VIRUS-L Digest   Saturday, 26 Feb 1994    Volume 7 : Issue 14

Today's Topics:

Re: "Good Viruses?"
Re: Virus testing
Re: good vs bad viruses
Re: "Good Viruses?" and other stuff
Re: Form. Should it be Hated and Feared?? (PC)
Re: McAfee versus F-prot (PC)
re: Monkey Virus - Dead hard disk (PC)
Re: Virus testing
re: Alternate infection method? (V-Sign) (PC)
HELP DIR-II virus (PC)
Re: Help in removing Monkey virus from hard disk (PC)
Re: McAfee Scan 111 false positive (PC)
Re: Discussion of FIST 2 virus (PC)
Re: virus signature database? (PC)
Re: FS5 possible virus warning (PC)
Re: Discussion of FIST 2 virus (PC)
Re: EMD Enterprises PC Armor Beta Test Survey (PC)
Re: McAfee versus F-prot (PC)
Reply to two questions about F-PROT (PC)
Re: McAfee Scan 111 false positive (PC)
Re: Is speed really important? (PC)
Re: Form. Should it be Hated and Feared?? (PC)
Re: Fprot or McAfee (PC)
InVircible (PC)
SCAN 109 False Positive (PC)
THE FORM! (PC)
A problem with McAfee's CLEANv111. (PC)
Using VSHIELD with Windows (was Re: VSHIELD (PC))
fp-211.zip - Version 2.11 of the F-PROT anti-virus product (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 11 Feb 94 19:27:33 -0500
From:
Subject: Re: "Good Viruses?"

[crap deleted] (you know... bandwidth, etc. etc.)

A virus could be good (at least in theory). How about a virus to unfrag your drive once a month when you've left the computer for an hour? How about a virus to protect against all other viruses -- i.e. a vaxine! These things are possible and with care taken so they don't trash hard drives etc, it would be a neat concept...

Don't be so close-minded!

Brian McEntire (finger mcentire@orthanc.async.vt.edu for public key)

------------------------------

Date: Sun, 13 Feb 94 08:49:49 -0500
From: "Steve Bonds (007"
Subject: Re: Virus testing

Marko Helenius wrote:
>I am the responsible researcher of Virus Test Laboratory of Finland.
>I would appreciate comments on how to arrange virus test sets.
>One problem is gathering new viruses.
>I thought that one source might be Anti-Virus producers, which are willing to
>co-operate. Is this the right thing to do it and how should I do it in an
>objective way ?

Most of the largest antivirus producers are understandably unwilling to give away ANY virus. To quote one, "It wouldn't look good if [name of company] got the reputation as a virus spreader." However, if you are polite, can take "NO" for an answer, and if people have seen your name appear on comp.virus before, you should have few problems getting a decent set together.

One advantage of arranging a collection for AV testing is that the most common viruses are (almost by definition) easier to find, so your test suite can include more of these. I feel that a test biased towards detection and disinfection of the more common viruses is useful for general-purpose testing. In any case I urge you to compare your results with Vesselin's just to see if they are close.
If you can't get a collection anywhere else, there are always the virus BBS's, but this always leaves me feeling dirty all over...

-- Steve Bonds
- --
 000  000  7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0  0 0  0    7  |-----------------------------------------------------------
0  0 0  0    7  | Childhood is short...                   [Calvin & Hobbes]
 000  000    7  | ...but immaturity is forever.

------------------------------

Date: Sun, 13 Feb 94 19:41:29 -0500
From: blossj@alleg.EDU (Jeffrey Bloss)
Subject: Re: good vs bad viruses

Ellen Carrico writes:
> viruses are inherently "bad" or may be "good" simply don't have any
> relevance in the real world. Out here, where I work, if a scanned
> computer shows a virus that computer is no longer available for staff or
> public use until it has been cleaned (usually by me). With more than

See... out here where _I_ work it's a different story. My job takes me into various businesses and homes, where I sometimes find a viri or two, but I find that if I CALMLY explain that the majority of computer viri do nothing more than replicate... and display funny messages. Then run the thing to prove it. Then reinfect the machine to DOUBLE prove it.

I guess what I'm getting at is that people need to understand what they're dealing with and stop thinking of viri as a "witch" of the 90's. Sure they can destroy your data... or make it so you can't get to it, but then so can a fire. If there were a little less "alarmist" action and a little more thinking going on there wouldn't be as much data LOST to begin with. I have a collection of about 1500 viri... never wrote one, just a hobby... and have NEVER lost a piece of data I didn't want to.

> anti-virus software, train staff, develop and maintain policies, perform
> routine scans, and repair destroyed files and disks. I can think of many
> more productive ways to spend my time and the library's funds.

Here again...
one of the BEST routines for detecting viri was "developed" by someone using nothing more than the basic tools that come with DOS and a file compression routine... PKZIP to be exact. This amazingly simple method of compressing several known clean files like COMMAND.COM into an archive, doing a daily routine of compressing the SAME files into another archive and comparing the two with DOS File Compare... automatically at boot up... detects viri better than MOST signature scanners. And the whole thing other than the ZIP util is free.

I really think we need to reassess our Michelangelo media blitz mentality.

------------------------------

Date: Mon, 14 Feb 94 00:58:43 -0500
From: "Roger Riordan"
Subject: Re: "Good Viruses?" and other stuff

lev@nssdca.gsfc.nasa.gov (Brian S. Lev) writes
>> I challenge anyone to put forth (even conceptually) a virus that
>> would be considered "good" in that it would be beneficial for it
>> to be released in the wild.

> Purely as a mental exercise, howzabout a virus-like piece of software
> that mimicked part of the functionality of the old "Spinwrite"
> program? It would glom onto as many disks as it could, check to see
> if they were bootable, and then do a verbatim rewrite of the boot
> sectors so that they'd never "age out" due to electromagnetic
> degradation?

If you designed and released such a virus, would you be prepared to offer a guarantee of - say - $10,000 per incident, that your program would never corrupt anyone's hard disk? I would almost guarantee that within a week your phone would be running hot from users whose hard disks didn't appreciate this treatment.

Roger Riordan                           Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                          Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA  Fax: +613 521 0727

------------------------------

Date: Fri, 11 Feb 94 09:34:04 -0500
From: jeh@christa.unh.edu (John E Hynes)
Subject: Re: Form. Should it be Hated and Feared?? (PC)

daveg@robin.EE.UNLV.EDU (David Good) writes:
>Recently, we received a batch of disks from Motorola that were
>infected by PC Form virus.
>
>
>Should I be treating this virus with more respect??? Inquiring minds
>WANT to know.

FORM can infect your pc if you *attempt* to boot from the infected floppy, even if the boot fails (due to the floppy not having system files or whatever). It is, however, fairly benign - it causes no _overt_ damage, other than infecting floppy bootsectors and hard disk partition tables. On high density disks (as with many bootsector viruses) it can cause directory tree damage, as it relocates the original bootsector to a root directory sector.

------------------------------

Date: Fri, 11 Feb 94 10:20:16 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: McAfee versus F-prot (PC)

datadec@ucrengr.ucr.edu (kevin marcus) writes:
>F-Prot is faster, is capable of cleaning more viruses, provides much
>more accurate virus identification, has much more accurate
>descriptions of viruses (though they are often pretty brief -- they're
>not wrong),

We are working on a major revision of the virus information database, and hope it will be ready in time for 2.12 (late March).

> and has had a much better history (less false positives,

I haven't kept accurate count, but both products have had occasional false positives - which typically are corrected immediately - we (F-PROT and SCAN, that is) have a much shorter development cycle than some other packages (NAV and CPAV for example), which means that we are more up-to-date, but unfortunately there is less time for testing.

>less hacks (any?),

I am aware of one hacked version of the VIRSTOP program, but not of F-PROT itself. However, there have been a few cases where the documentation has been changed without our permission - in one case even changing the address to send payments to...

- -frisk

------------------------------

Date: Fri, 11 Feb 94 10:29:39 -0500
From: "David M. Chess"
Subject: re: Monkey Virus - Dead hard disk (PC)

> From: Mahmoud.Mirzamani@lambada.oit.unc.edu (Mahmoud Mira"zamani)
> I also like to know if there is a program other than the shareware
> KILLMONK that would be helpful?

I would think any good anti-virus program would repair the Monkeys by now. IBM AntiVirus does, for instance.

> Finally, as I was testing KILLMONK to remove the Monkey virus on one
> the PC's last Thursday, I followed its suggestion by typing fdisk
> /mb(?).

Are you sure KILLMONK suggested running FDISK /MBR?? The correct advice is -never- to run that command on a Monkey infected machine, since Monkey writes an invalid partition table, and if you use FDISK /MBR to fix the MBR code, it won't be able to boot (since it won't see the partition table that the virus stashed away on track 0).

If you've already done this to a machine, your options are pretty much:

- Use FDISK to repartition the disk, and reformat etc as needed. Simple and reliable, but you almost certainly lose all the files that used to be on it!

- Use a disk-fixer (Norton Disk Doctor is one, I think) that will walk the disk, find the partitions, and rebuild the partition table. Has some non-zero chance of working, but may not.

- Get a guru with a sector editor to look through track 0 on the hard disk for a sector that looks like a master boot record XOR'd with a constant. Perform the XOR to recover the original, write it to the real MBR, and the disk should be fixed.

- Find a system with -exactly- the same size, format, and partition-setup as yours, save a copy of that MBR, carry it over to your system, write it to the MBR.

- -- -
David M. Chess                  | Two: one to change the lightbulb, and
High Integrity Computing Lab    | one to fill the bathtub with
IBM Watson Research             | brightly-colored machine tools

------------------------------

Date: Fri, 11 Feb 94 10:35:26 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus testing

cshema@uta.fi (Marko Helenius) writes:
>I am the responsible researcher of Virus Test Laboratory of Finland.
>I would appreciate comments on how to arrange virus test sets.

Heh...you are (un)lucky Vesselin is busy with his thesis right now, otherwise he would probably e-mail you a 10-page list of DOs and DON'Ts.

>One problem is gathering new viruses.
>I thought that one source might be Anti-Virus producers, which are willing to
>co-operate. Is this the right thing to do it and how should I do it in an
>objective way ?

There are some issues to consider....

Just maintaining a virus collection properly is not an easy part-time job. Classifying the viruses properly, replicating the samples and weeding out the non-viruses takes a lot of time.

Obtaining viruses: Well, most anti-virus companies are pretty hesitant to send viruses to anybody...as an absolute minimum you would have to demonstrate a clear need, sufficient physical security and trustworthiness of the persons having access to the virus collection.

There are also other issues to consider - will you give viruses to anybody, and if so, to whom ? What will you be doing that is not already being done elsewhere ?

- -frisk

------------------------------

Date: Fri, 11 Feb 94 10:42:42 -0500
From: "David M. Chess"
Subject: re: Alternate infection method? (V-Sign) (PC)

> From: kenney@laser.nb.rockwell.com (Kevin Kenney)
> I don't know my DOS file structure well enough to know if starting an EXE
> (possibly) executes code in the 1st block of a file, and thus could run
> a 'non-file infecting' virus residing there. This might be an alternate
> way to be infected with any (or some) boot virii.
> Can anyone confirm/refute this alternate infection method?

Except for a very few viruses that are designed to run this way (and CANSU is not one), running a file that a boot virus has (accidentally) overlaid shouldn't cause the virus to become active, or infect the hard disk. (The environment that a file runs in is so different from the one a boot sector runs in that it'd be quite a coincidence, I think, if boot sector code were to happen to function correctly as a program file.)

> Is disinfecting a boot infector from a file more prone to failure
> than other disinfections?

When a boot infector accidentally overlays part of a file with itself (or with a saved original BR), the overlaid data is generally lost, unrecoverable, not saved anywhere. A backup or another copy of the program is probably your only hope.

> Can someone send me a rundown of V-sign, so I can panic to the proper degree?

It's a fairly typical boot infector; infects A: and B: and the first two hard disks. Sometimes displays a V-shaped sign on boot. No destructive payload.

> (Is there an informational server I could e-mail to for automatic info?)

See the online help in IBMAV or (I imagine) F-PROT, or gopher to index.almaden.ibm.com and look in the IBM Computer Virus Information Center.

DC

------------------------------

Date: Fri, 11 Feb 94 14:09:09 -0500
From: UG2T@ibm3090.rz.uni-karlsruhe.de (Tony)
Subject: HELP DIR-II virus (PC)

My computer was affected by DIR-II virus and when I removed it using CPAV, I can no longer boot from my hard disk. I don't know what to do now so please if there is someone knowledgeable in correcting this problem, I would greatly appreciate your help.

Thanks a lot in advance.
Tony

------------------------------

Date: Fri, 11 Feb 94 18:49:28 -0500
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Help in removing Monkey virus from hard disk (PC)

cvardema@bashful.helios.nd.edu (charles vardeman) writes:
>There is a small community college here in South Bend that has a
>computer lab that was infected w/ the monkey virus. Unfortunately,
>they used the FDISK/MBR option and now cannot restart their systems.

They did this to more than one machine without checking to verify that it worked? Hmmm... Remind me to not take any classes there...

>Is there anything that can be done to restore the MBR of their hard
>drives. I'm thinking of something like Norton disk doctor or some
>utility of that nature. Short of that, would it be possible to go in
>w/ a disk editor and reset the information..

Well, the first crazy thing that came to mind actually stands a good chance of working. Find a machine that is still infected but hasn't been FDISK /MBR'd yet. Use a disc utility (either Norton's Utilities, or possibly Padgett Peterson's MBR saver) to read the *infected* MBR from this machine. Then, go to one of the botched machines and write this MBR over the DOS variety, and see if it'll boot. If it does, you now have a bootable infected system. Use KILLMONK or whatever is the proper method at hand, and clean up the system properly. Now reboot it again to make sure it's all working. Then, and *only* then, clean up each of the remaining machines in the same manner.

Note: Do *not* reinfect one of the non-bootable machines! Infect one that is clean and working to get your MONKEY-ized MBR, otherwise, you'll overwrite the information you need to retrieve.

As always, should you decide to accept this mission, boot the systems from a known-clean write-protected floppy, and write the infected MBR to another one.

And demo F-Prot to them--they need to license a real product and do things right in the future.

- --
Gary Heston    SCI Systems, Inc.
gary@sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
"Quit while you're ahead. All the best gamblers do."  Baltasar Gracian

------------------------------

Date: Sat, 12 Feb 94 07:36:20 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: McAfee Scan 111 false positive (PC)

rjryba@major.cs.mtu.edu (Russell J. Ryba) writes:
>I just upgraded to MS-DOS 6.2 and now scan says I have the Filler and
>Israeli Boot Sector Viruses. After some experimenting I narrowed the
>culprit down to the new version of MSAV.

I have not heard of this particular false positive, but quite frankly I am not too surprised ... MSAV and CPAV have a rather bad reputation for not co-existing with other anti-virus programs. They have been fixing some of the problems - encrypting search strings in memory and such... Anyhow, if this is indeed a new false alarm, Central Point should fix it within a year or two.

- -frisk

------------------------------

Date: Sat, 12 Feb 94 08:07:07 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Discussion of FIST 2 virus (PC)

hj5@prism.gatech.edu (JOHNSON P.E., HARRIS T) writes:
>One of our field office DOS machines became infected with the FIST 2
>virus (I think). Central Point Anti-Virus indicated this is the
>infection.

"FIST 2" is a non-standard name, so it is very difficult to determine which virus they are talking about. My guess is that this is some variant of the second group of the Screaming_Fist family, as no other viruses contain "Fist" and "2" as a part of the name. In that case, this could be any of the following viruses:

    Screaming_Fist.II.650
    Screaming_Fist.II.652
    Screaming_Fist.II.692
    Screaming_Fist.II.696
    Screaming_Fist.II.724
    Screaming_Fist.II.732
    Screaming_Fist.II.838

>The symptoms included corrupted files and directories,
>invalid drive specification, etc. No other virus detection incl. DOS
>6.2 found the virus

Well, whether DOS anti-virus finds anything or not is really not significant.
However, all those variants are found by SCAN and F-PROT, so if you tried either of those and they found nothing, I might suspect a false alarm.

>which made me suspicious but on the corrupted
>machine command.com for DOS_6.2 grew from 54K bytes to 55K bytes.

Well, it would be better to know the exact byte increase.

>Also by sequentially inspecting EVERY disk that came into that office
>for the past 3-months we did find a WP_5.2 document with some very
>suspicious code appended to the end of the document. Without trying
>to disassemble the code, I think this was the source.

Sorry, but I seriously doubt that.

- -frisk

------------------------------

Date: Sat, 12 Feb 94 08:20:41 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: virus signature database? (PC)

STEVEM@sjsuvm1.bitnet (steve mazdeh) writes:
>Hello everyone.
> I was wondering if there is a sort of reference list anywhere on the
>internet that has the names and signatures of all the known viruses.

No. It does not exist.

Regarding names of viruses: Well, if you combine several lists - the VIRLIST.LIS in F-PROT 2.11 (which lists 3356 different viruses), the latest VSUM (probably around 2500 viruses), and VIRLIST.TXT in SCAN 111 (2738 viruses) you would theoretically end up with the majority of the 4000 or so viruses that are known today. I say "theoretically" because it is extremely difficult to determine which names are aliases and which ones are not.

As for the list of search patterns - that is impossible, as many viruses simply do not contain any constant code you can extract a search pattern from. There are lists of search patterns available, but combining them all would probably not be sufficient to detect more than 50-60% of the viruses that exist. The reason is simply that with nearly 10 new viruses appearing per day, just maintaining a decent search string database requires significant work, and many companies are not eager to give that work away "free" ...
- -frisk

------------------------------

Date: Sat, 12 Feb 94 08:30:50 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: FS5 possible virus warning (PC)

Roberto@suds01.cern.ch (Roberto Divia) writes:
>a "COM" and "MEMORY" virus, but NOT an "EXE" virus. In other words,
>it should not infect EXE files.

Cascade checks the file type, not the file name extension - it will infect any file that is executed, not too long, and which does not start with "MZ", so it could easily infect an .EXE file that was structurally a .COM file.

>After removing the virus, I scanned all my parents' floppies.
>And I found the virus on the 2nd floppy of the FS5 distribution kit.
>Purchased in a big shop, it was original, write-protected copy from
>Microsoft.

This probably indicates that somebody had bought this copy before - infected it - possibly deliberately, and then returned it. The store just shrink-wraps the package again and sells it to the next vict...eh, buyer.

>As I have not followed the whole story (I came in only at the last
>chapter), I am not sure of what happened to that floppy. The dates
>are correct,

Cascade does not change the date on any file it infects. It would be more interesting, however, to check the layout of the infected file on the diskette.

>infected an "EXE" file. So, my conclusion was: this virus was on
>the floppy since the beginning. But I am not an expert in viruses...

If that had been the case it would have been on the master copy, and there would be thousands of copies floating around. I have not heard of any other report of this problem, so my conclusion is that unless I get more identical reports, this is just an isolated incident - assuming that the possibility of a false alarm has been ruled out.
- -frisk

------------------------------

Date: Sat, 12 Feb 94 12:25:47 -0500
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Discussion of FIST 2 virus (PC)

JOHNSON P.E., HARRIS T wrote:
>One of our field office DOS machines became infected with the FIST 2
>virus (I think). Central Point Anti-Virus indicated this is the
>infection. The symptoms included corrupted files and directories,
>invalid drive specification, etc. No other virus detection incl. DOS
>6.2 found the virus which made me suspicious but on the corrupted
>machine command.com for DOS_6.2 grew from 54K bytes to 55K bytes.

Download a copy of the latest F-Prot and use that to confirm or deny the CPAV diagnosis.

>Also by sequentially inspecting EVERY disk that came into that office
>for the past 3-months we did find a WP_5.2 document with some very
>suspicious code appended to the end of the document. Without trying
>to disassemble the code, I think this was the source.

Please explain how the "code" appended to the end of a WordPerfect document was executed on your computer. By what mechanism did this data become a program??

> Now the big question, can it be
>detected and cleaned from a rather large FOXPRO database? 11 months
>of management information is in what may be an infected file. While
>we have backups, if we can't find it we don't know which backups are
>infected.

Why do you think a database is infected? Since a virus must be executed to have any effect, a virus infection of a data file is vanishingly rare. As described above regarding the WordPerfect data file "code," one must ask how a data file made the transition to become an executable program.

I might venture to say that the vast majority of damage caused by viruses results from ill-advised reaction rather than real instances of infection. Please read the FAQ, and possibly consult with someone who has a clearer understanding of the problem before deleting files, reformatting disks, or taking other drastic action.
Fran

------------------------------

Date: Sat, 12 Feb 94 15:00:57 -0500
From: ghosh+@pitt.edu (Sunondo Ghosh)
Subject: Re: EMD Enterprises PC Armor Beta Test Survey (PC)

On Tue, 25 Jan 94 19:27:02 EST, R. Wallace Hale wrote:
> Subject: EMD Enterprises PC Armor Beta Test Survey (PC)
> Appears to me to be more of a market survey than a legitimate
> invitation to competent beta testers.

To: R. Wallace Hale
From: Rick DePaolis
      Beta Test Review Team Leader - EMD Armor (previously PC Armor)
      EMD Enterprises
      70473.3260@CompuServe.COM

On behalf of the Beta Test Review Team, I thank you for your response. Firstly, let me assure you that the ultimate goal of this test is to provide our customers with the best computer security product. We know that to meet this goal, we need to thoroughly test EMD Armor on a variety of system configurations as well as amass a test user base as diversified as our customer base.

Not knowing what your background is or your area of expertise, thus not having any insight into your skepticism, I can only hope through this response to help put your mind at ease. The great volume of responses we have received from potential beta testers attests to their knowledge and familiarity with the requirements necessary to obtain meaningful results, and we certainly appreciate the time and effort of all respondents.

I assure you that the goal of EMD Enterprises has always been and will remain one in which our customers' needs come first. We desire to satisfy those needs and hope to continue providing our customers with the quality computer products we hope are synonymous with our name.

- -------------------------------------------------------------------
ps: I (Sunondo Ghosh) am just posting on the behalf of Mr. Rick DePaolis since he doesn't have access to the internet. Please reply to him directly.
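The PKZIP-and-FC routine that Jeffrey Bloss describes earlier in this digest is a baseline-and-compare integrity check: record what a set of known-clean files looks like, re-record them later, and report any difference. The script below is an added example (not code from the digest, nor from any product discussed in it) that implements the same idea in Python, generalised a little: instead of diffing two archives it keeps a size plus SHA-256 record per file, so it also catches an in-place patch that leaves the file size unchanged. The watched file names, the toy program bytes and the tampering steps in demo() are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files the original routine would have zipped: constructed names, not a real system.
WATCHED = ["COMMAND.COM", "IO.SYS", "MSDOS.SYS"]


def file_digest(path: Path) -> dict:
    """Size plus SHA-256 of one file. Size alone catches an appending
    infector; the hash also catches a same-size in-place patch."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def take_baseline(root: Path, names, baseline: Path) -> dict:
    """Record the known-clean state (the first ZIP in the original routine)."""
    snap = {n: file_digest(root / n) for n in names if (root / n).exists()}
    baseline.write_text(json.dumps(snap, indent=2))
    return snap


def compare(root: Path, names, baseline: Path) -> dict:
    """Re-measure every watched file and diff it against the baseline
    (the daily ZIP plus the FC step)."""
    old = json.loads(baseline.read_text())
    report = {"ok": [], "changed": [], "missing": []}
    for n in names:
        p = root / n
        if not p.exists():
            report["missing"].append(n)
        elif n not in old or file_digest(p) != old[n]:
            # absent at baseline time, or bytes/size differ now
            report["changed"].append(n)
        else:
            report["ok"].append(n)
    return report


def demo() -> dict:
    """Build a constructed DOS-like directory, baseline it, then tamper
    with it the way three different kinds of change would."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for n in WATCHED:
            # toy 'program': mov ax,4C00h ; int 21h, followed by the name
            (root / n).write_bytes(b"\xb8\x00\x4c\xcd\x21" + n.encode())
        base = root / "baseline.json"
        take_baseline(root, WATCHED, base)
        clean = compare(root, WATCHED, base)

        # 1) growth by 1 KB, as an appending file infector would cause
        with (root / "COMMAND.COM").open("ab") as f:
            f.write(b"\x90" * 1024)
        # 2) a same-size change: flip one byte of IO.SYS in place
        p = root / "IO.SYS"
        data = bytearray(p.read_bytes())
        data[0] ^= 0xFF
        p.write_bytes(bytes(data))
        # 3) a watched file that has disappeared
        (root / "MSDOS.SYS").unlink()
        tampered = compare(root, WATCHED, base)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A snapshot like this only tells the truth if it is taken and re-checked from a known-clean boot: a resident stealth infector (the kind Malte Eppert's message at the end of this digest refers to) can hand the checker the original bytes while the file on disk is infected, which is a good reason to run the comparison from a write-protected boot floppy and to keep the baseline file itself on write-protected media.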
------------------------------

Date: Sat, 12 Feb 94 19:54:51 -0500
From: trimm@netcom.com (Trimm Industries)
Subject: Re: McAfee versus F-prot (PC)

datadec@ucrengr.ucr.edu (kevin marcus) writes:
>Joel Johnson wrote:
>>I would like to know if there are significant differences between
>>McAfee and F-Prot antiviral software. Currently Looking into site
>>license and want to know is F-Prot considered as thorough as McAfee and
>>will it catch as many viruses. Any input on this would be
>>appreciated. Thank you.

>F-Prot is faster, is capable of cleaning more viruses, provides much
>more accurate virus identification, has much more accurate
>descriptions of viruses (though they are often pretty brief -- they're
>not wrong), and has had a much better history (less false positives,
>less hacks (any?), less bugs...)

I second that, Kevin. We at Trimm have a site license from Frisk, and are very pleased with both the product and its author. While McAfee & Co. are OK, Frisk is simply a whole lot more technically sophisticated than McAfee, and it shows in the product.

One of the traditional problems with scanners is that a minor hack of the code (say, by taking Sourcer and adding a NOP early in the code) renders the new variant invisible to them until the program is updated. All except for F-Prot. I did an experiment some years ago where I took source for some of the more common viruses, such as Jeru-B and MtE/Pogue, and started adding NOPs and other hacks to them, then reassembled, and ran Scan, F-Prot, and a couple others to see if the new variant was still visible. As soon as I changed anything, Scan would fail to find the variant. However, I had to totally mutilate the source code before F-Prot failed to find the virus. This makes F-Prot superior against new strains of hacks (which constitute the bulk of the virus problem.)
It appears that the scan strings in McAfee ScanXXX, at least some of the time, include the address fields of machine instructions, thus any inserted bytes earlier in the code make the string comparison fail. John can correct me if I'm wrong on this point.

- --
Gary M. Watson                 Trimm Industries
Internet: trimm@netcom.com     North Hollywood, CA 91605
Compuserve 72242,3437
* Manufacturers of Disk/Tape Enclosures and Hot Swap Disk Array Enclosures *
* Views expressed here may not even be mine, much less Trimm Industries'!  *

------------------------------

Date: Sun, 13 Feb 94 05:48:55 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Reply to two questions about F-PROT (PC)

The message below is a reply to an e-mail message from a person in Sweden but mail to 'mozart.omega.studo.mh.se' bounced, so I am posting it here.

> I have just two simple questions. After using the shareware version of f-prot
> for over a year and a half I am very satisfied with its performance and
> interface, but since I tested a product called Virsim (dated 1991) from
> Rosenthal Engineering on both Thunderbyte's scanner and f-prot, I must say
> I am confused. TBAV found 1350 infected files out of 1600 possible, f-prot
> found only 3 infected files.

The reason is simple - the files generated by Virsim are not infected, so why on earth should F-PROT report them as viruses ? The files contain random fragments of viruses, but F-PROT is a virus detector, not a virus fragment detector. Those three files that were detected are actually false positives, and I would have been much happier if they had not been detected at all. TBAV named the viruses simply because it found search patterns belonging to specific viruses - but all those identifications are "incorrect" in the sense that the files are not infected.

Basically, VIRSIM is totally worthless for the purpose of comparing scanners, and we have been working on reducing the number of VIRSIM-generated files that F-PROT reports as infected.
If you try an older version of F-PROT (2.08 or so) you will see that it reports many more as infected....we saw this as a problem that needed to be fixed.

> Why are some viruses in the information-database typed in yellow and some
> in white!

Primary names versus aliases and variant names...

- -frisk

------------------------------

Date: Sun, 13 Feb 94 08:17:54 -0500
From: "Steve Bonds (007"
Subject: Re: McAfee Scan 111 false positive (PC)

Russell J. Ryba wrote:
>I just upgraded to MS-DOS 6.2 and now scan says I have the Filler and
>Israeli Boot Sector Viruses. After some experimenting I narrowed the
>culprit down to the new version of MSAV.

I have received several calls from panicked people who discovered the Filler virus in memory, only to discover that they were merely infected with MSAV. This whole business with MSAV is starting to wear a bit thin on my end... Microsoft really outdid themselves with this one.

Fortunately, the new versions of F-prot (2.10+) warn the user when their computer may have contracted MSAV, thereby helping to avoid some of these false positives.

-- Steve Bonds
- --
 000  000  7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0  0 0  0    7  |-----------------------------------------------------------
0  0 0  0    7  | Childhood is short...                   [Calvin & Hobbes]
 000  000    7  | ...but immaturity is forever.

------------------------------

Date: Sun, 13 Feb 94 17:26:54 -0500
From: cshema@uta.fi (Marko Helenius)
Subject: Re: Is speed really important? (PC)

dm252@cleveland.freenet.edu (Keith A. Peer) writes:
|> I have read and heard about how fast some antiviral scanners are. My
|> question is with all of this so called speed is it possible to be
|> missing some infections? Are some scanners not scanning the entire
|> file to increase speed? Being that some viruses can enter a file in
|> the front, middle or end and in some cases anywhere how can a scanner
|> that does not scan the entire file find all infections?
F-Prot and |> ThunderByte are very fast scanners compare to McAfee. Does McAfee scan |> the entire file while F-Prot and Thunderbyte don't? I mean really |> isn't the quality of the scanner really what's important and not that |> it can scan a hard disk in "X" seconds? If some scanner is faster than some other scanner, it does not mean, that the slower scanner is more reliable than the faster one. Because we are receiving thousands of new viruses per year and because of polymorphic viruses, most producers have to work all the time to keep their scanner fast enough. Some producers have devoloped their scanning mechanism so that it is both fast and reliable. Of course if fast scanning mechanism reduces product's quality, then fast scanning is not worth of it. Regards - -- O-----------------------------------------------------------O l M.Sc. Marko Helenius l l l University of Tampere l Fax: +358 31 2156070 l l Department of Computer Science l Phone +358 31 655960 l l P.O.BOX 607 l E-Mail: cshema@uta.fi l l SF-33101 TAMPERE, FINLAND l l O-----------------------------------------------------------O ------------------------------ Date: Sun, 13 Feb 94 17:37:46 -0500 From: cshema@uta.fi (Marko Helenius) Subject: Re: Form. Should it be Hated and Feared?? (PC) daveg@robin.EE.UNLV.EDU (David Good) writes: |> Recently, we received a batch of disks from Motorola that were |> infected by PC Form virus. |> |> Since these are not bootable disks, I was not overly concerned that |> the safety and security of the computing world may be in jeopardy. |> |> Then I started thinking... What happens if I leave a Form infected |> non-bootable disk in the drive and reset the pc?? Will it be released, |> so that it may hatch some insidious plot on my HD?? Is there any other |> way it can creep into my machine other then booting off the floppy?? |> |> Should I be treating this virus with more respect??? Inquiring minds |> WANT to know. 
You should not fear or respect Form, but you should get rid of it. Form will be released if (bootable or non-bootable) diskette is in disk drive and computer is booted. After this "accident" all disks and hard disks attached will be infected. Regards - -- O-----------------------------------------------------------O l M.Sc. Marko Helenius l l l University of Tampere l Fax: +358 31 2156070 l l Department of Computer Science l Phone +358 31 655960 l l P.O.BOX 607 l E-Mail: cshema@uta.fi l l SF-33101 TAMPERE, FINLAND l l O-----------------------------------------------------------O ------------------------------ Date: Sun, 13 Feb 94 19:46:37 -0500 From: blossj@alleg.EDU (Jeffrey Bloss) Subject: Re: Fprot or McAfee (PC) > Well, F-Prot's scanning engine seems more accurate, and F-Prot is also > about five times faster than McAfee's Scan. And I have right here 7 viri SCAN detects and F-Prot doesn't How manny viri did you test the two with? What types? When you're talkin' SCAN or F-Prot or IM or... each has it's strong points and weak points. Scan is a much better signature scanner, but F-Prot does heuristics... which in it SELF can be good or bad. ------------------------------ Date: Tue, 08 Feb 94 03:50:02 +0200 From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) Subject: InVircible (PC) Hi Zvi! > with much more flesh. Are you familiar with the new INT13 > derouters What does "derouting" mean - resolve the ROM entry point? > their presence. Now we have a whole lot of stealthy boot > infectors, and Nika even does it without memory stealing! How does it do that, if I may ask? No more INT 12 return moving!? Does it go low DOS into a zeroblock hole? > I read you'll be off Virnet for writing your PhD. My sincere > wishes for a glorious thesis and all the best. Hi Vess, I'll second Zvi :-) cu! eppi - --- GEcho 1.01+ * Origin: Another Virus Help Node - The EpiCentre! 
(9:491/6050) ------------------------------ Date: Thu, 10 Feb 94 06:12:00 +0200 From: Fred_Janssen@f1.n9931.z9.virnet.bad.se (Fred Janssen) Subject: SCAN 109 False Positive (PC) > "Found the 1008-B Dropper [1008Drop] Virus" > in the MODE.COM file of DOS version 3.3 is a false > positive. This was a known problem with Viruscan 109. > There must be an other strategy used by McAfee SCAN > on scanning only executables (default) or all files. Please read the documentation, it states: /A will scan all files, and larger parts thereoff. Fred - --- * Origin: Fred's Place (9:9931/1) ------------------------------ Date: Mon, 14 Feb 94 11:22:15 -0500 From: corgan@interaccess.com (Dave Bost) Subject: THE FORM! (PC) What is the best and cleanest way to remove the FORM virus for good?? Does a general format remove the boot sector? If not, what is the best way to overwrite it without putting the system files on the disk? - -- Dave Bost corgan@interaccess.com ------------------------------ Date: Mon, 14 Feb 94 14:16:50 -0500 From: jeffcoat@merlin.etsu.edu (Joseph Jeffcoat) Subject: A problem with McAfee's CLEANv111. (PC) I have just tried out McAfee's CLEAN v111 and keep getting a Need More RAM error. This program tels me that I need about 390 K *not sure about the number, but I know that it is over 350 K* of ram more. I have about 468 K of base memory available. I recently ran CLEAN v110 and had no problem running it. Anybody out there have had the above problem?? Also...does McAfee's have a internet mailing address?? Thanks... Buddy ------------------------------ Date: Mon, 14 Feb 94 15:20:52 -0500 From: mcafee@netcom.com (McAfee Associates) Subject: Using VSHIELD with Windows (was Re: VSHIELD (PC)) Hello Marcus, You write: >I have just updated my McAfee scan to what i think is the latest >version (111)... 
>.when i use the VSHIELD that works in my autoexec.bat file i get >the following message: > Can not find file c:\windows\win.ini > VSHIELD Windows Messager is not installed This means that you are running VSHIELD with the /WINDOWS switch, which VSHIELD should be run with just once when it is installed to insert the VSHWIN Windows compatibility module into the WIN.INI file. VSHWIN is the program that allows VSHIELD to display messages under Windows. > >I'm using the /windows flag as I have done for older versions of VSHIELD. >My Windows directory is on my drive D: >My question is: How do I correctly get VSHIELD to find windows on >drive D and what exactly does Windows Messager do? Change your VSHIELD command line to "VSHIELD {options} /WINDOWS D:\WINDOWS" and VSHIELD will install VSHWIN.EXE correctly. > >Thanks for reading, >Marcus >ECE OU > Regards, Aryeh Goretsky - -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com 2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95051-0963 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW ------------------------------ Date: Sat, 12 Feb 94 02:15:06 -0500 From: frisk@complex.is (Fridrik Skulason) Subject: fp-211.zip - Version 2.11 of the F-PROT anti-virus product (PC) I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): pub/msdos/virus/ fp-211.zip Version 2.11 of the F-PROT anti-virus product This version adds detection/identification of more than 450 new viruses, compared to 2.10. It identifies 3173 different viruses and also detects viruses belonging to 183 other families, giving a total of 3356. Uploaded by the author. 
Fridrik Skulason frisk@complex.is ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 14] *****************************************
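Gary Watson's remark near the top of this digest, that a scan string which embeds an instruction's address field stops matching as soon as bytes are inserted ahead of the code, is easy to see in a small matcher, and the same matcher shows the point frisk makes about fragments and false positives: a scan string masked too loosely starts hitting clean files. The following is an added example, not code from the digest or from any scanner vendor; the byte sequences are constructed stand-ins (not any real virus) and the `??` wildcard notation is an assumption.

```python
# Added example (not from the digest or any scanner): a minimal scan-string
# matcher showing why a signature that embeds an absolute address operand
# fails once bytes are inserted ahead of the code, and how masking only that
# operand with wildcards ("??", an assumed notation) keeps detection working
# while still rejecting a clean program that merely shares a few bytes.

# Constructed stand-in for a code fragment, NOT any real virus:
#   A1 20 01   mov ax,[0120h]   ; absolute address of the fragment's own data
#   CD 21      int 21h
CODE = bytes.fromhex("a1 20 01 cd 21")

# Same fragment with two bytes (90 90, NOPs) inserted ahead of it: the data it
# references moves by two as well, so the address operand becomes 0122h.
CODE_SHIFTED = bytes.fromhex("90 90 a1 22 01 cd 21")

# A clean DOS program ending in the usual "mov ah,4Ch / int 21h" exit; it
# shares the CD 21 bytes but must not be reported as infected.
CLEAN = bytes.fromhex("b4 09 cd 21 b4 4c cd 21")

# Fixed scan string: includes the address field verbatim, as Gary describes.
FIXED = "a1 20 01 cd 21"
# Masked scan string: only the two address-operand bytes are wildcards.
MASKED = "a1 ?? ?? cd 21"


def parse_scan_string(text: str) -> list:
    """'a1 ?? ?? cd 21' -> [0xa1, None, None, 0xcd, 0x21] (None = any byte)."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_scan_string(data: bytes, text: str) -> int:
    """Return the offset of the first match of the scan string in data, or -1."""
    pat = parse_scan_string(text)
    for off in range(len(data) - len(pat) + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
            return off
    return -1


def compare_scan_strings() -> dict:
    """Map (scan string name, sample name) -> match offset for every pair."""
    samples = {"code": CODE, "shifted": CODE_SHIFTED, "clean": CLEAN}
    strings = {"fixed": FIXED, "masked": MASKED}
    return {(s, n): find_scan_string(d, t)
            for s, t in strings.items() for n, d in samples.items()}


if __name__ == "__main__":
    for (s, n), off in compare_scan_strings().items():
        print(f"{s:6s} string vs {n:8s}: {'hit at %d' % off if off >= 0 else 'no match'}")
```

The fixed string finds the original fragment but misses the shifted copy, while the masked string finds both and still leaves the clean program alone.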