VIRUS-L Digest   Tuesday, 25 Jan 1994   Volume 7 : Issue 6

Today's Topics:

Something that looks like a new idea for an antivirus virus
Italian Computer Crime Act
"Good Viruses?"
Liabilities ad infinitum
Best PD antivirus?
Virus Test Laboratory will be founded in Finland
Re: Cracked by the Cyborg
Re: Cracked by the Cyborg
Re: Viruses not destructive??
Re: Liabilities
F-PROT Professional v 2.10 (PC)
Re: Cure CPAV Immunization? (PC)
Re: MBR/FBR viruses (PC)
Help with Little red virus (PC)
1008 Dropper (PC)
MicroSoft Anti-Virus question (PC)
Re: Form virus (PC)
Re: Critical error handler bug? (PC)
RE: A Message (PC)
FORM Virus (PC)
re: A message. (PC)
"Barrote" Virus alert ... (PC)
Looking for AVscan(?) scanner (PC)
McAfee VIRUSCAN V111 uploaded to SimTel Software Repository (PC)
New files on risc.ua.edu (PC)
Other antivirals - change detectors (CVP)
3.3 Local Reports (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

------------------------------

Date: Fri, 14 Jan 94 10:05:17 -0500
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Something that looks like a new idea for an antivirus virus

From the periodical 'New Scientist', 15 Jan 1994, p18:-

[Virus busters get a shot in the arm] by Jonathan Beard, New York.

Computers could soon fight off viruses that attack them by using an in-built "immune system". For a user, this should mean that systems will no longer be immobilized for hours or days, but will instead fight the virus while performing other functions.

Existing antivirus programs are generally managing to stay one byte ahead of today's equally primitive viruses, which usurp machine facilities and are designed to try to copy themselves onto other systems. But scientists at IBM are working on new software that would resemble a biological immune system to help networks react more quickly to viral assaults of the future. The system would not only identify the virus and repair files that have been modified, but also send a message to every other computer on the network to tell them how to destroy the virus.

Computer viruses are often introduced onto single computers or networks accidentally from floppy disks. The danger that viruses represent to corporate data means some companies have made inserting a floppy of unknown origin into a computer a sackable offence. However, Steve White, manager of IBM's High Integrity Computing Lab (HICL) in New York, says: "We don't want users worrying about infecting their computers."

Today, says White, viruses travel very slowly; even the successful ones take months or years to become prevalent. Current antivirus products - such as IBM's AntiVirus 6.1 - are updated to deal with newly recognized viruses each month or quarter, which is sufficient to deal with this relatively slow spread.
But White warns that in future, millions of users will plug in to networks and any virus present will spread extremely quickly, infecting hundreds or thousands of computers in a matter of minutes or hours.

At present, whenever a new virus is recognised it is quickly distributed among an informal network of virus collectors - such as those at the HICL - many of whom work for software companies selling antivirus software. They dissect the new program to discover how it works, identify its "signature" - the telltale pattern of bytes it inserts in any file that it modifies in the infected computer - and add that to antiviral programs' "wanted lists". White says that current programs recognise about 2000 viruses.

But this is too slow a process for the world that White envisages. So the HICL is creating a system that will identify viruses, not by comparing their code to a reference library, but by watching them at work. A typical virus seeks out data files that are frequently accessed or modified because it can use them to infect programs that come into contact with lots of files. The algorithms being developed at IBM also watch such files for any sign of tampering, and then begin to create "decoy files" which are repeatedly accessed (but not altered) to make them attractive to a virus. If a decoy file grows longer, the system has both caught the virus at work and its signature. The automatic program would then scan the computer for files the virus had modified, repair them and add the new viral signature to its database. A message to every other computer in the network would tell them to search and destroy this virus.
[With a figure that shows a random network of computers, at first unaffected, then the virus spreads through them, then self-cure and immunity spread among the infected computers.]

------------------------------

Date: Fri, 14 Jan 94 10:27:15 -0500
From: Luca Parisi
Subject: Italian Computer Crime Act

As of today, another country has provisions against computer viruses in its legislation: Italy. A "Computer Crime Act" was approved by the Italian Parliament last December 14th. These are its details:

LEGGE 23 dicembre 1993, n. 547 (Gazzetta Ufficiale 30-12-1993, n. 305)
(Law no. 547 passed Dec 23, 1993 - Published in the Official Journal no. 305 of Dec 30, 1993)

The new act addresses various issues, including:
. Damages caused to computers and telecommunication systems;
. Unauthorized access;
. Possession and unauthorized diffusion of access codes;
. Spreading of malicious code;
. Computer fraud;
. Wiretapping of data communications;
. Etc.

I'm not a lawyer, so I can't translate the whole act - I can only volunteer to e-mail a full copy in Italian to those interested (it's around 22KB). However, I have enclosed a tentative translation of the article dealing with "Computer Viruses", as well as the original text. If you find the translation inaccurate or plain wrong, feel free to correct it.

Luca Parisi - Rome, Italy.

**Unofficial translation of Penal Code, art. 615.5**

"Article 615-quinquies of the Penal Code (Spreading of programs aimed at damaging or interrupting a computer system). Anyone who spreads, transmits or delivers a computer program, whether written by himself or by someone else, aimed at or having the effect of damaging a computer or telecommunication system, the programs or data contained in or pertaining to it, or interrupting in full or in part or disrupting its operation is punished with imprisonment for a term of up to two years and a fine of up to It. L. 20,000,000."

**Original Text, as in referenced act**

"Art. 615-quinquies.
- (Diffusione di programmi diretti a danneggiare o interrompere un sistema informatico). - Chiunque diffonde, comunica o consegna un programma informatico da lui stesso o da altri redatto, avente per scopo o per effetto il danneggiamento di un sistema informatico o telematico, dei dati o dei programmi in esso contenuti o ad esso pertinenti, ovvero l'interruzione, totale o parziale, o l'alterazione del suo funzionamento, e' punito con la reclusione sino a due anni e con la multa sino a lire venti milioni."

------------------------------

Date: Sun, 16 Jan 94 23:59:39 -0500
From: ktark@src4src.linet.org
Subject: "Good Viruses?"

Brian Seborg writes:

> It's been quite a while since I last felt compelled to post to Virus-L, but I thought that recent discussions regarding the legality of viruses and liability were interesting enough that I'd like to jump back into the fray.

Well, here is another person who does not feel like this thread is a 'waste of bandwidth'.

[personal statistical figures & data deleted]

> There is NO SUCH THING AS A NON-DESTRUCTIVE VIRUS, PERIOD!!!!! If even the most benign virus gets out of the lab, it's a problem.

Let's look at the following scenario: an isolated computer (no networking capabilities, and no removable media shared with any other computer). I contend that there exists a virus for this system such that this virus will infect all files that 'can be' infected without inhibiting their subsequent execution and then 'dwell' on the system without causing ANY damage to ANY stored media. Yes, performance will be affected, but the system will retain all functionality. The existence of one such virus will prove your point wrong. Perhaps with time I will be able to conduct this experiment and prove my theory.

> Who's liable? The distributor of the virus, can you find him/her?
> Even if I do put a disclaimer, there is such a thing as strict liability, and even if it is not applicable to software like computer viruses, you can disclaim all liability, but this does not mean that you do not have any liability! I hope this adds some real-world perspective to the discussion.
> Brian Seborg
> VDS Advanced Research Group

Let us add some more world perspective to this: you have an economic and personal interest in making all computer viruses appear as evil incarnate; you make a living out of this premise, whether you like it or not. Let us hear from someone who has no stakes in this matter..

ktark@src4src.linet.org

------------------------------

Date: Sun, 16 Jan 94 23:59:46 -0500
From: ktark@src4src.linet.org
Subject: Liabilities ad infinitum

CELUSTP@cslab.felk.cvut.cz writes:

> 2. Bad (or "bad") guys/girls. I don't have a precise sociological analysis of what kind of people (age, profession, degree of education, etc.) write viruses and establish Virus Exchange BBS'. From my (incomplete) knowledge, I would say that most of them are students in their adolescent age (probably not very different from students attending my speech).

Mistake #1: This is one of the myths & fantasies about computer viruses and computer virus authors. Most virus writers are NOT in their adolescent stage. Most of them are university students, some are pursuing Master's degrees, some have PhD degrees. I have examples to prove my point. This adolescent nonsense is another scheme by bigwigs with monetary stakes in the matter to make themselves appear on top of the knowledge heap, which is in fact not true.

> About their motives to write and exchange viruses they may be: curiosity, temporary frustration by somebody or something (e.g. professor in school), usual tendency of young people in adolescent age to oppose to everything and everybody, i.e.
> to behave as rebels (it is a normal stage when somebody is growing up, but as soon as we get out from this stage we forget it), etc.

Mistake #2: Curiosity? Temporary frustration? How about ridiculing pseudo-professional, slick-marketed, poorly designed products that rip people off their money? (I am talking about AV software of course..) Writing viruses is not something you grow out of.. like your clothes or your hairstyle, as there is nothing to outgrow; as long as there are dishonest people making money off garbage software, there will be computer viruses.

> The exchange of viruses I see as normal wish to exchange software among the members of the same group of software authors/users. Maybe it could be said that those people are slightly deviant,

Oh yeah? How about software companies that release poorly designed, not properly tested software, isn't that deviant? (Add that to the fact that YOU are paying for this product.) They KNOW their products are not tested properly and yet they release them! Just to meet the deadline. I think you have no idea of what the computer industry is like; your experience in the matter seems to be minimal, so any judgements like this one are off base.

> because they probably know that some viruses can cause damage in some environments and some of them write viruses with intention to make a damage, e.g. by destroying data. However, I don't dare to classify all of them as criminals. Not yet. The most I can say is that they are irresponsible or simply "kids with problems" (whatever is their real age).

PhD's = kids with problems?? Please! I think anyone who willingly takes somebody's money in exchange for a scam passed off as quality software is far more criminal than any virus writer in existence. Those people are not 'kids with problems'.. they are 'ADULTS with problems' and far more dangerous!

[point deleted]

> 4.
> Good (or "good") guys/girls - people producing anti-virus products or dealing in some way with anti-virus stuff (research, evaluation of a-v products, hobby, etc.). Their reasons for doing such a job are probably to the greatest extent to make a profit from their products/evaluations/research.

Probably? Do you know anyone who likes to work for free?

> Then it could be an interesting field of research for getting an academic degree. Some of the reasons to choose right this field might be as in the first group of "bad" guys/girls, i.e. frustrations of different kind. I would say there is no special reason to call this group of people "good". Those are simply people doing their job.

And making a lot of money in the process.

> Well, after all we should look at what is the virus/anti-virus picture today. Maybe I will oversimplify, but roughly it is: "good" guys/girls are fighting against "bad" guys/girls to protect "victims" (or more exactly "poor innocent victims"). Is that really so? Or maybe, the question is: who has use from that picture?
> On the first place - a-v producers, because it is part of marketing, i.e. exaggerations in representation of "virus danger" sell the product better.

I agree.

> Who has disadvantage from this picture? Well, mostly the "victims" who can only be confused with heaps of information/disinformation about computer viruses and anti-virus products. They usually get an exaggerated and chaotic picture about how viruses can be dangerous and how bad are the persons writing them, while any a-v product is represented as salvation. What they don't get from articles in newspapers, courses, advertisements and possibly from this forum is real information about how to protect -their- systems in -their- working environment and what is the real degree of danger in -their- environment, not in some general space/time/society.

True.
> Of course, the minority of researchers who dare to think that viruses can be used for something useful (not defining now what is really useful) have disadvantage from the statements of the kind "all viruses are bad, because they exist". [Yes, Karl, I agree with you in some points, only I don't know what is the purpose of your arguing. If you really want to point out that not -all- viruses will cause damage in -all- environments and if you have the wish to do some serious work, as e.g. a study of epidemiology, I will be glad to help you in that and explain how to investigate such things in an isolated and controlled environment.

Thank you.

> But, if you only want to justify writing of viruses for which you know that they are harmful in some environment and to provoke people here, then you are nothing more than just another frustrated kid, making noise, and it would be better to stop wasting bandwidth here. You decide what you want to be.]

You have gotten the point wrong. I am not trying to justify the deed of writing viruses, as this is a very subjective matter; I am trying to show that viruses CAN be beneficial and they are not inherently destructive as some would like them to appear.

> What are the final conclusions? To stop unnecessary wasting of bandwidth with discussions who are "bad"/"good" guys/girls and if viruses can be good or bad,

I would hardly call this thread a 'waste of bandwidth'; as a matter of fact, some people think it is by far one of the most interesting subjects presented here in a long time.

> I propose to turn back the discussion to the question of virus definition. This time from the legal point of view.

[related deleted]

IMHO, to turn this into a never ending legalese argument will be of little use unless we have some people with a law background participating.
A commonly accepted technical definition of a computer virus has yet to be found, where the mathematical terms are precise and sound; so venturing into legal realms where the terms are very vague and subjective will make matters even worse.

ktark@src4src.linet.org

------------------------------

Date: Mon, 17 Jan 94 05:42:02 -0500
From: fred-app@dsv.su.se (Fredrik Appelberg)
Subject: Best PD antivirus?

As a newcomer to this group, I'd like to ask: What is the best PD/ShareWare antivirus program, and where do I get it?

Thanx,
--Fredrik

------------------------------

Date: Thu, 20 Jan 94 10:53:39 -0500
From: cshema@uta.fi (Marko Helenius)
Subject: Virus Test Laboratory will be founded in Finland

A Virus Test Laboratory will be founded at the University of Tampere and it will be located in the computer science department. The Virus Test Laboratory will concentrate on testing anti-viral products. The tests will be made only by the University of Tampere. Other participants are not allowed to take any part in testing. The test procedures will, however, be public.

The Virus Test Laboratory will start its activity at the beginning of the year 1994. Two researchers will be working when the activity starts. The responsible researcher will be Marko Helenius, Master of Science in computer science. Marko Helenius has done extensive research on the spread of computer viruses in Finland. The research has achieved great publicity in Finland. (The test results will be published in Virus Bulletin and Virus News International in the near future.) The supervisor of the Virus Test Laboratory will be Pertti Järvinen, professor of computer science.

There is a real need for the Virus Test Laboratory, because producers, importers and users (companies) of anti-viral products want reliable tests of anti-viral products. Only PC anti-virus programs will be tested. Memory resident scanners will be included in testing. The virus tests will be made only of programs for which the test fee is paid.
The test fee can be paid by importers and producers of anti-virus products or by other parties. The products will be classified into three price classes. For first class products the test fee will be highest and for third class products the test fee will be cheapest. The test fee can be paid by several participants. The salaries of the Virus Test Laboratory's researchers will be paid from these payments. No financial profit will be taken by the Virus Test Laboratory. The test fee will finance two or four tests at a time (not decided yet).

If a first or second class product does not succeed, the product will be classified as a lower class product and the test fee will be lowered to correspond to the test fee of a lower class product. Also, if a second or third class product begins to succeed, it will be classified as a higher class product and the test fee will be raised to correspond to the test fee of a higher class product. The classification of products is only internal to the Virus Test Laboratory and it will not be published in test reports.

We will make a rough preliminary test to find out which products are first class products, which are second class products and which are third class products. The preliminary test is free of charge and does not oblige anyone to pay a test fee later on. We will give more information about the first test later on.

The version of the anti-virus product which is to be tested must be sent to the Virus Test Laboratory within a fixed period. Otherwise the tests will be made on the latest version available to the Virus Test Laboratory. The number of viruses detected and virus detection speed will be among the things tested. The detection speed test will be made on a clean machine. If possible, we will develop a way to test the number of false alarms caused by an anti-virus program. Only properties which can be measured are tested. No opinions will be allowed in test reports.
The Virus Test Laboratory's virus database will contain about 3000 viruses at the beginning. (Not all of these viruses can be used at the beginning, because we must first confirm that the viruses that are used are real viruses.) The virus database will of course be updated later on. The tests are made only against live viruses. Each virus will be tested to be a real and live virus.

The test results and a list of viruses which were not detected will be sent to the representatives and producers of anti-virus programs before publishing the final results. If they find any errors in testing, they must point out corrections within a fixed period. If there are real mistakes that were made by the Virus Test Laboratory's researchers, the mistakes will be corrected. The test results will be published four times a year.

Test results, the list of viruses which were not detected and samples (up to 100 samples, more if needed) of these viruses will be sent to trustworthy importers or producers of anti-virus programs. The samples will be password-encrypted. The reliability of importers is confirmed by the producer of the tested anti-virus product. If the needed reliability can't be proved, the virus samples will not be sent. By these security measures misuse of the virus samples will be prevented.

The test results will be sent to international newspapers including Virus Bulletin and Virus News International. Test results will be available on the Internet. The test results will also be available from the Virus Test Laboratory in paper format for a reasonable fee.

So what's the benefit? In this world there is no independent virus research center which regularly produces test reports of anti-virus products and which helps anti-virus producers to develop their products. That's what we are up to. We want to give independent facts about anti-virus products. We will publish only facts, no opinions like "It looks pretty, I think it's the best product!"
We will give information like "The product recognised XXX file viruses of XXX and XXX boot sector viruses of XXX. The product has XX, XX and XX versions. The XX version was tested. The memory resident portion of the product recognised XX file viruses of XX and XX boot sector viruses of XX. It has/has not mouse control. The detection speed of the XX version in a clean machine was XX seconds." It is up to customers then to decide which product suits their needs best.

We want to do the testing as well as possible, taking into consideration every problem which might falsify the test results. The test procedures will be public and tests will be made so that they can be repeated, if needed.

Now we want to know about your interest in this project. We would especially appreciate comments on testing procedures, virus test sets, security measures, virus situation reports and utilities to help testing.

Regards
Marko Helenius, University of Tampere
E-mail: cshema@uta.fi
Fax: +358 31 2156070

P.S. All comments are welcome.

------------------------------

Date: Wed, 19 Jan 94 11:12:03 -0500
From: "David M. Chess"
Subject: Re: Cracked by the Cyborg

> From: harris@lmps.nml.mot.com
> But when I executed a game (Budo) I see the message appear for an instant: "Cracked by the Cyborg".

Often when some "c00l hacker d00d" breaks the copy-protection on a commercial game (or even just patches out the copyright notice), he also inserts a message taking credit for the damage he's done. From your description, I'd guess that the copy of the game you're running has been "cracked" in this way. Your system problems may be unrelated, or the "Cyborg" may have done the job badly, and left you with a buggy game that damages your system. It might even have had a Trojan planted in it (somewhat less likely, I'd say), or even an actual virus.
DC

------------------------------

Date: Wed, 19 Jan 94 14:01:19 -0500
From: ktark@src4src.linet.org
Subject: Re: Cracked by the Cyborg

harris@lmps.nml.mot.com writes:

> I need some NET Wisdom.....

You really do!

> Has anybody heard of a virus with a name even similar to something like: "Cracked by the Cyborg" ???
> Couldn't start up my home DOS machine. Said there was a problem with the C drive. I repaired it with Norton, started it up and everything seemed fine. But when I executed a game (Budo) I see the message appear for an instant: "Cracked by the Cyborg". Since the game has nothing to do with Cyborgs and I just had a problem starting the machine, I suspect this to be a virus' msg.
> Any ideas?

Have you thought for a minute that you are running illegally obtained software? How do you feel about literally stealing someone's property and using it for your own benefit? Do this: call your phone operator and ask for the 1-800 number operator and ask for the ASP 1-800 number. Call the number and explain your problem to the person on the phone. Better yet! Call the manufacturer of the game, they will be very interested in your problems.

With this kind of behaviour it is no wonder that computer viruses keep on thriving. It is this kind of idiotic attitude that keeps SYS administrators everywhere up all night. (Ah, and in case you don't know it by now, you are running an illegally obtained program, illegally modified by 'Cyborg'.) Erase it before your company gets raided by the powers that be :)

ktark@src4src.linet.org

------------------------------

Date: Wed, 19 Jan 94 11:13:50 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Viruses not destructive??

ktark@src4src.linet.org writes:

> Count how many viruses 'do nothing besides replicate.'
> Count how many 'reformat the hard drive.'
> There is a clear winner, and by a large margin.
> There are more non-malicious viruses than there are malicious ones.

There is a fundamental misunderstanding here.
Just because a virus does nothing specifically malicious but replicate does not mean that it is harmless. For example, if a virus infects a program that does a self-integrity check, and refuses to run because it has been modified, the user of that program has been harmed. He has been denied the ability to use the program, because of the virus, even though the virus "does nothing but replicate".

By definition a virus has to modify something, and this (unauthorized) modification may be harmful, even though it is not malicious in intent.

-frisk

Fridrik Skulason   Frisk Software International   phone: +354-1-617273
Author of F-PROT   E-mail: frisk@complex.is       fax: +354-1-617274

------------------------------

Date: Wed, 19 Jan 94 12:10:05 -0500
From: Rob
Subject: Re: Liabilities

Against my better judgement, I'll reply to ktark's post. Perhaps our tone towards each other's arguments has been a little frosty?

ktark@src4src.linet.org writes ( > = ktark, >> = me, >>> = someone else ):

> EVERY program modifies the environment in some way,

Viruses modify programs in a way that may be initially unknown to the 'victim' of the attack, without their permission or initiation, and in a way that often involves some effort on their part to remove. Viruses that manage to get as far as affecting a file have done some damage, in terms of the time spent investigating and curing them, before any active destruction such as disk trashing has occurred. A program initiated by a user, for the purposes of the user, or a program that facilitates that user's actions, in a predetermined way, certainly modifies the environment, as you assert. I was not equating the two types of program, and assume that you don't either.

>> Any viral attack, even by a 'good' virus, causes damage. Read Stoll's book

> None of the examples you mention has anything to do with the theoretical properties of computer viruses.
> (they don't even have anything to do with computer viruses, mixing computer criminals with this is inappropriate.)
> Go read any of Fred Cohen's papers and then come back to argue.

Send me references and I will. However, I still stand by my point, that incongruous actions by a computer, from a user's point of view, are damaging.

>> When things act weird, people get worried. In my opinion this is justified. Computers should act in a deterministic way, and anyone who causes spurious behaviour in another person's computer is guilty of some sort of crime. I'm well aware that commercial software often exhibits such behaviour; that is only an argument for pillorying commercial software houses, not supporting the existence of viruses.

> I am not looking for an argument to support the existence of viruses. There are many valid arguments for this.

Okay, so I wasn't very rigorous in my English. Substitute: supporting the perpetuation of viruses, and their continued creation by a group of people called virus writers.

> I am trying to show that viruses are not by definition inherently destructive. There are a lot of viruses that don't cause 'spurious behaviour' in people's computers, so your point is not valid.

Could you list these, along with their effects? What I'm getting at is, by attacking a computer, a virus is exhibiting spurious behaviour. Regardless of what that behaviour is.

>>> These properties hardly equate to the properties of a lion!!!!

> A lion is a predator by nature, a computer virus isn't.

>> Though perhaps a virus writer is?

> how so? can you show us how? do you have ANY known example of a computer virus writer infecting directly any system?

Are there no known examples of predators killing at a distance, before getting the spoils of their actions? The virus writer's kill may be different to the lion's prey, but I'm sure some writers would like to think of themselves as 'hunters', with 'systems' their prey.
>> Without the virus writer, a virus would not exist.

> And without people like John McAfee, Mr. Bontchev and Sarah Gordon many virus writers would not exist.

Chicken and egg time. Certainly, some class of people may rely on publicity to survive (MPs, e.g.). But again, so what? Is that an excuse?

>> Is the vector of the virus, or the virus writer him(her)self more dangerous?

> Dangerous? Can you show that ALL viruses are dangerous? Can you show that most viruses are dangerous? ( > 60% )

See above. Do you welcome, with open arms, any virus attack you receive? Or do you quietly tut-tut to yourself, then set about removing the infestation? You also take my word 'dangerous' as related to the writer/vector, and attach it to a virus. That may or may not be appropriate, but is not indicated by my question.

> IF you cannot show some information relevant to the matter then your question is off grounds since neither virus vectors nor virus writers are dangerous.

I see a man with a loaded gun, pointed at me, as dangerous. Or a drunk-driver on the same road as me. I see a virus vector, with an infected disk in one of my systems, as dangerous. I see a virus writer, writing a virus for PCs (my realm of experience), as dangerous.

> 'What is more dangerous, a computer virus or an irresponsible Novell systems administrator / systems programmer ?' :)

;-) I'll let that one pass .... I think.

>> Without the virus, the vector is not dangerous (in relation to this particular issue).

> Could you make your statements clear? What are you talking about?

A drunk-driver, without a car, will not kill someone by driving into them. He may still stab them, say, if that is his wont. I'm saying that the virus vector can't harm my machine by viral attack, without possessing a virus. He may still attack it with paint stripper, say.

>> Without the vector, the virus is still, potentially, dangerous.

The existence of certain 'things', even without their use, is dangerous. The potential exists.
The initial writer of a virus may be a wonderful (wo)man, but their writing of a hazardous virus has increased this potential. viz the Arms race. Was the world in the 60s/70s/80s free from fear of destruction by atomic weapons? Were any used in this period? The obvious difference is that viruses are being 'used', and some destruction is also taking place. > >And a question to the 'No Liability' lobby - if you have a viral attack, and > >you know who the author of the virus code is, who do you blame? Or maybe you > >don't apportion blame? > > you blame whoever put the virus there! What, into the world, or onto your system? > >> But it cannot be proven that the deed of writing viruses causes such > >> things. > > >Terribly post-modern, but not very useful. Writing viruses is the sine qua > >non of the whole shooting match. > > The point is not being 'post-modern' or > or 'useful.' > I am talking in mathematical and logical terms, not in bleeding sentiments > or one sided morality. Alright, so which stage of a virus event causes the damage? And does that stage depend on any other stages occurring? Be as logical as you like, and tell me that a virus attack does not require a virus. > >> The ones that should be held liable are the ones that introduce viruses > >> in computer systems without authorization, (which is against the law > >> in many countries.) > > > >Should we lock up drug smugglers, or the barons who control them? > > Both! > But virus writers are not any more criminal than any Novell systems > administrator / systems programmer. > Unless you can come up with a logical argument proving otherwise. Are you talking about the current state of legislation, or about your concept of criminality (or maybe morality)? > >Which does more good? Treat the cause, not the symptom. Like locking up > > prostitutes, or clearing out squatters, the problem still exists, you've > > just changed the players. > > yes. > so what do you think it should be done? 
> a 12 step program for virus writers? > a political correctness course for computer programmers showing everyone > how we should be nice programmers while our employers exploit the living > daylights out of us? Leave PC out of any discussion with me. I'm no fan of it. > showing us how we all should worship corporations like microsoft and IBM, > that embody the purity and honesty that is exclusive only to our favourite > god? Again, you're yelling at the wrong man. Microsoft are leeches, sucking the life out of all other software companies. And IBM are a bunch of fools, who messed up the birth of personal computers. > The legal sense of the word is the point. > I never intended to include anyone's favourite brand of ethics and bleeding > heart sentiments here. Is maintenance of the status quo, re virus legislation, your avowed intention? Some of your other statements suggest that you would like to 'change the world'. So why not this little bit of it? > Virus writers are as pure and as idiotic as any Novell systems administrator > / systems programmer. > From your sentimental point of view we have a warped sense of 'right' or > 'wrong,' > From my logical and mathematically trained point of view the ones who have > a warped sense of right and wrongs are the ones that have misconceptions > and ideas that they cannot support in a logical argument. Again, post-modern, but useless. The world is not driven by 'pure' logic. If you think it is you've been reading too many mathematics and logic books. Try as people might to suppress it, most do have a sense of right and wrong, I'd have thought a logician such as yourself would be very keen on the concept of True and False. My concept of wrong in this issue may be skewed, but I suspect that a majority of computer professionals and users would concur, at least in part. You obviously don't, and I'm interested in the reasons (beyond logic) that lead you to your conclusions. 
Do you agree with your idea of logic, or are you the sort who likes to argue one thing, and believe another? Or is logic enough for you, in all aspects of your life? Philosophical, man. Back to viruses.

> >> Have you ever heard of disclaimers?
> >> That takes care of any implied secondary intentions you might want to
> >> give to the manufacturer.
> >> To complete my point: If the product has a proper disclaimer notice
> >> the manufacturer cannot be held liable for the proper / improper use
> >> of whatever the product is.
> >> Computer viruses included.
> >
> >Good call my friend. Virus writers - get in touch with your lawyers, and
> >let's see if we can knock up a good disclaimer. I'd like to see the wording
> >on that.
>
> 1-I am not your friend.

Indeed. Vernacular excess, I'm afraid.

> >'Any use of this soldier for killing members of alien races is not the
> >responsibility of this army. We disclaim everything we can.'
> >Sorry Mrs German, your son was killed, but no one's responsible.
>
> How does this have anything to do with computer viruses?
> Are you attempting to establish an analogy here?
> or perhaps some attempt at cynical humour?

Your approach to virus activities is just a little cold. I was using an absurd example to show what 'logic', applied to extremes, can result in.

> >What a load of cack. Good for malefactors' consciences, but meaningless to
> >any sane member of the human race.
>
> Using your argument most of the members of the human race that have existed
> have been insane as they have supported slavery and racism through out
> centuries.
> Yes, this includes your ancestors.

But not me. And probably not you.

> You are the direct product of generations of insanity.

(See comments above on virus event precursors.) I believe someone has pointed out the legal failings in your arguments regarding disclaimers in the main list.

> >> >people understand it, not as Dr.
> >> >Cohen understands it) that cannot be
> >> >performed (often much better) by a non-viral program.
> >>
> >> Well, I predicted your reply, :) and I stated below in the original
> >> posting:
> >>
> >> "While a million of you will argue that a good use for a computer virus is
> >> yet to be found, there is yet to be proven that there isn't a good use for
> >> a computer virus."
> >
> >.. "that cannot be performed (often much better) by a non-viral program?"
>
> care to mention any examples?
> Do you know of ANY product that does what KOH does? and better?
> (I assume you know what KOH is..)

Nope, you've got me there.

> >> Are they destructive?
> >
> >See above. A noisy fan in my car may not be destructive in any quantitative
> >sense, but it sure annoys me. Maybe most viruses are just 'noise'; IMHO we
> >shouldn't have to put up with it, and we should strive to punish those who
> >cause it. It's antisocial, maybe not pathological, but certainly antisocial.
>
> 'A bug in my favourite package of software may not be destructive in a
> quantitative sense, but it sure annoys me. Maybe most commercial software
> is just 'noise'; IMHO we shouldn't have to put up with it, and we should strive to
> punish those who cause it. It's antisocial, maybe not pathological, but certainly
> antisocial.'

My relationship to commercial software is different to my dealings with viruses. And I suspect yours is too.

> >reviews etc. Viruses tend to get dumped on us from above (or below).
>
> yes, and the ones responsible for dumping it there are the ones who should
> be punished.

Not BOTH, as you suggested earlier?

> >the social graces of Genghis Khan's horde from the east). The benefits of
> >'harmless' viruses are nil.
>
> No, they are not.
> KOH has more than nil benefits, it has many.

Is this the only 'harmless' virus? I seem to recall others being mentioned, then discounted.

> >> Let's face it, software incompatibilities and data destruction are not
> >> exclusive to viruses..
> >> on the contrary I have seen -some- viruses that have
> >> less compatibility problems than a lot of commercial products, (AntiViral
> >> ones included.)
> >
> >So lambast software suppliers. Don't laud the lowest stratum of the computing
> >world. And don't make excuses for them.
>
> This whining does not contradict my point in any way.

So a virus will successfully identify a 320k floppy as such before trashing it. So what?

----------

The above edit was condensed from what I originally sent to ktark, in response to his edit which was personally sent to me. I realise that my edits have been a little lengthy, and will therefore reply personally to ktark, if he wishes to respond to any points he might find in it. (Unless he really annoys me :-)

Rob.

------------------------------

Date: Fri, 14 Jan 94 07:50:57 -0500
From: Chip Seymour
Subject: F-PROT Professional v 2.10 (PC)

Troops,

We've successfully installed F-PROT 2.10 on a number of PCs, but on one in particular, we get the message

C:\F-PROT\VIRSTOP.EXE VIRSTOP error.

F-PROT reports no viruses in memory or on the hard disk. Any idears?

Chip Seymour
NetAdmin & default security guy
Computervision Corp
Bedford MA USA

------------------------------

Date: Fri, 14 Jan 94 08:08:01 -0500
From: Martin_blas Perez Pinilla
Subject: Re: Cure CPAV Immunization? (PC)

Thom Kerr wrote:

> My fiance purchased a second-hand PC clone that came with
> CPAV loaded.
> For curiosity's sake she used the IMMUNIZE option.

Curiosity killed the cat...

> Now the machine will not boot-up off the hard drive.
> I've checked datemarks on the DOS files: COMMAND.COM,
> IO.SYS, and MSDOS.SYS. They do not appear to have been
> updated. Also CONFIG.SYS and AUTOEXEC.BAT seem to have

Any file can be changed without changing its datemark.

> no unusual contents.

Probably the "immunization" has ruined some program loaded at boot time.

> Any suggestions?

(a) Try to boot without CONFIG.SYS and AUTOEXEC.BAT.
If this fails, reinstall the system from the original DOS disks (SYS C:).
(b) Delete all the CPAV garbage.
(c) Delete and reinstall all "immunized" programs.
(d) Tell all your friends (and brothers, and sisters, and fellows...) that CPAV is garbage, and specifically that "immunization" is very dangerous.

Regards,

-mb

M.B. Perez Pinilla | mtppepim@lg.ehu.es | Write 10^6 times:
Departamento de Matematicas | "I'll never waste bandwidth"
Universidad del Pais Vasco | SPAIN

------------------------------

Date: Sat, 15 Jan 94 16:14:59 -0500
From: mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Re: MBR/FBR viruses (PC)

Steven Hoke (uttsbbs!steven.hoke@pacbell.com) wrote:
: TO:ALL
: A. PADGETT PETERSON was heard to say to ALL on 12-13-93:
: for any reason, I wouldn't know one if it was in front of me. I take it
: that FixMBR will save the MBR and can restore it from an archived copy.
: >From the documentation, it looked like it was replacing the MBR (or the
: boot sector?) with its own record, and you saved a copy of the original
: off line. Is that correct? One question then is can you restore the
: original MBR, i.e., remove FixMBR to leave the system as if it had never
: been installed, or if you restore the MBR, are you restoring the MBR
: modified with the installation of FixMBR. If there was nothing wrong
: with the system, and you simply did FDISK/MBR, would the system be
: restored to its original state?

Doing an FDISK /MBR will replace the master boot record with a new copy and in most cases everything would be fine. The exception would be if you have a non-standard hard drive that uses partitioning software to "trick" the BIOS into accepting it. Or if you had an OS2/DOS/UNIX multiple boot partition.

: A similar question is do you know what TBAV's TBUTIL does? It *sounds*
: like it's doing something similar, but I don't know if it's doing the same
: function.
: I know if you install TBUTIL, when you boot, you get a message
: giving the results of its internal checking of the modified boot sector,
: and after it checks ok, then you get the message "Starting MS-DOS".
: There is also the provision to remove the modified boot sector through
: either its own utility or with FDISK/MBR. Is this similar to what FixMBR
: is doing, in what it's modifying?

TBAV is an excellent product. What TBUTIL does is a couple of things. It can store your hard disk's vital areas, the boot record and partition table, along with your CMOS settings, to a floppy disk. Then at a later time, TBUTIL can compare your backup copy to the original and notify you if anything has changed. If so it can restore it to exactly the way it was. It also has an option to replace the partition with its own anti-virus partition, as you mention. And it can also make a similar anti-virus boot sector on your floppy disks.

The Norton Utilities also have a couple of tricks. A rescue disk can be made using the Norton Utilities, which stores those key parts of your hard drive to a floppy. And also, the Norton utility IMAGE, which is similar to the DOS MIRROR command, will store a copy of the MBR, partition table, as well as a copy of the FAT and root directory. IMAGE places this at the very end of the hard drive so it will most likely be there unless the entire drive is formatted. Image info is used by UNERASE and UNFORMAT. Since it is on the hard drive it is not as secure as the other methods.

Mike Hanewinckel

------------------------------

Date: Sun, 16 Jan 94 21:23:49 +0000
From: vganti@nmt.edu (venkata ganti)
Subject: Help with Little red virus (PC)

hi netters,

i have a problem with the "little red" virus. I have an f-prot anti-virus program which is not able to disinfect it. Can any of you please send me any ftp sites where i can get a new version of f-prot or any other program which can disinfect the "little red"? any other info.
on this is helpful

thanks

------------------------------

Date: Fri, 14 Jan 94 07:59:00 +0200
From: Giampaolo_Montaletti@f106.n392.z9.virnet.bad.se (Giampaolo Montaletti)
Subject: 1008 Dropper (PC)

Hi All,

Scanning the hd of a PS/2 IBM/30 (286 based) with Scan109 reports virus 1008 Dropper in MODE.COM. The DOS version installed is 3.30 from IBM. Clean109 does NOT report and clean anything. Another scan with Scan109 does NOT report viruses, F-Prot and TBAV too. Comparison with the original floppy does not show any size increase in the file. What? Why? A false alarm from Scan?

Giampaolo Montaletti

--- GEcho 1.00
* Origin: tlink-tlank-tlunk: big changes at Disney (9:392/106)

------------------------------

Date: Thu, 20 Jan 94 11:30:47 -0500
From:
Subject: MicroSoft Anti-Virus question (PC)

At the Ides of March meeting in New York there was discussion of both MSAV and Central Point Anti-Virus. I thought I overheard a discussion which alleged that CPAV was easy to defeat - "Change a couple of bytes" and it was supposed to defeat it. I did not confirm that at the time. I am not interested in data on CPAV, but I AM interested in any security flaws which may exist in MicroSoft Anti-Virus, as my company is using it as one of our AV tools on the systems which have V6.n licensed. Is there some flaw which makes MSAV easily defeated? I would not want the details published, I am sure the virus writers value VIRUS-L data as much as I do, I just need to be warned if there are major flaws. I have avoided discussion of the mentioned meeting, I am sure you would not publish that kind of language.

PHIL BANCROFT, PROJECT MANAGER OF DESKTOP SECURITY
DIGITAL EQUIPMENT CORPORATION

------------------------------

Date: Thu, 20 Jan 94 14:16:25 +0000
From: dave@grcfin.demon.co.uk ("David R. Sim")
Subject: Re: Form virus (PC)

eraath@lmera.ericsson.se "Anders Trosell JL/OD" writes:
> We have a big problem with the FORM virus on our PCs.
> Does anyone have more information or experience about
> this virus?
> How does it infect?
> Where does it come from? etc.

We've had a problem here with FORM, although thanks to Cheyenne's anti-virus software and a lack of hard-disk PCs we've managed to keep it under control. The virus is one of the most common - I believe it was distributed on a major software supplier's application disks and hence got a foothold. It is reasonably infectious, infecting boot sectors on floppies and the partition on hard disks. It goes memory resident when an infected disk is used with a PC and checks other disks as they are used, infecting them if not already contaminated. Clearing it off isn't a major problem - Cheyenne's stuff or Dr Solomon's Toolkit both work (as would most others I expect). We've never had a problem afterwards on a hard disk although the odd floppy has had its boot sector corrupted beyond repair. If not detected it will cause an apparent fault with the keyboard.

Hope this helps. Don't worry TOO much - it's not a particularly nasty virus - but it is annoying and difficult to get rid of.

--
************************************************************************
* Dave ---- Internet: dave@grcfin.demon.co.uk *
* "This isn't a game for children - it's for dogs and wizards..." *
*******************************************************[Terry Brooks]***

------------------------------

Date: Thu, 20 Jan 94 05:03:09 -0500
From: Otto Stolz
Subject: Re: Critical error handler bug? (PC)

On Mon, 20 Dec 1993 Rob Slade wrote:
> also factors such as the infamous "critical error handler bug,"
> which means that very innocent actions on your part can be damaging.
> Funny, they've never fixed that.

On Thu, 06 Jan 94 11:17:39 -0500 Ken Bell said:
> What is this infamous bug?

On Fri, 08 Oct 93 19:37:37 MEZ I had said in VIRUS-L:
> There has been a severe bug in MS-DOS for at least 4 major versions
> (DOS 2 to DOS 5) [...] It is widely (or is it?) known as "The Critical-
> Error-Handler Bug", and works thus:
>
> 1.
> User asks for something to be written on a floppy disk (e.g. save
> the file he/she is editing), but the disk is write-protected.
>
> 2. DOS enters its Critical-Error Handler, which displays the notorious
> "Abort, Retry, Ignore" message.
>
> 3. User notices that the wrong disk (henceforth "W") is in the drive,
> and replaces it with the disk ("R") he/she had intended to use,
> then user asks the system to go on and "Retry" the writing
> operation.
>
> 4. Now DOS seizes the opportunity to destroy disk R by writing W's FAT
> over R's. This holds even for DOS 5.0, when both R and W have been
> formatted under earlier versions of DOS.
>
> So take my advice: Whenever you are asked the ominous question, choose
> the "Abort" option, and start your writing action over again! In this
> case, DOS will use the correct FAT from disk R.

A follow-on poster in VIRUS-L (which I apparently haven't kept) pointed out that the "Abort" option would abort the program issuing the write request, which could result in loss of data (e.g. when you try to save the working file from a word processor, or from an editor).

Now my advice is:

- Use the "Abort" option when you have issued the offending write request from the command prompt (e.g. an XCOPY command),
- use the "Ignore" option when you have issued the offending write request from inside an application program (e.g. a word processor) -- BEWARE: I have not tested this variant! --,
- never use the "Retry" option for a write request!

Good luck,
Otto Stolz

------------------------------

Date: Thu, 20 Jan 94 04:42:43 -0500
From: hqxoos1@ramstein.af.mil (HQ USAFE/XOOS-TEMPEST;480-7984)
Subject: RE: A Message (PC)

Virgil Vaduva (s1105353@cedarville.edu) writes:
> A strange message coming from the machine:
>
> "WARNING: The shareware should be loaded for large media"

Are you sure that the message says "shareware"? This looks a lot like the DOS error message which says, "SHARE must be loaded for large media."
SHARE.EXE is loaded via the CONFIG.SYS file and its purpose is to handle file-sharing in operating systems like Windows. Check your DOS book for more info.

Regards,
Dennis

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dennis S. Hernit (hqxoos1@ramstein.af.mil)
Ramstein Air Base, Germany
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Wed, 19 Jan 94 21:32:50 -0500
From: ALLENTAYLOR@delphi.com
Subject: FORM Virus (PC)

From: allentaylor.delphi.com
----------------------------

Writes:
< Subject: Form Virus on PC
< Keywords:
< We have big problems with a virus called FORM.
< I want information about this virus
< How it infects?
< Where does it come from?

at>The FORM-Virus, or Form Boot, is a memory resident infector of hard disk and floppy boot sectors, discovered in Switzerland circa mid 1990.

at>Download the VIRUS-L Frequently Asked Questions file via anonymous FTP on cert.org [192.88.209.5] and read Sections [B.3], [b.10], [c.4], [d-ALL].

at>Download VSUMX312.zip via anonymous FTP on McAfee.com [192.187.128.1]. This text has been the subject of some serious criticism in this forum but does have "some" relevant information concerning your problem.

at>Generally speaking, this virus can be dealt with like most boot sector viruses:

1. Power down your PC.
2. Boot up from a previously prepared write-protected Boot_Floppy.
3. You can use the appropriate virus cleaner [TBAV-TBUtility], [and with DOS 5 or higher; FDISK /MBR command] or [DOS SYS command] or [McAfee MDisk] to restore the boot sector.
4. RESCAN with a Virus Scanner on a write-protected Floppy.
5. Don't forget to scan ALL floppies that have come in contact with the infected PC and be sure to warn others to whom you may have sent infected floppies.

Best Regards,

------------------------------------------------------------------------
| Allen G.
Taylor, | allentaylor.delphi.com |
| Computer Virus Research Center | * CVRC BBS * |
| Indianapolis, Indiana, USA | Specializing in Anti-Virus Software |
------------------------------------------------------------------------

------------------------------

Date: Wed, 19 Jan 94 11:15:36 -0500
From: "David M. Chess"
Subject: re: A message. (PC)

> From: s1105353@cedarville.edu (Virgil)
>
> A strange message coming from the machine:
>
> "WARNING: The shareware should be loaded for large media"

Was the message actually "SHARE should be loaded for large media"? This message is printed by various versions of DOS that don't include built-in support for large partitions (usually >32M). If you have a partition greater than 32M, you should load SHARE in CONFIG.SYS or AUTOEXEC.BAT (see your DOS manual for details). Or, better, you should upgrade your version of DOS! Probably not a virus...

--
David M. Chess | Mah'-ee huv'-erk-raft
High Integrity Computing Lab | iz fuhl ov ee'-ulz
IBM Watson Research

------------------------------

Date: Wed, 19 Jan 94 11:24:03 -0500
From: "David M. Chess"
Subject: "Barrote" Virus alert ... (PC)

>From: Jorge Amodio
> Below are the symptoms of the virus and more information:
>
> - After booting MS-DOS the screen shows a pattern like jail bars
> with the legend "Virus Barrote" and the PC halts.
>
> - It seems that it was developed by somebody called O-Soft.

We know of a virus like that, apparently rather widespread in Spain. It is 1310 bytes long, infects COM and EXE files that are executed, and on January 5th it displays the message "Virus BARROTES por OSoft", and overwrites the master boot record of the first hard disk. IBM AntiVirus should be able to detect it correctly, if that is indeed the virus you're dealing with; of course, you may have encountered a variant with different behavior. We call the strain that we have seen "Barrotes-1310".
DC

------------------------------

Date: Wed, 19 Jan 94 11:04:53 -0500
From: ssmith@GALINA.DEC.COM (Sheldon E. Smith)
Subject: Looking for AVscan(?) scanner (PC)

I'm trying to locate a scanner called `AVscan' which a friend described as "a freeware scanner by H+BEDV Datentechnik GmbH, a German software house". Unfortunately, he doesn't remember where he saw (about) it. Anybody know if it's available on the 'net? Do I even have the right name?

Thanks in advance....

------------------------------

Date: Tue, 18 Jan 94 02:44:25 -0500
From: aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VIRUSCAN V111 uploaded to SimTel Software Repository (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

pub/msdos/virus/
clean111.zip CLEAN-UP 9.21V111 virus remover for PC's/LAN's
scanv111.zip VIRUSCAN 9.21V111 virus scanner for PC's/LAN's
vshld111.zip VSHIELD 5.56V111 virus prevention TSR for PC's
wscan111.zip WSCAN V111: Windows front-end for VIRUSCAN

Beginning with this release, we will now be using PKZIP 2.04g to archive our files. Our new serial number is:

Authentic files Verified! # FZW802 McAFEE ASSOCIATES

This message only appears if your version of the UNZIP program supports PKWare, Inc.'s Authenticity Verification.

Version 111 of the VIRUSCAN series replaces Version 109. Version 110 was the number used for the beta-test version of this release, but it was skipped over for the production version due to a Trojan horse which appeared in the Gainesville, Florida area bearing the number.

Version 111 of VIRUSCAN adds detection of 45 new viruses and 61 new variants of existing viruses, bringing the total number of known viruses to 1,811, or counting variants, 2,738. CLEAN-UP adds disinfection of the 592, Ganeu, Khobar, Spanish Holidays, Thriller, Unbx, and Volkox viruses.
VALIDATE VALUES FOR VERSION 111:

CLEAN FOR OS/2 V111 (OS2CLEAN.EXE) S:330,256 D:01-14-94 M1: DF80 M2: 1F85
CLEAN-UP 9.21V111 (CLEAN.EXE) S:192,959 D:01-14-94 M1: 1969 M2: 0E47
SCAN FOR OS/2 9.21V111 (OS2SCAN.EXE) S:238,720 D:01-14-94 M1: 06B6 M2: 1384
SCAN FOR WINDOWS 111 (WINSTALL.EXE) S:19,606 D:01-14-94 M1: 7DD3 M2: 0142
SCAN FOR WINDOWS 111 (WSCAN111.EXE) S:78,230 D:01-14-94 M1: 74EC M2: 0357
VIRUSCAN SCAN 9.21V111 (SCAN.EXE) S:160,355 D:01-14-94 M1: 70B9 M2: 1DFA
VSHIELD 5.56V111 (VSHIELD.EXE) S:52,701 D:01-14-94 M1: 7DD2 M2: 09A6

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA | USR HST Courier DS | America Online: McAfee

------------------------------

Date: Mon, 17 Jan 94 14:23:29 -0500
From: James Ford
Subject: New files on risc.ua.edu (PC)

The following files have been mirrored from mcafee.com and are available on risc.ua.edu in the directory /pub/ibm-antivirus/Mirrors/mcafee/antivirus.

00-Index 1555
clean111.zip 275697
ocln111.zip 291673
oscn111.zip 259442
scanv111.zip 256551
vsh111.zip 151389
wscan111.zip 312745

----------
James Ford - Seebeck Computer Center
jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)

------------------------------

Date: Mon, 10 Jan 94 02:58:18 -0500
From: "Rob Slade"
Subject: Other antivirals - change detectors (CVP)

BEGPANB.CVP 931111

Other Antivirals - Change Detectors

If your "generic" antiviral is a change detection program, then you will probably have a much better idea of what is infected, although less idea of how. Change detectors will usually tell you that the boot sector, or master boot record, or a specific file has been changed.
Sometimes, in the case of a stealth virus, it will not be able to "see" any change on the disk, but will report a change in memory of the interrupts. Activity monitors usually run all the time, and so, in addition to sometimes telling you, specifically, what type of action is being done, they generally give you some clues by catching something as it happens. Change detectors are usually run at set intervals, often at boot time, and so only report after the fact. However, because change detection software identifies specific objects, you will generally get more information from them about boot sector infectors than you will get from activity monitors, and boot infectors are much more common.

As with activity monitors, if the antiviral identifies a file that you can easily replace, copy it off and replace it. If a change detector shows only one file changed, then it is highly unlikely that any other files are infected. If a cluster of files are changed, particularly in one directory, then the chances are very good that you do have a real infection.

However, like activity monitors, change detectors are subject to false positive alarms. If you have made changes to WordPerfect, SETVER or another program, these will generate alerts from change detectors. If you upgrade your DOS version, the boot sector will change. If you repartition the disk, the master boot record will change. If, therefore, it is inconvenient to replace the modified program, or if the boot sector appears to be infected, then you may have to do the same types of investigations as were outlined for activity monitors.

Since boot sector infectors are more likely to be identified here, trying to trap an infection on a floppy disk is more important. If you have two different sized floppy disks, then format two new disks, one for each. Label each as to whether it is drive A: or B: on the computer. Copy some files onto them, and take several directory listings.
If you have utility software, try to look at the boot sectors of the floppy disks. The reason for all this activity is that one must try to force the virus to infect the disk, and this is not always as easy as it sounds.

Also, if a boot sector infector is identified, recovery is not quite as simple as replacing a file. Boot from a system disk that is known to be free from infection. If you cannot access the hard disk at this point, do not try anything further. If the hard drive is readable, then do a SYS C: command (if the boot sector is changed) or an FDISK /MBR (if the master boot record has been altered). This should fix the problem, but you will also need to check *all* diskettes for infection.

copyright Robert M. Slade, 1993 BEGPANB.CVP 931111

==============
Vancouver ROBERTS@decus.ca | "Daughters of feminists love to wear
Institute for Robert_Slade@sfu.ca | pink and white short frilly dresses
Research into rslade@cue.bc.ca | and talk of successes with boys/
User p1@CyberStore.ca | It annoys/
Security Canada V7K 2G6 | Their Mums ..." - Nancy White

------------------------------

Date: Sun, 16 Jan 94 02:21:41 -0500
From: "Rob Slade"
Subject: 3.3 Local Reports (CVP)

BEGPANC.CVP 931111

3.3 Local Reports

If you hear reports of a virus in your particular area, be cautious, but don't panic. As I write this, there have been a great many news reports of the formidably named SatanBug virus. This is perhaps more widespread than some because of the activity of virus exchange bulletin boards, but got much more press than it warranted because of reports from Washington, DC. In the same way, we have recently been inundated with reports of "Stoned 3" and "Stoned 4": these are the names given by a particularly widely distributed (though not particularly good) scanner to a wide variety of viral variants and even false alarms.

However, it is true that virus infections tend to happen in clusters.
Therefore, if there are a lot of validated reports of one particular infection in your area, then it is best to be careful. Make sure that you have a program which is either effective in preventing, or will correctly identify, this specific virus. It is a good idea to get accurate information about the virus: what does it infect, what are the exact symptoms, how does it behave, and is there any information you can check to determine that you do *not* have the virus.

In this latter category, during the months leading up to March of 1992, we were able to advise people who were worried about the Michelangelo virus to use CHKDSK. This simple utility checks the files and space on the disk, but it also gives a report on the memory. For most machines (although not all) it should report "Total Memory" as being 655360 bytes. If it does, then you do *not* have the Michelangelo virus. You may, of course, have something else.

Try to find out all you can about the distribution and spread of the virus, as well as any technical details. The more people have been hit whom you know, the more risk there is to you and your system. If, on the other hand, only machines in lawyers' offices are being hit, and you don't know or deal with any lawyers (and who does, if they can help it?), then you are probably at lower risk. Not no risk, but lower.

Try to assess the source of the reports. Recently the Clinton administration health plan was distributed to interested parties and the media on disk. Almost immediately a newswire report was issued, and got almost universal coverage, stating that the disks were infected with a virus. (The mythical but ubiquitous "Stoned 3," as it happened.) When the dust had cleared, it turned out the *only* report was from one reporter -- who happened to work for the newswire service. He had infected his machine and "decided" that the only source could have been the Clinton disk. (I must admit that this report caught me out, too. You can't be too careful.)
copyright Robert M. Slade, 1993 BEGPANC.CVP 931111

==============
Vancouver ROBERTS@decus.ca | "In questions of science, the
Institute for Robert_Slade@sfu.ca | authority of a thousand is not
Research into rslade@cue.bc.ca | worth the humble reasoning
User p1@CyberStore.ca | of a single individual."
Security Canada V7K 2G6 | - Galileo

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 6]
****************************************
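Editor's added example (not part of the digest, and not code from any poster or from FixMBR, TBUTIL, IMAGE or FDISK). Mike Hanewinckel's reply on MBR/FBR viruses, Allen Taylor's FORM recipe and Rob Slade's change-detector column all describe two different ways of putting a master boot record back: rewriting only the boot code while keeping the live partition table (what FDISK /MBR does, and why it breaks drives that depend on a disk-manager overlay loader), or restoring a whole saved sector from a backup taken earlier (the TBUTIL-style check and restore). The script below models exactly that on constructed 512-byte sectors: the boot-code byte strings, the partition layout and the "infector" are made up for the example and the CHS fields are placeholders. It fingerprints boot code and partition table separately, so that "boot code replaced, table intact" (the look of a Stoned-style MBR infector) is distinguished from "table changed" (repartitioning or damage, where restoring an old table blindly would be wrong).

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table starts here
PT_ENTRY = 16            # four 16-byte entries
SIG_OFFSET = 510         # 0x55 0xAA boot signature

# Constructed stand-ins, not real loader code: a plain DOS-style loader, a
# disk-manager overlay loader, and an infector that has taken over the boot code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 60
OVERLAY_CODE = b"\xeb\x3c\x90CONSTRUCTED-OVERLAY-LOADER" + b"\x90" * 40
VIRUS_CODE = b"\xeb\x1c\x90CONSTRUCTED-BOOT-INFECTOR" + b"\x90" * 40
SAMPLE_TABLE = [(0x80, 0x06, 63, 65536)]   # one bootable FAT16 partition (constructed)


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed 512-byte MBR. CHS fields are fixed placeholders
    because nothing below interprets them."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", start, size)
        for status, ptype, start, size in partitions
    ).ljust(4 * PT_ENTRY, b"\x00")
    return code + table + b"\x55\xaa"


def parse_mbr(sector):
    """Split one sector into boot code, partition table and signature,
    fingerprinting the first two separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY
        status, _chs_s, ptype, _chs_e, start, size = struct.unpack(
            "<B3sB3sII", sector[off:off + PT_ENTRY])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": start, "lba_size": size})
    return {
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
        "code_hash": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "table_hash": hashlib.sha256(sector[PT_OFFSET:SIG_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(saved, current):
    """The TBUTIL-style check: what differs between the saved copy and the live sector?"""
    a, b = parse_mbr(saved), parse_mbr(current)
    findings = []
    if not b["signature_ok"]:
        findings.append("boot signature missing")
    if a["code_hash"] != b["code_hash"]:
        findings.append("boot code changed")
    if a["table_hash"] != b["table_hash"]:
        findings.append("partition table changed")
    return findings


def classify(findings):
    """Rule of thumb: new boot code over an unchanged table is how a Stoned-style
    MBR infector looks; a changed table means repartitioning or damage."""
    code = "boot code changed" in findings
    table = "partition table changed" in findings
    if code and not table:
        return "boot code replaced, partition table intact: looks like an MBR infector"
    if table:
        return "partition table changed: repartitioned or damaged, do not blindly restore"
    return "no change"


def rewrite_boot_code(current, clean_code):
    """What FDISK /MBR does: fresh boot code, keep the live partition table.
    Any overlay loader living in those 446 bytes is lost."""
    return clean_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + current[PT_OFFSET:SIG_OFFSET] + b"\x55\xaa"


def restore_saved(saved):
    """What a TBUTIL-style restore does: put the whole saved sector back."""
    return bytes(saved)


def demo():
    saved = build_sample_mbr(CLEAN_CODE, SAMPLE_TABLE)
    infected = build_sample_mbr(VIRUS_CODE, SAMPLE_TABLE)
    overlay = build_sample_mbr(OVERLAY_CODE, SAMPLE_TABLE)
    repartitioned = build_sample_mbr(CLEAN_CODE, [(0x80, 0x06, 63, 32768), (0x00, 0x05, 32831, 32768)])
    return {
        "infected": classify(compare_mbr(saved, infected)),
        "fdisk_fixes_infected": rewrite_boot_code(infected, CLEAN_CODE) == saved,
        "repartitioned": classify(compare_mbr(saved, repartitioned)),
        # The caveat from the post: FDISK /MBR on a disk-manager drive throws the overlay away,
        # whereas restoring the saved sector keeps it.
        "fdisk_on_overlay": compare_mbr(overlay, rewrite_boot_code(overlay, CLEAN_CODE)),
        "restore_on_overlay": compare_mbr(overlay, restore_saved(overlay)) == [],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the sector would be read with a raw disk read from a clean boot floppy, and the saved copy kept off the hard disk, as the post notes for IMAGE, since anything stored on the drive is reachable by the same virus.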
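Editor's added example (not part of the digest and not Rob Slade's code or any product's). His change-detector column above gives three rules that are easy to lose in prose: record what executables looked like and compare at boot time, treat one changed file as probably legitimate but a cluster of changes in one directory as an infection, and expect false positives after an operator knowingly patches WordPerfect or SETVER. The script below implements those rules over a constructed directory tree in a temporary folder; the file contents and the appending "infector" are made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".com", ".exe", ".sys", ".ovl"}


def fingerprint(path):
    """(size, SHA-256) of one file; an appending infector changes both."""
    data = path.read_bytes()
    return (len(data), hashlib.sha256(data).hexdigest())


def take_baseline(root):
    """Record every executable below root. Keep the result on a write-protected
    floppy: a virus that can rewrite the checksum database can hide in it."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def check(root, baseline, expected=frozenset()):
    """Compare the tree with the baseline. 'expected' holds relative paths the
    operator knowingly changed (a patched WordPerfect, a new SETVER) so that
    those do not raise the false positives the column warns about."""
    current = take_baseline(root)
    return {
        "changed": [rel for rel, fp in baseline.items()
                    if rel in current and current[rel] != fp and rel not in expected],
        "missing": [rel for rel in baseline if rel not in current],
        "new": [rel for rel in current if rel not in baseline],
    }


def assess(report):
    """One changed file is probably legitimate; several in one directory is the
    pattern of a real infection."""
    changed = report["changed"]
    if not changed:
        return "no changes"
    if len(changed) == 1:
        return "single file changed: replace it from a clean copy"
    per_dir = {}
    for rel in changed:
        directory = rel.rpartition("/")[0]
        per_dir[directory] = per_dir.get(directory, 0) + 1
    if max(per_dir.values()) >= 2:
        return "cluster of changed files in one directory: likely infection, boot clean and scan"
    return "several scattered changes: investigate each"


def _infect(path):
    """Constructed stand-in for an appending file infector."""
    path.write_bytes(path.read_bytes() + b"\xeb\x10CONSTRUCTED-APPENDER")


def demo():
    """Build a constructed tree, baseline it, then change one file and a cluster."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("DOS/COMMAND.COM", "DOS/SETVER.EXE", "WP/WP.EXE",
                    "WP/SPELL.EXE", "GAMES/PLAY.COM", "README.TXT"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ" + rel.encode() * 8)      # constructed contents
        baseline = take_baseline(root)
        out = {"baseline_count": len(baseline), "clean": assess(check(root, baseline))}
        _infect(root / "DOS/SETVER.EXE")
        out["one_file"] = assess(check(root, baseline))
        out["one_file_expected"] = assess(check(root, baseline, expected={"DOS/SETVER.EXE"}))
        for rel in ("WP/WP.EXE", "WP/SPELL.EXE"):
            _infect(root / rel)
        out["cluster"] = assess(check(root, baseline))
        out["cluster_files"] = sorted(check(root, baseline)["changed"])
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline is a plain dictionary so it can be written to a floppy and read back; the comparison itself should be run after booting from a clean system disk, otherwise a resident stealth virus can hand the checker the original bytes, which is the memory-only symptom the column mentions.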