VIRUS-L Digest   Wednesday, 18 May 1994    Volume 7 : Issue 34

Today's Topics:

mistaken identity
Re: Good Viruses vs Bad Viruses
Virus Insurance?
re: Good Viruses vs. Bad Viruses
Internet Worm
what is a good virus software?
compression and viruses?
Disabled viruses?
Fred Cohen and computer viruses
Re: No PC viruses on 3.5" disks? (PC)
problem with F-PROT 2.12 :virstop.exe /warm (PC)
Monkey Virus (PC)
Virus (may day variety??) (PC)
Disk Crash, Possible Virus? (PC)
Queeg and Pathogen (PC)
Re: New viruses: SMEG.Pathogen, SMEG.Queeg (PC)
Re: MUSH.COM? (PC)
Re: Monkey Curiosity (PC)
Virus Alert (fwd) (PC)
Help! Need advice on Michael Angello virus. (PC)
antivirus products (PC)
"Jack-the-Ripper" (PC)
ANSI bomb (PC)
help identifying a virus... (PC)
Help with Form Virus (PC)
Help:filler Virus (PC)
URGENT HELP: damaged FAT by flip-virus (PC)
B1 (or NYB) Virus (PC)
Virus: Squisher Dropper (PC)
fp-212.zip - F-PROT virus detector/disinfector version 2.12 (PC)
Stone virus - stone.stonheng (PC)
tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 01 May 94 09:34:22 -0400
From:
Subject: mistaken identity

One of your recent readers seems to have mistaken the definition of computer viruses for the definition of *Real Viruses*. To clarify:

    *Real Viruses* depend on the mental state of the user
    Computer viruses do not.

I take it from the comments that surrounded the misimpression that the contributor prefers the definition of Computer Viruses and is thus in favor of the concept and the reality of benevolent viruses. Please feel free to correct me if I am wrong.

- FC

------------------------------

Date: Mon, 02 May 94 06:27:32 -0400
From: Adam Jenkins
Subject: Re: Good Viruses vs Bad Viruses

In reply to the message on 12 April from :

Okay I've stayed out of this discussion for a while, content to sit back and watch but your post was begging to be replied to.

>WHMurray@DOCKMASTER.NCSC.MIL asserts:
>>In fact, since the virus writer has so little control, his
>intent is irrelevant.

I would agree with this..

>So little control?!?!?!?! You mean, these mental twirps are
>being forced to write viruses at gunpoint?!?!?!? Poor fellows!!
>Or might this be a further attempt to excuse people (??) from
>their own personal responsibility for their own actions or their
>own negligence? Let's get down to brass tacks: If you hit yer
>thumb with a hammer, don't blame the hammer! It's YOUR fault, not
>the hammer's.

Okay now here we go, straight into the world of subjectivity. "Mental twerps"? I gather you have met many (ie at least one) virus authors and are in a position to assert your assessment of their psychological profiles? Viruses by their very nature are not controllable. The author may or may not want their virus spread (according to intent, yep) but regardless of their intent, they do not have control over their work, at least after it has left their secured system.

>He goes on with:
>>The virus writer. .
.cannot predict how it will behave...

You honestly think many of the "professionals" you seem so eager to defend bother checking their programs under the myriads of operating systems, hardware, conflicting TSRs, etc.? I would dare to say that neither type of programmer check the behaviour of their work under all environments, and I would argue, nor should they. Programs are designed for certain tasks in certain environments, by nature.

>Baloney! If not, then surely he should be locked in a rubber
>room. If computer code A causes behavior B in computer system C,
>then there is a markedly high probability that it will cause
>similar behaviors in Systems D thru Z, et al, assuming their
>operating systems are of the same genre, the systems are
>XXX-Compatible, etc.

Now this is just waffle.. are your letters meant to represent software, hardware, what? I guess it's irrelevant..

>must be **CERTAIN** that if it causes anomalous behavior in HIS
>system, then it will cause similar behavior in others' systems!

You've missed the point again, the point is not that a virus writer isn't trying to write a virus, but that he may be trying to write a non destructive virus. I don't see too many people going around up in arms about the author of the "drain" or "faces" joke programs.. Reason: (1) they are harmless, (2) they are not viruses and therefore the user isn't scared of them due to the virus/trojan propaganda.

>Further, if the behavior caused is NOT what another would
>appreciate some other clod causing to occur in HIS computer
>system, then the virus writer has a MORAL and ETHICAL obligation
>to either (a) NOT write the virus code in the first place, or
>(B) DESTROY it immediately, BEFORE it is accidentally loosed
>into a population!!

This is being very altruistic; how would you judge what a person of different background with a different attitude and living in a different country would appreciate or not? Maybe you're perfect, but I'm not and I don't think I'm the only one.
You seem to assume that everyone SHOULD have moral and ethical obligations. I think in practice you will find that this is not the case; a simple example is that of finding a $50 note. Should one go chasing up and down the street searching for the owner, give it to the police (who may thank you and then spend it on donuts) or keep it? I don't think moral issues are as clear cut as you are making out.

>(The mind boggles -- I can just hear some scientist at the
>Center for Disease Control wailing as humanity dies by the
>billions, But I didn't MEAN for this nerve gas to be loosed among
>the population!! And that's not so far fetched as we might wish.)

What about the guys who invented the atomic bomb? Ah yes, morally they were all correct huh, after all they were working for the US Government, the saviours of the world and self-appointed peace keepers. Of course they shouldn't feel responsible for Hiroshima, they had no personal intent to cause injury and they had no control over the eventual use of their work.

>Exactly. If it is USEFUL (like WordPerfect, Lotus 1-2-3, etc.),
>then we call it Application Software and actively seek it out,
>pay ridiculous prices for a weasel-worded "license" to use it,
>and snarl&curse the bugs we then find in it while we're USING it
>to accomplish some useful, socially acceptable purpose. We don't
>INTENTionally use the application software to ruin someone's
>data/computer system/blood pressure. (Oh, we might ruin a
>business competitor, but we do that in a legal, moral, and
>ethical (read: socially acceptable) manner, don't we? We don't
>sneak in the night and burn down his place of business, do we?
>Then similarly, we shouldn't write virus code to accomplish the
>same ends in a less dramatic fashion (no sirens, flashing
>lights, and cops to haul us off to jail...))

I wouldn't have thought the intent of most viruses was to destroy people's data/computer system/blood pressure but more as a practical-joke, which perhaps gives the author the satisfaction of seeing their work proliferate. A similar feeling that any software author would get seeing his software used by others.

>HOWEVER -- And this is a BIG however -- Would you actively seek
>out and purchase software (i.e., code) that would fill your hard
>disk with garbage, trash your data, rearrange your FAT, or lock
>up your computer so it's unusable? Hardly. Unless YOUR mental
>processes need refining!!

One word; Windows.

>Just a bunch of spoiled brats aiming at your -- and my --
>champagne glass filled with Roederer Cristal...

Grow up and go forth into the real world my friend. Life sucks, get a helmet.

I think a lot of the virus issues revolve around the fact that there are a lot of arrogant computer professionals who know a lot less than they should, and feel very insecure, so when someone manages to change their data without them knowing they feel violated and weak, like they are. The real problem is their stupidity and attitude, not the virus.

I was in class once and a couple of guys walked in and started using a computer which someone had put a "Warning - virus infected" notice on. Some student pointed this out to them, and their response was to shrug and say "So?" Admittedly this is too casual an attitude in that they could spread the virus unwittingly, but at least they aren't having a hernia over it and starting a witch-hunt.

>Anyway, I guess I've said all I can say on the subject.

You certainly tried to, the meaningless examples and Latin words, with references to champagne and professionals certainly gave me that impression.
>If we all, as professionals in the computer industry, would
>inculcate this simple Four Way Test into our business or even
>into our personal lives, think of how much higher we could hold
>our heads... And how our fortunes would multiply!

Ahhhhhh I pity you. Some of the largest companies in the industry are among the least ethical, not mentioning any names or lawsuits. But yes, if we are all good then we deserve our candy and we'll get it because God is fair and the world is just, right Walter?

Adam

- --
"90 percent of computer users use DOS;  | Adam Jenkins
 I'd rather tell them to do drugs"      | Phone: +61-3-252-6213
 Scott McNealy, CEO, Sun Microsystems   | Email: ba732@freenet.cwru.edu

------------------------------

Date: Mon, 02 May 94 08:35:48 -0400
From: Christopher G Sexton
Subject: Virus Insurance?

As part of a piece of work I am doing on computer security, whilst analysing the threats and risks of viruses, and also the methods and techniques of securing against the threats they present, I found myself wondering whether organisations and businesses can take out some form of insurance against the damage and loss caused by a virus attack.

Does anyone out there know if such insurance schemes exist? I would be very grateful for any follow-up to my question, and any extra details if possible.

Cheers, Chris.

------------------------------

Date: Mon, 02 May 94 15:21:57 -0400
From: olpopeye@aol.com
Subject: re: Good Viruses vs. Bad Viruses

Brian Seborg writes (see Vol. 7 # 028)

>I have been misquoted by Walter Murdock. In the last issue he attributed a
>quote to me saying in essence that virus statistics were manipulated by the
>anti-virus producers and that the virus problem was blown out of proportion.
>This was in fact the statement of KTark.

Brian is completely correct. I blew it. Since I've already apologized to him privately, allow me to again apologize in public.
I can only say that my unusually careless correspondence was/is due to failing health and a sometimes-euphoric fog induced by numerous cardiac medications. I'm sorry.

Also in Vol. 7 Nr 028, Sara Gordon@Dockmaster.ncsc.mil writes:

>i agree, deliberate release of any program that is capable of placing itself into
>another person's 'space' without their consent is not good.

An understatement, if ever I encountered one, but: Way to go, Sara! You had me worried for a while with your defense of the vandals hiding among us! You also say:

>i am interested in why you disagree.

The one great thing about being a good debater is one's ability to see BOTH sides of a subject, regardless whether one is pro or con. Immodestly, I place myself in that category. I can see the need for, the desire to, the search for enlightenment that can come from an experiment of Let's see what this will do. Where I break ranks with you, with KTark, and with other seemingly liberal thinkers is at that fine point where the experimenter is no longer satisfied with the results obtained in HIS laboratory, and looses his experiment upon the public.

From such thinking, we have our beloved (??) federal government spraying viruses (benign, they said) in various cities to test aerosol dispersion techniques for Nuclear/Biological/Chemical (NBC) Warfare. We have other experimenters dosing unsuspecting, ignorant, or mentally-deprived people with radiation to see how it works. (It kills them, stupid!). So, when someone says, Let's see how this computer virus works. I say: "It screws up other people's lives, stupid!"

Probably I'm too old and too conservative to appreciate the thrill some clod (Oh! How I wish I could use some of my old Navy epithets here!) gets when he hands an infected disk to a friend, who knowingly or unknowingly then passes the infection to another, and another and another ad infinitum, ad nauseam.
It must be identical to the thrill a TFL (Tagger-For-Life) gets when he spray-paints his mark on an expensive freeway sign, or when a mongrel sprays his mark on a handy fire hydrant. I see no moral or ethical difference between a tagger and a virus-er. Singapore seems to have an idea how to control both. Or either.

You say:

>It is also incorrect to assume that -every- virus that is ever written will be
>released thru intent or negligence. i agree with you (if this is what you are
>saying) that it is likely in most cases. and, i agree that the writing of a virus is
>in most cases waste of time, misdirected energy.

YES! That's exactly what I'm saying! (This is an Eureka! moment where a bright light flashes on atop one's head!)

>i agree. no one has the right to put any proggie of any type into your computer.
>but it would be gross oversimplification to assume that this is the goal of -every-
>individual who has ever written or who will write a virus.

AHA! Another Eureka! Precisely! Not EVERY virus will be released; not EVERY virus-writer intends to infect the world; HOWEVER -- And this is a big however -- ENOUGH of them DO to start up and feed a vertical market in computer programming!

So, this has been my point all along since I horned into this thread of Good Viruses vs. Bad Viruses: What is the INTENT of the virus code writer? If his intent is benign, then he will exercise the good judgment and personal responsibility to ENSURE that his code will NEVER be loosed on the populace. I refuse to consider the view that accidents happen. Accidents are CAUSED, through either negligence or by design. Either should be punishable by law or by social action (firing, peer group disapproval, loss of computer access, and yes, even caning if the damage caused warrants it).

Sara, you, I, Brian, Frisk, Clinton, the Pope - We're ALL singly and individually responsible for our own actions.
If we screw up by INTENTionally breaking the law or mores of ethics of a situation, then we are individually responsible. If a code writer is of such an age or intelligence-challenged or otherwise incapable of judging right from wrong, --(in quotes, since neither is an absolute)-- then surely this person is NOT educated highly enough to learn how to program in the first place.

For instance: Do you believe that the Ms. Cs. (Morris, as I recall) who wrote -- and released -- the infamous Internet Worm didn't KNOW what it would do? A Master of Science degree? 'Scuse me while I laugh till I barf!

Anyway -- As I said before:

>"I guess I've said all I can say on the subject. I doubt I've changed anyone's
>opinion. Let me cease wasting bandwidth (and the valuable time) of the
>Forum with this:

A quote attributed to Will Rogers goes something like this: Changing someone's opinion is like trying to teach a horse to sing. It can't be done. It makes the horse mad as Hell and renders him unfit to ride or to plow.

I quit this thread. Thanks for your patience.

Walter E. Murdock                     olpopeye@svpal.org
Murdock Associates, Palo Alto         olpopeye@aol.com
U.S. Navy Retired & Proud Of It.      75270.37@Compuserve.Com
"I sign the payroll, so my opinions count. HERE, anyway!"

------------------------------

Date: Mon, 02 May 94 16:34:19 -0400
From: "Jeffrey Rice - Pomona College, California."
Subject: Internet Worm

Could anyone tell me about the Internet Worm? It is mentioned in the FAQ here, among other places, but doesn't tell what it was (is?) or how it worked. I'm curious how it could work with the variety of operating systems on the net....

/-----------------------------------------------------------------------------\
| Jeffrey Rice          | "The man who ...is not moved by concord of sweet    |
| Pomona College        |  sounds is fit for treasons, stratagems, and        |
| Claremont, California |  spoils. Let no such man be trusted."
-WS |
\-----------------------------------------------------------------------------/

------------------------------

Date: Tue, 03 May 94 13:58:06 -0400
From: hank@UTKVX.UTCC.UTK.EDU (Hank Pike)
Subject: what is a good virus software?

Hello,

I was wondering if someone could tell me of some good anti-virus software, both commercial and shareware/freeware. I was looking in to Norton but I have seen good things about something called Fprot. Any help is appreciated.

Also, I was wanting a separate virus protection that can be run (fully installed) off of a floppy disk and that can find and fix around 2000 viruses. Does this exist? For the floppy I was wanting shareware or freeware. I need this for fixing several IBM PC's that tend to get viruses on them. Hope someone can help.

Thanks.
Hank Pike

------------------------------

Date: Wed, 04 May 94 01:48:31 -0400
From: anson922@raven.csrv.uidaho.edu (Anson Dale)
Subject: compression and viruses?

I read the FAQ but didn't find the answer to this question. Can virus scanners find viruses in compressed files? If I download a file, is it best to scan it before or after decompression, or both? Can just decompressing a file install a virus to my system? (I guess this was more than one question! :) ). Any response would be appreciated...

anson922@raven.csrv.uidaho.edu

------------------------------

Date: Thu, 05 May 94 13:02:17 -0400
From: res@bfs.uwm.edu (Ralph Stockhausen)
Subject: Disabled viruses?

I would like to check out the functioning of my anti-virus setup. Are there any "disabled" viruses available that my program could detect, but would be safe to have on a test floppy?
Thanks,
Ralph

------------------------------

Date: Mon, 09 May 94 10:29:36 -0400
From:
Subject: Fred Cohen and computer viruses

Hi everybody,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) versus Fred Cohen (fc@Jupiter.SAIC.Com) wrote:

FC> There ain't no such thing as a good virus
FC> (because) they all cause damage under some
FC> circumstances
FC> The same is true for any program - what does
FC> being a virus have to do with it? - Nothing

VB>The difference, as I am trying to explain to everybody, is that what
VB>*we* call *real* viruses spread without authorization. None of the
VB>"normal" programs do that. Also, what we call real viruses tends to
VB>contain much more bugs per byte of code than the normal applications.
VB>Sounds like a serious enough difference to me.

I am afraid that I need some more explanation for above statements.

1. Who are "we"?
2. What are "real viruses"?
3. Does any statistical data exist about bugs per byte of code in computer virus ("real" or not) code in comparison with bugs per byte of code in "normal" application code?
4. The spreading without authorization is not an essential characteristic of computer virus by results of the Contest for the Best Virus Definition (look at, for example, Vesselin Bontchev's definition of virus in electronic magazine "Alive" No 0).
5. Consequently, one could conclude that "real viruses" are not computer viruses. What they are?

FC> I've never met a virus I liked
FC> Bigotry was never a good excuse before, why use it
FC> as one now.

VB>Show me at least one person who wants to run a *real* virus on their
VB>machine. Then I'll show you at least 100 others who wouldn't. From
VB>your logic it follows that at least 99% of the people are bigots.

I have run several DOS viruses on different PC configurations performing experiments. It was intentionally done from my side and approved by owners of machines or responsible people. It means with me it should be at least 5 persons involved.
I am waiting for 500 "others" to be showed to me. And yes, bigotry can spread easily. Maybe not 99% but percentage could be high.

VB>The problem, Dr. Cohen, is that we, the anti-virus researchers, are
VB>talking about something completely different. We are talking about
VB>*real* computer viruses, not about histories of the states of Turing
VB>Machines. We are talking about those nasty little programs, written
VB>usually by irresponsible adolescent kids, that try to sneak into our
VB>computers against our will and often to destroy our data. *That* is
VB>always bad, no matter what you are trying to tell me.

Oh, I got it. The "real virus" is nasty, little program, trying to sneak into somebody's computer against his/her will with possibility to destroy data. Very interesting definition of a computer virus. I agree that it has nothing to do with Dr Fred Cohen's definition of computer virus.

To take a short look in the history [quoting my unpublished article "Could Computer Viruses Be Beneficial ?"] :

'The concept of self-replicating program is not a new idea. John von Neumann described reliable self-replicating programs in 1940. A number of so-called "worm" programs were run on the Arpanet during the 1970s, some of them with ability of limited replication. In the 1980s a mathematical game called "core wars", in which two or more competing programs struggled for survival in a simulated computer, was known.

In 1984, Fred Cohen performed and described the first experiments with computer viruses. He gave the definition of computer virus in his paper "Computer Viruses - Theory and Experiments", originally appearing in IFIPsec 84. To quote this paper: "We define a computer "virus" as a program that can "infect" other programs by modifying them to include a possibly evolved copy of itself."

In 1986, the first experiment with an IBM PC based network virus was performed by several graduate students at the University of Texas at El Paso.
The "population" of PC viruses started its growth since 1987, when viruses apparently created in Pakistan, Israel, Germany, Italy and New Zealand all independently spread throughout the world. The population of PC/DOS viruses is the largest virus population today and it counts more than 4000 examples.'

I guess the term "real virus" applies mostly to the population of PC/DOS viruses which appeared about three years after Fred Cohen performed his experiments and gave his definition of computer virus. I am surprised that after so long time there are still people who are not familiar with his work in this field. So, briefly:

Dr Cohen is best known for his pioneering work on computer viruses, the invention of high integrity operating system mechanisms now in widespread use, and automation of protection management functions. He regularly provides consulting services for top management worldwide. During the 10 years of his research work, Fred Cohen wrote over 60 professional publications and 11 books. He is also a widely sought speaker, averaging over 12 invited talks per year. Dr Cohen's current interests are in the areas of high integrity distributed computing, office automation, information warfare, information theory, artificial life and social aspects of computing.

Fred Cohen's research work concerning computer viruses is consistent in terminology. His extensive theoretical work is complete and many times confirmed in practice. When Dr Cohen is talking about computer viruses he is never in contradiction with himself or hypocritical (which cannot be said for some other people). He knows what is he talking about, but maybe the people talking about "real viruses" don't know what they are talking about. Or it might be one more marketing and media trick: "Real viruses are coming to conquer you. Get paranoic! Buy my product, it will save you!"

It would be fair that the term "computer virus" is used with the meaning which Fred Cohen gave to it in his definition.
It would be a sign of respect to his impressive scientific work in this field. The other "beasts" could be called "real viruses", "malicious software" or something else, why not?

VB>Another problem, Dr. Cohen, is that you often tend to be too terse and
VB>not to explain in details what you mean exactly - and do not express it
VB>in a language understandable by the general public. This often makes
VB>people not to understand you, or to misunderstand you. Is it surprising
VB>then that people tend to flame you? :-)

To quote Fred Cohen: "It takes one to know one."

I can admit that is not so easy to obtain Dr Cohen's published articles and books (especially not in my part of the world), but it is not impossible either. The understanding requires sometimes particular knowledge of mathematics. From my experience, I can say that Dr Cohen never refused to give an appropriate explanation when it was necessary. I don't know if I can consider myself as "general public", but I never had problems to understand Fred Cohen's language (although English is not my native language). Just the opposite. I always enjoy his sense of humour.

People who flame other people should try to understand the other part first. That way flaming could possibly be avoided. Not talking about keeping ordinary politeness in public communications.

FC> P.S. Whoever has been taking the heat for supporting the concept of good
FC> viruses - I commend you. Sorry I haven't been more supportive, but
FC> I have been busy finishing a book on good viruses. Please send me some
FC> E-mail so we can gang up on these miscreants who can't tell the
FC> difference between morality and mathematics. - FC

VB>The real problems arise when some people (a) cannot see the difference
VB>between mathematics and real life and (b) don't see the need for
VB>morality and ethics.

This sounds to me like a call: "Burn the mathematicians! The people using and understanding math are immoral and unethical.
They should be exterminated, because nothing good can be expected from them!...etc..."

The problem for me is
a) I was convinced that I am one of the anti-virus people (although probably of suspicious morality because I like and use math),
b) now when using mathematics and talking about beneficial viruses is publicly condemned as unreal, immoral and unethical, I have crisis of identity - who am I and where I belong to?

The general problem might be problem of "closed minds". It happened many times in history that original ideas were distorted and oversimplified to fit the whims of mass. Brainwashing if applied often enough is a very effective mean for manipulation of crowd by some individuals who got sufficient power. Every new idea, coming in such an environment tends to be rejected and condemned. The progressive scientists were often "endangered species" in any field and time. They prosecuted and burnt people claiming that Earth is turning around Sun, in the past, didn't they?

Anyway, I declare publicly that am proud to belong to the group of open minded people (even if it will take me to burn at the stake) who think that computer viruses can be beneficial and that using mathematics or connecting Computer Science with other fields of science (biology, psychology, etc.) could bring only progress.

Cheers,                         __________________________
Suzana                         |                          |
                              /|      MATH IS COOL!!      |
               /~~~~~~\      / |__________________________|
             ~\( * * )/~
               ( \___/ )
                \______/
                @/    \@

- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka          e-mail addresses:
         Department of Computers             celustka@sun.felk.cvut.cz
         Faculty of Electrical Engineering   celustkova@cs.felk.cvut.cz
         Karlovo namesti 13                  celust@cslab.felk.cvut.cz
         12135 Prague 2                      phone : (+42 2) 293485
         Czech Republic                      fax   : (+42 2) 298098

------------------------------

Date: Sun, 01 May 94 09:33:05 -0400
From: gg@superdec.uni.uiuc.edu (gg)
Subject: Re: No PC viruses on 3.5" disks?
(PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Mike Bogdan (Mbogdan@msu.edu) writes:
>> PC viruses be transmitted via network?
>Yes.

Of course they can be transmitted via network, but are there any PC-specific viruses that go out and try to look for networks as a way to spread themselves? If so, which one(s)?

Thanks.

- --
/~~~\  gg@superdec.uni.uiuc.edu       /~~~\
( gg ) cross your eyes and align the  ( gg )
\___/  the two symbols.               \___/

------------------------------

Date: Sun, 01 May 94 09:35:11 -0400
From: "Jean-Louis Oneto (+33) 93.40.53.80"
Subject: problem with F-PROT 2.12 :virstop.exe /warm (PC)

Date sent: 1-MAY-1994 13:49:40 MET

Hello Net !

Installing the last f-prot 2.12 version on a system with a Floptical as the only floppy drive available, I discovered that the /warm qualifier of VIRSTOP.exe results in a system hangup after the display of the message: Virus checking of drive A:, if I load virstop.exe from the config.sys file, using either device= or devicehigh= command. Everything works fine if I load virstop from autoexec.bat, either with loadhi or just in low mem. From the virstop.doc file, there is mention of similar problem for the /disk: option, but nothing for the /warm option.

I append my config.sys and autoexec.bat file to this message, in case you need more details in my config.
Thanks in advance,
Jean-Louis Oneto
OCA-CERGA, Avenue Copernic, 06130 Grasse - FRANCE
NSI/Decnet (formerly SPAN) : ocar01::oneto (17494::oneto)
Internet : oneto@ocar01.obs-azur.fr | Voice : (+33) 93.40.53.80 | Fax : (+33) 93.40.53.33
Transpac : PSI%(+2080)83159713::ONETO / 183159713::ONETO

- -------------------- config.sys --------------------
DEVICE=C:\DOS\SETVER.EXE
DEVICE=C:\DOS\HIMEM.SYS
rem devicehigh=c:\f-prot\virstop.exe /warm/boot/copy
install=c:\dos\share.exe /f:2048 /l:25
device=c:\dos\emm386.exe auto 1552 ram frame=e000
DOS=HIGH,umb
files = 40
buffers = 40
rem stacks=9,256
lastdrive=z
DEVICEhigh=C:\DOS\ansi.sys
DEVICEhigh=C:\DOS\DISPLAY.SYS CON:=(EGA,437,1)
COUNTRY=033,850,C:\DOS\COUNTRY.SYS
break=on
shell=c:\dos\command.com c:\dos /e:1024 /p
devicehigh=C:\XTRADRV\xtradrv.sys a:70
- -------------------- autoexec.bat --------------------
@ECHO OFF
rem C:\F-PROT\VIRSTOP
lh C:\F-PROT\VIRSTOP.exe /copy/boot/warm
echo JLO/JCP, version du 01-may-1994
prompt=$e[1;31m$t$h$h$h$h$h$h$ $e[33m$e[ JLO $e[36m$p$g$e[0;37m
PATH C:\DOS;c:\bat;c:\nc;c:\com;C:\XTRADRV;e:\pov
SET TEMP=e:\us403\tmp
set tmp=e:\us403\tmp
break=on
verify=on
MODE CON CODEPAGE PREPARE=((437) C:\DOS\EGA.CPI)
MODE CON CODEPAGE SELECT=437
KEYB FR,,C:\DOS\KEYBOARD.SYS
lh doskey/bufsize=1024/insert
call c:\bat\doskdef.bat
c:\utl\ecran\67vesa
c:\utl\mouse\znix\mouse /mo
lh c:\com\fmtfix
- --------------------------------------------------

------------------------------

Date: Mon, 02 May 94 00:25:03 -0400
From: Jeff K Landauer
Subject: Monkey Virus (PC)

Well, Scan shows that I have this, but I can't get rid of it. It reports that I need to boot from a floppy in order to clean the system, but when I do that, I can't access my hard drive. I don't know what to do. I downloaded just about all the virus software I could find to try to fix this thing, but nothing looks like it will help. Am I screwed? I look back on old posts, and the situation looks pretty bad.
Thanks for any help,
- Jeff

------------------------------

Date: Mon, 02 May 94 07:48:20 +0000
From: kaikow@standards.com
Subject: Virus (may day variety??) (PC)

Alas, on 1 May, I finally fell victim to a virus, at least it is the first one that I have been aware of.

On Friday, I had intermittent problems using Crosstalk Communicator, then the problems suddenly stopped.

On Sunday, I merrily used my computer with no difficulties in the AM (around lunch time), however, when I tried to use it later that day, I found that:

1. Many files were missing from C:\
2. All files with "autoexec", "config", ".txt",".bat", ".sys", etc. were clobbered and/or deleted.

In the cases, I noted the files were of unchanged length but were of the form (I may not have the text right, but u get the idea).

    system settings are in winword6.ini and win.ini

The above line was then followed by sufficient binary gibberish to keep the file length unchanged from the good version. In particular, this was in config.sys, tho autoexec.bat was unchanged.

I recovered most of the files with UNDELETE, but they had been clobbered, but not autoexec.bat.

Given the types of files that were affected, this is clearly a virus. It is not surprising that it happened with my second use of the system on 1 May, as the first use likely triggered a "May day" virus.

I have informed the author of a widely used program that could have been the carrier as I ftped the new version in mid-April (14th I think). I won't mention what the program is until I hear from the author. Note that he compiled some of another widely used DOS memory extender into it this time, so that could be the carrier, perhaps not.

As a result, I ran out (just before the store closed) and got DOS 6.21. Alas, its anti-virus software did not detect anything so the beast is still likely lurking on my disk, unless it wiped itself out.

Have any of you seen this virus?

What is the best way to protect against future mishaps?
I do now have vsafe running, but would like to find a way to test it.

------------------------------

Date: Mon, 02 May 94 12:18:35 -0400
From: Ed.Vongehren@GSA.GOV
Subject: Disk Crash, Possible Virus? (PC)

Of course my backup was out of date and I never protected the really important stuff, when (for want of a better expression) my disk crashed. I guess that's what it did; all I know is that the FINDER no longer recognizes that I have a hard drive attached to the SCSI interface. Just prior to "losing" the drive I noticed that I had around 1meg or less of free space. My first thought was that I overwrote my FAT files (or what ever Mac calls them); but then it could be either a legitimate crash (what ever that really means) or a virus.

I've tried to use the Apple standard file-fixer utility (what ever its called) and Norton Utilities but I can't even get to "square-one" because they don't even acknowledge that I have an attached disk.

Does anyone have any suggestions (other than back it up next time)?

Ed von Gehren
vongehren@acm.org

------------------------------

Date: Tue, 03 May 94 04:28:42 -0400
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Queeg and Pathogen (PC)

(1) The word SMEG also derives from `Red Dwarf', where the verb `smeg' and its participle `smegging' are used to express annoyance in much the same way as many people often use the `f-word'.

(2) From p10 of Sat 30 April 1994 issue of the Daily Telegraph (British national daily newspaper):-

[Sci-fi fiend plants new computer viruses] by Christine McGourty, Technology Correspondent.

A fan of the BBC2's `Red Dwarf' science fiction series is thought to be responsible for two highly destructive new computer viruses. Called Pathogen and Queeg, the viruses destroy data on computer disks in a way that makes them extremely difficult to detect. Victims of the Pathogen virus know they have been hit when the message "Smoke me a kipper, I'll be back for breakfast... Unfortunately some of your data won't!!!"
appears on screen. The "kipper" phrase is used frequently by Ace Rimmer, one of Red Dwarf's leading characters, before embarking on a near-impossible mission, said a spokesman for the series. Also on screen, the virus writer boasts of being from Britain, "NOT from Bulgaria" - the origin of most of today's computer viruses - and calls himself the Black Baron.

Both Pathogen and Queeg were discovered this week. Pathogen is triggered between 5pm and 6pm on a Monday and the Queeg virus between 12 noon and 1pm on a Sunday. Mr. Steve Warren, a computer virus expert, said only a specific sequence of instructions triggered the virus and it could lie dormant for months. None of the anti-virus programs available could detect it. "It is one of the most serious virus strains we've seen," he said. "The writer has coded the virus so that it circumvents certain anti-virus products. There could be people downloading anti-virus software for protection, but actually downloading a virus. We are extremely concerned about it."

------------------------------

Date: Tue, 03 May 94 04:30:49 -0400
From: virusbtn@vax.ox.ac.uk
Subject: Re: New viruses: SMEG.Pathogen, SMEG.Queeg (PC)

gcluley@nose.sands.co.uk writes:

> S&S International, developers of Dr. Solomon's Anti-Virus Toolkit, have
> discovered two dangerous new viruses running wild on British computers.

Graham: A couple of questions.

Firstly, I've had a sample of Pathogen (gathered from a site in the UK) for some time - long enough to publish a full `Virus Analysis' in the May edition of Virus Bulletin. I've only had it reported to me from *one* site. How many reports of the thing have you actually had? The trigger routine is fairly obvious - if it was common out there, IMHO we would have had rather more reports.

> If you find any instances of the viruses using the above extra drivers you
> should then use the following drivers in their place.
> These following drivers are not intended for use, unless a Pathogen or Queeg infection has
> already been detected:

Why the two drivers? The only explanation I can think of is that the first does not get all instances of the virus, and the second gets false positives. Is this right?

Regards,

Dicky Ford,             ! finger virusbtn@ox.vax.ac.uk
Editor, Virus Bulletin. ! Tel. +44 (0)235 555139 Fax +44 (0)235 559935

------------------------------

Date: Tue, 03 May 94 04:34:35 -0400
From: virusbtn@vax.ox.ac.uk
Subject: Re: MUSH.COM? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Thom Odell (guest06@mtholyoke.edu) writes:
>
>> I am wondering if an audio program called mush.com and its associated
>> file mushroom.ovl is some sort of virus?
>
> No. It is a joke program, and a rather old one at that. Does nothing
> destructive - just plays a digitized melody.

Just my $0.02 worth... I too have a copy of mush.com and the associated file mushroom.ovl. The program plays a digitized version of an advert for an air freshener. I have to say, it is a great program - whoever wrote it did a good job.

However, the only copy I have ever seen is infected with Cascade (this doesn't mean that your version is). What happened is that someone brought a copy of the program into a company to show a friend. Within a day, the disk had visited nearly every machine in the organisation, infecting every one! It is a classic example of the irresistible program running riot.

Enjoy.

Dicky Ford             ! finger virusbtn@ox.vax.ac.uk
Editor, Virus Bulletin ! Tel. +44 (0)235 555139 Fax +44 (0)235 559935

------------------------------

Date: Tue, 03 May 94 04:40:06 -0400
From: virusbtn@vax.ox.ac.uk
Subject: Re: Monkey Curiosity (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Dale Morlock (harrier1@delphi.com) writes:
>
>> I just encountered Monkey on a client's PC. I can't find much on
>> Monkey except that it's a stealth virus. What am I dealing with?
>> Any cautions? Thanks!

Dave: We did an analysis of it in Virus Bulletin, December 1993, p.12. If you don't have access to a copy of this, get in contact, and I will fax it to you.

Regards,

Dicky Ford,            ! finger virusbtn@vax.ox.ac.uk
Editor, Virus Bulletin ! Tel. +44 (0)235 555139 Fax +44 (0)235 559935

------------------------------

Date: Tue, 03 May 94 16:55:44 -0400
From:
Subject: Virus Alert (fwd) (PC)

Greetings,

You may have already seen this but I missed being able to actually read the last couple of Virus-l mailings. I just received this. I figure that extra warnings are better than not hearing about this type of destructive virus. Please help spread the word. Who knows what other networks this little piece of no-class trash has made it to.

Andy Rogers

> >
> > --- Forwarded message follows ---
> > From: newsbytes@clarinet.com (NB-LAX)
> > Subject: ****Dangerous, New Trojan Horse Virus Found On Internet 04/29/94
> > Keywords: Bureau-LAX
> > Date: 29 Apr 94 19:03:17 GMT
> >
> > TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan
> > Horse" computer virus is on the Internet and is labeled with the
> > name of the fourth largest manufacturer of compact disc read-only
> > memory (CD-ROM) drives. Chinon America, Incorporated, the company
> > whose name has been improperly used on the rogue program, is
> > warning IBM and compatible personal computer (PC) users to beware
> > of the program known as "CD-IT.ZIP."
> >
> > A Chinon CD-ROM drive user brought the program to the company's
> > attention after downloading it from a Baltimore, Maryland
> > Fidonet server. One of the clues that the virus, masquerading as
> > a utility program, wasn't on the up-and-up was that it purports "to
> > enable read/write to your CD-ROM drive," a physically impossible
> > task.
> >
> > CD-IT is listed as authored by Joseph S. Shiner, couriered
> > by HDA, and copyrighted by Chinon Products. Chinon America told
> > Newsbytes it has no division by that name.
> > Other clues were obscenities in the documentation as well as a line indicating
> > that HDA stands for Haven't Decided a Name Yet.
> >
> > David Cole, director of research and development for Chinon, told
> > Newsbytes that the company knows of no one who has actually been
> > infected by the program. Cole said the virus isn't particularly
> > clever or dynamic, but none of the virus software the company
> > tried was able to eradicate the rogue program. Chinon officials
> > declined to comment on what antivirus software programs were
> > used.
> >
> > If CD-IT is actually run, it causes the computer to lock up,
> > forcing a reboot, and then stays in memory, corrupting critical
> > system files on the hard disk. Nothing but a high-level reformat
> > of the hard disk drive will eradicate the virus at this point, a
> > move that sacrifices all data on the drive. It will also corrupt
> > any network volumes available.
> >
> > "We felt that it was our responsibility as a member of the
> > computing community to alert Internet users of this dangerous
> > virus that is being distributed with our name on it. Even though
> > we have nothing to do with the virus it is particularly
> > disturbing for us to think that many of our loyal customers could
> > be duped into believing that the software is ours," Cole
> > explained.
> > Chinon is encouraging anyone who might have information that
> > could lead to the arrest and prosecution of the parties
> > responsible for CD-IT to call the company at 310-533-0274. In
> > addition, the company has notified the major distributors of
> > virus protection software, such as Symantec and McAfee Associates,
> > so they may update their programs to detect and eradicate CD-IT.
> >
> > (Linda Rohrbough/19940429/Press Contact: Rolland Going, The
> > Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825;
> > Public Contact: Chinon, CD-IT Information, 310-533-0274)
> >
> > Monica Winker-Bergstrom
> > CTS, 170 Wilson Library BITNET: M-WINK@UMINN1
> > Phone: (612) 625-4343 Internet: M-WINK@VM1.SPCS.UMN.EDU

------------------------------

Date: Wed, 04 May 94 10:44:34 -0400
From: rfeehan@bud.peinet.pe.ca (Robert Feehan)
Subject: Help! Need advice on Michael Angello virus. (PC)

Everyone:

I need information on the Michael Angello virus. Last week when my PC was in for service the vendor infected my PC with the above virus. They returned the unit to me and I used it for a couple of days but it was not working correctly (the a drive would not read disks properly). I took it back and they found the virus on it and removed it.

My problem is this:

1. Is the machine ok now that they removed it or should the hard disk be reformatted?
2. I have a bunch of infected floppies that I need the data off.
   A) can they be safely cleaned or should they be destroyed?
   B) I tried the latest McAfee (2.0) but it would not remove the virus, can other programs remove it from the floppies?
3. How does this virus spread?

If the above has been heard before please excuse me, this is the first virus I have ever had to deal with. I am also new to this forum. You can post your responses or email me at rfeehan@peinet.pe.ca. Thanks for reading this message.

Rob

- --
+------------------------------------------------------------------------------+
Rob Feehan Maritime Electric rfeehan@peinet.pe.ca voice: 902-629-3691
+------------------------------------------------------------------------------+

------------------------------

Date: Wed, 04 May 94 16:55:10 +0000
From: Christopher W Outtrim
Subject: antivirus products (PC)

Does anybody know the status of the following antivirus products.
I am currently working on my final year undergraduate degree project which is a study of the virus threat and antivirus techniques. I would be interested to know if the following are still available, in use, effective or not widely used plus any comments anyone would like to make about them.

project6 SAFE Thunderbyte Antivirus Untouchable Virusbuster Vaccine Virex VirucidePlus Bootx Antivirus(fink enterprises) PC-cillin Chasseur II Control Room Central Point Antivirus Fcheck Fprot Hyper access/5 AntivirusPlus(Techmar) Immunizer Viruscan suite of programs VET antiviral Virusafe Vkiller Watchdog7

Thanks
Chris

------------------------------

Date: Wed, 04 May 94 13:50:56 -0400
From: hudspeth@jarhead.eng (Todd Hudspeth)
Subject: "Jack-the-Ripper" (PC)

Could anyone provide any information on the "Jack-the-Ripper" virus? Please reply via e-mail.

Thanks,
Todd Hudspeth
Security Administrator
MSFC/NASA
hudspeth@jarhead.msfc.nasa.gov

------------------------------

Date: Wed, 04 May 94 14:34:37 -0400
From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
Subject: ANSI bomb (PC)

I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about ANSI bombs. It's a sequence of characters imbedded in a text file which can be interpreted by ansi.sys to do something unexpected, like redefining the keyboard to replace the enter key with deltree c:\*.* /y

Does this qualify as a virus? Has anyone seen one? Are they, or will they be common? He spoke of a defense against it with a program by PKware called PKSFANSI. Is that s/w, and if so, what ftp site? :(

rmd@med.pitt.edu

------------------------------

Date: Wed, 04 May 94 16:19:52 -0400
From: rcc@lgc.com (Randy Clarke)
Subject: help identifying a virus... (PC)

Hi,

I discovered last night that my home PC was infected with a partition table virus. McAfee's scan v113 reported that it was called 'Nyr [Genp]'...
A perusal of the virus list didn't show a listing for 'Nyr' and I was wondering if that is a particular virus or a general class of virii. If anyone can enlighten me, or point me in the right direction, I'd appreciate it.

Thanks!
Randy

------------------------------

Date: Wed, 04 May 94 21:30:54 -0400
From: CMSHERGE@UGA.cc.uga.edu
Subject: Help with Form Virus (PC)

Hi,

I have some problems caused by the Form virus on some of my disks (DOS). An anti-virus program detected the Form virus and cleaned the disk from it. I tried to read the disk and everything seemed to be ok. Now, a few days later I tried to read the disk again and the computer can't see the disk at all. Any ideas what could have happened? Any programs out there that can rescue my data on that disk?

Thanks for your help.
Hergen

------------------------------

Date: Thu, 05 May 94 03:35:29 -0400
From: "TONGA M SILIVA (STUPIDLY WISE)"
Subject: Help:filler Virus (PC)

Virus: Filler [Filler]
======================

Has anyone come across the above virus? If you have you may be able to help me out. I have had this virus detected on my PC for about a month now. I'm using MSDOS6.0 and used a McAfee Scan virus prg to scan my disks. The funny thing is the scan program only detects this virus from the scan.exe command from my autoexec.bat file. If I scan my hard disk from a write protected diskette and from a write protected scan diskette it cannot detect this virus. Even if the scan c: d: /chkhi command from my autoexec.bat file displays message virus found - Filler [filler].... , then I used my diskettes to clean out the virus it displays message that there is no virus found.

I find this very frustrating, and I keep redoing other methods and I'm about to give up. So far it has not done any damage, yet. I even used the MSAV (virus prg) from the MSDOS6.0, it cannot detect this.
The command I used in my autoexec.bat file for scanning is:

    scan c: d: d: /chkhi /bell

and the clean command I've used is:

    clean c: [Filler]

and the McAfee virus version I am using is: version 112.

Please could anyone out there help me.

T. Siliva
siliva_t@usp.ac.fj
University of the South Pacific
Fiji Islands.

------------------------------

Date: Thu, 05 May 94 13:51:03 -0400
From: we34329@vub.ac.be (DE KERPEL SVEN)
Subject: URGENT HELP: damaged FAT by flip-virus (PC)

My computer had flip-virus. I removed it but my FAT is still damaged. Does anyone have experience in resolving this problem? Please reply to we34329@is1.vub.ac.be or try to irc me on msdos_FATproblem

Thanx
Sven De Kerpel
we34329@is1.vub.ac.be

------------------------------

Date: Fri, 06 May 94 15:25:50 -0400
From: Mike Albrecht
Subject: B1 (or NYB) Virus (PC)

Greetings,

F-Prot discovered what it identified as the B1 virus on a machine. It was unable to disinfect and I could find no documentation on this virus. I downloaded a copy of McAfee Scan and Clean V114. Scan identified the virus as NYB [Genp] and was able to clean. I also noticed that just scanning an infected diskette either with F-Prot or Scan, caused the virus to appear in memory though it wasn't active.

Does anyone have any information on this virus, what it does, where it came from, etc. I've cleaned the hard drive(s) involved but was unable to clean the diskettes -- just copied off the files and reformatted the diskettes. Is this a fairly new virus? Any help is appreciated. Thank you.

Mike Albrecht
Director of Computing Services
Washington State University
College of Business & Economics
Pullman, WA 99164-4750
(509) 335-9660
ALBRECHT@WSUVM1.CSC.WSU.EDU

------------------------------

Date: Sat, 07 May 94 05:12:48 -0400
From: s316@ii.uib.no (Per Nestande)
Subject: Virus: Squisher Dropper (PC)

I found a virus called Squisher Dropper in two files on my hard disc. Except from infecting EXE files, does anybody know what it does?
(I have checked in VSUM (updated 31. Jan. 94) and found one called Squisher and one called Dropper, but none called Squisher Dropper.)

Please send answers to my e-mail address. Thanks.

Per Nestande
e-mail: s316@brems.ii.uib.no
- -- Department of Informatics, University of Bergen, Norway --

------------------------------

Date: Sun, 01 May 94 09:33:49 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-212.zip - F-PROT virus detector/disinfector version 2.12 (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
fp-212.zip      F-PROT virus detector/disinfector version 2.12

Version 2.12 is the regular, bimonthly update to F-PROT. The total number of viruses identified by this version is over 3900.

Version 2.12 - major changes:

The identification of boot sector viruses has been improved significantly. F-PROT does exact identification for most boot sector viruses it detects, and previously it would refuse to remove variants that differed by as little as one bit from the original virus. Other programs which did not do as good identification would happily remove the virus. F-PROT now attempts to determine if a new boot sector virus is sufficiently similar to a known variant to attempt disinfection.

Some improvements have been made to VIRSTOP. It is now more Windows-friendly than before - it will now beep instead of asking the user to press ENTER when intercepting a boot virus. It is now also possible to specify which drive to use for the "swap" files when using the /DISK switch. Finally, the /REHOOK switch allows VIRSTOP to be re-enabled, it was loaded before NETWARE or another program that took over the "load-and-execute" function.

Version 2.12 - the following problems were found and corrected:

Several false positives were fixed. The "Tamanna" false positive appeared in 2.11. The others were older, but had not been reported to us before.

"Possibly a new variant of Tamanna" in PWLICLMT.EXE (part of a beta release of DEC Pathworks)
"Possibly a new variant of Cysta" in KBDF.COM (Turkish keyboard driver)
"Possibly a new variant of SillyOR" in a program named TRAPKEY.EXE
"Leprosy" (VIRSTOP/Quick Scan) in a program named OPENPORT.COM

F-PROT 2.11 and earlier would not detect all Cysta.8045-infected .SYS files.

The Stoned.Angelina virus was not identified properly on 3.5" diskettes.

Some Voronezh.1600 and Liberty-infected files were not disinfected correctly.

Version 2.12 - minor improvements and changes:

When using the /ANALYSE option, F-PROT will now not report "Invalid entry point", unless the file has a .COM or .EXE extension - not .OVL for example.

If a virus is damaged, by shortening the file by a few bytes, F-PROT will now report "- truncated (xxx bytes missing)", instead of reporting just "New or modified variant of ...". This should never happen under normal circumstances and is of most interest to researchers that may have corrupted samples in their collections.

Version 2.12 - new viruses:

58 new viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..."

449 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately.

58 new viruses are now detected but can not yet be removed.

15 viruses which were detected by earlier versions can now be removed.

Some viruses have been renamed, in order to make F-PROT follow the CARO naming standard as closely as possible.

frisk
- - - Fridrik Skulason frisk@complex.is

------------------------------

Date: Mon, 09 May 94 10:25:23 -0400
From: news spool owner
Subject: Stone virus - stone.stonheng (PC)

McAfee's v2 reports that I have the stone virus (stone.stonheng). How do I kill it? Is there a vaccine?
When I use the /clean option it is reported that there is no remover for the virus. Does this mean a hard drive format is in order?

Thanks,
- --
========================================================================
John jmorton@cayley.uwaterloo.ca

------------------------------

Date: Mon, 09 May 94 10:28:04 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
tbav620.zip     Thunderbyte anti-virus pgm (complete) v6.20

The Thunderbyte Anti-Virus utilities are ShareWare. There are four security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and therefore very fast! TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even an infected file with an unknown virus can be cleaned. TbMon consists of three resident programs (TbMem, TbFile, TbDisk) which monitor your system against unknown viruses. From version 6.09 a Windows interface is included.

Changes: A breakthrough in the battle against polymorphic viruses! TbScan now has the ultimate answer on encrypted viruses. To cope with the ever increasing amount of polymorphic viruses, polymorphic engines, encryption engines, etc., the authors implemented a real code emulator in TbScan. This code emulator automatically decrypts any encrypted virus without any information about the specific virus. The current version decrypts MTE, TPE, URUGUAY, DSME, DAME, DESPERADO, NED, KRUEGER, SMEG (pathogen and queeg) PHANTOM_1 and many other viruses reliably.

tbav620.zip has replaced tbav612.zip and older.
TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in dir /pub/msdos/virus/tbav) and from there distributed to SimTel, garbo.uwasa.fi and nic.funet.fi and from there to their mirror-sites.

Greetings,

Piet de Bondt E-mail: bondt@dutiws.twi.tudelft.nl
==========================================================================
FTP-Admin for MSDOS Anti-virus software at: ftp.twi.tudelft.nl

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 34]
*****************************************
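
The "ANSI bomb" message in this issue concerns the ansi.sys key-redefinition sequence, ESC [ code ; string ... p, hidden inside a text file. As an added example (not code from the digest, from INFOWORLD or from PKSFANSI), this Python scanner finds such sequences in a file's bytes and defangs them while leaving colour sequences alone; the function names and the sample input are constructed for illustration.

```python
import re
from dataclasses import dataclass

# One ANSI.SYS parameter: a decimal number (at most 3 digits) or a quoted string.
_PARAM = rb'(?:\d{1,3}|"[^"\r\n]*"|\'[^\'\r\n]*\')'
# ESC [ param ; param ... p  is the ANSI.SYS "redefine key" sequence.
_REASSIGN = re.compile(rb"\x1b\[(" + _PARAM + rb"(?:;" + _PARAM + rb")*)p")
_TOKEN = re.compile(_PARAM)


@dataclass
class Finding:
    offset: int        # byte offset of the ESC character
    key: str           # key being redefined, e.g. "13" (Enter) or "0;59" (F1)
    replacement: str   # text the key would type afterwards
    auto_enter: bool   # True if the replacement contains a carriage return


def _value(token: bytes) -> bytes:
    """Bytes contributed by one parameter: string contents or one character code."""
    if token[:1] in (b'"', b"'"):
        return token[1:-1]
    return bytes([int(token) & 0xFF])


def find_key_reassignments(data: bytes) -> list:
    """Return a Finding for every key redefinition embedded in data."""
    findings = []
    for m in _REASSIGN.finditer(data):
        tokens = _TOKEN.findall(m.group(1))
        if tokens[0] == b"0" and len(tokens) > 1:
            # Extended keys (function keys and the like) are written as 0;code.
            key, rest = "0;" + tokens[1].decode("cp437"), tokens[2:]
        else:
            key, rest = tokens[0].decode("cp437").strip("\"'"), tokens[1:]
        if not rest:
            continue  # no replacement text follows the key: nothing is redefined
        typed = b"".join(_value(t) for t in rest).decode("cp437")
        findings.append(Finding(m.start(), key, typed, "\r" in typed))
    return findings


def neutralize(data: bytes) -> bytes:
    """Replace the ESC byte of each redefine-key sequence with the visible text '^['."""
    return _REASSIGN.sub(lambda m: b"^[" + m.group(0)[1:], data)


# Constructed sample: a text file with a harmless colour sequence and one
# key redefinition that makes F1 type a benign command followed by Enter.
SAMPLE = (
    b"Release notes\r\n"
    b"\x1b[1;31mWARNING\x1b[0m read me first\r\n"
    b'\x1b[0;59;"echo constructed-sample";13p'
    b"\r\nEnd of file\r\n"
)

if __name__ == "__main__":
    for f in find_key_reassignments(SAMPLE):
        print(f"offset {f.offset}: key {f.key} -> {f.replacement!r} "
              f"(runs without a keypress: {f.auto_enter})")
    print(neutralize(SAMPLE).decode("cp437"))
```

A replacement that ends in character 13 is the case to treat as most serious, because the remapped key both types and submits the command.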