VIRUS-L Digest   Thursday, 24 Feb 1994    Volume 7 : Issue 13

Today's Topics:

Symantec
IBM Computer Virus Info Center available on Gopher/WWW
Help with Possible "911" Virus
Re: Something that -isn't- a new idea for an antivirus virus
Viruses, Virus Bulletin, etc.
'RAMA EXEC' sent to CMSUG-L subscribers from 'UVA3003 at SAKAAU03'
HELP: email addresses needed (Archimedes)
Next version of DOS and viruses (PC)
Re: Form. Should it be Hated and Feared?? (PC)
Re: Fprot or McAfee (PC)
Re: Is speed really important? (PC)
Re: Form. Should it be Hated and Feared?? (PC)
Re: Location of Virus Simulator Files (PC)
Re: Beethoven (?) (PC)
Re: Case History of a False Alarm (PC)
McAfee VSHIELD v108 Problem with CANSU (PC)
InVircible (PC)
Re: Any reviews of InVircible (PC)
InVircible (PC)
Re: InVircible (PC)
Re: InVircible (PC)
Windows Viruses? (PC)
The Form Virus (PC)
NIKA? virus (PC)
Need ANTIEXE virus info (PC)
Q: F-Prot and Tremor (PC)
Discussion of FIST 2 virus (PC)
Re: Form. Should it be Hated and Feared?? (PC)
Re: Is speed really important? (PC)
Re: Is speed really important? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 10 Feb 94 04:04:33 -0500
From: jboyle@uclink.berkeley.edu (John Michael Boyle)
Subject: Symantec

Does anyone know the new number for the Symantec/Norton BBS? Thanks a lot.

------------------------------

Date: Thu, 10 Feb 94 14:37:31 -0500
From: "David M. Chess"
Subject: IBM Computer Virus Info Center available on Gopher/WWW

We at the High Integrity Computing Lab at the IBM Thomas J. Watson Research Center are pleased to announce the opening of the IBM Computer Virus Information Center on the Net.

To access it via Gopher, Gopher to index.almaden.ibm.com, and choose the "IBM Computer Virus Information Center" from the main menu. To get to it in the Web, use "http://index.almaden.ibm.com" and make the corresponding selection from there.

Stuff currently online in the Information Center includes news items (about IBM's anti-virus products and services, recent common-virus lists, and so on), descriptions of common viruses, a cross-reference of virus names, some research papers from the Lab, and some pointers to other sources of information.

We know that the information is not complete, and we are eagerly seeking additions and suggestions. We hope that this will be a valuable resource on the Net for those seeking computer virus information. Stop by and look around!

(Oh, and of course we have the latest FAQ from VIRUS-L, too!)

- - -- -
David M. Chess                 | IBM Computer Virus Information Center
High Integrity Computing Lab   | gopher: index.almaden.ibm.com
IBM Watson Research            | http://index.almaden.ibm.com

------------------------------

Date: Thu, 10 Feb 94 17:23:23 -0500
From: ALLENTAYLOR@delphi.com
Subject: Help with Possible "911" Virus

I am requesting help with a possible "virus problem". A California Police Department is being hit with calls to their 911 [Emergency Telephone System] that are generated by a legitimate computer user [who happens to be a Fidonet node].
The local telephone company has verified that the telephone lines are okay. Does anyone know of a virus that directs communications software to dial 911? If this is a real virus problem as opposed to some software or hardware glitch, it represents a serious threat to emergency communications in this country. Time is essential in resolving this problem. Please Email any responses to allentaylor@delphi.com ASAP. Thanks.

Best Regards,
 ________________________________________________________________________
| Allen G. Taylor,                  | allentaylor@delphi.com              |
| Computer Virus Research Center    | * CVRC BBS *                        |
| Indianapolis, Indiana, USA        | Specializing in Anti-Virus Software |
|======================================================================|

------------------------------

Date: Thu, 10 Feb 94 17:58:25 -0500
From: glratt@is.rice.edu (Glenn Forbes Larratt)
Subject: Re: Something that -isn't- a new idea for an antivirus virus

"David M. Chess" writes:

>The ordinary notion of "virus" as it's used on VIRUS-L is
>something like "code designed to spread from system to system
>without the knowledge or consent of the system owner". This fits
>FORM, 1575, NVir, and the many other viruses that trouble current
>computer users. It does not fit XCOPY, COMMAND.COM, or any
>component of our immune system design. I consider the writing of
>code designed to spread between systems without the system
>owners' consent to be irresponsible; we would certainly not
>include such code in a product!

Hmmm...(a little devil's advocating here)...by that definition, wouldn't the CONFIG.SYS line:

DEVICE=C:\DOS\SMARTDRV.EXE

be considered viral (as it's put in place by DOS 6.0's Install)? What of the creation of SMARTDRV.EXE, HIMEM.SYS, and EMM386.EXE in the root of the boot device when one installs Windows, and the subsequent changes to CONFIG.SYS and AUTOEXEC.BAT (which are generally unnecessary)?
I would amend your definition slightly, to read "code designed to spread ITSELF from system to system without the knowledge or consent of the system owner". I think this would help differentiate between those things that are considered virii and those that are just needlessly intrusive software.

- --
Glenn Forbes Larratt  x5474          LAN Specialist, Rice U, User Services, OCS
The Lab Ratt (not briggs :-)         CMU 1985-86, USN 1986-88, RU 1989-93
glratt@rice.edu (Internet)           GLRATT@RICEVM1 (Bitnet)
Neil Talian?                         NAS Connolly, elevation 33'

------------------------------

Date: Thu, 10 Feb 94 21:37:07 -0500
From: jcumming@netcom.com (John D. Cumming)
Subject: Viruses, Virus Bulletin, etc.

Dicky Ford
Editor, Virus Bulletin.

Regarding your posting to jlj@cs1.bradley.edu (Joel Johnson):

"In the last VB comparative review, F-PROT scored 100% against our three test-sets (Viruses in the wild, A 'Standard' set of viruses, and MtE), with a scan rate of 180 KB per sec. SCAN scored 92.6% (In the wild) Standard 98.1% and 100% against the MtE, though it was very slow (only 54.2 KB per sec)."

While checking out our accounting computer recently, I detected the Michelangelo virus, and further checks indicated that it arrived via vendor disks, along with our accounting package updates. This has caught the attention of management here, and being the software weenie who found the thing, I am charged with coming up with a solution.

I am trying to find the best source of virus checker software, and updates (new ones are certainly being created all the time). I am also interested in your Virus Bulletin. What information can you offer? How does one get F-Prot?

Best
John Cumming (jcumming@netcom.com)

PS: and yes, the new McAfee Scan is amazingly slow!

------------------------------

Date: Wed, 09 Feb 94 06:03:01 -0500
From: Melvin Klassen
Subject: 'RAMA EXEC' sent to CMSUG-L subscribers from 'UVA3003 at SAKAAU03'

Apparently another CHRISTMA EXEC plagiarism... I haven't seen it, just forwarding the alert.
Regards, Otto

- ----------------------------Original message----------------------------

Warning to users of the VM/CMS Operating System!

If you receive a file into your VM/CMS reader (sent to you via the CMSUG-L mailing-list), do *not* read it in, and do *not* execute it. It is a "COMPUTER WORM". It will spread copies of itself to all the users in your 'NAMES' file, i.e., it will spread all over BITNET!

------------------------------

Date: Wed, 09 Feb 94 11:38:08 -0500
From: Klaus Brunnstein
Subject: HELP: email addresses needed (Archimedes)

Having just received (via ftp) the "Archimedes Virus Reference Document" which describes 52 virus strains with 66 viruses/variants, I wish to get in contact with the authors. Could anybody please inform me about email or snail mail addresses of *Tor O. Houghton* or *Alan Glover*?

Thanx in advance
Klaus Brunnstein (Univ Hamburg, Feb.9,1994)

------------------------------

Date: Wed, 09 Feb 94 00:24:02 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Next version of DOS and viruses (PC)

I've heard that in addition to win-dose 4.0, a DOS 7.0 is supposed to be released in the future, with no more .COM support. Personally, I don't know how they would implement that since there is always "COMMAND.COM", though they may just have some kind of internal 'redirection' to a COMMAND.EXE.

Nonetheless, were that to happen, does anyone have any thoughts on what that would do to both the virus and antivirus world? There are quite a few viruses which only infect .COM files, and this could be seized as an opportunity to speed up scanners, make them smaller, etc., even though the viruses could still spread on other systems. (Like StarShip. This virus has basically no chance of spreading, yet a lot of products detect it. A long time ago, I thought it was very important to detect everything that could be in the wild at some time, but now I am wondering about the feasibility.)

Comments?
- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date: Wed, 09 Feb 94 00:27:34 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Form. Should it be Hated and Feared?? (PC)

David Good wrote:

>Recently, we received a batch of disks from Motorola that were
>infected by PC Form virus.
>
>Since these are not bootable disks, I was not overly concerned that
>the safety and security of the computing world may be in jeopardy.
>
>Then I started thinking... What happens if I leave a Form infected
>non-bootable disk in the drive and reset the pc?? Will it be released,
>so that it may hatch some insidious plot on my HD?? Is there any other
>way it can creep into my machine other then booting off the floppy??
>
>Should I be treating this virus with more respect??? Inquiring minds
>WANT to know.

Well, there is no other non-trivial way of infecting your hard drive without an attempted boot from the floppy. However, a lot of people probably don't know much about that, and might very well infect themselves. I would highly suggest that you inform the company and tell them where you received the disks.

Also, in the future, it's probably not the best idea to mention company names like that since, unless you know what you are doing (I'm not saying you don't, but for others), you might be panicking a lot of people over a false alarm and make a company look bad.

Most newer BIOS's allow you to skip a floppy boot through the CMOS. You still should probably get rid of the virus, just so that there are no potential problems.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal.
.oOo.oOo.oOo.

------------------------------

Date: Wed, 09 Feb 94 04:13:17 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Fprot or McAfee (PC)

virusbtn@vax.oxford.ac.uk writes:

>In the last VB comparative review, F-PROT scored 100% against our
>three test-sets (Viruses in the wild, A 'Standard' set of viruses, and
>MtE), with a scan rate of 180 KB per sec. SCAN scored 92.6% (In the
>wild) Standard 98.1% and 100% against the MtE, though it was very slow
>(only 54.2 KB per sec).

In all fairness, it must be noted that my access to those viruses is probably somewhat better than McAfee's..... :-)

The question of which product detects more viruses depends entirely on which virus collection you use. If I use my own virus collection, F-PROT naturally detects more viruses than SCAN. I assume that if the McAfee collection was used instead, the reverse would be true. If a third-party collection is used, the results vary - sometimes SCAN gets slightly more viruses - sometimes F-PROT. It all depends on which viruses are included. Nobody has a complete collection of all the 4000 (or so) existing PC viruses, so a totally unbiased complete comparison is unfortunately impossible.

As a final note, in the latest VSUM (where SCAN has usually been slightly higher than F-PROT), the results were as follows.

F-PROT 2.10g   97.0%
SCAN V111      94.6%

and then all the way down to

MSAV           47.6%

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Wed, 09 Feb 94 04:30:10 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Is speed really important? (PC)

dm252@cleveland.freenet.edu (Keith A. Peer) writes:

>I have read and heard about how fast some antiviral scanners are.

Keep in mind that there are two totally separate issues here:

1) Speed on a clean machine.
2) Speed on an infected machine.

Most machines will not be infected most of the time, right?
For this reason certain scanners (in particular DSAVTK) try to maximize speed on clean machines. There are several ways to increase speed, including:

1) scanning only selected parts of the files
2) bypassing the DOS file system, and accessing the disk directly.
3) code tracing - scanning only the part of the file that is executed initially.

>My question is with all of this so called speed is it possible to be
>missing some infections? Are some scanners not scanning the entire
>file to increase speed?

Most scanners don't scan the entire file, as that would be way too slow - in fact I thought (I may be wrong here) that the only scanner that scans the entire file by default was IBM's, although some other scanners offer that as an option.

After all, with a few exceptions (Commander Bomber for example), a virus cannot be located just anywhere in the file - it is usually either at the beginning or at the end - so scanning the entire file for all viruses simply does not make much sense. This does not mean that it is sufficient to scan just the first X and the last Y KB of any file - what if some garbage had been appended to the file, for example...

Scanning only selected parts of the file should not lead to any missed infections, provided the entire file is scanned for those few viruses that can be located anywhere.

- -frisk

------------------------------

Date: Wed, 09 Feb 94 04:33:36 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Form. Should it be Hated and Feared?? (PC)

daveg@robin.EE.UNLV.EDU (David Good) writes:

>Then I started thinking... What happens if I leave a Form infected
>non-bootable disk in the drive and reset the pc?? Will it be released,
>so that it may hatch some insidious plot on my HD?? Is there any other
>way it can creep into my machine other then booting off the floppy??
>Should I be treating this virus with more respect??? Inquiring minds
>WANT to know.

Well, Form is relatively harmless, compared to many other viruses, but still...
Anyhow - you don't have to boot from an infected diskette to become infected. If you just forget an infected non-bootable disk in the machine, reboot, get the "Non-bootable disk" message, remove the disk and continue, your machine will become infected.

- -frisk

------------------------------

Date: Wed, 09 Feb 94 04:38:41 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Location of Virus Simulator Files (PC)

ALLENTAYLOR@delphi.com writes:

> VIRSIM2C.ZIP

The Rosenthal virus simulator again...(sigh)

From the F-PROT NEW.211 file:

   We have significantly reduced the number of VIRSIM-generated files that F-PROT reports as containing a virus. As the files are not really virus-infected, but only contain random fragments of viruses, any detection of them should be considered a false alarm. There are still a few VIRSIM-generated samples that are reported as viruses, but we are working on fixing that.

- -frisk

------------------------------

Date: Wed, 09 Feb 94 04:45:27 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Beethoven (?) (PC)

GLWARNER@samford.bitnet (THE GAR) writes:

>We don't know what program he was scanning with, but our McAfee
>finds no virus on the indicated computer.

Well, F-PROT 2.11 detects Beethoven, but unfortunately it cannot remove it. I was not aware that it was in the wild, but I'll give disinfection a higher priority....2.11a should be able to remove it as well.

>Can someone tell me if they've heard of it, what can find it/clean it,
>and what other name it might be called?

It has no other name...this is a relatively new virus, that is probably not detected by the majority of current virus scanners.
- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Wed, 09 Feb 94 05:52:55 -0500
From: oep@colargol.edb.tih.no (Oeyvind Pedersen)
Subject: Re: Case History of a False Alarm (PC)

Dan Romanchik (danr@umcc.umcc.umich.edu) wrote:

: I had a virus scare yesterday. It was a false alarm, but I
: thought others might benefit from my experience.
:
: I think in the future, I'm going to use just one anti-virus
: program. Playing around with two of them, each giving
: you different results is not good for the nerves.

Well, how about using two antivirus programs that don't throw parts of viri all over your computer's memory. (i.e. keep away from MSAV/CPAV)

: I also think
: I'm going to make F-PROT my standard program. You can't beat the
: price, and updates are readily available.

Good thinking.

:
: I'd be interested in any comments any of you out there might
: have.

That was mine...

:
: Dan
: danr@umcc.umich.edu

- - oep

------------------------------

Date: Wed, 09 Feb 94 08:28:43 -0500
From: Johnson_B.MARL@rx.xerox.com
Subject: McAfee VSHIELD v108 Problem with CANSU (PC)

I have encountered a problem with McAfee's VSHIELD v108, aside from the difficulty in deciphering the less than clear installation instructions scattered throughout the VSHIELD document.

This problem was encountered on a COMPAQ DESKPRO 386/20E, 16M Memory, C: and D: hard drives plus A: 3.5" and B: 5.25" floppy drives running DOS 6.2 and WINDOWS 3.1 plus nothing else of interest. I use two 3.5" test diskettes, one infected with FORM the other with CANSU, to test whether AV software is working. A modest test but this is the limit of my collection.

VSHWIN.EXE was installed from the A: drive into C:\WINDOWS and the statement run=vshwin.exe placed in WIN.INI by manually running VSHIELD with the /WINDOWS option.
VSHIELD runs from the autoexec.bat with the options:

VSHIELD /ACCESS /NOBREAK /NOREMOVE /M /ONLY A: B:

Slightly paranoid maybe, but an attempt to prevent a virus disabling VSHIELD - I hope? :-) I am also curious why VSHIELD and SCAN default to scanning memory for STEALTH viruses only - does anyone know why?

While running in DOS, VSHIELD is capable of identifying both Cansu and Form accurately. Within WINDOWS using FILE MANAGER to do a directory of the A: drive, VSHIELD/VSHWIN accurately display a message warning of the FORM infection but the PC hangs on the CANSU diskette. When accessing the CANSU diskette the diskette drive light goes green, quickly turns red then goes off. If I try to soft boot, WINDOWS goes into a long dialogue warning screen which states:

   WARNING
   The system is either busy or has become unstable. You can wait and
   see if the system becomes available again and continue working or
   you can restart your computer.

It then gives the option to press any key to continue or else CTRL+ALT+DEL. I was forced to take the latter.

The positive side is that the machine stopped :-). The negative side is that it did not tell me the diskette was infected :-(. The moral appears to be: if your PC hangs while accessing a diskette when running VSHIELD, run Scan against that diskette.

As an aside, why is the floppy drive light sometimes green and at others red?

Regards, Brian

------------------------------

Date: Fri, 04 Feb 94 14:18:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: InVircible (PC)

Zvi Netiv writes:

ZN> In December 1991 I terminated CSA Interprint as my
ZN> distributor, and since then, CSA, together with NSE are
ZN> deliberately violating my copyrights and author rights.
ZN> A. Netiv from NSE is my elder son.

*Correction:* CSA does not work with NetZ anymore, and not vice-versa, and there is no violation of anything, nor has ever been one. As for the second part..... it's true.
;-)

ZN> InVircible is a carefully balanced combination of generic and
ZN> conventional techniques, scanning included. It is true that
ZN> InVircible's main thrust is generic, but it has also an
ZN> extremely efficient scanner, VSCAN, dedicated to 'only' a few hundreds of
ZN> common or problematic viruses. The combined power of both approaches
ZN> spares the need for frequent scanner updates.

A scanner that knows only several hundreds of viruses is surely NOT enough today when we are dealing with almost 4000 viruses. Furthermore InVirCible does NOT protect the PC from being infected even by those 10 viruses that are most common in the world and the public enemy #1. It will only recover (hopefully) the damaged files AFTER infection, and this is not always possible.

Warmly
* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Mon, 10 Jan 94 08:18:01 +0200
From: Zvi_Netiv@f202.n9721.z9.virnet.bad.se (Zvi Netiv)
Subject: Re: Any reviews of InVircible (PC)

-=> Quoting Allen Taylor to All <=-

AT> From: Allen Taylor

AT> I also am looking for a solid review.

Look for the January issue of Computer World in New Zealand. If it won't do then call Steve Wilson, phone 64 9 3661593. He has plenty of written stuff about InVircible and anti-virus products.

AT> questions to McAfee about Adaptive expert Systems [and to Patricia
AT> Hoffman of VSUM fame] have gone unanswered, so far.

'Adaptive' is not my wording and I dislike it! 'Expert System' is mine, and I stand behind it. McAfee and Pat Hoffman have good reasons to ignore your questions. After all, I was the party spoiler at the NCSA conference in 1991 with the introduction of the generic approach. It didn't stop anybody from becoming 'generic' since then. McAfee's generic option was introduced in December 91, one month after the conference.

Patricia's VSUM?
I have piously avoided the certification of VSUM, and here is why: Pat certifies products by rating the percentage of viruses detected, when 'tested' against her collection. VSCAN, InVircible's scanner, PURPOSELY recognizes only a few hundreds of viruses (the rest is taken care of by the generic modules - and there are at least three of them, not one). These 'few' hundreds, VSCAN removes them with micro-surgery precision, and unparalleled low 'false positives' or butchery due to misidentification. Practically, VSCAN identifies LESS viruses than any other product, but removes MORE than anybody else! Needless to explain what would have been InVircible's rating in VSUM.

Now let's look at VSUM's reliability. First, it tells you nothing about what percent of the viruses that a product detects it can also safely and successfully remove. For example: McAfee's SCAN misidentifies Timor (a Jerusalem variant) as 1241, Emmie variants as Teletype, a Violator variant as Parasite, a Haifa variant as Trident etc. When cleaned by CLEAN you'll get a lot of ruined files.

Next! VSUM indicates that Frodo-4096 (one of the 10 most common file infectors) can be detected by CPAV and MSAV. True? Wrong! All Carmel's derived scanners, CPAV/MSAV included, DO NOT DETECT FRODO ANYMORE since the beginning of 1993. Former versions did.

Conclusion: Patricia does probably more paper-work than actual testing. And this is just a short list.

Take care and beware of anti-viruses. Viruses are less harmful!

Zvi Netiv, InVircible's author, NCL - Israel (9:9721/202)

.. SENILE.COM found . . . Out Of Memory . . .

- --- FMail/386 0.97b beta+
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (9:9721/202)

------------------------------

Date: Fri, 04 Feb 94 14:30:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: InVircible (PC)

Zvi Netiv writes to Vesselin:

> ZN> Are you familiar with the new INT13 derouters (Nika/Quox and Newbug)?
> ZN> They do a much better job than the boot part of the archaic Tequila
> ZN> and Flip, especially Quox! It deroutes also the write function
> ZN> (INT 13-3, not only the read 13-2). They all use stealth, of course.

So what else is new? Didn't you read my discussion with Padgett several months (or was it a year) ago about ways to find the original Int-13 ISR at the BIOS level?

> VB> BTW, one of the problems with the integrity-based system is that they
> VB> detect the infection only after-the-fact - which in some cases might
> VB> be too late. Like if you get infected by Michelangelo on March 6. :-)

> ZN> On this singular case, you are dead indeed! Is there anything you can
> ZN> do, except using a hardware solution? Of course not!

What about "some" specific solutions, like maybe a TSR that detects the infected floppy at first, and what about programs that work at the BIOS level and recover your disk's MBR immediately etc.

> ZN> all boot/partition infectors till now were easy to catch, since
> ZN> 'memory stealing' disclosed their presence. Now we have a whole lot of
> ZN> stealthy boot infectors, and Nika even does it without memory stealing!

Wait, wait, what do you mean memory stealing? Oh, you probably mean the 1 or 2 Ks missing from the memory. Well this is NOT always due to a virus, and in some cases it might set an alarm on totally legit programs.

> ZN> The next thing that will happen is this: an imaginative viropath will
> ZN> combine the Nika vehicle (stealth, and no self-disclosure by memory
> ZN> stealing) with a payload 'a la Michelangelo'.

So?

> ZN> Computer's doomsday? Not
> ZN> the least. InVircible's SUBSTITUTE for the murderous AV TSR simply
> ZN> announces 'faked partition (or boot) sector' and it even samples it for
> ZN> the next generations to come.

In your case you talk about something you detect AFTER (or during) boot. No one said that TSRs should replace this procedure. A good TSR can simply add a protective feature pre-infection.
> ZN> I would say that a carefully designed generic AV is superior on all fronts
> ZN> to TSR prevention or scanner.

I couldn't agree more, except that a carefully designed generic AV is not enough to solve the user's problem. A complementary specific solution MUST be included and it MUST have some preventive features as well. Would you make free sex with an infected AIDS mate assuming that there is probably a generic medicine for all viruses?

> VB> which in some cases might be too late.

> ZN> This cliche is used too often. Let's elaborate on this one:
> ZN> We all know that viruses are made to propagate. DANGEROUS OR 'LETHAL'
> ZN> VIRUSES DO NOT PROPAGATE AND DO NOT BECOME WIDESPREAD BECAUSE THEIR
> ZN> PROPAGATION IS A DECAYING PROCESS! They are self destroying and each
> ZN> subsequent generation infects LESS computers. So the process dies
> ZN> out by itself.

Maybe so, but tell this to the ONE organization that has 12,000 PCs in a network and got it yesterday. :-( As a world-wide plague you are probably right.

> ZN> Now we are left only with the playful viruses! And these,
> ZN> you have plenty of time to catch them on the next morning and in the
> ZN> majority of cases, even the next week!

Some of the "harmful" viruses as you call them are only harmful on random occasions. Do you not consider Michelangelo harmful? Next day, or next week is usually a day (or week) too late!

> ZN> I think it is about time that we, anti-virus producers and virus
> ZN> researchers stop scaring people with irrational statements, just to push
> ZN> idiotic products that take over the users machines and economically
> ZN> inflict more harm than do good.

"We" don't scare people, they do well themselves. "We" try to help people, and assume they should get all the help they can get and use an AV that is the simplest to use and solves the maximal problems transparently.
> ZN> File servers are fairly protected by the inherent network security
> ZN> and due to the fact that viruses are made to propagate almost only
> ZN> in DOS environment and on media with a DOS type file structure.

Sorry, that is not true. File servers need a lot of extra protection especially if you are dealing with Lantastic, LANmanager, or even Novell. There are holes everywhere in any system that runs or emulates DOS.

Regards
* Amir Netiv. V-CARE Anti-Virus head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Mon, 10 Jan 94 08:16:00 +0200
From: Zvi_Netiv@f202.n9721.z9.virnet.bad.se (Zvi Netiv)
Subject: Re: InVircible (PC)

-=> Quoting Chua Keng Ngee to All <=-

CKN> From: Chua Keng Ngee
CKN> From: howard@ccu1.auckland.ac.nz (Howard Ross)

> We have recently been approached by someone selling InVircible by NetZ
> Computing Ltd. of Israel. I understand that this product was previously
> marketed as V-Care by CSA Interprint of Israel.

Second Sight Limited from Auckland is NetZ Computing's distributor of InVircible for Australia and New Zealand. V-Care/V-Guard are the former tradenames of the product created by the undersigned. V-Care/V-Guard and InVircible are registered tradenames, as well as copyrighted worldwide to NetZ Computing, and myself as the author. In December 1991 I terminated CSA Interprint as my distributor, and since then, CSA, together with NSE are deliberately violating my copyrights and author rights. A. Netiv from NSE is my elder son.

CKN> [ Talk about search for a reputable review DELETED ]

A comprehensive review on InVircible is due for mid January in the N.Z. Computer World. Additional notes in English may be obtained through Mr. Steve Wilson from Second Sight, telephone 64 9 3661593.

> InVircible looks very attractive because it employs generic defenses
> against viral attack. Because it does not use scanning,
> it doesn't fall into obsolescence. It boasts high speed, ease-of-use,
> unobtrusiveness, and a high rate of restoration/disinfection.

InVircible is a carefully balanced combination of generic and conventional techniques, scanning included. It is true that InVircible's main thrust is generic, but it has also an extremely efficient scanner, VSCAN, dedicated to 'only' a few hundreds of common or problematic viruses. The combined power of both approaches spares the need for frequent scanner updates.

CKN> Well, I can only point out an oddity I discovered after
CKN> install.exe has finished the installation.
CKN> The size of files inoculated by CPAV were decreased by 5 bytes. Is
CKN> this normal ?

The 5 'missing bytes' contained the string 'MsDos' added by an inoculation introduced five years ago by Carmel, now the origin of CPAV and MSAV. Unfortunately, this scheme caused more harm than good. Programs using self integrity checking got stuck, and from our point of view as AV producers, it sometimes masked the presence of a virus that was in the file prior to its 'inoculation'. Therefore we 'peel' it off first thing.

You mentioned Untouchable being used for the detection of the missing bytes. Have you tried UT after adding or deleting an entry from DOS 5+ Setver.exe? This is certainly a benign change to the program. InVircible will refuse to "restore" the file while UT will treat it as if infected.

> Is InVircible version 5.01 the latest?

No, 5.01 is one year old. The current version is 5.04. It has important changes; we improved the diagnostic capability between benign/viral/updates changes and made the whole thing more friendly and automatic. We added new techniques in all programs, among them the unique boot anti-stealth feature. Ask SSL for a demo of the Nika/Quox/Newbug/Noint/Tequila/Flip viruses!

The equivalent of the scanner update in first generation AV products is the addition of new techniques in ours. The purpose is to close loopholes when a new viral technology emerges.
Fortunately, fewer general counter techniques are needed than specific routines against specific viruses. This way, we can provide you better virus control and recovery, with longer intervals between the versions, and let you be self sufficient in dealing with viral incidents. Does it make sense to you?

Keep well and take care,

Zvi Netiv, NetZ Computing Ltd., Israel, Virnet address (9:9721/202)

.. My other computer is a VAX.

- --- FMail/386 0.97b beta+
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (9:9721/202)

------------------------------

Date: Mon, 10 Jan 94 08:29:02 +0200
From: Zvi_Netiv@f202.n9721.z9.virnet.bad.se (Zvi Netiv)
Subject: Re: InVircible (PC)

-=> Quoting Vesselin Bontchev to All <=-

VB> From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
VB> Howard Ross (howard@ccu1.auckland.ac.nz) writes:

VB> It is true that anti-virus packages based on integrity checking don't
VB> need to be updated as often as the scanners. It is not true, however,
VB> that they don't have to be updated at all [ skipped]
VB> Second, while integrity checking is a stronger
VB> line of anti-virus defense than scanning, it is certainly not good
VB> enough as a *single* line of defense. The best is to combine it with
VB> scanning - scan all incoming software and control the integrity of
VB> the existing software.

Thank you Vesselin, you said it even better than I did at the NCSA conference in November 1991, where we last met. Of course you know InVircible, since I gave you a copy (then still V-Care) and it had BOTH a scanner and an integrity checker. It still has, and much better now, with much more flesh.

Are you familiar with the new INT13 derouters (Nika/Quox and Newbug)? They do a much better job than the boot part of the archaic Tequila and Flip, especially Quox! It also deroutes the write function (INT 13-3, not only the read 13-2). They all use stealth, of course.
VB> If you doubt the above, ask the producer how the package protects
VB> your system against Brain - one of the first IBM PC viruses.

One of the first we removed too. What is so special about it?

VB> BTW, one of the problems with the integrity-based systems is that they
VB> detect the infection only after-the-fact - which in some cases might
VB> be too late. Like if you get infected by Michelangelo on March 6. :-)

On this singular case, you are dead indeed! Is there anything you can do, except using a hardware solution? Of course not! Michelangelo gets itself caught every time the computer is booted, which makes it about a thousand times on the average, before it triggers. So do all the rest.

Now I'll suggest a harder one: all boot/partition infectors till now were easy to catch, since 'memory stealing' disclosed their presence. Now we have a whole lot of stealthy boot infectors, and Nika even does it without memory stealing! The next thing that will happen is this: an imaginative viropath will combine the Nika vehicle (stealth, and no self-disclosure by memory stealing) with a payload 'a la Michelangelo'. Computer's doomsday? Not in the least. InVircible's SUBSTITUTE for the murderous AV TSR simply announces 'faked partition (or boot) sector' and it even samples it for the next generations to come. I tried lots of TSRs, even Frisk's excellent Virstop, against Nika, and nothing! Mind you, Nika has been known here for at least nine months. Our NATIONAL INSTITUTE OF STANDARDS was one of its first victims. Nika is classical for TSR prevention.

I would say that a carefully designed generic AV is superior on all fronts to TSR prevention or scanner. The trouble is that for some reason people, yourself included, attribute 'generic' only to integrity checking and restoration. Where was this stupidity taken from? Generic in my understanding is any technique that will assist in the detection that there is a viral process going on.
It may consist of baits (as was copied from my early product into other semi-TSRs - since the baits are launched only once, with the loading of the TSR, it is not really a TSR), memory stealing sensing, piggy-backing sensing, BIOS int. derouting, and of course integrity checking (NOT plain checksums or CRC) and a few more proprietary processes. Generic anti-virus proved to be safer, much more efficient and cheaper than old fashioned TSRs and scanners.

VB> which in some cases might be too late.

This cliche is used too often. Let's elaborate on this one: We all know that viruses are made to propagate. DANGEROUS OR 'LETHAL' VIRUSES DO NOT PROPAGATE AND DO NOT BECOME WIDESPREAD BECAUSE THEIR PROPAGATION IS A DECAYING PROCESS! They are self destroying and each subsequent generation infects FEWER computers. So the process dies out by itself. Now we are left only with the playful viruses! And these, you have plenty of time to catch them the next morning and in the majority of cases, even the next week!

I think it is about time that we, anti-virus producers and virus researchers, stop scaring people with irrational statements, just to push idiotic products that take over the users' machines and economically inflict more harm than good. Millions of PCs are now running 5 to 10 times slower because of the good-for-nothing Vsafe TSR from DOS 6.0/6.2. Every junior virus writer knows how to deactivate Vsafe, as it is fully documented in Ralf Brown's interrupt listing! And what about the endless and futile scanning for viruses, run daily by millions like some sort of pagan ritual. We really got the world by the balls! Not to speak about thousand-dollar anti-virus NLMs for networks, which are completely redundant. File servers are fairly protected by the inherent network security and due to the fact that viruses are made to propagate almost only in DOS environment and on media with a DOS type file structure.
Else, I certainly agree with you that even generic techniques need updating with new counter-techniques, as new viral technologies emerge. I never said the contrary. But I suppose you will agree that it is easier to keep pace by general techniques than to assemble an intricate algorithm for every single pissed-on virus that was written in Kamchatka, and interests nobody except needless AV update merchants!

I read you'll be off Virnet for writing your PhD. My sincere wishes for a glorious thesis and all the best.

Zvi Netiv, Author of V-Care/V-Guard/InVircible and ResQdisk.

.. SENILE.COM found . . . Out Of Memory . . .

- --- FMail/386 0.97b beta+
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (9:9721/202)

------------------------------

Date: Wed, 09 Feb 94 16:37:54 -0500
From: dm252@cleveland.freenet.edu (Keith A. Peer)
Subject: Windows Viruses? (PC)

I only know of DOS based viruses; isn't it possible to create a Windows virus? I understand that Windows operates in protected mode, but still, can't this be circumvented?

- --
Keith A. Peer                                      +---------------+
Cleveland Freenet -=> dm252                        | PGP Key       |
Internet -=> dm252@cleveland.freenet.edu           | Available     |
Interests -=> Antiviral Software and Hardware      +---------------+

------------------------------

Date: Thu, 10 Feb 94 01:11:42 -0500
From: corgan@interaccess.com (Dave Bost)
Subject: The Form Virus (PC)

I have had the pleasure of getting the FORM virus on to my system. I must have infested a lot of disks, because I am running across it left and right. Right now I am using MSAV to clean these disks; sometimes these disks are usable again, sometimes not. What is the deal with this Form virus? Is it possible for a virus to take up residence on the hardware? What is the best way to clean the FORM virus? All info. is appreciated, thanks.

- --
Dave Bost
corgan@interaccess.com

------------------------------

Date: Thu, 10 Feb 94 11:32:11 -0500
From: reeda@sun1.bham.ac.uk (Alan Reed)
Subject: NIKA? virus (PC)

I have a boot sector virus which contains the string NIKA. It causes the top left row of the VDU to print garbage and only allows infected floppies to access the disk drive. F-Prot 2.10c seems not to identify this virus; can someone tell me what it is and what it was designed to do? Is there a specific cure, or are normal boot sector cleaning procedures sufficient?

------------------------------

Date: Thu, 10 Feb 94 12:26:18 -0500
From: harper@suny.stat.vt.edu (Scott Harper)
Subject: Need ANTIEXE virus info (PC)

What can the Antiexe virus do to a machine? Does it damage executables, or simply infect them? Thanks for any advice.

- --
- ---
Scott Harper -- sharper@vtvm1.cc.vt.edu

------------------------------

Date: Thu, 10 Feb 94 12:36:47 -0500
From: mw@spinfo.uni-koeln.de (Markus Wischerath)
Subject: Q: F-Prot and Tremor (PC)

Hi there,

What exactly does it mean if F-Prot reports something like

  c:\foo.com - infection: Tremor (?)
                                 ^^^

I have only seen a message like this with Tremor, and VIRLIST.LST (new with 2.11) indicates that F-Prot is not able to remove this virus. So does this "(?)" mean F-Prot has identified the virus properly, but can't safely remove it? Or is it basically the same as "new/modified variant of"?

I also found that no antivirus program seems to be able to remove Tremor, although Frisk is the only one who clearly says so. However, I understand that Tremor does remove itself from infected files, e.g. when copying them to a floppy or ZIPping them with the virus in memory. This may be a dumb question, :) but why can't antivirus progs utilize the virus' own technique to remove it? Something to do with the polymorphism, perhaps? We prefer to replace infected files with clean backups anyway, but I'm curious.

Thanks for any info.
- --Markus
mw@spinfo.uni-koeln.de
# rm -rf /           and one was assaulted...peanut

------------------------------

Date: Thu, 10 Feb 94 14:11:44 -0500
From: hj5@prism.gatech.edu (JOHNSON P.E., HARRIS T)
Subject: Discussion of FIST 2 virus (PC)

One of our field office DOS machines became infected with the FIST 2 virus (I think). Central Point Anti-Virus indicated this is the infection. The symptoms included corrupted files and directories, invalid drive specification, etc. No other virus detection incl. DOS 6.2 found the virus, which made me suspicious, but on the corrupted machine command.com for DOS_6.2 grew from 54K bytes to 55K bytes. Also, by sequentially inspecting EVERY disk that came into that office for the past 3 months we did find a WP_5.2 document with some very suspicious code appended to the end of the document. Without trying to disassemble the code, I think this was the source.

Does anyone know anything about this virus? What does it do? Where does it reside? Can it be cleaned from a machine without reformatting? Has other scan software begun to find it? Is reformatting sufficient to clean it? Now the big question: can it be detected and cleaned from a rather large FOXPRO database? 11 months of management information is in what may be an infected file. While we have backups, if we can't find it we don't know which backups are infected.

Thanks for any input you may have. I previously posted this note but never saw either a reply or the posting. So I am re-posting in the hope that a new reader can respond.

- --
Harris Johnson, PE - Economic Development Institute, Georgia Tech
Atlanta Georgia, 30332   voice: 404-836-6665
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!hj5
Internet: hj5@prism.gatech.edu

------------------------------

Date: 11 Feb 94 09:30:13 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Form. Should it be Hated and Feared?? (PC)

daveg@robin.EE.UNLV.EDU (David Good) writes:

> Recently, we received a batch of disks from Motorola that were
> infected by PC Form virus. :(
> Since these are not bootable disks, I was not overly concerned that
> the safety and security of the computing world may be in jeopardy.
>
> Then I started thinking... What happens if I leave a Form infected
> non-bootable disk in the drive and reset the pc?? Will it be released,
> so that it may hatch some insidious plot on my HD?? Is there any other
> way it can creep into my machine other than booting off the floppy??

When you turn on a machine with a floppy disk in the disk drive, several things happen. Firstly, the power supply in the machine warms up, and a timer starts. Once voltages have settled, the computer begins its Power On Self Test routines, stored in a fixed location of ROM. At this point the CMOS is read in. Assuming that the PC is set up to boot in a standard manner, the ROM code then examines the first floppy drive to see if it has a disk in it. If it does, the contents of the disk's boot sector are read into memory and executed.

I am sure that you will have seen the message `Non System Disk or Disk Error...' - this is displayed by code located in the boot sector of a non-bootable floppy disk. If Form were to infect this disk, it would treat this boot sector as valid, and store it for later use. Thus, when booting from an infected disk, the Form virus would be loaded (which would infect the first fixed disk), following which the contents of the `non-bootable' boot sector, and the message `Non System disk etc', would be displayed.

The golden rule is that any floppy disk could contain a boot sector virus. The only way for a boot sector virus to get off that floppy disk in normal use is to boot from it. Get out of the habit of giving the three-fingered salute (Ctrl-Alt-Del) to your machine when it hangs - remove the floppy first. Any disk, whether it be bootable or not, is a potential hazard.
Regards,

Dicky Ford
Editor, Virus Bulletin.

------------------------------

Date: Fri, 11 Feb 94 05:27:13 -0500
From: "Steve Bonds (007"
Subject: Re: Is speed really important? (PC)

Keith A. Peer wrote:

>I have read and heard about how fast some antiviral scanners are. My
>question is with all of this so called speed is it possible to be
>missing some infections?

Most "good" scanners, one example being F-Prot, use better searching algorithms and optimized code to increase speed rather than sacrificing a single missed virus. Yes, it is possible to be fast without missing any viruses.

>Are some scanners not scanning the entire
>file to increase speed? Being that some viruses can enter a file in
>the front, middle or end and in some cases anywhere how can a scanner
>that does not scan the entire file find all infections?

An example of this would be MSAV, which only scans the beginnings of files to check for viruses. This will catch most viruses, but it will also miss a few. (BTW MSAV is still slower than F-Prot despite this 'feature'.)

>F-Prot and ThunderByte are very fast scanners compared to McAfee.
>Does McAfee scan the entire file while F-Prot and Thunderbyte don't?

F-Prot is fast because Frisk codes most, if not all, in assembly language. Frisk also knows his stuff when it comes to fast searching algorithms -- adding more signatures to the pattern search list does not appreciably change the searching time. McAfee uses a good algorithm that checks the whole file, but it is slightly slower since McAfee is coded in C and uses a different algorithm. I'm not sure what makes ThunderByte so fast, but it sure is FAST!! Unfortunately its detection rate leaves a bit to be desired. (Good heuristics, though!)

>I mean really isn't the quality of the scanner really what's important
>and not that it can scan a hard disk in "X" seconds?

Yes, quality is the most important thing.
However, a slow scanner will not get used as often as one that is quicker, because who wants to sit around while a scanner putters through all the files on the hard drive? The use of TSR scanners and integrity checkers has helped reduce the dependence on scanners somewhat, so the speed becomes less of a day-to-day annoyance. Most people are willing to wait if they already think they are infected.

Also, some businesses have a set routine for virus scanning. A faster scanner will be able to scan large network drives more quickly. A speed difference of 10 seconds between scanners for a small PC hard drive might grow to several minutes on a gargantuan file server!

But you are right, all the speed in the world doesn't matter if the scanner misses the infection. If I wanted a fast scanner and didn't care about the detection rate, I could write one in five bytes or less... :)

-- Steve Bonds

- --
000  000  7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0  0 0  0    7 |-----------------------------------------------------------
0  0 0  0   7  | Childhood is short...                  [Calvin & Hobbes]
000  000  7    |     ...but immaturity is forever.

------------------------------

Date: Fri, 11 Feb 94 09:06:44 +0000
From: phys169@cantva.canterbury.ac.nz (Mark Aitchison Physics and Astronomy Computologist)
Subject: Re: Is speed really important? (PC)

dm252@cleveland.freenet.edu (Keith A. Peer) writes:

> I have read and heard about how fast some antiviral scanners are. My
> question is with all of this so called speed is it possible to be
> missing some infections?

Scanners may have a choice of scan methods, with some tradeoff between speed and accuracy of naming (yes, and possibly missing some viruses), but reviews normally compare equivalent modes when rating virus scanners. The speed can certainly be important, since users may scan less often, or take the scanner out of the autoexec.bat (or whatever) if it is inconveniently slow.

Mark Aitchison.
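The two replies above both turn on how a scanner's cost behaves as its signature list grows and on what a head-only scan gives up. The block below is an added example, not code from VIRUS-L or from F-Prot, McAfee, MSAV, ThunderByte or any other product named in the thread. It implements the multi-pattern search (an Aho-Corasick automaton) that makes one pass over a file find every signature at once, so the cost grows with the file size rather than with the number of signatures, and it adds a head-only scan mode to show the kind of appended infection such a shortcut never sees. The signature names, signature bytes and sample files are all constructed for the demonstration; none of them is a real virus pattern.

```python
# Added example (not from VIRUS-L or from any scanner named in the thread).
# Multi-pattern signature scanning with an Aho-Corasick automaton, plus a
# head-only scan mode for comparison. All signatures and files are constructed.
from collections import deque


class SignatureAutomaton:
    """Aho-Corasick automaton: finds every signature in one pass over the data."""

    def __init__(self, signatures):
        # signatures: mapping of signature name -> bytes pattern
        self.goto = [dict()]  # goto[state][byte] -> next state
        self.out = [[]]       # names of the signatures that end at each state
        self.fail = [0]       # failure link for each state
        for name, pattern in signatures.items():
            self._add_pattern(name, pattern)
        self._build_failure_links()

    def _add_pattern(self, name, pattern):
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                nxt = len(self.goto) - 1
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append(name)

    def _build_failure_links(self):
        # Breadth-first over the trie: a state's failure link always points to
        # a shallower state, which has therefore already been processed.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # A signature that is a suffix of another must still be reported.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data, limit=None):
        """Return (end_offset, name) for every signature hit in data.

        limit=None scans the whole buffer; limit=N scans only the first N bytes,
        the 'head only' shortcut the thread attributes to MSAV.
        """
        if limit is not None:
            data = data[:limit]
        hits = []
        state = 0
        for offset, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for name in self.out[state]:
                hits.append((offset, name))
        return hits


# Constructed signatures for the demonstration only; not real virus patterns.
SIGNATURES = {
    "constructed-sig-a": b"\xeb\x10SIG-A\x90\x90",
    "constructed-sig-b": b"DEMO-PATTERN-B",
    "constructed-sig-c": b"PATTERN-B",  # suffix of sig-b: exercises the failure links
}
AUTOMATON = SignatureAutomaton(SIGNATURES)

# Constructed sample files. The 'tail' case is an infection appended at the end
# of a 2 KB file, which a head-only scan never reaches.
CLEAN_FILE = b"MZ" + b"\x00" * 200 + b"plain program text" + b"\x00" * 300
INFECTED_HEAD = b"MZ" + b"\xeb\x10SIG-A\x90\x90" + b"\x00" * 500
INFECTED_TAIL = b"MZ" + b"\x00" * 2000 + b"DEMO-PATTERN-B"
HEAD_ONLY_LIMIT = 1024  # assumed size of the 'head' a shortcut scanner looks at


def names_found(data, limit=None):
    """Set of signature names present in data (optionally only in its first `limit` bytes)."""
    return {name for _, name in AUTOMATON.scan(data, limit)}


def naive_names_found(data, signatures=SIGNATURES):
    """Reference scanner: one full pass per signature, so its cost grows with the list."""
    return {name for name, pattern in signatures.items() if pattern in data}


def scan_report(files):
    """Compare a whole-file scan with a head-only scan for each (label, data) pair."""
    return {
        label: {
            "whole_file": sorted(names_found(data)),
            "head_only": sorted(names_found(data, HEAD_ONLY_LIMIT)),
        }
        for label, data in files
    }


if __name__ == "__main__":
    report = scan_report([("clean", CLEAN_FILE), ("head", INFECTED_HEAD), ("tail", INFECTED_TAIL)])
    for label, result in report.items():
        print(f"{label:6s} whole-file: {result['whole_file']}  head-only: {result['head_only']}")
```

The automaton walks each byte of the file exactly once and follows at most as many failure links as it has advanced, so adding signatures enlarges the trie but not the work per file; the naive reference scanner, by contrast, rescans the file once per signature. The head-only mode finds the infection placed at the start of a file but reports nothing for the one appended at the end, which is the gap the thread describes.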
------------------------------

End of VIRUS-L Digest [Volume 7 Issue 13]
*****************************************