To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #122
--------
VIRUS-L Digest   Wednesday, 15 Sep 1993    Volume 6 : Issue 122

Today's Topics:

Re: Dark Avenger Update?
Re: Viruses and Genetic Algorithms
Re: Dark Avenger Update?
Virus droppers (was Re: Form Virus)
Learning how to make virus programs: NOT
Re: Mac's, Novelle & Viruses. (Mac)
Waldo? (PC)
"Stone virus problem" (PC)
Re: Possible DOS/Windows virus... in the development stage? (!) (PC)
Re: Experiments with mutated viruses. (PC)
Flash BIOS (PC)
Re: posting re retaliator viruses (PC)
Re: Can TT font files be infected? (PC)
boot viruses, without booting from an infected disk (PC)
Possible DOS/Windows virus... in the development stage? (!) (PC)
Re: You never forget the first time (PC)
mcafee's 107 serie (PC)
September 1993 LAT (PC)
New file on risc (PC)
Ethernet node addresses

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 13 Sep 93 14:34:44 -0400
From: Anthony Naggs
Subject: Re: Dark Avenger Update?
Jenny Abar, , asked:
>
> Just wondering if anyone has heard anything about Dark Avenger
> lately, any new viruses, ...

He may have continued his virus experiments, but there is no evidence that he has distributed any of them during the last 18 months or so.

> ... mutation engines, ...

There are occasional rumours of further versions. However, none of those sent to me have been functional.

> ... has he been caught,
> etc.

Why would anyone want to catch him? He hasn't broken any Bulgarian laws, or done anything that another country might reasonably extradite him for.

Conclusion: like most student hackers, he has found more constructive areas to continue his interest in computers.

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Mon, 13 Sep 93 14:34:47 -0400
From: Anthony Naggs
Subject: Re: Viruses and Genetic Algorithms

Alan K.-C. Tai, , writes:
> Sorry if this has already been discussed. Allow me to post what
> is probably an ignorant question:
>
> What is the implication of genetic algorithms for viruses and
> anti-virus software?

Because of the analogy between computer and biological viruses the word 'genetic' occasionally appears in discussions, but usually in other contexts. I can't see an immediate application for genetic algorithms by viruses or anti-virus products; don't they require some kind of feedback by the computer user? Perhaps you would be kind enough to make some specific suggestions for using them, for us to comment on?

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Mon, 13 Sep 93 14:34:50 -0400
From: Anthony Naggs
Subject: Re: Dark Avenger Update?

William H. Lambdin, <73044.2573@compuserve.com>, writes:
>
> The latest thing that I have seen written by Dark Avenger was the Uruguay
> virus, but that was several months ago

Strange, have you any evidence for this? The author of the Uruguay viruses is known. So far as I'm aware he wrote his viruses in Uruguay.

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Mon, 13 Sep 93 14:34:45 -0400
From: Anthony Naggs
Subject: Virus droppers (was Re: Form Virus)

William H. Lambdin, <73044.2573@compuserve.com>, writes:
>
> the scanner authors should add the ability to detect droppers. Even though
> they themselves aren't viruses, they should be detected. ...

If a particular 'dropper' is distributed 'in the wild' this is a reasonable expectation.

> ... Some have replied
> to me with " Why? the scanner will detect the virus after it is laid on the
> boot sector." The idea is to detect the dropper before infection takes
> place. It is always best to prevent a user from running a dropper than to
> have the user remove the virus later.

It is impossible to write a scanner that detects all possible 'droppers'. For any single virus there is a near infinite number of possible droppers. Would it be useful to have a scanner describe nearly every program on your system like this: "Program not recognised, it might be a virus dropper!" ? I think not.

From both a user and a-v developer point of view anticipating all possible droppers with a scanner is not effective. This is where a defence program, such as an 'active monitor', is useful. As a resident OS extension it attempts to recognise 'virus like activity', such as editing program files or altering boot sectors.
Of course this doesn't cover all situations, but if you can afford an hour to examine each program file you are welcome to commission a program from me to meet your needs. :-)

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Tue, 14 Sep 93 20:12:07 -0400
From: Roger Thompson <70451.3621@compuserve.com>
Subject: Learning how to make virus programs: NOT

TO: INTERNET:VIRUS-L@lehigh.edu

Kristian Nmi Milec of mile5057@nova.gmi.edu wrote:-

>Subject: Learning how to make virus programs: Info?
>...in which to reach that end. The purpose for the software is to
>make.... to ensure that only legal copies of software are located on
>local drives. To go through 250+ machines is nearly impossible....
>However, all of the machines are connected to a file server..... and in
>order to print/mail/create purchase orders (for example) they need to
>attach to a NFS. If I could make a virus that goes into their machine,
>checks for illegal software...

You don't need a "virus" program to do this as the administrator can force execution of analysis/anything programs each time a user logs in. You've described a product which already exists.

N.S.O. - Network Security Organizer, was designed to give system administrators centralized control over workstation security. It provides auditing of all software AND hardware installed on the workstations, so apart from being able to identify "bogus" programs you'll know straight away if RAM or other hardware goes missing.

NSO's primary function is virus detection and any program installed by the user is a potential virus. NSO will audit all floppy disk accesses, making it possible to identify the source of an "infection".
NSO installs anti-virus software like Doctor, Scan or F-prot automatically onto each workstation as it logs in, saving the administrator much legwork when upgrades are received. It sounds like you'd appreciate the time savings.

You can download the software for evaluation from Leprechaun Software's BBS on 404-971-8866.

Phil Seakins.

------------------------------

Date: Tue, 14 Sep 93 14:12:19 -0400
From: Anthony Naggs
Subject: Re: Mac's, Novelle & Viruses. (Mac)

Kiggundu Mukasa, , asks:
> I help maintain an ethertalk and localtalk Mac network which is about to "go
> Novelle". I wanted to know are there any viruses that will go from the
> Novelle system to the mac?

As Mark Anbinder says, there are no viruses that affect both MS-DOS and MAC systems. In theory it is possible, but in view of the (relatively) low number of viruses for the MAC it is unlikely that any virus author has the skills to do so.

> And which ones should I be on the lookout for on this new mixed platform??

Essentially your concerns are the same as for your existing networks:

1. Prevent infected programs from being placed on servers, by using up to date MAC & MS-DOS scanners.
2. Prevent programs on servers from being altered (infected), by setting Novell attributes to 'execute-only'.

You might also ensure anti-virus software is loaded onto workstations in login scripts (see Padgett Peterson's recent posting).

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Tue, 14 Sep 93 09:45:05 -0400
From: jskean@unlinfo.unl.edu (jonathan skean)
Subject: Waldo? (PC)

I have a colleague whose PC is displaying the message "Waldo won't let you do that." at times when running Microsoft Windows 3.1. Does anyone have information about this? It isn't mentioned in McAfee ScanV106.
--
Jonathan Skean, Computer Tech        voice: (402)472-2684
502 Hamilton Hall                    fax: (402)472-9402
University of Nebraska               usenet: JSKEAN@UNL.EDU
Lincoln, NE 68588-0304 USA           bitnet: JSKEAN%UNL.EDU@UNLVAX1

------------------------------

Date: Tue, 14 Sep 93 13:31:49 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Stone virus problem" (PC)

>From: wirth@NADC.NADC.NAVY.MIL (B. Wirth)
>Subject: Stone virus problem. (PC)

> I have encountered a standard stone virus on hard drive. The
>drive is divided into two logical partitions. F-Prot v2.09 detected
>the virus. It was removed from the first partition, but F-prot v2.09
>can not remove it from the second partition. It states that the MBR
>can not be found on the second drive (Drive D:). I run SCAN
>9.17 v106 and there is no sign of the virus detected on any drive. I
>did not find any signs of the virus active at boot time. Any
>suggestions as to how to clean the second partition. What ever help
>can be suggested will be greatly appreciated.

Sorry but this does not track. The STONED is a master boot sector infector and there is only one MBR on a disk regardless of how many logical drives it may contain. Remove it from that one sector, reboot, and the disk is clean. (I am assuming from the above that there is only one physical disk in the PC)

Each logical partition does contain an Operating System Boot Record (also a single sector) but the STONED virus does not infect these. I suspect that either something is confused or you have an entirely different virus (F-Prot is one of the best in avoiding mis-identification though).

Warmly,
Padgett

------------------------------

Date: Mon, 13 Sep 93 14:34:52 -0400
From: Anthony Naggs
Subject: Re: Possible DOS/Windows virus... in the development stage? (!) (PC)

Stephen Joseph Smith, , writes:
>
> Preface: I know next to nothing about viruses. This is not an actual
> virus report.
> This is a report of a letter received at my place of
> employment that made me suspicious. If anyone else has received a
> letter like this, please post or email. If anyone has any idea what
> to do about the letter, please post or email.
> ...
> Thanks. The letter from "Cheyenne Software" and Tom's reply are enclosed.

Hmmm. Cheyenne Software are agents for a commercial edition of Frisk's FProt, and have the only Netware NLM version that I know of. The only phone number I have is a little different from the one in the letter, (1 516 484 5110).

> Dear Tom Throop:
>
> I need information on all of your software products. I need all of
> them to be for DOS and/or Windows. For this I would need to know what
> version you have come out with (ex: 1.0, 2.0) and for the versions I
> would need to know what the executable name is, the size of the file,
> the date and time of the file. ...

This is a rather unorthodox style. I can't imagine courtesy in business correspondence differs too much between the US & UK, and I would expect the letter to start with an explanation of the software policing scheme and an *invitation* to have your products included. I strongly suggest you contact Cheyenne to determine if the letter is genuine, and report your dissatisfaction.

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Mon, 13 Sep 93 14:38:15 -0400
From: Anthony Naggs
Subject: Re: Experiments with mutated viruses. (PC)

Sajid Rahim, , writes:
>
> Toolkit failed to recognise any one of the mutated code. ...

This statement in particular seems to be flawed, as you only appear to have used the FindVirus program. The Toolkit also includes the ChkVirus integrity checking program, which is specifically intended to detect and warn of new viruses.

> ...
> Scan was able
> to work for non-encrypted codes whilst fprot was able to detect all.
>
> At the conclusion, I was horrified to think of the potential disaster
> waiting to emerge for those using Dr Solomons. Finally I wish to file
> a disclaimer that all these experiments were carried out without any
> bias to any of the three products.

If Dr Solomon's Toolkit failed to detect your 'mutations' it seems likely that you destroyed the ability of your viruses to replicate. If they can't replicate they are not viruses, hence Toolkit is correct in not reporting them. Anybody 'testing' a-v products should ensure that they are actually trying to detect genuinely replicating viruses.

I do not understand why you have performed your "mutation detection experiment", but please ensure your 'viruses' are not distributed. Preferably destroy them. There are too many fools creating viruses already!

Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Mon, 13 Sep 93 14:38:17 -0400
From: Anthony Naggs
Subject: Flash BIOS (PC)

Fred Cohen, , also wrote:
>
> The problem with the turn switch and all the other schemes for flash ROMs
> is that like a hard disk with a write lock switch, when you eventually write
> enable it for a few seconds to make a legitimate change, the attack can use
> that window of vulnerability to win. That's why we need to have a procedure
> involving booting from a special disk starting from, power down in order
> to be even a little bit safe:
> 1: Turn keyswitch to ROM CHANGE position

I don't understand the insistence on a key switch; they add to the production cost and provide an extra point of failure.

> 2: Place permanently write protected disk in disk drive

Why 'permanently write protected'?
If I was the manufacturer I would reserve the ability to distribute BIOS images that can be used only a limited number of times, by altering an installation count on the diskette.

> 3: wait till screen tells you to remove disk
> 4: remove disk and turn keyswitch back to RUN position
>
> The ROM should be set to look for a disk in A after clearing memory. ...

Why clear memory? You have already stated that the system has been started from a power down.

> ... As soon
> as the door is closed, it should read from A, verify the write protect status
> of A by attempting (and failing) to write to it, ...

This is silly, floppy disk drives report the write-protect status of a disk without having to write to it.

> ... use an RSA based (or similar)
> cryptographic checksum to verify the legitimacy of the data in A, load its
> Flash ROM, put the proper message on the screen, and halt the processor.
> This scheme would allow even a bad ROM update to be backed out of because the

What is your definition of a 'bad ROM update'? To me the phrase conveys a change of the ROM that fails in some way. Yet your reference to 'backed out' implies an earlier recognition of failure.

> loading routine is in ROM not EROM, should prevent unauthorized updates, and
> enforces the procedures required to prevent malicious EROM changes.
>
> The reason this scheme is NOT used (even though the hardware designers of most
> flash ROMs designed their ROMs to work this way) is that it costs money to add
> a switch and the few hundred lines of code required to implement protection,
> and we all know that people want protection for free and believe it is safe
> even when it isn't. Call a bug a feature, and you have happy customers.

This all seems totally excessive. I'm getting somewhat fed up with all the assertions about what 'manufacturers' do, without any primary evidence for specific brands or products. So I have just phoned Intel UK, and asked Andy Powell their Product Marketing Manager about this.
Intel are the inventors of the 'Flash' variation of EAROM (Electrically Alterable ROM), and the only major manufacturer I know of currently supplying systems with 'Flash BIOS' (often branded by other manufacturers, eg Amstrad). Trusting that my notes and understanding are accurate:

As documented here previously, Intel use Flash memories that include a small 'boot block'. Like the rest of the BIOS the boot block is programmed at the factory, but it cannot be changed without physically altering the system board (eg by removing the Flash). The boot block includes a 'minimum BIOS' supporting the diskette drives and allowing the Flash update process to operate.

At system startup the processor first executes code in the boot block, which performs multiple checksums to authenticate the majority of the BIOS before passing control.

Changing the BIOS is done by booting from the "Flash Update Utility" diskette that includes the new BIOS. The boot block BIOS checks that the new BIOS is for the correct PC model & configuration of equipment, before releasing the interlocks that prevent programming of the Flash.

If the boot block BIOS detects an error in the Flash BIOS at boot up, due to deliberate tampering or failure to complete a BIOS update, it will prevent normal use of the system, the only remedy being to correctly complete installation with the "Flash Update Utility".

The exact details of the authentication procedures are Intel trade secrets. It certainly appears that Intel PCs using Flash BIOS are no more vulnerable to malicious alteration than other PCs whose ROMs can be removed from sockets and replaced.
Regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Mon, 13 Sep 93 20:26:15 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: posting re retaliator viruses (PC)

Hello Sam Pitawala,

fltline@aol.com writes:

>"William H. Lambdin" <73044.2573@compuserve.com> writes:
>Posted: Thu, 26 Aug 93 14:23:02 -0400
>
>:Does anyone have experience with retaliator viruses?
>:I have read several messages about them, and would appreciate some info.
>:If the information is of a sensitive nature, please respond via E-Mail.
>
>I had a discussion with a tech from McAfee, in the America OnLine
>Virus area (McAfee message board) about this same subject. He stated
>that he had no knowledge of any viruses that attack anti-viral
>software. When I presented the following chart to him, he changed his
>story somewhat:
>
>Virus Name         Action
>-----------------  ---------
>
>Encroacher         Will search for and delete the following CPAV files:
>                   CHKLIST.CPS files
>                   CPAV.EXE - the CPAV main program
>                   VSAFE.COM - the resident sentry program
>
>Groove             (Same as above)
>
>Peach              Searches for and destroys all CHKLIST.CPS files in
>                   every directory before infection takes place (thereby
>                   disabling CPAV)
>
>Tremor             Will disable (aka Turn off) the Microsoft memory
>                   resident virus identifier (VSAFE)
>
>LOKJAW-ZWEI        Will search for CPAV, F-Prot, McAfee's Scan, McAfee's
>                   Clean and delete them
>
>PC WEEVIL          A Mutation Engine Variant which will, like Tremor,
>                   disable Microsoft Anti-Virus
>
>Hope this has been of some help to you.

Point of order: :-)

The technician you spoke with was unsure of the answer and brought a copy of your message to me--I assumed that you meant viruses which directly attack McAfee Associates' software and told him to answer "no" to your question.
Your subsequent reply listed a few, including (at least) one I have not heard of before called the "Lokjaw-zwie" which claims to delete McAfee Associates' VIRUSCAN (SCAN.EXE). Naturally, we'd be very interested in seeing a copy of this particular virus, or if you don't actually have one, perhaps you could send us a copy of the description or report you received of it?

Thanks!

Regards,

Aryeh Goretsky
McAfee Associates' Technical Support

--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor | FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Tue, 14 Sep 93 14:15:44 -0400
From: Anthony Naggs
Subject: Re: Can TT font files be infected? (PC)

Ralf Muschall, , asks:
>
> The problem came to my mind by a recent question in this group,
> where somebody had a possibly infected file 'pcplus.fon'.

Possibly, but there is an alternate explanation. Many virus scanners (eg McAfee's Scan) look for 'scan strings'. These are small segments of a virus that the a-v producer believes are unlikely to appear in uninfected files. Windows resource files and compressed executables (eg with PKLite) include many byte sequences which are rare in ordinary programs. Scanning them with this method can therefore produce false alarms.

> Since True Type fonts begin with the 'Mark Zbikowski'
> magic number, a virus could think they are executables
> and attach itself to them.
> The question is now:
> Does this happen?

Only a few viruses will actually infect Windows resource files. The two most common methods for a virus to select new files to infect are:

1. Look for files with a .COM or .EXE extension, perhaps with a search or by watching for file accesses.
2. Watch for programs being loaded for execution, with function $4B. With Windows this only happens in the DOS boxes.

> If it happens, is it important (i.e. are
> fonts executed by MS Windows or only treated
> as data)?

Fonts, and other resource files for Windows, use information in the extended ('new') EXE header to decide what facilities to allocate (eg memory). A Windows 'aware' virus could add an executable copy to such files. While Windows would probably run it if attached to a DLL or device driver, I doubt it will do so for a Font file. If an MS-DOS virus attempted to infect it (eg a member of the Jerusalem family) the file would probably be corrupted, and Windows would refuse to load it.

> If both are true, do scanners take care of that fact?

Hope this helps,
Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Tue, 14 Sep 93 14:15:42 -0400
From: Anthony Naggs
Subject: boot viruses, without booting from an infected disk (PC)

James W. Kaiser, , reports:
>
> I have a friend who got infected by a boot sector virus and claims the
> machine was _never_ booted with the infected floppy in the machine. I don't
> see how this is possible. I suspect it actually happened but he just doesn't
> remember it. Is it possible?

There are several possibilities:

1. There are 'dropper' programs, which carry a virus and place it in a PC, bypassing the normal infection method but allowing it to infect in the future.
2. 'booting from a floppy' includes just running the boot program on the floppy, that says "Non-system disk. Any key to continue".
The virus in the boot sector has not only loaded into the PC, and then loaded the original boot program, but in the case of Stoned and Michelangelo it has already infected the hard drive!

Prevention is either by ensuring drive A: is empty before booting your PC, or (if available) selecting a BIOS setting that only boots from your hard drive.

Best regards, Anthony Naggs
Software/Electronics Engineer & Computer Virus Researcher
Email: amn@ubik.demon.co.uk    Phone: +44 273 589701
Paper mail: PO Box 1080, Peacehaven, East Sussex BN10 8PZ Great Britain

------------------------------

Date: Tue, 14 Sep 93 18:08:17 -0400
From: vfreak@aol.com
Subject: Possible DOS/Windows virus... in the development stage? (!) (PC)

From: Rob_Slade@mindlink.bc.ca (Rob Slade)
>However, as far as I know, Cheyenne is legitimate. They make an antiviral
>called InocuLAN (which I have, but haven't gotten around to reviewing yet).
>The contact numbers I have for them are 800-243-9462 and 516-484-5110.

I haven't tested InnocuLAN from Cheyenne. But from all appearances it seems legitimate as well as a complete A-V package, meaning it contains a scanner as well as generic detection routines.

Bill

------------------------------

Date: Wed, 15 Sep 93 04:16:26 -0400
From: mot@vinkku.hut.fi (Matti Teinonen)
Subject: Re: You never forget the first time (PC)

gmillman@pilot.njin.net (Gregory Millman) writes:

> I think I've just had my first brush with a virus and I need some
> advice. I'm a novice at telecommunications. Last night I went
> cruising and had a ball. I stopped in at a couple local bbs. I
> downloaded a couple files. I downloaded pkunzip.exe, and pkz204.zip,
> and showgif.exe, and tush.gif from a local bulletin board. I also
> downloaded a popular internet tutorial, meritcrz.exe, and
> meritcrz.zip, and even hyteln65.zip. Maybe I got a little carried
> away. Today, when I tried to unzip hyteln65.zip, I got a message
> saying there was an error in the zip file.
> Same message when I tried
> to unzip meritcrz.zip. When I tried to run meritcrz.exe using

You perhaps did try to unzip with an old version of pkunzip? The more recent pkz204 package has a new version of pkunzip, too. Actually I think the name of the package should be pkz204g.exe for the self-extracting package.

You should not try to run incompletely unzipped .exe's, you never can know what happens. For virus detection use some decent program like viruscan or fprot.

Matti

------------------------------

Date: Tue, 14 Sep 93 09:27:42 -0400
From: HAYES@urvax.urich.edu
Subject: mcafee's 107 serie (PC)

Hello.

McAfee's 107 series is now available from us.
Source: McAfee's own FTP'able site.

Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.

Enjoy, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes        HAYES @ URVAX          (Vanilla BITNET)
University of Richmond      hayes@urvax.urich.edu  (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date: Mon, 13 Sep 93 11:12:56 -0400
From: vfreak@aol.com
Subject: September 1993 LAT (PC)

LAT 9309                                              September 13, 1993

+--------------------------+----------+---------+-----------+-----+
| SCANNER                  | COMMON   | POLY-   | ZOO       |FLAGS|
|                          |          | MORPHIC |           |     |
|                          |          |         |           |     |
|                          |37        |56       |1511  1463 |     |
+--------------------------+----------+---------+-----------+-----+
| F-Prot 2.09D             |37  100%  |56  100% |1488  98.5%| S   |
| TBAV 605                 |37  100%  |55  98.2%|1485  98.3%| GS  |
| Scan 107                 |36  97.3% |52  92.9%|1354  89.6%| S   |
|                          |          |         |           |     |
| Integrity Master-201     |36  97.3% |54  96.4%|1352  89.5%| GS  |
| Dr Sol A-V toolkit 6.18  |35  94.6% |29  51.8%|1348  89.2%| C   |
| VIRx 2.9                 |35  94.6% |34  60.1%|1311  86.8%| S   |
|                          |          |         |           |     |
| NAV 2.1 SEP 93 SIGS      |30  81.1% |24  42.9%|1015  67.2%| C   |
| MSAV w/DOS 6.0           |28  75.7% |17  30.4%| 913  62.4%| D   |
+--------------------------+----------+---------+-----------+-----+

C- Commercial software
D- This product does not scan for boot sector viruses inside droppers. This is why scanners that detect droppers were tested against 1335 viruses. Scanners that fail to detect droppers were tested against 1303 viruses. I tried to be fair.
G- Generic Virus detector. The other utilities with this product may detect viruses that this scanner misses, so don't judge this product too harshly because the scanner isn't as effective as you would like.
S- Share Ware or Free Ware product.

A new version of Integrity Master should be released soon. I will test it next month.

I removed UTscan from this month's LAT because the signatures were getting too old.

========================================================================

I have tested the following generic products, and recommend them.
                                                  FLAGS
                                                 +------+
F-Prot Professional (Command Software Systems)   | IV   |
Integrity Master (Stiller Research)              |*ISV  |
PC-cillin (Trend Micro Devices)                  | ASV  |
PC-Rx (Trend Micro Devices)                      | ASV  |
TBAV (Thunderbyte)                               |*ISV  |
Untouchable (Fifth Generation Systems)           | ISV  |
Victor Charlie (Bangkok Security Associates)     |*BEISV|
                                                 +------+

*-Share ware product
A-Activity Monitor
B-Uses Bait files that try to get infected by unknown viruses
E-extract the signatures for unknown viruses
I-uses integrity checking
S-Stores System areas. Boot sector, and Partition table
V-comes with a Virus scanner.

I placed the generic virus detectors in alphabetical order. I do not recommend one product over another. All of them work differently and may not fit the way you use a computer, so request information on several before you decide.

========================================================================

I would like to thank most of these companies for providing me with evaluation copies of their software to test. If your company produces anti-viral software, and would like for me to test it in LAT, contact me at either of the addresses below.

========================================================================

These tests were performed on a 33 MHZ 486

Bill Lambdin
102 Jones Lane
P.O. Box 577
East Bernstadt, Ky. 40729

Internet address> v.freak@aol.com
Metaverse BBS Co-SysOp (606) 843-9363

------------------------------

Date: Mon, 13 Sep 93 13:00:57 -0400
From: James Ford
Subject: New file on risc (PC)

The file FProt v2.09d has been placed on risc.ua.edu (130.160.4.7) for anonymous FTP in the directory /pub/ibm-antivirus.

------------------------------

Date: Sun, 12 Sep 93 17:39:19 -0400
From: Jerry Leichter
Subject: Ethernet node addresses

[Moderator's note: This is quite far off the topic of viruses, so please send any follow-ups via e-mail to the authors.]
In a side question in a recent VIRUS-L message, Padgett Peterson wondered where the Ethernet addresses used by various vendors come from. What information I have comes from RFC 1060, the "assigned numbers" RFC. It's rather old (March 1990) but the basic information is probably still correct.

Assignment of Ethernet addresses is done by the IEEE. An Ethernet station address is 12 hex digits long. The 6 leading digits (in the standard representation) are assigned by IEEE; the assignee fills in the six trailing digits. One of the leading digits has a reserved bit; it is 0 for a station address, 1 for a multicast address. The writers of the RFC didn't know if the assignment of a block of numbers included both the station and multicast numbers with a common leading 23 bits. (Based on actual usage, this is PROBABLY the case.)

It was also unclear to the writers how the upper 6 digits were chosen. There were hints that some number of the bits were deliberately randomized, while others were allocated sequentially. It may also be the case that globally unique vs. locally unique numbers, and physically assigned vs. software assigned numbers, were supposed to be allocated in distinct ranges. If this is so, it hasn't been done consistently.

I don't know the mechanics of applying to IEEE for a range of addresses, but I assume they are similar to those of applying to Xerox for an Ethernet protocol number: You tell them how many numbers you need, suggesting some particular ones if you care; they reserve something for you and send you back a nice letter telling you what you got. Xerox, when I dealt with them a couple of years back, charged something like $250/request; a request could be for any "reasonable" number of protocol numbers. (Ethernet protocol numbers are only 16 bits long, so there's a limited supply; on the other hand, there was never all that much demand, and these days people use IEEE-format SNAP SAP's, which do the same thing with a 6-byte range of values.)
Obviously, Xerox knows what all the reserved numbers are. However, they won't necessarily tell you: Publication is up to the "owner" of the number. Xerox sends you a form asking for permission to give out your name. I've never seen an actual Xerox listing of protocol numbers; I assume the "private" ones show up as simply "reserved". I would guess that IEEE does something similar; but, again, I've never seen an "official" list. One list I've got was being maintained (a couple of years ago) by someone at cyrus@pprg.unm.edu. Whether anyone there is still keeping the list going, I have no idea.

-- Jerry

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 122]
******************************************
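The address layout that Jerry Leichter's "Ethernet node addresses" post describes, worked through as an added Python example; this is not code from the digest or from any of its contributors. It assumes the IEEE 802 layout of a 48-bit address: the first three octets are the vendor block (OUI) assigned by the IEEE, the assignee fills in the last three, and two bits of the first octet are reserved. The lowest bit is the station/multicast bit the post mentions, and the next bit marks a locally administered (software-assigned) address, the distinction the post raises when it wonders whether such numbers live in separate ranges. The vendor block is rendered with the multicast bit cleared, which is how a station address and the multicast addresses derived from the same block come to share a common leading 23 bits. The sample addresses in the tests and the `__main__` block are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Reserved bits of the first octet (IEEE 802 layout, assumed for this example).
IG_BIT = 0x01  # 0 = individual (station) address, 1 = group (multicast)
UL_BIT = 0x02  # 0 = globally unique (IEEE-assigned), 1 = locally administered


@dataclass(frozen=True)
class EthernetAddress:
    """A 48-bit station address held as six raw octets."""

    octets: bytes

    def __post_init__(self) -> None:
        if len(self.octets) != 6:
            raise ValueError("an Ethernet address is 48 bits (6 octets)")

    @classmethod
    def parse(cls, text: str) -> "EthernetAddress":
        # Accept 08:00:20:01:02:03, 08-00-20-01-02-03, 0800.2001.0203 or
        # 080020010203; anything else is rejected rather than guessed at.
        digits = re.sub(r"[:.\-]", "", text.strip())
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
            raise ValueError(f"not a 12-hex-digit Ethernet address: {text!r}")
        return cls(bytes.fromhex(digits))

    @property
    def is_multicast(self) -> bool:
        return bool(self.octets[0] & IG_BIT)

    @property
    def is_locally_administered(self) -> bool:
        return bool(self.octets[0] & UL_BIT)

    @property
    def is_broadcast(self) -> bool:
        # All ones: both reserved bits set, so it is also multicast and local.
        return self.octets == b"\xff" * 6

    @property
    def oui(self) -> Optional[str]:
        # The IEEE vendor block is only meaningful for globally administered
        # addresses.  It is written with the I/G bit cleared, so the station
        # form and the multicast form of one block share their leading 23 bits.
        if self.is_locally_administered:
            return None
        first = self.octets[0] & ~IG_BIT & 0xFF
        return "-".join(f"{b:02X}" for b in (first, self.octets[1], self.octets[2]))

    def __str__(self) -> str:
        return ":".join(f"{b:02x}" for b in self.octets)


def describe(text: str) -> Dict[str, object]:
    """Classify one address: which vendor block it belongs to and what kind it is."""
    addr = EthernetAddress.parse(text)
    return {
        "address": str(addr),
        "oui": addr.oui,
        "multicast": addr.is_multicast,
        "local": addr.is_locally_administered,
        "broadcast": addr.is_broadcast,
    }


def group_by_block(addresses: Iterable[str]) -> Dict[Optional[str], List[str]]:
    """Bucket an inventory of addresses by IEEE vendor block.

    Locally administered addresses carry no vendor block and are collected
    under the key None, which is the bucket worth a second look when an
    inventory is expected to contain only factory-assigned hardware.
    """
    blocks: Dict[Optional[str], List[str]] = {}
    for text in addresses:
        addr = EthernetAddress.parse(text)
        blocks.setdefault(addr.oui, []).append(str(addr))
    return blocks


if __name__ == "__main__":
    # Constructed sample addresses: a station address, a multicast address
    # from a different block, a locally administered one, and broadcast.
    for sample in ("08:00:20:01:02:03", "01-00-5e-00-00-fb",
                   "02:42:ac:11:00:02", "ffff.ffff.ffff"):
        print(describe(sample))
```

`group_by_block` is the shape of check an administrator doing the hardware audit discussed elsewhere in this digest would run over a list of node addresses: every globally administered address lands under its vendor block, and anything software-assigned stands out under `None`.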