VIRUS-L Digest Thursday, 28 Apr 1994 Volume 7 : Issue 28 Today's Topics: WARNING: Possible virus on anonymous FTP, garbo.uwasa.fi (PC) Re: How big a threat are Books? Jitec claim world's first virus-proof computer "Harmless" (right) Viruses AI Viral Detection Re: The truth about good viruses Re: Good Vs. Bad Viruses Potential information Virus Re: The truth about good viruses Re: How big a threat are Books? New Book on Benevolent Viruses Re: Good vs. Bad Viruses / in autoexec.bat is it a virus? (PC) Problem with McAfee's SCAN (PC) "Norton" and "PC Tools" to Merge (PC) HELP ME!!! My PC sing the song!!! (PC) VDS and 4Dos (PC) Is it possible to detect viruses this way? (PC) Help with French Boot virus. (PC) Re: Clean 111 & Mich. (PC) Re: V2P6 ?? (PC) Re: Savannah & Jeremy Viruses ???? (PC) Re: NOVADEMO.EXE (PC) Re: NOVADEMO.EXE (PC) Re: PGP Signed Files & F-Prot (PC) Re: Generic MBD virus in partition table (PC) AVP 2.0 is available on ftp site (PC) F-Prot Error Message (PC) Re: MS-DOS 6.x Anti-Virus (PC) Virus scanners-Which one?? (PC) F-PROT 2.12 announcement (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 18 Apr 94 21:23:41 -0400 From: Subject: WARNING: Possible virus on anonymous FTP, garbo.uwasa.fi (PC) [Moderator's note: This was in the virus-l queue when I returned from several days of business travel; to date, I've received no independent confirmation of this report, so treat it carefully!] ************** VIRUS ALERT ***** VIRUS ALERT *************** Hi guys, it's been a while since i've posted anything here, been upgrading my system. anyhow, I HAVE DISCOVERED A NASTY LITTLE CRITTER IN A FILE FROM THE FTP SITE GARBO.UWASA.FI The filename you should be looking for is MODED301.ZIP In this zip file, the file: HALLBRAS.SAM IS INFECTED WITH THE SATANBUG VIRUS. I found using Frisk's F-prot ver. 2.09d. DO NOT USE F-PROT VER 2.11 TO SCAN THIS FILE, I TRIED DOING THIS AND THE ZIP FILE CAME UP CLEAN. now, Frisk, can u explain why ver 2.09d caught this bug but 2.11 doesn't? I'd really like to know. as you are reading this, a more detailed analysis is being done. for the time being AVOID THIS FILE, BECAUSE MOST LIKELY THE EXECUTABLE FILE IS INFECTED TOO, ALTHOUGH I HAVEN'T CONFIRMED THIS YET. I should also point out that while F-prot ver. 2.09d was able to identify the presence of the satanbug virus, it was unable to remove it. Frisk, any suggetsions on how to deal with this little (or not so little being that, this virus takes up 9kb of DOS memory :( on how to deal with this little pain in the ___ :) fill in the blanks.> PLEASE NOTE: THAT THE APPROPRIATE PEOPLE WILL BE INFORMED OF THIS SITUATION. I will be posting updates to this information as soon as they are availible to me. If you require additional information on how I found this virus, please send me email and i will be happy to accomidate you. - ------- ____________________________________________________________________________ | Christopher Mateja (PRES. / OWNER) |Bitnet: | | Bits-N-Bytes Computer Services |Internet: | | 333 15TH STREET, SUITE #2 |AMER. ONLINE: < - disabled - > | | BROOKLYN, NY 11215-5005 ( USA ) | | |======================================+-------------------------------------| | MY TOYS ?? WHERE ARE MY TOYS !??! I CAN'T DO THIS JOB WITHOUT MY TOYS !!! | |____________________________________________________________________________| ------------------------------ Date: Fri, 08 Apr 94 10:34:46 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: How big a threat are Books? rjryba@major.cs.mtu.edu (Russell J. Ryba) writes: >Hello All, > I just saw an add for the "Little Black Book of Computer Viruses". >It is supposed to teach you how to create your own computer viruses. >Are books like this a threat? They are - the question is how serious the threat is. Consider an older book...Burger's "Computer viruses - a high-tech disease". It included the source code to Vienna.648, Rush_Hour and a few other viruses. Directly or indirectly this book is responsible for all the variants of those viruses that exist. They are not a major problem, compared to many other viruses, but they have caused problems for a number of computer users around the world, and they would probably argue that the books are a threat. >Or is it a good idea to let people know >how they work, so they can protect themselves better? Suppose somebody published a book "How to make deadly poison from common household chemicals"....could the authors argue that they are just informing people about the dangers so they could protect themselves better ? The fact is - you don't need instructions on how to make viruses to be able to defend yourself against them. There are some good books on the market that describe what viruses are, how they work, and how to protect yourself against them - without providing too much assistance to the virus authors. (besides, Ludwig's two books are just plain bad....) - -frisk ------------------------------ Date: Fri, 08 Apr 94 10:45:44 -0400 From: "becky (b.l.) chan" Subject: Jitec claim world's first virus-proof computer News clips from the Globe And Mail and Financial Post: Jitec Corpoaration, a small privately-held computer company in St-Hubert, Quebec has developed the world's first virus-immune computer. Jitec's line of Vectria desktop computers have a patented computer chip called EVAC (electronic virus activity control) which detects the movement of viruses through a computer's memory, rather than tracing their signatures. Existing anti-virus software can only find existing viruses, and must be updated regularly to protect computers from new viruses. The Vectoria does not need updating because it tracks viruses as they jump from one memory sector to another in a computer's memory, acting as a filter to detect and kill viruses. Does anyone know more about Vectoria and how the EVAC technology works? - -- Becky L. Chan email: beckyc@bnr.ca ------------------------------ Date: Fri, 08 Apr 94 11:05:04 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: "Harmless" (right) Viruses >From: WOLF@vaxb.acs.unt.edu >Subject: Harmless Viruses I said: >>I have said before and will say again "there ain't no such thing as a >>harmless virus" (TANSTAAHV - pronounced tahn-stahv). Consided two oft >>mentioned STONED and MICHELANGELO (well - on any day except March 6th). >I doubt anyone would say Michelangelo is a harmless virus. You'd be surprised but ok, how about STONED and JOSHI or INT_10 or WXYC (I specialize in the low level infectors remember - pick any of the 600+ variants, modifications, & corruptions) >Stoned might be merely annoying >except that is was not written to be upwards compatible - therefore it >destroys data. No, it is not *downwards* compatible either - biggest problem to DOS is disks partitioned with FDISK 1.x found in DOS 2.x. Those other OSes that are affected destructively are those that do not conform to the specifications introduced with PC-DOS 3.0 either (and in fact have no reason to). My programs check for this condition. >However, with other examples such as the KOH and >Cruncher 2.1 (notice the version number, very important) I doubt >you could find such flaws. Do not have but from what I have seen these are not viruses any more than PKLite or LZEXE or MACinDOS are. Part of our problem is that there is no formal accepted definition of what a virus is. Dr. Cohen's own definition postulates software that is a virus on Tuesday but not on Monday. >There are some situations that each will >cause incompatibilities, such as any software, BUT because they do ask >for user permission for their actions, I can not see them as being >harmful. In point of fact, each of them can be benificial. KOH >encrypts your hard drive and floppies (should you request it to) >with a user specified password. So what makes that a virus ? MTE is not a virus by itself, nor is any other polymorphic engine, rather they are something that can be added to any program, whether it replicates or not. (Could make an interesting "Canary Trap"). >merely pointing >out that some virus writers (such as some members of TridenT and Mark >Ludwig in the examples above) are writing good, useful, user friendly >programs and deserve a second look regarding the "virus writer" mentality. Still say I have never seen anything that required a virus to operate. Not sure what is meant by "virus writer mentality", my major problem is with the "virus distributer mentality" something I rate with distributing crack to kindergardeners. >Jerusalem was poorly coded and not in the least harmless anyway. To discuss >harmless viruses, stick to the ones that self-respecting researchers will >term that way. Wasn't discussing "harmless" viruseses since TANSTAAHV. Cannot speak for any one else, only myself. Obviously the answer is biased by the definition of "self-respecting researcher". Suspect we would include different people. >Just the fact that a program modifies code, or >even replicates itself while doing so, is not wrong. At last we agree on something so long as it is on your PC and not mine. Warmly, Padgett This is not necessarily the opinion I was told I had. ------------------------------ Date: Fri, 08 Apr 94 11:30:18 -0400 From: "Ian S. Nelson" Subject: AI Viral Detection I was sitting at work the other day (in the AI department at CMU) watching some pretty darn amazing things being done when the idea of an artificial intelligent virus detector came into my mind. Now I've been following virus-l for a long time and every time this subject comes up, the AV "big wigs" say that AI is inappropriate for virus finding. Now I'm just a lowly lab assistant but some of the things I saw done were amazing (and I'm a CS major, so I keep up to date on that type of stuff) Anyhow, most of the AI discussions I have seen are in regards to old school AI (ie big honking search trees and stuff.) The most impressive things I have seen were being done with neural networks. Why couldn't a set of NNs be trained to detect viruses? To me it seems like it would be a great way to make the next generation in virus protection. Albeit, I haven't the slightest idea how to start programming such a beast, but I would think that we have enough viral data (plus you can always make more by infecting dummy files with existing viruses) to train one pretty well. Perhaps a network that was designed to look for replication code and just went through each sector of the harddrives. We could then feed it harddrives infected with viruses (be it boot sectors or spawns or appending or whatever) It seems like it has to be possible, and the best thing is it can only improve itself. - -- Ian S. Nelson I speak for only myself. Finger for my PGP key. If you are a beautiful woman, it is mandatory that you reply to this message. ------------------------------ Date: Fri, 08 Apr 94 11:51:47 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: The truth about good viruses fc@Jupiter.SAIC.Com writes: >I await your further attempts at demonstrating that all viruses are bad. As Alan Solomon once said: There is a difference between Fred Cohens "viruses" and "real" viruses. What Fred considers a "virus" may not necessarily be considered one by most of the anti-virus community...so it is possible to construct something which according to FC is a "beneficial virus", but according to other definitions is not a virus at all. - -frisk ------------------------------ Date: Fri, 08 Apr 94 12:35:16 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Good Vs. Bad Viruses Mike Mattone (mike@mik.uky.edu) writes: > I think that the people who design the virus-protection software are > the ones inventing a majority of the viruses out there. Yeah...sure...if you belive that I have a nice bridge to sell you as well. most anti-virus products are updated every two months or so. Even if there was only one new virus per month, there would still be the same number of updates released. Instead we have around 7 new ones per day. I sure wish that I only got one per month - then I might be able to work a bit less than those 100 hours per week that I am currently doing, and still make the same amount of money :-) This does not mean that no virus author has tried selling an anti-virus product - I can name at least three examples where this is true - but those few viruses are only a fraction of a percent of the total number of viruses today. - -frisk ------------------------------ Date: Fri, 08 Apr 94 18:54:28 -0400 From: Brian Seborg Subject: Potential information Virus I have been misquoted by Walter Murdock. In the last issue he attributed a quote to me saying in essence that virus statistics were manipulated by the anti-virus producers and that the virus problem was blown out of proportion. This was in fact the statement of KTark. I disagree with this statement entirely! Viruses are a real threat, no doubt some anti-virus authors have a vested interest in people being aware of this problem, and sometimes taking advantage of the fear factor, but the truth remains that viruses are out there, that they are a threat, and that it is a good idea to have some type of virus protection mechanism. Frankly, I don't care whose product you buy. In fact, the fact that there are several anti-virus products out there is good. You have a choice, virus authors can't beat them all without an inordinate amount of effort, and it keeps the quality of the products up while the price stays low! I respect many of my competitors, even though I think VDS is the best! As for Fred Cohen, are you really going to argue that there is such thing as a good virus in the wild? If you know some secret that the rest of us don't then I'd like to hear about it because I think that you are being irresponsible to suggest that there are such things as good viruses unless you qualify that by stating that this is only true in a research environment that is controlled. I'm not arguing that one cannot hypothesize a useful virus, what I am saying is that such a thing is not practical. Name something that cannot be done with other than a virus and then you may have something. But if the application is to study or simulate artificial life, then although this is fine in a lab, it is not fine in the real world. After all, this is why you were unable to complete your full experiments as detailed in your dissertation. No one was willing to let you release viruses on their systems once they saw what they could do, no matter how benign you made them or if you included code that asked permission to infect, or announced each infection. No one will abide a virus in a production environment. And remember, impressionable minds like KTark are listening to you, so put up an argument or concede that useful viruses are limited to the lab. Fruitful information is likely to come out of your research, but would you like to report any experiments you have done that include the release of live viruses into the wild? I thought not. Brian Seborg VDS Advanced Research Group ------------------------------ Date: Fri, 08 Apr 94 21:18:35 -0400 From: datadec@ucrengr.ucr.edu (Kevin Marcus) Subject: Re: The truth about good viruses wrote: >The truth about good viruses: > >Typical security pundit comment >- -------------------------------- > The truth about this subject > ---------------------------- >There ain't no such thing as a good virus >(because) they all cause damage under some >circumstances > The same is true for any program - what does > being a virus have to do with it? - Nothing Well, maybe if you are under an OS like AIX or something. Otherwise, I doubt it. Now, while I imagine that most products have "bugs" which may cause some kinda quirk on some weird system, the idea is that they were not written carelessly to create these bugs. There are attempts to fix them. Just out of curiosity, anyone have any problems with either lharc or even dsz? (For those who want to reply about dsz and nonregistered copies plaguing WWIV BBS's, you're wrong; that is WWIV's bug. :)) >I've never met a virus I liked > Bigotry was never a good excuse before, why use it > as one now. While I wouldn't say that I have seen this come up, I wouldn't put it past some of the people on this group. Have you ever met.. say, a nuclear missile that you liked pointed at your home? Me neither. >All viruses are bad because they go where they >are not authorized to go, overwriting data, or >at least using othrewise available space and time. > The definition of virus does not imply spreading > without authority or overwriting other data. If > using otherwise unused space or time is inherently > bad, then all programs are inherently bad, not just > viruses, because all programs use time and space that > would not otherwise be used. Er... I know this is gunna cause soem chaos, but you don't have a definition of a virus there to say what is implied, and what isn't. Additionally, the space and time that "all" programs use are often WANTED, while a virus is often NOT WANTED. >P.S. Whoever has been taking the heat for supporting the concept of >good viruses - I commend you. Sorry I haven't been more supportive, but >I have been busy finishing a book on good viruses. Please send me some >E-mail so we can gang up on these miscreants who can't tell the >difference between morality and mathematics. - FC April 1st was a few days ago; you're a bit late. - -- --=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu "ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution. Computer Science Dept., University of California, Riverside. .oOo.oOo. T H I E V E S S U C K .oOo.oOo. ------------------------------ Date: Sat, 09 Apr 94 02:51:49 -0400 From: "Steve Bonds (007" Subject: Re: How big a threat are Books? Russell J. Ryba wrote: > I just saw an add for the "Little Black Book of Computer Viruses". >It is supposed to teach you how to create your own computer viruses. >Are books like this a threat? Or is it a good idea to let people know >how they work, so they can protect themselves better? I think I read >somwhere that TIMID was listed in this book. Either in an article, or >Virus info list somewhere. So, what do you think? Post replies >please. It is certainly a good idea to let people know how viruses work-- at a minimum it would cut down on the number of posts we get around from people here asking how to disinfect FORM from their files, or wondering if they are taking a risk reading articles in this group because they might contain viruses. A bit of virus literacy would certainly be welcome. However, publishing source code for viruses allows people with little or no programming skill to make small modifications-- just modified enough to throw off signature scanning and exact identification. While I doubt much can be done about it, I feel that publishing source code is unethical and nobody will get any part of the source code I have collected unless I know them personally and they have grave need for it. It is interesting to run through these sources since they often give a bit of insight into the author, but the danger of widespread modification overshadows the possible benefit to researchers in my mind. Since so few of these books are published, I doubt they are a serious threat. Anyone who NEEDS one of these books is unlikely to write successful viruses with only the knowledge in the book. Even experienced assembly programmers have a hard time creating viable viruses. People panicked when VCS came out thinking that now "anyone" could create viruses using a nice window-oriented interface. That fear was never realized, since the viruses that VCS created were both feeble and easily detected by scanning. How-to manuals for a variety of illegal activities are already freely available in the USA. It is no real shock to me that how-to's for viruses are also included... In summary, I think it is impossible to control the knowledge of how to write a virus so we would be better off convincing people of the unethicality of such actions. -- Steve Bonds - -- 000 000 7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Childhood is short... [Calvin & Hobbes] 000 000 7 | ...but immaturity is forever. ------------------------------ Date: Sat, 09 Apr 94 08:40:39 -0400 From: Subject: New Book on Benevolent Viruses "It's Alive!" - Now available from John Wiley and Sons Publishers Author Dr. Frederick B. Cohen ISBN 0-471-00860-5 Contents: Introduction A Definition of Life Ecosystems Formalities Life - The Game LPs Other Worlds Evolution The Future Annotated Bibliography Comes with a software disk containing source code for benevolent viruses for Unix as well as a Life game and other similar systems. ALSO INCLUDED: - An Intergenerational Communications Theory - Diseases of the Joint Life Form - The Nanotechnology Breeder Reactor - CoreWar and Tierra - Benevolent Viruses for Distributed Databases - And a whole lot more! Here's what one reviewer said about it: "In It's Alive, Fred Cohen does for living programs what Stephen Jay Gould did for evolution, and Asimov did for just about everything else in the cosmos. ..." If you are interested in artificial life or computer viruses, this book is a must read - only $39.95, software included, published by John Wiley and Sons, New York. FC ------------------------------ Date: Mon, 11 Apr 94 17:09:39 -0400 From: vfr@netcom.com (vfr) Subject: Re: Good vs. Bad Viruses olpopeye@aol.com writes: >Then we encounter "Sara" (vfr@netcom.com) who seems to feel >that one must consider the "Social and ethical aspects;" to say >that "it would be very wrong to say all virus writers are intentionally >malicious people." yep. this is what i say, and it is based on numerous interactions with virus writers (and distributors); research conducted using standard accepted ethical models, etc. >Oh? I disagree, but given the book definition of "malicious," there >exists a semantic difference that in no way mitigates the deleterious >effects of some idiot loosing a virus upon the computer world. i agree, deliberate release of any program that is capable of placing itself into another persons 'space' without their consent is not good. i am interested in why you disagree. perhaps you or anyone who does disagree with my statement could e-mail me why, specifically. views opposite my findings are of great interest, especially if they are thoroughly documented. >Knowing these effects, how can *ANYONE* sit and write a virus >(generic term, to include Trojans, worms, et al) knowing that there >exists a high probability that once written, it will be released either >through INTENT or through NEGLIGENCE and thus cause highly >undesirable effects to someone else's computer/data/business/etc.? this is one point i would like to address. it is simply not true that every person who writes a virus 'knows' this. it is also incorrect to assume that -every- virus that is ever written will be released thru intent or negligence. i agree with you (if this is what you are saying) that it is likely in most cases. and, i agree that the writing of a virus is in most cases waste of time, misdirected energy. >So personally, I don;t care what your social or ethical lacks, >your "flavors," your "motivation," or any "who/where/why/what/when >and then some," keep your destructive crap out of MY computer! i agree. no one has the right to put any proggie of any type into your computer. but it would be gross oversimplification to assume that this is the goal of -every- individual who has ever written or who will write a virus. this is understandably a very sensitive type issue; many people have suffered terrible damage, harm, etc., because of viruses. the people who have written them are responsible for this damage; the people who have distributed them are responsible for this damage. the people who make 'heros' of the writers are responsible for this damage, and in the past i have been guilty of somewhat 'romanticizing' the virus as have the -majority- of anti-virus involved people i know, who participate here. we can do it unintentionally, some can do it intentionally (this is usually the job of the virus distributor or other pro-virus individual). and, the only way to stop the 'problem' would seem to be for people to stop writing viruses, or if they must do it, to stop releasing them. it really is not worth the little attention they get for it... if there is anyone else working in field of viruses and ethics, please mail me regarding a mailing list which will deal with this topic. there has been some interest, especially with virus as autonomous agents making its way to the frontlines. - -- SGordon@Dockmaster.ncsc.mil / vfr@netcom.com bbs: 219-273-2431 fidonet 1:227/190 / virnet 9:10/0 p.o. box 11417 south bend, in 46624 while [ $lines -le $maxlines ] do echo >> $BUFFER lines='expr $lines +1 ' ------------------------------ Date: Thu, 07 Apr 94 13:34:40 -0400 From: kclark@herbie.unl.edu (Kevin Clark) Subject: / in autoexec.bat is it a virus? (PC) Sorry if this is a common question, but where I work we have been having problems with a / showing up in two different machines. I'm wondering if a virus may be causing this. The computers are set up on a coactive network and swap disks back an forth so it is very likely they could be passing it back and forth. We have had it happen twice in the past two weeks. I don't know much about IBM's being a mac person myself, so any help would be appreciated. Thanks, - -- .---. <<< Kevin Clark >>>kclark@herbie.unl.edu -----oOOo-(_0 0_)-oOOo------- (_) ------------------------------ Date: Thu, 07 Apr 94 15:02:45 -0400 From: JDG111@psuvm.psu.edu Subject: Problem with McAfee's SCAN (PC) Recently at work I installed SCAN 1.13 on one of our machines. I had it set to scan memory and the C:\DOS directory at bootup. The command was the first line in the autoexec.bat file, so SCAN was run before any other programs. It all worked well, until I tried to run a TSR program AFTER scan had finished it's checking. The TSR locked up, and refused to work. I know SCAN doesn't stay resident in memory, and there shouldn't have been ANY conflict with the TSR, since the TSR was loaded only after the scan was completed. At first, I thought the TSR might have been corrupted, but as soon as I removed SCAN from the autoexec.bat file, and booted, the TSR worked fine. I repeated the process different times, using scan with the /NOMEM switch and all, but everytime scan ran before the TSR was loaded, the TSR refused to work. If scan wasn't run, the TSR worked with no problems. My question to the rest of you - WHY? Does scan possibly corrupt memory or not reset some necessary pointers when it runs? I have no explanation, except that scan must alter something in memory and whatever it changes conflicts with the TSR when it is loaded. (BTW, the TSR is loaded ONLY from the autoexec.bat, there are no drivers for it in Config.sys, and, as I stated twice before, it's loaded into memory only AFTER scan has run it's course.) Ideas anyone? --Doug ------------------------------ Date: Thu, 07 Apr 94 15:41:26 -0400 From: "Tom Zmudzinski" Subject: "Norton" and "PC Tools" to Merge (PC) In case any fans of these two product lines are interest, these two already excellent companies are about to become one: Symantec and Central Point Merge Strengthens Presence In Enterprise Market CUPERTINO, Calif. A April 4, 1994 A Symantec Corporation (NASDAQ:SYMC) today announced a definitive agreement to merge with Central Point Software, Inc., a Beaverton, Ore.-based company, in a deal estimated at $60 million. The merger will be a pooling of interest whereby all outstanding shares of Central Point stock will be exchanged for an aggregate of approximately 4 million shares of Symantec stock. Symantec and Central Point, both well-known for desktop utility products, have each been investing in development and acquisition of products in the fast-growing market for software designed for networked computers -- the enterprise software market. Symantec markets several successful enterprise software products, Norton Administrator for Networks, Norton AntiVirus for NetWare, Norton Utilities Administrator and Norton DiskLock Administrator. In addition, Central Point markets enterprise products including Central Point Anti-Virus for NetWare, XTree Tools for Networks, XTreeNet, NetControl, and LANlord. "By combining with Central Point, Symantec will be better positioned to compete in this new and rapidly expanding market for enterprise software," said Gordon E. Eubanks, CEO and President of Symantec Corp. "Our Norton enterprise products are already well-received. We have sold more than 100,000 copies of Norton Administrator for Networks. However, this market is competitive. By combining with Central Point, we will significantly increase our resources committed to the enterprise," continued Eubanks. Chuck Boesenberg, CEO and chairman of Central Point commented, "Success in the competitive enterprise arena was critical to both companies' long-term growth. Symantec's strengths - data recovery and data management - are very complementary to our own. Together we are a stronger enterprise company." Boesenberg will remain with the merged company and will actively manage the development and shipment of next generation Central Point desktop products such as the PC Tools brand. Rick Schell, currently vice president and general manager of the Central Point Network Product Group, will also remain with the merged company. Boesenberg will also assume a seat on the Symantec board of directors. The merger is subject to regulatory review under the Hart-Scott-Rodino Act, and is expected to close in the June quarter. Central Point, headquartered in Beaverton, Ore., is a leading developer of desktop utility and network management software. The company builds products for Windows, DOS, Macintosh and OS/2 desktops, as well as Novell NetWare and other popular network operating systems. Founded in 1981, the company now has a worldwide customer base of more than seven million users. The company's products are translated into eight foreign languages and are available in more than 30 countries. Symantec Corporation provides a broad line of software for the enterprise including the Norton family of products, networked productivity applications, and software languages for development in the enterprise. The company is headquartered in Cupertino, Calif. and sells its software worldwide. Brand and product references herein are registered trademarks or trademarks of their respective holders. ------------------------------ Date: Thu, 07 Apr 94 15:54:02 -0400 From: nas@netcom.com (Vasily Nasedkin) Subject: HELP ME!!! My PC sing the song!!! (PC) Is anybody knows what the hell is that - my PC plays the funeral music from the internal speaker every 30 min.? Antivirus programm in DOS 6.0 doesn't detect anything. Please help me! I am dying with my PC. Vasily. ------------------------------ Date: Thu, 07 Apr 94 16:04:22 -0400 From: ramontur@ecst.csuchico.edu (Ramon Turner) Subject: VDS and 4Dos (PC) Hello all. I just recently d/led a copy of vds30j.zip...and it's a GREAT program, one of the most extensive I've seen so far. From what the docs say, I can't wait to register. One SMALL problem, tho. The code isn't consistant with itself. When it initialized its file database, it recognized that I was running under a different command interpreter...4DOS.COM. I REALLY liked that. Unfortunately, when I rebooted, it searched all of my boot files for viruses or aberrations. THIS time, it went STRAIGHT to COMMAND.COM, instead of 4DOS.COM, and since the info that it had on my command interpreter was DIFFERENT from what it saw in COMMAND.COM, it decided that my command interpreter was different from what it ORIGINALLY was. *SIGH*. It's an EASY programming mistake to make, one I've made a LOT of times...but at LEAST they could have made ALL of the code go directly to COMMAND.COM, not just PARTS. Does anyone know if this bug(it's NOT a feature :) is fixed in either the commercial or registered version? I should probably just send a message to the authors... :) I'd recommend that you all pick it up and take a look at it. One word of warning: if you are going to reinitialize the file database, make sure that you have a spare copy of the program lying around...it has a NASTY habit of ASSUMING that you don't want it installed if anything goes wrong(an invalid directory, for example), or if you abort installation, and erases itself. - -Ramon - -- * + * + + * * + + + * Ramon Turner (ramontur@ecst.csuchico.edu) * + * * + * * + * + + + * + * ------------------------------ Date: Fri, 08 Apr 94 10:49:26 -0400 From: fuzzy@nttsgw.yh.ntts.co.jp (Toru Fujii) Subject: Is it possible to detect viruses this way? (PC) I'm not sure if this is the right news group for this article. Please excuse me if I'm in the wrong news group. I'm a novice in this field, but I just thought of a simple way to detect viruses on PCs. Method is really simple. 1. Make an .EXE or .COM file which the only content is RET code or something similar and very small (1 byte or so.) 2. Run this program and see change in its size. If the PC is infected, virus should infect the file and change the size of this small file, and thus the virus should be detected. Can someone tell me if it is possible or why is it not possible? Thanks. - -- Toru Fujii (E-mail:fuzzy@nttsgw.yh.ntts.co.jp) ------------------------------ Date: Fri, 08 Apr 94 11:16:01 -0400 From: Jeff Auman Subject: Help with French Boot virus. (PC) Our campus public labs at Penn State have seen a recent rash of infections of what F-Prot 2.11 refers to as the "French Boot" virus, but makes no attempt to disinfect it. It appears to be a simple MBR virus, but there have been a few instances where FAT table corruption has occured. I guess there's the possibility of different variants, but using f-prot 2.11 and McAfee's scan, (which simply identifies it as a generic boot virus), I can't really tell. McAfee's is usually able to fix the disk when the original MBR is located on the disk, and has been necessary when the FAT table was corrupted. But, we can't use McAfee's since PSU does not currently have a site license (nor will there be one in the future). Does anyone know of a good disinifection alternative for those cases where FAT corruption (of floppies) has occured? Thanks. Jeff Auman CAC Help Desk Consultant ------------------------------ Date: Fri, 08 Apr 94 11:30:26 -0400 From: "Michael Chui" Subject: Re: Clean 111 & Mich. (PC) Scott Howard wrote: >I believe that McAfee was involved in computer security well before >viruses were even heard of. Not exactly the same thing, but close enough. References? Michael Chui mchui@cs.indiana.edu ------------------------------ Date: Fri, 08 Apr 94 11:44:43 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: V2P6 ?? (PC) Alan.Thew@liv.ac.uk (Alan Thew) writes: >A UK scanner (viscan) has found a virus called V2P6 in a WordPerfect file >(WP 6.0a for DOS) > \WP60\CVDWPG2.CVX >My first thoughts were that this might be a false positive. Yep. That is what it is. Rule-of-thumb #1 You never have one infected file (it is 0 or "many") V2P6 is a non-resident virus that will only infect files having a .COM extension. Also V2P6 is a polymorphic virus - and as such has a somewhat higher chance of causing a false positive than "normal" viruses. Viscan was an OK product back in '91, but it is not as "up-to-date" as the leading UK scanner (DSAVTK). - -frisk ------------------------------ Date: Fri, 08 Apr 94 11:46:35 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Savannah & Jeremy Viruses ???? (PC) SPITZ_DAVE@MUSIC.LIB.MATC.EDU (Dave Spitz) writes: >Hi all, I've been gatting a lot of mail with bits and piece of info >about the 2 aboved mentioned viruses from another virus list. Never heard of them. Not in my 4000 virus collection. Not a CARO name. In other words - if those viruses exist, they are brand new, and I don't think anybody here can tell you anything of use. - -frisk ------------------------------ Date: Fri, 08 Apr 94 14:04:34 -0400 From: hermanni@wavu.elma.fi (Mikko Hypponen) Subject: Re: NOVADEMO.EXE (PC) Clinton Bodine (junix!cbodine@sinkhole.unf.edu) wrote: > I was curious if anyone else has experienced the fun of NOVADEMO.EXE. I was just writing up an entry about this virus for the F-PROT Professional virus-info database. Here it is: - -- HLLO.Dangerous_Messanger is a non-resident overwriting virus written with a high-level language, probably with Turbo Pascal 4.0. It has been packed with PKLITE 1.15, and it spreads in packed form. This virus was originally found in Finland in March 1994, and it seems to be of Finnish origin. It was initially spreaded via BBS systems, in a file called NOVADEMO.ZIP. This archive was described with the following FILE_ID.DIZ file: Nova Demo New group presents new demo called NOVA now with GUS, SB Pro, SB, PAS and Aria support! This most parts of this demo are in SVGA mode! And effects are as fast as usually! This is state of art programming! HLLO.Dangorous_Messanger infects files in the current directory and in directory \DOS, if such exists. It does some preliminary checking before infecting a file, and will not infect files which are smaller than approximately 12000 bytes. When an infected program is executed, the virus starts to search for suitable EXE-files in the \DOS directory of current drive. If no suitable files are found, the virus will search for victims in the current directory. Once the virus has found an appropriate file for infection, it will overwrite the first 12288 bytes of the victim file with the virus code. The actual code part of the virus takes up 8192 bytes, the rest 4096 bytes are just random filler bytes. Virus infects up to three files during one execution. The virus does not change the date and time stamps of the files it infects. Files are irreparably damaged by this infection process, and they need to be replaced with clean copies. After infection the virus will overwrite the program file it was launched from with a text string "Dangerous Messanger was here" and delete it. After this it will exit - on random times it will also display the text "Bad command or file name" before exiting. The virus contains a separate activation routine, which is executed on seemingly random basis. At this time, it will overwrite all files in the current directory with several kilobytes of the same "Dangerous Messanger" string and delete them. Finally the virus clears the screen and hangs the machine. In addition to the strings shown above, the virus also contains the following text strings: "This is Dangerous Messanger, and here is my message to the world" "Computer protected, no action." "Can't initalize hardware... Try on another computer..." The second string above might indicate that the virus will not spread if the machine is protected with some sort of marker. The last string is displayed only when the initial dropper of this virus, NOVADEMO.EXE, is executed. Even though this virus infects files only in DOS-directory and in the current directory, it is capable of spreading across the directory tree. This happens, for example, when a user changes to another directory and runs an infected program via path. Running CHKDSK in C:\WINDOWS-directory would cause three of the EXE-programs in Windows-directory to be infected. - -- As this virus destroys the files it infects, it is not supposed to become a serious threat. However, at this time I have received multiple reports of this virus being in the wild in Scandinavia and also in Belgium. Current anti-virus scanners (that I have access to) do not detect this virus. This is no wonder since this virus is fairly new, it is written in a high-level language and it is also packed. The next version of F-PROT should be able to handle it, though. At this moment the virus can be located fairly easily with a text- searching tool like Norton Utilities' TS.EXE, by searching for the text which the virus has in the start of the file, replacing the original PKLITE Copyright statement: "Finnish demogroup NOVA 1994!". Mail me for more detailed information. - -- Mikko Hypponen // mikko.hypponen@df.elma.fi // Finland Data Fellows Ltd's F-PROT Professional Support: f-prot@df.elma.fi PGP 2.3a public key available, ask by e-mail ------------------------------ Date: Fri, 08 Apr 94 14:11:54 -0400 From: mikko.hypponen@df.elma.fi Subject: Re: NOVADEMO.EXE (PC) Clinton Bodine (junix!cbodine@sinkhole.unf.edu) writes: > I was curious if anyone else has experienced the fun of NOVADEMO.EXE I was just writing a description of this virus for F-PROT Professional virus-info database. Here it is: - -- HLLO.Dangerous_Messanger is a non-resident overwriting virus written with a high-level language, probably with Turbo Pascal 4.0. It has been packed with PKLITE 1.15, and it spreads in packed form. This virus was originally found in Finland in March 1994, and it seems to be of Finnish origin. It was initially spreaded via BBS systems, in a file called NOVADEMO.ZIP. This archive was described with the following FILE_ID.DIZ file: Nova Demo New group presents new demo called NOVA now with GUS, SB Pro, SB, PAS and Aria support! This most parts of this demo are in SVGA mode! And effects are as fast as usually! This is state of art programming! HLLO.Dangorous_Messanger infects files in the current directory and in directory \DOS, if such exists. It does some preliminary checking before infecting a file, and will not infect files which are smaller than approximately 12000 bytes. When an infected program is executed, the virus starts to search for suitable EXE-files in the \DOS directory of current drive. If no suitable files are found, the virus will search for victims in the current directory. Once the virus has found an appropriate file for infection, it will overwrite the first 12288 bytes of the victim file with the virus code. The actual code part of the virus takes up 8192 bytes, the rest 4096 bytes are just random filler bytes. Virus infects up to three files during one execution. The virus does not change the date and time stamps of the files it infects. Files are irreparably damaged by this infection process, and they need to be replaced with clean copies. After infection the virus will overwrite the program file it was launched from with a text string "Dangerous Messanger was here" and delete it. After this it will exit - on random times it will also display the text "Bad command or file name" before exiting. The virus contains a separate activation routine, which is executed on seemingly random basis. At this time, it will overwrite all files in the current directory with several kilobytes of the same "Dangerous Messanger" string and delete them. Finally the virus clears the screen and hangs the machine. In addition to the strings shown above, the virus also contains the following text strings: "This is Dangerous Messanger, and here is my message to the world" "Computer protected, no action." "Can't initalize hardware... Try on another computer..." The second string above might indicate that the virus will not spread if the machine is protected with some sort of marker. The last string is displayed only when the initial dropper of this virus, NOVADEMO.EXE, is executed. Even though this virus infects files only in DOS-directory and in the current directory, it is capable of spreading across the directory tree. This happens, for example, when a user changes to another directory and runs an infected program via path. Running CHKDSK in C:\WINDOWS-directory would cause three of the EXE-programs in Windows-directory to be infected. - -- As this virus destroys the files it infects, it is not supposed to become a serious threat. However, at this time I have received multiple reports of this virus being in the wild in Scandinavia and also in Belgium. Current anti-virus scanners (that I have access to) do not detect this virus. This is no wonder since this virus is fairly new, it is written in a high-level language and it is also packed. The next version of F-PROT should be able to handle it, though. At this moment the virus can be located fairly easily with a text- searching tool like Norton Utilities' TS.EXE, by searching for the text which the virus has in the start of the file, replacing the original PKLITE Copyright statement: "Finnish demogroup NOVA 1994!". Mail me for more detailed information. - -- Mikko Hypponen // mikko.hypponen@df.elma.fi // Finland Data Fellows Ltd's F-PROT Professional Support: f-prot@df.elma.fi PGP 2.3a public key available, ask by e-mail ------------------------------ Date: Fri, 08 Apr 94 15:32:50 -0400 From: mramey@u.washington.edu (Mike Ramey) Subject: Re: PGP Signed Files & F-Prot (PC) If Frisk begins using a "PGP public key" on his files, I will need some information and instructions on how to access (and verify?) the files. Where can I find info/instrs for PGP public key -- for newbies?! -mr bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >Yes, indeed, I wholeheartly support the idea! Frisk's PGP public key >has already received wide distribution, it is on the PGP public key >servers, is signed by me, and it is rather difficult to spoof it. He >*really* should begin to include detached signatures of at least the >executable files in his package - and maybe clearsign the >documentation files. Frisk? Please? :-) ------------------------------ Date: Sat, 09 Apr 94 03:00:39 -0400 From: "Steve Bonds (007" Subject: Re: Generic MBD virus in partition table (PC) Christine JOUVE wrote: >I have discovered it using scan which have informed me by the message: >"Scanning partition table of disk C: > Found the Generic MBD [Genp] virus in partition table." > >Before removing it with clean, I have rebuilt the partition table with >my favorite "doctor" (Norton utilities). > >Every things become right (scan have detected no virus) until reusing scan, >a few days later, I have descovered again that my PC is infected by >Generic MBR virus. There is no such thing as the Generic MBR Virus. SCAN uses this name to refer to a number of different viruses which all can be disinfected using a similar scheme-- hence the term "generic". CLEAN is notorious for leaving a trail of wreckage when it is used to disinfect viruses because it isn't always able to make an exact identification. Often you are better off BEFORE using CLEAN. ;-> Your computer becomes infected when you attempt a boot from an infected floppy disk. The boot does not have to be successful-- you can get infected even from an "unbootable" floppy. Get a better scanner (see below) and check your floppies for viruses. To keep from getting reinfected I recommend the following. (Hmmm... this is sounding awful familiar... ;-> ) + Change your CMOS to prevent floppy boots. If you NEED to boot from a floppy install a program on your hard disk that allows floppy boots on request. Mail me for more detail. + Install F-prot's VIRSTOP with the /BOOT and /WARM switches. This will catch viruses before you can get infected if you use a warm boot or access the disk before trying to boot from it. (Say by taking a DIR.) Be sure to F-TEST it so it's working OK! + Keep a copy of your MBR/DBR stored someplace off-line. (On a write-protected floppy!) Just in case... + Install a virus-resistant MBR, such as SAFEMBR. -- Steve Bonds - -- 000 000 7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Childhood is short... [Calvin & Hobbes] 000 000 7 | ...but immaturity is forever. ------------------------------ Date: Sat, 09 Apr 94 12:15:39 +0400 From: eugene Subject: AVP 2.0 is available on ftp site (PC) Hello! Antiviral Toolkit Pro (AVP) ver. 2.0 is available on anonymous ftp site: ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_200.zip You can use an ftp-by-email server to download it: ftpmail@doc.ic.ac.uk ftpmail@Pa.dec.com ftpmail@cs.uow.edu.au There are three features included into AVP 2.0: - - Code Analyzer (heuristic scanner) detects new viruses or modified variants of the old ones; - - Unpacking Engine allows to scan and disinfect packed (PKLITE,LZEXE,...) files in on-the-fly mode; - - Extracting Engine allows to scan archive files (ZIP,ARJ) in on-the-fly mode; Good luck, Eugene - --- - -- Eugene Kaspersky, KAMI Group, Moscow, Russia - -- eugene@kamis.msk.su +7 (095)278-9949 ------------------------------ Date: Sat, 09 Apr 94 13:04:36 -0400 From: Said Fattouh Subject: F-Prot Error Message (PC) When I run F-Prot v2.11 from any drive other than C, A or B (ex: F or E), I get the following error: "Disk error on drive F" and then it gives me the option to either retry or press ESC to abort. If I choose ESC to abort, it continues. It will repeat the error almost on every option I select. Does anyone know how to get around the error? Thank you. Said Fattouh Academic Computing University of Houston-Downtown said@dt.uh.edu ------------------------------ Date: Sun, 10 Apr 94 09:08:27 -0400 From: Bradford Smith Subject: Re: MS-DOS 6.x Anti-Virus (PC) Regarding the MSAV included with DOS 6.0.. Has anyone heard of it containg scraps of virus code? I recently used a scanner that reported that file infected with a virus named "1226". Any comments would be appreciated. Regards, Brad ------------------------------ Date: Sun, 10 Apr 94 23:18:47 -0400 From: cmassa@post.its.mcw.edu (Christopher Massa) Subject: Virus scanners-Which one?? (PC) I missed the series of posts about which virus scanner is best (preferably shareware, but would like to know about commercial programs also). Which one is most reliable and easiest to use? How do the Microsoft antivirus programs that are packaged with MSDOS and Windows compare with these others? Thanks. Chris Massa ------------------------------ Date: Wed, 27 Apr 94 13:08:17 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: F-PROT 2.12 announcement (PC) I have released version 2.12 of F-PROT. It has been uploaded to the usual distribution sites, but may not be available for download from some of them, such as oak.oakland.edu until tomorrow. If you prefer a copy by e-mail, you can send a message to f-prot@complex.is Version 2.12 - major changes: The identification of boot sector viruses has been improved significantly. F-PROT does exact identification for most boot sector viruses it detects, and previously it would refuse to remove variants that differed by as little as one bit from the original virus. Other programs which did not do as good identification would happily remove the virus. F-PROT now attempts to determine if a new boot sector virus is sufficiently similar to a known variant to attempt disinfection. Some improvements have been made to VIRSTOP. It is now more Windows- friendly than before - it will now beep instead of asking the user to press ENTER when intercepting a boot virus. It is now also possible to specify which drive to use for the "swap" files when using the /DISK switch. Finally, the /REHOOK switch allows VIRSTOP to be re-enabled, it was loaded before NETWARE or another program that took over the "load-and-execute" function. Version 2.12 - the following problems were found and corrected: Several false positives were fixed. The "Tamanna" false positive appeared in 2.11. The others were older, but had not been reported to us before. "Possibly a new variant of Tamanna" in PWLICLMT.EXE (part of a beta release of DEC Pathworks) "Possibly a new variant of Cysta" in KBDF.COM (Turkish keyboard driver) "Possibly a new variant of SillyOR" in a program named TRAPKEY.EXE "Leprosy" (VIRSTOP/Quick Scan) in a program named OPENPORT.COM F-PROT 2.11 and earlier would not detect all Cysta.8045-infected .SYS files. The Stoned.Angelina virus was not identified properly on 3.5" diskettes. Some Voronezh.1600 and Liberty-infected files were not disinfected correctly. Version 2.12 - minor improvements and changes: When using the /ANALYSE option, F-PROT will now not report "Invalid entry point", unless the file has a .COM or .EXE extension - not .OVL for example. If a virus is damaged, by shortening the file by a few bytes, F-PROT will now report "- truncated (xxx bytes missing)", instead of reporting just "New or modified variant of ...". This should never happen under normal circumstances and is of most interest to researchers that may have corrupted samples in their collections. Version 2.12 - new viruses: The following 58 viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..." AB Abraxas (1214, 1304 and 1508) Burger (405.D, 405.E, 405.F, 441, 505.G, 505.H, 505.I, 505.J, 560.AK, 560.AL, 560.AM and 560.AN) Como.1786 Doubleheart.452.B Genvir.1376 Grog (Enmity, Sempre and Trumpery) HBT HLLO (4505, 5760, Mission, Novademo.A and Novademo.B) Hot Milan (AntiNazi, Naziskin.270, Naziskin.903, Sabrina and Verbatim) Silly_Willy-trojanized .EXE files Slugger Trivial (23, 24, 25.B, 25.C, 27.D, 31.C, 36.A, 36.B, 36.C, 37, 38, 39, 42.F, 42.G, 42.H, 43.B, 43.C, 59, 66, 89, 342, Ansibomb and Vootie.B) VCL (526, Mindless.423 and Muu) ZigZag.232 The following 449 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately. _241 _451 _494 _635 _638 _779 _804 _1987 _2717 Accept (3619 and 3773) Aiw Alexander (1843 and 2104) AntiCMOS AntiMIT.764 Arcv (Jo.912 and Ice-9.642) Armageddon.1079.E Ash (712 and 1586) Australian_Parasite (152, 153, 155, 187, 215, AMSV, 635, Feeble, Vga_Demo, Comic, Lipo, Gotter and 306) B1 Baba Badsectors.3422 Baron Behaviour.Herb Berlusconi Betaboys.615 Big_Bang Billy Black_Jec (230, 246 and Sad.300) Blood_Sugar BUPT.1261 Butterfly.FJM Cascade (1699.B, 1701.Jojo.G, 1701.M, 1701.N, 1701.O, 1701.P and 1704.S) Changsha Civil_War.281 Civil IV (568 and 586) Cybercide (1321 and 2256) Danish_Tiny (NC.284, NC.286 and Wild_Thing.287) Dark_Avenger (1797, 1799, 1800.Eugen, 1800.L, 1800.Platina, 1813 and Major) Datalock (828.B and 828.C) Deicide_II.622 Dementia Dutch_Tiny.111 Ear (Job and Homecoming) Fax_Free (608.A, 608.B, 622, 623, 1024.C, 1024.D, 1024.E, 1536.Lamer, 1536.Pinniz.A, 1536.Pinniz.B, 1536.Pinniz.C, 1536.Pinniz.D and 1536.Pisello2) Flip (2153.G and 2153.H) Friday_the_13th (416.C and 416.D) Frodo.Fish_6.D Ginger Gippo.JumpingJack Gotcha.605 Green_Caterpillar.1575.G Grog (1089, Gonfie, IlCuoce, Noncemale and Ovile) Grunt.529 Hates.212 Helloween (1228, 1401 and 1430) HH&H.4087 Hiperion.249 HLLC.Sauna Hungarian (1409 and Kiss.1006) Hungarian_Andromeda (1024 and 1536.B) Icelandic.656.C Ienez Industrial Intruder.1555 Ionkin.195 IVP (351, 644, Crystal, Stress, Taselhoff, Wild_Thing.555 and Wild_Thing.557) Japanese_Christmas.722 Jerusalem (2389, 1808.CT.SubZero.B, 1808.SuMsDos.AN, Sunday.K, Tarapa and Zerotime.Australian.C) Jimi Keypress (1232.L and 1600) KMIT Kolumna Kommuna Kuang Lyceum.1901 March_25th (B and C) Marzia (D, E, F, G, H, I, J and K) Metallica.2620 Michelangelo (C, G and J) Mirage MMIR.278 Murphy (1477, 1521.B, 1650, 1659, 1752, Delyrium.1788 and Napalm) Nipple NoFrills.840 November_17th (900.B, 900.C and 998) Npox.1015 PCBB.1845 Phantasm PHX.1360 Ping-Pong (Standard.G, Standard.H and Standard.I) Pirate Pixel.761 Prague (604 and Pizza) Praying (579 and 587) Predator.1063 Proto-T (Ritzen, Ritzen.1087 and 1050) PS-MPC (150.A, 150.B, 338.A, 338.B, 338.C, 339.A, 339.B, 339.C, 339.D, 339,E, 343.A, 343.B, 343.C, 344.B, 344.C, 344.D, 344.E, 344.F, 346.B, 347.A, 347.B, 347.C, 347.D, 347.E, 347.F, 347.G, 347.H, 347.I, 347.J, 348.B, 348.C, 351.A, 351.B, 352.B, 352.C, 352.D, 352.E, 352.F, 352.G, 352.H, 352.I, 352.J, 352.K, 352.L, 353.A, 353.B, 357, 425, 565.B, 565.C, 565.D, 569.A, 569.B, 569.C, 570.B, 570.C, 570.D, 572.B, 573.C, 573.D, 573.E, 573.F, 573.G, 573.H, 573.I, 574.C, 574.D, 577.C, 578.D, 578.E, 578.F, 578.G, 579.A, 579.B, 579.C, 594, 597.B, 597.C, 597.D, 598.B, 598.C, 602.A, 602.B, 602.C, 602.D, 603.A, 603.B, 603.C, 605.B, 606.B, 606.C, 607.B, 607.C, 610.A, 610.B, 610.C, 611.C, 611.D, 611.E, 611.F, 611.G, 611.H, 611.I, 611.J, 611.K, 612.A, 612.B, 612.C, 612.D, 612.E, 615, 639, 691, 739, 749, 2668, Abominog, Actifed, Alchemy, Argent, Blender, Birthday, Doggy, Fred, G2.572, G2.573.A, G2.573.B, G2.574, G2.575.A, G2.575.B, G2.576, G2.578, G2.582, G2.584.A, G2.584.B, G2.584.C, G2.585.A, G2.585.B, G2.588, G2.Mudshark, Greetings, Joana.942, Justice, Love, McWhale.1023, McWhale.1124, Mojave, Projekt.897, Projekt.918, Quest, Ranger, School, Schrunch.442, Seven_Percent.918, Shock, Silent, Skeleton.542, Skeleton.550, Skeleton.570, Skeleton.616, Skeleton.617, Sorlec.597, Sorlec.639, Steeve.672, Steeve.686, SwanSong.1714, SwanSong.1772, Swansong.1773, SwanSong.2062, Walt.311, Walt.355, Warez.1805, Weakley, Z10.683 and Z10.687) PSV.B Pysk Raptor Russian_Tiny.127 Sandy Satan.602 Shake.C Sidewinder SillyC (92, 100, 158 and 207) Sparkle Steryd Stoned (Bunny.A, Bunny.B, Bunny.C, Standard.F, Standard.I, Standard.J, Standard.L, Standard.M, Standard.O, Standard.P, Standard.Q, Standard.R, Standard.S, Standard.Good, Standard.Pervert, Standard.Space.B and Standard.Udos) Sybille.1200 Sze.314 Taiwan (677 and 743.C) Timid (298, 299, 301 and 303) Tiny_GM Tiny_family.Fred Trakia Trident (444 and Nolimit2) Troi (C and D) Unhandled VCL (379, Angel.436, Angel.1681, Assassin, Dial, Julian, Olympic.B, Sorlec and Suck) VCS (Standard.Darkside and Standard.Test) Vienna (533, 608, 610, 660, 680, 700.A, 700.C, 709, 814, Choinka.C, Feliz, Parasite.861, Violator.716.B, Violator.716.C, Violator.803, Violator.821, Violator.843.B, Violator.843.C, Violator.909, Violator.957, Violator.5286, W-13.318 and W-13.507.E) Virdem.1336.Locked.B Wrzod Yam.3596 Yankee_Doodle.Login.3045.C YB.426 Yesterday The following 58 new viruses are now detected but can not yet be removed. _592 Antitrace Appelscha Arcv.Anna.745 Austr_Term Backform Carpe_Diem Code_Zero.735 Czech_Happy Daemaen Dark_Avenger.2829 Dillinger DIR-II (M, O, Q, S, T, W) Doomsday.715 Doubleheart.649 Gippo.Blow Glith Grog (Dream, Inc, NTA, Outwit-C, Outwit-E, Public, Razor and Wildcard) Hallow Jerusalem.Vtech Konkoor LM M5-VP2 Mystic.379 PCBB (833, 1680 and 1683) PHB.B Pit Predator.1154 Proto-T.694 Raubkopie.1888.B Sayha Screaming_Fist (839, 846, 855 and 862) Sluknov Split_Second (1135 and 1149) SVC.3122 Sze.351 Topa V2221 Veronika Wally X-1.571 X-3A Yog The following 15 viruses which were detected by earlier versions can now be removed. CIS Ein_Volk Jerusalem.986 PS-MPC (ARCV.2.692, ARCV.2.693 and ARCV.8) Satanbug VCL (Chuang, Diarrhea.933, Diarrhea.1222, Diogenes and Mimic) Warrior Weak Yeke (1076 and 1204) The following viruses have been renamed, in order to make F-PROT follow the CARO naming standard as closely as possible. _1068 -> Spinner _1417 -> Spanish_Fool _1441 -> Sum _1588 -> Distrust _1784 -> Three_Tunes _2000 -> Alphastrike Anticlr -> Anti-Clerical Commonwealth -> CIS Dos1 -> Dos_1 Error_412 -> Runtime Groz -> Grozny Inoc -> Inoculation Krusha -> Khrusha Micro-128 -> Micro NGV -> Genvir QMU.1513 -> QMU Quit-1992 -> Quit Satwar -> Satanic_Warrior Simple -> Simple_Minded Talking_Heads -> No_Party Tula.419 -> Tula V-1920 -> Dostepu The _758 and Gemand viruses have been moved into the Hungarian_Andromeda virus family ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 28] *****************************************