To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #75
--------

VIRUS-L Digest             Monday, 10 May 1993        Volume 6 : Issue 75

Today's Topics:

    List/group outages, moderator address update
    Virus Copyright
    Re: Sharing info
    Virus in a .GIF file?
    Re: Antivirus Software Distribution
    re: unix viruses? (UNIX)
    Re: CyberSoft UNIX scanner (UNIX)
    UNIX intrusion detection in real time (UNIX)
    German Message from English Computer (PC)
    Re: New variety of Stoned virus? (PC)
    Re: VIRUS-L Digest V6 #73: VSUM Thread (PC)
    Re: MSAV and text-files (PC)
    Re: New variety of Stoned virus? (PC)
    F-Prot False alarm? (PC)
    Re: F-Prot 2.08 (PC)
    F-PROT 2.08 (PC)
    Re: Copyright of Virus Signatures (PC)
    New McAfee programs available (PC)
    Possible new virus (PC)
    stoned virus (PC)
    Mich on Sun? (PC)
    FP-208A.ZIP - F-PROT 2.08a: Virus detection/removal software (PC)
    McAfee VIRUSCAN V104 uploaded to SIMTEL20 (PC)
    Evaluation standards - open ended (CVP)
    Legal Net News
    YAEMA! (Yet Another Errant Magazine Article)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 10 May 93 09:48:14 -0400
From:    "Kenneth R. van Wyk"
Subject: List/group outages, moderator address update

VIRUS-L/comp.virus readers:

Over the past couple of weeks, we've experienced a couple of network, computer, and power outages that have caused several delays in getting VIRUS-L postings out to you all. As a result, I have several messages in the queue that are somewhat dated; I will get those out ASAP. My apologies for any inconveniences.

In an attempt to improve the reliability of the list/group, I've moved the moderator account here to my office system. Please continue to address all submissions to virus-l@lehigh.edu, however.

Again, sorry for the inconvenience.

Cheers,

Ken

Kenneth R. van Wyk
Division Chief, Operations
Center for Information Systems Security (CISS)
Moderator, VIRUS-L/comp.virus
krvw@Agarne.IMS.DISA.MIL

------------------------------

Date:    Wed, 05 May 93 20:49:06 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Virus Copyright

> When a virus is found, it does not usually contain a copyright, because
> as far as I can tell, to claim copyright your real name must appear with it.
> Obviously, most virus writers don't want to do this. However, if someone did
> extract a piece of code (signature) from the virus, and included it in their
> virus scanner, and received a financial advantage from this inclusion, and the
> author came forth to claim copyright, would such a case be legal?

Under the Berne Convention all material is copyright the moment it is created by the author. The author's name and copyright notice need not appear. The Berne Convention is held to in most of the world including US and Europe.

It would, of course, be stupid for the author to claim copyright in the same way that it would be stupid to demand a deposit refund on the truck used to bomb the World Trade Center...

Pete Radatti

------------------------------

Date:    Wed, 05 May 93 22:27:22 -0400
From:    AMN@UBIK.DEMON.CO.UK
Subject: Re: Sharing info

Roberto Reymond, , writes:

> ...
> For example, Great Britain: since the net is accessible
> from UK, then I must be very careful not to post here anything that is
> forbidden in UK, isn't it? ...

I find great difficulty in understanding this statement.

> ... If I were British, I
> would be aware that it's illegal for me to write a virus, so if here
> somebody shows some virus code, or points out where to get a copy of
> 40-Hex, I simply ignore that info. ...

It is exceedingly difficult to "be aware that it's illegal", as it is not illegal in Britain to write or possess computer viruses. You seem to have misunderstood part of the British "Computer Misuse Act", which makes it illegal to:

* cause damage or alteration to computer data, (regardless of the means used).

It is quite probable that supplying, or producing, viruses expecting that they will be used for such a purpose is also illegal.

I am quite happy that the current rules enforced by the moderator of virus-l/comp.virus prohibit the distribution of viruses here. And ethically I endorse the rules prohibiting the use of this forum to advertise or exchange viruses.

Information about viruses is a cloudier issue. Knowing that virus writers (such as phalcon/skism in the US) follow this forum, I urge all contributors to judge carefully the balance between informing users and educating the virus writers.

Regards,
Anthony Naggs

Software/Electronics Engineer     Email:  amn@ubik.demon.co.uk
& Computer Virus Researcher          [or xa329@city.ac.uk]
Paper mail:  P O Box 1080, Peacehaven, East Sussex BN10 8PZ, Great Britain
Phone:  +44 273 589701

------------------------------

Date:    Thu, 06 May 93 01:22:49 -0400
From:    dbarber@crash.cts.com
Subject: Virus in a .GIF file?

While reading alt.supermodels (if you have to ask why, *don't) there was a discussion about someone finding a virus in a .GIF file. Seems to me that if there's a virus in a .GIF file -- SO WHAT?
Outside of it being a novel way to convey a virus across the internet to someone looking for it, I can't see how it could actually infect one's machine, since a .GIF file is not "executed". Unless someone has written a well distributed .GIF viewer with a hook to run viri from selected .GIF files (and therefore avoid detection as an infected program), it would seem there is nothing to worry about from a .GIF file.

If I'm wrong, will someone please tell me just where? Thanks!

Without change,                        *David Barber*
nothing can ever get better.           @}-->----
                                       UUCP: ucsd!crash!dbarber
                                       INET: dbarber@crash.cts.com

------------------------------

Date:    Thu, 06 May 93 11:46:56 -0400
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Antivirus Software Distribution

Dave Millar asks...

> Can anyone point me to procedures for safe distribution of antiviral
> software - addressing use of FTP as well as diskettes?

The safest way to obtain an antiviral utility is from the author or publisher directly. That's the only way you can be reasonably certain you're getting clean software. In the case of commercial software, that means obtaining updates on a distribution disk from the publisher, or obtaining from the company's own online bulletin board or their own FTP site, if one or both is provided.

In the case of freeware or shareware, it means selecting a "trusted" FTP site or online service. For example, John Norstad makes his Macintosh Disinfectant utility available on his own FTP server; that's the safest place to get each version from, though of course there are other FTP sites that can be trusted with respect to Disinfectant and other antivirals. I provide antiviral utilities on my own bulletin board, but I grant that only people who know me well can really be sure that my BBS is a "safe" source for this software.

In your situation, there are undoubtedly facilities on Penn's campus, or dealers nearby, where you can obtain safe copies of the free and shareware utilities.
-------------------------------------------------------------------------
Mark H. Anbinder                        | Technical Support Coordinator
BAKA Computers Inc.                     | mha@baka.ithaca.ny.us
200 Pleasant Grove Road                 | (or) mha@tidbits.com
Ithaca, New York 14850 USA              | Phone 607-257-2070  Fax 257-2657
-------------------------------------------------------------------------
BAKA Technical Support e-mail "hotline": tech_support@baka.ithaca.ny.us
-------------------------------------------------------------------------

------------------------------

Date:    Thu, 06 May 93 09:40:48 -0400
From:    "David M. Chess"
Subject: re: unix viruses? (UNIX)

>From: schardt@acc.vf.ge.com (James A. Schardt)
>I have been told that there are UNIX viruses (not talking about
>worms or Trojan horses). Is there a place on the net where
>UNIX viruses are documented?

The three things I know of that might fit your description are:

- A shell-script virus that was written up in a USENIX Proceedings a while back (I don't have a ref, I'm afraid); it worked, and escaped to one or two other machines during test, but isn't known to be in the wild at present.

- A technical description of a library virus that was put out as a hoax just to show that it was possible. The virus itself was never written, but the account sounded quite plausible. Don't know if it's archived anywhere.

- The virus that Fred Cohen used for his experiments documented in his "Computer Viruses: Theory and Experiment", Computers & Security, Vol. 6 (1987), pp. 22-35. This was of course never released outside the experiment.

There are no UNIX viruses known to be in the wild at present.

>Is it true that a virus would find the UNIX environment very
>inhospitable because of the protection the OS puts around its
>own memory space and the confinement of the users memory space.

No.
Computer viruses don't have to do anything nefarious with memory spaces to operate; as the Cohen paper cited above shows, they can spread in many typical environments by flowing only along channels that are authorized for writing. They don't have to subvert security, or exploit a lack of security, to spread. On the other hand, they do seem to require a degree of interconnectivity and software sharing that so far only happens in the microcomputer area...

-- -
David M. Chess                   \  Femmes aux tetes de fleurs
High Integrity Computing Lab      \  retrouvant sur la plage la
IBM Watson Research                \  depouille d'un piano a queue

------------------------------

Date:    Thu, 06 May 93 13:05:59 -0400
From:    Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: CyberSoft UNIX scanner (UNIX)

radatti@cyber.com (Pete Radatti) writes:

>CyberSoft, Inc is a company that produces virus scanners for Unix and
>other operating systems. It uses its own parsing language called
>CVDL. CVDL is copyright and published for use by end users of
>CyberSoft's VFind product.

An obvious question is what/how many Unix viruses does it "scan" for. I was under the impression that there were few to none Unix viruses "in the wild" and thus most of the potential market was for security/integrity software rather than known virus scanners. If this is not the case, tell us about it.

--
Albert Lunde                      Albert-Lunde@nwu.edu

------------------------------

Date:    Thu, 06 May 93 19:26:18 -0400
From:    QMDKDL@GSUVM1.GSU.EDU
Subject: UNIX intrusion detection in real time (UNIX)

A student of mine is doing work in the area of law enforcement / computer security. He recently found a dissertation abstract which talks about a security system capable of identifying attackers in realtime. It's based on typing metrics and developed for Sun workstations running UNIX. We are trying to find some additional information on the product but have been unsuccessful.
Is anyone familiar with the product or have suggestions as to where / whom we might look? Feel free to respond directly to my id (qmdkdl@gsuvm1.gsu.edu)

Thanks in advance.

kdl

------------------------------

Date:    Wed, 05 May 93 17:40:18 -0400
From:    "William Walker C60223 x4570"
Subject: German Message from English Computer (PC)

Interesting problem: I've had a user report that his machine has displayed a German message twice: once a month ago and once two days ago. His machine locked up after the one two days ago. The message is "Kein system oder laufwerksfehler. Wechseln und taste drucken." This translates roughly to "No system or DOS error. Replace and press a key."

It sounds to me like he had a diskette formatted with a German version of DOS in his drive when he rebooted; however, I checked all of his diskettes with Norton Utilities and did not find this message on any of them. Neither did I find it anywhere on his hard disk. The user insists that there was no diskette in the drive at the time (he even called their "computer expert" over, who says the same thing). He also says that no one has used a foreign diskette on his system recently, and he has not exchanged diskettes with anyone. Sounds like famous last words to me. ;-) The only stray diskette on his system was one which had some data files which he converted for someone last month, but they kept the diskette, he did not make a diskcopy, and they haven't been back since, especially not two days ago.

There is no memory missing on the machine. Booting from a clean DOS 5.0 floppy and running F-PROT 2.07 and 2.08 revealed nothing, even with a heuristic scan. The MBR and boot sector of the hard drive are normal.

I seriously doubt that this is a virus, but I can't find another reason for it, either. Does anyone have a clue as to what's happening?

Thanks in advance.
Bill Walker ( WALKER@AEDC-VAX.AF.MIL )      | "Simply do not ask me what this is
OAO Corporation                             |  all about, parce que je ne sais
Arnold Engineering Development Center       |  pas, mes chers."
1103 Avenue B                               |         -- Holly Golightly,
Arnold Air Force Base, TN 37389-1200        |         "Breakfast at Tiffany's"

------------------------------

Date:    Wed, 05 May 93 22:27:35 -0400
From:    AMN@UBIK.DEMON.CO.UK
Subject: Re: New variety of Stoned virus? (PC)

Kate Wilson, , wrote:

> Yesterday we had (yet another!) hit from the Stoned virus. ...
>
> Both floppy drives stopped reading high-density diskettes at the same
> time the PC was infected although I suspect that was coincidence and not
> virus-related...

This is -THE- biggest possible clue that you have a variant of Stoned.

For the technically minded: MSDOS uses a data block (called the BIOS Parameter Block - BPB) in the boot sector to recognise a diskette's format. Most Stoned variants destroy this when they infect. If the data block is invalid DOS typically assumes the disk is 360k, though this seems to vary a little with machine configuration and DOS version.

Hope this helps,
Anthony Naggs

Software/Electronics Engineer     Email:  amn@ubik.demon.co.uk
& Computer Virus Researcher          [or xa329@city.ac.uk]
Paper mail:  P O Box 1080, Peacehaven, East Sussex BN10 8PZ, Great Britain
Phone:  +44 273 589701

------------------------------

Date:    Thu, 06 May 93 01:05:38 -0400
From:    vmk@rand.mel.cocam.oz.au (Victor Kay)
Subject: Re: VIRUS-L Digest V6 #73: VSUM Thread (PC)

For some time now I've been following the thread about VSUM. Now don't get me wrong, I'm neither for nor against it (although I must admit that since following the thread I'm very unsure of its worth and don't refer to it). The point is that the argument seems very one-sided. At any time I've been expecting Ms Hoffman to respond to the allegations - but no show!!

Don't you think it would be a good idea to invite her to respond to the issues raised?
Regards

Victor Kay
Co-Cam Computer Group, Melbourne, Australia
E-Mail: vmk@rand.mel.cocam.oz.au

------------------------------

Date:    Thu, 06 May 93 06:08:19 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: MSAV and text-files (PC)

v922340@herzberg.si.hhs.nl (Ivar Snaaijer) writes:

>It says on page 79 something about a virus that is known to infect datafiles.
>infect a datafile ? , don't they mean that there is some code that could be
>a virus that is stored in a file which is not executable ?

I don't have the book, so I don't know what they are talking about, but there are indeed a few viruses that can "infect" a datafile - for example some stupid overwriting viruses that overwrite all files in the current directory. However, you would not be able to *execute* the "infected" datafile.

The most common methods to select which files to infect are:

1) Select files with .COM and/or .EXE extensions

2) Select files that are loaded/executed with INT 21H, function 4BH.

>How can a non-executable be a threat to you ?

It cannot - not unless you rename it and run. However, a much more serious problem is that some viruses *corrupt* datafiles -

>another thing about MS (CP) AV is that it default scans ALL files on disk.
>(this takes a lot of time on a 213Mb HDD). Is this really necessary or
>is heuristic scanning stupid ? ....

Uh, I don't understand what you mean...CPAV/MSAV does not do any heuristic scanning at all.

One note about MSAV - The May 93 Virus Bulletin just reviewed it - and one interesting observation is that it performed much worse than the CPAV scanner which was tested in January - missed more than twice as many viruses from the "small" set.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 06 May 93 06:27:20 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: New variety of Stoned virus? (PC)

sph0301@utsph.sph.uth.tmc.edu (Kate Wilson) writes:

>Yesterday we had (yet another!) hit from the Stoned virus. Surprisingly,
>the latest version (2.08) of F-Prot wouldn't clean it

Right. It seems 2.08 has problems removing some boot sector viruses, which could be disinfected with 2.07. We have now found and fixed the problem, and a new version - 2.08a is being tested right now - we will announce it when it is ready for release - hopefully later today.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 06 May 93 10:44:54 -0400
From:    fergp@sytex.com (Paul Ferguson)
Subject: F-Prot False alarm? (PC)

This message is forwarded from the FidoNet VIRUS_INFO Conference -

8<----- Begin forwarded message ---------

Date: 05-02-93 (01:54)
From: ARIE ZILBERSTEIN
To:   ALL
Subj: F-Prot 2.08

Y'hello All!

F-Prot 2.08 reported this on its Heuristics scan:

-------------
C:\CPAV\VWATCH.COM seems to be infected with an unknown virus.
Please contact Frisk Software International or send us a copy for analysis.
-------------

VWATCH.COM is a memory resident program that comes with the CPAV package. It checks whenever you load a file for viruses. If you can, please notify Frederick of this case -- VWATCH.COM is -not- infected by any virus.

Bye
AZ

.. "No, I never did it before, but how hard can it be?" - Last RPG words

--- FMail 0.95a4 beta+
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (2:403/159.0)

8<------ End of forwarded message -----------

Cheers.

Paul Ferguson                  |  Uncle Sam wants to read
Network Integrator             |  your e-mail...
Centreville, Virginia USA      |  Just say "NO" to the Clipper
fergp@sytex.com                |  Chip...
-------------------------------+------------------------------
        I love my country, but I fear its government.
------------------------------

Date:    Thu, 06 May 93 13:17:45 -0400
From:    Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: F-Prot 2.08 (PC)

gj9@prism.gatech.edu (georgia deakin) writes:

>I just obtained a copy of F-prot 2.08 and started to install it on one
>machine here. Seems this computer is infected with the Stoned virus. This
>is the one virus we seem to have problems with here - I have been told by
>campus technicians that it floats around on our net. [...]

Not literally -- Stoned is a boot infector, so it mainly spreads by infecting diskettes -- it won't spread by infecting files on a file server or over any network I know of. I think the FAQ has more to say about this...

--
Albert Lunde                      Albert-Lunde@nwu.edu

------------------------------

Date:    Thu, 06 May 93 15:34:29 -0400
From:    pessoa@dcc.ufmg.br
Subject: F-PROT 2.08 (PC)

I got F-PROT 2.08 last friday. I was making some tests with it when I discovered something strange. This version couldn't remove the Michelangelo virus from a disk. So I made some physical copies of the disk and made tests with other scanners. Everyone found the virus and could remove it. F-PROT 2.07 did this too.

Well, anybody knows what is happening ? Would my program be hacked or something like this ? Or is it a program error ?

Thanks

Albener Esquirio Pessoa

------------------------------

Date:    Thu, 06 May 93 21:46:40 -0400
From:    dudleyh@redgum.ucnv.edu.au (Dudley Horque)
Subject: Re: Copyright of Virus Signatures (PC)

skank@leland.Stanford.EDU (Forked Tongue Redlich) writes:

>Well, I'm only a law student, but . . .
>Probably not. Copyright protects expression of ideas, not the ideas.
>Thus, you couldn't copyright E=MC^2, though you could copyright
>a book explaining it.
>Also, generally speaking, the shorter the expression, the harder it is
>to copyright. If you tried to copyright the letter A, you'd lose,
>because others are going to need to use it.
>

A couple of interesting points... a guy who lives about 30km from here was on a national current affairs infotainment program on television recently for having patented a formula which he claims (from what I can remember) explains a lot of unknowns in the universe, much like the young Albert Einstein did in the movie Young Einstein, with his formula that you quoted (e=mC^2).

Secondly, you cannot, indeed, copyright the letter A, but you can copyright a certain design of the letter A. Fonts (both computerised and otherwise) are subject to copyright.

I know these points don't further any discussion points here, but I thought that they might be ever so slightly interesting.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ciao4niao                          My philosophy on life is far too deep
Dudley Arthur Horque               to fit into two lines... I'd need three.

------------------------------

Date:    Thu, 06 May 93 22:16:42 -0400
From:    HAYES@urvax.urich.edu
Subject: New McAfee programs available (PC)

Hello.

Just to mention the availability for FTP processing of the new versions of McAfee Associates programs. They all contain the string "104" in the filename (e.g. SCANV104.ZIP).

Enjoy,
Claude.

==========
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu         (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date:    Fri, 07 May 93 05:55:01 -0400
From:    venzi@math.fu-berlin.de
Subject: Possible new virus (PC)

A couple of days ago I got scanv102.
After my machine broke down several times I decided to run scan, and I've got the following messages:

    Virus cannot be removed safely from the partition table
    Virus removed.

I scanned again after booting safe msdos - nothing happened. Then I tried with the "infected" msdos, and the "infected" scan - nothing. The message came during the memory scan.

Is this a new virus? How can I get rid of it?

Venzi

------------------------------

Date:    Fri, 07 May 93 11:03:20 -0400
From:    tsnow%vitronix@uunet.UU.NET (Tom Snow)
Subject: stoned virus (PC)

Hello All,

After scanning my hard drive with McAfee's virus scanner ver 9.12 the [stoned] virus was found active in memory. I rebooted with a diskette and reran Scan & Clean. The [stoned] virus still exists. I pulled the battery and let the machine sit awhile but to no avail the virus is still there. I just can't get rid of this virus. Any suggestions.

Thanks,
Tom Snow

--
Tom Snow                                        Phone:  (703) 704-1184
Night Vision & Electronic Sensors Directorate   Fax:    (703) 704-1100
AMSEL-RD-NV-AOD-IAMT                            E-mail: tsnow@nvl.army.mil
Ft. Belvoir, VA 22060

------------------------------

Date:    Sat, 08 May 93 06:38:36 -0400
From:    Javier Fernandez Baldomero
Subject: Mich on Sun? (PC)

Hi!:

I saw this on sun-managers, and thought that maybe somebody in this list knew the answers. Please don't answer directly to sun-managers (or you'll get flamed :-)

==================
Delivery-date: Sat, 8 May 1993 12:23:15 UTC+0200
Originator: sun-managers-relay@ra.mcs.anl.gov
Send-date: Fri, 7 May 1993 8:08:52 UTC-0400
From:
Authorizing-Users:
To:
Reply-To:
Message-ID: <9305071208.AA19545@axl.gnr>
Subject: PC Virus on Sun
>X-Envelope-to: jfernandez@ugr.es
>Precedence: bulk
>Followup-To: junk

What effect (if any) would a PC floppy infected with Michelangelo virus have on a Sun if it was inserted in a Floppy drive and mounted as a PCFS file system?
I think that since the virus is said to affect the boot block(s) of PC disks, the disk probably would not be readable by the Sun since it is somewhat corrupt, but maybe not. If it fooled my SPARC 10 and mounted correctly would the virus be able to harm any of my local SPARC disks or files ?

( These are not really hypothetical questions, this already happened. )

I will summarize if there is interest...

---------------------------------------------------------------
Wyllys Ingersoll
E-Systems, Melpar Div.
Ashburn, VA
Internet: wyllys@axl.melpar.esys.com
UUCP:     uunet!melpar.esys.com!axl!wyllys

------------------------------

Date:    Sat, 08 May 93 16:51:15 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: FP-208A.ZIP - F-PROT 2.08a: Virus detection/removal software (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:
FP-208A.ZIP     F-PROT 2.08a: Virus detection/removal software

This version (2.08a) corrects one significant problem with 2.08 as well as two minor ones.

- Version 2.08 was not always able to disinfect boot sector viruses that 2.07 could handle without problems

- Not all samples of the Azusa virus were identified properly - some were identified as "new or modified variant of Stoned".

- One false alarm in a file named DOS400.TSG

I apologize for any inconvenience caused by this.

frisk

--
Fridrik Skulason      frisk@complex.is

------------------------------

Date:    Sat, 08 May 93 16:51:28 -0400
From:    aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VIRUSCAN V104 uploaded to SIMTEL20 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:
CLEAN104.ZIP    CLEAN-UP V104 virus remover for PC's & LAN's
NSHLD104.ZIP    NETSHIELD 1.5 Novell 3.11 NLM virus prevention
SCANV104.ZIP    VIRUSCAN V104 virus scanner for PC's & LAN's
VSHLD104.ZIP    VSHIELD virus prevention program for PC's
WSCAN104.ZIP    WSCAN V104 Windows version of VIRUSCAN

WHAT'S NEW

Version 104 of the VIRUSCAN (SCAN, CLEAN, VSHIELD and WSCAN) series has been released.
Perhaps the most immediate and obvious change is that there is no longer a separate program for scanning network drives (NETSCAN). All of NETSCAN's functionality has been added to SCAN, along with some changes to make SCAN easier to use in networked environments (see below for details).

Version 104 adds detection of 219 new viruses, bringing the total number of known viruses to 1,353, or counting variants, 2,049 viruses.

Version 103 was skipped due to a Trojan horse bearing that version number reported from Arizona.

VIRUSCAN

SCAN has three new options and one change added to it: Since SCAN is capable of checking both local and network drives, there are now switches to check all local drives (/ADL), all network drives (/ADN), and both local and networked drives (/AD). Additionally, a new switch (/BMP) has been added to check OS/2 Boot Manager partitions for master boot record (partition table) and boot sector viruses. Also, the /UNATTEND switch is now a default option. This switch was required for use in a multi-tasking environment such as DesqView, Windows, or OS/2.

CLEAN-UP

CLEAN adds removers for the 1757, Barrotes, Coahuila, Math Test, Monkey, and XTAC viruses. Additionally, during the course of adding the OS/2 Boot Manager capability, the code for handling boot sector viruses was completely re-worked. CLEAN-UP also has the new switches that SCAN has (/AD, /ADL, /ADN, and /BMP).

VSHIELD

VSHIELD now displays messages in Windows with a Windows dialogue box (previous versions displayed messages in windowed DOS session opened on the desktop). This is done through a new program, VSHWIN.EXE, which is INSTALLED by the /WINDOWS switch. Once VSHIELD is run with the /WINDOWS switch, it is not necessary to use the switch again. The CHKSHLD program now displays the options VSHIELD is using.

Due to changes in this version of VSHIELD, it is no longer compatible with MS-DOS 2.0. MS-DOS 3.0 or greater is required to run VSHIELD.
WSCAN

WSCAN supports all new features added to SCAN. Additionally, WINSTALL has been updated to allow installation on a network drive.

NETSHIELD

The NETSHIELD NetWare Loadable Module engine had been updated to version 1.5. This release adds the ability to detect unknown viruses by computing a cyclic redundancy check (CRC) value for files and then comparing them against that stored value for changes.

OS/2 PROGRAMS

SCAN and CLEAN for OS/2 are available by anonymous ftp from the mcafee.com site (IP# 192.187.128.1). They are located in the pub/antivirus directory.

VALIDATE VALUES

CHECKSHIELD 0.4 (CHKSHLD.EXE)          S:8,075    D:04-19-93  M1: 85A5   M2: 0A4F
CLEAN FOR OS/2 V104 (OS2CLEAN.EXE)     S:279,624  D:05-03-93  M1: 89D6B  M2: 105F
CLEAN-UP 9.15V104 (CLEAN.EXE)          S:144,637  D:05-03-93  M1: 6846   M2: 0EEE
NETSHIELD V1.5 (V104) (NETSHLD.NLM)    S:117,895  D:05-03-93  M1: 650C   M2: 000F
NETSHIELD V1.5 (V104) (VIR.DAT)        S:42,720   D:05-03-93  M1: 2DE6   M2: 0F31
SCAN FOR OS/2 9.15V104 (OS2SCAN.EXE)   S:206,064  D:05-03-93  M1: 0B56   M2: 108F
VIRUSCAN SCAN 9.15V104 (SCAN.EXE)      S:117,452  D:05-03-93  M1: 5771   M2: 1FC0
VSHIELD 5.4V104 (VSHIELD.EXE)          S:46,914   D:05-01-93  M1: 4A5F   M2: 132B
VSHIELD WINDOWS MODULE (VSHWIN.EXE)    S:14,260   D:03-16-93  M1: 3151   M2: 054B
SCAN FOR WINDOWS 104 (WINSTALL.EXE)    S:19,606   D:05-03-93  M1: FBF4   M2: 0438
SCAN FOR WINDOWS 104 (WSCAN104.EXE)    S:76,882   D:05-03-93  M1: B007   M2: 1CBF

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.      | Voice (408) 988-3832  | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14     | FAX   (408) 970-9727  | IP# 192.187.128.1
Santa Clara, California      | BBS   (408) 988-4004  | CompuServe ID: 76702,1714
95054-3107  USA              | USR HST Courier DS    |   or GO MCAFEE

------------------------------

Date:    01 May 93 16:17:00 -0600
From:    "Rob Slade, DECrypt Editor"
Subject: Evaluation standards - open ended (CVP)

PRTAVS6.CVP   930425

                    Evaluation Standards - Open ended

As viral programs are constantly developing new methods of attacking files and avoiding detection, so too antiviral software is constantly developing new methods, or at least new twists on old methods. The problem here is similar to that of the application of a single standard to diverse types of antiviral software. It is, however, complicated by the fact that we do not know what the new features of antiviral software may be, until such time as they appear.

Thus, while it might be possible to gather a series of criteria, broadly applicable to the wide variety of antiviral software, and to balance and "weight" the various gauges in order to come up with a "fair" assessment, it is impossible to so judge some feature that you have never considered.

As examples, let us consider the recent rise of three new forms of "generic" antiviral software: "heuristic" scanning, checksum "generic" disinfection and "heuristic" "generic" disinfection.

"Heuristic" scanning is nowhere near being a dependable form of viral detection. A great many programs, including antiviral software and other powerful utilities, are all accused (falsely) of being "suspicious". At the same time, a number of viral and trojan programs are not "caught". Thus "heuristic" scanning would fail miserably at criteria set up to judge signature scanning software. It would, though, be a great pity to inhibit the development of heuristic scanning software.
This field is really the application of "expert systems" to antiviral software: an "expert" antiviral disassembler is checking the code for you. Along with hoped-for advances in change detection, this bodes well to hold the greatest promise for the future of antiviral software. Indeed, not only will it identify suspect viral programs, but, with only minor additions, trojans and other "malware" as well.

If you know that you have a virus infection, don't bother purchasing a "checksum" disinfector. The checksum, CRC, Hamming or "image" calculations *must* be done while the software is "clean", since it only tries to return it to an "original" state. Even then, checksum disinfectors have a very low success rate with disinfection, and would undoubtedly fail any test set up to measure a set of "cleaning" programs. Heuristic disinfectors are even worse: they sometimes harm "good" programs.

While disinfection is often recommended against, there are situations where you want to keep an existing program rather than replacing it with an original copy which may not contain "set up" information. In this case, you may need the services of a disinfection program which does not rely on a data base of "known" viral programs.

copyright Robert M. Slade, 1993   PRTAVS6.CVP   930425

==============
Vancouver      ROBERTS@decus.ca         | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca      | "I can't see."
Research into  rslade@cue.bc.ca         | "Why not?"
User           p1@CyberStore.ca         | "The power's off
Security       Canada V7K 2G6           |  here."

------------------------------

Date: Thu, 06 May 93 22:43:01 -0400
From: fergp@sytex.com (Paul Ferguson)
Subject: Legal Net News

Due to the increasing demands of external activities, Legal Net News will discontinue being sent on a mailing list. My apologies go out to all of you who sent subscription requests. Legal Net News will, however, continue to be compiled, produced, released and archived on a regular basis.
It can be found at the following locations:

Publicly Accessible BBS's
-------------------------
The SENTRY Net BBS              Arlington Software Exchange
Centreville, Virginia USA       Arlington, Virginia USA
+1-703-815-3244                 +1-703-532-7143
To 9,600 bps                    To 9,600 bps

The Internet
------------
Legal Net News is available at the following archive site(s)-

tstc.edu (161.109.128.2)
Directory: /pub/legal-net-news

Login as ANONYMOUS and use your net ID (for example: fergp@sytex.com) as the password.

The most recently released issue was volume 1, issue 4 dated 6 May, 1993 and is in the following format:

                  Filename        Filename
                  Compressed      ASCII
Vol 1, Issue 1    LNM0493.ZIP     LNM0493.TXT
Vol 1, Issue 2    LNN0102.ZIP     LNN1.002
Vol 1, Issue 3    LNN0103.ZIP     LNN1.003
Vol 1, Issue 4    LNN0104.ZIP     LNN1.004

Thanks for the interest.

Cheers.

Paul Ferguson                  | Uncle Sam wants to read
Network Integrator             | your e-mail...
Centreville, Virginia USA      | Just say "NO" to the Clipper
fergp@sytex.com                | Chip...
- -------------------------------+------------------------------
I love my country, but I fear its government.

------------------------------

Date: 07 May 93 14:53:00 -0600
From: "Rob Slade"
Subject: YAEMA! (Yet Another Errant Magazine Article)

Datamation, May 1, 1993 edition, has an article entitled "How to Kill a Mutant Virus". As is often the case, the "article" seems to be more akin to an extended advertisement for commercial antiviral software. I'd like to quote, and comment on, a few lines.

The piece starts out with "A smarter and more malicious breed of computer virus is ready to seek out and destroy your ... data". The author (one Rick Cook) goes on to deal reasonably well with stealth and polymorphism, but he neglects to mention that this technology is already "old", in viral terms, and has not proven to be terribly successful. What *is* successful? Stoned and Jerusalem; two pretty "stupid" viri.
The CPAV development manager states that "I don't know a single corporation that is not looking into or doesn't have virus protection of some kind". I'll just let that one lie.

The following paragraph states that "Because the new viruses are so potent, there is considerable interest in hardware to exterminate them". (Send in the Daleks! :-) Aha! We come to the reason for the article! Western Digital's Immunizer! Therefore, I shall be releasing my review of the Immunizer immediately.

"The Immunizer works only on some of the newest ... microprocessors (a list ... is available from Western Digital)". While, strictly speaking, this statement is syntactically true, it is desperately misleading. The "Immunizer" must be "built in" to the machine, with a specialized controller and BIOS. At the time I tested it, there were only two: I got to see one and Ken got to see the other. They may have built some other prototypes since, and there have been some announcements that certain companies were going to build "Immunizer ready" machines, but I haven't seen any ads yet.

The piece quotes Robert Lee, of WD, as saying that the Immunizer gets fewer false positives than "the popular antivirus software". Whichever software he is referring to, and I have tested some dillies, that is a *terrible* thing to say about them. I have never had so many false positives with *anything* as I had with Immunizer.

The piece ends with another quote from the CPAV guy that "The virus writers have tried to come up with something that could not be caught, and they have failed". Well, yes. Vesselin, how well is CPAV doing on the MtE tests? :-)

=============
Vancouver      ROBERTS@decus.ca         | "The client interface
Institute for  Robert_Slade@sfu.ca      |  is the boundary of
Research into  rslade@cue.bc.ca         |  trustworthiness."
User           p1@CyberStore.ca         |        - Tony Buckland, UBC
Security       Canada V7K 2G6           | s pcimmnzr.rvw

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 75]
*****************************************
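Two items in this digest describe the same mechanism from opposite sides: the NETSHIELD 1.5 note in Aryeh Goretsky's announcement (detecting unknown viruses by computing a CRC for each file and comparing it with a stored value) and Rob Slade's CVP column (checksum, CRC or "image" calculations must be taken while the software is clean, and generic restoration from them has a low success rate). The Python below is an added example written for this digest, not code from McAfee Associates or from Rob Slade. It builds a CRC-32 baseline over a few constructed sample files, reports changed, new and missing files, attempts a generic restore from a stored header image plus the original size and verifies the result with the CRC, and shows that a baseline taken after a file has already been modified reports nothing at all. The file names and contents, HEADER_IMAGE_LEN, and the two modification helpers are constructed for the demonstration and are not taken from either product.

```python
"""Added example (not McAfee's or Rob Slade's code): CRC-32 change detection
with a generic header-image restore, and the clean-baseline caveat."""
import zlib
from typing import Dict, List, Tuple

HEADER_IMAGE_LEN = 32  # assumed: bytes of each file's head kept for restore

# Constructed sample "files": name -> contents, standing in for executables.
CLEAN_FILES: Dict[str, bytes] = {
    "SCAN.EXE":    b"MZ\x90\x00" + bytes(range(60)) + b"scan-engine-v104",
    "CLEAN.EXE":   b"MZ\x90\x00" + bytes(range(60)) + b"clean-engine-v104",
    "VSHIELD.EXE": b"MZ\x90\x00" + bytes(range(60)) + b"vshield-resident",
}

# One baseline record: (size, crc32, copy of the first HEADER_IMAGE_LEN bytes)
Record = Tuple[int, int, bytes]


def crc32(data: bytes) -> int:
    # zlib.crc32 is the standard CRC-32 (IEEE 802.3); the mask keeps it unsigned.
    return zlib.crc32(data) & 0xFFFFFFFF


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Record]:
    """Record size, CRC and header image for every file. The records are
    only worth anything if the files are known-clean at this moment."""
    return {n: (len(d), crc32(d), d[:HEADER_IMAGE_LEN]) for n, d in files.items()}


def check_files(files: Dict[str, bytes],
                baseline: Dict[str, Record]) -> Dict[str, List[str]]:
    """Compare current files with the baseline: changed / new / missing names."""
    report: Dict[str, List[str]] = {"changed": [], "new": [], "missing": []}
    for name, data in files.items():
        if name not in baseline:
            report["new"].append(name)
        elif (len(data), crc32(data)) != baseline[name][:2]:
            report["changed"].append(name)
    report["missing"] = [n for n in baseline if n not in files]
    return report


def try_restore(data: bytes, record: Record) -> Tuple[bool, bytes]:
    """Generic restore with no virus-specific knowledge: put back the stored
    header image, cut the file back to its original size, then verify the
    result against the recorded CRC. Returns (verified, candidate)."""
    size, crc, head = record
    candidate = head + data[len(head):size]
    return (len(candidate) == size and crc32(candidate) == crc), candidate


# --- constructed modifications, used only to exercise the checks above ------

def modify_append_and_patch_header(data: bytes, tail: bytes) -> bytes:
    """Appends bytes and overwrites part of the header; the stored header
    image plus the original size can undo this shape of change."""
    return b"MZ\xff\xff" + data[4:] + tail


def modify_insert_middle(data: bytes, blob: bytes) -> bytes:
    """Inserts bytes inside the body; header image plus size cannot undo it."""
    mid = len(data) // 2
    return data[:mid] + blob + data[mid:]


def demo() -> Dict[str, object]:
    baseline = build_baseline(CLEAN_FILES)          # taken while clean
    current = dict(CLEAN_FILES)
    current["SCAN.EXE"] = modify_append_and_patch_header(CLEAN_FILES["SCAN.EXE"], b"X" * 40)
    current["CLEAN.EXE"] = modify_insert_middle(CLEAN_FILES["CLEAN.EXE"], b"Y" * 40)
    report = check_files(current, baseline)

    ok_scan, fixed_scan = try_restore(current["SCAN.EXE"], baseline["SCAN.EXE"])
    ok_clean, _ = try_restore(current["CLEAN.EXE"], baseline["CLEAN.EXE"])

    # The caveat: a baseline taken *after* the change records the changed
    # file as "original", so the later comparison reports nothing.
    late_baseline = build_baseline(current)
    late_report = check_files(current, late_baseline)

    return {
        "changed": sorted(report["changed"]),
        "scan_restored": ok_scan and fixed_scan == CLEAN_FILES["SCAN.EXE"],
        "clean_restored": ok_clean,
        "late_baseline_changed": late_report["changed"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block reports both modified files as changed against the clean baseline, restores SCAN.EXE (header image plus original size is enough for an append-and-patch change) but not CLEAN.EXE (bytes inserted in the body cannot be reconstructed from the header alone, and the CRC check correctly refuses the candidate), and reports no changes at all against the late baseline. The size is compared as well as the CRC because a CRC alone is a weak check; a cryptographic hash would be the modern choice, but the CRC keeps the example faithful to the tools discussed in the digest.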