VIRUS-L Digest Tuesday, 12 May 1992 Volume 5 : Issue 103 Today's Topics: formatting system disks (PC) RE:Question about Michaelangelo (PC) Re: safe computing questions (PC) Re: New Virus: Joes Demise (PC) Re: Question about Michaelangelo (PC) Lines of defense against viruses Re: Bug in TBSCAN/VSIG9203+ (PC) JOES DEMISE virus (PC) Virus in Moria (PC) Re: Starship virus (PC) Starship (PC) Re: EuroMail Bomb Virus (Amiga) Re: Why a good virus is a bad idea? Virus hides in printer (again) Anti-Virus Hardware survey Checklist part 13 (almost finished) Re: Virus jokes (Humor!) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 08 May 92 17:42:40 -0400 >From: Veng-Ly Tong Subject: formatting system disks (PC) I would appreciate any feedback on this question that I have: I installed a memory resident virus detection program (Dr.PANDA) recently and I just found a little problem (IMO): whenever I try to format a disk on an external drive, the scanner kicks in and tells me that a formatting attempt has been made and the scanner prevents this from happening. I have to deactivate the memory resident scanner before I may try formatting a disk again . My question is this: If (hypothetically) there was indeed a virus in my system, and I formatte a disk and made it bootable, would the virus (active) infect the formatted disk (assuming it was a boot sector virus)? I understand the possibility of this question being brought up before. If so, please send me a personal response at V$T6747@SRU (Bitnet). Thanks in advance. ------------------------------ Date: Fri, 08 May 92 22:54:00 +0000 >From: mccd@rosie.uh.edu (Reza Golshan ACUS 743-1587) Subject: RE:Question about Michaelangelo (PC) John, The following is the information that we released after some modifications, for the University of Houston(Park) community on March/2/92. I beleive that the problem that was encountered here was very similar to what you were facing. Contact me if there was anything that I could do to help. ========================================================================== == Reza Golshan | <<<<>>>> == == University of Houston(Park) | <<<>> == == Academic Computing User Services |================================= == 36, Heyne Building | "A little more than kin, and == == Houston, Texas 77204 | less than kind." == == ph# (713)-743-1587; FAX: (743-1542) | Bill Shakespeare, Hamlet == ========================================================================== ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Multiple Infection Problems(Michelangelo and Stoned) ==================================================== If your IBM_PC(compatible) is being infected by both the Michelangelo and Stoned, a reinfection by the Michelangelo would make the Michelangelo's removal impossible. This problem was first explained by Martin Zejma(8326442@ AWIWUW11.BITNET) from University of Economics Vienna(Austria). This problem was then checked and verified by the ACUS based on the available documents and examination of both of these viruses. The pattern shown below, presents how the problem would gradually develop. Area one(Side 0, Track 0, Sector 1) is where the original bootsector is being stored, area two(Side 1, Track 0, Sector 3) is where the Stoned viru s stores the original bootsector upon infection by the Stoned and area three (Side 1, Track 0, Sector 14) is where the Michelangelo stores the original bootsector upon infection by Michelangelo. [ EVENT ] [ AREA 1] [ AREA 2 ] [AREA 3] ****************************************************************************** Original Original nil nil Disk Bootsector Michelangelo Michelangelo nil Original Infection Bootsector |__________________________________________^ Stoned Stoned Michelangelo Original Infection Bootsector |________________________^ Michelangelo Michelangelo Michelangelo Stoned reinfection |_________________________________________^ It could then be seen that upon the second infection by the Michelangelo, the original bootsector would be erased. When the antivirus program is run, the Michelangelo would be shown on the bootsector(Stoned would not be seen since at that point it is not on the bootsector). At this stage, by using an antivirus software, the Michelangelo virus is then removed, which would be; [ EVENT ] [ AREA 1] [ AREA 2 ] [AREA 3] ****************************************************************************** Michelangelo Stoned Michelangelo nil Removal ^______________________________________________| The antivirus program is run again, and the program will then show an infection by the Stoned virus. This would be the main indicator that there is a double infection. Do not proceed with the cleaning of the Stoned at this point and it is highly recommended that you contact the Academic Computing User Services (ACUS) at 743-1587 or the Administrative Computing at 749-4911 so that a consultant could help you on recovering your files. The safest option at this point is to bootup from a clean and protected floppy diskette and copy the files from the harddisk to the other floppy diskettes. Note that you should bootup from a DOS 5.0 bootable diskette, if you were using DOS 5.0 on the harddisk. After the backup has been done, you may then proceed by reformatting the harddisk. Note that in general some bootsector viruses would survive the total format by installing their code on high memory sectors and then they would reinstall their code back on the newly created bootsector of the disk. The solution to this is to simply bootup and issue the format command, from a previously virus checked and protected diskette. The reason behind above procedure is that after the Stoned is detected, the removal of Stoned would be; [ EVENT ] [ AREA 1] [ AREA 2 ] [AREA 3] ****************************************************************************** Stoned Michelangelo nil nil Removal ^______________________________________________| When the antivirus program is run again the Michelangelo would be detected, and removing Michelangelo would be refused by the antivirus program since there is no original bootsector to replace it. It is possible at this point that the disk would be beyond repair(Due to the possible loss of the file allocation table), however, if you are at this point, you may call the ACUS or the Administrative Computing for help. The SYS.COM can be used in this case in an attempt to transfer back the system, in addition to some other procedures that might be necessary to take to recover the files. Those procedures are beyond the scope of this briefing and should be handled by our consultants only. The above procedure might be slightly different for the different variants of the Stoned virus(26+ variants), which could make the recovery procedures more cumbersome. As always please note that having a backup of your files is your best protection against computer viruses. ************************************************************************* ************************************************************************* A friend of mine's machine recently stopped booting from the HD, so we ran scan, and it reported that he was infected by Stoned. We cleaned that, ran scan again, and it reported that he was bitten by Mich. We tried cleaning that, and even though clean reported that it was successful, upon rescan it was still there. Even Norton Anti-virus Michaelangelo didn't clean it correctly. Any explanations and solutions? john - - -- | John R. Schutz | Email&NeXTmail: | | A learning NeXTie | john@csrnxt1.ae.utexas.edu | | (512)328-0587 | "We are all victims of dead men." | | 3009 Hatley Dr., Austin, TX 78746 | -Charles Fuller | ------------------------------ Date: Fri, 08 May 92 23:16:06 +0000 >From: tvv@suntan.tandem.com (Tom Van Vleck) Subject: Re: safe computing questions (PC) jim@cavebear.berkeley.edu (Jim Bradley) writes: > >o Can I contract a virus on my PC by performing a "dir" of an infected > floppy disk? > >o Can data and document files be vectors of PC viruses? > >o Is there any risk in copying data and document files from an infected > DOS floppy disk to a clean PC's hard disk? (Assuming, of course, > that one does *not* boot from the the infected diskette.) The short answers are 1. Nobody knows for sure. 2. Theoretically possible, depending on what program processes the data. 3. Little risk today. 1. All data is a "program" for some interpreter. Showing that an interpreter NEVER malfunctions for any possible input is a difficult task. So if a bad guy makes a floppy disk with a screwed up directory, and gets you to DIR it, could it cause your OS's DIR command to make a wild transfer into a data buffer? Prove he couldn't.. for all possible versions of DIR, for all possible diskettes. 2. I have seen ill-formed data files cause word processing programs to crash. If they can crash they can make wild stores. If they can make wild stores they can overwrite code. If they can overwrite code they can drop a virus. Many word processors, spreadsheets, picture displayers, etc lack defensive code that checks all possible data values before using them as indices or lengths. 3. As of today, nobody has reported such a program. So the risk is low. We should encourage software producers to write defensive programs, and we should identify the ones that are weak, and we have to scan everything. - -- Tomv Van Vleck ------------------------------ Date: Sat, 09 May 92 02:28:00 +0100 >From: Anthony Naggs Subject: Re: New Virus: Joes Demise (PC) Well done to Bill VanderClock & Harpreet Singh for their initial investigation and analysis. Did you have any special tools for this or did you use debug? I hope you don't have to do that too often. Harpreet Singh (Singh_Harp@Bentley.BitNet) observed: > The virus was discovered by the greatest anti-virus tool of all, > WINDOWS 3.0 :-). Windows just refused to start-up, after the > infection. On close investigation, it was found that many files had > increased in size by about 1k. Most EXE infecting viruses damage Windows EXE files by either overwriting the Windows portion of the program (in which case the program size will not appear to change) or they correctly add to the file but calculate garbage values for starting the host program. Harpreet Singh asks: > This string is found by F-Prot in infected files even if the virus is > memory resident, thus showing that the virus does not detach itself > from infected-files on file-open (can a virus do that?). Yes they can, if a memory resident virus takes active steps, like this, to hide its presence then it is a stealth virus. This would make it much harder to perform the initial diagnosis, as you would not see the 1k increase in file size that alerted you to the virus. Regards, Anthony Naggs (Email: amn@vms.brighton.ac.uk or xa329@city.ac.uk) ------------------------------ Date: Sat, 09 May 92 02:30:00 +0100 >From: Anthony Naggs Subject: Re: Question about Michaelangelo (PC) John R. Schutz (john@csrnxt1.ae.utexas.edu) reports: > A friend of mine's machine recently stopped booting from the HD, so we > ran scan, and it reported that he was infected by Stoned. We cleaned > that, ran scan again, and it reported that he was bitten by Mich. We > tried cleaning that, and even though clean reported that it was > successful, upon rescan it was still there. Even Norton Anti-virus > Michaelangelo didn't clean it correctly. Any explanations and > solutions? The explanation is easy: The PC was first infected with Michaelangelo (which is based closely on Stoned), which placed itself in the Partition table sector (or Master Boot Record - MBR) and moved the original to a sector further down the disk, and things would apear to be normal. When Stoned infected the system it did exactly the same thing, but it placed the Mich virus in the sector that Mich had already placed the original MBR - so now the original MBR is destroyed. At boot time this would load & run Stoned, which would then load & run Mich, but Mich will load & run Mich again, and again, ... hence the PC failing to boot. Certain recovery software does not recognise the problem, so it sees Stoned, and attempting to fix that it copies Mich into the MBR. Run the software again and it now finds Mich but in attempting to repair it it only finds the copy of Mich when Stoned infected the disk. This loop is as infinite as the failed boot. Fortunately part of Stoned & Michaelangelo's attempt to disguise themselves includes copying details of the first 4 primary partitions into the infected MBR. This allows DOS to find extended partitions, and means your partition information still exists. The solution is hard, unless you are using MS-DOS 5 in which case FDISK /MBR should fix things for you. Otherwise you will have some problems, what you have to do is keep the partition information stored at the end of the virus & match it with a suitable MBR partition table boot sector. As this seems to be a very common problem I shall write a small program to assist & post it and details of how to use it over the weekend. Hope this is clear, Anthony Naggs + It was all very well to say "Drink Me", + but the wise little Alice was not going Email: amn@vms.brighton.ac.uk + to do THAT in a hurry. or xa329@city.ac.uk + - Alice's Adventures in Wonderland ------------------------------ Date: Sat, 09 May 92 17:05:51 +0700 >From: "S." Tripathi Subject: Lines of defense against viruses Hi all, What would be the best line(s) of defense agianst viruses? My [limited] understanding is that at boot time a scanner and then a TSR monitoring program. Most AV software seem to have the two functions built in. Do the AV software also come with disinfectors or are they separate packages ? Where do integrity checkers fit into the scheme of things ? Which are the "best" products for the different lines of defense? From where may copies be obtained (preferably UK sites) ? Communication welcome either via this forum or email. Thanks. - -- The O Shachindra Tripathi +---- ----+---- ---+--- Computer Science Department | A I N | | University of Keele +---+ | n Keele, Staffs ST5 5BG | | / \ U.K. * ____| * | * / \ JANET : csp58@uk.ac.keele.seq1 other : csp58@seq1.keele.ac.uk ------------------------------ Date: Sun, 10 May 92 10:52:46 +0700 >From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers) Subject: Re: Bug in TBSCAN/VSIG9203+ (PC) In a previous message, Robert Slade writes: > > Both HTSCAN and TBSCAN use the VSIGyymm.ZIP virus signature files. > Along with the VIRSCAN.DAT file and the *.AVR files, the zip > distribution contains COMPRSCA.DAT which lists signatures for > compressed executable files. This file, if appended to the > VIRSCAN.DAT, allows compressed executables to be identified, since > they present another level of risk in terms of virus detection. Due to some inter-human communication problems (other words for misunder standing), I only heard yesterday why the problem is caused. The description of the virus signature is limited to 30 characters, TBSCAN is not quite helpfull in it's error message and the author of COMPRSCA.DAT documentation was not pointed on this problem until now. - -- o _ _ _ _ _ voice: +31-2522-20908 (19:00-24:00 UTC) / (_' | (_) (_' | | snail: P.S.O. __/ attn. Jeroen W. Pluimers P.O. Box 266 jeroenp@rulfc1.LeidenUniv.nl 2170 AG Sassenheim jeroen_pluimers@f521.n281.z2.fidonet.org The Netherlands ------------------------------ Date: Sun, 10 May 92 14:48:17 -0400 >From: Michael Powell Subject: JOES DEMISE virus (PC) University of Louisville Phone: (502)588-6744 About a week ago, a message was posted on VALERT concerning a potential new virus called "Joes Demise." I posted the information found in the alert note on a local BBS. A few days later, I received the following reply. To me, it doesn't sound like the symptoms mentioned as "Joes Demise" but it does sound like something is possibly wrong. Let me know if anyone has information on this: >Mike, > >Does this 'new' virus show up like the Michaelangelo did by using the >DOS mem command to see what memory one has? I know that I am bound to >have a virus of some type that thus far nothing has been able to detect. >I know this because DOS's mem shows only 654336 bytes instead of the >655??? (can't remember offhand). Plus things get totally screwy on my >monitor; letters suddenly changing to something else etc... Thus far >it has not caused any problems. > >I also have a file that Norton's Anti-virus reports that it possibly >contains an unknown virus. > >Mark Thanks! Michael Powell - --------------------------------------------------------------- BITNET: mlpowe01@ulkyvm.bitnet INTERNET: mlpowe01@ulkyvm.louisville.edu ------------------------------ Date: Sat, 09 May 92 08:44:34 -0700 >From: pain.uucp!curtiss@markv.com, pain!curtiss@hermix.markv.com (Curtis Shenton) Subject: Virus in Moria (PC) weiss@cs.unc.edu (Steve Weiss) writes: > My son has been playing an adventure game called Moria on our PC. > Today, when he went to park the disk, he discovered that all the system > files had been deleted. It's as if a DEL *.* had been executed from > the home directory. Fortunately, only system files were lost; all our > data files are in directories and they seem to have been spared. > > Is anyone aware of a virus in this game? Are there other effects > waiting to happen? I really doubt that it's actually the game Moria. IT may have been infected with a virus, did you scan it? Also where did your son get this copy from? Since the source code is freely available I suppose their is a remote chance someone put a trojan in and recompiled it. - -- pain!curtiss@markv.com, usc.edu!celia!techsys!pain!curtiss ------------------------------ Date: Mon, 04 May 92 13:57:28 +0300 >From: grdo@botik.yaroslavl.su (Dmitry O. Gryaznov) Subject: Re: Starship virus (PC) 8326442@AWIWUW11.BITNET (martin zejma) writes: >In the latest Virus-l issues a few articles concerning new anti-virus >tools and stealth viruses mentioned 'Starship' as an example , >once for not replicating at all ( or very seldom ) and on the other side >as difficult to detect the occuring infection. > >Recently I had a short correspondence with Joe Wells about the reason >why this virus is still not detected by any of the currently available >shareware scanners. The point was that no one seemed to be able to >make it replicate, maybe especially in the U.S.. Vesselin mentioned >he's not dissected the virus, but he would do so ( if his time allows >it ). > >About three weeks ago I tried to replicate 'Starship', and it instantly >infected the harddisk. Joe Wells tended to the explanation that it >may only replicate in the former eastern block countries, but >as I'm living in Western Europe, there must be another reason. I am glad that at last somebody in the West succeeded to activate Starship (if only it is possible to be glad on this :-( ) It was me to supply Western anti-virus researches with Starship samples. I had got a sample more than a year ago. I had dissected and analyzed it thouroughly. >SO, DOES anybody have an explanation why this virus refuses to replicate The virus refused to replicate on my PC by itself too. So I found out the conditions under which it should: - there must be a RAM at segment 0BB00H (== 0B000:0B000; == 0B800:3000) It is a fourth (or third if counted from 0) text video page for CGA/EGA/VGA. - the active (bootable) hard disk partition must be a regular DOS one - e.g. less than 32 Mb. - 48 bytes at absolute location 0:4b0 thru 0:4df must be set to 0 or to any other same value. - BIOS must support int 13h, AH=08H - get hard disk parameters. The only thing I did to get the virus to work on my PC AT was zeroing 48 bytes at 0:4b0 using DEBUG: debug f 0:4b0,4df 0 q Then I ran an infected sample and Starship successfully infected my hard disk. The virus creates fake partition in the last 6 sectors of hard disk. The virus goes resident and replicates only when booted from an infected hard disk. It then infects .COM & .EXE files being created on either A: or B: drives. I copied several .EXE and .COM files from hard disk to floppy - they turned infected. I sent them to Joe Wells, who reported he failed to get Starship to replicate. >last available absolute sector.So no currently available scanner >should detect it, cause the MBR and the PBR remain uninfected, and the >location of the PBR isn't checked. There are at least 3 Soviet scanners (including my own, of course) which detect and disinfect the virus for over a year already. - -- Sincerely, Dmitry O. Gryaznov | PSI AS of Russia Internet: grdo@botik.yaroslavl.su | Pereslavl-Zalessky Phones: voice: (08535)-98-122 BBS: (08535)-98-301 | 152140 Russia ------------------------------ Date: Sun, 10 May 92 02:50:05 +0000 >From: Martin Zejma <8326442@AWIWUW11.BITNET> Subject: Starship (PC) Vesselin Bontchev and David M. Chess write that the simple copy command uses the 'create file' function (3Ch) of int 21h. It is expected to be that way, but it isn't any more. I inspected various PC / MS-DOS versions ranging from 3.2 to 5.00, and only the ones before / including 3.3 use 'create file' in the COPY and XCOPY command, since 4.00 an undocumented nice function (6Ch) is used , which accepts a file name as input ( at DS:SI ) , and as output comes the handle in AX. So simple copying won't work, and recalling your posting, Vesselin, it seems that your test computer runs at least version 3.3 , too. The possible variations of the virus when mutating are : 4*2*3*16*2*2 = 1536 | (It seems I missed factor 16, last time :) When asking about compilers, I naturally also meant linkers, but cause most time I write in TurboPascal or TurboC , and these IDE's (nice abbreviation) most time compile and link automatic, so I forgot the second. BTW Correction to Vesselin : 'cd02' should be 'cd03', sorry | Regards, Martin +-----------------------------------------------------------------------+ | Martin Zejma 8326442 @ AWIWUW11.BITNET | | | | Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria | +-----------------------------------------------------------------------+ ------------------------------ Date: Sat, 09 May 92 03:44:00 +0000 >From: vishart@ubvmsd.cc.buffalo.edu (Joseph Hart) Subject: Re: EuroMail Bomb Virus (Amiga) engel@ztivax.zfe.siemens.de (Michael Engel) writes... >One of my viruscheckers (virusZ) finds an EuroMail Bomb virus >in some programs I got via ftp. Other checkers do not. >Is it really a virus , and if yes, what will it do ? You appear to have encountered an entity called EM-Wurm. Here is what I have been able to find out about it so far : - EM-Wurm (deliberately against EUROMAIL) doesn't survive reset always: writes in startup-sequence $A0,$0A (1st line) own Process: clipboard.device writes in c: $A0, length: 3888 Bytes (ASCII-Text available) writes in 5th Byte of c:protect (when available) $01 Result: protect useless Damage routine: Works only when devices EM, EUROMAIL or EUROSYS are available. overwrites all Files in these directories with memory from MsgPort. In damaged files: from $BC text 'clipboard.device'. After that a pause of 3mins using dosdelay $259A After pause damage routine is called again. I am not absolutely certain that this is what you have, but it sure looks like it. ___________________________________________________________________ | Internet: vishart@ubvmsd.cc.buffalo.edu Joe Hart | /// Plink: OSS542 Niagara Falls, NY | \\\/// Ham call: WA2SND | \XX/ AMIGA - Computers for REAL MEN =================================================================== ------------------------------ Date: 08 May 92 20:05:11 +0000 >From: ralphc@tekcae.cax.tek.com (Ralph Carpenter) Subject: Re: Why a good virus is a bad idea? werner@rascal.ics.utexas.edu (Werner Uhrig) writes: >> I am writing an article about the possibility to use virus techniques >> for something useful. I am already aware with Dr. Cohen's ideas on [text deleted] > have you ever heard of a human immunization that spreads ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > "virus-like"? I haven't, but even if it was possible, who > would/should take the responsibility to consider the whole > world as their private laboratory...?!? It's a minor point, but I believe that the proponents of the Sabin Polio immunization system touted the fact that it used live "safe" polio viruses because those "safe" viruses would spread to other members of the family and neighborhood through normal human (non-sanitary) contact, the same way that colds and the flu spread among family members. The result would be beneficial because people that had never been "officially" immunized would wind up immune to polio. At least that was the argument when those opposed to live viruses balked at changing from the Salk vaccine, which uses dead viruses. I don't know if the proposed benefits actually turned out that way in the last 30+ years since Sabin's method displaced the Salk method. What is the current thinking? (Just a trivia question, I know this is a computer virus group....) Ralph Carpenter Thermal Engineering CAX Center Tektronix, Inc. Beaverton, OR ------------------------------ Date: Fri, 08 May 92 14:57:00 +0100 >From: Anthony Naggs Subject: Virus hides in printer (again) New Scientist magazine suffered major injuries in the its recent 'revamp'/ 'relaunch' losing several respected contributors and gaining an editorial mess. However it has again published a National Enquirer reject in the Feedback column of the latest issue [No 1820, 9 May 1992]: > Some of the newest viruses can play a nasty trick: they store themselves > in your printer. > ... [stuff deleted] ... > [the virus] can hide in the printer while a program cleans the computer > of all known viruses. It then runs back down the printer lead and into > the printer. Theseer and wider to undermine peoplfidene in computers and anti-virus products. It is the duty of those of us who know better to stomp on these stories. I missed some of the previous debate on this subject, but my points for refuting the story are: 1 Viruses need to propagate in order to spread, if there is only ever one copy, (wherever it is), ipso facto it is not a virus. 2 Few, if any, printers have memory which can be read back by connected computers. 3 There is no mechanism in any pc operating system that will receive, store and execute data from a printer. 4 Such a viruscannot know all anti-virus software, so would have to move itself out of the computer while any program is run - therefore the computer is not infected anymore! In summary such a virus would need cooperation from the printer and host computer. Coercing such cooperation would require parts of the virus to be permanently in both machines, hence being present when anti-virus software is used. I have rung New Scientist 3 times already today but have been unable to speak to anybody about this, however as I was typing this in they rang me back. They report that the original source for this story was Microsoft! You certainly have my support if you stomp on Microsoft as well as the story. Regards Anthony Naggs (Email: amn@vms.brighton.ac.uk or xa329@city.ac.uk) ------------------------------------------------ vii. And Grimma said, We have two choices. - The Book of Nome, viii. We can run, or we can hide. - Quarries, Chp 3 ix. And they said, Which shall we do? - x. She said, We shall Fight. - Terry Pratchet ------------------------------ Date: Fri, 08 May 92 23:43:17 +0000 >From: saluja@Cadence.COM (Dipender Saluja) Subject: Anti-Virus Hardware survey Has anyone used any Anti-Virus Hardware products? I'm new to this newsgroup, so I'm not sure if there has been a discussion regarding Anti-Virus hardware -- but it would be great if someone could provide some detailed information about any hardware solutions that exist. It would be interesting to hear about how they work, how effective they are against file, boot sector and partition table viruses, and general pros and cons. If anyone has a good description, a comparision chart, or any information whatsoever about Anti-Virus Hardware --- I'd really appreciate it if you could mail it to me. If I get a good response, I'll be happy to post a summary on the net. Thanks, -- Dipender. - ------------------------------------------------------------------------------- Dipender Saluja saluja@cadence.com Cadence Design Systems ...uunet!cadence!saluja - ------------------------------------------------------------------------------- ------------------------------ Date: Fri, 08 May 92 22:36:57 -0700 >From: rslade@sfu.ca (Robert Slade) Subject: Checklist part 13 (almost finished) 920508 PRTCKLD.CVP Antiviral checklist - part 13 (Lucky, eh?) If infection found: Once you find an infection, what do you do about it? First thing is, don't panic. Remember that a lot of viral programs don't do any damage -- at least not intentionally. While you should not go blithely on as if nothing had happened when you find a virus, don't overreact, either. And, instead of focussing on the immediately obvious problem of the infection itself, try to take a few steps for future protection. _ Send copy to recognized researcher This step is vitally important, and all too often neglected. Get a copy of the virus. Copy an infected program to a disk, or infect a floppy disk with a boot sector infector. The instant reaction is to sweep it under the rug: that helps no one. On the one hand, people are afraid of the reputation of viri as being related to pirate software. However, if no one ever tries to find out how they spread, how can we make the studies to determine this? On the other, new variants spring up all the time, and we need to track and trace these mutations. _ Isolate machine and disks As mentioned, do not simply carry on as before. The floppy disks used in the machine are often neglected in the panic. Remember that the most successful of viral programs have always been boot sector viri, and these are always spread by diskettes. _ Perform minimal disinfection Please let me stress the "minimal". Do the *least* that you can do, and still ensure security. While there is some doubt as to the wisdom of "disinfecting" of program files, it is surely better to delete one file than to restore the whole directory. It is better to delete and restore one directory than to restore the whole disk. And. No one. Ever, yet. Has found a virus which requires a low level format. No LLFs. Got that? However, do perform a thorough disinfection. Many people, while going far too far in gouging an infection out of their workstation, will fail to check out their floppy diskettes and backups. One of the most Frequently Asked Questions on VIRUS-L is "I cleaned off Stoned but now it's back, how come?" Easy answer. You didn't check your disks. Also, with few exceptions, when disinfecting power down cold and start fresh. If you have a virus in memory, none of your disinfection methods can be guaranteed, and some may even harm. copyright Robert M. Slade, 1992 PRTCKLD.CVP 920508 ============== Vancouver | "Is it plugged in?" Institute for Robert_Slade@sfu.ca | "I can't see." Research into rslade@cue.bc.ca | "Why not?" User CyberStore Dpac 85301030 | "The power's off Security Canada V7K 2G6 | here." ------------------------------ Date: Fri, 01 May 92 19:29:45 -0700 >From: msb-ce@cup.portal.com (Fritz Schneider) Subject: Re: Virus jokes (Humor!) KvW> [Comments on whether or not to accept jokes at all are welcomed.] I will be giving a talk on viruses to the Bar Association shortly and a selection of topical humor is welcome. I won't be able to use my large collection of lawyer jokes, you see. Complete the following in 50 words or less: "Did you hear about the robot who got stoned?..." "There was a young coder named Cyrus,..." "A salesman, a manager and a programmer were sitting on a bus..." "What do you get if you cross a virus with a ...?" On second thought, maybe I'll go back to the lawyer jokes. What can they do? Stone me? Cheers, Fritz ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 103] ******************************************