From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V4 #83
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Wednesday, 15 May 1991    Volume 4 : Issue 83

Today's Topics:

re: The Shape of the World (PC)
New VIRx Release (PC)
What's so bad about self-extracting archives?
Tequila virus (PC)
Re: SCAN hangs while checking Window's SOL.EXE file (PC)
Re: CLEAN77 for a network? (PC)
SCAN version 77 compressed? (PC)
Re: SCAN hangs while checking Window's SOL.EXE file (PC)
Re: Trojan version of VIRUSCAN version 78 (PC)
PC Virus Index (PC)
Self-extracting archives
"protection" from research viruses
New Name For FPROT (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 14 May 91 14:59:00
From:    microsoft!c-rossgr@uunet.uu.net
Subject: re: The Shape of the World (PC)

>From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
>
> Must we? [play the numbers game in scanners]  Or rather, given that
>  we must at the moment, must we always?

Remember that we can't even get the user community (the folks who
spend their hard earned money to buy my products!) to make backups to
protect themselves.  They seem to prefer that somebody do that
protection for them.  Obviously if an ad indicates that Product A
protects against 400 viruses -- and it might even be true -- that's
going to offer 25% (or 33%) more protection than one that scans for
"only" 300 viruses.

Do you think the public is going to respond favorably to a condom that
protects against the AIDS virus 99% of the time as compared to one
that protects against it 99.9% of the time -- even when your odds of
getting "hit" with the AIDS virus are pretty slim to begin with.

Maximal Protection! That's what the market seems to clamour for.

And the marketing dudes I work with closely at Microcom tell me what
we can lose a site license because of and where our strong points are:
I recall one site license potential that was lost on our not catching
the Whale Virus in an early cut of our code.  You know how difficult
it is to get the Whale Virus to infect something without crashing your
system, right?  Well, the site license didn't and that cost a
bunch-o-bucks.

Now, of course, we catch the Whale Virus.  The next time a site
license asks we can put on our best Grey Poupon voice and say "Of
course. Of course."

>Is there any hope that the anti-virus community might band together
>(for a moment, at least!) and decide that the numbers game shall be
>played ONLY with viruses that have appeared in reliably-confirmed
>real-world incidents?

Speaking on my own behalf, I hope so.  Speaking on behalf of Microcom
(which I can't do in any case), marketing has to stay competitive.
So, when one of our competitors says "Yes, but do you want to risk
even the slightest chance of getting infected with this virus if it
escapes into the wild.", my marketing can respond "Ha! We already
protect you against that nasty virus!".

>  I'm not sure; the hope that we might is part of
>why I asked those questions.  It would mean restraining ourselves in
>advertising and in talking to the press, getting publications like the
>Virus Bulletin (and others less respectable) to stop using 300+
>viruses, including losers like the Anti-Pascals, in their evaluations,
>and so on.

As long as the advertising works (and is used by the competition) it
would be suicide to drop out of the numbers game -- see my new release
blurb below for an example of why we must continually play the damned
game.  Yes, I picked up a bunch-o new strings for this cut of the
code.  More important to me, though, are the minor enhancements that
make the code easier to use.

>It might be marketingly impossible, of course.  On the other hand, is
>it possible that eventually people making buying decisions will get
>tired of "We Detect 100 More Viruses Than Our Competitors!!!" sorts of
>claims, and be more impressed by "We Detect Every Virus Known To Have
>Caused A Real Infection, and We're <faster, cheaper, easier to use,
>etc>"?

Hear, hear!  I would love to be able to impress that upon people
rather than the numbers game.  The first people to convince would be
in MIS, though: now how do you convince them that your second point is
more important than the numbers games?

Until then, I have to provide the marketing dudes at Microcom with
ammunition for winning on both points you make.

Ross

------------------------------

Date:    Tue, 14 May 91 15:03:18
From:    microsoft!c-rossgr@uunet.uu.net
Subject: New VIRx Release (PC)

I'm pleased to announce a new release of the *FREE* scanner we put
out as a demo of Virex-PC.  This scanner is completely usable for
scanning against viruses: it is not crippled in any way.  The only
difference between it and Virex-PC's scanner (one part of the Virex-PC
package) is in the disinfectors included in the commercially available
product.

Here's the "WHATS.NEW" file.

                   What's New In VIRx Version 1.4
                   ==============================
Date: 5/11/91

   1. VIRx now scans memory above 640K through 1 Meg if the -X command line
   option is selected.  This feature is added for detection of viruses like
   E.D.V. that search high memory for writable RAM, and for protection
   against possible infected device drivers that have been loaded high.
   Note:  Many programs use that area of memory for special disk caching
   and this has been noted to have caused some problems with incorrect
   results for some machines.

   2. If a batch mode is selected, the resulting screens will now time out
   if you do not hit a key and the scan will continue.  This makes the batch
   mode fully useable for unattended operation.

   3. When this software becomes outdated, it will warn the user that scanning
   with outdated software can result in new viruses being missed. Then the
   user can elect to continue the scan anyway. Previous versions of VIRx
   would cease to function on the cut-off date; this is no longer the case,
   although you are advised to update your software before that date arrives.
   We consider VIRx 1.4 to be outdated by October, 1991, although we recommend
   obtaining each monthly update of VIRx in any case.

   4. VIRx 1.4 detects over 50 newly discovered viruses, bringing the total to
   over 400. This was accomplished without slowing down the scanner.

   5. VIRx 1.4 can now take multiple targets on the command line, allowing
   an entire set of file systems to be scanned:
      VIRx C:\ D: E:\thisdir F:\thatdir\thisfile
   scans the entire C: disk, the current directory on the D: drive and its
   children, the specified directory on the E: drive and its children and
   the specified file on the F: drive.  Any options you select on the command
   line are valid for each target you specify.

   6.  Both decompression routines, LZEXE and PKLITE, were optimized for
   speed of decompression and memory model independence.  String selection
   of compressed file hits takes about 50% as long as it did in VIRx 1.2.


Problems Corrected from v1.2:

   1. Problem with scanning certain Novell Network server volumes has been
   corrected.

   2. Execute-only files on Novell Networks are handled properly now on
   screen as well as in the log.

   3. There was a bug when write-protected files were scanned and discovered
   to contain a virus. Fixed.

   4. False positive on Marc Perkel's MARXMENU menu compiler Marxcomp.exe,
   version 2.27, for the KAMAKAZI virus has been corrected. Our apologies
   to Marc.

   5. PKLite from PKWare uses a special compression method on unusually highly
   compressible files that version 1.2 of VIRx did not decompress properly
   every time. This has been corrected, and VIRx 1.4 fully supports all
   compression methods used by PKLite as of version 1.05, still including
   the -e switch available in PKLite Professional.

------------------------------

Date:    Tue, 14 May 91 14:42:00 -0600
From:    Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL>
Subject: What's so bad about self-extracting archives?

> Only one problem: How do I find out what format the thing was
> archived in in the first place, when all I'm confronted with is a .EXE
> file?

This program will list the directory and archive type of any
self-extracting MS-DOS archive.

WSMR-SIMTEL20.ARMY.MIL [192.88.110.20]

Directory PD1:<MSDOS.ARC-LBR>
 Filename   Type Length   Date    Description
==============================================
FV135.ZIP     B    8128  910319  View dirs of ARC/DWC/LBR/LZH/PAK/ZIP/ZOO/SFXs

Keith
- - - -
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC and CP/M archives  -  [192.88.110.20]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil    or    w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz             BITNET: w8sdz@OAKLAND

------------------------------

Date:    14 May 91 16:56:37 -0400
From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: Tequila virus (PC)

Has this been around for awhile?  Just in the last week or so, I've
heard of it from a couple of different, widely separated, places in
Europe, and I hadn't heard of it before.  Does anyone have a good
description written up?  I'm well into analyzing it, but it's always
nice to have someone else's notes to check myself against.  Just how
widespread does it seem?  Does anyone know of it "getting lucky"
(shipping with a commercial package, or anything on that order)?  DC

------------------------------

Date:    Tue, 14 May 91 16:41:00 -0500
From:    "Sant." <SSIRCAR@ecs.umass.edu>
Subject: Re: SCAN hangs while checking Window's SOL.EXE file (PC)

icking@gmdzi.uucp (Werner Icking) writes:
> As far as I have seen, the problem does not depend on the version of SCAN.
> It depends on running SCAN under Windows in conjunction with SHARE.
> It seems to me that Windows opens a lot of files and the error occurs if
> SCAN attempts to open one of these files, too.
> 
> The problem disappeared on my PC since I replaced loading SHARE by using
> NOSHARE (Simtel or mirror-sites: <MSDOS.SYSUTL>NOSHARE.ZIP)

But I'm running SCAN while I boot up.  My system is an 8meg 386-33 w/CACHE and
DOS 3.3, so I don't use SHARE.
- -- 
+------------------------------------------------------------------------------+
| Santanu Sircar                               BITNET:   ssircar@umaecs.bitnet |
| University of Massachusetts/Amherst          INTERNET: ssircar@ecs.umass.edu |
+------------------------------------------------------------------------------+

------------------------------

Date:    Tue, 14 May 91 16:20:00 -0500
From:    ONLY 30 MORE CREDIT HOURS AND I'M GONE <ORAND@kuhub.cc.ukans.edu>
Subject: Re: CLEAN77 for a network? (PC)

boone@athena.cs.uga.edu (Roggie Boone) writes:
> I am installing a Local Area Network in our department that will be
> running Novell Netware 386.  I am thinking about using the McAfee
> Netscan77 virus detection program.  I am curious if there is a network
> version of CLEAN77, or can CLEAN77 remove viruses from a network such
> as described above?  Any info would be appreciated.

    CLEAN77 works well for networks.  I use it for our Netware 2.15
here at the University of Kansas.  There is a complementary program
called NETSCAN77 that will scan the server for viruses.  Once a virus
has been detected, you use CLEAN77 to cure it.

    McAfee and Associates is a very helpful company.  I recently
discovered a virus that NETSCAN will not detect on EXE files and
called them and told them about it.  They were very helpful and will
be putting out a solution to this problem in a couple of weeks.

    Brady...
    ORAND@kuhub.cc.ukans.edu

------------------------------

Date:    Tue, 14 May 91 16:24:26 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: SCAN version 77 compressed? (PC)

I have received copies of SCAN version 77, some with the authentic
verification still intact.  All show the same file size and validation
codes, and match that in the documentation.  I have checked it out
with other virus scanners.  (All right, I'm paranoid.  In this
business, what else is new?)

SCAN 75 was about 80K, but 77 is 59K.  Aryeh has said that Virucide is
compressed.  Is SCAN now compressed as well?

(I would have asked Aryeh, but her return-path doesn't work for me.)

=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security

------------------------------

Date:    Wed, 15 May 91 00:40:37 +0000
From:    mcafee@netcom.COM (McAfee Associates)
Subject: Re: SCAN hangs while checking Window's SOL.EXE file (PC)

SSIRCAR@ecs.umass.edu (Sant.) writes:
>Has anyone had problems with SCANV77?  When I scan my hard drive, the
>program hangs on one particular file, SOL.EXE, Window's solitaire
>program.  I don't have problems with running the game and SCAN doesn't
>have problems with any other file.  In order to continue, I have to
>press 'F' to accept the failure.  Does anyone know why this is
>happening?

It sounds like you are exiting to DOS from Windows to run SCAN, and
have a file running under Windows.  You can either exit Windows and
then run SCAN, or shut down the Solitaire program and then run SCAN.
Alternatively, you can run SCAN with the /UNATTEND option which will
install a critical error handler that will allow SCAN to automatically
select "Fail" when it comes across a file in use.  I would recommend
that if you use the /UNATTEND option, you also use the /REPORT option
so that you will have a record of any files that were skipped.
 
Aryeh Goretsky
McAfee Associates Technical Support

------------------------------

Date:    Wed, 15 May 91 13:19:00 +1200
From:    "Mark Aitchison, U of Canty; Physics" <PHYS169@csc.canterbury.ac.nz>
Subject: Re: Trojan version of VIRUSCAN version 78 (PC)

aryehg%darkside.com@apple.com (Aryeh Goretsky) writes:
> We have received a trojan horse version of VIRUSCAN...
> 
> Running PKUNZIP on the file reveals the following:
> 
>  . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
> 
> While the Authentic Files Verified Message appears, the Serial Number is
> NOT correct.  McAfee Associates' Serial Number is NWM405.

This worries me. Could somebody explain what good the PKUNZIP
authentication system should be, as it obviously isn't providing
enough warning here. (Who would know, and think of looking at, the
serial number? Probably few people).

Mark Aitchison, Physics, University of Canterbury, New Zealand.
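
One way to act on the point Mark raises, as an added example (not code from the digest, from PKWARE or from McAfee Associates): parse the PKUNZIP AV banner and compare the serial to the one the vendor has published, so the "Authentic files Verified!" text on its own is never taken as proof. The two serials, TJB859 and NWM405, come from the message above; the sample PKUNZIP output lines and the trusted-serial table are constructed for the example.

```python
"""Check a PKUNZIP Authenticity Verification banner against a vendor's
published serial number, rather than trusting the banner text alone."""
import re

# Serials the defender has recorded from vendor documentation (assumption:
# maintained by hand; NWM405 is the McAfee Associates serial quoted above).
TRUSTED_SERIALS = {"MCAFEE ASSOCIATES": "NWM405"}

# Shape of the AV line as quoted in the message: "# <serial>  Zip Source: <name>"
AV_LINE = re.compile(
    r"Authentic files Verified!\s+#\s*(?P<serial>\w+)\s+Zip Source:\s*(?P<source>.+?)\s*$"
)

# Constructed sample output: the trojaned archive from the message ...
TROJAN_OUTPUT = """Searching ZIP: EXAMPLE.ZIP
 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
  Exploding: SCAN.EXE
"""
# ... and what a genuine McAfee Associates archive would print (constructed).
GENUINE_OUTPUT = """Searching ZIP: EXAMPLE.ZIP
 . Authentic files Verified!   # NWM405   Zip Source: McAFEE ASSOCIATES
  Exploding: SCAN.EXE
"""


def parse_av_banner(pkunzip_output):
    """Return (serial, source) from the AV line, or None if no banner was printed."""
    for line in pkunzip_output.splitlines():
        m = AV_LINE.search(line)
        if m:
            return m.group("serial"), m.group("source").strip()
    return None


def check_av_serial(pkunzip_output, trusted=TRUSTED_SERIALS):
    """Classify the archive: 'match', 'serial-mismatch', 'unknown-source' or
    'no-banner'.  Only 'match' means the banner agrees with the vendor's serial."""
    parsed = parse_av_banner(pkunzip_output)
    if parsed is None:
        return "no-banner"
    serial, source = parsed
    expected = trusted.get(source.upper())
    if expected is None:
        return "unknown-source"           # banner present, but no published serial on file
    return "match" if serial == expected else "serial-mismatch"


if __name__ == "__main__":
    print("trojan sample :", check_av_serial(TROJAN_OUTPUT))   # serial-mismatch
    print("genuine sample:", check_av_serial(GENUINE_OUTPUT))  # match
```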

------------------------------

Date:    Wed, 15 May 91 11:43:30 +0000
From:    Ian Leitch - ITU LSHTM - (071) 927 2260 <uqak940@mvs.ulcc.ac.uk>
Subject: PC Virus Index (PC)

In response to the many queries which now appear on Virus-L asking for
specific information about particular viruses, I have uploaded the PC
Virus Index to the MIBSRV "official" anti-viral archives.

The PC Virus Index (PCVI) is developed and maintained by Bryan Clough
(of Clough and Partners) with whose permission it is being made
available. PCVI is a text-linked database about PC viruses which is
delivered through an 'intelligent' front-end.  It provides an ever
developing knowledge base about viruses as they emerge. Updated
versions are issued about monthly.

Search keys (including virus name or alias, family attribution, code
size, type and other characteristics) can be used to construct a
profile about any specified virus. The reports generated selectively
include:

 -  a summary description of the effects of infection
 -  disinfection methods
 -  the efficacy of some popular anti-viral software
 -  a detailed report on the characteristics of the virus(es)

The user interface is presently being re-designed to give greater
flexibility for the introduction of new features. Constructive comments
about the utility of PCVI or the direction of its future development
are always welcome.

Ian Leitch
London School of Hygiene and Tropical Medicine
JANET: uqak940@uk.ac.ulcc.mvs

------------------------------

Date:    Wed, 15 May 91 11:47:10 -0500
From:    "A. Andrew Brennan" <BRENNAAA@DUVM.BITNET>
Subject: Self-extracting archives

     I'm not entirely sure, but with some (.ZIP) sfx archives, can't
   you specify "-v" to get the list w/o extracting and "xxx.xxx" to
   extract only one file?  I think that I have used this technique
   with PKZ110.EXE - I only wanted the ZIP and UNZIP executables.
 
     Not entirely sure though - I haven't checked this yet.
 
     A. Andrew Brennan
 
{you don't know me from Adam - but he didn't have a belly button ... }

------------------------------

Date:    Wed, 15 May 91 09:02:56
From:    <smith_s@gc.bitnet> (Steven W. Smith)
Subject: "protection" from research viruses

>From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
>Subject: re: The Shape of the World (PC)
>>
>>This loud cry for protection against research-only viruses is quite
>>quite bothersome -- the numbers game we have to play (as a vendor) in
>>order to counter "my scanner can beat up your scanner" type of games
>>is sorta foolish -- yet we must play the game.
>
>Must we?  Or rather, given that we must at the moment, must we always?
>Is there any hope that the anti-virus community might band together
>(for a moment, at least!) and decide that the numbers game shall be
>played ONLY with viruses that have appeared in reliably-confirmed
>real-world incidents?  ...

  For now, if it's really bothering you, I've got what seems a
reasonable solution: use Frisk's F-Prot (or any other package you like
that has an external list of nasties) and edit the SIGN.TXT file to
remove those signatures that you deem ridiculous.
  Simple, no?  Granted, it's no solution to the authors of antiviral
software, but from the user perspective it works.
  _,_/|
  \o.O;   Steven W. Smith, Programmer/Analyst
 =(___)=  Glendale Community College, Glendale Az. USA
    U     SMITH_S@GC.BITNET
*poof* My opinions are now your opinions, so you'd better get used to it!

------------------------------

Date:    Wed, 15 May 91 10:53:14 -0600
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: New Name For FPROT (PC)

"Argus"...  I like it.  Gee, I hope it doesn't mean an increase in the
price ;)

Richard Travsky
Division of Information Technology     RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 83]
*****************************************
