VIRUS-L Digest   Tuesday, 8 Feb 1994   Volume 7 : Issue 9

Today's Topics:

Re: "Good Viruses?"
RE: Something that looks like a new idea
Beneficial Viruses
Re: What happened to SHI (Amiga)
Re: Any reviews of InVircible/V-Care ? (PC)
Is this a virus ? (PC)
Re: Fprot or McAfee (PC)
Re: MicroSoft Anti-Virus question (PC)
Is speed really important? (PC)
Case History of a False Alarm (PC)
1008 DROPPER (PC)
Form. Should it be Hated and Feared?? (PC)
Virus affecting keyboard? (PC)
Location of Virus Simulator Files (PC)
Re: Rael virus (PC)
Death to MickeySoft (PC)
Re: Fprot or McAfee (PC)
Beethoven (?) (PC)
Re: MicroSoft Anti-Virus question (PC)
avp_107b program (PC)
Parity Check Virus? (PC)
Re: Help in removing Monkey virus from hard disk (PC)
Aurora text editor bug/virus/problem (PC)
Potential Virus Help (PC)
New Address to Virus Help Centre
The SETI virus (CVP)
Call for Papers: Artificial Life

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 27 Jan 94 09:59:17 -0500
From: alan@saturn.cs.swin.oz.au (Alan Christiansen)
Subject: Re: "Good Viruses?"
ktark@src4src.linet.org writes:

>Brian Seborg writes:
>>There is NO SUCH
>>THING AS A NON-DESTRUCTIVE VIRUS, PERIOD!!!!! If even the most benign virus
>>gets out of the lab, it's a problem.

>The existence of one such virus will prove your point wrong.
>Perhaps with time I will be able to conduct this experiment and
>prove my theory.

Yes it would prove it wrong in an entirely non practical way. I might say ALL viruses which stand any chance of ever escaping into the wild are dangerous and potentially destructive. The measures required to safely contain such a virus makes the concept meaningless except for the express purpose of finding out enough about a virus to kill it. This however is verbal diarrhoea. The above quoted statement about virus is much more succinct and clear.

>>Brian Seborg
>>VDS Advanced Research Group

>Let us add some more world perspective to this:
>You have an economical and personal interest in making all computer viruses
>appear as evil incarnate, you make a living out of this premise, whether
>you like it or not.
>Let us hear from someone who has no stakes in this matter..

I have no financial stakes in the matter. Viruses ARE BAD. There are NO good Viruses. Good Viruses are not possible. If you have a virus that is apparently good it is not wise to release it anywhere. Being not wise, it is also not good to release it, and this is near enough in my book to the only good virus is a dead one.

I first thought of viruses a number of years before they escaped in the wild. I thought of all sorts of ideas for viruses which have of late surfaced in real viruses. I considered hunter/killer/doctor viruses. I thought about many things, I wanted to believe in them, I wanted to write one but I could find NO wise way to do so. In the end I concluded the idea was not even wise to think about because if I get a Really good idea how to write a really efficient virus I may be tempted to tell people and then I will sow the seeds of my own discontent. Not wise.

Bye.
Alan

>ktark@src4src.linet.org

- --
 | This space was intentionally left blank,
 | until some silly included a self descriptive
 | self referential self referential self ...
 | ... Stack overflow. Executing cleanup rm *.*

------------------------------

Date: Thu, 27 Jan 94 14:14:19 -0500
From: william.d.bauserman@gte.sprint.com
Subject: RE: Something that looks like a new idea

A.APPLEYARD@fs1.mt.umist.ac.uk writes:

> From periodical `New Scientist', 15 Jan 1994, p18:-
> [Virus busters get a shot in the arm] by Jonathan Beard, New York.
> Computers could soon fight off viruses that attack them by using an in-built
>"immune system", For a user, this should mean that systems will no longer be
>immobilized for hours or days, but will instead fight the virus while
>performing other functions.

And possibly aiding the spread of any virus it fails to identify.

> Existing antivirus programs are generally managing to stay one byte ahead of
>today's equally primitive viruses, which usurp machine facilities and are
>designed to try to copy themselves onto other systems. But scientists at IBM
>are working on new software that would resemble a biological immune system to
>help networks react more quickly to viral assaults of the future.

I would venture to say that (save heuristics) antivirus programs (scanners) are generally managing to stay one byte "behind" today's viruses. Not all of which I would classify as primitive (IMO, even the Brain virus was "modern" in its time).

> The system would not only identify the virus and repair files that have been
>modified, but also send a message to every other computer on the network to
>tell them how to destroy the virus.

[Stuff Deleted]

> At present whenever a new virus is recognised it is quickly distributed
>among an informal network of virus collectors - such as those at the HICL -
>many of whom work for software companies selling antivirus software.
>They dissect the new program to discover how it works, identify its "signature"
>the telltale pattern of bytes it inserts in any file that it modifies in the
>infected computer - and add that to antiviral programs' "wanted lists". White
>says that current programs recognise about 2000 viruses.
> But this is too slow a process for the world that White envisages. So the
>HICL is creating a system that will identify viruses, not by comparing their
>code to a reference library, but by watching them at work.

Heuristics, huh, I like A-I, but how do they get rid of false positives - especially, if they are broadcasting to the network your PC is infected.

> A typical virus seeks out data files that are frequently accessed or
>modified because it can use them to infect programs that come into contact
>with lots of files. The algorithms being developed at IBM also watch such
>files for any sign of tampering, and then begin to create "decoy files" which
>are repeatedly accessed (but not altered) to make them attractive to a virus.
>If a decoy file grows longer, the system has both caught the virus at work and
>its signature.

Ah...so IBM is creating decoy "data" files. We all know that data files are the number one cause of spreading infection :) I hope the algorithm doesn't tell the network that my word processor is a virus.

> The automatic program would then scan the computer for files the virus had
>modified, repair them and add the new viral signature to its database. A
>message to every other computer in the network would tell them to search and
>destroy this virus.

I just hope they don't pick up "Microsoft Word 6.0 Document" as a signature :) I would be very leery of using anything like this in today's world. I don't know if I would ever trust a network message that tells my pc to modify files. If this is the wave of the future, you wouldn't need viruses, just create a timebomb that would broadcast a fake message to modify files on March 6th.
:)

Since this did come from an article and not IBM, I give IBM the benefit of the doubt that the errors/misinterpretations are from the reporter. Can David Chess elaborate on this project? I understand the reasoning behind it, but I am interested to know more about the security and liability problems. Just imagine two rival corporations hooked up to this proposed information superhighway, one sends out a message that all files containing a string, of say "CD21" or better yet a string of nothing but wildcards, have been infected by an overwriting virus - please automatically delete these files. This would take longer to recover from than any viral attack and then what about the legal implications when they trace it back to their rival (the list of defendants would be a mile long).

By the way, when I originally saw the subject, I thought, finally all of Padgett's "soapboxing" has paid off, somebody has implemented his BIOS protection plan. Oh well, maybe next time...

Bill Bauserman
This is entirely my own opinion.
william.d.bauserman@gte.sprint.com

------------------------------

Date: Fri, 28 Jan 94 15:50:59 -0500
From: guillory@blkbox.COM (George Guillory)
Subject: Beneficial Viruses

A recent article out of the Houston Post by Eric Hanson entitled "Houston Realtors try new system to keep keys out of thieves' hands" discusses beneficial use of viruses. In the article, Lynn Zarr, president of the Houston Association of Realtors explains that it is a common practice of thieves to case homes on the market via Realtors. When they find a home they wish to burglarize they obtain the code for the lockbox via illegal means.

Quoting the article, "In the new system, each of the 10,000 Realtors will be issued an electronic keypad, about the size of a makeup compact, which fits into the lockbox attached to the house for sale. After punching in a personal code number, the Realtor slips his coded keypad into the lock box, causing a small opening to appear and the key to drop out."
"Zarr said the new system has several other security features. For one, it includes a mechanism for quickly spreading a lock out virus throughout the computerized system should a keypad be lost or stolen, Zarr said."

The newspaper article states that installation of the boxes has begun and that approximately 53,000 computerized lockboxes will be installed in the Houston area with a cost of about US$3.5 million.

(Hey, I just reported what the newspaper article said. Contact the Houston Association of Realtors if you have any flames. I have the complete newspaper article if someone is interested.)

George Guillory
guillory@blkbox.com

------------------------------

Date: Thu, 27 Jan 94 11:21:38 -0500
From: kcci1@syma.sussex.ac.uk (Alan Buxey)
Subject: Re: What happened to SHI (Amiga)

kohli@iam.unibe.ch (Reto Kohli) writes:

> Anyone recently heard of Safe Hex International ?
> I would greatly appreciate getting an internet address to contact them,
> if they still exist. Please email, I will summarize if necessary.

sorry about not replying by email, but i have .elmrc problems ;)

Safe Hex International are still around, they have an info column in amiga format now, if you want, email me (i can to reply mail) and i'll give you their phone number.

alan

- --
Alan - proposer for comp.sys.amiga.cd32 and rec.games.video.cd32
- -------------------------------------------------------------------------------
From Alan - a reply is appreciated ;-)

------------------------------

Date: Thu, 27 Jan 94 09:40:32 -0500
From:
Subject: Re: Any reviews of InVircible/V-Care ? (PC)

Amir Netiv writes, in reply to various readers:

> V-CARE started the Generic "thing" ....

Are you speaking of generic *detection* (integrity checking) or generic *disinfection* or both?? If we consider generic detection, the original version of Untouchable (known then as "VirAlarm") was released in the spring of 1988, which would make it almost 6 years old. (You speak of only 5 years for your product.)
> However you'd be surprised to know that since
> V-CARE invented the smart-signature stuff, almost NO change in the system was
> necessary (more than 5 years now). And not only that but even the product that
> you yourself like(ed?) most (Untouchable or Vanalyst) has learned the system
> from us, and also didn't have to change much in the last 2 years.

Again, no distinction between detection and modification. You are probably correct that V-CARE was the first product which used generic disinfection. But that doesn't mean that "Untouchable or V-Analyst learned the system from you"! I think you attach far too much importance to your role in this. (I spoke to someone at BRM about this. He said that at one point they did take a look at V-CARE, but all that they learned was how *not* to implement generic disinfection.)

>> ask them how would their product protect your hard disk from
>> a virus that infects like Brain, but also corrupts only the
>> data files on your hard disk and only when they are being
>> modified by DOS.
>
> Is that your idea of a problematic virus? how about a virus that infects only
> a PC with a modem and only when there is a call on the line? or one that
> infects only PCs with Spanish keyboard support? or... ;-) I mean: let's not
> get too theoretical
> on this, there are enough viruses in the world that pose a problem
> than to go look for one that does not exist ....

Vesselin's question was a serious one and you reply by comparing it to absurdities. Apparently such a virus doesn't yet exist, but your reply is an evasion, not a serious answer.

> Yes. The average speed of file scanning by both V-CARE and InVircible is about
> 2500 files per minute. (No other product in the world competes with that).

First, how can you speak of a speed without mentioning the *machine*? Secondly, it's no trick to produce fast scans if you SKIP MOST OF THE FILE. Correct me if I'm wrong, but I think that's what your program does.
I could mention a few drawbacks to the V-CARE package, but they would be based on the package as I tried it several years ago. I have no idea to what extent you've improved it since then, so it would seem unfair to judge your present package by your former one. On the other hand, you keep telling us that nothing in your software has changed during the last 5 years, so maybe the drawbacks are still relevant?

Oh yes, the most interesting program in the V-CARE package I saw was V-GUARD. I get the impression this is no longer part of V-CARE. If not, why not? And what happened to your philosophy of not including any TSRs in your package?

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

From: grossnik@iam.unibe.ch (Bruno Grossniklaus)
Subject: Is this a virus ? (PC)

Hi

We have some PS2/70 computers with IBM DOS 5.0
config.sys and autoexec.bat are empty.
Default drive is c:

When selecting file / open (or save) in any program (DOS or WINDOWS) there is a very short access on drive a: (Led is on, drive starts 0.5 s). This slows speed down when saving.

Does anybody have an idea what this is? (we made a scan with McAfee 109)

If you have any suggestions, I would be happy to hear from you. If the responses are useful, I shall gladly summarize and post. If this is a FAQ question, please let me know where to get the info from.

 ///  Bruno Grossniklaus  | Universitaet Bern
 o-o  Niesenweg 3         | IAM Buero 210
  |   3138 Uetendorf      | Laenggassstr. 51
  -   Schweiz             | 3012 Bern
      +41 33 45 24 73     | Tel: +41 31 631 84 19
                          | Fax: +41 31 631 39 65
Europe                      grossnik@iam.unibe.ch

------------------------------

Date: 27 Jan 94 15:30:11 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Fprot or McAfee (PC)

jlj@cs1.bradley.edu (Joel Johnson) writes:

> I'd like to get some input on which is better Fprot or McAfee. Does
> it really matter which one we use in a university. Fprot is much
> cheaper with their site licenses. Are they very close in quality?
In the last VB comparative review, F-PROT scored 100% against our three test-sets (Viruses in the wild, A 'Standard' set of viruses, and MtE), with a scan rate of 180 KB per sec.

SCAN scored 92.6% (In the wild) Standard 98.1% and 100% against the MtE, though it was very slow (only 54.2 KB per sec).

Both products seem to be okay, but for the money... well, draw your own conclusions :)

Regards,

Dicky Ford
Editor, Virus Bulletin.

------------------------------

Date: Thu, 27 Jan 94 11:30:47 -0500
From:
Subject: Re: MicroSoft Anti-Virus question (PC)

Phil Bancroft writes:

> At the Ides of March meeting in New York there was discussion of both
> MSAV and Central Point Anti_virus. I thought I overheard a discussion
> which alleged that CPAV was easy to defeat - "Change a couple of bytes"
> and it was supposed to defeat it. I did not confirm that at the time.
>
> I am not interested in data on CPAV, but I AM interested in any security
> flaws which may exist in MicroSoft Anti-Virus, as my company is using
> it as one of our AV tools on the systems which have V6.n licensed.
>
> Is there some flaw which makes MSAV easily defeated?

MSAV is full of security holes. For details, ftp to CERT.ORG, cd to pub/virus-l/docs/reviews/pc, and download the file radai.msav. You'll find 10 holes in MSAV mentioned there. Here's an abbreviated version of some of them:

1. It's trivial for a virus to disable VSafe. All it has to do is load certain values into the AX and DX registers and call a certain interrupt, and voila, VSafe either has all its options disabled or is completely unloaded from memory (depending on the value loaded into AX), without the user being aware that his protection has disappeared. This trick is used by the Tremor virus [and by at least 3 others since that was written].

2.
While VSafe's generic monitoring detects most viral modifications to already existing executable files, it does not detect creation of a new executable file (important for detecting companion viruses), modifications made to a file with a *non*-executable extension, or renaming of files.

6. Companion viruses do not modify existing files, but create new ones which get executed before the target program. The integrity checking of MSAV and VSafe does not detect infection by this type of virus.

7. A simple way for a virus to defeat the integrity checking is to alter the checksum database, deleting the entry (name and information) for a file just before infecting it. An even simpler way is to delete the entire checksum database. The user will notice nothing unusual since if a database is deleted, MSAV will simply start creating the database anew as if one never existed, this time using the *infected* files as a basis for future comparison instead of the original ones. Viruses which exploit this weakness are the Peach, Groove, Encroacher, and Twitch viruses.

8. A good checksum algorithm for AV use will be based on different (unknown) keys for different users. MSAV/VSafe does not do this. Thus even if it were impossible to delete the database or any of its entries, it would still be possible for a virus writer to incorporate the checksumming code from MSAV.EXE or VSAFE.COM into his virus, so that after infecting a file, it could compute the checksum of the infected file and modify the checksum and file length in the database according to the new values.

9. To increase speed, MSAV and VSafe do not checksum the entire file, but only its first 63 bytes. Thus a virus which alters only other parts of the file and preserves the file size, date/time, and attributes will not be detected by the integrity checking of MSAV or VSafe. Considering that there are viruses (e.g. ZeroHunt) which preserve the size and viruses (e.g.
LeapFrog) which avoid modifying the beginning of files, it would not be difficult to write such a virus. Another way of exploiting this loophole would be to overwrite the scan strings within MSAV.EXE and/or VSAFE.COM, thus rendering the scanner completely ineffective. The integrity checking of MSAV/VSafe would not notice the modification.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Thu, 27 Jan 94 11:59:50 -0500
From: dm252@cleveland.freenet.edu (Keith A. Peer)
Subject: Is speed really important? (PC)

I have read and heard about how fast some antiviral scanners are. My question is with all of this so called speed is it possible to be missing some infections? Are some scanners not scanning the entire file to increase speed? Being that some viruses can enter a file in the front, middle or end and in some cases anywhere how can a scanner that does not scan the entire file find all infections? F-Prot and ThunderByte are very fast scanners compared to McAfee. Does McAfee scan the entire file while F-Prot and Thunderbyte don't? I mean really isn't the quality of the scanner really what's important and not that it can scan a hard disk in "X" seconds?

Regards,
Keith

- --
Keith A. Peer
Cleveland Freenet -=> dm252
Internet -=> dm252@cleveland.freenet.edu
Interests: Viruses, Antiviral Hardware and Software

------------------------------

Date: Thu, 27 Jan 94 12:36:06 -0500
From: danr@umcc.umcc.umich.edu (Dan Romanchik)
Subject: Case History of a False Alarm (PC)

I had a virus scare yesterday. It was a false alarm, but I thought others might benefit from my experience.

I'm running Windows 3.1 and PC Tools. Central Point Software, the vendor of PC Tools, released a new DLL, WNFSV1.DLL, to allow you to view files zipped with version pkzip, version 2.04. I downloaded the file and installed it. After a couple of days, I rebooted my computer, and MSAV noted that WNFSV1.DLL had changed.
Being suspicious of this, I ran F-PROT. It was an older version, but I ran it anyway. It told me I had the Telecom virus in memory. Now, I was getting really scared.

So, I booted from a clean disk, then went out to get the latest version of F-PROT. I ran this, and everything looked cool. So, I booted up from the hard disk, running MSAV in the process because it was in my AUTOEXEC.BAT file. Again, it reported that WNFSV1.DLL had changed. Yikes!

At this point, I deleted the file. I ran F-PROT (this time the latest version) again. This time it said that it had found traces of the Telecom virus, but this time the error message said that this was probably because I had run MSAV or CPAV since booting the computer.

So, apparently, this was all a false alarm. I reinstalled the WNFSV1.DLL, reran F-PROT, and everything looks clean. I don't know why MSAV said that the file had changed. I would have expected the attributes to change when I copied the .DLL file from the floppy disk, telling MSAV that the change was OK. Apparently, the attributes didn't change, maybe because the file name is the same.

I think in the future, I'm going to use just one anti-virus program. Playing around with two of them, each giving you different results is not good for the nerves. I also think I'm going to make F-PROT my standard program. You can't beat the price, and updates are readily available.

I'd be interested in any comments any of you out there might have.

Dan
danr@umcc.umich.edu

------------------------------

Date: Thu, 27 Jan 94 12:36:09 -0500
From: greg.mcclure@mwcsinc.muug.mb.ca (Greg Mcclure)
Subject: 1008 DROPPER (PC)

GM> Scanning hd of ps2 Ibm/30 (286 based) with Scan109 report virus 1008 Dropp
GM> in mode.com. Dos version installed is 3.30 from Ibm.
GM> Clean109 does NOT report and clean anything.
GM> Another scan with scan109 does NOT report viruses, F-prot and Tbav too.
GM> Comparison with original floppy does not report size increasing in file.
GM> What? Why?
GM> a false alarm from scan?

Yes, it is a false alarm. Version 111 of Scan has been released and solves this problem.

Greg...
15:35 01/26/94

Internet: greg.mcclure@wpcusrgrp.mb.ca
          greg.mcclure@mwcsinc.muug.mb.ca
Compuserve: 75170,1100

* RM 1.3 B0337 * An ass thinks one thing, his rider another.
- ----
Muddy Waters Computer Society Inc. Winnipeg, Manitoba, Canada
(204)943-6507,08,09 (204)942-0227 (204)956-4997 (all nodes USR 16.8K D/S)

------------------------------

Date: Fri, 28 Jan 94 02:11:13 +0000
From: daveg@robin.EE.UNLV.EDU (David Good)
Subject: Form. Should it be Hated and Feared?? (PC)

Recently, we received a batch of disks from Motorola that were infected by PC Form virus. Since these are not bootable disks, I was not overly concerned that the safety and security of the computing world may be in jeopardy. Then I started thinking...

What happens if I leave a Form infected non-bootable disk in the drive and reset the pc?? Will it be released, so that it may hatch some insidious plot on my HD?? Is there any other way it can creep into my machine other than booting off the floppy?? Should I be treating this virus with more respect???

Inquiring minds WANT to know.

=====================================================================
Dave Good                                  daveg@ee.unlv.edu
Development Technician
Dept. of Electrical and Computer Engineering
University of Nevada, Las Vegas (the town that loves YOUR money)
*** ***
**Anything is possible if you don't know what you are talking about**
*** ***

------------------------------

Date: Fri, 28 Jan 94 00:56:36 -0500
From: U19250@uicvm.uic.edu
Subject: Virus affecting keyboard? (PC)

I have some type of virus on my PC that is listed as the NOINT version of the STONED virus. I cleaned off the hard drive, and all floppies, repeatedly but could not clean it totally. Finally, I had to do a low level format of the hard drive (upon advice from a haced friend and COMPAQ).
The interesting thing is that once the virus came aboard, I could not use the shift key. Even if I booted from a clean floppy, the shift key would not work. Interestingly the diagnostics disk allowed the shift key, and there were no problems. But anything other than that...no shift key.

Any ideas?

Robin
u19250@uicvm.uic.edu

------------------------------

Date: Fri, 28 Jan 94 03:03:01 -0500
From: ALLENTAYLOR@delphi.com
Subject: Location of Virus Simulator Files (PC)

TO: ALL VIRUS-LIST Readers:

I recently posted some file information/location that was incorrect. I had earlier stated that the following files could be retrieved by ftp.mcafee.com :

VIRSIM2C.ZIP
VIRPRES2.ZIP

McAfee has the virus simulator listed as VIRSIM10.ZIP and VIRSIMUL.ARC. It can also be found via ftp at oak.oakland.edu.

The virus presentation program can be downloaded from Computer Security BBS at 303 962-9536. The virus presentation program is directed at the virus "novice" or the K-12 group. It serves a purpose but is not a source of serious virus information.

I apologize to anyone who may have wasted valuable FTP time looking for the files. If you are unable to FTP these files and ABSOLUTELY have to have them, post me your snail-mail address and I'll try to send them to you on floppy as long as our floppy supply lasts. Sorry, 5 1/4" only!!

Best Regards,
________________________________________________________________________
| Allen G. Taylor,               | allentaylor@delphi.com              |
| Computer Virus Research Center | * CVRC BBS *                        |
| Indianapolis, Indiana, USA     | Specializing in Anti-Virus Software |
|======================================================================|
|PGP 2.3 Public Key Available upon Request & via All Public Key Servers|
|______________________________________________________________________|

------------------------------

Date: Fri, 28 Jan 94 06:19:20 -0500
From: Christian Treber
Subject: Re: Rael virus (PC)

eugene writes:

>
> Someone out there know something about the "Rael" virus?
> It's
> <...>
> RAEL-IMPERIAL AEROSOL KID VIRUS III
> -Buenos Aires-Argentina-
> ...Rael, Imperial Aerosol Kid-exits in the daylight, spraygun head...
> - SaTaNiC BRaIn B.B.S. 383-7480 Las 24 Horas -

Genesis, "The Lamb Lies Down On Broadway" (song of the same name).

Gruss, Christian

- --
Christian Treber, telenet GmbH | __~~~~ |
Marburger Str. 14, 64289 Darmstadt, Germany | ___ _/\ / \ |
phone: +49 6151/9769-{0(root)|65(me)|25(fax)} | ~_/ \-/ \__/ \______|
e-mail: ctreber@telenet.de |__/ Fan of Tongariro NP, NZ |

------------------------------

Date: Fri, 28 Jan 94 07:43:11 -0500
From: Seppo Roponen
Subject: Death to MickeySoft (PC)

I am new with the comp.viruses-newsgroup, so I do not know whether my question is "oh, again, some idiot is asking the same question"-type question. Sorry, if so.

I downloaded some files from nic.funet.fi -ftp site and after zipping the files I got a Windows icon "Death to MickeySoft" and my mouse started to behave like I would have painted with paintbrush. I made a hard boot, boot with absolutely clean system disk and scanned viruses with McAfee v.108. Nothing was found.

Any hints? Some well-known virus? What to do?

- -Seppo Roponen
National Consumer Research Center, Helsinki, Finland
****************************************************
E-mail: seppo.roponen@ktk.kuluttajatalo.mailnet.fi

------------------------------

Date: Fri, 28 Jan 94 13:35:16 -0500
From: adamsp@umbsky.cc.umb.edu (Peter C.S. Adams)
Subject: Re: Fprot or McAfee (PC)

jlj@cs1.bradley.edu (Joel Johnson) wrote:

>
> I'd like to get some input on which is better Fprot or McAfee. Does
> it really matter which one we use in a university. Fprot is much
> cheaper with their site licenses. Are they very close in quality?

Our resident PC Virus guru says F-Prot wins all the head to head comparisons. My position as a support rep is that even if they're only close, I prefer F-Prot because: it is MUCH easier to use; therefore people in the field are MUCH more likely to actually use it.
+-------------------------------------+
| The sunlights differ, but there is  | Peter C.S. Adams
| only one darkness. -Ursula LeGuin   | UMass-Boston
+-------------------------------------+

------------------------------

Date: Fri, 28 Jan 94 18:54:25 -0500
From: THE GAR
Subject: Beethoven (?) (PC)

Here is a puzzle for you...

A student reported to our computer services group that they had found the "Beethoven" virus on one of their diskettes, and that when they scanned the computer in our lab, it had it too.

We don't know what program he was scanning with, but our McAfee finds no virus on the indicated computer. McAfee tech support reports not knowing of a Beethoven virus.

Can someone tell me if they've heard of it, what can find it/clean it, and what other name it might be called?

/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
! Later        + Systems Programmer                                  !
! Gary Warner  + Samford University Computer Services                !
!              + II TIMOTHY 2:15                                     !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date: Fri, 28 Jan 94 20:03:45 -0500
From: udsm@sunyit.sunyit.edu (Derek S. Meyer)
Subject: Re: MicroSoft Anti-Virus question (PC)

writes:

>At the Ides of March meeting in New York there was discussion of both
>MSAV and Central Point Anti_virus. I thought I overheard a discussion
>which alleged that CPAV was easy to defeat - "Change a couple of bytes"
>and it was supposed to defeat it. I did not confirm that at the time.
>
>I am not interested in data on CPAV, but I AM interested in any security
>flaws which may exist in MicroSoft Anti-Virus, as my company is using
>it as one of our AV tools on the systems which have V6.n licensed.
>
>Is there some flaw which makes MSAV easily defeated? I would not want
>the details published, I am sure the virus writers value VIRUS-L data
>as much as I do, I just need to be warned if there are major flaws.

Sure..
Tell me where to send it. I have a little (I DO MEAN LITTLE) program that takes MVAV out of mem without the user ever knowing it and when you hit the hmmm alt V key calls it back into mem until u hit the esc key to stick it back into active and it is removed again

------------------------------

Date: Fri, 28 Jan 94 20:03:55 -0500
From: udsm@sunyit.sunyit.edu (Derek S. Meyer)
Subject: avp_107b program (PC)

I seem to have a problem with this software. Luckily it was not with a very harmful virus. I was quite surprised to see that this program would execute after it had become infected. It even detected itself as being affected. One plus to it I noticed is that it would NOT try to disinfect itself but made no reference as to not use the program anymore or to do anything else. Oh well.. just thought someone out there might be interested...

One other thing I might even get flamed for this but oh well. Over break (Christmas) I had some NuKE newsletters that I had been reading and I enjoyed them. Most of them seemed to be fairly old, so I started looking for some newer ones. I can't seem to find them. Now I doubt that most of the AV ppl will tell me where to find these newsletters but maybe some of you non AV ppl that read this group for info might be able to help me out.. IF so Please e-mail me..

Derek

------------------------------

Date: Sat, 29 Jan 94 00:58:50 -0500
From: Marlon Brownlee
Subject: Parity Check Virus? (PC)

I am working with three colleagues, we all have different laptops. Over the past month, we have all begun to get a "parity check" error when we press the "caps lock" key while running an application, such as Microsoft Excel.
It just seems too coincidental that four people at the same site should fall prey to the same affliction in such a short time period....we have shared floppy disks in the past, that seems to be how it has spread....just today, a colleague not working with us directly also experienced the same problem, shortly after sharing a floppy disk with us.....

any ideas? we have checked all our machines and disks with Central Point Anti-Virus to no avail - it doesn't find any signs of a virus.

------------------------------

Date: Sat, 29 Jan 94 01:14:25 -0500
From: udsm@sunyit.sunyit.edu (Derek S. Meyer)
Subject: Re: Help in removing Monkey virus from hard disk (PC)

virusbtn@vax.oxford.ac.uk writes:
>Dear All,
>
>Maybe I have missed the thread somewhere here, but in case I have not,
>here are some step-by-step instructions for removing viruses like
>Monkey. Forgive any technical screw-ups, but I'm working from home,
>(unsupported by a safety net here folks!).
>
>Problem: If I boot from the hard drive, the hard disk appears to be okay,
>but I have a MBS virus in memory. If I boot from the floppy disk, DOS cannot
>see the hard drive. If I use FDISK /MBR, I screw up my disk.

Also the program called killmnk3.zip (available from oak.oakland.edu) helps remove some of the monkey viruses (never have used it though)

Derek

-------------------------------------------------------------
Just a SUNY Tech Student Messing around with computers>

------------------------------

Date: Sat, 29 Jan 94 15:29:29 -0500
From: andrewf@lsupoz.apana.org.au (Andrew Foster)
Subject: Aurora text editor bug/virus/problem (PC)

Hi,

There is a text editor called Aurora, which when installed contains 15 files. Lately I have noticed that when I go into a directory that is empty and use Norton Utilities "fa" command which displays the file attributes of the current directory I get the 15 files used by aurora. I never worried too much.
Yesterday when I was in Xtree Gold I put a disk in drive B, logged it and it contained 15 files, of which all were Aurora. The disk showed up as having 1.4MB free - the files that were supposedly on there weren't on there. I couldn't delete them in XtreeGold because when I went to it said "Error: Disk has been changed". I use TBAV 6.10 which showed a negative virus scan or a checksum change.

I went into the aurora directory, deleted the files and everything is O.K. Typing this up makes me wonder - I had that directory APPENDed with "APPEND C:\UTIL\AURORA;". Would this have been the problem?

Andrew

--
Andrew Foster
andrewf@lsupoz.apana.org.au

------------------------------

Date: Sat, 29 Jan 94 18:52:23 -0500
From: smithc@minerva.cis.yale.edu (Christopher L Smith)
Subject: Potential Virus Help (PC)

On an IBM computer I am working with I have run across an unexplained behaviour and am wondering if it fits as part of a known virus.

It appears that any disk that is formatted in this particular office will generate an additional 0 byte hidden file that I have only detected through CHKDSK. Have you seen this? Any suggested ways of getting rid of this abnormality?

Thanks!

--
Christopher L. Smith
Yale Divinity School          SUNY at Stony Brook (Applied Mathematics)
New Haven, CT                 Stony Brook, NY
smithc@minerva.cis.yale.edu   smithc@ams.sunysb.edu

------------------------------

Date: Fri, 28 Jan 94 15:13:49 -0500
From: Mikael Larsson
Subject: New Address to Virus Help Centre

I just wanted to inform you all that Virus Help Centre has a new address from today (28th of January)... PO Box 7018 is valid only a few more months, so please update all lists, address books, customer databases etc etc with the new address that is:

Virus Help Centre
Box 244
811 23 Sandviken
Sweden

Phone: +46-26 275740 (still the same)
Fax: +46-26 275720 (still the same)

Best Regards,

Mikael Larsson
Virus Help Centre

---->>> NOTE!!!
New Mailing address to VHC from 28th Of January <<<----
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre    Phone: +46-26 275740    Email: mikael@vhc.se
Box 244              Fax: +46-26 275720      or   : mikael@abacus.hgs.se
S-811 23 Sandviken   BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden               BBS #2: +46-26 275715   Authorized McAfee Agent!

------------------------------

Date: Fri, 28 Jan 94 13:13:08 -0500
From: "Rob Slade"
Subject: The SETI virus (CVP)

OPNFUT7.RVW 940125

The SETI Virus

A question was posed on the RISKS-FORUM Digest regarding antiviral protection applied to data obtained from the Search for Extra Terrestrial Intelligence (SETI) program. On the face of it, this is absurd. If there are intelligent aliens out there who have the technology to contact us, they are unlikely to have Macs or MS-DOS. Yet, as with the Desert Storm viral myth, and related rumours about viral programs interfering with missiles, there are some slender threads of fact involved--just enough to make the rumour resistant to elimination.

The original poster mentioned the "fact" that all computers are based on Turing machines and that all Turing machines are able to emulate each other. This statement is then used to propose that an advanced alien intelligence would be able to devise a program which would be able to infect all computers, and, by extension, a program which would be able to crash all of earth's computers. There are several problems with this concept.

The first is the extreme misunderstanding of a Turing machine. While a Turing machine can be described in physical terms, and while a limited Turing machine can be built, the Turing machine is properly a mathematical concept. It can be used to determine whether a program can be written to solve a certain class of problem and, if such a program can be written, whether the program will ever give you a useful answer.
The determinations of a Turing machine are independent of specifics of hardware, architecture or physical limits. It is only in this way that the Turing machine is said to be a universal computer. Real, physical, existing computers can run models of Turing machines, but do not otherwise emulate Turing machines. Turing machines do not emulate other computers: you cannot run Windows on a Turing machine, although a Turing machine might be able to tell you if you could ever write a utility that might keep Windows from crashing so often.

Although data from the SETI project is massaged in computers, it is still just that--data. In discussing the ability of viral programs to travel through vectors that are normally assumed to be data, it is emphasized again and again that computers don't distinguish between programs and data: a program is data that a computer has been told to execute. In the case of SETI, however, the distinction is abundantly clear. It makes as much sense to run SETI data as it does to read the object file from your favourite computer game.

Even given all of the above, there is still the possibility of error and software malfunction. The famous Internet Worm took advantage of a software loophole which allowed the end of a data overrun to be entered as an executable command. It is not beyond the bounds of possibility that an unknown bug in the programs examining SETI data will somehow allow the computer to start to try to execute a random part of that data as code.

That "random" is important, though. Who knows what a random sequence of bytes might do? Cohen's calculations put the mean time between totally random occurrences of viral programs in the order of hundreds of thousands of years. Given the relatively few computers involved in SETI research, our Sun will likely die before our computers do.
(Or, to put it another way, we are at staggeringly greater risk of catching the ultimate virus from the actions of teenage mutant copyright breakers scanning in pictures from Playboy, than we are from SETI data.)

Ah, you say, but that is only if this is all random. What if the aliens are deliberately programming viral programs and trojans into the data stream? Well, assuming for the moment that there *are* aliens, and assuming that they, for some completely inexplicable reason, want to shut down our computers, trying to imbed trojans in the data stream would be a particularly stupid way to go about it. Like supposed NSA types trying to include a mythical virus in a purported pc's printer going to some random country in, say, the Middle East, the aliens would have to know more about our computers than we do.

Our computer architectures are not the only ones possible. Even at the most basic level of digital electronics, who is to say that alien computers use binary logic? It could be trinary (or N-ary). And even if some superintelligent race somewhere had written a virus that could infect CP/M, UNIX, VMS, MacOS, MVS and MS-DOS, have you any idea of what the code would look like after umpteen million years between galaxies? It'd be easier to go around in a flying saucer handing out packages that you said were upgrades to "Mortal Kombat III". In both disk sizes.

This is also, in a sense, the ultimate answer to the question of the military use of viral programs. If you have enough information about enemy computers and procedures to have half a chance of designing a good virus, you have enough information to do more direct sabotage in other ways.

copyright Robert M. Slade, 1994 OPNFUT7.CVP 940125

==============
Vancouver      ROBERTS@decus.ca      | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca   | "I can't see."
Research into  rslade@cue.bc.ca      | "Why not?"
User           p1@CyberStore.ca      | "The power's off
Security       Canada V7K 2G6        |  here."
------------------------------

Date: Fri, 28 Jan 94 18:43:45 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Call for Papers: Artificial Life

I'm on the editorial board of a new journal. One of the areas I'll be coordinating is computer viruses and autonomous agents in computing systems. I'd like to encourage any of you with interesting research ideas or results to write them up for submission.

Enclosed is a call for papers for the journal with more details.

=====

CALL FOR PAPERS

ARTIFICIAL LIFE

Premiering in March with double Fall/Winter 1993 issue

Edited by Christopher G. Langton
Los Alamos National Laboratory and Santa Fe Institute

Artificial Life, a new quarterly from The MIT Press, is the first unifying forum for the dissemination of scientific and engineering research in the field of artificial life. It reports on synthetic biological work being carried out in any media, from the familiar "wetware" of organic chemistry, through the inorganic "hardware" of mobile robots, all the way to the virtual "software" residing inside computers. Covering topics from the origin of life, through self-reproduction, evolution, growth and development, and animal behavior, to the dynamics of whole ecosystems, its articles present novel approaches to the theory and application of biological phenomena.

Artificial Life will be an essential resource for scientists, academics, and students researching artificial life, biology, evolution, robotics, artificial intelligence, neural networks, genetic algorithms, ecosystem dynamics, and the origin of life.
Selected Articles from Volume 1, Numbers 1 & 2

Kristian Lindgren and Mats Nordahl
  Cooperation and Community Structure in Artificial Ecosystems

Luc Steels
  The Artificial Life Roots of Artificial Intelligence

Pattie Maes
  Autonomous Agents and AL

Tom Ray
  An Evolutionary Approach to Synthetic Biology

Eugene Spafford
  Computer Viruses as Artificial Life

Stephanie Forrest and Melanie Mitchell
  Genetic Algorithms and Artificial Life

Quarterly, Volume 1 forthcoming, fall/winter/spring/summer
96 pages per issue
7 x10, illustrated, ISSN 1064-5462
Yearly Rates: $45 Individual; $125 Institution, $25 Student

For Submission Information    To order Subscriptions
please contact:               please contact:

Christopher G. Langton        Circulation Department
Santa Fe Institute            MIT Press Journals
1660 Old Pecos Trail          55 Hayward Street
Santa Fe, NM 87501 U.S.A.     Cambridge, MA 02142 U.S.A.
TEL: 505-984-8800             TEL: 617-253-2889
FAX: 505-982-0565             FAX: 617-258-6779
cgl@santafe.edu               journals-orders@mit.edu

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 9]
****************************************