guarantees path between user and the security system. Provides assurances that system can be tested and clearances cannot be downgraded.
B3 - System is characterized by a mathematical model that must be viable.
A1 - System is characterized by a mathematical model that can be proven. Highest security.

----------------------- End of Document ----------------------

------------------------------

Date: 11 Jun 91 17:14:59 +0000
From: Tom Carter
Subject: CCCP Virus (Amiga)

Recently discovered the CCCP virus on one of my disks on 4 files. I am unfamiliar with this virus but was able to detect and (I hope) eradicate it by deleting the infected files and re-installing them off my WB disk. Can some virus wizard tell me about this virus and what it does? How bad is it?

Also had Smily Cancer Virus a while back and, thanks to advice found here, used MVK to get rid of that. Are there any other Virus Killer/Checkers which will detect SC? Thanx.

------------------------------

Date: Tue, 11 Jun 91 11:00:33
From: johnboyd@logdis1.oc.aflc.af.mil (John Boyd;LAHDI)
Subject: Boot sector viruses on IDE drives

It recently occurred to me that we get rid of most boot-sector viruses by routinely doing a low-level format on a drive. However, this is not possible on an IDE drive. So the question becomes: for an IDE drive, what DO you do to get rid of a boot sector virus?

And yes, I am constantly telling the users that I support that they really should be scanning everything first, even before doing a directory, and all the other prudent precautionary steps, so hopefully we won't have a problem, but you know how that works.

------------------------------------------------------------------------
Text contained herein is my personal opinion.
This is not to be interpreted in any way as a position or statement of the DOD, USAF, or any other person or entity other than myself.

------------------------------

Date: Tue, 11 Jun 91 11:54:03 -0400
From: "Richard Budd"
Subject: RE: Frisk's comment in V4 #99 on 'The Bulgarian Menace'

Juergen Olsen writes in VIRUS-L Digest V4 #100:

> How about making the thing political? If 'certain countries' expect
> 'other countries' - e.g. (ours) to financially bail them out of up to
> 74 years of infrastructural mismanagement we could at least demand
> that they kill their virus factories before we open our purses!!

To take a page out of the computer underground, wouldn't it be more productive to incorporate these 'virus factories' as part of the research into computer viruses? It could become both a source of income for nations like Bulgaria and a source of employment for bored or out-of-work programmers.

=========================================================================
Richard Budd                  | Internet: rcbudd@rhqvm19.vnet.ibm.com
VM Systems Programmer         | Bitnet  : klub@maristb.bitnet
IBM - Sterling Forest, NY     | Phone   : (914) 578-3746
=========================================================================

------------------------------

Date: Tue, 11 Jun 91 11:32:00 -0500
From:
Subject: Virus scanners (PC)

My PC was in the repair shop and I got a call from the guy there stating that there is a virus on my hard drive. I do not know what kind of virus it is. Can someone recommend a good virus scanner I can use to remove this virus? Thanks

-Payam
ACCPHH@HOFSTRA.bitnet

------------------------------

Date: 11 Jun 91 21:45:13 +0000
From: Dennis Hollingworth
Subject: Protection evaluation with test virus: (PC)

Protection evaluation with test virus.
Posted for Dan Hirsh (818) 505-2285

I tested McAfee's SCAN77 using Rosenthal Engineering's new release of Virus Simulator (I've seen it posted as VIRSIM11.COM on EXEC-PC, Compuserve and others). It seems that SCAN77 misses three boot sector viruses that SCAN76 found on the same disk. Both versions of SCAN found nine viruses in the .COM, four in the .EXE and seven in the test memory virus. THESCAN, F-FCHK and VIRX also found the test viruses, but Norton's Anti Virus couldn't find anything.

There's been a number of postings about scanner producers bragging that their scanners search for more viruses than the next guys. Well, it's not how many viruses your scanner looks for that counts.... It's how many you can find!

------------------------------

Date: Tue, 11 Jun 91 21:10:44 -0700
From: jesse%altos.Altos.COM@vicom.com (Jesse Chisholm AAC-RJesseD)
Subject: Re: MS-DOS in ROM (PC)

padgett%tccslr.dnet@mmc.com (Padgett Peterson) writes:

| "William Walker C60223 x4570" writes:
|
| > We're writing from two different premises. Padgett is writing about
| > MS-DOS actually running from ROM, while I'm writing about the DOS
| > files, and the boot disk itself, being in ROM (a ROM-disk, as opposed
| > to a RAM-disk). ... The method of booting from
| > a ROM-disk (with an infection-proof boot sector and system files),
| > which I wrote about, is not implemented at this time, to the best of
| > my knowledge.

Acer America in joint venture with Smith Corona has recently marketed a small 286 PC that has a ROM cartridge that is used as a ROM disk. SCC sells it as a PWP-100 (Personal Word Processor) and the software looks a lot like their earlier WP machines. This is the first in a product line that has MS-DOS on ROM cartridge. Not all of DOS, just enough to boot. (IO.SYS, MSDOS.SYS, COMMAND.COM, AUTOEXEC.BAT, CONFIG.SYS, and maybe SHARE.EXE, HIMEM.SYS, ANSI.SYS, ..., and the WP software)

| While I follow the premise better now, what you are talking about is
| what I referred to in the third option - somehow swapping ROM
| addresses for RAM addresses or possibly a "page frame" approach such
| as used for expanded memory. It will take a special BIOS driver to
| accommodate just like a RAM-disk requires a special driver and the data
| areas will have to stay resident somewhere. The point is that there
| are a finite number of addresses available and if some are used for
| ROM then there are that many less for RAM unless some extra memory
| management scheme is used such as that used for "shadow RAM" on 386s -
| not difficult but requires a few extras.

Acer's method doesn't use up RAM addresses, since the ROM card is seen as a read-only hard disk. The ROM card itself does use some I/O card address space since it is considered an expansion card by the hardware.

| The point I was trying to make was that even with this type of
| mechanism, the same holes exist in MS-DOS as did before. Some have
| been moved (e.g. the first attackable point) so that specific
| malicious software will be thwarted, but the hole still exists and
| will just be exploited in the next crop. There is still NO integrity
| management in MS-DOS.

Sad but true.

Jesse Chisholm            | Disclaimer: My opinions are rarely understood, let
jesse@altos86.altos.com   | alone held, by this company.
jesse@gumby.altos.com     | tel: 1-408-432-6200   fax: 1-408-435-8517
========
This company has officially disavowed all knowledge of my opinions.
--
"Question Authority!" -- Wallace Stegner
"And that's an order!"

------------------------------

Date: Tue, 11 Jun 91 23:24:55 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Help to remove Joshi from partition table (PC)

CCA3607@SAKAAU03.BITNET writes:

> I try to use clean77 to remove it; I get the virus removed. I run the
> computer from new DOS. After I put the power off, when I started I find
> it again. Any help appreciated.
>
> Terry jawberh
> cca3605@sakaau03.bitnett

I would suggest a slight reordering of your disinfection procedure.

1) Boot from a known, clean, write protected system floppy disk.
2) Then run CLEAN/FPROT/whatever to remove the infection.
3) Test your system again, and redo if necessary.
4) Reboot.

=============
Vancouver Institute for Research into User Security    p1@arkham.wimsey.bc.ca
Canada V7K 2G6                                         Robert_Slade@mtsg.sfu.ca
                                                       (SUZY) INtegrity
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 101]
******************************************

Date: Thu, 13 Jun 91 11:15:12 EDT
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #102
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Thursday, 13 Jun 1991    Volume 4 : Issue 102

Today's Topics:

Re: Questions about "Disinfectant" (Mac).
Virus detection & removal (PC)
Possible Virus? (PC)
Re: Removing Azusa (was: Hong Kong on...) (PC)
Dave Barry's definition of a computer virus
Re: Is there a 1024 virus? (PC)
Re: Hypercard Antiviral Script? (Mac)
F-PROT 1.16 (PC)
Re: Protection evaluation with test virus: (PC)
Is there a 1024 virus? (PC)
Re: Hypercard Antiviral Script? (Mac)
Ws and Ps now you see em.... (PC)

----------------------------------------------------------------------

Date: Wed, 12 Jun 91 03:22:00 -0500
From: Big fish man on hippocampus
Subject: Re: Questions about "Disinfectant" (Mac).

firmiss@cae.wisc.edu writes:

> I've been using Disinfectant since version 1.6 and I've had a few
> questions I've wanted to ask for quite a while.
>
> 1. I believe since version 2.0, Disinfectant had the ability to install
>    a protection INIT. The thing is only 5k... What does it DO?...
>    Does it just give a warning if something is being infected?
>    What does it look for?

If the virus is in an application, then an alert is displayed saying Disinfectant INIT found a virus and that it should be removed with Disinfectant. It will not let the program run. If the virus is in the Desktop, a similar alert will be shown, the Finder will run, but the virus will be "contained," kept from furthering the infection. This INIT only checks applications when they are run and does not check documents (i.e. Hypercard stacks).

> My current version of Disinfectant is 2.4... Is this the most current
> one? I've had it for about 6 months now.

As far as I know...

--
Tony Maimer
maimer@kuhub.cc.ukans.edu

------------------------------

Date: Wed, 12 Jun 91 09:30:56 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Virus detection & removal (PC)

> Just that our experience that I wished to share was that with a
> checksummer in place and use of SCAN, you can end up with every last
> EXE/COM file on your hard disk looking very sick indeed.
>
> Mike Lawrie
> Director Computing Services, Rhodes University, South Africa

I agree, such activity is possible, which is why I recommend that techs be properly trained (ours get two full days) before being allowed to work on suspected viruses. CHKDSK & DEBUG are powerful tools in trained hands, as are MANIFEST, MEM, & MAPMEM. Scanners are very good automated tools for problems they have seen before and can take care of 98% of our problems; the other 2% just have to be handled manually - see below.

--------------------------------------------------------------------

> From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
> Subject: Re: Hong Kong on MircoTough dist. disks (PC)
>
> One thing that Mr. Doss forgot to mention is that although Central
> Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy,
> it cannot remove the virus from a hard drive. The only way to
> disinfect a hard drive is to redo the low level format because the
> virus infects the boot sector and the dos partition. A high level
> format will not remove the virus, nor will simply removing the dos
> partition with the fdisk program.

NO, NO, a thousand times NO! I have never seen an infection that requires low level formatting (besides, on some newer disks you can't). Azusa is one of the easier to remove (believe I posted instructions some time ago) - certainly easier than the MusicBug which can also be removed. If the problem is understood, formatting is never necessary. Azusa can be removed just using debug if you know what you are doing. Just because one generic tool does not know how to do it does not mean it cannot be done.
Warmly, Padgett

------------------------------

Date: Wed, 12 Jun 91 11:02:12 -0400
From: evans@aplcen.apl.jhu.edu (R. B. Evans)
Subject: Possible Virus? (PC)

I have a Packard Bell 286 with the following problem: Every once in a while (50-300 characters typed) a character typed at the keyboard doesn't seem to *make it* to the PC, and instead produces an audible beep. In addition, the keyboard occasionally shifts into a mode where the SHIFT key is being held down (types !@# instead of 123), but the shift key has not been hit, so is not physically sticking.

Packard Bell Technical Support has been unable to fix the problem. They have replaced three keyboards, two motherboards, and one power supply in their *troubleshooting* efforts. With all this hardware replaced, I suspect a possible virus, but Scan V77 shows no viruses found. If anyone has any ideas as to how to fix this annoying problem, please E-mail me your suggestions/ideas.

Thanks in advance,
Robert Evans
evans@aplcen.apl.jhu.edu

------------------------------

Date: 12 Jun 91 11:12:51 -0400
From: "David.M.Chess"
Subject: Re: Removing Azusa (was: Hong Kong on...) (PC)

> From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
> The only way to
> disinfect a hard drive is to redo the low level format because the
> virus infects the boot sector and the dos partition.

A low-level format is certainly not the *only* way to fix an Azusa-infected hard disk. Any program that can write a valid boot record to the partition-table area (preserving the partition information and just fixing the code) will remove the virus from the execution stream, and (since the Azusa uses only the partition table area on a hard disk, and no sectors in the DOS partition or anywhere else) that will disinfect the disk very nicely...

DC

------------------------------

Date: Wed, 12 Jun 91 11:47:33 -0400
From: Joe McMahon
Subject: Dave Barry's definition of a computer virus

Dave Barry's column in the Sunday Washington Post, "Our Friend the Computer", has the following definition of a computer virus:

"...You have probably read about computer viruses, which computers get when they're left uncovered in drafty rooms. This is bad, because if you're working on an infected computer, it will periodically emit electronic sneezes (unfortunately not detectable with the naked eye) and you'll be showered with billions of tiny invisible pieces of electronic phlegm, called "bytes", which penetrate into your brain and gradually make you stupid..."

--- Joe M.

------------------------------

Date: 12 Jun 91 17:28:33 +0000
From: chris@renoir.teradyne.com (Chris Maslyar)
Subject: Re: Is there a 1024 virus? (PC)

> > Can anyone suggest an explanation of our observation on several
> > computers (various IBM pc types) of a result from chkdsk of 654336
> > bytes of total memory?
>
> A number of viral programs would fit this bill, the most obvious being
> the ubiquitous "Stoned". Check the boot sectors of your boot disks with
> your Norton utilities.

I noticed this 654336 anomaly as well. Unfortunately (fortunately?) SCAN V7.2V77 didn't find a culprit, and Norton utilities came up blank when I searched for "Stoned". I'll spare you the details of the painful steps taken to arrive at my solution to say that: Some PC/AT computers give the user an option to place 1K of BIOS into base memory, subsequently reducing the size of memory to (you guessed it) 654336. You may want to look for this option BEFORE you format your disks :)

Good Luck
Chris
chris@attain.teradyne.com

------------------------------

Date: Wed, 12 Jun 91 19:31:35 +0000
From: EIVERSO@cms.cc.wayne.edu
Subject: Re: Hypercard Antiviral Script? (Mac)

Your best defense is locking your home stack, or constantly searching your home stack for script modifications.
You can try editing the script of a stack before opening it, but the virus might be in any object in the new stack. Even though you can check the params of a set command for the word "script", no unlocked stack will be safe until Apple prevents using the set command in an end to HyperCard. I'd elaborate, but wouldn't feel right about explaining how to commit sabotage.

--Eric

------------------------------

Date: Wed, 12 Jun 91 23:23:11 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT 1.16 (PC)

Well - F-PROT 1.16 is out... It was delayed a bit, as unusually many viruses have arrived in the past three weeks...

Version 1.16 added the following features:

Detection, but not disinfection of 27 new viruses:

    200
    268-plus
    483
    Bad Boy
    Cascade - 2 new variants: Formiche and JoJo-1703
    Darth Vader (4 variants)
    Diamond - 4 new variants: Damage, Damage-B, David and Greemlin
    Eddie - new variant: MIR
    Fingers 08/15
    Hero
    Leech
    Murphy - 4 variants: Cemetery, Kamasya, Migram-1 and Migram-2
    Stardot
    Swiss-143
    VCS 1.0
    Warrior
    Witcode

Detection and removal of 85 new viruses:

    1024-PrScr
    1575-B (alias 'Greencat-2')
    Backtime
    Bljec - 7 variants: Bljec-3, Blec-4, Bljec-5, Bljec-6, Bljec-7, Bljec-8, Bljec-9
    Boys
    CARA
    Casino
    Cinderella
    Demon (overwriting)
    Diamond - new variant: Lucifer
    Eddie - 4 new variants: 1028, 1801, Apocalypse-2 and Zeleng
    ETC
    Frog
    Horse (alias 'Naughty Hacker') - 8 variants: Horse-1, Horse-2, Horse-2B, Horse-3, Horse-4, Horse-5, Horse-6, Horse-7
    Incom
    Jerusalem - 6 new variants: Apocalypse, Carfield, Discom, GP1, Phenome and Skism
    Keypress-1228
    Kiev-483
    Little Pieces
    Magnitogorsk - new variant: 2048
    MG - new variant: MG-1A
    Minimal-30
    Murphy - 11 new variants: AntiChrist, Diabolik, Erasmus, Finger, Goblin, Guru, Murphy-3, Murphy-4, Pest, Smack-1835 and Smack-1841
    Mutant - 3 variants
    Old Yankee - new variant: Bandit
    PcVrsDs
    Pixel - 11 new variants: 257, 275, 283, 295, 779, 837, 850, 854, 877, 892, 936
    Raubkopi
    Sparse
    Striker #1
    Sylvia-B (previously identified as Sylvia)
    Tequila
    Tumen - 2 variants: 0.5 and 2.0
    USSR-311
    Vienna - 2 new variants: Arf and Vienna-645
    WWT - 2 variants: WWT-01 and WWT-02 (overwriting)
    Yaunch (alias 'Wench')
    Yukon (overwriting)
    ZK-900

Disinfection of the following viruses, which were detected in earlier versions:

    Faust (alias Chaos) (previously called 'Spyer')
    Form

The following names have been changed, in an attempt to reduce the incredible confusion in the virus naming area.

    1075      --> DBF blank
    June 4th  --> Bloody!
    Spyer     --> Faust
    Turku     --> Keypress

The following bugs/problems have been fixed:

The signature for the 1049 virus has been changed, as it could cause a false alarm in the 386COM.SYS file.

F-FCHK would not detect all the possible mutations of the Whale virus in .COM files, although all infected .EXE files were found. This has been corrected.

Occasional very long delays when some programs, such as SORT.EXE in DOS 4.0, were run have been eliminated.

F-OSCHK will now correctly handle the case where a checksum evaluates to 0, as 0 previously meant "ignore". Instead the string ----- is now used when a checksum should be ignored.

When F-DRIVER and F-NET were in use, Novell "execute-only" programs could sometimes not be executed. This has been corrected.

F-DRIVER would on some computers fail to detect some boot sector viruses if it was loaded into high memory (above 640K). This has been corrected - LOADHI etc. should now work without problems.

F-FCHK will now indicate if a program has been compressed by DIET 1.10, ICE 1.01 or EXEPACK. This warning only indicates that a virus could possibly have been hidden in the program before it was packed - not that anything appears to be wrong.

A new file has been added with information on Trojans and "Joke" programs, often found in virus collections. Those programs are not a threat like viruses - but some of my competitors detect them, so....

/QUERY switch added to F-FCHK. If it is used, F-FCHK will ask if it should disinfect any infected files - this used to be the default.

A conflict has been reported between F-DRIVER and Desqview, and I am trying to determine if a problem exists.

-frisk

------------------------------

Date: Wed, 12 Jun 91 23:50:07 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Protection evaluation with test virus: (PC)

holly@fifi.isi.edu (Dennis Hollingworth) writes:

> Posted for Dan Hirsh (818) 505-2285
>
> I tested McAfee's SCAN77 using Rosenthal Engineering's new release of
> Virus Simulator (I've seen posted as VIRSIM11.COM on EXEC-PC,
> Compuserve and others). It seems that SCAN77 misses three boot sector
> viruses that SCAN76 found on the same disk. Both versions of SCAN
> found nine viruses in the .COM, four in the .EXE and seven in the test
> memory virus.

[rest of message deleted...]

Rosenthal Engineering's VIRSIM program is a string-based virus simulator. As such, only scanners that use the same strings that VIRSIM uses will detect its "viruses." We regularly adjust our strings, so this is why V76 would report viruses that V77 did not.

Regards,
Aryeh Goretsky
McAfee Associates Technical Support

--
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: 12 Jun 91 19:30:42 -0400
From: Arthur Buslik <74676.2537@CompuServe.COM>
Subject: Is there a 1024 virus? (PC)

Stan Orrell writes:

"Can anyone suggest an explanation of our observation on several computers (various IBM pc types) of a result from chkdsk of 654336 bytes of total memory?"

As Rob Slade suggests, one possibility is a virus. However, a much more likely possibility is that the computers have extended bios data areas. (See, e.g., "The New Peter Norton Programmer's Guide to the IBM PC & PS/2", 2nd edition, 1988, page 62.)

INT 15H, AH=C0H will return ES:BX as the segment:offset of a configuration table. The fifth byte of this configuration table gives configuration flags. Bit 2 of this byte is set if an extended Bios data area is allocated. Moreover, INT 15H, AH=C1H will return the segment address of the base of the extended bios area. The word at 0040:0013H is modified to reflect the reduced amount of memory available to programs. This is what chkdsk returns as "bytes total memory", and also what INT 12H returns in AX.

On my COMPAQ 386/20e at work, I obtain the following when I use DEBUG:

    -a100
    1AFA:0100 mov ah,c0
    1AFA:0102 int 15
    1AFA:0104
    -g104

    AX=0000  BX=E6F5  CX=0000  DX=0000  SP=FFEE  BP=0000  SI=0000  DI=0000
    DS=1AFA  ES=F000  SS=1AFA  CS=1AFA  IP=0104   NV UP EI PL ZR NA PE NC
    1AFA:0104 0000          ADD     [BX+SI],AL                      DS:E6F5=6E
    -df000:e6f5 l 9
    F000:E6F0                 08 00 FC-01 00 74 00 00 00              .....t...

The configuration flag byte is 74H=01110100B, and since bit 2 is set, my machine has an extended bios data area allocated. Moreover, using DEBUG again, this time for INT 15H, AH=C1H, I obtain:

    -a100
    1C6B:0100 mov ah,c1
    1C6B:0102 int 15
    1C6B:0104
    -g104

    AX=C100  BX=0000  CX=0000  DX=0000  SP=FFEE  BP=0000  SI=0000  DI=0000
    DS=1C6B  ES=9FC0  SS=1C6B  CS=1C6B  IP=0104   NV UP DI NG NZ AC PO NC
    1C6B:0104 7205          JB      010B
    -d9fc0:0
    9FC0:0000  01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

etc., all following bytes being zero.

My machine has 1Kb of memory reserved, at the top of memory, for an extended bios data area. The first byte gives the number of Kb of memory reserved. On my machine all the other bytes are zero, whenever I look at them with DEBUG. (I don't know what they are when I don't look at them.)

For what it is worth, the machines at work which have the extended bios data area implemented, and for which chkdsk returns 639K total memory, all have a socket in the back for a bus mouse.
Art Buslik

------------------------------

Date: Thu, 13 Jun 91 00:49:47 +0000
From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: Hypercard Antiviral Script? (Mac)

I said I was going to rewrite my scripts to handle new trojans/viri, however I am trying to consider some options. The main problem is that there is no way to catch the parameters of the SET function in HC 2.1. So, while I play with different virus scenarios (i.e. writing ones that I think will do certain things, using certain HC resources), I want to try and find some common link between them.

The answer, then, will be unable to intercept and stop infection, but will have to work beforehand. The problem with this is that a field of all stacks that have been checked needs to be kept, and every time that a stack is opened, the field must be examined to see if this particular stack has been checked. However, the problem with that is that existing checked stacks may have been infected and will thus escape detection. So, while my solution appears to be the simplest (i.e. check all stacks to begin with then keep a running list), the time spent by the user seems to be very long.

So, the story on this is: unless there seems to be some need/desire emerge for a new stack/utility to do this work, I'm moving slowly. As I said before, if anyone else feels like beating me to the punch with a solution of their own, feel free - but don't you DARE charge $$ for it.

Mikey.
Mac Admin
WSOM CSG
CWRU
mike@pyrite.som.cwru.edu

------------------------------

Date: 11 Jun 91 21:53:35 +0000
From: Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer)
Subject: Ws and Ps now you see em.... (PC)

The following problem has occurred on our network over the past two days:

On Monday, a user showed us two printouts from WordPerfect 5.1 (Network version) printed from the same document about 5 minutes apart. She swears she made no changes to the document between the two printouts.
On one printout all the Bitstream Dutch 11 point (we use Bitstream fonts on HP Laserjet II printers) 'w's (upper and lower case) were missing (i.e. replaced by relatively narrow blank spaces). On the 2nd printout, the 'w's were all there. At the top of the document, a large capital W using a different font appeared in both printouts. It is a one-page document.

Today the same sort of thing happened to another user on a different PC using Lotus 2.01 networker. This time the 'p's were missing from one printout but not another of the same spreadsheet.

We are using Novell Netware 2.15C on an internet with a 3.1 server. These incidents happened to people who were using the 2.15C to store their data files and the application software. We are using Printer Assist from Fresh Technologies to print to the laser printers. The two incidents involved different printer servers and printers as well as different PCs. Both PCs used DOS 3.3.

I scanned the network and both PCs involved using McAfee's SCAN version 77 but turned up no indication of any virus infection. To the best of my knowledge, this is the first time anything like this has happened on our network. No, I am not sure this is a virus, but it seems the kind of thing that malicious code might do. If anyone has any ideas as to what may be going on here, I would be grateful to hear them.

- - Ullrich Fischer@mindlink.bc.ca (Let's just have 1 line signatures eh?)
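[Editor's added example, placed at the end of this digest issue. It is not code from any VIRUS-L contributor; it works through the "Is there a 1024 virus?" diagnosis that Art Buslik did by hand with DEBUG earlier in this issue. The inputs are the values a reader would capture with DEBUG: the word at 0040:0013H (what INT 12H returns), the configuration table returned by INT 15H AH=C0H, the segment returned by INT 15H AH=C1H, and a dump of the reserved region at the top of conventional memory. The Compaq figures are the ones quoted in Buslik's post; the other two dumps are constructed for the example and represent no real virus, and the 95% zero-fill threshold used to separate "data" from "code-like" contents is an assumption. A BIOS that reserves memory without advertising it through INT 15H ends up in the "unexplained" verdicts, to be checked against the vendor, rather than being labelled a virus.]

```python
"""Classify a CHKDSK 'bytes total memory' shortfall from DEBUG captures.

Added example (editor's code, not from a VIRUS-L post). Reproduces the
arithmetic and the INT 15H checks from Art Buslik's post in Python so the
same reasoning can be applied to saved dumps.
"""

CONVENTIONAL_KB = 640   # what 0040:0013H / INT 12H report with nothing reserved
EBDA_FLAG = 0x04        # bit 2 of the INT 15H AH=C0H feature byte
ZERO_FILL_THRESHOLD = 0.95  # assumption: above this the region is "just data"


def chkdsk_total_bytes(int12_kb):
    """CHKDSK's 'bytes total memory' is the 0040:0013H word times 1024."""
    return int12_kb * 1024


def ebda_flag_set(config_table):
    """INT 15H AH=C0H returns ES:BX -> a table laid out as: 2-byte length,
    model, submodel, BIOS revision, then the feature byte (offset 5 in a
    DEBUG dump). Bit 2 of the feature byte: extended BIOS data area present."""
    if len(config_table) < 6:
        return False
    return bool(config_table[5] & EBDA_FLAG)


def explain_top_of_memory(int12_kb, config_table=b"", ebda_segment=None, region=b""):
    """Return (verdict, detail) for memory reported below 640 KB.

    int12_kb      word at 0040:0013H (INT 12H result)
    config_table  bytes at ES:BX after INT 15H AH=C0H (empty if the call failed)
    ebda_segment  ES after INT 15H AH=C1H, or None if the BIOS lacks that call
    region        dump of the reserved area itself (from int12_kb*1024 upward)
    """
    missing_kb = CONVENTIONAL_KB - int12_kb
    if missing_kb <= 0:
        return ("ok", "nothing reserved below 640 KB")

    # A genuine EBDA starts exactly where INT 12H says usable memory ends
    # (segment = bytes / 16) and its first byte is its own size in KB.
    expected_segment = (int12_kb * 1024) // 16
    if (ebda_flag_set(config_table) and ebda_segment == expected_segment
            and region and region[0] == missing_kb):
        return ("ebda", f"{missing_kb} KB extended BIOS data area at "
                        f"{ebda_segment:04X}:0000 accounts for the shortfall")

    # Not advertised by the BIOS: look at the contents, as a boot-sector virus
    # that lowers INT 12H keeps its code in the area it hides.
    if region:
        zero_fraction = region.count(0) / len(region)
        if zero_fraction >= ZERO_FILL_THRESHOLD:
            return ("unexplained-data", f"{missing_kb} KB reserved, almost all "
                                        "zero: ask the BIOS vendor what it is")
        return ("unexplained-code", f"{missing_kb} KB reserved with non-zero "
                                    "contents: inspect for a resident virus")
    return ("unexplained", f"{missing_kb} KB reserved, no dump of the area")


# Constructed from the values in the post: Compaq 386/20e reporting 639 KB,
# feature byte 74H, EBDA at 9FC0:0000 whose first byte is 01 (1 KB), rest zero.
COMPAQ_CONFIG = bytes.fromhex("0800FC010074000000")
COMPAQ_EBDA = bytes([0x01]) + bytes(1023)

# Constructed, not any real virus: 2 KB hidden with no INT 15H advertisement.
SUSPECT_REGION = bytes([0xEA, 0x05, 0x00, 0xC0, 0x07, 0x90]) * 341

# Constructed: a BIOS that quietly reserves 4 KB of zero-filled RAM.
QUIET_BIOS_REGION = bytes(4096)

if __name__ == "__main__":
    cases = [
        ("Compaq 386/20e", 639, COMPAQ_CONFIG, 0x9FC0, COMPAQ_EBDA),
        ("hidden code", 638, bytes(9), None, SUSPECT_REGION),
        ("quiet BIOS", 636, bytes(9), None, QUIET_BIOS_REGION),
    ]
    for name, kb, cfg, seg, dump in cases:
        verdict, detail = explain_top_of_memory(kb, cfg, seg, dump)
        print(f"{name:16} CHKDSK={chkdsk_total_bytes(kb)}  {verdict}: {detail}")
```

The Compaq case reproduces Buslik's 654336-byte figure and is explained by the EBDA; the two constructed cases show why a shortfall alone is not a diagnosis and what a practitioner would look at next.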
------------------------------ End of VIRUS-L Digest [Volume 4 Issue 102] ****************************************** 17-Jun-91 14:25:32-GMT,21026;000000000001 Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA21049; Mon, 17 Jun 91 10:25:29 EDT Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA10265; Mon, 17 Jun 91 10:25:18 EDT Message-Id: <9106171425.AA10265@remus.rutgers.edu> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 7728; Mon, 17 Jun 91 10:19:44 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 6280; Mon, 17 Jun 91 10:19:16 EDT Date: Mon, 17 Jun 91 10:14:35 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #103 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L VIRUS-L Digest Monday, 17 Jun 1991 Volume 4 : Issue 103 Today's Topics: Re: Hong Kong on MircoTough dist. disks (PC) re: Is there a 1024 virus? (PC) DOS 5 Fdisk (PC) Re: Hypercard Antiviral Script? (Mac) Request for info on BBS viruses, worms, etc Possible PC Virus (PC) Re: Virus scaners (PC) Re: Help With Frodo & Yankee Doodle (PC) Infected networks (PC) Re: Questions about "Disinfectant" (Mac). Getting register contents, etc. "on the fly." (PC) Problems removing Azusa (PC) Re: Is there a 1024 virus? (PC) Fprot v1.16 (PC) Why I didn't find the virus.exe (PC) Re: Hoffman Summary & FPROT (PC) New address and hostname for MIBSRV (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. 
Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 13 Jun 91 11:43:07 -0500
From: csfed@ux1.cts.eiu.edu (Frank Doss)
Subject: Re: Hong Kong on MircoTough dist. disks (PC)

dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon) writes:

>One thing that Mr. Doss forgot to mention is that although Central
> . . .
>it cannot remove the virus from a hard drive. The only way to
>disinfect a hard drive is to redo the low level format because the

For those of you with IDE hard drives, contact Seagate. They are selling Disk Manager (version 4.1 or later is needed) for $6.00. This version of Disk Manager will format the boot sector, partition table, and the data sections of the disk, but not the error table. You might want to ask Seagate and your vendors for details.

I am not endorsing Disk Manager, but merely reporting what Mr. Ebdon has reported as what worked for him. Thanks, Derek, for the reminder. I hope your machine is working much better now. ;-)

Frank E. Doss
Eastern Illinois University

------------------------------

Date: Thu, 13 Jun 91 12:52:56 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: Is there a 1024 virus? (PC)

>From: Arthur Buslik <74676.2537@CompuServe.COM>
>
>As Rob Slade suggests, one possibility is a virus. However, a much
>more likely possibility is that the computers have extended bios
>extended data areas.

This is certainly a viable alternative. However, if running DOS 4.0 or later, CHKDSK will "normally" detect this and return "655360" anyway.
A few years ago, when we received our first Compaq 386-20e, we discovered the same thing: 1k missing from the TOM, and DEBUG revealed it to be essentially zero-filled (obviously not executable). After much prodding, Compaq told us that it was a buffer area for the mouse driver and that there is a jumper on the motherboard that can be moved to restore the missing 1k.

Whenever a new machine comes in, it is a good idea to take some baseline data for later reference. For me, any time Int 12 is lowered, I check the memory area in question. If executable code is found, unless known, a look is taken at other system integrity areas for a reason. If nulled or obviously data, the manufacturer is called for an explanation (often a frustrating & time consuming experience).

Padgett
Somewhere West of Orlando

------------------------------

Date: 13 Jun 91 14:26:07 -0400
From: BARNOLD@YKTVMH.BITNET
Subject: DOS 5 Fdisk (PC)

Readers might want to play with an undocumented /MBR switch in DOS 5 FDISK. It appears to force FDISK to overwrite the code in a PC/PS2 master boot record, without touching the partition table, and in limited testing on a half dozen machines it succeeded in cleaning up machines infected with the Stoned, the Stoned 2, and the Joshi viruses. This was with the DOS 5 shipped by IBM, not Microsoft's DOS 5; can somebody please test MS-DOS 5?

The Joshi can't be removed this way unless it isn't active in memory. (e.g. cold boot from a write protected, uninfected bootable DOS 5 disk with a copy of FDISK on it.)

The command line syntax tested was FDISK /MBR

Bill Arnold
barnold@watson.ibm.com

------------------------------

Date: Thu, 13 Jun 91 18:38:36 +0000
From: EIVERSO@cms.cc.wayne.edu
Subject: Re: Hypercard Antiviral Script? (Mac)

Mike writes...

- ------------------------------------------------------------------
The main problem is that there is no way to catch the parameters of the SET function in HC 2.1.
- -----------------------------------------------------------------

I write...

According to the release notes, you can catch the parameters of a Set in HC 2.1. But that doesn't matter since a Send to HyperCard is untrappable.

Mike later writes...

- -----------------------------------------------------------------
The problem with this is that a field of all stacks that have been checked needs to be kept, and every time that a stack is opened, the field must be examined to see if this particular stack has been checked.
- ------------------------------------------------------------------

I write...

Unfortunately if the virus stack traps for the OpenStack Message it becomes harder to know when a new stack has been opened. You could have the user induce the checking procedure, but then it would be too late and your Home Stack script could be wiped out or other worse things could happen by then.

Mike again....

- --------------------------------------------------------------------
As I said before, if anyone else feels like beating me to the punch with a solution of their own, feel free - but don't you DARE charge $$ for it.
- --------------------------------------------------------------------

Me again...

The only solution seems to be, check your Home Stack periodically, or lock it, and always make backups of important stacks. Apple MUST prevent using a Set command within a Send to HyperCard or no stack will be safe!! Sounds scary doesn't it?

>Mikey.
>Mac Admin
>WSOM CSG
>CWRU
>mike@pyrite.som.cwru.edu

and me...

- --Eric

------------------------------

Date: Thu, 13 Jun 91 15:33:00 -0500
From: TK0JUT1@NIU.BITNET
Subject: Request for info on BBS viruses, worms, etc

We are putting together a list of viruses, worms, or trojan horses specifically aimed at BBS software or are capable of being implanted in a system through BBS procedures (e.g., new user information, uploading zip files).
We *ARE NOT* looking for viruses that are spread *on* BBSs by sharing of software, but rather for programs specifically designed to attack a system *using* BBS software, such as the recent bug in Telegard that allowed a user to access the system using zip files. We are trying to update a story for CuD.

Responses can be sent to: jthomas@well.sf.ca.us or tk0jut2@niu.bitnet

Jim Thomas / Sociology-Criminal Justice / Northern Illinois University

------------------------------

Date: Thu, 13 Jun 91 13:36:04 -0700
From: "robert c. morales" <7340P@NAVPGS.BITNET>
Subject: Possible PC Virus (PC)

I have a Packard Bell with an 80386X-16 MHz CPU. It runs on MS-DOS 4.01 and a Dosshell 4.0. Every time I do work on the computer (word processing, networking, games, etc.) DOS seems to create (on its own) a file, named numerically or alpha-numerically but in a random fashion, of about 15K in size (with a range of from 7K to 17K). When you try to view the file (which incidentally sits among the DOS files), you can make out that it is bits and pieces of what is on the hard drive.

Initially, it has not affected any other program on the hard drive. However, two days ago, the DOS files appeared to have replicated themselves with such names as EDLIN._OM and AUTOEXEC._AT, all of which were 77 bytes in size with the same dates and times. This necessitated reformatting the hard drive. Also, the Dosshell was removed from the AUTOEXEC.BAT. Right now, the problem seems to have been corrected, whatever it was.

Is anybody familiar with this problem? Most other resource people I have consulted about this have indicated that they have only heard about this on Packard Bell computers. Any tips?
Robert Morales
7340p@navpgs
7340p@cc.nps.navy.mil

------------------------------

Date: Wed, 12 Jun 91 23:57:53 -0700
From: msb-ce@cup.portal.com
Subject: Re: Virus scanners (PC)

In a recent VIRUS-L posting Dennis Hollingworth said:

> I tested McAfee's SCAN77 using Rosenthal Engineering's new
> release of Virus Simulator (I've seen posted as VIRSIM11.COM
> on EXEC-PC, Compuserve and others). It seems that SCAN77
> misses three boot sector viruses that SCAN76 found on
> the same disk. Both versions of SCAN found nine viruses
> in the .COM, four in the .EXE and seven in the test memory
> virus.

Since no real virus was present all of these "hits" could be regarded as false alarms, theoretically. We must be careful to distinguish what is being tested here. Just because a particular anti-viral product does not declare a particular test string to be a virus, we cannot say that the scanner has failed. A good case can be made for saying that the simulator failed. The only "test target" that can be used is the entirety of a virus, and at that point you no longer have a "simulator", you have the real thing.

Fritz Schneider

------------------------------

Date: Fri, 14 Jun 91 16:05:27 +0000
From: dave@nucleus (Dave Coder)
Subject: Re: Help With Frodo & Yankee Doodle (PC)

Alan@aj.ds.mcc.ac.uk (Alan Jones) writes:

> FRODO & YANKEE DOODLE
>
> Has anyone got any information on these two viruses.
> They have just arrived on the campus ( 2000+ computers ),

Norton Antivirus 1.0.0 gets both Yankee Doodle (various forms) and Frodo (4096). You can install as RAM-resident program to check incoming files. It works.

Dave
dcoder@milton.u.washington.edu

------------------------------

Date: Fri, 14 Jun 91 13:12:04 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Infected networks (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

> In this case I had such a self-check program (1400 bytes) that just
> checks its own length & checksum.
If it passes, the program exits, if
> it fails, the client machine displays a warning message and is locked
> up. In this manner, the server application files are protected from
> infection (are never called by an infected client). Each client gets a
> new copy of the "goat" file so clean clients are not affected, and
> infected clients are identified.

I have been reviewing a product from Bangkok called Victor Charlie that takes a similar approach. An intriguing concept. I hope to be able to release the review shortly.

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  |  computer, don't
Research into  (SUZY) INtegrity          |  turn it on."
User           Canada V7K 2G6            |  Richards' 2nd Law
Security                                 |  of Data Security

------------------------------

Date: Sat, 15 Jun 91 01:09:56 +0000
From: lunde@casbah.acns.nwu.edu (Albert Lunde)
Subject: Re: Questions about "Disinfectant" (Mac).

firmiss@cae.wisc.edu writes:

> 1. I believe since version 2.0, Disinfectant had the ability to install
> a protection INIT. The thing is only 5k... What does it DO?...
> Does it just give a warning if something is being infected?
> What does it look for?

It is small because it is written in assembly, with no configuration options. It tries to prevent virus infection from being successful, and issues an informative message via the notification manager. The means used to block infection vary according to the virus. Like Disinfectant it is effective against a list of known viruses, and tries to be specific enough to avoid false alarms. It does not scan files on every inserted disk for, say, nVIR.

> 2. I remember hearing that using Disinfectant AND the old virus
> protection CDEV(?) "Vaccine (TM) 1.0.1" was a bad idea (Vaccine somehow
> rendered the Disinfectant INIT useless or something to that effect).
> Is it also a good idea to remove the INITs "KillVirus" (Icon is a
> needle with the word nVIR next to it).
and "Kill WDEF - virus INIT"
> (Icon is just a standard document icon)? I know these are pretty old
> too. (at least I don't have "Ferret" and "Kill Scores" and those
> other related relics)

We are currently advocating that general users at Northwestern use only the Disinfectant INIT and not Vaccine or Gatekeeper Aid, and that they get periodic updates. The risk from unknown viruses seems balanced by the reduced grief to general users. The rate of virus spread is slow enough that this is workable.

Vaccine presents unclear messages, bombs on application startup under many real infections, is bypassed by other newer viruses and has a few minor bugs unrelated to viruses.

Gatekeeper Aid has occasionally removed the CODE resources from my running applications. Like the other Gatekeeper tools, I think it is useful for advanced users, but too paranoid and subject to false alarms for average Mac users. There is a tradeoff between detecting suspicious activity and being quiet and specific. (See discussion in the Disinfectant online help.)

I would not recommend "KillVirus" - it seems to be one of many early nVIR tools, that are not as generally effective as the Disinfectant INIT. I know nothing about "Kill WDEF - virus INIT", but it is not needed if you use the Disinfectant INIT.

> 2a. Almost forgot... What about "SAM (TM) Intercept" INIT... I know it's
> newer but do "SAM" and "Disinfectant" interfere with each other?

I think that these can co-exist, but I don't remember which takes priority.

> My current version of Disinfectant is 2.4... Is this the most current
> one? I've had it for about 6 months now.

Yes 2.4 is current - see John's prior post about it and system 7.

Albert Lunde - Northwestern University      This post represents neither NU
Albert_Lunde@nwu.edu                        or John Norstad

------------------------------

Date: Fri, 14 Jun 91 15:09:32 -0500
From: Paul Coen
Subject: Getting register contents, etc. "on the fly."
(PC)

If you want to find out what's in memory at a particular location, and you're lucky enough to be using a Zenith computer (at least, on every Zenith I've seen except the Eazy-PC -- it had a non-Zenith BIOS), you can press ctrl-alt-return (enter, whatever), at pretty much any time, and be thrown into what Zenith calls a "monitor program" -- the same one you get when you press ctrl-alt-ins. Only in this state, it shows you the memory contents at the current location. You can change, examine, etc. from this point. If you type "g" and press return, you'll go back to executing the program where you left off, assuming you didn't mess with anything important. It's essentially a built-in debugger.

Apologies to anyone who doesn't have a Zenith, but look on the bright side, this feature can cause incompatibility problems on rare occasions.

------------------------------

Date: 15 Jun 91 09:05:24 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Problems removing Azusa (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

>From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
>One thing that Mr. Doss forgot to mention is that although Central
>Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy,
>it cannot remove the virus from a hard drive. The only way to
>disinfect a hard drive is to redo the low level format because the
>virus infects the boot sector and the dos partition. A high level
>format will not remove the virus, nor will simply removing the dos
>partition with the fdisk program.

Well, this is of course not correct - a format is never necessary to get rid of a virus - boot sector or otherwise. However, Azusa is rather problematic, as it does not store the original PBR anywhere - it simply replaces it. (It is easy to remove Azusa from diskettes)

Suggested solutions:

1) Use NU to zero out the PBR, then use NDD to rebuild it.

2) Use a disinfection program which can replace the PBR with a "standard" PBR - such programs exist.
- -frisk

------------------------------

Date: 15 Jun 91 09:12:01 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Is there a 1024 virus? (PC)

Arthur Buslik writes:

>As Rob Slade suggests, one possibility is a virus. However, a much
>more likely possibility is that the computers have extended bios
>extended data areas.
:
>Moreover, INT 15H, AH=C1H will return the segment address
>of the base of the extended bios area.

Well, not always - I have a HP/Vectra, where the BIOS reserves a 4K area just below the 640K mark. However, INT 15H, AH=C1H is not implemented in the BIOS (I know - I traced through it), and INT 15H, AH=C0H will return the information that no Extended BIOS area is used.

- -frisk

------------------------------

Date: Sat, 15 Jun 91 09:46:41 -0400
From: Jeff
Subject: Fprot v1.16 (PC)

Is Fprot v1.16 available yet? If so where can I ftp it? Thanks.

------------------------------

Date: Sun, 16 Jun 91 01:19:14 -0400
From: Daniel Pan
Subject: Why I didn't find the virus.exe (PC)

A friend of mine got viruses. I used scan v77 to check it; it found the partition table was infected by Stoned and the file C:\DOS\KILL\VIRUS.EXE was infected by Jerusalem. I also used Virx 1.14 to check the C drive, the only hard drive she has, and found Stoned-B. But I could not find that the file VIRUS.EXE exists. The KILL subdir only has four files and none is VIRUS.EXE. Does anyone know what happened? Could it be a hidden file, or did Scan give a false alarm? But Clean did very well when it cleaned those viruses. I cleaned the hard disk before thinking about this question!

------------------------------

Date: Sat, 15 Jun 91 23:34:48 -0700
From: p4tustin!ofa123@uunet.UU.NET (ofa123)
Subject: Re: Hoffman Summary & FPROT (PC)

I think it's just too bad that Hoffman's summary keeps ignoring the latest versions of F-PROT. The SCANV shown is always the latest issue. Frisk, are you looking for distribution sites in the US?
I may have a couple of systems that would be interested in becoming official distribution sites for F-PROT. Please let me know.

- --- Opus-CBCS 1.14
 * Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0)

- --
Ray Mann
Internet:   Ray.Mann@ofa123.fidonet.org
Compuserve: >internet:Ray.Mann@ofa123.fidonet.org

------------------------------

Date: Sun, 16 Jun 91 10:56:44 -0500
From: James Ford
Subject: New address and hostname for MIBSRV (PC)

The mibsrv antiviral site (MIBSRV.MIB.ENG.UA.EDU) is moving to the new location RISC.UA.EDU (130.160.4.7). The directory structure will remain the same. At this time, all ibm-antivirus have been moved over. The solutions directory (pub/games/solutions) will be moved Monday.

MIBSRV (130.160.20.80) will stay up until June 26. After that time, it will be gone / kaput / lost_in_time / lost_in_space. Please make any necessary changes in your script / information files regarding this.

If you have any problems, please let me know.

/\/\/\/\/\/\/\/\/\/\/\/\ /\/\/\/\/\/\/\/\/\/

- ----------
Life is one long process of getting tired.
- ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 103] ****************************************** 18-Jun-91 14:12:57-GMT,24854;000000000001 Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA24937; Tue, 18 Jun 91 10:12:36 EDT Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA11325; Tue, 18 Jun 91 10:12:29 EDT Message-Id: <9106181412.AA11325@remus.rutgers.edu> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 8925; Tue, 18 Jun 91 10:07:25 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 0216; Tue, 18 Jun 91 10:06:59 EDT Date: Tue, 18 Jun 91 09:59:58 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #104 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L VIRUS-L Digest Tuesday, 18 Jun 1991 Volume 4 : Issue 104 Today's Topics: Re: Checksumming Info on Disk Killer? (PC) virus detection by scanners ? (PC) Master Boot Record (PC) Re: Is there a 1024 virus? (PC) Re: Virus scanners (PC) "Beijing Virus - Urban Legend?" Re: Scanning infected files (PC) Re: Virus-writers Result of preliminary research for Hard Disk Write-Protect (PC) Re: Is there a 1024 virus? (PC) Re: DOS 5 Fdisk, etc (PC) Possible PC Virus (PC) Interesting interaction (PC) joshi & vsum & f-prot & ll format (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. 
Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 17 Jun 91 13:07:00 +0300
From: Y. Radai
Subject: Re: Checksumming

Mike Lawrie writes:

> ... sooner or later this scenario [infecting
>files by performing SCAN while a virus like Plastique is in RAM] will
>re-occur, as you will get hit with a similar type of virus that McAfee
>has not yet catered for, even if you have their very latest version.

Right; I specifically stated that that could happen, and I mentioned that in order to prevent such occurrences, you could add a good generic monitoring program. You didn't reply to that suggestion. But actually, there is a surer solution which I mentioned only later on in my posting, but which I should have mentioned here also: If you want to be certain that such occurrences cannot occur, never run a program like SCAN or a checksummer except when you are certain that RAM is clean, i.e. only immediately after booting from a clean diskette. (Authors of such programs should mention this; if they don't, and that apparently includes McAfee, you have a legitimate gripe against them.)

> A checksummer gives you no
>security whatsoever, because it does not prevent a viral infection.

True, a checksummer does not prevent infection, but at least it can *detect* infections, and that's a lot better than no security at all!! Knowing that certain files are infected, you can restore your files from backups or use a disinfector, something which you wouldn't do if the infections were not detected.
Moreover, if the checksummer is properly designed and implemented, (1) it can detect *all* infections, and (2) it cannot be neutralized or circumvented by hostile software. These are advantages that are almost impossible to find in any other anti-viral software.

In my opinion, the best software solution is a *combination of several* programs: a good checksummer (like V-Analyst), a good generic monitor (like Secure), a known-virus scanner (too many to mention names), a program which prevents infections through floppy boots (to be mentioned soon), and more. I use all of them; the resident programs don't take up much RAM, and they coexist peacefully (well, most of them ...).

>Just that our experience that I wished to share was that with a
>checksummer in place and use of SCAN, you can end up with every last
>EXE/COM file on you hard disk looking very sick indeed.

Quite true ... *if* you don't take the proper precautions.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Mon, 17 Jun 91 08:25:00 -0800
From: RBRIGGS%NHQVAX.SPAN@STAR.STANFORD.EDU (Rose Briggs)
Subject: Info on Disk Killer? (PC)

I have had quite a few requests about "Disk Killer" as to the symptoms, prevention and what damage it does, etc. Does anyone have a comprehensive overview of this virus?

Thanks

Rose Briggs/NASA HQ
Rbriggs@nhqvax.hq.nasa.gov
(202)453-1767

------------------------------

Date: 07 Jun 91 14:33:23 +0000
From: hermann@uran.informatik.uni-bonn.de (Hermann Stamm)
Subject: virus detection by scanners ? (PC)

Hello everybody on this list !

I have a few questions concerning detection of virii in general and 1701 in special. First of all, I hope that only good guys are on this list, because the remarks made here would otherwise result in hundreds of newly virii.

Let me begin with the story: Two years ago I bought a diskette containing chess-programs from a PD-distributor.
The chess-programs were ok, but the list.com on that disk was infected with the 1701 virus. I recognized this, as the first character falls down my screen with noise. After booting from a clean diskette I found the modified files, found a search-string to identify 1701, and wrote a program for detection and removing the 1701-virus. This was my first and up to now last personal contact with any virus (I hope there is none I didn't recognize).

Now, as I tested scanv77 against the original diskette from the distributor, I asked myself, how one can fool the detection mechanism of virus-scanners. The keypoint in the case of 1701 is, that only 33 bytes of the decoding-mechanism are present in executable form, the rest is coded dependent on the length of the file 1701 is appended to. Now any scanner has to look for these 33 bytes only, I think. But, after a few modifications of these 33 bytes (permuting the order of execution, changing the names of used registers, or totally rewriting an equivalent code), the modified 1701 is the same besides its decoding-part, but isn't detected by scanv77. I have tested these versions on a portable without (!) any harddisk, and, after activation, the new virii propagate in the changed form.

Now my questions:

- what other scanner should I try for these versions ?
- is it true, that any scanner must try to look at the semantics of such decoders, and not at the shape ? (undecidable problem ?)
- which systems are good by looking at the length of files and reporting differences ?
- Is the following behaviour possible for a virus: After getting resident, it forces to do a warm-start with ctrl-alt-del, and then it copies itself to all .com-files encountered during rebooting (like command.com, ...). I think, that this is the way most of my .com-files were infected.

Below are the decoding parts, first the one I received by the distributor, then two modifications, which aren't detected by scanv77.
- ------------------------------------------------------------
Original decoding of 1701

- -u0109 012a
1DBD:0109 FA            CLI
1DBD:010A 8BEC          MOV     BP,SP
1DBD:010C E80000        CALL    010F
1DBD:010F 5B            POP     BX
1DBD:0110 81EB3101      SUB     BX,0131
1DBD:0114 2E            CS:
1DBD:0115 F6872A0101    TEST    BYTE PTR [BX+012A],01
1DBD:011A 740F          JZ      012B
1DBD:011C 8DB74D01      LEA     SI,[BX+014D]
1DBD:0120 BC8206        MOV     SP,0682
1DBD:0123 3134          XOR     [SI],SI
1DBD:0125 3124          XOR     [SI],SP
1DBD:0127 46            INC     SI
1DBD:0128 4C            DEC     SP
1DBD:0129 75F8          JNZ     0123
- -q

Modified, only SP replaced by DX, switch of first 2 statements

- -u 0109 012a
1DC6:0109 8BEC          MOV     BP,SP
1DC6:010B FA            CLI
1DC6:010C E80000        CALL    010F
1DC6:010F 5B            POP     BX
1DC6:0110 81EB3101      SUB     BX,0131
1DC6:0114 2E            CS:
1DC6:0115 F6872A0101    TEST    BYTE PTR [BX+012A],01
1DC6:011A 740F          JZ      012B
1DC6:011C 8DB74D01      LEA     SI,[BX+014D]
1DC6:0120 BA8206        MOV     DX,0682
1DC6:0123 3134          XOR     [SI],SI
1DC6:0125 3114          XOR     [SI],DX
1DC6:0127 46            INC     SI
1DC6:0128 4A            DEC     DX
1DC6:0129 75F8          JNZ     0123
- -q

Modified, only SP replaced by AX, switch of first 2 statements, permutation of statements (i.e. 0110 MOV AX,0682)

- -u 0109 012a
1DBD:0109 8BEC          MOV     BP,SP
1DBD:010B FA            CLI
1DBD:010C E80000        CALL    010F
1DBD:010F 5B            POP     BX
1DBD:0110 B88206        MOV     AX,0682
1DBD:0113 81EB3101      SUB     BX,0131
1DBD:0117 8DB74D01      LEA     SI,[BX+014D]
1DBD:011B 2E            CS:
1DBD:011C F6872A0101    TEST    BYTE PTR [BX+012A],01
1DBD:0121 7408          JZ      012B
1DBD:0123 3134          XOR     [SI],SI
1DBD:0125 3104          XOR     [SI],AX
1DBD:0127 46            INC     SI
1DBD:0128 48            DEC     AX
1DBD:0129 75F8          JNZ     0123
- -q

Thanks in advance for any hints and answers to my questions,

Hermann.
hermann@holmium.informatik.uni-bonn.de

------------------------------

Date: Mon, 17 Jun 91 11:52:37 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Master Boot Record (PC)

>From: frisk@rhi.hi.is (Fridrik Skulason)
>padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:
>>From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
>>One thing that Mr.
>>Doss forgot to mention is that although Central Point Anti-Virus v1.0 can
>>easily remove the Azusa virus from a floppy, it cannot remove the virus from
>>a hard drive. The only way to disinfect a hard drive is to redo the low level
>>format because the virus infects the boot sector and the DOS partition. A
>>high level format will not remove the virus, nor will simply removing the DOS
>>partition with the fdisk program.

Aw come on fella, give a fella a break: I didn't say that, Mr. Ebdon did.

The Master Boot Record, aka the Partition Table Record, aka physical sector one on the hard disk, contains two distinct elements:

1) The partition table, located at offset 1BEh-1FCh (what is read by NU in partition table format).

2) The executable code beginning at offset 0 that uses the table to find the O/S boot record (also contains ASCII error messages).

Since the AZUSA replaces part 2 with its own code, all that is necessary for recovery is to mate a good part 2 with the existing part 1 (not really difficult, but more complicated than just copying a sector) and replace the infected sector. Things get a bit more complicated if special code is in use, e.g. the selection code used with COHERENT or other MBR replacement code (DISKSECURE does this, which is why the original MBR is backed up three times during the installation process, including once on floppy).

However, I have NEVER had to do a low-level format on a disk because of a virus, & have been able to restore infections from both AZUSA and MUSICBUG without any great difficulty; it is just a matter of following the correct procedure. Nor have I ever advised anyone to do so.

Hotly (having rolling blackouts of my a/c),

Padgett

------------------------------

Date: Mon, 17 Jun 91 13:03:00 -0400
From: Al Woodhull
Subject: Re: Is there a 1024 virus? (PC)

> Can anyone suggest an explanation of our observation on several
> computers (various IBM pc types) of a result from chkdsk of 654336
> bytes of total memory?
On one of the computers I use I have determined that the ROM BIOS reserves 1 K at the top of RAM memory. I first discovered this while teaching my assembly language students about memory allocation, in preparation for an assignment to implement some of the ideas in Padgett's Six Bytes paper, and I was a little startled to think that a virus might have been present in my own system for an unknown period of time while I was playing local expert. I verified that it was the ROM by booting from floppies with different DOS versions that worked OK on other systems. I don't know the purpose of this memory reservation; when I look at it with DEBUG it seems to have been initialized to all zeros, but a few bytes scattered throughout have other values. The ROM in this machine is identified as DTK Corp. COMPUTER XT, DTK/ERSO/BIOS 2.29 (C) 1986.

-- Al awoodhull@hampvms.bitnet

------------------------------

Date: Mon, 17 Jun 91 13:05:00 -0400
From: Al Woodhull
Subject: Re: Virus scanners (PC)

> The only "test target" that can be used is the entirety of a virus,
> and at that point you no longer have a "simulator", you have the real
> thing. -- Fritz Schneider

I have only had serious problems with two viruses, Yankee Doodle and Jerusalem. For each of these I took a file that was infected from my "zoo" disk, and appended it to a small program that prints a message and exits. I saved the hybrid files as executables. (I did all of this with DEBUG.) The new files contain all of the infected code and so are good test targets, but since there is no way to execute the infected code it is essentially just a block of data. There is no need to worry about someone else using my computer wondering "I wonder what that program does?"

-- Al awoodhull@hampvms.bitnet

------------------------------

Date: Mon, 17 Jun 91 20:38:41 +0000
From: bdh@gsbsun.uchicago.edu (Brian D. Howard)
Subject: "Beijing Virus - Urban Legend?"
Over the weekend on CNN was a reference to a 'computer virus' triggered by the anniversary of the Tiananmen massacre. Other than the brief reference here to allegations of such, was there a *documented* sighting of such a beastie? (Not that I usually put much credence in CNN reporting on technical things, but I wondered if the story was based on anything *other* than an FOAF anecdote from this newsgroup.)

--
"Hire the young while they still know everything."

------------------------------

Date: 17 Jun 91 21:17:51 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: Scanning infected files (PC)

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:

   In regards to the problem of anti-viral programs infecting files they scan when a memory-resident virus is present: Wouldn't it be possible to read disks sector by sector instead of opening files through DOS calls? This reading would be much the same as a disk editor program. The scanner could consult directory listings to find program boundaries and then check appropriate areas without opening the files as a file? As I'm not an MS-DOS expert I'm not sure if this makes sense, but I thought I'd ask.

Good question, but: wouldn't it be possible for the stealthy virus to trap the sector I/O and "fix" it to also hide its tracks? Hardware level I/O is about the only way to go for this, and then you still have to be careful on a 386 where the MMU can trap hardware accesses.

jv

"Always Mount a Scratch Monkey"
Johnathan Vail | n1dxg@tegra.com | Tegra (508) 663-7435 | N1DXG@448.625-(WorldNet) | jv@n1dxg.ampr.org | {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date: 17 Jun 91 21:13:08 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: Virus-writers

frisk@rhi.hi.is (Fridrik Skulason) writes:

padgett%tccslr.dnet@mmc.com (A.
Padgett Peterson) writes:

>According to this (PC) week's Spencer Katt column, certain anti-viral
>software houses are boosting their counts by soliciting viruses for
>pay and programmers are taking them up for "big bucks".

   If that is true, I and the Virus Bulletin would very much like to know which companies are involved - I would do my best to drive them out of business.....

And well you should. I would find this hard to believe. I would tend to believe Spencer Katt as much as I would Dave Barry or Andy Rooney.

I do believe that the anti-virus companies are hyping up the fear of viruses in order to sell more product. I have been working with personal computers since 78 and, with the exceptions of the viruses that I wrote myself (the first one was in 1980) and a Mac virus that went around here at work last year, I have never seen or heard a first hand account of a virus. Of course I don't do much with shareware or BBS downloading, which is where I imagine most of the problems are.

jv <<-- Of course I will probably be bummin' when I do get hit...

"It's not a cormorant, it's not a shag. It's just something in a plastic bag" -- RH
Johnathan Vail | n1dxg@tegra.com | Tegra (508) 663-7435 | N1DXG@448.625-(WorldNet) | jv@n1dxg.ampr.org | {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date: Tue, 18 Jun 91 00:53:45 +0000
From: n8243274@henson.cc.wwu.edu (steven l. odegard)
Subject: Result of preliminary research for Hard Disk Write-Protect (PC)

I want to leave an XT with 30Mb hard disk available for public access, and still preserve the data on it. I proposed a five-position keyed switch with the following positions:

R.   All of 0 below applies, and the reset line to the XT is activated. The key springs to position 0.
0.   All of I below applies, and the keyboard lock on the machine is enabled.
I.   Hard disk is not powered up on startup; however, if the key is moved from position II, the HD is not powered down.
     In that case, all write and read access to the HD is blocked.
II.  All write access to the hard drive is blocked.
III. All read and write access to the drive is permitted.

The key is removable from all of the positions except R.

My proposal received one reply, which I foolishly misplaced, of how the write line to the disk can be shorted to high by an audio jack. However, for some controllers the machine will not boot up in that case.

------------------------------

Date: Tue, 18 Jun 91 13:16:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Re: Is there a 1024 virus? (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:
> Arthur Buslik writes:
>>As Rob Slade suggests, one possibility is a virus. However, a much
>>more likely possibility is that the computers have extended bios
>>extended data areas.
> :
>>Moreover, INT 15H, AH=C1H will return the segment address
>>of the base of the extended bios area.
>
> Well, not always - I have an HP/Vectra, where the BIOS reserves a 4K
> area just below the 640K mark. However, INT 15H, AH=C1H is not
> implemented in the BIOS (I know - I traced through it), and INT 15H,
> AH=C0H will return the information that no Extended BIOS area is used.
> -frisk

I have heard that often the port address of LPT4 (location 40E hex) contains the segment address when a kilobyte or so is "stolen" for (e.g.) a mouse driver. So that's another thing to look for. But it, and the int 15 test, shouldn't be taken as definitive answers that a virus isn't there. I suspect the answer is to: (a) go through each important interrupt (13, 21, 2F, etc), tracing to see if any use that area, and (b) look through the code to see if there are interrupt calls, far calls to BIOS, disk port accesses, signs of self-modifying code, etc. Alternatively, you could have some "known" valid users of the area in a database and check that it is one of them there (and nothing else). Wouldn't it be nice if someone compiled a list of software and BIOSes that used the area?
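[Editor's added example; the BIOS data area and interrupt vector table it works on are constructed, not captured from any of the machines discussed.] A checker that does the two things suggested above: compare the memory-size word at 0040:0013h (what CHKDSK reports; 654336 bytes is 639 KB) with the EBDA segment at 0040:000Eh, then walk the interrupt vector table for any vector pointing into the kilobyte that went missing below 640K. Case A models a BIOS that reserves the top kilobyte and advertises it at 40Eh; case B models a resident boot-sector virus that has lowered the memory-size word and hooked INT 13h into the reclaimed area. As noted above, neither check is definitive on its own, since a virus can set 40Eh too; the function therefore reports the evidence rather than a verdict, and only flags "suspicious" when vectors point into an unexplained gap.

```python
"""Account for the kilobyte(s) missing below 640K on a PC.

Added editorial example; the BIOS data area and interrupt vector table are
constructed. Facts relied on: the word at 0040:0013h holds conventional memory
in KB, the word at 0040:000Eh holds the Extended BIOS Data Area segment (0 if
none), and the 256 vectors at 0000:0000h are offset:segment, four bytes each.
"""
import struct

CONVENTIONAL_KB = 640
BDA_MEMSIZE, BDA_EBDA_SEG = 0x13, 0x0E      # offsets within segment 0040h


def top_of_memory_report(bda: bytes, ivt: bytes) -> dict:
    """Compare what CHKDSK sees (the 413h word) with the EBDA pointer and with
    where the interrupt vectors point. A vector into the reclaimed area is
    expected if the EBDA pointer accounts for the area, suspicious otherwise."""
    memsize_kb = struct.unpack_from("<H", bda, BDA_MEMSIZE)[0]
    ebda_seg = struct.unpack_from("<H", bda, BDA_EBDA_SEG)[0]
    missing_kb = CONVENTIONAL_KB - memsize_kb
    gap_start, gap_end = memsize_kb * 1024, CONVENTIONAL_KB * 1024
    vectors_in_gap = []
    for n in range(256):
        off, seg = struct.unpack_from("<HH", ivt, n * 4)
        if gap_start <= seg * 16 + off < gap_end:
            vectors_in_gap.append((n, seg, off))
    ebda_explains = missing_kb > 0 and ebda_seg * 16 == gap_start
    return {
        "chkdsk_total_bytes": memsize_kb * 1024,
        "missing_kb": missing_kb,
        "ebda_seg": ebda_seg,
        "ebda_explains_gap": ebda_explains,
        "vectors_in_gap": vectors_in_gap,
        "suspicious": missing_kb > 0 and bool(vectors_in_gap) and not ebda_explains,
    }


def make_bda(memsize_kb: int, ebda_seg: int) -> bytes:
    """Constructed 256-byte BIOS data area with only the two words we read set."""
    bda = bytearray(256)
    struct.pack_into("<H", bda, BDA_MEMSIZE, memsize_kb)
    struct.pack_into("<H", bda, BDA_EBDA_SEG, ebda_seg)
    return bytes(bda)


def make_ivt(hooks: dict) -> bytes:
    """Constructed vector table: every vector points at a ROM address (F000:FF53,
    used here only as a harmless default) except those given as
    {int_no: (segment, offset)}."""
    ivt = bytearray(1024)
    for n in range(256):
        seg, off = hooks.get(n, (0xF000, 0xFF53))
        struct.pack_into("<HH", ivt, n * 4, off, seg)
    return bytes(ivt)


# Case A: 639 KB reported (CHKDSK shows 654336), EBDA pointer at the top, no hooks.
CASE_A = (make_bda(639, 0x9FC0), make_ivt({}))
# Case B: same 639 KB, no EBDA claimed, and INT 13h now points into the missing KB.
CASE_B = (make_bda(639, 0x0000), make_ivt({0x13: (0x9FC0, 0x0003)}))

if __name__ == "__main__":
    for label, (bda, ivt) in (("A", CASE_A), ("B", CASE_B)):
        r = top_of_memory_report(bda, ivt)
        hooks = [f"INT {n:02X}h -> {seg:04X}:{off:04X}" for n, seg, off in r["vectors_in_gap"]]
        print(f"case {label}: {r['chkdsk_total_bytes']} bytes, {r['missing_kb']} KB missing,"
              f" EBDA explains it: {r['ebda_explains_gap']}, vectors into gap: {hooks},"
              f" suspicious: {r['suspicious']}")
```

On a real machine the two inputs are the 256 bytes at 0040:0000h and the 1024 bytes at 0000:0000h, read with DEBUG or any memory dumper; the remaining work suggested above (tracing into the area and looking for disk port accesses or self-modifying code) is manual and starts from the vectors this reports.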
(any volunteers?)

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date: Tue, 18 Jun 91 13:27:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Re: DOS 5 Fdisk, etc (PC)

BARNOLD@YKTVMH.BITNET writes:
> Readers might want to play with an undocumented /MBR switch in DOS 5
> FDISK. It appears to force FDISK to overwrite the code in a PC/PS2
> master boot record, without touching the partition table, and in
> limited testing on a half dozen machines it succeeded in cleaning up
> machines infected with the Stoned, the Stoned 2, and the Joshi
> viruses. This was with the DOS 5 shipped by IBM, not Microsoft's DOS
> 5; can somebody please test MS-DOS 5?

On a related subject: You may use the DRDOS 5 SYS command to rewrite the boot sector (not the MBR, I think), but watch out when you have a diskette infected in such a way that the BIOS Parameter Block (that says the disk size, etc) has been junked (e.g. by Stoned). The SYS command rewrites a good boot sector around it (fair enough), but acts on the size information in the BPB, and you end up with a disk that needs to be fixed with a disk editor. Remember that DOS normally ignores a lot of the BPB and goes by the ID byte at the start of the FAT; this is because early (version 1) DOS might write anything there. DRDOS reacts sensibly if it contains junk *except* when it comes to the SYS command, so beware.

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date: Mon, 17 Jun 91 20:51:07 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Possible PC Virus (PC)

7340P@NAVPGS.BITNET (robert c. morales) writes:
> replicated themselves with such names as EDLIN._OM and AUTOEXEC._AT,
> all of which were 77 bytes in size with the same dates and times. This
> necessitated reformatting the hard drive. Also, the Dosshell was

Ouch.
I don't want to take any guesses as to your approximately 15K file, but I would venture that someone has been wandering around your office with a copy of Norton Antivirus, right? The 77 byte files are the "file signatures" that it uses to detect changes in infected programs.

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@mtsg.sfu.ca | (SUZY) INtegrity
"If you do buy a computer, don't turn it on." -- Richards' 2nd Law of Data Security

------------------------------

Date: Mon, 17 Jun 91 21:07:27 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Interesting interaction (PC)

Noted an interesting interaction between two antivirals the other day, and finally tracked it down. If VIRx 1.4 is run before SCAN 77, SCAN will "detect" the presence of the 3445 and Doom 2 viri in memory and refuse to run.

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@mtsg.sfu.ca | (SUZY) INtegrity
"If you do buy a computer, don't turn it on." -- Richards' 2nd Law of Data Security

------------------------------

Date: Tue, 18 Jun 91 11:41:48 +0000
From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves)
Subject: joshi & vsum & f-prot & ll format (PC)

Vsum still says no utility will remove Joshi and that a low level format is required.

F-prot says "Cured" when I use it against Joshi, but it still says infected after that, and the hard disk is no longer bootable. v 1.15a.

Those who know say ll-format NEVER needed. I do not know how to manually rebuild the partition table, so I have done three of these so far.

Is there a utility, Ms Hoffman? Perhaps you just don't want to admit it because McAfee's can't? (I have not tried McAfee but I assume she'd say if his did.)

F-prot must be intended to work - "cured" - so can the author speak to this?
Thanks for any advice from any source

--
| That's my story, and I'm sticking to it! |
| Public Sites micro software support | treeves@magnus.ACS.OHIO-STATE.EDU |

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 104]
******************************************

Date: Tue, 18 Jun 91 12:41:19 EDT
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #105

VIRUS-L Digest   Tuesday, 18 Jun 1991    Volume 4 : Issue 105

Today's Topics:

Review of Victor Charlie 4.01 (PC)
Review of IBM VIRSCAN version 2.00.01 (PC)
Review of VirAway (PC)
Antivirus contact list (mostly PC)
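[Editor's added example, placed between the two digests; constructed data, not code from FDISK, DiskSecure or any product named above.] This ties together Padgett Peterson's description of the MBR as two parts, the report that DOS 5 FDISK /MBR rewrites the code without touching the partition table, and Terry Reeves's question about rebuilding a partition table by hand: the repair is to keep the 64 bytes of table already on disk (offsets 1BEh-1FDh) and the 55AAh signature, and put known-good code in front of them, after first checking that the table is still sane. The "clean loader" here is the standard DOS MBR prologue followed by padding, standing in for the machine's own backed-up sector; the "bogus" code is filler, not a virus. Padgett's caveat applies: if the machine used non-standard MBR code (Coherent's selection code, DiskSecure), restoring generic code loses it, so the clean code should come from that machine's own backup.

```python
"""Rebuild a Master Boot Record from a known-good code image, keeping the
partition table that is already on disk.

Added editorial example with constructed data. The only real-world facts used
are the MBR layout (code at 0000h-01BDh, four 16-byte partition entries at
01BEh-01FDh, signature 55AAh at 01FEh) and the usual DOS loader prologue.
"""
import struct

SECTOR = 512
PT_OFF, ENTRY_LEN, ENTRIES = 0x1BE, 16, 4
SIG_OFF, SIGNATURE = 0x1FE, b"\x55\xAA"

# Stand-in for a backed-up good loader: cli / xor ax,ax / mov ss,ax / mov sp,7C00h,
# then padding. A real repair uses the machine's own saved MBR (or the code
# FDISK /MBR writes), not a loader copied from a different machine or OS.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (PT_OFF - 8)
# Constructed filler standing in for whatever a boot-sector virus put there.
BOGUS_CODE = b"\xEB\x1C\x90" + b"\xCC" * (PT_OFF - 3)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four entries (part 1 in Padgett's description)."""
    if len(mbr) != SECTOR or mbr[SIG_OFF:] != SIGNATURE:
        raise ValueError("not an MBR: bad length or missing 55AA signature")
    table = []
    for i in range(ENTRIES):
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFF + i * ENTRY_LEN)
        table.append({"active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return table


def table_problems(table: list) -> list:
    """Checks to run before writing anything back: a table that is itself
    damaged should not be given a fresh loader and written out as if good."""
    problems = []
    if sum(e["active"] for e in table) > 1:
        problems.append("more than one active partition")
    used = sorted((e for e in table if e["type"] != 0), key=lambda e: e["lba_start"])
    if any(e["sectors"] == 0 for e in used):
        problems.append("zero-length partition")
    if any(a["lba_start"] + a["sectors"] > b["lba_start"] for a, b in zip(used, used[1:])):
        problems.append("overlapping partitions")
    return problems


def repair_mbr(infected: bytes, clean_code: bytes) -> bytes:
    """Mate part 2 (good code) with part 1 (the existing table) and the
    signature: the operation Padgett describes, and what FDISK /MBR is
    reported to do. Refuses if the table fails the sanity checks."""
    problems = table_problems(parse_partition_table(infected))
    if problems:
        raise ValueError("refusing to rewrite MBR: " + "; ".join(problems))
    code = bytes(clean_code[:PT_OFF]).ljust(PT_OFF, b"\x00")
    return code + infected[PT_OFF:SIG_OFF] + SIGNATURE


def build_sample_mbr(code: bytes, entries: list) -> bytes:
    """Constructed sector: given code, given entries, zero-filled remainder.
    Each entry is (status, CHS start bytes, type, CHS end bytes, LBA, count)."""
    table = b"".join(struct.pack("<B3sB3sII", *e) for e in entries)
    table = table.ljust(ENTRIES * ENTRY_LEN, b"\x00")
    return bytes(code[:PT_OFF]).ljust(PT_OFF, b"\x00") + table + SIGNATURE


# One active 32 MB FAT16 partition starting at sector 63 (CHS fields are filler).
SAMPLE_ENTRIES = [(0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\xFF", 63, 0x00010000)]


def demo() -> tuple:
    """Build the constructed infected sector and repair it; returns both."""
    infected = build_sample_mbr(BOGUS_CODE, SAMPLE_ENTRIES)
    return infected, repair_mbr(infected, CLEAN_CODE)


if __name__ == "__main__":
    infected, fixed = demo()
    print("code region replaced:", fixed[:PT_OFF] != infected[:PT_OFF])
    print("partition table preserved:", fixed[PT_OFF:SIG_OFF] == infected[PT_OFF:SIG_OFF])
    for entry in parse_partition_table(fixed):
        print(entry)
```

Reading and writing physical sector one is the part left out: on the DOS of the day that is INT 13h (or a disk editor such as the NU Padgett mentions), and the sector should be read from a clean floppy boot, since a resident stealth virus can hand back a clean-looking copy.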
Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 17 Jun 91 21:11:09 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Victor Charlie 4.01 (PC)

[Ed. My apologies for the length of this digest. The reviews below, and the vendor list, are available on cert.sei.cmu.edu for anonymous FTP in the pub/virus-l/docs/reviews directory. Thanks once again to Rob Slade for all of this work which he is making available to all of us!]

Comparison Review

Company and product:

Delta Base Enterprises
9800A - 140th St.
Surrey, B. C. V3T 4M5
604-582-15922
Fax: (604) 582-0101
CIS# 72137,603

Bangkok Security Associates
BBS: 662-255-5981

Victor Charlie 4.0

Summary: Change detection with self generating "bait" files and viral signature capture

Cost $99 Cdn

Rating (1-4, 1 = poor, 4 = very good)
  "Friendliness"
    Installation       2
    Ease of use        3
    Help systems       4
  Compatibility        2
  Company Stability    3
  Support              3
  Documentation        3
  Hardware required    4
  Performance          2
  Availability         2
  Local Support        2

General Description:

Victor Charlie is a series of batch and data files that generate a number of programs for trapping of viral infections. There is also provision for the capture of viral signatures. Utilities are included for viewing of boot sectors and recovery of hard disk system areas. Requires DEBUG.COM for some operations.

Version 5.0 has, as of this writing, been released, but has not yet been received for review. Due to the novelty of the program, and its relative anonymity in North America and Europe, I am releasing this review now, with some notes about version 5.0, rather than wait for the next version.
Comparison of features and specifications

User Friendliness

Installation

The installation procedure outlined in the manual starts "earlier" in the process than any other reviewed so far. Not only does it recommend booting from a floppy, but it suggests that you SYS and replace the COMMAND.COM file on the hard disk before doing anything else. An initial "Quick Start" section of the manual relies on an intermediate knowledge of MS-DOS by the user, but this is stated at the beginning. (Unfortunately, it does not immediately point novice users to the later, and more detailed, VINSTALLATION chapter, nor does it point out the possible dangers of replacing the operating system on the hard disk. Also, although there is some discussion in the later chapter about the DOS disk, some discussion of the importance of write protection of the original disks might avoid possibilities for infection at this point.)

Installation of VC is not foolproof by any means. Almost all error messages are hidden from the user, and a lack of file space or an incorrect assumption regarding drive specifications will cause the installation to fail to complete. This, however, is not communicated to the user, and may not be obvious. To the novice this can be dangerous, in that the user may consider that the system is protected when, in fact, it is not. Experienced users will be able to custom tailor the installation to their own needs, since everything is done through batch files.

Although the documentation does indicate that the package can be run on floppy only systems, installation onto floppies is problematic. If the command VINSTALL A: is given, the system will determine that A: is not a hard drive, and install only a portion of the full set of files. If, however, the command VINSTALL A:\VC is given, the program will not determine that A: is a floppy.
When installing to a floppy drive, the boot sector and other system areas are "protected" (VC will detect an infection by a BSI), but not reparable (the backup file of the boot sector is not generated.) A floppy installation program, FINSTALL.BAT, is provided, but it does not seem to work properly unless called from VINSTALL. Even then, on every attempt to install, the program terminated with an error message about an improper drive or path specification.

Although not mentioned in the manual until page 64, DEBUG.COM is required by a number of VC's programs. It should be on the computer, and in a directory in the active path.

Options in regard to installation are legion, but should be performed only by experienced users, as they are not necessarily well explained for the novice. Path and directory settings are vitally important, and it is quite possible to generate additional copies of the program which no longer will trap changes to programs.

Ease of use

The ability to use the programs effectively is very much dependent upon the installation chosen. With proper installation, occasional virus checks can be as simple as a single keystroke (Alt-V).

The program can, however, give conflicting messages. When the Stoned virus was active, it correctly detected that something had happened to the boot sequence. On a floppy system it was not able to recover the boot sector, but finished the sequence with a message that "Right now, you have NO active virus on this computer."

Help systems

There is help of various sorts provided for, but in testing the program very often "lost" its help file, even when installed as directed. When a virus is detected, the messages that appear give a useful explanation of what has happened and why. The steps to take, and optional explanations of what has happened, are realistic, and should be clear even to a novice.

Compatibility

Although no part of the package is "resident", it warns against having TSR's active during installation.
Company Stability

The program is produced by Bangkok Security Associates (programmer John DeHaven, technical writer Alan Dawson, marketing director Simon Royle and financial director Ramesh Indhewat). BSA is a Thai company registered in the British Virgin Islands from Hong Kong.

Company Support

In Australia, where the product has had its major success to date, the product is supported by Combat Software. Otherwise company support is provided by the BBS listed above.

Documentation

The manual is entertainingly written, and contains a great deal of information on viral programs in general. Parts of the manual explain computer operations to the novice in great detail. There are, however, other parts that give out brief, or even misleading, information.

(A note on this business of directions to novice users. It may seem like a "fractal" type of problem, in that no matter how much you explain, there is still more to do. For example, TBSCAN's documentation suggests write protecting diskettes, and explains how to do it on a 3.5" diskette, but not on a 5.25". Victor Charlie does explain that you should put a "... sticker ... over the notch at the right-hand side of the disk when you look at it from the front." However, failing to mention that the notch is *square*, on the *side* of the disk cover, and that you cannot see the magnetic disk through it might allow some to permanently read *and* write protect the disk by placing the sticker over the drive head access slot. Still, in many cases Victor Charlie gives the best explanation to novice users yet reviewed.)

The tone of the documentation (both hardcopy and on disk) varies between jingoism ("... ultimate security ... defeat any current or future virus") and realism, while ultimately falling somewhat short in terms of actual details.
In testing the system, I came to the conclusion that, while suitable for any users as a warning system, technical personnel will need more details as to the ultimate effectiveness, and how far to trust the package.

Hardware Requirements

MS-DOS 2.0 or higher and a minimum 64K of RAM.

Performance

Unfortunately, even at this point, I am unable to state the performance of the system with confidence. It will find viral infections of programs, and of boot sectors. (In spite of the difficulties encountered in installing the system to a floppy, it had no difficulty in identifying "Stoned" infections on floppy. Further testing revealed that it was, somehow, detecting a change in the boot sector, rather than memory. Although the program checks memory and the system areas of the disk, the "signatures" of the original system are not stored with program file signatures.)

The actions of the package as a whole, regenerating itself from batch and data files, are quite fascinating. The program is a radical departure from any other reviewed system, and should be a valuable extra component for system security.

The change detection of the signature list may possibly be bypassed by a sophisticated virus, as it depends upon file length and checksum, rather than some of the more rigorous mathematical methods. However, the checksum is described by the company as "double-encrypted", and the method of calculation and protection, while not user definable, is not uniform throughout any release of the product.

The program, as it stands, is most useful against memory resident, program file infecting viri. Specific identification of sources of infection is not strong.

Local Support

In Australia, provided by Combat Software.

Support Requirements

Installation of the program is possible for novice users with standard computer configurations, but should likely be supported for any non-standard systems.
Novice or intermediate users will require assistance to identify the source of infection if a virus is detected.

General Notes

This package is quite fascinating in its novel approach to virus detection. There are numerous shortcomings, but the approach could be a valuable adjunct to current methods. While the current implementation has significant shortcomings, particularly in non-standard configurations, the concept is a valuable one and, hopefully, future development will make the package more valuable as a stand alone product.

Version 5.0 is said to be a major rewrite and upgrade. The virus signature library, which contains only two signatures in version 4.01, will identify all viral programs identified as "common" in the Hoffman Summary listing (the date of the listing is not specified.) The library will also "accumulate" signatures as new viral programs are encountered. Changes effective in version 5.0 will include a new interface and installation process. New utilities will be added, and protection against "stealth" viri will be enhanced. System requirements will increase to 256K RAM and DOS 3.0 or higher, but the use of DEBUG.COM will be dropped. The documentation will include a 200 page book on computer viral operations, with separate version specific technical references.

copyright Robert M. Slade, 1991   PCVC.RVW   910617

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@mtsg.sfu.ca | (SUZY) INtegrity
"If you do buy a computer, don't turn it on." -- Richards' 2nd Law of Data Security

------------------------------

Date: Mon, 17 Jun 91 23:57:37 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of IBM VIRSCAN version 2.00.01 (PC)

Comparison Review

Company and product:

IBM High Integrity Computing Lab
Thomas J. Watson Research Center
P. O.
Box 218
Yorktown Heights, New York USA 10598
Bill Arnold, author
David Chess  CHESS@YKTVMV.IBM.COM, CHESS@YKTVMV.BITNET

VIRSCAN 2.00.01 dated 910307

Summary: Non-resident scanner with user extensible signature file.

Cost $35 US for original license, $10 for upgrades, enterprise wide license

Rating (1-4, 1 = poor, 4 = very good)
  "Friendliness"
    Installation       3
    Ease of use        3
    Help systems       3
  Compatibility        3
  Company Stability    3
  Support              2
  Documentation        3
  Hardware required    4
  Performance          3
  Availability         2
  Local Support        1

General Description:

IBM's VIRSCAN product appears to fall somewhat oddly between commercial software and shareware. Although IBM retains all rights to the program (in a license agreement written as only IBM can), there is no printed documentation, and the package is available on either single disks or via the IBMLINK service. The price is reasonable for an individual, but almost absurdly low given the "enterprise wide" license.

VIRSCAN is a non-resident scanner with a non-encrypted and user extensible signature file. Command line switches can be used to obtain a variety of information about the system. The program makes no attempt to disinfect or delete infections.

Recommended for any situation, but particularly for medium to large companies and for intermediate to advanced users.

Comparison of features and specifications

User Friendliness

Installation

VIRSCAN, when supplied on disk, is shipped on "non-writable" diskettes. IBM does not suggest installation on the hard drive at all. The suggested use of the program is to boot from a protected floppy, and run the program from the floppy disk. The documentation does give directions on how to prepare a bootable floppy with the scanning program on it. These directions are very complete. (Directions are even given on how to write protect a 3 1/2" floppy disk, although they are not as explicit for 5 1/4" disks.)
An explanation of "resident" viri is given, and directions for booting from the original system floppy are given. The directions do assume that you have original IBM equipment and operating system disks, but should be clear for most systems, even for novice users. The documentation is written with the novice user in mind, and is, in places, excellent. Some "obvious" steps are missing in the directions, but by and large they are very clear, and cover ground often missing in the documentation of other products.

Ease of use

As the product has evolved, a number of command line switches have been added. The default settings, however, are very well chosen, and novice users should not need to know the various options. Advanced users will be able to use them without problems.

One possible problem is that by default the scan proceeds to conclusion even when the screen has filled with warning messages. This should not be a problem in normal operation, but may be of concern in scanning a heavily infected system. (The "-Z" switch will, however, cause the program to pause at each signature found, and this may be an acceptable alternative.)

Help systems

Two levels of help are available from the command line, called by switches. (Somewhat counterintuitively, the "?" switch gives more extensive and complicated assistance than does the "??" switch.) As the program is run from the command line only, "onscreen help" is not an issue.

Compatibility

VIRSCAN will run under both DOS and OS/2, and will examine drives with both DOS/FAT and HPFS file structures.

The structure of the signature file is outlined in the manual, and at least one other scanning program obtained for evaluation (Thunderbyte Scan from Frans Veldman) uses this same file format as a standard. This allows the use of additional signature information with the program, and also allows users to add new signatures to update the package, or their own signatures if a new virus is found.
Mention is made in the documentation of a switch to disable "high memory" checking, which appears to indicate that the program will check high memory by default. The extent of this is not, however, clearly specified in the documentation. In a communication from David Chess, it was explained that "high memory" is defined as the area between 640K and 1 meg. No scanning is done above 1 meg. (Note that when run from OS/2, the program does *not* check system memory. Memory is only checked when the program is run from DOS or the DOS compatibility box.)

Company Stability

They'll probably be around for a while.

Company Support

Those on the Internet and Usenet who receive VIRUS-L/comp.virus will have access to David Chess' postings and email address. IBMLINK subscribers will have access to upgrades and information.

Documentation

The documentation is available only in softcopy on the disk. While sections are excellent, the presentation and order of the manual (VIRSCAN.DOC) would likely be daunting to the novice. A major strength is the discussion of the weaknesses of the program, and a warning against trusting it too far.

Hardware Requirements

The documentation does not state any minimum requirements for operation.

Performance

While VIRSCAN does not search for as many viri as FPROT or SCAN, it catches all common viri. Speed of operation is neither the slowest nor the fastest tested, and is quite acceptable. Note that VIRSCAN makes no attempt to disinfect or delete infected files.

Local Support

Local support, even from IBM staff, is unfortunately undependable. There are numerous instances of those staff who should, presumably, be familiar with the product being unaware of its particulars and availability, or even giving out false information. (I was twice contacted by IBM staff who *offered* to get me copies of the program for evaluation, and then were unable to find it themselves.)
There have been a number of cases of IBM local representatives giving versions intended for internal use only to outside clients.

Support Requirements

The program should be suitable for any user. Support staff will find additional functions that novice users would not use. If, however, an infection is detected, additional support will be required. It is likely that only advanced users would be able to take effective action, and even then would likely require other antiviral packages to correct the situation.

General Notes

This product is an excellent value for any company. It is easy to see that IBM could lose control over the integrity of the product if it were to be distributed as shareware or "freeware". It is also reasonable that IBM be allowed to make some return on the resources devoted to this product. That said, I still could wish for some attempt to make the product more available to the general user community. The lack of support available through IBM representatives is disturbing. Again, while it is understandable that not all staff can be expert in all products, the lack of support for a product of such universal importance is to be regretted. In comparison to other scanners, the lack of disinfection would tend to make this product an adjunct rather than the only tool used. It is still, though, a high quality tool, and could easily be chosen as the primary virus alert product.

copyright Robert M. Slade, 1991   PCIBMSCN.RVW   910617

=============
Vancouver Institute for Research into User Security
p1@arkham.wimsey.bc.ca
Robert_Slade@mtsg.sfu.ca
(SUZY) INtegrity
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security

------------------------------

Date: Wed, 12 Jun 91 17:37:07 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of VirAway (PC)

Comparison Review

Company and product:

T.C.P. Techmar Computer Products
97 - 77 Queens Blvd.
Rego Park, NY 11374 USA
800-922-0015
718-997-6800
718-997-6666
fax: 718-520-0170
VirAway scanner version 1.46 dated 910128

Summary: Non-resident scanner

Cost: $49 US

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
  Installation        2
  Ease of use         3
  Help systems        1
Compatibility         2
Company Stability     3
Support               2
Documentation         1
Hardware required     4
Performance           2
Availability          2
Local Support         1

General Description:

VirAway is identical to the CURE program shipped with AntiVirus Plus from Techmar. The program is recommended only to "backstop" other systems, and should not be depended upon as the only means of antivirus protection in its current form.

Comparison of features and specifications

User Friendliness

Installation

VirAway, as shipped to me, comes completely unprotected. This may not be the usual form, as the disk documentation contains a READ.ME file which states that no changes have been made to the documentation, while I received no documentation with the package. An installation program is provided, which will only install from drive A: to the C: drive in a directory called \VIRAWAY. However, as installation consists solely of copying three files (and one "startup" batch file to the root directory), it is not difficult for the intermediate user to perform a "custom" installation.

Ease of use

Although VirAway came with no documentation, it responds to the same command line switches as does CURE. (Not terribly surprising: not only are the files identical in size, but CURE, when run, identifies itself as version 1.46 of VirAway.) Again, if no switches are used, the program will present a menu of options. However, command line switches seem to be only able to "add" to the default options. (For example, one cannot turn off the display of final statistics from the command line invocation.) There is an annoying bug in the program when allowed to disinfect: it appears to count both the infection detected, and the cleaning process, as an infection.
The final statistics will indicate that 1 file virus was found, and one cleaned, but will show the virus named as having caused two infections. (If two files are, in fact, infected, the display shows only two infections.)

Help systems

None provided.

Compatibility

As stated in the review of AntiVirus Plus, VirAway will find most common viri, but will not find the AIDS virus. VirAway will find viri active in memory, and, in testing, rendered them inactive. However, sufficient traces remained in memory to set off alarms from other virus scanners.

Company Stability

Techmar is the distributor of IRIS products (from Israel) in the United States.

Company Support

The evaluation copy of AntiVirus Plus was shipped in good time, although Techmar had not properly filled in the customs declaration. The copy of VirAway came unsolicited, which seems to indicate an active marketing group if nothing else.

Documentation

Not supplied.

Hardware Requirements

MS-DOS 2.0 or higher, 256K memory. The promotional material states that a dual floppy system is necessary, which conflicts with the installation batch file.

Performance

Detection of viral programs appears to be sufficient for most situations. Disinfection of memory appears effective, with the proviso noted above about false alarms from other scanners. (According to memory mapping utilities, the memory is also still "reserved".) Disinfection of boot sector viri appears to be effective. Disinfection of program files appears effective as to the virus removal, but may leave programs damaged. During testing, the memory was infected with the Jerusalem B virus (which VirAway reports as "Black Friday #1"). When VirAway was run, the virus was rendered inactive in memory, but it had already infected the VirAway program file. VirAway then disinfected itself, but increased in size from 81835 to 81840 bytes on disk.
Subsequent runs with the program against test sets of viri showed some odd behaviour and an inability to identify all previously identified viri. Also, subsequent runs of VirAway in memory showed a lack of ability to remove infections from memory.

Local Support

None provided.

Support Requirements

The program, while fairly simple to run, would not necessarily be suitable for novice users. Disinfection of viral infections is probably best left to experienced staff (and possibly other programs).

General Notes

As it stands, the program cannot be highly recommended. The number of viri detected is low even by the standards of other (admittedly more expensive) programs. The disinfection ability is somewhat questionable, and therefore undependable.

copyright Robert M. Slade, 1991   PCVIRAWY.RVW   910612

=============
Vancouver Institute for Research into User Security
p1@arkham.wimsey.bc.ca
Robert_Slade@mtsg.sfu.ca
(SUZY) INtegrity
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security

------------------------------

Date: Tue, 11 Jun 91 23:35:59 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Antivirus contact list (mostly PC)

As before ....

Sandy Jenish, Dave Reid (VP Marketing)
Advanced Gravis Computer Technology
7033 Antrim Avenue
Burnaby, B. C. V5J 4M5
604-434-7274
Telecopier: (604) 434-7809
Advanced Security for PC and Mac

Brightwork Development Inc.
766 Shrewsbury Ave.
Jerral Center West
Tinton Falls, NJ 07724 USA
201-530-0440
800-552-9876 (US only)
fax: 201-530-0622
Sitelock, Novell add-on operation restricting software, $495
product not available

British Computer Virus Research Centre
12 Guildford Street, Brighton, East Sussex, BN1 3LS, England
Tel: 0273-26105
Joe Hirst
Virus Simulation Suite, Eliminator/Virus Monitor/Virus Clean
see also ICVI

Carmel Software Engineering
EPG International
Hans-Stiessberger-Strasse 3
D-8013 Haar by Muenchen
head office Israel?
Turbo Anti-Virus Set, scanner, vaccine and change checker (including boot)
product not available

Central Point Software
15220 N. W. Greenbrier Parkway #200
Beaverton, OR 97006 USA
503-690-8090
Central Point Anti-Virus

Certus International
13110 Shaker Square
Cleveland, Ohio 44120 USA
216-752-8181
216-752-8183 Technical Support
BBS 216-752-8134
fax 216-752-8188
800-722-8737
Mike Mytnick, Cleveland
Michael Blumenthald (?), Anaheim
Peter Trippett, 4295370 on MCI mail
operation restricting software, particularly for LANs

ComNETco, Inc.
29 Olcott Square
Bernardsville, NJ 07924 USA
VirusSafe-Anti-Viral Software (cf EliaShim, also Enigma SafeWord (R) Virus-Safe)
mail undeliverable

CSM Management and Consulting
3031 Main St.
Vancouver, B. C. V5T 3G8
604-879-4162
Telecopier: 604-874-1668
Overlord
product not available

Cylink
110 S. Wolfe Road
Sunnyvale, CA 94086 USA
408-735-5800
telecopier: 408-738-8269
SecurePC - half card DES encryptor
product not available

PROGRAM CHAIRPERSON: DPMA Virus Conference, 1991
Richard G. Lefkon
NYU, DPMA Fin. Ind. Ch.
609 West 114th Street
New York, NY 10025
(212) 663-2315

Data Fellows Ltd
Finland
Ari Hypponen, hyde@ng.fi
hyde%daredevil.hut.fi@santra.hut.fi
data security consulting

Delta Base Enterprises
9800A - 140th St.
Surrey, B. C. V3T 4M5
604-582-1592
Fax: (604) 582-0101
CIS# 72137,603
Victor Charlie 4.0 - change detection

Digital Dispatch, Inc.
1580 Rice Creek Road
Minneapolis, MN 55432
mail undeliverable
55 Lakeland Shores
St. Paul Minn 55043
612-436-1000
800-221-8091
Antigen, Data Physician, Novirus-Anti-viral software
product not available

Director Technologies Inc.
906 University Place
Evanston, IL 60201 USA
Disk Defender-Half-Slot Virus Write-Interrupt Device
product not available

Dynamics Security Inc.
Cambridge, MA USA
mail undeliverable

EliaShim Microcomputers
520 W. Hwy. 436, #1180-30
Altamonte Springs, Florida USA
407-682-1587
VirusSafe - TSR scanner (cf ComNETco?)

Bob Bosen
Enigma Logic Inc.
2151 Salvio Street, #301
Concord, CA 94565 USA
Tel: (415) 827-5707
(800) 333-4416 (not from Canada)
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM
Safeword - change detection software

Fink Enterprises
11 Glen Cameron Road, Unit 11
Thornhill, Ontario L3T 4N3
416-764-5648
Telecopier: 416-764-5649
IRIS Antivirus (from Israel, cf Techmar)

FoundationWare
2135 Renrock Rd.
Cleveland, OH 44118 USA
Vaccine 1.2-Anti-viral software
mail undeliverable, now Certus

Gee Wiz Software Company
c/o Mrs. Janey Huie
10 Manton Avenue
East Brunswick, NJ 08816 USA
Dprotect-Anti-Trojan Software
product not available

Patricia M. Hoffman
1556 Halford Avenue, #127
Santa Clara, CA 95051
Voice: 1-408-246-3915
FAX : 1-408-246-3915
BBS : 1-408-244-0813
Virus Summary Document
also distributed by:
  Roger Aucoin
  Vacci Virus
  84 Hammond Street
  Waltham, MA 02154
  Voice: 1-617-893-8282
  FAX : 1-617-969-0385

Denny Kirk
Hyper Technologies
211 - 3030 Lincoln
Coquitlam, B. C.
604-464-8680
Integrity
still in production, not yet available

IBM High Integrity Computing Lab
Thomas J. Watson Research Center
P. O. Box 218
Yorktown Heights, New York USA 10598
Bill Arnold, author
David Chess CHESS@YKTVMV.IBM.COM, CHESS@YKTVMV.BITNET
VIRSCAN

IMSI Software
San Rafael, CA
415-454-7101
BBS 415-454-2893
VirusCure Plus
product not available

International Computer Virus Institute
1257 Siskiyou Boulevard, Suite 179
Ashland, OR 97520 USA
503-488-3237
503-482-3284
BBS 503-488-2251
Eliminator anti-viral, virus simulators plus books and consulting
see also British Computer Virus Research Centre, Joe Hirst

Interpath Corporation
Cylene-4-Anti-Viral software, no longer produced
defunct, cf McAfee

IP Technologies
Virus Guard
address no longer valid

Lasertrieve, Inc.
395 Main Street
Metuchen, NJ 08840 USA
Viralarm-Anti-Viral Software
product not available

LeeMah DataCom Security Corp.
3948 Trust Way
Hayward, CA 94545 USA
415-786-0790
product not available

Leprechaun Software Pty Ltd
PO Box 134
Lutwyche Queensland 4003
Australia
Lindsay Hough
+61 7 2524037
Leprechaun International
2284 Pine Warbler Way
Marietta Georgia 30062 USA
404 971 8900
fax 404 971 8988
Virus Buster
product not available

Look Software
Cliff Livingstone
Ottawa, Ontario
613-820-9450
Start - VIRUSCAN front end

Paul Mace Software
400 Williamson Way
Ashland, OR 97520 USA
tech support 503-488-0224
fax: 503-488-1549
sold and supported through:
  Fifth Generation Systems, Inc.
  10049 N. Reiger Rd.
  Baton Rouge, Louisiana USA 70809
  1-800-873-4384 sales and info
  504-291-7283 tech support
  504-291-7221 admin
  telecopier: 504-292-4465
Mace Vaccine-Anti-viral software.

McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054 USA
408-988-3832
Viruscan-Scans disk and RAM for viri.
Morgan Schweers - mrs@netcom.com
Aryeh Goretsky, Tech Sup.
  voice (408) 988-3832
  fax (408) 970-9727
  BBS (408) 988-4004
  INTERNET: aryehg@ozonebbs.uucp
            aryehg@tacom-emh1.army.mil
            aryehg@darkside.com
  UUCP: apple!netcom!nusjecs!ozonebbs!aryehg
        cynic!van-bc!apple.com!uuwest!aryehg
mcafee@netcom.com
cynic!van-bc!uunet!mimsy!ames!netcom.netcom.com!mcafee

Mike McCune
MMCCUNE@SCTNVE....
FTP from mibsrv.mib.eng.ua.edu in pub/ibm-antivirus/innoc.zip
INNOC Boot Virus Immunizer, boot sector overlay renders non-booting

Microcom Software Division
3700-B Lyckan Parkway
Durham, NC 27717 USA
also Norwood, MA
919-490-1277
800-822-8224
Virex-PC, also Virex for Mac - scanner
Mary Hughes
Glenn Jordan - beta list
Fidonet: 1:155/223
see also Software Concepts Design

Micronyx Inc
1901 N.
Central Expressway
Richardson, TX USA 75080
800-634-8786
fax: 214-690-0595
Triumph security package (PC and LAN)
product not available

Computer Security Division
National Computer Systems Laboratory
National Institute of Standards and Technology (NIST)
225/A216
United States Department of Commerce
Gaithersburg, Maryland 20899 USA
310-975-3411
BBS 2400 bps 301-948-5717
BBS 9600 bps 301-948-5140
John P. Wack
Marianne Swanson (sysop)
csrc@nist.gov
JWack@nist.gov
wack@csmes
cynic!van-bc!csmes.ncsl.nist.gov!wack
dds@csmes.ncsl.nist.gov (Dennis D. Steinauer)
steinauer.ncsl.nist.gov (CSME1.NCSL.NIST.GOV)
cynic!van-bc!csmes.ncsl.nist.gov!dds

Orion Microsystems
Quebec

Panda Systems
801 Wilson Road
Wilmington, DE 19803 USA
Dr. Panda Utilities-Anti-Viral Software
product not available

Parsons Technology
375 Collins Road NE
Cedar Rapids, IA 52402 USA
319-395-9626
Virucide

A. Padgett Peterson, Computer Network Security
Orlando
(407)356-4054, 6384 work
(407)356-2010 FAX
(407)352-6007
cynic!van-bc!uvs1.orl.mmc.com!tccslr.dnet!padgett
padgett%tccslr.dnet@uvs1.orl.mmc.com [host unknown]
note: To: "Robert_Slade@mtsg.sfu.ca"%UVS1.dnet@uvs1.orl.mmc.com
cynic!van-bc!uvs1.orl.mmc.com!tccslr.dnet!padgett@dinl.den.mmc.com
uvs1.orl.mms.com!padgett%tccslr.dnet@cs.utexas.edu
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com
DISKSECURE

PKWare, Inc.
7545 North Port Washington Road
Glendale, WI 53217-3442 USA
PKZIP, PKSFX-File compression utilities with encryption option

Prime Factors
1470 East 20th Avenue
Eugene, OR 97403 USA
VI-Raid-Anti-Viral Software
product not available

Publisher One
Baltimore, Maryland
Chris - HU349C%GWUVM.BITNET@gwuvm.gwu.edu
virus protection book (Jan '92?)

PYRAMID Development Corp
20 Hurlbut Street, West Hartford, CT 06110
203-953-9832
Fax: 203-953-3435
PC/DACS retail $249.00.
product not available

Quaid Software Ltd.
45 Charles Street East
Toronto, ON M4Y 1S2
416-961-8243
Antidote-Anti-Viral Software
product not available

RG Software Systems Inc
6900 East Camelback Road
Suite 630
Scottsdale AZ 85251
+1 602 423 8000
Diskwatcher 2.0, ViSpy
product not available

Fridrik Skulason
Box 7180
IS-127 Reykjavik
Iceland
frisk@rhi.hi.is
F-PROT-Virus detection/protection/disinfection and utilities

Ross Greenberg
Software Concepts Design
594 Third Avenue
New York, NY 10016 USA
Flushot-Anti-Viral Software.
see also Microcom

S&S International Ltd.
Berkley Court, Mill Street
Berkhamsted, Herts. HP4 2HB
England
Phone: +44 442 877 877
Fax: +44 442 877 882
BBS: +44 494 724 946 (used to be -- still valid??)
E-Mail:
Dr. Alan Solomon
Dr. Solomon's Anti-Virus Toolkit (SHERLOCK and HOLMES?)
Vendor:
  perComp Verlag GmbH
  Holzmuhlenstrasse 84
  2000 Hamburg 70
  Germany
  Phone: +49 40 693 2033
  Fax: +49 40 695 9991
  E-Mail:
  Gunter Musstopf
product not available

Luis Bernardo Chicaiza Sandoval
Phone: (91)2 02 23 78
Universidad de los Andes
Bogota, Colombia
mail address:
Compucilina US$70, adds self check module
review copies not available

SECTRA
Teknikringen 2
S-583 30 Linkoping
SWEDEN
Telephone: +46 13 235214
FAX: +46 13 212185
tommyp@sectra.se
TCell unix change checker

Sophco
P.O. Box 7430
Boulder, CO 80306 USA
Vaccinate-Anti-Viral Software
product not available

Sophos Limited
20 Hawthorne Way
Kidlington, Oxford, OX5 1EZ UK
Vaccine-Anti-Viral Software
product not available

Swarthmore Software Systems
526 Walnut Lane
Swarthmore, PA 19081 USA
Bombsquad, Check-4-Bomb-Anti-Trojan software

Stratford Software
#2047-4710 Kingsway
Burnaby, BC V5H 4M2
(604) 439-1311
SUZY Information System, INtegrity antivirus information network

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA 95014 USA
408-253-9600
800-343-4714
800-441-7234
408-252-3570
416-923-1033
Norton AntiVirus

Tacoma Software Systems
7526 John Dower Road W.
Tacoma, WA 98467
VIRSTOP 1.05

T.C.P. Techmar Computer Products
97 - 77 Queens Blvd.
Rego Park, NY 11374 USA
800-922-0015
718-997-6800
718-997-6666
fax: 718-520-0170
IRIS Antivirus (cf Fink), Antivirus Plus (purported "AI vaccine"), VirAway scanner

Tomauri Inc.
30 West Beaver Creek Road, Unit 13
Richmond Hill, Ontario L4B 3K1
416-886-8122
Telecopier: 416-886-6452
PC Guard - password protection board, also for Mac
product not available

Trend Micro Devices Inc.
2421 W. 205th St., #D-100
Torrance, CA 90501 USA
213-782-8190
fax: 213-328-5892
PC-cillin - program change detection hardware/software

University of Cincinnati
Dep't. of Computer Engineering
Mail Loc. 30 - 898 Rhodes Hall
Cincinnati, OH 45221-0030 USA
Cryptographic Checksum-Anti-Viral software

Vacci Virus
84 Hammond Street
Waltham, MA 02154
Voice: 1-617-893-8282
FAX : 1-617-969-0385
distributes Hoffman Virus Summary Document, other products unknown

Vancouver Institute for Research into User Security
3118 Baird Road
North Vancouver, B. C. V7K 2G6
604-984-9983
virus research archives, seminars, vendor contact list, product reviews, consulting

Frans Veldman
ESaSS B.V.
P.o. box 1380
6501 BJ Nijmegen
The Netherlands
Tel: 31 - 80 - 787 771
Fax: 31 - 80 - 777 327
Data: 31 - 85 - 212 395 (2:280/200 @fidonet)
c/o Jeroen W. Pluimers/Smulders
  P.O. Box 266
  2170 AG Sassenheim
  The Netherlands
  work: +31-71-274245 9.00-17.00 CET
  home: +31-2522-11809 19:00-23:00 CET
  email: 2:281/521 or 2:281/515.3
  email: PLUIMERS@HLERUL5.BITNET
         FTHSMULD@rulgl.LeidenUniv.nl
         ugw.utcs.utoronto.ca!rulgl.LeidenUniv.nl!FTHSMULD
TBSCAN, TBRESCUE, TBSCANX, Thunderbyte card

Mikael Larsson
Virus Help Centre
Box 7018
S-81107 SANDVIKEN
SWEDEN
Phone : +46-26 100518
Fax : +46-26 275720
BBS : +46-26 275710 (HST)
FidoNet : 2:205/204
VirNet : 9:461/101
SigNet : 27:5346/108 (soon)
Email : vhc@abacus.hgs.se

Virus Test Center, Faculty for Informatics
University of Hamburg
Schlueterstr. 70, D2000 Hamburg 13, FR Germany
Prof. Dr.
Klaus Brunnstein, Simone Fischer-Huebner
Contact: Margit Leuschner (VTC, secretary)
Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162 (ML)
Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de
Computer Virus Catalog (MS-DOS, Mac, Amiga and Atari)

Worldwide Software Inc.
20 Exchange Place, 27th Floor
New York, NY 10005 USA
212-422-4100
Telecopier 212-422-1953
warren@worlds.com
Vaccine Version 3.20 - Anti-Viral Software.

=============
Vancouver Institute for Research into User Security
p1@arkham.wimsey.bc.ca
Robert_Slade@mtsg.sfu.ca
(SUZY) INtegrity
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 105]
******************************************

Date: Thu, 20 Jun 91 10:37:45 EDT
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #106

VIRUS-L Digest   Thursday, 20 Jun 1991    Volume 4 : Issue 106

Today's Topics:

  Re: Virus scanners (PC)
  Questions about "Disinfectant" are ANSWERED.. Thanks (Mac)
  virus detection by scanners ?
  (PC)
  re: FSP and sales figures (was: Into the 1990s)
  Int 24 virus info needed (PC)
  Re: Checksumming
  How viruses actually spread
  Review of Victor Charlie (addendum) (PC)
  Spanish Virus/Telefonica (PC)
  Re: Scanning infected files (PC)
  Re: joshi & vsum & f-prot & ll format (PC)
  Re: virus detection by scanners ? (PC)
  Requirements for Virus Checkers (PC)
  Re: Interesting interaction ( VIRx & SCAN ) (PC)

--------------------------------------------------------------------------------

Date: 18 Jun 91 11:53:35 -0400
From: "David.M.Chess"
Subject: Re: Virus scanners (PC)

>Date: Mon, 17 Jun 91 13:05:00 -0400
>From: Al Woodhull

>The new files contain all of the infected code and so are
>good test targets, but since there is no way to execute the infected
>code it is essentially just a block of data.

They aren't necessarily good test targets. "Bulk" scanners (like IBM's), that look through every byte of every file for patterns, will identify them as infected, but scanners that look at, for instance, specific areas based on the file's entrypoint will not see them as infected, even if they work fine on actually-infected files. I believe Alan Solomon's Anti-Virus Toolkit (I may have the name wrong) is of the latter kind, for instance.
So if a scanner doesn't see those files as infected, it doesn't necessarily mean that it wouldn't see a normally-infected file as such...

DC

------------------------------

Date: Tue, 18 Jun 91 11:11:11 -0600
From: James Firmiss
Subject: Questions about "Disinfectant" are ANSWERED.. Thanks (Mac)

Thanks for all the info...

"Vaccine (TM) 1.0.1", "KillVirus", and "Kill WDEF - virus INIT" have been cast into our pit of obsolete & useless programs (with "Ferret" and "Kill Scores"). Disinfectant 2.4 and its INIT are on all our MACs. Sam Intercept is on all of them too. I hear it requires some sort of password to remove it. I've never tried to, but I don't think anyone here remembers what the password is. I'll have to RTFM (if I can FIND TFM).

James Firmiss (Foxx Fox)
firmiss@cae.wisc.edu
Univ. of Wisc. Madison
Materials Science Program
Plasma Source Ion Implantation
"Beep. Beep Beep. Beep Beep." - vi editor

------------------------------

Date: 18 Jun 91 13:05:32 -0400
From: "David.M.Chess"
Subject: virus detection by scanners ? (PC)

>From: hermann@uran.informatik.uni-bonn.de (Hermann Stamm)
>Date: 07 Jun 91 14:33:23 +0000

>I have a few questions concerning detection of virii in general and
>1701 in special.

The main thing you've discovered here is that scanners only reliably detect the viruses that they know about. If you create a new virus (from scratch, or by modifying an old one), it's very likely that some scanners will no longer detect it. No big surprises there!

>First of all, I hope that only good guys are on this list, because the
>remarks made here would otherwise result in hundreds of newly virii.

Almost certainly a false hope; there's no reason to think that no virus writers are reading this. On the other hand, I think they already understand the principle!
One could have wished you'd been a little less explicitly helpful to them, but I don't think it'll hurt, at least in the long run.

> - what other scanner should I try for these versions ?

Some scanners may be "lucky", and see your home-grown variants as infected. IBM's Virus Scanning Product, for instance, will recognize the first of your monsters as a variant of the 1701.

> - is it true, that any scanner must try to look at the
>   semantics of such decoders, and not at the shape ?
>   (undecidable problem ?)

Yep, deciding whether or not a given program is a virus is definitely undecidable. Fred Cohen proved that a while back. So if you take some existing virus, and make some changes to it, the question of whether or not the result is still a virus is not one that *any* program is going to get right all the time. Scanners reliably detect only *exactly* the viruses they know about, not variants that you (probably unwisely) choose to create.

> - which systems are good by looking at the length of
>   files and reporting differences ?

Any good modification-detection program will look at the *contents* of files (not just the length), and tell you what's changed. Of course, if you want to be able to trust the result, you have to get the machine into a known state first (cold-boot from a trusted floppy, don't run anything from the suspect hard disk).

> - Is the following behaviour possible for a virus:
>
>   After getting resident, it forces to do a warm-start
>   with ctrl-alt-del, and then it copies itself to all
>   .com-files encountered during rebooting
>   (like command.com, ...).
>
>   I think, that this is the way most of my .com-files
>   were infected.

A virus could certainly do that, but the 1701 doesn't. Most likely it infected something in the autoexec, so that the next time you booted, it got control early, and then infected everything else executed thereafter (that's how the 1701 works; it infects every com executed after you run the first infected one).

DC

P.S.
Assume that anything you post in public will be read by a large number of virus authors. Please *don't* post live virus code, or suggestions for improvements to existing viruses! *8)

------------------------------

Date: Tue, 18 Jun 91 13:24:44
From: microsoft!c-rossgr@uunet.uu.net
Subject: re: FSP and sales figures (was: Into the 1990s)

>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)

(Sorry for the delay...off line for a while)

>Ross: we seem to be cross communicating. In our shop we do not use "pre-
>installed" copies, no two machines are alike anyway & we are running
>everything from DOS 2.0 up. On installation, the package we use takes
>3-5 minutes to take a "snapshot" of the PC and record every executable
>on it during installation.

So, then, you have to install the program on each machine. Taking that "snapshot" is a good idea, but still has problems if you use a) a new seed on each machine and b) store that seed someplace where it can be seen by "the bad guy". If someone is going to subvert the code, they're gonna subvert the code and there's nothing we can do about it. It's not as if DOS were a real operating system -- it provides no real protection, and simply putting more and more layers of "feel-good-and-warm-and-fuzzy" dressing on DOS simply makes a person *feel* better, but provides them with nothing. If somebody wanted to create a virus that gets around my stuff and the code of everybody else out there, they probably could. Targeting my code is sorta silly: it's too easy to simply go right out to the disk controller if you really needed to.

>Only if the "bad guy" knows where it is stored and if the offsets are
>the same on every machine - one of the drawbacks to
>"pre-installation". If you cannot ensure the physical integrity of the
>machine all bets are off. It would take a complex and specifically
>targeted piece of software to be able to determine that you were there
>(and not some other routine) and bypass it - not for an amateur.

Right.
So, if they're targeting my code, no protection will suffice; if they are not targeting my code, why bother making things more complex. Your mileage may, of course, vary.

>One of the problems is that at present there is a single criterion for
>judging PC protection programs: the number of viruses it detects. In
>actuality, this is one of the lesser threats that a full package
>should take care of.

Well, the efficiency of a package in stopping viral infections has yet to have any scale to measure it by. When such a scale exists, all the vendors will be climbing to the top of that heap, too.

Ross
(My views, not Microsoft's)

------------------------------

Date: Tue, 18 Jun 91 14:26:47 -0400
From: Alex Nemeth
Subject: Int 24 virus info needed (PC)

I remember something about an INT 24 virus that was discussed several months ago. Could someone please send me some info on it, or tell me in which back issue of Virus-L I might find more.

Thanks

Alex Nemeth
AN5@cornellc.cit.cornell.edu
AN5@CORNELLC.BITNET

------------------------------

Date: Tue, 18 Jun 91 15:17:36 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Re: Checksumming

>From: Y. Radai
> Mike Lawrie writes:
>> ... sooner or later this scenario [infecting
>>files by performing SCAN while a virus like Plastique is in RAM] will
>>re-occur, as you will get hit with a similar type of virus that McAfee
>>has not yet catered for, even if you have their very latest version.
>Right;

First, organizations have been woefully lacking in training of personnel expected to deal with malicious software (a management problem). Our technicians get two days of targeted training before being certified to respond to suspected viruses.
That said, since employees are instructed to power down and quarantine any PC suspected of having a virus, the first action after questioning the employee for symptoms is to cold boot from a write-protected floppy and check the system out in that manner, including a "scan" of the disk and examination of the MBR and DOS Boot Record. Only if that comes up negative is the PC allowed to boot itself. At this point the system integrity is repeatedly validated using MEM/DEBUG and CHKDSK to determine if something is trying to go resident. At this point, McAfee's SCAN is often used in a different way: the command "SCAN NUL /M" results in only memory (no files) being checked for all viruses it knows about. If this fails then file comparisons are done and the audit trails are checked (all PCs including employees' home machines are authorized to use a site-licensed checksumming program).

Again a layered approach by trained personnel is necessary to protect against the sort of global disaster mentioned (incidentally, during my training session at the CSI Conference in Denver, I thoroughly infected the demo PC with the 4096 only to discover that there was no 5 1/4 boot floppy to use for recovery - had several 3 1/2s for the laptop, but no 5 1/4s. Entertaining.)

BTW the McAfee product .DOCs do mention in several places the advisability of booting from a known clean, write-protected floppy first.

>>A checksummer gives you no
>>security whatsoever, because it does not prevent a viral infection.

>True, a checksummer does not prevent infection, but at least it can
>*detect* infections, and that's a lot better than no security at all!!

Depends on the checksummer - the one we use performs the checksum routine on any program presented for execution. If the program is not known to the audit trail, a screen warns the user that the program is unknown. Depending on the setting, the user may or may not be permitted to execute the program.
I suppose that this really comes under the heading of access control but should be part of any integrity management solution.

>... a program which prevents infections through floppy boots (to
>be mentioned soon)...

I believe that VSHIELD protects from hot-boots now - do not believe that prevention from cold boots can be done without hardware or special BIOS. My next project now that DISKSECURE is essentially complete will be a small addition to warn the user on boot if a floppy is in the drive - should not be difficult or require much code (trap Ctrl-Alt-Del, check for floppy, write warning message, loop for response); several viruses make use of this technique already so it cannot be too difficult (famous last words).

Cooly (a/c working again)
Padgett

------------------------------

Date: Wed, 19 Jun 91 00:50:00 +0000
From: William Hugh Murray <0003158580@mcimail.com>
Subject: How viruses actually spread

>Of course I don't do much with shareware or BBS downloading which is
>where I imagine most of the problems are.

Along with many others, you imagine an untruth. Both PC and Mac viruses spread by sharing of machines and diskettes. They might have been spread by BBSs but they have not been. They might have been spread by shareware, but they have not been. Regular readers of this forum are aware of this, but it bears re-stating, particularly in the face of speculation to the contrary.

The most successful viruses infect boot sectors of diskettes, partition tables or boot sectors of hard drives, and go resident, i.e., they are TSRs. They spread when users permit strange diskettes to be inserted in their machines, or when they put their diskettes in machines that they did not themselves boot from a known source. While they can and do spread marginally in other ways, this high-risk behavior accounts for their current success.
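Padgett Peterson's description, in the Checksumming reply above, of a checksummer that hashes every program presented for execution and consults an audit trail is worth seeing as code. What follows is an added illustration in Python, not the site-licensed program he refers to and not anything posted to the list; SHA-256 as the checksum, the verdict names, the allow_unknown switch and the tiny appending-infector simulation are all my assumptions, and the .COM images are constructed for the example.

```python
"""Execution-gated checksum audit trail (added example; not the
site-licensed checksummer the post refers to).  SHA-256 and the
simulated infector are assumptions, the program images are constructed."""
import hashlib
from typing import Dict, Optional

KNOWN, UNKNOWN, MODIFIED = "known", "unknown", "modified"


def digest(image: bytes) -> str:
    """Checksum of a program image (SHA-256 is an assumption)."""
    return hashlib.sha256(image).hexdigest()


class AuditTrail:
    """Records one checksum per program name on a machine believed clean,
    then judges every program presented for execution."""

    def __init__(self, allow_unknown: bool = False) -> None:
        self.allow_unknown = allow_unknown      # the "setting" in the post
        self._hashes: Dict[str, str] = {}

    def record(self, name: str, image: bytes) -> None:
        self._hashes[name] = digest(image)

    def verdict(self, name: str, image: bytes) -> str:
        stored: Optional[str] = self._hashes.get(name)
        if stored is None:
            return UNKNOWN
        return KNOWN if stored == digest(image) else MODIFIED

    def may_execute(self, name: str, image: bytes) -> bool:
        """Gate: known -> run; unknown -> run only if the policy permits;
        modified -> never run (the refusal is also the detection)."""
        v = self.verdict(name, image)
        if v == KNOWN:
            return True
        if v == UNKNOWN:
            return self.allow_unknown
        return False


def append_infect(image: bytes, virus_body: bytes) -> bytes:
    """Constructed stand-in for a simple appending .COM infector: the host's
    first three bytes are saved after the host and replaced by a near JMP to
    the appended body (.COM loads at 0x100, so rel16 = len(host) - 3)."""
    saved = image[:3]
    rel = len(image) - 3
    jmp = b"\xE9" + rel.to_bytes(2, "little")
    return jmp + image[3:] + saved + virus_body


def demo() -> Dict[str, object]:
    """Baseline two constructed images, then present a clean copy, an
    infected copy and a never-seen program for execution."""
    game = b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3" + b"Hello$"   # constructed .COM
    editor = b"\xB8\x00\x4C\xCD\x21"                        # constructed .COM
    trail = AuditTrail(allow_unknown=False)
    trail.record("GAME.COM", game)
    trail.record("EDIT.COM", editor)
    infected = append_infect(game, b"\xEB\xFE")   # constructed "virus": jmp $
    return {
        "clean": trail.verdict("GAME.COM", game),
        "infected": trail.verdict("GAME.COM", infected),
        "unknown": trail.verdict("NEW.COM", b"\xC3"),
        "run_infected": trail.may_execute("GAME.COM", infected),
        "run_unknown_strict": trail.may_execute("NEW.COM", b"\xC3"),
        "run_unknown_lenient": AuditTrail(allow_unknown=True).may_execute("NEW.COM", b"\xC3"),
        "size_grew_by": len(infected) - len(game),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The gate fires when the program is presented for execution, which is after the write that infected it; that is exactly Radai's point that a checksummer detects rather than prevents. Whether a program the trail has never seen runs at all is the allow_unknown policy, which is the access-control side Padgett mentions.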
------------------------------

Date: Tue, 18 Jun 91 18:23:54 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of Victor Charlie (addendum) (PC)

For those who want to "try before you buy", Victor Charlie version 3.2 is a "freeware" demo version. The file VC3-2.ZIP should be available on BBS's, and is posted on SUZY.

=============
Vancouver Institute for Research into User Security
p1@arkham.wimsey.bc.ca
Robert_Slade@mtsg.sfu.ca
(SUZY) INtegrity
Canada V7K 2G6
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Data Security

------------------------------

Date: Wed, 19 Jun 91 04:14:00 +0000
From: Ben Zajac <0004193926@mcimail.com>
Subject: Spanish Virus/Telefonica (PC)

Recently, a virus was discovered at Oxford University, Oxford (England) and the City University at London (England). It has been named "Spanish Telecom," and also "Telefonica." According to information that I have received from the UK, the virus does not kick in until after the system has been booted up 400 times.

The code reportedly contains the following message:

"Menos tarifes y mas servivios"

Which means: "Lower tariffs, more service"

Damage -- When triggered, destroys (overwrites) hard disks.

Detection: The virus is in *.COM files and boot sector.

Pattern:
Header 1    - 881D 8200 83FB 0074 188F 5500 B2; OFFSET 034H
Header 2    - 83ED 09BE 2001 03F5 FC86; OFFSET 024H
Boot Sector - 8A0E EC00 8E700 0003 F18A 4C02 8A74 03C3; OFFSET 083H

I have not personally examined this virus; however, I have no reason to doubt the source.

Bernard P. Zajac, Jr.
MCI MAIL - 4193926@MCIMAIL.COM

------------------------------

Date: 19 Jun 91 08:26:44 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Scanning infected files (PC)

>Good question, but: wouldn't it be possible for the stealthy virus to
>trap the sector I/O and "fix" it to also hide its tracks?

Not only possible - it has already been done. At least one virus, simply known as INT13, does just this.
-frisk

------------------------------

Date: 19 Jun 91 08:30:32 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: joshi & vsum & f-prot & ll format (PC)

treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes:

> f-prot must be intended to work - "cured" - so can the author
>speak to this?

As far as I knew, F-DISINF should have been able to remove the Joshi virus. I'll look into this right away and check what the problem is.

-frisk

------------------------------

Date: 19 Jun 91 08:22:54 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: virus detection by scanners ? (PC)

hermann@uran.informatik.uni-bonn.de (Hermann Stamm) writes:

> - what other scanner should I try for these versions ?

It does not matter - you will get practically the same results. My scanner may detect some of those SCAN missed or vice versa, but that is not important. What is important is that you cannot expect a scanner to detect a modified virus. It may work, or it may not, but there is absolutely no guarantee. A scanner is designed to detect existing viruses, not new ones or new variants of older viruses, although some scanners may detect some new variants of some viruses.

> - is it true, that any scanner must try to look at the
> semantics of such decoders, and not at the shape ?

Well, if it looked at something else, it would not be a scanner.... :-)

Don't misunderstand me - there are programs which may look at the 1701 virus, or some of your modified variants, and report something like:

This program seems to contain additional code at the end, which starts by performing decryption of itself. This is typical of a virus.

But a program like this is not a scanner - it is a generic analysis tool, unable to identify viruses - it just reports anything "suspicious".

> - which systems are good by looking at the length of
> files and reporting differences ?

Differences between what?
> - Is the following behaviour possible for a virus:
>
> After getting resident, it forces to do a warm-start
> with ctrl-alt-del, and then it copies itself to all
> .com-files encountered during rebooting
> (like command.com, ...).

No - it is not possible.

------------------------------

Date: Tue, 18 Jun 91 23:11:30
From: microsoft!c-rossgr@uunet.uu.net
Subject: Requirements for Virus Checkers (PC)

>From: Robert McClenon <76476.337@CompuServe.COM>

(Sorry for the delay...offline for a while)

>Excuse me, but I use Virex-PC, which is Ross's product. I do
>occasionally need to remove it, not to troubleshoot IT, but because
>something is incompatible with it. One commercial game requires 540K
>of FREE memory, not counting MOUSE.SYS, which it uses, and can't fit
>if Virex-PC is installed.

The next version of the code runs the resident virus checker in 608 bytes, Robert. I think I can shave about 150 more off of that....

> A third-party fax board program has TSR
>conflicts with Virex-PC. I don't know what it is doing, but it tries
>to take over the same interrupts as Virex-PC and the results are
>unpredictable. (Sometimes it refuses to run. Sometimes it crashes.)

Have you called tech support @ Microcom (919-490-1277) and told them about it? We might have a fix someplace around, or can attempt to figure out what's wrong and fix it in the next release.

EVERYBODY: Never accept a problem with a piece of code: the vendor can't fix it if they don't know there is a problem.

Ross

------------------------------

Date: Wed, 19 Jun 91 16:30:21 +0000
From: kforward@kean.ucs.mun.ca (Ken Forward)
Subject: Re: Interesting interaction ( VIRx & SCAN ) (PC)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

> Noted an interesting interaction between two antivirals the other day,
> and finally tracked it down. If VIRx 1.4 is run before SCAN 77, SCAN
> will "detect" the presence of the 3445 and Doom 2 viri in memory and
> refuse to run.
Tried this out for myself; no 3445 or Doom 2, but Taiwan3 [T3] was "found" in memory. Has anyone experienced any other false positives with this combination?

Cheers,
---------------------------------------------------------------------------
Kenneth Forward            | "...don't plant your bad days,
MUN Dept of Physics        |  they grow into weeks..."
kforward@kean.ucs.mun.ca   |  -Tom Waits-
---------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 106]
******************************************

Date: Thu, 20 Jun 91 16:12:58 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #107
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Thursday, 20 Jun 1991   Volume 4 : Issue 107

Today's Topics:

Re: virus detection by scanners ? (PC)
Pro vs Reactive Protection (PC)
Re: Boot sector viruses on IDE drives (PC)
FPROT116 is on BEACH (PC)
Can such a virus be written .... (PC)
Boot sector viruses on IDE drives (PC)
doom 2 (PC)
protecting mac files via locking (Mac)
Stoned & Novell? (PC)
VSHIELD and Warm Boots (was Re: Checksumming) (PC)

----------------------------------------------------------------------

Date: 19 Jun 91 15:53:28 +0000
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)
Subject: Re: virus detection by scanners ? (PC)

I'm somewhat suspicious of any code with the following instructions:

E80000   CALL (next instruction)
(except that some linkers produce that for a near call to an unsatisfied external, and it could be required for ROM/position-independent code that needs to access data)

3134     XOR [SI],SI
(except that that is ASCII '14')

There doesn't appear to be much else fixed in there except

B*8206   MOV ??,0682

which could also be changed if you have a spare byte, which you can get in your last try. (Details omitted -- let's not make it TOO easy.)

I hope some virus scanners have a signature for 1701 in the encrypted portion.

--
2165888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
a_rubin@dsg4.dse.beckman.com (work)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date: Wed, 19 Jun 91 12:51:57 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Pro vs Reactive Protection (PC)

In recent issues, there has been considerable outcry concerning the "unremovable" infections that seem to plague many users and that the generic anti-viral packages are not able to deal with them.
To respond, I have one PC (an XT) that has been infected with everything possible yet recovery is trivial; it has been low-level formatted only once (when it was delivered), and high-level formatted an equal amount. Of course, being an "infection" machine, it has some special qualities, but none that I do not practice on my home machines as well.

For one, before every infection, the machine is fully backed up including MBR, hidden sectors, DOS Boot Record, and both FATs (Bernoullis help & it is only a 10 MB disk); however the special portions mentioned all fit on a bootable 360k floppy and are self-restoring (similar disks exist for each of the other machines except I usually do not save the FATs on these).

This process has a number of advantages but does require a "recovery" disk (preferably two) for each PC; however the process is nothing a good tech cannot accomplish in five minutes using nothing more sophisticated than DEBUG - less if automated, then the longest delay is SYSing the recovery disk with the OS in use & copying any special drivers in use.

Unfortunately for many users, this MUST be done with an uninfected machine. Since many call for help only after infection, this pro-active activity is useless at that point.

Currently, the tool of choice seems to be McAfee's CLEAN, a generic tool that is designed along the lines of the Oath of Hippocrates: "First, Do No Harm". Even if it recognizes the virus (e.g. MusicBug), and knows where it stores the Boot Record, it must verify each step of the way (is this really the mk 1 MusicBug or might it be a clone? Does it look like register values in the proper location? Does the retrieved sector look like a real Boot Sector? Do the table values match this disk?) If any step fails, a generic disinfector MUST refuse to continue. (Those who have experienced total loss as a result of certain "doctor" programs please raise your hands.)
One of the things that can cause such problems is multiple infections; another is the sheer diversity of boot record/MBR codes - last year a European testing program recorded a PNCI boot record as suspect; early versions of PC-Tools had an incredible boot record that is the only one I have ever seen that would work with both MS-DOS and PC-DOS. Sometimes it is hard to tell the good guys from the bad guys.

Recently, I have seen reports that some viruses use code that is so close to each other's that many scanners cannot tell the difference, yet the EMPIRE and the AZUSA need radically different cures if the original table was not backed up somewhere off-PC (have had reports of EMPIRE being reported as AZUSA/Hong Kong). In this case, you are just going to have to re-read your back issues of VIRUS-L for the identifiers of each strain and the manual removal methods that should have appeared along with the report (or soon after).

Just to add one final note of cheer: as the strains keep increasing, the likelihood of misidentification will continue to increase, but for me, I would rather have a "false positive" to alert me to changes than "false negatives" any day. After all, we have the tools, training, and backups to handle just about anything but we "can't fix it if we don't know it's broke".

Cooly,
Padgett

------------------------------

Date: 19 Jun 91 14:58:45 -0500
From: short@evax9.eng.fsu.edu
Subject: Re: Boot sector viruses on IDE drives (PC)

johnboyd@logdis1.oc.aflc.af.mil (John Boyd;LAHDI) writes:

> not possible on an IDE drive. So the question becomes; for an IDE
> drive, what DO you do to get rid of a boot sector virus?

McAfee Associates (the ScanV folks) have a program that will remove a boot sector virus. Its name is Clean-Up. They also have another called Mdisk. I'll vouch for it, as it removed the Stoned virus from my Seagate ST-1144A IDE drive without a hitch. I don't know of an FTP location, but it can be obtained from the author's BBS at 408-988-4004.
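Padgett Peterson's "Pro vs Reactive Protection" post above lists the questions a generic disinfector must answer before it writes anything back (does the retrieved sector look like a real boot sector? do the table values match this disk?). The following is an added Python illustration of those checks; it is not code from CLEAN, MDISK or any product named in the thread. The MBR, the DOS boot record and the virus-loader sector are all constructed here for the example, and the BPB layout assumed is the DOS 3.3 one with the standard 16-byte MBR partition entry.

```python
"""Verify-before-restore checks for a DOS boot record (added example;
not code from CLEAN, MDISK or any product in the thread).  All sample
sectors are constructed; BPB layout is the DOS 3.3+ one."""
import struct
from typing import Dict, List

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"      # BPB at offset 0x0B: bps, spc, reserved, fats,
                               # root entries, total16, media, spf, spt,
                               # heads, hidden, total32
PART_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA, count


def partition_entry(mbr: bytes, index: int = 0) -> Dict[str, int]:
    """Read one partition-table entry from a master boot record."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad size or missing 55AA")
    status, _, ptype, _, lba, count = struct.unpack_from(
        PART_FMT, mbr, 0x1BE + 16 * index)
    return {"bootable": int(status == 0x80), "type": ptype,
            "lba": lba, "sectors": count}


def check_boot_record(candidate: bytes, part: Dict[str, int]) -> List[str]:
    """Return every reason NOT to write `candidate` back as the DOS boot
    record of partition `part`.  An empty list means it looks genuine
    AND belongs to this disk; any entry means a disinfector must stop."""
    problems: List[str] = []
    if len(candidate) != SECTOR:
        return ["candidate is not one 512-byte sector"]
    # Does it look like a real boot sector?
    if candidate[510:512] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    jmp_short = candidate[0] == 0xEB and candidate[2] == 0x90
    jmp_near = candidate[0] == 0xE9
    if not (jmp_short or jmp_near):
        problems.append("does not start with a JMP over the BPB")
    (bps, spc, reserved, fats, root_entries, total16, media,
     spf, spt, heads, hidden, total32) = struct.unpack_from(BPB_FMT, candidate, 0x0B)
    if bps != SECTOR:
        problems.append(f"bytes per sector {bps} != {SECTOR}")
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if reserved == 0:
        problems.append("reserved sector count is zero")
    if fats not in (1, 2):
        problems.append(f"FAT count {fats} is not 1 or 2")
    if root_entries == 0 or (root_entries * 32) % SECTOR:
        problems.append(f"root entries {root_entries} do not fill whole sectors")
    if media < 0xF0:
        problems.append(f"media descriptor {media:#04x} is not a DOS value")
    if spf == 0 or spt == 0 or heads == 0:
        problems.append("sectors per FAT / per track or head count is zero")
    if total16 and total32:
        problems.append("both 16-bit and 32-bit total sector fields set")
    total = total16 or total32
    if total == 0:
        problems.append("total sector count is zero")
    # Do the table values match THIS disk?
    if hidden != part["lba"]:
        problems.append(f"hidden sectors {hidden} != partition start {part['lba']}")
    if total > part["sectors"]:
        problems.append(f"total sectors {total} exceed partition size {part['sectors']}")
    return problems


def make_boot_record(total: int, spt: int, heads: int, hidden: int) -> bytes:
    """Constructed DOS 3.3-style boot record for the samples below."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS3.3"
    t16, t32 = (total, 0) if total < 0x10000 else (0, total)
    struct.pack_into(BPB_FMT, sec, 0x0B, SECTOR, 4, 1, 2, 512, t16,
                     0xF8, 8, spt, heads, hidden, t32)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def make_mbr(lba: int, sectors: int) -> bytes:
    """Constructed MBR with a single primary DOS partition."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\x33\xC0"          # xor ax,ax: typical start of MBR code
    struct.pack_into(PART_FMT, mbr, 0x1BE, 0x80, b"\x01\x01\x00", 0x04,
                     b"\x03\xD1\x31", lba, sectors)   # CHS fields are placeholders
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# A 10 MB XT disk: 306 cyl x 4 heads x 17 spt = 20808 sectors; DOS partition
# starts at LBA 17 (one track of hidden sectors).  All constructed.
DISK_SECTORS = 306 * 4 * 17
PART = partition_entry(make_mbr(17, DISK_SECTORS - 17))
GOOD = make_boot_record(DISK_SECTORS - 17, 17, 4, 17)
OTHER_DISK = make_boot_record(60000, 17, 6, 17)       # right shape, wrong disk
# What a stealth virus might hand back instead of the real sector: its own
# loader (constructed: a far jump and no BPB) with a valid-looking signature.
BOGUS = b"\xEA\x05\x00\xC0\x07" + bytes(505) + b"\x55\xAA"

if __name__ == "__main__":
    for label, cand in (("good", GOOD), ("other disk", OTHER_DISK), ("bogus", BOGUS)):
        print(label, check_boot_record(cand, PART) or "OK, safe to restore")
```

Run stand-alone it prints one line per candidate. The "other disk" sector passes every structural test and is rejected only by the cross-check against the partition table, which is the case the post warns about: a sector that looks like a boot record is not necessarily this disk's boot record, and a tool that skips that question is the kind of "doctor" program the post asks the audience to raise their hands over.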
------------------------------

Date: Wed, 19 Jun 91 11:22:27 -0500
From: root@farwest.sccsi.com (John Perry)
Subject: FPROT116 is on BEACH (PC)

Hello Everyone!

FPROT116.ZIP is now available on BEACH.GAL.UTEXAS.EDU. Come on by and pick up a copy.

John Perry KG5RG
You can send mail to me at any of the following addresses:
Internet : perry@farwest.sccsi.com
UUCP     : nuchat!farwest!perry

------------------------------

Date: 20 Jun 91 09:36:40 +0000
From: Steven van Aardt
Subject: Can such a virus be written .... (PC)

Is it possible to write a PC virus which installs itself whenever you place an infected disk in the drive and do a DIR command?

Steve.
--
---------------------------------------------------------------------------
- JANET E-mail : vanaards@uk.ac.man.cs.p4 (Steven van Aardt) --
-- Warning this user has been designated for termination on the 21.6.91 --
---------------------------------------------------------------------------

------------------------------

Date: Thu, 20 Jun 91 09:59:25 -0400
From: Ronnie Judd
Subject: Boot sector viruses on IDE drives (PC)

johnboyd@logdis1.oc.aflc.ar.mil (John Boyd:LAHDI) writes:

> It recently occurred to me that we get rid of most boot-sector viruses
> by routinely doing a low-level format on a drive. However, this is
> not possible on an IDE drive...

Seems I keep seeing over and over on this list that one *almost never* has to do a low level format to remove boot sector viruses. However, on the question of how does one format an IDE drive, there are programs out there that will do such a thing. I recently upgraded a couple of Compaq machines and found Disk Manager 4.0 did the trick just fine. So if you feel that you *absolutely must* low level format to get rid of the offending virus, give it a shot.

Ronnie N. Judd                    | BITNET: RNJUDD@SUVM
Dept. Civ/Env Engineering         | Phone: (315) 443-5796
220 Hinds Hall                    | FAX: (315) 443-1243
Syracuse University               | A failure is a chance
Syracuse, NY 13244-1190           | to start again smarter
(Of course these are my opinions, no one else wants them!)

------------------------------

Date: Thu, 20 Jun 91 08:16:55 -0700
From: Eric_Florack.Wbst311@xerox.com
Subject: doom 2 (PC)

It would appear to me that VIRx 1.4 isn't cleaning up after itself. You guys just ran across different bits of code because of different areas of RAM being used to store the search strings.

I state this obvious point, to make a point. This would seem sloppy code on two points: One, that VIRx doesn't clean up after itself, allowing other programs to find its code fragments, is of course a major concern to the users of the program. (Should also be of great concern to the authors, but no matter for that for now..)

The second point is that it's a security problem for all computer users. Consider: It's simplicity itself for someone who can write a virus to tear apart the non-encrypted VIRx code and determine the search strings used in VIRx. Now, this in itself wouldn't be a problem, I guess, but consider that what SCAN saw were the search strings that VIRx was using.... meaning they're using the SAME strings. Based on this info, anyone who wanted to could, in theory, modify the virus enough that the string would no longer be caught by the current search strings.

Encrypting the search strings in your code, therefore, is always a good idea, as is cleaning up the mess your program makes in RAM. VIRx apparently doesn't address these two points.

------------------------------

Date: Thu, 20 Jun 91 13:41:57 -0400
From: Lee Ratzan
Subject: protecting mac files via locking (Mac)

Application locking on a Macintosh prevents a file from accidentally being destroyed (trashed) and to some extent from being altered.
A user wants to know if locking Disinfectant on a hard disk will prevent it from being itself infected from a virus emanating from an infected floppy. The issue is whether we can trust a resident locked copy of Disinfectant to remain clean even if the hard disk on which it resides becomes infected.

I have advocated that since we have no automatic virus checking software which is activated upon disk insertion or start up, and since anyone can use the machine, the only way to be absolutely certain that integrity has not been compromised each morning is to boot up first with a trusted disk and run the trusted disk copy of Disinfectant against the hard disk files.

Comments?

Lee Ratzan

------------------------------

Date: Thu, 20 Jun 91 12:18:17 -0600
From: rtravsky@CORRAL.UWYO.EDU (Richard W Travsky)
Subject: Stoned & Novell? (PC)

Does anyone have any information on Stoned and Novell 3.X networks? Like, can a Novell server pick up Stoned (or any other boot sector infector)? I've some information that indicates it can but not much more than that. Tales, experiences, caveats? Please reply by email, I need info ASAP. Many many thanks!

Richard Travsky
Division of Information Technology
University of Wyoming
RTRAVSKY @ CORRAL.UWYO.EDU
(307) 766 - 3663 / 3668

------------------------------

Date: Thu, 20 Jun 91 19:23:00 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: VSHIELD and Warm Boots (was Re: Checksumming) (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

(a lot of stuff deleted here...)

>I believe that VSHIELD protects from hot-boots now - do not believe
>that prevention from cold boots can be done without hardware or
>special BIOS.
>My next project now that DISKSECURE is essentially
>complete will be a small addition to warn the user on boot if a floppy
>is in the drive - should not be difficult or require much code (trap
>cntrl-alt-del, check for floppy, write warning message, loop for
>response), several viruses make use of this technique already so it
>cannot be too difficult (famous last words).

VSHIELD traps warm (hot) boots (aka Ctrl-Alt-Dels, Three Finger Salutes) to check the floppy drive and then the hard disk for boot sector and partition table infecting viruses. If a virus is found, VSHIELD displays its "found virus X in area Y" message and prompts the user to power down and boot off a clean system disk. If no virus is found, then VSHIELD reboots the system as normal.

Some XT systems apparently have problems with this, causing a reboot to take a long time (5 minutes or more). If so, the option can be turned off by using the /NB (No Boot checking) option.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 107]
******************************************

Date: Mon, 24 Jun 91 10:05:08 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #108
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday, 24 Jun 1991   Volume 4 : Issue 108

Today's Topics:

Weird things in our LAN! (Mac)
Re: Can such a virus be written .... (PC)
Re: Can such a virus be written .... (PC)
DesasterMaster 2
Re: Interesting interaction ( VIRx & SCAN ) (PC)
Interesting interaction (PC)
doom 2 (PC)
Re: Hypercard Antiviral Script? (Mac)
Re: Can such a virus be written .... (PC)
Disk Killer Virus (PC)
Re: Software Upgradable BIOS (PC)
Re: protecting mac files via locking (Mac)
Thanks for help (virus papers)
joshi & vsum & f-prot & ll format (PC)

----------------------------------------------------------------------

Date: Fri, 21 Jun 91 01:32:11 +0000
From: choda@milton.u.washington.edu (Bob Marley)
Subject: Weird things in our LAN! (Mac)

We have a small problem in our LAN here. We have a dedicated server (SE/30) serving about 30 Pluses (1 meg mem etc). We have to start them off of workstation disks. This has been happening periodically throughout the year: every once in a while one of the workstation disks appears to be turned invisible. All the files are GONE.
They are there, it says that the space is being used, and the disks boot etc. They are NOT invisible however. I have gone in with absolutely every file/disk/etc utility to look for them. ResEdit, DiskTools, the works. The only invisible file on any of the disks was the (obviously) Desktop.

Now, the other day, we got one of our Pluses back that we had loaned out, and we discovered that on the 20 meg hard drive, it happened AGAIN. ALL the files invisible. The person who had it was freaked, for he thought he had deleted the entire hard drive. We have checked for viruses, and haven't found any... It is just plain WEIRD.

Anyone have any ideas on what could be done to fix this before it hits our server and makes EVERYTHING there invisible? Help!

------------------------------

Date: Fri, 21 Jun 91 17:43:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Re: Can such a virus be written .... (PC)

vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
>
> Is it possible to write a PC virus which installs itself whenever
> you place an infected disk in the drive and do a DIR command ?

Yes. But on a PC this requires certain conditions, which mean it probably wouldn't spread very far.

Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date: 21 Jun 91 09:39:26 +0000
From: Doug Krause
Subject: Re: Can such a virus be written .... (PC)

vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
#
# Is it possible to write a PC virus which installs itself whenever
#you place an infected disk in the drive and do a DIR command ?

Doesn't STONED act that way?

Douglas Krause                         One yuppie can ruin your whole day.
----------------------------------------------------------------------
University of California, Irvine       Internet: dkrause@orion.oac.uci.edu
Welcome to Irvine, Yuppieland USA      BITNET: DJKrause@uci.edu

------------------------------

Date: Fri, 21 Jun 91 11:45:29 +0000
From: tsruland@faui09.informatik.uni-erlangen.de (Tobias Ruland)
Subject: DesasterMaster 2

Hi all!

Does anybody know the Amiga "DesasterMaster 2" virus, how it works and what it does?

cu
Tobias

------------------------------

Date: Thu, 20 Jun 91 17:23:19
From: c-rossgr@microsoft.COM
Subject: Re: Interesting interaction ( VIRx & SCAN ) (PC)

>From: kforward@kean.ucs.mun.ca (Ken Forward)
>
>p1@arkham.wimsey.bc.ca (Rob Slade) writes:
>> Noted an interesting interaction between two antivirals the other day,
>
>Tried this out for myself; no 3445 or Doom 2, but Taiwan3 [T3] was
>"found" in memory. Has anyone experienced any other false positives
>with this combination ?

It goes to show that the viral strings used in Program A might also be used in Program B. The string database is large enough that it probably spanned more than a few DOS buffers: depending on what buffers were used by subsequent code, different portions of the string database might be left in different areas of memory, thereby those who share our strings will have different "hits" at different times.

The new cut of VIRx with new strings added (a bunch) and some bug fixes is due out any second...

Ross

------------------------------

Date: Wed, 19 Jun 91 18:53:21
From: c-rossgr@microsoft.COM
Subject: Interesting interaction (PC)

>From: p1@arkham.wimsey.bc.ca (Rob Slade)
>
>Noted an interesting interaction between two antivirals the other day,
>and finally tracked it down. If VIRx 1.4 is run before SCAN 77, SCAN
>will "detect" the presence of the 3445 and Doom 2 viri in memory and
>refuse to run.

Sigh. Color me dumb. I forgot to call the zap_virus_strings() routine under certain conditions, so I left a lot of strings in memory.
It looks like the McAfee scanner uses some of the same strings we do... This has been fixed in the next release of VIRx, due out in a few days. Lots of other good stuff in the new one, too.

Ross

------------------------------

Date: Wed Jun 19 18:53:21 1991
From: c-rossgr@microsoft.COM
Subject: joshi & vsum & f-prot & ll format (PC)

>From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves)
>
>Vsum still says no utility will remove joshi and that low
>level format is required...

Vsum is totally wrong. Virex-PC has been able to cure Joshi for quite a while (> six months, at least).

> Is there a utility Ms Hoffman? perhaps you just don't want to
>admit it because McAfee's can't? (i have not tried McAfee but I
>assume she'd say if his did.)

Interesting idea....

Ross

------------------------------

Date: Thu, 20 Jun 91 19:34:27
From: c-rossgr@microsoft.COM
Subject: doom 2 (PC)

>From: Eric_Florack.Wbst311@xerox.com
>
>It would appear to me that VIRx 1.4 isn't cleaning up after itself.
>You guys just ran across different bits of code because of different
>areas of RAM being used to store the search strings.

(Will I ever live this down? One mistake and *bingo!* all over the place. Sigh.)

>The second point is that it's a security problem for all computer
>users. Consider: It's simplicity itself for someone who can write a
>virus to tear apart the non-encrypted VIRx code and determine the
>search strings used in VIRx.

Actually, the strings are trivially "encrypted" to prevent the image out on disk from triggering who-knows-how-many other scanners out there. The image I left in memory is *after* the decryption. Why, you might wonder, don't I use a more complex en/de-cryption scheme? The answer is simple: whatever for? The bad guys can certainly break whatever coding scheme I use, thereby using the string list just as if it were not encoded at all.
Since it is trivial to make a program that can determine what string a scanner is using, using complex schemes serves no purpose except to a) give more areas for weird bugs to show up, b) a tad of time spent by *every* user in the decrypt routine. The signature a scanner uses is of no use to a bad guy unless he or she already has the subject virus on hand, in any case.

>Now, this in itself wouldn't be a problem, I guess, but consider that
>what SCAN saw, were the search strings that VIRx was using.... meaning
>they're using the SAME strings. Based on this info, anyone who wanted
>to, could, in theory, modify the virus enough that the string would no
>longer be caught by the current search strings.

In many viruses (virii?) there is only a small area that you can use to figure out a decent signature. Two scanners using a similar area should not be considered unusual. One of my favorite areas to use is the "Are you there?" call most resident viruses use: I assume most others use it, too. For viruses that I don't have on hand, I use the Virus Bulletin list: I would presume that the bad guys have as much access to that list as McAfee's scanner programmers do, too....

>Encrypting the search strings in your code, therefore is always a good
>idea, as is cleaning up the mess your program makes in RAM. VIRx,
>apparently doesn't address these two points.

Wrong on both counts. It is interesting, though, that about 20 beta testers did not find that problem at all....

One of the interesting things: Microcom, the people who publish and market my code, is expressly forbidden from using McAfee products by the vendor itself. This is interesting since Microcom was, until recently, a member of the so-called CVIA, paying their dues and getting *absolutely* none of the privs supposedly associated with that membership.

Ross

------------------------------

Date: Thu, 20 Jun 91 23:53:45 +0000
From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: Hypercard Antiviral Script? (Mac)

Actually, Eric, you will find that there appears to be a bug in 2.0v2, and you can intercept SETs that are SEND'ed (sorry, but SEN(t)D?)... anyway, having not tried this trick in 2.1, I don't know if it will work... and, as usual, I wouldn't trust the documentation - try looking at the params of the SET command.

As far as the rest of this discussion goes, I have been playing with fire & my own viri (for test purposes, folks, so relax... then again, with the couple of times I've been corrected, these critters wouldn't do much harm anyway...) and as long as LockMessages is set, and as long as one checks the script of stack xxx before opening it, it's essentially impossible to infect yourself by opening a stack - ASSUMING YOU CHECK THE SCRIPT OF THE STACK FIRST. The code to scan a stack is essentially the same as the SearchScript code that y'all will find in your HOME stack, only you have to modify it to accept a file name (answer file... everyone remember now?...); anyway, after you do that, the search string is "set the script of". HOWEVER, it is possible that someone has the viri sitting in an XCMD or XFCN which they invoke, so you should also check the resources they have attached to their stack... so you see, it becomes a pain to simply scan the stack script because you also need to scan the resources to be effective.

Mike.
Mac Admin
WSOM CSG CWRU
mike@pyrite.som.cwru.edu

------------------------------

Date: Fri, 21 Jun 91 17:08:31 +0000
From: bdh@gsbsun.uchicago.edu (Brian D. Howard)
Subject: Re: Can such a virus be written .... (PC)

vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:

> Is it possible to write a PC virus which installs itself whenever
>you place an infected disk in the drive and do a DIR command ?

Yes. You'd have to change command.com and have a dir.com or dir.bat just sitting there. I've actually manually done something like that as a prank (stay away from me on april 1...) (You asked merely if it was *possible*.
Now, do you think you've got something like that going on?) - -- "Hire the young while they still know everything." ------------------------------ Date: Fri, 21 Jun 91 14:36:00 +0000 From: Jim Schenk Subject: Disk Killer Virus (PC) Hello, Does anyone have information on the Disk Killer Virus? (I've already got Patricia Hoffman's VSUM - I need some more detailed info). Running F-PROT 1.15A on a DTK 286 under MS-DOS 4.01 results in the following: This boot sector is infected with the Disk Killer virus. Disinfect? Y Can not cure - original boot sector not found. Any help would be greatly appreciated. Jim Schenk University Computer Services Florida International University Bitnet: jims@servax Internet: jims@servax.fiu.edu ------------------------------ Date: 21 Jun 91 21:22:40 +0000 From: rick@pavlov.ssctr.bcm.tmc.edu (Richard H. Miller) Subject: Re: Software Upgradable BIOS (PC) ingoldsb%ctycal@cpsc.ucalgary.ca (Terry Ingoldsby) writes: > It is not even necessary to place it under hardware control, rather if > the hardware incorporates an interlock that requires a special, > possibly unique, code, then the viruses could bash at it forever > (almost) without success. > > For example if each machine thus manufactured were assigned a unique > value in EPROM (which could not be read by the CPU), say of length 64 > bits, then the user could be queried, by the software upgrade program, > to enter the key. If the key matched, the EAROM would be modified, > otherwise nothing would happen. this is a nice though in theory, but in practical terms, would be a logistical nightmare for sites which have a large number of PCs or that swap components. This would require that detailed records be kept each PC and each time a motherboard is swapped or the BIOS is replaced rather than updated.In all likelyhood, two things would happen 1) The 'key' would be written on the PC which would give you the same protection as hardware control. 
2) Someone would loose their key and the BIOS chips would have to be replaced. Another approach is to use a lock mechanism with a key to update the BIOS. For the single user or sites which do not require central configuration management, the key could stay in the PC [as it does not in most cases.] For sites which do use central configuration management, the key would be kept away from the PC to prevent BIOS upgrades except under controlled circumstances I do think that upgradeable BIOS under these circumstances is a good idea. This is a concept which has been very successful in the larger systems for quite a long time as would work well with necessary controls. It would certainly be much easier to load the BIOS from floppy for 1,000 PC's than to replace the BIOS PROMS. - -- Richard H. Miller Email: rick@bcm.tmc.edu Asst. Dir. for Technical Support Voice: (713)798-3532 Baylor College of Medicine US Mail: One Baylor Plaza, 302H Houston, Texas 77030 ------------------------------ Date: Fri, 21 Jun 91 23:46:32 +0000 From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Re: protecting mac files via locking (Mac) NO! ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM. IT IS IMPOSSIBLE TO PROTECT A FILE BY LOCKING IT. PERIOD. ABSOLUTELY NOT. IT DOESN'T HAPPEN. The only way to protect a file is to have it on a locked volume. Now I don't know if SAM is beyond this, because I haven't tried it...yet (hey, c'mon, I read newsgroups on Internet in what little free time I have between my job at xxx and handling the lab here. However, I have an "utility" which will overwrite any resource in any file, and that's all the more specific I am going to get about it because I don't want some amateur hack reading this to get any ideas. Saying that it can be done is bad enough - it encourages the ones that don't know ... yet. 
At any rate, file locking AND PROTECTING (via some sector editor) do not stop this "utility" from working - no, it's not ResEdit, but I haven't tried ResEdit, although I would assume that it won't work. So, there is NO WAY to stop a file on an unlocked volume from being written to, changed, etc. Sorry. Mike. Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu ------------------------------ Date: Sun, 23 Jun 91 22:11:24 -0500 From: Mac Su-Cheong Subject: Thanks for help (virus papers) Dear netters : About a month ago I had asked for help with virus papers. Here is the original request : > I am looking for the following thesis : > > F. Cohen, "Computer Viruses", Ph.D. Dissertation, University of Southern > California, 1986. > > Can I get it from some anonymous ftp sites ? If no, how can I get it. I am >trying to gather papers about viruses. Any help is appreciated. I have got several responses for the request. Someone suggest me to get the books COMPUTE!'s COMPUTER VIRUSES and COMPUTE!'s COMPUTER SECURITY, but I have not found them yet. Another one suggest me to log on ftp.cs.widener.edu (192.55.239.132) but I can't find virus paper. A nice guy find the paper in library and send me the abstract. Later I have found some papers from the following anonymous ftp sites : cert.sei.cmu.edu pub/virus-l/docs cs.toronto.edu doc/pc-virus.notes There are many virus papers on the Magazine "Computers & Security", but they are not collected in my local library :-( Especially thanks to Ralph Roberts, Alan Jones, Mark, and Malcolm. They are so kind for doing such a lot to me. This is the first time I write a summary. If there is something wrong, please tell me. Thanks for your time. 
Mac Su-Cheong (MSC) nckus089@twnmoe10 msc@sun2.ee.ncku.edu.tw ------------------------------ Date: Wed, 19 Jun 91 18:53:21 From: c-rossgr@microsoft.COM Subject: joshi & vsum & f-prot & ll format (PC) >From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves) > >Vsum still says no utility will remove joshi and that low >level format is required... Vsum is totally wrong. Virex-PC has been able to cure Joshi for quite a while (> six months, at least). > Is their a utility Ms Hoffman? perhaps yuou just don't want to >admit it because McAffe's can't? (i have not tried McAffee but I >assume she'd say if his did.) Interesting idea.... Ross ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 108] ****************************************** 25-Jun-91 16:00:36-GMT,19276;000000000001 Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA16162; Tue, 25 Jun 91 12:00:19 EDT Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA22361; Tue, 25 Jun 91 12:00:01 EDT Message-Id: <9106251600.AA22361@remus.rutgers.edu> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 5758; Tue, 25 Jun 91 11:53:29 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 9413; Tue, 25 Jun 91 11:52:57 EDT Date: Tue, 25 Jun 91 11:09:46 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #109 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L VIRUS-L Digest Tuesday, 25 Jun 1991 Volume 4 : Issue 109 Today's Topics: Re: protecting mac files via locking (Mac) Locking Disinfectant (Mac) Source for M-disk (PC) Inside the Whale-Virus (PC) Re: Hypercard Antiviral Script? (Mac) Re: Can such a virus be written .... (PC) Re: Can such a virus be written .... 
(PC) doom2:reply (PC) Virus checking for Sun4 (UNIX) Self-Modifying SETVER.EXE (PC) Product Review (PC Plus Mag) (PC) Re: Can such a virus be written .... (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 24 Jun 91 09:16:00 -0400 From: John Chapman Subject: Re: protecting mac files via locking (Mac) ratzan@rwja.umdnj.edu (Lee Ratzan) writes: > Aplication locking on a Macintosh prevents a file from accidentally > being destroyed (trashed) and to some extent from being altered. > A user wants to know if locking Disinfectant on a hard disk will > prevent it from being itself infected from a virus emanating > from an infected floppy. > > The issue is whether we can trust a resident locked copy of > Disinfectant to remain clean even if the hard disk on which it resides > becomes infected. From what I understand, Disinfectant checks itself first thing when it is launched. If it has been altered in ANY way, it supposedly renames itself to something like 'Trash Me' and quits immediately. I think the check it performs on itself is a little more complex than just simple checksumming, but I am not sure. Anyway, the theory is that even if something were able to infect Disinfectant, it would not allow itself to be run. 
(For those interested, I think this is also why you cannot alter the MultiFinder partition size - it is somehow 'hard-coded' into Disinfectant such that changing it in the Finder Get Info box doesn't work). If you are particularly concerned, run the Disinfectant INIT on all boot volumes. This should prevent the infection of any program (not just Disinfectant) from any known virus. The INIT is unobtrusive, VERY small (read 5K) and is very effective against anything that's been found. If you want more complete protection, I would suggest trying GateKeeper (freeware) or the commercial packages SAM, Rival, or Virex. From what I have seen, all are excellent at blocking all known virus, but their main strength is their ability to catch & block new, unidentified viruses. Unfortunately, this means they are far more picky and sensitive than the Disinfectant INIT and may cause conflicts with (a few) software packages and INITs. By the way, the current version of Disinfectant is 2.4 and may be found on most good FTP archives (eg. sumex-aim.stanford.edu) as well as several mail server archives. > Lee Ratzan - - John T. Chapman ke2y@vax5.cit.cornell.edu ke2y@crnlvax5.bitnet Disclaimer: These opinions are my own and do not necessarily reflect those of the University or of the manufacturers of the products mentioned above. ------------------------------ Date: Mon, 24 Jun 91 09:15:49 -0400 From: Joe McMahon Subject: Locking Disinfectant (Mac) On Thu, 20 Jun 91, Lee Ratzan asked: >A user wants to know if locking Disinfectant on a hard disk will >prevent it from being itself infected from a virus emanating >from an infected floppy. No, but it's not necessary to do that anyway. See below. >The issue is whether we can trust a resident locked copy of >Disinfectant to remain clean even if the hard disk on which it resides >becomes infected. Yes, you can. Disinfectant has two methods of dealing with attempted viral attacks on itself. 
First, its resource map is locked, meaning that Disinfectant's resources can't be diddled with by unsophisticated viruses; several of the older viruses are smart enough to unlock the file it it is locked, but are not smart enough to deal with a locked resource map. Second, Disinfectant verifies itself at startup, and will refuse to operate if it finds that it has been corrupted. I know of no virus smart enough to break into it as yet. >I have advocated that since we have no automatic virus checking >software which is activated upon disk insertion or start up and since >anyone can use the machine, the only way to be absolutely certain that >integrity has not been compromised each morning is to boot up first >with a trusted disk and run the trusted disk copy of Disinfectant >against the hard disk files. This is a reasonable procedure, especially since it really doesn't take that long, and it is definitely safe. You might want to consider augmenting Disinfectant with Gatekeeper and Gatekeeper Aid as well. This would help in stopping WDEF/CDEF infections, as Gatekeeper Aid checks disks as they are inserted. --- Joe M. ------------------------------ Date: Mon, 24 Jun 91 13:59:17 +0100 From: ukpoit!dave@relay.EU.net Subject: Source for M-disk (PC) Does anyone know of a source for M-disk, purchase, BBS, etc ? Thanks in advance Dave ------------------------------ Date: Mon, 24 Jun 91 15:47:41 +0000 From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: Inside the Whale-Virus (PC) Hello virus-community | About 2 month ago I got a (the) Whale-Virus from a friend, cause I've been interested in dissasembling that famous monster ( just from the size ). After long nights of work I discovered almost all of the code, and it seemed to be quite trivial , the unbelieveable mysterious actions I expected to see didn't exist. 
So the question is: IS there ANY action triggered beside copying the MBR from the 1st harddisk to a file appended with a warning message about the Fish #6 Virus and leaving some infected files destroyed ??? ( something like the nice falling letters triggered by the Cascade Virus ?? ) So long, Martin PS.: if anybody wants more or less specific information about the Whale , feel free to e-mail me. +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Mon, 24 Jun 91 08:53:39 +0800 From: bcarter@claven.idbsu.edu Subject: Re: Hypercard Antiviral Script? (Mac) Greetings, >The code to scan a stack is essentially the same as the SearchScript >code that y'all will find in your HOME stack, only you have to modify >it to accept a file name (answer file...everyone remember now?...) >anyway, after you do that, the search string is "set the script of". >HOWEVER, it is possible that someone has the viri sitting in an XCMD >or XFCN which they invoke, so you should also check the resources they >have attached to their stack...so you see, it becomes a pain to simply >scan the stack script because you also need to scan the resources to >be effective. I doubt that a general scanner for HyperTalk viruses can be created due to the fact that all one has to do is encode the text of the script to be inserted, and make decoding part of the infection process. Using this method along with "do"s you would never see a plain text "set the script of" until it was too late. It wil probably be necessary to do as utilities such as Virex do, and enter specific characteristics of each virus for which to search. This is a tough area, every time someone here comes up with a way of blocking this sort of thing someone else comes up with a way around it. 
<-> Bruce Carter, Courseware Development Coordinator bcarter@claven.idbsu.edu Boise State University, Boise, ID 83725 duscarte@idbsu.bitnet (This message contains personal opinions only) (208)385-1250@phone ------------------------------ Date: Mon, 24 Jun 91 11:11:06 -0400 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Boy, I was hoping this one would go away but was rong again. 1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed. 2) Once you have executed a virus, it could take control of the PC and infect floppies in this manner as several people have pointed out, but you cannot BECOME infected in this manner. Padgett ------------------------------ Date: Mon, 24 Jun 91 11:11:20 -0400 From: Kevin_Haney%NIHCR31.BITNET@CU.NIH.GOV Subject: Re: Can such a virus be written .... (PC) vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Yes. But on a PC this requires certain conditions, which mean it probably wouldn't spread very far. Mark Aitchison, Physics, University of Canterbury, New Zealand. I would like to know just what these conditions are. If you have an clean, uninfected system with the normal system files, COMMAND.COM, etc., I would think that it is impossible to infect system memory or another disk by doing a directory listing on an infected diskette. (Of course, if you don't have a clean system with unmodified system files, anything can happen.) At no time does COMMAND.COM transfer program control to any executable code on a diskette when it does a directory listing via the DIR command. 
It looks at the diskette's root directory, files, and all other areas of the diskette as pure data. There is no way for a virus to become activated and infect a system if control is not passed to it at some point. With regard to the comment about the Stoned virus behaving this way, Stoned will infect a diskette if you do a DIR on it from a system which has the virus active in memory (as will most other memory-resident viruses). The only way for it to become active is by booting a system from an infected floppy or hard disk - it cannot become active if you do a DIR on an infected diskette from a clean system. And I would venture to say that this holds true for viruses in general. ------------------------------ Date: Mon, 24 Jun 91 08:26:53 -0700 From: Eric_Florack.Wbst311@xerox.com Subject: doom2:reply (PC) Ross says: =-=-=-= >It would appear to me that VIRx 1.4 isn't cleaning up after itself. >You guys just ran accross different bits of code because of different >ares of RAM being used to store the search strings. (Will I ever live this down? One mistake and *bingo!* all over the place. Sigh.) - -=-=-=-=-= Ha. You mean I wasn't the first? :*> You say: - -=-=-=-=" Actually, the strings are trivially "encrypted" to prevent the image out on disk from triggering who-knows-how-many other scanners out there. =-=-=- On /DISK/, yes. But consider the amount of scanners, including MAcAffee that look at RAM, as well. False trip city, as we have seen. You say: - -=-=-= The answer is simple: whatever for? The bad guys can certainly break whatever coding scheme I use, thereby using the string list just as if it were not encoded at all. =-=-= This misses the point altogether. My point was simply that without encryption of one sort or another, even in RAM, another package wil false trip. If you think that people are going to depend on your package alone for protection, this might not cause a problem. 
But a realitry check, ( facilitated by a quick peek at the postings in here) will prove that doesn't happen. You say: - -=-=- The signature a scanner uses is of no use to a bad guy unless he or she already has the subject virus on hand, in any case. =-=-=- Of course not. My point in this case was the person doing the altering to routre around your code being the original author. Moreover, we have seen several varieties of a particular virus around, indicating more than one person altered one person's code. This is commonplace. (Can you say 'Stoned'? Sure. I knew you could.) Obviously, virus code is being passed around, by writers of such code, like a wine bottle at a garbage can fire. Getting the original code is therefore no problem. You say: - -=-=-= >Encrypting the search strings in your code, therefore is always a good >idea, as is cleaning up the mess your program makes in RAM. VIRx, >apparently doesn't address these two points. Wrong on both counts. It is interesting, though, that about 20 beta testers did not find that problem at all.... =-=-= First point: How on earth is cleaning up RAM you've allocated with your program before the program closes to be considered a BAD idea? Diito a string encryption? As for your beta testers not finding the problem, I suggest to you that perhaps they missed a major problem. WIthout being judgemental, here, finding this problem after beta was complete would seem to call into question the validity of certain of your test results. Regards to you. E (Normal employer isolation disclaimers apply here... IE: They may or may not agree with my thoughts in this matter) ------------------------------ Date: Mon, 24 Jun 91 14:33:45 -0600 From: Xcaret Research Subject: Virus checking for Sun4 (UNIX) Can someone point me to information about virus checking for a Sun4 computer. Is there ftp'able software or any good commercial software? Thanks, John [Ed. 
While not specifically an anti-virus program, you might want to start by looking at COPS. It's available from comp.sources.unix and by anonymous FTP on cert.sei.cmu.edu.] ------------------------------ Date: 24 Jun 91 23:38:48 -0400 From: Robert McClenon <76476.337@CompuServe.COM> Subject: Self-Modifying SETVER.EXE (PC) I just discovered after twenty minutes of unpleasantness that SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING CODE. The SETVER command is used to fake out applications which check the version of DOS. It seems that, rather than maintain a data file separate from the .EXE file, Microsoft has chosen to implement SETVER.EXE as a program which modifies itself whenever it is executed, so as to change a table that is part of itself. This is very unfriendly behavior for users who try to maintain any sort of discipline to control viruses, or any of various other sorts of discipline. Virex-PC gave me multiple alerts telling me that SETVER was trying to alter SETVER. Since the syntax of SETVER is a little peculiar and complex, I at first assumed that I had entered the command wrong and was doing something improper and that Virex-PC was protecting me from a mistake. It took me a while to realize that SETVER was REALLY trying to MODIFY itself and that Virex-PC was trying to protect me from a technically legitimate but undisciplined operation. Is anyone from Microsoft on this distribution list? Would they care to explain why they did such an undisciplined thing? Robert McClenon Neither my employer nor anyone else paid me to say this. ------------------------------ Date: Tue, 25 Jun 91 09:54:36 +0700 From: James Nash Subject: Product Review (PC Plus Mag) (PC) A well written article (for a change!) appears in the current issue of UK magazine PC Plus, called "Immune Systems". It sets out to explain viruses, offering concise understandable defintions of all those terms you know and love (plus "Armoured Virus"!). 
Anyway, the main body of Mark Hamilton's article is a review of 10 anti-viral software products. Nearly all of these are UK products, half of which I've never heard of before. It gives a real lashing to Defiant Systems' "Virus Hunter" and verbally assualts Visionsoft's "Immunizer". That latter one comes last in all the tests! The one he recommends is Jim Bates' (Bates Associates) "VIS Utilities" (5 * rating). Also praised are RG Software's "VI-SPY" - 'best US package' - - , Sophos' "Sweep" and S&S's "Dr. Solomon's". Software not included in the review were Mcaffee and F-PROT to name a few. For scanning accuracy, Bates came top, Solomon and Sophos close; only Norton, Visionsoft, Defiant Systems and Virex-Pc (1.1a) came below 75%. For scanning floppies (Speed), Bates came top, Central Point close, others struggling. For scanning Hard Disks (Speed), Norton came top (just), followed by Defiant Systems, Solomons, Bates and Central Point (ITO). If anyone wants more info, buy a copy of PC Plus or e-mail me direct. Please don't clog up the list with "me too" messages :-) - -- James Nash // Computing Services // Phone: x8644 // User ID: ccx020 (cck) - -I spilt Spot Remover on my dog and now he's gone. ccx020@uk.ac.cov.cck ------------------------------ Date: 25 Jun 91 10:12:24 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Can such a virus be written .... (PC) >vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > Is it possible to write a PC virus which installs itself whenever >you place an infected disk in the drive and do a DIR command ? Not only possible - many such viruses already exist. They are either boot sector infectors which intercept INT13 and infect a disk whenever it is read from, or file infectors which intercept the FindFirst/FindNext functions - the DIR and DIR-2 viruses are a prime example. 
- -frisk ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 109] ****************************************** 26-Jun-91 19:31:20-GMT,25540;000000000001 Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA00772; Wed, 26 Jun 91 15:31:15 EDT Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA04568; Wed, 26 Jun 91 15:13:39 EDT Message-Id: <9106261913.AA04568@remus.rutgers.edu> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 7654; Wed, 26 Jun 91 15:09:17 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 6579; Wed, 26 Jun 91 15:08:52 EDT Date: Wed, 26 Jun 91 15:03:27 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #110 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L VIRUS-L Digest Wednesday, 26 Jun 1991 Volume 4 : Issue 110 Today's Topics: I'm not official! McAfee on VSUM accuracy and Microcom (PC) Re: protecting mac files via locking (Mac) Self-Modifying SETVER.EXE (PC) Re: Hypercard Antiviral Script? (Mac) Re: Hypercard Antiviral Script? (Mac) FPROT116.ZIP uploaded (PC) Re: Can such a virus be written .... (PC) Re: Can such a virus be written .... (PC) Re: Can such a virus be written .... (PC) Re: Can such a virus be written .... (PC) Inside the Whale-Virus (PC) Announcing McAfee VIRUSCAN Version 80 (PC) Product Test - - Central Point Anti-Virus (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). 
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 24 Jun 91 14:55:48 -0400 From: "David.M.Chess" Subject: I'm not official! A couple of (excellant) informational posts by Rob Slade recently have listed me and/or Bill Arnold as contacts for IBM's Anti-Virus Product. This is just a note to clarify: I'm just a humble researcher, *not* an official IBM contact of any kind. You can't buy the product from me, I'm not an Official Support Person, you shouldn't send me Purchase Orders, etc. This applies to Bill as well. I'm happy to answer questions about the product that come up on VIRUS-L when I have a chance, of course. But to actually buy the product, talk to an IBM Rep (call your nearest IBM Branch Office; if they don't know about the product, tell them to "look in the SECURE section of NATBOARD", or give them my name), or look in the Electronic Software Delivery section of IBMLINK (if you're an IBMLINK customer). This all applies to Bill as well (unless he posts otherwise, hehe). Dave Chess High Integrity Computing Lab IBM Watson Research ------------------------------ Date: Tue, 25 Jun 91 10:04:30 -0700 From: mcafee@netcom.com (McAfee Associates) Subject: McAfee on VSUM accuracy and Microcom (PC) The following message is forwarded from John McAfee: I regret that I haven't had much time to keep up with Virus-L recently, especially since it is one of the more informative sources of virus information. Fortunately, Aryeh Goretsky, Morgan Schweers, Fritz Schneider and others have been kind enough to digest the bulk of the Virus-L information and forward to me bits and pieces that they feel my feeble mind can manage. A couple of postings made recently by Terry Reeves Ross Greenburg need a response. 
Specifically: >From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves) >Vsum still says no utility will remove joshi and that a low level >format is required..... > Is there a utility Ms. Hoffman? perhaps you just don't want to >admit it because McAffe's can't? (i have not tried McAfee but I assume >she'd say if his did.) The McAfee Clean-Up program has been able to cure the Joshi since the Joshi first appeared more than ten months ago. What is curious about this message is that Terry has not tried our product, yet tacitly assumes that it cannot perform a given function. The reason he gives for this assumption is that the VSUM author doesn't want to admit that anyone could cure the Joshi because McAfee cannot. Have we really reached this level of acrimony within this industry? Isn't it enough that most of us are trying our best to thwart a growing number of virus writers and an escalating infection incidence? Is there that much spare energy left to throw stones at people like Patricia Hoffman? If Patricia, who works harder at analyzing and reporting viruses than anyone I know, is now a flame target, then what's left? I have been aware that VSUM did not report a disinfector for Joshi (even though Clean-Up had been disinfecting it for 8 releases of VSUM) but so what? Out of 500,000 bytes of fine reporting in VSUM, should I be so insecure that I have to correct Patricia's document so the world will know that the McAfee products disinfect yet another virus? Is there really time and energy for such trivia? And the second posting: >From: Ross Greenburg >One of the interesting things: Microcom, the people who publish and >market my code, is expressly forbidden from using McAfee products by >the vendor itself. This is news to the alleged vendor. Since McAfee Associates is the only vendor of the McAfee products I assume Ross means us. We have never refused to sell our products to anyone, and our policies will not change. 
It's a strange comment considering that 99.9% of all of our users use our products without telling us or paying us anyway (one of the side effects of shareware). How would we ever know?

In any case, it's good to exercise my fingers again and communicate with this growing body of concerned persons. My best wishes to my detractors (many), admirers (few) and lethargics (the silent majority) alike.

- - - - End of forwarded message.

While John is not regularly on the Internet, I will forward any replies to him; however, it would probably be best to contact him directly via telephone or fax at any of the numbers below.

Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date: Tue, 25 Jun 91 10:56:52 -0900
From: "Jo Knox - UAF Academic Computing"
Subject: Re: protecting mac files via locking (Mac)

On 21 Jun 91, mike@pyrite.SOM.CWRU.Edu (Michael Kerner) says:

> NO! ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM. IT IS IMPOSSIBLE TO
> PROTECT A FILE BY LOCKING IT. PERIOD. ABSOLUTELY NOT. IT DOESN'T HAPPEN.

Agreed.

> The only way to protect a file is to have it on a locked volume.

Depends upon how the volume is locked; the only true locking is hardware write protection, available on floppies and some optical drives (I think).

> However, I have a "utility" which will
> overwrite any resource in any file, and that's all the more specific I am
> going to get about it because I don't want some amateur hack reading this
> to get any ideas. Saying that it can be done is bad enough - it encourages
> the ones that don't know ... yet. At any rate, file locking AND PROTECTING
> (via some sector editor) do not stop this "utility" from working - no, it's
> not ResEdit, but I haven't tried ResEdit, although I would assume that it
> won't work.
I don't think any hacker's going to be surprised at this information; "File Locked", "File Busy", "File Protect" are just bits in the header information of the file; there are lots of utilities which can modify some or all of these file attribute bits --- if Finder (just another program to the Mac) can set these bits, it's evident that other programs can, too, such as ResEdit, MacTools/FileEdit, SUM Tools, Fedit Plus, and DiskTop DA, to name just a few.

jo

------------------------------

Date: Tue, 25 Jun 91 15:11:00 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Self-Modifying SETVER.EXE (PC)

>From: Robert McClenon <76476.337@CompuServe.COM>
> I just discovered after twenty minutes of unpleasantness that
>SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING
>CODE.

Actually, this is much better than earlier (beta) versions in which SETVER modified other things (even nastier). Since I did not bother to install SETVER, this is not a problem for me and I have not yet run into an application/game/etc. that requires its use, though I have heard rumors of such programs.

Further, once one teaches SETVER which (shouldn't be many) programs require DOS to report/act like a different version to work, SETVER should not be changing unless a new non-conforming program is added. Even so, the rate should not be a problem, & the user should know that something "legal" was done.

For some time, my feeling has been that "intelligent" anti-viral software should be able to recognize when a program is allowed to write to itself (SETVER, LIST) or to a limited subset of other programs (WSCHANGE - WORDSTAR) & notify the user but not make a fuss about it. Now if SETVER tries to modify LIST, I would be concerned, but not when it modifies itself when I ask it to. To me, strict checksum coverage of 98% of my files is "good enough" (quantum economics) that not much safety would be lost if the other 2% were permitted LIMITED privilege with notification.
Heck, the whole concept of "privilege" receives only lip service (and much obfuscation) from DOS.

IMHO, it would seem that MicroSoft had a choice: let SETVER modify system files (tried & rejected in beta), a separate data file (possible but must always be able to find it), or itself. Given all the variables, I think they probably made the most efficient (but not necessarily the most popular to anti-virus program writers) decision.

Cooly,
Padgett

Might be some one else's opinion also but probably not my employer's.

------------------------------

Date: Tue, 25 Jun 91 19:21:10 +0000
From: EIVERSO@cms.cc.wayne.edu
Subject: Re: Hypercard Antiviral Script? (Mac)

From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
[stuff deleted]...
>and as long as LockMessages is set, and as long as one checks the
>script of stack xxx before opening it, it's essentially impossible to
>infect yourself by opening a stack - ASSUMING YOU CHECK THE SCRIPT OF
>THE STACK FIRST.
>The code to scan a stack is essentially the same as the SearchScript
>code that y'all will find in your HOME stack, only you have to modify
>it to accept a file name (answer file...everyone remember now?...)
>anyway, after you do that, the search string is "set the script of".
>HOWEVER, it is possible that someone has the viri sitting in an XCMD
>or XFCN which they invoke, so you should also check the resources they
>have attached to their stack...so you see, it becomes a pain to simply
>scan the stack script because you also need to scan the resources to
>be effective.

Mike, I appreciate what you're about & am not trying to engage in one-upmanship but....

Don't forget that the script could be in any object, not just the stack script or an XCMD. Maybe SearchScript checks all objects, I forget.

You won't find the string if it's concatenated--i.e.:

  on openCard
    put "set the scr" & "ipt of ..." into virusVariable  --search would miss this
    --other malicious code goes here
  end openCard

Thanks for the advice about being able to check for a "set" within a "send". I will really believe it after I test it, though.

If you'd like, I could send you the exact script which I believe can bypass any HC "vaccine". Others need not ask, especially don't contact my ID directly.

- --Eric

------------------------------

Date: Wed, 26 Jun 91 01:01:06 +0000
From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: Hypercard Antiviral Script? (Mac)

I agree that with do's it becomes harder to ensure that you catch a virus, but I also think that it would be relatively easy to spawn out (e.g. if the virus writer came up with his or her own encryption method and used the stack script with do's to unencrypt the scripts) and check fields and so forth for the necessary SETs.

I hadn't thought about your idea before, but it is clever and does cloud the issue some more. What can make it even harder is if the commands to be DOne are in a file which is also encrypted, and the stack first unencrypts the files then uses the code in the files and in the fields to unencrypt the other scripts that must be run.

My biggest concern, though, is that there will also be a resource lurking in a stack whose name and type and contents, obviously, can be changed to disguise them by the virus calling a code resource that it has attached to itself and thus fooling everyone, including the GateKeeper-like module of SAM. Why some virus hack hasn't done this yet is beyond me. The virus could be coded to encrypt itself on some date or time parameter and need the system date or some similar mechanism to untie itself, thereby making detection pretty difficult at best. The detection program would then have to look for the decoding resource, which may also be obscured by making it look like something else. My head is spinning from all the possibilities.
I'm just glad I don't have a PC and have to tolerate all their virus problems. To think this all started on a Mac.

Mike

------------------------------

Date: Sun, 23 Jun 91 23:07:08 -0500
From: James Ford
Subject: FPROT116.ZIP uploaded (PC)

The file FPROT116.ZIP has been uploaded to risc.ua.edu (130.160.4.7) in the directory pub/ibm-antivirus.

Please note (once again) that mibsrv.mib.eng.ua.edu will no longer be available after June 24, 1991. The archive has moved to RISC.UA.EDU.

Please send all problems/complaints/suggestions to jford@ua1vm.ua.edu or jford@risc.ua.edu.

- ----------
You cannot antagonize and influence at the same time.
- ----------
James Ford - jford@ua1vm.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date: Wed, 26 Jun 91 11:00:42 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Can such a virus be written .... (PC)

It seems I misunderstood a question which was posted here a while ago, so please disregard my earlier reply....

>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
> Is it possible to write a PC virus which installs itself whenever
>you place an infected disk in the drive and do a DIR command ?

I wrote:

>Not only possible - many such viruses already exist. They are either boot
>sector infectors which intercept INT13 and infect a disk whenever it is read
>from, or file infectors which intercept the FindFirst/FindNext functions -
>the DIR and DIR-2 viruses are a prime example.

But, as I said, this was a misunderstanding - I thought the original poster meant whether a resident virus could infect a diskette simply when the user issued a 'DIR' command. However, the question was whether a virus-infected diskette could infect the system, when the user issued a 'DIR' command. The answer to that question is a definite NO - on a PC, that is - but I am not sure if the same applies to the Amiga or the Mac - perhaps somebody else can clarify that.
Sorry about any confusion caused by my earlier reply...

- -frisk

------------------------------

Date: Wed, 26 Jun 91 11:19:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Re: Can such a virus be written .... (PC)

Kevin_Haney%NIHCR31.BITNET@CU.NIH.GOV writes:
> vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt)
> writes:
>>
>> Is it possible to write a PC virus which installs itself whenever
>> you place an infected disk in the drive and do a DIR command ?

I wrote...
> Yes. But on a PC this requires certain conditions, which mean it
> probably wouldn't spread very far.
>
> I would like to know just what these conditions are.

I'm not sure if I should broadcast the way in which a virus could do this, but I suppose I could mention the conditions... (1) Have ANSI.SYS (or similar) loaded, (2) Possibly make assumptions about what the user will type next, (3) Assume the user doesn't look too hard at the directory listing.

I would expect such a virus, if it can be written, to have a low chance of spreading far. However, it is important to accept that *possibly* a virus could spread on PC's this way.

Mark Aitchison.

------------------------------

Date: Tue, 25 Jun 91 15:10:24 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: Can such a virus be written .... (PC)

dkrause@miami.acs.uci.edu (Doug Krause) writes:
> vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes
> #
> # Is it possible to write a PC virus which installs itself whenever
> #you place an infected disk in the drive and do a DIR command ?
>
> Doesn't STONED act that way?

Well, yes and no. (Parenthetically here, let me state that it is hard to state with much assurance "what 'Stoned' does", since it must be the most widely "strained" viral program around today. But anyway ...) The Stoned virus usually will infect any disk that you "read" with a DIR command.
But, in fact, it will infect just about any disk that it does access, regardless of how it does it. That said, the various strains show tremendous differences. I have one which will only infect disks in the A: drive, and another which refuses to infect anything unless some odd conditions are satisfied. (I haven't figured them out completely, but one sure way to infect a disk is to read it with PCTOOLS.) (Sorry for the line noise today.)

=============
Vancouver        p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for    Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into    (SUZY) INtegrity          | turn it on."
User             Canada V7K 2G6            | Richards' 2nd Law
Security                                   | of Data Security

------------------------------

Date: Tue, 25 Jun 91 17:17:19 +0000
From: kenm@maccs.dcss.mcmaster.ca (...Jose)
Subject: Re: Can such a virus be written .... (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:
>>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes :
>> Is it possible to write a PC virus which installs itself whenever
>>you place an infected disk in the drive and do a DIR command ?
>
>Not only possible - many such viruses already exist. They are either boot
>sector infectors which intercept INT13 and infect a disk whenever it is read
>from, or file infectors which intercept the FindFirst/FindNext functions -
>the DIR and DIR-2 viruses are a prime example.

I'm not sure that this (very correct) answer actually responds to the question. If I'm not mistaken, the question is whether a virus on a diskette can infect the system/hard drive simply by doing a DIR of the infected diskette; i.e. can simply reading the infected disk cause the virus to be loaded into memory. I can't see how. Mr. Skulason, I think, is referring to a virus already in memory subverting the DIR command to place itself on a clean diskette.

Have I interpreted everyone's statements correctly?
....Jose

- -----------------------------------------------------------------------------
".sig quotes are dippy" | Kenneth C. Moyle             kenm@maccs.dcss.mcmaster.ca
   - Kenneth C. Moyle   | Department of Biochemistry   MOYLEK@MCMASTER.BITNET
                        | McMaster University          ...!uunet!mnetor!maccs!kenm

------------------------------

Date: 26 Jun 91 14:40:21 -0400
From: "David.M.Chess"
Subject: Inside the Whale-Virus (PC)

No, I don't think anyone's ever found any evidence of any significant "payload" inside the Whale. It spent so much (primarily futile) effort in being hard to analyze that it didn't have room for any sophisticated payload (or even for correct operation, hehe!).

DC

------------------------------

Date: Tue, 25 Jun 91 18:01:29 -0700
From: mcafee@netcom.com (McAfee Associates)
Subject: Announcing McAfee VIRUSCAN Version 80 (PC)

WHAT'S NEW

VIRUSCAN

Versions 78 and 79 of VIRUSCAN were skipped because of two trojan horse versions that appeared. Version 80 of SCAN logically follows V77.

Version 80 adds several new features to VIRUSCAN: The first is that SCAN now checks inside of files compressed with PKWare's PKLITE program for viruses. Files infected before compression will be reported as being infected internally. Files infected after compression will be reported as being infected externally.

When a subdirectory is scanned, SCAN will check subdirectories below that subdirectory when the /SUB option is used. The extension .SWP has been added to the list of extensions scanned by default. The /REPORT option now displays version number, options used, date and time, and validation code results.

Also, the capability to detect unknown boot sector viruses by scanning for virus-like code has been added. If a boot sector is found that contains suspicious code, SCAN will report that the disk contains an Unrecognized Boot Sector Virus.

51 new viruses have been added.
Ones that were reported at multiple sites are:

The Telephonica virus -- a memory-resident multipartite virus that infects the boot sectors of floppy disks, the hard disk partition table, and .COM files. The virus infects .COM files at about 15 minute intervals, and keeps a counter of the number of reboots that have occurred. When 400 reboots have occurred, the virus displays the message "VIRUS ANTITELEFONICA (BARCELONA)" and formats the hard disk. The virus has been reported at multiple sites in Barcelona, Spain and in England.

The Loa Duong virus -- a memory-resident floppy disk and hard disk boot sector infector. It is named after a Laotian funeral dirge that it plays after every 128 disk accesses.

The Michelangelo -- a floppy disk boot sector and hard disk partition table infector based on the Stoned virus. On March 6, Michelangelo's birthdate, it formats the hard disk of infected PC's.

The Tequila virus -- sent to us from the United Kingdom but originates in Switzerland. It is a memory-resident multipartite virus that uses stealth techniques and attaches to the boot sector of floppies, partition table of hard disks, and .EXE files. It contains messages saying "Welcome to T.TEQUILA's latest production.", "Loving thoughts to L.I.N.D.A", and "BEER and TEQUILA forever !"

CLEAN-UP

The Empire, Form, Loa Duong, Michelangelo, Nomenclature, Tequila and V-801 viruses have been added to the list of viruses that can be successfully removed.

VSHIELD

Version 80 of VSHIELD adds a command to ignore program loads off of specified drives. When the /IGNORE option is activated, the user can specify from which drives VSHIELD will NOT monitor program loads.

Also, the capability to detect unknown boot sector viruses by scanning for virus-like code has been added. If a diskette boot sector contains suspicious code and a re-boot request is attempted from the diskette, VSHIELD will disallow the re-boot and will report that the disk contains an Unrecognized Boot Sector Virus.
NETSCAN

Version 80 of NETSCAN adds 51 new viruses.

VCOPY

VCOPY Version 80 hasn't been released yet, but should follow in a couple of days, as usual.

THE NUMBER OF VIRUSES

Version 80 adds 51 computer viruses, bringing the number of strains to 293, or, counting variants, 714.

Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date: Tue, 25 Jun 91 08:02:40 -0600
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - Central Point Anti-Virus (PC)

*******************************************************************************
PT-36                                                                June 1991
*******************************************************************************

1. Product Description: Central Point Anti-Virus (CPAV) is a product to detect, disinfect and prevent virus infections as well as protect against the introduction of "unknown" and/or malicious code.

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 NW Greenbrier Pkwy., Suite 200, Beaverton, OR 97006. A marketing number, current as of 6 Jun 91, is 1-800-445-4064. The retail price of the product is $129.00. Site licenses are available.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-8174, DDN: drhodes@wsmr-emh04.army.mil; Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.
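The HyperCard exchange between Michael Kerner and Eric earlier in this issue turns on one detail: SearchScript-style scanning looks for the literal text "set the script of", and a handler that builds that text from two literals joined with & never contains it. The following is an added example, not code from either poster or from any HyperCard tool: a small Python scanner that folds literal concatenations (& and &&) before searching, checks every object's script rather than only the stack script, and flags do statements for manual review, since a script that is decrypted at run time, as Mike describes, cannot be resolved statically. The stack and its handlers are constructed for the demonstration.

```python
import re

# Constructed HyperTalk handlers for a made-up stack; none is real virus code.
# "stack script" uses the search string plainly, "card 1 script" splits it
# across two literals joined with & (the evasion Eric describes), and the
# button script is benign but uses && (join with a space), so the folding
# must keep the two operators apart.
SAMPLE_STACK = {
    "stack script": 'on openStack\n  set the script of stack "Home" to newCode\nend openStack',
    "card 1 script": 'on openCard\n  put "set the scr" & "ipt of ..." into virusVariable\nend openCard',
    "button 3 script": 'on mouseUp\n  put "hello" && "world" into card field 1\nend mouseUp',
}

STRING_LIT = r'"[^"\n]*"'
# Two adjacent literals joined by & (no space) or && (one space between them).
CONCAT_RE = re.compile(rf"({STRING_LIT})\s*(&&|&)\s*({STRING_LIT})")


def _merge(m: re.Match) -> str:
    left, op, right = m.group(1)[1:-1], m.group(2), m.group(3)[1:-1]
    return '"' + left + (" " if op == "&&" else "") + right + '"'


def fold_literals(line: str) -> str:
    """Merge chains of literal concatenations so that "set the scr" & "ipt of"
    becomes the single literal "set the script of" before any search runs."""
    prev = None
    while prev != line:
        prev = line
        line = CONCAT_RE.sub(_merge, line, count=1)
    return line


def scan_script(script: str) -> list:
    """Return (line number, kind, folded line) for suspicious lines.
    'set-the-script' is the SearchScript string from the thread; 'dynamic-do'
    marks do statements, which cannot be resolved statically and need a look."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        folded = fold_literals(raw)
        lowered = folded.lower()          # HyperTalk is case-insensitive
        if "set the script of" in lowered:
            findings.append((lineno, "set-the-script", folded.strip()))
        elif re.match(r"\s*do\b", lowered):
            findings.append((lineno, "dynamic-do", folded.strip()))
    return findings


def scan_stack(objects: dict) -> list:
    """Scan every object's script, not only the stack script (Eric's point that
    the handler can live in any card, background, field or button)."""
    return [(obj, lineno, kind, text)
            for obj, script in objects.items()
            for lineno, kind, text in scan_script(script)]


if __name__ == "__main__":
    for hit in scan_stack(SAMPLE_STACK):
        print(hit)
```

Resources (XCMD/XFCN code) attached to the stack are outside what a script scanner can see, as Mike notes, and need a separate check.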
------------------------------

End of VIRUS-L Digest [Volume 4 Issue 110]
******************************************

Date: Thu, 27 Jun 91 10:53:42 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #111
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Thursday, 27 Jun 1991   Volume 4 : Issue 111

Today's Topics:

Correction to Volume 4 Issue 110
What info is available on viruses? (PC)
Why Patricia Hoffman's virus summary is not on SIMTEL20 (PC)
Re: Can such a virus be written .... (PC)
re: doom2:reply (PC)
Can such a virus be written .... (PC)
re: McAfee on VSUM accuracy and Microcom (PC)
VIRx Version 1.5 Released (PC)
Re: protecting mac files via locking (Mac)
Re: Virus checking for Sun4 (UNIX)
Re: Can such a virus be written .... (PC)
Re: McAfee on VSUM accuracy and Microcom (PC)
Re: Virus protection: what to use.
----------------------------------------------------------------------

Date: Wed, 26 Jun 91 15:25:57 -0400
From: Kenneth R. van Wyk
Subject: Correction to Volume 4 Issue 110

In V4I110, I posted the first couple sections of a product review on Central Point Anti-Virus by Chris McDonald, but forgot to add a note saying that the rest of the review (and Chris's other reviews) is available by anonymous FTP on cert.sei.cmu.edu (IP number 128.237.253.5) in the pub/virus-l/docs/reviews directory.

Sorry,
Ken

------------------------------

Date: Wed, 26 Jun 91 16:09:13 -0400
From: Jean-Serge Gagnon
Subject: What info is available on viruses? (PC)

Does anyone have a list of different viruses and their known effects on the computers that they infect? And where can I get the latest version of SCAN?

I'm asking because I'm new to viruses. I've been in computers a while, but never in such a virus prone environment like a University. Any replies would be welcome as I have a very scarce knowledge about this subject. I.e. I know about stoned and that's about it, I don't even know what it does apart from saying "Your PC is now stoned!".

Thanks.

Jean-Serge Gagnon
Specialiste en Equipement Informatique / Hardware Maintenance Specialist
Universite d'Ottawa / University of Ottawa
(613) 564-5903 ou/or 7183

------------------------------

Date: Wed, 26 Jun 91 15:51:00 -0600
From: Keith Petersen
Subject: Why Patricia Hoffman's virus summary is not on SIMTEL20 (PC)

I have received many inquiries as to why SIMTEL20 does not have VSUM, Patricia Hoffman's virus summary list. SIMTEL20 is prohibited by the author from carrying VSUM. Patricia Hoffman blamed us for a problem caused by someone who downloaded her file from our collection.
Since her virus summary list is copyrighted we must comply with her wishes, even though the file is available on almost any BBS and many other FTP sites. The file is available from risc.ua.edu [130.160.4.7] in the directory pub/ibm-antivirus.

Keith
- --
Keith Petersen
Maintainer of the MSDOS, MISC and CP/M archives at SIMTEL20 [192.88.110.20]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz   BITNET: w8sdz@OAKLAND

------------------------------

Date: Wed, 26 Jun 91 18:05:17
From: c-rossgr@microsoft.COM
Subject: Re: Can such a virus be written .... (PC)

>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
>
>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
>>
>> Is it possible to write a PC virus which installs itself whenever
>> you place an infected disk in the drive and do a DIR command ?

>1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed.

There is at least one batch file running around that, when you "exec" it, it turns into a virus. If a machine is using ANSI.SYS, it is possible to rename files to provide for reprogramming the keyboard. An argument can be made that causing the, say, F3 key to execute some program or some batch file due to it being reprogrammed could mean that doing a simple directory could later *cause* a virus to be executed.

Ross

------------------------------

Date: Wed, 26 Jun 91 18:20:33
From: c-rossgr@microsoft.COM
Subject: re: doom2:reply (PC)

>From: Eric_Florack.Wbst311@xerox.com
>
>>Actually, the strings are trivially "encrypted" to prevent the image
>>out on disk from triggering who-knows-how-many other scanners out
>>there.

>On /DISK/, yes. But consider the amount of scanners, including McAfee that
>look at RAM, as well. False trip city, as we have seen.

Sigh. Look, I simply didn't remove the strings from memory. What's your point?

>...[why should I bother to encrypt the strings except trivially?]...
>This misses the point altogether. My point was simply that without encryption
>of one sort or another, even in RAM, another package will false trip. If you
>think that people are going to depend on your package alone for protection,
>this might not cause a problem. But a reality check (facilitated by a quick
>peek at the postings in here) will prove that doesn't happen.

No, I get the point: my income depends on it. I had a bug. It's fixed in Version 1.5, released about ten minutes ago. A reality check would show that out of the thousands of people who run our code daily, about ten have complained about the interaction due to a bug that is now fixed.

>My point in this case was the person doing the altering
>to route around your code being the original author. Moreover, we
>have seen several varieties of a particular virus around, indicating
>more than one person altered one person's code. This is commonplace.
>(Can you say 'Stoned'? Sure. I knew you could.) Obviously, virus code
>is being passed around, by writers of such code, like a wine bottle at
>a garbage can fire. Getting the original code is therefore no problem.

No matter what string is used, and no matter what the encryption routine for that string might be, it would be trivial to ascertain what that string is -- and without having to break the encryption. I know that your intentions are most likely good, sir, but you really have not stopped to consider all the issues before you post. You may think you have the solution to a non-problem, but your solution does nothing except add another area where a bug can creep in without providing anything but a *potential* feel-good-warm-fuzzy feeling. It does nothing but provide me with extra work and does not provide any benefit to the end user community.

>>>Encrypting the search strings in your code, therefore is always a good
>>>idea, as is cleaning up the mess your program makes in RAM. VIRx,
>>>apparently doesn't address these two points.
>>Wrong on both counts. It is interesting, though, that about 20 beta
>>testers did not find that problem at all....

>First point: How on earth is cleaning up RAM you've allocated with
>your program before the program closes to be considered a BAD idea?
>Ditto a string encryption?

Simply because somebody says that encrypting the strings is a good idea does not make it a good idea. And, except for a bug that occurred in certain circumstances, the cleanup was typically done.

>As for your beta testers not finding the problem, I suggest to you
>that perhaps they missed a major problem. Without being judgemental,
>here, finding this problem after beta was complete would seem to call
>into question the validity of certain of your test results.

Actually, it just showed that our beta testers did not run into that problem (recall that the reports I mentioned above were limited in number). This implies that they don't use one of our competitor's products. So what? There are many people who opt not to use our competitor's products. In fact, I hope to make sure that hardly anyone uses any of my competitor's products by providing better code than anybody else. And, sometimes, a minor mistake is made and is blown way out of proportion.

Ross

------------------------------

Date: Wed, 26 Jun 91 12:10:19 +0100
From: "Pete Lucas"
Subject: Can such a virus be written .... (PC)

Most DOS PCs do not implement a hardware 'media change' flag, so they do not know that a diskette has been inserted until you try reading from it. (This is unlike an Apple Mac that has a 'media change' sense on its diskette drive.) A virus doesn't 'know' that a new diskette has been inserted on a PC until the virus has had a look at what's there.

Of course the write-protect notch/slide is 99.99% effective in my experience at preventing any illicit writes; you would, of course, have write-protected any diskette you put in the drive before doing the hypothetical DIR command, wouldn't you?
(I do actually have a notchless diskette that on *some* drives can be written to - the diskette jacket is semi-transparent and on drives that use optical notch-sensing, enough light *sometimes* gets past to make the thing writable.... oh confusion!)

Pete Lucas
PJML@UK.AC.NWL.IA
PJML%IA.NWL.AC.UK@UKACRL

------------------------------

Date: Wed, 26 Jun 91 18:37:03
From: c-rossgr@microsoft.COM
Subject: re: McAfee on VSUM accuracy and Microcom (PC)

>From: mcafee@netcom.com (McAfee Associates)
>
>>From: Ross Greenburg
>>One of the interesting things: Microcom, the people who publish and
>>market my code, is expressly forbidden from using McAfee products by
>>the vendor itself.
>
>We have
>never refused to sell our products to anyone, and our policies will
>not change. It's a strange comment considering that 99.9% of all of
>our users use our products without telling us or paying us anyway (one
>of the side effects of shareware). How would we ever know?

This is good news. I was under the impression that Microcom attempted to license a copy from you and was told that they may not use it without a license and that a license would not be issued to Microcom under any circumstances. I am glad that the information given to me is false and that Microcom is expressly being given permission to utilize this product from the vendor. I would presume there is a charge for such usage: what would that charge be for *only* one computer to use your product? I'll be sure to report that amount to the Microcom people I deal with.

Ross

------------------------------

Date: Wed, 26 Jun 91 18:42:35
From: c-rossgr@microsoft.COM
Subject: VIRx Version 1.5 Released (PC)

I'm pleased to announce that version 1.5 of VIRx has been released, today, for distribution. VIRx is a freely distributable scanning program -- there is *no* charge associated with it, although copyrights *are* maintained by both Microcom and me. You should be able to grab a copy off of SIMTEL-20 almost immediately.
Additionally, it is available on CIS and on my BBS at 212-889-6438.

=== What's New In VIRx Version 1.5 ==============================

Date: 6/26/91

1. VIRx 1.5 detects over 80 additional newly discovered viruses, bringing the total to almost 500. This was accomplished without slowing down the scanner.

2. Wildcard string scanning is included for detecting viruses otherwise resistant to general scanner detection.

3. VIRx scans PKLite pre-compressed files internally about 10% faster than previous versions; probably not noticeable except on slower machines.

Problems Corrected from v1.4:

1. Another rare problem with scanning certain Novell Network server volumes has been corrected.

2. The technique used to clean our scanning search strings out of memory has been changed. This change will prevent certain other anti-virus scanners from erroneously reporting an assortment of viruses active in the computer's memory immediately after a VIRx scan has completed.

3. Certain rare situations would result in VIRx scanning extremely slowly. This has been fixed.

------------------------------

Date: Thu, 27 Jun 91 00:22:25 +0000
From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: protecting mac files via locking (Mac)

In regards to the "Well, you can override the bit settings" (sorry, I forgot to copy the article in here), the point I was making was that even beyond that, this little bugger (no, it's not in the Sector Editor group that was listed) will also overrun open resources - this is something that I have not seen any other "utility" accomplish. I know it is possible to do, but I just haven't seen anybody do it.

Mike.
Mac Admin
WSOM CSG CWRU
mike@pyrite.som.cwru.edu

------------------------------

Date: 27 Jun 91 11:13:40 +0000
From: tommyp@ida.liu.se (Tommy Pedersen)
Subject: Re: Virus checking for Sun4 (UNIX)

xcaret@teal.csn.org (Xcaret Research) writes:
>Can someone point me to information about virus checking for a Sun4
>computer.
>Is there ftp'able software or any good commercial software?

I don't know if there is any ftp'able software, but there is a product called TCell which the company I work for manufactures.

***** BE AWARE!! Information about this commercial product follows... *****

TCell is more than an antivirus system; it detects any kind of unexpected change to the file system. Thus it can also be used in software management, for example to keep control that software is not changed after its release. You can probably think of yet other uses in your organization. TCell can also be used as a virus detection tool for PCs using software residing on a Unix server.

If you would like more information, send me an email at tommyp@isy.liu.se, call me at +46 13 235200 in Sweden, fax me at +46 13 212185 or write to the address below.

Tommy Pedersen
SECTRA AB
Teknikringen 2
S-583 30 LINKOPING

- --
/Tommy Pedersen
 ________________________________________________________________
|E-mail: tommyp@isy.liu.se           /\                          |
|S-mail: Tommy Pedersen             / /   Telephone: +46 13 282369|
|        Dept. of EE               |  |   FAX: +46 13 289282     |
|        Linkoping University      |.>                           |
|        S-581 83 Linkoping        |/                            |
|_______ SWEDEN ________________________________________________|

------------------------------

Date: Thu, 27 Jun 91 12:40:19 +0000
From: thomas@diku.dk (Thomas Nikolajsen)
Subject: Re: Can such a virus be written .... (PC)

frisk@rhi.hi.is (Fridrik Skulason) writes:

>>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes :
>> Is it possible to write a PC virus which installs itself whenever
>>you place an infected disk in the drive and do a DIR command ?

>The answer to that question is a definite NO - on a PC, that is - but
>I am not sure if the same applies to the Amiga or the Mac - perhaps
>somebody else can clarify that.

Amiga: yes, it is possible, and done. I only know of one virus which does that; this one is called SADDAM.
The "bug" that allows the method used by SADDAM is fixed in the (more or less released) new version of the operating system (AmigaDOS 2.0). I don't think it should be possible in AmigaDOS 2.0.

>- -frisk

thomas

------------------------------

Date: Thu, 27 Jun 91 10:18:32 -0500
From: "Bonnie Scollon"
Subject: Re: McAfee on VSUM accuracy and Microcom (PC)

John McAfee writes:

>This is news to the alleged vendor. Since McAfee Associates is the
>only vendor of the McAfee products I assume Ross means us. We have
>never refused to sell our products to anyone, and our policies will
>not change. It's a strange comment considering that 99.9% of all of
>our users use our products without telling us or paying us anyway (one
>of the side effects of shareware). How would we ever know?

This is not true. As the college virus tracker, I try to keep up-to-date copies of most anti-viral products. Of course, I can obtain copies of McAfee's software, but when I try to pay the fee, I get back a form letter saying they will not sell a single copy to a college -- we must spend thousands to obtain a site license for ALL our PCs, whether we would install the programs or not. If this is not a refusal to sell, I would not know what else to call it.

We have a site license from another vendor which was considerably cheaper. Even that one is quite expensive considering that we don't actually use the product on all the college computers. We are also looking into a site license for F-PROT, since that is certainly the cheapest site license around.

I did notice the inaccuracy in VSUM's Joshi listing. I, too, did not want to nitpick a document that obviously requires great time and effort to produce. I have tested several products with the Joshi virus and all can now remove it. I have not been keeping up with my VIRUS-L reading or I would have responded to that posting. CPAV, Vi-Spy and F-PROT will all find and remove it.
My copy of Virex-PC did not, but the dates on the files are over a year old, even though we purchased from Egghead only 4 months ago. (I have never received any update info). I do not remember if NAV removed it or not. I rarely use it any more in tests since it performed poorly when first tried.

Bonnie Scollon
Oakland Community College
(in Oakland County MICHIGAN, not California)

------------------------------

Date: 26 Jun 91 09:47:22 +0000
From: mcafee@netcom.COM (McAfee Associates)
Subject: Re: Virus protection: what to use.
Summary: Reposted by Keith Petersen

avinash@felix.contex.com (Avinash Chopde) writes:

>I was looking around on the garbo.uwasa.fi site and found it had
>plenty of virus scanners/fixer programs.
>Do I need to get hold of all of them, or are there one or two
>which should suffice ?
>
>And, I'm interested in hearing about any of your own procedures that you
>follow to prevent virus infections and perform virus cleanups.

Hello Mr. Chopde,

There are lots of anti-viral programs available now, both shareware and commercial, so without trying to be too specific, here are some things you may wish to look for:

1. Type of virus detection offered: That is, upon what criteria does the anti-viral program base its "decision" that a virus has been found? This is generally broken down into three categories: filters, change checkers, and scanners.

A filter is a program that installs itself as a TSR and monitors the system for virus-like activity (i.e., attempting to format a hard disk, write to a program file, and so forth). Filters have the advantage of being able to detect new viruses because they are not looking for specific viruses, but rather virus-methods.
The disadvantage is that they can be prone to false alarms by programs which may do virus-like activities for legitimate reasons (say, an OS or application update program that patches the executable code of the original program); they also have to be periodically updated when new virus-techniques appear that the program did not monitor; also they may have to be configured to allow programs that may do virus-like activities (say, a disk optimization program) to function -- this is not really a problem with individual (home) users, but if you're responsible for several 100's of PCs, installation could be painful.

A change checker (and this is a category that includes checksums, cyclic redundancy checks (CRCs), cryptographic checks, and so on) is a program that computes a known value for a program file (or other area of the system) and is then periodically run to compare the program file against. If the known value and the just-computed value don't match, then the file has been modified and may be infected with a virus or otherwise tampered with. The advantages to change checkers are that they will detect known and unknown viruses, like the filter, because they are not checking for specific pieces of code, but rather for changes to a computed value. They're also good for spotting tampering -- more of a computer security-related concern than virus-specific, but it is a function.
The disadvantages of this method are that this only works if the change checker is installed on a virus-free machine, otherwise the known values computed will reflect the viral code attached to its host; also, it's been theorized that if the method of change checking is known, a virus could be written to add itself to files in such a way that a checksum identical to the known (good) checksum is generated; the last problem I can think of with change checkers is that if there is a "stealth" virus present (a virus that installs itself as kind of a "file handler" in the OS) then the virus will trap reads by the change checking program, remove the viral code from the infected file, and then pass on to the CC program a "clean" file. This last one can be prevented by booting the computer with a clean (virus-free) operating system and then running the change checking program.

A scanner works by checking the system for pieces of code unique to each virus. The scanner reads the files (boot sector, partition table, etc.) of a disk and does a match against a database of bytes that are segments of viral code unique to each virus. When a match occurs, a virus is reported. This is effective for finding known viruses, since a positive ID against the virus is made. Of course, a false alarm could also occur if a file had the same instructions in it. Scanners can also check for "generic" routines, like a series of program instructions to format a disk, but these are not as reliable as the matching of viral code with its "fingerprint" of bytes because a file may use such a routine for legitimate purposes. Disadvantages to this are that a scanner will only detect known viruses and must be updated frequently, a "stealth" virus could hide from the scanner, and possible false alarms. And of course, as more viruses are added, the scanner gets s l o w e r.

2. Vendor Support: That is, what sort of assistance will the manufacturer provide?
Anti-viral software (like any software tool, only more so) generally requires more assistance than other forms of software, or perhaps I should say, more assistance of a specialized nature. Removing a virus can be somewhat tricky because a long set of steps have to be precisely followed to remove a virus AND prevent re-infection. And of course, there is the matter of any data on infected media that may have been corrupted in some way. So, knowledge (and its accompanying twin, experience) are a factor.

What sort of assistance does the vendor provide? Does the vendor have a telephone number, a fax, a BBS, internet or online services address that you can access? Is the telephone number 24 hours toll free? Or limited hours and toll? Is there a charge for assistance or is it free? If there is a charge, do you have a certain amount of free assistance? What about local reps? Is support handled through the head office which may be in another country, or are there manufacturer's reps or a branch office in your state (province, district) or country?

Another factor is currency (yes, money too, but more about that next), by which I mean how current is the program? Does it need to be regularly updated? Does an update file need to be added, or does the package have to be completely reinstalled each time? How are updates made available, and for how long? Can they be downloaded or mailed or faxed to you? Are they free or do you have to pay for them? Do you get a certain amount of free updates? If so, how is this handled? If there is a cost for updates, how much is it?

Is the software purchased (or licensed) for life or for a certain amount of time? If for a limited time, then how long? What happens when the license period runs out? And how much does it all cost?

And referrals. Does the manufacturer have satisfied customers whom you can ask about the product?

Well, sorry for making such a long post, but I did want to address as many issues as I could think of off the top of my head.
I hope this gives you some factors to consider.

DISCLAIMER: Yes, I am an employee of McAfee Associates, makers of the VIRUSCAN and CLEAN-UP anti-viral programs. However, I have tried to make this as objective as possible, without mention of anyone's products, goods, or services.

Aryeh Goretsky

- --
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 111]
******************************************

Date: Fri, 28 Jun 91 14:24:52 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #112
Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Friday, 28 Jun 1991    Volume 4 : Issue 112

Today's Topics:

Re: Can such a virus be written .... (PC)
Re: VSUM accuracy and Microcom (PC)
Version 80 VALIDATE Results (PC)
Ross-bashing
Encrypted strings
Re: Can such a virus be written ... (PC)
doom2:reply (PC)
Self-Modifying SETVER.EXE (PC)
Re: Can such a virus be written .... (PC)
MacAfee Products (PC)
Trojan horses in data files
Interesting action with MACs (Mac)
VIRUSSCAN 80 (PC)
Virusafe 4.02 (PC)
North American Distributor of Virus Bulletin newsletter

----------------------------------------------------------------------

Date: Thu, 27 Jun 91 13:41:35 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Re: Can such a virus be written .... (PC)

Good grief - this question reminds me of John Carpenter's "The Thing", it just will not die.

>> Is it possible to write a PC virus which installs itself whenever
>> you place an infected disk in the drive and do a DIR command ?

NO, NEIN, NON, NEGATORY - you cannot write a virus to infect when an uninfected PC does a DIR of an infected floppy disk (unlike the Macintosh). I don't care about batch files (which also execute, just interpretedly), ANSI control sequences (which also execute), or 1-2-3 macros. In order to subvert the DIR command (not that difficult) something MUST execute and a PC will not execute ANYTHING without being commanded to (boots result from a microcoded command designed into the CPU - part of the reason for the 640k "barrier").

Of course, once resident, code can tell the processor to do anything it is capable of doing via software, the operating system doesn't care, and at any time.
You want the PC to play "Yankee Doodle" at 5 pm? Easy. You want all the letters to fall down in a pile on the bottom of the screen every half hour? Trivial. But they all must execute first and that takes human help either by leaving a floppy in A when booting, or by executing an infected file (.COM, .EXE, .BAT, .WK1, .SYS, .APP, or whatever).

If DIR could infect, it would be easy for an infected user to say both/he/it she just put the disk in the drive to see what it was, but no, they HAD to have tried to run "ASTROT*T" or "Kermit vs the Naked Nazi Nymphs" or "1ON2" or that un-tested program with the hand-lettered label in Arabic/Swahili/Kanji.

While software commands could be hidden in a batch file with sequences that would prevent reading by TYPE (but not from LIST or even WordStar) and be passed as an unscannable uuencoded, packed, compressed file, at some point some person had to tell it to execute whether or not they knew they were doing so. Only then can a virus (or any other malicious software) infect a PC.

Padgett

If this doesn't kill the subject, I'll have to use a lead pipe.

------------------------------

Date: Thu, 27 Jun 91 13:36:08
From: c-rossgr@microsoft.COM
Subject: Re: VSUM accuracy and Microcom (PC)

>From: "Bonnie Scollon"
>
>.... My copy of Virex-PC did not but
>the dates on the files are over a year old, even though we purchased
>from Egghead only 4 months ago. (I have never received any update
>info)....

Bonnie, please call 919-490-1277 and holler and scream at the folks at Microcom? I *know* that there have been many updates to the code in the last year, especially in the last quarter. If you're a registered user and you didn't receive a free update to Version 1.2, there is something *very* wrong. Version 2.0 has *finally* entered into final beta, and should be available very shortly: for those who have purchased VIREX-PC recently, send in your registration card and you'll get a free update to Version 2.0.
We've disinfected Joshi for quite a while and Egghead selling outdated code *really* burns my butt: please report the store number to Microcom as soon as you can? Thanks!

Ross
Author, Virex-PC, VIRx and FLU_SHOT+

------------------------------

Date: Thu, 27 Jun 91 09:04:25 -0700
From: mcafee@netcom.com (McAfee Associates)
Subject: Version 80 VALIDATE Results (PC)

I've had a request from Europe to post the validation results for the new release of SCAN (et al) because they do not receive the "Authentic Files Verified" from the version of PKZIP distributed outside of North America.

VALIDATE Results for Version 80 of SCAN/CLEAN/VSHIELD/NETSCAN

CLEAN-UP V80     (CLEAN.EXE)     S:119,999  D:06-24-91  M1: F8AE  M2: 05DD
NETSCAN V80      (NETSCAN.EXE)   S:87,437   D:06-24-91  M1: 705F  M2: 04F6
VIRUSCAN SCANV80 (SCAN.EXE)      S:87,437   D:06-24-91  M1: 58A9  M2: 0538
VSHIELD VSHLD80  (VSHIELD.EXE)   S:33,403   D:06-18-91  M1: 5607  M2: 0C19

VALIDATE Results for VALIDATE and VSHIELD1 (not changed since last release)

VALIDATE V03     (VALIDATE.COM)  CRC Add S:6,495  D:10-31-89  M1: 4637  M2: 1214
VSHIELD1 0.2     (VSHIELD1.EXE)  S:11,281   D:02-14-91  M1: 6B40  M2: 103E

Aryeh Goretsky
McAfee Associates Technical Support

(Sorry for the delay, Paul!)

------------------------------

Date: Thu, 27 Jun 91 16:00:34 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Ross-bashing

All right, enough already. So there was a conflict between two SCAN programs that caused a "false positive" when one was run immediately following another. This is nothing new to the anti-virus industry; a few months ago two products much closer related than Vir-X and whatever the other one was consistently reported the "12-Tricks" when run one after the other. Until recently when memory scanning became de rigueur, and thank goodness it did, no-one bothered to clean memory following a scan.

Remember the Prodigy STAGE.DAT controversy a few months ago?
It all started when someone scanned the disks before installing the *P* upgrade and discovered a host of virus names and strings inside the .DAT file. Why? My thought is that *P* needed to create a contiguous fixed-size file on disk and did it the simplest way possible: by just creating a giant memory buffer (without putting anything in it) and copying it to disk to create the STAGE.DAT file. Whatever happened to be in memory at the time was just swept along. Since a scanner had just been run that left all of the strings in memory, this became STAGE.DAT.

Now clearing free memory is trivial; one easy way would be for a scanner to clear memory before loading, but then if a virus was present a) the system would probably crash and b) you would not get a virus report. I fully expect the next generation of anti-virus tools to be able to disconnect a virus from memory when found (if it can identify it, it should be able to remove it and at least determine if it is active or not).

On the subject of encryption, I agree with Ross, a trivial one is sufficient to avoid false positives at least until signatures reach a significant portion of the number of ten-byte signatures - on the close order of 10^24 - which should take a while. To keep them encrypted at all times except when individually used would cause an extreme performance loss for something that is already slow.

Meanwhile, the real key piece of information seems to have been missed - why the signatures were still in memory. When the second scanner loaded, it should have overwritten the RAM Ross was using; therefore, for this to happen, Ross's code, when expanded in memory, had to be longer than the subsequent program (why there probably have not been more "false positives" rather than any deliberate avoidance). I suspect that the "virus" string found was near the end of the expanded search string list and the list followed the executable code.
Consequently, there may be an easier way than wiping memory - in a program you have a choice as to where buffers are placed. If the decrypted strings were kept in a buffer area at the front of the program and followed by the executable code that (hopefully) does not match anyone else's viral signatures, any other scanner that follows should overwrite all the strings before starting. Since when loading "high" a quick way to lock up a machine is to use expanding buffers beyond the file size, these concepts should also be considered by any memory resident routine.

Just some thoughts,

Padgett
Somewhere west of Orlando

ps Life is a learning process, when one stops, so does the other. - app

------------------------------

Date: Thu, 27 Jun 91 13:21:28 -0700
From: Eric_Florack.Wbst311@xerox.com
Subject: Encrypted strings

hi, Ross;

- -=-=-=
>On /DISK/, yes. But consider the amount of scanners, including McAfee that
>look at RAM, as well. False trip city, as we have seen.

Sigh. Look, I simply didn't remove the strings from memory. What's your point?
=-=-=

Exactly this: False trips cause problems for both you and the person whose machine is falsely diagnosed as being infected. Such false trips cost both of you income. A point which, given the release info I've just gotten on v1.5, you tend to agree with.

You say:
=-=-=
>As for your beta testers not finding the problem, I suggest to you
>that perhaps they missed a major problem. Without being judgemental,
>here, finding this problem after beta was complete would seem to call
>into question the validity of certain of your test results.

Actually, it just showed that our beta testers did not run into that problem (recall that the reports I mentioned above were limited in number). This implies that they don't use one of our competitor's products. So what? There are many people who opt not to use our competitor's products.
=-=-=-

The `so what' is that many others /do/....
Allow me to explain that one of the things I do for a living is such testing. IMHO, interfacing with other, similar products, where possible (even if only for direct a/b comparison), is part of a complete test.

You say:
=-=-=
And, sometimes, a minor mistake is made and is blown way out of proportion.
- -=-=-=

Sorry, Ross, if you thought my posting was blowing your error out of proportion, but I honestly don't see how. Recall, please, that this thread started with a general post that was directed at all of us for input on a specific problem. My intent was not to attack a particular program. (Indeed, the names of the packages the author mentioned were one point I didn't even consider....) but rather, my intent was a general answer.

Good hearing from you.

------------------------------

Date: 27 Jun 91 15:41:00 -0500
From: "William Walker C60223 x4570"
Subject: Re: Can such a virus be written ... (PC)

Steven van Aardt (vanaards@project4.computer-science.manchester.ac.uk) writes:

> Is it possible to write a PC virus which installs itself whenever
> you place an infected disk in the drive and do a DIR command ?

Lots of people replied:

> Yes.

But A. Padgett Peterson (padgett%tccslr.dnet@mmc.com) replies:

> No ... you cannot BECOME infected in this manner.

Padgett is right. To infect a PC, viral code must be executed from the medium on which it is stored. The DIR command does not execute any code from the disk or diskette it is viewing, but just displays the information contained in the sectors of the requested directory or subdirectory. Therefore, if you do a DIR of an infected diskette on a clean PC, there is no way to infect the PC.

Someone else has mentioned the possibility of renaming a file to contain ANSI.SYS codes for remapping the keyboard, but this would not be transparent to the user, as the remaining information (date, time, and size) would be shifted to the left.
Bill Walker ( WALKER@AEDC-VAX.AF.MIL )   |
OAO Corporation                          | "Non sequitur -- your facts are
Arnold Engineering Development Center    |  un-coordinated."
M.S. 120                                 |              -- NOMAD
Arnold Air Force Base, TN 37389-9998     |

------------------------------

Date: Thu, 27 Jun 91 11:52:28 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: doom2:reply (PC)

Eric_Florack.Wbst311@xerox.com writes:

> Ross says:
> - -=-=-
> The signature a scanner uses is of no use to a bad guy unless he or
> she already has the subject virus on hand, in any case.
> =-=-=-
> Of course not. My point in this case was the person doing the altering
> to routre around your code being the original author. Moreover, we
> have seen several varieties of a particular virus around, indicating

While this argument has some validity, I would suggest that it only serves to reinforce a point made before in this forum, and which I very strongly emphasize in my seminars and consulting. The "my scanner is better than your scanner, nyaah" school of evaluation misses a vital point: any two scanners are better than either alone. Even though I feel that Ross's product is one of the best on the market, and I use it myself for my own testing and protection, I would hate to see the day when it became the only one available. As Ross has pointed out, no matter how well strings are encrypted, eventually someone will break the code, and then it is a trivial matter to write a virus that circumvents that package. However, with a number of scanner packages on the market (and even I don't have them all), the author of a virus can never know which package his code will have to go up against.

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date: Thu, 27 Jun 91 11:59:14 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Self-Modifying SETVER.EXE (PC)

76476.337@CompuServe.COM (Robert McClenon) writes:

> This is very unfriendly behavior for users who try to maintain
> any sort of discipline to control viruses, or any of various other
> sorts of discipline. Virex-PC gave me multiple alerts telling me that

Unfriendly and, unfortunately, all too common. Buried in the documentation for Mace Vaccine, which has a change detection component, you will find a note that self modifying programs will trigger false alarms, and that Mace Utilities itself makes such self modifying programs ...

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date: Thu, 27 Jun 91 16:17:25 -0500
From: THE GAR
Subject: Re: Can such a virus be written .... (PC)

>From: Doug Krause
>>
>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
>#
># Is it possible to write a PC virus which installs itself whenever
>#you place an infected disk in the drive and do a DIR command ?
>
>Doesn't STONED act that way?
>
>Douglas Krause                  One yuppie can ruin your whole day.

NO! Stoned does NOT act that way. At least if I am understanding the question properly. If I am, then the virus is impossible.

Let me make sure I understand. We have booted from some drive, C, and are now, after the COMMAND.COM from C has been loaded, doing a DIR on some infected disk, A. The question is, can the infected disk A infect C.

NO. The code that is being executed is in RAM, not on drive A. Without executing any code from A, we cannot invoke a virus.
STONED works by executing the boot sector on the infected drive A, but this can only happen at boot time, not by executing a DIR command.

Macintoshes CAN infect C from A in the above case, because inserting a disk executes the DESKTOP program on that disk. If the DESKTOP on A is infected, getting a listing will give you the virus (WDEF usually!)

/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
!  Later                   +  Systems Programmer                      !
!  Gary Warner             +  Samford University Computer Services    !
!                          +  II TIMOTHY 2:15                         !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date: Thu, 27 Jun 91 16:06:00 -0800
From: Michael_Kessler.Hum@mailgate.sfsu.edu
Subject: MacAfee Products (PC)

We investigated the issue of a license agreement with MacAfee, and it turns out that they will issue a "group" license limited to ten users who would have the right to do a virus check of the various LANs and all their stations. In other words, ten lab managers would have unlimited right to use the product once we pay a $1500 fee (approximately). At the same time, we are allowed to distribute the product as shareware for individual users.

My interpretation: I cannot use the product, except on a single station like any other individual user, since we did not pay for the license, but I can make it available to others for their personal use, leaving the question of payment to their conscience. It also means that I do not "distribute" the copy to individual users who happen to be the office secretaries in the various departments. On the other hand, I do not feel overly pressured to use this product since F-Prot (we paid the suggested fee) seems to work just fine.

MKessler@HUM.SFSU.EDU

------------------------------

Date: 27 Jun 91 23:57:00 +1700
From: VANVLECK_TOM@tandem.com
Subject: Trojan horses in data files

Mac and PC applications that read structured data files might be tricked into executing a trojan horse by an ill-formed input file.
Given garbage input, word processors, picture displayers, and spreadsheets sometimes crash by executing an illegal instruction. If the bytes making up this instruction come from the data file, the data file can act as a virus installer. I don't know if a DIR A: command can be tricked in this way; proving that it can't be, no matter what's on the floppy in drive A, would be a hard job unless the code is thoroughly defensive.

I do not believe such a trojan horse data file exists today. We should

- change scanners to scan all files, not just code
- identify applications that are vulnerable to this attack and suggest they be repaired or avoided

Tom Van Vleck

------------------------------

Date: Thu, 27 Jun 91 22:25:22 -0500
From: Thomas Lapp
Subject: Interesting action with MACs (Mac)

This came from a colleague at work who works with our PCs. In a followup message she sent to me today, she indicated that a technician seems to think it is more a problem with some flaky hardware taking a bunch of other pieces out, and that it was just coincidence that System 7 was going in at the same time... If anyone else has seen anything like this, I'd be real interested in knowing more, and passing it back to Barbara.

-tom

From: NAME: Barbara J. Miller   FUNC: ISD-P&DD/IT&E
To:   NAME: Thomas L. Lapp

Thought you might be interested in hearing about a "potential virus". It has not been declared a virus by anyone at this point, but I always like to expect the worst until it is determined.

From: NAME: Barbara J. Miller   FUNC: ISD-P&DD/IT&E
Date: 26-Jun-1991   Posted-date: 26-Jun-1991
Precedence: 1
Subject: Virus Alert - Mac's S7
To: See Below

Virus Alert:

I just received word of a virus that was encountered during a Mac System 7 installation. Both the keyboard and mouse DIED on three machines that just had System 7 installed on them. The customer then attached a voltage meter to the ADB port of a fourth machine only to find an unusually high reading.
It appears the virus destroys chips on the mouse and keyboard.

Suggestions: Be cautious when installing S7. Be sure it is a CLEAN copy - directly from Apple or from CD-ROM.

Apple has been contacted.

- tom
- --
internet : mvac23!thomas@udel.edu or thomas%mvac23@udel.edu (home)
         : 4398613@mcimail.com (work)
uucp     : {ucbvax,mcvax,uunet}!udel!mvac23!thomas
Location : Newark, DE, USA

------------------------------

Date: Fri, 28 Jun 91 10:58:34 +0000
From: t821431@minyos.xx.rmit.OZ.AU (Richard Clarkson)
Subject: VIRUSSCAN 80 (PC)

What ftp sites are VIRUS SCAN 80 available from? Can you supply the addresses?

Thanks in advance
Richard Clarkson

[Ed. See Jim Wright's monthly VIRUS-L/comp.virus archive site postings. These are posted at the beginning of each month. The most recent one was V4I96 on 3 June 1991; it is available by anonymous FTP on cert.sei.cmu.edu in pub/virus-l/archives/1991]

------------------------------

Date: Fri, 28 Jun 91 08:17:33 -0400
From: HTORRES@LEDA.HQ.NASA.GOV
Subject: Virusafe 4.02 (PC)

Any product or beta test on Virusafe 4.02. I have used it for a while and it proves to be very reliable. They are in Florida on 520 West Hwy. 436, Suite 1180-30, Altamonte Springs, Florida 32714. Please, reply.

Tito

------------------------------

Date: 28 Jun 91 13:19:01 -0400
From: Ray Glath <76304.1407@CompuServe.COM>
Subject: North American Distributor of Virus Bulletin newsletter

RG Software Systems, Inc. is pleased to announce our appointment as North American Distributor for the acclaimed "Virus Bulletin" monthly newsletter, published in the U.K. This 25+ page highly informative and unbiased publication (no advertising) contains detailed analyses of viruses, anti-virus product reviews, trend projections, and news events concerning viruses.

Anyone wishing to subscribe should contact:

Virus Bulletin
c/o RG Software Systems, Inc.
6900 E. Camelback Road, #630       Tel. (602) 423-8000
Scottsdale, AZ 85251               FAX  (602) 423-8389

One Year subscription cost: $ 350.00.
Back issues (from as early as July 1989) are available for $ 35.00 each.

Virus Bulletin states the following policy due to its editorial content: "Copies will only be sent to bona fide professionals. We reserve the right to request additional evidence concerning the subscriber's job function. Copies will not be mailed to private addresses without verification."

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 112]
******************************************

Date: Mon, 1 Jul 91 14:59:58 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #113
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday,  1 Jul 1991    Volume 4 : Issue 113

Today's Topics:

Software pricing
System 7 Keyboard Trouble (Mac)
Ross Bashing? Not at all...
My 2 cents (Mac)
Beta Testing / DS "bug" report. (PC)
Re: Software Upgradable BIOS (PC)
Words
Re: McAfee on VSUM accuracy and Microcom (PC)
So, you think you're pretty safe, eh? (general)
Two versions of SCANV80.ZIP? (PC)
Requirements for Virus Checkers (PC)
Self-Modifying SETVER.EXE (PC)
Re: Can such a virus be written ... (PC)
Re: Ross-bashing
Encrypted strings
doom2:reply (PC)
Disinfectant 2.5 (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 28 Jun 91 14:58:17 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Software pricing

I think I've missed something somewhere. $30/year for a single user Hypercard stack of virus information (a very good one though I liked it better as a flat ASCII file), $350/year for a soft cover anti-viral magazine, and people are b*tch*ng about $1500/2 years with unlimited updates to license software for 10 technicians to service (one would expect) 10,000 PCs ? $0.15/pc ? They even give telephone support!

The answer is simple: if you don't like the price, buy something else (or nothing), there are plenty of alternatives. Better yet, write your own software and support it yourself, that just takes learning and effort. Problem is not many people today seem to have heard of John Galt or TANSTAAFL.

Bemusedly,
Padgett

------------------------------

Date: Fri, 28 Jun 91 16:06:20 -0400
From: Joe McMahon
Subject: System 7 Keyboard Trouble (Mac)

In re the report of Mac hardware trouble discovered in conjunction with System 7 installation: I believe this is caused by somebody unplugging ADB devices and plugging them back in again while the power's on. This can blow the ADB chip. As far as I know, there are no software-controllable voltages/currents to chips anywhere in the machine (exclusive of predetermined control signals).
I think this is merely a coincidence. Do other machines which use the same hard disk develop the trouble? Do other machines develop this trouble when a program from the damaged one is run on them? If neither of these is true, you don't have a virus, you have a hardware failure.

--- Joe M.

------------------------------

Date: Fri, 28 Jun 91 13:21:05 -0700
From: Eric_Florack.Wbst311@xerox.com
Subject: Ross Bashing? Not at all...

Hi, Padgett:

Remember the Prodigy STAGE.DAT controversy a few months ago ? It all started when someone scanned the disks before installing the *P* upgrade and discovered a host of virus names and strings inside the .DAT file. Why ? My thought is that *P* needed to create a contiguous fixed-size file on disk and did it the simplest way possible: by just creating a giant memory buffer (without putting anything in it) and copying it to disk to create the STAGE.DAT file. Whatever happened to be in memory at the time was just swept along.
=-=-=

Right. But in this case, since the resulting data was to be written to disk it would have made sense to use CALLOC, as opposed to MALLOC as they seem to have. In *P*'s case, clearing the RAM /before/ use would have been the way to go. Matter of fact, there's still some question to my mind why they didn't go this route. I can find no practical objection to doing so. Given that they must have thought of this point, I have to assume they had some reason other than trivial performance increases for not wanting to clear out the RAM in question.

But, we digress... you are most correct when you mention that clearing RAM before scanning would crash the system and/or not report. Because of this I'm not suggesting pre-clearing the RAM for scanners and such... I'm merely suggesting clearing the already allocated RAM, /after/ the thing is done.

You say:
- -=-=-
When the second scanner loaded, it should have overwritten the RAM Ross was using......
=-=-=

Well, for the first time in recent memory I'm going to disagree with you, Padgett, for two reasons: Ross' program may not be using the same area of RAM as John's. Given the diversity of anti-viral programs out there, who knows where a program is going to leave its signatures? Would you have anti-viral writers clear all of RAM before scanning to accommodate other such writers? Clearly, the best way to accomplish compatibility and reliability is for each writer to clean up their own 'mess'.

You suggest:
=-=-=-=
If the decrypted strings were kept in a buffer area at the front of the program and followed by the executable code that (hopefully) does not match anyone else's viral signatures, any other scanner that follows should overwrite all the strings before starting.
- -=-=-=

Bad move. You're assuming that everyone will use the same buffer area. As for the strings (you hope) not being the same, isn't this where we started this merry-go-round? Obviously, they /are/ the same, in many cases, and that's where this problem started.

My best regards to you.

E

------------------------------

Date: Fri, 28 Jun 91 17:09:00 -0400
From: "Mark Nutter, Apple Support"
Subject: My 2 cents (Mac)

Regarding all the recent flap about "can a virus infect a PC just by doing a DIR of a floppy?"---

Looks to me like the original rumor was inspired by an incomplete understanding of how the WDEF virus works on the Mac. Since I have seen some references to the Mac "executing the Desktop file" etc., I thought I would try and clarify how WDEF worked. Hopefully, this will help clear up matters for both Mac users (who have to deal with it) and PC users (who don't, but might be interested anyway).

The Mac OS allows any file to have a resource "fork", which is essentially a simple database of menus, icons, code, configuration settings, etc., that is associated with the data. All executable code is stored as a resource, but not all resource files/forks necessarily contain executable code.
In systems prior to System 7.0, the Finder maintains an invisible resource file called "Desktop", which is not supposed to contain any executable resources. (Finder is the program that lets you launch programs, copy files, look at disk directories, etc.)

What WDEF did was to copy an executable resource into the Desktop file. This resource was a resource of type "WDEF" (hence the name of the virus). WDEF resources are supposed to contain code for drawing customized windows, but this resource contained a virus which installed itself and then called the standard WDEF code to actually draw the window.

The loophole exploited by the virus was that whenever the Mac OS needs a resource, it searches ALL open resource files, beginning with the last resource file to be opened. Step by step:

1) user inserts WDEF infected disk.
2) Finder opens the disk's Desktop file [note: no infection yet].
3) user double-clicks on a disk or folder icon to open up a window,
4) Finder looks for a WDEF resource to actually draw the window, starting with the most-recently opened file,
5) since the infected Desktop was the most recently opened resource file, Finder executes the viral WDEF resource instead of the standard System resource.

Infection occurs in step 5.

Observations: as of System 7.0, Finder no longer keeps any resources in its Desktop files, thus under System 7.0 and future systems, the loophole exploited by WDEF will no longer exist.

Users of pre-7.0 systems can be protected against WDEF (and other viruses that exploit this loophole) by obtaining a copy of the FREE anti-viral utility GateKeeper Aid and/or the Disinfectant INIT (also free). These utilities are available by anonymous ftp from sumex-aim.stanford.edu in the info-mac/virus directory.
Also, if by any chance you think you have a Desktop-infecting virus and you haven't got GateKeeper or Disinfectant handy, you can easily disinfect it yourself without any special hardware or software: just reboot the Mac and hold down the Command and Option keys. This signals the Finder to erase the old Desktop file and re-construct it from the contents of the disk. You will lose any Get Info comments you may have (does anybody really use those?), but you will also eradicate any *DEF viruses that may be lurking on the disk. Holding down Command/Option also works while inserting a new floppy disk.

- -----------------------------------------------------------------------------
Mark Nutter                                                      MANUTTER@IUP
Apple Support Manager
Indiana University of Pennsylvania
G-4 Stright Hall, IUP
Indiana, PA 15705
"You can lead a horse to water, but you can't look in his mouth." - Archie B.
=============================================================================

------------------------------

Date: Fri, 28 Jun 91 17:17:57 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Beta Testing / DS "bug" report. (PC)

I am just wondering if anyone has ever really had the experience of doing a full V&V (verification and validation) process on any software ? The amount of testing required is mind boggling (back in 1980 on a military program involving a 4 Mhz embedded computer that could address a whopping 32K, the estimate was that it would take the better part of a century to test every possible combination).

Having just discovered an obscure anomaly in DISKSECURE, let's use this for an example:

DISKSECURE replaces the MBR of a hard disk with code (horrors !). It is designed as a "technology demonstrator" to go resident before DOS loads and detect/prevent MBR and Boot Record infections while preventing bypass via a floppy boot. It has been out "in the real world" for about six months and I have received two reports and one possible of a problem.
It seems that in an XT with a 32 MB RLL disk (i.e. ST-238) using a Western Digital WD1002A-27X (NOT a WD1002-27X, only the "A" version reported) with the 62-000094-002 BIOS when jumpered to "translate" mode (makes the 615 track, 26 sector per track RLL drive look like a 940 track, 17 sector/track MFM drive), the controller writes 17 bytes of "something" to the MBR in a normally unused area. The WD folks I have talked to think it might be related to the "translate" mode (they promised to look into it and get back to me RSN) and I have not been able to decipher the 160+K of assembly language SOURCER provided me of the WD BIOS yet.

The real "hooker" is that I added code to version 0.95 to read back the MBR after DS installs and validate itself. Problem is it passes. I asked the people (both over 1000 miles from me) to turn off any caching and reduce the buffers to 1 (minimum DOS will accept). It still passes. But on the next boot, the seventeen bytes are changed and the validation DS does on itself when booted fails. For joy.

The point I am trying to make is that these kinds of obscure problems are going to crop up in any code. I am told that the demos of 123/W crashed repeatedly, Windows UAEs are legion, and I have lost track of the letter revisions of most major wordprocessing software. In the antiviral world, the general level of the code is so good that we get hung up when two different scanners, both of which work perfectly well on their own, disagree with each other.

For me, I am very pleasantly astounded that there are not more conflicts, false positives, or false negatives considering the incredible array of equipment and viruses out there - the talent that goes into any of the products is just incredible - and they all get updated at least quarterly.

And somebody always finds fault. Publicly.
So sure, I try to prod the manufacturers into the "next generation" by pointing out what can be done & sometimes get a bit abrasive when my instinct tells me that a wrong path is being taken - I've seen too many quotes that management can seize on to say "we don't need protection", but then it is difficult to conduct a meaningful discussion by remote control and no-one has any free time at conferences.

Now, in the best of all possible worlds, MicroSoft and Digital Research would sponsor a week-long offsite for anti-viral researchers to get together once a year in a think-tank atmosphere for brainstorming.

And if you believe that will ever happen, I have this bridge up north......

Padgett
Somewhere west of Orlando - Tourist capital of the world

------------------------------

Date: 28 Jun 91 20:00:38 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: Software Upgradable BIOS (PC)

ingoldsb%ctycal@cpsc.ucalgary.ca (Terry Ingoldsby) writes:

> It is not even necessary to place it under hardware control, rather if
> the hardware incorporates an interlock that requires a special,
> possibly unique, code, then the viruses could bash at it forever
> (almost) without success.
>
> For example if each machine thus manufactured were assigned a unique
> value in EPROM (which could not be read by the CPU), say of length 64
> bits, then the user could be queried, by the software upgrade program,
> to enter the key. If the key matched, the EAROM would be modified,
> otherwise nothing would happen.

The answer to the problem is simply to have a portion of uncorruptible boot code. This would allow the same level of protection available with rock bound BIOS today. This can be implemented in normal EPROM or a reserved portion of the flashrom.
jv

<<-- "Always Mount a Scratch Monkey"
 _____
|     |  Johnathan Vail     | n1dxg@tegra.com
|Tegra|  (508) 663-7435     | N1DXG@448.625-(WorldNet)
 -----   jv@n1dxg.ampr.org  {...sun!sunne ..uunet}!tegra!vail

------------------------------

Date: 28 Jun 91 19:50:32 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Words

Many months ago there was a small thread about various terminology and several people suggested that I compile a list. Here is that list. This is a first draft and comments and additions are welcome. Email responses are encouraged to reduce group traffic and I will summarize the changes.

Thanks, jv

Law of Stolen Flight: Only flame, and things with wings. All the rest suffer stings.
 _____
|     |  Johnathan Vail     | n1dxg@tegra.com
|Tegra|  (508) 663-7435     | N1DXG@448.625-(WorldNet)
 -----   jv@n1dxg.ampr.org  {...sun!sunne ..uunet}!tegra!vail

________________

virus - a piece of code that is executed as part of another program and can replicate itself in other programs. The analogy to real viruses is pertinent ("a core of nucleic acid, having the ability to reproduce only inside a living cell"). Most viruses on PCs really are viruses.

worm - a program that can replicate itself, usually over a network. A worm is a complete program by itself unlike a virus which is part of another program. Robert Morris's program, the Internet Worm, is an example of a worm although it has been mistakenly identified in the popular media as a virus.

trojan (horse) - This is some (usually nasty) code that is added to a harmless program. This could include many viruses but is usually reserved to describing code that does not replicate itself.

time bomb - This is code or a program that checks the system's clock in order to trigger its active symptoms. The popular legend of the time bomb is the programmer that installs one in his employer's computers to go off in case he is laid off or fired.
magic cookie - This is a usually benign feature added to a product by the programmer without official knowledge or consent. One example of this is the 'xyzzy' command in Data General's AOS operating system. Another is the "RESIST THE DRAFT" message in an unused sector of Apple Logo.

back door - This is an undocumented feature added to a product which can allow those who know about it to gain access to things that are otherwise protected. The original Tempest video game was supposed to have a key sequence that would allow the author of the firmware to get free games in an arcade. Some military systems are rumored to have back doors in their software that prevents their being used against the countries that built them.

stealth virus - This is a type of virus that attempts to hide its existence. A common way of doing this on IBM PCs is for the virus to hook itself into the BIOS or DOS and trap sector reads and writes that might reveal its existence.

mixed terms - Many of the above terms can apply to the same piece of code. For example a virus can replicate itself but not "do its dirty work" until a certain time. It could be said to contain a time bomb.

------------------------------

Date: Sat, 29 Jun 91 01:27:44 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: McAfee on VSUM accuracy and Microcom (PC)

BLSCOLLO@OCC.BITNET (Bonnie Scollon) writes:

[stuff deleted]

>This is not true. As the college virus tracker, I try to keep
>up-to-date copies of most anti-viral products. Of course, I can obtain
>copies of McAfee's software but when I try to pay the fee, I get back a
>form letter saying they will not sell a single copy to a college -- we
>must spend thousands to obtain a site license for ALL our PC's,
>whether we would install the programs or not. If this is not a refusal
>to sell, I would not know what else to call it.
[rest of message deleted]

Hello Bonnie,

McAfee Associates policy on licensing is based on the concept that the software is owned by whoever paid for it. If a home user registers with payment made by a business then the order is returned along with a note stating that businesses must license the software if they wish to use it.

In order to accommodate the different requirements of businesses, we have three kinds of licenses available.

Service Industry Licenses are for technicians who will use the software on any number of systems. This kind of license is based on the number of copies to be used by the technicians. The software must be removed from the machine after use.

Small Business Licenses are for businesses with less than fifty PC's. We have two types of SBL's: a license for VIRUSCAN, CLEAN-UP, and VSHIELD for computers or workstations; and a license for NETSCAN for a file server or servers. This allows small businesses without a network to cut costs and add NETSCAN when the time comes.

Finally, we have the Site Licenses, which are for businesses with 100 PC's or more and go in increments of 100. For Site Licenses, the VIRUSCAN, VSHIELD, CLEAN-UP, and NETSCAN programs can be purchased either separately or together. We're flexible on how a site is defined: it does not necessarily have to be an address, but can be all the computers in a world-wide department or for a division of a company, and so forth.

We also have corporate licenses available that cover all the computers a business owns plus any and all added during the license, increment licenses by pro-rating the amount already paid, and offer educational discounts.

If you would like to discuss your situation further, I would recommend that you contact McAfee Associates directly at (408) 988-3832 and ask for the sales department. It has been our policy to provide access to our software and technical support for five days without charge, and, if necessary, extend this.
Aryeh Goretsky
McAfee Associates Technical Support

- -
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: Sat, 29 Jun 91 17:53:17 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: So, you think you're pretty safe, eh? (general)

Note in passing Bill Hancock's editorial in the "Digital Review" of June 17, 1991. Bill describes his recent encounter with a virus (unnamed, but apparently fairly new) in their computer lab. Bill is no slouch; he is a highly competent technical lecturer. The machines are all protected with an antivirus program (also unnamed, but it appears to be a resident scanner, perhaps VSHIELD.) The virus infected the diagnostics programs that he tried to fix the problem with. Seemingly, the first indication he had was when a word processor stopped working. (Again, unnamed, but the description seems consistent with Word Perfect.)

The piece is a good description, and, while I could wish he had made some more helpful points about the level of risks in various situations (eg. letting your scanner get out of date), his checklist for recovery is thorough, if a little overblown.

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date: Sat, 29 Jun 91 17:54:42 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Two versions of SCANV80.ZIP? (PC)

I retrieved SCANV80.ZIP from the wuarchive.wustl.edu mirror of SIMTEL20, but when I went to repost it on a local board found a different version.
Both versions appear to be authentic, with some minor differences in text files:

Deep Cove version:

Searching ZIP: SCANV80.ZIP

 Length  Method   Size  Ratio   Date     Time   CRC-32    Attr  Name
- ------  ------  -----  -----   ----     ----   ------    ----  ----
  17598  Implode  6962   61%  06-24-91  16:20  ac0b595f  --w   AGENTS.TXT
   4026  Implode  1961   52%  05-24-91  15:23  02f06c2c  --w   README.1ST
   5576  Implode  2288   59%  06-24-91  05:30  325e105d  --w   REGISTER.DOC
  87437  Implode 47087   47%  06-24-91  03:47  eece6261  --w   SCAN.EXE
  28786  Implode 10695   63%  06-24-91  21:27  931869b9  --w   SCANV80.DOC
   6495  Implode  1895   71%  10-31-89  16:16  0449b09d  --w   VALIDATE.COM
   2844  Implode  1406   51%  02-14-91  14:25  aa330b57  --w   VALIDATE.DOC
  24639  Implode  6532   74%  06-24-91  04:08  ce521c6f  --w   VIRLIST.TXT
- ------          -----  -----                                  -------
 177401          78826   56%                                         8

SIMTEL version:

Searching ZIP: SCANV80.ZIP

 Length  Method   Size  Ratio   Date     Time   CRC-32    Attr  Name
- ------  ------  -----  -----   ----     ----   ------    ----  ----
  17598  Implode  6962   61%  06-24-91  16:20  ac0b595f  --w   AGENTS.TXT
   3952  Implode  1942   51%  06-25-91  10:16  8643da95  --w   README.1ST
   5600  Implode  2307   59%  06-25-91  10:29  8858f474  --w   REGISTER.DOC
  87437  Implode 47087   47%  06-24-91  03:47  eece6261  --w   SCAN.EXE
  28777  Implode 10695   63%  06-25-91  11:18  678dddbb  --w   SCANV80.DOC
   6495  Implode  1895   71%  10-31-89  16:16  0449b09d  --w   VALIDATE.COM
   2844  Implode  1406   51%  02-14-91  14:25  aa330b57  --w   VALIDATE.DOC
  24320  Implode  6494   74%  06-25-91  11:15  64c446d0  --w   VIRLIST.TXT
   9785  Implode  4205   58%  06-25-91  11:19  3a5d3c03  --w   NETSCN80.DOC
  25050  Implode  8650   66%  06-25-91  10:34  39dc87eb  --w   VSHLD80.DOC
- ------          -----  -----                                  -------
 211858          91643   57%                                        10

It seems the only differences are found in:

README.1ST
REGISTER.DOC
SCANV80.DOC
VIRLIST.TXT

with the addition of two files:

NETSCN80.DOC
VSHLD80.DOC

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer, don't
Research into  (SUZY) INtegrity          | turn it on."
User           Canada V7K 2G6            | Richards' 2nd Law
Security                                 | of Data Security

------------------------------

Date: 30 Jun 91 00:53:46 -0400
From: Robert McClenon <76476.337@CompuServe.COM>
Subject: Requirements for Virus Checkers (PC)

Ross Greenberg says:

> EVERYBODY: Never accept a problem with a piece of code: the
> vendor can't fix it if they don't know there is a problem.

The second clause is true but sadly irrelevant. I wish every developer were as attentive as Ross is to complaints. I wish every vendor were as responsive as Ross and Microcom are. For those reasons the first clause is good advice in general but not worth fighting over.

Ross was responding to my mention of two programs which required that I disable Virex-PC. The first was a game which hogs conventional memory. My thanks to Ross for reducing the size of his TSR. The second was a fax program which has interrupt conflicts with Virex-PC. Don't ask me why this fax program takes over multiple interrupts. I don't know either, and consider its use of multiple interrupts to be evidence of strange design.

Ross suggests I contact technical support at Microcom. I did. But I don't think there is a problem with Virex-PC. I also tried contacting the technical support people with the developer of the fax program. They didn't understand. I might as well have been talking to robots. They told me that obviously I wasn't supposed to run the two programs at once. If I had bought the program as commercial software I would have asked for my money back at this point. But I didn't. It was included with my modem as a package deal. Sometimes unpriced software is worth what you paid for it. (Sometimes it is worth less, sometimes more.)

There always must be a way to disable resident software, even if it is not the fault of the resident software. I did it by writing a .BAT file which creates a dummy file; AUTOEXEC.BAT checks for it and if it finds it suppresses the load of Virex-PC.
Maybe my dog doesn't like a guest who never bathes and says mean things to the dog. As a result, the dog barks all the time. The dog is trying to warn me and is doing his job. But if I have a reason to have the guest in my house, I may have to put the dog in the back yard. It is not the fault of the dog but of the guest.

There must always be a way to disable resident software.

Robert McClenon
Neither my employer nor anyone else paid me to say this.

------------------------------

Date: 30 Jun 91 00:52:45 -0400
From: Robert McClenon <76476.337@CompuServe.COM>
Subject: Self-Modifying SETVER.EXE (PC)

Padgett's comments are well-taken. I would rather that SETVER modified itself than that it modified something else. I am willing to concede that perhaps the use of an undisciplined coding technique such as self-modification is understandable for a program such as SETVER which deals with undisciplined situations.

I would have appreciated a warning from SETVER that it was modifying itself. Given the length of the message it produces when executed, another line saying "SETVER is about to rewrite itself" would not have been too much to ask.

Actually, I would suggest that any other program which modifies itself should notify the user. There are other reasons than anti-viral compatibility to warn a user of self-modification, such as the need to take a new backup.

Robert McClenon
Neither my employer nor anyone else paid me to say this.

------------------------------

Date: Sun, 30 Jun 91 12:47:52 +0000
From: ao@elixir.lne.kth.se (Anders Ohlsson)
Subject: Re: Can such a virus be written ... (PC)

Hello all!

Quite interesting subject. After reading the last few postings on the subject, I decided to test it. Here's what I found out.

Not only is it possible to write such a virus. In fact, you could put any virus on a diskette, hide the file containing it and then do a little editing using Norton Utilities or whatever.
One of you mentioned that the sizes and dates would be shifted to the left. True. But...

I edited the volume label, and this was (in my eyes) a little less obvious since all you will see when you DIR the disk is:

 Volume in drive A is
 Volume Serial Number is 4711-4711
 Directory of A:\

README        49 91-06-30  13.58
        1 File(s)   1456640 bytes free

I sure wouldn't notice the missing volume label. Would you?

All you have to do is edit the said volume label, and as somebody pointed out, make some assumptions on what the user is going to do next... I think that many (including me) would read the README file... So, all you have to do is to redefine the "t"-key (as in type)! The ANSI sequence would for example execute a hidden file on the disk in A:. The hidden executable file could then in turn do a few things. I haven't tried these, and I don't think that any of them are impossible...

1. Clear the volume label
2. Erase whatever the ANSI sequence typed on the screen
3. Redefine the "t" to mean "t"
4. Install whatever virus you like

I tried a little more harmless thing. A batch file that prints out a little message, and it works just fine.

Your turn...

- Anders Ohlsson
- ao@elixir.lne.kth.se

------------------------------

Date: Sun, 30 Jun 91 15:26:02 +0000
From: kforward@kean.ucs.mun.ca (Ken Forward)
Subject: Re: Ross-bashing

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

> Allright, enough already. So there was a conflict between two SCAN
> programs that caused a "false positive" when one was run immediately
> following another....

Eeek! My apologies if I contributed to this thread by reporting a Taiwan3 false positive. My intent certainly was not to flame Ross or his VIRx product; in retrospect I should have made that perfectly clear in my posting. As I see it, posting re a false positive is informative; it could perhaps save somebody some grief. Padgett, maybe somebody saw those warnings and decided they didn't need to low-level format their hard drive !
:-) :-) With thanks to Ross, Padgett and the many others who make our computing lives more secure, - --------------------------------------------------------------------------- Kenneth Forward | "...the large print give'th, and MUN Dept of Physics | the small print take'th away..." kforward@kean.ucs.mun.ca | -Tom Waits- - --------------------------------------------------------------------------- ------------------------------ Date: Sun, 30 Jun 91 14:57:11 From: c-rossgr@microsoft.COM Subject: Encrypted strings >From: Eric_Florack.Wbst311@xerox.com > >>Sigh. Look, I simply didn;t remove the strings from memory. What's your >>point? >Exactly this:False trips cause problems for both you and the person >whose machine if falsely diagnosed as being infected. Such false >trips cost both of you income. Nothing personal,Eric, but don't teach Grandpa how to suck eggs? >Allow me to explain that one of the things I do for a living is such >testing. IMHO, interfacing with other, similar products , where >possible, (even if only for direct a/b comparison) is part of a >complete test. In order for a second program to pick up on this a false positive, machines had to be configured in a certain way, program had to be run in a certain order, etc. My beta testers did not. It's a problem, yes, but it's a problem that any professional developer of these products realizes that he's gonna run into from time to time. You deal with as quickly as you can, you try not to have scanner du'jour, and you spend more time dealing with lots of postings from detractors who do not understand the problem as completely as, perhaps, we do. >>And, sometimes, a minor mistake is make and is blown way out of proportion. >Sorry, Ross, if you thought my posting was blowing your error out of >proportion, but I honestly don't see how. Recall, please, that this >thread started with a general post was directed at all of us for input >on a specific problem. 
We have already given the problem more verbiage than it deserves. The problem was fixed in Version 1.5. If you want to continue to discuss problems with an outdated version, you are welcome to do so, but I'm done with this topic.

Ross

- ---------------------------

> >Date: Thu, 27 Jun 91 11:52:28 -0700
>From: p1@arkham.wimsey.bc.ca (Rob Slade)
>Subject: doom2:reply (PC)

>The "my scanner is better than your scanner, nyaah" school of
>evaluation misses a vital point: any two scanners are better than
>either alone. Even though I feel that Ross's product is one of the
>best on the market, and I use it myself for my own testing and
>protection, I would hate to see the day when it became the only one
>available.

Wise choice! Wouldn't want you using one of them inferior products! :-)

> As Ross has pointed out, no matter how well strings are
>encrypted, eventually someone will break the code, and then it is a
>trivial matter to write a virus that circumvents that package.
>However, with a number of scanner packages on the market (and even I
>don't have them all), the author of a virus can never know which
>package his code will have to go up against.

As a point of fact: I have heard of a program floating about that will take a subject virus and a subject scanner and will determine *exactly* what the search string being used by that scanner for that particular virus is. And that it does this without dis-asming the scanner at all -- simply by running it and playing some games with the subject virus.

I agree with Rob entirely: use more than one scanner. Mine, of course! And, somebody else's. I like Frisk's, Jim Bates', and Ray Glath's myself. (I like mine better! :-) )

Ross

------------------------------

Date: Fri, 28 Jun 91 14:53:28 -0600
From: j-norstad@nwu.edu (John Norstad)
Subject: Disinfectant 2.5 (Mac)

Disinfectant 2.5
================

June 28, 1991

Disinfectant 2.5 is a new release of our free Macintosh anti-viral utility.

Version 2.5 detects the new C strain of the ZUC virus, recently discovered in Italy. See the section on the ZUC virus in the 2.5 online manual for details.

Version 2.5 also recognizes the MDEF D virus. We do not believe that the D strain of MDEF was ever released to the public. Disinfectant recognizes it anyway, just in case it was inadvertently released. See the section on MDEF in the 2.5 online manual for details.

Neither of these two viruses is malicious, and we have no reason to believe that either of them is widespread.
It is no longer possible to support the old 64K ROMs or operating system versions prior to 6.0 in Disinfectant. Beginning with version 2.5, Disinfectant requires a Mac 512KE or later model and system 6.0 or later. These restrictions are necessary because Apple's Macintosh Programmer's Workshop, which we use to develop Disinfectant, no longer supports the old ROMs or old systems.

Version 2.5 corrects an error which sometimes caused Disinfectant to crash after printing the online manual, especially on HP DeskWriter printers.

The online manual contains a new section titled "System 7 Notes." This section discusses important issues regarding viruses, Disinfectant, and System 7. It also describes our plans for Disinfectant 3.0. This new section is reproduced in full below.

Disinfectant 2.5 is available now via anonymous FTP from site ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom, AppleLink, and other popular sources of free and shareware software.

Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address given below. People outside the US may send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers.

People in Western Europe may obtain a copy of the latest version of Disinfectant by sending a self-addressed disk mailer and an 800K floppy disk to macclub benelux. Stamps are not required. The address is:

   macclub benelux
   Disinfectant Update
   Wirtzfeld Valley 140
   B-4761 Bullingen
   Belgium

System 7 Notes
==============

Disinfectant 2.5 works properly with Apple's new System 7, provided you remember the following three special rules:

1. Leave the Disinfectant INIT in the System Folder proper. Do not move the INIT to the new Extensions Folder.

2. If you try to repair an infected file, Disinfectant may tell you that the file is busy and recommend that you "try again without MultiFinder." However, you can't turn off MultiFinder in System 7. If this situation occurs, restart your Mac using the 800K "Disk Tools" startup floppy that comes with System 7 (or any other startup disk which contains an old System 6 startup System with MultiFinder turned off). Then run Disinfectant again.

3. There is one small problem with Disinfectant's custom get file dialog with which you can select a folder to be scanned. Don't try to select anything in the Desktop level in this dialog. Disinfectant may crash or scan the wrong object.

We are working on a new version 3.0 of Disinfectant which will fix all three of the problems mentioned above. Following are some other features planned for Disinfectant 3.0.

Version 3.0 will take full advantage of the new facilities available in System 7, including Balloon help, color icon families, anti-viral and other Apple events, icon dropping in the Finder, and proper placement of the Preferences file and the Disinfectant INIT file in the new Preferences and Extensions folders respectively.

Version 3.0 will eliminate the restriction that the INIT must load last. The INIT will be renamed "Disinfectant Extension."

Version 3.0 will include a new "Upgrade" command which, in the future, will make it possible for people to download very small upgrade files instead of entire new versions of the program.

The version 3.0 online manual will include a very thorough discussion of all the issues regarding viruses and Disinfectant as they relate to System 7.

We hope to release version 3.0 later this summer.

You should also be aware that System 7 is completely immune to the "Desktop file" viruses (WDEF and CDEF.) These viruses never activate, spread, or cause any damage under System 7.
Both hard disks and floppy disks are immune to these viruses under System 7. Since the Disinfectant INIT detects and blocks viruses when they first try to attack your system, and since the Desktop file viruses never attack under System 7, the Disinfectant INIT will not detect them under System 7. The Disinfectant application, however, will still detect and remove the Desktop file viruses.

You should also be aware of a problem with System 7's new file sharing feature. If you share a folder and permit write access to it by granting the "make changes" privilege with the new "Sharing" command, it is possible for files in the shared folder to become infected by a virus over the network, even if you have the Disinfectant INIT installed on your Mac. The INIT will, however, prevent the virus from spreading to your non-shared folders. It will also completely block any attempt by the virus to execute its viral code on your Mac or cause any damage to your Mac.

We have always had the problem of viruses spreading over a network to files in writable folders on dedicated AppleShare file servers. With System 7's new file sharing, this has now also become a problem on personal Macs.

Virus infection over the network is only one of many serious security problems with writable shared folders. Writable shared folders are inherently insecure, and no kind of anti-viral or other security software can prevent damage to their contents. To minimize these problems, we recommend that you limit write access to your shared folders to only trusted individuals. Never grant write access to guests (any user.) The only way to eliminate the problems completely is to never grant the "make changes" privilege to anyone except yourself.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208 USA

Internet: j-norstad@nwu.edu
Bitnet: jln@nuacc
America Online: JNorstad
CompuServe: 76666,573
AppleLink: A0173

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 113]
******************************************

1-Jul-91 19:39:34-GMT,24756;000000000001
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA02042; Mon, 1 Jul 91 15:39:27 EDT
Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA11750; Mon, 1 Jul 91 15:39:14 EDT
Message-Id: <9107011939.AA11750@remus.rutgers.edu>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 1233; Mon, 01 Jul 91 15:33:24 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 9237; Mon, 01 Jul 91 15:31:14 EDT
Date: Mon, 1 Jul 91 15:02:22 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #114
Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday, 1 Jul 1991    Volume 4 : Issue 114

Today's Topics:

Introduction to the Anti-viral archives, listing of 01 July 1991

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 30 Jun 91 03:48:59 -1000
From: Jim Wright
Subject: Introduction to the Anti-viral archives, listing of 01 July 1991

Introduction to the Anti-viral archives, listing of 01 July 1991

This posting is the introduction to the "official" anti-viral archives of VIRUS-L/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh and Unix computers, as well as sites carrying research papers and reports of general interest.

You may notice that in this edition of the list, every section has been modified. The Atari ST list has added atari.archive.umich.edu run by Jeff Weiner, and Steve Grimm's site has changed to twitterpater.eng.sun.com. All lists were affected by the loss of the Heriot-Watt archive server run by Dave Ferbrache. His archives contained approximately 150MB of information and programs related to viruses and security. It was through mail with Dave that I was prompted to hold the vote for comp.virus and start the anti-viral archive site list. I wish him well in his new job and look forward to when he can go back "on the air".

If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. If you have any corrections to the lists, please let me know.

The files contained on the participating archive sites are provided freely on an as-is basis. To the best of our knowledge, all files contained in the archives are either Public Domain, Freely Redistributable, or Shareware. If you know of one that is not, please drop us a line and let us know. Reports of corrupt files are also welcome.

PLEASE NOTE

The Managers of these systems, and the Maintainers of the archives, CAN NOT and DO NOT guarantee any of these applications for any purpose. All possible precautions have been taken to assure you of a safe repository of useful tools.

Jim Wright
jwright@cfht.hawaii.edu
JWRIGHT@UHCFHT

------------------------------

Date: Sun, 30 Jun 91 03:49:28 -1000
From: Jim Wright
Subject: Archive access without anonymous ftp, last changed 30 June 1991

Archive access without anonymous ftp, last changed 30 June 1991

To get files from the anti-viral archives, you do not need access to anonymous ftp. (However, anonymous ftp is generally the preferred method.) Below is information on accessing the archive sites using only email.

-=-

One way to get access to the archives is through the BITFTP server at Princeton. Send a message to the BITNET address BITFTP@PUCC with the body of the message containing the single word HELP. This should get you more information, and give you access to any archive site on the Internet. Due to excessive loads, this service has been restricted to BITNET and EARN sites only. UUCP sites need not apply.

-=-

Both the AppleII and the Atari ST archives have mail servers which provide access to their archives. You may receive automatic updates of Macintosh anti-viral programs via email. See the individual articles on these sites.

-=-

You may also retrieve files from the SIMTEL-20 and the INFO-MAC archives by using one of the many mail servers which maintain a shadow archive of these sites. Send the following message to one of the listserv sites.

   help

See the IBMPC and Macintosh articles for a complete list of servers.
------------------------------

Date: Sun, 30 Jun 91 03:49:59 -1000
From: Jim Wright
Subject: Brief guide to files formats, last changed 30 June 1991

Brief guide to files formats, last changed 30 June 1991

-- The most recent copy of the complete text may be anonymous ftp'd --
-- from ux1.cso.uiuc.edu (128.174.5.59) in the directory doc/pcnet. --
-- That file is maintained by David Lemson (lemson@uiuc.edu).         --
-- Please do not strip this note from this list when passing it on.  --

ARC (.arc)
     This format is most popular on PCs. Compresses and stores
     multiple files in a single archive.
     PC      - arc 6.00, pk361
     Mac     - ArcMac 1.3c
     Unix    - arc 5.21
     VM/CMS  - arcutil
     Amiga   - Arc 0.23, PKAX
     VMS     - arcvms
     Apple2  - dearc
     Atari   - arc 5.21b, pkunarc
     OS/2    - arc2

BinHex (.hqx)
     A Macintosh format. Converts a binary Mac file, including data
     and resource forks, into an archive of only printing ASCII
     characters. Note that BinHex4.0 will create and decode the ASCII
     hqx encoding used on Usenet, while BinHex5.0 will decode the
     ASCII hqx encoding but will create a non-ASCII binary file.
     PC      - xbin 2.3
     Mac     - BinHex4.0, BinHex5.0
     Unix    - mcvert
     VM/CMS  - binhex

binscii ( )
     A favorite Apple2 archive format.
     Apple2  - binscii

Compactor (.cpt)
     A new Macintosh format. Compresses and stores multiple files in
     a single archive.
     Mac     - Compactor1.21

compress (.Z)
     A Unix format. Compresses a single file in an archive.
     PC      - u16, comprs16, comp430d
     Mac     - MacCompress3.2A
     Unix    - compress
     VM/CMS  - compress
     Amiga   - compress
     VMS     - lzcomp
     Apple2  - compress
     Atari   - compress

LHarc (.lzh)
     This format originated on PCs, and is now popular on Amigas.
     Compresses and stores multiple files in a single archive.
     PC      - lh113c
     Mac     - MacLHarc 0.41
     Unix    - lharc10
     Amiga   - LHarc
     Atari   - lharc113

LHWarp (.lzw)
     This is an Amiga format. Compresses and stores an entire floppy
     in a single archive. Better compression than plain Warp.
     Amiga   - Lhwarp

LU (.lbr)
     This is an old format that originated with CP/M. It is virtually
     non-existent now. Collects multiple files into a single archive
     with no compression.
     PC      - lue220
     Mac     - ArcMac 1.3c
     Unix    - lar
     VM/CMS  - arcutil
     VMS     - vmssweep

nupack ( )
     A favorite Apple2 archive format.
     Apple2  - nupack

PackIt (.pit)
     An old Macintosh format. Compresses and stores multiple files in
     a single archive.
     PC      - UnPackIt
     Mac     - PackIt3.1.3
     Unix    - unpit

PAK (.pak)
     An old PC format. Compresses and stores multiple files in a
     single archive. Also the name of an Amiga format which produces
     self-extracting archives. Also the name of a new PC format.
     PC      - pak250
     Unix    - arc 5.21
     Amiga   - PAK 1.0

shell archive (.shar, .sh)
     A Unix format. Stores multiple files in a single archive without
     compression.
     PC      - unshar
     Mac     - UnShar2.0
     Unix    - sh, unshar
     Amiga   - UnShar
     Apple2  - unshar
     Atari   - shar

Squeeze (._Q_)
     An old PC (CP/M?) format. Compresses and stores multiple files in
     a single archive.
     PC      - sqpc131
     VM/CMS  - arcutil
     Amiga   - Sq.Usq
     VMS     - vmsusq
     Atari   - ezsqueeze

StuffIt (.sit)
     A Macintosh format. Compresses and stores multiple files in a
     single archive.
     PC      - mactopc
     Mac     - StuffIt 1.6
     Unix    - unsit
     Amiga   - unsit

tape archive (.tar)
     A Unix format. Stores multiple files in a single archive without
     compression.
     PC      - tar, tarread, pax, pdtar
     Mac     - UnTar2.0
     Unix    - tar
     Amiga   - TarSplit, pax
     VMS     - vmstar
     Atari   - sttar

uuencode (.uu, .uue)
     A Unix format. Converts a binary file into an archive of only
     printing ASCII characters suitable for mailing.
     PC      - uuxref20
     Mac     - UMCP-Tools1.0
     Unix    - uuencode, uudecode
     VM/CMS  - arcutil
     Amiga   - uuencode, uudecode
     VMS     - uudecode2.
     Apple2  - uu.en.decode

Warp (.wrp)
     This is an Amiga format. Compresses and stores an entire floppy
     in a single archive.
     Amiga   - WarpUtil

xxencode (.xx, .xxe)
     A Unix format. Converts a binary file into an archive of only
     printing ASCII characters suitable for mailing. Solves many of
     the problems of uuencode.
     PC      - uuxref20
     Unix    - xxencode, xxdecode
     VM/CMS  - xxencode

ZIP (.zip)
     This format is most popular on PCs. Compresses and stores
     multiple files in a single archive.
     PC      - pkz110
     Mac     - UnZip1.02c
     Unix    - unzip4.01
     Amiga   - PKAZip
     Atari   - pkz101-2

ZOO (.zoo)
     This format is popular on many systems. Compresses and stores
     multiple files in a single archive.
     PC      - zoo201
     Mac     - MacBooz2.1
     Unix    - zoo201
     VM/CMS  - zoo
     Amiga   - amigazoo
     VMS     - zoo201
     Atari   - booz
     OS/2    - booz

------------------------------

Date: Sun, 30 Jun 91 03:50:30 -1000
From: Jim Wright
Subject: Amiga Anti-viral archive sites, last changed 30 June 1991

Amiga Anti-viral archive sites, last changed 30 June 1991

beach.gal.utexas.edu
     John Perry
     This site can be reached through anonymous ftp.
     The Amiga anti-viral archives can be found in the directory
     [ANONYMOUS.PUB.VIRUS.AMIGA].
     This system is running VMS, not Unix.
     The IP address is 129.109.1.207.

ms.uky.edu
     Sean Casey
     Access is through anonymous ftp.
     The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
     The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
     Steve Jenkins
     Service for UK only; no access from BITNET/Internet/UUCP
     Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
     FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
     Pull the file "help/basics" for starter info, "micros/index" for index.
     Anti-Viral stuff is held as part of larger micro software collection
     and is not collected into a distinct area.

ux1.cso.uiuc.edu
     Mark Zinzow
     Lionel Hummel
     The archives are in /amiga/virus.
     There is also a lot of stuff to be found in the Fish collection.
     The IP address is 128.174.5.59.

------------------------------

Date: Sun, 30 Jun 91 03:51:01 -1000
From: Jim Wright
Subject: Apple II Anti-viral archive sites, last changed 30 June 1991

Apple II Anti-viral archive sites, last changed 30 June 1991

brownvm.bitnet
     Chris Chung
     Access is through LISTSERV, using SEND, TELL and MAIL commands.
     Files are stored as
          apple2-l xx-xxxxxx
     where the x's are the file number.
uk.ac.lancs.pdsoft
     Steve Jenkins
     Service for UK only; no access from BITNET/Internet/UUCP
     Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
     FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
     Pull the file "help/basics" for starter info, "micros/index" for index.
     Anti-Viral stuff is held as part of larger micro software collection
     and is not collected into a distinct area.

------------------------------

Date: Sun, 30 Jun 91 03:51:32 -1000
From: Jim Wright
Subject: Atari ST Anti-viral archive sites, last changed 30 June 1991

Atari ST Anti-viral archive sites, last changed 30 June 1991

atari.archive.umich.edu
     Jeff Weiner
     Service via FTP and mail, FTP preferred.
     Login as "anonymous", password is your mail address.
     For instructions on the mail server, send the message
          help
     to
     "Index" contains complete listing with descriptions.
     "CompInd.Z" contains same list but is compressed.
     "ls-lR.Z" contains compressed ls -lR listing.
     All anti-viral material is contained in ~atari/utilities/virus
     The IP number for this site is 141.211.164.8, but may change.

twitterpater.Eng.Sun.COM
     Steve Grimm
     Access to the archives is through mail server.
     For instructions on the archiver server, send
          help
     to

uk.ac.lancs.pdsoft
     Steve Jenkins
     Service for UK only; no access from BITNET/Internet/UUCP.
     Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft".
     FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
     Pull the file "help/basics" for starter info, "micros/index" for index.
     Anti-Viral stuff is held as part of larger micro software collection
     and is not collected into a distinct area.

------------------------------

Date: Sun, 30 Jun 91 03:52:03 -1000
From: Jim Wright
Subject: Anti-viral Documentation archive sites, last changed 30 June 1991

Anti-viral Documentation archive sites, last changed 30 June 1991

cert.sei.cmu.edu
     Kenneth R. van Wyk
     Access is available via anonymous ftp, IP number 128.237.253.5.
     This site maintains archives of all VIRUS-L digests, all CERT
     advisories, as well as a number of informational documents.
     VIRUS-L/comp.virus information is in:
          pub/virus-l/archives
          pub/virus-l/archives/predig
          pub/virus-l/archives/1988
          pub/virus-l/archives/1989
          pub/virus-l/archives/1990
          pub/virus-l/docs
     CERT information is in:
          pub/cert_advisories
          pub/cert-tools_archive

csrc.ncsl.nist.gov
     John Wack
     This site is available via anonymous ftp, IP number 129.6.48.87.
     The archives contain all security bulletins issued thus far from
     organizations such as NIST, CERT, NASA-SPAN, DDN, and LLNL-CIAC.
     Also, other related security publications (from NIST and others)
     and a partial archive of VIRUS_L's and RISK forums.

lehiibm1.bitnet
     Ken van Wyk
     new: This site has archives of VIRUS-L, and many papers of
     general interest.
     Access is through ftp, IP address 128.180.2.1.
     The directories of interest are VIRUS-L and VIRUS-P.

uk.ac.lancs.pdsoft
     Steve Jenkins
     Service for UK only; no access from BITNET/Internet/UUCP
     Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
     FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
     Pull the file "help/basics" for starter info, "micros/index" for index.
     Anti-Viral stuff is held as part of larger micro software collection
     and is not collected into a distinct area.

unma.unm.edu
     Dave Grisham
     This site has a collection of ethics documents.
     Included are legislation from several states and policies from
     many institutions.
     Access is through ftp, IP address 129.24.8.1.
     Look in the directory /ethics.

------------------------------

Date: Sun, 30 Jun 91 03:52:34 -1000
From: Jim Wright
Subject: IBMPC Anti-viral archive sites, last changed 30 June 1991

IBMPC Anti-viral archive sites, last changed 30 June 1991

beach.gal.utexas.edu
     John Perry
     This site can be reached through anonymous ftp.
     The IBMPC anti-viral archives can be found in the directory
     [ANONYMOUS.PUB.VIRUS.PC].
     This system is running VMS, not Unix.
     The IP address is 129.109.1.207.

risc.ua.edu
     James Ford
     This site can be reached through anonymous ftp.
     The IBM-PC anti-virals can be found in pub/ibm-antivirus.
     Uploads to pub/ibm-antivirus/00uploads. Uploads are screened.
     Requests to JFORD@UA1VM.BITNET for UUENCODED files will be
     filled on a limited basis as time permits.
     The IP address is 130.160.4.7.

uk.ac.lancs.pdsoft
     Steve Jenkins
     Service for UK only; no access from BITNET/Internet/UUCP
     Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
     FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
     Pull the file "help/basics" for starter info, "micros/index" for index.
     Anti-Viral stuff is held as part of larger micro software collection
     and is not collected into a distinct area.

ux1.cso.uiuc.edu
     Mark Zinzow
     This site can be reached through anonymous ftp.
     The IBMPC anti-viral archives are in /pc/virus.
     The IP address is 128.174.5.59.

vega.hut.fi
     Timo Kiravuo
     This site (in Finland) can be reached through anonymous ftp.
     The IBMPC anti-viral archives are in /pub/pc/virus.
     The IP address is 130.233.200.42.

wsmr-simtel20.army.mil
     Keith Peterson
     Direct access is through anonymous ftp, IP 192.88.110.20.
     The anti-viral archives are in PD1:.
     Please get the file 00-INDEX.TXT and review it offline.
     NOTE: There are also a number of servers which provide access
     to the archives at simtel.
     WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands
     from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe
     from EARN TRICKLE servers. Send commands to TRICKLE@
     (for example: TRICKLE@AWIWUW11). The following TRICKLE servers
     are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium),
     DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy),
     EB0UB011 (Spain) and TREARN (Turkey).

------------------------------

Date: Sun, 30 Jun 91 03:53:05 -1000
From: Jim Wright
Subject: Macintosh Anti-viral archive sites, last changed 30 June 1991

Macintosh Anti-viral archive sites, last changed 30 June 1991

beach.gal.utexas.edu
     John Perry
     This site can be reached through anonymous ftp.
     The Macintosh anti-viral archives can be found in the directory
     [ANONYMOUS.PUB.VIRUS.MAC].
     This system is running VMS, not Unix.
     The IP address is 129.109.1.207.

dftnic.gsfc.nasa.gov
     Brian Lev
     This site offers the "MacSecure" package, made up of John
     Norstad's Disinfectant, and a pair of locally developed
     HyperCard stacks: Joe McMahon's "Anti-Viral Doc" and Brian
     Lev's "MacHelper".
     Floppy disk:
          Advanced Data Flow Technology Office
          Code 930.4
          Goddard Space Flight Center
          Greenbelt, MD 20771
          (Attn: Brian Lev)
     DECnet Copy from DFTNIC::CLDATA:[ANONYMOUS_FTP.FILES.MAC]
          BinHex (ASCII) format as MACSECURE31.HQX
          binary format as MACSECURE31.SEA
     Anonymous FTP from DFTNIC.GSFC.NASA.GOV (128.183.10.3)
          BinHex (ASCII) format as [.FILES.MAC]MACSECURE31.HQX
          binary format as [.FILES.MAC]MACSECURE3.SIT

ifi.ethz.ch
     Danny Schwendener
     Interactive access through DECnet (SPAN/HEPnet):
          $SET HOST 57434    or    $SET HOST AEOLUS
          Username: MAC
     Interactive access through X.25 (022847911065) or
     Modem 2400 bps (+41-1-251-6271):
          # CALL B050
          Username: MAC
     Files may also be copied via DECnet (SPAN/HEPnet) from
          57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

rascal.ics.utexas.edu
     Werner Uhrig
     Access is through anonymous ftp, IP number is 128.83.138.20.
     Archives can be found in the directory mac/virus-tools.

scfvm.bitnet
     Joe McMahon
     Access is via LISTSERV.
     SCFVM offers an "automatic update" service. Send the message
          AFD ADD VIRUSREM PACKAGE
     and you will receive updates as the archive is updated.
     You can also subscribe to automatic file update information with
          FUI ADD VIRUSREM PACKAGE

sumex-aim.stanford.edu
     Bill Lipa
     Access is through anonymous ftp, IP number is 36.44.0.6.
     Archives can be found in /info-mac/virus.
     Administrative queries to .
     Submissions to .
     There are a number of sites which maintain shadow archives of
     the info-mac archives at sumex:
     * MACSERV@PUCC services the Bitnet community
     * LISTSERV@RICE for e-mail users
     * FILESERV@IRLEARN for folks in Europe

uk.ac.lancs.pdsoft
     Steve Jenkins
     Service for UK only; no access from BITNET/Internet/UUCP
     Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
     FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
     Pull the file "help/basics" for starter info, "micros/index" for index.
     Anti-Viral stuff is held as part of larger micro software collection
     and is not collected into a distinct area.

wsmr-simtel20.army.mil
     Robert Thum
     Access is through anonymous ftp, IP number 192.88.110.20.
     Archives can be found in PD3:.
     Please get the file 00README.TXT and review it offline.

------------------------------

Date: Sun, 30 Jun 91 03:53:36 -1000
From: Jim Wright
Subject: Unix Anti-viral and security archive sites, last changed 30 June 1991

Unix Anti-viral and security archive sites, last changed 30 June 1991

funic.funet.fi
     Jyrki Kuoppala
     Accessible through anonymous ftp, IP number 128.214.6.100.
     Directory pub/unix/security contains programs to help in
     security, pub/doc/security contains various documents about
     security in general and unix security (like the worm documents)

wuarchive.wustl.edu
     Chris Myers
     Accessible through anonymous ftp, IP number 128.252.135.4.
     A number of directories can be found in ~ftp/usenet/comp.virus/*.
------------------------------ End of VIRUS-L Digest [Volume 4 Issue 114] ****************************************** 2-Jul-91 18:12:24-GMT,23300;000000000001 Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA20446; Tue, 2 Jul 91 14:12:15 EDT Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA07533; Tue, 2 Jul 91 14:12:08 EDT Message-Id: <9107021812.AA07533@remus.rutgers.edu> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 2272; Tue, 02 Jul 91 14:05:27 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 2575; Tue, 02 Jul 91 14:04:57 EDT Date: Tue, 2 Jul 91 13:57:02 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V4 #115 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L VIRUS-L Digest Tuesday, 2 Jul 1991 Volume 4 : Issue 115 Today's Topics: Rumors Recalciterant infection with Frodo (PC) $MUSTAFA, new virus? (PC) Retrospect Remote vs. Gatekeeper (Mac) Disk Boot Failure?! (PC) Re: Can such a virus be written .... (PC) GUARD - prevents h.d. infection via floppy boot (PC) Re: Virus protection: what to use New files on MIBSRV (PC) Disinfectant 2.5? (Mac) Re: Two versions of SCANV80.ZIP? (PC) re: Words VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. 
Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Sat, 29 Jun 91 02:05:00 +0000 From: William Hugh Murray <0003158580@mcimail.com> Subject: Rumors > I just received word of a virus that was encountered during a Mac > System 7 installation. Both the keyboard and mouse DIED on three > machines that just had System 7 installed on them. The customer > then attached a voltage meter to the ADB port of a fourth machine > only to find a unusually high reading. It appears the virus > destroys chips on the mouse and keyboard. I am glad I do not have his job. I know that Ken is very careful about what he posts. I am reluctant to second guess him. However, in the case of this posting, I must. The posting is potentially more damaging than the damage that it seeks to avert. First, it is hearsay. The author does not cite his source, and claims no first-hand knowledge of the events that he reports. Second, it appeals to fear of permanent and irreversible damage from a program. Such appeals to fear can never be justified except by carefully tested conclusions. Third, it speculates on hardware damage from indirect evidence. I can think of far more likely causes for keyboards and mouses not to work than destruction of chips, particularly, if as the reporter speculates, the cause is somehow related to the installation of software. Fourth, while second-hand, it reports something so unlikely as to make any responsible reporter question his sources and hold his water. That is, it reports that programmable behavior of a computer caused permanent damage to the computer hardware. The only evidence that any damage that may have occurred was software related was that the same code had just been installed on all of them. Sorry, that is not sufficient evidence that any damage was software related. 
A report of an "unusually high (output voltage) reading" is used to support the conclusion that the damage was caused by software, when in fact, that should lead one to the far more likely conclusion that any damage was related to an abnormally high input voltage. Rumors of viruses are almost as damaging to public trust as viruses themselves. One should not attribute damage to viruses without cause. One may not justify premature reports on the basis that the virus is very damaging. The greater the power attributed to the virus, the greater, not the lesser, the responsibility to report only what one knows with a very high level of confidence and authority. "I just received word" will not cut it. I will be very surprised if these events are at all related to software. If the cause was software, I will be extremely surprised if the symptoms reported were caused by destruction of chips. I will not be surprised to learn that they did not happen as reported, did not happen at all, or are pure fantasy. Even if they happened exactly as reported, the report is still premature and irresponsible. ____________________________________________________________________ William Hugh Murray 203-966-4769 Information System Security 203-326-1833 (CELLULAR) Consultant to Deloitte & Touche 203-761-3088 Wilton, Connecticut email: 315-8580@MCIMAIL.COM WHMurray@DOCKMASTER.NCSC.MIL MCI-Mail: 315-8580 TELEX: 6503158580 FAX: 203-966-8612 Compu-Serve: 75126,1722 21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY New Canaan, Connecticut 06840 PRODIGY: DXBM57A [Ed. The moderator's response: VIRUS-L/comp.virus receives a great number of messages which appeal to fear and/or are purely hearsay. Long time subscribers will no doubt recognize past examples such as discussions of disk drives writing to write-protected disks, viruses destroying monitors, etc. 
I generally send a response to the author requesting that he/she cite some reference and/or provide complete technical details of any testing and so forth; I have yet to get a response to such a request... Occasionally, however, one of two things can happen. The first is that I accidentally overlook and accept the posting. Mistakes can happen, but I try my best to avoid them and I try even harder to learn from my mistakes. The second is that I decide to pass the message on under the assumption that the vast pool of technical expertise that we have out on the list will quickly and decisively dispel the poster's claims.

I also would like to add the comment that VIRUS-L, like all/most _public_ discussion forums, cannot guarantee the technical authenticity of its contents. The contents of the list are up to the individual subscribers. As such, I would strongly recommend treating all (outlandish) claims with a grain of salt until they can be independently verified.]

------------------------------

Date: Sun, 30 Jun 91 20:31:32 +0700
From: Aviel Roy-Shapira
Subject: Recalcitrant infection with Frodo (PC)

Help please! I have a recalcitrant infection by Frodo or 4096. I am not sure about the source of the infection, but somehow it got into my system. Clean (V. 77) cleaned the disk alright, but the infection keeps popping up. It has become even weirder. Both Clean, Virus Scan, and F-Fchk (115) report that all the files on my hard disk are free from the virus. But, if I boot from the hard disk, and I run F-SYSCHK, it says the virus is lurking in memory. I don't get this warning if I boot from a floppy.

My config.sys file contains Device=DMDrvr.bin, Device=f-driver.sys, files=40 and buffers=20. I don't run any programs or TSRs from my autoexec, which simply states the path and sets a couple of environment variables. DMDrvr.bin appears to be clean, as its length is 8000 bytes or so and it did not change.

I thought that Frodo was only a COM and EXE file infector, yet it somehow entered my system and refuses to leave. Any ideas?

Aviel

------------------------------

Date: Mon, 01 Jul 91 17:52:00 +1200
From: "John, Registry"
Subject: $MUSTAFA, new virus? (PC)

Hi,

Anybody heard of a possible PC virus called $MUSTAFA? Don't know too much about it at the moment. The mouse has stopped working. If you look at device drivers, there is one at

  Memory  Size  Driver  Program  Attributes
  NUL  MSDOS  C
  0AAD-0BA7  3.9K  $MUSTAFA  CS
  . . .

There is a file open:

  Name  Ext  Program
  AUX  CON  PRN  $MUSTAFA (1041)

A memory map shows:

  . . .
  1036 - 103F  0.2K  TRUMOUSE  Environment
  1040 - 2193  69K   (1041)
  2194 - 23BD  8.7K  TRUMOUSE
  . . .

The partition table and boot sectors look o.k. Scan 77 doesn't pick it up. I am getting Scan 80 (hopefully) and will try that. If you do a whereis $mustafa.* it finds it in every directory on the disk (2.7K long). Looking at the actual directory entries the file doesn't exist.

If anybody has any more info for me please e-mail.

John

------------------------------

Date: 01 Jul 91 02:06:56 -0400
From: huff@mcclb0.med.nyu.edu (Edward J. Huff)
Subject: Retrospect Remote vs. Gatekeeper (Mac)

I ran the Retrospect 1.3 remote updater, which sends a new version of the Retrospect Remote cdev across the network. Gatekeeper 1.1.1 and 1.2 both log the PBSetCatInfo from '' to 'cdev' operation to whatever application happened to be running.

The basic problem is: Gatekeeper depends on trusting certain programs to be permitted certain operations, but sometimes, operations can be performed by an INIT such as Retrospect Remote, while that program is the "current application," and Gatekeeper fails to notice that the operation was not initiated by the trusted program.

------------------------------

Date: Mon, 01 Jul 91 12:28:37 +0000
From: gburlile@magnus.acs.ohio-state.edu (Greg Burlile)
Subject: Disk Boot Failure?! (PC)

Could a virus cause the "Disk Boot Failure" DOS error message to appear?
We've had this problem with two of our machines. One of them we had to reformat so that we could finally get the PC to boot from the hard drive. The other computer we were able to boot from diskette and then reboot from the hard drive. Prior to that we had a problem with several computers (including the two I mentioned above) having their root directory files erased (including the hidden system files).

Could someone please give me some input as to why this is happening? Is it a virus? I've run F-PROT 1.13 on these machines and nothing came up. I just downloaded a copy of 1.16 and will see if it finds anything.

------------------------------

Date: Mon, 01 Jul 91 13:40:17 +0000
From: mfr3@cunixb.cc.columbia.edu (Matthew F Ringel)
Subject: Re: Can such a virus be written .... (PC)

PJML@ibma.nerc-wallingford.ac.uk (Pete Lucas) writes:

>until the virus has had a look at what's there. Of course the write-protect
>notch/slide is 99.99% effective in my experience at preventing any
>illicit writes; you would, of course, have write-protected any diskette
>you put in the drive before doing the hypothetical DIR command, wouldn't
>you?
>
> Pete Lucas

Speaking of that... Is it possible for a virus to circumvent an IBM's write-protection of a disk (if the disk is protected in the standard way of covering the notch), or is it something physical that no piece of software can get around?

Any ideas? I'd love to hear them.

-Matthew

}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{
Matthew F. Ringel                   {} Internet:mfr3@cunixb.cc.columbia.edu
...and God saw the light...         {} ringel@cs.columbia.edu
..and said that it was pretty neat. {} Columbia University Football #1!

------------------------------

Date: Mon, 01 Jul 91 15:20:00 +0300
From: Y. Radai
Subject: GUARD - prevents h.d.
infection via floppy boot (PC)

About half a year ago, someone asked whether there was a way of preventing infection of one's hard disk on cold-boot when an infected diskette happens to be in drive A:. As I hinted a couple of times, I would soon be announcing a program to do this. Well, it's called GUARD and is now available in uuencoded ZIPped form to anyone who requests it from me by e-mail.

Some people on this list expressed the opinion that this wouldn't work on a cold boot, or against partition-record viruses, or that it could only detect infection but not prevent it, or that it would require hardware or a special BIOS. Well, GUARD prevents hard-disk infection on floppy boot (even cold boot) without using either hardware or a special BIOS.

The basic idea is as follows: When you install GUARD, it zeroes out several bytes of each entry of the partition table (storing the original bytes elsewhere in the partition record), so that these partitions are not recognized as DOS partitions when booting from a diskette, and it inserts code in the partition record which resets these bytes when booting is performed from the hard disk. A command GUARD -G in the AUTOEXEC.BAT file of the hard disk zeroes the bytes again, thus restoring the protection for the next diskette boot.

Because of the fact that the hard-disk partitions are non-DOS partitions when booting from a diskette, no boot-sector or file virus can infect the hard disk. A partition-record virus will infect the partition record of the hard disk *temporarily*, but the viral code will be overwritten by GUARD's uninfected code the next time booting is performed from the hard disk.

There's nothing original in the idea of modifying the partition record for this purpose, although I haven't seen a program which deals with p.r. viruses in this way. Note also that it does not rely on a device driver or any other code outside of the p.r., as most other programs of this type do.

Another feature is that you can protect *selected partitions* of your hard disk(s). GUARD also contains an option to require typing of a password in order to use the computer after booting from the hard disk.

Can GUARD be circumvented by a directed attack? Of course, but what anti-viral program can't? (The closest thing to an exception seems to be a carefully designed checksum program activated after booting from a clean diskette.) However, it's effective against all viruses which do not mount a directed attack against this type of defense (which includes all viruses known today).

Note: I am not the author of GUARD. I simply beta-tested it, suggested numerous improvements, and wrote the documentation for it. You are invited to try it out ("gamma-test" it) and to send me your comments, which I will reply to and/or forward to the author. (Eventually GUARD will be uploaded to Simtel20 and other servers as shareware.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Mon, 01 Jul 91 15:38:00 +0300
From: Y. Radai
Subject: Re: Virus protection: what to use

Aryeh Goretsky gave a good description of the three main types of anti-viral software. I think he missed a few important points, however, so I'd like to contribute a few additions to what he wrote.

Concerning "filters" (or as I call them, generic monitoring programs), he writes:

>Filters have the
>advantage of being able to detect new viruses because they are not
>looking for specific viruses, but rather virus-methods.

Correct, but there is another advantage (in comparison to the other methods he mentions, which can only detect infections *after* they have occurred): filters can *prevent* infection from occurring at all.

He then mentions three disadvantages of filters. However, there are two others: (1) They can't prevent anything which happens before they go resident (in particular, boot sector infections).
(2) Being resident programs, they are more vulnerable to neutralization or circumvention by a hostile program than is a non-resident program.

Concerning "change checkers" (modification detectors), he writes:

>The advantages to change checkers
>are that they will detect known and unknown viruses, like the filter,

True, but a filter can also be effective against immediate-acting *Trojans*, something that is not true of a change checker.

>it's been theorized that if
>the method of change checking is known, a virus could be written to
>add itself to files in such a way that a checksum identical to the
>known (good) checksum is generated;

This is not possible with a CRC or cryptographic algorithm if each user's checksums are based on a different key unknown to others and his table of checksums is inaccessible to a hostile program. (These two conditions cannot be achieved in inter-machine transfer of files to arbitrary users, but they can be achieved when modification takes place on a given computer, which is what is normally assumed when discussing viruses.)

Turning to [known-virus] scanners, he writes:

>And of course, as more
>viruses are added, the scanner gets s l o w e r.

This is true of *most* scanners, but not all of them. By using a hashing technique, the scanning time can be kept constant, at the price of somewhat increased program size.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Mon, 01 Jul 91 11:10:06 -0500
From: James Ford
Subject: New files on MIBSRV (PC)

The following files have been uploaded to risc.ua.edu in the directory pub/ibm-antivirus for anonymous ftping:

  scanv80.zip
  netscn80.zip
  vshld80.zip
  clean80.zip
  virx15.zip

One last note: MIBSRV.MIB.ENG.UA.EDU has been removed. It is probably going to make someone a nice boat

- ----------
Behind every successful man is a woman who made it necessary.
- ----------
James Ford - jford@ua1vm.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date: Mon, 01 Jul 91 12:39:33 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Disinfectant 2.5? (Mac)

Recently, the Fidonet "Warnings" echo carried a note about Mac users having to upgrade to Disinfectant 2.5. I replied with the information from John Norstad's posting here a while back:

==========
From: j-norstad@nwu.edu (John Norstad)
Subject: Disinfectant and System 7 (Mac)
Date: 20 May 91 01:50:16 GMT

Thanks to an error in Apple's Compatibility Checker, I've been deluged with requests for information on Disinfectant 2.5. If you have installed the Disinfectant INIT on your system, Apple's Compatibility Checker incorrectly reports that it is incompatible with System 7, and it recommends that you get version 2.5.

There is no Disinfectant 2.5, and there won't be one! Disinfectant 2.4 works fine with System 7, provided you leave the Disinfectant INIT in
==========

I have now received the following reply:

==========
06/30/91 19:10:49
From: JOHN LENKO
Subj: REPLY TO MSG# 12992 (DISINFECTANT 2.5)

Unbelievers get viruses...at least in this case they do! This is John's friend Chris, the source for the info. I already have 2.5, and it is already posted on DDCBBS, in case you do not believe that there is a version 2.5. I would suggest looking into it, for it is not only System 7.0 compatible, but is also able to recognize the new strain of ZUC, strain C, that is....

- --- TBBS v2.1/NM
 * Origin: Doppler/Deep Cove TBBS - Richmond, B.C. (153/915)
=========

What gives?

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date: Tue, 02 Jul 91 00:37:39 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Two versions of SCANV80.ZIP? (PC)

p1@arkham.wimsey.bc.ca (Rob Slade) writes:

>I retrieved SCANV80.ZIP from the wuarchive.wustl.edu mirror of
>SIMTEL20, but when I went to repost it on a local board found a
>different version. Both versions appear to be authentic, with some
>minor differences in text files:

[listing of ZIP file contents deleted here...]

>It seems the only differences are found in:
> README.1ST
> REGISTER.DOC
> SCANV80.DOC
> VIRLIST.TXT
>with the addition of two files:
> NETSCN80.DOC
> VSHLD80.DOC

Oops. The SCAN zip file was released with two extra doc files in it accidentally. It was replaced after this was discovered a few hours later, but apparently a few copies are circulating... It's no cause for alarm, the only difference being that the ZIP file with the extra two files may take a bit longer to download.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
McAfee Associates        | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street      | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California  | BBS   (408) 988-4004 |
95054-0253 USA           | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: Mon, 01 Jul 91 20:39:06 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: re: Words

vail@tegra.com (Johnathan Vail) writes:

> virus - a piece of code that is executed as part of another program
> and can replicate itself in other programs. The analogy to real
> viruses is pertinent ("a core of nucleic acid, having the ability to
> reproduce only inside a living cell"). Most viruses on PCs really are
> viruses.
>
> worm - a program that can replicate itself, usually over a network.
> A worm is a complete program by itself unlike a virus which is part of
> another program. Robert Morris's program, the Internet Worm, is an
> example of a worm although it has been mistakenly identified in the
> popular media as a virus.
> bomb.

Question:

Given that under these definitions boot sector infectors, "spawning" viri and items such as Mac's WDEF are excluded from "virus", does that make them all "worms"?

If so, you will have to define "most viruses on PCs", since many of the more successful PC viri are BSI's.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 115]
******************************************

3-Jul-91 19:16:41-GMT,23112;000000000001
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA28256; Wed, 3 Jul 91 15:16:31 EDT
Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA13929; Wed, 3 Jul 91 15:16:21 EDT
Message-Id: <9107031916.AA13929@remus.rutgers.edu>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 3282; Wed, 03 Jul 91 15:08:31 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 6356; Wed, 03 Jul 91 15:08:02 EDT
Date: Wed, 3 Jul 91 14:45:29 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #116
Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Wednesday, 3 Jul 1991    Volume 4 : Issue 116

Today's Topics:

General definition part 1 (general)
Requirements for Virus Checkers (PC)
New Release of VIRx: Version 1.6 now available (PC)
FROD/4096 (PC)
Disinfectant 2.5 (Mac)
re: Can such a virus be written... (PC) (Amiga)
Words, Words, Words
Re: Dos Boot control with pascal. (PC)
Disinfectant 2.5, To be or not to be? (Mac)
Re: Software pricing
IBM Write-Protection (was: Can such a virus be written ... ) (PC)
sideshow on doom2:reply (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 01 Jul 91 20:59:49 -0700
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: General definition part 1 (general)

DEFGEN1.CVP   910701

        Towards a Definition of computer Viral Programs

The "man on the street" is now often aware of the term "computer virus" even if he (or she) does not use a computer. However, it is often the case that those who are otherwise technically literate do not understand some of the implications of the phrase. This is not surprising in that the term is slang, is often misused, and that "hard" information is difficult to come by.

It is important to know what a computer virus is if you are going to defend yourself against the many that are "out there." It is also important to know what a computer virus is not. There are other types of programs and situations which can do damage to your computer or data, and many of these will not be caught by the same methods which must trap viral programs.

A biological analogy, which we find in the dictionary, is helpful.
The Oxford English Dictionary speaks of "... a moral or intellectual poison, or poisonous influence..." which, while satisfying to the wounded ego of those who have been hit, is not terribly helpful in a technical sense. Webster, however, steers us in a more helpful route in stating that a virus is "... dependent on the host's living cells for their growth and reproduction..."

By eliminating the biological references, we can come to the definition that a virus is an entity which uses the resources of the host to spread and reproduce itself without informed operator action. Let me stress here the word "informed." A virus cannot run completely on its own. The computer user must always take some action, even if it is only to turn the computer on. This is the major strength of a virus: it uses *normal* computer operations to do its dirty work, and therefore there is no single identifying code that can be used to find a viral program.

I must make mention, before I continue, of the work of Fred Cohen. Dr. Cohen is generally held to have coined the term "computer virus" in his thesis, published in 1984. However, his definition covers only those sections of code which, when active, attach themselves to other programs. This, however, neglects many of the programs which have been most successful "in the wild". Many researchers still insist on this definition, and therefore use other terms such as "worm" and "bacterium" for those viri which do not attack programs.

copyright Robert M. Slade, 1991   DEFGEN1.CVP   910701

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security

------------------------------

Date: Tue, 02 Jul 91 12:30:07
From: c-rossgr@microsoft.COM
Subject: Requirements for Virus Checkers (PC)

>From: Robert McClenon <76476.337@CompuServe.COM>
> The second clause is true but sadly irrelevant. I wish every
>developer were as attentive as Ross is to complaints. I wish every
>vendor were as responsive as Ross and Microcom are. For those reasons
>the first clause is good advice in general but not worth fighting
>over.

And thanks, but I think we could do better, frankly. All that, however, requires that users *actively* take part in the process of product development. If you're using a company's product and there's stuff about it that you don't like, think is needed, want in the next version --- call them up and tell them. Microcom actually pays people to listen to your suggestions (and the odd complaint, I guess) and writes them up. When we start talking about what to include in the next version of the code, the end users (the people with the money to buy the product) dictate what we stick into that next release. Be vocal!

This isn't just for anti-virus products, of course: I've been involved in the commercial programming end of a number of products. We always work in an ideal world of what we think the world wants and needs...until them pesky end-users start telling us where we're wrong.... Heck, *I* was under the impression that everybody *loved* command line interfaces (maybe my UNIX background showing through?) --- but it seems people are in love with those horrid little drop and shadow boxes. Guess what Version 2.0 has in it....

Ross

------------------------------

Date: Tue, 02 Jul 91 12:37:00
From: c-rossgr@microsoft.COM
Subject: New Release of VIRx: Version 1.6 now available (PC)

There were some problems with Version 1.5. Version 1.6 is now available on CIS, my BBS (212-889-6438) and, shortly, on SIMTEL-20.
Highlights:

What's New In VIRx Version 1.6
==============================
Date: 7/01/91

1. VIRx Version 1.6 now detects six newly discovered viruses, bringing the total count to just over 500.

2. VIRx now indicates whether an infected compressed program was infected before or after the compression (PKLITE and LZEXE). This was trivial to implement, but a useful addition.

3. Another few cycles were shaved off our decompression routines: experience pays. For those wondering, all decompression routines are completely internal and done in memory --- and always have been.

Problems Corrected from v1.5:

1. False positives for the "Sathanyc/Goblin/Necrop" viruses. VIRx Version 1.5 was incorrectly identifying "ICE'ed" programs as infected. An example of this was the well known TIMESET program: our apologies and gratitude to Peter Petrakis for being a good sport about our mistake.

2. Occasional false positives for "Scrnched" files: fixed.

3. The P1 Virus string was occasionally left in DOS buffers: another scanner program which apparently used the same string would make erroneous reports of an active P1 Virus in memory. This has been fixed.

4. Due to similar templating of the V2P6 Virus, VIRx would find a possible infection in the VDEFEND program. This was rectified.

------------------------------

Date: Tue, 02 Jul 91 15:31:51 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: FROD/4096 (PC)

>From: Aviel Roy-Shapira
>Clean (V. 77) cleaned the disk alright, but the infection
>keeps popping up. It has become even weirder. Both Clean, Virus Scan,
>and F-Fchk (115) report that all the files on my hard disk are free
>from the virus. But, if I boot from the hard disk, and I run
>F-SYSCHK, it says the virus is lurking in memory. I don't get this
>warning if I boot from a floppy.

This being the second time I have seen this type of posting with regard to Frodo/4096, I have two comments to make: the 4096 is a "stealth" virus & goes resident in memory. At least two of the scan programs mentioned will detect the 4096 in memory unless they are explicitly told not to (/nomem), in which case you will infect every file on the disk (yes I did, publicly, once, nevermore).

However, this is one of the viruses that can be detected very easily in memory using CHKDSK. Most clean 640k PCs will report "655360 bytes total memory". If the 4096 is resident, this value will be somewhere below 652xxx bytes (CMA- do not have my notes here). If you have 655360 (everyone got it memorized now?) you do not have the 4096 "classic" version.

Cooly (monsoon season has started),

Padgett

------------------------------

Date: Tue, 02 Jul 91 15:29:03 -0400
From: Ed Maioriello
Subject: Disinfectant 2.5 (Mac)

All,

I have seen many questions regarding the compatibility of Disinfectant 2.4 with Macintosh System 7 and the availability of Disinfectant 2.5. I have experienced no problems using Disinfectant 2.4 with System 7, though I understand the Disinfectant init should be left in the System Folder proper - not placed in the Extensions folder. The same is true of Disinfectant 2.5 and its init which is available off Sumex-aim.stanford.edu via anonymous ftp now.

Ed Maioriello                              Bitnet: EMAIORIE @ UGA
University Computing & Networking Servs.   Internet: emaiorie@uga.cc.uga.edu
University of Georgia
Athens, Ga. 30602
(404)-542-8780

Where are the Snowdens of yesteryear?

------------------------------

Date: Tue, 02 Jul 91 19:12:28 -0500
From: Finnegan Southey
Subject: re: Can such a virus be written... (PC) (Amiga)

Fridrik Skulason writes:

>However, the question was
>whether a virus-infected diskette could infect the system, when the
>user issued a 'DIR' command.
>The answer to that question is a definite NO - on a PC, that is - but
>I am not sure if the same applies to the Amiga or the Mac - perhaps
>somebody else can clarify that.

This is definitely possible on Amigas running Kickstart/Workbench 1.3 or lower.
All AmigaDos commands are executable files so a file infector could easily use the dir or list commands. I've heard that Kickstart 2.0 has most AmigaDos commands in ROM (the ROMs are shipping now) but I'm not sure. That would be great from the virus perspective...

- -----------------------------------------------------------------------------
Finnegan Southey - CCS HELP DESK, University of Guelph, Ontario, CANADA
BitNet: ACDFINN.VM.UOGUELPH.CA        CoSy: fsouthey@COSY.UOGUELPH.CA
You are in a maze of twisty little passages, all alike.

------------------------------

Date: 02 Jul 91 23:20:29 -0400
From: Robert McClenon <76476.337@CompuServe.COM>
Subject: Words, Words, Words

>Date: Mon, 01 Jul 91 20:39:06 -0700
>From: p1@arkham.wimsey.bc.ca (Rob Slade)
>Subject: re: Words

>vail@tegra.com (Johnathan Vail) writes:

>> virus - a piece of code that is executed as part of another program
>> and can replicate itself in other programs. The analogy to real
>> viruses is pertinent ("a core of nucleic acid, having the ability to
>> reproduce only inside a living cell"). Most viruses on PCs really are
>> viruses.

>> worm - a program that can replicate itself, usually over a network. A
>> worm is a complete program by itself unlike a virus which is part of
>> another program. Robert Morris's program, the Internet Worm, is an
>> example of a worm although it has been mistakenly identified in the
>> popular media as a virus.
>
>Question:
>
>Given that under these definitions boot sector infectors,
> "spawning" viri and items such as Mac's WDEF are excluded from
> "virus", does that make them all "worms"?
>
>If so, you will have to define "most viruses on PCs", since many
>of the more successful PC viri are BSI's.

This is very much a terminological issue at two levels. However, I would agree with Vail that the definitions are sound and do not require a modification of the statements that he made. The real issue is: "What is a program?"
I submit that the Master Boot Record of a PC is a special-purpose program. Therefore a Boot Sector Infector such as Stoned is a virus using Vail's definition. Any code executed in the Desktop is a program, even if it is a Trojan horse program because it is taking advantage of a weakness in System less than 7.0. Therefore WDEF is a program infecting virus. A program is any stand-alone sequence of executable instructions, not just those executed by a valid call to the operating system.

Slade has a good question. He is basically demanding clarification of terminology. We need that.

Stoned is a virus. WDEF is a virus. The Morris worm was not a virus. It was a worm.

Robert McClenon
Neither my employer nor anyone else paid me to say this.

------------------------------

Date: Wed, 03 Jul 91 05:30:58 +0000
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Re: Dos Boot control with pascal. (PC)

phys169@csc.canterbury.ac.nz writes:
>SJS132@psuvm.psu.edu (Steve Shimatzki) writes:
>> Does anyone know how I would make a program to boot off of floppy
>> (first, not boot, and then run...) or add it to the existing boot,
>> so that I could have my program run first.
>>
>> I got curious about the new portable computer security software, that
>> makes sure that it is booted with a 'KEY' disk, and I wanted to do
>> something like that, but as PD (commercial is 99$!!!!)
>>
>(1) you can encode the hard disk (scramble sectors) so you have to boot off
>    a special floppy that replaces the BIOS to decode them correctly,

Please, I have enough nightmares after my hard disk made that funny sound last week, I don't need the disk to be in some weird, non-standard and insufficiently well-tested format, thank you.

>[Mark suggests that the BIOS could be replaced, and that the BIOS writers
>need to help out the security/anti-viral effort. Amen.]
>
>Mark Aitchison.

This has little to do with pascal, so I'm directing followups to comp.virus.

David R. Conrad
dave@michigan.com
- --
= CAT-TALK Conferencing Network, Computer Conferencing and File Archive =
- - 1-313-343-0800, 300/1200/2400/9600 baud, 8/N/1. New users use 'new' -
= as a login id. AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")       =
E-MAIL Address: dave@Michigan.COM

------------------------------

Date: Wed, 03 Jul 91 09:20:00 -0400
From: "Mark Nutter, Apple Support"
Subject: Disinfectant 2.5, To be or not to be? (Mac)

p1@arkham.wimsey.bc.ca quotes from John Norstad:

>>There is no Disinfectant 2.5, and there won't be one! Disinfectant 2.4
>>works fine with System 7, provided you leave the Disinfectant INIT in

He then quotes "John's friend Chris" as saying:

>>I already have 2.5, and it is already posted on DDCBBS, in case you do
>>not believe that there is a version 2.5. I would suggest looking into

He then asks:

>=========
>
>What gives?
>
>=========

I think the answer lies in the dates of the messages. I downloaded Disinfectant 2.5 yesterday (July 2), and noted in the help file that John is working on a 3.0 version that will be a lot more at home in System 7. Presumably, he was already working on this on 20 May 91, when his original message was posted, and was therefore expecting to go from 2.4 straight to 3.0. The recent discovery of a new strain of the ZUC virus, however, prompted him to release an interim update to 2.5. Unless someone has any proof to the contrary, I see no reason to suspect that 2.5 is not a bona fide release of Disinfectant.

- -----------------------------------------------------------------------------
Mark Nutter                                        MANUTTER@IUP
Apple Support Manager
Indiana University of Pennsylvania
G-4 Stright Hall, IUP
Indiana, PA 15705
"You can lead a horse to water, but you can't look in his mouth." - Archie B.
=============================================================================

------------------------------

Date: 03 Jul 91 13:44:53 +0000
From: "Brian W. Gamble"
Subject: Re: Software pricing

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:
>I think I've missed something somewhere. $30/year for a single user
>Hypercard stack of virus information (a very good one though I liked
>it better as a flat ASCII file), $350/year for a soft cover anti-viral
>magazine, and people are b*tch*ng about $1500/2 years with unlimited
>updates to license software for 10 technicians to service (one would
>expect) 10,000 PCs ? $0.15/pc ? They even give telephone support! The
>answer is simple: if you don't like the price, buy something else (or
>nothing), there are plenty of alternatives.
>
>Better yet, write your own software and support it yourself, that just
>takes learning and effort.
>
>Problem is not many people today seem to have heard of John Galt or
>TANSTAAFL.

Yes Padgett, life is strange. Your society and mine both seem to think that anything needed should be free for the asking. Any company who stands up and asks to be paid for their efforts is going to get lots of complaints.

Actually, your postings and those from Aryeh Goretsky are clear and useful reading. My thanks to both of you. I would hardly call a license policy based on human nature a refusal to sell a product. Everything I read from the McAfee group about their license policies makes a good deal of sense. They have a flexible policy that covers everybody from the single PC owner user, right up to a multinational company like the one I work for.

You get what you pay for people, and frankly, I think the product is worth the price. Those who don't think the product is worth the price should quit wasting bandwidth and buy something else. It is abundantly clear that McAfee has a product for sale, and very easy to find out what their sales policies are for any given situation.

The only free lunch comes from friends, and even then it often isn't. The above line(s) are mine, but may be the result of too much exposure to a fictional character called L. Long. TANSTAAFL makes sense to me!

- --
Brian W. Gamble, Brian.Gamble@Waterloo.NCR.COM
NCR Canada Ltd. E&M Waterloo
Charter Member -- The ShoeString Racing Team

------------------------------

Date: 03 Jul 91 09:09:00 -0500
From: "William Walker C60223 x4570"
Subject: IBM Write-Protection (was: Can such a virus be written ... ) (PC)

Here we go again ...

From: mfr3@cunixb.cc.columbia.edu (Matthew F Ringel)
> Is it possible for a virus to circumvent an IBM's
> write-protection of a disk ...

NO! If a diskette is write-protected (cover the notch, slide the slide, whatever), the IBM floppy controller will not allow any writes to that diskette. Now, there have been weird failures of the write-protect mechanism which have allowed writes (light bouncing around because of a silver tab, light passing through a translucent disk cover, a short in the write-protect detector, etc.). One which I've seen myself is an "electrical tape-like" write-protect tab which, when used in a drive with a mechanical detector (a switch), eventually got an indentation deep enough to let the switch engage, allowing writes to the diskette. In all of these cases, HARDWARE was at fault. With the present floppy controller system, software CANNOT bypass the write-protect mechanism

"...and there's no doing anything about it!" -- The Rum Tum Tugger, "Cats"

Bill Walker ( WALKER@AEDC-VAX.AF.MIL )   |
OAO Corporation                          |
Arnold Engineering Development Center    | "I'd like to solve the puzzle, Pat"
M.S. 120                                 |
Arnold Air Force Base, TN 37389-9998     |

------------------------------

Date: 01 Jul 91 16:43:00 -0500
From: "zmudzinski, thomas"
Subject: sideshow on doom2:reply (PC)

While I agree with Mr. Slade on the benefits of encrypting search strings to prevent false positives, his statement:

> As Ross [Greenburg] has pointed out, no matter how well strings are
> encrypted, eventually someone will break the code, and then it is a
> trivial matter to write a virus that circumvents that package.

should not go uncontested.
This paraphrase contains two (mathematical, not grammatical) infinitives, "no matter how well ... encrypted" and "eventually". If I can play with one infinitive, let alone two, I can probably prove the world is flat (well, it _is_, locally) or some such.

Actually, what Mr. Greenburg wrote was:

>> The bad guys can certainly break
>> whatever coding scheme I use, thereby using the string list just as if
>> it were not encoded at all.

Mr. Greenburg's statement describes his assessment of his abilities to develop/implement a cryptographic system. If he says that he cannot do something he believes to be difficult, so be it -- he knows where his strengths lie.

On one hand, if all one is trying to do is prevent false positives from other scanners, trivial bit flipping when the program is loaded (to avoid "finding" their images on disk) and again at EOJ (to clean up memory) will do just fine.

And on the other hand, does anyone _really_ believe that the "bad guys" _don't_ run the latest crop of anti-viral software to check that their "products" won't be caught immediately?
Tom Zmudzinski          * * *          ZmudzinskiT @ IMO-UVAX.DCA.MIL
#include            /* To keep the lawyers happy */
#include            /* To keep the reader happy */
#exclude            /* To keep ME happy */

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 116]
******************************************

8-Jul-91 15:33:15-GMT,25726;000000000001
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA18995; Mon, 8 Jul 91 11:33:11 EDT
Received: from IBM1.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA24187; Mon, 8 Jul 91 11:33:04 EDT
Message-Id: <9107081533.AA24187@remus.rutgers.edu>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 5778; Mon, 08 Jul 91 11:25:22 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 4072; Mon, 08 Jul 91 11:25:02 EDT
Date: Mon, 8 Jul 91 10:59:48 EDT
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #117
Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday, 8 Jul 1991    Volume 4 : Issue 117

Today's Topics:

Recurring 4096 Infection (PC)
VSHLD80B.ZIP - Resident virus infection prevention program (PC)
VIRX16.ZIP - VIRX v1.6: Easy to use free virus checker (PC)
VirusX (PC)
Demo Disk from Mainstay (Mac)
DOS 5.0 & FPROT116 (PC)
Virus Scanner (PC)
Re: McAfee on VSUM accuracy and Microcom (PC)
sideshow on doom2:reply (PC)
TNT AntiVirus from CARMEL / WARNING !!! (PC)
Re: Recalciterant infection with Frodo <4096> (PC)
IBM Anti-Virus Product 2.1.2 (PC)
Introduction to introductory columns (general)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name.
Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.

Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: 03 Jul 91 09:14:00 -0500
From: "William Walker C60223 x4570"
Subject: Recurring 4096 Infection (PC)

From: Aviel Roy-Shapira
> Help please! I have a recalcitrant infection by Frodo or 4096. I am
> not sure about the source of the infection, but somehow it got into my
> system. Clean (V. 77) cleaned the disk alright, but the infection
> keeps popping up. It has become even weirder. Both Clean, Virus Scan,
> and F-Fchk (115) report that all the files on my hard disk are free
> from the virus. But, if I boot from the hard disk, and I run
> F-SYSCHK, it says the virus is lurking in memory. I don't get this
> warning if I boot from a floppy.
> My config.sys file contains Device=DMDrvr.bin, Device=f-driver.sys,
> files=40 and buffers=20. I don't run any programs or TSR from my
> autoexec, which simply states the path and sets a couple of
> environment variables. DMDrvr.bin appears to be clean, as its length
> is 8000 bytes or so and it did not change.
> I thought that Frodo was only a COM and EXE file infector, yet it
> somehow entered my system and refuses to leave. Any ideas?

4096 also infects COMMAND.COM and (I think) .SYS and .BIN files, but SCAN should still find it there.

I have a few ideas to try. Since I don't know your level of expertise, forgive me if I say something you already know or have already tried.

4096 is a "stealth" virus because it covers its tracks if it is active in memory. For this reason, you must first boot from a known clean floppy (usually your original DOS diskette) before running SCAN or whatever.
A potential problem that I see in your case is DMDRVR.BIN, which (if I'm not mistaken) is Disk Manager, implying that you have a large hard disk partitioned into several logical drives. Booting from a pure DOS floppy will not allow access to partitions other than C:. One thing you can do is create a bootable floppy (after booting from a known clean floppy, of course), copy DMDRVR.BIN from your original Disk Manager diskette (SCAN it first), make a CONFIG.SYS file on the floppy which contains only DEVICE=DMDRVR.BIN, and add a write-protect tab. Booting from this diskette should give you access to all partitions on your hard disk as well as provide a clean environment in which to run SCAN.

Since you apparently do not know what is still infected, try the following. After booting from a known clean floppy, do

   SYS C:
   COPY COMMAND.COM C:

to put a clean system back on your hard disk. Before rebooting, rename CONFIG.SYS and AUTOEXEC.BAT to something else (I know you said that you have no programs in AUTOEXEC, but I'm making this more generic). Reboot, then SCAN the system. If the virus is NOT in memory, restore CONFIG.SYS, but take out the DEVICE=F-DRIVER.SYS line. Copy the DMDRVR.BIN file from your original Disk Manager diskette to drive C:. Reboot and SCAN. If the virus is still NOT in memory, restore the line DEVICE=F-DRIVER.SYS, and copy F-DRIVER.SYS from a known clean source if you have one. Reboot and SCAN. Restore AUTOEXEC.BAT. Reboot and SCAN. Now start running programs and SCAN after each program. I know this seems like a pain-in-the-butt, time-consuming procedure, but if the anti-virus programs aren't finding the remaining infected files, it's about the only way.

I hope this helps in some way and hasn't duplicated your efforts.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL )   |
OAO Corporation                          | "I think, therefore I am.
Arnold Engineering Development Center    |  Nah, I think not."
M.S. 120                                 |            *POOF*
Arnold Air Force Base, TN 37389-9998     |

------------------------------

Date: Wed, 03 Jul 91 13:13:00 -0600
From: mcafee@netcom.COM (McAfee Associates)
Subject: VSHLD80B.ZIP - Resident virus infection prevention program (PC)

I have uploaded to SIMTEL20:

pd1:
VSHLD80B.ZIP    Resident virus infection prevention program

Version 80-B of VSHIELD has been released. This version replaces Version 80, which mis-identified some files encrypted with ICE as being infected with the Crypt-1 virus.

The validation results for VSHIELD Version 80-B should be:

FILE NAME:           VSHIELD.EXE    VSHIELD1.EXE
SIZE:                33,723         11,281
DATE:                07-01-1991     02-14-1991
FILE AUTHENTICATION
Check Method 1:      9B2B           6B40
Check Method 2:      097C           103E

Regards
Aryeh Goretsky
McAfee Associates Technical Support
- - -
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: Wed, 03 Jul 91 13:25:00 -0600
From: c-rossgr@MICROSOFT.COM (Ross Greenberg)
Subject: VIRX16.ZIP - VIRX v1.6: Easy to use free virus checker (PC)

I have uploaded to SIMTEL20:

pd1:
VIRX16.ZIP    VIRX v1.6: Easy to use free virus checker

VIRx is a freely distributable scanning program -- there is *no* charge associated with it, although copyrights *are* maintained by both Microcom and me. In addition to SIMTEL20, it is available on CIS and on my BBS at 212-889-6438.

===
What's New In VIRx Version 1.6

1. VIRx Version 1.6 now detects six newly discovered viruses, bringing the total count to just over 500.

2. VIRx now indicates whether an infected compressed program was infected before or after the compression (PKLITE and LZEXE). This was trivial to implement, but a useful addition.

3. Another few cycles were shaved off our decompression routines: experience pays.
For those wondering, all decompression routines are completely internal and done in memory --- and always have been.

Ross
- - -
Ross M. Greenberg
Author, Virex-PC, VIRx and FLU_SHOT+

------------------------------

Date: 03 Jul 91 17:03:58 +0000
From: Tom Carter
Subject: VirusX (PC)

I have asked this question before but have received nil replies. PLEASE, can someone out there tell me what the latest version of VirusX really is??

Thanx.....

------------------------------

Date: Wed, 03 Jul 91 20:58:05 +0000
From: robs@ux1.cso.uiuc.edu (Rob Schaeffer)
Subject: Demo Disk from Mainstay (Mac)

The demo disk from Mainstay has nVIR attached to the archive. It seems to not be able to spread, but it is there. Disinfectant nicely removes the virus. I would be curious to know why the virus doesn't spread.

Rob
- --
robs@ux1.cso.uiuc.edu
"Putting magnets on the T.V. distorts the picture and makes it more real."

------------------------------

Date: Wed, 03 Jul 91 16:44:46 -0700
From: Steve Clancy
Subject: DOS 5.0 & FPROT116 (PC)

A user recently posted this on our BBS. Has anyone else experienced this?

"I was wondering if anyone has experienced a problem with FPROT116. Since I installed it with msdos ver 5.00 it hangs my system with the message Virus Alert!! Int 13 has been changed. I have tested and no virus is found. If I disable f-driver in my config.sys file everything is ok. All other programs associated with this program work fine. Any thoughts or suggestions?"

I am not familiar enough with FPROT116 or DOS 5.0 to make an intelligent comment. Any help will be appreciated.

- --
Steve Clancy
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
% Steve Clancy, Biomedical Library    % WELLSPRING RBBS                %
% University of California, Irvine    % 714-856-7996 300-2400 24hrs    %
% P.O. Box 19556                      % 714-856-5087 300-9600 24hrs    %
% Irvine, CA 92713 U.S.A.             % SLCLANCY@UCI.BITNET            %
%                                     % SLCLANCY@UCI.EDU               %
%.....................................................................%
% "As long as I'm alive, I figure I'm making a profit."               %
%                                     -- John Leas, 1973              %
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Thu, 04 Jul 91 09:23:14 +0700
From: Vincent Chan
Subject: Virus Scanner (PC)

Hi,

I have read with interest some of the reviews and entries here in this Virus List and I must say that this is by far the most informative and well discussed topic on computer viruses. I have also followed some of the discussions on various virus scanners on the market today, be it commercially available or shareware; these discussions have helped me to choose the right product that will cater to my need.

Two of the virus scanners that I found most helpful for the detection and removal of viruses are Fprot from frisk and McAfee Scan. Both of these products have helped me to detect and remove some of the prevalent viruses over here. The most common virus is the Joshi virus, which has caused me much headache and heartache at times. Both of these products have managed to detect and remove the virus.

Recently I was introduced to Ross Greenberg's VIRX. This program looks interesting and it is able to scan the hard disk for viruses at considerable speed. But I have not really explored the potential of this program. But recently I tried to scan a diskette which has been infected with the Joshi virus and it couldn't detect it! Fprot and McAfee Scan have no problem with it. The VIRX version is 1.5. I dunno whether the author realised this or not. Anyway I read from the latest issue of Virus-l that Ross has come out with the latest version of VIRX 1.6 and hopefully it will be able to fix the problem that I mentioned above, if not in this version then in a future version of Virx.
------------------------------

Date: Sat, 29 Jun 91 00:43:49 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: McAfee on VSUM accuracy and Microcom (PC)

c-rossgr@microsoft.COM writes:

[stuff deleted]
>
>This is good news. I was under the impression that Microcom attempted
>to license a copy from you and was told that they may not use it
>without a license and that a license would not be issued to Microcom
>under any circumstances.
>
>I am glad that the information given to me is false and that Microcom
>is expressly being given permission to utilize this product from the
>vendor. I would presume there is a charge for such usage: what would
>that charge be for *only* one computer to use your product? I'll be
>sure to report that amount to the Microcom people I deal with.
>
>Ross

Hello Ross,

I've given Mr. McAfee a copy of your message, but he hasn't typed up a reply yet. In the meantime, perhaps you could leave me your mailing address and/or fax number so that I could give that to John for a (faster) reply.

Thanks,
Aryeh Goretsky
McAfee Associates Technical Support
- - --
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: Thu, 04 Jul 91 02:27:30
From: c-rossgr@microsoft.COM
Subject: sideshow on doom2:reply (PC)

>From: "zmudzinski, thomas"
>
>Actually, what Mr. Greenburg wrote was:
                          ^
 Actually, what Mr. Greenberg wrote was:
                          ^
minor nit... :-)

>> The bad guys can certainly break
>> whatever coding scheme I use, thereby using the string list just as if
>> it were not encoded at all.

> Mr. Greenburg's statement describes his assessment of his
>abilities to develop/implement a cryptographic system. If he says
>that he cannot do something he believes to be difficult, so be it --
>he knows where his strengths lie.

Whoa! I'm sure that simply sticking in DES encryption is probably within even my meager abilities -- provided that the instruction manual doesn't use words that are too big... But does even using DES (provided I can find the on/off switch on my computer by myself) really buy us anything? It's just the idea that it's not that tough to break such a scheme: recall that I spend a good deal of my life actively disasming encrypted viruses. Anything that is gonna be disasmed at run time is trivial to disasm by anyone with their mind set on it.

Remember that, regardless of the scheme used to make such a marvelous cryptographic system, the key *must* be included in the body of the program in order for it to work conveniently. To have different keys that are external to a program that are different from machine to machine would be a tech support nightmare. Have you ever tried to figure out what shipping >50K copies of code *really* means? I merely have to code this stuff: Microcom has to do tech support. I have the easy part of the job: disasming new viruses and creating fast search algorithms is nothing compared to dealing with Martha from BrokenHipBone, Arkansas who wants to know why she has to stick the ignition keys to her tractor into the floppy drive door when the machine asks her to "insert her key, then press any key." She will, of course, end up asking where the "any" key is.

> And on the other hand, does anyone _really_ believe that the "bad
>guys" _don't_ run the latest crop of anti-viral software to check that
>their "products" won't be caught immediately?

Hey, I'm sure that most of the anti-virus people probably have bad guys as beta testers without even knowing it!

Ross

------------------------------

Date: 04 Jul 91 09:02:14 +0700
From: infocenter@urz.unibas.ch
Subject: TNT AntiVirus from CARMEL / WARNING !!! (PC)

This is a warning to everybody who intends buying the product Turbo Anti-Virus from CARMEL distributed by EPG Softwareservice, Germany.

In January 91 I bought this product (Version 7.02). The program itself has a nice user-interface and was at the time I bought it quite up-to-date. By buying the product they promise you a quarterly update. HAAAAAAAAAAAAAAAAAAAAAAAAAA ... well, they promise ?!?!?

I got version 7.02. It's now half a year later and I've never seen an update. I know from other people who bought the stuff later that they got meanwhile up to 7.06. During a phone call with EPG they told me about V7.1. Totally I sent them a FAX for customer support (something they also promised); you expect right ... I never got an answer ... and I called them up three times.

I think you will agree with me that nothing needs to be more up-to-date than virus-protection packages. So with my experiences I can only recommend: DO NOT BUY TNT ANTI-VIRUS, at least not from EPG Softwareservice, Germany. You can find enough other good software where you get updates so you can catch up with the virus-spreaders.

bye .............................................................
Didi

------------------------------

Date: Thu, 04 Jul 91 08:10:46 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Recalciterant infection with Frodo <4096> (PC)

AVIR@BGUVM.BITNET (Aviel Roy-Shapira) writes:
>Help please! I have a recalcitrant infection by Frodo or 4096. I am
>not sure about the source of the infection, but somehow it got into my
>system. Clean (V. 77) cleaned the disk alright, but the infection
>keeps popping up. It has become even weirder. Both Clean, Virus Scan,
>and F-Fchk (115) report that all the files on my hard disk are free
>from the virus. But, if I boot from the hard disk, and I run
>F-SYSCHK, it says the virus is lurking in memory. I don't get this
>warning if I boot from a floppy.
[rest of message deleted...]

Hello Mr. Roy-Shapira,

One POSSIBLE reason the virus might be occurring is because there is a segment of viral code stuck at the end of one of the files loaded when your hard disk boots. When a file is saved on disk, space is allocated for it in clusters. If a file does not fill up the last cluster allocated for it, DOS will fill the left-over space with garbage from memory to pad out the file so it fills up the cluster to the end. If the virus were in memory it could have been written into the "empty" space at the end of a cluster to pad the remaining space in the cluster. If this occurred, whenever the file was loaded into memory, the virus signature would appear because it was read in as well.

The virus itself would not be infectious. First off, it's most likely that only a relatively small segment of code was stored at the end of the cluster, and secondly, such viral code exists beyond the End Of File marker; it's not recognized as being part of the program and will not be executed. So what you're left with is an annoying false alarm.

The best way to deal with this is to overwrite the space at the end of cluster chains on the disk. A practical way to do this is to defragment the fixed disk with a disk optimizing program. This will usually overwrite any possible "virus garbage." Another solution may be a program called COVERUP1.ZIP in the SIMTEL20 archives. It says that it erases the "tails" of clusters, and overwrites the offending section of viral code. I have not had a chance to try this myself, so use at your own risk.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street        | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California    | BBS   (408) 988-4004 |
95054-0253 USA             | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield   | HST   (408) 988-5138 | (Morgan Schweers)

------------------------------

Date: 03 Jul 91 15:22:19 -0400
From: "David.M.Chess"
Subject: IBM Anti-Virus Product 2.1.2 (PC)

A new level of the IBM Anti-Virus Product now exists. It should be available now or shortly from IBM Marketing Reps, Branch Offices, the Electronic Software Delivery section of IBMLINK, and on Promenade (the PS/1 support BBSy-thing). I'll attach the contents of the WHATIS.NEW file. As I said a bit ago, I'm not an Official Anything, so don't send me your money! *8) As before, the U.S. terms are $35 for an original license, $10 for an upgrade (for terms outside the U.S., contact your country IBM).

DC

The IBM Anti-Virus Product, Version 2.1.2
Copyright (C) IBM Corporation 1989, 1990, 1991

The following are the highlights of the changes and enhancements made to The IBM Anti-Virus Product since the release of Version 2.00.01:

- Added signatures for approximately 42 viruses (refer to VIRSCAN.DOC, section 5.1, for more details)

- VIRSCAN now looks for the local message file "local.msg", in the same directory as "virscan.exe", and if it is found, virscan displays it upon exit (in addition to the standard messages) when one or more virus signatures are found. A maximum of 10 message lines are displayed. This facility allows sites to tell users about local procedures that should be followed when viruses are encountered.

- Added support for arbitrary-length "don't-cares". "%N" sequences (in place of a pair of bytes in a signature) mean that 0 to N arbitrary bytes can be in the corresponding position. 'N' is a single hex digit from '0' to 'F'.
- Spaces are now allowed between pairs of hex digits in VIRSCAN signatures. This can simplify the use of signatures from other sources.

- VIRSCAN now respects the "boot" keyword that can be used in the third line of virscan signatures. If a "boot" virus is found in a file, the user won't by default be warned unless the third signature line also contains the strings "EXE" or "COM" (or both). If the -G command line option is specified, then the user will be warned of boot virus signatures wherever they are found.

- VIRSCAN now won't complain if it can't read the boot sector of a network drive, unless the '-v' option is used or the boot sector scan was explicitly specified with the '-b' option.

- Added the "*" option: "*" scans all local fixed drives. "*n" scans all network drives. "*f" scans all local fixed drives.
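Two points in this digest are worth seeing in working code: the signature syntax in the WHATIS.NEW text above ("%N" standing in for a pair of hex digits and matching 0 to N arbitrary bytes; spaces allowed between pairs), and Tom Zmudzinski's remark in the "sideshow on doom2" thread that trivial bit flipping of the stored strings is enough to keep other scanners from "finding" a signature file on disk. The block below is an added illustration, not IBM's VIRSCAN code nor any other scanner's; the signature names, the mask key and the sample buffers are constructed, and the parser is a plausible reading of the syntax as the message describes it, not the product's actual implementation.

```python
"""Signature matching in the VIRSCAN style, with masked storage (added example)."""
import re

# Constructed key. As Ross Greenberg notes in the same thread, the key ships
# inside the program, so masking only prevents accidental matches by other
# scanners; it does not hide the strings from anyone who reads the code.
MASK_KEY = 0x5A


def mask(sig_text: str, key: int = MASK_KEY) -> bytes:
    """XOR the text form of a signature for storage on disk."""
    return bytes(b ^ key for b in sig_text.encode("ascii"))


def unmask(masked: bytes, key: int = MASK_KEY) -> str:
    """Recover the text form in memory (XOR with the same key is its own inverse)."""
    return bytes(b ^ key for b in masked).decode("ascii")


def tokenize(sig_text: str) -> list:
    """Split '41 42 %F 43' into ('byte', 0x41) ... ('wild', 15) tokens.
    Whitespace between pairs is ignored; '%N' occupies the place of a pair."""
    s = "".join(sig_text.split())
    tokens, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if i + 1 >= len(s):
                raise ValueError("dangling '%' in signature")
            tokens.append(("wild", int(s[i + 1], 16)))   # N is one hex digit
        else:
            pair = s[i:i + 2]
            if len(pair) != 2:
                raise ValueError("odd number of hex digits in signature")
            tokens.append(("byte", int(pair, 16)))        # ValueError if not hex
        i += 2
    return tokens


def compile_signature(sig_text: str) -> "re.Pattern":
    """Compile tokens to a bytes regex: literal bytes, and .{0,N} for '%N'."""
    parts = []
    for kind, val in tokenize(sig_text):
        if kind == "byte":
            parts.append(re.escape(bytes([val])))
        else:
            parts.append(b".{0,%d}" % val)
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, masked_sigs: dict) -> list:
    """Return the names of all signatures found in `buf`; signatures are
    unmasked only in memory, never written back in clear form."""
    hits = []
    for name, masked in masked_sigs.items():
        if compile_signature(unmask(masked)).search(buf):
            hits.append(name)
    return hits


def demo() -> dict:
    # Two constructed signatures for the same pattern, one written with spaces
    # and one without: "Hel", then 0..2 arbitrary bytes, then "o!".
    sigs = {
        "SAMPLE-A": mask("48 65 6C %2 6F 21"),
        "SAMPLE-B": mask("48656C%26F21"),
    }
    return {
        "zero_gap": scan(b"Helo!", sigs),
        "two_gap": scan(b"xxHelllo!xx", sigs),
        "three_gap": scan(b"Hellllo!", sigs),          # beyond %2, so no hit
        "raw_text_on_disk": b"48 65" in sigs["SAMPLE-A"],  # masked form hides it
    }


if __name__ == "__main__":
    print(demo())
```

The constructed `demo()` exercises the wildcard bound from both sides: zero and two interposed bytes match `%2`, three do not, and the masked signature table contains no clear-text hex for another scanner to trip over.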
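Aryeh Goretsky's reply to Aviel Roy-Shapira earlier in this digest explains how a signature can end up in the unused tail of a file's last cluster, why that is a false alarm (the bytes lie beyond end-of-file and are never loaded as part of the program) and why overwriting the cluster tails clears it. The model below is an added example, not code from the digest, from McAfee Associates or from COVERUP1; the 512-byte cluster size, the toy in-memory "disk" and the MARKER string standing in for a scanner's search string are all constructed, and nothing here touches a real file system.

```python
"""Cluster slack and the false alarm it can cause (added model, constructed data)."""

CLUSTER = 512                         # assumed cluster size
MARKER = b"CONSTRUCTED-SIG-1234"      # stand-in for a scanner's search string


def clusters_needed(size: int) -> int:
    """Whole clusters allocated to a file of `size` bytes."""
    return (size + CLUSTER - 1) // CLUSTER


def slack_bytes(size: int) -> int:
    """Bytes between end-of-file and the end of the file's last cluster."""
    return clusters_needed(size) * CLUSTER - size


def write_file(content: bytes, memory_garbage: bytes) -> bytearray:
    """Lay `content` out in whole clusters. The unused tail of the last cluster
    is padded from `memory_garbage`, modelling what the message describes:
    whatever happened to be in memory at write time lands on disk."""
    pad = slack_bytes(len(content))
    filler = (memory_garbage * (pad + 1))[:pad] if memory_garbage else bytes(pad)
    return bytearray(content) + bytearray(filler)


def scan_logical(disk: bytes, file_size: int) -> bool:
    """What a scanner sees reading the file through DOS: bytes up to EOF only."""
    return MARKER in bytes(disk[:file_size])


def scan_physical(disk: bytes) -> bool:
    """What a sector-level read of the whole cluster chain sees, slack included."""
    return MARKER in bytes(disk)


def cover_up(disk: bytearray, file_size: int) -> bytearray:
    """Overwrite the slack tail with zeros (the remedy the message recommends);
    the file's own bytes are left untouched."""
    disk[file_size:] = bytes(len(disk) - file_size)
    return disk


def demo() -> dict:
    program = b"HELLO-WORLD-PROGRAM-" * 10       # 200-byte constructed "program"
    garbage = b"..." + MARKER + b"..."           # constructed memory contents
    disk = write_file(program, garbage)
    before = (scan_logical(disk, len(program)), scan_physical(disk))
    cover_up(disk, len(program))
    after = (scan_logical(disk, len(program)), scan_physical(disk))
    return {
        "slack": slack_bytes(len(program)),
        "before": before,      # (False, True): only the slack holds the marker
        "after": after,        # (False, False): nothing left to trip over
        "file_intact": bytes(disk[:len(program)]) == program,
    }


if __name__ == "__main__":
    print(demo())
```

The two scan functions make the point of the message concrete: a read that stops at end-of-file never sees the marker, a read of the raw cluster chain does, and zeroing the tail removes the alarm without changing a byte of the file itself.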