VIRUS-L Digest   Friday, 8 Apr 1994    Volume 7 : Issue 25

Today's Topics:

re: Good vs. Bad Viruses
Re: good vs bad viruses
Re: Good Vs. Bad Viruses
Re: the current virus threat
Re: protection from virus in college labs
Re: Help OS/2 Viruses (OS/2)
Re: OS/2 and Virus's (OS/2)
HEEEEEELP ME NOW!!!! : Filler Virus (PC)
Disk Secure (PC)
Re: Avoiding floppy boot (was: FORM problems) (PC)
Re: boot sector virus named newbug (name from mcafee scan) (PC)
Re: McAfee virus programs (PC)
Re: MSAV signature files via FTP? (PC)
Re: boot sector virus named newbug (name from mcafee scan) (PC)
Re: vds30j.zip - Anti-virus w/integrity checker, scanner & more (PC)
Re: NAV Update Files by FTP? (PC)
help! on michelangelo virus (PC)
CANSU Virus (PC)
Re: Possible coding error in JezzBall (windows, PC)
Re: Alternate infection method? (V-Sign) (PC)
Re: Thanks for all comments re best antivirus (PC)
Re: Help! Monkey Virus (PC)
Re: Clean 111 & Mich. (PC)
Re: Help with V-Sign? (PC)
Re: DOS 6.X Anti-Virus (PC)
Re: A false alarm report (PC)
Dangerous bug in CLEAN (PC)
Re: Joshua & Joshi (PC)
Re: PGP Signed Files & F-Prot (PC)
Re: MS-DOS 6.x Anti-Virus (PC)
Re: Is speed really important? (PC)
New files on our ftp site (General)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 31 Mar 94 11:58:44 -0500
From: olpopeye@aol.com
Subject: re: Good vs. Bad Viruses

The debate continues unabated.

Brian Seborg (src4src!ktark@imageek.york.cuny.edu) writes

>....(much skipped) "It is common knowledge that virus infection and 'damage' figures are way out of proportion to scare users and sell more AV software."

Way out of proportion? Maybe. To scare users and sell more AV software? Can you spell P A R A N O I A ?? This is akin to saying that auto makers cause wrecks to sell more cars. It's the old "post hoc, ergo propter hoc" argument; as such it's logically fallacious and unprovable.

He ends up with:

>..." 'There is no such thing as a good virus in the wild' Prove it!"

That's a good circular argument... Can YOU prove that there IS such a thing...?

Henrik Stroem (hstroem@ed.unit.no) allows that I'm "missing the point," then suggests that:

">...it is many viruses which may not cause a YES to appear, and the virus-writer will then by your book not be a criminal because (of) the lack of intent."

Right - See Test # 5 in my original message which invites one to "insert your own test here..." A crime committed by negligence, by dereliction, or through gross stupidity is still a crime, even if devoid of malicious intent. In court, the fact of guilt or innocence remains unchanged; the severity of the sentence adjudged may be lessened through consideration of "mitigating circumstances."

Then we encounter "Sara" (vfr@netcom.com) who seems to feel that one must consider the "Social and ethical aspects;" to say that "it would be very wrong to say all virus writers are intentionally malicious people." Oh?
I disagree, but given the book definition of "malicious," there exists a semantic difference that in no way mitigates the deleterious effects of some idiot loosing a virus upon the computer world. Surely enough has been said, written, and preached about the ill effects of viruses in our world that unless one has been living under a rock, literally EVERYONE with any programming knowledge at all is fully aware of viruses' destructive effects. Knowing these effects, how can *ANYONE* sit and write a virus (generic term, to include Trojans, worms, et al) knowing that there exists a high probability that once written, it will be released either through INTENT or through NEGLIGENCE and thus cause highly undesirable effects to someone else's computer/data/business/etc.?

'Way back when I was a younker, I found an old chemistry book telling how to mix nitroglycerine. I was young enough and stupid enough to mix a small batch. Fortunately, I neither killed nor maimed anyone, but I disintegrated a tree stump so violently that a piece took out Dad's pickup truck's windshield 250 feet away. Dad was not amused. I never, never ever tried that again. But despite the lack of malicious intent, the truck windshield was still trashed.

So personally, I don't care what your social or ethical lacks, your "flavors," your "motivation," or any "who/where/why/what/when and then some," keep your destructive crap out of MY computer!

My warm regards and thanks to the many supporters of my viewpoint. As for the others, well, "c'est la vie, n'est-ce pas?"

Walter E. Murdock                    OlPopeye@AOL.COM
Murdock Associates, Palo Alto        75270.37@Compuserve.com
"I sign the payroll, so my opinions count. HERE, anyway!"

------------------------------

Date: Thu, 31 Mar 94 13:43:55 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: good vs bad viruses

Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) writes:

> You or anyone in this group have yet to prove that I am wrong.
He, and many others in this group have proven you wrong many times, but you have yet to admit it. :-)

> It is common knowledge that virus infection and 'damage' figures
> are way out of proportion to scare users and sell more AV software.

Is it? Care to provide some hard evidence?

> >You have not refuted any of the arguments regarding "good"
> >viruses, and if David Stang actually stated that most businesses would
> >not be affected by viruses, that is probably because he is aware that
> >most businesses fail. :-)
> The David Stang quote was a serious one, pseudo-humour does not apply here.

With all my respect to Dr. Stang, some of our students who have attended his speech on computer viruses at the Hannover Computer Fair have reported it to be total nonsense, so I would take anything technical he says on this subject with a pinch of salt. Especially when it is reported by third parties known to be virus writers. :-) Too bad that I missed Dr. Stang in Hannover - we could have had a nice discussion...

> I hate to turn this into personal excursion into adolescence.. but since

Don't do it, then. :-)

> most businesses fail, then VDS leads the pack.. right?
> Isn't VDS a business after all? :)

What are you trying to tell us here, hmm? Each time an anti-virus expert proves you wrong, your standard reply is "ah, but you are one of those who want to sell us anti-virus products; you are biased". Well, you seem to be one of those who are writing viruses; I would say that you are rather biased too...

> There is no such thing as 'the truth.'

Ah, we're getting philosophical, aren't we? How about a discussion about ethics? Have you asked yourself - is it ethical to create a virus and release it to the world? Regardless of whether it is legal or not - is it ethical? Is it a "good thing" to do?

> If your statements are not supported by someone's knowledge or studies,
> then your truth is a particular one and might not have much in common with
> a universal truth.
If someone's statements are not supported by someone's knowledge or studies, then either the statements or the knowledge and studies are flawed. Find out which one is the case and demonstrate it - this is the scientific way to have a discussion.

> You say 'There is no such thing as a good virus in the wild'
> Prove it!

Don't they teach you basic logic in your country? Haven't you ever heard that it is always difficult (and often impossible) to prove a negative? *You* claim that there is such a thing as a good virus, *you* prove it. It should be much easier.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 13:56:51 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good Vs. Bad Viruses

Mike Mattone (mike@mik.uky.edu) writes:

> I think that the people who design the virus-protection software are
> the ones inventing a majority of the viruses out there.

Care to provide some evidence to back up the above claim? There are about 4300 IBM PC viruses out there, so you have to prove to me that at least 2151 of them have been "invented" by the "people who design the virus protection software". Or do you mean just the viruses in the wild? Well, there are about 150 of them, so please prove to me that at least 76 of them have been written by the above category of people. Not that I do not know any viruses that have been written by people who have also tried to sell anti-virus software (V2Px and Gliss are two examples), but this is by no means anything more than isolated exceptions. No self-respecting anti-virus researcher will ever release a virus.
> If a new virus
> appears on the scene, you have to rush out buy some software to protect
> your computer, right?

Wrong. There are about 3-4 new viruses appearing every *day*. The above claim would mean that you have to rush out to buy some anti-virus software 3-4 times every day, which is obviously not the case. :-) People usually buy anti-virus software in two cases: *after* they get infected, or when they are implementing some kind of corporate policy for virus protection - which is often a consequence of the first situation.

> Sort of a self-perpetuating business, huh?

This is a die-hard urban legend. It has always amazed me why it is so viable. It is indeed the first thing that comes to mind when you consider the question, but it is also the first thing that a reasonable person would reject after examining the subject closely. Oh, well, probably most people are not reasonable persons who like to examine the subject closely... :-)

Look, more new viruses means that the anti-virus producers are forced to constantly improve their products, in order to be able to detect them. This means that they have to spend much time, effort, and money doing this. Clearly, it would be much more profitable for them if there were no new viruses (so that they don't need to update their products), but the old viruses still spread (so that there is still a market for their products). Well, the old viruses still spread, because only about 20% of the computer users care to use some kind of anti-virus protection. Therefore, more new viruses is clearly a pure waste of money for the anti-virus developers.

On the other hand, in most cases it is not correct to claim that the user is forced to pay for each new update. Most producers of anti-virus software that needs constant updating (i.e., scanners) have licenses that are dependent on time, not on the number of updates.
Therefore, those producers are clearly at a loss if the virus production increases and they are forced to produce more updates for the licensed period of time.

As you can easily see, in any case it is in the commercial interest of the anti-virus producers that computer viruses exist, but it is *not* in their commercial interest to have more and more new viruses.

> P.S. Just kidding, okay?

You mean, it was some kind of joke? Sorry for not getting it, but the subject is very serious and I am getting really tired of this urban legend.

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 14:05:46 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: the current virus threat

Christopher W Outtrim (cs90cwo@brunel.ac.uk) writes:

> I am carrying out a study of the current threat to computer systems,
> in particular stand alone PC's and PC networks. I am particularly
> interested in polymorphic viruses (eg. The Satan Bug) and the methods
> used to guard against and remove such viruses.

Polymorphism is an attack against a particular kind of anti-virus protection, merely known-virus scanning. It is a rather efficient attack, if implemented well. However, such viruses can be easily detected using other kinds of anti-virus protection, for instance integrity checking. Of course, there are also attacks which are very effective against integrity checking (but don't work against scanners) and so on.
In general, the best idea is to use all available kinds of anti-virus protection, with an accent on integrity checking, since this is the strongest line of defence (meaning that it is the one that is the most difficult to bypass, not that it is impossible to bypass it).

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 17:08:54 -0500
From: "Steve Bonds (007"
Subject: Re: protection from virus in college labs

Julian wrote:

>I teach at a community college campus that has 80 computers connected
>through Banyan Vines as well as each station being used as intel term.
>We have been having a terrible time keeping our stations "clean" even though
>we require students to get their disks checked before entering the lab.
>Students have computers at home and at work that may be getting infected
>by our viruses or vice versa. While we have not run into a lot of problems
>with viruses on our network, independent stations have been a constant
>area of concern.

Sounds like you have a problem with boot sector viruses. (Form, Stoned, Monkey and Michelangelo are a few common examples.) File infecting viruses often spread through a network's file system creating lots of headaches for the system admin. Boot sector viruses are spread by users booting the computers from infected disks. The best way to prevent their spread is to change the CMOS in the computers so that they boot from the hard disk only. If floppy booting is really necessary, you can install a program in the boot sector of the hard disk that will boot from a floppy if you hold down the key while starting up. Mail me if you want more info.
Another wise precaution is to install some kind of TSR that checks for viruses in the boot sector when the computer starts, and each file as it is executed. One good program is included with F-prot, a freeware antivirus package. You can get it via FTP from oak.oakland.edu as /pub/msdos/fp-211.zip. The actual TSR is called VIRSTOP.EXE. Be sure to load it after the Banyan file redirector (REDIRXX) or it won't work properly. Run the test file "F-TEST.COM" to test if VIRSTOP is working. Load VIRSTOP with the /WARM and /BOOT switches to check for boot sector viruses before warm-booting and as each floppy is accessed.

If you disable floppy booting and install VIRSTOP, the rate of infection you see in your lab is sure to drop markedly! Mail me back if you want more help.

-- Steve Bonds

- --
000  000  7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0 0  0 0     7 |-----------------------------------------------------------
0 0  0 0     7 | Childhood is short...                    [Calvin & Hobbes]
000  000     7 | ...but immaturity is forever.

------------------------------

Date: Thu, 31 Mar 94 12:21:11 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help OS/2 Viruses (OS/2)

Hervey Allen (hervey@oregon.uoregon.edu) writes:

> a virus. My questions to anyone out there are, "Are there any OS/2
> specific viruses ?",

Yes, there are. I have seen two of them already. The first is a primitive overwriting virus which barely works and the second is a non-resident parasitic virus. Neither of them poses a serious threat and I would be very surprised to hear that they have been found in the wild.

> and "Can you point to a file on the network that
> might talk about such viruses?"

I am afraid that I cannot help you here.

[problem description deleted]

> If anyone has dealt with anything like this, or if this really sounds
> like corrupt OS/2 startup files any advice or info that comes my way
> would be greatly appreciated.
It does sound like a hardware or a configuration problem to me, not like a virus, but I am by no means an OS/2 expert - my knowledge in this area is severely limited.

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 15:09:54 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 and Virus's (OS/2)

Brian J. Geregach (sirtwist@csuohio.edu) writes:

> Looking for any information on how virus's affect the OS/2 environment.

First, there are the OS/2-specific viruses. I know only two such viruses and they are too lame to be of any significant threat.

Second, there are the MS-DOS viruses, which are able to run in a DOS box under OS/2. Many of them use undocumented tricks not supported in DOS boxes and simply crash, but many others are able to run and infect correctly - mostly because OS/2 runs DOS programs so well, including DOS viruses. Due to the memory protection in OS/2, a virus that has infected the memory in one DOS session is unable to infect the other DOS sessions - unless it succeeds in infecting the command interpreter, which is shared between the sessions. (I mean, to infect the file containing the command interpreter - then the virus will become active in any subsequently started DOS session.) Furthermore, the format of the OS/2 application is different from that of the MS-DOS executables, and many (most) viruses are unable to infect these files correctly. If infected, such files will crash when started. However, the DOS programs are still infectable on an OS/2 system.

Third, there are the DOS-independent viruses, like most MBR infectors.
They are perfectly able to infect an OS/2-only system (or Unix-only, or whatever else, if it only runs on an IBM PC compatible machine). Depending on how exactly the virus works, OS/2 may crash at boot time, or be able to boot and work. The virus, however, will not be able to spread. However, if the virus has a damaging payload that activates at boot time (e.g., Michelangelo), it will still be able to cause damage. There is one additional aspect to this - some boot sector viruses mess up the Boot Manager and can be quite a pain to remove - Form is a good example of that.

At last, as far as I understand, OS/2 can keep an image of a DOS boot sector in a file and be instructed to boot from it. In some cases, such files can contain the image of an infected boot sector and cause re-infections. However, my knowledge of OS/2 is not good enough, so I would like it if someone more knowledgeable on this subject could comment on this.

Regards,
Vesselin

------------------------------

Date: Sun, 27 Mar 94 02:08:08 +0200
From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: HEEEEEELP ME NOW!!!! : Filler Virus (PC)

Hi Bernt!

> My scan112 reports a Filler virus in upper memory. Then I boot
> from a clean, writeprotected disk and run clean112, but it doesn't
> remove the virus. I've read that it formats part/all of disk!!

Do you use an older version of TNT Turbo Anti-Virus, or some version of CPAV? This error sometimes occurs if you load one of those devices high and scan memory afterwards. The phenomenon is called "ghost virus" and is often due to unencrypted scan strings used by such a resident scanner.

> How do I remove it???
Try unloading your TSR or device-driver virus scanner.

cu!
eppi

- --- GEcho 1.01+
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date: Mon, 28 Mar 94 09:04:03 +0200
From: Trevor_Learoyd@p11.f107.n441.z9.virnet.bad.se (Trevor Learoyd)
Subject: Disk Secure (PC)

Hi Padgett,

On 07 Mar 94 at 16:36, you wrote to All:

APP> Both are available on several sites (Archie). DS241.ZIP and FixUtil6.ZIP
APP> are current or I can send uuencodes.

Do you (or anyone else here) know of any UK Fido sites where these files are available?

Regards.....Trevor

- --- GEcho 1.00
 * Origin: Red Shifted from Index III (9:441/107.11)

------------------------------

Date: Thu, 31 Mar 94 07:09:06 -0500
From: "David M. Chess"
Subject: Re: Avoiding floppy boot (was: FORM problems) (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>3) Third, check if your computers have the new AMI BIOSes, which allow
>them to be set up to attempt to boot from the hard disk first, instead
>of from the floppy.

As a sidenote, it's not just AMI BIOSes that allow this; various IBM PS/2s, for instance, also have a configurable boot order...

DC

------------------------------

Date: Thu, 31 Mar 94 12:09:12 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: boot sector virus named newbug (name from mcafee scan) (PC)

Marion Neubauer (Y72@VM.URZ.UNI-HEIDELBERG.DE) writes:

> a person from my department brought a pc with suspicious harddisk
> to the dealer. the dealer found a virus called newbug (name from scan v112).
> we scanned all other pcs and floppies and did not find any virus
> at all. maybe someone took a floppy away, but i wanna know
> if it is possible that scan and f-prot (i tried it with both) did
> not recognize the virus under some circumstances?

SCAN 112 calls "NewBug [Genb]" the viruses with standard CARO virus name AntiEXE.A and AntiEXE.B.
F-Prot detects the first as "AntiEXE" and the second as "New or modified variant of AntiEXE". According to my experience, both scanners are able to detect those viruses reliably. I am also not aware of any false positives of SCAN for this particular virus. Could it be that somebody has disinfected the virus already, or that the hard disk has been delivered infected, or there has been some other kind of anti-virus software (like CPAV/MSAV) that could have caused a ghost positive?

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 12:26:29 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: McAfee virus programs (PC)

Mike Mattone (mike@mik.uky.edu) writes:

> Can anybody tell me where I can find the shareware versions of the
> McAfee virus protection programs, SCAN, CLEAN and VSHIELD? I looked

A good place to get them is McAfee's own ftp site: mcafee.com. They can be found in the /pub/antivirus directory.

> at wuarchive.wustl.edu but they've made so many changes to their
> system since I last looked there that I can't find *anything* anymore.

I am not using wuarchive, because it is so overloaded, but you can find them also on oak.oakland.edu, in the /pub/msdos/virus directory. Many other sites are carrying them as well. Our site is mirroring mcafee.com in the directory /pub/virus/McAfee, but it would be a waste of resources for you to download them from here.

> I'd prefer e-mail rather than a follow-up post because I rarely have
> a chance to check netnews, but I will make a point of it now that I
> have asked this question. So, feel free to respond in whatever manner
> seems most appropriate to you.
I am sending you a copy of this message by e-mail.

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 12:30:10 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MSAV signature files via FTP? (PC)

YALUSA JONGIHLATI (mm94jony@sirius.ru.ac.za) writes:

> Could someone please tell me if the MSAV signature file for Viruses can be
> downloaded via FTP and if so, could you please E-Mail it to me.

I don't think so, although I might be wrong. A long time ago, we got the updates for CPAV with the permission to distribute them on our ftp site. (They can still be found there: ftp.informatik.uni-hamburg.de:/pub/virus/progs/cpav_upd.zip although they should be out-of-date already.) We also got the updates for MSAV, but they were not explicitly mentioned in the permission. I asked CPS whether I can distribute them too, but got a negative answer. I found this quite frustrating, because the MSAV updates *are* freely available on CPS' BBS and on top of that the CPAV updates also work for MSAV (at least the DOS part does). Since then I have got several other updates, but since they have never been accompanied with the explicit permission to distribute them and since we have not been explicitly asked by CPS to perform such a service with any further updates, I refrain from putting them on our ftp site.

Besides, you should consider using a better anti-virus product. :-)

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 12:35:49 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: vds30j.zip - Anti-virus w/integrity checker, scanner & more (PC)

Warning, those of you who decide to use VDS 3.0j, be aware that the scanner often gives a false positive about a virus called "Animus".
The scanner is rather poor in general, so my advice is to drop it and to use only the integrity checker, combining it with a good scanner like F-Prot. The integrity checker in VDS is rather good, if you manage to make it work on your system - it seems to be incompatible with compressed and encrypted volumes and other unusual environments.

Regards,
Vesselin

------------------------------

Date: Thu, 31 Mar 94 13:06:18 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV Update Files by FTP? (PC)

Dilan Patel (dpatel@menger.eecs.stevens-tech.edu) writes:

> Is there any way that one can get NAV 3.0 update files directly off an
> internet site ?

Yes, there is.

> if so, can someone please tell where I can get the updates ?

Symantec regularly sends us the updates and, with their permission, we are making them available on our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/nav??upd.zip

There are three archives matching the above specification, for NAV versions 2.0, 2.1, and 3.0 respectively. The latest updates for NAV 3.0 are for March. As far as I understand, the other versions will be discontinued soon.

Please note that providing this kind of service does not imply that I am recommending NAV 3.0 as an anti-virus product. I am not. However, I realize that it has a large user base, and I also understand that keeping those users updated provides them better protection than not doing so; that's why we are providing this kind of service. Of course, an even better protection for them would be to switch to an even better product, but this is up to them to decide. :-)

> Please e-mail me with any info.
Why do you think that others will not be interested in the answer to this question?

Regards,
Vesselin

------------------------------

Date: 31 Mar 94 13:39:45 +0000
From: mjliu@csie.nctu.edu.tw (Ming-zhou Liu)
Subject: help! on michelangelo virus (PC)

hi,

today at my friend's place, i turned on his computer and a strange message appeared:

  DRIVE FAILURE (or something to that effect, i forgot)
  Put boot disk into drive A and press any key...

at first i checked the power supply and the wiring but found nothing wrong. then i went to CMOS setup and found that the date stopped on "Mar 6". it seems to me that maybe the date was set incorrectly and today it happened to fall on Mar 6 and triggered the virus!

my question is: does the error message above look like what the michelangelo does to the computer? to disable the harddisk completely?? any recovery of data possible??

------------------------------

Date: Wed, 30 Mar 94 09:05:00 -0600
From: jerry.brown@cld9.com (Jerry Brown)
Subject: CANSU Virus (PC)

Anyone know anything about the CANSU virus, as in if it can be removed without having to re-partition the hard drive? It was running around a local university, and I managed to get it transferred to a friend's computer......unfortunately, Central Point Anti-Virus will not detect it; so I didn't know it was present till the computer would no longer boot. McAfee's Scan program will detect it, but unfortunately Clean says it cannot safely remove it from the partition table.

Right now, I am booting off a floppy, which loads VSHIELD. VSHIELD throws up a message that the partition table is infected, but does install itself as the virus doesn't activate unless you boot off the infected disk.

Any suggestions?
- --- FreeMail 1.09 * Origin: ATAS BBS*713-837-8003*Internet:@atas.cld9.com (1:106/8003) ------------------------------ Date: Thu, 31 Mar 94 13:49:19 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Possible coding error in JezzBall (windows, PC) Alan D. Tegel (olympian@mentor.cc.purdue.edu) writes: > the game she was playing. She said she would reach a very high score > and then low and behold the whole screen would turn into Japanese letters [snip] > it to them yet. Does this sound like a virus or a software bug? It sounds like a software bug to me. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 31 Mar 94 13:51:13 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Alternate infection method? (V-Sign) (PC) Kevin Kenney (kenney@nb.rockwell.com) writes: > I know the above. I also know that boot sector viruses are often larger than > the boot sector, with the 'body' of the virus being elsewhere. In V-Sign's > case, I've been told this 'body' resides in the directory table area. My That's true, although it applies only to floppies, not to hard disks. The second part of the virus body is written over the last two sectors of the root directory - where exactly depends on the particular format of the floppy. > comment was if this 'body' was in the data area, and corrupted a file, the > 'body' could be written so as to infect a system if the corrupted file was run First, it is in the directory area, not in the data area. This means that it can corrupt the information *about* the files, but never be placed *in* the files. 
Second, in this particular case (V-Sign), the virus is *not* written in the way you are afraid of.

> I'd read the FAQ if it were ever updated! It's two years old! It should keep
> people up to date, instead of just giving basic definitions.

If you had bothered to read the FAQ carefully, you would have noticed a reference to our Computer Virus Catalog. It is available from our ftp site (get the exact reference from the FAQ), free of charge, and contains the technical descriptions of many viruses. If you had bothered to follow this reference and to look in the CVC, you would have found the description of the V-Sign virus and of the way it infects.

I admit that the FAQ is rather old and *does* need updating (I really should do this one of these days), but this is not a scanner that needs to be updated every month. Its main goal is to provide the basic knowledge and also pointers to additional sources of information. IMHO, it fulfils this goal rather well.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 13:54:53 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thanks for all comments re best antivirus (PC)

Dave Spitz (SPITZ_DAVE@MUSIC.LIB.MATC.EDU) writes:

> As it looks right now, we are attempting to stay with McAfee
> Associates for our antiviral software. F-Prot is a very close second,
> and depending upon circumstances F-Prot may be the final choice.

Just curious, what kind of tests show F-Prot to be second to SCAN? According to my tests here (I am going to publish the results soon), F-Prot is significantly superior to SCAN in all aspects common between the two packages. It has better detection (although not that much better; something like 96% vs. 82%), *much* better identification (which is virtually non-existent in SCAN), and *much* better disinfection (which is rather weak in CLEAN).

It is true, however, that the shareware version of McAfee's software has some features that are not available in the shareware version of F-Prot - features like integrity checking and generic disinfection. However, those features are rather weak in McAfee's products; there are other packages which implement them in a much better and more secure way. Or was it the combination of the features (instead of being forced to use several different products) that makes McAfee's product look better to you?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 14:03:51 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! Monkey Virus (PC)

Bruce Andrew Carl Douglas (umdougl6@cc.umanitoba.ca) writes:

> McAfee SCAN 9.19 v108 later identified it as the Monkey virus located in
> the boot sector of his floppies. MSAV (bundled with MS-DOS 6.2) also
> reported the Monkey virus. However, neither of the cleaning programs with
> these two packages worked.

I would advise you to use a better scanner - for instance, F-Prot. Alternatively, you could use the small program KillMonk3, which can deal with this particular virus (and with one more, Int_10, but nothing else) very well. Both programs are free for individual use and are available from many ftp sites. In particular, KillMonk3 is available even on McAfee's ftp site, regardless of the fact that it is not produced by them.

> I used the FDISK /MBR command on one of the floppies, and I was given the
> message PACKED FILE CORRUPT. After that, I switched to the C:\ drive and
> rescanned the floppy. It was reported clean.

Hmm... First, the above message ("Packed file is corrupt") is unlikely to be caused by this virus. It is a boot sector infector and does not affect files. Second, the FDISK /MBR trick is suitable *only* for removing MBR infectors from the first physical hard disk. It doesn't work on floppies; you have to use SYS for that, if you can, or even better - a virus-specific program. Third, Monkey is a typical example of a virus for which the FDISK /MBR trick _MUST_NOT_ be used, because it will make the hard disk inaccessible.

All of the above makes me doubt that you have had a typical Monkey infection. It could be something else, including a file infector. I would suggest that in the future you use a scanner which is able to do better identification of the viruses it detects. F-Prot is an excellent example of such a scanner. There are others which can do better identification, but they are commercial, while F-Prot is free for individual use.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 15:02:23 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clean 111 & Mich. (PC)

McAfee Associates (mcafee@netcom.com) writes:

[Why "McAfee Associates", BTW? I was told that the company has been renamed to just "McAfee".]

> We used to deactivate viruses when they were found in memory. We stopped
> after receiving complaints from users about their systems crashing when a
> virus could not be disabled correctly.
There is no such virus which cannot be disabled correctly in memory. There are only anti-virus programs which are unable to do that. The better ones can do it, but it requires a lot of care and effort, and we see fewer such programs lately.

> With the almost unlimited numbers
> of PC configurations in use, it is impossible to test for compatibility
> with each operating environment.

Sorry, but the above doesn't make any sense. In order to deactivate the virus in memory, the anti-virus program must be able to detect it there, to identify it, to patch the relevant part of it, and to check that the patch has been successful. This has nothing to do with the "unlimited numbers of PC configurations in use" - it is more related to the "unlimited number of existing computer viruses". :-)

The only incompatibility that I can see is if a weird memory manager succeeds in loading the virus into a part of memory that is readable but where writing to it (and therefore patching the virus) is not allowed. However, first, it is unlikely that the virus will be able to work in those conditions; second, I know of no such memory manager; and third, in this case the anti-virus program has just to check that the patch has not been successful and to announce it.

> Therefore it is quite logical to warn
> the user that a computer virus has been found in the memory of his (her)
> computer system and to power down the system and boot from a virus-free
> copy of the operating system on diskette before continuing.

It is indeed always better to ensure that the memory is virus-free, and the most reliable way to do this is to cold boot from an uninfected write-protected system diskette. However, a good anti-virus program should be able to detect if there is a virus in memory (most anti-virus programs can do this) and to deactivate it if this is the case. Very few scanners can do the second step. Actually, I know only about two - IBM Antivirus (the resident scanner, but it can deactivate very few viruses) and AntiVirus Pro - it's much better and has memory detection, memory deactivation, file & boot sector detection and disinfection for most viruses it can find.

Therefore - it can be done. You have simply opted for the easier solution and are not doing it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 15:02:38 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with V-Sign? (PC)

jbakan@opal.tufts.edu (jbakan@opal.tufts.edu) writes:

> A scan with F-Prot version 211 showed the presence of V-Sign (in
> the MBR I think). It was subsequently removed with F-Prot.
> The inability to load high, however, continues, even if booted from a
> clean floppy. Again, this is not a total failure to load high,
> a couple of small apps do load high, but most only load in conventional
> memory. The machine scans as clean with F-Prot and Viruscan.
> What does V-Sign do? How is it propagated? Are the continuing memory
> problems due to V-Sign, or do I have another (possibly hardware) problem?

F-Prot is able to identify V-Sign reliably, which makes me think that you indeed have been infected by this particular virus. However, the problems that you describe do not seem to be related to it. For a description of V-Sign, see our Computer Virus Catalog. See the FAQ for information on how to get it.

My advice to you is to run the memory optimizer that comes with your memory manager - Optimize, Memmaker, or whatever. Try it, your problems might go away.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 15:07:57 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DOS 6.X Anti-Virus (PC)

Fred Houlihan (FTH@PSUVM.PSU.EDU) writes:

> I subscribed to the IBM update service and received a diskette with
> the signature file for the IBM Antivirus update 1.04 this past
> Saturday. It immediately detected 2 probable viruses on my system that

Please note that when IBM Antivirus says "probable", it means that the virus has not been identified exactly and it might be a false positive. Have you instructed it to use fuzzy scan strings? This often causes such problems.

> program. I witnessed Norton support in January when a co-worker's
[snip]
> and was able to recover from it all in a couple of hours. Meanwhile
> I am still in big trouble dealing with both Central Point and IBM and

Norton (Symantec, actually), Central Point, IBM... You seem to think that only the big companies are able to produce good anti-virus software? :-) Give F-Prot a try - it is free for individual use and its scanner is significantly better than any of the scanners in the products mentioned above; especially better than Central Point's. I don't have first-hand impressions of how good the technical support is, however. But I have witnessed cases when the author of the product has supplied an update only 24 hours after an infection with a new virus has been reported to him. He is not the only one able to do it - I have witnessed the same for VET and AVP too.

> yet. There are only 2 sources where this virus could have come from:
> my installation of Central Point V2 for Windows or the IBM Antivirus
> update.

Why do you think so? V-Sign is a boot sector virus; this means that even blank formatted floppies are infectable and infective. It is enough to forget such an infected data-only floppy in the A: drive at boot time and your hard disk will become infected. Or are you talking about a different virus?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 15:13:32 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: A false alarm report (PC)

Fridrik Skulason (frisk@complex.is) writes:

> I just checked a file named DELAY.EXE, in a file named imagepro.zip, which
> is available on most major FTP archive sites. This was because according
> to a report I received, an anti-virus program (VirHunt 4.0c) reports a
> NMAN virus in that file.

> This is incorrect - the file is NOT infected.

:-). I can easily see how it has happened. "NMAN" (short for "Nowhere Man") is the identifier used by the CVirus family. As you know, these are High Level Language viruses (HLLOs), and it is very easy to pick the wrong sequence of bytes (one that will cause false positives) as a scan string for such viruses.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm.
107 C  e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 15:52:35 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Dangerous bug in CLEAN (PC)

Hello, everybody!

I have several times repeated here how important it is to identify viruses exactly. Without this, it is often impossible to reply to one of the main questions the user of an infected system asks: "What does this virus do? What damage has it caused to my system?". However, exact identification is even more important during virus disinfection. Disinfecting the wrong virus variant can severely damage the file, instead of restoring it to its original state. Not all viruses can be properly disinfected, and very few scanners perform exact virus identification, so it is always better to delete the infected files and restore them from uninfected backups. Nevertheless, some scanners perform better virus identification than others, and are therefore more reliable.

I have also often complained here about how unreliable the virus identification in McAfee's SCAN is. Fortunately, its companion program, CLEAN, performs slightly better identification. So, often when SCAN has reported a virus which the documentation claims CLEAN is able to disinfect, CLEAN is able to detect that it is actually a different variant and refuses to attempt to disinfect it, offering the option to destroy the file as an alternative.

As it turns out, this is sometimes not an alternative, and CLEAN has made the choice for you. In those cases, when it tells the user that it is unable to remove the virus and asks whether to delete the file, this is a rhetorical question - because the file is *already* destroyed.

Here is how to reproduce the bug. Take an executable file you don't care about if it is destroyed, and use a hex editor to change its last ten bytes to

    03 F3 A5 26 C6 06 FE 03 CB 58

This will make SCAN report the file as infected by "Jerusalem [Jeru-A]". So far, so good - there is nothing bad in this and it is possible to fool most scanners in a similar way. Now, start CLEAN, and tell it to disinfect the "[Jeru-A]" virus from the file. It will display several messages that it is trying to remove the virus. At the end it will notice that it can't do it (quite naturally, since there is no virus in the file), will suppose that this is a new variant, and will propose that you delete it. Reject the proposal and tell it NOT to delete it.

At this point, CLEAN has been unable to remove the virus, and you have told it not to damage the file. It is natural to assume that the file has remained in its original (although "infected") state. Nope! Look at it, it has been severely truncated! On top of that, CLEAN says that the virus is removed (or even something more weird - that 9 viruses are removed).

Looks like a bug to me - first CLEAN attempted to disinfect a virus it did not identify, and second it damaged the file without asking me for permission and without even noticing it. Is it so difficult to work on a temporary copy of the file and restore it if the disinfection attempt is detected to fail (as it is in this particular case)?

The bug is verified to exist in CLEAN versions 112 and 113 and probably exists in many of the previous versions. A copy of this message has been forwarded to McAfee. Finally, I would like to thank Zvi Netiv, who turned my attention towards this bug.

The moral of the story is: beware of virus disinfectors that cannot perform exact, or at least nearly exact, identification. Even better, don't use disinfectors at all - just delete the infected files and restore them from a clean backup instead.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 16:54:34 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshua & Joshi (PC)

> [Moderator's note: No, although the address cert.sei.cmu.edu works, it
> was long ago replaced by cert.org (IP number 192.88.209.5); please use
> the new name/number. Also, the version of VTC on cert.org might be
> out of date - Vesselin?]

Uhm, yes, I am afraid so. Yes, I just checked, it is *rather* out of date - the latest update is from 1992. Those who are interested can get the latest version from our ftp site:

    Site: ftp.informatik.uni-hamburg.de
    IP:   134.100.4.42
    Dir:  pub/virus/texts/catalog

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 16:56:29 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: PGP Signed Files & F-Prot (PC)

Ian Hebert (ian.hebert@homebase.com) writes:

> Frisk, you already distribute your PGP public key with the shareware
> version of F-Prot. Why don't you include a PGP signature for the
> documentation, virus signature, and executable files? That would be the
> best way I can think of to allow users to assure themselves that they've
> got a legitimate copy....

Yes, indeed, I wholeheartedly support the idea! Frisk's PGP public key has already received wide distribution, it is on the PGP public key servers, is signed by me, and it is rather difficult to spoof it. He *really* should begin to include detached signatures of at least the executable files in his package - and maybe clearsign the documentation files. Frisk? Please? :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 17:02:01 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

Richard Ellison (RichardE@keeper.demon.co.uk) writes:

> > I was wondering whether anyone could offer
> > an opinion, comment, thought etc. regarding the effectiveness of the
> > Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
> > version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

> I would recommend that you do not use the so-called AV soft supplied with MS-DOS
> as it is not the best around (I am being diplomatic here).

Just a word of caution, could it be possible that the original poster has in mind not MSAV (the anti-virus program that comes with MS-DOS 6.0), but IBM Antivirus/DOS (the anti-virus program that comes with PC-DOS 6.1)? While I completely agree with you that MSAV is total junk and simply dangerous to use, IBM's product is not that bad (although I've seen better ones). Finally, neither of the two should be confused with the anti-virus product that comes with Novell DOS 7 (which is a variant of the scanner that used to be part of Untouchable).

> I suggest that you use something like F-PROT which is a very good and fast
> virus scanner (It is also shareware) or if you would like to buy then
> Thunderbyte Anti-virus is a very good choice.

A minor correction - F-Prot is freeware for individual use and TBAV is shareware. Also, TBAV is significantly faster than F-Prot (something like 4 times!), although its detection rate is worse. Nevertheless, both are very good choices, as you pointed out.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 17:34:38 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is speed really important? (PC)

Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) writes:

> >TbScan has only 8 microprocessor instructions in the crucial inner loop.

> Short of engaging everyone in a "my scanner is faster, my scanner is

Well, his scanner indeed *is* the fastest one around, so what's your point? TbScan scans my whole virus collection (5,300 directories, 15,500 executable files) in about 5 minutes! F-Prot, which is also very fast, takes about 20 minutes. And this is when scanning infected files; on a clean system both scanners should be much faster.

> I tested 100 different generations of the DSME (dark slayer mutation
> engine, taiwan) available in most Virus Exchange BBSs around the world;
> against F-prot 2.11 and TBSCAN 6.10.

So, what are you trying to tell us, exactly? That there is a particular virus that the scanner doesn't detect? Big news, there are dozens of them. That there is a particular virus that *two* scanners do not detect? So what, there are many other viruses for which this is valid too. Scanners are supposed to detect only viruses known to them.

Or do you want to emphasize that TbScan does not detect this particular DSME virus *reliably*? Cheer up, I can list 74 other viruses which it also detects unreliably (i.e., detects some of the replicants but misses others). Why did you forget to tell us about the other 3623 viruses (out of 3918) which TbScan *does* detect reliably? (The data holds for TbScan 6.11, used on a set of only the file infectors that are known to me.) You want data for the boot sector infectors too? Fine, TbScan 6.11 detects reliably 335 out of 342, has no unreliable detections, and crashes on four of my test samples. Doesn't this sound better as a test than yours, applied only to a single virus, with 100 miserable replicants (miserable for a polymorphic virus like DSME), and only two scanners?

> Other AV packages were not tested (Why bother?)

Yes, indeed, why bother. Why bother trying AntiVirus Pro 2.0, for instance, whose heuristics seem to catch DSME reliably...

> It is pretty obvious Frisk hasn't gotten around detecting DSME yet...

It is, indeed. Another one which is causing him big trouble is the Uruguay family, so you could use that the next time you want to show us that you are able to find a virus that the scanner does not detect properly.

> It bothers me that we find this kind of bragging while TBSCAN flies by 45
> infected files.

Agreed, that's not good. Frans definitely should fix it.

> How good is the fastest scanner if it is not accurate?

Well, "not accurate" is a bit over-stretched; see the test data above. Every scanner I have seen has some unreliable detections - some more, some less. Of the popular ones, FindVirus (from Dr. Solomon's Anti-Virus ToolKit) seems to have the fewest unreliable detections, while VPCScan seems to have the most. The test data is still not completely digested, so don't quote me on that; a better report will be (hopefully) available soon.

> Does the end user want speed or reliability?

The end user wants both. And many other things. Like an anti-virus product that costs nothing, uses no resources, needs no updating, and prevents all possible and impossible viruses. :-) Of course, there are better and worse approximations to this ideal. TbScan is one of the better ones; I know several which are both slower and less reliable than it.

> A wise decision would be to compromise some speed for more reliability.

I'm pretty sure that Frans can improve the reliability without compromising the speed. It's a good thing that you have reported that unreliable detection, but even better would be to report *all* unreliable detections, so that he can fix them.

> This adolescent bragging reminds me much of the bragging that goes
> on in the virus-writing underworld...

Yeah, there is a lot of bragging and flaming going around... :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 14:57:01 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: New files on our ftp site (General)

Hello, everybody!

Yes, as some of you might have noticed by the increased traffic in Virus-L/comp.virus, I am back on-line. :-) Here are some additions to our ftp site. First, just a reminder, the name of the site is ftp.informatik.uni-hamburg.de and the IP address is 134.100.4.42 - this is for those of you with broken DNS servers, like one person from France who asked me about it in a letter. The subdirectory tree that I manage is /pub/virus. All directories mentioned below are subdirectories of this one.

1) We have removed McAfee's programs from the progs directory. Instead, we are mirroring McAfee's ftp site in the McAfee directory. The antivirus programs can be found in McAfee/antivirus.

2) Since McAfee's ftp site also carries Patricia Hoffman's VSUM, it has also been removed from the progs directory. You can find it now in McAfee/vsum.

3) The latest updates of Norton Anti-Virus, as sent to us by Symantec, can always be found in the progs directory. The names of the archives are always 'nav??upd.zip', where '??'
stands for '20', '21', and '30', reflecting the updates for NAV versions 2.0, 2.1, and 3.0 respectively. I have decided to use the MS-DOS file naming scheme (in order to spare the problems of people who are new to ftp-ing and are trying to download those files on their MS-DOS machines), and it limits me to 8 characters in the file name, so I am unable to include there information about how recent the update is. You'll have to look at the creation date of the file - the file name will always be one and the same.

4) I have received a new version (2.00) of Eugene Kaspersky's AntiVirus Pro. It is available as progs/avp_200.zip. This is a completely new version (although still free to the registered users), which is able to do detection, disinfection, and memory deactivation of many new viruses (a total of more than 3,000, according to the docs; haven't tested this yet). It is also able to scan *and* disinfect inside compressed files (a la PKLite) and archives (PKZIP, ARJ, don't know the full list of the supported ones). It doesn't need the unpackers to be present; it contains its own code to do the unpacking. A heuristic analyser is also included.

The Pro version provides to the expert user a very powerful virus description language, which allows him to define how to detect, deactivate in memory, and disinfect new viruses, even polymorphic ones. Have in mind, however, that understanding how to use it is far from trivial - I am still banging my head on some fine points. Also, the part of the documentation that describes how to do it is literally *horribly* written, both in terms of bad English and bad writing style. However, the product *is* very powerful and is the only one I am aware of that provides this power to the user. So, if you know how to disinfect viruses, it is worth the trouble to learn how to do it with AVP.

Unfortunately, the Pro version crashes horribly under DesqView, and also crashes while scanning my virus collection. The "normal" version (also included in the package) has no such problems. Since the difference between the two versions, from the user's point of view, is only in the ability of the Pro version to create new virus definitions, most users won't need to use the Pro version anyway. Besides, the authors promise to supply via e-mail an update to the virus definitions database within 48 hours to the registered users for any new virus sent to them.

5) Two new scanners are available in the progs directory. The archive avscn147.zip contains the English freeware version (AVScan) of a German product (AntiVir IV), produced by H+BEDV. The English version does *not* work under German versions of MS-DOS and it is in general not allowed to use it in Germany. So, please, German users, don't download it. The commercial product (AntiVir IV), unfortunately, has only a German version. It can also do disinfection (a very good one, even better than F-Prot, I am told, but I have to test it in order to believe it) and integrity checking - while AVScan is only a scanner. Nevertheless, it is not a bad scanner, and is free, so give it a try. I intend to test it and publish the test results for it, together with the test results for several other scanners.

6) The second new scanner, in progs/vblite16.zip, is the 'lite' shareware version of the Australian product VirusBuster.

7) Two new directories have been created under the directory texts. The directory texts/alive contains the new electronic magazine "Alive", published by Suzana Stojakovic-Celustka. The magazine discusses such things as computer viruses, artificial life, beneficial viruses, and other controversial subjects. However, unlike many of the so-called "underground" magazines, it doesn't publish the source code of real viruses nor does it encourage the writing and spreading of such viruses, which is why I have agreed to distribute it from our ftp site.

8) The second directory, texts/bulletin, contains the English translation of the F-Prot Bulletins, published by Data Fellows. This is an electronic magazine, similar to Virus Bulletin and Secure Computing (which are published in print only). Similarly to those two, it contains valuable technical information about computer viruses.

9) A new version of our hypertext interface to our Computer Virus Catalog is now available in texts/catalog/cmb-30.zip. It used to be called Computer Virus Base and has been renamed to Computer Malware Base.

10) And of course, the latest versions of the other programs that we usually distribute from our ftp site are also available; check in the progs directory.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 25]
*****************************************
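Two of the posts in this digest, "A false alarm report" and "Dangerous bug in CLEAN", describe the same underlying weakness from two sides: a short scan string is enough to *detect* but not to *identify*, and a disinfector that edits the file in place on the strength of a detection alone can destroy the host before it discovers it has the wrong variant. The Python sketch below is an added example written for this edit, not code from McAfee, from Frisk, or from anyone quoted above. It models both behaviours side by side: a toy scanner that keys on the ten bytes the CLEAN post says trigger "Jerusalem [Jeru-A]", a "naive" cleaner that truncates first and checks afterwards (the bug as reported), and a "safe" cleaner that does what the post asks for (identify the variant exactly, work on a copy, and replace the original atomically only on success). The 64-byte "virus body", the SHA-256-based exact identification, the 1026-byte host and the file layout are all constructed stand-ins; only the ten-byte scan string comes from the post.

```python
"""Scan-string detection vs. exact identification, and in-place vs. copy-then-replace
disinfection. Added illustration for the VIRUS-L thread; every 'virus' here is fake."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# The ten bytes the "Dangerous bug in CLEAN" post says make SCAN report
# "Jerusalem [Jeru-A]". Used here purely as a toy scan string.
JERU_A_SCAN_STRING = bytes.fromhex("03F3A526C606FE03CB58")

# Constructed stand-in for an appending virus body (NOT the real Jerusalem):
# 54 bytes of filler followed by the scan string, 64 bytes in total.
FAKE_BODY = b"\x90" * 54 + JERU_A_SCAN_STRING
BODY_LEN = len(FAKE_BODY)

# "Exact identification": the hash of the whole presumed body, not ten bytes of it.
KNOWN_VARIANTS: Dict[str, Tuple[str, int]] = {
    hashlib.sha256(FAKE_BODY).hexdigest(): ("Jerusalem [Jeru-A] (toy)", BODY_LEN),
}


def detect(data: bytes) -> Optional[str]:
    """SCAN-style detection: the scan string sits at the end of the file."""
    return "Jerusalem [Jeru-A]" if data.endswith(JERU_A_SCAN_STRING) else None


def identify(data: bytes) -> Optional[Tuple[str, int]]:
    """Exact identification of the trailing body; None means 'unknown variant'."""
    if len(data) < BODY_LEN:
        return None
    return KNOWN_VARIANTS.get(hashlib.sha256(data[-BODY_LEN:]).hexdigest())


def naive_clean(path: Path) -> str:
    """The reported CLEAN behaviour: cut on a detection, identify afterwards."""
    data = path.read_bytes()
    if detect(data) is None:
        return "clean"
    path.write_bytes(data[:-BODY_LEN])          # host already shortened here
    if identify(data) is None:
        return "unknown variant, not removed"   # ... and the file is still shorter
    return "removed"


def safe_clean(path: Path) -> str:
    """Identify first; build the repaired file beside the original; swap atomically."""
    data = path.read_bytes()
    if detect(data) is None:
        return "clean"
    variant = identify(data)
    if variant is None:
        return "unknown variant, file left untouched"
    _, body_len = variant
    tmp = path.with_suffix(path.suffix + ".tmp")
    tmp.write_bytes(data[:-body_len])
    os.replace(tmp, path)                       # original is never half-written
    return "removed"


def demo() -> Dict[str, Tuple[str, int, int]]:
    """Run both cleaners on the hex-editor forgery and on a toy real infection.
    Returns name -> (status, size before, size after)."""
    host = b"MZ" + bytes(range(256)) * 4        # constructed 1026-byte "executable"
    forged = host[:-10] + JERU_A_SCAN_STRING    # the trick from the CLEAN post
    infected = host + FAKE_BODY                 # toy appending infection
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content, cleaner in (
            ("forged/naive", forged, naive_clean),
            ("forged/safe", forged, safe_clean),
            ("infected/safe", infected, safe_clean),
        ):
            p = Path(d) / name.replace("/", "_")
            p.write_bytes(content)
            status = cleaner(p)
            results[name] = (status, len(content), p.stat().st_size)
    return results


if __name__ == "__main__":
    for name, (status, before, after) in demo().items():
        print(f"{name:15s} {status:40s} {before:5d} -> {after:5d} bytes")
```

Running it shows the forged file passing `detect()` but failing `identify()`, the naive cleaner reporting "not removed" after having already cut 64 bytes off the host, and the safe cleaner leaving the forgery untouched while correctly restoring the genuinely "infected" toy file. The pattern in `safe_clean` (decide, write a sibling copy, `os.replace`) is the general remedy Bontchev asks for and applies to any disinfector, not just to this one variant.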