To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #88
--------
VIRUS-L Digest   Tuesday, 1 Jun 1993    Volume 6 : Issue 88

Today's Topics:

Re: IDES '93 Conference Proceedings
Network Security Standards
info sharing
Human factor in infections
Re: Review of BootX (Amiga)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Re: CPAV updates? (PC)
Tremor (PC)
Re: Single state machines and warm reboots (PC)
Re: CPAV updates? (PC)
Re: Bug With Virstop 2.08a & DOS6 Memmaker? (PC)
TREMOR via Satellite (PC)
TREMOR Analysis (PC)
DOS 6 Double Space and Invisible Virus (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Re: Cure against Tremor available? (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Is "Untouchable" (V-ANALYST) Effective (PC)
Thunderbyte anti-virus utils v6.02 uploaded to SIMTEL20 and OAK (PC)
virus news INTERNATIONAL CONFERENCE 93
Activity Monitors - variations (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on cert.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@AGARNE.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 27 May 93 18:06:35 +0000
From:    jmr@philabs.philips.com (Joanne Mannarino)
Subject: Re: IDES '93 Conference Proceedings

bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

|> George Guillory (wk04942@worldlink.com) writes:
|>
|> > I hate to bring this up but has anyone received the proceedings from
|> > the 6th International Computer Virus and Security Conference?
|>
|> At least none of the VTC participants (there were three of us) have
|> received them yet. I'll second your appeal to the organizers - due to
|> bad organization, it was almost impossible to attend the speeches, so
|> I would like at least to read the submitted papers...

This conference was held in New York City this past March and I
understand that the next one is already reserved for March 1994.

Please be forewarned to avoid this conference. I sent two people to
this last one and they felt it was the most unprofessional, unorganized
conference they'd ever attended -- they only went two of the three days
because they were waiting for it to get better but realized it never
would. I wrote a letter of complaint to the organization and also sent
copies to IEEE and ACM which were supposedly sponsors. I don't expect
to hear back from them, but wanted to warn anyone who may contemplate
going that it's a total waste of time and money.

Also, from what I've heard, this wasn't just a bad year. The conference
is very badly organized and seems to get worse every year.

-joanne mannarino

--
joanne mannarino                     philabs!jmr@uunet or
philips laboratories - briarcliff    jmr@philabs.philips.com

------------------------------

Date:    Fri, 28 May 93 08:01:42 -0400
From:    MARTIN@SALIG.DEMON.CO.UK
Subject: Network Security Standards

Can anyone point me in the direction of FTP sites that carry papers on
strategy on security and anti-virus matters for networks?
If so, can you please list any FTP sites other than CERT.ORG which have
an anonymous FTP account.

Many thanks in advance.

--+
Martin Overton              |Compuserve: 100063,1161
PC Technical Specialist     |Internet  : Martin@Salig.Demon.Co.Uk
Tel: +44 (403) 231937       |"Beam me up, Sooty!"

------------------------------

Date:    Mon, 31 May 93 10:00:50 -0400
From:    rreymond@vnet.IBM.COM
Subject: info sharing

Hi everybody!

After all that talk about Inbar's article, I've got my copy. Now I
wanna thank Inbar here for having shared that info. In fact this
article was very interesting and useful for me. Why? Simple: all that
I know about viruses and countermeasures I've learned ON MY OWN, or at
least supported by some more skilled (and patient) colleagues...
D'ya understand? That stuff, which I'm sure wasn't a mystery for The
Dark Side before Inbar's article, was quite a mystery FOR ME. And if
now I can better understand some tricks it is because someone (Inbar)
has kindly decided to share that, instead of keeping it for himself.

C'mon, folks, let's share...

..............................................Bye!
...................................................Roberto

-----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond                       IBM C.E.R.T. Italy
                                      via Lecco 61
---------------                       20059 Vimercate (MI)
RREYMOND@vnet.ibm.com                 Italy
MI VIM 491 ..........Phone +39.39.600.6873 Fax +39.39.600.5015............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980)            *
***********************************************************************

------------------------------

Date:    Sun, 23 May 93 10:12:01 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Human factor in infections

frisk@complex.is (Fridrik Skulason) wrote:

>>Would I be mistaken if I assumed that those companies weren't adequately
>>protected, or was it a new variant?

> They *thought* they were fully protected...unfortunately, they had not
> updated their anti-virus software for two years.

Then I wouldn't be mistaken to assume that :-)

The problem, the way I see it, is that companies that have something to
lose (namely, Data) don't realize that just equipping the employees (or
workstations) with Anti Virus products, no matter how idiot-proof or
easy to use they are, is NOT SUFFICIENTLY protective.

I believe that a company that cares about its data badly enough, and
that is in the risk group that I defined earlier in this thread, should
actually hire a qualified person to handle the virus problem. By
Qualified, I don't mean 'First Degree in Computers', because people
that learned their computer science only when in College don't really
know much about computers. By Qualified, I mean almost every one of
this echo's participants - people that are involved with viruses all
the time, whether they know everything about every virus, like the
hot-shots, or whether they don't, like me, but they know how to deal
with Anti-Viruses, and know the general risks and how to defend against
them.

Any comments?

Inbar Raz
Chief Data Recovery

--
Inbar Raz   5 Henegev, Yavne 70600, ISRAEL.   Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL.   Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

--- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Sat, 29 May 93 15:37:25 -0400
From:    hkantola@cc.helsinki.fi (Heikki Kantola)
Subject: Re: Review of BootX (Amiga)

Rob Slade (roberts@decus.arc.ab.ca) wrote:

> Performance
>
> Unknown at this time due to lack of a test suite. Currently one of the
> most highly recommended Amiga antivirals.
>
> Local Support
>
> The author is reachable via Fidonet and Internet mail.
>

However, the author has recently announced that all BootX development
is discontinued. But luckily there happen to be other equally good (?)
PD/SW viruskillers for Amiga, for example: Virus Checker (currently up
to v6.26) and VirusZ (latest is v3.06).

--
--------------------------------------------------------------------------
Heikki Kantola, Computer Linguistics student at the University of Helsinki
E-Mail: heikki.kantola@helsinki.fi                IRC: Hezu
--------------------------------------------------------------------------

------------------------------

Date:    Thu, 27 May 93 14:37:41 -0400
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)

frisk@complex.is (Fridrik Skulason) writes:

[ about CPAV causing false alarms ]

>Unfortunately no...Here is for example one report I received yesterday
>from one of my largest users:

>>I have encountered interaction between DOS V6.0's VSAFE and McAfee V104
>>and F-Prot 2.08a

> [ ... ] I see this basically as an MS/CP problem - those scanners seem
>to be the only ones which do not encrypt all virus signatures in memory.
>This is generating too many questions for me though - and what I
>probably will do is to add a check for VSAFE to my program, and if it
>is found I will display a message like "WARNING! WARNING! - VSAFE found
>in memory"

First, I think this is an *excellent* idea. It'll help cut down on
inexperienced people panicking when they run into it (and there'll be a
*flood* of them as DOS 6.0 propagates).

Second, I think you also need to include a disinfect option.
You'd be doing the antiviral world a favor. :-)

--
Gary Heston   SCI Systems, Inc.   gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Hestons' First Law: I qualify virtually everything I say.

------------------------------

Date:    Thu, 27 May 93 19:14:30 +0000
From:    ee1ckb@sunlab1.bath.ac.uk (Alan Boon)
Subject: Re: CPAV updates? (PC)

In the referenced article, bontchev@rzsun2.informatik.uni-hamburg.de
(Vesselin Bontchev) writes:

>Alan Boon (ee1ckb@sunlab1.bath.ac.uk) writes:
>
>> I am currently using CP Anti-Virus v1.4 and before anyone says anything
>> bad about it, I like it and think it's one of the best around! Does
>
>Would be curious to know why you think that it is so good?
>According to my own experience, it is actually one of the worst
>anti-virus programs around... Don't you like it because of the user
>interface, by chance? Remember that there is no record of a virus
>being ever stopped by a user interface... :-)
>
>> anybody know where I can download virus signature files from so I can
>> update my CPAV detection capabilities? It will be lovely if anyone
>
>They are available via anonymous ftp as
>
>ftp.informatik.uni-hamburg.de:/pub/virus/progs/cpav_upd.zip
>
>According to Padgett, the updates can be used to upgrade also the
>MS-DOS version of MSAV - the scanner that comes with MS-DOS 6.0.

With Bootsafe and Vsafe running, your system is well protected provided
you update the signature files. It offers a comprehensive protection
system that no other can match. Anyway, it wasn't the user interface
that attracted me but the protection level it offered.

Alan.

------------------------------

Date:    Fri, 28 May 93 09:27:22 -0400
From:    "Dr. Martin Erdelen"
Subject: Tremor (PC)

On Wed, 12 May 93 13:45:20 MEZ I wrote:

>is there any new development re: disinfection of the Tremor virus? Are
>there antiviral programs by now which can handle this beast?

Thanks to all who responded.
With the help of KILLT2.EXE, the Tremor Killer by Pascal Pochol, I was
able to disinfect the afflicted files. Yes, I do know that overwriting
would be better, but do my clients have clean backups? Nooooo!

(Incidentally, how does one make sure that the backups are *really*
clean? If no permanent infection watch is run - as of course it should
be, but also of course often is not - you are apt to sooner or later
replace the clean copy with an infected one, aren't you?)

While we are at it: I can't remember having seen in the discussion any
description of Tremor's payload. Is there more to it than the trembling
screen image? Or has it not yet been fully analysed?

Martin

Dr. Martin Erdelen          EARN/BITNET: HRZ090@DE0HRZ1A.BITNET
-Computing Centre-          Internet:    erdelen at hrz.uni-essen.de
University of Essen         Tel.:        +49 201 183-2998
Schuetzenbahn 70            FAX:         +49 201 183-3960
D-4300 Essen 1              Binary:      . .-. -.. . .-.. . --
Germany
+-----------------------+
| Remarkably            |
| remarkless            |
| room                  |
+-----------------------+

------------------------------

Date:    Fri, 28 May 93 15:06:55 -0400
From:    "David M. Chess"
Subject: Re: Single state machines and warm reboots (PC)

From: Garry J Scobie Ext 3360

>> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
>> I know of no virus (and am sure will be corrected if wrong 8*) that
>> can survive a *real* warm reboot.

>Was this thread ever followed up. In Volume 5 Issue 41 1992, Vesselin
>noted that no virus could survive the genuine or *real* Ctrl-Alt-Del
>or warm re-boot. However, in Issue 44 David Chess notes:

>> In short, since some viruses ARE able to survive the Ctrl-Alt-Del
>> sometimes,
>
>Was this taken off-line and resolved? David, Vesselin?

We are all agreeing loudly with each other, as usual! *8)

There are viruses which will still be there if you press
Control-Alt-Delete and wait for the good old DOS prompt to come back.
However, the way they work is by preventing a "real" warm reboot (in
Padgett's sense of "real"), and in many cases someone as observant as
Vesselin will be able to tell, by watching exactly what happens after
the C-A-D is pressed, that that "real" reboot did not occur. So it's
true both that we know of no virus that's still in memory after a
"real" warm reboot, but at the same time if you just press C-A-D and
wait for the machine to settle down again, there *are* viruses that can
survive that.

--
/ We have a little garden,         David M. Chess
/ A garden of our own,             High Integrity Computing Lab
/ And every day we water there     IBM Watson Research
/ The seeds that we have sown.

------------------------------

Date:    Sat, 29 May 93 08:57:30 -0400
From:    A.M.Zanker@newcastle.ac.uk (A.M. Zanker)
Subject: Re: CPAV updates? (PC)

bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Alan Boon (ee1ckb@sunlab1.bath.ac.uk) writes:

>> I am currently using CP Anti-Virus v1.4 and before anyone says anything
>> bad about it, I like it and think it's one of the best around! Does

>Would be curious to know why you think that it is so good?
>According to my own experience, it is actually one of the worst
>anti-virus programs around... Don't you like it because of the user
>interface, by chance? Remember that there is no record of a virus
>being ever stopped by a user interface... :-)

Ha Ha! Yes, it has a nice user interface. It also detects the 50 or so
virii that are ever really seen outside virus testing labs etc.
(according to Alan Solomon). It always seems to have a fairly low
rating in P. Hoffman's certification tests, but then she seems to use
the standard 1.4 version without any of the updates. The Windows
version is also rather nice and has got me out of a few scrapes. Both
DOS and Windows versions can also detect changes to "system" files
(.exe, .com, .dll, .ov?, etc.) which seems to cover just about
everything one is likely to meet in everyday home use.
Mike

--
Mike Zanker                              | A.M.Zanker@ncl.ac.uk
Department of Mathematics and Statistics |
University of Newcastle upon Tyne, UK    |

------------------------------

Date:    Sun, 30 May 93 01:23:51 -0400
From:    medici@dorm.rutgers.edu (Mark Medici)
Subject: Re: Bug With Virstop 2.08a & DOS6 Memmaker? (PC)

sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:

| RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes:
| >I have encountered an odd interaction between virstop.exe version
| >2.08a and dos 6's memmaker. Specifically, having virstop running
| >(either in conventional or high memory) will hang the pc when using
| >memmaker. This means then that to run memmaker you have to comment
| >it out of whichever startup file you have it in.

| I finally got around to dos 6.0 yesterday and had absolutely no
| conflict between virstop 208a and memmaker. I suspect your problem
| lies elsewhere.

I have had experiences similar to Rich's. If I allow DOS6's MemMaker to
try and determine the best way to load VIRSTOP from F-PROT 2.08a, the
system locks hard, requiring a cold boot. However, if I select the
custom MemMaker option, tell MemMaker that I want to specify which
files to try and load high, and exclude VIRSTOP, there is no problem.
Note that VIRSTOP is actually loaded into memory; it's just that I
don't let MemMaker try to fit it high. After MemMaker is done, I have
no trouble loading VIRSTOP into a UMB (providing enough space is left
over for it).

So the problem seems only to be that MemMaker's method of determining
VIRSTOP's size is not working -- not that VIRSTOP is incompatible with
DOS6's UMB/EMM386.EXE.

--
_________________________________________________________________________
RUCS     | Mark A. Medici * Telecommunications Analyst II * User Services
User     | Rutgers University Computing Services, New Brunswick, NJ 08903
Services | [medici@gandalf.rutgers.edu]  [908-932-2412]

------------------------------

Date:    Mon, 31 May 93 16:17:05 -0400
From:    Fischer@rz.uni-karlsruhe.de
Subject: TREMOR via Satellite (PC)

Clarification:

Several people sent e-mail to me asking which version of PKUNZIP or
McAfee's SCAN were infected! Maybe I was not precise enough.

1. The virus infection did *not* happen at McAfee Associates nor at
   PK Ware!

2. The company Channel Videodat near Cologne, Germany most probably
   contracted TREMOR from a shareware dealer in Duesseldorf, Germany
   named Software Projekt Heidel, who supplied the 104 Version of
   McAfee's anti-virus software and an infected copy of PKUNZIP.EXE.

3. The transmission is on the same channel as the TV program PRO-7,
   that is broadcast in Europe.

I hope this clarifies the matter.

Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de

------------------------------

Date:    Mon, 31 May 93 16:28:31 -0400
From:    Fischer@rz.uni-karlsruhe.de
Subject: TREMOR Analysis (PC)

TREMOR Analysis

The analysis of the mutation mechanism in TREMOR revealed a complexity
of 5.8 billion possibilities of variation of the decryption loop. Now
that the full tree is analysed, a 100% hit rate in detecting this virus
can be achieved.

During this analysis a delay mechanism for the payload trigger has been
found. This can be used to back-trace an infection strain, since the
infection date can be derived from the trigger code!

TREMOR Prevalence

TREMOR is now pretty widespread in Germany; the Micro-BIT Virus Center
gets about 1-2 calls from infected sites per day. Several companies
were among the callers.
Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de

------------------------------

Date:    Tue, 01 Jun 93 03:35:02 -0400
From:    "Roger Riordan"
Subject: DOS 6 Double Space and Invisible Virus (PC)

We recently received a sample of "Invisible" virus. This infects both
files and MBRs. Without really thinking we ran it on a test PC in
which the hard disk was set up using DOS 6 Double Space.

After running an infected file the PC was rebooted. Immediately we
discovered major corruption. The root directory appeared to be OK, but
many files and directories (at various levels) were unreadable, and a
number of directories were recursive. Of about 15M on the hard disk
about 4M was lost.

We tried running CHKDSK. This reported many lost clusters, and made
these into about 300 files, but most of these were still unreadable.
Eventually we gave up and reformatted the hard disk. We did not
install Double Space this time!

As far as we know at present the only deliberate damage done by the
virus is to write the original MBR, followed by the virus, to the last
seven sectors on the hard disk. We were able to read this as an
absolute sector using Nortons, but many clusters and even physical
sectors appeared to be totally unreadable. It is possible that the
virus marked the occupied sectors as bad, and that this caused the
damage, but this does not seem very probable.

CONCLUSION. Double Space would appear to have the capability of
converting an infection with an otherwise trivial virus into a major
disaster.

Roger Riordan                      Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                     Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA   Fax: +613 521 0727

------------------------------

Date:    Sat, 29 May 93 17:02:07 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)

Y. Radai (RADAI@vms.huji.ac.il) writes:

> I do not notice any behavior like that described above when I use McAfee's
> Scan V102, S&S's FindViru 6.18, or UTScan 28. I find it only when I run
> F-PROT after running MSAV. I then get the message "The xxxxxx virus search
> pattern has been found in memory" (where xxxxxx is "Telecom", unless VSafe is
> loaded in extended memory, in which case xxxxxx is "Stoned"). I therefore
> think that the problem lies with F-PROT rather than with MSAV or VSafe in this
> particular case.

I beg to disagree. Although I have not observed it myself, I have
received several reports about interaction with SCAN 104 and ghost
positives. It seems indeed to depend on where exactly VSAFE is loaded
in memory. And the cause of the problem is, of course, VSAFE and
nothing else - because it doesn't bother to encrypt its scan strings.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Sat, 29 May 93 16:45:47 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Cure against Tremor available? (PC)

Robert Hoerner (Robert.Hoerner@f2170.n492.z9.virnet.bad.se) writes:

> F-PROT 2.08 finds it.

Unfortunately, neither version 2.08, nor version 2.08a of F-Prot is
able to find the Tremor virus -reliably-, let alone to disinfect it.
(By unreliable detection I mean that some infected files are detected
and some aren't.) As far as I understand, Frisk has solved the problem
and an update for F-Prot should be out RSN...

> I myself wrote a finder+cleaner : ANTISER.ZIP, frequestable. It disinfects
> TREMOR-infected files just at the moment they are started. No danger for
> re-infection anymore. Does not work on packed files !
If your program is freeware or shareware (and if it is good, of
course), and if you are interested in making it available via anonymous
ftp, then I could put it on our ftp site - just uuencode it and e-mail
it to me.

BTW, are you sure that your program detects the Tremor virus reliably?
This is extremely difficult to test, because the virus has a
considerable potential for polymorphism, but mutates very slowly. That
is, even if you generate a few thousand replicants, you'll still have
only a few different mutations, and a test based only on them might
not be good enough.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Sat, 29 May 93 16:58:59 +0000
From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)

A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:

> As far as the easy disable in memory as documented widely, a tiny TSR
> (uses no free RAM) could disable the disabler just as easily.

Nope. The disabler -is- needed - as Yisrael pointed out, MSAV needs to
turn VSAFE off before it begins to scan the disk. If you don't allow
disabling of VSAFE, then you won't be able to run MSAV with VSAFE in
memory. A quick fix is to make the TSR ask the user whether s/he really
wants VSAFE to be disabled, but this is, after all, a kludge.

> Finally, given that the signatures are distributed separately, what is to
> stop an enterprising person from distributing their own signature update
> for use with MSAV having a much higher detection rate (for a suitable fee
> of course) ?
I am not competent in legal matters, but I think that one must obtain
permission from Central Point Software and/or from Microsoft before
publishing such an update... And why would they permit their
competitors to publish better anti-virus software? Besides, the format
of the updates is not published. On top of that, I suspect that those
updates have some internal limitations, which cannot be circumvented
without a complete re-design of the product. For instance, I am 100%
sure that they don't provide the means for exact virus identification.

> Thus the question must be not "whether MSAV is the One True Answer" but
> "*could* it be ..." e.g. is the engine robust enough ? Certainly, Windows

Hm, what do you mean by "robust enough"? I've got the impression that
the scanning engine in CPAV/MSAV is rather far from the modern fast
scanning technologies...

> Now let's look on the positive side: MSAV is at least trivially integrated
> into DOS.

Is it? How? From what I have seen, it is just an add-on product, which
has nothing to do with the operating system. Heh, it even doesn't check
the DOS version like the other external DOS commands... :-)

> I haven't tried it yet but would expect it to be compatible with
> disk compression and Windows 32BitDiskAccess (possibly why the boot sector

Please try it and post the results. I have my reasons to doubt that the
above is true, but I might be wrong.

> it against necessary functions that we do not know about (yet 8*). In
> other words, the hard part (nice human interface & it works) is done and the
> a-v people can concentrate on improving the detection rate plus the low
> level add-ons.

Actually, even the user interface is screwed up. The nice user
interface of CPAV has been restricted quite a lot in MSAV...

> There are some drawbacks that I know of. For instance you can take a looong
> coffee break while waiting for the memory scan on a 4.77 Mhz PC or XT but
> this is fixable or possibly no-one will care.
This is again a result of the usage of out-of-date scanning technology.
It cannot be fixed without a complete re-design of the scanning engine.

> ps STAC also quietly announced availability of STACKER for OS/2 on p 170
> of the May 24 PC-Week. Did anyone else notice ?

Sure, I even saw the product at the CeBIT'93 computer fair in
Hannover... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 25 May 93 17:44:00 +0200
From:    Schwartz_Gabriel@f101.n9721.z9.virnet.bad.se (Schwartz Gabriel)
Subject: Is "Untouchable" (V-ANALYST) Effective (PC)

TO: bontchev@news.informatik.uni-hamburg.de

Yes, you might be right about the integrity checker of V-Analyst, but
most of the users want to see scan results much more than integrity
checks. Although integrity checking is a very important part of an
anti-virus package, it can't stand alone as the leading part. I'm
looking in the latest VSUM reports and V-Analyst doesn't look very
good there,

--- FastEcho/386 B0426/Real! (Beta)
 * Origin: >> Rudy's Place << VirNet, Israel (9:9721/101)

------------------------------

Date:    Sat, 29 May 93 17:50:37 -0400
From:    bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: Thunderbyte anti-virus utils v6.02 uploaded to SIMTEL20 and OAK (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:
TBAV602.ZIP     Thunderbyte anti-virus utilities, v6.02
TBAVU602.ZIP    Thunderbyte anti-virus pgm, upgrade 6.01->6.02
TBAVX602.ZIP    TBAV processor specific pgms; see TBAV602.ZIP
VSIG9305.ZIP    Signatures for HTSCAN virus scanner

Greetings,
Piet de Bondt                E-Mail : bondt@dutiws.twi.tudelft.nl

------------------------------

Date:    Mon, 31 May 93 09:44:43 -0400
From:    wachtel@canon.co.uk (Tom Wachtel)
Subject: virus news INTERNATIONAL CONFERENCE 93

virus news INTERNATIONAL CONFERENCE 93
23rd June 1993
Sheraton Skyline Heathrow

Virus News International is widely recognised for its excellent
coverage of security issues. VNI contributors gather information from
around the world and are in constant contact with police forces and law
enforcement agencies. Nowhere near all of this information has been
published in VNI - yet.

As the virus field comes of age, so your need for information becomes
more and more specialised. Because you now have a much better
understanding of viruses, you are now asking more focused questions.
You will be given answers on which to build your defences against
potential security breaches.

What you will get at the VNI Conference is a concise intelligence
briefing. When you return to your organisation, you will be in a
position to update your company's policies and procedures with the
advantage of having a clear idea of what is to come.

 * Why do virus authors do it?
 * What new approaches are virus authors likely to take?
 * How to prepare for the next attack
 * Up to the minute news of activities in the virus world

What the conference will give you

One of the most frequently asked questions is "Why do they do it?"
At the VNI Conference, you will hear from people who have contacted
virus authors and who have hacked into closed computer systems. Their
insights will help you understand your enemy better.

What new angles virus authors are likely to take is one of the things
many technical people would like to know. Vesselin Bontchev of the
Virus Test Center at the University of Hamburg is one of the world's
leading virus researchers and is better placed than most to be able to
provide at least some of the answers.

Most people assume that all anti-virus software operates in the same
way. Dr. Simon Shepherd of the United Kingdom Computer Virus
Certification Centre, University of Bradford knows better. He will
explain how a full evaluation is carried out and what you should look
for when deciding which products to use.

Dr Alan Solomon, Chairman of S & S International, will give you a
briefing on the activities of virus authors and others involved in the
dissemination of viruses. With contacts right around the globe, Dr
Solomon has an unrivalled understanding of what virus authors and
distributors are doing.

Speakers

Sara Gordon is an independent researcher and consultant in computer
security. Her insight into the minds, motives and methods of hackers
and virus writers provides a unique perspective, with a wealth of
expertise and information. She recently interviewed the Dark Avenger.

Robert Schifreen is the man the House of Lords cleared of all charges
of hacking into Prince Philip's Prestel mailbox. Now one of the world's
most respected consultants in the field of protection from hacking, he
will be giving you an insight into the motives of hackers.

Vesselin Bontchev is a Research Associate at the University of Hamburg,
while continuing his research at the Virus Test Center there.

Dr Simon Shepherd is Senior Lecturer in Cryptography and Computer
Security at the University of Bradford, and Director of the UK Computer
Virus Certification Centre.
He has extensive experience in the design of secure communications and computing systems. Dr Alan Solomon, one of the leading figures in the anti-virus research community, is co-founder and technical director of the European Institute for Computer Anti-Virus Research. He is also Chairman of S & S International and of the IBM PC User Group. An International Event Virus News International has frequently shown that the appearance of a virus in one part of the world is usually the prelude to its appearance in other countries, probably including yours. VNI has a truly international following and the conference provides and opportunity to discuss experienced with delegates from around the globe. For the benefit of international delegates, The Sheraton Skyline at Heathrow has been selected as the venue for the conference. VNI is conscious that delegates must justify fees and expenses so we have packed this conference into one day. The location makes it perfectly possible for delegates to fly in from Europe or other parts of the UK, spend a full and fruitful day at the conference, and return home without incurring any overnight expense. Who should attend? Senior IT staff, network managers, Information Centre managers and technical staff involved in data security procedures and development Date 23rd June 1993 Venue The Sheraton Skyline, Heathrow Fee L295.00 + VAT per delegate Delegates' fees may be paid by Access or Visa or by cheque. Company purchase orders accepted. Since the conference is scheduled for less than one month from now, interested persons should contact Paul Robinson on +44-792-324-000 asap. Alternatively, his email address is 70007.5406@COMPUSERVE.COM. - ----------------------------------------------------------------------- virus news INTERNATIONAL, William Knox House, Llandarcy, Swansea. West Glamorgan, SA10 6NL, United Kingdom Tel No. +44 792 324000 Fax No. 
+44 792 324001
===================

- --
Tom Wachtel (wachtel@canon.co.uk)

------------------------------

Date: Fri, 28 May 93 15:05:12 -0400
From: "Rob Slade"
Subject: Activity Monitors - variations (CVP)

PRTAVSA.CVP 930522

Activity Monitors - variations

I would like to cover, under the topic of activity monitoring software, two variations on the theme.

The first variation is very minor: that of operation restricting software. Operation restricting software is similar to activity monitoring software, except that instead of watching for suspicious activities it "automatically" prevents them. In the past I have tended to class operation restricting software as a separate type of antiviral even though the difference between a "monitor" and a "restrictor" is really only one of degree in the information given to the user. The reason that I have done so is that the "degree" is not a continuum, and there tends to be a definite gap between those programs which inform the user, and those which do not.

As with mainframe security "permission" systems, some of these operation restricting packages allow you to restrict the activities that programs can perform, sometimes on a "file by file" basis. However, the more options these programs allow, the more time they will take to set up. Again, the program must be modified each time you make a valid change to the system, and, as with activity monitors, some viri may be able to evade the protection by using low level programming.

It is important, when evaluating both activity monitoring and operation restricting software, to judge the extent that the operator is given the option of "allowing" an operation. It is also important that the operator be informed, not only that a particular program or operation should be halted, but also why. There should not be too many "false alarms" generated by the software, and it would be helpful to have the option of "tuning" the software to be less, or more, sensitive to a given type of activity.

The second variant on activity monitoring may at first seem to be wildly diverse: "heuristic" scanning. However, please note that heuristic scanners attempt to do the same thing that an activity monitor does, if in a slightly different way. Instead of "waiting" for a program to perform a suspicious activity, a heuristic scanner examines the *code* of a program for suspicious calls (hopefully before the program is even run). Although such scanners may be limited to checking for very generic sections of code in their current, natal state, eventually they will require a good deal of "intelligence" to justify the analytical nature implied by the name "heuristic". Heuristic scanners are currently tools best used by those with some background in virus identification and prevention, but they hold a promise to become very useful tools even for the novice with future development.

copyright Robert M. Slade, 1993   PRTAVSA.CVP   930522
==============

Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
(signature art swiped from Alan Tai)

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 88]
*****************************************
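Added example (not part of Rob Slade's column or of this digest): the column says a heuristic scanner examines a program's *code* for suspicious calls before it runs, and that such tools should tell the operator why something was flagged and be tunable in sensitivity. The Python below is a toy static heuristic scanner for DOS .COM images that illustrates all three points. The INT 21h function numbers are the documented DOS ones; the flag letters, their weights and the default threshold are illustrative choices made for this example and are not any product's real flag set; the two sample images (a benign "print a string" program and an appender-style body) are constructed here. It deliberately makes only the crude checks the column describes for scanners "in their current, natal state": a MOV AH/AX immediately before an INT, and an entry-point JMP into the tail of the image.

```python
"""Toy static heuristic scanner for DOS .COM images (added example, not from the column).

It looks for the calls a file infector needs (directory search, open/write,
timestamp restore, vector hooking, direct disk writes) and for an entry-point
jump to the tail of the image. Flag letters, weights and the threshold are
illustrative choices of this example. Simplifications: only a MOV AH/AX placed
immediately before the INT is recognised (no register tracking), and data bytes
that happen to look like CD 21 are reported as calls too.
"""
from dataclasses import dataclass, field

# Documented INT 21h function numbers of interest to a heuristic scanner.
INT21_FUNCS = {
    0x25: "set interrupt vector",
    0x31: "terminate and stay resident",
    0x3D: "open file",
    0x40: "write to file",
    0x43: "get/set file attributes",
    0x4B: "load/execute program",
    0x4E: "find first matching file",
    0x4F: "find next matching file",
    0x57: "get/set file date and time",
}

# Illustrative flag letters and weights (assumption of this example, not a real product's set).
FLAG_WEIGHTS = {"J": 2, "S": 2, "F": 1, "T": 2, "A": 1, "M": 2, "D": 3, "E": 1}


@dataclass
class ScanReport:
    flags: dict = field(default_factory=dict)  # flag letter -> reason shown to the operator
    calls: list = field(default_factory=list)  # (offset, description) of every call seen
    score: int = 0
    suspicious: bool = False


def _ah_before(code, i):
    """AH loaded right before offset i by MOV AH,imm8 (B4 xx) or MOV AX,imm16 (B8 lo hi)."""
    if i >= 2 and code[i - 2] == 0xB4:
        return code[i - 1]
    if i >= 3 and code[i - 3] == 0xB8:
        return code[i - 1]  # AH is the high byte of the 16-bit immediate
    return None


def find_interrupt_calls(code):
    """Yield (offset, interrupt number, AH or None) for every INT (CD xx) in the image."""
    for i in range(len(code) - 1):
        if code[i] == 0xCD:
            yield i, code[i + 1], _ah_before(code, i)


def entry_jump_target(code):
    """If the image starts with JMP rel16 (E9 lo hi), return the image offset it lands on."""
    if len(code) >= 3 and code[0] == 0xE9:
        disp = int.from_bytes(code[1:3], "little", signed=True)
        return 3 + disp  # offset of the byte after the 3-byte jump, plus the displacement
    return None


def scan(code, threshold=4):
    """Score the image; 'threshold' is the sensitivity knob the column asks for."""
    r = ScanReport()
    target = entry_jump_target(code)
    if target is not None and target > len(code) // 2:
        r.flags["J"] = f"entry point jumps to offset {target:#x}, into the second half of a {len(code)}-byte image"
    for off, intno, ah in find_interrupt_calls(code):
        if intno == 0x21 and ah in INT21_FUNCS:
            r.calls.append((off, f"INT 21h/{ah:02X}h {INT21_FUNCS[ah]}"))
            if ah in (0x4E, 0x4F):
                r.flags["S"] = "searches the directory for files (find first/next)"
            elif ah == 0x40:
                r.flags["F"] = "writes to a file handle"
            elif ah == 0x57:
                r.flags["T"] = "reads or sets a file's date and time (can hide a modification)"
            elif ah == 0x43:
                r.flags["A"] = "changes file attributes (e.g. clears read-only)"
            elif ah in (0x25, 0x31):
                r.flags["M"] = "hooks an interrupt vector or stays resident"
            elif ah == 0x4B:
                r.flags["E"] = "executes another program"
        elif (intno == 0x13 and ah == 0x03) or intno == 0x26:
            r.calls.append((off, f"INT {intno:02X}h direct disk write"))
            r.flags["D"] = "writes disk sectors directly, bypassing the file system"
    r.score = sum(FLAG_WEIGHTS[f] for f in r.flags)
    r.suspicious = r.score >= threshold
    return r


# Constructed sample images (load base 100h, as for a .COM file).
# Benign: MOV DX,010Bh / MOV AH,09h / INT 21h / MOV AH,4Ch / INT 21h / "Hi$"
BENIGN = bytes([0xBA, 0x0B, 0x01, 0xB4, 0x09, 0xCD, 0x21, 0xB4, 0x4C, 0xCD, 0x21]) + b"Hi$"

# Appender-style: JMP to offset 32, a 4-byte host stub, padding, then a body that
# finds a file, opens it, writes it, restores its timestamp, hooks a vector and exits.
_BODY = bytes([0xB4, 0x4E, 0xCD, 0x21, 0xB4, 0x3D, 0xCD, 0x21, 0xB4, 0x40, 0xCD, 0x21,
               0xB4, 0x57, 0xCD, 0x21, 0xB4, 0x25, 0xCD, 0x21, 0xB4, 0x4C, 0xCD, 0x21])
VIRUS_LIKE = bytes([0xE9, 0x1D, 0x00, 0xB4, 0x4C, 0xCD, 0x21]) + bytes(25) + _BODY

if __name__ == "__main__":
    for name, image in (("benign", BENIGN), ("virus-like", VIRUS_LIKE)):
        rep = scan(image)
        print(f"{name}: score={rep.score} suspicious={rep.suspicious}")
        for letter, why in rep.flags.items():
            print(f"  [{letter}] {why}")
```

Run as a script, the benign image scores 0 and the appender-style image scores 9 with flags J, S, F, T and M, each carrying the reason the operator would be shown. Raising `threshold` to 10 makes the same image pass, which is the "tuning" trade-off the column describes: a single file write (F) is something most legitimate programs do, so it is weighted low, while direct sector writes (D) are weighted high; the combination of search, write and timestamp restore is what pushes a file infector over the line.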
