VIRUS-L Digest   Tuesday, 7 Jun 1994   Volume 7 : Issue 39

Today's Topics:

comp.virus problems
Re: Disabled viruses?
Stop the Madness! :-)
Re: GOOD vs. BAD HUH?
Re: The truth about good viruses
virus terrorists (?)
Re: MVS Virus (IBM MVS)
os2scan 2.00 and Bootmanager Partition (OS/2)
Jack The Ripper (PC)
Swiss Virus (PC)
170x Virus (PC)
Central Point/DOS 6 Anti Virus Signatures and Updates (PC)
Re: Scanning ZIP files (PC)
Re: Virstop.exe and 386Max 7.0 (PC)
Re: French Virus (PC)
Re: Help re Genb (PC)
Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)
Re: DOS 6.X Anti-Virus (PC)
Help with boot virus.... (PC)
Re: VIRSTOP 2.12 Freezes PC (PC)
New virus found - Evolution 2001 (PC)
Aragon Virus (PC)
Re: VIRSTOP 2.12 Freezes PC (PC)
Re: Virstop.exe and 386Max 7.0 (PC)
virus on IBM PC??? (PC)
Server-Downing Viri (PC)
Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)
Liberty virus (PC)
wow! i'm infected... (PC)
Re: VSUM??????? (PC)
Re: Good anti-virus software recommendation needed (PC)
New files on risc.ua.edu (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 22 May 94 16:47:30 -0400
From: roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag)
Subject: comp.virus problems

 * In a message to All on 05-20-94, Vesselin Bontchev said the following:

VB> Apologies to the net and to Padgett in particular, but I am accessing
VB> this forum as a newsgroup (comp.virus) and not as a digest (Virus-L),
VB> and there have been some problems with comp.virus recently, so I have
VB> missed several messages, including the one Padgett is replying to.

So, does anyone know if these problems will be corrected, or do I have
to switch to Virus-L?

[Moderator's note: After a long (!) time of trying to track down where
the problem is, I think that we've figured it out. With a bit of luck,
comp.virus should be flowing smoothly once again.]

Roger

-=-=-=[ roger.ertesvaag@thcave.bbs.no ]=-=-=-

- --- > SPEED 2.0b #1486
 > The best alternative to INTELLIGENCE is SILENCE.
- ----
+-----------------------------------------------------------------------+
| Thunderball Cave BBS  +47 2256 7018 / 2256 8809  (USR V.32bis/Terbo)  |
|              -- thcave.bbs.no -- Oslo Norway --                       |
+-----------------------------------------------------------------------+

------------------------------

Date: Sun, 22 May 94 16:10:14 -0400
From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
Subject: Re: Disabled viruses?

res@bfs.uwm.edu (Ralph Stockhausen) writes:

>I would like to check out the functioning of my anti-virus setup. Are there
>any "disabled" viruses available that my program could detect, but would be
>safe to have on a test floppy?
>Thanks,
>Ralph

Doren Rosenthal has one, but I forgot her full email address
drosen@ .calstate.edu
her address is p.o.
box 1650 San Luis Obispo CA 93406

Also check out the following ftp sites:

oak.oakland.edu   pub/msdos/virus   vbait12.zip   virsimul.zip
garbo.uwasa.fi    pc/virus          virsim2c.zip

:-)rmd@med.pitt.edu

------------------------------

Date: Mon, 23 May 94 09:09:48 -0400
From: "Brian H. Seborg"
Subject: Stop the Madness! :-)

Yes it's time again to fire another salvo over the bow of the good ship
Malarkey! I challenged Fred Cohen to provide us with documentation on
"good viruses" and he referred us to his book (this from someone who had
just maligned anti-virus software authors as stoking the flames of
public fear just to make a buck! By the way, Fred has his own anti-virus
package on the market, but I would never suggest that he was trying to
get people to write "good" viruses so there would be a greater need for
his package! :-)). As Ross Greenberg so aptly pointed out, I'm sure Fred
could enlighten us in a paragraph so we wouldn't have to wait to buy his
book for an answer!

Also, Fred seems to be making a claim that if a virus asks your
permission to spread that it is okay! This is idiotic! First, consider
this, for the virus to ask your permission to spread, it has to be
running on your PC without your permission! Vesselin, I can't believe
that you bought off on this lame distinction! :-)

Another point, Fred, have you ever heard of version control? How about
change control? How would you affect these via a virus?

Here's a scenario, I send out a "good" virus (Ha, ha, ha, sorry, I can't
keep myself from laughing!) throughout my corporation. This is the
infamous compression virus (hee, hee, sorry!) that will compress any
executable file it encounters. First, though, to be a "good" virus it
asks permission to infect the system ("Hi, I am Fred Cohen's compression
virus, I am very nice and will help you save disk space, is it okay for
me to infect your computer?").
Of course unless every user in the corporation is computer literate they
will probably reboot the computer at this point, but, humor me and I'll
continue.

Assuming the user allows the virus to infect (will it ask this same
question every time it attempts to infect another file? Man, would this
be boring or what?) it will then ask, "Hey, this file is not compressed,
would you like me to compress it?" (would it ask this every time it
encountered a non-compressed executable, or would it be able to flip a
bit to store the fact that the question had already been asked and
answered in the negative? What if the next time I DID want it to
compress the file? Would the virus just neglect to ask me so that I
would not get any benefit from it?). Also, I can see the user saying,
"Damn, how do I turn this stupid thing off!" after about the 10th time
the virus asks permission to do something!

One more issue, how will you make sure the virus gets control in memory?
Will it infect command.com or one of the system areas so that it makes
sure to get control every time? If this is the case, then how many
different "good" viruses can use this same paradigm before you run out
of space in command.com (I guess we could change it to command.exe and
then load it up with different special purpose viruses and make it an
even greater lumbering behemoth than it is now!)

Now, let's say you want to upgrade this virus. How are you going to
enforce version control? In other words, you have a faster, better
compression algorithm, and you update the virus and now you want to make
sure it is in place throughout the corporation, how do you affect this
change? How do you even know the first version even made it to all PCs?
One more thing, not all PCs are network connected, how do you get the
virus and the upgrades to the laptops (this is a tough enough issue for
legitimate software)? Finally, how do you ensure that the virus does not
leave your corporate environment for parts unknown? (other people's
PCs?)
Even if you had a method of doing this, how much would it cost and how
big would the virus be at this point? What if it did get out? It would
seem that you'd be legally liable for any damage it did, or trespass at
the least. But, I digress...

Suffice it to say that the concept of a "good" virus all sounds good
theoretically, but when you give it a "reality-check" the notion of
"good" viruses beyond the confines of a laboratory environment shows
itself to be the ludicrous idea it is. Maybe I've been spending too much
time in the real world! :-) I guess I'll just have to buy Fred's book!
:-)

Brian Seborg

"..castles made of sand slip into the sea eventually..." -Jimi Hendrix

------------------------------

Date: Tue, 24 May 94 11:25:57 -0400
From: tgilbert@salsa.abq.bdm.com (Todd Gilbert)
Subject: Re: GOOD vs. BAD HUH?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>
> Well... it depends. It depends on the definition. If you define a
> computer virus as the above (and most people do), then indeed, it is
> impossible to create a good virus. There are other possible
> definitions (e.g., Dr. Cohen's), which include *only* the property to
> replicate. Some "viruses" of that type *can* be useful. The real
> problem is one of misunderstanding - what almost everybody calls a
> computer virus conforms to your "definition", not to Dr. Cohen's, and
> many programs that conform to Dr. Cohen's definition are not
> understood as viruses by most other people.
>
> > It all depends on the definition of the term "computer virus".
>

Given your use of quotes, I take it that you prefer Dr. Cohen's
definition to the widely accepted "definition". Why? Does his (fairly
sure this person is male) writing it down and wanting to be THE
AUTHORITY on viruses make everything he says correct? If so, perhaps he
should write a virus that contains his definition and will spread the
word to all computers and their users. I gather he'd think _that_ was a
good virus. I would not.
Todd

- --
tgilbert@salsa.abq.bdm.com      The owls are not what they seem
   or  " @nacho.abq.bdm.com     And neither are the penguins
"I don't know what I like about you, but I like it a lot", Led Zep.

------------------------------

Date: Wed, 25 May 94 10:19:19 -0400
From: UCC DASD Administration
Subject: Re: The truth about good viruses

>Date: Wed, 11 May 94 01:06:17 -0400
>From: pjc@as03.bull.oz.au (Paul Carapetis)
>Subject: Re: The truth about good viruses
>
>I have yet to be convinced that _any_ virus can be _known_ to be
>benevolent.
>
>No matter how talented a programmer wrote it, no matter how honourable its
>design intentions, no matter how well it worked when it was first released,
>how can the integrity of said virus be confirmed by the time it infects
>your (or my) machine? Wouldn't a known "benevolent" virus be the perfect
>target for one of the twisted minds that create the "malicious" variety? I
>can just see it...
>
>Message displayed on screen: "Hi! I'm a benevolent virus."
>                             "Do you want me to defrag your disk?"
>
>Typed reply: "Yes please!"
>
>Action: formatting, formatting...
>
>No thank you very much! I want full control over everything that is run on
>my system, and a virus must already be running in order to ask permission
>to infect, so how can I be sure it has not already taken any action?
>
>Blueskies from down-under,
>Paul

I think this illustrates quite nicely the whole problem with beneficial
viruses. That being the lack of a trusted path. When I buy a software
package, or download a shareware program, or buy a Rolex watch from the
trenchcoat of a gentleman on the streets of Manhattan, I am depending on
a certain avenue through which this product came. How reliable is that
path? It's one thing to talk about self replicating code in the ivory
confines of a researcher's tower. And I don't doubt the veracity of
those claims. But once you pass those doors and come out into the gene
pool, you lose that element of verifiability.
An unknown program running on my computer is suspect, even if it says,
Hi! I'm from the Government/Virus Research Department/Mensa club, and
I'm here to help you..... As the saying goes, How do you know where it's
been?

If some people came to your house and said, You just go away for a few
days. We're going to clean your house for you, fix the roof and install
a Jacuzzi in the master bedroom. Trust us. We're Nice People. Maybe
they're telling the truth. But if they have no credentials, references
or licenses, how would you know? Would you hand over the keys to your
house?

I don't think the most important question is whether beneficial viruses
exist. But how could you tell if you had the real thing?

Jon Loux
Data Administration/Security Administration
University of Connecticut Computer Center

------------------------------

Date: Wed, 25 May 94 14:02:10 -0400
From: tgilbert@salsa.abq.bdm.com (Todd Gilbert)
Subject: virus terrorists (?)

I won't repost it, but there's an article under bit.listserve.ethics-l
that you folks might find interesting. It appears to be a couple guys
from Eastern Europe threatening to release viruses unless somebody
offers them a good paying job. A couple of the responses are quite
interesting too. My favorite is the one that advises these two guys to
read Faust (maybe you had to be there :-> ).

Regards
Todd

- --
tgilbert@salsa.abq.bdm.com      The owls are not what they seem
   or  " @nacho.abq.bdm.com     And neither are the penguins
"I don't know what I like about you, but I like it a lot", Led Zep.

------------------------------

Date: Mon, 23 May 94 11:33:55 -0400
From: Arthur Gutowski
Subject: Re: MVS Virus (IBM MVS)

>Date: Mon, 25 Apr 94 14:43:00 +0200
>From: Philippe_Cheve@f111.n331.z9.virnet.bad.se (Philippe Cheve)
>Subject: Mainframe virus (IBM MVS)

>I would like to know if it possible to infect a mainframe.
>Where are running MVS ESA, JES3 under IBM 3090 & ES9000 and we have
>some many days strange problem with application module and somebody in
>company are thinking that our system could have been infected by
>Virus.

>Where i can find information about this kind of Virus ?

Tell your people not to panic. Most likely it is a *bug* in the
application, *NOT* a virus. I have never heard of an MVS virus. Neither
has any of the MVS systems and applications programmers I know. It has
been talked about on this forum in the past, and it certainly seems
possible that one could be written. No MVS programmer that I know,
however, would waste their time on virus-writing, when typically they're
overloaded with real work to do. Like debugging applications.

Art

  /==="    Arthur J. Gutowski, MVS System Programmer
 : o o :   Wayne State University     Bitnet:   AGUTOWS@WAYNEST1
 : --- :   Detroit, Michigan          Internet: AGUTOWS@cms.cc.wayne.edu
  "===/    Have a day.                Phone:    (313) 577-0718
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Don't take yourself too seriously and don't listen to the experts
(especially the pigs) and you've got it.
                                      -- Kermit's Guide to Life in the 90's

------------------------------

Date: Tue, 24 May 94 03:10:33 -0400
From: koenen@cipserv1.physik.uni-ulm.de
Subject: os2scan 2.00 and Bootmanager Partition (OS/2)

Hi netters,

I have a very simple question: Does the new McAfee os2scan ver. 2.00
check the bootmanager partition? The docs tell nothing about it and the
program itself says that it has checked the MBR (partition table) and
the bootsector of the drive. But the bootmanager partition isn't a
drive.

Thanks
Jo

+-----------------------------------------------------------------------+
| Joachim A. Koenen; Universitaet Ulm; Abt.
Experimentelle Physik                                                   |
| Albert-Einstein-Allee 11; D-89069 Ulm; Germany  Tel: ++49 731 502-3022 |
| E-mail: Joachim.Koenen@Physik.Uni-Ulm.De                               |
+-----------------------------------------------------------------------+

------------------------------

Date: Sat, 21 May 94 06:36:01 +0000
From: ineichen@cui.unige.ch (INEICHEN Gerard(centre EAO))
Subject: Jack The Ripper (PC)

We have found a "Jack The Ripper" virus in more than one school in
Geneva. This virus isn't described in the VSUM of Patricia Hoffmann, but
is detected by scan 113 & 114. Does anybody have more information about
this virus ?

Thank you
Reply to ineichen@cui.unige.ch

Gerard Ineichen

------------------------------

Date: Sat, 21 May 94 06:40:03 +0000
From: ineichen@cui.unige.ch (INEICHEN Gerard(centre EAO))
Subject: Swiss Virus (PC)

A student has found a "swiss virus" that infects the boot record. It
seems to be a new variant of the virus. McAfee scan 114 lists it but I
haven't found more info. Be careful: it isn't the swiss phoenix nor the
Swiss 143.

Thank you for more information
Send mail to ineichen@cui.unige.ch

Thank you
Gerard Ineichen

------------------------------

Date: Sat, 21 May 94 03:03:52 -0400
From: nwsoh1@hestia.cc.monash.edu.au (Mr NWS Soh)
Subject: 170x Virus (PC)

When I scanned my hard disk recently using SCAN C: /m, using McAfee's
anti-virus program version 84, the message read:

  Found 1701/1704 virus - version B [170x] active in memory
  Found 1 file containing a virus.

Using the same McAfee to clean,

  c:> clean c: [170x] /m /a

somehow, on scanning the C: drive again, I still get the same message:

  Found 1701/1704 virus - version B [170x] active in memory

Please help. I suppose reformatting the hard disk could get rid of the
virus but I do not wish to do so because of the huge amount of data and
programs on my 120Mb drive.

Please send your replies to either the newsgroup or to
nwsoh1@nellads.cc.monash.edu.au

Thank you in advance.
------------------------------

Date: Sat, 21 May 94 09:37:07 -0400
From: plo@cs.rmit.oz.au (Perry L Oren)
Subject: Central Point/DOS 6 Anti Virus Signatures and Updates (PC)

I was wondering if anyone out there knows of an ftp site where the
latest signatures for the DOS 6 and Central Point anti virus products
can be found.

Perry Oren
plo@etrog.se.citri.edu.au
20 Ames Avenue
Carnegie, VIC, 3163
AUSTRALIA

------------------------------

Date: Sat, 21 May 94 13:19:16 +0400
From: eugene
Subject: Re: Scanning ZIP files (PC)

Hi!

>Does anyone know, when you scan a ZIP file will the virus scanner pick

AVP 2.0 shareware extracts the files (into temporary files) from ZIP
(including ZIP2EXE executables) and ARJ (including multivolume archives)
on scanning. It does it with DIET/PKLITE/LZEXE/... also.

Regards,
Eugene

- ---
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su  +7 (095)278-9949

------------------------------

Date: Sun, 22 May 94 07:48:17 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virstop.exe and 386Max 7.0 (PC)

juan@fiu.edu (Juan Carlos Perez) writes:

>I apologize for the question if it is not appropriate, but I would like to
>know if upcoming versions of F-Prot will solve the problem of VIRSTOP.EXE
>not working with 386MAX v7.0.

This has already been fixed. Just use the /NOTRACE command-line switch,
which is in the current version (2.12). The main function of this switch
is to make Virstop work on machines with (non-Intel compatible) Cyrix
486SLCs, but it solves the 386Max/BlueMax problem as well.

- -frisk

------------------------------

Date: Sun, 22 May 94 07:50:10 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: French Virus (PC)

pj@doc.ic.ac.uk (Paul Jarvis) writes:

>       Our college has recently been hit by something which FPROT
>identifies as the "French" virus. When I checked this news group
>I found no articles at all, for at least the last week. Is there
>a problem with our feed?
No, this is a general problem with the VIRUS-L <-> comp.virus gateway,
which has been rather unreliable.

>Also can you tell me anything about this virus.

Well, it is French :-)

Actually the virus has been renamed by now to "Jumper". I have not
disassembled it yet - just added quick detection of it...planning to
analyse it in the near future...so unfortunately I cannot tell you
anything about it yet.

- -frisk

------------------------------

Date: Sun, 22 May 94 07:55:35 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Help re Genb (PC)

142893@pc-lab.fbk.eur.nl (C.A.W. Coopmans) writes:

> Can anyone out there help me with a virus with the scan code:
> [Genb]

Genb (reported by SCAN) just means: "I am almost sure this is a virus,
but it is not identical to anything I know". This probably is a new (at
least new to SCAN) virus, and therefore it is not possible to tell you
what it does or how to get rid of it. You should make a copy of the
infected boot sector, and send that to the various anti-virus
companies/researchers.

Actually, many boot sector viruses can be removed with a "generic"
method:

- -------------------------------------------------------------------------------

Frisk Software International - Technical note #8

Generic boot sector disinfection

Although F-PROT is usually up-to-date with respect to virus detection
and disinfection, there are occasional cases of a virus infecting a
machine before we have implemented disinfection of that particular
virus. The instructions below describe a "generic" method for the
removal of boot sector viruses.

If the virus infects the Master (Partition) boot sector:

Create a bootable system diskette on a different (clean) machine, that
is running DOS 5 or 6, with the FORMAT /S or "SYS" commands. You cannot
use DOS 4 or older for this purpose. Copy the file FDISK.EXE to that
diskette and write-protect it.
Boot the infected machine with this diskette - do not rely on just
pressing Ctrl-Alt-Del...press the Reset button or turn the machine off
and then back on.

Check if you are able to access all partitions on the hard disk
normally. If they are not recognized, it might be because the virus
encrypts the partition data or overwrites it....in this case the generic
disinfection method described below is not possible. One method which
will often work is to wipe out the MBR with a disk editor, and then run
NDD and tell it to recover the lost partitions. My favourite tool for
this purpose is NDD version 4.5. However, you should make a backup copy
of the (infected) MBR first - if you don't know how to do that, you
probably should not be fiddling with the MBR anyhow.

If everything seems to be OK, give the command FDISK /MBR. This will
overwrite the code part of the MBR - in effect "killing" the virus.
(note: if you are using Novell DOS 7.0, you need to select this option
from the menu, not give a command-line switch).

Reboot the machine normally from the hard disk.

If the virus infects the DOS boot sector:

Create a bootable system diskette on a different (clean) machine, that
is running exactly the same version of DOS as the infected machine. COPY
the SYS.COM file from the DOS directory to the diskette and
write-protect it.

Boot from the diskette and give the command SYS C:

In addition to copying the system files over (which is not necessary to
remove the virus), this will overwrite the DOS boot sector with "clean"
code, killing the virus.

- -frisk

------------------------------

Date: Sun, 22 May 94 08:11:51 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>5) One old bug in the SCAN series is finally fixed - the multiple
>detections. SCAN 2.00 no longer reports more than one virus when only a
>single virus is present in the file.
That is: it no longer reports multiple viruses in a single
sample...however, different samples of a single virus may occasionally
be reported to be infected with different viruses - a
"first-generation" sample may be reported to be infected with a
different virus than the normally infected files. For example:

  F:\LP\A\COMMAND.COM   Found the _PHUNNIE virus
  F:\LP\A\10000C.COM    Found the _PHUNNIE virus
  F:\LP\A\PHUNNIE.COM   Found the SUN-2 virus

- -frisk

------------------------------

Date: Sun, 22 May 94 22:51:43 -0400
From: snpdoggy@aol.com (Snp Doggy)
Subject: Re: DOS 6.X Anti-Virus (PC)

slbray@deakin.edu.au (Sharyn Bray) writes:

I found DOS 6.x Anti-Virus is NOT very good... In fact, I think it is a
waste of time...I collect viruses, I have over 100 including, yankee
doodle virus, aids, Michelangelo, Richards, vmessiah, and many, many
others...Anti-Virus found only 10 out of 120 viruses I had on floppy
disks..50 of which it WAS supposed to FIND, but DID NOT...when I tried
F-Prot it found 75 and then I tried McAfee's and it found 60 of
120...I'm not a sales person or anything, I'm actually just a hacker who
collects viruses...I suggest F-Prot or another commercial scanner...I
hope I helped ya :)

PS. No, I DO NOT pass viruses to people...I just collect 'em :)

------------------------------

Date: Fri, 20 May 94 18:04:19 +0000
From: angela@rahul.net (Angela Tsoi)
Subject: Help with boot virus.... (PC)

I've been having a BIG problem w/ a virus in my hard drive. It's a boot
sector virus. I tried almost all of the scan programs and none of them
could detect it. SO I resorted to formatting my hard drive; at the end
of the format it said "Possible Boot Virus: Do your want to continue?" I
said yes and it worked for about a week or so, then it popped back up
again. How can I get rid of it for good?

Help a poor unfortunate soul..
- --
Angela Tsoi

------------------------------

Date: Mon, 23 May 94 08:56:19 -0400
From: dlinder@cse.unl.edu (Daniel Linder)
Subject: Re: VIRSTOP 2.12 Freezes PC (PC)

ralf@meaddata.com (Ralf Grisard) writes:

>I just downloaded F-Prot 2.12. When I run VIRSTOP from the MS-DOS prompt,
>it seems to load OK, giving me a message that it has been installed. But
>then regardless of what it is, the next command I enter freezes the PC,
>and I have to reboot to unfreeze it.

>I'm running MS-DOS6.2 with 386Max on a Dell 486/50 with 8 megs of RAM.
>Among other things, I'm connected to a Banyan network, but I'm running
>VIRSTOP after connecting to the network, as per the VIRSTOP doc. F-Prot
>itself runs fine -- it's only VIRSTOP that I'm having a problem with.

>Any ideas? (Helpful ones only, please :-)

When my father got his copy of 386Max, we started loading things high.
It turned out that the computer would freeze right after the VIRSTOP
command was loaded. More specifically, VIRSTOP would load all right,
but the next program (loaded high or not, if I remember right) would
freeze the machine. Since the memory difference for our setup was not
much different between using MSDos 6.0 and 386Max, he decided to stick
with MemMaker.

If I remember right, there was some note made of this somewhere. (Might
have been on Qualitas' BBS or in the on-line documentation). I tried
sending a letter to Fredrick S. (Maker of F-Prot), but never got a
response--my letter might have bounced off the face of the earth...

Does any one know if it is a 386Max problem or a F-Prot problem?

Thanks!

Dan

- --
| Dan Linder - Computer Sci/Engineer | "If there's nothing wrong with me,    |
| dlinder@cse.unl.edu - Senior       | there must be something wrong with    |
| "Get LINUX and drop DOS"           | the universe!" Bev Crusher-Remember Me|
| Disclaimer: My university does not listen to me, why would I speak for them?
|

------------------------------

Date: Mon, 23 May 94 09:31:22 -0400
From: "MICHAL EGLER"
Subject: New virus found - Evolution 2001 (PC)

I have found a new virus. It is possible to find infected programs in
BREAJARJ.ARJ and ZIPCRACK.ARJ archive files in most of the BBSs in
Poland. But I am quite sure that this virus was not written in Poland.
I suggest that this virus was written by the same person who wrote the
TREMOR virus.

Some facts about the Evolution 2001 virus:

- -virus code created using 386 opcodes
- -polymorphic uncode procedure
- -increments year in file creation date by about 100 years
- -code similar to TREMOR virus / time stamp, virus internal text
- -infects EXE files
- -increments file size by about 2770 bytes
- -virus code resident in high conventional memory / about 9Exx:xxxx
- -most times memory start address = 9E42:0
- -virus code reserves 7136 bytes in memory
- -contains text
   -=p Evolution 2001 Virus was done by lord Salivantis - Nov/Dec 1993 p=-
- -virus displays text before 3:58:46 and 5:58:9 under some other conditions

None of the known shareware antivirus programs can find this virus.

------------------------------

Date: Mon, 23 May 94 12:42:28 -0400
From: litta@essex.ac.uk ()
Subject: Aragon Virus (PC)

After downloading McAfee's latest version of scan113 and running it on
my system (486DX 33 4M ram 170 HD), there was no "virus found" etc msg.
Next I tested high memory with the flag /chkhi, after which scan
returned that it had in fact found the "Aragon" virus and informed me to
reboot from a clean disk and rerun scan (also from a new clean disk).
Following these instructions and rerunning scan to check high memory
still returned the same msg.

As I was running dblspace at the time and had heard that this could
sometimes be mistaken for a virus, I decided to remove it. Again no
change in the error msg. Next I disabled the HD in the CMOS setting and
tried again. Still no luck. Finally created a new boot block from disk
which checks integrity; yet again no change.
If anyone can offer some help it would be most appreciated.

The "Aragon" virus copies the boot block before writing itself onto it.
Thus any checking made to it will be routed to the copy of the original
boot block. Could it be possible that some hardware could look like the
virus ?

_____
Aidan Littlewood
Replies to :- litta@essex.ac.uk

------------------------------

Date: Mon, 23 May 94 21:41:51 -0400
From: gus@jomega.eglin.af.mil (Eric P. Augustus)
Subject: Re: VIRSTOP 2.12 Freezes PC (PC)

ralf@meaddata.com (Ralf Grisard) writes:

>I just downloaded F-Prot 2.12. When I run VIRSTOP from the MS-DOS prompt,
>it seems to load OK, giving me a message that it has been installed. But
>then regardless of what it is, the next command I enter freezes the PC,
>and I have to reboot to unfreeze it.

>I'm running MS-DOS6.2 with 386Max on a Dell 486/50 with 8 megs of RAM.
>Among other things, I'm connected to a Banyan network, but I'm running
>VIRSTOP after connecting to the network, as per the VIRSTOP doc. F-Prot
>itself runs fine -- it's only VIRSTOP that I'm having a problem with.

>Any ideas? (Helpful ones only, please :-)

I don't recall the exact reasons why virstop hangs with 386max, but if
you use the '/notrace' command line parameter it'll work okay.

- --
=======================================================================
 _/_/_/_/  _/    _/  _/_/_/_/   Eric Augustus, Capt
_/        _/    _/  _/          WL/MNGA
_/  _/_/  _/    _/  _/_/_/_/    Eglin AFB, FL 32542
_/    _/  _/    _/        _/    (904) 882-4636 x2359
 _/_/_/_/  _/_/_/_/  _/_/_/_/   gus@jomega.eglin.af.mil
=================== #INCLUDE  =======================

------------------------------

Date: Mon, 23 May 94 21:42:04 -0400
From: gus@jomega.eglin.af.mil (Eric P. Augustus)
Subject: Re: Virstop.exe and 386Max 7.0 (PC)

juan@fiu.edu (Juan Carlos Perez) writes:

>I apologize for the question if it is not appropriate, but I would like to
>know if upcoming versions of F-Prot will solve the problem of VIRSTOP.EXE
>not working with 386MAX v7.0.
>Thanks...:)

Try the '/notrace' command line parameter.

- --
=======================================================================
 _/_/_/_/  _/    _/  _/_/_/_/   Eric Augustus, Capt
_/        _/    _/  _/          WL/MNGA
_/  _/_/  _/    _/  _/_/_/_/    Eglin AFB, FL 32542
_/    _/  _/    _/        _/    (904) 882-4636 x2359
 _/_/_/_/  _/_/_/_/  _/_/_/_/   gus@jomega.eglin.af.mil
=================== #INCLUDE  =======================

------------------------------

Date: Tue, 24 May 94 08:56:19 -0400
From: litta@essex.ac.uk (Littlewood A)
Subject: virus on IBM PC??? (PC)

(Posted by walaj@essex.ac.uk for litta@essex.ac.uk)

After downloading McAfee's latest version of scan113 and running it on
my system (486DX 33 4M ram 170 HD), there was no "virus found" etc msg.
Next I tested high memory with the flag /chkhi, after which scan
returned that it had in fact found the "Aragon" virus and informed me to
reboot from a clean disk and rerun scan (also from a new clean disk).
Following these instructions and rerunning scan to check high memory
still returned the same msg.

As I was running dblspace at the time and had heard that this could
sometimes be mistaken for a virus, I decided to remove it. Again no
change in the error msg. Next I disabled the HD in the CMOS setting and
tried again. Still no luck. Finally created a new boot block from disk
which checks integrity; yet again no change.

If anyone can offer some help it would be most appreciated.

The "Aragon" virus copies the boot block before writing itself onto it.
Thus any checking made to it will be routed to the copy of the original
boot block. Could it be possible that some hardware could look like the
virus ?

(If you receive this, please mail me (litta@essex.ac.uk))

------------------------------

Date: Tue, 24 May 94 11:29:39 -0400
From: Christopher Aedo
Subject: Server-Downing Viri (PC)

I've brought up a test server of sorts, in order to train CRM personnel
on security weaknesses, and common problems of Novell NetWare 3.12
servers.
One of the books on NetWare listed a few viruses that were common threats to NetWare. These viruses are:

Cascade.1701
Cascade.1704
Frodo
Green Caterpillar.1
Jerusalem.Standard
Yankee Doodle 2885

According to the publication, these viruses will move from an infected workstation, onto the server. We are also trying to evaluate virus protection. We are running Norton AntiVirus on the server right now, so this would be a good test to see if it is able to detect and stop these viruses before anything major happens. The environment is secure and controlled, so we are going to try to infect the server with these viruses.

What I would like is either the source code, or maybe an infected file UUencoded, or somewhere where I can get these viruses.

Also, which anti virus package is the best one out there these days?

Thank you in advance.

- -Christopher Aedo (u56513@uicvm.uic.edu)

------------------------------

Date: Tue, 24 May 94 13:37:31 -0400
From: Henrik Stroem
Subject: Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)

> From bontchev@fbihh.informatik.uni-hamburg.de Tue May 24 19:17:24 MET DST 1994
> Subject: Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)
>
> Christian Fritze (fritze@amadeus.statistik.uni-dortmund.de) writes:
>
> > SCAN.EXE c: /AF filename.crc
> > After doing so
> > SCAN.EXE c: /CF filename.crc
> > reported the boot-sector was changed.
> [snip]
> > We are using OS/2-Bootmanager, VSHIELD113, SCAN113.9.24,MSDOS 5.0 german.
>
> I am not an expert in the way SCAN computes its checksums for the boot
> sector, or in OS/2, but I suspect that the BootManager is the problem.
> I'll appreciate if more OS/2-competent people than me comment on this
> question, but I think that the BootManager modifies the MBR each time
> you decide to change the bootable operating system.
The BootManager masks all non-selected entries in the MBR, so a standard HPFS partition with type 07h will be changed to 17h, and DOS types 05, 06 and 04 will in the same way become 15h, 16h and 14h. Only the active entry will not be masked.

The solution is to use a different filename.crc file for each OS, or to use a program that is aware of this.

> In general, there are several things in the popular operating systems
> (SETVER for MS-DOS, BootManager for OS/2, etc.) that make the life
> rather difficult for the integrity checkers. The solution is to make
> the integrity checkers aware of those problems.

Try my HS v3.58. Available by ftp from 141.210.10.117:/pub/msdos/virus as the file hs-v358.zip. It is a bootsector integrity checker that will detect all bootinfectors, and automatically remove them. It uses no RAM, and executes in less than a second on most machines.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Tue, 24 May 94 14:02:44 -0400
From: charlesb@bedford.progress.com (Charley Boudreau)
Subject: Liberty virus (PC)

Does anyone know anything about the Liberty virus. What damage does it cause? How does it affect file size? Etc?

Also, any suggestions for a book or BBS that would have this info about the common (and not so common) viruses?

Thanks

------------------------------

Date: Wed, 25 May 94 05:00:37 +0000
From: jstefani@silver.ucs.indiana.edu (Jack Stefani)
Subject: wow! i'm infected... (PC)

after a long time of just not caring, i downloaded mcfee scan and ran it on my harddrive. after scanning it all, it reported back that it found cansu(?) virus in my partition table. so now that i'm infected i've got a few questions.

1.) after i found out that i was infected, i copied off to a floppy some of my important stuff (all non-executables, source code, word perfect documents etc...) is there anything i have to worry about? are executables the only things that can get infected.

2.) scan said that my partition table was infected but it didn't tell me what file did the infecting. how can i find out where i got the virus from.

3.) and of course, how do i get rid of it? i've just now downloaded the clean program that scan talked about. i doubt if i'll run it tonight though since the doc's for scan said that the removal of partition table virus can screw up everything.

4.) where can i get info on my particular virus (cansu), what will happen if i just leave it in?

well, any help is appreciated. thanks.

- ----------------------------
jack stefani

------------------------------

Date: Wed, 25 May 94 14:00:13 -0400
From: grettir@keflavik.wordperfect.com (Grettir Asmundarson)
Subject: Re: VSUM??????? (PC)

[Samples of VSUM inaccuracies deleted]

> My personal opinion of VSUM is that it is too incredibly useless and
> inaccurate to be of any use whatsoever to anybody.

What is the best alternative to VSUM? F-Prot has accurate virus information built-in, but sometimes I'd like more information than is available there. I've taken a look at both CVC and CMBASE, but I'm not sure those are the answer either...

> - -frisk

grettir

------------------------------

Date: Wed, 25 May 94 12:30:26 -0400
From: S1083509@cedarville.edu (Joe Brown)
Subject: Re: Good anti-virus software recommendation needed (PC)

jclee@netcom.com (Johnson C. Lee) writes:

>From: jclee@netcom.com (Johnson C. Lee)
>Subject: Good anti-virus software recommendation needed
>Date: Thu, 12 May 94 18:16:23 -0400
>
>Hi,
> Does anybody know if there is any anti-virus software that will
>detect the virus automatically ? What I mean is every two weeks I have
>to run my anti-virus software to do detection and it took a long time.
>It will be nice if there is an anti-virus software which will do the
>detection when there is disk operation etc etc.
> And can someone recommend me some good anti-virus software either
>in the shareware domain or in the market ?
>I am particularly looking
>for something that will work in a networked (both netware and
>TCP) environment.
>Any info will be appreciated.
>Thanks,
>- -Johnson

You can try Norton Anti-Virus or Central Point Anti-Virus, both of these I believe will do this.

- --Joe Brown
- --Anglo-Saxon American And Proud Of It
- --Tiny Toons Are Awesome
- --
- --Cedarville College
- --Cedarville, Ohio
- --s1083509@cedarville.edu

------------------------------

Date: Sun, 22 May 94 16:31:31 -0400
From: James Ford
Subject: New files on risc.ua.edu (PC)

The last time I sent this message it appeared that someone at McAfee.com accidentally placed files in a public area which contained the word "beta". McAfee.com has since replaced these files. The latest versions should be the "correct" versions (according to McAfee.com).

I have placed a Gopher server on top of the anonymous FTP area of risc.ua.edu. You can now access risc.ua.edu by a Gopher client or by Mosaic by using the URL "gopher://risc.ua.edu". Please let me know if you have any problems on risc. Thanks.

- ----------- Mirrored 02 -------------
(ftp.mcafee.com:/pub/antivirus -> /pub/ibm-antivirus/Mirrors/mcafee/antivirus)
@ Sat May 21 00:12:07 CDT 1994
Got 00-Index 1909
Got cln115b.zip 273895
Got ocln115b.zip 291420
Got oscn115b.zip 258680
Got scn115b.zip 254436
Got vsh115.zip 146220
- -------------------------------------

- ----------
James Ford - Seebeck Computer Center
jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)
(205) 348-3968 (205) 348-3993 (fax)

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 39]
*****************************************
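An added illustration of the point Henrik Stroem makes in this digest about OS/2 BootManager masking non-selected partition types (07h to 17h, 06h to 16h and so on) and tripping boot-sector integrity checkers. This is example code written for this page, not HS, SCAN or any other program mentioned above; it assumes the standard MBR layout (partition table at offset 1BEh, 55AAh signature) and treats the active flag and the 10h "masked" bit on types 14h-17h as OS-selection state rather than as a change worth alarming on. The sample MBRs are constructed.

```python
import hashlib
import struct

PT_OFFSET = 0x1BE                     # the four 16-byte partition entries start here
BM_MASK = 0x10                        # BootManager: 04h/05h/06h/07h -> 14h/15h/16h/17h
MASKABLE = {0x04, 0x05, 0x06, 0x07}   # the partition types the digest says get masked


def normalize_mbr(mbr: bytes) -> bytes:
    """Undo BootManager's per-selection edits: clear every active flag and strip
    the 10h bit from types 14h-17h, so snapshots taken under different OS
    selections match while boot-code changes (what a boot infector makes) still
    show. Caveat: a change that only flips the active flag is hidden as well."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 55AAh signature")
    out = bytearray(mbr)
    for i in range(4):
        off = PT_OFFSET + 16 * i
        out[off] = 0x00                           # boot/active flag: 80h or 00h
        ptype = out[off + 4]
        if ptype & BM_MASK and (ptype & ~BM_MASK) in MASKABLE:
            out[off + 4] = ptype & ~BM_MASK       # 17h -> 07h, 16h -> 06h, ...
    return bytes(out)


def mbr_fingerprint(mbr: bytes) -> str:
    """The value a checker would store in its equivalent of filename.crc."""
    return hashlib.sha256(normalize_mbr(mbr)).hexdigest()


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed sample MBR; entries are (active, type, start_lba, sectors)."""
    mbr = bytearray(boot_code[:PT_OFFSET].ljust(PT_OFFSET, b"\x00"))
    for active, ptype, start, size in entries:
        mbr += struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                           ptype, b"\0\0\0", start, size)
    mbr += b"\x00" * (16 * (4 - len(entries)))
    return bytes(mbr + b"\x55\xaa")


# Constructed samples: one disk with DOS selected, the same disk with OS/2
# selected in BootManager, and a copy whose boot code has been overwritten.
CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # stand-in boot code
DOS_SELECTED = build_mbr(CODE, [(True, 0x06, 63, 200000), (False, 0x17, 200063, 300000)])
OS2_SELECTED = build_mbr(CODE, [(False, 0x16, 63, 200000), (True, 0x07, 200063, 300000)])
MODIFIED = build_mbr(b"\xeb\x1e" + CODE, [(True, 0x06, 63, 200000), (False, 0x17, 200063, 300000)])

if __name__ == "__main__":
    base = mbr_fingerprint(DOS_SELECTED)
    print("OS/2 selection leaves fingerprint unchanged:", mbr_fingerprint(OS2_SELECTED) == base)  # True
    print("boot code change is flagged:", mbr_fingerprint(MODIFIED) != base)                     # True
```

A raw checksum of the two selection snapshots differs (active flag and type bytes), which is exactly the false alarm reported in the thread; the normalized one does not.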