VIRUS-L Digest   Friday, 15 Jul 1994   Volume 7 : Issue 54

Today's Topics:

Types of viruses???
Re: Fred Cohen and computer viruses
Re: Disabled viruses?
Ignorance
Bad and good viruses...
Re: Viruses = Commercial Opportunity?
Re: Types of viruses???
Anonymous FTP Site Distributing Viruses?
Re: SMEG Junkie (PC)
Re: Cansu virus... Please Help/RISC-Aix virus Scan (PC)
Re: VTECH 4.0 (PC)
Re: Need info on "WONDER" virus (PC)
Rosenthal Virus Simulator (PC)
Re: Netware & Virstop (PC)
unknown virus (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: Need help on "stoned" virus (PC)
Re: Joshi (PC)
Re: Netware & Virstop (PC)
Re: New Super-virus "Junkie" (PC)
Re: Safe ANSI driver - where ? (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: Symantec (PC)
Re: "New" Virus found? (PC)
Re: Best Anti-virus software (PC)
Stoned.Manitoba (PC)
Re: Dr Solomon's on the move! (PC)
Dr Solomon's on the move! (PC)
Re: Why so many Leprosy viruses? (PC)
generic virus question (PC)
Re: Cure for SVC.2936 & Three_Tunes viruses (PC)
antivirus products (PC)
Re: Cure for SVC.2936 & Three_Tunes viruses (PC)
DATA-RAPE VIRUS (PC)
Mirroring of mcafee.com restricted (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 03 Jul 94 18:06:44 -0400
From: Iolo Davidson
Subject: Types of viruses???

> I do not intend to floppy transport any executables.

Every formatted PC floppy contains an executable.

- --
MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID    Burma Shave

------------------------------

Date: Sun, 03 Jul 94 18:12:09 -0400
From: rferris@magnus.acs.ohio-state.edu (Rebecca R Ferris)
Subject: Re: Fred Cohen and computer viruses

Vesselin Bontchev wrote:
>CELUSTP@cslab.felk.cvut.cz (CELUSTP@cslab.felk.cvut.cz) writes:
>
>> VB: In that definition Vesselin Bontchev was trying to make sense from a
>> VB: scientific point of view. Dr. Cohen's definition also makes sense from
>> VB: a scientific point of view. However, the average user doesn't give a
>> VB: dime for the scientific point of view and stands on practical
>> VB: reasoning.
>
>> Scientific point of view is not good for practical reasoning?
>
>There is certainly something wrong with your way of logical reasoning.
>The above only means that some theoretical scientific concepts do not
>have immediate practical applications and are therefore useless for
>this purpose. This does not mean that they are not useful for other
>(theoretical) purposes. What I am saying is that Dr. Cohen's
>definition of the term "computer virus" is one of those things.
> [snip]
>
>But what I am saying actually is: Dr. Cohen's "computer viruses" are
>not what we are calling "real computer viruses" - they are a broader
>term, which include both "real computer viruses" and "some useful
>self-replicating programs" - two completely incompatible sets. I am
>also saying that Dr. Cohen's definition/understanding of the term is
>too broad to be of any practical use.
>Note that I am not saying that
>it is useless - it is in fact quite useful to prove some important
>theorems.
> [snip]
>> S: The understanding
>> S: requires sometimes particular knowledge of mathematics.
>
>> VB: The general public doesn't have one, which is why they don't
>> VB: understand him.
>
>> What is "general public"?
>
>The billions that learn about the things outside their field of
>specialization from the media.
>
>> If word "general" denotes the diversity in
>> education of people meeting viruses on this or that way, then it is
>> reasonable to think that some of them will have some knowledge of
>> mathematics.
>
>Some undoubtedly do. A very minor part. Some of them who have one,
>does not have a knowledge about the particular part of mathematics
>needed to understand Dr. Cohen's papers. (Mathematics is a wide field,
>you know... and the mathematicians are a strange group. ) Some
>of those who *can* understand them might have never heard about them
>or even about computer viruses (oh my!), or may never make the
>connection between the nasty program that has erased their hard disk
>and Dr. Cohen's elegant mental constructs.
>
>> Besides, to understand Fred Cohen's work one needs some
>> knowledge of theory of sets and basics of mathematical logic. I think that
>
>> Anyway, I agree with Fred Cohen's proposal about discerning between benign
>> and malign viruses.
>
>I don't. I think that the difference is so big, that we must use
>completely different terms. Even "computer viruses" and "real computer
>viruses" is not good enough. How about "agents" and "real computer
>viruses"?

Speaking on behalf of the General Public (i.e., one of the billions that learn about the things outside their field of specialization from the media, and one of those who depends on her computer every day), I've watched this ongoing debate with great interest and agree that the root of the problem is one of terminology.
I tend to agree with Vesselin's take on this virus issue, and I'm glad to see him propose clarifying the terminology. As an editor, I agree that using "real computer viruses" to describe the general public's definition of a virus is not a good alternative, since it implies that viruses by any other definition (e.g., Dr. Cohen's) are something completely different.

Being only a user and not a computer expert, I can't suggest any alternatives, but can I suggest a starting point? It seems to me that the crux of the problem is the breadth of the two definitions:

Scientific/mathematical/Dr. Cohen Definition: Boiled down, this definition basically describes the process by which a type of program works ("a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself"). This definition focuses on the action of the program itself - how it works - not on its uses or possible benefits/dangers.

General Public (i.e., general computer users who know nothing of programming and have no plans/time to take it up): Our definition depends upon the scientific one (re: "infecting" other programs) but also assumes negative aspects, e.g., a virus is a program that gets on our disks without permission and causes either actual damage, fear of actual damage, or at the very least annoyance.

One could make this distinction for the other sense of "virus" as well: Scientifically, a virus is "any of a kingdom of prokaryotes... that consist of nucleic acid, either RNA or DNA, within a case of protein: they infect animals, plants, and bacteria and can reproduce only within living cells," which is a very neutral description. Ask the average patient in a physician's waiting room, however, and they will tell you a virus is something that makes them sick ("a disease caused by a virus," the rest of this definition of virus, from Webster's New World Dictionary, 3rd College Edition).
The word "virus" has a long history of negative connotation (the Latin root of the word "virus" means "a slimy liquid, poison") that continues today and that all the technical arguments here will not erase. Therefore, I would suggest that, instead of trying to change the minds of millions about the definition of a computer virus (which I think would be a futile effort), let the General Public's definition stand (hey, it's in our dictionaries that way! :) ) and instead come up with a more neutral term for the scientific definition.

As Vesselin says, the danger in Dr. Cohen's asserting that there are beneficial viruses (which, according to his definition of virus, there are) is in the public's misunderstanding of his definition and the misuse of his assertions by more nefarious types.

- --
becky
rferris@magnus.acs.ohio-state.edu
_____________________________________________________
"That frog is not my plate!" -- Bess Lowell

------------------------------

Date: Sun, 03 Jul 94 18:13:04 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: Disabled viruses?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>Subject: Re: Disabled viruses?
>Date: Thu, 30 Jun 1994 08:58:35 EDT

>Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:

>> Doren Rosenthal has one, but I forgot her full email address

>First, I think that it is 'he', not 'she'. Second, his so-called
>"virus simulator" is *completely* useless for testing anti-virus
>software. The "simulated viruses" generated by it are not viruses at
>all - just collections of scan strings stolen from different
>scanners. If a scanner detects them, this is no guarantee that it will
>detect the live virus as well, and if a scanner does not detect it,
>this does not necessarily mean that it will not detect the real virus.
>In short - completely useless product, and a harmful one too, because
>it misleads the people.

Hi Vesselin..
I agree with that but if the anti-virus program picks it up as a virus, at least it gives the tester an idea of whether the anti-virus program responds as it should. For example, you might want to see if it deletes or moves the file or properly displays its results in Windows or sends a message via NetWare or ? For those reasons, a simulated virus can be very useful in setting up and checking your A-V program. It can also be useful in training as a demo of what to expect if a "real" virus is found.

Ironically, the perfect A-V scanner will not see the simulated virus.

Best regards,
Norman Hirsch                     Phone: 212-304-9660
NH&A, authorized McAfee agent     Fax: 212-304-9759
577 Isham St. # 2-B               BBS: 212-304-9759,,,,,,,3
New York, NY 10034                CompuServe: 72115,661
USA                               Internet: nhirsch@panix.com

------------------------------

Date: Sun, 03 Jul 94 19:48:57 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Ignorance

Hello everybody,

Someone sent me the following message and asked me to reply to it in public:

> What does one do, in principle, when:
> One does not want to shell out $395 for an obsolete Word Perfect 5.1
> that one's wife's work requires files to be formatted in;
> One has one's wife use the default "word processor" that comes with
> Windows (Write), then uses the Software Bridge to translate it to WP format;
> Wife's work runs virus checker (and are naive to the point of not
> knowing which one), and gets a positive on a translated file;
> One does not find that virus on one's own machine using a checker
> that is able to find that virus (the infected file is only on
> floppies which did not test positive previously);
> Wife's work does not believe in false positives in virus software
> (being psychologists, they understand the concept of a false
> positive);
> Wife's work is paranoid of persons unknown, and so will not take
> any advice from one.
> Especially after one has given them a file
> with a virus in it;
> The infected file cannot be given to anyone (like the Software
> Bridge publishers, or anti-virus writers) because of confidential
> information in the file. So they disinfected it.
> What would you have them do?
> Feel free to respond to this in public. This is not a hypothetical
> situation.

Well, I am at loss how to reply to this question. What would I have them do? I am always ready to help - but if the user(s) do(es) not want my help, or does not trust me, or whatever - then I cannot do anything. My advice is - ignore them. Continue to work the way you are used to.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Sun, 03 Jul 94 19:54:40 -0400
From: roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag)
Subject: Bad and good viruses...

* In a message to All on 06-28-94, Bradley said:

B> It's a virus that does what I said. It includes an uninstall option for
B> the hard drive. If you want to know more, I have the full KOH document
B> in my little personal FTP site: ftp.netcom.com:/pub/bradleym
B> Just read the KOH.readme to find the KOH directory, and DON'T take the
B> actual program out of the U.S. because it's export controlled.

A virus that's export controlled? You must be kidding!
RogEr

-=-=-=[ roger.ertesvaag@thcave.bbs.no ]=-=-=-

- --- > SPEED 2.0b #1486 > Internet: roger.ertesvaag@thcave.bbs.no
- ----
+-----------------------------------------------------------------------+
| Thunderball Cave BBS +47 2256 7018 / 2256 8809 (USR V.32bis/Terbo)    |
|                -- thcave.bbs.no -- Oslo Norway --                     |
+-----------------------------------------------------------------------+

------------------------------

Date: Sun, 03 Jul 94 19:53:34 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Viruses = Commercial Opportunity?

Vesselin Bontchev wrote:
>Now, let's suppose that your product consists of a scanner alone, and
>you are about to enter the anti-virus business, with no prior
>experience in the field. Currently there are about 4,500 known viruses
>and averagely 2,000 new ones are produced every year. Let's suppose
>that it takes you averagely one hour to analyse a virus and modify
>your scanner in a way to be able to handle the virus properly. This
>means that you must spend 563 man-days only to be able to handle the
>currently known viruses. This is more than two years - and for those
>two years another 4,000 viruses (at least) will appear.

2,000 per year, eh? Gee, Pakistani Brain came out in ... 1986? That means there should be more than 10,000. I think something is wrong here. I'd suspect the growth is more exponential or logarithmic vs. linear, but I can't say I have done any statistical analysis. I know it's not linear though.

While it might take and one for a *person* to analyse a virus, it is quite possible to:

1) Use already existing information to your advantage. There is a lot of information on the net, even some useful info in VSUM that could be used to make this speed up. The difficulty is when there is *no* info on a virus. It might not work on DOS 5.0, and you might be testing things on DOS 5.0.

2) Even for one person, I've always found it useful/helpful to have more than one computer.
More than one hard drive might be kinda useful if you have only one computer. This allows you to have systems with different versions of dos -- many viruses might only work with dos 3.3, or 5.0 or...

3) Do you really need to detect 4500 viruses to be a useful product? There are many other products which don't detect nearly that many which still sell *quite* well.

4) While you will get opposite answers from just about everyone here, consider: Viruses in the wild are considerably more important to detect/remove than viruses *not* in the wild. Those should be highest priority (use Joe Wells' list, for example). The other 4300 or so viruses not in the wild probably won't ever get there. While I don't know if all, I'm sure that most viruses in the wild were "new" to virus scanners, and so they didn't help anyone in the first place, anyways, and they required some update before they were able to deal with the problem -- your product would also do this... Plus, you'd benefit from smaller size, faster scans, and a higher repair rate (since you could concentrate on repairs for some of the nastily encrypted polymorphic viruses)

5) How much can the process be automated? With Linux becoming more popular on PC's, how much can DOSEMU benefit someone working with viruses? I'll just leave this one open for your thoughts... :)

6) How much longer do you think that there will be a market for AV products? With OS's other than DOS gaining a larger user base, the number of viruses for a particular OS would be nearly reset to zero. People will only run programs in their DOS emulator before the equivalent comes out for their new OS.

>Do you see now why this is not for newcomers? Only a company with a
>lot of experience and an already established product in the field will
>be able to keep up with the game.

Maybe a lot of experience in ASM programming, but probably not a whole bunch more.
>That hasn't been very wise from your part, because Flu-Shot wouldn't
>protect you from a boot sector virus like Michelangelo, and NAV is one
>of the worse anti-virus products around.

Yeah, just because it has a smaller detection than, say, McAfee's SCAN, let's say, it must be amongst the worst, eh? At least there couldn't possibly be any other factors that go into an AV product's reviews, eh?

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Sun, 03 Jul 94 19:55:49 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Types of viruses???

mlwinkelman@dow.com (Mike Winkelman) writes:

>From: mlwinkelman@dow.com (Mike Winkelman)
>Subject: Types of viruses???
>Date: Fri, 1 Jul 1994 11:13:39 EDT

Hi Mike,

>Also, could someone explain in short sentences and layman's
>dialog the major methodologies by which viruses infect
>computers?

I only put here some thoughts, but there are also some viruses which are using other techniques, like infecting through an ARJ package or just infecting very specific files. But anyway I normally think of the process in two directions:

1. How a virus gains control of your machine so that it can start infecting floppies.

2. After it has control, how it goes forward.

A virus always has to get executed, otherwise it is a very dead one and there is no threat. So it has to be part of something the PC executes from time to time, like:

- partition sector
- boot sector (either floppy or disk)
- program file
- it is companion type (using default execution order of dos)
- it makes itself part of the file system (like DIR-II)

There are viruses which employ several of these techniques, so the division into types is normally so clear.

1. How a virus gains control of your PC

You start your machine with a floppy in the drive.
If this floppy contains a boot sector where there is a virus, it will try to infect your hard disk's boot and/or partition sectors. Because when you start a PC from the hard disk, the code in the partition sector and boot sector will get executed, and so any virus there will get executed and will go memory resident, watching anything you do. Now if it is a stealth virus it can make itself pretty invisible and even fool some scanners.

Another route might be a dropper which, when run, does the installing of the virus to your partition and boot sector.

A third would be an infected program you run in your PC; it will maybe infect some other files when it is run and/or go memory resident. Then it can start infecting programs when you run them.

2. How a virus will infect floppies to go other places

Basically the main thing is that then the virus must be of a type which is memory resident (actually viruses which don't employ memory resident techniques haven't become such a big problem). Now then, when you put a diskette into your floppy drive and make a dir, for example, the virus would install itself to the boot sector of the floppy (if it is employing boot sectors), and now when somebody boots his machine by accident the whole thing will repeat.

>I'm particularly interested to find out if there are any viruses
>that infect things like word processing files or other nonexecutable
>files that get transported from work to home and vice versa.

I would say these are not threats to anybody. There has been some fuss about these, but the bottom line is that I haven't heard of somebody getting such a thing in his machine and it causing damage. If somebody has indeed information about this I would be interested. Thanks.

>
>Just what are the problems with doing that??

Luckily it doesn't work (now I'm sure somebody jumps on me :) )

>
>I do not intend to floppy transport any executables.
One basic thing I have tried to get users to understand is that each floppy contains a small program in its boot sector, and that's the one which gives a message of the type "Non bootdisk ... replace and try again". So even an empty diskette might contain a virus like Form, which I have found in the field so much that I am totally fed up to hear even its name.

Regards
Kari Laine, buster@klaine.pp.fi
LAN Vision Oy

------------------------------

Date: Sun, 03 Jul 94 20:02:49 -0400
From: Iolo Davidson
Subject: Anonymous FTP Site Distributing Viruses?

> Yes, unfortunately such things happen every now and then. We are
> trying as well as we can to have such sites closed down and/or the
> viruses removed from public distribution, but it is not easy and new
> ones keep popping up. :-(

I have come to believe that this is (a) futile and (b) counterproductive. Trying to kill the market for viruses by restricting the supply just drives up the price. Hence the collection now being marketed on CDROM. If the price is attractive enough, it will become an additional motivation for writing new viruses (ie CDROM V.2). The only way to destroy the market is to allow free distribution of viruses. I would not want to be involved in such distribution myself, though. Let the crazies do it.

- --
MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID    Burma Shave

------------------------------

Date: Fri, 01 Jul 94 17:34:58 -0400
From: "Jimmy Kuo"
Subject: Re: SMEG Junkie (PC)

Lloyd E Vancil writes:
>A report in dod news this am ,Quoted below, speaks of
>Smeg and Junkie spreading. I cannot find reference to
>either in vsum. Can someone out there enlighten me please.
>What are these?

These are the newest "in-the-wild" viruses that have managed to hit the press. BTW, the only relationship between these two viruses is their proximity in time. Junkie is slowly getting more widespread. SMEG is so far only confirmed in England.

>Is the report below accurate?

Only slightly. It's made out to scare people.
The significance is you need to update your scanner's definitions (or the scanner itself). Scanners do not detect viruses they don't already have a definition for. But when a virus is known, new definitions are created. You just have to update your scanner.

Integrity checkers should have detected these, no problem. And integrity checkers with repair would have detected and repaired these, no problem. So, if you are a NAV user, make sure inoculation is on (it's on by default)!

>what can I use to find and kill them?

Get used to depending on more than just a scanner! In this case, an integrity checker would be constant, effective protection.

NAV made available an emergency definition set to detect Junkie a couple weeks ago. The update for SMEG is going through its paces before mass distribution now. And the actual viruses they're referring to as SMEG are Pathogen and Queeg.

NAV definition updates are available by calling the NAV BBS. Procedures are in your manual. They are also available from a subscription service and through Vesselin's ftp site (they're getting pretty big so it takes me a little time to package them and get them to him to post).

>Macafee?

Don't know about McAfee.

Jimmy Kuo                    cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Fri, 01 Jul 94 17:37:00 -0400
From: "Jimmy Kuo"
Subject: Re: Cansu virus... Please Help/RISC-Aix virus Scan (PC)

Subject: Cansu virus...Please Help/RISC-Aix virus Scan (PC)

Victor M. Germani writes:
>I have recently been on-site installing software and I have found a disk
>infected with the CANSU (??) virus. What is this virus? What does it do?
>what kind of virus is this. I need as much info on this virus as I can get.
>There is a possibility that we have infected several sites.

Cansu, or V-Sign, is a simple boot sector/MBR infector. Nothing special.

>I also found that the MSAV and Norton cannot find this virus. The
>virus was found using a customers virus program called inoculan (I
>think).
>Are there any other programs that can detect this virus?

This just says you haven't updated your definitions in a while. Everybody gets V-SIGN by now.

>This virus was found on a DOS disk, however, the file came off of a
>RISC/AIX server. Can this effect the server/UNIX environment and also
>the network.

It matters which machines the disk has been placed into. However, since it's a boot virus, where the files came from is irrelevant. However, whichever machine you have booted from this disk is infected. But I would assess from your message that you probably use this diskette for transporting files only. But backtrack your steps a little with the diskette and see if one of the machines' MBR you have been using is infected.

Jimmy Kuo                    cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Fri, 01 Jul 94 17:41:38 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VTECH 4.0 (PC)

Rob Vlaardingerbroek (Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se) writes:

> The Vtech 4.0 virus is spreading through Holland by Bulletin Board systems.
> It was found in game areas on BBS's in a file called GT3-324.ZIP. Delete
> this file immediately when found on your system. We received several
> messages from bulletin boards that went down on this one.
> The only av-product that will detect this virus is AVP in heuristic
> scan mode. For this reason we made a little disinfector, which is included
> in this file, called K-VTECH.EXE.

I strongly suspect that the virus described by you is what we (CARO) are calling "Lunacy" (because it's such a pathetic attempt to write a polymorphic virus). Is there any way, other than by a modem (I don't have one), to obtain your disinfector, so that I can check whether we are really talking about one and the same virus?
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Fri, 01 Jul 94 17:45:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need info on "WONDER" virus (PC)

cacs16@vaxa.strath.ac.uk (cacs16@vaxa.strath.ac.uk) writes:

> Does anybody know anything about the "WONDER" virus.

This is a remarkably unremarkable overwriting virus, written in a high-level language (Turbo C). The probability of you being infected by it is about zero.

> The virus detection on my PC says that the exe created
> by the C compiler is infected, but when I try to detect
> the virus on the hard disk the software doesn't find it.

Which virus detection are you using on your PC? It almost certainly uses a scan string for this virus, picked from the standard libraries that the compiler has attached to it - and thus detecting as "infected" any other C program that contains the same libraries. This is a common problem with viruses written in high-level languages and virus scanners that do not perform exact identification.

> However the software doesn't seem to find the actual virus.

There isn't one.

> Does that make any sense?

To me - yes, and I can see how it can be frustrating.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date: Fri, 01 Jul 94 18:01:51 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (PC)

Date: Mon Jun 27 15:33:45 1994
dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:

>res@bfs.uwm.edu (Ralph Stockhausen) writes:
>>I would like to check out the functioning of my anti-virus setup. Are there
>>any "disabled" viruses available that my program could detect, but would be
>>safe have on a test floppy?

>Doren Rosenthal has one, but I forgot her full email address

My address is:

Doren Rosenthal
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
email as194@cleveland.freenet.edu
Phone 1 (805) 541-0910 (voice)

I'm a member of both the ASP and the ASAD and you can obtain the shareware version of my "Virus Simulator" as VIRSIM2C.ZIP from most ASP approved vendors and the ASP, JCS and other CD-ROMs. Also it is available for downloading from most anonymous ftp sites and simtel and garbo mirrors. VIRSIM2C.ZIP Registered users receive several supplements in addition to the shareware version.

Fridrik Skulason writes:

>Well, as I have said several times before...the programs created by the virus
>simulator are not viruses, so anti-virus programs should *not* detect them at
>all. Some scanners may or may not detect them, but detection (or failure
>to detect) says nothing about the ability of the scanner to detect the actual
>viruses.

This is not correct and Frisk is welcome to correct me if he believes otherwise. The Virus Simulator MtE supplement generates real viruses based on an actual Dark Avenger mutation engine. Users can confirm this for themselves as the samples actually replicate. Like all the virus samples generated by the Virus Simulator, they are safe and controlled.

The boot sector virus simulations actually overwrite the boot sector on the floppy diskette.
You can boot from the floppy and confirm this for yourself. The registered version supplement "B" does this very dramatically. Anti-virus products that protect systems from attacks on a boot sector from a virus should have no difficulty revealing this action.

The memory resident virus simulation puts a very large TSR in memory. Again anti-virus products that protect against this action should have no difficulty revealing the memory resident virus simulation. It also flashes "Rosenthal Engineering, Test Virus in Memory" if you have any doubt it's there.

Users should simply read the DOC file for themselves to understand the strengths and limitations of Virus Simulator.

Vesselin Bontchev writes:

>> Doren Rosenthal has one, but I forgot her full email address

>First, I think that it is 'he', not 'she'.

At last Vesselin and I agree on something. I'm a he...

>Second, his so-called
>"virus simulator" is *completely* useless for testing anti-virus
>software. The "simulated viruses" generated by it are not viruses at
>all - just collections of scan strings stolen from different
>scanners. If a scanner detects them, this is no guarantee that it will
>detect the live virus as well, and if a scanner does not detect it,
>this does not necessarily mean that it will not detect the real virus.
>In short - completely useless product, and a harmful one too, because
>it misleads the people.

Forgive me, but I don't believe this second point is correct. As described in the documentation, the registered version of Virus Simulator includes a number of supplements. This program is publicly available to anyone who has an interest. Anyone who doubts the Virus Simulator MtE Supplement is not a valid virus for training and demonstration can watch it replicate just as Vess has himself.
If an anti-virus program fails to detect one of the files infected by the Virus Simulator MtE Supplement, it has failed to detect a real virus based on an actual Dark Avenger Mutation Engine that has been made safe and controlled.

There is certainly room for disagreement here on the value of my Virus Simulator. The program is publicly available for anyone to try for themselves and form their own opinion. Please be sure to read the documentation file; the limitations of this program are clearly stated, it's not misleading at all.

Doren Rosenthal
as194@cleveland.freenet.edu
Member ASP and ASAD.
Author of Virus Simulator (VIRSIM2C.ZIP), Rosenthal UnInstall (UNSTAL01.ZIP), Rosenthal WinLite (WINLITE1.ZIP), Disk Drive Cleaner (CLEANER1.ZIP), System Monitor (SYSMON30.ZIP), Master Disk (MASTER20.ZIP)
- --------------------------------------------------

------------------------------

Date: Fri, 01 Jul 94 18:08:01 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Netware & Virstop (PC)

mjm@tardis.svsu.edu "Mark J. Miller" writes:

> This isn't strictly a virus question, but I was hoping someone might
> have some suggestions. No rude ones please ;)
>
> We are getting faculty offices hooked to a Novell network & we want to
> install f-prot's virstop. I know how to do this, either in autoexec or using
> /rehook. But, the computers won't be connected to the network all the time.
> We're allowing faculty to choose when & how long to be connected to the
> network. Because we have many old computers, 8088s & 286s, we want to be
> able to unload the network software from memory when they disconnect to
> free up memory. But with virstop loaded the unload command doesn't unload
> the software.
>
> Does anyone know how to get around this? Will another anti-virus
> program do the trick?

Unloading anti-virus TSR's is controversial. If you can do it, a virus can be written to do it, too. Regardless of this fact, Novell refuse to certify TSRs that can't be unloaded.
The VirusGuard TSR in Dr. Solomon's Anti-Virus Toolkit can be unloaded, provided it was loaded with the right command line switch in the first place (thus preventing unloading in the default case). It can also be un-rehooked (in the f-prot terminology; VirusGuard calls it un-reguarding). This is a newish feature and may not yet be documented. I therefore advise that you ask their tech support hotline for the details of the switches rather than reveal them myself.

- --
Iolo Davidson

------------------------------

Date: Sun, 03 Jul 94 18:05:11 -0400
From: Iolo Davidson
Subject: unknown virus (PC)

> However, these are the symptoms:
>
> Many lost clusters taking up hard disk space.

This is the dreaded "turned off the computer without exiting the application" virus. It is spread by the increasingly common practice of allowing human beings to operate complicated machinery they do not understand. This practice is typically associated with the installation of Windows, though Windows itself is not to blame.

- --
MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID
Burma Shave

------------------------------

Date: Sun, 03 Jul 94 18:10:54 -0400
From: David_Conrad@MTS.cc.Wayne.edu
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Perhaps the time has come for McAfee to give up on the CRC polynomials, which of course can be forged, and to start using something better, like MD5. They could publish source code for the validation program as well as the executables. The source code for MD5 is available from RSA and can be used without royalties, and writing a wrapper program is a trivial exercise. The source code to my own mdx.exe (which is in xsum10.zip and can be found at oak.oakland.edu in /pub/msdos/fileutil) is only 114 lines, and it also does MD4, a self-check of the executable, wildcard matching and supports multiple patterns on the command line. A program that only did MD5 could be kept down to a few dozen lines of C code.
Try writing a 'cheating program' for MD5!

P.S. Please excuse the shameless plug for xsum, but it *is* freeware.

David R. Conrad
David_Conrad@mts.cc.wayne.edu
ab411@detroit.freenet.org

------------------------------

Date: Sun, 03 Jul 94 18:11:42 -0400
From: "Mark E. Johnson"
Subject: Re: Need help on "stoned" virus (PC)

Just cleanse the drive with McA V114. Get the CleanV114 off of any BBS, or call McA themselves at 408-988-4004 and download the latest version. The 'Stoned' virus is pretty harmless to an AT, unless you have a variant which can screw things up pretty bad, but download the CLEAN program and forget it.

------------------------------

Date: Sun, 03 Jul 94 19:48:36 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Joshi (PC)

Allan D Gray (agray@ATHENA.MIT.EDU) wrote:

> For months I have been using a boot disk for my computer, because I am
> infected with a boot-sector virus. [..]
> F-prot says that this can cure this virus. When I run it, it says that it has
> cured it. If I run it again, it finds "Joshi" and claims to cure it again....
> The computer won't boot without a boot disk....

Sounds like you got a double infection.. for example, you get infected by Stoned, then later by Joshi. When Stoned infected you, it moved the MBR to 0,0,7 (IIRC), and puts itself in the MBR. Then Joshi comes along and moves what it thinks is the MBR, but is actually Stoned, elsewhere. Then F-Prot comes along and sees you have Joshi, and puts what it thinks is the MBR back, but actually puts Stoned back.. etc..

However, if you can boot clean off a diskette and access your HD ok, then Fdisk /mbr will fix it.. (DOS 5 and higher)

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas                                  InterNet: iandoug@cybernet.za
P.O. Box 484          Lead, Follow,          FidoNet:  5:7102/119
7532 Sanlamhof        or get out of          TopNet:   225:2048/1
South Africa          the way.
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 03 Jul 94 19:49:22 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: Netware & Virstop (PC)

"Mark J. Miller" writes:

>From: "Mark J. Miller"
>Subject: Netware & Virstop (PC)
>Date: Thu, 30 Jun 1994 08:58:35 EDT

> This isn't strictly a virus question, but I was hoping someone might have
>some suggestions. No rude ones please ;)

> We are getting faculty offices hooked to a Novell network & we want to
>install f-prot's virstop. I know how to do this, either in autoexec or using
>/rehook. But, the computers won't be connected to the network all the time.
>We're allowing faculty to choose when & how long to be connected to the
>network. Because we have many old computers, 8088s & 286s, we want to be
>able to unload the network software from memory when they disconnect to
>free up memory. But with virstop loaded the unload command doesn't unload
>the software.

> Does anyone know how to get around this? Will another anti-virus program
>do the trick?

Yes, yes. But the first yes will work for any TSR. Get TSRCOM35 utilities including Mark and Release and the network versions. You do a "Mark" before you load the drivers you want to unload and do a "release" or a "release -K" (check me on the -K) and it will dump any TSR's loaded after the mark and will either release the mark or not depending on the -k. The file is available off BBS's and I have it on mine. You may find it on internet. It also has a useful utility "EATMEM" which you can use to eat up memory to test how much memory it takes to run a given program.

I would also suggest you use McAfee's VSHIELD program which is available from mcafee.com as the TSR of choice.

Best regards,

Norman Hirsch                        Phone: 212-304-9660
NH&A, authorized McAfee agent        Fax:   212-304-9759
577 Isham St. # 2-B                  BBS:   212-304-9759,,,,,,,3
New York, NY 10034                   CompuServe: 72115,661
USA                                  Internet: nhirsch@panix.com

------------------------------

Date: Sun, 03 Jul 94 19:50:56 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: New Super-virus "Junkie" (PC)

Michael_D_Jones@ccm.hf.intel.com (Michael Jones) writes:

>From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
>Subject: New Super-virus "Junkie" (PC)
>Date: Thu, 30 Jun 1994 08:58:35 EDT

>Does anyone have any specific information on the "Junkie" virus? I got the
>following fax yesterday from someone. Do any other scanners detect and/or
>clean this? I don't buy their solution for cleaning it.

McAfee provided a virus signature to create an ASCII file to use to detect JUNKIE. It is used with the /EXT switch using their SCAN.EXE version 116 or prior versions. The signature is:

"26 81 34 ? ? 46 46 E2 F7" Junkie Virus

Best regards,

Norman Hirsch                        Phone: 212-304-9660
NH&A, authorized McAfee agent        Fax:   212-304-9759
577 Isham St. # 2-B                  BBS:   212-304-9759,,,,,,,3
New York, NY 10034                   CompuServe: 72115,661
USA                                  Internet: nhirsch@panix.com

------------------------------

Date: Sun, 03 Jul 94 19:51:23 -0400
From: wfan1@lindblat.cc.monash.edu.au (William Fang)
Subject: Re: Safe ANSI driver - where ? (PC)

Mike Ramey (mramey@u.washington.edu) wrote:
: Can anyone tell me where to get a shareware -safe- ANSI driver?
: Some of the programs used in our computer lab require ANSI.SYS.
: PKSFANSI is -not- included in the shareware version of PKZIP.

On your nearest oak or simtel mirror, in screen/zansi12.zip.

Try ftp.clarkson.edu in pub/simtel20-cdrom/msdos/screen or archie.au (if you're in Australia).

- - Bill

------------------------------

Date: Sun, 03 Jul 94 19:52:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC)

Fridrik Skulason (frisk@complex.is) writes:

> >Nope.
> >When the Michelangelo virus activates, it overwrites the first
> >17 sectors on heads 0-3 on the first 256 tracks of the disk it has
> >been booted from.

> eh, I admit I was wrong, but you are not right either :-) it overwrites
> the first 256 tracks, heads 0-3, of the disk you boot from, but the number
> of sectors is variable, depending on the media.....

OK, I stand corrected. The *exact* way to say it is "...the first up to 17 sectors, depending on the media, on heads...". OK? :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Sun, 03 Jul 94 19:52:31 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: Symantec (PC)

tluten@news.delphi.com (TLUTEN@DELPHI.COM) writes:

>From: tluten@news.delphi.com (TLUTEN@DELPHI.COM)
>Subject: Symantec (PC)
>Date: Thu, 30 Jun 1994 08:58:35 EDT

>Dr. Bontchev's remarks on AV software caught my eye. Symantec owns
>all of Norton, thus Norton AV. It bought Central Point, and thus owns
>its AV package. It bought Certus, and used the technology to upgrade
>Norton AV. It apparently (per Bontchev) bought yet another company
>that produces (or produced) an AV product. What *are* they up to?
> Tom Luten
> TLUTEN@DELPHI.COM

Trying to get a larger market share (consolidation), I would suppose, although the AV portion of that was probably of minor concern compared to the utilities (PC Tools, etc.). Nevertheless, if you add up all the market shares of the above products in the AV marketplace in the US, they still have only approximately 1/2 of what McAfee has = 67%.

I once imagined all the companies absorbing each other till there were just two companies, Microsoft and the "other". Then Microsoft will simply buy the "other"!
Best regards,

Norman Hirsch                        Phone: 212-304-9660
NH&A, authorized McAfee agent        Fax:   212-304-9759
577 Isham St. # 2-B                  BBS:   212-304-9759,,,,,,,3
New York, NY 10034                   CompuServe: 72115,661
USA                                  Internet: nhirsch@panix.com

------------------------------

Date: Sun, 03 Jul 94 19:53:56 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: "New" Virus found? (PC)

frisk@complex.is (Fridrik Skulason) writes:

>From: frisk@complex.is (Fridrik Skulason)
>Subject: Re: "New" Virus found? (PC)
>Date: Fri, 1 Jul 1994 11:13:39 EDT

>bullingt@sfu.ca (Keith Gordon Bullington) writes:
>>I've come across a .COM infecting virus that fails to be caught by
>>SCAN v2.01, TBScan or F-Prot 2.12.

>the virus in question (Junkie) can be detected and removed with F-PROT 2.12c
>- -frisk

So it can with the Dr. Solomon's Anti-Virus Toolkit. Btw, does F-Prot remove it from the partition sector? And does it overwrite sectors 3 and 4?

Kari Laine, buster@klaine.pp.fi

------------------------------

Date: Sun, 03 Jul 94 19:55:22 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: Best Anti-virus software (PC)

ohe@allianse.no writes:

>From: ohe@allianse.no
>Subject: Best Anti-virus software (PC)
>Date: Thu, 30 Jun 1994 08:58:35 EDT

>We're trying to figure out the best Anti-virus software for both
>Netware servers (NLM's) and DOS/Windows workstations.
>We have been looking at Norton Antivirus v3.0, F-Prot,
>Norman Data Defences and Central Point.
>Does anybody have any kind of hints and tips, which one is the best
>and why ??
>Thank you

I would suggest you try McAfee's NLM and workstation products for DOS/Windows. They have very good detection rates (if not the best), the best support and the largest market share (if that means anything to you). They are very frequently updated. The NLM's are Novell Tested and Approved for 3.11, 3.12, SFT-III, NetWare for OS/2 and 4.01.

Best regards,

Norman Hirsch                        Phone: 212-304-9660
NH&A, authorized McAfee agent        Fax:   212-304-9759
577 Isham St. # 2-B                  BBS:   212-304-9759,,,,,,,3
New York, NY 10034                   CompuServe: 72115,661
USA                                  Internet: nhirsch@panix.com

------------------------------

Date: Sun, 03 Jul 94 19:58:03 -0400
From: Iolo Davidson
Subject: Stoned.Manitoba (PC)

> To me this means one of two things: either Stoned.Manitoba is not
> a BSV, or not all floppy disks have been scanned.

Number two is correct.

> I'm currently scanning *every* floppy disk anywhere near the area,
> and not trusting the users at all.

This is a common problem in a virus cleanup. Someone has a disk they think "doesn't count" when you ask for all the floppies. They may think this because it has only data files on it or similar reasoning. Any formatted floppy can have a boot sector virus. It does not have to be bootable or have any files on it at all.

Go get 'em!

- --
MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID
Burma Shave

------------------------------

Date: Sun, 03 Jul 94 19:57:41 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Dr Solomon's on the move! (PC)

"R. Wallace Hale" writes:

>From: "R. Wallace Hale"
>Subject: Re: Dr Solomon's on the move! (PC)
>Date: Fri, 1 Jul 1994 11:13:39 EDT

>>S&S International, developers of Dr Solomon's Anti-Virus Toolkit,
>>are moving to new, larger premises.

>Used versions 4.xx, but missed the 5.xx series completely. Recently put
>6.51 through the mill and was impressed.

Nice to hear that.

>Installation is fast, simple, and
>flexible, and the optional Toolkit interface certainly makes usage easy,
>even for a tyro.

>Going head-to-head with F-PROT 2.12, it's nearly impossible for me to
>pick a winner. However, since I value both products primarily for their
>scanner functions, and strongly advocate the use of at least two
>quality scanners, that presents no problem. :)

Both scanners are good. But on the detection rate and accuracy of polymorphic viruses I would say FindViru is more accurate. Do you have need for a memory resident scanner?
If so, compare those features in these products and you WILL notice a difference :-)

>Lest any one get an incorrect impression, I am not attempting to present
>a critical review of Toolkit. I'm not in the business of formally testing
>AV products, nor am I on the payroll of any AV product vendor.

I am biased because I am working in the technical support for LAN Vision Oy which is selling Toolkit here in Finland.

>I've regarded Toolkit as one of the best AV products available and wonder
>why there is so little mention of it here, other than in Vesselin's posts.

First, it is a commercial product and not like a shareware. And it seems many people discussing here are not the ones using paid av-software :-) I am quite sure bontchev or many other professionals did not have to pay for a licence, naturally. But yeah, I would like to see a little more posting about how to best use Toolkit and what improvements it would need and of course the problems also.

>Perhaps Toolkit users have no problems to discuss?

Yeah, that must be that.

> R. Wallace Hale                "You can observe a lot just by
> halew@nbnet.nb.ca               watching."
> BBS (506) 325-9002                       - Lawrence Berra

Regards
Kari Laine, buster@klaine.pp.fi
LAN Vision Oy

------------------------------

Date: Sun, 03 Jul 94 19:58:26 -0400
From: Iolo Davidson
Subject: Dr Solomon's on the move! (PC)

> I've regarded Toolkit as one of the best AV products available and wonder
> why there is so little mention of it here, other than in Vesselin's posts.

This is simply because those involved with the Dr. Solomon's Toolkit don't take part in this group. When I worked for them, I used to read the group regularly, but had trouble posting because the service we used was broken for moderated groups. I eventually figured out the work-around, just before leaving that service and joining demon, which is currently broken for moderated groups. I expect there would be more participation from S&S personnel if they didn't have to bypass a broken mailer.
Maybe they are actually sending messages and the mailer is losing them (that's what a mailer does when it is broken for moderated groups). I can't post to this group using the write or follow facilities; or rather I can, but the message just disappears. I have to address mail to the moderator by hand if I want it to get through.

- --
MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID
Burma Shave

------------------------------

Date: Sun, 03 Jul 94 20:00:25 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Why so many Leprosy viruses? (PC)

Vesselin Bontchev wrote:
>Neil McAllister (pcm2@netcom.com) writes:
>
>You never will. A virus that is that stupid is just unable to spread
>widely.

Hm. How many Stoned, Jerusalem, or... say, Vacsina infections have you heard of? Those viruses don't do anything at all fascinating. (unless you consider a TSR fascinating or fixups for EXE->COM's...) Trivial.xx is somewhat interesting for its "tight" programming, but I'd say it's not going to spread anywhere.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Sun, 03 Jul 94 20:00:00 -0400
From: sjs@crl.com (Steve Smith)
Subject: generic virus question (PC)

Please excuse my ignorance on the subject, but I'm trying to understand viruses. TC Molloy recently posted about a problem with the Monkey virus that caught my attention. He said in part:

> I put the disk in my PC and typed 'dir'. Immediately, the bells and
> whistles from my Anti-viral package went off. The "Monkey" virus was
> attempting to write to the boot sector of my hard disk and my anti-virus
> software package had frozen my machine waiting for me to respond with
> Proceed or Stop. My anti-virus package stops whenever anything attempts to
> write to the boot sector without permission.
> Of course, I said STOP..

How would a virus like this get activated? TC typed dir on his machine which wasn't booted off of the customer's infected disk. Wouldn't something have had to execute code that was infected, or was it the TSR of his anti-virus program that automatically scanned the disk and caught the culprit before it could do any damage or was even accessed?

Thanks
Steve Smith
sjs@crl.com

- - --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Sun, 03 Jul 94 19:59:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Cure for SVC.2936 & Three_Tunes viruses (PC)

Fabio Esquivel C. (fesquive@cariari.ucr.ac.cr) writes:

> Are those viruses really hard to disinfect?

Not really. It's perfectly possible to disinfect both of them.

> infected here in different enterprises and friends' homes, with both
> viruses and still McAfee's product (version 115B) and Fridrik's F-Prot
> (version 2.12c) are unable to disinfect them, though they are relatively
> old viruses.

There are so many viruses around that the authors of disinfecting programs simply cannot implement disinfection for all of them. And since disinfection is not recommended anyway (it is always better to restore from originals or a clean backup), it gets low priority compared to scanning. If those two viruses are in the wild in your area, report this to the producer of the scanner(s) you are using and request him to include disinfection for those viruses in the next release of the product.

> I remember that Dark Avenger was disinfectable by undoing the changes
> made to the executable's header and wiping off the virus code from the
> end of the executable file. I think that SVC.2936 (Scan's June1530) and
> the Three_Tunes viruses infect executable files in the same manner as
> Dark Avenger does.

Sort of... They are disinfectable, yes.
> Then, why is it not possible to undo the changes to the exec's header and
> leave the files as closely as they were before infection?

But it is. For instance, AntiVirus Pro is able to disinfect both of them - I just checked.

> By now, my friends and the enterprises attacked are just replacing the
> files from backups or reinstallations...

This is the most reliable way to eradicate a virus infection.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Sun, 03 Jul 94 20:02:26 -0400
From: Iolo Davidson
Subject: antivirus products (PC)

> the bad thing with the big anti-virus companies is that often even the
> few competent anti-virus researchers in them are overwhelmed by the
> internal bureaucracy. :-(

Even when the researcher is the executive director.

- --
MOM AND POP AS PLAIN ARE FEELING GAY AS DAY BABY SAID
Burma Shave

------------------------------

Date: Sun, 03 Jul 94 20:03:58 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Cure for SVC.2936 & Three_Tunes viruses (PC)

fesquive@cariari.ucr.ac.cr (Fabio Esquivel C.) writes:

>Are those viruses really hard to disinfect?

Three_Tunes is hard, quite hard...yes. It is on my "to-do" list though... but will probably not be added until 2.13a. SVC.2936 on the other hand, I don't remember why I did not add disinfection of that, but I see that I have added disinfection of quite a few other SVC viruses, even bigger and more advanced versions....I'll take a look at it.

>Then, why is it not possible to undo the changes to the exec's header and
>leave the files as closely as they were before infection?
Well, to do that, you must either:

know exactly what the header looked like before....which is possible if you are running an integrity checker with generic disinfection capabilities.

or decrypt the virus, and recover the header information.....and that is not easy to do.

However, although those two viruses are not easy to disinfect, they are still much easier to disinfect than polymorphic viruses like Pathogen and S-bug.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Sun, 03 Jul 94 20:03:11 -0400
From: 2925659@sscl.uwo.ca
Subject: DATA-RAPE VIRUS (PC)

Has anyone heard of the DATA-RAPE virus?? My friend has it on his system. I looked for info on it in the NEW version of F-PROT 212c... There appears not to be any info contained therein... F-PROT says that it is a suspicious file that may be a virus, but offers no help in removing it... Please let me know if there is a way to get rid of this...

------------------------------

Date: Sun, 03 Jul 94 19:50:30 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Mirroring of mcafee.com restricted (PC)

Hello everybody,

As you probably know, our ftp site is mirroring McAfee's (mcafee.com) as ftp.informatik.uni-hamburg.de:/pub/virus/McAfee/. However, a few days ago, McAfee created two new directories on their ftp site - netmgmt and utility. Those directories contain about 19 megabytes of files, most of which are not anti-virus programs or even remotely related to virus protection. Since they occupy significant space on our disks, we have decided to discontinue mirroring those directories from mcafee.com. Mirroring of the other directories is still supported.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 54]
*****************************************
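Appended after the digest as an added example, not code from any message above: the CRC-versus-MD5 point in David Conrad's VALIDATE reply, shown with Python's zlib.crc32 and hashlib. The identity it checks is the affine property of CRC-32 (the algebraic reason a CRC can be forged to a target value); the sample "executable" bytes are constructed, and SHA-256 appears beside MD5 only as the present-day choice, since MD5 collisions are now practical.

```python
"""Why a CRC-based VALIDATE check can be forged while a hash-based one cannot
be forged the same way.

CRC-32 is an affine map over GF(2): for equal-length inputs
    crc(a XOR b) == crc(a) XOR crc(b) XOR crc(0...0)
so a patch can be solved for algebraically.  A cryptographic hash has no such
structure.  MD5 is used because that is what the post proposes; SHA-256 is the
algorithm one would publish today."""
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    """Standard CRC-32 (the polynomial ZIP and Ethernet use), as an unsigned int."""
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_affine_identity_holds(a: bytes, b: bytes) -> bool:
    """True iff crc(a^b) == crc(a) ^ crc(b) ^ crc(zeros). Always true for CRC-32."""
    zeros = bytes(len(a))
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(zeros)


def md5_affine_identity_holds(a: bytes, b: bytes) -> bool:
    """The same identity tested on MD5 digests; fails except with 2^-128 chance."""
    zeros = bytes(len(a))
    lhs = hashlib.md5(xor_bytes(a, b)).digest()
    rhs = xor_bytes(xor_bytes(hashlib.md5(a).digest(), hashlib.md5(b).digest()),
                    hashlib.md5(zeros).digest())
    return lhs == rhs


def make_record(name: str, data: bytes, algo: str = "md5") -> dict:
    """What a VALIDATE-style tool should publish per file: name, size, digest."""
    return {"name": name, "size": len(data), "algo": algo,
            "digest": hashlib.new(algo, data).hexdigest()}


def validate(record: dict, data: bytes) -> bool:
    """Recompute the digest of a downloaded copy and compare in constant time."""
    if len(data) != record["size"]:
        return False
    actual = hashlib.new(record["algo"], data).hexdigest()
    return hmac.compare_digest(actual, record["digest"])


# Constructed stand-in for a distributed executable; not real program bytes.
ORIGINAL = b"MZ" + bytes(range(256)) * 4 + b"constructed sample executable"
# Same length with one bit flipped: a minimal "patched" copy.
_t = bytearray(ORIGINAL)
_t[300] ^= 0x01
TAMPERED = bytes(_t)
# A second, unrelated buffer of the same length for the identity check.
OTHER = bytes((i * 37 + 11) & 0xFF for i in range(len(ORIGINAL)))
```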
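Also added here, not from any message in the digest: a minimal scanner for the wildcard hex signature Norman Hirsch quotes for SCAN's /EXT file, assuming (my reading of his post, not something the page documents) that each line is a quoted hex string followed by the name and that "?" stands for one arbitrary byte. The sample buffers are constructed filler around that nine-byte pattern and contain no virus code.

```python
"""Wildcard hex-string scanning in the style of SCAN /EXT.

The quoted Junkie signature, 26 81 34 ? ? 46 46 E2 F7, disassembles as a
16-bit XOR of es:[si] with an immediate key, two INC SI, and a LOOP back to
the XOR: a decryption loop.  The two '?' cover the per-sample key, which is
why the signature needs wildcards rather than a fixed string."""
import re
from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]  # None marks a wildcard byte

# Assumed /EXT line layout: "hex bytes" Name  (quoted string, then the name).
EXT_LINE = re.compile(r'^\s*"([^"]+)"\s+(.+?)\s*$')


def parse_signature(hex_string: str) -> Pattern:
    """Turn '26 81 34 ? ? 46 46 E2 F7' into byte values and wildcards."""
    pattern: Pattern = []
    for token in hex_string.split():
        if token == "?":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            pattern.append(int(token, 16))
        else:
            raise ValueError(f"bad signature token {token!r}")
    return pattern


def parse_ext_file(text: str) -> Dict[str, Pattern]:
    """Parse /EXT-style lines into {name: pattern}; blank lines are skipped."""
    sigs: Dict[str, Pattern] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EXT_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable /EXT line: {line!r}")
        sigs[m.group(2)] = parse_signature(m.group(1))
    return sigs


def find_pattern(data: bytes, pattern: Pattern) -> int:
    """Offset of the first match, or -1.  Wildcards match any byte."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def scan_files(files: Dict[str, bytes],
               sigs: Dict[str, Pattern]) -> List[Tuple[str, str, int]]:
    """Return (filename, signature name, offset) for every hit."""
    hits: List[Tuple[str, str, int]] = []
    for fname, data in files.items():
        for sname, pattern in sigs.items():
            off = find_pattern(data, pattern)
            if off >= 0:
                hits.append((fname, sname, off))
    return hits


EXT_TEXT = '"26 81 34 ? ? 46 46 E2 F7" Junkie Virus\n'

# Constructed samples: NOP filler around the pattern with two different XOR
# keys, and a near-miss that differs in the last byte (must not match).
FILLER = bytes([0x90]) * 32
SAMPLES = {
    "SAMPLE1.COM": FILLER + bytes.fromhex("26 81 34 12 34 46 46 E2 F7") + FILLER,
    "SAMPLE2.COM": FILLER + FILLER + bytes.fromhex("26 81 34 AB CD 46 46 E2 F7"),
    "CLEAN.COM":   FILLER + bytes.fromhex("26 81 34 12 34 46 46 E2 F8") + FILLER,
}
```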