VIRUS-L Digest   Thursday, 24 Mar 1994    Volume 7 : Issue 19

Today's Topics:

Research opportunity sought
'Good viruses?'
Re: Have we lost track of the virus problem?
re: A few truths
Comm Viruses
Re: A few truths
Re: Intelligent detection
Re: RAMA EXEC (IBM VM/CMS)
FORM, Filler, and Green Caterpillar (No rhyme intended!) (PC)
Joshua & Joshi (PC)
Re: Filler virus (PC)
divide overflow error in F-Prot (PC)
Any reviews of InVircible/V-Care ? (PC)
Delete-Beeping virus (PC)
Is speed really important? (PC)
MS-DOS 6.x Anti-Virus (PC)
michaelangelo virus (fwd) (PC)
Mich Birthday... (PC)
V-CARE (PC)
BUGSRES virus found (PC)
New Proto-T (Multi-Partite, resident .COM infector) (PC)
virusfree-ftp (PC)
Michelangelo (PC)
re: Shrink-wrapped virus? (PC)
Re: Volume labels changing (PC)
Removing the Form Virus (PC)
RE: Floppy boot-up (PC)
Re: M-day ? (PC)
Re: Monkey, an easier way (PC)
Virex PC 2.93 shareware antivirus package (PC)
March WildList
VDS 3.0j (updated) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 09 Mar 94 12:23:34 -0500
From:    amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Research opportunity sought

I'm currently looking for a research post, where I can formalise my study of technical & social aspects of the computer virus / anti-virus arena. Ideally in an English speaking part of the world, with an opportunity to gain an MPhil or PhD.

Thanks for any help.

Regards,
Anthony Naggs

Paper mail:                         Hat 1: Software/Electronics Engineer
PO Box 1080, Peacehaven,            Hat 2: Computer Anti-Virus Researcher
East Sussex  BN10 8PZ               PGP: public key available from keyservers
Great Britain                       Email: amn@ubik.demon.co.uk
                                    Phone: +44 273 589701

------------------------------

Date:    Thu, 10 Mar 94 07:15:40 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: 'Good viruses?'

These are the intergrades between ordinary programs and viruses:-

(0) ordinary program with no self replicating ability.
(1) program that contains a `self replicate' command.
(2) program that looks for places to copy itself into, but asks the user for permission before copying itself there.
(3) program that looks for places to copy itself into, and does not ask the user for permission before copying itself there: this is defined as a virus.

and any of these could be trojan, i.e. with an unannounced bad effect. A #3 trojan is a harmful virus. A #3 non-trojan is a `harmless' virus that yet can cause trouble by taking up space, altering registers and store locations, etc.

------------------------------

Date:    Fri, 11 Mar 94 16:15:19 -0500
From:    vfr@netcom.com (vfr)
Subject: Re: Have we lost track of the virus problem?

"Mitchell Cottrell" writes:

> To those who feel they must come to the defense of virus creators i
> ask; are you trying to justify your past actions?? That is the ONLY
> reason that I can ever see for any intelligent person in the computing
> industry to take that stand.
Hello Mitchell-

As one who has been accused from time to time of "defending" virus writers, I would like to address your statement, and try to answer your question. No, I am not trying to justify my past action, as I am not a virus writer or distributor. There are other reasons people may do what appears to some to be "coming to the defense" of virus writers. I don't know if my particular case is the sort of "defense" you are talking about, but I'll tell you what I see happening. Maybe it will answer some of the questions; maybe it will provoke a few more :)

When I give a lecture or presentation on "virus issues", I focus on the ethical and social issues. These include not only the virus writers but the entire computing community and all of our parts in the big picture. I have found that people tend to generalize their concept of "the virus writer". This generalization is not only unscientific, it is dangerous. Virus writers come in many "flavours"; they are a diverse (but relatively small) population.

When attempting to research 'how' we can solve what is a problem, i.e. the willful distribution of malicious software (and I am talking in this case about viruses, hacking tools, etc. which have the design potential to be both malicious and/or used in a malicious fashion), it is necessary to look at -all- vectors of transmission, not just the 'technical' ones. These vectors include the social and ethical aspects. To look at these aspects requires looking at the motivations of many types of individuals. It would be very wrong to say all virus writers are intentionally malicious people. They are not. Likewise, it would be wrong to say it is ethical or moral to intentionally release computer viruses to an unsuspecting population. It clearly is not. And finally, there are the legal issues, which differ from jurisdiction to jurisdiction, which compound the already complex problem.
As a society, we tend to accept that if something is not illegal, specifically, it is 'ok' to do. When you add in the cultural diversity that makes up the computing population (and the virus writing population) you come up with even more complexity. When someone insists on classifying all virus writers (or hackers) as malicious misfits, clarification is needed.

To do a proper study on the 'big picture' of 'the virus crisis' (if indeed there is one), a person needs to look at the who/where/why/what/when and then some. Is it defending a virus writer to investigate the motivation, and if it is found that the person fits an ethical model that does not include the willful harm of others, to simply say so? Ethical and moral models are -fact-. I'm often accused of defending virus writers, and I'm told it is because I do not find them all to be "the criminal degenerates they all are". Well, they are not. Some, yes. All, no. I can't think of any reason anyone would defend malicious action--but I think we have to be careful in differentiating the action from the actor.

> I apologize for running on..

It's an important issue.

Sara
- --
SGordon@Dockmaster.ncsc.mil / vfr@netcom.com
bbs: 219-273-2431   fidonet 1:227/190 / virnet 9:10/0
p.o. box 11417  south bend, in 46624
while [ $lines -le $maxlines ]
do
    echo >> $BUFFER
    lines=`expr $lines + 1`

------------------------------

Date:    Sun, 13 Mar 94 09:45:02 -0500
From:
Subject: re: A few truths

"David M. Chess" writes

>> "I have run thousands of sample viruses on a machine, and I have
>> never gotten wiped out,' Stang says, downplaying the reputation
>> of viruses as computer killers.

> With all due respect to David Stang, I'd like to add a few
> contrary pieces of evidence from our own experience:

> - We have a machine that automatically executes and
>   analyzes incoming viruses as the first step of "triage".
>   It regularly has its hard disk wiped, CMOS corrupted,
>   files erased, and so on.
>   I suspect Stang may have
>   been misquoted here, or a sentence about only running

The quote is as it appears in the magazine. So we have Mr. Stang's words against yours. Mr. Stang has no affiliations with AV products at all, you do. Whose word will I trust? The answer in my eyes is pretty clear.

>   selected viruses may have been left out. While it's
>   certainly possible to argue about the nature of "most"
>   viruses, no one can deny that there are hundreds, and
>   probably thousands, of intentionally destructive ones.

As there is an even larger quantity of viruses that are not "intentionally destructive."

> - Even the Stoned virus, which is cited as an example
>   of a virus that's not "really dangerous", can cause
>   considerable disruption. It assumes that track 0 on
>   hard disks is unused, and stores a copy of the original
>   Master Boot Record there. On some machines, including
>   those set up with an old version of FDISK, and those
>   that have adapters that use track 0 for startup code, a
>   Stoned infection can overlay important data, making the
>   machine non-bootable, and sometimes corrupting the File
>   Allocation Table.

Not counting incompatibilities with 3 1/2 inch diskettes etc.

> - The FORM virus, another common virus that contains no
>   intentionally destructive code, has similar problems:
>   it assumes that all bootable hard disk partitions are
>   FAT formatted. On systems running Boot Manager, HPFS,
>   Linux, or anything else besides FAT in the bootable
>   partition, the FORM can cause basically random system
>   corruption when it operates on what it thinks is the
>   BPB and File Allocation Table.

> Sorry, Kohntark, if this is a bit technical, but I think the
> basic meaning is clear: even viruses that aren't intentionally
> destructive can cause expensive and time-consuming damage.
> This coupled with the fact that viruses run without the
> knowledge or consent of the system owner seems to imply
> pretty unequivocally that they are Bad Things that we'd be
> much better off without.

It isn't really technical, & you are missing the overall picture. You name specific examples. I can name specific counter-examples of viruses that cause no damage to the system. Example: a lot of innocuous Vienna variants. Just like you can cite damaging viruses due to incompatibilities, I can name commercial products that cause damage to the system due to the same causes. The idea here is the majority of viruses are not intended to cause damage intentionally. If they do, well, they are not alone, commercial products have the same unexpected effects. Just try using a few newer products in older DOS systems.

ktark@src4src.linet.org

------------------------------

Date:    Mon, 14 Mar 94 21:40:09 -0500
From:    bbowen@megatest.com (Bruce Bowen)
Subject: Comm Viruses

Is there any information or experience out there on communication viruses? By this I mean not a virus in the traditional sense that damages files or file systems, but one that makes crank calls over attached modems, makes long distance calls, etc., possibly at times when the owner is not home, or sleeping, or some other time when he or she is not expected to be watching.

I have a suspicion that I may have such a virus loaded on my machine by a vindictive ex-girlfriend/comm software programmer. I'm also interested in information on any available line simulators/monitors that simulate a phone line that I could plug my modem into so as to monitor it.

I've been getting a lot of crank calls at work that hang up when answered. My ex-girlfriend claims to be getting a lot too. She came over one day to demonstrate some "games" she had written. I'm just wondering if it could be my own machine that's harassing me, and/or whether I could be being set up.
I unplugged the phone line from the machine and I have not received any crank calls at work since.

- -Bruce
bbowen@megatest.com

------------------------------

Date:    Tue, 15 Mar 94 11:32:32 +0000
From:    pdb@cdc.demon.co.uk (Peter Burnett)
Subject: Re: A few truths

> With all due respect to David Stang, I'd like to add a few
> contrary pieces of evidence from our own experience:
>
> - Even the Stoned virus, which is cited as an example
>   of a virus that's not "really dangerous", can cause
>   considerable disruption. It assumes that track 0 on
>   hard disks is unused, and stores a copy of the original
>   Master Boot Record there. On some machines, including
>   those set up with an old version of FDISK, and those
>   that have adapters that use track 0 for startup code, a
>   Stoned infection can overlay important data, making the
>   machine non-bootable, and sometimes corrupting the File
>   Allocation Table.
>
> Sorry, Kohntark, if this is a bit technical, but I think the
> basic meaning is clear: even viruses that aren't intentionally
> destructive can cause expensive and time-consuming damage.

Only today ( 15th-march-94 ), my counterpart in another one of the company's sites called me up and said "we have just been hit by Stoned on two platforms, have you got the stuff to deal with it".

Whilst the physical damage is not that great, there is the time-factor involved, which so far on this exercise is:

My time - 1 Hour.
Counterpart's Time - 2 hours+
Machines ( 2 off inoperative ) - 2 * 1/2 day
Subsequent investigation - ???? hours.

Due to this attack, 2 machine resources are out of action, 3+ hours of human time lost plus the investigation to follow to determine how we got infected in the first place. Initial investigation seems to show that the infection took place via floppy disk(s) brought in from a local college where some individuals have been doing an offsite training course.
Conclusion: Whilst the attack itself may not be outrageous, the loss in human time is, and the cost of this I surmise will be in the region of 500 UK Pounds plus ( for this estimate I used the basis that I and others are costed at 20.00 UK pounds per hour ).

Regards, Peter.

- --
Std. disclaimer...... My own opinions are not those of my employer
+----------------------------------------------------------------+
| Peter Burnett             Post Design Services Software Support |
| Computing Devices Company Ltd, Castleham Road                   |
| St. Leonards On Sea, East Sussex, UK  TN38 9NJ                  |
| Tel: 44-(0)424-853481 ( Work )        pdb@compd.com             |
|      44-(0)424-851520 ( Fax  )        pdb@cdc.demon.co.uk       |
|      44-(0)831-838714 ( Home )        pdb@seuk.demon.co.uk      |
+----------------------------------------------------------------+

------------------------------

Date:    Wed, 16 Mar 94 09:56:47 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Intelligent detection

Istvan Szucs (iszucs@stwing.resnet.upenn.edu) writes:

> University of Pennsylvania. I am currently working on a project, to
> implement an intelligent virus detector program on the PC. (By
> intelligence I mean capable of learning by example, using heuristics

It won't work.

> in an intelligent manner, etc). In theory I have solved most of the
> problems that came up to make the program intelligent, but there is

:-). Really? I suspect that you'll encounter a few problems when trying to implement your "theory" in practice.

> one issue I haven't been able to settle to my satisfaction: extracting
> signatures automatically.

Just this sentence of yours is enough to determine your lack of experience in the anti-virus field and to conclude that you are likely to fail.

First of all, the term "signatures" is incorrect and misleading. It makes people think that each virus has a "signature" - something unique that distinguishes it just like the human signature is unique for every human. Unfortunately, it is not so in practice.
For many viruses an almost unlimited (well, finite, but huge) number of byte sequences can be selected that will detect the virus. For other viruses only one or a few such sequences exist. Yet for some others no such sequence exists. That's why most anti-virus experts prefer to use the term "scan string". It is more appropriate, because it means that this is just a string (a byte sequence) used by a scanner to scan for a virus.

Second, looking for viruses based on scan strings is only one line of anti-virus defense, and a pretty weak one at that.

Third, there are viruses for which no scan string can be found that matches all replicants of the virus. Read the section of the FAQ for this newsgroup that explains what a polymorphic virus is. The existence of such viruses makes looking for scan strings obsolete as a single defense against viruses, be it automatic or manual. It simply doesn't work.

> I am wondering if anybody attempted to solve this question
> automatically.

Yes, many. I am aware of at least two products which use this approach. One of them is Victor Charlie, which heavily relies on it. Another one is TbScan, the registered version of which allows automatic scan string extraction from the new viruses. In none of the above cases does the method work reliably enough to be used as a single (or even as main) defense against viruses. It simply doesn't work against polymorphic viruses.

> I think it would even be helpful if someone could tell
> me how it is done manually. From the books and articles I have read so
> far it seems to be a synthesis of disassembly and black magic. Is that
> true?

Yes. :-)

Seriously, it is a synthesis of disassembly and application of common sense, backed up with a lot of experience in the anti-virus field. There are different ways that scan strings can be picked manually, depending on what goals exactly you want to achieve. Note that some of those goals are contradictory, i.e., you can't satisfy them all.
1) Detect as many variants of the virus as possible. The scanner that does this best is F-Prot. Obviously, Frisk is very good at selecting the sequence of bytes in the virus that is unlikely to change in the future, yet still reliably detects the virus. You should ask him for advice if you are interested in achieving this.

2) Distinguish between the significantly different viruses as precisely as possible. This is my approach, so I can tell you how to do it. Use *two* scan strings, together with their offsets from the beginning of the virus. As the first scan string, use the part of the virus code that repairs the infected file at runtime and transfers control to it. As a second scan string, use the part of the virus code that writes the virus to the infected files. In the first case, make sure that you include the instructions which fetch the saved original bytes of the infected file from the place where the virus has saved them. In the second case, make sure that you include the instructions which contain the length of the virus. This approach attempts to ensure that on disinfection you will not damage the file by disinfecting the wrong variant. Disadvantages - often even a minor variant of the virus will not be detected by this method and you will need a new set of scan strings, resulting in a potentially huge number of strings (there are about 4,300 known IBM PC viruses).

3) Cause as few false positives as possible. The guys at IBM have some automatic approach of measuring whether a scan string is likely to cause false positives, but I have yet to see it described in a paper. The best person to contact is probably David Chess.

4) Make the life of the automatic scan string extractor as easy as possible. For this purpose, just pick the first few (e.g., up to 16) bytes from the entry point of the infected files, make sure that those bytes are always the same among the infected files, and call this a scan string.
Needless to say, this method is easy, but extremely unreliable and troublesome, as it is likely to cause false positives, not to be able to distinguish between different viruses and so on.

> I would also appreciate if someone would be willing to assist me
> with the project in a more general sense. I would be happy to exchange

I am afraid that I cannot help you more than telling you that your idea will not work and not to waste your time with it. Unless, of course, your goal is to determine how suitable the AI approaches are for handling the virus problem. I wish you fun while learning how unsuitable they are. :-)

In general, your idea is only valuable as implementing it in a multi-line virus protection scheme. As a line that is not reliable, not likely to work, but which sometimes works and doesn't hurt. I'm not sure, however, whether it is worth the time and the efforts needed to implement it properly.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 09:43:56 -0500
From:    peprbv@cfa0.harvard.edu (Bob Babcock)
Subject: Re: RAMA EXEC (IBM VM/CMS)

> This sort of junk mail clearly is an offense against EARN rules. How can
> we keep those Arabic narcissists from wasting our user's and programmer's
> time, our storage media and net bandwidth?

When I received a copy of RAMA EXEC (on a Unix system!), I sent a complaint to the postmaster at the offending site and I sent a message to the sender telling him (?) that I considered it a personal insult that he thought I would be stupid enough to run his EXEC without examining it first. Neither message generated a response.
I would expect messages to postmaster to be most effective because they get the local postmaster mad at the perpetrator.

------------------------------

Date:    Wed, 09 Mar 94 09:33:21 -0500
From:    Brian Seborg
Subject: FORM, Filler, and Green Caterpillar (No rhyme intended!) (PC)

Some quick answers to some quick questions:

How to clean FORM:

Form is a DOS boot sector infector, not an MBR infector. To clean it:

1) Reboot system from a clean DOS disk with the same version of DOS as the infected machine. Make sure that if you need any device drivers (like DoubleSpace, or Disk Manager) that these are loaded via the floppy's config.sys.
2) Run SYS C:
3) Scan any diskettes that you have used in the PC and after backing up any contents via the copy or xcopy command (don't use diskcopy as it will copy the boot sector as well), format any infected diskettes.
4) DONE

The Filler virus:

Perhaps there actually is such a thing, but I have yet to see it. Usually, when you see that McAfee has identified the Filler virus active in memory, what it has really identified is Central Point Anti-Virus, or Microsoft Anti-Virus (same thing basically). Check your config.sys and autoexec.bat files to see if either of these programs are being loaded RAM resident. I would bet that you will find that they are there. Get rid of them, they are junk and should not be used with another anti-virus anyway.

The Green Caterpillar:

No, it is not polymorphic. Look for it to infect command.com, as well as other files. Reboot from a clean DOS disk, scan the disk with a decent scanner (most scanners should catch this virus since it is common) and erase (cleaning is for the unenlightened! :-)) all infected programs and replace from originals or clean back-ups. Done. No big deal! :-)

I hope this helps. Hey, what about the FAQ? Doesn't anyone read it! I just had to say it. :-)

Also, I see that this list has about pounded KTark into the mud.
Suffice it to say that KTark is wrong, and I think we have all made that intuitively obvious. I appeal to KTark to not waste any more time on this thread unless he is ready to offer plausible counter examples. :-)

Brian Seborg
VDS Advanced Research Group

------------------------------

Date:    Wed, 09 Mar 94 13:22:54 -0500
From:    Bill Geimer
Subject: Joshua & Joshi (PC)

Does anybody have a good anonymous FTP or other source for information about the PC Joshua & Joshi virii. We have recently seen them along with the widespread Form virus.

Thanks

------------------------------

Date:    Thu, 10 Mar 94 09:55:26 -0500
From:    bl432@cleveland.freenet.edu (Bill B. Wise)
Subject: Re: Filler virus (PC)

In a previous article, kitten@sneeze.resp-sci.arizona.edu (Bruce Saul) says:

> Pardon me if the form of my question is
> incomplete for this forum. One of the ibm-at clones
> at our office has been reported as being infected by
> the Filler virus.
> The virus was discovered by scanning a floppy
> disk with McAfee scan v109. Filler was discovered in
> active memory at that point and an advisory came up
> on the screen to shut down, then boot from a clean disk
> and scan once more.
> This was done. The disk scan found no
> virus. We then ran scan from a network drive. It
> reported Filler and advised us to shut the unit down.
> When we tried to reboot once more from the
> write protected disk we got a drive error, and had
> to press the f1 key. An additional attempt to
> boot resulted in a disk controller failure.
>
> Can anyone help me with this problem?

I have just had a similar situation on several PCs here. The units in question were all running Novi, as installed by our info systems dept. When the machines are booted with a floppy, causing the Novi virus stuff to be bypassed, they scan clean of any virus with McAfee Scan, versions 112 & 109 (old). I am now trying to confirm that Scan is being triggered by the TSR portion of Novi. I'll post as I have more info.
Bill Wise
Computer Resource Lab
MetroHealth Medical Center
Cleveland Ohio
bl432@cleveland.freenet.edu
aa1875@freenet.lorain.oberlin.edu

------------------------------

Date:    Thu, 10 Mar 94 12:02:42 -0500
From:    jjb18@konichiwa.cc.columbia.edu (Jeremy J. Blumenfeld)
Subject: divide overflow error in F-Prot (PC)

A user came in to our lab with a disk which virstop had reported having a boot sector infection. When running f-prot, the program reported that the boot sector was infected with a NoInt variant of the Stoned virus. Unfortunately I am not sure which one, as when the user answered y to disinfect, the computer started scrolling 'divide overflow' error down the screen. Not sure what this means or if there is any possible way to get the data back from these diskettes. Any help?

jeremy blumenfeld
email: jjb18@columbia.edu

------------------------------

Date:    Thu, 10 Mar 94 10:10:41 -0500
From:    GOL AMIR
Subject: Any reviews of InVircible/V-Care ? (PC)

I wrote (in response to Amir Netiv):

> Wasn't it you who told me, about a year ago [...]

No it wasn't! I was wrong. It was Zvi Netiv who told me that, not Amir Netiv. Of course, Amir is not responsible for what Zvi is saying, and vice versa. Sorry for the confusion - it only goes to prove that nobody's perfect, not even me ;-).

As for the "5 missing bytes", Zvi Netiv had assured me that it wasn't a bug. He has a point, but I'm still a bit doubtful ...

And again, sorry for the confusion,

Amir Gol (I)

------------------------------

Date:    10 Mar 94 15:26:21 -0700
From:    clawsona@yvax.byu.edu
Subject: Delete-Beeping virus (PC)

I have a suspicion that I have been infected by a virus, but am having some trouble in confirming this. From time to time when deleting a sub-directory, I will hear two "warning beeps" - sounds similar to those made by anti-virus programs to alert a user to the presence of a virus - but otherwise the PC behaves normally.
I have scanned several times using the latest Norton Anti-Virus 3.1 with the latest virus definition files (downloaded from CompuServe Symantec SIG) but it always comes up negative. I can not replicate the sounds, which will be made manifest once in several dozen attempts. An analysis of memory does not show anything glaringly obvious.

Does anybody have any information which might help? As I am a new user of InterNet, please E-Mail any information which you might have to the following address: I may never find my way back in here again.

Thank you,
Albert Clawson
Clawsona@yvax.byu.edu

------------------------------

Date:    Fri, 11 Mar 94 01:18:55 -0500
From:    "Frans Veldman"
Subject: Is speed really important? (PC)

"Roger Riordan" wrote:

> Better programs use some form of hashing to search for multiple
> templates simultaneously. For example VET uses the PolySearch
> algorithm. This can search for an almost unlimited number of templates
> simultaneously, and effectively conducts 16 searches at once (for
> templates starting on successive bytes), but has only 14 microprocessor
> instructions in the crucial inner loop. It is estimated that the

Being the author of TbScan, I think that people would like to hear my opinion about it. TbScan has only 8 microprocessor instructions in the crucial inner loop. In every loop, it processes two bytes of the input data, and searches for an unlimited amount of signatures. Due to some kind of 32-bit hashing it will exit from this inner loop only once in a few thousand bytes of input.

> process will be able to handle over 10,000 templates without significant
> performance degradation.
> It must be emphasised that this process does not involve any loss of
> security. ALL instances of any of the templates will be detected.
> F-Prot and Dr. Solomons Toolkit presumably use similar
> algorithms, and give about the same performance as VET.
> TBSCAN apparently does not have quite such a good algorithm, but

Thank you.
I however believe my algorithm is even better, although I haven't given it a nice sounding name. :-) If I remove all signatures from TbScan and run it again, it processes the disk in the same time! This means that all time spent scanning is due to disk access, heuristic analysis, and performing the inner loop of the signature search engine.

> it uses a further trick. Whereas most programs use the normal
> DOS calls for file handling TBSCAN bypasses DOS completely, and
> uses direct disk reads. This gives a substantial improvement in
> speed, at the risk of compatibility problems. In this mode

Well, that depends on how you implement it. We don't get any reports of compatibility problems. TbScan does some testing, and if the disk format is not completely recognized, it falls back on DOS.

> TBSCAN is significantly faster than anything else we have tested,
> but in the "compatible" mode, which uses normal DOS calls, it is
> a bit slower than VET. The improvement in the normal mode is a

This is not because of the 'less good search algorithm' but because TbScan also performs a full-fledged heuristic analysis and checksumming of the file. If I turn that off, the speed is nearly doubled. However, I want TbScan to be the fastest, but not by decreasing its detection capabilities.

> TBSCAN appears to work well, but the authors of other scanners
> probably feel they have enough support calls caused by
> compatibility problems, without deliberately going looking for
> trouble!

Please state that this is YOUR personal opinion. We have other experiences.

- --
Thunderbye, Frans Veldman

<*** PGP 2.3 public key available on request ***>

Frans Veldman                     Telephone: +31-85-211869 (voice)
veldman@esass.iaf.nl              P.o.
Box 1380                          2:280/200.0@fidonet
6501 BJ Nijmegen / The Netherlands

------------------------------

Date:    Fri, 11 Mar 94 03:11:59 -0500
From:    slbray@deakin.edu.au (Sharyn Bray)
Subject: MS-DOS 6.x Anti-Virus (PC)

Hi to all reading comp.virus,

I was wondering whether anyone could offer an opinion, comment, thought etc. regarding the effectiveness of the Anti-Virus for DOS (and A-V for Windows) package now bundled with MS-DOS, version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

Thanks in advance.

Stuart Palmer (kindly via slbray, kindly via Deakin)

------------------------------

Date:    Fri, 11 Mar 94 11:05:02 -0500
From:    "Phillip A. Mitchem"
Subject: michaelangelo virus (fwd) (PC)

I was wondering if you have seen this problem before and what you did about it? Is there a way this person's information can be reclaimed if the partitions are damaged.

Take Care,
Phillip Mitchem
usgpamx@gsusgi2.gsu.edu
Amicus usque ad aras.

- ---------- Forwarded message ----------
Date: Fri, 11 Mar 94 09:41:15 EST
From: JOULRT@GSUVM1
To: USGADM@GSUVM1
Subject: michaelangelo virus

Dale, on Michaelangelo's birthday, perhaps by coincidence, our hard drive became inaccessible. The problem is that the computer does not recognize that it has a C Drive. Our computer consultant told us that the partitions are gone, based on a Norton tools search. The Norton search told us that only the D drive is partitioned. But the main menu gives us only a choice of A or B Drive. Now I have some new software called Unformat. But this tool gives me only A or B Drive options for unformatting. Do you have any suggestions? Thanks!!!

------------------------------

Date:    Tue, 08 Mar 94 07:51:00 +0200
From:    Nemrod_Kedem@f0.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: Mich Birthday... (PC)

Hello, All.

It seems that the 4th birthday of Michaelangelo was not a big thing to the media this year, but it seems that this virus is not yet dead.
On March 6th, it seems that the Michelangelo virus hit a lot of PCs all over the world. In Israel alone, hundreds of PCs were gone... As a worker at a data recovery company I saw dozens of PCs coming in for recovery after the Mich attack.

IMHO, the reason for Mich to hit many more PCs than in the last years is that nobody thought that a virus could strike three years in a row. All anti-viruses detect and remove the Mich virus without any problem, but it seems that there are still many PC users that do not use an anti-virus (and I emphasize DON'T USE, because most of them do have one).

It seems that old viruses are not yet dead and we should still keep our eyes open and USE our anti-viruses regularly.

Nemrod Kedem, Authorized Agent of McAfee Associates.

- --- FastEcho/386 1.40a/Real!
 * Origin: Make Safe Hex! (9:9721/0)

------------------------------

Date: Thu, 10 Mar 94 11:50:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: V-CARE (PC)

Yisrael Radai writes in reply to Amir Netiv:

AN> V-CARE started the Generic "thing" ....

IR> Are you speaking of generic *detection* (integrity checking) or
IR> generic *disinfection* or both??

True, generic detection (based on checksum, smart or simple) was indeed something that we didn't start. There is not a single AV that respects itself that didn't have this for many years. Untouchable was one that claimed to have a checksum algorithm that can't be fooled. However, as you yourself well know (since you were among the first people who saw the V-CARE generic disinfection at that time, as we misjudged you to be objective), it was obviously the first in the world (as you yourself say).

IR> Again, no distinction between detection and modification.

I agreed with you on that before.

IR> You are probably correct that V-CARE was the first product which used
IR> generic disinfection.

As mentioned.

IR> But that doesn't mean that "Untouchable or V-Analyst
IR> learned the system from you"!
IR> (I spoke to someone at BRM about this.
IR> He said that at one point they did take a look at V-CARE, but all that
IR> they learned was how *not* to implement generic disinfection.)

That sounds like the right response, if I may remind you that a week after we had our meeting you met with another AV manufacturer in Israel that said he didn't know us at all and had never heard of us. May I remind you how you laughed ;-) Yuval (author of Untouchable) sat in a lecture we gave and did some bizarre things with his hands when we explained the method.

VB>> how would their product protect your hard disk from
VB>> a virus that infects like Brain, but also corrupts only the
VB>> data files on your hard disk and only when they are being
VB>> modified by DOS.

AN> how about a virus that infects only a PC with a modem and only
AN> when there is a call on the line?

IR> Vesselin's question was a serious one and you reply by comparing
IR> it to absurdities.

Sorry Yisrael, you underestimate me; for your knowledge there is such a virus as I described, and it infects only BBSs and only while there is a call on the line.

IR> Apparently such a virus doesn't yet exist, but your
IR> reply is an evasion, not a serious answer.

Sorry again, you should be more professional in your criticism. If you were, you would have known that such a virus is easily possible.

I said that: The average speed of file scanning by V-CARE is about 2500 files per minute.

IR>First, how can you speak of a speed without mentioning the *machine*?
IR>Secondly, it's no trick to produce fast scans if you SKIP MOST OF THE
IR>FILE. Correct me if I'm wrong, but I think that's what your program
IR>does.

Well, first, it's true, on an XT the speed will go drastically down, and secondly there are other ways of increasing the speed that will cause a lot of misses (like what happened with TNTvirus 2 years ago).

IR> I could mention a few drawbacks to the V-CARE package, but they
IR> would be based on the package as I tried it several years ago. I have
IR> no idea to what extent you've improved it since then, so it would seem
IR> unfair to judge your present package by your former one. On the other
IR> hand, you keep telling us that nothing in your software has changed
IR> during the last 5 years, so maybe the drawbacks are still relevant?

I would refer you to the latest articles in French magazines from the last year. All of them (none excluded) tested V-Analyst and V-CARE (and naturally others) and all (none excluded) found V-CARE (known as ViGUARD in France) the best in generic disinfection and protection.

IR> Oh yes, the most interesting program in the V-CARE package I saw was
IR> V-GUARD. I get the impression this is no longer part of V-CARE. If
IR> not, why not? And what happened to your philosophy of not including
IR> any TSRs in your package?

a. V-CARE has a module called VGUARD.EXE. You are mixing it up with another product: V-CARE is sold under the name V-GUARD in Switzerland, ViGUARD in France and V-CARE in the rest of the world. Some other OEM names also exist!

b. For 3 years, we have changed our motives: we no longer try to educate the world, but rather give everyone what they want: heuristic scanning, (VSECURE) a specific TSR (6K only), (VMONITOR) another TSR for generic alarming, (EXPERT) a new and unique module (again the first in the world) that analyses and studies viruses online and integrates them into the "known-virus" database, and a lot more...

So, you see, things change, people change (but not everyone).

Warm regards
* Amir Netiv. V-CARE Anti Virus, head team *

- --- * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Sun, 13 Mar 94 14:43:25 -0500
From: "jrezek1@vaxa.hofstra.edu"@vaxc.hofstra.edu
Subject: BUGSRES virus found (PC)

I have found a virus called BUGSRES on my PC with the CPAV utility. I would like to know if this is a computer virus or not. When I run the latest version of NAV it says there is no virus.
The computer seems to be fine and CPAV says this virus will affect all .SYS, .EXE and .COM files. Could this be an error, or should I be concerned? Please help if you can.

------------------------------

Date: Mon, 14 Mar 94 09:36:16 -0500
From: Henrik Stroem
Subject: New Proto-T (Multi-Partite, resident .COM infector) (PC)

New variant of Proto-T

The virus infects the MBR of the first hard disk, then goes resident and hooks INT 21h. It has an INT 21/4B handler, which infects .COM files. Certain .COM files are not infected, because of a primitive letter check routine.

RAM installation check performed by the virus:
  INT 21/2C2C -> AX=0DCD if the virus INT 21h handler is active.

MBR installation check by the virus itself:
  MBR[0],E8h -> JNE INFECT

The MBR code installs an INT 13h handler, which tries to determine when DOS is loaded, and then hook INT 21h. Did not work on my PC.

The virus seems to have a variable infective size. F-Prot 2.11 identifies some samples of the virus as Proto-T.1053, while other files are identified as "New or modified variant of Proto-T". I've proposed the name Proto-T.MP for this new variant (Multi-Partite).

Since no other antivirus program is able to disinfect this new variant, I've written a small disinfection program to deal with the problem. The disinfection program will try to disable the INT 21h handler in memory, unhook the INT 13h handler if active, disinfect the MBR, and clean itself if it becomes infected. I've called the disinfection program DISINF v1.0 since it is my first file-disinfector. It is available from me by E-Mail if requested. The disinfection program is Copyrighted Freeware, meaning that it is free, but should be distributed in its complete unmodified form.

AVP 1.07 called this virus ComTSR, but could not disinfect.

Does anyone know if any of the previous variants infects the MBR?
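[Editor's added example, not part of the post above and not Henrik Stroem's DISINF program.] The MBR installation check described above (the variant tests whether MBR[0] is E8h, a CALL, and infects if it is not) is also a usable defender-side indicator: a stock DOS master boot record begins with FA (CLI), not with a CALL. The C program below inspects a raw 512-byte MBR image, verifies the 55AAh boot signature, sanity-checks the four partition-table entries and flags boot code whose first byte is E8h. The three sample images are constructed inline for the example and their partition geometry is made up; reading the real sector from a disk (with a disk editor, or a raw device read) is left to the reader. A table that fails these checks is also the case in which the FDISK/MBR advice later in this digest says not to rewrite the sector blindly.

```c
/* mbr_check.c - structural sanity checks on a raw 512-byte MBR image.
 * Added example for this digest; not taken from any poster's software.
 * The sample images built by make_*_mbr() are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define PART_TABLE_OFF  0x1BE   /* four 16-byte partition entries */
#define SIG_OFF         0x1FE   /* 55h AAh boot signature */

/* Bit flags returned by inspect_mbr(); 0 means nothing suspicious. */
enum {
    MBR_BAD_SIGNATURE  = 1,  /* 55AA missing: sector wiped or not an MBR */
    MBR_CALL_AT_ENTRY  = 2,  /* first byte E8h (CALL): the marker Proto-T.MP tests for */
    MBR_NO_ACTIVE_PART = 4,  /* partitions present but none marked bootable */
    MBR_BAD_PART_TABLE = 8   /* empty or malformed partition table */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int inspect_mbr(const uint8_t *mbr) {
    int flags = 0, active = 0, used = 0;

    if (mbr[SIG_OFF] != 0x55 || mbr[SIG_OFF + 1] != 0xAA)
        flags |= MBR_BAD_SIGNATURE;
    if (mbr[0] == 0xE8)               /* CALL rel16 as the very first instruction */
        flags |= MBR_CALL_AT_ENTRY;

    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE_OFF + i * 16;
        uint8_t status = e[0], type = e[4];
        uint32_t start = le32(e + 8), count = le32(e + 12);
        if (type == 0)                /* unused slot */
            continue;
        used++;
        if (status == 0x80)
            active++;
        else if (status != 0x00)      /* anything else is not a valid boot flag */
            flags |= MBR_BAD_PART_TABLE;
        if (start == 0 || count == 0) /* cannot start at the MBR itself or be empty */
            flags |= MBR_BAD_PART_TABLE;
    }
    if (used == 0 || active > 1)
        flags |= MBR_BAD_PART_TABLE;
    else if (active == 0)
        flags |= MBR_NO_ACTIVE_PART;
    return flags;
}

/* Constructed sample: a plausible clean DOS-era MBR. Boot code begins
 * FA (CLI) 33 C0 (XOR AX,AX) 8E D0 (MOV SS,AX) BC 00 7C (MOV SP,7C00h);
 * one bootable FAT16 partition starting at LBA 63 (made-up geometry). */
void make_clean_mbr(uint8_t *mbr) {
    static const uint8_t code[] = { 0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C };
    uint8_t *e = mbr + PART_TABLE_OFF;
    uint32_t start = 63, count = 0x20000;
    memset(mbr, 0, MBR_SIZE);
    memcpy(mbr, code, sizeof code);
    e[0] = 0x80;                            /* bootable */
    e[4] = 0x06;                            /* FAT16 */
    for (int i = 0; i < 4; i++) {
        e[8 + i]  = (uint8_t)(start >> (8 * i));
        e[12 + i] = (uint8_t)(count >> (8 * i));
    }
    mbr[SIG_OFF] = 0x55;
    mbr[SIG_OFF + 1] = 0xAA;
}

/* Constructed sample: same partition table, but the boot code now starts
 * with a CALL, the condition this Proto-T variant checks (MBR[0] == E8h). */
void make_call_entry_mbr(uint8_t *mbr) {
    make_clean_mbr(mbr);
    mbr[0] = 0xE8; mbr[1] = 0x00; mbr[2] = 0x00;
}

/* Constructed sample: sector overwritten with zeros, as after a destructive
 * boot-virus payload or a failed recovery attempt. */
void make_wiped_mbr(uint8_t *mbr) {
    memset(mbr, 0, MBR_SIZE);
}

/* Build a sample with the given constructor and return inspect_mbr() on it. */
int check_sample(void (*make)(uint8_t *)) {
    uint8_t buf[MBR_SIZE];
    make(buf);
    return inspect_mbr(buf);
}

int main(void) {
    struct { const char *name; void (*make)(uint8_t *); } samples[] = {
        { "clean",      make_clean_mbr },
        { "call-entry", make_call_entry_mbr },
        { "wiped",      make_wiped_mbr },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = check_sample(samples[i].make);
        printf("%-10s flags=0x%x%s%s%s%s\n", samples[i].name, f,
               f & MBR_BAD_SIGNATURE  ? " no-55AA"   : "",
               f & MBR_CALL_AT_ENTRY  ? " call-at-0" : "",
               f & MBR_NO_ACTIVE_PART ? " no-active" : "",
               f & MBR_BAD_PART_TABLE ? " bad-table" : "");
    }
    return 0;
}
```

The E8h test is only an indicator: it is the condition this one variant uses, and a non-DOS boot manager could legitimately start with a CALL, so a hit means "compare against a known-good copy of your MBR", not "infected". The signature and partition-table checks are independent of any virus and are what tell you whether the table is still intact before any tool is allowed to rewrite the sector.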
Henrik Stroem (Author of HS Anti-Boot Virus)
Stroem System Soft (March 13th, 1994)

------------------------------

Date: Mon, 14 Mar 94 11:36:18 -0500
From: pdthomas@winternet.mpls.mn.us (Twins fan)
Subject: virusfree-ftp (PC)

Does anyone know of some ftp sites where the uploads are scanned for viruses? I am looking for a virus disinfectant or scanner, but it would seem most obvious to me that someone would stick a virus in a disinfectant or a scanning program. I am also interested in sites that people know of that scan uploads. Either post here or email me, thanks in advance.

Paul Thomasson
pdthomas@icicle.winternet.mpls.mn.us

------------------------------

Date: Tue, 15 Mar 94 12:06:11 -0500
From: wdsst3@cislabs.pitt.edu (William D Sands)
Subject: Michelangelo (PC)

Sorry that I had to post to answer a rather trivial question, but time is of the essence, and I can't access a FAQ at the moment. A friend of mine had his hard drive infected with the Michelangelo virus last week. I have plenty of software with which to disinfect his hard drive and floppy discs, but my question is: Is there any way to recover any of the data which was present on the hard drive, or is the only alternative to reformat the hard disk (since I guess Michelangelo starts to do that for you anyway)? I just seem to remember that I have heard of people who have recovered at least some of the files from a hard disk infected in this manner.

Thanks a lot.
-Bill Sands

------------------------------

Date: Wed, 16 Mar 94 09:41:41 -0500
From: johnboyd@ocdis01.tinker.af.mil (John Boyd)
Subject: re: Shrink-wrapped virus? (PC)

In your message of 15 Mar 1994 at 1205 CST, you write:

> ------------------------------
> Date: Mon, 28 Feb 94 10:10:34 -0500
> From: Chip Seymour
> Subject: Shrink-wrapped virus? (PC)
>
> We have apparently received a virus-infected 3.5" HD diskette directly
> from a well-known manufacturer who will remain unnamed.
> When
> installing their product from the shrink-wrapped floppy, F-PROT v2.11a
> reported
>
> [deleted]
>
> The manufacturer denies having sent a virus-infected product, and when
> we received a replacement floppy, it too was infected.

It's no surprise that they'd deny it. It's either a testament to their lack of knowledge or control of the subject, or a realization of what kind of bad PR it'll create if the info gets out to the world. A bit like trying to hand-cap a firehose though.

There are at least two possibilities that explain the infection. Either someone who wrote part of the code which comprises the app wrote it on a machine which is infected, and they haven't/can't find it; or the infection was introduced at the disk duplication facility, in which case all the software that they've received back from the duplicator is infected, but they can't do anything about it. Of course, possibility #3 is that some 'neat trick' in the software is causing a false positive which someone else here will probably know about.

Hope you get it cleared up soon, though...

- ----------------------------------------------------------------------------
johnboyd@ocdis01.tinker.af.mil
johnboyd@aol.com
'There are two things that a grown man should never see; sausage being made, and legislation being passed' - Bismarck
Disclaimer: My opinion represents only me, and sometimes not even that.

------------------------------

Date: Wed, 16 Mar 94 09:44:09 -0500
From: peprbv@cfa0.harvard.edu (Bob Babcock)
Subject: Re: Volume labels changing (PC)

> > appears that any disk that is formatted in this particular
> > office will generate an additional 0-byte hidden file that I have only
> > detected through CHKDSK.
>
> Suspicious. Some boot viruses exceeding 512b sector length hide their code in
> sectors marked as bad. Maybe this is just another trick like this. What's the
> file called? Does CHKDSK report lost clusters?
> Watch out and hand such a disk to a virus researcher.
Sounds like the dreaded volume label virus. ;-) A volume label entry in a disk directory looks just like a zero-byte file with special attribute bits set. Many versions of CHKDSK count the volume label as a file.

------------------------------

Date: Wed, 16 Mar 94 09:45:49 -0500
From: Steve Bonds (007)
Subject: Removing the Form Virus (PC)

Once again I have seen a bunch of messages pleading for help on getting rid of the FORM virus. Like most boot sector viruses, this one can be a real challenge to get rid of unless you know what you are doing and do it well. One note, however: if you are running MSAV and another antivirus program tells you that you are infected with FORM, it is entirely possible that you are not really infected. Remove MSAV and try again with a better scanner, such as F-prot.

Here is an overview of what needs to be done; I give more detail on each step below.

+ Remove the virus from the DOS Boot Sector
+ Prevent the computer from booting from a floppy disk
+ Install a software monitor to warn of future infections

*Removing the Virus from the DOS Boot Sector*

This is the simplest step. Either boot from a clean floppy with the same version of DOS as is on the hard disk and then SYS C:, or grab a copy of F-prot from oak.oakland.edu as /pub/msdos/virus/fp-211.zip. F-prot will disinfect FORM very easily.

*Preventing the previously infected computer from booting from a floppy*

Most newer BIOSes have an option to boot only from the hard disk. If you do not have such a BIOS, I strongly suggest that you upgrade. You might ask, "Well, what if I want to boot from a floppy occasionally?" You can either change the CMOS settings so the BIOS will boot from the floppy again, or you can use the SAFEMBR program which is included with the file FIXUTIL6.ZIP (it is in the same place as FP-211.ZIP, above).
This does an integrity check of the MBR on startup (not real useful for FORM, but good for MBR viruses) and also allows a floppy boot by holding down the Ctrl key while booting the computer.

*Installing a software monitor*

This allows you to catch infected floppies as they are used, rather than getting a nasty surprise. The TSR included with F-prot has two command line switches that can be useful for tracking down FORM. Load VIRSTOP with the switches /WARM and /BOOT. The /WARM switch checks the floppy in the A: drive for viruses before a warm boot is performed. The /BOOT switch checks all floppies accessed for boot sector viruses, and displays a warning message if a virus is found. It should be noted that frisk still considers these options experimental. Also, if the floppy is accessed from Windows, no message will be displayed. (It seems like it should say SOMETHING-- what's up with this, frisk?)

If all of these steps are followed, you should be able to reduce the rate of infection quite a bit. (Hopefully to zero!) If you are feeling especially ambitious, starting a floppy scanning program can help slow the spread of Form to other computers aside from your lab.

Good luck!
-- Steve Bonds

------------------------------

Date: Wed, 16 Mar 94 09:44:49 -0500
From: Steve Bonds (007)
Subject: RE: Floppy boot-up (PC)

Mahmoud Mirzamani wrote:
> wrote:
>>
>>At this point the CMOS is read in. Assuming that the PC is set up to
>>boot in a standard manner, the ROM code then examines the first floppy
>>drive to see if it has a disk in it. If it does, the contents of the
>>disk's boot sector is read into memory and executed.

[Stuff Deleted]

>Good point, however I have a question about ways to prevent a disk boot-up.
>I know of the NoFBoot and SumFBoot programs which prevent an accidental
>warm boot-up, but what about cold boot-up? Is there a way to prevent
>reading of A: drive all together?

The only way to do this is by changing the ROM that controls the bootup, namely the BIOS.
Many of the newer BIOSes have an option to boot from the hard disk first, bypassing the floppy entirely. There is no software solution that can prevent a cold boot, simply because software has not yet entered the loop-- all of the boot process is done through firmware!

If you need to boot from a floppy occasionally (shouldn't need to in a student lab...) then you might check out FIXUTIL6.ZIP, which contains a number of useful hard disk repair and recovery utilities. The MBR replacement SAFEMBR offers an option to boot from a floppy disk if the control key is held down during a hard disk boot. You can get this from a number of places-- if you need specifics give me an E-mail and I'll tell you exactly where.

-- Steve Bonds

------------------------------

Date: Wed, 16 Mar 94 09:55:41 -0500
From: "Jeffrey Rice - Pomona College, California."
Subject: Re: M-day ? (PC)

frisk@complex.is (Fridrik Skulason) writes:

>I was just wondering if anybody, anywhere had encountered Michelangelo
>yesterday - I don't know how many machines got hit yesterday, perhaps a
>few thousand, but it might have been more if the 6th had not been a Sunday.
>
>- -frisk
>

Well, here at Pomona College in Southern California, we had two computers hit, to my knowledge. None of the academic machines were hit (to my surprise, since they insist on running CPAV), but 2 machines had hard drives wiped out. I spent a couple of hours on the first running fdisk and then Norton Disk Doctor, but the second was a total loss. Someone at the computer center told the user to reformat their drive....which made my job easier, though. There was nothing left to recover.
Jeff Rice
Pomona College, California

------------------------------

Date: Wed, 16 Mar 94 09:56:22 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey, an easier way (PC)

Brian Seborg (seborg@csrc.ncsl.nist.gov) writes:

[snip]
> and then use Norton or some other disk-editor to copy the partition
> table (logical sector 0) to a file. Since your disk-editor is likely
[snip]
> version :-)). Copy the file you created in the previous step back to
> sector 0. Next, run FDISK/MBR (this will overwrite the Monkey part of
> sector 0 leaving the partition table intact). That should do it. Of

First, it is NOT logical sector 0. It is the physical sector 1, cylinder 0, head 0 - the MBR.

Second, if you have saved and replaced the whole MBR as you suggest, running FDISK/MBR is unnecessary, and with viruses like Monkey which overwrite the whole MBR it could screw things up if the user doesn't do it properly.

As a general rule (have to update the FAQ sometime): Whenever you want to use FDISK/MBR, boot from a clean floppy, and try to access the hard disk (e.g., DIR C:). If you can access it, proceed with FDISK/MBR - it won't hurt. However, if you cannot access the hard disk, DO NOT run FDISK/MBR - it will make your hard disk non-bootable and in general is likely to screw things up to the point where a data recovery expert will be needed.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226        Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de           22527 Hamburg, Germany

------------------------------

Date: Wed, 09 Mar 94 11:52:21 -0500
From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Virex PC 2.93 shareware antivirus package (PC)

The latest version of Virex PC is now available (218958 bytes):

  ftp.demon.co.uk:/pub/antivirus/pc/av-progs/virx293.zip

Or from Datawatch's own ftp site:

  gateway.datawatch.com, directory /pub

Use this as your free update for a previously registered version, or to evaluate as a shareware purchase.

Details of "what's new"
=======================

1. There has been a net increase of 246 virus detectors in version 2.93, bringing the total to 1966 detectors.

2. VPCScan can now detect Tremor virus. Unlike other leading anti-virus products, our detection algorithm for Tremor is 100% reliable.

3. The VPCScan fixed-signature scanning has been rewritten to make optimal use of available memory while minimizing impact of low-memory situations on scanning speed. The result includes the ability to install cleanly under DoubleSpaced DOS 6.2 and Windows DOS boxes. Also, scanning efficiency under all memory conditions has improved.

4. Virus specific disinfection has been added for a variety of common viruses that our users might actually run across in the field. These include Stoned.Empire.Monkey.B, Ripper, Azusa, AntiEXE and Stoned.LZR.

5. Possible "false positives" for the Nuke Encryption Device are eliminated. Our thanks to Accolade, Inc. for their assistance with this problem.

6. False positives by other scanners on VPCScan should be reduced due to better encryption of our wild-card signatures.

7. A problem with Virex.com working correctly with older versions of Professional Write and the Norton Utilities has been corrected. Virex.com remains the single smallest continuous virus protection with both known and unknown virus detection, using only 528 bytes of memory. Perfect for use with systems burdened with large network drivers.

8. Datawatch now provides interactive technical support for Virex for the PC through our forum on America OnLine, keyword DATAWATCH, or by calling our technical support specialists at (919) 549-0711. We can also be reached via Internet email at MacTech@datawatch.com. Technical support is available to registered users only. Please register by calling us at the phone number listed above. Credit card orders are accepted.

Archive details
===============

 Length  Method    Size  Ratio    Date   Time    CRC-32   Attr  Name
 ------  ------   -----  -----    ----   ----   --------  ----  ----
  43780  Stored   43780     0%  22-02-94 00:00  f776f5a2  --w-  INSTALL.EXE
   4696  Implode   2571    46%  22-02-94 00:00  f2c8a058  --w-  VIREX.COM
 262810  Implode 137006    48%  22-02-94 00:00  8e2c6a67  --w-  VPCSCAN.EXE
   9877  Implode   4145    59%  24-02-94 00:00  1a6ef9c1  --w-  WHATSNEW.293
   9535  Implode   4189    57%  22-02-94 00:00  9a22d631  --w-  README.VPC
   5026  Implode   2006    61%  22-02-94 00:00  c68acbb6  --w-  FAMILY.TXT
   1343  Implode    772    43%  22-02-94 00:00  2a5f801f  --w-  $TOC
  52058  Implode  18279    65%  22-02-94 00:00  5e7e01cf  --w-  VIREXPC.DOC
  11599  Implode   5081    57%  22-02-94 00:00  4351bfe0  --w-  REGISTER.DOC
    181  Shrunk     143    21%  28-02-94 12:15  8eb42e4a  --w-  VPCFILES.LST
 ------          ------  -----                                  -------
 400905          217972    46%                                       10

*Please* if you find the electronic distribution useful (eg to update your registered copy, or to evaluate, ..) let DataWatch know through Email, fax, postcard or a phone call!
- --
Anthony Naggs
Paper mail:                              Hat 1: Software/Electronics Engineer
PO Box 1080, Peacehaven,                 Hat 2: Computer Anti-Virus Researcher
East Sussex BN10 8PZ                     PGP: public key available from keyservers
Great Britain                            Email: amn@ubik.demon.co.uk
                                         Phone: +44 273 589701

------------------------------

Date: Wed, 09 Mar 94 23:27:18 -0500
From: Joe Wells <0004886415@mcimail.com>
Subject: March WildList

============================================================================
PC Viruses in the Wild - March 9, 1994
============================================================================

This is a cooperative listing of viruses reported as being in the wild by 16 virus information professionals. The basis for these reports are virus incidents where a sample was received, and positively identified by the participant. Rumors and unverified reports have been excluded.

The list should not be considered a list of "currently common" viruses, however. No provision is made for commonness. A currency basis for the list has been set. Reports date from September of 1992 to the present. This data indicates only "which" viruses have been found in the wild.

============================================================================

The section below gives the names of participants, along with their organization, antivirus product (if any), and geographic location.
Key  Participant            Organization       Product         Location
============================================================================
As   Alan Solomon           S&S Int'l          Toolkit         UK
Dc   Dave Chess             IBM                IBM AntiVirus   USA
Ek   Eugene Kaspersky       KAMI               AVP             Russia
Fb   Fernando Bonsembiante  Virus Report       None            Argentina
Fs   Fridrik Skulason       Frisk Int'l        F-Prot          Iceland
Gj   Glenn Jordan           Datawatch          VirexPC         USA
Jw   Joe Wells              Symantec           NAV             USA
Pd   Paul Ducklin           CSIR Virus Lab     None            So Africa
Pp   Padgett Peterson       Hobbyist           DiskSecure      USA
Rf   Richard Ford           Virus Bulletin     None            UK
Rh   Richard Head           Jade Corp          None            Japan
Rr   Roger Riordan          CYBEC              VET             Australia
Sg   Shimon Gruper          EliaShim           ViruSafe        Israel
Vb   Vesselin Bontchev      U of Hamburg       None            Germany
Ws   Wolfgang Stiller       Stiller Research   Integ Master    USA
Yr   Yuval Rakavi           BRM                Untouchable     Israel
============================================================================

The first chart is based on two or more participants reporting a virus. Therefore, these viruses are probably more geographically scattered.

CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
3-Tunes..................| . . . . . x x . . . . . . . . . | 1784
AntiEXE..................| . . . . x . x . . . . . . x . x | D3,Newbug
Athens...................| . . . . x . x . . . . . . . . . | Trajector
Barrotes.A...............| x . . . . . x x . . . . . . . . | Barrotos
Brasil...................| . . . . . . x . x . . . . . . . |
Butterfly................| . . . . . . x . . . . . . x . x |
Cascade.1701.A...........| x x . x x . . . . x x . x x . . | 1701
Cascade.1704.A...........| x x x . x . x . . . . . x . . x | 1704
Changsha.................| . . . . . . x . . . x x . . . . | Centry
Chinese Fish.............| x x . . x x x x . . . x . . . x | Fish Boot
CPM......................| . . . . . . x . x . . . . . . . | Chile,Meirda
Dark_Avenger.1800.A......| x x . x x x x . . x x x . . x x | Eddie
Dark_Avenger.2100.SI.A...| x . . . . . x . . . . . . . . . | V2100
Datalock.920.............| x x . . . . x . . . . . x . . x | V920
Dir-II.A.................| x x x x x . x x . x x x x x x x | Creeping Death
Disk_Killer.A............| x . x . . . x . x x . . x . . . | Ogre
Even_Beeper..............| x x . . . . . . . . . . . . . . |
EXE_Bug.A................| x . . . . . x x . x . . x . x . | CMOS Killer
EXE_Bug.C................| . . . . . . . x . . . . x . x . |
Fichv.2_1................| x . . . x . . . . . . . x . . x | 905,CHV 2.1
Filler...................| . . . . . x x . . . . . . . . . |
Flip.2153.A..............| x x . x x . x . . x x . x . . . | Omicron
Flip.2343................| x . . . x . . . . . . . . . . . | Omicron 2
Form.....................| x x . x x x x . x x x . x x x x | Form 18
Freddy_2.................| . . . . x . x . . . . . . . . . |
Frodo.Frodo.A............| x x . x x . x . . . x x x . . x | 4096,100 Year
Ginger...................| . . . . . . x . . . . x . . . . | Gingerbread
Green Caterpillar........| x x . . x x x . . x x x x . x x | Find,1591,1575
Helloween.1376...........| x . . . . . x . . x x x . . x x | 1376
Jerusalem.1244...........| x x . . . . . . . . . . . . . . | 1244
Jerusalem.1808.Standard..| x x . x x x x x x x x . x . x x | 1808,Israeli
Jerusalem.Anticad.4096.B.| x . . . x . . . . . . . x . . . | Invader
Jerusalem.Fu_Manchu......| x . . . . . x . . . . . x . . . | 2080,2086
Jerusalem.Mummy.2_1......| x . . . x . . x . . x . x . . . | PC Mummy
Jerusalem.Sunday.A.......| . . . . . . . x . . x . . . . x | Sunday
Jerusalem.Zerotime.Austr.| x x . . . . . . . . . x x . x x | Slow
Joshi.A..................| x x . . x x x . x x x x x . x . |
Kampana.3700:Boot........| x x . x x x x . . x x . . . x . | AntiTel,Telecom
Keypress.1232.A..........| x x . . . . . x . x x x x . x x | Turku,Twins
Liberty..................| . x . . x . x . . x x . . . x x | Mystic,Magic
Maltese Amoeba...........| x x . . x . x . x x . . x . x x | Grain of Sand
Music_Bug................| . . . . x x . . x . . . . . x . |
Necros...................| x . . . . . x . . . . . . . . . | Gnose,Irish3
NJH-LBC..................| x . . . . . . . . . . . . . . x | Korea Boot
No_Frills.Dudley.........| x . . . . . . . . . . x . . . . | Oi Dudley
No_Frills.No_Frills......| . . . . . . x . . . . x . . . . |
Nomenklatura.............| x x . . . . . . . . . . . . . . | Nomen
November_17th.855.A......| x x . . x . x . . . . . . . . . | V855
NPox.963.A...............| . . . . x . x . . . . . . . . x | Evil Genius
Ontario.1024.............| . x . . . . . . . . . x x . . . | SBC,1024
Parity_Boot.B............| x . . . . . x x . x x . . x . . | Generic 1
Ping_Pong.B..............| x x . x . . . . . x . . x . x . | Italian
Predator.2448............| . . . . x . x . . . . . . . . . | 2448
Print_Screen.............| x x . . . . x . . . . . . . . x | India,PrnSn
Quit.A...................| x x . . . . . . . . . . . . . . | 555,Dutch
Quox.....................| . x . . x . x . . . . . . . . . | Stealth 2
Ripper...................| x x . . x . x . . . . . . . . . | Jack the Ripper
Screaming_Fist.696.......| x x . . . x x . . . . . . . x . | Fist 2,Scream 2
Sleepwalker..............| . . . . . . x . . . . x . . . . |
Stealth.B................| . x . . . . x . x . . . . . . . | STB
Stoned.16................| x x . . . . x . . . . . . . . x | Brunswick
Stoned.Azusa.............| x x . . x . x x x . x x x . x . | Hong Kong
Stoned.Empire.Monkey.B...| . x . . x x x . x . . x . x x . | Monkey 2
Stoned.Empire.Monkey.A...| . . . . . . x . . . . x . . . . | Monkey
Stoned.Flame.............| . . . . . . x . . . . x . x . . | Stoned(3C)
Stoned.June_4th..........| x . . . . x x . . . x x . x x x | Bloody!,Beijing
Stoned.Lzr...............| . . . . x . x . . . . . . . . x | Stoned.Whit
Stoned.Manitoba..........| . . . . x . x . . . . . . . . . | Stonehenge
Stoned.Michelangelo......| x x x x x x x x x x x x x x x . |
Stoned.NoINT.............| x x . . x x x x . x . x . . x . | Stoned
Stoned.NOP...............| . . . . . . x . . . . . . . x . | NOP
Stoned.Standard.B........| x . x x x x x x x x x x x x x . | New Zealand
Stoned.Swedish_Disaster..| x . . . . x . . . . . . . . . . |
Stoned.W-Boot............| . . . . . . x . . . . x . . . x | W-Boot
Stardot.789..............| . x . . . . x . . . . . . . . . | 805
SVC.3103.................| x . x . . . x . . . x . x . . . | SVC 5.0
Swiss_Phoenix............| . . . . . . x . . . . . . . . x |
Tequila..................| x x . . x . x x . x x . x x x x |
Tremor...................| . . . . x . . . . x . . . x x . |
V-Sign...................| x x . . x x x . . x x x x . x . | Cansu,Sigalit
Vacsina.TP-05............| x x . . x x x . . x x . . . x . | RCE-1206
Vacsina.TP-16............| x x . . x . . . . . . . . . . . | RCE-1339
Vienna.648.Reboot........| x x x . . . . . . . . . . . . . | DOS-62
WXYC.....................| . x . . . . x . . . . . . . . . |
Yankee Doodle.TP-39......| x . . . x . . . . . . . . . . . | RCE-2772
Yankee Doodle.TP-44.A....| x . x . x . x . . x x . . x . x | RCE-2885
Yankee Doodle.XPEH.4928..| . . . . x . . . . . . . . . . x | Micropox
Yeke.1076................| . x . . . . x . . . . . . . . . |
============================================================================
Total for first list: 88 Viruses
============================================================================

The second chart is based on a single participant noting more than one infection site and may signify limited regional virus outbreaks.

CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
10_Past_3.748............| . . . . . . . x . . . . . . . . |
AntiCMOS.................| . x . . . . . . . . . . . . . . |
Boot-437.................| . . . . . . . . . . . . . . . x |
BootEXE..................| . . . . . . . . . x . . . . . . | BFD-451
Brain....................| . . . . . . . . x . . . . . . . | Pakistani
Cascade.1701.G...........| . . . . . . . . . . . . . x . . | 1701
Coffeeshop:MtE_090.......| . . . . . . . x . . . . . . . . |
Darth_Vader.3.A..........| . . . . . . . . . . . . . . x . |
Datalock.828.............| . . . . . . . . . . . . . . . x |
Den_Zuko.A...............| x . . . . . . . . . . . . . . . | Den Zuk
DosHunter................| . x . . . . . . . . . . . . . . |
Emmie.3097...............| . . . . . . . . . . . . . . . x |
EXE_Engine...............| . . . . . . . . . . . . . x . . |
Grower...................| . . . . . . x . . . . . . . . . | V270x,268+
Hafenstrasse.............| . . . . . . . . . . . . . x . . | Hafen
Hi.......................| . . . . . . . . . . . . . . . x | Hi.460
Involuntary.A............| . . . . . . x . . . . . . . . . | Invol
Japanese_Xmas............| . . . . . . . . . . x . . . . . | Xmas in Japan
Jerusalem.1808.CT........| . x . . . . . . . . . . . . . . | Capt Trips
Jerusalem.1808.Null......| . x . . . . . . . . . . . . . . |
Jerusalem.Carfield.......| x . . . . . . . . . . . . . . . |
Jerusalem.Moctezuma......| . x . . . . . . . . . . . . . . |
Jerusalem.Mummy.1_2......| . . . . . . . x . . . . . . . . |
Jerusalem.Sunday.II......| . x . . . . . . . . . . . . . . | Sunday 2
Joshi.B..................| . x . . . . . . . . . . . . . . |
Jumper...................| . . . . . . . . . . . . . . . x |
Kampana.Galicia:Boot.....| . . . . . . x . . . . . . . . . | Telecom
Keypress.1744............| . . . . . . . . . . . . . . . x |
Little Brother.307.......| . . . . x . . . . . . . . . . . |
Lyceum.1788..............| . . x . . . . . . . . . . . . . |
MISiS....................| . . . . . . . . . . . . . . . x | Zharinov,NIKA
Murphy.Smack.1841........| . . . . . . x . . . . . . . . . | Smack
Necropolis...............| . . . . . . . . . . . . . . . x | 1963
November_17th.800........| . . . . . . x . . . . . . . . . | Jan1, 800
Number_of_the_Beast......| . . . x . . . . . . . . . . . . | 512,666
Parity_Boot.A............| . . . . . . . . . . . . . . x . |
Sat_Bug..................| . . . . . . x . . . . . . . . . | Satan Bug
Screaming_Fist.NuWay.....| . . . . . . x . . . . . . . . . | Sticky
Stinkfoot................| . . . . . . . x . . . . . . . . |
Stoned.Bunny.A...........| . . . . . . . x . . . . . . x . |
Stoned.Dinamo............| . . . . . . . . . . . . . . . x |
Stoned.Michelangelo.K....| . . . . . . . . . . . . . . . x |
Stoned.Empire.In_Love....| . . . . . . x . . . . . . . . . |
SVC.2936.................| . . . . . . x . . . . . . . . . |
SVC.3241.................| . x . . . . . . . . . . . . . . |
Stoned.Empire.Int_10.....| . . . . . . . . x . . . . . . . |
Swiss_Boot...............| . . . . x . . . . . . . . . . . | Swiss Army
Syslock.Syslock.A........| x . . . . . . . . . . . . . . . |
Vmem.....................| . . . . . . . . . . . . . . . x |
Voronezh.1600............| . . x . . . . . . . . . . . . . | RCE-1600
Yale.....................| . x . . . . . . . . . . . . . . | Alameda
============================================================================
Total for both lists: 139 Viruses
============================================================================

Release Notes:

Vol.203, March 1994

The 3-Tunes virus has appeared on the list. Two companies report the virus as being in the wild in South America. SVC.3241 has appeared, also in South America. Stoned.Empire.Monkey A and B variants have been found in Australia. Many Stealth.B reports are being received from the Florida (USA) peninsula.

After comprehensive tests on FreqList viruses using several current AV products, much of the alias field has been updated. Eli Shapira of Central Point and Igor Grebert of McAfee Associates have provided information for the companion FreqList. This information will be incorporated in the next FreqList release.
Vol.202, February 1994

This volume adds two new sources: Fernando Bonsembiante of Argentina, who produces the publication Virus Report, and Richard Head, of Yasuko Amano Jade Corp, who translates the virus reports of the IPA in Japan. Both these sources provide information that is regional in nature. This report includes the MISiS (Zharinov,NIKA) which was omitted from Vol.201. It was reported in Israel by Anthony Naggs of the UK and BRM.

Vol.201, January 1994

The Ripper virus was reported by four participants last month. Formerly reported to be in Bulgaria and Finland, the virus is now verified in the UK (several reports), Ireland, Finland, and the Netherlands. New information from BRM adds some viruses to the second list that are verified in Israel. Note especially Necropolis, which, with Dir II and Frodo, represent over 75 percent of the reports received by BRM.

============================================================================
The collation of this material is done by Joe Wells, Virus Specialist at Symantec, Peter Norton Group, who is solely responsible for its contents. The material presented is implicitly copyrighted under various laws, but may be freely quoted or cited. However, its source and cooperative nature should be duly referenced. Other antivirus product developers are invited to participate in the list. If you wish to do so, please contact me.
============================================================================
The WILDList by Joe Wells -- jwells@symantec.com -- 70750,3457 -- Vol2.02a
============================================================================

------------------------------

Date: Wed, 16 Mar 94 09:49:45 -0500
From: tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: VDS 3.0j (updated) (PC)

Hello everyone,

The new VDS (Virus Detection System) 3.0j Shareware Edition is available on Simtel-20 and some of its mirrors; the file name is VDS30J.ZIP.
This release of the package is intended to allow potential customers to evaluate the suitability of the product to their needs. It is a fully functional copy that lacks a few features of the Pro version (see the docs for details).

VDS 3.0j includes a fast virus scanner, a robust integrity checker with anti-stealth capability, a generic virus remover, external signature support, emergency diskette preparation, a very versatile decoy launcher, a low-level disk recovery tool, readable documentation, excellent Netware support (not just compatible), automatic and semi-automatic installation (with de-install feature), and a redesigned object-oriented (seriously) user interface.

VDS 3.0 emphasizes integrity checking, but also provides known virus scanning. Its catalog-based integrity database supports both DOS drives and Novell volumes. The newly added installation program simplifies protecting workstations by offering complete electronic distribution and configuration options. Once in place, VDS can perform periodic (user-definable) integrity checks and scans without further user intervention.

System requirements:
  IBM PC compatible computer
  Hard disk (for integrity checker) with 1024K free space
  384K of memory available
  Optional 192K extended memory for large catalogs
  MS/PC-DOS 3.0 or later

If you are looking for a comprehensive and up-to-date anti-virus package, we invite you to try VDS. It's only an FTP away! Let us know what you think.

Regards,

Tarkan Yetiser
tyetiser@umbc8.umbc.edu
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 19]
*****************************************
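The VDS announcement above rests on catalog-based integrity checking rather than on a known-virus signature scan. The following Python sketch is an added example, not VDS code and not part of the digest: it builds a catalog of size and hash for every executable under a directory, signs the catalog with an HMAC key that is meant to live off the protected disk (on something like the emergency diskette the announcement mentions), and later reports changed, missing and new executables. The catalog name, the key, the sample DOS files and the simulated appending infection are all constructed for the demo and are assumptions, not anything the announcement describes.

```python
# Added example (not VDS code, not from the digest): a minimal catalog-based
# integrity checker. The catalog name, key, sample files and the simulated
# infection below are all assumptions made for this demo.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CATALOG_NAME = "DEMO.CAT"                    # hypothetical catalog file name
TRACKED = (".com", ".exe", ".sys", ".ovl")   # DOS executable types worth cataloguing


def fingerprint(path):
    """Size plus SHA-256 of one file (SHA-256 stands in for any strong checksum)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_catalog(root):
    """Walk root and record every tracked executable, keyed by its relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in TRACKED}


def save_catalog(catalog, key, dest):
    """Store the catalog with an HMAC so a virus cannot silently rewrite it."""
    body = json.dumps(catalog, sort_keys=True)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    Path(dest).write_text(json.dumps({"body": body, "hmac": tag}))


def load_catalog(key, src):
    """Reject a catalog whose HMAC does not verify under the off-disk key."""
    wrapper = json.loads(Path(src).read_text())
    expected = hmac.new(key, wrapper["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("catalog tampered with or wrong key")
    return json.loads(wrapper["body"])


def check_catalog(root, catalog):
    """Compare the disk against the catalog: changed, missing and new executables."""
    current = build_catalog(root)
    return {
        "changed": sorted(k for k in catalog if k in current and current[k] != catalog[k]),
        "missing": sorted(k for k in catalog if k not in current),
        "new": sorted(k for k in current if k not in catalog),
    }


def demo():
    """Build a baseline, simulate an infection, and return (report, tamper_detected)."""
    key = b"demo key that would live on the emergency diskette"   # assumption
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        # Constructed sample files standing in for a DOS system disk.
        (root / "COMMAND.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 100)
        (root / "DOS" / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 200)
        (root / "README.TXT").write_bytes(b"not an executable, not tracked")
        cat_path = root / CATALOG_NAME
        save_catalog(build_catalog(root), key, cat_path)

        # Constructed "infection": an appending COM infector grows COMMAND.COM by
        # 1701 bytes and a dropper plants a new executable; EDIT.EXE is untouched.
        with (root / "COMMAND.COM").open("ab") as f:
            f.write(b"\xe9" + b"\xcc" * 1700)
        (root / "DOS" / "DROPPER.COM").write_bytes(b"\xcd\x20")
        report = check_catalog(root, load_catalog(key, cat_path))

        # A virus that re-catalogues its own infected files without the key
        # leaves a body/HMAC mismatch, which load_catalog refuses.
        wrapper = json.loads(cat_path.read_text())
        wrapper["body"] = json.dumps(build_catalog(root), sort_keys=True)
        cat_path.write_text(json.dumps(wrapper))
        try:
            load_catalog(key, cat_path)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want. First, a checker like this only sees what the operating system hands it: a resident stealth virus that intercepts file reads can return the original size and contents, so the catalog verifies clean while the disk is infected. That is exactly the gap the announcement's "anti-stealth capability" refers to, and this example has none; booting from a clean write-protected diskette before checking is the classic workaround. Second, the catalog is itself a target: without the HMAC (or with the key stored on the same disk), an infector can simply rebuild the catalog over its own modified files, which is why the demo keeps the key conceptually on the emergency diskette.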