VIRUS-L Digest   Tuesday, 5 Jul 1994    Volume 7 : Issue 50

Today's Topics:

Philosophy - good vs bad viruses
Re: Benign viruses
Integrity Checking
Good versus Bad viruses.
Fred Cohen and computer viruses
Re: _Fred Cohen and computer viruses
Re: Good vs Bad
OS/2 Viruses? Are there a (OS/2)
Re: What is name of Newest F-Prot? (PC)
Re: What is name of Newest F-Prot? (PC)
Re: Thunderbyte Antivirus (PC)
Re: ** Date recovery afte (PC)
MtE Virus info wanted (PC)
WinRX (PC)
Thunderbyte Antivirus (PC)
** Date recovery after Mi (PC)
To all who replied about "where is F-PROT?"... (PC)
NAV 2.0 gives false "Maltese Amoeba" alarm (PC)
Re: What is name of Newest F-Prot? (PC)
Norman Virus Control (PC)
Re: "New" Virus found? (PC)
Re: FLIP and CANSU (V-SIGN) viruses (PC)
Re: FORM and Spanish TELECOM (PC)
Re: Monkey Virus (PC)
Re: ANSI bomb (PC)
Re: _Stone virus... (PC)
Athens virus: info needed (PC)
Possible virus? (PC)
Re: Jack The Ripper (PC)
Re: Safe ANSI driver - where ? (PC)
Re: Telecom Virus (PC)
New Anti-Virus/Security Product (PC)
CRC values (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).  Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL.  All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 25 Jun 94 13:01:48 -0400
From: "Fredrick B. Cohen"
Subject: Philosophy - good vs bad viruses

"Brian H. Seborg" writes:

> Yes it's time again to fire another salvo over the bow of the good
> ship Malarkey!  I challenged Fred Cohen to provide us with
> documentation on "good viruses" and he referred us to his book (this
> from someone who had just maligned anti-virus software authors as
> stoking the flames of public fear just to make a buck!  By the way,
> Fred has his own anti-virus package on the market, but I would never
> suggest that he was trying to get people to write "good" viruses so
> there would be a greater need for his package! :-)).

Several inaccuracies here.

1 - I do not have an antivirus package on the market - it was licensed
long ago to a Danish firm - SR

2 - There is a big difference between making a buck by scaring people
needlessly and paying for the costs of doing research by publishing
results through a reputable publisher.  You seem to have no objection
to paying for many less reputable researchers via your tax dollars.

> As Ross Greenberg so aptly pointed out, I'm sure Fred could enlighten
> us in a paragraph so we wouldn't have to wait to buy his book for an
> answer!

As Vesselin Bontchev so aptly pointed out, it often takes more than a
paragraph to understand the issues of how life works.  You don't have
to wait to buy my book, it has been out for some time.  I will,
however, try to help enlighten you by responding to your questions in
a form that will encourage you to take the time and effort to get the
whole story by reading my books.

> Also, Fred seems to be making a claim that if a virus asks your
> permission to spread that it is okay!  This is idiotic!  First,
> consider this, for the virus to ask your permission to spread, it has
> to be running on your PC without your permission!
> Vesselin, I can't believe that you bought off on this lame
> distinction! :-)

I don't think I ever said that, and I do not think it is idiotic.
Naturally, people who are context bound such as you seem to be may not
see some of the other ways that permission can work.  I hope you will
decide to read my book to learn about different ways of thinking about
the issue.

> Another point, Fred, have you ever heard of version control?  How
> about change control?  How would you affect these via a virus?

Yes indeed, I have.  In fact, if you had read my books on the subject,
you would probably find that I know quite a bit about these issues and
have investigated them in some depth.  Unfortunately, I cannot detail
all of the issues of change control in such a small space, but if you
read my books, you will hopefully come to understand just how these
issues can be addressed and how most current change control systems
miss the mark.

> Here's a scenario, I send out a "good" virus (Ha, ha, ha, sorry, I
> can't keep myself from laughing!) throughout my corporation.

It must be very enjoyable to laugh while slandering ideas you have not
yet taken the time to investigate, but I think that you would make a
much better case and sway more people to your point of view if you
would think more and abuse less.

> This is the infamous compression virus (hee, hee, sorry!) that will
> compress any executable file it encounters.  First, though, to be a
> "good" virus it asks permission to infect the system ("Hi, I am Fred
> Cohen's compression virus, I am very nice and will help you save disk
> space, is it okay for me to infect your computer?").

I did not write the infamous compression virus, I wrote some of the
famous ones that preceded some of the commercial products that are
widely used to reduce disk usage and increase performance.  My viruses
do not get their authorization to spread in such a way.
If you would take the time to read my works, you would probably already
know that, but people who laugh at new ideas without bothering to
investigate them often encounter this problem.

> Of course unless every user in the corporation is computer literate
> they will probably reboot the computer at this point, but, humor me
> and I'll continue.

I don't understand why computer challenged people would reboot their
computers if this message appeared or what that has to do with the
issue of benevolent viruses.

> Assuming the user allows the virus to infect (will it ask this same
> question every time it attempts to infect another file?

Perhaps I am giving you too much credit, but I bet that if you spend
some time thinking before typing, you could come up with a better way.

> Man, would this be boring or what?) it will then ask, "Hey, this file
> is not compressed, would you like me to compress it?" (would it ask
> this every time it encountered a non-compressed executable, or would
> it be able to flip a bit to store the fact that the question had
> already been asked and answered in the negative?  What if the next
> time I DID want it to compress the file?  Would the virus just
> neglect to ask me so that I would not get any benefit from it?).
> Also, I can see the user saying, "Damn, how do I turn this stupid
> thing off!" after about the 10th time the virus asks permission to do
> something!

I have a similar problem with lots of poorly designed programs that ask
stupid questions and don't adapt well to me, but that has nothing to do
with being a virus, only with the limits of the program's ergonomics.
Perhaps if you took some time to look into this subject, you could
contribute to writing better programs.

> One more issue, how will you make sure the virus gets control in
> memory?  Will it infect command.com or one of the system areas so
> that it makes sure to get control every time?
> If this is the case, then how many different "good" viruses can use
> this same paradigm before you run out of space in command.com (I
> guess we could change it to command.exe and then load it up with
> different special purpose viruses and make it an even greater
> lumbering behemoth than it is now!)

Actually, you should read my books and find out about other ways
viruses can work.  There isn't enough room here to detail all of them.

> Now, let's say you want to upgrade this virus.  How are you going to
> enforce version control?  In other words, you have a faster, better
> compression algorithm, and you update the virus and now you want to
> make sure it is in place throughout the corporation, how do you
> effect this change?  How do you even know the first version even made
> it to all PCs?  One more thing, not all PCs are network connected,
> how do you get the virus and the upgrades to the laptops (this is a
> tough enough issue for legitimate software)?

You know, you are starting to make me feel as if I am very smart
because solving these problems wasn't that hard for me to do.  But
maybe it's you that are not thinking hard enough.  Try this.  For each
question you have written, think until you find a good way to solve the
problem.  This will probably take a few years if you continue to ask
questions.  Then, write down all of the issues and the ways to resolve
them, and publish them in a book.  Then listen to people like you claim
that you are an idiot.  I will, of course, help defend you.

> Finally, how do you ensure that the virus does not leave your
> corporate environment for parts unknown? (other people's PCs?)  Even
> if you had a method of doing this, how much would it cost and how big
> would the virus be at this point?  What if it did get out?  It would
> seem that you'd be legally liable for any damage it did, or trespass
> at the least.  But, I digress...
> Suffice it to say that the concept of a "good" virus all sounds good
> theoretically, but when you give it a "reality-check" the notion of
> "good" viruses beyond the confines of a laboratory environment shows
> itself to be the ludicrous idea it is.  Maybe I've been spending too
> much time in the real world! :-)  I guess I'll just have to buy
> Fred's book! :-)

From your electronic mailing address, I had guessed you worked for the
FDIC, an agency of the US government.  Most people would not consider
that the "real world".  But as a reality check, I have been working
most of my time for a wide variety of corporations of all sizes,
government agencies, and community organizations for most of the last
ten years.  There have been benevolent viruses operating in commercial
applications since 1985, and none of them have ever caused any of the
problems you claim to be unavoidable.  I guess you will just have to
buy a copy of my books!

> "..castles made of sand slip into the sea eventually..."
>
> -Jimi Hendrix

Hear, hear!

UCC DASD Administration writes under an anonymous ID (no human name on
this account)

> ...
> I think this illustrates quite nicely the whole problem with
> beneficial viruses.  That being the lack of a trusted path.  When I
> buy a software package, or download a shareware program, or buy a
> Rolex watch from the trenchcoat of a gentleman on the streets of
> Manhattan, I am depending on a certain avenue through which this
> product came.  How reliable is that path?  It's one thing to talk
> about self replicating code in the ivory confines of a researcher's
> tower.  And I don't doubt the veracity of those claims.  But once you
> pass those doors and come out into the gene pool, you lose that
> element of verifiability.  An unknown program running on my computer
> is suspect, even if it says, Hi!  I'm from the Government/Virus
> Research Department/Mensa club, and I'm here to help you.....  As the
> saying goes, How do you know where it's been?
A very interesting and valid point to be addressed.  And it has been
addressed in my books.  But without even referring to them, I don't
understand what the issue of a trusted path has to do with viruses
that does not apply to any other program.  Obviously, if you purchase a
benevolent virus from a guy in a trench coat who is selling fake Rolex
watches, or if you take a gift virus from the NSA, you are asking for
trouble.  But the same is true regardless of whether it is a virus or
any other software.

> If some people came to your house and said, You just go away for a
> few days.  We're going to clean your house for you, fix the roof and
> install a Jacuzzi in the master bedroom.  Trust us.  We're Nice
> People.  Maybe they're telling the truth.  But if they have no
> credentials, references or licenses, how would you know?  Would you
> hand over the keys to your house?

But of course, in the computing environment, we do this far too much.
We commonly allow programs to operate for millions of instructions
without checking on them.  This mail is being sent through hundreds of
computers over which we have no control, and yet we choose to trust
them.  I agree strongly that we need better integrity controls for all
information technology, but again, I don't understand what this has to
do with viruses as opposed to all software.

> I don't think the most important question is whether beneficial
> viruses exist.  But how could you tell if you had the real thing?

Hear, hear!  We need to only buy computer viruses from legitimate
sources.  I agree that the same standards should be applied to the
purchase of benevolent viruses as any other program.

FC

------------------------------

Date: Sat, 25 Jun 94 21:45:39 -0400
From: Matthew Johnson
Subject: Re: Benign viruses

A. Padgett Peterson, P.E. Information Se writes:

>Still have yet to see a virus that does not screw something up (am willing
>to entertain the concept, just have not seen any in practice).
>Have not even had to leave home to find something that every virus I
>have seen screws up.

I have found one that doesn't--KOH.  It reproduces at your command,
encrypts your HD with a password you give it, if you want, and it has
NO bugs.. so far..

_EL_

------------------------------

Date: Sun, 26 Jun 94 07:36:23 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Integrity Checking

>From %f To ALL on 06-21-94

%f [I saw a post a few days ago about the best and worst antivirus
%f [programs...  I noticed that Vesselin stated that TBAV's integrity
%f [checker was "mediocre."  I was just wondering why he said that, and
%f [what makes for a good CRC checker...  I know a lot about viruses, but
%f [my knowledge of CRC calculation techniques is pretty limited...

Myself, I prefer an integrity checker that has an option that saves the
integrity datafiles to diskette, so I can boot clean once or twice a
week from diskette and perform a full integrity check.  The integrity
data files stored on the hard drive are open to attack by viruses.

Bill Lambdin
- ------------------------+------------------------------+-----------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 08:48 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Mon, 27 Jun 94 14:29:25 -0400
From: bmonette@porpoise.oise.on.ca (Bernie Monette)
Subject: Good versus Bad viruses.

I have watched, read rather, the back and forth debate about good or
bad viruses and I heartily approve of the discourse.  It is important
to come to a philosophical understanding of what these beasts are and
what we are to do with them.  As computers become more and more a part
of daily living, even more so than now, the risk of and the benefit
from this sort of programming code becomes significant.  We can write
code that acts as a virus and does what we want it to do either for
good or ill.
We need the discussion to ask ourselves what should be done with this
knowledge.  How are we to protect ourselves and how can we use this
stuff to make computing better.  If we cannot do it then who can?

Cheers,
Bernie Monette

------------------------------

Date: Mon, 27 Jun 94 14:37:33 -0400
From: rreymond@VNET.IBM.COM
Subject: Fred Cohen and computer viruses

Hi folks,

Suzana wrote:

> ... .  According to these features there are four types of
>viruses: "benign", "Epeian", "disseminating" and "malicious".

Hmmm...  I found that very interesting.  Could you please give more
details on ?

.............................................Bye!
..................................................Roberto

- -----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond                        IBM PSP - C.E.R.T. Semea
Circonvall. Idroscalo                  RREYMOND@VNET.IBM.COM
20090 Segrate (MI)                     ITIBM99K@IBMMAIL.COM
RREYMOND AT VNET  MI SEG 526           Italy
.........Phone +39.2.596.25244    Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980)            *
***********************************************************************

------------------------------

Date: Mon, 27 Jun 94 06:27:25 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re: _Fred Cohen and computer viruses

Hi !

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):

> > To quote Fred Cohen: "It takes one to know one."  I can admit that is
> > not so easy to obtain Dr Cohen's published articles and books
> > (especially not in my part of the world), but it is not impossible
> > either.

Are there electronic versions of Dr Cohen's articles and books?

> (look at, for example, Vesselin Bontchev's definition of virus in
> electronic magazine "Alive" No 0).
Can I know this definition and Dr Cohen's definition of virus?

> Performing experiments is a completely different thing.  I also have
> about 4,300 viruses on my machine, but wouldn't like to run even a
> single one while I am using the machine for normal work.  So, let me
> ask again - would you want a virus running on the computer you are
> using every day for work unrelated to virus experiments?

Under no circumstances !

Regards.
- --
OK

------------------------------

Date: Tue, 28 Jun 94 04:04:13 -0400
From: adamj@highett.mel.dbce.csiro.au (Adam Jenkins)
Subject: Re: Good vs Bad

Vesselin Bontchev writes:

>First, the term was initially coined by Dr. Alan Solomon from the UK,
>who happens to speak British English.  Second, I've heard that the
>American and the Australian dialects sometimes differ so much from it,
>that the respective people sometimes do not understand each other -
>maybe this is your case.  Third, my English is certainly better than
>your Bulgarian.  Fourth, I was speaking as an authority on computer
>viruses and not as an authority on the English language.  Enough?

Um yeah, but one small thing to point out, I'm not trying to tell other
people what to call things.

>Those views certainly aren't an accident - they reflect the real losses
>of time, efforts and money that the real people have suffered from real
>viruses.  The claim that such a view is in the interests of the
>anti-virus industry is certainly interesting - maybe you can supply
>some evidence to back it up?

I wouldn't have thought evidence was needed, just a bit of thought.
Just like people who sell locks aren't going to sell many locks telling
about how school lockers are being broken into and some kids' books
being pinched, why would people buy products to kill programs they know
very little about if they knew that a large percentage of these viruses
are relatively harmless?

>Oh!  Is it?  "Ill founded fears"?  Do you know how often I am getting
>calls to help about a virus-related problem?
>About 2-3 times per day.  And I am even not working on a virus help
>line.  All this is without counting the countless times I have answered
>virus-related questions here and have helped people to recover from a
>virus attack.  I guess, all those are "ill founded fears"...  I wish
>that there were a way to gather all the loudmouths like you and to
>force them to do our job - maybe then you will finally learn how
>"profitable" our profession is, and how "ill founded" those fears
>are...  Wishful thinking...  Loudmouths never do real work, by
>definition.

Um, your choosing to help people with virus-related problems is your
choice, I thought, and it's a good thing.  But don't call me a
loudmouth, count how many posts I've made and how many you've made
before calling me that please.  And yes I've had PCs infected by
viruses and yes I've helped people fix infected disks/machines.

>Except that it doesn't sell that well.

No, funny that.

>system bugs they have snatched from a fellow cracker works, let alone
>how to fix them.  Lots of loss of perspective, as it seems...

You're generalising, there are many pursuits in which people are lousy
and yet still call themselves the common name for that pursuit.

>I suggest that the next time somebody breaks into your house, you tell
>the police to arrest you, because it's your fault that you have not put
>a better lock on the door.

Um no, but I would expect a criminal who broke into my house when I
left my door unlocked or open to get less time than if he had actually
had to pick the lock or force the door.

>You think it would be much better to confuse them by telling them that
>computer viruses can be beneficial, without explaining them that you
>mean something completely different under the term "virus"?

No, it will be a long time I would hazard to guess before someone will
devise a beneficial computer virus, KOH seems like a good beginning
though.  I am just sick of hearing how evil and widespread viruses are.

>Is there?  Evidence, please.
>My own statistics show that the most widespread viruses have been
>distributed in some perfectly legal way.

The problem with gathering statistics like this is that for some
strange reason people who pirate software don't like to advertise that
fact.  And I would guess that the majority of people who find their
computer has a virus would get a copy of an antivirus package and use
that to kill it, not always call you; especially not if they suspect
they got the virus in a pirated game or application.

>It's certainly a better scientific reference.  And just as certainly
>most people will prefer to read the morning newspaper instead.

Count me as one who wouldn't, but I guess I must just be strange huh?
Murders and wars just seem to depress me; the real problems of today,
not some bit of code that attaches itself to my files and prints a
funny message.

>But people do believe all the nonsense that is in the newspapers - at
>least most of them do so.  Welcome to the real world.

Welcome to commercial anti virus land.

>Oh, yes, the "virus researchers".  Who are they?  I don't know any
>self-respecting scientific researcher, besides Dr. Cohen, who claims
>that computer viruses can be beneficial.

They are those who are interested in viruses that agree with you it
appears.  The others must just be plain evil.

Regards,
Adam

------------------------------

Date: Sun, 26 Jun 94 07:39:23 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: OS/2 Viruses? Are there a (OS/2)

>From AMIR77@TAUNIVM.TAU.AC.IL To ALL on 06-21-94

A [I'd like to know if there are any OS/2 viruses?

I know of one OS/2 virus.  It was published in an issue of 40HEX.  This
virus is a stupid non resident direct infector.  I sent this virus to
many of the A-V developers, so virtually all scanners should detect
this virus easily.

I have heard that there is another (resident) OS/2 infector, but I
haven't seen this virus, and it may not exist.
------------------------------

Date: Sat, 25 Jun 94 02:49:20 -0400
From: tracker@netcom.com (Craig)
Subject: Re: What is name of Newest F-Prot? (PC)

Rick Niess (rniess@whale.st.usm.edu) wrote:
: Hi All,
:      Ok, for weeks now my copy of VIRSTOP has been screaming about being
: outdated, but after several uneventful archies as well as several
: questionings of friends, I have been unable to locate the latest version
: of the F-PROT package.  Could someone PLEASE clue me in as to where to get
: it from (FTP site, would be nice)?  Thanx...
:                               ~ Rick Niess ~

FTP site: oak.oakland.edu
cd /pub/msdos/virus
fp-212c.zip     File you want; it's v2.12c of F-Prot

------------------------------

Date: Sat, 25 Jun 94 06:41:39 -0400
From: ag311@cleveland.Freenet.Edu (Carol Conti-Entin)
Subject: Re: What is name of Newest F-Prot? (PC)

>     Ok, for weeks now my copy of VIRSTOP has been screaming about being
>outdated, but after several uneventful archies as well as several
>questionings of friends, I have been unable to locate the latest version
>of the F-PROT package.  Could someone PLEASE clue me in as to where to get
>it from (FTP site, would be nice)?  Thanx...

Since I can't FTP, I get it directly from the source via e-mail sent to
f-prot@complex.is with the message

send-to:

There's also a send-as: command line, with the default being uue

- --
Carol Conti-Entin          Internet: ag311@cleveland.freenet.edu
N.E. Ohio, USA

------------------------------

Date: Sat, 25 Jun 94 11:52:42 -0400
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Thunderbyte Antivirus (PC)

ML> No doubt, Thunderbyte is better than all others I know.

It is the fastest, and it probably detects more than anything else.  It
does give off a lot of false alarms though.  Where I work we use
F-Prot.  F-Prot is just as effective at detecting any of the common
viruses, it is better at cleaning them, and costs a *LOT* less.  If we
used ThunderByte we would be constantly dealing with false alarm calls.
We just faxed Frisk off a renewal for 700? sites.

I do wish F-Prot would add a small thing for immunizing drives like
TBUTIL -im though.

Joe Norton (tech at Michigan Education Data Network Association)

------------------------------

Date: Sun, 26 Jun 94 07:34:55 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Re: ** Date recovery afte (PC)

>From FRISK@COMPLEX.IS To ALL on 06-21-94

F [The fastest method to recover would probably be to re-partition the d
F [re-format and restore yesterday's backup.  However, as the users who

Agreed.  A recent backup should always be considered as the first line
of defence in any disaster recovery plan.

Bill Lambdin
- ------------------------+------------------------------+-----------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 10:10 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Sun, 26 Jun 94 07:44:00 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: MtE Virus info wanted (PC)

>From U12585@UICVM.UIC.EDU To ALL on 06-21-94

U [I would appreciate information on "MtE" which I "found" on my
U [machine with Norton Antivirus 2.1.  This was NOT indicated by

From your description, you may have a false alarm.  I would recommend
that you try one of the following scanners because they detect MtE
reliably:

Dr. Solomon's Anti-Virus Toolkit (commercial)
F-Prot              FP-212C.ZIP
Integrity Master    I_M222.ZIP
McAfee's Scan       SCN-116.ZIP  SCN202.ZIP

These and many others can detect MtE reliably.
Bill Lambdin
- ------------------------+------------------------------+-----------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 09:47 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Sun, 26 Jun 94 07:40:55 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: WinRX (PC)

>From S1083509@CEDARVILLE.EDU To ALL on 06-21-94

S [Does anyone have any information on how good WinRX, I believe the nam
S [is at detecting and cleaning viruses.

I tested Win-Rx about a year ago, and was not very impressed.  I would
suggest that you switch to McAfee's Scan for Windows because WinScan
will detect more viruses.

------------------------------

Date: Sun, 26 Jun 94 07:45:26 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Thunderbyte Antivirus (PC)

>From IIGGII@MIXCOM.MIXCOM.COM To ALL on 06-21-94

I [Has anyone heard of/used thunderbyte antivirus?  How does it compare
I [(reliability, speed, etc) to some of the others - McAfee, SP, Norton,
I [etc?

TBAV offers a scanner, and generic routines that will detect viruses
that TBscan and other scanners will miss.  From my tests, TBAV's
scanner is of equal quality to F-prot.  I recommend the scanner, and
the generic routines.

Bill Lambdin
- ------------------------+------------------------------+-----------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 10:00 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Sun, 26 Jun 94 07:42:23 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: ** Date recovery after Mi (PC)

>From IOLO@MIST.DEMON.CO.UK To ALL on 06-21-94

I [If the virus has triggered, the first 17 sectors on the first 4 heads
I [the first 256 cylinders will have been overwritten with garbage and a
I [gone for good.  This may not be the whole of the disk.
I [Something may be recoverable, especially if a large disk has been
I [partitioned into several volumes.  However, the recovery will require
I [skill; there is

To recover these extended partitions, you will have to reconstruct the
partition table information.

Bill Lambdin
- ------------------------+------------------------------+-----------------
Internet                 | PGP key available on request | Virus Research
bill.lambdin@pcohio.com  | blambdin@aol.com             | 09:50 06/25/94
- ---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

Date: Mon, 27 Jun 94 14:24:39 -0400
From: rniess@whale.st.usm.edu (Rick Niess)
Subject: To all who replied about "where is F-PROT?"... (PC)

Hi All

     To all who replied to my request for f-prot's location, a
heart-filled thanx goes out to you.  So far I've gotten 43 replies
from that same post.  They all said pretty much the same thing, that I
could find it at oak.oakland.edu.  But there was one that was
different.  Here it is:

RN> Nice to see, someone is using F-Prot.  You can get newest versions,
RN> as soon, as they're released by frisk from his own ftp - complex.is
RN> (yes, sooo long name!), in the directory /pub.  The last version
RN> available here is, I believe, F-Prot 2.12c (file fp-212c.zip) since
RN> 16th June.
RN>
RN> This is the fastest method to obtain shareware F-Prot version, as
RN> the other ftp's are having delays of 3-4 days after frisk puts
RN> F-Prot on complex.is - so check it regularly... (new versions are
RN> released bimonthly, but.....).  Note that I can't find F-Prot on
RN> complex.is using archie (archie.luth.se in Sweden) - so check it
RN> every 3-4 weeks.
RN>
RN> On the other hand you can try to download it using e-mail, but it
RN> will be cut in 15 pieces (hahaha!!!).

Just thought y'all'd like to know...

                               ~ Rick Niess ~

------------------------------

Date: Mon, 27 Jun 94 05:19:24 +0400
From: Oleg Nickolaevitch Kazatski
Subject: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)

Hi, all !
NAV 2.0 indicates that my machine running MS DOS 5.0 has the "Maltese
Amoeba" virus in two files but I can not find any viruses in these
files.  I suspect this is a false alarm.

- --
OK

[Moderator's note: I believe that this is indeed a false alarm, and was
documented as such some time back.]

------------------------------

Date: Mon, 27 Jun 94 14:47:43 -0400
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: What is name of Newest F-Prot? (PC)

Rick Niess wrote:
>Hi All,
>
>     Ok, for weeks now my copy of VIRSTOP has been screaming about being
>outdated, but after several uneventful archies as well as several
>questionings of friends, I have been unable to locate the latest version
>of the F-PROT package.  Could someone PLEASE clue me in as to where to get
>it from (FTP site, would be nice)?  Thanx...

Hi Rick (and others),

Please read the files Jim Wright so very nicely put together !  It
contains references to all known sites that carry anti-virus software
and/or texts.  For you, try oak.oakland.edu, wuarchive.wustl.edu, or
ftp.twi.tudelft.nl (or Frisk's own site, but I don't think the link to
Iceland is very fast, so I won't burden his site with requests ...)

Piet de Bondt.     bondt@dutiws.twi.tudelft.nl or piet@kgs.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Mon, 27 Jun 94 14:53:27 -0400
From: "Guffey, Steven W."
Subject: Norman Virus Control (PC)

Hello list members,

I just recently received an evaluation copy of the Norman Virus Control
for Workstations.  The package consisted of their anti-viral software
called Norman Armour and their informational database called V-base.
The anti-viral software has DOS and Windows components.  The database
is chock full of hypertext and seems to be pretty comprehensive.

My questions are:

Has anyone used/evaluated this product?  If so, what did you think of
it?
They claim to be able to detect 99%+ of viruses. Has anyone been able to test this claim?

Is the virus database (V-base) accurate? (Or at least more accurate than VSUM)

Any input would be greatly appreciated. I've included the company information below for anybody who is interested.

Norman Data Defense Systems Inc.
3028 Javier Road
Suite 201
Fairfax, VA 22031
Voice: 703-573-8802
FAX: 703-573-3919

Steve G.
===============================================================================
"...Speaking words of wisdom...Let it be..." -Paul McCartney
-------------------------------------------------------------------------------
Vulcan - "Live long and prosper."
Ferengi - "I knew there was a reason I liked you."
===============================================================================

------------------------------

Date: Mon, 27 Jun 94 15:37:22 -0400
From: nelsoncb+@pitt.edu (Corbett B Nelson)
Subject: Re: "New" Virus found? (PC)

Keith Gordon Bullington (bullingt@sfu.ca) wrote:
: Contains the text strings: "Dr. White - Sweden 1994.3" and
: "Junkie Virus - written in
: (B.T.W. VPCScan flagged it as a "PS_MPC-23" infection, if that means
: anything to you...)

PS-MPC is a virus creation package that allows for encryption of virii. However, it does require the user to supply their own activation code...

--
--------------------------------------------------------------------------
nelsoncb+@pitt.edu
Finger me for my pgp public key...

------------------------------

Date: Mon, 27 Jun 94 15:41:54 -0400
From: Henrik Stroem
Subject: Re: FLIP and CANSU (V-SIGN) viruses (PC)

Iolo Davidson writes Friday, June 24th 1994;

> The virus was written before DOS4 came along with the extended boot record.
> If this were a "beneficial" virus, how would the author withdraw the
> old version that truncates disks when he updates it to the new,
> improved version?
With proper version checking it would not truncate the disk, but refuse to infect DOS 4 and greater, or simply choose another disk-reservation technique for unknown DOS versions. New versions of the virus would handle new versions of DOS.

Just another example which indicates that most virus-writers are no good as computer programmers.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 27 Jun 94 15:39:59 -0400
From: Henrik Stroem
Subject: Re: FORM and Spanish TELECOM (PC)

Vesselin Bontchev writes Friday, June 24th 1994;

> Form from a OS/2 system that has BootManager installed and is using
> HPFS volumes is a *very* tedious procedure.

If using the BootManager, Form will infect the BootManager partition. Removal consists of booting OS/2, running FDISK, removing BootManager from the partition table, then creating it again (without exiting), then adding bootable entries. Tedious; yes. Very; no.

Of course you could use an antiviral to do a Form-specific disinfection, since the original sector is stored at the end of the BM-partition (which only contains code on the first 30-40 sectors).

Removing Form from an HPFS partition is what I would call *very* tedious. This can become necessary if you DON'T have BootManager when Form comes along. A specific Form disinfection might work here too, but I don't remember for sure.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 27 Jun 94 18:09:26 -0400
From: Henrik Stroem
Subject: Re: Monkey Virus (PC)

kenney@netcom.com (Kevin Kenney) writes June 24th;

> Monkey and int10 are two viruses that infect (encrypt) a disk's partition
> table as well as the MBR.

Nope, this is wrong. Monkey infects the MBR, but does not infect or encrypt the partition table. It encrypts the copy of the original MBR which is placed at cyl 0, head 0, sec 3.

> Booting from a clean floppy means not being able to access the hard disk
> (normally).
Thus special methods are needed, (albeit not reformatting). This is because Monkey overwrites the partition table with part of its own code, and instead depends on using stealth to fetch the table from sector 3, where the original is stored in encrypted form (XOR 2Eh).

> Various virus eradicators handle these 'normally'. Check the literature
> - your post was incorrect, possibly dangerously.

I disagree. *YOU* should check the virus/literature! The Monkey is not encrypted, nor is the partition table. Only the saved original at sector three is encrypted. The partition table does contain part of the Monkey virus code and data, but is not 'infected' by Monkey, just overwritten. The MBR *IS* 'infected', *NOT* the partition table.

> Good luck -

Thanks, same to you.

Sincerely,
Henrik Stroem
Stroem System Soft

ps The point here is that FDISK/MBR should not be used against this virus, since the partition table is overwritten with virus code and data. The original table is only available when the virus is active in memory after booting from the infected harddisk.

ps2 As for the INT_10, it can usually be disinfected by using FDISK/MBR, since it keeps the partition table in place.

------------------------------

Date: Mon, 27 Jun 94 18:35:10 -0400
From: BRENNAN@hal.hahnemann.edu (A. Andrew Brennan)
Subject: Re: ANSI bomb (PC)

id@mist.demon.co.uk writes:
>
> A virus must be able to replicate. An ANSI bomb isn't.
>
> I believe Dr. Solomon has seen an ANSI bomb which could launch an
> executable contained in part of the ANSI "text" file. I don't remember
> if the example he had contained a virus or not, but it could easily have
> done so. It would not have been self-replicating for the ANSI bomb
> itself perhaps, but could have been a dropper for a virus.
>

What prevents the accompanying executable from copying files to another diskette - in effect, a multi-file virus??

andrew.
(brennan@hal.hahnemann.edu)

------------------------------

Date: Mon, 27 Jun 94 06:11:52 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re: _Stone virus... (PC)

Hi !

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):
> news spool owner (news@undergrad.math.uwaterloo.ca) writes:
>
> > McAfee's v2 reports that I have the stone virus (stone.stonheng)
> > How do I kill it? Is there a vaccine?
>
> you can remove this virus by booting from a write
> protected system diskette containing DOS version 5.0 or higher, making
> sure that you still can access the hard disk (DIR C:)

and back up your important files... just in case.

> and executing
> the command FDISK/MBR. This will remove the virus from the first hard
> disk.

or else run DISKEDIT and try to find your non-infected MBR and save it in one's place.

Good luck !

-- OK

------------------------------

Date: Tue, 28 Jun 94 00:08:49 -0400
From: ebottoni@cat.cce.usp.br (Eduardo Benedicto Ottoni)
Subject: Athens virus: info needed (PC)

I'm looking for some info on the Athens virus (effects, effective cleaning programs etc), which has appeared in many machines in our campus. Any information is welcome.

Eduardo B. Ottoni
Dept. of Experimental Psychology
University of Sao Paulo - Brazil

------------------------------

Date: 28 Jun 94 01:46:42 -0600
From: slb96@cc.usu.edu
Subject: Possible virus? (PC)

Forgive me if this is not a virus, but I feel that it is. About 5 or 6 months ago I turned my computer on and got an error, HD Controller Error. Since then, I have been needing to boot off a floppy drive (I have a program which redirects the bootup to the C drive). So, I called up the local computer places and asked their opinions. They told me to buy a new controller card (which makes sense), so I did. That didn't seem to fix the bug. Then they said to try a format, which I did. Still no luck. After that I also tried a new HD, but that did not work either. At last I broke down and took the computer in.
They couldn't figure out what was wrong. So, I thought it was just some freakish problem.. until tonight. I was at a friend's house and he too was having the same problem. When I asked him how long it had been doing it, he told me around 4 or 5 months. I have now been up for around 5 hours reading docs, the FAQ for this group, and asking questions on IRC. So I guess it all boils down to this question, Might I have a virus? I don't know much about viruses, so don't flame me too much. :-)

Thanks for any help.

____________________________________________________________________________
|                        | Never drive fast,                                 |
| Frijoles               | You could hit a bump and spill your beer.         |
| slb96@cc.usu.edu       |                                                   |
| 2+2=5                  |* The opinions expressed above are MINE MINE MINE! |
|________________________|___________________________________________________|

------------------------------

Date: Tue, 28 Jun 94 05:37:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Jack The Ripper (PC)

Iolo Davidson (id@mist.demon.co.uk) writes:

> > We have found a "Jack The Ripper" virus in more than one school in Geneva.
> > Does anybody have more information about this virus ?

> Off the top of my head, it is a fairly new boot sector virus that has a
> disk wipe payload.

It is far worse. It does a slow and random corruption of the information on the disk(s).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 05:41:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Safe ANSI driver - where ? (PC)

Mike Ramey (mramey@u.washington.edu) writes:

> Can anyone tell me where to get a shareware -safe- ANSI driver?
> Some of the programs used in our computer lab require ANSI.SYS.
> PKSFANSI is -not- included in the shareware version of PKZIP.

Take a look at oak.oakland.edu, directory /SimTel/msdos/screen/. It contains several ANSI drivers.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 05:45:00 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Telecom Virus (PC)

watson (John Watson) (watson@mildred.physics) writes:

> Can anyone e-mail me information about the Telecom virus.

It is described in our Computer Virus Catalog. Check the FAQ of this newsgroup for information about how to get the CVC - and about how to ask such questions, and lots of other useful stuff.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Fri, 24 Jun 94 22:21:08 -0400
From: emd@access.digex.net (EMD Enterprises)
Subject: New Anti-Virus/Security Product (PC)

Glen Rock, PA, June 16, 1994--EMD Enterprises has announced the release of Ver 2.0 of EMD Armor(TM) Plus. EMD Armor Plus is a comprehensive anti-virus and security system for IBM compatible personal computers.

PRODUCT DESCRIPTION

EMD Armor Plus works as an extension of the system BIOS. Working at the very basic system level it continuously looks for activities that suggest the presence of a virus. Unlike software-only products, it provides protection against viruses right from the time of boot-up.
Unauthorized users are stopped by BIOS level password protection. The System Administrator can assign up to 5 authorized users with different access rights. The secondary users' access rights to directories, floppy drives, printers, and serial ports can be controlled by the System Administrator. The System Administrator can also define user permissions (read, write, execute, and modify permissions) within accessible directories.

Other features include a screen blanker and a unique feature called the Disk Guard, which auto-repairs correctable hard disk data errors, long before they become uncorrectable due to hard disk aging. Hard disk locking (Optional) protects data on the hard disk even if EMD Armor Plus is removed from the system.

Also included is a utility called CLINIC. CLINIC scans and cleans both known and unknown viruses on hard and floppy disks using a proprietary algorithm. CLINIC scans both conventional and upper memory when initiated. It can optionally immunize commonly used files to prevent future virus infections and to reduce false alarms.

EMD Armor Plus is not a TSR - and uses none of the conventional memory.

SYSTEM REQUIREMENTS

The EMD Armor Plus is an 8-bit add-on card and it requires the following computer environment.

- PC/XT/AT/386/486 computer
- one 8-Bit or 16-Bit ISA or EISA computer slot
- DOS 3.0 or higher

EMD Armor Plus is compatible with Microsoft Windows 3.X, and Novell Operating Systems.

SYSTEM OPTIONS

EMD Armor Plus LAN - Provides protection against viruses and unauthorized access via network connections.

EMD Armor License Pack - Includes additional user accounts for each system.

For more information please contact EMD Enterprises, 6 Cardinal Drive, Glen Rock, PA 17327
Phone: (717) 235-4261
Fax: (717) 235-1456
Fax Back: (717) 235-4261 ext.
4, request document number 1015
BBS: (717) 235-1456
Email(Internet): emd@access.digex.net

# # #

------------------------------

Date: Sun, 26 Jun 94 07:33:18 -0400
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: CRC values (PC)

Here are CRC values for executable files in the following list of virus detection software

AVP200D.ARJ
FP-212.ZIP
VDS30M.ZIP

I only give CRCs for executable files because these are the files most likely to be attacked, and I don't want to waste bandwidth.

These CRC values were generated by CHKfile 1.0 written by Wolfgang Stiller, and distributed by PC-Magazine. If you do not have a copy of CHKfile, send me an internet E-Mail message to the address below, and I will send you a copy of CHKfile 1.0 in a debug script or UUencoded.

-------------------------------------------------------------
AVP200D.ARJ

CHKFILE 1.0 ■ PCDATA TOOLKIT (C) 1990 Ziff Communications Co. PC Magazine ■ Wolfgang Stiller.
Checking: *.*

File Name +   Check  Check  File         Update    Update
Extension:    Val1:  Val2:  Size (hex):  Date:     Time:
----------    ----   ----   -----------  --------  --------
-VPRO.EXE     A7F1   D9FD   1DCA0        03/21/94  02:00:00
-V.EXE        0524   B42C   1969B        03/21/94  02:00:00
-U.COM        000C   D979   5C18         06/20/94  02:00:00
-D.COM        8163   6169   2476         03/21/94  02:00:00
-------------------------------------------------------------
FP-212C.ZIP

CHKFILE 1.0 ■ PCDATA TOOLKIT (C) 1990 Ziff Communications Co. PC Magazine ■ Wolfgang Stiller.
Checking: *.*

File Name +   Check  Check  File         Update    Update
Extension:    Val1:  Val2:  Size (hex):  Date:     Time:
----------    ----   ----   -----------  --------  --------
F-PROT.EXE    56F1   A09A   1CAC7        06/16/94  02:12:44
VIRSTOP.EXE   FB4D   351B   8A99         06/16/94  02:12:28
F-TEST.COM    14EB   645D   3A           11/02/92  02:12:10
-------------------------------------------------------------
VDS30M.ZIP

CHKFILE 1.0 ■ PCDATA TOOLKIT (C) 1990 Ziff Communications Co. PC Magazine ■ Wolfgang Stiller.
Checking: *.*

File Name +   Check  Check  File         Update    Update
Extension:    Val1:  Val2:  Size (hex):  Date:     Time:
----------    ----   ----   -----------  --------  --------
INSTALL.EXE   CDA6   59E3   AF4C         05/11/94  04:21:38
VFSLITE.EXE   85D7   EE8B   F2F1         05/12/94  21:40:52
VITALFIX.EXE  2094   A53B   96E6         05/12/94  21:40:52
VDS.EXE       A716   35C4   163E7        05/12/94  21:40:52
-------------------------------------------------------------

Bill Lambdin
------------------------+-----------------------------
Internet                | PGP key available on request | Virus Research
bill.lambdin@pcohio.com | blambdin@aol.com             | 16:23 06/24/94
---
 * CMPQwk #1.4 * UNREGISTERED EVALUATION COPY

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 50]
*****************************************
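Editor's added example on the "CRC values (PC)" post above (it is not part of Bill Lambdin's post and is not CHKFILE code). A listing of size plus checksum like the one he publishes catches accidental corruption and a virus that appends itself, but a CRC is a checksum, not a keyed integrity tag: anyone who knows the published value can make a modified file match it. The script builds such a manifest with CRC-32 as a stand-in (CHKFILE's two 16-bit check values use an algorithm not reproduced here; if they are linear checksums the same reasoning applies, which is an assumption, not something verified), shows that a one-byte patch is detected, then shows the general technique of rewriting four controlled bytes so that size and CRC-32 match the manifest again while a SHA-256 digest still differs. File names and contents are constructed, not real scanner binaries.

```python
import hashlib
import zlib


def _crc32_table():
    """Reflected CRC-32 table (polynomial EDB88320), the one zlib uses."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc32_table()


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def manifest(files: dict) -> dict:
    """name -> (size, crc32): the kind of listing CHKFILE prints, with CRC-32 as stand-in."""
    return {name: (len(data), crc32_of(data)) for name, data in files.items()}


def verify(files: dict, expected: dict) -> list:
    """Names whose file is missing or whose size/CRC differ from the manifest."""
    bad = []
    for name, (size, crc) in expected.items():
        data = files.get(name)
        if data is None or len(data) != size or crc32_of(data) != crc:
            bad.append(name)
    return sorted(bad)


def forge_crc32(data: bytes, target: int) -> bytes:
    """Four bytes that, appended to data, make crc32(data + patch) == target.

    Every table entry has a unique top byte, so walking backwards from the
    wanted register value fixes which entry each of the last four steps used;
    the input byte that selects that entry is then read off going forwards.
    """
    reg = crc32_of(data) ^ 0xFFFFFFFF      # shift register after data (undo the final XOR)
    want = target ^ 0xFFFFFFFF             # register value needed after the patch
    indices = []
    r = want
    for _ in range(4):
        i = next(k for k in range(256) if TABLE[k] >> 24 == r >> 24)
        indices.append(i)
        r = ((r ^ TABLE[i]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    r = reg
    for i in reversed(indices):
        patch.append((r ^ i) & 0xFF)       # byte that selects table entry i at this step
        r = TABLE[i] ^ (r >> 8)            # zlib's per-byte update
    return bytes(patch)


def demo() -> dict:
    """Constructed stand-in for a scanner executable; no real file is read."""
    original = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 4
    expected = manifest({"SCAN.EXE": original})
    tampered = original[:100] + b"\xCC" + original[101:]     # one byte patched, same size
    body = tampered[:-4]                                      # attacker gives up 4 trailing bytes
    forged = body + forge_crc32(body, expected["SCAN.EXE"][1])
    return {
        "tampered_flagged": verify({"SCAN.EXE": tampered}, expected),
        "forged_flagged": verify({"SCAN.EXE": forged}, expected),
        "forged_same_crc": crc32_of(forged) == crc32_of(original),
        "forged_same_sha256": hashlib.sha256(forged).digest()
        == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical reading: a published CRC plus size is fine for spotting a parasitic infection that was not aimed at the check, which is what the post is for, but it cannot stand in for a cryptographic hash or a signed distribution when the adversary knows the check is there; four bytes of slack in a padding area are all that is needed.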
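Editor's added example on the "Re: Monkey Virus (PC)" exchange above (not code from Henrik Stroem, Kevin Kenney or any anti-virus product). The post's point is that Monkey overwrites the partition table in sector 0 with its own code and data and keeps the original MBR XOR-2Eh encrypted at cylinder 0, head 0, sector 3, so FDISK /MBR (which rewrites only the boot code) leaves a useless table behind. The script shows the check a cleaner would make before touching sector 0: parse the four partition entries, decide whether the table is plausible, and if it is not, try decrypting sector 3 and validating that instead. The sector images are constructed in the script; the XOR key and the sector-3 location are taken from the post as stated, not independently verified; the INT 13h reads and writes are left out, the functions take and return raw 512-byte images.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE        # first of the four 16-byte partition entries
SIG_OFFSET = 0x1FE       # 55 AA boot signature
MONKEY_XOR_KEY = 0x2E    # key given in the post (assumption from the post, not re-verified)
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_partition_table(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts."""
    entries = []
    for n in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * n)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check of the partition table only; says nothing about the boot code."""
    if len(sector) != SECTOR_SIZE or sector[SIG_OFFSET:] != b"\x55\xAA":
        return False
    entries = parse_partition_table(sector)
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        return False                       # virus code/data in the table trips this
    used = [e for e in entries if e["type"] != 0]
    return bool(used) and all(e["lba_start"] > 0 and e["sectors"] > 0 for e in used)


def recover_original_mbr(saved_sector: bytes) -> bytes:
    """Undo the XOR the post describes for the copy kept at cyl 0, head 0, sector 3."""
    return bytes(b ^ MONKEY_XOR_KEY for b in saved_sector)


def assess(sector0: bytes, sector3: bytes):
    """Decide whether FDISK /MBR is safe or the original MBR must come from sector 3."""
    if looks_like_mbr(sector0):
        return "partition-table-intact", sector0     # FDISK /MBR keeps a valid table
    candidate = recover_original_mbr(sector3)
    if looks_like_mbr(candidate):
        return "recovered-from-sector3", candidate   # write this back to sector 0 instead
    return "unrecoverable", None                     # neither copy parses: stop, image the disk


def build_mbr(entries) -> bytes:
    """Constructed sample: zero boot code, the given partition entries, boot signature."""
    sector = bytearray(SECTOR_SIZE)
    for n, (status, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * n,
                         status, ptype, lba_start, count)
    sector[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample images, not dumps of a real infection.
CLEAN_MBR = build_mbr([(0x80, 0x06, 63, 204800)])             # one bootable FAT16 partition
SAVED_SECTOR3 = bytes(b ^ MONKEY_XOR_KEY for b in CLEAN_MBR)  # what the post says sector 3 holds
_infected = bytearray(CLEAN_MBR)
_infected[PT_OFFSET:PT_OFFSET + 64] = b"\x90" * 64            # table overwritten by "virus code"
INFECTED_MBR = bytes(_infected)

if __name__ == "__main__":
    verdict, mbr = assess(INFECTED_MBR, SAVED_SECTOR3)
    print(verdict, parse_partition_table(mbr)[0])
    print(assess(CLEAN_MBR, SAVED_SECTOR3)[0])
```

A table that parses cleanly does not mean sector 0 is clean (the post's INT_10 case keeps the table and is still infected); the check only tells you whether a generic FDISK /MBR would leave the disk reachable, which is the decision the post is about.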