VIRUS-L Digest   Thursday, 7 Jul 1994   Volume 7 : Issue 52

Today's Topics:

Re: Disabled viruses?
Virus Simulation
good viruses?
good viruses?
Unknown Virus Attack (message: Disks travel in packs.) (PC)
Re: Telecom Virus (PC)
How can I delete "Keypress" (PC)
Jack the Ripper (PC)
Re: Scan V115 (PC)
Help ! virus Genb is killing us all (PC)
Re: Server-Downing Viri (PC)
Re: Junkie virus (PC)
need help with kampana virus (PC)
Re: New Super-virus "Junkie" (PC)
Re: Symantec (PC)
Re: Joshi (PC)
Re: Symantec (PC)
Re: Netware & Virstop (PC)
Re: Symantec (PC)
Re: Best Anti-virus software (PC)
Re: New Super-virus "Junkie" (PC)
Re: New Super-virus "Junkie" (PC)
Re: Stealth.B Pain (PC)
BIOS Virus Protection, and Checksumming (PC)
Anti-Virus for VINES Networks (PC)
Stealth Virus size-hiding technique? (PC)
Monkey Virus (PC)
Re: New AV software (PC)
Re: Symantec (PC)
Re: AntiVirus Pro (avp_200.zip) (PC)
Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: New Super-virus "Junkie" (PC)
Antiviral Toolkit Pro 2.0 in US (PC)
AVP 2.0 User's Guide (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 30 Jun 94 11:59:54 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Disabled viruses?

buster@klaine.pp.fi (Kari Laine) writes:

>But NO anti-virus vendor should be able/willing to supply you with a
>set !

unfortunately not true....one vendor distributes a set of "viruses" for "testing" .... carefully selected so that they detect them all, and the competition detected few or none....conveniently ignoring minor issues such as:

a) some of the "viruses" do not work
b) some of the "viruses" are only Trojans, not viruses
c) some of the viruses only work on Japanese NEC-compatible machines, not on standard PCs....

If you change the sentence to "But NO respectable anti-virus vendor should be able/willing to supply you with a set !", then I'll agree.

-frisk

------------------------------

Date: Thu, 30 Jun 94 14:28:04 -0400
From: dhull@nunic.nu.edu (Dr. David B Hull)
Subject: Virus Simulation

I have to disagree about the usefulness of virus simulations. In particular, Rosenthal Engineering's Virus Simulator does a reasonable job and I have used it repeatedly in teaching anti-virus and computer security tactics. It allows students to actually detect a "virus" and get the feel of the various scanners on the market. It provides experience in eradicating viruses, and allows a complete walk through of a security system. I would not try a hospital fire drill with a full scale real fire; but then I wouldn't consider a fire drill complete unless I have the fire marshals outside in the parking lot extinguishing a fire in a 55 gallon drum, under supervision of the fire department of course.

I must also agree, however, despite being touted as a means of evaluating various scanners; it probably is not the best way of doing this. On the other hand, should I tell my students to believe what is written on the scanner packages ?
For $25 for a single user license; it is a lot nicer than the FORM virus I used to use for training - and lets you sleep at night too.

--
< David B. Hull                Always interested in computer viruses. >
< Nil Temere, Neque Timore                           The Berney Sept  >

------------------------------

Date: Thu, 30 Jun 94 15:16:08 -0400
From: Ian Douglas
Subject: good viruses?

Fredrick B. Cohen wrote

> How about this for a way to differentiate different types of viruses:
> Malicious viruses
> Benevolent viruses
> OR - if you prefer the medical analogy:
> Benign viruses
> Malignant viruses
> Computer viruses are computer programs that reproduce. Some of these viruses
> are intended to harm people by damaging their information systems, and we call
> them malignant. Other viruses are intended to demonstrate a concept, to
> explore issues in artificial life, or even to do useful functions. We call
> them benign.

IMHO, there is no such thing as a benign virus - if it replicates, it has to either create files (companion) or mess with existing files, BS, or FATs. When it does so, it ceases to be 'harmless' and starts causing damage.

However I can understand the difference between those that have a payload and those that do not. But to call those without a payload 'benign' is to perpetuate the myths that the underground is trying so hard to spread.

Cheers,
Ian

--
-----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,      InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of      FidoNet:  5:7102/119
7532 Sanlamhof     the way.           TopNet:   225:2048/1
South Africa
-----------------------------------------------------------------------------

------------------------------

Date: Thu, 30 Jun 94 15:23:46 -0400
From: Ian Douglas
Subject: good viruses?
Adam Jenkins wrote

===========================================================================
Hmmmm these views aren't necessarily an accident, it is in both the media and the anti-virus industry's interests to promote these views. And viruses like KOH do not waste time or effort; like any other software, viruses can be useful and save time and effort. They are a medium not a philosophy.
===========================================================================

KOH is not a good virus - When it asked if it could install, I said no. It installed anyway. Then like a fool I stuck an important floppy in Drive A:, next thing I know KOH is trashing the disk (called 'encrypting'). I lost important data on that disk.

===========================================================================
Perhaps it should read "Bank Loses $10 Million Due to Negligence in their Computer Security". Oh no, far easier to blame viruses, everyone knows that us mortals are helpless to stop these evil pieces of work by the twisted youth who strive tirelessly to destroy the threads of our society.
===========================================================================

This is called blaming the victim and is a favourite trick used by the underground to justify their actions: "He was using MASV - he deserved to get hit" etc...

Cheers,
Ian

--
-----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,      InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of      FidoNet:  5:7102/119
7532 Sanlamhof     the way.           TopNet:   225:2048/1
South Africa
-----------------------------------------------------------------------------

------------------------------

Date: Wed, 29 Jun 94 13:28:34 +0000
From: kbukala@undergrad.math.uwaterloo.ca (Kamil Bukala)
Subject: Unknown Virus Attack (message: Disks travel in packs.)
(PC)

Short: Infection by Virus, IBM PC 486-33 (f-prot 2.12c can't detect it), Message: "Disks travel in packs.", Damage: FATs damaged (with directories and files lost)

I think I have been hit by an unknown virus (to me anyway).. It started at work when the system there got a seriously screwed up windows/system directory (many cross-linked files and allocation errors, which check disk couldn't fix but norton 7 did).. But 2 weeks after that another system did the same thing, so after scanning with McAfee and F-prot (not finding anything resembling a virus) we decided that the virus was gone..

I was using my computer (about 3 weeks after the system at work was fixed) and well the IDE I/O card overheated (Could have been the virus, but it was quite warm in the room 30 degrees Celsius - we had a hot spell), so I got a caching controller from a friend at work and installed that but it messed up my hard drive. Thinking it was the controller that messed up my hard drive I took it back to work and installed it there on a regular controller. After booting a couple of times (got the divide overflow message twice) the screen went blank and I got the following message:

"Disks travel in packs."

Anybody know what virus this is and how to get rid of it??

Email reply preferred at: kbukala@cayley.uwaterloo.ca

------------------------------

Date: Wed, 29 Jun 94 10:25:19 -0400
From: Otto Stolz
Subject: Re: Telecom Virus (PC)

On Wed, 08 Jun 94 05:10:50 -0400 John Watson said:
> Can anyone e-mail me information about the Telecom virus.

No. Not until you supply a valid E-mail address.

Regards,
Otto Stolz

------------------------------

Date: Wed, 29 Jun 94 23:28:16 -0400
From: yjj@eng.umd.edu (Yuan Jiang)
Subject: How can I delete "Keypress" (PC)

My disks are infected with "Keypress" when I use "scan", but "clean" does not clean it. What should I use?
------------------------------

Date: Thu, 30 Jun 94 06:46:07 +0000
From: amato@hei.unige.ch
Subject: Jack the Ripper (PC)

We are looking to find an anti-virus that is able to clean the "Jack the Ripper" virus. Has anyone an idea (the latest release of McAfee cannot do the job!)

Cheers

---------------------------------------------------------------
Edgardo AMATO - Computer Center - The Graduate Institute for International Studies - Institut Universitaire de Hautes Etudes Internationales - Av. de la Paix 11A - CH-1202 Geneve/Switzerland
Tel:+41(22)734.89.50   Fax:+41(22)733.30.49   Net:amato@hei.unige.ch
---------------------------------------------------------------

------------------------------

Date: Thu, 30 Jun 94 02:54:20 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Scan V115 (PC)

Hello,

auyanged@jhunix.hcf.jhu.edu (Edward D. Auyang) writes:

>I have McAfee's Scan v115...upon entering the command, the hard drive is
>accessed for a second or so before the memory check...anyone know what
>it's doing?

VIRUSCAN is reading itself off the disk in order to perform a self-check.

>Also, has anyone had VShield to successfully intercept a virus?

I watched one of our SQA engineers do this in their lab today, but I don't think that is the reply you were looking for. When VSHIELD finds a virus it reports the location of the virus (name of file or system area), the I.D. code used by CLEAN-UP to remove it, and a message to run VIRUSCAN to check for further infection. That's with the Version 11X programs. The new Version 2.X VShield has a slightly different message.

>Please mail me rather than post.
>TIA
>
>Ed

I hope you don't mind that I posted a reply to comp.virus--I thought other people may want to know the answer to your question.

Regards,

Aryeh Goretsky
Technical Support

--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.
                          | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 30 Jun 94 05:18:48 -0400
From: simon@sgp.hp.com (Simon Chong)
Subject: Help ! virus Genb is killing us all (PC)

Hi there,

Is there anyone who has come across a vaccine for a virus called 'Genb' ? Well, the same virus when it attacks the hard disk is called 'Genp' - that's what the McAfee virus scan s/w says. It can be 'clean'ed using the McAfee June'94 issue. But the same s/w doesn't seem to do the job for 'Genb' that attacked floppy diskettes. The virus is spreading so fast - we now have heaps of them piling up. At the moment, the only solution is to reformat the floppy diskette.

Anybody care to give some ideas what we could do - will be much appreciated .....

HELP ! HELP !

Simon the victim.

------------------------------

Date: Tue, 28 Jun 94 05:46:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Server-Downing Viri (PC)

Iolo Davidson (id@mist.demon.co.uk) writes:

> > Cascade.1701
> > Cascade.1704
> > Frodo
> > Green Caterpillar.1
> > Jerusalem.Standard
> > Yankee Doodle 2885
> >
> > According to the publication, these viruses will move from an
> > infected workstation, onto the server.

> Almost any file virus will infect dos programs stored on the file
> server.

Except Jerusalem.Standard. It will hang the workstation, because it uses an "Are you there?" call that conflicts with Novell NetWare's printing services.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 28 Jun 94 05:50:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Junkie virus (PC)

Bart Hessing (rbhessing@amoco.com) writes:

> I recently read something about a new, advanced virus called "Junkie",
> but don't have any details about it. Can anyone enlighten? Thanks.

It is not advanced at all. A lame variably encrypted multi-partite COM and MBR infector. Here is the information about it I got from Zvi Netiv.

Regards,
Vesselin

-----------------------------------------------------------------------
VIRUS DATA SHEET: JUNKIE.
From: Zvi Netiv, 17 June 1994
-----------------------------------------------------------------------

A new virus was found, named Junkie. The ViruSample was isolated in the North Jordan valley, where it probably got on infected mice software. Junkie seems to be the first multipartite virus with full dual infection mechanisms. It is a memory resident COM, as well as boot and master boot infector. The virus contains the following encrypted code: "Dr White - Sweden 1994 Junkie Virus - Written in Malmo ... M01D". Similar text appears in the Desperado virus, relating to the same writer, "Dr White".

Infection mechanism: Junkie will go resident after booting from a floppy with an infected boot sector, or from the HD, if the MBS is infected. Junkie will not become resident if running an infected file, but the HD MBS will become infected, if it wasn't yet. Once the virus is resident in memory, it will infect COM files on execution, including COMMAND.COM, and the boot sector of floppies - only in drive A - when addressed.

Damage: Junkie patches floppy boot sectors and HD MBS from offset 98 to 127. The virus code itself is contained in two sectors, 0,0,4-5 on HD and on the last track (40 or 80), side 1, sectors 8-9 on floppies. Junkie does not relocate nor store the original sector anywhere.
In COM files, the virus will append itself at the end of the file, with a length of 1027 to 1042 bytes. Junkie does not verify that the victim is a real COM, thus EXE files with a COM extension (4DOS.COM, NDOS.COM) will become infected and may hang the computer if run. The virus code is encrypted. Junkie does not use stealth and it is a selective fast infector (not all files will be infected on opening, just some). Junkie will infect COM files longer than about 5 Kbyte only. As far as we could see from the code, Junkie has no payload.

Other symptoms: when active, Junkie will decrease the base memory by three kbytes, by modifying INT 12h's return. Also, INT 1Ch (timer) will be hooked; QEMM will complain about it and will not load high programs requiring this handler.

Detection: 3 kbyte memory stealing is detected on booting, the decoy test will disclose memory resident viral activity, the virus will be sampled (9224 bytes sample) and the master boot sector will indicate it was changed. Furthermore, if a virus scan is attempted with IVSCAN, or an integrity check with IVB, piggybacking will be sensed and the scan will be halted.

Removal: first, the HD MBS should be repaired with a generic tool (FDISK/MBR, ResQdisk, IVSCAN/B etc.) and the machine should be rebooted. When Junkie is not resident the files can then be repaired by IVSCAN or IVB. Files that were secured with InVircible from former versions will be fully restored with the generic recovery mode.

Zvi Netiv, author InVircible

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 10:43:22 -0400
From: clandesm@panix.com (Cliff Landesman)
Subject: need help with kampana virus (PC)

I was having trouble reading and writing to diskettes, so I ran F-Prot and it reported the kampana virus in memory. How do I reboot from a clean boot disk? My DOS 5.0 came with the used computer I bought and I only have the original diskettes for DOS 4.0, not 5.0. I'd like to keep 5.0, if possible. If I install 4.0, will I lose 5.0? How serious is the kampana virus?

--Cliff

--
The Internet NonProfit Center: Information ABOUT nonprofit organizations.
Accessible by gopher, www, ftp, and email   At: envirolink.org   Select: EnviroOrgs

------------------------------

Date: Thu, 30 Jun 94 12:04:10 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: New Super-virus "Junkie" (PC)

Michael_D_Jones@ccm.hf.intel.com (Michael Jones) writes:

>Does anyone have any specific information on the "Junkie" virus?

simple encryption, 1027 bytes, infects MBRs too. relatively easy to get rid of....not a "super virus" at all..

>I got the
>following fax yesterday from someone. Do any other scanners detect and/or
>clean this.

At least F-PROT 2.12C ... I don't know anything about other scanners

>I don't buy their solution for cleaning it.

the reformatting "solution"...no...they are just totally incompetent...

-frisk

------------------------------

Date: Thu, 30 Jun 94 12:19:21 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Symantec (PC)

tluten@news.delphi.com (TLUTEN@DELPHI.COM) writes:

>Dr. Bontchev's remarks on AV software caught my eye. Symantec owns
>all of Norton, thus Norton AV. It bought Central Point, and thus owns
>its AV package. It bought Certus, and used the technology to upgrade
>Norton AV. It apparently (per Bontchev) bought yet another company
>that produces (or produced) an AV product.
the original NAV (version 1) was a horrible, unusable and almost worthless product....Symantec knew that, but they had to offer something. They approached me...invited me and my wife over to California, and made an offer regarding taking over F-PROT. However, I was not satisfied with what they offered, so we flew back home.

Symantec bought Certus for their Anti-virus technology, and managed to get a good product that way. Regarding Central Point, on the other hand, they must have bought them for a different reason - the Certus/NOVI technology is IMHO better than the Central Point one.....I guess the prime reason was that they wanted to get rid of their primary competitor in the general utility area....or the CPAV customer base...

-frisk

------------------------------

Date: Thu, 30 Jun 94 12:23:11 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshi (PC)

Allan D Gray (agray@ATHENA.MIT.EDU) writes:

> F-prot says that this can cure this virus. When I run it, it says that it has
> cured it. If I run it again, it finds "Joshi" and claims to cure it again....

Be aware that Joshi has two important properties. First, it is stealth, which means that if it is active in memory, a program inspecting the disk won't be able to "see" it there. Second, on some computers it "survives" a warm reboot. That is, if you press Alt-Ctrl-Del, it might look as if the machine has rebooted (from a clean diskette), but the virus is still active in memory. I would suggest you turn the computer off and then on instead, or use the Reset button, if you have one.

> The computer won't boot without a boot disk....

That's already strange... Joshi doesn't cause such problems. It could be that you have a different variant, or more than one virus, or a somehow damaged copy of the virus.

> Does anyone know how to deal with this problem without reformatting my
> entire HD??? If so, please let me know.
My advice is to cold-boot from an uninfected write-protected DOS 5.0 (or above) system diskette, make sure that the hard disk is accessible (e.g., DIR C:) and ONLY IF IT IS, run FDISK/MBR.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 13:02:11 -0400
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: Symantec (PC)

TLUTEN@DELPHI.COM wrote:

>Dr. Bontchev's remarks on AV software caught my eye. Symantec owns
>all of Norton, thus Norton AV. It bought Central Point, and thus owns
>its AV package. It bought Certus, and used the technology to upgrade
>Norton AV. It apparently (per Bontchev) bought yet another company
>that produces (or produced) an AV product. what *are* they up to?
>
> Tom Luten
> TLUTEN@DELPHI.COM
>

Maybe they try to finally compete with McAfee, or even TBAV and F-Prot, let alone the Russian AVP ...

Piet de Bondt.   bondt@dutiws.twi.tudelft.nl or piet@kgs.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Thu, 30 Jun 94 13:02:54 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Netware & Virstop (PC)

Mark J. Miller (mjm@tardis.svsu.edu) writes:

> network. Because we have many old computers, 8088s & 286s, we want to be
> able to unload the network software from memory when they disconnect to
> free up memory. But with virstop loaded the unload command doesn't unload
> the software.

This is because VirStop has intercepted some interrupt vectors after the network shell. The only way to unload the network shell would be to "unhook" VirStop first.
This is not possible, and it is intentional - if it were possible, a virus could do it as well. This is exactly the situation with CPAV's VSAFE - it is possible to unload it from memory and there are viruses designed to do exactly that.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 13:03:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Symantec (PC)

TLUTEN@DELPHI.COM (tluten@news.delphi.com) writes:

> Dr. Bontchev's remarks on AV software caught my eye. Symantec owns

I'm flattered, but please note that I am not a Dr. yet. :-)

> all of Norton, thus Norton AV. It bought Central Point, and thus owns
> its AV package. It bought Certus, and used the technology to upgrade
> Norton AV. It apparently (per Bontchev) bought yet another company
> that produces (or produced) an AV product. what *are* they up to?

Making money, I guess. :-)

Yep, now Symantec should "own" the following anti-virus products: NAV, CPAV, MSAV, NOVI, Untouchable. (And didn't Central Point buy XTree in the past? Then Symantec should now also own XTree's anti-virus product.)

Just speculating - what would happen with the millions of users of the above products if, for some reason, Symantec suddenly goes out of business? :-( Yes, it doesn't look very probable, but then who would have thought one year ago that Central Point was going to disappear?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 13:03:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Best Anti-virus software (PC)

ohe@allianse.no (ohe@allianse.no) writes:

> We're trying to figure out the best Anti-virus software for both
> Netware servers (NLMs) and DOS/Windows workstations.
> We have been looking at Norton Antivirus v3.0, F-Prot,
> Norman Data Defences and Central Point.

I don't have much experience with NLMs and Winoze-based anti-virus products, but they are often worse than their DOS counterparts. However, I do have experience with the DOS versions of the above products. My impressions are:

1) CPAV - total junk. Often crashes. Causes false positives. Very low detection rate (impossible to measure, because it crashes on my virus collection). Nice user interface, though.

2) NAV - mostly useless. Better than CPAV, in the sense that it at least works. Difficult to test, but not impossible. Very low virus detection rate - something like 64%.

3) Norman Data Defense. Moderately useful. The user interface is flexible enough both for novices and power users. The detection rate is bearable, but nothing impressive - about 75%. Slightly worse than McAfee's SCAN.

4) F-Prot. Excellent scanner - one of the best around. Very high detection rate - about 96%. Very good disinfector.

Note that the above remarks apply only to the scanner parts of the products - the parts that are the easiest to test. Both NAV and CPAV also contain resident scanners, monitors, and integrity checkers - easy to bypass. Norman does not have an integrity checker. Only the Professional version of F-Prot has an integrity checker, but I am definitely not impressed by it.

> Does anybody have any kind of hints and tips, which one is the best
> and why ??

If you mean "which is the best one of the above four scanners", then this is definitely F-Prot.
If you are interested in the products in general (not only in the scanner parts), then the other products have more features, but they are rather weak anyway, so it is difficult to compare.

However, if you are asking which is the best scanner of the existing ones (not limiting yourself to the above four), then please consider also the following ones:

1) AntiVirus Pro. Shareware, excellent scanner/disinfector (comparable with F-Prot), mediocre integrity checker (comparable with the other ones), relatively good (well, as good as those things can be - i.e., not much) monitoring program, excellent virus information database, excellent memory inspection program (but novice users will probably never need it).

2) Dr. Solomon's Anti-Virus ToolKit. Commercial, excellent scanner/disinfector, mediocre (no, bad) integrity checker, excellent resident scanner.

3) TBAV. Shareware, excellent combination of different anti-virus tools, although one can find better ones in other packages. The scanner is excellent, the heuristic analyser too. Mediocre integrity checker, the disinfector shouldn't be relied upon - it is more like an experimental tool. The scanner is the fastest around.

4) Untouchable (used to be, sigh. Symantec bought the company that was selling it in the States and the product is now discontinued). Commercial, the best integrity checker around. The scanner is also very good. The Israeli company that produces it is working on a new version, the scanner of which is excellent.

5) Integrity Master. Shareware, good enough integrity checker, if you can't find Untouchable. The scanner is also good enough - slightly better than McAfee's SCAN.

6) VDS. Good enough integrity checker, if you can't find Untouchable, and if you manage to make it work on your system - I was unable to even install it on mine. The scanner is junk. Shareware.
There are probably a few other scanners that are in the "good enough" range (80-90% detection rate), but they are not worth mentioning, because some of the scanners mentioned above are in the "excellent" range (>90% detection rate). McAfee's scanner dropped out of the "good enough" range - my latest test with version 115b showed a detection rate of 79%. Seems that they can't keep up with the new viruses.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 13:07:55 -0400
From: sandyk@vt.edu (Sandy Knapp)
Subject: Re: New Super-virus "Junkie" (PC)

Michael_D_Jones@ccm.hf.intel.com (Michael Jones) says:
>
>Does anyone have any specific information on the "Junkie" virus? I got the
>following fax yesterday from someone. Do any other scanners detect and/or
>clean this. I don't buy their solution for cleaning it.

I have heard that F-Prot 2.12c (dated 6/16/94) will remove junkie and smeg. Get it from oak.oakland.edu. There was some discussion on one of the windows newsgroups about it recently

- Sandy

------------------------------

Date: Thu, 30 Jun 94 13:12:33 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Super-virus "Junkie" (PC)

Michael Jones (Michael_D_Jones@ccm.hf.intel.com) writes:

> Does anyone have any specific information on the "Junkie" virus? I got the

I posted an article with such information a few days ago. It has not appeared yet, but comp.virus seems to be stable now, so you'll probably see it soon.

> following fax yesterday from someone. Do any other scanners detect and/or
> clean this. I don't buy their solution for cleaning it.

F-Prot 2.12c and Dr. Solomon's scanner detect it for sure.
VPCScan 2.93 also detects it, but misidentifies it as PS_MPC-23(w). VET misidentifies it as TPE. AVP detects it too - as Junkie.1027. Of those scanners only Dr. Solomon's and AVP detect it in the boot sectors. F-Prot misses it there, sigh... :-(

> ****Another Super-Virus Discovered 06/02/94

Ignore this rubbish. It's another hype a la Michelangelo. The virus is a rather lame variably encrypted multi-partite memory resident COM and MBR infector.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 13:34:28 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stealth.B Pain (PC)

Rudy A Davis (p01322@psilink.com) writes:

> I have had the stealth.B virus on and off again for the
> past 6 months.

Thanks to Mr. Mark Ludwig for having written and published in his book the source of Stealth_Boot.A - the virus from which the one that has attacked you is derived.

> Central Point Anti-Virus version 1.5 does not even recognize
> this virus.

CPAV is total junk. Throw it away and get a better anti-virus product.

> Norton Anti-Virus 3.0 recognizes it but requires a RESCUE disk.

Again, definitely not one of the best anti-virus products around. Try F-Prot. If what you have is indeed Stealth_Boot.B, version 2.12c should be able to disinfect it.

> 1) What are the dangers of operating indefinitely with this
> virus ? (I have seen no ill-effects other than notification
> of existence thru NORTON AV v3.0)

You are going to spread the infection around. On some machine, the virus could cause damage.
Then the user of that machine, if they succeed in tracing you as a source of the infection, could sue you for not taking the necessary care and indirectly being the reason for the damage caused to them.

> 2) Anyone have any suggestions about an Anti-Virus program
> which will take care of this virus dynamically without
> having to re-install DOS ?

F-Prot should; give it a try.

> 3) Where is a published listing of people who write viruses
> so that I may wish bad things toward them by name ?

There isn't such a listing available, but it is known who has written (and published) the main Stealth Boot virus. His name is Mark Ludwig, he owns American Eagle Publications, and his e-mail address is 0005847161@mcimail.com. Send him a message, explaining to him how much you appreciate his book that teaches people how to write viruses.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Jun 94 14:42:10 -0400
From: Jim_Gallegos@Sterling.Com (Jim Gallegos)
Subject: BIOS Virus Protection, and Checksumming (PC)

In reading prior appends on using BIOS-based boot sector virus protection, I get the slight impression that it is not a desirable thing to have enabled... is this correct? I may be misunderstanding the appends (specifically by Vesselin on Thu 9 Jun), so please let me know if I am.

I would also like to "baseline" my systems by scanning executables after installation and computing a checksum/etc. and then periodically performing a re-scan to see if there are any changes (that I didn't cause myself, that is!). Does anyone know of such a utility? (I think CPAV does this, but I am not sure).
Jim Gallegos

------------------------------

Date: Thu, 30 Jun 94 15:38:49 -0400
From: perezju@fiu.edu (Julio J. Perez)
Subject: Anti-Virus for VINES Networks (PC)

Does anyone know of any decent anti-virus software packages that will work in Banyan VINES networked environments? I am looking for something that will check for viruses in the Unix kernel of the servers in addition to the DOS-compatible files on the server.

While on the subject of VINES, does anyone know of a newsgroup that supports Banyan VINES? Apparently, there's Novell even in the soup around here..

====================================================================
Julio J. Perez                   Candidate for M.S. in Computer Science
Florida International University--Miami, FL USA
Internet: perezju@fiu.edu   Phone: +1 305 471-1810   Fax: +1 305 471-1878
====================================================================

------------------------------

Date: Fri, 01 Jul 94 10:58:07 -0400
From: dnikuya@netcom.com (dave nikuya)
Subject: Stealth Virus size-hiding technique? (PC)

Most descriptions of stealth viruses mention that they will intercept calls regarding files they have infected, so as to return the original size, etc. My question is: assuming that they have not added so much size to the infected file that it requires more clusters (and would therefore set off alerts from CHKDSK et al.), would it not be easier and just as effective to simply change the size recorded in the directory back to the original size?

--
dnikuya@netcom.com

------------------------------

Date: Fri, 01 Jul 94 10:59:36 -0400
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Monkey Virus (PC)

Monday, 27 Jun 1994 TC Molloy dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy) writes:

>I had a little excitement yesterday. An accounts customer was directed to
>me concerning a problem. He couldn't read a DOS floppy diskette on his
>Compaq notebook. He wanted to know if I could help him to recover his
>critical data.
>I put the disk in my AST notebook and typed 'dir'. Immediately, the bells
>and whistle from my Anti-viral package went off. The "Monkey" virus was
>attempting to write to the boot sector of my hard disk and my anti-virus
>software package had frozen my machine waiting for me to respond with
>Proceed or Stop. My anti-virus package stops whenever anything attempts to
>write to the boot sector without permission. Of course, I said STOP.....
>The "Monkey" virus is an encrypted virus that can only be identified when
>it is in RAM. .....

Dear Mr Molloy,

Would you please detail which Anti-Viral Package is in use on your machine? That's in order to establish what kind of product(s) detect the Monkey virus in memory. Remember some messages posted (I believe ...) recently asked about Monkey.

Kind Regards
Ruben Arias

------------------------------------------------------------------------------
Ruben Mario Arias                          E-mail: ruben@ralp.satlink.net
Buenos Aires, ARGENTINA.
------------------------------------------------------------------------------

------------------------------

Date: Fri, 01 Jul 94 10:59:55 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: New AV software (PC)

tluten@delphi.com writes:

>From: tluten@delphi.com
>Subject: New AV software (PC)
>Date: Mon, 27 Jun 1994 15:33:45 EDT

>Greetings, wizards! I'm new to the net, and came because I thought I'd
>find a collection of virus experts here. I think I have. My purpose is
>to seek advice. I may have an opportunity to do some work with a start-up
>that proposes to market a new AV product.

If you are making plans for your future, rather pick SQL databases or something solid.

>My problem is that I have a sense
>the AV market is pretty well served already.

It in fact is, but of course there are always chances for new good products; but then you should try to find something new.

>Three years ago, it seems that
>I was reading about computer viruses every other day.
Do you really say there went a day without a screamout :-)

>I know that when
>Michelangelo was about to go off, we bought Norton AV, Flushot, got a copy
>of SCAN, and worried a lot. Not so much now. I read that Windows files
>are basically uninfectable. Does the rise of Windows spell the end of virus
>concerns?

I am afraid not.

>Do concerns over viruses spell the end of DOS?

I am again afraid not :-)

>So, if we posit
>a new AV product with essentially a 100% hit rate, very fast integrity checker,
>heuristics, etc., etc., in short a betterfasternotcheapersmarter product,
>does anyone care?

There ain't a 100% hit rate. There already are very good and fast integrity checkers, there already are good heuristic scanners. Two good ones are at least TBAV and AVP.

>Does the world want/need a new AV product?

I am a little biased to answer this one, but I would say no if it can be avoided.

>And by the
>way, what does it take in an AV company to be a top three player?

You have to have a working organisation:

1. development department
2. marketing department
3. support department
4. a "spy" network
5. international department
6. manufacturing department
7. shipping department
8. accounting department
9. PR department
10. a few other departments.

You end up with about 40-150 people. Then if this startup company is starting from scratch it should have financing for about 1-2 years before the product is ready to ship. Then development has to be widened to cover all the different operating systems. Hmm, I think I wouldn't start a development project of a new anti-virus product.

>
>All responses welcome! And thanks for your time.
>
>
> Tom Luten

Best Regards
Kari Laine, buster@klaine.pp.fi
LAN Vision Oy, FINLAND

------------------------------

Date: Fri, 01 Jul 94 11:00:10 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: Symantec (PC)

Yes, Symantec did indeed buy 5th Generation. And, if I might add, they purchased another AV producer called XTree.
Hmmmmmm.....seems obvious to me what they are doing.

Lucas
kellogg@netcom.com

TLUTEN@DELPHI.COM (tluten@news.delphi.com) wrote:
: Dr. Bontchev's remarks on AV software caught my eye. Symantec owns
: all of Norton, thus Norton AV. It bought Central Point, and thus owns
: its AV package. It bought Certus, and used the technology to upgrade
: Norton AV. It apparently (per Bontchev) bought yet another company
: that produces (or produced) an AV product. what *are* they up to?

------------------------------

Date: Fri, 01 Jul 94 11:04:21 -0400
From: hzf30@mfg.amdahl.com (Curly)
Subject: Re: AntiVirus Pro (avp_200.zip) (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> Grettir Asmundarson (grettir@keflavik.wordperfect.com) writes:
>
> > What is the best alternative to VSUM? F-Prot has accurate virus
> > information built-in, but sometimes I'd like more information than is
> > available there. I've taken a look at both CVC and CMBASE, but I'm not
> > sure those are the answer either...
>
> Try Eugene Kaspersky's AntiVirus Pro. It has a very nice help system,
> with descriptions of hundreds of viruses, and even with demos of their
> sound and video effects.

I have tried this program and found it to be very good. Unfortunately, it always crashes my system when I try to exit from it. It exits with a message saying that it cannot find COMMAND.COM and locks up. I have to reboot to recover (I hate that!) Curiously, it runs fine when executed from the command line. Only when I use it interactively does it hose up my system. Anyone else experience this and/or have a solution?

-Curly

> Regards,
> Vesselin

------------------------------

Date: Fri, 01 Jul 94 11:03:45 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Date: Mon Jun 27 15:33:45 1994 dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
writes:

>res@bfs.uwm.edu (Ralph Stockhausen) writes:
>>I would like to check out the functioning of my anti-virus setup. Are there
>>any "disabled" viruses available that my program could detect, but would be
>>safe to have on a test floppy?

>Doren Rosenthal has one, but I forgot her full email address

My address is:

Doren Rosenthal
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
email as194@cleveland.freenet.edu
Phone 1 (805) 541-0910 (voice)

I'm a member of both the ASP and the ASAD and you can obtain the shareware version of my "Virus Simulator" as VIRSIM2C.ZIP from most ASP approved vendors and the ASP, JCS and other CD-ROMs. Also it is available for downloading from most anonymous ftp sites and simtel and garbo mirrors. VIRSIM2C.ZIP Registered users receive several supplements in addition to the shareware version.

Fridrik Skulason writes:

>Well, as I have said several times before...the programs created by the virus
>simulator are not viruses, so anti-virus programs should *not* detect them at
>all. Some scanners may or may not detect them, but detection (or failure
>to detect) says nothing about the ability of the scanner to detect the actual
>viruses.

This is not correct and Frisk is welcome to correct me if he believes otherwise. The Virus Simulator MtE supplement generates real viruses based on an actual Dark Avenger mutation engine. Users can confirm this for themselves as the samples actually replicate. Like all the virus samples generated by the Virus Simulator, they are safe and controlled.

The boot sector virus simulations actually overwrite the boot sector on the floppy diskette. You can boot from the floppy and confirm this for yourself. The registered version supplement "B" does this very dramatically. Anti-virus products that protect systems from attacks on a boot sector from a virus should have no difficulty revealing this action.

The memory resident virus simulation puts a very large TSR in memory.
Again, anti-virus products that protect against this action should have no difficulty revealing the memory resident virus simulation. It also flashes "Rosenthal Engineering, Test Virus in Memory" if you have any doubt it's there. Users should simply read the DOC file for themselves to understand the strengths and limitations of Virus Simulator.

Vesselin Bontchev writes:

>> Doren Rosenthal has one, but I forgot her full email address

>First, I think that it is 'he', not 'she'.

At last Vesselin and I agree on something. I'm a he...

>Second, his so-called
>"virus simulator" is *completely* useless for testing anti-virus
>software. The "simulated viruses" generated by it are not viruses at
>all - just collections of scan strings stolen from different
>scanners. If a scanner detects them, this is no guarantee that it will
>detect the live virus as well, and if a scanner does not detect it,
>this does not necessarily mean that it will not detect the real virus.
>In short - completely useless product, and a harmful one too, because
>it misleads the people.

Forgive me, but I don't believe this second point is correct. As described in the documentation, the registered version of Virus Simulator includes a number of supplements. This program is publicly available to anyone who has an interest. Anyone who doubts that the Virus Simulator MtE Supplement is a valid virus for training and demonstration can watch it replicate just as Vess has himself. If an anti-virus program fails to detect one of the files infected by the Virus Simulator MtE Supplement, it has failed to detect a real virus based on an actual Dark Avenger Mutation Engine that has been made safe and controlled.

There is certainly room for disagreement here on the value of my Virus Simulator. The program is publicly available for anyone to try for themselves and form their own opinion. Please be sure to read the documentation file; the limitations of this program are clearly stated, it's not misleading at all.
Doren Rosenthal
as194@cleveland.freenet.edu
Member ASP and ASAD. Author of Virus Simulator (VIRSIM2C.ZIP), Rosenthal UnInstall (UNSTAL01.ZIP), Rosenthal WinLite (WINLITE1.ZIP), Disk Drive Cleaner (CLEANER1.ZIP), System Monitor (SYSMON30.ZIP), Master Disk (MASTER20.ZIP)
--------------------------------------------------

------------------------------

Date: Fri, 01 Jul 94 11:00:40 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: New Super-virus "Junkie" (PC)

This virus known as Junkie is, in reality, a simple virus that is multi-partite, encrypted, and stealth. I am unaware of a logic bomb in the virus. I know of three reported cases of this virus, all outside the continental U.S.

To detect it, either wait for our revision 117 of Viruscan, or use scan with the /ext [filename] option. Create a file with the following string:

" 268134??4646E2F7 "

As you can see, since this is detectable from a string, this is not really a polymorphic virus, as has been reported.

Lucas
McAfee Tech Supt

------------------------------

Date: Wed, 29 Jun 94 12:26:11 -0400
From: dm252@cleveland.Freenet.Edu (Keith A. Peer)
Subject: Antiviral Toolkit Pro 2.0 in US (PC)

Antiviral Toolkit Pro 2.0 D has been RELEASED in the US!

This package is the database-oriented professional antiviral software - Antiviral Toolkit Pro ver. 2.0. It can be used as a conventional and/or professional (Pro) antiviral system.
It consists of four programs:

Antiviral scanner/remover                        -V.EXE
Antiviral scanner/remover with database editor   -VPRO.EXE
Antiviral resident detector                      -D.COM
Antiviral utilities                              -U.COM

The main features of AVP antiviral are:

- A great number (more than 3000+) of viruses which are detected and disinfected by the AVP scanner;
- Code Analyzer (heuristic scanner) which detects new viruses or modified variants of the old ones;
- Unpacking Engine which allows scanning packed files in on-the-fly mode;
- Extracting Engine which allows scanning archive files in on-the-fly mode;
- Database Editor which allows including information on how to detect and disinfect new viruses;
- Professional utilities and antiviral monitor.

You can find AVP in:

AVP200D.ZIP    size 1,022,996   complete archive
AVP200D1.ZIP   size   635,886   part 1 of 2
AVP200D2.ZIP   size   396,265   part 2 of 2

It has been uploaded to:

Channel 1 BBS         1-617-354-3230
CompUSA BBS           1-214-888-5406
File Bank BBS         1-619-728-7307
Metaverse BBS         1-606-843-9363
PC-OHIO BBS           1-216-381-3320
PKWARE BBS            1-414-354-8670
Rusty and Edy's BBS   1-216-726-3642
Sydex BBS             1-503-683-1385

FTP sites will follow soon! I will post where I have placed the archive in a few days.

Sincerely,
Keith A. Peer
CENTRAL COMMAND INC.

--
Keith A. Peer -=> dm252@cleveland.freenet.edu       +---------------+
Central Command Inc.                                 |    PGP Key    |
P.O. Box 856, Brunswick, Ohio 44212                  |   Available   |
216-273-5743 [Anti-Viral Services / Consulting]      +---------------+

------------------------------

Date: Wed, 29 Jun 94 12:34:15 -0400
From: dm252@cleveland.Freenet.Edu (Keith A. Peer)
Subject: AVP 2.0 User's Guide (PC)

Antiviral Toolkit Pro User's Guide
==================================

The User's Guide for Antiviral Toolkit Pro 2.0D that was released in the U.S. was accidentally not included within the archives: AVP200D.ZIP, AVP200D1.ZIP, AVP200D2.ZIP or AVP200D.ARJ. I have released the User's Guide in the archives AVP20USG.ZIP and AVP20USG.ARJ. Look for the file USERGUID.DOC within AVP20USG.ZIP or AVP20USG.ARJ.
This is the English User's Guide. I apologize for this oversight.

I have uploaded it to:

Channel 1 BBS         1-617-354-3230
CompUSA BBS           1-214-888-5406
File Bank BBS         1-619-728-7307
Metaverse BBS         1-606-843-9363
PC-OHIO BBS           1-216-381-3320
PKWARE BBS            1-414-354-8670
Rusty and Edy's BBS   1-216-726-3642
Sydex BBS             1-503-683-1385

FTP Sites will follow in a few days! I will post where I placed the archive.

Sincerely,
Keith A. Peer
CENTRAL COMMAND INC.

--
Keith A. Peer -=> dm252@cleveland.freenet.edu       +---------------+
Central Command Inc.                                 |    PGP Key    |
P.O. Box 856, Brunswick, Ohio 44212                  |   Available   |
216-273-5743 [Anti-Viral Services / Consulting]      +---------------+

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 52]
*****************************************
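Jim Gallegos asks in this digest for a utility that "baselines" a system by checksumming its executables after installation and then rescans periodically to report changes he did not make himself. The following is an added example of that baseline-and-rescan approach written for this page; it is not a tool from the digest, nor code from CPAV, AVP or any other product named in it. The directory layout, file names, sample bytes and the list of executable extensions are constructed for the demonstration.

```python
"""Baseline-and-rescan integrity checker for a directory of executables.

Added example for the VIRUS-L digest (not a tool discussed in it). It
records a SHA-256 digest and size for every file whose extension is in
EXECUTABLE_EXTS, stores that as a JSON baseline, and on a later rescan
reports files that were added, removed or modified since the baseline.
"""
import hashlib
import json
import os
import tempfile

# Extensions treated as executable code on a DOS-era system (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".sys", ".ovl", ".dll"}


def file_digest(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record digest and size of every executable file.

    Keys are paths relative to `root` with forward slashes, so a baseline
    taken under one drive letter or mount point compares cleanly later."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as sorted JSON so two runs diff cleanly."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Return sorted lists of relative paths that were added, removed or
    whose digest changed between baseline `old` and rescan `new`."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline constructed sample files, change them, rescan and compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DOS"))
        # Constructed stand-ins for executables; the bytes are arbitrary.
        files = {
            "COMMAND.COM": b"\xb8\x00\x00" * 40,
            "DOS/FORMAT.EXE": b"MZ" + bytes(range(100)),
            "DOS/EDIT.EXE": b"MZ" + b"\x90" * 300,
            "README.TXT": b"not executable, ignored by the baseline",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # What a later rescan should report: one executable changed
        # (its contents grew), one was deleted, one new one appeared.
        with open(os.path.join(root, "DOS/FORMAT.EXE"), "ab") as f:
            f.write(b"\xcc" * 1024)
        os.remove(os.path.join(root, "DOS/EDIT.EXE"))
        with open(os.path.join(root, "NEW.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 10)

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats from the same digest apply to any checker of this kind. The baseline file must be kept somewhere the checked system cannot rewrite (a write-protected floppy in the era of this digest), or a change to the baseline goes unnoticed along with the change to the executable. And, as the stealth discussion in the thread makes clear, a scan taken while a stealth virus is resident in memory sees the sizes and contents the virus chooses to return, so the rescan should be run after a cold boot from known-clean media.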