From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V7 #40
Date: Tue, 21 Jun 1994 10:22:40 EDT

VIRUS-L Digest   Tuesday, 21 Jun 1994    Volume 7 : Issue 40

Today's Topics:

Hobbes McAfee File Infected??? (PC)
Stealth and Self-encryption
Nomenclature
Good viruses/Bad viruses
Integrity Checking
Re: The truth about good viruses
ARJ-, ZIP-viruses ?
Bad and good viruses...
OS/2 Viruses? Are there any of those? (OS/2)
WinRX (PC)
FLIP and CANSU (V-SIGN) viruses (PC)
Re: FORM and SPANISH Telecom? (PC)
MtE Virus info wanted (PC)
** Data recovery after Michelangelo virus infection ** (PC)
dir/reg (PC)
UNIX antivirus & Monkey disinfector (PC)
Re: PowerPC Virus?? (PC) (Mac)
Re: DIR-Virus? (PC)
Computer viruses for Sale (PC)
Thunderbyte Antivirus (PC)
Re: ** Data recovery after Michelangelo virus infection ** (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Re: Help: W-boot or Swiss Variant Virus (PC)
Thanks To ALL of you + solution (PC)
Help! Checksums keep changing .......... (PC)
Re: xFwd: CD-ROM Virus-Alert (PC)
Monkey Virus (PC)
Aragon Virus (PC)
f-prot strange behavior (PC)
More information about Evolution 2001 Virus (PC)
WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
HELP: How add code into .EXE ? (PC)
files updated on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 31 May 94 00:47:48 -0400
From: ldhagen@crl.com (Lance D. Hagen)
Subject: Hobbes McAfee File Infected??? (PC)

[Moderator's note: Since this message was posted several days ago, I
presume that the problem - if there was indeed a problem - has been
fixed. I'd appreciate it, however, if someone could follow up with a
verification.]

I just downloaded McAfee OS/2 Ver 1.14 from the HOBBES Internet FTP site (hobbes.cdrom.com) and upon unzipping the file got virus-like problems and a "SCUM OF EUROPE" message and warning. The file is located in /pub/hobbes, which ports you to "/.1/os2" as current directory, then under 2_x/diskutil:

    ocln114.zip    291584    McAfee Virus Clean for OS/2 version 1.14

Upon PKUNZIPing, my system locked and needed rebooting. Next my default path failed and no longer held PKUNZIP. Then with the successful unzipping I got a wrapper message from "Scum of Europe" and lots of cold pricklies.
I've deleted all associated files and see no sign of Virus using McAfee OS/2 ver 1.09 found locally. Any ideas, help?

   /<<<<<<<<<<<>>>>>>>>>>>\
  /     Lance D. Hagen      \
 / 73500.2276@compuserve.com \
|       ldhagen@crl.com       |
 \       San Antonio         /
  \     (210) 366-3382      /
   \>>>>>>>>>><<<<<<<<<<</

------------------------------

Subject: Nomenclature

How about this for a way to differentiate different types of viruses:

    Malicious viruses
    Benevolent viruses

OR - if you prefer the medical analogy:

    Benign viruses
    Malignant viruses

I think this is less misleading than the term "Real viruses", and it clearly indicates both the meaning (which Real does not) as well as educating the reader (there may be either kind) and retaining a short and readable text. The problem with the term Real is that it is misleading in the sense that it somehow implies that benign viruses are imaginary, which they are not.

As to the person who posted that this stuff isn't interesting compared to which new strain of Jerusalem McAfee's virus defense gives a false positive for in scanning version 3.4.5 of the newest package by Xray Inc, I disagree.

As to the difficulty of teaching people about two kinds of viruses, try this little bit of text:

    Computer viruses are computer programs that reproduce. Some of these
    viruses are intended to harm people by damaging their information
    systems, and we call them malignant. Other viruses are intended to
    demonstrate a concept, to explore issues in artificial life, or even
    to do useful functions. We call them benign.

This doesn't seem much harder to understand than this version which is wrong:

    Real viruses are malicious little programs that, unbeknownst to the
    user, enter their computer system, modify their programs, and destroy
    their information.

The point is, we can present the right information in a readable way if we just try to.

Now I do understand that the term hacker has been misinterpreted by most of the computing community.
Some people call the malicious hackers crackers, which I think is a better term, and which I use to differentiate benevolent hackers from malicious hackers. I too have been a hacker (as opposed to a cracker) and hope to change the usage of those terms just as I hope to get people to use the correct usage of virus. And the best way to do this is to get the members of this group to start using the terms correctly, because this group is influential, and you have to start somewhere.

As to the existence of good biological viruses, of course there are. Haven't you heard of genetic therapy yet? And if life itself is good, then every living creature has at its heart a benevolent virus. But those who think there are no benevolent biological viruses probably read a biology book somewhere that told them that all viruses were bad. My biology book told me that they were small genetic life forms, and that in a world of competition for survival, living creatures survive by killing their neighbors, whether directly (as in people who kill things and eat them) or indirectly (as in most plants, which merely refuse to allow competitors to thrive by depriving them of light, minerals, etc.).

As to where my books can be found, try any major book chain, or order direct from John Wiley and Sons in New York.

FC

------------------------------

Date: Thu, 26 May 94 13:16:43 -0400
From: Adam Jenkins
Subject: Good viruses/Bad viruses

Vesselin Bontchev writes:

>Agreed. What I (and several others; the original term has been
>proposed by Dr. Alan Solomon) call "real viruses" is not an
>exact definition, it is not a scientific term at all, and can't
>be found in any serious scientific paper about computer viruses.
>In short, it's useless from the scientific point of view.

Who cares what you call "real viruses"? Since when were you an authority on the English language? A real virus as defined by a dictionary is an organism that is able to reproduce.
>Fact is that for most people the term "computer viruses" means
>those nasty little programs that invade their computers without
>authorisation, that often destroy data, and that always waste a
>lot of time and efforts.

Hmmmm, these views aren't necessarily an accident; it is in both the media's and the anti-virus industry's interests to promote these views. And viruses like KOH do not waste time or effort; like any other software, viruses can be useful and save time and effort. They are a medium, not a philosophy.

>You can't hope to change those people's view, so let's try to at

Why not? It's a misconception, let's correct it; it is unethical to let anti-virus vendors sell millions of copies of their software on the basis of people's ill-founded fears.

>New York Times article entitled "Bank Loses $10 Million Due to
>Computer Viruses. Are We All Doomed?". :-)

Perhaps it should read "Bank Loses $10 Million Due to Negligence in their Computer Security". Oh no, far easier to blame viruses; everyone knows that us mortals are helpless to stop these evil pieces of work by the twisted youth who strive tirelessly to destroy the threads of our society.

>fact that the media has twisted the noble word "hacker" to mean
>"a twit with no life who enjoys breaking into other people's
>computers".

Hmmm, I've seen this argument before. The way I see it, the confusion arises because in the early days of computing, hacking meant using things that weren't known, and this often meant breaking into systems etc. In those days it seems people had better perspective, and realised that hacking to get more computer time or for the challenge was more a misdemeanour than a federal offence. I still don't understand why a 14 year old breaking into a bulletin board system is investigated by the same law enforcement agencies that investigate drug cartels and matters of national security. The blame should be as much on the administrators, not the hackers.

>Well, maybe that's the ticket! Since the term "computer virus" is
>already loaded with negative sense in the view of the public opinion,
>maybe you should use a different term when you are talking about
>"useful replicating programs".

You keep saying this. But to do this would continue the deceit, and why should the general public be kept in the dark just because they are already in the dark?

>You will discover that most of them understand a computer virus
>as "something that came when I didn't want it".

Or "something that came when I was leeching several megs of software that I didn't pay for". There seems a much higher incidence of viruses transmitted in pirated software than in original copies; who are we protecting here?

>Dr. Cohen, I am sorry to disappoint you, but relatively very few
>people have read the paper you are talking about. It's too
>technical for most. Most people prefer their morning newspaper
>as a source of information.

He mentioned it as a reference, and I would think it a much more valid reference than a morning newspaper. I shudder to think at what people would think if they believed everything that was found in the newspapers.

>Nope, the group we are talking about is not a profit
>organization, so money doesn't play that much importance in it.
>In fact, several of the members of this group work for bitterly
>competing companies and often those companies don't like much
>some of the sharing of information that goes into this group.

Perhaps not money, but it is in the group's common interest that all viruses be regarded as dangerous and unwanted. I think this is why people like yourself keep sniping at the virus researchers that are looking at things with a more realistic perspective and are not as closely affiliated with groups that profit from public fear.
Regards,
Adam

- --
No fate but what we make                  | Adam Jenkins | Phone: +61-3-252-6000
Finger jenky@192.35.153.200 for PGP key   | Email: adamj@mel.dbce.csiro.au

------------------------------

Date: Fri, 27 May 94 04:07:43 -0400
From: sikkid@axpvms.cc.utexas.edu
Subject: Integrity Checking

I saw a post a few days ago about the best and worst antivirus programs... I noticed that Vesselin stated that TBAV's integrity checker was "mediocre." I was just wondering why he said that, and what makes for a good CRC checker... I know a lot about viruses, but my knowledge of CRC calculation techniques is pretty limited...

Regards,
sikkid

------------------------------

Date: Sat, 28 May 94 15:34:37 -0400
From: 39534@chopin.udel.edu (Scott Ste Beardsley)
Subject: Re: The truth about good viruses

Robert Knippen wrote:

>I understand that the parties involved have a much deeper understanding
>of the myriad of philosophical issues surrounding the writing of virus
>code. I just wonder if they have lost sight of the level at which
>simple facts clearly do exist.
>
>If my machine has instructions stored that I have not authorized in
>some way, especially if someone practiced some form of deception in
>order to bring about this state of affairs, I would say this is
>unquestionably a bad thing, whether the writer of those instructions
>intended them to do harm, or intended them to facilitate my use of my
>machine, (or even intended them to be stored on my machine at all).
>

This is a bad judgement if you need to decide between good and bad instructions on your system. By this token MS-Windows is a horridly evil virus, and much of what people use today are "unquestionably a bad thing." Most of the users out there have no idea of what code does, they can't know what things do in their instruction set, they don't know how to give authority, they just put a disk in and type "install". In this way the majority of commercial software is evil...
BUT, I think better judgment would be to throw out the idea of good/bad and go with helpful or hurtful, and leave behind the connotations of good and bad; after all, can a 1 or 0 be bad or good? Someone already mentioned the KOH virus, that encrypts and protects your HD. It is a virus, but its replication and its infection, even though it is a controlled infection, you could say it is like a vaccine, though it doesn't protect against itself as a vaccine would, but it is a controlled infection designed to be helpful. The vaccine contains code that could be dangerous (RNA) but it is designed to be helpful and it is crippled so as not to replicate as much. Much like a "helpful" virus would be crippled not to overthrow your system. Just like RNA code, whether it's in a vaccine or in the HIV virus, can't really be called evil or bad, I don't think you can call 1's and 0's bad or even good.

>It seems like a privacy issue to me, and I never seem to see this
>aspect in the discussion.
>

This is an inaccurate view I think; privacy has different connotations than this discussion contains. I think the way that I look at it is that "virus" is not good or evil or any connotation like that; those are judgment calls of the particular user/victim/whatever. It's just another string of code that can either do things good or bad. If you don't want your system executing that code, then you may see it as bad, but if you want your system to execute it (KOH) then it might be good to you. But if you're going to judge your basis of whether a virus is good or bad on whether or not you know what instructions are being executed, then unless you are an assembly wiz, you've just made all software pretty much "evil".

------------------------------

Date: Mon, 30 May 94 01:55:11 +0400
From: Kazatski Oleg Nikolaevitch
Subject: ARJ-, ZIP-viruses ?

Hi, all !

Otto Stolz wrote:

> On the other hand, it is essential for a scanner to scan inside
> compressed, self-extracting programs (such as PKLITE, LZEXE, and ...)
Are there scanners which scan for viruses in compressed, self-extracting programs and .ARJ (.ZIP) files? What are their names? Are there viruses which really infect .ARJ and .ZIP files?

All the best !

+-------------------+--------------------------+-----------------+
| Leading           | Russia, Oleg Kazatski    | Game walks into |
| relcom.comp.virus | kazatski@kartaly.chel.su | one's bag       |
+-------------------+--------------------------+-----------------+

------------------------------

Date: Mon, 30 May 94 01:56:06 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Bad and good viruses...

Hi !

12 May bradleym@netcom.com (Bradley) wrote:

> How about KOH? Also the Potassium Hydroxide virus. It will encrypt your
> HD for you using the IDEA algorithm.

Tell me please about the Potassium Hydroxide virus.

> A virus by nature is what? Its intention is to produce copies
> of itself and attach these copies to your programs (without you
> knowing) and either display a message, play a tune, fill up your
> disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

I agree. There are no good and harmless viruses. Also boot viruses modify my boot sector without my wishes.

> Any program that functions to work without the owner's approval is
> harmful.

YES, and once more YES !

All the best !

+-------------------+--------------------------+-----------------+
| Leading           | Russia, Oleg Kazatski    | Game walks into |
| relcom.comp.virus | kazatski@kartaly.chel.su | one's bag       |
+-------------------+--------------------------+-----------------+

------------------------------

Date: Fri, 27 May 94 12:03:12 -0400
From: "."
Subject: OS/2 Viruses? Are there any of those? (OS/2)

Hi,

I'd like to know if there are any OS/2 viruses? As far as I know, DOS viruses use TSRs in order to stay in memory and infect other programs. OS/2 doesn't have TSRs, so any "out-of-the-ordinary" apps can be detected by the task list. I know that it is possible to write trojan horses for OS/2, but is it possible to write viruses?
Thanks,
Rann Glaser - amir77@taunivm.tau.ac.il

------------------------------

Date: Wed, 25 May 94 12:30:07 -0400
From: S1083509@cedarville.edu (Joe Brown)
Subject: WinRX (PC)

Does anyone have any information on how good WinRX, I believe the name is, is at detecting and cleaning viruses?

- --Joe Brown
- --Anglo-Saxon American And Proud Of It
- --Tiny Toons Are Awesome
- --
- --Cedarville College
- --Cedarville, Ohio
- --s1083509@cedarville.edu

------------------------------

Date: Thu, 26 May 94 05:15:09 -0400
From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
Subject: FLIP and CANSU (V-SIGN) viruses (PC)

Hi All,

After having a recent _nightmare_ with my PC (work deadlines and a virus attack) I found *TWO* of the critters on my machine. These were the FLIP virus and CANSU (or V-SIGN). When one of them acted, it savaged my partition table and FAT, meaning I couldn't access any files. If it wasn't for Norton Utilities and McAfee I'd be up the Khybosh without a paddle. NU completely rebuilt my FATs and partition table, and saved the day. I thought it was a general hardware failure of the hard drive, not a virus. My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't work out which of these viruses actually did the damage. I've got a feeling it was FLIP, as CANSU seems a pretty harmless beast (wiping system files is harmless compared to major h/d failure ;-) ).

Anyway, I'd appreciate any suggestions as to which one caused me so much hassle, and also any other stories of run-ins with either of these babies.

Cheers in advance,

Chris.

==========================.===========================================.
| Chris Sexton            |                 * * * *                   |
| ICL Institute of I.T.   |                 *  ^___^                  |
| Nottingham University   |_______________mm_(_o o_)_mm_______________|
| University Park         |___l___l___l___l___l___l___l___l___l___l___|
| Nottingham, NG7 2RG.    |_l___l___l___l___l___l___l___l___l___l___l_|
- --------------------------.-------------------------------------------.
| csx@cs.nott.ac.uk       | "I'd rather have a full bottle in front   |
| itxcs@psyc.nott.ac.uk   |  of me than a full frontal lobotomy."     |
==========================.===========================================.

------------------------------

Date: Thu, 26 May 94 05:29:29 -0400
From: gerace@ucsu.Colorado.EDU (Jerry Gerace)
Subject: Re: FORM and SPANISH Telecom? (PC)

Alan Coombe wrote:

>We run diskless PC's on a Novell server. We have a Ram drive.
>
>Does anyone know if these viruses have stealth capabilities, whereby they can
>survive a RESET (Either RESET button or CTRL+ALT+DEL)

I just got done disinfecting several PC's that had the Form virus on them. Happy to say, it's a pretty tame virus. No stealth at all, isn't harmful, just sits there duplicating itself. I did a warm boot and it just couldn't make it. Easily disinfected with F-prot, although apparently (before I arrived on the scene), Norton Anti-Virus screwed up a few floppies while attempting to disinfect (it somehow screwed up the MBR instead of just using the stored copy the virus makes), but the disks were fairly easily recovered.

------------------------------

Date: Thu, 26 May 94 09:00:32 -0400
From: "Jeff E. Lewis"
Subject: MtE Virus info wanted (PC)

I would appreciate information on "MtE" which I "found" on my machine with Norton Antivirus 2.1. This was NOT indicated by

    cpav (1991?)
    microsoft anti-virus (1993)
    mcafee scan 106
    mcafee scan 108

but there was no doubt that something was present since scandisk recovered 90 mb of hard disk space 11 days after I started using the indicated infected program.

Thanks,
Jeff E. Lewis

------------------------------

Date: Thu, 26 May 94 16:10:16 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: ** Data recovery after Michelangelo virus infection ** (PC)

> For a hard disk infected with the M. virus, does anyone
> have info on
>
> * Whether there is a shareware/commercial_software
>   that will recover most/all the data present on the
>   damaged hard-disk.
If the virus has triggered, the first 17 sectors on the first 4 heads on the first 256 cylinders will have been overwritten with garbage and are gone for good. This may not be the whole of the disk. Something may be recoverable, especially if a large disk has been partitioned into several volumes. However, the recovery will require skill; there is no magic program that you can run that will give it to you on a plate. Better to restore a backup or seek professional help.

If the virus has not triggered, but merely infected the hard disk, then the data will not have been damaged (yet). Most anti-virus software can clean a disk of Michelangelo.

- --
Iolo Davidson (no club, lone wolf)

------------------------------

Date: 26 May 94 16:08:47 -0500
From: sullivan@cobra.uni.edu
Subject: dir/reg (PC)

Hi,

Just a word to the wise... We received a demo diskette from Network Computing Inc. for a program called LAN Page. It was version 1.0.5. When it arrived, it was taken out of the package, write protected, and inserted in a workstation protected by VIRSTOP 2.12. The intercept immediately reported a FORM infection in the boot sector. F-Prot 2.12 was able to remove the virus and everything seems to be fine. We called the company's tech support line and reported it. They said that it isn't the current shipping version, but they will check out the duplicator stations to be safe.

Thought you'd like to know.

Diane

============================
sullivan@uni.edu
Diane Sullivan
ISCS NTS
University of Northern Iowa
Cedar Falls, Iowa 50614-0121
(319) 273-6814

------------------------------

Date: Thu, 26 May 94 17:56:35 -0400
From: jaf@jaflrn.Morse.Net (Jon Freivald)
Subject: UNIX antivirus & Monkey disinfector (PC)

> Date: Fri, 13 May 94 17:15:20 -0400
> From: Richard Foley
> Subject: UNIX anti-virus scanners (UNIX)
>
> any suggestions/recommendations for anti-virus products for use
> under UNIX?

Tripwire by Gene Kim/Gene Spafford of Purdue is a very good integrity management system. It's available in source form and runs on most flavors of *nix (I'm running it on Linux).

> Date: Wed, 18 May 94 09:39:06 -0400
> From: "David M. Chess"
> Subject: re: Monkey Virus (PC)
>
> >From: Jeff K Landauer
> >
> >Well, Scan shows that I have this, but I can't get rid of it. It
> >reports that I need to boot from a floppy in order to clean the system,
> >but when I do that, I can't access my hard drive.
>
> When you boot a Monkey-infected system from a clean diskette,
> DOS can't see the hard drive, but an anti-virus program should be
> able to. I don't know about scan/clean in particular, but just
> try it as though the C: drive were visible, and it ought to
> work. With the standalone program of IBMAV, for instance,
> you would do "IBMAVSP *" or whatever, as usual. DC

Also, Tim Martin's killmonk will safely clean it even when it's active in memory. I know this isn't recommended practice, but I sent a user killmonk and he used it that way before calling me for instructions - worked just fine. (Available most places as killmnk3.zip)

Jon

- --
Jon Freivald ( jaf@jaflrn.Morse.Net )
PGP V2 - 22A829/40 DA 9E 8E C0 A1 59 B2 46 3B 73 81 2B 7B 83 1F
Nothing is impossible for the man who doesn't have to do it.

------------------------------

Date: Thu, 26 May 94 18:16:39 -0400
From: bgrubb@freedom.NMSU.Edu (Bruce Grubb)
Subject: Re: PowerPC Virus?? (PC) (Mac)

Andrew Brown (asbrown@raptor.swarthmore.edu) wrote:
: In article ,
: bobk@uhunix.uhcc.hawaii.edu (Bob Koehler) wrote:
: > Aloha,
: > We just got our PowerMacs and are awaiting SoftWindows. But we have a
: > question.
: > If we begin downloading PC things and pick up a PC virus, will it also
: > infect the Mac part of the disk? Or will it just infect the PC stuff?
: > Are there any virus detection programs that will check and fix both sides
: > of the PowerMac?
: > Any information will be appreciated.
: > Mahalo,
: > bobk
: > bobk@uhunix.uhcc.hawaii.edu
: Wow. Don't give them any ideas. Pretty soon we'll have fat,
: cross-platform viruses floating around. What a nightmare.

I don't think that is what Bob Koehler is asking. He is asking if there are ALREADY EXISTING PC viruses that can create problems. Well, we know that there are about six of the PC viruses that can get through SoftWindows and destroy the Desktop files or erase the drive on the Mac section. The good news is that there are only about six of the hundreds of PC viruses that can do this. The problem is that I forget which six there are, and that unlike the Mac there is NO Gatekeeper or Disinfectant-like program on the PC side {i.e. no free or semi-free 'detect _ALL_ known viruses' programs.} I have crossposted this to comp.virus as they are far more knowledgeable on this than comp.sys.powerpc is.

------------------------------

Date: Thu, 26 May 94 21:50:16 -0400
From: gandalf@pipeline.com (Tom Neumann)
Subject: Re: DIR-Virus? (PC)

hoens@gmd.de (guenter hoens) wrote:
>
>Some days ago i gave a floppy to a friend, but when he
>tried to read it, there was nothing.
>I got the floppy back, and i could read this floppy
>very well. We had a next try, but the same happened.
>The Dir-Command on his computer reported, that there
>were no files.

It's very likely that one of your floppy drives has heads badly out of alignment; that's why files made on that machine can be read, but not files made on other machines. I had a similar problem with a Vicon 386 at work; it could only read files made on it, though it seemed to read anyone's double-density formatted disks. I ran a diagnostic program on it and the alignment was way off.

GANDALF

------------------------------

Date: Thu, 26 May 94 23:09:12 -0400
From: dhull@nunic.nu.edu (Dr. David B Hull)
Subject: Computer viruses for Sale (PC)

First question - is this newsgroup really dead!!

[Moderator's note: no, it's been revived. There were problems with the
mail to news gateway, followed by the moderator going on a couple of
long business trips.]
At any rate, I just received a nice little CD-ROM from American Eagle Publications. It is really a knockout, with 527 major virus source codes and plenty of other interesting things. I happen to need it for my research into the morphology of computer viruses. But if my serial number of 001126 is true - oh boy! I in one sense congratulate Mark (see sig), but it really does tread on dangerous ground. Ah well - I live in a mainframe environment practicing "security by obscurity" - so I don't tell nobody nothin'.

OK, if this newsgroup is alive - what happens next! The man has just yelled fire in a crowded theater!

- --
<  David B. Hull          Always interested in computer viruses.          >
<                                                                         >
<                                                                         >
<  " And God saw that it was good. And God blessed them, saying:          >
<    Be fruitful and multiply"        Mark A. Ludwig (quoting God !)      >
<                                                                         >
<  " Fornication is the contemplation of the body" - Kibo reincarnation ? >
<                                                                         >
<  " When the mind goes to rest, the bonds of the body are destroyed,     >
<    And when the one flavour of the Innate pours forth,                  >
<    There is neither outcaste nor Brahmin.                               >
<                                                                         >
<    Here is the sacred Yamuna and here the River Ganges,                 >
<    Here are Prayaga and Benares, here are Sun and Moon,                 >
<    Here I have visited in my wanderings shrines and such places         >
<    of pilgrimage,                                                       >
<    For I have not seen another shrine blissful like my own body. "      >
<                                 Saraha - tantric siddha and poet        >

------------------------------

Date: Thu, 26 May 94 23:19:59 -0400
From: iiggii@mixcom.mixcom.com (KMJ Enterprises)
Subject: Thunderbyte Antivirus (PC)

Has anyone heard of/used Thunderbyte Antivirus? How does it compare (reliability, speed, etc) to some of the others - McAfee, SP, Norton, etc?

advTHANXance

...Hank
hobbes@mixcom.mixcom.com

- --

------------------------------

Date: Fri, 27 May 94 03:49:21 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: ** Data recovery after Michelangelo virus infection ** (PC)

schoudhu@ucunix.san.uc.EDU (Spandan Choudury) writes:

>For a hard disk infected with the M. virus, does anyone
>have info on
> * Whether there is a shareware/commercial_software
>   that will recover most/all the data present on the
>   damaged hard-disk.

Maybe this should go into the FAQ....

- ------------------------------------------------------------------------------

Frisk Software International - Technical note #3

Recovery from Michelangelo

When the Michelangelo virus activates, it overwrites the first 9 sectors on heads 0-3 on every track of the hard disk. Recovery from this may or may not be possible, depending on two factors.

Time: If the virus was allowed to run without interruption when it activated, it will have overwritten data on every track, making recovery much more complicated than if the user hit reset or the power-off within seconds of the activation of the virus.

Size of the disk: As the virus only overwrites 9 sectors, disks with a large number of sectors on every track - 32 sectors maybe - will have a large part of their data intact. Also, a disk might have (or rather, appear to have, from the BIOS' point of view) a large number of heads... maybe 64, and as described before, the virus will only destroy data on the first 4 heads.

The fastest method to recover would probably be to re-partition the disk, re-format and restore yesterday's backup. However, as the users who make backups every day may not be the ones who are most likely to be hit by the virus, we will assume that no backups exist. We will also assume that the person trying to restore the data is thoroughly familiar with partition layouts, disk editors and other similar tools. In my personal opinion, the best tool for doing this by hand is NU, version 4.5, rather than versions 5 and later. If not - don't try this.... send the disk to some professional data recovery service. Finally, we will assume this is a "normal" disk - not a "fancy" one like a HPFS/Stacker/Doublespace volume.
The virus will always have trashed the MBR - head 0, track 0, sector 1, which needs to be rebuilt - usually by hand, but if one restores the rest first, a program like NDD should be able to reconstruct it.

The first step is to "map" the disk, and determine the extent of the damage. As DOS keeps two copies of the FAT, there is a chance that the second one is intact, but the virus usually trashes the first one. Locate the second one (if you don't know what an intact FAT looks like, you probably should not be doing this anyhow), and if it is OK, just copy it over the first one.

Examine the root directory - if it is OK, fine... if not, then you need to re-build it by locating other directories on the disk, noting their starting cluster and re-creating the root directory.

You need to re-construct the DOS boot sector too. The best way (assuming you don't have a backup of it) is to copy it from a different machine with identical partitioning, but it can also be re-built manually, or in some cases reconstructed by NDD.... however, then you would have to reconstruct the MBR first...

In other words: Recovering from Michelangelo is not easy, but an attack does not have to be a complete disaster.

- -frisk

------------------------------

Date: Fri, 27 May 94 03:51:19 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

heilfort@ap01.physik.uni-greifswald.de (Matthias Heilfort) writes:

>I have uploaded to the SimTel Software Repository (available by anonymous
>ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):
>
>SimTel/msdos/virus/
>vbait12.zip    Simple virus bait, detects COM infecting virus

"Detects COM infecting viruses"... hmm... Is it able to detect infection by stealth viruses? If not, I would say a redesign was required.
- -frisk

------------------------------

Date: Fri, 27 May 94 04:05:45 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Help: W-boot or Swiss Variant Virus (PC)

DARREN.JABBA@law.mail.cornell.edu (DARREN) writes:

>F-Prot 2.12 identifies it as "W-boot - unknown" and apparently
>cannot get rid of it. The docs also say it cannot be
>disinfected.

>SCAN/CLEAN 1.14 identifies it as "Swiss Variant" and also can't
>get rid of it (safely -- I guess that under other circumstances
>it could).

My guess is that this is a slightly modified W-boot variant - the "unknown" part simply means that the checksum doesn't match, but it appears to be more-or-less like the original.

>1. Are they actually the same virus?

No...W-boot and Swiss Boot are totally different viruses.

>2. What does it/they do?

Well, if this is a new variant, it might do something other than the original, right? Anyhow...it probably is not seriously destructive.

>3. Will using SYS or FDISK/MBR get rid of it safely?

Probably, yes...see below for info on generic removal....however, it might be a good idea to make a copy of the boot sector (or better yet, a TeleDisk image of an infected diskette) and send that to the various anti-virus companies, so the products can be updated.

>or 4. Will we just have to kill/reformat everything?

You absolutely never have to do that when dealing with a boot sector infection.

- ---------------------
Frisk Software International - Technical note #8

Generic boot sector disinfection

Although F-PROT is usually up-to-date with respect to virus detection and disinfection, there are occasional cases of a virus infecting a machine before we have implemented disinfection of that particular virus. The instructions below describe a "generic" method for the removal of boot sector viruses.

If the virus infects the Master (Partition) boot sector:

Create a bootable system diskette on a different (clean) machine, that is running DOS 5 or 6, with the FORMAT /S or "SYS" commands.
You cannot use DOS 4 or older for this purpose. Copy the file FDISK.EXE to that diskette and write-protect it.

Boot the infected machine with this diskette - do not rely on just pressing Ctrl-Alt-Del...press the Reset button or turn the machine off and then back on.

Check if you are able to access all partitions on the hard disk normally. If they are not recognized, it might be because the virus encrypts the partition data or overwrites it....in this case the generic disinfection method described below is not possible. One method which will often work is to wipe out the MBR with a disk editor, and then run NDD and tell it to recover the lost partitions. My favourite tool for this purpose is NDD version 4.5. However, you should make a backup copy of the (infected) MBR first - if you don't know how to do that, you probably should not be fiddling with the MBR anyhow.

If everything seems to be OK, give the command FDISK /MBR. This will overwrite the code part of the MBR - in effect "killing" the virus. (Note: if you are using Novell DOS 7.0, you need to select this option from the menu, not give a command-line switch.)

Reboot the machine normally from the hard disk.

If the virus infects the DOS boot sector:

Create a bootable system diskette on a different (clean) machine, that is running exactly the same version of DOS as the infected machine. COPY the SYS.COM file from the DOS directory to the diskette and write-protect it.

Boot from the diskette and give the command SYS C:

In addition to copying the system files over (which is not necessary to remove the virus), this will overwrite the DOS boot sector with "clean" code, killing the virus.

------------------------------

Date: Fri, 27 May 94 05:34:08 -0400
From: we34329@vub.ac.be (DE KERPEL SVEN)
Subject: Thanks To ALL of you + solution (PC)

First of all I want to thank everyone who gave me info on my virus problem.
Special thanks go to Larry Pendergraft, who found a solution a few moments after I found it myself using information he gave me.

The Flip virus aka Omicron reduced my diskspace to 33MB by deleting the info which records the long partitions. (I know some other viri do this too.)

Solution:

The virus wrote a FFFA to offset 13h of the boot record; this is only used if hard disks with <32MB are used. If long partitions are used this value should be 0 and the value at offset 20h should give the amount of sectors used.

Thanks again,
Sven De Kerpel

------------------------------

Date: Fri, 27 May 94 08:03:20 -0400
From: vcurtis@relay.nswc.navy.mil (vcurtis)
Subject: Help! Checksums keep changing .......... (PC)

I ran the Microsoft Anti-Virus program in DOS 6.2 with the following options selected: Verify Integrity, Prompt While Detect, Anti-Stealth, and Check All Files. The checksum had been changed on nearly every .exe, .com, & .dll file on my system. The scan showed no virus however.

One other strange problem occurred. About 75% through the virus scan, the program quit with this message: "MWAV caused a General Protection Fault in Module MWAVSCAN.DLL at 0001:0C77." It threw me out of the program and back to program manager. I tried to execute the Anti-Virus program again, and all it would do is give me the following message "Unable to lock conventional memory." It would not even try to run.

I rebooted and tried again. Got same results as first time, changed checksums, and GPF message, followed by conventional memory message on retry. I ran McAfee and F-Prot (April '94) on the system and they showed nothing. I deleted MWAVSCAN.DLL and reinstalled it, reran with the same scenario, same results. I eventually copied MWAVSCAN.DLL from another source and put it on my system. When I reran Virus-Scan I had the same checksum change problem, but the GPF error occurred on a different MWAV???.DLL file.
If I turn off Anti-Stealth checking, I still get checksum changes, but no GPF message and the program completes its scan.

I don't know if this is symptomatic of some virus or what. I am very uncomfortable with this constantly changing checksum situation. Can anyone offer any suggestions?

email: vcurtis@relay.nswc.navy.mil

Thank you.

------------------------------

Date: Fri, 27 May 94 12:37:25 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: xFwd: CD-ROM Virus-Alert (PC)

This is sort of a follow-up to my own earlier posting, but ah...well..

jilka@GBAWS4.zamg.ac.at writes:

>CD-Rom manufacturer Chinon America, Inc. says computer vandals have illegally
>put its name on a virus-ridden file and released it on the INTERNET.

there is one fundamental misunderstanding...this is a Trojan, not a virus.

> The program also immediately crashes the CPU, forces the user to reboot
>and stays in memory. The virus has proven thus far to be _undetectable_ by
>traditional virus checkers."

The last part is nonsense....many scanners have detected it for many years - the Trojan was originally released in '90.

Anyhow...here is the original documentation of the Trojan:

_______________________________________________________________________________
          *****          *****  WARPCOM II Trojan Horse  *****
          *****          *****  Programmed by Flash Force!  *
          *****          *****  RABID N'tnl Development Corp  ***
          ***   ***      ***    Copyright (c) 1990 RABID!  ***
_______________________________________________________________________________

This is the second version of the WARPCOM trojan. The original, I hear, has been the demise of many deserving hard drives. Frankly, that surprised me since the first one has so many shortcomings. This version is much improved.

Okay, here's the scenario. Your victim runs WARPCOM II and nothing happens but disk access. So he just deletes what he thinks is a screwed up program. Later he turns off the computer and goes to sleep, or whatever.
Next morning, he turns it on, and it appears to hang. "Funny," he thinks. He tries again and it says "Non-system disk error"...At this point everything on his hard drive is in data heaven. Goodbye, loser.

Now for a more detailed description of what happens:

1) WARPCOM II finds the COMMAND.COM used to boot up the computer.
2) Deletes it, even if it is read-only.
3) Creates another that is the same size with the same creation/modification dates and same attributes.

The COMMAND.COM that is created appears to be the same old copy that is always used to boot up the computer, but in reality it has instructions to format the drive and nothing else. Since the damage occurs at boot time, and the trojan is run before that, most stupid people will not be able to make the connection between the trojan and their hard drive getting annihilated.

Also, WARPCOM II makes no screen writes so it can be easily concealed in a batchfile or something similar (Sierra game loader?) Use your imagination on this part.

The one problem with WARPCOM II is that Flushot will detect it. If your victim is running Flushot, I wouldn't bother them with this. The only known program that can get around Flushot is the Twelve Tricks Trojan.

This program and textfile are provided for educational purposes only, of course. I wouldn't want anyone using this for any malicious purpose or anything. (not!)

Flash Force
RABID

------------------------------

Date: Sat, 28 May 94 00:22:15 -0400
From: Steve Hathaway
Subject: Monkey Virus (PC)

A strain of Monkey Virus has been reported in Heppner, Oregon. This virus infects the boot block of disk drives and the disk partition table of hard disks. The FORMAT command cannot create a good format of any floppy disk in the presence of the Monkey Virus.
The only way to eradicate the Monkey Virus is to boot a virus-free DOS and recreate a new partition table and FAT tables on your hard disk (preferably after low-level format), then restore a bootable operating system and then your last good backup.

If you are lucky enough to have your computer on a network with a file server, you may copy all of your application files to the server, and restore them from the server after you have a newly formatted and bootable hard disk. The Monkey Virus appears not to infect the structure of remote network disks.

Some of the stealth features of the Monkey Virus allow the hard disk to boot and use a reserved - relocated copy of the system partition table. You can copy files to diskettes, but that action becomes the propagation activity. If you boot a virgin DOS from diskettes and look for the hard disk, the absence of a recognizable partition table causes the hard disk not to be recognized. The PCTOOLS DiskFix program can usually examine the appropriate contents of saved system configuration to rebuild a new partition on the hard drive, allowing recovery formatting to continue.

=================================================================
Steve Hathaway // Oregon State Police // Emergency Management Systems Analyst

------------------------------

Date: Mon, 30 May 94 08:48:58 -0400
From: litta@esl3.NoSubdomain.NoDomain (Littlewood A)
Subject: Aragon Virus (PC)

After downloading McAfee's latest version of scan113 and running it on my system (486DX 33 4M ram 170 HD), there was no virus found etc msg. Next I tested high memory with the flag /chkhi, after which scan returned that it had in fact found the "Aragon" virus and informed me to reboot from a clean disk and rerun scan (also from a new clean disk). Following these instructions and rerunning scan to check high memory still returned the same msg. As I was running dblspace at the time and had heard that this could sometimes be mistaken for a virus, I decided to remove it.
Again no change in the error msg. Next I disabled the HD in the CMOS setting and tried again. Still no luck. Finally created a new boot block from disk which checks integrity; yet again no change.

If anyone can offer some help it would be most appreciated. The "Aragon" virus copies the boot block before writing itself onto it. Thus any checking made to it will be routed to the copy of the original boot block. Could it be possible that some hardware could look like the virus?

- --
_____ Aidan Littlewood
Replies to :- litta@essex.ac.uk

------------------------------

Date: Mon, 30 May 94 09:23:14 -0400
From: am3a035@math.uni-hamburg.de (Radoslav Smiljanic)
Subject: Re: f-prot strange behavior (PC)

Qian Qian (qianqian@tucson.princeton.edu) wrote:

|>All this happened after I restore something from a disk given
|>by my friend. I used to run f-prot without any problem.
|>I just run f-prot to check my harddisk and came up something
|>strange which I think probably has something to do with virus.
|>In the upper window some message shows:
|>Error reading C:\WP51\INSTALL.EXE
|>after which suddenly the same message shows up for rest of the
|>files on the disk. At the end it says no suspicious virus is
|>detected. But I knew it is not all right. I then reboot the
|>machine from a clean floppy disk and run f-prot from a clean
|>protected floppy. The result was almost same. I did several
|>times. In one occasion, it did say that a variant of Como virus
|>was detected. But when I tried to disinfect the infected
|>file, the same error reading phenomenon occurred again.
|>The machine is 386sx16 with 4M RAM running DOS6.0.
|>Any suggestion about what I should do? I need inputs from
|>net wisdoms.
|>Thanks ahead!

I'm not sure if I have the solution for you, but perhaps you have bad sectors or clusters. It occurs sometimes on old HDDs and floppy disks. Data written to these sectors or clusters is lost and can't be accessed.
Try to check your HDD with Norton Disk Doctor or similar applications.

- --
- ------------------------------------------------------------------------------
Rado Smiljanic, rado@math.uni-hamburg.de
A fool's brain digests philosophy into folly, science into superstition, and art into pedantry. Hence University education. -- G. B. Shaw

------------------------------

Date: Mon, 30 May 94 10:56:39 -0400
From: "MICHAL EGLER"
Subject: More information about Evolution 2001 Virus (PC)

NEXT (MORE) INFORMATION ABOUT >>> Evolution 2001 Virus <<<

Here is more complete information about the new virus 'Evolution 2001'. I have decoded and analyzed the code of this virus, and all information is from the virus code. I have written a cure program for it.

- -virus code created using 386 opcodes
- -polymorphic decoding procedure
- -increments the year in the file creation date by 100 years
- -code similar to the TREMOR virus / time stamp, virus internal text
- -infects EXE files
- -increases file size by 2770 bytes
- -virus code resident in high conventional memory
- -virus reserves 7136 bytes in memory (it makes 9E42:0 the start of the virus code)
- -contains the text ' Evolution 2001 Virus was done by lord Salivantis - Nov/Dec 1993'
- -virus displays text before 3:58:46 and 5:58:9 if pressed
- -uses stealth technology to hide the increase in file size under programs like: NC, VC, DC
- -before opening a file (like view under VC) the virus cures the infected file
- -changes interrupt vectors: 1, 9, 13h, 21h, 24h

------------------------------

Date: Mon, 30 May 94 14:04:25 -0400
From: Olivier Montanuy
Subject: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Motivation: VALIDATE.COM and VALIDATE.EXE are currently used to authenticate the files contained in McAfee shareware packages, so as to prevent any insertion of viruses or trojans while they stay on public BBS or FTP servers. They are inadequate and may be misleading.
******** This is a warning for users of McAfee shareware packages ********

I have a method to cheat *both* these programs: as an example, I included in this post a uuencoded .ZIP archive containing two files:

* one is TV.COM (Tiny View, a public domain file viewer, author???)
* the other one is TV_SPOIL.COM. A copy of TV.COM in which I inserted a trojan horse (err...well, you'll see what I mean if you have a look at the file content :-)

VALIDATE.COM and VALIDATE.EXE should report the same checksum and length. (On my PC at least :-)

I won't publish the source code or the executable of my cheating program, and I will not discuss details of the cheating method, except with McAfee associates or trusted comp.virus contributors (if they care :-)

Technical note: VALIDATE.COM performs a double 16-bit CRC and VALIDATE.EXE a 32-bit (and somehow unorthodox) CRC. The cheating method uses only simple polynomial arithmetic. The main program routine is 10 lines of C code, and could be reduced to a hundred bytes of machine code (but who would bother?)

Temporary countermeasure: I don't have a replacement for VALIDATE.COM and VALIDATE.EXE. Anyway, it should be sufficient to authenticate only the length of the files in the compressed package (using 'pkunzip -l'). As a matter of fact I seriously doubt it is feasible to modify a file without affecting either the normal file length, or the compressed file length, or the compression method.

Olivier Montanuy
Telecom Paris, France
montanuy@inf.enst.fr

Included files: (uudecode and pkunzip this) [Moderator's note: ...with all due caution.]

------------------------------

Date: Mon, 30 May 94 14:22:09 -0400
From: cogni@actcom.co.il (Michael Cale')
Subject: HELP: How add code into .EXE ? (PC)

Hello all.
Now I am trying to write a basic ANTI-viral program that adds to a user program a short code that will check a CRC (or something similar) before running the program. Adding any code to a .COM is trivial, but with .EXE I have some problems. I think that I forget some needed actions and do only part. I add my code INSTEAD OF the starting part of the .EXE (after the header part) and try to change it back at run time, and also change the relocation table but... have problems. :(

Maybe someone can help me - send any working code or write what ALL the needed procedures are to add code into an .EXE correctly.

Thanks in advance.

All the best,
Alexe Levitas
cogni@actcom.co.il

P.S. DON'T WORRY - I DON'T TRY WRITE VIRUS.

------------------------------

Date: Sat, 28 May 94 16:01:14 -0400
From: James Ford
Subject: files updated on risc (PC)

The following files have been mirrored from ftp.mcafee.com:
(ftp.mcafee.com:/pub/antivirus -> /pub/ibm-antivirus/Mirrors/mcafee/antivirus @ Sat May 28 00:10:17 CDT 1994
- ------------------------------
Got 00-Index 1912
Got osc-201.zip 324798
Got scn-201.zip 296703
Got vsh-201.zip 342228
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/vsh-200.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/scn-200.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/osc-200.zip
- ----------
James Ford - Seebeck Computer Center
jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)
(205) 348-3968 (205) 348-3993 (fax)

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 40]
*****************************************
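Two of the disk-structure problems discussed in digest #40 (Frisk's technical note #3 on Michelangelo and Sven De Kerpel's Flip/Omicron fix) can be checked from the boot sector's BIOS Parameter Block before anyone touches a disk editor. The following is an added example, not code from any post in this digest; the sample boot sector, its geometry and the FAT sizes are constructed for illustration.

```python
"""Added example (not from any post in this digest): parse a FAT boot
sector's BPB and run two checks from digest #40.
1. Flip/Omicron (Sven De Kerpel): the 16-bit total-sectors field at 13h was
   overwritten with FFFAh while the 32-bit field at 20h still held the real size.
2. Michelangelo (Frisk, note #3): sectors 1-9 on heads 0-3 of every track are
   overwritten, so the BPB geometry tells which FAT copy survives.
Sample boot sector and geometry below are constructed, not taken from a real disk.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

TRASHED_HEADS = 4     # Michelangelo hits heads 0..3 (Frisk's note #3)
TRASHED_SECTORS = 9   # ...and CHS sectors 1..9 of each of those tracks


@dataclass(frozen=True)
class Bpb:
    bytes_per_sector: int
    reserved_sectors: int
    num_fats: int
    total16: int           # offset 13h: used by DOS when nonzero (< 32 MB volumes)
    sectors_per_fat: int
    sectors_per_track: int
    heads: int
    hidden_sectors: int    # LBA of the partition's first sector
    total32: int           # offset 20h: used when offset 13h is zero


def parse_bpb(bs: bytes) -> Bpb:
    """DOS 4+ BPB layout; every field is little-endian."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: 55AA signature missing")
    bps, _spc, reserved, nfats, _root = struct.unpack_from("<HBHBH", bs, 0x0B)
    total16, _media, spf, spt, heads, hidden, total32 = struct.unpack_from("<HBHHHII", bs, 0x13)
    return Bpb(bps, reserved, nfats, total16, spf, spt, heads, hidden, total32)


def total_sectors_check(b: Bpb) -> dict:
    """Flip/Omicron check: exactly one of the two size fields may be nonzero.
    A bogus value at 13h shrinks what DOS sees: FFFAh * 512 bytes is about
    33 MB, the size Sven reported."""
    consistent = (b.total16 == 0) != (b.total32 == 0)
    effective = b.total16 if b.total16 else b.total32
    return {"consistent": consistent, "effective_sectors": effective,
            "effective_bytes": effective * b.bytes_per_sector}


def restore_large_volume(bs: bytes) -> bytes:
    """The fix from the post: zero offset 13h so DOS reads the size from 20h.
    Refuses when 20h is itself zero, since there is nothing to fall back to."""
    if parse_bpb(bs).total32 == 0:
        raise ValueError("offset 20h is zero; no 32-bit size to fall back to")
    out = bytearray(bs)
    struct.pack_into("<H", out, 0x13, 0)
    return bytes(out)


def lba_to_chs(lba: int, b: Bpb) -> tuple[int, int, int]:
    """Standard BIOS mapping: cylinders and heads 0-based, sectors 1-based."""
    cyl, rem = divmod(lba, b.heads * b.sectors_per_track)
    head, sec0 = divmod(rem, b.sectors_per_track)
    return cyl, head, sec0 + 1


def michelangelo_hits(lba: int, b: Bpb) -> bool:
    """True if a complete activation (no early reset) overwrites this sector."""
    _, head, sector = lba_to_chs(lba, b)
    return head < TRASHED_HEADS and sector <= TRASHED_SECTORS


def damaged_fraction(b: Bpb) -> float:
    """Share of the disk overwritten; larger geometries lose less (note #3)."""
    per_cyl = min(TRASHED_HEADS, b.heads) * min(TRASHED_SECTORS, b.sectors_per_track)
    return per_cyl / (b.heads * b.sectors_per_track)


def fat_damage(b: Bpb) -> list[int]:
    """Overwritten sectors per FAT copy. FAT #1 follows the reserved sectors and
    each further copy follows the previous one; a count of 0 means that copy can
    be copied over the damaged one, as Frisk's note suggests."""
    first_fat = b.hidden_sectors + b.reserved_sectors
    counts = []
    for n in range(b.num_fats):
        start = first_fat + n * b.sectors_per_fat
        counts.append(sum(michelangelo_hits(s, b) for s in range(start, start + b.sectors_per_fat)))
    return counts


def make_sample_boot_sector(total_sectors: int) -> bytes:
    """Constructed DOS 5-style boot sector: 63 sectors/track, 16 heads, partition
    at LBA 63, 1 reserved sector, 2 FATs of 200 sectors each."""
    bs = bytearray(512)
    bs[0:11] = b"\xEB\x3C\x90MSDOS5.0"
    small = total_sectors < 0x10000
    struct.pack_into("<HBHBH", bs, 0x0B, 512, 8, 1, 2, 512)   # bps, spc, reserved, FATs, root entries
    struct.pack_into("<HBHHHII", bs, 0x13, total_sectors if small else 0,
                     0xF8, 200, 63, 16, 63, 0 if small else total_sectors)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def flip_damage(bs: bytes) -> bytes:
    """Reproduce the symptom from the post in memory only: FFFAh written at 13h."""
    out = bytearray(bs)
    struct.pack_into("<H", out, 0x13, 0xFFFA)
    return bytes(out)
```

On the constructed 170 MB sample, `fat_damage` reports 26 overwritten sectors in FAT #1 and none in FAT #2, which is the situation Frisk's note describes, and `restore_large_volume` on the Flip-damaged copy gives back a sector identical to the undamaged one.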
VIRUS-L Digest Thursday, 23 Jun 1994 Volume 7 : Issue 41

Today's Topics:
Best products for open systems security
Re: Wanted: Infos on ARJ-Virus
Re: GOOD vs. BAD HUH?
Re: CARO and EICAR
danger from used disks?
The underground and 'good' viruses
re: Parity Boot B on OS/2 bootdrive (OS/2)
FYI: "Form-detector" (PC)
info on 2 viruses (PC)
Re: DIR-Virus? (PC)
Re: FORM and SPANISH Telecom (PC)
Re: Vet software (PC)
Re: Good anti-virus software recommedation needed (PC)
Re: Any Iper Info? (PC)
Re: DANGEROUS VIRUS (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: Anti-CMOS virus.... (PC)
Re: Information requested on Doom virus (PC)
Re: InVirible (???) (PC)
Virus in Norton Commander 4.0! (PC)
RE: Attack by MOnkey ... (PC)
virus destroyed disk driver (PC)
info wanted on NiceDay and NewBug (PC)
NOINT virus (PC)
New virus (Trashed?) in Ann Arbor Mi? (PC)
"New" Virus found? (PC)
Re: Anti-CMOS virus.... (PC)
New virus - Ear.Interceptor (PC)
Re: antivirus products (PC)
Re: Virstop.exe and 386Max 7.0 (PC)
re: What about long partitions (PC)
Joshi virus - False alarm? (PC)
Harmless Viruses
----------------------------------------------------------------------

Date: Tue, 31 May 94 01:12:49 -0400
From: jonbines@panix.com (Jonathan Bines)
Subject: Best products for open systems security environments?

A while back, I asked for input on Best Products for Open Systems Security as part of my research for a report on this topic in my newsletter, the Best Practices Report. Alas, I can't provide a summary of responses, because nobody responded to either of my two queries (except a couple of people who requested summaries...). However, in the interests of stirring the pot a bit, here's some of what I've found in the course of my investigation. Perhaps it will incline some of you to share your own experiences.

THE IMPORTANCE OF POLICY

First off, there was universal agreement that without a comprehensive, well-thought-out security policy, based on a thorough analysis of your computing and organizational environment, no amount of technology was going to give you adequate security.
An article in the May issue of the Best Practices Report discussed the areas where security can fail, including:

* Inadequate employee education and training
* Vague or inadequately-defined responsibilities
* Uncontrolled or inadequately-controlled access to information
* Inadequate backup and storage management policies
* Inadequate physical security
* Inadequate controls against viruses
* Exposure of employees and outsiders to unnecessary temptation
* Inadequate definition and restriction of privileges

In addition to addressing all of these concerns, managers need to assess the value of their data to determine the necessary level of protection. Managers also agreed that without the support of top management, a security policy is probably doomed to failure. The topic of developing a security policy was also addressed in the May issue of BPR, from a broad, organizational perspective. In the next issue, we'll be discussing the technologies that are available for open systems security. Here's an overview of what we've found so far:

THE TECHNOLOGY:

Of course, a security policy is only as good as your ability to implement/enforce it. And while a great deal of this enforcement comes down to people and politics in your organization, technology also has an important role to play. Here are some of the products that people mentioned as worthwhile in implementing network security in open environments:

A. SECURITY MANAGEMENT

Security Management involves going out on the network to ensure that your policies are being followed. It includes checking to ensure that users have valid, up-to-date passwords, that user privileges are correctly assigned, that users log off properly, etc. The two market leaders for this technology are Raxco's Security Toolkit and SecureMax from OpenVision. Both of these products have received good reports from users, who say that they greatly simplify their management tasks.
Raxco's product gets additional praise for its comprehensive reporting capabilities. OpenVision has strong -- SecureMax and Security Detective--for the OpenVMS environment. CA Unicenter also provides extensive security features, although it is only available as part of the complete CA solution and involves changing the OS kernel. Fisher International provides the Watchdog suite of data security products for PC-LANs. Mergent offers a similar function which a couple of people said is somewhat less functional than the Fisher product.

B. USER AUTHENTICATION/IDENTIFICATION

This is the gatekeeper to your environment--ensuring that the person logging on is authorized to log on, and that they are who they claim to be. One problem many large sites are facing is the need of users to carry around 40 different passwords to access each different environment/resource in an organization--various solutions seek "single-sign-on" across the entire computing environment, although I've yet to hear of a successful example of this in practice (except in very limited environments).

Products available for Access Control include

- -Security Dynamics offers SecurID, which employs a credit-card-sized (two-card thickness) number generator which users carry with them. They log in using their PIN plus the number on the SecurID card. Thus, if the card is lost, it's of no use to anyone without the PIN.

- -Dallas Semiconductor offers "Dallas Sign On," based on its "Button" technology--a button-sized authenticator which connects to a port on the computer for "bring-something, know-something" authentication. They are looking at including encryption technology inside the button.

- -Enigma Logic provides SafeWord software which communicates with ID verification technologies such as smart cards, handheld tokens, and some biometric technologies. Enigma Logic offers a token which includes the PIN in the token--without knowing the PIN, the user can't activate the token to get the authentication number.
- -Mergent International provides Single Sign-On/Data Access Control (SSO/Dacs) for DOS and OS/2 compatibles, ostensibly providing single-sign-on to workstation, network and mainframe environments.

- -IBM released a new version of NetSP, a single sign-on product providing a third-party security server that controls userID and user access to applications.

- -Fifth Generation Systems provides Secure Access Facility for Enterprise (SAFE), a PC-based product that creates a "security kernel" on each PC containing relevant security information (encrypted). SAFE handles the negotiation of access to network resources. Fischer's Watchdog product offers similar functionality.

- -BoKS, distributed by SECURIX, Inc. in the US, provides flexible access control, including the ability to define access control to complement security policy (for example, limiting the time period when a user can access the system, or the hosts he/she can access). Authentication is through passwords.

- -Firewalls represent the point of entry to a computing environment from the Internet--so that only a single computer talks directly to the Net. Firewall vendors include: Raptor Eagle, Enigma Logic, Trusted Information Systems, ANS Interlock.

- -A number of products provide remote access security, for users logging into systems from remote locations. Typical schemes include software or hardware that "dials back" the user, combined with other authentication methods. Los Altos Technologies' TermServ is an example of a software-based remote access product--in addition to modem security, it provides detailed reporting for capacity planning and management.

C. PRIVILEGE DEFINITION

Kerberos is the premier product for defining and maintaining levels of user privilege. The software provides authentication of a user to various resources in a computing environment. Developed at MIT, various implementations are currently available, including a number of commercial implementations.
Difficulties with Kerberos include the lack of support from key applications, continued reliance on passwords (it is not a user identification/authentication product), complexity of implementation (and problems with scalability), and lack of interoperability among competing versions (DCE vs. MIT, for example). Commercial Kerberos providers include CyberSAFE (formerly Open Computing Security Group), and Cygnus Network Security.

D. DATA INTEGRITY PRODUCTS

Data integrity products include backup and storage management products (if you haven't read the summary of Best Backup Product for Open Systems, I'm happy to send it to you), encryption products, and virus protection products--making sure data is not lost or compromised on the system or in transit. Despite user complaints that encryption should be linked to the token device used for user identification/authentication, no company is currently providing this capability. Many security management products also provide some data integrity functionality--virus control, primarily--and utilities such as the Norton suite are available as well.

Now then. If you have experience with any of these products, or know of others which should be included in my report, I'd really appreciate hearing about them. A summary of all responses will be posted. Complete confidentiality is guaranteed.

- --
Jon Bines (jonbines@panix.com)     ^ If you're not part of the solution,
NSM Best Practices Rept.           ^ you're part of the precipitate.
203 1st Ave #1 NY NY 10003         ^
Phone/Fax 212-254-7064             ^ -Steven Wright

------------------------------

Date: Tue, 31 May 94 05:57:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Wanted: Infos on ARJ-Virus

P. Immond (pi@europe.pha.oche.de) writes:

> I'm looking for infos on ARJ-Virus.

I *suspect* that you mean Archive_Worm - the Russian virus that infects ARJ archives and that was described in Virus Bulletin. If my assumptions are wrong, please specify more information.
I am including the original description of the virus that I got from Eugene Kaspersky.

> Can it really infect an ARJ with
> Security envelope?

Yes, it can, but the resulting infected archive will have its security envelope broken, of course. BTW, the "security envelope" is not secure at all. If you want a *really* secure (in the cryptographical sense) archiver, supporting symmetric and asymmetric (public-key) encryption and public-key authentication, compatible with PGP-generated keys - use HPACK.

Regards,
Vesselin

Arjvirus
========

It's a non-memory-resident virus which searches for ARJ archive files and infects them. This virus, which is a worm more than a standard DOS virus, is 5000 bytes in length. It updates these files with its (virus) copy.

On execution this infector searches for files with the ARJ extension by using the "*.arj" mask (files with the ARJ extension are created by the ARJ.EXE utility and contain the compressed files). It searches for ARJ files in the current and all the parent directories.

If an ARJ archive file is found, the virus creates a temporary file with a randomly selected name and COM extension. This name consists of four letters from 'A' till 'V'; the 'V' limitation is because this virus uses the 0Fh limit for the letter number, and the 15th (0Fh) letter is 'V'. The resulting names look like BHPL.COM, NLJJ.COM, OKPD.COM etc.

Then the virus writes itself (5000 bytes) into this COM file, and for hiding it appends to the file garbage bytes of randomly selected length; the virus checks that the length of that garbage does not exceed the maximum length of an executable COM file. The lengths of the resulting worm files are more than 5000 bytes; the 5000 bytes is the length of the worm's body which is stored in the file on any infection.

Then the virus inserts that file into the archive that was found. It does it the easiest way - the virus forces the ARJ.EXE utility to do it. One of the ARJ.EXE switches is the "a" character, which forces it to add the file(s) to the ARJ archive file.
And the virus uses this option: it executes ARJ.EXE with the "a" character by using the standard C function. The string which is executed looks like:

c:\command.com /c arj a <archive> <name>.com

where <archive> is the name with extension of the ARJ archive that was found, and <name> is the four-byte-long randomly selected name described above. The "/c" switch causes COMMAND.COM to execute the indicated program (ARJ.EXE) and immediately exit. On execution of this command the archiver ARJ.EXE compresses and adds the worm into the archive file that was found. Then the virus deletes the temporary file and searches for the next ARJ file. If there are no archive files in the current directory, the virus jumps to the parent one. If the current directory is the disk root directory, the virus returns to DOS.

One of the features of this infector is duplicate infection. On infecting an archive the virus does not check the file for its presence - and how could it do this? Checking the inside of an archive is not an easy task, and I see that the author of this virus did not set it (preventing duplicate infection) as an objective. It realized the new idea in the easiest way, nothing more. Second, the virus generates random names for the worm files. Sometimes it can generate a name which is already present in the ARJ file that is being infected. As a result, that file will be overwritten by the virus and its contents will be lost.

For hiding its spreading the virus hooks INT 10h - the video interrupt. It points it at an IRET instruction, which disables standard output to the screen. This feature hides the virus, but if during the virus's activity one of the errors appears, the ARJ.EXE program or DOS will display an error message (for example, "Write protect error writing drive A:") and wait for an answer. But the virus has disabled the output, and the user will see only a blank screen. It looks as if the computer has hung.
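The dropper behaviour described above (a four-letter A-V name with a .COM extension, a 5000-byte body padded with random garbage, added to the archive through "arj a") leaves a pattern that an administrator can look for in an archive's directory without extracting or running anything from it. The block below is an added editor's example, not part of the digest and not Kaspersky's or Bontchev's code: it walks the ARJ header chain (header id 60h EAh, a 2-byte basic header size, the first byte of the basic header giving the offset of the file name, compressed and original sizes at offsets 12 and 16 of the basic header, a 4-byte header CRC, then a chain of extended headers terminated by a zero size) and lists the entries that match the described pattern. The archive it parses is constructed in memory by the block itself with stored (method 0) entries; the entry names and contents are made up, and header CRCs are not computed or checked.

```python
import re
import struct

ARJ_MAGIC = b"\x60\xea"                       # ARJ header id
_FIXED_HDR = "<BBBBBBBBIIIIHHH"               # fixed part of the basic header, 30 bytes
SUSPECT_NAME = re.compile(r"^[A-V]{4}\.COM$", re.IGNORECASE)  # names as described in the digest
WORM_BODY_LEN = 5000                          # body length given in the description


def _header(file_type, name, orig_size, comp_size):
    """Build one ARJ header block: id, size, basic header, CRC, empty extended-header chain.
    Constructed sample data only; CRC fields are left as zero."""
    fixed = struct.pack(_FIXED_HDR,
                        struct.calcsize(_FIXED_HDR),  # first_hdr_size: offset of the file name
                        10, 1, 0, 0,                  # archiver version, min version, host OS, flags
                        0,                            # method 0 = stored (security version in main header)
                        file_type,                    # 2 = archive main header, 0 = binary file
                        0, 0,                         # reserved, date/time
                        comp_size, orig_size,
                        0, 0, 0, 0)                   # CRC, filespec position, file mode, host data
    basic = fixed + name.encode("ascii") + b"\x00" + b"\x00"   # name, then an empty comment
    return (ARJ_MAGIC + struct.pack("<H", len(basic)) + basic
            + struct.pack("<I", 0)     # basic header CRC (not computed for the sample)
            + struct.pack("<H", 0))    # extended header size 0: no extended headers


def build_sample_archive(entries):
    """entries: list of (name, data); every file is stored uncompressed."""
    out = _header(2, "SAMPLE.ARJ", 0, 0)
    for name, data in entries:
        out += _header(0, name, len(data), len(data)) + data
    return out + ARJ_MAGIC + struct.pack("<H", 0)   # end-of-archive marker


def list_arj_entries(blob):
    """Walk the header chain and return (name, original_size, compressed_size) per file entry."""
    pos, entries = 0, []
    while True:
        if blob[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError(f"bad ARJ header id at offset {pos}")
        (hdr_size,) = struct.unpack_from("<H", blob, pos + 2)
        pos += 4
        if hdr_size == 0:
            return entries                        # end of archive
        basic = blob[pos:pos + hdr_size]
        pos += hdr_size + 4                       # skip basic header and its CRC
        while True:                               # extended headers: size, data, CRC; 0 ends the chain
            (ext,) = struct.unpack_from("<H", blob, pos)
            pos += 2
            if ext == 0:
                break
            pos += ext + 4
        first_hdr_size, file_type = basic[0], basic[6]
        comp_size, orig_size = struct.unpack_from("<II", basic, 12)
        name = basic[first_hdr_size:].split(b"\x00", 1)[0].decode("ascii", "replace")
        if file_type == 2:
            continue                              # main archive header: no data follows it
        entries.append((name, orig_size, comp_size))
        pos += comp_size                          # skip the stored/compressed data


def find_suspect_entries(blob):
    """Entries matching the digest's description: four letters A-V, .COM, body of 5000 bytes or more."""
    return [(name, orig) for name, orig, _ in list_arj_entries(blob)
            if SUSPECT_NAME.match(name) and orig >= WORM_BODY_LEN]


# Constructed sample archive: one text file, one small legitimate COM, one entry shaped like the dropper.
SAMPLE = build_sample_archive([
    ("README.TXT", b"hello\r\n" * 10),
    ("TOOL.COM", b"\x90" * 300),                     # name fits the pattern but is far too small
    ("BHPL.COM", b"\xcc" * 5000 + b"\x00" * 137),    # 5000-byte body plus random-length padding
])

if __name__ == "__main__":
    for name, size in find_suspect_entries(SAMPLE):
        print(f"suspect entry {name} ({size} bytes) - inspect before extracting")
```

The name pattern alone is not enough evidence (TOOL.COM above matches it), which is why the size threshold is applied as well; a hit means "inspect this entry with a scanner that knows the worm body", not "delete the archive". The parser deliberately never extracts or executes anything, and it does not validate CRCs or handle multi-volume archives.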
By the way, the virtual DOS machine under MS-Windows switches to full-screen text mode on a write protect error, and it is then impossible to switch to another task. And the last note: this virus contains the short internal text strings:

*.arj
..
0000.com
/c arj a
c:\command.com

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 06:12:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Bradley (bradleym@netcom.com) writes:

> How about KOH? Also the Potassium Hydroxide virus. It will encrypt your
> HD for you using the IDEA algorithm. And it includes an option for
> removal from your HD as well as a couple other options.

How nice from its part, isn't it? However...

First, as I already pointed out in another message of mine, just asking the user for permission to infect is not enough, because it causes an interruption that may be unwanted. No, a virus that claims to be "beneficial" *must* not infect a system, unless the owner of that system *actively* invites the virus. And there should be no place for mistakes, that is, cryptographically strong means should be used to authenticate the virus to the system and the system to the virus.

Second, what does KOH do exactly that cannot be done by a non-viral program like SFS, SecureDevice or SecureDrive? (All three are available in the USA and the first two are available to the whole world. Also, unlike KOH, the last two come in source, so you can check them yourself for security bugs and/or backdoors.) And why should I use a virus instead of a non-viral program to encrypt my disks?
Third, since the virus installs the encryption program on each disk it infects, it is so easy to forget it there while traveling abroad (this concerns mostly US citizens). Now, if your disks were encrypted by a stand-alone program, you could simply leave that program home. (Hint to the non-US people: the US export regulations forbid exporting of encryption software without a special license. The penalty is 41 to 51 months prison.) You can't simply "leave home" the KOH virus, because it is on the boot sector of all your encrypted disks...

Beneficial virus? NOT.

> And CPAV will also modify your files for you, under the guise
> of protecting you.

Yeah, but first, it doesn't do so unless you explicitly tell it to do it, and second, if you feel unhappy about it, you can always call CPS' tech support number and bitch about it. Now, when the virus writers begin to provide tech support for their creations, I'll reconsider.

> Besides, only a small amount of viruses have
> malicious code.

You mean - only a small amount (about 1/3) of the known viruses are intentionally destructive. That's true - most of the damage caused by viruses is because of the lost time, efforts, and money spent to remove them. But so what? It doesn't make them less damaging...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:52:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CARO and EICAR

Keith A. Peer (dm252@cleveland.freenet.edu) writes:

> I am trying to find out about 2 organizations that I
> heard are PC Security/Virus related but I do not know
> where or how to contact them. The organizations are
> "CARO" and "EICAR".
> Any help is greatly appreciated.

EICAR (European Institute for Computer Anti-virus Research) is an organization of companies (either producing anti-virus software or interested in virus protection) - much like NCSA in the USA. Anybody can become a member - they have only to pay the membership fee. Contact information:

Dr. Paul Langemeyer
c/o Siemens Nixdorf AG
Otto-Hahn-Ring 6
85739 Muenchen
Germany
Telephone: +49-89-636-45400
Telefax: +49-89-636-47326

CARO (Computer Anti-virus Researchers' Organization) is not a formal organization per se. It is something like a private club of the technical virus experts. Membership is *very* limited. We are just friends who exchange technical knowledge about computer viruses, in order to help each other to fight them.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 10:34:47 -0400
From: nschechtman@pppl.gov (Nathan Schechtman)
Subject: danger from used disks?

I just bought several hundred used disks from someone on the internet. I'd like to guarantee that they're safe. Any suggestions out there? Will reformatting them remove all viruses?

Thanks

Nathan Schechtman
email: nschechtman@pppl.gov
Princeton Plasma Physics Lab
phone: 609-243-3465
Princeton, NJ 08543

------------------------------

Date: Tue, 31 May 94 14:51:34 -0400
From: Ian Douglas
Subject: The underground and 'good' viruses

I see Messrs Cohen and Bontchev are discussing the merits of 'good' viruses. We are having a similar discussion in the FidoNet echos.
The Underground is doing its best to persuade us that

1) good viruses can exist ('cos Fred Cohen says so)
2) these viruses can actually do useful, beneficial things
3) research into these viruses is a Good Thing, and actually nothing but research into Artificial Intelligence (wow!).

However they have not clearly defined exactly what they mean by 'good' virus. The definition is also very flexible, and changes shape when objections against it are raised. They usually talk about some small program, limited to one machine (or network) only, that goes around deleting .bak files older than a month; or other similar tasks. IMHO these sort of things can better be done by a simple TSR or even via bat files. So why the necessity for using a program that replicates? Simply to blur the distinction between right and wrong. They are implying that since 'good' viruses exist, then all research into writing viruses is a Good Thing and should be encouraged, admired, etc. They take pains to distance themselves from those OTHER evil people who write nasty viruses that destroy data. Horrors! Of course they are not shy about dragging Fred's name in when it helps them either.. They have also invented new names for their creations, like CyberPet.

Which brings us back to the question of What Is A Virus. While I understand Fred's definitions (ok, not the maths one, have not seen it yet), a boot disk with diskcopy on is not the sort of thing that is causing problems in the world right now. So I propose a slight modification to the working definition of a virus being a program that can replicate in the right environment:

A virus is a program that can replicate in the right environment, and that alters the 'normal', 'expected' flow of execution to ensure that a copy of itself gets executed.

For example, MBR infectors:

Normal flow:      BIOS, MBR, Dos BS, etc..
After infection:  BIOS, MBR (virus), MBR (real), Dos BS, etc..

Similarly with other types of infections.
And that is my 2c worth to the great debate :-)

Cheers,
Ian

------------------------------

Date: Thu, 02 Jun 94 15:42:27 -0400
From: "David M. Chess"
Subject: re: Parity Boot B on OS/2 bootdrive (OS/2)

> From: jan@myhost.subdomain.domain (Jan H. Bergesen)

?? Is that really the Internet address? Seems unlikely!

> I've somehow managed to get the virus Parity Boot B on my OS/2 boot partition
> this is drive d: formatted with HPFS.
> I know one can use fdisk/m under DOS, but what do I do under OS/2???

The Parity Boot B infects the master boot record, and doesn't care what the operating system involved is. If you can find a bootable DOS 5+ diskette with FDISK on it, FDISK /MBR should still do the Right Thing. Do make sure you have good backups first, though! Or find an antivirus program that disinfects it explicitly.

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date: Tue, 31 May 94 01:51:14 -0400
From: "A.Jilka"
Subject: FYI: "Form-detector" (PC)

Hi all,

I thought you might be interested: Whenever a PC is infected by FORM and you run QEMM 6 or 7 the machine locks up after executing DOSDATA.SYS. As we do swap floppies now and then with Uni-Vienna it happens that one of our PCs gets infected. Uni-Vienna seems to have an infection rate of +70%.

So: if your PC locks during boot, give your favourite AV a chance.

Greetings,
Alfred

- --
Geological Survey, Austria
jilka@gbaws4.zamg.ac.at
Phone: +43/222/712-56-74/85
Fax: +43/222/712-56-74/56
! Enjoy life, you'll be dead long enough !
------------------------------

Date: Tue, 31 May 94 02:04:14 -0400
From: sa1737976@v9001.ntu.ac.sg
Subject: info on 2 viruses (PC)

i need some info on what McAfee's scan identified as NewBug and NiceDay viruses. thunder-byte anti-virus identified both of them as anti-exe. the problem is that i can't find any of these entries in vsum !! the NiceDay sample that i have doesn't seem to infect another diskette. does it have an internal timer ? or what r its infection criteria ?

and where can i get a copy of f-prot ? seems like quite a lot of ppl r talking abt it and using it. i can accept uuencoded stuff :).

thanx !!

------------------------------

Date: Tue, 31 May 94 02:57:10 -0400
From: tluten@delphi.com
Subject: Re: DIR-Virus? (PC)

I ran into similar problems several years ago, and concluded that the "format" commands used by various systems were potentially incompatible, as were some floppy drives. I would like to hope that these mismatches have been worked out in the succeeding years, but maybe they have not.

------------------------------

Date: Tue, 31 May 94 05:42:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM and SPANISH Telecom (PC)

Alan Coombe (a.coombe@east-anglia.ac.uk) writes:

> We run diskless PC's on a Novell server. We have a Ram drive.

In this case you don't have to worry about either Form or Spanish Telecom (presuming that you mean the widespread boot virus, not the rare COM-infecting dropper). Both are boot sector viruses and cannot spread across networks.

> Does anyone know if these viruses have stealth capabilities, whereby they can

Form is not stealth, but the boot variety of Spanish Telecom is.

> survive a RESET (Either RESET button or CTRL+ALT+DEL)

No, neither of them attempts to survive a warm reboot and no virus can ever *survive* (EXE_Bug tricks excluded) the cold reboot initiated by depressing the RESET button.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 05:46:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Vet software (PC)

John Guynn (jag@univel.telescan.com) writes:

> Is Vet commercial or shareware?

Commercial, sold by Cybec Pty Ltd. PO Box 205, Hampton, VIC 3188. Australia.

> If it's shareware where can I ftp it
> from?

It's not and you can't.

> I looked in the FAQ but it didn't mention anything specific
> about any anti-virus software (as far as commercial or shareware and
> locations).

This is intentional. The FAQ is not meant for advertising purposes and we didn't want all the anti-virus producers to bother us with questions why their excellent product is not mentioned there. :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 06:23:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good anti-virus software recommendation needed (PC)

Johnson C. Lee (jclee@netcom.com) writes:

> Does anybody know if there is any anti-virus software that will
> detect the virus automatically ?

Since there is no such thing as "the virus" (there are about 4,300 known IBM PC virusES), the answer to the above question is "NO".

> What I mean is every two weeks I have
> to run my anti-virus software to do detection and it took a long time.
Maybe you have to get a better anti-virus program. What kind of anti-virus program are you using? If it is a scanner, I advise you to take a look at TBAV and F-Prot. Both are very good and very fast. (TBAV is faster, but F-Prot has a better detection rate.) If it is an integrity checker, take a look at Integrity Master and VDS.

> It will be nice if there is an anti-virus software which will do the
> detection when there is disk operation etc etc.

Or is it a *memory-resident* scanner that you need? Many (most) scanner-based anti-virus products include one.

> And can someone recommend me some good anti-virus software either
> in the shareware domain or in the market ?

Some of the best scanners *are* shareware. In fact, the commercial products are often (not always) far behind. The best integrity checker I know about was commercial (Untouchable by Fifth Generation Systems), but since Symantec bought the company, I don't know how it is sold any more.

> I am particularly looking
> for something that will work in a networked (both netware and
> TCP) environment.

That's a more difficult requirement. I am not aware of any good TCP/IP-based scanner. Most NetWare (NLM) based products are nothing exceptional... You might look at the NLM produced by S&S International (they sell Dr. Solomon's Anti-Virus ToolKit) - their scanner is very good, but I have no experience with the NLM.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:11:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Any Iper Info? (PC)

Jerry Billette (jer@netcom.com) writes:

> viruses.
> While we were disinfecting our systems using NAV 3.0 we came
> across multiple .exe files that contained the iper virus. The best

NAV 3.0 is most probably wrong, because the Iper virus infects only COM files. It could be anything - from a different virus to a false positive. I would advise you to use a scanner that performs a better identification.

> information that we could come up with is that the iper virus infects
> com files.

This is correct.

> So, my questions are 1) does this virus do any damage
> besides replicate and

It seems to have a date trigger that activates on the 17th of any month. The code that is activated does something with the ports, which might be causing some damage, but I don't have the necessary help files handy, so I can't tell it exactly. However, you almost certainly do not have this virus.

> 2) why did it only show up in .exe files and not
> any .com files?

Probably because NAV 3.0 is simply wrong and you do not have this virus. As I said, it might be a different virus, or no virus at all.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:19:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DANGEROUS VIRUS (PC)

Dale (slash@ccinet.ab.ca) writes:

> Chinon America Inc. last week reported the existence of a virus named
> "CD-IT" that reportedly surfaced on the Internet. A file identified as

That was a typical example of the uninformed journalistic hype that surrounds the virus problem. First, it was not a virus. It was a trojan horse - and a very well known one - Worpal.2. Second, most good scanners (e.g., F-Prot) have been able to detect it for years.
Third, it was seen on a BBS - it was not "spreading on the Internet", as the article seemed to imply. In short - junk information in a junk article. Ignore it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:23:17 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC)

Spandan Choudury (schoudhu@ucunix.san.uc.EDU) writes:

> For a hard disk infected with the M. virus, does anyone
> have info on
> * Whether there is a shareware/commercial_software
> that will recover most/all the data present on the
> damaged hard-disk.

It cannot be done automatically and therefore no software exists that does it. Only with the qualified help of a data recovery expert you might be able to recover some of the lost information - and in most cases it is likely to cost you more than the information that has been lost. A much better solution is to simply restore from a backup. And if you don't have one, *now* is the time to understand that all those people telling you to make regular backups have been right... :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:32:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Anti-CMOS virus.... (PC)
jeff@lab.bus.utah.edu (jeff@lab.bus.utah.edu) writes:

> In the last week I have had four computers in our lab infected by
> a virus called Anti-CMOS.
> So far the only way to disinfect it has been a low-level format which
> is not the option I want.

Low level format is *never* necessary. Try McAfee's CLEAN, telling it to remove the [genp] virus. It *might* work, although it is not guaranteed to.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:40:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Information requested on Doom virus (PC)

Unknown (Unknown@sun4.bham.ac.uk) writes:

> Does anyone know of the Doom virus, supposedly undetectable (!), and

Undetectable, huh? I know two viruses with a similar name (Taiwan.677, sometimes called Doom, and Doom_II), and both have been known to the scanners for years.

> corrupts PC FAT's on Friday 13th (my goodness - that's today, panic)

Taiwan.677 activates on the 8th of any month and Doom_II activates in March, so maybe you mean something else.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 07:46:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: InVirible (???) (PC)
Francis Ng-Cheng-Hin (FNGCHENG@1308.watstar.uwaterloo.ca) writes:

> A while ago on Fido, I heard of a program called InVirible (or something
> like that) that was an integrity checker or something similar to that.
> Anyways I think the author was from the Middle East. I haven't been able to

Israel.

> find this program at oak.oakland.edu and do remember the author saying it
> was available for FTP somewhere, but I can't remember where. I would

As far as I know, it is commercial. I might be wrong, and if it is indeed shareware, I'd be happy to offer it from our ftp site. I think that the author reads this forum, so he might be able to reply to you directly.

> has this file. Thanks. Also is it just me or does this newsgroup have very
> few if any posts?

There seems to be some problem - not all articles published in Virus-L appear on comp.virus. This used to happen every now and then, but has increased lately. I am often receiving feedback on articles I have sent to comp.virus, but have never seen them there (but obviously other people have seen them in Virus-L).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 31 May 94 13:04:21 -0400
From: gorbiel@student.uci.agh.edu.pl (Andrzej Gorbiel)
Subject: Virus in Norton Commander 4.0! (PC)

[ Article crossposted from comp.os.msdos.apps ]
[ Author was Andrzej Gorbiel ]
[ Posted on 31 May 1994 16:59:57 GMT ]

Hello,

Some days ago I had problems with Norton Commander 4.0. It behaved strangely! The left panel was moved right by 8 columns. The right panel displayed mostly garbage. It used to hang more often. After ALT_F1 it displayed a window "Choose RIGHT drive:" (instead of LEFT). I started searching for the reason.
I ran all the antiviral software I had. Nothing! I compared VALIDATE checksums of NC.EXE and NCMAIN.EXE - nothing! I booted from a write protected floppy and did all the tests again - nothing! I deleted NC.INI (AFTER exiting Norton Commander!) - it helped!

Fortunately I have a backup of this fatal NC.INI. I appended it in this mail. You won't believe my words until you try it yourself! So do try! It's not very dangerous (I hope!).

BTW Does anyone know what is inside NC.INI? There is CWD in left panel, CWD in right panel, a path to the user-chosen editor, file-filter mask and everything found in the "Configuration" dialog box. The size of the file seems to be constant (774 bytes). And there must be a byte (or a bit) that causes NC to go mad with no hope of recovery by configuration changes (you must exit NC first and then delete NC.INI).

Enjoy!
Andrzej

BTW if you find which bit of NC.INI is critical (i.e. causes this effect) do not hesitate to inform me (by e-mail). Or write a virus that changes that bit and call it Symantec!

QUUNCD Ver. 1.2, by Theodore A. Kaldis.
BEGIN--cut here--CUT HERE--
begin 600 nc.ini
M0E5)3$0T,````"@$`0`I``(``P`,`!(`WP```(;,-*X$``KV=1J*Z#8`````
M`*D`=@$"`"D`$P">`;E\`8/&/H/'/O.DPPZX``*+V#'),/8``"@````5`%X.
M`0````(`7`!44D%.1T4N(2$A````````````````````````````````````
M``````````````````````````````````````!-````````````````````````
M-*X``(=.W"A!5TQ!3@!25P!S``````````![8@```````````0`````````J
M+F5X92`J+F1L;"`J+C,X-@```````````#<```!$.EPA(2%<8GHN>FEP`%13
M````````````````````````````````````````````````````````````
M``````````````````````````C#`@`#``P`$@#?````?@$0UP0``````-`$
M3P```````0`F``(`",,3`"W#````````````````````````````````!\,`
M`!4````!``$``P!<4U1204Y'12XA(2$`````````````````````````````
M````````````````````````````````````````````````````````````
M```````0UP``25G<*"XN``!3`%````!E```````"`'MB```````````!````
M`````"HN='1F````````````````````````````-P```$,Z7%1%6%1<1T%:
M151!7&MA9S`W.30N>FEP````````````````````````````````````````
M`````````````````````````````````````````%``,``P````$````!``$`````
M``$````!``$``0`!``$```````(````!``$````!``$````!`"P&[`0!``$`
M``````$`"``(``$`8SI<141)5%Q17%$N15A%("$N(0``````````````````
)``````````#:
`
end
END--cut here--CUT HERE--

------------------------------

Date: Tue, 31 May 94 16:33:15 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: RE: Attack by MOnkey ... (PC)

>From: lubkt@Lehigh.EDU (Binod Taterway)
>Subject: Attack by MOnkey ... (PC)

>I noticed that after doing the DIR on an infected diskette, the virus
>becomes memory resident but does not infect the hard disk. I have
>looked at Patricia Huffman's summary on MONKEY, but the description
>does not tell how (at what point) infection takes place.

Am sure that by now several have explained what to do with the MONKEY (yet another beneficial virus ?) but the philodendrum of "ghosting" of boot sector infectors is worthy of some thought:

When you do a DIR of a floppy disk, it is necessary for DOS to first examine the boot sector to determine what kind of disk it is. In the case of most current DOS versions, the boot sector is read into a designated area of the first 64k of memory.
Since this area is used only for this purpose, it will not be overwritten until the next disk is inserted. Thus when a DIR of an infected disk is done, the infected code is read into this area as data (it is NOT executed or truly "memory resident" in the TSR meaning, it is just there).

Many scanners are unable to make this distinction and, finding nothing unusual about a BSI virus being found in low memory rather than at the TOM, feel obliged to report the condition.

To check, simply place a clean write-protected (just in case) disk in the PC, do a DIR of that disk (DIRing the hard disk will not generally work), and rerun the scanner. If everything comes up clean then the floppy and not the PC is what was infected.

Padgett

stepanography: hiding a message in a duck

------------------------------

Date: Wed, 01 Jun 94 08:21:28 +0000
From: wdwitte@cs.vu.nl (Witte de W)
Subject: virus destroyed disk driver (PC)

Hi,

a few days ago i had the form virus on my system (boot sector virus). I successfully deleted it, but now my b-drive (3.5" HD) does not work properly anymore. Only (very) now and then it will respond to a 'dir' command, but most of the time i get a 'General Failure'. The internal setup - as far as i can see it - is fine. The diskettes are formatted and reformatting does not work either. Has anyone an idea what might be going on?

please respond!

wiebe de witte (wdwitte@cs.vu.nl)

- --
- --- guns don't kill men, bullets do - Sledge Hammer

------------------------------

Date: Wed, 01 Jun 94 14:37:49 -0400
From: sa1737976@v9001.ntu.ac.sg
Subject: info wanted on NiceDay and NewBug (PC)

can someone out there help me by providing info on the virus NewBug as identified by McAfee's scan. the only thing i know abt it is that it displays a message Have a nice day (c)YCP on 1st June (actually i found this out accidentally). i haven't been able to find anything abt it in vsum. and vsum doesn't say anything abt the NewBug virus either.
another problem is that thunderbyte anti-virus identifies both of them as anti-exe virus !!? i'm really lost !

another thing is, how good is f-prot ? i've heard abt it but haven't tried it. i'd appreciate it if someone can mail me an uuencoded copy.

thanx :) !

------------------------------

Date: Wed, 01 Jun 94 15:36:17 -0400
From: marty@gsbnetop.UCAR.EDU (Martin Moses)
Subject: NOINT virus (PC)

Recently we have had several cases of the NOINT PC virus. This virus appears to attack the boot sector, very nasty. Are there any known cures for this virus? If you have any information please send me E-Mail: martin.moses@gsb.uchicago.edu

Thanks
Marty

------------------------------

Date: Thu, 02 Jun 94 03:44:41 -0400
From: rebel@engin.umich.edu (Johnny Yuma)
Subject: New virus (Trashed?) in Ann Arbor Mi? (PC)

Has anyone heard anything about the new(?) virus found in Ann Arbor? I saw some overly hyped piece about it on the news, claiming that 'No Virus Scanners can detect it'..'and in fact, could spread it farther'. Has anyone heard anything? Or even touched a live copy? I would love to hear more about this virus. I believe they called it the 'Trashed' virus. I'm kinda bummed that, since it was found in Ann Arbor (according to the News people here... go figure), it wasn't named after Ann Arbor... Oh well, can't have everything I guess. =)

Rebel

- --
Everyone should know of all information that others have deemed unfit for public knowledge. -Author Unknown
rebel@engin.umich.edu -- Rebel without a clue -- Finger for PGP Key
Key fingerprint = 6E AF E6 6D E3 2E 87 40 CA 54 64 D3 B7 1A D0 3E

------------------------------

Date: Thu, 02 Jun 94 06:34:43 -0400
From: bullingt@sfu.ca (Keith Gordon Bullington)
Subject: "New" Virus found? (PC)

I've come across a .COM infecting virus that fails to be caught by SCAN v2.01, TBScan or F-Prot 2.12.
This virus infected my system quite rapidly and the only scanner I could find to pick it up (except by simple debug hunt-and-peck) was VPCScan v2.93. Here's the lowdown on what I found; more information can be acquired if anyone is interested by e-mailing me.

Virus ???:
- .COM infection only (so far)
- Approximately 1k in size added on to file (date is stable)
- Volatile encryption seems to be used (different for every file)
- Contains the text strings: "Dr. White - Sweden 1994.3" and "Junkie Virus - written in Malmo"

I have an isolated infection sample if anyone needs one. (B.T.W. VPCScan flagged it as a "PS_MPC-23" infection, if that means anything to you...)

bullingt@sfu.ca (Adam)

------------------------------

Date: Thu, 02 Jun 94 07:35:03 -0400
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Re: Anti-CMOS virus.... (PC)

jeff@lab.bus.utah.edu (Jeff Hasset) wrote:

>In the last week I have had four computers in our lab infected by
>a virus called Anti-CMOS.
> [stuff deleted]
>P.S. This virus has only shown up since we updated our virus scan
>(we are using F-Prot).

Are you using F-Prot 2.12? I tested it on some old PC's in our lab, and it reported a new variant of Anti-CMOS in the MBR. However it was not a virus, as the MBR contained some code relating to a protection device driver (ADM.SYS) which was used to write-protect drive C. It did not contain any virus code however. It is just a false positive, nothing to get worried about. You could rewrite the MBR code with FDISK /MBR, after booting from a clean floppy (assuming drive C is visible after booting), especially if this protection driver is not used any more.

Regards,
Clyde

- -----
Clyde Meli, B.Sc., Teaching Assistant, Dept. of Computer Information Systems, University of Malta, Malta.
Internet: cmeli@unimt.mt
Telephone: (+356) 3290-2509

------------------------------

Date: Wed, 01 Jun 94 19:52:06 +0200
From: Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: New virus - Ear.Interceptor (PC)

Hello,

The following virus was isolated in Sassenheim, The Netherlands. It is spreading to the eastern part of Holland towards Germany by now. Thomas Schlangen will hatch the disinfector into virnet Germany.

First and temporary description of the virus by Rob Vlaardingerbroek:

Ear.Interceptor virus: (temporary name)

The Interceptor virus is possibly a variant of the Ear virus. It's a resident .COM and .EXE infector. It will check its residency by comparing whether the vector is changed. This indicates that it will load itself again when another program also chains interrupt 21h. When resident, the virus will infect .COM and .EXE files when executed.

The following message is encrypted in the virus:

  The E-262, gone in our presence, living in our minds...
  The only iNTeRCePToR capable of speeds over Mach 3...
  The 'eXeCuToR' was the fear of all USAF pilots facing the iNTeRCePToR.

This message can be displayed sometimes. The rest of the virus isn't encrypted.

The virus does not contain a destructive payload. It plays tricks by hanging the system, intercepting printing and so on. It should be possible to disinfect all files, though the virus overwrites already infected files, meaning that it does not check whether a file is infected already.

As no scanner is able to find this virus yet, a disinfector is put on our bbs. Freq or download K-EARINT.ZIP

Samples of the virus are sent out to the av-developers.
Sincerely,
Rob Vlaardingerbroek

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland LAB (9:3110/0)

------------------------------

Date: Thu, 02 Jun 94 13:42:13 -0400
From: Mikko Hypponen
Subject: Re: antivirus products (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:
> F-Check - a program from an obsolete version of the package F-Prot.

Uhh, no... F-CHECK is the DOS-based integrity checker from the current F-PROT Professional anti-virus suite. It's not included in the shareware version. The old (pre-version 2.0) F-PROT shareware packages contained programs called F-FCHK and F-XCHK, but these are not related to F-CHECK.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Thu, 02 Jun 94 13:56:24 -0400
From: Mikko Hypponen
Subject: Re: Virstop.exe and 386Max 7.0 (PC)

Ralf Grisard (ralf@meaddata.com) writes:
> I'm running MS-DOS6.2 with 386Max on a Dell 486/50 with 8 megs of RAM.
> Among other things, I'm connected to a Banyan network, but I'm running
> VIRSTOP after connecting to the network, as per the VIRSTOP doc. F-Prot
> itself runs fine -- it's only VIRSTOP that I'm having a problem with.
> Any ideas? (Helpful ones only, please :-)

Your problem is related to the 386Max memory manager you are using, not to the network. See below.

Juan Carlos Perez (juan@fiu.edu) writes:
> I would like to know if upcoming versions of F-Prot will solve the
> problem of VIRSTOP.EXE not working with 386MAX v7.0. Thanks...:)

Version 2.12 introduced a new switch to VIRSTOP: /NOTRACE. This switch makes VIRSTOP compatible with the 386Max 7.x and BlueMax 7.x memory managers from Qualitas. This switch also makes it possible to use VIRSTOP in machines which are using the older 486 clone chips from Cyrix.
These processors had a bug which caused the single-stepping mechanism of the processor to fail in certain situations.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Thu, 02 Jun 94 15:46:10 -0400
From: "David M. Chess"
Subject: re: What about long partitions (PC)

>From: we34329@vub.ac.be (DE KERPEL SVEN)
>A virus (flip) messed with my HD now It claims that I have now
>long partitions (116MB) is reduced to 33MB (the max for normal
>partitions).

A partition longer than 32Meg has zero in the old "Total sectors" word in the BPB, and the true total sector count further out. The Flip doesn't know about this, and always lowers the old field's value by six, without checking. Use Norton or something to look at the DOS boot record of each partition; you should find the hex value FFFA in the word at offset 13 (hex). If you change that to a zero and reboot, you should get the true partition size back, assuming that nothing has written to the partition in the meantime in a disastrous way.

- - --
David M. Chess                | IBM Computer Virus Information Center
High Integrity Computing Lab  | gopher: index.almaden.ibm.com
IBM Watson Research           | http://index.almaden.ibm.com

------------------------------

Date: Thu, 02 Jun 94 17:09:30 -0400
From: gbesko@bldgeduc.lan1.umanitoba.ca (Geoff Besko)
Subject: Joshi virus - False alarm? (PC)

When I scan a machine on my network with the Microsoft Anti-Virus utility that came with MS-DOS 6.1, it says that the machine has the Joshi virus. However, when I check the same machine with the newest (v2.12) F-Prot, it doesn't register any viruses at all. Has anyone heard about problems with the reliability of the MS Antivirus program? I will probably try another program to see if it finds anything, but I was wondering if anyone has had any similar experiences?
Any help would be much appreciated!

Thanks!
Geoff

- ----------------------------------------------------------------
Geoff Besko
Network Administrator (BLDG_EDUC)
University of Manitoba
Geoff_Besko@UManitoba.CA

------------------------------

Date: Tue, 31 May 94 14:55:19 -0400
From: Ian Douglas
Subject: Harmless Viruses

The following article was published in a local electronic mag at the beginning of the year, and also posted onto the FidoNet virus echos. I am posting it here as it has some relevance to the debate about good and bad viruses.

Unarmed and Dangerous
=====================

(c) Ian Douglas 1994

There is a myth going around that, if a computer virus does not have a payload, then it is not dangerous, and is in fact harmless. Some people even refer to these as toys. I want to examine this in more detail, and show why it is a myth, but we first need to do a short history of warfare.

Once upon a time, a long time ago, Og woke up to find Gonta playing rather closely with Sheema, who was what we would call Og's wife. Og got rather upset, and punched Gonta. Unfortunately Gonta was rather larger than Og, and punched him back, knocking him out, before turning his attention once again to Sheema. When Og woke up, he made a plan. He went outside the cave, and climbed up above it. When Gonta came out, Og dropped a large rock on Gonta's head, killing him. And thus was born the principle of *long range violence* - whereby a person can inflict violence on another with little or no danger to themselves.

As time went by, improvements were made in the methodology - spears, bows and arrows, catapults, guns, bombs, missiles. While most of these were used in conventional warfare, a new breed of Ogs arose - the terrorist. They use long range violence against innocent people, with little care about WHO actually gets hurt. Their favourite tool is the time bomb.

Then came computers, and a new twist for the terrorists: computer viruses and trojans.
------------------------

The term 'virus writer' needs clarification. There are three groups of people who might write viruses:

1) a computer scientist working for a company developing a new operating system, and who has to test just how secure the operating system is.

2) a programmer working for the military, who has to develop programs designed to knock out enemy computer systems. (Although I can't see HOW they will (a) introduce it to the enemy systems; (b) expect it to remain undetected; and (c) activate all copies at the same time (except by time/date))

These two groups work in carefully controlled labs, and their creations do not get out, and thus do not bother the rest of us. While people in both these groups can be described as 'virus writers', they are not the cause of the current computer virus problem.

3) the underground and people of similar mindset, who think it is 'cute', 'neat', 'k00l', 'fun', or whatever the current slang phrase is, to write and distribute computer viruses and other rogue code (trojans, ansi bombs etc).

To avoid confusion when referring to this group as opposed to the other two above, I have coined a new word - compterr (computer terrorist) - to refer to such people. The plural is compterrs, not compterri.

------------------------

Now, to the subject of the 'harmless' computer virus. There are basically four types of computer viruses: file infectors, boot record infectors, companion infectors, and FAT infectors. Let us look at each of these in turn.

File infectors: assume that a 'harmless' file infector exists. It has no payload, i.e. it has no code specifically written to do damage, like formatting C:. It infects .com and .exe files perfectly - the host program should always run after infection. Surely this virus is 'harmless'? No.

(1) On a purely non-physical level, it is harmful in two ways: Firstly, it is unethical to modify someone else's programs without permission.
Secondly, it destroys the trust that the user has in his machine and the software on it. Now he is never sure if running a program will result in a virus spreading or activating. Remember, the user does not know that the virus has no payload. And even if he did, do you suppose that he really wants all the files on his disk infected? The situation is that people have more implicit trust in a $5 calculator than in a $2000 computer.

(2) On the physical level, there is also damage. Firstly, the virus has to alter the code of the infected host, to ensure that the virus is executed. Viruses usually change the beginning of the host to allow the virus code to be executed first, before returning control to the host. So, the original file is damaged. Even running an anti-virus repair program is unlikely to restore the program to its original state.

(3) Then there are legal implications. Altering a program may be in violation of copyright. It may also invalidate the warranty on a program. Some programs which check themselves before running will refuse to run if infected by a virus. The user is denied the use of the programs for which he paid.

(4) Then there is the matter of trespassing. A hard disk is private property. You decide what you want to store on it. A virus removes that choice from you, and just invades.

(5) Consider the implications for a company which gives its clients diskettes which have infected files on. The client detects the virus. Now do they still trust their supplier? A vital relationship has been damaged.

(6) The user has the inconvenience of checking every file and disk that he receives, and the hassle of cleaning the virus off of his system. This is wasteful of both time and money.

(7) Computer viruses waste disk space with useless code.

(8) Computer viruses slow the machine down with useless code.

(9) Memory resident viruses waste memory.

Some analogies to put the matter in perspective:

You have a letterbox.
Every time you get a letter, you also get an invisible letter with it. You remove the visible letter, but not the invisible letter. Pretty soon, your letterbox is full of invisible letters, and there is no space for your legitimate normal mail.

Or I come into your bedroom and spraypaint graffiti (Iron Maiden Rulez!) all over the walls. According to the compterrs, I have not damaged your walls - the original walls are still there, under the graffiti. Anyone agree that the walls are not damaged? How about if the original of the Mona Lisa was hanging on the wall at the time?

Or I come into your room, remove the blankets from your bed, place them under your bed, and put a small black suitcase on your bed. The compterrs say that the bed is not damaged, just rearranged. Time for you to go to bed. How do you? You have no way of knowing if the suitcase contains pressure-sensitive explosives or not. I have denied you access to your bed.

Some of the examples used about file damage also apply to the other forms of virus infection.

Boot sector infectors: Assume that a perfect boot sector infector exists. It does not matter whether it is a Main Boot Record (Partition Table) or DOS Boot Record infector - the operation is similar. The virus will move the original boot sector elsewhere, and insert itself where the boot sector was. Let us assume that the virus is well written and does not accidentally put the moved boot sector over the directory table or the FAT. Surely such a virus is harmless? No. See points (1), (4), (5), (6), (7), (8) and (9) above. In addition, the boot sector is no longer where it should be. The user might do certain operations assuming that it WAS still there, with disastrous consequences. In addition, some Main Boot Record viruses use that part of the first sector reserved for the partition table. If a user booted off a diskette, his hard drive would be inaccessible to DOS.
Also, most boot sector viruses manage to wreck part of the FAT or directory tables on diskettes.

Analogy: I come into your room, move your bed out into the passageway, and put a camping bed in its place. Now when you want to go to bed, you find your bed is not what you thought it was.

Companion Virus infectors: These viruses create matching, usually hidden, .com files with the same name as .exe files. The .com files contain the virus code. Since DOS executes filename.com before filename.exe, the virus gets executed first. Now assume that a perfect such virus exists, with no malicious code. Is it harmless? No. See points (1), (4), (5), (6), (7) and (8) above. In addition, this method of infection wastes more disk space than normal file infectors, since it creates new files. This clogs up the directory table with junk, and, since viruses are usually short, leads to lots of small files. For example, assume the virus is around 1000 bytes long, and your hard disk has allocation units of 2048 bytes. This is the minimum amount of space that DOS will allocate to a file, even if it is smaller. So for every copy of the virus, around 1k is totally wasted space. Now if you had 100 infected files on your hard disk... you lose 200k, half of which is empty..

Analogy: same as boot sector viruses.

File Allocation Table / Directory infectors: These are a variant of companion infectors. The difference is that instead of using DOS to execute the virus, the virus creates a copy of itself, and alters the pointers to a real executable to point to the virus instead. So when you execute filename.exe, you actually execute the virus, which replicates, and then passes control to filename.exe. Again, assume such a perfect virus exists. Is it harmless? No. All points raised in the discussion about companion infectors also apply. Worse, cleaning up such a virus is often a nightmare, and can result in major data loss.
This is because the virus manipulates the FAT directly, totally destroying what was there before.

Conclusion: there is no such thing as a 'harmless' virus.

The second bottom line: Viruses destroy time. Users have to waste time checking all files and disks, and cleaning up after an infection. Remember too that time costs money...

The bottom line: Viruses destroy money. Users are forced into taking expensive security measures, which costs money: the cost of the product, the cost of obtaining the product, cost of training, cost of cleaning up after an infection, cost of liability insurance. This money could have been put to more productive use. The cost is recovered by increasing the price of goods and services to the consumer. In the end, the consumer in the street (YOU!) ends up paying for the virus problem...

Cheers,
Ian

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 41]
*****************************************

Message-Id: <9406231705.AA22851@bull-run.ims.disa.mil>
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V7 #42
Date: Thu, 23 Jun 1994 13:05:59 EDT

VIRUS-L Digest   Thursday, 23 Jun 1994    Volume 7 : Issue 42

Today's Topics:

Introduction to the Anti-viral archives listing of 02 June 1994
Archive access without anonymous ftp last changed 07 April 1994
Brief guide to file formats last changed 11 April 1994
Apple II Anti-viral archive sites last changed 04 August 1993
Unix security archive sites last changed 18 July 1993
Amiga Anti-viral archive sites last changed 04 August 1993
Atari ST Anti-viral archive sites last changed 04 August 1993
Anti-viral Documentation archive sites last changed 17 May 1994
Macintosh Anti-viral archive sites last changed 10 May 1994
IBMPC Anti-viral archive sites last changed 10 May 1994

----------------------------------------------------------------------

Date: Thu, 02 Jun 94 10:31:32 -1000
From: Jim Wright
Subject: Introduction to the Anti-viral archives listing of 02 June 1994

Introduction to the Anti-viral archives listing of 02 June 1994

This posting is the introduction to the "official" anti-viral archives of VIRUS-L/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem.
Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh and Unix computers, as well as sites carrying research papers and reports of general interest.

Updates to these lists are made exclusively by contributions provided by the readers of this group. My thanks go out to the many people who keep this information current.

If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. If you have any corrections to the lists, please let me know.

The files contained on the participating archive sites are provided freely on an as-is basis. To the best of our knowledge, all files contained in the archives are either Public Domain, Freely Redistributable, or Shareware. If you know of one that is not, please drop us a line and let us know. Reports of corrupt files are also welcome.

PLEASE NOTE

The Managers of these systems, and the Maintainers of the archives, CAN NOT and DO NOT guarantee any of these applications for any purpose. All possible precautions have been taken to assure you of a safe repository of useful tools.

Jim Wright
Canada-France-Hawaii Telescope Corporation
jwright@cfht.hawaii.edu
JWRIGHT@UHCFHT

------------------------------

Date: Thu, 02 Jun 94 10:32:03 -1000
From: Jim Wright
Subject: Archive access without anonymous ftp last changed 07 April 1994

Archive access without anonymous ftp last changed 07 April 1994

To get files from the anti-viral archives, you do not need access to anonymous ftp. (However, anonymous ftp is generally the preferred method.) Below is information on accessing the archive sites using only email.

-=-

The AppleII, Atari ST and IBMPC archives have mail servers which provide access to their archives. You may receive automatic updates of Macintosh anti-viral programs via email. See the individual articles on these sites.
-=-

One way to get access to the archives is through a BITFTP server. Send a message to one of the BITNET addresses BITFTP@PUCC, BITFTP@PLEARN or BITFTP@DEARN with the body of the message containing the single word HELP. This should get you more information, and give you access to any archive site on the Internet. Due to excessive loads, this service has been restricted to BITNET and EARN sites only. UUCP sites need not apply.

-=-

If you are not an official BITNET site but still need mail access to the archives, you can try one of the FTPmail servers. Send mail to one of the addresses FTPmail@decwrl.dec.com (Western US), FTPmail@sunsite.unc.edu (Eastern US), FTPmail@cs.uow.edu.au (Australia) or FTPmail@doc.ic.ac.uk (England) with the body of the message containing the word 'help'.

------------------------------

Date: Thu, 02 Jun 94 10:32:34 -1000
From: Jim Wright
Subject: Brief guide to file formats last changed 11 April 1994

Brief guide to file formats last changed 11 April 1994

-- The most recent copy of the complete text may be anonymous ftp'd  --
-- from ftp.cso.uiuc.edu (128.174.5.61) in the directory doc/pcnet.   --
-- That file is maintained by David Lemson (lemson@uiuc.edu).         --
-- Please do not strip this note from this list when passing it on.   --

ARC (.arc)
    This format is most popular on PCs. Compresses and stores multiple files in a single archive.
        PC      - arc 6.02, pk361
        Mac     - ArcMac 1.3c
        Unix    - arc 5.21
        VM/CMS  - arcutil
        Amiga   - Arc 0.23, PKAX
        VMS     - arcvms
        Apple2  - dearc
        Atari   - arc 5.21b, pkunarc
        OS/2    - arc2

ARJ (.arj)
    ARJ is a new archive format for DOS. Compresses and stores multiple files in a single archive. The author is Robert K Jung, robjung@world.std.com.
        PC      - arj 2.41a (arj241a.exe)
        Unix    - unarj 2.41
        Amiga   - unarj 0.6

BinHex (.hqx)
    A Macintosh format. Converts a binary Mac file, including data and resource forks, into an archive of only printing ASCII characters.
    Note that BinHex4.0 will create and decode the ASCII hqx encoding used on Usenet, while BinHex5.0 will decode the ASCII hqx encoding but will create a non-ASCII binary file.
        PC      - xbin 2.3
        Mac     - BinHex4.0, BinHex5.0, StuffIt 1.6, Compact Pro 1.32
        Unix    - mcvert
        VM/CMS  - binhex

binscii ( )
    A favorite Apple2 file transmission format. Similar to uu{en,de}code except it can handle multiple files in a single package.
        Apple2  - binscii

Compact Pro (.cpt)
    A new Macintosh format. Compresses and stores multiple files in a single archive.
        Mac     - Compact Pro 1.32, Extractor 1.21
        PC      - EXTRACT

compress (.Z)
    A Unix format. Compresses a single file in an archive.
        PC      - u16, comprs16, comp430d
        Mac     - MacCompress3.2A
        Unix    - compress
        VM/CMS  - compress
        Amiga   - compress
        VMS     - lzcomp
        Apple2  - compress
        Atari   - compress

Disk Masher (.dms)
    This is an Amiga format. Compresses and stores an entire floppy in a single archive.
        Amiga   - DMS

GZIP (.gz, .z, .tar.z, .tar.gz, .tgz)
    The GNU implementation of ZIP. Replaces Unix "compress" for GNU software. The last three file extensions above are for gzip'd tape archives.
        Unix    - gzip 1.2.4
        PC      - gzip 1.2.4
        OS/2    - gzip 1.2.4
        VMS     - gzip 1.2.4
        Amiga   - gzip 1.2.4
        Atari   - gzip 1.2.4
        Primos  - gzip 1.2.4

HPACK (.hpk)
    A multi-system archiver. Shareware.
        PC      - hpack 0.79a0
        Mac     - hpack 0.79a0
        Unix    - hpack 0.79a0
        OS/2    - hpack 0.79a0
        Amiga   - hpack 0.79a0
        Atari   - hpack 0.79a0
        Archimedes - hpack 0.79a0

LHarc (.lzh)
    This format originated on PCs, and is now popular on Amigas. Compresses and stores multiple files in a single archive.
        PC      - lha 2.55b (lha255b.exe & lha255b.txt)
        Mac     - MacLHarc 0.41
        Unix    - lha 1.00
        Amiga   - LHarc 1.30 [Only .lh0 and .lh1], LhA 1.32, LZ 1.92
        Atari   - lharc113

LHWarp (.lzw)
    This is an Amiga format. Compresses and stores an entire floppy in a single archive. Better compression than plain Warp.
        Amiga   - Lhwarp

LU (.lbr)
    This is an old format that originated with CP/M. It is virtually non-existent now.
    Collects multiple files into a single archive with no compression.
        PC      - lue220
        Mac     - ArcMac 1.3c
        Unix    - lar
        VM/CMS  - arcutil
        VMS     - vmssweep

LZ (.lha .lzh)
    This format is popular on Amigas. Compresses and stores multiple files in a single archive. Will extract .lzh or .lza, and will produce .lza. Is fast when extracting files.
        Amiga   - LZ 1.92

MSX (.msx)
    A new format for CP/M machines. Is also able to extract lharc archives.
        CP/M    - PMARC and PMEXT

nupack ( )
    A favorite Apple2 archive format.
        Apple2  - nupack

PackIt (.pit)
    An old Macintosh format. Compresses and stores multiple files in a single archive.
        PC      - UnPackIt 1.0
        Mac     - PackIt3.1.3
        Unix    - unpit

PAK (.pak)
    An old PC format. Compresses and stores multiple files in a single archive. Also the name of an Amiga format which produces self-extracting archives. Also the name of a new PC format.
        PC      - PAK 2.51
        Unix    - arc 5.21
        Amiga   - PAK 1.0

shell archive (.shar, .sh)
    A Unix format. Stores multiple files in a single archive without compression.
        PC      - unshar
        Mac     - UnShar2.0
        Unix    - sh, unshar
        Amiga   - UnShar
        Apple2  - unshar
        Atari   - shar

ShrinkIt ( )
    A favorite Apple2 archive format.
        Apple2  - ShrinkIt

Squeeze (._Q_)
    An old PC (CP/M?) format. Compresses and stores multiple files in a single archive.
        PC      - sqpc131
        VM/CMS  - arcutil
        Amiga   - Sq.Usq
        VMS     - vmsusq
        Atari   - ezsqueeze

StuffIt (.sit)
    A Macintosh format. Compresses and stores multiple files in a single archive.
        PC      - mactopc, UnStuffit 1.0
        Mac     - StuffIt 1.6
        Unix    - unsit
        Amiga   - unsit

tape archive (.tar)
    A Unix format. Stores multiple files in a single archive without compression.
        PC      - tar, tarread, pax, pdtar
        Mac     - UnTar2.0
        Unix    - tar, GNU tar
        Amiga   - TarSplit, pax, GNUtar 1.09
        VMS     - vmstar
        Atari   - sttar

uuencode (.uu, .uue)
    A Unix format. Converts a binary file into an archive of only printing ASCII characters suitable for mailing.
        PC      - uuexe 5.15
        Mac     - UMCP Tools 1.5.1
        Unix    - uuencode, uudecode
        VM/CMS  - arcutil
        Amiga   - uuencode, uudecode
        VMS     - uudecode2.
        Apple2  - uu.en.decode

Warp (.wrp)
    This is an Amiga format. Compresses and stores an entire floppy in a single archive.
        Amiga   - WarpUtil

xxencode (.xx, .xxe)
    A Unix format. Converts a binary file into an archive of only printing ASCII characters suitable for mailing. Solves many of the problems of uuencode.
        PC      - uuexe 5.15
        Unix    - xxencode, xxdecode
        VM/CMS  - xxencode

ZIP (.zip)
    This format is popular on many systems. Compresses and stores multiple files in a single archive.
        PC      - PKZIP/PKUNZIP 2.04g, Portable unzip 5.1, Portable zip 2.0
        Mac     - UnZip1.02c
        Unix    - Portable unzip 5.1, Portable zip 2.0
        VM/CMS  - arcutil 2.0 (uncompress only)
        Amiga   - PKAZip 1.01, Portable unzip 5.1, Portable zip 2.0
        Atari   - STZip 0.9 beta
        VMS     - Portable unzip 5.1, Portable zip 2.0
        OS/2    - PKZIP/PKUNZIP 1.02, Portable unzip 5.1, Portable zip 2.0

ZOO (.zoo)
    This format is popular on USENET. Compresses and stores multiple files in a single archive.
        PC      - zoo 2.10
        Mac     - MacBooz2.1
        Unix    - zoo 2.10
        VM/CMS  - zoo
        Amiga   - zoo 2.10
        VMS     - zoo 2.10
        Atari   - zoo 2.10
        OS/2    - zoo 2.10

ZOOM (.zom)
    This is an Amiga format. Compresses and stores an entire floppy in a single archive. Not in common use due to program speed.
        Amiga   - zoom

------------------------------

Date: Thu, 02 Jun 94 10:33:35 -1000
From: Jim Wright
Subject: Apple II Anti-viral archive sites last changed 04 August 1993

Apple II Anti-viral archive sites last changed 04 August 1993

brownvm.bitnet
    Chris Chung
    Access is through LISTSERV, using SEND, TELL and MAIL commands.
    Files are stored as apple2-l xx-xxxxx where the x's are the file number.

uk.ac.hensa.micros
    HENSA/micros Managers
    Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
    NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
    FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
    GOPHER:    address micros.hensa.ac.uk, port 70
    Software archive for UK higher education sector. Anti-Viral stuff is not collected into a distinct area. Hostname is in UK format.
    (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date: Thu, 02 Jun 94 10:36:07 -1000
From: Jim Wright
Subject: Unix security archive sites last changed 18 July 1993

Unix security archive sites last changed 18 July 1993

cert.org
    Ed DeHart
    Accessible through anonymous ftp, IP number 192.88.209.5
    A number of directories can be found in ~ftp/pub/tools.

funic.funet.fi
    Jyrki Kuoppala
    Accessible through anonymous ftp, IP number 128.214.6.100.
    Directory pub/unix/security contains programs to help in security, pub/doc/security contains various documents about security in general and unix security (like the worm documents).

wuarchive.wustl.edu
    Chris Myers
    Accessible through anonymous ftp, IP number 128.252.135.4.
    A number of directories can be found in ~ftp/usenet/comp.virus/*.

------------------------------

Date: Thu, 02 Jun 94 10:33:05 -1000
From: Jim Wright
Subject: Amiga Anti-viral archive sites last changed 04 August 1993

Amiga Anti-viral archive sites last changed 04 August 1993

ms.uky.edu
    Sean Casey
    Access is through anonymous ftp. The Amiga anti-viral archives can be found in /pub/amiga/Antivirus. The IP address is 128.163.128.6.

phil.utmb.edu
atlantis.utmb.edu
    John Perry
    David M. Stoner
    These sites can be reached through anonymous ftp. The Amiga anti-viral archives can be found in the directory /pub/virus-software/amiga. The IP address for phil is 129.109.9.22. The IP address for atlantis is 129.109.12.7. phil.utmb.edu runs gopher-server software which can be used to access the archives.

uk.ac.hensa.micros
    HENSA/micros Managers
    Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
    NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
    FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
    GOPHER:    address micros.hensa.ac.uk, port 70
    Software archive for UK higher education sector. Anti-Viral stuff is not collected into a distinct area. Hostname is in UK format.
    (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date: Thu, 02 Jun 94 10:34:05 -1000
From: Jim Wright
Subject: Atari ST Anti-viral archive sites last changed 04 August 1993

Atari ST Anti-viral archive sites last changed 04 August 1993

atari.archive.umich.edu
    Jeff Weiner
    Service via FTP and mail, FTP preferred. Login as "anonymous", password is your mail address.
    For instructions on the mail server, send the message help to
    "Index" contains complete listing with descriptions.
    "CompInd.Z" contains same list but is compressed.
    "ls-lR.Z" contains compressed ls -lR listing.
    All anti-viral material is contained in ~atari/utilities/virus
    The IP number for this site is 141.211.164.8, but may change.

twitterpater.Eng.Sun.COM
    Steve Grimm
    Access to the archives is through mail server.
    For instructions on the archiver server, send help to

uk.ac.hensa.micros
    HENSA/micros Managers
    Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
    NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
    FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
    GOPHER:    address micros.hensa.ac.uk, port 70
    Software archive for UK higher education sector. Anti-Viral stuff is not collected into a distinct area. Hostname is in UK format.
    (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date: Thu, 02 Jun 94 10:34:36 -1000
From: Jim Wright
Subject: Anti-viral Documentation archive sites last changed 17 May 1994

Anti-viral Documentation archive sites last changed 17 May 1994

cert.org
    Kenneth R. van Wyk
    Access is available via anonymous ftp, IP number 192.88.209.5.
    This site maintains archives of all VIRUS-L digests, all CERT advisories, as well as a number of informational documents.
  VIRUS-L/comp.virus information is in:
    pub/virus-l/archives
    pub/virus-l/archives/predig
    pub/virus-l/archives/1988
    pub/virus-l/archives/1989
    pub/virus-l/archives/1990
    pub/virus-l/archives/1991
    pub/virus-l/archives/1992
    pub/virus-l/archives/1993
    pub/virus-l/docs
    pub/virus-l/docs/reviews
  CERT information is in:
    pub/cert_advisories
    pub/cert-tools_archive

corsa.ucr.edu
  Kevin Marcus
  Access is available via anonymous ftp, IP number 138.23.166.133.
  This site maintains archives of all VIRUS-L digests and a number of
  informational documents.
  VIRUS-L/comp.virus information is in:
    /pub/anti-virus-tools
    /pub/virus-l/{ 1988 - 1994 }
    /pub/virus-l/predig
    /pub/virus-l/index.appleyard
    /pub/virus-l/predig.digested
    /pub/virus-l/docs/misc
    /pub/virus-l/docs/reviews/{ amiga | atari | books | mac | pc }
    /pub/virus-l/docs/slade.cvp.articles
    /pub/virus-l/docs/vtc/tests
    /pub/virus-l/docs/vtc

csrc.ncsl.nist.gov
  John Wack
  This site is available via anonymous ftp, IP number 129.6.54.11.
  The archives contain all security bulletins issued thus far from
  incident response teams (CERT, CIAC, FIRST members). It also contains
  many security-related publications and resource information about
  viruses and other threats, as well as archives of VIRUS_Ls and RISK
  forums. The NIST computer security BBS is also accessible from this
  system by logging in to account 'bbs'.

ftp.informatik.uni-hamburg.de
  Virus Test Center, Faculty for Informatics, University of Hamburg
  Vogt-Koelln-Str. 30, D22527 Hamburg, Germany
  Prof. Dr. Klaus Brunnstein, Vesselin Bontchev,
  Dr. Simone Fischer-Huebner, Wolf-Dieter Jahn
  brunnstein@rz.informatik.uni-hamburg.dbp.de
  bontchev@fbihh.informatik.uni-hamburg.de
  A large number of technical and accurate descriptions of viruses
  affecting Mac, MSDOS, Amiga, Atari, Unix, etc. systems.
  Look in the directory /pub/virus/texts.
  The IP address is 134.100.4.42.
uk.ac.hensa.micros
  HENSA/micros Managers
  Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
  NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
  FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
  GOPHER:    address micros.hensa.ac.uk, port 70
  Software archive for UK higher education sector.
  Anti-Viral stuff is not collected into a distinct area.
  Hostname is in UK format.
  (This site previously known as uk.ac.lancs.pdsoft.)

unma.unm.edu
  Dave Grisham
  This site has a collection of ethics documents. Included are
  legislation from several states and policies from many institutions.
  Access is through ftp, IP address 129.24.8.1.
  Look in the directory /ethics.

------------------------------

Date: Thu, 02 Jun 94 10:35:37 -1000
From: Jim Wright
Subject: Macintosh Anti-viral archive sites last changed 10 May 1994

Macintosh Anti-viral archive sites
last changed 10 May 1994

dftnic.gsfc.nasa.gov
  Brian Lev
  This site offers the "MacDefender" package (formerly "MacSecure"),
  made up of John Norstad's Disinfectant and Brian Lev's "MacHelper"
  Hypercard stack.
  Floppy disk:
    NASA Automated Systems Incident Response Capability
    c/o Hughes STX Corp.
    7701 Greenbelt Road, Suite 400
    Greenbelt, MD 20770
    (Attn: Brian Lev)
  DECnet Copy from DFTNIC::DISK$MOE:[ANONYMOUS.FILES.SOFTWARE.MAC]
    BinHex (ASCII) format as MACDEFENDER.HQX
    binary format as MACDEFENDER.HQX
  Anonymous FTP from DFTNIC.GSFC.NASA.GOV (128.183.10.3)
    BinHex (ASCII) format as [.FILES.MAC]MACDEFENDER.HQX
    binary format as [.FILES.MAC]MACDEFENDER.HQX

ftp.technion.ac.il
  Al Hartshorn
  This site can be reached through anonymous ftp.
  The Macintosh anti-viral archives can be found in the directory
  /pub/unsupported/mac/info-mac/virus.
  No uploads are permitted at this time.
  The IP address is 132.68.1.10.
ifi.ethz.ch
  Danny Schwendener
  Interactive access through DECnet (SPAN/HEPnet):
    $SET HOST 57434 or $SET HOST AEOLUS
    Username: MAC
  Interactive access through X.25 (022847911065) or
  Modem 2400 bps (+41-1-251-6271):
    # CALL B050
    Username: MAC
  Files may also be copied via DECnet (SPAN/HEPnet) from
    57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

phil.utmb.edu
atlantis.utmb.edu
  John Perry
  David M. Stoner
  These sites can be reached through anonymous ftp.
  The Macintosh anti-viral archives can be found in the directory
  /pub/virus-software/macintosh.
  The IP address for phil is 129.109.9.22.
  The IP address for atlantis is 129.109.12.7.
  phil.utmb.edu runs gopher-server software which can be used to
  access the archives.

rascal.ics.utexas.edu
  Macintosh Archivist
  Access is through anonymous ftp, IP number is 128.83.138.20.
  Archives can be found in the directory mac/virus.

src.doc.ic.ac.uk
  wizards@doc.ic.ac.uk
  Automatically maintained mirror copy of the sumex archive.
  Gopher access from src.doc.ic.ac.uk.
  Anonymous FTP from src.doc.ic.ac.uk (146.169.2.10)
    cd packages/info-mac/virus
  Janet NIFTP (for UK users)
    Host: uk.ac.ic.doc.src
    User: guest
    Pass: your email address
    Path: packages/info-mac/virus
  ISO FTAM
    Janet Addr: 000005102000
    IXI Addr: 204334504108
    Internet Addr: 146.169.2.1 [not ...10!]
    User: anon
    Path: packages/info-mac/virus
  Interactive
    Janet: pad uk.ac.ic.doc.src (00000510200001)
    Internet: telnet src.doc.ic.ac.uk [146.169.2.10], User: sources
    ISO VT (see FTAM for addresses), User: sources

sumex-aim.stanford.edu
  Bill Lipa
  Access is through anonymous ftp, IP number is 36.44.0.6.
  Archives can be found in /info-mac/virus.
  Administrative queries to .
  Submissions to .
  There are a number of sites which maintain shadow archives of the
  info-mac archives at sumex:
    * MACSERV@PUCC services the Bitnet community
    * LISTSERV@RICEVM1 for e-mail users (Bitnet)
    * listserv@ricevm1.rice.edu for e-mail users (Internet)
    * FILESERV@IRLEARN for folks in Europe

uk.ac.hensa.micros
  HENSA/micros Managers
  Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
  NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
  FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
  GOPHER:    address micros.hensa.ac.uk, port 70
  Software archive for UK higher education sector.
  Anti-Viral stuff is not collected into a distinct area.
  Hostname is in UK format.
  (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date: Thu, 02 Jun 94 10:35:06 -1000
From: Jim Wright
Subject: IBMPC Anti-viral archive sites last changed 10 May 1994

IBMPC Anti-viral archive sites
last changed 10 May 1994

phil.utmb.edu
atlantis.utmb.edu
  John Perry
  David M. Stoner
  These sites can be reached through anonymous ftp.
  The IBMPC anti-viral archives can be found in the directory
  /pub/virus-software/pc.
  The IP address for phil is 129.109.9.22.
  The IP address for atlantis is 129.109.12.7.
  phil.utmb.edu runs gopher-server software which can be used to
  access the archives.

ftp.cso.uiuc.edu
  Mark Zinzow
  This site can be reached through anonymous ftp.
  The IBMPC anti-viral archives are in /pc/virus.
  The IP address is 128.174.5.61.

ftp.funet.fi
  Tapio Keihanen
  This site (in Finland) can be reached through anonymous ftp.
  The IBMPC anti-viral archives mirrored from SimTel are in directory
  /pub/msdos/SimTel/virus.
  Other IBMPC anti-viral archives are in directory
  /pub/msdos/utilities/virus.
  The IP address is 128.214.6.100.

ftp.informatik.uni-rostock.de
  Virus Test Center
  This site can be reached through anonymous ftp.
  The IBMPC anti-viral archives can be found in /pub/antivirus.
  The IP address is 139.30.5.23.
ftp.technion.ac.il
  Al Hartshorn
  This site can be reached through anonymous ftp.
  The IBMPC anti-viral archives can be found in the directories
  /pub/unsupported/dos/simtel/virus and /pub/supported/McAfee.
  No uploads are permitted at this time.
  The IP address is 132.68.1.10.

ftp.twi.tudelft.nl
  Piet de Bondt
  This site can be reached through anonymous ftp.
  The IBM-PC anti-viral archives are in /pub/msdos/virus and contain
  subdirs for TBAV (directly from authors), McAfee (mirror) and others
  (F-Prot, Integrity Master, VSumX, ...)
  WWW (World wide web): telnet www.twi.tudelft.nl
  The IP address is 130.161.156.11

garbo.uwasa.fi
  Harri Valkama
  This site can be reached through anonymous ftp and mail server.
  The IBMPC anti-viral archives can be found in pc/virus.
  For information on the mail server, send a message to
  mailserv@garbo.uwasa.fi with the subject line garbo-request and
  the body of the message send help
  The IP address is 128.214.87.1.

hemkosys.com
  ADMIN: Patrick Rada, Peter Mahr, Michael Sullivan
    via Internet at or via Netware MHS at
  LIB:
    Internet
    Netware MHS
  This site is directly accessible from Netware MHS email.
  Access is through a mail-server. For a list of available items,
  send a message to the LIB address with the word INDEX in the
  subject line.

risc.ua.edu
  James Ford
  This site can be reached through anonymous ftp.
  The IBM-PC anti-virals can be found in pub/ibm-antivirus.
  Uploads to pub/00uploads. Uploads are screened.
  Requests to JFORD@UA1VM.BITNET for UUENCODED files will be filled
  on a limited basis as time permits.
  The IP address is 130.160.4.7.
SimTel
  Keith Petersen
  For security reasons the SimTel Software Repository is located on a
  host that is not accessible by Internet users, however its files are
  available by anonymous ftp from the primary mirror site
  OAK.Oakland.Edu (141.210.10.117), and secondary mirror sites
  wuarchive.wustl.edu (128.252.135.4), archive.orst.edu (128.193.2.13),
  ftp.uu.net (192.48.96.9), ftp.funet.fi (128.214.6.100),
  src.doc.ic.ac.uk (146.169.2.1), ftp.switch.ch (130.59.1.40),
  archie.au (139.130.4.6), NCTUCCCA.edu.tw (140.111.1.10),
  ftp.technion.ac.il (132.68.1.10), by Gopher from Gopher.Oakland.Edu,
  or by e-mail through the BITNET/EARN file servers.
  The anti-viral archives are in /pub/msdos/virus on OAK; other sites
  may vary.

uk.ac.hensa.micros
  HENSA/micros Managers
  Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
  NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
  FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
  GOPHER:    address micros.hensa.ac.uk, port 70
  Software archive for UK higher education sector.
  Anti-Viral stuff is not collected into a distinct area.
  Hostname is in UK format.
  (This site previously known as uk.ac.lancs.pdsoft.)

urvax.urich.edu
  Claude Bersano-Hayes
  This site can be reached through anonymous ftp.
  The IBM-PC anti-virals can be found in [MSDOS.ANTIVIRUS].
  The IP address is 141.166.36.6.
------------------------------

End of VIRUS-L Digest [Volume 7 Issue 42]
*****************************************

VIRUS-L Digest   Friday, 24 Jun 1994   Volume 7 : Issue 43

Today's Topics:

Re: Hobbes McAfee File Infected??? (PC)
GOOD vs. BAD HUH?
Viruses = Commercial Opportunity?
Re: GOOD vs. BAD HUH?
Anonymous FTP Site Distributing Viruses?
re: Stealth and Self-encryption
Benign viruses
Re: Stealth and Self-encryption
Re: Stealth and Self-encryption
re: OS/2 Viruses? Are there any of those? (OS/2)
ANSI bomb (PC)
Crusander Virus on CD (PC)
What is name of Newest F-Prot? (PC)
Viruses - Pathogen (PC)
New Viruses (PC).
Re: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20 (PC)
Re: Gateway 2000 Europe preloaded virus report (PC)
Re: What about long partitions (PC)
VirStop and IBM model 40SX (PC)
Re: antivirus products (PC)
Re: Aragon Virus (PC)
What about long partitions (PC)
Re: FYI: New PC Virus alert (PC)
Re: Gateway 2000 Europe preloaded virus report (PC)
Re: Virruses - Pathogen (PC)
Re: antivirus products (PC)
Re: Help re Genb (PC)
Re: good virus protection (PC)
Why so many Leprosy viruses?
(PC)
Re: SCAN V115 gives false Budo (B2) alarm with IBM PC DOS 3.3 (PC)
Possible D-Day Virus? (PC)
re: FLIP and CANSU (V-SIGN) viruses (PC)
re: Monkey Virus (PC)
Re: HELP: How add code into .EXE ? (PC)

----------------------------------------------------------------------

Date: Thu, 23 Jun 94 10:16:17 -0400
From: ldhagen@crl.com (Lance D. Hagen)
Subject: Re: Hobbes McAfee File Infected??? (PC)

[Moderator's note: Since this message was posted several days ago, I
presume that the problem - if there was indeed a problem - has been
fixed. I'd appreciate it, however, if someone could follow-up with a
verification.]

I can confirm the problem has been addressed on the Hobbes site. I
E-mailed the site immediately and they also reproduced the "Scum of
Europe" PKUNZIP wrapper (authentication) message.
No mention was made of the lock-up I experienced, (apparently,
associated with a change in my DOS (running under OS/2) path---until I
cleaned up, the subdirectory containing PKUNZIP, which is in my path
statement, was unrecognized by the OS). Can't say this was a virus
(system scans clean now), but both the Hobbes site and I have vaporized
that file.

Lance D. Hagen
73500.2276@compuserve.com
ldhagen@crl.com
San Antonio
(210) 366-3382

------------------------------

> it seems to me that recently there is a lot of interest in the
> concept of "good viruses".

There are a lot of posts by people who wish to promote the idea of
"good viruses" for one reason or another (my guess is self-justification
or trying to deal with guilt feelings) and there are a lot of other
posts saying "Rubbish, there's no such thing as a good virus". I don't
call either of these "interest". The first is self serving and the
second is negative, a denial of interest. Show me a "good virus" that
people are clamouring to have on their computers for the benefits it
brings, and I will concede there is interest.

- --
Iolo Davidson - "My boss made me say it. She dares you to sue."

------------------------------

Date: Fri, 03 Jun 94 03:28:19 -0400
From: tluten@news.delphi.com (TLUTEN@DELPHI.COM)
Subject: Viruses = Commercial Opportunity?

First, my greetings and apologies to the regulars in this area. I'm new
to the net, and came principally because I thought I'd find a group of
accessible experts here. I think I have.

I may have an opportunity to do some work with a start-up that wants to
market a new(ly available in the US) anti-virus package. The thing that
puzzles me about the market is that a few years ago, I was acutely aware
of viruses: Michaelangelo, Stoned, etc., etc. I read about 'em in the SF
Chron regularly. Now I don't see the coverage. Partly my reading has
changed. But has the environment too?
I read that Windows viruses basically don't work (they crash the
system?). Has the success of Windows made viruses a non-issue?

I read that three dozen viruses do all the damage (Jerusalem, Dark
Avenger, etc. etc.) Has the world gotten used to that?

Three years ago when Michaelangelo's birthday was nigh, I bought
Flu-Shot and Norton AV. Haven't had problems since. Did everyone else
too?

The thrust of my question is: does the world want/need another AV
product, even one that's betterfastercheapersmarter? Obviously, there
are always some buyers for almost anything you can think of. But that
doesn't make a business.

All reactions welcomed.

------------------------------

Date: Fri, 03 Jun 94 14:43:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

vfr (vfr@netcom.com) writes:

> why? i may tend to agree, in my personal opinion, such things are
> more efficiently, in some cases, done by non replicating programs.
> but then, there is the definition of 'efficiently' :) why
> do you think it *must* be done better (define better please)
> by a replicating program in order to be "good" virus; and, why must
> this be the case to make it economically effective?

If a non-viral program is going to do a better job, what is the point
of using a virus in the first place, even if it claims to be a
beneficial one?

> it seems to me that recently there is a lot of interest in the
> concept of "good viruses". i have read dr. cohen's posts and think
> again, its a problem of definition.

Yep, this is what I am saying all the time. What he understands under
the term "computer virus" and what most users understand under the term
"(real) computer virus" are two very different things.

> we hear the word 'virus' and then
> get frantic. 'not another of those viruses!'.

Indeed.
That is why any beneficial program that uses some self-replicating
mechanism should call itself something else - "agent" or "vitamin" or
whatever, but not "virus" or "worm", because those terms are already
loaded with negative meaning in the point of view of the general public.

> what i see you saying above, and correct me please if i am wrong,
> is that you agree there can be good viruses, depending on the
> definition of virus.

Yes, I do. I know several useful programs that do fit in Dr. Cohen's
definition of the term "computer virus". DISKCOPY is one of them. :-)

> if the definition is solely that it must
> be capable of replicating, then are you saying such a virus is possible?

If the definition is that "it must be able to replicate itself UNDER
SOME CONDITIONS", then yes, I am saying that such a beneficial virus is
possible. However, I do not think that such a definition is very useful
for practical purposes. It is too broad and it includes the nasty little
programs that we are calling "real viruses" and which can NEVER be
beneficial.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Fachbereich Informatik - AGN
Vogt-Koelln-Strasse 30, rm. 107 C
22527 Hamburg, Germany
Tel.:+49-40-54715-224, Fax: +49-40-54715-226
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
< PGP 2.3 public key available on request. >

------------------------------

Date: Fri, 03 Jun 94 17:02:26 -0400
From: Rick Schott
Subject: Anonymous FTP Site Distributing Viruses?

One of our system programmers saw and heard part of a news article on
the Detroit NBC TV affiliate last night (Th 06/02/94, 6 pm), about an
anonymous FTP site that has virus samples. Unfortunately, he didn't get
any further details. Does anyone have any details about this?

Thanks.

Rick

------------------------------

Date: Tue, 21 Jun 94 12:36:29 -0400
From: "David M.
Chess"
Subject: re: Stealth and Self-encryption

>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
>This may be an ignorant question, but can anyone please explain
>the difference between stealth techniques and self-encryption?
>Is either one something to do with making a DIR command (for
>example) not include the extra size due to the virus?

See (B4) and (B5) in the VIRUS-L/comp.virus FAQ list. There are various
degrees of stealth, ranging from a simple length-stealth that just makes
DIR lie about the length of infected files, to a full content-stealth
that makes the file look clean if you read it with the virus active. The
more complex the stealthing, in general, the less likely infected
systems are to run correctly for very long (i.e. complex stealthing
tends to lead to buggy virus behavior). Self-encryption, on the other
hand, attempts to hide the virus from scanners even if the virus is not
active in memory, by making every infected file look very different from
every other.

DC

------------------------------

Date: Tue, 21 Jun 94 12:37:25 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Benign viruses

From: "Fredrick B. Cohen"

>Computer viruses are computer programs that reproduce. Some of these viruses
>are intended to harm people by damaging their information systems, and we call
>them malignant. Other viruses are intended to demonstrate a concept, to
>explore issues in artificial life, or even to do useful functions. We call
>them benign.

I have no problem with this except would make a teensy change:

"Other viruses are intended to demonstrate a concept, to explore
issues in artificial life, or even to do useful functions and do not
                                                          ^^^^^^^^^^
deliberately cause damage. We call them benign."
^^^^^^^^^^^^^^^^^^^^^^^^^

STONED is probably a good example of a virus that does not cause any
deliberate damage and you could say that it was intended to demonstrate
a concept so "we" could call it benign ?
Still have yet to see a virus that does not screw something up (am
willing to entertain the concept, just have not seen any in practice).
Have not even had to leave home to find something that every virus I
have seen screws up. (usually need go no further than Windoze or Word
Perfect)

Further, I do not consider the average user capable of deciding if
something is safe or not (and most that I have asked agree with me).
*They should not have to be* any more than the driver of a car needs to
be able to decide what a sufficient brake rotor size is for their car.
Of course there is no NHTSA, SEMA, or SAE for PCs.

Bemusedly,
                Padgett

------------------------------

Date: Tue, 21 Jun 94 12:46:25 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Stealth and Self-encryption

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:
>Hi,
>This may be an ignorant question, but can anyone please explain
>the difference between stealth techniques and self-encryption?

totally different.

stealth: involves intercepting open/read/findfile requests, in order to
return information indicating no virus is present...subtract virus size
from (real) file size, for example. primarily effective against
integrity checkers...does not bother scanners.

self-encryption: the virus code is encrypted so that samples look
different, if the encryption is polymorphic the different samples have
no search string in common. Does not bother integrity checkers, but
complicates things for scanners.

- -frisk

------------------------------

Date: Tue, 21 Jun 94 14:34:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stealth and Self-encryption

Chris Sexton (itxcs@upsyc.psychology.nottingham.ac.uk) writes:

> This may be an ignorant question, but can anyone please explain
> the difference between stealth techniques and self-encryption?

Both techniques, as well as many other interesting and useful topics
are addressed in the FAQ.
Get it and read it - it's worth the effort.

In short, "stealth" is the capability of a virus, when active in memory,
to intercept the access requests to the objects infected by it and to
modify them in such a way, as to make those objects look uninfected to
the originator of the requests. Encryption ("encoding" is probably a
more exact term) is the capability of a virus to scramble its code in a
way that makes it look different from the original, in order to
obfuscate its contents.

> Is either one something to do with making a DIR command (for
> example) not include the extra size due to the virus?

Yes, this is stealth, or more exactly, a (minor) degree of it. Viruses
that have only this property are called "semi-stealth". "Full-stealth"
viruses also return the original (uninfected) object (file or boot
sector), regardless of how you access it - Read, Write, Seek, etc.

> What does either method involve?

Stealth involves interception of some DOS functions and/or interrupts
and modifying the result that they return. Encryption involves applying
a (usually simple) scrambling function (like XOR with a key) to the
virus body.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Fachbereich Informatik - AGN
Vogt-Koelln-Strasse 30, rm. 107 C
22527 Hamburg, Germany
Tel.:+49-40-54715-224, Fax: +49-40-54715-226
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
< PGP 2.3 public key available on request. >

------------------------------

Date: Tue, 21 Jun 94 12:36:55 -0400
From: "David M. Chess"
Subject: re: OS/2 Viruses? Are there any of those? (OS/2)

>From: "."
>I'd like to know if there are any OS/2 viruses?
>As far as I know, DOS viruses use TSR in order to stay in memory
>and infect other programs. OS/2 doesn't have TSRs

There are two known OS/2 viruses, both distributed as source code, and
(IMHO) unlikely to spread beyond the first generation.
Both are non-resident viruses, of the "replace every EXE file in the
current directory with a copy of me" variety (one of them preserves the
original function of the infected EXE, one does not). In the DOS world,
such viruses rarely if ever become real problems.

DC

------------------------------

Date: Thu, 02 Jun 94 18:07:06 -0400
From: id@mist.demon.co.uk (Iolo Davidson)
Subject: ANSI bomb (PC)

> A virus must be able to replicate. An ANSI bomb isn't.

I believe Dr. Solomon has seen an ANSI bomb which could launch an
executable contained in part of the ANSI "text" file. I don't remember
if the example he had contained a virus or not, but it could easily have
done so. It would not have been self-replicating for the ANSI bomb
itself perhaps, but could have been a dropper for a virus.

- --
Iolo Davidson - "My boss made me say it. He dares you to sue."

------------------------------

Date: Thu, 02 Jun 94 21:08:24 -0400
From: pi@EUROPE.pha.oche.de (P. Immond)
Subject: Crusander Virus on CD (PC)

Crusander Virus on CD

Name of CD: ,,Die DFUe-CD - die Welt der DatenFernUebertragung''
Publisher : mediaplex
where?    : Subdir *19* File *sport21c.zip*
What?     : sport21c.zip should be a program to test the serial port

In this ZIP are packed:
  install.com
  document.co_
  sports.co_
  sport21c.exe

document.co_ and spots.co_ are PKLITE-compressed COM files which carry
the Crusander (Butterfly) virus. As they are COM files compressed by
PKLITE they were not detected. After de-compressing, the words ,,Hurray
the Crusaders'' are readable with a hex editor and the virus will be
detected.

Additional problem: The CD has a pre-installed version of the
RemoteAccess mailbox software which uses those files in sport21c.zip
directly from the CD as its file base. So every installation of that
BBS program directly from the CD will push the virus.
(Original by Hein(t)z Mueller
 Tel: (+49) 5251 835137  Fax: (+49) 5251 835104
 Email: hmueller.pad@sni.de | USA: hmueller.pad@sni-usa.com)

Regards, Peter

AACHEN/GERMANY: EUROPE.pha.oche.de +49-241-922444 V32b/V42b 19.2 X75 + FAX
AVN AntiVirusNetwork Host & Archive   MyBOX 0.9e: Z3.8 * JANUS2 * QM * GSMAIL
HUERTH/GERMANY: FREEPORT.pha.oche.de +49-2233-66968 V32b/V42b ZyX 19.2 + FAX

------------------------------

Date: Thu, 02 Jun 94 23:07:41 -0400
From: rniess@whale.st.usm.edu (Rick Niess)
Subject: What is name of Newest F-Prot? (PC)

Hi All,

Ok, for weeks now my copy of VIRSTOP has been screaming about being
outdated, but after several uneventful archies as well as several
questionings of friends, I have been unable to locate the latest version
of the F-PROT package. Could someone PLEASE clue me in as to where to
get it from (FTP site, would be nice)?

Thanx...
~ Rick Niess ~

--
Rick C. Niess
rniess@whale.st.usm.edu
"Press any key to continue, or any other key to quit." -anonymous

------------------------------

Date: Fri, 03 Jun 94 03:30:19 -0400
From: riordan@tmxmelb.mhs.oz.au (Roger Riordan)
Subject: Viruses - Pathogen (PC)

Subject: Re: Virruses(!) - Pathogen (PC)

datadec@ucrengr.ucr.edu (Kevin Marcus) writes
> BRAYMANR@DELPHI.COM wrote:
> >Can anyone give me the specs on the Pathogen virus. I am studying it
> >and collecting information eventually so that I might write a virus
> >disinfectant.
>
> Well, I have not personally gotten around to analyzing this virus, but
> from what I have seen/heard:
>
> It uses a polymorphic engine called, "SMEG", and I believe there are
> currently two viruses out there using the engine.
> It is supposed to be
> a lot more nasty than, for example, MtE, throwing in bogus calls to dos,
> like "get version number" and similar "real program like" code segments.
> Apparently, it was generated with the purpose of causing false
> positives.

SMEG was no doubt designed to be difficult to detect, but the designers
went way overboard, with the result that it is in fact quite easy to
detect (and far less nasty than TPE). It uses an extremely variable (and
extremely long) decryptor, but this consists almost entirely of
instructions like MOV, INC, DEC, ADD, ROL, SHR. Some of these read from
memory, but in almost all cases the destination is a register, and the
results are almost always ignored. There are fairly frequent forward
jumps round small do-nothing subroutines, which are called from further
on. The decryption loop is closed in a variety of non-obvious ways, such
as MOV DX,XXXX .... JMP DX, and PUSH CS ... PUSH AX ... RET FAR. The
decryption loop can contain more than 400 instructions, but only about
nine of these actually do anything, and only two or three write to
memory. There are no calls to DOS, or "real program like" code segments
of any sort.

VET 7.71 will reliably detect SMEG based viruses. At this stage we have
not added disinfection procedures.

With Best Wishes,

Roger Riordan          Author of the VET Anti-Viral Software
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                          Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA  Fax: +613 521 0727

------------------------------

Date: Fri, 03 Jun 94 03:30:30 -0400
From: riordan@tmxmelb.mhs.oz.au (Roger Riordan)
Subject: New Viruses (PC).

We have just received samples of two new viruses found in the wild. Both
of these have simultaneously been reported from the US and/or Europe.

Junkie Virus; A new multipartite virus from Sweden.

Junkie is an apparently new encrypted multipartite virus claiming to be
written in Sweden. It infects .COM files only.
When you run an infected file it infects the Master Boot Record (which
includes the partition record) on the hard disk, but does nothing else.
The next time you reboot the virus goes resident in memory, and then
infects each .COM file accessed.

The virus contains the messages
  Dr White - Sweden 1994
and
  Junkie Virus - Written in Malmo...M01D.

The virus infects all 3.5" disks, but only 1.2M 5.25" disks. It does not
contain any warhead. Our sample was in a file downloaded from a
Melbourne BBS.

Mongolian Virus; A destructive new BS virus from Mongolia.

This is a fairly primitive boot sector virus. It is fairly obvious, as
it causes a great deal of additional disk activity when running programs
from floppy disks, but it has a nasty warhead. If the PC is switched on
on May 30th the virus overwrites the first 17 sectors of each partition
on the hard disk, and then overwrites the Master Boot Record. Finally it
displays the message
  Mongolain Virus VERSION 1.00
  Mongolian Brain Co.Ltd 1992
  Today is birthday of my babby!!!

Our sample was on a 1.44M disk, & we could not infect a 720K disk. (Dave
Chess, of IBM, has pointed out this is due to a bug in the virus.) Only
a small section of the normal boot sector is overwritten, and the boot
sector appears normal if viewed with a disk editor. Our sample was found
in Canberra.

VET 7.713 can recover files/disks infected with both viruses.

With Best Wishes,

Roger Riordan          Author of the VET Anti-Viral Software
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                          Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA  Fax: +613 521 0727

------------------------------

Date: Fri, 03 Jun 94 16:56:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20 (PC)

Banther (sikkid@bga.com) writes:

> : a signature, heuristic and CRC scanner. It detects known, unknown and
> : future viruses. TbScanX is the resident version of TbScan.
> : TbClean is
>   ^^^^^^^^^^^^^^
> What's a future virus? :)

A known virus is an existing virus which is known to the author of the scanner. An unknown virus is an existing virus which is not known to the author of the scanner. A future virus is a virus that does not exist yet.

The above statement ("detects known, unknown, and future viruses") is a commonly used marketing trick. The idea is to fool the user into thinking that the product can detect ALL possible viruses. The statement is formally correct (i.e., it is not a lie), but should be understood as "The product detects SOME of the known viruses, SOME of the unknown viruses, and will detect SOME of the viruses written in the future". However, no marketoid worth his/her salt is going to state it in this way... :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: 06 Jun 94 10:43:08 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Gateway 2000 Europe preloaded virus report (PC)

chl@dmu.ac.uk (Conrad Longmore) writes:

> PC Week has reported that Gateway 2000 has accidentally shipped some
> machines with the Smeg polymorphic virus. According to the report,
> Gateway have recalled some of the machines that were shipped.

Text from the article actually reads:

  Gateway 2000 admitted last week that it recalled 70 machines...
  ... but the infection was not the so-called Smeg polymorphic viruses which
                            ^^^

(I know, I had to read it twice too :)

There seems to be some confusion over exactly what happened, but as far as I know, there was a *bug* in the pre-loaded software. This was confused in a game of Chinese whispers into a virus. Sigh. If you have a Gateway machine, don't panic.
Regards,
Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Fri, 03 Jun 94 17:04:31 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What about long partitions (PC)

DE KERPEL SVEN (we34329@vub.ac.be) writes:

> A virus (flip) messed with my HD now It claims that i have now long partitions
> (116MB) is reduced to 33MB (the max for normal partitions.

There was recently an article here, explaining what to do in exactly those cases. In short, check the two bytes at offset 13h and 14h of the boot sector (*not* the MBR!). If they are 0FAh, 0FFh - change them to 00, 00.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: 03 Jun 94 14:40:28 -0500
From: sullivan@cobra.uni.edu
Subject: VirStop and IBM model 40SX (PC)

Hi,

I am using F-Prot 2.12 and Virstop on our workstations on campus. In attempting to improve the level of protection we're getting, I am adding some parameters to the virstop load. I have been using the switches /disk (if there's a hard drive), /boot, /warm, and /rehook (if they're connected to a Novell network). This is fine in most cases.

However, on the few model 40SX's that I have encountered, when I have the /warm option, the diskette drive light comes on and it displays the message that it's checking the diskette drive. It stays that way until you power off. We've also seen this on one model 50, but I wasn't there and don't know that it was really narrowed down to the /warm parameter. We're running DOS 5.0.

I cut the autoload down to the bare bones to be sure the problem wasn't in the ordering of the drivers or devices.
When I boot fresh with only himem.sys, ansi.sys, setver, and emm386 and then load just virstop, the same problem happens, so I'm confident it isn't anything else I'm doing. I can continue with all of the other parameters, so it must be the /warm.

Has anyone else found this? Is it a problem with the model 40? Is there a work-around? I'd really like to be able to use this option, so if anyone has an answer, I'd appreciate the help.

Thanks
Diane
============================
sullivan@uni.edu                Diane Sullivan
ISCS NTS                        University of Northern Iowa
Cedar Falls, Iowa 50614-0121    (319) 273-6814

------------------------------

Date: Sat, 04 Jun 94 06:41:27 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: antivirus products (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>F-Check - a program from an obsolete version of the package F-Prot.

Uh, Vess, did you get a heat stroke or something in the Caribbean ? :-)

F-CHECK is in fact the major difference between the shareware F-PROT and the (regular commercial) F-PROT Pro ... it is an integrity checker with generic disinfection.

- -frisk

------------------------------

Date: Fri, 03 Jun 94 14:34:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Aragon Virus (PC)

Littlewood A (litta@esl2.NoSubdomain.NoDomain) writes:

> After downloading McAfee's latest version of scan113

The latest version is 115b, I think.

> Next I tested high memory with the flag /chkhi, after which
> scan return that it had in fact found the "Aragon" virus
> and informed me to reboot from a clean disk and rerun scan
> (also from a new clean disk).

There was a version of McAfee's SCAN in the past (I don't recall the exact version number), which gave such a false positive when scanning one of the DOS standard programs (MODE, I think). It is just possible that you don't have a virus, but are a victim of a badly selected scan string.
I would advise you to upgrade to a newer version of SCAN and try again.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Fri, 03 Jun 94 18:00:48 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: What about long partitions (PC)

> A virus (flip) messed with my HD now It claims that i have now long partitions
> (116MB) is reduced to 33MB (the max for normal partitions.
>
> FDISK reports 116MB
> Norton Disk Doctor and DOS say 33MB
>
> Need help.

Flip subtracts six sectors from the number of total sectors stored in the word at offset 13h in the DOS boot sector when it infects. This only makes sense for drives 32Mbyte or smaller. On larger volumes, this number is stored elsewhere and offset 13h holds zero. If it holds anything other than zero, DOS assumes it is a less than 32Mbyte disk and this *is* the number of sectors, hence the reduction in the size of your disk.

Cure - with a disk sector editor, change the hex "FA FF" at offset 13h in the DOS boot sector to "00 00". If you don't understand how to do this, seek expert help.

- --
Iolo Davidson - "My boss made me say it. He dares you to sue."

------------------------------

Date: Fri, 03 Jun 94 13:28:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FYI: New PC Virus alert (PC)

sweeneyp@pspdpc89.wal.ab.com (sweeneyp@pspdpc89.wal.ab.com) writes:

> CD-ROM manufacturer Chinon America, Inc. says computer vandals have
> illegally put its name on a virus-ridden file and released it on the
> Internet.

Oh, no, not again! We've already got this message twice. It is typical journalistic junk.
First, it is not a virus (it is a trojan horse), second, it is not "undetectable" (I know at least two scanners that have been detecting it for years), third, it was not "released on the Internet"... Just ignore it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Sat, 04 Jun 94 16:35:18 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Gateway 2000 Europe preloaded virus report (PC)

chl@dmu.ac.uk (Conrad Longmore) writes:

>From: chl@dmu.ac.uk (Conrad Longmore)
>Subject: Gateway 2000 Europe preloaded virus report (PC)
>Date: Thu, 2 Jun 1994 11:51:03 EDT

>PC Week has reported that Gateway 2000 has accidentally shipped some
>machines with the Smeg polymorphic virus. According to the report,
>Gateway have recalled some of the machines that were shipped. Smeg is
>reported to be a polymorphic virus written in the UK by the virus
>write called the Black Baron.

>The report indicates that the virus can be picked up by the June
>update of Sophos Sweep.

It can be found and killed also with the Dr Solomon's Anti-Virus Toolkit and I bet with several others.

Regards
Kari Laine / buster@klaine.pp.fi
LAN Vision Oy

------------------------------

Date: Fri, 03 Jun 94 16:15:17 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virruses - Pathogen (PC)

Kevin Marcus (datadec@ucrengr.ucr.edu) writes:

> It uses a polymorphic engine called, "SMEG", and I believe there are
> currently two viruses out there using the engine. It is supposed to be
> a lot more nasty than, for example, MtE, throwing in bogus calls to dos,
> like "get version number" and similar "real program like" code segments.
Hmm, I have not analysed the virus either, but I do not think that the above is correct. First, I disagree that it is more difficult to detect than the MtE. TPE 1.4 - yes, but not SMEG. Second, I do not think that it uses GetDOSVersion calls in the decryptor - are you sure that you are not confusing it with Phantom_1? But maybe I have missed something.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Sat, 04 Jun 94 06:36:01 -0400
From: tracker@netcom.com (Craig)
Subject: Re: antivirus products (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

: Untouchable - commercial, latest version I have seen was 30.01, the
: company that used to sell it was acquired by Symantec. Status -
: unknown.

Untouchable is no longer made. I called and asked Symantec about it. If Symantec still made it or even incorporated the integrity checking part of it into the next major version of NAV, they'd make mucho sales. I sure hope Jimmy Kuo of Symantec reads this and influences Symantec to follow through on this. People in the US need an excellent integrity checker like Untouchable provided. Hopefully some US company will come to the rescue.

------------------------------

Date: Fri, 03 Jun 94 16:09:28 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help re Genb (PC)

Kevin Marcus (datadec@ucrengr.ucr.edu) writes:

> This is SCAN's generic boot infector id. Basically SCAN is telling you
> that it thinks you have got a virus, but it doesn't know which one it is.

This is correct.

> This represents a somewhat serious problem; if you don't know what virus
> you have, you probably can't get rid of it.
> While CLEAN usually does a
> bit more checking before trying to disinfect, most likely, it is
> something clean can't handle.

This is also correct in principle, but it doesn't apply in this particular case. You see, when you tell CLEAN to remove a GenP or GenB virus, it begins to scan the disk until it finds something that looks like an original MBR or DBS respectively, and then moves it to replace the infected one. Therefore, it is not important whether SCAN can correctly identify the virus. What is important is whether CLEAN can find the correct boot sector. For instance, if it is encrypted somehow, this method will not work. But in many cases it does.

Curiously, if some of the virus-specific removal procedures in CLEAN are buggy (as the Michelangelo remover used to be - it used to trash 1.2 Mb floppies during disinfection), you can often use the generic disinfection (or is it heuristic disinfection?) routines of GenB/GenP.

> You should try another software package, or one that performs more exact
> identification, such as NAV 3.0 or F-Prot.

Uhm, the last time I tested it (which was damn difficult, because NAV 3.0 does not seem to be designed to be tested), NAV didn't seem to perform exact identification of *any* virus (and F-Prot identifies exactly only about 30% of the viruses it detects).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Fri, 03 Jun 94 16:46:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: good virus protection (PC)

Kevin Marcus (datadec@ucrengr.ucr.edu) writes:

> Let's say that virus scanner A detects 1000 viruses.
> However, of these
> 1000 viruses, they are all mostly available from virus BBS's, and not a
> single one has been found in the wild, ever. It is capable of removing
> each one perfectly.

> Now, comes along scanner B. Scanner B only detects 50 viruses. However,
> these viruses have all been found in the wild, there are no others that
> have ever been found in the wild which it doesn't detect [to date], and
> it is capable of removing each one perfectly.

Your mental experiment is flawed and unrealistic. In reality, things are *never* as you describe above. The producer of a scanner that is able to handle very well a lot of viruses will never choose to handle only uncommon viruses. Never. Similarly, almost nobody who bothers to enter the anti-virus market will select the B approach. I know of only one who has tried - Jim Bates has produced a scanner in the UK, which can handle *only* the viruses reported to the Computer Crime Unit at Scotland Yard. As far as I know, the scanner doesn't sell well, regardless of the fact that it is relatively cheap. Obviously, the users prefer to use better solutions, and there are solutions which are better, yet cheaper (F-Prot).

> To your end consumer, which one is best?

Neither. Both are flawed, for different reasons. I wouldn't advise anybody to rely on either of them.

> The point: If someone claims a product has poor identification and poor
> disinfection, does that necessarily mean that their product is no good?
> Absolutely not! The types and kinds of viruses detected are what matters.

Yes, it does. You cannot have good disinfection without identifying the virus you want to disinfect well enough. Therefore, someone who is making such claims is either doing false advertising, or doesn't know what s/he is talking about. In both cases it is extremely unlikely that s/he is able to produce a good anti-virus product. I have yet to see such a case.
> Additionally, scanner B will benefit from having faster scan speeds, and
> less false positives (most likely).

Not really. Let's use a realistic example. F-Prot. It detects about 96% of the 4,300 viruses in my collection, yet is extremely fast - it takes only about 20 minutes to scan about 16,000 files. And this is 16 thousand *infected* files. As you should know, scanning an infected file (if one of the modern scanning methods is used) takes more time than scanning a clean file. On clean files F-Prot is much faster.

An even faster scanner is TbScan - it achieves the above in about 5 minutes. Indeed, its detection rate is noticeably lower than F-Prot's, but it is still excellent (i.e. - above 90%). Therefore, it *is* possible to create a scanner that is both good and fast.

Shall we take another realistic example? How about NAV 3.0? Even if we ignore for a moment its brain-damaged design, which makes testing it a nearly impossible task, it scores some miserable 64% detection, yet is noticeably slower. I didn't bother to measure how much slower exactly; besides, scanner speed should not be measured on an infected system as a matter of principle.

Look, most scanners are either very good, or very bad - both in detection and speed. There are very few which are almost as good as each other, and this makes it difficult to choose between them. However, there is another factor, unrelated to how well a scanner protects you from viruses. This is the user interface, the "easy to use", and the marketing of the product. Often good anti-virus products are made by small companies and by people who are hackers (in the good sense) and don't really care about the user interface.
At the same time, the big companies tend to develop nicely looking products (they have a *lot* of experience and resources to design attractive user interfaces), which are often miserable from the anti-virus point of view, because the developers are lacking anti-virus experience, or because the few good anti-virus experts in the company are overwhelmed by the general bureaucracy in the (big) company and by the marketoids. Oh, yes, and those big companies have a lot of money for their marketing departments, so their products are marketed very aggressively.

As a result, we are seeing some very bad anti-virus products become dominant on the market. The hackers, and those in-the-know, use better products, but they are the minority; Joe User tends to select the nicely looking product, the one that is marketed better. That's why computer viruses continue to proliferate. If Microsoft had included Padgett's freeware utilities in their new DOS, they would have dealt with almost all existing boot sector viruses and with a large class of the future ones. Instead, they have selected to include a stripped-down version of an already inferior scanner. As a result, people who are using it have more problems (because it is causing false positives, on top of everything) than if not using anti-virus programs...

> In the event there should be a new virus created that is thrown into
> the wild, neither scanner will be helpful.

This does happen, every now and then. The latest well-known cases are Satan Bug and the SMEG viruses.

> The only time when Scanner A is more valuable is when a currently existing
> virus is thrown into the wild.

This does happen too. The problem is, you can't know in advance which of the known viruses is going to be "thrown in the wild", so you had better rely on a scanner that protects against as many of them as possible. Of course, even better is not to rely on a scanner alone.
> So, the question: Who has some statistics on how many viruses have gone from
> "just another virus" to a "in the wild virus?"

Hmm, difficult question. We have trouble even listing all viruses that are in the wild...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Sun, 05 Jun 94 05:35:38 -0400
From: pcm2@netcom.com (Neil McAllister)
Subject: Why so many Leprosy viruses? (PC)

I was recently reading the large virus summary in Hypertext form put out by Patricia Hoffman (I think that's right) and I noticed a rather extensive "family history" listing for the Leprosy virus. I was wondering, for a virus that is so easy to defeat, and which does so little to corrupt systems, why are there so many variants on this program? As far as I can tell from the virus listing, all the different variants are practically identical, though they all come from different sources and points of origin. What is the interest in this virus? I've never heard of a significant infection caused by it.

Just curious,

- --
+----------------------------------------------------------------+
| Neil McAllister / pcm2@netcom.com                              |
| Director of Special Operations, Bladder Control Central        |
+----------------------------------------------------------------+

------------------------------

Date: Mon, 06 Jun 94 08:26:34 -0400
From: hazen@phoenix.cs.uga.edu (Mark)
Subject: Re: SCAN V115 gives false Budo (B2) alarm with IBM PC DOS 3.3 (PC)

wrote:

>McAfee's beta test scanv115.zip from /pub/msdos/virus on
>oak.oakland.edu indicates that my machine running IBM PC DOS 3.3
>has the Budo (B2) virus in COMMAND.COM.
>However, it reports
>the same thing about COMMAND.COM on the permanently write protected
>installation diskette. I suspect this is a false alarm.

I can confirm this error! Here at my job we had a sudden outcropping of the Budo virus which we only noticed on four machines, and which also showed up only after the new version of Scan and Clean were in public distribution. I never noticed it before, but those are the only machines out of 100 or so here in the building which were running on DOS 3.3, which we updated to 5.0 when we found the errors.

- --
:Mark Hazen                    hazen@phoenix.cs.uga.edu
:Family & Consumer Sciences    mhazen@hestia.fcs.uga.edu
:All I ask is a chance to prove that money can't make me happy.

------------------------------

Date: Mon, 06 Jun 94 14:11:31 -0400
From: c23jrg@kocrsv01.delcoelect.com (John Goodrich)
Subject: Possible D-Day Virus? (PC)

Does anyone out there know of any viruses that trigger on D-day, similar in nature to the much-heralded Michelangelo virus of a couple years ago? My PC keyboard locks up in Windows only since this morning, and the date seems like it could be more than a coincidence. Any replies (the speedier the better) would be appreciated. Thanks.

John Goodrich

------------------------------

Date: Tue, 21 Jun 94 12:37:46 -0400
From: "David M. Chess"
Subject: re: FLIP and CANSU (V-SIGN) viruses (PC)

>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)

>My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't
>work out which of these viruses actually did the damage.

Yep, that was FLIP. It doesn't know about partitions bigger than 32K, and when it tries to shrink a partition to make some room for itself, it assumes that the partition is <32K. You can probably fix this by using some low-level editor to find the boot record of the DOS partition, find the word at offset 0x13, and set it to zero (it's probably 0xFFFA now). A value of zero means "more than 32K, go look at the doubleword out at 0x20 for the real number".
But FLIP doesn't know this, and just blithely subtracts 6 from the 0000, resulting in FFFA, which then becomes the new apparent size of your partition.

DC

------------------------------

Date: Tue, 21 Jun 94 12:38:29 -0400
From: "David M. Chess"
Subject: re: Monkey Virus (PC)

> From: Steve Hathaway
> The only way
> to eradicate the Monkey Virus is boot a virus-free DOS and recreate
> a new partition table and FAT tables on your hard disk (preferably
> after low-level format), then restore a bootable operating system
> and then your last good backup.

Good heavens, no! The best and simplest way to remove the Monkey virus is just to use some anti-virus program that can find the original master boot record, and put it back for you. No data loss, no reformatting, no restoring from backups. Even without an anti-virus program, you can generally trick the virus into showing you a copy of the real MBR, save that to diskette (of course remembering that the diskette will become infected in the process), then reboot from a clean diskette, restore the saved MBR that you fooled the virus into giving you, and you're done. (This is for hackers only; it's much simpler to just run a good antivirus program.)

Unless a virus has actually -gone off- and overwritten data, it's never necessary to reformat to get rid of a virus. If your system boots correctly while infected, it should be possible to just slice the virus out of the loop, restoring a clean boot. That's what anti-virus programs do.

- - -- -
David M. Chess                 | IBM Computer Virus Information Center
High Integrity Computing Lab   | gopher://index.almaden.ibm.com
IBM Watson Research            | http://index.almaden.ibm.com

------------------------------

Date: Tue, 21 Jun 94 12:42:08 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: HELP: How add code into .EXE ? (PC)

cogni@actcom.co.il (Michael Cale') writes:

>Hello all.
>Now I try to write a basic ANTI-viral program that adds to a user program a short
>code that will check CRC (or something similar) before running the program.

My advice: Forget it!

- ------------------------------------------------------------------------------
Frisk Software International - Technical note #11

Why external self-checking is a bad idea

Every now and then somebody gets the bright idea of adding a small piece of code to existing programs, which will check for virus infection when the program is executed. The idea is that this will detect any virus infection immediately, and is also effective against unknown viruses.

There are some serious flaws with this approach, however.

1) This method cannot prevent the program from getting infected in the first place, and whenever an infected program that has been protected this way is run, the virus code will be activated first. The virus might be able to detect or even remove the self-checking code, but it might also make it totally ineffective by using stealth techniques, so the self-checking code only "sees" the original, non-infected program.

2) Some programs contain an internal self-check - F-PROT.EXE is an example. That internal code might also be unable to detect stealth viruses, but unless the external self-check code uses stealth techniques too, the result will be a conflict, where the internal check will notice the newly added code and determine that the application has been infected.

3) This method is ineffective against "companion" viruses that don't modify the applications they infect.

4) It may not be possible to protect all programs this way. It is relatively easy to add code of this type to most .COM files, unless the original program was slightly less than 64K, and the resulting file would break that limit. EXE files are more of a problem, in particular those containing internal overlays, where one cannot append the code to the file, as the resulting file might become too big to load.
Windows applications are also a problem, as they have two different entry points, and special care has to be taken to handle that correctly.

On the other hand, adding internal self-checking to programs is a good idea; although it has the same limitations regarding stealth viruses, it does not cause the conflicts described above, and can be put in any program at compile-time. It is also much more difficult for viruses to bypass.

- -frisk

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 43]
*****************************************

From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V7 #44
Date: Fri, 24 Jun 1994 09:39:03 EDT

VIRUS-L Digest   Friday, 24 Jun 1994   Volume 7 : Issue 44

Today's Topics:

Re: Integrity Checking
Re: ARJ-, ZIP-viruses ?
Re: Bad and good viruses...
Re: Fred Cohen and computer viruses
Re: The truth about good viruses
Re: Nomenclature
Re: Bad and good viruses...
Good viruses/Bad viruses
Re: Stealth and Self-encryption
Re: Stealth and Self-encryption
Re: OS/2 Viruses? Are there any of those? (OS/2)
Re: OS/2 Viruses? Are there any of those? (OS/2)
OS/2 Viruses? Are there any of those? (OS/2)
Re: FORM and SPANISH Telecom? (PC)
Re: MtE Virus info wanted (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: Thunderbyte Antivirus (PC)
Re: Help: W-boot or Swiss Variant Virus (PC)
Re: Help! Checksums keep changing .......... (PC)
Re: HELP: How add code into .EXE ? (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Thunderbyte Antivirus (PC)
Re: Monkey Virus (PC)
FLIP and CANSU (V-SIGN) viruses (PC)
Re: Thunderbyte Antivirus (PC)
Re: Computer viruses for Sale (PC)
Re: MtE Virus info wanted (PC)
Re: Thunderbyte Antivirus (PC)
Re: Help! Checksums keep changing .......... (PC)
Re: Monkey Virus (PC)
Natas Virus Test
AVP 2.0 update D (PC)

----------------------------------------------------------------------

Date: Tue, 21 Jun 94 14:51:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Integrity Checking

sikkid@axpvms.cc.utexas.edu (sikkid@axpvms.cc.utexas.edu) writes:

> programs... I noticed that Vesselin stated that TBAV's integrity
> checker was "mediocre."
> I was just wondering why he said that, and

I meant that it does the basic job (computing CRCs of the executable objects, watching for modifications) but that it is neither cryptographically strong, nor designed to withstand some possible virus attacks against this kind of anti-virus product. In short, it works, and probably will catch a lot of viruses. I am convinced, however, that I can design a virus that will be able to bypass it (and even several different types of viruses). Also, I wouldn't be surprised if some of the already existing viruses are able to bypass it - but I haven't checked and this is something rather difficult to test.

> what makes for a good CRC checker... I know a lot about viruses, but
> my knowledge of CRC calculation techniques is pretty limited...

You need a few basic documents, all available in electronic form:

1) ftp.informatik.uni-hamburg.de:/pub/virus/texts/security/crc.zip. This is the ultimate guide to CRCs. Everything you always wanted to know about CRCs (but were afraid to ask). :-) Well, not everything really. It lacks a detailed guide on how to break them. :-))

2) ftp.informatik.uni-hamburg.de:/pub/virus/texts/crypto/md[45].zip. Those are two files, describing two cryptographically strong hash functions (sample C source is included). A third such function can be found in the file shs.zip in the same directory.

3) Yisrael Radai's paper on integrity checking. It's a huge paper, more like a small booklet (54 pages), and explains about everything you need to know about using integrity checking for anti-virus purposes. Contains an excellent discussion about how to design fast, yet still secure (for virus protection purposes; not secure from the cryptographic point of view) integrity checkers. The paper is in PostScript form, but is not yet available for distribution; you'll have to kindly ask Yisrael about it.

4) ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/attacks.zip.
A paper of mine, which nicely complements Yisrael's and explains how NOT
to design an integrity checker - i.e., what the different kinds of
attacks are that a virus could use against it and how to thwart them.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 14:58:33 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ARJ-, ZIP-viruses ?

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Are there scanners which scan for viruses in compressed,
> self-extracting programs and .ARJ (.ZIP) files ? What is its name ?

Yes, there are several. Two of the best I've seen are AntiVirus Pro and
UTScan (from Untouchable). The first program is Russian, BTW, and is
excellent in almost any other way. (Well, the integrity checker is not
good enough, and it doesn't include a resident scanner.) It is shareware
and is available from our ftp site:

Site:  ftp.informatik.uni-hamburg.de
IP:    134.100.4.42
Dir:   /pub/virus/progs
Files: avp_200.zip, avp_200c.zip, avp_200d.zip, dr_et.zip, pm940506.zip
       (you need all of them)

> Are there viruses which really infect .ARJ and .ZIP files ?

I know of only one such virus - the Russian virus Archive_Worm, which
infects ARJ archives. However, it is not the existence of such viruses
that creates the need to scan inside archives - it is the fact that many
packages are distributed in archived form, and people want to be able to
scan them for viruses, without having to manually unpack them first.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 15:02:20 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Tell me please about Potassium Hydroxide virus.

This is a master boot record infector, a variant of Stealth_Boot, written
by Mark Ludwig. It encrypts the volume it infects, using a
cryptographically strong algorithm (IDEA) with a user-supplied
passphrase. Some people claim that it is "beneficial", because it does
something useful (protects the information on your disks from prying
eyes) and because it asks your permission before infecting a disk. Of
course, such claims are completely bogus, as I have explained in one of
my previous messages here. (Hmm, I didn't see it appear, but there have
been some problems with this newsgroup lately...)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:03:04 -0400
From:    CELUSTP@cslab.felk.cvut.cz
Subject: Re: Fred Cohen and computer viruses

Hi all,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

S: 1. Who are "we"?

VB: We, the users. We, the anti-virus researchers.

We = users; We = anti-virus researchers; => users = anti-virus researchers

Is that true?

S: 3.
S: Does any statistical data exist about bugs per byte of code in computer
S: virus ("real" or not) code in comparison with bugs per byte of code in
S: "normal" application code?

VB: No, I am not aware of any, but 98.47% of all statistics are made up
VB: anyway. :-) Well, you can create some yourself. One of the buggiest
VB: commercial packages around - Microsoft Word for Windows - has about
VB: 8,000 bugs and occupies several megabytes (forgot how much). Most
VB: viruses I have seen are 200-4000 bytes long and about half a dozen
VB: bugs each. A (*very*) rough computation shows that the average virus
VB: has more bugs per byte than the buggiest commercial package.

For valid statistics one should compare a sample of randomly chosen viral
programs with a sample of randomly chosen non-viral programs. The programs
in both examined groups should be of similar length, i.e. if viruses are
200-4000 bytes long, the length of non-viral programs should vary within
those limits too. After the bugs in every group are counted and the same
statistical analysis is performed for every group, the obtained results
can be compared.

VB: In that definition Vesselin Bontchev was trying to make sense from a
VB: scientific point of view. Dr. Cohen's definition also makes sense from
VB: a scientific point of view. However, the average user doesn't give a
VB: dime for the scientific point of view and stands on practical
VB: reasoning.

Is the scientific point of view not good for practical reasoning?

S: 5. Consequently, one could conclude that "real viruses" are not computer
S: viruses. What are they?

VB: I lost you here. How exactly did you conclude the above from the
VB: premises listed? The most one can conclude is that the "real viruses"
VB: are not the benevolent viruses Dr. Cohen is talking about - which is
VB: exactly what I am trying to point out.

"Replication", "reproduction" or "infection" is an essential
characteristic of a computer virus.
In the simplest definition a computer virus is "a program that
reproduces" (by Fred Cohen). Let us denote computer virus by A and
reproduction by B. Then we can say: A has feature B. By what is said on
this forum about "real viruses", the simplest definition of a real virus
is "a program which sneaks around and infects people's computers without
their knowledge and authorization" (by Vesselin Bontchev). If we denote
real virus by C and "sneaking around...etc." by D, then we can say: C
has feature D. Comparing B with D it is obvious that B is not equal to D
(assuming that the words used follow the logic of natural language). If
B is not equal to D, it implies that, comparing A and C, A is not equal
to C, because the "operation" "has feature" is the same between A and B,
and C and D. (Of course, if the language used is such that "sneaking
around..etc." has the same meaning as "reproduction" then A is equal to
C).

VB: Performing experiments is a completely different thing. I also have
VB: about 4,300 viruses on my machine, but wouldn't like to run even a
VB: single one while I am using the machine for normal work. So, let me
VB: ask again - would you want a virus running on the computer you are
VB: using every day for work unrelated to virus experiments?

Yes, the benevolent one(s).

S: The other "beasts" could be
S: called "real viruses", "malicious software" or something else, why not?

VB: That's why I (Dr. Solomon, actually) proposed this term.

Vesselin Bontchev = Dr. Solomon? Why does Dr. Solomon not speak for
himself?

S: The understanding
S: requires sometimes particular knowledge of mathematics.

VB: The general public doesn't have one, which is why they don't
VB: understand him.

What is the "general public"? If the word "general" denotes the diversity
in education of people meeting viruses in this or that way, then it is
reasonable to think that some of them will have some knowledge of
mathematics.
Besides, to understand Fred Cohen's work one needs some knowledge of set
theory and the basics of mathematical logic. I think that most
technically oriented educational organizations cover this area. If not,
books on the basics of set theory are widely available.

VB: I am tempted to quote the FAQ of a sceptics' newsgroup: Yes, they
VB: laughed at Galileo, and they laughed at Einstein - but they also
VB: laughed at Coco the clown.

Was Coco the clown talking about the general theory of relativity, or
was Einstein making funny tricks?

Anyway, I agree with Fred Cohen's proposal about discerning between
benign and malign viruses. In fact there is an article, "An Abstract
Theory of Computer Viruses" by Leonard M. Adleman, which introduces more
differentiated notation. He derives from basic mathematical definitions
the following features of a virus: "is pathogenic", "is contagious", "is
benignant", "is a Trojan horse", "is a carrier", "is virulent". According
to these features there are four types of viruses: "benign", "Epeian",
"disseminating" and "malicious". Good for a start.

Cheers,
Suzana

                         ______________________________
                        /                              /
                        |                              |
   |\__/|      /        | If you know what you are     |
  /~~~~~~\    / \       | talking about, you have      |
 ~\( * *  )/~~\( 0 0 )/~| something more valuable than |
  (   O   )  (   O   )  | gold or jewels.              |
   \______/   \______/  |          - Proverbs 20.15 -  |
    @/  \@     @/  \@   |______________________________|
- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka         e-mail addresses:
         Department of Computers            celustka@sun.felk.cvut.cz
         Faculty of Electrical Engineering  celustkova@cs.felk.cvut.cz
         Karlovo namesti 13                 celust@cslab.felk.cvut.cz
         12135 Prague 2                     phone : (+42 2) 293485
         Czech Republic                     fax   : (+42 2) 290159

------------------------------

Date:    Thu, 23 Jun 94 10:05:03 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

Scott Ste Beardsley (39534@chopin.udel.edu) writes:

> By this token MS-Windows is a
> horridly evil virus, and much of what people use today are
> "unquestionably a bad thing."

\jokemode=on

Uhm, I wouldn't disagree with that... :-) Lessee:

Pro:

1) It is very widespread.
2) It steals the control on your machine from you.
3) It displays funny messages on the screen.
4) It eats up disk space and memory.
5) It slows down your computer to a crawl.
6) It randomly crashes your machine

Yep, must be a virus...

Con:

1) Computer viruses actually *do* something.
2) The authors of computer viruses support their products and regularly
   release new versions.

Nah, it probably ain't a virus after all...

Hey, you can use it to create a copy of it, so it is a virus even
according to Dr. Cohen's definition!

\jokemode=off

> Most of the users out there have no
> idea of what code does, they can't know what things do in their
> instruction set, they don't know how to give authority, they just put
> a disk in and type "install" In this way the majority of commercial
> software is evil...

However, all this "evil software" is produced by known companies, with
tech support lines. If a virus screws up your hard disk, you can't call
the author and request an upgrade.
> BUT, I think better judgment would be to throw out the idea of
> good/bad and go with helpful, or hurtful, and leave behind the
> connotations of good and bad, after all can a 1 or 0 be bad or good?

By itself, it cannot - it is neutral. However, its *usage* can be a bad
or a good thing. The fact that computer viruses exist is not a good or a
bad thing per se (except in the "tough luck" sense) - but the fact that
they can be and are used to destroy other people's data and/or waste
their time, efforts, and money *is* a bad thing.

> Someone already mentioned the KOH virus, that encrypts and
> protects your HD. It is a virii but its replication and its
> infection, even tho it is a controlled infection, you could say it is
> like a vaccine, tho it doesn't protect against itself as a vaccine
> would, but it is a controlled infection designed to be helpful. The

Nonsense. I keep hearing about this "beneficial KOH virus". This is TOTAL
NONSENSE (and I am tempted to use a stronger word). I already posted a
message explaining why it is so - didn't it make it? Maybe I should post
about it again?

> I think the way that I look at it is that "virus" is not good or evil
> or any connotation like that, those are judgment calls of the
> particular user/victim/whatever. It's just another string of code
> that can either do things good or bad. If you don't want your system
> executing that code, then you may see it as bad, but if you want your
> system to execute it (KOH) then it might be good to you. But if your

I tend to agree with this. If you don't want it to run on your system
and it still runs, then this is bad for you - yes, I definitely agree.
My point is that this is so for almost every user - they don't want
viruses to run on their systems (anybody volunteering to run that Super
Duper Destructive Virus on their hard disk? Anyone?), but those viruses
try to, nevertheless. That's why computer viruses are considered as bad
by most people.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:05:31 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Nomenclature

Fredrick B. Cohen (fc@Jupiter.SAIC.Com) writes:

> How about this for a way to differentiate different types of viruses:

> Malicious viruses

OK, I can give you about 5,000 examples of this category.

> Benevolent viruses

Care to provide some examples of this category? And convince us that they
are really benevolent, do not cause harm, and do a job that cannot be
done (or not so effectively) by non-viral means? Mind you, I'm confident
that you can come up with a couple of valid examples. Heck, even I can
come up with at least one. Now, isn't that second category a bit small?
Too artificial? Not worth even mentioning, considering the overwhelming
majority of the first category? Even harmful to mention and promote,
because its sole existence will be used by irresponsible twits to create
viruses of the first category? Think again.

> I think this is less misleading than the term "Real viruses", and it clearly
> indicates both the meaning (which Real does not) as well as educating the
> reader (there may be either kind) and retaining a short and readable text.

I think not. The term "real viruses" emphasizes that those are the
viruses you are likely to meet in reality - unlike the purely theoretical
constructs some scientists like to play with.

> The problem with the term Real is that it is misleading in the sense that
> it somehow implies that benign viruses are imaginary, which they are not.

It is not misleading.
Describe one of your "benign viruses" and lots of people will wonder -
"But is it *really* a virus?". DISKCOPY is a virus, according to you -
but is it *really* a virus? Is it a Real Virus? Nope.

> As to the person who posted that this stuff isn't interesting compared to which
> new strain of Jerusalem McAfee's virus defense gives a false positive for in
> scanning version 3.4.5 of the newest package by Xray Inc, I disagree.

Yep, that stuff is terribly boring - quite unlike playing with
theoretical concepts. Unfortunately, it is boring, but *important* stuff
- representing *real* problems that *real* people have every day with
*real* viruses.

> As to the difficulty of teaching people about two kinds of viruses, try this
> little bit of text:

> Computer viruses are computer programs that reproduce. Some of these viruses
> are intended to harm people by damaging their information systems, and we call
> them malignant. Other viruses are intended to demonstrate a concept, to
> explore issues in artificial life, or even to do useful functions. We call
> them benign.

Nope, it's wrong and not good for educating people. It implies that if a
virus is not intended to do harm, then it is "an OK thing". This is
wrong; most of the Real Viruses are not intended to cause harm - but they
do nevertheless - because of incompatibilities, bugs, and because of the
time, resources, and money wasted to detect and remove them. Therefore, I
prefer to speak about viruses that are intentionally destructive and
viruses that are not intentionally destructive. I tend to avoid words
like "benign" and "harmless" when applied to computer viruses. Real
computer viruses, that is.

> This doesn't seem much harder to understand than this version which is wrong:

> Real viruses are malicious little programs that, unbeknownst to the user,
> enter their computer system, modify their programs, and destroy their information.
It *is* wrong (doesn't mention the most important property of the virus -
its ability to replicate), but then I was not trying to give an exact
definition. I was merely trying to express what most people understand
when they hear the term "computer virus".

> The point is, we can present the right information in a readable way if we
> just try to.

We certainly can, and I am sure that we all are trying to. But, hey, Dr.
Cohen, even you made a mistake in your definition above. You made another
one, in one of your first papers that contains the so-often-cited
natural-language definition of the term "computer virus". Now, if even
*you* are making such mistakes, what about us, the mere mortals? :-) My
point is that it is *easy* to make a mistake when trying to explain
computer viruses to people that know nothing about it and that we should
take extreme care and think how our words could be misunderstood and/or
misinterpreted. In particular, virus writers often misinterpret your
words about "benign viruses" to make up an excuse for their unethical
and often criminal acts.

> I too have been a hacker (as opposed
> to a cracker) and hope to change the usage of those terms just as I hope to
> get people to use the correct usage of virus.

Good luck. You will fail, in both cases. :-) I am also using the terms
"hacker" and "cracker" in the way you understand them, but I have long
given up any hope to change the general public's opinion about this.

> And the best way to do this is
> to get the members of this group to start using the terms correctly, because
> this group is influential, and you have to start somewhere.

I'd agree with the above, *if* the change was not harmful. And saying
that there are "benign" viruses, without carefully explaining what you
mean exactly, *is* harmful, IMNSHO, for a reason I've stated multiple
times - it is misused by the crowd of virus writers to excuse their
deeds.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:07:37 -0400
From:    umchu023@cc.umanitoba.ca (Andy Hon Wai Chu)
Subject: Re: Bad and good viruses...

> Hi !
> 12 May bradleym@netcom.com (Bradley) wrote:
>> How about KOH? Also the Potassium Hydroxide virus. It will encrypt your
>> HD for you using the IDEA algorithm.
> Tell me please about Potassium Hydroxide virus.
>> A virus by nature is what? Its intention is to produce copies
>> of itself and attach these copies to your programs (without you
>> knowing) and either display a message, play a tune, fill up your
>> disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

It is funny that there is a virus called "Good virus" (Virus - Allan
Lundell 1989), originally written in West Germany, a virus that won't
let "unknown" programs run on one's machine. If the programs to be run
aren't already infected with this virus, they won't be allowed to run at
all. Sounds like an Anti-virus Virus !!!

- --
- --------------------------------------------
Andy Hon Wai Chu
email: umchu023@ccu.umanitoba.ca

------------------------------

Date:    Thu, 23 Jun 94 10:08:20 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Good viruses/Bad viruses

> it is unethical
> to let anti virus vendors sell millions of copies of their
> software on the basis of people's ill founded fears.

The fears are well founded. Businesses that suffer a virus attack lose a
lot of money just in the clean up. Anti-virus software is a minimal
expense, comparable with paying to put locks on the doors of the company
premises.

> >You will discover that most of them understand a computer virus
> >as "something that came when I didn't want it".
>
> Or "something that came when I was leeching several megs of
> software that I didn't pay for". There seems a much higher
> incidence of viruses transmitted in pirated software than in
> original copies, who are we protecting here?

Not in my experience. Viruses "come" with any source of software
including shrink wrapped products, brand new computers straight from the
manufacturer, and bulk supplies of "blank" preformatted disks.

You complain that anti-virus researchers are motivated by their making a
living off their work. Apologists for virus writers have a motivation
too. The fact that no money is involved does not make it noble.

- --
PUT YOUR BRUSH          NEEDS A
BACK ON THE SHELF       SHAVE ITSELF
THE DARN THING          Burma-Shave

------------------------------

Date:    Thu, 23 Jun 94 10:10:43 -0400
From:    buster@klaine.pp.fi (Kari Laine)
Subject: Re: Stealth and Self-encryption

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:

>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
>Subject: Stealth and Self-encryption
>Date: Tue, 21 Jun 1994 10:23:12 EDT

>Hi,

>This may be an ignorant question, but can anyone please explain
>the difference between stealth techniques and self-encryption?

Stealth is the technique of hiding the changes a virus makes when it
infects the host files and/or boot and/or partition sectors. For example,
if you try to look at an infected boot sector, the virus makes sure you
see the original one it has put aside to be shown to you if you come
around asking for it :-) This requires the virus to hook many interrupts
of the BIOS and DOS.

Encryption (polymorphism) is used to make the virus look different each
time it infects a file and thus make seeking it more difficult.

So actually these are totally different things and the aims that virus
authors (scumheads) try to achieve with these are quite different.

>Is either one something to do with making a DIR command (for
>example) not include the extra size due to the virus?

Stealth would do it.
Regards
Kari Laine

------------------------------

Date:    Thu, 23 Jun 94 10:10:27 -0400
From:    v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: Stealth and Self-encryption

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:

- ->This may be an ignorant question, but can anyone please explain
- ->the difference between stealth techniques and self-encryption?
- ->
- ->Is either one something to do with making a DIR command (for
- ->example) not include the extra size due to the virus?

That's a typical example of a stealth technique; others are hooking int
13h and, when asked for it, replacing the infected boot sector with an
original one. The idea is to make the virus invisible to the user or to
user programs (scanners).

The idea behind encryption is not hiding, but making the code
unrecognizable, so signature seekers won't help you find the virus.

If you combine the two techniques you can create code that is rather hard
to find, and unfortunately it also happens.

- ->
- ->What does either method involve?

Hope I helped you.

- ->
- ->Thanks in advance,
- ->
- ->Chris

Ivar.

+---------------------+-----------------------------------------------------+
| uu  uu sssss sssss  | Ivar Snaaijer.        E-mail : v922340@si.hhs.nl    |
| uu  uu ss    ss     +-----------------------------------------------------+
| uu  uu sssss sssss  | "Violence is the last refuge of the incompetent"    |
| uu  uu    ss    ss  |                                            -Asimov  |
|  uuuuu sssss sssss  |            -= This space is for $ale =-             |
+---------------------+-----------------------------------------------------+

------------------------------

Date:    Tue, 21 Jun 94 15:06:05 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 Viruses? Are there any of those? (OS/2)

(AMIR77@taunivm.tau.ac.il) writes:

> I'd like to know if there are any OS/2 viruses?

Yes, I am aware of at least two OS/2-specific viruses. Also, many of the
MS-DOS viruses can work perfectly in a DOS emulation box under OS/2.
> As far as I know, DOS viruses use TSR in order to stay in memory
> and infect other programs.

Those two viruses are not memory resident. The first is a silly (and
rather buggy) overwriting virus. The second is a non-resident virus,
which spawns a copy of the original file on execution and then executes
it as a subprocess.

> OS/2 doesn't have TSRs so any "out-of-the
> ordinary" apps can be detected by task-list. I know

I am by no means an OS/2 expert, but I tend to disagree with the above. I
think that there *are* ways to make viruses for OS/2 that will be far
from trivial to spot. However, until such viruses begin to appear, I
prefer to keep those thoughts of mine to myself.

> that it is possible to write trojan horses for OS/2, but is it
> possible to write viruses?

It is possible to write viruses for almost any kind of general-purpose
computing system.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:04:25 -0400
From:    ykchung@Winkie.Oz.nthu.edu.tw (Jimmy Chung)
Subject: Re: OS/2 Viruses? Are there any of those? (OS/2)

(AMIR77@taunivm.tau.ac.il) wrote:

> Hi,
> I'd like to know if there are any OS/2 viruses?

Yes. There are 2 OS/2 viruses now, as far as I know. :))

Jimmy
- --

------------------------------

Date:    Thu, 23 Jun 94 10:09:11 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: OS/2 Viruses? Are there any of those? (OS/2)

> I'd like to know if there are any OS/2 viruses?

Yes.

> As far as I know, DOS viruses use TSR in order to stay in memory
> and infect other programs. OS/2 doesn't have TSRs so any "out-of-the
> ordinary" apps can be detected by task-list.
Many DOS viruses don't go TSR, but just infect another program, or a
directory full of programs, every time you run an infected executable.

- --
PUT YOUR BRUSH          NEEDS A
BACK ON THE SHELF       SHAVE ITSELF
THE DARN THING          Burma-Shave

------------------------------

Date:    Tue, 21 Jun 94 15:23:04 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM and SPANISH Telecom? (PC)

Jerry Gerace (gerace@ucsu.Colorado.EDU) writes:

> I just got done disinfecting several PC's that had the Form virus on it.
> Happy to say, it's a pretty tame virus. No stealth at all, isn't harmful,
> just sits there duplicating with itself.

"Just"? Uhm, well... sort of... When it infects the hard disk, Form
overwrites the last cluster of the bootable partition with the second
part of the virus body, without bothering to check whether the cluster
is free, or even whether this is a DOS partition. Results? If you had a
file that includes this last cluster (e.g., if your disk is nearly full,
or fragmented), you can say "bye-bye" to that file. Surprise, surprise,
many "unformatting" programs save a vital part of their disk recovery
information in a file that occupies guess what? - right, the last cluster
of the volume. Also, removing Form from an OS/2 system that has
BootManager installed and is using HPFS volumes is a *very* tedious
procedure. Remember, there ain't no such thing as a "harmless" computer
virus. A "harmless" *real* computer virus, that is.

> I did a warm boot and it just couldn't make it. Easily disinfected with
> F-prot, although apparently (before I arrived on the scene), Norton Anti-Virus
> screwed up a few floppies while attempting to disinfect (it somehow screwed
> up the MBR instead of just using the stored copy the virus makes) but the
> disks were fairly easily recovered.

Hm, strange. NAV is generally one of the worst anti-virus products
around, but even it should be able to cope with the most widespread
viruses like Form.
Are you sure you have used the latest version? Have you contacted the
tech support?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 15:25:08 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE Virus info wanted (PC)

Jeff E. Lewis (U12585@uicvm.uic.edu) writes:

> I would appreciate information on "MtE" which I "found" on my
> machine with Norton Antivirus 2.1. This was NOT indicated by

This is quite probably a false positive from an obsolete version of NAV.
Older versions of NAV are known to have had this problem.

> but there was no doubt that something was present since scandisk
> recovered 90 mb of hard disk space 11 days after I started using
> the indicated infected program.

This *might* be caused by a virus, but it is unlikely.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 15:27:50 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC)

Fridrik Skulason (frisk@complex.is) writes:

> Maybe this should go into the FAQ....

Maybe not, having in mind that it is incorrect. :-)

> When the Michelangelo virus activates, it overwrites the first 9 sectors
> on heads 0-3 on every track of the hard disk.

Nope.
When the Michelangelo virus activates, it overwrites the first 17 sectors
on heads 0-3 on the first 256 tracks of the disk it has been booted from.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Tue, 21 Jun 94 15:35:33 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thunderbyte Antivirus (PC)

KMJ Enterprises (iiggii@mixcom.mixcom.com) writes:

> Has anyone heard of/used thunderbyte antivirus?

Yep, it's a rather popular shareware anti-virus product.

> How does it compare
> (reliability, speed, etc) to some of the others - McAfee, SP, Norton,
> etc?

I don't know what "SP" is. The scanner in TBAV is definitely the fastest
scanner around. Its closest competitor is more than two times slower
than it. Its detection rate is *much* better than NAV's and rather
better than SCAN's. The package also contains a more complete set of
anti-virus tools. However, there *are* scanners with an even higher
detection rate (F-Prot, AVP, and several others). The disinfector
included in the package shouldn't be relied upon, unless you also use
the integrity checker - but then, my opinion is that virus disinfection
shouldn't be relied upon in principle. Also, the scanner has its share
of bugs; it keeps crashing when scanning some weird boot sectors (but
then, so does SCAN). In short, the package is definitely better than
either of the two products you mentioned, but I wouldn't call it the
best around.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:02:28 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help: W-boot or Swiss Variant Virus (PC)

Fridrik Skulason (frisk@complex.is) writes:

> >F-Prot 2.12 identifies it as "W-boot - unknown" and apparently
> >cannot get rid of it. The docs also say it cannot be
> >disinfected.

> My guess is that this is a slightly modified W-boot variant - the "unknown"
> part simply means that the checksum doesn't match, but it appears to be
> more-or-less like the original.

Uhm, Frisk, sorry to contradict you, but you are wrong on this one.
First, the original poster is right - according to the documentation,
F-Prot 2.12 is unable to remove even the "original" W-Boot virus.
(Version 2.12c is able to remove it.) Second, my latest tests show that
F-Prot says "- unknown" about viruses it should know about a bit too
often. It says so about 63 viruses out of the 356 boot sector viruses in
my collection. I guess your checksums need to be fixed a bit.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Thu, 23 Jun 94 10:02:51 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! Checksums keep changing .......... (PC)

vcurtis (vcurtis@relay.nswc.navy.mil) writes:

> The checksum had been changed on nearly every .exe, .com, & .dll file on
> my system. The scan showed no virus however. One other strange problem
> occurred. About 75% through the virus scan, the program quit with this
> message: "MWAV caused a General Protection Fault in Module MWAVSCAN.DLL
> at 0001:0C77."
> It threw me out of the program and back to program manager.
> I tried to execute the Anti-Virus program again, and all it would do is
> give me the following message "Unable to lock conventional memory." It
> would not even try to run.

MSAV is total junk. It keeps crashing, does not detect viruses, causes false positives... In short - delete it and don't trust anything it says. Get a better anti-virus product - there are a few pretty good ones out there, but MSAV/CPAV is not one of them, definitely.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:03:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HELP: How add code into .EXE ? (PC)

Michael Cale' (cogni@actcom.co.il) writes:

> Now I am trying to write a basic anti-viral program that adds to a user program a short
> piece of code that will check a CRC (or something similar) before running the program. Adding any

That's a *very* bad idea. Don't do it. Modifying other people's programs is always wrong and often causes problems. Think about all those self-checking programs (i.e., most anti-virus programs) that will suddenly stop working after you "immunize" them. Think about all those integrity checkers that will scream "Virus!" when the user uses your program and modifies all of his/her programs. Think about all those heuristic analysers that will go bananas when they see a piece of code attached to the programs much like a virus. Think about all those stealth viruses that will happily bypass your check and continue to infect. In short - forget it.

> code to .COM is trivial, but with .EXE I have some problem. I think that I
> forget some needed actions and do part only.
> I add my code INSTEAD OF the starting
> part of the .EXE (after the header part) and try to change it back at run time, and also
> change the relocation table but... have problems. :(

Oh-la-la... :-( Even the viruses are doing it in a better way. They do not mess with the beginning of the code nor with the relocation items. Instead, their code is fully relocatable, is appended at the end of the EXE files, and the CS:IP fields in the header are changed to point to the appended code. After the code finishes with its work, it transfers control to the original entry point - usually by pushing the original CS/IP values on the stack and executing a far RET. But don't do that - it's a bad idea, as I explained above.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:04:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Olivier Montanuy (montanuy@lsun75.cnet) writes:

> VALIDATE.COM and VALIDATE.EXE are currently used to authenticate the
> files contained in McAfee shareware packages, so as to prevent any
> insertion of viruses or trojans while they stay on public BBS or FTP
> servers. They are inadequate and may be misleading.

Yep. This is a known problem. Has been reported to McAfee years ago. Their answer (besides "So what?") is essentially that there is no easy way to do it right. You see, it is trivial to use a cryptographically strong hash function (e.g., MD4, MD5, SHA, etc.) instead of a CRC. But this just means that the forger will not try to forge it, but instead will modify the documentation that lists the correct values.
In fact, this is what the forgers do even now, because it is still easier than forging CRCs - something that few crackers know how to do.

A *real* solution would involve using public key authentication. There is an archiver that provides such means - HPACK - but it is not as popular as PKZIP. Besides, almost anything related to public key cryptography has patent problems in the USA, where a company called Public Key Partners owns all patents in this area. And one of those patents contains claims that cover all possible public-key systems - even the ones that are not invented yet. If you think that this is ridiculous, I agree with you.

BTW, even if a public-key authentication mechanism is used, it will work only for people who already have the public key. First-time users of the product will still be vulnerable to a key spoofing attack. But I digress; this topic is more appropriate for sci.crypt.

> I won't publish the source code or the executable of my cheating program,
> and I will not discuss details of the cheating method, except with
> McAfee associates or trusted comp.virus contributors (if they care :-)

I'll be very interested to discuss (in private) the method you are using.

> VALIDATE.COM performs a double 16-bit CRC and VALIDATE.EXE a 32-bit
> (and somehow unorthodox) CRC.

The first two 16-bit CRC polynomials are public (and rather easy to determine anyway). How did you determine the 32-bit polynomial? Or does your attack involve determining the polynomial at all?

> I don't have a replacement of VALIDATE.COM and VALIDATE.EXE.

There can't be any. MD4, MD5, and SHA implementations are available from our ftp site, but as I explained above, this does not solve the problem.

> Anyway, it should be sufficient to authenticate only the length of
> the files in the compressed package (using 'pkunzip -l').

Certainly not!
> As a matter of fact I seriously doubt it is feasible to modify
> a file without affecting either the normal file length, or the
> compressed file length, or the compression method.

Alas, it is perfectly possible to modify the file without changing any of those. In fact, you can make the file contain anything you want, and just reserve the last 4 bytes of it, in which you put a special, computed value, in order to preserve the original CRC.

Regards,
Vesselin

------------------------------

Date: Thu, 23 Jun 94 10:08:13 -0400
From: tracker@netcom.com (Craig)
Subject: Re: Thunderbyte Antivirus (PC)

KMJ Enterprises (iiggii@mixcom.mixcom.com) wrote:

: Has anyone heard of/used thunderbyte antivirus? How does it compare
: (reliability, speed, etc) to some of the others - McAfee, SP, Norton,
: etc?

Vesselin Bontchev of Germany holds it in very high regard in his testing, right up there with F-Prot. It certainly stomps all over Norton, definitely McAfee, and even CPAV.

------------------------------

Date: 22 Jun 94 08:49:19 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Monkey Virus (PC)

Steve Hathaway writes:

> A strain of Monkey Virus has been reported in Heppner, Oregon.
> This virus infects the boot block of disk drives and the disk partition
> table of hard disks. The FORMAT command cannot create a good format
> of any floppy disk in the presence of the Monkey Virus. The only way
> to eradicate the Monkey Virus is boot a virus-free DOS and recreate
> a new partition table and FAT tables on your hard disk (preferably
> after low-level format)

Presumably the disk is then cut into 1-inch size chunks, buried in soft peat for a year and recycled as firelighters, yes?
:-)

I posted a way to get rid of most Master Boot Sector infectors here a couple of months ago. If anyone wants it, I'll post it to them. Remember, there are very few common viruses which require you to low-level format your hard drive, though I guess if you have a backup it's one way. If the machine still boots DOS when it's infected, it is probably easily recoverable.

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Thu, 23 Jun 94 10:08:55 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: FLIP and CANSU (V-SIGN) viruses (PC)

> My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't
> work out which of these viruses actually did the damage. I've
> got a feeling it was FLIP

Yes, Flip puts hex FA FF in offsets 13h and 14h of the DOS boot sector. Edit these back to 00 00 and your disk will be 260Mb again.

Incidentally, this is an example of a "harmless" virus that does damage, for those who believe in harmless or benign viruses. The virus was written before DOS4 came along with the extended boot record. It alters the size of the disk in the DOS3 style boot record, which is incompatible with the way drives larger than 32Mb are described in the DOS 4 to 6 boot record. This caused no problems under DOS3.

If this were a "beneficial" virus, how would the author withdraw the old version that truncates disks when he updates it to the new, improved version?

--
PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Thu, 23 Jun 94 10:10:09 -0400
From: martijnl@sci.kun.nl (Martijn Leisink)
Subject: Re: Thunderbyte Antivirus (PC)

iiggii@mixcom.mixcom.com (KMJ Enterprises) writes:

>Has anyone heard of/used thunderbyte antivirus? How does it compare
>(reliability, speed, etc) to some of the others - McAfee, SP, Norton,
>etc?
>advTHANXance
> ...Hank hobbes@mixcom.mixcom.com

Thunderbyte is one of the best antivirus packages! It is the fastest, I think.
And it scans better than for example McAfee (since it is able to scan heuristically). No doubt, Thunderbyte is better than all others I know.

Martijn Leisink

------------------------------

Date: 22 Jun 94 08:43:51 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Computer viruses for Sale (PC)

dhull@nunic.nu.edu (Dr. David B Hull) writes:

> At any rate, I just received a nice little CD-ROM from
> American Eagle Publications. It is really a knock out, with
> 527 major virus source codes and plenty of other interesting
> things. I happen to need it for my research into the
> morphology of computer viruses. But if my serial number of
> 001126 is true - oh boy ! I in one sense congratulate
> Mark (see sig), but it really does tread on dangerous ground.
> Ah well - I live in a main frame environment practicing
> "security by obscurity" - so I don't tell nobody nothin.

Mark Ludwig's CD-ROM is in some ways a major nuisance, and in some ways a minor annoyance. Firstly, nobody in the anti-virus industry wants to purchase it, because we (I think this is pretty much an industry wide view) would rather spend our money on other things. It sets a pretty bad precedent if we start paying for virus code. Heck, we would be getting close to commissioning the damn things.

Other than that though, I don't think we are going to see a virus explosion. Most of the people who are willing to cough up the money for the CD-ROM will probably be in a position to get hold of most of its contents anyway. Sure, we will see a few weird and wonderful viruses in the wild, and it will make it easier for those who want to hack a virus to do so, but on the whole (Please let me be right :) it won't make a big difference. I do however think it is unethical.

> OK if this newsgroup is alive - what happens next ! The
> man has just yelled fire in a crowded theater !

But what can we do about it?
The anti-virus industry is powerless to intervene - the only way you can change things is to get the US government to do something. Getting them to listen is really in the hands of the large US businesses. If they get enough complaints from the heavyweights they will listen. If not, then we can all go on living with it. It is really our own choice.

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Thu, 23 Jun 94 10:11:09 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: MtE Virus info wanted (PC)

"Jeff E. Lewis" () writes:

->I would appreciate information on "MtE" which I "found" on my
->machine with Norton Antivirus 2.1. This was NOT indicated by
->
->cpav (1991?)
->microsoft anti-virus (1993)
->mcafee scan 106
->mcafee scan 108
->

If only NAV finds it, it's most likely to be a false alarm. See also the other articles with comments on NAV.

->but there was no doubt that something was present since scandisk
->recovered 90 mb of hard disk space 11 days after I started using
->the indicated infected program.

I don't know which program it is or what its purpose is, but most applications written in Clipper are known to create lots of lost chains if you reboot while the programs are running. (This isn't a bug, just a matter of using a lot of large files.) Most applications do this to some extent. I know that 90MB is a lot of space, but if no other program is reported to have an MtE-disguised virus aboard, it must be a miraculous application.

Try TBAV (v6.20) and F-PROT (don't know the last version) to be sure. Since the programs use different algorithms to detect MtE, it's almost impossible that it comes through the 0.1% of both of them. (I don't know how McAfee detects MtE, but I haven't heard about algorithm checking in the other three.)

->Thanks,
->Jeff E. Lewis
->

Hope it will help you,

Ivar.

+---------------------+-----------------------------------------------------+
| uu   uu sssss sssss | Ivar Snaaijer.           E-mail : v922340@si.hhs.nl |
| uu   uu ss    ss    +-----------------------------------------------------+
| uu   uu sssss sssss | "Violence is the last refuge of the incompetent"    |
| uu   uu    ss    ss |                                            -Asimov  |
|  uuuuu  sssss sssss |            -= This space is for $ale =-             |
+---------------------+-----------------------------------------------------+

------------------------------

Date: Thu, 23 Jun 94 10:11:20 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: Thunderbyte Antivirus (PC)

iiggii@mixcom.mixcom.com (KMJ Enterprises) writes:

->Has anyone heard of/used thunderbyte antivirus? How does it compare
->(reliability, speed, etc) to some of the others - McAfee, SP, Norton,
->etc?
->

I have been working with it for quite a while now. All the viruses I ever had an eye on were detected by TBAV, directly (signature+heuristics) or indirectly (heuristics and common sense). The speed is incredible, and the other utilities are quite good IF you use them. It also has a rather low number of false alarms, which is quite an effort with heuristics.

->advTHANXance
-> ...Hank hobbes@mixcom.mixcom.com
->

Hope I helped,

Ivar

------------------------------

Date: Thu, 23 Jun 94 10:11:38 -0400
From: v922340@si.hhs.nl (Snaaijer, I.H.)
Subject: Re: Help! Checksums keep changing .......... (PC)

vcurtis@relay.nswc.navy.mil (vcurtis) writes:

->I ran the Microsoft Anti-Virus program in DOS 6.2 with the following
->options selected: Verify Integrity, Prompt While Detect, Anti-Stealth,
->and Check All Files.
->
->The checksum had been changed on nearly every .exe, .com, & .dll file on
->my system. The scan showed no virus however. One other strange problem
->occurred. About 75% through the virus scan, the program quit with this
->message: "MWAV caused a General Protection Fault in Module MWAVSCAN.DLL
->at 0001:0C77." It threw me out of the program and back to program manager.
->I tried to execute the Anti-Virus program again, and all it would do is
->give me the following message "Unable to lock conventional memory." It
->would not even try to run.

I can't think up a scenario where the CRCs of all those files change at the same time and nothing really happens. The only thing I can think of right now is a virus capable of dwelling undetected by MSAV, which is not unlikely because MSAV is rather widespread.

->
->I rebooted and tried again. Got same results as first time, changed
->Checksums, and GPF message, followed by conventional memory message on
->retry.
->
->I ran McAfee and F-Prot (April '94) on the system and they showed nothing.

This makes it unlikely that there is a REAL problem but MSAV. Try a newer version of F-PROT or try TBAV (6.20). If both programs don't come up with something, delete MSAV and you don't have an infection anymore.

->
-> [...]
->If I turn off Anti-Stealth checking, I still get checksum changes, but
->no GPF message and the program completes its scan.

This is probably caused by a bit flaky implementation (my words only) of the BIOS browser, which gives Windows the hiccups.

->
->I don't know if this is symptomatic of some virus or what. I am very
->uncomfortable with this constantly changing checksum situation.

I can understand that. Try Integrity Master to really find out what is changing.

->
->Can anyone offer any suggestions?
->

Hope I helped,

Ivar.

------------------------------

Date: Thu, 23 Jun 94 10:12:13 -0400
From: Henrik Stroem
Subject: Re: Monkey Virus (PC)

> Article 14072 of comp.virus:
> Newsgroups: comp.virus
> From: Steve Hathaway
> Subject: Monkey Virus (PC)
> Sender: virus-l@lehigh.edu
> Date: Tue, 21 Jun 1994 10:23:12 EDT

> A strain of Monkey Virus has been reported in Heppner, Oregon.
> This virus infects the boot block of disk drives and the disk partition
> table of hard disks. The FORMAT command cannot create a good format

Eh, not quite correct. It infects the Master Boot Record of hard disks, not the partition table. The partition table is a 64 byte small data area near the end of the Master Boot Record. Viruses usually infect code, not data.

> of any floppy disk in the presence of the Monkey Virus. The only way
> to eradicate the Monkey Virus is boot a virus-free DOS and recreate
> a new partition table and FAT tables on your hard disk

This is far from the only way of disinfection...

> (preferably
> after low-level format), then restore a bootable operating system
> and then your last good backup.

This is NOT the way to do it! You never need to format in order to get rid of a boot infector.

> If you are lucky enough to have your computer on a network with a file
> server, you may copy all of your application files to the server, and
> restore them from the server after you have a newly formatted and
> bootable hard disk. The Monkey Virus appears not to infect the structure
> of remote network disks.

It is a boot virus, not a file virus. Boot infectors cannot infect network disks.
Network disks are not bootable, so there is no point, even if the boot sector of the network disk was available AND readable.

I think you should read the FAQ for comp.virus, available by ftp from cert.org in directory /pub/virus-l as the file FAQ.virus-l

> If you boot a virgin DOS from diskettes and look for the hard disk,
> the absence of a recognizable partition table causes the hard-disk
> not to be recognized. The PCTOOLS DiskFix program can usually
> examine the appropriate contents of saved system configuration
> to rebuild a new partition on the hard drive, allowing recovery
> formatting to continue.

Check out the file killmnk3.zip available by ftp from 141.210.10.117 in the directory /pub/msdos/virus. It contains correct and detailed information about this virus, as well as a working disinfection program. No need for backups or formatting.

Sincerely,

Henrik Stroem
Stroem System Soft

------------------------------

Date: Thu, 23 Jun 94 11:51:50 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: Natas Virus Test

-----BEGIN PGP SIGNED MESSAGE-----

> NATAS VIRUS TEST
> Copyright (C) 1994 Luca Sambucci
> All rights reserved.
> Italian Computer Antivirus Research Organization

In the past few months a new, polymorphic, stealth, multipartite virus appeared in the wild: the "Natas" virus. A lot of antivirus producers have soon updated their antivirus software to implement the detection algorithm for this virus. There is also a "special Natas version" of McAfee's VirusScan utility (VirusScan v.2.1.0). Well, let's see how well the newest versions of some antivirus products can detect it.

The options used are the same as those used for the June 1994 edition of the General Antivirus Test, except for the "/CPL" option for AVScan (this product now scans inside compressed files by default). For all other information (product/producer information, legal issues etc.)
please refer to the June 1994 edition of the General Antivirus Test (always available on request or at our official distribution sites).

The following products have been tested:

Name                                 Version    Date (MM/DD/YY)  Producer
=-----------------------------------------------------------------------=
AVScan                               1.57       06/08/94         H+BEDV GmbH
AV Toolkit Pro                       2.00d      06/20/94         KAMI Ltd.
F-Prot                               2.12c      06/16/94         Frisk Soft. Int.
Sweep                                2.63Beta   06/06/94         Sophos Plc
ThunderByte AV                       6.20       05/06/94         ESaSS BV
ViruScan                             9.28V116_  06/02/94         McAfee Inc.
VirusScan                            2.0.2      06/02/94         McAfee Inc.
VirusScan (special "Natas" edition)  2.1.0      06/08/94         McAfee Inc.

TEST RESULTS

For the test I've infected 1200 files (600 COM, 600 EXE) with Natas replications. Here are the results (1200 replications):

| Antivirus       | Rel.     | Unrel.   | %Total     |
| product         | Detected | Identif. | Detected   |
=----------------+----------+----------+============+--=
 AVScan 1.57     |        0 |        2 | <   0.17% >
=----------------+----------+----------+============+--=
 AVP 2.00d       |     1200 |        0 | < 100.00% >
=----------------+----------+----------+============+--=
 F-Prot 2.12c    |     1196 |        1 | <  99.75% >
=----------------+----------+----------+============+--=
 Sweep 2.63_     |     1197 |        1 | <  99.83% >
=----------------+----------+----------+============+--=
 TbScan 6.20     |        0 |     1200 | < 100.00% >
=----------------+----------+----------+============+--=
 ViruScan 116_   |        0 |       31 | <   2.58% >
=----------------+----------+----------+============+--=
 VirusScan 2.0.1 |        0 |        0 | <   0.00% >
=----------------+----------+----------+============+--=
 VirusScan 2.1.0 |     1191 |        0 | <  99.25% >
=----------------+----------+----------+============+--=

Note:

AVScan identified one replication as "MtE", and another as "TPE".
F-Prot identified one replication as "Possibly new variant of Semtex".
Sweep identified one replication as "MutaGen -> 1.10".
TbScan detected all replications with the aid of the heuristic analyser (remember: used with the -noautohr switch).
ViruScan 116Beta identified 30 replications as "TPE", and one as "MtE".
Best Regards,
Luca Sambucci

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLgmuseZQNzkHaA4JAQHDtAP/YvhG4Y+ale+Q3ylUaS9vx4yhjGPJhjIM
gzuEWr6WL4pv3s6TKxkZuSLWqDPxXwSWxyjFtH+APM1/UyuNqWOcPp4Ur2UGzH4e
xziaKTCeTkXogcvd18hqHXj2pBkUkIv4cr8Sytra5L8fRCaCKk8wRVy4eoqRpyLQ
ojkpGgck1ZQ=
=8wZP
-----END PGP SIGNATURE-----

------------------------------

Date: Wed, 22 Jun 94 18:09:34 +0400
From: eugene
Subject: AVP 2.0 update D (PC)

Hello all!

Update D for Antiviral Toolkit Pro (AVP) ver. 2.0 is available on anonymous ftp site (Germany):

ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_200d.zip

Virus Help Centre BBS (Sweden):
Line #1 +46-26-275710 USR DS Modem 2:205/204
Line #2 +46-26-275715 V32 Modem 2:205/234

Best regards,
Eugene Kaspersky

--
Eugene Kaspersky, KAMI, Moscow, Russia
eugene@kamis.msk.su +7 (095)278-9412

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 44]
*****************************************

From: VIRUS-L Moderator
To: Multiple recipients of list
Reply-To: virus-l@lehigh.edu
Subject: VIRUS-L Digest V7 #45
Date: Mon, 27 Jun 1994 15:29:01 EDT

VIRUS-L Digest   Monday, 27 Jun 1994   Volume 7 : Issue 45

Today's Topics:

Re: Stealth and Self-encryption
Re: Nomenclature
Virus in GIF
Re: Good viruses/Bad viruses
Re: ARJ-, ZIP-viruses ?
Re: Bad and good viruses...
Re: The truth about good viruses
Re: The truth about good viruses
Good Virus?, here's a potential ironic example.
Re: The truth about good viruses
Re: Disabled viruses?
Re: Good virus ?
Re: Stop the madness! :-)
Killed the Monkey Virus (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Scan V115 (PC)
Re: MtE Virus info wanted (PC)
Re: FLIP and CANSU (V-SIGN) viruses (PC)
Re: dir/reg (PC)
Re: HELP: How add code into .EXE ? (PC)
Junkie virus (PC)
HELP!!!!! (PC)
New AV software (PC)
Little Fishies? (pc)
Re. Swiss virus (PC)
Re: Server-Downing Viri (PC)
Re: VIRSTOP 2.12 Freezes PC (PC)
Re: FYI: New PC Virus alert (PC)
Telecom Virus (PC)
Safe ANSI driver - where ? (PC)
Re: Jack The Ripper (PC)
Re: Server-Downing Viri (PC)
Monkey Virus Attack (PC)

----------------------------------------------------------------------

Date: Thu, 23 Jun 94 10:14:06 -0400
From: robertk@stack.urc.tue.nl (Robert Klep)
Subject: Re: Stealth and Self-encryption

Chris Sexton (itxcs@upsyc.psychology.nottingham.ac.uk) wrote:

: Hi,
: This may be an ignorant question, but can anyone please explain
: the difference between stealth techniques and self-encryption?
: Is either one something to do with making a DIR command (for
: example) not include the extra size due to the virus?

Yeah... that's stealth... it means that the virus will do its best not to be detected. There are several techniques that are used for this: not showing the extra size, circumventing AV software with on-the-fly disinfection, and much more...

: What does either method involve?

Self-encryption is a method to hide the actual virus code in an infected file. When it's used with a variable encryption key, (almost) every copy of the virus will be different... this is done to prevent AV software from 'locking on to' scan strings, which can be used to identify a virus.

: Thanks in advance,
: Chris

robertk

: ==========================.===========================================.
: | Chris Sexton             |  * * * *                                  |
: | ICL Institute of I.T.    |          *  ^___^                         |
: | Nottingham University    |_______________mm_(_o o_)_mm_______________|
: | University Park          |___l___l___l___l___l___l___l___l___l___l___|
: | Nottingham, NG7 2RG.     |_l___l___l___l___l___l___l___l___l___l___l_|
: --------------------------.-------------------------------------------.
: | csx@cs.nott.ac.uk        | "I'd rather have a full bottle in front   |
: | itxcs@psyc.nott.ac.uk    |  of me than a full frontal lobotomy."     |
: ==========================.===========================================.

------------------------------

Date: Thu, 23 Jun 94 10:14:58 -0400
From: dwd@umr.edu (Dan DeNise)
Subject: Re: Nomenclature

Fredrick B. Cohen (fc@Jupiter.SAIC.Com) wrote:

> How about this for a way to differentiate different types of viruses:
>
> Benign viruses
> Malignant viruses

How about Wild vs. Domesticated? Captures the sense that wild viruses are found 'in the wild' while domestic ones stay where you corral them and, under normal circumstances, don't gore their owners.

--
Daniel DeNise        dwd@umr.edu        1.314.341.4841
Computer Center      University of Missouri-Rolla
Missouri's Technological University

------------------------------

Date: Thu, 23 Jun 94 10:15:12 -0400
From: an24237k@aol.com (AN24237K)
Subject: Virus in GIF

This is probably a simple question, but is it possible to embed a virus into a GIF file?

------------------------------

Date: Thu, 23 Jun 94 10:06:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good viruses/Bad viruses

Adam Jenkins (Adam.Jenkins@dbce.csiro.au) writes:

> >Agreed. What I (and several others; the original term has been
> >proposed by Dr. Alan Solomon) call "real viruses" is not an
> >exact definition, it is not a scientific term at all, and can't
> >be found in any serious scientific paper about computer viruses.
> >In short, it's useless from the scientific point of view.

> Who cares what you call "real viruses"?

Well, both me and Dr. Solomon are considered authorities in the computer virus field, so I guess some people do care how we are calling those things. Whether *you* care about it, or whether you recognize our authority in this field, is a completely different subject, which, I am afraid, is rather irrelevant. Of course, you are entitled to your opinions - ain't freedom of speech wonderful?

> Since when were you an
> authority on the English language?

First, the term was initially coined by Dr. Alan Solomon from the UK, who happens to speak British English.
Second, I've heard that the American and the Australian dialects sometimes differ so much from it, that the respective people sometimes do not understand each other - maybe this is your case. Third, my English is certainly better than your Bulgarian. Fourth, I was speaking as an authority on computer viruses and not as an authority on the English language. Enough? > A real virus as defined by a > dictionary is an organism that is able to reproduce. OK, let's make it "real computer virus" then. > >Fact is that for most people the term "computer viruses" means > >those nasty little programs that invade their computers without > >authorisation, that often destroy data, and that always waste a > >lot of time and efforts. > Hmmmm these views aren't necessarily an accident, it is in both > the media and the anti-virus industry's interests to promote > these views. Those views certainly aren't an accident - they reflect the real losses of time, efforts and money that the real people have suffered from real viruses. The claim that such a view is in the interests of the anti-virus industry is certainly interesting - maybe you can supply some evidence to back it up? Why exactly is it in the interests of the anti-virus industry to consider computer viruses as the kind of programs described above? Methinks, the interests of the anti-virus industry is to sell anti-virus products and services. For this purposes, it is sufficient that the potential customers (a) know that there are computer viruses, (b) know that they are widespread, (c) know that some of them cause damage, and (d) want to get rid of them. How does the claim that *all* viruses are bad help the anti-virus insdustry? Will the benefits diminuish of it is admitted that beneficial viruses are possible? Why? Just asking... > And viruses like KOH do not waste time or effort; This is the third time I read about the dreaded KOH virus in this issue and I am getting really bored by it. No, KOH is NOT a beneficial virus. 
Yes, KOH can (and does) cause damage. > >You can't hope to change those people's view, so let's try to at > Why not? Because it's hopeless. :-) Most people who have tried have witnessed it. > It's a misconception, let's correct it, it is unethical > to let anti virus vendors sell millions of copies of their > software on the basis of people's ill founded fears. Oh! Is it? "Ill founded fears"? Do you know how often I am getting calls to help about a virus-related problem? About 2-3 times per day. And I am even not working on a virus help line. All this is without counting the countless times I have answered virus-related questions here and have helped people to recover from a virus attack. I guess, all those hare "ill founded fears"... I wish that there were a way to gather all the loudmouths like you and to force them to do our job - maybe then you will finally learn how "profitable" our profession is, and how "ill founded" those fears are... Wishful thinking... Loudmouths never do real work, by definition. > >New York Times article entitled "Bank Loses $10 Million Due to > >Computer Viruses. Are We All Doomed?". :-) > Perhaps it should read "Bank Loses $10 Million Due to Negligence > in their Computer Security". Except that it doesn't sell that well. > >fact that the media has twisted the noble word "hacker" to mean > >"a twit with no life who enjoys breaking into other people's > >computers". > Hmmm I've seen this argument before. The way I see it, the > confusion arises because in the early days of computing, hacking > meant using things that weren't known, and this often meant > breaking into systems etc. In those days it seems people had > better perspective, and realised that hacking to get more > computer time or for the challenge was more a misdemeanour than a > federal offence. 
Too bad, it seems that some people have lost this perspective now and are doing it "for fun", "to be cool", and so on, often without even bothering to understand *what* they are doing and *why* the list of system bugs they have snatched from a fellow cracker works, let alone how to fix them. Lots of loss of perspective, as it seems... > I still don't understand why a 14 year old > breaking into a bulletin board system is investigated by the same > law enforcement agencies that investigate drug cartels and > matters of national security. The blame should be as much on the > administrators not the hackers. That's certainly an interesting point of view. I suggest that the next time somebody breaks into your house, you tell the police to arrest you, because it's your fault that you have not put a better lock on the door. > >Well, maybe that the ticket! Since the term "computer virus" is > >already loaded with negative sense in the view of the public oppinion, > >maybe you should use a different term when you are talking about > >"useful replicating programs". > You keep saying this. Because (a) it is true, (b) it works, and (c) several companies are already doing this. > But to do this would continue the deceit > and why should the general public be kept in the dark just > because they are already in the dark? You think it would be much better to confuse them by telling them that computer viruses can be beneficial, without explaining them that you mean something completely different under the term "virus"? > >You will discover that most of them understand a computer virus > >as "something that came when I didn't want it". > Or "something that came when I was leeching several megs of > software that I didn't pay for". There seems a much higher > incidence of viruses transmitted in pirated software than in > original copies, who are we protecting here? Is there? Evidence, please. 
My own statistics show that the most widespread viruses have been distributed in some perfectly legal way. The prefered ones are: a boot sector virus on pre-formatted diskettes; a virus on the cover diskette of a computer magazine; a virus in a popular commercial package; (and only from time to time) in a shareware package. The claim that viruses are spread mostly by pirated programs is a completely unfounded myth. There is something else which is true however. In countries where the software piracy is widely practiced, the estime for intellectual property is very low, the programmers are less motivated to create useful code, and more people write viruses. Bulgaria and Russia are two excellent examples. (The widespread virus writing in the USA is caused by different factors.) > >Dr. Cohen, I am sorry to disappoint you, but relatively very few > >people have read the paper you are talking about. It's too > >technical for most. Most people prefer their morning newspaper > >as a source of information. > He mentioned it as a reference; and I would think it a much more > valid reference than a morning newspaper. It's certainly a better scientific reference. And just as certainly most people will prefer to read the morning newspaper instead. > I shudder to think at > what people would think if they believed everything that was > found in the newspapers. But people do believe all the nonsense that is in the newspapers - at least most of them do so. Welcome to the real world. [CARO] > Perhaps not money, but it is in the groups common interest that > all viruses be regarded as dangerous and unwanted. Is it? Why? I can't follow you here. Please, elaborate. > I think this > is why people like yourself keep sniping at the virus researchers > that are looking at things with a more realistic perspective and > are not as closely affiliated with groups that profit from public > fear. So, what is exactly my interest in this? 
Perhaps you think that I am a masochist (sp?), enjoying working 14 hours per day on a half-time job, ruining my health, and replying to stupid questions? Oh, yes, the "virus researchers". Who are they? I don't know any self-respecting scientific researcher, besides Dr. Cohen, who claims that computer viruses can be beneficial. And my only gripe with Dr. Cohen is that he should take more care to explain (with simple words) that what he is talking about is something completely different from what most people undertsand under the term "computer virus". I'm not even arguing whose understanding is more correct and am ready to admit that he is right and everybody else is wrong. I only want him to emphasize that he is talking about something *different* - in order not to give an excuse to the crowd of malicious "real" virus writers to condone their acts. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 23 Jun 94 10:16:55 -0400 From: pike@UTKVX.UTCC.UTK.EDU (HANK PIKE) Subject: Re: ARJ-, ZIP-viruses ? Kazatski Oleg Nikolaevitch writes... > > Are there scanner which scan viruses in incompressed, >self-extracting programs and .ARJ (.ZIP) files ? What is his name ? >Are there viruses which really infect .ARJ and .ZIP files ? Norton Antivirus 3.0 (NAV) has an optionto scan within compressed files. F-prot can scan all files so I assume it scans in compressed files too. Anyone know for sure? Frisk? ------------------------------ Date: Thu, 23 Jun 94 10:17:59 -0400 From: bradleym@netcom.com (Bradley) Subject: Re: Bad and good viruses... Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) wrote: > 12 May bradleym@netcom.com (Bradley) wrote: > > How about KOH? 
Also the Potassium Hydroxide virus. It will encrypt your > > HD for you using the IDEA algorythm. > Tell me please about Potassium Hydroxide virus. It's a virus that does what I said. It includes an uninstall option for the hard drive. If you want to know more, I have the full KOH document in my little personal FTP site: ftp.netcom.com:/pub/bradleym Just read the KOH.readme to find the KOH directory, and DON'T take the actual program out of the U.S. because it's export controlled. Next time you qoute, please be more careful. I didn't say the following things. > > A virus by nature is what? It's intention is to produce copies > > of itself and attach these copies to your programs (without you > > knowing) and either display a message, play a tune, fill up your > > disk, destroy data etc... How can this be good? NOT POSSIBLE!!! > I am agree. There are not good and harmless viruses. Also boot > viruses modify my boot sector without my wishes. Prove it. I only have to name one Good Virus (tm) to prove you wrong, and I have. But I think many people would admit that it's preferable to not have the majority of the viruses on thier computer. > > Any program that functions to work without the owners approval is > > harmful. > YES, and once more YES ! But most programs DO. That's what programs are for. I can't think of a single install program that actually included a list of what it was going to do. Bradley - -- bradleym@netcom.com finger for PGP public key Hayward, CA ------------------------------ Date: Tue, 07 Jun 94 16:49:21 -0400 From: 39534@brahms.udel.edu (Scott Ste Beardsley) Subject: Re: The truth about good viruses UCC DASD Administration wrote: >>Date: Wed, 11 May 94 01:06:17 -0400 >>From: pjc@as03.bull.oz.au (Paul Carapetis) >>Subject: Re: The truth about good viruses >> >>I have yet to be convinced that _any_ virus can be _known_ to be >>benevolent. >> I am yet to be convinced that any software can be known to be benevolent. 
Anyhting you can do to ensure the validty of software can be used on virii. Crypto signatures, checksums, trusted suppliers etc... >>No matter how talented a programmer wrote it, no matter how honourable its >>design intentions, no matter how well it worked when it was first released, >>how can the integrity of said virus be confirmed by the time it infects >>your (or my) machine? Wouldn't a known "benevolent" virus be the perfect >>target for one of the twisted minds that create the "malicious" variety? I >>can just see it... Gee don't they already do that to regular software? It's called Trojan Horses. What can be used to ensure that the shareware of software you have gotten is of the same integrity as it is advertised or as yu percieve it to be? >> >>No thank you very much! I want full control over everything that is run on >>my system, and a virus must already be running in order to ask permission >>to infect, so how can I be sure it has not already taken any action? Then im afraid you'll have to write all your own software and OS. OR you could run an OS that allows acces to all sourcecode like Linux. Otherwaise you really don't know whats going on now do ya? I installation prgram must allready be running to ask if you wish to insallthat new graphics program you bought, how do you know it hasnt done something already? > >I think this illustrates quite nicely the whole problem with beneficial >viruses. That being the lack of a trusted path. When I buy a software >package, or down load a shareware program, or buy a Rolex watch from the >trenchcoat of a gentlemen on the streets of Manhattan, I am depending on a >certain avenue through which this product came. How reliable is that >path? It's one thing to talk about self replicating code in the ivory >confines of a researcher's tower. And I don't doubt the veracity of those >claims. But once you pass those doors and come out into the gene pool, >you loose that element of verifiability. 
An unknown program running on my >computer is suspect, even if it says, Hi! I'm from the Government/Virus >Research Department/Mensa club, and I'm here to help you..... As the >saying goes, How do you know where it's been? Once again the sawm can be said for any software which you don't compile yourself or have full acces to the source code, and that you are skilled enough to understand. You CAN use crypto signatures, and other things to verify it's intergrity, but the same thing could be done to virii. > >I don't think the most important question is whether beneficial viruses >exist. But how could you tell if you had the real thing? The same way that you can tell if the OS your running is benificial, and if it's windows, than we know you've been had already 8) ------------------------------ Date: Tue, 07 Jun 94 18:53:57 -0400 From: hiscrp@leonis.nus.sg (C R Pennell) Subject: Re: The truth about good viruses At the risk of starting this all over again, would someone PLEASE tell me what are the supposed benefits of a "good" virus? What are they supposed to do? Why are they supposed to be better than allowing me to go out an buy/ download something that I specifically asked for? I've been looking for this info in the argument, but it's been a bit like coming in after the film has started. Only this one appears to have no plot at all. Richard Pennell History national Uni of Singapore My opinions not NUS's ------------------------------ Date: Tue, 07 Jun 94 23:51:19 -0400 From: nhirsch@panix.com (Norman Hirsch) Subject: Good Virus?, here's a potential ironic example. I've seen a few messages about the potential good virus. Here's a potential example that I throw out for analysis/opinion. Ironically it's the VIR.DAT file of NetShield. Background: NetShield is McAfee's anti-virus NLM for Novell servers. The encrypted database of viruses that the NetShield NLM uses when it scans for viruses is the VIR.DAT file. 
When new virus strings are found, they are added and a new, updated VIR.DAT file is created and distributed. (The latest VIR.DAT file is zipped up in McAfee's filename: VIRDT115.ZIP.) Scenario: In a multiple server environment with NetShield running on each server, NetShield can be configured with "Cross Server Updating Enabled". With cross server updating enabled, if the VIR.DAT file on the one server is updated (by copying a new VIR.DAT file over the older file), VIR.DAT will then proceed to copy itself to all the other servers and automatically update the virus database on each server. One can certainly argue that VIR.DAT is a "good virus" because it reproduces itself across the network to other servers without intervention. It, of course, needs the environment of having cross server updating enabled plus NetShield on each server, etc. In actuality, it is the NetShield NLM that is facilitating the reproduction of VIR.DAT so perhaps this is an ironic variation and an arguable example of a good virus! The argument seems to reduce to what degree can the environment itself contribute to the reproductive behavior. Each "virus" (good or bad) needs a certain environment to reproduce. VIR.DAT needs NETSHLD.NLM and cross server updating enabled. A "bad" virus might need command.com or the hidden files or ? The next step in this direction would be the argument that programs that do "software distribution" across a network are in fact facilitators of good viruses. The bottom line of my analysis of these examples is that it shows the ridiculousness of trying to talk about good viruses. IMHO, there is no good virus because for all practical purposes, a virus is a bad thing by definition. Using the definition that "something nice that replicates is a good 'virus'" is an oxymoron (sp?) as far as I'm concerned. 
Best regards, Norman Hirsch ------------------------------ Date: Wed, 08 Jun 94 03:33:53 -0400 From: computergy@aol.com (Computergy) Subject: Re: The truth about good viruses UCCDASD Administration writes: I have concerns about a 'good' virus. As anyone who uses computer software on a regular basis even the best program can have errors and glitches. A 'good' virus no matter how well written is bound to have some conflict with other software or equipment that causes it to do a bad thing. Since there are millions of combinations of computers and software there is always going to be a chance that the virus will do something wrong. Computergy @ Aol.com All knowledge is power. --Emerson ------------------------------ Date: Wed, 08 Jun 94 04:17:31 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Disabled viruses? dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes: >res@bfs.uwm.edu (Ralph Stockha >usen) writes: >>I would like to check out the functioning of my anti-virus setup. Are there >>any "disabled" viruses available that my program could detect, but would be >>safe have on a test floppy? >>Thanks, >>Ralph >Doren Rosenthal has one, but I forgot her full email address Well, as I have said several times before...the programs created by the virus simulator are not viruses, so anti-virus programs should *not* detect them at all. Some scanners may or may not detect them, but detection (or failure to detect) says nothing about the ability of the scanner to detect the actual viruses. - -frisk Fridrik Skulason Frisk Software International phone: +354-1-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274 ------------------------------ Date: Wed, 08 Jun 94 08:07:11 -0400 From: "The Radio Gnome" Subject: Re: Good virus ? Hi, Another thought on the operation of a 'good' virus. Wouldn't such a program use the same sort of mechanisms to spread as bad viruses? If so, then all the existing anti-virus TSRs would stop it in its tracks. 
If it found a way around F-PROT for example, then some cybervandal would inevitably reverse engineer it and attach a harmful payload, thus making the 'good' virus an unwitting 'partner' in creating the next generation of harmful virus technology. Short term benefits with long term negative complications. Starting to sound like nuclear power? :-) Re: compression... not all EXEs (fewer and fewer with Windows and more advanced OSs) are compressable, even though they might 'look' so. Even PKlite stumbles on some. Take the following scenario: "Hello, I am the Space Saver(c), should I compress your programs? (125 programs to compress, 9.2Mb of disk would be saved) (y/n) Y .compressing... DONE! IPX NETX (oops! this program uses self modifying code or some other trick) workstation hangs, NIC generates a packet storm, file server ABENDS running NCP... Congratulations, the 'good' virus just kicked 100+ students off of the lab net, luckily the routers stopped the storm from speading to the campus backbone. The real issue here is control. When the user or administrator has control away from them, the problems start. BTW, how is a program like WSUPDATE (Novell Netware) classified? I just posted a note on the Novell list about using it to control DOOM and other nuisance net games. - -------------------------------------------------------------------------- Politics is not the art of persuasion, its the science of selfishness Andy Wing - Temple University Computer Services ------------------------------ Date: Thu, 09 Jun 94 07:08:33 -0400 From: "Fredrick B. Cohen" Subject: Re: Stop the madness! :-) "Brian H. Seborg" writes: > Yes it's time again to fire another salvo over the bow of the good > ship Malarkey! I challenged Fred Cohen to provide us with > documentation on "good viruses" and he referred us to his book (this > from someone who had just maligned anti-virus software authors as > stoking the flames of public fear just to make a buck! 
By the way, > Fred has his own anti-virus package on the market, but I would never > suggest that he was trying to get people to write "good" viruses so > there would be a greater need for his package! :-)). Several inaccuracies here. 1 - I do not have an antivirus package on the market - it was licensed long ago to a Danish firm - SR 2 - There is a big difference between making a buck by scaring people needlessly and paying for the costs of doing research by publishing results through a reputable publisher. You seem to have no objection to paying for many less reputable researchers via your tax dollars. > As Ross > Greenberg so aptly pointed out, I'm sure Fred could enlighten us in a > paragraph so we wouldn't have to wait to buy his book for an answer! As Vesselin Bontichev so aptly pointed out, it often takes more than a paragraph to understand the issues of how life works. You don't have to wait to buy my book, it has been out for some time. I will, however try to help enlighten you by responding to your questions in a form that will encourage you to take the time and effort to get the whole story by reading my books. > Also, Fred seems to be making a claim that if a virus asks your > permission to spread that it is okay! This is idiotic! First, > consider this, for the virus to ask your permission to spread, it has > to be running on your PC without your permission! Vesselin, I can't > believe that you bought off on this lame distinction! :-) I don't think I ever said that, and I do not think it is idiotic. Naturally, people who are context bound such as you seem to be may not see some of the other ways that permission can work. I hope you will decide to read my book to learn about different ways of thinking about the issue. > Another point, Fred, have you ever heard of version control? How > about change control? How would you affect these via a virus? Yes indeed, I have. 
In fact, if you would have read my books on the subject, you would probably find that I know quite a bit about these issues and have investigated them in some depth. Unfortunately, I cannot detail all of the issues of change control in such a small space, but if you read my books, you will hopefully come to understand just how these issues can be addressed and how most current change control systems miss the mark. > Here's > a scenario, I send out a "good" virus (Ha, ha, ha, sorry, I can't keep > myself from laughing!) throughout my corporation. It must be very enjoyable to laugh while slandering ideas you have not yet taken the time to investigate, but I think that you would make a much better case and sway more people to your point of view if you would think more and abuse less. > This is the > infamous compression virus (hee, hee, sorry!) that will compress any > executable file it encounters. First, though, to be a "good" virus it > asks permission to infect the system ("Hi, I am Fred Cohen's > compression virus, I am very nice and will help you save disk space, > is it okay for me to infect your computer?"). I did not write the infamous compression virus, I wrote some of the famous ones that preceded some of the commercial products that are widely used to reduce disk usage and increase performance. My viruses do not get their authorization to spread in such a way. If you would take the time to read my works, you would probably already know that, but people who laugh at new ideas without bothering to investigate them often encounter this problem. > Of course unless every > user in the corporation is computer literate they will probably reboot > the computer at this point, but, humor me and I'll continue. I don't understand why computer challenged people would reboot their computers if this message appeared or what that has to do with the issue of benevolent viruses. 
> Assuming > the user allows the virus to infect (will it ask this same question > everytime it attempts to infect another file? Perhaps I am giving you too much credit, but I bet that if you spend some time thinking before typing, you could come up with a better way. > Man, would this be > boring or what?) it will then ask, "Hey, this file is not compressed, > would you like me to compress it?" (would it ask this every time it > encountered a non-compressed executable, or would it be able to flip a > bit to store the fact that the question had already been asked and > answered in the negative? What if the next time I DID want it to > compress the file? Would the virus just neglect to ask me so that I > would not get any benefit from it?). Also, I can see the user saying, > "Damn, how do I turn this stupid thing off!" after about the 10th time > the virus asks permission to do something! I have a similar problem with lots of poorly designed programs that ask stupid questions and don't adapt well to me, but that has nothing to do with being a virus, only with the limits of the program's ergonomics. Perhaps if you took some time to look into this subject, you could contribute to writing better programs. > > One more issue, how will you make sure the virus gets control in > memory? Will it infect command.com or one of the system areas so that > it makes sure to get control every-time? If this is the case, then > how many different "good" viruses can use this same paradigm before > you run out of space in command.com (I guess we could change it to > command.exe and then load it up with different special purpose viruses > and make it an even greater lumbering behemoth than it is now!) Actually, you should read my books and find out about other ways viruses can work. There isn't enough room here to detail all of them. > > Now, let's say you want to upgrade this virus. How are going to > enforce version control? 
In other words, you have a faster, better > compression algorithm, and you update the virus and now you want to > make sure it is in place throughout the corporation, how do you affect > this change? How do you even know the first version even made it to > all PCs? One more thing, not all PCs are network connected, how do > you get the virus and the upgrades to the laptops (this is a tough > enough issue for legitimate software)? You know, you are starting to make me feel as if I am very smart because solving these problems wasn't that hard for me to do. But maybe it's you that are not thinking hard enough. Try this. For each question you have written, think until you find a good way to solve the problem. This will probably take a few years if you continue to ask questions. Then, write down all of the issues and the ways to resolve them, and publish them in a book. Then listen to people like you claim that you are an idiot. I will, of course, help defend you. > > Finally, how do you ensure that the virus does not leave your > corporate environment for parts unknown? (other people's PCs?) Even > if you had a method of doing this, how much would it cost and how big > would the virus be at this point? What if it did get out? It would > seem that you'd be legally liable for any damage it did, or trespass > at the least. But, I digress... Suffice it to say that the concept > of a "good" virus all sounds good theoretically, but when you give it > a "reality-check" the notion of "good" viruses beyond the confines of > a laboratory environment shows itself to be the ludicrous idea it is. > Maybe I've been spending too much time in the real world! :-) I guess > I'll just have to buy Fred's book! :-) From your electronic mailing address, I had guessed you worked for the FDIC, and agency of the US government. Most people would not consider that the "real world". 
But as a reality check, I have been working most of my time for a wide variety of corporations of all sizes, government agencies, and community organizations for most of the last ten years. There have been benevolent viruses operating in commercial applications since 1985, and none of them have ever caused any of the problems you claim to be unaviodable. I guess you will just have to buy a copy of my books! > > "..castles made of sand slip into the sea eventually..." > > -Jimi Hendrix Here here! UCC DASD Administration writes under an anonymous ID (no human name on this account) > ... > I think this illustrates quite nicely the whole problem with beneficial > viruses. That being the lack of a trusted path. When I buy a software > package, or down load a shareware program, or buy a Rolex watch from the > trenchcoat of a gentlemen on the streets of Manhattan, I am depending on a > certain avenue through which this product came. How reliable is that > path? It's one thing to talk about self replicating code in the ivory > confines of a researcher's tower. And I don't doubt the veracity of those > claims. But once you pass those doors and come out into the gene pool, > you loose that element of verifiability. An unknown program running on my > computer is suspect, even if it says, Hi! I'm from the Government/Virus > Research Department/Mensa club, and I'm here to help you..... As the > saying goes, How do you know where it's been? A very interesting and valid point to be addressed. And it has been addressed in my books. But without even referring to them, I don't understand what the issue of a trusted path has to do with viruses and does not apply to anyothr program. Obviously, if you purchase a benevolent virus from a guy in a trench coad who is selling fake Rolex watches, or if you take a gift virus from the NSA, you are asking for trouble. But the same is true regardless of whther it is a virus or any other software. 
> > If some people came to your house and said, You just go away for a few days. > We're going to clean your house for you, fix the roof and install a Jacuzzi > in the master bedroom. Trust us. We're Nice People. Maybe they're telling > the truth. But if they have no credentials, references or licenses, how > would you know? Would you hand over the keys to your house? But of course, in the computing environment, we do this far too much. We commonly allow programs to operate for millions of instructions without chceking on them. This mail is being sent through hundreds of computers over which we have no control, and yet we choose to trust them. I agree strongly that we need better integrity controls for all information technology, but again, I don't understand what this has to do with viruses as opposed to all software. > > I don't think the most important question is whether beneficial viruses > exist. But how could you tell if you had the real thing? > Here here! We need to only buy computer viruses from legitimate sources. I agree that the same standards should be applied to the purchase of benevolent viruses as any other program. FC ------------------------------ Date: Thu, 23 Jun 94 10:12:35 -0400 From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy) Subject: Killed the Monkey Virus (PC) I would like to share an experience with the "Monkey" computer virus on June 3, 1994. A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him to recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my Anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. 
Of course, I said STOP.. The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from a clean floppy, the hard disk drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT) which will delete the boot sector, find the original file and restore the machine. Also, the floppy disk boot sectors were rebuilt using NDD to prevent re-infection.
Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present. Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt. The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
molloyt@iia.org

------------------------------

Date: Thu, 23 Jun 94 10:13:50 -0400
From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

frisk@complex.is (Fridrik Skulason) writes:
]heilfort@ap01.physik.uni-greifswald.de (Matthias Heilfort) writes:
]
]]I have uploaded to the SimTel Software Repository (available by anonymous
]]ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):
]
]]SimTel/msdos/virus/
]]vbait12.zip Simple virus bait, detects COM infecting virus
]
]"Detects COM infecting viruses"...hmm... Is it able to detect infection
]by stealth viruses ? If not, I would say a redesign was required.
]
]- -frisk
]

Speak plainly (as I installed this virus bait). Is it worthless? (i.e. just takes up disk space) harmful? (i.e. gives a sense of false security) helpful? (i.e. works as advertised) ?-)

rmd@med.pitt.edu
- --
:-) rmd@med.pitt.edu

------------------------------

Date: Thu, 23 Jun 94 10:14:34 -0400
From: auyanged@jhunix.hcf.jhu.edu (Edward D. Auyang)
Subject: Scan V115 (PC)

I have McAfee's Scan v115...upon entering the command, the hard drive is accessed for a second or so before the memory check...anyone know what it's doing? Also, has anyone had VShield successfully intercept a virus? Please mail me rather than post.

TIA
Ed

------------------------------

Date: Thu, 23 Jun 94 10:17:09 -0400
From: pike@UTKVX.UTCC.UTK.EDU (HANK PIKE)
Subject: Re: MtE Virus info wanted (PC)

"Jeff E. Lewis" writes...
>I would appreciate information on "MtE" which I "found" on my
>machine with Norton Antivirus 2.1. This was NOT indicated by
>
>cpav (1991?)
>microsoft anti-virus (1993)
>mcafee scan 106
>mcafee scan 108
>
>but there was no doubt that something was present since scandisk
>recovered 90 mb of hard disk space 11 days after I started using
>the indicated infected program.
>Thanks,
>Jeff E. Lewis
>

Jeff,
If you want a great antivirus program, try F-prot, it is available free to private users and it is by far the best AV program I have found. Stay away from McAfee, it is no good from what I have seen. It could not clean up the MONKEY virus and F-prot got it right away.

hp

------------------------------

Date: Thu, 23 Jun 94 10:17:25 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: FLIP and CANSU (V-SIGN) viruses (PC)

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:
>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
>Subject: FLIP and CANSU (V-SIGN) viruses (PC)
>Date: Tue, 21 Jun 1994 10:23:12 EDT

>Hi All,
>After having a recent _nightmare_ with my PC (work deadlines
>and a virus attack) I found *TWO* of the critters on my machine.
>These were the FLIP virus and CANSU (or V-SIGN).
>When one of them acted, it savaged my partition table and FAT,
>meaning I couldn't access any files. If it wasn't for Norton
>Utilities and McAfee I'd be up the Khybosh without a paddle.
>NU completely rebuilt my FATs and Partition table, and saved
>the day. I thought it was a general hardware failure of the
>hard drive, not a virus.
>My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't
>work out which of these viruses actually did the damage. I've
>got a feeling it was FLIP, as CANSU seems a pretty harmless
>beast (wiping system files is harmless compared to major
>h/d failure ;-) ).
>Anyway, I'd appreciate any suggestions as to which one caused
>me so much hassle, and also any other stories of run-ins with
>either of these babies.
It is hard to say exactly what has happened without seeing the disk, but I think what has happened is:
1. The virus caused damage to your partition sector.
2. Norton finished the work :-(

Now you need an expert who could have a look at your hard disk. But because of 2. it might be gone.

Kari Laine

------------------------------

Date: Thu, 23 Jun 94 10:18:09 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: dir/reg (PC)

>We received a demo diskette from Network Computing Inc. for a program called
>LAN Page. It was version 1.0.5. When it arrived, it was taken out of the
>package, write protected, and inserted in a workstation protected by VIRSTOP
>2.12. The intercept immediately reported a FORM infection in the boot sector.
>F-Prot 2.12 was able to remove the virus and everything seems to be fine.
>We called the company's tech support line and reported it. They said that it
>isn't the current shipping version, but they will check out the duplicator
>stations to be safe.

Hi Diane, could you confirm that there was really a Form on the diskettes sent out by this company? Have they confirmed, or who else did?

Regards
Kari Laine

------------------------------

Date: Thu, 23 Jun 94 10:19:10 -0400
From: simoaro@freenet.hut.fi (Simo Aro)
Subject: Re: HELP: How add code into .EXE ? (PC)

In the previous article cogni@actcom.co.il (Michael Cale') says:
>May be someone can help me - send any working code or write what are ALL
>needed procedures to add code into .EXE correctly.
>P.S. DON'T WORRY - I DON'T TRY WRITE VIRUS.

Even if you are NOT coding a virus, have a look at some EXE-infecting virus source. And try to find 40HEX virus magazines; there was a good article about EXE-infectors (in issue #8 or #9).. When you know a lot about EXE-infectors, it should be a lot easier to write such a program as you were about to do.
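[Editor's added example, not part of the post above or of any source it mentions.] The question of "ALL needed procedures to add code into .EXE" comes down to a handful of MZ header fields: e_cparhdr (header size in paragraphs), e_cp/e_cblp (image size in 512-byte pages plus bytes in the last page), and CS:IP (e_cs/e_ip, the entry point relative to the load image). The Python script below parses those fields, models the append step so you can see exactly which fields move, and then runs the consistency checks an integrity tool would use to notice that an executable has been extended: image size vs. file size, entry point placement, relocation table bounds, and a baseline SHA-256. The sample EXE bytes, the 16-byte stub and the "entry point in the last 10% of the image" threshold are all constructed for this example; the sample is not meant to be run under DOS.

```python
"""Added example: which MZ (DOS EXE) header fields an appender must update,
and the consistency checks that let an integrity tool notice appended code."""
import hashlib
import struct

# 28-byte MZ header: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc,
# e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
MZ = struct.Struct("<2s13H")
FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
          "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")

# Constructed sample data (not real programs): a NOP sled ending in INT 20h,
# and a 16-byte stub that an appender would bolt on and branch to first.
CLEAN_CODE = b"\x90" * 510 + b"\xcd\x20"
STUB = b"\xcd\x20" + b"\x90" * 14


def parse_mz(data: bytes) -> dict:
    """Unpack the fixed part of the header; reject anything that is not an EXE."""
    if len(data) < MZ.size:
        raise ValueError("file shorter than an MZ header")
    hdr = dict(zip(FIELDS, MZ.unpack_from(data, 0)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    return hdr


def declared_size(hdr: dict) -> int:
    """Bytes the loader reads: e_cp 512-byte pages, e_cblp bytes used in the last one."""
    if hdr["e_cblp"] == 0:
        return hdr["e_cp"] * 512
    return (hdr["e_cp"] - 1) * 512 + hdr["e_cblp"]


def entry_offset(hdr: dict) -> int:
    """File offset of the first instruction: header, then CS:IP relative to the image."""
    return hdr["e_cparhdr"] * 16 + hdr["e_cs"] * 16 + hdr["e_ip"]


def check_exe(data: bytes) -> list:
    """Header/file consistency checks; an empty list means nothing looked odd."""
    hdr = parse_mz(data)
    findings = []
    hdr_len = hdr["e_cparhdr"] * 16
    if hdr_len < MZ.size or hdr_len > len(data):
        return ["header size (e_cparhdr) inconsistent with the file"]
    if hdr["e_crlc"] and hdr["e_lfarlc"] + 4 * hdr["e_crlc"] > hdr_len:
        findings.append("relocation table runs past the header")
    size = declared_size(hdr)
    if size > len(data):
        findings.append("declared image larger than the file (truncated?)")
    elif len(data) > size:
        findings.append(f"{len(data) - size} bytes beyond the declared image "
                        "(overlay or unaccounted append)")
    entry = entry_offset(hdr)
    if entry >= size:
        findings.append("entry point outside the load image")
    elif entry >= size - max(64, size // 10):
        # Assumed threshold: appended code normally sits at the very end of the image.
        findings.append("entry point in the last 10% of the image (typical of appended code)")
    return findings


def digest(data: bytes) -> str:
    """Checksum for a baseline database; header checks alone cannot replace this."""
    return hashlib.sha256(data).hexdigest()


def changed_since_baseline(data: bytes, baseline: dict, name: str) -> bool:
    return baseline.get(name) != digest(data)


def build_exe(code: bytes) -> bytes:
    """Constructed minimal EXE: 32-byte header (2 paragraphs), code, entry at CS:IP 0:0."""
    total = 32 + len(code)
    hdr = MZ.pack(b"MZ", total % 512, (total + 511) // 512, 0, 2, 0, 0xFFFF,
                  0, 0x100, 0, 0, 0, MZ.size, 0)
    return hdr + b"\0" * (32 - MZ.size) + code


def append_code(exe: bytes, stub: bytes) -> bytes:
    """Model of the append step: the stub goes after the load image (paragraph
    aligned), CS:IP is pointed at it, and e_cp/e_cblp are recomputed so the loader
    maps it. Overlays beyond the declared image and chaining back to the original
    entry point are deliberately left out; this only shows which fields move."""
    hdr = parse_mz(exe)
    body = exe[:declared_size(hdr)]
    body += b"\0" * ((-len(body)) % 16)
    new_cs = (len(body) - hdr["e_cparhdr"] * 16) // 16
    body += stub
    total = len(body)
    new_hdr = MZ.pack(b"MZ", total % 512, (total + 511) // 512, hdr["e_crlc"],
                      hdr["e_cparhdr"], hdr["e_minalloc"], hdr["e_maxalloc"],
                      hdr["e_ss"], hdr["e_sp"], hdr["e_csum"], 0, new_cs,
                      hdr["e_lfarlc"], hdr["e_ovno"])
    return new_hdr + body[MZ.size:]


if __name__ == "__main__":
    clean = build_exe(CLEAN_CODE)
    baseline = {"sample.exe": digest(clean)}
    modified = append_code(clean, STUB)
    for label, image in (("clean", clean), ("appended", modified)):
        print(label, len(image), "bytes, entry at", entry_offset(parse_mz(image)),
              "changed:", changed_since_baseline(image, baseline, "sample.exe"),
              check_exe(image) or "no findings")
```

The header checks are heuristics: a linker-produced overlay will trip the "beyond the declared image" check and a careful appender can keep every field consistent, so the baseline digest is the check that actually carries weight; the header parse mostly tells you where to look once the digest has changed.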
------------------------------

Date: Thu, 23 Jun 94 10:19:24 -0400
From: rbhessing@amoco.com (Bart Hessing)
Subject: Junkie virus (PC)

I recently read something about a new, advanced virus called "Junkie", but don't have any details about it. Can anyone enlighten? Thanks.

------------------------------

Date: Tue, 07 Jun 94 19:49:52 -0400
From: c007@Lehigh.EDU (ERIC A. MEEKER)
Subject: HELP!!!!! (PC)

I'm pretty sure I have a virus on my computer but I have no idea what it is or how to get rid of it. I've been trying a few virus scanners, etc. and have no luck. The only thing I noticed is that the virus is adding (usually) 959 bytes to most executable files. I have a program called vsafe that tells me what is being changed, but it does nothing to remove it. If ANYONE can help me, please write to the Internet address below. Thanx in advance!!!

Eric Meeker
Internet address: c007@ns1.cc.lehigh.edu

------------------------------

Date: Wed, 08 Jun 94 02:36:25 -0400
From: tluten@delphi.com
Subject: New AV software (PC)

Greetings, wizards! I'm new to the net, and came because I thought I'd find a collection of virus experts here. I think I have. My purpose is to seek advice. I may have an opportunity to do some work with a start-up that proposes to market a new AV product. My problem is that I have a sense the AV market is pretty well served already. Three years ago, it seems that I was reading about computer viruses every other day. I know that when Michelangelo was about to go off, we bought Norton AV, Flushot, got a copy of SCAN, and worried a lot. Not so much now. I read that Windows files are basically uninfectable. Does the rise of Windows spell the end of virus concerns? Do concerns over viruses spell the end of DOS? So, if we posit a new AV product with essentially a 100% hit rate, very fast integrity checker, heuristics, etc., etc., in short a betterfasternotcheapersmarter product, does anyone care? Does the world want/need a new AV product?
And by the way, what does it take in an AV company to be a top three player? All responses welcome! And thanks for your time.

Tom Luten

------------------------------

Date: Wed, 08 Jun 94 03:39:46 -0400
From: computergy@aol.com (Computergy)
Subject: Little Fishies? (pc)

About a year ago I had to do a search and destroy mission on a client's machine. I knew there was a virus lurking but only one program out of four I used would detect and clean it. I believe it infected the partition table on the hard drive. It would replicate onto every floppy disk placed in a drive. (took hours to track down all floppies that had been in the machine.) When active it would slow the machine to a crawl, then lock it up, and display the words 'Save the Little Fishies'. I have never read anything about a virus of this sort. For personal interest, does anyone have an idea?

Thanks
Computergy@aol.com
All knowledge is power.--Emerson

------------------------------

Date: Wed, 08 Jun 94 03:47:18 -0400
From: riordan@tmxmelb.mhs.oz.au (Jakub Kaminski)
Subject: Re. Swiss virus (PC)

Gerard Ineichen writes:
>A student has found a "swiss virus" that infects the boot record. It seems
>to be a new variant of the virus. Mac Afee scan 114 lists it but i haven't
>found more info.
>
>Be careful : it isn't the swiss phoenix nor the Swiss 143.

Gerard,
Probably you've found the Swiss Boot virus (Swiss Army or Armee). It is a DOS Boot Sector virus. It infects floppies (as far as I know it doesn't affect 1.44M diskettes) and the DOS Boot Sector of the active partition on a hard disk. It is 3 sectors long. When it infects a hard disk it hides the original DBS and its two sectors inside the last three sectors of drive C:. When it infects a floppy it hides the original DBS and the rest of itself in the first two unused clusters and marks those clusters in the File Allocation Table as: "". When you boot off the infected floppy the virus infects the hard disk.
After booting from an infected hard disk it goes memory resident (catches int13). It infects a diskette if it detects int13, ah=2, ch=0 (read cylinder 0). It's not a stealth virus so you can clean an infected hard disk even if Swiss Boot is active in memory, but of course it's always safe to boot off the system disk first. On the 7th of February it displays the message and overwrites all sectors!!! The message is encrypted in the last sector: "Schaft die Schweizer Armee ab !" ("Abolish the Swiss Army!"). I think there is a variant that triggers on the 2nd of February but it's so easy to produce plenty of them :-/

Regards,
Jakub Kaminski

riordan.cybec@tmxmelb.mhs.oz.au (Jakub Kaminski)
CYBEC Pty Ltd.                     Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA   Fax: +613 521 0727

------------------------------

Date: Wed, 08 Jun 94 04:31:52 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Server-Downing Viri (PC)

U56513@uicvm.uic.edu (Christopher Aedo) writes:
>One of the books on NetWare listed a few viruses that were common
>threats to NetWare. These viruses are:

There is absolutely nothing NetWare-specific about the viruses...they are just fairly common file viruses....that's all.

>According to the publication, these viruses will move from an
>infected workstation, onto the server.

Most file viruses will do so (boot sector viruses will not). However, in many cases the viruses can be stopped easily by simply making shared directories read-only, and by making the shared programs "execute-only". There are a few viruses that are Netware-specific and attempt to use loopholes in some particular versions of Netware, but they are not among those you listed.

- -frisk

------------------------------

Date: Wed, 08 Jun 94 04:39:14 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: VIRSTOP 2.12 Freezes PC (PC)

gus@jomega.eglin.af.mil (Eric P. Augustus) writes:
>I don't recall the exact reasons why virstop hangs with 386max, but if
>you use the '/notrace' command line parameter it'll work okay.

right.
The exact reason....uh, well...Virstop uses some "dirty tricks", and 386max does too....and those tricks are mutually incompatible. The /Notrace also fixes a few other incompatibility problems - it makes Virstop work on old Cyrix 486SLCs (which are not 100% Intel compatible), as well as on machines with old DR DOS 3.x

- -frisk
Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: 08 Jun 94 09:41:17 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: FYI: New PC Virus alert (PC)

As far as I know (Chinon have yet to send me a sample) this is a Trojan, not a virus. The description seems to have varied somewhat from the original press release. I may be wrong.

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Wed, 08 Jun 94 05:10:50 -0400
From: watson (John Watson)
Subject: Telecom Virus (PC)

Can anyone e-mail me information about the Telecom virus. Thanks
John

------------------------------

Date: Wed, 08 Jun 94 14:04:15 -0400
From: mramey@u.washington.edu (Mike Ramey)
Subject: Safe ANSI driver - where ? (PC)

Can anyone tell me where to get a shareware -safe- ANSI driver? Some of the programs used in our computer lab require ANSI.SYS. PKSFANSI is -not- included in the shareware version of PKZIP.

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:
>> I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about
>> ANSI bombs. It's a sequence of characters embedded in a text file which can
>> be interpreted by ansi.sys to do something unexpected, like redefining
>> the keyboard to replace the enter key with deltree c:\*.* /y
>> He spoke of a defense against it with a program by PKware called PKSFANSI
>> Is that s/w, and if so, what ftp site?

>2) Run an ANSI driver that does not allow, or can be configured not to
>allow, keyboard reprogramming.
NNANSI and ZANSI are two examples of such.

------------------------------

Date: Wed, 08 Jun 94 15:02:01 -0400
From: id@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Jack The Ripper (PC)

ineichen@cui.unige.ch "INEICHEN Gerard(centre EAO" writes:
> We have found a "Jack The Ripper" virus in more than one school in Geneva.
> Does anybody have more information about this virus ?

Off the top of my head, it is a fairly new boot sector virus that has a disk wipe payload. If your anti-virus can recognise it, it should be able to get rid of it too.

- --
Iolo Davidson - "My boss made me say it. He dares you to sue."

------------------------------

Date: Wed, 08 Jun 94 15:02:15 -0400
From: id@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Server-Downing Viri (PC)

U56513@uicvm.uic.edu " Christopher Aedo" writes:
> One of the books on NetWare listed a few viruses that were common
> threats to NetWare. These viruses are:
> Cascade.1701
> Cascade.1704
> Frodo
> Green Caterpillar.1
> Jerusalem.Standard
> Yankee Doodle 2885
>
> According to the publication, these viruses will move from an
> infected workstation, onto the server.

Almost any file virus will infect DOS programs stored on the file server.

> We are also trying to evaluate virus protection. We are
> running Norton AntiVirus on the server right now, so this would
> be a good test to see if it is able to detect and stop these
> viruses before anything major happens.
>
> The environment is secure and controlled, so we are going to
> try to infect the server with these viruses.
>
> What I would like is either the source code, or maybe an
> infected file UUencoded, or somewhere where I can get these
> viruses.

I do not believe that any reputable company will be willing to supply live viruses for such a purpose. They would make themselves liable to possible legal action and certain moral censure.

> Also, which anti virus package is the best one out there these
> days?

Dr. Solomon's Anti-Virus Toolkit for Netware is the best.
F-prot's netware product would be a contender if it were as good as the standalone F-Prot, but I have seen a review which says its detection abilities are inferior. (disclaimer: I helped write Dr. Solomon's, but am no longer employed by this company.)

- --
Iolo Davidson - "My boss made me say it. She dares you to sue."

------------------------------

Date: Wed, 08 Jun 94 16:03:50 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Monkey Virus Attack (PC)

I had a little excitement yesterday. An accounts customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his Compaq notebook. He wanted to know if I could help him to recover his critical data. I put the disk in my AST notebook and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP.....

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from floppy, the hard drive was not visible or identifiable (drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes.
I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors but they were not up-to-date on the latest virus definitions.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT) which will delete the boot sector, find the original boot sector file and restore the machine.

Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present. Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt. The LAN administrator is in the process of updating or upgrading the anti-viral software.
- --
TC Molloy
EDS
5400 Legacy Drive C4-1D-33
Plano, Texas 75024
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 45]
*****************************************

From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V7 #46
Date: Thu, 30 Jun 1994 08:57:51 EDT

VIRUS-L Digest    Thursday, 30 Jun 1994    Volume 7 : Issue 46

Today's Topics:
  Re: Disabled viruses?
  Re: Stop the Madness! :-)
  Re: Disabled viruses?
  Re: GOOD vs. BAD HUH?
  Re: Stop the Madness! :-)
  Re: The truth about good viruses
  Re: virus terrorists (?)
  books on virus' and their history?
  Re: Yet *another* damn Bitnet worm.. (IBM VM/CMS)
  antivirus programs for NT (WinNT)
  Re: Help with boot virus.... (PC)
  Re: Swiss Virus (PC)
  Re: 170x Virus (PC)
  Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)
  Re: DOS 6.X Anti-Virus (PC)
  Re: Help with boot virus.... (PC)
  Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)
  Re: VSUM??????? (PC)
  Re: wow! i'm infected... (PC)
  Re: Good anti-virus software recommedation needed (PC)
  F-Prot 2.12 won't scan C: with Lantastic (PC)
  Re: Good anti-virus software recommedation needed (PC)
  Joshi (PC)
  Best Anti-virus software (PC)
  Killing the Monkey Virus (PC)
  Netware & Virstop (PC)
  Killing a Monkey virus attack (PC)
  Killing the Monkey Virus (PC)
  Symantec (PC)
  Stealth.B Pain (PC)
  U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)
  New Super-virus "Junkie" (PC)

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 09 Jun 94 07:33:12 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Disabled viruses?

dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:
>From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
>Subject: Re: Disabled viruses?
>Date: Tue, 7 Jun 1994 14:36:53 EDT

>res@bfs.uwm.edu (Ralph Stockhausen) writes:
>>I would like to check out the functioning of my anti-virus setup. Are there
>>any "disabled" viruses available that my program could detect, but would be
>>safe to have on a test floppy?

It is good to verify the setup.
I have too many times seen situations where an organisation thinks they have virus protection or a backup system running, until . . But NO anti-virus vendor should be able/willing to supply you with a set! Instead, when we get that kind of query we ask the customer to visit our lab and bring the concept with him. Of course this is not the same as testing the concept at the customer site but it anyhow helps to validate a good part of it. Many scanners support a test sample idea. You have a special file or boot sector which makes the anti-virus product react as if it were a virus.

>>Thanks,
>>Ralph

>Doren Rosenthal has one, but I forgot her full email address
>drosen@ .calstate.edu
>her address is p.o. box 1650
> San Luis Obispo CA 93406
>also check out the following ftp sites:
>oak.oakland.edu
> pub/msdos/virus
> vbait12.zip
> virsimul.zip
>garbo.uwasa.fi
> pc/virus
> virsim2c.zip
>:-)rmd@med.pitt.edu

Right, the problem here is that none of the stuff mentioned above is REAL viruses. They are just files on which some anti-virus products (the dumbest of them) give a FALSE ALARM. So if I understood right, you want to test how effective your anti-virus protection scheme is, NOT how prone your scheme is to CAUSE FALSE ALARMS. This because those files listed are not viruses.

It is hard to verify an anti-virus installation. If you are not an expert yourself, get one. Don't trust only one scanner. Use checksumming as additional protection. Use memory resident scanners to catch them before they have a chance to contaminate your hard disk (network). Set up a workstation(s) to check incoming diskettes. Acquire several scanners for these sheep dip machines. If you like, I am willing to comment by mail.

Regards
Kari Laine

------------------------------

Date: Thu, 09 Jun 94 07:44:42 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Stop the Madness! :-)

"Brian H. Seborg" writes:
>From: "Brian H. Seborg"
>Subject: Stop the Madness! :-)
>Date: Tue, 7 Jun 1994 14:36:53 EDT

[snip]

>Also, Fred seems to be making a claim that if a virus asks your
>permission to spread that it is okay! This is idiotic! First,
>consider this, for the virus to ask your permission to spread, it has
>to be running on your PC without your permission! Vesselin, I can't
>believe that you bought off on this lame distinction! :-)

First let's make clear I think there are NOT good or beneficial computer viruses. I think that there won't be any in the near future because the whole idea is dumb in today's situation. If the computing ways and systems were totally changed, maybe then there could be some use for this kind of tactic of software "delivery" BUT I DOUBT IT VERY MUCH.

Now then you say that it does not make any difference that the virus asks the user's permission to run and if the user answers NO it will kill itself (and most probably the host file also, causing problems). I think this makes a hell of a difference from the legal point of view.

>"..castles made of sand slip into the sea eventually..."
>
> -Jimi Hendrix

You had some lengthy comments about how there could NOT be a beneficial virus. I will try to read them when I have two days off work :-) Anyway, the whole idea of beneficial viruses should drop dead.

Regards
Kari Laine, buster@klaine.pp.fi

------------------------------

Date: Thu, 09 Jun 94 09:51:42 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disabled viruses?

Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:
> Doren Rosenthal has one, but I forgot her full email address

First, I think that it is 'he', not 'she'. Second, his so-called "virus simulator" is *completely* useless for testing anti-virus software. The "simulated viruses" generated by it are not viruses at all - just collections of scan strings stolen from different scanners.
If a scanner detects them, this is no guarantee that it will detect the live virus as well, and if a scanner does not detect it, this does not necessarily mean that it will not detect the real virus. In short - a completely useless product, and a harmful one too, because it misleads people.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 10:05:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Todd Gilbert (tgilbert@salsa.abq.bdm.com) writes:
> > replicate. Some "viruses" of that type *can* be useful. The real
> > problem is one of misunderstanding - what almost everybody calls a
> > computer virus conforms to your "definition", not to Dr. Cohen's, and
> > many programs that conform to Dr. Cohen's definition are not
> > understood as viruses by most other people.
> >
> > It all depends on the definition of the term "computer virus".
> >
> Given your use of quotes, I take it that you prefer Dr. Cohen's definition
> to the widely accepted "definition".

Actually, my use of quotes was intended to indicate that the quoted word is not quite the same as what most people would understand when hearing it for the first time. Similarly in the case of the word "definition" - I would hardly give such a scientific term to the general public's understanding of the term, which is based mostly on common sense, not on exact definitions.

> Why? Does his (fairly sure this
> person is male) writing it down and wanting to be THE AUTHORITY on
> viruses make everything he says correct?

Dr. Fred Cohen is indeed male and he *is* an authority on viruses. He predicted them ten years ago, he is the first to have a Ph.D.
in this area, and he has proven mathematically about everything interesting that can be proven about computer viruses. Of course, being an authority on the subject does not automatically make everything he says correct - I have caught him being wrong at least twice. :-)

Back to your question. I, as a scientist, tend to like exact and scientific definitions. I certainly prefer an exact definition to the general public's "common sense". However, I do understand that Dr. Cohen's definition, while very convenient in the mathematical sense, and allowing one to prove several interesting theorems, is not good enough for common use - it is too broad and hard to understand. That's why I think that it is better to use a different term ("real computer viruses") to describe the general public's understanding of this malicious phenomenon.

> If so, perhaps he should write a virus that contains his definition
> and will spread the word to all computers and their users. I gather
> he'd think _that_ was a good virus.

If you *really* want to get some deeper understanding of the problems, I would suggest that you find Dr. Cohen's papers (most of them can be found in "Computers & Security") and try to understand them. They are definitely not easy to understand by a person without the appropriate mathematical background, which is why so many people do not understand what he is talking about. However, if you *do* understand them, you'll find out that, first, he is talking about something completely different, and second, he would never do (or even suggest) something like you described above. IMHO, Dr. Cohen's major fault is not using a simpler language to break this down for the people who don't have the qualification to understand his papers.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 10:55:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stop the Madness! :-)

Brian H. Seborg (bseborg@fdic.gov) writes:
> Fred has his own anti-virus package on the market, but I would never
> suggest that he was trying to get people to write "good" viruses so
> there would be a greater need for his package! :-)). As Ross

Nope. First, as far as I know, he does not support his package any more (too bad, because it is rather good, in the sense that it is secure, but it had a horrible user interface, which made it virtually unusable). Second, his package was not a scanner, but an integrity shell - therefore, its success was independent of how many viruses there are out there.

> Greenberg so aptly pointed out, I'm sure Fred could enlighten us in a
> paragraph so we wouldn't have to wait to buy his book for an answer!

I also find it rather frustrating that Dr. Cohen is so reluctant to explain himself, especially in a simpler language. He *really* must not expect that anybody who is interested will be able to find and understand his papers and book and needs just a reference to them.

> Also, Fred seems to be making a claim that if a virus asks your
> permission to spread that it is okay! This is idiotic! First,
> consider this, for the virus to ask your permission to spread, it has
> to be running on your PC without your permission! Vesselin, I can't
> believe that you bought off on this lame distinction! :-)

You were either not paying attention, or have missed the article in which I treated this issue. My opinion is that "ask for permission" is not sufficient, as it leads to interruptions which may be unwanted and sometimes even damaging.
(I have an example with a hospital computer running life-critical software that gets interrupted by a virus which asks whether it is OK to infect and waits for user input.) According to me, we should impose a stronger criterion. Just asking for permission is not good enough - a virus that claims to be beneficial must wait for the user to actively *invite* it to his/her machine - i.e., install it there, or install a program that invites the virus. > Another point, Fred, have you ever heard of version control? How > about change control? How would you affect these via a virus? Here's I have treated this question too, in an article that is supposed to appear in "Alive". Essentially, I am saying that a "beneficial virus" should contain a mechanism to pass critical messages (like "remove yourself" or "update yourself"), and those messages must be able to spread faster than the virus. In some sense, those messages will be "viruses" for the "computational environment" consisting of all existing copies of the virus, just like the virus is a virus in the "normal" computational environment (the one that the user uses). Again, this is not enough. Suppose that a system becomes dependent on the services that the "beneficial virus" provides. Then an attacker could attack such a system by sending a message to all copies of the virus to remove themselves (a denial of service attack). Therefore, the message passing mechanism must be cryptographically secure - probably using some kind of public key encryption and authentication. > myself from laughing!) throughout my corporation. This is the > infamous compression virus (hee, hee, sorry!) that will compress any > executable file it encounters. First, though, to be a "good" virus it I do not think that Dr. Cohen's "compression virus" is a good example of a beneficial virus. 
In fact, neither of his examples are convincing enough to me - everything that they do can be either dangerous and/or damaging, or can be performed better (or at least not worse) by a non-viral program. I think that I have a better example of a beneficial virus; see below. I also strongly suspect that all "beneficial viruses" must be "worms" (using Dr. Cohen's definition in both cases), but so far I have been unable to prove this. > the user allows the virus to infect (will it ask this same question > everytime it attempts to infect another file? Man, would this be > boring or what?) it will then ask, "Hey, this file is not compressed, > would you like me to compress it?" (would it ask this every time it > encountered a non-compressed executable, or would it be able to flip a > bit to store the fact that the question had already been asked and > answered in the negative? What if the next time I DID want it to See above. As I said: 1) The user must actively invite the virus - i.e., run a TSR, or set an environment variable (those are just inferior examples; in a real case public key encryption and authentication must be used, so that the virus authenticates itself to the system and the system authenticates itself to the virus). The default action for the virus (if no such invitation is found) must be NOT to infect the system. 2) There must be a way to turn off the prompting - the user must *both* be able to set the default action to "no, don't infect" (by removing the invitation or not installing it in the first place) and to "yes, keep infecting without asking". > would not get any benefit from it?). Also, I can see the user saying, > "Damn, how do I turn this stupid thing off!" after about the 10th time > the virus asks permission to do something! Therefore, there *must* be a way to "turn the stupid thing off" and it should be an easy way. > One more issue, how will you make sure the virus gets control in > memory? 
Will it infect command.com or one of the system areas so that > it makes sure to get control every-time? If this is the case, then > how many different "good" viruses can use this same paradigm before > you run out of space in command.com (I guess we could change it to > command.exe and then load it up with different special purpose viruses > and make it an even greater lumbering behemoth than it is now!) The answer to this depends on the particular environment and implementation. Ideally, there should be a "virus API" in the operating system, which provides documented ways to control and interact with the self-replicating programs. > Now, let's say you want to upgrade this virus. How are going to > enforce version control? In other words, you have a faster, better > compression algorithm, and you update the virus and now you want to > make sure it is in place throughout the corporation, how do you affect > this change? How do you even know the first version even made it to > all PCs? One more thing, not all PCs are network connected, how do > you get the virus and the upgrades to the laptops (this is a tough > enough issue for legitimate software)? See above my reply about the efficient message passing mechanism. It's particular implementation is left as an exercise to the reader. :-) I am only insisting that any virus that claims to be beneficial must contain such a mechanism. > Finally, how do you ensure that the virus does not leave your > corporate environment for parts unknown? (other people's PCs?) Even > if you had a method of doing this, how much would it cost and how big > would the virus be at this point? What if it did get out? It would Look, according to Dr. Cohen's definition of the term "virus", a disk operating system that is contained on a diskette and is able to do diskette copying, is a virus. How do you solve the above problem for it? What happens if it "gets out"? 
:-) > seem that you'd be legally liable for any damage it did, or trespass Liable for any damage, ha-ha... How often you have seen a software producer being responsible for any damage their product has done? Naw, they all come with a fine disclaimer, which essentially says "if this product does anything at all, it is not out fault". > at the least. But, I digress... Suffice it to say that the concept > of a "good" virus all sounds good theoretically, but when you give it > a "reality-check" the notion of "good" viruses beyond the confines of > a laboratory environment shows itself to be the ludicrous idea it is. > Maybe I've been spending too much time in the real world! :-) I guess OK, realitiy check time. Here is one example (I have used it several times), which *is* a virus according to Dr. Cohen's definition (a worm, actually), and which *is* used in the real life (I know of at least three products that are using it). Suppose your company has thousands of PCs, all connected together to a huge LAN. You are the owner of the company, or at least the person charged for virus protection of the LAN. You want to make sure that each PC is running the latest version of your favorite anti-virus program. Well, problem is, the scanner part of any anti-virus program needs constant updating, and updating thousands of PCs every month is a pain. That's why, you do the following. You install the latest copy of the anti-virus program on the server (this requires only one copy to be constantly updated, instead of thousands of them), and put a small program in the login script. At login time, i.e., whenever a user tries to log in from his/her workstation, this program checks whether the workstation is running the latest version of the anti-virus package. If this is not the case, the program offers the user to automatically update his/her copy from the server and then to reboot the PC (so that any resident scanners are reinstalled from the updated versions). 
If the user does not accept the offer, then access to the LAN is refused. Do you see any problems with the above scheme? I don't. You, as the owner of (or the person responsible for) the network, have the full right to refuse network access to a workstation that does not comply to the company's policy of running the latest version of the anti-virus package. Well, according to Dr. Cohen's definition, the anti-virus package, together with the login script and the parts that do the checking and the copying of the updated versions, is a virus - because it copies (possibly modified parts of) itself. Do you understand now what I mean when I am saying that what Dr. Cohen understands under the term "computer virus" and what the general public understands under this term, are completely different things? BTW, there are several anti-virus prodcuts that are actually using the above scheme - CPAV, Untouchable, Dr. Solomon's Anti-Virus ToolKit... Of course, they do not advertise it as a "beneficial virus", but as "Centralized Software Updating (tm)" or something like that. Which leads me to one of my other points - if you are going to create a beneficial virus, don't call it a "virus", because this term is already loaded with negative meaning. Just call it something else. Agent, vitamin, whatever. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 11:18:07 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: The truth about good viruses UCC DASD Administration (DASDCAT@UConnVM.UConn.Edu) writes: > I think this illustrates quite nicely the whole problem with beneficial > viruses. That being the lack of a trusted path. 
When I buy a software This *is* indeed one of the problems, but not the whole problem - there are others as well. Of course, this does not mean that the problem cannot be solved - merely that we should work into that direction. Yes, any virus that claims to be beneficial must provide a trusted path - it must authenticate itself to the system it infects, and the system must authenticate itself to the virus. IMHO, the best solution would be to use some kind of public key authentication. For instance, the company that produces the virus could publish some kind of public key for it; then the user could make available (to the virus) an invitation encrypted with this public key, and so on - the particular details of the protocol are left as an exercise to the cryptographically inclined reader. > you loose that element of verifiability. An unknown program running on my > computer is suspect, even if it says, Hi! I'm from the Government/Virus > Research Department/Mensa club, and I'm here to help you..... As the > saying goes, How do you know where it's been? Why unknown? It says "Hi! I am the SuperDuper beneficial virus made by BeneViral Software Inc. and here is my MD5 hash, signed with my secret key". You compute the MD5 hash yourself, verify the one in the virus using the published public key, check that the two values match and then you know that this is indeed a BeneViral Software's product. > If some people came to your house and said, You just go away for a few days. > We're going to clean your house for you, fix the roof and install a Jacuzzi > in the master bedroom. Trust us. We're Nice People. Maybe they're telling > the truth. But if they have no credentials, references or licenses, how > would you know? Would you hand over the keys to your house? Conclusion: beneficial viruses must carry credentials. See above for an example. > I don't think the most important question is whether beneficial viruses > exist. But how could you tell if you had the real thing? 
Digital signatures have been around for about 20 years already... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:01:26 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: virus terrorists (?) Todd Gilbert (tgilbert@salsa.abq.bdm.com) writes: > I won't repost it, but there's an article under bit.listserve.ethics-l > that you folks might find interesting. It appears to be a couple > guys from Eastern Europe threatening to release viruses unless > somebody offers them a good paying job. >From Roumania, as far as I recall. Also, from the tone of the message it didn't seem that they are very serious about their threats; it was merely an expression of the frustration the people there experience... And yes, there *are* a lot of things there (Eastern Europe) that cause frustration - I can tell you from personal experience... :-) This has caused a lot of people in Bulgaria, Russia, and other countries to write viruses. Of course, while being a reason, it is certainly not an excuse, and you shouldn't get the impression that everybody there is doing this. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 19:13:40 -0400 From: hankp@UTKVX.UTCC.UTK.EDU (REMOTE SUPERVISOR) Subject: books on virus' and their history? Hello all, I was wandering if anyone knew of a good book about viruses and their history. 
I heard of one a while back but could not recall the name. My point is not to build a virus, but to learn more about them, first ones, what certain ones do, etc. any help is appreciated. Hank Pike ------------------------------ Date: Fri, 10 Jun 94 14:43:50 -0400 From: Otto Stolz Subject: Re: Yet *another* damn Bitnet worm.. (IBM VM/CMS) These days, Valdis Kletnieks said: > It's called 'INV1 EXEC'. The apparent author is stuya36@saupm00. > > I'm sure we all know the drill. > Valdis Kletnieks > Computer Systems Engineer > Virginia Polytechnic Institute On Tue, 7 Jun 1994 10:25:15 EDT John Hammond said: > I forward this notice that was sent to NODMGT-L@MARIST about another > virus/worm discovered on Bitnet. I haven't seen this INV1 EXEC yet. Most probably, it's yet another one of these CHRISTMA-style chain letters. I'm forwarding this to VALERT-L to spread the word. (I hope, this goes faster than the chain letter...) Best wishes, Otto Stolz ------------------------------ Date: Fri, 10 Jun 94 20:04:15 -0400 From: shrichardson@rocky.ucdavis.edu Subject: antivirus programs for NT (WinNT) Does anyone know of Scanners or tsr protection programs for Windows NT? ------------------------------ Date: Thu, 09 Jun 94 08:16:33 -0400 From: buster@klaine.pp.fi (Kari Laine) Subject: Re: Help with boot virus.... (PC) angela@rahul.net (Angela Tsoi) writes: >From: angela@rahul.net (Angela Tsoi) >Subject: Help with boot virus.... (PC) >Date: Tue, 7 Jun 1994 14:36:53 EDT > I've been having a BIG problem w/ a virus in mu hard drive. It's a boot >sector virus. I try almost all of the scan problem and none of them could >detect it. SO i resorted to format my hard drive, at the end of the format it >said Possible Boot Virus: Do your want to continue? I said yes and it work >for about a week or so then it pop back up again. How can I get rid of it for >good? Help a poor unfortunate soul.. Any chance this could be FALSE cause by those "protection built in" new bioses. 
Why I am not suprised of this problems? Kari Laine, buster@klaine.pp.fi ------------------------------ Date: Thu, 09 Jun 94 12:03:31 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Swiss Virus (PC) INEICHEN Gerard(centre EAO) (ineichen@cui.unige.ch) writes: > A student has found a "swiss virus" that infects the boot record. It seems > to be a new variant of the virus. Mac Afee scan 114 lists it but i haven't > found more info. > Be carefull : it isn't the swiss phoenix nor the Swiss 143. It is the virus with a standard CARO name Swiss_Boot. Unfortunately, I have not analysed it yet. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:23:23 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: 170x Virus (PC) Mr NWS Soh (nwsoh1@hestia.cc.monash.edu.au) writes: > When I scan my hard disk recently using SCAN C: /m , using mcafee's > anti-virus program version 84. This is a *very* old an obsolete version of SCAN; I strongly suggest you to upgrade. The latest version I know of is 115B and version 116 will be probably out before this message gets published. > Message reads: Found 1701/1704 virus - version B [170x] active in memory > Found 1 file containing a virus. The virus is active in memory, but only one file is infected? Hm, there is a slight probability that it is a false positive... Nevertheless, boot from a clean, write-protected system diskette, and do the scan again. Now the virus shouldn't be in memory and the disinfector should be able to disinfect the infected file, if the virus is known to it. > Please help. 
I suppose reformatting the hard disk could get rid of the > virus but I do not wish to do so because of the huge number data and > programs in my 120Mb drive. Formatting the disk is never necessary. In the worst case, delete all infected files and restore them from clean backups or original copies. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:31:30 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC) Fridrik Skulason (frisk@complex.is) writes: > That is: it no longer reports multiple viruses in a single sample...however, > different samples of a single virus may occasionally be reported to be > infected with different viruses - a "first-generation" sample may be reported > to be infected with a different virus than the normally infected files. This is yet another confirmation of my suspicion that SCAN 2.00 is actually a very preliminary beta of an unfinished product. They told me once that they intend to do exact identification - obviously they have not managed to do even "good enough" identification... All preliminary tests show that SCAN 2.00 is actually *worse* than the old SCAN/CLEAN suite. My advice to anybody who relies on McAfee's anti-virus products is to wait and use the old version, until the new product becomes more stable and all the important features in it are implemented properly. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:37:12 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: DOS 6.X Anti-Virus (PC) Snp Doggy (snpdoggy@aol.com) writes: > I found DOS 6.x Anti-Virus is NOT very good... In fact, I think it is Agreed. In fact, the above expression ("not very good") is a rather mild one. It's an awful program, from the anti-virus point of view. > a waste of time...I collect viruses, I have over 100 including, > yankee doodle virus, aids, michealangelo , Richards, vmessiah, I'll permit myself to doubt the quality of your collection. In particular, I *know* that the thing you are calling "Richards" is NOT a virus, but a Trojan Horse. > and many, many others...Anti-Virus found only 10 out of 120 viruses I > had on floppy disks..50 of which it WAS supposed to FIND, but DID > NOT...when I tried F-Prot it found 75 and then I tried McAfee's and > it found 60 of 120...I'm not a sales person or anything, I'm actually While I agree with the classation (i.e., MSAV is the worst one, McAfee's it better, and F-Prot is even better), the above detection rates are way too low. This, together with the mistake I spotted above, makes me doubt about the quality of your collection and its usefulness for scanner tests. Have you tried to replicate each of the viruses yourself? Have you made sure that all of them are different and working viruses? Or are you just relying on what some scanner says? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:45:21 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Help with boot virus.... (PC) Angela Tsoi (angela@rahul.net) writes: > I've been having a BIG problem w/ a virus in mu hard drive. It's a boot > sector virus. I try almost all of the scan problem and none of them could > detect it. SO i resorted to format my hard drive, at the end of the format it > said Possible Boot Virus: Do your want to continue? I said yes and it work > for about a week or so then it pop back up again. How can I get rid of it for > good? Help a poor unfortunate soul.. It is quite probable that you don't have a virus, but some kind of ANTI-virus software or (most probably) hardware/firmware on your machine. When you are trying to format a floppy, the formatting program does two things, which are considered highly "suspicious" by the anti-virus programs: first, it formats the floppy, and second, it writes to its boot sector. This explains the two messages you have seen. I advise you to enter the CMOS configuration program of your PC (on most machines this is done by pressing at boot time, but some machines may require a different combination of keypresses or a special "setup" diskette), and check for an item (usually the "Advanced steup" menu) that says "Boot sector protection" or "Virus protection", or "Chip Away Virus", or something like that. If it is enabled, then you know that it was causing the problem. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:49:29 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC) Henrik Stroem (hstroem@ed.unit.no) writes: > Try my HS v3.58. Available by ftp from 141.210.10.117:/pub/msdos/virus > as the file hs-v358.zip. It is a bootsector integrity checker that > will detect all bootinfectors, and automatically remove them. It uses > no RAM, and executes in less than a second on most machines. I do have your HS v3.58 and it is on our ftp site. The only problem is that it refuses to run on my machine - something I have reported to you several times in the past. As far as I recall, the problem occured because the installation program was trying to trace in interrupt down to the BIOS - but my machine is running QEMM in stealth mode. You said that a future version of the program will fix the problem - any news since then? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 12:55:50 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: VSUM??????? (PC) Grettir Asmundarson (grettir@keflavik.wordperfect.com) writes: > What is the best alternative to VSUM? F-Prot has accurate virus > information built-in, but sometimes I'd like more information than is > available there. I've taken a look at both CVC and CMBASE, but I'm not > sure those are the answer either... Try Eugene Kaspersky's AntiVirus Pro. It has a very nice help system, with descriptions of hundreds of viruses, and even with demos of their sound and video effects. 
The package can be obtained from our anonymous ftp site: Site: ftp.informatik.uni-hamburg.de Dir: /pub/virus/progs Files: avp_200.zip, avp_200c.zip, pm940506.zip Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 13:04:23 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: wow! i'm infected... (PC) Jack Stefani (jstefani@silver.ucs.indiana.edu) writes: > after a long time of just not caring, i downloaded mcfee scan and ran Well, obviously you should have been caring... > it on my harddrive. after scanning it all, it reported back that it > found cansu(?) virus in my partition table. so now that i'm infected Yes, this is an olygomorphic MBR infector with a standard CARO name V-Sign. > 1.) after i found out that i was infected, i copied off to a floppy > some of my important stuff(all non-executables, source code, word > perfect documents etc...) is there anything i have to worry about? are Yes, there are many things to worry about: 1) Your hard disk is probably still infected. 2) You have infected the floppy disks to which you have copied your stuff. 3) Because your computer is still infected, you continue to spread the virus, running the risk to infect your friends' machines and so on. > executables the only things that can get infected. The "executables" are indeed the only thing that can get infected, but if you mean by this "the executable *files*", then you are wrong. This virus does NOT infect files, it infects MBRs of the hard disks and the boot sectors of the floppies. Even the blank, formatted floppies, or the floppies with only data files on them, can become infected and be infective. > 2.) 
scan said that my partition table was infected but it didn't tell > me what file did the infected. That's perfectly reasonable, because the virus is in the Master boot Sector (the one that contains the partition table) and not in any file. > how can i find out where i got the > virus from. You can't. > 3.) and of course, how do i get rid of it? i've just know downloaded > the clean program that scan talked about. i doubt if i'll run it > tonight though since the doc's for scan said that the removal of > partition table virus can screw up everything. Funny, I had the impression that CLEAN is able to remove this particular virus... OK, if it doesn't do the job, then better try some better disinfector. I would suggest F-Prot - one of the best ones. > 4.) where can i get info on my particular virus(cansu), what will > happen if i just leave it in? The virus is described in our Computer Virus Catalog. See the FAQ for information about how to get it. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 14:14:42 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Good anti-virus software recommedation needed (PC) Joe Brown (S1083509@cedarville.edu) writes: [sorry about the long quote] > > Does anybody know if there is any anti-virus software that will > >detect the virus automatically ? What I mean is every two weeks I have > >to run my anti-virus software to do detection and it took a long time. > >It will be nice if there is an anti-virus software which will do the > >detection when there is disk operation etc etc. 
> > And can someone recommend me some good anti-virus software either > >in the shareware domain or in the market ? I am particularily looking > >for something that will work in a networked (both netware and > >TCP) environment. > You can try Norton Anti-Virus or Central Point Anti-Virus, both of these I > believe will do this. I wouldn't recommend *any* of those two packages. They are rather weak from the anti-virus point of view, and besides, none of them do everything that the original poster wants (e.g., working in a TCP/IP environment). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 09 Jun 94 14:45:58 -0400 From: "Michael Chui" Subject: F-Prot 2.12 won't scan C: with Lantastic (PC) Running on a Lantastic 4.2 server, F-Prot 2.12 reports an error reading C:\. Ironically, it seems perfectly capable of scanning drives on other servers, but it only reports an error when it is scanning the hard drive on which it is running. Any suggestions? Michael Chui mchui@cs.indiana.edu ------------------------------ Date: Thu, 09 Jun 94 19:49:38 -0400 From: hankp@UTKVX.UTCC.UTK.EDU (REMOTE SUPERVISOR) Subject: Re: Good anti-virus software recommedation needed (PC) S1083509@cedarville.edu (Joe Brown) writes... >jclee@netcom.com (Johnson C. Lee) writes: >>From: jclee@netcom.com (Johnson C. Lee) >>Subject: Good anti-virus software recommedation needed >>Date: Thu, 12 May 94 18:16:23 -0400 > >>Hi, >> Does anybody know if there is any anti-virus software that will >>detect the virus automatically ? What I mean is every two weeks I have >>to run my anti-virus software to do detection and it took a long time. 
>>It will be nice if there is an anti-virus software which will do the
>>detection when there is disk operation etc etc.
>>   And can someone recommend me some good anti-virus software either
>>in the shareware domain or in the market? I am particularly looking
>>for something that will work in a networked (both netware and
>>TCP) environment.
>
>>Any info will be appreciated.
>
>>Thanks,
>
>>- -Johnson
>
>You can try Norton Anti-Virus or Central Point Anti-Virus, both of these I
>believe will do this.
>
>- --Joe Brown
>- --Anglo-Saxon American And Proud Of It
>- --Tiny Toons Are Awesome
>- --
>- --Cedarville College
>- --Cedarville, Ohio
>- --s1083509@cedarville.edu
>

Try F-Prot 2.12; it is as good as or better than Norton and CPAV, and it is available at oak.oakland.edu in /pub/msdos/virus. I used Norton for a long time (using the current release), then tried F-Prot and switched; now I use F-Prot instead.

Hank Pike

------------------------------

Date: Thu, 09 Jun 94 21:28:31 -0400
From: agray@ATHENA.MIT.EDU (Allan D Gray)
Subject: Joshi (PC)

For months I have been using a boot disk for my computer, because I am infected with a boot-sector virus. The anti-virus programs that I was using could identify the problem, but not fix it. I finally decided to get off my duff and tackle this problem. I found this group, got the FAQ, read it, downloaded new anti-virus software, etc. etc.

F-Prot says that it can cure this virus. When I run it, it says that it has cured it. If I run it again, it finds "Joshi" and claims to cure it again.... The computer won't boot without a boot disk....

Does anyone know how to deal with this problem without reformatting my entire HD??? If so, please let me know.

ABG
4781agall@umbsky.cc.umb.edu

Thanks!

------------------------------

Date: Fri, 10 Jun 94 06:30:48 -0400
From: ohe@allianse.no
Subject: Best Anti-virus software (PC)

We're trying to figure out the best anti-virus software for both Netware servers (NLMs) and DOS/Windows workstations.
We have been looking at Norton Antivirus v3.0, F-Prot, Norman Data Defences and Central Point. Does anybody have any kind of hints and tips as to which one is the best and why??

Thank you.

=======================================================
ohe@allianse.no

------------------------------

Date: Fri, 10 Jun 94 10:36:48 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killing the Monkey Virus (PC)

I would like to share an experience with the "Monkey" computer virus on June 3, 1994.

A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk, and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP.....

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from floppy, the hard drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes.
I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors, but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this, but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT), which will delete the boot sector, find the original file and restore the machine. Also, the boot sectors of all floppy disks were rebuilt using NDD. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present.

Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt. The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Fri, 10 Jun 94 11:01:21 -0400
From: "Mark J. Miller"
Subject: Netware & Virstop (PC)

This isn't strictly a virus question, but I was hoping someone might have some suggestions. No rude ones please ;)

We are getting faculty offices hooked to a Novell network & we want to install F-Prot's VIRSTOP. I know how to do this, either in AUTOEXEC or using /rehook.
But the computers won't be connected to the network all the time. We're allowing faculty to choose when & how long to be connected to the network. Because we have many old computers, 8088s & 286s, we want to be able to unload the network software from memory when they disconnect, to free up memory. But with VIRSTOP loaded, the unload command doesn't unload the software. Does anyone know how to get around this? Will another anti-virus program do the trick? Any help will be gratefully appreciated.

Thanks,
Mark :-)

*****************************************************************************
Mark J. Miller                              * The man who fights for his
Instructional Computing Programmer/Analyst  * ideals is the man who is
Saginaw Valley State University             * alive!
Wickes 227, 517-790-5643                    *
mjm@tardis.svsu.edu                         *    -- Miguel de Cervantes,
71053,1571@compuserve.com                   *       author of Don Quixote

------------------------------

Date: Fri, 10 Jun 94 11:58:10 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killing a Monkey virus attack (PC)

I would like to share an experience with the "Monkey" computer virus on June 3, 1994.

A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk, and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP..

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy.
The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from a clean floppy, the hard disk drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors, but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this, but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT), which will delete the boot sector, find the original file and restore the machine. Also, the floppy disk boot sectors were rebuilt using NDD to prevent re-infection. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present.

Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt.
The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Fri, 10 Jun 94 16:11:44 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killing the Monkey Virus (PC)

riordan@tmxmelb.mhs.oz.au (Jakub) wrote:

> Jeff K Landauer writes:
>
> Well, Scan shows that I have this, but I can't get rid of it. It
> reports that I need to boot from a floppy in order to clean the system,
> but when I do that, I can't access my hard drive. I don't know what to
> do. I downloaded just about all the virus software I could find to try
> to fix this thing, but nothing looks like it will help. Am I screwed?
> I look back on old posts, and the situation looks pretty bad. Thanks
> for any help,

I would like to share an experience with the "Monkey" computer virus on June 3, 1994.

A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk, and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP..

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks.
When I attempted to boot his machine from a clean floppy, the hard disk drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors, but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this, but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT), which will delete the boot sector, find the original file and restore the machine. Also, the floppy disk boot sectors were rebuilt using NDD to prevent re-infection. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present.

Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt.
The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Sat, 11 Jun 94 01:53:09 -0400
From: tluten@news.delphi.com (TLUTEN@DELPHI.COM)
Subject: Symantec (PC)

Dr. Bontchev's remarks on AV software caught my eye. Symantec owns all of Norton, thus Norton AV. It bought Central Point, and thus owns its AV package. It bought Certus, and used the technology to upgrade Norton AV. It apparently (per Bontchev) bought yet another company that produces (or produced) an AV product. What *are* they up to?

Tom Luten
TLUTEN@DELPHI.COM

------------------------------

Date: Sun, 12 Jun 94 23:17:02 -0400
From: "Rudy A Davis"
Subject: Stealth.B Pain (PC)

Hello,

I have had the Stealth.B virus on and off again for the past 6 months. Central Point Anti-Virus version 1.5 does not even recognize this virus. Norton Anti-Virus 3.0 recognizes it but requires a RESCUE disk. I am trying my RESCUE disk, but it appears that my RESCUE disk is also now infected.

Questions:

1) What are the dangers of operating indefinitely with this virus? (I have seen no ill effects other than notification of its existence thru NORTON AV v3.0.)

2) Anyone have any suggestions about an anti-virus program which will take care of this virus dynamically without having to re-install DOS?

3) Where is a published listing of people who write viruses so that I may wish bad things toward them by name?

Thanks and regards,
RAD

------------------------------

Date: Sat, 11 Jun 94 16:25:36 -0400
From: Mike Ramey
Subject: U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)

I just had a long talk with the on-duty supervisor of the University Book Store Computer Department. He reports that they received a complaint of a virus-infected disk yesterday, but the customer did not present the disk for inspection.
In response to the complaint, they checked all their DOS/PC computers using Central Point Anti-Virus (CPAV) and Norton Anti-Virus (NAV). They found no infection on any of their computers.

On Monday, I will talk to the manager of the Computer Department, and post any additional information to: lanadmin@u, qna@cac, virus-l@lehigh.edu.

CAC/HELP:
Do we have a local (uwash.) or regional (pnw.) newsgroup for virus info? I suggest it may be worth creating one -- preferably 'pnw.' because if there is a virus in Portland, it may be in Seattle next week. Also note that VIRUS-L and comp.virus messages are posted only about once a week. While we certainly don't want to disseminate false reports, we also need to alert each other to real virus outbreaks. Your comments please.

-- Mike Ramey, University of Washington, Seattle WA 98195.

- ---------- Forwarded message ----------
Date: Fri, 10 Jun 1994 17:15:12 -0700 (PDT)
From: Michael R. "Majik" Fountain
To: LAN Administrators Group
Subject: BOOKSTORE INFECTING DISKS WITH MICHANGELO

The U Bookstore is infecting disks with Michelangelo. They have it on one of their demo computers and are formatting floppies with it.

 \|/
 /|\MAJIK

------------------------------

Date: Thu, 09 Jun 94 12:41:11 -0400
From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
Subject: New Super-virus "Junkie" (PC)

Does anyone have any specific information on the "Junkie" virus? I got the following fax yesterday from someone. Do any other scanners detect and/or clean this? I don't buy their solution for cleaning it.

***Begin included article

****Another Super-Virus Discovered 06/02/94

BRIER, WASHINGTON, U.S.A., 1994 JUN 2 (NB) -- A super-virus that can create havoc on your computer system has been accidentally discovered while a sales representative was demonstrating an anti-virus program to a customer. Called "Junkie," the virus was discovered in Ann Arbor, Michigan, while a Reflex Inc.
rep was demonstrating the merits of that company's Disknet anti-virus software.

"Junkie" reportedly has software engineers concerned for several reasons: It is encrypted, making it difficult to be spotted; it is polymorphic, meaning it changes each time it replicates; and it infects both the drive's boot sector and executable files on the

Reflex engineers are studying the characteristics of "Junkie" in an effort to see what other effects it may have on a computer. The source of the virus is still uncertain, but it was discovered on pre-installed, shrink-wrapped software. The PC manufacturer that pre-installed the software was not identified, but Reflex spokesperson Bob Reed told Newsbytes that it appears that was not the source of the infection. "The system was installed for a month before it ("Junkie") showed up," said Reed.

Reflex engineers say "Junkie" is spread by infecting the boot sector, the portion of the hard disk that contains the startup instructions for a computer. It can reportedly also infect the boot sector of a floppy drive and even make an anti-viral program a carrier. "Junkie can make anti-virus toolkits spread viruses. Scanners open files to search for viruses, in turn opening the door for Junkie to use the scanner itself as a means of spreading the virus," according

Reed said the Ann Arbor incident is the only time so far "Junkie" is known to have surfaced. He said there are no visible warnings of the virus. He stresses the need for having a current backup of your computer data. "The only known cure is re-formatting the hard disk," says Reed. That gets rid of "Junkie." Users are cautioned not to make a backup copy of the drive that is suspect, since the backup will also be contaminated.

Most anti-virus programs scan for known viruses, but cannot always detect a new and different problem such as "Junkie."
That makes it necessary to continually update anti-virus programs, with a resultant added cost in time and money to make sure your computer system is virus-free.

(Jim Mallory/19940602/Press contact: Lucy Stokstad, Reed, Revell-Pechar, 206-4624777; Reader contact: Reflex Inc., 800-673-3539)

***End included article

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 46]
*****************************************

VIRUS-L Digest   Friday, 1 Jul 1994    Volume 7 : Issue 47

Today's Topics:

    Searching for Documents on Virus Ethical Issues
    Types of viruses???
    Re: danger from used disks?
    Re: danger from used disks?
    Re: danger from used disks?
    Re: Good viruses/Bad viruses
    380A: U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)
    Re: Dr Solomon's on the move! (PC)
    Boot sector virus ? (PC)
    Virus found, Please help! (PC)
    Cansu virus...Please Help/RISC-Aix virus Scan (PC)
    Matura (PC)
    SMEG Junkie (PC)
    Budo Virus (PC)
    Help! (PC)
    Testing Anti-Virus TSRs (PC)
    unknown virus (PC)
    STACK virus (PC)
    Chill Touch and Junkie Viruses (PC)
    New virus was found. (PC)
    NATAS Virus? (PC)
    Stoned.Manitoba (PC)
    Re: info on 2 viruses (PC)
    Re: "New" Virus found? (PC)
    Cure for SVC.2936 & Three_Tunes viruses (PC)
    Need help on "stoned" virus (PC)
    Re: Joshi virus - False alarm? (PC)
    Re: Virus in Norton Commander 4.0! (PC)
    The AntiCMOS virus (PC)
    Junkie virus (PC)
    McAfee VirusScan V2.0.2 uploaded to SimTel (PC)
    F-PROT 2.12C released (PC)
    fp-212c.zip - Version 2.12c of the F-PROT anti-virus package
    Updated VDS 3.0m on Oak (PC)
    McAfee files available on risc.ua.edu (PC)

----------------------------------------------------------------------

Date: Mon, 13 Jun 94 02:19:02 -0400
From: JUAN CARLOS PEREZ
Subject: Searching for Documents on Virus Ethical Issues

Hello all,

I have to do an oral presentation for a class about a computer-related ethical issue and chose "Viruses" as my topic. Someone mentioned to me that there was an outstanding Bulgarian article posted a while back concerning virus ethics. I would appreciate a repost of this article (or where I can find it) and possibly any other articles relating to the ethical issues concerning viruses. The presentation is for June 28.

Thank you so much!
:)

------------------------------

Date: Fri, 17 Jun 94 16:19:43 -0400
From: mlwinkelman@dow.com (Mike Winkelman)
Subject: Types of viruses???

Hello,

I was wondering if there is a FAQ for this group and where it might be? Also, could someone explain in short sentences and layman's dialog the major methodologies by which viruses infect computers? I'm particularly interested to find out if there are any viruses that infect things like word processing files or other non-executable files that get transported from work to home and vice versa. Just what are the problems with doing that?? I do not intend to floppy-transport any executables.

Any advice? Help?? Experiences??

Regards,
Mike Winkelman
mlwinkelman@dow.com

------------------------------

Date: Thu, 23 Jun 94 17:12:35 -0400
From: tracker@netcom.com (Craig)
Subject: Re: danger from used disks?

Nathan Schechtman (nschechtman@pppl.gov) wrote:
: I just bought several hundred used disks from someone on the internet.
: I'd like to guarantee that they're safe. Any suggestions out there?
: Will reformatting them remove all viruses?
: Thanks
: Nathan Schechtman              email: nschechtman@pppl.gov
: Princeton Plasma Physics Lab   phone: 609-243-3465
: Princeton, NJ 08543
:

If you use Norton's Wipedisk that'll definitely remove anything on them.

------------------------------

Date: Thu, 23 Jun 94 18:04:09 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: danger from used disks?

Nathan Schechtman (nschechtman@pppl.gov) writes:

> I just bought several hundred used disks from someone on the internet.
> I'd like to guarantee that they're safe. Any suggestions out there?
> Will reformatting them remove all viruses?

It depends on what kind of disks they are and what you understand by "formatting" them. If they are floppy disks, then formatting them will almost certainly remove any viruses.
Just beware of some "safe formatting" programs that do not do a destructive format but only zero out a few important areas (like the FAT, root directory, etc.). If you use one of them, it will be possible to "unformat" the floppy, thus recovering any previously present virus. The latest versions of DOS (5.0 and above) do "safe formatting" by default, unless you supply the /U switch to the FORMAT command.

If they are hard disks, things get trickier. The DOS command FORMAT will remove any boot sector virus and will (recoverably) remove any file virus, but will not touch any master boot sector virus. To remove the latter, you'll need to run the program FDISK from DOS 5.0 or above with the option /MBR.

Of course, I am assuming that you want the disks formatted for DOS. If this is not the case, the solution might be completely different.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Thu, 23 Jun 94 18:06:50 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: danger from used disks?

Nathan Schechtman wrote:
)I just bought several hundred used disks from someone on the internet.
)I'd like to guarantee that they're safe. Any suggestions out there?
)Will reformatting them remove all viruses?
)
)Thanks

Not if the machine you format them with has a virus on it.

Wiping the floppies with a strong magnet (look at the refrigerator for a source) is guaranteed to remove all viruses. Formatting may install one, though.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 23 Jun 94 19:40:12 -0400
From: Dennis.Clouse@ucop.edu (Dennis Clouse)
Subject: Re: Good viruses/Bad viruses

Item from S.F. Chronicle 6/11/94:

>>Shooting Victim Pulled Fake Gun, Police Say<<

A man shot by an undercover officer during a Tenderloin narcotics investigation had pulled a realistic replica of a .45-caliber pistol on another officer, police said yesterday. (remainder deleted).

Note the response here was a) immediate, and b) absolute. Would anyone suggest that the correct response would be to wait until the trigger had been pulled a few times to establish whether or not *this* pistol has or has not caused harm (at least to date)? Would anyone suggest that the correct response would be to wait until the pistol could be disassembled and analysed to determine if it *could* cause harm?

I feel the appropriate response to any viral computer system intrusion should be a) immediate, and b) absolute. Security professionals are not in a position to wait and assess damage prior to response: they must respond to the *perceived threat*. Whether a viral threat turns out to be 'Real' during the post-mortem of the virus is immaterial ... the important thing is that the *perceived threat* to the system has been negated.

We consider mosquitoes a threat because they *may* carry diseases. We eradicate them, without considering the guilt or innocence of *individual* mosquitoes. Frankly, were someone to suggest that they had bred a 'beneficial' mosquito, and we should amend our mosquito abatement methods to identify and allow for that single, exceptional, allegedly benign creature, I would question his/her motives (if not sanity). Ditto the alleged 'beneficial' or 'nondestructive' computer virus.

To paraphrase one of Rob Slade's .sig lines (Rob? Where are you?):

> _Kill them all and let the apologists sort them out_ <

(Works for me!)

Dennis
* Dennis.Clouse@UCOP.EDU   Office of the President, University of California *
"my neighbor just gave me a GenB pistol ... is it dangerous?"
------------------------------

Date: Mon, 13 Jun 94 19:59:10 -0400
From: qna@cac.washington.edu ("David Wall c/o QnA")
Subject: 380A: U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)

On Mon Jun 13 16:53:05 PDT 1994, David Wall wrote:
> On Sat Jun 11 13:18:08 PDT 1994, Mike Ramey wrote:
>
> CAC/HELP:
> Do we have a local (uwash.) or regional (pnw.) newsgroup for virus info?
> I suggest it may be worth creating one -- preferably 'pnw.' because if
> there is a virus in Portland, it may be in Seattle next week. Also note
> that VIRUS-L and comp.virus messages are posted only about once a week.
> While we certainly don't want to disseminate false reports, we also need
> to alert each other to real virus outbreaks. Your comments please.
>

Mike,

C&C maintains reasonably current PC and Mac virus utilities on the ftp.cac host. We also publish a very basic document about the virus problem. We recognize that this is an area of serious concern. At this time we do not have plans to take any additional action, but we wouldn't be opposed to people starting a new newsgroup. A local, UW, group would be easily set up. One with wider circulation would require the Usenet new group process.

- --
David Wall (QnA Router)
router@ren.cac.washington.edu

------------------------------

Date: Mon, 13 Jun 94 21:01:15 -0400
From: "R. Wallace Hale"
Subject: Re: Dr Solomon's on the move! (PC)

>S&S International, developers of Dr Solomon's Anti-Virus Toolkit,
>are moving to new, larger premises.

Used versions 4.xx, but missed the 5.xx series completely. Recently put 6.51 through the mill and was impressed. Installation is fast, simple, and flexible, and the optional Toolkit interface certainly makes usage easy, even for a tyro.

Going head-to-head with F-PROT 2.12, it's nearly impossible for me to pick a winner. However, since I value both products primarily for their scanner functions, and strongly advocate the use of at least two quality scanners, that presents no problem. :)

Lest anyone get an incorrect impression, I am not attempting to present a critical review of Toolkit. I'm not in the business of formally testing AV products, nor am I on the payroll of any AV product vendor. I've regarded Toolkit as one of the best AV products available and wonder why there is so little mention of it here, other than in Vesselin's posts. Perhaps Toolkit users have no problems to discuss?

R. Wallace Hale                  "You can observe a lot just by
halew@nbnet.nb.ca                 watching."
BBS (506) 325-9002                       - Lawrence Berra

------------------------------

Date: Tue, 14 Jun 94 03:35:57 -0400
From: berek@xmission.com (Berek Halfhand)
Subject: Boot sector virus ? (PC)

Does anyone know of a boot-sector virus called Leonart2 or Lennart2 or something like that? It's been going around the college recently and supposedly few virus checkers find the thing... I would like to know the following, if possible:

1. Analysis
2. What detects it
3. What cures it
4. Where can I find the cure
5. Has anyone had problems with this particular virus before, and the previous version (I assume)

Any responses are welcome, as are e-mail replies...

berek@xmission.com

------------------------------

Date: Tue, 14 Jun 94 10:33:20 -0400
From: CL-28951@cphkvx.cphk.hk
Subject: Virus found, Please help! (PC)

My friend's company has a Novell network computer system. He told me that when he did a DIR of the executable files (EXE files), the file sizes had increased. He used McAfee SCN-201 to scan the hard disk, but it did not report that any virus was detected. Does anybody know what kind of virus this is? How can this virus be removed? Please advise!

Thanks
Philip Tong
My Email Address: cl-28951@cphkvx.cphk.hk

------------------------------

Date: Tue, 14 Jun 94 20:47:04 -0400
From: vmgerman@rodan.syr.edu (Victor M. Germani)
Subject: Cansu virus...Please Help/RISC-Aix virus Scan (PC)

I have recently been on-site installing software and I have found a disk infected with the CANSU (??) virus. What is this virus?
What does it do? What kind of virus is this? I need as much info on this virus as I can get. There is a possibility that we have infected several sites. I also found that MSAV and Norton cannot find this virus. The virus was found using a customer's virus program called Inoculan (I think). Are there any other programs that can detect this virus? This virus was found on a DOS disk; however, the file came off of a RISC/AIX server. Can this affect the server/UNIX environment and also the network? I need help! Any and all responses will be greatly appreciated. Please E-mail me directly at: vmgerman@rodan.syr.edu

Thanks in advance

------------------------------

Date: Wed, 15 Jun 94 16:00:21 -0400
From: moodley@beastie.cs.und.ac.za (Sugan Moodley)
Subject: Matura (PC)

Help! I got the Matura92 virus.... Actually the entire Durban campus of Natal got it (South Africa). Is there a doctor in the house? What's the prognosis....? Thanx in advance....

------------------------------

Date: Wed, 15 Jun 94 16:01:26 -0400
From: lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil)
Subject: SMEG Junkie (PC)

A report in DoD news this a.m., quoted below, speaks of Smeg and Junkie spreading. I cannot find reference to either in VSUM. Can someone out there enlighten me please. What are these? Is the report below accurate? What can I use to find and kill them? McAfee?

Article follows

>From DOD news Paperboy@Tecnet1.jcte.jcs.mil june 15 94 :

``JUNKIE'' COMPUTER VIRUS SPREADING

ANN ARBOR, Mich., June 14 -- A new breed of computer virus that outsmarts anti-virus software has cropped up nationwide and as far away as London's financial district since its discovery in Ann Arbor, experts said Tuesday. The virus known as "Junkie" and its relative "Smeg" are part of a technological breakthrough by the underground hackers who create viruses for the thrill of infecting computers and destroying data. Junkie was discovered last month after an Ann Arbor man bought a new computer for his son.
The virus shut down the computer and went undetected until local computer consultant Jim Shaeffer found it using a special program. Shaeffer reported the virus to Frank Horowitz, a specialist in anti-virus software in Brier, Wash.

"This is the first time we've seen this," Horowitz told United Press International. "And there're going to be many others like this."

After computer users were electronically told about the discovery, Horowitz said, the Smeg virus was found in computers used by London financial services firms. It's unclear how many computers have been infected by the new viruses, which Horowitz said are far more dangerous than the well-publicized "Michelangelo" virus, which was designed to shut down computers on Michelangelo's birthday several years ago.

Horowitz said he's received reports from across the country about the new virus. But he said it's impossible to tell how far it's spread. By breaking Junkie's code, Horowitz said, he could tell the virus was created in 1994. The code also contained the virus name, a standard procedure for hackers who want to know when their creation gets publicity.

Junkie is unique because, unlike other viruses, it can attack a floppy disk, a computer's boot sector, or its executable files. Other viruses only attack one of those three crucial areas of a computer. It's also dangerous because Horowitz said standard, scanner-type anti-virus software can't find Junkie. The virus is "polymorphic," meaning its characteristics are always changing to avoid detection. Horowitz compared the relationship between the new virus and anti-virus software to updated police radar devices that go unseen by civilian radar detectors.

Also disturbing is that Junkie was found in a new computer. Horowitz said the computer might have been infected at the computer factory. The discovery indicates that viruses are entering a new phase of destruction, Horowitz said. "Viruses are continuing to be developed with a lot of expertise," Horowitz said.
"They're definitely a growing number of viruses out there with new technology, and we're beginning to see the distribution of those viruses more quickly."

=====

------------------------------

Date: Wed, 15 Jun 94 15:59:23 -0400
From: Dana Antkowiak
Subject: Budo Virus (PC)

Has anyone else been infected with the Budo (B2) virus? If you have and have successfully cleaned it, please e-mail me back on which program you used to clean it off of your machine. Or if anyone has any ideas or suggestions that would be helpful, they will be appreciated.

Thanks:=}

------------------------------

Date: Thu, 16 Jun 94 17:39:50 -0400
From: craig%enterprise@uunet.UU.NET (Craig S. Maloney)
Subject: Help! (PC)

I need help in getting rid of a virus. It is the Newbug variety of the GENB [Generic Boot Sector] virus. It will not "Clean" from a hard disk. I have used McAfee Clean ver. 115 to remove Genb from floppy drives, but I have had no luck with hard disks. Anyone have any ideas?

Craig
- --
- ------------------------------------------=----------------------------------
Craig Maloney                           | Engineering Computer Center
Supervisor                              | Wayne State University
PC/Mac Systems, College of Engineering  | 5050 Anthony Wayne Drive
Internet: craig@enterprise.eng.wayne.edu| Detroit, MI 48202
Fax : 313-577-5969                      |
- ------------------------------------------=----------------------------------

------------------------------

Date: Fri, 17 Jun 94 07:42:29 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Testing Anti-Virus TSRs (PC)

I am writing utilities for automating the testing of DOS anti-virus TSRs, the idea being to find out which file viruses a TSR can detect/intercept without having to clean up an infected computer every time one is missed. I have been able to perform sensible tests on the TSR components of the following products:

Norton
Smartscan
Central Point
McAfee
Dr. Solomon's

However, I have had anomalous results with TSRs from the following products:

Thunderbyte
IBM
Virex
Untouchable
Cybec

I would like to correspond with the authors of the software concerned, with a view to getting some details about the way their programs work. As the author of one of these products (VirusGuard in Dr. Solomon's Anti-Virus Toolkit), I understand the desire to keep such details from the competition, defined as both competing AV vendors and the virus writers. I do not therefore intend to discuss the matter in a public forum, nor press for details that authors are unwilling to reveal.

I am no longer employed by any anti-virus software publisher and am now writing and programming freelance. I invite anyone with technical information on the products which are giving me trouble to correspond with a view to making the testing of their product easier and safer. I hope that they (you?) will feel that it is in their own interests to do so.

- --
Iolo Davidson   "I am the Cat," said the Cat, "who walks by himself,
                 and all places are alike to me." - Kipling

------------------------------

Date: Fri, 17 Jun 94 12:13:07 -0400
From: beichelb@topgun.idbsu.edu (Ben Eichelberger)
Subject: unknown virus (PC)

We have experienced an unknown virus on our University Campus. The latest version of McAfee Virus Detection software 114 did not find anything. However, these are the symptoms: Many lost clusters taking up hard disk space. On one machine it ate up over 140MB of disk space, leaving less than a MB of room to work in. Other machines had 30MB, 50MB and 70MB of lost clusters in one file. Some diskettes have also had lost clusters eating up remaining room on the diskette. Two of the diskettes were unrecoverable and data was lost. We were able to fix the lost clusters with DOS chkdsk /f. Our major concern now is how to remove an unknown virus from these machines. Any help or suggestions would be greatly appreciated.
------------------------------

Date: Fri, 17 Jun 94 15:04:08 -0400
From: peterj@netcom.com (Peter Jennings)
Subject: STACK virus (PC)

In a routine scan of my system using McAfee's SCAN 1.15B obtained yesterday from a SimTel site, the STACK virus was reported in 6 files recently installed with Xerox Ventura PicturePro. The files were DLLs and executable overlays (filters). However, the documentation accompanying both SCAN and CLEAN makes no reference to the STACK virus.

I attempted to use the SCAN /AF followed by the CLEAN /GRF options to remove the viruses, but got a message that the file generated by SCAN was "damaged". I attempted to use the SCAN /AG command as described in the CLEAN documentation as a prelude to running CLEAN /GENERIC, but /AG seems to be unrecognized as an argument by this copy of SCAN. It seems to only be part of version 1.5.

Does anyone have any knowledge of the STACK virus and how I might go about removing it, or whether this product gives a false indication with SCAN? The virus is present on both the 3.5 and 5.25 inch disks in the package.

Apparently Xerox has sold Ventura to Corel, but Corel claims that they support Ventura Publisher, but not Ventura PicturePro, so I am having trouble finding the right Customer Support number to call for help.

Any help would be appreciated.

Peter
- --
- -- peterj@netcom.com
|==================================================================|
| Netsurfers using DOS should finger peterj@netcom.com to learn    |
| about MagicKey, the pop up Internet Help window with autotyping. |
| Over 300 Internet resources available at the touch of a key.     |
|==================================================================|

------------------------------

Date: Fri, 17 Jun 94 20:50:13 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Chill Touch and Junkie Viruses (PC)

The following viruses arrived too late to be placed into Version 116; however, enclosed are descriptions and external strings to detect them with VIRUSCAN (and possibly other antivirus programs, as well).

To use the external strings, create a text file with one string per line and save it with a name like VIRUS.TXT. Then run VIRUSCAN by typing:

SCAN C: /EXT VIRUS.TXT

You can replace "C:" with any drive letter or letters (each separated by a space). To check all local hard disk drives, replace "C:" with the "/ADL" switch. To check all network disk drives, replace "C:" with the "/ADN" switch.

NOTE: These strings are for VIRUSCAN Version 11X only, not the new Version 2.x series.

Chill Touch

Description: The Chill Touch virus is a memory-resident .COM file infector. When run, the virus installs itself in memory as a terminate-and-stay-resident program and infects COMMAND.COM.

Infection Method: Once in memory, the virus watches for the running, copying, and opening of .COM files and infects on these accesses, increasing the size of infected files by 544 bytes.

Messages: The virus contains the message "Chill Touch . You can't touch these phantoms"; however, the message is not visible within the virus code due to a simple XOR loop used to cipher the virus code.

Detection: The virus can be detected by VIRUSCAN's /EXT switch with the following string:

"C7 09 8B F7 AC 34 ? AA E2" Chill Touch

Infected files can be deleted with the DOS DEL command or VIRUSCAN's /D switch. VIRUSCAN's validation and recovery codes option will also detect and remove this virus.

Other: We have received two reports of this virus from the United States and one report of the virus from Europe to date.
Junkie

Description: The Junkie virus is a memory-resident multipartite (file and system area) infector. The virus infects .COM files greater than 4,096 bytes and the master boot record of hard disks.

Infection Method: Once a virus-infected program is run, the virus installs itself in memory as a terminate-and-stay-resident program. On the system area of the hard disk, the virus copies two 512-byte sectors of code into the first track of the hard disk. The virus then modifies the existing master boot record of the hard disk to read the extra sectors and execute them upon boot-up. For files, the virus monitors the system for attempts to run and open them. When a file is run or opened, the virus checks it for a .COM extension on the file. The virus modifies the beginning instructions of the file to point to the end of the file, and adds approximately 1,024 bytes of virus code to the end of the file. The next time the file is run, the virus code will then be executed before returning control to the host program.

Messages: The virus contains the text "Dr White - Sweden 1994 Junkie Virus - Written in Malmo..._"; however, this message is not visible within the virus code due to a simple XOR loop used to cipher the virus code.

Detection: The Junkie virus can be detected by VIRUSCAN's /EXT switch with the following string:

"26 81 34 ? ? 46 46 E2 F7" Junkie Virus

Infected files can be deleted with the DOS DEL command or VIRUSCAN's /D switch. VIRUSCAN's validation and recovery codes option will also detect and remove this virus.

Other: We have had one report of this virus on one PC from Stockholm, Sweden. While there have been multiple reports of this virus from the Great Lakes region of the United States, it appears that these are not reports OF the virus but reports ABOUT the virus from the U.S. distributor of a Scandinavian antivirus program. We have had no other infection reports of this virus from any of our 150+ offices in 50+ countries around the world.
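The /EXT string format used for both viruses above (bytes in hex, "?" matching any byte) and the description of how Junkie retargets a .COM file's first instruction, as an added example that is not McAfee's code: a small Python scanner that loads the two strings in the one-per-line VIRUS.TXT layout shown in the post (the exact file syntax VIRUSCAN expects is an assumption) and runs them over constructed sample images, plus a .COM entry-point heuristic derived from the infection description. The sample images are constructed for the demo and contain no virus code.

```python
"""Added example for this digest: a scanner for VIRUSCAN /EXT-style signature
strings plus a .COM entry-point heuristic taken from the Junkie description.
Not McAfee's code. The VIRUS.TXT layout (quoted hex string, then a name) is
assumed from the post, and every sample buffer below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]        # one entry per byte; None is the '?' wildcard

# The two strings quoted in the McAfee post, one per line as the post instructs.
VIRUS_TXT = """\
"C7 09 8B F7 AC 34 ? AA E2" Chill Touch
"26 81 34 ? ? 46 46 E2 F7" Junkie Virus
"""


def parse_ext_line(line: str) -> Optional[Tuple[str, Pattern]]:
    """Parse one signature line into (name, byte pattern); None for blank lines."""
    line = line.strip()
    if not line:
        return None
    m = re.fullmatch(r'"([0-9A-Fa-f? ]+)"\s*(.*)', line)
    if not m:
        raise ValueError(f"unparseable signature line: {line!r}")
    pattern: Pattern = []
    for tok in m.group(1).split():
        if tok == "?":
            pattern.append(None)
        elif len(tok) == 2:
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad byte token {tok!r} in {line!r}")
    return (m.group(2).strip() or "unnamed", pattern)


def compile_pattern(pattern: Pattern) -> "re.Pattern[bytes]":
    """Turn the byte/wildcard list into a bytes regex ('.' under DOTALL = any byte)."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)


def load_signatures(text: str) -> List[Tuple[str, "re.Pattern[bytes]"]]:
    sigs = []
    for line in text.splitlines():
        parsed = parse_ext_line(line)
        if parsed is not None:
            name, pattern = parsed
            sigs.append((name, compile_pattern(pattern)))
    return sigs


def scan_buffer(data: bytes, sigs) -> List[Tuple[str, int]]:
    """Return (name, offset) for every signature occurrence in the buffer."""
    return [(name, m.start()) for name, rx in sigs for m in rx.finditer(data)]


def com_entry_jumps_to_tail(data: bytes, tail: int = 1100) -> bool:
    """Heuristic from the post's Junkie description: the first instruction of an
    infected .COM is rewritten to jump into ~1,024 bytes appended at the end.
    A .COM loads at offset 100h, so file offset == IP - 100h, and a JMP rel16
    (opcode E9) at offset 0 lands at file offset 3 + rel. Clean programs can
    start the same way, so a hit is a lead for the integrity checker, not a
    verdict (assumption: this is a heuristic, not a Junkie signature)."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    rel = int.from_bytes(data[1:3], "little", signed=True)
    target = 3 + rel
    return len(data) - tail <= target < len(data)


def build_samples() -> Dict[str, bytes]:
    """Constructed sample images; they contain no executable virus code."""
    # 5,000-byte host (> 4,096, the size Junkie is said to require): mov ah,4Ch / int 21h, then NOPs
    clean = bytes.fromhex("B4 4C CD 21") + b"\x90" * 4996
    # 1,024-byte tail carrying the Junkie string with 12 34 in the two wildcard slots
    tail = b"\x00" * 500 + bytes.fromhex("26 81 34 12 34 46 46 E2 F7") + b"\x00" * 515
    # entry JMP retargeted to the appended tail, as the post describes
    junkie_like = b"\xE9" + (len(clean) - 3).to_bytes(2, "little") + clean[3:] + tail
    # Chill Touch string with 55 in the wildcard slot, no entry-point change
    chill_like = b"\x90" * 32 + bytes.fromhex("C7 09 8B F7 AC 34 55 AA E2") + b"\x00" * 64
    return {"clean": clean, "junkie_like": junkie_like, "chill_like": chill_like}


if __name__ == "__main__":
    sigs = load_signatures(VIRUS_TXT)
    for name, image in build_samples().items():
        print(f"{name:12s} size={len(image):5d} hits={scan_buffer(image, sigs)} "
              f"entry_jmp_to_tail={com_entry_jumps_to_tail(image)}")
```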
Aryeh Goretsky
Technical Support
- --
- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Sat, 18 Jun 94 12:32:25 -0400
From: s9410544@yallara.cs.rmit.OZ.AU (Hoang Anh Nguyen)
Subject: New virus was found. (PC)

I have discovered a new virus with the name NGVC; this virus is very small in size and only destroys the FAT. Probably this virus comes from Vietnam.

------------------------------

Date: 15 Jun 94 22:23:50 +0000
From: garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User)
Subject: NATAS Virus? (PC)

I notice an "emergency copy" of the new Scan 2, specifically aimed at the "NATAS" virus. After downloading it from the McAfee ftp site, I'm still no wiser than before about this virus, but I assume if McAfee saw fit to release a special version, it must be fairly serious. Anybody have any information?

Oh, for what it's worth, this special version seems to hang up on me while doing an "internal scan" of one of my Central Point Backup files. No error message, it just stops. Anyone else have any problems with it?

Steve Garcia
garcia@bakersfield.geoquest.slb.com

------------------------------

Date: Mon, 20 Jun 94 10:50:00 -0400
From: janzen@atbms.ncs.dnd.ca (R. Janzen)
Subject: Stoned.Manitoba (PC)

We have been hit by the virus which F-PROT identifies as Stoned.Manitoba. It seems to be removed normally by F-PROT, and all of the floppy disks have been scanned. However, the virus seems to be popping up at several other locations (around the original infection).
As I understand BSVs, the only way that it could be spread is by booting off of an infected disk (or having an infected data disk in the boot drive at boot-time). To me this means one of two things: either Stoned.Manitoba is not a BSV, or not all floppy disks have been scanned. I'm currently scanning *every* floppy disk anywhere near the area, and not trusting the users at all.

Can anyone verify for me whether Stoned.Manitoba is only a BSV? And am I correct on how it could be spread?

Thanks
Rob Janzen
janzen@atbms.achq.dnd.ca

------------------------------

Date: Thu, 23 Jun 94 11:54:33 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: info on 2 viruses (PC)

sa1737976@v9001.ntu.ac.sg writes:

>and where can i get a copy of f-prot ? seems like quite a lot of ppl r talking
>abt it and using it. i can accept uuencoded stuff :). thanx !!

It is available on most major FTP sites, but you can always get a copy of the latest version (currently 2.12c) by uuencoded e-mail, by sending any mail message to f-prot@complex.is

- -frisk

Fridrik Skulason   Frisk Software International   phone: +354-1-617273
Author of F-PROT   E-mail: frisk@complex.is      fax:   +354-1-617274

------------------------------

Date: Thu, 23 Jun 94 11:56:32 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: "New" Virus found? (PC)

bullingt@sfu.ca (Keith Gordon Bullington) writes:

>I've come across a .COM infecting virus that fails to be caught by
>SCAN v2.01, TBScan or F-Prot 2.12.

The virus in question (Junkie) can be detected and removed with F-PROT 2.12c.

- -frisk

------------------------------

Date: Thu, 23 Jun 94 22:14:25 -0400
From: "Fabio Esquivel C."
Subject: Cure for SVC.2936 & Three_Tunes viruses (PC)

Are those viruses really hard to disinfect?
There are several PCs infected here in different enterprises and friends' homes, with both viruses, and still McAfee's product (version 115B) and Fridrik's F-Prot (version 2.12c) are unable to disinfect them, though they are relatively old viruses.

I remember that Dark Avenger was disinfectable by undoing the changes made to the executable's header and wiping off the virus code from the end of the executable file. I think that SVC.2936 (Scan's June1530) and the Three_Tunes viruses infect executable files in the same manner as Dark Avenger does. Then, why is it not possible to undo the changes to the exec's header and leave the files as closely as they were before infection?

By now, my friends and the enterprises attacked are just replacing the files from backups or reinstallations...

 \___/
 (O o)
- ----------------------------------oOo-U-oOo--------------------------------
- -- Fabio Esquivel - University of Costa Rica  | C:\GAMES>a:install
fesquive@cariari.ucr.ac.cr (163.178.101.5)    | Blood_Drinker virus found!
fesquive@bribri.ci.ucr.ac.cr (163.178.101.8)  | Apply, Kill, Panic?
   _                  "Up the Irons!" - 8¬)
- ---------------------------------------------------------------------------
- ---  __|||__
     (__/^\__)

------------------------------

Date: Fri, 24 Jun 94 02:47:57 +0000
From: phle@undergrad.math.uwaterloo.ca (Phat H. Le)
Subject: Need help on "stoned" virus (PC)

Please forgive me if this is one of those FAQs. The problem is that my PC is infected with the so-called "stoned" virus. This virus infects the boot sector, and the info I've got from MSAV indicates that this virus is harmless yet irritating. Anyway, I tried F-PROT and it told me to reboot the PC with a virgin boot disk and rerun the antivirus software. I did just that, but when I rebooted the PC with a clean boot diskette, I couldn't see the C drive.
So the way I got rid of the virus was to reboot the PC from the hard drive and back up all the files onto a server, then do a low-level format of the C drive. This is what you might call a "brute force" method and it worked fine. However, my question is - is there another way to remove this stoned virus, or is there any antiviral software out there that can get rid of it other than the "brute force" method?

Any help on this will be greatly appreciated,

PhLe
- --
+----------------------------------------------------------------------------+
| Phat H. Le                 |                                               |
| phle@napier.uwaterloo.ca   | "I'LL BE BACK!" - Arnold Schwarzenegger       |
+----------------------------------------------------------------------------+

------------------------------

Date: Fri, 24 Jun 94 03:41:21 -0400
From: Henrik Stroem
Subject: Re: Joshi virus - False alarm? (PC)

> From: gbesko@bldgeduc.lan1.umanitoba.ca (Geoff Besko)
> Date: Thu, 23 Jun 1994 10:37:28 EDT

> When I scan a machine on my network with the Microsoft Anti-Virus utility,
> that came with MS-DOS 6.1, it says that the machine has the Joshi virus.

Really? I didn't know an MS-DOS v6.1 was ever released. Microsoft jumped from v6.0 directly to 6.20, then later to 6.21 and 6.22 (current). PC-DOS on the other hand released v6.1, and jumped up to 6.3 (current). But I don't think you mean PC-DOS 6.1 because it comes with IBM Anti-Virus, and not MSAV.

> However, when I check the same machine with the newest (v2.12) of F-Prot it
> doesn't register any viruses at all.

F-Prot should be able to detect Joshi, so it is probably a false alarm, or a new variant of Joshi (not likely).

> Has anyone heard about problems with the reliability of the MS Antivirus
> program? I will probably try another program to see if it finds anything but
> I was wondering if anyone has had any similar experiences? Any help would be
> much appreciated!
There has been much noise about MS Anti-Virus, but I've never heard about a Joshi false positive from it before, so this might be something else. Maybe you have a floppy that is infected, and which was in use at the time you detected the virus? You might want to check out FIXUTIL6.ZIP, containing some nice tools that should be able to tell you whether you are infected or not.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 24 Jun 94 03:46:31 -0400
From: Henrik Stroem
Subject: Re: Virus in Norton Commander 4.0! (PC)

> From: gorbiel@student.uci.agh.edu.pl (Andrzej Gorbiel)
> Subject: Virus in Norton Commander 4.0! (PC)
> Date: Thu, 23 Jun 1994 10:37:28 EDT

> BTW if you find which bit of NC.INI is critical (i.e. causes this
> effect) do not hesitate to inform me (by e-mail). Or write a virus
> that changes that bit and call it Symantec!

Another solution would be to upgrade to NC v4.5, and chances are that this problem might have been fixed.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 24 Jun 94 04:32:46 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: The AntiCMOS virus (PC)

In the last two weeks, I have noticed a dramatic increase in the number of reported AntiCMOS infections. My guess is that the virus got "lucky", and is being distributed in some package, preinstalled on machines from some manufacturer, or on pre-formatted floppy disks from some producer. I am looking for any information that might explain this sudden increase.

- -frisk

Fridrik Skulason   Frisk Software International   phone: +354-1-617273
Author of F-PROT   E-mail: frisk@complex.is      fax:   +354-1-617274

------------------------------

Date: Wed, 15 Jun 94 15:58:10 -0400
From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
Subject: Junkie virus (PC)

Does anyone have any specific information on the "Junkie" virus? I got the following fax yesterday from someone. Do any other scanners detect and/or clean this?
I don't buy their solution for cleaning it. From what I've been hearing, it's a pretty nasty little bug.

***Begin included article ****

Another Super-Virus Discovered 06/02/94

BRIER, WASHINGTON, U.S.A., 1994 JUN 2 (NB) -- A super-virus that can create havoc on your computer system has been accidentally discovered while a sales representative was demonstrating an anti-virus program to a customer. Called "Junkie," the virus was discovered in Ann Arbor, Michigan, while a Reflex Inc. rep was demonstrating the merits of that company's Disknet anti-virus software.

"Junkie" reportedly has software engineers concerned for several reasons: It is encrypted, making it difficult to be spotted; it is polymorphic, meaning it changes each time it replicates; and it infects both the drive's boot sector and executable files on the

Reflex engineers are studying the characteristics of "Junkie" in an effort to see what other effects it may have on a computer. The source of the virus is still uncertain, but it was discovered on pre-installed, shrink-wrapped software. The PC manufacturer that pre-installed the software was not identified, but Reflex spokesperson Bob Reed told Newsbytes that it appears that was not the source of the infection. "The system was installed for a month before it ("Junkie") showed up," said Reed.

Reflex engineers say "Junkie" is spread by infecting the boot sector, the portion of the hard disk that contains the startup instructions for a computer. It can reportedly also infect the boot sector of a floppy drive and even make an anti-viral program a carrier. "Junkie can make anti-virus toolkits spread viruses. Scanners open files to search for viruses, in turn opening the door for Junkie to use the scanner itself as a means of spreading the virus," according

Reed said the Ann Arbor incident is the only time so far "Junkie" is known to have surfaced. He said there are no visible warnings of the virus.
He stresses the need for having a current backup of your computer data. "The only known cure is re-formatting the hard disk," says Reed. That gets rid of "Junkie." Users are cautioned not to make a backup copy of the drive that is suspect, since the backup will also be contaminated.

Most anti-virus programs scan for known viruses, but cannot always detect a new and different problem such as "Junkie." That makes it necessary to continually update anti-virus programs, with a resultant added cost in time and money to make sure your computer system is virus-free.

(Jim Mallory/19940602/Press contact: Lucy Stokstad, Reed, Revell-Pechar, 206-4624777; Reader contact: Reflex Inc., 800-673-3539)

***End included article

------------------------------

Date: Wed, 15 Jun 94 02:48:05 -0400
From: lucas@mcafee.com (Kelly Lucas)
Subject: McAfee VirusScan V2.0.2 uploaded to SimTel (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
scn-202.zip  VirusScan V2.0.2 scans/cleans for viruses
vsh-202.zip  VShield V2.0.2 virus prevention TSR

WHAT'S NEW

VirusScan Version 2.0.2 contains the following changes from 2.0.1:

VirusScan .DAT files

o A false alarm of the TELECOM (alias: Antitelefonica) virus in memory on Toshiba T-4500 notebook computers has been fixed.
o CLEAN.DAT now includes removers for over 1,250 viruses, including the 5Volt, Lycee.0930, ParVir1, and most boot viruses.
o All false alarms reported to the VirusScan Development Team have been fixed.

VirusScan for DOS

o The /NOBREAK switch has been added. This switch will prevent a scan from being stopped by pressing the Ctrl-C or Ctrl-Brk keys.
o VirusScan now makes use of Expanded Memory (EMS) available using the LIM-EMS 4.0 specification. This can reduce VirusScan's Conventional Memory (Base 640Kb) requirements by up to 60%.
o Conventional memory requirements have been reduced from 340Kb to 300Kb.
o VirusScan's scanning speed has been improved by approximately 12%.

VShield

o False reports of viruses in memory on older PCs have been fixed.
o A problem launching DOS programs under Windows has been fixed.

For instructions on using the programs, please refer to the VirusScan documentation. For Validate values, please refer to the PACKING.LST enclosed inside each .ZIP file.

Regards,

Kelly Lucas
Technical Support
- - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: lucas@mcafee.COM
2710 Walsh Ave, Suite 200| FAX (408) 970-9727   | IP# 192.187.128.1
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | America Online: McAfee

------------------------------

Date: Thu, 16 Jun 94 10:21:29 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.12C released (PC)

Version 2.12c is a minor update ... it adds detection and disinfection of a fairly large number of viruses, but the primary reason it is released is that some of those viruses are "in the wild".

Among the viruses we added detection/disinfection of are:

Chill (in the wild in USA)
Junkie (in the wild in several countries)
Natas (in the wild in Mexico and USA)
SMEG.Pathogen and SMEG.Queeg (in the wild in the UK)

I just uploaded 2.12c to oak.oakland.edu....it should be available for download soon, but it can also be obtained by sending e-mail to our mail server:

f-prot@complex.is

It will attempt to e-mail a uu-encoded copy back to you.

- -frisk

------------------------------

Date: Fri, 17 Jun 94 09:58:04 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-212c.zip - Version 2.12c of the F-PROT anti-virus package

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
fp-212c.zip  Version 2.12c of the F-PROT anti-virus package

Version 2.12c is a minor update...
it adds detection and disinfection of a fairly large number of viruses, but the primary reason it is released is that some of those viruses are "in the wild".

Among the viruses we added detection/disinfection of are:

Chill (in the wild in USA)
Junkie (in the wild in several countries)
Natas (in the wild in Mexico and USA)
SMEG.Pathogen and SMEG.Queeg (in the wild in the UK)

- -frisk

Fridrik Skulason   Frisk Software International   phone: +354-1-617273
Author of F-PROT   E-mail: frisk@complex.is      fax:   +354-1-617274

------------------------------

Date: Fri, 17 Jun 94 17:22:43 -0400
From: tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: Updated VDS 3.0m on Oak (PC)

Hello everyone,

The new VDS (Virus Detection System) 3.0m Shareware Edition is available on Simtel-20 and some of its mirrors; the file name is VDS30M.ZIP. This release of the package is intended to allow potential customers to evaluate the suitability of the product to their needs. It is a fully functional copy that lacks a few features of the Pro version (see the docs for details).

VDS 3.0m includes a fast virus scanner, a robust integrity checker with anti-stealth capability, a generic virus remover, external signature support, emergency diskette preparation, a very versatile decoy launcher, a low-level disk recovery tool, readable documentation, excellent Netware support (not just compatible), automatic and semi-automatic installation (with de-install feature), and an object-oriented (seriously) user interface.

VDS 3.0 emphasizes integrity checking, but also provides known virus scanning. Its catalog-based integrity database supports both DOS drives and Novell volumes. The newly added installation program simplifies protecting workstations by offering complete electronic distribution and configuration options. Once in place, VDS can perform periodic (user-definable) integrity checks and scans without further user intervention.
System requirements:

IBM PC compatible computer
Hard disk (for integrity checker) with 1024K free space
384K of memory available
Optional 192K extended memory for large catalogs
MS/PC-DOS 3.0 or later

If you are looking for a comprehensive and up-to-date anti-virus package, we invite you to try VDS. It's only an FTP away! Let us know what you think.

Regards,

Tarkan Yetiser
tyetiser@gl.umbc.edu
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

------------------------------

Date: Mon, 20 Jun 94 14:32:44 -0400
From: James Ford
Subject: McAfee files available on risc.ua.edu (PC)

Mirrored 02
Mirrored from: ftp.mcafee.com:/pub/antivirus
Mirrored to: risc.ua.edu:/pub/ibm-antivirus/Mirrors/mcafee/antivirus) @ Mon Jun 20 12:26:55 CDT 1994
- ------------------------------
Got 00-Index 2124
Got clean116.zip 276384
Got ocln116.zip 289502
Got oscan116.zip 256697
Got scanv116.zip 255499
Got virdt116.zip 76232
Got vshld116.zip 146472
Got wscan116.zip 310518
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/wscn115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/vsh115.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/scn115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/oscn115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/ocln115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/cln115b.zip
- ----------
James Ford - Seebeck Computer Center          jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)   (205) 348-3968   (205) 348-3993 (fax)

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 47]
*****************************************

5-Jul-94 15:17:14-GMT,31326;000000000000
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.5/3.08) id AA16338; Tue, 5 Jul 94 11:17:05 EDT
Received: from fidoii.CC.Lehigh.EDU by remus.rutgers.edu (5.59/SMI4.0/RU1.5/3.08) id AA16049; Tue, 5 Jul 94 11:16:53 EDT
Received: from Fidoii.CC.Lehigh.EDU ([127.0.0.1]) by Fidoii.CC.Lehigh.EDU with SMTP id <128260-3>; Tue, 5 Jul 1994 11:04:17 EDT
Message-Id: <9407051446.AA06099@bull-run.ims.disa.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V7 #49
X-Listprocessor-Version: 6.0b -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Tue, 5 Jul 1994 10:46:20 EDT

VIRUS-L Digest   Tuesday, 5 Jul 1994   Volume 7 : Issue 49

Today's Topics:

Introduction to the Anti-viral archives listing of 01 July 1994
Archive access without anonymous ftp last changed 07 April 1994
Brief guide to file formats last changed 11 April 1994
Amiga Anti-viral archive sites last changed 04 August 1993
Apple II Anti-viral archive sites last changed 04 August 1993
Atari ST Anti-viral archive sites last changed 04 August 1993
Anti-viral Documentation archive sites last changed 17 May 1994
IBMPC Anti-viral archive sites last changed 23 June 1994
Macintosh Anti-viral archive sites last changed 10 May 1994
Unix security archive sites last changed 18 July 1993
All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 01 Jul 94 10:12:05 -1000 From: Jim Wright Subject: Introduction to the Anti-viral archives listing of 01 July 1994 Introduction to the Anti-viral archives listing of 01 July 1994 This posting is the introduction to the "official" anti-viral archives of VIRUS-L/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh and Unix computers, as well as sites carrying research papers and reports of general interest. Updates to these lists are made exclusively by contributions provided by the readers of this group. My thanks go out to the many people who keep this information current. If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. If you have any corrections to the lists, please let me know. The files contained on the participating archive sites are provided freely on an as-is basis. To the best of our knowledge, all files contained in the archives are either Public Domain, Freely Redistributable, or Shareware. If you know of one that is not, please drop us a line and let us know. Reports of corrupt files are also welcome. PLEASE NOTE The Managers of these systems, and the Maintainers of the archives, CAN NOT and DO NOT guarantee any of these applications for any purpose. All possible precautions have been taken to assure you of a safe repository of useful tools. 
Jim Wright
Canada-France-Hawaii Telescope Corporation
jwright@cfht.hawaii.edu
JWRIGHT@UHCFHT

------------------------------

Date:    Fri, 01 Jul 94 10:12:35 -1000
From:    Jim Wright
Subject: Archive access without anonymous ftp last changed 07 April 1994

Archive access without anonymous ftp last changed 07 April 1994

To get files from the anti-viral archives, you do not need access to anonymous ftp. (However, anonymous ftp is generally the preferred method.) Below is information on accessing the archive sites using only email.

-=-

The AppleII, Atari ST and IBMPC archives have mail servers which provide access to their archives. You may receive automatic updates of Macintosh anti-viral programs via email. See the individual articles on these sites.

-=-

One way to get access to the archives is through a BITFTP server. Send a message to one of the BITNET addresses BITFTP@PUCC, BITFTP@PLEARN or BITFTP@DEARN with the body of the message containing the single word HELP. This should get you more information, and give you access to any archive site on the Internet. Due to excessive loads, this service has been restricted to BITNET and EARN sites only. UUCP sites need not apply.

-=-

If you are not an official BITNET site but still need mail access to the archives, you can try one of the FTPmail servers. Send mail to one of the addresses FTPmail@decwrl.dec.com (Western US), FTPmail@sunsite.unc.edu (Eastern US), FTPmail@cs.uow.edu.au (Australia) or FTPmail@doc.ic.ac.uk (England) with the body of the message containing the word 'help'.

------------------------------

Date:    Fri, 01 Jul 94 10:13:06 -1000
From:    Jim Wright
Subject: Brief guide to file formats last changed 11 April 1994

Brief guide to file formats last changed 11 April 1994

-- The most recent copy of the complete text may be anonymous ftp'd --
-- from ftp.cso.uiuc.edu (128.174.5.61) in the directory doc/pcnet. --
-- That file is maintained by David Lemson (lemson@uiuc.edu).        --
-- Please do not strip this note from this list when passing it on.  --

ARC (.arc)
  This format is most popular on PCs. Compresses and stores multiple files in a single archive.
    PC     - arc 6.02, pk361
    Mac    - ArcMac 1.3c
    Unix   - arc 5.21
    VM/CMS - arcutil
    Amiga  - Arc 0.23, PKAX
    VMS    - arcvms
    Apple2 - dearc
    Atari  - arc 5.21b, pkunarc
    OS/2   - arc2

ARJ (.arj)
  ARJ is a new archive format for DOS. Compresses and stores multiple files in a single archive. The author is Robert K Jung, robjung@world.std.com.
    PC     - arj 2.41a (arj241a.exe)
    Unix   - unarj 2.41
    Amiga  - unarj 0.6

BinHex (.hqx)
  A Macintosh format. Converts a binary Mac file, including data and resource forks, into an archive of only printing ASCII characters. Note that BinHex4.0 will create and decode the ASCII hqx encoding used on Usenet, while BinHex5.0 will decode the ASCII hqx encoding but will create a non-ASCII binary file.
    PC     - xbin 2.3
    Mac    - BinHex4.0, BinHex5.0, StuffIt 1.6, Compact Pro 1.32
    Unix   - mcvert
    VM/CMS - binhex

binscii ( )
  A favorite Apple2 file transmission format. Similar to uu{en,de}code except it can handle multiple files in a single package.
    Apple2 - binscii

Compact Pro (.cpt)
  A new Macintosh format. Compresses and stores multiple files in a single archive.
    Mac    - Compact Pro 1.32, Extractor 1.21
    PC     - EXTRACT

compress (.Z)
  A Unix format. Compresses a single file in an archive.
    PC     - u16, comprs16, comp430d
    Mac    - MacCompress3.2A
    Unix   - compress
    VM/CMS - compress
    Amiga  - compress
    VMS    - lzcomp
    Apple2 - compress
    Atari  - compress

Disk Masher (.dms)
  This is an Amiga format. Compresses and stores an entire floppy in a single archive.
    Amiga  - DMS

GZIP (.gz, .z, .tar.z, .tar.gz, .tgz)
  The GNU implementation of ZIP. Replaces Unix "compress" for GNU software. The last three file extensions above are for gzip'd tape archives.
    Unix   - gzip 1.2.4
    PC     - gzip 1.2.4
    OS/2   - gzip 1.2.4
    VMS    - gzip 1.2.4
    Amiga  - gzip 1.2.4
    Atari  - gzip 1.2.4
    Primos - gzip 1.2.4

HPACK (.hpk)
  A multi-system archiver. Shareware.
    PC         - hpack 0.79a0
    Mac        - hpack 0.79a0
    Unix       - hpack 0.79a0
    OS/2       - hpack 0.79a0
    Amiga      - hpack 0.79a0
    Atari      - hpack 0.79a0
    Archimedes - hpack 0.79a0

LHarc (.lzh)
  This format originated on PCs, and is now popular on Amigas. Compresses and stores multiple files in a single archive.
    PC     - lha 2.55b (lha255b.exe & lha255b.txt)
    Mac    - MacLHarc 0.41
    Unix   - lha 1.00
    Amiga  - LHarc 1.30 [Only .lh0 and .lh1], LhA 1.32, LZ 1.92
    Atari  - lharc113

LHWarp (.lzw)
  This is an Amiga format. Compresses and stores an entire floppy in a single archive. Better compression than plain Warp.
    Amiga  - Lhwarp

LU (.lbr)
  This is an old format that originated with CP/M. It is virtually non-existent now. Collects multiple files into a single archive with no compression.
    PC     - lue220
    Mac    - ArcMac 1.3c
    Unix   - lar
    VM/CMS - arcutil
    VMS    - vmssweep

LZ (.lha .lzh)
  This format is popular on Amigas. Compresses and stores multiple files in a single archive. Will extract .lzh or .lza, and will produce .lza. Is fast when extracting files.
    Amiga  - LZ 1.92

MSX (.msx)
  A new format for CP/M machines. Is also able to extract lharc archives.
    CP/M   - PMARC and PMEXT

nupack ( )
  A favorite Apple2 archive format.
    Apple2 - nupack

PackIt (.pit)
  An old Macintosh format. Compresses and stores multiple files in a single archive.
    PC     - UnPackIt 1.0
    Mac    - PackIt3.1.3
    Unix   - unpit

PAK (.pak)
  An old PC format. Compresses and stores multiple files in a single archive. Also the name of an Amiga format which produces self-extracting archives. Also the name of a new PC format.
    PC     - PAK 2.51
    Unix   - arc 5.21
    Amiga  - PAK 1.0

shell archive (.shar, .sh)
  A Unix format. Stores multiple files in a single archive without compression.
    PC     - unshar
    Mac    - UnShar2.0
    Unix   - sh, unshar
    Amiga  - UnShar
    Apple2 - unshar
    Atari  - shar

ShrinkIt ( )
  A favorite Apple2 archive format.
    Apple2 - ShrinkIt

Squeeze (._Q_)
  An old PC (CP/M?) format. Compresses and stores multiple files in a single archive.
    PC     - sqpc131
    VM/CMS - arcutil
    Amiga  - Sq.Usq
    VMS    - vmsusq
    Atari  - ezsqueeze

StuffIt (.sit)
  A Macintosh format. Compresses and stores multiple files in a single archive.
    PC     - mactopc, UnStuffit 1.0
    Mac    - StuffIt 1.6
    Unix   - unsit
    Amiga  - unsit

tape archive (.tar)
  A Unix format. Stores multiple files in a single archive without compression.
    PC     - tar, tarread, pax, pdtar
    Mac    - UnTar2.0
    Unix   - tar, GNU tar
    Amiga  - TarSplit, pax, GNUtar 1.09
    VMS    - vmstar
    Atari  - sttar

uuencode (.uu, .uue)
  A Unix format. Converts a binary file into an archive of only printing ASCII characters suitable for mailing.
    PC     - uuexe 5.15
    Mac    - UMCP Tools 1.5.1
    Unix   - uuencode, uudecode
    VM/CMS - arcutil
    Amiga  - uuencode, uudecode
    VMS    - uudecode2.
    Apple2 - uu.en.decode

Warp (.wrp)
  This is an Amiga format. Compresses and stores an entire floppy in a single archive.
    Amiga  - WarpUtil

xxencode (.xx, .xxe)
  A Unix format. Converts a binary file into an archive of only printing ASCII characters suitable for mailing. Solves many of the problems of uuencode.
    PC     - uuexe 5.15
    Unix   - xxencode, xxdecode
    VM/CMS - xxencode

ZIP (.zip)
  This format is popular on many systems. Compresses and stores multiple files in a single archive.
    PC     - PKZIP/PKUNZIP 2.04g, Portable unzip 5.1, Portable zip 2.0
    Mac    - UnZip1.02c
    Unix   - Portable unzip 5.1, Portable zip 2.0
    VM/CMS - arcutil 2.0 (uncompress only)
    Amiga  - PKAZip 1.01, Portable unzip 5.1, Portable zip 2.0
    Atari  - STZip 0.9 beta
    VMS    - Portable unzip 5.1, Portable zip 2.0
    OS/2   - PKZIP/PKUNZIP 1.02, Portable unzip 5.1, Portable zip 2.0

ZOO (.zoo)
  This format is popular on USENET. Compresses and stores multiple files in a single archive.
    PC     - zoo 2.10
    Mac    - MacBooz2.1
    Unix   - zoo 2.10
    VM/CMS - zoo
    Amiga  - zoo 2.10
    VMS    - zoo 2.10
    Atari  - zoo 2.10
    OS/2   - zoo 2.10

ZOOM (.zom)
  This is an Amiga format. Compresses and stores an entire floppy in a single archive. Not in common use due to program speed.
    Amiga  - zoom

------------------------------

Date:    Fri, 01 Jul 94 10:13:36 -1000
From:    Jim Wright
Subject: Amiga Anti-viral archive sites last changed 04 August 1993

Amiga Anti-viral archive sites last changed 04 August 1993

ms.uky.edu                          Sean Casey
        Access is through anonymous ftp.
        The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
        The IP address is 128.163.128.6.

phil.utmb.edu                       John Perry
atlantis.utmb.edu                   David M. Stoner
        These sites can be reached through anonymous ftp.
        The Amiga anti-viral archives can be found in the directory /pub/virus-software/amiga.
        The IP address for phil is 129.109.9.22.
        The IP address for atlantis is 129.109.12.7.
        phil.utmb.edu runs gopher-server software which can be used to access the archives.

uk.ac.hensa.micros                  HENSA/micros Managers
        Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
        NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
        FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
        GOPHER:    address micros.hensa.ac.uk, port 70
        Software archive for UK higher education sector.
        Anti-Viral stuff is not collected into a distinct area.
        Hostname is in UK format.
        (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date:    Fri, 01 Jul 94 10:14:07 -1000
From:    Jim Wright
Subject: Apple II Anti-viral archive sites last changed 04 August 1993

Apple II Anti-viral archive sites last changed 04 August 1993

brownvm.bitnet                      Chris Chung
        Access is through LISTSERV, using SEND, TELL and MAIL commands.
        Files are stored as apple2-l xx-xxxxx where the x's are the file number.

uk.ac.hensa.micros                  HENSA/micros Managers
        Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
        NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
        FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
        GOPHER:    address micros.hensa.ac.uk, port 70
        Software archive for UK higher education sector.
        Anti-Viral stuff is not collected into a distinct area.
        Hostname is in UK format.
        (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date:    Fri, 01 Jul 94 10:14:38 -1000
From:    Jim Wright
Subject: Atari ST Anti-viral archive sites last changed 04 August 1993

Atari ST Anti-viral archive sites last changed 04 August 1993

atari.archive.umich.edu             Jeff Weiner
        Service via FTP and mail, FTP preferred.
        Login as "anonymous", password is your mail address.
        For instructions on the mail server, send the message help to
        "Index" contains complete listing with descriptions.
        "CompInd.Z" contains same list but is compressed.
        "ls-lR.Z" contains compressed ls -lR listing.
        All anti-viral material is contained in ~atari/utilities/virus
        The IP number for this site is 141.211.164.8, but may change.

twitterpater.Eng.Sun.COM            Steve Grimm
        Access to the archives is through mail server.
        For instructions on the archiver server, send help to

uk.ac.hensa.micros                  HENSA/micros Managers
        Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
        NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
        FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
        GOPHER:    address micros.hensa.ac.uk, port 70
        Software archive for UK higher education sector.
        Anti-Viral stuff is not collected into a distinct area.
        Hostname is in UK format.
        (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date:    Fri, 01 Jul 94 10:15:08 -1000
From:    Jim Wright
Subject: Anti-viral Documentation archive sites last changed 17 May 1994

Anti-viral Documentation archive sites last changed 17 May 1994

cert.org                            Kenneth R. van Wyk
        Access is available via anonymous ftp, IP number 192.88.209.5.
        This site maintains archives of all VIRUS-L digests, all CERT advisories, as well as a number of informational documents.
        VIRUS-L/comp.virus information is in:
            pub/virus-l/archives
            pub/virus-l/archives/predig
            pub/virus-l/archives/1988
            pub/virus-l/archives/1989
            pub/virus-l/archives/1990
            pub/virus-l/archives/1991
            pub/virus-l/archives/1992
            pub/virus-l/archives/1993
            pub/virus-l/docs
            pub/virus-l/docs/reviews
        CERT information is in:
            pub/cert_advisories
            pub/cert-tools_archive

corsa.ucr.edu                       Kevin Marcus
        Access is available via anonymous ftp, IP number 138.23.166.133.
        This site maintains archives of all VIRUS-L digests and a number of informational documents.
        VIRUS-L/comp.virus information is in:
            /pub/anti-virus-tools
            /pub/virus-l/{ 1988 - 1994 }
            /pub/virus-l/predig
            /pub/virus-l/index.appleyard
            /pub/virus-l/predig.digested
            /pub/virus-l/docs/misc
            /pub/virus-l/docs/reviews/{ amiga | atari | books | mac | pc }
            /pub/virus-l/docs/slade.cvp.articles
            /pub/virus-l/docs/vtc/tests
            /pub/virus-l/docs/vtc

csrc.ncsl.nist.gov                  John Wack
        This site is available via anonymous ftp, IP number 129.6.54.11.
        The archives contain all security bulletins issued thus far from incident response teams (CERT, CIAC, FIRST members). It also contains many security-related publications and resource information about viruses and other threats, as well as archives of VIRUS_Ls and RISK forums.
        The NIST computer security BBS is also accessible from this system by logging in to account 'bbs'.

ftp.informatik.uni-hamburg.de       Virus Test Center, Faculty for Informatics, University of Hamburg
                                    Vogt-Koelln-Str. 30, D22527 Hamburg, Germany
                                    Prof. Dr. Klaus Brunnstein, Vesselin Bontchev,
                                    Dr. Simone Fischer-Huebner, Wolf-Dieter Jahn
                                    brunnstein@rz.informatik.uni-hamburg.dbp.de
                                    bontchev@fbihh.informatik.uni-hamburg.de
        A large number of technical and accurate descriptions of viruses affecting Mac, MSDOS, Amiga, Atari, Unix, etc. systems.
        Look in the directory /pub/virus/texts.
        The IP address is 134.100.4.42.
uk.ac.hensa.micros                  HENSA/micros Managers
        Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
        NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
        FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
        GOPHER:    address micros.hensa.ac.uk, port 70
        Software archive for UK higher education sector.
        Anti-Viral stuff is not collected into a distinct area.
        Hostname is in UK format.
        (This site previously known as uk.ac.lancs.pdsoft.)

unma.unm.edu                        Dave Grisham
        This site has a collection of ethics documents.
        Included are legislation from several states and policies from many institutions.
        Access is through ftp, IP address 129.24.8.1.
        Look in the directory /ethics.

------------------------------

Date:    Fri, 01 Jul 94 10:15:39 -1000
From:    Jim Wright
Subject: IBMPC Anti-viral archive sites last changed 23 June 1994

IBMPC Anti-viral archive sites last changed 23 June 1994

phil.utmb.edu                       John Perry
atlantis.utmb.edu                   David M. Stoner
        These sites can be reached through anonymous ftp.
        The IBMPC anti-viral archives can be found in the directory /pub/virus-software/pc.
        The IP address for phil is 129.109.9.22.
        The IP address for atlantis is 129.109.12.7.
        phil.utmb.edu runs gopher-server software which can be used to access the archives.

ftp.cso.uiuc.edu                    Mark Zinzow
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives are in /pc/virus.
        The IP address is 128.174.5.61.

ftp.funet.fi                        Tapio Keihanen
        This site (in Finland) can be reached through anonymous ftp.
        The IBMPC anti-viral archives mirrored from SimTel are in directory /pub/msdos/SimTel/virus.
        Other IBMPC anti-viral archives are in directory /pub/msdos/utilities/virus.
        The IP address is 128.214.6.100.

ftp.informatik.uni-rostock.de       Virus Test Center
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives can be found in /pub/antivirus.
        The IP address is 139.30.5.23.

ftp.technion.ac.il                  Al Hartshorn
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives can be found in the directories /pub/unsupported/dos/simtel/virus and /pub/supported/McAfee.
        No uploads are permitted at this time.
        The IP address is 132.68.1.10.

ftp.twi.tudelft.nl                  Piet de Bondt
        This site can be reached through anonymous ftp.
        The IBM-PC anti-viral archives are in /pub/msdos/virus and contain subdirs for TBAV (directly from authors), McAfee (mirror) and others (F-Prot, Integrity Master, VSumX, ...)
        WWW (World wide web): telnet www.twi.tudelft.nl
        The IP address is 130.161.156.11

garbo.uwasa.fi                      Harri Valkama
        This site can be reached through anonymous ftp and mail server.
        The IBMPC anti-viral archives can be found in pc/virus.
        For information on the mail server, send a message to mailserv@garbo.uwasa.fi with the subject line
            garbo-request
        and the body of the message
            send help
        The IP address is 128.214.87.1.

hemkosys.com                        ADMIN: Patrick Rada, Peter Mahr, Michael Sullivan
                                           via Internet at
                                           or via Netware MHS at
                                    LIB:   Internet
                                           Netware MHS
        This site is directly accessible from Netware MHS email.
        Access is through a mail-server.
        For a list of available items, send a message to the LIB address with the word INDEX in the subject line.

risc.ua.edu                         James Ford
        This site can be reached through anonymous ftp, Gopher and WWW (URL gopher://risc.ua.edu)
        The IBM-PC anti-virals can be found in pub/ibm-antivirus.
        Mirrors of other sites can be found in /pub/ibm-antivirus/Mirrors.
        Mirrored sites include: complex.is (F-Prot), ftp.mcAfee.com (Scan/Clean) and Cert.org (Virus-L archives and documents).
        Uploads to pub/00uploads. Uploads are screened.
        The IP address is 130.160.4.7.
SimTel                              Keith Petersen
        For security reasons the SimTel Software Repository is located on a host that is not accessible by Internet users, however its files are available by anonymous ftp from the primary mirror site OAK.Oakland.Edu (141.210.10.117), and secondary mirror sites wuarchive.wustl.edu (128.252.135.4), archive.orst.edu (128.193.2.13), ftp.uu.net (192.48.96.9), ftp.funet.fi (128.214.6.100), src.doc.ic.ac.uk (146.169.2.1), ftp.switch.ch (130.59.1.40), archie.au (139.130.4.6), NCTUCCCA.edu.tw (140.111.1.10), ftp.technion.ac.il (132.68.1.10), by Gopher from Gopher.Oakland.Edu, or by e-mail through the BITNET/EARN file servers.
        The anti-viral archives are in /pub/msdos/virus on OAK; other sites may vary.

uk.ac.hensa.micros                  HENSA/micros Managers
        Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
        NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
        FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
        GOPHER:    address micros.hensa.ac.uk, port 70
        Software archive for UK higher education sector.
        Anti-Viral stuff is not collected into a distinct area.
        Hostname is in UK format.
        (This site previously known as uk.ac.lancs.pdsoft.)

urvax.urich.edu                     Claude Bersano-Hayes
        This site can be reached through anonymous ftp.
        The IBM-PC anti-virals can be found in [MSDOS.ANTIVIRUS].
        The IP address is 141.166.36.6.

------------------------------

Date:    Fri, 01 Jul 94 10:16:09 -1000
From:    Jim Wright
Subject: Macintosh Anti-viral archive sites last changed 10 May 1994

Macintosh Anti-viral archive sites last changed 10 May 1994

dftnic.gsfc.nasa.gov                Brian Lev
        This site offers the "MacDefender" package (formerly "MacSecure"), made up of John Norstad's Disinfectant and Brian Lev's "MacHelper" Hypercard stack.
        Floppy disk:
            NASA Automated Systems Incident Response Capability
            c/o Hughes STX Corp.
            7701 Greenbelt Road, Suite 400
            Greenbelt, MD 20770
            (Attn: Brian Lev)
        DECnet Copy from DFTNIC::DISK$MOE:[ANONYMOUS.FILES.SOFTWARE.MAC]
            BinHex (ASCII) format as MACDEFENDER.HQX
            binary format as MACDEFENDER.HQX
        Anonymous FTP from DFTNIC.GSFC.NASA.GOV (128.183.10.3)
            BinHex (ASCII) format as [.FILES.MAC]MACDEFENDER.HQX
            binary format as [.FILES.MAC]MACDEFENDER.HQX

ftp.technion.ac.il                  Al Hartshorn
        This site can be reached through anonymous ftp.
        The Macintosh anti-viral archives can be found in the directory /pub/unsupported/mac/info-mac/virus.
        No uploads are permitted at this time.
        The IP address is 132.68.1.10.

ifi.ethz.ch                         Danny Schwendener
        Interactive access through DECnet (SPAN/HEPnet):
            $SET HOST 57434  or  $SET HOST AEOLUS
            Username: MAC
        Interactive access through X.25 (022847911065) or Modem 2400 bps (+41-1-251-6271):
            # CALL B050
            Username: MAC
        Files may also be copied via DECnet (SPAN/HEPnet) from 57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

phil.utmb.edu                       John Perry
atlantis.utmb.edu                   David M. Stoner
        These sites can be reached through anonymous ftp.
        The Macintosh anti-viral archives can be found in the directory /pub/virus-software/macintosh.
        The IP address for phil is 129.109.9.22.
        The IP address for atlantis is 129.109.12.7.
        phil.utmb.edu runs gopher-server software which can be used to access the archives.

rascal.ics.utexas.edu               Macintosh Archivist
        Access is through anonymous ftp, IP number is 128.83.138.20.
        Archives can be found in the directory mac/virus.

src.doc.ic.ac.uk                    wizards@doc.ic.ac.uk
        Automatically maintained mirror copy of the sumex archive.
        Gopher access from src.doc.ic.ac.uk.
        Anonymous FTP from src.doc.ic.ac.uk (146.169.2.10)
            cd packages/info-mac/virus
        Janet NIFTP (for UK users)
            Host: uk.ac.ic.doc.src
            User: guest
            Pass: your email address
            Path: packages/info-mac/virus
        ISO FTAM
            Janet Addr:    000005102000
            IXI Addr:      204334504108
            Internet Addr: 146.169.2.1 [not ...10!]
            User: anon
            Path: packages/info-mac/virus
        Interactive
            Janet:    pad uk.ac.ic.doc.src (00000510200001)
            Internet: telnet src.doc.ic.ac.uk [146.169.2.10], User: sources
            ISO VT (see FTAM for addresses), User: sources

sumex-aim.stanford.edu              Bill Lipa
        Access is through anonymous ftp, IP number is 36.44.0.6.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .
        There are a number of sites which maintain shadow archives of the info-mac archives at sumex:
            * MACSERV@PUCC services the Bitnet community
            * LISTSERV@RICEVM1 for e-mail users (Bitnet)
            * listserv@ricevm1.rice.edu for e-mail users (Internet)
            * FILESERV@IRLEARN for folks in Europe

uk.ac.hensa.micros                  HENSA/micros Managers
        Terminals: host uk.ac.hensa.micros, user "hensa", password "hensa"
        NIFTP:     host uk.ac.hensa.micros, user "hensa", password "hensa"
        FTP:       host micros.hensa.ac.uk, user "hensa", password "hensa"
        GOPHER:    address micros.hensa.ac.uk, port 70
        Software archive for UK higher education sector.
        Anti-Viral stuff is not collected into a distinct area.
        Hostname is in UK format.
        (This site previously known as uk.ac.lancs.pdsoft.)

------------------------------

Date:    Fri, 01 Jul 94 10:16:40 -1000
From:    Jim Wright
Subject: Unix security archive sites last changed 18 July 1993

Unix security archive sites last changed 18 July 1993

cert.org                            Ed DeHart
        Accessible through anonymous ftp, IP number 192.88.209.5
        A number of directories can be found in ~ftp/pub/tools.

funic.funet.fi                      Jyrki Kuoppala
        Accessible through anonymous ftp, IP number 128.214.6.100.
        Directory pub/unix/security contains programs to help in security, pub/doc/security contains various documents about security in general and unix security (like the worm documents)

wuarchive.wustl.edu                 Chris Myers
        Accessible through anonymous ftp, IP number 128.252.135.4.
        A number of directories can be found in ~ftp/usenet/comp.virus/*.
------------------------------

End of VIRUS-L Digest [Volume 7 Issue 49]
*****************************************

Date:     Tue, 5 Jul 1994 11:14:38 EDT
From:     VIRUS-L Moderator
To:       Multiple recipients of list
Subject:  VIRUS-L Digest V7 #50

VIRUS-L Digest   Tuesday, 5 Jul 1994   Volume 7 : Issue 50

Today's Topics:

    Philosophy - good vs bad viruses
    Re: Benign viruses
    Integrity Checking
    Good versus Bad viruses.
    Fred Cohen and computer viruses
    Re: _Fred Cohen and computer viruses
    Re: Good vs Bad
    OS/2 Viruses? Are there a (OS/2)
    Re: What is name of Newest F-Prot? (PC)
    Re: What is name of Newest F-Prot? (PC)
    Re: Thunderbyte Antivirus (PC)
    Re: ** Date recovery afte (PC)
    MtE Virus info wanted (PC)
    WinRX (PC)
    Thunderbyte Antivirus (PC)
    ** Date recovery after Mi (PC)
    To all who replied about "where is F-PROT?"... (PC)
    NAV 2.0 gives false "Maltese Amoeba" alarm (PC)
    Re: What is name of Newest F-Prot? (PC)
    Norman Virus Control (PC)
    Re: "New" Virus found? (PC)
    Re: FLIP and CANSU (V-SIGN) viruses (PC)
    Re: FORM and Spanish TELECOM (PC)
    Re: Monkey Virus (PC)
    Re: ANSI bomb (PC)
    Re: _Stone virus... (PC)
    Athens virus: info needed (PC)
    Possible virus? (PC)
    Re: Jack The Ripper (PC)
    Re: Safe ANSI driver - where ? (PC)
    Re: Telecom Virus (PC)
    New Anti-Virus/Security Product (PC)
    CRC values (PC)

----------------------------------------------------------------------

Date:    Sat, 25 Jun 94 13:01:48 -0400
From:    "Fredrick B. Cohen"
Subject: Philosophy - good vs bad viruses

"Brian H. Seborg" writes:

> Yes it's time again to fire another salvo over the bow of the good
> ship Malarkey! I challenged Fred Cohen to provide us with
> documentation on "good viruses" and he referred us to his book (this
> from someone who had just maligned anti-virus software authors as
> stoking the flames of public fear just to make a buck! By the way,
> Fred has his own anti-virus package on the market, but I would never
> suggest that he was trying to get people to write "good" viruses so
> there would be a greater need for his package! :-)).

Several inaccuracies here.
1 - I do not have an antivirus package on the market - it was licensed long ago to a Danish firm - SR

2 - There is a big difference between making a buck by scaring people needlessly and paying for the costs of doing research by publishing results through a reputable publisher. You seem to have no objection to paying for many less reputable researchers via your tax dollars.

> As Ross
> Greenberg so aptly pointed out, I'm sure Fred could enlighten us in a
> paragraph so we wouldn't have to wait to buy his book for an answer!

As Vesselin Bontchev so aptly pointed out, it often takes more than a paragraph to understand the issues of how life works. You don't have to wait to buy my book, it has been out for some time. I will, however, try to help enlighten you by responding to your questions in a form that will encourage you to take the time and effort to get the whole story by reading my books.

> Also, Fred seems to be making a claim that if a virus asks your
> permission to spread that it is okay! This is idiotic! First,
> consider this, for the virus to ask your permission to spread, it has
> to be running on your PC without your permission! Vesselin, I can't
> believe that you bought off on this lame distinction! :-)

I don't think I ever said that, and I do not think it is idiotic. Naturally, people who are context bound such as you seem to be may not see some of the other ways that permission can work. I hope you will decide to read my book to learn about different ways of thinking about the issue.

> Another point, Fred, have you ever heard of version control? How
> about change control? How would you affect these via a virus?

Yes indeed, I have. In fact, if you would have read my books on the subject, you would probably find that I know quite a bit about these issues and have investigated them in some depth. Unfortunately, I cannot detail all of the issues of change control in such a small space, but if you read my books, you will hopefully come to understand just how these issues can be addressed and how most current change control systems miss the mark.

> Here's
> a scenario, I send out a "good" virus (Ha, ha, ha, sorry, I can't keep
> myself from laughing!) throughout my corporation.

It must be very enjoyable to laugh while slandering ideas you have not yet taken the time to investigate, but I think that you would make a much better case and sway more people to your point of view if you would think more and abuse less.

> This is the
> infamous compression virus (hee, hee, sorry!) that will compress any
> executable file it encounters. First, though, to be a "good" virus it
> asks permission to infect the system ("Hi, I am Fred Cohen's
> compression virus, I am very nice and will help you save disk space,
> is it okay for me to infect your computer?").

I did not write the infamous compression virus, I wrote some of the famous ones that preceded some of the commercial products that are widely used to reduce disk usage and increase performance. My viruses do not get their authorization to spread in such a way. If you would take the time to read my works, you would probably already know that, but people who laugh at new ideas without bothering to investigate them often encounter this problem.

> Of course unless every
> user in the corporation is computer literate they will probably reboot
> the computer at this point, but, humor me and I'll continue.

I don't understand why computer challenged people would reboot their computers if this message appeared or what that has to do with the issue of benevolent viruses.

> Assuming
> the user allows the virus to infect (will it ask this same question
> every time it attempts to infect another file?

Perhaps I am giving you too much credit, but I bet that if you spend some time thinking before typing, you could come up with a better way.

> Man, would this be
> boring or what?) it will then ask, "Hey, this file is not compressed,
> would you like me to compress it?" (would it ask this every time it
> encountered a non-compressed executable, or would it be able to flip a
> bit to store the fact that the question had already been asked and
> answered in the negative? What if the next time I DID want it to
> compress the file? Would the virus just neglect to ask me so that I
> would not get any benefit from it?). Also, I can see the user saying,
> "Damn, how do I turn this stupid thing off!" after about the 10th time
> the virus asks permission to do something!

I have a similar problem with lots of poorly designed programs that ask stupid questions and don't adapt well to me, but that has nothing to do with being a virus, only with the limits of the program's ergonomics. Perhaps if you took some time to look into this subject, you could contribute to writing better programs.

>
> One more issue, how will you make sure the virus gets control in
> memory? Will it infect command.com or one of the system areas so that
> it makes sure to get control every-time? If this is the case, then
> how many different "good" viruses can use this same paradigm before
> you run out of space in command.com (I guess we could change it to
> command.exe and then load it up with different special purpose viruses
> and make it an even greater lumbering behemoth than it is now!)

Actually, you should read my books and find out about other ways viruses can work. There isn't enough room here to detail all of them.

>
> Now, let's say you want to upgrade this virus. How are you going to
> enforce version control? In other words, you have a faster, better
> compression algorithm, and you update the virus and now you want to
> make sure it is in place throughout the corporation, how do you affect
> this change? How do you even know the first version even made it to
> all PCs? One more thing, not all PCs are network connected, how do
> you get the virus and the upgrades to the laptops (this is a tough
> enough issue for legitimate software)?

You know, you are starting to make me feel as if I am very smart because solving these problems wasn't that hard for me to do. But maybe it's you that are not thinking hard enough. Try this. For each question you have written, think until you find a good way to solve the problem. This will probably take a few years if you continue to ask questions. Then, write down all of the issues and the ways to resolve them, and publish them in a book. Then listen to people like you claim that you are an idiot. I will, of course, help defend you.

>
> Finally, how do you ensure that the virus does not leave your
> corporate environment for parts unknown? (other people's PCs?) Even
> if you had a method of doing this, how much would it cost and how big
> would the virus be at this point? What if it did get out? It would
> seem that you'd be legally liable for any damage it did, or trespass
> at the least. But, I digress... Suffice it to say that the concept
> of a "good" virus all sounds good theoretically, but when you give it
> a "reality-check" the notion of "good" viruses beyond the confines of
> a laboratory environment shows itself to be the ludicrous idea it is.
> Maybe I've been spending too much time in the real world! :-) I guess
> I'll just have to buy Fred's book! :-)

From your electronic mailing address, I had guessed you worked for the FDIC, an agency of the US government. Most people would not consider that the "real world".
But as a reality check, I have been working most of my time for a wide variety of corporations of all sizes, government agencies, and community organizations for most of the last ten years. There have been benevolent viruses operating in commercial applications since 1985, and none of them have ever caused any of the problems you claim to be unaviodable. I guess you will just have to buy a copy of my books! > > "..castles made of sand slip into the sea eventually..." > > -Jimi Hendrix Here here! UCC DASD Administration writes under an anonymous ID (no human name on this account) > ... > I think this illustrates quite nicely the whole problem with beneficial > viruses. That being the lack of a trusted path. When I buy a software > package, or down load a shareware program, or buy a Rolex watch from the > trenchcoat of a gentlemen on the streets of Manhattan, I am depending on a > certain avenue through which this product came. How reliable is that > path? It's one thing to talk about self replicating code in the ivory > confines of a researcher's tower. And I don't doubt the veracity of those > claims. But once you pass those doors and come out into the gene pool, > you loose that element of verifiability. An unknown program running on my > computer is suspect, even if it says, Hi! I'm from the Government/Virus > Research Department/Mensa club, and I'm here to help you..... As the > saying goes, How do you know where it's been? A very interesting and valid point to be addressed. And it has been addressed in my books. But without even referring to them, I don't understand what the issue of a trusted path has to do with viruses and does not apply to anyothr program. Obviously, if you purchase a benevolent virus from a guy in a trench coad who is selling fake Rolex watches, or if you take a gift virus from the NSA, you are asking for trouble. But the same is true regardless of whther it is a virus or any other software. 
> > If some people came to your house and said, You just go away for a few days. > We're going to clean your house for you, fix the roof and install a Jacuzzi > in the master bedroom. Trust us. We're Nice People. Maybe they're telling > the truth. But if they have no credentials, references or licenses, how > would you know? Would you hand over the keys to your house? But of course, in the computing environment, we do this far too much. We commonly allow programs to operate for millions of instructions without chceking on them. This mail is being sent through hundreds of computers over which we have no control, and yet we choose to trust them. I agree strongly that we need better integrity controls for all information technology, but again, I don't understand what this has to do with viruses as opposed to all software. > > I don't think the most important question is whether beneficial viruses > exist. But how could you tell if you had the real thing? > Here here! We need to only buy computer viruses from legitimate sources. I agree that the same standards should be applied to the purchase of benevolent viruses as any other program. FC ------------------------------ Date: Sat, 25 Jun 94 21:45:39 -0400 From: Matthew Johnson Subject: Re: Benign viruses A. Padgett Peterson, P.E. Information Se writes: >Still have yet to see a virus that does not screw something up (am willing >to entertain the concept, just have not seen any in practice). Have not even >had to leave home to find something that every virus I have seen screws up. I have found one that doesn't--KOH. It reproduces at your command, encrypts your HD with a password you give it, if you want, and it has NO bugs.. so far.. _EL_ ------------------------------ Date: Sun, 26 Jun 94 07:36:23 -0400 From: bill.lambdin@pcohio.com (Bill Lambdin) Subject: Integrity Checking >From %f To ALL on 06-21-94 %f [I saw a post a few days ago about the best and worst antivirus %f [programs... 
I noticed that Vesselin stated that TBAV's integrity %f [checker was "mediocre." I was just wondering why he said that, and %f [what makes for a good CRC checker... I know a lot about viruses, but %f [my knowledge of CRC calculation techniquesw is pretty limited... Myself. I prefer an integrity checker that has an option that saves the integrity datafiles to diskette. so I can boot clean once or twice a week from diskette, and perform a full integrity check. The integrity data files stored on the hard drive are open to attack by viruses. Bill Lambdin - ------------------------+----------------------------- Internet | PGP key available on request | Virus Research bill.lambdin@pcohio.com | blambdin@aol.com | 08:48 06/25/94 - --- * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY ------------------------------ Date: Mon, 27 Jun 94 14:29:25 -0400 From: bmonette@porpoise.oise.on.ca (Bernie Monette) Subject: Good versus Bad viruses. I have watched, read rather, the back and forth debate about good or bad viruses and I heartily approve of the discourse. It is important to come to a philosophical understanding of what these beasts are and what we are to do with them. As computers become more and more a part of daily living, even more so than now, the risk of and the benefit from this sort of programming code becomes significant. We can write code that acts as a virus and does what we want it to do either for good or ill. We need the discussion to ask ourselves what should be done with this knowledge. How are we to protect ourselves and how can we use this stuff to make computing better. If we cannot do it then who can? Cheers, Bernie Monette ------------------------------ Date: Mon, 27 Jun 94 14:37:33 -0400 From: rreymond@VNET.IBM.COM Subject: Fred Cohen and computer viruses Hi folks, Suzana wrote: > ... . According to these features there are four types of >viruses: "benign", "Epeian", "disseminating" and "malicious". Hmmm... I found that very interesting. 
Could you please give more details on ?

.............................................Bye!
..................................................Roberto

- -----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond                 IBM PSP - C.E.R.T. Semea
Circonvall. Idroscalo           RREYMOND@VNET.IBM.COM
20090 Segrate (MI)              ITIBM99K@IBMMAIL.COM
RREYMOND AT VNET MI SEG 526     Italy
.........Phone +39.2.596.25244  Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Mon, 27 Jun 94 06:27:25 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re: _Fred Cohen and computer viruses

Hi !

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

> > To quote Fred Cohen: "It takes one to know one." I can admit that is not so
> > easy to obtain Dr Cohen's published articles and books (especially not in my
> > part of the world), but it is not impossible either.

Are there electronic variants of Dr Cohen's articles and books?

> (look at, for example, Vesselin Bontchev's definition of virus in
> electronic magazine "Alive" No 0).

Can I know this definition and Dr Cohen's definition of virus?

> Performing experiments is a completely different thing. I also have
> about 4,300 viruses on my machine, but wouldn't like to run even a
> single one while I am using the machine for normal work. So, let me
> ask again - would you want a virus running on the computer you are
> using every day for work unrelated to virus experiments?

Under no circumstances!

Regards.
- --
OK

------------------------------

Date: Tue, 28 Jun 94 04:04:13 -0400
From: adamj@highett.mel.dbce.csiro.au (Adam Jenkins)
Subject: Re: Good vs Bad

Vesselin Bontchev writes:

>First, the term was initially coined by Dr. Alan Solomon from the UK,
>who happens to speak British English. Second, I've heard that the
>American and the Australian dialects sometimes differ so much from it,
>that the respective people sometimes do not understand each other -
>maybe this is your case. Third, my English is certainly better than
>your Bulgarian. Fourth, I was speaking as an authority on computer
>viruses and not as an authority on the English language. Enough?

Um, yeah, but one small thing to point out: I'm not trying to tell other people what to call things.

>Those views certainly aren't an accident - they reflect the real losses
>of time, efforts and money that the real people have suffered from real
>viruses. The claim that such a view is in the interests of the
>anti-virus industry is certainly interesting - maybe you can supply some
>evidence to back it up?

I wouldn't have thought evidence was needed, just a bit of thought. Just like people who sell locks aren't going to sell many locks telling about how school lockers are being broken into and some kids' books being pinched, why would people buy products to kill programs they know very little about if they knew that a large percentage of these viruses are relatively harmless?

>Oh! Is it? "Ill founded fears"? Do you know how often I am getting
>calls to help about a virus-related problem? About 2-3 times per day.
>And I am even not working on a virus help line. All this is without
>counting the countless times I have answered virus-related questions
>here and have helped people to recover from a virus attack. I guess,
>all those are "ill founded fears"... I wish that there were a way to
>gather all the loudmouths like you and to force them to do our job -
>maybe then you will finally learn how "profitable" our profession is,
>and how "ill founded" those fears are... Wishful thinking... Loudmouths
>never do real work, by definition.

Um, your choosing to help people with virus-related problems is your choice, I thought, and it's a good thing. But don't call me a loudmouth; count how many posts I've made and how many you've made before calling me that, please. And yes, I've had PCs infected by viruses, and yes, I've helped people fix infected disks/machines.

>Except that it doesn't sell that well.

No, funny that.

>system bugs they have snatched from a fellow cracker works, let alone
>how to fix them. Lots of loss of perspective, as it seems...

You're generalising; there are many pursuits in which people are lousy and yet still call themselves the common name for that pursuit.

>I suggest that the next time somebody breaks into your house, you tell
>the police to arrest you, because it's your fault that you have not put
>a better lock on the door.

Um, no, but I would expect a criminal who broke into my house when I left my door unlocked or open to get less time than if he had actually had to pick the lock or force the door.

>You think it would be much better to confuse them by telling them that
>computer viruses can be beneficial, without explaining them that you
>mean something completely different under the term "virus"?

No, it will be a long time, I would hazard to guess, before someone will devise a beneficial computer virus; KOH seems like a good beginning though. I am just sick of hearing how evil and widespread viruses are.

>Is there? Evidence, please. My own statistics show that the most
>widespread viruses have been distributed in some perfectly legal way.

The problem with gathering statistics like this is that for some strange reason people who pirate software don't like to advertise that fact. And I would guess that the majority of people who find their computer has a virus would get a copy of an antivirus package and use that to kill it, not always call you; especially not if they suspect they got the virus in a pirated game or application.

>It's certainly a better scientific reference. And just as certainly
>most people will prefer to read the morning newspaper instead.

Count me as one who wouldn't, but I guess I must just be strange, huh? Murders and wars just seem to depress me; the real problems of today, not some bit of code that attaches itself to my files and prints a funny message.

>But people do believe all the nonsense that is in the newspapers - at
>least most of them do so. Welcome to the real world.

Welcome to commercial anti-virus land.

>Oh, yes, the "virus researchers". Who are they? I don't know any
>self-respecting scientific researcher, besides Dr. Cohen, who claims
>that computer viruses can be beneficial.

They are those who are interested in viruses that agree with you, it appears. The others must just be plain evil.

Regards,
Adam

------------------------------

Date: Sun, 26 Jun 94 07:39:23 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: OS/2 Viruses? Are there a (OS/2)

>From AMIR77@TAUNIVM.TAU.AC.IL To ALL on 06-21-94

A [I'd like to know if there are any OS/2 viruses?

I know of one OS/2 virus. It was published in an issue of 40HEX. This virus is a stupid non-resident direct infector. I sent this virus to many of the A-V developers, so virtually all scanners should detect this virus easily.

I have heard that there is another (resident) OS/2 infector, but I haven't seen this virus, and it may not exist.

------------------------------

Date: Sat, 25 Jun 94 02:49:20 -0400
From: tracker@netcom.com (Craig)
Subject: Re: What is name of Newest F-Prot? (PC)

Rick Niess (rniess@whale.st.usm.edu) wrote:
: Hi All,
: Ok, for weeks now my copy of VIRSTOP has been screaming about being
: outdated, but after several uneventful archies as well as several
: questionings of friends, I have been unable to locate the latest version
: of the F-PROT package. Could someone PLEASE clue me in as to where to get
: it from (FTP site, would be nice)? Thanx...
: ~ Rick Niess ~

FTP site: oak.oakland.edu
cd /pub/msdos/virus
fp-212c.zip    File you want; it's v2.12c of F-Prot

------------------------------

Date: Sat, 25 Jun 94 06:41:39 -0400
From: ag311@cleveland.Freenet.Edu (Carol Conti-Entin)
Subject: Re: What is name of Newest F-Prot? (PC)

> Ok, for weeks now my copy of VIRSTOP has been screaming about being
>outdated, but after several uneventful archies as well as several
>questionings of friends, I have been unable to locate the latest version
>of the F-PROT package. Could someone PLEASE clue me in as to where to get
>it from (FTP site, would be nice)? Thanx...

Since I can't FTP, I get it directly from the source via e-mail sent to f-prot@complex.is with the message

send-to:

There's also a send-as: command line, with the default being uue

- --
Carol Conti-Entin
Internet: ag311@cleveland.freenet.edu
N.E. Ohio, USA

------------------------------

Date: Sat, 25 Jun 94 11:52:42 -0400
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Thunderbyte Antivirus (PC)

ML> No doubt, Thunderbyte is better than all others I know.

It is the fastest, and it probably detects more than anything else. It does give off a lot of false alarms, though. Where I work we use F-Prot. F-Prot is just as effective at detecting any of the common viruses, it is better at cleaning them, and costs a *LOT* less. If we used ThunderByte we would be constantly dealing with false alarm calls. We just faxed Frisk off a renewal for 700? sites. I do wish F-Prot would add a small thing for immunizing drives like TBUTIL -im, though.

Joe Norton (tech at Michigan Education Data Network Association)

------------------------------

Date: Sun, 26 Jun 94 07:34:55 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Re: ** Date recovery afte (PC)

>From FRISK@COMPLEX.IS To ALL on 06-21-94

F [The fastest method to recover would probably be to re-partition the d
F [re-format and restore yesterday's backup. However, as the users who

Agreed. A recent backup should always be considered as the first line of defence in any disaster recovery plan.

Bill Lambdin

- ------------------------+-----------------------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 10:10 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Sun, 26 Jun 94 07:44:00 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: MtE Virus info wanted (PC)

>From U12585@UICVM.UIC.EDU To ALL on 06-21-94

U [I would appreciate information on "MtE" which I "found" on my
U [machine with Norton Antivirus 2.1. THis was NOT indicated by

From your description, you may have a false alarm. I would recommend for you to try one of the following scanners, because they detect MtE reliably:

Dr. Solomon's Anti-Virus Toolkit (commercial)
F-Prot               FP-212C.ZIP
Integrity Master     I_M222.ZIP
McAfee's Scan        SCN-116.ZIP SCN202.ZIP

These and many others can detect MtE reliably.

Bill Lambdin

- ------------------------+-----------------------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 09:47 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Sun, 26 Jun 94 07:40:55 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: WinRX (PC)

>From S1083509@CEDARVILLE.EDU To ALL on 06-21-94

S [Does anyone have any information on how good WinRX, I believe the nam
S [is at detecting and cleaning virus's.

I tested Win-Rx about a year ago, and was not very impressed. I would suggest for you to switch to McAfee's Scan for Windows, because WinScan will detect more viruses.

------------------------------

Date: Sun, 26 Jun 94 07:45:26 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Thunderbyte Antivirus (PC)

>From IIGGII@MIXCOM.MIXCOM.COM To ALL on 06-21-94

I [Has anyone heard of/used thunderbyte antivirus? How does it compare
I [(reliability, speed, etc) to some of the others - McAfee, SP, Norton,
I [etc?

TBAV offers a scanner, and generic routines that will detect viruses that TBscan and other scanners will miss. From my tests, TBAV's scanner is of equal quality to F-prot. I recommend the scanner, and the generic routines.

Bill Lambdin

- ------------------------+-----------------------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 10:00 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Sun, 26 Jun 94 07:42:23 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: ** Date recovery after Mi (PC)

>From IOLO@MIST.DEMON.CO.UK To ALL on 06-21-94

I [If the virus has triggered, the first 17 sectors on the first 4 heads
I [the first 256 cylinders will have been overwritten with garbage and a
I [gone for good. This may not be the whole of the disk. Something may
I [recoverable, especially if a large disk has been partitioned into
I [several volumes. However, the recovery will require skill; there is

To recover these extended partitions, you will have to reconstruct the partition table information.

Bill Lambdin

- ------------------------+-----------------------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 09:50 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Mon, 27 Jun 94 14:24:39 -0400
From: rniess@whale.st.usm.edu (Rick Niess)
Subject: To all who replied about "where is F-PROT?"... (PC)

Hi All

To all who replied to my request for f-prot's location, a heart-filled thanx goes out to you. So far I've gotten 43 replies from that same post. They all said pretty much the same thing, that I could find it at oak.oakland.edu. But there was one that was different. Here it is:

RN> Nice to see, someone is using F-Prot. You can get newest versions, as
RN> soon, as they're released by frisk from his own ftp - complex.is (yes,
RN> sooo long name!), in the directory /pub. The last version available here
RN> is, I believe, F-Prot 2.12c (file fp-212c.zip) since 16th June.
RN>
RN> This is the fastest method to obtain shareware F-Prot version, as the
RN> other ftp's are having delays of 3-4 days after frisk puts F-Prot on
RN> complex.is - so check it regularly... (new versions are released
RN> bimonthly, but.....). Note that I can't find F-Prot on complex.is using
RN> archie (archie.luth.se in Sweden) - so check it every 3-4 weeks.
RN>
RN> On the other hand you can try to download it using e-mail, but it will
RN> be cut in 15 pieces (hahaha!!!).

Just thought y'all'd like to know...

~ Rick Niess ~

------------------------------

Date: Mon, 27 Jun 94 05:19:24 +0400
From: Oleg Nickolaevitch Kazatski
Subject: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)

Hi, all !

NAV 2.0 indicates that my machine running MS DOS 5.0 has the "Maltese Amoeba" virus in two files, but I can not find any viruses in these files. I suspect this is a false alarm.

- --
OK

[Moderator's note: I believe that this is indeed a false alarm, and was documented as such some time back.]

------------------------------

Date: Mon, 27 Jun 94 14:47:43 -0400
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: What is name of Newest F-Prot? (PC)

Rick Niess wrote:
>Hi All,
>
> Ok, for weeks now my copy of VIRSTOP has been screaming about being
>outdated, but after several uneventful archies as well as several
>questionings of friends, I have been unable to locate the latest version
>of the F-PROT package. Could someone PLEASE clue me in as to where to get
>it from (FTP site, would be nice)? Thanx...

Hi Rick (and others),

Please read the files Jim Wright so very nicely put together! It contains references to all known sites that carry anti-virus software and/or texts. For you, try oak.oakland.edu, wuarchive.wustl.edu, or ftp.twi.tudelft.nl (or Frisk's own site, but I don't think the link to Island is very fast, so I won't burden his site with requests ...)

Piet de Bondt.
bondt@dutiws.twi.tudelft.nl or piet@kgs.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Mon, 27 Jun 94 14:53:27 -0400
From: "Guffey, Steven W."
Subject: Norman Virus Control (PC)

Hello list members,

I just recently received an evaluation copy of the Norman Virus Control for Workstations. The package consisted of their anti-viral software called Norman Armour and their informational database called V-base. The anti-viral software has DOS and Windows components. The database is chock full of hypertext and seems to be pretty comprehensive.

My questions are:

Has anyone used/evaluated this product? If so, what did you think of it?
They claim to be able to detect 99%+ viruses. Has anyone been able to test this claim?
Is the virus database (V-base) accurate? (Or at least more accurate than VSUM)

Any input would be greatly appreciated. I've included the company information below for anybody who is interested.

Norman Data Defense Systems Inc.
3028 Javier Road
Suite 201
Fairfax, VA 22031
Voice: 703-573-8802
FAX: 703-573-3919

Steve G.
===============================================================================
"...Speaking words of wisdom...Let it be..." -Paul McCartney
- -------------------------------------------------------------------------------
Vulcan - "Live long and prosper."
Ferengi - "I knew there was a reason I liked you."
===============================================================================

------------------------------

Date: Mon, 27 Jun 94 15:37:22 -0400
From: nelsoncb+@pitt.edu (Corbett B Nelson)
Subject: Re: "New" Virus found? (PC)

Keith Gordon Bullington (bullingt@sfu.ca) wrote:
: Contains the text strings: "Dr. White - Sweden 1994.3" and
: "Junkie Virus - written in
: (B.T.W. VPCScan flagged it as a "PS_MPC-23" infection, if that means
: anything to you...)

PS-MPC is a virus creation package that allows for encryption of virii. However, it does require the user to supply their own activation code...

- --
- --------------------------------------------------------------------------
nelsoncb+@pitt.edu
Finger me for my pgp public key...

------------------------------

Date: Mon, 27 Jun 94 15:41:54 -0400
From: Henrik Stroem
Subject: Re: FLIP and CANSU (V-SIGN) viruses (PC)

Iolo Davidson writes Friday, June 24th 1994;

> The virus was written before DOS4 came along with the extended boot record.
> If this were a "beneficial" virus, how would the author withdraw the
> old version that truncates disks when he updates it to the new,
> improved version?

With proper version checking it would not truncate the disk, but refuse to infect DOS 4 and greater, or simply choose another disk-reservation technique for unknown DOS versions. New versions of the virus would handle new versions of DOS. Just another example which indicates that most virus-writers are no good as computer programmers.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 27 Jun 94 15:39:59 -0400
From: Henrik Stroem
Subject: Re: FORM and Spanish TELECOM (PC)

Vesselin Bontchev writes Friday, June 24th 1994;

> Form from a OS/2 system that has BootManager installed and is using
> HPFS volumes is a *very* tedious procedure.

If using the BootManager, Form will infect the BootManager partition. Removal consists of booting OS/2, running FDISK, removing BootManager from the partition table, then creating it again (without exiting), then adding bootable entries. Tedious; yes. Very; no. Of course you could use an antiviral to do a Form-specific disinfection, since the original sector is stored at the end of the BM-partition (which only contains code on the first 30-40 sectors).

Removing Form from an HPFS partition is what I would call *very* tedious. This can become necessary if you DON'T have BootManager when Form comes along. A specific Form disinfection might work here too, but I don't remember for sure.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 27 Jun 94 18:09:26 -0400
From: Henrik Stroem
Subject: Re: Monkey Virus (PC)

kenney@netcom.com (Kevin Kenney) writes June 24th;

> Monkey and int10 are two viruses that infect (encrypt) a disk's partition
> table as well as the MBR.

Nope, this is wrong. Monkey infects the MBR, but does not infect or encrypt the partition table. It encrypts the copy of the original MBR which is placed at cyl 0, head 0, sec 3.

> Booting from a clean floppy means not being able to access the hard disk
> (normally). Thus special methods are needed, (albeit not reformatting).

This is because Monkey overwrites the partition table with part of its own code, and instead depends on using stealth to fetch the table from sector 3, where the original is stored in encrypted form (XOR 2Eh).

> Various virus eradicators handle these 'normally'. Check the literature
> - your post was incorrect, possibly dangerously.

I disagree. *YOU* should check the virus/literature! The Monkey is not encrypted, nor is the partition table. Only the saved original at sector three is encrypted. The partition table does contain part of the Monkey virus code and data, but is not 'infected' by Monkey, just overwritten. The MBR *IS* 'infected', *NOT* the partition table.

> Good luck -

Thanks, same to you.

Sincerely,
Henrik Stroem
Stroem System Soft

ps The point here is that FDISK/MBR should not be used against this virus, since the partition table is overwritten with virus code and data. The original table is only available when the virus is active in memory after booting from the infected hard disk.

ps2 As for the INT_10, it can usually be disinfected by using FDISK/MBR, since it keeps the partition table in place.

------------------------------

Date: Mon, 27 Jun 94 18:35:10 -0400
From: BRENNAN@hal.hahnemann.edu (A. Andrew Brennan)
Subject: Re: ANSI bomb (PC)

id@mist.demon.co.uk writes:
>
> A virus must be able to replicate. An ANSI bomb isn't.
>
> I believe Dr. Solomon has seen an ANSI bomb which could launch an
> executable contained in part of the ANSI "text" file. I don't remember
> if the example he had contained a virus or not, but it could easily have
> done so. It would not have been self-replicating for the ANSI bomb
> itself perhaps, but could have been a dropper for a virus.
>

What prevents the accompanying executable from copying files to another diskette - in effect, a multi-file virus??

andrew. (brennan@hal.hahnemann.edu)

------------------------------

Date: Mon, 27 Jun 94 06:11:52 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re: _Stone virus... (PC)

Hi !

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

> news spool owner (news@undergrad.math.uwaterloo.ca) writes:
>
> > McAfee's v2 reports that I have the stone virus (stone.stonheng)
> > How do I kill it? Is there a vacine?
>
> you can remove this virus by booting from a write
> protected system diskette containing DOS version 5.0 or higher, making
> sure that you still can access the hard disk (DIR C:) and m