VIRUS-L Digest   Wednesday, 13 Apr 1994    Volume 7 : Issue 26

Today's Topics:

    New files on our ftp site (General)
    Number of viruses on non-PC machines
    GOOD VS BAD VIRUSES
    Re: OS/2 and Virus's (OS/2)
    HEEEEEELP ME NOW!!!! : Filler Virus (PC)
    Disk Secure (PC)
    Re: Avoiding floppy boot (was: FORM problems) (PC)
    Re: boot sector virus named newbug (name from mcafee scan) (PC)
    Re: McAfee virus programs (PC)
    Re: MSAV signature files via FTP? (PC)
    Re: boot sector virus named newbug (name from mcafee scan) (PC)
    Re: vds30j.zip - Anti-virus w/integrity checker, scanner & more (PC)
    Re: NAV Update Files by FTP? (PC)
    help! on michelangelo virus (PC)
    CANSU Virus (PC)
    Re: Possible coding error in JezzBall (windows, PC)
    Re: Alternate infection method? (V-Sign) (PC)
    Re: Thanks for all comments re best antivirus (PC)
    Re: Help! Monkey Virus (PC)
    Re: Clean 111 & Mich. (PC)
    Re: Help with V-Sign? (PC)
    Re: DOS 6.X Anti-Virus (PC)
    Re: A false alarm report (PC)
    Dangerous bug in CLEAN (PC)
    Re: Joshua & Joshi (PC)
    Re: PGP Signed Files & F-Prot (PC)
    Re: MS-DOS 6.x Anti-Virus (PC)
    Re: Is speed really important? (PC)
    Re: DOS 6.X Anti-Virus (PC)
    top 10 anti virus s/w? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 31 Mar 94 14:57:01 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: New files on our ftp site (General)

Hello, everybody!

Yes, as some of you might have noticed by the increased traffic in Virus-L/comp.virus, I am back on-line. :-) Here are some additions to our ftp site. First, just a reminder, the name of the site is ftp.informatik.uni-hamburg.de and the IP address is 134.100.4.42 - this is for those of you with broken DNS servers, as one person from France who asked me about it in a letter. The subdirectory tree that I manage is /pub/virus. All directories mentioned below are subdirectories of this one.

1) We have removed McAfee's programs from the progs directory. Instead, we are mirroring McAfee's ftp site in the McAfee directory. The antivirus programs can be found in McAfee/antivirus.

2) Since McAfee's ftp site carries also Patricia Hoffman's VSUM, it has also been removed from the progs directory. You can find it now in McAfee/vsum.

3) The latest updates of Norton Anti-Virus, as sent to us by Symantec, can always be found in the progs directory. The names of the archives are always 'nav??upd.zip', where '??' stands for '20', '21', and '30', reflecting the updates for NAV versions 2.0, 2.1, and 3.0 respectively. I have decided to use the MS-DOS file naming scheme (in order to spare the problems of people who are new to ftp-ing and are trying to download those files on their MS-DOS machines), and it limits me to 8 characters in the file name, so I am unable to include there information about how recent the update is. You'll have to look at the creation date of the file - the file name will be always one and the same.

4) I have received a new version (2.00) of Eugene Kaspersky's AntiVirus Pro. It is available as progs/avp_200.zip.
This is a completely new version (although still free to the registered users), which is able to do detection, disinfection, and memory deactivation of many new viruses (a total of more than 3,000, according to the docs; haven't tested this yet). It is also able to scan *and* disinfect inside compressed files (a la PKLite) and archives (PKZIP, ARJ, don't know the full list of the supported ones). It doesn't need the unpackers to be present; it contains its own code to do the unpacking. A heuristic analyser is also included.

The Pro version provides to the expert user a very powerful virus description language, which allows him to define how to detect, deactivate in memory, and disinfect new viruses, even polymorphic ones. Have in mind, however, that understanding how to use it is far from trivial - I am still banging my head on some fine points. Also, the part of the documentation that describes how to do it is literally *horribly* written, both in means of bad English and bad writing style. However, the product *is* very powerful and is the only one I am aware of that provides this power to the user. So, if you know how to disinfect viruses, it is worth the trouble to learn how to do it with AVP.

Unfortunately, the Pro version crashes horribly under DesqView, and also crashes while scanning my virus collection. The "normal" version (also included in the package) has no such problems. Since the difference between the two versions, from the user's point of view, is only in the ability of the Pro version to create new virus definitions, most users won't need to use the Pro version anyway. Besides, the authors promise to supply via e-mail an update to the virus definitions database within 48 hours to the registered users for any new virus sent to them.

5) Two new scanners are available in the progs directory. The archive avscn147.zip contains the English freeware version (AVScan) of a German product (AntiVir IV), produced by H+BEDV.
The English version does *not* work under German versions of MS-DOS and it is in general not allowed to use it in Germany. So, please, German users, don't download it. The commercial product (AntiVir IV), unfortunately, has only a German version. It can also do disinfection (a very good one, even better than F-Prot, I am told, but I have to test it, in order to believe) and integrity checking - while AVScan is only a scanner. Nevertheless, it is not a bad scanner, and is free, so give it a try. I intend to test it and publish the test results for it, together with the test results for several other scanners.

6) The second new scanner, in progs/vblite16.zip, is the 'lite' shareware version of the Australian product VirusBuster.

7) Two new directories have been created under the directory texts. The directory texts/alive contains the new electronic magazine "Alive", published by Suzana Stojakovic-Celustka. The magazine discusses such things like computer viruses, artificial life, beneficial viruses, and other controversial subjects. However, unlike many of the so-called "underground" magazines, it doesn't publish the source code of real viruses nor does it encourage the writing and spreading of such viruses, which is why I have agreed to distribute it from our ftp site.

8) The second directory, texts/bulletin, contains the English translation of the F-Prot Bulletins, published by Data Fellows. This is an electronic magazine, similar to Virus Bulletin and Secure Computing (which are published in print only). Similarly to those two, it contains valuable technical information about computer viruses.

9) A new version of our hypertext interface to our Computer Virus Catalog is now available in texts/catalog/cmb-30.zip. That used to be called Computer Virus Base and has been renamed to Computer Malware Base.

10) And of course, the latest version of the other programs that we usually distribute from our ftp site are also available; check in the progs directory.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 01 Apr 94 08:15:11 -0500
From: mikko.hypponen@df.elma.fi
Subject: Number of viruses on non-PC machines

Even though I'm working with only the PC viruses, I get often asked about the virus situation on other computers. As I do not have very recent information about the current situation, could anyone fill me in?

Here are my current estimates on the number of known viruses on platforms other than the PC. Please correct me if you have better or more current information.

    Apple Macintosh:   18 (around 50 with all variants?)
    Commodore Amiga:   more than 100
    Acorn Archimedes:  84 (according to a recent article in VB)
    Atari ST series:   20
    HP-48:             5
    UNIX:              3
    Commodore 64:      2

Any others?

- --
Mikko Hypponen // mikko.hypponen@df.elma.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@df.elma.fi
PGP 2.3a public key available, ask by e-mail

------------------------------

Date: Fri, 01 Apr 94 11:08:52 -0500
From: "Tom Kirke (312) 413-5539"
Subject: GOOD VS BAD VIRUSES

olpopeye@aol.com says the " **CENTRAL QUESTION** of the debate" is:

> ***********************************************************************
> WHAT IS THE **INTENT** INVOLVED IN EACH INSTANCE??
> ***********************************************************************

I can not disagree more! In this case the intent is entirely irrelevant. What is the case is that someone is putting code on my machine that I don't want, code that may not work properly ( because of special local conditions ), code that presumes it knows what is best for me.

I am greatly in favor of people or corporations making code available for my use, I even pay for it.
However I must repeat DOWN WITH THE RAM POLICE.

Tom Kirke                        | All standard and non-standard
U33515@UICVM.CC.UIC.EDU          | disclaimers, declaimers, and claimers
U33515@UICVM.CC.UIC.EDU@INTERNET#| apply.
APPLELINK:HARDBALL               |
We have discovered a *therapy* (NOT a cure) for the common cold, play tuba for an hour.

------------------------------

Date: Thu, 31 Mar 94 15:09:54 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 and Virus's (OS/2)

Brian J. Geregach (sirtwist@csuohio.edu) writes:

> Looking for any information on how virus's affect the OS/2 environment.

First, there are the OS/2-specific viruses. I know only two such viruses and they are too lame to be of any significant threat.

Second, there are the MS-DOS viruses, which are able to run in a DOS box under OS/2. Many of them use undocumented tricks not supported in DOS boxes and simply crash, but many others are able to run and infect correctly - mostly because OS/2 runs DOS programs so well, including DOS viruses. Due to the memory protection in OS/2, virus that has infected the memory in one DOS session, is unable to infect the other DOS sessions - unless it succeeds to infect the command interpreter, which is shared between the sessions. (I mean, to infect the file containing the command interpreter - then the virus will become active in any subsequently started DOS session.) Furthermore, the format of the OS/2 application is different from this of the MS-DOS executables, and many (most) viruses are unable to infect these files correctly. If infected, such files will crash when started. However, the DOS programs are still infectable on an OS/2 system.

Third, there are the DOS-independent viruses, like most MBR infectors. They are perfectly able to infect an OS/2-only system (or Unix-only, or whatever else, if it only runs on an IBM PC compatible machine). Depending on how exactly the virus works, OS/2 may crash at boot time, or be able to boot and work.
The virus, however, will not be able to spread. However, if the virus has a damaging payload that activates at boot time (e.g., Michelangelo), it will still be able to cause damage. There is one additional aspect to this - some boot sector viruses mess up with the Boot Manager and can be quite a pain to remove - Form is a good example for that.

At last, as far as I understand, OS/2 can keep an image of a DOS boot sector in a file and be instructed to boot from it. In some cases, such files can contain the image of an infected boot sector and cause re-infections. However, my knowledge of OS/2 is not good enough, so I would like if someone more knowledgeable on this subject could comment on this.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Sun, 27 Mar 94 02:08:08 +0200
From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: HEEEEEELP ME NOW!!!! : Filler Virus (PC)

Hi Bernt!

> My scan112 reports a Filler virus in upper memory. Then I boot
> from a clean, writeprotected disk and run clean112, but it doesn't
> remove the virus. I've read that it formats part/all of disk!!

Do you use an older version of TNT Turbo Anti-Virus, or some version of CPAV? This error sometimes occurs if you load one of those devices high and scan memory afterwards. The phenomenon is called "ghost virus" and is often due to unencrypted scan strings used by such a resident scanner.

> How do I remove it???

Try unloading your TSR- or device-driver virus scanner.

cu! eppi

- --- GEcho 1.01+
 * Origin: Another Virus Help Node - The EpiCentre!
(9:491/6050)

------------------------------

Date: Mon, 28 Mar 94 09:04:03 +0200
From: Trevor_Learoyd@p11.f107.n441.z9.virnet.bad.se (Trevor Learoyd)
Subject: Disk Secure (PC)

Hi Padgett,

On 07 Mar 94 at 16:36, you wrote to All:

APP> Both are available on several sites (Archie). DS241.ZIP and FixUtil6.ZIP
APP> are current or I can send uuencodes.

Do you (or anyone else here) know of any UK Fido sites where these files are available?

Regards.....Trevor

- --- GEcho 1.00
 * Origin: Red Shifted from Index III (9:441/107.11)

------------------------------

Date: Thu, 31 Mar 94 07:09:06 -0500
From: "David M. Chess"
Subject: Re: Avoiding floppy boot (was: FORM problems) (PC)

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>3) Third, check if your computers have the new AMI BIOSes, which allow
>them to be set up to attempt to boot from the hard disk first, instead
>of from the floppy.

As a sidenote, it's not just AMI BIOSes that allow this; various IBM PS/2s, for instance, also have a configurable boot order...

DC

------------------------------

Date: Thu, 31 Mar 94 12:09:12 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: boot sector virus named newbug (name from mcafee scan) (PC)

Marion Neubauer (Y72@VM.URZ.UNI-HEIDELBERG.DE) writes:

> a person from my department brought a pc with suspicious harddisk
> to the dealer. the dealer found a virus called newbug (name from scan v112).
> we scanned all other pcs and floppies and did not found any virus
> at all. maybe someone take a floppy away, but i wanna know
> if it is possible that scan and f-prot (i tried it with both) did
> not recognize the virus under some circumstances?

SCAN 112 calls "NewBug [Genb]" the viruses with standard CARO virus name AntiEXE.A and AntiEXE.B. F-Prot detects the first as "AntiEXE" and the second as "New or modified variant of AntiEXE". According to my experience, both scanners are able to detect those viruses reliably.
I am also not aware of any false positives of SCAN for this particular virus. Could it be that somebody has disinfected the virus already, or that the hard disk has been delivered infected, or there has been some other kind of anti-virus software (like CPAV/MSAV) that could have caused a ghost positive?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 12:26:29 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: McAfee virus programs (PC)

Mike Mattone (mike@mik.uky.edu) writes:

> Can anybody tell me where I can find the shareware versions of the
> McAfee virus protection programs, SCAN, CLEAN and VSHIELD? I looked

A good place to get them is McAfee's own ftp site: mcafee.com. They can be found in the /pub/antivirus directory.

> at wuarchive.wustl.edu but they've made so many changes to their
> system since I last looked there that I can't find *anything* anymore.

I am not using wuarchive, because it is so overloaded, but you can find them also on oak.oakland.edu, in the /pub/msdos/virus directory. Many other sites are carrying them as well. Our site is mirroring mcafee.com in the directory /pub/virus/McAfee, but it would be a waste of resources for you to download them from here.

> I'd prefer e-mail rather than a follow-up post because I rarely have
> a chance to check netnews, but I will make a point of it now that I
> have asked this question. So, feel free to respond in whatever manner
> seems most appropriate to you.

I am sending you a copy of this message by e-mail.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 12:30:10 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MSAV signature files via FTP? (PC)

YALUSA JONGIHLATI (mm94jony@sirius.ru.ac.za) writes:

> Could someone please tell me if the MSAV signature file for Viruses can be
> downloaded via FTP and if so, could you please E-Mail it to me.

I don't think so, although I might be wrong. Long time ago, we got the updates for CPAV with the permission to distribute them on our ftp site. (They can still be found there:

    ftp.informatik.uni-hamburg.de:/pub/virus/progs/cpav_upd.zip

although they should be out-of-date already.) We also got the updates for MSAV, but they were not explicitly mentioned in the permission. I asked CPS whether I can distribute them too, but got a negative answer. I found this quite frustrating, because the MSAV updates *are* freely available on CPS' BBS and on the top of that the CPAV updates also work for MSAV (at least the DOS part does).

Since then I have got several other updates, but since they have never been accompanied with the explicit permission to distribute them and since we have not been explicitly asked by CPS to perform such a service with any further updates, I refrain from putting them on our ftp site.

Besides, you should consider using a better anti-virus product. :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 12:35:37 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: boot sector virus named newbug (name from mcafee scan) (PC)

Marion Neubauer (Y72@VM.URZ.UNI-HEIDELBERG.DE) writes:

> a person from my department brought a pc with suspicious harddisk
> to the dealer. the dealer found a virus called newbug (name from scan v112).
> we scanned all other pcs and floppies and did not found any virus
> at all. maybe someone take a floppy away, but i wanna know
> if it is possible that scan and f-prot (i tried it with both) did
> not recognize the virus under some circumstances?

SCAN 112 calls "NewBug [Genb]" the viruses with standard CARO virus name AntiEXE.A and AntiEXE.B. F-Prot detects the first as "AntiEXE" and the second as "New or modified variant of AntiEXE". According to my experience, both scanners are able to detect those viruses reliably. I am also not aware of any false positives of SCAN for this particular virus. Could it be that somebody has disinfected the virus already, or that the hard disk has been delivered infected, or there has been some other kind of anti-virus software (like CPAV/MSAV) that could have caused a ghost positive?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 12:35:49 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: vds30j.zip - Anti-virus w/integrity checker, scanner & more (PC)

Warning, those of you who decide to use VDS 3.0j, be aware that the scanner often gives a false positive about a virus called "Animus".
The scanner is rather poor in general, so my advice is to drop it and to use only the integrity checker, combining it with a good scanner like F-Prot. The integrity checker in VDS is rather good, if you manage to make it work on your system - it seems to be incompatible with compressed and encrypted volumes and other unusual environments.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 13:06:18 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV Update Files by FTP? (PC)

Dilan Patel (dpatel@menger.eecs.stevens-tech.edu) writes:

> Is there anyway that one can get NAV 3.0 update files directly off an
> internet site ?

Yes, there is.

> if so, can someone please tell where I can get the updates ?

Symantec regularly sends us the updates and, with their permission, we are making them available on our ftp site:

    ftp.informatik.uni-hamburg.de:/pub/virus/nav??upd.zip

There are three archives matching the above specification, for NAV versions 2.0, 2.1, and 3.0 respectively. The latest updates for NAV 3.0 are for March. As far as I understand, the other versions will be discontinued soon.

Please, note that providing this kind of service does not imply that I am recommending NAV 3.0 as an anti-virus product. I am not. However, I realize that it has a large user base, and I also understand that keeping those users updated provides them a better protection than not to; that's why we are providing this kind of service. Of course, an even better protection for them would be to switch to an even better product, but this is up to them to decide. :-)

> Please e-mail me with any info.

Why do you think that others will not be interested in the answer of this question?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: 31 Mar 94 13:39:45 +0000
From: mjliu@csie.nctu.edu.tw (Ming-zhou Liu)
Subject: help! on michelangelo virus (PC)

hi,

today at my friend's place, i turned on his computer and strange message appears:

    DRIVE FAILURE (or something to that effect, i forgot)
    Put boot disk into drive A and press any key...

at first i checked the power supply and the wiring but found nothing wrong. then i go to CMOS setup and found that the date stopped on "Mar 6". it seems to me that maybe the date was set incorrectly and today it happened to fall on Mar 6 and triggered the virus!

my question is: the error message above looks like what the michelangelo does to the computer? to disable harddisk completely?? any recovery of data possible??

------------------------------

Date: Wed, 30 Mar 94 09:05:00 -0600
From: jerry.brown@cld9.com (Jerry Brown)
Subject: CANSU Virus (PC)

Anyone know anything about the CANSU virus, as in if it can removed without having to re-partition the hard drive? It was running around a local university, and I managed to get it transferred to a friends computer......unfortunately, Central Point Anti-Virus will not detect it; so I didn't know it was present till the computer would no longer boot. McAfee's Scan program will detect it, but unfortunately Clean says it cannot safely remove it from the partition table.

Right now, I am booting off a floppy, which loads VSHIELD. VSHIELD throws up a message that the partition table is infected, but does install itself as the virus doesn't activate unless you boot off the infected disk. Any suggestions?

- --- FreeMail 1.09
 * Origin: ATAS BBS*713-837-8003*Internet:@atas.cld9.com (1:106/8003)

------------------------------

Date: Thu, 31 Mar 94 13:49:19 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Possible coding error in JezzBall (windows, PC)

Alan D. Tegel (olympian@mentor.cc.purdue.edu) writes:

> the game she was playing. She said she would reach a very high score
> and then low and behold the whole screen would turn into Japanese letters

[snip]

> it to them yet. Does this sound like a virus or a software bug?

It sounds like a software bug to me.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 13:51:13 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Alternate infection method? (V-Sign) (PC)

Kevin Kenney (kenney@nb.rockwell.com) writes:

> I know the above. I also know that boot sector viruses are often larger than
> the boot sector, with the 'body' of the virus being elsewhere. In V-Sign's
> case, I've been told this 'body' resides in the directory table area. My

That's true, although it applies only to floppies, not to hard disks. The second part of the virus body is written over the last two sectors of the root directory - where exactly depends on the particular format of the floppy.

> comment was if this 'body' was in the data area, and corrupted a file, the
> 'body' could be written so as to infect a system if the corrupted file was run

First, it is in the directory area, not in the data area. This means that it can corrupt the information *about* the files, but never be placed *in* the files.
Second, in this particular case (V-Sign), the virus is *not* written in the way you are afraid of.

> I'd read the FAQ if it were ever updated! It's two years old! It should keep
> people up to date, instead of just giving basic definitions.

If you have bothered to read the FAQ carefully, you would have noticed a reference to our Computer Virus Catalog. It is available from our ftp site (get the exact reference from the FAQ), free of charge, and contains the technical description of many viruses. If you have bothered to follow this reference and to look in the CVC, you would have found the description of the V-Sign virus and of the way it infects.

I admit that the FAQ is rather old and *does* need updating (I really should do this one of these days), but this is not a scanner that needs to be updated every month. Its main goal is to provide the basic knowledge and also pointers to additional sources of information. IMHO, it fulfils this goal rather well.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 13:54:53 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thanks for all comments re best antivirus (PC)

Dave Spitz (SPITZ_DAVE@MUSIC.LIB.MATC.EDU) writes:

> As it looks right now, we are attempting to stay with McAfee
> Associates for our antiviral software. F-Prot is a very close second,
> and depending upon circumstances F-Prot may be the final choice.

Just curious, what kind of tests show F-Prot to be second to SCAN? According to my tests here (I am going to publish the results soon), F-Prot is significantly superior to SCAN in all aspects common between the two packages.
It has better detection (although not that much better; something like 96% vs. 82%), *much* better identification (which is virtually non-existent in SCAN), *much* better disinfection (which is rather weak in CLEAN).

It is true, however, that the shareware version of McAfee's software has some features that are not available in the shareware version of F-Prot - features like integrity checking and generic disinfection. However, those features are rather weak in McAfee's products; there are other packages which implement them in a much better and more secure way. Or was it the combination of the features (instead of being forced to use several different products) that makes McAfee's product look better to you?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 14:03:51 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! Monkey Virus (PC)

Bruce Andrew Carl Douglas (umdougl6@cc.umanitoba.ca) writes:

> Mcafee SCAN 9.19 v108 later identified it as the Monkey virus located in
> the boot sector of his floppies. MSAV (bundled with MS-Dos 6.2) also
> reported the monkey virus. However, neither of the cleaning programs with
> these two packages worked.

I would advise you to use a better scanner - for instance, F-Prot. Alternatively, you could use the small program KillMonk3, which can deal with this particular virus (and with one more, Int_10, but nothing else) very well. Both programs are free for individual use and are available from many ftp sites. In particular, KillMonk3 is available even on McAfee's ftp site, regardless that it is not produced by them.

> I used the FDISK /MBR command on one of the floppies, and i was given the
> message PACKED FILE CORRUPT. After that, i switched to the C:\ drive and
> rescanned the floppy. It was reported clean.

Hmm... First, the above message ("Packed file is corrupt") is unlikely to be caused by this virus. It is a boot sector infector and does not affect files.

Second, the trick FDISK/MBR is suitable *only* for removing MBR infectors from the first physical hard disk. It doesn't work on floppies; you have to use SYS for that, if you can, or even better - a virus-specific program.

Third, Monkey is a typical example of a virus when the trick FDISK/MBR _MUST_NOT_ be used, because it will make the hard disk inaccessible.

All of the above makes me doubt that you have had a typical Monkey infection. It could be something else, including a file infector. I would suggest that in the future you use a scanner which is able to do better identification of the viruses it detects. F-Prot is an excellent example for such a scanner. There are others, which can do better identification, but they are commercial, while F-Prot is free for individual use.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 31 Mar 94 15:02:23 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clean 111 & Mich. (PC)

McAfee Associates (mcafee@netcom.com) writes:

[Why "McAfee Associates", BTW? I was told that the company has been renamed to just "McAfee".]

> We used to deactivate viruses when they were found in memory. We stopped
> after receiving complaints from users about their systems crashing when a
> virus could not be disabled correctly.
There is no such virus which cannot be disabled correctly in memory. There are only anti-virus programs which are unable to do that. The better ones can do it, but it requires a lot of care and effort and we see fewer such programs lately.

> With the almost unlimited numbers
> of PC configurations in use, it is impossible to test for compatibility
> with each operating environment.

Sorry, but the above doesn't make any sense. In order to deactivate the virus in memory, the anti-virus program must be able to detect it there, to identify it, to patch the relevant part of it, and to check that the patch has been successful. This has nothing to do with the "unlimited numbers of PC configurations in use" - it is more related to the "unlimited number of existing computer viruses". :-) The only incompatibility that I can see is if a weird memory manager succeeds to load the virus in a part of memory that is readable but writing to it (and therefore patching the virus) is not allowed. However, first, it is unlikely that the virus will be able to work in those conditions, second, I know of no such memory manager, and third, in this case the anti-virus program has just to check that the patch has not been successful and to announce it.

> Therefore it is quite logical to warn
> the user that a computer virus has been found in the memory of his (her)
> computer system and to power down the system and boot from a virus-free
> copy of the operating system on diskette before continuing.

It is indeed always better to ensure that the memory is virus-free, and the most reliable way to do this is to cold boot from an uninfected write-protected system diskette. However, a good anti-virus program should be able to detect if there is a virus in memory (most anti-virus programs can do this) and to deactivate it if this is the case. Very few scanners can do the second step.
Actually, I know only about two - IBM Antivirus (the resident scanner, but it can deactivate very few viruses) and AntiVirus Pro - it's much better and has memory detection, memory deactivation, file & boot sector detection and disinfection for most viruses it can find.

Therefore - it can be done. You have simply opted towards the easier solution and are not doing it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 15:02:38 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with V-Sign? (PC)

jbakan@opal.tufts.edu (jbakan@opal.tufts.edu) writes:

> A scan with F-Prot version 211 showed the presence of V-Sign (in
> the MBR I think). It was subsequently removed with F-Prot.
> The inability to load high, however continues, even if booted from a
> clean floppy. Again, this is not a total failure to load high,
> a couple of small aps do load high, but most only load in conventional
> memory. The machine scans as clean with F-Prot and Viruscan.
> What does V-Sign do? How is it propagated? Are the continuing memory
> problems due to V-Sign, or do I have another (possibly hardware) problem?

F-Prot is able to identify V-Sign reliably, which makes me think that you indeed have been infected by this particular virus. However, the problems that you describe do not seem to be related to it. For a description of V-Sign, see our Computer Virus Catalog. See the FAQ for information how to get it.

My advice to you is to run the memory optimizer that comes with your memory manager - Optimize, Memmaker, or whatever. Try it, your problems might go away.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 15:07:57 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DOS 6.X Anti-Virus (PC)

Fred Houlihan (FTH@PSUVM.PSU.EDU) writes:

> I subscribed to the IBM update service and received a diskette with
> the signature file for the IBM Antivirus update 1.04 this past
> Saturday. It immediately detected 2 probable virus's on my system that

Please note that when IBM Antivirus says "probable", it means that the virus has not been identified exactly and it might be a false positive. Have you instructed it to use fuzzy scan strings? This often causes such problems.

> program. I witnessed Norton support in January when a co-worker's
[snip]
> and was able to recover from it all in a couple of hours. Meanwhile
> I am still in big trouble dealing with both Central Point and IBM and

Norton (Symantec, actually), Central Point, IBM... You seem to think that only the big companies are able to produce good anti-virus software? :-) Give F-Prot a try - it is free for individual use and its scanner is significantly better than any of the scanners in the products mentioned above; especially better than Central Point's. I don't have first-hand impressions of how good the technical support is, however. But I have witnessed cases when the author of the product has supplied an update only 24 hours after an infection with a new virus has been reported to him. He is not the only one to be able to do it - I have witnessed the same for VET and AVP too.

> yet.
> There are only 2 sources where this virus could have come from:
> my installation of Central Point V2 for Windows or the IBM Antivirus
> update.

Why do you think so? V-Sign is a boot sector virus; this means that even blank formatted floppies are infectable and infective. It is enough to forget such an infected data-only floppy in the A: drive at boot time and your hard disk will become infected. Or are you talking about a different virus?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 15:13:32 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: A false alarm report (PC)

Fridrik Skulason (frisk@complex.is) writes:

> I just checked a file named DELAY.EXE, in a file named imagepro.zip, which
> is available on most major FTP archive sites. This was because according
> to a report I received, an anti-virus program (VirHunt 4.0c) reports a
> NMAN virus in that file.
> This is incorrect - the file is NOT infected.

:-). I can easily see how it has happened. "NMAN" (short for "Nowhere Man") is the identifier used by the CVirus family. As you know, these are High Level Language viruses (HLLOs), and it is very easy to pick the wrong sequence of bytes (one that will cause false positives) as a scan string for such viruses.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 15:52:35 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Dangerous bug in CLEAN (PC)

Hello, everybody!

I have several times repeated here how important it is to identify viruses exactly. Without this, it is often impossible to reply to one of the main questions the user of an infected system asks: "what does this virus do? What damage has it caused to my system?".

However, exact identification is even more important during virus disinfection. Disinfecting the wrong virus variant can severely damage the file, instead of restoring it to its original state. Not all viruses can be properly disinfected, and very few scanners perform exact virus identification, so it is always better to delete the infected files and restore them from uninfected backups. Nevertheless, some scanners perform better virus identification than others, and are therefore more reliable.

I have also often complained here how unreliable is the virus identification in McAfee's SCAN. Fortunately, its companion program, CLEAN, performs slightly better identification. So, often when SCAN has reported a virus, which the documentation claims CLEAN is able to disinfect, CLEAN is able to detect that it is actually a different variant and refuses to attempt to disinfect it, offering the option to destroy the file as an alternative.

As it turns out, this is sometimes not an alternative, and CLEAN has made the choice for you. In those cases, when it tells the user that it is unable to remove the virus and asks whether to delete the file, this is a rhetorical question - because the file is *already* destroyed.

Here is how to reproduce the bug. Take an executable file you don't care about if it is destroyed, and use a hex editor to change its last ten bytes to 03 F3 A5 26 C6 06 FE 03 CB 58.
This will make SCAN report the file as infected by "Jerusalem [Jeru-A]". So far, so good - there is nothing bad in this and it is possible to fool most scanners in a similar way.

Now, start CLEAN, and tell it to disinfect the "[Jeru-A]" virus from the file. It will display several messages that it is trying to remove the virus. At the end it will notice that it can't do it (quite naturally, since there is no virus in the file), and will suppose that this is a new variant and will propose you to delete it. Reject the proposal and tell it NOT to delete it.

At this point, CLEAN has been unable to remove the virus, and you have told it not to damage the file. It is natural to assume that the file has remained in its original (although "infected") state. Nope! Look at it, it has been severely truncated! On top of that, CLEAN says that the virus is removed (or even something more weird - that 9 viruses are removed).

Looks like a bug to me - first CLEAN attempted to disinfect a virus it did not identify, and second it damaged the file without asking me for permission and without even noticing it. Is it so difficult to work on a temporary copy of the file and restore it if the disinfection attempt is detected to fail (as it is in this particular case)?

The bug is verified to exist in CLEAN versions 112 and 113 and probably exists in many of the previous versions. A copy of this message has been forwarded to McAfee. At last, I would like to thank Zvi Netiv, who turned my attention towards this bug.

The moral of the story is: beware of virus disinfectors that cannot perform exact, or at least nearly exact identification. Even better, don't use disinfectors at all - just delete the infected files and restore them from a clean backup instead.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request.
> Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 16:54:34 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshua & Joshi (PC)

> [Moderator's note: No, although the address cert.sei.cmu.edu works, it
> was long ago replaced by cert.org (IP number 192.88.209.5); please use
> the new name/number. Also, the version of VTC on cert.org might be
> out of date - Vesselin?]

Uhm, yes, I am afraid so. Yes, just checked, it is *rather* out of date - the latest update is from 1992. Those who are interested can get the latest version from our ftp site:

Site: ftp.informatik.uni-hamburg.de
IP:   134.100.4.42
Dir:  pub/virus/texts/catalog

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 16:56:29 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: PGP Signed Files & F-Prot (PC)

Ian Hebert (ian.hebert@homebase.com) writes:

> Frisk, you already distribute your PGP public key with the shareware
> version of F-Prot. Why don't you include a PGP signature for the
> documentation, virus signature, and executable files? That would be the
> best way I can think of to allow users to assure themselves that they've
> got a legitimate copy....

Yes, indeed, I wholeheartedly support the idea! Frisk's PGP public key has already received wide distribution, it is on the PGP public key servers, is signed by me, and it is rather difficult to spoof it. He *really* should begin to include detached signatures of at least the executable files in his package - and maybe clearsign the documentation files. Frisk?
Please? :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 17:02:01 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

Richard Ellison (RichardE@keeper.demon.co.uk) writes:

> > I was wondering whether anyone could offer
> > an opinion, comment, thought etc. regarding the effectiveness of the
> > Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
> > version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

> I would recommend that you do not use the so AV soft supplied with MS-DOS
> as it is not the best around (I am being diplomatic here).

Just a word of caution, could it be possible that the original poster has in mind not MSAV (the anti-virus program that comes with MS-DOS 6.0), but IBM Antivirus/DOS (the anti-virus program that comes with PC-DOS 6.1)? While I completely agree with you that MSAV is total junk and simply dangerous to use, IBM's product is not that bad (although I've seen better ones). At last, neither of the two should be confused with the anti-virus product that comes with Novell DOS 7 (which is a variant of the scanner that used to be part of Untouchable).

> I suggest that you use something like F-PROT which is a very good and fast
> virus scanner (It is also shareware) or if you would like to buy then
> Thunderbyte Anti-virus is a very good choice.

A minor correction - F-Prot is freeware for individual use and TBAV is shareware. Also, TBAV is significantly faster than F-Prot (something like 4 times!), although its detection rate is worse. Nevertheless, both are very good choices, as you pointed out.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 31 Mar 94 17:34:38 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is speed really important? (PC)

Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) writes:

> >TbScan has only 8 microprocessor instructions in the crucial inner loop.

> Short of engaging everyone in a "my scanner is faster, my scanner is

Well, his scanner indeed *is* the fastest one around, so what's your point? TbScan scans my whole virus collection (5,300 directories, 15,500 executable files) in about 5 minutes! F-Prot, which is also very fast, takes about 20 minutes. And this is when scanning infected files; on a clean system both scanners should be much faster.

> I tested 100 different generations of the DSME (dark slayer mutation
> engine, taiwan) available in most Virus Exchange BBSs around the world;
> against F-prot 2.11 and TBSCAN 6.10.

So, what are you trying to tell us, exactly? That there is a particular virus that the scanner doesn't detect? Big news, there are dozens of them. That there is a particular virus that *two* scanners do not detect? So what, there are many other viruses for which this is valid too. Scanners are supposed to detect only viruses known to them.

Or do you want to emphasize that TbScan does not detect this particular DSME virus *reliably*? Cheer up, I can list 74 other viruses which it also detects unreliably (i.e., detects some of the replicants but misses others). Why did you forget to tell us about the other 3623 viruses (out of 3918) which TbScan *does* detect reliably? (The data holds for TbScan 6.11, used on a set of the file infectors only that are known to me.)
You want also data for the boot sector infectors? Fine, TbScan 6.11 detects reliably 335 out of 34,2 has no unreliable detections and crashes on four of my test samples. Doesn't this sound better as a test than yours, applied only on a single virus, with 100 miserable replicants (miserable for a polymorphic virus like DSME), and only two scanners?

> Other AV packages were not tested (Why bother?)

Yes, indeed, why bother. Why bother trying AntiVirus Pro 2.0, for instance, whose heuristics seem to catch DSME reliably...

> It is pretty obvious Frisk hasn't gotten around detecting DSME yet...

It is, indeed. Another one which is causing him big trouble is the Uruguay family, so you could use that the next time you want to show us that you are able to find a virus that the scanner does not detect properly.

> It bothers me that we find this kind of bragging while TBSCAN flies by 45
> infected files.

Agreed, that's not good. Frans definitely should fix it.

> How good is the fastest scanner if it is not accurate?

Well, "not accurate" is a bit over-stretched; see the test data above. Every scanner I have seen has some unreliable detections - some more, some less. Of the popular ones, FindVirus (from Dr. Solomon's Anti-Virus ToolKit) seems to have the least unreliable detections, while VPCScan seems to have the most. The test data is still not completely digested, so don't quote me on that; a better report will be (hopefully) available soon.

> Does the end user want speed or reliability?

The end user wants both. And many other things. Like an anti-virus product that costs nothing, uses no resources, needs no updating, and prevents all possible and impossible viruses. :-) Of course, there are better and worse approximations to this ideal. TbScan is one of the better ones; I know several which are both slower and less reliable than it.

> A wise decision would be to compromise some speed for more reliability.
I'm pretty sure that Frans can improve the reliability without compromising the speed. It's a good thing that you have reported that unreliable detection, but even better would be to report *all* unreliable detections, so that he can fix them.

> This adolescent bragging reminds me much of the bragging that goes
> on in the virus-writing underworld...

Yeah, there is a lot of bragging and flaming going around... :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Fri, 01 Apr 94 09:08:50 -0500
From:    Iolo Davidson
Subject: Re: DOS 6.X Anti-Virus (PC)

Fred Houlihan writes:

>I subscribed to the IBM update service and received a diskette with
>the signature file for the IBM Antivirus update 1.04 this past
>Saturday. It immediately detected 2 probable virus's on my system that
>V1.02 missed. But this diskette was cut in November and a number
>of virus's have originated since then. I'd feel more comfortable with
>something more current.

Some anti-virus packages are updated monthly. Dr. Solomon's Anti-Virus Toolkit can be obtained with monthly updates rather than quarterly, for instance (costs a bit more). Their support is very good in Britain, with round the clock phone support and downloadable add-on drivers. In the USA it's supported by Ontrack, and I don't know how they compare.

>There are only 2 sources where this virus could have come from:
>my installation of Central Point V2 for Windows or the IBM Antivirus
>update. I purchased CP Tools from them directly and received the
>IBM diskette in the mail from my paid subscription. I have no
>bootleg software or freeware on my system.

I very much doubt that either Central Point or IBM are shipping infected diskettes.
Anti-virus software producers are much too sensitive to the possibilities to be careless about this.

Avoiding pirated software or shareware/PD stuff doesn't make you immune. Any diskette can carry a virus, including those which seem only to contain data or nothing at all. In Britain, Form has become the most widespread virus due to a bulk supplier of blank formatted diskettes becoming infected. Few people bother to scan "blank" disks.

Iolo Davidson (no club, lone wolf)

------------------------------

Date:    Fri, 01 Apr 94 15:40:56 +0000
From:    thssamj@iitmax.iit.edu (jani)
Subject: top 10 anti virus s/w? (PC)

What are the top 10 virus detection/cleaner programs for the PC

[Moderator's note: "top 10" in sales? in quality? in what?]

Is there a list of such benchmarked programs ?

Thanks
--amj

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 26]
*****************************************
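
The "Dangerous bug in CLEAN" post in this digest asks why a disinfector does not work on a temporary copy and keep the original when the repair fails. The sketch below is an added example, not part of the digest and not McAfee's or any other product's code; the stand-in "virus body", its length, the toy repair routine and all function names are constructed for illustration, and only the ten-byte sequence comes from the post.

```python
import hashlib
import os
import shutil
import tempfile

# Ten-byte sequence quoted in the post; here it is the toy scanner's scan string.
SCAN_STRING = bytes.fromhex("03F3A526C606FE03CB58")

# Constructed stand-in for an appended virus body (not real virus code).
KNOWN_BODY = b"constructed stand-in body, not real virus code".ljust(54, b".") + SCAN_STRING
KNOWN_BODY_SHA256 = hashlib.sha256(KNOWN_BODY).digest()


def detect(data: bytes) -> bool:
    """Scan-string detection only: flags any file that ends in the ten bytes."""
    return data.endswith(SCAN_STRING)


def repair_in_place(path: str) -> bool:
    """Toy repair with the failure mode from the post: it truncates first and
    only afterwards checks whether the removed tail was the known body."""
    with open(path, "r+b") as f:
        data = f.read()
        tail = data[-len(KNOWN_BODY):]
        f.truncate(max(len(data) - len(KNOWN_BODY), 0))
    return hashlib.sha256(tail).digest() == KNOWN_BODY_SHA256


def safe_disinfect(path: str, repair=repair_in_place) -> bool:
    """Run the repair on a temporary copy; replace the original only if the
    repair reports success, otherwise leave the original untouched."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # same directory: atomic replace
    os.close(fd)
    try:
        shutil.copy2(path, tmp)
        if repair(tmp):
            os.replace(tmp, path)
            return True
        return False
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed inputs: a clean file ending in the scan string (false
    positive) and a file carrying the stand-in body."""
    with tempfile.TemporaryDirectory() as d:
        host = b"MZ" + bytes(range(200))  # constructed host program, 202 bytes
        fp, inf, naive = (os.path.join(d, n) for n in
                          ("falsepos.exe", "infected.exe", "naive.exe"))
        for path, content in ((fp, host + SCAN_STRING), (inf, host + KNOWN_BODY)):
            with open(path, "wb") as f:
                f.write(content)
        shutil.copy(fp, naive)
        return {
            "both_flagged": detect(_read(fp)) and detect(_read(inf)),
            "naive_ok": repair_in_place(naive),        # fails, but file is cut
            "naive_size": os.path.getsize(naive),
            "safe_fp_ok": safe_disinfect(fp),          # fails, file preserved
            "fp_intact": _read(fp) == host + SCAN_STRING,
            "safe_inf_ok": safe_disinfect(inf),        # exact match: repaired
            "inf_restored": _read(inf) == host,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan string alone flags both files; only the hash over the whole removed tail tells them apart, and the copy-then-replace wrapper is what keeps the false positive from being truncated.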