VIRUS-L Digest   Friday, 1 Jul 1994    Volume 7 : Issue 48

Today's Topics:

I.C.A.R.O.
Re: Viruses = Commercial Opportunity?
Re: GOOD vs. BAD HUH?
Programming in general (not necessarily viruses)
Re: Bad and good viruses...
A virus definition...
Re: GOOD vs. BAD HUH?
Re: Anonymous FTP Site Distributing Viruses?
Re: "New" Virus found? (PC)
Re: Natas Virus Test
Re: Viruses = Commercial Opportunity?
Re: The underground and 'good' viruses
Re: Fred Cohen and computer viruses
VTECH 4.0 (PC)
New virus - Junkie (PC)
Re: Anonymous FTP Site Distributing Viruses?
Re: Why so many Leprosy viruses? (PC)
Need info on "WONDER" virus (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: What is name of Newest F-Prot? (PC)
Re: New virus (Trashed?) in Ann Arbor Mi? (PC)
Re: Monkey Virus (PC)
Re: Thunderbyte Antivirus (PC)
Re: info on 2 viruses (PC)
Re: antivirus products (PC)
Re: antivirus products (PC)
Re: Joshi virus - False alarm? (PC)
Re: What is name of Newest F-Prot? (PC)
Re: Why so many Leprosy viruses? (PC)
Re: Possible D-Day Virus? (PC)
New virus (Trashed?) in Ann Arbor Mi? (PC)
Re: MtE Virus info wanted (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 06 Jun 94 15:49:11 +0100
From:    Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: I.C.A.R.O.

-----BEGIN PGP SIGNED MESSAGE-----

ITALIAN COMPUTER ANTIVIRUS RESEARCH ORGANIZATION

Being an anti-virus manufacturer and/or a well known anti-virus researcher, you have been automatically added to the Italian Computer Antivirus Research Organization's mailing list. Being subscribed to this list, you'll receive virus news, reports, analysis and always the new versions of the General Antivirus Test.

The I.C.A.R.O. is a completely independent organization founded by four Italian Anti-Virus researchers with the sole purpose of providing the users with correct information and establishing an independent virus-help network in Italy as well as between Italy and the other countries.

For questions, un/subscriptions, and other information requests, please write me at one of the above addresses:

luca.sambucci@ntgate.unisg.ch
93647758s@sgcl1.unisg.ch

With the next message you'll receive the June 1994 edition of the General Antivirus Test.

Best Regards,
Luca Sambucci

P.S. My PGP 2.3a public key is available at the PGP key-servers.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLfJqBOZQNzkHaA4JAQHekgP/YtT76a8SUVxjSHfvhZEGN3KM0CS7LhU4
DvKroQ6Xi38wPy1itz2yTfHMHzh9GsOvGleqCbpTuP2VJ3zbSgPEM4bXn3HsJDYt
uOBL52yMaFA1aV7gHhHUGn1p5c+/qHn9or4t8/pRDfCYhwC3qOEmAxct/pFAjL6w
N4M7QgwkpLE=
=O0ES
-----END PGP SIGNATURE-----

------------------------------

Date:    Fri, 24 Jun 94 11:29:00 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Viruses = Commercial Opportunity?

tluten@news.delphi.com (TLUTEN@DELPHI.COM) writes:

>First, my greetings and apologies to the regulars in this area. I'm new
>to the net, and came principally because I thought I'd find a group of
>accessible experts here. I think I have.
Well, there are some experts here :-) but many of them are biased or associated with an existing product, so.....

>I may have an opportunity to do some work with a start-up that wants to
>market a new(ly available in the US) anti-virus package.

If I understand you correctly, you mean that this product has been available outside the US for a while, but is only now being marketed there.....hmm.. now, which one could that be ? H+BEDV's ? Lozinsky's ? Sophos' ? I don't remember any other good non-US products not marketed there...although there is one good British product that is marketed in such a hopeless way that it could just as well not be available at all....:-)

>The thing that
>puzzles me about the market is that a few years ago, I was acutely aware
>of viruses: Michelangelo, Stoned, etc., etc. I read about 'em in the SF
>Chron regularly. Now I don't see the coverage.

Right. Unfortunately, the virus problem has not gone away...it is just as big (or even bigger) than it was at the peak of the media attention. What caused this is:

1) computer viruses are no longer a novelty......people are aware that they exist, and the fact that a new virus has been discovered is not news any more....I mean, we get 5 new viruses per day right now. A virus striking somewhere is not news either - it was back in '88, but today it is such a common event that for the media to pay any attention it would have to be big...something like Microsoft shipping virus-infected Windows 4.0, or something like that.

2) The "cry wolf!" syndrome....the media totally overreacted to two virus stories that turned out to be mostly non-events, the DataCrime virus and the Michelangelo scare. They are simply afraid they will look like fools once again.

>basically don't work (they crash the system?). Has the success of
>Windows made viruses a non-issue?

No, the viruses spread just as happily as before....the general level of interest has just dropped significantly.
>The thrust of my question, is does the world want/need another AV product,
>even one that's betterfastercheapersmarter?

Well, it has been a long time since a new anti-virus product appeared.... In fact, I don't remember any major new product in the past two years at least, just revisions of old products or old products released under new names, well...maybe a few hardware "solutions". On the other hand, quite a few anti-virus products have been dropped or are no longer marketed actively.....I don't have a complete list of discontinued products...does anybody ?

As for "betterfastercheapersmarter" ... well ... many of the products on the market today are pretty good, fast, cheap and smart :-)

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Fri, 24 Jun 94 12:07:07 -0400
From:    bediger@nugget.rmnug.org (Bruce Ediger)
Subject: Re: GOOD vs. BAD HUH?

id@mist.demon.co.uk (Iolo Davidson) writes:

>Show me a "good virus" that people are clamouring to have on their
>computers for the benefits it brings, and I will concede there is
>interest.

If you define "virus" as Cohen has, then there are "good viruses": compilers written in the computer programming language that the compiler compiles. Lots of people want GCC on their computer. I have it on mine.

It strikes me that the problem boils down to this: a mathematical definition of "virus" is going to include some compilers, some utilities and maybe even some operating systems. How do you separate the mathematical viruses you want (GCC for example) from the ones you don't want?

Sincerely,
Bruce Ediger

------------------------------

Date:    Fri, 24 Jun 94 12:09:17 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Programming in general (not necessarily viruses)

The biggest problem in programming anything for the PC is that there are so many of them in all different shapes and sizes and they keep changing (just found out that Intel is now putting IDs into 486SX-33 chips, before thought this was limited to Pentium/P5/586 chips, but when a checker started reporting an SX as a 33 MHz Pentium, something was obviously wrong). Of course manufacturers have been slipstreaming such things for years, the last real screwy one I ran into was on a Mk 1 IBM PC-AT with a 1984 vintage BIOS (I know). It reacted to Int 10 just a little differently than you would expect and I had to change some of my programs to accommodate it.

As a result, it is really hard to write programs that work on "all" platforms - I suspect this is one reason why Symantec abandoned support of all 8088 machines, might also have something to do with the fact that people with 8088s do not have much money for toys. But then Windoze 3.1 did the same thing. And this is just programs that comply with the Microsoft definition of the PC, heaven help anyone who uses "undocumented" functions or calls. (Well, I do, but I always try to check validity first and provide escape routes.)

By far, the great bulk of the viruses I see (not going to say all, though the Brain is still the best written one I have encountered) show that while a few of the writers may be trying to write "harmless" viruses, they usually fail from a sheer lack of knowledge. In fact most just assume that because it works on their machine at home, it will work anywhere. Nope. Even the virus writing manuals suffer from this. For instance the Boot Viruses listed in the "Little Black Book", despite a publication date in the '90s, only work with DOS 3.x - and not all of them, won't work properly with some Zenith varieties of 3.x either.
Look at all of the viruses that screw up one or more of the common floppy or hard disks as well (and often, even after disinfecting, data remains to screw things up later). MICHELANGELO never heard of a 3 1/2" disk - thought anything not a 360k had to be a 1.2 Mb. S-Bug assumes that the disk BIOS entry is always found in the same place - wrong. Music-Bug carefully set aside sectors to go resident in and then put its code somewhere else.

I hear that the intelligent virus writers quickly find other challenges once they realize just how much work and study is involved. Besides, if they want a real challenge, a really good A-V program is much harder to write.

The only good thing to report is that IMHO the current crop of virus writers are really stretching in trying to find ways to avoid detection. In most cases this just makes them easier to detect. The bad part is that while easy to detect, they are often hard to remove - not from a single file, but from many at once automatically. More and more the best answer is identify/delete/restore from backup.

Warmly,
Padgett

------------------------------

Date:    Fri, 24 Jun 94 12:55:59 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Andy Hon Wai Chu (umchu023@cc.umanitoba.ca) writes:

> It is funny that there is a virus called "Good virus" (Virus -
> Allan Lundell 1989) originally written in West Germany, a virus that won't
> let "unknown" programs run on one's machine. If the programs to be run
> aren't already infected with this virus, they won't be allowed to run at all.
> Sounds like an Anti-virus Virus !!!

I am not familiar with the particular virus you mentioned, but the idea pops up every now and then. There are about half a dozen such viruses in my collection, each of which tries to be an "anti-virus virus" in one way or another. Some notify the user of a possible virus infection if something is found attached to the file *after* the "anti-virus virus".
One of them even attempts to "disinfect" the file! Are they examples of the proverbial "beneficial viruses"? Nope. They all modify other programs without taking the necessary care and often without permission. Several programs stop working after becoming infected with those "anti-virus" viruses. They waste time and disk space, trying to do a job that is better done by a non-replicating program. In short, they are useless and harmful junk. But they *are* viruses (real viruses, I mean) and several scanners detect them as such.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Fri, 24 Jun 94 13:03:22 -0400
From:    "Brian H. Seborg"
Subject: A virus definition...

I have been watching the discussion on what is a computer virus and the attempts to delineate types of computer virus, and I thought it appropriate that we try to agree on some essential elements for this discussion before we go further. In teaching classes on computer viruses at the University of Maryland Baltimore County campus I initially used the definition by Cohen from his article entitled "Computer Viruses: Theory and Experiments," Computers & Security, Vol. 6, No. 1, February 1987, pp. 22-25, in which he puts forth the following definition:

"We define a computer 'virus' as a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."

This was a good definition, and one could even argue that it worked for MBR and boot sector viruses (kind of). However, when I began to see companion viruses and viruses like DIR II, it was obvious that this definition needed some fixing to make sure that it covered these types of viruses.
So I modified Fred's original version for the purpose of my class and came up with the following definition:

"We define a computer 'virus' as a self-replicating program that can 'infect' other programs by modifying them or their environment such that a call to an 'infected' program implies a call to a possibly evolved copy of the 'virus'."
    --Seborg's modification to Cohen's definition :-)

This definition seems to cover viruses like companion viruses as well as DIR II. It also seems to be sufficient to exclude non-virus programs. Non-virus TSRs are not included because they are not self-replicating. Other programs like Format, and some others that some people have at one time argued were virus-like, are also excluded. I had a private discussion with Fridrik Skulason using a close proximity to this definition, and he and I were not able to come up with an exception either in terms of a virus that this definition did not cover, or a non-virus that this definition covered; however, I'm sure that any of you who believe Godel's Incompleteness Theory will put this to the test! :-)

This definition also does not make any value judgements as to the inherent maliciousness or "benign-ness" of viruses, since this is a separate argument (and I think it's clear which side I'm on here!).

What I would propose is that you all think about this definition and see if there is anything else that needs to be added to it to make it complete, or, if it seems 'good enough', then let's use it as a basis to take the next step, which is probably to define virus types. Here I would suggest that we look to biology to see what they have done in this regard, since I see no reason to re-create the wheel (yeah, I know there are already papers on this, so let's reference them). Not being at all conversant with biological standards for classifying viruses, I will have to defer to others out there who have this background.
I also thought that Suzana Stoljakovic-Celustka had a good idea when she suggested using some of the terminology put forth by Leonard M. Adleman (who Fred Cohen credits with coming up with the term 'computer virus') in his paper entitled "An Abstract Theory of Computer Viruses".

One final thought: I had thought that there was still an argument as to whether biological viruses were actually life, so this could have some bearing on future discussions as to whether computer viruses are 'artificial life', especially if there is still debate on whether the biological counterpart is life.

Anyway, hopefully we can get a thread going that keeps this discussion going and we can arrive at some conclusions as a group that we can put under the FAQ, perhaps under the heading: "FAQ Esoteric, or FAQ Philosophical Stuff". :-)

Brian Seborg
bseborg@fdic.gov

------------------------------

Date:    Fri, 24 Jun 94 13:40:24 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Iolo Davidson (id@mist.demon.co.uk) writes:

> Show me a "good virus" that people are clamouring to have on their
> computers for the benefits it brings, and I will concede there is
> interest.

A major mistake of both of the arguing sides is that they refuse to understand what the other side is talking about - refuse to understand that the two sides are talking about *completely* different things.

You (and most others) are thinking about real computer viruses. Then you are asking yourself - can such a thing be beneficial? And the answer is, of course, NEVER!

Dr. Cohen is talking about beneficial programs and then is asking himself - can we increase the beneficial effect by means of some sort of self-replication that does not cause harm? And the answer to this is, surprisingly, yes, sometimes we can.

The only problem is - the two things (your mental model of a "beneficial" virus and his mental model of a beneficial "virus") are very different.
Here is an example of a software package that uses replication to some extent and which is without doubt beneficial. I have given this example several times; maybe it should go in the FAQ.

Consider a company that has about 1,000 PCs, all networked together in a LAN. The company also takes the virus problem seriously, and insists that each and every one of those PCs must be running the latest version of the SuperDuper Scanner before it is allowed to access the network. (Let's ignore for a moment whether the decision to rely on a scanner for virus protection is wise or not.) This is a very reasonable requirement, because scanners tend to get old like nothing else, and a new virus could sneak in undetected by the obsolete scanners and wreak havoc.

So, the person responsible for the network has imposed a requirement: no PC that does not run the latest version of SuperDuper Scan is allowed to log in. That's fine, but how do you achieve that? The simple answer is - by keeping a copy of the (presumably resident) scanner on each of the PCs and regularly updating them. The only problem is - how do you keep 1,000 PCs up-to-date? And keeping them up-to-date with a product, a new version of which is released every month? Heck, if you try to go to each PC (and they are probably in different buildings and some are in obscure locations and used rarely) and update it manually from a floppy - then one month will not be sufficient to update them all - and before you have finished, you'll have to start all over again! A real nightmare...

The obvious alternative is to keep one copy of the anti-virus package on the server and update the PCs from there. (Of course, it is presumed that you have a site license, but any company with 1,000 PCs that is using a particular anti-virus product has also probably been careful enough to get a site license.) However, if you go to each PC and manually download the new version from the server, then the situation has not improved very much.
One option is to tell the users to do it regularly, and even set up some sort of automatic system that sends them automatic reminders each time the software on the server is updated. However, users tend to be lazy and automatic messages tend to be automatically ignored... :-)

But there is an alternative! Design the anti-virus package like a network virus (a worm actually). One segment of the worm constantly monitors the logins. Each time a workstation attempts to log in, that segment automatically questions that station whether it is running the anti-virus product and which version of it. If it turns out that a newer version is available, the segment informs the user about this, and proposes to update the local version. If the user refuses, then access to the network is denied. If the user accepts, another segment of the worm fetches the relevant (updated) parts of the package from the server, uploads them to the workstation, and reboots the latter, in order to make sure that the changes will take effect. Of course, the user is kept informed about this and user permission is requested each time.

Now comes the best part. The "worm" - the set of programs that are responsible for the automatic distribution of the software - actually comes as part of it. They are part of the anti-virus software, and they are used to copy parts of the anti-virus software across the network, in an automated way. That is, to some extent, the package is a virus (worm), because it is able to replicate (parts of) itself.

Are there any ethical problems? I don't see any. The owner of the network has the full right to decide what the policy of admitting workstations to log in will be. The user has the alternative not to comply - and not to use the network.

Of course, in a well-implemented (read: secure) package, the different parts of the virus will use cryptographic means to authenticate each other.
That is, it will be impossible for the user to lie that "yeah, the newest version of the software is already running", and it will be impossible for a rogue program to lie "hi, I'm the automatic distribution service; lemme "update" your anti-virus package". In most of the existing implementations the packages do not go to such trouble, but in the future they probably will - because this is the way to go. Of course, there will be some other goodies, like making sure that the different "worms" of this kind do not conflict with each other and so on, but this is not so important for our discussion.

In fact, it is extremely easy to implement a primitive version of what I described above. A simple set of command lines inserted in the system login script and a couple of external programs will do the job. And there are already several anti-virus packages which do use this approach - CPAV, Untouchable, Dr. Solomon's Anti-Virus ToolKit (I think; not sure about it), and so on.

Now, consider the above for a moment. Is it a virus? Is it a beneficial virus?

"Of course not!", you and probably many others will say. "It is a legitimate program, installed by legitimate people, doing useful stuff and modifying only what it should." Yes, it is not really a virus. It is not a *real* virus.

"Of course yes!", Dr. Fred Cohen will say. "It conforms to my definition. It is able to replicate (parts of) itself under certain conditions. Therefore, it is a virus. It does some useful job. Therefore, it is a beneficial virus."

Do you see where the problem is now? The two sides are talking about two different things. You, me, and almost anybody else is talking about real viruses, which can *never* be beneficial. Dr. Fred Cohen is talking about beneficial programs which can replicate themselves under certain conditions. Of course they can exist, they do exist, they can (and should) be used. They conform to his definition of the term "computer virus". But they are not real computer viruses.
There is nothing wrong in what Dr. Cohen is talking about. It can be useful and definitely some research should be done in that direction. My only problem with Dr. Cohen is that he doesn't bother to explain to the general public that what he is talking about is *different* from what they are calling computer viruses, and that what they are calling computer viruses is a definitely bad thing, and the irresponsible people who are creating them should be pursued and put in jail as soon as one of their creations "escapes" (or is released) and finds its way to some place where it is unwanted. Maybe he thinks that those things are "obvious" - but it is not obvious to the general public that his opinions are like that, and many are intentionally misusing his words to condone their unethical and often illegal activities.

Regards,
Vesselin

------------------------------

Date:    Fri, 24 Jun 94 14:07:22 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Anonymous FTP Site Distributing Viruses?

Rick Schott (RSCHOTT@CMS.CC.WAYNE.EDU) writes:

> One of our system programmers saw and heard part of a news article on
> the Detroit NBC TV affiliate last night (Th 06/02/94, 6 pm), about an
> anonymous FTP site that has virus samples. Unfortunately, he didn't
> get any further details. Does anyone have any details about this?

Yes, unfortunately such things happen every now and then. We are trying as well as we can to have such sites closed down and/or the viruses removed from public distribution, but it is not easy and new ones keep popping up. :-( The American "freedom of speech" is often misused to condone such activities.
Regards,
Vesselin

------------------------------

Date:    Fri, 24 Jun 94 14:14:18 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "New" Virus found? (PC)

Keith Gordon Bullington (bullingt@sfu.ca) writes:

> I've come across a .COM infecting virus that fails to be caught by
> SCAN v2.01, TBScan or F-Prot 2.12. This virus infected my system quite

[snip]

> Contains the text strings: "Dr. White - Sweden 1994.3" and
> "Junkie Virus - written in
> Malmo"

This is the Junkie virus - a relatively new one, but definitely in the wild. Get F-Prot 2.12c - it is able to detect and disinfect this virus.

> (B.T.W. VPCScan flagged it as a "PS_MPC-23" infection, if that means
> anything to you...)

It does, but VPCScan is wrong - this virus is not a PS-MPC variant.

Regards,
Vesselin

------------------------------

Date:    Fri, 24 Jun 94 14:15:51 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Natas Virus Test

Luca Sambucci (93647758S@sgcl1.unisg.ch) writes:

> > NATAS VIRUS TEST
> > Copyright (C) 1994 Luca Sambucci
> > All rights reserved.
> > Italian Computer Antivirus Research Organization

The English version of this test, as well as the English version of a general scanner test by Luca, is available from our ftp site. We are currently working on making the Italian versions also available in a single package.
Future documents issued by I.C.A.R.O will also be available from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/tests/icaro

The previous contents of the .../tests directory have been moved to ../tests/vtc.

Please note that I.C.A.R.O. is *NOT* related to CARO in any way (except that they are also "good guys fighting viruses" as the CARO members are), regardless of the similarities of the two abbreviations.

Regards,
Vesselin

------------------------------

Date:    Fri, 24 Jun 94 14:23:41 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses = Commercial Opportunity?

TLUTEN@DELPHI.COM (tluten@news.delphi.com) writes:

> I may have an opportunity to do some work with a start-up that wants to
> market a new(ly available in the US) anti-virus package. The thing that

Do they want to market an already developed package or do they intend to start developing a new one? In this industry it is almost impossible for a newcomer to come up with a good software product - even the big companies prefer to acquire already established products and then sell them.

There are several kinds of anti-virus software, but even those that do not depend on known-virus detection must be installed on a virus-free system, and currently the only way to determine whether a system is virus-free is to use a scanner. Therefore, a good anti-virus product must contain a good scanner. Now, let's suppose that your product consists of a scanner alone, and you are about to enter the anti-virus business, with no prior experience in the field. Currently there are about 4,500 known viruses and on average 2,000 new ones are produced every year.
Let's suppose that it takes you on average one hour to analyse a virus and modify your scanner in a way to be able to handle the virus properly. This means that you must spend 563 man-days only to be able to handle the currently known viruses. This is more than two years - and in those two years another 4,000 viruses (at least) will appear. And don't forget that some viruses are more "difficult" than others, and that it might take you months before you can come up with a method to handle them. And you'll also have to work on the general design and the user interface of your product, and on its documentation, and on its marketing, and on running a business in general, and...

Do you see now why this is not for newcomers? Only a company with a lot of experience and an already established product in the field will be able to keep up with the game.

> puzzles me about the market is that a few years ago, I was acutely aware
> of viruses: Michelangelo, Stoned, etc., etc. I read about 'em in the SF
> Chron regularly. Now I don't see the coverage.

Is Dr. Cohen or that guy from Australia around? Are they reading this? Yes, most people learn about computer viruses from their favorite newspaper and not from some mathematical journal.

To answer the original poster's question - yes, the media seems to have cooled off a bit and computer viruses are not headline news any more (although from time to time some journo out there tries the old trick...).

> But has the environment too?

Yes, it has. There are more nasties, more nasty nasties, and more often encountered nasties. They are just not news any more - people are becoming used to them. After all, they are not a big deal - just a costly annoyance.

> I read that Windows viruses
> basically don't work (they crash the system?). Has the success of
> Windows made viruses a non-issue?

Not really. There are only three known Windoze-specific viruses and at least one of them works very well.
It is true that most boot sector viruses make Windoze unable to run in 32BitAccess mode, and it is true that often Windoze applications infected by regular file viruses refuse to run properly, but nevertheless there are still enough viruses that run very well in a Windoze environment (in a DOS session). > I read that three dozen viruses do all > the damage (Jerusalem, Dark Avenger, etc. etc.) The number is about ten times higher, but you are basically right - compared to the huge number of known viruses (about 4,500), the number of viruses that are actually in the wild (about 200) is ridiculously small. > Has the world gotten > used to that? To some extent - yes. After all, the common flu does not make headline news each time somebody gets infected by it... > Three years ago when Michaelangelo's birthday was nigh, I > bought Flu-Shot and Norton AV. That hasn't been very wise from your part, because Flu-Shot wouldn't protect you from a boot sector virus like Michelangelo, and NAV is one of the worse anti-virus products around. > Haven't had problems since. Consider yourself lucky. You will have problems - sooner or later. Not big problems - the world will not come to an end - but problems that are annoying enough. > The thrust of my question, is does the world want/need another AV product, > even one that's betterfastercheapersmarter? I am not a good businessman (otherwise I wouldn't be working 14 hours a day on a half-time job ), but I happen to know quite a lot about viruses and anti-virus programs. Most of the widely used anti-virus programs are horribly bad. There are a few that are reasonably good and even excellent, but for some reasons the companies producing them are not the ones with lotsa money for their marketing departments. :-( Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. 
> Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 14:47:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The underground and 'good' viruses

Ian Douglas (iandoug@cybernet.za) writes:

> We are having a similar discussion in the FidoNet echoes. The
> Underground is doing its best to persuade us that
> 1) good viruses can exist ('cos Fred Cohen says so)

They can - but what Fred Cohen calls viruses and what you/me/they are
calling viruses are different things.

> 2) these viruses can actually do useful, beneficial things

They can - but you probably won't call them viruses.

> 3) research into these viruses is a Good Thing, and actually nothing but
> research into Artificial Intelligence (wow!).

It is - but this is not what the underground is doing.

> However they have not clearly defined exactly what they mean by 'good'
> virus. The definition is also very flexible, and changes shape when
> objections against it are raised.

Yep, it's all a problem of (incompatible) definitions...

> They usually talk about some small program, limited to one machine (or
> network) only, that goes around deleting .bak files older than a month;
> or other similar tasks.

Dr. Cohen gives similar examples in some of his papers. Unfortunately, I
do not find them convincing, for reasons similar to yours - their task
can be done better and more reliably by a non-replicating program. There
*are* tasks for which using self-replicating means is more effective (see
the example that I just posted in a reply to Iolo Davidson), but this is
not one of them. And neither is the "compression virus" and a few other
of Dr. Cohen's examples.

> Of course they are not shy about dragging Fred's name in when it helps
> them either..

Yep, that's my main problem with him.
He is not careful enough to express himself in a way that is clear and
difficult to misunderstand and/or misuse.

> Which brings us back to the question of What Is A Virus. While I
> understand Fred's definitions (ok, not the maths one, have not seen it
> yet), a boot disk with diskcopy on is not the sort of thing that is
> causing problems in the world right now.

Exactly. It is not a *real* virus. :-)

> So I propose a slight modification to the working definition of a virus
> being a program that can replicate in the right environment:
> A virus is a program that can replicate in the right environment, and
> that alters the 'normal', 'expected' flow of execution to ensure that a
> copy of itself gets executed.

No, that's too general too, like Dr. Cohen's definition. There can be
useful programs that conform to your definition and this will again cause
confusion. I would propose that you include something to the effect that
the real viruses do the above in an unauthorized way, and/or that they
cause unwanted interruptions.

Regards,
Vesselin

P.S. Your other article about the impossibility of beneficial viruses was
excellent, BTW. It had a few technical mistakes, but they were too minor
and not worth mentioning. However, it generally missed the point - what
you prove to be impossible is not what Dr. Cohen is talking about when he
mentions beneficial viruses.

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 15:10:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fred Cohen and computer viruses

CELUSTP@cslab.felk.cvut.cz (CELUSTP@cslab.felk.cvut.cz) writes:

> S: 1. Who are "we"?
> VB: We, the users. We, the anti-virus researchers.
> We = users; We = anti-virus researchers; => users = anti-virus
> researchers
> Is that true?

Of course not, who taught you logic? It only means that there exists an
intersection between the two sets. That is, some people are both users
and anti-virus researchers and the speaker is one of them.

> For valid statistics one should compare the sample of randomly chosen
> viral programs with the sample of randomly chosen non-viral programs.
> The programs in both examined groups should be of similar length, i.e.
> if viruses are 200-4000 bytes long, the length of non-viral programs
> should vary within those limits too. After the bugs in every group are
> counted and the same statistical analysis is performed for every group,
> the obtained results can be compared.

However, this is unrealistic, because computer viruses are usually short
programs and commercial packages are usually big programs. That's exactly
why I introduced the "bugs per byte" concept, as opposed to "number of
bugs in a program".

> VB: In that definition Vesselin Bontchev was trying to make sense from a
> VB: scientific point of view. Dr. Cohen's definition also makes sense
> VB: from a scientific point of view. However, the average user doesn't
> VB: give a dime for the scientific point of view and stands on practical
> VB: reasoning.
> Scientific point of view is not good for practical reasoning?

There is certainly something wrong with your way of logical reasoning.
The above only means that some theoretical scientific concepts do not
have immediate practical applications and are therefore useless for this
purpose. This does not mean that they are not useful for other
(theoretical) purposes. What I am saying is that Dr. Cohen's definition
of the term "computer virus" is one of those things.

> Let's denote computer virus with A and reproduction with B. Then we can
> say: A has feature B.

[snip]

> If we denote real virus with C and "sneaking around...etc." with D, then
> we can say: C has feature D.
> Comparing B with D it is obvious that B is not equal D (assuming that
> words used follow the logic of natural language).

It is, however, not obvious at all that one cannot include the other - it
is only obvious that they are not equivalent.

> If B is not equal D, it implies that comparing A and C, A is not equal
> C, because the "operation" - "has feature" is the same between A and B,
> and C and D.

You mean, if 2 != 3 and 2 != 5 and since 3 is not equal to 5, then 2 !=
2, because the "operation" - "!=" is the same between 2 and 3 and 2 and
5? Hmm, interesting way of reasoning... :-)

But what I am saying actually is: Dr. Cohen's "computer viruses" are not
what we are calling "real computer viruses" - they are a broader term,
which includes both "real computer viruses" and "some useful
self-replicating programs" - two completely incompatible sets. I am also
saying that Dr. Cohen's definition/understanding of the term is too broad
to be of any practical use. Note that I am not saying that it is useless
- it is in fact quite useful to prove some important theorems.

> VB: Performing experiments is a completely different thing. I also have
> VB: about 4,300 viruses on my machine, but wouldn't like to run even a
> VB: single one while I am using the machine for normal work. So, let me
> VB: ask again - would you want a virus running on the computer you are
> VB: using every day for work unrelated to virus experiments?
> Yes, the benevolent one(s).

Well, since none of them are benevolent ones, this boils down to "no, I
don't want to run any of them on my computer". Thanks, this is what I
wanted to hear.

> VB: That's why I (Dr. Solomon, actually) proposed this term.
> Vesselin Bontchev = Dr. Solomon?

Another case of weird logic - what's up with you? I proposed this term in
this forum. Dr. Solomon was the first to coin the term and he has a
publication about this in "Computers & Security". Is it so difficult to
grasp?

> Why does Dr. Solomon not speak for himself?

Dr.
Solomon does not read this forum. Or at least does not participate. :-)

> S: The understanding requires sometimes particular knowledge of
> S: mathematics.
> VB: The general public doesn't have one, which is why they don't
> VB: understand him.
> What is "general public"?

The billions that learn about the things outside their field of
specialization from the media.

> If the word "general" denotes the diversity in education of people
> meeting viruses in this or that way, then it is reasonable to think
> that some of them will have some knowledge of mathematics.

Some undoubtedly do. A very minor part. Some of those who have one do not
have a knowledge of the particular part of mathematics needed to
understand Dr. Cohen's papers. (Mathematics is a wide field, you know...
and the mathematicians are a strange group.) Some of those who *can*
understand them might have never heard about them or even about computer
viruses (oh my!), or may never make the connection between the nasty
program that has erased their hard disk and Dr. Cohen's elegant mental
constructs.

> Besides, to understand Fred Cohen's work one needs some knowledge of
> theory of sets and basics of mathematical logic. I think that

Yep, you see, it becomes even more difficult.

> VB: I am tempted to quote the FAQ of a sceptics' newsgroup: Yes, they
> VB: laughed at Galileo, and they laughed at Einstein - but they also
> VB: laughed at Coco the clown.
> Was Coco the clown talking about the general theory of relativity or
> was Einstein making funny tricks?

Yeah, sort of....

> Anyway, I agree with Fred Cohen's proposal about discerning between
> benign and malign viruses.

I don't. I think that the difference is so big, that we must use
completely different terms. Even "computer viruses" and "real computer
viruses" is not good enough. How about "agents" and "real computer
viruses"?

> In fact there is an article, An Abstract Theory of Computer Viruses by
> Leonard M.
> Adleman, which introduces more differentiated notation. He derives from
> basic mathematical definitions the following features of virus: "is
> pathogenic", "is contagious", "is benignant", "is a Trojan horse", "is
> a carrier", "is virulent". According to these features there are four
> types of viruses: "benign", "Epeian", "disseminating" and "malicious".

Ah, so you've read it? Why did you ask me to mail it to you then? OK, it
doesn't really matter... But have you really understood it? I haven't -
and several other serious researchers I have asked have admitted that
they don't understand it either. Until I met Prof. Harold Highland at a
conference in Curacao a few weeks ago - and he told me that, according to
Len Adleman himself, this article has been some kind of elaborate joke on
the part of Prof. Adleman. He wanted to prove that one can publish any
kind of rubbish in a serious source, if a famous name is attached to that
rubbish. A very naughty joke on the anti-virus research community, I must
say... :-( I've spent lots of time pondering on that paper...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 17 Jun 94 04:16:08 +0200
From: Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: VTECH 4.0 (PC)

Hello,

Virus attention message dated June 17 1994.
==========================================

The Vtech 4.0 virus is spreading through Holland by Bulletin Board
systems. It was found in game areas on BBS's in a file called
GT3-324.ZIP. Delete this file immediately when found on your system. We
received several messages from bulletin boards that went down on this
one.
The only av-product that will detect this virus is AVP in heuristic scan
mode. For this reason we made a little disinfector, which is included in
this file, called K-VTECH.EXE. The disinfector K-VTECH.EXE can deal with
this virus, but has its limitations as the virus can't always be repaired
100%, due to the fact that a few bytes will be added to the infected
files. Self-checking files will have big problems in that case, as their
file size is either decreased or increased. Just replace them with the
original software.

Samples will be sent out to the av-developers.

You can download (+31703836044) or freq the disinfector (freq's are
accepted from all systems).

Sincerely,

Rob Vlaardingerbroek

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland LAB (9:3110/0)

------------------------------

Date: Sat, 18 Jun 94 13:31:07 +0200
From: Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: New virus - Junkie (PC)

Hello,

From Belgium and The Netherlands we received several reports concerning
a new virus, which in the end is called the Junkie virus.

Description of the virus :

The Junkie virus is written by a person calling himself Dr White, living
in Malmo. It is a memory resident .COM, boot sector and master boot
record infector, that infects its host on file-open and execute commands.
It spreads very fast. It will infect boot sector and master boot record
when they are accessed. It will replace the first 4 bytes of a .COM file
with a jump to the main virus body. The main virus body is encrypted with
a simple word XOR routine. Resident monitoring programs like TBFILE and
VSAFE won't intercept the write commands, because the virus uses the DOS
internal file structures (System File Table) to infect the file. VSAFE,
the resident monitoring routine of Central Point, will be pulled out of
memory.
The virus doesn't contain damaging routines, but some .COM files that use
self-checking may be damaged, as the virus adds 0-15 bytes of garbage at
the end of the file, in front of the virus, to round the file length up
to a file length divisible by 16.

The virus body that is loaded from the bootsector is located on disks on
the last 2 sectors of the disk, and on the harddisk at cylinder 0, head
0, sector 4.

The following text can be found inside the encrypted body of the virus:

  DrW
  Dr White - Sweden 1994
  Junkie Virus - Written in Malmo

A disinfector is placed on our BBS (+31703857867), you can freq it as
K-JUNKIE.ZIP

Regards,

Rob Vlaardingerbroek.

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland LAB (9:3110/0)

------------------------------

Date: Fri, 24 Jun 94 09:49:25 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Anonymous FTP Site Distributing Viruses?

RSCHOTT@CMS.CC.WAYNE.EDU (Rick Schott) writes:

>One of our system programmers saw and heard part of a news article on
>the Detroit NBC TV affiliate last night (Th 06/02/94, 6 pm), about an
>anonymous FTP site that has virus samples.

There are quite a few sites on the Internet that offer viruses to
anybody interested. This includes some major public access sites as well
as virus writing organizations. Currently most of those sites seem to be
in USA/Canada. The sites generally offer nothing that is not available on
the VxBBSes, but may be easier to access for overseas users, as making an
international phone call to a BBS would be slower and more expensive than
just FTPing the viruses.

One side note on the "export" from Canada.... It is illegal to export
custom-written anti-virus software from Canada, but viruses may be
exported freely... strange, isn't it ?
- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Fri, 24 Jun 94 11:33:16 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Why so many Leprosy viruses? (PC)

pcm2@netcom.com (Neil McAllister) writes:

>I was recently reading the large virus summary in Hypertext form put
>out by Patricia Hoffman (I think that's right) and I noticed a rather
>extensive "family history" listing for the Leprosy virus.

That "history" is so utterly incorrect that you should just ignore it.
What Patty got correct is that a large number of variants exists.....

>I was wondering, for a virus that is so easy to defeat, and which does
>so little to corrupt systems, why are there so many variants on this
>program?

Quite simple... the source to various Leprosy viruses (both the C and
the assembly-based ones) is easily available...... the virus is simple,
easy to understand, and easy for somebody with a minimal understanding of
programming to modify, so that it is not detected with the most common
virus scanners.

- -frisk

------------------------------

Date: Fri, 24 Jun 94 12:02:18 -0400
From: cacs16@vaxa.strath.ac.uk
Subject: Need info on "WONDER" virus (PC)

Hi

Does anybody know anything about the "WONDER" virus. The virus detection
on my PC says that the exe created by the C compiler is infected, but
when I try to detect the virus on the hard disk the software doesn't find
it. So the virus program warns me that it is the "WONDER" virus. However
the software doesn't seem to find the actual virus. Does that make any
sense?

Ideas/help appreciated.

Thanks.

Mark

{ Mark Davison, Physics & Applied Physics, University of Strathclyde }

of the virus & says that it's detecting activity of the "WONDER" virus.
------------------------------

Date: Fri, 24 Jun 94 12:05:28 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Nope. When the Michelangelo virus activates, it overwrites the first
>17 sectors on heads 0-3 on the first 256 tracks of the disk it has
>been booted from.

Eh, I admit I was wrong, but you are not right either :-) It overwrites
the first 256 tracks, heads 0-3, of the disk you boot from, but the
number of sectors is variable, depending on the media..... Anyhow, I
have corrected my technical note...

- -frisk

------------------------------

Date: Fri, 24 Jun 94 12:54:10 -0400
From: umchu023@cc.umanitoba.ca (Andy Hon Wai Chu)
Subject: Re: What is name of Newest F-Prot? (PC)

rniess@whale.st.usm.edu (Rick Niess) writes:

>Hi All,
> Ok, for weeks now my copy of VIRSTOP has been screaming about being
>outdated, but after several uneventful archies as well as several
>questionings of friends, I have been unable to locate the latest version
>of the F-PROT package. Could someone PLEASE clue me in as to where to get
>it from (FTP site, would be nice)? Thanx...

The newest version of F-Prot is 2.12c, you can find it on complex.is and
other major archive sites. Go get it now!

- --
Andy Hon Wai Chu
email: umchu023@ccu.umanitoba.ca
from: University of Manitoba, Canada

------------------------------

Date: Fri, 24 Jun 94 12:57:46 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: New virus (Trashed?) in Ann Arbor Mi? (PC)

Johnny Yuma (rebel@engin.umich.edu) wrote:
: Has anyone heard anything about the new(?) virus found in Ann Arbor? I
: saw some overly hyped piece about it on the news, claiming that 'No Virus
: Scanners can detect it'..'and in fact, could spread it farther'. Has
: anyone heard anything? Or even touched a live copy? I would love to hear
: more about this virus. I believe they called it the 'Trashed' virus.
: I'm kinda bummed, that since it was found in Ann Arbor, (according to the
: News people here... go figure), that it wasn't named after Ann Arbor...
: Oh well, can't have everything I guess. =)
: Rebel
: - --
: Everyone should know of all information that others have deemed unfit
: for public knowledge. -Author Unknown
: rebel@engin.umich.edu -- Rebel without a clue -- Finger for PGP Key
: Key fingerprint = 6E AF E6 6D E3 2E 87 40 CA 54 64 D3 B7 1A D0 3E

Indeed, the press release on this virus was totally over-hyped. This is a
rather simple virus that uses very mild polymorphic techniques [if one
wants to actually say it's polymorphic]. It is multi-partite [infects
both boot and files], and uses encryption. This virus is easily detected.
If you have Viruscan, version 1xx, you may use the /ext option to include
the detection string for this virus. Place the following in a text file:

    "26 81 34 ?? 46 46 e2 f7" warning, found Junkie virus

Then, if you named the file junkie.txt, the syntax would be:

    scan c: /ext junkie.txt

Version 117 will detect this virus, as well as 2.10 of scan. We have only
three reports of this virus, none from the U.S.

Lucas
McAfee Tech Supt

------------------------------

Date: Fri, 24 Jun 94 13:01:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey Virus (PC)

virusbtn@vax.oxford.ac.uk (virusbtn@vax.oxford.ac.uk) writes:

> I posted a way to get rid of most Master Boot Sector infectors here a
> couple of months ago. If anyone wants it, I'll post it to them.

I don't recall it, but I hope it is not the generic "run FDISK/MBR"
approach - because this will not work against Monkey (and against a
dozen other viruses) and will screw up the disk contents instead.

> Remember, there are very few common viruses which require you to
> low-level format your hard drive,

*NO* viruses require you to low-level format your hard drive. Ever.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 12:59:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thunderbyte Antivirus (PC)

Craig (tracker@netcom.com) writes:

> Vesselin Bontchev of Germany holds it in very high regard in his
> testing, right up there with F-Prot. It certainly stomps all over
> Norton, definitely McAfee, and even CPAV.

Uhm, I wouldn't put it this way... How about this: "It certainly stomps
all over CPAV, definitely Norton, and even McAfee."? This reflects better
the relative "quality" of the other three products. :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 13:42:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: info on 2 viruses (PC)

sa1737976@v9001.ntu.ac.sg (sa1737976@v9001.ntu.ac.sg) writes:

> i need some info on what McAfee's scan identified as NewBug and NiceDay
> viruses. thunder-byte anti-virus identified both of them as anti-exe.
> the problem is that i can't find any of these entries in vsum !! the
> NiceDay sample that i have doesn't seem to infect another diskette.
> does it have an internal timer ? or what r its infection criteria ?
McAfee's SCAN reports (never use the word "identify" with SCAN, unless it
is preceded by "doesn't" - it doesn't perform exact identification of any
viruses) as NewBug [Genb] the two known variants of AntiEXE - .A and .B.
TbScan reports both of them as Anti-Exe. The only sample in my collection
that SCAN reports as "NiceDay [Genb]" is the Stoned.YMP virus - which
TbScan does not detect at all, unless its heuristics are switched into
"paranoid mode" and then it reports it as "unknown virus". So, I am
afraid that I am unable to determine what you are talking about.

The AntiEXE virus is a rather simplistic MBR infector, stealth virus,
which looks for EXE files with a particular structure of the header and
does not allow them to run. A more detailed description is available as
a CARObase entry from our anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/carobase/carobase.zip

> and where can i get a copy of f-prot ? seems like quite a lot of ppl r
> talking

For instance, from oak.oakland.edu:/SimTel/msdos/virus/fp-212c.zip.

> abt it and using it. i can accept uuencoded stuff :). thanx !!

You seem to be implying that you do not have ftp access. If this is the
case, I would advise you to learn how to use an ftp-by-email service.
Send mail to ftpmail@doc.ic.ac.uk, consisting of the single word "help",
in order to get more information.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 13:43:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: antivirus products (PC)

Fridrik Skulason (frisk@complex.is) writes:

> >F-Check - a program from an obsolete version of the package F-Prot.
> Uh, Vess, did you get a heat stroke or something in the Caribbean ? :-)
> F-CHECK is in fact the major difference between the shareware F-PROT and
> the (regular commercial) F-PROT Pro ... it is an integrity checker with
> generic disinfection.

Oooppsss! :-( My memory is fading away... As Mikko correctly noticed, I
have confused F-Check with F-[FS]Check from F-Prot 1.x.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 13:45:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: antivirus products (PC)

Craig (tracker@netcom.com) writes:

> Untouchable is no longer made. I called and asked Symantec about it.

Symantec never used to make it - and neither did Fifth Generation
Systems. They only used to sell it. The program is made by BRM
Technologies in Israel, they are still alive and kicking, and will
without doubt find a new distributor - one which is not so shortsighted.
In fact, I am involved in preliminary tests of the new version of their
scanning engine - and it is awesome! :-)

> If Symantec still made it or even incorporated the integrity checking
> part of it into the next major version of NAV, they'd make mucho sales.

NAV could use a lot of improvements and learn from Untouchable's scanner
too...

> I sure hope Jimmy Kuo of Symantec reads this and influences Symantec to
> follow through on this.

He does, but I am not sure that such decisions depend on him. You see,
the bad thing with the big anti-virus companies is that often even the
few competent anti-virus researchers in them are overwhelmed by the
internal bureaucracy. :-(

> Hopefully some US company will come to the rescue.

I hope that too.
Meanwhile it is still available in Europe - it is usually sold under the
name V-Analyst 3 by different local companies, but I don't know whether
English versions are available.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 14:05:33 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshi virus - False alarm? (PC)

Geoff Besko (gbesko@bldgeduc.lan1.umanitoba.ca) writes:

> When I scan a machine on my network with the Microsoft Anti-Virus
> utility, that came with MS-DOS 6.1, it says that the machine has the
> Joshi virus. However, when I check the same machine with the newest
> (v2.12) of F-Prot it doesn't register any viruses at all.

F-Prot is able to correctly detect and identify two of the three known
Joshi variants. Either you have the third variant, or a completely
different virus, or it is some kind of false positive - but the quality
of MSAV is so low, that I am unable to determine what it is in your case.

> Has anyone heard about problems with the reliability of the MS Antivirus
> program?

Yep, it has one big problem - it is unreliable. :-) Well, it has several
other problems too.

> I will probably try another program to see if it finds anything but I
> was wondering if anyone has had any similar experiences? Any help would
> be much appreciated!

Try McAfee's SCAN. If it says "Joshi" (and having in mind that F-Prot
didn't detect anything), then it is probably Joshi.C. If it says
something different or nothing at all - I don't know.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 14:10:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What is name of Newest F-Prot? (PC)

Rick Niess (rniess@whale.st.usm.edu) writes:

> Ok, for weeks now my copy of VIRSTOP has been screaming about being
> outdated,

Try using the /OLD switch. Try also reading the documentation. :-)

> Could someone PLEASE clue me in as to where to get it from (FTP site,
> would be nice)? Thanx...

oak.oakland.edu:/SimTel/msdos/virus/fp-212c.zip

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 14:12:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Why so many Leprosy viruses? (PC)

Neil McAllister (pcm2@netcom.com) writes:

> I was recently reading the large virus summary in Hypertext form put
> out by Patricia Hoffman (I think that's right) and I noticed a rather
> extensive "family history" listing for the Leprosy virus. I was

Take anything you read in Patricia Hoffman's VSUM with a large grain of
salt. It's more like a truck of salt, actually. VSUM is the biggest piece
of disinformation, incorrect, incomplete, and plain wrong things about
computer viruses ever put together.

> wondering, for a virus that is so easy to defeat, and which does so
> little to corrupt systems, why are there so many variants on this
> program?
"So little to corrupt systems"? I wouldn't say this about an overwriting virus - it is *impossible* to disinfect the programs infected by it - you'll have to restore them from a clean backup. Of course, a virus with such an infection technique (and a non-resident one on the top of that) cannot go any far. Why there are so many variants? Well, it's source has been published widely on the virus exchange BBSes. Besides, are there really that many variants? I have 36 different ones in my collection. Compare this with the 168 known variants of Jerusalem and the 165 known variants of Vienna - two other viruses that are rather old and whose source has been widely distributed and even published in books. > I've never heard of a significant infection caused > by it. You never will. A virus that is that stupid is just unable to spread widely. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 24 Jun 94 14:17:23 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Possible D-Day Virus? (PC) John Goodrich (c23jrg@kocrsv01.delcoelect.com) writes: > Does anyone out there know of any viruses that trigger on D-day, > similar in nature to the much-heralded Michelangelo virus of a couple > years ago? Yes, there are. Plenty of viruses cause their damage EVERY DAY. It is futile to expect that computer viruses activate only on certain dates. > My PC keyboard locks up in Windows only since this > morning, and the date seems like it could be more than a coincidence. I strongly doubt that it is caused by a virus. BTW, you could do one simple experiment yourself - change the date of your computer to some previous date and see what happens. 
Regards, Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Fri, 24 Jun 94 15:08:39 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: New virus (Trashed?) in Ann Arbor Mi? (PC)

> I'm kinda bummed, that since it was found in Ann Arbor, (according to the
> News people here... go figure), that it wasn't named after Ann Arbor...
> Oh well, can't have everything I guess. =)

It is against the EICAR conventions to name viruses after place names.
It is also silly to name them for the place they are found, as different
researchers find their samples in different places. Thus Stoned has
been called New Zealand, Australian, Hawaii, San Diego, and Smithsonian
among other names.

News people, including the computer press, are not good sources of
information about viruses. In fact, I have never known a news story
about something I knew about firsthand to be accurate. I extrapolate
from that to the belief that they aren't accurate about the things I
don't know about first hand either.

- --
ARE YOU THE TIME    AN EVEN-TEMPERED GUY    BETTER TRY MAD ALL    Burma Shave

------------------------------

Date:    Fri, 24 Jun 94 19:00:08 -0400
From:    elis@teleport.com (Eli Shapira)
Subject: Re: MtE Virus info wanted (PC)

Very likely that it is a false alarm. Norton v2.1 had a few of them.....

Eli

>From: "Jeff E. Lewis"
>Subject: MtE Virus info wanted (PC)
>Date: Tue, 21 Jun 1994 10:23:12 EDT
>
>I would appreciate information on "MtE" which I "found" on my
>machine with Norton Antivirus 2.1. This was NOT indicated by
>
>cpav (1991?)
>microsoft anti-virus (1993)
>mcafee scan 106
>mcafee scan 108
>
>but there was no doubt that something was present since scandisk
>recovered 90 mb of hard disk space 11 days after I started using
>the indicated infected program.
>
>Thanks,
>Jeff E. Lewis

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 48]
*****************************************
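Editor's added illustration (not part of the digest, and not code from VIRUS-L or from any real virus) for Vesselin Bontchev's point in the "Why so many Leprosy viruses?" thread above: an overwriting infector destroys the bytes it lands on, so a scanner or integrity checker can flag the file but nothing on disk can repair it, whereas a prepending infector leaves the host intact and can be stripped off. The "host program" and the two 16-byte "virus bodies" are constructed byte strings; the overwriter is modelled generically as replacing the start of the file and makes no claim about any specific Leprosy variant's layout.

```python
"""Toy model of overwriting vs. prepending file infectors (constructed data)."""
import hashlib

# Constructed sample data, not real virus code: a fake 100-byte host program
# with a recognisable header, and two 16-byte "virus bodies".
HOST = b"MZ\x90\x00" + b"legitimate program code " * 4
OVERWRITER = b"OVW!" + b"\xcc" * 12
PREPENDER = b"PRE!" + b"\x90" * 12


def sha256(data: bytes) -> str:
    """Hash used by the integrity check below."""
    return hashlib.sha256(data).hexdigest()


def infect_overwriting(host: bytes, body: bytes) -> bytes:
    """Overwriting infector: the body replaces the start of the host.
    If the body fits, the file length does not change, so a length check
    will not notice; the host's header and entry code are destroyed."""
    return body + host[len(body):]


def infect_prepending(host: bytes, body: bytes) -> bytes:
    """Prepending infector: the body is placed in front of the intact host
    (a real prepender would pass control to the host afterwards)."""
    return body + host


def disinfect_prepending(infected: bytes, body_len: int) -> bytes:
    """Removing a prepender is an exact inverse: cut off the body."""
    return infected[body_len:]


def strip_overwriter(infected: bytes, body_len: int) -> bytes:
    """The best a cleaner can do with an overwriter: cut off the body.
    What is left is only the tail of the host; the first body_len bytes
    of the original exist nowhere in the infected file, so this is not a
    repair."""
    return infected[body_len:]


def integrity_ok(clean_hash: str, candidate: bytes) -> bool:
    """An integrity checker compares a stored hash of the clean file with
    the file as it is now; this detects both infection types."""
    return sha256(candidate) == clean_hash


def demo() -> dict:
    """Run both infections and report what is detectable and recoverable."""
    clean_hash = sha256(HOST)
    r = {}

    p = infect_prepending(HOST, PREPENDER)
    r["prepender_grows_file"] = len(p) == len(HOST) + len(PREPENDER)
    r["prepender_detected"] = not integrity_ok(clean_hash, p)
    r["prepender_repaired"] = integrity_ok(
        clean_hash, disinfect_prepending(p, len(PREPENDER)))

    o = infect_overwriting(HOST, OVERWRITER)
    r["overwriter_same_length"] = len(o) == len(HOST)
    r["overwriter_detected"] = not integrity_ok(clean_hash, o)
    stripped = strip_overwriter(o, len(OVERWRITER))
    r["overwriter_repaired"] = integrity_ok(clean_hash, stripped)
    r["overwriter_header_lost"] = not stripped.startswith(b"MZ")
    r["overwriter_bytes_gone"] = HOST[:len(OVERWRITER)] not in o
    # Only a copy made before infection gives the original back.
    r["overwriter_restored_from_backup"] = integrity_ok(clean_hash, HOST)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The integrity check catches both infections, which is why a hash-based checker is a sound detection tool regardless of infection technique; the difference lies only in what can be done afterwards, and for the overwriter the answer is restoring from a backup taken before the infection.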
