VIRUS-L Digest   Tuesday, 18 Jan 1994    Volume 7 : Issue 4

Today's Topics:

AI and Anti-viral studies
Australia's CVIG closes doors!
Re: Cracked by the Cyborg
Virus statistics sought
Re: Viruses not destructive?? (Was: Virus/gun analogy doesn't work)
Re: Virus/gun analogy doesn't work
Re: Liabilities
Documentation and courses
Thank You (Unix)
Any reviews of InVircible/V-Care ? (PC)
Any reviews of InVircible/V-Care ? (PC)
keyboard lockup virus? (PC)
Re: Anti-virus part. & mbr (PC)
F-PROT's virstop just missing the mummy... (PC)
Re: Any reviews of InVircible/V-Care ? (PC)
A message. (PC)
Vincent Virus in Malta (PC)
Rael virus (PC)
Any reviews of InVircible/V-Care ? (PC)
Re: Satan bug on 500 user lan (PC)
Re: Critical error handler bug? (PC)
A virus or just bad BIOS??? (PC)
"Barrote" Virus alert ... (PC)
Form virus (PC)
GalMar virus? (PC)
Re: Stoned Infection (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).  Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL.  All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 03 Jan 94 08:54:19 -0500
From: hendee@ocean.dnet.nasa.gov (Jim Hendee)
Subject: AI and Anti-viral studies

I have searched all the Virus-L archives, as well as the FAQ, and can
find no definitive answer on how Artificial Intelligence (AI) is being
used in anti-virus studies. Reference was made to a certain product, but
the manufacturer never made a reply. Also, I saw at one time that
Fridrik Skulason made a remark that he was interested in AI, but I never
saw a follow up.

Is anybody really using AI techniques in their antivirus software
engineering? It would seem that a rule-based system would be a good one
for engineering a good antivirus product, even though it may be slow.
Another interesting avenue of investigation might be the utilization of
AI's game theory algorithms (e.g., minimax) in the ultimate game of the
good guys vs. the bad guys. Or maybe somebody out there is using neural
networks to learn all the possible means of PC attack and counter
attack. Study of Genetic Algorithms seems ideally suited for application
to antivirus studies.

If nobody is doing this, it seems now would be a good time!

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Jim Hendee                   | Internet: hendee@ocean.aoml.erl.gov         |
| Data Manager                 | OMNET: j.hendee                             |
| Ocean Chemistry Division     | Fax: 305 361-4582                           |
| Atlantic Oceanographic and   | Phone: 305 361-4396                         |
| Meteorological Laboratories  |                                             |
| National Oceanic and         | "So if you must be talking,                 |
| Atmospheric Administration   |  Please try to make it rhyme,               |
| U.S. Department of Commerce  |  Because your mind is on vacation,          |
| 4301 Rickenbacker Causeway   |  And your mouth is working overtime."       |
| Miami, FL 33149-1026         |                  -- Mose Allison --         |
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

------------------------------

Date: Mon, 03 Jan 94 12:20:21 -0500
From: Klaus Brunnstein
Subject: Australia's CVIG closes doors!

With end-1993, "Computer Virus Interest Group News" (Brisbane/Australia)
distributed its last (Vol.3 No.11) edition. As a Queensland government
grant to Queensland Univ. of Technology expired after 3 years, CVIG is
dissolved by end-of-1993, and CVIG News will no longer contribute in
fighting virus incidents. CVIG's qualified analyses of products and
descriptions of malicious code (Virus/Worms.. Fact Sheets) and CVIG's
trend analysis made significant contributions about Down-Under and
Far-East trends; CVIG's end will leave a vacuum which will be hard to
fill :-)

The final edition mentions the maturity of Australian AV-producers.
CYBEC, Leprachaun and few more Australian AV producers/distributors offer
to take over CVIG's task to collect data on viral events and warn about
imminent threats.

Scott Mewett, in his last contribution, mentions that replies to recent
CVIG questionnaires seemed to indicate a continuous decline in 1993 in
viral events, down -13% in 2nd quarter and even -27% (from 111 to 67
reported events) in 3rd quarter 1993. But when CVIG analysed the trends
in their home university (QUT), they found a contrasting increase in
viral incidents in both 2nd and 3rd quarter! Unfortunately, CVIG will no
longer be able to analyse the evident contradiction between these
figures!

It is with some amusement that readers from outside "Down-Under" read
the last "Readers Forum", where Elizabeth Gunn from Leprachaun argues
that "Australian AV products are comparable, if not better than rival
overseas products". It remains to wish that Aussie-AV experts succeed in
filling the gap which CVIG undoubtedly leaves behind.
Klaus Brunnstein (University of Hamburg, Dec.28,1993)

------------------------------

Date: Wed, 05 Jan 94 03:27:14 -0500
From: harris@lmps.nml.mot.com
Subject: Re: Cracked by the Cyborg

I need some NET Wisdom.....

Has anybody heard of a virus with a name even similar to something like:
"Cracked by the Cyborg" ???

Couldn't start up my home DOS machine. Said there was a problem with the
C drive. I repaired it with Norton, started it up and everything seemed
fine. But when I executed a game (Budo) I see the message appear for an
instant: "Cracked by the Cyborg". Since the game has nothing to do with
Cyborgs and I just had a problem starting the machine, I suspect this to
be a virus' msg. Any ideas?

Previous symptoms of odd behavior: Difficult to say, I have been
installing the Japanese DOS J5.0V system along with its compatible MS
Windows. I was having keyboard mapping problems (nothing strange) & once
or twice the CPU locked up on me. I attributed this to the OS, but
thought it a little unusual.

Regards,
Rex Harris
harris@lmps.nml.mot.com

------------------------------

Date: Wed, 05 Jan 94 18:45:57 -0500
From: DAVID
Subject: Virus statistics sought

I am looking for statistics on computer viruses, i.e. how many are
there, how many computers will they infect this year and previous years,
at what rate are new viruses growing, etc. Any help on this subject is
greatly appreciated.

THANKS!!

THAT'S ALL FOLKS

------------------------------

Date: Sun, 09 Jan 94 19:58:44 -0500
From: ktark@src4src.linet.org
Subject: Re: Viruses not destructive?? (Was: Virus/gun analogy doesn't work)

Greg Cotton (cotton@vms.ucc.okstate.edu) writes:

>>src4src!ktark@imageek.york.cuny.edu (Karl Tarhk) writes:
>>As i said it has yet to be proven that viruses are inherently
>>destructive!

>Pardon me if I sound ignorant (for I haven't been following the
>thread), but this point seems a bit hard to swallow.

I am talking about the logical proof of a statement.
The validity of it has nothing to do with whether you 'swallow' it or not.

>Please clarify how when there are so many viruses out there that
>reformat the hard drive or one of my favorite (not because it destroys
>data, but because it was cunning) is the one that randomly erases a
>sector for every 16 files it infects. How can these be said to not be
>destructive??

Go to your favourite anonymous ftp site and grab a copy of VSUM 9310.
(While it is not the most accurate source of information, there is
nothing better.) Count how many viruses 'do nothing besides replicate.'
Count how many 'reformat the hard drive.' There is a clear winner, and by
a large margin. There are more non-malicious viruses than there are
malicious ones.

While this proves nothing about the inherent properties of a computer
virus, it illustrates another flaw in the thinking of most people.

Go to your favourite dictionary and look up the word 'inherent.'

ktark@src4src.linet.org

------------------------------

Date: Sun, 09 Jan 94 19:58:38 -0500
From: ktark@src4src.linet.org
Subject: Re: Virus/gun analogy doesn't work

in response to: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

>> Of course not.
>> The point here is not distribution, the point here is the making
>> and creating of viruses.
>> Distribution of viruses is another story.
>
>OK. As several people mentioned here, it is OK to write a virus, if
>you don't give it to anybody. However, if it appears somewhere where
>it is not wanted, then you are partly responsible for it. Do you agree
>with this?

Yes. This makes both you and me partially responsible for distribution
                                ^^^^^^^^^
of source codes into possible irresponsible hands.

>> As i said it has yet to be proven that viruses are inherently
>> destructive!
>
>OK, let's put it in another way. All viruses are harmful (i.e. can
>cause damage) in some environments.
>Some of the existing viruses are
>written with the intent to be harmful, while others cause harm
>non-intentionally.

Using your argument: ANY piece of software, in theory (and in real life)
has an environment in which it will be harmful! And most software has
not been written with the intent of causing damage!

This argument proves nothing, as it is just a theoretical generalization
of operating system / software interaction.

ktark@src4src.linet.org

------------------------------

Date: Sun, 09 Jan 94 19:58:51 -0500
From: ktark@src4src.linet.org
Subject: Re: Liabilities

Rob writes:

>> Shall we mention the percentage of the ones that DO NOT replicate at
>> all, i.e. cannot 'escape' in newer / exotic DOS systems??
>
>I believe the use of the word 'cannot' in the context of viruses is as
>appropriate as 'never' in the rest of our daily lives. And what, if I might
>ask, is your point? That because some viruses don't escape, we shouldn't say
>that some (most?) of them do?

My point is to show that comparing viruses to feline predators is
complete nonsense. Most viruses are unsuccessful in their action. Most
feline predators are not.

>> Wrong!
>> The real properties, mathematically speaking, are 'reproduction' of the
>> virus and 'modification' of the system.
>> Equating 'modifying' with 'causing damage' is wrong, in specific scientific
>> terms, (We are not discussing the ethics behind here.)
>
>I enjoy a good game of word play. But I never suffer from the
>misconception that it is any way important. When you go to a boxing match, do
>you say to the loser that he fought well, and was unfortunate to have his
>face modified by his opponent?

EVERY program modifies the environment in some way (go and look up some
book on the theory of operating systems). Using YOUR logic: then every
program causes damage to the system.

Again, 'To Modify' does not equal 'to cause damage'; to assert so is
completely idiotic!
Every software company modifies their own product constantly, and yet
this modification can hardly be considered 'damage.'

>Any viral attack, even by a 'good' virus, causes damage. Read Stoll's book
>for a fairly lucid description of the loss of trust in your computer, or in
>the network, caused by 'hacking' in general, and the Internet worm in
>particular.

None of the examples you mention has anything to do with the theoretical
properties of computer viruses. (They don't even have anything to do with
computer viruses; mixing computer criminals with this is inappropriate.)

Go read any of Fred Cohen's papers and then come back to argue.

>When things act weird, people get worried. In my opinion this is
>justified. Computers should act in a deterministic way, and anyone who causes
>spurious behaviour in another person's computer is guilty of some sort of
>crime. I'm well aware that commercial software often exhibits such behaviour;
>that is only an argument for pillorying commercial software houses, not
>supporting the existence of viruses.

I am not looking for an argument to support the existence of viruses.
There are many valid arguments for this. I am trying to show that
viruses are not by definition inherently destructive.

There are a lot of viruses that don't cause 'spurious behaviour' in
people's computers, so your point is not valid.

>> These properties hardly equate to the properties of a lion!!!!
>> A lion is a predator by nature, a computer virus isn't.
>
>Though perhaps a virus writer is?

How so? Can you show us how? Do you have ANY known example of a computer
virus writer infecting directly any system?

[gun matter deleted]

>Without the virus writer, a virus would not exist.

And without people like John McAfee, Mr. Bontchev and Sarah Gordon many
virus writers would not exist.

>Without a (currently known) means of transmission, the virus cannot escape.

Could you be more specific?
>Is the vector of the virus, or the virus writer him(her)self more dangerous?

Dangerous? Can you show that ALL viruses are dangerous? Can you show that
most viruses are dangerous? ( > 60% )

IF you cannot show some information relevant to the matter then your
question is off grounds since neither virus vectors nor virus writers are
dangerous.

'What is more dangerous, a computer virus or an irresponsible Novell
systems administrator / systems programmer ?' :)

>Without the virus, the vector is not dangerous (in relation to this
>particular issue).

Could you make your statements clear? What are you talking about?

>Without the vector, the virus is still, potentially, dangerous.

???

>And a question to the 'No Liability' lobby - if you have a viral attack, and
>you know who the author of the virus code is, who do you blame? Or maybe you
>don't apportion blame?

You blame whoever put the virus there!

>> But it cannot be proven that the deed of writing viruses causes such
>> things.

>Terribly post-modern, but not very useful. Writing viruses is the sine qua
>non of the whole shooting match.

The point is not being 'post-modern' or 'useful.' I am talking in
mathematical and logical terms, not in bleeding sentiments or one sided
morality.

>> The ones that should be held liable are the ones that introduce viruses
>> in computer systems without authorization, (which is against the law
>> in many countries.)
>
>Should we lock up drug smugglers, or the barons who control them?

Both! But virus writers are not any more criminal than any Novell systems
administrator / systems programmer. Unless you can come up with a logical
argument proving otherwise.

>Which does
>more good? Treat the cause, not the symptom. Like locking up prostitutes, or
>clearing out squatters, the problem still exists, you've just changed the
>players.

Yes. So what do you think should be done? A 12 step program for virus
writers?
A political correctness course for computer programmers showing everyone
how we should be nice programmers while our employers exploit the living
daylights out of us? Showing us how we all should worship corporations
like Microsoft and IBM, that embody the purity and honesty that is
exclusive only to our favourite god?

> > >I don't think that virus creation should be forbidden per se. But I do
> > >think that if a virus is found somewhere where it is unwanted, the
> > >author of the virus should share the responsibility, even if he has
> > >not introduced the virus into that system.
>
> >> By the same token, the manufacturers of firecrackers should be held
> >> liable when someone uses their product in a malicious way?
> >>
> >> NO!
>
> >If this "someone" manufactures firecrackers and distributes them to
> >children, telling them "look how great it will be to put some fire on
> >that building" - yes, such person should be held liable.
>
>> Agree.
>> But this is a specific case where the manufacturer is taking another
>> if we refer to a manufacturer in the broad sense of the word the answer
>> is still :NO!
>
>Change the product to Nuclear bombs, say. Is the manufacturer still innocent?

In the eyes of the law, yes.

>Or make the product soldiers; is the government innocent?

In the eyes of the law, yes.

>Crack, tanks, child pornography, bugging devices. Just a few products where the
>manufacturer, IMHO, is guilty for the results. Maybe not liable, in your legalistic
>sense of the word.

The legal sense of the word is the point. I never intended to include
anyone's favourite brand of ethics and bleeding heart sentiments here.

>Just guilty in a very real sense.

The very real sense? Whose very real sense? Yours? Is there a very real
sense? Have you seen it?

>Forget broad, we're talking about virus writers.
>Are they pure as the driven snow, or are they a bunch of idiots, with a
>severely warped sense of 'right' and 'wrong'?
Virus writers are as pure and as idiotic as any Novell systems
administrator / systems programmer.

From your sentimental point of view we have a warped sense of 'right' or
'wrong.' From my logical and mathematically trained point of view the
ones who have a warped sense of right and wrong are the ones that have
misconceptions and ideas that they cannot support in a logical argument.

>> Have you ever heard of disclaimers?
>> That takes care of any implied secondary intentions you might want to
>> give to the manufacturer.
>> To complete my point: If the product has a proper disclaimer notice
>> the manufacturer cannot be held liable for the proper / improper use
>> of whatever the product is.
>> Computer viruses included.
>
>Good call my friend. Virus writers - get in touch with your lawyers, and
>let's see if we can knock up a good disclaimer. I'd like to see the wording
>on that.

1- I am not your friend.
2- Go and take a look at the original source codes for some of the
viruses distributed by Trident.

>'Any use of this soldier for killing members of alien races is not the
>responsibility of this army. We disclaim everything we can.'
>Sorry Mrs German, your son was killed, but no one's responsible.

How does this have anything to do with computer viruses? Are you
attempting to establish an analogy here? Or perhaps some attempt at
cynical humour?

>What a load of cack. Good for malefactor's consciences, but meaningless to
>any sane member of the human race.

Using your argument most of the members of the human race that have
existed have been insane as they have supported slavery and racism
throughout centuries. Yes, this includes your ancestors. You are the
direct product of generations of insanity. Your arguments really make a
lot of sense.

>> >Besides, there are many *useful* applications for firecrackers. I have
>> >yet to see *one* useful application of a computer virus (as most
>> >people understand it, not as Dr.
>> >Cohen understands it) that cannot be
>> >performed (often much better) by a non-viral program.
>>
>> Well, I predicted your reply, :) and I stated below in the original
>> posting:
>>
>> "While a million of you will argue that a good use for a computer virus is
>> yet to be found, it is yet to be proven that there isn't a good use for
>> a computer virus."
>
>.. "that cannot be performed (often much better) by a non-viral program?"

Care to mention any examples? Do you know of ANY product that does what
KOH does? And better? (I assume you know what KOH is..)

>> >> You are assuming something that can NOT be proven: Computer viruses
>> >> are inherently destructive.
>>
>> >Whether computer viruses are inherently destructive in theory is a
>> >different question and I will be glad to do some research in this
>> >direction, but we are not talking about the theory now. We are talking
>> >about the viruses that exist *now* and that destroy data *now*.
>>
>> What about the viruses that don't destroy data?
>> I will say that more than 60% (approximately) of all known viruses don't
>> carry any destructive or malicious code.
>>
>> Are they destructive?
>
>See above. A noisy fan in my car may not be destructive in any quantitative
>sense, but it sure annoys me. Maybe most viruses are just 'noise'; IMHO we
>shouldn't have to put up with it, and we should strive to punish those who
>cause it. It's antisocial, maybe not pathological, but certainly antisocial.

'A bug in my favourite package of software may not be destructive in a
quantitative sense, but it sure annoys me. Maybe most commercial software
is just 'noise'; IMHO we shouldn't have to put up with it, and we should
strive to punish those who cause it. It's antisocial, maybe not
pathological, but certainly antisocial.'

This illogical, one sided way of thinking is what keeps bigotry alive.

>> If they cause damage accidentally, is beside the point, as there is plenty
>
>ermm, not quite.
>We install commercial software of our own volition, looking
>carefully at the licence agreement, guarantees, reputation, independent
>reviews etc. Viruses tend to get dumped on us from above (or below).

Yes, and the ones responsible for dumping it there are the ones who
should be punished.

>> of commercial software (Example: MS DOS's original Chkdsk.exe) that causes
>> unwanted destruction, so if you apply your thinking to commercial software
>> you could say that there is software that exists *now* that destroys your
>> data *now*.
>
>The benefits of DOS (ie it lets you use the box on your desk for something
>more exciting than watching it display 'Please insert boot disk') outweigh
>the problems

Problems like having all of your hard drive thrashed? Yeah, sure.. maybe
for you, but not for the rest of the users out there.

>(such as CHKDSK, such as supporting a modern day empire with all
>the social graces of Genghis Khan's horde from the east). The benefits of
>'harmless' viruses are nil.

No, they are not. KOH has more than nil benefits, it has many. If there
is someone out there that can find a program that does what KOH is able
to do, please speak now.

>The problems don't have to be too great to swing
>the balance against them.

Yes, and this applies to commercial software as well.

>> Let's face it, software incompatibilities and data destruction are not
>> exclusive to viruses.. on the contrary I have seen -some- viruses that have
>> less compatibility problems than a lot of commercial products, (AntiViral
>> ones included.)
>
>So lambast software suppliers. Don't laud the lowest stratum of the computing
>world. And don't make excuses for them.

This whining does not contradict my point in any way.

>I've gone on (and I mean that most sincerely) at great length. Please forgive
>me - it won't happen again.

I hope not.
ktark@src4src.linet.org

------------------------------

Date: Sun, 09 Jan 94 20:25:49 -0500
From: ab770@FreeNet.Carleton.CA (Marc Heroux)
Subject: Documentation and courses

I want to work in computer security and anti-virus. Are there courses
that I could take to get a job in the field?

- --
If it don't fit, use a bigger hammer.  -Miles O'Brien

When a fox chases a rabbit, the rabbit will always win. The fox is
chasing dinner and the rabbit is running for his life.  Sun Tzu

------------------------------

Date: Thu, 06 Jan 94 23:31:16 -0500
From: radatti@cyber.com (Pete Radatti)
Subject: Thank You (Unix)

> # Thank you!.
> This is the message that came out in a terminal window while
> I was working in the OpenWindows environment in a Sun SPARCstation 10
> with the root privileges. Actually, it happened after executing the
> cp command.

If it is anything except a "echo "#Thank You!" > /dev/console" I will be
surprised. It's a very simple, nasty way to scare people. If it is an
attack then it is more likely to be a trojan. Perform the command

    find / -name cp -print > report

then examine the report for "cp" commands that should not exist. Also
use the file command on them to ensure they are all executables and not
a script. You can also use diff to compare them to copies of "cp" on a
known good system. If you still think you have problems after this
contact me and I will provide a program to search your system.

Good Luck

Pete Radatti
radatti@cyber.com

------------------------------

Date: Fri, 24 Dec 93 13:19:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Any reviews of InVircible/V-Care ? (PC)

Allen Taylor writes:

> I also am skeptical of the claims made by Netz; No
> virus infection on any machine that is protected with
> their package and no updates in the last
> three years [??].

Well, he sells the product; that might be a good reason for the claims.
However, there is something true behind it...
V-CARE (my product and also the one that InVircible was derived from)
solved so many "UnKnown" virus problems you won't believe.

> I also am looking for a solid review. My questions to
> McAfee about Adaptive expert Systems [and to Patricia
> Hoffman of VSUM fame]
> have gone unanswered, so far.

Why should they answer? McAfee does not go the generic way [What? No
updates? :-( ], and Patricia has no interest in this. I wrote (faxed) to
McAfee some 5 years ago on some virus issue and was ignored completely.
Besides: Why do you think he'd know the answers?

If you are looking for reviews, read the French magazines, I'm sure
you'll find more reviews than you can read (the product is called
ViGUARD in France).

BTW, V-CARE is not new, it has existed some 5 years or so... and did the
same then as it does today.

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team. *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Fri, 24 Dec 93 13:11:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Any reviews of InVircible/V-Care ? (PC)

Chua Keng Ngee and howard@ccu1.auckland.ac.nz (Howard Ross) ask:

>> We have recently been approached by someone selling InVircible
>> I understand that this product was previously
>> marketed as V-Care by CSA Interprint of Israel.

True, it still is! CSA has the distribution rights, but the V-CARE
product is developed and produced by NSE Software of Israel (humbly
yours). What you call InVircible was once a part of V-CARE and now is a
separate product. As such V-CARE has all the features that are in the
InVircible product; InVircible doesn't have what V-CARE has. For example
it doesn't have a TSR prevention module.

>> it employs generic defences against viral attack.
>> Because it does not use scanning, it doesn't fall
>> into obsolescence.

V-CARE started the Generic "thing"; some of the features that were
introduced by V-CARE are also implemented in other products like
UnTouchable.
And No: InVircible *does* use scanning, but gives less weight to this
module as the main motive is Generality. As such: you cannot use
InVircible on a previously infected disk.

>> It boasts high speed, ease-of-use, unobtrusiveness,
>> and a high rate of restoration/disinfection.
>> Can the labelling on the package be believed?

Yes. The average speed of file scanning by both V-CARE and InVircible is
about 2500 files per minute. (No other product in the world competes
with that). V-CARE has a variety of generic methods that can be used to
clean unknown viruses (and obviously to detect unknown viruses).

> Well, I can only point out an oddity I discovered
> after install.exe has finished the installation.
> The size of files inoculated by CPAV were
> decreased by 5 bytes. Is this normal ?

Beware! InVircible attacks the CPAV immunization system as it considers
it a "virus" or an illegal type of modification. The problem you
described could be the result.

BTW, if you are looking for reviews, look in the French magazines, I'm
sure you'll find more reviews than you can read. (The product is called
there "ViGUARD").

Generally InVircible is a part of the Generic modules of V-CARE; it
requires to be previously installed in order to protect your PC, and it
will always work *ONLY AFTER* the infection was done! V-CARE however
invests a serious interest in preventing and in detecting and dealing
with new viruses.

You've asked...

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Sun, 26 Dec 93 12:37:25 -0800
From: "Harry G. Newman"
Subject: keyboard lockup virus? (PC)

Our computers at church have what appears to be a keyboard lockup virus.
If the keyboard is left for a few minutes, like answering the phone, the
keyboard is locked up. The mouse still works but to get the keyboard
working the PC must be rebooted. Anybody have any suggestions?

Harry Newman (Rev.)
hnewman@igc.org

------------------------------

Date: Mon, 03 Jan 94 09:09:30 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Anti-virus part. & mbr (PC)

>From: mikehan@kaiwan.com (Mike Hanewinckel)

>Has anybody else noticed this 'bug' in ThunderByte's anti-viral boot
>sector/partition feature? If you are using IBM DOS version 6 and QEMM
>version 7.0 or higher with the DOS-UP feature enabled, ThunderByte's
>partition software will be triggered when it 'check system ram'.

For what it is worth, I ran into something similar with the file that
moves my DiskSecure (now v2.4 and FreeWare) intercept into low memory:
if QEMM 7.+ DOSDATA.SYS and DOS-UP.SYS are in use, my stuff would lock
up.

After talking with QEMM and receiving a copy of their API, I wrote a
program, QEMMST.COM (included in the DS24.ZIP) that will determine if
QEMM v6.0 or above is in use and will return an errorlevel equal to the
version number if present. Unfortunately, you cannot as yet inquire
whether DOSDATA is in use; however if QEMM 7.x is present, it is likely.

Warmly,
Padgett

ps Since DS II is now FreeWare and Frisk's F-Prot is also free to
individuals, and both work on any PC including 8088s, there is no longer
any excuse for people not to have effective protection.

------------------------------

Date: Tue, 04 Jan 94 01:51:57 -0800
From: aurona@irix.me.ncu.edu.tw (Aqrose H. Chang)
Subject: F-PROT's virstop just missing the mummy... (PC)

A question: does virstop work as well on a network as on a PC?

I am using VIRSTOP to prevent virii from infecting my files, but it
seems useless as I am on my local NOVELL network. Is it a BUG? Or just
not included?

By the way, NAV 3.0 can detect that though..

Thanks a lot.

Sincerely,
Aurona

------------------------------

Date: Tue, 04 Jan 94 04:36:56 -0500
From: amirg1@ccsg.tau.ac.il (GOL AMIR)
Subject: Re: Any reviews of InVircible/V-Care ? (PC)

This time I'm going to beat VI !
Chua Keng Ngee (isc00272@leonis.nus.sg) wrote:

: Well, I can only point out an oddity I discovered after install.exe has
: finished the installation.
: The size of files inoculated by CPAV were decreased by 5 bytes. Is this
: normal ?

I use Stacker 3.0, Dos 5.0, and InVircible version 5.01.

It's a bug in InVircible. When CPAV "immunizes" a file, it appends a
short CRC checking code and a 5-byte "MSDOS" signature to it. The
"MSDOS" sig is meant to fool some virus (a variant of Jerusalem, as far
as I remember). When the scanning module of InVircible detects a file
"immunized" by CPAV, it removes that "MSDOS" sig (without asking for user
confirmation, without any user notification and without even updating
its own signatures database) and hence the missing 5 bytes.

: and is 5.01 the latest version ?

The last version I know of is 5.04A.

Amir Gol (I)

------------------------------

Date: Tue, 04 Jan 94 16:16:58 -0500
From: s1105353@cedarville.edu (Virgil)
Subject: A message. (PC)

A strange message coming from the machine:

"WARNING: The shareware should be loaded for large media"

Does anyone know what virus this is?? I KNOW it is a virus but I don't
know which one!!

<><><><><><><><><><><><><><><><><><><><><><>
<> Virgil Vaduva  P.O. BOX 601 Cedarville, <>
<> Ohio, 45314                             <>
<> 001122[[ Email Addresses:               <>
<>                                         <>
<>   s1105353@cedarville.edu               <>
<>   VirgilV@roearn.ici.ac.ro              <>
<>   VirgilV@bestdpx.power-dept.pub.ro     <>
<>   Virgil.V@lambada.oit.unc.edu          <>
<>   .......etc......                      <>
<> ======================================  <>
<> So if you people want to write me you   <>
<> can choose the address.....             <>
<><><><><><><><><><><><><><><><><><><><><><>

------------------------------

Date: Wed, 05 Jan 94 17:44:21 -0500
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Vincent Virus in Malta (PC)

A number of PC's at the PC Lab of the Dept. of Information Systems at
the University of Malta were infected last December with a boot sector
virus called Vincent.
It infects the MBR like No_INT does. Scanners such as Dr. Solomon's Toolkit detect it incorrectly as No_INT (CARO name Stoned.No_INT). BOOT-ID reports the boot sector as #40L7QVS.T8P and displays "..unknown; seems to be a boot sector, possibly a virus ("MSDOS4.0")". There are no strings embedded in the boot sector. Its operation is identical to Stoned III or No_INT, and can be cleaned with any antivirus software which can clean No_INT. It copies the original floppy boot sector to track 0 head 1 sector 3 and the original HD MBR to track 0 head 0 sector 7, just like No_INT. Two years ago, this same virus infected the PC lab. of the Computing Dept. (as it was known then), and I had called it 'Vincent' after the first student who had his working floppy infected by the virus during a Pascal programming practical session. After analysing it, I have extracted the following search pattern which may be used for Vincent (I propose the CARO name Stoned.No_INT.Vincent): 83 FA 01 77 05 E8 0A 00 72 00 58 1F It does no damage other than overwriting any directory entries which may be present on floppies (just like No_INT). - --------------------------------------------------------------------------- Clyde Meli, B.Sc., Teaching Assistant, Dept. of Information Systems, University of Malta, Msida, Malta. Internet: cmeli@unimt.mt ------------------------------ Date: Wed, 05 Jan 94 21:16:47 -0300 From: Gustavo Muslera Subject: Rael virus (PC) Someone out there know something about the "Rael" virus? It's reported by TBAV 6.09, but not by F-Prot 2.10c or Scan 109... I don't know nothing about this virus (except his name :), and I think that the virus is actually inside a packed program, because a friend that got it deleted the infected programs, checked all, and aparently was clean, but when checked again next day the virus was here... Obviously, allways has been detected with TBAV... but perhaps the virus are compressed within a program, and then here is not detected. 
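The post gives everything needed to check a disk image for this kind of infection: a 12-byte search pattern, and the fact that a No_INT-style infector keeps the original hard-disk MBR at track 0, head 0, sector 7 (and the original floppy boot sector at track 0, head 1, sector 3). The Python below is an added example, not code from Clyde Meli or from any scanner named in the digest. Only the pattern and the two save locations come from the post; the disk geometry, the 8-sector demo image and its filler "code" bytes are constructed for the demo, and the partition-table comparison is an extra sanity check of my own rather than something the post describes.

```python
"""Vincent / No_INT-style MBR check: search-pattern scan plus recovery of the
saved original MBR.  Added example, not code from Clyde Meli's post; the
pattern and the sector locations come from the post, everything else
(geometry, the demo image, the partition-table check) is assumed or constructed."""

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PTABLE = slice(0x1BE, 0x1FE)          # partition table inside a boot sector

# 12-byte search pattern proposed in the post for Stoned.No_INT.Vincent.
VINCENT_PATTERN = bytes.fromhex("83 FA 01 77 05 E8 0A 00 72 00 58 1F")

# Where the infector stashes the original sector, per the post (1-based sectors).
HD_ORIG_CHS = (0, 0, 7)      # hard disk: track 0, head 0, sector 7
FLOPPY_ORIG_CHS = (0, 1, 3)  # floppy: track 0, head 1, sector 3


def chs_to_lba(cyl, head, sector, heads, sectors_per_track):
    """Translate CHS (sector numbered from 1) to a zero-based LBA."""
    if sector < 1:
        raise ValueError("CHS sector numbers start at 1")
    return (cyl * heads + head) * sectors_per_track + (sector - 1)


def read_sector(image, lba):
    chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(chunk) != SECTOR:
        raise ValueError(f"sector {lba} lies beyond the end of the image")
    return bytes(chunk)


def find_pattern(sector, pattern=VINCENT_PATTERN):
    """Offset of the search pattern in the sector, or -1 if absent."""
    return sector.find(pattern)


def scan_mbr(image, heads=16, sectors_per_track=63):
    """Report whether sector 0 matches the pattern and whether the saved
    original at CHS 0/0/7 is a plausible replacement: boot signature present,
    pattern absent, and the same partition table as the infected MBR (a
    No_INT-style infector carries the table over unchanged so DOS still boots)."""
    mbr = read_sector(image, 0)
    off = find_pattern(mbr)
    report = {"infected": off >= 0, "pattern_offset": off,
              "orig_lba": None, "orig_plausible": False}
    if off < 0:
        return report
    lba = chs_to_lba(*HD_ORIG_CHS, heads, sectors_per_track)   # head 0, so == 6
    orig = read_sector(image, lba)
    report["orig_lba"] = lba
    report["orig_plausible"] = (orig[-2:] == BOOT_SIG
                                and find_pattern(orig) < 0
                                and orig[PTABLE] == mbr[PTABLE])
    return report


def clean_mbr(image, heads=16, sectors_per_track=63):
    """Return a copy of the image with the saved original written back over
    sector 0.  Refuses to act if the saved copy fails the checks above, since a
    blind overwrite with garbage leaves an unbootable disk."""
    rep = scan_mbr(image, heads, sectors_per_track)
    if not rep["infected"]:
        return bytes(image)
    if not rep["orig_plausible"]:
        raise RuntimeError("saved original MBR missing or damaged; not overwriting")
    return read_sector(image, rep["orig_lba"]) + bytes(image[SECTOR:])


def build_demo_image():
    """Constructed 8-sector image: sector 0 carries the pattern, sector 6
    (CHS 0/0/7) holds a fake 'original' MBR with the same partition table.
    The code bytes are filler, not a real virus or boot loader."""
    ptable = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x0F,
                    0x3F, 0, 0, 0, 0xC1, 0xF0, 0x03, 0]) + bytes(48)

    def sector(code):
        return code.ljust(0x1BE, b"\x00") + ptable + BOOT_SIG

    original = sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"DEMO ORIGINAL MBR")
    infected = sector(b"\xEA\x05\x7C\x00\x00" + VINCENT_PATTERN + b"\xCF")
    image = bytearray(SECTOR * 8)
    image[0:SECTOR] = infected
    lba = chs_to_lba(*HD_ORIG_CHS, 16, 63)
    image[lba * SECTOR:(lba + 1) * SECTOR] = original
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    print(scan_mbr(img))
    print("after cleaning:", scan_mbr(clean_mbr(img)))
    print("floppy save slot on a 1.44 MB disk is LBA",
          chs_to_lba(*FLOPPY_ORIG_CHS, 2, 18))
```

To use it on a real image, pass `open("disk.img", "rb").read()` to `scan_mbr`; for a floppy image use `FLOPPY_ORIG_CHS` with the floppy's own heads and sectors-per-track (2 and 18 for a 1.44 MB disk, giving LBA 20). Two caveats a practitioner would want: a 12-byte pattern hit on its own is evidence, not proof, which is why the code also insists that the save slot holds something that looks like a clean MBR before it will write anything back; and, as the Stoned reply later in this digest says, on a live PC this kind of check only means something after booting from a clean, write-protected floppy, because a resident boot virus can hand a clean-looking sector to anything that reads the MBR through it.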
------------------------------

Date: Wed, 05 Jan 94 21:16:47 -0300
From: Gustavo Muslera
Subject: Rael virus (PC)

Does someone out there know something about the "Rael" virus? It's reported by TBAV 6.09, but not by F-Prot 2.10c or Scan 109...

I don't know anything about this virus (except its name :), and I think that the virus is actually inside a packed program, because a friend who got it deleted the infected programs, checked everything, and apparently it was clean, but when he checked again the next day the virus was back... Obviously, it has always been detected with TBAV... but perhaps the virus is compressed within a program, and then it is not detected there.

Is the virus detected by newer versions of other antivirus programs (I hear something about Scan 110, F-Prot 2.10f, and AVP 1.07b)? How can I get rid of it? (If it is inside a packed program, other than by trying all the programs on this machine.)

Thanks for any help

Gustavo

------------------------------

Date: Sun, 02 Jan 94 10:15:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Any reviews of InVircible/V-Care ? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) answers Howard Ross (howard@ccu1.auckland.ac.nz):

> It is true that anti-virus packaged based on integrity
> checking don't need to be updated as often as the scanners.
> It is not true, however, that they don't have to be updated at all
> - every program becomes obsolete with time.

Nicely said. However, you'd be surprised to know that since V-CARE invented the smart-signature stuff, almost NO change in the system was necessary (more than 5 years now). And not only that, but even the product that you yourself like(ed?) most (Untouchable or Vanalyst) has learned the system from us, and also didn't have to change much in the last 2 years.

> Second, while integrity checking is a stronger
> line of anti-virus defense than scanning, it is
> certainly not good enough as a *single* line of defense.
> The best is to combine it with scanning - scan all incomming
> software and control the integrity of
> the existing software.

That is exactly the difference between V-CARE and InVircible: while V-CARE is strong both in specific scanning (VSCAN), specific prevention (VSECURE-TSR), and even heuristic scanning, InVircible only does integrity checking.

> I can bet you that
> (a) I can design a virus that will be able to infect a system
> infected by it and pass unnoticed (actually, I'll
> probably be able to invent 3-4 different ways to bypass
> the system, but I am making a safe bet ) and
> (b) it doesn't protect against at least some of the already existing viruses.
> If you doubt in the above, ask the producer how the
> package protects your system against Brain - one of the
> first IBM PC viruses.

V-CARE protects your disk very well against this type of virus, as they are the simplest to prevent (please refer to previous discussions on VirNet some 8 months ago). However, integrity checking is easily capable of detecting and cleaning boot viruses; in fact it's easier than with file infectors.

> ask them how would their product protect your hard disk from
> a virus that infects like Brain, but also corrupts only the
> data files on your hard disk and only when they are being
> modified by DOS.

Is that your idea of a problematic virus? How about a virus that infects only a PC with a modem and only when there is a call on the line? Or one that infects only PCs with Spanish keyboard support? Or... ;-)

I mean: let's not get too theoretical on this; there are enough viruses in the world that pose a problem without going to look for one that does not exist, or one that, if it did exist, I'd bet you (I see you like betting) would not spread enough to justify changing the whole anti-virus scheme.

> BTW, one of the problems with the integrity-based
> system is that they detect the infection only after-the-fact
> - which in some cases might be too late. Like if you get
> infected by Michelangelo on March 6. :-)

BTW, as everyone knows that people tend to modify viruses, think of a simple modification of Michelangelo that triggers on March 7th (???). Don't change your system date ahead or you might be surprised... 8-)

Warmly (No rain this winter in Israel)

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Thu, 06 Jan 94 10:18:27 -0500
From: "David M. Chess"
Subject: Re: Satan bug on 500 user lan (PC)

> From: mikehan@kaiwan.com (Mike Hanewinckel)
> It is also a polymorphic virus, so you will need a virus
> checker that can handle generic viruses.

Slight confusion here: while the virus is polymorphic, and can't be detected by a simple scan string, it's entirely possible to write a small algorithmic detector for it. So the latest version of any decent scanner (including IBM AntiVirus) should detect SatanBug just fine, without having to use "generic" detection (without, for instance, allowing it to spread and noticing the changes later).

In general, "generic" sorts of detection are needed only to detect brand-new viruses that the developers haven't seen yet. Once the developers have a sample of the virus, the best policy is to make sure that the product can specifically detect *that* virus, by non-generic means. At least if the virus is actually out in the world spreading...

--
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date: Thu, 06 Jan 94 11:17:39 -0500
From: Ken Bell
Subject: Re: Critical error handler bug? (PC)

On Mon, 20 Dec 1993 Rob Slade wrote:
>also factors such as the infamous "critical error handler bug,"
>which means that very innocent actions on your part can be damaging.
>Funny, they've never fixed that.

What is this infamous bug? And, a corollary, does installing one's own critical error handler circumvent it?

------------------------------

Date: Thu, 06 Jan 94 12:14:00 -0500
From: Jeff Shane
Subject: A virus or just bad BIOS??? (PC)

I have an old i386-20 motherboard and 4 Conner hard drives (3 100MB and 1 170MB). For four months, I used all four drives in an i486-33 and experienced no problems with the drives. The three 100MB drives are 2-3 years old.

After installing the drives in my machine, I have experienced very interesting problems. Whenever any of the 100MB drives are connected, the machine can hang from 1 to 120 seconds on any access to a hard drive (170 or 100). Has anyone heard of a problem like this? (By the way, I can only use two drives at any one time due to BIOS limitations.)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
| Jeffrey S. Shane                                                |
| Telecommunication Systems / Zoology                             |
| Brigham Young University                                        |
| Provo, Utah                                                     |
|-----------------------------------------------------------------|
| Nothing makes a politician forget campaign promises faster than |
| being elected.                                                  |
|                                                                 |
| Political joke of the year: The Brady Bill                      |
| A man in California (where they have some of the toughest       |
| gun laws in the nation) waits 15 days for his gun, (the         |
| Brady Bill only says 5) takes a trip to New York, and           |
| shoots a bunch of people (outside of NYC in respect of the      |
| mayor). The Brady Bill would have done *NOTHING* to prevent     |
| this man's actions. It is just a great example of the           |
| empty rhetoric and absolute stupidity coming out of             |
| Washington lately!                                              |
|                                                                 |
| Remember: PEOPLE KILL PEOPLE (the answer is family values)      |
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

------------------------------

Date: Thu, 06 Jan 94 14:25:48 -0500
From: Jorge Amodio
Subject: "Barrote" Virus alert ... (PC)

Hi there,

I'm looking for information about an MS-DOS virus program. This virus has appeared at Spanish and Argentinian scientific bases on the Antarctic continent. Below are the symptoms of the virus and more information:

- After booting MS-DOS the screen shows a pattern like jail bars with the legend "Virus Barrote" and the PC halts.
- It seems that it was developed by somebody called O-Soft.
- Executable files are increased by 1300 bytes.
- Apparently it's activated by date, on 5 Jan 1994.
- Changing the date to before Jan 5 1994, the computer works fine.

Thanks in advance for any information or fix; any material will be transmitted to the Antarctic bases to solve the problem and continue with their scientific activities.

"Barrote" is a Spanish term that means jail bars.

Please reply to pete@secyt.gov.ar because I'm not a subscriber of the list.

Thanks again, Best Regards.

===============================================================================
Jorge Marcelo Amodio                RECyT - Argentine Science and Technology Network
Phone: +541-312-8917                Secretariat of Science and Technology
Fax:   +541-312-8917

------------------------------

Date: Fri, 07 Jan 94 02:09:09 -0500
From: eraath@lmera.ericsson.se (Anders Trosell JL/OD)
Subject: Form virus (PC)

We have a big problem with the FORM virus on our PCs. Does someone have more information or experience with this virus? How does it infect? Where does it come from? etc.

/Anders Trosell

------------------------------

Date: Sat, 08 Jan 94 07:44:38 -0500
From: "Aaron A. Johnson"
Subject: GalMar virus? (PC)

Has anyone ever heard of this virus? I got it from the report of Scan v109. It is not listed in the list; has anybody ever heard of it? Assistance would be appreciated. I can't back up or copy files; I get "ERROR 2020". This unit contains very important data and the last complete backup is about 2 weeks old.

MEDIC-1@Virginia.Edu

------------------------------

Date: Sat, 08 Jan 94 22:16:59 -0500
From: ALLENTAYLOR@delphi.com
Subject: Re: Stoned Infection (PC)

D.R.Worrall@lut.ac.uk wrote 22 Dec 93:
< My computer (386SX, DOS 3.3) is apparently infected with the Stoned virus..
< None of these programs (TBAV, McAfee & F-prot) detect any infected files..
< How do I go about disinfecting my machine?

The first thing you need to do is download the VIRUS-L FAQ and read the answers to many of your questions. The fact that you have three of the best virus scanners indicates that you have the tools to deal with the Stoned virus [see FAQ C.9].

The Stoned virus family have historically been infectors of the Master Boot Record of hard drives or the boot sector of floppies. The fact that your virus software does not ID any infected files or programs would be normal and not considered a "false positive" [see FAQ C.5]. To disinfect your system read FAQ C.3.

It is important for you to understand that you have to use a virus scanner/cleaner from a CLEAN, write-protected floppy AFTER you boot up from a CLEAN, write-protected floppy bootdisk! [see FAQ C.6]

I attempted to respond to your inquiry via INTERNET email but had it returned because the remote system ID'd you as an Unknown Local User.

Best Regards,

------------------------------------------------------------------------
| Allen G. Taylor,               | allentaylor.delphi.com              |
| Computer Virus Research Center | * CVRC BBS *                        |
| Indianapolis, Indiana, USA     | Specializing in Anti-Virus Software |
------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 4]
****************************************